Malware PowerPoint Presentation

Slide 1 -

CS155 Spring 2009 Elie Bursztein Malware

Slide 2 -

Welcome to the zoo What malware are How do they infect hosts How do they hide How do they propagate Zoo visit ! How to detect them Worms

Slide 3 -

What is a malware ? A Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.

Slide 4 -

What it is good for ? Steal personal information Delete files Click fraud Steal software serial numbers Use your computer as relay

Slide 5 -

The Malware Zoo Virus Backdoor Trojan horse Rootkit Scareware Adware Worm

Slide 6 -

What is a Virus ? a program that can infect other programs by modifying them to include a, possibly evolved, version of itself Fred Cohen 1983

Slide 7 -

Some Virus Type Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer) Methamorpic : Change after each infection

Slide 8 -

What is a trojan A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer Wikipedia

Slide 9 -

What is rootkit A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine Symantec

Slide 10 -

What is a worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and do so without any user intervention.

Slide 11 -

Almost 30 years of Malware From Malware fighting malicious code

Slide 12 -

History Melissa spread by email and share Knark rootkit made by creed demonstrate the first ideas love bug vb script that abused a weakness in outlook Kernl intrusion by optyx gui and efficent hidding mechanims 1981 First reported virus 1983 Virus get defined 1986 First PC virus MS DOS 1988 First worm : Morris worm 1990 First polymorphic virus 1998 First Java virus 1998 Back orifice 1999 Melissa virus 1999 Zombie concept 1999 Knark rootkit 2000 love bug 2001 Code Red Worm 2001 Kernel Intrusion System 2001 Nimda worm 2003 SQL Slammer worm

Slide 13 -

Number of malware signatures Symantec report 2009

Slide 14 -

Malware Repartition Panda Q1 report 2009

Slide 15 -

Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms

Slide 16 -

What to Infect Executable Interpreted file Kernel Service MBR Hypervisor

Slide 17 -

Overwriting malware Targeted Executable Malware Malware

Slide 18 -

prepending malware Targeted Executable Malware Infected host Executable Malware

Slide 19 -

appending malware Targeted Executable Malware Infected host Executable Malware

Slide 20 -

Cavity malware Targeted Executable Infected host Executable Malware Malware

Slide 21 -

Multi-Cavity malware Targeted Executable Malware Malware Malware Malware

Slide 22 -

Packers Malware Infected host Executable Packer Payload

Slide 23 -

Packer functionalities Compress Encrypt Randomize (polymorphism) Anti-debug technique (int / fake jmp) Add-junk Anti-VM Virtualization

Slide 24 -

Auto start Folder auto-start : C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup Win.ini : run=[backdoor]" or "load=[backdoor]". System.ini : shell=”myexplorer.exe” Wininit Config.sys

Slide 25 -

Auto start cont. Assign know extension (.doc) to the malware Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows \CurrentVersion\Run Add a task in the task scheduler Run as service

Slide 26 -

Unix autostart Init.d /etc/rc.local .login .xsession crontab crontab -e /etc/crontab

Slide 27 -

Macro virus Use the builtin script engine Example of call back used (word) AutoExec() AutoClose() AutoOpen() AutoNew()

Slide 28 -

Document based malware MS Office Open Office Acrobat

Slide 29 -

Userland root kit Perform login sshd passwd Hide activity ps netstat ls find du

Slide 30 -

Subverting the Kernel Kernel task Process management File access Memory management Network management What to hide Process Files Network traffic

Slide 31 -

Kernel rootkit PS KERNEL Hardware : HD, keyboard, mouse, NIC, GPU P1 P2 P3 P3 rootkit

Slide 32 -

Subverting techniques Kernel patch Loadable Kernel Module Kernel memory patching (/dev/kmem)

Slide 33 -

Windows Kernel P1 P2 Pn Csrss.exe Win32 subsystem DLLs User32.dll, Gdi32.dll and Kernel32.dll Other Subsytems (OS/2 Posix) Ntdll.dll ntoskrnl.exe Hardware Abstraction Layer (HAL.dll) Hardware Underlying kernel Executive

Slide 34 -

Kernel Device driver P2 Win32 subsystem DLLs Ntdll.dll ntoskrnl.exe Interrupt Hook System service dispatcher System service dispatch table Driver Overwriting functions Driver Replacing Functions New pointer A C B

Slide 35 -

MBR/Bootkit Bootkits can be used to avoid all protections of an OS, because OS consider that the system was in trusted stated at the moment the OS boot loader took control.

