1 / 62

Malicious Code for Fun and Profit

Malicious Code for Fun and Profit. Somesh Jha jha@cs.wisc.edu Nov 27, 2007. What is Malicious Code?. Viruses, worms, trojans, … Code that breaks your security policy. Characteristics. Attack vector Payload Spreading algorithm. Outline. Attack Vectors Payloads Spreading Algorithms

cree
Download Presentation

Malicious Code for Fun and Profit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Malicious Codefor Fun and Profit Somesh Jha jha@cs.wisc.edu Nov 27, 2007

  2. What is Malicious Code? Viruses, worms, trojans, … Code that breaks your security policy. Characteristics Attack vector Payload Spreading algorithm Somesh Jha

  3. Outline • Attack Vectors • Payloads • Spreading Algorithms • Case Studies Somesh Jha

  4. Attack Vectors • Social engineering “Make them want to run it.” • Vulnerability exploitation “Force your way into the system.” • Piggybacking “Make it run when other programs run.” Somesh Jha

  5. Social Engineering • Suggest to user that the executable is: • A game. • A desirable picture/movie. • An important document. • A security update from Microsoft. • A security update from the IT department. • Spoofing the sender helps. Somesh Jha

  6. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies Somesh Jha

  7. Vulnerability Exploitation • Make use of flaws in software input handling. • Sample techniques: • Buffer overflow attacks. • Format string attacks. • Return-to-libc attacks. • SQL injection attacks. Somesh Jha

  8. Buffer Overflows Basic Principles A buffer overflow occurs when data is stored past the boundaries of an array or a string. The additional data now overwrites nearby program variables. Result: Attacker controls or takes over a currently running process. Somesh Jha

  9. Buffer Overflows Example Expected input: \\hostname\path void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request( “\\tux12\usr\foo.txt” );   OK process_request( “\\aaabbbcccdddeeefffggghhh\bar” );   BAD Somesh Jha

  10. Buffer Overflows Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  11. Buffer Overflows Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  12. Buffer Overflows Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  13. Buffer Overflows Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  14. Buffer Overflows local: host Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  15. Buffer Overflows local: host Program Stack A stack frame per procedure call. main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() strcpy() Somesh Jha

  16. Buffer Overflows Normal Execution process_request( “\\tux12\usr\foo.txt” ); main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() local: host local: pos Somesh Jha

  17. Buffer Overflows Normal Execution process_request( “\\tux12\usr\foo.txt” ); main() void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } process_request() local: host 2 \0 t u x 1 local: pos Somesh Jha

  18. Buffer Overflows Characters that overwrite the return address. Overflow Execution process_request( “\\aaabbbcccdddeeefffggghhhiiijjj\bar” ); main() j j \0 void process_request( char * req ) { // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) ); ... return; } i i i j process_request() g h h h f f g g e e e f local: host c d d d b b c c a a a b local: pos Somesh Jha

  19. Buffer Overflows Smashing the Stack The attacker gets one chance to gain control. Craft an input string such that: • The return address is overwritten with a pointer to malicious code. • The malicious code is placed inside the input string. Malicious code can create a root shell by executing “/bin/sh”. Somesh Jha

  20. Buffer Overflows Shell Code Code for exec(“/bin/sh”): mov edx, arg2 mov ecx, arg1 mov ebx, “/bin/sh” mov eax, 0Bh int 80h Pointer value for overwriting the return address. Somesh Jha

  21. Buffer Overflows Thicker Armor • Defense against stack-smashing attacks: • Bounds-checking. • Protection libraries. • Non-executable stack. • setuid()/chroot(). • Avoid running programs as root! • Address randomization. • Behavioral monitoring. Somesh Jha

  22. More Info “Smashing the Stack for Fun and Profit” by Aleph One StackGuard, RAD, PAX, ASLR CERT Somesh Jha

  23. Format Strings Format String Attacks • Another way to illegally control program values. • Uses flaws in the design of printf(): printf( “%s: %d” , s, x ); Somesh Jha

