05 by yaoyufang


SCSC 455 Computer Security

2011 Summer

Chapter 5 Malware

   Malware Overview
   Virus
   Propagation of Viruses
   Worm
   Trojan Horses and other malware
   Methods against malware attacks

Malicious Software (Malware)

   Malicious software often masquerades as good
    software or attaches itself to good software
       Some malicious programs need host programs
           Trojan horses, viruses, logic bombs
       Others can exist and propagate independently
           Worms

   Goals of malware
       Destroy data
       Corrupt data
       Shutdown networks or systems

Malware classification
   Malicious software includes
       Virus
       Worm
       Trojan programs
       Spyware
       Adware


Virus propagation
   A virus propagates by infecting other programs
       It automatically creates copies of itself, but to propagate, a human
        has to run an infected program
       In contrast, self-propagating malicious programs are usually called
        worms

   Many propagation methods …
       Insert a copy into every executable (.COM, .EXE)
       Insert a copy into the boot sectors of disks
         E.g., the Stoned virus infected PCs booted from infected floppies,
           stayed in memory and infected every floppy inserted into the PC
       Infect TSR (terminate-and-stay-resident) routines
         By infecting a common OS routine, a virus can always stay in
           memory and infect all disks, executables, etc.
       Etc.

Virus Classification
   Stealth viruses
       Mutation
       Aliasing

   Macro viruses
       What is a macro?

   Polymorphic viruses
       Viruses that mutate and/or encrypt parts of their code with a
        randomly generated key
       Each copy may change the encryption routine, the sequence of
        instructions, or other aspects of the virus's behavior

    Details of each follow …
Virus Stealth Techniques
                                               [Shin, Jung, Balakrishnan]

   Mutation: virus has multiple binary variants
       Defeats naïve signature-based detection
       Used by the most successful (i.e., widespread) viruses
        e.g., Tanked: 62 variants, SdDrop: 14 variants

   Aliasing: virus places its copies under different
    names into the infected host's shared folder
    e.g., "ICQ Lite .exe", "ICQ Pro 2003b.exe", "MSN
      Messenger 5.2.exe"

Macro Viruses
   A macro virus is a virus encoded as a macro
       A macro is a list of commands, which can be used in
        destructive ways
       When an infected document is opened, the virus copies itself
        into the global macro file and makes itself auto-executing
       Most macro viruses are very simple. Even
        non-programmers can create macro viruses
         Instructions are posted on Web sites

(You will read more about macro viruses in reading article 3.)

Evolution of Polymorphic Viruses (1)

   Anti-virus scanners detect viruses by looking for signatures
       Signatures are snippets of known virus code

   Encrypted viruses: the virus consists of a constant decryptor,
    followed by the encrypted virus body
       Relatively easy to detect because the decryptor is constant
        and can itself serve as the signature
       E.g., Cascade (DOS), Mad (Win95), Zombie (Win95)

   Oligomorphic viruses: different copies of the virus carry different
    encryptions of the same body
       Small number of decryptors (96 for the Memorial virus)
       To detect, the scanner must know how the decryptors are generated
        (or carry a signature for each one)

Evolution of Polymorphic Viruses (2)

   Polymorphic viruses: constantly create new
    random encryptions of the same virus body
       The virus must contain a polymorphic engine for creating
        new keys and new encryptions of its body
       The decryptor itself is mutated in each generation, so there is
        no constant byte string left to use as a signature; some variants
        go further and omit an explicit key altogether, recovering it by
        brute-force search at run time
       Scanners respond by emulating the decryptor in a sandbox and
        then scanning the decrypted body
       E.g., Marburg (Win95), HPS (Win95), Coke (Win32)
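The following is an added illustration of the three stages just described (it is not code from the slides or from the cited papers). A toy "decryptor" bytecode stands in for a real x86 stub, a harmless ASCII string stands in for the virus body, and the keys, opcodes and signatures are all made up for the demonstration. It shows why a fixed signature catches the constant-decryptor and oligomorphic cases, why it misses every generation of the polymorphic case, and how emulating the decryptor gets the body back:

```python
import random

# Constructed stand-in for a virus body: plain text, not real malware code.
VIRUS_BODY = b"copy self into every .EXE; on day 20 flood the target host"
# A scanner signature is a snippet of the known (plaintext) body.
BODY_SIG = b"copy self into every .EXE"

# Toy decryptor "instruction set" standing in for a real machine-code stub.
OP_NOP, OP_KEY, OP_RUN = 0x90, 0x01, 0xFF
FIXED_KEY = b"\x5a\xa5\x3c\xc3"                        # encrypted virus: one key
OLIGO_KEYS = [b"\x11\x22", b"\x33\x44\x55", b"\x66"]   # oligomorphic: a few keys


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(key, rng=None):
    """Decryptor stub followed by the XOR-encrypted body.
    Stub layout: [NOP...] KEY <len> <key bytes> [NOP...] RUN.
    Without an rng the stub is identical in every copy; with one, junk NOPs
    are sprinkled in so that no two stubs look alike."""
    stub = bytearray()
    if rng is not None:
        stub.extend([OP_NOP] * rng.randint(0, 6))
    stub += bytes([OP_KEY, len(key)]) + key
    if rng is not None:
        stub.extend([OP_NOP] * rng.randint(0, 6))
    stub.append(OP_RUN)
    return bytes(stub) + xor(VIRUS_BODY, key)


def encrypted_sample():
    return build_sample(FIXED_KEY)


def oligomorphic_sample(variant):
    return build_sample(OLIGO_KEYS[variant % len(OLIGO_KEYS)])


def polymorphic_family(seed, count):
    """count generations of a polymorphic virus: a fresh random key (2-8 bytes,
    never all zero, or the 'encryption' would be the identity) and a freshly
    mutated stub for each generation."""
    rng = random.Random(seed)
    family = []
    for _ in range(count):
        key = b"\x00"
        while not any(key):
            key = bytes(rng.randrange(256) for _ in range(rng.randint(2, 8)))
        family.append(build_sample(key, rng))
    return family


def stub_signature(key):
    """Signature on a constant decryptor: its KEY instruction plus RUN."""
    return bytes([OP_KEY, len(key)]) + key + bytes([OP_RUN])


def static_scan(sample, signatures):
    """Naive signature scanner: does any known byte string occur verbatim?"""
    return any(sig in sample for sig in signatures)


def emulate(sample):
    """Interpret the stub in a sandbox and return the decrypted body, the way
    an emulating scanner lets a polymorphic virus decrypt itself."""
    pc, key = 0, b""
    while pc < len(sample):
        op = sample[pc]
        if op == OP_NOP:
            pc += 1
        elif op == OP_KEY:
            n = sample[pc + 1]
            key = sample[pc + 2:pc + 2 + n]
            pc += 2 + n
        elif op == OP_RUN:
            return xor(sample[pc + 1:], key)
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    raise ValueError("stub never reached RUN")


def emulating_scan(sample):
    """Scan the body only after letting the decryptor run."""
    return BODY_SIG in emulate(sample)
```

Note that the oligomorphic case is only caught because the scanner carries one signature per decryptor in the family; with 96 decryptors, as for Memorial, that is 96 signatures, and with a polymorphic engine the number of distinct stubs is effectively unbounded, which is why emulation is the only option that scales.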

How Hard Is It to Write a Virus?
   2268 matches for "virus creation tool" in CA's
    Spyware Information Center
       Including dozens of poly- and metamorphic engines
   Overwriting Virus Construction Toolkit
       "The perfect choice for beginners"
   Biological Warfare Virus Creation Kit
       Note: all viruses created this way will be detected by
        Norton Anti-Virus
   VBS Worm Generator (for Visual Basic Script worms)
       Used to create the Anna Kournikova worm


Propagation of Viruses
                                             [Moshchuk et al.]

   Websites with popular content
       Games: 60% of websites contain executable content,
        one-third contain at least one malicious executable
       Celebrities, adult content, everything except news

   [Table from the slide: most popular sites with
    malicious content (Oct 2005)]

Viruses in P2P Networks                        [Shin, Jung, Balakrishnan]

   Millions of users willingly download files
        e.g., KaZaA: 2.5 million users in May 2006
   Easy to insert an infected file into the network
       Pretend to be an executable of a popular application
        e.g., “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …
       Infected MP3 files are rare
   When executed, the malicious file opens a backdoor
    for the remote attacker
       Steal the user's confidential information; spread spam
           70% of infected hosts are already on DNS-based spam
            blacklists
Prevalence of Viruses in KaZaA
                                            [Shin, Jung, Balakrishnan]

   2006 study of 500,000 KaZaA files
       Look for 364 patterns associated with 71 viruses

   Up to 22% of all KaZaA files infected
       52 different viruses and Trojans
       Another study found that 44% of all executable files on
        KaZaA contain malicious code
       When searching for “ICQ” or “Trillian”, chances of
        hitting an infected file are over 70%

Dangerous KaZaA Queries
   [Figure from the slide, from Shin, Jung, Balakrishnan]
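The aliasing pattern from the stealth-techniques slide and the "same backdoor under many popular names" pattern in the KaZaA slides can both be caught with the same check: group shared files by content hash and flag executables whose bytes circulate under several different names. The code below is an added example written for these notes, not code from the slides or from Shin, Jung and Balakrishnan. The share-folder listing is constructed; the file bytes are placeholders (the file names reuse the examples from the slides) and the hash is computed locally rather than taken from a P2P client:

```python
import hashlib
from collections import defaultdict

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

# Constructed share-folder listing as (file name, file bytes). Real P2P
# clients expose sizes and content hashes; the bytes here are placeholders.
BACKDOOR = b"MZ placeholder bytes standing in for one backdoor binary"
SHARE = [
    ("ICQ Lite .exe", BACKDOOR),
    ("ICQ Pro 2003b.exe", BACKDOOR),
    ("MSN Messenger 5.2.exe", BACKDOOR),
    ("ICQ 5.exe", b"MZ placeholder for a genuine installer"),
    ("WinZip 8.1.exe", b"MZ placeholder for another genuine installer"),
    ("song.mp3", b"ID3 placeholder audio"),
]


def content_hash(data):
    return hashlib.sha256(data).hexdigest()


def is_executable(name):
    # "ICQ Lite .exe" style names have a space before the suffix; still .exe
    return name.lower().rstrip().endswith(EXECUTABLE_SUFFIXES)


def aliases_by_content(listing, min_names=2):
    """Group files by content hash; keep contents that show up under
    min_names or more different names (the aliasing pattern)."""
    names_for = defaultdict(set)
    for name, data in listing:
        names_for[content_hash(data)].add(name)
    return {h: sorted(n) for h, n in names_for.items() if len(n) >= min_names}


def suspicious_executables(listing, min_names=2):
    """Executables whose bytes also circulate under other names."""
    flagged = set()
    for names in aliases_by_content(listing, min_names).values():
        flagged.update(n for n in names if is_executable(n))
    return sorted(flagged)


def search(listing, query):
    """Case-insensitive substring search, like a P2P client's query."""
    return [(n, d) for n, d in listing if query.lower() in n.lower()]


def infection_rate(results, bad_hashes):
    """Fraction of search results whose content hash is known-bad; this is
    the per-query number the 'dangerous queries' slide reports."""
    if not results:
        return 0.0
    bad = sum(content_hash(data) in bad_hashes for _, data in results)
    return bad / len(results)
```

Once the bad hashes are known (here, simply the aliased contents), the same listing can be queried to reproduce the per-query infection rate: searching this constructed share for "ICQ" returns three files, two of which are the aliased backdoor.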


Worms
   Worms are self-propagating malicious programs
       A worm replicates and propagates without a host program

   Worms can infect a large number of computers in a
    short time
   Infamous examples: the Morris worm, Code Red I &
    Code Red II, Slammer, Nimda

Viruses vs. Worms

   VIRUS                                  WORM
   Propagates by infecting other          Propagates automatically by
    programs                                copying itself to the target
   Usually inserted into host code        Is a standalone program
    (not a standalone program)

Summer of 2001
                   [from "How to 0wn the Internet in Your Spare Time"]

Three major worms
Code Red I
   July 13, 2001: the first worm of the modern era
       Exploited a buffer overflow in Microsoft's Internet
        Information Server (IIS)
How does Code Red I work?
   1st through 19th of each month: spread
       Find new targets by random scan of the IP address space
           Spawn 99 threads to generate addresses and look for IIS
       The creator forgot to seed the random number generator,
        so every copy of the first version scanned the same set of
        addresses (fixed in the July 19 re-release)
   20th through 27th of each month: attack
       Flood a fixed IP address (whitehouse.gov) with traffic; the
        "Hacked By Chinese!" web page defacement was the visible
        side effect on infected servers
   28th through the end of the month: sleep

Code Red II

    August 4, 2001: exploited the same IIS vulnerability with
     completely different code
        Worked only on Windows 2000, crashed NT
        Died by design on October 1, 2001
    Scanning algorithm preferred nearby addresses
        Chose addresses from the same class A (/8) with probability
         1/2, the same class B (/16) with probability 3/8, and randomly
         from the entire Internet with probability 1/8
    Payload: installed a root backdoor on IIS servers for
     unrestricted remote access

Q: what is the class A, class B …?
Slammer Worm

    January 24/25, 2003: UDP worm exploiting a buffer overflow in
     Microsoft's SQL Server
        The buffer overflow was already known and patched by Microsoft,
         but not everybody had installed the patch

    The entire worm fits into a single 404-byte UDP packet
        Worm binary followed by an overflow pointer back to itself

    Classic buffer overflow combined with random scanning:
        once control is passed to the worm code, it randomly generates IP
         addresses and sends a copy of itself to UDP port 1434
        MS-SQL (the SQL Server Resolution Service) listens on UDP port 1434

(We'll see how buffer overflow works in the next chapter, "network attacks")
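Because the whole worm is one fixed-size datagram to one port, the packet shape alone is a usable network signature. The following is an added example for these notes, not the worm or any vendor's detection rule: a minimal IPv4/UDP parser and the shape check (UDP to port 1434, exactly 376 payload bytes, first byte 0x04, the SQL Server Resolution Service's instance-name request type in which the overflow sits). The sample packets are constructed; the "worm-shaped" one carries filler bytes, not the worm's code, and checksums are left at zero since nothing is sent:

```python
import struct

SSRS_PORT = 1434               # SQL Server Resolution Service, UDP
IPV4_HDR = 20
UDP_HDR = 8
SLAMMER_DATAGRAM = 404         # the whole worm in one 404-byte IP datagram
SLAMMER_PAYLOAD = SLAMMER_DATAGRAM - IPV4_HDR - UDP_HDR   # 376 bytes
SSRS_INSTANCE_REQUEST = 0x04   # request type whose handler had the overflow


def _inet(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4+UDP datagram. Checksums are left zero: fine for offline
    tests, not for something you would put on the wire."""
    ulen = UDP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + ulen, 0, 0, 64, 17, 0,
                     _inet(src), _inet(dst))
    udp = struct.pack("!HHHH", sport, dport, ulen, 0)
    return ip + udp + payload


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(pkt) < IPV4_HDR or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length incl. options
    if len(pkt) < ihl + UDP_HDR:
        return None
    sport, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    payload = pkt[ihl + UDP_HDR:ihl + ulen]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, sport, dport, payload


def looks_like_slammer(pkt):
    """Shape heuristic: UDP to 1434, exactly 376 payload bytes, starting
    with the 0x04 instance-name request type."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None:
        return False
    _, _, _, dport, payload = parsed
    return (dport == SSRS_PORT and len(payload) == SLAMMER_PAYLOAD
            and payload[0] == SSRS_INSTANCE_REQUEST)


# Constructed samples (made-up addresses). The first has the worm's shape but
# a filler payload, not the worm's code; the second is an ordinary lookup.
WORM_SHAPED = build_ipv4_udp(
    "192.0.2.10", "198.51.100.7", 1234, SSRS_PORT,
    bytes([SSRS_INSTANCE_REQUEST]) + b"A" * (SLAMMER_PAYLOAD - 1))
NORMAL_LOOKUP = build_ipv4_udp(
    "192.0.2.10", "198.51.100.7", 1234, SSRS_PORT,
    bytes([SSRS_INSTANCE_REQUEST]) + b"MSSQLSERVER\x00")
```

A legitimate 0x04 request carries a short instance name, so the length check is what separates it from the worm; a production rule would additionally match bytes of the worm body, but the shape check already shows why a single-packet UDP worm is trivial to block at a border router with a port filter.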
Slammer Propagation

   Scan rate of 55,000,000 addresses per second
       Scan rate = rate at which the worm generates IP addresses of
        potential targets
       Up to 30,000 single-packet worm copies per second
        from a single infected host

   Initial infection was doubling every 8.5 seconds (!!)
       Doubling time of Code Red was 37 minutes

   Worm-generated packets saturated the carrying capacity of the
    Internet in 10 minutes
       75,000 SQL servers compromised
       And that's in spite of the broken pseudo-random number generator
        used for IP address generation

[Figures from the slides: geographic spread of infected hosts at 05:29:00 UTC,
 January 25, 2003, and 30 minutes later, from Moore et al., "The Spread of the
 Sapphire/Slammer Worm"]

Secret of Slammer’s Speed

   Old-style worms (Code Red) spawn a new thread
    which tries to establish a TCP connection and, if
    successful, send a copy of itself over TCP
       Limited by latency of the network

   Slammer was a connectionless UDP worm
       No connection establishment, simply send 404-byte
        UDP packet to randomly generated IP addresses
       Limited only by bandwidth of the network
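The doubling times on the "Slammer Propagation" slide and the latency-versus-bandwidth argument above can be put into one small model. The following is an added example for these notes (not from the slides, and not the code of Staniford et al. or Moore et al.): it implements the random constant spread model from "How to 0wn the Internet in Your Spare Time", in which a uniformly scanning worm grows as a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}) with K = r N / 2^32, and plugs in the slides' numbers. Two inputs are assumptions labelled in the code: a 100 Mbit/s uplink for the UDP worm, and a 21 s timeout for an unanswered TCP connect on Windows:

```python
import math

ADDRESS_SPACE = 2 ** 32


def infection_constant(scans_per_second, vulnerable_hosts):
    """K of the random constant spread (RCS) model: an infected host scanning
    uniformly at rate r finds a fresh vulnerable host at rate r * N / 2^32
    while almost nothing is infected yet."""
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def doubling_time(k):
    """Early on a(t) ~ e^{K t}, so the population doubles every ln 2 / K."""
    return math.log(2) / k


def constant_from_doubling(doubling_seconds):
    return math.log(2) / doubling_seconds


def implied_scan_rate(doubling_seconds, vulnerable_hosts):
    """Invert K = r N / 2^32: what average per-host scan rate does an
    observed doubling time imply?"""
    return constant_from_doubling(doubling_seconds) * ADDRESS_SPACE / vulnerable_hosts


def infected_fraction(k, t, t_half):
    """Logistic solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}); T is the moment
    half the vulnerable population is infected."""
    return 1.0 / (1.0 + math.exp(-k * (t - t_half)))


def seconds_from_one_host_to(fraction, k, vulnerable_hosts):
    """Time for a(t) to climb from 1/N (one infected host) to fraction."""
    start = math.log(1.0 / (vulnerable_hosts - 1))      # logit of 1/N
    end = math.log(fraction / (1.0 - fraction))         # logit of target
    return (end - start) / k


def tcp_worm_scan_rate(threads, seconds_per_attempt):
    """Latency-bound (Code Red style): each thread blocks on one TCP connect
    at a time, and most probes go to addresses that never answer."""
    return threads / seconds_per_attempt


def udp_worm_scan_rate(uplink_bits_per_second, packet_bytes):
    """Bandwidth-bound (Slammer style): one probe per packet, no waiting."""
    return uplink_bits_per_second / (8 * packet_bytes)


def slammer_vs_code_red():
    """Worked numbers. From the slides: 404-byte packets, up to 30,000
    copies/s per host, 75,000 victims, doubling in 8.5 s vs 37 min, 99
    threads. Assumed here: a 100 Mbit/s uplink and a 21 s timeout for an
    unanswered Windows TCP connect (3 SYN retransmits)."""
    k_slammer = constant_from_doubling(8.5)
    k_code_red = constant_from_doubling(37 * 60)
    return {
        "udp_probes_per_s_on_100mbit": udp_worm_scan_rate(100e6, 404),
        "tcp_probes_per_s_99_threads": tcp_worm_scan_rate(99, 21),
        "slammer_doubling_if_every_host_sent_30k_per_s":
            doubling_time(infection_constant(30000, 75000)),
        "slammer_implied_avg_scan_rate": implied_scan_rate(8.5, 75000),
        "slammer_seconds_to_90pct": seconds_from_one_host_to(0.9, k_slammer, 75000),
        "code_red_k_per_hour": k_code_red * 3600,
    }


if __name__ == "__main__":
    for name, value in slammer_vs_code_red().items():
        print(f"{name:48s} {value:12.3f}")
```

Three things fall out of the numbers. A 100 Mbit/s link carries about 30,900 404-byte packets per second, which is where the slide's "up to 30,000 copies per second" comes from; 99 threads each waiting out a 21 s connect timeout manage under 5 probes per second, four orders of magnitude less. If every Slammer host really had sent 30,000 probes per second the doubling time would have been about 1.3 s; the observed 8.5 s implies an average of roughly 4,700 probes per second per host, i.e. most victims sat on much slower links and were bandwidth-limited almost immediately. And with K from the observed doubling, the idealised model reaches 90% of the vulnerable population in under three minutes from a single host, consistent with the slide's "saturated in 10 minutes" once you allow for the congestion the worm itself caused.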

Slammer Impact
   $1.25 billion of damage
   Temporarily knocked out many elements of critical infrastructure
       Bank of America ATM network
       Entire cell phone network in South Korea
       Five root DNS servers
       Continental Airlines' ticket processing software
   The worm did not even have a malicious payload
       The damage came purely from bandwidth exhaustion on the network and
        resource exhaustion on infected machines


Trojan Horses
   A Trojan horse is malicious code hidden in an
    apparently useful host program
   When the host program is executed, the Trojan does
    something harmful or unwanted
       The user must be tricked into executing the host program
       E.g., in 1995, a program distributed as PKZ300B.EXE
        looked like a new version of PKZIP… When executed, it
        formatted your hard drive.
   Trojans do NOT replicate
       This is the main difference from worms and viruses

Trojan Insidious Attack

   Trojans are an insidious attack against networks
       They disguise themselves as useful programs and hide
        malicious components (backdoors, rootkits) inside the program
       They allow attackers remote access

   Trojan programs also use well-known ports, so that their
    traffic blends in with normal use
       HTTP (TCP 80) or DNS (UDP 53)

Common Trojan Programs and Ports Used
   [Table from the slide; details are not required]

Rootkits (revisited)
   A rootkit is a set of Trojaned program binaries
       Main characteristic: stealthiness (hides the infection from the
        host's administrator)
           Create a hidden directory
               /dev/.lib, /usr/src/.poop and similar
               Often use invisible characters in the directory name
           Install hacked binaries for system programs such as
            netstat, ps, ls, du, login
   Typical infection path:
       Use a stolen password or a dictionary attack to log in
       Use a buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated,
        lpr, or passwd to gain root access
       Download the rootkit by FTP, unpack, compile and install

Detecting Rootkit Presence

   Sad way to find out
       Run out of physical disk space because of sniffer logs
       The logs are invisible because du and ls have been hacked!

   Manual confirmation
       Reinstall a clean ps (from trusted media) and compare the
        processes it shows with what the suspect ps shows

   Automatic detection
       Host-based intrusion detection can find rootkit files
           assuming the rootkit did not disable your intrusion
            detection system!
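The "reinstall a clean ps" check generalises to a cross-view comparison: ask the kernel directly (on Linux, the numeric entries of /proc) and ask the possibly-trojaned tool, and look at what the tool leaves out; the same idea applied to directory listings catches the "invisible" names from the previous slide. The code below is an added example for these notes, not from the slides or any rootkit-detection tool. It assumes a Linux host with a procfs at /proc and a ps on the PATH; the live check only runs when the file is executed as a script, and the test data in the comments are constructed:

```python
import os
import subprocess
import unicodedata


def pids_from_proc():
    """PIDs as the kernel exposes them in /proc (Linux)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps():
    """PIDs as the (possibly trojaned) ps binary reports them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view, tool_view):
    """Processes the kernel knows about but the tool does not list."""
    return sorted(kernel_view - tool_view)


def hidden_pids_stable(kernel_view_fn, tool_view_fn, rounds=3):
    """Repeat the comparison. A PID missing in only one round most likely
    exited between the two listings; one missing in every round is being
    hidden. Both arguments are callables returning sets of PIDs."""
    missing = None
    for _ in range(rounds):
        diff = set(hidden_pids(kernel_view_fn(), tool_view_fn()))
        missing = diff if missing is None else missing & diff
    return sorted(missing)


def suspicious_dir_names(names):
    """Names built only from dots and blanks, padded with whitespace, or
    containing control/format (e.g. zero-width) characters: the 'invisible'
    directory names rootkits hide behind. '.' and '..' are always present."""
    flagged = []
    for name in names:
        if name in (".", ".."):
            continue
        hidden_chars = any(unicodedata.category(c) in ("Cc", "Cf") for c in name)
        if hidden_chars or name != name.strip() or name.strip(". ") == "":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Live check on a Linux host. To reproduce the slide's manual step, put a
    # ps copied from clean media first on the PATH before running this.
    print("hidden PIDs:", hidden_pids_stable(pids_from_proc, pids_from_ps))
    for d in ("/dev", "/usr/src", "/tmp"):
        if os.path.isdir(d):
            print(d, "suspicious:", suspicious_dir_names(os.listdir(d)))
```

Two caveats a practitioner would want. A kernel-level rootkit that hooks the system calls behind /proc hides from this check too, because both views then come from the same lying source; that is the point of the slide's "assuming the rootkit did not disable your IDS", and the answer is to compare against a view the rootkit cannot alter, such as the disk examined offline from clean boot media. And a plain dotfile name like /dev/.lib is not flagged here, since many legitimate hidden directories exist; that case is better handled by a file-integrity baseline than by a name heuristic.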


Spyware
   Sends information from the infected computer to the attacker
       Confidential financial data
       Passwords
       PINs
       Any other stored data

   Can even record each keystroke entered

Adware
   Similar to spyware
       Can be installed without the user being aware
       Displays unwanted pop-up ads

   Main goal
       Determine the user's online purchasing habits
       Tailored advertisement

   Problems with adware
       Slows down computers


Protecting Against Malware Attacks
   Protecting against malware is a difficult task
       New viruses, worms, Trojan programs appear daily
       Most antivirus software uses signatures to check for known
        malware, so brand-new malware can slip through until a
        signature for it is written and distributed

Educating Your Users

   Structured training
       Includes all employees and management

   E-mailing monthly security updates
       Is a simple but effective training method

   Recommend that users update virus signatures
       Activate automatic updates

Defense via Software and Hardware

   Anti-virus software
   SpyBot and Ad-Aware
       Help protect against spyware and adware
   Firewalls
       Hardware (enterprise solution)
       Software (personal solution)
   Intrusion Detection System (IDS)
       Monitors your network 24/7
