Lecture 13: Malicious Code
Thierry Sans
15-349: Introduction to Computer and Network Security

What is a malicious code?
➢ You may have heard about these words
• Malware
• Virus
• Logic Bomb
• Rabbits
• Worm
• Trojan horse
• Backdoor
• Rootkit
• Spyware

How do we get infected by malicious code?
➢ A “non well-known” program may be executed by the user (social engineering)
• The program is a Trojan horse
➢ A malicious program might be executed without the consent of the user
• It may be a worm exploiting a security flaw

How do we get infected by malicious code?
➢ A user might execute a “well-known” program that does not behave as expected
• It has been infected by a virus
• Or it contains a trapdoor (security flaw)
➢ A “well-known” program has a hidden functionality
• The program contains a spyware

What can a malicious code do?
➢ A malicious code
• may need user action to be activated (virus)
• or may be totally autonomous (worms)
➢ Everything ... depending on the execution context
• privileges of the program
➢ The effects of the malicious code depend on the payload
• From a simple joke up to severe consequences (financial losses)

The history of malicious code
➢ 70's
• The era of the first self-replicating programs: virus
➢ 80's
• The era of maturity and pandemics
➢ 90's
• The era of self-modifying virus code
➢ 2000's
• The era of internet worms

The era of the first self-replicating programs (70's)
➢ ANIMAL (a popular game)
• Replication: through the filesystem
• Effects: none
➢ Creeper (and Reaper) on Tenex OS (Arpanet)
• Replication: through a modem, copying itself to the remote system
• Effects: displaying the message 'I'M THE CREEPER : CATCH ME IF YOU CAN' (a simple joke)
➢ The Rabbit program
• Replication: through the filesystem
• Effects: reducing system performance until crashing (disruptive, destructive)

What is a “virus”?
➢ A self-replicating program ...
• concept of infection
➢ ... that may change the system behavior
• concept of payload
➢ So far, the user needs to execute an infected program to activate the virus and start the infection

How a virus can spread: the infection method
➢ Infection strategies
• The malicious program exists by itself and replicates through the filesystem or the network
• The malicious code is embedded in an existing program and replicates itself by infecting other programs through the filesystem or the network
➢ Resident or not
• Non-resident viruses: the virus becomes inactive as soon as the infected program terminates
• Resident viruses: the virus remains in memory even after the infected program terminates

What a virus can do: the payload
➢ It could be
• A simple joke (such as displaying a message at once)
• Disruptive (annoying behaviors of the system)
• Destructive: data losses and system crashes
  • Example: the Michelangelo logic bomb (1992)
  • A boot sector virus that remains dormant until March 6 (the birthday of Renaissance artist Michelangelo)
• Intrusive: backdoors (also called trapdoors)
  • Since 2000, it's the new trend
  • Used for spam and botnets

The maturity of viruses (80's)
➢ Apparition of boot sector viruses such as
• The Elk Cloner virus (Apple II) in 1982
  • An infected computer would display a short poem on every 50th boot
• The Brain virus (IBM/PC) in 1984
  • The disk label is changed to “Brain” and an advertisement text is written in boot sectors

What is a “boot sector” virus?

1987: The beginning of pandemics
• Jerusalem (MS-DOS)
  • Destroys all executable files on infected machines upon every occurrence of Friday the 13th
• SCA virus (Amiga)
  • Displays a text every 15th boot
  • 40% of the Amiga owners were infected
• Christmas Tree EXEC (IBM/PC)
  • Displays a snow flow animation
  • Paralyzed several international computer networks in December 1987

The first anti-virus software (end of the 80's)
➢ Virus scanner (detection)
• Signature based
  • Using a signature database of existing viruses
• Behavior based
  • Looking for suspicious code patterns that can be used by viruses
➢ Virus removal tools (sanitation)
• Cleaning the memory and infected programs

Avoiding detection: the Cascade virus (1997)
➢ Each instance of the Cascade virus does not look the same
• How? The virus encrypts itself with a cryptographic key and changes this key when replicating itself
• So, how to detect it? By detecting the small piece of code used to decipher the rest of the code
➢ Later, this work would inspire polymorphic viruses

The era of self-modifying viruses (90's)
➢ The Chameleon family: the first family of polymorphic viruses
• Started with the release of 1260
➢ 1996: "Ply"
• A DOS 16-bit based, complicated polymorphic virus appeared with a built-in permutation engine

What is a “polymorphic” virus?
➢ A polymorphic virus mutates when replicating (but keeps the original algorithm intact)
• Using cryptographic techniques (like the Cascade virus)
• By injecting garbage code
• By doing permutations within certain instructions or blocks of instructions
➢ How to detect it?
• By detecting code patterns used for the self-modification

A new generation: metamorphic code
➢ A metamorphic virus can reprogram itself
• by using different instructions, and
• by using different strategies to implement a functionality
➢ Zmist in 2000 was the first metamorphic virus
➢ Simile in 2001 was a multi-OS metamorphic virus

Macro Viruses
➢ So far, a virus is an executable file
• Targets a given architecture and/or a given OS
➢ A new trend appeared: the macro-viruses
• Written in scripting languages used by some office applications (and can then be cross-platform)
• The Concept virus (1995)
• The Melissa virus (1999)
  • Written in VBS, embedded in an MS-Office document, activated when the document is opened (autoload function)
  • On March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm

Trojan horse viruses (social engineering)
➢ A user is tricked by an email with the malicious code in attachment ...
• as a “Trojan Horse”
➢ ... and this program replicates itself by email
• as a “Virus”

The big stars among trojan horse viruses
➢ The VBS/Loveletter ILOVEYOU in 2000
• Caused 5.5 to 10 billion dollars in damage
➢ The Sobig virus in 2002
• Sobig.F set a record in sheer volume of e-mails
➢ The MyDoom virus in 2002
• Broke the record set by Sobig.F

The era of internet worms (2000's)
➢ The context of the wide adoption of the internet
• More machines interconnected
• The global network is a good medium for virus pandemics (fast transmission and more victims)
➢ The multiplication of internet applications and services
• Fast publication of program flaws
• Slow release of corrective patches
• Slower adoption of these patches (not automatic)
➢ A perfect context for internet worms

What is a worm?
➢ A worm is a self-replicating program that does not need a user intervention to be activated
• Contrary to viruses
➢ How does it work?
• Exploits a security flaw (often of a network service) to infect the machine and replicates itself through the network
➢ Characteristics
• Very fast infection
• Has a payload as well (more or less harmful)

The big stars of 2001
➢ Code-Red
• Exploits a security flaw (buffer overflow) of the Microsoft IIS web server (MS01-033), patched one month earlier
• In a few days, 359,000 machines infected
➢ Nimda
• Exploits another security flaw of MS-IIS
• The Internet’s most widespread worm so far (most of the infection was done in 22 min)

The big stars of 2001
➢ Klez
• Exploits a security flaw of the Microsoft Internet Explorer layout engine used by Outlook and IE
• Infection through an email attachment; however, the user does not have to open this attachment to get infected

The big stars of 2002
➢ SQL-Slammer (also called Sapphire)
• Exploits a security flaw in MS-SQL servers for which a patch had been released six months earlier (MS02-039)
• Infected 75,000 machines in 10 minutes, causing a massive denial of service and dramatically slowing down general Internet traffic
➢ Sasser
• Exploits a buffer overflow of Microsoft LSASS on Windows 2000 and XP systems
• Many companies had to shut down their services

The big star of 2003
➢ Blaster (also known as Lovesan)
• Exploits a security flaw in DCOM-RPC services on Windows 2000 and XP
• Was supposed to do a SYN flood on August 15, 2003 against port 80 of windowsupdate.com
➢ Welchia (also known as Nachia)
• Exploits the same security flaw as Blaster
• Corrects the security flaw by patching the system

The big star of 2004
➢ Santy
• Exploited a vulnerability in phpBB and used Google in order to find new targets
• It infected around 40,000 sites before Google filtered the search query used by the worm, preventing it from spreading
• The first web-worm

The big star of 2008
➢ Conficker
• Exploits a security flaw in NetBIOS
• Disables auto-update
• Embeds a dictionary password cracker and a backdoor to turn the machine into a “bot”
• Believed to have originated from Ukraine and/or Russia

The new trend of web-worms: XSS worms
➢ Exploiting a cross site scripting (XSS) flaw within a website
• See lectures 23-24
➢ Samy in 2005
• Targeting MySpace (social network)
➢ JTV.worm in 2008
• Targeting Justin.tv (video casting)
➢ “Twitter worm” in 2010 (Sept 27th)
• Targeting Twitter (micro-blogging)

2010 – The era of cyberwar viruses
➢ W32.Dozor (July 2009)
• A virus that created a botnet dedicated to performing a DDoS attack on South Korean and US government websites on July 4th
• Believed to have originated from China and/or North Korea
➢ Stuxnet (Sept 2010)
• Tell me about it

A stupid trend: the virus hoax
➢ Receiving an email about a new virus ...
• asking you to forward this email to your contacts
• and/or giving you the method to detect and remove the virus (often a real and important system file)
➢ Effects
• Hoax viruses are harmless (almost) and do nothing by themselves (but the user may)
➢ Counter-measures
• Delete the email :)
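An added illustration, not part of the lecture slides, of the signature-based scanner and the Cascade point above: constructed byte strings stand in for a host program, a virus body and its constant decryptor stub, and the scanner shows that a signature taken from the body misses re-encrypted instances while a signature taken from the decryptor catches every one of them.

```python
"""Toy signature scanner illustrating the Cascade problem from the slides:
a signature taken from the virus body misses a self-encrypting virus,
because each replicated instance re-encrypts the body under a fresh key,
while a signature taken from the small, constant decryption routine matches
every instance. Every byte string below is constructed for this demo."""

# Hypothetical host program and hypothetical virus body (plain-text stand-ins).
CLEAN_PROGRAM = b"MZ hello-world host program"
VIRUS_BODY = b"VIRUSBODY:constructed-marker-bytes"
# Constructed stand-in for the decryption stub every instance carries
# unchanged; a real scanner would store the stub's actual opcode bytes.
DECRYPTOR_STUB = b"\xde\xc0\xde\x5f"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def encrypted_instance(key: int) -> bytes:
    """One replicated instance appended to the host: the constant stub, the
    one-byte key it will use, then the body encrypted under that key."""
    return CLEAN_PROGRAM + DECRYPTOR_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def scan(sample: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Signature-based detection: names of every signature found in the sample."""
    return [name for name, sig in signatures.items() if sig in sample]


SIGNATURES = {
    "body-signature": VIRUS_BODY[:12],      # bytes taken from the unencrypted body
    "decryptor-signature": DECRYPTOR_STUB,  # bytes taken from the constant stub
}


def demo() -> dict[str, list[str]]:
    """Scan a clean host, a plainly infected host and two encrypted instances."""
    samples = {
        "clean": CLEAN_PROGRAM,
        "plain-infected": CLEAN_PROGRAM + VIRUS_BODY,
        "instance-key-0x5a": encrypted_instance(0x5A),
        "instance-key-0x3c": encrypted_instance(0x3C),
    }
    return {name: scan(data, SIGNATURES) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:18s} -> {hits or 'no detection'}")
```

The two encrypted instances share no body bytes with each other or with the plain copy, which is exactly why the slides say the decryptor, not the body, is what a scanner has to look for.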