SCSC 455 Computer Security 2011 Spring Chapter 5 Malware.

2 Index: Malware Overview; Virus; Propagation of Viruses; Worm; Trojan Horses and other malware; Methods against malware attacks

3 Malicious Software (Malware)
- Malicious software often masquerades as good software or attaches itself to good software
  - Some malicious programs need host programs: Trojan horses, viruses, logic bombs
  - Others can exist and propagate independently: worms
- Goals of malware
  - Destroy data
  - Corrupt data
  - Shut down networks or systems

4 Malware classification
- Malicious software includes
  - Virus
  - Worm
  - Trojan programs
  - Spyware
  - Adware

5 Index: Malware Overview; Virus; Worm; Trojan Horses and other malware; Methods against malware attacks

6 Virus propagation
- A virus propagates by infecting other programs
  - It automatically creates copies of itself, but to propagate, a human has to run an infected program
  - In contrast, self-propagating malicious programs are usually called worms
- Many propagation methods ...
  - Insert a copy into every executable (.COM, .EXE)
  - Insert a copy into the boot sectors of disks
    - E.g., the Stoned virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into the PC
  - Infect TSR (terminate-and-stay-resident) routines
    - By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.
  - Etc.

7 Virus Classification
- Stealth viruses
  - Mutation
  - Aliasing
- Macro viruses
  - What is a macro?
- Polymorphic viruses
  - Viruses that mutate and/or encrypt parts of their code with a randomly generated key
  - Changing the encryption routine, the sequence of instructions, or other such changes in the behavior of the virus
- Details of each ...

8 Virus Stealth Techniques [Shin, Jung, Balakrishnan]
- Mutation: virus has multiple binary variants
  - Defeats naïve signature-based detection
  - Used by the most successful (i.e., widespread) viruses, e.g., Tanked: 62 variants, SdDrop: 14 variants
- Aliasing: virus places its copies under different names into the infected host’s sharing folder
  - e.g., “ICQ Lite.exe”, “ICQ Pro 2003b.exe”, “MSN Messenger 5.2.exe”

9 Macro Viruses
- Macro viruses are viruses encoded as a macro
  - A macro virus is a list of commands that can be used in destructive ways
  - When an infected document is opened, the virus copies itself into the global macro file and makes itself auto-executing
  - Most macro viruses are very simple. Even non-programmers can create macro viruses; instructions are posted on Web sites
- (You will read more about macro viruses in reading article 3.)

10 Evolution of Polymorphic Viruses (1)
- Anti-virus scanners detect viruses by looking for signatures
  - Signatures are snippets of known virus code
- Encrypted viruses: the virus consists of a constant decryptor, followed by the encrypted virus body
  - Relatively easy to detect because the decryptor is constant
  - E.g., Cascade (DOS), Mad (Win95), Zombie (Win95)
- Oligomorphic viruses: different versions of the virus have different encryptions of the same body
  - Small number of decryptors (96 for the Memorial virus)
  - To detect, must understand how they are generated

11 Evolution of Polymorphic Viruses (2)
- Polymorphic viruses: constantly create new random encryptions of the same virus body
  - The virus must contain a polymorphic engine for creating new keys and new encryptions of its body
  - Rather than use an explicit decryptor in each mutation, it decrypts its body by brute-force key search
  - E.g., Marburg (Win95), HPS (Win95), Coke (Win32)
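The detection argument of slides 10 and 11 (a body signature stops matching once the body is re-encoded with a fresh key, while a signature on the constant decryptor stub keeps matching, and a scanner that understands how the variants are generated can decode and match the body again) can be shown with a toy scanner. The code below is an added example written for these notes, not part of the lecture: the "body" and "decryptor stub" are constructed, non-executable byte strings, the "encryption" is a one-byte XOR, and the function names are my own.

```python
# Constructed stand-ins for the pieces the slide describes. None of this is code
# that runs as a program; they are byte patterns for a scanner to look at.
BODY = b"CONSTRUCTED-VIRUS-BODY: a plain byte pattern, not executable code"
BODY_SIGNATURE = b"VIRUS-BODY"       # snippet of the plaintext body, as an AV signature
STUB_PREFIX = b"\xDE\xC0\xDE\x5F"    # the constant part of the decryptor stub
STUB_SIGNATURE = STUB_PREFIX         # signature taken from the stub instead


def xor(data: bytes, key: int) -> bytes:
    """One-byte XOR, the toy 'encryption' used by the sample layout below."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Layout from slide 10: constant decryptor first, encrypted body after it.
    Here the stub is the fixed marker plus the one-byte key that follows it."""
    return STUB_PREFIX + bytes([key]) + xor(BODY, key)


def signature_scan(blob: bytes, signatures: dict) -> list:
    """Plain signature matching: report every signature that occurs verbatim."""
    return [name for name, sig in signatures.items() if sig in blob]


def stub_aware_scan(blob: bytes) -> list:
    """Slide 10's 'must understand how they are generated': locate the known stub,
    read the key it carries, undo the encoding, then match the body signature."""
    i = blob.find(STUB_PREFIX)
    if i < 0:
        return []
    key = blob[i + len(STUB_PREFIX)]
    decoded = xor(blob[i + len(STUB_PREFIX) + 1:], key)
    return ["body-after-decode"] if BODY_SIGNATURE in decoded else []


def evaluate(keys) -> dict:
    """For each key: (signatures that fire on the raw sample, stub-aware result).
    Key 0 leaves the body in the clear, so the body signature fires only there;
    the stub signature fires for every key because the decryptor is constant."""
    sigs = {"body": BODY_SIGNATURE, "stub": STUB_SIGNATURE}
    return {k: (signature_scan(make_sample(k), sigs), stub_aware_scan(make_sample(k)))
            for k in keys}


if __name__ == "__main__":
    for key, (raw_hits, decoded_hits) in evaluate([0, 0x55, 0xA7]).items():
        print(f"key=0x{key:02x}: raw={raw_hits} decoded={decoded_hits}")
```

Run it and the body signature fires only for key 0, the stub signature for every key, and the decode-then-scan check for every key. A real oligomorphic or polymorphic family varies the stub itself, which is why the slide says the scanner has to model how the decryptors are generated rather than match one fixed byte string.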

12 How Hard Is It to Write a Virus?
- 2268 matches for “virus creation tool” in CA’s Spyware Information Center
  - Including dozens of poly- and metamorphic engines
- Overwriting Virus Construction Toolkit
  - "The perfect choice for beginners"
- Biological Warfare Virus Creation Kit
  - Note: all viruses created this way will be detected by Norton Anti-Virus
- Vbs Worm Generator (for Visual Basic worms)
  - Used to create the Anna Kournikova worm

13 Index: Malware Overview; Virus; Propagation of Viruses; Worm; Trojan Horses and other malware; Methods against malware attacks

14 Propagation of Viruses [Moshchuk et al.]
- Websites with popular content
  - Games: 60% of websites contain executable content, one-third contain at least one malicious executable
  - Celebrities, adult content, everything except news
- Most popular sites with malicious content (Oct 2005)

15 Viruses in P2P Networks [Shin, Jung, Balakrishnan]
- Millions of users willingly download files
  - e.g., KaZaA: 2.5 million users in May 2006
- Easy to insert an infected file into the network
  - Pretend to be an executable of a popular application, e.g., “Adobe Photoshop 10 full.exe”, “WinZip 8.1.exe”, …
  - Infected MP3 files are rare
- When executed, the malicious file opens a backdoor for the remote attacker
  - Steal the user’s confidential information; spread spam
  - 70% of infected hosts are already on DNS spam blacklists

Prevalence of Viruses in KaZaA [Shin, Jung, Balakrishnan]
- A study of 500,000 KaZaA files
  - Looked for 364 patterns associated with 71 viruses
- Up to 22% of all KaZaA files infected
  - 52 different viruses and Trojans
  - Another study found that 44% of all executable files on KaZaA contain malicious code
  - When searching for “ICQ” or “Trillian”, the chances of hitting an infected file are over 70%

17 Dangerous KaZaA Queries [Shin, Jung, Balakrishnan]

18 Index: Malware Overview; Virus; Propagation of Viruses; Worm; Trojan Horses and other malware; Methods against malware attacks

19 Worms
- Worms are self-propagating malicious programs
  - They replicate and propagate without a host
- Worms can infect a large number of computers in a short time
- Infamous examples: the Morris worm, Code Red I & Code Red II, Slammer, Nimda

20 Viruses vs. Worms
- VIRUS
  - Propagates by infecting other programs
  - Usually inserted into host code (not a standalone program)
- WORM
  - Propagates automatically by copying itself to target systems
  - Is a standalone program

21 Summer of 2001 [from “How to 0wn the Internet in Your Spare Time”]
- Three major worm outbreaks

22 Code Red I
- July 13, 2001: the first worm of the modern era
  - Exploited a buffer overflow in Microsoft’s Internet Information Server (IIS)
- How does Code Red I work?
  - 1st through 20th of each month: spread
    - Find new targets by random scan of the IP address space
    - Spawn 99 threads to generate addresses and look for IIS
    - The creator forgot to seed the random number generator, so every copy scanned the same set of addresses
  - 21st through the end of each month: attack
    - Deface websites!

23 Code Red II
- August 4, 2001: exploited the same IIS vulnerability with completely different code
  - Worked only on Windows 2000, crashed NT
  - Died by design on October 1, 2001
- Scanning algorithm preferred nearby addresses
  - Chose addresses from the same class A with probability 1/2, from the same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
- Payload: installed a root backdoor in IIS servers for unrestricted remote access
- Q: what are class A, class B, …?

24 Slammer Worm
- January 24/25, 2003: UDP worm exploiting a buffer overflow in Microsoft’s SQL Server
  - The buffer overflow was already known and patched by Microsoft, but not everybody installed the patch
- The entire code fits into a single 404-byte UDP packet
  - Worm binary followed by an overflow pointer back to itself
- Classic buffer overflow combined with random scanning:
  - Once control is passed to the worm code, it randomly generates IP addresses and attempts to send a copy of itself to port 1434
  - MS-SQL listens on port 1434
- (We’ll see how buffer overflows work in the next chapter, “network attacks”)

25 Slammer Propagation
- Scan rate of 55,000,000 addresses per second
  - Scan rate = rate at which the worm generates IP addresses of potential targets
  - Up to 30,000 single-packet worm copies per second
- The initial infection was doubling every 8.5 seconds (!!)
  - The doubling time of Code Red was 37 minutes
- Worm-generated packets saturated the carrying capacity of the Internet in 10 minutes
  - 75,000 SQL servers compromised
  - And that is in spite of the broken pseudo-random number generator used for IP address generation
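The doubling times on this slide can be turned into a growth curve with the random constant spread (RCS) model from the paper cited on slide 21 ("How to 0wn the Internet in Your Spare Time"): an infected fraction a(t) of a vulnerable population that grows as da/dt = K·a·(1 − a), whose solution is the logistic curve a(t) = a0·e^{Kt} / (1 − a0 + a0·e^{Kt}). The code below is an added example for these notes, not from the lecture; it assumes the quoted doubling times describe the early exponential phase (so K = ln 2 / T_d), and it uses a constructed population of 75,000 vulnerable hosts (the number of servers the slide says Slammer compromised) seeded with one infected host. It goes slightly beyond the slide by inverting the curve to give the time until any chosen fraction is infected.

```python
import math


def spread_rate_from_doubling(doubling_time_s: float) -> float:
    """Growth rate K (per second) implied by an early-phase doubling time T_d.
    While a(t) is small the RCS curve grows like exp(K t), so 2 = exp(K T_d)."""
    return math.log(2) / doubling_time_s


def infected_fraction(t_s: float, k: float, a0: float) -> float:
    """RCS (logistic) solution a(t) = a0 e^{Kt} / (1 - a0 + a0 e^{Kt})."""
    g = a0 * math.exp(k * t_s)
    return g / (1.0 - a0 + g)


def time_to_fraction(k: float, a0: float, target: float) -> float:
    """Invert a(t): seconds until the infected fraction reaches `target`.
    Solving the logistic equation gives t = ln(odds(target) / odds(a0)) / K."""
    def odds(a: float) -> float:
        return a / (1.0 - a)
    return math.log(odds(target) / odds(a0)) / k


def compare_outbreaks(vulnerable_hosts: int, target: float = 0.9) -> dict:
    """Seconds for Code Red (37 min doubling) and Slammer (8.5 s doubling) to
    infect `target` of a constructed population, starting from one host."""
    a0 = 1.0 / vulnerable_hosts
    results = {}
    for name, doubling_s in (("Code Red I", 37 * 60.0), ("Slammer", 8.5)):
        results[name] = time_to_fraction(spread_rate_from_doubling(doubling_s), a0, target)
    return results


if __name__ == "__main__":
    # Constructed population: 75,000 vulnerable SQL servers, one initially infected.
    for name, seconds in compare_outbreaks(75_000).items():
        print(f"{name}: 90% infected after {seconds / 60:.1f} minutes")
```

With these assumptions Slammer reaches 90% of the population in under three minutes while Code Red needs about twelve hours; the two times differ by exactly the ratio of the doubling times (2220 s / 8.5 s ≈ 261), because the logarithmic term depends only on the start and end fractions. The model ignores the bandwidth saturation the slide mentions, which is what actually slowed Slammer after the first minutes.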

26 05:29:00 UTC, January 25, 2003 [from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

27 30 Minutes Later [from Moore et al. “The Spread of the Slammer Worm”]

28 Secret of Slammer’s Speed
- Old-style worms (Code Red) spawn a new thread which tries to establish a TCP connection and, if successful, sends a copy of itself over TCP
  - Limited by the latency of the network
- Slammer was a connectionless UDP worm
  - No connection establishment: simply send a 404-byte UDP packet to randomly generated IP addresses
  - Limited only by the bandwidth of the network

29 Slammer Impact
- $1.25 billion of damage
- Temporarily knocked out many elements of critical infrastructure
  - Bank of America ATM network
  - The entire cell phone network in South Korea
  - Five root DNS servers
  - Continental Airlines’ ticket processing software
- The worm did not even have a malicious payload
  - Simply bandwidth exhaustion on the network and resource exhaustion on infected machines

30 Index: Malware Overview; Virus; Propagation of Viruses; Worm; Trojan Horses and other malware; Methods against malware attacks

31 Trojan Horses
- A Trojan horse is malicious code hidden in an apparently useful host program
- When the host program is executed, the Trojan does something harmful or unwanted
  - The user must be tricked into executing the host program
  - E.g., in 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP… When executed, it formatted your hard drive.
- Trojans do NOT replicate
  - This is the main difference from worms and viruses

32 Trojan Insidious Attack
- Trojans are an insidious attack against networks
  - They disguise themselves as useful programs and hide malicious contents (backdoors, rootkits) in the program
  - They allow attackers remote access
- Trojan programs also use known ports
  - HTTP (TCP 80) or DNS (UDP 53)

33 Common Trojan Programs and Ports Used (details are not required)

34 Rootkits (revisit)
- A rootkit is a set of Trojan program binaries
  - Main characteristic: stealthiness (hides the infection from the host’s owner)
  - Creates a hidden directory: /dev/.lib, /usr/src/.poop and similar
    - Often uses invisible characters in the directory name
  - Installs hacked binaries for system programs such as netstat, ps, ls, du, login
- Typical infection path:
  - Use a stolen password or a dictionary attack to log in
  - Use a buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated, lpr, or passwd to gain root access
  - Download the rootkit by FTP, unpack, compile and install

35 Detecting Rootkit Presence
- Sad way to find out
  - Run out of physical disk space because of sniffer logs
  - The logs are invisible because du and ls have been hacked!
- Manual confirmation
  - Reinstall a clean ps and see what processes are running
- Automatic detection
  - Host-based intrusion detection can find rootkit files, assuming the rootkit did not disable your intrusion detection system!
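Slides 34 and 35 together describe what a host-based check has to do: not trust the installed ls, du or ps, look for the hidden directories and invisible names a rootkit leaves behind, and compare system binaries against hashes taken while the host was clean. The following is an added example written for these notes, not part of the lecture or of any real integrity checker; it builds a constructed directory tree under a temporary path (so nothing on the real system is touched), takes a manifest, simulates the replacement of ls and the creation of /dev/.lib-style directories, and runs both checks. The function names, the watched-binary list and the sample layout are my own choices.

```python
import hashlib
import os
import tempfile
import unicodedata
from pathlib import Path

# Binaries the slide names as typical rootkit replacements.
WATCHED_BINARIES = ["netstat", "ps", "ls", "du", "login"]


def suspicious_name(name: str) -> bool:
    """Flag names chosen to be overlooked in a listing: names made only of dots
    and spaces ('. ', '...'), names with leading/trailing whitespace, and names
    containing control, format (zero-width) or unusual space characters."""
    if name in (".", ".."):
        return False
    if not name.strip() or set(name) <= {".", " "}:
        return True
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf", "Zl", "Zp") or (cat == "Zs" and ch != " "):
            return True
    return name != name.strip()


def find_suspicious_dirs(root: str, no_dotdirs=()) -> list:
    """Walk `root` through the raw directory API (os.walk uses os.scandir), not
    a possibly trojaned ls, and report odd names plus dot-directories under
    paths where none belong (the slide's /dev/.lib and /usr/src/.poop)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if suspicious_name(d) or (dirpath in no_dotdirs and d.startswith(".")):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bin_dir: str) -> dict:
    """Record hashes while the host is known-good; store the manifest off-host."""
    return {n: sha256_file(os.path.join(bin_dir, n)) for n in WATCHED_BINARIES
            if os.path.isfile(os.path.join(bin_dir, n))}


def verify_manifest(bin_dir: str, manifest: dict) -> list:
    """Names whose on-disk hash no longer matches the manifest, or that vanished."""
    changed = []
    for name, expected in manifest.items():
        p = os.path.join(bin_dir, name)
        if not os.path.isfile(p) or sha256_file(p) != expected:
            changed.append(name)
    return changed


def demo() -> dict:
    """Constructed scenario in a temporary tree: take a clean manifest, then
    simulate the infection the slide describes and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(bin_dir)
        for name in WATCHED_BINARIES:
            Path(bin_dir, name).write_bytes(b"clean placeholder for " + name.encode())
        manifest = build_manifest(bin_dir)

        # Simulated rootkit install: replaced ls, hidden dirs, one "invisible" name.
        Path(bin_dir, "ls").write_bytes(b"placeholder standing in for a trojaned ls")
        os.makedirs(os.path.join(tmp, "dev", ".lib"))
        os.makedirs(os.path.join(tmp, "usr", "src", ".poop"))
        os.makedirs(os.path.join(tmp, "tmp", ". "))

        watch = (os.path.join(tmp, "dev"), os.path.join(tmp, "usr", "src"))
        return {
            "changed": verify_manifest(bin_dir, manifest),
            "hidden": [os.path.relpath(p, tmp)
                       for p in find_suspicious_dirs(tmp, no_dotdirs=watch)],
        }


if __name__ == "__main__":
    print(demo())
```

The manifest check only helps if the hashes were recorded before the compromise and kept somewhere the attacker cannot rewrite, and, as the slide's last bullet warns, a rootkit that patches the kernel or the checker itself can lie to os.walk and to the hash routine just as it lies to ls; booting from known-clean media and inspecting the disk offline is the way around that.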

36 Spyware
- Sends information from the infected computer to the attacker
  - Confidential financial data
  - Passwords
  - PINs
  - Any other stored data
- Can even record each keystroke entered

37 Adware
- Similar to spyware
  - Can be installed without the user being aware
  - Displays unwanted pop-up ads
- Main goal
  - Determine the user’s online purchasing habits
  - Tailored advertisement
- Problem with adware
  - Slows down computers

38 Index: Malware Overview; Virus; Propagation of Viruses; Worm; Trojan Horses and other malware; Methods against malware attacks

39 Protecting Against Malware Attacks
- Protecting against malware is a difficult task
  - New viruses, worms and Trojan programs appear daily
  - Most antivirus software uses signatures to check for known viruses

40 Educating Your Users
- Structured training
  - Includes all employees and management
- Monthly security updates
  - A simple but effective training method
- Recommend that users update the virus signature database
  - Activate automatic updates

41 Defense via Software and Hardware
- Anti-virus software
- SpyBot and Ad-Aware
  - Help protect against spyware and adware
- Firewalls
  - Hardware (enterprise solution)
  - Software (personal solution)
- Intrusion Detection System (IDS)
  - Monitors your network 24/7