Goals Viruses and Worms o Introduction to malware taxonomy o Appreciating the evolution of viruses Encryption, polymorphism, metamorphism o General Anti-Virus (AV) detection techniques Thrursday, November 20, 2014 o Understanding the arms race between virus writers Sources: see final slide and anti-virus detectors. o Appreciate that: if you take your time, use a few patterns, and use many levels of indirection, you are very hard to beat CS342 Computer Security Department of Computer Science Wellesley College Viruses and Worms 22-2 TypeMalware TaxonomyCharacteristics Malware (MALicious softWARE) Virus Self-replicating code that infects a host file. Usually requires human interaction to spread. Sometimes used as generic term for all malware. o A generic term increasingly being used to describe any form of Worm Self-replicating code that spreads across a network. malicious software like: Usually does not require human interaction to spread. Rabbit Virus or worm that multiplies without bound viruses, worms, Trojan horses, rootkits, spyware, Trojan Horse Disguises itself as a useful program while masking malicious mobile code, backdoors, dialers, ransomware hidden malicious purpose. o Combinations are common Backdoor/Trapdoor Bypasses normal security controls to give attacker access User-level Rootkit Replaces or modifies executable programs used by system administrators and Some malware are actually combinations of more basic malware users (e.g., a rootkit can be viewed as Trojan horse backdoor tool) Kernel-level Rootkit Manipulates the OS kernel to hide and create backdoors o Broadly classified according to: Spyware Monitors user interaction and collects information (e.g., via keylogger) • Infection technique: how does it propagate? Logic Bomb Dormant malicious code triggered by date or event. • Impact on target: what does it do? Easter Egg Cute but harmless behavior triggered by special input. Malicious Mobile Code Small programs downloaded and executed locally with minimal user intervention. • Type of exploited vulnerability: How (by violating which Typically written in Javascript, VBScript, Java, or ActiveX assumption) did it get in? Combination Malware Combines techniques to increase effectiveness Viruses and Worms 22-3 Viruses and Worms 22-4 Malware evolution Virus Basics Themes: o Frederick B. Cohens definition: o Increasing complexity/sophistication o Acceleration of rate of A virus is a program that can infect other programs by tool/technique release o Movement from viruses -> worms modifying them to include a, possibly evolved, version of itself. -> kernel level exploits o Virus = code that attaches itself to host programs and runs when host program executes. Running the host program usually requires user intervention. o Self-replication: when the virus runs, it copies (a possibly mutated version of) itself to other host programs. • Self-replicating mutating code is a cornerstone of artificial life research. o A virus needs a target location method to find other hosts. Figure from Skoudis Malware, p.16. o A running virus may also execute a payload = mischievous or malicious action. Viruses and Worms 22-5 Viruses and Worms 22-6 Highly Destructive Malicious Viruses How do Viruses Spread? o Delete all/many files. Infected program Uninfected program owned by user 1 owned by user 2 Michelangelo virus deleted a partition on Michelangelo s birthday. o Consume resources (processor, memory, bandwidth …) virus v ⇒ denial of service. o Such viruses can have trouble spreading. Why is Ebola relatively uncommon in apes/humans (at least until User 2 simply executes user 1s infected program. 2014 …) Unlike buffer overflow, setuid not necessary! Infected program Infected program owned by user 1 owned by user 2 virus v virus v Viruses and Worms 22-7 Viruses and Worms 22-8 Somewhat Destructive Malicious Viruses Nondestructive Viruses o Install backdoors for botnots, other attacks. Many viruses spread without doing damage, but can still be o Data-diddling: modify one bit of randomly selected file, swap digits annoying or do accidental damage. in phone numbers, spreadsheets, etc. (hard to track to virus). o Elk Cloner: first microcomputer virus (Apple II) displayed poem: o Wazzu virus: randomly scramble words and insert wazzu ELK CLONER: o Typo virus: introduce typing errors for fast typists. o Random deletion: delete randomly chosen file not recently THE PROGRAM WITH A PERSONALITY accessed. IT WILL GET ON ALL YOUR DISKS o Protection changing: change ownership and protection bits on files. IT WILL INFILTRATE YOUR CHIPS YES ITS CLONER o Executive error virus: underling installs virus that makes IT WILL STICK TO YOU LIKE GLUE supervisor incompetent. IT WILL MODIFY RAM TOO SEND IN THE CLONER o Covert channel virus: in confidentiality lattice, unclassified user introduces virus to copy secret information through covert o Marburg virus: drew random icons on desktop. channel. o Spanska virus: displayed animations o Ken Thompson, Reflections on Trusting Trust: insert login Trojan into C compiler object code that cant be detected in source! o Haiku