Goals

Viruses and Worms o Introduction to taxonomy o Appreciating the evolution of viruses Encryption, polymorphism, metamorphism o General Anti-Virus (AV) detection techniques

Thrursday, November 20, 2014 o Understanding the arms race between virus writers Sources: see final slide and anti-virus detectors. o Appreciate that: if you take your time, use a few patterns, and use many levels of indirection, you are very hard to beat CS342 Computer Security

Department of Computer Science Wellesley College

Viruses and Worms 22-2

TypeMalware TaxonomyCharacteristics Malware (MALicious softWARE) Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware. o A generic term increasingly being used to describe any form of Worm Self-replicating code that spreads across a network. malicious software like: Usually does not require human interaction to spread. Rabbit Virus or worm that multiplies without bound viruses, worms, Trojan horses, , , Disguises itself as a useful program while masking malicious mobile code, backdoors, dialers, hidden malicious purpose. o Combinations are common /Trapdoor Bypasses normal security controls to give attacker access User-level Replaces or modifies executable programs used by system administrators and Some malware are actually combinations of more basic malware users (e.g., a rootkit can be viewed as Trojan horse backdoor tool) Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors o Broadly classified according to: Spyware Monitors user interaction and collects information (e.g., via keylogger) • Infection technique: how does it propagate? Logic Bomb Dormant malicious code triggered by date or event. • Impact on target: what does it do? Easter Egg Cute but harmless behavior triggered by special input. Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. • Type of exploited vulnerability: How (by violating which Typically written in Javascript, VBScript, Java, or ActiveX assumption) did it get in? Combination Malware Combines techniques to increase effectiveness

Viruses and Worms 22-3 Viruses and Worms 22-4 Malware evolution Virus Basics Themes: o Frederick B. Cohens definition: o Increasing complexity/sophistication o Acceleration of rate of A virus is a program that can infect other programs by tool/technique release o Movement from viruses -> worms modifying them to include a, possibly evolved, version of itself. -> kernel level exploits o Virus = code that attaches itself to host programs and runs when host program executes. Running the host program usually requires user intervention.

o Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs.

• Self-replicating mutating code is a cornerstone of artificial life research.

o A virus needs a target location method to find other hosts.

Figure from Skoudis Malware, p.16. o A running virus may also execute a payload = mischievous or malicious action.

Viruses and Worms 22-5 Viruses and Worms 22-6

Highly Destructive Malicious Viruses How do Viruses Spread?

o Delete all/many files. Infected program Uninfected program owned by user 1 owned by user 2 Michelangelo virus deleted a partition on Michelangelo s birthday. o Consume resources (processor, memory, bandwidth …) virus v ⇒ denial of service.

o Such viruses can have trouble spreading. Why is Ebola relatively uncommon in apes/humans (at least until User 2 simply executes user 1s infected program. 2014 …) Unlike buffer overflow, setuid not necessary!

Infected program Infected program owned by user 1 owned by user 2

virus v virus v

Viruses and Worms 22-7 Viruses and Worms 22-8 Somewhat Destructive Malicious Viruses Nondestructive Viruses

o Install backdoors for botnots, other attacks. Many viruses spread without doing damage, but can still be o Data-diddling: modify one bit of randomly selected file, swap digits annoying or do accidental damage. in phone numbers, spreadsheets, etc. (hard to track to virus). o Elk Cloner: first microcomputer virus (Apple II) displayed poem: o Wazzu virus: randomly scramble words and insert wazzu ELK CLONER: o Typo virus: introduce typing errors for fast typists. o Random deletion: delete randomly chosen file not recently THE PROGRAM WITH A PERSONALITY

accessed. IT WILL GET ON ALL YOUR DISKS o Protection changing: change ownership and protection bits on files. IT WILL INFILTRATE YOUR CHIPS YES ITS CLONER o Executive error virus: underling installs virus that makes IT WILL STICK TO YOU LIKE GLUE supervisor incompetent. IT WILL MODIFY RAM TOO SEND IN THE CLONER o Covert channel virus: in confidentiality lattice, unclassified user introduces virus to copy secret information through covert o Marburg virus: drew random icons on desktop. channel. o Spanska virus: displayed animations o Ken Thompson, Reflections on Trusting Trust: insert login Trojan into C compiler object code that cant be detected in source! o Haiku virus displayed randomly generated haiku.

