Chapter 13: Malicious Code. A class of unwanted software, also called “malware”. Three major arrival scenarios: aided by the user (installs/opens a contaminated file); arrives on its own (a vulnerability or “feature” allows execution); is left behind after an adversary breaks in. The user may be: unwitting – didn’t have a clue; witting – knew better, did it anyway; half-witting – knew better, took a chance. Chapter 13 Malicious Code.
Malicious Code – Impact. May be benign or destructive. Why? Because malware typically contains an executable and can do anything an executable can do. Even if benign, it consumes resources (runs, replicates, occupies storage, consumes CPU cycles, slows the system) and takes time and effort to remove (costs $). Example: Happy99 (happy.exe) presented a pretty happy-new-year graphic for 1999, modified a system DLL (WSOCK32.DLL) so it could mail itself to others, and did no additional damage.
Malicious Code – Impact. On the other hand, we can’t really be sure they are benign; at best, we often don’t know what malware does. If destructive, it is clearly a much more serious menace. Example: Mydoom.F (the sixth variant of Mydoom) searches for files with the extensions .mdb, .doc, .xls, .sav, .jpg, .avi and .bmp, and randomly deletes them.
Malicious Code – The Threat is Growing
Year   New Vulnerabilities   Known Viruses
1998          262               40,000
1999          417               48,000
2000        1,090               55,000
2001        2,437               59,000
2003        3,820               90,000
Both viruses and vulnerabilities continue to grow rapidly.
Malicious Code – Why is the threat growing? More products (e.g., wireless, PDAs, new OS versions). Better delivery – web expansion in the middle to late 90s. Experience of malware developers – from an infant industry to highly experienced in the past decade. Commitment of nation states to information warfare. Do we really know who is launching the attacks and developing the code?
Malicious Code – Why is the threat growing? Spreading is getting faster. Time for a new virus to reach #1 in infected systems: Form virus – 1994 – floppy infector – 2-3 years; Concept macro virus – 1996 – Word macro infector – 2-3 months; Nimda – 2001 – 22 minutes; Slammer – 2003 – 3 minutes (reached 90% of all vulnerable hosts in 10 minutes).
Malicious Code – Taxonomy (Classification). Warning – this is a dynamic, changing list. New names and classifications are being seen all the time. It is likely that the list will grow significantly in the future. We begin with the traditional view (found in most texts).
Malicious Code – Traditional Taxonomy
Malicious Software (Malware)
  Requires a host program:
    Do not replicate: Logic Bombs, Trojan Horses
    Do replicate: Viruses
  Does not require a host program:
    Do replicate: Worms, Bacteria
But, we now have blended threats and other newcomers!
Malicious Code – Another Taxonomy. A spectrum ordered from harmless/monitor to modify/control: Cookies; History & Logs; Pop-ups/Spam; Ad-ware; Spyware; Keystroke Loggers; Trojans/Logic Bombs; Viruses/Worms/Applets (dangerous).
SpyWare – What is it? Not precisely defined, but common usage says: “Spyware refers to software that gathers information about a computer’s use and relays that information back to a third party”. Rarely with, and most often without, the user’s knowledge or consent (where consent is obtained, it is almost always buried in the license agreement the user acknowledges before installing the software).
Classes of SpyWare. Persistent cookies: track the user’s web habits. Web bugs: a hidden image embedded in a web page and recorded by the spyware as evidence that the page was visited. Browser hijackers: change a browser’s settings such as the start page or search functionality. Keyloggers: log keystrokes and/or web sites visited, IM sessions, windows opened, programs executed.
Classes of SpyWare. Tracks: capture information recorded by an OS or application, such as recently visited web sites or recently opened files or programs. Malware: viruses, worms, Trojans, logic bombs, phone dialers, etc. Spybots: monitor the user’s behavior – fields typed in web forms, e-mail/contact address lists, URLs visited. May be used to generate spam address lists.
New Classes of SpyWare. Adware: displays ads, reports browsing behavior. The preceding classes are recognized in the literature; there is at least one additional class not yet reported. DataLoggers: establish a man-in-the-middle proxy between the user’s browser and every web site. All web pages pass through the proxy, where they can be logged. This exists in at least one Chinese browser required to access Chinese web sites.
SpyWare – Other Characteristics. Many instances have an automated update capability that can add new functionality. Spyware has been demonstrated to have vulnerabilities that can be exploited; actual exploits have not been reported, but are expected to follow announcements of weaknesses. Spyware is present on a high percentage of systems (as high as 80% in some corporate cases) in all environments where the Internet is commonly used (homes, corporations, universities, etc.).
SpyWare – Number of Programs. A growth industry. As of January 2004 the SpyBot database listed 790 spyware instances (1): Cookies/Web bugs: 34; Browser hijackers: 153; Keyloggers: 62; Tracks: 231; Malware: 168; Spybots: 142. (1) All software, including COTS (e.g., commercial keyloggers).
SpyWare – Risk Profile. Compromises a user’s privacy. Can detract from the usability and stability of a system. Can introduce vulnerabilities. Can contain malware. Some spyware (e.g., cookies, adware) is relatively benign and some is malicious. It is hard to tell the difference, and the delivery mechanisms can be the same for both.
SpyWare – Threats. The primary threats are malware and keystroke loggers. Remote-access users are at highest risk because of a lack of physical protection, intrusion detection and firewall filtering, and because of multiple users (e.g., family use at home). However, internal corporate users are also at risk, based on existing experience.
SpyWare – Detection/Eradication. Anti-virus vendors have not yet addressed the issue, but appear to be moving in this direction. There are products available that specifically detect, block, and/or remove spyware, including: SpyBot (freeware): http://security.kolla.de ; Adaware (freeware): http://www.lavasoftusa.com ; Pest Patrol (COTS): http://www.pestpatrol.com
Pest Patrol – VPN Connection. 1. User requests a VPN connection. 2. The firewall (Check Point) asks the client whether it is free of spyware. 3. The client invokes Pest Patrol to scan the remote system. 4. If the answer is “yes” the VPN connection is allowed; if “no”, the connection is denied.
Pest Patrol – More Characteristics. Operates with the Check Point VPN-1 policy server. Clients can be installed from a central server. Scan logs are centrally stored. Supports e-mail notification of events.
SpyWare – Industry Comments. CIAC: “Because of their unknown nature and the high potential for abuse, parasite programs of the active adware, spyware, and stealth networks types should not be allowed on systems within companies or the government.” LANL: prohibits spyware, peer-to-peer, etc. on the visitor network. U of Washington: “the potential for spyware to cause substantial security problems is real.”
Peer-2-Peer Computing – Problems with KaZaA. Peer-2-peer computing is a relatively recent phenomenon that distributes information among the peer nodes instead of concentrating it at a central location (at least in its purest form). This allows the broad sharing of information among peers. P-2-P has been widely used to share music files. There are multiple P-2-P models, from centralized (Napster) to fully distributed (Gnutella).
Peer-2-Peer Computing – Problems with KaZaA. KaZaA is an intermediate model and a recent example of P-2-P; it was developed in Amsterdam by FastTrack. Other similar programs include: Gnutella, Morpheus, WinMX, BearShare, eDonkey2000, Direct Connect, AudioGalaxy, Skype (from the KaZaA authors), and many, many more.
KaZaA – How it works. A centralized server maintains user registrations, logs users into the system to keep statistics, provides downloads of the client software, and bootstraps the peer discovery process. Requires client installation. Client types: supernodes (fast CPUs plus high bandwidth) and nodes (slower CPUs and/or connections). Supernode addresses are provided in the initial download; supernodes maintain searchable indexes and proxy search requests for users.
KaZaA – Client Software. A graphical user interface (GUI) à la Microsoft Outlook. Supports instant messaging (P-2-P, not community chat). Holds a database of supernodes and/or peers. Includes a search engine to identify the location of desired files by name and keyword (keyword descriptors are generated and stored in file descriptors for each file).
KaZaA – Client Software. Has a rudimentary web (file) server that delivers files to peers on request. Security issues: the user downloads a client over whose functionality there is no control, and the client, by design, exposes file shares to the external world (anyone else with a KaZaA client).
KaZaA – Graphically. [Diagram: User → Central Server: initial registration, initial download. User → Supernode: Search Request (title, keyword). Supernode → User: Search Response (peer IP, File 3). User → Peer1: Get File 3. Each of Peer1 … Peer n holds File 1, File 2, … File n.]
KaZaA – Some Details. On initial registration, the client may be provided with a list of more than one supernode. Supernodes are “elected” by the central server – users can decline. Supernodes can come and go, so links may fail over time. If a peer attempts a connection and fails, it can request a referral – this becomes important when a firewall is used. File transfers use HTTP over TCP port 1214 (the KaZaA port).
KaZaA – The Firewall Breach – Part 1. [Diagram: host A on the protected network, host B on the Internet, firewall between them.] 1. Insider A initiates a connection (SYN, SYN-ACK, ACK) to a supernode and sends a search; the response returns on the same connection. Outbound-any is OK, so the firewall allows it. 2. Insider A initiates another connection (SYN, SYN-ACK, ACK) and sends Get File. Outbound-any is OK.
KaZaA – The Firewall Breach – Part 2. [Same diagram.] 1. No activity, but A’s connection to the supernode is always ON. An outsider initiates a connection (SYN, SYN-ACK, ACK) to the supernode and sends a search; the search response identifies system A behind the firewall. 2. The outsider initiates a SYN directly to A: the firewall drops it, since inbound is not OK for this service.
KaZaA – The Firewall Breach – Part 3. [Same diagram.] 1. Outsider B initiates a connection (SYN, SYN-ACK, ACK) to the supernode and sends a message: tell A to connect to B. 2. During on-going activity an urgent message is sent to A, over its existing connection, to connect to B. 3. Insider A initiates a connection (SYN, SYN-ACK, ACK) to B; several messages follow, but the result is that the file is transferred. A tricky way to get past a firewall.
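The three parts above, replayed against a toy stateful firewall. This is an added example and not code from the original slides or from KaZaA: the host names, the push-message format and the optional egress rule are illustrative assumptions (real clients can also use ports other than 1214). The point it makes concrete is that a stateful “outbound any, inbound none” policy is exactly what a push relayed over an already-open outbound connection walks through, and that an egress rule is what closes this particular path.

```python
"""Toy model of the KaZaA 'firewall breach': a stateful firewall that allows
anything outbound and drops unsolicited inbound SYNs, plus the push message
a supernode relays to the inside host over its already-open outbound flow.
Added example, not from the original slides; names, message format and the
egress rule are illustrative assumptions."""

from dataclasses import dataclass, field

KAZAA_PORT = 1214  # port named on the slides for KaZaA transfers (assumed for all flows here)


@dataclass
class StatefulFirewall:
    # Flows the inside opened: (inside_host, outside_host, dst_port)
    flows: set = field(default_factory=set)
    # Optional egress rule: destination ports blocked even for outbound SYNs
    blocked_egress: frozenset = frozenset()
    log: list = field(default_factory=list)

    def outbound_syn(self, src, dst, dport):
        if dport in self.blocked_egress:
            self.log.append(f"DROP outbound {src}->{dst}:{dport} (egress rule)")
            return False
        self.flows.add((src, dst, dport))
        self.log.append(f"ALLOW outbound {src}->{dst}:{dport}")
        return True

    def inbound_syn(self, src, dst, dport):
        # A new inbound connection never matches a flow the inside opened.
        self.log.append(f"DROP inbound {src}->{dst}:{dport} (unsolicited)")
        return False

    def deliver_on_flow(self, inside, outside, dport, message):
        """Application data riding an established outbound flow passes both ways."""
        if (inside, outside, dport) in self.flows:
            self.log.append(f"PASS data {outside}->{inside} on existing flow")
            return message
        self.log.append(f"DROP data {outside}->{inside} (no flow)")
        return None


def run_scenario(block_egress_1214=False):
    """Replays Parts 1-3 and reports which path got the file out."""
    egress = frozenset({KAZAA_PORT}) if block_egress_1214 else frozenset()
    fw = StatefulFirewall(blocked_egress=egress)
    # Part 1: insider A opens an outbound connection to a supernode and searches;
    # the search response (which names A) rides back on the same flow.
    fw.outbound_syn("A", "supernode", KAZAA_PORT)
    # Part 2: outsider B, having learned A's address from a search response,
    # tries to connect straight in. The inbound SYN is dropped.
    direct = fw.inbound_syn("B", "A", KAZAA_PORT)
    # Part 3: B asks the supernode to tell A to connect to B. The message goes
    # down A's existing outbound flow, and A obeys with a new *outbound*
    # connection, which the firewall treats like any other.
    push = fw.deliver_on_flow("A", "supernode", KAZAA_PORT,
                              {"connect_to": "B", "file": "File 3"})
    via_push = push is not None and fw.outbound_syn("A", push["connect_to"], KAZAA_PORT)
    return {"direct_inbound": direct, "via_push": via_push, "log": list(fw.log)}


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

With the egress rule switched on, the initial connection to the supernode is dropped too, so the push never arrives; the general lesson is that any persistent outbound connection to an untrusted rendezvous point is a remotely triggerable inbound channel, whatever port it uses.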
KaZaA – Consequences. Bandwidth – U of Vermont (45% of Internet bandwidth). Potential for the original client download to be a Trojan – it is. Potential for files downloaded into the protected network to also be Trojans. On the plus side: P-2-P is coming and many think it is the next Internet KILLER APP. The web centralizes information access; P-2-P distributes it. Commercial products will have security controls.
KaZaA – The Trojan. KaZaA clients come complete with a Trojan from Brilliant Digital Entertainment: 3D advertising technology plus node software that can be controlled by Brilliant Digital. The intent is to use the massed horsepower to host and distribute content for a fee – with the user’s permission, of course, on an opt-out basis (not opt-in!). Content is to include advertising, music and video. Tapping unused cycles for compute work was also mentioned.
Malicious Code – Yet Another Category. Hostile Java applets – code snippets executed by Java to perform some function, often embedded in a web page. This is essentially mobile code (code that can move to different execution environments): a “feature” with side effects. It may belong on the “requires a host program” list; the host in this case is your browser with Java enabled. The applet is introduced to your system when you visit a web page containing it.
Malicious Code – Bad Applet Types: “malicious” and “attack” applets. Malicious applets are in the wild. For the most part they are annoying, but they can be serious – they can result in denial of service and invasion of privacy. Attack applets are not yet in the wild, but have been extensively tested in lab settings. They attempt to compromise the Java security model, break through the Java sandbox and take over a system.
Entrance Paths
Logic Bombs, Trojans, Viruses:
1. Integral to or attached to an executable program, including macros that are enabled to be executed when a file is opened.
2. Transported by media (e.g., floppy, tape, CD-ROM) or arrive over the network as attached or directly executable programs.
Worms, Bacteria:
1. Do not require a host program for transport.
2. Arrive directly from the network – self-propagate.
Entrance Paths
Applets: are part of a web page you visit. If Java is enabled, the applet will execute and do its thing.
Spyware: multiple paths, as discussed earlier.
Virus Behavior – Like Biological Viruses
1. Typically small programs, attached to, or that attach themselves to, executable files (e.g., a program, a script, or a command string).
2. Activate when the host program is executed.
3. May be benign or malignant (i.e., destructive). Can do anything a program can do!
4. Cannot infect a system from a file that is never executed or interpreted (a document with enabled macros counts as executable).
5. Might or might not cause physical damage.
6. Can infect firmware (e.g., flash ROM, BIOS).
7. Activate on an event (e.g., when executed, on a date, after n re-boots, at some random time).
8. Replicate/attempt to infect other files (e.g., Melissa).
Indications of a Virus. 1. Computer runs slow. 2. System runs out of free space. 3. Unexplained file size changes. 4. Unexplained files appear on the hard drive. 5. Unexplained behavior: the CD-ROM drawer opens and closes on its own (a joke); programs won’t execute; files won’t open; characters missing from displays; obscene language appears on the display; and almost any other strange behavior you can imagine.
Flash Memory Viruses
Flash memory is writeable firmware, found in modems, PC BIOS, video cards, printers, routers, etc. Its increasing use allows changes to a hardware device after manufacture. For example:
1. 56k modems – two pre-standard designs used flash; when the V.90 standard was issued, a downloadable upgrade.
2. Routers – downloadable protocol changes, support for new protocols and features.
3. Other devices – bug fixes and performance updates.
Virus Types. Companion – uses the execution hierarchy (order) of the system. Parasitic – attaches to a host program and executes when the host program executes. OS Structure – attaches to OS components (e.g., boot blocks).
Virus Types. Macro – infect macro languages (e.g., Word, Excel). Polymorphic – mutate with each infection. Stealth – attempt to hide from detection. Jokes & Hoaxes – do nothing but excite some users.
Companion Viruses. Rely on the execution (search) order of a system (e.g., in DOS/Windows the order is .COM, then .EXE, then .BAT). The user types WP, meaning WP.EXE. The OS will search for WP.COM first, then WP.EXE. If a virus exists called WP.COM, it will execute first and often then run or attach itself to WP.EXE. Using common names has also been used to trick users into unwittingly executing a virus program.
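The search-order mechanism above, written out as a resolver and a triage check. This is an added example, not code from the original slides; the directory listings are constructed, and the search order is the .COM/.EXE/.BAT one the slide quotes, applied within each directory in the order the shell would search them.

```python
"""Companion-virus resolution check for the DOS/Windows search order quoted
on the slide. Added example, not from the original slides; the directory
listings below are constructed."""

SEARCH_ORDER = (".COM", ".EXE", ".BAT")  # tried in this order inside each directory


def resolve(command, path_dirs):
    """Which file runs when the user types `command` with no extension.
    path_dirs is an ordered list of (directory, [file names]) as the shell
    would search them. Within one directory .COM beats .EXE beats .BAT, so a
    WP.COM dropped next to WP.EXE runs first; an earlier directory on the
    path beats a later one regardless of extension."""
    for directory, listing in path_dirs:
        names = {n.upper() for n in listing}
        for ext in SEARCH_ORDER:
            candidate = command.upper() + ext
            if candidate in names:
                return directory + "\\" + candidate
    return None


def companion_candidates(path_dirs):
    """Triage list: base names present with more than one executable
    extension in the same directory, with the file that wins the search
    order first. Legitimate pairs exist (an .EXE shipped with a small .COM
    launcher), so inspect the winner rather than deleting it."""
    out = []
    for directory, listing in path_dirs:
        by_base = {}
        for n in listing:
            up = n.upper()
            for ext in SEARCH_ORDER:
                if up.endswith(ext):
                    by_base.setdefault(up[:-len(ext)], set()).add(ext)
        for base in sorted(by_base):
            exts = [e for e in SEARCH_ORDER if e in by_base[base]]
            if len(exts) > 1:
                out.append((directory, base + exts[0], [base + e for e in exts[1:]]))
    return out


# Constructed listings: a WP.COM companion has appeared beside WP.EXE.
SAMPLE_PATH = [
    ("C:\\WP", ["WP.EXE", "WP.COM", "README.TXT"]),
    ("C:\\DOS", ["FORMAT.COM", "EDIT.COM", "EDIT.HLP"]),
]

if __name__ == "__main__":
    print(resolve("wp", SAMPLE_PATH))        # the companion WP.COM wins
    print(companion_candidates(SAMPLE_PATH))
```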
Typical Method of Infection. Scenario: before/after virus infection with a programmed target of certain .EXE and .COM files. [Diagram] Before infection: the .EXE header’s IP points to START of the program image, which runs through to END; the .COM file simply begins at START and runs to END. After infection: for the .EXE, the header IP is changed to point to the virus appended after END, and the virus ends with a jump back to the original START; for the .COM, the first instruction at START is replaced by a jump to the virus appended after END, and the virus ends with a jump back into the original code.
Virus Wars – A Typical Scenario – .EXE File. [Diagram of an .EXE file: file header (MZ signature, CS, IP, Size), then the program load image from START to END, then overlay data (e.g., buffer space).] MZ signature = executable file. CS and IP are pointers to the start of the program image. Size specifies the image size. The virus must change the size of the image. Respond by storing the size somewhere else. Then the virus writer compresses the infected image to be the same size as before. Respond by using a digital signature… On and on it goes!
Parasitic Viruses. Enter a system already attached to what appears to be a legitimate executable file. In the preceding example, a parasitic virus would enter a system already attached to, for example, a .COM or .EXE file as shown in the “after infection” case. Once run, the virus code could seek out other existing files with the same .COM or .EXE extensions and infect them.
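The “after infection” picture for a .COM file, and the size-then-hash arms race of the preceding two slides, carried through on bytes. This is an added example, not code from the original slides or any real virus: the tiny host program, the VX marker, the NOP payload and the baseline format are all constructed for illustration, and the appended body only keeps the overwritten entry bytes as data rather than restoring them at 100h the way a working infector would.

```python
"""Prepending-jump infection of a constructed DOS .COM image and the
integrity baseline the 'virus wars' slide ends up at. Added example, not
code from the original slides: host bytes, virus body, VX marker and the
baseline format are constructed for illustration."""

import hashlib
import struct

LOAD_ADDR = 0x100   # a .COM image is loaded at offset 100h of its segment
MARKER = b"VX"      # constructed infection marker so a file is not infected twice

# Constructed host: print "Hi$" via INT 21h/AH=09h, then exit via AH=4Ch.
# Its first three bytes (mov dx, ...) are what the infector overwrites.
HOST = bytes([
    0xBA, 0x0B, 0x01,   # mov dx, 010Bh  (offset of the message below)
    0xB4, 0x09,         # mov ah, 09h
    0xCD, 0x21,         # int 21h        (print '$'-terminated string)
    0xB4, 0x4C,         # mov ah, 4Ch
    0xCD, 0x21,         # int 21h        (exit)
]) + b"Hi$"             # message at LOAD_ADDR + 11 = 010Bh


def _entry_jump(body_offset):
    # E9 rel16: rel is relative to the byte after the 3-byte jump at START
    return b"\xE9" + struct.pack("<H", (body_offset - 3) & 0xFFFF)


def infect_com(image, payload):
    """The slide's 'after infection' .COM picture: patch START with a JMP to
    a body appended after END. The body keeps the three original entry
    bytes (as data here; a real body would restore them at LOAD_ADDR and
    jump back to START so the host still runs)."""
    if image.endswith(MARKER):
        return image                        # already infected
    body = image[:3] + payload + MARKER
    return _entry_jump(len(image)) + image[3:] + body


def infect_com_same_size(image, payload):
    """The 'compress it back to the old size' move in the arms race, modelled
    by hiding the body in trailing zero padding instead of appending."""
    body = image[:3] + payload + MARKER
    if not image.endswith(b"\x00" * len(body)):
        raise ValueError("not enough slack to hide the body")
    body_offset = len(image) - len(body)
    return _entry_jump(body_offset) + image[3:body_offset] + body


def entry_jump_target(image):
    """Offset the entry JMP lands on, or None if START is not a near jump."""
    if len(image) >= 3 and image[0] == 0xE9:
        return (3 + struct.unpack("<H", image[1:3])[0]) & 0xFFFF
    return None


def looks_infected(image):
    """Toy heuristic from the picture: entry jump lands in the back half of
    the file, where appended code lives."""
    target = entry_jump_target(image)
    return target is not None and target * 2 >= len(image)


def disinfect_com(image):
    """Undo either infector: copy the saved entry bytes back over the JMP
    and drop the body."""
    target = entry_jump_target(image)
    if target is None or not image.endswith(MARKER):
        return image
    return image[target:target + 3] + image[3:target]


def baseline(image):
    """The slide's responses in one record: size plus a cryptographic hash,
    kept somewhere the virus cannot rewrite."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def verify(image, base):
    """Size alone misses the same-size variant; the hash catches both."""
    findings = []
    if len(image) != base["size"]:
        findings.append("size changed")
    if hashlib.sha256(image).hexdigest() != base["sha256"]:
        findings.append("hash changed")
    return findings
```

The same-size variant is the interesting case: `verify` against a size-only baseline would pass it, which is why the slide’s arms race ends at a signature rather than a length.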
Operating System Structure Viruses. Attach to executable parts of the OS and/or insert themselves in unused structures. These are prime targets since they execute when the system boots. For example: Master Boot Record (MBR and partition table); unused sectors at the beginning of the disk; boot record and File Allocation Table (FAT); directory record; “bad” sectors; unused tracks at the end of the disk. Windows: modify the registry so the virus executes at startup.
Typical Bootstrap Process. On power-up, the BIOS ROM holds a program to test basic hardware and identify the boot device (e.g., floppy, hard drive). The BIOS program completes its checks and executes a set of simple load-to-memory instructions to load a more robust loader (the initial loader) into primary memory. Once the initial loader is resident, control is transferred to its starting location. The initial loader identifies the location of the operating system and loads the resident parts of the OS into memory. When loading completes, control is transferred to the operating system (e.g., the empty command-line prompt appears). [Flow: Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Find & load operating system → Transfer control to OS.] The process includes a number of validation tests using simple signatures (not cryptographic), such as a 2-byte checksum.
Typical Bootstrap Process – Infected Boot Record. In an infected system, the initial loader is replaced with an infected loader. The BIOS program completes its checks and loads the infected loader into primary memory. Once the infected loader is resident, control is transferred to the starting location of the virus. The virus loads first, makes the changes it was designed for (e.g., may erase its tracks, infect the hard drive, etc.) and then transfers control to the original loader. The OS then loads normally and control is transferred to the operating system (e.g., the empty command-line prompt appears). At this point the virus is resident and executable – it will execute and act according to its design. [Flow: Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Virus loads → Find & load operating system → Transfer control to OS.]
A Specific Infection – Michelangelo Virus. 1. An infected diskette is placed in the A: drive and booted. 2. The boot program loads the virus into main memory. 3. It infects the hard drive by moving the hard drive’s original boot block to another location on the disk and installing itself in the boot block. Every disk mounted on the system is then infected. Part of the virus program reads the system date. On March 6 the virus activates and overwrites any diskette with random characters, and on the hard disk overwrites sectors 1–17, heads 0–3, and tracks 0–255 (with random characters).
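The boot-record infection of the last three slides on a constructed raw disk image, with the two checks a responder would run on such an image: looking for a relocated boot sector (it still ends in the 55 AA boot signature) and comparing sector 0 against a hash taken from clean media, since the bootstrap’s own 2-byte checksum is trivially recomputed by the virus. This is an added example, not code from the original slides or from Michelangelo itself; the sector contents, the hiding sector and the stub format are constructed for illustration.

```python
"""Constructed raw disk image showing the Michelangelo-style boot-sector
relocation from the slide, with the checks a responder can run on an image.
Added example, not from the original slides: sector contents, hiding sector
and stub format are constructed for illustration."""

import hashlib

SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # last two bytes of a valid boot sector
TRIGGER = (3, 6)         # (month, day): the slide's March 6 activation date


def make_sector(code, bootable=True):
    body = code.ljust(SECTOR - 2, b"\x00")
    return body + (BOOT_SIG if bootable else b"\x00\x00")


def build_clean_disk(n_sectors=64):
    """Sector 0 is the only sector that should carry the boot signature."""
    disk = bytearray(make_sector(b"\xEB\x3C\x90ORIGBOOT"))  # constructed JMP short + label
    for i in range(1, n_sectors):
        disk += make_sector(b"DATA%02d" % i, bootable=False)
    return disk


def infect_boot_sector(disk, hide_at):
    """Step 3 on the slide: move the original boot sector elsewhere and put
    the virus in sector 0. The stub records where the original went (here a
    2-byte little-endian sector number) so it can chain to it after running."""
    disk = bytearray(disk)
    original = bytes(disk[:SECTOR])
    disk[hide_at * SECTOR:(hide_at + 1) * SECTOR] = original
    stub = b"\xEB\x3C\x90VIRUS" + hide_at.to_bytes(2, "little")
    disk[:SECTOR] = make_sector(stub)
    return disk


def sectors_with_boot_signature(disk):
    """Check 1: a relocated original boot sector still ends in 55 AA, so more
    than one signed sector on a single-boot-record disk is a red flag."""
    return [i for i in range(len(disk) // SECTOR)
            if bytes(disk[(i + 1) * SECTOR - 2:(i + 1) * SECTOR]) == BOOT_SIG]


def boot_sector_sha256(disk):
    """Check 2: hash sector 0 for comparison with a baseline taken from clean
    media and kept off the disk. The bootstrap's 2-byte checksum is not a
    defence, because the virus can simply recompute it."""
    return hashlib.sha256(bytes(disk[:SECTOR])).hexdigest()


def restore_original(disk, from_sector):
    """Disinfect by copying the relocated original back over sector 0."""
    disk = bytearray(disk)
    disk[:SECTOR] = disk[from_sector * SECTOR:(from_sector + 1) * SECTOR]
    return disk


def payload_fires(month, day):
    """The resident virus's date check."""
    return (month, day) == TRIGGER


if __name__ == "__main__":
    clean = build_clean_disk()
    bad = infect_boot_sector(clean, hide_at=40)
    print("signed sectors:", sectors_with_boot_signature(bad))  # [0, 40]
```

Run `sectors_with_boot_signature` over a real image with care: disks with several partitions legitimately carry one signed volume boot record per partition, so compare against the partition table rather than expecting exactly one hit.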