Malware (MALicious softWARE) Malware...

CS342 Computer Security Department of Computer Science Wellesley College

Viruses and Worms

Thrursday, November 20, 2014 Sources: see final slide

Goals

o  Introduction to malware taxonomy

o  Appreciating the evolution of viruses Encryption, polymorphism, metamorphism

o  General Anti-Virus (AV) detection techniques

o  Understanding the arms race between virus writers and anti-virus detectors.

o  Appreciate that: if you take your time, use a few patterns, and use many levels of indirection, you are very hard to beat

22-2 Viruses and Worms

Malware (MALicious softWARE)

o  A generic term increasingly being used to describe any form of malicious software like: viruses, worms, Trojan horses, rootkits, spyware,

malicious mobile code, backdoors, dialers, ransomware

o  Combinations are common Some malware are actually combinations of more basic malware (e.g., a rootkit can be viewed as Trojan horse backdoor tool)

o  Broadly classified according to: •  Infection technique: �how does it propagate?�

•  Impact on target: �what does it do?�

•  Type of exploited vulnerability: � How (by violating which assumption) did it get in?�


Malware Taxonomy

22-4

Type Characteristics

Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware.

Worm Self-replicating code that spreads across a network. Usually does not require human interaction to spread.

Rabbit Virus or worm that multiplies without bound

Trojan Horse Disguises itself as a useful program while masking hidden malicious purpose.

Backdoor/Trapdoor Bypasses normal security controls to give attacker access

User-level Rootkit Replaces or modifies executable programs used by system administrators and users

Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors

Spyware Monitors user interaction and collects information (e.g., via keylogger)

Logic Bomb Dormant malicious code triggered by date or event.

Easter Egg Cute but harmless behavior triggered by special input.

Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. Typically written in Javascript, VBScript, Java, or ActiveX

Combination Malware Combines techniques to increase effectiveness

Viruses and Worms

Malware evolution

22-5

Themes: o  Increasing complexity/sophistication o  Acceleration of rate of

tool/technique release o  Movement from viruses -> worms

-> kernel level exploits

Figure from Skoudis Malware, p.16.

Viruses and Worms

Virus Basics o  Frederick B. Cohen�s definition:

A virus is a program that can �infect� other programs by modifying them to include a, possibly evolved, version of itself.

o  Virus = code that attaches itself to host programs and runs when host program executes. Running the host program usually requires user intervention.

o  Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs. •  Self-replicating mutating code is a cornerstone of artificial life

research.

o  A virus needs a target location method to find other hosts.

o  A running virus may also execute a payload = mischievous or malicious action.


How do Viruses Spread?

22-7

Uninfected program owned by user 2

Infected program owned by user 1

virus v



virus v virus v�

User 2 simply executes user 1�s infected program. Unlike buffer overflow, setuid not necessary!

Viruses and Worms

Highly Destructive Malicious Viruses

o  Delete all/many files. Michelangelo virus deleted a partition on Michelangelo�s birthday.

o  Consume resources (processor, memory, bandwidth …) ⇒ denial of service.

o  Such viruses can have trouble spreading. Why is Ebola relatively uncommon in apes/humans (at least until 2014 …)


Somewhat Destructive Malicious Viruses o  Install backdoors for botnots, other attacks. o  Data-diddling: modify one bit of randomly selected file, swap digits

in phone numbers, spreadsheets, etc. (hard to track to virus). o  Wazzu virus: randomly scramble words and insert �wazzu� o  Typo virus: introduce typing errors for fast typists. o  Random deletion: delete randomly chosen file not recently

accessed. o  Protection changing: change ownership and protection bits on files. o  Executive error virus: underling installs virus that makes

supervisor incompetent. o  Covert channel virus: in confidentiality lattice, unclassified user

introduces virus to copy secret information through covert channel.

o  Ken Thompson, Reflections on Trusting Trust: insert login Trojan into C compiler object code that can�t be detected in source!


Nondestructive Viruses Many viruses spread without doing damage, but can still be

annoying or do accidental damage.

o  Elk Cloner: first microcomputer virus (Apple II) displayed poem: ELK CLONER: THE PROGRAM WITH A PERSONALITY

IT WILL GET ON ALL YOUR DISKS IT WILL INFILTRATE YOUR CHIPS YES IT�S CLONER IT WILL STICK TO YOU LIKE GLUE IT WILL MODIFY RAM TOO SEND IN THE CLONER

o  Marburg virus: drew random icons on desktop.

o  Spanska virus: displayed animations

o  Haiku virus displayed randomly generated haiku.


