DC9723 May 21 2019 Meeting
When: Tuesday 21 of May, 2019 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)
Agenda:
Brief Introduction
The butterfly effect – actively manipulating VMs through hypervisor introspection – Sofia Belikovetsky
Herding cattle in the desert: How malware actors have adjusted to new security enhancements in MacOS Mojave – Omer Zohar
As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/
*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org
Abstracts:
The butterfly effect – actively manipulating VMs through hypervisor introspection – Sofia Belikovetsky
Imagine your cloud was compromised with malware. Remediating this threat is often complex, since you need to have security solutions installed on each VM (virtual machine). Security solutions for the cloud often use the same security methods as for regular PCs, not tapping into the potential of virtualization. In this talk, we will show a way to break the “security agent per VM” paradigm by leveraging the power of hypervisor introspection against the attackers and their malware. Hypervisor introspection is the ability to analyze and monitor the internal memory of a VM from its host. It is a well-researched area in cyber security that focuses on a passive approach of analyzing the internal kernel structures of the VM in order to detect malicious code execution and anomalies. Traditionally, hypervisor introspection is used to detect security threats in datacenters. We build on the previous work in this field and extend it to utilize a more active approach where we can take remedial actions once a threat is detected and externally influence the behaviour of the VM. Remediation of cyber security threats is one of the most complicated problems in datacenter security, since there is a need to stop and remove the threat without harming the operational aspect of the VMs and the network. Currently there is no standard for solving this problem. However, by leveraging the power of virtualization, we can add remediation capabilities into the hypervisor layer. We can handle various security threats by focusing on suspension of processes and threads, and termination of unwanted network connections, all from outside the VM. One of the biggest advantages of such approach is that the malware running on the VM is completely unaware of either the detection methods that are running from the hypervisor or the remediation methods that modify values in memory. In this case, the malware can neither evade detection nor disable the detection mechanism. We demonstrate the concept of the “butterfly effect” in a virtualized environment, where changing a single value in a kernel struct can influence the behaviour of a VM. We have analyzed crucial linux kernel structures and tested how minor changes in their values can change the flow of the VM. This approach is unique, since we surgically select which values to modify in order to change the behavioural flow of the OS. Thus, a minor change achieves the desired effect, termination of the security threat. This is a technical talk where we will explain how hypervisor introspection works and demonstrate how to externally read and write to the internal memory of the VM. We will deep dive into the internals of the KVM hypervisor and Linux based VMs, show the addition of QMP commands to qemu-kvm and the modification of the memory. For each remediation scenario, we will show the value that was changed and how the flow of the Linux kernel was influenced by this change.
Herding cattle in the desert: How malware actors have adjusted to new security enhancements in MacOS Mojave – Omer Zohar
Malware on the Mac has always been like a unicorn – a creature from folk tales. But in recent years what was thought of as a unicorn, turned out to be a shadow of a horse with a wooden peg on his head: a story being told to give users a (false) sense of security.
Mac malware is on the rise, at an alarming rate. Estimations indicate that over 12% of Macs showed malicious activity in the past year. Most common types are adware, monetizing malware and scareware such as fake cleaners.
In contrast, each new version of macOS introduce improved security mechanisms, supposedly setting a higher bar for successful infection. Mechanisms such as Quarantine, SIP and GateKeeper verify software integrity, and make changes to user and OS settings more difficult, TCC (Transparency, Consent, and Control) requires stricter user consent during app installation, while XProtect and MRT finish off with rules to detect malicious files.
Still, Mac Malware is on the rise, with 12M infected machine identified in 2018 alone, while the YoY growth of infection has been over 100% since 2016. A clear signal that bad guys adapt fast.
In this talk, we’ll deep dive into recent security changes in MacOS Mojave & Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections, and more importantly – monetization.
We’ll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio to name a few) – and investigate how their tactics evolved after the update: From Vectors of infection that bypass GateKeeper, getting around the new TCC dialogs, hijacking search in a SIP protected Safari, to persistency and reinfection mechanisms that ultimately turn these ‘annoying PUPs’ into a fully fledged backdoored botnet.