Copyright (c) Lenny Zeltser, 2000
The Evolution of Malicious Agents
Lenny Zeltser (www.zeltser.com), SANS Institute
Presented July 2000

Overview

Definition of Malicious Agents
- A computer program
- Operates on behalf of a potential intruder
- Aids in attacking systems
- Examples: viruses, worms, trojanized software

Goals of the Course
- Trace the evolution of malicious agents
- Examine the anatomy of advanced malicious agents, based on key features of existing ones
- Develop an approach to assessing the threats posed by malicious agents

Course Outline
- Rapidly spreading agents
- Spying agents
- Remotely controlled agents
- Coordinated attack agents
- Advanced malicious agents

Rapidly Spreading Agents

General Attributes
- Morris Worm and Melissa Virus
- Able to spread rapidly across the network
- Viruses infect other programs by explicitly copying themselves into them
- Worms self-propagate without the need for a host program

Key Features and Limitations
- Effectively infiltrate organizations despite firewalls
- Effective replication mechanisms
- Limited control over propagation rates and target selection criteria

The Morris Worm
- Self-contained, self-propagating worm
- Overwhelmed the Internet in November 1988, within hours of release
- Exploited known host-access loopholes to replicate
- A program that "lived" on the Internet?

Propagation Techniques
- Non-standard command in sendmail (the DEBUG command)
- Buffer overflow bug in fingerd (an unchecked gets() into a fixed-size stack buffer)
- Remote-administration trust relationships of rexec and rsh
- Guessable user passwords
- Recursively infiltrated systems to replicate itself and reproduce further

Relevance to Advanced Agents
- The Morris Worm's aggressive infiltration methods are still very effective
- For rapid propagation, program the agent to exploit common vulnerabilities

The Melissa Virus
- Microsoft Word-based macro virus (released March 1999)
- Overwhelmed many Internet systems after the first weekend of release
- E-mailed itself to address book entries
- Propagated primarily via e-mail

Propagation Techniques
- Arrived as an e-mail attachment
- The message recipient had to open the infected attachment to activate the payload
- E-mailed itself to entries in Microsoft Outlook MAPI address books
- Recipients lowered their guard when the e-mail came from friends and colleagues

Relevance to Advanced Agents
- Penetrated firewalls via inbound e-mail
- Virus signatures could not be developed and deployed in time
- For effective infiltration, program the agent to arrive via open inbound channels

Advanced Attributes Summary
- Propagate via open channels such as Web browsing or e-mail
- Once inside, replicate aggressively by exploiting known vulnerabilities
- Need to control replication rates, possibly by staying in touch with the attacker

Spying Agents

General Attributes
- Caligula, Marker, and Groov viruses
- Transmit sensitive information from within organizations
- Infiltrate via open channels
- Use outbound connections for communications

Key Features and Limitations
- Can be used as reconnaissance probes
- Effective mechanism for communicating with their authors despite firewalls
- Currently the agent's behavior is limited to what was pre-programmed

The Caligula Virus
- Also known as W97M/Caligula
- Microsoft Word-based macro virus
- Discovered around January 1999
- Transmitted the victim's PGP secret keyring file to the author

Espionage Tactics
- Used the built-in ftp.exe command to transmit information to the author
- Used outbound sessions for communications
- Bypassed many firewalls because the connections were initiated from inside

The Marker Virus
- Also known as W97M/Marker
- Discovered around April 1999
- Recorded the date and time of infection, plus the victim's personal information
- Most likely developed by the CodeBreakers group

Espionage Tactics
- Implementation characteristics similar to Caligula
- Realization of a "bright future for espionage-enabled viruses"
- Allowed the author to study relationships between people at the target organization
- Helpful for precisely targeting attacks

The Groov Virus
- Also known as W97M/Groov.a
- Discovered around May 1998
- Uploaded the victim's network configuration to an external site
- Attempted to overwhelm a vendor's site with network configuration reports

Espionage Tactics
- Used the built-in ipconfig.exe command to get network information
- Used the built-in ftp.exe for the outbound transfer
- Helpful for getting an insider's view of the network
- Can be correlated with external scans
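The host-side signal these spying agents leave is process lineage: a Word macro cannot type into an interactive ftp session, so Caligula and Groov wrote a script file and handed it to the system's own ftp.exe, and Groov ran ipconfig.exe first. The following detector is an added example, not part of the original presentation; it assumes process-creation events in a simple constructed line format (timestamp|parent image|child image|command line) and treats an Office application spawning ftp.exe with the real `-s:<file>` scripting flag as the strongest indicator.

```python
"""Flag an Office document driving the built-in ftp.exe / ipconfig.exe.

Added example, not part of the original presentation. The log line format
(timestamp|parent image|child image|command line) and the events below are
constructed for the demonstration; OFFICE_HOSTS and SUSPECT_CHILDREN are
assumed lists, not from the slides.
"""
from dataclasses import dataclass

OFFICE_HOSTS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"ftp.exe", "ipconfig.exe", "cmd.exe"}

# Constructed process-creation events: a document opening, a scripted ftp
# session and ipconfig launched by Word, then two benign look-alikes.
SAMPLE_EVENTS = """\
1999-01-20T09:14:02|explorer.exe|winword.exe|WINWORD.EXE C:\\docs\\invoice.doc
1999-01-20T09:14:05|winword.exe|ftp.exe|ftp.exe -n -s:C:\\TEMP\\script.tmp
1999-01-20T09:14:06|winword.exe|ipconfig.exe|ipconfig.exe /all
1999-01-20T09:20:11|cmd.exe|ipconfig.exe|ipconfig.exe /renew
1999-01-20T09:21:40|explorer.exe|ftp.exe|ftp.exe ftp.example.org
"""


@dataclass
class Alert:
    timestamp: str
    parent: str
    child: str
    severity: str
    reason: str


def parse_event(line):
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    timestamp, parent, child, cmdline = line.split("|", 3)
    return timestamp, parent.strip().lower(), child.strip().lower(), cmdline


def classify(parent, child, cmdline):
    """Return (severity, reason) for a suspicious lineage, else None."""
    if parent not in OFFICE_HOSTS or child not in SUSPECT_CHILDREN:
        return None
    if child == "ftp.exe" and "-s:" in cmdline.lower():
        # ftp.exe -s:<file> runs commands from a script file: the only way a
        # macro can drive an outbound transfer without an interactive user.
        return "high", "Office host running scripted ftp session (-s:)"
    return "medium", f"Office host spawned {child}"


def detect(log_text):
    """Run the lineage check over every event line and return the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, parent, child, cmdline = parse_event(line)
        verdict = classify(parent, child, cmdline)
        if verdict:
            alerts.append(Alert(timestamp, parent, child, *verdict))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.timestamp} [{alert.severity}] {alert.parent} -> {alert.child}: {alert.reason}")
```

The benign lines show the two false-positive traps: ipconfig launched from a shell and ftp launched by the user from Explorer are both ordinary, so the rule keys on the parent being an Office host rather than on the child binary alone.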

Relevance to Advanced Agents
- Use outbound traffic for communications
- Obtain personal and relationship information for precise targeting
- Obtain network information to help reconnaissance efforts

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider's perspective of the infrastructure
- Need to remotely control the agent's behavior

Remotely Controlled Agents

General Attributes
- Back Orifice and NetBus trojans
- Provide full control over the victim's host
- Comprised of client and server modules
- Server modules "infect" victim hosts
- Client modules send remote commands
- Infiltrate via open channels

Key Features and Limitations
- Server modules are very stealthy
- Level of control is thorough and expandable
- Client and server modules must be reunited before control is possible
- Typically controlled via traffic that is inbound with respect to the server module (the client connects in to the infected host), which a perimeter firewall can block

Back Orifice
- Original version released August 1998, updated July 1999 (Back Orifice 2000)
- Created by the Cult of the Dead Cow
- Much of the functionality is similar to standard remote administration tools
- Classification often depends on intended use

Native Capabilities
- Keystroke, video, and audio capture
- File share management
- File and registry access
- Cached password retrieval
- Port redirection
- Process control
- Many other capabilities

Enhancement Capabilities
- Provides plug-in API support
- Communication channel encryption
- Server component announces its location via outbound IRC
- Many other capabilities

NetBus
- Original version released March 1998 to "have some fun with his/her friends"
- New version (February 1999) marketed as a "remote administration and spy tool"
- The new version required physical access to install the stealthy server component, but unofficial restriction-free versions exist

Remote Control Capabilities
- Functionality similar to Back Orifice
- Also supports plug-ins, but not as popular among developers as Back Orifice
- Primitively controls multiple server components from a single client module, but not in parallel

Relevance to Advanced Agents
- Operate agents in stealthy mode to minimize the chances of discovery
- Offer extensive remote-control functionality
- Support enhancements to native features via plug-ins

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider's perspective of the infrastructure

Advanced Attributes Summary (continued)
- Provide stealthy and extensible remote-control functionality
- Need to control multiple agents from a single point

Coordinated Attack Agents

General Attributes
- Trinoo and Tribe Flood Network
- Disrupt normal system functions via network floods
- The attacker controls several clients, each controlling multiple attack servers
- Networks are scanned for vulnerabilities and attack agents are planted on the hosts found

Key Features and Limitations
- Client as well as server modules run on compromised machines
- The attacker is further removed from the target
- Agents are typically beyond the administrative control of any single entity
- Single purpose: designed specifically for denial-of-service attacks

Trinoo
- Discovered on compromised Solaris systems in August 1999
- Initial testing dates back to June 1999
- First Windows version February 2000
- Attacks via UDP packet flood

Coordination Mechanisms
- The attacker connects to the client module ("master") via telnet to a specific port
- A warning is issued if another connection is attempted during an ongoing session
- Password-based access control for communication between all nodes

Coordination Mechanisms (continued)
- The master relays commands to the server modules ("daemons") via a proprietary text-based protocol over UDP
- For example, the "do" command sent to the master is relayed as the "aaa" command to the daemons
- An attack is terminated via timeout or the "mdie" command to the master ("die" to the daemons)
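The three-tier exchange described above, as an added example that is not Trinoo's own code. Only the behaviours the slides name are modelled: password-protected access to the master, a warning when a second operator connects during a session, relay of the operator's "do" as "aaa" and "mdie" as "die", and termination by timeout. The datagram layout ("<command> <password> [target]"), the separate operator and daemon passwords, the timeout value and all addresses are assumptions for the demonstration.

```python
"""Model of the Trinoo master/daemon command relay described on the slides.

Added example, not Trinoo's code. The datagram layout, the two passwords,
the timeout and the addresses are assumptions made for the demonstration.
"""

# Operator command (typed at the master) -> daemon command (relayed over UDP).
RELAY = {"do": "aaa", "mdie": "die"}


class Daemon:
    """Attack server: floods one target until told to die or given a new one."""

    def __init__(self, password):
        self.password = password
        self.target = None        # target currently being flooded, or None
        self.rejected = []        # datagrams that failed the password check

    def receive(self, datagram):
        """Handle one UDP datagram of the form '<command> <password> [target]'."""
        parts = datagram.split()
        if len(parts) < 2 or parts[1] != self.password:
            self.rejected.append(datagram)
            return False
        command, args = parts[0], parts[2:]
        if command == "aaa" and args:
            self.target = args[0]
        elif command == "die":
            self.target = None
        return True


class Master:
    """Client module: one operator session at a time, relays to all daemons."""

    def __init__(self, operator_password, daemon_password, daemons, timeout=60):
        self.operator_password = operator_password
        self.daemon_password = daemon_password
        self.daemons = list(daemons)
        self.timeout = timeout        # seconds of flooding before an automatic "die"
        self.session = None           # address of the connected operator
        self.warnings = []
        self.attack_started = None
        self.sent = []                # datagrams relayed to the daemons, for inspection

    def connect(self, operator, password):
        """Operator logs in over the telnet-style control port."""
        if password != self.operator_password:
            return False
        if self.session is not None and self.session != operator:
            self.warnings.append(f"{operator} connected while {self.session} has a session")
        self.session = operator
        return True

    def _relay(self, daemon_command, args, now):
        datagram = " ".join([daemon_command, self.daemon_password, *args])
        for daemon in self.daemons:
            daemon.receive(datagram)
        self.sent.append(datagram)
        self.attack_started = now if daemon_command == "aaa" else None
        return datagram

    def command(self, line, now):
        """Translate one operator command; returns the relayed datagram or None."""
        if self.session is None:
            return None
        verb, *args = line.split()
        if verb not in RELAY:
            return None
        return self._relay(RELAY[verb], args, now)

    def tick(self, now):
        """Enforce the attack timeout; returns True if a 'die' was sent."""
        if self.attack_started is not None and now - self.attack_started >= self.timeout:
            self._relay("die", [], now)
            return True
        return False
```

Because every hop is a separate datagram from the master to each daemon, the relay is also where a defender can cut the chain: if the daemons' UDP control port is blocked, "aaa" never arrives and the attacker is left holding a session on a master that commands nothing.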

Relevance to Advanced Agents
- Control of multiple agents in a coordinated manner
- All traffic is inbound with respect to the destination of the particular communication
- Master-to-daemon channels can be disrupted by blocking high-numbered UDP ports

Tribe Flood Network
- Discovered around October 1999
- Similar to Trinoo in purpose and architecture
- Attacks via ICMP, UDP, and Smurf-style floods; also offers a back door to the agent's host
- Client-to-server module communication via ICMP "echo reply" packets

Coordination Mechanisms
- Normally an ICMP "echo reply" is generated in response to the "echo request" sent by the ping command
- Uses the ICMP packet identifier field to specify commands
- Firewalls may accept ICMP "echo reply" packets, since they look like answers to outbound pings
- Some network monitoring tools do not process ICMP traffic properly
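The weakness in this covert channel is the first bullet: a legitimate echo reply answers an echo request that went the other way with the same identifier and sequence number. The following stateful check is an added example, not Tribe Flood Network code; it packs and parses ICMP headers in the RFC 792 wire format and flags replies that nothing asked for. The identifier values used as "commands" and all addresses in the trace are assumptions for the demonstration, not TFN's real opcodes.

```python
"""Stateful check for ICMP echo replies that answer no echo request.

Added example, not TFN code. Header layout follows RFC 792 (type, code,
checksum, identifier, sequence number); the packet trace, the addresses
and the identifier value carried as a "command" are constructed.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
HEADER = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b""):
    """Build an ICMP echo request or reply with a correct checksum."""
    unchecked = HEADER.pack(icmp_type, 0, 0, ident, seq) + payload
    return HEADER.pack(icmp_type, 0, icmp_checksum(unchecked), ident, seq) + payload


def parse_icmp(packet):
    icmp_type, code, _, ident, seq = HEADER.unpack(packet[:HEADER.size])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[HEADER.size:],
        # Summing a correct packet including its own checksum field gives 0.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def find_unsolicited_replies(trace):
    """trace: iterable of (src_ip, dst_ip, icmp_bytes) in capture order.

    An echo reply is solicited only if an echo request with the same
    identifier and sequence was seen earlier in the reverse direction.
    """
    outstanding = set()
    findings = []
    for src, dst, packet in trace:
        p = parse_icmp(packet)
        if not p["checksum_ok"]:
            findings.append({"src": src, "dst": dst, "reason": "bad checksum"})
            continue
        if p["type"] == ICMP_ECHO_REQUEST:
            outstanding.add((src, dst, p["id"], p["seq"]))
        elif p["type"] == ICMP_ECHO_REPLY:
            request = (dst, src, p["id"], p["seq"])
            if request in outstanding:
                outstanding.discard(request)
            else:
                findings.append({"src": src, "dst": dst, "reason": "unsolicited echo reply",
                                 "id": p["id"], "payload": p["payload"]})
    return findings


# Constructed trace: a normal ping exchange, then a TFN-style "command"
# arriving as an echo reply that nothing on 10.0.0.9 asked for.
SAMPLE_TRACE = [
    ("10.0.0.9", "10.0.0.5", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
    ("10.0.0.5", "10.0.0.9", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")),
    ("198.51.100.7", "10.0.0.9", build_icmp(ICMP_ECHO_REPLY, 0x0159, 0, b"203.0.113.9")),
]

if __name__ == "__main__":
    for finding in find_unsolicited_replies(SAMPLE_TRACE):
        print(finding)
```

A stateless packet filter that simply permits type 0 cannot make this distinction, which is exactly why the agent chose echo replies; the check needs the request side of the conversation, so it belongs on a stateful firewall or a sensor that sees both directions.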

Relevance to Advanced Agents
- Control of multiple agents in a coordinated manner
- Exploit protocols by violating their specifications
- Or follow the specifications, but use the protocols in unexpected ways
- This forms the basis of many attacks

Advanced Attributes Summary
- Propagate via open channels or aggressive vulnerability exploitation
- Use outbound channels for communication
- Gather an insider's perspective of the infrastructure

Advanced Attributes Summary (continued)
- Provide stealthy and extensible remote-control functionality
- Control multiple agents in a coordinated manner
- Employ covert techniques for communication
- These attributes can be used to assess the threat level of a particular agent

Advanced Malicious Agents

General Attributes
- RingZero Trojan, Samhain Worm
- Combine key features of other agents
- Offer the attacker tight control over the agent's actions
- Difficult to defend against without proper infrastructure and resources

The RingZero Trojan
- Activity reports around September 1999
- Sightings in August 1999 of messages offering a "really class program"
- Several variants of trojanized program attachments
- The agent scanned for Web proxy servers
- Combines attributes rarely seen in a single agent

Observed Behavior
- Detailed analysis in October 1999
- Scanned for Web proxy servers via connection attempts to known ports
- Proxy servers typically access Web resources on the user's behalf
- Used a discovered proxy server to report that server's existence to an external site

Observed Behavior (continued)
- Retrieved an encoded/encrypted file from two external sites
- Sent mass mailings to ICQ users from a spoofed address
- Encouraged recipients to visit the "Biggest Proxy List" on an external site

Relevance to Advanced Agents
- Propagated via open channels
- Outbound traffic for communications
- View from the internal network
- Stealthy remote-control capabilities
- Operated in a distributed manner

Room for Improvement
- Analysis based on a single data file
- Not especially malicious, though there were some reports of password-stealing variants
- No specific firewall-bypassing attributes
- No aggressive vulnerability exploitation
- Louder than it needs to be

The Samhain Worm
- Written over the winter; announced on Bugtraq in May 2000; never released
- Research prototype of a "deadly harmful Internet worm"
- Defined an alternative set of characteristics desired of advanced agents

Desired Characteristics
- Portability, for target OS independence
- Invisibility, for stealthy operation
- Autonomy, for automatic spread via a built-in exploit database
- Polymorphism, to avoid detection

Desired Characteristics (continued)
- Learning: obtaining new techniques via a central communication channel
- Integrity: preventing modification or destruction of the agent
- Awareness of the mission objective: perform specific tasks, then cease activity

Key Implementation Details
- Uses a "wormnet" to get programs and updates for the target platform
- Supports controlled broadcasting of requests to wormnet members
- A family tree is passed from parent to child and used to control broadcasts via a maximum number of wormnet hops

Key Implementation Details (continued)
- Uses a polymorphic engine and encryption to avoid constant strings
- Intercepts system calls when running as root, plus other techniques to hide
- Uses exploits unknown at the time, sorted by scope and effectiveness
- Victims chosen via active connection monitoring and qualifying attributes

Relevance to Advanced Agents
- Detailed design and implementation details, plus code fragments, were provided
- Gradual attack approach: propagate "harmlessly," then update
- Designed specifically to maximize potential harm and the difficulty of eradication

Threat of Malicious Agents

Advanced Agents
- Advanced agents are especially dangerous because of the features combined into a single package
- Stealth operation, firewall traversal, and coordination are particularly powerful
- Feature sets and the experimental nature of these agents suggest active development

Assessing the Threat
- Defense techniques depend on the priorities and technologies of the organization
- Use a structured framework to assess the threat of particular agents
- Analyze the extent of "advanced" attributes, assign weights, and react appropriately

Malicious Agents Attributes
- The matrix summarizes key attributes of the agents in terms of the presented framework
- The Samhain Worm is not included because of its slightly different feature set
- Refer to the earlier slides for discussion of the items in the matrix
- Use for future reference

Malicious Agents Attributes Matrix

Columns (attributes):
- Aggressive self-propagation
- Propagation despite firewalls
- Aggressive attack when no firewalls
- Aggressive attack despite firewalls
- Revealing confidential information
- Remotely controlled when no firewalls
- Remotely controlled despite firewalls
- Acting in coordinated distributed fashion

Rows (agents): Morris Worm, Melissa Virus, Marker Virus, Caligula Virus, Groov Virus, Back Orifice, NetBus, Trinoo, TFN, RingZero

Cell values used: Yes, No, Partly, Partly (DoS), Possibly. (The cell-by-cell ratings are not recoverable from this transcript.)
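The "assign weight" step on the Assessing the Threat slide, carried through over the matrix's eight columns as an added example (not the author's own matrix or scoring). The attribute names are the slide's; the weights (firewall traversal and coordination weighted highest, following the Advanced Agents slide), the numeric values for Yes/Partly/Possibly/No and the three hypothetical agent ratings are assumptions for illustration.

```python
"""Weighted threat score over the attribute framework on the slides.

Added example, not the author's matrix. Weights, the Yes/Partly/Possibly/No
scale and the sample agent ratings are assumptions for illustration.
"""

ATTRIBUTES = [
    "Aggressive self-propagation",
    "Propagation despite firewalls",
    "Aggressive attack when no firewalls",
    "Aggressive attack despite firewalls",
    "Revealing confidential information",
    "Remotely controlled when no firewalls",
    "Remotely controlled despite firewalls",
    "Acting in coordinated distributed fashion",
]

# How much of an attribute the agent exhibits (assumed scale).
VALUE = {"Yes": 1.0, "Partly": 0.5, "Possibly": 0.25, "No": 0.0}

# Assumed weights: traits that defeat perimeter controls or coordinate many
# agents count more than traits that only work on an unfiltered network.
DEFAULT_WEIGHTS = {
    "Aggressive self-propagation": 2,
    "Propagation despite firewalls": 3,
    "Aggressive attack when no firewalls": 1,
    "Aggressive attack despite firewalls": 2,
    "Revealing confidential information": 2,
    "Remotely controlled when no firewalls": 1,
    "Remotely controlled despite firewalls": 3,
    "Acting in coordinated distributed fashion": 3,
}


def score(ratings, weights=None):
    """Return 0..100: weighted share of the maximum possible 'advanced' score.

    ratings maps attribute -> "Yes" / "Partly" / "Possibly" / "No"; a qualifier
    such as "Partly (DoS)" is accepted and ignored. Missing attributes count as "No".
    """
    weights = weights or DEFAULT_WEIGHTS
    maximum = sum(weights[attribute] for attribute in ATTRIBUTES)
    total = 0.0
    for attribute in ATTRIBUTES:
        label = ratings.get(attribute, "No").split()[0]
        total += weights[attribute] * VALUE[label]
    return round(100.0 * total / maximum, 1)


def rank(agents, weights=None):
    """agents: {name: ratings}. Returns [(name, score)], highest threat first."""
    scored = [(name, score(ratings, weights)) for name, ratings in agents.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Hypothetical ratings for three agent profiles (not the slide's matrix values).
SAMPLE_AGENTS = {
    "Worm-only agent": {
        "Aggressive self-propagation": "Yes",
        "Aggressive attack when no firewalls": "Yes",
    },
    "Remote-control trojan": {
        "Revealing confidential information": "Yes",
        "Remotely controlled when no firewalls": "Yes",
        "Remotely controlled despite firewalls": "Partly",
    },
    "Combined agent": {
        **{attribute: "Yes" for attribute in ATTRIBUTES},
        "Acting in coordinated distributed fashion": "Partly (DoS)",
    },
}

if __name__ == "__main__":
    for name, value in rank(SAMPLE_AGENTS):
        print(f"{value:5.1f}  {name}")
```

The weights are the part an organization should change: a site with no perimeter firewall gains nothing from weighting "despite firewalls" columns higher, which is the "depend on priorities and technologies of the organization" point made on the slide.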

The End
Electronic copies of this material are available from the author.