Malicious Code for Fun and Profit - PowerPoint PPT Presentation


SLIDE 1

Malicious Code for Fun and Profit

Mihai Christodorescu
mihai@cs.wisc.edu
23 March 2006

SLIDE 2

23 March 2006 Mihai Christodorescu 2

What is Malicious Code?

Viruses, worms, trojans, … Code that breaks your security policy.

Characteristics:
  • Attack vector
  • Payload
  • Spreading algorithm

SLIDE 3

Outline

  • Attack Vectors
  • Payloads
  • Spreading Algorithms
  • Case Studies

SLIDE 4

Attack Vectors

  • Social engineering: “Make them want to run it.”
  • Vulnerability exploitation: “Force your way into the system.”
  • Piggybacking: “Make it run when other programs run.”

SLIDE 5

Social Engineering

  • Suggest to the user that the executable is:
    – A game.
    – A desirable picture/movie.
    – An important document.
    – A security update from Microsoft.
    – A security update from the IT department.
  • Spoofing the sender helps.
SLIDE 6

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

SLIDE 7

Vulnerability Exploitation

  • Make use of flaws in software input handling.
  • Sample techniques:
    – Buffer overflow attacks.
    – Format string attacks.
    – Return-to-libc attacks.
    – SQL injection attacks.

SLIDE 8

Buffer Overflows: Basic Principles

A buffer overflow occurs when data is stored past the boundaries of an array or a string. The additional data overwrites nearby program variables. Result: the attacker controls or takes over a currently running process.

SLIDE 9

Buffer Overflows: Example

Expected input: \\hostname\path

    void process_request(char *req)
    {
        // Get hostname
        char host[20];
        int pos = find_char(req, '\\', 2);
        strcpy(host, substr(req, 2, pos - 1));
        ...
        return;
    }

    process_request("\\tux12\usr\foo.txt");            ⇒ OK
    process_request("\\aaabbbcccdddeeefffggghhh\bar");  ⇒ BAD

SLIDES 10-15

Buffer Overflows: Program Stack

A stack frame per procedure call.

    void process_request(char *req)
    {
        // Get hostname
        char host[20];
        int pos = find_char(req, '\\', 2);
        strcpy(host, substr(req, 2, pos - 1));
        ...
        return;
    }

Call chain: main() → process_request() → strcpy()

The process_request() frame is built up as the call proceeds. From higher to lower addresses it holds:

    arg: req
    return address
    frame pointer
    local: host
    local: pos

SLIDES 16-17

Buffer Overflows: Normal Execution

    process_request("\\tux12\usr\foo.txt");

Call chain: main() → process_request()

Frame contents after strcpy(): pos = 7, host = "tux12\0"; the frame pointer and the return address are intact.

SLIDE 18

Buffer Overflows: Overflow Execution

    process_request("\\aaabbbcccdddeeefffggghhhiiijjj\bar");

Call chain: main() → process_request()

Frame contents after strcpy(): pos = 32, and host receives "aaabbbcccdddeeefffggghhhiiijjj\0". That is 31 bytes written into a 20-byte buffer: the copy runs past host, over pos and the frame pointer, and the trailing characters overwrite the return address.

SLIDE 19

Buffer Overflows: Smashing the Stack

The attacker gets one chance to gain control. Craft an input string such that:
  • The return address is overwritten with a pointer to malicious code.
  • The malicious code is placed inside the input string.

Malicious code can create a root shell by executing “/bin/sh”.

SLIDE 20

Buffer Overflows: Shell Code

Code for exec(“/bin/sh”) (Linux x86: ebx = address of the “/bin/sh” string, ecx = arg 1 = argv pointer, edx = arg 2 = envp pointer, eax = 0Bh = the execve system call number):

    mov edx, arg2
    mov ecx, arg1
    mov ebx, "/bin/sh"
    mov eax, 0Bh
    int 80h

Layout of the injected string: the code, then the bytes “/bin/sh\0”, arg 1 and arg 2, and finally the pointer value (pointing back to the code) used for overwriting the return address.

[hex dump of the shellcode bytes]

SLIDE 21

Buffer Overflows: Thicker Armor

  • Defense against stack-smashing attacks:
    – Bounds-checking.
    – Protection libraries.
    – Non-executable stack.
    – setuid()/chroot().
    – Avoid running programs as root!
    – Address randomization.
    – Behavioral monitoring.
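The overflow on slides 9-18 and the first defense listed above (bounds-checking), as an added worked example that is not part of the presentation. To keep it deterministic, the slides' process_request() is rewritten to copy into a struct that models the 32-bit stack frame drawn on slides 10-15 (host, pos, saved frame pointer, return address) instead of onto the real stack; find_char() with a start index, the sentinel addresses, locate_host() and the unsafe/safe function names are assumptions made for the example:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the process_request() frame from the slides on a 32-bit machine,
 * low to high address: the 20-byte host buffer, the local pos, the saved
 * frame pointer, then the return address (32 bytes, no padding).
 * The copy into host is redirected into this struct, so the overflow lands
 * on the modelled frame rather than the real one (which would be UB).
 */
typedef struct {
    char     host[20];
    int      pos;
    uint32_t saved_fp;
    uint32_t ret_addr;
} frame_t;

#define RET_ADDR_SENTINEL  0x08048abcu   /* stand-in for main()'s return address (assumed) */
#define FRAME_PTR_SENTINEL 0xbffff0f0u   /* stand-in for main()'s frame pointer (assumed) */

/* The slides' find_char(): index of the first c in s at or after start, or -1. */
static int find_char(const char *s, char c, int start) {
    for (int i = start; s[i] != '\0'; i++)
        if (s[i] == c) return i;
    return -1;
}

static void frame_init(frame_t *f) {
    memset(f, 0, sizeof *f);
    f->saved_fp = FRAME_PTR_SENTINEL;
    f->ret_addr = RET_ADDR_SENTINEL;
}

/* A request must look like \\host\path; returns the index of the backslash
 * that ends the host name (the slides' pos), or -1. */
static int locate_host(const char *req) {
    if (req[0] != '\\' || req[1] != '\\') return -1;
    return find_char(req, '\\', 2);
}

/*
 * The slides' vulnerable logic: strcpy(host, substr(req, 2, pos - 1)) with
 * no check of the host name length against sizeof host.
 * Returns 0 when the request parsed (a successful overflow included),
 * -1 if it is malformed or would run off the end of the modelled frame.
 */
static int process_request_unsafe(frame_t *f, const char *req) {
    int pos = locate_host(req);
    if (pos < 0) return -1;
    f->pos = pos;
    size_t n = (size_t)pos - 2;                                  /* host name length */
    if (n + 1 > sizeof *f - offsetof(frame_t, host)) return -1;  /* stay inside the model */
    unsigned char *dst = (unsigned char *)f + offsetof(frame_t, host);
    memcpy(dst, req + 2, n);                                     /* the bug: n is unbounded */
    dst[n] = '\0';
    return 0;
}

/* Hardened version: refuse any host name that does not fit with its NUL. */
static int process_request_safe(frame_t *f, const char *req) {
    int pos = locate_host(req);
    if (pos < 0) return -1;
    size_t n = (size_t)pos - 2;
    if (n >= sizeof f->host) return -1;                          /* would overflow */
    f->pos = pos;
    memcpy(f->host, req + 2, n);
    f->host[n] = '\0';
    return 0;
}

int main(void) {
    frame_t f;

    frame_init(&f);
    process_request_unsafe(&f, "\\\\tux12\\usr\\foo.txt");
    printf("normal:   host=%s pos=%d ret=0x%08x\n", f.host, f.pos, (unsigned)f.ret_addr);

    frame_init(&f);
    process_request_unsafe(&f, "\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar");
    printf("overflow: pos=0x%08x fp=0x%08x ret=0x%08x\n",
           (unsigned)f.pos, (unsigned)f.saved_fp, (unsigned)f.ret_addr);

    frame_init(&f);
    int rc = process_request_safe(&f, "\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar");
    printf("hardened: rc=%d ret=0x%08x\n", rc, (unsigned)f.ret_addr);
    return 0;
}
```

With the slide's 30-character host name the 31 copied bytes (name plus NUL) spill 11 bytes past host: pos and the saved frame pointer are replaced by "ghhh" and "iiij", and the low bytes of the return address by 'j', 'j', NUL (on a little-endian machine the sentinel 0x08048abc becomes 0x08006a6a). The hardened version never touches the frame for that input and returns -1; the only difference is the single length comparison before the copy.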

SLIDE 22

More Info

  • “Smashing the Stack for Fun and Profit” by Aleph One
  • StackGuard, RAD, PAX, ASLR
  • CERT

SLIDE 23

Format Strings: Format String Attacks

  • Another way to illegally control program values.
  • Uses flaws in the design of printf():

    printf("%s: %d", s, x);

SLIDE 24

Format Strings: printf() Operation

    printf("%s: %d, %x", s, x, y);

Stack at the call (foo() calls printf()), from the top of printf()'s frame: format string ptr, s, x, y. printf() walks the format string and pulls one argument off the stack for every conversion it meets; nothing tells it how many arguments the caller actually pushed.

SLIDE 25

Format Strings: Attack 1, Read Any Value

What the code says:          printf(str);
What the programmer meant:   printf("%s", str);

If str = "%x%x%x%x%s": each %x pops and prints one word of the stack above the format string pointer; the %s then takes the next word (in the slide's diagram, a pointer to a secret key) as a string pointer and prints whatever it points to.

SLIDE 26

Format Strings: Attack 2, Write to Address

What the code says:          printf(str);

If str = "%x%x%x%x%n": the four %x conversions walk past four words of the stack; %n then writes the number of characters printed so far (4 in the slide's diagram) to the address held in the next word, which in the diagram is a return address.

SLIDE 27

Format Strings: Defenses

  • Never use printf() without a format string!
  • FormatGuard.
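An added example, not from the slides: a small audit of a printf-style format that counts the arguments it would consume and flags %n. Comparing that count with what the call site supplied is the idea behind FormatGuard-style checking (this is an independent sketch, not FormatGuard's code); for printf(str) with an attacker-controlled str the supplied count is zero, so any conversion at all is an error. audit_format() and format_is_safe() are names chosen for the example, and positional conversions (%1$s) are out of scope:

```c
#include <stdbool.h>
#include <string.h>

typedef struct {
    int  args_consumed;  /* variadic arguments the format will pull off the stack */
    bool has_n;          /* %n: printf() writes a count through a pointer argument */
    bool has_s;          /* %s: printf() dereferences a pointer argument */
} fmt_audit_t;

/*
 * Walk a printf-style format and count what it would consume.
 * Handles the %% escape, flags, '*' width and precision (each of which
 * consumes an int argument itself) and the length modifiers hh h l ll j z t L.
 * The guards on '\0' matter: strchr("...", '\0') is non-NULL.
 */
static fmt_audit_t audit_format(const char *fmt) {
    fmt_audit_t a = { 0, false, false };
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                          /* literal percent sign */
        while (*p != '\0' && strchr("-+ #0", *p)) p++;    /* flags */
        if (*p == '*') { a.args_consumed++; p++; }        /* width taken from an argument */
        while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {
            p++;
            if (*p == '*') { a.args_consumed++; p++; }    /* precision taken from an argument */
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p != '\0' && strchr("hlLjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                            /* truncated conversion at end */
        a.args_consumed++;                                /* the conversion itself */
        if (*p == 'n') a.has_n = true;
        if (*p == 's') a.has_s = true;
    }
    return a;
}

/*
 * A format is acceptable only if it never writes (%n) and reads no more
 * arguments than the call site supplied. printf(str) supplies zero.
 */
static bool format_is_safe(const char *fmt, int nargs_supplied) {
    fmt_audit_t a = audit_format(fmt);
    return !a.has_n && a.args_consumed <= nargs_supplied;
}
```

The slide's own strings come out as expected: "%s: %d" consumes two arguments, the read attack "%x%x%x%x%s" consumes five and dereferences, and the write attack "%x%x%x%x%n" consumes five and writes. The check is a safety net for code that already exists; the fix on the slide, printf("%s", str), removes the problem entirely and is what new code should do.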

SLIDE 28

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

SLIDE 29

Piggybacking

Malicious code injected into a benign program or data file.

  • Host file can be:
    – An executable.
    – A document with some executable content (Word documents with macros, etc.).

SLIDES 30-33

Piggybacking Executables

  • Modify the program on disk: the malicious code is appended to the program and a jmp evil_code is patched in, so that control passes to the injected code when the program runs.

Variations:
  • Jump to malicious code only on certain actions.
  • Spread malicious code throughout the program.

SLIDE 34

Piggybacking Documents

  • Documents with macros: Microsoft Office supports documents with macros scripted in Visual Basic (VBA).
  • Macro triggered on:
    – Document open
    – Document close
    – Document save
    – Send document by email

SLIDE 35

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies
  • Defenses

SLIDE 36

Payload

Target the interesting data:
  • Passwords       → Keylogger
  • Financial data  → Screen scraper
  • User behavior   → Spyware
  • User attention  → Adware

SLIDE 37

Keylogger Use

SLIDE 38

Screen Scraper Use

SLIDE 39

More Payload Ideas

Victim machines are pawns in a larger attack:
  – Botnets.
  – Distributed denial of service (DDoS).
  – Spam proxies.
  – Anonymous FTP sites.
  – IRC servers.

SLIDE 40

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies
  • Defenses

SLIDE 41

Spreading Methods

Depends on the attack vector:
  • Email-based ⇒ need email addresses
  • Vulnerability-based ⇒ need IP addresses of hosts running the vulnerable service
  • Piggybacking ⇒ need more files to infect

SLIDE 42

Spreading through Email

The malware harvests addresses from local sources and mails itself out to the Internet. Sources shown:
  • HTML files (from the browser cache)
  • Windows Address Book
  • Outlook Express folders
  • Outlook folders

SLIDE 43

Vulnerable Target Discovery

Need to find Internet (IP) addresses.
  • Scanning: random, sequential, bandwidth-limited.
  • Target list: pre-generated; externally generated ⇒ metaserver worms; internal target list ⇒ topological worms.
  • Passive: contagion worms.

SLIDE 44

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

SLIDE 45

Types of Malicious Code

  • Virus: self-replicating, infects programs and documents.
    e.g.: Chernobyl/CIH, Melissa, Elkern
  • Worm: self-replicating, spreads across a network.
    e.g.: ILoveYou, Code Red, B(e)agle, Witty

McGraw and Morrisett, “Attacking Malicious Code: A Report to the Infosec Research Council”, IEEE Software, Sept./Oct. 2000.

SLIDE 46

Types of Malicious Code

  • Trojan: malware hidden inside useful programs.
    e.g.: NoUpdate, KillAV, Bookmarker
  • Backdoor: tool allowing unauthorized remote access.
    e.g.: BackOrifice, SdBot, Subseven

SLIDE 47

Types of Malicious Code

  • Spyware: secretly monitors system activity.
    e.g.: ISpynow, KeyLoggerPro, Look2me
  • Adware: monitors user activity for advertising purposes.
    e.g.: WildTangent, Gator, BargainBuddy

SLIDE 48

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies: Sobig

SLIDE 49

The Sobig Worm

  • Mass-mailing, network-aware worm
  • Multi-stage update capabilities

Variant   Launch         Deactivation
Sobig.A   9 Jan 2003     
Sobig.B   18 May 2003    31 May 2003
Sobig.C   31 May 2003    8 June 2003
Sobig.D   18 June 2003   2 July 2003
Sobig.E   25 June 2003   14 July 2003
Sobig.F   18 Aug 2003    10 Sept 2003

SLIDE 50

Sobig: Attack Vector

  • E-mail
  • Network shares

Spoofed From: addresses used in the mails (with matching Subject: lines): big@boss.com, support@microsoft.com, bill@microsoft.com, admin@support.com, support@yahoo.com.

  • Compressed executable attachment with renamed extension.
  • Later: attachment in ZIP file.

SLIDES 51-52

Sobig: Payload

Infected hosts fetch their later stages through a Geocities web page that points at a Trojan web server, itself hosted on hacked DSL/cable hosts.
  • 1st stage: backdoor (Lala) & keylogger
  • 2nd stage: proxy (WinGate)

SLIDE 53

Sobig: Spreading Algorithm

  • E-mail addresses extracted from files on disk.
  • Network shares automatically discovered.

SLIDE 54

Sobig.F in Numbers

[Chart of Sobig.F message volume, 19-23 August 2003. Courtesy of MessageLabs.com]

SLIDE 55

Outline

  • Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies: Sobig, Blaster

SLIDE 56

The Blaster Worm

  • Multi-stage worm exploiting a Windows vulnerability

Timeline (the slide's marks: 16, 25, 31 July and 11, 13, 15, 17, 19 August 2003), with the events in the order shown:
  – Microsoft releases patch
  – LSD Research exploit released
  – CERT advisory
  – Blaster appears
  – 1.2 million hosts infected
  – Metasploit refined exploit
  – FRB Atlanta, MD DMV, BMW
  – Scandinavian bank closes all 70 branches

SLIDE 57

Blaster: Attack Vector

  • Uses a Microsoft Windows RPC DCOM vulnerability.
  • Coding flaw:
    1. The RPC service passes part of the request to the function GetMachineName().
    2. GetMachineName() copies the machine name to a fixed 32-byte buffer.

SLIDES 58-62

Blaster: Attack Vector

Infection sequence between an infected host and its victim:
  1. Exploit (the RPC DCOM overflow) sent to the victim.
  2. The victim is told: “tftp GET msblast.exe”.
  3. The victim requests “GET msblast.exe” from the TFTP server on the infected host.
  4. msblast.exe is transferred to the victim.
  5. The victim is told: “start msblast.exe”.

SLIDE 63

Blaster: Payload

  • Worm installs itself to start automatically.
  • All infected hosts perform a DDoS against windowsupdate.com.
    – SYN flood attack with spoofed source IP, 15 Aug → 31 Dec, and after the 15th of all other months.

SLIDE 64

Blaster: Effect on Local Host

  • RPC/DCOM disabled:
    – Inability to cut/paste.
    – Inability to move icons.
    – Add/Remove Programs list empty.
    – DLL errors in most Microsoft Office programs.
    – Generally slow or unresponsive system performance.

SLIDE 65

Blaster: Spreading Algorithm

  • Build IP address list:
    – 40% chance to start with the local IP address.
    – 60% chance to generate a random IP address.
  • Probe 20 IPs at a time.
  • Exploit type:
    – 80% Windows XP.
    – 20% Windows 2000.
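A detection-side counterpart to the spreading algorithm above, added here and not part of the presentation: given connection attempts in a constructed "SRC DST DPORT" record form, it flags a source that reached at least 20 distinct 135/tcp targets (the batch size on the slide) in a sequential run of ten or more addresses, which is what the 40% "start from the local address" branch looks like from the network. The record format, the sample traffic, the thresholds and the function names are assumptions of the example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_LEN       48
#define MAX_LINES      256
#define MAX_SRC        32
#define MAX_DST        256
#define RPC_PORT       135u   /* the service Blaster exploits */
#define SCAN_MIN_DSTS  20     /* Blaster probes 20 addresses per round (slide) */
#define SCAN_MIN_RUN   10     /* ...walking them sequentially; threshold assumed */

typedef struct { uint32_t src; uint32_t dst[MAX_DST]; int ndst; } src_stats_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* One record per connection attempt: "SRC DST DPORT" (constructed format). */
static bool parse_line(const char *line, uint32_t *src, uint32_t *dst, unsigned *port) {
    unsigned s[4], d[4];
    if (sscanf(line, "%u.%u.%u.%u %u.%u.%u.%u %u",
               &s[0], &s[1], &s[2], &s[3], &d[0], &d[1], &d[2], &d[3], port) != 9)
        return false;
    for (int i = 0; i < 4; i++)
        if (s[i] > 255 || d[i] > 255) return false;
    *src = ip4(s[0], s[1], s[2], s[3]);
    *dst = ip4(d[0], d[1], d[2], d[3]);
    return true;
}

static int cmp_u32(const void *a, const void *b) {
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Longest run of consecutive addresses in a sorted, de-duplicated list. */
static int longest_run(const uint32_t *v, int n) {
    if (n == 0) return 0;
    int best = 1, cur = 1;
    for (int i = 1; i < n; i++) {
        cur = (v[i] == v[i - 1] + 1) ? cur + 1 : 1;
        if (cur > best) best = cur;
    }
    return best;
}

/* Group 135/tcp attempts by source and flag sources whose distinct targets
 * form a long sequential sweep. Returns the number of entries in flagged[]. */
static int detect_scanners(char lines[][LINE_LEN], int nlines, uint32_t *flagged, int max_flagged) {
    static src_stats_t st[MAX_SRC];
    int nsrc = 0;
    for (int i = 0; i < nlines; i++) {
        uint32_t s, d; unsigned port;
        if (!parse_line(lines[i], &s, &d, &port) || port != RPC_PORT) continue;
        int k = 0;
        while (k < nsrc && st[k].src != s) k++;
        if (k == nsrc) {
            if (nsrc == MAX_SRC) continue;             /* table full: drop the record */
            st[nsrc].src = s; st[nsrc].ndst = 0; nsrc++;
        }
        int j = 0;                                     /* de-duplicate targets */
        while (j < st[k].ndst && st[k].dst[j] != d) j++;
        if (j == st[k].ndst && st[k].ndst < MAX_DST) st[k].dst[st[k].ndst++] = d;
    }
    int nflag = 0;
    for (int k = 0; k < nsrc && nflag < max_flagged; k++) {
        qsort(st[k].dst, (size_t)st[k].ndst, sizeof st[k].dst[0], cmp_u32);
        if (st[k].ndst >= SCAN_MIN_DSTS && longest_run(st[k].dst, st[k].ndst) >= SCAN_MIN_RUN)
            flagged[nflag++] = st[k].src;
    }
    return nflag;
}

/* Constructed sample: 10.1.2.3 sweeps its own /24 on 135; 10.1.2.50 is ordinary. */
static int build_sample(char lines[][LINE_LEN]) {
    int n = 0;
    for (unsigned h = 0; h < 20; h++)
        snprintf(lines[n++], LINE_LEN, "10.1.2.3 10.1.2.%u 135", h);
    snprintf(lines[n++], LINE_LEN, "10.1.2.3 10.1.2.5 135");   /* retry of a target seen already */
    snprintf(lines[n++], LINE_LEN, "10.1.2.50 10.1.2.7 445");
    snprintf(lines[n++], LINE_LEN, "10.1.2.50 10.1.2.8 135");
    snprintf(lines[n++], LINE_LEN, "10.1.2.50 10.1.5.9 135");
    return n;
}

int main(void) {
    static char lines[MAX_LINES][LINE_LEN];
    uint32_t flagged[MAX_SRC];
    int n = build_sample(lines);
    int nf = detect_scanners(lines, n, flagged, MAX_SRC);
    for (int i = 0; i < nf; i++)
        printf("sequential 135/tcp sweep from %u.%u.%u.%u\n", (unsigned)(flagged[i] >> 24),
               (unsigned)((flagged[i] >> 16) & 255u), (unsigned)((flagged[i] >> 8) & 255u),
               (unsigned)(flagged[i] & 255u));
    return 0;
}
```

Only the sweeping host is reported; the ordinary host talks to two 135/tcp peers and a file server and stays under both thresholds. The 60% random branch from the slide does not produce sequential runs, so a deployment would pair this rule with a plain distinct-target count per source on 135/tcp.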

SLIDE 66

Blaster: Infection Rate

SLIDE 67

Future Threat: Superworm

“Curious Yellow: the First Coordinated Worm Design” – Brandon Wiley

  • Fast replication & adaptability:
    – Pre-scan the network for targets.
    – Worm instances communicate to coordinate the infection process.
    – Attack vectors can be updated.
    – Worm code mutates.

SLIDE 68

Conclusions

  • Vulnerabilities left unpatched can and will be used against you.
  • Attackers are more sophisticated.
  • Need to understand the attackers’ perspective.

SLIDE 69

Malicious Code for Fun and Profit

Mihai Christodorescu
mihai@cs.wisc.edu
23 March 2006