Network Security - UniTrento 2016-03-15 · one type Dr. Luca Allodi - Network Security -University of Trento, DISI (AA 2015/2016) 3. Viruses • software that replicate and install

NetworkSecurityAA2015/2016

MalwareDr.LucaAllodi

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016)

1

Malicioussoftware

• Programsactingwithouttheconsciousordesignedauthorizationofauserorsystem• Mayexploitsystemvulnerabilities

• knownasmalicioussoftwareormalware• Programsthatneedahostprogramtooperate

• Notexecutableperse• e.g.viruses,logicbombs,andbackdoors

• independentself-containedprograms• e.g.worms,bots

• replicatingornot• sophisticatedthreattocomputersystems

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 2

Taxonomy

• Virusàmodifieslegitimatesoftware• Wormà self-replicates• Trojanhorseà allowsremotecontrolofmachine• Keyloggersà sendstypedinfotoattacker• Rootkità hooktolibrariesorsystemfiles• Zombie,botà remotecoordinatedcontrolofmultiplemachines

àMalwarecanassumecharacteristicsofmorethanonetype


Viruses

• softwarethatreplicateandinstallthemselveswithoutuserconsent• Copiescanbeinstalledinto• Programs

• modifyingthemtoincludeacopyofthevirus• soitexecutessecretlywhenhostprogramisrun

• Datafiles• Bootsector


Virusstructure

• components:• infectionmechanism- enablesreplication• trigger- eventthatmakespayloadactivate• payload- whatitdoes,maliciousorbenign

• prepended/postpended /embeddedintoinfectedprogram• wheninfectedprograminvoked,executesviruscode• Viruspayloadmaychangesizeofexecutable

• Embeddedlayoutmayavoidthis(systemdependent)• e.g.Portableexecutablesheadersoftenhave“empty”allocatedmemorywords


Typesofviruses

• bootsector• fileinfector• macrovirus

• encryptedvirus• polymorphicvirus• metamorphicvirus


Byinfectiontarget

Byconcealmentmechanism

Bootsector

• Atboottime,thefirmwarechecksforsystemcomponentsandteststhem• TheoperatingsystemisthencopiedfromtheharddrivetotheRAM• MasterBootRecordcontainscodethatultimatelyleadstoloadingOSinmemory• MBRtypicallysmallinsize,pointstobootloader(inVolumebootrecord,VBR)• “chainloading”

• Bootloader actuallyloadsOS


Bootsectorinfections- depiction


Bootstraploader

Systeminitialization

MasterBootRecord/VBR

Virus Systeminitialization

MasterBootRecord/VBR

Bootstraploader

Rootkits

• CantakecontrolofMBR• Caninjectintokernel• Defeatdiskencryptionà StoneBootkit

• setofprogramsinstalledforadminaccess• subvertingreportmechanismsonprocesses,files,registryentriesetc• maybe:• persistentormemory-based• userlevelà lesspowerful,mayneedadditionalvulns• kernelmodeà hardtodetectandremove• installedbyuserviatrojan orintruderonsystem


Macrovirusandfileinfectors

• becameverycommoninmid-1990s• platformindependent• infectdocuments• easilyspread

• exploitmacrocapabilityofofficeapps• executableprogramembeddedinofficedoc• oftenaformofBasic

• morerecentreleasesincludeprotection• recognizedbymanyanti-virusprograms• à evolvedtoemailviruses

• Exploitauto-executionbuginemail-clientstoinfectsystem


ILoveYou


Userbelievesthat’satxtfile;It’sactuallyVBS(VisualBasicScript).

Opening theattachmentloadsandexecutesscript.

