Presentation on theme: "Lecture 11 Malicious Software"— Presentation transcript:
1Lecture 11 Malicious Software This chapter examines the wide spectrum of malware threats and countermeasures.We begin with a survey of various types of malware, and offer a broadclassification based first on the means malware uses to spread or propagate , andthen on the variety of actions or payloads used once the malware has reached atarget. Propagation mechanisms include those used by viruses, worms, and Trojans.Payloads include system corruption, bots, phishing, spyware, and rootkits. Thediscussion concludes with a review of countermeasure approaches.modified from slides of Lawrie Brown
2Malware [NIST05] defines malware as: “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”Malicious software , or malware , arguably constitutes one of the most significant categoriesof threats to computer systems. [NIST05] defines malware as “a program thatis inserted into a system, usually covertly, with the intent of compromising the confidentiality,integrity, or availability of the victim’s data, applications, or operatingsystem or otherwise annoying or disrupting the victim.” Hence, we are concernedwith the threat malware poses to application programs, to utility programs, such aseditors and compilers, and to kernel-level programs. We are also concerned withits use on compromised or malicious Web sites and servers, or in especially craftedspam s or other messages, which aim to trick users into revealing sensitivepersonal information.
3Table 6.1 Malware Terminology (Table can be found on page 201 The terminology in this area presents problems because of a lack of universal agreementon all of the terms and because some of the categories overlap. Table 6.1 is auseful guide to some of the terms in use.(Table can be found on page 201in the textbook.)
4Classification of Malware classified into two broad categories based on:how it spreads or propagates to reach the desired targetsthe actions or payloads it performs once a target is reachedalso classified by:those that need a host programparasitic code such as virusesthose that are independent, self-contained programsworms, trojans, and botsmalware that does not replicatetrojans and spammalware that does replicateviruses and wormsA number of authors attempt to classify malware, as shown in the survey and proposalof [HANS04]. Although a range of aspects can be used, one useful approachclassifies malware into two broad categories, based first on how it spreads or propagatesto reach the desired targets; and then on the actions or payloads it performsonce a target is reached.Earlier approaches to malware classification distinguished between those thatneed a host program, being parasitic code such as viruses, and those that are independent,self-contained programs run on the system such as worms, trojans, andbots. Another distinction used was between malware that does not replicate, such astrojans and spam , and malware that does, including viruses and worms.
5Types of Malicious Software propagation mechanisms include:infection of existing content by viruses that is subsequently spread to other systemsexploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicatesocial engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attackspayload actions performed by malware once it reaches a target system can include:corruption of system or data filestheft of service/make the system a zombie agent of attack as part of a botnettheft of information from the system/keyloggingstealthing/hiding its presence on the systemPropagation mechanisms include infection of existing executable or interpretedcontent by viruses that is subsequently spread to other systems; exploit of softwarevulnerabilities either locally or over a network by worms or drive-by-downloads toallow the malware to replicate; and social engineering attacks that convince users tobypass security mechanisms to install trojans, or to respond to phishing attacks.Earlier approaches to malware classification distinguished between those thatneed a host program, being parasitic code such as viruses, and those that are independent,self-contained programs run on the system such as worms, trojans, andbots. Another distinction used was between malware that does not replicate, such astrojans and spam , and malware that does, including viruses and worms.Payload actions performed by malware once it reaches a target system caninclude corruption of system or data files; theft of service in order to make thesystem a zombie agent of attack as part of a botnet; theft of information from thesystem, especially of logins, passwords, or other personal details by keylogging orspyware programs; and stealthing where the malware hides its presence on thesystem from attempts to detect and block it.While early malware tended to use a single means of propagation to delivera single payload, as it evolved, we see a growth of blended malware that incorporatesa range of both propagation mechanisms and payloads that increase its abilityto spread, hide, and perform a range of actions on targets. A blended attack usesmultiple methods of infection or propagation, to maximize the speed of contagionand the severity of the attack. Some malware even support an update mechanismthat allows it to change the range of propagation and payload mechanisms utilizedonce it is deployed.In the following sections, we survey these various categories of malware, andthen follow with a discussion of appropriate countermeasures.
6Malware Evolution 1980s 1990s Early 2000s Mid 2000s Malware for entertainment (pranks)1983: “virus”1988: Internet Worm1990sMalware for social status / experiments1990: antivirus softwareEarly 2000sMalware to spamMid 2000sCriminal malwareCS 450/650 Lecture 16: Malicious Codes
7Malware EvolutionCS 450/650 Fundamentals of Integrated Computer Security
10Attack KitsInitially the development and deployment of malware required considerable technical skill by software authorsThe development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly assisted in the development and deployment of malwareToolkits are often known as “crimeware”Include a variety of propagation mechanisms and payload modules that even novices can deployVariants that can be generated by attackers using these toolkits creates a significant problem for those defending systems against themWidely used toolkits include:Zeus, Blackhole, Sakura, PhoenixInitially, the development and deployment of malware required considerable technicalskill by software authors. This changed with the development of virus-creation toolkits in the early 1990s, and then later of more general attack kits in the 2000s,that greatly assisted in the development and deployment of malware [FOSS10].These toolkits, often known as crimeware , now include a variety of propagationmechanisms and payload modules that even novices can combine, select, anddeploy. They can also easily be customized with the latest discovered vulnerabilitiesin order to exploit the window of opportunity between the publicationof a weakness and the widespread deployment of patches to close it. These kitsgreatly enlarged the population of attackers able to deploy malware. Although themalware created with such toolkits tends to be less sophisticated than that designedfrom scratch, the sheer number of new variants that can be generated by attackersusing these toolkits creates a significant problem for those defending systemsagainst them.The Zeus crimeware toolkit is a prominent, recent, example of such an attackkit, which was used to generate a wide range of very effective, stealthed, malwarethat facilitates a range of criminal activities, in particular capturing and exploitingbanking credentials [BINS10]. Other widely used toolkits include Blackhole,Sakura, and Phoenix [SYMA13].
11Attack SourcesAnother significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as:This has significantly changed the resources available and motivation behind the rise of malware and has led to development of a large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen informationPolitically motivated attackersCriminalsOrganized crimeOrganizations that sell their services to companies and nationsNational government agenciesAnother significant malware development over the last couple of decades is thechange from attackers being individuals, often motivated to demonstrate theirtechnical competence to their peers, to more organized and dangerous attacksources. These include politically motivated attackers, criminals, and organizedcrime; organizations that sell their services to companies and nations, and nationalgovernment agencies, as we discuss in Section 8.1. This has significantly changed theresources available and motivation behind the rise of malware, and indeed has ledto development of a large underground economy involving the sale of attack kits,access to compromised hosts, and to stolen information.
12Advanced Persistent Threats (APTs) Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)Typically attributed to state-sponsored organizations and criminal enterprisesDiffer from other types of attack by their careful target selection and stealthy intrusion efforts over extended periodsHigh profile attacks include Aurora, RSA, APT1, and StuxnetAdvanced Persistent Threats (APTs) have risen to prominence in recent years.These are not a new type of malware, but rather the well-resourced, persistentapplication of a wide variety of intrusion technologies and malware to selected targets,usually business or political. APTs are typically attributed to state-sponsoredorganizations, with some attacks likely from criminal enterprises as well. We discussthese categories of intruders further in Section 8.1.APTs differ from other types of attack by their careful target selection, andpersistent, often stealthy, intrusion efforts over extended periods. A number ofhigh profile attacks, including Aurora, RSA, APT1, and Stuxnet, are often cited asexamples.
13APT Characteristics Advanced Persistent Threats Used by the attackers of a wide variety of intrusion technologies and malware including the development of custom malware if requiredThe individual components may not necessarily be technically advanced but are carefully selected to suit the chosen targetPersistentDetermined application of the attacks over an extended period against the chosen target in order to maximize the chance of successA variety of attacks may be progressively applied until the target is compromisedThreatsThreats to the selected targets as a result of the organized, capable, and well-funded attackers intent to compromise the specifically chosen targetsThe active involvement of people in the process greatly raises the threat level from that due to automated attacks tools, and also the likelihood of successful attacksThey are named as a result of these characteristics:• Advanced: Use by the attackers of a wide variety of intrusion technologiesand malware, including the development of custom malware if required. Theindividual components may not necessarily be technically advanced, but arecarefully selected to suit the chosen target.• Persistent: Determined application of the attacks over an extended periodagainst the chosen target in order to maximize the chance of success. A varietyof attacks may be progressively, and often stealthily, applied until the target iscompromised.• Threats: Threats to the selected targets as a result of the organized, capable,and well-funded attackers intent to compromise the specifically chosen targets.The active involvement of people in the process greatly raises the threatlevel from that due to automated attacks tools, and also the likelihood ofsuccessful attack.
14APT Attacks Aim: Techniques used: Intent: Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructureTechniques used:Social engineeringSpear-phishingDrive-by-downloads from selected compromised websites likely to be visited by personnel in the target organizationIntent:To infect the target with sophisticated malware with multiple propagation mechanisms and payloadsOnce they have gained initial access to systems in the target organization a further range of attack tools are used to maintain and extend their accessThe aim of these attacks varies from theft of intellectual property or securityand infrastructure related data to the physical disruption of infrastructure. Techniquesused include social engineering, spear-phishing s, and drive-by-downloadsfrom selected compromised websites likely to be visited by personnel in the targetorganization. The intent is to infect the target with sophisticated malware with multiplepropagation mechanisms and payloads. Once they have gained initial access tosystems in the target organization, a further range of attack tools are used to maintainand extend their access.As a result, these attacks are much harder to defend against due to this specifictargeting and persistence. It requires a combination of technical countermeasures,such as we discuss later in this chapter, as well as awareness training to assistpersonnel to resist such attacks, as we discuss in Chapter 17. Even with current best practicecountermeasures, the use of zero-day exploits and new attack approachesmeans that some of these attacks are likely to succeed [SYMA13, MAND13]. Thusmultiple layers of defense are needed, with mechanisms to detect, respond andmitigate such attacks. These may include monitoring for malware command andcontrol traffic, and detection of exfiltration traffic.
