Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics
Scanning • Wireless Scanners • War driving: Finding Wireless Access Points • A normal WLAN needs < 100 m to the access point to function well. • A good antenna can pick up a signal from miles away. • Omni-directional antennas make war driving easy. • Directional antennas yield better results. • Can build a good one out of a Pringles box.
Scanning Home-made War Driving Antenna
Scanning • War driving goal: • Locate WLANs • Determine Extended Service Set Identifier (ESSID) • Access points transmit beacon packets approximately every 100 msec.
Scanning • Active Scanning: • Broadcast 802.11 probe packets with ESSID of “Any”. • Implemented by NetStumbler. • Or Windows XP SP2. • Listening for Beacons: • Put the wireless card into monitor mode (AKA rfmon). • Read all packets. • Implemented by Wellenreiter, Kismet. • Forcing Deauthentication: • Some WLANs ignore probes with an ESSID of “any”. • First, get the MAC address of the access point. • Tool sends a wireless deauthenticate message to the client with the spoofed MAC of the access point. • Clients now need to reassociate, revealing the ESSID.
Scanning • Hardening • Set ESSID to something that does not contain the name of your organization. • Configure access points to ignore probe requests that don’t include the ESSID. • Use stronger authentication mechanisms. • Do not rely on MAC addresses alone, since these can be spoofed. • Switch from WEP to WPA. • Reset transmission power of access points.
Scanning • War Dialing • Looking for modems by dialing all numbers of an organization. • Targets are ill-configured modems. • Especially those connected to computers with remote control products such as VNC, pcAnywhere, Mini Remote Control, Laplink Gold, …
Scanning • Network Mapping (Assume that attackers have gained access to the target system.) • Sweeping: • Attempting to ping all possible addresses. • Port mapping: • Identify services listening on ports: • TCP Connect Scan • Tries to complete the TCP three-way handshake. • TCP SYN Scan • Attacker sends SYN, but does not ACK the SYN-ACK response from the target. • (Many systems do not log these interrupted connection attempts.) • Could result in an accidental DoS attack, since the target buffers these half-open attempts waiting for completion. Attacker could send a Reset instead of the final ACK to avoid this.
Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP FIN Scan • Attacker sends a FIN packet. • Target is supposed to send a RESET packet if the port is closed. • Target does not send anything back if the port is open. • Xmas Tree Scan: • Attacker sends packets with the URG, ACK, PSH, RST, SYN, and FIN flags set. • Null Scan: • Attacker sends a packet without any flags set. • Closed port sends RESET, listening port sends nothing.
Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP ACK Scan • “Firewall Friendly”: Stateless firewalls will only let TCP packets through with the ACK flag set. • If the packet passes through the firewall, then the internal system answers with a RESET packet. • Response of the target is somewhat OS dependent.
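The scan patterns on the last three slides (SYN half-open sweeps, FIN, Xmas tree and Null probes) are what a border sensor should flag; the detector below is an added example, not code from the slides. The log format "src dst dport flags" and the sweep threshold are assumptions, and the log lines are constructed.

```python
# Added example (not from the slides): flag the scan types described above from
# a packet log. Log format "<src> <dst> <dport> <tcp flags>" is an assumption;
# flags use tcpdump letters (S,A,F,P,R,U), "-" means none. Lines are constructed.
from collections import defaultdict
SAMPLE_LOG = """\
10.0.0.7 192.168.1.10 22 S
10.0.0.7 192.168.1.10 23 S
10.0.0.7 192.168.1.10 25 S
10.0.0.7 192.168.1.10 80 S
10.0.0.7 192.168.1.10 443 S
10.0.0.9 192.168.1.10 21 F
10.0.0.9 192.168.1.10 22 F
10.0.0.11 192.168.1.10 80 UAPRSF
10.0.0.12 192.168.1.10 80 -
192.168.1.50 192.168.1.10 80 S
192.168.1.50 192.168.1.10 80 A
"""

ALL_FLAGS = set("UAPRSF")
THRESHOLD = 5   # distinct half-open ports per source before calling it a sweep (assumption)

def classify_flags(flags):
    """Name the protocol-violating probe a segment represents, or None if it is normal."""
    f = set(flags) - {"-"}
    if not f:
        return "null"              # Null scan: no flags at all
    if f == ALL_FLAGS:
        return "xmas"              # Xmas tree: every flag lit
    if f == {"F"}:
        return "fin"               # bare FIN without ACK never occurs in a real session
    return None

def detect_scans(log_text):
    """Return {src: finding} for sources whose traffic matches a scan pattern."""
    syn_ports = defaultdict(set)   # ports a source sent a bare SYN to
    ack_ports = defaultdict(set)   # ports the same source later ACKed (handshake finished)
    findings = {}
    for line in log_text.splitlines():
        src, _dst, port, flags = line.split()
        kind = classify_flags(flags)
        if kind:
            findings[src] = kind
        elif flags == "S":
            syn_ports[src].add(port)
        elif "A" in flags:
            ack_ports[src].add(port)
    for src, ports in syn_ports.items():
        half_open = ports - ack_ports[src]   # SYN scan leaves these unfinished
        if len(half_open) >= THRESHOLD:
            findings[src] = "syn-sweep(%d ports)" % len(half_open)
    return findings
```

The legitimate client 192.168.1.50 completes its handshake and is not reported, which is the distinction the slide's "many systems do not log these interrupted connection attempts" remark is about.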
Scanning • FTP Bounce Scans: • Goal: Source IP address does not show up in target logs. • Exploits an old FTP option (sometimes available with printers that support FTP): • FTP server allows a user to connect to it and request that the server send a file to another system. • Attacker requests that a file is sent to every port on the target. • If the target port is open, then the FTP server tells the attacker that it opened the connection, but could not communicate. • If the target port is closed, then the FTP server tells the attacker that it could not communicate with the target.
Scanning • Idle Scanning • IP header includes a field “IP Identification”. • Ties together the fragments of one datagram. • Windows increases the IP ID by one whenever it needs a new number. • Attacker first identifies a system that will be blamed (the scapegoat). • Attacker then determines the current IP ID at the blamed system. • Attacker then sends a fake message purporting to be from the blamed system to the target. • If the port is open, the target replies to the blamed system, which answers with a reset and thereby increments its IP ID. • Attacker determines whether the IP ID number has increased.
Scanning • Idle scan message sequence (diagram; participants: attacker, scapegoat, target): • Attacker sends SYN to the scapegoat; scapegoat answers with IP-ID = 5. • Attacker sends a SYN to TCP port 12345 of the target, spoofed to come from the scapegoat. • Target sends SYN-ACK from port 12345 to the scapegoat. • Port open: scapegoat answers with a Reset, IP-ID = 6. • Attacker sends SYN to the scapegoat again; scapegoat answers SYN-ACK with IP-ID = 7. • Aha: the scapegoat must have sent a reset in between, so the target port is open.
Virus: The Principle • Virus attaches itself to a host that can execute instructions contained in the virus. • When the host is invoked, the virus copies itself to other locations on the system.
Executables • Companion Infection Technique • OS will call the virus when the user requests the companion file. • Windows: • Virus is Notepad.com, hiding beside Notepad.exe. • Set the hidden attribute to prevent the virus from being seen. • Launch the true Notepad.exe file from the virus. • If the user selects Start > Run and types in notepad, then Windows starts the virus (Notepad.com instead of Notepad.exe), because a .com file is resolved before a .exe file of the same name.
Executables • Companion Infection Technique • Windows: • Virus renames Notepad.exe to Notepad.ex_ and hides it. • Virus takes the place of Notepad.exe. • Works with shortcuts. • Used in the Trilisa virus / worm (2002)
Executables • Companion Infection Technique • Virus uses alternate data stream feature of NTFS: • Streams look like one file in explorer and directory listings. • System activates the default stream, the virus. • Virus calls alternate stream. • Win2KStream Virus (2000)
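A forensic sweep for the companion tricks on the previous three slides (a .com shadowing a .exe, a renamed .ex_ original, a hidden executable) as an added example; this is not code from the slides, and the directory it scans is constructed in a temp folder. NTFS alternate data streams are not covered here, since they need NTFS-specific tooling.

```python
# Added example (not from the slides): look for companion-infection traces in a
# directory: a .com next to a same-named .exe, a renamed .ex_ original, or a
# hidden executable. The sample directory is constructed in a temp folder.
import os
import stat
import tempfile

def is_hidden(path):
    """Windows hidden attribute; on other systems a leading dot (portability assumption)."""
    if os.name == "nt":
        return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")

def find_companions(directory):
    """Return sorted (file, reason) pairs that match the companion patterns above."""
    names = {n.lower(): n for n in os.listdir(directory)}   # case-insensitive like Windows
    findings = []
    for lower, name in names.items():
        base, ext = os.path.splitext(lower)
        exe = names.get(base + ".exe")
        if ext == ".com" and exe:
            # Start > Run resolves the .com before the .exe, so this one runs first
            findings.append((name, "shadows " + exe))
        if ext == ".ex_" and exe:
            findings.append((name, "renamed original beside " + exe))
        if ext in (".exe", ".com") and is_hidden(os.path.join(directory, name)):
            findings.append((name, "hidden executable"))
    return sorted(findings)

def demo():
    """Constructed scenario mirroring the Notepad.com trick and the .ex_ rename."""
    d = tempfile.mkdtemp()
    for n in ("Notepad.exe", "Notepad.com", "Calc.exe", "Calc.ex_", "Paint.exe"):
        open(os.path.join(d, n), "wb").close()
    return find_companions(d)
```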
Executables • Overwriting Techniques • Virus replaces part of an executable. • Usually the executable loses functionality. • Users will notice that something is wrong. • Prepending Techniques • Virus placed in front of the executable. • After the virus executes, the host program is called. • Very easy for .com files. • Easy to clean files. • Bliss virus had a disinfect mode built into it. • Used by the NIMDA worm.
Executables • Appending Infection Technique • Insert itself at the end of the host file. • Add a jump at the beginning of the host file. • Stealth Techniques for Prepending and Appending: • Compress the host. • When the virus calls the host, the host is decompressed into RAM. • Pad the total package (virus, compressed host) to the same size as the original host. • Choose the filler so that the checksum is not changed.
Boot Sector Modification • Target Master Boot Record or Partition Boot Sector. • Michelangelo Virus (1991). • Moved the original MBR bootstrap elsewhere on disk. • First the virus loads itself into memory, then it passes control to the original MBR boot sector. • Places itself into the boot sectors of all floppies. • Memory-resident copy of the virus is attached to low-level BIOS drivers. • Gets called when these are executed. • Can no longer spread under WinNT, Win2K, WinXP, only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
Boot Sector Modification • Michelangelo Virus (1991). Boot sequence (diagram): BIOS initializes hardware and starts drivers; MBR executes and reads the partition table; PBS locates the OS start files.
Infection of Document Files • Many software packages use macros: • MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, … • WinOffice runs code in subroutines such as • Document_Open() • Document_Close() • AutoExec() • … • These subroutines are executed automatically with every document.
Infection of Document Files • Melissa (1999): • Resides in Document_Open() • Copies itself into the Normal.dot file. • Normal.dot is processed whenever MS Office starts up. • Melissa changed the Document_Close() routine. http://www.cert.org/advisories/CA-1999-04.html
Infection of Document Files • Excel Version: • Virus infects Personal.xls. • This file can contain macros and is loaded whenever Excel runs. • Laroux (1996) used the auto_open() subroutine to execute whenever an Excel file was opened.
Infection of Document Files • Frequent macro targets in MS Office: • AutoExec() • AutoClose() • AutoOpen() • AutoNew() • AutoExit() • FileClose() • FileOpen() • FileNew()
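A triage check for the auto-executing entry points listed on the last four slides (Melissa's Document_Open(), Laroux's auto_open(), the Auto*/File* names above), as an added example rather than code from the slides. It takes exported VBA source as text (an assumption; extracting the module from a document is a separate step), and the module shown is constructed.

```python
# Added example (not from the slides): flag VBA procedures that run without
# user action (the entry points listed above) and report persistence-style
# calls inside them. The module text below is constructed for the demo.
import re

AUTO_PROCS = {n.lower() for n in (
    "AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit",
    "FileOpen", "FileClose", "FileNew",
    "Document_Open", "Document_Close", "auto_open",   # auto_open: Laroux
)}
# Calls that let an auto-macro persist (Normal.dot) or spread (assumed watch list)
SUSPICIOUS_CALLS = ("NormalTemplate", "VBProject", "CreateObject", "Shell", "SaveAs")

PROC_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)

def split_procedures(vba):
    """Yield (name, body) for each Sub/Function in a VBA module."""
    matches = list(PROC_RE.finditer(vba))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(vba)
        yield m.group(1), vba[m.end():end]

def assess_macros(vba):
    """Return {auto_proc_name: [suspicious calls found in its body]}."""
    report = {}
    for name, body in split_procedures(vba):
        if name.lower() in AUTO_PROCS:
            report[name] = [c for c in SUSPICIOUS_CALLS if c.lower() in body.lower()]
    return report

SAMPLE_MODULE = """\
Sub Document_Open()
    ' constructed: copies the module into the Normal template, as the slide says Melissa did
    Set src = ActiveDocument.VBProject.VBComponents(1)
    NormalTemplate.VBProject.VBComponents.Import "payload.bas"
End Sub

Private Sub Helper()
    MsgBox "nothing runs automatically here"
End Sub
"""
```

An auto-executing procedure with an empty call list still deserves a look; the report only tells you where to start reading.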
Other Targets • Source Code • Scripts • Visual Basic Scripts (.vbs) used by OS: • Startup.vbs • Exec.vbs • Shell scripts, Perl scripts • Java Class Files • Platform independent viruses
Propagation Techniques • Removable Storage • Boot sector viruses, executable viruses • Yamaha’s CD-R drive firmware update contained the Chernobyl virus. • Email attachments • Shared directories • Windows file sharing via Server Message Block (SMB) protocol. • Network File System shares • P2P services such as Gnutella or Morpheus
Anti-Virus Defense • Antivirus software on gateways: • User workstations • File servers • Mail servers • Application servers • Border firewalls • Handhelds.
Anti-Virus Defense • Virus signatures • Looks for small patterns indicative of a known virus. • Polymorphic viruses • Heuristics • Looks for programs with bad behavior: • Attempts to access the boot sector • Attempts to locate all files in a directory • Attempts to write to an exe file • Attempts to delete hard drive contents • …
Anti-Virus Defense • Integrity Verification • Generate database of hashes of important files. • Recalculate these hashes and compare them to known values. • Configuration Hardening • Least privilege • Minimize active components. • Set warnings (e.g. against macros) • User education
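The integrity verification step on this slide, as an added example (not the slides' own code): build a hash database of the files you care about, store it off the host, and later rehash to list what changed. The file set is constructed in a temp directory, and the demo simulates a prepending infection of one host file.

```python
# Added example (not from the slides): baseline-and-verify integrity check.
# Hash the important files once, rehash later and report differences.
# The file set below is constructed in a temp directory for the demo.
import hashlib
import os
import tempfile

def file_hash(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each path under root (relative) to its hash; keep the result read-only off-host."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_hash(full)
    return baseline

def verify(root, baseline):
    """Compare the current tree with the baseline: modified, added and missing paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline three files, then simulate a prepending infection."""
    root = tempfile.mkdtemp()
    for name, data in (("notepad.exe", b"MZ host"), ("calc.exe", b"MZ calc"), ("readme.txt", b"hi")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(root, "notepad.exe"), "wb") as f:
        f.write(b"VIRUS" + b"MZ host")       # prepending: virus code first, original host after it
    os.remove(os.path.join(root, "readme.txt"))
    with open(os.path.join(root, "update.exe"), "wb") as f:
        f.write(b"MZ new")                   # a file that was not in the baseline
    return verify(root, baseline)
```

The stealth padding described under "Appending Infection Technique" defeats a simple checksum, not a cryptographic hash, which is why the database should use SHA-256 rather than a CRC.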
Anti-Anti-Virus Defense • Stealthing • Hide virus files. • Intercept scanning of infected files. • Slow rate of infection. • … • Polymorphism and Metamorphism • Change order of instructions in virus code. • Use equivalent code (e.g. increment = subtracting -1). • Encryption of most of the virus body. • Slightly change the functionality of the virus as it spreads.
Anti-Anti-Virus Defense • Antivirus software deactivation • Kill processes known to be antivirus processes. • Disable internet access to antivirus vendor’s pages. • Change security settings (e.g. allow Word macros to run)
Worms Worms: • Propagates across a network • Typically, does not require user action for propagation. Virus: • Infects files. • Typically requires user interaction.
Worms Worm Components • Warhead • Propagation Engine • Target Selection Algorithm • Scanning Engine • Payload
Worm Warhead • A piece of code that exploits a vulnerability on the target system • Exploits such as Buffer Overflow Exploits • File Sharing Attacks • E-mail • Common Mis-configurations
Worm Propagation Engine • After gaining access, the worm must transfer itself to the target machine. • Some worms are completely contained in the warhead. • File Transfer Mechanisms • FTP • TFTP • HTTP • SMB (MS Server Message Block) • Windows file sharing • Unix servers running SAMBA
Worm Target Selection Algorithm • Once the worm has gained control of a target, it starts looking for new targets. • E-mail addresses • Host lists • Trusted Systems • Network Neighborhood • DNS queries • Randomly selected IP addresses.
Worm Scanning Engine • Once targets are identified, the worm scans for the original vulnerability.
Worm Payload • Some specific action done on behalf of the attacker. • Opening up a backdoor. • Planting a distributed denial of service attack. • Performing complex calculations: • password cracking • math research (actually happened)
Worm Spread • Worm spread is limited • Diversity of machines • “Tiny Worm” • targeted only machines running security software from a medium company • was successful in infecting most machines with that software. • Worms can contain support for multiple entry methods. • Too many victims crash • Fast worms can cause network congestion
Worm Trends • Multiplatform worms • Multiexploit worms • Zero-day exploit worms • No chance to patch • Fast-spreading worms: Warhol / Flash • pre-scan targets • Polymorphic worms • Change appearance • Metamorphic worms • Change functionality
Worm Defenses • Ethical (?) Worms • Antivirus tools • Fast patching services • Firewalling • Block arbitrary outbound connections • Prevents spreading • Establishment of Incident Response Capabilities
Sniffers • Sniffers: a program that gathers traffic from the local network. • Primary attack example: • Sniffers look for authentication information from clear-text protocols such as ftp or telnet. • Passive Sniffing: • Sniffer only gathers packets but does not change the network. • Active Sniffing: • Sniffer changes network settings. • Example: ARP poisoning in order to route traffic through the machine with the sniffer.