CSCD 434 Spring 2019 Lecture 8 Attacks: Worms, Trojans, Backdoors
Introduction • Today, cover malware • Worms, Trojan Horses / Backdoors • Define Rootkits, viruses - cover later • Nearly all of these infect computers via the network • Email counts as a form of remote infection • If you do decide to write one for fun, don’t release it … could get into trouble ...
Definitions • Worm • Replicates itself, stand-alone program, spreads via a network .. including phishing • Virus • Program that attaches itself to another program • Replicates itself; the program must run to activate • Trojan horse • Program that pretends to do one thing but does something else behind the scenes • Rootkit • A rootkit is malware that uses stealth to maintain a persistent and undetectable presence on the machine … consists of a number of files and components
Purpose of Malware • What is the main purpose of most modern malware? • Profit!!!! • Modern malware is a for-profit, big-business undertaking • Online criminals invest significant amounts of money and time in more efficient malware and better malware distribution mechanisms because the financial rewards can be enormous • According to research company Computer Economics, direct damage attributed to malware totaled $13 billion globally in 2006 http://www.computereconomics.com/article.cfm?id=1225
Malware Related Statistics 2018 • According to CSO magazine, statistics for 2018 related to malware: • 92% of malware is delivered by email • 56% of IT decision makers say targeted phishing attacks are their top security threat • 77% of compromised attacks in 2017 were fileless • Fileless attacks exploit software already installed on the victim's computer rather than downloading large executables • It takes organizations an average of 191 days to identify data breaches ... about 6 months !!! https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
More Statistics on Malware 2018 https://www.helpnetsecurity.com/2019/03/07/cyberattack-cost-2018/
Statistics on Malware Explained • Malware is the most expensive type of attack, costing companies $2.6 million on average; web-based attacks are next, at $2.3 million • Number of organizations experiencing ransomware attacks increased by 15 percent in 2018, with costs increasing 21 percent, to approximately $650,000 per company on average • Number of ransomware attacks more than tripled in the past two years • 85% experienced phishing and social engineering attacks in 2018 • 76% suffered web-based attacks
Purpose of Malware: How is it distributed? • Malware has been part of computing for decades • In the 1990s, floppy disks: your network or system got infected when you stuck an infected floppy disk into your drive • Then, as email became more prevalent, hackers designed malware to spread as infected email attachments • Today, email is dominant, with web-based second, as the distribution mechanism for malware • Recently, malvertising … attackers buy space on popular websites and load them with ads infected by viruses, spyware, malware
Worms
Worms • A worm is self-replicating software designed to spread through the network • Typically exploits security flaws in widely used services ... mostly buffer overflows • Causes massive damage • Launch DDoS attacks, install bot networks • Access sensitive information • Used for spam
Worms • Worm vs Virus vs Trojan horse • A virus is code embedded in a file or program • Viruses and Trojan horses rely on humans: a human must access the file or run the program • Worms are often self-contained and may spread autonomously ... and they do! • Can also spread via email, Internet
Worms: how do they spread? • Copy itself directly across the network • Read your address book • Email itself to everyone in your address book • How easy is it to do this? • Microsoft Outlook: it was trivial, < 5 lines of code to send out an email • Can cause Outlook to send emails without user awareness • Reason why so many worms used Outlook
Morris Worm • First appeared in 1988 • Purpose: determine where it could spread, spread its infection, remain undiscovered • Robert Morris claimed his worm had a bug… the Morris worm tried to re-infect systems • Led to resource exhaustion; systems crashed
Morris Worm: how did it spread? • Multi-vector attack capability!!! • Tried to obtain access to a machine by… • User account password guessing • Exploited buffer overflow in fingerd, which identifies users • Exploited debug code in sendmail • Flaws in fingerd and sendmail were well-known at the time, but not widely patched
Morris Worm • Once access had been obtained to a machine… • “Bootstrap loader” sent to victim • Consisted of 99 lines of C code • Victim machine compiled and executed the code • Bootstrap loader fetched the rest of the worm
Morris Worm: why was it successful? • For its time, it was truly sophisticated in its behavior • If transmission of the worm was interrupted, all code was deleted • Code encrypted when downloaded • Code deleted after decrypting and compiling • When running, the worm regularly changed its name and process identifier (PID)
I-Love-You Worm • E-mail worm arrived May 4, 2000, with subject "ILOVEYOU" and an attachment • LOVE-LETTER-FOR-YOU.TXT.vbs
I-Love-You Worm • LOVE-LETTER-FOR-YOU.TXT.vbs • Upon opening the attachment, the software sent a copy of itself to everyone in the user's address list, posing as the user • Overwrote all these file types: • VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, and MP2 • Overwritten files contain the worm's body and their extensions are changed to vbs
I-Love-You Worm • How did it spread? • Sent a copy of itself to the first 50 addresses in the Windows Address Book used by Microsoft Outlook • Why was it successful? • Took advantage of Microsoft's practice of hiding file extensions; Windows had begun hiding extensions by default • Enticed users to open the attachment, ensuring continued propagation • Exploited systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows which let unused features easily run malicious code capable of achieving complete access to the operating system
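The hidden-extension trick above is something a mail gateway can screen for. The following is an added example, not code from the lecture: it reconstructs what a user saw when Windows hid the last extension, and blocks attachments whose real extension is a script type, especially when the visible part of the name ends in a harmless-looking type. The extension lists and all file names are constructed for the example (the script list is the one from the slide plus .exe, an assumption).

```python
"""Added example, not from the lecture: a mail-gateway check for the
ILOVEYOU naming trick, where a script attachment is named
LOVE-LETTER-FOR-YOU.TXT.vbs and Windows hides the final ".vbs".
All file names used here are constructed test data."""

# Script extensions the worm targeted (from the slide), plus .exe, which is
# treated the same way here (assumption).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "sct", "hta", "exe"}

# Extensions a user would read as harmless documents or media (assumption).
BENIGN_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "png", "mp3", "mp2", "pdf"}


def extensions(name):
    """All extensions of a file name, lower-cased: 'a.TXT.vbs' -> ['txt', 'vbs']."""
    parts = name.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def windows_displayed_name(name):
    """What a user saw with 'hide extensions for known file types' on:
    the last extension is dropped, so the .vbs payload looks like a .TXT file."""
    return name.rsplit(".", 1)[0] if "." in name else name


def screen_attachment(name):
    """Return ('block' | 'allow', reason) for one attachment file name."""
    exts = extensions(name)
    if not exts:
        return "allow", "no extension"
    actual = exts[-1]
    if actual in SCRIPT_EXTS:
        if len(exts) > 1 and exts[-2] in BENIGN_EXTS:
            # The visible part of the name ends in a benign type: the
            # double-extension disguise ILOVEYOU relied on.
            return "block", f"script .{actual} disguised as .{exts[-2]}"
        return "block", f"script/executable extension .{actual}"
    return "allow", f".{actual} is not a script extension"


if __name__ == "__main__":
    for n in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "report.txt", "FullVideo.exe",
              "archive.tar.gz", "README"]:
        shown = windows_displayed_name(n)
        print(f"{n:30} shown as {shown:25} -> {screen_attachment(n)}")
```

The check looks only at the last extension, because that is the one the operating system acts on; the extension a user sees is irrelevant to what runs. A production gateway would add the same test for names inside archives and for long runs of spaces before the final extension.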
Code Red 1 V1 • July 13, 2001: first worm of the modern era • Exploited buffer overflow in Microsoft’s Internet Information Server (IIS) • How did it spread? • 1st through 20th of each month: spread • Finds new targets by random scan of the IP address space • Spawns 99 threads to generate addresses and look for IIS • Creator forgot to seed the random number generator, so every copy scanned the same set of addresses ... oops • 21st through the end of each month: attack • Defaced websites with “HELLO! Welcome to http://www.worm.com! Hacked by Chinese!”
Code Red 1 V2 • July 19, 2001: same codebase as Code Red 1 V1, but fixed the bug in random IP address generation • Compromised all vulnerable IIS servers on the Internet • Fast spread • Scanned address space grew exponentially • 350,000 hosts infected in 14 hours!! • Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov
Code Red 2 • August 4, 2001: same IIS vulnerability, completely different code; kills Code Red 1 • Known as “Code Red II” because of a comment in the code • Worked only on Windows 2000, crashed NT • Scanning algorithm preferred nearby addresses • Chose addresses from the same class A with probability 1/2, the same class B with probability 3/8, and randomly from the entire Internet with probability 1/8 • Payload: installed root backdoor in IIS servers for unrestricted remote access • Died by design on October 1, 2001
[Figure: Code Red / Nimda activity timeline. Annotations: Code Red 2 kills off Code Red 1; Nimda enters the ecosystem; CR 1 returns thanks to bad clocks; Code Red 2 settles into weekly pattern; Code Red 2 dies off as programmed. Slides: Vern Paxson]
SQL Slammer • Another modern worm … • SQL Slammer, January 2003 • Although titled "SQL Slammer worm", the program didn't use the SQL language • How did it work? • Exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products, for which a patch had been released six months earlier • Affected Microsoft SQL 2000 • Vulnerable population: 75,000 machines infected in less than 10 minutes http://en.wikipedia.org/wiki/SQL_slammer_worm http://www.die.net/musings/sql_slammer/
[Figure: infected hosts at 05:29:00 UTC, January 25, 2003; from Moore et al. “The Spread of the Sapphire/Slammer Worm”]
[Figure: 30 minutes later; size of circles is logarithmic in the number of infected machines; from Moore et al. “The Spread of the Sapphire/Slammer Worm”]
Secret of Slammer’s Speed • Why was it successful? • Old-style worms (Code Red) spawn a new thread which tries to establish a TCP connection • If successful, send a copy of itself over TCP • Limited by latency of the network • Slammer improved on this concept: a connectionless UDP worm • No connection establishment; simply sent a 404-byte UDP packet to randomly generated IP addresses • Limited only by bandwidth of the network
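Whether a worm scans over TCP connections (Code Red) or fires UDP datagrams (Slammer), the behaviour visible at the network edge is the same: one source contacting an unusually large number of distinct destinations on one port in a short time. The following is an added example, not from the lecture, of a minimal fan-out detector over connection-attempt records. The flow records, the 60-second window and the fan-out threshold are all constructed for the example.

```python
"""Added example, not from the lecture: a simple fan-out detector for the
random-address scanning that Code Red (TCP) and Slammer (UDP) both relied on.
Flow records and thresholds below are constructed test data / assumptions."""
from collections import defaultdict, deque


def detect_scanners(flows, window=60.0, max_fanout=20):
    """flows: iterable of (t_seconds, src, dst, dst_port, proto), one record per
    outbound connection attempt (TCP SYN or first UDP datagram), sorted by t.
    Returns {src: (t_alerted, distinct_dsts)} for any source that contacted
    more than max_fanout distinct destinations on one port/proto within
    `window` seconds. Nothing about the payload is inspected, so a fast
    UDP scanner and a threaded TCP scanner look the same here."""
    recent = defaultdict(deque)          # (src, port, proto) -> deque[(t, dst)]
    alerts = {}
    for t, src, dst, port, proto in flows:
        q = recent[(src, port, proto)]
        q.append((t, dst))
        while q and q[0][0] < t - window:    # drop records older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > max_fanout and src not in alerts:
            alerts[src] = (t, len(distinct))
    return alerts


def build_flows():
    """Constructed traffic: one scanning host, one ordinary web client, and one
    host that talks to many destinations but slowly (outside the window)."""
    flows = []
    # Infected host: 50 SYNs to 50 distinct addresses on port 80 in 5 seconds.
    for i in range(50):
        flows.append((100.0 + i / 10, "10.0.0.5", f"203.0.113.{i}", 80, "tcp"))
    # Ordinary browsing: 15 connections to 4 web servers over 15 seconds.
    for i in range(15):
        flows.append((50.0 + i, "10.0.0.7", f"192.0.2.{i % 4}", 80, "tcp"))
    # Slow but wide: 30 destinations, one every 10 seconds; never >7 per window.
    for i in range(30):
        flows.append((10.0 * i, "10.0.0.9", f"198.51.100.{i}", 80, "tcp"))
    return sorted(flows)


if __name__ == "__main__":
    for src, (t, n) in detect_scanners(build_flows()).items():
        print(f"{src}: {n} distinct destinations within 60 s, alerted at t={t}")
```

The slow host shows why the window matters: it reaches 30 destinations in total but never more than a handful inside any 60-second span, so a scanner that deliberately throttles itself would need a longer window or a per-destination failure count to catch. Keying on (source, port, protocol) keeps a busy mail or DNS server from tripping the rule on its normal fan-out to a different port.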
Modern Worms Don't Just Spread • Old-style worms: goal mostly to spread, very noticeable attacks • How fast and far can we go? • Sometimes dropped other malware to maintain access • Modern worms: stealthier • Always have a payload of more malware • Many infection vectors, not just one • Use resources of the machine, glean user information
Modern Worms Don't Just Spread • These worms spread more subtly, without making noise • Symptoms don't appear immediately; an infected computer can sit dormant for a long time • If it were a disease, more like syphilis, whose symptoms may be mild or disappear altogether, eventually come back years later and eat your brain !! • Bruce Schneier http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
Storm Worm 2007 • How did it spread? • Spread by a cleverly designed spam campaign • Arrived as an email with a catchy subject • First instance: “230 dead as storm batters Europe” • Other examples: “Condoleeza Rice has kicked German Chancellor”, “Radical Muslim drinking enemies’s blood”, “Saddam Hussein alive!”, “Fidel Castro dead”, etc. • Attachment or URL with malicious payload • FullVideo.exe, MoreHere.exe, ReadMore.exe, etc. • Also masqueraded as flash postcards • Once opened, • Installs trojan (wincom32) and rootkit !!!
Storm Worm Characteristics • Infected host joined a botnet • Obfuscated P2P control structure • Interacted with peers via the eDonkey protocol • Obfuscated code, anti-debugging defenses • Goes into an infinite loop if it detects VMware or Virtual PC • A large number of spurious probes (evidence of external analysis) triggers a distributed DoS attack • Infection estimates • Between 1 million and 50 million computers infected worldwide
Storm Worm Characteristics • Storm's payload morphed every 30 minutes or so • Typical AV (antivirus) and IDS techniques less effective --- they use code signatures to detect Storm • E-mail also changed, leveraging social engineering techniques • Always new subject lines and new enticing text • Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater, and the personal website of Joe Stewart, who publicized an analysis of Storm
Conficker Worm http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution • Conficker.A first detected on 21 November 2008 and exploited MS08-067, described below … [figure: infection distribution as of 4/1/2009] • MS08-067 Server Service Buffer Overflow • This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers • Successful exploitation may result in execution of arbitrary code on the target host with System privileges!!!!
Conficker Worm • Conficker.B, detected in February 2009, added the ability to spread through network shares and removable storage devices: USB drives and the AutoRun function in Windows • Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan • Also reaches out to other infected computers via P2P networking • Includes a list of 50,000 different domains; 500 will be contacted by an infected computer on April 1 to receive updated copies, other malware or instructions
Conficker Worm • Where did Conficker come from? Ties to the Russian Business Network • What is its purpose? Conficker's main purpose was/is to provide its authors with a secure binary update service that allows them instant control of the millions of infected PCs worldwide • Conficker disables Windows system security services as well as third-party firewalls and anti-virus products, leaving systems in a vulnerable state which can lead to more infection and infiltration
Conficker Worm • “In April, 2009 Cyber Secure Institute estimated that the economic cost of Conficker was as high as $9.1 billion based on the average cost for related malware incidents analyzed in their previous studies” http://www.zdnet.com/blog/security/manchester-city-council-pays-2-4m-in-conficker-clean-up-costs/3690 • Is Conficker still a threat in 2018? YES. Anyone using old, unpatched machines remains vulnerable • Countries most affected by Conficker include India, China and Brazil. These nations have large manufacturing industries that, in many cases, use old products that remain vulnerable to Conficker. https://www.cyberscoop.com/conficker-trend-micro-2017/
Worm Propagation Methods • Scanning worms: the worm chooses a “random” address • Coordinated scanning: different worm instances scan different addresses • Meta-server worm: asks a server for hosts to infect • Topological worm: uses information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) • Contagion worm: propagates parasitically along with normally initiated communication
Worm Signature • Monitor the network and look for strings common to traffic with worm-like behavior • Signatures can then be used for content filtering • Slide: S. Savage
Content Sifting • Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm • Two consequences: • Content prevalence: W will be more common in traffic than other bitstrings of the same length • Address dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations • Find W’s with high content prevalence and high address dispersion and drop that traffic … Any problems with this?
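The two tests on the previous two slides (strings common to worm-like traffic, then prevalence plus address dispersion) can be run over a packet stream directly. The following is an added example written for this page; it is not the lecture's code and not the Earlybird/Autograph implementation the slide summarises. It counts every k-byte substring once per packet, keeps only those that are both prevalent and carried between many distinct sources and destinations, and stitches the surviving k-grams back into a readable signature. The traffic, the invariant string, k and all thresholds are constructed for the example; the ordinary HTTP traffic is included to show why prevalence alone is not enough.

```python
"""Added example, not from the lecture and not the Earlybird/Autograph code it
summarises: a small content-sifting pass that keeps only byte strings with
both high content prevalence and high address dispersion, then stitches the
surviving k-grams back into a signature. Traffic below is constructed."""
from collections import defaultdict
import random

K = 8   # substring length compared across packets (assumption)


def sift(packets, k=K, min_prevalence=10, min_srcs=5, min_dsts=5):
    """packets: iterable of (src, dst, payload_bytes).
    Returns {gram: (prevalence, n_srcs, n_dsts)} for every k-byte substring
    seen in at least min_prevalence packets AND carried between at least
    min_srcs distinct sources and min_dsts distinct destinations."""
    count, srcs, dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, dst, payload in packets:
        seen = set()                       # count a gram once per packet
        for i in range(len(payload) - k + 1):
            g = payload[i:i + k]
            if g in seen:
                continue
            seen.add(g)
            count[g] += 1
            srcs[g].add(src)
            dsts[g].add(dst)
    return {g: (count[g], len(srcs[g]), len(dsts[g])) for g in count
            if count[g] >= min_prevalence
            and len(srcs[g]) >= min_srcs and len(dsts[g]) >= min_dsts}


def merge_grams(flagged):
    """Join overlapping flagged k-grams into longer signatures; a gram whose
    (k-1)-byte prefix is no other flagged gram's suffix starts a signature."""
    by_prefix = defaultdict(list)
    for g in flagged:
        by_prefix[g[:-1]].append(g)
    suffixes = {g[1:] for g in flagged}
    sigs = []
    for start in (g for g in flagged if g[:-1] not in suffixes):
        sig, cur, used = start, start, {start}
        while True:
            nxt = [g for g in by_prefix.get(cur[1:], []) if g not in used]
            if len(nxt) != 1:              # dead end or ambiguous branch: stop
                break
            cur = nxt[0]
            used.add(cur)
            sig += cur[-1:]
        sigs.append(sig)
    return sorted(sigs)


INVARIANT = b"\x90\x90\x90\x90INVARIANT-WORM-CODE"   # constructed stand-in for W


def build_traffic(seed=1):
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.randrange(256) for _ in range(n))
    pkts = []
    # 20 infected hosts, each hitting a fresh victim, each wrapping the same
    # invariant in different per-instance bytes.
    for i in range(20):
        pkts.append((f"10.0.{i}.2", f"203.0.113.{i}", rand(6) + INVARIANT + rand(6)))
    # 30 ordinary HTTP requests from 3 clients to 1 server: the request line is
    # just as prevalent as W, but its address dispersion is tiny.
    for i in range(30):
        pkts.append((f"192.0.2.{i % 3}", "198.51.100.10",
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    return pkts


def find_signatures(packets):
    return merge_grams(sift(packets))


if __name__ == "__main__":
    for sig in find_signatures(build_traffic()):
        print("candidate signature:", sig)
```

The HTTP request line passes the prevalence test (30 packets) but not the dispersion test (3 sources, 1 destination), so only the worm invariant survives; that is the answer to the slide's "any problems?" as far as benign protocol boilerplate goes. Real deployments still have to pick thresholds per link, and a worm that changes its bytes on every copy (as Storm's payload did every 30 minutes) leaves no single W for this method to find.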
Malicious Code • Using worms transformed into botnets • Hundreds of thousands of vulnerable computers are still being used to launch spam campaigns • 70 percent of all spam is now sent this way, according to anti-spam firm Message Labs Inc. • Perhaps 6 to 7 billion spam messages are routed through hacked home computers
Malicious Code • Attack Trends • Crossbreeding • Combo malware raises the threat; treats each element as a building block • The malware developer of today constructs an attack tool by selecting various blocks and combining them in a single piece of code • Worms used to spread backdoors • Bugbear.b worm featured several backdoors • Blaster worm and Sobig.F virus also installed backdoors
Malicious Code • Attack Trends • “Combo Malware ... far more likely to find some hole in your defenses than single-trick malware • Fight combo malware, you need more than your signature-based AV engine loaded on servers and desktops • You need to think in terms of holistic defense, addressing multiple vulnerability points, hardening your overall network and preparing for the worst” Ed Skoudis
Attack Trends: Exploit Kits • Exploit kits are malicious toolkits used to exploit security holes found in software applications (Adobe Reader, etc.) for the purpose of spreading malware • These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers • Kaspersky Labs states that MPack was one of the first publicly recorded kits available, released in late 2006 by Russian programmers • The kit went viral and was spotted on more than 10,000 websites shortly after release
Attack Trends • Today’s modern exploit kit comes neatly packaged by the author and does not require any knowledge of how an exploit works • Most exploit kits have a user-friendly web interface that allows licensed users to log in and view active victims and statistics • Highly profitable for the author to create and manage these kits … licenses can be very costly to purchase, as much as $10,000 per month, and these price tags are matched by an increasing demand • Even a typical kit usually costs around $500 a month
Attack Trends: Exploit Kits • Due to their illicit nature, exploit kits can be difficult to acquire • Most of these kits are only available in underground black hat forums where they’re licensed directly from the author • Such forums aren’t usually indexed in popular search engines, such as Google, and therefore can be difficult to find without doing a little digging first http://blog.malwarebytes.org/intelligence/2013/02/tools-of-the-trade-exploit-kits/
Maintaining Access • Once you have infected a computer • Through a vulnerability, system or human • Maintaining access needs a stealthy way back in .. • Install a remote control backdoor on the victim system • Backdoor allows attacker access in the future
Backdoors • What is a Backdoor? • Once you penetrate a machine through one of the ways we talked about previously • Want to install a future access point • A backdoor is a way into the system that allows an attacker admission whenever they want