1. Outlines
Mobile malcode Overview
Viruses
Worms

2. Objectives
Understand the definition and classification of malware, especially for three major types: virus, worm, and botnet
Understand the basic virus defense mechanisms: scanning, integrity checking and interception
Understand different target discovery methods: brute force port scanning and via target lists
Understand the major botnet Command and Control topologies and mechanisms: via IRC or http

3. Mobile Malcode Overview
Malicious programs which spread from machine to machine without the consent of the owners/operators/users
Windows Automatic Update is (effectively) consensual
Many strains possible
Viruses
Worms
Compromised Auto-updates
No user action required, very dangerous

4. Malicious Software Stallings Fig 19-1.
Taxonomy can be divided into two categories: those that need a host program, and those that are independent;
can also differentiate between those software threats that do not replicate and those that do.

5. Trapdoors (Back doors)
Secret entry point into a program
Allows those who know access bypassing usual security procedures, e.g., authentications
Have been commonly used by developers
A threat when left in production programs allowing exploited by attackers
Very hard to block in O/S
Requires good s/w development & update

6. Logic Bomb One of oldest types of malicious software
Code embedded in legitimate program
Activated when specified conditions met
E.g., presence/absence of some file
Particular date/time
Particular user
Particular series of keystrokes
When triggered typically damage system
Modify/delete files/disks

7. Trojan Horse
Programs that appear to have one function but actually perform another.
Modern Trojan Horse: resemble a program that the user wishes to run - usually superficially attractive
E.g., game, s/w upgrade etc
When run performs some additional tasks
Allows attacker to indirectly gain access they do not have directly
Often used to propagate a virus/worm or install a backdoor
Or simply to destroy data
The Trojan war had raged on for many years, and there seemed to be no end to it in sight. The two sides, the Greeks and Trojans, were in battle over Helen, the most beautiful woman in the world. Since the Greeks knew they could not win by force, they decided to do this by trickery. A few of the men hid themselves in a huge hollow wooden horse, now known as the Trojan Horse, and the rest packed up into their ship and left, and one Greek, named Sinon, went into Troy as a spy. The Trojans thought the Greeks had surrendered, and were persuaded by Sinon to bring the horse into the city as a victory trophy. That night, the soldiers inside the horse came out and opened the gates to Troy. The Greek ships, which were waiting around the corner, came and ransacked Troy, and thus the war was ended.

8. Zombie Program which secretly takes over another networked computer
Then uses it to indirectly launch attacks
Often used to launch distributed denial of service (DDoS) attacks
Exploits known flaws in network systems

9. Outlines
Mobile malcode Overview
Viruses
Worms

10. Viruses
Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
On execution
Search for valid target files
Usually executable files
Often only infect uninfected files
Insert a copy into targeted files
When the target is executed, the virus starts running
Only spread when contaminated files are moved from machine to machine
Mature defenses available

11. Virus Statistics 1988: Less than 10 known viruses
1990: New virus found every day
1993: new viruses per week
1999: 45,000 viruses and variants
Source: McAfee

12. Virus Operation virus phases: details usually machine/OS specific
propagation – replicating to programs/disks
dormant – waiting on trigger event
triggering – by event to execute payload
execution – of payload
details usually machine/OS specific
exploiting features/weaknesses

13. Anatomy of a Virus Two primary components Propagation
Propagation mechanism
Payload
Propagation
Method by which the virus spreads itself.
Old days: single PC, transferred to other hosts by ways of floppy diskettes.
Nowadays: Internet.

14. Virus Compression

15. Virus Infectables I -- Macros
Usually executable files: .com, .exe, .bat
Macro code attached to some data file
Interpreted by program using file
E.g., Word/Excel macros
Especially using auto command & command macros
Code is now platform independent
Is a major source of new viral infections
Blur distinction between data and program files
Classic trade-off: "ease of use" vs "security”
Have improving security in Word etc
Are no longer dominant virus threat

16. Variable Viruses Polymorphic viruses
Change with each infection
Executables virus code changing (macros: var name, line spacing, etc.)
Control flow permutations (rearrange code with goto’s)
Attempt to defeat scanners
Virus writing tool kits have been created to "simplify" creation of new viruses
Current tool kits create viruses that can be detected easily with existing scanner technology
But just a matter of time …

17. Virus Detection/Evasion
Look for changes in size
Check time stamp on file
Look for bad behavior
False alarm prone
Look for patterns (byte streams) in virus code that are unique
Look for changes in file checksum
Compression of virus and target code
Modify time stamp to original
Do bad thing insidiously
Change patterns – polymorphism
Rearrange data in the file
Disable anti-virus programs

