I 3YSTEMS��AND��)NTERNET I )NFRASTRUCTURE�3ECURITY
.ETWORK�AND�3ECURITY�2ESEARCH�#ENTER $EPARTMENT�OF�#OMPUTER�3CIENCE�AND�%NGINEERING 0ENNSYLVANIA�3TATE�5NIVERSITY �5NIVERSITY�0ARK��0!
CSE543 Computer and Network Security Module: Malware
Professor Trent Jaeger
CSE543 - Introduction to Computer and Network Security Page 1 1 Malware • Adversaries aim to get code running on your computer that performs tasks of their choosing ‣ This code is often called malware • Tw o main challenges for adversaries ‣ How do they get trick you into getting their malware onto your computer? ‣ How do they get their malware to run? • Other practical concerns of malware distribution ‣ Spread malware to as many systems as possible ‣ Hide malware execution ‣ Make malware difficult to remove
CMPSC443 - Introduction to Computer and Network Security Page 2 2 Viruses • Is an attack that modifies programs on your host • Approach 1. Download a program … 2. Run the program … 3. Searches for binaries and other code (firmware, boot sector) that it can modify … 4. Modifies these programs by adding code that the program will run
• What can an adversary do with this ability?
CMPSC443 - Introduction to Computer and Network Security Page 3 3 Viruses • How does it work? ‣ Modify the file executable format
CMPSC443 - Introduction to Computer and Network Security Page 4 4 Viruses • How does it work? ‣ Modify the file executable format • What types of modifications? ‣ Overwrite the “entry point” ‣ Add code anywhere and change “address of entry point” • Add a new section header • Patch into a section ‣ Add jump instruction to exploit • All these were well known by 90s
CMPSC443 - Introduction to Computer and Network Security Page 5 5 PE Format Header
CMPSC443 - Introduction to Computer and Network Security Page 6 6 Virus Infection • Keeping with the virus analogy, getting a virus to run on a computer system is called infecting the system ‣ How can an adversary infect another’s computer?
CMPSC443 - Introduction to Computer and Network Security Page 7 7 Virus Infection • Keeping with the virus analogy, getting a virus to run on a computer system is called infecting the system ‣ How can an adversary infect another’s computer? • Tricking users into downloading their malware ‣ Need to also trick the user into running the malware • Exploiting a vulnerable program to inject code ‣ By exploiting a running process, the malware can run directly
CMPSC443 - Introduction to Computer and Network Security Page 8 8 An Easier Way • Don’t really need to modify existing executable to download and run code on a remote computer ‣ Since the mid-90s systems have provided methods for you to get a remote system to run your code ‣ First, email attachments, then client-side scripts • Enabled by phishing attacks (more later) • In general, the idea is to get the user to run your code (in email or via web link) ‣ Either run directly ‣ Or exploit a vulnerability in the platform (e.g., browser)
CMPSC443 - Introduction to Computer and Network Security Page 9 9 Worms • A worm is a self-propagating program. • As relevant to this discussion 1. Exploits some vulnerability on a target host … 2. (often) embeds itself into a host … 3. Searches for other vulnerable hosts … 4. Goto (1)
• Q: Why do we care?
CMPSC443 - Introduction to Computer and Network Security Page 10 10 The Danger • What makes worms so dangerous is that infection grows at an exponential rate ‣ A simple model: • s (search) is the time it takes to find vulnerable host • i (infect) is the time is take to infect a host ‣ Assume that t=0 is the worm outbreak, the number of hosts infected at t=j is
2(j/(s+i))
‣ For example, if (s+i = 1), what is it at time j=32?
CMPSC443 - Introduction to Computer and Network Security Page 11 11 The result
5,000,000,000
4,500,000,000
4,000,000,000
3,500,000,000
3,000,000,000
2,500,000,000
2,000,000,000
1,500,000,000
1,000,000,000
500,000,000
0
CMPSC443 - Introduction to Computer and Network Security Page 12 12 The Morris Worm • Robert Morris, a 23 doctoral student from Cornell ‣ Wrote a small (99 line) program ‣ Launched on November 3rd, 1988 ‣ Simply disabled the Internet • How it did it ‣ Exploited a buffer overflow in the “finger” daemon ‣ Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that can be accessed without passwords ‣ Reads /etc/password to perform password cracking ‣ Scanned local interfaces for network information ‣ Covered its tracks (set is own process name to sh, prevented accurate cores, re-forked itself)
CMPSC443 - Introduction to Computer and Network Security Page 13 13 Code Red • Exploited a Microsoft IIS web-server vulnerability ‣ A vanilla buffer overflow (allows adversary to run code) ‣ Scans for vulnerabilities over random IP addresses ‣ Sometimes would deface the served website • July 16th, 2001 - outbreak ‣ CRv1- contained bad randomness (fixed IPs searched) ‣ CRv2 - fixed the randomness, • added DDOS of www.whitehouse.gov • Turned itself off and on (spread 1st-19th of month, attack 20-27th, dormant 28-31st) ‣ August 4 - Code Red II • Different code base, same exploit • Added local scanning (biased randomness to local IPs) • Killed itself in October of 2001
CMPSC443 - Introduction to Computer and Network Security Page 14 14 Worms and infection
• The effectiveness of a worm is determined by how good it is at identifying vulnerable machines ‣ Morris used local information at the host ‣ Code Red used what? • Multi-vector worms use lots of ways to infect ‣ E.g., network, email, drive by downloads, etc. ‣ Others’ backdoors… - another worm, Nimda did this • Lots of scanning strategies ‣ Signpost scanning (using local information, e.g., Morris) ‣ Random IP - good, but waste a lot of time scanning “dark” or unreachable addresses (e.g., Code Red) ‣ Permutation scanning - instance is given part of IP space • What is the fastest way to infect as many machines as possible?
