10 Malware

This document discusses malware propagation methods. It describes how malware can spread through email by sending copies of itself attached to messages, often using social engineering techniques. The document also provides an example of a malicious domain used to distribute malware that redirects users to download a file. Malware authors register domains related to topics like Valentine's Day cards to trick recipients into clicking links and downloading infected files.


Malware

CS155 Spring 2009

Elie Bursztein

Welcome to the zoo

What malware are
How do they infect hosts
How do they hide
How do they propagate
Zoo visit !
How to detect them
Worms
What is a malware ?

A malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
What is it good for ?

Steal personal information
Delete files
Click fraud
Steal software serial numbers
Use your computer as a relay
A recent illustration

Christians On Facebook : leader hacked in March 2009, an Islamic message was posted, and the group lost >10 000 members
The Malware Zoo
Virus
Backdoor
Trojan horse
Rootkit
Scareware
Adware
Worm
What is a Virus ?

A program that can infect other programs by modifying them to include a, possibly evolved, version of itself.

Fred Cohen 1983
Some Virus Types

Polymorphic : uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
Metamorphic : changes after each infection
What is a trojan

A trojan describes the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim computer.

Wikipedia
What is a rootkit

A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine.

Symantec
What is a worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and does so without any user intervention.
Almost 30 years of Malware

From Malware: Fighting Malicious Code

Melissa spread by email and shares
Knark rootkit, made by creed, demonstrated the first ideas
Love bug : VB script that abused a weakness in Outlook
Kernel Intrusion System by optyx : GUI and efficient hiding
History

1981 First reported virus : Elk Cloner (Apple 2)
1983 Virus gets defined
1986 First PC virus (MS DOS)
1988 First worm : Morris worm
1990 First polymorphic virus
1998 First Java virus
1998 Back Orifice
1999 Melissa virus
1999 Zombie concept
1999 Knark rootkit
2000 Love bug
2001 Code Red worm
2001 Kernel Intrusion System
2001 Nimda worm
2003 SQL Slammer worm
Number of malware signatures

(Chart : number of malware signatures per year, 2002 to 2008, y-axis from 0 to 2 000 000)

Symantec report 2009

Malware Repartition

(Pie chart with slices of 74%, 13%, 9%, 3% and 1% across Trojan, Worm, Adware, Spyware and Other)

Panda Q1 report 2009

Infection methods
What to Infect

Executable
Interpreted file
Kernel
Service
MBR
Hypervisor
Overwriting malware

(Diagram : the malware overwrites the targeted executable; the infected host is the malware in place of the original code)

Prepending malware

(Diagram : the malware is placed in front of the targeted executable to form the infected host executable)

Appending malware

(Diagram : the malware is placed after the targeted executable to form the infected host executable)

Cavity malware

(Diagram : the malware is placed inside an unused region of the targeted executable to form the infected host executable)

Multi-Cavity malware

(Diagram : the malware is split across several unused regions of the targeted executable)
Packers

(Diagram : the malware payload is wrapped by a packer; the infected host executable contains the packer and the packed payload)
Packer functionalities
Compress
Encrypt
Randomize (polymorphism)
Anti-debug technique (int / fake jmp)
Add-junk
Anti-VM
Virtualization
Auto start

Folder auto-start : C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
Win.ini : "run=[backdoor]" or "load=[backdoor]"
System.ini : shell=myexplorer.exe
Wininit
Config.sys
Auto start cont.

Assign a known extension (.doc) to the malware
Add a Registry key such as HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Add a task in the task scheduler
Run as a service
Unix autostart

Init.d
/etc/rc.local
.login, .xsession
crontab (crontab -e, /etc/crontab)
Macro virus

Use the builtin script engine

Example of callbacks used (Word) :
AutoExec()
AutoClose()
AutoOpen()
AutoNew()
Document based malware

MS Office
Open Office
Acrobat
Userland root kit

Perform : login, sshd, passwd
Hide activity : ps, netstat, ls, find, du
Subverting the Kernel

Kernel task / What to hide :
Process management / Process
File access / Files
Memory management
Network management / Network traffic
Kernel rootkit

(Diagram : user processes P1, P2, P3 and ps run above the KERNEL, which contains the rootkit and sits on the hardware : HD, keyboard, mouse, NIC, GPU)
Subverting techniques

Kernel patch
Loadable Kernel Module
Kernel memory patching (/dev/kmem)
Windows Kernel

(Diagram of the Windows architecture : user processes P1, P2 ... Pn and Csrss.exe; Win32 subsystem DLLs (User32.dll, Gdi32.dll and Kernel32.dll) and other subsystems (OS/2, Posix); Ntdll.dll; ntoskrnl.exe with the Executive and the underlying kernel; kernel device drivers; Hardware Abstraction Layer (HAL.dll); Hardware)

(Diagram of kernel hook points along the path P2 -> Win32 subsystem DLLs -> Ntdll.dll -> interrupt -> system service dispatcher -> system service dispatch table -> ntoskrnl.exe : A, driver overwriting functions; B, driver replacing functions by putting a new pointer in the system service dispatch table; C, interrupt hook)
MBR/Bootkit

Bootkits can be used to avoid all protections of an OS, because the OS considers that the system was in a trusted state at the moment the OS boot loader took control.

(Diagram of the Windows 7 boot chain : BIOS -> MBR -> VBS -> NT Boot Sector -> BOOTMGR.EXE -> WINLOAD.EXE -> Windows 7 kernel / HAL.DLL)

Vboot

Works on every Windows (Vista, 7)
3 KB
Bypasses checks by letting them run and then doing in-flight patching
Communicates via ping
Hypervisor rootkit

(Diagram, before : App, App on the Target OS, on the Hardware)

(Diagram, after : the Target OS with its apps runs inside a Virtual machine on a Host OS that also runs the Rogue app, on the Hardware)
Propagation Vector
Shared folder
Email propagation

from pandalab blog

Valentine day ...

As well as distributing 'inoffensive' messages, cyber-crooks have used Valentine's Day to spread numerous malicious codes from the Waledac family through emails with malicious URLs.

The [illegible] is similar to that of the first spam messages advertising pharmaceuticals, as they are distributed via email, in this case using Valentine-related messages informing recipients that someone has sent them a virtual card. The message contains a link that is redirected to a malicious domain in order to view the card.

Below is an example of a malicious domain:

(Figure : Malicious Waledac domain.)

The worm is downloaded to the computer (automatically or through user interaction). However, for the download to be successful, users must agree to it:

(Figure : Download of the malicious file.)

Cyber-crooks created numerous domains to distribute the Waledac worm using inoffensive names such as card.exe, ecard.exe, love.exe, loveyou.exe, meandyou.exe, etc.

Some of these domains were designed to modify the file to be downloaded in order to distribute different malicious codes and prevent security companies from detecting them. This idea of numerous small infections is known as a silent epidemic.

The impact of domains distributing malicious Waledac codes was so great that some domains were even highly-ranked in search engines. This could cause users trying to locate virtual cards to access malicious domains by accident.

Waledac malicious domain from pandalab blog


Email again

Symantec 2009
Fake codec
Fake antivirus

from pandalab blog


Hijack your browser

from pandalab blog


Fake page !

from pandalab blog


P2P Files

Popular query : 35.5% are malwares (Kalafut 2006)
Backdoor

Basic : the attacker opens a TCP connection to the infected host
Reverse : the infected host opens a TCP connection back to the attacker
Covert : the infected host and the attacker communicate over ICMP
Rendez vous backdoor : the infected host and the attacker both contact a rendez-vous (RDV) point
Bestiary
Adware

BackOrifice : Defcon 1998, new version in 2000
Netbus : 1998, used for pranks
Symantec pcAnywhere
Browser Toolbar ...
Toolbar again
Ransomware

Trj/SMSlock.A : Russian ransomware, April 2009

Message shown to the victim : "To unlock you need to send an SMS with the text 4121800286 to the number 3649. Enter the resulting code: Any attempt to reinstall the system may lead to loss of important information and computer damage"

from pandalab blog
Detection
Anti-virus

Analyze system behavior
Analyze binary to decide if it is a virus

Type :
Scanner
Real time monitor
Impossibility result

It is not possible to build a perfect virus/malware detector (Cohen)

Diagonal argument :
P is a perfect detection program
V is a virus
V can call P
if P(V) = true -> halt
if P(V) = false -> spread
Virus signature

Find a string that can identify the virus
Fingerprint like
Heuristics

Analyze program behavior :
Network access
File open
Attempt to delete file
Attempt to modify the boot sector
Checksum

Compute a checksum for :
Good binary
Configuration file
Detect change by comparing checksums
At some point there will be more malware than goodware ...
Sandbox analysis

Running the executable in a VM
Observe it :
File activity
Network
Memory
Dealing with Packer

Launch the exe
Wait until it is unpacked
Dump the memory
Worms
Worm

A worm is self-replicating software designed to spread through the network
Typically, exploits security flaws in widely used services
Can cause enormous damage :
Launch DDOS attacks, install bot networks
Access sensitive information
Cause confusion by corrupting the sensitive information

Worm vs Virus vs Trojan horse
Cost of worm attacks

Morris worm, 1988
Infected approximately 6,000 machines
10% of computers connected to the Internet
cost ~ $10 million in downtime and cleanup

Code Red worm, July 16 2001
Internet Worm (First major attack)

Released November 1988
Program spread through Digital, Sun workstations
Exploited Unix security vulnerabilities
VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
Some historical worms of note

Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities, propagate to nearby sys
ADM       5/98   Random scanning of IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy, rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First sig Windows worm; Completely memory resident
Walk      8/01   Recompiled source code locally
Nimda     9/01   Windows worm: client-to-server, c-to-c, s-to-s
Scalper   6/02   11 days after announcement of vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth

Kienzle and Elder
Increasing propagation speed

Code Red, July 2001
Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0.
Windows 2000 that run IIS 4.0 and 5.0 Web servers
Exploits known buffer overflow in Idq.dll
Vulnerable population (360,000 servers) infected in 14 hours

SQL Slammer, January 2003
Affects Microsoft SQL 2000
Exploits known buffer overflow vulnerability
Code Red

Initial version released July 13, 2001
Sends its code as an HTTP request
HTTP request exploits buffer overflow
Malicious code is not stored in a file : placed in memory and then run
When executed, worm checks for the file C:\Notworm
Code Red of July 13 and July 19

Initial release of July 13 :
1st through 20th of the month : spread via random scan of 32-bit IP addr space
20th through end of each month : attack.
Flooding attack against 198.137.240.91 (www.whitehouse.gov)
Failure to seed random number generator : linear growth

Revision released July 19, 2001 :
White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
Causes Code Red to die for date 20th of the month.
But : this time random number generator correctly seeded

Slides: Vern Paxson
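Why the unseeded generator gives only linear growth, as an added toy simulation (not code from the lecture and not the worm's own logic) : every July 13 instance walks the same address sequence, so the sweep never grows beyond what patient zero alone covers, while the July 19 per-instance seeding lets the sweep compound. The address space, scan rate and vulnerable-host count are made-up parameters.

```python
import random

SPACE = 100_000        # constructed toy address space (the real worm scanned 2^32)
VULN = 2_000           # constructed number of vulnerable hosts
SCANS_PER_TICK = 100   # constructed scan rate of one infected instance

def simulate(seeded: bool, ticks: int = 12, seed: int = 1):
    """Return (infected count after each tick, distinct addresses scanned).

    seeded=False models the July 13 bug: every instance starts its generator
    from the same state, so a newly infected host only re-scans a prefix of
    the addresses patient zero has already swept; the sweep grows linearly.
    seeded=True models the July 19 fix: each instance gets its own seed."""
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(SPACE), VULN))
    patient_zero = min(vulnerable)
    vulnerable.discard(patient_zero)
    infected = {patient_zero}
    generators = {}            # host -> its own random number generator
    scanned = set()            # every address probed by any instance
    history = []
    for _ in range(ticks):
        newly = set()
        for host in infected:
            if host not in generators:
                # the bug: Random(0) for everyone; the fix: a per-host seed
                generators[host] = random.Random(0 if not seeded else seed + host)
            for _ in range(SCANS_PER_TICK):
                target = generators[host].randrange(SPACE)
                scanned.add(target)
                if target in vulnerable:       # hit a not-yet-infected victim
                    newly.add(target)
        vulnerable -= newly
        infected |= newly
        history.append(len(infected))
    return history, len(scanned)

if __name__ == "__main__":
    for label, flag in (("unseeded (July 13)", False), ("seeded (July 19)", True)):
        hist, distinct = simulate(flag)
        print(f"{label}: infected per tick {hist}; distinct addresses scanned {distinct}")
```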
Infection rate

(Chart of the Code Red infection rate)
Measuring activity: network telescope

Monitor cross-section of Internet address space, measure traffic :
Backscatter from DOS floods
Attackers probing blindly
Random scanning from worms
LBNL's cross-section: 1/32,768 of Internet
UCSD, UWisc's cross-section: 1/256.
Spread of Code Red

Network telescope estimate of # infected hosts : 360K. (Beware DHCP & NAT)
Course of infection fits classic logistic.
Note : the larger the vulnerable population, the faster the worm spreads.

That night (the 20th), worm dies, except for hosts with inaccurate clocks!
It just takes one of these to restart the worm on August 1st

Slides: Vern Paxson

(Chart of the spread of Code Red)

Slides: Vern Paxson
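The logistic curve named on the slide comes out of the random constant spread model of Staniford, Paxson and Weaver; the derivation below is added here and is not part of the original slides. N is the vulnerable population, r the number of random addresses each infected host probes per second out of the 2^32 IPv4 addresses, and a(t) the fraction of N infected at time t.

$$
\frac{d(Na)}{dt} = (Na)\cdot\frac{r\,N\,(1-a)}{2^{32}}
\quad\Longrightarrow\quad
\frac{da}{dt} = K\,a\,(1-a), \qquad K = \frac{rN}{2^{32}}
$$

$$
a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}
$$

T is the time at which half the population is infected. Since K grows with N, a larger vulnerable population steepens the curve, which is the note on the slide; while a is small the same equation gives exponential growth, a(t) ≈ a(0) e^{Kt}, and an unseeded scanner whose instances all probe the same addresses never reaches that regime.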
Code Red 2

Released August 4, 2001.
Comment in code : Code Red 2.
But in fact completely different code base.
Payload : a root backdoor, resilient to reboots.
Bug : crashes NT, only works on Windows 2000.
Localized scanning : prefers nearby addresses.
Kills Code Red 1.
Safety valve : programmed to die Oct 1, 2001.

Slides: Vern Paxson
Striving for Greater Virulence: Nimda

Released September 18, 2001.
Multi-mode spreading :
attack IIS servers via infected clients
email itself to address book as a virus
copy itself across open network shares
modifying Web pages on infected servers w/ client exploit
scanning for Code Red II backdoors (!)
worms form an ecosystem!
Leaped across firewalls.

Slides: Vern Paxson
(Chart of the Code Red 1, Code Red 2 and Nimda ecosystem over time, annotated : Code Red 2 kills off Code Red 1; Nimda enters the ecosystem; CR 1 returns thanks to bad clocks; Code Red 2 settles into weekly pattern; Code Red 2 dies off as programmed)

Slides: Vern Paxson
How do worms propagate?

Scanning worms : worm chooses random address
Coordinated scanning : different worm instances scan different addresses
Flash worms : assemble tree of vulnerable hosts in advance, propagate along tree
Not observed in the wild, yet
Potential for 10^6 hosts in < 2 sec ! [Staniford]
Meta-server worm : ask server for hosts to infect (e.g., Google for "powered by phpbb")
Topological worm : use information from infected hosts (web server logs, email address books, config files, SSH known hosts)
Contagion worm : propagate parasitically along with normally initiated communication
Slammer

01/25/2003
Vulnerability disclosed : 25 June 2002
Better scanning algorithm
UDP single packet : 380 bytes

(Charts : Slammer propagation, number of scans/sec, packet loss, a server view)
Consequences

ATM systems not available
Phone network overloaded (no 911!)
5 DNS root servers down
Planes delayed
Worm Detection and Defense

Detect via honeyfarms : collections of honeypots fed by a network telescope.
Any outbound connection from honeyfarm = worm (at least, that's the theory).
Distill signature from inbound/outbound traffic.
If telescope covers N addresses, expect detection when worm has infected 1/N of population.

Thwart via scan suppressors : network elements that block traffic from hosts that make failed connection attempts to too many other hosts.
5 minutes to several weeks to write a signature
Several hours or more for testing
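A scan suppressor of the kind the slide describes, as an added example (not code from the lecture) : it counts a source's failed connection attempts to distinct destinations inside a sliding window and blocks the source past a threshold. The window, the threshold and the flow records in SAMPLE are constructed.

```python
from collections import defaultdict, deque

class ScanSuppressor:
    """Block a source once its failed connection attempts reach too many
    distinct destinations inside a sliding time window."""

    def __init__(self, max_failed_peers: int = 5, window_s: float = 60.0):
        self.max_failed_peers = max_failed_peers
        self.window_s = window_s
        self.failed = defaultdict(deque)   # src -> deque of (timestamp, dst)
        self.blocked = set()

    def observe(self, ts: float, src: str, dst: str, success: bool) -> bool:
        """Feed one connection attempt; return True if src is blocked.

        Successful connections are ignored, so a busy client that reaches many
        live hosts is not punished, and repeated failures to one peer count as
        a single destination, so retries to a down server are not either."""
        if src in self.blocked:
            return True
        if success:
            return False
        q = self.failed[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window_s:   # drop attempts outside the window
            q.popleft()
        if len({d for _, d in q}) > self.max_failed_peers:
            self.blocked.add(src)
        return src in self.blocked

def blocked_sources(records) -> set:
    """Run the suppressor over (timestamp, src, dst, success) records."""
    sup = ScanSuppressor()
    for ts, src, dst, ok in records:
        sup.observe(ts, src, dst, ok)
    return sup.blocked

# Constructed records: a busy client whose connections succeed, a host
# retrying one unreachable peer, a worm-like host sweeping addresses fast,
# and a slow sweeper whose failures never pile up inside one window.
SAMPLE = (
    [(t, "10.0.0.5", f"10.0.1.{t}", True) for t in range(10)]
    + [(t, "10.0.0.9", "10.0.0.1", False) for t in range(10)]
    + [(100 + t, "10.0.0.7", f"192.0.2.{t}", False) for t in range(8)]
    + [(5000 + t, "10.0.0.8", f"192.0.2.{t}", False) for t in range(0, 400, 50)]
)

if __name__ == "__main__":
    print(blocked_sources(SAMPLE))
```

The slow sweeper 10.0.0.8 is not caught because a fixed window only ever holds two of its failures, which is the trade-off between the window length and false positives on ordinary clients.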
Need for automation

Current threats can spread faster than defenses can react
Manual capture/analyze/signature/rollout model too slow

(Chart, 1990 to 2005 : contagion period versus signature response period. Program viruses : months; macro viruses and e-mail worms : days; network worms : hrs; flash worms : mins/secs. Pre-automation versus post-automation.)

Slide: Carey Nachenberg, Symantec
Signature inference

Challenge : need to automatically learn a content signature for each new worm, potentially in less than a second!

Some proposed solutions :
Singh et al, Automated Worm Fingerprinting, OSDI 04
Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec 04
Signature inference

Monitor network and look for strings common to traffic with worm-like behavior
Signatures can then be used for content filtering

Slide: S Savage
Content sifting

Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
Two consequences :
Content Prevalence : W will be more common in traffic than other bitstrings of the same length
Address Dispersion : the set of packets containing W will address a disproportionate number of distinct sources and destinations
Content sifting : find Ws with high content prevalence and high address dispersion and drop that traffic

Slide: S Savage

Observation : high-prevalence strings are rare

Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute

(Stefan Savage, UCSD *)
The basic algorithm

(Animated diagram : a detector in the network watches traffic between hosts A, B, C, D, E and cnn.com and maintains a Prevalence Table and an Address Dispersion Table with Sources and Destinations columns. Step by step : the first substring is seen once with 1 source (A) and 1 destination (B); a second substring is seen once with 1 source (C) and 1 destination (A); the first substring is then seen 2 times with 2 sources (A,B) and 2 destinations (B,D), and finally 3 times with 3 sources (A,B,D) and 3 destinations (B,D,E), while the second stays at 1 (C) / 1 (A).)

(Stefan Savage, UCSD *)
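The prevalence and dispersion tables from the animation, as an added toy implementation of content sifting (illustration code, not EarlyBird or anything from the slides) : the window width, the thresholds, the host names and the two payloads are constructed, and the benign traffic to cnn.com mirrors the diagram's point that a prevalent string with a single destination is not flagged.

```python
from collections import defaultdict

NORMAL = b"GET /index.html HTTP/1.1\r\nHost: cnn.com\r\n"     # constructed benign request
EXPLOIT = b"\x90\x90\x90\x90WORM-PAYLOAD-STUB\x90\x90\x90"    # constructed worm-like bytes

class ContentSifter:
    """Prevalence table plus address dispersion table over fixed-width substrings."""

    def __init__(self, width: int = 8, min_prevalence: int = 3,
                 min_sources: int = 3, min_dests: int = 3):
        self.width = width                  # bytes per window (EarlyBird used ~40)
        self.min_prevalence = min_prevalence
        self.min_sources = min_sources
        self.min_dests = min_dests
        self.prevalence = defaultdict(int)  # substring -> packets containing it
        self.sources = defaultdict(set)     # substring -> distinct sources
        self.dests = defaultdict(set)       # substring -> distinct destinations

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        """Update both tables for every window of one packet; a substring is
        counted once per packet so a repetitive payload is not inflated."""
        seen = set()
        for i in range(len(payload) - self.width + 1):
            w = payload[i:i + self.width]
            if w in seen:
                continue
            seen.add(w)
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.dests[w].add(dst)

    def suspicious(self) -> list:
        """Substrings with high prevalence AND high dispersion in both
        directions: the candidates for a content-filtering signature."""
        return sorted(w for w, n in self.prevalence.items()
                      if n >= self.min_prevalence
                      and len(self.sources[w]) >= self.min_sources
                      and len(self.dests[w]) >= self.min_dests)

def demo() -> list:
    sifter = ContentSifter()
    # Ordinary requests from several hosts all go to one server: the common
    # bytes are prevalent but their destination set never grows.
    for host in ("A", "C", "E"):
        sifter.observe(host, "cnn.com", NORMAL)
    # A worm-like payload hops between many hosts in both directions.
    for src, dst in (("A", "B"), ("B", "D"), ("D", "E"), ("C", "A")):
        sifter.observe(src, dst, EXPLOIT)
    return sifter.suspicious()

if __name__ == "__main__":
    for w in demo():
        print(w)
```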
Challenges

Computation :
To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps
Dominated by memory references; state expensive
Content sifting requires looking at every byte in a packet

State :
On a fully-loaded 1Gbps link a naive implementation can easily consume 100MB/sec for table
Computation/memory duality : on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM

(Stefan Savage, UCSD *)