1 / 42

MAL WARE

MAL WARE. BCIS 4630 Fundamentals of IT Security. Dr. Andy Wu. Overview. Virus Worms Trojans Buffer overflow Rootkits. Trend in Malware.

manning
Download Presentation

MAL WARE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MALWARE BCIS 4630 Fundamentals of IT Security Dr. Andy Wu

  2. Overview • Virus • Worms • Trojans • Buffer overflow • Rootkits

  3. Trend in Malware • Historically, malware was designed to infect, disrupt, disable, or destroy systems. The aim often is mischief or bragging rights for the author of malware. • Currently, malware is designed with criminal intention. • Often used to capture information about a victim – credit card data, login credentials, insider information, etc. • Malware is created with better mechanisms to evade detection.

  4. Virus • Best-known category of malicious code. • Self replicating. • Replicates by attaching itself to another file. • Usually requires human interaction to propagate. • When the host file is opened or executed, the virus also executes and is able to infect other files and/or wreak havoc. • Used to spread mainly by sharing of floppy disks and by affecting the boot sector. • With newer generations of computers and media, now virus often propagate via email and by taking advantage of Microsoft macros/file templates.

  5. Macro Virus • With the appearance of software with macro functionality (e.g., VBA), a document file can store not just data but also executable code. • To ensure that its code will be triggered when the infected file is used, it often modifies the subroutines in the file that will be run when the file opens, e.g., Document_Open(), Document_Close(), FileNew(), FileSave(). • To ensure that it will stay on the machine and infect other documents, it often copies itself to the default template files, e.g., Normal.dot (Word), Personal.xls (Excel), Blank Presentation.pot (PowerPoint). • The Triplicate virus infects all three – Word, Excel, and PowerPoint.

  6. Multipartite Virus • Multipartite virus • Takes advantage of multiple vector of attack. • Harder to remove.

  7. Anti-Virus Evasion • Anti-virus programs work on the basis of virus signatures. • To confuse anti-virus programs, some viruses are able to encrypt themselves. They contain a decryption module but uses variable keys. • Virus scanners cannot detect such viruses by the means of signatures. But they can detect the decryption module. • Changing the order of subroutines can also confuse scanners.

  8. Polymorphic Viruses • Polymorphic viruses modify their code for each replication. • They typically contain a random number generator and mutation engine. • Often is done by writing numerous variations of methods in the virus code and changing the order of parts of code. • Virus thus has signature (code pattern and hash value) that is different from those recorded by anti-virus companies at the outbreak of the virus. • Often is further enhanced by encrypting parts of the virus code. In each variation, encryption is done differently thus changed for each replication.

  9. Worm • Self-replicating. • Spreads via networks. • Does not have to rely on other files. • Usually does not require human interaction to propagate.

  10. Virus/Worm Differences

  11. Virus/Worm Differences • The distinction between virus and worms has blurred. • Viruses are becoming more worm-like. • They are less dependent on floppy/media sharing and can spread faster by worm-like behaviors.

  12. Trojan Horses • A program that contains malicious code but appears to be harmless or helpful. • Appears to have some useful or benign purpose that attracts a user. • Often can indeed perform its ostensible function. • Blends in with the normal programs running on a system. • Trojan horse applications are usually masqueraded as games, utilities, or other useful applications.

  13. Trojan Horses • Typical functions for a Trojan might include: • Sending and receiving files • Viewing cached passwords • Restarting the system • Launching processes • Modifying files • Sharing files • Modifying the registry keys • Keylogging • At this time, Trojans are not able to reproduce themselves like viruses or worms. • However, they can be spread as payload of worms.

  14. Trojan Architecture • Uses client/server architecture. The server part is installed on the victim’s machine; the client part, on the attacker’s machine. • Generally run in stealth mode on the victim’s machine. The attacker needs to know the remote IP address to connect to the machine and invoke the Trojan. Some Trojans can “phone home” by transmitting back the victim’s IP address. • To auto-start when the system boots, Trojans can alter system files and settings on the machine, such as entries in the Windows registry.

  15. The Making of a Horse • A Trojan’s file is bound to another file. • Programs are available for binding EXE files with other EXE files or files of other types. • Famous Trojans such as SubSeven, NetBus, BackOrifice all have an edit program that “configures” a “server” program before it is deployed to a victim. • One “configuration” is to bind the server program to another program. • Another “configuration” may change the combined program file’s icon to that of the program used as the guise.

  16. SubSeven’s EditServer Program

  17. Bound File

  18. SubSeven

  19. Trojan Camouflage • Attackers often create another file and process with exactly the same name as an existing program on the system. • Common “camouflage” names: • *nix: init, inetd, cron • Windows: win, iexplore, notepad • Windows does not allow deletion of processes with certain names: • Csrss.exe, services.exe, smss.exe, winlogon.exe System, System Idle Process

  20. Sources Trojans Infection • Social engineering • P2P networks • Physical access • Fake programs and freeware • E-mail attachments • Scripts in HTML e-mails • Instant messenger • Files on FTP servers • Spoofed Web sites • Files offered on bulletin boards and forums • Scripts on hacked legitimate Web sites • Drive-by download

  21. Drive-By Download

  22. Drive-By Download

  23. Detection and Prevention • A key feature of trojans is that they often modify a legitimate program file. • Integrity of the legitimate file is compromised. • Detection therefore can be done by file integrity check. • Perform any or all of the following checks • Date and time • Size • Checksum • Object reconciliation • A widely used method that detects Trojans • Means “verification that things are the same” • Windows has a built-in Windows File Protection (WFP) feature

  24. Buffer Overflow • A buffer is a space in memory reserved for a variable. • If the developer forgot to create code to check the size of user input, overflow can happen. • An attacker can send more data than the original software developer planned for the variable. • Since the code does not check the variable’s size, the malicious user input not only fills up the space planned for the buffer but also overwrites the memory space next to it. • The overwritten part can contain important information such as return address. • Now by cleverly crafting tiny but effective code into the input, the attacker can instruct the program to branch to another memory location.

