Network Security AA 2015/2016
Malware
Dr. Luca Allodi
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
Malicious software
• Programs acting without the conscious or designed authorization of a user or system
• May exploit system vulnerabilities
• Known as malicious software or malware
• Programs that need a host program to operate
  • Not executable per se
  • e.g. viruses, logic bombs, and backdoors
• Independent self-contained programs
  • e.g. worms, bots
• Replicating or not
• Sophisticated threat to computer systems
Taxonomy
• Virus → modifies legitimate software
• Worm → self-replicates
• Trojan horse → allows remote control of machine
• Keyloggers → send typed info to attacker
• Rootkit → hooks into libraries or system files
• Zombie, bot → remote coordinated control of multiple machines
→ Malware can assume characteristics of more than one type
Viruses
• Software that replicates and installs itself without user consent
• Copies can be installed into
  • Programs
    • modifying them to include a copy of the virus
    • so it executes secretly when the host program is run
  • Data files
  • Boot sector
Virus structure
• Components:
  • infection mechanism - enables replication
  • trigger - event that makes the payload activate
  • payload - what it does, malicious or benign
• Prepended / postpended / embedded into infected program
  • when the infected program is invoked, it executes the virus code
  • Virus payload may change the size of the executable
  • Embedded layout may avoid this (system dependent)
    • e.g. Portable Executable headers often have "empty" allocated memory words
Types of viruses
• By infection target
  • boot sector
  • file infector
  • macro virus
• By concealment mechanism
  • encrypted virus
  • polymorphic virus
  • metamorphic virus
Boot sector
• At boot time, the firmware checks for system components and tests them
• The operating system is then copied from the hard drive to RAM
• Master Boot Record contains code that ultimately leads to loading the OS in memory
• MBR typically small in size, points to the boot loader (in the Volume Boot Record, VBR)
  • "chain loading"
• Boot loader actually loads the OS
Boot sector infections - depiction
[Figure: boot sequence with and without a boot-sector virus; labels: Bootstrap loader, System initialization, Master Boot Record/VBR, Virus]
Rootkits
• Can take control of the MBR
• Can inject into the kernel
• Defeat disk encryption → Stoned Bootkit
• Set of programs installed for admin access
• Subverting report mechanisms on processes, files, registry entries etc.
• May be:
  • persistent or memory-based
  • user level → less powerful, may need additional vulns
  • kernel mode → hard to detect and remove
• Installed by user via trojan or by intruder on system
Macro virus and file infectors
• Became very common in mid-1990s
  • platform independent
  • infect documents
  • easily spread
• Exploit macro capability of office apps
  • executable program embedded in office doc
  • often a form of Basic
• More recent releases include protection
• Recognized by many anti-virus programs
• → Evolved to email viruses
  • Exploit auto-execution bug in email clients to infect system
ILoveYou
• User believes that it's a txt file; it's actually VBS (Visual Basic Script)
• Opening the attachment loads and executes the script
• Impact → disrupts system files
• Replication → sends itself to the full contact list
• Not relying on Office, it still relies on an "interpreter" to execute → not native code
Virus countermeasures
• Prevention - ideal solution but difficult
• Realistically need:
  • detection
  • identification
  • removal
• If detected but can't identify or remove, must discard and replace the infected program
AV Defenses - evolution
• Virus & antivirus tech have both evolved
• Early viruses simple code, easily removed
• As they become more complex, so must the countermeasures
• Generations
  1. signature scanners → look for known traces of virus in memory
  2. heuristics → look for features common in malware traces/strands
  3. identify actions → behavioral fingerprint of the malware execution
  4. Machine learning → classifiers trained to decide whether a file or program is acting maliciously
Defense 1 - Signature scanners
• Malware is analysed by security firm
• Footprint of malware in memory
  • Every time malware is loaded into memory, a pre-fixed series of bits will appear in RAM
  • This footprint is the "signature" of the malware
  • Recognition happens through matching those sequences of bytes with all signatures known to a security product
• Purely "reactive" strategy → unknown malware does not yet have a signature
  • Detection can only happen after analysis
Defense 1 - Heuristics
• Partially addresses the polymorphism problem
• Viruses may evolve to different strains of the same virus family
  • Manual modifications
  • New malware versions
  • Genetic algorithms
• Different footprint but common characteristics
• Rather than having an exact match of the footprint in memory, detection happens by
  • Partial matching
  • Common characteristics of a virus strain
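The two slides above contrast exact signature matching with heuristic partial matching. The following toy scanner is an added example, not code from the slides or from any antivirus product: the family name "DemoVirus", its byte patterns, the shared fragments and all four sample files are constructed for illustration. It shows why an exact pattern misses a modified strain while a feature score still catches it, and how the score threshold is the knob that trades detection for false positives.

```python
# Added example, not from the slides: a toy scanner contrasting exact signature
# matching (Defense 1, signature scanners) with heuristic partial matching.
# Every signature and sample below is constructed for illustration; the family
# name "DemoVirus" and its byte patterns are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    family: str
    pattern: bytes        # exact byte sequence an analyst recorded from memory
    features: tuple       # shorter fragments shared by strains of the family


SIGNATURES = (
    Signature(
        family="DemoVirus",
        pattern=b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",
        features=(b"\x60\xe8", b"\x5d\x81\xed", b"DEMO-PAYLOAD"),
    ),
)

# Constructed samples: the analysed strain, a modified strain, a clean file,
# and a clean file that happens to share one fragment with the family.
ORIGINAL_STRAIN = b"MZ" + b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed" + b"DEMO-PAYLOAD"
VARIANT_STRAIN = b"MZ" + b"\x60\xe8\x11\x11\x00\x00\x5d\x81\xed" + b"DEMO-PAYLOAD"
BENIGN_FILE = b"MZ" + b"hello world, nothing to see here"
NEAR_MISS_FILE = b"MZ" + b"\x60\xe8" + b"ordinary code"


def exact_scan(image: bytes, sigs=SIGNATURES):
    """Generation-1 scanner: report a family only on an exact pattern hit."""
    return [s.family for s in sigs if s.pattern in image]


def heuristic_scan(image: bytes, sigs=SIGNATURES, threshold=0.6):
    """Generation-2 heuristic: score a family by the fraction of its shared
    fragments present and report it once the score reaches the threshold.
    The threshold is the false-positive knob: lower it and NEAR_MISS_FILE,
    which shares a single fragment, starts to be flagged."""
    hits = []
    for s in sigs:
        present = sum(1 for f in s.features if f in image)
        score = present / len(s.features)
        if score >= threshold:
            hits.append((s.family, round(score, 3)))
    return hits


if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL_STRAIN), ("variant", VARIANT_STRAIN),
                         ("benign", BENIGN_FILE), ("near miss", NEAR_MISS_FILE)]:
        print(f"{name:10s} exact={exact_scan(sample)} heuristic={heuristic_scan(sample)}")
```

Running it shows the variant escaping `exact_scan` while `heuristic_scan` still scores it 1.0; dropping the threshold to 0.3 is enough to turn the near-miss clean file into a false positive, which is the trade-off a heuristic engine has to tune.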
Evolution 1 - Polymorphic viruses
• Polymorphic:
  • the first technique that posed a serious threat to antivirus
  • Uses encryption to obfuscate code
  • Decryption module is modified at each infection
  • → all samples will have a different footprint in memory
  • Fixed encryption per se would not suffice → Why?
• A well-written polymorphic virus has no parts which remain identical between infections
  • Signature checking is useless
  • Heuristics may work if the encryption-decryption pair does not vary enough
Defense 2 - Generic Decryption
• Each polymorphic virus will look different on disk
  • But at execution time the code will always be the same
• If detection happens when malware is executed, it's too late
• Generic Decryption → aka Sandboxing
  • Potential virus executed in an emulated environment
  • No actual access to system resources
  • The malware decrypts itself → signature checking will now work
• Modern malware can prevent execution in emulated or virtual environments
  • Via analysis of the execution environment
  • Prevent analysis by researchers
Evolution 2 - Metamorphic viruses
• Metamorphic:
  • To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables
  • After execution in an emulated environment, the signature won't match
• Metamorphic engine is needed to enable the virus
  • Very large and complex
  • Ex. W32/Simile consisted of over 14,000 lines of assembly code
Defense 3 - Behavioural detection
• Addresses issue with metamorphic malware and detection of previously unseen malware
• Based on the set of actions that the malware performs
• Basic idea → malware behaves differently from legitimate software
  • System calls
  • Interaction with drivers (e.g. I/O)
  • System interrupts ..
• Very hard to enumerate all possible actions → exponential time
• Also hard to correctly identify the set of actions that characterise malware
• Risk of false positives higher than for heuristics and signatures (you need a hash collision for that)
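To make the false-positive point concrete, here is an added example (not from the slides or from any product) of behavioural detection as a match on short sequences of system-call events. The call names, the three "malicious" 3-grams and the three traces are constructed; a legitimate installer copies its own image and sets a run key just as the malware does, so the choice of threshold decides whether it is flagged.

```python
# Added example, not from the slides: behavioural detection as a match on
# short sequences (3-grams) of system-call events. The call names, the
# "malicious" 3-grams and the traces are all constructed for illustration.

N = 3

# Constructed behavioural fingerprint: call sequences seen in malware traces.
MALICIOUS_NGRAMS = {
    ("read_self", "create_file", "write_file"),                  # copies its own image
    ("write_file", "close_file", "set_registry_run"),            # persistence via run key
    ("enum_processes", "open_process", "write_process_memory"),  # code injection
}

# Constructed traces of system calls, one per program.
MALWARE_TRACE = ["open_self", "read_self", "create_file", "write_file", "close_file",
                 "set_registry_run", "enum_processes", "open_process",
                 "write_process_memory"]
INSTALLER_TRACE = ["open_self", "read_self", "create_file", "write_file",
                   "close_file", "set_registry_run", "exit"]   # legitimate installer
EDITOR_TRACE = ["open_file", "read_file", "write_file", "close_file", "exit"]


def ngrams(trace, n=N):
    """All consecutive n-grams of a call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def behaviour_score(trace):
    """Number of distinct malicious n-grams that occur in the trace."""
    return len(set(ngrams(trace)) & MALICIOUS_NGRAMS)


def classify(trace, threshold=2):
    """Flag as malicious when the score reaches the threshold. A legitimate
    installer also copies itself and sets a run key, so threshold 2 flags
    it: this is the false-positive risk the slide refers to. Raising the
    threshold to 3 clears the installer but would also miss malware that
    only performs two of the three fingerprinted behaviours."""
    return behaviour_score(trace) >= threshold


if __name__ == "__main__":
    for name, trace in [("malware", MALWARE_TRACE), ("installer", INSTALLER_TRACE),
                        ("editor", EDITOR_TRACE)]:
        print(f"{name:10s} score={behaviour_score(trace)} flagged={classify(trace)}")
```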
Defenses in practice
• Defense is only effective when it prevents malware execution
• Once the system is infected, the system cannot be trusted anymore
  • Malware removal cannot be trusted
• Why?
  • Malware can affect the integrity of system procedures too
  • Intercept antivirus' calls to OS disk drivers to analyse stored malware → returns "null" or benign file
  • Disable antivirus itself → e.g. Conficker
• Run analysis from a clean drive on the uninitialized infected OS
Worms
• Replicating program that propagates over the net
  • using email, remote exec, remote login
  • Exploitation of remote exploits
    • typically arbitrary code execution → buffer overflows
• Has phases like a virus:
  • dormant, propagation, triggering, execution
  • propagation phase: searches for other systems, connects to them, copies itself to them and runs; repeat.
• May disguise itself as a system process
• Implemented by Xerox Palo Alto labs in 1980's
Worms propagation model
[Figure: worm propagation model]
Historical internet worms
• Morris worm (1988): overflow in fingerd
  • 6,000 machines infected (10% of existing Internet)
• Code Red (2001): overflow in MS-IIS server
  • 300,000 machines infected in 14 hours
• Blaster (2003): RPC overflow
• SQL Slammer (2003): overflow in MS-SQL server
  • 75,000 machines infected in 10 minutes
• Sasser (2004): overflow in Windows LSASS
  • Around 500,000 machines infected
Morris worm
• 1988 by Robert Morris
  • Convicted under Computer Fraud and Abuse Act
  • 3 yrs probation
  • Now CS professor @ MIT
• Vulns:
  • Sendmail → could execute command via SMTP
  • Finger → BoF
  • Weak passwords → dictionary attack
• No malicious payload but propagation too fast for the infrastructure to hold
  • Single computer could be infected multiple times → similar to a "fork bomb" issue
  • Malware needs testing too
• Several million dollars in damage
The Welchia and Blaster worms
• Blaster → Appears in August 2003
  • Affects primarily Windows XP machines
  • SYN DoS against windowsupdate.com
  • Exploits a BoF in RPC (patch existed since May 2003)
  • Side effect → makes RPC unstable, XP unusable
• Welchia (anti-worm)
  • Removes Blaster infection, patches the vulnerability
  • Used the same Microsoft RPC bug as Blaster
  • Deletes itself after January 1, 2004
  • Was it a good idea? (Why?)
Slammer
• BoF in Microsoft's SQL server
  • Patch released 6 months earlier
• Single UDP packet to port 1434 infects the machine
  • Binary fits in the packet
  • Overwrite RET to point to malware in buffer
• Propagation by random generation of IP addresses
  • → Send copy of itself
  • Works because IP space is populated, most MS systems
  • Do not care about false positives
  • 30k copies/second → UDP
  • Exponential growth
• So fast it saturated the bandwidth of the whole internet in 10 minutes
  • In combination with routers failing and subsequent generation of route table update traffic
• 75k SQL servers infected
Slammer – 5.29am UTC 25.01.03
[Figure: Slammer infections at 5.29am UTC, 25.01.03]
• http://www.caida.org/publications/papers/2003/sapphire/sapphire.html
Slammer – 6am UTC 25.01.03
[Figure: Slammer infections at 6am UTC, 25.01.03]
• Disc size is logarithmic in no. of infected machines
Effects
• Killed several critical points of internet infrastructure
  • 5 DNS root servers
  • South Korea's cell phone network (all of it)
  • Bank of America ATMs
• No malicious payload on infected systems
• Infection follows a logistic model in finite systems
  • Starts off exponentially, then levels out
Bandwidth saturation + Network failure
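The logistic behaviour stated above falls out of a simple susceptible/infected (SI) model of a random-scanning worm. The simulation below is an added example, not from the slides or from the CAIDA analysis: every infected host probes random addresses, a probe succeeds only if it lands on a still-susceptible vulnerable host, so growth is proportional to the infected count while few are infected and to the remaining susceptibles near saturation. The parameters are illustrative only: 75k vulnerable hosts and 30k probes per second echo the Slammer numbers on the previous slides, the address space is assumed to be the full IPv4 range, and one time step is one second.

```python
# Added example, not from the slides: a discrete SI (susceptible/infected)
# simulation of scanning-worm spread in a finite population, which produces
# the logistic curve the slide describes. Parameters are illustrative: the
# 75k vulnerable hosts and 30k probes/second echo the Slammer figures on the
# previous slides, the address space is assumed to be the full IPv4 range,
# and the time step is one second.
import math


def simulate_si(n_vulnerable, address_space, scan_rate, steps, i0=1):
    """Each infected host sends scan_rate probes per step to random addresses.
    A probe finds a still-susceptible vulnerable host with probability
    (n_vulnerable - infected) / address_space, so new infections per step are
    infected * scan_rate * that probability: exponential while infected is
    small, levelling out as the susceptible pool empties."""
    infected = float(i0)
    history = [infected]
    for _ in range(steps):
        p_hit = (n_vulnerable - infected) / address_space
        infected = min(float(n_vulnerable), infected + infected * scan_rate * p_hit)
        history.append(infected)
    return history


def logistic(t, n, beta, i0=1):
    """Closed-form solution of the continuous model dI/dt = beta * I * (1 - I/n),
    with beta = scan_rate * n / address_space; the discrete simulation above
    approaches this curve."""
    return n / (1 + (n / i0 - 1) * math.exp(-beta * t))


def steps_to_fraction(history, n, fraction=0.99):
    """First step at which the simulated infection reaches `fraction` of n."""
    for step, infected in enumerate(history):
        if infected >= fraction * n:
            return step
    return None


if __name__ == "__main__":
    N, A, S = 75_000, 2**32, 30_000
    h = simulate_si(N, A, S, steps=60)
    beta = S * N / A
    for t in (0, 10, 20, 30, 40, 50, 60):
        print(f"t={t:2d}s simulated={h[t]:9.0f} logistic={logistic(t, N, beta):9.0f}")
    print("99% of vulnerable hosts infected at step", steps_to_fraction(h, N))
```

With these parameters the curve passes 99% saturation after a few dozen seconds; the real outbreak was slower because probes were lost to bandwidth saturation and failing routers, which the model does not include. Doubling `scan_rate` or halving `address_space` has the same effect on `beta`, which is why a worm that carries its whole body in one UDP packet spreads so much faster than one that needs a TCP handshake.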
More recent worms
• Conficker (2008-09): overflow in Windows RPC
  • Around 10 million machines infected (estimates vary)
  • Introduces auto-updates, Domain Generation Algorithms, ..
• Stuxnet (2009-10): several zero-day overflows + same Windows RPC overflow as Conficker
  • Windows print spooler service
    • Also exploited by Flame (announced in 2012)
  • Windows LNK shortcut display
  • Windows task scheduler
• Flame (2012) → MD5 collision, valid certificate for Windows Update
Conficker
• First detection in November 2008
  • Patch available in October 2008
• Uses a buffer overflow in Windows Server Service
  • MS08-067
  • Forged RPC request leads to shellcode execution
• Several versions of the worm
  • Conficker.A → B, C, D → Conficker.E
  • Shellcode connects to remote HTTP server
  • Attaches malicious DLL to svchost.exe or other processes
  • Variants B, C → introduced new infection drivers
Conficker - impacts
• Hard to estimate actual extension of infection
  • Different versions of malware have different propagation strategies
  • Anywhere from ~2 million hosts to 15 million hosts
• Stealing personal and sensitive information
  • Banking credentials
  • CCNs
• Machines under the control of attacker → "botnet"
• Some very high-level targets were infected
  • French Navy systems shut down → aircraft grounded
  • Sheffield Hospital, UK → managers turned off security updates for 8000 systems
    • Bad decision? Some systems rebooted because of an update mid-surgery → shut it all off
    • 800+ systems infected
Conficker B → Infection drivers
• NetBIOS functionalities
  • Execute remotely by copying itself into admin share
  • If share is pwd protected, attempt dictionary attack
    • Attempts 240 passwords
• USB removable device
  • Malware copies itself as autorun.inf
  • Malware is run every time a user mounts the drive
Conficker - defenses
• Conficker patches MS08-067 after infection
  • This is to minimize infections from other malware
  • Installed patch is custom
    • Allows for Conficker re-infections
    • Essentially a backdoor for the worm
    • Can be used to update malware on infected hosts
• Disables several system services
  • No auto update, Win Security service, ..
  • Blocks DNS requests for antivirus-related domains & winupdate
• Conficker payloads are signed (SHA-1 hash + RSA w/ 1024 bit secret key) and encrypted (RC4)
  • Public key hardcoded in payload
  • Variants increase key size & hashing algorithm
Botnets
• Virtual network of infected machines under the control of a "bot herder"
• Machines can perform any kind of action for the bot herder
• Managed through a command & control server under the control of an attacker
  • Pushes configuration files
  • Functionality updates
• Bots must be able to communicate with the C&C server
• Centralised vs peer-to-peer design
Botnets – centralised architecture
[Figure: centralised botnet architecture]
Source: Botnets: Detection, Measurement, Disinfection & Defence - ENISA
Types of centralised botnets
• Bots communicate with the bot herder via
  • IRC (Internet Relay Chat) server
    • First definition of "bot"
    • Served "human users" by providing automatised services
    • Essentially a program accepting commands as input and retrieving answers
  • HTTP
    • Connects to a remote HTTP server
    • Two approaches
      • Bot contacts fixed (set of) IP(s)
      • Bot resolves domain dynamically
        • Fast-flux vs domain-flux
• C&C server is a single point of failure
  • Who controls the C&C controls the botnet
Botnet – p2p architecture
[Figure: p2p botnet architecture]
Source: Botnets: Detection, Measurement, Disinfection & Defence - ENISA
p2p architecture
• More robust than centralised architecture
• Commands are spread through the network
• Bots can act as both slaves and masters dynamically
• When a new machine is infected, the bot joins the network
  • Hard-coded list of peers is contacted upon infection
  • Updates its neighboring peer list
• Mixed p2p/centralised approach
  • Centralised web cache with list of peers
  • Infected bot inherits peer list from infector
Three types of p2p botnets [Silva 2012]
• Parasite:
  • all bots are selected from vulnerable hosts within an existing P2P network.
  • Number of vulnerable hosts in the existing P2P network limits the scale of a parasite botnet.
  • Not flexible and greatly reduces the number of potential bots under the botmaster's control.
• Leeching:
  • members join an existing P2P network and depend on this P2P network for C&C communication.
  • Bot candidates may be vulnerable hosts that were either inside or outside an existing P2P network.
• Bot-only:
  • builds its own network in which all members are bots
Botnets - usage
• Performing distributed denial of service attacks (DDoS)
  • Same techniques as normal DoS attacks, but amplified by a factor equal to the size of the botnet
• Spam → used to distribute spam emails
  • Can lead to further infections
  • Subscription to services/goods
• Computational power → use CPU/GPU time to find hash collisions, break ciphers, mine bitcoins ..
• Steal sensitive information from the infected machine
• Rental → bot herder can rent part of the bots to other criminals
  • Outsource computations / buy credit card numbers (CCNs) ..
Centralised botnets - details
• Bots cannot operate if they cannot contact the C&C server
• Centralised botnet takedowns happen by "sinkholing"
  • Security researcher/firm takes control of C&C
• C&C server needs to be protected
  • Change IP address frequently → fast-flux
    • Makes it hard for an attacker to take it down
    • One domain mapped to several IP addresses
  • Change domain frequently → domain-flux
    • Each bot generates "valid domain names" periodically and resolves them
Domain flux
• Each bot uses a Domain Generation Algorithm (DGA) to generate a list of possible domains at a certain time
  • "rendezvous" domains
  • List is generated independently by each bot
• If a bot gets no answer from a generated domain, it simply switches over to the next in the list
  • Conficker A → e.g. txkjngucnth.org
  • http://blogs.technet.com/b/msrc/archive/2009/02/12/conficker-domain-information.aspx
• Sometimes botnets perform accidental DoS attacks against "colliding" domain names
  • DGA generates a domain that already exists
  • All bots try to contact that domain (it happened)
    • jogli.com, praat.org, …
Putting it all together – a case study: Torpig [Stone-Gross 2009]
• Torpig was a botnet active in 2009
• Used Mebroot as a rootkit
  • Mebroot substitutes the Master Boot Record of the machine → used to perform actions at boot time
  • Harder to detect malware
  • Executed in the context of explorer.exe
  • Operates directly on disk blocks (through disk drivers)
  • Upon reboot, downloads and activates malware
    • Torpig in this case
  • Encrypted communication with Mebroot server
  • Malware stored locally, encrypted
• Mebroot provides functionalities to embed (malicious) modules into normal system boot
Torpig - functionalities
• Credential stealing
• Generation of phishing attacks for a set of pre-defined websites
  • Torpig module injects phishing content into the web page presented to the user
    • typically a login page
Sinkholing Torpig
• Team @ University of California reverse engineered the DGA
• Noticed that a set of domains that would be generated between 25th Jan and 15th Feb were not registered yet
• Researchers registered the domains and replicated a "fake" C&C server
  • All it needed to do was to confirm itself as a valid server
  • Torpig uses HTTPS but accepts any certificate as valid
  • Passively listening to whatever the bots were sending
• 4th Feb Mebroot pushed an update for Torpig → only about 10 days of data
Torpig size
• IPs change very frequently → counting unique IPs is not a good proxy for botnet size
• Each bot has a unique id + additional features
• About 180,000 hosts (1.2M IP addresses)
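The domain-flux slide, the Torpig sinkholing slide and the size estimate above describe one defensive workflow: reproduce the DGA, list the rendezvous domains for a date window, register the ones nobody holds yet, and then count the bots that check in by their unique id rather than by address. The code below is an added example written for this page; it is not code from the slides, from the Torpig paper or from any real botnet. The DGA is a hypothetical SHA-256-based construction assumed to have been recovered by reverse engineering (it is not Torpig's or Conficker's algorithm), the seed is a constructed placeholder, and the sinkhole log lines are constructed, with two bots deliberately appearing from two addresses each.

```python
# Added example, not from the slides or from the Torpig paper: the defender's
# side of domain flux and sinkholing. The DGA below is hypothetical (assumed
# to have been recovered by reverse engineering; it is NOT Torpig's or
# Conficker's algorithm), the seed is a constructed placeholder and the
# sinkhole log is constructed.
import hashlib
from datetime import date, timedelta

TLDS = ("org", "com", "net")
SEED = b"constructed-seed"      # stands in for the seed hard-coded in the bot


def rendezvous_domains(day_iso, seed=SEED, count=3):
    """Domains every bot derives for the given ISO date from the shared seed.
    Any bot and any defender holding the algorithm obtain the same list."""
    day = date.fromisoformat(day_iso)
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def sinkhole_candidates(start_iso, end_iso, already_registered, seed=SEED):
    """(day, domain) pairs in [start, end] that nobody has registered yet:
    the set a researcher would register to stand up a sinkhole."""
    day, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    cands = []
    while day <= end:
        for dom in rendezvous_domains(day.isoformat(), seed):
            if dom not in already_registered:
                cands.append((day.isoformat(), dom))
        day += timedelta(days=1)
    return cands


# Constructed sinkhole log: timestamp, source IP, bot id, command.
SINKHOLE_LOG = """\
2009-01-26T10:00:01 198.51.100.7 bot=a1f3 cmd=hello
2009-01-26T10:00:05 198.51.100.9 bot=b2c4 cmd=hello
2009-01-26T11:30:00 203.0.113.4 bot=a1f3 cmd=hello
2009-01-26T12:00:00 203.0.113.21 bot=c9d0 cmd=upload
2009-01-27T09:15:00 198.51.100.9 bot=b2c4 cmd=upload
2009-01-27T09:20:00 192.0.2.55 bot=d7e1 cmd=hello
2009-01-27T14:00:00 192.0.2.56 bot=c9d0 cmd=hello
"""


def parse_log(text):
    """Return (ip, bot_id) per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("bot="):
            continue
        records.append((parts[1], parts[2][len("bot="):]))
    return records


def estimate_size(records):
    """Return (unique bot ids, unique IPs). Bots a1f3 and c9d0 in the log
    above each check in from two addresses, so the IP count overstates the
    population, which is the point of the Torpig size slide."""
    return len({bot for _, bot in records}), len({ip for ip, _ in records})


if __name__ == "__main__":
    window = sinkhole_candidates("2009-01-25", "2009-02-15", already_registered=set())
    print(f"{len(window)} rendezvous domains in the window, first: {window[0]}")
    bots, ips = estimate_size(parse_log(SINKHOLE_LOG))
    print(f"sinkhole saw {bots} bots from {ips} addresses")
```

The window of 25 January to 15 February is the one the slide names; with three domains per day that is 66 registrations. In practice the defender also has to check each candidate against WHOIS before registering it, since a colliding domain that already exists (the accidental-DoS case on the domain-flux slide) cannot be taken.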
Torpig – collected data
[Figure: Torpig collected data (two slides)]
Reading list
• Silva, Sérgio S. C., et al. "Botnets: A survey." Computer Networks 57.2 (2013): 378-403.
• Stone-Gross, Brett, et al. "Your botnet is my botnet: analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. ACM, 2009.