viruses and worms - iis windows server
Post on 26-Feb-2023
CS 330 Malware
Administrivia
• Last CS Career Summit talk on Tuesday (7pm): Women in Computing panel (Extra credit!)
Recall: Viruses
• Piece of self-replicating code attached to some other code
  – cf. biological virus
• Both propagates itself within the target host & carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task
• But the virus itself must be transported via some other means
Recall: Simple Virus Structure (after Cohen)

    program V := {
      goto main;
      1234567;
      subroutine infect-executable := {
        loop (as long as there are executables):
          file := get-random-executable-file;
          if (second-line-of-file == 1234567) then continue
          else prepend V to file and stop;
      }
      subroutine do-damage := { whatever damage is to be done }
      subroutine trigger-pulled := { return true if some condition holds }
      main: main-program := {
        infect-executable;
        if trigger-pulled then do-damage;
        goto next;
      }
      next:
      rest of the legitimate program;
    }

• The literal 1234567 on V's second line is its infection marker: once V has been prepended to a file, that file's second line is 1234567, which is how infect-executable avoids infecting the same file twice (and which a scanner can look for)
Problem with this type of virus?
• It makes the executable file larger, making it easy to detect
• Solution: write a virus that compresses the host program so that the infected file is about the same size as the original (at run time the virus decompresses the host and passes control to it)
• Known as a "compression virus"
Types of Viruses
• Can classify viruses on the basis of how they attack
  – parasitic virus
  – memory-resident virus (aka TSR viruses)
  – boot sector virus
  – stealth virus
  – polymorphic virus
  – macro virus
Encrypted viruses
– One of the above types, but with the virus body encrypted to try to avoid anti-virus software; only a small decryption stub stays in the clear (so that stub is what signature scanners end up looking for)
– Very common these days
Macro Virus
• Macro code attached to some data file
• Interpreted by program using file
  – e.g. Word or Excel macros
  – esp. using the AutoExec/AutoOpen macros and macros that override built-in commands, which run without the user explicitly invoking them
• Code is now platform independent
  – well, kinda sorta. Still doesn't really affect Macs & it won't affect Linux systems either
Macro Virus
• Was a major source of new viral infections
  – but MS has plugged most holes in Word and Excel
  – the holes are now in the email programs & the internet servers
• Blurs the distinction between data and program files, making the task of detection much harder
• Classic trade-off: "ease of use" vs "security"
Email Virus
• Spread using email with attachment containing a macro virus
  – e.g., Melissa (1999); Nimda (2001) used email attachments as one of several vectors
• Triggered when user opens attachment
• Or worse: when mail is merely viewed, by using scripting features in the mail agent
Example…
• The Brain virus for IBM PCs is a boot sector virus
  – when the system boots from an infected disk the virus is in the boot sector and is loaded.
  – it copies the original disk interrupt vector (INT 13H) to an unused vector (INT 6DH) and points INT 13H at the virus (which is now resident in memory)
  – it then loads the real boot sector and continues the boot.
  – whenever the user accesses a floppy disk, INT 13H is invoked. The virus checks for a signature (1234H) at offset 4H of the disk's boot sector. If the signature is present the disk is already infected, so control is passed on via INT 6DH to the real handler and things proceed normally.
  – if the signature is NOT present, it overwrites the boot sector on the floppy with the one including the virus.
Worms
• Replicating but not (necessarily) infecting program
• Typically spreads over a network
  – e.g. Morris Internet Worm in 1988
  – led to creation of the CERT Coordination Center at CMU
• Using users' distributed privileges (trust relationships between hosts) or by exploiting system vulnerabilities
• Widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
• Major issue is lack of security of permanently connected systems, especially Windows PCs
  – no, really, you do have to apply those security patch updates!!!
Worm Operation
• Worm phases are like those of viruses:
  – dormant
  – triggering
  – propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  – execution
Morris Worm
• Best known classic worm
• Released by Robert Morris in 1988
• Targeted Unix systems (4.3BSD on VAX and SunOS on Sun-3 machines)
• Used several propagation techniques
  – simple password cracking of the local password file, then reusing those passwords on hosts listed in users' .rhosts and .forward files
  – exploited a buffer overflow in the finger daemon (fingerd)
  – exploited the DEBUG command trapdoor in the sendmail daemon
• If any attack succeeded, it replicated itself
  – and went looking for another system to infect
  – infected several thousand systems (commonly estimated at around 6,000, a sizeable fraction of the Internet of the day) in a matter of hours
Recent Worm Attacks
• New spate of attacks from mid-2001
• Code Red
  – exploited a buffer overflow in the Indexing Service ISAPI extension of Microsoft IIS (MS01-033) to penetrate & spread
  – probes random IPs for systems running IIS
  – had a trigger time for a denial-of-service attack
• Code Red v2 / Code Red II
  – a 2nd wave of the original worm (CRv2, with the fixed random-number seed of the first version corrected) infected about 359,000 servers in 14 hours
  – Code Red II, a different worm exploiting the same hole, had a backdoor installed to allow remote control
• Nimda
  – used multiple infection mechanisms
    • email, shares, web client, IIS, Code Red II backdoor
• MySQL Worm
Code Red II
• On August 4, 2001, a new worm, CodeRedII, began to exploit the same buffer-overflow vulnerability in Microsoft IIS web servers. Although the new worm's code is unrelated to the original Code-Red worm, it contained the string "CodeRedII", which became its name.
When a worm infects a new host, it first determines if the system has already been infected.
If not, the worm initiates its propagation mechanism, sets up a "backdoor" into the infected machine, becomes dormant for a day, and then reboots the machine.
Unlike Code-Red, CodeRedII is not memory resident, so rebooting an infected machine does not eliminate CodeRedII.
After rebooting the machine, the CodeRedII worm begins to spread.
If the host infected with CodeRedII has Chinese (Taiwanese) or Chinese (PRC) as the system language, it uses 600 threads to probe other machines. All other machines use 300 threads.
CodeRedII uses a more complex method of selecting hosts to probe than Code-Red. CodeRedII generates a random IP address and then applies a mask to produce the IP address to probe.
The length of the mask determines the similarity between the IP address of the infected machine and the probed machine.
1/8th of the time, CodeRedII probes a completely random IP address.
1/2 of the time, CodeRedII probes a machine in the same /8 (so if the infected machine had the IP address 10.9.8.7, the IP address probed would start with 10.), while 3/8ths of the time, it probes a machine on the same /16 (so the IP address probed would start with 10.9.).
Like Code-Red, CodeRedII avoids probing IP addresses in 224.0.0.0/8 (multicast) and 127.0.0.0/8 (loopback).
The bias towards the local /16 and /8 networks means that an infected machine may be more likely to probe a susceptible machine, based on the supposition that machines on a single network are more likely to be running the same software as machines on unrelated IP addresses.
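The address-selection scheme just described, as an added example (my code, not the lecture's or CAIDA's). It assumes only the 1/8 : 1/2 : 3/8 split and the multicast/loopback exclusions given above, and adds a small classifier of the kind a defender could run over a host's outbound TCP/80 probe destinations to see whether they show the same locality bias. The infected-host address and all generated targets are constructed.

```python
import ipaddress
import random
from collections import Counter

# Address ranges CodeRedII never probes (multicast and loopback), per the slide.
SKIP = (ipaddress.ip_network("224.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8"))


def choose_prefix_len(r: float) -> int:
    """Map a uniform draw r in [0, 1) to the prefix the probe keeps from the
    infected host's own address: /0 (fully random) 1/8 of the time, /8 half
    the time, /16 the remaining 3/8."""
    if r < 1 / 8:
        return 0
    if r < 1 / 8 + 1 / 2:
        return 8
    return 16


def next_probe_target(infected_ip: str, rng: random.Random) -> str:
    """Generate one probe address: a random 32-bit value, masked so that the
    top prefix_len bits are copied from the infected host's address."""
    local = int(ipaddress.IPv4Address(infected_ip))
    while True:
        prefix_len = choose_prefix_len(rng.random())
        keep = ((1 << prefix_len) - 1) << (32 - prefix_len)  # high bits to keep
        candidate = (local & keep) | (rng.getrandbits(32) & ~keep & 0xFFFFFFFF)
        addr = ipaddress.IPv4Address(candidate)
        if any(addr in net for net in SKIP):
            continue  # regenerate rather than probe multicast/loopback space
        return str(addr)


def sample_targets(infected_ip: str, n: int, seed: int = 1) -> list:
    """n probe targets from one infected host, with a seeded RNG for repeatability."""
    rng = random.Random(seed)
    return [next_probe_target(infected_ip, rng) for _ in range(n)]


def locality(infected_ip: str, target: str) -> str:
    """Classify a probe relative to the probing host: same /16, same /8, or other.
    This is the defender's view: a web server whose outbound SYNs to port 80
    fall into these buckets at roughly 3/8 : 1/2 : 1/8 is behaving like CodeRedII."""
    a = int(ipaddress.IPv4Address(infected_ip))
    b = int(ipaddress.IPv4Address(target))
    if a >> 16 == b >> 16:
        return "same /16"
    if a >> 24 == b >> 24:
        return "same /8"
    return "other"


def probe_mix(infected_ip: str, n: int, seed: int = 1) -> dict:
    """Fraction of n generated probes landing in each locality bucket."""
    counts = Counter(locality(infected_ip, t) for t in sample_targets(infected_ip, n, seed))
    return {bucket: count / n for bucket, count in counts.items()}


if __name__ == "__main__":
    # Constructed infected host from the slide's own example, 10.9.8.7.
    print(sample_targets("10.9.8.7", 5))
    print(probe_mix("10.9.8.7", 20000))
```

The measured mix comes out a little above 3/8 for the same /16 bucket, because a "random /8" or "random /0" draw occasionally lands in the local network by chance; that is exactly the effect the slide's "more likely to probe a susceptible machine" sentence is about.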
On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours.
At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute.
43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan.
The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%.
We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.
http://www.caida.org/analysis/security/code-red/newframes-small-log.mov
Defense against viruses and worms
• Attacks exploit lack of integrity control on systems
  – that is, they exploit known security holes that haven't been patched
• To defend against them, sysadmins need to add such controls
• Typically by one or more of:
  – prevention - block virus infection mechanism
  – detection - of viruses in infected system
  – reaction - restoring system to clean state
Prevention countermeasures
• Reducing and restricting process rights
  – sandboxing
  – instrument programs to trap if they violate security policies
• Restricting user's rights
• Of course, plug all those OS and program security holes
Anti-Virus Software
• First-generation
  – scanner uses virus signature to identify virus
  – or change in length of programs
• Second-generation
  – uses heuristic rules to spot viral infection
  – or uses program checksums to spot changes
• Third-generation
  – memory-resident programs identify virus by actions
• Fourth-generation
  – packages with a variety of antivirus techniques
  – eg scanning & activity traps, access-controls
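A worked example, added here and not part of the lecture, of the first- and second-generation checks above applied to the simple virus V from the earlier slide: a signature scan for V's 1234567 marker, a length check against a baseline, and a checksum check. The "executables" are constructed in-memory byte strings (plain text standing in for machine code), and simulate_infection is a stand-in that reproduces only V's marker line, not any virus code. The same-size case models the compression virus: the length check misses it, the checksum check does not.

```python
import hashlib
import zlib

# The marker the slide's virus V writes as the second line of every file it
# infects (V's "if second-line-of-file == 1234567 then continue" reads it back).
SIGNATURE = b"1234567"
# Stand-in for V's own code: only the marker line is reproduced here.
VIRUS_HEADER = b"goto main\n" + SIGNATURE + b"\n"


def simulate_infection(program: bytes, same_size: bool) -> bytes:
    """Constructed stand-in for 'prepend V to file'.

    same_size=False: plain prepend, the file grows (first-generation length check fires).
    same_size=True: the compression-virus case, the host is compressed and the
    result padded back to the original length so a length check sees nothing."""
    if not same_size:
        return VIRUS_HEADER + program
    body = VIRUS_HEADER + zlib.compress(program, 9)
    if len(body) > len(program):
        raise ValueError("program too incompressible for a same-size infection")
    return body.ljust(len(program), b"\0")


def has_signature(data: bytes) -> bool:
    """First-generation check: is V's marker on line 2 of the file?"""
    lines = data.split(b"\n", 2)
    return len(lines) >= 2 and lines[1] == SIGNATURE


def build_baseline(files: dict) -> dict:
    """Record length and SHA-256 of each trusted file (second-generation checksumming).
    The baseline must be taken from known-clean files and kept where the virus cannot edit it."""
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def scan(files: dict, baseline: dict) -> dict:
    """Return {name: [reasons]} for every file that trips at least one check."""
    findings = {}
    for name, data in files.items():
        reasons = []
        if has_signature(data):
            reasons.append("signature")
        old = baseline.get(name)
        if old is None:
            reasons.append("not in baseline")
        else:
            old_len, old_digest = old
            if len(data) != old_len:
                reasons.append("length changed")
            if hashlib.sha256(data).hexdigest() != old_digest:
                reasons.append("checksum changed")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample "executables"; repetitive text so the compression case fits.
CLEAN_FILES = {
    "ls": b"mov ax, 1\nint 21h\n" * 200,
    "cat": b"mov bx, 2\nint 21h\n" * 200,
}


def demo() -> dict:
    """Baseline the clean files, infect one plainly and one compression-style, scan."""
    baseline = build_baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    infected["ls"] = simulate_infection(CLEAN_FILES["ls"], same_size=False)
    infected["cat"] = simulate_infection(CLEAN_FILES["cat"], same_size=True)
    return scan(infected, baseline)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

Note what each check buys: the signature catches only this one virus (an encrypted or polymorphic variant would change line 2), the length check is defeated by the compression trick, and the checksum catches any modification at all but only for files that were clean when the baseline was taken.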
Advanced Anti-Virus Techniques
• Digital immune system (IBM)
  – general purpose emulation & virus detection
  – any virus entering org is captured, analyzed, detection/shielding created for it, removed
  – see http://www.research.ibm.com/antivirus/SciPapers.htm
Conficker worm
• First detected in November 2008
• Only affects Windows systems
• Exploits a defect in the Windows Server service (RPC) described in MS08-067 (see http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx ) - patch released Oct 23 2008
• Can also propagate through removable media and network shares
• Tries to guess administrator passwords for network shares on other Windows systems using a dictionary of common passwords
• Infected the French Navy, UK Ministry of Defence, German armed forces network, etc.; in total > 9M computers
Conficker worm
• Five variants found, A - E
• Starting with B, the worm can use removable media and network shares to propagate, and begins to defend itself against different strategies to eradicate it (blocking security-vendor sites and Windows Update)
• Starting with C it also fetches updates over a peer-to-peer protocol, not just from the rendezvous domains
• Uses several different methods to upload and deliver payloads (which makes it harder to eradicate)
• Payloads are encrypted and signed, to keep them secret and to stop anyone else hijacking the botnet
• Variant E is the first to install malicious payloads
  – the Waledac spambot
  – SpyProtect 2009, a scareware product
Conficker Responses
• MS offered a $250K reward for information
• ICANN and the registrars pre-register or sink-hole the domains the worm tries to use for updates
• All the third-party anti-virus vendors have released detection and removal tools
• Origin of Conficker is probably Ukraine
  – that's where the encrypted payloads came from
Stuxnet
• Discovered in July 2010
• Only infects Windows systems
  – but its ultimate target is Siemens Supervisory Control and Data Acquisition (SCADA) systems
• 60% of infected systems worldwide were in Iran
  – their nuclear fuel enrichment infrastructure
  – this number is disputed
• Infected > 50K systems by end of 2010.
Stuxnet - first govt sponsored virus (?)
• “The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.” (from Wikipedia)
• “Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; ‘The attackers took great care to make sure that only their designated targets were hit...It was a marksman’s job.’”
Stuxnet
• The worm looks for specific Siemens software on every system it reaches.
• If no such software is found, the PLC payload stays inert; the worm still tries to spread, but only to a limited number of further hosts
• It is set to stop spreading on June 24, 2012 (a "kill date")
• If it does find itself on a system with Siemens software it uses a man-in-the-middle technique to fake industrial control signals so the software doesn't get any abnormal behavior indications.
Stuxnet
• Worm uses a three-layered attack against different systems
  – Windows system
  – Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows, and
  – Siemens S7 PLCs
• Uses four different zero-day attacks against Windows
  – very unusual
• Propagates via flash drives (an LNK shortcut exploit), network services (MS08-067, the same hole as Conficker, plus the print spooler), and peer-to-peer RPC between infected hosts
• Unusually large worm - > 512K bytes
Stuxnet
• Under Windows has both user-mode and kernel rootkits available
• Uses stolen digital certificates (Realtek, later JMicron) to sign the device drivers it installs
• Once on a Windows system it infects Siemens SIMATIC WinCC/PCS 7 SCADA control software
• Subverts the STEP7 communications library s7otbxdx.dll by replacing it with its own wrapper
  – allows it to intercept and change communications between the PCS 7/STEP7 software and the PLC, and hides the modified PLC code from anyone reading it back
  – also uses a hard-coded password in the WinCC SQL database (not the PLC) to get into the project database
Stuxnet
• Siemens has released detection and removal software
• Also need to install the MS patches: MS08-067 (same as for Conficker), plus MS10-046 (LNK shortcut) and MS10-061 (print spooler) for the zero-days Stuxnet used to spread
• good analysis at http://www.schneier.com/blog/archives/2010/10/stuxnet.html
• So who wrote Stuxnet???
Flashback
• The Trojan targets a Java vulnerability on Mac OS X
• The system is infected after the user is redirected to a compromised or bogus site, where JavaScript code causes an applet containing an exploit to load
• An executable file is saved on the local machine, which is used to download and run malicious code from a remote location
Flashback
• The malware also switches between various servers for optimized load balancing
• Each bot is given a unique ID that is sent to the control server
• The trojan, however, only infects the account of the user who visited the infected web page; other users on the computer are not infected unless their accounts are infected separately. This is because the exploit gains only that user's privileges under the UNIX per-user permission model
• Patched by Apple (twice) in April 2012
Flashback
• CVE-2012-0507
• Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency.
• NOTE: the previous information was obtained from the February 2012 Oracle CPU.
• Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions.
Flashback
• See http://www.securityfocus.com/bid/52161/info
• and http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml