Malicious Software (long version) Nicolas T. Courtois - University College London.

Malicious Software(long version)

Nicolas T. Courtois - University College London

CompSec Malware

Nicolas T. Courtois, December 20092

Sources of Problems

CompSec Malware


Technology FailuresSecurity as an afterthought.• Programming developed with absence of

security. • C/C++ is unsafe (Microsoft is currently blacklisting big chunks of standard C, could have

happened 10 years ago).

• Security/cryptography research developed with obsession with security. Both never met.

• Windows developed first, – networking developed later…

• Structural defects in the OS design – lack of multi-layer defense strategy [Unix not

better]

CompSec Malware


+ Failures In Operation• Over-privileged users

– Windows 98: all users can modify system files and system memory

– Unix – over-powerful root, >21 critical capabilities in one entity

• Over-privileged code– code executed by a user to access all rights of that user– Windows Vista: worse than that: built-in privilege escalation:

• if name contains setup, will run with many admin-level capabilities

CompSec Malware


Human Cognitive Failures• Mystified:

– security issues are probably always exaggerated and distorted, one way or another (downplayed OR exaggerated, Ross Anderson: “hypertrophy” of security

– Also a huge demand, but both don’t meet to frequently).

• Lack of people that would defend the public interest+ corruption of the scientific establishment by + corruption of the scientific establishment by

special interestsspecial interests……

CompSec Malware


Market Failures

• Economics/Business: – many things just don’t matter at all!– customers do not see => do not care about

security• “market for lemons”

– externalities, cost shifting• losses affect many “small” people that don’t react…

– people will not even switch to another software… – unable to defend themselves– 1 billion x very small loss

• usability: user burden, businesses don’t care

CompSec Malware


**Why So Bad?

“[…] Why do so many vulnerabilities exist in the first place?[…]”

Cf. Ross Anderson, Tyler Moore et al:

1. “The Economics of Information Security”In Science, October 2006.

2. “Security Economics and the Internal Market”: public report for ENISA (European Network and Information Security Agency), March 2008.

CompSec Malware


***Why Commercial Security Fails?

Claim: the link between “money” and security is frequently broken today: – Security is a public good. • “private” incentives are weak.

– Worse than “market for lemons”:• not only that the customer cannot see the

difference between good security and bad.

– Frequently the manufacturer cannot either.

Too frequently security remains something that money cannot buy.

CompSec Malware


**Questions:Schneier: http://www.schneier.com/essay-005.html“History has taught us: never underestimate the amount of money, time, and effort someone

will expend to thwart a security system.

No valid economical argument…. Social phenomenon [hacking].

Courtois: Why is it so that today:• 90 % of energy nowadays goes into hacking.• 10 % to research and development of secure products…Don’t believe it? • Check out: hacking the iPhone, Microsoft XBOX, etc etc…

• people work for free, • governments or private employers sponsor them willingly or

unwillingly,• press presents hackers as heroes• etc…

CompSec Malware


Explosion of Known Vulnerabilities

What about the unknown ones?

0

1000

2000

3000

4000

5000

6000

1995 1997 1999 2001 2003 2005

http://www.cert.org/stats/

CompSec Malware


Taxonomy of Malicious Software

CompSec Malware


Vectors of Infection

infects a host program


independent executable code


MaliciousCode

MaliciousCode

masquerades as a “Normal” Program


embedded in a host program

embedded in a host program Kernel-levelKernel-level

infects OS Bootinfects OS Boot

CompSec Malware


Software-Borne Threats





MaliciousCode

MaliciousCode






Trapdoors / Backdoors

Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan HorsesVirusesViruses WormsWorms ZombiesZombies

main function: replicating itself

RootkitsRootkits

CompSec Malware


Infection + Payload





MaliciousCode

MaliciousCode







Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan HorsesVirusesViruses WormsWorms ZombiesZombies


RootkitsRootkits

Stealing dataStealing dataHarmfulHarmful

payload functionality:download /install

more malware

download /install more malwareKey LoggersKey Loggers DDOS/ BotsDDOS/ Bots DialersDialers CPU cyclesCPU cycles

CompSec Malware


Also, May Be Not Intentional?


Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan Horses



VirusesViruses WormsWorms ZombiesZombies

independent unwanted exe


MaliciousCode

MaliciousCode


RootkitsRootkits





Exploitable Features / Bugs


Kernel-levelKernel-level


aside: not intentional = malicious exploit / code injected later

but: how do you know if not intentional?

payload functionality:

Stealing dataStealing dataHarmfulHarmful download /install more malware

download /install more malwareKey LoggersKey Loggers DDOS/ BotsDDOS/ Bots DialersDialers CPU cyclesCPU cycles

CompSec Malware


More “Grayware” = Dual-Use Code

with some legitimacy

DubiousAnti-virus

DubiousAnti-virus

TrackwareTrackware



AdwareAdwareFalse

AcceleratorsGames for Children

False AcceleratorsGames for Children

Browser Hijackers

Browser Hijackers



MaliciousCode

MaliciousCode

DRM RootkitsDRM Rootkits







Kernel-levelKernel-level


intentional or not, very dangerous!

False Worm Removal tools

False Worm Removal tools

SpywareSpyware

DubiousFirewalls

DubiousFirewalls

Code Updates

Code Updates

Dubious Multi-Boot

Dubious Multi-Boot

Remote AccessServers

Remote AccessServers

Joke programs

Joke programs

IrritatingBehaviour

IrritatingBehaviour

Registry Scanners

Registry Scanners

CompSec Malware


Crimeware

Malware vs. Crimeware:

1. same infection methods, 2. different goals,

more specific forms of payload, automation of crime, malware as illegal business venture:

Example: Keyloggers and Spyware but tailored for stealing passwords

and credit card numbers

CompSec Malware


****Cryptography: Disruptive Technology for ****Cryptography: Disruptive Technology for CrimeCrime

Example: – Extortion: encrypt data, ask for $$$.

– Impossible without public key cryptography…• which is VERY difficult to make…

as difficult as going to the moon, >30 years of research, 100s of researchers…

CompSec Malware


Detailed Definitions

CompSec Malware


Hidden Mechanisms Embedded in Original Software

CompSec Malware


Trapdoor, BackdoorHidden function that can be used to circumvent

normal security. A hidden entry point into a system.– also, can be a hidden feature leaking some data…

(backdoor).

• Examples:– Special user id or special password

– Special instruction / option / keyboard sequence

– Etc…

• Commonly used by developers• “insecurity by obscurity”

• hard to distinguish legitimate reasons (testing, debugging, circumventing some bug, jokes and Easter Eggs) from intentional security compromise

• beware: can be included in a compiler as well… – source code will not help then…

– Rice Theorem : source code will not always help…

this way

CompSec Malware


Electronic SubversionPrograms can conceal an intentional subversive functionality:

– a bug, backdoor, covert channel

Mitigation measures [Schneier-Shostack’99]: • fewer security perimeter splits:

– there is and optimal number, splits impair operation and will be circumvented, too many points of failure…

• more transparency. – but secrecy is here to stay.

• 100 % open source == utopia and a fallacy.

The hidden powers of crypto developers are particularly dangerous: • large scale compromise and undetected for years• impossibility to prove intentionality: perfect crime• sometimes impossibility to prove fraud, no forensic traces whatsoever

if one updates a simple component remotely…

CompSec Malware


Application Development ManagementGoals:• Avoid backdoors, Trojans, covert channels, bugs

etc.• Kleptography: techniques to leak keys to the

attacker,

• form of perfect crime.

There are various forms of leaking keys:• intentionality impossible to prove• intentionality provable

ONLY with source code

CompSec Malware


Logic Bomb

• A malicious feature that will be activated when certain conditions are met

• e.g., presence/absence of some file; • particular date/time • particular user

• when triggered, typically will do some harm– modify/corrupt/delete files/OS, etc.

CompSec Malware


Trojan Horse

• Program has an overt (expected) and covert (malicious and unexpected) effect such that– works / appears to be a normal program,– covert effect violates the given security policy

• User is tricked into executing a Trojan– does the usual (overt) job– covert effect is performed with user’s

rights/authorization level.

CompSec Malware


Virusology

CompSec Malware


VirusesIn biology, a virus is a piece of

DNA/RNA+some proteins.• once present in the cell, it will

force the cell to produce copies of itself.– not a living creature, cannot

survive alone.– antibiotics have no effect on antibiotics have no effect on

virusesviruses

Computer Virus: term coined in 1984 by prof. Leonard Adleman

(A from RSA).

