
Topic: Malicious Software

Outline
- Introduce types of malicious software
  e.g. backdoor, logic bomb, trojan horse, mobile code
- Discuss
  - Virus types and countermeasures
  - Worm types and countermeasures
  - Bots
  - Rootkits

(C) Davar Pishva, 2013

Security and Information System Management

Malicious Software
Introduction
- Programs that exploit vulnerabilities in computing systems are referred to as malicious software, or malware.
- They can be divided into two categories:
  - Program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
  - Independent self-contained programs, e.g. worms, bots
- They are perhaps the most sophisticated types of threats to computer systems.
- Some of them even have a replicating nature, e.g. viruses, worms.


Malware Terminology
Although there is a lack of universal agreement on terminology, due to overlapping categories, the following can serve as a useful guide:
- Virus
- Worm
- Logic bomb
- Trojan horse
- Backdoor (trapdoor)
- Mobile code
- Auto-rooter
- Kit (virus generator)
- Spammer and flooder programs
- Keyloggers
- Rootkit
- Zombie, bot


Viruses
A virus is a piece of software that can "infect" other programs by modifying them. Modification includes:
- copying itself (the virus) into the program;
- secretly executing when the host program runs.

It is specific to the operating system and hardware:
- it takes advantage of their details and weaknesses.

A typical virus goes through four phases:
- dormant
- propagation
- triggering
- execution


Virus Structure
A computer virus has three components:
- Infection mechanism: enables replication
- Trigger: the event that makes the payload activate
- Payload: what it does, malicious or benign

The virus code can be prepended, postpended or embedded. When the infected program is invoked, it
- will first execute the virus code and
- then execute the original code of the program.

We can block its
- initial infection (difficult), or
- propagation (with access controls).

Virus Structure (cont.)
A very general depiction of virus structure is shown here (figure not reproduced in the text).
- The virus code, V, is prepended to infected programs.
- It is assumed that the entry point to the program, when invoked, is the first line of the program.
- The first line of code is a jump to the main virus program.
- The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus.


Compression Virus
This is done to prevent virus detection.
- When infected file P1 is launched, it
  1. compresses uninfected file P2
  2. prepends virus CV to the compressed P2
  3. decompresses the compressed copy of P1
  4. launches P1
- This way, virus CV simply propagates.
- If CV included a logic bomb, then ...


Virus Classification
- Boot sector: infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
- File infector: infects files that the operating system or shell consider to be executable.
- Macro virus: infects files with macro code that is interpreted by an application.
- Encrypted virus: the virus creates a random encryption key, stored with the virus, and encrypts the remainder of the virus.
- Stealth virus: hides itself from detection by antivirus software.
- Polymorphic virus: mutates with every infection, making detection by the "signature" of the virus impossible.
- Metamorphic virus: mutates and rewrites itself completely at each iteration.


Macro Virus
They became very common in the mid-1990s.
- They are platform independent.
- They infect documents.
- They spread easily (via email).

They usually exploit the macro capability of the Office applications.
- An executable program is embedded in an office document, in the form of a macro language which is similar to the Basic programming language.

However,
- more recent releases of the Office applications include protection, and
- they are also recognized by many anti-virus programs now.


E-Mail Viruses
These are more recent developments. The first rapidly spreading versions made use of a Microsoft Word macro embedded in an attachment.
- e.g. Melissa: it exploits an MS Word macro in an attached document; if the attachment is opened, the macro activates, sends email to everyone on the user's address list, and does local damage.

At the end of 1999, a more powerful version of the e-mail virus appeared.
- This newer version can be activated merely by opening an e-mail that contains the virus rather than opening an attachment.
- Hence, they propagate much faster (e.g. in a few hours).
This makes it very difficult for antivirus software to respond before much damage is done.


Virus Countermeasures
Ideal solution
- Prevention, but it is difficult.

Realistic approach:
- Detection: determine that an infection has occurred and locate the virus.
- Identification: once detected, identify the specific virus that has infected a program.
- Removal: once identified, remove all traces of the virus from the infected program and restore it to its original state.
- If the virus is detected but can't be identified or removed, then we must discard and replace the infected program.


Anti-Virus Evolution
Viruses and antivirus technology have both evolved.
- Early viruses were simple code and easily removed.
- Recent viruses are more complex and more challenging.

Generations of antivirus software
- First - signature scanners
  Limited to the detection of known viruses by their signature (which may contain wildcards).
- Second - heuristics
  They use heuristic rules such as:
  - looking for fragments of code that are often associated with viruses;
  - integrity checking, using a hash function rather than a simpler checksum.
- Third - identify actions
  These are memory-resident programs that identify a virus by its actions rather than by its structure in an infected program.
- Fourth - combination packages
  These include scanning and activity trap components. They also include access control capability, to limit the ability of viruses to penetrate a system and update files in order to pass on the infection.
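As an added illustration (not from the lecture slides), the Python below contrasts the first two generations: a first-generation scanner that matches a byte signature containing wildcards, and a second-generation integrity check that records both a simple additive checksum and a SHA-256 hash for a known-clean file, showing why the hash is preferred. The signature string and the sample byte strings are constructed for the demo and are not real malware.

```python
import hashlib
import re

# --- First generation: signature scanning with wildcards ---
def compile_signature(sig: str) -> "re.Pattern":
    """Turn a hex signature such as 'E8 ?? ?? ?? ?? C3' into a bytes regex.
    A '??' token is a wildcard that matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def signature_scan(data: bytes, signatures: dict) -> list:
    """Return the names of all known signatures found in data."""
    return [name for name, sig in signatures.items()
            if compile_signature(sig).search(data)]

# --- Second generation: integrity checking ---
def simple_checksum(data: bytes) -> int:
    """Additive 8-bit checksum: cheap, but easy to keep unchanged after an edit."""
    return sum(data) % 256

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_baseline(data: bytes) -> dict:
    """Record both values for a known-clean program image."""
    return {"checksum": simple_checksum(data), "sha256": sha256_hex(data)}

def integrity_changed(baseline: dict, data: bytes) -> dict:
    """Which method notices that the file differs from its baseline?"""
    return {"checksum": simple_checksum(data) != baseline["checksum"],
            "sha256": sha256_hex(data) != baseline["sha256"]}

# Constructed sample data (not real malware): a "clean" program image, a copy
# with a signature-matching fragment prepended, and a copy that was modified
# so that its additive checksum stays the same (0x01 + 0xFF = 0x100).
CLEAN = bytes(range(64))
SIGNATURES = {"demo-signature": "E8 ?? ?? ?? ?? C3"}
INFECTED = bytes([0xE8, 0x10, 0x20, 0x30, 0x40, 0xC3]) + CLEAN
CHECKSUM_PRESERVING_EDIT = CLEAN + b"\x01\xff"

def demo() -> dict:
    baseline = make_baseline(CLEAN)
    return {
        "scan_clean": signature_scan(CLEAN, SIGNATURES),            # []
        "scan_infected": signature_scan(INFECTED, SIGNATURES),      # ['demo-signature']
        "scan_edited": signature_scan(CHECKSUM_PRESERVING_EDIT, SIGNATURES),  # [] (unknown code)
        "edit_detected": integrity_changed(baseline, CHECKSUM_PRESERVING_EDIT),
        # -> {'checksum': False, 'sha256': True}: the checksum is fooled, the hash is not
    }

if __name__ == "__main__":
    print(demo())
```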

Generic Decryption
More sophisticated antivirus products run executable files through a GD scanner consisting of the following modules:
- CPU emulator: a software-based virtual computer that interprets instructions.
- Virus scanner: scans the target code looking for known virus signatures.
- Emulation control: manages the process, i.e. controls the execution of the target code.

It lets the virus decrypt itself in the interpreter and periodically scans for virus signatures. The issue is that interpreting and scanning take a long time:
- tradeoff between chance of detection and time delay.

Digital Immune System
This is a comprehensive approach to virus protection.
- It was developed by IBM and
- refined by Symantec.

This system is meant to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a new virus enters an organization,
- the immune system automatically captures it,
- analyzes it,
- adds detection and shielding for it,
- removes it, and
- passes information about that virus to other systems.

Digital Immune System (cont.)
(figure slide: image not reproduced in the text)


Behavior-Blocking Software
This software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. It blocks potentially malicious actions before they can affect the system. Monitored behaviors can include:
- attempts to open, view, delete, and/or modify files;
- attempts to format disk drives and other unrecoverable disk operations;
- modifications to the logic of executable files or macros;
- modification of critical system settings, such as start-up settings;
- scripting of e-mail and instant messaging clients to send executable content; and
- initiation of network communications.

Behavior-Blocking Software (cont.)
(figure slide: image not reproduced in the text)


Worms
A worm is a program that can replicate itself and send copies from computer to computer across network connections,
- using email, remote execution, or remote login.

It has phases like a virus:
- dormant, propagation, triggering, execution.
In the propagation phase, it searches for other systems, connects to them, copies itself to them and runs.

In a multiprogramming system, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. The concept of a computer worm was introduced in John Brunner's 1975 SF novel The Shockwave Rider. The first known worm implementation was done at Xerox Palo Alto Labs in the early 1980s.


Morris Worm
This is one of the best known worms. It was released by Robert Morris in 1988. It was designed to spread on UNIX systems and used a number of different techniques for propagation:
- cracking the password file to use login/password pairs to log on to other systems;
- exploiting a bug in the finger protocol;
- exploiting a bug in sendmail.

If it succeeded in gaining remote shell access,
- it sent a bootstrap program to copy the worm over.


Worm Propagation Model
Typically, propagation proceeds through three phases:
- Slow start: growth is exponential, but infecting hosts waste some time attacking already-infected hosts.
- Fast spread: growth is almost linear, but the rate of infection is rapid.
- Slow finish: exponentially decaying, as the worm seeks out those remaining hosts that are difficult to identify.
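The three phases can be reproduced with a small simulation of a random-scanning worm; this is an added example, not part of the lecture. The number of vulnerable hosts, the address space, the scan rate, the seed and the 10%/90% phase boundaries are constructed parameters, and the "wasted scans" counter makes the slow-start cost of hitting already-infected hosts visible.

```python
import random

def simulate_random_scan_worm(n_vulnerable=2000, address_space=20000,
                              scans_per_tick=5, max_ticks=200, seed=7):
    """Discrete-time model of a random-scanning worm (constructed parameters).

    Every infected host probes scans_per_tick addresses per tick, chosen
    uniformly at random. Probing an uninfected vulnerable host infects it;
    probing an already-infected host is wasted effort.
    Returns (infected_count_per_tick, wasted_scans_per_tick).
    """
    rng = random.Random(seed)                      # seeded, so reproducible
    vulnerable = set(rng.sample(range(address_space), n_vulnerable))
    infected = {next(iter(vulnerable))}            # a single initial victim
    history, wasted = [len(infected)], []
    for _ in range(max_ticks):
        newly, wasted_now = set(), 0
        for _ in range(len(infected) * scans_per_tick):
            target = rng.randrange(address_space)
            if target in infected or target in newly:
                wasted_now += 1                    # hit a host already taken
            elif target in vulnerable:
                newly.add(target)
        infected |= newly
        history.append(len(infected))
        wasted.append(wasted_now)
        if len(infected) == n_vulnerable:          # saturation: slow finish is over
            break
    return history, wasted

def phase_boundaries(history, n_vulnerable):
    """Ticks at which the worm first reaches 10% (end of slow start),
    90% (end of fast spread) and 100% (end of slow finish) of the hosts.
    The 10%/90% cut-offs are assumed for the demo."""
    def first_tick_at_least(frac):
        return next((t for t, c in enumerate(history)
                     if c >= frac * n_vulnerable), None)
    return {"end_slow_start": first_tick_at_least(0.10),
            "end_fast_spread": first_tick_at_least(0.90),
            "end_slow_finish": first_tick_at_least(1.00)}

if __name__ == "__main__":
    hist, wasted = simulate_random_scan_worm()
    print(phase_boundaries(hist, 2000))
    print("wasted scans, first tick vs last tick:", wasted[0], wasted[-1])
```

Plotting `hist` against the tick index gives the familiar S-curve; the wasted-scan count grows with the infected population, which is why the tail is slow.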


Recent Worm Attacks
Code Red
- Released in July 2001, exploiting a Microsoft Internet Information Server (IIS) bug.
- The worm probes random IP addresses and does a DDoS attack.
- It consumes significant net capacity when active.

Code Red II variant includes a backdoor
- In addition, this newer worm installs a backdoor allowing a hacker to direct the activities of victim computers.

SQL Slammer
- Early 2003, attacks MS SQL Server by exploiting its buffer overflow vulnerability.
- Extremely compact and spread rapidly, infecting 90% of vulnerable hosts within 10 minutes.

Mydoom
- Mass-mailing e-mail worm that appeared in 2004.
- Installed a remote access backdoor in infected systems.
It replicated up to 1000 times per minute and reportedly flooded the Internet with 100 million infected messages in 36 hours.


Worm Technology
- Multiplatform: not limited to the Windows platform.
- Multi-exploit: penetrates systems in a variety of ways.
- Ultrafast spreading: e.g., by means of a prior Internet scan to accumulate Internet addresses of vulnerable machines.
- Polymorphic: each copy of the worm has new code generated on the fly using functionally equivalent instructions and encryption techniques.
- Metamorphic: worm with changing appearance and behavior.
- Transport vehicles: used for spreading other distributed attack tools, such as distributed denial of service bots.
- Zero-day exploit: worm that exploits an unknown vulnerability which is only discovered by the general network community when the worm is launched.

Worm Countermeasures
These overlap with anti-virus techniques:
- once resident on a system, A/V software can detect them;
- they also cause significant net activity, hence they are detectable.

Defense approaches include:
- Signature-based worm scan filtering: generates a worm signature, which is then used to prevent worm scans from entering/leaving a network/host.
- Filter-based worm containment: focuses on worm content rather than a scan signature.
- Payload-classification-based worm containment: examines packets to see if they contain a worm, using anomaly detection techniques.
- Threshold random walk (TRW) scan detection: exploits randomness in picking destinations to connect to as a way of detecting whether a scanner is in operation.
- Rate limiting and rate halting: limits or halts the rate of scan-like traffic from an infected host.

Proactive Worm Containment (PWC)
A scheme using host-based software that looks for surges in the rate (frequency) of outgoing connection attempts and in the diversity of connections to remote hosts. The agent monitors outgoing activity for a fixed window of time to see whether outgoing connections exceed a threshold. When such a surge is detected, the software immediately blocks its host from further connection attempts. In the architecture shown (next slide), the PWC agent
- issues an alert to the local system;
- blocks all outgoing connection attempts;
- transmits the alert to the PWC manager; and
- starts a relaxation analysis.
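An added example (not from the slides) of the PWC agent's detection logic in Python: a sliding window over outgoing connection attempts that triggers the four actions listed above when either the attempt rate or the number of distinct destinations in the window exceeds a threshold. The thresholds, the relaxation rule (lift the block once the last window is back under both thresholds) and the traffic sample are assumptions constructed for the demo; the destination addresses are documentation ranges.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class PwcAgent:
    """Host-based PWC agent (constructed illustration, thresholds assumed).
    It counts outgoing connection attempts in a fixed sliding window and
    looks at how many distinct remote hosts they go to."""
    window_seconds: float = 1.0
    max_attempts: int = 20          # assumed rate threshold per window
    max_distinct_hosts: int = 10    # assumed diversity threshold per window
    blocked: bool = False
    events: deque = field(default_factory=deque)   # (timestamp, dst) pairs
    actions: list = field(default_factory=list)    # what the agent did, in order

    def _window_stats(self, now: float):
        """Drop events older than the window; return (attempts, distinct hosts)."""
        while self.events and now - self.events[0][0] > self.window_seconds:
            self.events.popleft()
        return len(self.events), len({dst for _, dst in self.events})

    def observe(self, ts: float, dst: str) -> bool:
        """Record one outgoing attempt at time ts; return True if it is allowed."""
        self.events.append((ts, dst))
        attempts, distinct = self._window_stats(ts)
        if self.blocked:
            return False
        if attempts > self.max_attempts or distinct > self.max_distinct_hosts:
            # Surge detected: the four actions from the slide, in order
            self.blocked = True
            for action in ("alert_local", "block_outgoing",
                           "notify_manager", "start_relaxation_analysis"):
                self.actions.append((action, ts))
            return False
        return True

    def relaxation_check(self, now: float) -> bool:
        """Assumed relaxation rule: lift the block once the most recent window
        is back under both thresholds. Returns True if the host is unblocked."""
        attempts, distinct = self._window_stats(now)
        if self.blocked and attempts <= self.max_attempts and distinct <= self.max_distinct_hosts:
            self.blocked = False
            self.actions.append(("unblock", now))
        return not self.blocked

def run_demo():
    """Constructed traffic: a little benign web traffic, then a scan burst."""
    agent = PwcAgent()
    benign = [(0.3 * i, "192.0.2.10" if i % 2 else "192.0.2.20") for i in range(6)]
    burst = [(5.0 + 0.015 * i, f"198.51.100.{i + 1}") for i in range(30)]
    allowed = [agent.observe(ts, dst) for ts, dst in benign + burst]
    return agent, allowed
```

With these thresholds the six benign connections pass, the first ten burst probes pass, and the eleventh distinct destination within the window trips the block; a worm that keeps scanning stays blocked through the relaxation check, while a host that goes quiet is released.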

Proactive Worm Containment (cont.)
(figure slide: image not reproduced in the text)


Network Based Worm Defense
The key element of a network-based worm defense is worm monitoring software. Two types of monitoring software are needed.
- Ingress monitors: located at the border between the enterprise network and the Internet, in a border router, external firewall, separate passive monitor, or honeypot.
- Egress monitors: located at the egress point of individual LANs on the enterprise network as well as at the external border, in a LAN router or switch, external firewall or honeypot. An egress monitor is designed to catch the source of a worm attack by monitoring outgoing traffic for signs of scanning etc.

Worm monitors can act in the manner of intrusion detection systems and generate alerts to a central administrative system. It is also possible to implement a system that attempts to react in real time to a worm attack, so as to counter zero-day exploits effectively. An example of a worm countermeasure architecture is shown in the next slide.


Network Based Worm Defense (cont.)
(figure slide: image not reproduced in the text)


Bots
A bot (robot), also known as a zombie or drone, is a program that secretly takes over hundreds or thousands of Internet-attached computers.
- It uses those computers to launch attacks that are difficult to trace to the bot's creator.
- The collection of bots is referred to as a botnet.

Characteristics:
- remote control facility, via IRC (Internet Relay Chat) or HTTP etc.
- spreading mechanism: attack software, vulnerability, scanning strategy

Various countermeasures are applicable,
- e.g. IDSs, honeypots, and digital immune systems.

Rootkits
A rootkit is a set of programs installed for administrator access. It can make malicious and stealthy changes to the host O/S. It may hide its existence by
- subverting report mechanisms on processes, files, registry entries etc.

It may be:
- persistent or memory-based
- user or kernel mode

It can be installed by a user via a trojan or by an intruder on the system. A range of countermeasures is needed.

Rootkit System Table Modes
System calls are a primary target of kernel-level rootkits to achieve concealment. Three techniques can be used to change system calls:
- Modify the system call table
  The attacker modifies selected syscall addresses stored in the system call table. The next slide shows how the knark rootkit achieves this.
- Modify system call table targets
  The attacker overwrites selected legitimate system call routines with malicious code. The system call table is not changed.
- Redirect the system call table
  The attacker redirects references to the entire system call table to a new table in a new kernel memory location.

If a kernel-level rootkit is detected, by any means, the only secure and reliable way to recover is to do an entirely new OS install on the infected machine.

Network Based Worm Defense (cont.)
(figure slide: image not reproduced in the text)


Topic: Malicious Software
Summary
- Introduced types of malicious software, including backdoor, logic bomb, trojan horse, mobile code
- Discussed
  - virus types and countermeasures
  - worm types and countermeasures
  - bots
  - rootkits
