SLIDE 1
CIS-5373: 27.January.2020
1 Week 3
CIS-5373: 27.January.2020
2
- First homework is out!
- Check out the class webpage
- Due in two weeks from today, in class
Malware Week 3 1 CIS-5373: 27.January.2020 Announcement! First - - PowerPoint PPT Presentation
Malware Week 3 1 CIS-5373: 27.January.2020 Announcement! First - - PowerPoint PPT Presentation
Malware Week 3 1 CIS-5373: 27.January.2020 Announcement! First homework is out! Check out the class webpage Due in two weeks from today, in class 2 CIS-5373: 27.January.2020 In this lecture Viruses How they attach How
SLIDE 2
SLIDE 3
CIS-5373: 27.January.2020
3
- Viruses
- How they attach
- How they gain control
- Where they are stored
- Detection …
- Worms
- Web Bugs
- Trapdoors
- …
In this lecture
SLIDE 4
CIS-5373: 27.January.2020
4
- Hard to detect
- Not easily destroyed or deactivated
- Spreads widely
- Can re-infect home program/other programs
- Easy to create
- Machine/OS independent
Qualities of Virus
SLIDE 5
CIS-5373: 27.January.2020
5
How Viruses Invade
1. Virus is on CD
- When executed, the virus can
- Install on hard drive
- Attach to any executing program in memory
2. E-mail virus
- The attacker convince victim to open attachment
- Executable file
- Graphics, photos …
SLIDE 6
CIS-5373: 27.January.2020
6
How Viruses Attach
- Append to Program
- Surround Program
- Integrate into Program
- Overwrite Program
SLIDE 7
CIS-5373: 27.January.2020
7
Targeted Executable Virus Original Program Virus
Apending Virus
- Add to beginning of target
- First instruction of new program
Virus writer doesn’t need to know target program
SLIDE 8
CIS-5373: 27.January.2020
8
Targeted Executable Virus
Surrounding Virus
Virus B Original Program Virus A
- Add to beginning and end of target
- Control before and after target program
SLIDE 9
CIS-5373: 27.January.2020
9
Surrounding Virus - Example
- Prevent user from detecting virus
- Virus attaches to ls/dir command
- When ls/dir completes, virus takes control
- Eliminate entry from listing
- Distribute space among other programs to hide size
SLIDE 10
CIS-5373: 27.January.2020
10
Targeted Executable Virus Infected host Executable Virus
Integrated Virus
- Replace some of target
Virus writer needs to know target program
SLIDE 11
CIS-5373: 27.January.2020
11
Targeted Executable Virus
Virus Part 1 Virus Part 2 Virus Part n
Integrated Virus (cont’d)
SLIDE 12
CIS-5373: 27.January.2020
12
Targeted Executable Virus Virus
Overwriting Virus
- Replace entire target
- Mimick effect of target or
- Not – user likely to perceive virus
SLIDE 13
CIS-5373: 27.January.2020
13
- One-Time execution
- Boot sector
- Memory resident
Where Are Viruses Stored
SLIDE 14
CIS-5373: 27.January.2020
14
- One-Time execution
- Boot sector
- Memory resident
Where Are Viruses Stored
SLIDE 15
CIS-5373: 27.January.2020
15
- When computer starts
- Firmware determines hardware components
- Transfer control to OS
- OS stored on disk
- Bootstrap process:
- Firmware reads boot sector to a fixed address in mem
- Jump to that address
- Boot sector contains the bootloader
- Bootloader pulls the rest of the OS from disk
Boot Sector
SLIDE 16
CIS-5373: 27.January.2020
16
- Boot sector has 512 bytes
- Bootstrap loader size > 512 bytes
- Use chaining
Boot Sector
Bootstrap Loader
Hard Disk
Bstrap Ldr (bloc 2) Bstrap Ldr (bloc 3) Boot sector
SLIDE 17
CIS-5373: 27.January.2020
17
- The virus could be placed in any bootstrap sector
- But … boot sector particularly appealing
- Virus gains control right at the beginning
- Protection tools are not yet active
Placing Virus in Boot Sector
Virus Code
Hard Disk
Bstrap Ldr (bloc 2) Bstrap Ldr (bloc 3) Boot sector Bootstrap Loader
SLIDE 18
CIS-5373: 27.January.2020
18
- Changes label of infected disks to BRAIN
- From Pakistan (Believed)
- Sole purpose: to pass the infection
- Traps disk read interrupts
- Only interested in reads in the boot sector
- Believed to be proof-of-concept
- Many other variants, more efficient …
Example: The BRAIN Virus
SLIDE 19
CIS-5373: 27.January.2020
19
The BRAIN Virus Location
Boot sector BRAIN 1 Boot sector BRAIN 2 BRAIN 3 BRAIN 1-dup BRAIN 3-dup BRAIN 2-dup Before After … Marked as faulty Hard Drive
SLIDE 20
CIS-5373: 27.January.2020
20
The BRAIN Virus Infection
1. Locates in upper memory 2. System call to reset upper memory below it 3. Traps interrupt #19 (disk read) 4. Any disk read for boot sector returns content of hijacked sector Interrupt Address Table # 19 # 6 Memory To upper To lower
BRAIN
Reset Upper Memory Bound Code for interrupt 19
SLIDE 21
CIS-5373: 27.January.2020
21
- Virus cannot be completely invisible
- Code must be stored somewhere
- Code must be in memory to execute
- Executes according to a pattern
- Spreads using certain mechanisms
- Example: Code Red
Virus Detection: Signatures
Signature
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
SLIDE 22
CIS-5373: 27.January.2020
22
- Viruses
- Worms
- Web Bugs
- Trapdoors
- …
In this lecture
SLIDE 23
CIS-5373: 27.January.2020
23
- Reproducing programs that run independently
and travel across network connections.
