MALWARE

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

Overview

• Virus
• Worms
• Trojans
• Buffer overflow
• Rootkits

Milestones

• 1982: First virus, Elk Cloner, affected Apple II computers and caused a poem to be displayed on every 50th boot. It copied itself to the computer’s memory when booted and then could spread to other disks on that computer.

• 1983: Fred Cohen created an experimental virus.
• 1986: First virus, Brain, to infect MS-DOS systems.
• 1988: First worm, the Morris worm, was released into the Internet.

Virus/Worm Hall of Fame (or Infamy)

• Melissa
– First combination of Word macro and malicious code.
  • Affected the NORMAL.DOT template for Word.
– It used the Outlook/Outlook Express address books on the infected computer to spread to other computers via email. Users only had to open the email to be infected.
– Subject line read, “Important message from” followed by the name of the sender.
– The body of the email read, “Here is the document you asked for…”.
– Although not destructive to computers, it generated heavy network traffic.

Virus/Worm Hall of Fame (or Infamy)

• Love Letter
– Affected about 10% of all computers connected to the Internet.
– Very similar to the Melissa virus in infection mechanism and use of the Outlook address book.
– Email body read, “kindly check the attached LOVELETTER coming from me.”
– Attachment is LOVE-LETTER-FOR-YOU.TXT.vbs, which is a VBScript file.
– When infecting a computer, it overwrote any files with the extensions VBS, VBE, JS, JSE, CSS, WSH, … with its own code.

Virus/Worm Hall of Fame (or Infamy)

• Slammer Worm
– Infected over 90% of vulnerable hosts within 10 minutes of its release.
– Exploited a vulnerability in SQL Server, which failed to reject any messages over 128 bytes long.
– Slammer was able to overrun the buffer with random IP addresses and send itself to those addresses.
– If a host with one of those IP addresses also had SQL Server installed, Slammer would repeat the propagation process on it.

Virus/Worm Hall of Fame (or Infamy)

• Nimda
– Could spread in five different ways.
– Affected 450,000 hosts in 12 hours.
• CodeRed
– Over 300,000 hosts were infected within 24 hours.
• SoBig
– Had its own SMTP mail program.

Damage Caused by Payload

• Jokes and mischief
• Vandalism
• Data theft/corruption/destruction
• Spam
• A virus hoax that takes advantage of people’s fear of viruses can sometimes cause damage similar to that inflicted by real viruses.

Trend in Malware

• Historically, malware was designed to infect, disrupt, disable, or destroy systems. The aim was often mischief or bragging rights for the author of the malware.

• Currently, most malware is designed with criminal intention.

• Often used to capture information about a victim – credit card data, login credentials, insider information, etc.

• Malware is created with better mechanisms to evade detection.

Virus

• Best-known category of malicious code.
• Self-replicating.
– Replicates by attaching itself to another file.
• Usually requires human interaction to propagate.
• When the host file is opened or executed, the virus also executes and is able to infect other files and/or wreak havoc.
• Used to spread mainly by the sharing of floppy disks and by infecting the boot sector.
• With newer generations of computers and media, viruses now often propagate via email and by taking advantage of Microsoft macros/file templates.

Macro Virus

• With the appearance of software with macro functionality (e.g., VBA), a document file can store not just data but also executable code.
• To ensure that its code will be triggered when the infected file is used, it often modifies the subroutines in the file that run automatically when the file is opened, closed, created, or saved, e.g., Document_Open(), Document_Close(), FileNew(), FileSave().
• To ensure that it will stay on the machine and infect other documents, it often copies itself to the default template files, e.g., Normal.dot (Word), Personal.xls (Excel), Blank Presentation.pot (PowerPoint).
– The Triplicate virus infects all three – Word, Excel, and PowerPoint.

Anti-Virus Evasion

• Anti-virus programs work on the basis of virus signatures.
• To confuse anti-virus programs, some viruses are able to encrypt themselves. They contain a decryption module but use variable keys.
• Virus scanners cannot detect such viruses by means of signatures, but they can detect the decryption module.
• Changing the order of subroutines can also confuse scanners.

Polymorphic Viruses

• Polymorphic viruses modify their code for each replication.
• They typically contain a random number generator and a mutation engine.
• This is often done by writing numerous variations of methods in the virus code and changing the order of parts of the code.
• The virus thus has a signature (code pattern and hash value) that is different from those recorded by anti-virus companies at the outbreak of the virus.
• This is often further enhanced by encrypting parts of the virus code. In each variation, encryption is done differently and thus changes for each replication.

Logic Bomb

• Remains dormant for a period of time until some event invokes its execution.
– If the trigger is some event, it’s a logic bomb.
– If the trigger is a specific date or time, it’s a time bomb.
• Often installed by authorized users.
• Can be difficult to detect.

Worm

• Self-replicating.
– Spreads via networks.
– Does not have to rely on other files.

• Usually does not require human interaction to propagate.

Worm Propagation

• The warhead breaks into a system.
– Buffer overflow, file shares, email, etc.
• The propagation engine allows the rest of the worm code to “crawl” into the infected system.
– The warhead can execute instructions that use file transfer programs, e.g., FTP, TFTP, HTTP, to move worm code.
• The worm installs itself on the system, loads its process into memory, and changes system configuration.
• The target selection algorithm looks for new victims on the network to attack.
– Email addresses, host name files (/etc/hosts, LMHOSTS), DNS queries, NetBIOS queries, random selection, etc.

Worm Propagation

• Using the information collected by the target selection algorithm, the scanning engine scans across the network to determine suitable victims.
– When a victim is found, the worm will spread to the new victim.
• A worm also carries its payload, a chunk of code to implement the action desired by the attacker.
– Installing a backdoor
– Planting zombie code for DDoS
– Doing part of a complex mathematical operation

Virus/Worm Differences

Virus: An infected file cannot be spread to other systems unless it is replicated and sent to another system.
Worm: A worm, after being installed, can replicate itself and spread via network connections and/or email.

Virus: An infected file (.exe, .com, .sys, etc.) is no longer what it was. It contains malicious code and payload.
Worm: A worm typically does not modify any files stored on the system.

Virus: Not prone to spreading to a large number of systems. It depends a lot on user intervention.
Worm: Can spread very quickly over networks.

Virus/Worm Differences

• The distinction between viruses and worms has blurred.
– Viruses are becoming more worm-like.
– They are less dependent on floppy/media sharing and can spread faster by worm-like behaviors.

Trojan Horses

• A program that contains malicious code but appears to be harmless or helpful.

• Appears to have some useful or benign purpose that attracts a user.
– Often can indeed perform its ostensible function.

• Blends in with the normal programs running on a system.

• Trojan horse applications are usually masqueraded as games, utilities, or other useful applications.

Trojan Horses

• Typical functions for a Trojan might include:
– Sending and receiving files
– Viewing cached passwords
– Restarting the system
– Launching processes
– Modifying files
– Sharing files
– Modifying registry keys
– Keylogging

• At this time, Trojans are not able to reproduce themselves like viruses or worms.

• However, they can be spread as payload of worms.

Trojan Architecture

• Uses a client/server architecture. The server part is installed on the victim’s machine; the client part, on the attacker’s machine.
• Generally runs in stealth mode on the victim’s machine. The attacker needs to know the remote IP address to connect to the machine and invoke the Trojan. Some Trojans can “phone home” by transmitting back the victim’s IP address.
• To auto-start when the system boots, Trojans can alter system files and settings on the machine, such as entries in the Windows registry.

The Making of a Horse

• A Trojan’s file is bound to another file.
– Programs are available for binding EXE files with other EXE files or files of other types.
• Famous Trojans such as SubSeven, NetBus, and BackOrifice all have an edit program that “configures” a “server” program before it is deployed to a victim.
– One “configuration” is to bind the server program to another program.
– Another “configuration” may change the combined program file’s icon to that of the program used as the guise.

SubSeven’s EditServer Program

Bound File

SubSeven

Trojan Camouflage

• Attackers often create another file and process with exactly the same name as an existing program on the system.
• Common “camouflage” names:
– *nix: init, inetd, cron
– Windows: win, iexplore, notepad
• Windows does not allow deletion of processes with certain names:
– Csrss.exe, services.exe, smss.exe, winlogon.exe, System, System Idle Process
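A defender’s counterpart to the camouflage trick above, added here as an example (it is not part of the slides): a check that flags a process whose image name matches one of the protected Windows names listed but whose executable runs from somewhere other than the system directory. The process list, the expected directory C:\Windows\System32\ and all helper names are assumptions made for this example; System and System Idle Process are left out because they have no image file on disk.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One entry of a process listing: image name and full path of the executable. */
struct proc_entry {
    const char *name;
    const char *image_path;
};

/* Names the slides list as protected Windows system processes. The expected
 * directory is an assumption for this example (standard install drive). */
static const char *const PROTECTED_NAMES[] = {
    "csrss.exe", "services.exe", "smss.exe", "winlogon.exe", NULL
};
static const char EXPECTED_DIR[] = "C:\\Windows\\System32\\";

/* Case-insensitive string equality (Windows file names are case-insensitive). */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive "does s start with prefix". */
static int str_iprefix(const char *prefix, const char *s)
{
    for (; *prefix; prefix++, s++)
        if (*s == '\0' || tolower((unsigned char)*prefix) != tolower((unsigned char)*s))
            return 0;
    return 1;
}

/* 1 if the entry borrows a protected name but runs from somewhere else. */
int is_camouflaged(const struct proc_entry *p)
{
    for (size_t i = 0; PROTECTED_NAMES[i] != NULL; i++)
        if (str_ieq(p->name, PROTECTED_NAMES[i]))
            return !str_iprefix(EXPECTED_DIR, p->image_path);
    return 0;   /* name not in the protected list: this check has no opinion */
}

/* Number of suspicious entries in a listing. */
int count_camouflaged(const struct proc_entry *list, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_camouflaged(&list[i]);
    return hits;
}

/* Constructed sample listing (not real telemetry). */
static const struct proc_entry SAMPLE[] = {
    { "csrss.exe",   "C:\\Windows\\System32\\csrss.exe" },
    { "svchost.exe", "C:\\Windows\\System32\\svchost.exe" },
    { "CSRSS.EXE",   "C:\\Users\\Public\\csrss.exe" },   /* borrowed name, wrong place */
    { "smss.exe",    "D:\\temp\\smss.exe" },             /* same trick, another path */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-12s %-40s %s\n", SAMPLE[i].name, SAMPLE[i].image_path,
               is_camouflaged(&SAMPLE[i]) ? "SUSPICIOUS" : "ok");
    printf("%d suspicious entries\n", count_camouflaged(SAMPLE, SAMPLE_COUNT));
    return 0;
}
```

The comparison is deliberately case-insensitive because a borrowed name such as CSRSS.EXE is the same file name to Windows; a check that only matched the exact spelling would miss it.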

Sources of Trojan Infection

• Social engineering
• P2P networks
• Physical access
• Fake programs and freeware
• E-mail attachments
• Scripts in HTML e-mails
• Instant messenger
• Files on FTP servers
• Spoofed Web sites
• Files offered on bulletin boards and forums
• Scripts on hacked legitimate Web sites
– Drive-by download

Drive-By Download

Detection and Prevention

• A key feature of Trojans is that they often modify a legitimate program file.
– Integrity of the legitimate file is compromised.
– Detection therefore can be done by a file integrity check.
• Perform any or all of the following checks:
– Date and time
– Size
– Checksum
• Object reconciliation
– A widely used method that detects Trojans
– Means “verification that things are the same”
– Windows has a built-in Windows File Protection (WFP) feature
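The date/size/checksum check and object reconciliation described above, worked as an added example that is not from the slides: a baseline is recorded for a file image and a later snapshot is reconciled against it. File contents, timestamps and names are constructed; FNV-1a stands in for the checksum so the block runs stand-alone (a real integrity checker would use a cryptographic hash). The case where the tampered copy keeps the original size and timestamp shows why the checksum is the check that matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Baseline record for one file: the three properties the slides say to check. */
struct baseline {
    size_t   size;
    uint64_t mtime;      /* modification time, seconds since epoch (constructed values below) */
    uint64_t checksum;
};

/* Which checks disagreed, as bit flags; 0 means the object reconciles. */
enum { DIFF_TIME = 1, DIFF_SIZE = 2, DIFF_CHECKSUM = 4 };

/* FNV-1a 64-bit over a byte buffer. A stand-in for the checksum step; a real
 * deployment would use a cryptographic hash such as SHA-256. */
uint64_t fnv1a64(const unsigned char *data, size_t n)
{
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Take the trusted snapshot (e.g., right after installation). */
struct baseline record_baseline(const unsigned char *data, size_t n, uint64_t mtime)
{
    struct baseline b;
    b.size = n;
    b.mtime = mtime;
    b.checksum = fnv1a64(data, n);
    return b;
}

/* Compare a fresh snapshot against the baseline. */
int reconcile(const struct baseline *b, const unsigned char *data, size_t n, uint64_t mtime)
{
    int diff = 0;
    if (mtime != b->mtime)               diff |= DIFF_TIME;
    if (n != b->size)                    diff |= DIFF_SIZE;
    if (fnv1a64(data, n) != b->checksum) diff |= DIFF_CHECKSUM;
    return diff;
}

/* Constructed stand-ins for a program image (not real executables). */
static const unsigned char ORIGINAL[] = "MZ..legit-program-image..v1.0";
static const unsigned char TAMPERED[] = "MZ..legit-program-image..v1.1";  /* same length, one byte changed */
static const unsigned char APPENDED[] = "MZ..legit-program-image..v1.0+bound-payload";
#define LEN(s) (sizeof(s) - 1)
static const uint64_t ORIGINAL_MTIME = 1452211200ULL;   /* constructed */

/* Case 1: content changed, size kept, timestamp reset to the original value.
 * Date/time and size both pass; only the checksum disagrees. */
int check_tampered_same_size(void)
{
    struct baseline b = record_baseline(ORIGINAL, LEN(ORIGINAL), ORIGINAL_MTIME);
    return reconcile(&b, TAMPERED, LEN(TAMPERED), ORIGINAL_MTIME);
}

/* Case 2: a payload bound onto the file grows it and the write time moved on;
 * all three checks disagree. */
int check_bound_payload(void)
{
    struct baseline b = record_baseline(ORIGINAL, LEN(ORIGINAL), ORIGINAL_MTIME);
    return reconcile(&b, APPENDED, LEN(APPENDED), ORIGINAL_MTIME + 86400ULL);
}

/* Case 3: an untouched file reconciles. */
int check_untouched(void)
{
    struct baseline b = record_baseline(ORIGINAL, LEN(ORIGINAL), ORIGINAL_MTIME);
    return reconcile(&b, ORIGINAL, LEN(ORIGINAL), ORIGINAL_MTIME);
}

int main(void)
{
    printf("untouched:           diff=%d\n", check_untouched());
    printf("tampered, same size: diff=%d (checksum only)\n", check_tampered_same_size());
    printf("bound payload:       diff=%d (time|size|checksum)\n", check_bound_payload());
    return 0;
}
```

Timestamps and sizes are cheap to check but easy to preserve; the checksum is the one property the file’s bytes cannot keep while changing, which is why the baseline for it must be stored somewhere the attacker cannot also rewrite.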

Buffer Overflow

• A buffer is a space in memory reserved for a variable.
• If the developer forgot to write code to check the size of user input, overflow can happen.
• An attacker can send more data than the original software developer planned for the variable.
• Since the code does not check the variable’s size, the malicious user input not only fills up the space planned for the buffer but also overwrites the memory space next to it.
• The overwritten part can contain important information such as the return address.
• Now by cleverly crafting tiny but effective code into the input, the attacker can instruct the program to branch to another memory location.

Shellcode

• That small bit of extra input often carries shellcode.
• It is malicious and abuses security holes in the application discovered by the attacker.
• The shellcode contains the rogue instructions that will be executed.
– So named because it often provides access to a computer’s shell.
– Typically consists of assembly language code represented in escape sequences.

Stack Overflow

• Attackers write the code for a buffer overflow in such a manner that the code to which a function’s pointers point is code of the attacker’s choosing.
• Process of an exploit
– Attacker searches for a chance to overflow the buffer.
– Attacker determines the memory assigned to the variable.
– Attacker specifies a value greater than the maximum capacity of the variable.
– Variable takes the value.

Function Call

void foo(int para1, int para2);

int main(void)
{
    int arg1 = 1, arg2 = 2;
    // some code
    foo(arg1, arg2);   // function call: return address is saved, then control jumps to foo
    // some more code
    return 0;
}

void foo(int para1, int para2)
{
    (void)para1;
    (void)para2;
    // some code
    // function done
    // go back to calling function: saved return address is loaded into EIP
}

The program relies on the value of the return pointer (EIP) to know where to go after the function call. If EIP is modified by the attacker, execution will go to another place in memory, at the attacker’s discretion.

Push to the Stack

• Memory stacks are used to store information associated with function calls.
• The information is accessed on a last-in first-out (LIFO) basis.
1. Function call arguments (if any) are “pushed” onto the stack.
2. The system copies the value of the CPU’s Extended Instruction Pointer (EIP) register to the stack. This marks the point to resume after the function call is done.
3. A “frame pointer” is stored on the stack.
4. Local variables the called function uses are stored.
• By changing the value of EIP, you can control what code is executed after the function call.

Pop from the Stack

• After the called function finishes running, the local variables (result in our example) are “popped” from the stack.
• The frame pointer also is removed.
• Then, the value of the return pointer (EIP) is copied back to the CPU’s “instruction pointer” register.
• Finally, the arguments are removed from the stack.

Normal Stack Operations

A “Smashed” Stack

Heap Overflow

• The heap is a block of memory that the program can use dynamically for storing data. It is needed when:
– A larger buffer is needed.
– The programmer doesn’t know the size of the value to be stored.
• It is allocated using the malloc() function and freed using the free() function.
• A heap is “smashed” in a way similar to the stack.
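The unchecked copy that the Buffer Overflow and Stack Overflow slides describe, and the heap case from this slide, as an added example that is not from the slides: greet_unchecked() is the defect (an unbounded strcpy() into a 16-byte stack buffer), copy_bounded() is the fix, and the same bounded copy is applied to a malloc()’d buffer. Function names, the buffer size and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* bytes reserved for the name buffer, NUL included */

/* The defect the slides describe: strcpy() copies until it sees a NUL, so input
 * longer than NAME_LEN-1 characters spills past 'name' into the neighbouring
 * stack slots (saved frame pointer, return address). Shown for contrast only;
 * nothing below calls it. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no length check: this is the overflow */
    printf("Hello, %s\n", name);
}

/* Bounded copy. Returns 0 on success, -1 if 'src' does not fit in 'dst_size'
 * bytes. Never writes past dst_size and leaves dst NUL-terminated on failure. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {                 /* no room for the text plus its NUL */
        dst[0] = '\0';
        return -1;                       /* reject rather than silently truncate */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stack buffer: oversized input is refused, so the frame is never overwritten. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;
    printf("Hello, %s\n", name);
    return 0;
}

/* Heap buffer: the capacity passed to malloc() travels with the buffer, so the
 * same check applies. On success *out holds a buffer the caller must free(). */
int store_checked(const char *input, size_t cap, char **out)
{
    char *buf = malloc(cap);
    *out = NULL;
    if (buf == NULL)
        return -1;
    if (copy_bounded(buf, cap, input) != 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return 0;
}

/* Convenience verdict: 1 if the input was stored on the heap and read back intact. */
int heap_roundtrip_ok(const char *input, size_t cap)
{
    char *p = NULL;
    int ok = store_checked(input, cap, &p) == 0 && p != NULL && strcmp(p, input) == 0;
    free(p);
    return ok;
}

/* Constructed inputs: one fits in NAME_LEN, one is twice as long (32 characters). */
static const char FITS[]     = "Andy";
static const char TOO_LONG[] = "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";

int main(void)
{
    printf("stack, fits:     %d\n", greet_checked(FITS));                  /* 0  */
    printf("stack, too long: %d\n", greet_checked(TOO_LONG));              /* -1 */
    printf("heap, fits:      %d\n", heap_roundtrip_ok(FITS, NAME_LEN));     /* 1  */
    printf("heap, too long:  %d\n", heap_roundtrip_ok(TOO_LONG, NAME_LEN)); /* 0  */
    return 0;
}
```

The fix is the same for both memory regions: the copy must know the destination’s capacity and refuse input that exceeds it. For the heap buffer that capacity is whatever was passed to malloc(), which is why it is carried alongside the pointer rather than assumed. Rejecting rather than truncating avoids a second class of bugs where a silently shortened value is later trusted.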

Rootkits

• The attacks covered so far are separate programs an attacker adds to a system.
– They don’t change operating system programs on the victim.
• Rootkits raise the ante by changing or replacing existing OS software executables or libraries.
• This allows the attacker to have backdoor access or cover up his/her presence.

Rootkits

• Rootkits are a type of Trojan that take normal programs associated with the OS and replace them with malicious versions, e.g.,
– On a Unix system, a rootkit can replace the ls command with a malicious version that hides the attacker’s files.
– Can act as a backdoor: offer attackers access by implementing a remote shell listener, e.g., “impersonate” the sshd program.
• Rootkits allow an attacker to maintain access to and remain “invisible” on a system by hiding:
– Processes
– Files
– Registry keys
– Network connections
• Rootkits achieve their goals by using a few techniques:
– Abuse of Windows API
– DLL injection
– API hooking

Abusing Windows API

• Microsoft has designed well-defined interfaces in Windows for extending its built-in functionality through third-party tools.
• An attacker, however, can abuse the Windows API by inserting malicious code between the Windows API and the user.

FakeGINA

• The Windows logon process invokes a library of code (msgina.dll) for graphical identification and authentication (GINA).
• It’s likely that third-party logon mechanisms based on biometrics, PKI, etc., are needed to authenticate users.
• Therefore, in addition to Microsoft’s own version of GINA, Windows allows third-party programs to be developed and to interact with the authentication mechanism (e.g., the Local Security Authority) through msgina.dll.

FakeGINA

• An attacker thus can abuse this by inserting a FakeGINA between the logon process and msgina.dll.
• It still interacts with msgina.dll like other third-party authentication programs would.
• However, the real purpose of FakeGINA is to capture users’ keystrokes, store users’ credentials in a text file, and send the file to the attacker.
– This is much faster than password cracking!

The Role of DLLs

• A dynamic link library (DLL) file is not executable by itself, but it provides functionality to a running .exe file through function calls into the library.
– An executable file can call functions from a number of DLL files.
– A DLL file can provide functionality to multiple .exe files.

• Each individual function in a DLL takes some action on the system.

• Windows DLLs provide basic functionality such as displaying files and folders, showing running processes, etc.

DLL Injection

• Through a series of delicate manipulations of threads and memory spaces, an attacker can fool a running .exe file and force it to accept a DLL that it never requested.

• This rogue DLL contains malicious code and, once in the victim process’ memory space, can insert new “functionality” into any other running process.

API Hooking

• One thing the injected DLL does is divert important executables’ API function calls and “hook” those calls to the injected malicious code.
• From now on, those function calls are in effect intercepted by the attacker’s malicious code, which gets to determine whether it will let the call pass to the real API or provide fake results to the calling exe file.
• This is analogous to the “man-in-the-middle” network attack.
– API hooking: intercepts function calls.
– MitM attack: intercepts network packets.
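To make the Abusing Windows API and API Hooking slides concrete without touching a real API, here is an added example (not from the slides) built around a toy dispatch table standing in for an export table. A hook is installed in place of the genuine list function and filters out names with a chosen prefix, the “pass the call or fake the result” behaviour described above, and two defender checks catch it: comparing the live table entry against a known-good snapshot, and a cross-view count that compares what the API reports with what the underlying store holds. The table, the “rk_” prefix, the sample listing and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

/* Constructed "directory" that the genuine API enumerates. */
static const char *const DISK[] = { "notes.txt", "rk_hidden.sys", "report.doc", "rk_loader.dll" };
static const int DISK_COUNT = 4;

/* The genuine API: copies every name into 'out', returns how many. */
int real_list_files(const char **out, int max)
{
    int n = 0;
    for (int i = 0; i < DISK_COUNT && n < max; i++)
        out[n++] = DISK[i];
    return n;
}

typedef int (*list_fn)(const char **, int);

/* Dispatch table that callers go through, like an import/export table. */
struct api_table { list_fn list_files; };
static struct api_table g_api = { real_list_files };

/* Snapshot taken at a trusted moment (e.g., at startup) for later comparison. */
static const struct api_table g_known_good = { real_list_files };

/* The hook: forwards to the real function, then drops the entries it wants hidden,
 * so the caller receives a plausible but incomplete answer. */
static int hooked_list_files(const char **out, int max)
{
    int n = real_list_files(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "rk_", 3) != 0)
            out[kept++] = out[i];
    return kept;
}

void install_hook(void)  { g_api.list_files = hooked_list_files; }
void restore_table(void) { g_api.list_files = real_list_files; }

/* What an ordinary program sees when it asks through the table. */
int visible_file_count(void)
{
    const char *buf[MAX_ENTRIES];
    return g_api.list_files(buf, MAX_ENTRIES);
}

/* Defender check 1: does the live table still point where the snapshot said? */
int table_is_intact(void)
{
    return g_api.list_files == g_known_good.list_files;
}

/* Defender check 2 (cross-view): entries the underlying store holds but the
 * API no longer reports. Non-zero means something is being hidden. */
int cross_view_hidden(void)
{
    const char *buf[MAX_ENTRIES];
    return real_list_files(buf, MAX_ENTRIES) - visible_file_count();
}

int main(void)
{
    printf("clean:  visible=%d intact=%d hidden=%d\n",
           visible_file_count(), table_is_intact(), cross_view_hidden());
    install_hook();
    printf("hooked: visible=%d intact=%d hidden=%d\n",
           visible_file_count(), table_is_intact(), cross_view_hidden());
    restore_table();
    return 0;
}
```

The two checks fail in different circumstances: the pointer comparison only works if the snapshot was taken before the hook went in and is stored where the hook cannot also rewrite it, while the cross-view count needs an independent way to read the underlying store (here real_list_files(), which in practice means a lower-level path than the hooked API).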

Examples of Rootkits

• AFX Windows Rootkit can hide/mask four different aspects of a backdoor program: process, files, registry keys, TCP/UDP ports.

• Hacker Defender is a full-fledged rootkit with features similar to those of AFX.