Week 06 Slides


CPSC 506

Computer Security I
<MEETING TIME AND INSTRUCTOR>
WEEK 6

Software Security Preview

Malware
CH. 6
Software that attacks
Malware = malicious software
◦ Software purposely designed to carry out an attack on behalf of the threat agent(s)
◦ We want to think about how different malware attacks affect C, I, and A

Has become increasingly sophisticated and adaptive over the last 30 years
◦ Originally, individual criminal mischief; now organized crime groups and even governments involved
◦ Underground malware economy
Classifying Malware
We will classify malware along two axes:
◦ How it propagates (spreads)
◦ What type of action it takes / payload it carries

Types of malware typically named by their propagation method:


◦ Sharing of infected content by users: viruses
◦ Social engineering: phishing, trojan horses
◦ Exploitation of software vulnerabilities (especially on a network): worms
◦ Browser delivery: drive-by downloads, malvertising
Viruses
PROPAGATION BY INFECTED CONTENT
What is a (computer) virus?
The earliest widely prevalent type of malware – able to spread in the pre-internet personal computer days
A fragment of code that attaches itself to (infects) an existing program or data file.
◦ Not a standalone program, depends on the host
◦ Surprisingly analogous to biological viruses

Spreads by copying itself to other files on the system, and then infected files are shared between users
◦ Floppy disk, USB drive, email, Dropbox

Virus code has all access rights of the user who runs the program
Virus Terminology
Infection mechanism/vector: the means by which a virus propagates
Payload: what the virus does besides spreading; the portion of the code that “does the damage”
◦ Anything a user can do: Spying on data, changing permissions, opening ports for network attacks, data corruption/deletion, random “haunting” behavior …
◦ May be nothing; a virus may have no other function than to spread itself.

Trigger: The conditions that cause the virus’s payload to be activated.


◦ Viruses often programmed to sit dormant until a specified condition is met
◦ Why? To spread as widely as possible without being detected, then trigger the payload at a specified time – to maximize damage
◦ A logic bomb usually refers to a more sophisticated trigger, based on multiple conditions

Resident: A virus that is resident has its program code loaded into RAM, as opposed to just sitting on disk
◦ But may still be dormant.
Virus Types
File Infector
◦ A piece of executable code that attaches itself to an executable program’s machine code.
◦ When file is executed, virus loads itself into memory, and usually continues program execution.

Boot Sector Virus


◦ Infects the boot sector(s) of drives, becomes resident when the computer is booted
◦ Potentially more damaging, as it has lower-level access to the machine.

Macro Virus
◦ Viruses written in the macro language of a software suite
◦ Propagated through sharing of document files
Traditional file infector virus operation
A traditional virus is created as a piece of executable code attached to a program’s machine code.
◦ Usually at the beginning, so that the program’s code entry point now lands in the virus code
When the program is executed, first the virus code runs.
◦ This is when it may try to copy itself to other files, or trigger its payload operations
The virus then “jumps” to the start of the original executable code and the program continues as if nothing is wrong
[Figure: layout of an infected executable – the code entry point redirected into the prepended virus code, which then jumps to the original executable code]
A Classic infection vector - autorun.inf
The “autorun” feature of Windows allows a CD-ROM, USB stick, or floppy disk to specify a program to be run automatically when the media is inserted.
◦ Goal is to make software installation more user-friendly.
◦ But a security disaster!
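As an added example (not part of the slides, and not Windows code), here is a small Python triage script that reads an autorun.inf the way Autorun interprets it and reports what would be launched on insertion. It assumes the documented INI layout of the file: an [autorun] section whose open= or shellexecute= key names what runs, and icon=, label= and action= keys that a USB-borne infector uses to dress its entry up as the harmless “Open folder to view files” choice. Both sample files are constructed.

```python
"""Added example: triage an autorun.inf from removable media (not from the slides)."""
import configparser

# Constructed sample in the style of a USB-borne infector's autorun.inf.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\S-1-5-21-1482476501\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Holiday Photos
action=Open folder to view files
"""

# Constructed benign file: only customises the drive icon and label.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=drive.ico
label=Backup Drive
"""

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")
# Folders Explorer hides by default; infectors like to drop their program there.
CONCEALED_FOLDERS = {"recycler", "$recycle.bin", "system volume information"}


def parse_autorun(text):
    """Return the keys of the [autorun] section (lower-cased) or {} if absent."""
    # interpolation=None: '%SystemRoot%' is a Windows env reference, not a
    # configparser interpolation, so it must be taken literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    section = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): v.strip() for k, v in cfg.items(section)}


def assess_autorun(text):
    """Report what Autorun would launch and why it looks like an infector, if it does."""
    keys = parse_autorun(text)
    launch = keys.get("open") or keys.get("shellexecute")
    findings = []
    if launch:
        findings.append(f"media insertion would launch: {launch}")
        if launch.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("target is a program, not a document")
        parts = launch.replace("/", "\\").lower().split("\\")
        if any(part in CONCEALED_FOLDERS for part in parts):
            findings.append("program hidden in a folder Explorer normally conceals")
    if "folder" in keys.get("action", "").lower():
        findings.append("action= text imitates the built-in 'Open folder' prompt")
    return {"launch": launch, "findings": findings}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, assess_autorun(text))
```

Run assess_autorun over the autorun.inf at the root of each removable drive; an empty findings list means the file only sets cosmetics (icon/label), which is the legitimate use the feature was designed for.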
Macro Viruses
The most prevalent virus type of the 1990’s
Not a machine code virus
◦ Many productivity software packages include what is known as a macro language – an embedded scripting language that allows users to add functionality to the document or program. (Ex: VBA)
◦ A macro is a small executable script in the macro language, saved with the document
◦ Macros can be set to execute on document open; the virus then installs itself in the “standard template” of the user’s installation, from whence it can infect every document opened with the software.
◦ Early versions had very weak or no protection against macros modifying the whole system

Document files become executables!!


◦ Document files tend to be distributed much more often than programs

Newer versions of MS Office disable the running of macros by default, for files created by someone else
The “Melissa” virus
Macro Virus released into the wild March 1999
The fastest-spreading virus seen up to that time: across the globe within hours of initial discovery
VBA code in Word file (.doc), which runs when document is opened
◦ Used Microsoft Outlook to email itself to the first 50 addresses in the user’s address book, with subject line “Important message from USERNAME”
◦ Recipients likely to open documents from people they know

Payload activated when the minutes of the hour matched the day of the month
◦ Inserts a Simpsons quote into a currently open Word document

After mailing itself, infects other .doc files on the system


◦ Potentially revealing confidential information when those get emailed

Collateral damage of clogging up Exchange email servers


Source: https://www.f-secure.com/v-descs/melissa.shtml
The PC threat landscape today
The base security level of OSes is much better than it used to be.
◦ Introduction of Access Controls into PC operating systems prevents arbitrary tampering of executables
◦ Some type of virus scanner is on by default in most OSes
◦ Patches to close vulnerabilities are delivered more quickly
◦ Basic protection against macro viruses exists in office suites (note the “Protected View / Enable Editing” step in new versions of MS Office)

However, the prevalence of the internet, and the way it is used, also exposes the average PC to many more threats than previously.
◦ The web browser is the primary vector of malware delivery to PCs, mainly through software vulnerabilities in the browser scripting engine.
◦ Malware doesn’t have to fit the traditional definition of a file infector virus to do a lot of damage

The threat landscape is changing more quickly than before.


Trojan Horses, Spam, Phishing
DISTRIBUTION THROUGH HUMAN DECEPTION

Trojan Horse
An apparently useful program or installer that also delivers malware.
The payload can be anything; very commonly used to deliver adware

Spam – unsolicited email
Spam has non-malware-related goals:
◦ Advertising actual products (legal or illegal) for sale
◦ Traditional money-making scams

Spam can also be used as a malware propagation mechanism, where it takes the form of social engineering
◦ Getting user to open infected attachments
◦ Directing to a drive-by download site

Relevant: Most spam today is sent by botnets of malware-infected PCs


Phishing
Phishing is a social engineering practice in which a person is sent an email tricking them into clicking a link to a non-legitimate website that impersonates a real one (such as a bank’s login page).
Phishing is more commonly associated with identity theft, leading a person to enter passwords and personal information into the fake site.
Phishing emails can also be malware vectors.

Windows Infection Vector: file extension hiding
By default, Windows hides the filename extension in the file browser
◦ Extensions are used to determine which files are executable: .exe, .com, .bat

A malicious program can be distributed with a name like “lookatme.jpg.exe” and have an icon that looks like a .jpg file
◦ If the extension “.exe” is hidden, the file is displayed as “lookatme.jpg” and users may be fooled into clicking on it, thinking it is an image file.
◦ A form of social engineering
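The following Python snippet is an added example (not from the slides) that makes the trick concrete: it computes the name Explorer would display with “Hide extensions for known file types” on, and flags attachment names that only look like documents because of it. It assumes Explorer hides exactly the last suffix; the extension lists are assumptions too, not a complete catalogue of what Windows treats as executable.

```python
"""Added example: what Explorer shows when extensions are hidden, and which
names exploit that (not from the slides)."""
import os

# Assumed lists: suffixes Windows will execute, and suffixes users read as "safe".
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt", ".mp3"}


def displayed_name(filename):
    """Assumption: with extensions hidden, Explorer drops only the last suffix."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename):
    """'deceptive'  = executable whose displayed name ends in a document suffix
    'executable' = plainly an executable
    'data'       = anything else"""
    _, real_ext = os.path.splitext(filename)
    _, apparent_ext = os.path.splitext(displayed_name(filename))
    real_ext, apparent_ext = real_ext.lower(), apparent_ext.lower()
    if real_ext in EXECUTABLE_EXTS and apparent_ext in DOCUMENT_EXTS:
        return "deceptive"
    if real_ext in EXECUTABLE_EXTS:
        return "executable"
    return "data"


def triage(filenames):
    """(what the user sees, what the file really is, verdict) for each attachment."""
    return [(displayed_name(f), f, classify(f)) for f in filenames]


if __name__ == "__main__":
    # Constructed attachment names.
    for row in triage(["lookatme.jpg.exe", "invoice.pdf.scr", "photo.jpg", "setup.exe"]):
        print(row)
```

The check is cheap enough to run on every inbound attachment name at a mail gateway; the “deceptive” verdict is the one worth blocking outright, since no legitimate sender names a program after a picture.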
Malware discussion so far
We classify malware by how it propagates, and what type of action it takes (payload)
A virus is a fragment of code that attaches itself to (infects) an existing program or data file.
◦ File infector: attaches to an executable program
◦ Boot sector virus: attaches to the boot code in a drive’s boot sector or master boot record, which the BIOS loads before the OS
◦ Macro virus: attaches to a document

Viruses and other malware are often spread through social engineering methods
◦ Trojan horses
◦ Spam and phishing emails
◦ Any way to get a user to unknowingly execute a program.
Worms,
Drive-by
downloads
PROPAGATION THROUGH SOFTWARE
VULNERABILITY EXPLOIT
What is a worm?
A worm is malware that involves standalone code, not just a fragment attached to a host program, and is able to propagate itself.
This means that worms typically:
◦ Are more network-oriented – actively seek out other machines to exploit
◦ Exploit software vulnerabilities in OS, client, or server programs to infect and spread themselves without human interaction

Once again, the payload of a worm can be anything


Worms propagate themselves actively
Email or instant messaging: the worm may email itself to other systems, or send itself as an IM attachment
◦ Melissa, as we have seen, displayed worm-like behavior in this respect

Remote file transfer: using a remote file transfer service (such as anonymous ftp), copies itself onto new hosts
Remote login: if it can log itself in as a user on a remote system, can issue commands to copy itself onto the new system
Remote Execution Capability: Exploiting a software bug (e.g. in a network service program) that allows code execution on a remote machine
◦ Any machine on the internet that hasn’t been patched against the vulnerability can potentially be infected
◦ Server programs are especially vulnerable, because they are configured (as we saw) to allow new incoming connections.
◦ Potential for extremely rapid propagation
The first stage of worm propagation
Target discovery, AKA scanning
◦ Worm scans hosts on the network to find machines that are susceptible to its infection vector

Scan types:
◦ Random IP address
◦ “Hit list”, list of potentially vulnerable machines compiled over time
◦ Local network/topological: the worm tries to gain information about its host’s local network environment to find targets
Mathematical model of worm propagation
Slow start phase, followed by exponential growth
In the middle phase, the growth rate stops accelerating (roughly linear), but the number of new infections per unit time is at its highest, because so many hosts are already infected and scanning
Slow finish phase, as fewer vulnerable hosts are left to find
Clearly, we want to stop a worm in the slow start phase.
[Figure: S-shaped curve of infected hosts over time]
The Morris Worm – one of the first internet worms
Written by a Cornell University grad student and released onto the internet in November 1988 (!!)
Designed to infect UNIX systems
Multiple methods of system invasion, some of which we have studied and will study later:
◦ Attempts to log on as a legitimate user, using previously discovered passwords
◦ Runs dictionary attack on the local password file
◦ Exploits bugs in the sendmail server and UNIX finger protocol

No malicious payload; more of a research project


Spread much more rapidly than its creator intended, causing significant slowdowns and loss of service across the then-young internet
Worm propagation by exploits
Worms use multiple methods to propagate themselves.
◦ But perhaps the most dangerous is unpatched software vulnerabilities, particularly buffer overflow bugs.

A zero-day vulnerability is one that has not been disclosed to the vendor or to the security community at large; a zero-day exploit is attack code for such a vulnerability
◦ Thus, it can be exploited before anyone has had a chance to patch it – defenders have had “zero days” to prepare a defense against it.
◦ Underground economy for selling and buying zero-days.
The Code Red worm
July 2001
Exploited a security hole in Internet Information Server (IIS) – Microsoft’s web server program
◦ A buffer overflow bug could cause a long input stream to be written to a region of memory that would be treated as executable code.

Propagates by probing random IP addresses to see which are running IIS


Infected nearly 360,000 servers in 14 hours
Payload: After spreading, initiated a denial-of-service attack against government websites,
including whitehouse.gov.
Caused major service disruptions across the globe
The Conficker worm
Windows-based worm, first detected 2008
◦ At its peak, infected more than 11 million PCs globally

Exploits buffer overflow vulnerability in RPC (Remote Procedure Call) protocol


◦ Machines with file/printer sharing are vulnerable, including personal computers

Changes system settings/services: prevents Windows Update from running and disables antivirus
Infected machine sets up an HTTP (web) server to send the worm to new targets
“has been unusually difficult to counter because of its combined use of many advanced malware techniques.” (Wikipedia)
Infected machines form a botnet – apart from briefly pushing spam and scareware modules to some hosts in 2009, it has never been used for a large-scale attack, but anything is possible
Source: https://www.sans.org/security-resources/malwarefaq/conficker-worm.php
Client vs. Server Exploits
Most vulnerabilities exploited by worms are bugs in the code of an internet-facing program, with the result of allowing code execution on the host machine.
◦ So far we’ve seen that they are mainly server programs (IIS, Apache, or SQL server)
◦ Server software can be attacked directly, because it provides services to any host that makes a request.
◦ Remember that personal firewalls are configured to reject incoming connections, unless an exception has been made for a specific service.
◦ Conficker attacks Windows PCs in one of their server-type roles (answering RPC requests).

One hopes PCs and personal devices are relatively safe from these
◦ They sit behind firewalls and NAT routers, so are often not publicly reachable
◦ They run few server-style programs (Is this true?)

But there are also vulnerabilities that apply to client-side code.


◦ What is the most common internet-facing client program?
Browser Vulnerabilities: Drive-by downloads
A vulnerability in a web browser could be exploited to download and install malware without the user’s consent.

However, the user still needs to visit a malicious site
◦ Could be done through phishing or links in spam
◦ Or, a trusted site may inadvertently display an advertisement with malicious code.

All modern browsers now keep an updated database of known attack sites
Difference between Trojans and Drive-by
Downloads
Trojan means that a human being is tricked into downloading and installing infected software
Drive-by downloads use attack sites that exploit vulnerabilities in the browser code to automatically download & install malware
◦ Requires knowledge of an exploitable vulnerability in the browser

Of course, once a system is compromised by malware, the malware itself can automatically
download and install additional malware
The web of code
The WWW has progressed from originally being a medium for serving static hyperlinked pages to an environment overflowing with executable code
A web browser is an extremely complex piece of software
◦ Has essentially become a virtual machine for running website code
◦ The JavaScript engine should be “sandboxed”, but bugs in the engine (or in the browser code it calls into) can potentially allow code to ‘escape’ into the system at large.
Mobile Malware
In the US, mobile phone infection rate remains low – why?
◦ App stores
◦ Though apps that show intrusive advertisements (adware) are exceedingly common

Shows the flexibility/security tradeoff

Multimedia messaging (MMS) is a potential infection vector for smartphones.
◦ Complex code that automatically runs to display a multimedia message could have exploitable bugs.
Stagefright
“Arguably the most serious security flaw ever to hit Android” (Techworld)
Critical flaws discovered in Android media library “libstagefright”
Proof-of-concept exploit generates an MP4 media file that, when opened by the messaging app, will give the attacker a command shell
◦ Attacker can take pictures and listen to audio through the microphone
Android has a problem with security updates, since so many customized versions are deployed by carriers.
[Headline, Sep. 9 2015: “Attack code exploiting Android’s critical Stagefright bugs is now public” (Source: arstechnica.com)]
Propagation Methods Summary
Infected Content (“virus”)
Social Engineering (“trojan“)
Software Vulnerability Exploits (“worm”)

Today’s threats often display a combination of Trojan, Virus, and Worm attributes.
https://www.symantec.com/security_response/landing/threats.jsp
Malware Payloads
WHAT IT CAN DO
Payload Types
Data destruction
◦ Wiping out data

Information theft
◦ Backdoors, stealing passwords and credentials

Revenue-generating activity
◦ Adware
◦ Ad fraud (click fraud)
◦ Spambots
◦ Bitcoin mining

Opening system to further access


◦ Installer for botnets
Adware and Spyware
[Image: “Bonzi buddy”. Licensed under Fair use via Wikipedia – https://en.wikipedia.org/wiki/File:Bonzi_buddy.jpg#/media/File:Bonzi_buddy.jpg]

Many programs gain revenue for the creators by showing advertising within the application.
A more serious kind is adware that installs itself as a system service and displays advertisements in other programs and throughout the operating system.
Controversy was caused when (formerly) reputable shareware/freeware download sites began to “bundle” adware installers with their downloads.
◦ The “search assistant toolbar” was one of the most common types

Potential privacy issues caused by adware that gathers information from the user’s computer usage in order to display targeted ads – spyware
Ad fraud/click fraud
The other side of the online advertising economy is that advertisers pay the advertising hosting company for the number of times their ad is viewed or clicked on (“impressions”, “clicks”).
Malware can simulate viewing or clicking on online ads in order to fraudulently generate revenue for whoever hosts the ads (typically sites run by the malware operator).
◦ Note: this is click fraud; “clickjacking” strictly names a different attack, tricking a user into clicking a hidden element on a page.
Listed as the 2nd largest malware concern of 2016 (after ransomware) by Malwarebytes: https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf

Backdoors & Rootkits
OBTAINING FURTHER ACCESS
Backdoors
A backdoor is a secret entry point into a system, which allows the one who knows about it to gain access without going through the usual authentication procedure.

Backdoors can be built into software or opened by malware
◦ Malware backdoors typically implemented as a network service listening on a non-standard port.

Not all backdoors are bad
◦ Inserting a “developer mode” in software to aid in debugging during development is a common practice
◦ Forgetting to remove it in the release version is a big mistake!
◦ Unethical developers may insert a backdoor into software they develop, to provide themselves access to customer or company data, even after leaving the company
Rootkits
A rootkit is malware for providing system-level access to an attacker, which installs itself at a low level in the system.
Rootkits often intercept program calls to the OS (syscalls)
◦ Enables extensive information-gathering

Makes detection and removal extremely difficult: a rootkit can effectively “fool” anti-virus software, as it controls the data that is seen by the anti-virus.
[Figure: layering – User Programs on top, the Rootkit in between, the OS underneath]
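The Python script below is an added example (not from the slides, and not real rootkit code): it models the interception in one API call, the directory listing, and shows the classic counter-measure, a “cross-view” diff between what the hooked API returns and an independent enumeration of the same objects. The hook hides names with the $sys$ prefix, which is the prefix the Sony XCP software actually cloaked (the slide only says “cloaking”); os.scandir stands in for the raw file-system read that a real detector would do, and the files are created in a temporary directory.

```python
"""Added example: a toy hook on a directory-listing call and the cross-view
detection that finds what it hides (not from the slides)."""
import os
import tempfile

# The prefix Sony's XCP cloaked; used here as the toy rootkit's hiding rule.
CLOAK_PREFIX = "$sys$"


def install_listdir_hook(prefix=CLOAK_PREFIX):
    """Toy rootkit: every caller of os.listdir now gets a filtered view.
    Returns the genuine function so the hook can be removed again."""
    genuine = os.listdir

    def hooked_listdir(path="."):
        return [name for name in genuine(path) if not name.startswith(prefix)]

    os.listdir = hooked_listdir
    return genuine


def cross_view_diff(path):
    """Detector: compare the view user programs get from the (possibly hooked)
    API with an independent enumeration of the same directory. Anything the
    API 'forgot' is a hidden object. A real detector parses the raw file
    system; os.scandir stands in for that here."""
    api_view = set(os.listdir(path))
    raw_view = {entry.name for entry in os.scandir(path)}
    return sorted(raw_view - api_view)


def demo():
    """Create two files, hide one with the hook, then find it again.
    Returns (what the hooked listing shows, what cross-view recovered)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", CLOAK_PREFIX + "driver.sys"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("x")
        genuine = install_listdir_hook()
        try:
            visible = sorted(os.listdir(root))
            hidden = cross_view_diff(root)
        finally:
            os.listdir = genuine  # uninstall the hook before cleanup
    return visible, hidden


if __name__ == "__main__":
    print(demo())
```

The same idea scales to processes (hooked task list versus a walk of kernel structures) and network sockets; rootkit detectors such as the ones that exposed XCP are essentially cross-view diffs taken at several layers.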
The Sony XCP Rootkit (2005)
Distributed on audio CDs published by Sony to prevent copying (DRM)
When CD is inserted into Windows PC, EULA pops up.
If user accepts, installs a driver to intercept all system accesses to the CD
◦ Prevents all other software from playing or accessing the audio tracks on a Sony CD
◦ Employs cloaking to make processes invisible to task manager
◦ No visible means of uninstalling the software

After discovery by security researchers, a PR fiasco ensued


Virtual Machine Rootkits
Even lower-level access: run below the level of the operating system
Malware installs a VM hypervisor, so that the operating system itself becomes virtualized
Invisible to the OS – how can antivirus “look outside” the machine it’s running on?
Not a lot of these seen in the wild (that we know of)
[Figure: layering – OS on top, the Malicious Hypervisor in between, the Hardware underneath]
Defense against virtualization-based
rootkits
Need a secure boot process
◦ Maintain the integrity of the bootloader and low-level OS code
◦ Code signing mechanisms built into hardware, such as UEFI “Secure Boot”
Ransomware
ONE OF THE FASTEST-GROWING THREATS
Definition
Ransomware is a type of malicious software designed to block access to a computer system
and/or data until a sum of money is paid.

We’ll consider different categories of ransomware.

Non-encrypting ransomware –
“Scareware”
Scareware is a type of malware designed to trick users into purchasing bogus software or sending money
◦ Fake antivirus
◦ “FBI alerts”
Encrypting Ransomware
Actually encrypts user data to make it inaccessible.
Some types of ransomware can be broken and the files decrypted without paying, due to storing the secret key on the user’s own computer or a mistake in the implementation (e.g. a weak or reused key).
More carefully implemented kinds keep the decryption key only on the attacker’s side and are considered unbreakable without it.
WannaCry
The biggest ransomware attack of 2017, starting on May 12.
Exploited an SMBv1 vulnerability (MS17-010, the “EternalBlue” exploit) in unpatched Windows systems; most victims ran Windows 7.
Infected 230,000 computers in over 150 countries within the first day.
Affected many critical service sectors: England’s National Health Service, FedEx, …
Internet Hero: Marcus Hutchins, a 22-year-old web security researcher, discovered an effective kill switch by registering a domain name he found in the code of the ransomware (the malware stopped spreading once that domain resolved). This greatly slowed the spread of the infection.
Growth of Ransomware
“6 in 10 malware payloads were ransomware in Q1 2017.”

Possible cause: emergence of largely-anonymous online currencies (e.g. Bitcoin) has made it easier for ransomware authors to collect
Rise of “ransomware-as-a-service”, allowing technical novices to buy attacks
Source: https://blog.barkly.com/ransomware-statistics-2017
What is the best defense against ransomware?

Back up your data regularly to an external device – and keep that device disconnected when not backing up, since encrypting ransomware will also encrypt any backup drive or network share it can reach. Keep systems patched as well: WannaCry only hit machines missing a two-month-old update.


Botnet Review
Definition
A network of thousands of malware-infected machines, all under the centralized control of the attacker, is called a botnet
An infected machine is called a bot or zombie
Can be used to carry out further attacks, which are difficult to stop because of the distributed nature of the botnet
◦ How do you block an attack launched by thousands of machines with widely differing IP addresses from all over the globe?
Worm vs. Bot
Worms independently propagate and activate themselves, and have a fixed, built-in payload
Bot software receives commands from a central server (or network of servers) known as C & C (command-and-control) and thus can be used by humans to carry out a wide variety of attacks over a span of time
Botnet Command & Control using IRC
IRC = Internet Relay Chat: traditional protocol for forming group chatrooms
All bots join the room; the human operator types commands, which the bots listen to and carry out
Botnet Uses
Distributed denial-of-service (DDOS) attacks
Sending spam
Sniffing traffic to gather confidential data
Spreading new bots
Bitcoin mining
◦ Direct revenue generation

Click fraud
◦ Computer-generated clicks on web advertisements in order to generate money in pay-per-click advertising schemes

Manipulating online polls


Botnet Rental
In the underground economy, botnets can be rented for a certain amount of time or bandwidth
◦ To carry out, for instance, a spam or malware distribution campaign
Cutwail Botnet
Classic spam-sending botnet: not the most sophisticated but extremely widespread
Controlled up to 2 million computers in 2009
At peak, sent 74 billion spam emails per day
In 2010, researchers from UCSB and Ruhr University in Bochum, Germany, disabled 2/3 of
Cutwail’s control servers.
ZeroAccess Botnet
ZeroAccess
◦ Uses a peer-to-peer (P2P) command-and-control
scheme; prevents botnet from being taken down
by attacking a single server or set of servers
Botnet Takedowns
International law enforcement agencies (FBI, EC3) have collaborated to actively disrupt and shut down botnets, with several major successes.
2014: disruption of Gameover Zeus botnet: “Operation Tovar”
◦ Also a P2P botnet
◦ Used for banking fraud: Captures banking credentials and transmits them back to botnet administrators
◦ Used for distribution of CryptoLocker ransomware
◦ Disrupted by multi-national collaboration led by FBI
◦ Combination of legal and technical measures

Source: http://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
Malware Defenses
MALWARE-SPECIFIC DEFENSES
Why can there be no perfect defense against malware?
Because malware is just programs. If you stop everything that malware can do, you stop
everything that any program can do.
For this reason, one of the best defenses is user education.
◦ Help people be aware of what their devices are running.
User awareness-based defense against
potentially unsafe code
Dialog boxes to warn users about programs downloaded from internet

Increases user awareness of code trust issues


Useful for slowing the spread of malicious or infected software
Antivirus scanners
Traditionally a host-based method, meaning that it is run separately on each endpoint system
◦ But now antivirus runs on e.g., email servers, to scan attachments

Work by scanning files and checking for known viruses or malware, or detecting suspicious code patterns
Basic Scanning Techniques
Simplest: Signature-based scanning
◦ Detect a fixed bit pattern corresponding to the code of known malware

Heuristic scanning: Look for fragments of code often associated with malware
◦ Decryption/inflation routines
◦ Self-modifying code

Integrity checking
◦ Scanner separately stores a checksum (hash) of executable files on the system, then rechecks to detect modifications.
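The three techniques on this slide, run over constructed byte strings, as an added example (not from the slides and not any real AV engine’s code). The signature database, the sample “programs” and the entropy threshold are all assumptions made up for the example; the entropy heuristic stands in for the slide’s “decryption/inflation routine” check, since an encrypted or compressed body is what such a routine unpacks.

```python
"""Added example: signature, heuristic and integrity scanning over constructed
samples (not from the slides, not a real AV engine)."""
import hashlib
import math
import random
from collections import Counter

# Constructed signature database: name -> fixed byte pattern. A real database
# holds far longer patterns extracted from analysed samples.
SIGNATURES = {
    "Toy.Infector.A": b"\xeb\x1fTOY-INFECTOR-MARK",
}

# Constructed sample files: a clean program, an infected copy, and a
# packed/encrypted one whose bytes are indistinguishable from random data.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 500 + b"\xc3"
INFECTED_PROGRAM = CLEAN_PROGRAM + SIGNATURES["Toy.Infector.A"] + b"\xe9\x00\x00"
_rng = random.Random(2024)
PACKED_PROGRAM = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))


def signature_scan(data):
    """Simplest technique: look for the fixed bit patterns of known malware."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def shannon_entropy(data):
    """Bits of entropy per byte: near 0 for repetitive code, near 8 for
    encrypted or compressed data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_scan(data, entropy_threshold=7.0):
    """Flag code patterns often associated with malware. Here: a body whose
    entropy says it is encrypted or packed, i.e. it must carry its own
    decryption/inflation routine. The threshold is the example's assumption."""
    findings = []
    if shannon_entropy(data) > entropy_threshold:
        findings.append("high-entropy body: packed or encrypted payload")
    return findings


class IntegrityChecker:
    """Store a hash per executable at install time; later re-hash and report
    anything modified, added or removed."""

    def __init__(self, files):
        self.baseline = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

    def check(self, files):
        report = {}
        for name, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if name not in self.baseline:
                report[name] = "new"
            elif digest != self.baseline[name]:
                report[name] = "modified"
        for name in self.baseline.keys() - files.keys():
            report[name] = "missing"
        return report


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_PROGRAM), ("infected", INFECTED_PROGRAM), ("packed", PACKED_PROGRAM)):
        print(label, signature_scan(data), heuristic_scan(data), round(shannon_entropy(data), 2))
    checker = IntegrityChecker({"calc.exe": CLEAN_PROGRAM})
    print(checker.check({"calc.exe": INFECTED_PROGRAM}))
```

Note how each technique covers a gap in the others: the signature misses the packed sample, the entropy heuristic misses the infected one (its added bytes barely move the average), and only the integrity checker catches a change it has never seen a pattern for, which is why host scanners run all three.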
On-demand vs. real time scanning
On-demand scanning means that the anti-virus program is only run occasionally or at preset times, to scan for viruses on disk or in memory
◦ Up side: no performance penalty when the scan is not running
◦ Down side: no ability to catch malware as it enters the system perimeter

In real-time scanning, the antivirus remains resident in memory, and inserts hooks into the operating system to scan code as it enters the system perimeter
◦ File downloaded or extracted, program loaded
◦ Up side: can often catch malware before it can do any damage.
◦ Down side: may reduce system performance
Anti-anti-virus
Sophisticated viruses can employ various techniques to attempt to hide themselves from anti-virus software.
Encrypted virus: A portion of the virus creates a random encryption key and encrypts another portion of the virus, decrypting it in memory when the virus executes.
◦ Some part (the decryptor) has to remain unencrypted for the virus to run at all – so scanners target that part instead.

Stealth virus: General term for viruses that actively work to hide themselves, including use of rootkit techniques (intercepting system calls)
Polymorphic virus: each copy the virus makes of itself is slightly different
◦ If the change is small and/or predictable, the AV scanner can still detect it using pattern matching.

Metamorphic virus: more sophisticated version of polymorphic viruses; rewrites itself using multiple transformation techniques.
The increasing sophistication of viruses, and the response of antivirus software to detect them, produces a kind of “arms race”
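One round of that arms race, as an added example (not from the slides, and a model rather than real virus code): a “virus body” with a signature, an encrypted copy that picks a fresh one-byte XOR key so every copy looks different on disk, and the two scanner responses, signaturing the decryptor stub that must stay in the clear, and emulating the decryptor before scanning. The body text, stub marker and layout (stub marker | key | XOR-encrypted body) are all made up for the example.

```python
"""Added example: why an encrypted virus defeats a body signature and what the
scanner does about it (not from the slides; a model, not real virus code)."""
import random

# Constructed "virus body": the part that spreads and carries the payload.
VIRUS_BODY = b"[copy self to other files][wait for trigger][payload]"
# The decryptor must run first, in the clear; its loop code is identical in
# every copy. The marker stands in for that loop's machine code.
STUB_MAGIC = b"XORLOOP:"

SIGNATURES = {
    "virus-body": b"[copy self to other files]",
    "decryptor-stub": STUB_MAGIC,
}


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def make_encrypted_copy(rng):
    """Each copy picks a fresh key (never 0, which would leave the body in the
    clear), so the stored bytes of two copies differ.
    Layout assumed by this example: STUB_MAGIC | key byte | body XOR key."""
    key = rng.randrange(1, 256)
    return STUB_MAGIC + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def static_scan(sample):
    """Plain signature matching over the bytes as stored on disk."""
    return {name for name, pattern in SIGNATURES.items() if pattern in sample}


def emulate_and_scan(sample):
    """Scanner response: run the decryptor in a sandbox (here: interpret the
    stub ourselves), then scan the decrypted image as well."""
    found = static_scan(sample)
    if sample.startswith(STUB_MAGIC):
        key = sample[len(STUB_MAGIC)]
        decrypted = xor_bytes(sample[len(STUB_MAGIC) + 1:], key)
        found |= static_scan(decrypted)
    return found


if __name__ == "__main__":
    rng = random.Random()
    copy_a, copy_b = make_encrypted_copy(rng), make_encrypted_copy(rng)
    print("copies identical on disk:", copy_a == copy_b)
    print("static scan of encrypted copy:", static_scan(copy_a))
    print("emulate-then-scan:", emulate_and_scan(copy_a))
```

The polymorphic step the slide describes next is the attacker’s answer to the stub signature: vary the decryptor itself (equivalent instructions, junk insertions) so the stub no longer matches either, which pushes the scanner toward emulation and behaviour-based detection rather than longer pattern lists.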
Assignments
1. Read through Chapter 10 of the textbook
2. Homework 6, posted on Blackboard
3. Research Paper Discussion
