Lesson 11a - Malicious Software (Malware)

Download Report

Transcript Lesson 11a - Malicious Software (Malware)

IST-454
Topic 12a
Malicious Code Forensics
IST-454
What is malicious code?
(aka – Malware)
Any program code (application, system, document,
etc.) that seeks to alter the correct execution of a
program or processing of a system
•Compromise security
•Steal information
•Acquire control
•Deny or degrade service
•Provide a vector for any of the above
Not all malware is malicious – but for purposes of this
topic we will assume it is.
IST-454
Malware forensics
Serves a number of possible purposes
• detection and removal
• examination and understanding
• malware causes significant losses to
organizations
• malware could be part of a larger intrusion
or compromise
• targeted malware increasingly used in
cyber-crime and cyber-warfare
IST-454
Malware forensics
Example 1:
• IDS detects unusual network activity off-peak, system
scans reveal malware that had been acting as a
spambot, forensics approaches indentify and remove
malware, analysis seeks to determine how malware
intrusion happened
Example 2:
• New malware is discovered in software for air trafficcontrol system. Analysis shows malware intercepts
airplane ID and radar data and potentially mis-displays
data for controllers. Further analysis indicates origin was
in removable storage purchased from foreign subsidiary
IST-454
Malware Taxonomy
•Note that these categories are not
mutually exclusive
A given sample of malicious code may
have properties from a number of these
categories – do not get hung up on names
•Vector
Method of infection
Early forms of malicious code were
exclusively transferred via floppy disk or
intentionally written into software - today
there are many vectors – network, hidden
code (ie. Trojan), e-mail, etc.
IST-454
MalwareTaxonomy
•Virus
• Replicating code segment
• Not complete program – requires
external execution engine
•
Often accomplished by embedding itself in
another program or a document that is
interpreted by a run-time system
• Can be written to be specific to an
operating system, processor or
application environment
• Name ‘virus’ comes from similarity with
biological viruses
• Virus has 2 levels of activation
•
•
Replication
Detonation or Activation
• Detonation happens only after virus has
had a chance to replicate
IST-454
MalwareTaxonomy
•Worm
•
•
•
•
•
Self-Replicating code segment
Installs as a process in a multi-processing
system
Exploits network to copy self to other
systems
• Parents may expire – giving illusion of
movement through network
• Hence the name ‘worm’
First worm built at Bell Labs to scan network
for resource inventory
Initial vector for worm infestation need not
be via network
• Could be via Trojan
IST-454
MalwareTaxonomy
•Logic Bomb
•
•
•
•
Also known as ‘Easter eggs’
Programmed malfunctions or ‘unintended’
functions
• Some Easter eggs were gifts to users
• Early Windows version contained
simple Doom-like game as Easter egg
Many early logic bombs had legitimate uses
• Activate debugging code
• Allow for managerial super-user access
• Disable software after license had
expired
Logic bombs are often built into other forms
of malware – for example a virus set to
detonate on a specific date
• Such as April 1
IST-454
MalwareTaxonomy
•Trojan Horse
•
•
•
Program embedded within another program
• Purpose is to trick user into installing
outer program – once installed the
Trojan can execute
• Many early Trojans were in form of
games or screen-savers
Trojan itself could be worm, virus, adware,
spyware, etc.
Early Trojans on mainframes were used for
theft
IST-454
MalwareTaxonomy
• Exploit Code
•
Purposely installed on computer to support
further exploits
•
Examples include auto-rooters, rootkits and
penetration tools
•
Rootkit is a tool installed after system
control is gained to modify logs, create
backdoors, etc.
IST-454
MalwareTaxonomy
• Downloader
•
•
Gains foothold and downloads other
malware
Many Bots work this way
• Dailer
•
•
Used with modem to dial special
numbers
Potential exists for use with smart
phones
IST-454
MalwareTaxonomy
•Code Generator Kits
•
•
•
Code kits used to create malware or
slight variations on malware
Also known as virus kits
‘Virus Creation Laboratory’ (VCL) was
an early code kit
• Released in July, 1992 by a hacker
with the name ‘Nowhere Man’
• Turns out that many of the viruses
created were ineffective or would
not complile
IST-454
MalwareTaxonomy
• Spammers
•
Code that causes e-mail program to
generate spam mailings
• Flooders
•
•
DOS tools, DDOS tools
Typically employed by BOTnets
• Keyloggers
•
Log keystrokes and send to remote
server
IST-454
MalwareTaxonomy
• Other
• Hoax messages
•
Results in wasted effort/time
• Adware
•
Delivers targeted ads
• Spyware
•
Gathers data about user
• Phishing attacks
•
Social engineering tactic
IST-454
Malware Example
In 2005, Sony BMG released music CDs containing
extended copy protection (XCP) software.
This software was functionally a rootkit that installed
hidden files with no notification to the user – a special
uninstaller was required to remove the software
Simply playing the music CD in a windows machine
resulted in infection
NPR story:
http://www.npr.org/templates/story/story.php?sto
ryId=4989260
IST-454
Focus on Virus:
“A computer virus is a program that
recursively and explicitly copies a possibly
evolved version of itself.”