15Viruses piece of software that infects programs modifies them to include a copy of the virusreplicates and goes on to infect other contenteasily spread through network environmentswhen attached to an executable program a virus can do anything that the program is permitted to doexecutes secretly when the host program is runspecific to operating system and hardwaretakes advantage of their details and weaknessesThe first category of malware propagation concerns parasitic software fragmentsthat attach themselves to some existing executable content. The fragment may bemachine code that infects some existing application, utility, or system program, oreven the code used to boot a computer system. More recently, the fragment hasbeen some form of scripting code, typically used to support active content withindata files such as Microsoft Word documents, Excel spreadsheets, or Adobe PDFdocuments.A computer virus is a piece of software that can “infect” other programs, or indeedany type of executable content, by modifying them. The modification includesinjecting the original code with a routine to make copies of the virus code, whichcan then go on to infect other content. Computer viruses first appeared in the early1980s, and the term itself is attributed to Fred Cohen. Cohen is the author of agroundbreaking book on the subject [COHE94]. The Brain virus, first seen in 1986,was one of the first to target MSDOS systems, and resulted in a significant numberof infections for this time.Biological viruses are tiny scraps of genetic code—DNA or RNA—thatcan take over the machinery of a living cell and trick it into making thousands offlawless replicas of the original virus. Like its biological counterpart, a computervirus carries in its instructional code the recipe for making perfect copies of itself.The typical virus becomes embedded in a program, or carrier of executable content,on a computer. Then, whenever the infected computer comes into contact with anuninfected piece of code, a fresh copy of the virus passes into the new location.Thus, the infection can spread from computer to computer, aided by unsuspectingusers, who exchange these programs or carrier files on disk or USB stick; or whosend them to one another over a network. In a network environment, the ability toaccess documents, applications, and system services on other computers provides aperfect culture for the spread of such viral code.A virus that attaches to an executable program can do anything that theprogram is permitted to do. It executes secretly when the host program is run. Oncethe virus code is executing, it can perform any function, such as erasing files andprograms, that is allowed by the privileges of the current user. One reason virusesdominated the malware scene in earlier years was the lack of user authenticationand access controls on personal computer systems at that time. This enabled a virusto infect any executable content on the system. The significant quantity of programsshared on floppy disk also enabled its easy, if somewhat slow, spread. The inclusionof tighter access controls on modern operating systems significantly hinders theease of infection of such traditional, machine executable code, viruses. This resultedin the development of macro viruses that exploit the active content supportedby some documents types, such as Microsoft Word or Excel files, or Adobe PDFdocuments. Such documents are easily modified and shared by users as part of theirnormal system use, and are not protected by the same access controls as programs.Currently, a viral mode of infection is typically one of several propagation mechanismsused by contemporary malware, which may also include worm and Trojancapabilities.
16Virus Components infection mechanism means by which a virus spreads or propagatesalso referred to as the infection vectortriggerevent or condition that determines when the payload is activated or deliveredsometimes known as a logic bomb[AYCO06] states that a computer virus has three parts. More generally, manycontemporary types of malware also include one or more variants of each of thesecomponents:• Infection mechanism : The means by which a virus spreads or propagates,enabling it to replicate. The mechanism is also referred to as the infectionvector .• Trigger: The event or condition that determines when the payload is activatedor delivered, sometimes known as a logic bomb .• Payload: What the virus does, besides spreading. The payload may involvedamage or may involve benign but noticeable activity.payloadwhat the virus does (besides spreading)may involve damage or benign but noticeable activity
17Virus Phases dormant phase triggering phase virus is idle will eventually be activated by some eventnot all viruses have this stagetriggering phasevirus is activated to perform the function for which it was intendedcan be caused by a variety of system eventspropagation phasevirus places a copy of itself into other programs or into certain system areas on the diskmay not be identical to the propagating versioneach infected program will now contain a clone of the virus which will itself enter a propagation phaseexecution phasefunction is performedmay be harmless or damagingDuring its lifetime, a typical virus goes through the following four phases:• Dormant phase: The virus is idle. The virus will eventually be activated bysome event, such as a date, the presence of another program or file, or thecapacity of the disk exceeding some limit. Not all viruses have this stage.• Propagation phase: The virus places a copy of itself into other programs orinto certain system areas on the disk. The copy may not be identical to thepropagating version; viruses often morph to evade detection. Each infectedprogram will now contain a clone of the virus, which will itself enter a propagationphase.• Triggering phase: The virus is activated to perform the function for which itwas intended. As with the dormant phase, the triggering phase can be causedby a variety of system events, including a count of the number of times thatthis copy of the virus has made copies of itself.• Execution phase: The function is performed. The function may be harmless,such as a message on the screen, or damaging, such as the destruction ofprograms and data files.Most viruses that infect executable program files carry out their work in amanner that is specific to a particular operating system and, in some cases, specificto a particular hardware platform. Thus, they are designed to take advantage of thedetails and weaknesses of particular systems. Macro viruses though, target specificdocument types, which are often supported on a variety of systems.
18Virus Structure A traditional, machine executable code, virus can be prepended or postpended to some executable program, or it can be embeddedinto it in some other fashion. The key to its operation is that the infected program,when invoked, will first execute the virus code and then execute the original codeof the program.A very general depiction of virus structure is shown in Figure 6.1 (based on[COHE94]). In this case, the virus code, V, is prepended to infected programs, andit is assumed that the entry point to the program, when invoked, is the first line ofthe program.The infected program begins with the virus code and works as follows. Thefirst line of code is a jump to the main virus program. The second line is a specialmarker that is used by the virus to determine whether or not a potential victimprogram has already been infected with this virus. When the program is invoked,control is immediately transferred to the main virus program. The virus programmay first seek out uninfected executable files and infect them. Next, the virus mayexecute its payload if the required trigger conditions, if any, are met. Finally, thevirus transfers control to the original program. If the infection phase of the programis reasonably rapid, a user is unlikely to notice any difference between the executionof an infected and an uninfected program.
19Compression Virus Logic A virus such as the one just described is easily detected because an infectedversion of a program is longer than the corresponding uninfected one. A way tothwart such a simple means of detecting a virus is to compress the executable fileso that both the infected and uninfected versions are of identical length. Figure 6.2shows in general terms the logic required. The key lines in this virus are numbered,and Figure 6.3 illustrates the operation.
20Virus Classifications targetconcealment strategyboot sector infectorinfects a master boot record or boot record and spreads when a system is booted from the disk containing the virusfile infectorinfects files that the operating system or shell considers to be executablemacro virusinfects files with macro or scripting code that is interpreted by an applicationmultipartite virusinfects files in multiple waysencrypted virusa portion of the virus creates a random encryption key and encrypts the remainder of the virusstealth virusa form of virus explicitly designed to hide itself from detection by anti-virus softwarepolymorphic virusa virus that mutates with every infectionmetamorphic virusa virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearanceThere has been a continuous arms race between virus writers and writers ofanti-virus software since viruses first appeared. As effective countermeasures aredeveloped for existing types of viruses, newer types are developed. There is nosimple or universally agreed upon classification scheme for viruses. In this section,we follow [AYCO06] and classify viruses along two orthogonal axes: the type oftarget the virus tries to infect and the method the virus uses to conceal itself fromdetection by users and anti-virus software.A virus classification by target includes the following categories:• Boot sector infector: Infects a master boot record or boot record and spreadswhen a system is booted from the disk containing the virus.• File infector: Infects files that the operating system or shell consider to beexecutable.• Macro virus : Infects files with macro or scripting code that is interpreted by anapplication.• Multipartite virus: Infects files in multiple ways. Typically, the multipartitevirus is capable of infecting multiple types of files, so that virus eradicationmust deal with all of the possible sites of infection.A virus classification by concealment strategy includes the following categories:• Encrypted virus: A typical approach is as follows. A portion of the virus createsa random encryption key and encrypts the remainder of the virus. The key isstored with the virus. When an infected program is invoked, the virus uses thestored random key to decrypt the virus. When the virus replicates, a differentrandom key is selected. Because the bulk of the virus is encrypted with a differentkey for each instance, there is no constant bit pattern to observe.Stealth virus : A form of virus explicitly designed to hide itself from detectionby anti-virus software. Thus, the entire virus, not just a payload is hidden. Itmay use both code mutation, for example compression, and rootkit techniquesto achieve this.• Polymorphic virus: A virus that mutates with every infection, making detectionby the “signature” of the virus impossible.• Metamorphic virus : As with a polymorphic virus, a metamorphic virus mutateswith every infection. The difference is that a metamorphic virus rewrites itselfcompletely at each iteration, increasing the difficulty of detection. Metamorphicviruses may change their behavior as well as their appearance.A polymorphic virus creates copies during replication that are functionally equivalentbut have distinctly different bit patterns, in order to defeat programs that scanfor viruses. In this case, the “signature” of the virus will vary with each copy. Toachieve this variation, the virus may randomly insert superfluous instructions orinterchange the order of independent instructions. A more effective approach is touse encryption. The strategy of the encryption virus is followed. The portion of thevirus that is responsible for generating keys and performing encryption/decryptionis referred to as the mutation engine . The mutation engine itself is altered witheach use.
22Worms program that actively seeks out more machines to infect each infected machine serves as an automated launching pad for attacks on other machinesexploits software vulnerabilities in client or server programscan use network connections to spread from system to systemspreads through shared mediaUSB drives, CD, DVD data disksThe next category of malware propagation concerns the exploit of softwarevulnerabilities, such as those we discuss in Chapters 10 and 11 , which are commonlyexploited by computer worms. A worm is a program that actively seeks outmore machines to infect, and then each infected machine serves as an automatedlaunching pad for attacks on other machines. Worm programs exploit softwarevulnerabilities in client or server programs to gain access to each new system. Theycan use network connections to spread from system to system. They can also spreadthrough shared media, such as USB drives or CD and DVD data disks.worms spread in macro or script code included in documents attached to orto instant messenger file transfers. Upon activation, the worm may replicate andpropagate again. In addition to propagation, the worm usually carries some form ofpayload, such as those we discuss later.The concept of a computer worm was introduced in John Brunner’s 1975 SFnovel The Shockwave Rider . The first known worm implementation was done inXerox Palo Alto Labs in the early 1980s. It was nonmalicious, searching for idlesystems to use to run a computationally intensive task.
23Wormsworms spread in macro or script code included in attachments and instant messenger file transfersupon activation the worm may replicate and propagate againusually carries some form of payloadfirst known implementation was done in Xerox Palo Alto Labs in the early 1980sThe next category of malware propagation concerns the exploit of softwarevulnerabilities, such as those we discuss in Chapters 10 and 11 , which are commonlyexploited by computer worms. A worm is a program that actively seeks outmore machines to infect, and then each infected machine serves as an automatedlaunching pad for attacks on other machines. Worm programs exploit softwarevulnerabilities in client or server programs to gain access to each new system. Theycan use network connections to spread from system to system. They can also spreadthrough shared media, such as USB drives or CD and DVD data disks.worms spread in macro or script code included in documents attached to orto instant messenger file transfers. Upon activation, the worm may replicate andpropagate again. In addition to propagation, the worm usually carries some form ofpayload, such as those we discuss later.The concept of a computer worm was introduced in John Brunner’s 1975 SFnovel The Shockwave Rider . The first known worm implementation was done inXerox Palo Alto Labs in the early 1980s. It was nonmalicious, searching for idlesystems to use to run a computationally intensive task.