Benevolent Viruses The payload of a virus can do good as well as bad. E.g.

o  Antivirus virus: good virus that deletes bad viruses.

o  Compression virus: automatically compress files to save space (but there�s a time/space tradeoff).

o  Maintenance virus: install system updates, clean up undeleted temporary files, reset incorrect protection bits, defragment disk, etc.

o  Distributed database virus: make copies of information across multiple machines and modify old copies to be consistent with recent changes.

Ethical questions:

o  Is it OK to distributed �good� viruses?

o  What if good virus goes has unexpected bad consequences – e.g., accidentally consumes lots of resources.


Viruses Infection Techniques o  Overwriting

•  Overwrite host program, changing behavior (easy to discover) •  Typically overwrite beginning, but can overwrite later (in which case

virus may not be executed).

o  Appending •  Add virus code to end of program, and jump to virus. •  Typically virus jumps back to program to evade detection.

o  Prepending •  Add virus code to front of host program. •  Parastic virus: variant that overwrites start of program, but moves

starting code later.

o  Cavity Virus •  Squirreled away in �holes� in program •  doesn�t change program size

o  Compressing Virus o  Compresses program and inserts self so as not to change program size.


Viruses Propagation Methods o  Insert a copy into every executable (.COM, .EXE)

o  Insert a copy into boot sectors of disks

•  �Stoned� virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC

o  Infect TSR (terminate-and-stay-resident) routines

•  By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

o  Infect macros in documents/spreadsheets, etc.

•  A virus in MS Word Normal.dot file can infect all documents.

o  Infect shell scripts and other source code.


Virus Propagation Vectors o  Removable storage

•  Floppies, writable CDs/DVDs, USB flash drives

o  Email Attachments •  Can contain executable parts

o  Downloads

o  Shared Directories Multi-user systems, networked file system (e.g., puma),

peer-to-peer (P2P) networks


Basic Anti-Virus (AV) Techniques o  Signature-based detection

•  signature = pattern/fingerprint matching virus •  AV engine checks files against database of signatures to (1) identify

and (2) disinfect file containing virus, •  On-demand scanning (user explicitly requests) vs. on-access scanning

(done every time a file is opened, modified, and/or closed). •  Need to update signature database frequently

o  Heuristic detection •  Check program for virus-like behavior (access boot sector, find all

files in current directory, write to .EXE file, delete files) •  Emulate behavior before executing or execute in sandbox.

o  Integrity checking •  Record file fingerprints (sizes, checksums, hashes) in pristine system

and check later (e.g. Tripwire). •  Used by some AV scanners to avoid more detailed scanning •  Must store fingerprints carefully!


Signature-Based Scanning

o  Hex strings from virus variants •  67 33 74 20 73 38 6D 35 20 76 37 61

•  67 36 74 20 73 32 6D 37 20 76 38 61

•  67 39 74 20 73 37 6D 33 20 76 36 61

o  Hex string for detecting virus •  67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61

•  ?? = wildcard


Anti-Virus Problems o  False Positives: one version of McAfee flagged Excel!

o  False Negatives: fail to detect malware

o  Long detection times slows down machines

o  Developing signatures/keeping databases current: > 100K new viruses/week!

o  What to do when virus detected: Delete vs. quarantine

o  Vendors focus on big clients, not individual users

o  Bad guys can disable/intercept AV scans •  turn off AV scans •  make infected file appear �normal� to AV detector •  block access to AV websites/downloads/updates

o  Arms race •  Bad guys test new viruses against AV •  Stealth techniques for hiding/changing viruses


Arms Race between Virus Writers/Detectors o  Encrypted virus: virus consists of a constant decryptor, a key (that

changes between copies), and the encrypted virus body. •  Detector finds decryptor and key & uses it to decrypt/identify virus

o  Oligomorphic virus: mutate decryptor slightly by using several decryptors or build decryptors out of simple patterns.

o  Polymorphic virus: mutate decryptors into millions of forms via obfuscation techniques (reordering and junk instructions), but keep (unencrypted) body same

o  Metamorphic virus: mutate virus bodies via obfuscation techniques, but keep functionality

o  shuffle registers o  reorder instructions o  insert junk instructions o  change source code and recompile


Benign Code Can be Encrypted/Obfuscated Q: Why not just flag all encrypted/obfuscated code as viruses?

