590.05 Lecture 5: Malware Xiaowei Yang Previous lecture
• Accountability
• OS security Today
• Malware Malware: Malicious Software 10/21/13 Malware
4 Viruses, Worms, Trojans, Rootkits • Malware can be classified into several categories, depending
on propaga on and concealment • Propaga on 10/21/13 • Virus: human-assisted propaga on (e.g., open email a achment) • Worm: automa c propaga on without human assistance Malware • Concealment • Rootkit: modifies opera ng system to hide its existence • Trojan: provides desirable func onality but hides malicious opera on • Various types of payloads, ranging from annoyance to crime
5 Insider Attacks
• An insider a ack is a security breach that is caused or facilitated by someone who is a part of the very organiza on
that controls or builds the asset that should be protected.
• In the case of malware, an insider a ack refers to a security 10/21/13 hole that is created in a so ware system by one of its
programmers. Malware
6 Backdoors
• A backdoor, which is also some mes called a trapdoor, is a hidden feature or command in a program that allows a user to perform
ac ons he or she would not normally be allowed to do.
• When used in a normal way, this program performs completely as 10/21/13 expected and adver sed.
• But if the hidden feature is ac vated, the program does something Malware unexpected, o en in viola on of security policies, such as performing a privilege escala on. • Benign example: Easter Eggs in DVDs and so ware
An Easter egg is an inten onal inside joke, hidden message, or feature in a work such as a computer program, movie, book, or 7 crossword. Logic Bombs
• A logic bomb is a program that performs a malicious ac on as a result of a certain logic condi on. • The classic example of a logic bomb is a programmer coding up the so ware for the payroll system who puts in code that makes the program crash should it ever process two consecu ve payrolls without 10/21/13 paying him. • Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program Malware on a certain date.
8 The Omega Engineering Logic Bomb • An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was
convicted of using on his former employer, Omega
Engineering Corpora on. On July 31, 1996, a logic bomb was 10/21/13 triggered on the server for Omega Engineering’s manufacturing opera ons, which ul mately cost the company Malware millions of dollars in damages and led to it laying off many of its employees.
9 The Omega Bomb Code
• The Logic Behind the Omega Engineering Time Bomb included the following strings: • 7/30/96 • Event that triggered the bomb • F: 10/21/13 • Focused a en on to volume F, which had cri cal files • F:\LOGIN\LOGIN 12345 Malware • Login a fic ous user, 12345 (the back door) • CD \PUBLIC • Moves to the public folder of programs • FIX.EXE /Y F:\*.* • Run a program, called FIX, which actually deletes everything • PURGE F:\/ALL 10 • Prevent recovery of the deleted files Defenses against Insider Attacks • Avoid single points of failure.
• Use code walk-throughs. • Use archiving and repor ng tools. • Limit authority and permissions. 10/21/13 • Physically secure cri cal systems. Malware • Monitor employee behavior. • Control so ware installa ons.
11 Computer Viruses
• A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is
capable of further replica on.
• This self-replica on property is what dis nguishes computer 10/21/13 viruses from other kinds of malware, such as logic bombs.
• Another dis nguishing property of a virus is that replica on Malware requires some type of user assistance, such as clicking on an email a achment or sharing a USB drive.
12 Biological Analogy • Computer viruses share some proper es with Biological viruses
10/21/13 Malware
A ack Penetra on
13
Replica on and assembly Release Early History l1972 sci-fi novel “When HARLIE Was One” features a program called VIRUS that reproduces itself
lFirst academic use of term virus by PhD student Fred Cohen in 1984, who credits advisor Len Adleman with 10/21/13 coining it Malware lIn 1982, high-school student Rich Skrenta wrote first virus released in the wild: Elk Cloner, a boot sector virus l(c)Brain, by Basit and Amjood Farooq Alvi in 1986,
credited with being the first virus to infect PCs 14 Virus Phases
• Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detec on.
• Propaga on phase. During this phase, the virus is replica ng
itself, infec ng new files on new systems. 10/21/13 • Triggering phase. In this phase, some logical condi on causes
the virus to move from a dormant or propaga on phase to Malware perform its intended ac on. • Ac on phase. In this phase, the virus performs the malicious ac on that it was designed to perform, called payload. • This ac on could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as dele ng all essen al files on the hard 15 drive. Infection Types
• Overwri ng original code • Destroys original code
• Pre-pending virus
• Keeps original code, possibly 10/21/13 compressed • Infec on of libraries Malware • Allows virus to be memory compressed resident • E.g., kernel32.dll • Macro viruses • Infects MS Office documents • O en installs in main document template 16 Degrees of Complication
• Viruses have various degrees of complica on in how they can insert themselves in computer code.
10/21/13 Malware
17 Concealment
• Encrypted virus • Decryp on engine + encrypted body
• Randomly generate encryp on key
• Detec on looks for decryp on engine 10/21/13 • Polymorphic virus • Encrypted virus with random varia ons of the decryp on engine (e.g., Malware padding code) • Detec on using CPU emulator • Metamorphic virus • Different virus bodies • Approaches include code permuta on and instruc on replacement • Challenging to detect 18 Encrypted Viruses Computer Worms
• A computer worm is a malware program that spreads copies of itself without the need to inject itself in other programs,
and usually without human interac on.