18. More on Virus Detection
Scanning
Depend on prior knowledge of a virus
Check programs before execution
Need to be regularly updated
Integrity Checking
Read entire disk and record integrity data that acts as a signature for the files and system sectors
Use cryptographic computation technique instead of simple checksum

19. More on Virus Detection
Interception
Monitoring for system-level routines that perform destructive acts
Good for detecting logic bomb and Trojan horse as well
Cannot depend entirely upon behavior monitors as they are easily bypassed.
Combination of all three techniques can detect most viruses

20. (not required for exam)
History of Viruses
(not required for exam)

21. First Wild Viruses Apple I/II/III: 1981
Three viruses for the Apple machines emerged in 1981
Boot sector viruses
Floppies of that time had the disk operating system (DOS) on them by default
Wrote it without malice

22. First PC Virus: Pakistani Brain Virus (1986)
Written by Pakistani brothers to protect their copyright
Claim: infect only machines that had an unlicensed copy of their software
Boot sector, memory resident
Printed
“Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
LAHORE-PAKISTAN PHONE :430791,443248,
Beware of this VIRUS.... Contact us for vaccination !!"
1983
Fred Cohen, while working on his dissertation, formally defines a computer virus as “a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.”
1986
Two programmers named Basit and Amjad replace the executable code in the boot sector of a floppy disk with their own code designed to infect each 360kb floppy accessed on any drive. Infected floppies had “© Brain” for a volume label.

23. Destructive Virus: Chernobyl (1998)
Designed to inflict harm
Flash BIOS: would cause permanent hardware damage to vulnerable motherboards
Also overwrote first 2K sectors of each disk
Typically resulted in a loss of data and made it unbootable
Previously believed that being benign was necessary for virus longevity
Chernobyl provided evidence to the contrary

24. Early Macro Virus: Melissa (1999)
Microsoft Word 97 Macro virus
Target first 50 entries in Outlook’s address book
Adjusted subject “Important messages from ______”
Points to attachment as a document requested
Contains a list of porn sites
Macro security was greatly increased with Melissa

25. Outlines
Mobile malcode Overview
Viruses
Worms

26. Worms
Autonomous, active code that can replicate to remote hosts without any triggering
Replicating but not infecting program
Because they propagate autonomously, they can spread much more quickly than viruses!
Speed and general lack of user interaction make them the most significant threats

27. +
Activation
Target Discovery
Attacker
Payload
Carrier
Worm Overview

28. Brute Force Port Scanning
Target Discovery
Brute Force Port Scanning
Sequential: working through an address block
Random
Target Lists
Externally generated through Meta servers
Internal target list
Passive worms

29. External Target Lists: Metaserver Worms
Many systems use a "metaserver", a server for information about other servers
Games: Use as a matchmaker for local servers
Google: Query google to find web servers
Windows Active Directory: Maintains the "Network Neighborhood"
Worm can leverage these services
Construct a query to find new targets
Each new victim also constructs queries
Creates a divide-and-conquer infection strategy
Original strategy, not yet seen
Metaserver
Server
Simple animation of metaserver protocol. Metaserver term first used/created by ERic Mehlhaff for Netrek, for a server which acts as a guide to other servers.
A worm can use a metaserver to get one or more vulnerable servers to infect. This is an original strategy, we haven’t seen it in practice. But we need to understand this strategy to build defenses in advance, as it does present a potential anomaly at the metaserver. Metaservers are quite common in practice, as many multiplayer games, google, and Windows uses metaservers

30. How Fast Are Metaserver Worms?
Game Metaserver: Used to attack a small population (eg, all Half-Life servers)
~1 minute to infect all targets
Google: Used to enhance a scanning web worm
Each worm conducts initial queries to find URLs
This metaserver acceleration simulation: Each new worm queries a metaserver to find ONE potential victim, and then scans normally. This victim is randomly chosen from only 1/3 of the vulnerable population. 300,000 vulnerable machines.
This would be a “code red” style worm (10 scans/second) which can do a google query at the start, to find ONE vulnerable machine. That alone drastically changes the spread rate of the worm. If it discovers 2 vulnerable machines in the process, the speed is increased even more, as now the metaserver portion grows on the exponential/logistic graph instead of linear.
The game observation is critical, as these systems are not generally written with high security in mind, as they would seem to be too small to worry about. But a metaserver attack enables a large, fast compromise of all game servers listed in the matchmaking/metaserver.

