Malicious Code Threat Model Code  Survey of Malicious Code  Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio

Topics Malicious  Introduction  Malicious Code Threat Model Code  Survey of Malicious Code  Prevention of CSH6 Chapter 16 Malicious Code Attacks “Malicious Code” Robert Guess & Eric Salveggio

CSH6 Chapter 16: “Malicious Code”

Introduction Malicious-Code Threat Model (1)  Malicious code / logic ACTOR ACCESS ASSET ACTION OUTCOME Malware Hardware, software or firmware  Actor: structured or unstructured threats intentionally included or inserted  Individuals, organizations, nation-states in system for unauthorized purpose  Access: allowed physical or logical path  Classification may be difficult  Asset: resource of interest Categories overlap because malware may have  Action: execution of malicious code or logic multiple functions and attributes  Outcome E.g., virus / worm / Trojan horse / spyware  Intelligence, surveillance, reconnaissance  Disruption of operations  Some code may not be intended as malware by creators  Destruction of assets  Publicity for cause Context and intent determine whether code is  Negative publicity against victim viewed as malicious

Malicious Code Threat Model (2) Self-replicating Code

 Not inherently malicious Self-replicating Code  Early experiments (1960s) Actors: Origin of Malicious had no evil intent Code Threats Darwin (1961) involved Actors: Structured Threats memory worms Actors: Unstructured Self-replicating code Threats Competition → resource exhaustion Access vs Action: Vector vs Payload

5 Copyright © 2014 M. E. Kabay. All rights reserved. 6 Copyright © 2014 M. E. Kabay. All rights reserved. Is a Beneficial Virus Is Writing Malware Illegal Possible? in US?  Ideas for beneficial self-propagating code:  No explicit law against writing malicious code Distribute antivirus programs  No illegality even in sharing such code automatically through Internet among willing recipients Install patches on servers in networks  Current efforts to define statutes Distribute useful information automatically Based on laws banning  Consensus on Problems Preventing Use: possession of burglary tools (e.g., lock picks) What if there’s a bug or incompatibility in the self-propagating code? Require registration and licensing of locksmiths What if the patches are not appropriate for a specific Would treat malware and Trojans in same server or network? way What if the owner/user does No significant progress to date not see the patch as useful?

Actors: Origin of Actors: Structured Threats Malicious Code Threats  Well-funded, systematic  Structured threats  Industrial espionage, information operations, large- scale fraud & theft Nation-states  Organized crime responsible for 90% malware Corporate criminals Extortionists target online gambling Organized crime Pump ‘n’ dump schemes cost $B  Unstructured threats Industrial espionage using spyware growing Rogue actors; e.g.,  China major player Individuals Major source of attacks Script kiddies PRC PLA doctrine emphasizes asymmetric warfare using information technology Total government control over hacking

Access vs Action: Actors: Unstructured Threats Vector vs Payload  Random  Vector  Relatively limited Agent is avenue of access  Does not target national Physical access via people who can enter security premises  Relatively minor Network access via Web server, client systems, e-mail attachment, portable device (e.g., infected USB flash drive)  Payload Function (action) inserted in system Malicious logic, remote access software, remote control software

 Viruses  Worms  Boot sector: sector 0 of disk  Trojans  File infector: inserts JUMP instruction, adds code, returns to original location and  Spyware & Adware continues loading  Rootkits  Macro virus: exploits weakness of MS  Bots & Botnets scripting language in Word,  Malicious Mobile Code PowerPoint, Excel, Access etc.

Viruses (1) Viruses (2)

 Boot sector  Program infectors

1995-1996: Early Macro Viruses (3) Viruses  Macro  MS-Word macro virus (concept) released Aug 95 MS-Word macro viruses reached more than half all infections in the wild by 2009  About 1000 types of macro viruses of all types known to date (Sep 2013)  MS-Excel virus discovered June 96 Anti-virus available within days Spreading more slowly than Word macro viruses because of lower rate of exchange of spreadsheets

17 Copyright © 2014 M. E. Kabay. All rights reserved. 18 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-03: Melissa Virus Viruses (4)  Logic Bombs Friday 26 March: CERT-CC initial reports of fast-spreading new MS-Word macro virus Any malicious code, replicating or not, that  Melissa written to infect Word documents delivers a payload as a result of a logic test (e.g.,  Uses victim's MAPI-standard e-mail address specific date, absence of employee record) book Time bombs (set off on a date or category of  Sends copies of itself to first 50 people on list date) are a subset of logic bombs  E-mail message w/ subject line "Important  Cross-site scripting malware Message From ” Exploit flaws in Web application servers & client  Spread faster than any previous virus code  Followed by similar e-mail-enabled viruses In 2005, “Samy” created script that generated >1M “friends” on MySpace using flaw in Internet Explorer to use JavaScript insertion exploit Sentenced to 3 years probation, 90 days