24Worm Replication electronic mail or instant messenger facility worm s a copy of itself to other systemssends itself as an attachment via an instant message servicefile sharingcreates a copy of itself or infects a file as a virus on removable mediaremote execution capabilityworm executes a copy of itself on another systemremote file access or transfer capabilityworm uses a remote file access or transfer service to copy itself from one system to the otherTo replicate itself, a worm uses some means to access remote systems. Theseinclude the following, most of which are still seen in active use [SYMA11]:• Electronic mail or instant messenger facility: A worm s a copy of itself toother systems, or sends itself as an attachment via an of instant message service,so that its code is run when the or attachment is received or viewed.• File sharing: A worm either creates a copy of itself or infects other suitablefiles as a virus on removable media such as a USB drive; it then executes whenthe drive is connected to another system using the autorun mechanism byexploiting some software vulnerability, or when a user opens the infected fileon the target system.• Remote execution capability: A worm executes a copy of itself on anothersystem, either by using an explicit remote execution facility or by exploiting aprogram flaw in a network service to subvert its operations (as we discuss inChapters 10 and 11 ).• Remote file access or transfer capability: A worm uses a remote file access ortransfer service to another system to copy itself from one system to the other,where users on that system may then execute it.• Remote login capability: A worm logs onto a remote system as a user andthen uses commands to copy itself from one system to the other, where it thenexecutes.The new copy of the worm program is then run on the remote system where, inaddition to any payload functions that it performs on that system, it continues topropagate.A worm typically uses the same phases as a computer virus: dormant, propagation,triggering, and execution. The propagation phase generally performs thefollowing functions:• Search for appropriate access mechanisms to other systems to infect by examininghost tables, address books, buddy lists, trusted peers, and other similarrepositories of remote system access details; by scanning possible target hostaddresses; or by searching for suitable removable media devices to use.• Use the access mechanisms found to transfer a copy of itself to the remotesystem, and cause the copy to be run.The worm may also attempt to determine whether a system has previouslybeen infected before copying itself to the system. In a multiprogramming system,it can also disguise its presence by naming itself as a system process or using someother name that may not be noticed by a system operator. More recent worms caneven inject their code into existing processes on the system, and run using additionalthreads in that process, to further disguise their presence.remote login capabilityworm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
25Target Discovery Scanning (or fingerprinting) First function in the propagation phase for a network wormSearches for other systems to infectScanning strategies that a worm can use:RandomEach compromised host probes random addresses in the IP address space using a different seedThis produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launchedHit-listThe attacker first compiles a long list of potential vulnerable machinesOnce the list is compiled the attacker begins infecting machines on the listEach infected machine is provided with a portion of the list to scanThis results in a very short scanning period which may make it difficult to detect that infection is taking placeTopologicalThis method uses information contained on an infected victim machine to find more hosts to scanLocal subnetIf a host can be infected behind a firewall that host then looks for targets in its own local networkThe host uses the subnet address structure to find other hosts that would otherwise be protected by the firewallThe first function in the propagation phase for a network worm is for it to searchfor other systems to infect, a process known as scanning or fingerprinting. Forsuch worms, which exploit software vulnerabilities in remotely accessible networkservices, it must identify potential systems running the vulnerable service, and theninfect them. Then, typically, the worm code now installed on the infected machinesrepeats the same scanning process, until a large distributed network of infectedmachines is created.[MIRK04] lists the following types of network address scanning strategies thatsuch a worm can use:• Random: Each compromised host probes random addresses in the IP addressspace, using a different seed. This technique produces a high volume of Internettraffic, which may cause generalized disruption even before the actualattack is launched.• Hit-List: The attacker first compiles a long list of potential vulnerable machines.This can be a slow process done over a long period to avoid detection thatan attack is underway. Once the list is compiled, the attacker begins infectingmachines on the list. Each infected machine is provided with a portion of thelist to scan. This strategy results in a very short scanning period, which maymake it difficult to detect that infection is taking place.• Topological: This method uses information contained on an infected victimmachine to find more hosts to scan.• Local subnet: If a host can be infected behind a firewall, that host then looksfor targets in its own local network. The host uses the subnet address structureto find other hosts that would otherwise be protected by the firewall.
26Worm Propagation Model [ZOU05] describes a model for worm propagation based on an analysis of networkworm attacks at that time. The speed of propagation and the total number of hostsinfected depend on a number of factors, including the mode of propagation, thevulnerability or vulnerabilities exploited, and the degree of similarity to precedingattacks. For the latter factor, an attack that is a variation of a recent previous attackmay be countered more effectively than a more novel attack. Figure 6.4 showsthe dynamics for one typical set of parameters. Propagation proceeds through threephases. In the initial phase, the number of hosts increases exponentially. To seethat this is so, consider a simplified case in which a worm is launched from a singlehost and infects two nearby hosts. Each of these hosts infects two more hosts, andso on. This results in exponential growth. After a time, infecting hosts waste sometime attacking already infected hosts, which reduces the rate of infection. Duringthis middle phase, growth is approximately linear, but the rate of infection is rapid.When most vulnerable computers have been infected, the attack enters a slow finishphase as the worm seeks out those remaining hosts that are difficult to identify.Clearly, the objective in countering a worm is to catch the worm in its slowstart phase, at a time when few hosts have been infected.
27A well-designed worm can spread rapidly and infect massive numbers of hosts. It is useful to have a general model for the rate of worm propagation. Computer virusesand worms exhibit similar self-replication and propagation behavior to biologicalviruses. Thus we can look to classic epidemic models for understanding computervirus and worm propagation behavior.Figure 6.3 shows the dynamics of worm propagation using this model. Propagationproceeds through three phases. In the initial phase, the number of hostsincreases exponentially. To see that this is so, consider a simplified case in whicha worm is launched from a single host and infects two nearby hosts. Each of thesehosts infects two more hosts, and so on. This results in exponential growth. Aftera time, infecting hosts waste some time attacking already infected hosts, whichreduces the rate of infection. During this middle phase, growth is approximately linear,but the rate of infection is rapid. When most vulnerable computers have beeninfected, the attack enters a slow finish phase as the worm seeks out those remaininghosts that are difficult to identify.Clearly, the objective in countering a worm is to catch the worm in its slowstart phase, at a time when few hosts have been infected.Zou, et al [ZOU05] describe a model for worm propagation based on an analysisof network worm attacks at that time. The speed of propagation and the totalnumber of hosts infected depend on a number of factors, including the mode ofpropagation, the vulnerability or vulnerabilities exploited, and the degree of similarityto preceding attacks. For the latter factor, an attack that is a variation of arecent previous attack may be countered more effectively than a more novel attack.Zou’s model agrees closely with Figure 6.3.
28Morris Worm earliest significant worm infection released by Robert Morris in 1988designed to spread on UNIX systemsattempted to crack local password file to use login/password to logon to other systemsexploited a bug in the finger protocol which reports the whereabouts of a remote userexploited a trapdoor in the debug option of the remote process that receives and sends mailsuccessful attacks achieved communication with the operating system command interpretersent interpreter a bootstrap program to copy worm overArguably, the earliest significant, and hence well-known, worm infection wasreleased onto the Internet by Robert Morris in 1988 [ORMA03]. The Morrisworm was designed to spread on UNIX systems and used a number of differenttechniques for propagation. When a copy began execution, its first task was to discoverother hosts known to this host that would allow entry from this host. Theworm performed this task by examining a variety of lists and tables, including systemtables that declared which other machines were trusted by this host, users’ mail forwardingfiles, tables by which users gave themselves permission for access to remoteaccounts, and from a program that reported the status of network connections. Foreach discovered host, the worm tried a number of methods for gaining access:1. It attempted to log on to a remote host as a legitimate user. In this method, theworm first attempted to crack the local password file and then used the discoveredpasswords and corresponding user IDs. The assumption was that many users woulduse the same password on different systems. To obtain the passwords, the wormran a password-cracking program that trieda. Each user’s account name and simple permutations of itb. A list of 432 built-in passwords that Morris thought to be likely candidates 1c. All the words in the local system dictionary2. It exploited a bug in the UNIX finger protocol, which reports the whereaboutsof a remote user.3. It exploited a trapdoor in the debug option of the remote process that receivesand sends mail.If any of these attacks succeeded, the worm achieved communication with theoperating system command interpreter. It then sent this interpreter a short bootstrapprogram, issued a command to execute that program, and then logged off.The bootstrap program then called back the parent program and downloaded theremainder of the worm. The new worm was then executed.
