Malware
Björn Victor, 1 Feb 2013
Speaker notes: Ask Sofia if anything is unclear/too difficult with the lab. Coordinate meetings between you? BadStore: demo version. New York Times, Wall Street Journal attacks from China, possibly to find sources of news about China and its leadership. New US foreign affairs: cyberwar warnings.
[Based on Stallings & Brown]
Summary
- Types: virus, worm, trojan
- Virus infection types
- Worm replication techniques
- Effects: damage, blackmail, bots, theft
- Countermeasures
[Table 6.1] Terminology for Malicious Software (Malware)
Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Attack kit: Set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.
Auto-rooter: Malicious hacker tools used to break into new machines remotely.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality in a program, or onto a compromised system.
Downloaders: Code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package.
Drive-by-download: An attack using code on a compromised web site that exploits a browser vulnerability to attack a client system when the site is viewed.
Trojan horse: ... system entity that invokes the Trojan horse program.
Virus: Malware that, when executed, tries to replicate itself into other executable machine or script code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Flooders (DoS client): Used to generate a large volume of data to attack networked computer systems, by carrying out some form of denial-of-service (DoS) attack.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system.
Keyloggers: Captures keystrokes on a compromised system.
Logic bomb: Code inserted into malware by an intruder. A logic bomb lies dormant until a predefined condition is met; the code then triggers an unauthorized act.
Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.
Macro virus: A type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to
Aspects/classes
- How does it spread? (speaker note: stop and ask) actively, through users, at execution
- What does it do? damage, theft of info, become a bot
- Self-contained or parasitic? worm/trojan/bot vs. virus
Viruses
Virus
- Modifies programs to include a virus copy
- Spreads by USB sticks, PDF/Flash/Office
- Executes when host program is run
- Typically OS and hardware specific
[Figure 6.1] Typical virus pseudocode (speaker note: explain slowly)

program V :=
  {goto main;
   1234567;
   subroutine infect-executable :=
     {loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567)
        then goto loop
        else prepend V to file;
     }
   subroutine do-damage :=
     {whatever damage is to be done}
   subroutine trigger-pulled :=
     {return true if some condition holds}
   main: main-program :=
     {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}
   next:
  }

Figure labels: program V (virus); Original program
Size change can be detected!
Compression virus

program CV :=
  {goto main;
   01234567;
   subroutine infect-executable :=
     {loop:
      file := get-random-executable-file;
      if (first-line-of-file = 01234567) then goto loop;
      (1) compress file;
      (2) prepend CV to file;
     }
   main: main-program :=
     {if ask-permission then infect-executable;
      (3) uncompress rest-of-file;
      (4) run uncompressed file;}
  }

Figure 6.2 Logic for a Compression Virus. Figure labels: Original program; Virus (CV); Compressed original
(Can still be detected - how?)
Virus infections
- boot record on hard disk: executed when system is booted
- executable file: runs when program is run
- macro virus: application script (e.g. Office), runs when document is opened
- Plus combinations
How does it hide?
- Goal: hide from detection, e.g. by signature (structure)
- polymorphic (mutates each time it infects)
- encrypted (partly)
- metamorphic (may change both behaviour and appearance)
- more advanced stealth techniques
- rootkits: modify system to prevent detection
Macro virus
- Documents may include code/macros (e.g. Excel, Word, PDF) interpreted when document is opened/viewed
- Examples: Visual Basic, JavaScript
- Often spreads by email
- Separate code from data!
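Added example for this lecture (not from the slides or from Stallings & Brown): the "separate code from data" point in practice. A mail gateway or upload handler should decide whether a document carries macro code by looking inside the container, not at the file extension. The assumption is that Office Open XML files (.docx/.docm/.xlsm/.pptm) are zip archives and that an embedded VBA project is stored as an archive member named vbaProject.bin (for Word: word/vbaProject.bin); the sample documents below are constructed in memory and their XML bodies are placeholders.

```python
"""Detect embedded VBA macros in Office Open XML documents by inspecting the container.

Added example for the lecture, not from the slides or from Stallings & Brown.
Assumption (labelled): OOXML files are zip archives and a VBA project is stored
as an archive member named vbaProject.bin. Sample documents are constructed below.
"""
import io
import zipfile
from typing import Dict, List

MACRO_PART = "vbaproject.bin"


def macro_parts(data: bytes) -> List[str]:
    """Archive members that hold a VBA project (empty list if none).

    Raises ValueError for data that is not a zip archive, e.g. a legacy
    binary .doc or a file that merely carries an Office extension.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(MACRO_PART)]


def has_macros(data: bytes) -> bool:
    return bool(macro_parts(data))


def classify(filename: str, data: bytes) -> str:
    """Gateway-style decision based on the content, not the extension:
    a file named .docx that carries a VBA project is still macro-bearing."""
    try:
        parts = macro_parts(data)
    except ValueError:
        return "reject: %s is not an OOXML container" % filename
    if parts:
        return "quarantine: %s carries macros (%s)" % (filename, ", ".join(parts))
    return "allow: %s has no macro part" % filename


def build_sample(parts: Dict[str, bytes]) -> bytes:
    """Construct a minimal zip 'document' for the demo; only member names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (placeholder XML bodies).
CLEAN_DOC = build_sample({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
MACRO_DOC = build_sample({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"placeholder bytes standing in for a VBA project",
})
# OLE2 compound-file header followed by padding: a legacy-format stand-in, not a zip.
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64


if __name__ == "__main__":
    for name, data in (("report.docx", CLEAN_DOC), ("invoice.docx", MACRO_DOC), ("old.doc", LEGACY_DOC)):
        print(classify(name, data))
```

The check is deliberately structural: it does not try to parse or interpret the macro code itself, only to establish that code is present in what the user believes is a data file, which is exactly the separation the slide asks for.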
Mobile phones
- Bill Shocker: virus attacking Android phones
- Impact: 620,000 users in China
- Sends spam & text msgs to profit advertisers
- 38% of Chinese iOS users jailbroken
- App Store, Google Play difficult to access (censorship)
- New market for anti-virus!
- http://www.net-security.org/malware_news.php?id=2391
Worms
Worms
- Actively seeks new machines to infect
- Spreads by network, USB sticks, email
Worm replication
- email, instant messaging (as attachment)
- file sharing, e.g. by auto-run feature when inserting media (USB stick, CD, DVD)
- network protocol flaws (remote procedure calls, login, file transfer etc.)
Classic: the Morris worm
- The first Internet worm, Nov 2, 1988
- Intention: peaceful visit to all hosts on Internet
- Problem: bug in worm, hosts multiply infected
- Result: major DoS attack (10% of net, only Sun 3 and VAX machines)
Morris exploits
- Remote login: try host-based authentication (no password needed), password cracking
- Buffer overflow in finger protocol server: room for 512 bytes, send 536 (with VAX machine code)
- Trapdoor for debugging in common mail server
- + send code/commands to receive worm; execute and repeat
More recent worms
- 1998: Melissa (email attack)
- 2001: Code Red (MS web server)
- 2003: SQL Slammer (buffer overflow in SQL server)
- 2004: Mydoom (mass-mailing)
- 2008: Conficker (Windows, buffer overflow)
- 2010: Stuxnet (Iranian nuclear industry)
Trojans
- Where is a really good place for a trojan?
- Example: SSH server process (daemon)
  - backdoor: let in a hardcoded password and ssh key
  - log all usernames/passwords, send to attacker (currently Iceland)
- Similar attack at UU years ago
- http://blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords
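Added example (not from the slides or from Stallings & Brown) tying together the "size change can be detected!" remark under Figure 6.1, the "can still be detected - how?" question under Figure 6.2, and the trojaned sshd above: an integrity baseline. Each executable is fingerprinted by size and SHA-256 once, from a known-good state, and re-verified later. A parasitic virus that prepends itself changes both size and hash; a compression virus or a replaced daemon binary can keep the size but still changes the hash. Everything below runs in a temporary directory on constructed stand-in files; the file names (host.bin, sshd, ls) are illustrative, not real system paths.

```python
"""Integrity baseline for executables: record size + SHA-256, re-verify later.

Added example for the lecture, not from the slides or from Stallings & Brown.
The demo uses constructed files in a temporary directory; no system files are touched.
"""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Size plus SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(paths):
    return {p: fingerprint(p) for p in paths}


def save_baseline(baseline, out_path):
    # In real use this file must live where malware on the host cannot rewrite it
    # (read-only media, a separate machine); otherwise the check is worthless.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def verify(baseline):
    """Compare current state with the baseline; return {path: finding} for changes only."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        now = fingerprint(path)
        if now == expected:
            continue
        if now["size"] != expected["size"]:
            findings[path] = "size %d -> %d, hash changed" % (expected["size"], now["size"])
        else:
            findings[path] = "same size, hash changed"
    return findings


def demo():
    """Constructed scenario: baseline three stand-in executables, then alter two of them."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host.bin")
        sshd = os.path.join(d, "sshd")
        untouched = os.path.join(d, "ls")
        for p in (host, sshd, untouched):
            with open(p, "wb") as f:
                f.write(os.urandom(4096))  # random bytes stand in for real code
        base_file = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([host, sshd, untouched]), base_file)

        # 1. Figure 6.1 case: something is prepended to host.bin, so size and hash change.
        with open(host, "rb") as f:
            original = f.read()
        with open(host, "wb") as f:
            f.write(b"1234567\n" + original)
        # 2. Trojaned-daemon case: sshd is replaced by different bytes of the same length,
        #    so only the hash changes (a size check alone would miss it).
        with open(sshd, "wb") as f:
            f.write(os.urandom(4096))

        return verify(load_baseline(base_file))


if __name__ == "__main__":
    for path, finding in demo().items():
        print(os.path.basename(path), "->", finding)
```

The second case is the answer to "can still be detected - how?": the size stays plausible, but the hash does not, which is why generation-2 scanners keep integrity checksums rather than sizes. The baseline itself has to be protected, since a rootkit that can rewrite the executables can usually rewrite a baseline stored next to them.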
Drive-by downloads
- Click, download virus, lose
- Not necessarily this obvious/visible
Social engineering http://geobandwm.com/im
Effects/payload
- Damages: corrupt file system, empty files, rewrite BIOS, destroy boot sector
- Ransomware: encrypt user data, ask for payment to get decryption key
- Real-world: industrial espionage/sabotage (Stuxnet, Duqu, Flame)
- Effects may trigger at a date or other condition
Botnets
- (Ro)bot: remote-controlled code installed by virus/worm/etc.
- Botnet: thousands of bots for coordinated attacks: DDoS, spamming, keylogging
- BIG BUSINESS! Rent your own botnet to take down competitors!
Countermeasures
Countermeasures
- Prevention (ideally), for example:
  - keep system up-to-date
  - do not use Admin/root accounts except when necessary (least privilege principle)
  - do not jailbreak your phone/device
- Detection, identification, removal
  - anti-virus/malware software: big business
- Sandboxing: later in the course
Anti-virus generations
1. Simple scanners: detect known malware by signature (structure, size changes etc.)
2. Heuristic scanners: clever tricks, common code fragments, integrity checksums
3. Detect by actions/behaviour of malware (instead of code/structure)
4. Generic decryption: run code in emulator, let virus decrypt itself and then detect it
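Added example (not from the slides or from Stallings & Brown) of a generation-1 signature scanner, with the small step toward generation 2 that wildcard bytes give. The signature database is constructed for this example: two entries are the reinfection markers the Figure 6.1 and 6.2 pseudocode writes as the first line of every file it infects, and the third shows a pattern with "??" wildcards. The sample "files" are constructed byte strings, not real programs.

```python
"""Signature scanner over byte patterns with "??" wildcards.

Added example for the lecture, not from the slides or from Stallings & Brown.
Signatures and sample files below are constructed for illustration.
"""
import re

# name -> hex pattern; "??" matches any single byte.
SIGNATURES = {
    "Lecture.V.marker": "31 32 33 34 35 36 37",        # "1234567", Figure 6.1 marker
    "Lecture.CV.marker": "30 31 32 33 34 35 36 37",    # "01234567", Figure 6.2 marker
    "Demo.Wildcard": "4D 5A ?? ?? 45 56 49 4C",        # "MZ" + 2 any bytes + "EVIL"
}


def compile_signature(hex_pattern):
    """Turn a spaced hex pattern into a bytes regex; "??" becomes a one-byte wildcard."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data):
    """Names of all signatures found anywhere in data, sorted for stable output."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_files(files):
    """files: {filename: bytes}. Returns {filename: [signature names]} for hits only."""
    report = {}
    for name, data in files.items():
        hits = scan_bytes(data)
        if hits:
            report[name] = hits
    return report


# Constructed sample files. Note that "01234567" contains "1234567", so the
# CV-infected sample also triggers the V signature: real databases must deal
# with such overlaps, and a bare marker like this is a weak signature on its own.
SAMPLE_FILES = {
    "clean.exe": b"MZ\x90\x00 harmless program text",
    "infected-by-V.exe": b"1234567\ngoto main ... original program follows",
    "compressed-by-CV.exe": b"01234567\n<compressed original>",
    "variant.exe": b"MZ\x01\x02EVIL",
    "lookalike.exe": b"7654321\n original",
}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(name, "->", ", ".join(hits))
```

The limits of this generation follow directly from the code: it only finds byte sequences it already knows, so a polymorphic or encrypted body (slide "How does it hide?") carries none of the stored patterns and is missed, which is what generations 3 and 4 (behaviour, generic decryption in an emulator) address.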
Serious approach [Figure 6.7]
Summary
- Types: virus, worm, trojan
- Virus infection types
- Worm replication techniques
- Effects: damage, blackmail, bots, theft
- Countermeasures
- Also read about rootkits
Monday: Network-related security
Please browse chapters 7, 8, 9