A: Because these techniques are commonly used in benign code to protect intellectual property by complicating reverse engineering. Especially used in cases where code otherwise easy to inspect:

•  machine code

•  virtual machine code (e.g., JVM, .NET)

•  HTML

•  Javascript

•  Source code of interpreted languages (Python, PERL, shell scripts, etc.)


Detecting Oligomorphic/Polymorphic Viruses

1.  Run suspect program in an emulator

2.  Wait until it decrypts

3.  Decrypted code will be identical for various copies

4.  Use signature scanning on decrypted virus body


Virus Detection by Emulation

Virus body

Randomly generates a new key and corresponding decryptor code

Mutation A

Decrypt and execute

Mutation C

Mutation B

To detect an unknown mutation of a known virus ,

emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body


Detecting Polymorphic Viruses: Challenges o  Determining when decryption is complete.

o  Doesn�t work very well against viruses not located near beginning of infected executable.

o  Some viruses use random code block insertion or insert millions of NOPs at the entry point prior to the main virus body. •  Emulator executes code for a while, does not see virus body and

decides the code is benign. When main virus body is finally executed, virus propagates

o  Decryptor may be able to determine whether it’s running in an emulator and behave differently in this case.


Metamorphic Viruses o  Obvious next step: mutate the virus body, too!

o  Virus can carry its source code (which deliberately contains some useless junk) and recompile itself •  Apparition virus (Win32) •  Virus first looks for an installed compiler (Unix machines have C

compilers installed by default) •  Virus changes junk in its source and recompiles itself •  New binary mutation looks completely different!

o  Many macro and script viruses evolve and mutate their code •  Macros/scripts are usually interpreted, not compiled


Metamorphic Virus [Szor, 2001]

o  An early generation c7060F000055 mov dword ptr [esi], 550000Fh c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh

o  A later generation

BF0F000055 mov edi, 550000Fh 893E mov [esi], edi 5F pop edi 52 push edx B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx


Metamorphic Mutation Techniques o  Same code, different register names

•  Regswap (Win32)

o  Same code, different subroutine order

•  BadBoy (DOS), Ghost (Win32)

•  If n subroutines, then n! possible mutations

o  Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack

•  Zmorph (Win95)

•  Can be detected by emulation because the rebuilt body has a constant instruction sequence


Example of Zperm Mutation

�Hunting for Metamorphic� at www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf

o  Body makeup not constant o  Detect by running suspect program in an emulator and analyze

behaviour while running o  Can also disassemble and look for virus-like instructions ! Hard problem!


Mutation Engines o  Real Permutating Engine/RPME (introduced in Zperm virus),

ADMutate, many others

o  Employ a large set of obfuscating techniques •  Instructions are reordered, branch conditions reversed •  Jumps and NOPs inserted in random places •  Garbage opcodes inserted in unreachable code areas •  Instruction sequences replaced with other instructions that have

the same effect, but different opcodes •  SUB EAX, EAX ⇒ XOR EAX, EAX •  PUSH EBP; MOV EBP, ESP ⇒ PUSH EBP; PUSH ESP; POP EBP

o  There is no constant, recognizable virus body!


Virus-Specific Detection o  Many viruses can�t be detected by simple scanning. Instead, need

more complex analysis and/or emulation.

o  AV software includes programs written in virus detection languages for detecting specific viruses.

o  Special-case detection is time-consuming, so rely on filtering to identify cases where it�s likely to be productive.


How Hard Is It to Write a Virus? o  Can be challenging to write a virus from scratch

(just ask Audrey Kao & Era Vuksani from CS342 Fall ‘10!)

o  In practice, study and modify existing viruses.

o  Many virus construction kits available.

•  AV vendors familiar with such kits and defend against the kinds of viruses they create.


