Networking & Malware CS 598: Network Security Michael Rogers & Leena Winterrowd March 26, 2013
Types of Malware Image courtesy of prensa.pandasecurity.com
Types of Malware No standardized definitions! Viruses 16.82% Trojan horses 69.99%
Viruses • Programs capable of self-replication • Spread to other systems • Cannot execute on their own • Must attach themselves to other programs • Effectively need user interaction to spread
Worms • Standalone programs • Self-replicating • Rely on exploits to self-execute • Self-propagating • No user interaction!
Ye Olde Computyre Virus Thou hast presently received ye olde virus! Since it doth not useth 'electricitee' or 'computyres', thou art on ye olde 'Honore Systeme'. Please deleteth all of thy files from thy hard drive and forward ye olde virus to thy friends.
Trojans • Masquerade as legitimate files • Often 'gifts' or free downloads • Give (unauthorized) access to a system • Most often propagated with worms • Most often contain spyware
Backdoors • Bypass normal authentication to reach data or a service directly • Often a default or hard-coded password • Designed to stay undetected • Example (2003): a 2-line change slipped into the Linux kernel source: http://kerneltrap.org/node/1584 (an assignment written where a comparison belonged, which would have granted root to a caller passing a specific flag combination) • Frequently used by worms
Rootkits • Hide the existence of a payload • Payload is often a trojan • Generally subvert or disable security software • Historically bundled tools to keep root (elevated) access; modern rootkits generally do not! • Most often work by injection: • Enabling a backdoor • Replacing a library • Hiding on devices or in the BIOS • Computrace / LoJack anti-theft agents persist this way DAEMON Tools is actually a benign rootkit-like program (it intercepts Windows API calls)
Spyware • Collects information without the user's knowledge or permission • Often delivered as trojans • May be installed deliberately (monitoring software) • Keyloggers
Adware • Automatically renders ads • Generates money for the developer(s) • Often bundled deliberately with free software • Ideally non-intrusive
Typhoid Adware • An infected machine poses as the legitimate access point • Intercepts and hijacks other users' connections via ARP spoofing • The infected machine inserts ad content into video streams • The infected machine shows no symptoms itself: it acts only as a NAT-style proxy between the victims and the real gateway Paper available at: http://pages.cpsc.ucalgary.ca/~aycock/papers/eicar10.pdf
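The ARP-spoofing step is the part of Typhoid adware that is visible on the wire: the infected host answers ARP for the gateway's address with its own MAC, so every neighbour's IP-to-MAC binding for the gateway changes. The block below is an added example (not from the paper or the slides) of a passive detector for exactly that: it parses Ethernet/ARP reply frames, remembers which MAC first claimed each IP, and raises an alert when a second MAC claims the same IP, flagging the gateway specially. The frames it processes are constructed in the block with a small builder; the MAC and IP values are made up.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP reply frame (test data, not captured traffic)."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, eth_src_mac, sender_mac, sender_ip), or None if the frame is
    not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, eth_src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, fmt_mac(eth_src), fmt_mac(sha), ".".join(str(b) for b in spa)


class ArpWatcher:
    """Tracks IP -> MAC bindings seen in ARP replies and reports conflicts."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}   # sender IP -> MAC that first claimed it

    def observe(self, frame):
        """Return an alert string for a suspicious reply, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, eth_src, sender_mac, sender_ip = parsed
        if op != ARP_REPLY:
            return None
        # Cheap sanity check; a careful spoofer makes these agree, so it is not sufficient.
        if eth_src != sender_mac:
            return f"ARP sender {sender_mac} differs from frame source {eth_src} on {sender_ip}"
        first = self.bindings.setdefault(sender_ip, sender_mac)
        if first != sender_mac:
            what = "GATEWAY" if sender_ip == self.gateway_ip else "host"
            return f"ARP conflict ({what}): {sender_ip} was {first}, now claimed by {sender_mac}"
        return None


if __name__ == "__main__":
    w = ArpWatcher(gateway_ip="192.168.1.1")
    for f in (build_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
              build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10")):
        print(w.observe(f))
```

To run this against live traffic, feed it raw frames from a promiscuous socket or a pcap; the first binding seen is trusted, so seed `bindings` from a known-good table on networks where the real gateway MAC is documented.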
Infection Mechanisms • Droppers • Inject malware (single-stage) • Download malware to the machine (two-stage) • Pretend to be legitimate programs (Trojans) • Injector: dropper which installs to memory only • Drive-By Downloads • Placed on systems by compromised websites • Serves as point of entry for other malware • Recent Example: FBI virus (Java exploit) Image courtesy of http://www.technobuffalo.com
Infection Mechanisms • DECEPTION! • Exploitation • OS design defects • Zero-day • Unpatched • Software bugs • Privilege elevation • Preexisting (related or unrelated) backdoors • 'Auto-run' on removable devices (USB, CD, etc.) • Purposely install malicious code • Physical access Image courtesy of http://www.technobuffalo.com
Stuxnet • In June 2010, VirusBlokAda discovered an unprecedented type of malware: Stuxnet. • But what made Stuxnet different? (typical malware: usually < 1 KB)
Stuxnet's Infection Mechanisms • Infected Windows systems via USB (auto-run) • Limits itself to 3 infections per drive; self-replicates to removable drives • Worm attempts to spread to any Windows system for 21 days • Target systems were 'air-gapped' (not connected to the internet) • Uses four zero-day Windows exploits • Copies itself across the LAN via a print-spooler exploit • Spreads through SMB • Exploits a Windows Server Service RPC vulnerability (the same one used by the Conficker worm; patched in 2008) • 2 privilege-escalation vulnerabilities Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
Stuxnet's Propagation Mechanisms • Spreads via network shares • Looks for and injects itself into specific industrial-control software project files • The software's database uses a hard-coded password • Uses it to copy itself to the database server via SQL injection • Can self-update or report data via 'command & control' servers • Self-updates via LAN or peer-to-peer • Contained a Windows rootkit to further avoid detection • Digitally signed with certificates stolen from Realtek & JMicron Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
What did Stuxnet do? • Targeted Siemens 315 and 417 PLCs • Fingerprinted them by model number, configuration, and the actual PLC code • Used a modified driver DLL to copy itself to the PLCs • Changed the speed of the frequency-converter drives • Alternated between slowing down and speeding up the normal frequency • Could cause a PLC-controlled centrifuge to fly apart over time Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
Flame • "Arguably the most sophisticated malware ever found" • ~20 MB • Spreads via LAN or USB • Forged a Microsoft code-signing certificate • MD5 chosen-prefix collision attack • Modular design
What did Flame do? • Steals information • Records Skype calls • Activates Bluetooth • Steals information from other Bluetooth devices • Communicates information back to command & control server and awaits further instructions
DNSChanger • Drive-by download claiming to be a required video codec • Modified the DNS configuration to go through a rogue name server • Injected/substituted advertising on web pages & redirected some links • Could spread within a LAN • Mimicked a DHCP server • Pointed other hosts towards the rogue DNS servers • Perpetrators apprehended, but the rogue servers' addresses were kept answering (under court order, with clean replacement servers) rather than switched off, for fear of knocking infected machines off the internet
Nimda • Virus/worm hybrid • Infected via multiple avenues • Email • Network shares • Compromised websites • Microsoft IIS vulnerability exploits • Backdoors left by other worms (Code Red II and sadmind/IIS) • Became the internet's most widespread worm within 22 minutes
Why Malware is Written • 'For teh lulz' (entertainment value) • Causing distraction or destruction just because it's amusing • To show off • Exploit remote systems as a show of skill • Anonymity • Attacks can be launched through victims, so the victim appears to be the source • Sociopolitical • Anonymous, LulzSec, hacktivists • Stuxnet & Flame • May cause physical damage! (Stuxnet) • For profit
Malware for Profit • Spyware • Gain personal information for various purposes • Targeted marketing or identity theft • Corporate espionage/sabotage • Botnets • Cloud-based attacks (DDoS, click fraud, spam) • Adware/scareware/ransomware • Directly bilk money from victims • Recursive (self-sustaining) • Sell dropper/backdoor kits • Promote further infection
Target Selection • Completely targeted • Semi-targeted • Brute-force/random • Pseudorandom • Diffusion
Completely Targeted • Predetermined list of targets • Common to spam/phishing • Tend to employ social engineering techniques
Semi-Targeted • Takes a good guess at the next target • Often target machines on the local network (worms) • Uses the concept of homogeneity • Exploit one in network → may be able to exploit all • E-mail contact lists (trojans)
Brute-Force • Port-scanning and IP-scanning the entire address space • Often start from a randomized offset and skip around
Pseudorandom • Brute-force with restrictions (for better performance or stealth) • Example: Blacklist known darknet/honeypot addresses • Example: Prioritize IPs belonging to a specific country
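The "randomized offset and skip around" scanner and the "blacklist known darknet/honeypot addresses" refinement are the same machine with one extra filter, so one added example covers both slides. This is illustrative code written for this page, not from any scanner or worm the slides mention. It walks the IPv4 space in a full-period pseudorandom order using a linear congruential generator chosen to satisfy the Hull-Dobell conditions (every address is visited exactly once per cycle, with no state beyond the current value), starting from a seed-derived offset, and skips any address inside the given blacklist networks and, optionally, private/reserved space. The blacklist range used in the demo (192.0.2.0/24, a documentation prefix) is a stand-in for a real honeypot range, and the `bits` parameter exists so the full-cycle property can be checked on a small space.

```python
import ipaddress


class PermutationScanner:
    """Walks 2**bits addresses in a full-period pseudorandom order.

    Uses an LCG x' = (a*x + c) mod 2**bits. With c odd and a-1 divisible by 4
    (Hull-Dobell) the sequence visits every value exactly once before it
    repeats, so no address is probed twice and none is missed. Addresses
    inside `blacklist` networks (e.g. known darknets/honeypots) are skipped,
    and optionally so are private/reserved/multicast/loopback ranges.
    """

    def __init__(self, seed, blacklist=(), bits=32, skip_special=True,
                 a=1664525, c=1013904223):
        if c % 2 != 1 or (a - 1) % 4 != 0:
            raise ValueError("a, c must satisfy Hull-Dobell for a full period")
        self.mod = 1 << bits
        self.a, self.c = a % self.mod, c % self.mod
        self.start = seed % self.mod            # randomized offset into the cycle
        self.skip_special = skip_special
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]

    def _skip(self, addr):
        if any(addr in net for net in self.blacklist):
            return True
        return self.skip_special and (addr.is_private or addr.is_reserved
                                      or addr.is_multicast or addr.is_loopback)

    def targets(self, limit=None):
        """Yield IPv4Address objects: at most `limit`, or the whole cycle."""
        produced = 0
        x = self.start
        while True:
            x = (self.a * x + self.c) % self.mod
            addr = ipaddress.IPv4Address(x)
            if not self._skip(addr):
                yield addr
                produced += 1
                if limit is not None and produced >= limit:
                    return
            if x == self.start:                 # cycle complete: every value seen once
                return


if __name__ == "__main__":
    # Constructed demo: 192.0.2.0/24 stands in for a known honeypot range.
    scanner = PermutationScanner(seed=0xC0FFEE, blacklist=["192.0.2.0/24"])
    for addr in scanner.targets(limit=10):
        print(addr)
```

The LCG is chosen for the provable full-period property, not for quality: its low-order bits cycle with short periods, so consecutive targets share structure. Scanners that care about that use a multiplicative group over a prime slightly larger than 2^32 instead, at the cost of a generator-selection step. From the defender's side the same code shows why a honeypot on a published IP block is cheap to avoid: the blacklist is one `ip_network` entry.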
Diffusion • Design malware to use alternate channels of infection (USB drives or smartphones) • Hope someone plugs the wrong thing in the wrong place • Can be random or targeted • Targeted often requires research on habits/behaviors of individuals in the target environment
Actual Propagation • Self-propagation • Social engineering • Secondary infections • Malicious code sources: • From central source • From infector • Inject as part of exploitation
Self-Propagation • Uses exploits on the remote machine to self-install • Examples: • Unpatched network daemons (several in older versions of Samba) • Insecure driver code (thumb drives and other out-channel exploits) • Insecure system settings (autoplay, no UAC)
Social Engineering • Sends a copy of the malware disguised as something innocuous • "Funny cat video!.mpg.exe" • Spread by malicious user, unwitting infected user, or the malware itself
Secondary Infections • Create an artificial vulnerability or exploit • Serves as the vehicle for other malware • Primary approach of droppers & backdoors
Honeypots • Detection mechanism that exploits random/pseudorandom propagation • Pose as a vulnerable system • Capture malware samples • Often run by known organizations • Known IP spaces = easy to avoid • Low-interaction honeypots • Emulate aspects of a vulnerable system • Safer, but only emulate specific aspects • High-interaction honeypots • Actual full systems/VMs • Specialized firewall • Infection (hopefully) cannot spread
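A low-interaction honeypot is the "emulate aspects of a vulnerable system" bullet made concrete: it never runs what the attacker sends, it only answers convincingly enough to collect credentials, command lines and the URLs of the payloads the attacker tries to pull in. The block below is an added example written for this page, not the code of any honeypot project; it emulates a telnet login and a fake shell as a line-driven state machine, with a plain `socketserver` wrapper around it. The banner, hostname and canned command outputs are invented, and the attacker input shown in the demo is constructed.

```python
import json
import re
import socketserver
import time

# Everything "the system" says is canned; nothing the attacker types is executed.
FAKE_BANNER = b"\r\nDebian GNU/Linux 6.0\r\nlogin: "
CANNED = {
    "uname -a": "Linux srv01 2.6.32-5-686 #1 SMP i686 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "cat /proc/cpuinfo": "model name\t: Intel(R) Xeon(R) CPU",
}
URL_SCHEMES = ("http://", "https://", "ftp://", "tftp://")
IAC_NEGOTIATION = re.compile(rb"\xff[\xfb-\xfe][\x00-\xff]")   # IAC WILL/WONT/DO/DONT <opt>


class TelnetEmulator:
    """Line-oriented fake login and shell. feed(line) -> bytes to send back."""

    def __init__(self, peer):
        self.peer = peer
        self.state = "login"
        self.user = None
        self.events = []      # what we keep: credentials, commands, payload URLs

    def _log(self, **fields):
        self.events.append({"ts": time.time(), "peer": self.peer, **fields})

    def feed(self, raw):
        raw = IAC_NEGOTIATION.sub(b"", raw)
        line = raw.rstrip(b"\r\n").decode("latin-1")
        if self.state == "login":
            self.user, self.state = line, "password"
            return b"Password: "
        if self.state == "password":
            self._log(event="login", user=self.user, password=line)
            self.state = "shell"      # always "succeed": we want to see what comes next
            return b"\r\nLast login: Tue Mar 26 2013\r\n# "
        # shell state: record, pick out payload URLs, answer from the canned table
        self._log(event="command", cmd=line)
        for tok in line.split():
            if tok.startswith(URL_SCHEMES):
                self._log(event="payload_url", url=tok)   # fetch later, from a sandbox
        if line.strip() in ("exit", "quit", "logout"):
            self.state = "closed"
            return b"logout\r\n"
        reply = CANNED.get(line.strip(), "")
        return (reply + "\r\n# ").encode() if reply else b"# "


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        emu = TelnetEmulator(self.client_address[0])
        self.wfile.write(FAKE_BANNER)
        while emu.state != "closed":
            raw = self.rfile.readline()
            if not raw:
                break
            self.wfile.write(emu.feed(raw))
        for event in emu.events:          # JSON lines; ship them to your collector
            print(json.dumps(event))


if __name__ == "__main__":
    # Bind a high port and redirect 23 to it with the host firewall. Deny all
    # outbound traffic from this host so a logged payload URL is never fetched here.
    socketserver.ThreadingTCPServer(("0.0.0.0", 2323), Handler).serve_forever()
```

The outbound-deny rule is the honeypot's "specialized firewall" from the slide: the emulator itself cannot be infected because it executes nothing, but the host it runs on still must not be usable as a pivot.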
Four different classifications • Uncontrolled and silent • Controlled and silent • Uncontrolled and noisy • Controlled and noisy
Uncontrolled and Silent • No interaction with the operator in either direction • Transmits no information back to its source • Behavior must be pre-programmed, e.g. Stuxnet on its air-gapped targets • Often used simply to cause destruction
Uncontrolled and Silent • Pros • Cannot be disrupted by compromising command method • Less likely to be detected by network monitoring (under correct conditions)
Uncontrolled and Silent • Cons • No dynamic control • Cannot be used for data theft, reconnaissance
Controlled and Silent • Can receive commands • Numerous channels available, such as IRC, DHT, Google link bombing, establishing direct network contact, P2P networks, file drops • Does not transmit information • Often used for targeted attacks, occasionally used for botnets, planting backdoors
Controlled and Silent • Pros • Behavior can change dynamically after launch in direct response to controller • Less likely to be detected by network monitoring (under correct conditions, initially)
Controlled and Silent • Cons • Cannot be used for data theft, reconnaissance • Can be disrupted or even destroyed by subversion of command mechanism
Uncontrolled and Noisy • Can communicate information about infected systems • Methods include file drops on a central server or to online hosting services (e.g. Mega), IRC channels, P2P services • More useful for reconnaissance, smash-and-grab
Uncontrolled and Noisy • Pros • Easiest for ‘blitz’ style attacks • Good for blind mapping
Uncontrolled and Noisy • Cons • No dynamic control • More likely to be detected
Controlled and Noisy • Allows for both control and communication • Allows for targeting and exploiting specific systems • Frequently used for more sophisticated malware • High-end botnets, spyware, backdoors
Controlled and Noisy • Pros • Can dynamically alter behavior • Can gain information about infected systems • Allows for most sophisticated behavior