Peter Szor, 2005
Key aspects of this definition:
Recursively: operate on their own output
Explicitly: the copy is specifically intended as
opposed to resulting from a side-effect of some
other action
Possibly evolved: the virus may alter itself over
time (metamorphism)
IST-454
Focus on Virus:
First academic description by John Von
Neuman (1949)
Described how a computer program could be
designed to reproduce itself
In 1972 Veith Risak published an article describing a
fully-functional assembler virus for a SEIMENS 4004/35
computer
In 1984, Fred Cohen (USC) wrote a paper that coined
the term ‘virus’ for replicating software
First academic paper using term ‘virus’
IST-454
Focus on Virus:
Science Fiction:
David Gerrold used term ‘virus’ to denote a selfreplicating program in a Galaxy Magazine short
story in 1969
Michael Crichton’s ‘The Terminal Man’ describes
a program that randomly dials phone numbers until
it reaches a computer – then programs that
computer to do the same thing – expanding
exponentially
IST-454
Focus on Virus:
First virus anywhere was ‘creeper’ developed by
Bob Thomas at BBN Technologies (1971) using
ARPANET to infect Dec PDP-10 computers running
Tenex
Reaper program was written to eradicate
Creeper
Elk Cloner written in 1981 by Richard Skrenka as a
practical joke – spread through floppy disk to Apple
DOS 3.3 – first virus in wild
First IBM-PC virus in wild was (c) Brain crated by
Pakistani Farooq Alvi brothers
IST-454
Focus on Virus:
What is the difference between ‘replicating’ and
‘self-replicating’?
For a virus to replicate, another program or
action must allow it access to execute in
memory
This is typically accomplished by exploiting the
run-time or execution environment of another
program
A worm is ‘self-replicating’ because it is a
complete program with access to memory
IST-454
Focus on Virus:
For virus code to execute successfully, it must match the
execution environment
Many execution environments exist, e.g.:
MS Office macro invoking a Java method on a windows XP machine
running on an x86 processor
Any given virus can only be successful if its code matches all of the
various dependencies
Homogeneous environments, such as Java and MS Office provide
execution environments across many lower level environments
Dependencies:
CPU: differences between families, within a family (backward
compatibility, extensions such as MMX, prefetch queue, etc.)
Operating System: different OSs and different versions of an OS
File system: virus may modify file system metadata (e.g. FAT), NTFS
stream-based hiding
File format: COM, EXE, dll, ELF, etc…
Interpreter: Office Macros, Shell languages, VBScript, Jscript, etc…
IST-454
Virus Stealth:
Read request intercepts:
Virus injects code replacing OS code that handles read
requests
Injected code then intercepts request to read a file that is
infected
After executing, injected code that returns uninfected file
This circumvents AV that would otherwise detect
infected file
File hashes to indentify altered Windows files can be
overwritten so that System File Checker will report that files
are originals
The only reliable way to avoid stealth is to boot
from a medium that is known to be clean
IST-454
Virus Stealth:
Self-modification
Virus alters itself upon each replication to attempt
to foil AV software looking for identification
strings
Variable-key encryption
Virus consists of small decryption module and
encrypted viral code
Different encryption key is used for each
replication
IST-454
Virus Stealth:
Polymorphic code
Creates both encrypted code and modified
decryptor
Metamorphic code
Virus is completely re-written on each
replication – this technique is complex and
bulky
IST-454
General Protection
• Good anti-malware and anti-spyware
• Run regularly and keep updated
• Anti-malware and anti-spyware can look for different
kinds of malware – useful to have both installed
• Good Firewall
• set for least access
• periodically re-examine rules
• pen testing on network important to determine
vulnerabilities
• perimeter, server and desktop defenses
IST-454
General Protection
• Good Intrusion-detection system
• provides notification of unusual network or server activity
• Least-privilege accounts and care in Web browsing
• LPA can prevent up to 70% of malware
• Many Web sites provide infection via cross-site scripting
• Good vulnerability patch management
• some malware exploits known vulnerabilities that could
have been patched
IST-454
Network Telescopes and Honeypots
A commonly used monitor for worm activity is the
network telescope
Network telescopes monitor large segments of dark, or
unused, address space containing few, if any, production
hosts
No or very little legitimate traffic is expected to be
observed targeting telescope address space
Honeypot can be used to gather data for a controlled
intrusion
Server/service configured to specifically gather
worm or Bot data
IST-454
In general it is far easier to prevent
infection than to recover from infection!
IST-454
Reverse Engineering
• Technique used to identify malware and determine its methods, targets
and possibly origins
• Requires knowledge of assembly language
• beyond scope of 454 – but many resources for learning AL exist
• Requires isolated systems and/or networks
• to prevent malware from ‘escaping’
• use of a virtual machine may help
• Requires in-depth systems knowledge
• malware may reveal itself in altered or unusual process/server
activity
• Requires specialized tools
• Disassembler, hex editor, etc.
