Malware

MalwareCS155 Spring 2009Elie BurszteinWelcome to the zooWhat malware areHow do they infect hostsHow do they hideHow do they propagateZoo visit !How to detect themWorms

What is a malware ?A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

What it is good for ?Steal personal informationDelete filesClick fraudSteal software serial numbersUse your computer as relayThe Malware ZooVirusBackdoorTrojan horseRootkitScarewareAdwareWorm

What is a Virus ?a program that can infect other programs by modifying them to include a, possibly evolved, version of itself

Fred Cohen 1983

Some Virus TypePolymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)Methamorpic : Change after each infection

What is a trojanA trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer

WikipediaWhat is rootkit A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine

SymantecWhat is a wormA computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.

Almost 30 years of MalwareFrom Malware fighting malicious code

History1981 First reported virus : Elk Cloner (Apple 2)1983 Virus get defined1986 First PC virus MS DOS1988 First worm : Morris worm1990 First polymorphic virus 1998 First Java virus1998 Back orifice 1999 Melissa virus1999 Zombie concept1999 Knark rootkit2000 love bug2001 Code Red Worm2001 Kernel Intrusion System2001 Nimda worm2003 SQL Slammer wormMelissa spread by email and share

Knark rootkit made by creed demonstrate the first ideas

love bug vb script that abused a weakness in outlook

Kernl intrusion by optyx gui and efficent hidding mechanimsNumber of malware signatures

Symantec report 2009Malware Repartition

Panda Q1 report 2009Infection methodsOutlineWhat malware areHow do they infect hostsHow do they propagateZoo visit !How to detect themWorms

What to InfectExecutableInterpreted fileKernelServiceMBR Hypervisor

Overwriting malwareTargetedExecutableMalwareMalwareprepending malwareTargetedExecutableMalwareInfected hostExecutableMalwareappending malwareTargetedExecutable MalwareInfectedhostExecutableMalwareCavity malwareTargetedExecutableInfected hostExecutableMalwareMalwareMulti-Cavity malwareTargetedExecutableMalwareMalwareMalwareMalwarePackersMalwareInfected hostExecutablePackerPayloadPacker functionalitiesCompress EncryptRandomize (polymorphism)Anti-debug technique (int / fake jmp)Add-junkAnti-VMVirtualizationAuto startFolder auto-start : C:\Documents and Settings\[user_name]\Start Menu\Programs\StartupWin.ini : run=[backdoor]" or "load=[backdoor]".System.ini : shell=myexplorer.exeWininitConfig.sysmore like autoexec.batetcAuto start cont.Assign know extension (.doc) to the malwareAdd a Registry key such as HKCU\SOFTWARE\Microsoft\Windows \CurrentVersion\RunAdd a task in the task schedulerRun as serviceUnix autostartInit.d/etc/rc.local.login .xsession crontab crontab -e/etc/crontabMacro virusUse the builtin script engineExample of call back used (word)AutoExec()AutoClose()AutoOpen()AutoNew()Document based malwareMS OfficeOpen OfficeAcrobat

Userland root kitPerformlogin sshdpasswd

Hide activitypsnetstatlsfindduSubverting the KernelKernel taskProcess management File access Memory management Network management What to hide

ProcessFiles Network traffic

Kernel rootkitPSKERNELHardware : HD, keyboard, mouse, NIC, GPUP1P2P3P3rootkitSubverting techniquesKernel patchLoadable Kernel Module Kernel memory patching (/dev/kmem)Windows KernelP1P2PnCsrss.exeWin32 subsystem DLLsUser32.dll, Gdi32.dll and Kernel32.dll

Other Subsytems(OS/2 Posix)Ntdll.dllntoskrnl.exeHardware Abstraction Layer (HAL.dll)HardwareUnderlying kernelExecutiveCrss.exe Client/server run time sub system -> used to run a keep state of process => can be query in userlandNtdll -> convert api call to kernel callNTll do call gate jumpsExecutive dispatch syscall to the underlying kernelSSDT system service dispatch table HAL.dll hardware abstraction

Transition using the int0x2E interruptKernel Device driverP2Win32 subsystem DLLs

Ntdll.dllntoskrnl.exeInterrupt HookSystem service dispatcherSystem service dispatch tableDriver Overwriting functionsDriver Replacing FunctionsNew pointerACBA OverwriteB Redirect by patching the service dispatch tableC Redirect the interrupt