• Thus, computer worms are technically not computer viruses 10/21/13 (since they don’t infect other programs), but some people
nevertheless confuse the terms, since both spread by self- Malware replica on. • In most cases, a computer worm will carry a malicious payload, such as dele ng files or installing a backdoor.
20 Early History
lFirst worms built in the labs of John Shock and Jon
Hepps at Xerox PARC in the early 80s
lCHRISTMA EXEC wri en in REXX, released in 10/21/13 December 1987, and targe ng IBM VM/CMS
systems was the first worm to use e-mail service Malware lThe first internet worm was the Morris Worm, wri en by Cornell student Robert Tappan Morris and released on November 2, 1988
21 Worm Development
• Iden fy vulnerability s ll • Worm template unpatched – Generate target list
• Write code for – For each host on target list
– Exploit of vulnerability • Check if infected 10/21/13 • Check if vulnerable – Genera on of target list • Infect
• Random hosts on the internet Malware • Recur • Hosts on LAN • Divide-and-conquer • Distributed graph search – Installa on and execu on of algorithm payload – Forward edges: infec on – Querying/repor ng if a host is – Back edges: already infected or infected not vulnerable • Ini al deployment on botnet 22 Worm Propagation • Worms propagate by finding and infec ng vulnerable hosts. • They need a way to tell if a host is vulnerable • They need a way to tell if a host is already infected.
10/21/13 Malware ini al infec on
23 Propagation: Theory
l Classic epidemic model Source: Cliff C. Zou, Weibo Gong, Don Towsley, and • N: total number of vulnerable Lixin Gao.
hosts The Monitoring and Early Detec on of Internet Worms, IEEE/ACM Transac ons on • I(t): number of infected hosts at Networking, 2005. me t 10/21/13 • S(t): number of suscep ble hosts at me t Malware • I(t) + S(t) = N • β: infec on rate l Differen al equa on for I(t): dI/dt = βI(t) S(t) l More accurate models adjust propaga on rate over me 24 Propagation: Practice
• Cumula ve total of unique IP addresses infected by the first
outbreak of Code-RedI v2 on July 19-20, 2001
Source: 10/21/13 David Moore, Colleen Shannon, and Jeffery Brown. Malware Code-Red: a case study on the spread and vic ms of an Internet worm, CAIDA, 2002
25 Trojan Horses • A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with nega ve consequences (e.g., launches a keylogger).
• Trojan horses can be installed as part of the payload of other malware but are o en installed by a user or administrator, either deliberately or accidentally. 10/21/13 Malware
26 Current Trends
• Trojans currently have largest infec on poten al • O en exploit browser vulnerabili es
• Typically used to download other malware in mul -stage a acks
Source: 10/21/13 Symantec Internet
Security Threat Malware Report, April 2009
27 Rootkits
• A rootkit modifies the opera ng system to hide its existence – E.g., modifies file system explora on u li es
– Hard to detect using so ware that relies on the OS itself
• Rootkit Revealer 10/21/13 – By Bryce Cogswell and Mark Russinovich (Sysinternals) Malware – Two scans of file system – High-level scan using the Windows API – Raw scan using disk access methods – Discrepancy reveals presence of rootkit – Could be defeated by rootkit that intercepts and modifies results of raw scan opera ons 28 Malware Zombies • Malware can turn a computer in to a zombie, which is a machine that is controlled externally to perform
malicious a acks, usually as a part of a botnet. Botnet Controller (A acker) 10/21/13
A ack Commands
Botnet:
A ack Ac ons 29
Vic m Financial Impact
l Malware o en affects a large user popula on Source:(Computer(
Economics( l Significant financial impact, though es mates vary widely, up to $100B per year (mi2g) !$15B! 10/21/13 l Examples Malware ¡ LoveBug (2000) caused $8.75B in !$10B! damages and shut down the Bri sh parliament !$5B! ¡ In 2004, 8% of emails infected by W32/MyDoom.A at its peak !$! ¡ In February 2006, the Russian 1997! 1999! 2001! 2003! 2005! Stock Exchange was taken down 30 by a virus. Economics of Malware
• Source: New malware threats Symantec Internet
have grown from 20K to Security Threat Report, April 2009
1.7M in the period 10/21/13 2002-2008
• Most of the growth has Malware been from 2006 to 2008 • Number of new threats per year appears to be growing an exponen al rate. 31 Professional Malware
• Growth in professional cybercrime and online fraud has led to demand for professionally developed
malware
• New malware is o en a custom- 10/21/13 designed varia ons of known exploits, so the malware designer can sell different “products” to his/ Malware her customers. • Like every product, professional malware is subject to the laws of supply and demand. • Recent studies put the price of a so ware keystroke logger at $23 and a botnet use at $225. 32 Image by User:SilverStar from h p://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg used by permission under the Crea ve Commons A ribu on ShareAlike 3.0 License Adware Adware so ware payload Computer user Adware engine infects a user’s computer
10/21/13 Adware engine requests adver sements
Adver sers contract with from adware agent Malware adware agent for content
Adware agent delivers ad content to user Adware agent 33 Adver sers Spyware
Spyware so ware payload Computer user 1. Spyware engine infects a user’s computer.