31. Internal Target Lists: Topological Information
Look for local information to find new targets
URLs on disk and in caches
Mail addresses
.ssh/known_hosts
Ubiquitous in mail worms
More recent mail worms are more aggressive at finding new addresses
Basis of the Morris worm (1988)
Address space was too sparse for scanning to work
Topological worms are particularly fast, originally used in the Morris worm. In a topological worm, the worm simply uses local information to find new targets.
As a result, they can be very fast, depending on what the topology involved looks like. The Morris worm was a topological worm, as the Internet was too sparse and slow for scanning to work
/etc/hosts

32. How Fast are Topological Worms?
Depends on the topology G = (V, E)
Vulnerable machines are vertices, edges are local information
Time to infect is a function of the shortest paths from the initial point of infection
Power law or similar graph (KaZaA)
Depends greatly on the parameters, but generally very, VERY fast
The speed of a topological worm depends on the connectivity in the network, the longest shortest-path from the initial point of infection. Thus it can be very fast.
EG, for a power-law or similar enough graph (where there are numerous supernodes, which we believe KaZaA to be like) are very fast: hundreds or even tens of timesteps. If ~1 second/step, such worms can be incredibly fast.
Similarly, Chord (Robert Morris's "ring with fingers" structure) has lg(n) time to infect all nodes, as the worm follows the finger pointers.
This graph is a "vaguely Chord-ish" network, using one forward pointer and one finger. Its very fast.
Hypothesis: If, in a peer-to-peer network, one can find or reach an arbitrary datum in expected lg(n) time and there is a fixed (constant) maximum amount of replication, then one can create a worm which would infect the P2P network in O(lg(n)) time. No proof yet, this is just a hunch.

33. Passive Worms Wait for information about other targets
E.g., CRclean, an anti-CodeRed II worm
Wait for Code Red, respond with counterattack
Remove Code Red II and install itself on the machine
Speed is highly variable
Depends on normal communication traffic
Highly stealthy
Have to detect the act of infection, not target selection
Passive worms DON'T actively look for targets, instead they wait for targets to come.
CRclean was written and posted (with deliberate flaws) to bugtraq, but not released in the wild. It was a passive anti-worm to code red.
Nimda used a passive attack (to an IE exploit) to try to cross firewalls.
Finally, the contagion strategy (which KaZaA may be vulnerable to) is a passive strategy.
The speed of passive worms is highly variable, it depends on the traffic they are using to spread. But they are very stealthy as they don't do active, only reactive communication.

34. Activation

35. Activation Human activation Human activity-based activation
Needs social engineering, especially for worms
Melissa – “Attached is an important message for you!”
Iloveyou – “Open this message to see who loves you!”
Human activity-based activation
E.g. logging in, rebooting (Nimda’s secondary propagation)
Scheduled process activation
E.g. updates, backup etc.
Self activation, most common
E.g. Code Red exploit the IIS web servers
Activation: how worm gets activated on a host.
Self activation the fastest one

36. Melissa Worm: One of the most infamous worms

38. Klez worm

39. Payload

40. Payloads None/nonfunctional Internet Remote Control
Most common
Still can have significant effects through traffic and machine load (e.g., Morris worm)
Internet Remote Control
Code Red II open backdoor on victim machines: anyone with a web browser can execute arbitrary code
Internet Denial of Service (DOS)
E.g., Code Red, Yaha
Data Collection
Data Damage: Klez
Worm maintenance
According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down to the point of being unusable.

41. Attacker Experimental Curiosity, e.g., I Love You worm Pride and Power
Commercial Advantage
Extortion and Criminal Gain
Terrorism
Cyber Warfare
Reason for this: sometimes the best defense is to remove the motivation in the first place
ILoveYou worm was designed by a student and proposed as a thesis project
before it was released.
a desire to acquire (limited) power, and to show off their knowledge and ability

43. IIS, Code Red 2 backdoor, etc
Some Major Worms
Worm
Year
Strategy
Victims
Other Notes
Morris
1988
Topological
6000
First major autonomous worm. Attacked multiple vulnerabilities.
Code Red
2001
Scanning
~300,000
First recent "fast" worm, 2nd wave infected 360,000 servers in 14 hours
CRClean
Passive
none
Unreleased Anti-Code-Red worm.
Nimda
IIS, Code Red 2 backdoor, etc
~200,000
Local subnet scanning. Effective mix of techniques
Scalper
2002
<10,000
Released 10 days after vulnerability revealed
Slammer
2003
>75,000
Spread worldwide in 10 minutes
Strategy is the target selection strategy, which will be discussed in detail later.
There have been numerous other worms, but these are a good representative sample of major incidents. I’ll refer to these elsewhere in the talk, you don’t need to memorize this list.
Nimda was so effective partially because it uses 5 different infection vectors:
via
via open network shares
via browsing of compromised web sites
exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities.
Both Code Red, and Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server. " [1] "
via back doors left behind by the "Code Red II" and "sadmind/IIS" worms.
Scalper worm, attack freeBSD system.

