Outline

• More about worms
• Trojans
• Quiz
• Malware Detection
• Viruses
• Botnets and Flash Worms
• Software Reverse Engineering

Morris Worm

• Last day, we started talking about malware and gave some historical examples -- the last of which we discussed was the Morris Worm.
• We begin today by describing it in more detail.
• First appeared in 1988
• What it tried to do
  • Determine where it could spread, then...
  • ...spread its infection and...
  • ...remain undiscovered
• Morris claimed his worm had a bug!
  • It tried to re-infect infected systems
  • Led to resource exhaustion
  • Effect was like a so-called rabbit

How Morris Worm Spread

• Obtained access to machines by...
  • User account password guessing
  • Exploiting a buffer overflow in fingerd
  • Exploiting a trapdoor in sendmail
• Flaws in fingerd and sendmail were well-known, but not widely patched

Bootstrap Loader

• Once Morris worm got access...
• "Bootstrap loader" sent to victim -- 99 lines of C code
• Victim compiled and executed code
• Bootstrap loader fetched the worm
• Victim authenticated sender!
  -- Don't want user to get a bad worm...

How to Remain Undetected?

• If transmission interrupted, code deleted
• Code encrypted when downloaded
• Code deleted after decrypt/compile
• When running, worm regularly changed name and process identifier (PID)

Morris Worm: Bottom Line

• Shock to Internet community of 1988
  
  • Internet of 1988 much different than today
• Internet designed to withstand nuclear war
  • Internet designed to withstand nuclear war
  • Yet, brought down by one graduate student!
• At the time, Morris father worked at NSA...
• Could have been much worse
• Result? CERT, more security awareness
• But should have been a wakeup call

Code Red Worm

• Appeared in July 2001
• Infected more than 250,000 systems in about 15 hours
• Eventually infected 750,000 out of about 6,000,000 vulnerable systems
• Exploited buffer overflow in Microsoft IIS server software
  • Then monitored traffic on port 80, looking for other susceptible servers

Code Red: What it Did

• Day 1 to 19 of month: spread its infection
• Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov
• Later version (several variants)
  • Included trapdoor for remote access
  • Rebooted to flush worm, leaving only trapdoor
• Some say it was "beta test for info warfare"
  • But no evidence to support this

SQL Slammer

• Infected 75,000 systems in 10 minutes!
• At its peak, infections doubled every 8.5 seconds
• Spread "too fast"...

Why was Slammer Successful?

• Worm size: one 376-byte UDP packet
• Firewalls often let one packet through ...
• ...Then monitor ongoing "connections"
• Expectation was that much more data required for an attack...
• ... So no need to worry about 1 small packet
• Slammer defied "experts"

Trojan Horse Example

• Trojan: unexpected functionality
• Prototype trojan for the Mac
• File icon for freeMusic.mp3:
• For a real mp3, double click on icon
  • iTunes opens
  • Music in mp3 file plays
• But for freeMusic.mp3, unexpected results...

Mac Trojan

• Double click on freeMusic.mp3
  • iTunes opens (expected)
  • "Wild Laugh" (not expected)
  • Message box (not expected)
    

Trojan Example

• How does freeMusic.mp3 trojan work?
• This "mp3" is an application, not data
• This trojan is harmless, but...
• ...could have done anything user could do
  • Delete files, download files, launch apps, etc.

Quiz

Which of the following is true?

1. Kerberos makes use of public key cryptography.
2. A buffer stored as a local variable cannot cause a buffer overflow software flaw.
3. A race condition flaw might occur if a security process is not atomic.

Malware Detection

• Three common detection methods
  • Signature detection
  • Change detection
  • Anomaly detection
• We briefly discuss each of these
  • And consider advantages...
  • ...and disadvantages

Signature Detection

• A signature may be a string of bits in exe. Might also use wildcards, hash values, etc.
• For example, W32/Beast virus has signature
  83EB 0274 EB0E 740A 81EB 0301 0000
  That is, this string of bits appears in virus
• We can search for this signature in all files
• If string found, have we found W32/Beast?
  • Not necessarily -- string could appear elsewhere
  • At random, chance is only `1/2^(112)`
  • But software is not random

Signature Detection - Pros and Cons

• Advantages
  • Effective on "ordinary" malware
  • Minimal burden for users/administrators
• Disadvantages
  • Signature file can be large (10s of thousands)...
  • ...making scanning slow
  • Signature files must be kept up to date
  • Cannot detect unknown viruses
  • Cannot detect some advanced types of malware
• The most popular detection method

Change Detection

• Viruses must live somewhere
• If you detect a file has changed, it might have been infected
• How to detect changes?
  • Hash files and (securely) store hash values
  • Periodically re-compute hashes and compare
  • If hash changes, file might be infected

Change Detection - Pros and Cons

• Advantages
  • Virtually no false negatives
  • Can even detect previously unknown malware
• Disadvantages
  • Many files change -- and often
  • Many false alarms (false positives)
  • Heavy burden on users/administrators
  • If suspicious change detected, then what?
  • Might fall back on signature-based system

Anomaly Detection

• Monitor system for anything "unusual" or "virus-like" or potentially malicious or ...
• Examples of "unusual"
  • Files change in some unexpected way
  • System misbehaves in some way
  • Unexpected network activity
  • Unexpected file access, etc., etc., etc., etc.
• But, we must first define "normal"
  • Normal can (and must) change over time

Anomaly Detection -- Pros and Cons

• Advantages
  • Chance of detecting unknown malware
• Disadvantages
  • No proven track record
  • Trudy can make abnormal look normal (go slow)
  • Must be combined with another method (e.g., signature detection)
• Also popular in intrusion detection (IDS)
• Difficult unsolved (unsolvable?) problem

Future of Malware

• Recent trends
  • Encrypted, polymorphic, metamorphic malware
  • Fast replication/Warhol worms
  • Flash worms, slow worms
  • Botnets
• The future is bright for malware
  • Good news for the bad guys...
  • ...bad news for the good guys
• Future of malware detection?

Encrypted Viruses

• Virus writers know signature detection used
• So, how to evade signature detection?
• Encrypting the virus is a good approach
  • Ciphertext looks like random bits
  • Different key, then different "random" bits
  • So, different copies have no common signature
• Encryption often used in viruses today

How to detect encrypted viruses?

• Scan for the decryptor code
  • More-or-less standard signature detection
  • But may be more false alarms
• Why not encrypt the decryptor code?
  • Then encrypt the decryptor of the decryptor (and so on...)
• Encryption of limited value to virus writers

Polymorphic Malware

• Polymorphic worm
  • Body of worm is encrypted
  • Decryptor code is mutated (or morphed)
  • Trying to hide decryptor signature
  • Like an encrypted worm on steroids...
• Q: How to detect?
• A: Emulation -- let the code decrypt itself...
  ...Slow, and anti-emulation is possible

Metamorphic Malware

• A metamorphic worm mutates before infecting a new system...
  ...Sometimes called body polymorphic
• Such a worm can, in principle, evade signature-based detection
• Mutated worm must function the same
  • And be different enough to avoid detection
• Detection is a difficult research problem

Metamorphic Worm

• One approach to metamorphic replication...
  • The worm is disassembled
  • Worm then stripped to a base form
  • Random variations inserted into code (permute the code, insert dead code, etc., etc.)
  • Assemble the resulting code
• This results in a worm with same functionality as original, but different signature

Warhol Worm

• "In the future everybody will be world-famous for 15 minutes"-- Andy Warhol
• Warhol Worm is designed to infect the entire Internet in 15 minutes
• Slammer infected 250,000 in 10 minutes
  • "Burned out" bandwidth
  • Could not have infected entire Internet in 15 minutes -- too bandwidth intensive
• Can rapid worm do better than Slammer?

A Possible Warhol Worm

• Seed worm with an initial hit list containing a set of vulnerable IP addresses
  • Depends on the particular exploit
  • Tools exist for identifying vulnerable systems
• Each successful initial infection would attack selected part of IP address space
• Could infect entire Internet in 15 minutes!
• No worm this sophisticated has yet been seen in the wild (as of 2012)
  • Slammer generated random IP addresses

Flash Worm

• Can we do better than Warhol worm?
• Infect entire Internet in less than 15 minutes?
• Searching for vulnerable IP addresses is the slow part of any worm attack
• Searching might be bandwidth limited
  • Like Slammer
• Flash worm is designed to infect entire Internet almost instantly

Flash Worm

• Predetermine all vulnerable IP addresses
  • Depends on details of the attack
• Embed these addresses in worm(s)
  • Results in huge worm(s)
  • But, the worm replicates, it splits
• No wasted time or bandwidth!

Flash Worm

• Estimated that ideal flash worm could infect the entire Internet in 15 seconds!
  • Some debate as to actual time it would take
  • Estimates range from 2 seconds to 2 minutes
• In any case...
• ...much faster than humans could respond
• So, any defense must be fully automated
• How to defend against such attacks?

Rapid Malware Defenses

• Master IDS watches over network
  • "Infection proceeds" on part of network
  • Determines whether an attack or not
  • If so, IDS saves most of the network
  • If not, only a slight delay
• Beneficial worm
  • Disinfects faster than the worm infects
• Other approaches?

Botnet

• Botnet: a "network" of infected machines
• Infected machines are bots
  • Victim is unaware of infection (stealthy)
• Botmaster controls botnet
  • Generally, using IRC
  • P2P botnet architectures exist
• Botnets used for...
  • Spam, DoS attacks, keylogging, ID theft, etc.

Botnet Examples

• XtremBot
  • Similar bots: Agobot, Forbot, Phatbot
  • Highly modular, easily modified
  • Source code readily available (GPL license)
• UrXbot
  • Similar bots: SDBot, UrBot, Rbot
  • Less sophisticated than XtremBot type
• GT-Bots and mIRC-based bots
  • mIRC is common IRC client for Windows

More Botnet Examples

• Mariposa
  • Used to steal credit card info
  • Creator arrested in July 2010
• Conficker
  • Estimated 10M infected hosts (2009)
• Kraken
  • Largest as of 2008 (400,000 infections)
• Srizbi
  • For spam, one of largest as of 2008

SRE - Software Reverse Engineering

• Software Reverse Engineering
  • Also known as Reverse Code Engineering (RCE)
  • Or simply "reversing"
• Can be used for good...
  • Understand malware
  • Understand legacy code
• ...or not-so-good
  • Remove usage restrictions from software
  • Find and exploit flaws in software
  • Cheat at games, etc.

SRE

• We assume...
  • Reverse engineer is an attacker
  • Attacker only has exe (no source code)
  • Not bytecode (i.e., no Java, .Net)
• Attacker might want to
  • Understand the software
  • Modify (patch) the software
• SRE usually focused on Windows
  • So we focus on Windows

SRE Tools

• Disassembler
  • Converts exe to assembly (as best it can)
  • Cannot always disassemble 100% correctly
  • In general, it is not possible to re-assemble disassembly into working exe
• Debugger
  • Must step thru code to completely understand it
  • Labor intensive -- lack of useful tools
• Hex Editor
  • To patch (modify) exe file
• Process Monitor, VMware, etc.