dc.contributor.advisor | Erdoğan, Takuhi Nadia | |
dc.contributor.author | Tirli, Hüseyin | |
dc.date.accessioned | 2020-12-07T10:08:51Z | |
dc.date.available | 2020-12-07T10:08:51Z | |
dc.date.submitted | 2014 | |
dc.date.issued | 2018-08-06 | |
dc.identifier.uri | https://acikbilim.yok.gov.tr/handle/20.500.12812/129151 | |
dc.description.abstract | Today, security companies are confronted with tens of thousands of new malware samples every day. It is not possible to examine such a large number of newly emerging threatening applications one by one. For this reason, the technique of analyzing malware that threatens the security of computer systems in automated, controlled environments remains an effective solution. Although highly capable dynamic malware analysis systems are already available to end users, these systems remain weak against malware targeting new operating systems. In this work, Virmon (Virus Monitor), a powerful system developed for the behavior-based analysis of malware targeting Windows operating systems, is presented. The Virmon malware analysis system is a distributed system with a large network topology composed of different components. As the number of suspicious samples submitted for analysis continues to grow, system capacity can be increased linearly by adding new hardware. Virmon collects the process, registry and file system activities of the software it analyzes at the kernel level. These activities are monitored through a file system filter driver developed for this purpose. The kernel callback mechanism provided by the Windows operating system allows drivers to access the information they need at runtime. The Process, Registry and File System Monitors, which are components of the analysis machine, are notified of the events they are interested in by registering themselves with the kernel callback mechanism when the driver is loaded. Because Virmon collects the behavior information of analyzed files through the callback mechanism, which is a legitimate method, it can use all Windows operating systems as an analysis environment. 
This also allows Virmon to be easily adapted to operating systems likely to be released in the future. The network activities of analyzed applications are collected system-wide using different network solutions such as IPS/IDS, HTTP, DNS, NetFlow and VPN. The implemented distributed sensor network helps hide the system from malware that uses IP-based analysis environment detection techniques, by distributing the network traffic of the analysis machines to different locations on the Internet. Performing the analysis automatically makes it possible to examine multiple suspicious files at the same time. The application server that manages the whole analysis process and the analysis applications that manage the process on the analysis machines communicate over the network with the help of the Thrift library. Thrift allows applications developed in different programming languages to communicate securely. The analysis results can also be followed through the web application that was developed. To demonstrate the effectiveness of the Virmon analysis system, a recently detected malware sample was examined. A review of the analysis results shows that all process, registry and file system activities performed by the target application were successfully recorded. In addition, it was determined that the intrusion alerts resulting from the network traffic generated by the analyzed software, as well as its HTTP and DNS requests, could also be monitored. | |
dc.description.abstract | Nowadays, technology has been developing rapidly and computer systems have become indispensable to our daily life. More and more people are making use of technology such as smartphones, smart TVs, tablets, etc. As people use technological devices in all aspects of life, this situation attracts the attention of people with malicious intent. These attackers use various methods to gain access to targeted computer systems and to steal private information from them. Because the number of things threatening computer systems is so high, it is a must to ensure the security of these systems. One of the most important threats to computer systems is malware. Malware (malicious software) commonly refers to executables used or created by an attacker to gain access to or steal sensitive information from a computer system. Several terms are used to classify malicious software with similar behaviors, such as virus, backdoor, rootkit, worm or bot. As time has passed, the motivation of malware authors has changed. Previously, one would write malware for fun and prominence; now it is written for money, espionage and ideological purposes. Furthermore, malicious software and the zero-day vulnerabilities used by malware are becoming a commercial industry. Some companies such as VUPEN provide zero-day vulnerabilities to governments that prefer to use these vulnerabilities in cyber operations. In addition, some people and firms offer deals to security researchers in order to collect zero-day vulnerabilities. Besides the commercial industry, cyber war between countries is observed. The Stuxnet malicious software, which was detected in June 2010, can be given as an example. 