44. Backup Slides

45. The Spread of the Sapphire/Slammer SQL Worm
Before January 25th, this talk contains a considerable amount of motivation as to why fast Internet worms are a potential threat. They are now a real threat.
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. Most of these infections actually occurred within 10 minutes.
This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread.
We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.

46. How Fast was Slammer? Infected ~75,000 machines in 10 minutes
Full scanning rate in ~3 minutes
>55 Million IPs/s
Initial doubling rate was about every 8.5 seconds
Local saturations occur in <1 minute
The somewhat surprising part is just how fast. We start to see local links saturating in less than a minute (where Sapphire stops following the RCS model), and general internet scanning saturates at 3 minutes.
Based on the size of our windows and the number of packets received, Sapphire's peak was over 55 million IPs/second, randomly chosen from the 232 bit IP address space.
At a rate of 55 million packets per second, this easily saturates the bulk of the Internet in less than 10 minutes. The most significant exceptions are large addresses connected by low-bandwidth links, as these connections will not receive all intended scans.

47. Why Was Sapphire Fast: A Bandwidth-Limited Scanner
Code Red's scanner is latency-limited
In many threads: send SYN to random address, wait for response or timeout
Code Red  ~6 scans/second,
population doubles about every 40 minutes
Every Sapphire copy sent infectious packets at maximum rate
1 Mb upload bandwidth  280 scans/second
100 Mb upload bandwidth  28,000 scans/second
Any reasonably small TCP worm can spread like Sapphire
Needs to construct SYNs at line rate, receive ACKs in a separate thread
Sapphire didn't infect significantly more machines than Code Red, if anything it infected substantially less. Nevertheless, code red was nearly two orders of magnitude slower than Sapphire, with the population doubling approximately every 40 minutes (37 minutes is our best estimate).
Code Red and previous TCP worms have always used one or more threads, with each thread trying to connect() to individual machines, and, if successful, infecting it. Thus any given thread is limited by the network latency: the time to receive a response (positive or negative) or for the connect call to timeout. Even with several hundred threads, the worm is still limited by the latency.
Sapphire, on the other hand, since its scan also infects, never waits for a response. It simply sends out packets at line rate. So obviously it scans the net, especially before saturation effects occur, much faster than Code Red.
Note that bandwidth-limited scanners change scanning from being just "fast" to "very fast", enabling <15 minute spread times.

48. Virus Infectables (cont’d)
System sector viruses
Infect control sectors on a disk
DOS boot sectors
Partition (MBR) sectors
System sector viruses spread easily via floppy disk infections
Companion viruses
Create a .com files for each .exe files
DOS runs COM files before EXE files
Relatively easy to find and eliminate
Cluster viruses
Change the DOS directory info so that directory entries point to the virus code instead of the real program
Even though every program on the disk may be "infected“, there is only one copy of the virus on the disk
Master Boot Record, a small program that is executed when a computer boots up. Typically, the MBR resides on the first sector of the hard disk.

49. Virus Recovery
Extricate the virus from the infected file to leave the original behind
Remove the redirection to the virus code
Recover the file from backup
Delete the files and move on with life

50. Structure of A Virus Virus() { infectExecutable(); if (triggered()) {
doDamage(); }
jump to main of infected program;
void infectExecutable() {
file = choose an uninfected executable file;
prepend V to file;
void doDamage() { ... }
int triggered() { return (some test? 1 : 0); }

51. Fred Cohen’s Work: 1983 First documented work with viruses
Cohen’s PhD advisor, Leo Adelman, coined the term “virus”
Virus: “a program that can infect other programs by modifying them to include a … version of itself”
Viruses can quickly (~30 min) spread through a networked file system
Dissertation (1986) conclusion: "universal" detection of a virus is undecidable
No 100% guaranteed detection for virus/worm

52. Early Mail Virus: Happy99 (1999)
One of the earliest viruses that propagated automatically when an infected attachment is executed
Did not infect files, only user accounts
sent from infected person to others in address book (novelty at the time)

53. Morris Worm best known classic worm released by Robert Morris in 1988
targeted Unix systems
using several propagation techniques
simple password cracking of local pw file
exploit bug in finger daemon
exploit debug trapdoor in sendmail daemon
if any attack succeeds then replicated self

54. Carrier Self-Carried Transmit itself as part of the infection process
Second Channel E.g. blaster worm use RPC to exploit, but use TFTP to download the whole virus body
Blaster [31], require
a secondary communication channel to complete the
infection. Although the exploit uses RPC, the victim machine
connects back to the infecting machine using TFTP to
download the worm body, completing the infection process.
An embedded worm sends itself along as
part of a normal communication channel, either appending
to or replacing normal messages. As a result, the propagation
does not appear as anomalous when viewed as a pattern
of communication. The contagion strategy [47] is an example
of a passive worm that uses embedded propagation.