by Stefano Zanero, Sotiris Ioannidis and Evangelos Markatos
A European Union project aims to provide a much needed toolkit for forensic analysis of network-spreading malicious code.
Networks are currently infested with malicious programs propagating from one computer to another. Referred to by colourful names such as worms, viruses, and shellcodes, these programs seek to penetrate and compromise remote computers by exploiting their vulnerabilities. Once a remote computer is compromised, it can be used for a wide variety of illegal activities, including blackmail, denial-of-service attacks, hosting of illegal material, sending spam, and fraud.
i-Code is a two-year-long research project aimed at realizing an integrated real-time detection and identification toolbox for malicious code. The toolbox (complete with an integrated console) can help network administrators and forensic analysts wishing to investigate an incident involving malicious code.
i-Code addresses the challenge that increasing network speeds pose to attack detection by developing an I/O architecture that avoids common bottlenecks: datapath logic is reconfigured at application load time to match the workload and to exploit special-purpose hardware. The two components of the I/O architecture that are crucial for performance are processing and buffering. For processing, i-Code reuses the well-known streams-and-filters model; for buffering, it employs a buffer management system in which all live data are kept in coarse-grain ring buffers that are shared long-term between protection domains.
The detection approach of i-Code is three-pronged, with two network-level detectors (NEMU and Argos) and a host level detector (AccessMiner), integrated by a forensic console which also correlates their results and glues them together with shellcode analysis provided by the Anubis sandbox.
NEMU [1] is a tool that performs network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. NEMU uses a CPU emulator to dynamically analyse every potential instruction sequence in the inspected traffic, and attempts to identify the execution behaviour of certain malicious code classes, such as self-decrypting polymorphic shellcode. Attackers trying to hide their malware inside ordinary-looking incoming network packets are readily discovered by NEMU. Complemented by Anubis, a dynamic malware analysis sandbox, NEMU is able not only to detect, but also to accurately classify, incoming attacks.
Argos [2] is a full and secure system emulator designed for use in honeypots. It is based on Qemu but has been extended to detect remote attempts to compromise the emulated guest operating system. Using dynamic taint analysis, it tracks network data throughout execution and detects any attempt to use them in an illegal way. When an attack is detected the memory footprint of the attack is logged.
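The following is an added illustration of the taint-tracking idea behind Argos, not code from the project: bytes arriving from the network are marked tainted, taint follows the data through copies and arithmetic, and the moment a tainted value is about to become the program counter the monitor raises an alert and logs the memory footprint. The guest, its four-instruction machine, the unchecked copy into an 8-byte buffer and the sample messages are all constructed for this example.

```python
from dataclasses import dataclass, field

FRAME_BASE = 32                  # 8-byte input buffer on the guest "stack"
RET_SLOT = FRAME_BASE + 8        # saved return address sits right after it

@dataclass
class Guest:
    mem: list = field(default_factory=lambda: [0] * 64)
    taint: list = field(default_factory=lambda: [False] * 64)
    regs: dict = field(default_factory=lambda: {"r0": (0, False)})
    pc: int = 0

    def recv(self, dst, payload):
        """Copy network bytes into guest memory with no length check (the
        modelled bug), tainting every byte that was written."""
        for i, b in enumerate(payload):
            self.mem[dst + i], self.taint[dst + i] = b, True

    def step(self, ins):
        """Execute one instruction; taint travels with the data it touches."""
        op = ins[0]
        if op == "load":                 # load rX, addr
            _, reg, addr = ins
            self.regs[reg] = (self.mem[addr], self.taint[addr])
        elif op == "add":                # add rX, imm: arithmetic keeps taint
            _, reg, imm = ins
            val, t = self.regs[reg]
            self.regs[reg] = ((val + imm) % 256, t)
        elif op == "store":              # store rX, addr
            _, reg, addr = ins
            self.mem[addr], self.taint[addr] = self.regs[reg]
        elif op == "ret":                # saved return address becomes pc
            if self.taint[RET_SLOT]:     # network data about to steer execution:
                return {"alert": "tainted control transfer",   # log the footprint
                        "target": self.mem[RET_SLOT],
                        "tainted_cells": [i for i, t in enumerate(self.taint) if t]}
            self.pc = self.mem[RET_SLOT]
        return None

def run_guest(payload):
    """Deliver one message to the handler and report what the monitor saw."""
    g = Guest()
    g.mem[RET_SLOT] = 7                  # legitimate return address
    g.recv(FRAME_BASE, payload)
    for ins in [("load", "r0", FRAME_BASE), ("add", "r0", 1),
                ("store", "r0", 20), ("ret",)]:
        report = g.step(ins)
        if report:                       # tainted bytes used as data are fine;
            return report                # only the control transfer alerts
    return {"alert": None, "target": g.pc}
```

An 8-byte message stays inside the buffer and the handler returns normally; a 12-byte message overwrites the saved return address, and the report lists every guest byte the message controlled, which is the footprint a forensic analyst would start from.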
AccessMiner [3] is a tool developed to analyse system calls collected on hosts that run applications for regular users on actual inputs, and differentiate them from malware system calls. It has been designed for large scale collection and centralized analysis on real world networks.
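As an added illustration of the system-centric idea behind AccessMiner (not the project's own code or log format), the snippet below aggregates how benign software across several hosts accesses operating-system resources and then judges an unknown program by the resources it touches, not by which program it is. The log lines, the `host=... proc=... op=... res=...` format and the directory-prefix generalisation are constructed for this example.

```python
import re
from collections import defaultdict

LINE = re.compile(r"host=(\S+) proc=(\S+) op=(read|write|exec) res=(\S+)")

# Constructed benign accesses, "collected" from regular users' hosts.
BENIGN_LOG = """\
host=h1 proc=explorer.exe op=read res=C:/Windows/System32/shell32.dll
host=h1 proc=winword.exe op=write res=C:/Users/alice/Documents/report.docx
host=h2 proc=chrome.exe op=read res=C:/Windows/System32/ntdll.dll
host=h2 proc=chrome.exe op=write res=C:/Users/bob/AppData/Local/Google/Cache/f1
host=h3 proc=winword.exe op=read res=C:/Windows/System32/kernel32.dll
host=h3 proc=explorer.exe op=read res=HKLM/Software/Microsoft/Windows/Run
"""

def resource_key(path):
    """Generalise a path to its directory so the model covers unseen file names."""
    return path.rsplit("/", 1)[0]

def build_model(log):
    """Map each resource prefix to the operations any benign program performed on it."""
    model = defaultdict(set)
    for _host, _proc, op, res in LINE.findall(log):
        model[resource_key(res)].add(op)
    return model

def score(model, log):
    """Return accesses that no benign program was ever seen performing on that resource."""
    violations = []
    for _host, proc, op, res in LINE.findall(log):
        allowed = model.get(resource_key(res))
        if allowed is not None and op not in allowed:
            violations.append((proc, op, res))
    return violations

# Constructed trace of an unknown program on a new host.
SUSPECT_LOG = """\
host=h9 proc=update.exe op=read res=C:/Windows/System32/user32.dll
host=h9 proc=update.exe op=write res=C:/Windows/System32/helper.exe
host=h9 proc=update.exe op=write res=HKLM/Software/Microsoft/Windows/Run
"""

if __name__ == "__main__":
    for violation in score(build_model(BENIGN_LOG), SUSPECT_LOG):
        print("suspicious access:", violation)
```

Reading a system DLL is something every benign program does and passes; writing into the system directory or the Run key is an operation no benign program in the collected traces performed on those resources, so both are reported regardless of what the program calls itself.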
Anubis is a dynamic malware analysis system based on an instrumented Qemu emulator. It is offered as an open service through a public website, where users can submit binaries for analysis, and receive a report that describes the behaviour of the sample in a human-readable way. For i-Code Anubis was extended to support the analysis and classification of shellcode.
The console is designed to collect events generated by these systems, pass the resulting shellcode on to the Anubis sandbox for analysis, and integrate the results in an easy-to-use view. It is also designed to be easily extensible with further detection systems through the use of open communication standards.
Figure 1: A screenshot of the i-Code console. The events shown are fictional and the IP addresses are not real.
The final results of the project were presented in Brussels in June 2012 at a conference attended by over 40 members of the European forensics community. Besides the project results, several open-source and research tools for network monitoring and incident analysis were presented.
Links:
i-Code: http://www.icode-project.eu
Anubis: http://anubis.iseclab.org
Anubis Shellcode Analyzer: http://shellcode.iseclab.org/
NEMU: http://www.ics.forth.gr/dcs/Activities/papers/nemu.wdfia09.pdf
Argos: http://www.few.vu.nl/argos/
References:
[1] M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. “Emulation-based detection of non-self-contained polymorphic shellcode”. In Proc. of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID 2007), September 2007.
[2] G. Portokalidis, A. Slowinska, and H. Bos. “Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation”. In Proc. of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys '06). ACM, New York, NY, USA, 2006, 15-27.
[3] A. Lanzi et al. “AccessMiner: using system-centric models for malware protection”. In Proc. of the 17th ACM Conference on Computer and Communications Security (CCS '10). ACM, New York, NY, USA, 2010, 399-412.
Please contact:
Stefano Zanero, Politecnico di Milano, Italy
Evangelos Markatos, ICS-FORTH, Greece
E-mail: