Ch. 7 Malicious Software (Malware)

Homework
- HW_Ch6, due on 3/11 (Wed): review questions 6.2, 6.6, 6.7, 6.9; problems 6.6, 6.7, 6.8
- HW_Ch7, due on 3/18 (Wed): review questions 7.2, 7.3, 7.4, 7.5, 7.6; problems 7.1, 7.2, 7.3, 7.6

Malware
- "Male-ware"? Partially true
- Malicious software exploits system vulnerabilities
- Program fragments that need a host program
  » e.g. viruses, logic bombs, and backdoors
- Independent, self-contained programs run by the OS
  » e.g. worms, bots
- Actively replicating or not
- A sophisticated threat to computer systems

Malware Terminology
- Backdoor (trapdoor): secret maintenance hooks; privileged/unauthorized access
- Logic bomb: embedded code with a trigger condition
- Trojan horse: hidden code that opens access or damages data; compiler example
- Mobile code: Java applets, ActiveX, JavaScript, VBScript
- Virus: executes to infect other code
- Worm: replicates itself to other hosts
- Exploits: code targeting a certain vulnerability
- Auto-rooter kit: to break into other machines remotely
- Spammer and flooder programs
- Keyloggers, spyware, adware
- Rootkit: set of hacker tools to gain root-level access
- Zombie, bot: program activated to attack others
- Multiple-threat malware: combines several infection methods
  » Nimda: email, Windows file share, web servers, web clients
Viruses
- A piece of software that infects other programs, modifying them to include a copy of the virus so that it executes secretly when the host program is run
- Spread by contact: floppy, email, file share, web, etc.
- Specific to operating system and hardware, taking advantage of their details and weaknesses
- A typical virus goes through the phases:
  » Dormant
  » Propagation: copies itself
  » Triggering: system events
  » Execution: benign or harmful

Virus Structure
- Components:
  » Infection mechanism: enables replication
  » Trigger: event that makes the payload activate
  » Payload: what it does, malicious or benign
- Prepended / postpended / embedded into a program
- When the infected program is invoked, it executes the virus code, then the original program code
- We can block initial infection or propagation
  » Blocking initial infection is difficult: the virus is unknown at first
- With access control on PCs, fewer virus bursts have been seen recently
Sample Virus Structure

    program V :=
    {goto main;
        1234567;

        subroutine infect-executable :=
            {loop:
             file := get-random-executable-file;
             if (first-line-of-file == 1234567)
                 then goto loop
                 else prepend V to file;
            }

        subroutine do-damage :=
            {whatever damage is to be done}

        subroutine trigger-pulled :=
            {return true if some condition holds}

    main:
        main-program :=
            {infect-executable;
             if trigger-pulled then do-damage;
             goto next;}

    next:
    }

Compression Virus

    program CV :=
    {goto main;
        01234567;

        subroutine infect-executable :=
            {loop:
             file := get-random-executable-file;
             if (first-line-of-file = 01234567) then goto loop;
             (1) compress file;
             (2) prepend CV to file;
            }

    main:
        main-program :=
            {if ask-permission then infect-executable;
             (3) uncompress rest-of-file;
             (4) run uncompressed file;}
    }
Virus Classification
- Classification by the target to infect and by the method used to conceal itself
- Based on target:
  » Boot sector
  » File infector: OS or shell programs
  » Macro virus: files interpreted by an application
- Based on concealment:
  » Encrypted virus: encrypted with a random key
  » Stealth virus
  » Polymorphic virus: mutates on every infection
  » Metamorphic virus: mutates on every infection; rewrites itself at each iteration; may change behavior

Macro Virus
- Became very common in the mid-1990s since:
  » Platform independent
  » Infects documents
  » Easily spread
- Exploits the macro capability of office apps: an executable program embedded in an office doc, often in a form of the macro language Basic
- New releases of office apps include protection
- Macros recognized by many anti-virus programs
- Run scripts in a sandbox to see what happens
- No longer the predominant threat
E-Mail Viruses
- A more recent development, e.g. Melissa
  » Exploits an MS Word macro in an attached doc
  » If the attachment is opened, the macro is activated
  » Sends email to everyone on the user's address list and does local damage
- Then saw versions triggered by merely reading email, hence much faster propagation
  » In hours, instead of months
  » Much harder to fight

Virus Countermeasures
- Prevention: the ideal solution but difficult
  » How to stop the flu virus? Over 200 known ones
- Realistically we need:
  » Detection: detect and understand the virus
  » Identification: where in an infected program
  » Removal: restore files to their original states
- If we detect but can't identify or remove, we must discard and replace the infected program
Anti-Virus Evolution
- Virus and anti-virus technology have both evolved
- Early viruses: simple code, easily removed
- As viruses become more complex, so must the countermeasures
- Four generations:
  » First: specific signature scanners
  » Second: not specific signatures, but heuristics: fragments of code; integrity checks with secret keys
  » Third: memory-resident program identifying actions using activity traps: no need for signatures or code-segment heuristics
  » Fourth: combination packages: scanner, activity traps, access control

Advanced Anti-virus: Generic Decryption
- Runs executable files through a GD scanner
- As a polymorphic virus needs to decrypt itself, we can detect such events using:
  » CPU emulator to interpret instructions: not a real run, no real damage
  » Virus scanner to check known virus signatures
  » Emulation control module to manage the process
- Lets the virus decrypt itself in the interpreter, periodically scanning for virus signatures
- Issue: the time taken to interpret and scan; tradeoff between chance of detection and time delay
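Added example (not from the slides or from any anti-virus product) of the second-generation "integrity check with secret keys": each protected file is tagged with an HMAC under a key the host itself does not store, so a virus that prepends, appends or embeds itself changes the file bytes and cannot recompute a matching tag. The key value, the file names and the "infection" are constructed for the demo.

```python
"""Keyed file integrity check (second-generation anti-virus idea).

Added example, not from the lecture. Assumes a secret key kept off the
protected host (here a constructed placeholder) and uses HMAC-SHA256 so an
attacker who modifies a file cannot forge a matching tag without the key.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed placeholder key; a real deployment keeps it on removable
# media or a management server, never on the host being checked.
SECRET_KEY = b"example-integrity-key-not-for-production"


def file_tag(path, key=SECRET_KEY):
    """Return the HMAC-SHA256 tag of a file's contents under the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(paths, key=SECRET_KEY):
    """Compute tags once, on a system believed to be clean."""
    return {p: file_tag(p, key) for p in paths}


def verify(baseline, key=SECRET_KEY):
    """Recompute tags and return the paths whose contents changed.

    A prepended/postpended/embedded virus alters the file bytes, so the tag
    no longer matches. Files missing from disk are reported as changed too.
    """
    changed = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            changed.append(path)
            continue
        if not hmac.compare_digest(file_tag(path, key), expected):
            changed.append(path)
    return changed


def demo():
    """Baseline two constructed files, alter one like a prepending infector
    would, and return what verify() reports."""
    workdir = tempfile.mkdtemp()
    clean = os.path.join(workdir, "clean.bin")
    victim = os.path.join(workdir, "victim.bin")
    for p in (clean, victim):
        with open(p, "wb") as f:
            f.write(b"\x7fELF original program bytes")
    baseline = build_baseline([clean, victim])
    with open(victim, "rb") as f:
        original = f.read()
    with open(victim, "wb") as f:
        f.write(b"PREPENDED-BYTES" + original)   # constructed modification
    return verify(baseline)   # -> [victim]


if __name__ == "__main__":
    print("changed files:", demo())
```

Unlike a plain hash list, the keyed tag cannot be regenerated by malware that has read access to the baseline, which is why the generation used a secret key; the weak point is then the key's storage, not the check itself.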
Digital Immune System
- Goal: fast response to spread via (1) email and (2) mobile programs
- Developed by IBM and refined by Symantec
- (1) find suspicious code; (2) send it to an analysis machine; (3) emulate it in a safe environment and generate a prescription P; (4), (5), and (6) distribute P; (7) send P to other subscribers to stop the spread

Behavior-Blocking Software
- Blocks before spread, in real time, without signatures or heuristics
- Monitors attempts to: modify files, disks, programs or system settings; script email/IM; initiate communications
Worms
- Actively replicating program that propagates over the net using email, remote execution, remote login
- Has phases like a virus: dormant, propagation, triggering, execution
- Differs in the propagation phase: searches for other systems, connects to one, copies itself to it and runs
- May disguise itself as a system process
- Concept seen in Brunner's "Shockwave Rider"; implemented by Xerox Palo Alto labs in the 1980s to search for idle systems to run programs on

Morris Worm
- One of the best known worms: http://snowplow.org/tom/worm/worm.html
- Released by Robert Morris in 1988
- Various attacks on UNIX systems:
  » Cracking the password file to use login/password to log on to other systems
  » Exploiting a bug in the finger protocol
  » Exploiting a bug in sendmail
- If successful, it had remote shell access and sent a bootstrap program to copy the worm over
Worm Propagation Model
- Why phases? How should we deal with it?

Recent Worm Attacks
- Code Red, July 2001
  » Exploiting an MS IIS bug
  » Probes random IP addresses, does DDoS attack
  » Consumes significant net capacity when active: 360,000 servers in 14 hours
- Code Red II variant includes a backdoor
- SQL Slammer, http://www.cs.ucsd.edu/~savage/papers/ieeesp03.pdf
  » Jan 2003, attacks MS SQL Server
  » Compact and very rapid spread: 10 minutes
- Mydoom
  » Mass-mailing e-mail worm that appeared in 2004
  » Installed a remote access backdoor in infected systems
  » 1000 times per minute, 100M infected messages in 36 hrs
- Search worm: using DNS or Google to spread
- P2P-based worm: Storm worm
- Worms for smart phones: MMS
Worm Technology
- Multiplatform: Win, UNIX
- Multi-exploit: web servers, browsers, email, file sharing, IM, and other net apps
- Ultrafast spreading: prepare a hit-list
- Polymorphic: each instance is generated on the fly
- Metamorphic: changes appearance and behavior patterns
- Transport vehicles of large-scale attacks
- Zero-day exploit: unknown before the worm is launched

Worm Countermeasures
- Overlaps with anti-virus techniques
- Once a worm is on a system, A/V can detect it
- Worms also cause significant net activity
- No existing technique can satisfy all requirements:
  » Generality: to a variety of worms
  » Timeliness: to respond quickly
  » Resiliency: to evasion
  » Minimal denial-of-service cost: not overload the protected system
  » Transparency: not require changes to existing systems
  » Global and local coverage: deal with both external and internal spread
Worm Defense Approaches
- Signature-based worm scan filtering
  » Generate worm scanning signature: Autograph, Polygraph, Earlybird
  » Slow to respond to polymorphic worms
- Filter-based worm containment
  » Examine worm content signature at hosts: Vigilante, Shield
- Payload-classification-based worm containment
  » Examine packets in the net, look for control and data flow structure
- Threshold random walk scan detection
  » Detect scanners quickly
- Rate limiting
  » Limit the number of connections in a period; not for slow worms
- Rate halting
  » Block outgoing traffic when exceeding a threshold
  » Proper recovery scheme needed

Host-based Proactive Worm Containment (PWC)
- PWC agent at a host monitors outgoing scan activity and detects a surge: (1) issue an alert; (2) block outgoing connections; (3) alert the manager; (4) start relaxation analysis
- PWC manager propagates the alert to other hosts
- A host acts on an alert by blocking outgoing ports and starting relaxation analysis
- Relaxation analysis: check whether outgoing connections in a window exceed a threshold. If so, keep blocking until the number of connections in a window falls below the threshold
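Two of the mechanisms from these two slides worked through in added example code (not from the lecture, Jung et al.'s TRW paper, or the PWC paper): a threshold random walk detector that runs a sequential hypothesis test on the success/failure of a host's first-contact connections, and a PWC-style agent that rate-halts outgoing connections and relaxes the block once a window again holds at most the threshold number of attempts. The probability parameters, thresholds and traffic records are constructed.

```python
"""Threshold random walk (TRW) scan detection and PWC-style rate halting.

Added example, not from the slides. Parameter values are assumptions.
"""
from collections import defaultdict, deque


class TRWDetector:
    """Flag a source as a scanner once its first-contact failures outweigh
    its successes by a likelihood ratio of beta/alpha (Wald's SPRT)."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        # theta0: P(first contact succeeds | benign host)
        # theta1: P(first contact succeeds | scanner)
        self.success_factor = theta1 / theta0              # 0.25
        self.failure_factor = (1 - theta1) / (1 - theta0)  # 4.0
        self.eta1 = beta / alpha                  # ratio above -> scanner
        self.eta0 = (1 - beta) / (1 - alpha)      # ratio below -> benign
        self.ratio = defaultdict(lambda: 1.0)
        self.contacted = defaultdict(set)
        self.verdict = {}

    def observe(self, src, dst, success):
        """Feed one connection attempt; return 'scanner', 'benign' or None."""
        if src in self.verdict:
            return self.verdict[src]
        if dst in self.contacted[src]:
            return None           # only first contacts carry evidence
        self.contacted[src].add(dst)
        self.ratio[src] *= self.success_factor if success else self.failure_factor
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


class PWCAgent:
    """Block outgoing connections once more than `threshold` attempts fall
    inside a sliding window of `window` seconds; relaxation analysis lifts
    the block when a window again holds at most `threshold` attempts."""

    def __init__(self, threshold=5, window=1.0):
        self.threshold = threshold
        self.window = window
        self.attempts = deque()
        self.blocked = False
        self.alerts = []

    def outgoing(self, t, dst):
        """Record an attempt at time t; return True if it is allowed through."""
        self.attempts.append(t)
        while self.attempts and self.attempts[0] <= t - self.window:
            self.attempts.popleft()
        count = len(self.attempts)   # blocked attempts still count: an
        if self.blocked:             # infected host keeps trying
            if count <= self.threshold:
                self.blocked = False
            return not self.blocked
        if count > self.threshold:
            self.blocked = True
            self.alerts.append((t, count))   # step (1): raise the alert
            return False
        return True


def run_trw_demo():
    """Constructed outcomes: 10.0.0.5 only hits closed ports, 10.0.0.9
    only reaches live servers. Returns the verdict per source."""
    det = TRWDetector()
    records = [("10.0.0.5", "10.0.1.%d" % i, False) for i in range(1, 6)]
    records += [("10.0.0.9", "10.0.2.%d" % i, True) for i in range(1, 6)]
    for src, dst, ok in records:
        det.observe(src, dst, ok)
    return dict(det.verdict)


def run_pwc_demo():
    """Constructed burst of 8 attempts in 0.8 s, then one attempt at t=3 s.
    Returns the per-attempt allow/deny decisions and the alert count."""
    agent = PWCAgent(threshold=5, window=1.0)
    decisions = [agent.outgoing(0.1 * i, "10.0.3.%d" % i) for i in range(8)]
    decisions.append(agent.outgoing(3.0, "10.0.3.99"))
    return decisions, len(agent.alerts)


if __name__ == "__main__":
    print(run_trw_demo())
    print(run_pwc_demo())
```

With these parameters four consecutive failed first contacts (ratio 4^4 = 256 > 99) are enough to flag a scanner, which is why TRW detects scanners quickly, while the PWC agent's window count is the quantity that relaxation analysis re-checks before unblocking.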
Network-Based Worm Defense
- Ingress and egress monitors
- Sensors deployed to capture worms, e.g. honeypots
- Send alerts to a correlation server
- Analysis in a protected environment: sandbox
- Test suspicious code on applications and find the vulnerability
- Generate a patch and update hosts

Rootkits
- Set of programs installed for admin access
- Malicious and stealthy changes to the host OS
- May hide its existence by subverting the reporting mechanisms for processes, files, registry entries, etc.
- Types:
  » Persistent: activates at system boot
  » Memory-based: no persistent code on the system
  » User mode: intercepts calls to APIs (application program interfaces) and modifies the returned results
  » Kernel mode: intercepts native API calls in kernel mode
- Installed by the user via a trojan or by an intruder on the system
- A range of countermeasures needed
- RootkitRevealer: compare the results obtained through the API with results obtained not through the API
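The RootkitRevealer idea of comparing an API view with a non-API view, as an added example (not the RootkitRevealer tool or code from the slides): on Linux the process list read from /proc stands in for the "API" view, and probing every PID with signal 0 is the raw view; a process present in the raw view but absent from /proc is being hidden. The Linux collection functions are assumptions about where the two views come from; the snapshot sets in demo_sets() are constructed.

```python
"""Cross-view hidden-process check (RootkitRevealer-style comparison).

Added example, not from the slides. Linux-specific collection; the
cross_view_diff() comparison itself is platform independent.
"""
import os
import sys


def pids_from_proc():
    """Process IDs as the filesystem API reports them (what `ps` uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_probe(max_pid=None):
    """Process IDs found by asking the kernel about each PID directly.

    kill(pid, 0) sends no signal; it only reports whether the PID exists.
    A user-mode rootkit that filters /proc listings does not affect this path.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)    # exists, just not ours to signal
    return found


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom).

    hidden:  only in the raw view, i.e. concealed from the API (suspicious)
    phantom: only in the API view, usually a process that exited between
             the two snapshots; reported so the operator can re-run
    """
    hidden = sorted(raw_view - api_view)
    phantom = sorted(api_view - raw_view)
    return hidden, phantom


def demo_sets():
    """Constructed snapshots: PID 4242 appears only in the raw view."""
    api_view = {1, 2, 1234, 1300}
    raw_view = {1, 2, 1234, 1300, 4242}
    return cross_view_diff(api_view, raw_view)   # -> ([4242], [])


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        hidden, phantom = cross_view_diff(pids_from_proc(), pids_by_probe())
        print("hidden from /proc:", hidden)
        print("exited since /proc snapshot:", phantom)
    else:
        print(demo_sets())
```

Probing the full pid_max range takes a few seconds in Python, and processes that start or exit between the two snapshots show up as noise, so a persistent entry across repeated runs is what deserves attention; a kernel-mode rootkit that hooks the signal path as well would defeat this particular raw view, which is the point of the slide's "range of countermeasures".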
Rootkit System Table Modification
- Modify the system call table
- Modify the system call table target
- Redirect the system call table

Bots and Botnets
- Bot, zombie, drone: an infected system controlled remotely by an attacker
- Botnet: a set of bots controlled by an attacker
- Uses of a botnet: DoS, spam, identity theft, keylogging, spreading malware, etc.
- Bot characteristics:
  » Remote control facility: via Internet Relay Chat (IRC), HTTP, DNS, Google, blogs, etc.
  » Spreading mechanism: attack software, vulnerability scanning; scanning strategy: random, hit-list, topological, local subnet
- Various countermeasures applicable:
  » Disrupt it during its formation
  » Take out the control center
Spamming Botnets

Name       Est. Bot #   Spam Capacity
Conficker  9,000,000    10 billion/day
Kraken       495,000     9 billion/day
Srizbi       450,000    60 billion/day
Bobax         85,000     9 billion/day
Rustock      150,000    30 billion/day
Cutwail      125,000    16 billion/day

Most Commonly Used Bot Families (2006)
(some slides modified from Usman Jafarey's talk)

Agobot (aka Forbot, Phatbot, Urxbot, Rxbot, Rbot)
- Most sophisticated
- Open source: 20,000 lines of C/C++ code
- IRC-based command/control
- Windows/Linux
- Large collection of target exploits: remote buffer overflow
- Key features:
  » Password-protected IRC client control interface
  » Remotely update and remove the installed bot
  » Execute programs and commands
  » Port scanner used to find and infect other hosts
  » DDoS attacks used to take down networks
  » Packet sniffer, keylogger, polymorphic code, rootkit installer
  » Information harvest: email addresses, software product keys, passwords
  » SMTP client: spam, spreading copies of itself
  » HTTP client: click fraud, DDoS attacks
SDBot
- Simpler than Agobot: 2,000 lines of C code
- Non-malicious at base: utilitarian IRC-based command/control
- Easily extended for malicious purposes: scanning, DoS attacks, sniffers, information harvesting, encryption

SpyBot
- < 3,000 lines of C code
- Possibly evolved from SDBot
  » Similar command/control engine
  » No attempts to hide malicious purposes

GT Bot
- Functions based on mIRC scripting capabilities
- HideWindow program hides the bot on the local system
- Features: port scanning, DoS attacks, exploits for RPC and NetBIOS
Botnet Basics
- Variance in codebase size, structure, complexity, implementation
- Convergence in the set of functions: possibility for defense systems effective across bot families
- Bot families extensible; Agobot likely to become dominant
- A new area, very little known; much research is going on

Botnet Control
- All of the above use IRC for command/control
- Disrupt IRC, disable bots:
  » Sniff IRC traffic for commands
  » Shut down channels used for botnets
  » IRC operators play a central role in stopping botnet traffic
  » Automated traffic identification required
- Future botnets may move away from IRC
  » New directions: HTTP, P2P, DNS, search engines, blogs, news forums
  » Move to P2P communication: Storm worm, detected in early 2007, probably the largest botnet, 10M and up!
  » Traffic fingerprinting still useful for identification
Bot Host Control
- Fortify the system against other malicious attacks
- Disable anti-virus software
- Harvest sensitive information: PayPal, software keys, etc.
- Economic incentives for botnets
- Stresses the need to patch/protect systems prior to attack
- Stronger protection boundaries required across applications in OSes

Propagation
- Horizontal scans: a single port across an address range
- Vertical scans: a single IP across a range of ports
- Current scanning techniques are simple: fingerprinting to identify scans
- Future methods: flash, more stealthy
- Source code examination
- Propagation models
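The horizontal/vertical distinction applied to flow records, as an added example (not from the slides) of the scan fingerprinting the Propagation slide mentions: a source that sends unanswered SYNs to one port on many hosts is horizontal, one that sends them to many ports on one host is vertical. The flow records and the threshold of 10 targets are constructed.

```python
"""Classify horizontal and vertical scans from flow records.

Added example, not from the lecture. Flow tuples are (src, dst, dport,
tcp_flags); "S" means a SYN with no reply seen, the usual scan footprint.
"""
from collections import defaultdict

# Constructed flow records.
FLOWS = [
    ("10.0.0.5", "10.0.1.%d" % i, 445, "S") for i in range(1, 21)    # horizontal
] + [
    ("10.0.0.7", "10.0.2.10", p, "S") for p in range(20, 40)         # vertical
] + [
    ("10.0.0.9", "10.0.2.10", 80, "SA"),                             # normal
    ("10.0.0.9", "10.0.2.11", 443, "SA"),
]


def classify_scans(flows, min_targets=10):
    """Return {src: {"horizontal": {port: n_hosts}, "vertical": {host: n_ports}}}
    for every source whose unanswered probes reach at least min_targets."""
    port_hosts = defaultdict(lambda: defaultdict(set))   # src -> port -> hosts
    host_ports = defaultdict(lambda: defaultdict(set))   # src -> host -> ports
    for src, dst, dport, flags in flows:
        if flags != "S":
            continue            # completed handshakes are not probes
        port_hosts[src][dport].add(dst)
        host_ports[src][dst].add(dport)
    result = {}
    for src in set(port_hosts) | set(host_ports):
        horiz = {p: len(h) for p, h in port_hosts[src].items() if len(h) >= min_targets}
        vert = {h: len(p) for h, p in host_ports[src].items() if len(p) >= min_targets}
        if horiz or vert:
            result[src] = {"horizontal": horiz, "vertical": vert}
    return result


if __name__ == "__main__":
    for src, shape in sorted(classify_scans(FLOWS).items()):
        print(src, shape)
```

The same counters feed a rate-limiting policy: a horizontal scanner is what a worm's random or hit-list spreading looks like from the edge, whereas a vertical scanner is usually reconnaissance against one box.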
Exploits and Attacks
- Agobot: has the most elaborate set; several scanners, various flooding mechanisms for DDoS
- SDBot: none in the standard version; UDP/ICMP packet modules usable for flooding; variants include DDoS
- SpyBot: NetBIOS attacks; UDP/TCP/ICMP SYN floods, similar to SDBot; variants include more
- GT Bot: RPC-DCOM exploits; ICMP floods; variants include UDP/TCP SYN floods

Countermeasures
- Required for protection: host-based anti-virus, network intrusion detection, prevention signature sets
- Future threats: more bots capable of launching multiple exploits
- Current damage:
  » DDoS highlights the danger of large botnets
  » Large-scale spamming campaigns show the long-term damage
  » Increased ID theft
Code Delivery
- Shell encoders for distribution
- Malware packaged in a single script
- Agobot separates exploits from delivery:
  » Exploit vulnerability: remote buffer overflow
  » Open shell on host
  » Then upload binary via HTTP or FTP
- Encoder can be used across multiple exploits: streamlines the codebase
- NIDS/NIPS need knowledge of shell codes and must perform simple decoding
- NIDS incorporate follow-up connection detection to counter the exploit/delivery separation

Obfuscation
- Hide details of network transmissions
- Only slightly provided by encoding: the same key is used in every encoding --> signature matching still works
- Polymorphism: generate random encodings, evades signature matching
- Agobot:
  » POLY_TYPE_XOR
  » POLY_TYPE_SWAP (swap consecutive bytes)
  » POLY_TYPE_ROR (rotate right)
  » POLY_TYPE_ROL (rotate left)
- NIDS/anti-virus eventually need to develop protection against polymorphism
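The "simple decoding" a NIDS must perform, worked through for the four Agobot encoding types listed above, as an added example that is not from the slides, from Agobot, or from any IDS: the inspector tries every candidate decoding of a payload (all 255 single-byte XOR keys, the byte swap, all 7 rotation amounts) and reports the first one under which a known signature appears. The signature, the plaintext and the encode_for_test() helper used to exercise the decoder are constructed.

```python
"""Candidate-decoding signature inspection for XOR / SWAP / ROR / ROL.

Added example, not from the lecture. Names of the four schemes follow the
POLY_TYPE_* constants on the slide; everything else is an assumption.
"""


def ror8(b, k):
    k %= 8
    return ((b >> k) | (b << (8 - k))) & 0xFF


def rol8(b, k):
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF


def decode(data, scheme, key=0):
    """Invert one encoding. XOR and SWAP are their own inverses; a sender's
    ROR by k is undone by ROL by k and vice versa."""
    if scheme == "xor":
        return bytes(b ^ key for b in data)
    if scheme == "swap":
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    if scheme == "ror":           # payload was rotated right by key
        return bytes(rol8(b, key) for b in data)
    if scheme == "rol":           # payload was rotated left by key
        return bytes(ror8(b, key) for b in data)
    raise ValueError(scheme)


def candidate_decodings(data):
    """Yield (scheme, key, plaintext) for every decoding worth trying.
    Note that ROL by k equals ROR by 8-k on bytes, so the first matching
    rotation is reported, not a unique one."""
    yield ("none", 0, data)
    yield ("swap", 0, decode(data, "swap"))
    for key in range(1, 256):
        yield ("xor", key, decode(data, "xor", key))
    for key in range(1, 8):
        yield ("ror", key, decode(data, "ror", key))
        yield ("rol", key, decode(data, "rol", key))


def inspect(payload, signature):
    """Return (scheme, key) of the first decoding containing the signature, else None."""
    for scheme, key, plain in candidate_decodings(payload):
        if signature in plain:
            return (scheme, key)
    return None


# Constructed "known bad" marker and a plaintext that carries it.
SIGNATURE = b"EXAMPLE-SIG"
PLAINTEXT = b"header" + SIGNATURE + b"trailer"


def encode_for_test(data, scheme, key=0):
    """Apply the forward transform (what a sender did) to check the decoder."""
    if scheme == "ror":
        return bytes(ror8(b, key) for b in data)
    if scheme == "rol":
        return bytes(rol8(b, key) for b in data)
    return decode(data, scheme, key)    # xor and swap are involutions


if __name__ == "__main__":
    for scheme, key in (("none", 0), ("xor", 0x5A), ("swap", 0), ("ror", 3)):
        print(scheme, key, "->", inspect(encode_for_test(PLAINTEXT, scheme, key), SIGNATURE))
```

The whole key space here is 255 + 1 + 7 candidates per packet, which is why single-byte polymorphism only "slightly" hides the payload: the cost is per-packet CPU, not a lost detection. Multi-byte keys or chained transforms grow that space quickly, which is the direction the slide's last bullet points at.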
Deception
- Detection evasion once installed, a.k.a. rootkits
- Agobot:
  » Debugger tests
  » VMware tests
  » Anti-virus process termination
  » Pointing DNS for anti-virus to localhost
- Shows merging between botnets/trojans/etc.
- Honeynet monitors must be aware of VM attacks
- Better tools for dynamic malware analysis
- Improved rootkit detection/anti-virus as deception improves

The Zombie Roundup Paper
- http://www.eecs.umich.edu/~emcooke/pubs/botnets-sruti05.pdf
Dramatic Escalation

Rise of Zombies
- We discuss

Botnet Example

Botnet History and Structure
Botnet: Bad and Big
- Some botnets have over 1 million bots
- Some are cut into smaller ones to sell separately
- 60,000 bots per day in 2007 and 2008 [Symantec]
- One estimate: one out of four home PCs is a bot
- Difficult to measure, trace, and take down

Botnet Measurements: Operators
Botnet Measurements: Honeypots

Detect and Stop Botnets

Prevent Infection

Detecting Communication

Detecting Future Bot Communication

Advanced Detection

Detecting Behaviour

Disrupting Botnets

Paper Summary