Intrusion Detection and Malware Analysis: Introduction to Malware

Pavel Laskov, Wilhelm Schickard Institute for Computer Science



Malware: definitions and root causes

The term malicious software denotes program code executed without a user’s consent and carrying out harmful functionality.

Why is malware such a serious problem?

Technical reasons:
- Difficulty to separate code and data
- Homogeneity of the “computing base” (Windows, iPhone, Facebook)
- Unprecedented connectivity

Non-technical reasons:
- Recklessness and ignorance of users
- Profitability of security violations (spam, DoS extortion, stealing of personal information)


An example from last semester


“Theoretical foundations” of malware

Von Neumann’s model (1948, 1953):
- universal machine
- universal constructor
- information on the tape

Darwin/Core Wars: fighting programs (1966):
- a special assembly language with 10 instructions (“Redcode”)
- two programs simultaneously running in the same memory
- a program dies if it executes a division by 0 or a null instruction
- to increase their survival chances, programs can replicate themselves

Cohen’s thesis (1984):
- definition of a virus
- mathematical description of virus propagation


Pioneers of practical malware

Elk Cloner (1982):
- an Apple II program written by a student, Rich Skrenta
- the program spread via boot sector infection
- on every 50th reset a short poem was displayed by hooking the reset handler

Brain virus (1986):
- first virus to spread in the wild
- written by the Ashar brothers to prevent illegal copying of software
- included in the boot sector of distributed software diskettes

Morris worm (1988):
- used a debugging feature of sendmail (remote execution)
- propagated in the Arpanet
- penetrated ca. 6,000 computers (10% of the Arpanet)


First generation of malware

Definition: A virus is a program that infects other programs by modifying them to include a possibly modified copy of itself.

Boot sector viruses: stored in disk boot sectors, executed automatically at boot

Executable viruses: stored in executable data, hijack flow control

Macro viruses: stored in non-executable data, started by opening a document


Second generation of malware

Definition: A worm is a program that actively propagates over computer networks, with or without human interaction.

Mass-mailers (e.g. Melissa, LoveLetter, Nimda):
- use the SMTP protocol for propagation
- usually (but not necessarily) require manual interaction

In-memory worms (e.g. Slammer, CodeRed):
- proliferation over TCP/HTTP
- automatic execution on vulnerable systems (very fast!)


Third generation of malware (current)

Definition: A trojan horse is a program carrying a hidden functionality behind a seemingly useful one.

- focus on stealthy operation
- anti-detection mechanisms (obfuscation, encryption and polymorphism)
- combination of various malware types and techniques
- increasing commercialization


Further malware types (1)

- Backdoor: remote access to compromised computers (especially used in botnets)
- Downloader: installation of malicious content (used to overcome filtering of executables and to update already installed malware)
- Rootkit: modification of system behavior, either at user level (e.g. user settings) or at root level (e.g. system tools or registry entries)
- Dialer: calling premium services; re-surging in mobile malware


Further malware types (2)

- Spyware: monitoring of user behavior (e.g. during web browsing)
- Adware: unsolicited presentation of advertisements
- Keylogger: capturing of keystrokes, especially of typed-in passwords or financial credentials
- Sniffer: capturing of network traffic, especially of passwords sent in clear text


Malware carriers: boot sector

- Save the original MBR in a safe location
- Overwrite the MBR with an infected one
- Bootstrap the system using the new MBR

Figure (from Ulrich Flegel, Reaktive Sicherheit, Part 4, slide 21/130): Multiple infection by different viruses. Virus infection vectors: infection of the boot sector.
- The virus copies the original boot block and overwrites the boot block.
- The virus gains control during the boot process, before the operating system and anti-virus software are loaded.
- Countermeasure: boot block protection in the BIOS.


Malware carriers: COM executables

- Append the virus body to a program
- Save the program’s entry point in the virus body
- Replace the program’s entry point with a jump to the virus body
- The virus code restores the original entry point and jumps to it after its own execution

Figure (from Ulrich Flegel, Reaktive Sicherheit, Part 4, slide 30/130): Infection by appending. Virus infection vectors: infection of files, appending to the file (1).


Malware carriers: EXE executables

- Append the virus body to a program
- Overwrite the program header to switch the entry point to the virus
- Jump to the original entry point during execution

Figure (from Ulrich Flegel, Reaktive Sicherheit, Part 4, slide 31/130): Infection by appending. Virus infection vectors: infection of files, appending to the file (2).


Malware carriers: PE executables

- The virus is split into parts that are parcelled together by a defragmentation routine.
- The defragmentation routine is inserted between the PE header and the first section.
- The entry point in the PE header is switched to the defragmentation routine.
- Additional viral sections are stored in unused parts of sections.

Figure (from Ulrich Flegel, Reaktive Sicherheit, Part 4, slide 34/130): Infection by scattering into unused file areas. Virus infection vectors: infection of files, scattering into unused padding areas (1), known as code interlacing infection or cavity hole infection.


Malware carriers: companion viruses

MS-DOS feature: if a command is typed without an extension, first a .COM file is searched for and then an .EXE file.

Exploitation: inject a malicious program <program>.COM which calls <program>.EXE besides doing its dirty job.

Variations on a theme:
- Renaming legitimate files
- Placing a new program earlier in the search path


Malware carriers: macros

- Malicious functionality is implemented in Visual Basic for Applications (VBA).
- If a document template is infected, so will be every document on the system.

Figure (from Ulrich Flegel, Reaktive Sicherheit, Part 4, slide 42/130): Example: the Concept virus infects Microsoft Word files. Virus infection vectors: infection of files, document viruses (3), macro viruses.


Malware carriers: Visual Basic (VB) script

- Similar functionality to macro viruses, implemented in “pure” VB.
- A script is executed by a user by clicking on the email attachment (LoveLetter mass-mailer).
- Why does the user execute a VB script? The attachment name LOVE-LETTER-FOR-YOU.TXT.vbs is shown in Outlook as LOVE-LETTER-FOR-YOU.TXT (without extension!).
- Further functionality is possible via access to ActiveX objects.
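A mail-gateway check for the disguised attachment name described above, added here as an example and not part of the lecture; the extension sets and all sample names except the LoveLetter one are constructed assumptions.

```python
# Added example: flag attachment names whose visible part looks like a document while
# the real (last) extension makes Windows run the file as a script or executable.
# Extension sets and the sample names other than the LoveLetter one are constructed.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd", "scr", "exe", "com", "pif"}
DOC_EXT = {"txt", "doc", "rtf", "pdf", "jpg", "gif", "xls", "zip"}

def displayed_name(filename):
    """Name as a client that hides the known final extension would show it to the user."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename

def deceptive_extension(filename):
    """True when the last extension executes but the extension shown to the user looks harmless."""
    parts = filename.lower().strip().split(".")
    if len(parts) < 3:                         # needs at least name.inner.outer
        return False
    return parts[-1] in SCRIPT_EXT and parts[-2] in DOC_EXT

def scan_attachments(names):
    """Return (displayed name, real name) pairs for every deceptive attachment in a message."""
    return [(displayed_name(n), n) for n in names if deceptive_extension(n)]

# Constructed attachment list for one message; the first name is the one quoted on the slide.
SAMPLE = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "invoice.pdf", "setup.exe", "photo.JPG.scr", "notes.tar.gz"]
```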


Malware carriers: SuperLogo

- A set of “turtle-control” commands is provided in the Logo language (e.g. HIDETURTLE, FORWARD, PENUP, PENDOWN, WAIT).
- Sets of commands can be saved in an LGP file.
- A command PRINTTO “XYZ” can be used to write directly to files (with a complete path to a file).
- Overwrite winstart.bat with any functionality and it will be run!


Malware carriers: JavaScript

Similar functionality to VB scripts:
- Read, write and overwrite files
- Access to ActiveX communication objects: send emails, ...

Automatic invocation during web browsing: infection is possible via opening of malicious web pages.


Malware carriers: other script languages

Potential carriers: shell scripts, PHP, Perl, Python, Emacs, Tcl, VIM

Infection strategies:
- file overwriting
- “exec” functionality


Covering the tracks

- Erasing data
- Manipulation of registry entries
- Changing time stamps
- Changing checksums
- Memory-resident operation
- API hooking
- ...


Malware packers

A run-time executable packer is a program for compressing program code and data.
- Primary goal: reduction of the program size
- Side effect: signature detection is heavily impeded!

Main idea:
- Compress the original executable program and store it in a data segment.
- Put a decompression routine in some program segment.
- The decompression routine unpacks the malicious code into memory and transfers control to it.

Further development: compression can be implemented using cryptographic primitives of varying strength.
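The static checks a defender would run against the EXE/PE infection patterns (entry point switched to an appended body, or to a stub squeezed in between the header and the first section) and against the packer layout just described (a small decompression routine in front of a high-entropy payload), written as an added example that is not the lecture's code. It builds its own minimal PE32 images as sample input; the section names, sizes and the entropy threshold are constructed assumptions.

```python
import math
import struct
# Constructed sample input: a minimal PE32 image builder (not real binaries and not
# the lecture's code) so the checks below run offline. sections = [(name, rva, raw_bytes)].
def build_pe(sections, entry_rva):
    hdr_size = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_off = (hdr_size + 0x1FF) & ~0x1FF            # first section body, 512-byte aligned
    dos = struct.pack("<2s58xI", b"MZ", 0x40)        # e_lfanew at 0x3C: file offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry_rva).ljust(224, b"\0")   # PE32 magic, AddressOfEntryPoint
    table, body, off = b"", b"", raw_off
    for name, rva, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIII", name, len(raw), rva, size, off) + bytes(16)
        body += raw.ljust(size, b"\0")
        off += size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_off, b"\0") + body

def parse_pe(data):
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint (RVA)
    secs = []
    for i in range(nsect):
        name, vsize, rva, rsize, roff = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, roff, rsize))
    return entry, secs                               # secs: (name, rva, vsize, raw_off, raw_size)

def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0

def triage(data, high_entropy=7.0):
    entry, secs = parse_pe(data)
    hits = [s for s in secs if s[1] <= entry < s[1] + max(s[2], s[4])]
    if not hits:                                     # stub placed between header and first section
        return ["entry point outside every section"]
    name, _, _, roff, rsize = hits[0]
    flags = []
    if len(secs) > 1 and hits[0] == secs[-1]:        # appended body with the entry point switched to it
        flags.append(f"entry point in last section {name}")
    e = entropy(data[roff:roff + rsize])
    if e > high_entropy:                             # decompression stub in front of a packed payload
        flags.append(f"entry section {name} entropy {e:.2f}")
    return flags

TEXT = b"\x90" * 200 + b"\xc3"                       # low-entropy stand-in for real code
CLEAN = build_pe([(b".text", 0x1000, TEXT)], 0x1000)
APPENDED = build_pe([(b".text", 0x1000, TEXT), (b".virus", 0x2000, b"\xcc" * 64)], 0x2000)
PACKED = build_pe([(b"UPX0", 0x1000, b""), (b"UPX1", 0x2000, bytes(range(256)) * 2)], 0x2000)
CAVITY = build_pe([(b".text", 0x1000, TEXT)], 0x200)
```

Real packers and infectors vary far more than these four images, so the flags are triage hints for further analysis, not a verdict.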


Advanced evasion techniques

- Oligomorphism: a set of decryptors is carried along; a new decryptor is chosen at random for each new replication.
- Polymorphism: insert junk or semantically equivalent code into a decryptor to increase its variability.
- Metamorphism: instead of decryption, the malware body is mutated during each replication using equivalent program transformations.


Lessons learned

- The key challenge in fighting malware is its rapid evolution due to an underlying monetary interest.
- The main technical cause of malware is poor separation between code and data.
- Malware exemplifies a fundamental tradeoff between security and usability: advanced programming language features facilitate operation of malware.


Recommended reading

John Aycock. Computer Viruses and Malware. Springer, 2006.

Peter Szor. The Art of Computer Virus Research and Defense. Symantec Press, 2005.