Slide 36 -

BIOS MBR VBS NT Boot Sector BOOTMGR.EXE WINLOAD.EXE Windows 7 kernel HAL.DLL

Slide 37 -

Vboot Work on every Windows (vista,7) 3ko Bypass checks by letting them run and then do inflight patching Communicate via ping

Slide 38 -

Hypervisor rootkit Target OS Hardware App App

Slide 39 -

Hypervisor rootkit Target OS Hardware App App Virtual machine monitor Host OS Rogue app

Slide 40 -

Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms

Slide 41 -

Shared folder

Slide 42 -

Email propagation from pandalab blog

Slide 43 -

Valentine day ... Waledac malicious domain from pandalab blog

Slide 44 -

Email again Symantec 2009

Slide 45 -

Fake codec

Slide 46 -

Fake antivirus from pandalab blog

Slide 47 -

Hijack you browser from pandalab blog

Slide 48 -

Fake page ! from pandalab blog

Slide 49 -

P2P Files Popular query 35.5% are malwares (Kalafut 2006)

Slide 50 -

Basic InfectedHost Attacker TCP

Slide 51 -

Reverse InfectedHost Attacker TCP

Slide 52 -

covert InfectedHost Attacker ICMP

Slide 53 -

Rendez vous backdoor InfectedHost Attacker RDV Point

Slide 54 -

Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms

Slide 55 -

Adware

Slide 56 -

BackOrifice Defcon 1998 new version in 2000

Slide 57 -

Netbus 1998 Used for “prank”

Slide 58 -

Symantec pcAnywhere

Slide 59 -

Browser Toolbar ...

Slide 60 -

Toolbar again

Slide 61 -

Ransomware Trj/SMSlock.A Russian ransomware April 2009 To unlock you need to send an SMS with the text4121800286to the number3649Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage from pandalab blog

Slide 62 -

Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms

Slide 63 -

Anti-virus Analyze system behavior Analyze binary to decide if it a virus Type : Scanner Real time monitor

Slide 64 -

Impossibility result It is not possible to build a perfect virus/malware detector (Cohen)

Slide 65 -

Impossibility result Diagonal argument P is a perfect detection program V is a virus V can call P if P(V) = true -> halt if P(V) = false -> spread

Slide 66 -

Virus signature Find a string that can identify the virus Fingerprint like

Slide 67 -

Heuristics Analyze program behavior Network access File open Attempt to delete file Attempt to modify the boot sector

Slide 68 -

Checksum Compute a checksum for Good binary Configuration file Detect change by comparing checksum At some point there will more malware than “goodware” ...

Slide 69 -

Sandbox analysis Running the executable in a VM Observe it File activity Network Memory

Slide 70 -

Dealing with Packer Launch the exe Wait until it is unpack Dump the memory

Slide 71 -

Outline What malware are How do they infect hosts How do they propagate Zoo visit ! How to detect them Worms

Slide 72 -

72 Worm A worm is self-replicating software designed to spread through the network Typically, exploit security flaws in widely used services Can cause enormous damage Launch DDOS attacks, install bot networks Access sensitive information Cause confusion by corrupting the sensitive information Worm vs Virus vs Trojan horse A virus is code embedded in a file or program Viruses and Trojan horses rely on human intervention Worms are self-contained and may spread autonomously

Slide 73 -

73 Cost of worm attacks Morris worm, 1988 Infected approximately 6,000 machines 10% of computers connected to the Internet cost ~ $10 million in downtime and cleanup Code Red worm, July 16 2001 Direct descendant of Morris’ worm Infected more than 500,000 servers Programmed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion Statistics: Computer Economics Inc., Carlsbad, California

Slide 74 -

74 Internet Worm (First major attack) Released November 1988 Program spread through Digital, Sun workstations Exploited Unix security vulnerabilities VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code Consequences No immediate damage from program itself Replication and threat of damage Load on network, systems used in attack Many systems shut down to prevent further attack

Slide 75 -

75 Some historical worms of note Kienzle and Elder

Slide 76 -

76 Increasing propagation speed Code Red, July 2001 Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0. Windows 2000 that run IIS 4.0 and 5.0 Web servers Exploits known buffer overflow in Idq.dll Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003 Affects in Microsoft SQL 2000 Exploits known buffer overflow vulnerability Server Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39 Vulnerable population infected in less than 10 minutes