Viruses and Worms 22-9 Viruses and Worms 22-10

Benevolent Viruses Viruses Infection Techniques o Overwriting The payload of a virus can do good as well as bad. E.g. • Overwrite host program, changing behavior (easy to discover) o Antivirus virus: good virus that deletes bad viruses. • Typically overwrite beginning, but can overwrite later (in which case virus may not be executed). o Compression virus: automatically compress files to save space (but theres a time/space tradeoff). o Appending • Add virus code to end of program, and jump to virus. o Maintenance virus: install system updates, clean up undeleted temporary files, reset incorrect protection bits, defragment disk, • Typically virus jumps back to program to evade detection. etc. o Prepending o Distributed database virus: make copies of information across • Add virus code to front of host program. multiple machines and modify old copies to be consistent with • Parastic virus: variant that overwrites start of program, but moves recent changes. starting code later. Ethical questions: o Cavity Virus • Squirreled away in holes in program o Is it OK to distributed good viruses? • doesnt change program size o What if good virus goes has unexpected bad consequences – e.g., o Compressing Virus accidentally consumes lots of resources. o Compresses program and inserts self so as not to change program size. Viruses and Worms 22-11 Viruses and Worms 22-12

Viruses Propagation Methods Virus Propagation Vectors

o Insert a copy into every executable (.COM, .EXE) o Removable storage

o Insert a copy into boot sectors of disks • Floppies, writable CDs/DVDs, USB flash drives

• Stoned virus infected PCs booted from infected floppies, o Email Attachments stayed in memory and infected every floppy inserted into PC • Can contain executable parts

o Infect TSR (terminate-and-stay-resident) routines o Downloads

• By infecting a common OS routine, a virus can always stay in o Shared Directories memory and infect all disks, executables, etc. Multi-user systems, networked file system (e.g., puma), o Infect macros in documents/spreadsheets, etc. peer-to-peer (P2P) networks • A virus in MS Word Normal.dot file can infect all documents.

o Infect shell scripts and other source code.

Viruses and Worms 22-13 Viruses and Worms 22-14

Basic Anti-Virus (AV) Techniques Signature-Based Scanning o Signature-based detection • signature = pattern/fingerprint matching virus • AV engine checks files against database of signatures to (1) identify o Hex strings from virus variants and (2) disinfect file containing virus, • 67 33 74 20 73 38 6D 35 20 76 37 61 • On-demand scanning (user explicitly requests) vs. on-access scanning (done every time a file is opened, modified, and/or closed). • 67 36 74 20 73 32 6D 37 20 76 38 61 • Need to update signature database frequently • 67 39 74 20 73 37 6D 33 20 76 36 61 o Heuristic detection • Check program for virus-like behavior (access boot sector, find all o Hex string for detecting virus files in current directory, write to .EXE file, delete files) • Emulate behavior before executing or execute in sandbox. • 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 • o Integrity checking ?? = wildcard • Record file fingerprints (sizes, checksums, hashes) in pristine system and check later (e.g. Tripwire). • Used by some AV scanners to avoid more detailed scanning • Must store fingerprints carefully! Viruses and Worms 22-15 Viruses and Worms 22-16 Anti-Virus Problems Arms Race between Virus Writers/Detectors o False Positives: one version of McAfee flagged Excel! o Encrypted virus: virus consists of a constant decryptor, a key (that o False Negatives: fail to detect malware changes between copies), and the encrypted virus body.

o Long detection times slows down machines • Detector finds decryptor and key & uses it to decrypt/identify virus o Oligomorphic virus: mutate decryptor slightly by using o Developing signatures/keeping databases current: > 100K new viruses/week! several decryptors or build decryptors out of simple patterns.

o What to do when virus detected: Delete vs. quarantine o Polymorphic virus: mutate decryptors into millions of forms via obfuscation techniques (reordering and junk instructions), but keep o Vendors focus on big clients, not individual users (unencrypted) body same o Bad guys can disable/intercept AV scans o Metamorphic virus: mutate virus bodies via obfuscation techniques, • turn off AV scans but keep functionality • make infected file appear normal to AV detector o shuffle registers • block access to AV websites/downloads/updates o reorder instructions o Arms race o insert junk instructions • Bad guys test new viruses against AV o change source code and recompile • Stealth techniques for hiding/changing viruses Viruses and Worms 22-17 Viruses and Worms 22-18

Benign Code Can be Encrypted/Obfuscated Detecting Oligomorphic/Polymorphic Viruses

Q: Why not just flag all encrypted/obfuscated code as viruses? 1. Run suspect program in an emulator A: Because these techniques are commonly used in benign code to 2. Wait until it decrypts protect intellectual property by complicating reverse engineering. 3. Decrypted code will be identical for various copies Especially used in cases where code otherwise easy to inspect: 4. Use signature scanning on decrypted virus body • machine code

• virtual machine code (e.g., JVM, .NET)

• HTML

• Javascript

• Source code of interpreted languages (Python, PERL, shell scripts, etc.)

Viruses and Worms 22-19 Viruses and Worms 22-20 Virus Detection by Emulation Detecting Polymorphic Viruses: Challenges

o Determining when decryption is complete. Randomly generates a new key Decrypt and execute and corresponding decryptor code o Doesnt work very well against viruses not located near beginning Mutation A of infected executable.

Virus body o Some viruses use random code block insertion or insert millions of NOPs at the entry point prior to the main virus body.

Mutation B • Emulator executes code for a while, does not see virus body and decides the code is benign. When main virus body is finally executed, virus propagates

Mutation C o Decryptor may be able to determine whether it’s running in an emulator and behave differently in this case.

To detect an unknown mutation of a known virus , emulate CPU execution of until the current sequence of instruction opcodes matches the known sequence for virus body

Viruses and Worms 22-21 Viruses and Worms 22-22

Metamorphic Viruses Metamorphic Virus [Szor, 2001]

o Obvious next step: mutate the virus body, too!

o Virus can carry its source code (which deliberately contains some o An early generation useless junk) and recompile itself c7060F000055 mov dword ptr [esi], 550000Fh • Apparition virus (Win32) c746048BBC5151 mov dword ptr [esi+0004], 5151BCBBh • Virus first looks for an installed compiler (Unix machines have C compilers installed by default) o A later generation • Virus changes junk in its source and recompiles itself • New binary mutation looks completely different! BF0F000055 mov edi, 550000Fh 893E mov [esi], edi o Many macro and script viruses evolve and mutate their code 5F pop edi 52 push edx • Macros/scripts are usually interpreted, not compiled B640 mov dh, 40 BA8BEC5151 mov edx, 5151EC8Bh 53 push ebx 8BDA mov ebx, ebx 895E04 mov [esi+0004], ebx

Viruses and Worms 22-23 Viruses and Worms 22-24 Metamorphic Mutation Techniques Example of Zperm Mutation

o Same code, different register names

• Regswap (Win32)

o Same code, different subroutine order

• BadBoy (DOS), Ghost (Win32)

• If n subroutines, then n! possible mutations

o Decrypt virus body instruction by instruction, push instructions Hunting for Metamorphic at www.symantec.com/avcenter/reference/ on stack, insert and remove jumps, rebuild body on stack hunting.for.metamorphic.pdf • Zmorph (Win95) o Body makeup not constant • Can be detected by emulation because the rebuilt body has a o Detect by running suspect program in an emulator and analyze constant instruction sequence behaviour while running o Can also disassemble and look for virus-like instructions ! Hard problem!

Viruses and Worms 22-25 Viruses and Worms 22-26

Mutation Engines Virus-Specific Detection

o Real Permutating Engine/RPME (introduced in Zperm virus), o Many viruses cant be detected by simple scanning. Instead, need ADMutate, many others more complex analysis and/or emulation.

o Employ a large set of obfuscating techniques o AV software includes programs written in virus detection languages • Instructions are reordered, branch conditions reversed for detecting specific viruses. • Jumps and NOPs inserted in random places o Special-case detection is time-consuming, so rely on filtering to • Garbage opcodes inserted in unreachable code areas identify cases where it s likely to be productive. • Instruction sequences replaced with other instructions that have the same effect, but different opcodes • SUB EAX, EAX ⇒ XOR EAX, EAX • PUSH EBP; MOV EBP, ESP ⇒ PUSH EBP; PUSH ESP; POP EBP

o There is no constant, recognizable virus body!

