Ch. 7 Malicious Software Malware. Malware Terminology

1

Ch. 7 Malicious Software

Æ

Malware

• Male-ware? Partially true

• malicious software exploits system vulnerabilities

–program fragments that need a host program

»e.g. viruses, logic bombs, and backdoors

–independent self-contained programs run by OS

»e.g. worms, bots

–Actively replicating or not

• sophisticated threat to computer systems

2

Malware Terminology

• Backdoor (trapdoor): secret maintenance hooks, privilege/unautherized access

• Logic bomb: embedded with trigger condition

• Trojan horse: hidden codes, open access, damage data, compiler

• Mobile code: java applet, ActiveX, JavaScript, VBScript

• Virus: execute to infect other codes

• Worm: replicate itself to other hosts

• Exploits:codes to certain vulnerability

• Auto-rooter Kit: to break into other machine remotely

• Spammer and Flooder programs • Keyloggers, Spyware, Adware

• Rootkit: set of hacker tools to gain root-level accesses

• Zombie, bot: program activated to attack others

• Multiple-threat malware: combined several infection methods – Nimda: Email, Windows file share, web servers, web clients

3

Viruses

• piece of software that

infects other programs

– modifying them to include a copy of the virus

– so it executes secretly when a host program is run

– Spread by “contact”: floppy, email, share, web, etc

• specific to operating system and hardware

• a typical virus goes through phases of:

– Dormant

– Propagation: copy of itself – Triggering: system events – Execution: benign or harmful

Virus Structure

• components:

– infection mechanism: enables replication

– Trigger: event that makes payload activate

– Payload: what it does, malicious or benign

• prepended/ postpended/ embedded into a

program

– when infected program invoked, executes virus code, then original program code

• We can block initial infection or propagation

5

Sample Virus Structure

program V := {goto main; 1234567; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file == 1234567)

then goto loop

else prepend V to file; }

subroutine do-damage :=

{whatever damage is to be done}

subroutine trigger-pulled :=

{return true if some condition holds}

main: main-program :=

{infect-executable;

if trigger-pulled then do-damage; goto next;} next: } 6 program CV := {goto main; 01234567; subroutine infect-executable := {loop: file:=get-random-executable-file; if (first-line-of-file = 01234567)

then goto loop; (1) compress file; (2) prepend CV to file; }

main: main-program :=

{if ask-permission then infect-executable; (3) uncompress rest-of-file;

(4) run uncompressed file;} }

7

Virus Classification

• Classification by the target to infect and

method to conceal itself

• Based on

target

– boot sector

– file infector: OS or shell programs

– macro virus: files interpreted by an application

• Based on

concealment

– encrypted virus: encrypt with a random key

– stealth virus

– polymorphic virus: mutate every infection

– metamorphic virus: mutate every infection; rewrite self at each iteration; may change behavior

Macro Virus

• became very common in mid-1990s since

– infect documents

– easily spread

• exploit macro capability of office apps

– often a form of macro language Basic

• New releases of office apps include protection

• Macro recognized by many anti-virus programs

– Run scripts in a sandbox to see what happens

9

E-Mail Viruses

• more recent development

• e.g. Melissa

– exploits MS Word macro in attached doc

– if attachment opened, the macro is activated

– sends email to all on a user’s address list

– and does local damage

• then saw versions triggered

• hence much faster propagation

– Much hard to fight

10

Virus Countermeasures

• Prevention: ideal solution but difficult

• realistically we need:

– Detection: detection and understand virus

– Identification: where in an infected program

– Removal: restore files to original states

• if detect but can’t identify or remove, must

discard and replace the infected program

11

Anti-Virus Evolution

• virus and antivirus tech have both evolved

• early viruses simple code, easily removed

• As viruses become more complex, so must the

countermeasures

• Four generations

– First: specific signature scanners

– Second: not specific signatures, but heuristics

»Fragments of codes; integrity check with secret keys

– Third: memory-resident program to identify actions using activity traps

»No needs for signatures or segments heuristics

– Fourth: combination packages

»Scanner, activity traps, access control

Advanced Anti-virus:

Generic Decryption

• runs executable files through GD scanner

• As polymorphic viruses need to decrypt itself,

we can detect such events using

– CPU emulator to interpret instructions »not real runs, not real damages

– virus scanner to check known virus signatures

– emulation control module to manage process

• lets virus decrypt itself in interpreter

• periodically scan for virus signatures

• issue is to take time to interpret and scan

13

Digital Immune System

• Goal: Fast response to spread via (1) email and (2) mobile programs • Developed by IBM and refined by Symantec

(1) find suspicious code; (2) send to analysis machine; (3) emulate in a safe environment and generate prescription P; (4), (5), and (6) distribute P; (7) send P to other subscribers to stop spread

