CSE543 Computer and Network Security Module: Malware - Professor Trent Jaeger - PowerPoint PPT Presentation


SLIDE 1

CSE543 - Introduction to Computer and Network Security Page

CSE543 Computer and Network Security Module: Malware

Professor Trent Jaeger

SLIDE 2

CMPSC443 - Introduction to Computer and Network Security Page

Malware

  • Adversaries aim to get code running on your computer that performs tasks of their choosing
  • This code is often called malware
  • Two main challenges for adversaries
  • How do they trick you into getting their malware onto your computer?
  • How do they get their malware to run?
  • Other practical concerns of malware distribution
  • Spread malware to as many systems as possible
  • Hide malware execution
  • Make malware difficult to remove

SLIDE 3

Viruses

  • A virus is an attack that modifies programs on your host
  • Approach
  • 1. Download a program …
  • 2. Run the program …
  • 3. Searches for binaries and other code (firmware, boot sector) that it can modify …
  • 4. Modifies these programs by adding code that the program will run
  • What can an adversary do with this ability?

SLIDE 4

Viruses

  • How does it work?
  • Modify the file executable format

SLIDE 5

Viruses

  • How does it work?
  • Modify the file executable format
  • What types of modifications?
  • Overwrite the “entry point”
  • Add code anywhere and change “address of entry point”

  • Add a new section header
  • Patch into a section
  • Add jump instruction to exploit
  • All these were well known by 90s
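Turning the list of modifications above into a defender's check, as an added example that is not part of the slides: the script parses the PE header fields those modifications touch (e_lfanew, AddressOfEntryPoint, the section table) and flags an entry point that lies outside every section, in a non-executable section, in a writable-and-executable section, or in the last section rather than the first code section. build_pe and check_entry_point are names chosen here, and the images they work on are constructed header skeletons, not real executables.

```python
import struct

EXECUTE, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE
SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_rva, sections):
    """Constructed PE32 header skeleton (DOS header, PE signature, COFF header,
    optional header without data directories, section table). Enough for the
    checker below; it is not a loadable executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                  # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    table = b"".join(struct.pack(SECTION_FMT, name, size, va, size, 0, 0, 0, 0, 0, chars)
                     for name, va, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def check_entry_point(image):
    """Locate the section containing AddressOfEntryPoint and return
    (section name or None, list of heuristic findings)."""
    pe = struct.unpack_from("<I", image, 60)[0]           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        return None, ["missing PE signature"]
    nsec = struct.unpack_from("<H", image, pe + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", image, pe + 40)[0]   # AddressOfEntryPoint
    secs = [struct.unpack_from(SECTION_FMT, image, pe + 24 + opt_size + 40 * i)
            for i in range(nsec)]
    hit, findings = None, []
    for idx, s in enumerate(secs):
        name, vsize, va, chars = s[0].rstrip(b"\0").decode(), s[1], s[2], s[9]
        if not va <= entry < va + vsize:
            continue
        hit = name
        if not chars & EXECUTE:
            findings.append(f"entry point in non-executable section {name}")
        if chars & WRITE and chars & EXECUTE:
            findings.append(f"entry section {name} is writable and executable")
        if idx == len(secs) - 1 and idx > 0:   # heuristic: code appended as a new last section
            findings.append(f"entry point in last section {name}, not the first code section")
    if hit is None:
        findings.append("entry point outside every section")
    return hit, findings
```

The same parsing is what a scanner does on a real file; the heuristics here are deliberately simple and produce false positives on packed binaries, which is why they are a triage signal rather than a verdict.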

SLIDE 6

PE Format Header

SLIDE 7

Virus Infection

  • Keeping with the virus analogy, getting a virus to run on a computer system is called infecting the system

  • How can an adversary infect another’s computer?

SLIDE 8

Virus Infection

  • Keeping with the virus analogy, getting a virus to run on a computer system is called infecting the system
  • How can an adversary infect another’s computer?
  • Tricking users into downloading their malware
  • Need to also trick the user into running the malware
  • Exploiting a vulnerable program to inject code
  • By exploiting a running process, the malware can run directly

SLIDE 9

An Easier Way

  • Don’t really need to modify existing executable to download and run code on a remote computer
  • Since the mid-90s systems have provided methods for you to get a remote system to run your code
  • First, email attachments, then client-side scripts
  • Enabled by phishing attacks (more later)
  • In general, the idea is to get the user to run your code (in email or via web link)
  • Either run directly
  • Or exploit a vulnerability in the platform (e.g., browser)

SLIDE 10

Worms

  • A worm is a self-propagating program.
  • As relevant to this discussion
  • 1. Exploits some vulnerability on a target host …
  • 2. (often) embeds itself into a host …
  • 3. Searches for other vulnerable hosts …
  • 4. Goto (1)
  • Q: Why do we care?

SLIDE 11

The Danger

  • What makes worms so dangerous is that infection grows at an exponential rate
  • A simple model:
  • s (search) is the time it takes to find a vulnerable host
  • i (infect) is the time it takes to infect a host
  • Assume that t=0 is the worm outbreak; the number of hosts infected at t=j is

2^(j/(s+i))

  • For example, if (s+i = 1), what is it at time j=32?
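Working the slide's question in code, as an added example that is not part of the deck: infected() is the slide's formula, time_to_reach() inverts it, and finite_pool() adds an assumption the slide does not make (a finite pool of N vulnerable hosts found by random scanning) to show where the pure exponential stops holding.

```python
import math

def infected(j, s, i):
    """Hosts infected at time j under the slide's model: 2^(j/(s+i)).
    With s+i = 1 and j = 32 this is 2^32, a little over 4.29 billion."""
    return 2 ** (j / (s + i))

def time_to_reach(n, s, i):
    """Invert the model: the time at which the predicted count first reaches n."""
    return math.log2(n) * (s + i)

def finite_pool(n_vulnerable, s, i, t_end, start=1):
    """Added assumption beyond the slide: only n_vulnerable hosts exist and
    scanning picks targets at random. Every (s+i) each infected host finds one
    candidate, which is a new victim only if it is not already infected, so the
    doubling slows as the pool fills. Returns [(t, infected_count), ...]."""
    now, t, history = float(start), 0.0, [(0.0, float(start))]
    while t < t_end and now < n_vulnerable:
        t += s + i
        new = now * (1 - now / n_vulnerable)   # fraction of hits that are still uninfected
        now = min(float(n_vulnerable), now + new)
        history.append((t, now))
    return history

if __name__ == "__main__":
    print(infected(32, 0.5, 0.5))                  # the slide's question
    print(time_to_reach(2 ** 32, 0.5, 0.5))
    for t, n in finite_pool(1000, 0.5, 0.5, 20):
        print(f"t={t:5.1f}  infected={n:8.1f}")
```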

SLIDE 12

The result

[Chart: number of infected hosts versus time; y-axis runs from 500,000,000 to 5,000,000,000]

SLIDE 13

The Morris Worm

  • Robert Morris, a 23-year-old doctoral student from Cornell
  • Wrote a small (99 line) program
  • Launched on November 3rd, 1988
  • Simply disabled the Internet
  • How it did it
  • Exploited a buffer overflow in the “finger” daemon
  • Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that can be accessed without passwords
  • Read /etc/passwd to perform password cracking
  • Scanned local interfaces for network information
  • Covered its tracks (set its own process name to sh, prevented accurate cores, re-forked itself)

SLIDE 14

Code Red

  • Exploited a Microsoft IIS web-server vulnerability
  • A vanilla buffer overflow (allows adversary to run code)
  • Scans for vulnerabilities over random IP addresses
  • Sometimes would deface the served website
  • July 16th, 2001 - outbreak
  • CRv1- contained bad randomness (fixed IPs searched)
  • CRv2 - fixed the randomness,
  • added DDOS of www.whitehouse.gov
  • Turned itself off and on (spread 1st-19th of month, attack 20-27th, dormant 28-31st)

  • August 4 - Code Red II
  • Different code base, same exploit
  • Added local scanning (biased randomness to local IPs)
  • Killed itself in October of 2001

SLIDE 15

Worms and infection

  • The effectiveness of a worm is determined by how good it is at identifying vulnerable machines
  • Morris used local information at the host
  • Code Red used what?
  • Multi-vector worms use lots of ways to infect
  • E.g., network, email, drive by downloads, etc.
  • Others’ backdoors… - another worm, Nimda did this
  • Lots of scanning strategies
  • Signpost scanning (using local information, e.g., Morris)
  • Random IP - good, but wastes a lot of time scanning “dark” or unreachable addresses (e.g., Code Red)

  • Permutation scanning - instance is given part of IP space
  • What is the fastest way to infect as many machines as possible?

SLIDE 16

Other scanning strategies

  • The doomsday worm: a flash worm
  • Create a hit list of all vulnerable hosts
  • Staniford et al. argue this is feasible
  • Would contain a 48MB list
  • Do the infect and split approach
  • Use a zero-day vulnerability
  • Result: saturate the Internet in less than 30 seconds!

SLIDE 17

Worms: Defense Strategies

  • (Network) Packet Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor
  • This is the dominant method, sophisticated
  • (Network) Heterogeneity: use more than one vendor for your networks
  • (Host) Patch Your Systems (auto): most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches)
  • Network and Host Intrusion Detection Systems (more later)

[Diagram: a Shield sits between the Network Traffic, the Network Interface, and the Operating System]

SLIDE 18

Modern Malware

  • Now malware has a whole other level of sophistication
  • Now we speak of …
  • Advanced Persistent Malware

SLIDE 19

Advanced

  • More like a software engineering approach
  • Growing demand for “reliable” malware
  • Want malware to feed into existing criminal enterprise
  • Online - criminals use online banking too
  • Malware ecosystem
  • Measuring Pay-per-Install: The Commoditization of Malware Distribution, USENIX 2011

  • Tool kits
  • Sharing of exploit materials
  • Combine multiple attack methodologies
  • Not hard to find DIY kits for malware

SLIDE 20

Malware Lifecycle

SLIDE 21

Persistent

  • Malware writers are focused on specific task
  • Criminals willing to wait for gratification
  • Cyberwarfare
  • Low-and-slow
  • Can exfiltrate secrets at a slow rate, especially if you don't need them right away

  • Plus can often evade or disable defenses

SLIDE 22

Threat

  • Coordinated effort to complete objective
  • Not just for kicks anymore
  • Well-funded
  • There is money to be made
  • … At least that is the perception

SLIDE 23

Threat

  • PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX 2012

| Product | GlavMed Orders | GlavMed Revenue | SpamIt Orders | SpamIt Revenue | RX-Promotion Orders | RX-Promotion Revenue |
|---|---|---|---|---|---|---|
| ED and Related | 580K (73%) | $55M (75%) | 670K (79%) | $70M (82%) | 58K (72%) | $5.3M (51%) |
| Viagra | 300K (38%) | $28M (38%) | 290K (34%) | $31M (36%) | 33K (41%) | $2.7M (27%) |
| Cialis | 180K (23%) | $19M (26%) | 190K (22%) | $23M (27%) | 18K (22%) | $1.9M (19%) |
| Combo Packs | 49K (6.1%) | $3.9M (5.4%) | 110K (14%) | $8.4M (9.8%) | 5100 (6.4%) | $350K (3.4%) |
| Levitra | 32K (4.1%) | $3.2M (4.4%) | 35K (4.2%) | $3.9M (4.5%) | 1200 (1.5%) | $150K (1.5%) |
| Abuse Potential | 48K (6.1%) | $4.5M (6.1%) | 64K (7.6%) | $6.2M (7.3%) | 11K (14%) | $3.3M (32%) |
| Painkillers | 29K (3.7%) | $2.4M (3.3%) | 53K (6.3%) | $4.7M (5.5%) | 10K (13%) | $3.0M (29%) |
| Opiates | — | — | — | — | 8000 (10%) | $2.7M (26%) |
| Soma/Ultram/Tramadol | 20K (2.5%) | $1.8M (2.4%) | 46K (5.5%) | $4.1M (4.8%) | 1000 (1.3%) | $150K (1.5%) |
| Chronic Conditions | 120K (15%) | $9.5M (13%) | 64K (7.6%) | $5.2M (6.1%) | 8500 (11%) | $1.3M (13%) |
| Mental Health | 23K (2.9%) | $2.1M (2.9%) | 16K (1.9%) | $1.4M (1.7%) | 6000 (7.4%) | $1.1M (11%) |
| Antibiotics | 25K (3.2%) | $2.1M (2.9%) | 16K (1.9%) | $1.4M (1.6%) | 1300 (1.6%) | $97K (0.9%) |
| Heart and Related | 12K (1.5%) | $770K (1.1%) | 9700 (1.2%) | $630K (0.7%) | 390 (0.5%) | $35K (0.3%) |
| Uncategorized | 48K (6.0%) | $4.0M (5.5%) | 47K (5.6%) | $3.9M (4.6%) | 2400 (3.0%) | $430K (4.2%) |

Table 2: Product popularity in each of the three programs. In the original, product groupings and categories (ED and Related, Abuse Potential, Painkillers, Chronic Conditions) are in italics; individual brands are without italics. Opiates are a further subcategory of Painkillers, and include Oxycodone, Hydrocodone, Vicodin, and Percocet.

SLIDE 24

Example: Sirefef

  • Windows malware - Trojan to install rootkit
  • See http://antivirus.about.com/od/virusdescriptions/a/What-Is-Sirefef-Malware.htm

  • Attack: “Sirefef gives attackers full access to your system”
  • Runs as a Trojan software update (GoogleUpdate)
  • Runs on each boot by setting a Windows registry entry
  • Some versions replace device drivers
  • Downloads code to run a P2P communication
  • Steal software keys and crack password for software piracy
  • Downloads other files to propagate the attack to other computers

SLIDE 25

Example: Sirefef

  • Windows malware - Trojan to install rootkit
  • See http://antivirus.about.com/od/virusdescriptions/a/What-Is-Sirefef-Malware.htm
  • Stealth: “while using stealth techniques in order to hide its presence”
  • “altering the internal processes of an operating system so that your antivirus and anti-spyware can't detect it.”

  • Disable: Windows firewall, Windows defender
  • Changes: Browser settings
  • Join bot
  • Microsoft: “This list is incomplete”

SLIDE 26

Example: Stuxnet

  • Symantec’s slides

Real world example: Stuxnet Worm

SLIDE 27

Example: Stuxnet

  • Symantec’s slides

Stuxnet: Overview

  • June 2010: A worm targeting Siemens WinCC industrial control system.
  • Targets high speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran)
  • Only when the controllers are running at 807Hz to 1210Hz. Makes the frequency of those controllers vary from 1410Hz to 2Hz to 1064Hz.
  • http://en.wikipedia.org/wiki/Stuxnet

SLIDE 28

Example: Stuxnet

  • Symantec’s slides

Timeline

  • 2009 June: Earliest Stuxnet seen
    – Does not have signed drivers
  • 2010 Jan: Stuxnet driver signed
    – With a valid certificate belonging to Realtek Semiconductors
  • 2010 June: Virusblokada reports W32.Stuxnet
    – Verisign revokes Realtek certificate
  • 2010 July: Anti-virus vendor Eset identifies new Stuxnet driver
    – With a valid certificate belonging to JMicron Technology Corp
  • 2010 July: Siemens report they are investigating malware SCADA systems
    – Verisign revokes JMicron certificate

SLIDE 29

Example: Stuxnet

  • Symantec’s slides

Possible Attack Scenario (Conjecture)

  • Reconnaissance
    – Each PLC is configured in a unique manner
    – Targeted ICS’s schematics needed
    – Design docs stolen by an insider?
    – Retrieved by an early version of Stuxnet
    – Stuxnet developed with the goal of sabotaging a specific set of ICS.
  • Development
    – Mirrored development Environment needed
      • ICS Hardware
      • PLC modules
      • PLC development software
    – Estimation
      • 6+ man-years by an experienced and well funded development team

SLIDE 30

Example: Stuxnet

  • Symantec’s slides

Attack Scenario (2)

  • The malicious binaries need to be signed to avoid suspicion
    – Two digital certificates were compromised.
    – High probability that the digital certificates/keys were stolen from the companies premises.
    – Realtek and JMicron are in close proximity.
  • Initial Infection
    – Stuxnet needed to be introduced to the targeted environment
      • Insider
      • Third party, such as a contractor
    – Delivery method
      • USB drive
      • Windows Maintenance Laptop
      • Targeted email attack

SLIDE 31

Example: Stuxnet

  • Symantec’s slides

Attack Scenario (3)

  • Infection Spread
    – Look for Windows computer that program the PLC’s
      • The Field PG are typically not networked
      • Spread the Infection on computers on the local LAN
    – Zero-day vulnerabilities
    – Two-year old vulnerability
    – Spread to all available USB drives
    – When a USB drive is connected to the Field PG, the Infection jumps to the Field PG
  • The “airgap” is thus breached

SLIDE 32

Example: Stuxnet

  • Symantec’s slides

Attack Scenario (4)

  • Target Infection
    – Look for Specific PLC
      • Running Step 7 Operating System
    – Change PLC code
      • Sabotage system
      • Hide modifications
    – Command and Control may not be possible
      • Due to the “airgap”
      • Functionality already embedded

SLIDE 33

Take Away

  • Malware is now very functional and effective
  • Tools for building and hiding malware from detection
  • Malware can be difficult to notice, much less detect and remove
  • Malware leverages multiple vulnerabilities to escalate privileges and disable defenses
  • Getting code running on the host enables control of host
  • And there are lots of ways to download code to hosts
  • What is the nature of the vulnerabilities? Next time