CMPSC443 - Introduction to Computer and Network Security Page 15 15 Other scanning strategies
• The doomsday worm: a flash worm ‣ Create a hit list of all vulnerable hosts • Staniford et al. argue this is feasible • Would contain a 48MB list ‣ Do the infect and split approach
5,000,000,000
‣ Use a zero-day vulnerability 4,500,000,000
4,000,000,000
3,500,000,000
3,000,000,000
2,500,000,000
2,000,000,000
1,500,000,000
1,000,000,000
500,000,000
0
• Result: saturate the Internet is less than 30 seconds!
CMPSC443 - Introduction to Computer and Network Security Page 16 16 Worms: Defense Strategies
• (Network) Packet Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor ‣ This is the dominant method, sophisticated • (Network) Heterogeneity: use more than one vendor for your networks Network Shield Traffic Network Interface Operating System
• (Host) Patch Your Systems (auto): most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches) • Network and Host Intrusion Detection Systems (more later)
CMPSC443 - Introduction to Computer and Network Security Page 17 17 Modern Malware • Now malware has a whole other level of sophistication • Now we speak of … • Advanced Persistent Malware
CMPSC443 - Introduction to Computer and Network Security Page 18 18 Advanced • More like a software engineering approach • Growing demand for “reliable” malware • Want malware to feed into existing criminal enterprise • Online - criminals use online banking too • Malware ecosystem • Measuring Pay-per-Install: The Commoditization of Malware Distribution, USENIX 2011 • Tool kits • Sharing of exploit materials • Combine multiple attack methodologies • Not hard to find DIY kits for malware
CMPSC443 - Introduction to Computer and Network Security Page 19 19 Malware Lifecycle
CMPSC443 - Introduction to Computer and Network Security Page 20 20 Persistent • Malware writers are focused on specific task • Criminals willing to wait for gratification • Cyberwarfare • Low-and-slow • Can exfiltrate secrets at a slow rate, especially if you don't need them right away
• Plus can often evade or disable defenses
CMPSC443 - Introduction to Computer and Network Security Page 21 21 Threat • Coordinated effort to complete objective • Not just for kicks anymore • Well-funded • There is money to be made • … At least that is the perception
CMPSC443 - Introduction to Computer and Network Security Page 22 22 Threat • PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX 2012
GlavMed SpamIt RX-Promotion Product Orders Revenue Orders Revenue Orders Revenue
ED and Related 580K (73%) $55M (75%) 670K (79%) $70M (82%) 58K (72%) $5.3M (51%) Viagra 300K (38%) $28M (38%) 290K (34%) $31M (36%) 33K (41%) $2.7M (27%) Cialis 180K (23%) $19M (26%) 190K (22%) $23M (27%) 18K (22%) $1.9M (19%) Combo Packs 49K (6.1%) $3.9M (5.4%) 110K (14%) $8.4M (9.8%) 5100 (6.4%) $350K (3.4%) Levitra 32K (4.1%) $3.2M (4.4%) 35K (4.2%) $3.9M (4.5%) 1200 (1.5%) $150K (1.5%) Abuse Potential 48K (6.1%) $4.5M (6.1%) 64K (7.6%) $6.2M (7.3%) 11K (14%) $3.3M (32%) Painkillers 29K (3.7%) $2.4M (3.3%) 53K (6.3%) $4.7M (5.5%) 10K (13%) $3.0M (29%) Opiates — — — — 8000 (10%) $2.7M (26%) Soma/Ultram/Tramadol 20K (2.5%) $1.8M (2.4%) 46K (5.5%) $4.1M (4.8%) 1000 (1.3%) $150K (1.5%) Chronic Conditions 120K (15%) $9.5M (13%) 64K (7.6%) $5.2M (6.1%) 8500 (11%) $1.3M (13%) Mental Health 23K (2.9%) $2.1M (2.9%) 16K (1.9%) $1.4M (1.7%) 6000 (7.4%) $1.1M (11%) Antibiotics 25K (3.2%) $2.1M (2.9%) 16K (1.9%) $1.4M (1.6%) 1300 (1.6%) $97K (0.9%) Heart and Related 12K (1.5%) $770K (1.1%) 9700 (1.2%) $630K (0.7%) 390 (0.5%) $35K (0.3%) Uncategorized 48K (6.0%) $4.0M (5.5%) 47K (5.6%) $3.9M (4.6%) 2400 (3.0%) $430K (4.2%)
Table 2: Product popularity in each of the three programs. Product groupings and categories are in italics; individual brands are without italics. Opiates are a further subcategory of Painkillers, and include Oxycodone, Hydrocodone, Vicodin, and Percocet.
