Malicious Code for Fun and Profit Somesh Jha [email protected] April 15, 2008.
Transcript of Malicious Code for Fun and Profit Somesh Jha [email protected] April 15, 2008.
![Page 2: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/2.jpg)
April 15, 2008 Somesh Jha 2
![Page 3: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/3.jpg)
April 15, 2008 Somesh Jha 3
What is Malicious Code?What is Malicious Code?
Viruses, worms, trojans, …Code that breaks your security policy.
Characteristics
Attack vectorPayloadSpreading algorithm
![Page 4: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/4.jpg)
April 15, 2008 Somesh Jha 4
OutlineOutline
• Attack Vectors
• Payloads
• Spreading Algorithms
• Case Studies
![Page 5: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/5.jpg)
April 15, 2008 Somesh Jha 5
Attack VectorsAttack Vectors
• Social engineering“Make them want to run it.”
• Vulnerability exploitation“Force your way into the system.”
• Piggybacking“Make it run when other programs run.”
![Page 6: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/6.jpg)
April 15, 2008 Somesh Jha 6
Social EngineeringSocial Engineering
• Suggest to user that the executable is:– A game.– A desirable picture/movie.– An important document.– A security update from Microsoft.– A security update from the IT
department.
• Spoofing the sender helps.
![Page 7: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/7.jpg)
April 15, 2008 Somesh Jha 7
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies
![Page 8: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/8.jpg)
April 15, 2008 Somesh Jha 8
Vulnerability ExploitationVulnerability Exploitation
• Make use of flaws in software input handling.
• Sample of techniques:– Buffer overflow attacks.– Format string attacks.– Return-to-libc attacks.– SQL injection attacks.
![Page 9: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/9.jpg)
April 15, 2008 Somesh Jha 9
Basic PrinciplesBasic Principles
A buffer overflow occurs when data is stored past the boundaries of an array or a string.
The additional data now overwrites nearby program variables.
Result:Attacker controls or takes over acurrently running process.
BufferOverflows
![Page 10: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/10.jpg)
April 15, 2008 Somesh Jha 10
ExampleExample
Expected input: \\hostname\path
BufferOverflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
process_request( “\\tux12\usr\foo.txt” ); OK
process_request( “\\aaabbbcccdddeeefffggghhh\bar” ); BAD
![Page 11: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/11.jpg)
April 15, 2008 Somesh Jha 11
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
![Page 12: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/12.jpg)
April 15, 2008 Somesh Jha 12
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
![Page 13: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/13.jpg)
April 15, 2008 Somesh Jha 13
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
arg: req
![Page 14: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/14.jpg)
April 15, 2008 Somesh Jha 14
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
arg: req
return address
frame pointer
![Page 15: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/15.jpg)
April 15, 2008 Somesh Jha 15
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
arg: req
return address
frame pointer
local: host
![Page 16: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/16.jpg)
April 15, 2008 Somesh Jha 16
A stack frame per procedure call.
Program StackProgram StackBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
strcpy()
arg: req
return address
frame pointer
local: pos
local: host
![Page 17: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/17.jpg)
April 15, 2008 Somesh Jha 17
Normal ExecutionNormal ExecutionBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
arg: req
return address
frame pointer
local: host
local: pos
process_request( “\\tux12\usr\foo.txt” );
![Page 18: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/18.jpg)
April 15, 2008 Somesh Jha 18
Normal ExecutionNormal ExecutionBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
arg: req
return address
frame pointer
7
local: host
process_request( “\\tux12\usr\foo.txt” );
local: post u x 1
2 \0
![Page 19: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/19.jpg)
April 15, 2008 Somesh Jha 19
Overflow ExecutionOverflow ExecutionBuffer
Overflows
void process_request( char * req ){ // Get hostname char host[ 20 ]; int pos = find_char( req, ‘\\’, 2 ); strcpy( host, substr( req, 2, pos – 1 ) );
...
return;}
main()
process_request()
arg: req
return address
frame pointer
32
local: host
process_request( “\\aaabbbcccdddeeefffggghhhiiijjj\bar” );
local: posa a a b
b b c c
c d d d
e e e f
f f g g
g
i i i j
h h h
j j \0
Characters that
overwrite the return
address.
![Page 20: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/20.jpg)
April 15, 2008 Somesh Jha 20
The attacker gets one chance to gain control.
Craft an input string such that:• The return address is overwritten with a
pointer to malicious code.• The malicious code is placed inside the
input string.