Viruses (5) Viruses vs Worms  Polymorphic viruses  Viruses integrate into host code Intended to defeat signature- Replicate upon execution of infected code based antivirus tools  Worms are free-standing code Modify themselves at time of Replicate via networks replication  Polymorphic Engine E-mail (e.g., Outlook) especially common vector Encrypts code  Some worms have viral properties Includes self-decryption capability Integrate themselves into e-mail Dark Avenger wrote MtE (aka messages and convert them to Mutation Engine) in late 1980s executable files Programmer from Sofia, Bulgaria Frequently conceal executable file type Detested Vesselin Bontchev, famous AV expert Depend on default suppression of file Also attacked researcher Sarah Gordon by suffix (e.g., AnnaKournikova.jpg.vbs.txt) name

1987: IBM Christmas Tree Worm 1988: The Morris Worm

 E-mail sent via IBM internal e-mail network  Robert T. Morris (not a “Robert T. Morris, Jr”!)  Included program to draw ASCII Christmas tree on screen Cornell University grad student Son of famed NSA cryptographer  Used recipient’s e-mail address book to Robert H. Morris mail itself to everyone on the network Wrote paper on sendmail and fingerd  No mechanism to prevent vulnerabilities on UNIX systems superinfection Seems to have intended to  Overloaded worldwide IBM networks demonstrate significance  Messages escaped from IBM into  Released a defective version of his demo worm BITNET Originally intended to replicate slowly, avoid superinfection In fact grew fast and superinfected systems worldwide

23 Copyright © 2014 M. E. Kabay. All rights reserved. 24 Copyright © 2014 M. E. Kabay. All rights reserved. 1999-12 W.95.Babylonia Morris Worm (cont’d) Virus/Worm  Launched Worm at 17:00 on 2 November 1988  Extensible virus  By 06:00 next morning the Internet was effectively  Payload modified remotely down  Trojan virus-dropper ~6,000-9,000 systems crashed or taken offline Disguised as Y2K bug fix for internet relay  Computer scientists worked feverishly all night chat (IRC) users analyzing the Worm  Sent itself other users Distributed fixes by telephone and fax (no ‘Net)  Polled Internet site in Japan Led to formation of CERT-CC® in Dec 1988 Looked for updated plugins  Morris convicted of violating 1986 Computer Fraud and Abuse Act (18 USC §1030) 400 hours community service + $10K fine

2000-05: ILOVEYOU 2000-06: Timofonica Worm Worm  E-mail subject ILOVEYOU  E-mail attachment  E-mail enabled malware LOVE-LETTER-FOR-YOU.TEXT.vbs  Automatically sent pager  Used all addresses in address book message to block of Telefonica cell phones  Became #1 infectious code in Europe, Asia, USA  Tried to delete all data on  Variants appeared quickly hard disk  Created by 27-yr-old Filipino computer student Onel de Guzman No local laws against spreading viruses Creator given job as programmer! 

2001-03: SirCam Worm 2001-06: CodeRed Worm  Propagated on Windows systems  Infected vulnerable Web servers  Used standard e-mail address books Windows NT or Windows 2000 or CISCO equipment running MS-IIS software that has not been patched  Infected document, converts to executable  Showed message on Web home page: Most naïve users turn off suffix display HELLO! Welcome to http://www.worm.com! Hacked By Chinese! So myfile.doc.exe looks like myfile.doc  Sent copies of itself to computers in list of IP addresses  Created e-mail message with random subject  On 20th through 28th of month, tried to swamp specific and randomized text asking for comment target with DoS (denial-of-service) attack Original worm attacked numerical address of White  Sent infected file to everyone on e-mail list House  Documents may contain confidential info Later versions received instructions from remote master computer program controlled by criminal  See hacker http://www.cert.org/advisories/CA-2001-22.html  See http://www.cert.org/advisories/CA-2001-19.html

