
Malware: Viruses - USALearning_v401/course/... · Malware: Viruses. Table of Contents ... programming (scripts, active content, or other software) ... So we have a trigger . mechanism


Malware: Viruses

Table of Contents

Notices ............................................................................................................................................ 2

Malware .......................................................................................................................................... 3

Malware .......................................................................................................................................... 4

Types of Malicious Code ................................................................................................................. 6

Viruses ............................................................................................................................................. 7

Example Viruses .............................................................................................................................. 9

Typical Virus Routine .................................................................................................................... 11

Lifecycle of a Virus ........................................................................................................................ 12

Symptoms of a Virus ..................................................................................................................... 13

Virus Characteristics ..................................................................................................................... 15

Virus Storage Places ...................................................................................................................... 17

Types of Viruses -1 ........................................................................................................................ 18

Types of Viruses -2 ........................................................................................................................ 20

Virus Characteristics ..................................................................................................................... 21

Types of Viruses -2 ........................................................................................................................ 22

Armored Viruses ........................................................................................................................... 24

Polymorphic Malware ................................................................................................................... 25

Notices .......................................................................................................................................... 26

Page 1 of 26


Notices

2

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

**002 So we're going to look at the threats and vulnerabilities to start off with.


Malware

5

Malware

**005 Major threat: Malware. We're going to talk about all the different types of malware. I'm going to give you some examples of malware, and then I'll tell you kind of what's going on in the market today.


Malware

6

Malware

MALicious softWARE

Overarching category of malicious logic, code, or programming (scripts, active content, or other software) designed to

• Disrupt or deny system operations
• Gather information that leads to loss of privacy or exploitation
• Gain unauthorized access to system resources
• Other destructive behavior

**006 So it's malicious software. That's what malware means. It can be anything that is evil to us. This could be logic, code or programming. It could be a script. It could be a piece of software that you install that you think is good. And the whole thing with malware is your intended business purpose is this; its intended business purpose is not this. It is something that's counter to what you need to achieve. In most cases, malware is about command and control of this computer for other purposes. So at a minimum, when somebody takes control of your machine and they don't want anything on your machine, they want command and control over this machine so that they can make it go attack somebody else. So at a minimum, this is an availability attack against your resource. Now, what we want to do is we want to be good netizens. We want to be good people that are working on the internet and protect. And so for us, for malware, we want to try to eradicate it. But the best way to eradicate it is to know the different ways that it attacks your machines, look for those particular things, and then take action so that this never occurs.


Types of Malicious Code

7

Types of Malicious Code

Viruses

Armored Viruses

Polymorphic Malware

Rootkits

Trojan Horses

Botnets

Adware, Spyware, Scareware, and Ransomware

Backdoors

Logic Bombs

Mobile Code

**007 So now here's our laundry list of malware types. You should become familiar with the characteristics of each one of these and know how to protect yourself. And we're going to look at each one of these in a couple of examples.


Viruses

8

Viruses

Viruses are self-replicating programs that require user intervention to spread.

Most viruses are spread through email, removable media drives, and commonly used files like Microsoft Office or Adobe documents.

Usually have two parts
• Replication element
• Payload

**008 Let's start off with viruses. Viruses have one key characteristic in the malware, and that is that they require a user to take an action. That action could be, "Oh, let's click on this file and install it." It could be, "View this website." Now, for most environments today, we've got virus protection out there. But let's look at the virus. There are really two key concepts that you have to understand in a virus. One is the replication element, and the other is the payload. How does it get from machine to machine to machine? Sometimes it can be a click, and then it takes control of the machine and then sends out another message. Sometimes it can be reading an email and then auto-forwarding on to others out there. Sometimes it could be you forwarding this. "Hey, look at this cool joke that I got. Here, let me send it to you. It's got an embedded video in it. You should really check it out." May not be you that's checking it out. The other part is the payload. When it gets there, what does it do? The standard answer to the payload question is: replicate itself, command-and-control here. It could be: steal your information and encrypt it locally, send you a message locally. It could be: steal your information, encrypt it, and transmit it out to somebody else. But standard is command-and-control.


Example Viruses

9

Example Viruses

Michelangelo – 1992, boot sector virus; public reaction to the hype caused more damage than the virus itself

Chernobyl – 1998/9, first virus known to have the power to damage computer hardware; attempts to erase the hard drive and overwrite the system's BIOS

Melissa – 1999, distributed as an e-mail attachment that disables safeguards in Word 97 or Word 2000; sent itself to addresses in the Microsoft Outlook address book

Pikachu – 2000, first virus targeting children, with a “Pikachu is your friend” message; poorly coded, so it did not achieve its intended effect of deleting c:\windows

Simile – 2002, metamorphic virus, changes itself on installation

Here you have – 2010, sent through email with “Here you have” subject

EICAR – a test virus, used for testing virus scanning engines and inducing responses as if a live virus were detected

**009 Here's a laundry list of viruses. Now, I know what you're saying at this point. You're saying, "Dan, 1992? I was born in 1992." If you don't pay attention to how these viruses were created and the effects of these viruses and the way they did what they did, somebody will take this same concept in their mind and update it. Let's say that we can't do a boot sector virus because we don't have any boot sectors anymore. And somebody says, "Well, that won't ever happen again." Well, there's something called U3 that got infected. It was a boot sector virus on auto-booting USB drives. And that happened very recently. So boot sector viruses-- it was just a different tool that initiates the boot of that particular-- in this case it was a USB, which doesn't have a spinner platter, but it still has a section on it where the file system is read at the very beginning. Chernobyl actually could erase the hard drive and overwrite the systems Melissa, Pikachu, Simile, Here You Are-- all of these have their unique characteristics that we should study, just a little bit. Just take the time to look at them and say, "How could evildoers use this again in a different way?" Now, let's look at this last one. EICAR-- a test virus used for testing virus scanning engines and inducing responses as if a live virus were detected. This is a tool and technique to see whether-- what we do is we defang that particular virus. We submit it to the virus engine and we see whether it detects that particular virus type or that signature. So we have a trigger mechanism with no payload, is what we're looking for. Sometimes the EICARs are looking for payload activity, but that's separate from.
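The EICAR file is the "trigger mechanism with no payload" the instructor describes: a public, inert test string that scanners agree to flag. The following is an added example, not code from the SEI course, showing how a scanner-side check recognises it under the rules the EICAR specification sets (the string starts the file, only whitespace may follow, at most 128 bytes total). The directory layout and file names in `demo()` are constructed for the example.

```python
# Added example, not from the SEI slides: a minimal scanner-side check that recognises
# the EICAR test file using the rules the EICAR specification sets for it. The string
# is public test data with no payload; scanners flag it so their response can be exercised.
import pathlib
import tempfile
from typing import Dict

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Spec rules: the 68-byte string must start the file, only whitespace characters
# (space, tab, LF, CR, CTRL-Z) may follow it, and the whole file is at most 128 bytes.
ALLOWED_TRAILER = {0x20, 0x09, 0x0A, 0x0D, 0x1A}
MAX_FILE_LEN = 128


def is_eicar(data: bytes) -> bool:
    """Return True only for files that match the EICAR specification exactly.

    A substring search would be wrong here: a clean document that quotes the
    string would be flagged, and an oversized file would be flagged even though
    the spec says scanners need not detect it.
    """
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def scan_directory(root) -> Dict[str, bool]:
    """Map each regular file under root to whether it triggered the EICAR detection."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): is_eicar(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo() -> Dict[str, bool]:
    """Build a constructed directory of test files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "eicar.com").write_bytes(EICAR)                  # canonical 68-byte file
        (root / "eicar_crlf.txt").write_bytes(EICAR + b"\r\n")   # trailing whitespace is allowed
        (root / "mentions_eicar.txt").write_bytes(b"constructed clean note that mentions EICAR")
        (root / "too_long.txt").write_bytes(EICAR + b" " * 61)   # 129 bytes: outside the spec
        return scan_directory(root)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {'DETECTED' if hit else 'clean'}")
```

Running `demo()` flags the canonical file and the one with trailing CRLF, and leaves the note and the oversized file alone. The same shape (exact rule, not a loose substring match) is what keeps a real signature from producing false positives on files that merely talk about the pattern.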


Typical Virus Routine

10

Typical Virus Routine

System Contracts Virus

Virus Infects Files

User Runs Infected Files

Virus Takes Action – Actions could include propagating itself, erasing files, or stealing data.

**010 So how does a virus do what it does? Well, somebody gets an email, somebody downloads a file, somebody visits a website, somebody plugs in a USB drive. In other words, they bring it to it. So the system contracts the virus. The virus then takes itself and says, "I can get onto this system. I'm local here. I'm going to find other files that I can install myself into." It infects. Then the user runs the affected file, whether that's on purpose or by accident or instantiated in something else. Some of the viruses-- for instance, when you launch a particular application like the Help file, it will actually run the infected files. The Help file application is infected, and then is used to attack other portions of the machines. Then the virus is going to take an action, which is to deliver its payload and then replicate itself out.

Lifecycle of a Virus

11

Lifecycle of a Virus

Design – Malicious Actor Codes Virus

Replication – Virus is Copied to Systems

Launch – Virus is Executed on System

Detection – Virus is Discovered

Incorporation – Anti-Virus Signatures Created

Elimination – Systems Cleaned

**011 When we look at the lifecycle of a virus, it goes through just the same principles as any kind of software development-- design, replication, launch, detection, incorporation, and elimination. So they make the virus; they replicate the virus-- they see that it works on systems. The virus is executed on the system-- it's launched. Virus companies find out that it's actually happening. They could be listening out there and set up their own machines that they want to be infected. They discover it. They look for the routine that it has that's unique to that particular virus-- the signature of that virus. They put that signature into the database and they distribute that out to all of the different clients that are out there that subscribe to this particular antivirus software, and then it gets eliminated from the system.

Symptoms of a Virus

12

Symptoms of a Virus

Programs take longer to load or perform tasks

Seemingly random error messages

Unexplained and continued program crashes

Frequent Windows Explorer restarts

Files with random characters as a filename

Email messages being sent from your account without your consent

**012 Now, before we read the symptoms of a virus here, let's pause for a second. Today, good virus writers will have no symptoms whatsoever that an end-user can detect. If they're really good at what they do, you never see them. I think that happens more and more often these days. Okay, but what are the old, historic symptoms of a virus? Well, we've got problems with programs loading; our operating is sluggish; restarts for Windows-- the actual Windows Explorer, the file display; random characters in filenames; email smart grids being sent from your computer that you didn't send. So the symptoms of a virus could also be something else. So don't think that just because it exhibits these symptoms that it is a virus, but this is a good start.


Virus Characteristics

13

Virus Characteristics

Viruses are commonly classified by what or how they infect a system.

• System or Boot Sector – infects hard drive boot sectors
• File – infects files
• Macro – infects office documents
• Source Code – infects application code
• Network – infects via email messages

**013 There are a bunch of different types of viruses out there: system or boot sector infector files, file infection, macro and source code, and network. These characteristics are things that we look for in the antivirus engine and we look for that exhibited behavior and try to attach to it and say, "Okay, I see that you're trying to do that thing. That's inappropriate. I'll stop you." There is no reason why an email should address your boot sector, and the code that is written in that attachment for that email will have some sort of command that says, "Attack boot sector." It won't say it in plain English, but it'll say it in executable form. The database for the virus definition will search for that string and say, "This string is inappropriate from this particular type of activity from an end-user. We won't allow it to occur." The good thing about virus characteristics is it always starts with user interaction, and if that user doesn't have the ability to install software, if they don't have the ability to execute anything except for a specific list of executables, the likelihood of this virus actually taking control of the machine is relatively low. So even if I give you an executable, if you can't run that executable, guess what? You can't run that executable. If you can't download, then you can't get the executable there. If you can't visit that website, you can't get the executable there.


Virus Storage Places

14

(Slide diagram: boxes labelled EXE and Virus showing where the virus code sits relative to the host program.)

• Shell viruses wrap themselves around an existing program
• Add-on viruses add their code to the beginning of a program
• Intrusive viruses overwrite part of the program code with their own
• Direct or Transient viruses transfer all control to host code
• Terminate and Stay Resident (TSR) viruses remain in memory after execution

**014 Viruses can be executables. They can be a part of an executable. They can be a virus by itself. So viruses can store themselves in a variety of places. One of the ones that worries me that I think is going to crop up again is this last one: Terminate and Stay Resident. That means it executes in memory and then sits there and waits for conditions. This would also be associated with a logic bomb. But Terminate and Stay Resident is an old concept. Today what happens with most antiviruses, they will actually scan in memory to look for those activities, but only when you set them to scan.


Types of Viruses -1

15

Types of Viruses -1

Stealth masks itself in an attempt to avoid detection

Retro attacks or bypasses antivirus software

Armored wraps itself in code to hide its virus characteristics from detection

Companion attaches to legitimate program and then creates another with a different file extension to get launched in legitimate program’s place

**015 So a couple of types of viruses for us: stealth, retro, armored, and companion. Stealth-- it's going to be sneaky. Retro-- it's going to attack or bypass antivirus software. Literally. "If you would like to install this game, please disconnect your antivirus for just a moment in time." "Oh, okay, I'll go ahead and turn off my security controls so that I can play a game." Armored will actually protect itself. It'll hide its virus characteristics from detection. It will actually obfuscate in code. And in the armored, usually what they do today, they tend to encrypt themselves so the commands are encrypted and will only de-encrypt at runtime when the conditions are susceptible for it. By the way, a lot of armored viruses will also listen for whether they are on a virtual machine, and they may not run on a virtual machine. Then you say, "Well, let's everybody use virtual machines and they won't run." But then it's an arms race, and they'll change the way that they run. They'll run even on a virtual machine. A companion virus attaches to something else that is a legitimate program. And we talk about this also with wrappers, and we also talk about this with Trojans. So this is not unique to a virus.
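The storage places on slide 14 (shell, add-on, intrusive) and the companion virus above all leave a footprint a defender can see without any signature: the host file grows, its bytes change at the same size, or a new file appears beside it. The following is an added example, not code from the SEI course, of a file integrity baseline that separates those three cases. The directory, the "programs" (inert byte strings) and the edits made to them in `demo()` are constructed for the example and stand in for what an infection would do to a real host file.

```python
# Added example, not from the SEI slides: a SHA-256 integrity baseline over a directory
# of executables, reporting changes in the categories the slides describe.
import hashlib
import pathlib
import tempfile
from typing import Dict, List, Tuple


def hash_file(path: pathlib.Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> Dict[str, Tuple[str, int]]:
    """Map relative path -> (sha256, size) for every regular file under root."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): (hash_file(p), p.stat().st_size)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, Tuple[str, int]], root) -> Dict[str, List[str]]:
    """Classify drift from the baseline.

    grew               -> consistent with add-on / shell style (code prepended or wrapped)
    same_size_modified -> consistent with intrusive style (bytes overwritten in place)
    new                -> a file that was not there before, e.g. a companion file
    """
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"grew": [], "same_size_modified": [], "shrank": [],
                                    "new": [], "missing": []}
    for name, (digest, size) in baseline.items():
        if name not in current:
            report["missing"].append(name)
            continue
        cur_digest, cur_size = current[name]
        if cur_digest == digest:
            continue                      # unchanged content
        if cur_size > size:
            report["grew"].append(name)
        elif cur_size < size:
            report["shrank"].append(name)
        else:
            report["same_size_modified"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three inert 'programs', then alter them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "app_a.exe").write_bytes(b"CONSTRUCTED-PROGRAM-A" * 10)
        (root / "app_b.exe").write_bytes(b"CONSTRUCTED-PROGRAM-B" * 10)
        (root / "app_c.exe").write_bytes(b"CONSTRUCTED-PROGRAM-C" * 10)
        baseline = build_baseline(root)

        # add-on style: extra bytes in front of the original, so the file grows
        original_a = (root / "app_a.exe").read_bytes()
        (root / "app_a.exe").write_bytes(b"EXTRA" + original_a)
        # intrusive style: bytes overwritten in place, size unchanged
        data = bytearray((root / "app_b.exe").read_bytes())
        data[0:5] = b"XXXXX"
        (root / "app_b.exe").write_bytes(bytes(data))
        # companion style: a new file beside the original with a different extension
        (root / "app_a.com").write_bytes(b"CONSTRUCTED-COMPANION")

        return compare(baseline, root)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:20s} {names}")
```

The baseline has to be taken from a known-good state and stored where the monitored host cannot rewrite it; a baseline refreshed after the change would simply ratify it. Note that a stealth virus that intercepts reads can defeat a check run on the infected host itself, which is why this kind of comparison is stronger when run from offline media.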


Types of Viruses -2

16

Types of Viruses -2

Phage alters programs and databases and can only be removed with reinstallation that removes every instance of the phage virus

Macro fastest growing exploit that takes advantage of application enhancements in common applications such as Word or Excel

Multipartite uses several virus attack types

Polymorphic alters form each time executed to try to avoid detection

**016 You could also have the concept of phage, where it alters the program in database and can only be removed with reinstallation that removes every instance of the phage virus. This is an older one. So you've got to go through the system, because not only does it attack this executable, but it attacks all the other executables. It goes into all the DLLs. Or, in a lot of cases with phage, what it would do is it would attach itself to every single doc that's in your machine. Think about how many docs are on your machine. Those macro viruses require that you go into your machine setting and enable macros. In the very beginning, macros were by default enabled and you were allowed to execute that code to make everything run more fast and more elegant and do all sorts of cool things. A multipartite is a really old name for a virus that may be--

Virus Characteristics

13

Virus Characteristics

Viruses are commonly classified by what or how they infect a system.

• System or Boot Sector – infects hard drive boot sectors
• File – infects files
• Macro – infects office documents
• Source Code – infects application code
• Network – infects via email messages

**013 --System boot infector, file infector, macro, source code-- in other words, a combination of.


Types of Viruses -2

16

Types of Viruses -2

Phage alters programs and databases and can only be removed with reinstallation that removes every instance of the phage virus

Macro fastest growing exploit that takes advantage of application enhancements in common applications such as Word or Excel

Multipartite uses several virus attack types

Polymorphic alters form each time executed to try to avoid detection

**016 When we talk about multipartite today, what we say is that is a blended threat. And a blended threat speaks to a piece of malware that has a virus, a worm, and a Trojan horse component. So it goes across different types of malware. Most multipartite only speaks about viruses themselves and different types of viruses. And finally, when we talk about viruses-- and this is not unique to viruses; this happens in all kinds of malware-- it's polymorphic. And what that means is that, "I know that the antivirus signature is there and it's going to be looking for me to do it this way. But to achieve the result, instead of doing it this way, I do it this way. I change what I'm doing every single time." So I can still achieve the same objective of getting across the room by doing it this way as I can by doing it this way. I still achieve my objective of attacking the machine, but I do it in a different way where the signature cannot figure out what I'm doing. So as it morphs, as it changes many times, the signature can't keep up with-- or we can't change the signature to address the polymorphic code. However, all malware has a signature that is unique to it, even though it may polymorph.


Armored Viruses

17

Armored Viruses

Armored viruses wrap themselves in code to hide their characteristics from detection.

Armored viruses make the job of analyzing the virus difficult by employing one or more of the following:

• Anti-disassemblers
• Anti-debuggers
• Anti-heuristics
• Anti-emulation

**017 Now, when I look at armored viruses, literally they protect themselves. They wrap themselves in code and hide all their characteristics from detection. In a lot of cases, when we go to study viruses, what we'll do is we'll disassemble them. And in the armored virus, it will set up an anti-disassembler. So when it detects disassemblers actually after it, or if it detects debuggers or any kind of emulation whatsoever, it will stop that. It will say, "I see what you're doing here, and I'm not going to tell you." And usually that involves some sort of encryption and hiding. So it encrypts itself and it won't decrypt because it sees that a disassembler is in memory. It may decrypt a little tiny bit of itself to actually detect that the disassembler is there, but not the core code of it.

Polymorphic Malware

18

Polymorphic Malware

Polymorphic malware is among the most advanced due to its ability to mutate. It can generate the same function millions of different ways.

Consists of:
• Mutation engine
• Virus body

After decryption the virus code remains the same – only the mutation engine changes during obfuscation.

**018 Polymorphic malware is-- it's better said here-- it's a mutation engine. That's really what it allows us to do. It's a separate piece of programming within the malware that allows it to change how it does what it does so that the database can't keep up.
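The slide's key point is that only the mutated outer layer changes while the decrypted body stays the same, and the instructor's point is that even a polymorph keeps something unique. The following is an added example, not code from the SEI course, that models both claims with inert byte strings: a constructed invariant "body", a two-byte constructed stub carrying a one-byte key, and a corpus of samples that differ only in the key. It then contrasts a raw byte signature taken from one capture with a check that first undoes the outer layer, which is what an emulator or unpacker gives a real engine. `BODY`, `STUB_MARKER` and the key values are constructed for the example and represent no real malware.

```python
# Added example, not from the SEI slides: why a byte signature over a polymorphic
# sample fails across mutations while a check on the invariant body does not.
import hashlib
from typing import List, Optional

BODY = b"CONSTRUCTED-INVARIANT-BODY-DEMO-ONLY"   # constructed stand-in, not code
STUB_MARKER = 0xD0                              # constructed: fixed first byte of the "stub"


def encode_sample(key: int) -> bytes:
    """Constructed stand-in for one mutation: 2-byte stub (marker, key) + BODY XOR key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([STUB_MARKER, key]) + bytes(b ^ key for b in BODY)


def static_signature_hits(samples: List[bytes], signature: bytes) -> int:
    """Naive byte-pattern matching on the raw file, as an old signature engine does."""
    return sum(1 for s in samples if signature in s)


def normalize(sample: bytes) -> Optional[bytes]:
    """Undo the outer layer (what emulation achieves for a real engine) and return the body.

    The stub itself is the part that never changes: a real engine can key on it
    to decide the sample is worth emulating at all.
    """
    if len(sample) < 2 or sample[0] != STUB_MARKER:
        return None
    key = sample[1]
    return bytes(b ^ key for b in sample[2:])


def normalized_hits(samples: List[bytes], body_sha256: str) -> int:
    """Count samples whose recovered body hashes to the known invariant body."""
    hits = 0
    for s in samples:
        body = normalize(s)
        if body is not None and hashlib.sha256(body).hexdigest() == body_sha256:
            hits += 1
    return hits


def demo() -> dict:
    """Four mutations of the same body plus one benign file that shares the marker byte."""
    samples = [encode_sample(k) for k in (0x11, 0x5A, 0xA7, 0xFF)]
    benign = bytes([STUB_MARKER, 0x00]) + b"ordinary constructed file contents"
    corpus = samples + [benign]
    # Signature derived from the first capture only: the body as it appears under key 0x11.
    signature_from_first_capture = samples[0][2:]
    known_body = hashlib.sha256(BODY).hexdigest()
    return {
        "samples": len(corpus),
        "static_hits": static_signature_hits(corpus, signature_from_first_capture),
        "normalized_hits": normalized_hits(corpus, known_body),
    }


if __name__ == "__main__":
    print(demo())
```

The raw signature from the first capture matches one of the five files; the body check matches all four mutations and correctly ignores the benign file that happens to start with the same marker byte. That is the whole argument for emulation and memory scanning over static string matching when the mutation engine is in play, and it is why a one-byte XOR in the demo is enough to illustrate it: the strength of the outer layer is irrelevant once the engine looks at what runs rather than what is stored.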


Notices

2

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