Smashing the StackSmashing the StackBuffer
Overflows
Malicious code can create a root shell by executing “/bin/sh”.
![Page 21: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/21.jpg)
April 15, 2008 Somesh Jha 21
Shell CodeShell Code
EB 17 5E 89 76 08 31 C0
88 46 07 89 46 0C B0 0B
89 F3 8D 4E 08 31 D2 CD
80 E8 E4 FF FF FF / b
i n / s h \0 arg 2
to code
arg 2 arg 1 pointer
BufferOverflows
Code for exec(“/bin/sh”):
mov edx, arg2mov ecx, arg1mov ebx, “/bin/sh”mov eax, 0Bhint 80h
Pointer value foroverwriting the return address.
![Page 22: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/22.jpg)
April 15, 2008 Somesh Jha 22
• Defense against stack-smashing attacks:– Bounds-checking. – Protection libraries.– Non-executable stack.
– setuid()/chroot().– Avoid running programs as root!– Address randomization.
– Behavioral monitoring.
Thicker ArmorThicker ArmorBuffer
Overflows
![Page 23: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/23.jpg)
April 15, 2008 Somesh Jha 23
More InfoMore Info
“Smashing the Stack for Fun and Profit”by Aleph One
StackGuard, RAD, PAX, ASLR
CERT
![Page 24: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/24.jpg)
April 15, 2008 Somesh Jha 24
Format String AttacksFormat String Attacks
• Another way to illegally control program values.
• Uses flaws in the design of printf():
printf( “%s: %d” , s, x );
FormatStrings
![Page 25: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/25.jpg)
April 15, 2008 Somesh Jha 25
printf()printf() Operation Operation
printf( “%s: %d, %x”,s, x, y );
FormatStrings
foo()
printf()
y
x
s
format string ptr
![Page 26: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/26.jpg)
April 15, 2008 Somesh Jha 26
Attack 1: Read Any Attack 1: Read Any ValueValue
What the code says:printf( str );
What the programmer meant:printf( “%s”, str );
If str = “%x%x%x%x%s”
FormatStrings
secret key ptr
format string ptr
![Page 27: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/27.jpg)
April 15, 2008 Somesh Jha 27
Attack 2: Write to Attack 2: Write to AddressAddress
What the code says:printf( str );
If str = “%x%x%x%x%n”
FormatStrings
return address
format string ptr
4
![Page 28: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/28.jpg)
April 15, 2008 Somesh Jha 28
DefensesDefenses
Never use printf() without a format string!
FormatGuard.
FormatStrings
![Page 29: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/29.jpg)
April 15, 2008 Somesh Jha 29
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies
![Page 30: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/30.jpg)
April 15, 2008 Somesh Jha 30
PiggybackingPiggybacking
Malicious code injected into a benign program or data file.
• Host file can be:– An executable.– A document with some executable
content(Word documents with macros, etc.).
![Page 31: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/31.jpg)
April 15, 2008 Somesh Jha 31
Piggybacking ExecutablesPiggybacking Executables
• Modify program on disk:
jmp evil_code
Variations:
• Jump to malicious code only on certain actions.
• Spread malicious code throughout program.
![Page 32: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/32.jpg)
April 15, 2008 Somesh Jha 32
Piggybacking DocumentsPiggybacking Documents
• Documents with macros:Microsoft Office supports documents with
macros scripted in Visual Basic (VBA).
• Macro triggered on:– Document open– Document close– Document save– Send document by email
![Page 33: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/33.jpg)
April 15, 2008 Somesh Jha 33
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies• Defenses
![Page 34: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/34.jpg)
April 15, 2008 Somesh Jha 34
PayloadPayload
Target the interesting data:
• Passwords
• Financial data
• User behavior
• User attention
Keylogger
Screen scraper
Spyware
Adware
![Page 35: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/35.jpg)
April 15, 2008 Somesh Jha 35
Keylogger UseKeylogger Use
![Page 36: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/36.jpg)
April 15, 2008 Somesh Jha 36
Screen Scraper UseScreen Scraper Use
![Page 37: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/37.jpg)
April 15, 2008 Somesh Jha 37
More Payload IdeasMore Payload Ideas
Victim machines are pawns in larger attack:
– Botnets.
– Distributed denial of service (DDoS).
– Spam proxies.
– Anonymous FTP sites.
– IRC servers.
