Corrado Aaron Visaggio

Malware 2
Malicious Software

• Programs exploiting computing system vulnerabilities are known as malicious software, or malware.
• Malware can be divided into two categories:
– Program fragments that need a host program (parasitic malware), e.g. viruses, logic bombs and backdoors: they cannot exist independently of some actual application program, utility or system program.
– Independent, self-contained programs, e.g. worms and bots: they can be run directly by the operating system.
• We also differentiate between software threats that
– do not replicate and are activated by a trigger (e.g., logic bombs, bots);
– do replicate/propagate themselves (e.g., viruses and worms).

Malicious Software (taxonomy)

Malicious programs
• Need a host program: trapdoors, logic bombs, Trojan horses, viruses
• Independent: worms, zombies (bots)
• Replicate: viruses, worms
Malware Terminology (1/3)

Virus: A piece of code that inserts itself into a host program (infects it). It cannot run independently; it requires that its host program be run to activate it.

Worm: A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.

Logic bomb: A program inserted into software by an intruder. It executes on a specific condition (trigger). Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date. The slide's sketch, written out in Python (legitimate_code_* and crash_computer stand for the surrounding program and the payload):

    import datetime

    def run():
        legitimate_code_before()
        today = datetime.date.today()
        if today.day == 13 and today.weekday() == 4:   # Friday the 13th: the trigger
            crash_computer()                            # the bomb's payload
        legitimate_code_after()

Malware Terminology (2/3)

Trojan horse: A program that appears to have one (useful) function but actually performs another (malicious) function, without the user's knowledge.

Backdoor (trapdoor): Any mechanism that bypasses a normal security check, e.g. code that recognizes some special input sequence. Programmers sometimes use backdoors legitimately to debug and test programs; one left in shipped code is a vulnerability for every user. The slide's login sketch in Python (credentials_valid stands for the normal "username and password are valid" check):

    def check_login():
        username = read_username()
        password = read_password()
        if username == "112_h4ck0r":                 # backdoor: skips the normal check
            return ALLOW_LOGIN
        if credentials_valid(username, password):
            return ALLOW_LOGIN
        return DENY_LOGIN

Malware Terminology (3/3)

Exploit: Malicious code specific to a single vulnerability.

Keylogger: Captures keystrokes on a compromised system.

Rootkit: A set of hacker tools installed on a computer system after the attacker has broken into the system and gained administrator (root-level) access.

Zombie, bot: A program on an infected machine that is activated to launch attacks on other machines.

Spyware: Collects information from a computer and transmits it to another system.

Internet Worms

A self-replicating program that propagates over the Internet, e.g.:
• Using email: a worm mails a copy of itself to other systems.
• Remote execution capability: a worm executes a copy of itself on a remote system, either using an explicit remote execution facility or by exploiting a flaw (e.g., a buffer overflow) in some network service.
• Remote login: a worm logs onto a remote system as a user and then uses commands to copy itself from the current system to the remote one.

Internet Worms: Uses/Applications
• Launch a DDoS
• Access sensitive information
• Spread disinformation
• Unknown reasons; most generally the need to be recognized and famous (it has never turned out to be an accident)

Worm Operation

A worm has phases like a virus:
• Dormant phase: the worm is idle, waiting for a trigger event (e.g., date, time, program).
• Propagation phase: the worm searches for other systems, connects to them, copies itself to them and runs there (the copy may not be identical: it morphs to avoid detection).
• Triggering phase: the worm is activated by some trigger event to perform its intended function.
• Execution phase: the intended function is performed, e.g., a DDoS attack on a specified target.

Worm Operation: Propagation Phase

To propagate, a worm generally performs the following functions:
• Search for other systems to infect, by examining various repositories of remote system addresses and by IP address-space probing to detect vulnerable targets. Note that this active acquisition/search phase is not present in viruses.
• Establish a connection with a remote system.
• Copy itself to the remote system and cause the copy to be run.

Generalized Worm Propagation Model
• In the first stage the infected host searches for vulnerable targets.
• When a target is found, the infected host tries to deliver malcode to the selected target.
• Executing the malcode, the target host is compromised.
• Once the system is compromised, some malware can perform additional tasks. Payload refers to those additional tasks performed by a worm (DoS, installing backdoors, self-replicating).

[Flowchart: Infected Host → Select Target → Deliver Malcode → Compromise System → Infection Completed → Payload? Yes: Execute Payload / No: done]

Actions in Each of the Stages
• The target selecting stage:
– random IP address probing;
– harvesting email addresses (e.g., from the address book);
– through file sharing systems.
• The malcode delivery stage (only part of the worm may be sent in this stage, the rest being fetched after the compromise):
– a payload associated with a buffer overflow;
– using mail or messaging services;
– specially crafted HTML pages hosted on a web server.
• Compromising the system, i.e. executing the malcode: email vulnerabilities, user intervention, automatic execution (e.g., buffer overflow, backdoors, etc.).

Worm Propagation in Real Life

Morris Worm (Robert Morris, 1988)
• To propagate, the worm's first task was to discover other hosts known to the infected host that would allow entry from it. It examined system tables that declare which other machines are trusted by this host, users' mail-forwarding files, remote access control tables, and reports from services that report the status of network connections.
• For each discovered host, it tried various attacks on UNIX systems:
– cracking the password file, to use a login/password to log on to other systems;
– exploiting a bug (a buffer overflow) in the finger daemon, fingerd;
– exploiting a bug (the DEBUG command) in sendmail.
• If any of the three succeeded, the worm had remote shell access. It sent a bootstrap program to the compromised machine; the bootstrap program called back the parent and downloaded the remainder of the worm.
• About 4000 of the Internet's approximately 60,000 hosts (at that time) were infected within 16 hours of the worm's deployment.

Code Red (July 2001)
• The Code Red worm spreads via a buffer overflow in the Microsoft Internet Information Server (IIS) Indexing Service. Infection begins by issuing an HTTP GET request to a vulnerable IIS system.
• The worm probes random IP addresses to spread to other hosts. During a certain period of time it only spreads; it then initiates a denial-of-service attack against a government web site by flooding the site with packets from numerous hosts.
• Code Red I v2 infected nearly 360,000 servers in 14 hours. It caused problems to the infected servers but, more importantly, consumed a significant amount of Internet capacity.
• Code Red II is a variant that also targets Microsoft IIS. It also installs a backdoor, allowing an attacker to remotely execute commands on victim computers.

[Figure: The Spread of Code-Red v2; source: http://www.caida.org/research/security/code-red/coderedv2_analysis.xml]

SQL Slammer (January 2003)
• Exploited a buffer overflow in Microsoft SQL Server: a single short (about 400 bytes) packet to UDP port 1434 was sufficient.
• The worm infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation and government institutions and precluding any human-based response. It carried no malicious payload, but simply overloaded networks.
• Its spreading strategy uses random scanning: it randomly selects IP addresses, eventually finding and infecting all susceptible hosts.
• Slammer spread nearly two orders of magnitude faster than Code Red, yet it infected fewer machines. It is the fastest computer worm in history (full scanning rate of 55 million scans per second after only 3 minutes).

The Spread of SQL Slammer: Faster than Code Red (CR)
• Slammer is bandwidth-limited: its scanner is only about 400 bytes long, and a single UDP packet could exploit the SQL Server vulnerability.
• CR is latency-limited: its scanner performs a TCP handshake and therefore has to wait for the SYN/ACK packet from the target.
• However, Slammer's author made several mistakes in the random number generator (many active IP addresses were simply skipped, hence fewer infections).

[Figure: Code Red v2 vs. Slammer; Slammer saturated the network with its scans]

Modelling Propagation of Worms

Why Modelling?
• Worms spread at an exponential rate (e.g., 10M hosts in < 5 minutes), which is hard to deal with by manual intervention. How do we protect our systems? What are the possible effects?
• To be able to defend against future worms, we need to understand
– worm propagation patterns;
– the impact of human countermeasures (patching the computer systems, firewalls, disconnecting devices from the network, etc.) on worm propagation;
– the impact of network traffic (recall the Slammer worm).

Worm Propagation Modelling

Simple Epidemic Model
• Uses the time model of infectious diseases to model worm propagation. Three possible states: Susceptible, Infected (infectious), Quarantined/Removed.
• "Infectious" hosts continuously infect others.
• "Removed" hosts in the epidemic area: recovered and immune to the virus, or dead because of the disease.
• "Removed" hosts in the computer area: patched computers that are clean and immune to the worm; computers that are shut down or cut off from the worm's circulation.
• Assumptions: the population size (#hosts) is large; any host has equal probability of contacting any other host in the system; the number of contacts is proportional to #infectious × #susceptible.

[State diagram: Susceptible (S) → Infectious (I) on contact → Removed]

Classical Simple Epidemic Model
• State transition: susceptible → infectious.
• N: population of hosts; S(t): susceptible hosts; I(t): infectious hosts at time t.

Classical General Epidemic Model (SIR)
• State transition: susceptible → infectious → removed.
• N: population of hosts; S(t): susceptible hosts; I(t): infectious hosts; R(t): hosts removed from the infectious state at rate γ.
(The differential equations are written out on the Worm Countermeasures slide below.)

[Figure: I(t) for N = 10^6 hosts under the general SIR model, for γ = 0, γ = βN/16, γ = βN/4 and γ = βN/2; x-axis: time, y-axis: infectious hosts (×10^5)]

Are the Two SIR Models Adequate?
• The classical and general SIR models are not perfectly suitable, as human countermeasures will remove both susceptible and infectious hosts from circulation.
• Human countermeasures include:
– clean and patch: download cleaning programs, patches;
– filter: put filters on firewalls, gateways;
– disconnect computers (as in the case of the Code Red worm).
• Also, the infection rate β is decreased because of the large amount of scan traffic (e.g., the SQL Slammer worm).

[State diagram: susceptible → infectious → removed, with susceptible hosts also leaving circulation through countermeasures]

Two Factor Worm Model

Human countermeasures and a decreasing infection rate β:
• N: population of hosts
• S(t): susceptible hosts
• I(t): infectious hosts
• R(t): hosts removed from the infectious state at rate γ
• Q(t): hosts removed from the susceptible state (patched, filtered, disconnected) at rate μ
• β(t): infection rate, decreasing over time as scan traffic congests the network

Turning point: when β(t)S(t) < γ, the number of infectious hosts removed per unit time (γI(t)) is greater than the number of newly generated infectious hosts in the same time (β(t)S(t)I(t)), so I(t) starts to fall.
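Added example (not from these slides): a forward-Euler integration of the models above, using the slides' symbols. S(0) = N − 1 (one infected host), β = λ/M with λ the probe rate and M = 2^32, and γ set to the fractions of βN used in the lecture figure. The two-factor run adds removal of susceptibles at an assumed rate μ and a β(t) that shrinks with the infected fraction; the form of that decay, the constants and the time unit (seconds) are illustrative assumptions, not values from the lecture.

```python
def simulate(N, I0, probe_rate, M, gamma, mu=0.0, congestion=0.0,
             t_end=40_000.0, dt=1.0):
    """Forward-Euler integration of the worm epidemic model (time in seconds).

        dS/dt = -beta(t) S I - mu S
        dI/dt =  beta(t) S I - gamma I
        dR/dt =  gamma I
        dQ/dt =  mu S
        beta(t) = (probe_rate / M) * (1 - congestion * I / N)

    mu = congestion = 0 gives the classical SIR model of the slides; mu > 0
    and congestion > 0 are the two factors (the decay law of beta is an
    assumed form, not one taken from the lecture).
    """
    beta0 = probe_rate / M                       # beta = lambda / M
    S, I, R, Q, t = float(N - I0), float(I0), 0.0, 0.0, 0.0
    keys = ("t", "S", "I", "R", "Q", "beta")
    series = {k: [] for k in keys}
    series.update(N=N, gamma=gamma)
    for _ in range(int(t_end / dt) + 1):
        beta = beta0 * (1.0 - congestion * I / N)
        for k, v in zip(keys, (t, S, I, R, Q, beta)):
            series[k].append(v)
        new_inf = beta * S * I * dt              # contacts ~ #infectious x #susceptible
        S, I, R, Q = (S - new_inf - mu * S * dt,
                      I + new_inf - gamma * I * dt,
                      R + gamma * I * dt,
                      Q + mu * S * dt)
        t += dt
    return series


def peak(series):
    """Time, size and beta(t)*S(t) at the maximum of I(t): the turning point,
    where the slides' condition beta(t)S(t) = gamma should hold."""
    k = max(range(len(series["I"])), key=series["I"].__getitem__)
    return {"t": series["t"][k], "I": series["I"][k],
            "beta_S": series["beta"][k] * series["S"][k]}


def attack_size(series):
    """Fraction of the population that was ever infected."""
    return (series["I"][-1] + series["R"][-1]) / series["N"]


def run_scenarios(N=1_000_000, probe_rate=10.0, M=2**32):
    """The four gamma values of the lecture figure plus one two-factor run
    (mu and congestion are assumed values)."""
    beta_N = probe_rate / M * N
    cases = {
        "gamma=0": dict(gamma=0.0),
        "gamma=betaN/16": dict(gamma=beta_N / 16),
        "gamma=betaN/4": dict(gamma=beta_N / 4),
        "gamma=betaN/2": dict(gamma=beta_N / 2),
        "two-factor": dict(gamma=beta_N / 2, mu=beta_N / 200, congestion=0.5),
    }
    return {name: simulate(N, 1, probe_rate, M, **kw) for name, kw in cases.items()}


if __name__ == "__main__":
    for name, s in run_scenarios().items():
        p = peak(s)
        ratio = p["beta_S"] / s["gamma"] if s["gamma"] else float("nan")
        print(f"{name:15s} peak I={p['I']:9.0f} at t={p['t']:6.0f}s "
              f"beta*S/gamma at peak={ratio:.3f} attack size={attack_size(s):.3f}")
```

With γ = 0 every host is eventually infected; with γ = βN/2 the classical model still reaches about 80% of the population (the final-size equation z = 1 − e^(−2z)), and at each peak β(t)S(t) equals γ to within the integration step, which is the turning-point condition stated above. Adding susceptible removal and congestion lowers the attack size, which is why the two-factor model fits measured Code Red and Slammer curves better than plain SIR.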

Characteristics of Worm Spreading
• Worm growth: slow start, fast spread phase, slow decay.
• Speed-ups come from more advanced probing techniques.

Probing Techniques (Examples)
• Random scanning
• Local subnet scanning
• Routing worm
• Pre-generated hit list
• Topological

Probing Techniques: Random Scanning

32 bit number is randomly generated and used as the IP address Aside: IPv6 worms will be different …

E.g., Slammer and Code Red I Hits black-holed IP space frequently Only 28.6% of IP space is allocated Aside: can track worms by monitoring unused

addresses Honeypots

Probing Techniques: Subnet Scanning
• Generate only the last 1, 2 or 3 bytes of the IP address randomly, keeping the infected host's own prefix (e.g., Code Red II and Blaster).
• Some scans must still be completely random to infect the whole Internet.

Probing Techniques: Routing Worm
• BGP information can tell which IP address blocks are allocated, so the worm scans only routable space.
• This information is publicly available: http://www.routeviews.org/ and http://www.ripe.net/ris/

Probing Techniques: Topological
• Uses information found on the infected host to find the next target:
– the Morris Worm used /etc/hosts and .rhosts;
– email address books;
– P2P software usually stores information about the peers each host connects to.

Probing Techniques: Hit List
• A hit list of vulnerable machines is sent with the payload; it is determined before the worm launch by scanning.
• Gives the worm a boost in the slow-start phase: it skips the phase that follows the exponential model, and the infection rate looks linear in the rapid propagation phase.
• Can avoid detection by early detection systems.

Warhol: Hit List + Permutation Scanning
• Infection time estimated at about 15 minutes (Andy Warhol: "In the future, everybody will have 15 minutes of fame.")

[Figure: infected hosts over time for 1. a conventional (Code Red-like) worm capable of 10 scans/second; 2. a fast scanning worm capable of 100 scans/second; 3. a Warhol worm capable of 100 scans/second using a 10,000-entry hit list]

• No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms, which infect the Internet in tens of seconds!).
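Added example (not the lecture's code): a toy discrete-time simulation that compares random scanning, local subnet scanning and a pre-generated hit list on a constructed 16-bit address space whose 1000 vulnerable hosts cluster in 8 subnets. All sizes, the 50-entry hit list, the probe rate per round and the shared hit-list queue are assumptions for illustration. It reports how many probe rounds each strategy needs to infect 90% of the vulnerable hosts and how many probes were wasted on non-vulnerable (black-holed) space.

```python
import random

ADDR_BITS = 16            # constructed toy address space of 65,536 addresses
M = 1 << ADDR_BITS
HOST_BITS = 8             # high bits name a "subnet", the low 8 bits the host


def make_population(n_vuln=1000, n_subnets=8, seed=7):
    """Constructed vulnerable population clustered in a few subnets."""
    rng = random.Random(seed)
    subnets = rng.sample(range(1 << (ADDR_BITS - HOST_BITS)), n_subnets)
    vuln = set()
    while len(vuln) < n_vuln:
        vuln.add((rng.choice(subnets) << HOST_BITS) | rng.randrange(1 << HOST_BITS))
    return vuln


def spread(vuln, strategy, probes_per_tick=5, hit_list_size=0, p_local=0.5,
           goal=0.9, max_ticks=5000, seed=1):
    """Discrete-time propagation from one seed host.

    strategy: "random"   each probe picks a uniform random address
              "subnet"   with probability p_local the probe keeps the infected
                         host's subnet and randomizes only the host bits
              "hit_list" the worm carries hit_list_size known-vulnerable
                         addresses (pre-scanned before launch) and uses them
                         up before falling back to random probing
    Simplification: the hit list is one shared queue rather than being
    partitioned between children as a Warhol worm would do.
    """
    rng = random.Random(seed)
    infected = {min(vuln)}
    hit_list = rng.sample(sorted(vuln), hit_list_size) if strategy == "hit_list" else []
    wasted = 0                                # probes that hit non-vulnerable space
    tick = 0
    while len(infected) < goal * len(vuln) and tick < max_ticks:
        tick += 1
        newly = set()
        for host in sorted(infected):
            for _ in range(probes_per_tick):
                if hit_list:
                    target = hit_list.pop()
                elif strategy == "subnet" and rng.random() < p_local:
                    target = (host & ~((1 << HOST_BITS) - 1)) | rng.randrange(1 << HOST_BITS)
                else:
                    target = rng.randrange(M)
                if target in vuln:
                    newly.add(target)
                else:
                    wasted += 1
        infected |= newly
    return {"ticks": tick, "infected": len(infected),
            "reached_goal": len(infected) >= goal * len(vuln),
            "wasted_probes": wasted}


def compare(seed=7):
    """Run the three strategies against the same constructed population."""
    vuln = make_population(seed=seed)
    return {"random": spread(vuln, "random"),
            "subnet": spread(vuln, "subnet"),
            "hit_list": spread(vuln, "hit_list", hit_list_size=50)}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} rounds={r['ticks']:4d} infected={r['infected']:4d} "
              f"wasted probes={r['wasted_probes']}")
```

The random scanner spends most of its rounds in the slow-start phase waiting for the first few lucky hits; the hit list removes exactly that phase, and subnet scanning both finishes sooner and wastes far fewer probes because the vulnerable hosts are not spread uniformly over the address space.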

Worm Countermeasures: How to Mitigate the Worm Threat?

The SIR model written out (same symbols as above):

$$\frac{dS}{dt} = -\beta\, S(t)\, I(t), \qquad \frac{dI}{dt} = \beta\, S(t)\, I(t) - \gamma\, I(t), \qquad \frac{dR}{dt} = \gamma\, I(t)$$

with S(0) = N and β = λ/M, where λ is the probe rate of the worm, M the total address population (e.g. $2^{32}$ for IPv4) and γ the "removal" rate.

Each factor in the equations points at a countermeasure:
1. Reduce the number of susceptible hosts S (prevention)
2. Reduce the rate of infection β (suppression)
3. Reduce the number of infected hosts I (containment)

Mitigating the Worm Threat
• Prevention: aims to reduce the size of the vulnerable population (reduce # of susceptible hosts, e.g. by patching). Secure programming, applying software updates, AV protection. Patches generally take days to release; only now are relatively reliable distribution networks for patches springing up.
• Containment and suppression (the easiest to deploy): firewalls, content filtering, automated routing blacklists, disconnecting infected machines (reduce # of infected hosts, e.g., with AV).

Worm Countermeasures
• Overlap with anti-virus techniques: once a worm is on a system, A/V can detect it.
• Worms also cause significant network activity when scanning for other targets (scan rates of 10–10,000 scans/second).
• Worm defense approaches include:
– Signature-based worm scan filtering: generates a worm scan signature to prevent worm scans from entering a network/host.
– Filter-based worm containment: focuses on the worm's content rather than on a scan signature.
– Payload-classification-based worm containment: packet-based checks.
– Threshold random walk scan detection: exploits the randomness in picking destinations to connect to (a scanner's first contacts fail far more often than a legitimate host's).
– Rate limiting and rate halting: limit or block outgoing traffic when a given threshold is exceeded (for fast worms).
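Added example (not from the slides): the threshold random walk idea and a rate-halting check run over a constructed connection log. TRW follows the sequential hypothesis test of Jung, Paxson, Berger and Balakrishnan (2004): each first contact to a new destination multiplies a per-source likelihood ratio by θ1/θ0 on success or (1−θ1)/(1−θ0) on failure, until it crosses an upper (scanner) or lower (benign) threshold; repeated contacts to the same destination carry no evidence. The log format, the θ/α/β values and the rate threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not real traffic): outbound connection attempts, syslog-like.
SAMPLE_LOG = """\
2003-01-25T05:31:00Z src=10.0.0.5 dst=10.0.7.9 dport=1434 result=fail
2003-01-25T05:31:00Z src=10.0.0.5 dst=10.0.7.10 dport=1434 result=fail
2003-01-25T05:31:00Z src=10.0.0.5 dst=192.0.2.44 dport=1434 result=fail
2003-01-25T05:31:01Z src=10.0.0.5 dst=10.0.7.9 dport=1434 result=fail
2003-01-25T05:31:01Z src=10.0.0.5 dst=198.51.100.7 dport=1434 result=fail
2003-01-25T05:31:01Z src=10.0.0.8 dst=10.0.1.1 dport=53 result=ok
2003-01-25T05:32:10Z src=10.0.0.8 dst=10.0.1.2 dport=443 result=ok
2003-01-25T05:33:15Z src=10.0.0.8 dst=192.0.2.80 dport=80 result=ok
2003-01-25T05:34:20Z src=10.0.0.8 dst=203.0.113.5 dport=443 result=ok
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


class TRWDetector:
    """Threshold Random Walk (sequential hypothesis test) per source.

    H0 = benign: first contacts succeed with probability theta0.
    H1 = scanner: first contacts succeed with probability theta1 (< theta0).
    Only the first contact to each destination moves the likelihood ratio.
    alpha = tolerated false-positive rate, beta = desired detection rate.
    """
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.step_ok = theta1 / theta0                   # success: ratio falls
        self.step_fail = (1 - theta1) / (1 - theta0)     # failure: ratio rises
        self.eta1 = beta / alpha                         # >= eta1 -> scanner
        self.eta0 = (1 - beta) / (1 - alpha)             # <= eta0 -> benign
        self.ratio = defaultdict(lambda: 1.0)
        self.seen = defaultdict(set)
        self.verdict = {}

    def observe(self, src, dst, success):
        """Feed one connection attempt; return the verdict once it is reached."""
        if src in self.verdict or dst in self.seen[src]:
            return self.verdict.get(src)
        self.seen[src].add(dst)
        self.ratio[src] *= self.step_ok if success else self.step_fail
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


def rate_halt(events, max_new=3, window_s=2.0):
    """Rate halting: a source that opens more than max_new distinct destinations
    within window_s seconds is halted (a real throttle would queue its further
    connections rather than just flag it)."""
    first_contact = defaultdict(dict)
    for e in events:
        first_contact[e["src"]].setdefault(e["dst"], e["ts"])
    halted = set()
    for src, contacts in first_contact.items():
        times = sorted(contacts.values())
        for i, t0 in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_s)
            if in_window > max_new:
                halted.add(src)
                break
    return halted


def run_detectors(text=SAMPLE_LOG):
    """Run both detectors; record how many distinct destinations TRW needed."""
    events = parse_log(text)
    trw = TRWDetector()
    verdicts, decided_after = {}, {}
    for e in events:
        v = trw.observe(e["src"], e["dst"], e["result"] == "ok")
        if v and e["src"] not in verdicts:
            verdicts[e["src"]] = v
            decided_after[e["src"]] = len(trw.seen[e["src"]])
    return {"events": len(events), "trw": verdicts,
            "decided_after": decided_after, "halted": rate_halt(events)}
```

With these parameters a failure multiplies the ratio by 4 and a success by 0.25, so four failed first contacts (4^4 = 256 ≥ 99) are enough to flag a Slammer-style scanner and four successes (0.25^4 ≤ 0.0101) clear a normal client; the repeated contact to 10.0.7.9 is ignored by TRW but is also not a "new" destination for the rate check.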

Reaction Time Matters
• Worm containment mechanisms should be automated.

[Figure: infected hosts over time for four worms]
1. Conventional (Code Red-like) worm capable of 10 scans/second
2. Fast scanning worm capable of 100 scans/second
3. Warhol worm capable of 100 scans/second using a 10,000-entry hit list
4. SQL Slammer: 30,000 scans/second per machine (on a 100 Mbps link)

• No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms, which infect the Internet in tens of seconds!).

[Figure: Reactive address blacklisting strategy against Slammer; α is the proportion of susceptible hosts]

Sandboxes
• A sandbox is a security mechanism for safely running untrusted programs.
– It provides a tightly-controlled set of resources for guest programs to run in, such as space on disk and memory. Network access, the ability to inspect the host system or to read from input devices is usually disallowed or heavily restricted. Cf. virtual machine.
• Examples of sandboxes are:
– Applets: self-contained programs that run in a virtual machine or scripting-language interpreter that does the sandboxing, for example in the browser.
– Jails: a special kind of resource limit imposed on programs by the operating system.
– Virtual machines: emulate a complete host computer, on which an entire operating system can run.

Detecting rootkits
• Because they often hook into the operating system at the kernel level to hide their presence, rootkits can be very hard to detect.
– There are inherent limitations to any program that attempts to detect rootkits while running under the suspect system: it sees only what the rootkit lets it see.
– As with virus detection, rootkit detection and elimination is an ongoing struggle between perpetrators and defenders. Examples of current tools (Unix): chkrootkit and rkhunter.
• Probably best to reinstall the operating system from scratch, from trusted installation media.

Trusting Trust backdoor
• How to create an undetectable backdoor:
– Change the compiler so that, when compiling the login program, it adds the hard-coded username/password check to the login program.
• Thus, the login program source code looks completely normal.
– As an extra twist, change the compiler so that, when compiling the compiler, it adds the code that adds the code to the login program.
• Thus, even if the compiler is recompiled from clean source, the backdoor will still be inserted.
• And none of the source code reveals the backdoor. Described by Ken Thompson in "Reflections on Trusting Trust", Communications of the ACM, 1984.
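Added example (not Thompson's or the lecture's code): a toy version of the trick in Python, where the "compiler" is a source-to-source function and "running a binary" means exec'ing the compiled source. The TROJAN string plays the role of the one binary the attacker keeps; the login program, the clean compiler and the 112_h4ck0r credential (borrowed from the backdoor slide above) are assumptions.

```python
# Honest sources: nothing in them reveals a backdoor (assumed toy programs).
CLEAN_LOGIN_SRC = (
    'def login(user, pw):\n'
    '    return user == "alice" and pw == "correct horse"\n'
)
CLEAN_COMPILER_SRC = (
    'def compile(src):\n'
    '    return src\n'
)

# The trojan: statements inserted at the top of compile()'s body. The %r slot
# receives a copy of this very template (a quine), so the inserted code can
# re-insert itself whenever it compiles a clean compiler.
TROJAN_TEMPLATE = (
    '    _t = %r\n'
    '    if "def login(user, pw):\\n" in src:\n'
    '        src = src.replace("def login(user, pw):\\n",\n'
    '                          "def login(user, pw):\\n    if user == \'112_h4ck0r\': return True\\n", 1)\n'
    '    if "def compile(src):\\n" in src and "_t = " not in src:\n'
    '        src = src.replace("def compile(src):\\n", "def compile(src):\\n" + _t %% _t, 1)\n'
)
TROJAN = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def run_source(src, name):
    """Stand-in for running a binary: exec the compiled source, return the function."""
    ns = {}
    exec(src, ns)
    return ns[name]


def trojaned_compiler():
    """The binary the attacker ships once; its source is never kept anywhere."""
    return run_source('def compile(src):\n' + TROJAN + '    return src\n', 'compile')


def demo():
    evil = trojaned_compiler()
    honest = run_source(CLEAN_COMPILER_SRC, 'compile')
    # 1. The honest login program compiled with the evil compiler gets a backdoor.
    login_evil = run_source(evil(CLEAN_LOGIN_SRC), 'login')
    # 2. Rebuilding the compiler from its clean source with the evil compiler...
    rebuilt = run_source(evil(CLEAN_COMPILER_SRC), 'compile')
    # ...gives a compiler that still plants the backdoor.
    login_rebuilt = run_source(rebuilt(CLEAN_LOGIN_SRC), 'login')
    # 3. Only a compiler built by an honest compiler leaves the login alone.
    login_honest = run_source(honest(CLEAN_LOGIN_SRC), 'login')
    return {
        "backdoor_in_any_source": "112_h4ck0r" in CLEAN_LOGIN_SRC + CLEAN_COMPILER_SRC,
        "evil_plants_backdoor": login_evil("112_h4ck0r", "anything"),
        "rebuilt_plants_backdoor": login_rebuilt("112_h4ck0r", "anything"),
        "honest_plants_backdoor": login_honest("112_h4ck0r", "anything"),
        "normal_login_still_works": login_rebuilt("alice", "correct horse"),
        "rebuilt_output_identical": evil(CLEAN_COMPILER_SRC) == rebuilt(CLEAN_COMPILER_SRC),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} {v}")
```

The second stage is the point of the slide: the compiler rebuilt from CLEAN_COMPILER_SRC emits byte-for-byte the same output as the original trojaned one, so auditing and recompiling the source does not help. Breaking the chain needs a compiler whose build did not pass through the trojaned one (an independent toolchain, as in diverse double-compiling).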

"Good" viruses/worms?
• A family of worms known as Nachi (also called Welchia) tried to download and install patches from Microsoft's website to fix various vulnerabilities in the host system, the same vulnerabilities that they exploited.
• It eventually made the affected systems more secure, but generated considerable network traffic (often more than the worms it was protecting against) and rebooted the machine in the course of patching it.
• It worked without the consent of the computer's owner or user.
• Most security experts deprecate worms, whatever their payload.

Outlook
• Why we have so much malware
• Trends in malware: crime; mobile?
• The future

Why we have so much malware
• Users are ill-educated, resulting in distribution as Trojans and viruses
– because computers are fast-changing and still relatively new.
• Software has vulnerabilities, resulting in distribution of worms and viruses
– because it is badly written or badly designed;
– because the designers have historically favoured user convenience over security.
• The PC is an open platform
– users can install software, in contrast with (old-fashioned) mobile phones, mp3 players, set-top boxes, embedded computers, etc.

The threat of monopoly
• Another reason for the prevalence of malware is the homogeneity of software.
– Most computers run Windows, MS Office, MS Outlook Express, MS Internet Explorer.
– This makes the attacker's job very easy.
• In contrast, in the Linux world there is a plethora of rival distributions, office suites, email clients and browsers.
– This makes the attacker's job much, much harder!

Open-source vs closed source
• It is often argued that
– open source is more secure, because vulnerabilities have a much higher chance of being spotted, since hundreds of people around the world are scrutinising the source code;
– closed source is less secure, because very few people have access to the source code.
• But one can also argue that
– open source is less secure, because attackers can see the code and find vulnerabilities to exploit;
– closed source is more secure, because the attacker doesn't have access to the source code.
– However, this argument is "security through obscurity" and should be rejected.

Open-source phenomenon
• An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change could be.
– In this case a two-line change took the form of an apparent typographical error, an assignment current->uid = 0 where a comparison == was expected, which in practice gave the caller of the sys_wait4 function root access to the machine.
• The attack was detected well before the code was released.

Trend towards crime
• Mikko Hypponen is chief research officer at F-Secure, and worked on detection of Sobig, Sasser, etc.
– "Worms aren't making the news these days, because they are not the right tool to use if you want to become rich by writing malware... Modern bots and trojans spread more stealthily, remaining below the detection radar... They infect your PC and wait for instructions."

Mobile phone malware
• "Malware goes Mobile", Mikko Hypponen, Scientific American, 2006.
– Reports on Cabir, a proof-of-concept virus.
– The original did nothing (bragware), but variants dialled 1-900 premium numbers.
– As of 2006, >300 different viruses (compared with 200,000 for the PC).
– Spread by Bluetooth (pestering the user to accept).
– As of 2006, all mobile malware exploits user naivety, not software vulnerabilities (why?).

The future
• The tension between flexibility and security will continue to introduce vulnerabilities, especially in emerging domains such as wearables and multi-functional devices.
• But users will continue to become better educated, and established software will continue to mature and become less vulnerable.
• And PCs continue to become "locked down": draconian firewalls, sandboxes, fewer user privileges, trusted computing platforms.
• Thus, things will slowly get better, but at a high price, and we will still see some spectacular attacks.

Closing Words
• Worms pose an ongoing threat of use in attacks on a variety of sites and infrastructures: SQL Slammer affected ATMs and 911 services, caused cancelled flights, etc.
• Worms represent an extremely serious threat to the safety of the Internet.
• Warhol and flash-like worms can infect/affect the whole Internet in a matter of minutes/seconds, hence the need for automated response/containment mechanisms.
• Threat awareness is important (it reduces the susceptible population), especially for software designers and programmers.