Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics
Scanning • Wireless Scanners • War driving: Finding Wireless Access Points • A normal WLAN needs < 100 m to the access point to function well. • A good antenna can pick up signals from miles away. • Omni-directional antennas make war driving easy. • Directional antennas yield better results. • Can build a good one out of a Pringles box.
Scanning Home-made War Driving Antenna
Scanning • War driving goal: • Locate WLANs • Determine Extended Service Set Identifier (ESSID) • Access points transmit beacon packets approximately every 100 msec.
Scanning • Active Scanning: • Broadcast 802.11 probe packets with ESSID of “Any” • Implemented by netstumbler. • Or Windows XP SP 2. • Listening for Beacons • Put wireless card into monitor mode. • AKA rfmon • Read all packets. • Implemented by Wellenreiter and Kismet. • Forcing Deauthentication • Some WLANs ignore probes with an ESSID of “any”. • First, get MAC address of access point. • Tool sends a wireless deauthenticate message to the client with the spoofed MAC of the access point. • Clients now need to reassociate, revealing the ESSID.
Scanning • Hardening • Set ESSID to something that does not contain the name of your organization. • Configure access points to ignore probe requests that don’t include the ESSID. • Use stronger authentication mechanisms. • Do not rely on the MAC address alone, since it can be spoofed. • Switch from WEP to WPA • Reduce transmission power of access points.
Scanning • War Dialing • Looking for modems by dialing all numbers of an organization. • Targets are ill-configured modems. • Especially those connected to computers with remote control products such as VNC, pcAnywhere, Mini Remote Control, Laplink Gold, …
Scanning • Network Mapping (Assume that attackers have gained access to the target system.) • Sweeping: • Attempting to ping all possible addresses. • Port mapping: • Identify services listening on ports: • TCP Connect Scan • Tries to complete the TCP three-way handshake. • TCP SYN Scan • Attacker sends SYN, but does not ACK the SYN-ACK response from the target. • (Many systems do not log these interrupted connection attempts.) • Could result in an accidental DoS, since the target buffers these half-open attempts waiting for completion. The attacker can send a Reset instead of the final ACK to avoid this.
Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP FIN • Attacker sends a FIN packet. • Target is supposed to send a RESET packet if the port is closed. • Target does not send anything back if the port is open. • Xmas Tree Scan: • Attacker sends packets with the URG, ACK, PSH, RST, SYN, and FIN flags all set. • Null Scan: • Attacker sends a packet without any flags set. • Closed port sends RESET, listening port sends nothing.
Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP ACK Scan • “Firewall Friendly”: Stateless firewalls will only let TCP packets through with the ACK flag set. • If the packet passes through the firewall, the internal system answers with a RESET packet. • Response of the target is somewhat OS dependent.
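As an added example, not part of the lecture slides, the flag combinations on the last three slides turned into a small Python detector: each probe is classified by its TCP flags, FIN, Xmas-tree and Null probes are reported on sight because no legitimate connection starts that way, and SYN and ACK probes are reported only when one source touches several ports without ever completing a handshake. The packet records are constructed, and the `min_ports` threshold is a chosen parameter, not something the slides specify.

```python
# Added example (not from the lecture slides): classify TCP probes by flag
# combination and report the scan types described above, from a constructed
# packet list. Flags use one letter each: S=SYN, A=ACK, F=FIN, R=RST,
# P=PSH, U=URG.
from collections import defaultdict

# Constructed sample records: (src, dst, dport, flags)
SAMPLE_PACKETS = [
    ("10.0.0.9", "10.0.0.2", 22, "S"),        # half-open SYN probes, never acked
    ("10.0.0.9", "10.0.0.2", 80, "S"),
    ("10.0.0.9", "10.0.0.2", 443, "S"),
    ("10.0.0.9", "10.0.0.2", 25, "F"),        # FIN scan
    ("10.0.0.9", "10.0.0.2", 110, "SAFRPU"),  # Xmas tree: every flag lit, as on the slide
    ("10.0.0.9", "10.0.0.2", 143, ""),        # Null scan
    ("10.0.0.9", "10.0.0.2", 8080, "A"),      # lone ACK probe
    ("10.0.0.5", "10.0.0.2", 80, "S"),        # legitimate client ...
    ("10.0.0.5", "10.0.0.2", 80, "A"),        # ... completes the handshake
]


def classify_flags(flags):
    """Name the probe type implied by one packet's TCP flags."""
    f = set(flags)
    if not f:
        return "null"      # no flags at all
    if f == {"F"}:
        return "fin"       # FIN without ACK: protocol violator
    if {"F", "P", "U"} <= f:
        return "xmas"      # FIN+PSH+URG lit (covers the slide's all-flags variant too)
    if f == {"A"}:
        return "ack"       # bare ACK: firewall-mapping probe or ordinary mid-session traffic
    if f == {"S"}:
        return "syn"       # handshake opener
    return "other"


def detect_scans(packets, min_ports=3):
    """Return {src: {type: sorted ports}} for suspicious sources.

    FIN, Xmas and Null probes are reported on sight: no legitimate connection
    starts with those flags. SYN and ACK packets are ordinary traffic, so they
    are reported only when one source touches at least `min_ports` ports, and
    a SYN is ignored when the same source later completes the handshake with
    a bare ACK to that port.
    """
    acked = {(s, d, p) for s, d, p, fl in packets if set(fl) == {"A"}}
    by_src = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind == "other" or (kind == "syn" and (src, dst, dport) in acked):
            continue
        by_src[src][kind].add(dport)

    report = {}
    for src, kinds in by_src.items():
        hits = {k: sorted(p) for k, p in kinds.items()
                if k in ("fin", "xmas", "null") or len(p) >= min_ports}
        if hits:
            report[src] = hits
    return report


if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_PACKETS).items():
        print(src, hits)
```

On the constructed sample, 10.0.0.9 is reported for its three half-open SYNs and for the FIN, Xmas and Null probes, while its single ACK probe stays under the threshold; 10.0.0.5 completes its handshake and is not reported. Real traffic would come from a packet capture rather than a list, but the classification logic is the same.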
Scanning • FTP Bounce Scans: • Goal: Source IP address does not show up in target logs. • Exploits an old FTP option (sometimes still available on printers that support FTP): • The FTP server allows a user to connect to it and request that the server send a file to another system. • Attacker requests that a file be sent to every port on the target. • If the target port is open, the FTP server tells the attacker that it opened the connection but could not communicate. • If the target port is closed, the FTP server tells the attacker that it could not communicate with the target.
Scanning • Idle Scanning • IP header includes a field “IP Identification”. • Groups together the fragments of one datagram. • Windows increases the IP ID by one whenever it needs a new number. • Attacker first identifies a system that will be blamed (the scapegoat). • Attacker then determines the current IP ID at the blamed system. • Attacker then sends a fake message purporting to be from the blamed system to the target. • If the target answers with a SYN-ACK (port open), the blamed system replies with a reset and so increments its IP ID; a reset from the target (port closed) is simply ignored. • Attacker determines whether the IP ID number has increased.
Scanning • Idle scan sequence diagram (attacker, scapegoat, target): • 1. Attacker → scapegoat: SYN • 2. Scapegoat → attacker: ACK, IP-ID = 5 • 3. Attacker → target: SYN to TCP port 12345, spoofed as coming from the scapegoat • 4. Target → scapegoat: SYN-ACK from port 12345 (port open) • 5. Scapegoat → target: Reset, IP-ID = 6 • 6. Attacker → scapegoat: SYN • 7. Scapegoat → attacker: SYN-ACK, IP-ID = 7 • Aha: the IP-ID advanced by two, so the scapegoat must have sent a reset in between; the target port is open.
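Added example, not from the slides: a self-contained Python model of the exchange in the diagram above, with three simulated hosts and no real packets. It shows that the inference rests entirely on the scapegoat handing out consecutive IP-IDs, and ends with the check a defender would run on their own hosts: probe a few times and see whether the IP-IDs are predictable; stacks that randomize or zero the field cannot be used as a scapegoat. Host names, the port numbers and the starting counter value 4 are constructed.

```python
# Added example (not from the lecture slides): a self-contained model of the
# idle-scan exchange in the diagram. Nothing is sent on a network; three
# Host objects exchange tuples. Names, ports and the counter start are
# constructed.
import random


class Host:
    """IP-ID counter plus a set of open TCP ports."""

    def __init__(self, name, open_ports=(), ipid_policy="sequential"):
        self.name = name
        self.open_ports = set(open_ports)
        self.policy = ipid_policy
        self._ipid = 4                     # first reply then carries IP-ID 5, as in the diagram
        self._rng = random.Random(0)       # fixed seed keeps the demo reproducible

    def next_ipid(self):
        """Assign the IP-ID for the next datagram this host emits."""
        if self.policy == "sequential":    # one global counter, as the slide says Windows does
            self._ipid += 1
            return self._ipid
        if self.policy == "zero":          # stack that never fragments and always sends 0
            return 0
        return self._rng.randrange(65536)  # per-datagram random IP-ID

    def receive_syn(self, src, dport):
        """SYN-ACK if the port is open, RST if closed; either consumes an IP-ID."""
        kind = "SYN-ACK" if dport in self.open_ports else "RST"
        return (self.name, kind, self.next_ipid())

    def receive_synack(self, src):
        """An unsolicited SYN-ACK is answered with RST, which consumes an IP-ID."""
        return (self.name, "RST", self.next_ipid())

    def receive_rst(self, src):
        """An unsolicited RST is silently dropped: no datagram, no IP-ID used."""
        return None


def idle_scan_inference(scapegoat, target, port):
    """What the attacker concludes about `port` on the target while seeing
    only the scapegoat's replies (steps 1-7 of the diagram)."""
    _, _, before = scapegoat.receive_syn("attacker", 12345)     # steps 1-2
    _, reply, _ = target.receive_syn(scapegoat.name, port)      # step 3: spoofed source
    if reply == "SYN-ACK":
        scapegoat.receive_synack(target.name)                   # steps 4-5: RST burns an IP-ID
    else:
        scapegoat.receive_rst(target.name)                      # closed port: nothing happens
    _, _, after = scapegoat.receive_syn("attacker", 12345)      # steps 6-7
    return "open" if after - before == 2 else "closed"


def ipid_predictable(host, probes=4):
    """Defender-side check: does this host hand out consecutive IP-IDs?
    Only such a host can serve as a scapegoat; randomized or constant IP-IDs
    make the difference `after - before` meaningless."""
    ids = [host.receive_syn("auditor", 12345)[2] for _ in range(probes)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    print(idle_scan_inference(Host("scapegoat"), Host("target", {80}), 80))  # open
    print(ipid_predictable(Host("legacy")))                                  # True
    print(ipid_predictable(Host("modern", ipid_policy="random")))            # False
```

The model reproduces the diagram's numbers (5, then 6 for the reset, then 7) for a sequential scapegoat. With the `random` or `zero` policy the audit function returns False, which is the property to look for when checking whether any host on your network could be abused in this way.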
Malware Architecture COEN 152/252
Malware Types • Self-replicating malware • Creates new instances of itself • In contrast to passive replication • Population growth • Changes in number of instances • Parasitic malware • Requires some other executable code to exist
Malware Types • Logic Bomb • not self-replicating, zero population growth, possibly parasitic • Consists of • Payload • An action to be performed • Trigger • Boolean condition that is evaluated to decide whether the payload runs • Example: • If Thomas Schwarz is not getting paid then delete the COEN website.
Malware Types • Trojan Horse • parasitic • Program that purports to do something benign • But secretly performs a malicious task • Example: • Authentic-looking login page with username and password prompt • Stores the result in a file, then exits so that the true login page appears
Malware Types • Backdoor • Mechanism that bypasses normal security checks • Virus • Self-replicating • Positive Population Growth • Parasitic • Runs when a certain executable runs • Infects other executables • Traveling on same system, floppy, CD, DVD, USB • First mentioned in SF novel “The Scarred Man” Gregory Benford, 1970
Malware Types • Worm • self-replicating • positive population growth • not parasitic • Spread from machine to machine across a network
Malware Types • Rabbits • Try to consume all system resources by multiplying quickly • Fork bomb • Alternative meaning: a worm that deletes itself after infecting another machine • Worm hops from machine to machine
Malware Types • Spyware • Software that collects information from a system and transmits it to someone else. • Adware • Spyware that presents ads.
Virus • Viruses consist of • Infection Mechanism • Can be multipartite • Trigger (optional) • Payload (optional)
Virus • Target Classification • Boot-Sector Infectors • File Infectors • Macro Viruses • Concealment Strategy Classification • No Concealment • Encryption • Stealth • Oligomorphism, Polymorphism, Metamorphism
Virus: Boot Sector Infectors • Contains code that runs when a system starts up. • Volume Boot Record • First sector of an unpartitioned storage device • First sector of an individual partition • Master Boot Record • First sector of data storage device that has been partitioned
Virus: Boot Sector Infectors • Booting: • Bootstrap loader • Loads software to start the OS • Multi-stage bootstrap loader • Boot sequence on IBM-PC • Runs instruction at memory location F000:FFF0 of the BIOS • Jumps to execution of the BIOS startup program • Executes Power-On Self-Test (POST) • Checks and initializes devices • Goes through preconfigured list of devices • If it finds a bootable device, loads and executes its boot sector • Assume MBR on hard drive • MBR contains address of the bootable partition • Load boot sector of the bootable partition • Boot sector moves OS kernel into memory and starts it
Virus: Boot Sector Infectors • Boot Sector Infector • Copies itself into the MBR or VBR • Typically after making copy of MBR in a “safe location” • Michelangelo: • April 1991 • Moves original boot sector to safe location • Infects all floppy disks inserted into computer • Payload: • overwrites file system with zeroes • Extinct in the wild
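The MBR layout from the booting slides, as an added Python example that is not from the lecture: it builds a constructed 512-byte sector, parses the partition table and boot signature, and compares the 446-byte bootstrap area against a hash recorded when the system was known clean. That comparison is the forensic check that catches an infector of the kind just described: it rewrites the bootstrap code (after stashing the original elsewhere) but usually leaves the partition table intact, so the table alone looks healthy. The partition values and the tampering in the demonstration are constructed.

```python
# Added example (not from the lecture slides): parse a 512-byte MBR and
# detect a rewritten bootstrap area. The sample sector is constructed here.
import hashlib
import struct

BOOT_CODE_LEN = 446              # bootstrap code occupies bytes 0..445
PARTITION_ENTRY = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"          # bytes 510..511


def build_sample_mbr():
    """Constructed MBR: dummy bootstrap code, one bootable type-0x07 partition
    starting at LBA 2048 with 204800 sectors, three empty entries, signature."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Return the bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PARTITION_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue             # unused entry
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def mbr_modified(sector, known_good_sha256):
    """True if the bootstrap area differs from the hash recorded while the
    system was known clean. A boot sector infector replaces this code but
    normally leaves the partition table untouched, so the table alone would
    look healthy."""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_sha256


if __name__ == "__main__":
    mbr = build_sample_mbr()
    baseline = parse_mbr(mbr)["boot_code_sha256"]
    print(parse_mbr(mbr)["partitions"])
    print("modified:", mbr_modified(mbr, baseline))
```

On a real drive the sector would come from an image (`dd` of the first 512 bytes) and the baseline hash from a record taken at install time; the parser and comparison do not change.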
Virus: Boot Sector Infectors • Boot Sector Infector • Stoned Virus • Original version infects only 360KB diskettes • 1988 • Many variants • Behavior • Becomes memory resident • Disables interrupt 12 • Infects MBR • Infects all diskettes • Moves boot sector to sector 11 and copies itself into sector 0 • Same values as chosen by Michelangelo, so that computers infected with both became immediately dysfunctional • Usually destroys part of the file system • Payload: Displays message during boot process: • “Your PC is now Stoned!” • “Your computer is now stoned.”
Virus: Boot Sector Infectors • Extinct in the wild: • Floppies are rarely used to boot, disabling the propagation mechanism • OSs prevent writing to a disk’s boot sector without proper authorization • BIOS can enable boot block protection
Virus: File Infectors • Virus infects executables • Virus is placed in an executable • Prepending Virus: At the beginning • Execution of a *.com file loads the whole file into memory • PC is set to the beginning of the file, so the virus runs first • Virus often copies the original contents of the infected file further down (diagram: virus code followed by original code)
Virus: File Infectors • Appending Virus: At the end (diagram: original code followed by virus code) • To get control: • Save the original first instruction in the code and replace it by a jump to the viral code; execute the virus, then either restore the original instruction and jump to it, or run the original instruction at its saved location followed by a jump to the rest of the code • Executable file formats can specify the start location in the file header
Virus: File Infectors • Overwriting Viruses • Written atop the original code • Does not change file size • Virus gets control in normal execution of the file • Placement Strategies: • Place virus in superfluous data • Place virus in file slack or unused allocated file space • Stash the overwritten contents in a companion file • Compress (parts of) the original file and decompress them at run time
Virus: File Infectors • Inserting Virus • Move target code out of way • Intersperse small pieces of virus with infected file • Companion Virus • Virus gets executed before infected file • Infected file barely changed
Virus: File Infectors • Companion Virus Example • Change name of target file • Copy notepad.exe to notepad.exp • Virus is in the new notepad.exe, which calls notepad.exp • Virus placed earlier in the search path • notepad.exe in a different directory than the real notepad.exe • notepad.com is executed before notepad.exe • Use Windows registry to change the association for .exe files • Change the “interpreter” in ELF files • Typically the run-time linker, but now the virus • Associate the icon of the target with the virus
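The search-path cases on this slide turned into a defender-side check, as an added Python example that is not from the lecture: given a search path and what each directory contains, it lists every command name that resolves to more than one file in loader order, which covers both "same name earlier in the path" and ".com shadowing .exe in the same directory". The directory listing is constructed; the example assumes the Windows rule the slide states, that .com is tried before .exe and directories are searched in path order.

```python
# Added example (not from the lecture slides): find command names that
# resolve to more than one file along a search path, the condition a
# companion virus relies on. Directory contents are constructed; Windows
# tries .com before .exe and walks directories in order, as on the slide.
import os

PATHEXT = (".com", ".exe")        # extension order the loader tries

# Constructed listing: directory -> files in it
SEARCH_PATH = [r"C:\Users\alice\Downloads", r"C:\Windows\System32", r"C:\Windows"]
LISTING = {
    r"C:\Users\alice\Downloads": {"notepad.exe"},                          # stray copy earlier in the path
    r"C:\Windows\System32": {"notepad.com", "notepad.exe", "calc.exe"},    # .com shadows .exe
    r"C:\Windows": {"notepad.exe"},
}


def resolve(name, search_path, listing):
    """All files a bare command name could resolve to, in loader order."""
    hits = []
    for directory in search_path:
        present = {f.lower() for f in listing.get(directory, ())}
        for ext in PATHEXT:
            candidate = name.lower() + ext
            if candidate in present:
                hits.append(directory + "\\" + candidate)
    return hits


def shadowed_commands(search_path, listing):
    """Return {name: [candidates]} for every command with more than one
    candidate; only the first entry ever runs, so the rest are shadowed."""
    names = set()
    for files in listing.values():
        for f in files:
            base, ext = os.path.splitext(f.lower())
            if ext in PATHEXT:
                names.add(base)
    result = {}
    for name in sorted(names):
        hits = resolve(name, search_path, listing)
        if len(hits) > 1:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in shadowed_commands(SEARCH_PATH, LISTING).items():
        print(name, "->", hits)
```

For the constructed listing only `notepad` is reported, with the stray Downloads copy first, then System32's `notepad.com` ahead of the real `notepad.exe`. On a live system the listing would come from `os.listdir` over the actual `PATH`, and any reported name deserves a look at who owns the first candidate.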
Virus: Macro Virus • Macros • Code that is part of documents. • Used extensively in MS Office Tools • Written in or translated to Visual Basic for Applications (VBA) code • Macro Virus • Changes or creates new macro
Virus: Macro Virus • Example: • Concept 1995-1997 • Infects Word’s global document-template NORMAL.DOT • Creates PayLoad and FileSaveAs macros • Infects all documents saved with the Save As command
Virus: Macro Virus • Example: Laroux • 1996 – • Excel macro virus • Consists of auto_open and check_files • auto_open executes whenever an infected spreadsheet is opened, followed by check_files • Virus looks for PERSONAL.XLS • Virus contains no malicious payload
Virus: Macro Virus • Protective Strategies • Later versions of MS Office have security levels for execution of macros • Level high only executes signed macros • MS Office provides warnings when files contain macros • ScanProt (Word prior to 7.0a) scans for the Concept virus
Virus: Concealment • Encryption • Virus body is encrypted to make it harder to detect • Virus needs to contain a decryption engine • Encryption methods range from very simple to strong
Virus: Concealment • Stealth • Virus takes active steps to conceal infection • Restore original file timestamp • Intercept system calls to play back the original file information • Change I/O calls in DOS • Change system libraries in more sophisticated OSs • Run rootkit • Anti-stealth virus • Virus makes all files look infected • Payload: Anti-virus software deletes all other files
Virus: Concealment • Oligomorphism • Encrypted virus changes encryption key between infections • Infected files have different file signatures • Polymorphism • Virus also changes decryption engine • By using equivalent instruction sequences • By using different versions • Tremor had 6 decryption engines • Also makes it difficult for the virus to detect its own presence in a file, so it marks infected files: • Virus can use a specific timestamp (e.g. add 100 to file year) • Pad file sizes of infected files to a certain value • Use hidden flags in ELF format • Use metadata or alternative data streams (in NTFS) • Store data in registry or other location
Virus: Concealment • Hiding Decryptor Engine • Using a mutation engine • Instruction equivalence • All these set register r0 to zero: • clear r0 • xor r0,r0 • and 0, r0 • move 0, r0 • Instruction sequence equivalence • Instruction reordering • Register renaming • Data reordering • Spaghetti code • Junk code insertion • Run-time code generation • Use a virtual machine • Use concurrent threads to make analysis difficult • Inlining, outlining, call sequence changes
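The instruction-equivalence and register-renaming tricks on this slide, seen from the detection side, as an added Python example that is not from the lecture: before comparing two code listings against each other or against a signature, collapse the four "set register to zero" spellings to one canonical form, drop junk instructions, and rename registers in order of first use. The pseudo-assembly syntax follows the slide (`xor r0,r0` and the others); the listings are constructed, and the junk patterns and canonical names are this example's own choices.

```python
# Added example (not from the lecture slides): normalize equivalent
# instruction forms before comparing code, the way a detection engine looks
# through a mutation engine's output. Instruction syntax follows the slide;
# the listings are constructed.
import re

# The four "set rN to zero" spellings on the slide, each capturing the register
ZERO_FORMS = [
    re.compile(r"^clear\s+(r\d+)$"),
    re.compile(r"^xor\s+(r\d+)\s*,\s*\1$"),
    re.compile(r"^and\s+0\s*,\s*(r\d+)$"),
    re.compile(r"^move\s+0\s*,\s*(r\d+)$"),
]
# Junk that changes nothing: explicit nops and a move of a register onto itself
JUNK = re.compile(r"^(?:nop|move\s+(r\d+)\s*,\s*\1)$")
REGISTER = re.compile(r"\br\d+\b")


def normalize(listing):
    """Collapse equivalent instructions to one canonical form, drop junk, and
    rename registers in order of first use so register renaming does not matter."""
    out = []
    for line in listing:
        ins = " ".join(line.strip().lower().split())   # squeeze whitespace
        if not ins or JUNK.match(ins):
            continue
        for form in ZERO_FORMS:
            m = form.match(ins)
            if m:
                ins = f"zero {m.group(1)}"
                break
        out.append(ins)

    mapping = {}

    def rename(m):
        # first register seen becomes v0, the next v1, and so on
        return mapping.setdefault(m.group(0), f"v{len(mapping)}")

    return [REGISTER.sub(rename, ins) for ins in out]


def same_behaviour(a, b):
    """True if two listings normalize to the same canonical sequence."""
    return normalize(a) == normalize(b)


# Constructed variants of one routine as a mutation engine might emit them
ORIGINAL = ["clear r0", "add r0, r1", "jump done"]
MUTATED = ["xor r7,r7", "move r3, r3", "nop", "add r7, r2", "jump done"]
DIFFERENT = ["move 0, r0", "sub r0, r1", "jump done"]

if __name__ == "__main__":
    print(normalize(MUTATED))                        # ['zero v0', 'add v0, v1', 'jump done']
    print(same_behaviour(ORIGINAL, MUTATED))         # True
    print(same_behaviour(ORIGINAL, DIFFERENT))       # False
```

This handles only the equivalences the slide lists explicitly. Instruction reordering, spaghetti code, run-time code generation and virtual-machine based decryptors defeat textual normalization, which is why scanners fall back on emulating the decryptor and scanning the decrypted body instead.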