![Page 38: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/38.jpg)
April 15, 2008 Somesh Jha 38
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies• Defenses
![Page 39: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/39.jpg)
April 15, 2008 Somesh Jha 39
Spreading MethodsSpreading Methods
Depends on the attack vector:Email-based
need email addresses
Vulnerability-based need IP addresses of hosts running the vulnerable service
Piggybacking need more files to infect
![Page 40: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/40.jpg)
April 15, 2008 Somesh Jha 40
Spreading through EmailSpreading through Email
MalwareInternet
HTML files (from cache)
Windows Address Book
Outlook Express folders
Outlook folders
![Page 41: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/41.jpg)
April 15, 2008 Somesh Jha 41
Vulnerable Target DiscoveryVulnerable Target Discovery
Need to find Internet (IP) addresses.
• Scanning:
• Target list:
• Passive: Contagion worms
RandomSequentialBandwidth-limited
Pre-generatedExternally-generated Metaserver wormsInternal target list Topological worms
![Page 42: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/42.jpg)
April 15, 2008 Somesh Jha 42
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies
![Page 43: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/43.jpg)
April 15, 2008 Somesh Jha 43
Types of Malicious CodeTypes of Malicious Code
• VirusSelf-replicating, infects programs and
documents.
e.g.: Chernobyl/CIH, Melissa, Elkern
• WormSelf-replicating, spreads across a network.
e.g.: ILoveYou, Code Red, B(e)agle, Witty
McGraw and Morrisett “Attacking malicious code: A report to the Infosec Research Council” Sept./Oct. 2000.
![Page 44: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/44.jpg)
April 15, 2008 Somesh Jha 44
Types of Malicious CodeTypes of Malicious Code
• Trojan– Malware hidden inside useful programs
e.g.: NoUpdate, KillAV, Bookmarker
• Backdoor– Tool allowing unauthorized remote access
e.g.: BackOrifice, SdBot, Subseven
![Page 45: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/45.jpg)
April 15, 2008 Somesh Jha 45
Types of Malicious CodeTypes of Malicious Code
• Spyware– Secretly monitors system activity
e.g.: ISpynow, KeyLoggerPro, Look2me
• Adware– Monitors user activity for advertising purposes
e.g.: WildTangent, Gator, BargainBuddy
![Page 46: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/46.jpg)
April 15, 2008 Somesh Jha 46
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies: Sobig
![Page 47: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/47.jpg)
April 15, 2008 Somesh Jha 47
The The SobigSobig Worm Worm
• Mass-mailing, network-aware worm• Multi-stage update capabilities
Launch Deactivation
Sobig.A 9 Jan. 2003 -
Sobig.B 18 May 2003 31 May 2003
Sobig.C 31 May 2003 8 June 2003
Sobig.D 18 June 2003 2 July 2003
Sobig.E 25 June 2003 14 July 2003
Sobig.F 18 Aug 2003 10 Sept 2003
![Page 48: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/48.jpg)
April 15, 2008 Somesh Jha 48
• Network shares
Sobig: Attack VectorSobig: Attack Vector
Subject:
[email protected]@[email protected]@yahoo.com
• Compressed executable attachment with renamed extension.
• Later: attachment in ZIP file.
![Page 49: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/49.jpg)
April 15, 2008 Somesh Jha 49
Sobig: PayloadSobig: Payload
Geocities web page
Trojan web server
• 1st stage:Backdoor (Lala)& keylogger
• 2nd stage:Proxy (WinGate)
![Page 50: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/50.jpg)
April 15, 2008 Somesh Jha 50
Sobig: PayloadSobig: Payload
...Hacked DSL/cable hosts
Trojan web server
1
22
![Page 51: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/51.jpg)
April 15, 2008 Somesh Jha 51
Sobig: Spreading AlgorithmSobig: Spreading Algorithm
• E-mail addresses extracted from files on disk.
• Network shares automatically discovered.
![Page 52: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/52.jpg)
April 15, 2008 Somesh Jha 52
Sobig.F in NumbersSobig.F in Numbers
August: 19 20 21 22 23
Court
esy
of
Mess
ageLa
bs.
com
![Page 53: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/53.jpg)
April 15, 2008 Somesh Jha 53
OutlineOutline
• Attack Vectors: Social Engineering Vulnerability Exploitation Piggybacking
• Payloads• Spreading Algorithms• Case Studies: Sobig, Blaster
![Page 54: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/54.jpg)
April 15, 2008 Somesh Jha 54
The The BlasterBlaster Worm Worm
• Multi-stage worm exploiting Windows vulnerability
2003: July August
16 17 25 31 11 13 15 17 19
Microsoft releases patch
LSD Research exploit released
CERT advisory
Blaster appears 1.2 million hosts infected
Metasploit refined exploit
FRB Atlanta, MD DMV, BMW
Scandinavian bank closes all 70 branches
![Page 55: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/55.jpg)
April 15, 2008 Somesh Jha 55
Blaster: Attack VectorBlaster: Attack Vector
• Uses a Microsoft Windows RPC DCOM vulnerability.