29Recent Worm Attacks Melissa 1998 e-mail worm first to include virus, worm and Trojan in one packageCode RedJuly 2001exploited Microsoft IIS bugprobes random IP addressesconsumes significant Internet capacity when activeCode Red IIAugust 2001also targeted Microsoft IISinstalls a backdoor for accessNimdaSeptember 2001had worm, virus and mobile code characteristicsspread using , Windows shares, Web servers, Web clients, backdoorsSQL SlammerEarly 2003exploited a buffer overflow vulnerability in SQL servercompact and spread rapidlySobig.FLate 2003exploited open proxy servers to turn infected machines into spam enginesMydoom2004mass-mailing worminstalled a backdoor in infected machinesWarezov2006creates executables in system directoriessends itself as an attachmentcan disable security related productsConficker (Downadup)November 2008exploits a Windows buffer overflow vulnerabilitymost widespread infection since SQL SlammerStuxnet2010restricted rate of spread to reduce chance of detectiontargeted industrial control systemsThe Melissa worm that appeared in 1998 was the first of a new generation ofmalware that included aspects of virus, worm, and Trojan in one package [CASS01].Melissa made use of a Microsoft Word macro embedded in an attachment. If therecipient opens the attachment, the Word macro is activated. Then itsends itself to everyone on the mailing list in the user’s package, propagatingas a worm; and2. does local damage on the user’s system, including disabling some securitytools, and also copying itself into other documents, propagating as avirus; and3. if a trigger time was seen, it displayed a Simpson quote as its payload.In 1999, a more powerful version of this virus appeared. This versioncould be activated merely by opening an that contains the virus, ratherthan by opening an attachment. The virus uses the Visual Basic scripting languagesupported by the package.Melissa propagates itself as soon as it is activated (either by opening anattachment or by opening the ) to all of the addresses known to theinfected host. As a result, whereas viruses used to take months or years to propagate,this next generation of malware could do so in hours. [CASS01] notes that ittook only three days for Melissa to infect over 100,000 computers, compared to themonths it took the Brain virus to infect a few thousand computers a decade before.This makes it very difficult for anti-virus software to respond to new attacks beforemuch damage is done.The Code Red worm first appeared in July Code Red exploits a securityhole in the Microsoft Internet Information Server (IIS) to penetrate and spread.It also disables the system file checker in Windows. The worm probes random IPaddresses to spread to other hosts. During a certain period of time, it only spreads.It then initiates a denial-of-service attack against a government Web site by floodingthe site with packets from numerous hosts. The worm then suspends activitiesand reactivates periodically. In the second wave of attack, Code Red infected nearly360,000 servers in 14 hours. In addition to the havoc it caused at the targeted server,Code Red consumed enormous amounts of Internet capacity, disrupting service[MOOR02].Code Red II is another, distinct, variant that first appeared in August 2001,and also targeted Microsoft IIS. It tried to infect systems on the same subnet as theinfected system. Also, this newer worm installs a backdoor, allowing a hacker toremotely execute commands on victim computers.The Nimda worm that appeared in September 2001 also has worm, virus, andmobile code characteristics. It spread using a variety of distribution methods:• A user on a vulnerable host opens an infected attachment;Nimda looks for addresses on the host and then sends copies of itself tothose addresses.• Windows shares: Nimda scans hosts for unsecured Windows file shares; it canthen use NetBIOS86 as a transport mechanism to infect files on that host inthe hopes that a user will run an infected file, which will activate Nimda onthat host.• Web servers: Nimda scans Web servers, looking for known vulnerabilities inMicrosoft IIS. If it finds a vulnerable server, it attempts to transfer a copy ofitself to the server and infects it and its files.Web clients: If a vulnerable Web client visits a Web server that has beeninfected by Nimda, the client’s workstation will become infected.• Backdoors: If a workstation was infected by earlier worms, such as “Code RedII,” then Nimda will use the backdoor access left by these earlier infections toaccess the system.In early 2003, the SQL Slammer worm appeared. This worm exploited abuffer overflow vulnerability in Microsoft SQL server. The Slammer was extremelycompact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes.This rapid spread caused significant congestion on the Internet.Late 2003 saw the arrival of the Sobig.F worm, which exploited open proxyservers to turn infected machines into spam engines. At its peak, Sobig.F reportedlyaccounted for one in every 17 messages and produced more than one million copiesof itself within the first 24 hours.Mydoom is a mass-mailing worm that appeared in It followeda growing trend of installing a backdoor in infected computers, thereby enablinghackers to gain remote access to data such as passwords and credit card numbers.Mydoom replicated up to 1,000 times per minute and reportedly flooded theInternet with 100 million infected messages in 36 hours.The Warezov family of worms appeared in 2006 [KIRK06]. When the wormis launched, it creates several executables in system directories and sets itself torun every time Windows starts by creating a registry entry. Warezov scans severaltypes of files for addresses and sends itself as an attachment. Somevariants are capable of downloading other malware, such as Trojan horses andadware. Many variants disable security-related products and/or disable theirupdating capability.The Conficker (or Downadup) worm was first detected in November 2008and spread quickly to become one of the most widespread infections since SQLSlammer in 2003 [LAWT09]. It spread initially by exploiting a Windows bufferoverflow vulnerability, though later versions could also spread via USB drives andnetwork file shares. In 2010, it still comprised the second most common family ofmalware observed by Symantec [SYMA11], even though patches were availablefrom Microsoft to close the main vulnerabilities it exploits.In 2010, the Stuxnet worm was detected, though it had been spreading quietlyfor some time previously [CHEN11]. Unlike many previous worms, it deliberatelyrestricted its rate of spread to reduce its chance of detection. It also targeted industrialcontrol systems, most likely those associated with the Iranian nuclear program,with the likely aim of disrupting the operation of their equipment. It supported arange of propagation mechanisms, including via USB drives, network file shares,and using no less than four unknown, zero-day vulnerability exploits. Considerabledebate resulted from the size and complexity of its code, the use of an unprecedentedfour zero-day exploits, and the cost and effort apparent in its development.There are claims that it appears to be the first serious use of a cyberwarfare weaponagainst a nation’s physical infrastructure. The researchers at Symantec who analyzedStuxnet noted that while they were expecting to find espionage, they never expectedto see malware with targeted sabotage as its aim. As a result, greater attention is nowbeing directed at the use of malware as a weapon by a number of nations.
30Worm Technology multiplatform multi-exploit ultrafast spreading polymorphicmetamorphicThe state of the art in worm technology includes the following:• Multiplatform: Newer worms are not limited to Windows machines but canattack a variety of platforms, especially the popular varieties of UNIX; orexploit macro or scripting languages supported in popular document types.• Multi-exploit: New worms penetrate systems in a variety of ways, using exploitsagainst Web servers, browsers, , file sharing, and other network-basedapplications; or via shared media.• Ultrafast spreading: Exploit various techniques to optimize the rate of spreadof a worm to maximize its likelihood of locating as many vulnerable machinesas possible in a short time period.• Polymorphic: To evade detection, skip past filters, and foil real-time analysis,worms adopt the virus polymorphic technique. Each copy of the worm hasnew code generated on the fly using functionally equivalent instructions andencryption techniques.• Metamorphic: In addition to changing their appearance, metamorphic wormshave a repertoire of behavior patterns that are unleashed at different stages ofpropagation.• Transport vehicles: Because worms can rapidly compromise a large number ofsystems, they are ideal for spreading a wide variety of malicious payloads, such asdistributed denial-of-service bots, rootkits, spam generators, and spyware.• Zero-day exploit : To achieve maximum surprise and distribution, a wormshould exploit an unknown vulnerability that is only discovered by the generalnetwork community when the worm is launched.Zero-day exploit
31Code-Red WormOn July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hoursSpreadCS 450/650 Lecture 16: Malicious Codes
32Sapphire/Slammer Worm was the fastest computer worm in historydoubled in size every 8.5 secondsinfected more than 90 percent of vulnerable ~75K hosts within 10 minutes.CS 450/650 Lecture 16: Malicious Codes
33Witty Worm reached its peak activity after approximately 45 minutes at which point the majority of vulnerable hosts had been infectedWorldUSACS 450/650 Lecture 16: Malicious Codes
35Mobile Phone Worms Cabir worm in 2004 Lasco and CommWarrior in 2005 communicate through Bluetooth wireless connections or MMStarget is the smartphonecan completely disable the phone, delete data on the phone, or force the device to send costly messagesCommWarrior replicates by means of Bluetoothsends itself as an MMS file to contacts andas an auto reply to incoming text messagesWorms first appeared on mobile phones with the discovery of the Cabir worm in2004, and then Lasco and CommWarrior in These worms communicate throughBluetooth wireless connections or via the multimedia messaging service (MMS).The target is the smartphone, which is a mobile phone that permits users to installsoftware applications from sources other than the cellular network operator. Allthese early mobile worms targeted mobile phones using the Symbian operatingsystem. More recent malware targets Android and iPhone systems. Mobile phonemalware can completely disable the phone, delete data on the phone, or force thedevice to send costly messages to premium-priced numbers.The CommWarrior worm replicates by means of Bluetooth to other phonesin the receiving area. It also sends itself as an MMS file to numbers in the phone’saddress book and in automatic replies to incoming text messages and MMS messages.In addition, it copies itself to the removable memory card and inserts itselfinto the program installation files on the phone.
36Drive-By-Downloads exploits browser vulnerabilities to download and install malware on the systemwhen a user views a Web page controlled by the attackerin most cases does not actively propagatespreads when users visit the malicious Web pageAnother approach to exploiting software vulnerabilities involves the exploit ofbugs in user applications to install malware. One common approach to this exploitsbrowser vulnerabilities so that when the user views a Web page controlled by theattacker, it contains code that exploits the browser bug to download and installmalware on the system without the user’s knowledge or consent. This is known asa drive-by-download and is a common exploit in recent attack kits. In most cases,this malware does not actively propagate as a worm does, but rather waits for unsuspectingusers to visit the malicious Web page in order to spread to their systems.Related variants can exploit bugs in common clients, such as the Klezmass-mailing worm seen in October 2001, which targeted a bug in the HTMLhandling in Microsoft’s Outlook and Outlook Express programs to automaticallyrun itself. Or, such malware may target common PDF viewers to also download andinstall malware without the user’s consent when they view a malicious PDF document[STEV11]. Such documents may be spread by spam , or be part of atargeted phishing attack, as we discuss next.
38Social Engineering“tricking” users to assist in the compromise of their own systemsspamTrojan horsemobile phone trojansprogram or utility containing harmful hidden codeunsolicited bulkfirst appeared in 2004 (Skuller)The final category of malware propagation we consider involves social engineering,“tricking” users to assist in the compromise of their own systems or personalinformation. This can occur when a user views and responds to some SPAM, or permits the installation and execution of some Trojan horse program orscripting code.Spam (Unsolicited Bulk)With the explosive growth of the Internet over the last few decades, the widespreaduse of , and the extremely low cost required to send large volumesof , has come the rise of unsolicited bulk , commonly known as spam.A number of recent estimates suggest that spam may account for 90% ormore of all sent. This imposes significant costs on both the network infrastructureneeded to relay this traffic, and on users who need to filter their legitimates out of this flood. In response to this explosive growth, there has been theequally rapid growth of the anti-spam industry that provides products to detect andfilter spam s. This has led to an arms race between the spammers devisingtechniques to sneak their content through, and with the defenders efforts to blockthem [KREI09].While some spam is sent from legitimate mail servers, most recent spam issent by botnets using compromised user systems, as we discuss in Section Asignificant portion of spam content is just advertising, trying to convincethe recipient to purchase some product online, such as pharmaceuticals, or used inscams, such as stock scams or money mule job ads. But spam is also a significantcarrier of malware. The may have an attached document, which, if opened,may exploit a software vulnerability to install malware on the user’s system, as wediscussed in the previous section. Or, it may have an attached Trojan horse programor scripting code that, if run, also installs malware on the user’s system. Sometrojans avoid the need for user agreement by exploiting a software vulnerability inorder to install themselves, as we discuss next. Finally the spam may be used in aphishing attack, typically directing the user either to a fake Web site that mirrorssome legitimate service, such as an online banking site, where it attempts to capturethe user’s login and password details; or to complete some form with sufficientpersonal details to allow the attacker to impersonate the user in an identity theft.All of these uses make spam s a significant security concern. However, inmany cases, it requires the user’s active choice to view the and any attacheddocument, or to permit the installation of some program, in order for the compromiseto occur.Trojan HorsesA Trojan horse 2 is a useful, or apparently useful, program or utility containinghidden code that, when invoked, performs some unwanted or harmful function.Trojan horse programs can be used to accomplish functions indirectly thatthe attacker could not accomplish directly. For example, to gain access to sensitive,personal information stored in the files of a user, an attacker could create a Trojanhorse program that, when executed, scans the user’s files for the desired sensitiveinformation and sends a copy of it to the attacker via a Web form or or textmessage. The author could then entice users to run the program by incorporating itinto a game or useful utility program, and making it available via a known softwaredistribution site or app store. This approach has been used recently with utilitiesthat “claim” to be the latest anti-virus scanner, or security update, for systems, butwhich are actually malicious trojans, often carrying payloads such as spyware thatsearches for banking credentials. Hence, users need to take precautions to validatethe source of any software they install.Trojan horses