Alkanet[1, 2] Alkanet CPU CPU 2 Alkanet Alkanet (VMM) VMM Alkanet Windows Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS ユーザモードカーネルモードマルウェア観測用 PC VM

Size: px

Start display at page:

Download "Alkanet[1, 2] Alkanet CPU CPU 2 Alkanet Alkanet (VMM) VMM Alkanet Windows Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS ユーザモードカーネルモードマルウェア観測用 PC VM"

さやつねざき
5 years ago
Views:

1 Computer Security Symposium October {takimoto, Alkanet CPU Identifying of System Call Invoker by Branch Trace Facilities Yuto Otsuki Eiji Takimoto Shoichi Saito Koichi Mouri Ritsumeikan University Nojihigashi, Kusatsu, Shiga Japan {takimoto, Nagoya Institute of Technology Gokiso-cho, Showa-ku, Nagoya, Aichi, Japan Abstract Recent malware infects other processes. Another one consists of two or more modules and plugins. It is difficult to trace these malware because traditional methods focus on threads or processes. We are developing Alkanet, a system call tracer for malware analysis. To trace the malware, Alkanet identifies the system call invoker by stack trace. However, if malware has falsified its stack, Alkanet cannot identify it correctly. In this paper, we describe a method for identifying a system call invoker by branch trace facilities. We consider the effectiveness of branch trace facilities for malware analysis

保存ロガー VMM Intel CPU Intel VT (Intel Virtualization Technology) Windows OS 32bit Windows XP Service Pack 3 sysenter sysexit

2 Alkanet[1, 2] Alkanet CPU CPU 2 Alkanet Alkanet (VMM) VMM Alkanet Windows Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS ユーザモードカーネルモードマルウェア観測用 PC VM システムコール Windows システムコールアナライザログ Alkanet BitVisor IEEE1394 1: Alkanet ロギング用 PC ログ解析ツールログ解析挙動抽出保存ロガー VMM Intel CPU Intel VT (Intel Virtualization Technology) Windows OS 32bit Windows XP Service Pack 3 sysenter sysexit Alkanet PC IEEE 1394 [2] VAD (Virtual Address Descriptor) PTE (Page Table Entry) 3 BTS Intel CPU MSR (Model Specific Register)

3 LBR (Last Branch Record) BTS (Branch Trace Store) BTF (Single Step on Branches) 2 BTS BTS BTS 3 CPU IA32 DS AREA MSR BTS IA32 DEBUGCTL MSR TR bit ( 6bit) BTS bit ( 7bit) BTS OFF OS bit ( 9bit) BTS OFF USR bit ( 10bit) BTINT bit ( 8bit) BTINT bit 4 BTS VMM Alkanet BTS VM 4.1 VM OS VM MSR Alkanet VM MSR VM IA32 DEBUGCTL VMCS (Virtual-Machine Control Structures) IA32 DS AREA VMCS MSR IA32 DS AREA OS OS Windows Alkanet BTS Windows Windows Mm- PfnDatabase BTS OS BTS OFF OS bit 4.2 BTS Alkanet BTS Windows Windows PCR (Processor Control Region)

4 4.3 call BTS call call ret DLL [2] rundll32.exe DLL rundll32.exe BTS MWS Datasets 2014 [4] CCC DATAset 2013 DLL Conficker.dll 2 Stack- Trace 1 2 [] API [2] BTS From Valid From BTS Valid VALID INVALID BTINT UNVALIDATED 2 [11] [10] rundll32.exe Load- LibraryW Conficker.dll [05] [00] Conficker.dll Sleep API SleepEx API NtDelayExecution NtDelayExecution [05] [00] BTS (VALID) [11] [10] (UNVALIDATED) BTINT BTS 5.2 PDF call ROP (Return Oriented Programming)

5 StackTrace:! SP: 7ed24, StackBase: 80000, StackLimit: 74000! [00] <- 7c94d1fc (API: NtDelayExecution+0xc, Writable: 0, Dirty: 0,! VAD: {7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}),! From: 7c94d1fa, Valid: VALID, SP: 7ed24! [01] <- 7c8023f1 (API: SleepEx+0x51, Writable: 0, Dirty: 0,! From: 7c8023eb, Valid: VALID, SP: 7ed28! [02] <- 7c (API: Sleep+0xf, Writable: 0, Dirty: 0,! From: 7c802450, Valid: VALID, BP: 7ed7c! [03] < (API: -, Writable: 0, Dirty: 0,! VAD: { , ImageMap: 1, File: "\Conficker.dll"}),! From: , Valid: VALID, BP: 7ed8c! [04] < b (API: -, Writable: 0, Dirty: 0,! VAD: { , ImageMap: 1, File: "\Conficker.dll"}),! From: , Valid: VALID, BP: 7f184! [05] <- 7c94118a (API: LdrpCallInitRoutine+0x14, Writable: 0, Dirty: 0,! VAD: {7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}),! From: 7c941187, Valid: VALID, BP: 7f1a4! < 省略 >! [10] <- 7c80aeec (API: LoadLibraryW+0x11, Writable: 0, Dirty: 0,! From: -, Valid: UNVALIDATED, BP: 7f888! [11] < (API: -, Writable: 0, Dirty: 0,! VAD: { b000, ImageMap: 1, File: "\WINDOWS\system32\rundll32.exe"}),! From: -, Valid: UNVALIDATED, BP: 7f89c! < 省略 >! 2: Conficker.dll call ret call ret BTS MWS Datasets 2014 [4] D3M 2013 PDF [2] PDF 3 3 (Writable: 1) (Dirty: 1) ([03]) Virtual- Protect API VirtualProtectEx API NtProtect- VirtualMemory ([02] [00]) NtProtectVirtualMemory [02] [00] Valid: VALID BTS [03] From 2f900a9 2f900c7 INVALID BTS 3 [03] 4 BTS (from) (to) 4 2f900a9 2f900ae call ( 1 ) 2f900c5 Virtual- Protect API 7c801ad9 jmp ( 2 )

