CS 510 : Malicious Code and Forensics

CS 510 : Malicious Code and Forensics. About the course Syllabus at




Textbook

Required:

Malware – Fighting Malicious Code, Ed Skoudis, ISBN: 0131014056


Other material (optional)

Hacking – The Art of Exploitation, Jon Erickson, ISBN: 1-59327-007-0

The Shellcoder's Handbook – Discovering and Exploiting Security Holes, Koziol et al., ISBN: 0-7645-4468-3

Trojans, Worms, and Spyware: A Computer Security, M. Erbschloe, ISBN: 0750678488

The Giant Black Book of Computer Viruses, M. Ludwig, ISBN: 0929408233


Ethics

Exploring malware:

Do it on your own computer, or somewhere you have permission to.

Don’t run vulnerability scanners on other people’s machines.


What is Malware?

Malware – a set of instructions that run on your computer and make your system do something that an attacker wants it to do:

Delete files to render your computer inoperable
Infect other systems (worms, viruses)
Monitor activity (webcams, keystroke loggers)
Gather information on you, your habits, web sites you visit
Provide unauthorized access (trojans, backdoors)
Steal files (credit card data)
Store illicit files (copyrighted material)
Send spam or attack other systems
Stepping stone to launder activity (frame you for a crime)
Hide activity (rootkits)


Why make malware?

For kicks

For profit: commercial-grade malware


Why is it so prevalent?

Unprecedented connectivity

Huge clueless userbase

Increasingly generic software

Homogeneous architectures

Mature toolkits

Data/Instruction mix (.. more)


Mixing Data & Code

What’s the difference between code and data?
Data is information that your CPU acts on
Code tells your CPU to take action (danger!)

To a computer, what’s the difference between code and data?

… Not much *

Data & code are intermixed these days: ELF, .exe, .html, .doc ….
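The slide's point that a computer barely distinguishes code from data holds for serialization formats just as it does for ELF or .doc files. The following Python example is added here and is not part of the lecture slides; it uses Python's pickle format as the stand-in: a blob that looks like stored data but names a callable that runs when the blob is loaded. The payload calls the builtin `eval` on a harmless arithmetic string so the effect is visible without doing damage; a real payload would name something worse. It also shows the two responses a forensic analyst wants: static triage of the pickle opcodes before anything is loaded, and a restricted unpickler whose allow-list (its contents are an assumption) refuses every other callable.

```python
"""Data or code? A pickle is a byte blob, but pickle.loads() executes the
callables the blob names. Constructed example; not from the course slides."""
import io
import pickle
import pickletools


class LooksLikeData:
    """Serialises to a pickle that calls eval("1 << 10") when loaded.
    eval stands in for an attacker's payload; it is chosen because it is
    harmless here and resolvable as builtins.eval in any interpreter."""

    def __reduce__(self):
        return (eval, ("1 << 10",))


# Constructed sample blobs: one carries code, one is ordinary data.
MALICIOUS = pickle.dumps(LooksLikeData())
BENIGN = pickle.dumps({"user": "alice", "roles": ["ops", "dev"]})


def names_code(blob):
    """Static triage without loading: GLOBAL / STACK_GLOBAL / INST are the
    opcodes that import a module attribute, i.e. the point at which the
    'document' stops being data and starts naming code to run."""
    return any(op.name in ("GLOBAL", "STACK_GLOBAL", "INST")
               for op, _arg, _pos in pickletools.genops(blob))


def unsafe_loads(blob):
    """What most code does: trust the blob and run whatever it names."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the (module, name) pairs a pickle may import.
    The allow-list below is an assumption for the example; a real one
    holds exactly the plain data classes the application expects."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(blob):
    """Load with the allow-list enforced; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Apply all three views to the constructed blobs and return the results."""
    results = {
        "static_flag_malicious": names_code(MALICIOUS),
        "static_flag_benign": names_code(BENIGN),
        "unsafe_result": unsafe_loads(MALICIOUS),  # 1024: the 'data' ran code
    }
    try:
        safe_loads(MALICIOUS)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["restricted_benign"] = safe_loads(BENIGN)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Static opcode triage is the forensics move: it tells you a captured blob would execute something without executing it. The allow-list unpickler is the defensive move, and the order matters: refuse in `find_class`, because by the time `REDUCE` runs the callable has already been imported.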


Mixing Data & Code

Developers do it because:
Cool – Dynamic, interactive environment (eg HTML)
Flexible – Extended functionality (eg .doc)
Efficient – Flexible software building blocks (eg .js)
Market share – Features increase usage


Types of malware

Viruses

Worms

Malicious mobile code

Backdoors

Trojans

Rootkits (user & kernel level)


Viruses

Infects a host file

Self-replicates

Spreads via secondary storage or network

Human interaction usually required

Examples: Michelangelo, Stoned, CIH


Worms

Spreads across a network

Self-replicates

Human interaction not usually required

Examples: Morris Worm, Code Red, SQL Slammer


Malicious Mobile Code

Lightweight

Downloaded and executed locally

Human interaction minimal

JavaScript, VBScript, Java, ActiveX, Flash

Examples: Cross-Site Scripting, drive-by downloads, Cross-Site Request Forgery


Backdoor

Bypasses normal security controls to give an attacker access

Can have dual uses (for good and evil)

Examples: Netcat, VNC, Back Orifice


Trojan Horse

Disguised as a useful file/program

Performs a malicious purpose such as launching other programs or capturing user information
Eg. Setiri, Hydan


Rootkits

Tools to hide the presence of the attacker or other malware on the system

User-level rootkit: replaces utilities on the host system

Kernel-level rootkit: manipulates the operating system directly
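Because a user-level rootkit works by replacing the utilities an administrator runs (ls, ps, netstat and the like), the forensic counter is to hash those binaries while the system is known-good and compare later. The following Python example is added here and is not part of the lecture slides; the list of watched utilities is an assumption, and a throwaway directory stands in for /bin so the whole thing runs offline.

```python
"""File-integrity baseline for catching a user-level rootkit's swapped
utilities. Constructed example; not from the course slides."""
import hashlib
import os
import tempfile

# Utilities user-level rootkits commonly replace (assumed list for the example).
WATCHED = ["ls", "ps", "netstat", "login"]


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bindir, names=WATCHED):
    """Record the hash of each watched utility while the system is trusted."""
    return {name: sha256_file(os.path.join(bindir, name)) for name in names}


def verify(bindir, baseline):
    """Compare live utilities against the baseline.
    Returns {'modified': [...], 'missing': [...]}; both empty when clean."""
    report = {"modified": [], "missing": []}
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.exists(path):
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
    return report


def demo():
    """Stage a fake /bin, baseline it, then tamper the way a user-level
    rootkit does: replace `ps` with a wrapper that filters out the
    attacker's process, and remove `netstat`. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in WATCHED:  # constructed stand-ins for real binaries
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho original %s\n" % name.encode())
        baseline = build_baseline(bindir)
        clean = verify(bindir, baseline)

        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ps.orig \"$@\" | grep -v backdoor\n")
        os.remove(os.path.join(bindir, "netstat"))
        tampered = verify(bindir, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

Two operational caveats follow from the slide's own distinction. The baseline must live off the host (or on read-only media), otherwise the rootkit simply updates it. And this check only reaches user-level rootkits: a kernel-level rootkit that hooks the file reads the verifier performs can feed it the original bytes, so integrity checks of a suspect system are run from trusted boot media, not from the running kernel.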


Others

Spyware: monitors a system’s activity and reports it to the attacker


Adware: software that continually displays advertisements to users


Scareware: software that scares users into purchasing or installing software they do not want or need


Ransomware: software that attempts to force users to pay the hacker money