590.05 Lecture 5: Malware Xiaowei Yang Previous lecture • Accountability • OS security Today • Malware Malware: Malicious Software 10/21/13 Malware 4 Viruses, Worms, Trojans, Rootkits • Malware can be classified into several categories, depending on propagaon and concealment • Propagaon 10/21/13 • Virus: human-assisted propagaon (e.g., open email aachment) • Worm: automac propagaon without human assistance Malware • Concealment • Rootkit: modifies operang system to hide its existence • Trojan: provides desirable funcBonality but hides malicious operaon • Various types of payloads, ranging from annoyance to crime 5 Insider Attacks • An insider a)ack is a security breach that is caused or facilitated by someone who is a part of the very organizaon that controls or builds the asset that should be protected. • In the case of malware, an insider aack refers to a security 10/21/13 hole that is created in a soXware system by one of its programmers. Malware 6 Backdoors • A backdoor, which is also someBmes called a trapdoor, is a hidden feature or command in a program that allows a user to perform acBons he or she would not normally be allowed to do. • When used in a normal way, this program performs completely as 10/21/13 expected and adverBsed. • But if the hidden feature is acBvated, the program does something Malware unexpected, oXen in violaon of security policies, such as performing a privilege escalaon. • Benign example: Easter Eggs in DVDs and soXware An Easter egg is an intenBonal inside joke, hidden message, or feature in a work such as a computer program, movie, book, or 7 crossword. Logic Bombs • A logic bomb is a program that performs a malicious acBon as a result of a certain logic condiBon. • The classic example of a logic bomb is a programmer coding up the soXware for the payroll system who puts in code that makes the program crash should it ever process two consecuBve payrolls without 10/21/13 paying him. • Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program Malware on a certain date. 8 The Omega Engineering Logic Bomb • An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was convicted of using on his former employer, Omega Engineering Corporaon. On July 31, 1996, a logic bomb was 10/21/13 triggered on the server for Omega Engineering’s manufacturing operaons, which ulBmately cost the company Malware millions of dollars in damages and led to it laying off many of its employees. 9 The Omega Bomb Code • The Logic Behind the Omega Engineering Time Bomb included the following strings: • 7/30/96 • Event that triggered the bomb • F: 10/21/13 • Focused aenBon to volume F, which had criBcal files • F:\LOGIN\LOGIN 12345 Malware • Login a ficBBous user, 12345 (the back door) • CD \PUBLIC • Moves to the public folder of programs • FIX.EXE /Y F:\*.* • Run a program, called FIX, which actually deletes everything • PURGE F:\/ALL 10 • Prevent recovery of the deleted files Defenses against Insider Attacks • Avoid single points of failure. • Use code walk-throughs. • Use archiving and reporBng tools. • Limit authority and permissions. 10/21/13 • Physically secure criBcal systems. Malware • Monitor employee behavior. • Control soXware installaons. 11 Computer Viruses • A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replicaon. • This self-replicaon property is what disBnguishes computer 10/21/13 viruses from other kinds of malware, such as logic bombs. • Another disBnguishing property of a virus is that replicaon Malware requires some type of user assistance, such as clicking on an email aachment or sharing a USB drive. 12 Biological Analogy • Computer viruses share some properBes with Biological viruses 10/21/13 Malware AKack Penetraon 13 Replicaon and assembly Release Early History l1972 sci-fi novel “When HARLIE Was One” features a program called VIRUS that reproduces itself lFirst academic use of term virus by PhD student Fred Cohen in 1984, who credits advisor Len Adleman with 10/21/13 coining it Malware lIn 1982, high-school student Rich Skrenta wrote first virus released in the wild: Elk Cloner, a boot sector virus l(c)Brain, by Basit and Amjood Farooq Alvi in 1986, credited with being the first virus to infect PCs 14 Virus Phases • Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detecBon. • Propagaon phase. During this phase, the virus is replicang itself, infecBng new files on new systems. 