590.05 Lecture 5: Malware Xiaowei Yang Previous lecture
• Accountability
• OS security Today
• Malware Malware: Malicious Software 10/21/13 Malware
4 Viruses, Worms, Trojans, Rootkits • Malware can be classified into several categories, depending
on propaga�on and concealment • Propaga�on 10/21/13 • Virus: human-assisted propaga�on (e.g., open email a�achment) • Worm: automa�c propaga�on without human assistance Malware • Concealment • Rootkit: modifies opera�ng system to hide its existence • Trojan: provides desirable func�onality but hides malicious opera�on • Various types of payloads, ranging from annoyance to crime
5 Insider Attacks
• An insider a�ack is a security breach that is caused or facilitated by someone who is a part of the very organiza�on
that controls or builds the asset that should be protected.
• In the case of malware, an insider a�ack refers to a security 10/21/13 hole that is created in a so�ware system by one of its
programmers. Malware
6 Backdoors
• A backdoor, which is also some�mes called a trapdoor, is a hidden feature or command in a program that allows a user to perform
ac�ons he or she would not normally be allowed to do.
• When used in a normal way, this program performs completely as 10/21/13 expected and adver�sed.
• But if the hidden feature is ac�vated, the program does something Malware unexpected, o�en in viola�on of security policies, such as performing a privilege escala�on. • Benign example: Easter Eggs in DVDs and so�ware
An Easter egg is an inten�onal inside joke, hidden message, or feature in a work such as a computer program, movie, book, or 7 crossword. Logic Bombs
• A logic bomb is a program that performs a malicious ac�on as a result of a certain logic condi�on. • The classic example of a logic bomb is a programmer coding up the so�ware for the payroll system who puts in code that makes the program crash should it ever process two consecu�ve payrolls without 10/21/13 paying him. • Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program Malware on a certain date.
8 The Omega Engineering Logic Bomb • An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was
convicted of using on his former employer, Omega
Engineering Corpora�on. On July 31, 1996, a logic bomb was 10/21/13 triggered on the server for Omega Engineering’s manufacturing opera�ons, which ul�mately cost the company Malware millions of dollars in damages and led to it laying off many of its employees.
9 The Omega Bomb Code
• The Logic Behind the Omega Engineering Time Bomb included the following strings: • 7/30/96 • Event that triggered the bomb • F: 10/21/13 • Focused a�en�on to volume F, which had cri�cal files • F:\LOGIN\LOGIN 12345 Malware • Login a fic��ous user, 12345 (the back door) • CD \PUBLIC • Moves to the public folder of programs • FIX.EXE /Y F:\*.* • Run a program, called FIX, which actually deletes everything • PURGE F:\/ALL 10 • Prevent recovery of the deleted files Defenses against Insider Attacks • Avoid single points of failure.
• Use code walk-throughs. • Use archiving and repor�ng tools. • Limit authority and permissions. 10/21/13 • Physically secure cri�cal systems. Malware • Monitor employee behavior. • Control so�ware installa�ons.
11 Computer Viruses
• A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is
capable of further replica�on.
• This self-replica�on property is what dis�nguishes computer 10/21/13 viruses from other kinds of malware, such as logic bombs.
• Another dis�nguishing property of a virus is that replica�on Malware requires some type of user assistance, such as clicking on an email a�achment or sharing a USB drive.
12 Biological Analogy • Computer viruses share some proper�es with Biological viruses
10/21/13 Malware
A�ack Penetra�on
13
Replica�on and assembly Release Early History l1972 sci-fi novel “When HARLIE Was One” features a program called VIRUS that reproduces itself
lFirst academic use of term virus by PhD student Fred Cohen in 1984, who credits advisor Len Adleman with 10/21/13 coining it Malware lIn 1982, high-school student Rich Skrenta wrote first virus released in the wild: Elk Cloner, a boot sector virus l(c)Brain, by Basit and Amjood Farooq Alvi in 1986,
credited with being the first virus to infect PCs 14 Virus Phases
• Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detec�on.
