Polymorphism and IDS
Black Hat Briefings
Las Vegas 2001
Chad R. Skipper
Sr. Software Engineer
Symantec Corp.
whoami
Chad R. Skipper
• Air Force - systems counter intelligence, OSI
investigations, information warfare, and exploit
intelligence
• Trident Data Systems – Network/Sys/Security
Administrator
• L-3 Network Security/Symantec – Sr. Software
Engineer
• Signature Development
• IDS Evasion Techniques
[email protected]
Overview
• Evolution of malicious polymorphic code
• Paradigm shift
• Polymorphic coding
• ADMmutate by K2
• http://www.ktwo.ca/
• TCPDumps
• IDS Response
Polymorphism
What is polymorphism
• The ability to appear in many forms
• Continuous change (unique coding)
• Independent of encryption
• Morphs regexp’s within attacks
• Can exist on multiple platforms
Evolution of Polymorphism
Simple Viruses
• Replicates itself and is the easiest to detect
• Virus always makes an exact replica of itself
• Detection: Scan for a sequence of bytes found in
the virus
Evolution of Polymorphism
Encrypted Viruses
• Response to detection was encrypting viruses
• Hide the fixed bytes by encrypting the virus
Evolution of Polymorphism
Encrypted Viruses
• Consists of a virus decryption routine and an
encrypted virus body
• Uses encryption keys, but decryption remained
constant, thus detection was a sequence of bytes
of the decryption routine
Evolution of Polymorphism
Encrypted Viruses
• Executes decryption routine
• Gains control of the system
• Decrypts and gives control to virus
• Infection occurs
• Copies itself
• Encrypts itself
• Attaches itself to a new program
Evolution of Polymorphism
Polymorphic Virus
• Response to detection was polymorphism
• Contains the encrypted body and decryption
routine
• Adds a mutation engine that generates
randomized decryption routines with each use
• Mutation engine and virus body are both
encrypted
• Result is the virus body encryption and
decryption routines vary from infection to
infection
• NO FIXED SIGNATURE
Evolution of Polymorphism
Polymorphic Virus
• Decrypts virus and mutation engine
• Transfers control to the virus
• Copies itself and the mutation engine
• Invokes the mutation engine
• Randomly generates decryption routine
• Virus is now unique from the prior virus
• Attaches to a new program
Evolution of Polymorphism
Problems with Polymorphic Virus Detection
• Dark Avenger and MtE
• Produces random programs
• Billions-upon-billions of variations
Polymorphic Virus Detection
• One-by-one, line-by-line (Don’t think so)
Generic Decryption
• Slow
Heuristic-Based Generic Decryption
• Heuristic guesses
• False Negatives
Evolution of Polymorphism
Polymorphic Virus Detection Solutions
• Does not rely on heuristic guesses
• Relies on rules or profiles specific to each virus
• Rules out possibilities first
• Runs file in virtual machine (VM)
• Looks for triggers
Evolution of Polymorphism
Polymorphic Virus Detection Solutions
• Load file into self-contained VM
• Is this file .exe, .com, .sys…?
• If .exe then A,B,C,D,and E are virus behaviors
• Suspect files
• A,B,C
• A,B,D
• D,B,E
• Observes A, then “D,B,E” are out
• Observes B, then remaining are still in
• Observes D, then “A,B,C” are out and “A,B,D” are in
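The elimination walk-through above, written out as code. This is an added example, not code from the talk or from any Symantec product: the emulator itself is not shown, only the rule that each observed behaviour rules out every profile that does not contain it, and that a profile whose behaviours have all been seen is a match. Profile names ("suspect-1" etc.) are hypothetical; the behaviours are the slide's letters A..E.

```python
# Added example, not from the talk: the profile-elimination rule the slide sketches.
# Profile names are hypothetical; behaviours are the slide's letters A..E.
from typing import Dict, Iterable, List, Tuple

# Which behaviours count as virus behaviours for a file type
# (slide: "If .exe then A,B,C,D,and E are virus behaviors")
VIRUS_BEHAVIOURS: Dict[str, set] = {".exe": {"A", "B", "C", "D", "E"}}

# Candidate profiles: each lists the behaviours a specific virus always shows
PROFILES: Dict[str, List[str]] = {
    "suspect-1": ["A", "B", "C"],
    "suspect-2": ["A", "B", "D"],
    "suspect-3": ["D", "B", "E"],
}


def eliminate(profiles: Dict[str, List[str]], observed: Iterable[str],
              file_type: str = ".exe") -> Tuple[List[str], List[str], List[str]]:
    """Return (still_in, ruled_out, matched) after observing behaviours in order.

    Behaviours outside the file type's virus-behaviour set are ignored, so
    ordinary program activity rules nothing out. A profile is ruled out as
    soon as a relevant behaviour it does not contain is observed; it is a
    match once every behaviour it lists has been seen.
    """
    relevant = VIRUS_BEHAVIOURS.get(file_type, set())
    still_in = dict(profiles)
    ruled_out: List[str] = []
    seen = set()
    for behaviour in observed:
        if behaviour not in relevant:
            continue
        seen.add(behaviour)
        for name in list(still_in):
            if behaviour not in still_in[name]:
                ruled_out.append(name)
                del still_in[name]
    matched = [name for name, beh in still_in.items() if set(beh) <= seen]
    return list(still_in), ruled_out, matched


def trace(profiles: Dict[str, List[str]], observed: List[str]) -> List[str]:
    """Step-by-step log in the slide's style, one entry per observation."""
    log = []
    for i in range(1, len(observed) + 1):
        still_in, ruled_out, matched = eliminate(profiles, observed[:i])
        log.append(f"observes {observed[i - 1]}: out={ruled_out} in={still_in} matched={matched}")
    return log


if __name__ == "__main__":
    for line in trace(PROFILES, ["A", "B", "D"]):
        print(line)
```

Running it reproduces the slide: observing A removes "D,B,E", observing B changes nothing, observing D removes "A,B,C" and leaves "A,B,D" as the only (and now complete) match.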
The Paradigm Shift
Concepts used from Polymorphic Viruses
• Mutation engine
• Polymorphic algorithm
• Morphing of the payload to include
• Shell code
• NOP’s
• Encoder/Decoder
• Non-Operational Padding
The Paradigm Shift
The intent of Polymorphic Attacks
• To evade signature analysis of IDS
• Signature analysis looks at
• Shell code
• NOP’s
• Specific offsets within a payload
• ASCII
• Headers
Encoding Process
Shell code
• Morphed prior to launch with each subsequent
morphing unique
• ROT, MOV
• XOR (exclusive-or) Randomly generated value
• 0 xor 0 = 0
• 0 xor 1 = 1
• 1 xor 0 = 1
• 1 xor 1 = 0
• If the first or the second operand, but not both, is
one, the result is one; otherwise the result is
zero.
Encoding Process
Shell code
• Randomly generated xor value of 0x23
• DNS – Snort
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)
Encoding Process
Shell code
• Shell code of: 0x 3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20
• XOR with the value of 0x23
• We get: 0x 1C B3B3B3 C818 12F8 7C A0CC5F AE5433 AA5427 AE6C03
• This can give us over 64,000 permutations for 1 byte
• BTW, the computational overhead for this for NIDS may/will be substantial.
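The XOR step above, the fixed Snort content match it defeats, and the brute-force key search a sensor would need to see through it, as an added example (not code from the talk or from ADMmutate). The signature bytes are the ones quoted from the Snort rule; the short sled wrapped around the encoded bytes is constructed for the example.

```python
# Added example, not from the talk or from ADMmutate: single-byte XOR encoding,
# a Snort-style content match, and a 255-key brute-force decode on the sensor side.
from typing import Optional

# Content bytes of the quoted rule (IDS489/named-exploit-tsig-lsd)
SIGNATURE = bytes.fromhex("3F909090EB3B31DB5F83EF7C8D77108977048D4F20")


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key; applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def content_match(payload: bytes, content: bytes) -> bool:
    """A fixed content match, as in the quoted Snort rule, is a substring search."""
    return content in payload


def recover_xor_key(payload: bytes, content: bytes) -> Optional[int]:
    """Try all 255 non-zero keys; return the one under which the known content
    reappears in the decoded payload, or None. Each signature costs 255 full
    decodes per packet, which is the overhead the slide warns about."""
    for key in range(1, 256):
        if content in xor_encode(payload, key):
            return key
    return None


# Constructed packet: an 8-byte 0x90 sled followed by the XOR-encoded signature
KEY = 0x23
CONSTRUCTED_PAYLOAD = b"\x90" * 8 + xor_encode(SIGNATURE, KEY)

if __name__ == "__main__":
    print("encoded:", xor_encode(SIGNATURE, KEY).hex())
    print("plain signature matches encoded payload:",
          content_match(CONSTRUCTED_PAYLOAD, SIGNATURE))
    print("key recovered by brute force:", hex(recover_xor_key(CONSTRUCTED_PAYLOAD, SIGNATURE)))
```

The encoded output equals the hex on the slide, the plain content match fails against it, and the key search finds 0x23 again, at the cost of decoding the whole payload 255 times for this one signature.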
Encoding Process
NOP’s
• No operation assembly processor instruction
• So, we substitute known NOP’s with other
characters that do not affect the outcome of the
code
Encoding Process
NOP’s
• Platform specific NOP’s
• AIX – 0x4ffffb82
• Digital – 0x47ff041f
• HP – 0x0b390280
• Intel – 0x90
• SGI – 0x240f1234
• SPARC – 0x13c01ca6; 0xa61cc013, 0x801c4011
Encoding Process
NOP’s
• Substitutional NOP’s per K2
• Intel
• 0x49
• 0x4b
• 0x45
• SPARC
• 0xa21c8012
• 0xb606401a
• 0xa026e042
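A sled detector that generalises the "24 x 0x90" Snort rule quoted later in the deck to a run of any single-byte instruction that is harmless inside a sled, as an added example (not code from the talk or from Snort). The alphabet holds only the four x86 values the slides name (0x90 and K2's 0x49, 0x4b, 0x45); the run length of 24 mirrors the quoted rule; all sample payloads are constructed.

```python
# Added example, not from the talk: longest run of NOP-equivalent bytes instead of
# a fixed 0x90 string. Alphabet and threshold are taken from the slides; samples are constructed.
from typing import FrozenSet

X86_NOP_EQUIVALENTS: FrozenSet[int] = frozenset({0x90, 0x49, 0x4B, 0x45})
MIN_RUN = 24  # bytes, same as the 24 x 0x90 content of the quoted Snort rule


def longest_run(payload: bytes, alphabet: FrozenSet[int] = X86_NOP_EQUIVALENTS) -> int:
    """Length of the longest contiguous run of alphabet bytes in payload."""
    best = current = 0
    for b in payload:
        current = current + 1 if b in alphabet else 0
        best = max(best, current)
    return best


def is_sled(payload: bytes, min_run: int = MIN_RUN,
            alphabet: FrozenSet[int] = X86_NOP_EQUIVALENTS) -> bool:
    """True when the payload holds a run of at least min_run alphabet bytes."""
    return longest_run(payload, alphabet) >= min_run


# Constructed samples
CLASSIC_SLED = b"\x90" * 32 + b"\xeb\x48"                                # plain 0x90 sled
SUBSTITUTED_SLED = bytes([0x49, 0x4B, 0x45, 0x90] * 8) + b"\xeb\x48"     # mixed equivalents
HTTP_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
TEXT_FALSE_POSITIVE = b"E" * 30                                           # 0x45 is also 'E'

if __name__ == "__main__":
    only_90 = frozenset({0x90})
    for name, sample in [("classic", CLASSIC_SLED), ("substituted", SUBSTITUTED_SLED),
                         ("http", HTTP_REQUEST), ("EEEE...", TEXT_FALSE_POSITIVE)]:
        print(f"{name:12} 0x90-only={is_sled(sample, alphabet=only_90)} "
              f"equivalents={is_sled(sample)}")
```

The 0x90-only check misses the substituted sled while the alphabet check catches it. Two caveats follow directly from the deck: the polymorphed captures that come later use byte values such as 0x40, 0x4d and 0x27 that are outside this four-value alphabet, so a real detector needs the full list of harmless single-byte instructions; and every value added to the alphabet that is also printable ASCII (0x45 is 'E', 0x49 is 'I', 0x4b is 'K') raises the false-positive rate on ordinary text, which the run of 'E' shows.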
Encoding Process
Encoder/Decoder
• My first thought was that we can detect the
Encoder/Decoder
• “It would not be cool if the IDS vendor could
simply detect our decoder.” - K2
• FAT CHANCE… This would be too easy
• Techniques used are multiple code paths, non-operational padding, and randomly generated instructions
• Decoder processes the data after the overflow
Attacks
[Diagram: Attacker sending traffic past a Network IDS to the Victim]
TCPDumps (Normal)
4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 22e1
008c 3e60 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
(Cut)
9090 9090 9090 9090 eb48 9aff ffff ff07
ffc3 5e31 c089 46b4 8846 b988 4607 8946
0c31 c050 b08d e8df ffff ff83 c404 31c0
50b0 17e8 d2ff ffff 83c4 0431 c050 8d5e
0853 8d1e 895e 0853 b03b e8bb ffff ff83
c40c e8bb ffff ff2f 6269 6e2f 7368 ffff
ffff ffff 7c6b 0408 7c6b 0408 7c6b 0408
7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408
TCPDumps (Polymorphed)
4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 4475
008c 5fe5 4949 4b49 494d 4df5 40f9 4040
4d49 414b 4845 4bf5 484d 4b4d 4549 4449
4827 494a 434c 4b4d 4af9 f54a 4c4d 274c
414d 4c4c 4c27 494c 4a49 4140 414d 274c
4244 414b 4540 4940 f54c 4945 40f5 48f5
4c4d 454d f54d 404d 4d27 f94b 4d4d 4b42
(CUT)
36aa 763c 5b31 c9b0 df6a 1866 5993 3106
9383 e886 9640 968c c08c e083 c601 f533
c046 85c0 46e2 e685 c085 c0eb 0bb0 346b
c087 e8c5 ffff ff7e 413e a6c9 5589 c331
55b5 6207 6aff 7a82 2230 85be ec71 b570
a647 fc66 1afb d4e9 5589 c3b5 6e72 0df6
fac6 2bde 7889 c3c9 29b2 3807 6a26 b168
a225 b128 2328 3465 1a4d d48d 5589 c3b5
6e7a d48d 5589 c319 c81f 5219 d91e c3c9
5589 c3c9 d61d 0408 816b 0408 816b 0408
TCPDumps (Polymorphed)
4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 c60f
008c e181 454b 4449 444a 4040 4342 4af9
40f9 414b 444b 4c44 4845 4d40 4944 f948
404b 484b 4af9 4b4a f94d 404a 2740 f94b
f941 4449 4327 4d44 48f5 45f9 4149 4341
f545 4b40 4027 2745 48f5 f549 f544 4d4a
f5f5 2742 f54b 4c41 41f5 4927 444b 4941
454d 42f9 f548 4d45 4b4c f545 4442 424d
(CUT)
5896 83c0 4a68 9801 56bf 5b31 c091 c1e8
4a40 6a18 5889 c193 3106 9346 f946 c1e8
aa8c c083 c601 9640 96c1 c0ed e2e9 8cc0
eb06 e8c9 ffff ffd9 ea1e 2567 fea9 409f
fe95 e1a9 c1df f92c 8910 0610 4751 36de
0d67 7fc8 b1db 5747 fea9 401b c552 8e58
51e6 a870 d3a9 4067 8292 bba9 c106 32c6
0905 3286 8808 b7cb b16d 5723 fea9 401b
c55a 5723 fea9 40b7 633f d1b7 723e 4067
fea9 4067 7d3d 0408 cb6b 0408 cb6b 0408
Network Intrusion Response
Protocol Analysis
• Application Layer
[Diagram: OSI stack: Application, Presentation, Session, Transport, Network, Data Link, Physical]
Network Intrusion Response
Protocol Analysis
• What protocol is it?
• IP, IPX…
• If IP then is it TCP, UDP, ICMP…
• If TCP then is it HTTP, DNS, FTP…
• If HTTP then apply HTTP signatures
• Determine if alert is needed
Network Intrusion Response
Protocol Analysis
• Break the payload down into manageable parts
• Look for expected results
• Anything out of that range – alert
[Diagram: two packet stacks (Physical, Data Link, Network, Payload), one labelled Normal HTTP and one Abnormal HTTP]
Network Intrusion Response
Protocol Analysis
• Can detect polymorphic attacks
• Proactive
• Better performance
• Harder to evade
• May be possible to create polymorphic code that
looks like normal traffic on some services
Network Intrusion Response
Pattern Matching
• Searches for set patterns within packets, such as
shell-code, NOP’s, and ASCII
• Pattern matching is defeated by polymorphic
attacks
[Diagram: packet stack: Physical, Data Link, Network, Payload]
Network Intrusion Response
Snort Example – Pattern Matching
DNS - Snort
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)
TFN - Snort
alert ICMP any any -> any any (msg: "IDS425/ddos-tfn2k-icmp_possible_communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; classtype: system-success; reference: arachnids,425;)
Network Intrusion Response
Snort Example – Pattern Matching
X86 NOP’s - Snort
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,362;)
Network Intrusion Response
Binary Signatures
• Detecting binary strings within protocols such as
SMTP
• Attacks against text-only services could check for
characters outside the standard text range
• FTP
• Could pick up polymorphic attacks
Network Intrusion Response
Packet Size
• Detecting unusual large amounts of data streams
• POP3, RPC, HTTP, FTP
• Can pick up polymorphic attacks
[Diagram: packet stack: Physical, Data Link, Network, Payload]
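Two of the protocol-analysis checks from the Binary Signatures and Packet Size slides, run over constructed payloads, as an added example (not code from the talk or from any IDS product). The service table and the per-service line limits are assumptions chosen for the example, not sensor defaults. The captures earlier in the deck are to TCP port 25 (0x0019), so the samples are checked as SMTP; the ASCII sled sample is built from twenty bytes of the polymorphed capture, which are all printable characters, and the mixed sample from a stretch that includes the 0xf5/0xf9 substitutions.

```python
# Added example, not from the talk: text-range and line-length checks applied per
# destination service. TEXT_SERVICES and MAX_LINE are assumptions for this example.
from typing import Dict, List

TEXT_SERVICES: Dict[int, str] = {21: "ftp", 25: "smtp", 110: "pop3"}
MAX_LINE: Dict[int, int] = {21: 512, 25: 1000, 110: 512}  # hypothetical per-service limits


def non_text_offsets(payload: bytes) -> List[int]:
    """Offsets of bytes outside printable ASCII, TAB, CR and LF."""
    return [i for i, b in enumerate(payload)
            if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))]


def oversized_lines(payload: bytes, limit: int) -> List[int]:
    """Indexes of LF-separated lines (or the trailing fragment) longer than limit."""
    return [n for n, line in enumerate(payload.split(b"\n")) if len(line) > limit]


def analyze(dport: int, payload: bytes) -> List[str]:
    """Apply the checks that fit the destination service; return alert strings."""
    alerts: List[str] = []
    service = TEXT_SERVICES.get(dport)
    if service is None:
        return alerts  # no text-only expectation for this port
    bad = non_text_offsets(payload)
    if bad:
        alerts.append(f"{service}: {len(bad)} non-text bytes, first at offset {bad[0]}")
    long_lines = oversized_lines(payload, MAX_LINE[dport])
    if long_lines:
        alerts.append(f"{service}: line {long_lines[0]} exceeds {MAX_LINE[dport]} bytes")
    return alerts


# Constructed payloads
NORMAL_SMTP = b"EHLO mail.example\r\nMAIL FROM:<user@example>\r\n"
# twenty bytes of the polymorphed capture's sled (all printable ASCII), repeated
# to roughly the size of the captured payload
ASCII_SLED = bytes.fromhex("4d49414b4827494a414d4c4c4244414b4c4d454d") * 60
# a stretch of the same capture that includes 0xf5/0xf9 substitutions
MIXED_SLED = bytes.fromhex("f5f52742454d42f9")

if __name__ == "__main__":
    for name, p in [("normal", NORMAL_SMTP), ("ascii sled", ASCII_SLED), ("mixed sled", MIXED_SLED)]:
        print(name, analyze(25, p))
```

The result matches the deck's own caveats: the all-printable sled passes the text-range check, so "looks like normal traffic" is achievable against that check alone, but the 1,200 bytes without a line break trip the size check; the stretch containing 0xf5 and 0xf9 is caught by the text-range check at offset 0.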
Network Intrusion Response
Connection Time
• Abnormal connection time rates such as lengthy
DNS collaboration
• DNS, HTTP, RPC, etc…
• Time based
• Expensive
• Could detect polymorphic attacks by timing the
session between hosts
Network Intrusion Response
Outcome Detection – Success/Failure
• Able to detect response to attacks
• Able to detect “/bin/sh” leaving on port 53
• Could detect polymorphic attacks
• Another evasion technique is the response from
the victim being hashed/encrypted/scrambled
Network Intrusion Response
Outcome Detection – Success/Failure
• Solaris snmpXdmid - LAST STAGE OF DELIRIUM
• NOP’s to server
00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00
00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00
00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00
00 1C 00
• /bin/ksh to server
00 08 00 00 00 2F 00 00 00 62 00 00 00 69 00 00  ...../...b...i..
00 6E 00 00 00 2F 00 00 00 6B 00 00 00 73 00 00  .n.../...k...s..
00 68 00 00 00 00 00 00 00 04 00 00 00 00 00 00  .h..............
• uname –a to server
82 8C 2F 62 69 6E 2F 75 6E 61 6D 65 20 2D 61 0A  ../bin/uname -a.
Network Intrusion Response
Outcome Detection – Success/Failure
• Solaris snmpXdmid - LAST STAGE OF DELIRIUM
• Response to uname –a
2E E1 53 75 6E 4F 53 20 73 61 2D 73 6F 6C 61 72  ..SunOS sa-solar
69 73 2D 30 32 20 35 2E 38 20 47 65 6E 65 72 69  is-02 5.8 Generi
63 20 73 75 6E 34 75 20 73 70 61 72 63 20 53 55  c sun4u sparc SU
4E 57 2C 55 6C 74 72 61 2D 35 5F 31 30 0A        NW,Ultra-5_10.
• Response to /etc/passwd
35 1C 72 6F 6F 74 3A 78 3A 30 3A 31 3A 53 75 70  5.root:x:0:1:Sup
65 72 2D 55 73 65 72 3A 2F 3A 2F 73 62 69 6E 2F  er-User:/:/sbin/
73 68 0A 64 61 65 6D 6F 6E 3A 78 3A 31 3A 31 3A  sh.daemon:x:1:1:
0070: 3A 2F 3A 0A 62 69 6E 3A 78 3A 32 3A 32 3A 3A 2F  :/:.bin:x:2:2::/
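Outcome detection over the byte strings the two snmpXdmid slides quote, as an added example (not code from the talk or from any IDS product). The request carries each character of "/bin/ksh" as a 32-bit word, so the detector collapses every 4-byte stride before searching; the response side looks for text that only a successful command would return. The marker lists are constructed for this example and hold only strings that appear on the slides.

```python
# Added example, not from the talk: request markers found through a stride-4
# collapse (one character per 32-bit word) and response markers that indicate
# command output came back. Byte strings are the slides'; marker lists are constructed.
from typing import List

# Bytes quoted on the slides
KSH_REQUEST = bytes.fromhex(
    "00080000002F00000062000000690000"
    "006E0000002F0000006B000000730000"
    "00680000000000000004000000000000")
UNAME_REQUEST = bytes.fromhex("828C2F62696E2F756E616D65202D610A")
UNAME_RESPONSE = bytes.fromhex(
    "2EE153756E4F532073612D736F6C6172"
    "69732D303220352E382047656E657269"
    "632073756E3475207370617263205355"
    "4E572C556C7472612D355F31300A")
PASSWD_RESPONSE = bytes.fromhex(
    "351C726F6F743A783A303A313A537570"
    "65722D557365723A2F3A2F7362696E2F"
    "73680A6461656D6F6E3A783A313A313A"
    "3A2F3A0A62696E3A783A323A323A3A2F")

# Constructed marker lists (every string appears on the slides)
REQUEST_MARKERS = [b"/bin/", b"uname -a"]
RESPONSE_MARKERS = [b"SunOS ", b"root:x:0:", b"daemon:x:1:", b"/sbin/sh", b"/bin/sh"]


def wide_strings(payload: bytes, stride: int = 4) -> List[bytes]:
    """Collapse the payload at each stride offset: bytes i, i+stride, i+2*stride, ..."""
    return [payload[offset::stride] for offset in range(stride)]


def request_indicators(payload: bytes) -> List[bytes]:
    """Markers found either in the raw bytes or in any stride-4 collapse."""
    views = [payload] + wide_strings(payload)
    return [m for m in REQUEST_MARKERS if any(m in v for v in views)]


def response_indicators(payload: bytes) -> List[bytes]:
    """Markers showing the service returned shell or command output to the client."""
    return [m for m in RESPONSE_MARKERS if m in payload]


if __name__ == "__main__":
    print("ksh request:", request_indicators(KSH_REQUEST))
    print("uname request:", request_indicators(UNAME_REQUEST))
    print("uname response:", response_indicators(UNAME_RESPONSE))
    print("passwd response:", response_indicators(PASSWD_RESPONSE))
```

The collapse at offset 1 of the ksh request yields "/bin/ksh" (preceded by its length byte 0x08), which no raw substring match would find, while the uname request and both responses match directly. The slide's closing point still applies: a response that comes back hashed, encrypted or scrambled defeats the response-side markers.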
Network Intrusion Response
Log Analysis
• Event Viewer, /var/adm/messages/,
/var/log/syslog, etc.
• Able to detect abnormal occurrences within the
host
• Can detect polymorphic attacks
• # more /var/adm/messages
May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] One instance of this daemon is already running on this machine
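A parser for the Solaris syslog line format shown above (timestamp, host, process, then "[ID msgid facility.severity]" and the text) with a rule that flags lines worth a look, as an added example (not code from the talk). The first sample line is the slide's own; the other two are constructed, and the watched-daemon list is an assumption.

```python
# Added example, not from the talk: parse /var/adm/messages lines of the form
# "<ts> <host> <proc>[pid]: [ID <msgid> <facility>.<severity>] <text>" and flag them.
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<severity>\w+)\] (?P<text>.*)$")

ALERT_SEVERITIES = {"error", "crit", "alert", "emerg"}
WATCHED_DAEMONS = {"dmispd", "snmpXdmid"}  # assumed: the services named in the deck


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def should_alert(entry: Dict[str, str]) -> bool:
    """Flag error-or-worse severities and anything from a watched daemon."""
    return entry["severity"] in ALERT_SEVERITIES or entry["proc"] in WATCHED_DAEMONS


def scan(lines: List[str]) -> List[str]:
    """Return '<host> <proc> <facility>.<severity>: <text>' for each flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and should_alert(entry):
            hits.append(f"{entry['host']} {entry['proc']} "
                        f"{entry['facility']}.{entry['severity']}: {entry['text']}")
    return hits


SAMPLE_LOG = [
    # the slide's own line
    "May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] "
    "One instance of this daemon is already running on this machine",
    # constructed benign lines
    "May 25 11:57:30 sa-solaris-02 sendmail[214]: [ID 702911 mail.info] starting daemon",
    "May 25 12:03:01 sa-solaris-02 inetd[128]: [ID 317013 daemon.notice] connection from 10.10.42.42",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The dmispd line is flagged twice over (daemon.error severity and a watched process); the constructed info and notice lines are parsed but not reported. The "already running" text is the host-side symptom the slide points at: a second instance of the daemon being started after the first was compromised shows up in the log even though the network payload that caused it was polymorphed.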
Host Intrusion Response
Access/Change Analysis
• Changes to any audited file
• Spawning of child processes
• Removal of any audited file
• Replacement of any audited file
• Can detect polymorphic attacks
Host Intrusion Response
Port Activity
• Unusual port activity
• RPC – ttdb – active session to outside host
• Could detect polymorphic attacks as they occur
Defeating Polymorphic Attacks
Assessment and Intrusion Detection (IDS)
“Proactive” (scheduled): Assessment
• Host-Based: Inspect system configuration files, password files for weak passwords, and other system objects for policy violations
• Network-Based: Reenact common intrusion or attack scenarios; ID and report network vulnerabilities and suggest corrective actions
“Reactive” (24 x 7): IDS
• Host-Based: Monitor audit and log data; active “sensors” on servers and workstations monitor user actions and protect resources, applications, and data
• Network-Based: Collect information from the network for real-time monitoring
Future trends from the past
State of NIDS detection is where Anti-Virus was in the mid 90’s
IDS Evasion is now just getting started
Polymorphic Virus Stats (SARC www.sarc.com)
• 1988 - The first virus with variable key encryption (between infections)
• 1990 - Polymorphic viruses found in the United States including V2Px, Virus-90 and Virus-101 viruses
• 1992 – First polymorphic engine that could be plugged into a virus as an add-on
• Today - ~2,000 – 5,000 polymorphic viruses (Not all in the wild)
Shameless Promotion
• Kevin Mandia – Foundstone
• Incident Response – Investigative Computer
Crime
• www.amazon.com
Credits
K2 – www.ktwo.ca
Jeru – www.newhackcity.net/~jeru
Snort – www.snort.org
SARC – www.sarc.com
Symantec – www.symantec.com
That’s all folks
QUESTIONS????