CS-695 Host Forensics Georgios Portokalidis

Slides:



Advertisements
Similar presentations
C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.
Advertisements

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.
HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.
System Security Scanning and Discovery Chapter 14.
The Internet Worm Crisis and Aftermath Miyu Nakagawa Cameron Smithers Ying Han.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Advanced Persistent Threats CS461/ECE422 Spring 2012.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
A sophisticated Malware Arpit Singh CPSC 420
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
By: Sharad Sharma, Somya Verma, and Taranjit Pabla.
Jonathan Baulch  A worm that spreads via USB drives  Exploits a previously unknown vulnerability in Windows  Trojan backdoor that looks for a specific.
More Network Security Threats Worm = a stand-alone program that can replicate itself and spread Worms can also contain manipulation routines to perform.
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
We want this Internet, this global cyberspace, to be completely free, completely open. Everyone does. I do. But we also want to conduct business there,
Administrative: Objective: –Tutorial on Risks –Phoenix recovery Outline for today.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Recent Internet Viruses & Worms By Doppalapudi Raghu.
CHAPTER 3 Classes of Attack. INTRODUCTION Network attacks come from both inside and outside firewall. Kinds of attacks: 1. Denial-of-service 2. Information.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.
CHAPTER 9 Sniffing.
Security CS Introduction to Operating Systems.
©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Internet Worm Compromising the availability and reliability of systems through security.
Crisis And Aftermath Eugene H. Spafford 이희범.  Introduction  How the worm operated  Aftermath Contents.
4061 Session 26 (4/19). Today Network security Sockets: building a server.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Stuxnet.
Understand Malware LESSON Security Fundamentals.
The Internet Worm Incident Eugene H. Spafford  Attack Format –Worm vs. Virus  Attack Specifications –Worm operation –Infection and propagaion  Topics.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
GCSE Computing: A451 Computer Systems & Programming Topic 3 Software System Software (2) Utility Software.
Information Systems CS-507 Lecture 32. Physical Intrusion The intruder could physically enter an organization to steal information system assets or carry.
NEXT GENERATION ATTACKS & EXPLOIT MITIGATIONS TECHNIQUES ID No: 1071 Name: Karthik GK ID: College: Sathyabama university.
Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.
Network Attacks Instructor: Dr. X. Outline Worms DoS.
Protecting Computers From Viruses and Similarly Programmed Threats Ryan Gray COSC 316.
Lecture 14 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter 40 Internet Security.
Secure services Unit-IV CHAP-1
What they are and how to protect against them
The Internet Worm Compromising the availability and reliability of systems through security failure.
Malware and Computer Maintenance
Instructor Materials Chapter 7 Network Security
Protecting Memory What is there to protect in memory?
Secure Software Confidentiality Integrity Data Security Authentication
Wireless Network Security
Onno W. Purbo Cracking Techniques Onno W. Purbo
Chapter 2: System Structures
Viruses and Other Malicious Content
Answer the questions to reveal the blocks and guess the picture.
Information Security Session October 24, 2005
Chapter 3. Basic Dynamic Analysis
Chap 10 Malicious Software.
Propagation, behavior, and countermeasures
Lesson 16-Windows NT Security Issues
Faculty of Science IT Department By Raz Dara MA.
Chap 10 Malicious Software.
Chapter 7 Network Applications
Crisis and Aftermath Morris worm.
MESSAGE ACCESS AGENT: POP AND IMAP
Presentation transcript:

CS-695 Host Forensics Georgios Portokalidis Real Malware CS-695 Host Forensics Georgios Portokalidis