6 Stacktrace:! SP: f601ff8, StackBase: , StackLimit: 11d000! [00] <- 7c94d6dc (API: NtProtectVirtualMemory+0xc, Writable: 0, Dirty: 0,! VAD: {7c c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}),! From: 7c94d6da, Valid: VALID, SP: f601ff8! [01] <- 7c801a81 (API: VirtualProtectEx+0x20, Writable: 0, Dirty: 0,! From: 7c801a7f, Valid: VALID, SP: f601ffc! [02] <- 7c801aec (API: VirtualProtect+0x18, Writable: 0, Dirty: 0,! From: 7c801ae7, Valid: VALID, BP: f60201c! [03] <- 2f900c7 (API: -, Writable: 1, Dirty: 1,! VAD: {2f f91000, ImageMap: 0}),! From: 2f900a9, Valid: INVALID, BP: f602038! 3: PDF from= 2f900a9, to= 2f900ae call 2f900ae! from= 2f900c5, to=7c801ad9 jmp EBX! 4: 2 jmp API API jmp call 2f900c5 call ret 4 BTS 6 BTS Intel Core 2 Quad Q GHz 4GB PC PCMark05[5] System Test Suite PC Windows Native Alkanet (Normal) Alkanet (ST) BTS Alkanet (BTS) 3 Alkanet OS Windows Native Alkanet (Normal) Alkanet (ST) ( PCMarks) Native 100 Alkanet (Normal) 75 Alkanet (ST) 59 Alkanet (BTS) Web Page Rendering Internet Explorer Alkanet (BTS) HDD Native 10% BTS call ret

7 1 IA32 DS AREA PTE QEMU HDD Native 10% QEMU 7 kbouncer[6] API 1 LBR ROP BTS kbouncer Windows VMM VM BTS CXPInspector[7] VMM DLL CXPInspector LBR BTS BTS 5.2 call ret call call ret BTS API Windows DLL BTS 8.2 BTS 6 kbouncer[6] % LBR BTS LBR Haswell CPU EN CALLSTACK LBR BTS EN CALLSTACK LBR MSR

8 8.3 BTS BTS LBR BTS 9 BTS BTS call ret BTS LBR EN CALLSTACK [1] Otsuki, Y., Takimoto, E., Kashiyama, T., Saito, S., Cooper, E. and Mouri, K.: Tracing Malicious Injected Threads Using Alkanet Malware Analyzer, IAENG Transactions on Engineering Technologies, Lecture Notes in Electrical Engineering, Vol. 247, Springer Netherlands, pp (2014). [2] Alkanet 2013 Vol. 2013, No. 4, pp (2013). [3] Shinagawa, T., Eiraku, H., Tanimoto, K., Omote, K., Hasegawa, S., Horie, T., Hirano, M., Kourai, K., Oyama, Y., Kawai, E., Kono, K., Chiba, S., Shinjo, Y. and Kato, K.: Bit- Visor: a thin hypervisor for enforcing i/o device security, Proceedings of the 2009 ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, ACM, pp (2009). [4] MWS Datasets 2014 CSEC Vol CSEC- 66, No. 19, pp. 1 7 (2014). [5] Futuremark Corporation: Futuremark - Legacy Benchmarks, com/benchmarks/legacy (2014, accessed ). [6] Pappas, V., Polychronakis, M. and Keromytis, A. D.: Transparent ROP Exploit Mitigation Using Indirect Branch Tracing, Proceedings of the 22nd USENIX Conference on Security, SEC 13, USENIX Association, pp (2013). [7] Willems, C., Hund, R. and Holz, T.: Hypervisor-based, hardware-assisted system monitoring, Virus Bulletin Conference (2013)

1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7 2 Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア観測用 VM SystemCall Windows System

1 BitVisor [3] Alkanet[1] Alkanet (DLL) DLL 2 Alkanet 3 4 5 6 7 2 Alkanet Alkanet VMM VMM Alkanet Windows [2] マルウェア観測用 VM SystemCall Windows System Computer Security Symposium 2013 21-23 October 2013 Alkanet 525-8577 1-1-1 yotuki@asl.cs.ritsumei.ac.jp, {takimoto, mouri}@cs.ritsumei.ac.jp 466-8555 shoichi@nitech.ac.jp BitVisor Alkanet API DLL A Method

Alkanet[1, 2] Alkanet CPU CPU 2 Alkanet Alkanet (VMM) VMM Alkanet Windows Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS ユーザモード カーネルモード マルウェア観測用 PC VM

Alkanet[1, 2] Alkanet CPU CPU 2 Alkanet Alkanet (VMM) VMM Alkanet Windows Alkanet 1 Alkanet VMM BitVisor[3] BitVisor OS ユーザモードカーネルモードマルウェア観測用 PC VM