Topics Malicious Introduction Malicious Code Threat Model Code Survey of Malicious Code Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio
CSH6 Chapter 16: “Malicious Code”
1 Copyright © 2014 M. E. Kabay. All rights reserved. 2 Copyright © 2014 M. E. Kabay. All rights reserved.
Introduction Malicious-Code Threat Model (1) Malicious code / logic ACTOR ACCESS ASSET ACTION OUTCOME Malware Hardware, software or firmware Actor: structured or unstructured threats intentionally included or inserted Individuals, organizations, nation-states in system for unauthorized purpose Access: allowed physical or logical path Classification may be difficult Asset: resource of interest Categories overlap because malware may have Action: execution of malicious code or logic multiple functions and attributes Outcome E.g., virus / worm / Trojan horse / spyware Intelligence, surveillance, reconnaissance Disruption of operations Some code may not be intended as malware by creators Destruction of assets Publicity for cause Context and intent determine whether code is Negative publicity against victim viewed as malicious
3 Copyright © 2014 M. E. Kabay. All rights reserved. 4 Copyright © 2014 M. E. Kabay. All rights reserved.
Malicious Code Threat Model (2) Self-replicating Code
Not inherently malicious Self-replicating Code Early experiments (1960s) Actors: Origin of Malicious had no evil intent Code Threats Darwin (1961) involved Actors: Structured Threats memory worms Actors: Unstructured Self-replicating code Threats Competition → resource exhaustion Access vs Action: Vector vs Payload
5 Copyright © 2014 M. E. Kabay. All rights reserved. 6 Copyright © 2014 M. E. Kabay. All rights reserved. Is a Beneficial Virus Is Writing Malware Illegal Possible? in US? Ideas for beneficial self-propagating code: No explicit law against writing malicious code Distribute antivirus programs No illegality even in sharing such code automatically through Internet among willing recipients Install patches on servers in networks Current efforts to define statutes Distribute useful information automatically Based on laws banning Consensus on Problems Preventing Use: possession of burglary tools (e.g., lock picks) What if there’s a bug or incompatibility in the self-propagating code? Require registration and licensing of locksmiths What if the patches are not appropriate for a specific Would treat malware and Trojans in same server or network? way What if the owner/user does No significant progress to date not see the patch as useful?
7 Copyright © 2014 M. E. Kabay. All rights reserved. 8 Copyright © 2014 M. E. Kabay. All rights reserved.
Actors: Origin of Actors: Structured Threats Malicious Code Threats Well-funded, systematic Structured threats Industrial espionage, information operations, large- scale fraud & theft Nation-states Organized crime responsible for 90% malware Corporate criminals Extortionists target online gambling Organized crime Pump ‘n’ dump schemes cost $B Unstructured threats Industrial espionage using spyware growing Rogue actors; e.g., China major player Individuals Major source of attacks Script kiddies PRC PLA doctrine emphasizes asymmetric warfare using information technology Total government control over hacking
9 Copyright © 2014 M. E. Kabay. All rights reserved. 10 Copyright © 2014 M. E. Kabay. All rights reserved.
Access vs Action: Actors: Unstructured Threats Vector vs Payload Random Vector Relatively limited Agent is avenue of access Does not target national Physical access via people who can enter security premises Relatively minor Network access via Web server, client systems, e-mail attachment, portable device (e.g., infected USB flash drive) Payload Function (action) inserted in system Malicious logic, remote access software, remote control software
11 Copyright © 2014 M. E. Kabay. All rights reserved. 12 Copyright © 2014 M. E. Kabay. All rights reserved. Survey of Malicious Code Virus Mechanisms
Viruses Worms Boot sector: sector 0 of disk Trojans File infector: inserts JUMP instruction, adds code, returns to original location and Spyware & Adware continues loading Rootkits Macro virus: exploits weakness of MS Bots & Botnets scripting language in Word, Malicious Mobile Code PowerPoint, Excel, Access etc.
