ABSTRACT
The lucrative rewards of penetrating large organizations have motivated the development and use of many sophisticated rootkit techniques for maintaining an attacker's presence on a compromised system. Because such infections are built to evade detection, finding rootkit infestations is a hard problem facing modern organizations. Many approaches to this problem have been proposed, but drawbacks ranging from signature-generation issues to limited coverage and poor performance prevent them from being ideal solutions.
In this paper, we present Blacksheep, a distributed system for detecting a rootkit infestation among groups of similar machines. The approach is motivated by the homogeneous nature of many corporate networks. Taking advantage of the similarity among the machines it analyzes, Blacksheep efficiently and effectively detects both existing and new infestations by comparing the memory dumps collected from each host and singling out the hosts that deviate from the crowd.
We evaluate Blacksheep on two sets of memory dumps. One set is taken from virtual machines using virtual machine introspection, mimicking a deployment of Blacksheep on a cloud computing provider's network. The other set is taken from Windows XP machines via a memory acquisition driver, demonstrating Blacksheep's use under more challenging image acquisition conditions. The results show that by leveraging the homogeneous nature of groups of computers, it is possible to detect rootkit infestations.
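The crowd comparison described above can be illustrated with a small script. The following is an added example, not the Blacksheep code from the paper: it assumes each host's memory dump has already been reduced (for instance by Volatility plugins) to a flat mapping of artifact name to observed value, such as an SSDT slot and the module that owns its target address, or a driver name and its load base. The host names, artifact names and values in `CROWD` are constructed for the example; `crowd_norms`, `find_black_sheep` and the `min_agreement` threshold are this example's own design, not the paper's.

```python
"""Crowd comparison of kernel artifacts across a homogeneous fleet.

Added illustration of the comparison idea, not the Blacksheep implementation.
Each host is assumed to be reduced to a flat map artifact name -> observed
value. Hosts whose value for an artifact disagrees with a clear crowd
majority are flagged; artifacts with no clear majority are reported as
unstable instead of being used to flag anyone.
"""
from collections import Counter
from typing import Dict, List, Tuple

Artifacts = Dict[str, str]
Finding = Tuple[str, str, str, str]  # (host, artifact, crowd norm, observed)

# Marker for an artifact a host did not report at all; an extra driver on
# one host then shows up as a deviation from an "absent" norm.
ABSENT = "<absent>"

# Constructed crowd: five hosts built from one corporate image. Values are
# illustrative, not taken from any real dump.
CROWD: Dict[str, Artifacts] = {
    "host-01": {"ssdt[0x42]": "ntoskrnl.exe", "ssdt[0x91]": "ntoskrnl.exe",
                "idt[0x2e]": "ntoskrnl.exe", "base:tcpip.sys": "0xb2f2a000"},
    "host-02": {"ssdt[0x42]": "ntoskrnl.exe", "ssdt[0x91]": "avfilter.sys",
                "idt[0x2e]": "ntoskrnl.exe", "base:tcpip.sys": "0xb2f31000"},
    "host-03": {"ssdt[0x42]": "ntoskrnl.exe", "ssdt[0x91]": "ntoskrnl.exe",
                "idt[0x2e]": "ntoskrnl.exe", "base:tcpip.sys": "0xb2f2a000"},
    # host-04: one SSDT slot resolves to no listed module, and a driver that
    # no other host has is loaded.
    "host-04": {"ssdt[0x42]": "unknown@0xf8a1c2b0", "ssdt[0x91]": "ntoskrnl.exe",
                "idt[0x2e]": "ntoskrnl.exe", "base:tcpip.sys": "0xb2f40000",
                "base:unlisted.sys": "0xf8a1c000"},
    "host-05": {"ssdt[0x42]": "ntoskrnl.exe", "ssdt[0x91]": "avfilter.sys",
                "idt[0x2e]": "ntoskrnl.exe", "base:tcpip.sys": "0xb2f2a000"},
}


def crowd_norms(crowd: Dict[str, Artifacts],
                min_agreement: float = 0.75) -> Tuple[Dict[str, str], List[str]]:
    """Derive the crowd's expected value for every artifact.

    An artifact gets a norm only when at least `min_agreement` of the hosts
    report the same value. Artifacts without such a majority (driver load
    bases that vary with load order, a hook present on only part of the
    fleet) are returned as unstable so an analyst can review them.
    """
    names = set()
    for arts in crowd.values():
        names.update(arts)
    norms: Dict[str, str] = {}
    unstable: List[str] = []
    n = len(crowd)
    for name in sorted(names):
        counts = Counter(arts.get(name, ABSENT) for arts in crowd.values())
        value, freq = counts.most_common(1)[0]
        if freq / n >= min_agreement:
            norms[name] = value
        else:
            unstable.append(name)
    return norms, unstable


def find_black_sheep(crowd: Dict[str, Artifacts],
                     min_agreement: float = 0.75) -> Tuple[List[Finding], List[str]]:
    """Flag every (host, artifact) that disagrees with an established norm."""
    norms, unstable = crowd_norms(crowd, min_agreement)
    findings: List[Finding] = []
    for host, arts in sorted(crowd.items()):
        for name, norm in norms.items():
            observed = arts.get(name, ABSENT)
            if observed != norm:
                findings.append((host, name, norm, observed))
    return findings, unstable


if __name__ == "__main__":
    findings, unstable = find_black_sheep(CROWD)
    for host, name, norm, observed in findings:
        print(f"{host}: {name} = {observed!r}, crowd has {norm!r}")
    for name in unstable:
        print(f"no crowd norm for {name}; review manually")
```

With the default threshold only host-04 is flagged, for the unresolved SSDT target and the extra driver; the partial antivirus hook on `ssdt[0x91]` and the varying `tcpip.sys` base are reported as unstable rather than as infections. Lowering `min_agreement` to 0.6 turns both of those into norms and flags the minority hosts, so the threshold has to be chosen against the real variance of the fleet. The comparison is also only as trustworthy as the dumps it receives: a rootkit that tampers with the acquisition path can present the crowd with a consistent lie.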
Index Terms
- Blacksheep: detecting compromised hosts in homogeneous crowds