29 Copyright © 2014 M. E. Kabay. All rights reserved. 30 Copyright © 2014 M. E. Kabay. All rights reserved. Spread of the CodeRed Worm Trojans  Named for the Trojan Horse in the Iliad  Overt function useful or harmless  Covert function unauthorized, usually harmful  Functionality may be associated with all types of malware Worms Standalone programs  Early Trojans included PC-Cyborg (“AIDS Information Disk”) of 1989 Replaced autoexec.bat to count boots On 90th boot, encrypted file/directory names Author, Dr Joseph Popp arrested, extradited to US from UK, but never convicted due to mental incompetence

2000-01: Haiku Worm Spyware & Adware (Trojan)  Software that collects user information without permission F-Secure (formerly Data Tracking & reporting Web usage Fellows) Monitoring use of licensed programs  E-mail enabled virus/worm Monitoring or blocking copying of music  Carrier: detailed e-mail message about Haiku Click-fraud (automatically clicks on ads for profit) generator  Spyware serving unwanted ads = adware Actually works — Haiku in Windows box  Legal issue is EULA (end-user license agreement)  Worm code spreads through victim's e-mail If no clear statement of functions, spyware/adware may address list be violation of 18 US1030(a) (Computer Fraud & Abuse  Occasionally downloads and plays a .wav file Act of 1986) from a Web site If EULA is clear and user agrees, matter of contract law But many users never read EULA at all…  Some spyware/adware difficult to uninstall (hides itself)

Rootkits Bots & Botnets (1)  Program that allows covert access after installation  Bots Automated processes on the Compromise application, library, kernel, Internet & WWW hypervisor & hardware levels Carry out specific tasks; Early versions replaced Unix components e.g., Kernel-level rootkits run as device drivers Web spidering: collecting files from Web (e.g., GOOGLE engine bots)  Classic examples: BO & BO2K Monitoring conversations on talk channels (e.g., Back Orifice by Sir Dystic of Cult of the Dead Cow for suppression of profanity or automated (cDc) presented at DEF CON 6 in 1998 responses to questions) Back Orifice 2000 by Dildog of cDc presented at  IRC Bots DEF CON 7 in 1999 Internet Relay Chat used for communications Both provide “remote systems administration” IRC bots widespread for criminal activity Both used by Trojan droppers  Bot Herders control 100K bots for commercial (criminal) activity such as DDoS, spam BO2K hides itself from discovery

 Grum: 18 billion spam messages per day  ZeroAccess: fastest growing botnet: 2M  Lethic: 28% of all spam in 2012 nodes – ad-click fraud  Festi: infected 250,000 unique IP addresses  TDL-4: “…removes competing malware, hides from detection and installs a master boot  Cutwail: DDoS attacks vs 100s Websites record. The newest variant of TDL-4 has  Zeus: 944 Zeus command and control (C&C) infected approximately 250,000 unique servers – botnets steal banking info victims.”  SpyEye: steal consumer banking data (~278  Flashback: 100k Mac computers infected – SpyEye C&C servers in use collects passwords (e.g., Google, Paypal) …  Citadel: “…social network allowing users to infected 10 percent of home networks with report bugs and even suggest new features. Mac computers by Apr 2012 2012 has seen a 20 % increase in Citadel Trojan attacks” Morgan, C. “The Worst Botnets of 2012.” Storagecraft (2012-11-15). Morgan, C. “The Worst Botnets of 2012.” Storagecraft (2012-11-15). http://www.storagecraft.com/blog/the-worst-botnets-of-2012/ http://www.storagecraft.com/blog/the-worst-botnets-of-2012/

Malicious Mobile Code Detection of Malicious Code

 Web servers host pages with active content  Mobile code may be written in (e.g.) Signature-Based ActiveX controls Network-Based Java applets JavaScript Behavioral Adobe Flash Heuristic  Often involved in phishing attacks  See CSH6 Chapter 17, Mobile Code.

Signature-Based Malware Network-Based Malware Detection Detection  Oldest method of recognizing malware  Look for effects of running malware; e.g., Identify known strings of code/text Connection to unusual / characteristic Defeated by polymorphism server (like IRC)  Hashes Unusual protocols (not normal for system) Compute cryptographic hash of all executables on system; e.g., Peculiar packets (nor normal for protocol) MD5  Can establish baseline for behavior SHA-1 Monitor KNOWN-CLEAN system Digital signature using public key cryptosystem Critically important not to include malicious code in baseline Identify unauthorized changes (caused by malware) by checking table of hash values Compare observed behavior with baseline Look for outliers & investigate deviations

41 Copyright © 2014 M. E. Kabay. All rights reserved. 42 Copyright © 2014 M. E. Kabay. All rights reserved. Behavioral Malware Heuristic Malware Detection Detection  Heuristic in this context means able to  Monitor behavior of code change / learn Look for violations of security standards;  Apply statistical modeling & theoretical e.g., behavioral models Attempting to modify areas of memory Computer score / metric to outside local stack of process evaluate likelihood that Attempting to raise privilege level program is legitimate  Sandboxes Can detect new variations of malware Run code in restricted environment Even if signature not yet registered by E.g., Java sandbox conventional scanners  Virtual machines a form of sandbox  Modern antimalware products include option Increasingly popular for heuristic scanning Should enable it!

