Virus - USC Upstate: Faculty

Download Report

Transcript Virus - USC Upstate: Faculty

SCSC 455 Computer Security
Chapter 5 Malware
Index






Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
2
Malicious Software (Malware)

Malicious software often masquerades as good
software or attaches itself to good software

Some malicious programs need host programs


Others can exist and propagate independently


Trojan horses, viruses, logic bombs
Worms
Goals of malware



Destroy data
Corrupt data
Shutdown networks or systems
3
Malware classification

Malicious software includes





Virus
Worm
Trojan programs
Spyware
Adware
4
Index





Malware Overview
Virus
Worm
Trojan Horses and other malware
Methods against malware attacks
5
Viruses propagation

Virus propagates by infecting other programs



Automatically creates copies of itself, but to propagate, a human
has to run an infected program
In contrast, self-propagating malicious programs are usually called
worms
Many propagation methods …




Insert a copy into every executable (.COM, .EXE)
Insert a copy into boot sectors of disks
 E.g., Stoned virus infected PCs booted from infected floppies,
stayed in memory and infected every floppy inserted into PC
Infect TSR (terminate-and-stay-resident) routines
 By infecting a common OS routine, a virus can always stay in
memory and infect all disks, executables, etc.
Etc.
6
Virus Classification

Stealth viruses



Macro viruses


Mutation
Aliasing
What is Macro?
Polymorphic viruses


Viruses that mutate and/or encrypt parts of their code with a
randomly generated key
changing the encryption routine, the sequence of instructions, or
other such changes in the behavior of the virus
Detail of each …
7
Virus Stealth Techniques

[Shin, Jung, Balakrishnan]
Mutation: virus has multiple binary variants


Defeats naïve signature-based detection
Used by the most successful (i.e., widespread) viruses
e.g., Tanked: 62 variants, SdDrop: 14 variants

Aliasing: virus places its copies under different
names into the infected host’s sharing folder
e.g., “ICQ Lite .exe”, “ICQ Pro 2003b.exe”, “MSN
Messenger 5.2.exe”
8
Macro Viruses

Macro viruses are virus encoded as a macro



Macro virus is lists of commands that can be used in
destructive ways
When infected document is opened, virus copies itself
into global macro file and makes itself auto-executing
Most macro viruses are very simple. Even
nonprogrammers can create macro viruses
 Instructions posted on Web sites
(You will read more about macro viruses in the reading article 3.)
9
Evolution of Polymorphic Viruses (1)

Anti-virus scanners detect viruses by looking for signatures


Encrypted viruses: virus consists of a constant decryptor,
followed by the encrypted virus body



signatures are snippets of known virus code
Relatively easy to detect because decryptor is constant
E.g., Cascade (DOS), Mad (Win95), Zombie (Win95)
Oligomorphic viruses: different versions of virus have different
encryptions of the same body


Small number of decryptors (96 for Memorial viruses);
To detect, must understand how they are generated
10
Evolution of Polymorphic Viruses (2)

Polymorphic viruses: constantly create new
random encryptions of the same virus body

Virus must contain a polymorphic engine for creating
new keys and new encryptions of its body


Rather than use an explicit decryptor in each mutation,
it decrypts its body by brute-force key search
E.g., Marburg (Win95), HPS (Win95), Coke (Win32)
11
How Hard Is It to Write a Virus?

2268 matches for “virus creation tool” in CA’s
Spyware Information Center


OverWritting Virus Construction Toolkit


"The perfect choice for beginners“
Biological Warfare Virus Creation Kit


Including dozens of poly- and metamorphic engines
Note: all viruses created this way will be detected by
Norton Anti-Virus
Vbs Worm Generator (for Visual Basic worms)

Used to create the Anna Kournikova worm
12
Index






Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
13
Propagation of Viruses
[Moshchuk et al.]

Websites with popular content



Games: 60% of websites contain executable content,
one-third contain at least one malicious executable
Celebrities, adult content, everything except news
Most popular sites with
malicious content (Oct 2005)
14
Viruses in P2P Networks

[Shin, Jung, Balakrishnan]
Millions of users willingly download files
e.g., KaZaA: 2.5 million users in May 2006

Easy to insert an infected file into the network

Pretend to be an executable of a popular application
e.g., “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …


Infected MP3 files are rare
When executed, the malicious file opens a backdoor
for the remote attacker

Steal user’s confidential information; spread spam

70% of infected hosts are already on DNS spam
blacklists
15
Prevalence of Viruses in KaZaA
[Shin, Jung, Balakrishnan]

2006 study of 500,000 KaZaA files


Look for 364 patterns associated with 71 viruses
Up to 22% of all KaZaA files infected



52 different viruses and Trojans
Another study found that 44% of all executable files on
KaZaA contain malicious code
When searching for “ICQ” or “Trillian”, chances of
hitting an infected file are over 70%
16
Dangerous KaZaA Queries
[Shin, Jung, Balakrishnan]
17
Index






Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
18
Worms

Worm are self-propagating malicious programs



Replicates and propagates without a host
Worms can infect a large number of computers in a
short time
Infamous examples: the Morris worm, Code Red I &
Code Red II, Slammer, Nimda
19
Viruses vs. Worms
VIRUS
WORM

Propagates by infecting
other programs


Usually inserted into host
code (not a standalone
program)

Propagates automatically
by copying itself to target
systems
Is a standalone program
20
Summer of 2001
[from “How to 0wn the Internet in Your Spare Time”]
Three major worm
outbreaks
21
Code Red I

