Malicious Software CSCI 454/554. Malicious Software

Transcription

1 Malicious Software CSCI 454/554 Malicious Software 1

2 Trapdoors w secret entry point into a program w allows those who know access bypassing usual security procedures w have been commonly used by developers w a threat when left in production programs allowing exploited by attackers w very hard to block in O/S w requires good s/w development & update Logic Bomb w one of oldest types of malicious software w code embedded in legitimate program w activated when specified conditions met n n eg presence/absence of some file particular date/time n particular user w when triggered typically damage system n modify/delete files/disks 2

3 Trojan Horse w program with hidden side-effects w which is usually superficially attractive n eg game, s/w upgrade etc w when run performs some additional tasks n allows attacker to indirectly gain access they do not have directly w often used to propagate a virus/worm or install a backdoor w or simply to destroy data Zombie (bot) w program which secretly takes over another networked computer w then uses it to indirectly launch attacks w often used to launch distributed denial of service (DDoS) attacks w exploits known flaws in network systems 3

4 Bot Remote Control Facility w distinguishes a bot from a worm l worm propagates itself and activates itself l bot is initially controlled from some central facility w typical means of implementing the remote control facility is on an IRC server l bots join a specific channel on this server and treat incoming messages as commands l more recent botnets use covert communication channels via protocols such as HTTP l distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure Viruses w a piece of self-replicating code attached to some other code n cf biological virus w both propagates itself & carries a payload n carries code to make copies of itself n as well as code to perform some covert task 4

5 Virus Operation w virus phases: n dormant waiting on trigger event n propagation replicating to programs/disks n triggering by event to execute payload n execution of payload w target at specific machine/os n exploiting features/weaknesses Types of Viruses w parasitic virus w memory-resident virus w boot sector virus w stealth w polymorphic/metamorphic virus w macro virus w virus 5

6 Macro Virus w macro virus infects documents (data files), not executable files n macro code embedded in word processing file w macro virus is platform independent w is a major source of new viral infections w blurs distinction between data and program files making task of detection even harder w classic trade-off: "ease of use" vs "security" Virus w spread using with attachment containing a macro virus n e.g Melissa w triggered when user opens attachment w or worse even when mail viewed by using scripting features in mail agent w usually targeted at Microsoft Outlook mail agent & Word/Excel documents 6

7 Worms w replicating but not infecting program w typically spreads over a network n cf Morris Internet Worm in 1988 w using users distributed privileges or by exploiting system vulnerabilities w widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS w major issue is lack of security of connected systems, esp PC's Worm Operation w worm phases like those of viruses: n dormant n propagation l search for other systems to spread l establish connection to target remote system l replicate self onto remote system n triggering n execution 7

8 Worm Attacks w Code Red n exploited buffer overflow in MS IIS to penetrate & spread n probes random IPs for systems running IIS n 2 nd wave infected servers in 14 hours w Code Red 2 n had backdoor installed to allow remote control w Nimda n MS Outlook, IE, IIS n search strategy: island hopping l 50% same first two octets l 25% same first octet l 25% completely random IP w Sapphire Worm (Slammer, January 2003) (UDP-based) n two orders magnitude faster than the Code Red worm n Buffer overflow in MS SQL Server Spread of Sapphire Worm 8

9 Mobile Phone Worms w First discovery was Cabir worm in 2004 n Then Lasco and CommWarrior in 2005 w Communicate through Bluetooth wireless connections or MMS w Target is the smartphone n can completely disable the phone, delete data on the phone, or force the device to send costly messages n CommWarrior replicates by means of Bluetooth to other phones, sends itself as an MMS file to contacts and as an auto reply to incoming text messages Buffer Overflow w Most common cause of Internet attacks n Over 50% of advisories published by CERT (computer security incident report team) are caused by various buffer overflows w Buffer is a data storage area inside computer memory (stack or heap) n Intended to hold pre-defined amount of data l If more data is stuffed into it, it spills into adjacent memory n If executable code is supplied as data, victim s machine may be fooled into executing it we ll see how l Code will self-propagate or give attacker control over machine 9

10 Stack Buffers w Suppose Web server contains this function void func(char *str) { char buf[126]; strcpy(buf,str); } Allocate local buffer (126 bytes reserved on stack) Copy argument into local buffer w When this function is invoked, a new frame with local variables is pushed onto the stack Top of stack Stack grows this way Frame of the calling function buf sfp ret addr str Local variables Pointer to previous frame Execute Arguments code at this address after func() finishes What If Buffer is Overstuffed? w Memory pointed to by str is copied onto stack void func(char *str) { char buf[126]; strcpy does NOT check whether the string at *str contains fewer than 126 characters strcpy(buf,str); } w If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations Top of stack Frame of the calling function buf overflow str This will be interpreted as return address! 10

11 Executing Attack Code w Suppose buffer contains attacker-created string Top of stack Frame of the calling function code ret str Attacker puts actual assembly instructions into his input string, e.g., binary code of execve( /bin/sh ) In the overflow, a pointer back into the buffer appears in the location where the system expects to find return address w When function exits, code in the buffer will be executed, giving attacker a shell n Root shell if the victim program is setuid root Preventing Buffer Overflow w Use safe programming languages, e.g., Java n What about legacy C code? w Mark stack as non-executable w Randomize stack location or encrypt return address on stack by XORing with random string n Attacker won t know what address to use in his string w Static analysis of source code to find overflows w Run-time checking of array and buffer bounds n StackGuard, libsafe, many other tools w Black-box testing with long strings 11

12 DDoS Attacks Attacker/Client Attacker/Client Handler Handler Handler Handler Handler Zombie Zombie Zombie Zombie Zombie Zombie Zombie Zombie Zombie Zombie Victim Source Address Spoofing l use forged source addresses l usually via the raw socket interface on operating systems l makes attacking systems harder to identify l Reflection attack: attacker generates large volumes of packets that have the victim system as the destination address 12

13 Attacker Server Spoofed Client TCP SYN Spoofing Attack Send SYN with spoofed src (seq = x) 1 Send SYN-ACK (seq = y, ack = x+1) Resend SYN-ACK after timeouts 2 SYN-ACK s to non-existant client discarded Assume failed connection request Figure7.3 TCP SYN Spoofing Attack Reflection Attacks l attacker sends packets to a known service on the intermediary with a spoofed source address of the actual victim system l when intermediary responds, the response is sent to the target l reflects the attack off the intermediary (reflector) 13

14 Reflection Attacks DoS Attack Defenses four lines of defense against DDoS attacks attack prevention and preemption before attack l these attacks cannot be prevented entirely l high traffic volumes may be legitimate l high publicity about a specific site l activity on a very popular site l described as slashdotted, flash crowd, or flash event attack detection and filtering during the attack attack source traceback and identification during and after the attack attack reaction after the attack 14

15 Virus Countermeasures w viral attacks exploit lack of integrity control on systems w to defend need to add such controls w typically by one or more of: n prevention - block virus infection mechanism n detection - of viruses in infected system n reaction - restoring system to clean state Host-based Behavior-Blocking Software w integrated with host O/S w monitors program behavior in real-time n eg file access, disk format, executable mods, system settings changes, network access w for possibly malicious actions n if detected can block, terminate, or seek ok w but malicious code runs before detection 15

16 Generations of Anti-Virus Software first generation: simple scanners requires a malware signature to identify the malware limited to the detection of known malware second generation: heuristic scanners uses heuristic rules to search for probable malware instances another approach is integrity checking third generation: activity traps memory-resident programs that identify malware by its actions rather than its structure in an infected program fourth generation: full-featured protection packages consisting of a variety of anti-virus techniques used in conjunction include scanning and activity trap components and access control capability Worm Countermeasures w perimeter network activity and usage monitoring can form the basis of a worm defense w worm defense approaches include: n signature-based worm scan filtering n filter-based worm containment n payload-classification-based worm containment n threshold random walk (TRW) scan detection n rate limiting n rate halting 16

17 Summary w have considered: n various malicious programs n trapdoor, logic bomb, trojan horse, zombie n viruses n worms and DDoS attacks n countermeasures 17