Malicious Code for Fun and Profit

1
Malicious Codefor Fun and Profit

• Mihai Christodorescu
• ltmihai_at_cs.wisc.edugt

2
What is Malicious Code?

• Code that breaks your security policy
• Characteristics
• Attack vector
• Payload
• Spreading algorithm

3
Outline

• Attack Vectors
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

4
? Attack Vectors

• Social engineering
• Make them want to run it.
• Vulnerability exploitation
• Force your way into the system.
• Piggybacking
• Make it run when other programs run.

5
Social Engineering

• Suggest that executable is
• A game
• A desirable picture/movie
• An important document
• A security update from Microsoft
• A security update from the IT department
• Spoof sender

6
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

7
Vulnerability Exploitation

• Use flaws in software input handling
• Sample techniques
• Buffer overflow attacks
• Format string attacks
• Return-to-libc attacks
• SQL injection attacks

8
Basic Principles

• Take over a currently running process
• Use its privileges for your own nefarious
  purposes
• Normally, this means getting a shell (/bin/sh)
  running as superuser (root)

9
How to Get a Shell

• How do we get a root shell?
• Cause a process to execute the following C code
• Original process is replaced by an interactive
  shell running as root.

exec( /bin/sh )
10
Program Stack

• Data local to the procedure
• Actual arguments
• Local variables
• Saved registers
• Return address

function foo( int x , char y
) float d Obj b Obj p new Obj()
...
11
Sample Stack

• main() calls foo(), foo() calls bar()

main()

Saved main() frame pointer
Return address (in main())
Local variables
Expression stack
Arguments to bar()

foo()
bar()
12
Smashing the Stack

1. Load malicious code into memory
2. Overwrite return address to point to malicious
   code
3. Wait for function to return

function main() ... call foo() ...
function foo() ... return


Return address
Local variables



malicious code ... ... ...
Malicious code
13
Overwriting a Variable


Return address Return address Return address Return address








function foo( char a ) char buffer 16
strcpy( buffer, a ) ... return
\0
r
d
!
l
o
?
w
o
buffer
H
e
l
l
foo( Hello world! )
14
Overwriting a Variable


Return address Return address Return address Return address








function foo( char a ) char buffer 16
strcpy( buffer, a ) ... return
V
E
I
L
e
d
f
g
a
9
b
c
5
6
7
8
buffer
1
2
3
4
foo( 123456789abcdefgEVIL )
15
Taking Control


Return address Return address Return address Return address








Shell code
buffer
16
Shell Code

• Just call the exec system call

mov edx, arg2 mov ecx, arg1 mov ebx,
/bin/sh mov eax, 0Bh int 80h
required arguments path to
executable subfunction exec system call
sys_execve
17
Shell Code
EB 17 5E 89 76 08 31 C0
88 46 07 89 46 0C B0 0B
89 F3 8D 4E 08 31 D2 CD
80 E8 E4 FF FF FF
18
Shell Code
EB 17 5E 89 76 08 31 C0
88 46 07 89 46 0C B0 0B
89 F3 8D 4E 08 31 D2 CD
80 E8 E4 FF FF FF / b
i n / s h \0
19
Shell Code
EB 17 5E 89 76 08 31 C0
88 46 07 89 46 0C B0 0B
89 F3 8D 4E 08 31 D2 CD
80 E8 E4 FF FF FF / b
i n / s h \0 arg 2
arg 2 arg 2
20
Shell Code
EB 17 5E 89 76 08 31 C0
88 46 07 89 46 0C B0 0B
89 F3 8D 4E 08 31 D2 CD
80 E8 E4 FF FF FF / b
i n / s h \0 arg 2
arg 2 arg 2 return
address
21
Thicker Armor

• Defense against stack-smashing attacks
• Bounds-checking
• Protection libraries
• Non-executable stack
• setuid()/chroot()
• Avoid running programs as root!
• Address randomization
• Behavioral monitoring

22
More Info

• Smashing the Stack for Fun and Profit
• by Aleph One
• StackGuard, RAD, PAX, ASLR
• CERT

23
Format String Attacks

• Another way to illegally control program values
• Uses flaws in the design of printf()
• printf( s d , s, x )

24
printf() Operation

• printf( s d, x, s, x, y )

Return address

y
x
s
Format pointer


25
On to the Attack

• foo()
• char str100
• ...
• printf(str)
• ...