13 Copyright © 2014 M. E. Kabay. All rights reserved. 14 Copyright © 2014 M. E. Kabay. All rights reserved.
Viruses (1) Viruses (2)
Boot sector Program infectors
15 Copyright © 2014 M. E. Kabay. All rights reserved. 16 Copyright © 2014 M. E. Kabay. All rights reserved.
1995-1996: Early Macro Viruses (3) Viruses Macro MS-Word macro virus (concept) released Aug 95 MS-Word macro viruses reached more than half all infections in the wild by 2009 About 1000 types of macro viruses of all types known to date (Sep 2013) MS-Excel virus discovered June 96 Anti-virus available within days Spreading more slowly than Word macro viruses because of lower rate of exchange of spreadsheets
17 Copyright © 2014 M. E. Kabay. All rights reserved. 18 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-03: Melissa Virus Viruses (4) Logic Bombs Friday 26 March: CERT-CC initial reports of fast-spreading new MS-Word macro virus Any malicious code, replicating or not, that Melissa written to infect Word documents delivers a payload as a result of a logic test (e.g., Uses victim's MAPI-standard e-mail address specific date, absence of employee record) book Time bombs (set off on a date or category of Sends copies of itself to first 50 people on list date) are a subset of logic bombs E-mail message w/ subject line "Important Cross-site scripting malware Message From
19 Copyright © 2014 M. E. Kabay. All rights reserved. 20 community Copyrightservice © 2014 M. E. Kabay. All rights reserved.
Viruses (5) Viruses vs Worms Polymorphic viruses Viruses integrate into host code Intended to defeat signature- Replicate upon execution of infected code based antivirus tools Worms are free-standing code Modify themselves at time of Replicate via networks replication Polymorphic Engine E-mail (e.g., Outlook) especially common vector Encrypts code Some worms have viral properties Includes self-decryption capability Integrate themselves into e-mail Dark Avenger wrote MtE (aka messages and convert them to Mutation Engine) in late 1980s executable files Programmer from Sofia, Bulgaria Frequently conceal executable file type Detested Vesselin Bontchev, famous AV expert Depend on default suppression of file Also attacked researcher Sarah Gordon by suffix (e.g., AnnaKournikova.jpg.vbs.txt) name
21 Copyright © 2014 M. E. Kabay. All rights reserved. 22 Copyright © 2014 M. E. Kabay. All rights reserved.
1987: IBM Christmas Tree Worm 1988: The Morris Worm
E-mail sent via IBM internal e-mail network Robert T. Morris (not a “Robert T. Morris, Jr”!) Included program to draw ASCII Christmas tree on screen Cornell University grad student Son of famed NSA cryptographer Used recipient’s e-mail address book to Robert H. Morris mail itself to everyone on the network Wrote paper on sendmail and fingerd No mechanism to prevent vulnerabilities on UNIX systems superinfection Seems to have intended to Overloaded worldwide IBM networks demonstrate significance Messages escaped from IBM into Released a defective version of his demo worm BITNET Originally intended to replicate slowly, avoid superinfection In fact grew fast and superinfected systems worldwide
23 Copyright © 2014 M. E. Kabay. All rights reserved. 24 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-12 W.95.Babylonia Morris Worm (cont’d) Virus/Worm Launched Worm at 17:00 on 2 November 1988 Extensible virus By 06:00 next morning the Internet was effectively Payload modified remotely down Trojan virus-dropper ~6,000-9,000 systems crashed or taken offline Disguised as Y2K bug fix for internet relay Computer scientists worked feverishly all night chat (IRC) users analyzing the Worm Sent itself other users Distributed fixes by telephone and fax (no ‘Net) Polled Internet site in Japan Led to formation of CERT-CC® in Dec 1988 Looked for updated plugins Morris convicted of violating 1986 Computer Fraud and Abuse Act (18 USC §1030) 400 hours community service + $10K fine
25 Copyright © 2014 M. E. Kabay. All rights reserved. 26 Copyright © 2014 M. E. Kabay. All rights reserved.
2000-05: ILOVEYOU 2000-06: Timofonica Worm Worm E-mail subject ILOVEYOU E-mail attachment E-mail enabled malware LOVE-LETTER-FOR-YOU.TEXT.vbs Automatically sent pager Used all addresses in address book message to block of Telefonica cell phones Became #1 infectious code in Europe, Asia, USA Tried to delete all data on Variants appeared quickly hard disk Created by 27-yr-old Filipino computer student Onel de Guzman No local laws against spreading viruses Creator given job as programmer!
27 Copyright © 2014 M. E. Kabay. All rights reserved. 28 Copyright © 2014 M. E. Kabay. All rights reserved.
2001-03: SirCam Worm 2001-06: CodeRed Worm Propagated on Windows systems Infected vulnerable Web servers Used standard e-mail address books Windows NT or Windows 2000 or CISCO equipment running MS-IIS software that has not been patched Infected document, converts to executable Showed message on Web home page: Most naïve users turn off suffix display HELLO! Welcome to http://www.worm.com! Hacked By Chinese! So myfile.doc.exe looks like myfile.doc Sent copies of itself to computers in list of IP addresses Created e-mail message with random subject On 20th through 28th of month, tried to swamp specific and randomized text asking for comment target with DoS (denial-of-service) attack Original worm attacked numerical address of White Sent infected file to everyone on e-mail list House Documents may contain confidential info Later versions received instructions from remote master computer program controlled by criminal See hacker http://www.cert.org/advisories/CA-2001-22.html See http://www.cert.org/advisories/CA-2001-19.html
29 Copyright © 2014 M. E. Kabay. All rights reserved. 30 Copyright © 2014 M. E. Kabay. All rights reserved. Spread of the CodeRed Worm Trojans Named for the Trojan Horse in the Iliad Overt function useful or harmless Covert function unauthorized, usually harmful Functionality may be associated with all types of malware Worms Standalone programs Early Trojans included PC-Cyborg (“AIDS Information Disk”) of 1989 Replaced autoexec.bat to count boots On 90th boot, encrypted file/directory names Author, Dr Joseph Popp arrested, extradited to US from UK, but never convicted due to mental incompetence
31 Copyright © 2014 M. E. Kabay. All rights reserved. 32 Copyright © 2014 M. E. Kabay. All rights reserved.
2000-01: Haiku Worm Spyware & Adware (Trojan) Software that collects user information without permission F-Secure (formerly Data Tracking & reporting Web usage Fellows) Monitoring use of licensed programs E-mail enabled virus/worm Monitoring or blocking copying of music Carrier: detailed e-mail message about Haiku Click-fraud (automatically clicks on ads for profit) generator Spyware serving unwanted ads = adware Actually works — Haiku in Windows box Legal issue is EULA (end-user license agreement) Worm code spreads through victim's e-mail If no clear statement of functions, spyware/adware may address list be violation of 18 US1030(a) (Computer Fraud & Abuse Occasionally downloads and plays a .wav file Act of 1986) from a Web site If EULA is clear and user agrees, matter of contract law But many users never read EULA at all… Some spyware/adware difficult to uninstall (hides itself)
33 Copyright © 2014 M. E. Kabay. All rights reserved. 34 Copyright © 2014 M. E. Kabay. All rights reserved.
Rootkits Bots & Botnets (1) Program that allows covert access after installation Bots Automated processes on the Compromise application, library, kernel, Internet & WWW hypervisor & hardware levels Carry out specific tasks; Early versions replaced Unix components e.g., Kernel-level rootkits run as device drivers Web spidering: collecting files from Web (e.g., GOOGLE engine bots) Classic examples: BO & BO2K Monitoring conversations on talk channels (e.g., Back Orifice by Sir Dystic of Cult of the Dead Cow for suppression of profanity or automated (cDc) presented at DEF CON 6 in 1998 responses to questions) Back Orifice 2000 by Dildog of cDc presented at IRC Bots DEF CON 7 in 1999 Internet Relay Chat used for communications Both provide “remote systems administration” IRC bots widespread for criminal activity Both used by Trojan droppers Bot Herders control 100K bots for commercial (criminal) activity such as DDoS, spam BO2K hides itself from discovery
35 Copyright © 2014 M. E. Kabay. All rights reserved. 36 Copyright © 2014 M. E. Kabay. All rights reserved. Bots & Botnets (2) Bots & Botnets (3) Nov 15, 2012
Grum: 18 billion spam messages per day ZeroAccess: fastest growing botnet: 2M Lethic: 28% of all spam in 2012 nodes – ad-click fraud Festi: infected 250,000 unique IP addresses TDL-4: “…removes competing malware, hides from detection and installs a master boot Cutwail: DDoS attacks vs 100s Websites record. The newest variant of TDL-4 has Zeus: 944 Zeus command and control (C&C) infected approximately 250,000 unique servers – botnets steal banking info victims.” SpyEye: steal consumer banking data (~278 Flashback: 100k Mac computers infected – SpyEye C&C servers in use collects passwords (e.g., Google, Paypal) … Citadel: “…social network allowing users to infected 10 percent of home networks with report bugs and even suggest new features. Mac computers by Apr 2012 2012 has seen a 20 % increase in Citadel Trojan attacks” Morgan, C. “The Worst Botnets of 2012.” Storagecraft (2012-11-15). Morgan, C. “The Worst Botnets of 2012.” Storagecraft (2012-11-15). http://www.storagecraft.com/blog/the-worst-botnets-of-2012/ http://www.storagecraft.com/blog/the-worst-botnets-of-2012/
37 Copyright © 2014 M. E. Kabay. All rights reserved. 38 Copyright © 2014 M. E. Kabay. All rights reserved.
Malicious Mobile Code Detection of Malicious Code
Web servers host pages with active content Mobile code may be written in (e.g.) Signature-Based ActiveX controls Network-Based Java applets JavaScript Behavioral Adobe Flash Heuristic Often involved in phishing attacks See CSH6 Chapter 17, Mobile Code.
39 Copyright © 2014 M. E. Kabay. All rights reserved. 40 Copyright © 2014 M. E. Kabay. All rights reserved.
Signature-Based Malware Network-Based Malware Detection Detection Oldest method of recognizing malware Look for effects of running malware; e.g., Identify known strings of code/text Connection to unusual / characteristic Defeated by polymorphism server (like IRC) Hashes Unusual protocols (not normal for system) Compute cryptographic hash of all executables on system; e.g., Peculiar packets (nor normal for protocol) MD5 Can establish baseline for behavior SHA-1 Monitor KNOWN-CLEAN system Digital signature using public key cryptosystem Critically important not to include malicious code in baseline Identify unauthorized changes (caused by malware) by checking table of hash values Compare observed behavior with baseline Look for outliers & investigate deviations
41 Copyright © 2014 M. E. Kabay. All rights reserved. 42 Copyright © 2014 M. E. Kabay. All rights reserved. Behavioral Malware Heuristic Malware Detection Detection Heuristic in this context means able to Monitor behavior of code change / learn Look for violations of security standards; Apply statistical modeling & theoretical e.g., behavioral models Attempting to modify areas of memory Computer score / metric to outside local stack of process evaluate likelihood that Attempting to raise privilege level program is legitimate Sandboxes Can detect new variations of malware Run code in restricted environment Even if signature not yet registered by E.g., Java sandbox conventional scanners Virtual machines a form of sandbox Modern antimalware products include option Increasingly popular for heuristic scanning Should enable it!