IST-454
Malware Analysis Process
(from Reverse Malware Cheat Sheet by
Larry Zeltser)
• Set up controlled, isolated, laboratory
• Examine specimen's interactions with its environment
• Perform static code analysis
• will involve reverse engineering of malware code at
various stages
• Perform dynamic code analysis
• examine code activity in detail
IST-454
Malware Analysis Process
(from Reverse Malware Cheat Sheet by
Larry Zeltser)
• if necessary, unpack the specimen
• allow it to infect target system/network –
under carefully controlled conditions
• Repeat until sufficient analysis objectives are met
• Document findings and clean up laboratory – wipe
all systems
IST-454
Malware Behavioral Analysis
(from Reverse Malware Cheat Sheet by
Larry Zeltser)
• Be prepared to revert to known state via dd, VMWare
snapshots, CoreRestore, or other tools
• Monitor local (Process Monitor, Process Explorer) and
network (Wireshark, TCPdump) interactions
• Detect major local changes (RegShot, Autoruns)
• Redirect network traffic (hosts file, DNS,Honeyd)
• Activate services as needed to evoke new behavior from
specimen (IRC, HTTP, SMTP, etc.)
IST-454
Bot and Botnet
• Bot is a zombie computer
• Bot software downloaded and installed,
often as rootkit
• Bots connect through TCP/IP to controller
(mother ship)
• Bots can be reprogrammed from controller
• Botnets used to launch spam, DDOS
IST-454
Bot and Botnet
• Case study: Storm Botnet
• By Sep 2007 running on between 1 and 50 million
computers worldwide (at one point 8% of all
Windows malware)
• Vector was XSS – used phishing to get users to
activate Web link
• Used in variety of criminal activities, including
DDOS and spam
• Has displayed defensive behaviors
• Developers not caught yet – believed to have
originated in Russia
• Believed that code has been sold to other hacker
groups
IST-454
Case study - Stuxnet
• Computer worm first analyzed in July, 2010
• First known case of ‘targeted’ worm that
attacks industrial control systems
• spreads indiscriminately, contains payload
that targets Siemens control systems
• believed to have been targeted against Iran
nuclear fuel enrichment program
• analysts believe it was created by nationstate, possibly US/Israel
IST-454
Case study - Stuxnet
• First appeared June 2009 – improved
variants in March and April 2010
• Primarily found in 8 countries, but over 60%
of infections in Iran
• Makes itself inert if it does not detect
Siemens control software
• 3-layered attack:
• Windows zero-day vulnerabilities
• Step 7 industrial application
• Siemens PLC
IST-454
Case study - Stuxnet
•
Two vectors:
• USB storage
• P2P RPC
• contains ‘man-in-middle’ attack to fake
industrial process control sensor signals
• so damage is not detected until too late
• believed to have specifically targeted
fuel enrichment centrifuges
IST-454
Case study - Stuxnet
• Contains both user-mode and kernel-mode rootkits
• Valid digital certificates stolen from Veri-Sign used to
avoid driver detection
• Web sites in Denmark and Malaysia served as
command-and-control centers
• Utilized 4 zero-day Windows vulnerabilities
• Infects project files for Siemens WinCC/PCS 7 SCADA
controllers
• subverts key communications dll to avoid detection
IST-454
Case study - Stuxnet
•Stuxnet is VERY sophisticated
• indicates multi-level, evolving attack strategy
• believed to have been developed as a targeted cyberwarfare weapon
• has raised awareness among cyber-security commands
• similar attacks could target power grids,
communications, oil refineries, shipyards, etc.
• (see movie ‘Eagle Eye’ for hypothetical potential)
IST-454
Case study - Duqu
•Sept, 2011 researchers found Stuxnet variant
• named DuQu for repeating letters DQ
• discovered by researchers at Budapest University of
Technology and Economics
• Written in various code – mostly C++ but also ‘Objectoriented C’ (a little known variant from 1980’s)
• may indicate ‘old school’ programmers
IST-454
Case study - Duqu
• appears designed to gather information about
vulnerabilities on industrial systems control
code
• some analysts believe it was authored by same
people who authored Stuxnet
• new variant discovered by Symantec in Feb,
2012
• so work on it appears to be continuing
IST-454
Case study - Flame
• discovered in 2012 – infects MS Windows OS
• appears to be targeted for espionage in Middle
Eastern countries
• According to Kaspersky most infections
have been Iran, Israel, Sudan, Syria,
Lebanon, Saudi Arabia and Egypt
IST-454
Case study - Flame
• written in Lua scripting language with C++
components
• downloads other components
• uses 5 different encryption methods
• stores structured information in SQLlite DB
• identifies any installed AV software and
customizes self to avoid detection
IST-454
Case study - Flame
• spreads via USB stick and network
• uploads local documents
• can intercept Skype communications
• although apparently targeted at Middle East,
possibility of further spread exists
• some analysts suspect flame originated with
Israel, or Stuxnet authors
IST-454
Summary
• Malware poses a unique challenge to security
• Forensic analysis on malware can be useful in
determining its purpose, methods, targets and
possibly origins
• Malware forensic analysis requires knowledge of
assembly language, knowledge of systems, access to
special tools, access to isolated systems
• Check the 454 resources page for links to articles,
tutorials and tools for malware forensics