MBR/BootkitBootkits can be used to avoid all protections of an OS, because OS consider that the system was in trusted stated at the moment the OS boot loader took control.BIOSMBRVBSNTBootSectorBOOTMGR.EXEWINLOAD.EXEWindows 7 kernel HAL.DLLVBS : volume boot sectorMBR: master boot record

white unknowngreen - 16 bitsred 32 bitsblue 64 bits

VbootWork on every Windows (vista,7)3koBypass checks by letting them run and then do inflight patchingCommunicate via pingHypervisor rootkitTarget OS HardwareAppAppBlue pill (Joanna)SubVirt (Microsoft)Hypervisor rootkitTarget OS HardwareAppAppVirtual machine monitor Host OS Rogue appBlue pill (Joanna)injection method using raw disk access from user modepatched need a signed driverPropagationVectorOutlineWhat malware areHow do they infect hostsHow do they propagateZoo visit !How to detect themWorms

Shared folder

Email propagation

from pandalab blogValentine day ...Waledac malicious domain from pandalab blog

Email again

Symantec 2009Fake codec

Fake antivirus

from pandalab blogHijack you browser

from pandalab blogFake page !

from pandalab blogP2P FilesPopular query35.5% are malwares (Kalafut 2006)

BackdoorBasicInfectedHostAttackerTCP

ReverseInfectedHostAttackerTCP

covertInfectedHostAttackerICMP

Rendez vous backdoorInfectedHostAttackerRDVPointBestiaryOutlineWhat malware areHow do they infect hostsHow do they propagateZoo visit !How to detect themWorms

Adware

BackOrificeDefcon 1998new version in 2000

Sir DysticCult of the dead cow demonstrate the vuln of 98Netbus1998Used for prank

used to plant child pornography on the work computer of Magnus Eriksson

law scholar at Lund University. The 3,500 images

n lost his research position

Fled the country

acquitted in 2004

Symantec pcAnywhere

Browser Toolbar ...

Toolbar again

RansomwareTrj/SMSlock.ARussian ransomwareApril 2009

To unlock you need to send an SMS with the text4121800286to the number3649Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage from pandalab blogDetectionOutlineWhat malware areHow do they infect hostsHow do they propagateZoo visit !How to detect themWorms

Anti-virusAnalyze system behaviorAnalyze binary to decide if it a virusType :ScannerReal time monitor

Impossibility resultIt is not possible to build a perfect virus/malware detector (Cohen)Impossibility resultDiagonal argument P is a perfect detection programV is a virusV can call P if P(V) = true -> haltif P(V) = false -> spreadVirus signatureFind a string that can identify the virusFingerprint likeHeuristicsAnalyze program behaviorNetwork accessFile openAttempt to delete fileAttempt to modify the boot sectorSpeak of sending mail

ChecksumCompute a checksum forGood binaryConfiguration fileDetect change by comparing checksumAt some point there will more malware than goodware ...Sandbox analysisRunning the executable in a VMObserve itFile activityNetworkMemoryDealing with Packer Launch the exeWait until it is unpackDump the memoryWormsOutlineWhat malware areHow do they infect hostsHow do they propagateZoo visit !How to detect themWorms

79WormA worm is self-replicating software designed to spread through the networkTypically, exploit security flaws in widely used servicesCan cause enormous damage Launch DDOS attacks, install bot networks Access sensitive informationCause confusion by corrupting the sensitive information

Worm vs Virus vs Trojan horseA virus is code embedded in a file or programViruses and Trojan horses rely on human intervention Worms are self-contained and may spread autonomously80Cost of worm attacksMorris worm, 1988Infected approximately 6,000 machines10% of computers connected to the Internet cost ~ $10 million in downtime and cleanupCode Red worm, July 16 2001Direct descendant of Morris wormInfected more than 500,000 serversProgrammed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages,Love Bug worm: $8.75 billion