CS-695 Host Forensics Real Malware The morris worm 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Some Facts About 1988 The Internet consisted of about 60,000 computers They were connected using TCP/IP Mostly run BSD Unix 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Worm vs Virus Definitions can be tricky Specially in 1988 Our definition A worm is a standalone malicious program that replicates itself in order to spread to other computers without any explicit user action. The Morris worm does just that 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Steps Isolating and obtaining a copy of the worm Decompiling its program Analyzing the obtained data Reveal its algorithm Discover weaknesses/characteristics that can be used to defeat it 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Challenges Obtaining a copy and even decompiling (this was 1988 after all) was done easily The worm spread with incredible speed Brought the Internet of the day on its knees It took analysts months to figure out the payload of the worm Is it doing something malicious? (it wasn’t) Why did it spread so fast? 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Vectors of Infection Sendmail DEBUG bug Finger daemon on VAX systems Bruteforce password on remote execution systems rexec rsh 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Targets SUN and VAX architectures Hosts found in /etc/hosts.equiv /.rhosts .forward .rhosts Routing tables end points of point-to-point interfaces 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware What It Never Did Gain privileged access Destroy data Install time bombs or backdoors Brute force the root account 4/23/2013 CS-695 Host Forensics Real Malware

Sendmail DEBUG function A server to send email Speaks the SMTP protocol DEBUG function enables one to run a program at the host Added by the author of sendmail to remotely troubleshoot systems 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware 19:43:10 smtpd: <--- 220 inet.att.com SMTP 19:43:14 smtpd: -------> debug 19:43:14 smtpd: DEBUG attempt 19:43:14 smtpd: <--- 200 OK 19:43:25 smtpd: -------> mail from:</dev/null> 19:43:25 smtpd: <--- 503 Expecting HELO 19:43:34 smtpd: -------> helo 19:43:34 smtpd: HELO from 19:43:34 smtpd: <--- 250 inet.att.com 19:43:42 smtpd: -------> mail from: </dev/null> 19:43:42 smtpd: <--- 250 OK 19:43:59 smtpd: -------> rcpt to:</dev/ ˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆHˆH 19:43:59 smtpd: <--- 501 Syntax error in recipient name 19:44:44 smtpd: -------> rcpt to:<|sed -e ’1,/ˆ$/’d | /bin/sh ; exit 0"> 19:44:44 smtpd: shell characters: |sed -e ’1,/ˆ$/’d | /bin/sh ; exit 0" 19:44:45 smtpd: <--- 250 OK 19:44:48 smtpd: -------> data 19:44:48 smtpd: <--- 354 Start mail input; end with <CRLF>.<CRLF> 19:45:04 smtpd: <--- 250 OK 19:45:04 smtpd: /dev/null sent 48 bytes to upas.security 19:45:08 smtpd: -------> quit 19:45:08 smtpd: <--- 221 inet.att.com Terminating 19:45:08 smtpd: finished. Unfriendly activity 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware No Shellcode Commands sent to sendmail did two things Strip email headers from the message Compile the message It contained a C program that fetched the rest of the worm from the already infected host C is easier to understand than assembly 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Finger Daemon Bug Typical stack overflow bug Finger used a library function that copied data without range checking That function was there for backwards compatibility, but was not used after 1979 What does this teach us? 4/23/2013 CS-695 Host Forensics Real Malware

Brute forcing Passwords & rexec rexec allows a user to execute a command in a remote host by sending a plaintext username and password Local accounts were tried on remote systems Passwords were first tried locally This ensured alarms were not raised from too many failed authentications attempts 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Guessed Passwords Empty passwords Same as user name The user name repeated twice The last name The last name spelled backwards Words in a 432-word dictionary included in worm Words in /usr/dict/words 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware rsh. Better Than rexec Gain a shell at the remote host Allow trusted hosts to login without a password /etc/host.equiv .rhosts for individual users 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware First Reactions Administrators cut off the sendmail service Big mistake! It shut off communication channels necessary to fix the error The worm had alternate ways to propagete 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Worm Defences Worm deleted its argument list It was compiled as ‘sh’ Weak authentication based on the exchange of magic numbers It forked every three minutes This resets the CPU time and memory usage counters Harder to seize Obfuscation Each string in the program was XORed with 81 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Flaws Never checked if a host is already infected Routines would exit with errors while leaving a copy of the virus running: When multiple instances of the worm attempted to infect a clean host concurrently When multiple instances of the worm attempted to infect and already compromised host When a machine is heavily loaded Remember it is actually compiling Infection rate was proportional to number of instances of the worm running on a host Due also to randomly mutating known hosts 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Bad Target Finding Worm checked for telnet or rsh ports to determine if a host is running UNIX Some systems only run sendmail! It did not utilize DNS 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Stopping the Worm Isolation from the network Pulling the plug always works…well almost Turning off sendmail Patching sendmail to disable debug command Shutting down finger daemon Patching finger daemon mkdir /usr/tmp/sh Renaming cc and ld 4/23/2013 CS-695 Host Forensics Real Malware