Intended printf(s, str)
26
Read Any Address
printf(str)

Secret value




Format pointer


if str xxxxs
27
Write to Any Address
printf(str)

Return address




Format pointer


4
if str xxxxn
28
Defenses

• Never use printf() without a format string!
• FormatGuard

29
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

30
Piggybacking

• Malicious code injected into benign program or
  data
• Host file can be
• An executable
• A document with some executable content

31
Piggybacking Executables

• Modify program on disk

jmp evil_code

• Variations
• Jump to malicious code only on certain actions
• Spread malicious code throughout program

32
Piggybacking Documents

• Documents with macros
• Microsoft Office supports documents with macros
  scripted in Visual Basic (VBA)
• Macro triggered on
• Open
• Close
• Save
• Email

33
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

34
? Payload

• Target the interesting data
• Passwords
• Financial data
• User behavior
• User attention

• Keylogger
• Screen scraper
• Spyware
• Adware

35
More Payload Ideas

• Victim machines pawns in large attack
• Botnets
• Distributed denial of service (DDoS)
• Spam proxies
• Anonymous FTP sites
• IRC servers

36
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

37
? Spreading Methods

• Depends on the attack vector
• Email-based
• gt need email addresses
• Vulnerability-based
• gt need IP addresses of hosts with vulnerable
  service
• Piggybacking
• gt need more files to infect

38
Spreading through Email
Internet
Malware
39
Types of Malicious Code
McGraw and Morrisett Attacking malicious code A
report to the Infosec Research Council
Sept./Oct. 2000.

• Virus
• Self-replicating, infects programs and documents
• e.g. Chernobyl/CIH, Melissa, Elkern
• Worm
• Self-replicator, spreads across a network
• e.g. ILoveYou, Code Red, B(e)agle, Witty

40
Types of Malicious Code

• Trojan
• Malware hidden inside useful programs
• e.g. NoUpdate, KillAV, Bookmarker
• Backdoor
• Tool allowing unauthorized remote access
• e.g. BackOrifice, SdBot, Subseven

41
Types of Malicious Code

• Spyware
• Secretly monitors system activity
• e.g. ISpynow, KeyLoggerPro, Look2me
• Adware
• Monitors user activity for advertising purposes
• e.g. WildTangent, Gator, BargainBuddy

42
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies Sobig
• Defenses

43
The Sobig Worm

• Mass-mailing, network-aware worm
• Multi-stage update capabilities

Launch Deactivation
Sobig.A 9 Jan. 2003 -
Sobig.B 18 May 2003 31 May 2003
Sobig.C 31 May 2003 8 June 2003
Sobig.D 18 June 2003 2 July 2003
Sobig.E 25 June 2003 14 July 2003
Sobig.F 18 Aug 2003 10 Sept 2003
44
Sobig Attack Vector

• E-mail
• Network shares

From Subject
big_at_boss.com
support_at_microsoft.com
bill_at_microsoft.com
admin_at_support.com
support_at_yahoo.com

• Compressed executable attachment with renamed
  extension.
• Later attachment in ZIP file.

45
Sobig Payload

• 1st stage
• Backdoor (Lala)
• keylogger
• 2nd stage
• Proxy (WinGate)

Geocities web page
Trojan web server
46
Sobig Payload
1
...
22
Hacked DSL/cable hosts
Trojan web server
47
Sobig Spreading Algorithm

• E-mail addresses extracted from files on disk
• Network shares automatically discovered

48
Sobig.F in Numbers
Courtesy of MessageLabs.com
August 19 20
21 22
23
49
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies Sobig, Blaster
• Defenses

50
The Blaster Worm

• Multi-stage worm exploiting Windows vulnerability

2003 July 2003 July 2003 July 2003 July 2003 July 2003 July 2003 July 2003 July 2003 July 2003 July 2003 July August August August August August August August August August August August August August August August
16 16 17 17 25 25 31 31 11 11 13 13 15 15 17 17 19 19


Metasploit refined exploit
Scandinavian bank closes all 70 branches
CERT advisory
LSD Research exploit released
FRB Atlanta, MD DMV, BMW
Microsoft releases patch
Blaster appears
1.2 million hosts infected
51
Blaster Attack Vector

• Uses Microsoft Windows RPC DCOM vulnerability
• Coding flaw
• The RPC service passes part of the request to
  function GetMachineName()
• GetMachineName() copies machine name to a fixed
  32-byte buffer