RX-Promotion, they account for nearly a third of pro- tive health products (peak 25–30).12 Mental health and gram revenue, with the Schedule-II opiates—only avail- pain/inflammation products are roughly equally popular able at RX-Promotion—accounting for a quarter of rev- for men and women, with an older age bias for men. enue. Indeed, during the period when RX-Promotion had In contrast to GlavMed, just a few categories predomi- working credit card processing for controlled meds, sales nate for SpamIt in Figure 5(b): pain/inflammation, infec- of Schedule II, III and IV drugs produced 48% of all rev- tion, and mental health for both men and women, male enue! The fact that such drugs are over-represented in re- enhancement for men. Other categories more popular in CMPSC443 - Introduction to Computerpeat orders and as Network well (roughly Security 50% more prevalent in both GlavMed, such as acne and male pattern baldness, are Page 23 RX-Promotion and, for drugs like Soma and Tramdol, in smaller. One explanation is that the differences in prod- SpamIt) reinforces the hypothesis that abuse may be a 23uct popularity correlates with the vector used to adver- substantial driver for this component of demand. tise the different affiliate programs. Since GlavMed is more likely to be involved in search engine optimiza- 5.1.4 Demographics tion (SEO) oriented advertising, they have an opportu- nity to target narrower markets (e.g., by manipulating Although ED drugs account for the majority of business search results for keywords correlated with specific prod- for affiliate programs, focusing on the remaining prod- uct categories). By contrast, spam is an indiscriminate ucts reveals remarkably pronounced age and sex trends advertising medium and customers clicking on spam- among customers. advertised links are predominantly taken to storefronts Focusing on customers reporting age and sex infor- advertising ED products. Thus, for these customers to mation, Figure 5 shows the percentage of all items or- buy other products would require additional initiative to dered as a function of age, sex, and detailed product cat- search within the site. egory for GlavMed and SpamIt (excluding ED products, as they would overwhelm the graph). The left half of 5.1.5 Geography each graph shows results for women, and the right half shows results for men. The y-axis is the self-reported age While both affiliate programs are located in Russia, most of customers, and the x-axis is the percent of all items of their customers are not. Based on customer ship- these customers ordered. For each age the graphs show ping addresses, we can determine that, across GlavMed stacked horizontal bars, with segments for the top ten and SpamIt programs, customers from the United States non-ED product categories. dominate at 75% of orders, with Canada, Australia, and Both age and sex purchasing patterns emerge from populous countries in Western Europe following in sin- this visualization. For example, male GlavMed cus- gle digits. Emphatically, Western money fuels these af- tomers in Figure 5(a) purchase male pattern baldness 12 products (peaking between ages 20–30) and male en- Interestingly, male customers also purchase the estrogen drug Clo- mid, which we have come to understand may be explained by body hancement products (peak 45–50), while women pre- builders who commonly abuse the drug to counter some of the side- dominantly purchase obesity (peak 40–45) and reproduc- effects of steroids.