Impactà DisruptsystemfilesReplicationà sendsitselftothefullcontactlist

Notrelyingonoffice, itstillreliesonan“interpreter”toexecuteà notnativecode

Viruscountermeasures

• prevention- idealsolutionbutdifficult• realisticallyneed:• detection• identification• removal

• ifdetectbutcan’tidentifyorremove,mustdiscardandreplaceinfectedprogram


AVDefenses- evolution

• Virus&antivirustechhavebothevolved• Earlyvirusessimplecode,easilyremoved• Asbecomemorecomplex,somustthecountermeasures• Generations

1. signaturescannersà looksforknowntracesofvirusinmemory

2. heuristicsà looksforfeaturescommoninmalwaretraces/strands

3. identifyactionsà behavioralfingerprintofthemalwareexecution

4. Machinelearningà classifierstrainedtodecidewhetherafileorprogramisactingmaliciously


Defense1- Signaturescanners

• Malwareisanalysed bysecurityfirm• Footprintofmalwareinmemory• Everytimemalwareisloadedintomemory,apre-fixedseriesofbitswillappearinram• Thisfootprintisthe“signature”ofthemalware• Recognitionhappensthroughmatchingthosesequenceofbyteswithallsignaturesknowntoasecurityproduct

• Purely“reactive”strategyà unknownmalwaredoesnotyethaveasignature• Detectioncanonlyhappenafteranalysis


Defense1- Heuristics

• Partiallyaddressesthepolymorphismproblem• Virusesmayevolvetodifferentstrainsofthesamevirusfamily• Manualmodifications• Newmalwareversions• Geneticalgorithms

• Differentfootprintbutcommoncharacteristics• Ratherthanhavinganexactmatchofthefootprintinmemory,detectionhappensby• Partialmatching• Commoncharacteristicsofavirusstrain


Evolution1- Polymorphicviruses

• Polymorphic:• thefirsttechniquethatposedaseriousthreattoAntivirus• Usesencryptiontoobfuscatecode• Decryptionmoduleismodifiedateachinfection

• à allsampleswillhaveadifferentfootprintinmemory• FixedencryptionpersewouldnotsufficeàWhy?

• Awell-writtenpolymorphicvirushasnopartswhichremainidenticalbetweeninfections• Signaturecheckingisuseless• Heuristicsmayworkifencryption-decryptionpairdoesnotvaryenough


Defense2- GenericDecryption

• Eachpolymorphicviruswilllookdifferentondisk• Butatexecutiontimecodewillalwaysbethesame

• Ifdetectionhappenswhenmalwareisexecuted,it’stoolate• GenericDecryptionà akaSandboxing

• Potentialvirusexecutedonanemulatedenvironment• Noactualaccesstosystemresources• themalwaredecryptsitselfà signaturecheckingwillnowwork

• Modernmalwarecanpreventexecutioninemulatedorvirtualenvironment• Viaanalysisoftheexecutionenvironment• Preventanalysisbyresearchers


Evolution2- Metamorphicviruses

• Metamorphic:• Toavoidbeingdetectedbyemulation,somevirusesrewritethemselvescompletelyeachtimetheyaretoinfectnewexecutables• Afterexecutiononemulatedenvironment,signaturewon’tmatch

• Metamorphicengineisneededtoenablevirus• VeryLargeandComplex• Ex.W32/Simileconsistedofover14,000linesofassemblycode


Defense3– behavioural detection

• Addressesissuewithmetamorphicmalwareanddetectionofpreviouslyunseenmalware• Basedonsetofactionsthatthemalwareperforms• Basicideaàmalwarebehavesdifferentlyfromlegitimatesoftware• Systemcalls• Interactionwithdrivers(e.g.I/O)• Systeminterrupts..

• Veryhardtoenumerateallpossibleactionsà exponentialtime• Alsohardtocorrectlyidentifysetofactionsthatcharacterise malware• Riskoffalsepositiveshigherthanforheuristicsandsignatures(youneedanhashcollisionforthat)


Defensesinpractice

• Defenseisonlyeffectivewhenitpreventsmalwareexecution• Oncethesystemisinfected,systemcannotbetrustedanymore• Malwareremovalcannotbetrusted

• Why?• Malwarecanaffecttheintegrityofsystemprocedurestoo

• interceptantivirus’callstoOSdiskdriverstoanalyse storedmalwareà returns“null”orbenignfile

• Disableantivirusitselfà e.g.Conficker• RunanalysisfromacleandriveonuninitializedinfectedOS


Worms

• replicatingprogramthatpropagatesovernet• usingemail,remoteexec,remotelogin• Exploitationofremoteexploits

• typicallyarbitrarycodeexecutionà bufferoverflows

• hasphaseslikeavirus:• dormant,propagation,triggering,execution• propagationphase:searchesforothersystems,connectstoit,copiesselftoitandruns;repeat.