virus displayed randomly generated haiku. Viruses and Worms 22-9 Viruses and Worms 22-10 Benevolent Viruses Viruses Infection Techniques o Overwriting The payload of a virus can do good as well as bad. E.g. • Overwrite host program, changing behavior (easy to discover) o Antivirus virus: good virus that deletes bad viruses. • Typically overwrite beginning, but can overwrite later (in which case virus may not be executed). o Compression virus: automatically compress files to save space (but theres a time/space tradeoff). o Appending • Add virus code to end of program, and jump to virus. o Maintenance virus: install system updates, clean up undeleted temporary files, reset incorrect protection bits, defragment disk, • Typically virus jumps back to program to evade detection. etc. o Prepending o Distributed database virus: make copies of information across • Add virus code to front of host program. multiple machines and modify old copies to be consistent with • Parastic virus: variant that overwrites start of program, but moves recent changes. starting code later. Ethical questions: o Cavity Virus • Squirreled away in holes in program o Is it OK to distributed good viruses? • doesnt change program size o What if good virus goes has unexpected bad consequences – e.g., o Compressing Virus accidentally consumes lots of resources. o Compresses program and inserts self so as not to change program size. Viruses and Worms 22-11 Viruses and Worms 22-12 Viruses Propagation Methods Virus Propagation Vectors o Insert a copy into every executable (.COM, .EXE) o Removable storage o Insert a copy into boot sectors of disks • Floppies, writable CDs/DVDs, USB flash drives • Stoned virus infected PCs booted from infected floppies, o Email Attachments stayed in memory and infected every floppy inserted into PC • Can contain executable parts o Infect TSR (terminate-and-stay-resident) routines o Downloads • By infecting a common OS routine, a virus can always stay in o Shared Directories memory and infect all disks, executables, etc. Multi-user systems, networked file system (e.g., puma), o Infect macros in documents/spreadsheets, etc. peer-to-peer (P2P) networks • A virus in MS Word Normal.dot file can infect all documents. o Infect shell scripts and other source code. Viruses and Worms 22-13 Viruses and Worms 22-14 Basic Anti-Virus (AV) Techniques Signature-Based Scanning o Signature-based detection • signature = pattern/fingerprint matching virus • AV engine checks files against database of signatures to (1) identify o Hex strings from virus variants and (2) disinfect file containing virus, • 67 33 74 20 73 38 6D 35 20 76 37 61 • On-demand scanning (user explicitly requests) vs. on-access scanning (done every time a file is opened, modified, and/or closed). • 67 36 74 20 73 32 6D 37 20 76 38 61 • Need to update signature database frequently • 67 39 74 20 73 37 6D 33 20 76 36 61 o Heuristic detection • Check program for virus-like behavior (access boot sector, find all o Hex string for detecting virus files in current directory, write to .EXE file, delete files) • Emulate behavior before executing or execute in sandbox. • 67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 • o Integrity checking ?? = wildcard • Record file fingerprints (sizes, checksums, hashes) in pristine system and check later (e.g. Tripwire). • Used by some AV scanners to avoid more detailed scanning • Must store fingerprints carefully! Viruses and Worms 22-15 Viruses and Worms 22-16 Anti-Virus Problems Arms Race between Virus Writers/Detectors o False Positives: one version of McAfee flagged Excel! o Encrypted virus: virus consists of a constant decryptor, a key (that o False Negatives: fail to detect malware changes between copies), and the encrypted virus body. o Long detection times slows down machines • Detector finds decryptor and key & uses it to decrypt/identify virus o Oligomorphic virus: mutate decryptor slightly by using o Developing signatures/keeping databases current: > 100K new viruses/week! several decryptors or build decryptors out of simple patterns. o What to do when virus detected: Delete vs. quarantine o Polymorphic virus: mutate decryptors into millions of forms via obfuscation techniques (reordering and junk instructions), but keep o Vendors focus on big clients, not individual users (unencrypted) body same o Bad guys can disable/intercept AV scans o Metamorphic virus: mutate virus bodies via obfuscation techniques, • turn off AV scans but keep functionality • make infected file appear normal to AV detector o shuffle registers • block access to AV websites/downloads/updates o reorder instructions o Arms race o insert junk instructions • Bad guys test new viruses against AV o change source code and recompile • Stealth techniques for hiding/changing viruses Viruses and Worms 22-17 Viruses and Worms 22-18 Benign Code Can be Encrypted/Obfuscated Detecting Oligomorphic/Polymorphic Viruses Q: Why not just flag all encrypted/obfuscated code as viruses? 1. Run suspect program in an emulator A: Because these techniques are commonly used in benign code to 2.