Viruses and Worms 22-27 Viruses and Worms 22-28 How Hard Is It to Write a Virus? Worms vs. Viruses

o Can be challenging to write a virus from scratch o Both are self-replicating programs (just ask Audrey Kao & Era Vuksani from CS342 Fall ‘10!) o Worms are (usually) self-contained; viruses attach to a host o In practice, study and modify existing viruses. program

o Many virus construction kits available. o Worms are (usually) self-activating; viruses require human intervention to spread. • AV vendors familiar with such kits and defend against the kinds of viruses they create. o Worms spread via networks; viruses can, too, but can also spread via other means.

o Worms offer a scale of propagation (in terms of speed, number of hosts infected, potential for damage) not easily achieved by other mechanisms. They are the tool of choice for recruiting computers.

o One copy of a worm is called a segment or node.

Viruses and Worms 22-29 Viruses and Worms 22-30

Worm Components Worms: Target Selection & Scanning Exploit to get in to the target – e.g., password guessing & cracking, buffer overflow, file shares, picture from automatically executed email attachments, Skoudis, p. 79. misconfigurations, etc.

Implements specific actions on behalf of attacker on the target: install backdoor, DDOS agent, o steal info, Goal: Find new targets to attack Pull rest of worm code Select target addresses use computrons into target via FTP, o Common techniques: of next victims Scan targets and and storage, etc. HTTP, etc. (sometimes infect vulnerable • Statistical: Scan 'random' IP addresses already contained in targets warhead) • Topological: Use information on infected hosts, e.g., machines with same IP prefix, email address list, Other components in some worms: .rhosts file, network neighborhood, ... • Intelligence to locate other worm segments. o Scan targets to see which are uninfected: • Communication with other worm segments avoid double infections! • Control of other worm segments Viruses and Worms 22-31 Viruses and Worms 22-32 Worm History, Part 1 Worm History, Part 2

Name Date Notes Name Date Notes Nimda Sep 2001 Multiexploit worm with 12 spreading mechanisms released Creeper 1971 Program designed to move across a network of air soon after 9/11. Became most widespread worm in 22 traffic control systems minutes. Xerox PARC worms 1982 Shoch & Hupp distributed computation experiments Klez Jan 2002 Mildly polymorphic (randomized email subject lines Morris Worm Nov. 1988 Disabled early by infecting Unix hosts and attachment types); tried to disable antivirus Slapper Sep 2002 Spread via Apcher SSL flaw; built massive DDOS P2P Melissa Mar. 1999 MS word spread via Outlook email network I Love You May 2000 VBScript worm spread via Outlook email with I Love Slammer Jan 2003 Small worm spreading in a matter of minutes via flaw in MS (Love Bug) You title, appeared to be from friends (spread by SQL Server database email address list), used default enabling of until- Blaster 2003 Launched denial of service against Windows Update. that-time little known scripting engine. Infected 50 Included message "billy gates why do you make this millions users. possible? Stop making money and fix your software!!" Ramen Jan 2001 Linux worm exploiting 3 buffer overflows, modified Sasser 2004 Exploited buffer overflow on vulnerable network ports. default web page to say Hackers loooove noodles Disrupted satellite communications, airline flights, X-ray Code Red Jul 2001 Infected >350K Windows IIS servers in 13 hours machines. with goal of packet flood against whitehouse.gov. Storm 2007 Spread by email attachment to create huge . Conficker 2008-10 Created worldwide infrastructure for as-yet unknown purpose: maybe cybercrime botnet? Stuxnet 2010 Exploited 4 zero-day Windows bugs to disrupt large-scale industrial control systems. Viruses and Worms 22-33 Viruses and Worms 22-34

Morris (or Cornell or Unix) How it entered (multiple means) Worm (1988) o Send mail in debug mode (as released in SunOS) allowed connections to spawn a shell. o Robert Tappan Morris, Jr. o fingerd (VAX systems) buffer overflow to spawn shell • 23 years old, Cornell grad student, father worked at the NSA • He asked himself: I wonder how large the Internet is?“ o In shell, compiled & executed C program to download rest of worm program o Wrote a self-propagating program as a test concept • Exploited Unix vulnerabilities in sendmail and fingerd o r-services (no-password access to other machines) • Released at MIT • rexec • Bug in the worm caused it to go haywire – it was not planned to wreak • rsh havoc o The first worm that propagated using the Internet • Internet was designed with functionality in mind!

o Details on following slides from Eichin/Rochlis With Microscope and Tweezers paper Viruses and Worms 22-35 Viruses and Worms 22-36 Whom it attacked: Systems affected o accounts with obvious passwords: o SUN and VAX

• none at all o Gained hostnames and account names through:

• the user name (once and appended to itself) • /etc/hosts.equiv • /.rhosts • the “nickname” • .forward • last name (both spelled forwards and backwards) • .rhosts • passwords from a 432 word included dictionary • routing tables

• serial P2P links • used the words from /usr/dict/words as passwd • randomly guessed first-hop addresses o trusted accounts through .rhosts

Viruses and Worms 22-37 Viruses and Worms 22-38

Covering Tracks Example modern worm: Code Red (2001)

o Erased argument list so could not tell how it was invoked o Worm probed random IP addresses and infected Microsoft Internet Information Services (IIS) web server with buffer overflow

o Deleted binary after use vulnerability.

o Used resource limit functions to prevent a core dump o Defaced English websites hosted on server with message: o Named itself “sh” to avoid suspicion Welcome to http://www.worm.com! Hacked by Chinese!

o Refreshed itself by forking about every 3 minutes o On July 19 over 359,000 hosts infected in 13-hour period • over 2,000 hosts infected per minute at peak o Constant strings obscured by XORing • at 5:00 pm, worm attempted DoS attack against 198.137.240.91 (www.whitehouse.gov) • For details, see Moore & Shannon http://www.caida.org/research/security/code-red/coderedv2_analysis.xml

o Estimated 975,000 servers infected by end of August with losses of $2.4 billion – Computer Economics

o Shut down Japan Airline computer affecting ticketing & check-in, delaying 55 flights and 15,000 passengers 1-2 hours

Viruses and Worms 22-39 Viruses and Worms 22-40 Spread of Code Red Worm 19 Hours Later

July 19 01:05:00 2001 July 19 20:15:00 2001 Viruses and Worms 22-41 Viruses and Worms 22-42

Vulnerabilities spawn Exploits Vulnerability and exploit portals

Example: Code Red o Mitres CVE (Common Vulnerabilities and Exposures) • June 18, 2001 Eeye Digital Security discloses vulnerability in http://cve.mitre.org Microsoft IIS web server o News http://www.security-update.com • June 18, 2001 Microsoft issues alert, patch Updated ever hour, variety of sources • June 19, 2001 CERT® Advisory CA-2001-13 Buffer Overflow In IIS

• July 12, 2001 Code Red v. 1 is released ! Vendors sites have sometimes very good vulnerability info • July 19, 2001 Code Red v.2 is released

• August 4, 2001 Code Red II is released

• Sept. 18, 2001 Nimda is released

Viruses and Worms 22-43 Viruses and Worms 22-44 Code Red: Scanning technique Code Red: Analytical model 2,500

2,000 o Simplifying assumptions:

1,500 Saturation • No patching • No firewalls 1,000

attacking LBNL attacking o Infection rate is

Distinct remote hosts Distinctremote 500 proportional to 0 • # hosts already infected 0 50 100 150 • # hosts not infected, but Days since Sept. 20, 2001 susceptible

o Code Red I: 99 threads scan for vulnerable IIS installations, o Result: Logistic equation using random number generator Infected fraction o Well known for epidemics in K⋅(t−T ) da e finite systems o Worm deactivated itself after a few days, but was designed = K ⋅a ⋅(1− a) a = to reactivate every month dt 1+ eK (t−T ) Initial compromise rate

Viruses and Worms 22-45 Viruses and Worms 22-46

Improvements: Localized scanning Improvements: Multi-vector o Idea: Use multiple Onset of Nimda propagation methods o Observation: Density of vulnerable hosts in simultaneously IP address space is not uniform o Example: Morris worm o Idea: Bias scanning towards local network 1/2 hour • fingerd attack o Used in CodeRed II • sendmail DEBUG cmd • P=0.50: Choose address from local class-A network (/8) • rhosts files • P=0.38: Choose address from local class-B network (/16) • Password cracking • P=0.12: Choose random address o Example: Nimda • o Allows worm to spread more quickly IIS vulnerability (both

(only confirmed Nimda attacks) attacks) Nimda confirmed (only server and client!)

