The Evolution of Malicious Agents
Lenny Zeltser (www.zeltser.com)
SANS Institute
Presented July 2000
Copyright (c) Lenny Zeltser. 2000.

Overview

Definition of Malicious Agents
- Computer program
- Operates on behalf of potential intruder
- Aids in attacking systems
- Viruses, worms, trojanized software

Goals of the Course
- Trace evolution of malicious agents
- Examine anatomy of advanced malicious agents based on key features of existing ones
- Develop an approach to assessing threats posed by malicious agents

Course Outline
- Rapidly spreading agents
- Spying agents
- Remotely controlled agents
- Coordinated attack agents
- Advanced malicious agents

Rapidly Spreading Agents

General Attributes
- Morris Worm and Melissa Virus
- Able to rapidly spread across the network
- Viruses infect other programs by explicitly copying themselves
- Worms self-propagate without the need for a host program

Key Features and Limitations
- Effectively infiltrate organizations despite many firewalls
- Effective replication mechanisms
- Limited control over propagation rates and target selection criteria

The Morris Worm
- Self-contained, self-propagating worm
- Overwhelmed the Internet in November of 1988 within hours of release
- Exploited known host access loopholes to replicate
- A program that "lived" on the Internet?

Propagation Techniques
- Non-standard command in sendmail
- Buffer overflow bug in fingerd
- Remote administration trust relationships of rexec and rsh
- Guessable user passwords
- Recursively infiltrated systems to replicate itself and reproduce further

Relevance to Advanced Agents
- Aggressive infiltration methods of the Morris Worm are still very effective
- For rapid propagation, program the agent to exploit common vulnerabilities

The Melissa Virus
- Microsoft Word-based macro virus
- Overwhelmed many Internet systems after the first weekend of release
- E-mailed itself to address book entries
- Propagated primarily via e-mail

Propagation Techniques
- Arrived as an e-mail attachment
- Message recipient had to open infected attachment to activate payload
- E-mailed itself to entries in Microsoft Outlook MAPI address books
- Recipients lowered guard when e-mail came from friends and colleagues

Relevance to Advanced Agents
- Penetrated firewalls via inbound e-mail
- Virus signatures could not be developed and applied in time
- For effective infiltration, program the agent to arrive via open inbound channels

Advanced Attributes Summary
- Propagate via open channels such as Web browsing or e-mail
- Once inside, replicate aggressively by exploiting known vulnerabilities
- Need to control replication rates, possibly by staying in touch with attacker

Spying Agents

General Attributes
- Caligula, Marker, and Groov viruses
- Transmit sensitive information from within organizations
- Infiltrate via open channels
- Use outbound connections for communications

Key Features and Limitations
- Can be used as reconnaissance probes
- Effective mechanism for communicating with authors despite many firewalls
- Currently the agent's behavior is limited to what was pre-programmed

The Caligula Virus
- Also known as W97M/Caligula
- Microsoft Word-based macro virus
- Discovered around January 1999
- Transmitted PGP secret keyring file to author

Espionage Tactics
- Used built-in ftp.exe command to transmit information to author
- Used outbound sessions for communications
- Bypassed many firewalls because connections were initiated from inside

The Marker Virus
- Also known as W97M/Marker
- Discovered around April 1999
- Recorded date and time of infection, plus victim's personal information
- Most likely developed by the CodeBreakers group

Espionage Tactics
- Implementation characteristics similar to Caligula
- Realization of a "bright future for espionage enabled viruses"
- Allowed study of relationships between people at the target organization
- Helpful for precisely targeting attacks

The Groov Virus
- Also known as W97M/Groov.a
- Discovered around May 1998
- Uploaded victim's network configuration to external site
- Attempted to overwhelm a vendor's site with network configuration reports

Espionage Tactics
- Used built-in ipconfig.exe command to get network information
- Used built-in ftp.exe for outbound transfer
- Helpful to get insider's view of the network
- Can be correlated with external scans

Relevance to Advanced Agents
- Use outbound traffic for communications
- Obtain personal and relationship information for precise targeting
- Obtain network information to help reconnaissance efforts

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather insider's perspective of infrastructure
- Need to remotely control agent's behavior

Remotely Controlled Agents

General Attributes
- Back Orifice and NetBus trojans
- Provide full control over victim's host
- Composed of client and server modules
- Server modules "infect" victim hosts
- Client modules send remote commands
- Infiltrate via open channels

Key Features and Limitations
- Server modules are very stealthy
- Level of control is thorough and expandable
- Client and server modules must be reunited before controlling
- Typically controlled via inbound traffic with respect to server modules

Back Orifice
- Original version released August 1998, updated July 1999
- Created by Cult of the Dead Cow
- Much functionality similar to standard remote administration tools
- Classification often depends on intended use

Native Capabilities
- Keystroke, video, audio capture
- File share management
- File and registry access
- Cached password retrieval
- Port redirection
- Process control
- Many other capabilities

Enhancement Capabilities
- Provides plug-in API support
- Communication channel encryption
- Server component location announcement via outbound IRC
- Many other capabilities

NetBus
- Original version released March 1998 to "have some fun with his/her friends"
- New version February 1999 marketed as "remote administration and spy tool"
- New version required physical access to install stealthy server component, but unofficial restriction-free versions exist

Remote Control Capabilities
- Functionality similar to Back Orifice
- Also supports plug-ins, but not as popular among developers as Back Orifice
- Primitively controls multiple server components from single client module, but not in parallel

Relevance to Advanced Agents
- Operate agents in stealthy mode to minimize chances of discovery
- Offer extensive remote controlling functionality
- Support enhancements to native features via plug-ins

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather insider's perspective of infrastructure

Advanced Attributes Summary (continued)
- Provide stealthy and extensible remote-control functionality
- Need to control multiple agents from a single point

Coordinated Attack Agents

General Attributes
- Trinoo and Tribe Flood Network
- Disrupt normal system functions via network floods
- Attacker can control several clients, each controlling multiple attack servers
- Networks scanned for vulnerabilities and attack agents are planted

Key Features and Limitations
- Client as well as server modules run on compromised machines
- Attacker further removed from target
- Agents typically beyond administrative control of single entity
- Single purpose, designed specifically for denial-of-service attacks

Trinoo
- Discovered on compromised Solaris systems in August 1999
- Initial testing dates back to June 1999
- First Windows version February 2000
- Attacks via UDP packet flood

Coordination Mechanisms
- Attacker connects to client module ("master") via telnet to specific port
- Warning issued if another connection attempt occurs during ongoing session
- Password-based access control for communication between all nodes

Coordination Mechanisms (continued)
- Master relays commands to server modules ("daemons") via proprietary text-based protocol over UDP
- For example, "do" command to master relayed as "aaa" command to daemons
- Attack terminated via timeout or "mdie" command to master ("die" to daemons)

Relevance to Advanced Agents
- Control of multiple agents in coordinated manner
- All traffic is inbound with respect to destination of particular communication
- Master to daemons channels can be disrupted by blocking high-numbered UDP ports

Tribe Flood Network
- Discovered around October 1999
- Similar to Trinoo in purpose and architecture
- Attacks via ICMP, UDP, and Smurf-style floods; offers back door to agent's host
- Client to server module communication via ICMP "echo reply" packets

Coordination Mechanisms
- Normally ICMP "echo reply" is generated in response to an "echo request" sent by the ping command
- Uses ICMP packet identifier field to specify commands
- Firewalls may accept ICMP "echo reply"
- Some network monitoring tools do not process ICMP traffic properly
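The defender's check for the channel described above, as an added example that is not part of the original slides: a small Python detector that parses IPv4/ICMP frames and flags echo replies for which no matching echo request was seen. A legitimate ping round trip is request then reply with the same identifier and sequence number and the addresses swapped; a command channel carried in echo replies produces replies nobody asked for, which is exactly what a monitoring tool that does not track ICMP state misses. The sample frames, addresses, identifiers and payloads below are constructed for the example (private and documentation address ranges, not real hosts).

```python
import socket
import struct
from typing import Dict, List, Optional, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(src: str, dst: str, icmp_type: int, ident: int,
                     seq: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 + ICMP echo packet. Used here only to construct sample traffic."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(frame: bytes) -> Optional[Dict]:
    """Return the echo fields of an IPv4 frame, or None if it is not ICMP echo traffic."""
    if len(frame) < 28 or (frame[0] >> 4) != 4 or frame[9] != IPPROTO_ICMP:
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "type": itype,
        "id": ident,
        "seq": seq,
        "payload": icmp[8:],
    }


def find_unsolicited_replies(frames: List[bytes]) -> List[Dict]:
    """Flag echo replies that do not answer an earlier echo request.

    Requests are remembered by (src, dst, id, seq); a reply is matched with the
    addresses swapped. Replies without a match are how an echo-reply command
    channel looks on the wire, regardless of what the identifier field carries.
    """
    outstanding: Set[Tuple[str, str, int, int]] = set()
    alerts: List[Dict] = []
    for frame in frames:
        pkt = parse_icmp(frame)
        if pkt is None:
            continue
        if pkt["type"] == ICMP_ECHO_REQUEST:
            outstanding.add((pkt["src"], pkt["dst"], pkt["id"], pkt["seq"]))
        else:
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
            if key in outstanding:
                outstanding.discard(key)  # normal ping round trip
            else:
                alerts.append({"src": pkt["src"], "dst": pkt["dst"],
                               "id": pkt["id"], "seq": pkt["seq"],
                               "payload_len": len(pkt["payload"])})
    return alerts


# Constructed sample traffic: one normal ping round trip, then a reply with no
# preceding request (all values, including the identifier 0x0159, are made up).
SAMPLE_FRAMES = [
    build_icmp_frame("10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0x1234, 1, b"ping"),
    build_icmp_frame("10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 1, b"ping"),
    build_icmp_frame("198.51.100.7", "10.0.0.9", ICMP_ECHO_REPLY, 0x0159, 0, b"constructed"),
]

if __name__ == "__main__":
    for alert in find_unsolicited_replies(SAMPLE_FRAMES):
        print("unsolicited echo reply:", alert)
```

The check deliberately does not depend on particular identifier values: keying on request/reply state catches any echo-reply channel, and it also flags asymmetric routing or replies that arrive after the request was aged out, so in production the outstanding set needs a timeout and the alert needs a threshold rather than firing on a single packet.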

Relevance to Advanced Agents
- Control of multiple agents in coordinated manner
- Exploit protocols by violating specifications
- Follow specifications, but use protocols in unexpected ways
- This forms the basis of many attacks

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather insider's perspective of infrastructure

Advanced Attributes Summary (continued)
- Provide stealthy and extensible remote controlling functionality
- Control multiple agents in coordinated manner
- Employ covert techniques for communication
- These attributes can be used to assess threat level of a particular agent

Advanced Malicious Agents

General Attributes
- RingZero Trojan, Samhain Worm
- Combine key features of other agents
- Offer attacker tight control over agent's actions
- Difficult to defend against without proper infrastructure and resources

The RingZero Trojan
- Activity reports around September 1999
- Sightings in August 1999 of e-mail messages with a "really class program"
- Several variants of trojanized program attachments
- Agent scanned for Web proxy servers
- Attributes rarely seen in a single agent

Observed Behavior
- Detailed analysis October 1999
- Scanned for Web proxy servers via connection attempts to known ports
- Proxy servers typically access Web resources on user's behalf
- Used the discovered server to report the server's existence to an external site

Observed Behavior (continued)
- Retrieved encoded/encrypted file from two external sites
- Sent mass mailing to ICQ users from spoofed address
- Encouraged recipients to visit the "Biggest Proxy List" on external site

Relevance to Advanced Agents
- Propagated via open channels
- Outbound traffic for communications
- View from internal network
- Stealthy remote control capabilities
- Operated in distributed manner

Room for Improvement
- Analysis based on single data file
- Not especially malicious, though some reports of password stealing variants
- No specific firewall bypassing attributes
- No aggressive vulnerability exploitation
- Louder than it needs to be

The Samhain Worm
- Written winter 1998-1999, announced on Bugtraq May 2000, never released
- Research prototype of a "deadly harmful Internet worm"
- Defined alternative set of characteristics desired of advanced agents

Desired Characteristics
- Portability for target OS independence
- Invisibility for stealth operation
- Autonomy for automatic spread via built-in exploit database
- Polymorphism to avoid detection

Desired Characteristics (continued)
- Learning for obtaining new techniques via central communication channel
- Integrity to prevent modification or destruction
- Awareness of mission objective to perform specific tasks and cease activity

Key Implementation Details
- Uses "wormnet" to get programs and updates for target platform
- Supports controlled broadcasting of requests to wormnet members
- Family tree passed from parent to child, used to control broadcasts via maximum number of wormnet hops

Key Implementation Details (continued)
- Uses polymorphic engine and encryption to avoid constant strings
- Intercepts system calls when root, as well as other techniques to hide
- Uses exploits unknown at the time, sorted by scope and effectiveness
- Victims chosen via active connection monitoring and qualifying attributes

Relevance to Advanced Agents
- Detailed design and implementation details, plus code fragments, provided
- Gradual attack approach: propagate "harmlessly," then update
- Designed specifically to maximize potential harm and difficulty of eradication

Threat of Malicious Agents

Advanced Agents
- Advanced agents are especially dangerous because of features combined into a single package
- Stealth operation, firewall traversal, and coordination are particularly powerful
- Feature sets and experimental nature of agents suggest active development

Assessing the Threat
- Defense techniques depend on priorities and technologies of the organization
- Use a structured framework to assess threat of particular agents
- Analyze extent of "advanced" attributes, assign weight, react appropriately
Malicious Agents Attributes
- Matrix summarizes key attributes of agents in terms of presented framework
- The Samhain Worm is not included because of slightly different feature set
- Refer to earlier slides for discussion of items in the matrix
- Use for future reference

Attribute                                 | Morris Worm | Melissa Virus | Marker Virus | Caligula Virus | Groov Virus | Back Orifice | NetBus | Trinoo | TFN    | RingZero
Aggressive self-propagation               | Yes         | No            | No           | No             | No          | No           | No     | No     | No     | Possibly
Propagation despite firewalls             | Yes         | Yes           | Yes          | Yes            | Yes         | Yes          | Yes    | Partly | Partly | Yes
Aggressive attack when no firewalls       | (see note)  |               |              |                |             |              |        |        |        |
Aggressive attack despite firewalls       | (see note)  |               |              |                |             |              |        |        |        |
Revealing confidential information        | No          | No            | Yes          | Yes            | Yes         | Yes          | Yes    | No     | No     | Yes
Remotely controlled when no firewalls     | No          | No            | No           | No             | No          | Yes          | Yes    | Yes    | Yes    | Yes
Remotely controlled despite firewalls     | No          | No            | No           | No             | No          | No           | No     | No     | No     | Yes
Acting in coordinated distributed fashion | No          | No            | No           | No             | No          | No           | No     | Yes    | Yes    | Yes

Note: the cells of the two "Aggressive attack" rows survive only out of column order in the extracted text and cannot be assigned to agents; as extracted they read: Yes, Partly (DoS), No, No, Partly (DoS), Yes, Yes, Yes, Yes, Possibly, No, Partly (DoS), No, No, Partly (DoS), No, No, Partly (DoS), Partly (DoS), Possibly.
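The structured assessment prescribed on the "Assessing the Threat" slide, as an added worked example that is not part of the original deck: the six matrix rows whose cells are legible are encoded in the deck's column order, each Yes/Partly/Possibly/No cell is scored, attribute weights are applied, and the weighted fraction is mapped to a response tier. The weights, the half-credit given to "Partly" and "Possibly", and the tier thresholds are assumptions chosen for illustration, not values from the slides; the two "Aggressive attack" rows are left out because their cells cannot be read in column order from the extracted text.

```python
from typing import Dict, List, Tuple

# Assumed scoring of matrix cells: a confirmed capability counts fully, a partial
# or unconfirmed one counts half, so that "Possibly" is not silently treated as "No".
CELL_SCORE: Dict[str, float] = {"Yes": 1.0, "Partly": 0.5, "Possibly": 0.5, "No": 0.0}

# Assumed weights. The deck singles out firewall traversal, stealthy control and
# coordination as particularly powerful, so those attributes weigh more.
ATTRIBUTE_WEIGHTS: Dict[str, int] = {
    "Aggressive self-propagation": 2,
    "Propagation despite firewalls": 3,
    "Revealing confidential information": 2,
    "Remotely controlled when no firewalls": 2,
    "Remotely controlled despite firewalls": 3,
    "Acting in coordinated distributed fashion": 3,
}

# Column order of the deck's matrix.
AGENTS: List[str] = ["Morris Worm", "Melissa Virus", "Marker Virus", "Caligula Virus",
                     "Groov Virus", "Back Orifice", "NetBus", "Trinoo", "TFN", "RingZero"]

# The six matrix rows whose cells are legible in the deck, one value per agent.
MATRIX: Dict[str, List[str]] = {
    "Aggressive self-propagation":
        ["Yes", "No", "No", "No", "No", "No", "No", "No", "No", "Possibly"],
    "Propagation despite firewalls":
        ["Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Partly", "Partly", "Yes"],
    "Revealing confidential information":
        ["No", "No", "Yes", "Yes", "Yes", "Yes", "Yes", "No", "No", "Yes"],
    "Remotely controlled when no firewalls":
        ["No", "No", "No", "No", "No", "Yes", "Yes", "Yes", "Yes", "Yes"],
    "Remotely controlled despite firewalls":
        ["No", "No", "No", "No", "No", "No", "No", "No", "No", "Yes"],
    "Acting in coordinated distributed fashion":
        ["No", "No", "No", "No", "No", "No", "No", "Yes", "Yes", "Yes"],
}


def threat_score(agent: str) -> float:
    """Weighted fraction (0.0 to 1.0) of the 'advanced' attributes an agent exhibits."""
    col = AGENTS.index(agent)
    total_weight = sum(ATTRIBUTE_WEIGHTS.values())
    earned = sum(CELL_SCORE[MATRIX[attr][col]] * weight
                 for attr, weight in ATTRIBUTE_WEIGHTS.items())
    return earned / total_weight


def reaction(score: float) -> str:
    """Map a score to a response tier. Thresholds are assumed for this example."""
    if score >= 0.75:
        return "escalate: treat as advanced agent; assume stealth and firewall traversal"
    if score >= 0.4:
        return "contain: isolate affected hosts, block its outbound channels, look for peers"
    return "monitor: standard signature update and cleanup"


def rank_agents() -> List[Tuple[str, float]]:
    """All agents ordered from highest to lowest threat score (ties broken by name)."""
    return sorted(((a, threat_score(a)) for a in AGENTS), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for name, score in rank_agents():
        print(f"{name:15s} {score:.2f}  {reaction(score)}")
```

Because the score is a weighted fraction, the ranking moves with the weights; the value of the exercise is that an organization records its own weights once (for example, a higher weight on firewall traversal where the perimeter is the main control) and then measures every new agent against the same rubric instead of reacting to each one ad hoc.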

The End
See http://www.zeltser.com/ for electronic copies of this material