Page 1

CSE543 - Introduction to Computer and Network Security
(trj1/cse543-s15/slides/cse543-internet-malware.p…)

CSE543 Computer and Network Security

Module: Internet Malware

Professor Trent Jaeger

Page 2

Viruses
• Is an attack that modifies programs on your host
• Approach
  1. Download a program …
  2. Run the program …
  3. Searches for binaries and other code (firmware, boot sector) that it can modify …
  4. Modifies these programs by adding code that the program will run
• What can an adversary do with this ability?

Pages 3-4

Viruses
• How does it work?
  ‣ Modify the executable file format
• What types of modifications?
  ‣ Overwrite the beginning
  ‣ Add code anywhere and change the “address of entry point”
    • Add a new section header
    • Patch into a section
  ‣ Add a jump instruction to the exploit
• All of these were well known by the 1990s
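The entry-point tricks listed above leave traces in the file header itself, so the check a practitioner wants is a header audit. The block below is an added example written for this page, not code from the lecture: it builds two constructed ELF64 images (structurally valid headers, not runnable binaries), parses the program headers, and flags what an infector typically leaves behind: an entry point outside any loadable segment, an entry point in a non-executable segment, a segment that is both writable and executable, or an entry point that sits in an executable segment other than the first one (the "new section + new entry point" pattern). The finding codes and the "later segment" heuristic are this example's own; the "overwrite the beginning" case does not move the entry point and needs content hashing rather than header checks.

```python
import struct

# ELF64 layout constants (System V ABI); only what the audit needs.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # p_type .. p_align, 56 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def build_elf(entry, segments):
    """Constructed test image: an ELF64 header, one PT_LOAD program header per
    (flags, file_offset, vaddr, size) tuple, and zero padding out to the last
    segment. It is not a runnable binary, just enough structure for the audit."""
    phoff, phnum = 64, len(segments)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LE, v1
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 62, 1, entry, phoff, 0, 0,
                       64, 56, phnum, 64, 0, 0)              # ET_EXEC, EM_X86_64
    phdrs = b"".join(
        struct.pack(PHDR_FMT, PT_LOAD, flags, off, vaddr, vaddr, size, size, 0x1000)
        for flags, off, vaddr, size in segments)
    image = ehdr + phdrs
    end = max(off + size for _, off, _, size in segments)
    return image + bytes(max(0, end - len(image)))


def parse_elf(data):
    """Return (entry, [segment dicts]) for the PT_LOAD entries of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    entry, phoff, phentsize, phnum = fields[4], fields[5], fields[9], fields[10]
    segments = []
    for i in range(phnum):
        p = struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        if p[0] == PT_LOAD:
            segments.append({"flags": p[1], "offset": p[2], "vaddr": p[3],
                             "filesz": p[5], "memsz": p[6]})
    return entry, segments


def audit_elf(data):
    """Flag the header changes a file infector leaves behind. Returns a set of
    finding codes; an empty set means the entry point looks ordinary."""
    entry, segments = parse_elf(data)
    findings = set()
    home = None
    for seg in segments:
        if seg["flags"] & PF_W and seg["flags"] & PF_X:
            findings.add("RWX_SEGMENT")          # code that can rewrite itself
        if seg["vaddr"] <= entry < seg["vaddr"] + seg["memsz"]:
            home = seg
    if home is None:
        findings.add("ENTRY_UNMAPPED")           # e_entry points at nothing loadable
        return findings
    if not home["flags"] & PF_X:
        findings.add("ENTRY_NOT_EXEC")           # entry lands in a data segment
    exec_segs = sorted((s for s in segments if s["flags"] & PF_X),
                       key=lambda s: s["vaddr"])
    if exec_segs and home is not exec_segs[0]:
        findings.add("ENTRY_IN_LATER_SEGMENT")   # entry moved into appended code
    return findings


# Constructed samples: a clean layout, and one with an appended RWX segment
# that now owns the entry point (new program header + redirected e_entry).
CLEAN = build_elf(0x400078, [(PF_R | PF_X, 0, 0x400000, 0x200)])
INFECTED = build_elf(0x600000, [(PF_R | PF_X, 0, 0x400000, 0x200),
                                (PF_R | PF_W | PF_X, 0x200, 0x600000, 0x100)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, sorted(audit_elf(img)) or "no findings")
```

The same checks run over a real tree with `readelf -l` output or an ELF parsing library; expect noise from packers and JIT runtimes, which legitimately ship RWX segments, so the findings are triage signals rather than verdicts.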

Page 5

Worms
• A worm is a self-propagating program.
• As relevant to this discussion:
  1. Exploits some vulnerability on a target host …
  2. (often) embeds itself into a host …
  3. Searches for other vulnerable hosts …
  4. Goto (1)
• Q: Why do we care?

Page 6

The Danger
• What makes worms so dangerous is that infection grows at an exponential rate
  ‣ A simple model:
    • s (search) is the time it takes to find a vulnerable host
    • i (infect) is the time it takes to infect a host
  ‣ Assume that t=0 is the worm outbreak; the number of hosts infected at t=j is 2^(j/(s+i))
  ‣ For example, if s+i = 1, what is it at time t=32?

Page 7

The result

[Figure: plot of 2^(t/(s+i)) for s+i = 1 over t = 0..32; y-axis from 0 to 5,000,000,000 hosts. At t=32 the model gives 2^32 ≈ 4.3 billion, the size of the entire IPv4 address space.]

Page 8

The Morris Worm
• Robert Morris, a 23-year-old doctoral student from Cornell
  ‣ Wrote a small (99 line) program
  ‣ November 2nd, 1988
  ‣ Effectively disabled the Internet
• How it did it
  ‣ Reads /etc/passwd, then tries the obvious choices and a dictionary, /usr/dict/words
  ‣ Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related
    • Tries cracked passwords at related hosts (if necessary)
    • Uses whatever services are available to compromise other hosts
  ‣ Scanned local interfaces for network information
  ‣ Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)
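As an added example for this page (not the worm's own code, which is not reproduced here), the block below implements the two host-local steps the slide lists: password guessing from the account record followed by a word list, and the "related hosts" list drawn from hosts.equiv/.rhosts style files. The order of the "obvious choices" is an assumption of this example; the passwd entries, word list and trust files are constructed; SHA-256 stands in for the crypt(3) hashes a 1988 /etc/passwd held, so the guessing loop runs anywhere.

```python
import hashlib


def obvious_candidates(user, gecos):
    """Stage one of the guessing: passwords derived from the account record
    itself. The order (empty, login, login doubled, first name, last name,
    last name reversed) is an assumption for this example, all lower-cased."""
    full_name = gecos.split(",")[0].strip()      # GECOS: "Full Name,office,phone,..."
    names = full_name.split()
    cands = ["", user, user + user]
    if names:
        cands += [names[0], names[-1], names[-1][::-1]]
    out, seen = [], set()
    for cand in cands:
        key = cand.lower()
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def guess_passwords(passwd_entries, wordlist, hash_fn):
    """Try the obvious choices, then a dictionary, against each passwd line.
    Returns {user: recovered_password} for every account that fell."""
    found = {}
    for entry in passwd_entries:
        user, stored, _uid, _gid, gecos, _home, _shell = entry.split(":")
        for cand in obvious_candidates(user, gecos) + list(wordlist):
            if hash_fn(cand) == stored:
                found[user] = cand
                break
    return found


def trusted_hosts(*files):
    """Signpost targets: hostnames named in hosts.equiv / .rhosts style files
    ("host [user]" per line, '#' comments; '+' and '-' entries are skipped)."""
    hosts = set()
    for text in files:
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line or line[0] in "+-":
                continue
            hosts.add(line.split()[0].lower())
    return hosts


def fake_hash(password):
    """Stand-in for crypt(3) so the example runs anywhere; a real 1988
    /etc/passwd held DES-crypt hashes, not SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data: four accounts, a three-word "dictionary", two trust files.
PASSWD = [
    f"alice:{fake_hash('alice')}:1001:100:Alice Liddell,,,:/home/alice:/bin/sh",
    f"bob:{fake_hash('htims')}:1002:100:Bob Smith,,,:/home/bob:/bin/csh",
    f"carol:{fake_hash('aardvark')}:1003:100:Carol Jones:/home/carol:/bin/sh",
    f"dave:{fake_hash('Tr0ub4dor&3')}:1004:100:Dave Brown:/home/dave:/bin/sh",
]
WORDLIST = ["aardvark", "password", "wizard"]
HOSTS_EQUIV = "cs-gw.example.edu\nmath.example.edu   # lab machines\n+\n"
RHOSTS = "prep.ai.example.edu rms\nCS-GW.example.edu\n-untrusted.example.edu\n"

if __name__ == "__main__":
    print(guess_passwords(PASSWD, WORDLIST, fake_hash))
    print(sorted(trusted_hosts(HOSTS_EQUIV, RHOSTS)))
```

Three of the four constructed accounts fall without any network traffic at all: the login name, the reversed surname, and a dictionary word. Stage one only works because every user could read the hashes; a shadow password file removes that precondition, and the same loop run by an administrator with a real crypt and a large dictionary is what password auditing tools do.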

Page 9

Code Red
• Exploited a Microsoft IIS web-server vulnerability
  ‣ A vanilla buffer overflow (allows adversary to run code)
  ‣ Scans for vulnerabilities over random IP addresses
  ‣ Sometimes would deface the served website
• July 16th, 2001 - outbreak
  ‣ CRv1 - contained bad randomness (static seed, so every instance searched the same IPs)
  ‣ CRv2 - fixed the randomness,
    • added a DDoS of www.whitehouse.gov
    • Turned itself off and on (propagates on the 1st to 19th of the month, attacks the 20th to 27th, dormant the 28th to 31st)
  ‣ August 4 - Code Red II
    • Different code base, same exploit
    • Added local scanning (biased randomness to local IPs)
    • Killed itself in October of 2001

Page 10

Worms and infection
• The effectiveness of a worm is determined by how good it is at identifying vulnerable machines
  ‣ Morris used local information at the host
  ‣ Code Red used what?
• Multi-vector worms use lots of ways to infect
  ‣ E.g., network, DNS partitions, email, drive-by downloads …
  ‣ Another worm, Nimda, did this
• Lots of scanning strategies
  ‣ Signpost scanning (using local information, e.g., Morris)
  ‣ Random IP - good, but wastes a lot of time scanning “dark” or unreachable addresses (e.g., Code Red)
  ‣ Local scanning - biased randomness
  ‣ Permutation scanning - each instance is given part of the IP space

Page 11

Other scanning strategies
• The doomsday worm: a flash worm
  ‣ Create a hit list of all vulnerable hosts
    • Staniford et al. argue this is feasible
    • Would contain a 48MB list
  ‣ Do the infect-and-split approach
  ‣ Use a zero-day vulnerability
• Result: saturate the Internet in less than 30 seconds!

[Figure: the exponential-growth plot from page 7, repeated; y-axis from 0 to 5,000,000,000 hosts]
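The growth model on page 6 and the scanning strategies on pages 10 and 11 can be put side by side in a small simulation. The block below is an added example for this page, not code from the lecture or from Staniford et al.: hosts_infected implements the 2^(t/(s+i)) model; random_scan_ticks runs Code Red style random-IP scanning over a constructed 2^16-address space holding 1000 vulnerable hosts (the space size, the vulnerable count, the 10 probes per tick and the RNG seed are arbitrary choices for this example); flash_worm_ticks runs the infect-and-split hit-list strategy. The random scanner burns hundreds of thousands of probes on addresses that are not vulnerable before it saturates, while the flash worm needs only ceil(log2(1000)) = 10 rounds, one per doubling.

```python
import random


def hosts_infected(t, s, i):
    """The slide's simple model: each infected host finds and infects one new host
    every s+i time units, so the count doubles every s+i units: 2^(t/(s+i))."""
    return 2 ** (t / (s + i))


def random_scan_ticks(space_bits, vulnerable, scans_per_tick, seed=1, max_ticks=100_000):
    """Random-IP scanning (the Code Red strategy) over a constructed address space
    of 2**space_bits addresses that holds `vulnerable` vulnerable hosts. Each tick,
    every infected host probes `scans_per_tick` uniformly random addresses; a probe
    that lands on an uninfected vulnerable host infects it. Most probes hit dark or
    invulnerable addresses, which is the waste the slides describe.
    Returns (ticks, hosts_infected, probes_sent)."""
    rng = random.Random(seed)
    size = 1 << space_bits
    vulnerable_set = set(rng.sample(range(size), vulnerable))
    infected = {min(vulnerable_set)}          # patient zero
    ticks = probes = 0
    while len(infected) < vulnerable and ticks < max_ticks:
        ticks += 1
        for _ in range(len(infected) * scans_per_tick):
            probes += 1
            target = rng.randrange(size)
            if target in vulnerable_set:
                infected.add(target)
    return ticks, len(infected), probes


def flash_worm_ticks(hit_list):
    """Flash worm (Staniford et al.): patient zero starts with the complete hit
    list of vulnerable hosts; each tick every infected host that still has targets
    infects one and hands that victim half of the remainder (infect and split).
    No probe is ever wasted. Returns (ticks, hosts_infected)."""
    workers = [list(hit_list)]
    infected, ticks = 1, 0
    while any(workers):
        ticks += 1
        next_workers = []
        for todo in workers:
            if not todo:
                continue
            rest = todo[1:]                    # todo[0] is infected this tick
            half = len(rest) // 2
            next_workers.append(rest[half:])   # parent keeps one half of the list
            next_workers.append(rest[:half])   # the new victim takes the other
            infected += 1
        workers = next_workers
    return ticks, infected


def compare(space_bits=16, vulnerable=1000, scans_per_tick=10, seed=1):
    """Time to saturate the same vulnerable population under both strategies."""
    r_ticks, r_hosts, probes = random_scan_ticks(space_bits, vulnerable, scans_per_tick, seed)
    f_ticks, f_hosts = flash_worm_ticks(range(1, vulnerable))   # list excludes patient zero
    return {"random": (r_ticks, r_hosts, probes), "flash": (f_ticks, f_hosts)}


if __name__ == "__main__":
    print("simple model, s+i = 1, t = 32:", int(hosts_infected(32, 1, 0)))
    res = compare()
    print("random scanning: %d ticks, %d hosts, %d probes" % res["random"])
    print("flash worm:      %d ticks, %d hosts" % res["flash"])
```

The simple model has no ceiling, which is why it reaches 2^32 at t=32; the simulation makes the ceiling explicit by giving the worm a finite vulnerable population, and the gap between the two tick counts is what a hit list buys the attacker.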

Page 12

Worms: Defense Strategies
• (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
• Heterogeneity: use more than one vendor for your networks
• Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analogous to virus scanning)
• Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
  ‣ This is the dominant method, getting sophisticated (Arbor Networks)

[Figure: Shield sits between the network interface and the operating system, filtering incoming network traffic]
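Shield's idea is a filter keyed to the vulnerability rather than to one exploit, and the bug Code Red used shows the difference. The block below is an added example for this page, not Shield's code or any Microsoft code: it parses the HTTP request line and, for targets ending in .ida or .idq (the IIS Index Server ISAPI extension Code Red overflowed), drops any request whose query string exceeds a bound. The 200-byte bound, the policy table, the sample requests and the payload signature are all constructed for illustration; the contrast function shows why a signature for one payload misses a trivially altered exploit while the vulnerability filter still catches it.

```python
import re
from urllib.parse import urlsplit

# Constructed, exploit-generic policy: (description, path predicate, max query length).
# The .ida/.idq rule mirrors the IIS Index Server overflow Code Red used; the
# 200-byte bound is an illustrative threshold, not the real vulnerable buffer size.
VULN_POLICIES = [
    ("IIS Index Server ISAPI (.ida/.idq) query overflow",
     lambda path: path.lower().endswith((".ida", ".idq")), 200),
]

# How an exploit-specific signature looks: it keys on one payload's filler bytes.
EXPLOIT_SIGNATURE = re.compile(rb"/default\.ida\?N{20,}")


def parse_request_line(raw):
    """Return (method, path, query) from the first line of an HTTP request, or None."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    target = urlsplit(parts[1].decode("latin-1"))
    return parts[0].decode("latin-1"), target.path, target.query


def shield_filter(raw):
    """Vulnerability-specific, exploit-generic check: parse the field the bug lives
    in and enforce the bound the vulnerable code failed to enforce."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return ("drop", "malformed request line")
    _, path, query = parsed
    for name, applies, limit in VULN_POLICIES:
        if applies(path) and len(query) > limit:
            return ("drop", name)
    return ("allow", None)


def signature_filter(raw):
    """Exploit-specific check for contrast: matches one known payload only."""
    if EXPLOIT_SIGNATURE.search(raw):
        return ("drop", "Code Red payload signature")
    return ("allow", None)


# Constructed sample requests (not real captures).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
CODE_RED_LIKE = b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n\r\n"
VARIANT = b"GET /default.ida?" + b"X" * 224 + b"%u9090%u6858 HTTP/1.0\r\n\r\n"
SHORT_IDA = b"GET /default.ida?q=1 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("code-red-like", CODE_RED_LIKE),
                      ("variant", VARIANT), ("short .ida", SHORT_IDA)):
        print(f"{name:14} shield={shield_filter(req)[0]:5}  signature={signature_filter(req)[0]}")
```

The policy entry is the thing a vendor can ship the day a vulnerability is announced, before the patch is tested and deployed, which is the window Shield targets; it still has to be removed once the host is patched, and a policy that guesses the bound too low breaks legitimate clients.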

Page 13

Modern Malware
• Now malware has a whole other level of sophistication
• Now we speak of …
  • Advanced Persistent Malware

Page 14

Advanced
• More like a software engineering approach
  • Growing demand for “reliable” malware
  • Want malware to feed into existing criminal enterprise
  • Online - criminals use online banking too
• Malware ecosystem
  • Measuring Pay-per-Install: The Commoditization of Malware Distribution, USENIX 2011
  • Tool kits
  • Sharing of exploit materials
  • Combine multiple attack methodologies
• Not hard to find DIY kits for malware

Page 15

Malware Lifecycle

Page 16

Persistent
• Malware writers are focused on a specific task
  • Criminals willing to wait for gratification
  • Cyberwarfare
• Low-and-slow
  • Can exfiltrate secrets at a slow rate, especially if you don't need them right away
  • Plus can often evade or disable defenses

Page 17

Threat
• Coordinated effort to complete objective
  • Not just for kicks anymore
• Well-funded
  • There is money to be made
  • … At least that is the perception

Page 18

Threat
• PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX 2012

(The following page of the paper is reproduced on the slide.)

                        GlavMed                     SpamIt                      RX-Promotion
Product                 Orders       Revenue        Orders       Revenue        Orders       Revenue
ED and Related          580K (73%)   $55M (75%)     670K (79%)   $70M (82%)     58K (72%)    $5.3M (51%)
  Viagra                300K (38%)   $28M (38%)     290K (34%)   $31M (36%)     33K (41%)    $2.7M (27%)
  Cialis                180K (23%)   $19M (26%)     190K (22%)   $23M (27%)     18K (22%)    $1.9M (19%)
  Combo Packs           49K (6.1%)   $3.9M (5.4%)   110K (14%)   $8.4M (9.8%)   5100 (6.4%)  $350K (3.4%)
  Levitra               32K (4.1%)   $3.2M (4.4%)   35K (4.2%)   $3.9M (4.5%)   1200 (1.5%)  $150K (1.5%)
Abuse Potential         48K (6.1%)   $4.5M (6.1%)   64K (7.6%)   $6.2M (7.3%)   11K (14%)    $3.3M (32%)
  Painkillers           29K (3.7%)   $2.4M (3.3%)   53K (6.3%)   $4.7M (5.5%)   10K (13%)    $3.0M (29%)
    Opiates             —            —              —            —              8000 (10%)   $2.7M (26%)
  Soma/Ultram/Tramadol  20K (2.5%)   $1.8M (2.4%)   46K (5.5%)   $4.1M (4.8%)   1000 (1.3%)  $150K (1.5%)
Chronic Conditions      120K (15%)   $9.5M (13%)    64K (7.6%)   $5.2M (6.1%)   8500 (11%)   $1.3M (13%)
  Mental Health         23K (2.9%)   $2.1M (2.9%)   16K (1.9%)   $1.4M (1.7%)   6000 (7.4%)  $1.1M (11%)
  Antibiotics           25K (3.2%)   $2.1M (2.9%)   16K (1.9%)   $1.4M (1.6%)   1300 (1.6%)  $97K (0.9%)
  Heart and Related     12K (1.5%)   $770K (1.1%)   9700 (1.2%)  $630K (0.7%)   390 (0.5%)   $35K (0.3%)
Uncategorized           48K (6.0%)   $4.0M (5.5%)   47K (5.6%)   $3.9M (4.6%)   2400 (3.0%)  $430K (4.2%)

Table 2: Product popularity in each of the three programs. Product groupings and categories (in italics in the original, unindented here) contain the individual brands listed beneath them (indented here). Opiates are a further subcategory of Painkillers, and include Oxycodone, Hydrocodone, Vicodin, and Percocet.

RX-Promotion, they account for nearly a third of program revenue, with the Schedule-II opiates—only available at RX-Promotion—accounting for a quarter of revenue. Indeed, during the period when RX-Promotion had working credit card processing for controlled meds, sales of Schedule II, III and IV drugs produced 48% of all revenue! The fact that such drugs are over-represented in repeat orders as well (roughly 50% more prevalent in both RX-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand.

5.1.4 Demographics

Although ED drugs account for the majority of business for affiliate programs, focusing on the remaining products reveals remarkably pronounced age and sex trends among customers.

Focusing on customers reporting age and sex information, Figure 5 shows the percentage of all items ordered as a function of age, sex, and detailed product category for GlavMed and SpamIt (excluding ED products, as they would overwhelm the graph). The left half of each graph shows results for women, and the right half shows results for men. The y-axis is the self-reported age of customers, and the x-axis is the percent of all items these customers ordered. For each age the graphs show stacked horizontal bars, with segments for the top ten non-ED product categories.

Both age and sex purchasing patterns emerge from this visualization. For example, male GlavMed customers in Figure 5(a) purchase male pattern baldness products (peaking between ages 20–30) and male enhancement products (peak 45–50), while women predominantly purchase obesity (peak 40–45) and reproductive health products (peak 25–30).[12] Mental health and pain/inflammation products are roughly equally popular for men and women, with an older age bias for men.

In contrast to GlavMed, just a few categories predominate for SpamIt in Figure 5(b): pain/inflammation, infection, and mental health for both men and women, male enhancement for men. Other categories more popular in GlavMed, such as acne and male pattern baldness, are smaller. One explanation is that the differences in product popularity correlate with the vector used to advertise the different affiliate programs. Since GlavMed is more likely to be involved in search engine optimization (SEO) oriented advertising, they have an opportunity to target narrower markets (e.g., by manipulating search results for keywords correlated with specific product categories). By contrast, spam is an indiscriminate advertising medium and customers clicking on spam-advertised links are predominantly taken to storefronts advertising ED products. Thus, for these customers to buy other products would require additional initiative to search within the site.

5.1.5 Geography

While both affiliate programs are located in Russia, most of their customers are not. Based on customer shipping addresses, we can determine that, across GlavMed and SpamIt programs, customers from the United States dominate at 75% of orders, with Canada, Australia, and populous countries in Western Europe following in single digits. Emphatically, Western money fuels these af-

[12] Interestingly, male customers also purchase the estrogen drug Clomid, which we have come to understand may be explained by body builders who commonly abuse the drug to counter some of the side-effects of steroids.

Page 19

Example: Sirefef
• Windows malware - Trojan to install rootkit
• Technical details (see Microsoft)
  • And http://antivirus.about.com/od/virusdescriptions/a/What-Is-Sirefef-Malware.htm
• Attack: “Sirefef gives attackers full access to your system”
  • Runs as a Trojan software update (GoogleUpdate)
  • Runs on each boot by setting a Windows registry entry
  • Some versions replace device drivers
  • Downloads code to run a P2P communication
  • Steals software keys and cracks passwords for software piracy
  • Downloads other files to propagate the attack to other computers

Page 20

Example: Sirefef
• Windows malware - Trojan to install rootkit
• Technical details (see Microsoft)
  • http://antivirus.about.com/od/virusdescriptions/a/What-Is-Sirefef-Malware.htm
• Stealth: “while using stealth techniques in order to hide its presence”
  • “altering the internal processes of an operating system so that your antivirus and anti-spyware can't detect it.”
  • Disables: Windows Firewall, Windows Defender
  • Changes: browser settings
  • Joins a botnet
• Microsoft: “This list is incomplete”

Page 21

Example: Stuxnet (Symantec’s slides)

Real world example: Stuxnet Worm

Page 22

Example: Stuxnet (Symantec’s slides)

Stuxnet: Overview
• June 2010: A worm targeting Siemens WinCC industrial control systems.
• Targets high speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran)
• Only when the controllers are running at 807Hz to 1210Hz. Makes the frequency of those controllers vary from 1410Hz to 2Hz to 1064Hz.
• http://en.wikipedia.org/wiki/Stuxnet

Page 23

Example: Stuxnet (Symantec’s slides)

Timeline
• 2009 June: Earliest Stuxnet seen
  – Does not have signed drivers
• 2010 Jan: Stuxnet driver signed
  – With a valid certificate belonging to Realtek Semiconductors
• 2010 June: VirusBlokAda reports W32.Stuxnet
  – Verisign revokes Realtek certificate
• 2010 July: Anti-virus vendor Eset identifies new Stuxnet driver
  – With a valid certificate belonging to JMicron Technology Corp
• 2010 July: Siemens report they are investigating malware on SCADA systems
  – Verisign revokes JMicron certificate

Page 24

Example: Stuxnet (Symantec’s slides)

Possible Attack Scenario (Conjecture)
• Reconnaissance
  – Each PLC is configured in a unique manner
  – Targeted ICS's schematics needed
  – Design docs stolen by an insider?
  – Retrieved by an early version of Stuxnet
  – Stuxnet developed with the goal of sabotaging a specific set of ICS.
• Development
  – Mirrored development environment needed
    • ICS hardware
    • PLC modules
    • PLC development software
  – Estimation
    • 6+ man-years by an experienced and well funded development team

Page 25

Example: Stuxnet (Symantec’s slides)

Attack Scenario (2)
• The malicious binaries need to be signed to avoid suspicion
  – Two digital certificates were compromised.
  – High probability that the digital certificates/keys were stolen from the companies' premises.
  – Realtek and JMicron are in close proximity.
• Initial Infection
  – Stuxnet needed to be introduced to the targeted environment
    • Insider
    • Third party, such as a contractor
  – Delivery method
    • USB drive
    • Windows maintenance laptop
    • Targeted email attack

Page 26

Example: Stuxnet (Symantec’s slides)

Attack Scenario (3)
• Infection Spread
  – Look for Windows computers that program the PLCs
    • The Field PGs are typically not networked
    • Spread the infection on computers on the local LAN
      – Zero-day vulnerabilities
      – Two-year-old vulnerability
      – Spread to all available USB drives
  – When a USB drive is connected to the Field PG, the infection jumps to the Field PG
    • The “airgap” is thus breached

Page 27

Example: Stuxnet (Symantec’s slides)

Attack Scenario (4)
• Target Infection
  – Look for specific PLC
    • Running Step 7 operating system
  – Change PLC code
    • Sabotage system
    • Hide modifications
  – Command and control may not be possible
    • Due to the “airgap”
    • Functionality already embedded

Page 28

Take Away
• Malware is now very functional and effective
  • Tools for building and hiding malware from detection
  • Malware can be difficult to notice, much less detect and remove
  • Malware leverages multiple exploits to escalate privileges and disable defenses
  • What exploits did Stuxnet use?
• So what can we do as defenders?