fit into one of three models:• Continuing to perform the function of the original program and additionallyperforming a separate malicious activity• Continuing to perform the function of the original program but modifying thefunction to perform malicious activity (e.g., a Trojan horse version of a loginprogram that collects passwords) or to disguise other malicious activity (e.g., aTrojan horse version of a process listing program that does not display certainprocesses that are malicious)• Performing a malicious function that completely replaces the function of theoriginal programSome trojans avoid the requirement for user assistance by exploiting some softwarevulnerability to enable their automatic installation and execution. In this theyshare some features of a worm, but unlike it, they do not replicate. A prominentexample of such an attack was the Hydraq Trojan used in Operation Aurora in2009 and early This exploited a vulnerability in Internet Explorer to installitself, and targeted several high-profile companies [SYMA11]. It was typicallydistributed using either spam or via a compromised Web site using a “driveby-download.”Mobile Phone TrojansMobile phone trojans also first appeared in 2004 with the discovery of Skuller. Aswith mobile worms, the target is the smartphone, and the early mobile trojans targetedSymbian phones. More recently, a number of trojans have been detected thattarget Android phones and Apple iPhones.In 2011, Google removed a number of apps from the Android Market thatwere trojans containing the DroidDream malware. This is a powerful zombie agentthat exploited vulnerabilities in some versions of Android used at this time to gainfull access to the system to monitor data and install additional code.The tighter controls that Apple impose on their app store, mean that mostiPhone trojans seen to date target “jail-broken” phones, and are distributed viaunofficial sites. However a number of versions of the iPhone O/S included someform of graphic or PDF vulnerability. Indeed these vulnerabilities were the mainmeans used to “jail-break” the phones. But they also provided a path that malwarecould use to target the phones. While Apple has fixed a number of these vulnerabilities,new variants continued to be discovered. This is yet another illustration of justhow difficult it is, for even well resourced organizations, to write secure softwarewithin a complex system, such as an operating system. We return to this topic inChapters 10 and 11 .significant carrier of malwareaccomplish functions that the attacker can not access directlytarget is the smartphoneused for phishing attacks
39System Corruption data destruction Chernobyl virus Klez ransomware first seen in 1998Windows 95 and 98 virusinfects executable files and corrupts the entire file system when a trigger date is reachedKlezmass mailing worm infecting Windows 95 to XP systemson trigger date causes files on the hard drive to become emptyransomwareencrypts the user’s data and demands payment in order to access the key needed to recover the informationPC Cyborg Trojan (1989)Gpcode Trojan (2006)Once malware is active on the target system, the next concern is what actions itwill take on this system. That is, what payload does it carry. Some malware has anonexistent or nonfunctional payload. Its only purpose, either deliberate or due toaccidental early release, is to spread. More commonly, it carries one or more payloadsthat perform covert actions for the attacker.An early payload seen in a number of viruses and worms resulted in datadestruction on the infected system when certain trigger conditions were met[WEAV03]. A related payload is one that displays unwanted messages or contenton the user’s system when triggered. More seriously, another variant attempts toinflict real-world damage on the system. All of these actions target the integrity ofthe computer system’s software or hardware, or of the user’s data. These changesmay not occur immediately, but only when specific trigger conditions are met thatsatisfy their logic-bomb code.The Chernobyl virus is an early example of a destructive parasitic memory-residentWindows-95 and 98 virus, that was first seen in It infects executable files whenthey’re opened. And when a trigger date is reached, it deletes data on the infectedsystem by overwriting the first megabyte of the hard drive with zeroes, resulting inmassive corruption of the entire file system. This first occurred on April 26, 1999,when estimates suggest more than one million computers were affected.Similarly, the Klez mass-mailing worm is an early example of a destructiveworm infecting Windows-95 to XP systems, and was first seen in October Itspreads by ing copies of itself to addresses found in the address book and infiles on the system. It can stop and delete some anti-virus programs running on thesystem. On trigger dates, being the 13th of several months each year, it causes fileson the local hard drive to become empty.As an alternative to just destroying data, some malware encrypts the user’sdata, and demands payment in order to access the key needed to recover this information.This is sometimes known as ransomware . The PC Cyborg Trojan seen in1989 was an early example of this. However, around mid-2006, a number of wormsand trojans appeared, such as the Gpcode Trojan, that used public-key cryptographywith increasingly larger key sizes to encrypt data. The user needed to paya ransom, or to make a purchase from certain sites, in order to receive the key todecrypt this data. While earlier instances used weaker cryptography that could becracked without paying the ransom, the later versions using public-key cryptographywith large key sizes could not be broken this way.
40System Corruption real-world damage logic bomb causes damage to physical equipmentChernobyl virus rewrites BIOS codeStuxnet wormtargets specific industrial control system softwarethere are concerns about using sophisticated targeted malware for industrial sabotagelogic bombcode embedded in the malware that is set to “explode” when certain conditions are metA further variant of system corruption payloads aims to cause damage to physicalequipment. The infected system is clearly the device most easily targeted. TheChernobyl virus mentioned above not only corrupts data, but attempts to rewritethe BIOS code used to initially boot the computer. If it is successful, the boot processfails, and the system is unusable until the BIOS chip is either re-programmed orreplaced.More recently, the Stuxnet worm that we discussed previously targets somespecific industrial control system software as its key payload [CHEN11]. If controlsystems using certain Siemens industrial control software with a specific configurationof devices are infected, then the worm replaces the original control code with codethat deliberately drives the controlled equipment outside its normal operating range,resulting in the failure of the attached equipment. The centrifuges used in the Iranianuranium enrichment program were strongly suspected as the target, with reports ofmuch higher than normal failure rates observed in them over the period when thisworm was active. As noted in our earlier discussion, this has raised concerns over theuse of sophisticated targeted malware for industrial sabotage.A key component of data corrupting malware is the logic bomb. The logic bomb iscode embedded in the malware that is set to “explode” when certain conditions aremet. Examples of conditions that can be used as triggers for a logic bomb are the presenceor absence of certain files or devices on the system, a particular day of the weekor date, a particular version or configuration of some software, or a particular userrunning the application. Once triggered, a bomb may alter or delete data or entire files,cause a machine halt, or do some other damage. All of the examples we describe in thissection include such code.A striking example of how logic bombs can be employed was the case of TimLloyd, who was convicted of setting a logic bomb that cost his employer, OmegaEngineering, more than $10 million, derailed its corporate growth strategy, andeventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd wassentenced to 41 months in prison and ordered to pay $2 million in restitution.
41Attack Agents: Botstakes over another Internet attached computer and uses that computer to launch or manage attacksBotnet: collection of bots capable of acting in a coordinated mannerdistributed denial-of-service (DDoS) attacksspammingsniffing traffickeyloggingspreading new malwareinstalling advertisement add-ons and browser helper objects attacking IRC chat networksmanipulating online polls/gamesThe next category of payload we discuss is where the malware subverts the computationaland network resources of the infected system for use by the attacker.Such a system is known as a bot (robot), zombie or drone, and secretly takes overanother Internet-attached computer and then uses that computer to launch or manageattacks that are difficult to trace to the bot’s creator. The bot is typically plantedon hundreds or thousands of computers belonging to unsuspecting third parties.The collection of bots often is capable of acting in a coordinated manner; such acollection is referred to as a botnet . This type of payload attacks the integrity andavailability of the infected system.Uses of Bots[HONE05] lists the following uses of bots:• Distributed denial-of-service (DDoS) attacks: A DDoS attack is an attack ona computer system or network that causes a loss of service to users. We examineDDoS attacks in Chapter 7 .• Spamming: With the help of a botnet and thousands of bots, an attacker is ableto send massive amounts of bulk (spam).• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartextdata passing by a compromised machine. The sniffers are mostly used toretrieve sensitive information like usernames and passwords.Keylogging: If the compromised machine uses encrypted communicationchannels (e.g. HTTPS or POP3S), then just sniffing the network packets onthe victim’s computer is useless because the appropriate key to decrypt thepackets is missing. But by using a keylogger, which captures keystrokes on theinfected machine, an attacker can retrieve sensitive information.• Spreading new malware: Botnets are used to spread new bots. This is veryeasy since all bots implement mechanisms to download and execute a file viaHTTP or FTP. A botnet with 10,000 hosts that acts as the start base for aworm or mail virus allows very fast spreading and thus causes more harm.• Installing advertisement add-ons and browser helper objects (BHOs): Botnetscan also be used to gain financial advantages. This works by setting up a fakeWeb site with some advertisements: The operator of this Web site negotiates adeal with some hosting companies that pay for clicks on ads. With the help ofa botnet, these clicks can be “automated” so that instantly a few thousand botsclick on the pop-ups. This process can be further enhanced if the bot hijacksthe start-page of a compromised machine so that the “clicks” are executedeach time the victim uses the browser.• Attacking IRC chat networks: Botnets are also used for attacks againstInternet Relay Chat (IRC) networks. Popular among attackers is especiallythe so-called clone attack: In this kind of attack, the controller orders each botto connect a large number of clones to the victim IRC network. The victim isflooded by service requests from thousands of bots or thousands of channeljoinsby these cloned bots. In this way, the victim IRC network is broughtdown, similar to a DDoS attack.• Manipulating online polls/games: Online polls/games are getting more andmore attention and it is rather easy to manipulate them with botnets. Sinceevery bot has a distinct IP address, every vote will have the same credibility asa vote cast by a real person. Online games can be manipulated in a similar way.
42Remote Control Facility distinguishes a bot from a wormworm propagates itself and activates itselfbot is initially controlled from some central facilitytypical means of implementing the remote control facility is on an IRC serverbots join a specific channel on this server and treat incoming messages as commandsmore recent botnets use covert communication channels via protocols such as HTTPdistributed control mechanisms use peer-to-peer protocols to avoid a single point of failureThe remote control facility is what distinguishes a bot from a worm. A worm propagatesitself and activates itself, whereas a bot is controlled from some central facility,at least initially.A typical means of implementing the remote control facility is on an IRCserver. All bots join a specific channel on this server and treat incoming messagesas commands. More recent botnets tend to avoid IRC mechanisms and use covertcommunication channels via protocols such as HTTP. Distributed control mechanisms,using peer-to-peer protocols, are also used, to avoid a single point of failure.Once a communications path is established between a control module andthe bots, the control module can activate the bots. In its simplest form, the controlmodule simply issues command to the bot that causes the bot to execute routinesthat are already implemented in the bot. For greater flexibility, the control modulecan issue update commands that instruct the bots to download a file from someInternet location and execute it. The bot in this latter case becomes a more general purposetool that can be used for multiple attacks.
43Information Theft keylogger spyware captures keystrokes to allow attacker to monitor sensitive informationtypically uses some form of filtering mechanism that only returns information close to keywords“login”, “password”spywaresubverts the compromised machine to allow monitoring of a wide range of activity on the systemmonitoring history and content of browsing activityredirecting certain Web page requests to fake sitesdynamically modifying data exchanged between the browser and certain Web sites of interestWe now consider payloads where the malware gathers data stored on the infectedsystem for use by the attacker. A common target is the user’s login and passwordcredentials to banking, gaming, and related sites, which the attacker then uses toimpersonate the user to access these sites for gain. Less commonly, the payload maytarget documents or system configuration details for the purpose of reconnaissanceor espionage. These attacks target the confidentiality of this information.Credential Theft, Keyloggers, and SpywareTypically, users send their login and password credentials to banking, gaming, andrelated sites over encrypted communication channels (e.g., HTTPS or POP3S),which protects them from capture by monitoring network packets. To bypass this,an attacker can install a keylogger , which captures keystrokes on the infectedmachine to allow an attacker to monitor this sensitive information. Since this wouldresult in the attacker receiving a copy of all text entered on the compromisedmachine, keyloggers typical implement some form of filtering mechanism thatonly returns information close to desired keywords (e.g., “login” or “password” or“paypal.com”).In response to the use of keyloggers, some banking and other sites switched tousing a graphical applet to enter critical information, such as passwords. Since thesedo not use text entered via the keyboard, traditional keyloggers do not capture thisinformation. In response, attackers developed more general spyware payloads,which subvert the compromised machine to allow monitoring of a wide range ofactivity on the system. This may include monitoring the history and content ofbrowsing activity, redirecting certain Web page requests to fake sites controlled bythe attacker, and dynamically modifying data exchanged between the browser andcertain Web sites of interest. All of which can result in significant compromise ofthe user’s personal information.The Zeus banking Trojan, created from its crimeware toolkit, is a prominentexample of such spyware that has been widely deployed in recent years [BINS10].It steals banking and financial credentials using both a keylogger and capturing andpossibly altering form data for certain Web sites. It is typically deployed using eitherspam s or via a compromised Web site in a “drive-by-download.”
