BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection
Reporter: 林佳宜
Email: [email protected]
2010/9/13

References
Brian Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Salvatore Stolfo and Angelos Keromytis. "BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection." RAID 2010.

Outline
- Introduction
- BotSwindler
- Architecture
- Experiment results
- Conclusion

Introduction [1/2]
- The creation and rapid growth of an underground economy: up to 9% of the machines in an enterprise are now bot-infected.
- Crime-driven bots harvest sensitive data, ranging from data grabbing and keystroke logging to screenshots and video capture.
- A recent study focused on Zeus, the largest botnet with over 3.6 million PC infections in the US; it bypassed up-to-date antivirus software 55% of the time.
- Traditional crimeware detection techniques: comparing signatures, anomaly-based detection.

Introduction [2/2]
- Drawback of conventional host-based antivirus software: it is vulnerable to evasion or subversion by malware, which can disable defenses such as antivirus.
- BotSwindler: a novel system designed for the proactive detection of credential-stealing malware on VM-based hosts.

BotSwindler
- Relies upon an out-of-host software agent to drive user simulations.
- Convinces malware residing within the guest OS that it has captured legitimate credentials.
- The simulator is tamper resistant and difficult for malware to detect.

Simulation behaviors
- To generate simulations of a human user, BotSwindler relies on a formal language, VMSim, which provides a flexible way to generate variable simulation behaviors.
- Uses various models for keystroke speed, mouse speed, and the frequency of errors made during typing.
- One of the challenges in designing an out-of-host simulator is to verify the success or failure of mouse and keyboard events that are passed to the guest OS.
- The authors developed a low-overhead approach for this, called virtual machine verification (VMV).

VMSim language
- The language provides a flexible way to generate variable simulation behaviors and workflows.
- Mouse and keyboard events of a real user are captured and recorded, then mapped to the constructs of the VMSim language.

BotSwindler architecture

Prototype of BotSwindler
- BotSwindler uses a modified version of QEMU running on a Linux host.
- User simulation is implemented using X11 libraries; VMSim is used for expressing simulated user behavior.
- The simulator runs outside of the virtual machine and passes its actions to the guest host by utilizing the X Window subsystem; actions are replayed via the Xorg Record and XTest extension libraries.
- BotSwindler can operate on any guest OS supported by the underlying hypervisor or virtual machine monitor (VMM).

Machine learning to distinguish simulations
- We performed a computational analysis of whether attackers could employ machine learning algorithms on keystrokes to distinguish simulations.
- Experiments running Naive Bayes and Support Vector Machine (SVM) classifiers on real and generated timing data gave nearly identical classification results.
- Killourhy and Maxion's benchmark data set was used.
- In our study with 25 human judges evaluating 10 videos of BotSwindler actions, the judges' average success rate was 46%.

Bait credentials (decoys)
- The system supports a variety of different types of bait credentials (decoys): Gmail, PayPal, and banking credentials.
- Our system automatically monitors the decoy accounts for misuse to signal exploitation and thus detect host infection by credential-stealing malware.

Decoy monitor
- Custom monitors for PayPal and Gmail accounts: these services provide the time of the last login.
- The PayPal and Gmail accounts also expose the IP address of the last login.
- If there is any activity from IP addresses other than the BotSwindler host IP, an alert is triggered.
- Alerts are also triggered when the monitor cannot log in to the bait account.
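The two alerting rules on this slide (a last login from an IP other than the BotSwindler host, and a failed login by the monitor itself) are small enough to write out. The following is an added example of that decision logic, not BotSwindler's own code: the LoginStatus records, the account labels, the 203.0.113.x/198.51.100.x addresses and the idea of trusting a network rather than a single host IP are all constructed assumptions for illustration. In a real deployment the records would be filled from the "last login" information each service shows after the monitor logs in.

```python
"""Decoy-account monitor: an added example of the alerting rules the slide
describes (not BotSwindler's own code). Alert when the service reports a
last login from an IP other than the BotSwindler host, and alert when the
monitor itself cannot log in to the bait account.

The LoginStatus records at the bottom are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class LoginStatus:
    """What the monitor observed for one decoy account on one check."""
    account: str                         # constructed label, e.g. "paypal:decoy-01"
    login_ok: bool                       # did the monitor's own login succeed?
    last_login_ip: Optional[str]         # last-login IP the service reported
    last_login_time: Optional[datetime]  # last-login time the service reported


@dataclass(frozen=True)
class Alert:
    account: str
    reason: str   # "login-failed" or "foreign-ip"
    detail: str


# Address(es) the BotSwindler host logs in from. Networks rather than one
# string so a NATed host range can be trusted too (assumption of this example).
# 203.0.113.0/24 is a documentation range, used here purely as sample data.
TRUSTED_NETWORKS = [ip_network("203.0.113.10/32")]


def ip_is_trusted(ip: Optional[str], trusted_networks) -> bool:
    """True only if ip parses and lies inside one of the trusted networks.
    A missing or malformed IP is treated as untrusted (assumption: the
    monitor should not stay silent when it cannot confirm the source)."""
    if not ip:
        return False
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def check_decoy(status: LoginStatus, trusted_networks=TRUSTED_NETWORKS) -> Optional[Alert]:
    """Apply the slide's two rules to one observation; None means quiet."""
    # Rule 2: the monitor cannot log in to the bait account.
    if not status.login_ok:
        return Alert(status.account, "login-failed",
                     "monitor could not log in to the bait account")
    # Rule 1: last login from an address other than the BotSwindler host.
    if not ip_is_trusted(status.last_login_ip, trusted_networks):
        when = status.last_login_time.isoformat() if status.last_login_time else "unknown time"
        return Alert(status.account, "foreign-ip",
                     f"last login from {status.last_login_ip} at {when}")
    return None


def run_monitor(statuses, trusted_networks=TRUSTED_NETWORKS):
    """Check every decoy and return the list of alerts (empty if all quiet)."""
    alerts = []
    for status in statuses:
        alert = check_decoy(status, trusted_networks)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample observations: one quiet decoy, one decoy the service
# says was last used from an unknown address, one decoy the monitor cannot open.
T0 = datetime(2010, 9, 13, 8, 30, tzinfo=timezone.utc)
SAMPLE_STATUSES = [
    LoginStatus("paypal:decoy-01", True, "203.0.113.10", T0),
    LoginStatus("gmail:decoy-02", True, "198.51.100.77", T0.replace(hour=3)),
    LoginStatus("paypal:decoy-03", False, None, None),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_STATUSES):
        print(f"ALERT {alert.account} [{alert.reason}] {alert.detail}")
```

Running the block as a script prints one line per alert: the Gmail decoy is flagged for the foreign last-login IP, the third PayPal decoy because the monitor could not log in, and the first decoy stays quiet because its last login came from the trusted host address.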

Experiment results
- Our results come from two separate experiments.
- First experiment, with 116 Zeus samples: used 5 PayPal decoys and 5 Gmail decoys; received 14 distinct alerts from the PayPal and Gmail decoys.
- Second experiment, with 59 different Zeus samples: received 3 alerts from our banking decoys.

Virtual Machine Verification Overhead

Contributions
- BotSwindler architecture
- VMSim language
- Virtual Machine Verification (VMV)
- Real malware detection results
- Statistical and information theoretic analysis
- Believability user study results
- Performance overhead results

Conclusion
- We demonstrate our system with three types of credentials.
- The system can be extended to support any type of credential that can be monitored for misuse.
- We discuss how BotSwindler can be deployed to service hosts, including those which are not VM-based, making this approach broadly applicable.

Questions

QEMU is free software, a processor emulator written by Fabrice Bellard. It is similar to Bochs and PearPC, but has some features the latter two lack, such as high speed and cross-platform support. With the open-source accelerator kqemu, QEMU can emulate at speeds close to those of a real computer.