Prevention of Malicious Code Defense in Depth vs Malware Attacks  No one AV program can  Defense in Depth vs Malware protect against all malware  Operational Controls  Defense in depth uses multiple concurrent vs Malware strategies  Human Controls vs Operational controls Malware Human controls  Technical Controls vs Technical controls Malware  Different approach is to define orthogonal systems Function in only one demonstrably correct way But no one wants single- purpose, rigid systems

Operational Controls vs Human Controls vs Malware Malware  Provide training on malware policies &  Written policies and procedures procedures Govern introduction of programs into  Topics production environment Current threats; e.g., Who can install programs? Advance-fee fraud (Nigerian 419 fraud) Acceptable use policies for Internet and e- mail use (CSH6 Chapter 48, “E-mail and Social engineering (see CSH6 Chapter Internet Use Policies”) 29, “Social Engineering & Low-Tech Attacks”) How to respond to suspected attack Malicious attachments See CSH6 Chapter 47, “Operations Security & Production Controls” Detecting the threats – not ignoring AV popups!  Employment policies & procedures Proper response CSH6 Chapter 45, “Employment Practices & Policies” Contact Help Desk at once

47 Copyright © 2014 M. E. Kabay. All rights reserved. 48 Copyright © 2014 M. E. Kabay. All rights reserved. Technical Controls vs Implementing Antivirus Malware Systems  Implementing Antivirus  Use both network-based & host-based Systems systems  Host Configuration  Choose products from different vendors to Controls & Security run concurrently  Network-Based Security  Run updates automatically on all systems Controls daily at least  Network Monitoring  E-mail may require separate appliance/ system to control malware attachments, spam, fraud, phishing….

See CSH6 Chapter 41, “Antivirus Technology”

Host Configuration Network-Based Security Controls Controls & Security  Configure layered defense to interfere with malware propagation  Automatic updates / patches essential  Eliminate non-critical software & services Routers Minimize threats that target growing complexity of Firewalls environment Proxies Current software development Switched virtual local area introduces average of 4.5 errors per networks (VLANs) 1000 lines of code  Filter aggressively Inevitably, more code means more errors Bogus inbound network addresses (BOGONs) Simplify environment to degree Packet from an unassigned region of IP address possible space  Browsers Spoofed internal addresses Eliminate if possible Claim to be from inside the target system Otherwise, apply tight security Packets from hostile countries (e.g., PRC) with Use secure Web proxy whom you need no communications

Network Monitoring Awareness Tools  ICSA Labs  Monitor & aggregate data from sensors https://www.icsalabs.com/products Device logs  Virus Bulletin http://www.virusbtn.com/index Server logs  Avast! Host logs http://www.avast.com/virus-monitor Intrusion detection alerts  McAfee Virus Information Network flow data http://home.mcafee.com/virusinfo  Define historical database of  Microsoft Malware Protection Center normal behavior http://www.microsoft.com/security/portal/  Look for anomalies – statistical outliers  Sophos http://www.sophos.com/en-us/security-news- trends.aspx  Trend Micro http://us.trendmicro.com/us/trendwatch/

Details available through all the links

Lots more info below

Up to date details available online anytime. http://www.trendmicro.com/us/security-intelligence/index.html

55 Recent Statistics (Q2 2013) http://www.securelist.com/en/analysis/204792299/IT_Threat_Evolution_Q2_2013Copyright © 2014 M. E. Kabay. All rights reserved. 56 Copyright © 2014 M. E. Kabay. All rights reserved.

DISCUSSION rity-intelligence/current-threat-

57 Current Situation (Sep 2013) http://www.trendmicro.com/us/secu activity/malicious-top-ten/index.html Copyright © 2014 M. E. Kabay. All rights reserved. 58 Copyright © 2014 M. E. Kabay. All rights reserved.