Slide 77 -

77 Code Red Initial version released July 13, 2001 Sends its code as an HTTP request HTTP request exploits buffer overflow Malicious code is not stored in a file Placed in memory and then run When executed, Worm checks for the file C:\Notworm If file exists, the worm thread goes into infinite sleep state Creates new threads If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses

Slide 78 -

78 Code Red of July 13 and July 19 Initial release of July 13 1st through 20th month: Spread via random scan of 32-bit IP addr space 20th through end of each month: attack. Flooding attack against 198.137.240.91 (www.whitehouse.gov) Failure to seed random number generator ⇒ linear growth Revision released July 19, 2001. White House responds to threat of flooding attack by changing the address of www.whitehouse.gov Causes Code Red to die for date ≥ 20th of the month. But: this time random number generator correctly seeded Slides: Vern Paxson

Slide 79 -

79 Infection rate

Slide 80 -

80 Measuring activity: network telescope Monitor cross-section of Internet address space, measure traffic “Backscatter” from DOS floods Attackers probing blindly Random scanning from worms LBNL’s cross-section: 1/32,768 of Internet UCSD, UWisc’s cross-section: 1/256.

Slide 81 -

81 Spread of Code Red Network telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT) Course of infection fits classic logistic. Note: larger the vulnerable population, faster the worm spreads. That night (⇒ 20th), worm dies … … except for hosts with inaccurate clocks! It just takes one of these to restart the worm on August 1st … Slides: Vern Paxson

Slide 82 -

82 Slides: Vern Paxson

Slide 83 -

83 Code Red 2 Released August 4, 2001. Comment in code: “Code Red 2.” But in fact completely different code base. Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows 2000. Localized scanning: prefers nearby addresses. Kills Code Red 1. Safety valve: programmed to die Oct 1, 2001. Slides: Vern Paxson

Slide 84 -

84 Striving for Greater Virulence: Nimda Released September 18, 2001. Multi-mode spreading: attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem! Leaped across firewalls. Slides: Vern Paxson

Slide 85 -

85 Code Red 2 kills off Code Red 1 Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed CR 1 returns thanks to bad clocks Slides: Vern Paxson

Slide 86 -

86 How do worms propagate? Scanning worms : Worm chooses “random” address Coordinated scanning : Different worm instances scan different addresses Flash worms Assemble tree of vulnerable hosts in advance, propagate along tree Not observed in the wild, yet Potential for 106 hosts in < 2 sec ! [Staniford] Meta-server worm :Ask server for hosts to infect (e.g., Google for “powered by phpbb”) Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) Contagion worm : Propagate parasitically along with normally initiated communication

Slide 87 -

slammer 01/25/2003 Vulnerability disclosed : 25 june 2002 Better scanning algorithm UDP Single packet : 380bytes

Slide 88 -

Slammer propagation

Slide 89 -

Number of scan/sec

Slide 90 -

Packet loss

Slide 91 -

A server view

Slide 92 -

Consequences ATM systems not available Phone network overloaded (no 911!) 5 DNS root down Planes delayed

Slide 93 -

93 Worm Detection and Defense Detect via honeyfarms: collections of “honeypots” fed by a network telescope. Any outbound connection from honeyfarm = worm. (at least, that’s the theory) Distill signature from inbound/outbound traffic. If telescope covers N addresses, expect detection when worm has infected 1/N of population. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts 5 minutes to several weeks to write a signature Several hours or more for testing

Slide 94 -

94 Signature inference Challenge need to automatically learn a content “signature” for each new worm – potentially in less than a second! Some proposed solutions Singh et al, Automated Worm Fingerprinting, OSDI ’04 Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec ‘04

Slide 95 -

95 Signature inference Monitor network and look for strings common to traffic with worm-like behavior Signatures can then be used for content filtering Slide: S Savage

Slide 96 -

96 Content sifting Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...) Two consequences Content Prevalence: W will be more common in traffic than other bitstrings of the same length Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic Slide: S Savage

Slide 97 -

97 Observation: High-prevalence strings are rare (Stefan Savage, UCSD *) Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute

Slide 98 -

98 Challenges Computation To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps… Dominated by memory references; state expensive Content sifting requires looking at every byte in a packet State On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM (Stefan Savage, UCSD *)