- Unlike a simple virus, A worm can run
completely independently and spread of its own will through network connections.
What is a Worm
SLIDE 24
CIS-5373: 27.January.2020
24
- November 2nd 1988
- Internet Worm released
- Infected many computers
- Many more severed network connection
- Robert T. Morris Jr.
- $10,000 fine
- 3 year suspended jail sentence
- 400 hours community service
- Now with MIT
Example: The Internet Worm
SLIDE 25
CIS-5373: 27.January.2020
25
1. Determine where it could spread 2. Spread to new target 3. Remain undiscovered and undiscoverable
Intent of Internet Worm
SLIDE 26
CIS-5373: 27.January.2020
26
- Exploited three known vulnerabilities
1. Find user accounts to invade on target system
- Exploit password vulnerabilities
2. Fingerd: daemon which responds to queries about users
- Known buffer overflow vulnerability
- Give worm a remote shell
3. Sendmail trapdoor
- In debug mode, sendmail can execute input string
Determine Targets
SLIDE 27
CIS-5373: 27.January.2020
27
- Send a bootstrap loader to target machine
- 99 lines of C code
- Compile and execute on target machine
- Fetch rest of worm code from the sending system
- Element of good security
- Bootstrap loader required to provide password to
sending system
- If fail, sending system breaks connection
Spread Infection
SLIDE 28
CIS-5373: 27.January.2020
28
1. If transmission error occurs during worm fetch
- Bootstrap loader removes code and exits
2. Bring all worm code in memory
- Encrypt copy in memory
- Delete copy from disk
- Thus, the worm cannot easily be discovered
3. Periodic change of name and process id
- Avoid single process running a long time
Remain Undiscovered
SLIDE 29
CIS-5373: 27.January.2020
29
1. Resource exhaustion
- If target was already infected, don’t propagate
- Bug in code (): many copies did not terminate !
- Thus, serious performance degradation
2. Disconnection of machines from Internet
- To prevent copies from trying to propagate
- … or to prevent infection
3. Isolation and inability to perform work
- Estimated cost $100,000 - $97 million
- Thousands of systems were disconnected
Effect of Internet Worm
SLIDE 30
CIS-5373: 27.January.2020
30
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 31
CIS-5373: 27.January.2020
31
- Pixel tag, clear gif/one-by-one/invisible gif
- Part of a web page
- Invisible to user
- Track activities of the user
- Plants a cookie in your computer
Web Bugs
SLIDE 32
CIS-5373: 27.January.2020
32
- Set by web sites
- To push storage from web sites to user platform
- Have 6 fields
- (name, value, expiration, path to server, server domain,
SSL-req?)
- Used to remember values for subsequent usage
- (“visa credit card”, 1234 1234 1234 1234, …)
- (“user id”, carbunar, …)
- (“password”, ****, …)
- Used to build browsing profile
- (“visits for www.abc.com”, 10, …)
Cookies
SLIDE 33
CIS-5373: 27.January.2020
33
- Plant cookie on user computer to track web use
- Can be used for good or bad purposes
- How ?