44Information Theft: Phishing exploits social engineering to leverage a user’s trustby masquerading as communication from a trusted sourceinclude a URL in a spam that links to a fake Web site that mimics the login page ofa banking, gaming, or similar sitesuggests that urgent action is required by the user to authenticate their accountexploits the account using captured credentialsAnother approach used to capture a user’s login and password credentials is toinclude a URL in a spam that links to a fake Web site controlled by theattacker, but which mimics the login page of some banking, gaming, or similar site.This is normally included in some message suggesting that urgent action is requiredby the user to authenticate their account, to prevent it being locked. If the user iscareless, and doesn’t realize that they are being conned, then following the link andsupplying the requested details will certainly result in the attackers exploiting theiraccount using the captured credentials.More generally, such a spam may direct a user to a fake Web sitecontrolled by the attacker, or to complete some enclosed form and return to anaccessible to the attacker, which is used to gather a range of private, personal, informationon the user. Given sufficient details, the attacker can then “assume” the user’sidentity for the purpose of obtaining credit, or sensitive access to other resources.This is known as a phishing attack and exploits social engineering to leverage user’strust by masquerading as communications from a trusted source [GOLD10].Such general spam s are typically widely distributed to very large numbersof users, often via a botnet. While the content will not match appropriatetrusted sources for a significant fraction of the recipients, the attackers rely on itreaching sufficient users of the named trusted source, a gullible portion of whomwill respond, for it to be profitable.A more dangerous variant of this is the spear-phishing attack. This again is anclaiming to be from a trusted source. However, the recipients are carefullyresearched by the attacker, and each is carefully crafted to suit its recipient specifically,often quoting a range of information to convince them of its authenticity. Thisgreatly increases the likelihood of the recipient responding as desired by the attacker.Reconnaissance and EspionageCredential theft and identity theft are special cases of a more general reconnaissancepayload, which aims to obtain certain types of desired information and returnthis to the attacker. These special cases are certainly the most common; however,other targets are known. Operation Aurora in 2009 used a Trojan to gain accessto and potentially modify source code repositories at a range of high tech, security,and defense contractor companies [SYMA11]. The Stuxnet worm discoveredin 2010 included capture of hardware and software configuration details in order todetermine whether it had compromised the specific desired target systems. Earlyversions of this worm returned this same information, which was then used todevelop the attacks deployed in later versions [CHEN11].
45Information Theft: Phishing spear-phishingrecipients are carefully researched by the attackeris crafted to specifically suit its recipient,often quoting a range of information to convince them of its authenticityAnother approach used to capture a user’s login and password credentials is toinclude a URL in a spam that links to a fake Web site controlled by theattacker, but which mimics the login page of some banking, gaming, or similar site.This is normally included in some message suggesting that urgent action is requiredby the user to authenticate their account, to prevent it being locked. If the user iscareless, and doesn’t realize that they are being conned, then following the link andsupplying the requested details will certainly result in the attackers exploiting theiraccount using the captured credentials.More generally, such a spam may direct a user to a fake Web sitecontrolled by the attacker, or to complete some enclosed form and return to anaccessible to the attacker, which is used to gather a range of private, personal, informationon the user. Given sufficient details, the attacker can then “assume” the user’sidentity for the purpose of obtaining credit, or sensitive access to other resources.This is known as a phishing attack and exploits social engineering to leverage user’strust by masquerading as communications from a trusted source [GOLD10].Such general spam s are typically widely distributed to very large numbersof users, often via a botnet. While the content will not match appropriatetrusted sources for a significant fraction of the recipients, the attackers rely on itreaching sufficient users of the named trusted source, a gullible portion of whomwill respond, for it to be profitable.A more dangerous variant of this is the spear-phishing attack. This again is anclaiming to be from a trusted source. However, the recipients are carefullyresearched by the attacker, and each is carefully crafted to suit its recipient specifically,often quoting a range of information to convince them of its authenticity. Thisgreatly increases the likelihood of the recipient responding as desired by the attacker.Reconnaissance and EspionageCredential theft and identity theft are special cases of a more general reconnaissancepayload, which aims to obtain certain types of desired information and returnthis to the attacker. These special cases are certainly the most common; however,other targets are known. Operation Aurora in 2009 used a Trojan to gain accessto and potentially modify source code repositories at a range of high tech, security,and defense contractor companies [SYMA11]. The Stuxnet worm discoveredin 2010 included capture of hardware and software configuration details in order todetermine whether it had compromised the specific desired target systems. Earlyversions of this worm returned this same information, which was then used todevelop the attacks deployed in later versions [CHEN11].
46Stealthing: Backdoor, Trapdoor secret entry point into a program allowing the attacker to gain access and bypass the security access proceduresmaintenance hook is a backdoor used by programmers to debug and test programsdifficult to implement operating system controls for backdoors in applicationsThe final category of payload we discuss concerns techniques used by malware tohide its presence on the infected system, and to provide covert access to that system.This type of payload also attacks the integrity of the infected system.BackdoorA backdoor , also known as a trapdoor , is a secret entry point into a programthat allows someone who is aware of the backdoor to gain access without goingthrough the usual security access procedures. Programmers have used backdoorslegitimately for many years to debug and test programs; such a backdoor is calleda maintenance hook . This usually is done when the programmer is developing anapplication that has an authentication procedure, or a long setup, requiring the userto enter many different values to run the application. To debug the program, thedeveloper may wish to gain special privileges or to avoid all the necessary setup andauthentication. The programmer may also want to ensure that there is a method ofactivating the program should something be wrong with the authentication procedurethat is being built into the application. The backdoor is code that recognizessome special sequence of input or is triggered by being run from a certain user ID orby an unlikely sequence of events.Backdoors become threats when unscrupulous programmers use them togain unauthorized access. The backdoor was the basic idea for the vulnerabilityportrayed in the movie War Games . Another example is that during the developmentof Multics, penetration tests were conducted by an Air Force “tiger team”(simulating adversaries). One tactic employed was to send a bogus operating systemupdate to a site running Multics. The update contained a Trojan horse that could beactivated by a backdoor and that allowed the tiger team to gain access. The threatwas so well implemented that the Multics developers could not find it, even afterthey were informed of its presence [ENGE80].In more recent times, a backdoor is usually implemented as a network servicelistening on some non-standard port that the attacker can connect to and issuecommands through to be run on the compromised system.It is difficult to implement operating system controls for backdoors inapplications. Security measures must focus on the program development andsoftware update activities, and on programs that wish to offer a network service.
47Stealthing: Rootkitset of hidden programs installed on a system to maintain covert access to that systemhides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computergives admin privileges to attackercan add or change programs and files,monitor processes,send and receive network traffic, andget backdoor access on demandA rootkit is a set of programs installed on a system to maintain covert access to thatsystem with administrator (or root) 3 privileges, while hiding evidence of its presenceto the greatest extent possible. This provides access to all the functions andservices of the operating system. The rootkit alters the host’s standard functionalityin a malicious and stealthy way. With root access, an attacker has complete controlof the system and can add or change programs and files, monitor processes, send andreceive network traffic, and get backdoor access on demand.A rootkit can make many changes to a system to hide its existence, makingit difficult for the user to determine that the rootkit is present and to identify whatchanges have been made. In essence, a rootkit hides by subverting the mechanismsthat monitor and report on the processes, files, and registries on a computer.
48Rootkit Classification Characteristics persistentmemory baseduser modekernel modevirtual machine basedexternal modeA rootkit can be classified using the following characteristics:• Persistent: Activates each time the system boots. The rootkit must store codein a persistent store, such as the registry or file system, and configure a methodby which the code executes without user intervention. This means it is easierto detect, as the copy in persistent storage can potentially be scanned.• Memory based: Has no persistent code and therefore cannot survive a reboot.However, because it is only in memory, it can be harder to detect.• User mode: Intercepts calls to APIs (application program interfaces) and modifiesreturned results. For example, when an application performs a directorylisting, the return results don’t include entries identifying the files associatedwith the rootkit.• Kernel mode: Can intercept calls to native APIs in kernel mode. 4 The rootkitcan also hide the presence of a malware process by removing it from thekernel’s list of active processes.• Virtual machine based: This type of rootkit installs a lightweight virtualmachine monitor, and then runs the operating system in a virtual machineabove it. The rootkit can then transparently intercept and modify states andevents occurring in the virtualized system.• External mode: The malware is located outside the normal operation modeof the targeted system, in BIOS or system management mode, where it candirectly access hardware.This classification shows a continuing arms race between rootkit authors, whoexploit ever more stealthy mechanisms to hide their code, and those who developmechanisms to harden systems against such subversion, or to detect when it hasoccurred. Much of this advance is associated with finding “layer-below” forms ofattack. The early rootkits worked in user mode, modifying utility programs andlibraries in order to hide their presence. The changes they made could be detectedby code in the kernel, as this operated in the layer below the user. Later-generationrootkits used more stealthy techniques, as we discuss next.
49System Call Table Modification The next generation of rootkits moved down a layer, making changes inside thekernel and co-existing with the operating systems code, in order to make theirdetection much harder. Any “anti-virus” program would now be subject to thesame “low-level” modifications that the rootkit uses to hide its presence. However,methods were developed to detect these changes.Programs operating at the user level interact with the kernel through systemcalls. Thus, system calls are a primary target of kernel-level rootkits to achieve concealment.As an example of how rootkits operate, we look at the implementation ofsystem calls in Linux. In Linux, each system call is assigned a unique syscall number .When a user-mode process executes a system call, the process refers to the systemcall by this number. The kernel maintains a system call table with one entry persystem call routine; each entry contains a pointer to the corresponding routine. Thesyscall number serves as an index into the system call table.[LEVI06] lists three techniques that can be used to change system calls:• Modify the system call table: The attacker modifies selected syscall addressesstored in the system call table. This enables the rootkit to direct a system callaway from the legitimate routine to the rootkit’s replacement. Figure 6.5shows how the knark rootkit achieves this.Modify system call table targets: The attacker overwrites selected legitimatesystem call routines with malicious code. The system call table is not changed.• Redirect the system call table: The attacker redirects references to the entiresystem call table to a new table in a new kernel memory location.