Worms vs. Viruses o  Both are self-replicating programs

o  Worms are (usually) self-contained; viruses attach to a host program

o  Worms are (usually) self-activating; viruses require human intervention to spread.

o  Worms spread via networks; viruses can, too, but can also spread via other means.

o  Worms offer a scale of propagation (in terms of speed, number of hosts infected, potential for damage) not easily achieved by other mechanisms. They are the tool of choice for recruiting �zombie� computers.

o  One copy of a worm is called a segment or node.

Viruses and Worms 22-30

Worm Components Exploit to get �in� to the target – e.g., password guessing & cracking, buffer overflow, file shares, automatically executed email attachments, misconfigurations, etc.

Pull rest of worm code into target via FTP, HTTP, etc. (sometimes already contained in warhead)

Select target addresses of next victims Scan targets and

infect vulnerable targets

Implements specific actions on behalf of attacker on the target: install backdoor, DDOS agent, steal info, use computrons and storage, etc.

picture from Skoudis, p. 79.

Other components in some worms: •  Intelligence to locate other worm segments. •  Communication with other worm segments •  Control of other worm segments Viruses and Worms 22-31

Worms: Target Selection & Scanning

o  Goal: Find new targets to attack

o  Common techniques: •  Statistical: Scan 'random' IP addresses

•  Topological: Use information on infected hosts, e.g., machines with same IP prefix, email address list, .rhosts file, network neighborhood, ...

o  Scan targets to see which are uninfected: avoid double infections!


Worm History, Part 1 Name Date Notes Creeper 1971 Program designed to move across a network of air

traffic control systems Xerox PARC worms 1982 Shoch & Hupp distributed computation experiments

Morris Worm Nov. 1988 Disabled early Internet by infecting Unix hosts

Melissa Mar. 1999 MS word macro virus spread via Outlook email

I Love You (Love Bug)

May 2000 VBScript worm spread via Outlook email with �I Love You� title, appeared to be from friends (spread by email address list), used default enabling of until-that-time little known scripting engine. Infected 50 millions users.

Ramen Jan 2001 Linux worm exploiting 3 buffer overflows, modified default web page to say �Hackers loooove noodles�

Code Red Jul 2001 Infected >350K Windows IIS servers in 13 hours with goal of packet flood against whitehouse.gov.


Name Date Notes Nimda Sep 2001 Multiexploit worm with 12 spreading mechanisms released

soon after 9/11. Became most widespread worm in 22 minutes.

Klez Jan 2002 Mildly polymorphic (randomized email subject lines and attachment types); tried to disable antivirus

Slapper Sep 2002 Spread via Apcher SSL flaw; built massive DDOS P2P network

Slammer Jan 2003 Small worm spreading in a matter of minutes via flaw in MS SQL Server database

Blaster 2003 Launched denial of service against Windows Update. Included message "billy gates why do you make this possible? Stop making money and fix your software!!"

Sasser 2004 Exploited buffer overflow on vulnerable network ports. Disrupted satellite communications, airline flights, X-ray machines.

Storm 2007 Spread by email attachment to create huge botnet. Conficker 2008-10 Created worldwide infrastructure for as-yet unknown

purpose: maybe cybercrime botnet? Stuxnet 2010 Exploited 4 zero-day Windows bugs to disrupt large-scale

industrial control systems.

Worm History, Part 2


Morris (or Cornell or Unix) Worm (1988)

o  Robert Tappan Morris, Jr. •  23 years old, Cornell grad student, father worked at the NSA •  He asked himself: �I wonder how large the Internet is?“

o  Wrote a self-propagating program as a �test concept� •  Exploited Unix vulnerabilities in sendmail and fingerd •  Released at MIT •  Bug in the worm caused it to go haywire – it was not planned to wreak

havoc

o  The first worm that propagated using the Internet •  Internet was designed with functionality in mind!

o  Details on following slides from Eichin/Rochlis With Microscope and Tweezers paper


How it entered (multiple means)

o  Send mail in debug mode (as released in SunOS) allowed connections to spawn a shell.

o  fingerd (VAX systems) buffer overflow to spawn shell

o  In shell, compiled & executed C program to download rest of worm program

o  r-services (no-password access to other machines) •  rexec

•  rsh


Whom it attacked:

o  accounts with obvious passwords:

•  none at all

•  the user name (once and appended to itself)