10/21/13
2. Spyware process collects keystrokes, passwords, and screen captures. Malware
3. Spyware process periodically sends collected data to spyware data collec on agent.
34
Spyware data collec on agent Signatures: A Malware Countermeasure
• Scan compare the analyzed object with a database of signatures
• A signature is a virus fingerprint – E.g.,a string with a sequence of instruc ons specific for each virus
– Different from a digital signature 10/21/13 • A file is infected if there is a signature inside its code – Fast pa ern matching techniques to search for signatures Malware • All the signatures together create the malware database that usually is proprietary
35 Signatures Database
• Common Malware Enumera on (CME)
– aims to provide unique, common iden fiers to new 10/21/13 virus threats
– Hosted by MITRE Malware – h p://cme.mitre.org/ data/list.html • Digital Immune System (DIS) – Create automa cally new signatures
36 White/Black Listing
• Maintain database of cryptographic hashes for • Opera ng system files
• Popular applica ons
• Known infected files 10/21/13 • Compute hash of each file • Look up into database Malware • Needs to protect the integrity of the database
37 Heuristic Analysis
• Useful to iden fy new and “zero day” malware
• Code analysis – Based on the instruc ons, the an virus can determine whether or not the program is malicious, i.e., program contains instruc on to 10/21/13 delete system files, Malware • Execu on emula on – Run code in isolated emula on environment – Monitor ac ons that target file takes – If the ac ons are harmful, mark as virus • Heuris c methods can trigger false alarms 38 Shield vs. On-demand
• Shield On-demand • Background process • Scan on explicit user request or (service/daemon) according to regular schedule • On a suspicious file, directory, • Scans each me a file is drive, etc. 10/21/13 touched (open, copy,
execute, etc.) Malware
Performance test of scan techniques o Compara ve: check the number of already known viruses that are found and the me to perform the scan o Retrospec ve: test the proac ve detec on of the scanner for unknown viruses, to verify which vendor uses be er heuris cs An -viruses are ranked using both parameters: h p://www.av-compara ves.org/ 39 Online vs Of line Anti Virus Software
Online Offline • • Free browser plug-in Paid annual subscrip on • Authen ca on through third • Installed on the OS party cer ficate (i.e. VeriSign) • So ware distributed securely by 10/21/13 • No shielding the vendor online or a retailer • So ware and signatures update • System shielding Malware at each scan • Scheduled so ware and • Poorly configurable signatures updates • Scan needs internet connec on • Easily configurable • Report collected by the company • Scan without internet connec on that offers the service • Report collected locally and may 40 be sent to vendor Quarantine
• A suspicious file can be isolated in a folder called quaran ne:
– E.g,. if the result of the heuris c analysis is posi ve and you are wai ng for db signatures update 10/21/13 • The suspicious file is not deleted but made harmless: the user can
decide when to remove it or eventually restore for a false posi ve Malware – Interac ng with a file in quaran ne it is possible only through the an virus program • The file in quaran ne is harmless because it is encrypted • Usually the quaran ne technique is proprietary and the details are kept secret 41 Static vs. Dynamic Analysis
Sta c Analysis Dynamic Analysis • Checks the code without trying to • Check the execu on of codes inside a
execute it virtual sandbox • Quick scan in white list • Monitor
• Filtering: scan with different an virus – File changes 10/21/13 and check if they return same result – Registry changes with different name – Processes and threads Malware • Weeding: remove the correct part of – Networks ports files as junk to be er iden fy the virus • Code analysis: check binary code to understand if it is an executable, e.g., PE • Disassembling: check if the byte code shows something unusual 42 Virus Detection is Undecidable
• Theore cal result by Fred • Suppose program
Cohen (1987) isVirus(P) determines whether program P is a • Virus abstractly modeled virus 10/21/13 as program that • Define new program Q eventually executes infect as follows: Malware • Code for infect may be if (not isVirus(Q)) generated at run me infect • Proof by contradic on stop similar to that of the • Running isVirus on Q hal ng problem achieves a contradic on 43 Other Undecidable Detection Problems
• Detec on of a virus – by its appearance – by its behavior • Detec on of an evolu on of a known virus • Detec on of a triggering mechanism 10/21/13 – by its appearance
– by its behavior Malware • Detec on of a virus detector – by its appearance – by its behavior • Detec on of an evolu on of – a known virus – a known triggering mechanism – a virus detector 44 Resources
• Computer Emergency Response Team • Research center funded by the US federal government • Vulnerabili es database • Symantec 10/21/13 • Reports on malware trends • Database of malware Malware • Art of Computer Virus Research and Defense by Peter Szor
45