HTTP connections/second seenLBNL at HTTP • Autoexec code in Outlook email

Time (PDT) 18 September, 2001 • Windows file sharing • Code Red II backdoor Viruses and Worms 22-47 Viruses and Worms 22-48 Improvements: Hit-list scanning Improvements: Permutation scanning

H0 H4 H1 H3 H1 (Restart) H2 o Problem: Spread is slow during initial phase

o Idea: Collect a list of promising targets before worm is released o Problem: Many addresses are scanned multiple times • Low-profile 'stealthy' scan o Idea: Generate random permutation of all IP addresses • Distributed scan shared by all worm instances. • Spider/crawler • Hit-list hosts scan permutation list in order starting at their • Surveys or databases own position in the permutation. • Attacks from other worms • When an infected host is found, restart at a random point. o Low overhead, since list • Efficiently explores IP address list. shrinks quickly o Can be combined with divide-and-conquer approach

Viruses and Worms 22-49 Viruses and Worms 22-50

Flash worms Warhol worms o Worm using both hit-list o A flash worm would start with a hit list that contains most/ "In the future, everyone will have and permutation scanning all vulnerable hosts 15 minutes of fame" could infect most o Realistic scenario: -- Andy Warhol vulnerable targets in about 15 minutes. o Complete advance scan takes 2h with an OC-12 (high-speed network link) o Simulation: Compare o Internet warfare? • 10 scans/second (Code Red) o Problem: Size of the hit list • 100 scans/second • 9 million hosts ⇒ 36 MB • 100 scans/second plus 10,000 entry hit list • Compression works: 7.5MB Number of Instances Instances ofNumber (Warhol worm) • Can be sent over a 256kbps DSL link in 3 seconds Time (hours) o Extremely fast: • Full infection in tens of seconds!

Viruses and Worms 22-51 Viruses and Worms 22-52 Surreptitious worms Conficker o Discovered Nov. 2008. Also known as Downadup, Kido. o Idea: Hide worms in o Early spread through exploit of MS network service vulnerability in port inconspicuous traffic to avoid 445 (RPC for printing & file sharing). Also spread via removable media & file detection sharing.

o Example: HTTP o Small code: only 35 KB. o Repairs vulnerability it used to access machine, so less competition with o Leverage P2P systems? other worms. • High node degree o Self-destructed on Ukranian IP addresses. • Lots of traffic to hide in o Tries to prevent security updates and disable system restore points. • Proprietary protocols o Has created botnet thought to control > 7M govt, home, business computers • Homogeneous software in 200 countries. • Immense size

Viruses and Worms 22-53 Viruses and Worms 22-54

Bowden’s The Enemy Within (Atlantic, Jun 2010) Conficker Arms Race o Conficker phones home at regular intervals with small messages. o It [Conficker] has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not o Initially generated list of 250 new domain names over 5 top level benign. No one knows who created it. No one yet fully understands domains (TLDs) and contacted sequentially. Only needed to find how it works. No one knows how to stop it or kill it. And no one even controller at one. knows for sure why it exists. o Generation tied to network clock (harder for good guys to reset). o Conficker Cabal = good guys working to understand and stop Good guys used website proxy, and blocked sites in advance. Conficker. o Conficker B (Dec. 29, 2008): o The good guys have gone to unprecedented lengths, and have had o Generates domain names over 8 TLDs, making blocking more difficult successes beyond anything they would have thought possible when o Stops connections to Microsoft update they started. But a year and a half into the battle, heres the o Modified to spread via USB drives. bottom line: The worm is winning. o For communications with mother ship, used MD6 = Rivests proposal for SHA-3 (largely unknown outside very small community).