50Countermeasure Approaches ideal solution to the threat of malware is preventionif prevention fails, technical mechanisms can be used to support the following threat mitigation options:detectionidentificationremovalmain elements of prevention:policyawarenessvulnerability mitigationthreat mitigationThe ideal solution to the threat of malware is prevention: Do not allow malware toto harden systems and users in preventing infection can significantlyThis goal is, in general, nearly impossible to achieve, although taking suitable countermeasuresget into the system in the first place, or block the ability of it to modify the system.reduce the number of successful malware attacks. [NIST05] suggests there are fourfor implementing appropriate preventative countermeasures.mitigation. Having a suitable policy to address malware prevention provides a basismain elements of prevention: policy, awareness, vulnerability mitigation, and threatOne of the first countermeasures that should be employed is to ensure allappropriate access controls on the applications and data stored on the system, tonumber of vulnerabilities that might be exploited on the system. The next is to setsystems are as current as possible, with all patches applied, in order to reduce thereduce the number of files that any user can access, and hence potentially infect orWe discuss them further in Chapter 12 when we discuss hardening operating s systemstarget the key propagation mechanisms used by worms, viruses, and some trojans.corrupt, as a result of them executing some malware code. These measures directlyand applications.engineering attack, can be countered using appropriate user awareness and training.The third common propagation mechanism, which targets users in a socialThis aims to equip users to be more aware of these attacks, and less likely toawareness issues. We return to this topic in Chapter 17 .take actions that result in their compromise. [NIST05] provides examples of suitablefollowing threat mitigation options:If prevention fails, then technical mechanisms can be used to support theand locate the malware.• Detection: Once the infection has occurred, determine that it has occurred• Identification: Once detection has been achieved, identify the specific malwarethat has infected the system.malware virus from all infected systems so that it cannot spread further.• Removal: Once the specific malware has been identified, remove all traces ofalternative is to discard any infected or malicious files and reload a clean backupIf detection succeeds but either identification or removal is not possible, then thewipe of all storage, and rebuild of the infected system from known clean media.version. In the case of some particularly nasty infections, this may require a completeTo begin, let us consider some requirements for effective malware countermeasures:• Generality: The approach taken should be able to handle a wide variety of attacks.infected programs or systems and the consequent activity.• Timeliness: The approach should respond quickly so as to limit the number of• Resiliency: The approach should be resistant to evasion techniques employedby attackers to hide the presence of their malware.in capacity or service due to the actions of the countermeasure software,• Minimal denial-of-service costs: The approach should result in minimal reductionand should not significantly disrupt normal operation.modification to existing (legacy) OSs, application software, and hardware.• Transparency: The countermeasure software and devices should not require• Global and local coverage: The approach should be able to deal with attackAchieving all these requirements often requires the use of multiple approaches.sources both from outside and inside the enterprise network.Detection of the presence of malware can occur in a number of locations. Itof programs running on the system. Or, it may take place as part of the perimeterrunning, monitoring data imported into the system, and the execution and behaviormay occur on the infected system, where some host-based “anti-virus” program isfrom both host-based and perimeter sensors, potentially over a large number ofsystems (IDS). Lastly, detection may use distributed mechanisms that gather datasecurity mechanisms used in an organization’s firewall and intrusion detectionof malware. We now consider each of these approaches in more detail.networks and organizations, in order to obtain the largest scale view of the movement
51Generations of Anti-Virus Software first generation: simple scannersrequires a malware signature to identify the malwarelimited to the detection of known malwaresecond generation: heuristic scannersuses heuristic rules to search for probable malware instancesanother approach is integrity checkingthird generation: activity trapsmemory-resident programs that identify malware by its actions rather than its structure in an infected programfourth generation: full-featured protectionpackages consisting of a variety of anti-virus techniques used in conjunctioninclude scanning and activity trap components and access control capabilityThe first location where anti-virus software is used is on each end system. This givesthe software the maximum access to information on not only the behavior of themalware as it interacts with the targeted system, but also the smallest overall viewof malware activity. The use of anti-virus software on personal computers is nowwidespread, in part caused by the explosive growth in malware volume and activity.Advances in virus and other malware technology, and in anti-virus technology andother countermeasures, go hand in hand. Early malware used relatively simple andeasily detected code, and hence could be identified and purged with relatively simpleanti-virus software packages. As the malware arms race has evolved, both the malwarecode and, necessarily, anti-virus software have grown more complex and sophisticated.[STEP93] identifies four generations of anti-virus software:• First generation: simple scanners• Second generation: heuristic scannersThird generation: activity traps• Fourth generation: full-featured protectionA first-generation scanner requires a malware signature to identify the malware.The signature may contain “wildcards” but matches essentially the same structureand bit pattern in all copies of the malware. Such signature-specific scanners arelimited to the detection of known malware. Another type of first-generation scannermaintains a record of the length of programs and looks for changes in length as aresult of virus infection.A second-generation scanner does not rely on a specific signature. Rather, thescanner uses heuristic rules to search for probable malware instances. One class ofsuch scanners looks for fragments of code that are often associated with malware.For example, a scanner may look for the beginning of an encryption loop used in apolymorphic virus and discover the encryption key. Once the key is discovered, thescanner can decrypt the malware to identify it, then remove the infection and returnthe program to service.Another second-generation approach is integrity checking. A checksumcan be appended to each program. If malware alters or replaces some programwithout changing the checksum, then an integrity check will catch this change.To counter malware that is sophisticated enough to change the checksum whenit alters a program, an encrypted hash function can be used. The encryption keyis stored separately from the program so that the malware cannot generate a newhash code and encrypt that. By using a hash function rather than a simpler checksum,the malware is prevented from adjusting the program to produce the samehash code as before. If a protected list of programs in trusted locations is kept, thisapproach can also detect attempts to replace or install rogue code or programs inthese locations.Third-generation programs are memory-resident programs that identifymalware by its actions rather than its structure in an infected program. Suchprograms have the advantage that it is not necessary to develop signatures andheuristics for a wide array of malware. Rather, it is necessary only to identify thesmall set of actions that indicate malicious activity is being attempted and then tointervene.Fourth-generation products are packages consisting of a variety of anti-virustechniques used in conjunction. These include scanning and activity trap components.In addition, such a package includes access control capability, which limitsthe ability of malware to penetrate a system and then limits the ability of a malwareto update files in order to propagate.The arms race continues. With fourth-generation packages, a more comprehensivedefense strategy is employed, broadening the scope of defense to moregeneral-purpose computer security measures. These include more sophisticatedanti-virus approaches. We now highlight two of the most important.
52Generic Decryption (GD) enables the anti-virus program to easily detect complex polymorphic viruses and other malwarewhile maintaining fast scanning speedsexecutable files are run through a GD scanner which contains the following elements:CPU emulatorvirus signature scanneremulation control moduleGeneric decryption (GD) technology enables the antivirusprogram to easily detect even the most complex polymorphic viruses and othermalware, while maintaining fast scanning speeds [NACH97]. Recall that when a filecontaining a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a GD scanner,which contains the following elements:• CPU emulator: A software-based virtual computer. Instructions in an executablefile are interpreted by the emulator rather than executed on the underlyingprocessor. The emulator includes software versions of all registers and otherprocessor hardware, so that the underlying processor is unaffected by programsinterpreted on the emulator.• Virus signature scanner: A module that scans the target code looking forknown malware signatures.• Emulation control module: Controls the execution of the target code.At the start of each simulation, the emulator begins interpreting instructionsin the target code, one at a time. Thus, if the code includes a decryption routinethat decrypts and hence exposes the malware, that code is interpreted. In effect, themalware does the work for the anti-virus program by exposing itself. Periodically,the control module interrupts interpretation to scan the target code for malwaresignatures.During interpretation, the target code can cause no damage to the actualpersonal computer environment, because it is being interpreted in a completelycontrolled environment.The most difficult design issue with a GD scanner is to determine how longto run each interpretation. Typically, malware elements are activated soon aftera program begins executing, but this need not be the case. The longer the scanneremulates a particular program, the more likely it is to catch any hidden malware.However, the anti-virus program can take up only a limited amount of time andresources before users complain of degraded system performance.
53Host-Based Behavior-Blocking integrates with the operating system of a host computer and monitors program behavior in real time for malicious actionblocks potentially malicious actions before they have a chance to affect the systemblocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristicslimitationsbecause malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blockedUnlike heuristics or fingerprint basedscanners, behavior-blocking software integrates with the operating system ofa host computer and monitors program behavior in real time for malicious actions[CONR02, NACH02]. The behavior blocking software then blocks potentiallymalicious actions before they have a chance to affect the system. Monitoredbehaviors can include• Attempts to open, view, delete, and/or modify files;• Attempts to format disk drives and other unrecoverable disk operations;• Modifications to the logic of executable files or macros;• Modification of critical system settings, such as start-up settings;• Scripting of and instant messaging clients to send executable content; and• Initiation of network communications.Because a behavior blocker can block suspicious software in real time, it has anadvantage over such established anti-virus detection techniques as fingerprinting orheuristics. There are literally trillions of different ways to obfuscate and rearrange theinstructions of a virus or worm, many of which will evade detection by a fingerprintscanner or heuristic. But eventually, malicious code must make a well-defined requestto the operating system. Given that the behavior blocker can intercept all suchrequests, it can identify and block malicious actions regardless of how obfuscated theprogram logic appears to be.Behavior blocking alone has limitations. Because the malicious code mustrun on the target machine before all its behaviors can be identified, it can causeharm before it has been detected and blocked. For example, a new item of malwaremight shuffle a number of seemingly unimportant files around the hard drive beforemodifying a single file and being blocked. Even though the actual modification wasblocked, the user may be unable to locate his or her files, causing a loss to productivityor possibly worse.