14

Behavior-Blocking Software

• Blocking before spread, in real-time, without signatures or heuristics

• Monitor: attempts to modify files, disks, programs, system settings, scripting email/IM, initiating communications

15

Worms

• Actively replicating program that propagates over net

– using email, remote exec, remote login

• has phases like a virus:

– dormant, propagation, triggering, execution

– Different in propagation phase: searches for other systems, connects to it, copies self to it and runs • may disguise itself as a system process

• concept seen in Brunner’s “Shockwave Rider”

• implemented by Xerox Palo Alto labs in 1980’s

– Search idle systems to run programs

Morris Worm

• one of best know worms

– http://snowplow.org/tom/worm/worm.html

• released by Robert Morris in 1988

• various attacks on UNIX systems

– cracking password file to use login/password to logon to other systems

– exploiting a bug in the finger protocol

– exploiting a bug in sendmail

• if succeed have remote shell access

17

Worm Propagation Model

•

Why phases? How should we deal with it?

18

Recent Worm Attacks

• Code Red

– July 2001 exploiting MS IIS bug

– probes random IP address, does DDoS attack

– consumes significant net capacity when active

– 360,000 servers in 14 hours

• Code Red II variant includes backdoor

• SQL Slammer, http://www.cs.ucsd.edu/~savage/papers/IEEESP03.pdf

– jan 2003, attacks MS SQL Server

– compact and very rapid spread, 10 minutes

• Mydoom

– mass-mailing e-mail worm that appeared in 2004

– installed remote access backdoor in infected systems

– 1000 times per minutes, 100M infected msg in 36hrs

• Search-worm using DNS or google to spread

• P2P-based worm: Storm worm

19

Worm Technology

• Multiplatform: Win, UNIX

• multi-exploit: Web servers, browsers, email, file

• ultrafast spreading: prepare a

• Polymorphic: each instance is generated on-fly

• Metamorphic:

– change appearance and behavior patterns

• transport vehicles of large-scale attacks

• zero-day exploit:

– unknown before the worm is launched

Worm Countermeasures

• overlaps with anti-virus techniques

• once a worm on system, A/V can detect it

• worms also cause significant

net activity

• No existing techniques can satisfy all requirements

–Timeliness to quickly respond

–Resiliency to evasion

–Minimal denial-of-service cost: »not overload the protected system

–Transparency: not require to change existing systems

–Global and local coverage: deal with both external and internal spreads

21

worm defense approaches

• signature-based worm scan filtering

– Generate worm scanning signature: Autograph, Polygraph, Earlybird

– Slow respond to polymorphic worms • filter-based worm containment

– Examine worm content signature at hosts: Vigilante, Shield • payload-classification-based worm containment

– Examine packets in net, look for control and data flow struc. • threshold random walk scan detection

– Detect scanners quickly • rate limiting

– Limit the # of connections in a period; not for slow worms • rate halting

– Blocking outgoing traffic when exceeding a threshold

– Proper recovery scheme needed

22

PWC Agent at a host

Host-based Proactive Worm Containment (PWC)

(2) block outgoing conn.; (3) alert manager; (4) start relaxation analysis

• Mangerpropagates an alert to other

• Host act on an alertby blocking outgoing ports & start relaxation analysis

• Relaxation analysis: check if outgoing conn. in a window exceeds a

threshold. If so, blocking until the #conn. below the theshold in a window

23

Network Based Worm Defense

• Ingress and egress monitor

• Sensors deployed to capture worms, e.g., honeypot • Send alert to correlation server

• Analysis in a protected environment, sandbox

• Test suspicious codes on applications and find vulnerability • Generate patch and update hosts

Rootkits

• set of programs installed for admin access

• malicious and stealthy changes to host O/S

• may hide its existence

– subverting report mechanisms on processes, files, registry entries etc

• types:

– Persistent: activate at system boot

– memory-based: no persistent code on the system

– User Mode: Intercept calls to APIs (application program interface) and modified returned results

– kernel mode: intercept native API calls in kernel mode

• installed by user via trojan or intruder on system

• range of countermeasures needed

25

Rootkit System Table Modification

• Modify system call table

• Modify system call table target

• Redirect system call table

26

Bots and Botnets

•Bot, Zombie, Drone -- a infected system controlled

by an attacker remotely

•Botnet: a set of bots controlled by an attacker

•Use of Botnet: DoS, Spam, identity theft, keylogging,

spreading malware, etc.