  24. Format Strings printf() Operation printf( “%s: %d, %x”, s, x, y ); foo() printf() Somesh Jha

  25. Format Strings Attack 1: Read Any Value What the code says: printf( str ); What the programmer meant: printf( “%s”, str ); If str = “%x%x%x%x%s” Somesh Jha

  26. Format Strings Attack 2: Write to Address 4 What the code says: printf( str ); If str = “%x%x%x%x%n” Somesh Jha

  27. Format Strings Defenses Never use printf() without a format string! FormatGuard. Somesh Jha

  28. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies Somesh Jha

  29. Piggybacking Malicious code injected into a benign program or data file. • Host file can be: • An executable. • A document with some executable content (Word documents with macros, etc.). Somesh Jha

  30. Piggybacking Executables • Modify program on disk: jmp evil_code • Variations: • Jump to malicious code only on certain actions. • Spread malicious code throughout program. Somesh Jha

  31. Piggybacking Documents • Documents with macros: Microsoft Office supports documents with macros scripted in Visual Basic (VBA). • Macro triggered on: • Document open • Document close • Document save • Send document by email Somesh Jha

  32. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies • Defenses Somesh Jha

  33.  Payload Target the interesting data: • Passwords • Financial data • User behavior • User attention • Keylogger • Screen scraper • Spyware • Adware Somesh Jha

  34. Keylogger Use Somesh Jha

  35. Screen Scraper Use Somesh Jha

  36. More Payload Ideas Victim machines are pawns in larger attack: • Botnets. • Distributed denial of service (DDoS). • Spam proxies. • Anonymous FTP sites. • IRC servers. Somesh Jha

  37. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies • Defenses Somesh Jha

  38.  Spreading Methods Depends on the attack vector: Email-based  need email addresses Vulnerability-based  need IP addresses of hosts running the vulnerable service Piggybacking  need more files to infect Somesh Jha

  39. HTML files (from cache) Windows Address Book Outlook Express folders Outlook folders Spreading through Email Internet Malware Somesh Jha

  40. Random Sequential Bandwidth-limited Pre-generated Externally-generated  Metaserver worms Internal target list  Topological worms Vulnerable Target Discovery Need to find Internet (IP) addresses. • Scanning: • Target list: • Passive: Contagion worms Somesh Jha

  41. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies Somesh Jha

  42. Types of Malicious Code McGraw and Morrisett “Attacking malicious code: A report to the Infosec Research Council” Sept./Oct. 2000. • Virus Self-replicating, infects programs and documents. e.g.: Chernobyl/CIH, Melissa, Elkern • Worm Self-replicating, spreads across a network. e.g.: ILoveYou, Code Red, B(e)agle, Witty Somesh Jha

  43. Types of Malicious Code • Trojan • Malware hidden inside useful programs e.g.: NoUpdate, KillAV, Bookmarker • Backdoor • Tool allowing unauthorized remote access e.g.: BackOrifice, SdBot, Subseven Somesh Jha

  44. Types of Malicious Code • Spyware • Secretly monitors system activity e.g.: ISpynow, KeyLoggerPro, Look2me • Adware • Monitors user activity for advertising purposes e.g.: WildTangent, Gator, BargainBuddy Somesh Jha

  45. Outline • Attack Vectors: • Social Engineering • Vulnerability Exploitation • Piggybacking • Payloads • Spreading Algorithms • Case Studies: Sobig Somesh Jha

  46. The Sobig Worm • Mass-mailing, network-aware worm • Multi-stage update capabilities Somesh Jha

  47. Sobig: Attack Vector • E-mail • Network shares From: Subject: big@boss.com support@microsoft.com bill@microsoft.com admin@support.com support@yahoo.com • Compressed executable attachment with renamed extension. • Later: attachment in ZIP file. Somesh Jha

  48. Sobig: Payload • 1st stage: • Backdoor (Lala) • & keylogger • 2nd stage: • Proxy (WinGate) Geocities web page Trojan web server Somesh Jha

  49. Sobig: Payload 1 ... 22 Hacked DSL/cable hosts Trojan web server Somesh Jha

  50. Sobig: Spreading Algorithm • E-mail addresses extracted from files on disk. • Network shares automatically discovered. Somesh Jha

More Related