Virii, Worms, and Other Malware. Thanks to Marc Liberatore for putting together these slides

Transcription

1 Virii, Worms, and Other Malware Thanks to Marc Liberatore for putting together these slides 1

2 Overview Forms and Characteristics of Malware "Detecting" Malware Prevention/Restoration Techniques Historical Examples Areas of Research References 2

3 Forms of Malware Virii: Spread indirectly and generally unintentionally via user actions Worms: Spread automatically and autonomously Trojan Horses: Masquerade as useful programs Logic Bombs: Left by malicious/disgruntled programmers Rootkits/Backdoors: Allow remote control of a machine 3

4 Methods of Transmission A running executable, library, macro, etc. can attempt to infect any other files that the user has permission to write to (or that can be buffer overflowed to!) A running executable can attempt to modify the machine s boot block (or kernel loader, etc.)

5 Methods of Transmission A running executable could attempt to modify a program s source code (if available). What if the source code in question was a C compiler? How about gcc? How often do you check gcc s sources? What if the original UNIX C compiler had a source-code virus in it?

6 What can viruses do? Just proliferation can cause denials of service. Excess disk space, CPU cycles, network bandwidth, etc. may be consumed by careless virus writers. Of course, these may be deliberate attacks, as well

7 Other types of damage File deletion File modification Protections changing Data-dependent changes (Apparent) hardware glitches Whatever you can imagine

8 Virii A computer virus is a program that replicates itself. Generally, virii are: Malicious Corrupting or destroying data Degrading system performance Installing backdoors, rootkits, etc. Passive; spread (for example) as new executable are run or floppies are inserted 8

9 Virii Able to reproduce Dependent upon another program, executable, or file to spread Concealed May tunnel: redirect reads to itself in memory or on disk to innocuous data May be polymorphic: change form (but usually not function) upon replication 9

10 Worms A worm is a program that actively attempts to replicate itself both locally and across a network. This active network propagation is what distinguishes a worm from a virus. Usually, worms attempt to compromise a known insecure service running on a remote machine, and copy themselves to that machine. 10

11 Trojan Horses A trojan horse is program designed to carry a malicious payload of some sort. I.e., it has both an overt and covert function. Often the trojan will be a fully-functional, innocuousseeming version of a game or other such diversion. Trojans may also be cleverly named binaries that replace (or are confused with) actual system binaries. 11

12 Logic Bomb Originally, this referred to a deliberate set of malicious instructions encoded in a program by a malicious programmer. This payload would be executed when a certain condition occured, e.g.: if ((name == "Bob")&&(status=="fired")) destroy_system(); Some virii also are time delayed or conditionally malicious. 12

13 Rootkits and Backdoors A backdoor is an open passage into a system, often taking the form of a root shell listening on a high port (or the equivalent for a GUI OS). Usually, it is disguised in some fashion. A rootkit is a complete system used to hide one or more backdoors, and to modify system logs, binaries, etc., to hide its presence. 13

14 Windows Backdoors Back Orifice Back Orifice 2000 (BO2K) A Remote Administration tool for windows 9x and NT. Runs on remote system without user knowing Client can control several servers simultaneously Allows client complete control over server system including logging all keystrokes at the console. (Passwords, , etc) By default server listens on tcp or udp NetBus WinVNC (Virtual Network Computing) SubSeven 14

15 SubSeven Windows remote administration utility. Allows full control over windows and devices. Many features not found in other remote admin. Tools get Windows CD-Key retrieve dialup usernames/passwords, phone numbers AOL/Microsoft/Yahoo - IM spy ICQ hijacking 15

16 SubSeven: Client Easy to use interface Extremely configurable 16

17 SubSeven: Server Easy to use interface Extremely configurable 17

18 SubSeven: Countermeasures Password protect windows file shares Run Anti-virus software (Most detect Netbus) Check hosts and scan the network for open signature ports. Run IDS system to detect SubSeven traffic 18

19 Bots and Botnets Back in the days of IRC An IRC bot is: a program that connects to IRC as a client appears as an IRC users performs automated functions. Combine a rootkit with an IRC bot and what do you get? Trouble A compromised endpoint that can initiate outgoing connections with a command and control channel 19

20 Bots and Botnets Bots allow an attacker to remotely control this compromised host Combine a large number of bots together and what do you get? A botnet And all machines are controlled by a single IRC channel Botnets have been found in the wild with thousands and tens or thousands of compromised hosts 20

21 Why is Malware Hard to Detect? "But I have a virus scanner..." It would be nice if an arbitrary program could be scanned, and if it could be determined without a priori knowledge that the program contained a virus. Unfortunately, this is impossible -- the best we can (reliably) do is match against known virii. 21

22 Can we detect all viruses? In general, you cannot write a program D that determines whether other programs are viruses, unless D: runs forever in some cases; or has an infinite number of false positives; or has an infinite number of false negatives; or has combinations of these three problems I.e., the halting problem is coming into play here.