10/21/13 • Triggering phase. In this phase, some logical condiBon causes the virus to move from a dormant or propagaon phase to Malware perform its intended acBon. • Ac;on phase. In this phase, the virus performs the malicious acBon that it was designed to perform, called payload. • This acBon could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleBng all essenBal files on the hard 15 drive. Infection Types • Overwring original code • Destroys original code • Pre-pending virus • Keeps original code, possibly 10/21/13 compressed • InfecBon of libraries Malware • Allows virus to be memory compressed resident • E.g., kernel32.dll • Macro viruses • Infects MS Office documents • OXen installs in main document template 16 Degrees of Complication • Viruses have various degrees of complicaon in how they can insert themselves in computer code. 10/21/13 Malware 17 Concealment • Encrypted virus • DecrypBon engine + encrypted body • Randomly generate encrypBon key • DetecBon looks for decrypBon engine 10/21/13 • Polymorphic virus • Encrypted virus with random variaons of the decrypBon engine (e.g., Malware padding code) • DetecBon using CPU emulator • Metamorphic virus • Different virus bodies • Approaches include code permutaon and instrucBon replacement • Challenging to detect 18 Encrypted Viruses Computer Worms • A computer worm is a malware program that spreads copies of itself without the need to inject itself in other programs, and usually without human interacBon. • Thus, computer worms are technically not computer viruses 10/21/13 (since they don’t infect other programs), but some people nevertheless confuse the terms, since both spread by self- Malware replicaon. • In most cases, a computer worm will carry a malicious payload, such as deleBng files or installing a backdoor. 20 Early History lFirst worms built in the labs of John Shock and Jon Hepps at Xerox PARC in the early 80s lCHRISTMA EXEC wriKen in REXX, released in 10/21/13 December 1987, and targeBng IBM VM/CMS systems was the first worm to use e-mail service Malware lThe first internet worm was the Morris Worm, wriKen by Cornell student Robert Tappan Morris and released on November 2, 1988 21 Worm Development • IdenBfy vulnerability sBll • Worm template unpatched – Generate target list • Write code for – For each host on target list – Exploit of vulnerability • Check if infected 10/21/13 • Check if vulnerable – Generaon of target list • Infect • Random hosts on the internet Malware • Recur • Hosts on LAN • Divide-and-conquer • Distributed graph search – Installaon and execuBon of algorithm payload – Forward edges: infecBon – Querying/reporBng if a host is – Back edges: already infected or infected not vulnerable • IniBal deployment on botnet 22 Worm Propagation • Worms propagate by finding and infecBng vulnerable hosts. • They need a way to tell if a host is vulnerable • They need a way to tell if a host is already infected. 10/21/13 Malware iniBal infecBon 23 Propagation: Theory l Classic epidemic model Source: Cliff C. Zou, Weibo Gong, Don Towsley, and • N: total number of vulnerable Lixin Gao. hosts The Monitoring and Early DetecBon of Internet Worms, IEEE/ACM TransacBons on • I(t): number of infected hosts at Networking, 2005. me t 10/21/13 • S(t): number of suscepBble hosts at Bme t Malware • I(t) + S(t) = N • β: infecBon rate l DifferenBal equaon for I(t): dI/dt = βI(t) S(t) l More accurate models adjust propagaon rate over Bme 24 Propagation: Practice • Cumulave total of unique IP addresses infected by the first outbreak of Code-RedI v2 on July 19-20, 2001 Source: 10/21/13 David Moore, Colleen Shannon, and Jeffery Brown. Malware Code-Red: a case study on the spread and vicBms of an Internet worm, CAIDA, 2002 25 Trojan Horses • A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negave consequences (e.g., launches a keylogger). • Trojan horses can be installed as part of the payload of other malware but are oXen installed by a user or administrator, either deliberately or accidentally. 10/21/13 Malware 26 Current Trends • Trojans currently have largest infecBon potenBal • OXen exploit browser vulnerabiliBes • Typically used to download other malware in mulB-stage aacks Source: 10/21/13 Symantec Internet Security Threat Malware Report, April 2009 27 Rootkits • A rootkit modifies the operang system to hide its existence – E.g., modifies file system exploraon uBliBes – Hard to detect using soXware that relies on the OS itself • Rootkit Revealer 10/21/13 – By Bryce Cogswell and Mark Russinovich (Sysinternals) Malware – Two scans of file system – High-level scan using the Windows API – Raw scan using disk access methods – Discrepancy reveals presence of rootkit – Could be defeated by rootkit that intercepts and modifies results of raw scan operaons 28 Malware Zombies • Malware can turn a computer in to a zombie, which is a machine that is controlled externally to perform malicious aacks, usually as a part of a botnet. Botnet Controller (AKacker) 10/21/13 AKack Commands Botnet: AKack AcBons 29 Vicm Financial Impact l Malware oXen affects a large user populaon Source:(Computer( Economics( l Significant financial impact, though esBmates vary widely, up to $100B per year (mi2g) !$15B! 10/21/13 l Examples Malware ¡ LoveBug (2000) caused $8.75B in !$10B! damages and shut down the BriBsh parliament !$5B! ¡ In 2004, 8% of emails infected by W32/MyDoom.A at its peak !$! ¡ In February 2006, the Russian 1997! 1999! 2001! 2003! 2005! Stock Exchange was taken down 30 by a virus.