Malware PDF
slide 1
Malware
◆ Malicious code often masquerades as good
software or attaches itself to good software
◆ Some malicious programs need host programs
• Trojan horses (malicious code hidden in a useful
program), logic bombs, backdoors
◆ Others can exist and propagate independently
• Worms, automated viruses
◆ Many infection vectors and propagation methods
◆ Modern malware often combines trojan, rootkit,
and worm functionality
slide 2
“Reflections on Trusting Trust”
◆ Ken Thompson’s 1983 Turing Award lecture
1. Added a backdoor-opening Trojan to login program
2. Anyone looking at source code would see this, so
changed the compiler to add backdoor at compile-time
3. Anyone looking at compiler source code would see
this, so changed the compiler to recognize when it’s
compiling a new compiler and to insert Trojan into it
◆ “The moral is obvious. You can’t trust code that
you did not totally create yourself. (Especially code
from companies that employ people like me.)”
slide 3
Viruses
◆ Virus propagates by infecting other programs
• Automatically creates copies of itself, but to propagate,
a human has to run an infected program
• Self-propagating viruses are often called worms
◆ Many propagation methods
• Insert a copy into every executable (.COM, .EXE)
• Insert a copy into boot sectors of disks
– PC era: “Stoned” virus infected PCs booted from infected
floppies, stayed in memory, infected every inserted floppy
• Infect common OS routines, stay in memory
slide 4
First Virus: Creeper
http://history-computer.com/Internet/Maturing/Thomas.html
slide 5
Polymorphic Viruses
◆ Encrypted viruses: constant decryptor followed
by the encrypted virus body
◆ Polymorphic viruses: each copy creates a new
random encryption of the same virus body
• The ciphertext differs per copy, so no signature of the
body survives, but a fixed decryptor stub is itself a
signature: scanners match the decryptor instead, which
is why real polymorphic engines also mutate the decryptor
• Historical note: “Crypto” virus decrypted its body by
brute-force key search to avoid explicit decryptor code
slide 6
Virus Detection
◆ Simple anti-virus scanners
• Look for signatures (fragments of known virus code)
• Heuristics for recognizing code associated with viruses
– Example: polymorphic viruses often use decryption loops
• Integrity checking to detect file modifications
– Keep track of file sizes, checksums, keyed HMACs of contents
◆ Generic decryption and emulation
• Emulate CPU execution for a few hundred instructions,
recognize known virus body after it has been decrypted
• Does not work very well against viruses with mutating
bodies and viruses not located near beginning of
infected executable
slide 7
Virus Detection by Emulation
Randomly generates a new key Decrypt and execute
and corresponding decryptor code
Mutation A
Virus body
Mutation B
Mutation C
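The encryption, detection and emulation slides above describe a pipeline that is easier to see running than to read. The following is an added example, not code from the original lecture: it models an infected file as a decryptor stub for a tiny nine-instruction virtual machine followed by an XOR-encrypted body, mutates both the key and the stub per copy (going beyond the slide's constant decryptor, as real polymorphic engines do), and then runs a signature scan, a keyed-HMAC integrity check and generic decryption by emulation against it. The virus body, the signature fragment, the host file and the VM instruction set are all constructed assumptions.

```python
"""Toy polymorphic virus versus three detectors: signature scan, HMAC integrity
check, and generic decryption by emulation.  Everything here is constructed for
illustration: the 'virus body', the signature, the host file and the VM."""
import hashlib
import hmac
import random

# Constructed payload and the fragment a scanner's signature database would hold.
VIRUS_BODY = b"VIRUS: infect every .COM on the disk and stay resident"
SIGNATURE = b"infect every .COM"

# Opcodes of the toy VM the decryptor stub is written for (assumed instruction set).
HALT, LOADK, LOADI, LOADC, XORM, INCI, DECC, JNZ, NOP = 0, 1, 2, 3, 4, 5, 6, 7, 0x90


def make_infected_copy(rng, key):
    """One 'infected file': decryptor stub + body XORed with `key`.
    Random NOP padding makes the stub itself differ between copies."""
    junk = lambda: bytes([NOP]) * rng.randrange(0, 4)
    stub = bytearray()
    stub += bytes([LOADK, key]) + junk()
    loadi_at = len(stub)                       # operand patched once the stub length is known
    stub += bytes([LOADI, 0, 0]) + junk()
    stub += bytes([LOADC]) + len(VIRUS_BODY).to_bytes(2, "little") + junk()
    loop_at = len(stub)
    stub += bytes([XORM, INCI, DECC]) + junk()
    stub += bytes([JNZ]) + loop_at.to_bytes(2, "little") + bytes([HALT])
    stub[loadi_at + 1:loadi_at + 3] = len(stub).to_bytes(2, "little")   # body follows the stub
    return bytes(stub) + bytes(b ^ key for b in VIRUS_BODY)


def emulate(program, max_steps=2000):
    """Generic decryption: run the file's own code in a sandboxed VM for a bounded
    number of steps and return the memory image it leaves behind."""
    mem = bytearray(program)
    rd = lambda off, n: int.from_bytes(bytes(mem[off:off + n]).ljust(n, b"\0"), "little")
    pc = i = c = k = 0
    for _ in range(max_steps):
        op = rd(pc, 1)
        if op == LOADK:
            k, pc = rd(pc + 1, 1), pc + 2
        elif op == LOADI:
            i, pc = rd(pc + 1, 2), pc + 3
        elif op == LOADC:
            c, pc = rd(pc + 1, 2), pc + 3
        elif op == XORM:
            if i < len(mem):
                mem[i] ^= k
            pc += 1
        elif op == INCI:
            i, pc = i + 1, pc + 1
        elif op == DECC:
            c, pc = (c - 1) & 0xFFFF, pc + 1
        elif op == JNZ:
            pc = rd(pc + 1, 2) if c else pc + 3
        elif op == NOP:
            pc += 1
        else:
            break                 # HALT, a data byte, or ran off the end: stop emulating
    return bytes(mem)


def signature_scan(data):
    return SIGNATURE in data


def emulation_scan(data):
    return SIGNATURE in emulate(data)


def integrity_tag(data, key):
    """Keyed HMAC over file contents; a virus cannot forge it without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def demo(seed=7):
    rng = random.Random(seed)
    copies = [make_infected_copy(rng, k) for k in rng.sample(range(1, 256), 3)]
    distinct = len(set(copies)) == 3                      # no two copies share their bytes
    by_signature = [signature_scan(c) for c in copies]    # plain scan misses all of them
    by_emulation = [emulation_scan(c) for c in copies]    # emulation exposes the body in each
    # Caveat from the slide: appended after a host's own code rather than at the entry
    # point, the emulator executes host bytes first and never reaches the decryptor.
    host = b"clean host program"
    appended_missed = emulation_scan(host + copies[0])
    # Integrity checking needs no knowledge of the virus at all: the host changed.
    mac_key = b"scanner-secret"
    modified = integrity_tag(host + copies[0], mac_key) != integrity_tag(host, mac_key)
    return distinct, by_signature, by_emulation, appended_missed, modified


if __name__ == "__main__":
    print(demo())
```

The returned tuple says that the three copies are byte-distinct, that a signature scan misses every one of them, that emulation recovers the body in every one, that the same emulator misses the copy appended after a host's own code (the slide's caveat: the decryptor is not at the entry point, so the emulator never reaches it), and that an HMAC over the host detects the change without knowing anything about the virus. Real emulators add entry-point following and heuristics for decryption loops, and the HMAC key and tags must live where the virus cannot rewrite them.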
slide 12
Detour: Skype
[Biondi and Desclaux]
slide 13
Skype: Code Integrity Checking
[Biondi and Desclaux]
slide 14
Skype: Anti-Debugging
[Biondi and Desclaux]
slide 15
Skype: Control Flow Obfuscation (1)
[Biondi and Desclaux]
slide 16
Skype: Control Flow Obfuscation (2)
[Biondi and Desclaux]
slide 17
Propagation via Websites
[Moschuk et al.]
document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20
LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A
/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o
%20gr%E1tis%20para%20seu%20site%20renda%20extra%0D
...
3C/SCRIPT%3E%0D%0A%3C/
HEAD%3E%0D%0A%3CBODY%3E%0D%0A
%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));
//-->
</SCRIPT>
slide 21
“Ghost in the Browser”
◆ Large study of malicious URLs by Provos et al.
(Google security team)
◆ In-depth analysis of 4.5 million URLs
• About 10% malicious
◆ Several ways to introduce exploits
• Compromised Web servers
• User-contributed content
• Advertising
• Third-party widgets
slide 22
Compromised Web Servers
[Provos et al.]
• Interpreted by browser as
location.replace('http://videozfree.com')
• Redirects user to a malware site
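Both the percent-encoded document.write(unescape(...)) page above and the compromised-server snippet that decodes to location.replace(...) are recovered by the same static step: reimplement JavaScript's unescape() faithfully and peel the wrappers until plain HTML appears. This added Python example is not code from the original lecture or from the cited studies; its sample payload is constructed (with the js_escape() helper, which exists only to build the sample) and malware.example is a placeholder host.

```python
"""Static peeling of document.write(unescape("...")) wrappers and extraction of
the redirect / iframe targets they hide.  Added example: the sample payload is
constructed with the js_escape() helper below; malware.example is a placeholder."""
import re

_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_WRITE = re.compile(r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(.*?)\1\s*\)\s*\)""", re.S)
_REDIRECT = re.compile(r"""(?:location\.replace|location\.href\s*=|window\.location\s*=)\s*\(?\s*['"]([^'"]+)['"]""")
_IFRAME = re.compile(r"""<iframe[^>]*?src\s*=\s*['"]([^'"]+)['"]""", re.I)
_HIDDEN = re.compile(r"""<iframe[^>]*(?:width|height)\s*=\s*['"]?0\b""", re.I)


def js_unescape(s):
    """JavaScript unescape(): %XX is a Latin-1 code unit, %uXXXX a UTF-16 code unit.
    urllib.parse.unquote would try to decode UTF-8 and mangle these payloads."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Inverse of js_unescape; used only to build the constructed sample below."""
    out = []
    for ch in s:
        o = ord(ch)
        if (ch.isalnum() and o < 128) or ch in "@*_+-./":
            out.append(ch)
        else:
            out.append("%%%02X" % o if o < 256 else "%%u%04X" % o)
    return "".join(out)


def peel(script, max_depth=10):
    """Decode nested document.write(unescape("...")) layers, outermost first.
    (Backslash escapes inside the string literal are not handled.)"""
    layers = [script]
    for _ in range(max_depth):
        m = _WRITE.search(layers[-1])
        if not m:
            break
        layers.append(js_unescape(m.group(2)))
    return layers


def indicators(html):
    """Where the decoded page sends the browser: explicit redirects and iframes,
    flagging zero-size iframes (the drive-by download's favourite)."""
    return {"urls": _REDIRECT.findall(html) + _IFRAME.findall(html),
            "hidden_iframe": bool(_HIDDEN.search(html))}


def analyze(script):
    layers = peel(script)
    return {"layers": len(layers), **indicators(layers[-1])}


# Constructed sample: two layers of wrapping around a redirect plus a hidden iframe.
INNER = ("<script>location.replace('http://malware.example/landing');</script>\n"
         "<iframe src='http://malware.example/frame' width=0 height=0></iframe>")
SAMPLE = 'document.write(unescape("%s"));' % js_escape(
    'document.write(unescape("%s"));' % js_escape(INNER))

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print("layer %d: %s" % (depth, layer[:70]))
    print(analyze(SAMPLE))
```

The layered decoding matters because these payloads nest several wrappers, and the reason for not reaching for urllib.parse.unquote is that unescape() maps %E7 to the single code unit U+00E7 (the Portuguese text in the slide's snippet is Latin-1 encoded) while unquote() would try to read it as UTF-8. Static peeling only follows this one idiom; a payload that builds its string with eval(), String.fromCharCode() or arithmetic needs a real JavaScript interpreter in a sandbox.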
slide 25
Trust in Web Advertising
◆ Advertising, by definition, is ceding control of Web
content to another party
◆ Webmasters must trust advertisers not to show
malicious content
◆ Sub-syndication allows advertisers to rent out
their advertising space to other advertisers
• Companies like Doubleclick have massive ad trading
desks, also real-time auctions, exchanges, etc.
◆ Trust is not transitive!
• Webmaster may trust his advertisers, but this does not
mean he should trust those trusted by his advertisers
slide 26
Example of an Advertising Exploit
[Provos et al.]
slide 28
Not a Theoretical Threat
◆ Hundreds of thousands of malicious ads online
• 384,000 in 2013 vs. 70,000 in 2011 (source: RiskIQ)
• Google disabled ads from more than 400,000 malware
sites in 2013
◆ Dec 27, 2013 – Jan 4, 2014: Yahoo! serves a
malicious ad to European customers
• The ad attempts to exploit security holes in Java on
Windows and install multiple pieces of malware, including
the Zeus banking trojan (used to steal online banking
credentials)
slide 29
Third-Party Widgets
[Provos et al.]
slide 33
Rootkits
◆ Rootkit is a set of trojan system binaries
◆ Main characteristic: stealthiness
• Create a hidden directory
– /dev/.lib, /usr/src/.poop and similar
– Often use invisible characters in directory name (why?
a name such as “. ” or “...” looks like the ordinary “.” entry
in an ls listing and is easily overlooked)
• Install hacked binaries for system programs such as
netstat, ps, ls, du, login
• Result: can’t detect attacker’s processes, files or network
connections by running the standard UNIX commands!
slide 35
Function Hooking
◆ Rootkit may “re-route” a legitimate system
function to the address of malicious code
◆ Pointer hooking
• Overwrite a function pointer that is dereferenced at call
time: an entry in an ELF binary’s Global Offset Table (GOT),
a Windows Import Address Table (IAT) slot, or a kernel
system call table entry
◆ “Detour” or “inline” hooking
• Overwrite the first few bytes of a legitimate function
with a jump to the malicious code (the original bytes are
saved so the hook can call through to the real function)
• This requires making the code page writable, i.e.,
subverting memory protection
◆ Modifications may be detectable by a clever
rootkit detector
slide 36
Kernel Rootkits
◆ Get loaded into OS kernel as an external module
• For example, via compromised device driver or a badly
implemented “digital rights” module (e.g., Sony XCP)
◆ Replace addresses in system call table, interrupt
descriptor table, etc.
◆ If kernel modules disabled, directly patch kernel
memory through /dev/kmem (SucKIT rootkit)
◆ Inject malicious code into a running process via ptrace
(PTRACE_ATTACH, PTRACE_POKETEXT, PTRACE_DETACH); this
needs no kernel module, only permission to trace the target
• Security and antivirus software are often the first
injection targets
slide 37
Mebroot (Windows)
◆ Replaces the host’s Master Boot Record (MBR)
• First physical sector of the hard drive
• Launches before Windows loads
◆ No registry changes, very little hooking
◆ Stores data in physical sectors, not files
• Invisible through the normal OS interface
◆ Uses its own version of network driver API to
send and receive packets
• Invisible to “personal firewall” in Windows
◆ Used in Torpig botnet
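Mebroot's trick is that nothing it needs lives in the file system, so file-level scanners have nothing to scan. The following added example (not code from the original lecture or from any Mebroot analysis) shows the check that does work: read sector 0, parse it as an MBR, compare the bootstrap code against a hash taken from a clean install, and inspect the unallocated sectors between the MBR and the first partition against a baseline of what legitimately lives there (a boot loader's second stage does). The disk images, boot code bytes and baselines are constructed. On a real machine the sectors come from the raw device (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, which needs administrator rights), preferably from an image taken offline, because an active bootkit can intercept disk reads and hand back the original sector.

```python
"""Bootkit check in the spirit of Mebroot: parse the first sector of a disk,
verify the boot signature, compare the bootstrap code with a known-good hash, and
look at the sectors between the MBR and the first partition, where a bootkit keeps
its body and no file system ever lists it.  Added example; the disk images, the
boot code bytes and the baseline hashes are all constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bootstrap code, then 4 x 16-byte partition entries, then 55AA
PART_TABLE_OFF = 446
BOOT_SIG = b"\x55\xAA"


def parse_partitions(mbr):
    """The four primary partition entries: status, type, start LBA and length."""
    parts = []
    for i in range(4):
        entry = bytes(mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return parts


def sector_hash(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def check_mbr(disk, baseline_bootcode_hash):
    """Findings for sector 0 of a disk image (or bytes read from the raw device)."""
    mbr = bytes(disk[:SECTOR])
    if len(mbr) < SECTOR:
        return ["image shorter than one sector"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 55AA boot signature")
    if sector_hash(mbr[:BOOT_CODE_LEN]) != baseline_bootcode_hash:
        findings.append("bootstrap code differs from baseline")
    return findings


def gap_sectors(mbr):
    """LBAs between the MBR and the first partition: unallocated and unlisted."""
    first = min((p["start"] for p in parse_partitions(mbr)), default=1)
    return range(1, first)


def unexpected_gap_sectors(disk, known_hashes):
    """Non-zero gap sectors whose content is not in the clean-install baseline
    (a legitimate second-stage loader such as GRUB's core.img lives there too)."""
    bad = []
    for lba in gap_sectors(disk[:SECTOR]):
        sec = bytes(disk[lba * SECTOR:(lba + 1) * SECTOR])
        if len(sec) == SECTOR and any(sec) and sector_hash(sec) not in known_hashes:
            bad.append(lba)
    return bad


def build_disk(bootcode, partitions, n_sectors):
    """Constructed image: boot code, partition table (first entry bootable), signature."""
    disk = bytearray(SECTOR * n_sectors)
    disk[:len(bootcode)] = bootcode
    for i, (ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        disk[off:off + 16] = struct.pack("<B3xB3xII", 0x80 if i == 0 else 0, ptype, start, count)
    disk[510:512] = BOOT_SIG
    return disk


CLEAN_BOOTCODE = b"\xFA\x33\xC0\x8E\xD0" + b"stand-in for the OS boot code (constructed)"
GRUB_STANDIN = b"stand-in for a legitimate second-stage loader in the gap (constructed)"
BOOTKIT_CODE = b"\xEB\x58\x90" + b"stand-in for a bootkit's replacement MBR code (constructed)"
BOOTKIT_BODY = (b"stand-in for the bootkit body stored in raw sectors (constructed) " * 30)[:3 * SECTOR]


def demo():
    clean = build_disk(CLEAN_BOOTCODE, [(0x07, 63, 1000)], 64)
    clean[SECTOR:SECTOR + len(GRUB_STANDIN)] = GRUB_STANDIN          # LBA 1 holds the loader
    baseline = sector_hash(clean[:BOOT_CODE_LEN])
    known = {sector_hash(clean[l * SECTOR:(l + 1) * SECTOR]) for l in gap_sectors(clean[:SECTOR])}
    infected = bytearray(clean)
    infected[:BOOT_CODE_LEN] = BOOTKIT_CODE.ljust(BOOT_CODE_LEN, b"\0")   # MBR code replaced
    infected[60 * SECTOR:63 * SECTOR] = BOOTKIT_BODY                      # body parked in LBA 60-62
    return (check_mbr(clean, baseline), unexpected_gap_sectors(clean, known),
            check_mbr(infected, baseline), unexpected_gap_sectors(infected, known))


if __name__ == "__main__":
    print(demo())
```

On the clean image both checks are silent even though LBA 1 is non-zero, because the loader's sector is in the baseline; on the infected image the bootstrap hash mismatches and sectors 60 to 62 are reported. The baseline of bootstrap hash and gap-sector hashes is the part that needs care in practice: it must be captured from a known-clean install and stored off the machine.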
slide 38
Detecting Rootkit’s Presence
◆ Sad way to find out
• Run out of physical disk space because of sniffer logs
• Logs are invisible because du and ls have been hacked
◆ Manual confirmation
• Reinstall clean ps and see what processes are running
◆ Automatic detection
• A user-level rootkit replaces the tools, not the kernel data
structures they read: compare what netstat, ps, ls, du,
ifconfig print with the raw view in /proc and the file system
• Host-based intrusion detection can find rootkit files
– …assuming an updated version of rootkit did not disable the
intrusion detection system!
slide 39
Remote Administration Tools
◆ Legitimate tools are often abused
• Citrix MetaFrame, WinVNC, PC Anywhere
– Complete remote control over the machine
– Easily found by port scan (e.g., port 1494 – Citrix)
• Bad installations, crackable password authentication
– “The Art of Intrusion” – hijacking remote admin tools to break
into a cash transfer company, a bank’s IBM AS/400 server
◆ Semi-legitimate tools
• Back Orifice, NetBus
• Rootkit-like behavior: hide themselves, log keystrokes
• Considered malicious by anti-virus software
slide 40
Communicating Via Backdoors
◆ All sorts of standard and non-standard tunnels
◆ SSH daemons on a high port
• Communication encrypted ⇒ hard to recognize for a
network-based intrusion detector
• Hide SSH activity from the host by patching netstat
◆ UDP listeners
◆ Passively sniffing the network for master’s
commands
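The rootkit slides above (hidden directories, trojaned ps/netstat/ls/du) and the backdoor slide just above (SSH on a high port, hidden by patching netstat) describe the same weakness from the detector's side: a user-level rootkit changes what the tools print, not what the kernel exposes in /proc. This added example (not from the original lecture) does the cross-view comparison in Python: PIDs from a ps listing versus /proc, listening ports from netstat output versus /proc/net/tcp, plus a heuristic for directory names chosen to vanish in an ls listing. The ps and netstat output, the /proc snapshots and the list of system locations where no dot-directory belongs are constructed assumptions.

```python
"""Cross-view detection of a user-level rootkit.  A trojaned ps/netstat/ls changes
what the tool prints, not what the kernel exposes through /proc, so compare the
two views.  Added example; the tool output and /proc snapshots below are
constructed, and the ODD_PARENTS policy is an assumption."""
import os
import re
import subprocess


def pids_from_ps(ps_output):
    """PIDs as printed by `ps -e` (first column after the header line)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        f = line.split()
        if f and f[0].isdigit():
            pids.add(int(f[0]))
    return pids


def pids_from_proc(proc_root="/proc"):
    """The kernel's own process list: numeric directory names under /proc."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}


def hidden_processes(proc_pids, tool_pids):
    return sorted(set(proc_pids) - set(tool_pids))


def listeners_from_proc_net_tcp(text):
    """Listening ports from /proc/net/tcp: local_address is hex IP:PORT, st 0A = LISTEN."""
    ports = set()
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) > 3 and f[3] == "0A":
            ports.add(int(f[1].split(":")[1], 16))
    return ports


def listeners_from_netstat(text):
    """Listening ports as printed by `netstat -tln`."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


ODD_PARENTS = ("/dev", "/usr/src", "/lib", "/usr/lib", "/bin", "/sbin")   # assumed: no dot-dirs belong here


def suspicious_paths(paths):
    """Names chosen to vanish in an ls listing: dots plus only whitespace ('. ', '...'),
    control characters, trailing blanks, or dot-directories in system locations."""
    bad = []
    for p in paths:
        parent, name = os.path.split(p)
        core = name.lstrip(".")
        invisible = (core.strip() == "" or name != name.strip()
                     or any(ord(ch) < 32 or ord(ch) == 127 for ch in name))
        if invisible or (name.startswith(".") and parent in ODD_PARENTS):
            bad.append(p)
    return bad


def live_process_check():
    """Run the process comparison on this host (Linux); ps is the possibly trojaned view."""
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return hidden_processes(pids_from_proc(), pids_from_ps(ps))


# --- constructed snapshots of a host whose ps and netstat have been replaced ----------
PS_E = """  PID TTY          TIME CMD
    1 ?        00:00:02 init
  842 ?        00:00:00 sshd
 1307 pts/0    00:00:00 bash
"""
PROC_PIDS = {1, 842, 1307, 1366}          # /proc also shows 1366, the attacker's sniffer
NETSTAT_TLN = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7F4F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12399 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B2A4 01 00000000:00000000 00:00000000 00000000     0        0 12350 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PATHS = ["/dev/.lib", "/usr/src/.poop", "/tmp/. ", "/var/tmp/...",
                "/home/alice/.bashrc", "/opt/app\t", "/usr/lib/libc.so.6"]


def demo():
    hidden_pids = hidden_processes(PROC_PIDS, pids_from_ps(PS_E))
    hidden_ports = sorted(listeners_from_proc_net_tcp(PROC_NET_TCP) - listeners_from_netstat(NETSTAT_TLN))
    return hidden_pids, hidden_ports, suspicious_paths(SAMPLE_PATHS)


if __name__ == "__main__":
    print(demo())
```

On the constructed snapshots this returns the sniffer PID 1366 that ps omits, port 32591 (the SSH daemon on a high port) that netstat omits, and the five suspicious paths; live_process_check() runs the real process comparison on a Linux host. The slide's caveat applies in full: a kernel rootkit that hooks the system calls behind /proc, or a rootkit update that targets the detector itself, defeats any cross-view check performed from inside the compromised host, which is why forensic practice also boots from trusted media and compares from outside.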
slide 41
Byzantine Hades
◆ 2006-09 cyber-espionage attacks against US
companies and government agencies
• Attack websites located in China, using the same precise
postal code as the People’s Liberation Army’s Chengdu
Province First Technical Reconnaissance Bureau
◆ Targeted email results in installing a Trojan
• Gh0st RAT (the tool behind GhostNet) / Poison Ivy remote
access tools
• Stole 50 megabytes of email, documents, usernames
and passwords from a US government agency
◆ Same tools used to penetrate Tibetan exile
groups, foreign diplomatic missions, etc.
slide 42
Night Dragon
◆ Started in November 2009
◆ Targets: oil, energy, petrochemical companies
◆ Propagation vectors
• SQL injection on external Web servers to harvest
account credentials
• Targeted emails to company executives (spear-
phishing)
• Password cracking and “pass the hash” attacks
◆ Install customized RAT tools, steal internal
documents, deliver them to China
slide 43
RAT Capabilities
◆ “Dropper” program installs RAT DLL, launches it
as persistent Windows service, deletes itself
◆ RAT notifies specified C&C server, waits for
instructions
◆ Attacker at C&C server has full control of the infected
machine: can view files and the desktop, manipulate the
registry, launch a command shell
slide 44
Who Was Behind Night Dragon?
◆ C&C servers hosted in Heze City,
Shandong Province, China
◆ All data exfiltration to IP addresses in Beijing, on
weekdays, between 9a and 5p Beijing time
◆ Uses generic tools from Chinese hacking sites
• Hookmsgina and WinlogonHack: password stealing
• ASPXSpy: Web-based RAT (its banner reads “Make in China”)
slide 45
Sources say hackers using servers in China gained control of a
number of Canadian government computers belonging to top
federal officials.
The hackers, then posing as the federal executives, sent emails
to departmental technical staffers, conning them into providing
key passwords unlocking access to government networks.
At the same time, the hackers sent other staff seemingly
innocuous memos as attachments. The moment an attachment
was opened by a recipient, a viral program was unleashed on
the network.
The program hunts for specific kinds of classified government
information, and sends it back to the hackers over the internet.
One source involved in the investigation said spear-phishing is
deadly in its simplicity: "There is nothing particularly innovative
about it. It's just that it is dreadfully effective."
slide 46
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
slide 48
Luckycat
[Trend Micro 2012 research paper]
slide 51
It All Starts with an Email…
◆ A targeted, spear-phishing email is sent to
sysadmins, developers, etc. within the company
◆ Victims are tricked into visiting a page hosting this
Javascript:
slide 53
Aurora Exploit (2)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit
1. Sets up an array of two hundred “COMMENT” objects
4. Sets up a timer to call this code every 50 milliseconds
slide 54
Aurora Exploit (3)
http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit