malicious software (long version) nicolas t. courtois - university college london
TRANSCRIPT
CompSec Malware
Nicolas T. Courtois, December 20093
Technology FailuresSecurity as an afterthought.• Programming developed with absence of
security. • C/C++ is unsafe (Microsoft is currently blacklisting big chunks of standard C, could have
happened 10 years ago).
• Security/cryptography research developed with obsession with security. Both never met.
• Windows developed first, – networking developed later…
• Structural defects in the OS design – lack of multi-layer defense strategy [Unix not
better]
CompSec Malware
Nicolas T. Courtois, December 20094
+ Failures In Operation• Over-privileged users
– Windows 98: all users can modify system files and system memory
– Unix – over-powerful root, >21 critical capabilities in one entity
• Over-privileged code– code executed by a user to access all rights of that user– Windows Vista: worse than that: built-in privilege escalation:
• if name contains setup, will run with many admin-level capabilities
CompSec Malware
Nicolas T. Courtois, December 20095
Human Cognitive Failures• Mystified:
– security issues are probably always exaggerated and distorted, one way or another (downplayed OR exaggerated, Ross Anderson: “hypertrophy” of security
– Also a huge demand, but both don’t meet to frequently).
• Lack of people that would defend the public interest+ corruption of the scientific establishment by + corruption of the scientific establishment by
special interestsspecial interests……
CompSec Malware
Nicolas T. Courtois, December 20096
Market Failures
• Economics/Business: – many things just don’t matter at all!– customers do not see => do not care about
security• “market for lemons”
– externalities, cost shifting• losses affect many “small” people that don’t react…
– people will not even switch to another software… – unable to defend themselves– 1 billion x very small loss
• usability: user burden, businesses don’t care
CompSec Malware
Nicolas T. Courtois, December 20097
**Why So Bad?
“[…] Why do so many vulnerabilities exist in the first place?[…]”
Cf. Ross Anderson, Tyler Moore et al:
1. “The Economics of Information Security”In Science, October 2006.
2. “Security Economics and the Internal Market”: public report for ENISA (European Network and Information Security Agency), March 2008.
CompSec Malware
Nicolas T. Courtois, December 20098
***Why Commercial Security Fails?
Claim: the link between “money” and security is frequently broken today: – Security is a public good. • “private” incentives are weak.
– Worse than “market for lemons”:• not only that the customer cannot see the
difference between good security and bad.
– Frequently the manufacturer cannot either.
Too frequently security remains something that money cannot buy.
CompSec Malware
Nicolas T. Courtois, December 20099
**Questions:Schneier: http://www.schneier.com/essay-005.html“History has taught us: never underestimate the amount of money, time, and effort someone
will expend to thwart a security system.
No valid economical argument…. Social phenomenon [hacking].
Courtois: Why is it so that today:• 90 % of energy nowadays goes into hacking.• 10 % to research and development of secure products…Don’t believe it? • Check out: hacking the iPhone, Microsoft XBOX, etc etc…
• people work for free, • governments or private employers sponsor them willingly or
unwillingly,• press presents hackers as heroes• etc…
CompSec Malware
Nicolas T. Courtois, December 200910
Explosion of Known Vulnerabilities
What about the unknown ones?
0
1000
2000
3000
4000
5000
6000
1995 1997 1999 2001 2003 2005
http://www.cert.org/stats/
CompSec Malware
Nicolas T. Courtois, December 200912
Vectors of Infection
infects a host program
infects a host program
independent executable code
independent executable code
MaliciousCode
MaliciousCode
masquerades as a “Normal” Program
masquerades as a “Normal” Program
embedded in a host program
embedded in a host program Kernel-levelKernel-level
infects OS Bootinfects OS Boot
CompSec Malware
Nicolas T. Courtois, December 200913
Software-Borne Threats
infects a host program
infects a host program
independent executable code
independent executable code
MaliciousCode
MaliciousCode
masquerades as a “Normal” Program
masquerades as a “Normal” Program
embedded in a host program
embedded in a host program Kernel-levelKernel-level
infects OS Bootinfects OS Boot
Trapdoors / Backdoors
Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan HorsesVirusesViruses WormsWorms ZombiesZombies
main function: replicating itself
RootkitsRootkits
CompSec Malware
Nicolas T. Courtois, December 200914
Infection + Payload
infects a host program
infects a host program
independent executable code
independent executable code
MaliciousCode
MaliciousCode
masquerades as a “Normal” Program
masquerades as a “Normal” Program
embedded in a host program
embedded in a host program Kernel-levelKernel-level
infects OS Bootinfects OS Boot
Trapdoors / Backdoors
Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan HorsesVirusesViruses WormsWorms ZombiesZombies
main function: replicating itself
RootkitsRootkits
Stealing dataStealing dataHarmfulHarmful
payload functionality:download /install
more malware
download /install more malwareKey LoggersKey Loggers DDOS/ BotsDDOS/ Bots DialersDialers CPU cyclesCPU cycles
CompSec Malware
Nicolas T. Courtois, December 200915
Also, May Be Not Intentional?
Trapdoors / Backdoors
Trapdoors / Backdoors Logic BombsLogic Bombs Trojan HorsesTrojan Horses
infects a host program
infects a host program
VirusesViruses WormsWorms ZombiesZombies
independent unwanted exe
independent unwanted exe
MaliciousCode
MaliciousCode
main function: replicating itself
RootkitsRootkits
masquerades as a “Normal” Program
masquerades as a “Normal” Program
embedded in a host program
embedded in a host program
Exploitable Features / Bugs
Exploitable Features / Bugs
Kernel-levelKernel-level
infects OS Bootinfects OS Boot
aside: not intentional = malicious exploit / code injected later
but: how do you know if not intentional?
payload functionality:
Stealing dataStealing dataHarmfulHarmful download /install more malware
download /install more malwareKey LoggersKey Loggers DDOS/ BotsDDOS/ Bots DialersDialers CPU cyclesCPU cycles
CompSec Malware
Nicolas T. Courtois, December 200916
More “Grayware” = Dual-Use Code
with some legitimacy
DubiousAnti-virus
DubiousAnti-virus
TrackwareTrackware
infects a host program
infects a host program
AdwareAdwareFalse
AcceleratorsGames for Children
False AcceleratorsGames for Children
Browser Hijackers
Browser Hijackers
independent unwanted exe
independent unwanted exe
MaliciousCode
MaliciousCode
DRM RootkitsDRM Rootkits
masquerades as a “Normal” Program
masquerades as a “Normal” Program
embedded in a host program
embedded in a host program
Exploitable Features / Bugs
Exploitable Features / Bugs
Kernel-levelKernel-level
infects OS Bootinfects OS Boot
intentional or not, very dangerous!
False Worm Removal tools
False Worm Removal tools
SpywareSpyware
DubiousFirewalls
DubiousFirewalls
Code Updates
Code Updates
Dubious Multi-Boot
Dubious Multi-Boot
Remote AccessServers
Remote AccessServers
Joke programs
Joke programs
IrritatingBehaviour
IrritatingBehaviour
Registry Scanners
Registry Scanners
CompSec Malware
Nicolas T. Courtois, December 200917
Crimeware
Malware vs. Crimeware:
1. same infection methods, 2. different goals,
more specific forms of payload, automation of crime, malware as illegal business venture:
Example: Keyloggers and Spyware but tailored for stealing passwords
and credit card numbers
CompSec Malware
Nicolas T. Courtois, December 200918
****Cryptography: Disruptive Technology for ****Cryptography: Disruptive Technology for CrimeCrime
Example: – Extortion: encrypt data, ask for $$$.
– Impossible without public key cryptography…• which is VERY difficult to make…
as difficult as going to the moon, >30 years of research, 100s of researchers…
CompSec Malware
Nicolas T. Courtois, December 200920
Hidden Mechanisms Embedded in Original Software
CompSec Malware
Nicolas T. Courtois, December 200921
Trapdoor, BackdoorHidden function that can be used to circumvent
normal security. A hidden entry point into a system.– also, can be a hidden feature leaking some data…
(backdoor).
• Examples:– Special user id or special password
– Special instruction / option / keyboard sequence
– Etc…
• Commonly used by developers• “insecurity by obscurity”
• hard to distinguish legitimate reasons (testing, debugging, circumventing some bug, jokes and Easter Eggs) from intentional security compromise
• beware: can be included in a compiler as well… – source code will not help then…
– Rice Theorem : source code will not always help…
this way
CompSec Malware
Nicolas T. Courtois, December 200922
Electronic SubversionPrograms can conceal an intentional subversive functionality:
– a bug, backdoor, covert channel
Mitigation measures [Schneier-Shostack’99]: • fewer security perimeter splits:
– there is and optimal number, splits impair operation and will be circumvented, too many points of failure…
• more transparency. – but secrecy is here to stay.
• 100 % open source == utopia and a fallacy.
The hidden powers of crypto developers are particularly dangerous: • large scale compromise and undetected for years• impossibility to prove intentionality: perfect crime• sometimes impossibility to prove fraud, no forensic traces whatsoever
if one updates a simple component remotely…
CompSec Malware
Nicolas T. Courtois, December 200923
Application Development ManagementGoals:• Avoid backdoors, Trojans, covert channels, bugs
etc.• Kleptography: techniques to leak keys to the
attacker,
• form of perfect crime.
There are various forms of leaking keys:• intentionality impossible to prove• intentionality provable
ONLY with source code
CompSec Malware
Nicolas T. Courtois, December 200924
Logic Bomb
• A malicious feature that will be activated when certain conditions are met
• e.g., presence/absence of some file; • particular date/time • particular user
• when triggered, typically will do some harm– modify/corrupt/delete files/OS, etc.
CompSec Malware
Nicolas T. Courtois, December 200925
Trojan Horse
• Program has an overt (expected) and covert (malicious and unexpected) effect such that– works / appears to be a normal program,– covert effect violates the given security policy
• User is tricked into executing a Trojan– does the usual (overt) job– covert effect is performed with user’s
rights/authorization level.
CompSec Malware
Nicolas T. Courtois, December 200927
VirusesIn biology, a virus is a piece of
DNA/RNA+some proteins.• once present in the cell, it will
force the cell to produce copies of itself.– not a living creature, cannot
survive alone.– antibiotics have no effect on antibiotics have no effect on
virusesviruses
Computer Virus: term coined in 1984 by prof. Leonard Adleman
(A from RSA).
CompSec Malware
Nicolas T. Courtois, December 200928
Viruses – Main types1. Add-On Virus = Appending Virus2. Shell Virus (nothing to do with Unix shell)3. Intrusive Virus
=> most viruses
CompSec Malware
Nicolas T. Courtois, December 200929
Common Features of Viruses• no overt action
• tries to remain totally invisible
• self-replicates• potentially unlimited spread• can have some predefined
strategy and predefined targets
CompSec Malware
Nicolas T. Courtois, December 200930
PayloadPayload: frequently a virus
performs additional malicious actions
• except “zero payload” viruses
• just harmful actions• execute / download
additional code
CompSec Malware
Nicolas T. Courtois, December 200931
Virus Life Cycle Elements• Dormant phase: idle• Propagation phase• Triggering phase: the virus is
activated to:• Execution phase: perform the
payload functions
CompSec Malware
Nicolas T. Courtois, December 200932
Add-On Virus = Appending Virus• attaches itself to (any)
other exe program (host program)– typically 200-4000 bytes
• operates when infected exe file is executed
CompSec Malware
Nicolas T. Courtois, December 200933
Shell Virusambiguous misleading name: • little to do with Unix shell• “wrapping around” a given
program or system call• the original program can be
even copied and stored elsewhere = Companion Virus
• example: p.com and p.exe
• the infected program becomes a subroutine of the virus code
• controls, hijacks and isolates the given program/routine completely
CompSec Malware
Nicolas T. Courtois, December 200934
Intrusive VirusDoes not append,
rather modifies the program itself and changes the functionality of this program.
Cannot be removed if we don’t have the original copy…
CompSec Malware
Nicolas T. Courtois, December 200935
Viruses by Medium of Infection• Exe file infectors• Boot infectors
• hard drive boothard drive boot• master boot record (MBR)master boot record (MBR)• OS loader hijackOS loader hijack
• CDROM autorun hijackersCDROM autorun hijackers• USB stick autorun hijackersUSB stick autorun hijackers
• Half way before system starts: Half way before system starts: • OS libraries hijack (e.g. some dll loaded early)OS libraries hijack (e.g. some dll loaded early)• driver hijackersdriver hijackers
• Data file infectors• Macro VirusesMacro Viruses• format string exploits (not called viruses)format string exploits (not called viruses)
=> most viruses
CompSec Malware
Nicolas T. Courtois, December 200936
Viruses by Medium of Infection• Exe file infectors• Boot infectors
• hard drive boot• master boot record (MBR), OS indep• OS loader hijack, 1 partition
• CDROM autorun hijackers• USB stick autorun hijackers
• Half way before system starts: • OS libraries hijack (e.g. some dll loaded early)• driver hijackers
• Data file infectors• Macro Viruses• format string exploits (not called viruses)
load before any anti-virus software
CompSec Malware
Nicolas T. Courtois, December 200937
Additional Infection Mechanisms
• Terminate and Stay Resident = TSR– since MS-DOS..– stays active in memory after application
exits– can then infect other targets, for example
•can trap OS calls that execute any program…
CompSec Malware
Nicolas T. Courtois, December 200938
Virus Defenses
More about this later.
Oldest methods:• Black-list:
– signature-based detection.• Track changes to executables:
– Tripwire, hash functions, MACs etc…
CompSec Malware
Nicolas T. Courtois, December 200939
Virus Self-Defense
“Stealth” Viruses – avoid detection• conceal code:
– Pack/compress/encrypt virus– Polymorphism
• constantly change virus code • conceal actions
• mimicry: imitate other programs• associated rootkit prevents detection• watchdog program• disable or disturb anti-virus software• remove itself after job done, such as creating 2
copies elsewhere
CompSec Malware
Nicolas T. Courtois, December 200940
Macro Viruses
• infected a data file (e.g. word)– relies on macros interpreted by some
application• application-dependent• can be OS-independent
– Example: Microsoft Word: MAC and Windows
CompSec Malware
Nicolas T. Courtois, December 200941
Independent / “More Sophisticated Forms of Life”
CompSec Malware
Nicolas T. Courtois, December 200942
*Bacteria
Bacteria: simple functionality, program that replicates until it fills all disk space, all memory, all CPU cycles
CompSec Malware
Nicolas T. Courtois, December 200943
Worms
• introduced by Shoch and Hupp in 1982.• runs independently,
– no host program– infects a host machine– propagates in a network
• a fully working version of itself copied to another host machine
• spreads totally without human intervention virus
CompSec Malware
Nicolas T. Courtois, December 200944
more wormsA worm has two main components:• an exploit
– usually exploits web servers • or other exposed “DMZ-style” components
• a “payload” of hidden tasks– backdoors, spam relays, DDoS agents, etc.
Life cycle phases:probing exploitation replication running the payload
CompSec Malware
Nicolas T. Courtois, December 200945
Zombie Network = Botnet
• Secretly takes over another networked computer by exploiting software flaws
• Connect the compromised computers into a zombie network or botnet = – a collection of compromised machines
• running programs such as worms, Trojan horses, or backdoors,
• under a common command and control infrastructure.
• Uses it to indirectly launch attacks– e.g., spamming, phishing , DDoS, password cracking
etc.
• very frequently sold or rented, – about 0.05 $ / host / week
CompSec Malware
Nicolas T. Courtois, December 200946
Rootkits
• Software used after system compromise to:– Hide the attacker’s presence– Provide backdoors for easy reentry
• Simple rootkits:– Modify user programs (ls, ps)– Modify a compiler – Detectable by tools like Tripwire (stores hashes of files).
• Sophisticated rootkits:
– Modify the kernel itself– Hard to detect from userland
CompSec Malware
Nicolas T. Courtois, December 200947
Rootkit Classification (1)
Traditional RootKit
Kernel
Trojan
login
Trojan
ps
Trojan
ifconfig
good
tripwire
Application-level Rootkit
Kernel
Evil Program
good
program
good
program
good
program
good
program
Hxdef, NTIllusion Lrk5, t0rn
Tripwire: detected! - maybe not detected
CompSec Malware
Nicolas T. Courtois, December 200948
Rootkit Classification (2)
Under-Kernel RootKit
Kernel
good
login
good
ps
good
ifconfig
good
tripwire
Evil VMM
SubVirt, ``Blue Pill’’
Kernel-level RootKit
Kernel
good
login
good
ps
good
ifconfig
good
tripwire
Trojan
Kernel Module
Shadow Walker, adore
CompSec Malware
Nicolas T. Courtois, December 200951
Another Study
PCs infected [source: Trend Micro]
CompSec Malware
Nicolas T. Courtois, December 200952
According to experts:
• Today’s malware is designed to remain undetected for months.– do not get famous, get rich!– zero-day malware
CompSec Malware
Nicolas T. Courtois, December 200953
Our Focus
In CompSec1 we spend more time on worms than any other malware? Why?
• Viruses and Trojans require some human actions, such as sharing a USB stick, clicking on web sites, opening ;doc email attachments etc. – spread is slow.
• Worms don’t require human presence.– Spread is MUCH faster
Moreover worms do hack/break into computers, viruses and Trojans they use legitimate access channels and just abuse these privileges.
CompSec Malware
Nicolas T. Courtois, December 200955
Morris Worm (first major network attack)
• Released November 1988– spreading on Digital and Sun workstations – exploited several Unix security vulnerabilities
• Consequences– no immediate damage– replication
• load on network, • load on CPUs
– many systems were shut down • fearing damage (only later people found it was not
harmful)
CompSec Malware
Nicolas T. Courtois, December 200956
***Morris - Author
Robert T. Morris, released it November 1988
• His father, another Robert Morris was – a cryptologist and code-breaker (broke codes for the FBI), – worked for the NSA “National Computer Security Center”, – wrote a book about UNIX Operating System Security (1984).
CompSec Malware
Nicolas T. Courtois, December 200957
Morris Worm– program to spread worm
• looks for other machines that could be infected, several methods used: 'netstat -r -n‘, /etc/hosts,
• when worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts
– vector program (99 lines of C) • re-compiled and run on the infected machines
CompSec Malware
Nicolas T. Courtois, December 200958
Three ways the worm spread
• Sendmail– exploited debug option in sendmail to allow
shell access
• Fingerd– exploited a buffer overflow in the fgets
function
• Remote shell– reading list of trusted hosts known to local OS– password cracking
CompSec Malware
Nicolas T. Courtois, December 200959
*sendmail• Worm used debug feature
– opens TCP connection to machine's SMTP port
– invokes debug mode– sends a RCPT TO that pipes data through
shell– shell script retrieves worm main program
• places 40-line C program in temporary file called x$$,l1.c where $$ is current process ID
• compiles and executes this program• opens socket to machine that sent script• retrieves worm main program, compiles it and runs
CompSec Malware
Nicolas T. Courtois, December 200960
*fingerd
• written in C and runs continuously• Array bounds attack
– Fingerd expects an input string – Worm writes long string to internal 512-byte
buffer
• Attack string – Includes machine instructions– Overwrites return address– Invokes a remote shell – Executes privileged commands
CompSec Malware
Nicolas T. Courtois, December 200961
*remote shell
• Unix trust information– /etc/host.equiv – system wide trusted hosts file– /.rhosts and ~/.rhosts – users’ trusted hosts file
• Worm exploited this information – assumed reciprocal trust: maybe Y trusts X as
well..
• Password cracking• worm was running as daemon (not root) so needed to
break into accounts to use .rhosts feature• read /etc/passwd, used 400 common password
strings & local dictionary to do a dictionary attack
CompSec Malware
Nicolas T. Courtois, December 200962
Not so bad…• Morris worm did not:
– delete system's files, – modify user files, – install Trojans, – make any other use of cracked passwords
• e.g. record or re-transmit elsewhere
– it never took superuser privileges…
CompSec Malware
Nicolas T. Courtois, December 200963
Detecting Morris Internet Worm
• Files– Strange files appeared in infected systems– Strange log messages for certain programs
• System load– Infection generates a number of processes– Password cracking uses lots of resources– Systems were reinfected => number of processes
grew and systems became overloaded• Apparently not intended by worm’s creator
Thousands of systems were shut down
CompSec Malware
Nicolas T. Courtois, December 200965
Increasing propagation speed
• Code Red, July 2001– fascinating story, see Brad Karp slides
• Released AFTER Microsoft released the patch• affecting like 500 000 hosts in hours
• SQL Slammer, January 2003– See Brad Karp too.
• vulnerable population infected in less than 10 minutes• its growth was limited… by the speed of the Internet
Remark: both exploited an already known and already patched buffer overflow vulnerability!
CompSec Malware
Nicolas T. Courtois, December 200966
Nimda worm• Spreads via 5 methods to Windows PCs and
servers– e-mails itself as an attachment (every 10 days)
• runs once viewed in preview plane (due to bugs in IE)
– scans for and infects vulnerable MS IIS servers• exploits various IIS directory traversal vulnerabilities
– copies itself to shared disk drives on networked PCs – appends JavaScript code to Web pages
• surfers pick up worm when they view the page.
– scans for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms
CompSec Malware
Nicolas T. Courtois, December 200967
Nimda worm
• Nimda worm also– enables the sharing of the c: drive as C$ – creates a "Guest" account on Windows NT and
2000 systems – adds this account to the "Administrator" group.
CompSec Malware
Nicolas T. Courtois, December 200968
Cost of worm attacks
• Morris worm, November 1988– Infected approximately 6,000 machines
• was 10% of all computers connected to the Internet!
– cost ~ $10 million in downtime and cleanup
• Code Red worm, July 16 2001– Direct descendant of Morris’ worm– Infected more than 500,000 servers– Caused ~ $2.6 Billion in damages,
• Love Bug worm: May 3, 2000, $8.75 billion
Statistics: Computer Economics Inc., Carlsbad, California
CompSec Malware
Nicolas T. Courtois, December 200970
Virus Defenses
Today’s “anti-virus software”:Just a name. Virus + firewall + etc…Defends against all sorts of malware.
classical viruses are only about 5% nowadays…
CompSec Malware
Nicolas T. Courtois, December 200971
Tips
• do not execute programs obtained by email
• maybe do not install any new software– ???
• very few software companies can be trusted to care about their customers,
– lack of liability, lack of legal obligations, culture of irresponsibility, need to renew products range etc etc…
– do they even understand how secure is their own software?
CompSec Malware
Nicolas T. Courtois, December 200972
Automated Virus Defenses
White list: accept only trusted digitally signed programs. Examples: Nokia Symbian software Microsoft: OS updates, drivers, anti-virus
Prevalent methods in PCs:• Black-list, signature-based detection.• Networks firewalls• control application calls and IPC• monitor and prevent “privileged” system calls,
e.g. registry modification, plug-ins install etc.• track changes to executables (hash/MAC/sign)
CompSec Malware
Nicolas T. Courtois, December 200974
Internet-Wide Defences
Cyberspace: • a new dimension of national defense.• a critical infrastructure
Goal: monitor the Internet at a larger scale, detect anomalies.
CompSec Malware
Nicolas T. Courtois, December 200975
*Traditional Military Doctrine• Each country has 3 frontiers:
• land• sea• air, space
as a consequence they have 3 armies.
Now, we have a new frontier, the digital frontier. Shouldn’t we have a fourth army?• It would be totally useless and waste of money?
• Arguably less than the 3 above (better technical education for young people).
CompSec Malware
Nicolas T. Courtois, December 200976
Network Telescopes
Monitor traffic arriving at large sizeable regions of Internet address space. Reveals, e.g.,:– “Backscatter”
= responses to randomly source-spoofed DDoS attacks
– Worms’ random scanning of IP addresses– Attackers randomly scanning for a particular
port, servers running a particular service, etc…
Examples:– LBNL: 1/215 of Internet address space– UCSD/Univ. Wisconsin: covers 1/28.