CS 330 Malware: Viruses and worms (slides from Prof. Dooley)

Lecture for 5/18/20


Administrivia

• Last CS Career Summit talk on Tuesday (7pm): Women in Computing panel (Extra credit!)


Recall: Classification of Malicious Software


[Classification diagram not reproduced in the transcript]

however, the definitions all overlap


Recall: Viruses

• Piece of self-replicating code attached to some other code
  – cf. biological virus

• Both propagates itself within the target host & carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task

• But the virus itself must be transported via some other means


Recall: Simple Virus Structure

  program V := {
    goto main;
    1234567;
    subroutine infect-executable := {
      loop (as long as there are executables):
        file := get-random-executable-file;
        if (second-line-of-file == 1234567) then continue
        else prepend V to file and stop;
    }
    subroutine do-damage := { whatever damage is to be done }
    subroutine trigger-pulled := { return true if some condition holds }
    main: main-program := {
      infect-executable;
      if trigger-pulled then do-damage;
      goto next;
    }
    next: rest of the legitimate program;
  }


Infector structures

[Diagram of infector structures not reproduced in the transcript]



Problem with this type of virus?

• It makes the executable file larger, making it easy to detect

• Solution: write a virus that compresses the new executable so it’s the same size as the old

• Known as a “compression virus”


Types of Viruses

• Can classify viruses on the basis of how they attack
  – parasitic virus
  – memory-resident virus (aka TSR viruses)
  – boot sector virus
  – stealth virus
  – polymorphic virus
  – macro virus


Encrypted viruses

– One of the above types, but with the code encrypted to try to avoid anti-virus software

– Very common these days


Macro Virus

• Macro code attached to some data file

• Interpreted by program using file
  – e.g. Word or Excel macros
  – esp. using autoexec, auto command & command macros

• Code is now platform independent
  – well, kinda sorta. Still doesn’t really affect Macs & it won’t affect Linux systems either


Macro Virus

• Was a major source of new viral infections
  – but MS has plugged most holes in Word and Excel
  – the holes are now in the email programs & the internet servers

• Blurs the distinction between data and program files, making the task of detection much harder

• Classic trade-off: "ease of use" vs "security"


Email Virus

• Spread using email with attachment containing a macro virus
  – e.g., Melissa, Nimda, etc.

• Triggered when user opens attachment

• Or worse: when mail viewed by using scripting features in mail agent


Example…

• The Brain virus for IBM PCs is a boot sector virus
  – when the system boots from an infected disk the virus is in the boot sector and is loaded.
  – it moves the disk interrupt vector (at location 13H) to a different interrupt vector (at 6dH) and sets the interrupt vector to invoke the Brain virus (which is now in memory)
  – it then loads the real boot sector and continues the boot.
  – whenever the user inserts a new floppy disk the interrupt at location 13H is invoked. The virus checks for a signature (1234H) at location 4H. If the signature is present, control is transferred to location 6dH and things proceed normally.
  – if the signature is NOT present, it overwrites the boot sector on the floppy with the one including the virus.


Worms

• Replicating but not (necessarily) infecting program

• Typically spreads over a network
  – e.g. Morris Internet Worm in 1988
  – led to creation of CERT at CMU

• Using users’ distributed privileges or by exploiting system vulnerabilities

• Widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS

• Major issue is lack of security of permanently connected systems, especially Windows PC's
  – no, really, you do have to apply those security patch updates!!!


Worm Operation

• Worm phases are like those of viruses:
  – dormant
  – triggering
  – propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  – execution


Morris Worm

• Best known classic worm

• Released by Robert Morris in 1988

• Targeted Unix (BSD and Solaris) systems

• Used several propagation techniques
  – simple password cracking of local password file
  – exploited a bug in the finger daemon (fingerd)
  – exploited a debug trapdoor in the sendmail daemon

• If any attack succeeded, it replicated itself
  – and went looking for another system to infect
  – infected over 4,000 systems in a matter of hours


Recent Worm Attacks

• New spate of attacks from mid-2001

• Code Red
  – exploited bug in Microsoft IIS to penetrate & spread
  – probes random IPs for systems running IIS
  – had a trigger time for a denial-of-service attack

• Code Red 2
  – 2nd wave infected 360,000 servers in 14 hours
  – had backdoor installed to allow remote control

• Nimda
  – used multiple infection mechanisms
    • email, shares, web client, IIS, Code Red 2 backdoor

• MySQL Worm


Code Red II

• On August 4, 2001, a new worm, CodeRed II began to exploit a buffer-overflow vulnerability in Microsoft's IIS webservers. Although the new worm is completely unrelated to the original Code-Red worm, the source code of the worm contained the string "CodeRedII" which became the name of the new worm.


When a worm infects a new host, it first determines if the system has already been infected.

If not, the worm initiates its propagation mechanism, sets up a "backdoor" into the infected machine, becomes dormant for a day, and then reboots the machine.

Unlike Code-Red, CodeRedII is not memory resident, so rebooting an infected machine does not eliminate CodeRedII.

After rebooting the machine, the CodeRedII worm begins to spread.

If the host infected with CodeRedII has Chinese (Taiwanese) or Chinese (PRC) as the system language, it uses 600 threads to probe other machines. All other machines use 300 threads.

CodeRedII uses a more complex method of selecting hosts to probe than Code-Red. CodeRedII generates a random IP address and then applies a mask to produce the IP address to probe.


The length of the mask determines the similarity between the IP address of the infected machine and the probed machine.

1/8th of the time, CodeRedII probes a completely random IP address.

1/2 of the time, CodeRedII probes a machine in the same /8 (so if the infected machine had the IP address 10.9.8.7, the IP address probed would start with 10.), while 3/8ths of the time, it probes a machine on the same /16 (so the IP address probed would start with 10.9.).

Like Code-Red, CodeRedII avoids probing IP addresses in 224.0.0.0/8 (multicast) and 127.0.0.0/8 (loopback).

The bias towards the local /16 and /8 networks means that an infected machine may be more likely to probe a susceptible machine, based on the supposition that machines on a single network are more likely to be running the same software as machines on unrelated IP addresses.


On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours.

At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute.

43% of all infected hosts were in the United States, while 11% originated in Korea followed by 5% in China and 4% in Taiwan.

The .NET Top Level Domain (TLD) accounted for 19% of all compromised machines, followed by .COM with 14% and .EDU with 2%.

We also observed 136 (0.04%) .MIL and 213 (0.05%) .GOV hosts infected by the worm.

http://www.caida.org/analysis/security/code-red/newframes-small-log.mov


Defense against viruses and worms

• Attacks exploit lack of integrity control on systems
  – that is, they exploit known security holes that haven’t been patched

• To defend against them, sysadmins need to add such controls

• Typically by one or more of:
  – prevention - block virus infection mechanism
  – detection - of viruses in infected system
  – reaction - restoring system to clean state


Prevention countermeasures

• Reducing and restricting process rights
  – sandboxing
  – instrument programs to trap if they violate security policies

• Restricting user’s rights

• Of course, plug all those OS and program security holes


Anti-Virus Software

• First-generation
  – scanner uses virus signature to identify virus
  – or change in length of programs

• Second-generation
  – uses heuristic rules to spot viral infection
  – or uses program checksums to spot changes

• Third-generation
  – memory-resident programs identify virus by actions

• Fourth-generation
  – packages with a variety of antivirus techniques
  – eg scanning & activity traps, access-controls
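As an added example (not from the slides), the following Python script contrasts the first-generation checks above (length change, signature scan) with a second-generation checksum over constructed sample files, including the compression-virus case from earlier in the lecture where the infected file keeps its original size. The file contents, the two simulated modifications and the SIGNATURE value (the 1234567 marker from the pseudo-virus) are assumptions for illustration only.

```python
import hashlib

# Constructed sample "executables" (name -> bytes); these are not real programs.
CLEAN_FILES = {
    "editor.exe": b"MZ" + b"\x00" * 32 + b"editor code",
    "report.exe": b"MZ" + b"\x00" * 32 + b"report code",
}
# Infection marker borrowed from the lecture's pseudo-virus (assumed value),
# used here as the byte pattern a first-generation signature scanner looks for.
SIGNATURE = b"1234567"

def take_baseline(files):
    """Record length (first-generation check) and SHA-256 (second-generation checksum) per file."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}

def flag_by_length(base, files):
    """First-generation: report files whose size differs from the baseline."""
    return sorted(n for n, d in files.items() if len(d) != base[n][0])

def flag_by_checksum(base, files):
    """Second-generation: report files whose checksum differs from the baseline."""
    return sorted(n for n, d in files.items() if hashlib.sha256(d).hexdigest() != base[n][1])

def flag_by_signature(files, sig=SIGNATURE):
    """First-generation: report files containing the known marker bytes."""
    return sorted(n for n, d in files.items() if sig in d)

# --- simulated modifications (plain byte manipulation of the constructed samples) ---
def simulate_prepend(data):
    """Prepending infector: the file grows by the size of the inserted code."""
    return SIGNATURE + b"\n" + data

def simulate_same_size(data):
    """Compression-virus style: host bytes are overwritten in place, so the length is unchanged."""
    return data[:2] + SIGNATURE + data[2 + len(SIGNATURE):]

def run_scenarios():
    """Return (length hits, checksum hits, signature hits) for each scenario."""
    base = take_baseline(CLEAN_FILES)
    grown = {**CLEAN_FILES, "editor.exe": simulate_prepend(CLEAN_FILES["editor.exe"])}
    same = {**CLEAN_FILES, "report.exe": simulate_same_size(CLEAN_FILES["report.exe"])}
    return {
        "prepend": (flag_by_length(base, grown), flag_by_checksum(base, grown), flag_by_signature(grown)),
        "same_size": (flag_by_length(base, same), flag_by_checksum(base, same), flag_by_signature(same)),
    }

if __name__ == "__main__":
    for name, (by_len, by_sum, by_sig) in run_scenarios().items():
        print(f"{name}: length->{by_len} checksum->{by_sum} signature->{by_sig}")
```

The same-size scenario is the one the length check misses while the checksum still catches it; a changed marker would likewise defeat the signature scan but not the checksum.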


Advanced Anti-Virus Techniques

• Digital immune system (IBM)
  – general purpose emulation & virus detection
  – any virus entering org is captured, analyzed, detection/shielding created for it, removed
  – see http://www.research.ibm.com/antivirus/SciPapers.htm


More Examples...


Conficker worm

• First detected in November 2008

• Only affects Windows systems

• Exploits a defect in a Windows network service (see http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx ) - released Oct 23 2008.

• Can also propagate through removable media and network shares

• Tries to decrypt administrator passwords on the Windows system using dictionary attacks

• Infected French Navy, UK Dept of Defence, German armed forces network, etc. in total > 9M computers


Conficker worm

• Five variants found A - E

• Starting with B, the virus begins to defend itself against different strategies to eradicate it

• Starting with C can use removable media and network shares to propagate

• Uses several different methods to upload and deliver payloads (which makes it harder to eradicate)

• Payloads are encrypted to keep them secret

• Variant E is the first to install malicious payloads
  – the Waledac spambot
  – SpyProtect 2009 a scareware product


Conficker Responses

• MS offered a $250K reward for information

• ICANN shuts down domains the virus tries to use

• All the third-party anti-virus vendors have released detection and removal patches

• Origin of Conficker is probably the Ukraine
  – that’s where the encrypted payloads came from


Stuxnet

• Discovered in July 2010

• Only infects Windows systems
  – but its ultimate target is Siemens Supervisory Control and Data Acquisition systems (SCADA)

• 60% of infected systems worldwide were in Iran
  – their nuclear fuel enrichment infrastructure
  – this number is disputed

• Infected > 50K systems by end of 2010.


Stuxnet - first govt sponsored virus (?)

• “The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.” (from Wikipedia)


• “Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; ‘The attackers took great care to make sure that only their designated targets were hit...It was a marksman’s job.’”


Stuxnet

• The worm looks for specific Siemens software on all target systems.

• If no such software is found, it goes inert and never tries to replicate itself again

• It is set to erase itself on June 24, 2012 (a “kill date”)

• If it does find itself on a system with Siemens software it uses a man-in-the-middle technique to fake industrial control signals so the software doesn’t get any abnormal behavior indications.


Stuxnet

• Worm uses a three-layered attack against different systems
  – Windows system
  – Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
  – Siemens S7 PLCs

• Uses four different zero-day attacks against Windows
  – very unusual

• Propagates via flash drives, network services (same one as Conficker), and peer-to-peer RPC

• Unusually large worm - > 512K bytes


Stuxnet

• Under Windows has both user-mode and kernel rootkits available

• Uses stolen digital certificates to install device drivers

• Once on a Windows system it infects Siemens SIMATIC WinCC/PCS 7 SCADA control software

• Subverts a WinCC communications library s7otbxdx.dll
  – allows it to intercept and change communications between the PCS 7 software and the industrial control device.
  – uses a zero-day exploit on the PLC device in the form of a hardcoded database password.


Stuxnet

• Siemens has released detection and removal software patch

• Also need to install the MS patch MS08-067 (same as for Conficker)

• good analysis at http://www.schneier.com/blog/archives/2010/10/stuxnet.html

• So who wrote Stuxnet???


Flashback

• The Trojan targets a Java vulnerability on Mac OS X

• The system is infected after the user is redirected to a compromised bogus site, where JavaScript code causes an applet containing an exploit to load

• An executable file is saved on the local machine, which is used to download and run malicious code from a remote location


Flashback

• The malware also switches between various servers for optimized load balancing

• Each bot is given a unique ID that is sent to the control server

• The trojan, however, will only infect the user visiting the infected web page, meaning other users on the computer are not infected unless their user accounts have been infected separately. This is due to the UNIX security system

• Patched by Apple (twice) in April 2012


Flashback

• CVE-2012-0507

• Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency.

• NOTE: the previous information was obtained from the February 2012 Oracle CPU.

• Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions.


Flashback

• See http://www.securityfocus.com/bid/52161/info

• and http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