• maydisguiseitselfasasystemprocess• implementedbyXeroxPaloAltolabsin1980’s


Wormspropagationmodel


Historicalinternetworms

• Morrisworm(1988):overflowinfingerd• 6,000machinesinfected(10%ofexistingInternet)

• CodeRed (2001):overflowinMS-IISserver• 300,000machinesinfectedin14hours

• Blaster(2003):RPCoverflow• SQLSlammer(2003):overflowinMS-SQLserver• 75,000machinesinfectedin10minutes

• Sasser (2004):overflowinWindowsLSASS• Around500,000machinesinfected


Morrisworm

• 1988byRobertMorris• ConvictedunderComputerFraudandAbuseAct

• 3yrsprobation• NowCSprofessor@MIT

• Vulns:• Sendmail à couldexecutecommandviaSMTP

• Fingerà BoF• weakpasswordsà dictionaryattack

• Nomaliciouspayloadbutpropagationtoofastfortheinfrastructuretohold• Singlecomputercouldbeinfectedmultipletimesà similartoa“forkbomb”issue• Malwareneedstestingtoo

• Severalmilliondollarsindamage


TheWelchia andBlasterworms

• Blasterà Appearsinaugust2003• AffectsprimarilyWindowsXPmachines• SYNDoS againstwindowsupdate.com• ExploitsaBoF inRPC(patchexistedsinceMay2003)• SideeffectàmakesRPCunstable,XPunusable


• Welchia (anti-worm)• RemovesBlasterinfection,patches

thevulnerability• UsedthesameMicrosoftRPCbug

asBlaster• DeletesitselfafterJanuary1,2004• Wasitagoodidea?(Why?)

Slammer• BoF inMicrosoft’sSQLserver

• Patchreleased6monthsearlier• SingleUDPpackettoport1434infectsthemachine

• Binaryfits inthepacket• OverwriteRETtopointtomalwareinbuffer

• PropagationbyrandomgenerationofIPaddresses• à Sendcopyofitself

• WorksbecauseIPspaceispopulated,mostMSsystems• Donotcareaboutfalsepostives• 30kcopies/secondà UDP• Exponentialgrowth

• Sofastitsaturatedthebandwidthofthewholeinternetin10minutes• Incombinationwithroutersfailingandsubsequentgenerationofroutetableupdatestraffic

• 75kSQLserversinfected


Slammer– 5.29amUTC25.01.03

• http://www.caida.org/publications/papers/2003/sapphire/sapphire.html


Slammer– 6amUTC25.01.03

• Discsizeislogarithmicinno.infectedmachines


Effects• Killedseveralcriticalpointsofinternetinfrastructure

• 5DNSrootservers• SouthKorea’scellphonenetwork(allofit)• BankofAmericaATMs

• Nomaliciouspayloadoninfectedsystems• Infectionfollowsalogisticmodelinfinitesystems

• Startsoffexponentially,thenlevelsout


Bandwidthsaturation+Networkfailure

Morerecentworms

• Conficker (2008-09):overflowinWindowsRPC• Around10millionmachinesinfected(estimatesvary)• Introducesauto-updates,DomainGenAlgorithms,..

• Stuxnet (2009-10):severalzero-dayoverflows+sameWindowsRPCoverflowasConficker• Windowsprintspoolerservice

• AlsoexploitedbyFlame(announcedin2012)• WindowsLNKshortcutdisplay• Windowstaskscheduler

• Flame(2012)àMD5collision,validcertificateforwindowsupdate


Conficker

• FirstdetectioninNovember2008• PatchavailableinOctober2008

• UsesabufferoverflowinWindowsServerService• MS08-067• ForgedRPCrequestleadstoshellcodeexecution

• Severalversionsoftheworm• Conficker.Aà B,C,Dà Conficker.E• ShellcodeconnectstoremoteHTTPserver• AttachesmaliciousDLLtosvchost.exe orotherprocesses• VariantsB,Cà introducednewinfectiondrivers


Conficker - impacts

• Hardtoestimateactualextensionofinfection• Differentversionsofmalwarehavedifferentpropagationstrategies

• Anywherefrom~2millionhoststo15millionhosts• Stealingpersonalandsensitiveinformation

• Bankingcredentials• CCNs• Machinesunderthecontrolofattackerà “botnet”

• Someveryhigh-leveltargetswereinfected• FrenchNavysystemsshutdownà aircraftsgrounded• SheffieldHospital,UKà managersturnedoffsecurityupdatesfor8000systems• Baddecision?Somesystemsrebootedbecauseofanupdatemid-surgeryà shutitalloff

• 800+systemsinfectedDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 32

Conficker Bà Infectiondrivers

• NetBIOSfunctionalities• Executeremotelybycopyingitselfintoadminshare• Ifshareispwd protected,attemptdictionaryattack

• Attempts240passwords

• USBremovabledevice• Malwarecopiesitselfasautorun.inf• Malwareisruneverytime ausermountsthedriver


Conficker - defenses

• Conflicker patchesMS08-067afterinfection• Thisistominimizeinfectionsfromothermalware

• Installedpatchiscustom• AllowsforConficker re-infections• Essentiallyabackdoorfortheworm

• Canbeusedtoupdatemalwareoninfectedhosts• Disablesseveralsystemservices

• Noautoupdate,WinSecurityservice,..• BlocksDNSrequestsforantivirus-relatedomains&winupdate

• Conficker payloadsaresigned(SHA-1hash+RSAw/1024bitsecretkey)andencrypted(RC4)• Publickeyhardcodedinpayload• Variantsincreasekeysize&hashingalgorithmDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 34

Botnets

• VirtualNetworkofinfectedmachinesunderthecontrolofa“botherder”• Machinescanperformanykindofactionforthebotherder• Managedthroughacommand&controlserverunderthecontrolofanattacker• Pushesconfigurationfiles• Functionalityupdates• BotsmustbeabletocommunicatewithC&Cserver

• Centralised vspeer-to-peerdesignDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 35

Botnets– centralised architecture


Source:Botnets:Detection,Measurement,Disinfection&Defence - ENISA

Typesofcentralised botnets

• Botscommunicatewiththebotherdervia• IRC(Internetrelaychat)server

• Firstdefinitionof“bot”• Served“humanusers”byprovidingautomatised services• Essentially aprogramacceptingcommandsininputsandretrievinganswers

• HTTP• ConnectstoaremoteHTTPserver• Twoapproaches

• Botcontactsfixed(setof)IP(s)• Botresolvesdomaindynamically

• Fast-fluxvsdomain-flux• C&Cserverissingle-point-of-failure

• WhocontrolstheC&Ccontrolsthebotnet


Botnet– p2parchitecture


Source:Botnets:Detection,Measurement,Disinfection&Defence - ENISA

p2parchitecture

• Morerobustthancentralised architecture• Commandsarespreadthroughthenetwork• Botscanactasbothslavesandmastersdynamically• Whennewmachineisinfected,botjoinsthenetwork• Hard-codedlistofpeersarecontacteduponinfection

• Updatesitsneighboringpeerlist• Mixedp2p/centralisedapproach

• Centralisedwebcachewithlistofpeers• Infectedbotinheritspeerlistfrominfector


Threetypesofp2pbotnets[Silva2012]• Parasite:

• allbotsareselectedfromvulnerablehostswithinanexistingP2Pnetwork.

• NumberofvulnerablehostsintheexistingP2Pnetworklimitsthescaleofaparasitebotnet.

• Notflexibleandgreatlyreducesthenumberofpotentialbotsunderthebotmaster’s control.

• Leeching:• membersjoinanexistingP2PnetworkanddependonthisP2PnetworkforC&Ccommunication.

• BotcandidatesmaybevulnerablehoststhatwereeitherinsideoroutsideanexistingP2Pnetwork.