Statistics: Computer Economics Inc., Carlsbad, California81Internet Worm (First major attack)Released November 1988Program spread through Digital, Sun workstations Exploited Unix security vulnerabilitiesVAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX codeConsequencesNo immediate damage from program itself Replication and threat of damage Load on network, systems used in attackMany systems shut down to prevent further attack82Some historical worms of noteWormDateDistinctionMorris11/88Used multiple vulnerabilities, propagate to nearby sysADM5/98Random scanning of IP address spaceRamen1/01Exploited three vulnerabilitiesLion3/01Stealthy, rootkit wormCheese6/01Vigilante worm that secured vulnerable systemsCode Red7/01First sig Windows worm; Completely memory residentWalk8/01Recompiled source code locallyNimda9/01Windows worm: client-to-server, c-to-c, s-to-s, Scalper6/0211 days after announcement of vulnerability; peer-to-peer network of compromised systemsSlammer1/03Used a single UDP packet for explosive growthKienzle and Elder83Increasing propagation speedCode Red, July 2001Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0.Windows 2000 that run IIS 4.0 and 5.0 Web serversExploits known buffer overflow in Idq.dllVulnerable population (360,000 servers) infected in 14 hoursSQL Slammer, January 2003Affects in Microsoft SQL 2000Exploits known buffer overflow vulnerabilityServer Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39Vulnerable population infected in less than 10 minutes84Code RedInitial version released July 13, 2001Sends its code as an HTTP requestHTTP request exploits buffer overflow Malicious code is not stored in a filePlaced in memory and then runWhen executed,Worm checks for the file C:\NotwormIf file exists, the worm thread goes into infinite sleep stateCreates new threadsIf the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses85Code Red of July 13 and July 19Initial release of July 131st through 20th month: Spread via random scan of 32-bit IP addr space20th through end of each month: attack.Flooding attack against 198.137.240.91 (www.whitehouse.gov)Failure to seed random number generator linear growthRevision released July 19, 2001.White House responds to threat of flooding attack by changing the address of www.whitehouse.govCauses Code Red to die for date 20th of the month.But: this time random number generator correctly seededSlides: Vern Paxson86Infection rate

87Measuring activity: network telescopeMonitor cross-section of Internet address space, measure traffic Backscatter from DOS floodsAttackers probing blindlyRandom scanning from wormsLBNLs cross-section: 1/32,768 of InternetUCSD, UWiscs cross-section: 1/256.

88Spread of Code RedNetwork telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT)Course of infection fits classic logistic.Note: larger the vulnerable population, faster the worm spreads.

That night ( 20th), worm dies except for hosts with inaccurate clocks!It just takes one of these to restart the worm on August 1st Slides: Vern Paxson89

Slides: Vern Paxson90Code Red 2Released August 4, 2001.Comment in code: Code Red 2.But in fact completely different code base.Payload: a root backdoor, resilient to reboots.Bug: crashes NT, only works on Windows 2000.Localized scanning: prefers nearby addresses.

Kills Code Red 1.

Safety valve: programmed to die Oct 1, 2001.Slides: Vern Paxson91Striving for Greater Virulence: NimdaReleased September 18, 2001.Multi-mode spreading:attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem!Leaped across firewalls.Slides: Vern Paxson92

Code Red 2 kills off Code Red 1Code Red 2 settles into weekly patternNimda enters the ecosystemCode Red 2 dies off as programmedCR 1 returns thanksto bad clocksSlides: Vern Paxson93How do worms propagate?Scanning worms : Worm chooses random addressCoordinated scanning : Different worm instances scan different addressesFlash wormsAssemble tree of vulnerable hosts in advance, propagate along treeNot observed in the wild, yetPotential for 106 hosts in < 2 sec ! [Staniford]Meta-server worm :Ask server for hosts to infect (e.g., Google for powered by phpbb)Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH known hosts)Contagion worm : Propagate parasitically along with normally initiated communicationslammer01/25/2003Vulnerability disclosed : 25 june 2002Better scanning algorithmUDP Single packet : 380bytesSlammer propagation

Number of scan/sec

Packet loss

A server view

ConsequencesATM systems not availablePhone network overloaded (no 911!)5 DNS root downPlanes delayed100Worm Detection and DefenseDetect via honeyfarms: collections of honeypots fed by a network telescope.Any outbound connection from honeyfarm = worm.(at least, thats the theory)Distill signature from inbound/outbound traffic.If telescope covers N addresses, expect detection when worm has infected 1/N of population.Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts5 minutes to several weeks to write a signatureSeveral hours or more for testing102Signature inferenceChallengeneed to automatically learn a content signature for each new worm potentially in less than a second!Some proposed solutionsSingh et al, Automated Worm Fingerprinting, OSDI 04Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec 04103Signature inferenceMonitor network and look for strings common to traffic with worm-like behaviorSignatures can then be used for content filteringSlide: S Savage

104Content siftingAssume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)Two consequencesContent Prevalence: W will be more common in traffic than other bitstrings of the same lengthAddress Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinationsContent sifting: find Ws with high content prevalence and high address dispersion and drop that trafficSlide: S Savage105

Observation:High-prevalence strings are rare(Stefan Savage, UCSD *)Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute111ChallengesComputationTo support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40GbpsDominated by memory references; state expensiveContent sifting requires looking at every byte in a packetStateOn a fully-loaded 1Gbps link a nave implementation can easily consume 100MB/sec for tableComputation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM(Stefan Savage, UCSD *)