CompSec Malware


Viruses – Main types1. Add-On Virus = Appending Virus2. Shell Virus (nothing to do with Unix shell)3. Intrusive Virus

=> most viruses

CompSec Malware


Common Features of Viruses• no overt action

• tries to remain totally invisible

• self-replicates• potentially unlimited spread• can have some predefined

strategy and predefined targets

CompSec Malware


PayloadPayload: frequently a virus

performs additional malicious actions

• except “zero payload” viruses

• just harmful actions• execute / download

additional code

CompSec Malware


Virus Life Cycle Elements• Dormant phase: idle• Propagation phase• Triggering phase: the virus is

activated to:• Execution phase: perform the

payload functions

CompSec Malware


Add-On Virus = Appending Virus• attaches itself to (any)

other exe program (host program)– typically 200-4000 bytes

• operates when infected exe file is executed

CompSec Malware


Shell Virusambiguous misleading name: • little to do with Unix shell• “wrapping around” a given

program or system call• the original program can be

even copied and stored elsewhere = Companion Virus

• example: p.com and p.exe

• the infected program becomes a subroutine of the virus code

• controls, hijacks and isolates the given program/routine completely

CompSec Malware


Intrusive VirusDoes not append,

rather modifies the program itself and changes the functionality of this program.

Cannot be removed if we don’t have the original copy…

CompSec Malware


Viruses by Medium of Infection• Exe file infectors• Boot infectors

• hard drive boothard drive boot• master boot record (MBR)master boot record (MBR)• OS loader hijackOS loader hijack

• CDROM autorun hijackersCDROM autorun hijackers• USB stick autorun hijackersUSB stick autorun hijackers

• Half way before system starts: Half way before system starts: • OS libraries hijack (e.g. some dll loaded early)OS libraries hijack (e.g. some dll loaded early)• driver hijackersdriver hijackers

• Data file infectors• Macro VirusesMacro Viruses• format string exploits (not called viruses)format string exploits (not called viruses)

=> most viruses

CompSec Malware


Viruses by Medium of Infection• Exe file infectors• Boot infectors

• hard drive boot• master boot record (MBR), OS indep• OS loader hijack, 1 partition

• CDROM autorun hijackers• USB stick autorun hijackers

• Half way before system starts: • OS libraries hijack (e.g. some dll loaded early)• driver hijackers

• Data file infectors• Macro Viruses• format string exploits (not called viruses)

load before any anti-virus software

CompSec Malware


Additional Infection Mechanisms

• Terminate and Stay Resident = TSR– since MS-DOS..– stays active in memory after application

exits– can then infect other targets, for example

•can trap OS calls that execute any program…

CompSec Malware


Virus Defenses

More about this later.

Oldest methods:• Black-list:

– signature-based detection.• Track changes to executables:

– Tripwire, hash functions, MACs etc…

CompSec Malware


Virus Self-Defense

“Stealth” Viruses – avoid detection• conceal code:

– Pack/compress/encrypt virus– Polymorphism

• constantly change virus code • conceal actions

• mimicry: imitate other programs• associated rootkit prevents detection• watchdog program• disable or disturb anti-virus software• remove itself after job done, such as creating 2

copies elsewhere

CompSec Malware


Macro Viruses

• infected a data file (e.g. word)– relies on macros interpreted by some

application• application-dependent• can be OS-independent

– Example: Microsoft Word: MAC and Windows

CompSec Malware


Independent / “More Sophisticated Forms of Life”

CompSec Malware


*Bacteria

Bacteria: simple functionality, program that replicates until it fills all disk space, all memory, all CPU cycles

CompSec Malware


Worms

• introduced by Shoch and Hupp in 1982.• runs independently,

– no host program– infects a host machine– propagates in a network

• a fully working version of itself copied to another host machine

• spreads totally without human intervention virus

CompSec Malware


more wormsA worm has two main components:• an exploit

– usually exploits web servers • or other exposed “DMZ-style” components

• a “payload” of hidden tasks– backdoors, spam relays, DDoS agents, etc.

Life cycle phases:probing exploitation replication running the payload

CompSec Malware


Zombie Network = Botnet

• Secretly takes over another networked computer by exploiting software flaws

• Connect the compromised computers into a zombie network or botnet = – a collection of compromised machines

• running programs such as worms, Trojan horses, or backdoors,

• under a common command and control infrastructure.