•Bot characteristics:

–remote control facility

»via Internet Relay Chat (IRC), HTTP, DNS, Google, blog, etc

–spreading mechanism

»attack software, vulnerability scanning

»scanning strategy: random, hit-list, topological, local subnet

•various counter-measures applicable

27

Spamming Botnets

Name Est. Bot # Spam Capacity

Conficker 9,000,000 10 billion/day Kraken 495,000 9 billion/day Srizbi 450,000 60 billion/day Bobax1 85,000 9 billion/day Rustock 150,000 30 billion/day Cutwail 125,000 16 billion/day

Most commonly used Bot families (2006)

some slides modified from

Usman Jafarey’ talk

• Agobot (aka Forbot, Phatbot, Urxbot, Rxbot, Rbot) – Most sophisticated

– Open source 20,000 lines C/C++ code

– IRC-based command/control Window/Linux

– Large collection of target exploits: remote buffer overflow – Key features:

» Password Protected IRC Client control interface » Remotely update and remove the installed bot » Execute programs and commands

»Port scannerused to find and infect other hosts »DDoSattacks used to takedown networks

– Packet sniffer, Keylogger, Polymorphic code, Rootkit installer

– Information harvest: Email Addresses, Software Product Keys, Passwords

29

SDBot

• Simpler than Agobot, 2,000 lines C code

• Non-malicious at base

• Utilitarian IRC-based command/control

• Easily extended for malicious purposes

–

Scanning

–

DoS Attacks

–

Sniffers

–

Information harvesting

–

Encryption

• SpyBot

–

<3,000 lines C code

–

Possibly evolved from SDBot

»Similar command/control engine

»No attempts to hide malicious purposes

• GT Bot

–

Functions based on mIRC scripting capabilities

program hides bot on local system

–

Features

»Port scanning, DoS attacks, exploits for RPC and NetBIOS

31

• Variance in codebase size, structure, complexity,

implementation

• Convergence in set of functions

– Possibility for defense systems effective across bot families

• Bot families extensible

– Agobot likely to become dominant

• A new area, very little known; many research is

going on

Botnet basics

• All of the above use IRCfor command/control

– Disrupt IRC, disable bots

– Sniff IRC traffic for commands

– Shutdown channels used for Botnets

• IRC operators play central role in stopping botnet traffic • Automated traffic identification required

• Future botnets may move away from IRC

– New directions: HTTP, p2p, DNS, search engine, blogs, news forum

• Move to P2P communication

– Storm worm detected in early 2007

– probably the largest botnets, 10M up!

Botnet Control

33

Bot Host control

• Fortify system against other malicious attacks

• Disable anti-virus software

• Harvest sensitive information

– Economic incentives for botnets

• Stresses need to patch/protect systems prior

to attack

• Stronger protection boundaries required

across applications in OSes

34

Propagation

• Horizontal scans

– Single port across address range

• Vertical scans

– Single IP across range of ports

• Current scanning techniques simple

• Future methods

– Flash, more stealthy

• Source code examination

35

Exploits and Attacks

• Agobot

– Has the most elaborate set

– Several scanners, various flooding mechanisms for DDoS

• SDBot

– None in standard

– UDP/ICMP packet modules usable for flooding

– Variants include DDoS

• SpyBot

– NetBIOS attacks

– UDP/TCP/ICMP SYN Floods, similar to SDBot

– Variants include more

• GTBot

– RPC-DCOM exploits

– ICMP Floods, variants include UDP/TCP SYN floods

• Required for protection

– Network intrusion detection

– Prevention signatures sets

• Future Threats

– More bots capable of launching multiple exploits

• Current Damages

– DDoS highlight danger of large botnets

– Large-scale spamming campaigns show the long-term damage

37

Code Delivery

• shell encoders for distribution

• Agobot separates exploits from delivery

– Open shell on host

– Then, Upload binary via HTTP or FTP

– Encoder can be used across multiple exploits

– Streamlines codebase

• NIDS/NIPS need knowledge of shell codes and

perform simple decoding

• NIDS incorporate

follow-up connection

detection

for exploit/delivery separation prevention

38

Obfuscation

• Hide details of network transmissions

• Same key used in encoding --> signature matching

• Polymorphism: generate random encodings, evades

signature matching

»POLY_TYPE_XOR

»POLY_TYPE_SWAP (swap consecutive bytes)

»POLY_TYPE_ROR (rotate right)

»POLY_TYPE_ROL (rotate left)

• NIDS/Anti-virus eventually need to develop

protection against polymorphism

39

Deception

• Detection evasion once installed

• Agobot

– Debugger tests

– VMWare tests

– Anti-virus process termination

– Pointing DNS for anti-virus to localhost

• Shows merging between botnets/trojans/etc.

– Better tools for dynamic malware analysis

– Improved rootkit detection/anti-virus as deception improves

“The Zombie Roundup” Paper

41

Dramatic Escalation

42

Rise of Zombies

43

Botnet example

45

¾

some botnets have over 1 million bots

¾

Some cut into smaller ones to sell separately

¾

60,000 bots per day in 2007 and 2008,

¾One estimation:

one out four home PCs are bots

¾ Difficult to measure, trace, and take down

Botnet: bad and big

46

47

Botnet measurements: honeypots

49

Prevent infection

50

51

Detecting future bot communication

53

Detecting behaviour

54

55