43 Copyright © 2014 M. E. Kabay. All rights reserved. 44 Copyright © 2014 M. E. Kabay. All rights reserved.
Prevention of Malicious Code Defense in Depth vs Malware Attacks No one AV program can Defense in Depth vs Malware protect against all malware Operational Controls Defense in depth uses multiple concurrent vs Malware strategies Human Controls vs Operational controls Malware Human controls Technical Controls vs Technical controls Malware Different approach is to define orthogonal systems Function in only one demonstrably correct way But no one wants single- purpose, rigid systems
45 Copyright © 2014 M. E. Kabay. All rights reserved. 46 Copyright © 2014 M. E. Kabay. All rights reserved.
Operational Controls vs Human Controls vs Malware Malware Provide training on malware policies & Written policies and procedures procedures Govern introduction of programs into Topics production environment Current threats; e.g., Who can install programs? Advance-fee fraud (Nigerian 419 fraud) Acceptable use policies for Internet and e- mail use (CSH6 Chapter 48, “E-mail and Social engineering (see CSH6 Chapter Internet Use Policies”) 29, “Social Engineering & Low-Tech Attacks”) How to respond to suspected attack Malicious attachments See CSH6 Chapter 47, “Operations Security & Production Controls” Detecting the threats – not ignoring AV popups! Employment policies & procedures Proper response CSH6 Chapter 45, “Employment Practices & Policies” Contact Help Desk at once
47 Copyright © 2014 M. E. Kabay. All rights reserved. 48 Copyright © 2014 M. E. Kabay. All rights reserved. Technical Controls vs Implementing Antivirus Malware Systems Implementing Antivirus Use both network-based & host-based Systems systems Host Configuration Choose products from different vendors to Controls & Security run concurrently Network-Based Security Run updates automatically on all systems Controls daily at least Network Monitoring E-mail may require separate appliance/ system to control malware attachments, spam, fraud, phishing….
See CSH6 Chapter 41, “Antivirus Technology”
49 Copyright © 2014 M. E. Kabay. All rights reserved. 50 Copyright © 2014 M. E. Kabay. All rights reserved.
Host Configuration Network-Based Security Controls Controls & Security Configure layered defense to interfere with malware propagation Automatic updates / patches essential Eliminate non-critical software & services Routers Minimize threats that target growing complexity of Firewalls environment Proxies Current software development Switched virtual local area introduces average of 4.5 errors per networks (VLANs) 1000 lines of code Filter aggressively Inevitably, more code means more errors Bogus inbound network addresses (BOGONs) Simplify environment to degree Packet from an unassigned region of IP address possible space Browsers Spoofed internal addresses Eliminate if possible Claim to be from inside the target system Otherwise, apply tight security Packets from hostile countries (e.g., PRC) with Use secure Web proxy whom you need no communications
51 Copyright © 2014 M. E. Kabay. All rights reserved. 52 Copyright © 2014 M. E. Kabay. All rights reserved.
Network Monitoring Awareness Tools ICSA Labs Monitor & aggregate data from sensors https://www.icsalabs.com/products Device logs Virus Bulletin http://www.virusbtn.com/index Server logs Avast! Host logs http://www.avast.com/virus-monitor Intrusion detection alerts McAfee Virus Information Network flow data http://home.mcafee.com/virusinfo Define historical database of Microsoft Malware Protection Center normal behavior http://www.microsoft.com/security/portal/ Look for anomalies – statistical outliers Sophos http://www.sophos.com/en-us/security-news- trends.aspx Trend Micro http://us.trendmicro.com/us/trendwatch/
53 Copyright © 2014 M. E. Kabay. All rights reserved. 54 Copyright © 2014 M. E. Kabay. All rights reserved. Quarterly & monthly reports always online Recent Statistics (24 Sep 2013)
Details available through all the links
Lots more info below
Up to date details available online anytime. http://www.trendmicro.com/us/security-intelligence/index.html
55 Recent Statistics (Q2 2013) http://www.securelist.com/en/analysis/204792299/IT_Threat_Evolution_Q2_2013Copyright © 2014 M. E. Kabay. All rights reserved. 56 Copyright © 2014 M. E. Kabay. All rights reserved.
DISCUSSION rity-intelligence/current-threat-
57 Current Situation (Sep 2013) http://www.trendmicro.com/us/secu activity/malicious-top-ten/index.html Copyright © 2014 M. E. Kabay. All rights reserved. 58 Copyright © 2014 M. E. Kabay. All rights reserved.