• Propaga�on phase. During this phase, the virus is replica�ng
itself, infec�ng new files on new systems. 10/21/13 • Triggering phase. In this phase, some logical condi�on causes
the virus to move from a dormant or propaga�on phase to Malware perform its intended ac�on. • Ac�on phase. In this phase, the virus performs the malicious ac�on that it was designed to perform, called payload. • This ac�on could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as dele�ng all essen�al files on the hard 15 drive. Infection Types
• Overwri�ng original code • Destroys original code
• Pre-pending virus
• Keeps original code, possibly 10/21/13 compressed • Infec�on of libraries Malware • Allows virus to be memory compressed resident • E.g., kernel32.dll • Macro viruses • Infects MS Office documents • O�en installs in main document template 16 Degrees of Complication
• Viruses have various degrees of complica�on in how they can insert themselves in computer code.
10/21/13 Malware
17 Concealment
• Encrypted virus • Decryp�on engine + encrypted body
• Randomly generate encryp�on key
• Detec�on looks for decryp�on engine 10/21/13 • Polymorphic virus • Encrypted virus with random varia�ons of the decryp�on engine (e.g., Malware padding code) • Detec�on using CPU emulator • Metamorphic virus • Different virus bodies • Approaches include code permuta�on and instruc�on replacement • Challenging to detect 18 Encrypted Viruses Computer Worms
• A computer worm is a malware program that spreads copies of itself without the need to inject itself in other programs,
and usually without human interac�on.
• Thus, computer worms are technically not computer viruses 10/21/13 (since they don’t infect other programs), but some people
nevertheless confuse the terms, since both spread by self- Malware replica�on. • In most cases, a computer worm will carry a malicious payload, such as dele�ng files or installing a backdoor.
20 Early History
lFirst worms built in the labs of John Shock and Jon
Hepps at Xerox PARC in the early 80s
lCHRISTMA EXEC wri�en in REXX, released in 10/21/13 December 1987, and targe�ng IBM VM/CMS
systems was the first worm to use e-mail service Malware lThe first internet worm was the Morris Worm, wri�en by Cornell student Robert Tappan Morris and released on November 2, 1988
21 Worm Development
• Iden�fy vulnerability s�ll • Worm template unpatched – Generate target list
• Write code for – For each host on target list
– Exploit of vulnerability • Check if infected 10/21/13 • Check if vulnerable – Genera�on of target list • Infect
• Random hosts on the internet Malware • Recur • Hosts on LAN • Divide-and-conquer • Distributed graph search – Installa�on and execu�on of algorithm payload – Forward edges: infec�on – Querying/repor�ng if a host is – Back edges: already infected or infected not vulnerable • Ini�al deployment on botnet 22 Worm Propagation • Worms propagate by finding and infec�ng vulnerable hosts. • They need a way to tell if a host is vulnerable • They need a way to tell if a host is already infected.
10/21/13 Malware ini�al infec�on
23 Propagation: Theory
l Classic epidemic model Source: Cliff C. Zou, Weibo Gong, Don Towsley, and • N: total number of vulnerable Lixin Gao.
hosts The Monitoring and Early Detec�on of Internet Worms, IEEE/ACM Transac�ons on • I(t): number of infected hosts at Networking, 2005. �me t 10/21/13 • S(t): number of suscep�ble hosts at �me t Malware • I(t) + S(t) = N • β: infec�on rate l Differen�al equa�on for I(t): dI/dt = βI(t) S(t) l More accurate models adjust propaga�on rate over �me 24 Propagation: Practice
• Cumula�ve total of unique IP addresses infected by the first
outbreak of Code-RedI v2 on July 19-20, 2001
Source: 10/21/13 David Moore, Colleen Shannon, and Jeffery Brown. Malware Code-Red: a case study on the spread and vic�ms of an Internet worm, CAIDA, 2002
25 Trojan Horses • A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with nega�ve consequences (e.g., launches a keylogger).