9 Example: Sirefef • Windows malware - Trojan to install rootkit • See http://antivirus.about.com/od/virusdescriptions/a/What-Is- Sirefef-Malware.htm • Attack: “Sirefef gives attackers full access to your system” • Runs as a Trojan software update (GoogleUpdate) • Runs on each boot by setting a Windows registry entry • Some versions replace device drivers • Downloads code to run a P2P communication • Steal software keys and crack password for software piracy • Downloads other files to propagate the attack to other computers
CMPSC443 - Introduction to Computer and Network Security Page 24 24 Example: Sirefef • Windows malware - Trojan to install rootkit • See http://antivirus.about.com/od/virusdescriptions/a/What-Is- Sirefef-Malware.htm • Stealth: “while using stealth techniques in order to hide its presence” • “altering the internal processes of an operating system so that your antivirus and anti-spyware can't detect it.” • Disable: Windows firewall, Windows defender • Changes: Browser settings • Join bot
• Microsoft: “This list is incomplete”
CMPSC443 - Introduction to Computer and Network Security Page 25 25 Example: Stuxnet • Symantec’s slides Real%world%example:%Stuxnet%Worm %
CMPSC443 - Introduction to Computer and Network Security Page 26 26 Example: Stuxnet
• Symantec’s slides
Stuxnet:(Overview(
• June(2010:(A(worm(targe7ng(Siemens(WinCC( industrial(control(system.( • Targets(high(speed(variableDfrequency( programmable(logic(motor(controllers(from(just( two(vendors:(Vacon((Finland)(and(Fararo(Paya( (Iran)( • Only(when(the(controllers(are(running(at(807Hz(( to(1210Hz.(Makes(the(frequency(of(those( controllers(vary(from(1410Hz(to(2Hz(to(1064Hz.( • hVp://en.wikipedia.org/wiki/Stuxnet(
2
CMPSC443 - Introduction to Computer and Network Security Page 27 27 Example: Stuxnet • Symantec’s slides Timeline'
• 2009'June:'Earliest'Stuxnet'seen' – Does'not'have'signed'drivers' • 2010'Jan:'Stuxnet'driver'signed' – With'a'valid'cer>ficate'belonging'to'Realtek'Semiconductors' • 2010'June:'Virusblokada'reports'W32.Stuxnet' – Verisign'revokes'Realtek'cer>ficate' • 2010'July:'An>Ivirus'vendor'Eset'iden>fies'new'Stuxnet' driver' – 'With'a'valid'cer>ficate'belonging'to'JMicron'Technology'Corp' • 2010'July:'Siemens'report'they'are'inves>ga>ng'malware' SCADA'systems' – Verisign'revokes'JMicron'cer>ficate'
CMPSC443 - Introduction to Computer and Network Security Page 28 28 Example: Stuxnet • Symantec’s slides
Possible(A*ack(Scenario((Conjecture)(
• Reconnaissance( – Each(PLC(is(configured(in(a(unique(manner( – Targeted(ICS’s(schemaCcs(needed( – Design(docs(stolen(by(an(insider?( – Retrieved(by(an(early(version(of(Stuxnet( – Stuxnet(developed(with(the(goal(of(sabotaging(a(specific(set(of(ICS.( • Development(( – Mirrored(development(Environment(needed( • ICS(Hardware( • PLC(modules( • PLC(development(soOware( – EsCmaCon(( • 6+(manRyears(by(an(experienced(and(well(funded(development((team((
CMPSC443 - Introduction to Computer and Network Security Page 29 29 Example: Stuxnet • Symantec’s slides
A"ack&Scenario&(2)&
• The&malicious&binaries&need&to&be&signed&to&avoid&suspicion& – Two&digital&cer=ficates&were&compromised.& – High&probability&that&the&digital&cer=ficates/keys&were&stolen& from&the&companies&premises.& – Realtek&and&JMicron&are&in&close&proximity.& • Ini=al&Infec=on&& – Stuxnet&needed&to&be&introduced&to&the&targeted&environment& • Insider& • Third&party,&such&as&a&contractor& – Delivery&method&& • USB&drive& • Windows&Maintenance&Laptop& • Targeted&email&a"ack&
CMPSC443 - Introduction to Computer and Network Security Page 30 30 Example: Stuxnet • Symantec’s slides
A"ack&Scenario&(3)&
• Infec2on&Spread& – Look&for&Windows&computer&that&program&the& PLC’s& • The&Field&PG&are&typically¬&networked& • Spread&the&Infec2on&on&computers&on&the&local&LAN& – ZeroHday&vulnerabili2es& – TwoHyear&old&vulnerability& – Spread&to&all&available&USB&drives& – When&a&USB&drive&is&connected&to&the&Field&PG,& the&Infec2on&jumps&to&the&Field&PG&& • The&“airgap”&is&thus&breached&
CMPSC443 - Introduction to Computer and Network Security Page 31 31 Example: Stuxnet • Symantec’s slides
A"ack&Scenario&(4)&
• Target&Infec5on&& – Look&for&Specific&PLC&& • Running&Step&7&Opera5ng&System& – Change&PLC&code& • Sabotage&system& • Hide&modifica5ons& – Command&and&Control&may¬&be&possible& • Due&to&the&“airgap”& • Func5onality&already&embedded&
CMPSC443 - Introduction to Computer and Network Security Page 32 32 Take Away • Malware is now very functional and effective • To o l s for building and hiding malware from detection • Malware can be difficult to notice much less detect and remove • Malware leverages multiple vulnerabilities to escalate privileges and disable defenses • Getting code running on the host enables control of host • And there are lots of ways to download code to hosts
• What are the nature of the vulnerabilities? Next time
CMPSC443 - Introduction to Computer and Network Security Page 33 33