Malicious Code: Viruses and Worms

Chao-Hsien Chu
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Modified by Santoro

Learning by Doing (Theory, Practice)

33 pages


Page 1 (title slide): Malicious Code: Viruses and Worms

Chao-Hsien Chu, College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802, chu@ist.psu.edu. Modified by Santoro.

Learning by Doing (Theory, Practice)

Page 2: Malicious Code Taxonomy

• Viruses – replicating malicious code
• Worms – self-replicating malicious code
  – Mailing worms
  – Random scanning worms
• Logic Bombs – programmed malfunctions (similar to easter eggs)
• Trojan Horses – malicious program that masquerades as legitimate
  – Backdoors
  – Password stealers
• Exploit code:
  – Autorooters
  – White hat penetration tools
• Downloaders – loads other malicious code on a machine

Page 3: Malicious Code Taxonomy

• Dialers – generate money for attackers by having users unknowingly dial premium rate numbers
• Code generator kits (e.g. Virus Creation Lab)
• Spammer programs
• Flooders – DDOS tools, BotNets
• Keyloggers
• Rootkits – special tool set installed after an attacker has gained control of a system; modifies logs, installs backdoors, etc.
• Other:
  – Hoax messages
  – Adware
  – Spyware
  – Phishing attacks

Page 4: Malicious Code Example

“Most people I think don’t even know what a rootkit is so why should they care about it?”
– Thomas Hesse, Sony BMG

• In 2005, Sony BMG released music CDs containing extended copy protection (XCP) software.
• This software was functionally a rootkit that installed hidden files with no notification to the user – a special uninstaller was required to remove the software
• Simply playing the music CD in a Windows machine resulted in infection

NPR story: http://www.npr.org/templates/story/story.php?storyId=4989260

Page 5: Virus: Definition

“A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself.”
– Peter Szor, 2005

Key aspects of this definition:
– Recursively: operate on their own output
– Explicitly: the copy is specifically intended, as opposed to resulting from a side-effect of some other action
– Possibly evolved: the virus may alter itself over time (metamorphism)

Page 6: Virus: Environments

For a sequence of symbols to execute successfully, it must match the execution environment

• Many execution environments exist, e.g.:
  – MS Office macro invoking a Java method on a Windows XP machine running on an x86 processor
• Any given virus can only be successful if its code matches all of the various dependencies
  – Homogeneous environments, such as Java and MS Office, provide execution environments across many lower level environments
  – For exploit-based dependencies, it may be difficult for a virus to spread far
• Dependencies:
  – CPU: differences between families, within a family (backward compatibility, extensions such as MMX, prefetch queue, etc.)
  – Operating System: different OSs and different versions of an OS
  – File system: virus may modify file system metadata (e.g. FAT), NTFS stream-based hiding
  – File format: COM, EXE, DLL, ELF, etc.
  – Interpreter: Office macros, shell languages, VBScript, JScript, etc.

Page 7: Virus Infection Techniques (1)

DOS boot process
– BIOS loads the master boot record into memory and jumps to the first address of the bootstrap loader
– The bootstrap loader examines the MBR partition tables (PT) and locates an active, bootable partition
– The bootstrap loader then boots the rest of the operating system

[Figure: MBR Infection. Before infection: MBR → DBR. After infection: Virus → Saved MBR → DBR.]

MBR infection strategies:
• Replace and save bootstrap code – relocate MBR and transfer control
• Replace but do not save bootstrap code – keep PT and perform bootstrap functions (find active partition and transfer control)
• Infect MBR by altering the PT to load a different boot sector where the virus is stored

Exebug virus: modified the BIOS to make it appear that no floppy drive was present; PC always boots to infected MBR – virus checks for presence of floppy disk and transfers control if one is present
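The three MBR infection strategies above change either the 446 bytes of bootstrap code or the partition table that follows it. The check below, an added example that is not part of the slides, parses a 512-byte MBR the way the bootstrap loader does (locate the single active entry) and compares both regions against a baseline recorded from the known-clean disk. The sample sectors, the bootstrap byte strings and the baseline values are constructed for the example; a real MBR would be read from the first sector of the disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # the four partition entries start at byte 446
PT_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
ACTIVE_FLAG = 0x80


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        start = PT_OFFSET + i * PT_ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
        # LBA of the first sector, number of sectors
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[start:start + PT_ENTRY_SIZE])
        entries.append({"index": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def find_active_partition(entries: list):
    """Mimic the bootstrap loader: exactly one entry must carry the active flag."""
    active = [e for e in entries if e["active"]]
    return active[0] if len(active) == 1 else None


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare an MBR against a baseline recorded from the known-clean disk.

    baseline = {"bootstrap_sha256": ..., "active_lba_start": ...}
    Returns a list of human-readable findings (empty when nothing changed).
    """
    findings = []
    bootstrap = sector[:PT_OFFSET]
    if hashlib.sha256(bootstrap).hexdigest() != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    active = find_active_partition(parse_partition_table(sector))
    if active is None:
        findings.append("no single active partition")
    elif active["lba_start"] != baseline["active_lba_start"]:
        findings.append("active partition start moved from %d to %d"
                        % (baseline["active_lba_start"], active["lba_start"]))
    return findings


def build_mbr(bootstrap: bytes, entries: list) -> bytes:
    """Assemble a synthetic MBR (constructed for this example, not a real disk image)."""
    sector = bootstrap[:PT_OFFSET].ljust(PT_OFFSET, b"\x00")
    for status, ptype, lba_start, count in entries:
        sector += struct.pack("<B3xB3xII", status, ptype, lba_start, count)
    return sector.ljust(510, b"\x00") + BOOT_SIGNATURE


# Constructed stand-in for bootstrap code; a real loader is ~440 bytes of x86.
CLEAN_BOOTSTRAP = b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * 40
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(ACTIVE_FLAG, 0x07, 2048, 1_000_000)])
BASELINE = {"bootstrap_sha256": hashlib.sha256(CLEAN_MBR[:PT_OFFSET]).hexdigest(),
            "active_lba_start": 2048}

# Strategies 1 and 2 on the slide: bootstrap code replaced, partition table kept.
REPLACED_BOOTSTRAP_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 50,
                                   [(ACTIVE_FLAG, 0x07, 2048, 1_000_000)])
# Strategy 3: bootstrap code untouched, table altered so the active entry points elsewhere.
ALTERED_PT_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x00, 0x07, 2048, 1_000_000),
                                             (ACTIVE_FLAG, 0x07, 63, 1)])

if __name__ == "__main__":
    for name, mbr in [("clean", CLEAN_MBR), ("replaced bootstrap", REPLACED_BOOTSTRAP_MBR),
                      ("altered PT", ALTERED_PT_MBR)]:
        print(name, check_mbr(mbr, BASELINE) or ["ok"])
```

The baseline must be taken while the system is known clean and stored off the disk being checked; a resident boot virus that hooks disk reads (read stealth, page 13) can return the original sector to a scanner running on the infected machine, so the comparison is most trustworthy when the sector is read from a different boot environment.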

Page 8: Boot Sector Virus Relocating Code

[Figure: (a) Before infection: the boot sector holds the Bootstrap Loader and System Initialization and chains to other sectors. (b) After infection: Virus Code is added to the boot sector and the original code is chained through other sectors. Labels: Bootstrap Loader, System Initialization, Virus Code, Boot Sector, Other Sectors, Chain.]

Page 9: Virus Infection Techniques (2)

File Infection

• Overwriting viruses

– Simply overwrite a file on disk with virus code starting at first file byte

– Do not change file size

– Cannot be disinfected

• Random overwriting viruses

– Seek to random location before overwriting file contents – entry point obscuring

– A challenge for scanners that look in expected locations for virus code

– Execution cannot be guaranteed

• Appending viruses

– Virus body is appended to the end of the host file

– A jump instruction is inserted in the front of the host to point to the virus

– Over-written host bytes at the beginning are stored in the virus body

– Once executed, the virus can “clean” the program by replacing the over-written bytes and transferring execution to the program

• Prepending viruses

– Virus code is inserted before the first host instruction, guaranteeing that all virus instructions are executed before any host instructions.

Page 10: How Viruses Attach

[Figure: Original Program + Virus Code = (a) Virus Code appended to a program; (b) Virus Code surrounding a program; Modified Program: virus code integrated in a program.]

Page 11: Virus In-Memory Strategies (1)

Direct Action
– Do not actively manifest themselves in memory
– Load with host program into memory
– Once running, they start looking for new objects to infect
– Simple to create

Memory-Resident
– Remain in memory after virus initialization
– More efficient than direct action
– Typical pattern:
  • Virus gains control of system and allocates memory
  • Virus relocates itself to an allocated memory block
  • Virus hooks execution of code flow to itself
  • Virus infects new objects

Page 12: Virus In-Memory Strategies (2)

Interrupt handling and hooking
• DOS example, INT 13h disk operations
  – Virus hooks the INT by setting a new interrupt handler address in the IVT after establishing itself in memory
  – When the virus runs, it examines the appropriate registers to see what kind of disk action is being performed
  – Under certain actions, the virus can covertly propagate itself (e.g. if the disk action is a write to a floppy disk, the virus can infect the floppy boot sector)

[Figure: IVT (Interrupt vector table): INT 00h <Addr00>, INT 01h <Addr01>, …, INT 13h <Addr13>, …. Uninfected case: program → BIOS. Infected case: the INT 13h entry holds <AddrXX> and the call path is program → Virus → BIOS.]
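The figure's two cases differ only in the 4-byte INT 13h entry of the IVT, which is why resident-virus checks of the era compared the table against a known state. The code below is an added example, not from the slides: it decodes real-mode IVT entries (offset word, then segment word, 4 bytes per vector at address 4*n), tests whether a vector still points into the ROM BIOS region, and diffs a current table against a trusted snapshot. The two IVT dumps are constructed; the ROM address range is the classic PC layout and the resident address 9FC0:0100 is an assumption chosen for the example.

```python
import struct

IVT_ENTRIES = 256
ROM_BIOS_START = 0xF0000   # system ROM BIOS occupies the top 64 KB of the real-mode space
ROM_BIOS_END = 0xFFFFF


def decode_vector(ivt: bytes, int_no: int):
    """Return (segment, offset) of the handler for interrupt int_no.

    Each IVT entry is 4 bytes at address 4*n: a little-endian offset word
    followed by a little-endian segment word.
    """
    offset, segment = struct.unpack_from("<HH", ivt, int_no * 4)
    return segment, offset


def linear_address(segment: int, offset: int) -> int:
    """Real-mode segment:offset to a 20-bit physical address."""
    return ((segment << 4) + offset) & 0xFFFFF


def vector_points_to_rom(ivt: bytes, int_no: int) -> bool:
    """Does the vector still point into the ROM BIOS?  Only meaningful for vectors
    the ROM owns by default, such as INT 13h with no disk driver loaded."""
    segment, offset = decode_vector(ivt, int_no)
    return ROM_BIOS_START <= linear_address(segment, offset) <= ROM_BIOS_END


def changed_vectors(baseline: bytes, current: bytes) -> list:
    """Interrupt numbers whose handler address differs from a trusted snapshot."""
    return [n for n in range(IVT_ENTRIES)
            if decode_vector(baseline, n) != decode_vector(current, n)]


def build_ivt(overrides: dict) -> bytes:
    """Construct a 1 KB IVT where every vector points into ROM unless overridden.
    Constructed for this example, not a dump from a real machine."""
    table = bytearray()
    for n in range(IVT_ENTRIES):
        segment, offset = overrides.get(n, (0xF000, 0x1000 + n * 16))
        table += struct.pack("<HH", offset, segment)
    return bytes(table)


CLEAN_IVT = build_ivt({})
# Infected case from the figure: INT 13h redirected to a resident block near the top of
# conventional memory (assumed 9FC0:0100), from which the virus chains to the BIOS handler.
INFECTED_IVT = build_ivt({0x13: (0x9FC0, 0x0100)})

if __name__ == "__main__":
    for n in changed_vectors(CLEAN_IVT, INFECTED_IVT):
        seg, off = decode_vector(INFECTED_IVT, n)
        print("INT %02Xh now at %04X:%04X, in ROM: %s"
              % (n, seg, off, vector_points_to_rom(INFECTED_IVT, n)))
```

"Points outside ROM" is not evidence on its own: DOS, device drivers and legitimate TSRs hook vectors such as INT 21h as a matter of course, which is why the snapshot diff (`changed_vectors`) against a table captured in a known state is the more useful signal.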

Page 13: Virus In-Memory Strategies (3)

Stealth advantages of hooking
• INT 13h
  – Boot virus: can return the original version of an infected sector during a disk read (read stealth)
  – Appending virus: can save overwritten beginning-of-file bytes in last cluster slack space (leaving file size unmodified) and use hooked code to return saved bytes if they are ever accessed.

Page 14: Advanced Virus Techniques

• Encryption
  – Constant decryptor followed by virus body
  – Often simple XOR based encryption is used
  – Decryption key can be stored in the decryptor, host or nowhere
• Oligomorphism
  – Detection of an encrypted virus is simple if the decryptor is long and unique enough
  – Oligomorphic viruses change the decryptor in new generations
  – Can be accomplished using a set of decryptors – for a large set, detection based on the decryptor is impractical; the scanner must dynamically decrypt and detect based on decrypted body code
• Polymorphism
  – Mutates the decryptor into potentially millions of forms (e.g. via reordering, junk instruction insertion)
• Metamorphism
  – “body-polymorphism” – change the entire virus, rather than just the decryptor
  – Source code based: example: modify virus source and recompile
  – Binary-based: example (simple): use different registers in the same code
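The following is an added scanner model, not code from the slides, that makes the encryption and oligomorphism points concrete. A "sample" is a short decryptor stub holding a one-byte XOR key, followed by the XOR-encrypted body. Three detection strategies are compared: a static body signature (fails on any encrypted sample), a signature on the decryptor (works only for stubs in the scanner's set, which is what oligomorphism defeats), and decrypting the body before matching. The last function generalises the "decrypt then detect" idea: because the key is a single byte, all 256 candidates can be tried without recognising the stub at all. The stub byte strings, the body and its signature are constructed stand-ins; the functions that build samples exist only to produce test fixtures.

```python
# Toy decryptor stubs: prefix, then a one-byte key, then the loop body.  The byte values
# are constructed stand-ins for this example and are not meant to assemble into anything.
STUB_VARIANTS = [
    (b"\xB0", b"\xBE\x00\x01\x30\x04\x46\xE2\xFA"),   # variant A
    (b"\xB3", b"\xBF\x00\x01\x30\x1D\x47\xE2\xFA"),   # variant B
]
UNKNOWN_STUB = (b"\xB1", b"\xBA\x00\x01\x30\x0A\x42\xE2\xFA")  # a variant the scanner has not seen

BODY_SIGNATURE = b"VIRUS-BODY-MARKER"   # constructed stand-in for a body signature
VIRUS_BODY = b"constructed plaintext body: " + BODY_SIGNATURE + b" :end of body"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(stub, key: int, body: bytes = VIRUS_BODY) -> bytes:
    """Test fixture: decryptor stub (carrying the key) followed by the XOR-encrypted body."""
    prefix, suffix = stub
    return prefix + bytes([key]) + suffix + xor_bytes(body, key)


def scan_raw_signature(sample: bytes) -> bool:
    """Static body signature on the raw bytes: fails whenever the body is encrypted."""
    return BODY_SIGNATURE in sample


def scan_by_decryptor(sample: bytes, stubs=STUB_VARIANTS):
    """Signature on the decryptor (skipping the key byte).  Returns the variant index or None."""
    for idx, (prefix, suffix) in enumerate(stubs):
        if sample.startswith(prefix) and sample[len(prefix) + 1:].startswith(suffix):
            return idx
    return None


def scan_by_decryption(sample: bytes, stubs=STUB_VARIANTS) -> bool:
    """Recognise the stub, pull the key out of it, decrypt the body, then match the body."""
    idx = scan_by_decryptor(sample, stubs)
    if idx is None:
        return False
    prefix, suffix = stubs[idx]
    key = sample[len(prefix)]
    body = xor_bytes(sample[len(prefix) + 1 + len(suffix):], key)
    return BODY_SIGNATURE in body


def scan_by_key_search(sample: bytes):
    """Generalisation for one-byte XOR: try every key over the whole sample and match the
    body signature, so no knowledge of the decryptor is needed.  Returns the key or None."""
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(sample, key):
            return key
    return None


if __name__ == "__main__":
    for label, sample in [("known stub A", make_sample(STUB_VARIANTS[0], 0x5A)),
                          ("known stub B", make_sample(STUB_VARIANTS[1], 0x2C)),
                          ("unknown stub", make_sample(UNKNOWN_STUB, 0x77))]:
        print(label, "raw:", scan_raw_signature(sample),
              "decryptor:", scan_by_decryptor(sample),
              "decrypt-then-match:", scan_by_decryption(sample),
              "key search:", scan_by_key_search(sample))
```

The exhaustive key search is cheap here only because the key space is 256 values and the cipher is a fixed XOR; once the decryptor is polymorphic and the cipher varies per generation, a scanner has to emulate the decryptor to recover the body, which is the costlier dynamic approach the slide refers to.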

Page 15: Virus Example – “Love Letter” (1)

Behavioral Description (from F-Secure):
• Found in the wild May 4, 2000
• Copies itself to the Windows system directory as
  – MSKernel32.vbs
  – LOVE-LETTER-FOR-YOU.TXT.vbs
  and to the Windows directory as:
  – Win32DLL.vbs
• Adds keys to the registry, so that it will be executed when the system is restarted:
  – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
  – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
• Replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe"
• Creates an HTML file called "LOVE-LETTER-FOR-YOU.HTM" in the Windows System directory. This file contains the worm and it will be sent using mIRC whenever another person joins an IRC channel where the infected user currently is. To accomplish this the worm replaces the "script.ini" file from the mIRC installation directory.
• Mass mails itself to everyone in each Outlook address book. Registry is marked to prevent repeat mailings
  Subject: ILOVEYOU
  Body: kindly check the attached LOVELETTER coming from me.
  Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
• Overwrites various files with itself

Source: http://www.f-secure.com/v-descs/love.shtml

Page 16: Virus Example – “Love Letter” (2)

Behavioral Description (from F-Secure), continued

Downloaded executable is a password stealing trojan:
• On startup, looks for a hidden window named ‘BAROK…’
• If the hidden window is present, the trojan exits, otherwise execution continues…
• Checks for the WinFAT32 subkey in the following Registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location.
• Sets the IE startup page to 'about:blank'.
• Deletes the following keys:
  Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
  .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
• Registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application.
• Immediately after startup and when timer counters reach certain values, the trojan sends stolen RAS passwords and all cached Windows passwords to the e-mail address '[email protected]'

Source: http://www.f-secure.com/v-descs/love.shtml
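The persistence mechanism in the two F-Secure descriptions above (Run and RunServices values pointing at .vbs files, and the trojan's own WinFAT32 entry) is the kind of host artefact an incident responder checks first. The code below is an added example, not from the slides or from F-Secure: it parses the text produced by a registry export (REG_SZ values only) and flags autorun values that launch script-engine files or carry one of the value names quoted on these two pages. The export text is constructed for the example; the benign AudioTray entry and the HKEY_CURRENT_USER Updater entry are assumptions, not indicators from the description.

```python
import re

# Autorun locations named on the slides plus the per-user Run key (lower-cased for matching).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# Value names taken from the F-Secure description quoted on the slides.
LOVE_LETTER_NAMES = {"mskernel32", "win32dll", "winfat32"}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export.
    hex:/dword: values are skipped; Run keys hold strings, which is all we need."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STRING_VALUE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_suspicious_autoruns(text: str) -> list:
    """Autorun values that run script-engine files or match the quoted value names."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        reasons = []
        # The command line may be 'wscript.exe //B "path.vbs"', so inspect every token.
        tokens = [t.strip('"').lower() for t in data.split()]
        if any(t.endswith(SCRIPT_EXTENSIONS) for t in tokens):
            reasons.append("script-engine payload")
        if name.lower() in LOVE_LETTER_NAMES:
            reasons.append("name matches Love Letter indicator")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed export text; paths follow the description on the slides.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioTray"="C:\\Program Files\\Vendor\\tray.exe"
"MSKernel32"="C:\\WINDOWS\\SYSTEM\\MSKernel32.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32DLL"="C:\\WINDOWS\\Win32DLL.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="wscript.exe //B \"C:\\Users\\demo\\update.js\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\notes.vbs]
"Path"="C:\\Tools\\notes.vbs"
"""

if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_EXPORT):
        print(f["name"], "->", f["data"], "|", ", ".join(f["reasons"]))
```

An export written by `reg export` is UTF-16 with a byte-order mark, so decode it before handing the text to the parser. Note also that the trojan's deletion of the HideSharePwds and DisablePwdCaching policy values cannot be seen in an export at all; a check for that step has to assert that the expected hardening values are still present rather than look for something added.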

Page 17: VBS Example – “Love Letter” Virus (1)

Language Reference: MSDN Library > Web Development > Scripting > Microsoft Windows Script Technologies > Script Runtime > FileSystemObject > Scripting Run-Time Reference

Page 18: VBS Example – “Love Letter” Virus (2)

Page 19: VBS Example – “Love Letter” Virus (3)

Page 20: Worm: Definition

“A worm is a program that can run by itself and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and saps its resources to maintain itself.”
– Spafford, 1988

Page 21: Worm Taxonomy

• Target discovery
  – Active scanning, hitlist, passive monitoring
• Propagation method
  – Self-propagation, embedded, secondary channel
• Activation
  – Self-activation, scheduled, human-mediated
• Payload
  – No payload; payloads which open back doors on victim machines; and payloads for denial of service, spam relays, reconnaissance, and damage to victim machines.

Weaver, N., V. Paxson, et al. (2003). 'A Taxonomy of Computer Worms'. Workshop on Rapid Malcode (WORM'03)

Page 22: The Worm Threat

• In November, 1988 the Morris Worm infected an unknown proportion of Unix systems on the Internet with repair costs estimated at $100,000,000 (National Institute of Justice, 2001). Targets: sendmail, finger, rsh
• On July 19th, 2001 more than 359,000 computers were infected with the Code Red worm in less than 14 hours. Target: MS IIS web server
• On January 25th, 2003, the SQL Slammer worm infected 90% of vulnerable hosts within 10 minutes, causing network outages and disruptions to airline flights and ATM machines. Target: MS SQL Server 2000

Page 23: Code Red I Timeline

• June 18, 2001: eEye Security issued an advisory regarding a buffer overflow vulnerability in the MS IIS web server
• June 26: Microsoft releases a patch for the vulnerability
• July 12: Code Red I is released
  – Memory-resident, random scanning
  – Time-dependent behavior:
    • Before 20th day of the month: infection
    • 20th – 28th day of the month: DoS attack against www1.whitehouse.gov
    • After 28th day of the month: dormant
  – Slow spread due to static random seed
• July 19: random variant worm, Code Red I ver 2 is released
  – 359,000 machines infected in less than 14 hours

Page 24: CRv2 Growth Curve

[Figure: growth curve of Code Red v2 infections over time]

Source: D. Moore, C. Shannon, and J. Brown, "Code-Red: a Case Study on the Spread and Victims of an Internet Worm," in Internet Measurement Workshop, 2002.
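The timeline's "slow spread due to static random seed" and the CRv2 growth curve are two ends of the same mechanism, and a small epidemic simulation shows why. The code below is an added example, not from the slides or from Moore et al.: each infected instance probes random addresses in a synthetic address space, and the only difference between the two runs is whether every instance seeds its generator with the same constant (so each new instance replays the addresses the first one already tried) or with its own seed. The address-space size, vulnerable population and probe rate are assumptions chosen to make the curves visible in a few dozen ticks; they are not Code Red's real parameters.

```python
import random


def simulate_spread(space: int, vulnerable: int, scans_per_tick: int, ticks: int,
                    static_seed=None, setup_seed: int = 7) -> list:
    """Count infected hosts after each tick of a uniform random-scanning worm.

    space           size of the synthetic address space (addresses 0..space-1)
    vulnerable      how many of those addresses run the vulnerable service
    scans_per_tick  probes each infected instance sends per tick
    static_seed     if not None, every new instance seeds its generator with this
                    value (the Code Red I v1 behaviour); otherwise each instance
                    gets its own seed
    Returns a list of length ticks+1 with the infected count at each tick.
    """
    setup = random.Random(setup_seed)
    vulnerable_hosts = set(setup.sample(range(space), vulnerable))
    patient_zero = min(vulnerable_hosts)

    def new_generator():
        seed = static_seed if static_seed is not None else setup.getrandbits(32)
        return random.Random(seed)

    infected = {patient_zero}
    generators = {patient_zero: new_generator()}
    curve = [len(infected)]
    for _ in range(ticks):
        newly = set()
        for host in list(infected):
            rng = generators[host]
            for _ in range(scans_per_tick):
                target = rng.randrange(space)
                if target in vulnerable_hosts and target not in infected:
                    newly.add(target)
        # New instances start scanning from the next tick with a fresh generator.
        for host in newly:
            infected.add(host)
            generators[host] = new_generator()
        curve.append(len(infected))
    return curve


def ticks_to_fraction(curve: list, vulnerable: int, fraction: float):
    """First tick at which at least `fraction` of the vulnerable population is infected."""
    for t, n in enumerate(curve):
        if n >= fraction * vulnerable:
            return t
    return None


if __name__ == "__main__":
    args = dict(space=2000, vulnerable=200, scans_per_tick=5, ticks=40)
    independent = simulate_spread(**args)
    shared = simulate_spread(static_seed=12345, **args)
    print("tick  independent  static-seed")
    for t in range(0, 41, 5):
        print("%4d  %11d  %11d" % (t, independent[t], shared[t]))
    print("independent run reaches 90% of vulnerable hosts at tick",
          ticks_to_fraction(independent, 200, 0.9))
```

With independent seeds the count follows the familiar S-curve: roughly exponential while most vulnerable hosts are still uninfected, then flattening as probes increasingly land on hosts that are already infected. With the shared seed, every later instance walks the same address sequence as patient zero, so the population grows only as fast as a single scanner would.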

Page 25: Worm Target Discovery

[Figure: target discovery taxonomy]
Without a priori target knowledge:
– Random Scan: Uniform, Local preference
– Sequential
With a priori target knowledge:
– Hitlist Scan (limiting case is Flash Scan)
– Topological Scan
Optimizations: Routable Scan, Permutation Scan

Page 26: Bot and BotNet

• Bot is a zombie computer
• Bot software downloaded and installed, often as rootkit
• Bots connect through TCP/IP to controller (mother ship)
• Bots can be reprogrammed from controller
• Botnets used to launch spam, DDOS

Page 27: Bot and BotNet

• Case study: Storm Botnet
• By Sep 2007 running on between 1 and 50 million computers worldwide (at one point 8% of all Windows malware)
• Vector was XSS – used phishing to get users to activate Web link
• Used in a variety of criminal activities, including DDOS and spam
• Has displayed defensive behaviors
• Developers not caught yet – believed to have originated in Russia
• Believed that code has been sold to other hacker groups

Page 28: Network Telescopes

A commonly used monitor for worm activity is the network telescope

Network telescopes monitor large segments of dark, or unused, address space containing few, if any, production hosts

No or very little legitimate traffic is expected to be observed targeting telescope address space
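Because nothing legitimate should address the dark block, the analysis on telescope data is mostly counting: which sources touch how many distinct dark addresses, and on which service. The code below is an added example, not from the slides: it reads flow records, keeps those destined for the telescope prefix, and ranks sources by the number of distinct dark addresses they probed. The flow lines are constructed; the documentation prefix 203.0.113.0/24 stands in for a real dark block and the probed ports are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed: a documentation prefix standing in for the dark /24 the telescope announces.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2001-07-19T13:00:01Z 192.0.2.10 203.0.113.5 80 tcp
2001-07-19T13:00:01Z 192.0.2.10 203.0.113.77 80 tcp
2001-07-19T13:00:02Z 192.0.2.10 203.0.113.130 80 tcp
2001-07-19T13:00:02Z 192.0.2.10 203.0.113.200 80 tcp
2001-07-19T13:00:03Z 192.0.2.10 203.0.113.9 80 tcp
2001-07-19T13:00:03Z 192.0.2.20 203.0.113.40 80 tcp
2001-07-19T13:00:04Z 198.51.100.7 203.0.113.12 1434 udp
2001-07-19T13:00:04Z 198.51.100.7 203.0.113.13 1434 udp
2001-07-19T13:00:05Z 198.51.100.7 203.0.113.14 1434 udp
2001-07-19T13:00:05Z 198.51.100.7 203.0.113.15 1434 udp
2001-07-19T13:00:06Z 192.0.2.10 198.51.100.50 80 tcp
"""


def parse_flows(text: str):
    """Yield one dict per whitespace-separated flow record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
               "dport": int(dport), "proto": proto}


def telescope_hits(flows) -> list:
    """Only traffic addressed to the dark block is of interest."""
    return [f for f in flows if f["dst"] in TELESCOPE]


def rank_scanners(flows, min_targets: int = 3) -> list:
    """Sources that touched at least min_targets distinct telescope addresses, most
    prolific first, together with the service they probed most often."""
    targets = defaultdict(set)
    services = defaultdict(lambda: defaultdict(int))
    for f in telescope_hits(flows):
        targets[f["src"]].add(f["dst"])
        services[f["src"]][(f["dport"], f["proto"])] += 1
    ranked = []
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            port, proto = max(services[src], key=services[src].get)
            ranked.append({"src": str(src), "targets": len(dsts),
                           "service": "%d/%s" % (port, proto)})
    ranked.sort(key=lambda r: (-r["targets"], r["src"]))
    return ranked


if __name__ == "__main__":
    for r in rank_scanners(parse_flows(SAMPLE_FLOWS)):
        print("%-14s probed %d dark addresses, mostly %s" % (r["src"], r["targets"], r["service"]))
```

The `min_targets` threshold matters: a source that hits a single dark address (192.0.2.20 above) may be a misconfiguration or backscatter, the unsolicited replies that land in a telescope when a victim answers packets sent with spoofed source addresses. A worm's random scanner, by contrast, touches many distinct dark addresses on the same port, which is the pattern the ranking isolates; on a large telescope the same per-source counts are what produce the growth curve on the previous slide.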

Page 29: Case Study: Stuxnet

• Computer worm first analyzed in July, 2010
• First known case of a ‘targeted’ worm that attacks industrial control systems
• Spreads indiscriminately, contains payload that targets Siemens control systems
• Believed to have been targeted against Iran nuclear fuel enrichment program
• Analysts believe it was created by a nation-state, possibly US/Israel

Page 30: Case Study: Stuxnet

• First appeared June 2009 – improved variants in March and April 2010
• Primarily found in 8 countries, but over 60% of infections in Iran
• Makes itself inert if it does not detect Siemens control software
• 3-layered attack:
  • Windows zero-day vulnerabilities
  • Step 7 industrial application
  • Siemens PLC

Page 31: Case Study: Stuxnet

• Two vectors:
  • USB storage
  • P2P RPC
• Contains a ‘man-in-the-middle’ attack to fake industrial process control sensor signals
  • so damage is not detected until too late
• Believed to have specifically targeted fuel enrichment centrifuges

Page 32: Case Study: Stuxnet

• Contains both user-mode and kernel-mode rootkits
• Valid digital certificates stolen from VeriSign used to avoid driver detection
• Web sites in Denmark and Malaysia served as command-and-control centers
• Utilized 4 zero-day Windows vulnerabilities
• Infects project files for Siemens WinCC/PCS 7 SCADA controllers
• Subverts key communications DLL to avoid detection

Page 33: Case Study: Stuxnet

• Stuxnet is VERY sophisticated
• Indicates multi-level, evolving attack strategy
• Believed to have been developed as a targeted cyber-warfare weapon
• Has raised awareness among cyber-security commands
• Similar attacks could target power grids, communications, oil refineries, shipyards, etc.
• (see movie ‘Eagle Eye’ for hypothetical potential)