•  the “nickname”

•  last name (both spelled forwards and backwards)

•  passwords from a 432 word included dictionary

•  used the words from /usr/dict/words as passwd

o  trusted accounts through .rhosts


Systems affected

o  SUN and VAX

o  Gained hostnames and account names through: •  /etc/hosts.equiv •  /.rhosts •  .forward •  .rhosts •  routing tables

•  serial P2P links •  randomly guessed first-hop addresses


Covering Tracks o  Erased argument list so could not tell how it was invoked

o  Deleted binary after use

o  Used resource limit functions to prevent a core dump

o  Named itself “sh” to avoid suspicion

o  Refreshed itself by forking about every 3 minutes

o  Constant strings obscured by XORing


Example modern worm: Code Red (2001) o  Worm probed random IP addresses and infected Microsoft Internet

Information Services (IIS) web server with buffer overflow vulnerability.

o  Defaced English websites hosted on server with message:

Welcome to http://www.worm.com! Hacked by Chinese!

o  On July 19 over 359,000 hosts infected in 13-hour period •  over 2,000 hosts infected per minute at peak •  at 5:00 pm, worm attempted DoS attack against 198.137.240.91

(www.whitehouse.gov) •  For details, see Moore & Shannon

http://www.caida.org/research/security/code-red/coderedv2_analysis.xml

o  Estimated 975,000 servers infected by end of August with losses of $2.4 billion – Computer Economics

o  Shut down Japan Airline computer affecting ticketing & check-in, delaying 55 flights and 15,000 passengers 1-2 hours


Spread of Code Red Worm

July 19 01:05:00 2001 Viruses and Worms 22-41

19 Hours Later

July 19 20:15:00 2001 Viruses and Worms 22-42

Vulnerabilities spawn Exploits

Example: Code Red •  June 18, 2001 Eeye Digital Security discloses vulnerability in

Microsoft IIS web server

•  June 18, 2001 Microsoft issues alert, patch

•  June 19, 2001 CERT® Advisory CA-2001-13 Buffer Overflow In IIS

•  July 12, 2001 Code Red v. 1 is released

•  July 19, 2001 Code Red v.2 is released

•  August 4, 2001 Code Red II is released

•  Sept. 18, 2001 Nimda is released


Vulnerability and exploit portals

o  Mitre�s CVE (Common Vulnerabilities and Exposures) http://cve.mitre.org

o  Network Security News http://www.security-update.com Updated ever hour, variety of sources

!  Vendor�s sites have sometimes very good vulnerability info


Code Red: Scanning technique

o  Code Red I: 99 threads scan for vulnerable IIS installations, using random number generator

o  Worm deactivated itself after a few days, but was designed to reactivate every month

2,000

1,000

1,500

0

500

2,500

0 50 100 150

Dis

tinct

rem

ote

host

s at

tack

ing

LBN

L

Days since Sept. 20, 2001


Code Red: Analytical model o  Simplifying assumptions:

•  No patching

•  No firewalls

o  Infection rate is proportional to •  # hosts already infected

•  # hosts not infected, but susceptible

o  Result: Logistic equation

o  Well known for epidemics in finite systems )1( aaK

dtda

−⋅⋅= )(

)(

1 TtK

TtK

eea

−

−⋅

+=

Saturation

Initial compromise rate

Infected fraction


Improvements: Localized scanning

o  Observation: Density of vulnerable hosts in IP address space is not uniform

o  Idea: Bias scanning towards local network

o  Used in CodeRed II •  P=0.50: Choose address from local class-A network (/8)

•  P=0.38: Choose address from local class-B network (/16)

•  P=0.12: Choose random address

o  Allows worm to spread more quickly


Improvements: Multi-vector o  Idea: Use multiple

propagation methods simultaneously

o  Example: Morris worm •  fingerd attack •  sendmail DEBUG cmd •  rhosts files •  Password cracking

o  Example: Nimda •  IIS vulnerability (both

server and client!) •  Autoexec code in

Outlook email •  Windows file sharing •  Code Red II backdoor

Onset of Nimda

Time (PDT) 18 September, 2001

HTT

P co

nnec

tions

/sec

ond

seen

at

LBN

L (o

nly

conf

irmed

Nim

da a

ttac

ks) 1/2 hour


Improvements: Hit-list scanning

o  Problem: Spread is slow during initial phase

o  Idea: Collect a list of promising targets before worm is released •  Low-profile 'stealthy' scan •  Distributed scan •  Spider/crawler •  Surveys or databases •  Attacks from other worms

o  Low overhead, since list shrinks quickly


Improvements: Permutation scanning

o  Problem: Many addresses are scanned multiple times

o  Idea: Generate random permutation of all IP addresses shared by all worm instances. •  Hit-list hosts scan permutation list in order starting at their

own position in the permutation.