• Trojan horses can be installed as part of the payload of other malware but are o�en installed by a user or administrator, either deliberately or accidentally. 10/21/13 Malware
26 Current Trends
• Trojans currently have largest infec�on poten�al • O�en exploit browser vulnerabili�es
• Typically used to download other malware in mul�-stage a�acks
Source: 10/21/13 Symantec Internet
Security Threat Malware Report, April 2009
27 Rootkits
• A rootkit modifies the opera�ng system to hide its existence – E.g., modifies file system explora�on u�li�es
– Hard to detect using so�ware that relies on the OS itself
• Rootkit Revealer 10/21/13 – By Bryce Cogswell and Mark Russinovich (Sysinternals) Malware – Two scans of file system – High-level scan using the Windows API – Raw scan using disk access methods – Discrepancy reveals presence of rootkit – Could be defeated by rootkit that intercepts and modifies results of raw scan opera�ons 28 Malware Zombies • Malware can turn a computer in to a zombie, which is a machine that is controlled externally to perform
malicious a�acks, usually as a part of a botnet. Botnet Controller (A�acker) 10/21/13
A�ack Commands
Botnet:
A�ack Ac�ons 29
Vic�m Financial Impact
l Malware o�en affects a large user popula�on Source:(Computer(
Economics( l Significant financial impact, though es�mates vary widely, up to $100B per year (mi2g) !$15B! 10/21/13 l Examples Malware ¡ LoveBug (2000) caused $8.75B in !$10B! damages and shut down the Bri�sh parliament !$5B! ¡ In 2004, 8% of emails infected by W32/MyDoom.A at its peak !$! ¡ In February 2006, the Russian 1997! 1999! 2001! 2003! 2005! Stock Exchange was taken down 30 by a virus. Economics of Malware
• Source: New malware threats Symantec Internet
have grown from 20K to Security Threat Report, April 2009
1.7M in the period 10/21/13 2002-2008
• Most of the growth has Malware been from 2006 to 2008 • Number of new threats per year appears to be growing an exponen�al rate. 31 Professional Malware
• Growth in professional cybercrime and online fraud has led to demand for professionally developed
malware
• New malware is o�en a custom- 10/21/13 designed varia�ons of known exploits, so the malware designer can sell different “products” to his/ Malware her customers. • Like every product, professional malware is subject to the laws of supply and demand. • Recent studies put the price of a so�ware keystroke logger at $23 and a botnet use at $225. 32 Image by User:SilverStar from h�p://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg used by permission under the Crea�ve Commons A�ribu�on ShareAlike 3.0 License Adware Adware so�ware payload Computer user Adware engine infects a user’s computer
10/21/13 Adware engine requests adver�sements
Adver�sers contract with from adware agent Malware adware agent for content
Adware agent delivers ad content to user Adware agent 33 Adver�sers Spyware
Spyware so�ware payload Computer user 1. Spyware engine infects a user’s computer.