54Perimeter Scanning Approaches anti-virus software typically included in and Web proxy services running on an organization’s firewall and IDSmay also be included in the traffic analysis component of an IDSmay include intrusion prevention measures, blocking the flow of any suspicious trafficapproach is limited to scanning malwareThe next location where anti-virus software is used is on an organization’s firewalland IDS. It is typically included in and Web proxy services running on thesesystems. It may also be included in the traffic analysis component of an IDS. Thisgives the anti-virus software access to malware in transit over a network connectionto any of the organization’s systems, providing a larger scale view of malware activity.This software may also include intrusion prevention measures, blocking the flowof any suspicious traffic, thus preventing it reaching and compromising some targetsystem, either inside or outside the organization.However, this approach is limited to scanning the malware content, as it doesnot have access to any behavior observed when it runs on an infected system. Twotypes of monitoring software may be used:
55Perimeter Scanning Approaches ingress monitorslocated at the border between the enterprise network and the Internetone technique is to look for incoming traffic to unused local IP addressesegress monitorslocated at the egress point of individual LANs as well as at the border between the enterprise network and the Internetmonitors outgoing traffic for signs of scanning or other suspicious behavior• Ingress monitors: These are located at the border between the enterprisenetwork and the Internet. They can be part of the ingress filtering softwareof a border router or external firewall or a separate passive monitor. Ahoneypot can also capture incoming malware traffic. An example of a detectiontechnique for an ingress monitor is to look for incoming traffic to unusedlocal IP addresses.• Egress monitors: These can be located at the egress point of individual LANson the enterprise network as well as at the border between the enterprisenetwork and the Internet. In the former case, the egress monitor can be partof the egress filtering software of a LAN router or switch. As with ingressmonitors, the external firewall or a honeypot can house the monitoring software.Indeed, the two types of monitors can be collocated. The egress monitoris designed to catch the source of a malware attack by monitoring outgoingtraffic for signs of scanning or other suspicious behavior.Perimeter monitoring can also assist in detecting and responding to botnet activityby detecting abnormal traffic patterns associated with this activity. Once bots areactivated and an attack is underway, such monitoring can be used to detect theattack. However, the primary objective is to try to detect and disable the botnetduring its construction phase, using the various scanning techniques we have justdiscussed, identifying and blocking the malware that is used to propagate this typeof payload.two types of monitoring software
56Worm Countermeasuresconsiderable overlap in techniques for dealing with viruses and wormsonce a worm is resident on a machine anti-virus software can be used to detect and possibly remove itperimeter network activity and usage monitoring can form the basis of a worm defenseThere is considerable overlap in techniques fordealing with viruses and worms. Once a worm is resident on a machine, anti-virussoftware can be used to detect it, and possibly remove it. In addition, because wormpropagation generates considerable network activity, perimeter network activityand usage monitoring can form the basis of a worm defense. Following [JHI07], welist six classes of worm defense that address the network activity it may generate:A. Signature-based worm scan filtering: This type of approach generates a wormsignature, which is then used to prevent worm scans from entering/leaving anetwork/host. Typically, this approach involves identifying suspicious flowsand generating a worm signature. This approach is vulnerable to the use ofpolymorphic worms: Either the detection software misses the worm or, if itis sufficiently sophisticated to deal with polymorphic worms, the scheme maytake a long time to react. [NEWS05] is an example of this approach.B. Filter-based worm containment: This approach is similar to class A but focuses onworm content rather than a scan signature. The filter checks a message to determineif it contains worm code. An example is Vigilante [COST05], which relieson collaborative worm detection at end hosts. This approach can be quite effectivebut requires efficient detection algorithms and rapid alert dissemination.C. Payload-classification-based worm containment: These network-basedtechniques examine packets to see if they contain a worm. Various anomalydetection techniques can be used, but care is needed to avoid high levelsof false positives or negatives. An example of this approach is reported in[CHIN05], which looks for exploit code in network flows. This approach doesnot generate signatures based on byte patterns but rather looks for controland data flow structures that suggest an exploit.D. Threshold random walk (TRW) scan detection: TRW exploits randomness inpicking destinations to connect to as a way of detecting if a scanner is in operation[JUNG04]. TRW is suitable for deployment in high-speed, low-cost networkdevices. It is effective against the common behavior seen in worm scans.E. Rate limiting: This class limits the rate of scanlike traffic from an infected host.Various strategies can be used, including limiting the number of new machinesa host can connect to in a window of time, detecting a high connection failurerate, and limiting the number of unique IP addresses a host can scan in awindow of time. [CHEN04] is an example. This class of countermeasures mayintroduce longer delays for normal traffic. This class is also not suited for slow,stealthy worms that spread slowly to avoid detection based on activity level.F. Rate halting: This approach immediately blocks outgoing traffic when a thresholdis exceeded either in outgoing connection rate or in diversity of connectionattempts [JHI07]. The approach must include measures to quickly unblockmistakenly blocked hosts in a transparent way. Rate halting can integrate witha signature- or filter-based approach so that once a signature or filter is generated,every blocked host can be unblocked. Rate halting appears to offer a veryeffective countermeasure. As with rate limiting, rate halting techniques are notsuitable for slow, stealthy worms.
57Worm Countermeasures worm defense approaches include: signature-based worm scan filteringfilter-based worm containmentpayload-classification-based worm containmentthreshold random walk (TRW) scan detectionrate limitingrate haltingThere is considerable overlap in techniques fordealing with viruses and worms. Once a worm is resident on a machine, anti-virussoftware can be used to detect it, and possibly remove it. In addition, because wormpropagation generates considerable network activity, perimeter network activityand usage monitoring can form the basis of a worm defense. Following [JHI07], welist six classes of worm defense that address the network activity it may generate:A. Signature-based worm scan filtering: This type of approach generates a wormsignature, which is then used to prevent worm scans from entering/leaving anetwork/host. Typically, this approach involves identifying suspicious flowsand generating a worm signature. This approach is vulnerable to the use ofpolymorphic worms: Either the detection software misses the worm or, if itis sufficiently sophisticated to deal with polymorphic worms, the scheme maytake a long time to react. [NEWS05] is an example of this approach.B. Filter-based worm containment: This approach is similar to class A but focuses onworm content rather than a scan signature. The filter checks a message to determineif it contains worm code. An example is Vigilante [COST05], which relieson collaborative worm detection at end hosts. This approach can be quite effectivebut requires efficient detection algorithms and rapid alert dissemination.C. Payload-classification-based worm containment: These network-basedtechniques examine packets to see if they contain a worm. Various anomalydetection techniques can be used, but care is needed to avoid high levelsof false positives or negatives. An example of this approach is reported in[CHIN05], which looks for exploit code in network flows. This approach doesnot generate signatures based on byte patterns but rather looks for controland data flow structures that suggest an exploit.D. Threshold random walk (TRW) scan detection: TRW exploits randomness inpicking destinations to connect to as a way of detecting if a scanner is in operation[JUNG04]. TRW is suitable for deployment in high-speed, low-cost networkdevices. It is effective against the common behavior seen in worm scans.E. Rate limiting: This class limits the rate of scanlike traffic from an infected host.Various strategies can be used, including limiting the number of new machinesa host can connect to in a window of time, detecting a high connection failurerate, and limiting the number of unique IP addresses a host can scan in awindow of time. [CHEN04] is an example. This class of countermeasures mayintroduce longer delays for normal traffic. This class is also not suited for slow,stealthy worms that spread slowly to avoid detection based on activity level.F. Rate halting: This approach immediately blocks outgoing traffic when a thresholdis exceeded either in outgoing connection rate or in diversity of connectionattempts [JHI07]. The approach must include measures to quickly unblockmistakenly blocked hosts in a transparent way. Rate halting can integrate witha signature- or filter-based approach so that once a signature or filter is generated,every blocked host can be unblocked. Rate halting appears to offer a veryeffective countermeasure. As with rate limiting, rate halting techniques are notsuitable for slow, stealthy worms.
58Digital Immune System The digital immune system is a comprehensive approach to virus protection developed by IBM [KEPH97a, KEPH97b, WHIT99]and subsequently refined by Symantec [SYMA01]. In 2010, their resulting GlobalIntelligence Network comprised more than 240,000 sensors, and gathered intelligenceon malicious code from more than 133 million client, server, and gateway systemsthat have deployed Symantec anti-virus products [SYMA11]. The motivation forthis development has been the rising threat of Internet-based virus propagation, andthe need to acquire a global view of the situation.Traditionally, the virus threat was characterized by the relatively slow spreadof new viruses and new mutations. Anti-virus software was typically updated on amonthly basis, and this was sufficient to control the problem. Also traditionally, theInternet played a comparatively small role in the spread of viruses. But as [CHES97]points out, two major trends in Internet technology have had an increasing impacton the rate of virus propagation over recent decades:• Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlookmake it very simple to send anything to anyone and to work with objects thatare received.• Mobile-program systems: Capabilities such as Java and ActiveX allowprograms to move on their own from one system to another.In response to the threat posed by these Internet-based capabilities, IBMdeveloped the original prototype digital immune system. This system expands onthe use of program emulation, discussed in the preceding subsection, and providesa general-purpose emulation and malware detection system. The objective of thissystem is to provide rapid response time so that malware can be stamped out almostas soon as they are introduced. When new malware enters an organization, theimmune system automatically captures it, analyzes it, adds detection and shieldingfor it, removes it, and passes information about it to client systems, so the malwarecan be detected before it is allowed to run elsewhere.Figure 6.6 illustrates the typical steps in early proposals for digital immunesystem operation:1. A monitoring program on each PC uses a variety of heuristics based on systembehavior, suspicious changes to programs, or family signature to infer thatmalware may be present. The monitoring program forwards a copy of anysuspect program to an administrative machine within the organization.The administrative machine encrypts the sample and sends it to a centralmalware analysis system.3. This machine creates an environment in which the suspect program can besafely run for analysis. Techniques used for this purpose include emulation,or the creation of a protected environment within which the suspect programcan be executed and monitored. The malware analysis system then produces aprescription for identifying and removing the malware.4. The resulting prescription is sent back to the administrative machine.5. The administrative machine forwards the prescription to the original client.6. The prescription is also forwarded to other clients in the organization.7. Subscribers around the world receive regular anti-virus updates that protectthem from the new malware.
59Worm Countermeasure Architecture The success of the digital immune system depends on the ability of the malwareanalysis system to detect new and innovative malware strains. By constantly analyzingand monitoring malware found in the wild, it should be possible to continuallyupdate the digital immune software to keep up with the threat.This type of functionality may be further augmented by gathering intelligencefrom perimeter sensors as well. Figure 6.7 shows an example of a worm countermeasurearchitecture [SIDI05]. The system works as follows (numbers in figure refer tonumbers in the following list):1. Sensors deployed at various network locations detect a potential worm. Thesensor logic can also be incorporated in IDS sensors.The sensors send alerts to a central server, which correlates and analyzes theincoming alerts. The correlation server determines the likelihood that a wormattack is being observed and the key characteristics of the attack.3. The server forwards its information to a protected environment, where thepotential worm may be sandboxed for analysis and testing.4. The protected system tests the suspicious software against an appropriatelyinstrumented version of the targeted application to identify the vulnerability.5. The protected system generates one or more software patches and tests these.6. If the patch is not susceptible to the infection and does not compromise theapplication’s functionality, the system sends the patch to the application hostto update the targeted application.
60Summary types of malicious software (malware) payload – system corruptiondata destruction, real world damageramsomware, logic bombpayload – attack agentbotsremote control facilitypayload – information theftcredential theft, keyloggers, spywarephishing, identity theftpayload – stealthingbackdoor/trapdoorrootkitkernel mode rootkitsvirtual machine/external rootkitscountermeasurespreventiondetection, identification, removalhost based scanners/behavior blocking softwaredigital immune systemtypes of malicious software (malware)terminology for malicious softwareviruses – infected contentinfection mechanism, trigger, payloaddormant, propagation, triggering, and execution phasesboot sector infector, file infector, macro virus, and multipartite virusencrypted, stealth, polymorphic, and metamorphic virusesworms – vulnerability exploitreplicates via remote systems, file sharing, remote execution, remote file access, remote login capabilityscanning/fingerprintingspam /trojans – social engineeringChapter 6 summary.