Copyright (c) Lenny Zeltser. 2000.

The Evolution of Malicious Agents

Lenny Zeltser (www.zeltser.com)
SANS Institute
Presented July 2000

Overview

Definition of Malicious Agents

- Computer program
- Operates on behalf of a potential intruder
- Aids in attacking systems
- Viruses, worms, trojanized software

Goals of the Course

- Trace the evolution of malicious agents
- Examine the anatomy of advanced malicious agents based on key features of existing ones
- Develop an approach to assessing threats posed by malicious agents

Course Outline

- Rapidly spreading agents
- Spying agents
- Remotely controlled agents
- Coordinated attack agents
- Advanced malicious agents

Rapidly Spreading Agents

General Attributes

- Morris Worm and Melissa Virus
- Able to rapidly spread across the network
- Viruses infect other programs by explicitly copying themselves
- Worms self-propagate without the need for a host program

Key Features and Limitations

- Effectively infiltrate organizations despite many firewalls
- Effective replication mechanisms
- Limited control over propagation rates and target selection criteria

The Morris Worm

- Self-contained, self-propagating worm
- Overwhelmed the Internet in November of 1988 within hours of release
- Exploited known host access loopholes to replicate
- A program that “lived” on the Internet?

Propagation Techniques

- Non-standard command in sendmail
- Buffer overflow bug in fingerd
- Remote administration trust relationships of rexec and rsh
- Guessable user passwords
- Recursively infiltrated systems to replicate itself and reproduce further

Relevance to Advanced Agents

- Aggressive infiltration methods of the Morris Worm are still very effective
- For rapid propagation, program the agent to exploit common vulnerabilities

The Melissa Virus

- Microsoft Word-based macro virus
- Overwhelmed many Internet systems after the first weekend of release
- E-mailed itself to address book entries
- Propagated primarily via e-mail

Propagation Techniques

- Arrived as an e-mail attachment
- Message recipient had to open the infected attachment to activate the payload
- E-mailed itself to entries in Microsoft Outlook MAPI address books
- Recipients lowered their guard when e-mail came from friends and colleagues

Relevance to Advanced Agents

- Penetrated firewalls via inbound e-mail
- Virus signatures could not be developed and applied in time
- For effective infiltration, program the agent to arrive via open inbound channels

Advanced Attributes Summary

- Propagate via open channels such as Web browsing or e-mail
- Once inside, replicate aggressively by exploiting known vulnerabilities
- Need to control replication rates, possibly by staying in touch with the attacker

Spying Agents

General Attributes

- Caligula, Marker, and Groov viruses
- Transmit sensitive information from within organizations
- Infiltrate via open channels
- Use outbound connections for communications

Key Features and Limitations

- Can be used as reconnaissance probes
- Effective mechanism for communicating with authors despite many firewalls
- Currently the agent’s behavior is limited to what was pre-programmed

The Caligula Virus

- Also known as W97M/Caligula
- Microsoft Word-based macro virus
- Discovered around January 1999
- Transmitted the PGP secret keyring file to the author

Espionage Tactics

- Used the built-in ftp.exe command to transmit information to the author
- Used outbound sessions for communications
- Bypassed many firewalls because connections were initiated from inside

The Marker Virus

- Also known as W97M/Marker
- Discovered around April 1999
- Recorded date and time of infection, plus the victim’s personal information
- Most likely developed by the CodeBreakers group

Espionage Tactics

- Implementation characteristics similar to Caligula
- Realization of a “bright future for espionage enabled viruses”
- Allowed the author to study relationships between people at the target organization
- Helpful for precisely targeting attacks

The Groov Virus

- Also known as W97M/Groov.a
- Discovered around May 1998
- Uploaded the victim’s network configuration to an external site
- Attempted to overwhelm a vendor’s site with network configuration reports

Espionage Tactics

- Used the built-in ipconfig.exe command to get network information
- Used the built-in ftp.exe for outbound transfer
- Helpful for getting an insider’s view of the network
- Can be correlated with external scans

Relevance to Advanced Agents

- Use outbound traffic for communications
- Obtain personal and relationship information for precise targeting
- Obtain network information to help reconnaissance efforts

Advanced Attributes Summary

- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider’s perspective of the infrastructure
- Need to remotely control the agent’s behavior

Remotely Controlled Agents

General Attributes

- Back Orifice and NetBus trojans
- Provide full control over the victim’s host
- Comprised of client and server modules
- Server modules “infect” victim hosts
- Client modules send remote commands
- Infiltrate via open channels

Key Features and Limitations

- Server modules are very stealthy
- Level of control is thorough and expandable
- Client and server modules must be reunited before controlling
- Typically controlled via inbound traffic with respect to server modules

Back Orifice

- Original version released August 1998, updated July 1999
- Created by Cult of the Dead Cow
- Much functionality similar to standard remote administration tools
- Classification often depends on intended use

Native Capabilities

- Keystroke, video, audio capture
- File share management
- File and registry access
- Cached password retrieval
- Port redirection
- Process control
- Many other capabilities

Enhancement Capabilities

- Provides plug-in API support
- Communication channel encryption
- Server component location announcement via outbound IRC
- Many other capabilities

NetBus

- Original version released March 1998 to “have some fun with his/her friends”
- New version February 1999 marketed as a “remote administration and spy tool”
- New version required physical access to install the stealthy server component, but unofficial restriction-free versions exist

Remote Control Capabilities

- Functionality similar to Back Orifice
- Also supports plug-ins, but not as popular among developers as Back Orifice
- Primitively controls multiple server components from a single client module, but not in parallel

Relevance to Advanced Agents

- Operate agents in stealthy mode to minimize chances of discovery
- Offer extensive remote controlling functionality
- Support enhancements to native features via plug-ins

Advanced Attributes Summary

- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider’s perspective of the infrastructure

Advanced Attributes Summary

- Provide stealthy and extensible remote-control functionality
- Need to control multiple agents from a single point

Coordinated Attack Agents

General Attributes

- Trinoo and Tribe Flood Network
- Disrupt normal system functions via network floods
- Attacker can control several clients, each controlling multiple attack servers
- Networks are scanned for vulnerabilities and attack agents are planted

Key Features and Limitations

- Client as well as server modules run on compromised machines
- Attacker is further removed from the target
- Agents typically beyond administrative control of a single entity
- Single purpose, designed specifically for denial-of-service attacks

Trinoo

- Discovered on compromised Solaris systems in August 1999
- Initial testing dates back to June 1999
- First Windows version February 2000
- Attacks via UDP packet flood

Coordination Mechanisms

- Attacker connects to the client module (“master”) via telnet to a specific port
- Warning issued if another connection is attempted during an ongoing session
- Password-based access control for communication between all nodes

Coordination Mechanisms

- Master relays commands to server modules (“daemons”) via a proprietary text-based protocol over UDP
- For example, the “do” command to the master is relayed as the “aaa” command to daemons
- Attack terminated via timeout or the “mdie” command to the master (“die” to daemons)

Relevance to Advanced Agents

- Control of multiple agents in a coordinated manner
- All traffic is inbound with respect to the destination of a particular communication
- Master-to-daemon channels can be disrupted by blocking high-numbered UDP ports

Tribe Flood Network

- Discovered around October 1999
- Similar to Trinoo in purpose and architecture
- Attacks via ICMP, UDP, and Smurf-style floods; offers a back door to the agent’s host
- Client to server module communication via ICMP “echo reply” packets

Coordination Mechanisms

- Normally an ICMP “echo reply” is generated in response to an “echo request” from the ping command
- Uses the ICMP packet identifier field to specify commands
- Firewalls may accept ICMP “echo reply”
- Some network monitoring tools do not process ICMP traffic properly
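The defensive counterpart to the slide above is to correlate echo replies with echo requests: a reply that answers no observed request is exactly what a TFN-style control channel looks like on the wire. The following is an added example, not code from the presentation; the packet records are constructed inline, and the identifier value used for the unsolicited reply is an arbitrary placeholder, not a TFN command value.

```python
"""Flag ICMP echo replies that answer no observed echo request.
Added example for the TFN coordination slide; sample packets are constructed."""
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    ident: int       # identifier field: the one TFN reused to carry commands
    seq: int
    payload: bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Assemble an echo request/reply: type, code, checksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(src: str, dst: str, raw: bytes) -> IcmpRecord:
    """Parse the 8-byte ICMP echo header (RFC 792) and verify its checksum."""
    if len(raw) < 8:
        raise ValueError("ICMP header too short")
    if icmp_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    return IcmpRecord(src, dst, icmp_type, ident, seq, raw[8:])


def find_unsolicited_replies(records):
    """Return echo replies with no matching earlier request.
    A reply is solicited only if a request was seen flowing the other way with
    the same identifier and sequence number. Replies to broadcast pings or to
    requests that left via another tap also land here: treat hits as leads."""
    outstanding = set()
    alerts = []
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            outstanding.add((r.src, r.dst, r.ident, r.seq))
            continue
        key = (r.dst, r.src, r.ident, r.seq)   # request direction reversed
        if key in outstanding:
            outstanding.discard(key)
        else:
            alerts.append(r)
    return alerts


# Constructed sample traffic: one normal ping exchange, then a reply that no
# host on the monitored network asked for (placeholder identifier 456).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.9", build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")),
    ("10.0.0.9", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")),
    ("203.0.113.7", "10.0.0.9", build_echo(ICMP_ECHO_REPLY, 456, 0)),
]


def demo():
    """Parse the constructed traffic and return the unsolicited replies."""
    records = [parse_icmp(s, d, raw) for s, d, raw in SAMPLE_TRAFFIC]
    return find_unsolicited_replies(records)
```

On a real sensor the same matching runs per monitored subnet, with the request table aged out after a few seconds so a late reply is not mistaken for a control message.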

Relevance to Advanced Agents

- Control of multiple agents in a coordinated manner
- Exploit protocols by violating specifications
- Follow specifications, but use protocols in unexpected ways
- This forms the basis of many attacks

Advanced Attributes Summary

- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider’s perspective of the infrastructure

Advanced Attributes Summary

- Provide stealthy and extensible remote controlling functionality
- Control multiple agents in a coordinated manner
- Employ covert techniques for communication
- These attributes can be used to assess the threat level of a particular agent

Advanced Malicious Agents

General Attributes

- RingZero Trojan, Samhain Worm
- Combine key features of other agents
- Offer the attacker tight control over the agent’s actions
- Difficult to defend against without proper infrastructure and resources

The RingZero Trojan

- Activity reports around September 1999
- Sightings in August 1999 of e-mail messages with a “really class program”
- Several variants of trojanized program attachments
- Agent scanned for Web proxy servers
- Attributes rarely seen in a single agent

Observed Behavior

- Detailed analysis October 1999
- Scanned for Web proxy servers via connection attempts to known ports
- Proxy servers typically access Web resources on the user’s behalf
- Used the discovered server to report the server’s existence to an external site

Observed Behavior

- Retrieved an encoded/encrypted file from two external sites
- Sent a mass mailing to ICQ users from a spoofed address
- Encouraged recipients to visit the “Biggest Proxy List” on an external site

Relevance to Advanced Agents

- Propagated via open channels
- Outbound traffic for communications
- View from the internal network
- Stealthy remote control capabilities
- Operated in a distributed manner

Room for improvement

- Analysis based on a single data file
- Not especially malicious, though there are some reports of password-stealing variants
- No specific firewall-bypassing attributes
- No aggressive vulnerability exploitation
- Louder than it needs to be

The Samhain Worm

- Written winter 1998-1999, announced on Bugtraq May 2000, never released
- Research prototype of a “deadly harmful Internet worm”
- Defined an alternative set of characteristics desired of advanced agents

Desired Characteristics

- Portability for target OS independence
- Invisibility for stealth operation
- Autonomy for automatic spread via a built-in exploit database
- Polymorphism to avoid detection

Desired Characteristics

- Learning for obtaining new techniques via a central communication channel
- Integrity to prevent modification or destruction
- Awareness of mission objective to perform specific tasks and cease activity

Key Implementation Details

- Uses a “wormnet” to get programs and updates for the target platform
- Supports controlled broadcasting of requests to wormnet members
- Family tree passed from parent to child, used to control broadcasts via a maximum number of wormnet hops

Key Implementation Details

- Uses a polymorphic engine and encryption to avoid constant strings
- Intercepts system calls when root, as well as other techniques to hide
- Uses exploits unknown at the time, sorted by scope and effectiveness
- Victims chosen via active connection monitoring and qualifying attributes

Relevance to Advanced Agents

- Detailed design and implementation details, plus code fragments, provided
- Gradual attack approach suggests propagating “harmlessly,” then updating
- Designed specifically to maximize potential harm and difficulty of eradication

Threat of Malicious Agents

Advanced Agents

- Advanced agents are especially dangerous because of the features combined into a single package
- Stealth operation, firewall traversal, and coordination are particularly powerful
- Feature sets and the experimental nature of agents suggest active development

Assessing the Threat

- Defense techniques depend on the priorities and technologies of the organization
- Use a structured framework to assess the threat of particular agents
- Analyze the extent of “advanced” attributes, assign weight, react appropriately

Malicious Agents Attributes

- Matrix summarizes key attributes of agents in terms of the presented framework
- The Samhain Worm is not included because of its slightly different feature set
- Refer to earlier slides for discussion of items in the matrix
- Use for future reference


| Attribute | Morris Worm | Melissa Virus | Marker Virus | Caligula Virus | Groov Virus | Back Orifice | NetBus | Trinoo | TFN | RingZero |
|---|---|---|---|---|---|---|---|---|---|---|
| Aggressive self-propagation | Yes | No | No | No | No | No | No | No | No | Possibly |
| Propagation despite firewalls | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Partly | Partly | Yes |
| Aggressive attack when no firewalls | Yes | Partly (DoS) | No | No | Partly (DoS) | Yes | Yes | Yes | Yes | Possibly |
| Aggressive attack despite firewalls | No | Partly (DoS) | No | No | Partly (DoS) | No | No | Partly (DoS) | Partly (DoS) | Possibly |
| Revealing confidential information | No | No | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
| Remotely controlled when no firewalls | No | No | No | No | No | Yes | Yes | Yes | Yes | Yes |
| Remotely controlled despite firewalls | No | No | No | No | No | No | No | No | No | Yes |
| Acting in coordinated distributed fashion | No | No | No | No | No | No | No | Yes | Yes | Yes |
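The "Assessing the Threat" slide says to analyze the extent of advanced attributes, assign weight, and react appropriately; the following is an added example (not from the presentation) that carries that framework through over the matrix above. The weights, the Yes/Partly/Possibly/No scale, and the response-tier cut-offs are assumptions chosen here for illustration, not values from the slides.

```python
"""Weighted threat scoring over the attribute matrix. Added example; the
weights, rating scale and tier cut-offs are assumptions, not from the slides."""

ATTRIBUTES = [
    "Aggressive self-propagation",
    "Propagation despite firewalls",
    "Aggressive attack when no firewalls",
    "Aggressive attack despite firewalls",
    "Revealing confidential information",
    "Remotely controlled when no firewalls",
    "Remotely controlled despite firewalls",
    "Acting in coordinated distributed fashion",
]

# Assumed weights: firewall traversal and coordination get the heaviest
# weights because the slides single them out as particularly powerful.
WEIGHTS = {
    "Aggressive self-propagation": 2,
    "Propagation despite firewalls": 3,
    "Aggressive attack when no firewalls": 1,
    "Aggressive attack despite firewalls": 3,
    "Revealing confidential information": 2,
    "Remotely controlled when no firewalls": 1,
    "Remotely controlled despite firewalls": 3,
    "Acting in coordinated distributed fashion": 3,
}

# Assumed scale: a hedged rating counts for half of a definite one.
RATING_VALUE = {"Yes": 1.0, "Partly": 0.5, "Partly (DoS)": 0.5,
                "Possibly": 0.5, "No": 0.0}

# Matrix rows transcribed from the slide, in ATTRIBUTES order.
MATRIX = {
    "Morris Worm":    ["Yes", "Yes", "Yes", "No", "No", "No", "No", "No"],
    "Melissa Virus":  ["No", "Yes", "Partly (DoS)", "Partly (DoS)", "No", "No", "No", "No"],
    "Marker Virus":   ["No", "Yes", "No", "No", "Yes", "No", "No", "No"],
    "Caligula Virus": ["No", "Yes", "No", "No", "Yes", "No", "No", "No"],
    "Groov Virus":    ["No", "Yes", "Partly (DoS)", "Partly (DoS)", "Yes", "No", "No", "No"],
    "Back Orifice":   ["No", "Yes", "Yes", "No", "Yes", "Yes", "No", "No"],
    "NetBus":         ["No", "Yes", "Yes", "No", "Yes", "Yes", "No", "No"],
    "Trinoo":         ["No", "Partly", "Yes", "Partly (DoS)", "No", "Yes", "No", "Yes"],
    "TFN":            ["No", "Partly", "Yes", "Partly (DoS)", "No", "Yes", "No", "Yes"],
    "RingZero":       ["Possibly", "Yes", "Possibly", "Possibly", "Yes", "Yes", "Yes", "Yes"],
}

MAX_SCORE = float(sum(WEIGHTS.values()))


def threat_score(ratings, weights=WEIGHTS):
    """Weighted sum of an agent's ratings over all eight attributes."""
    if len(ratings) != len(ATTRIBUTES):
        raise ValueError("one rating per attribute expected")
    return sum(weights[a] * RATING_VALUE[r] for a, r in zip(ATTRIBUTES, ratings))


def response_tier(score):
    """Map a score to a response tier; the cut-offs are assumed, tune per organization."""
    share = score / MAX_SCORE
    if share >= 2 / 3:
        return "high"
    if share >= 1 / 3:
        return "medium"
    return "low"


def rank_agents(matrix=MATRIX, weights=WEIGHTS):
    """Agents as (name, score, tier), sorted from highest to lowest score."""
    scored = [(name, threat_score(r, weights), response_tier(threat_score(r, weights)))
              for name, r in matrix.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

With these assumed weights RingZero, the only agent rated on every row, ranks first, which matches the slides' point that combining features into one package is what makes an agent dangerous.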

The End

See http://www.zeltser.com/ for electronic copies of this material