• Bot-only:• buildsitsownnetworkinwhichallmembersarebots


Botnets- usage

• Performingdistributeddenialofserviceattacks(DDoS)• SametechniquesasnormalDoS attacks,butamplifiedbyafactorequaltosizeofbotnet

• Spamà usedtodistributespamemails• Canleadtofurtherinfections• Subscriptiontoservices/goods

• Computationalpowerà useCPU/GPUtimetofindhashcollisions,breakciphers,minebitcoins..• Stealsensitiveinformationfromtheinfectedmachine• Rentalà botherdercanrentpartofthebotstoothercriminals• Outsourcecomputations/buyCreditcardnumbers(CCNs)..


Centralised botnets- details

• BotscannotoperateiftheycannotcontacttheC&Cserver• Centralised Botnettakedownshappenby“sinkholing”• Securityresearcher/firmtakescontrolofC&C

• C&Cserverneedstobeprotected• ChangeIPaddressfrequentlyà fast-flux

• Makesithardforanattackertotakeitdown• OnedomainmappedtoseveralIPaddresses

• Changedomainfrequentlyà domain-flux• Eachbotgenerates“validdomainnames”periodicallyandresolvesthem


Domainflux

• EachbotusesaDomainGenerationAlgorithm(DGA) togeneratealistofpossibledomainsatacertaintime• “rendezvous”domains• Listisgeneratedindependentlybyeachbot

• Ifbotgetsnoanswerfromagenerateddomain,itsimplyswitchesovertothenextinlist• Conficker Aà e.g.txkjngucnth.org

• http://blogs.technet.com/b/msrc/archive/2009/02/12/conficker-domain-information.aspx

• SometimesbotnetsperformaccidentalDoS attacksagainst“colliding”domainnames• DGAgeneratesadomainthatalreadyexists• Allbotstrytocontactthatdomain(ithappened)

• jogli.com,praat.org,…


Puttingitalltogether– acasestudy:Torpig [Stone-Gross2009]• Torpig wasabotnetactivein2009• UsedMebroot asarootkit• Mebroot substitutestheMasterBootRecordofthemachineà usedtoperformactionsatboottime• Hardertodetectmalware• Executedinthecontextofexplorer.exe• Operatesdirectlyondiskblocks(throughdiskdrivers)• Uponreboot,downloadsandactivatesmalware

• Torpig inthiscase• Encryptedcommunciation withMebroot server• Malwarestoredlocally,encrypted

• Mebroot providesfunctionalitiestoembed(malicious)modulestonormalsystemboot


Torpig - functionalities

• Credentialstealing• Generationofphishingattacksforasetofpre-definedwebsites• Torpigmoduleinjectsphishingcontenttowebpagepresentedtouser• typicallyaloginpage


Sinkholing Torpig

• Team@UniversityofCaliforniareverseengineeredtheDGA• Noticedthatasetofdomainsthatwillbegeneratedbetween25th Janand15th Febwerenotregisteredyet• Researchersregisteredthedomainsandreplicated“fake”C&Cserver• Allitneededtodoistoconfirmitselfasavalidserver• Torpig usesHTTPSbutacceptsanycertificateasvalid• Passivelylisteningtowhateverthebotsweresending

• 4th FebMebroot pushedupdateforTorpigà onlyabout10daysofdata


Torpig size

• IPschangeveryfrequentlyà countinguniqueIPsnotagoodproxyforbotnetsize• Eachbothasuniqueid+additionalfeatures• About180.000hosts(1.2MIPaddresses)

47

Torpig – collecteddata


Torpig – collecteddata


Readinglist

• Silva,Sérgio SC,etal."Botnets:Asurvey."ComputerNetworks 57.2(2013):378-403.• Stone-Gross,Brett,etal."Yourbotnetismybotnet:analysisofabotnettakeover."Proceedingsofthe16thACMconferenceonComputerandcommunicationssecurity.ACM,2009.


Documents

Network Security - UniTrento 2016-03-15 · one type Dr. Luca Allodi - Network Security -University of Trento, DISI (AA 2015/2016) 3. Viruses • software that replicate and install