It is claimed that Stuxnet, one of the best-known sophisticated malware samples (used for advanced persistent threat, APT, attacks), was developed by the USA and Israel so as to slow down or prevent the nuclear activities of Iran. This malicious software is regarded as the first malware targeting Siemens industrial control systems and including a PLC rootkit. It has also been asserted that Stuxnet caused a two-year delay in Iran's nuclear enrichment program and cost an estimated US$1 million to create. This information helps us to understand how big and vast malware development research is. To protect end users from cyber threats, security companies develop solutions which aim to identify malware and cyber attacks. Typically, these solutions (anti-viruses) employ signature-based detection techniques in order to identify known malware or threats. This method requires the anti-viruses to have a database of signatures. As reported by security vendors, they are faced with tens of thousands of new malware samples every single day. It is impossible to analyze these samples manually and create signatures to identify them, since it takes too long. Due to the ineffectiveness of anti-viruses on previously unknown malware (whose signatures have not been created yet), many researchers have introduced several techniques to overcome the limitations of anti-virus solutions. These techniques can be divided into two categories: static and dynamic analysis. Static analysis means examining a file without running it on the system. Dynamic analysis means observing the activities of a suspicious file by executing it in a controlled environment in order to understand its purpose. Because of obfuscation techniques such as polymorphism, metamorphism, compression and encryption, it can be difficult and time-consuming to statically analyze malware. 
Therefore, analyzing software that threatens computer system security in an automated fashion and in a controlled environment is still the valid choice. Up to now, security researchers have developed several useful systems in order to detect these threats. To the best of our knowledge, today's dynamic analysis systems generally employ old versions of the Windows OS as their analysis environment. Nevertheless, the majority of computer end users prefer to use the latest versions. It seems that these systems cannot analyze malware targeting the latest Windows OS appropriately. Therefore, next-generation malware analysis solutions must cover the latest 64-bit OSs and be adapted easily to future OS versions. Even though there are highly capable dynamic malware analysis systems, they are weak against malware targeting new operating systems. In this work, we present Virmon (Virus Monitor), a powerful system designed for behavior-based analysis of malware targeting Windows operating systems. The Virmon dynamic malware analysis system consists of different components. It is designed as a distributed system, which means that Virmon works on several servers connected by distinct networks. The system capacity can be increased linearly by adding new hardware to keep up with the increasing number of new malware samples. Virmon collects the process, registry and file system activities of analyzed software at a low kernel level. These activities are monitored through a file system filter driver. The kernel callback mechanism provided by the Windows operating system enables drivers to access the information they need at runtime. 
The Process, Registry and File System Monitors, which are components of the analysis machines, receive notifications about the events they are interested in by registering themselves at driver load time. Virmon can use all Windows operating systems as an analysis environment because it collects the behavior information of analyzed files through the Windows callback mechanism, which is a legitimate method. This allows us to easily adapt Virmon to Windows operating system versions that will be released in the future. The network activities of analyzed samples are collected system-wide by using different network solutions such as IPS/IDS, HTTP, DNS, NetFlow and VPN. The distributed sensor network helps the system hide itself from malicious software that uses analysis-environment detection techniques based on public network addresses, by distributing the network traffic of the analysis machines to different locations on the Internet. Since Virmon is an automated system, it is possible to analyze several malware samples at the same time. The application server managing the whole analysis process and the analysis applications running on the machines communicate with each other with the help of the Thrift library. Thrift allows applications developed in different programming languages to communicate securely. In addition, a web application is designed to monitor the activities of analyzed malware. In order to demonstrate the effectiveness of Virmon, a recently observed malware sample is examined. Looking at the analysis results, it is clear that Virmon successfully records all process, registry and file system events initiated by the analyzed sample. Additionally, it is determined that the intrusion alerts resulting from network activities, the downloaded files, and the HTTP requests and DNS queries made by the analysis machine are collected successfully. | en_US |
dc.language | Turkish | |
dc.language.iso | tr | |
dc.rights | info:eu-repo/semantics/openAccess | |
dc.rights | Attribution 4.0 United States | tr_TR |
dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | |
dc.subject | Bilgisayar Mühendisliği Bilimleri-Bilgisayar ve Kontrol | tr_TR |
dc.subject | Computer Engineering and Computer Science and Control | en_US |
dc.title | Virmon: Sanallaştırma tabanlı otomatik bir dinamik zararlı yazılım analiz sistemi | |
dc.title.alternative | Virmon: A virtualization-based automated dynamic malware analysis system | |
dc.type | masterThesis | |
dc.date.updated | 2018-08-06 | |
dc.contributor.department | Bilgisayar Bilimleri Anabilim Dalı | |
dc.identifier.yokid | 10027240 | |
dc.publisher.institute | Bilişim Enstitüsü | |
dc.publisher.university | İSTANBUL TEKNİK ÜNİVERSİTESİ | |
dc.identifier.thesisid | 433908 | |
dc.description.pages | 97 | |
dc.publisher.discipline | Diğer | |