Slides 5 - USC Upstate: Faculty
SCSC 455 Computer Security
2011 Spring
Chapter 5 Malware
Index
Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
Malicious Software (Malware)
Malicious software often masquerades as good software or attaches itself to good software
Some malicious programs need a host program: Trojan horses, viruses, logic bombs
Others can exist and propagate independently: worms
Goals of malware
Destroy data
Corrupt data
Shut down networks or systems
Malware classification
Malicious software includes
Virus
Worm
Trojan programs
Spyware
Adware
Virus propagation
A virus propagates by infecting other programs
It automatically creates copies of itself, but to propagate, a human has to run an infected program
In contrast, self-propagating malicious programs are usually called worms
Many propagation methods …
Insert a copy into every executable (.COM, .EXE)
Insert a copy into the boot sectors of disks
E.g., the Stoned virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into the PC
Infect TSR (terminate-and-stay-resident) routines
By infecting a common OS routine, a virus can stay in memory permanently and infect all disks, executables, etc.
Etc.
Virus Classification
Stealth viruses
Mutation
Aliasing
Macro viruses
What is a macro?
Polymorphic viruses
Viruses that mutate and/or encrypt parts of their code with a randomly generated key,
changing the encryption routine, the sequence of instructions, or other aspects of the virus’s behavior
Detail of each …
Virus Stealth Techniques
[Shin, Jung, Balakrishnan]
Mutation: virus has multiple binary variants
Defeats naïve signature-based detection
Used by the most successful (i.e., widespread) viruses
e.g., Tanked: 62 variants, SdDrop: 14 variants
Aliasing: the virus places copies of itself under different names in the infected host’s shared folder
e.g., “ICQ Lite .exe”, “ICQ Pro 2003b.exe”, “MSN Messenger 5.2.exe”
Macro Viruses
A macro virus is a virus encoded as a macro
A macro is a list of commands, which can be used in destructive ways
When an infected document is opened, the virus copies itself into the global macro file and makes itself auto-executing
Most macro viruses are very simple; even non-programmers can create them
Instructions are posted on Web sites
(You will read more about macro viruses in reading article 3.)
Evolution of Polymorphic Viruses (1)
Anti-virus scanners detect viruses by looking for signatures
Signatures are snippets of known virus code
Encrypted viruses: the virus consists of a constant decryptor, followed by the encrypted virus body
Relatively easy to detect because the decryptor is constant and can itself serve as the signature
E.g., Cascade (DOS), Mad (Win95), Zombie (Win95)
Oligomorphic viruses: different versions of the virus have different encryptions of the same body
Small number of decryptors (96 for the Memorial virus)
To detect, must understand how they are generated
Evolution of Polymorphic Viruses (2)
Polymorphic viruses: constantly create new random encryptions of the same virus body
The virus must contain a polymorphic engine for creating new keys and new encryptions of its body
Some, rather than carry an explicit decryptor in each mutation, decrypt the body by brute-force key search
E.g., Marburg (Win95), HPS (Win95), Coke (Win32)
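The three detection situations the two slides above describe (a plaintext body signature, a signature on a constant decryptor, and emulation of a changing decryptor) can be seen side by side in the toy model below. It is an added example, not code from the slides and not malware: BODY is a benign byte string standing in for virus code, the "decryptor" is a constructed tagged-record format rather than machine code, and the stub marker bytes, record tags and signature strings are all assumptions made for the illustration.

```python
"""Toy model of encrypted vs. polymorphic viruses and how a scanner copes.
Nothing here is malware: BODY is a benign byte string standing in for virus
code, and the 'decryptor' is a tagged byte structure, not machine code."""
import random

BODY = b"benign stand-in for the virus body: infect(); payload(); return;"
BODY_SIGNATURE = b"infect(); payload();"   # plaintext snippet a scanner knows

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Encrypted virus: a constant decryptor stub, then the key byte, then the body.
DECRYPTOR_STUB = b"\xeb\x06DECR"            # constructed marker bytes

def encrypted_variant(key: int) -> bytes:
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(BODY, key)

# Polymorphic virus: the engine re-emits the decryptor differently every time.
# Constructed stub grammar: records of tag(1) len(1) payload(len).
#   'K' = key share (XOR of all shares is the key), 'J' = junk no-op, 'E' = end.
def polymorphic_variant(key: int, rng: random.Random) -> bytes:
    share = rng.randrange(256)
    records = [b"K\x01" + bytes([share]), b"K\x01" + bytes([key ^ share])]
    for _ in range(rng.randrange(4)):           # random junk in random positions
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 6)))
        records.insert(rng.randrange(len(records) + 1),
                       b"J" + bytes([len(junk)]) + junk)
    return b"".join(records) + b"E\x00" + xor_bytes(BODY, key)

def recover_body(sample: bytes):
    """What an emulating scanner does: execute the decryptor logic instead of
    pattern-matching its bytes, and return the decrypted body (None if the
    sample is not in either known form)."""
    if sample.startswith(DECRYPTOR_STUB):           # constant-decryptor form
        n = len(DECRYPTOR_STUB)
        return xor_bytes(sample[n + 1:], sample[n])
    i, key = 0, 0
    while i + 2 <= len(sample):                     # walk the polymorphic grammar
        tag, n = sample[i], sample[i + 1]
        payload, i = sample[i + 2:i + 2 + n], i + 2 + n
        if tag == ord("K") and payload:
            key ^= payload[0]
        elif tag == ord("E"):
            return xor_bytes(sample[i:], key)
        elif tag != ord("J"):
            return None
    return None

def detected_by_emulation(sample: bytes) -> bool:
    body = recover_body(sample)
    return body is not None and BODY_SIGNATURE in body

def build_corpus(n_encrypted: int, n_polymorphic: int, seed: int = 1) -> list:
    """Constructed sample set: keys are never 0, so no body is left in clear."""
    rng = random.Random(seed)
    keys = [rng.randrange(1, 256) for _ in range(n_encrypted + n_polymorphic)]
    return ([encrypted_variant(k) for k in keys[:n_encrypted]] +
            [polymorphic_variant(k, rng) for k in keys[n_encrypted:]])

def scan_corpus(samples: list) -> dict:
    """How many samples each detection strategy flags."""
    return {
        "body_signature": sum(BODY_SIGNATURE in s for s in samples),
        "decryptor_signature": sum(DECRYPTOR_STUB in s for s in samples),
        "emulate_then_scan": sum(detected_by_emulation(s) for s in samples),
    }

if __name__ == "__main__":
    print(scan_corpus(build_corpus(5, 5)))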
How Hard Is It to Write a Virus?
2268 matches for “virus creation tool” in CA’s Spyware Information Center
OverWritting Virus Construction Toolkit
“The perfect choice for beginners”
Biological Warfare Virus Creation Kit
Includes dozens of polymorphic and metamorphic engines
Note: all viruses created this way will be detected by Norton Anti-Virus
Vbs Worm Generator (for Visual Basic worms)
Used to create the Anna Kournikova worm
Propagation of Viruses
[Moshchuk et al.]
Websites with popular content
Games: 60% of websites contain executable content, one-third contain at least one malicious executable
Celebrities, adult content, everything except news
(Table in the original slides: most popular sites with malicious content, Oct 2005)
Viruses in P2P Networks
[Shin, Jung, Balakrishnan]
Millions of users willingly download files
e.g., KaZaA: 2.5 million users in May 2006
Easy to insert an infected file into the network
Pretend to be an executable of a popular application
e.g., “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …
Infected MP3 files are rare
When executed, the malicious file opens a backdoor for the remote attacker
Steal the user’s confidential information; spread spam
70% of infected hosts are already on DNS spam blacklists
Prevalence of Viruses in KaZaA
[Shin, Jung, Balakrishnan]
2006 study of 500,000 KaZaA files
Looked for 364 patterns associated with 71 viruses
Up to 22% of all KaZaA files infected
52 different viruses and Trojans
Another study found that 44% of all executable files on KaZaA contain malicious code
When searching for “ICQ” or “Trillian”, the chances of hitting an infected file are over 70%
Dangerous KaZaA Queries
[Shin, Jung, Balakrishnan]
(Figure in the original slides)
Worms
Worms are self-propagating malicious programs
A worm replicates and propagates without a host program
Worms can infect a large number of computers in a short time
Infamous examples: the Morris worm, Code Red I & Code Red II, Slammer, Nimda
Viruses vs. Worms
VIRUS: propagates by infecting other programs; usually inserted into host code (not a standalone program)
WORM: propagates automatically by copying itself to target systems; is a standalone program
Summer of 2001
[from “How to 0wn the Internet in Your Spare Time”]
Three major worm outbreaks
Code Red I
July 13, 2001: the first worm of the modern era
Exploited a buffer overflow in Microsoft’s Internet Information Server (IIS)
How does Code Red I work?
1st through 20th of each month: spread
Find new targets by random scan of the IP address space
Spawn 99 threads to generate addresses and look for IIS
The creator did not seed the random number generator, so every copy scanned the same sequence of addresses
21st through the end of each month: attack
Deface websites
Code Red II
August 4, 2001: exploited the same IIS vulnerability, but with completely different code
Scanning algorithm preferred nearby addresses: chose addresses from the same class A with probability 1/2, from the same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
Worked only on Windows 2000; crashed NT
Died by design on October 1, 2001
Payload: installed a root backdoor on IIS servers for unrestricted remote access
Q: what are class A, class B, …?
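The localized scanning rule above, worked through as an added example (not the worm's code and not from the slides). "Class A" and "class B" are the old classful blocks: the /8 sharing the host's first octet and the /16 sharing its first two octets. The rejection of loopback (127/8), multicast (224/8) and the host's own address is taken from CAIDA's analysis of the worm and is an assumption here; the vulnerable-host counts passed to hit_probability in __main__ are constructed to show why the bias pays off when vulnerable machines cluster.

```python
"""Code Red II style localized scanning, as an added illustration."""
import random

ADDRESS_SPACE = 2 ** 32

def pick_target(own_ip: str, rng: random.Random) -> str:
    """Choose one scan target: 1/2 same /8, 3/8 same /16, 1/8 anywhere.
    Loopback, multicast and the host itself are rejected and redrawn
    (exclusion reported by CAIDA, assumed here)."""
    own = [int(o) for o in own_ip.split(".")]
    while True:
        r = rng.random()
        if r < 1 / 2:                                   # same class A (/8)
            t = [own[0]] + [rng.randrange(256) for _ in range(3)]
        elif r < 1 / 2 + 3 / 8:                         # same class B (/16)
            t = own[:2] + [rng.randrange(256) for _ in range(2)]
        else:                                           # anywhere
            t = [rng.randrange(256) for _ in range(4)]
        if t[0] in (127, 224) or t == own:
            continue
        return ".".join(map(str, t))

def scan_locality(own_ip: str, n: int, seed: int = 7) -> tuple:
    """Fraction of n generated targets that share the host's /8 and its /16."""
    rng = random.Random(seed)
    own = own_ip.split(".")
    same8 = same16 = 0
    for _ in range(n):
        t = pick_target(own_ip, rng).split(".")
        same8 += t[0] == own[0]
        same16 += t[:2] == own[:2]
    return same8 / n, same16 / n

def hit_probability(vuln_in_own_16: int, vuln_in_own_8: int,
                    vuln_total: int, localized: bool) -> float:
    """Probability that a single scan lands on a vulnerable host, for uniform
    random scanning versus the Code Red II mix. The three arguments are how
    many vulnerable hosts sit in the host's own /16, its own /8, and the
    whole Internet."""
    p16 = vuln_in_own_16 / 2 ** 16
    p8 = vuln_in_own_8 / 2 ** 24
    p32 = vuln_total / ADDRESS_SPACE
    if not localized:
        return p32
    return 1 / 2 * p8 + 3 / 8 * p16 + 1 / 8 * p32

if __name__ == "__main__":
    print("share of targets in own /8, own /16:", scan_locality("10.20.30.40", 20000))
    # Constructed scenario: 100 vulnerable IIS hosts in the host's /16, 2,000 in
    # its /8, 300,000 Internet-wide.
    uniform = hit_probability(100, 2000, 300_000, localized=False)
    local = hit_probability(100, 2000, 300_000, localized=True)
    print(f"per-scan hit chance: uniform {uniform:.2e}, localized {local:.2e}, "
          f"ratio {local / uniform:.1f}x")
```

For the constructed counts the biased scan is about nine times more likely per probe to find a vulnerable host than uniform scanning, which is why a single infection inside a corporate network tends to sweep that network first. The same bias also explains the slide's note that the worm crashed NT hosts in bulk: they were neighbours of the infected Windows 2000 machines.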
Slammer Worm
January 24/25, 2003: UDP worm exploiting a buffer overflow in Microsoft’s SQL Server
Entire code fits into a single 404-byte UDP packet
The buffer overflow was already known and patched by Microsoft, but not everybody had installed the patch
Worm binary followed by an overflow pointer back to itself
Classic buffer overflow combined with random scanning: once control is passed to the worm code, it randomly generates IP addresses and attempts to send a copy of itself to port 1434
MS-SQL (the SQL Server Resolution Service) listens on UDP port 1434
(We’ll see how buffer overflows work in the next chapter, “network attacks”)
Slammer Propagation
Scan rate of 55,000,000 addresses per second
Scan rate = rate at which the worm generates IP addresses of potential targets
Up to 30,000 single-packet worm copies per second from one infected host
Initial infection was doubling every 8.5 seconds (!!)
Doubling time of Code Red was 37 minutes
Worm-generated packets saturated the carrying capacity of the Internet in 10 minutes
75,000 SQL servers compromised
And that’s in spite of the broken pseudo-random number generator used for IP address generation
05:29:00 UTC, January 25, 2003 (map in the original slides) [from Moore et al. “The Spread of the Sapphire/Slammer Worm”]
30 Minutes Later (map in the original slides) [from Moore et al. “The Spread of the Sapphire/Slammer Worm”]
Secret of Slammer’s Speed
Old-style worms (Code Red) spawn a new thread which tries to establish a TCP connection and, if successful, sends a copy of itself over TCP
Limited by the latency of the network: each thread waits for the handshake to complete or time out
Slammer was a connectionless UDP worm
No connection establishment; it simply sends a 404-byte UDP packet to randomly generated IP addresses
Limited only by the bandwidth of the network
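The numbers on the last two slides (doubling times, 30,000 copies per second, saturation within minutes) follow from one model, which this added example works through; it is not from the slides. It uses the random constant spread model of Staniford, Paxson and Weaver, dI/dt = K I (1 - I/N), where K is the per-host scan rate times the vulnerable fraction of the address space. The inputs in __main__ are assumptions: roughly 4,000 scans per second per Slammer host against about 75,000 vulnerable servers (the order of magnitude Moore et al. report), and for Code Red its 99 threads against roughly 360,000 IIS hosts with an assumed 21-second connect timeout for dead addresses.

```python
"""Random-scanning worm growth: scan rate, doubling time, TCP vs UDP limits."""
import math

ADDRESS_SPACE = 2 ** 32

def contact_rate(scans_per_sec_per_host: float, vulnerable: int) -> float:
    """K: new infections per infected host per second while the worm is still
    rare = scan rate * fraction of the address space that is vulnerable."""
    return scans_per_sec_per_host * vulnerable / ADDRESS_SPACE

def doubling_time(k: float) -> float:
    """Seconds per doubling during the early exponential phase."""
    return math.log(2) / k

def infected_after(t: float, k: float, vulnerable: int, initial: int = 1) -> float:
    """Closed-form logistic solution of dI/dt = K I (1 - I/N)."""
    n = vulnerable
    return n / (1 + (n / initial - 1) * math.exp(-k * t))

def tcp_scan_rate(threads: int, connect_wait_sec: float) -> float:
    """Connection-oriented scanning (Code Red style): each thread is tied up
    for one connect() attempt per target, and most random targets do not
    answer, so a full SYN timeout is the typical cost. Latency bounds the rate."""
    return threads / connect_wait_sec

def udp_scan_rate(link_bits_per_sec: float, packet_bytes: int) -> float:
    """Connectionless scanning (Slammer style): fire and forget, so only the
    uplink bandwidth bounds the rate."""
    return link_bits_per_sec / (packet_bytes * 8)

if __name__ == "__main__":
    # Assumed inputs, see the lead-in; not measurements from the slides.
    k_slammer = contact_rate(4000, 75_000)
    k_codered = contact_rate(tcp_scan_rate(99, 21.0), 360_000)
    print(f"Slammer doubling time:  {doubling_time(k_slammer):6.1f} s")
    print(f"Code Red doubling time: {doubling_time(k_codered) / 60:6.1f} min")
    print(f"100 Mb/s uplink, 404-byte packets: "
          f"{udp_scan_rate(100e6, 404):,.0f} worm copies/s")
    for t in (60, 180, 600):
        print(f"Slammer model after {t:3d} s: "
              f"{infected_after(t, k_slammer, 75_000):,.0f} infected")
```

Under these assumptions the model gives a doubling time of about ten seconds for Slammer and about half an hour for Code Red, a 100 Mb/s link carries just over 30,000 packets of 404 bytes per second, and the logistic curve reaches essentially the whole vulnerable population within ten minutes. The lesson for defenders is in contact_rate: the scan rate multiplies the vulnerable fraction, so patching (shrinking the vulnerable count) and rate-limiting outbound UDP from hosts that should not be scanning (shrinking the scan rate) both slow the worm proportionally.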
Slammer Impact
$1.25 billion of damage
Temporarily knocked out many elements of critical infrastructure
Bank of America ATM network
Entire cell phone network in South Korea
Five root DNS servers
Continental Airlines’ ticket processing software
The worm did not even have a malicious payload
Simply bandwidth exhaustion on the network and resource exhaustion on infected machines
Trojan Horses
A Trojan horse is malicious code hidden in an apparently useful host program
When the host program is executed, the Trojan does something harmful or unwanted
The user must be tricked into executing the host program
E.g., in 1995 a program distributed as PKZ300B.EXE looked like a new version of PKZIP… When executed, it formatted your hard drive.
Trojans do NOT replicate
This is the main difference from worms and viruses
Trojans: an Insidious Attack
Trojans are an insidious attack against networks
They disguise themselves as useful programs and hide malicious content (backdoors, rootkits) in the program
Allow attackers remote access
Trojan programs also use well-known ports, such as HTTP (TCP 80) or DNS (UDP 53), so their traffic blends in with normal traffic
Common Trojan Programs and Ports Used
(Table in the original slides; details are not required)
Rootkits
A rootkit is a set of Trojaned program binaries
Main characteristic: stealthiness (hides the infection from the host’s owner)
Creates a hidden directory
/dev/.lib, /usr/src/.poop and similar
Often uses invisible characters in the directory name
Installs hacked binaries for system programs such as netstat, ps, ls, du, login
Typical infection path:
Use a stolen password or a dictionary attack to log in
Use a buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated, lpr, or passwd to gain root access
Download the rootkit by FTP, unpack, compile and install
Detecting Rootkit Presence
Sad way to find out
Run out of physical disk space because of sniffer logs
The logs are invisible because du and ls have been hacked!
Manual confirmation
Reinstall a clean ps and see what processes are running
Automatic detection
Host-based intrusion detection can find rootkit files
assuming the rootkit did not disable your intrusion detection system!
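Both detection routes on the slide above, the manual "run a clean ps" check and the file-based check a host IDS performs, can be automated in a few lines. The script below is an added example, not from the slides: hidden_pids compares the kernel's own process list under /proc with what the installed ps binary reports (a Trojaned ps hides the attacker's processes, the kernel does not), and changed_binaries compares hashes of system programs against a known-good manifest of the kind Tripwire-style tools keep. The manifest contents and PID lists in __main__ are constructed, and the path names are illustrative.

```python
"""Two checks against a user-mode rootkit (Trojaned ps, ls, du, netstat, login)."""
import hashlib
import os
import subprocess

def hidden_pids(proc_pids, ps_pids):
    """Cross-view check: PIDs the kernel exposes under /proc that the ps
    binary does not report. A kernel-level rootkit would hide from /proc as
    well, so this only catches the Trojaned-binary kind the lecture describes."""
    return sorted(set(map(int, proc_pids)) - set(map(int, ps_pids)))

def live_hidden_pids():
    """Take both views on the running host. Processes that exit between the
    two snapshots show up as false positives, so repeat the check and keep
    only the PIDs that stay hidden."""
    proc = [d for d in os.listdir("/proc") if d.isdigit()]
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return hidden_pids(proc, out.split())

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_files(paths):
    """Hash the real files on disk. Run this from clean, read-only media: a
    Trojaned shell or a preloaded library can otherwise feed it false data."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            out[p] = digest(f.read())
    return out

def changed_binaries(baseline: dict, current: dict) -> dict:
    """Compare a known-good manifest {path: sha256}, taken at install time and
    stored off the box, against hashes computed now. Returns the paths that
    differ or have disappeared; anything else is a candidate Trojaned binary."""
    report = {}
    for path, good in baseline.items():
        now = current.get(path)
        if now is None:
            report[path] = "missing"
        elif now != good:
            report[path] = "modified"
    return report

if __name__ == "__main__":
    # Constructed manifest: ps has been replaced and netstat removed.
    baseline = {"/bin/ps": digest(b"clean ps"),
                "/bin/ls": digest(b"clean ls"),
                "/bin/netstat": digest(b"clean netstat")}
    current = {"/bin/ps": digest(b"trojaned ps"),
               "/bin/ls": digest(b"clean ls")}
    print("integrity:", changed_binaries(baseline, current))
    # Constructed PID views: the kernel sees 4242, the Trojaned ps does not.
    print("hidden:", hidden_pids(["1", "2", "3", "4242"], ["1", "2", "3"]))
    if os.path.isdir("/proc"):
        print("live check:", live_hidden_pids())
```

The caveat on the slide applies to both checks: the manifest must live somewhere the attacker cannot rewrite, and the comparison must run with tools the attacker has not replaced, otherwise a rootkit that "disabled your intrusion detection system" simply reports a clean machine.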
Spyware
Sends information from the infected computer to the attacker
Confidential financial data
Passwords
PINs
Any other stored data
Can even record each keystroke entered
Adware
Similar to spyware
Can be installed without the user being aware
Main goals
Display unwanted pop-up ads
Determine the user’s online purchasing habits
Tailored advertisements
Problem with adware
Slows down computers
Protecting Against Malware Attacks
Protecting against malware is a difficult task
New viruses, worms and Trojan programs appear daily
Most antivirus software uses signatures, so it can only check for known viruses
Educating Your Users
Structured training
E-mail monthly security updates
Include all employees and management
A simple but effective training method
Recommend that users update the virus signature database
Activate automatic updates
Defense via Software and Hardware
Anti-virus software
SpyBot and Ad-Aware help protect against spyware and adware
Firewalls
Hardware (enterprise solution)
Software (personal solution)
Intrusion Detection System (IDS)
Monitors your network 24/7