• Coding flaw:1. The RPC service passes part of the
request to function GetMachineName().2. GetMachineName() copies machine
name to a fixed 32-byte buffer.
![Page 56: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/56.jpg)
April 15, 2008 Somesh Jha 56
Blaster: Attack VectorBlaster: Attack Vector
Exploit 1
“tftp GET msblast.exe” 2
TFTPServer
“GET msblast.exe”3
4
“start msblast.exe” 5
![Page 57: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/57.jpg)
April 15, 2008 Somesh Jha 57
Blaster: PayloadBlaster: Payload
• Worm installs itself to start automatically.
• All infected hosts perform DDoS against windowsupdate.com .– SYN flood attack with spoofed source IP,
Aug 15 → Dec 31 andafter the 15th of all other months.
![Page 58: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/58.jpg)
April 15, 2008 Somesh Jha 58
Blaster: Effect on Local HostBlaster: Effect on Local Host
• RPC/DCOM disabled:– Inability to cut/paste.– Inability to move icons.– Add/Remove Programs list empty.– DLL errors in most Microsoft Office
programs.– Generally slow, or unresponsive system
performance.
![Page 59: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/59.jpg)
April 15, 2008 Somesh Jha 59
Blaster: Spreading Blaster: Spreading AlgorithmAlgorithm
• Build IP address list:40% chance to start with local IP address.60% chance to generate random IP
address.
• Probe 20 IPs at a time.
• Exploit type:80% Windows XP.20% Windows 2000.
![Page 60: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/60.jpg)
April 15, 2008 Somesh Jha 60
Blaster: Infection RateBlaster: Infection Rate
![Page 61: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/61.jpg)
April 15, 2008 Somesh Jha 73
Future Threat: Future Threat: SuperwormSuperworm
“Curious Yellow: the First Coordinated Worm Design” – Brandon Wiley
• Fast replication & adaptability:– Pre-scan the network for targets.– Worm instances communicate to
coordinate infection process.– Attack vectors can be updated.– Worm code mutates.
![Page 62: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/62.jpg)
April 15, 2008 Somesh Jha 74
New Infection Vector: WebNew Infection Vector: Web
• Drive-by-downloads (DBDs)• You go to a tainted web-page www.xyz.com• What it means for a web-page to be tainted?
– Compromised web-server– Sometimes banner ads have malicious content
• Browser vulnerabilities used to download executables (Trojans and rootkits) on your computer– Windows Metafile vulnerability (nice article in
Wikipedia)– Vulnerabilities in javascript
![Page 63: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/63.jpg)
April 15, 2008 Somesh Jha 75
Some statisticsSome statistics
• Source: All Your iFrames Point to Us, N. Provos and P. Mavrommatis (Google), M.A. Rajab and F. Monrose (Johns Hopkins), Usenix Security 2008
• 3 million URLS initiate drive-by-downloads
• 1.3% of the search queries to Google returned at least one URL that is malicious
• Multiple re-directions
![Page 64: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/64.jpg)
April 15, 2008 Somesh Jha 76
Email I ReceivedEmail I Received
Dear My Bank First United member! Our Technical Unit is carrying out an arranged Bankline software update By following the link below please launch the form of the client login approval:
http://www.mybanfirstunited-corporatesfinance.com/login.htm
These instructions are to be emailed and followed by all clients of the My Bank First United Personal and Commercial. (C) '08 My Bank First United Bankline Internet Banking.
![Page 65: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/65.jpg)
April 15, 2008 Somesh Jha 77
Recommended BookRecommended Book
Byron Acohido and Jon Swartz(available on Amazon)
![Page 66: Malicious Code for Fun and Profit Somesh Jha jha@cs.wisc.edu April 15, 2008.](https://reader035.fdocuments.net/reader035/viewer/2022062408/56649f155503460f94c2ae9c/html5/thumbnails/66.jpg)
April 15, 2008 Somesh Jha 78
ConclusionsConclusions
• Vulnerabilities left unpatched can and will be used against you.
• Attackers are more sophisticated.
• Need to understand the attackers’ perspective.