10/21/13
2. Spyware process collects keystrokes, passwords, and screen captures. Malware
3. Spyware process periodically sends collected data to spyware data collec�on agent.
34
Spyware data collec�on agent Signatures: A Malware Countermeasure
• Scan compare the analyzed object with a database of signatures
• A signature is a virus fingerprint – E.g.,a string with a sequence of instruc�ons specific for each virus
– Different from a digital signature 10/21/13 • A file is infected if there is a signature inside its code – Fast pa�ern matching techniques to search for signatures Malware • All the signatures together create the malware database that usually is proprietary
35 Signatures Database
• Common Malware Enumera�on (CME)
– aims to provide unique, common iden�fiers to new 10/21/13 virus threats
– Hosted by MITRE Malware – h�p://cme.mitre.org/ data/list.html • Digital Immune System (DIS) – Create automa�cally new signatures
36 White/Black Listing
• Maintain database of cryptographic hashes for • Opera�ng system files
• Popular applica�ons
• Known infected files 10/21/13 • Compute hash of each file • Look up into database Malware • Needs to protect the integrity of the database
37 Heuristic Analysis
• Useful to iden�fy new and “zero day” malware
• Code analysis – Based on the instruc�ons, the an�virus can determine whether or not the program is malicious, i.e., program contains instruc�on to 10/21/13 delete system files, Malware • Execu�on emula�on – Run code in isolated emula�on environment – Monitor ac�ons that target file takes – If the ac�ons are harmful, mark as virus • Heuris�c methods can trigger false alarms 38 Shield vs. On-demand
• Shield On-demand • Background process • Scan on explicit user request or (service/daemon) according to regular schedule • On a suspicious file, directory, • Scans each �me a file is drive, etc. 10/21/13 touched (open, copy,
execute, etc.) Malware
Performance test of scan techniques o Compara�ve: check the number of already known viruses that are found and the �me to perform the scan o Retrospec�ve: test the proac�ve detec�on of the scanner for unknown viruses, to verify which vendor uses be�er heuris�cs An�-viruses are ranked using both parameters: h�p://www.av-compara�ves.org/ 39 Online vs Of�line Anti Virus Software
Online Offline • • Free browser plug-in Paid annual subscrip�on • Authen�ca�on through third • Installed on the OS party cer�ficate (i.e. VeriSign) • So�ware distributed securely by 10/21/13 • No shielding the vendor online or a retailer • So�ware and signatures update • System shielding Malware at each scan • Scheduled so�ware and • Poorly configurable signatures updates • Scan needs internet connec�on • Easily configurable • Report collected by the company • Scan without internet connec�on that offers the service • Report collected locally and may 40 be sent to vendor Quarantine
• A suspicious file can be isolated in a folder called quaran�ne:
– E.g,. if the result of the heuris�c analysis is posi�ve and you are wai�ng for db signatures update 10/21/13 • The suspicious file is not deleted but made harmless: the user can
decide when to remove it or eventually restore for a false posi�ve Malware – Interac�ng with a file in quaran�ne it is possible only through the an�virus program • The file in quaran�ne is harmless because it is encrypted • Usually the quaran�ne technique is proprietary and the details are kept secret 41 Static vs. Dynamic Analysis
Sta�c Analysis Dynamic Analysis • Checks the code without trying to • Check the execu�on of codes inside a
execute it virtual sandbox • Quick scan in white list • Monitor
• Filtering: scan with different an�virus – File changes 10/21/13 and check if they return same result – Registry changes with different name – Processes and threads Malware • Weeding: remove the correct part of – Networks ports files as junk to be�er iden�fy the virus • Code analysis: check binary code to understand if it is an executable, e.g., PE • Disassembling: check if the byte code shows something unusual 42 Virus Detection is Undecidable
• Theore�cal result by Fred • Suppose program
Cohen (1987) isVirus(P) determines whether program P is a • Virus abstractly modeled virus 10/21/13 as program that • Define new program Q eventually executes infect as follows: Malware • Code for infect may be if (not isVirus(Q)) generated at run�me infect • Proof by contradic�on stop similar to that of the • Running isVirus on Q hal�ng problem achieves a contradic�on 43 Other Undecidable Detection Problems
• Detec�on of a virus – by its appearance – by its behavior • Detec�on of an evolu�on of a known virus • Detec�on of a triggering mechanism 10/21/13 – by its appearance
– by its behavior Malware • Detec�on of a virus detector – by its appearance – by its behavior • Detec�on of an evolu�on of – a known virus – a known triggering mechanism – a virus detector 44 Resources
• Computer Emergency Response Team • Research center funded by the US federal government • Vulnerabili�es database • Symantec 10/21/13 • Reports on malware trends • Database of malware Malware • Art of Computer Virus Research and Defense by Peter Szor
45