Title: Fundamentals
1 Malicious Code: Viruses and Worms
Chao-Hsien Chu
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu_at_ist.psu.edu
Modified by Santoro
Learning by Doing
Theory ? Practice
2 Malicious Code Taxonomy
- Viruses: replicating malicious code
- Worms: self-replicating malicious code
  - Mailing worms
  - Random scanning worms
- Logic Bombs: programmed malfunctions (similar to easter eggs)
- Trojan Horses: malicious program that masquerades as legitimate
  - Backdoors
  - Password stealers
- Exploit code
  - Autorooters
  - White hat penetration tools
- Downloaders: load other malicious code on a machine
3 Malicious Code Taxonomy
- Dialers: generate money for attackers by having users unknowingly dial premium rate numbers
- Code generator kits (e.g. Virus Creation Lab)
- Spammer programs
- Flooders: DDoS tools, botnets
- Keyloggers
- Rootkits: special tool set installed after an attacker has gained control of a system; modifies logs, installs backdoors, etc.
- Other
  - Hoax messages
  - Adware
  - Spyware
  - Phishing attacks
4 Malicious Code Example
- "Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, Sony BMG
- In 2005, Sony BMG released music CDs containing extended copy protection (XCP) software.
- This software was functionally a rootkit that installed hidden files with no notification to the user; a special uninstaller was required to remove the software.
- Simply playing the music CD in a Windows machine resulted in infection.
- NPR story: http://www.npr.org/templates/story/story.php?storyId=4989260
5 Virus Definition
- "A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself." - Peter Szor, 2005
- Key aspects of this definition:
  - Recursively: viruses operate on their own output
  - Explicitly: the copy is specifically intended, as opposed to resulting from a side-effect of some other action
  - Possibly evolved: the virus may alter itself over time (metamorphism)
6 Virus Environments
- For a sequence of symbols to execute successfully, it must match the execution environment.
- Many execution environments exist, e.g.
  - an MS Office macro invoking a Java method on a Windows XP machine running on an x86 processor
- Any given virus can only be successful if its code matches all of the various dependencies.
- Homogeneous environments, such as Java and MS Office, provide execution environments across many lower level environments.
- For exploit-based dependencies, it may be difficult for a virus to spread far.
- Dependencies
  - CPU: differences between families and within a family (backward compatibility, extensions such as MMX, prefetch queue, etc.)
  - Operating System: different OSs and different versions of an OS
  - File system: a virus may modify file system metadata (e.g. FAT); NTFS stream-based hiding
  - File format: COM, EXE, DLL, ELF, etc.
  - Interpreter: Office macros, shell languages, VBScript, JScript, etc.
7 Virus Infection Techniques (1)
- DOS boot process
  - BIOS loads the master boot record (MBR) into memory and jumps to the first address of the bootstrap loader
  - The bootstrap loader examines the MBR partition tables (PT) and locates an active, bootable partition
  - The bootstrap loader then boots the rest of the operating system
- MBR infection strategies
  - Replace and save bootstrap code: relocate the MBR and transfer control to it
  - Replace but do not save bootstrap code: keep the PT and perform the bootstrap functions (find the active partition and transfer control)
  - Infect the MBR by altering the PT to load a different boot sector where the virus is stored
- Exebug virus: modified the BIOS to make it appear that no floppy drive was present, so the PC always boots to the infected MBR; the virus then checks for the presence of a floppy disk and transfers control to it if one is present
[Figure: MBR infection. Labels: MBR, Virus, Saved MBR, DBR, DBR]
8 Boot Sector Virus: Relocating Code
[Figure: (a) Before infection: Boot Sector (Bootstrap Loader) chains to Other Sectors (System Initialization). (b) After infection: Boot Sector (Virus Code) chains to the relocated Bootstrap Loader in Other Sectors, which chains on to System Initialization.]
9 Virus Infection Techniques (2)
- File Infection
  - Overwriting viruses
    - Simply overwrite a file on disk with virus code starting at the first file byte
    - Do not change the file size
    - Cannot be disinfected
  - Random overwriting viruses
    - Seek to a random location before overwriting file contents: entry point obscuring
    - A challenge for scanners that look in expected locations for virus code
    - Execution cannot be guaranteed
  - Appending viruses
    - Virus body is appended to the end of the host file
    - A jump instruction is inserted at the front of the host to point to the virus
    - Over-written host bytes at the beginning are stored in the virus body
    - Once executed, the virus can clean the program by replacing the over-written bytes and transferring execution to the program
  - Pre-pending viruses
    - Virus code is placed before the first host instruction, guaranteeing that all virus instructions are executed before any host instructions.
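As an added example (not code from the slides), a Python disinfection routine for the appending layout just described: it checks that the entry-point jump lands on an appended tail of an assumed, constructed layout, restores the three overwritten host bytes that this layout keeps at the end of the tail, and truncates the file. The host and infected images, the tail length and the position of the saved bytes are all assumptions made for the example.

```python
# Added example (not from the slides): detect and undo the appending-virus
# layout described above. The infected image is constructed here; its
# "virus body" is filler bytes, not real code, and the layout is assumed:
#   [JMP rel16 -> tail][rest of host][virus body ... saved 3 host bytes]
import struct

JMP_NEAR = 0xE9        # x86 near JMP with a signed 16-bit displacement (3 bytes)
SAVED_LEN = 3          # the JMP overwrote exactly three host bytes
TAIL_LEN = 64          # assumed length of the appended tail (body + saved bytes)

# constructed clean DOS .COM host: mov ah,9 / mov dx,0108h / int 21h / ret
HOST = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3"
# constructed infected image: JMP to file offset 8 (3 + 5), host bytes 3..7,
# 61 bytes of filler "body", then the three overwritten host bytes
SAMPLE_INFECTED = b"\xe9\x05\x00" + HOST[3:] + b"\x90" * 61 + HOST[:3]


def find_appended_tail(image: bytes):
    """Return the file offset the entry JMP lands on if it points exactly at
    an appended tail of TAIL_LEN bytes, otherwise None (heuristic check)."""
    if len(image) < 3 + TAIL_LEN or image[0] != JMP_NEAR:
        return None
    (disp,) = struct.unpack_from("<h", image, 1)   # displacement is relative to
    target = 3 + disp                              # the byte after the JMP
    return target if target == len(image) - TAIL_LEN else None


def disinfect(image: bytes) -> bytes:
    """Put the saved host bytes back at the entry point and drop the tail."""
    target = find_appended_tail(image)
    if target is None:
        raise ValueError("entry point does not jump to an appended tail")
    saved = image[-SAVED_LEN:]              # virus stored them at the very end
    return saved + image[SAVED_LEN:target]  # original host, tail removed


if __name__ == "__main__":
    print("clean host flagged:", find_appended_tail(HOST) is not None)   # False
    print("restored host matches:", disinfect(SAMPLE_INFECTED) == HOST)   # True
```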
10 How Viruses Attach
[Figure: three layouts of Original Program and Virus Code in the Modified Program: (a) appended to a program, (b) surrounding a program, (c) integrated in a program]
11 Virus In-Memory Strategies (1)
- Direct Action
  - Do not actively manifest themselves in memory
  - Load with the host program into memory
  - Once running, they start looking for new objects to infect
  - Simple to create
- Memory-Resident
  - Remain in memory after virus initialization
  - More efficient than direct action
  - Typical pattern
    - Virus gains control of the system and allocates memory
    - Virus relocates itself to the allocated memory block
    - Virus hooks execution of code flow to itself
    - Virus infects new objects
12 Virus In-Memory Strategies (2)
- Interrupt handling and hooking
  - DOS example: INT 13h, disk operations
  - Virus hooks the INT by setting a new interrupt handler address in the IVT after establishing itself in memory
  - When the virus runs, it examines the appropriate registers to see what kind of disk action is being performed
  - Under certain actions, the virus can covertly propagate itself (e.g. if the disk action is a write to a floppy disk, the virus can infect the floppy boot sector)
[Figure: IVT (Interrupt vector table) hooking.
 Uninfected case: INT 00h <Addr00>, INT 01h <Addr01>, ..., INT 13h <Addr13>; program -> BIOS.
 Infected case: INT 00h <Addr00>, INT 01h <Addr01>, ..., INT 13h <AddrXX>; program -> Virus -> BIOS.]
13 Virus In-Memory Strategies (3)
- Stealth advantages of hooking
  - INT 13h
    - A boot virus can return the original version of an infected sector during a disk read (read stealth)
    - An appending virus can save the overwritten beginning-of-file bytes in last-cluster slack space (leaving the file size unmodified) and use hooked code to return the saved bytes if they are ever accessed.
14 Advanced Virus Techniques
- Encryption
  - Constant decryptor followed by the virus body
  - Often simple XOR-based encryption is used
  - The decryption key can be stored in the decryptor, in the host, or nowhere
- Oligomorphism
  - Detection of an encrypted virus is simple if the decryptor is long and unique enough
  - Oligomorphic viruses change the decryptor in new generations
  - Can be accomplished using a set of decryptors; for a large set, detection based on the decryptor is impractical, so the scanner must dynamically decrypt and detect based on the decrypted body code
- Polymorphism
  - Mutates the decryptor into potentially millions of forms (e.g. via reordering, junk instruction insertion)
- Metamorphism
  - Body-polymorphism: change the entire virus, rather than just the decryptor
  - Source code based example: modify the virus source and recompile
  - Binary-based example (simple): use different registers in the same code
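An added example (not from the slides) contrasting the two detection approaches just described: a signature match on the constant decryptor, which misses a second generation with a rewritten decryptor, versus dynamically decrypting the body under every one-byte XOR key and matching a signature in the plaintext. The decryptor stubs, body text and keys are constructed placeholders.

```python
# Added example (not from the slides): static decryptor signatures versus
# dynamic decryption of a XOR-encrypted virus body. Everything below is
# constructed: the "decryptor" stubs are placeholder bytes standing in for two
# generations of a decryption loop, and the body is text rather than code.
from typing import Iterable, Optional

BODY_SIGNATURE = b"INFECT:SCAN:WRITE"          # pattern present in the decrypted body
DECRYPTOR_GEN1 = b"\xbe\x10\x01\xb9\x20\x00"    # constructed stub, generation 1
DECRYPTOR_GEN2 = b"\xbf\x10\x01\xba\x20\x00"    # same loop rewritten with other registers


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR, the 'simple XOR based encryption' of the slide."""
    return bytes(b ^ key for b in data)


PLAIN_BODY = b"...padding..." + BODY_SIGNATURE + b"...more padding..."
SAMPLE_GEN1 = DECRYPTOR_GEN1 + xor_bytes(PLAIN_BODY, 0x5A)   # key held in decryptor
SAMPLE_GEN2 = DECRYPTOR_GEN2 + xor_bytes(PLAIN_BODY, 0xC3)   # new stub, new key


def scan_static(sample: bytes, decryptor_sigs: Iterable[bytes]) -> bool:
    """Match the constant decryptor: cheap, but blind to any generation whose
    decryptor is not in the signature set (the oligomorphic case)."""
    return any(sample.startswith(sig) for sig in decryptor_sigs)


def scan_dynamic(sample: bytes, stub_len: int) -> Optional[int]:
    """Emulate the decryptor for every one-byte key and look for the body
    signature in the plaintext. Returns the recovered key, or None."""
    body = sample[stub_len:]
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(body, key):
            return key
    return None


if __name__ == "__main__":
    print("gen1 static:", scan_static(SAMPLE_GEN1, [DECRYPTOR_GEN1]))   # True
    print("gen2 static:", scan_static(SAMPLE_GEN2, [DECRYPTOR_GEN1]))   # False
    print("gen2 dynamic key:", scan_dynamic(SAMPLE_GEN2, len(DECRYPTOR_GEN2)))  # 195
```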
15 Virus Example: Love Letter (1)
- Behavioral Description (from F-Secure)
  - Found in the wild May 4, 2000
  - Copies itself to the Windows system directory as
    - MSKernel32.vbs
    - LOVE-LETTER-FOR-YOU.TXT.vbs
  - and to the Windows directory as
    - Win32DLL.vbs
  - Adds keys to the registry, so that it will be executed when the system is restarted:
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
  - Replaces the Internet Explorer home page with a link that points to an executable program, "WIN-BUGSFIX.exe"
  - Creates an HTML file called "LOVE-LETTER-FOR-YOU.HTM" in the Windows System directory. This file contains the worm and it will be sent using mIRC whenever another person joins an IRC channel where the infected user currently is. To accomplish this the worm replaces the "script.ini" file from the mIRC installation directory.
  - Mass mails itself to everyone in each Outlook address book. The registry is marked to prevent repeat mailings.
    - Subject: ILOVEYOU
    - Body: kindly check the attached LOVELETTER coming from me.
    - Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  - Overwrites various files with itself
Source: http://www.f-secure.com/v-descs/love.shtml
16 Virus Example: Love Letter (2)
- Behavioral Description (from F-Secure), continued
  - Downloaded executable is a password stealing trojan
  - On startup, looks for a hidden window named BAROK
  - If the hidden window is present, the trojan exits, otherwise execution continues
  - Checks for the WinFAT32 subkey in the following Registry key:
    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - If the WinFAT32 subkey is not found, the trojan creates it, copies itself to the \Windows\System\ directory as WINFAT32.EXE and then runs the file from that location.
  - Sets the IE startup page to 'about:blank'.
  - Deletes the following keys:
    - Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
    - Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
    - .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds
    - .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching
  - Registers a new window class and creates a hidden window titled 'BAROK...' and remains resident in Windows memory as a hidden application.
  - Immediately after startup and when timer counters reach certain values, the trojan sends stolen RAS passwords and all cached Windows passwords to the e-mail address 'mailme_at_super.net.ph'
Source: http://www.f-secure.com/v-descs/love.shtml
17 VBS Example: Love Letter Virus (1)
[Screenshot: MSDN Language Reference. MSDN Home > MSDN Library > Web Development > Scripting > Microsoft Windows Script Technologies > Script Runtime > FileSystemObject > Scripting Run-Time Reference]
18 VBS Example: Love Letter Virus (2)
19 VBS Example: Love Letter Virus (3)
20 Worm Definition
- "A worm is a program that can run by itself and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and saps its resources to maintain itself." - Spafford, 1988
21 Worm Taxonomy
- Target discovery
  - Active scanning, hitlist, passive monitoring
- Propagation method
  - Self-propagation, embedded, secondary channel
- Activation
  - Self-activation, scheduled, human-mediated
- Payload
  - No payload, payloads which open back doors on victim machines, and payloads for denial of service, spam relays, reconnaissance, and damage to victim machines.
Weaver, N., V. Paxson, et al. (2003). "A Taxonomy of Computer Worms". Workshop on Rapid Malcode (WORM'03).
22 The Worm Threat
- In November 1988 the Morris Worm infected an unknown proportion of Unix systems on the Internet, with repair costs estimated at $100,000,000 (National Institute of Justice, 2001). Targets: sendmail, finger, rsh
- On July 19th, 2001 more than 359,000 computers were infected with the Code Red worm in less than 14 hours. Target: MS IIS web server
- On January 25th, 2003, the SQL Slammer worm infected 90% of vulnerable hosts within 10 minutes, causing network outages and disruptions to airline flights and ATM machines. Target: MS SQL Server 2000
23 Code Red I Timeline
- June 18, 2001: eEye Security issued an advisory regarding a buffer overflow vulnerability in the MS IIS web server
- June 26: Microsoft releases a patch for the vulnerability
- July 12: Code Red I is released
  - Memory-resident, random scanning
  - Time-dependent behavior
    - Before the 20th day of the month: infection
    - 20th to 28th day of the month: DoS attack against www1.whitehouse.gov
    - After the 28th day of the month: dormant
  - Slow spread due to static random seed
- July 19: random variant worm, Code Red I ver 2, is released
  - 359,000 machines infected in less than 14 hours
24 CRv2 Growth Curve
[Figure: growth curve of Code Red I v2 infections]
Source: D. Moore, C. Shannon, and J. Brown, "Code-Red: a Case Study on the Spread and Victims of an Internet Worm," in Internet Measurement Workshop, 2002.
25 Worm Target Discovery
- Without a priori target knowledge
  - Random Scan: uniform, local preference, sequential
  - Topological Scan
- With a priori target knowledge
  - Hitlist Scan (the limiting case is Flash Scan)
- Optimizations: Routable Scan, Permutation Scan
26 Bot and BotNet
- A bot is a zombie computer
- Bot software is downloaded and installed, often as a rootkit
- Bots connect through TCP/IP to a controller (mother ship)
- Bots can be reprogrammed from the controller
- Botnets are used to launch spam, DDoS
27 Bot and BotNet
- Case study: Storm Botnet
  - By Sep 2007 running on between 1 and 50 million computers worldwide (at one point 8% of all Windows malware)
  - Vector was XSS; used phishing to get users to activate a Web link
  - Used in a variety of criminal activities, including DDoS and spam
  - Has displayed defensive behaviors
  - Developers not caught yet; believed to have originated in Russia
  - Believed that the code has been sold to other hacker groups
28 Network Telescopes
A commonly used monitor for worm activity is the network telescope. Network telescopes monitor large segments of dark, or unused, address space containing few, if any, production hosts. No or very little legitimate traffic is expected to be observed targeting telescope address space.
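An added example (not from the slides) of how the measurement works: constructed flow records aimed at a stand-in dark prefix are grouped by source to identify scanners and to count newly seen sources per time bin, which is the telescope observation behind infected-host growth curves such as CRv2's. The prefix 192.0.2.0/24, the source addresses and the ports (80/tcp and 1434/udp, echoing Code Red and Slammer above) are constructed.

```python
# Added example (not from the slides): analysing constructed flow records that
# arrived at a stand-in dark prefix (192.0.2.0/24, a documentation range used
# here as the telescope). Nothing legitimate lives there, so a source that
# probes several telescope addresses is treated as a scanner.
import ipaddress
from collections import defaultdict

TELESCOPE = ipaddress.ip_network("192.0.2.0/24")

# constructed records: "<unix time> <src> <dst> <dport> <proto>"; ports 80/tcp
# and 1434/udp echo the Code Red and Slammer examples on the earlier slides
SAMPLE_LOG = """\
1000 203.0.113.5 192.0.2.17 80 tcp
1001 203.0.113.5 192.0.2.200 80 tcp
1002 203.0.113.5 192.0.2.9 80 tcp
1003 198.51.100.7 192.0.2.33 1434 udp
1065 198.51.100.7 192.0.2.34 1434 udp
1066 203.0.113.9 192.0.2.77 80 tcp
1070 198.51.100.42 192.0.2.1 25 tcp
1130 203.0.113.9 192.0.2.78 80 tcp
1131 203.0.113.9 192.0.2.79 80 tcp
"""


def parse(log: str):
    """Yield (ts, src, dst, dport, proto) for records aimed at the telescope."""
    for line in log.splitlines():
        ts, src, dst, dport, proto = line.split()
        if ipaddress.ip_address(dst) in TELESCOPE:   # drop anything outside dark space
            yield int(ts), src, dst, int(dport), proto


def scanners(log: str, min_targets: int = 2) -> dict:
    """Sources that hit at least min_targets distinct telescope addresses,
    mapped to the set of (dport, proto) pairs they probed."""
    targets, services = defaultdict(set), defaultdict(set)
    for _, src, dst, dport, proto in parse(log):
        targets[src].add(dst)
        services[src].add((dport, proto))
    return {s: services[s] for s, t in targets.items() if len(t) >= min_targets}


def new_sources_per_bin(log: str, bin_seconds: int = 60) -> dict:
    """Count sources first seen in each bin_seconds-wide bin: the telescope
    proxy for the rate of new infections that growth curves are drawn from."""
    first_seen = {}
    for ts, src, *_ in parse(log):
        first_seen.setdefault(src, ts)
    counts = defaultdict(int)
    for ts in first_seen.values():
        counts[ts // bin_seconds * bin_seconds] += 1
    return dict(counts)
```

On the sample, the single probe from 198.51.100.42 is not reported as a scanner, and the two 60-second bins each contribute two newly seen sources.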
29 Case Study: Stuxnet
- Computer worm first analyzed in July 2010
- First known case of a targeted worm that attacks industrial control systems
- Spreads indiscriminately; contains a payload that targets Siemens control systems
- Believed to have been targeted against Iran's nuclear fuel enrichment program
- Analysts believe it was created by a nation-state, possibly US/Israel
30 Case Study: Stuxnet
- First appeared June 2009; improved variants in March and April 2010
- Primarily found in 8 countries, but over 60% of infections in Iran
- Makes itself inert if it does not detect Siemens control software
- 3-layered attack
  - Windows zero-day vulnerabilities
  - Step 7 industrial application
  - Siemens PLC
31 Case Study: Stuxnet
- Two vectors
  - USB storage
  - P2P RPC
- Contains a man-in-the-middle attack to fake industrial process control sensor signals, so damage is not detected until too late
- Believed to have specifically targeted fuel enrichment centrifuges
32 Case Study: Stuxnet
- Contains both user-mode and kernel-mode rootkits
- Valid digital certificates stolen from VeriSign used to avoid driver detection
- Web sites in Denmark and Malaysia served as command-and-control centers
- Utilized 4 zero-day Windows vulnerabilities
- Infects project files for Siemens WinCC/PCS 7 SCADA controllers
- Subverts a key communications DLL to avoid detection
33 Case Study: Stuxnet
- Stuxnet is VERY sophisticated
- Indicates a multi-level, evolving attack strategy
- Believed to have been developed as a targeted cyber-warfare weapon
- Has raised awareness among cyber-security commands
- Similar attacks could target power grids, communications, oil refineries, shipyards, etc.
- (See the movie Eagle Eye for hypothetical potential)