Viruses and Worms 22-55 Viruses and Worms 22-56 The Arms Race Continues Stuxnet o Conficker C (Feb, 2009) o Discovered June 2010. Found mainly in Iran. Targeting nuclear facilities? o Rivest finds and corrects bug in MD6. Bug corrected in next version of o Targets Sieman’s software for SCADA (supervisory control and data Conficker! acquisition) systems, which control power plants, factory machinery, etc. o Microsoft offers $250K for arrest & conviction of worm creators. Reprograms operation of particular motors in particular frequency range. o Conficker D (March, 2009): o Enters network via infected USB flash drive. Limits spread to no more than 3 machines to stay within targeted facility. o Generates up to 50K new domain names. Good guys cant register them all! o Exploits four zero-day (unknown to software developers) Windows bugs + o Old versions of Conficker updated with new version upon contacting bug exploited by Conficker. mother ship. o Elevates privilege to attack other local PCs, seeks out Sieman’s software, o Changed to P2P communication, so no longer needed to call mother ship. and uses default passwords to access it. Makes it much harder for good guys to track! o Attack code signed by stolen digital certificates to seem legitimate. o Disables Windows Safe Mode. o Creating Stuxnet was big project: required wide range of expertise, access o April 1, 2009: distributes email spam malware. Seems like a bust, but good guys think its biding time. to hardware, many man-months/years. State sponsored? Israeli? o Kasperksy: "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world."

Viruses and Worms 22-57 Viruses and Worms 22-58

Ethical Worms? Worm Defenses

What about “ethical” (“white”, good) worms to combat the bad worms? o Anti-virus effective against some worms, but not fast-spreading ones Pros: o Harden systems

o Install patches more quickly than human or update tool • Install systems with secure configuration o Avoid human frailties in patch installation • Apply patches religiously o Could require opt-in to use • Track vulnerabilities via Bugtraq and other lists. Cons: • Develop security policies/processes o May inflict unintentional damage, especially if buggy o Some applications require security hole to work o Block arbitrary outbound connections from public machines to limit o Often need careful testing after patch installation worm spreading (many orgs. flter incoming connections but neglect outgoing ones). o Possible legal action for breaking systems o Using machine resources without permission is problematic o Egress antispoof filters o Establish incident response team

o Don’t play with worms!

Viruses and Worms 22-59 Viruses and Worms 22-60 Skoudis Prediction (2004) Resources (Viruses)

“ I strongly believe that a determined hacker will temporarily disable o Daniel Bilar, Intro To Malware, CS342 slides, Oct. 6, 2006 major portions of the Internet in the next five years. Using the worm o Frederick B. Cohen, A Short Course on Computer Viruses. John Wiley, techniques described throughout this chapter, an attacker sould write 1994. a worm that disables the Internet for a couple of days. o Ed Skoudis, Malware: Fighting Malicious Code. Pearson Edcation, 2004 ... o Sean Smith and John Marchesini, The Craft of System Security, I admit, this opinion is controversial, and I’d be happy to be wrong. Chapter 6: Implementation Security. ... o Peter Szor, The Art of Research and Defense. Addison Wesley, 2005. Based on where worms are heading, I frankly think we’re heading for a o John Viega, The Myths of Computer Security: What the Computer giant Internet snow day. The only down side of this whole snow storm Security Industry Doesnt Want you to Know. OReilly Media, 2009. analogy is that you and I are the folks who drive the snowplows of the o John Viega,Why Anti-Virus Sucks, and How to Fix It, Talk to computer world. Harvards Center for Research on Computation and Society (CRCS), Wed. Oct. 8, 2008 (see video of talk at http://crcs.seas.harvard.edu/2008/09/24/wednesday- october-8-2008-john-viega-on-tbd/

Viruses and Worms 22-61 Viruses and Worms 22-62

Resources (Worms)

o Daniel Bilar, Worms, CS342 slides, Oct. 17, 2006 o Mark Bowden, The Enemy Within. Atlantic, June 2010. http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/ 8098/ o Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November, 1988. Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy. http://www.mit.edu/people/eichin/virus/main.html o David Moore and Colleen Shannon, The Spread of the Code Red Worm (CRv2), http://www.caida.org/research/security/code-red/coderedv2_analysis.xml o Jerome Saltzer, Slammer: An Urgent Wake-up Call, Feb. 1, 2003, http://web.mit.edu/Saltzer/www/publications/Slammer.html o John Shoch and Jon Hupp, The Worm Programs – Early Experience with a Distributed Computation. Communications of the ACM, Mar. 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf o Ed Skoudis, Malware: Fighting Malicious Code, Prentice Hall, 2004 o Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, 2002. http://www.icir.org/vern/papers/cdc-usenix-sec02/ o Stuxnet Wikipedia article, http://en.wikipedia.org/wiki/Stuxnet Viruses and Worms 22-63