Polymorphism and IDS
Black Hat Briefings
Las Vegas 2001
Chad R. Skipper
Sr. Software Engineer
Symantec Corp.
whoami
Chad R. Skipper
• Air Force - systems counter intelligence, OSI investigations, information warfare, and exploit intelligence
• Trident Data Systems – Network/Sys/Security Administrator
• L-3 Network Security/Symantec – Sr. Software Engineer
  • Signature Development
  • IDS Evasion Techniques
Overview
• Evolution of malicious polymorphic code
• Paradigm shift
• Polymorphic coding
  • ADMmutate by K2
  • http://www.ktwo.ca/
• TCPDumps
• IDS Response
Polymorphism
What is polymorphism
• The ability to appear in many forms
• Continuous change (unique coding)
• Independent of encryption
• Morphs regexp's within attacks
• Can exist on multiple platforms
Evolution of Polymorphism
Simple Viruses
• Replicates itself and is the easiest to detect
• Virus always makes an exact replica of itself
• Detection: Scan for a sequence of bytes found in the virus
Evolution of Polymorphism
Encrypted Viruses
• Response to detection was encrypting viruses
• Hide the fixed bytes by encrypting the virus
Evolution of Polymorphism
Encrypted Viruses
• Consists of a virus decryption routine and an encrypted virus body
• Uses encryption keys, but the decryption routine remained constant, thus detection was a sequence of bytes of the decryption routine
Evolution of Polymorphism
Encrypted Viruses
• Executes decryption routine
• Gains control of the system
• Decrypts and gives control to virus
• Infection occurs
• Copies itself
• Encrypts itself
• Attaches itself to a new program
Evolution of Polymorphism
Polymorphic Virus
• Response to detection was polymorphism
• Contains the encrypted body and decryption routine
• Adds a mutation engine that generates randomized decryption routines with each use
• Mutation engine and virus body are both encrypted
• Result is the virus body encryption and decryption routines vary from infection to infection
• NO FIXED SIGNATURE
Evolution of Polymorphism
Polymorphic Virus
• Decrypts virus and mutation engine
• Transfers control to the virus
• Copies itself and the mutation engine
• Invokes the mutation engine
• Randomly generates decryption routine
• Virus is now unique from the prior virus
• Attaches to a new program
Evolution of Polymorphism
Problems with Polymorphic Virus Detection
• Dark Avenger and MtE
  • Produces random programs
  • Billions-upon-billions of variations
Polymorphic Virus Detection
• One-by-one, line-by-line (Don't think so)
Generic Decryption
• Slow
Heuristic-Based Generic Decryption
• Heuristic guesses
• False Negatives
Evolution of Polymorphism
Polymorphic Virus Detection Solutions
• Does not rely on heuristic guesses
• Relies on rules or profiles specific to each virus
• Rules out possibilities first
• Runs file in virtual machine (VM)
• Looks for triggers
Evolution of Polymorphism
Polymorphic Virus Detection Solutions
• Load file into self-contained VM
• Is this file .exe, .com, .sys…?
• If .exe then A, B, C, D and E are virus behaviors
• Suspect files
  • A,B,C
  • A,B,D
  • D,B,E
• Observes A, then "D,B,E" is out
• Observes B, then the remaining are still in
• Observes D, then "A,B,C" is out and "A,B,D" is in
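The "rule out possibilities first" narrowing the slide walks through, as an added example that is not from the deck: each suspect profile is an ordered behaviour sequence, and a profile stays in only while the behaviours the VM has observed are a prefix of it. The profile names, the A..E labels and the .exe file type come from the slide; the data structures and function names are this example's own.

```python
# Added example, not from the slides: prefix matching over the behaviour
# sequences a file shows while it runs in the VM, narrowing the suspect
# profiles after every observation until one trigger fires or none is left.

from typing import Dict, List, Optional, Tuple

# Constructed from the slide: for an .exe, the suspect files and the ordered
# behaviours each is expected to exhibit. Other file types would get their own.
PROFILES_BY_TYPE: Dict[str, Dict[str, List[str]]] = {
    ".exe": {
        "A,B,C": ["A", "B", "C"],
        "A,B,D": ["A", "B", "D"],
        "D,B,E": ["D", "B", "E"],
    },
}


def candidates(observed: List[str], profiles: Dict[str, List[str]]) -> List[str]:
    """Profiles still consistent with what has been observed so far.

    A profile stays in only while the observed sequence is a prefix of its
    expected sequence; one behaviour out of order rules it out for good.
    """
    n = len(observed)
    return sorted(name for name, seq in profiles.items() if seq[:n] == observed)


def run_in_vm(file_type: str, trace: List[str]) -> Tuple[List[Tuple[str, List[str]]], Optional[str]]:
    """Feed the behaviours the VM observes, one at a time.

    Returns the narrowing history (behaviour, profiles still in) and the name
    of the profile whose trigger fired, i.e. whose whole sequence was seen.
    Stops as soon as nothing is left or a full profile has been observed.
    """
    profiles = PROFILES_BY_TYPE.get(file_type, {})
    history: List[Tuple[str, List[str]]] = []
    seen: List[str] = []
    for behaviour in trace:
        seen.append(behaviour)
        remaining = candidates(seen, profiles)
        history.append((behaviour, remaining))
        for name in remaining:
            if profiles[name] == seen:      # trigger: full sequence observed
                return history, name
        if not remaining:                   # ruled everything out
            break
    return history, None


if __name__ == "__main__":
    # The slide's walk-through: A keeps two profiles, B keeps both, D leaves A,B,D.
    for step in run_in_vm(".exe", ["A", "B", "D"])[0]:
        print(step)
```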
The Paradigm Shift
Concepts used from Polymorphic Viruses
• Mutation engine
• Polymorphic algorithm
• Morphing of the payload to include
  • Shell code
  • NOP's
  • Encoder/Decoder
  • Non-Operational Padding
The Paradigm Shift
The intent of Polymorphic Attacks
• To evade signature analysis of IDS
• Signature analysis looks at
  • Shell code
  • NOP's
  • Specific offsets within a payload
  • ASCII
  • Headers
Encoding Process
Shell code
• Morphed prior to launch, with each subsequent morphing unique
• ROT, MOV
• XOR (exclusive-or) with a randomly generated value
  • 0 xor 0 = 0
  • 0 xor 1 = 1
  • 1 xor 0 = 1
  • 1 xor 1 = 0
  • If the first or the second operand, but not both, is one, the result is one; otherwise the result is zero.
Encoding Process
Shell code
• Randomly generated xor value of 0x23
• DNS – Snort
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)
Encoding Process
Shell code
• Shell code of: 0x 3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20
• XOR with the value of 0x23
• We get: 0x 1C B3B3B3 C818 12F8 7C A0CC5F AE5433 AA5427 AE6C03
• This can give us over 64,000 permutations for 1 byte
• BTW, the computational overhead of this for NIDS may/will be substantial.
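The XOR step above and its cost on the detection side, as an added example that is not from the deck: the signature bytes of the IDS489 rule are XORed with 0x23 to reproduce the slide's output, the plain content match then fails, and an XOR-aware matcher has to retry the same content match under every one-byte key to find it again. SIGNATURE and KEY are the values shown on the slides; the function names and the filler bytes around the sample are this example's own.

```python
# Added example, not from the slides: single-byte XOR encoding of the IDS489
# content bytes and the brute-force work a matcher must do to undo it.

# Constructed from the slide's "Shell code of:" line (bytes.fromhex ignores spaces).
SIGNATURE = bytes.fromhex(
    "3F 90 90 90 EB 3B 31 DB 5F 83 EF 7C 8D 77 10 89 77 04 8D 4F 20"
)
KEY = 0x23  # the "randomly generated xor value" from the slide


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR each byte with a one-byte key. XOR is its own inverse, so the
    same call both encodes and decodes (x ^ k ^ k == x)."""
    return bytes(b ^ key for b in data)


def pattern_match(payload: bytes, signature: bytes) -> bool:
    """Plain content match, as the Snort rule does it: the signature bytes
    must appear verbatim somewhere in the payload."""
    return signature in payload


def xor_aware_match(payload: bytes, signature: bytes):
    """Retry the content match under every possible one-byte key.

    Returns the key under which the signature appears, or None. Each
    signature now costs up to 256 passes over the payload instead of one,
    which is the overhead the slide warns a NIDS would pay.
    """
    for key in range(256):
        if signature in xor_bytes(payload, key):
            return key
    return None


def build_morphed_packet(shellcode: bytes, key: int) -> bytes:
    """Constructed sample payload: filler, then the XOR-encoded shellcode,
    then filler. The decoder the deck describes is omitted because only the
    encoded bytes matter for the signature check."""
    filler = b"\x00" * 8
    return filler + xor_bytes(shellcode, key) + filler


def demo():
    """Return (plain match on morphed packet, plain match on the original
    bytes, key recovered by the XOR-aware matcher)."""
    packet = build_morphed_packet(SIGNATURE, KEY)
    return (
        pattern_match(packet, SIGNATURE),        # False: every byte changed
        pattern_match(SIGNATURE, SIGNATURE),     # True: the rule still fits the original
        xor_aware_match(packet, SIGNATURE),      # 0x23: found after up to 256 passes
    )


if __name__ == "__main__":
    print(xor_bytes(SIGNATURE, KEY).hex())  # the slide's "We get:" bytes
    print(demo())
```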
Encoding Process
NOP's
• No operation assembly processor instruction
• So, we substitute known NOP's with other characters that do not affect the outcome of the code
Encoding Process
NOP's
• Platform specific NOP's
  • AIX – 0x4ffffb82
  • Digital – 0x47ff041f
  • HP – 0x0b390280
  • Intel – 0x90
  • SGI – 0x240f1234
  • SPARC – 0x13c01ca6; 0xa61cc013, 0x801c4011
Encoding Process
NOP's
• Substitutional NOP's per K2
  • Intel
    • 0x49
    • 0x4b
    • 0x45
  • SPARC
    • 0xa21c8012
    • 0xb606401a
    • 0xa026e042
Encoding Process
Encoder/Decoder
• My first thought was that we can detect the Encoder/Decoder
• "It would not be cool if the IDS vendor could simply detect our decoder." - K2
• FAT CHANCE… This would be too easy
• Techniques used are multiple code paths, non-operational padding, and randomly generated instructions
• Decoder processes the data after the overflow
Attacks
(Figure: Attacker and Victim with a Network IDS in between; IDS panel labels POWER, FAULT, DATA, ALARM)
TCPDumps (Normal)
(hex dump of the normal packet)
TCPDumps (Polymorphed)
(hex dump of the polymorphed packet)
TCPDumps (Polymorphed)
(hex dump of a second polymorphed packet)
Network Intrusion Response
Protocol Analysis
• Application Layer
(Figure: OSI stack Physical, Data Link, Network, Transport, Session, Presentation, Application)
Network Intrusion Response
Protocol Analysis
• What protocol is it?
  • IP, IPX…
• If IP then is it TCP, UDP, ICMP…
• If TCP then is it HTTP, DNS, FTP…
• If HTTP then apply HTTP signatures
• Determine if alert is needed
Network Intrusion Response
Protocol Analysis
• Break the payload down into manageable parts
• Look for expected results
• Anything out of that range – alert
(Figure: Physical, Data Link, Network headers and Payload for Normal HTTP beside the same for Abnormal HTTP)
Network Intrusion Response
Protocol Analysis
• Can detect polymorphic attacks
• Proactive
• Better performance
• Harder to evade
• May be possible to create polymorphic code that looks like normal traffic on some services
Network Intrusion Response
Pattern Matching
• Searches for set patterns within packets, such as shell-code, NOP's, and ASCII
• Pattern matching is defeated by polymorphic attacks
(Figure: Physical, Data Link, Network headers and Payload)
Network Intrusion Response
Snort Example – Pattern Matching
DNS - Snort
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)
TFN - Snort
alert ICMP any any -> any any (msg: "IDS425/ddos-tfn2k-icmp_possible_communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; classtype: system-success; reference: arachnids,425;)
Network Intrusion Response
Snort Example – Pattern Matching
X86 NOP's - Snort
alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,362;)
Network Intrusion Response
Binary Signatures
• Detecting binary strings within protocols such as SMTP
• Attacks against text-only services could check for characters outside the standard text range
  • FTP
• Could pick up polymorphic attacks
Network Intrusion Response
Packet Size
• Detecting unusually large amounts of data streams
  • POP3, RPC, HTTP, FTP
• Can pick up polymorphic attacks
(Figure: Physical, Data Link, Network headers and Payload)
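The Binary Signatures and Packet Size checks above, plus a run-length check for the substitutional NOP's listed on the NOP's slide, as an added example that is not from the deck: the three checks are run over constructed traffic to a text-only service. The NOP byte values are the Intel ones the deck lists (0x90 and K2's substitutes 0x49, 0x4b, 0x45); the thresholds, function names and sample payloads are this example's own.

```python
# Added example, not from the slides: three payload-level checks for a
# text-only service, each returning a finding a NIDS could alert on.

import string
from typing import List

TEXT_BYTES = frozenset(string.printable.encode("ascii"))  # letters, digits, punctuation, whitespace
X86_NOP_LIKE = frozenset({0x90, 0x49, 0x4B, 0x45})        # 0x90 plus the K2 substitutes from the deck
MAX_TEXT_CMD_LEN = 512  # hypothetical limit for one command line on FTP/SMTP/POP3
MIN_NOP_RUN = 16        # hypothetical: a run this long is treated as a sled


def non_text_bytes(payload: bytes) -> int:
    """Count bytes a text-only protocol should never carry (Binary Signatures)."""
    return sum(1 for b in payload if b not in TEXT_BYTES)


def longest_nop_run(payload: bytes, nop_set=X86_NOP_LIKE) -> int:
    """Length of the longest unbroken run of NOP-equivalent bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in nop_set else 0
        best = max(best, run)
    return best


def inspect_text_service(payload: bytes, service: str) -> List[str]:
    """Apply all three checks and return one alert string per finding."""
    alerts: List[str] = []
    binary = non_text_bytes(payload)
    if binary:
        alerts.append(f"{service}: {binary} byte(s) outside the text range")
    if len(payload) > MAX_TEXT_CMD_LEN:                       # Packet Size check
        alerts.append(f"{service}: oversized command ({len(payload)} bytes)")
    run = longest_nop_run(payload)
    if run >= MIN_NOP_RUN:
        alerts.append(f"{service}: NOP-like run of {run} bytes")
    return alerts


# Constructed samples. NORMAL is an ordinary FTP login line. MORPHED imitates
# the deck's morphed packet: a sled of K2's substitute NOPs (all printable
# letters, so the text-range check alone misses it) followed by a few of the
# XOR-encoded bytes from the Encoding Process slide. LONG is simply too big.
NORMAL = b"USER anonymous\r\n"
MORPHED = b"USER " + bytes([0x49, 0x4B, 0x45]) * 8 + bytes.fromhex("1c b3 b3 b3 c8 18 12 f8") + b"\r\n"
LONG = b"USER " + b"A" * 600 + b"\r\n"


def demo():
    """Alerts per sample, keyed by sample name."""
    return {name: inspect_text_service(p, "FTP")
            for name, p in [("normal", NORMAL), ("morphed", MORPHED), ("long", LONG)]}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

Note that the sled of substitute NOPs only trips the run-length check, which is the deck's point that morphed code can look like normal traffic to a text-range check alone.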
Network Intrusion Response
Connection Time
• Abnormal connection time rates such as lengthy DNS collaboration
  • DNS, HTTP, RPC, etc…
• Time based
• Expensive
• Could detect polymorphic attacks by timing the session between hosts
Network Intrusion Response
Outcome Detection – Success/Failure
• Able to detect response to attacks
• Able to detect "/bin/sh" leaving on port 53
• Could detect polymorphic attacks
• Another evasion technique is the response from the victim being hashed/encrypted/scrambled
Network Intrusion Response
Outcome Detection – Success/Failure
• Solaris snmpXdmid - LAST STAGE OF DELIRIUM
  • NOP's to server (hex dump on the slide)
  • /bin/ksh to server (hex dump on the slide; ASCII column reads "...../...b...i..", ".n.../...k...s..", ".h..............")
  • uname –a to server: 82 8C 2F 62 69 6E 2F 75 6E 61 6D 65 20 2D 61 0A   ../bin/uname -a.
Network Intrusion Response
Outcome Detection – Success/Failure
• Solaris snmpXdmid - LAST STAGE OF DELIRIUM
  • Response to uname –a (ASCII column of the hex dump): ..SunOS sa-solaris-02 5.8 Generic sun4u sparc SUNW,Ultra-5_10.
  • Response to /etc/passwd (ASCII column of the hex dump): 5.root:x:0:1:Super-User:/:/sbin/sh.daemon:x:1:1::/:.bin:x:2:2::/
Network Intrusion Response
Log Analysis
• Event Viewer, /var/adm/messages, /var/log/syslog, etc.
• Able to detect abnormal occurrences within the host
• Can detect polymorphic attacks
  # more /var/adm/messages
  May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] One instance of this daemon is already running on this machine
Host Intrusion Response
Access/Change Analysis
• Changes to any audited file
• Spawning of child processes
• Removal of any audited file
• Replacement of any audited file
• Can detect polymorphic attacks
Host Intrusion Response
Port Activity
• Unusual port activity
• RPC – ttdb – active session to outside host
• Could detect polymorphic attacks as they occur
Defeating Polymorphic Attacks
Assessment and Intrusion Detection (IDS)
(Figure: a 2x2 grid of Host-Based vs Network-Based against "Proactive" (scheduled) Assessment vs "Reactive" (24 x 7) IDS)
• Network-Based Assessment: Reenact common intrusion or attack scenarios; ID and report network vulnerabilities and suggest corrective actions
• Host-Based Assessment: Inspect system configuration files, password files for weak passwords, and other system objects for policy violations
• Network-Based IDS: Collect information from the network for real-time monitoring
• Host-Based IDS: Monitor audit and log data; active "sensors" on servers and workstations monitor user actions and protect resources, applications, and data
Future trends from the past
State of NIDS detection is where Anti-Virus was in the mid 90's
IDS Evasion is now just getting started
Polymorphic Virus Stats (SARC www.sarc.com)
• 1988 - The first virus with variable key encryption (between infections)
• 1990 - Polymorphic viruses found in the United States including V2Px, Virus-90 and Virus-101 viruses
• 1992 – First polymorphic engine that could be plugged into a virus as an add-on
• Today - ~2,000 – 5,000 polymorphic viruses today (Not all in the wild)
Shameless Promotion
• Kevin Mandia – Foundstone
• Incident Response – Investigative Computer Crime
• www.amazon.com
Credits
K2 – www.ktwo.ca
Jeru – www.newhackcity.net/~jeru
Snort – www.snort.org
SARC – www.sarc.com
Symantec – www.symantec.com
That's all folks
QUESTIONS????