  25. Shellcode • That small bit of extra input often carries shellcode. • It is malicious and abuses security holes in the application discovered by the attacker. • The shellcode contains the rogue instruction that will be executed. • So named because it often provides access to a computer’s shell. • Typically consists of assembly language code represented in escape sequences.

  26. Stack Overflow • Attackers write the code for a buffer overflow in such a manner that the code to which a function’s pointers are indicating is code of the Attacker’s choosing. • Process of an exploit • Attacker searches for a chance to overflow the buffer. • Attacker determines memory assigned to the variable. • Attacker specifies a value greater than the maximum capacity of the variable. • Variable takes the value.

  27. Function Call void main ( ) { // some code foo( arg1, arg2 ); // function call // some more code } void foo( para1, para2 ) { // some code // function done // go back to calling function } Program relies on the value of return pointer (EIP) to know where to go after function call. If EIP is modified by attacker, it will go to another place in memory, at the attacker’s discretion.

  28. Push to the Stack • Memory stacks are used to store information associated with function calls. • The information is accessed in a last-in first-out (LIFO) basis. • Function call arguments (if any) is “pushed” onto the stack. • System copies the value of the CPU’s Extended Instruction Pointer (EIP) register to the stack. This marks the point to resume after the function call is done. • A “frame pointer” is stored on the stack. • Local variables of the called function uses are stored. • By changing the value of EIP, you can control what code is executed after the function call.

  29. Pop from the Stack • After the called function finishes running, the local variables (result in our example) are “popped” from the stack. • The Frame Pointer also is removed. • Then, the value of return pointer (EIP) is copied back to the CPU’s “instruction pointer” register. • Finally, the arguments are removed from the stack.

  30. Normal Stack Operations

  31. A “Smashed” Stack

  32. Heap Overflow • The heap is a block of memory that the program can use dynamically for storing data. It is needed when: • A larger buffer is needed. • The programmer doesn’t know the size of the value to be stored. • Is allocated using the malloc() function and freed using the free() function. • A heap is “smashed” in a way similar to the stack.

  33. Rootkits • The attacks covered so far are separate programs an attacker adds to a system. • They don’t change operating system program on the victim. • Rootkits rise the ante by changing or replacing existing OS software executables or libraries. • This allows the attacker to have backdoor access or cover up his/her presence.

  34. Rootkits

  35. Rootkits • Rootkits are a type of trojans that take normal programs associated with the OS and replace them with malicious versions, e.g., • On a Unix system, it can replace the ls command with a malicious version that hides the attacker’s files. • Can act as a backdoor: offer attackers access by implementing a remote shell listener, e.g., “impersonate” the sshd program. • Rootkits allow an attacker to maintain access to and can remain “invisible” on a system by hiding: • Processes • Files • Registry keys • Network connections • Rootkits achieve their goals by using a few techniques: • Abuse of Windows API • DLL injection • API hooking

  36. Abusing Windows API • Microsoft has design well defined interfaces in Windows for extending its built-in functionality through third party tools. • An attacker, however, can abuse the Windows API by inserting malicious code between the Windows API and the user.

  37. FakeGINA • The Windows logon process invokes a library of code (msgina.dll) for graphical identification and authentication (GINA). • It’s likely that third party logon mechanisms based on biometrics, PKI, etc., are needed to authenticate users. • Therefore, in addition to Microsoft’s own version of GINA, Windows allows third party programs to be developed and to interact with authentication mechanism (e.g., the Local Security Authority) through msgina.dll.

  38. FakeGINA • An attacker thus can abuse this by inserting a Fake GINA between the logon process and msgina.dll. • It still interacts with msgina.dll like other third party authentication programs would. • However, the real purpose of FakeGINA is to capture users’ keystrokes; store users credentials in a text file; and send the file to the attacker. • This is much faster than password cracking!

  39. The Role of DLL • A dynamic link libraries (DLL) file is not executable but it provides functionality to a running .exe file through function calls to the library. • An execution file can call functions from a number of DLL files. • A DLL file can provide functionality to multiple .exe files. • Each individual function in a DLL takes some action on the system. • Windows DLLs provide basic functionality such as displaying files and folders, showing running processes, etc.

  40. DLL Injection • Through a series of delicate manipulation of threads and memory spaces, an attacker can fool a running .exe file and force it to accept a DLL that it never requested. • This rogue DLL contains malicious code and, once in the victim process’ memory space, can insert new “functionality” into any other running process.

  41. API Hooking • One thing the injected DLL does is to divert important execution files’ API function calls and “hook” those calls to the injected malicious code. • From now on, those function calls are in effect intercepted by the attacker’s malicious code, which gets to determine whether it will let the call pass to the real API or it will provide fake results to the calling exe file. • This is analogous to the “man-in-the-middle” network attack. • API hooking: intercepts functional calls. • MitMattack: intercepts network packets.

  42. Examples of Rootkits • AFX Windows Rootkit can hide/mask four different aspects of a backdoor program: process, files, registry keys, TCP/UDP ports. • Hacker Defender is a full-fledged rootkit with features similar to those of AFX.

More Related