23 Alternatives to the PVC Since the PVC can't exist, what are the alternatives? Attempt to pattern match against known "bad" bit strings. Attempt to heuristically discover bad behavior. Watch for "unauthorized" modification of system binaries, logs, etc. 23

24 Pattern Matching Malware can (sometimes) be detected by pattern matching: IDSs use this to great effect: Large packets containing the string "/bin/sh" or other known strings are likely buffer overflow attacks Other malware can be detected directly - simple malware is identical as it reproduces, and thus easily found. 24

25 Problems with Pattern Matching Much like biological virii, malware can mutate. Basic: Intersperse instructions with NOOPs Intermediate: Reorder instructions that are not dependent Advanced: Redirection of data access through pointers, encryption, etc. When encrypted, malware's signature changes completely. Malware authors exploit this by having each iteration of the malware encrypted with a different key. Thus only the decryption needs to be polymorphic. 25

26 Heuristic Detection Some malware can be detected heuristically: Watching for possibly malicious strings "/bin/sh" in network packets "echo * * >.rhosts" "rm -rf /" Complex systems approaching the PVC: variable/memory emulator parser flow analyzer analyzer disassembler/emulator weight-based system and/or rule based system 26

27 Watching for Signs System binaries, logs, etc. may be attacked These changes may indicate active malware Detecting these changes can be difficult What if the tools to do the detection are changed? This is a security problem... If these changes are detected, it's too late! 27

28 Prevention of Malware Malware spreads due to security flaws. Virii can spread when files that contain executable code are user-writable -- Separate code from data! Worms often spread through known network daemon insecurities Proper system security will help prevent malware infections 28

29 Securing a System Unfortunately, securing a system is difficult. New exploits (and classes of exploits) are discovered on a frequent basis Closed source systems cannot be examined by independent security experts Overworked system administrators may not have the time or expertise to keep all systems fully secure Users may not tolerate the restrictions that security requires "What? No attachments?!?" 29

30 Other Prevention Techniques Virus detectors (on host or on gateway systems) can be somewhat effective. These systems cannot reliably detect unknown malware These systems can help prevent the spread of known malware Systems must be deployed universally Systems must be kept up to date Polymorphic malware may not be reliably detected 30

31 Virus Scanners and Cleaners Known viruses (only) are detected. Virus scanners eat up processor time Scanners must be updated often There are infinitely many viruses. As they proliferate, a VIRUS.DAT file might get somewhat large. Evolutionary and polymorphic viruses exacerbate this problem. False positives are a problem. People don t use scanners reliably. Cleaning viruses (assuming it is even possible) is hard on a active system; the tail-chasing problem comes into play.

32 Restoration and Recovery Techniques Two cases exist: Well-known, non-destructive malware These programs may be deleted or excised from other programs All others, including destructive or unknown malware If malware is known, it may still be excised, but data/programs will have to be restored from backups If malware is unknown, the system will have to be completely wiped and reinstall from known clean media 32

33 Problems with Restoration Excision of known malware is simple. What about malware whose behavior is not fully understood? Several issues arise when restoring from backups: Are the backups clean of malware? Can prior polymorphic variants of the malware be detected reliably? What about the original media, and vendor-supplied patches? 33

34 Nontechnical Defenses Limit Sharing Limits functionality Isolate during known attacks Viruses may be time delayed No external data Hard to stop Sneakernet and Internet Clearinghouses Not all viruses will be caught Auditing Viruses almost always operate within allowed permissions Backups Not always reliable Aren t kept long enough Act as safe harbor for viruses (e.g. floppy backups)

35 What can we do? Consider highest exposures first Use strongest defenses feasible Be proactive in defense Rapid central reporting and response Keep good records, and analyze them Don t punish victims Procedural anti-virus policies can fail Training and education do help Defense-in-depth (synergism) works Don t put all your eggs in one basket

36 Historical Examples Some of the more infamous malware programs include: Early Virii Elk Cloner (infected Apple DOS) (c)brain (infected IBM-PC boot sectors, redirected queries of to boot sector to a backup of the original) Followed by Alameda, Cascade, etc., which were also able to infect.com and.exe files More Advanced Virii virus used variable encryption to deter substring detection; Whale virus, while ineffective, pioneers full polymorphism First Word macro virus, Concept, discovered in wild: "That's enough to prove my point" First Excel macro virus, XM.Laroux, discovered in wild; it becomes clear that the code/data overlap in Office documents will allow malware spread. 36

37 Historical Examples Worms Past and Present: Morris Worm exploits bugs in sendmail, fingerd, rsh/rexec and weak passwords on VAX and Sun 3 systems. Not deliberately malicious, but a code error brings down an estimated 6,000 systems on the Internet The macro-based Melissa Worm spread by opening a user's Outlook addressbook and sending itself as an attachment (disguised as a joke) to the first 50 entries in the addressbook. 37

38 Historical Examples 2001, July - Code Red I begins spread by exploiting a hole in Microsoft IIS (which is on by default in Windows NT Server installations). Payload is DOS on www1.whitehouse.gov 2001, August - Code Red II (unrelated except in name to Code Red II) begins spread by another buffer overflow. Upon infection, a backdoor is installed, and worm is dormant for a day. Then, the machine is rebooted, and new machines are attacked, with "nearby" IP addresses being probed first. Damage is estimated at near $1b, and BGP routers exhibit instability during worm's most active phase. 38

39 Nimda 2001, September - Nimda begins its spread. Nimda (admin spelled backwards) is a worm/virus that spreads in several ways, and can potentially infect all versions of Windows: Known exploits in IIS and PWS (Personal Web Server) are exploited Sent as attachment, which will auto-run when opened on unpatched machines When in control of a web server, Nimda appends JavaScript to a client's requested pages that loads "README.EML" onto the client machine Propogation via writable Windows File Shares Nimda installs backdoors, modifies the registry, and trojans numerous system binaries. Cleaning is nearly impossible. 39

40 Areas of Research Detection Monitoring for unusual network traffic Monitoring for unusual system behavior Prevention New security paradigms Modeling Infection, immunization, and rates of spread and propagation 40

41 References Virus and Worm Information A Short Course on Computer Viruses, by Fred Cohen SecurityFocus's Virus Info Archive, McAfee's Virus Information Library, alt.comp.virus FAQ, IBM Antivirus Online, Security Resources CERT Coordination Center, CIAC, SANS, Tripwire Data Integrity Checker, 41