• Uses it to indirectly launch attacks– e.g., spamming, phishing , DDoS, password cracking

etc.

• very frequently sold or rented, – about 0.05 $ / host / week

CompSec Malware


Rootkits

• Software used after system compromise to:– Hide the attacker’s presence– Provide backdoors for easy reentry

• Simple rootkits:– Modify user programs (ls, ps)– Modify a compiler – Detectable by tools like Tripwire (stores hashes of files).

• Sophisticated rootkits:

– Modify the kernel itself– Hard to detect from userland

CompSec Malware


Rootkit Classification (1)

Traditional RootKit

Kernel

Trojan

login

Trojan

ps

Trojan

ifconfig

good

tripwire

Application-level Rootkit

Kernel

Evil Program

good

program

good

program

good

program

good

program

Hxdef, NTIllusion Lrk5, t0rn

Tripwire: detected! - maybe not detected

CompSec Malware


Rootkit Classification (2)

Under-Kernel RootKit

Kernel

good

login

good

ps

good

ifconfig

good

tripwire

Evil VMM

SubVirt, ``Blue Pill’’

Kernel-level RootKit

Kernel

good

login

good

ps

good

ifconfig

good

tripwire

Trojan

Kernel Module

Shadow Walker, adore

CompSec Malware


What’s Going On?

CompSec Malware


Is My PC Infected?

• Swedish large scale study

CompSec Malware


Another Study

PCs infected [source: Trend Micro]

CompSec Malware


According to experts:

• Today’s malware is designed to remain undetected for months.– do not get famous, get rich!– zero-day malware

CompSec Malware


Our Focus

In CompSec1 we spend more time on worms than any other malware? Why?

• Viruses and Trojans require some human actions, such as sharing a USB stick, clicking on web sites, opening ;doc email attachments etc. – spread is slow.

• Worms don’t require human presence.– Spread is MUCH faster

Moreover worms do hack/break into computers, viruses and Trojans they use legitimate access channels and just abuse these privileges.

CompSec Malware


Famous Historical Worms - Unix

CompSec Malware


Morris Worm (first major network attack)

• Released November 1988– spreading on Digital and Sun workstations – exploited several Unix security vulnerabilities

• Consequences– no immediate damage– replication

• load on network, • load on CPUs

– many systems were shut down • fearing damage (only later people found it was not

harmful)

CompSec Malware


***Morris - Author

Robert T. Morris, released it November 1988

• His father, another Robert Morris was – a cryptologist and code-breaker (broke codes for the FBI), – worked for the NSA “National Computer Security Center”, – wrote a book about UNIX Operating System Security (1984).

CompSec Malware


Morris Worm– program to spread worm

• looks for other machines that could be infected, several methods used: 'netstat -r -n‘, /etc/hosts,

• when worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts

– vector program (99 lines of C) • re-compiled and run on the infected machines

CompSec Malware


Three ways the worm spread

• Sendmail– exploited debug option in sendmail to allow

shell access

• Fingerd– exploited a buffer overflow in the fgets

function

• Remote shell– reading list of trusted hosts known to local OS– password cracking

CompSec Malware


*sendmail• Worm used debug feature

– opens TCP connection to machine's SMTP port

– invokes debug mode– sends a RCPT TO that pipes data through

shell– shell script retrieves worm main program

• places 40-line C program in temporary file called x$$,l1.c where $$ is current process ID

• compiles and executes this program• opens socket to machine that sent script• retrieves worm main program, compiles it and runs

CompSec Malware


*fingerd

• written in C and runs continuously• Array bounds attack

– Fingerd expects an input string – Worm writes long string to internal 512-byte

buffer

• Attack string – Includes machine instructions– Overwrites return address– Invokes a remote shell – Executes privileged commands

CompSec Malware


*remote shell

• Unix trust information– /etc/host.equiv – system wide trusted hosts file– /.rhosts and ~/.rhosts – users’ trusted hosts file

• Worm exploited this information – assumed reciprocal trust: maybe Y trusts X as

well..

