K-Tracer: a System for Extracting Kernel Malware Behavior
Total Page:16
File Type:pdf, Size:1020Kb
K-Tracer: A System for Extracting Kernel Malware Behavior Andrea Lanzi1,2 Monirul Sharif1 Wenke Lee1 1School of Computer Science, College of Computing, Georgia Institute of Technology, USA {msharif, wenke}@cc.gatech.edu 2Dipartimento di Informatica e Comunicazione, Universita` degli Studi di Milano, Italy [email protected] Abstract install backdoors, and maliciously manipulate other system level data. Kernel rootkits can easily hide activities from Kernel rootkits can provide user level-malware programs user-level programs and at the same time cripple kernel- with the additional capabilities of hiding their malicious ac- level security programs. tivities by altering the legitimate kernel behavior of an op- Since rootkits are not used alone, discovering their ma- erating system. While existing research has studied rootkit licious behaviors is essential in understanding the impli- hooking behavior in an effort to help develop defense and cations of malware that utilizes them. Determining that remediation mechanisms, automated analysis of the actual a rootkit has a backdoor capability that waits for network malicious goals and capabilities of rootkits has not been packets on a specific port with specific contents can enable adequately investigated. In this paper, we present an ap- the identification of infected hosts in a network by way of proach based on a combination of backward slicing and examining the network traffic. Network perimeter defense chopping techniques that enables automatic discovery of systems can also use this information to stop further mali- the system data manipulation behaviors of rootkits. We have cious activities on infected hosts. Rootkits that hide pro- built a system called K-Tracer that can dynamically analyze cesses with specific names can help identify the malicious Windows kernel-level code and extract malicious behaviors programs that are being hidden by the rootkit. In order from rootkits, including sensitive data access, modification to conceal specific system level objects such as processes, and triggers. Our system overcomes several challenges of files, etc., rootkits usually use conditions in the code before analyzing the Windows Kernel. We have performed exper- manipulating the data. Therefore, extracting triggers or con- iments on several kernel malware samples and shown that ditions used on sensitive or critical data before modification our system can successfully extract all malicious data ma- reveals what specific malicious entities or data items the nipulation behaviors from them. We also discuss the limita- rootkit wants to conceal. With large, complex and closed- tions of our current system on newer rootkit strategies, and source kernels of operating systems such as Windows, man- provide insight into how it can be extended to handle these ually understanding these behaviors of rootkits is a daunting emerging threats. and error-prone task. Thus, there is a dire need of an auto- mated system for this purpose. In order to intercept various events in the kernel, kernel- level rootkits implant hooks to divert execution flow to its 1 Introduction own code. Recent research has focused on identifying the hooking behavior of kernel-level rootkits [26, 27] in an ef- In a system where malware programs reside in the same fort to understand the mechanism in which rootkits install environment with anti-malware software, whoever operates their additional illicit behavior. This information can help at a lower-level in the system has the control and wins. identify potential locations in the kernel where hooks are Rootkits, programs that are designed to take control of sys- placed as well as ways to remove rootkits from an infected tems by running with administrative level privileges, work system. However, such systems do not discover the actual as helper programs for other malware and provide addi- malicious goals and capabilities of the rootkits. Moreover, a tional illicit capabilities that can increase the difficulty of rootkit with the same malicious goal can use different meth- detection and clean-up. User-level malware generally use ods to hook into the kernel. Some newer techniques such as the help of kernel-level rootkits to hide processes and files, Direct Kernel Object Modification (DKOM) and hardware based approaches do not need to place hooks. While hook- evaluated our system on a large number of rootkits and ing behavior can be expressed as manipulation of kernel showed that we can extract information about the malicious control-flow, the actual malicious goals of kernel rootkits capabilities of these rootkits. We summarize our contribu- can be expressed as manipulation of system-level data. tions below: In this paper, we present an automated system that effi- • We designed an approach for analyzing kernel-level ciently analyzes the data manipulation behaviors of rootkits. code that can extract information about the malicious Our observation is that rootkits modify sensitive data ac- goals and capabilities from the kernel rootkits through cessed by user-level programs via system-calls or account- the stimulation of the data-flow events. Such rootkit ing data structures maintained by the kernel that reflect sys- behaviors are not revealed by hooking behavior analy- tem state, by executing rootkit code during specific events sis in existing research. in the kernel. In our approach, by stimulating potential events and performing data-flow analysis on sensitive data • We propose a new technique that is a combination of through the executed code paths in the kernel that service backward slicing and chopping techniques on selective these events, we gather detailed information about the data stimulated execution paths in the kernel that identifies access patterns, data modifications and used triggers of the all possible data sources that the malware uses to in- rootkit. fluence sensitive data, and all possible instructions that We use derivatives of the dynamic slicing technique [2] are influenced by these sources, for example malicious for data-flow analysis. Our use of dynamic slicing differs triggers. from [26] in that we use a combination of backward and • To the best of our knowledge, we are the first to de- forward slicing on selected execution paths of the kernel. velop a dynamic kernel level analysis engine for the This combined approach is essential for identifying all pos- Windows OS. We have tackled several design and im- sible data manipulation behaviors. The more traditional plementation challenges in order to make our system backward slicing phase identifies all potential data sources handle a large variety of rootkit techniques. We have that can influence the sensitive data. The forward slicing performed experimental evaluation on different real- technique is required for identifying all instructions that are world rootkits, showing that our system is able to au- influenced by the identified sources, including triggers used tomatically extract detailed information about the ma- in the rootkit code. More precisely, our forward slicing licious capabilities. technique is known as chopping [14]. Although many mal- ware analysis techniques rely on dynamic taint propagation • We describe the limitations of our system against some technique, we chose not to use it for our analysis purposes. newer rootkit techniques, and discuss how our system Kernel-level code can read or write from anywhere in mem- can be further improved to counter these new rootkit ory. Moreover, different kernel components share the same techniques. address space. Therefore, performing dynamic taint anal- ysis on rootkits for identifying kernel data modifications We present background information related to rootkit be- may lead to an uncontrollable explosion of tainted code/data havior analysis in Section 2. In Section 3, we discuss the throughout the kernel, which may lead to a significant num- principles of K-Tracer’s approach. Section 4 describes the ber of false positives. By using dynamic data-flow analysis architecture and details of K-Tracer. Experimental evalua- on selective event-handling execution paths, our system is tion of our tool with various rootkits are discussed in Sec- much more scalable and efficient than pure dynamic taint tion 5. We provide a discussion of how our current im- based approaches while reducing the false positives. plementation can be extended to handle other sophisticated rootkit techniques such as DKOM (Direct Kernel Object We have developed K-Tracer, an automated rootkit be- Modification) and hardware based techniques in Section 6. havior analyzer for the Windows OS. It is developed us- Related work is presented in Section 7. We conclude our ing the whole system emulator, QEMU [4]. An important paper in Section 8. functionality of K-Tracer is to gather a dynamic trace of the execution path in the kernel that handles a specific stimu- lated event. In order to extract a precise dynamic trace, K- 2 Background Tracer handles all Windows internal functionalities, includ- ing asynchronous or synchronous I/O events, user-space The goal of rootkits can be generally expressed as at- memory re-mapping of arguments during system calls, and tempts to manipulate information passed between user pro- interrupt handling [24]. Our system can identify several grams and the system. Usually, when user programs induce types of data manipulation behaviors, including access to specific events in the system, rootkits intercept these events sensitive data, modifications, and trigger conditions applied and perform manipulation