1 / 93

Networking & Malware

Networking & Malware. CS 598: Network Security Michael Rogers & Leena Winterrowd March 26, 2013. Types of Malware. Image courtesy of prensa.pandasecurity.com. Types of Malware. No standardized definitions!. Viruses 16,82%. Trojan horses 69.99%. Viruses.

gladys
Download Presentation

Networking & Malware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Networking & Malware CS 598: Network Security Michael Rogers & Leena Winterrowd March 26, 2013

  2. Types of Malware Image courtesy of prensa.pandasecurity.com

  3. Types of Malware No standardized definitions! Viruses 16,82% Trojan horses 69.99%

  4. Viruses • Programs capable of self-replication • Spread to other systems • Cannot execute on their own • Must attach themselves to other programs • Effectively need user-interaction to spread

  5. Worms • Standalone programs • Self-replicating • Rely on exploits to self-execute • Self-propagating • No user interaction!

  6. Ye Olde Computyre Virus Thou hast presently received ye olde virus! Since it doth not useth 'electricitee' or 'computyres', thou art on ye olde 'Honore Systeme'. Please deleteth all of thy files from thy hard drive and forward ye olde virus to thy friends.

  7. Trojans • Masquerade as legitimate files • Often 'gifts' or free downloads • Gives (unauthorized) access to a system • Most often propagated with worms • Most often contains spyware

  8. Backdoors • Bypass security to directly access data/service • Often default/hard-coded password • Maintain undetectability • Example (2003): • 2-line Linux kernel change: http://kerneltrap.org/node/1584 • Frequently used by worms

  9. Rootkits • Hide existence of a payload • Payload is often a trojan • Generally subvert/disable security programs • Usually enable root access (elevated privilege) • Modern rootkits do not do this! • Most often perform injection: • Enable a backdoor • Replace a library • Hide on devices or in BIOS • CompuTrace & LoJack DAEMON Tools is actually a beneficial rootkit! (Intercepts Windows API calls)

  10. Spyware • Collects information without user knowledge/permission • Often trojans • May be intentional • Keyloggers

  11. Adware • Automatically renders ads • Generates money for developer(s) • Often intentional • Ideally non-intrusive

  12. Typhoid Adware • An infected machine poses as the legitimate access point • Intercepts and hijacks other users connections via ARP spoofing • The infected machine inserts ad-content into video streams • Infected machine shows no symptoms • Only a NAT-box proxy Paper available at: http://pages.cpsc.ucalgary.ca/~aycock/papers/eicar10.pdf

  13. Infection Mechanisms • Droppers • Inject malware (single-stage) • Download malware to the machine (two-stage) • Pretend to be legitimate programs (Trojans) • Injector: dropper which installs to memory only • Drive-By Downloads • Placed on systems by compromised websites • Serves as point of entry for other malware • Recent Example: FBI virus (Java exploit) Image courtesy of http://www.technobuffalo.com

  14. Infection Mechanisms • DECEPTION! • Exploitation • OS design defects • Zero-day • Unpatched • Software bugs • Privilege elevation • Preexisting (related or unrelated) backdoors • 'Auto-run' on removable devices (USB, CD, etc.) • Purposely install malicious code • Physical access Image courtesy of http://www.technobuffalo.com

  15. Well-Known Malware Examples

  16. Stuxnet • In June 2010, VirusBlokAda discovered an unprecedented type of Malware – Stuxnet. • But what made Stuxnet different? (usu < 1KB)

  17. Stuxnet's Infection Mechanisms • Infected Windows systems via USB (auto-run) • 3 infections/drive; self-replicates to removable drives • Worm attempts to spread to any Windows system for 21 days • Systems were 'air-gapped' (not connected to internet) • Uses four zero-day Windows exploits • Copies itself through LAN via a print-spooler exploit • Spreads through SMB • Exploits a Windows Server Service RPC vulnerability (same as Conficker worm; patched in 2008) • 2 escalation of privilege vulnerabilities Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

  18. Stuxnet's Propagation Mechanisms • Spreads via network shares • Looks for and injects itself into specific control software project • Software has a hard-coded password • Copies to server via SQL injection • Can self-update or report data via 'command & control' servers • Self-updating via LAN or p2p • Contained a Windows rootkit to further avoid detection • Digitally signed with stolen certificates from Realtek & Jmicron Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

  19. What did Stuxnetdo? • Targeted Siemen's 315 and 417 PLCs • Fingerprinted by model number, configuration, and actual PLC code • Exploited a driver DLL to copy itself to the PLCs • Changed frequency controller drives' speeds • Alternated between slowing down and speeding up the normal frequency • Could cause a PLC-controlled centrifuge to fly apart over time Speed Settings Centrifuge Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

  20. Flame • "Arguably the most sophisticated malware ever found" • ~20 MB • Spreads via LAN or USB • Compromised Microsoft code-signing certificate • MD5 chosen-prefix collision attack • Modular design

  21. What did Flame do? • Steals information • Records Skype calls • Activates Bluetooth • Steals information from other Bluetooth devices • Communicates information back to command & control server and awaits further instructions