•  When an infected host is found, restart at a random point.

•  Efficiently explores IP address list.

o  Can be combined with divide-and-conquer approach

H0 H4 H1 H3 H2 H1 (Restart)


Warhol worms o  Worm using both hit-list

and permutation scanning could infect most vulnerable targets in about 15 minutes.

o  Simulation: Compare •  10 scans/second

(Code Red) •  100 scans/second •  100 scans/second plus

10,000 entry hit list (Warhol worm)

"In the future, everyone will have 15 minutes of fame"

-- Andy Warhol

Num

ber

of I

nsta

nces

Time (hours)


Flash worms o  A flash worm would start with a hit list that contains most/

all vulnerable hosts

o  Realistic scenario: o  Complete advance scan takes 2h with an OC-12 (high-speed

network link)

o  Internet warfare?

o  Problem: Size of the hit list •  9 million hosts ⇒ 36 MB

•  Compression works: 7.5MB

•  Can be sent over a 256kbps DSL link in 3 seconds

o  Extremely fast: •  Full infection in tens of seconds!


Surreptitious worms o  Idea: Hide worms in

inconspicuous traffic to avoid detection

o  Example: HTTP

o  Leverage P2P systems? •  High node degree

•  Lots of traffic to hide in

•  Proprietary protocols

•  Homogeneous software

•  Immense size


Conficker o  Discovered Nov. 2008. Also known as Downadup, Kido.

o  Early spread through exploit of MS network service vulnerability in port 445 (RPC for printing & file sharing). Also spread via removable media & file sharing.

o  Small code: only 35 KB.

o  Repairs vulnerability it used to access machine, so less competition with other worms.

o  Self-destructed on Ukranian IP addresses.

o  Tries to prevent security updates and disable system restore points.

o  Has created botnet thought to control > 7M govt, home, business computers in 200 countries.


Bowden’s The Enemy Within (Atlantic, Jun 2010) o  �It [Conficker] has been activated only once, to perform a relatively

mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one yet fully understands how it works. No one knows how to stop it or kill it. And no one even knows for sure why it exists.�

o  Conficker Cabal = good guys working to understand and stop Conficker.

o  �The good guys have gone to unprecedented lengths, and have had successes beyond anything they would have thought possible when they started. But a year and a half into the battle, here�s the bottom line: The worm is winning.


Conficker Arms Race o  Conficker �phones home� at regular intervals with small messages.

o  Initially generated list of 250 new domain names over 5 top level domains (TLDs) and contacted sequentially. Only needed to find controller at one.

o  Generation tied to network clock (harder for good guys to reset). Good guys used website proxy, and blocked sites in advance.

o  Conficker B (Dec. 29, 2008): o  Generates domain names over 8 TLDs, making blocking more difficult o  Stops connections to Microsoft update o  Modified to spread via USB drives. o  For communications with mother ship, used MD6 = Rivest�s proposal

for SHA-3 (largely unknown outside very small community).


The Arms Race Continues o  Conficker C (Feb, 2009)

o  Rivest finds and corrects bug in MD6. Bug corrected in next version of Conficker!

o  Microsoft offers $250K for arrest & conviction of worm creators. o  Conficker D (March, 2009):

o  Generates up to 50K new domain names. Good guys can�t register them all!

o  Old versions of Conficker updated with new version upon contacting mother ship.

o  Changed to P2P communication, so no longer needed to call mother ship. Makes it much harder for good guys to track!

o  Disables Windows Safe Mode. o  April 1, 2009: distributes email spam malware. Seems like a bust, but

good guys think it�s biding time.