52
Blaster Attack Vector
53
Blaster Payload

• Worm installs itself to start automatically
• All infected hosts perform DDoS against
  windowsupdate.com
• SYN flood attack with spoofed source IP
• Aug 15 -gt Dec 31 and after the 15th of all other
  months

54
Blaster Effect on Local Host

• RPC/DCOM disabled
• Inability to cut/paste
• Inability to move icons
• Add/Remove Programs list empty
• DLL errors in most Microsoft Office programs
• Generally slow, or unresponsive system performance

55
Blaster Spreading Algorithm

• Build address list
• 40 chance to start with local IP address
• 60 chance to generate random IP address
• Probe 20 IPs at a time
• Exploit type
• 80 Windows XP
• 20 Windows 2000

56
Blaster Infection Rate
57
Outline

• Attack Vectors
• Social Engineering
• Vulnerability Exploitation
• Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
• Defenses

58
Short History of Malicious CodeAncient Times

• 1981 First virus in the wild
• Apple II virus Elk Cloner
• 1983 Term computer virus appears
• Coined by Fred Cohen
• 1986 First IBM PC virus
• Brain virus
• 1988 First anti-virus program
• Detects, removes, and immunizes against the
  Brain virus

59
Short History of Malicious CodeAncient Times

• 1988 First true worm
• Morris worm
• 1989 First slow infector
• Dark Avenger virus
• 1989 Full stealth infector
• Frodo virus

60
Short History of Malicious CodeMiddle Ages

• 1990 Boom in the anti-virus market
• IBM, McAfee, Digital Dispatch, Iris,
• 1991(?) First polymorphic virus
• Chameleon virus
• 1992 First viral construction set
• VCL 1.00 Virus Creation Laboratory
• 1992 First mass media scare
• Michaelangelo virus
• Anti-virus software sales soar

61
Polymorphic Viruses

• Encrypted virus body
• morphed decryption routine

62
Short History of Malicious CodeRenaissance

• 1992 First polymorphic generator
• MtE mutation engine
• 1992 First virus for Windows
• 1993 First 100 polymorphic virus
• Bootache virus
• 1993 First script-kiddie wannabes
• Enabled by scriptable virus generators
• Phalcon/Skism Mass-Produced Code generator

63
Short History of Malicious CodeModern Times 1

• 1995 First macro virus
• Concept MS Word macro virus
• 1996 First macro virus construction set
• 1996 First Excel macro virus
• Laroux macro virus
• 1997 First Linux virus
• Linux Bliss virus
• 1997 First mIRC worm

64
Short History of Malicious CodeModern Times 2

• 1998 First MS Access macro virus
• AccessiV virus
• 1998 First Win32 polymorphic virus
• Win95.HPS and Win95.Marburg viruses
• 1998 Chernobyl (CIH) virus epidemic
• CIH can erase Flash BIOS
• Thousands of computers infected
• 1998 First version of BackOrifice
• Widely-used remote management trojan

65
Short History of Malicious CodePost-Modern
Times 1

• 1998 First virus to infect Java class files
• Java.StrangeBrew virus
• 1999 First macro virus to spread through e-mail
• Melissa macro virus
• 2000 I Love You macro virus
• Spread automatically through e-mail
• 2001 Code Red worm (I II)

66
Short History of Malicious CodePost-Modern
Times 2

• 2001 Sircam worm
• Spreads through e-mail and network shares
• 2001 Nimda worm
• Spreads through backdoors left by Code Red II,
  e-mail, network shares
• 2002 Klez worm
• Carries and deploys a virus called Elkern
• 2003 SQL Slammer worm
• Fastest infection rate ever

67
z0mbie-6.b Metamorphic

• Metamorphic viruses
• Morph the whole virus body

Virus
Program
68
z0mbie-6.b Code Integration

• Integration of virus and program
• e.g. Mistfall Virus Engine

Program

• Mistfall Virus Engine
• Parse program to infect
• Insert code where necessary
• Fix code and data references
• Rebuild new executable from old program infected
  with virus body

69
Future Threat Superworm

• Curious Yellow the First Coordinated Worm
  Design Brandon Wiley
• Fast replication adaptability
• Pre-scan the network for targets
• Worm instances communicate to coordinate
  infection process
• Attack vectors can be updated
• Worm code mutates

70
Conclusions

• Vulnerabilities left unpatched can and will be
  used against you.
• Attackers are more sophisticated.
• Understand the attackers perspective.

71
Malicious Codefor Fun and Profit

• Mihai Christodorescu
• ltmihai_at_cs.wisc.edugt