- Can build a profile for the user containing
- Surfing habits
- Personal data: name, DOB, address, IP address, etc
Web Bugs (cont’d)
SLIDE 34
CIS-5373: 27.January.2020
34
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 35
CIS-5373: 27.January.2020
35
- Undocumented entry point to a software module
- For testing purposes
- For future updates
- For access in case of future failures
Trapdoors
SLIDE 36
CIS-5373: 27.January.2020
36
- Hidden trap door in Linux, Nov 2003
- Allows attacker to take over a computer
- Practically undetectable change
- Uncovered by anomaly in CVS usage
- Inserted line in wait4()
if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;
See: http://lwn.net/Articles/57135/
Trapdoor: Example
- Looks like a standard error check
- Anyone see the problem?
SLIDE 37
CIS-5373: 27.January.2020
37
- Rob Harris case - slot machines
- Insider: worked for Gaming Control Board
- Malicious code in testing unit
- When testers checked slot machines
- Downloaded malicious code to slot machine
- Was never detected
- Special sequence of coins activated “winning mode”
- Caught when greed sparked investigation
- $100,000 jackpot
Trapdoor: Example 2
SLIDE 38
CIS-5373: 27.January.2020
38
- Reason for persistence: developers
- Forget to remove them
- Leave them for testing
- Leave them for maintenance
- Leave them as covert means of access to component
Trapdoors (cont’d)
SLIDE 39
CIS-5373: 27.January.2020
39
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 40
CIS-5373: 27.January.2020
40
- Perform many inconsequential operations with
powerful final results
- Example 1 – bank interest
- Account has $102.87
- Interest rate is 6.5% per year
- After one month interest = 31/365 * 0.065 * 102.87 =
$0.5495726
- Round to 0.54 instead of 0.55: nobody notices !
- $0.0095726 goes into attacker’s account
- Example 2 – steal a few cents from each account
- Who checks balance ?
Salami Attack
SLIDE 41
CIS-5373: 27.January.2020
41
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 42
CIS-5373: 27.January.2020
42
- Virus variation
- Attempts to operate as root
- While staying undiscovered
- And attempting to reinstall itself if removed
- How to go undiscovered ?
- If the system call is ls or dir
1. Intercept system call result 2. Remove itself from the list 3. Adjust sizes of other files so free space seems legitimate
Rootkits
SLIDE 43
CIS-5373: 27.January.2020
43
- Prevents users from copying music CDs
- Allows them to play music
- Has its own music player
- Garbles the results of any other access to CD
- Installs with first insertion of CD
- Due to autorun feature of Microsoft
- To conceal existence, XCP
- Blocks display of any program starting with $sys$
- Including a virus called $sys$virus-1 …
Sony XCP Rootkit
SLIDE 44
CIS-5373: 27.January.2020
44
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 45
CIS-5373: 27.January.2020
45
- Assume malicious code has installed on your
account
- Can run processes with your capabilities
- Can access all your resources
- … But not other resources
- Attacker wants to run with superuser capabilities
- To access system resources
- Or other user’s resources
Privilege Escalation
SLIDE 46
CIS-5373: 27.January.2020
46
- Symantec: software security company
- Virus scanners, spam filters, system integrity tools …
- Has a Live Update feature
- Ensure you are running the latest version
- Periodic or manual invocation
- Runs with elevated privileges
- Installs programs in system directory
Privilege Escalation Example
SLIDE 47
CIS-5373: 27.January.2020
47
- Assume Live Update consists of two components
Example (cont’d)
LU1.exe Live Update component sys2.exe OS component Runs with elevated privileges !
