Malware, Software Insecurity
CS166
Chris Pollett
Dec 3, 2012
Outline
More about worms
Trojans
Quiz
Malware Detection
Viruses
Botnets and Flash Worms
Software Reverse Engineering
Morris Worm
Last time, we started talking about malware and gave some historical examples -- the last of which we discussed was the Morris Worm.
We begin today by describing it in more detail.
First appeared in 1988
What it tried to do
Determine where it could spread, then...
...spread its infection and...
...remain undiscovered
Morris claimed his worm had a bug!
It tried to re-infect infected systems
Led to resource exhaustion
Effect was like a so-called rabbit
How Morris Worm Spread
Obtained access to machines by...
User account password guessing
Exploiting a buffer overflow in fingerd
Exploiting a trapdoor in sendmail
Flaws in fingerd and sendmail were well-known, but not widely patched
Bootstrap Loader
Once Morris worm got access...
"Bootstrap loader" sent to victim -- 99 lines of C code
Victim compiled and executed code
Bootstrap loader fetched the worm
Victim authenticated sender!
-- Don't want user to get a bad worm...
How to Remain Undetected?
If transmission interrupted, code deleted
Code encrypted when downloaded
Code deleted after decrypt/compile
When running, worm regularly changed name and process identifier (PID)
Morris Worm: Bottom Line
Shock to Internet community of 1988
Internet of 1988 much different than today
Internet designed to withstand nuclear war
Yet, brought down by one graduate student!
At the time, Morris' father worked at NSA...
Could have been much worse
Result? CERT, more security awareness
But should have been a wakeup call
Code Red Worm
Appeared in July 2001
Infected more than 250,000 systems in about 15 hours
Eventually infected 750,000 out of about 6,000,000 vulnerable systems
Exploited buffer overflow in Microsoft IIS server software
Then monitored traffic on port 80, looking for other susceptible servers
Code Red: What it Did
Day 1 to 19 of month: spread its infection
Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov
Later version (several variants)
Included trapdoor for remote access
Rebooted to flush worm, leaving only trapdoor
Some say it was "beta test for info warfare"
But no evidence to support this
SQL Slammer
Infected 75,000 systems in 10 minutes!
At its peak, infections doubled every 8.5 seconds
Spread "too fast"...
Why was Slammer Successful?
Worm size: one 376-byte UDP packet
Firewalls often let one packet through ...
...Then monitor ongoing "connections"
Expectation was that much more data required for an attack...
... So no need to worry about 1 small packet
Slammer defied "experts"
Trojan Horse Example
Trojan: unexpected functionality
Prototype trojan for the Mac
File icon for freeMusic.mp3:
For a real mp3, double click on icon
iTunes opens
Music in mp3 file plays
But for freeMusic.mp3, unexpected results...
Mac Trojan
Double click on freeMusic.mp3
iTunes opens (expected)
"Wild Laugh" (not expected)
Message box (not expected)
Trojan Example
How does freeMusic.mp3 trojan work?
This "mp3" is an application, not data
This trojan is harmless, but...
...could have done anything user could do
Delete files, download files, launch apps, etc.
Quiz
Which of the following is true?
Kerberos makes use of public key cryptography.
A buffer stored as a local variable cannot cause a buffer overflow software flaw.
A race condition flaw might occur if a security process is not atomic.
Malware Detection
Three common detection methods
Signature detection
Change detection
Anomaly detection
We briefly discuss each of these
And consider advantages...
...and disadvantages
Signature Detection
A signature may be a string of bits in an exe. Might also use wildcards, hash values, etc.
For example, W32/Beast virus has signature
83EB 0274 EB0E 740A 81EB 0301 0000
That is, this string of bits appears in virus
We can search for this signature in all files
If string found, have we found W32/Beast?
Not necessarily -- string could appear elsewhere
At random, chance is only 1/2^112 (the signature is 14 bytes = 112 bits)
But software is not random
Signature Detection - Pros and Cons
Advantages
Effective on "ordinary" malware
Minimal burden for users/administrators
Disadvantages
Signature file can be large (10s of thousands)...
...making scanning slow
Signature files must be kept up to date
Cannot detect unknown viruses
Cannot detect some advanced types of malware
The most popular detection method
Change Detection
Viruses must live somewhere
If you detect a file has changed, it might have been infected
How to detect changes?
Hash files and (securely) store hash values
Periodically re-compute hashes and compare
If hash changes, file might be infected
Change Detection - Pros and Cons
Advantages
Virtually no false negatives
Can even detect previously unknown malware
Disadvantages
Many files change -- and often
Many false alarms (false positives)
Heavy burden on users/administrators
If suspicious change detected, then what?
Might fall back on signature-based system
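The two methods above fit together as the slide suggests: hash files for a baseline, re-hash and compare, and send only the changed files to a signature scan. The following is an added example, not code from the slides; file names and contents are constructed, and the "??" one-byte wildcard notation is an assumption about how a signature file might be written.

```python
import hashlib
import re

# Signature quoted on the slide for W32/Beast (14 bytes). In a signature file,
# "??" is a common notation for a one-byte wildcard (assumed here, used in tests).
BEAST_SIGNATURE = "83EB 0274 EB0E 740A 81EB 0301 0000"

def compile_signature(sig_text):
    """Turn a hex signature with optional '??' wildcards into a bytes regex."""
    hexes = sig_text.replace(" ", "")
    parts = []
    for i in range(0, len(hexes), 2):
        pair = hexes[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)

def signature_hits(data, patterns):
    """Names of every signature whose pattern occurs somewhere in data."""
    return [name for name, pat in patterns.items() if pat.search(data)]

def baseline(files):
    """Change detection, step 1: hash every file; these hashes must be stored securely."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}

def changed_files(files, stored):
    """Step 2: recompute and compare; a changed or newly appeared file is suspect."""
    return sorted(name for name, body in files.items()
                  if stored.get(name) != hashlib.sha256(body).hexdigest())

def triage(files, stored, patterns):
    """Fallback: only the changed files are scanned against the signature set."""
    return {name: signature_hits(files[name], patterns)
            for name in changed_files(files, stored)}

# Constructed sample file system: day 0 baseline, then two changes on day 1.
DAY0 = {"editor.exe": b"MZ\x90\x00 ordinary program bytes",
        "report.txt": b"quarterly numbers"}
STORED = baseline(DAY0)
DAY1 = dict(DAY0)
DAY1["report.txt"] = b"quarterly numbers, revised"        # benign edit: a false alarm
DAY1["editor.exe"] = DAY0["editor.exe"] + bytes.fromhex(   # constructed "infection"
    BEAST_SIGNATURE.replace(" ", ""))
PATTERNS = {"W32/Beast": compile_signature(BEAST_SIGNATURE)}

if __name__ == "__main__":
    print(triage(DAY1, STORED, PATTERNS))
    # {'editor.exe': ['W32/Beast'], 'report.txt': []}
```

The benign edit to report.txt still shows up as a change, which is the false-positive burden the slide describes; the signature pass is what separates it from the infected file.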
Anomaly Detection
Monitor system for anything "unusual" or "virus-like" or potentially malicious or ...
Examples of "unusual"
Files change in some unexpected way
System misbehaves in some way
Unexpected network activity
Unexpected file access, etc., etc., etc., etc.
But, we must first define "normal"
Normal can (and must) change over time
Anomaly Detection -- Pros and Cons
Advantages
Chance of detecting unknown malware
Disadvantages
No proven track record
Trudy can make abnormal look normal (go slow)
Must be combined with another method (e.g., signature detection)
Also popular in intrusion detection (IDS)
Difficult unsolved (unsolvable?) problem
Future of Malware
Recent trends
Encrypted, polymorphic, metamorphic malware
Fast replication/Warhol worms
Flash worms, slow worms
Botnets
The future is bright for malware
Good news for the bad guys...
...bad news for the good guys
Future of malware detection?
Encrypted Viruses
Virus writers know signature detection is used
So, how to evade signature detection?
Encrypting the virus is a good approach
Ciphertext looks like random bits
Different key, then different "random" bits
So, different copies have no common signature
Encryption often used in viruses today
How to detect encrypted viruses?
Scan for the decryptor code
More-or-less standard signature detection
But may be more false alarms
Why not encrypt the decryptor code?
Then encrypt the decryptor of the decryptor (and so on...)
Encryption of limited value to virus writers
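To see why the slide says to scan for the decryptor, the added example below (not from the slides) builds three toy copies of a "virus" from a constant stub plus a body XORed under three different keys, then computes the bytes common to all copies. Stub, body and keys are all constructed stand-ins; the only thing that survives across copies is the stub, so that is where a signature has to go.

```python
# Constructed stand-ins, not real malware: a stub that stays the same in every copy,
# and a body that appears as different bytes in each copy because the key changes.
STUB = b"\xeb\x10 constructed-decryptor-stub "
BODY = b"constructed body: the part a signature would normally match"

def xor_bytes(data, key):
    """Toy XOR 'encryption'; the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_copy(key):
    """One copy as it would sit on disk: constant stub, per-copy key, encrypted body."""
    return STUB + key + xor_bytes(BODY, key)

def longest_common_substring(a, b):
    """Classic dynamic-programming LCS over bytes; fine for small samples."""
    best, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, best_end = cur[j], i
        prev = cur
    return a[best_end - best:best_end]

def derive_signature(samples):
    """What survives across all samples is the only thing a signature can target."""
    sig = samples[0]
    for s in samples[1:]:
        sig = longest_common_substring(sig, s)
    return sig

# Three copies under three different (constructed) keys that differ in every byte.
KEYS = [b"\x11\x22\x33\x44", b"\xa5\x5a\xc3\x3c", b"\x07\x70\x0e\xe0"]
COPIES = [make_copy(k) for k in KEYS]

def body_overlap(copies):
    """Longest byte run shared by the encrypted bodies alone (stub and key removed)."""
    bodies = [c[len(STUB) + len(KEYS[0]):] for c in copies]
    return derive_signature(bodies)

if __name__ == "__main__":
    print(derive_signature(COPIES))      # the stub, and nothing else
    print(len(body_overlap(COPIES)))     # a few bytes at most
```

A signature that short is the source of the extra false alarms the slide mentions: the stub is small, so unrelated programs are more likely to contain it.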
Polymorphic Malware
Polymorphic worm
Body of worm is encrypted
Decryptor code is mutated (or morphed)
Trying to hide decryptor signature
Like an encrypted worm on steroids...
Q: How to detect?
A: Emulation -- let the code decrypt itself...
...Slow, and anti-emulation is possible
Metamorphic Malware
A metamorphic worm mutates before infecting a new system...
...Sometimes called body polymorphic
Such a worm can, in principle, evade signature-based detection
Mutated worm must function the same
And be different enough to avoid detection
Detection is a difficult research problem
Metamorphic Worm
One approach to metamorphic replication...
The worm is disassembled
Worm then stripped to a base form
Random variations inserted into code (permute the code, insert dead code, etc., etc.)
Assemble the resulting code
This results in a worm with same functionality as original, but different signature
Warhol Worm
"In the future everybody will be world-famous for 15 minutes"-- Andy Warhol
Warhol Worm is designed to infect the entire Internet in 15 minutes
Slammer infected 250,000 in 10 minutes
"Burned out" bandwidth
Could not have infected entire Internet in 15 minutes -- too bandwidth intensive
Can rapid worm do better than Slammer?
A Possible Warhol Worm
Seed worm with an initial hit list containing a set of vulnerable IP addresses
Depends on the particular exploit
Tools exist for identifying vulnerable systems
Each successful initial infection would attack selected part of IP address space
Could infect entire Internet in 15 minutes!
No worm this sophisticated has yet been seen in the wild (as of 2012)
Slammer generated random IP addresses
Flash Worm
Can we do better than Warhol worm?
Infect entire Internet in less than 15 minutes?
Searching for vulnerable IP addresses is the slow part of any worm attack
Searching might be bandwidth limited
Like Slammer
Flash worm is designed to infect entire Internet almost instantly
Flash Worm
Predetermine all vulnerable IP addresses
Depends on details of the attack
Embed these addresses in worm(s)
Results in huge worm(s)
But, the worm replicates, it splits
No wasted time or bandwidth!
Flash Worm
Estimated that ideal flash worm could infect the entire Internet in 15 seconds!
Some debate as to actual time it would take
Estimates range from 2 seconds to 2 minutes
In any case...
...much faster than humans could respond
So, any defense must be fully automated
How to defend against such attacks?
Rapid Malware Defenses
Master IDS watches over network
"Infection proceeds" on part of network
Determines whether an attack or not
If so, IDS saves most of the network
If not, only a slight delay
Beneficial worm
Disinfects faster than the worm infects
Other approaches?
Botnet
Botnet: a "network" of infected machines
Infected machines are bots
Victim is unaware of infection (stealthy)
Botmaster controls botnet
Generally, using IRC
P2P botnet architectures exist
Botnets used for...
Spam, DoS attacks, keylogging, ID theft, etc.
Botnet Examples
XtremBot
Similar bots: Agobot, Forbot, Phatbot
Highly modular, easily modified
Source code readily available (GPL license)
UrXbot
Similar bots: SDBot, UrBot, Rbot
Less sophisticated than XtremBot type
GT-Bots and mIRC-based bots
mIRC is common IRC client for Windows
More Botnet Examples
Mariposa
Used to steal credit card info
Creator arrested in July 2010
Conficker
Estimated 10M infected hosts (2009)
Kraken
Largest as of 2008 (400,000 infections)
Srizbi
For spam, one of largest as of 2008
SRE - Software Reverse Engineering
Software Reverse Engineering
Also known as Reverse Code Engineering (RCE)
Or simply "reversing"
Can be used for good...
Understand malware
Understand legacy code
...or not-so-good
Remove usage restrictions from software
Find and exploit flaws in software
Cheat at games, etc.
SRE
We assume...
Reverse engineer is an attacker
Attacker only has exe (no source code)
Not bytecode (i.e., no Java, .Net)
Attacker might want to
Understand the software
Modify (patch) the software
SRE usually focused on Windows
So we focus on Windows
SRE Tools
Disassembler
Converts exe to assembly (as best it can)
Cannot always disassemble 100% correctly
In general, it is not possible to re-assemble disassembly into working exe
Debugger
Must step thru code to completely understand it
Labor intensive -- lack of useful tools
Hex Editor
To patch (modify) exe file
Process Monitor, VMware, etc.