  22. DNSChanger • Drive-by download claiming to be a required video codec • Modified DNS config to go through a rogue name server • Injected/substituted advertising on web pages & redirected some links • Could spread within a LAN • Mimicked a DHCP server • Pointed others towards the rogue DNS servers • Perpetrators apprehended, but rogue DNS servers left running for fear of knocking infected machines off the internet

  23. Nimda • Virus/worm hybrid • Infected via multiple avenues • Email • Network shares • Compromised websites • Microsoft IIS vulnerability exploits • Backdoors left by other worms (Code Red II and sadmind/IIS) • Became the internet's most widespread worm within 22 minutes

  24. Why Malware is Written • 'For tehlulz' (entertainment value) • Causing distraction or destruction just because it's amusing • To show off • Exploit remote systems as a show of skill • Anonymity • Attacks may act as the victim • Sociopolitical • Anonymous, Lulzsec, hacktivists • Stuxnet & Flame • May cause physical damage! (Stuxnet) • For profit

  25. Malware for Profit • Spyware • Gain personal information for various purposes • Targeted marketing or identity theft • Corporate espionage/sabotage • Botnets • Cloud-based attacks (DDOS, click fraud, spam) • Adware/scareware/ransomware • Directly bilk money from victims • Recursive • Sell dropper/backdoor kits • Promote further infection

  26. Malware Propagation

  27. Target Selection • Completely targeted • Semi-targeted • Brute-force/random • Pseudorandom • Diffusion

  28. Completely Targeted • Predetermined list of targets • Common to spam/phishing • Tend to employ social engineering techniques

  29. Semi-Targeted • Takes a good guess at the next target • Often target machines on the local network (worms) • Uses the concept of homogeneity • Exploit one in network → may be able to exploit all • E-mail contact lists (trojans)

  30. Brute-Force • Port-scanning and IP scanning the entire address space • Often start from a randomized offset and skip around

  31. Pseudorandom • Brute-force with restrictions (for better performance) • Example: Blacklist known darknet/honeypot addresses • Example: Prioritize IPs belonging to a specific country

  32. Diffusion • Design malware to use alternate channels of infection (USB drives or smartphones) • Hope someone plugs the wrong thing in the wrong place • Can be random or targeted • Targeted often requires research on habits/behaviors of individuals in the target environment

  33. Actual Propagation • Self-propagation • Social engineering • Secondary infections • Malicious code sources: • From central source • From infector • Inject as part of exploitation

  34. Self-Propagation • Uses exploits on the remote machine to self-install • Examples: • Unpatched network daemons (several in older versions of Samba) • Insecure driver code (thumb drives and other out-channel exploits) • Insecure system settings (autoplay, no UAC)

  35. Social Engineering • Sends a copy of the malware disguised as something innocuous • "Funny cat video!.mpg.exe" • Spread by malicious user, unwitting infected user, or the malware itself

  36. Secondary Infections • Create an artificial vulnerability or exploit • Serves as the vehicle for other malware • Primary approach of droppers & backdoors

  37. Honeypots • Detection mechanism that exploits random/pseudorandom propagation • Pose as a vulnerable system • Capture malware samples • Often run by known organizations • Known IP spaces = easy to avoid • Low interaction honeypots • Emulate aspects of a vulnerable system • Safer but only emulate specific aspects • High interaction honeypots • Actual full systems/VMs • Specialized firewall • Infection (hopefully) cannot spread

  38. Communication and Control

  39. Four different classifications • Uncontrolled and silent • Controlled and silent • Uncontrolled and noisy • Controlled and noisy

  40. Uncontrolled and Silent • No interaction with programmer in either direction • No transmitting of information back to source • Behavior must be pre-programmed, e.g. Stuxnet • Often used simply to cause destruction

  41. Uncontrolled and Silent • Pros • Cannot be disrupted by compromising command method • Less likely to be detected by network monitoring (under correct conditions)

  42. Uncontrolled and Silent • Cons • No dynamic control • Cannot be used for data theft, reconnaissance

  43. Controlled and Silent • Can receive commands • Numerous channels available, such as IRC, DHT, Google link bombing, establishing direct network contact, P2P networks, file drops • Does not transmit information • Often used for targeted attacks, occasionally used for botnets, planting backdoors

  44. Controlled and Silent • Pros • Behavior can change dynamically after launch in direct response to controller • Less likely to be detected by network monitoring (under correct conditions, initially)

  45. Controlled and Silent • Cons • Cannot be used for data theft, reconnaissance • Can be disrupted or even destroyed by subversion of command mechanism

  46. Uncontrolled and Noisy • Can communicate information about infected systems • Methods include file drops on a central server or to online hosting services (e.g. Mega), IRC channels, P2P services • More useful for reconnaissance, smash-and-grab

  47. Uncontrolled and Noisy • Pros • Easiest for ‘blitz’ style attacks • Good for blind mapping

  48. Uncontrolled and Noisy • Cons • No dynamic control • More likely to be detected

  49. Controlled and Noisy • Allows for both control and communication • Allows for targeting and exploiting specific systems • Frequently used for more sophisticated malware • High-end botnets, spyware, backdoors

  50. Controlled and Noisy • Pros • Can dynamically alter behavior • Can gain information about infected systems • Allows for most sophisticated behavior

More Related