Invokes
SLIDE 48
CIS-5373: 27.January.2020
48
- Search Path:
- Mechanism allowing OS to find program to execute
- E.g., Path = C:\program files\symantec (LU1.exe)
- OS uses first instance found in path
- User can specify the search path (add/remove)
Search Path
SLIDE 49
CIS-5373: 27.January.2020
49
1. Attacker has infected user account 2. Attacker creates its own sys2.exe version
- D:\Documents\sys2.exe
- Path = D:\Documents\::C:\program files\symantec
3. Launch Live Update
- When LU1 invokes sys2.exe
- The OS uses first sys2.exe instance in search path
- Which runs with elevated privileges
Privilege Escalation Attack
SLIDE 50
CIS-5373: 27.January.2020
50
- Viruses
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 51
CIS-5373: 27.January.2020
51
Keystroke Logging
Signal
Keyboard Device driver
Pass along
Key press
Log keys
Keylogger
Types of keyloggers
Independent – log of all keystrokes Tied to a certain app – log only keystrokes for banking app
Word processor
SLIDE 52
CIS-5373: 27.January.2020
52
- Viruses
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Ransomware
- Covert Channels
What do we cover
SLIDE 53
CIS-5373: 27.January.2020
53
- Malicious software
- Restricts access to computer or network and threatens to
delete data within allotted time unless ransom is paid
Ransomware
SLIDE 54
CIS-5373: 27.January.2020
54
WannaCry
SLIDE 55
CIS-5373: 27.January.2020
55
- EternalBlue exploit
- Affects various Windows operating systems from XP to
Windows 7 & Windows Server 2003 & 2008
- Inject shellcode into vulnerable systems
- Uses SMB (Server Message Block) port 445
- Transfer files between computers
- NSA discovered and Shadow Brokers leaked it (alleged)
Wannacry: Spreading
SLIDE 56
CIS-5373: 27.January.2020
56
- Has two master key pairs
- pkA, prA: attack keys
- pkD, prD : demo keys
- For each victim
- Generate key pair pkV, prV: victim keys
- Store pkV in 00000000.pky using CryptExportKey on victim
machine
- Store E(pkA, prV) in 00000000.eky on victim machine
Wannacry: Encrypting
SLIDE 57
CIS-5373: 27.January.2020
57
- For each file F on victim machine:
- Generate symmetric key K
- Encrypt F: E(K, F)
- Encrypt K:
- E(pkV, K): with victim public key or
- E(pkD, K): with demo key
- Replace F with E(K, F) along with encrypted file key
Wannacry: Encrypting (cont’d)
SLIDE 58
CIS-5373: 27.January.2020
58
- Prove to victim ability to decrypt some files
- For file F where it stored E(pkD, K) and E(K, F)
- D(prD, E(pkD, K)) = K
- D(K, E(K, F)) = F
Wannacry: Demo
SLIDE 59
CIS-5373: 27.January.2020
59
- Once the user pays ransom ($300 or $600) in Bitcoins
- For each file F where it stored E(pkA, K) and E(K, F)
- 1. D(prA, E(pkA, prV)) = prV
- 2. D(prV, E(pkV, K)) = K
- 3. D(K, E(K, F)) = F
Wannacry: Decrypting Files
SLIDE 60
CIS-5373: 27.January.2020
60
- Viruses
- Worms
- Web Bugs
- Trapdoors
- Salami Attack
- Rootkits
- Privilege Escalation
- Keystroke Logging
- Covert Channels
What do we cover
SLIDE 61
CIS-5373: 27.January.2020
61
- Attacker needs access to data
Covert Channels: The Problem
Data Trojan Horse Organization Attacker
Read data Signal data
Attacker cannot simply send the data (even encrypted) Why ?
SLIDE 62
CIS-5373: 27.January.2020
62
- Communicate information surreptitiously
- How ?
- Use existing communication channels to hide
information
- Example: cheating students
- One student knows the material
- Four types of answers: a, b, c, d
- Cough for a, yawn for b, …
- Problem !
- If student looses track, it may get the answer for wrong
question
Example
SLIDE 63
CIS-5373: 27.January.2020
63
- Modify existing communication in slight ways
- Assumes attacker and trojan horse share a code
- Example:
- Change header of file:
- Word TOTAL implies bit=0
- Word TOTALS implies bit=1
- Add spaces
- Modify last digit in insignificant field
- Use of . instead of :
Covert Channels: How To
SLIDE 64
CIS-5373: 27.January.2020
64
- Pass information using presence of absence of
- bjects in storage
- Assumes attacker and trojan horse
- Divide time into intervals
- Are time synchronized
Storage Channels
SLIDE 65
CIS-5373: 27.January.2020
65
- File lock channel
- Used to provide atomic operations on file
- Trojan and attacker share a file
- In each interval
- If bit=1 then trojan locks the file
- Attacker tries to access file. If fail, bit=1
- Disk quota
- If bit=1, trojan creates large file, otherwise does nothing
- Attacker tries to create file; if not able, bit=1
Storage Channels: Example
SLIDE 66
CIS-5373: 27.January.2020
66
- Trojan
- bit = 1 enter computation intensive loop
- bit = 0 go to sleep
- Attacker
- perform a task with known computational requirements
- if completed quickly then bit = 0 otherwise bit = 1
Computing (CPU-Based) Channel
SLIDE 67
CIS-5373: 27.January.2020
67
- Malicious code – Malware
- What attackers can do with vulnerabilities
- Many other attacks- the list is by far incomplete
- Why a problem
- Good code is hard to write
- Patching vulnerabilities is error prone
- Not everyone does it
- Cat-and-mouse game between attackers and defense