How to Fix User Passwords A tool was created which used the same password guessing mechanism as the worm Administrators used this tool to test their systems! Maybe the first case to raise the problem of poor password choices 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Interesting Facts October 1988: mailer logs indicated someone tested the worm Someone tried to send binaries over SMTP Failed because STMP only supported 7-bit ASCII November 1988: first infections reported in Stanford A big story in the news: http://www.youtube.com/watch?v=G2i_6j55bS0 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Lessons for the Future Keeping communications up is important Allows for a more mature reaction Diversity is good The cure should not be worse that the disease Defenses must be at the host level not the network level A central fix repository 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware The Author Robert Morris was a student at Cornell University He was identified, tried, and convicted in 1990 3 years of probation, fines, etc. Received a PhD from Harvard Now a professor at MIT 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Since Then 2000: ILOVEYOU worm Actually requires the user to click on an attachment 2001: CodeRed worm Attacked Microsoft’s IIS server 2003: SQL Slammer worm Attacked Microsoft’s SQL server 2004: Sasser worm Exploits Windows LSASS service 2007: Zeus Steal banking information 2010: Stuxnet Cyber-sabotage 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Stuxnet 4/23/2013 CS-695 Host Forensics Real Malware

Infected Systems as Reported by Symantec Infected hosts by country 4/23/2013 CS-695 Host Forensics Real Malware

Why is Stuxnet Important? Its infection vectors were ordinary, but … One of the most advanced payloads seen Hard to identify its purpose Actually targeted industrial equipment Real-life effects http://www.youtube.com/watch?v=CS01Hmjv1pQ 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Infections Vectors Not the Internet! Removable USB drives Zero-day exploit - Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability http://www.securityfocus.com/bid/41732 Spreads in a LAN through the printer spooler Another zero-day exploit - Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability http://www.securityfocus.com/bid/43073 Spreads in a LAN through SMB Another zero-day exploit - Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability Copies itself in unprotected network shares WinCC database servers 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware “Features” A rootkit P2P update functionality Supports a command and control server Bypasses security products Identifies systems and ignores most host computers 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Payload Targets programmable logic controllers (PLCs) found on industrial control systems Usually controlled by Windows systems http://www.youtube.com/watch?v=cf0jlzVCyOI 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Bypassing Defenses Bypassing Behavior Blocking When Loading DLLs Host intrusion detection mechanisms intercept LoadLibrary() requests Stuxnet requests to load non-existing files It has previously hooked LoadLibrary() so files are picked up from a different location! 4/23/2013 CS-695 Host Forensics Real Malware

CS-695 Host Forensics Real Malware Bypassing Defenses Scans for the following running processes Kaspersky KAV (avp.exe) Mcafee (Mcshield.exe) AntiVir (avguard.exe) BitDefender (bdagent.exe) Etrust (UmxCfg.exe) F-Secure (fsdfwd.exe) Symantec (rtvscan.exe) Symantec Common Client (ccSvcHst.exe) Eset NOD32 (ekrn.exe) Trend Pc-Cillin (tmpproxy.exe) In addition, the registry is searched for indicators that the following programs are installed: KAV v6 to v9 McAfee Trend PcCillin Checks if it can avoid detection and injects itself in: Lsass.exe Winlogon.exe Svchost.exe The installed security process 4/23/2013 CS-695 Host Forensics Real Malware

Wrap Up: Is Stuxnet a Game Changer? http://www.youtube.com/watch?v=gFzadFI7sco 4/23/2013 CS-695 Host Forensics Real Malware

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.