• Password cracking• worm was running as daemon (not root) so needed to

break into accounts to use .rhosts feature• read /etc/passwd, used 400 common password

strings & local dictionary to do a dictionary attack

CompSec Malware


Not so bad…• Morris worm did not:

– delete system's files, – modify user files, – install Trojans, – make any other use of cracked passwords

• e.g. record or re-transmit elsewhere

– it never took superuser privileges…

CompSec Malware


Detecting Morris Internet Worm

• Files– Strange files appeared in infected systems– Strange log messages for certain programs

• System load– Infection generates a number of processes– Password cracking uses lots of resources– Systems were reinfected => number of processes

grew and systems became overloaded• Apparently not intended by worm’s creator

Thousands of systems were shut down

CompSec Malware


Famous Windows Worms

CompSec Malware


Increasing propagation speed

• Code Red, July 2001– fascinating story, see Brad Karp slides

• Released AFTER Microsoft released the patch• affecting like 500 000 hosts in hours

• SQL Slammer, January 2003– See Brad Karp too.

• vulnerable population infected in less than 10 minutes• its growth was limited… by the speed of the Internet

Remark: both exploited an already known and already patched buffer overflow vulnerability!

CompSec Malware


Nimda worm• Spreads via 5 methods to Windows PCs and

servers– e-mails itself as an attachment (every 10 days)

• runs once viewed in preview plane (due to bugs in IE)

– scans for and infects vulnerable MS IIS servers• exploits various IIS directory traversal vulnerabilities

– copies itself to shared disk drives on networked PCs – appends JavaScript code to Web pages

• surfers pick up worm when they view the page.

– scans for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms

CompSec Malware


Nimda worm

• Nimda worm also– enables the sharing of the c: drive as C$ – creates a "Guest" account on Windows NT and

2000 systems – adds this account to the "Administrator" group.

CompSec Malware


Cost of worm attacks

• Morris worm, November 1988– Infected approximately 6,000 machines

• was 10% of all computers connected to the Internet!

– cost ~ $10 million in downtime and cleanup

• Code Red worm, July 16 2001– Direct descendant of Morris’ worm– Infected more than 500,000 servers– Caused ~ $2.6 Billion in damages,

• Love Bug worm: May 3, 2000, $8.75 billion

Statistics: Computer Economics Inc., Carlsbad, California

CompSec Malware


Malware Defences

CompSec Malware


Virus Defenses

Today’s “anti-virus software”:Just a name. Virus + firewall + etc…Defends against all sorts of malware.

classical viruses are only about 5% nowadays…

CompSec Malware


Tips

• do not execute programs obtained by email

• maybe do not install any new software– ???

• very few software companies can be trusted to care about their customers,

– lack of liability, lack of legal obligations, culture of irresponsibility, need to renew products range etc etc…

– do they even understand how secure is their own software?

CompSec Malware


Automated Virus Defenses

White list: accept only trusted digitally signed programs. Examples: Nokia Symbian software Microsoft: OS updates, drivers, anti-virus

Prevalent methods in PCs:• Black-list, signature-based detection.• Networks firewalls• control application calls and IPC• monitor and prevent “privileged” system calls,

e.g. registry modification, plug-ins install etc.• track changes to executables (hash/MAC/sign)

CompSec Malware


Network Defences

CompSec Malware


Internet-Wide Defences

Cyberspace: • a new dimension of national defense.• a critical infrastructure

Goal: monitor the Internet at a larger scale, detect anomalies.

CompSec Malware


*Traditional Military Doctrine• Each country has 3 frontiers:

• land• sea• air, space

as a consequence they have 3 armies.

Now, we have a new frontier, the digital frontier. Shouldn’t we have a fourth army?• It would be totally useless and waste of money?

• Arguably less than the 3 above (better technical education for young people).

CompSec Malware


Network Telescopes

Monitor traffic arriving at large sizeable regions of Internet address space. Reveals, e.g.,:– “Backscatter”

= responses to randomly source-spoofed DDoS attacks

– Worms’ random scanning of IP addresses– Attackers randomly scanning for a particular

port, servers running a particular service, etc…

Examples:– LBNL: 1/215 of Internet address space– UCSD/Univ. Wisconsin: covers 1/28.

CompSec Malware


Internet Intrusion Detection Systems = IDS

Malicious Software (long version) Nicolas T. Courtois - University College London.

Documents

Transcript of Malicious Software (long version) Nicolas T. Courtois - University College London.