Stuxnet o  Discovered June 2010. Found mainly in Iran. Targeting nuclear facilities?

o  Targets Sieman’s software for SCADA (supervisory control and data acquisition) systems, which control power plants, factory machinery, etc. Reprograms operation of particular motors in particular frequency range.

o  Enters network via infected USB flash drive. Limits spread to no more than 3 machines to stay within targeted facility.

o  Exploits four zero-day (unknown to software developers) Windows bugs + bug exploited by Conficker.

o  Elevates privilege to attack other local PCs, seeks out Sieman’s software, and uses default passwords to access it.

o  Attack code signed by stolen digital certificates to seem legitimate.

o  Creating Stuxnet was big project: required wide range of expertise, access to hardware, many man-months/years. State sponsored? Israeli?

o  Kasperksy: "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."


Ethical Worms? What about “ethical” (“white”, good) worms to combat the bad worms? Pros:

o  Install patches more quickly than human or update tool o  Avoid human frailties in patch installation o  Could require opt-in to use

Cons: o  May inflict unintentional damage, especially if buggy o  Some applications require security hole to work o  Often need careful testing after patch installation o  Possible legal action for breaking systems o  Using machine resources without permission is problematic


Worm Defenses o  Anti-virus effective against some worms, but not fast-spreading ones

o  Harden systems •  Install systems with secure configuration

•  Apply patches religiously

•  Track vulnerabilities via Bugtraq and other lists.

•  Develop security policies/processes

o  Block arbitrary outbound connections from public machines to limit worm spreading (many orgs. flter incoming connections but neglect outgoing ones).

o  Egress antispoof filters

o  Establish incident response team

o  Don’t play with worms!


Skoudis Prediction (2004) “ I strongly believe that a determined hacker will temporarily disable major portions of the Internet in the next five years. Using the worm techniques described throughout this chapter, an attacker sould write a worm that disables the Internet for a couple of days.

...

I admit, this opinion is controversial, and I’d be happy to be wrong.

...

Based on where worms are heading, I frankly think we’re heading for a giant Internet snow day. The only down side of this whole snow storm analogy is that you and I are the folks who drive the snowplows of the computer world.


Resources (Viruses) o  Daniel Bilar, Intro To Malware, CS342 slides, Oct. 6, 2006 o  Frederick B. Cohen, A Short Course on Computer Viruses. John Wiley,

1994. o  Ed Skoudis, Malware: Fighting Malicious Code. Pearson Edcation,

2004 o  Sean Smith and John Marchesini, The Craft of System Security,

Chapter 6: Implementation Security. o  Peter Szor, The Art of Computer Virus Research and Defense.

Addison Wesley, 2005. o  John Viega, The Myths of Computer Security: What the Computer

Security Industry Doesn�t Want you to Know. O�Reilly Media, 2009. o  John Viega,�Why Anti-Virus Sucks, and How to Fix It�, Talk to

Harvard�s Center for Research on Computation and Society (CRCS), Wed. Oct. 8, 2008 (see video of talk at http://crcs.seas.harvard.edu/2008/09/24/wednesday-october-8-2008-john-viega-on-tbd/


Resources (Worms) o  Daniel Bilar, Worms, CS342 slides, Oct. 17, 2006 o  Mark Bowden, The Enemy Within. Atlantic, June 2010.

http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/

o  Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November, 1988. Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy. http://www.mit.edu/people/eichin/virus/main.html

o  David Moore and Colleen Shannon, The Spread of the Code Red Worm (CRv2), http://www.caida.org/research/security/code-red/coderedv2_analysis.xml

o  Jerome Saltzer, Slammer: An Urgent Wake-up Call, Feb. 1, 2003, http://web.mit.edu/Saltzer/www/publications/Slammer.html

o  John Shoch and Jon Hupp, The �Worm� Programs – Early Experience with a Distributed Computation. Communications of the ACM, Mar. 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf

o  Ed Skoudis, Malware: Fighting Malicious Code, Prentice Hall, 2004 o  Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the

Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, 2002. http://www.icir.org/vern/papers/cdc-usenix-sec02/

o  Stuxnet Wikipedia article, http://en.wikipedia.org/wiki/Stuxnet Viruses and Worms 22-63

Malware (MALicious softWARE) Malware...

Documents

Transcript of Malware (MALicious softWARE) Malware...