July 13, 2001: is the first worm of the modern era

Exploited buffer overflow in Microsoft’s Internet
Information Server (IIS)
How does Code Red I work?
 1st through 20th of each month: spread

Find new targets by random scan of IP address space



Spawn 99 threads to generate addresses and look for IIS
Creator forgot to seed the random number generator,
and every copy scanned the same set of addresses 
21st through the end of each month: attack

Deface websites !
22
Code Red II

August 4, 2001: explore the same IIS vulnerability,
completely different code,



Scanning algorithm preferred nearby addresses


Worked only on Windows 2000, crashed NT
Died by design on October 1, 2001
Chose addresses from same class A with probability
½, same class B with probability 3/8, and randomly
from the entire Internet with probability 1/8
Payload: installed root backdoor in IIS servers for
unrestricted remote access
Q: what is the class A, class B …?
23
Slammer Worm

January 24/25, 2003: UDP worm exploiting buffer overflow in
Microsoft’s SQL Server



Entire code fits into a single 404-byte UDP packet


Buffer overflow was already known and patched by Microsoft
but not everybody installed the patch
Worm binary followed by overflow pointer back to itself
Classic buffer overflow combined with random scanning:


once control is passed to worm code, it randomly generates IP
addresses and attempts to send a copy of itself to port 1434
MS-SQL listens at port 1434
(We’ll see how buffer overflow works in the next chapter “network attacks”)
24
Slammer Propagation

Scan rate of 55,000,000 addresses per second



Initial infection was doubling in 8.5 seconds (!!)


Scan rate = rate at which worm generates IP addresses of
potential targets
Up to 30,000 single-packet worm copies per second
Doubling time of Code Red was 37 minutes
Worm-generated packets saturated carrying capacity of the
Internet in 10 minutes


75,000 SQL servers compromised
And that’s in spite of broken pseudo-random number generator
used for IP address generation
25
05:29:00 UTC, January 25, 2003
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]
26
30 Minutes Later
[from Moore et al. “The Spread of the Slammer Worm”]
27
Secret of Slammer’s Speed

Old-style worms (Code Red) spawn a new thread
which tries to establish a TCP connection and, if
successful, send a copy of itself over TCP


Limited by latency of the network
Slammer was a connectionless UDP worm


No connection establishment, simply send 404-byte
UDP packet to randomly generated IP addresses
Limited only by bandwidth of the network
28
Slammer Impact


$1.25 Billion of damage
Temporarily knocked out many elements of critical
infrastructure





Bank of America ATM network
Entire cell phone network in South Korea
Five root DNS servers
Continental Airlines’ ticket processing software
The worm did not even have malicious payload

simply bandwidth exhaustion on the network and
resource exhaustion on infected machines
29
Index






Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
30
Trojan Horses


Trojan horse is malicious code hidden in an
apparently useful host program
When the host program is executed, Trojan does
something harmful or unwanted



User must be tricked into executing the host program
E.g., In 1995, a program distributed as PKZ300B.EXE
looked like a new version of PKZIP… When executed, it
formatted your hard drive.
Trojans do NOT replicate

This is the main difference from worms and viruses
31
Trojan Insidious attack

Trojan insidious attack against networks



Disguise themselves as useful programs, hide
malicious contents (Backdoors, Rootkits) in program
Allow attackers remote access
Trojan programs also use known ports

HTTP (TCP 80) or DNS (UDP 53)
32
Common Trojan Programs and Ports
Used (details are not required)
33
Rootkits

Rootkit is a set of Trojan program binaries


Main characteristic: stealthiness (hides infection from the host’s
owner)
Create a hidden directory




(revisit)
/dev/.lib, /usr/src/.poop and similar
Often use invisible characters in directory name
Install hacked binaries for system programs such as
netstat, ps, ls, du, login
Typical infection path:



Use stolen password or dictionary attack to log in
Use buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated,
lpr, or passwd to gain root access
Download rootkit by FTP, unpack, compile and install
34
Detecting Rootkit Presence

Sad way to find out



Manual confirmation


Run out of physical disk space because of sniffer logs
Logs are invisible because du and ls have been hacked!
Reinstall clean ps and see what processes are running
Automatic detection

Host-based intrusion detection can find rootkit files

assuming an rootkit did not disable your intrusion
detection system!
35
Spyware

Sends information from the infected computer to the
attacker





Confidential financial data
Passwords
PINs
Any other stored data
Can even registered each keystroke entered
36
Adware

Similar to spyware



Main goal



Can be installed without the user being aware
Display unwanted pop-up ads.
Determine user’s online purchasing habits
Tailored advertisement
Problem of Adwares

Slows down computers
37
Logic Bomb



What is logic bomb
Who make logic bomb
How to prevent logic bomb
Study shows more than 50% of attacks are from
insiders.
38
Index






Malware Overview
Virus
Propagation of Viruses
Worm
Trojan Horses and other malware
Methods against malware attacks
39
Protecting Against Malware Attacks

Protecting against malware is a difficult task


New viruses, worms, Trojan programs appear daily
Most of antivirus software use signature to check known
viruses.
40
Educating Your Users

Structural training


E-mail monthly security updates


Includes all employees and management
Is a simple but effective training method
Recommend that users update virus signature
database

Activate automatic updates
41
Defense via Software and Hardware

Anti-virus software

SpyBot and Ad-Aware



Help protect against spyware and adware
Firewalls

Hardware (enterprise solution)

Software (personal solution)
Intrusion Detection System (IDS)

Monitors your network 24/7
42