Software Flaws and Malware II
CS 3IS3
Ryszard Janicki
Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada
Acknowledgments: Material based on Information Security by Mark Stamp (Chapters 11.3-11.5)
Ryszard Janicki
Software Flaws and Malware II 1/32

Malicious Software
Malware is not new. . .
Fred Cohen’s initial virus work in the 1980s
Cohen used viruses to break MLS (Multiple Level Security) systems
Types of malware (there is no standard definition)
Virus – passive propagation
Worm – active propagation
Trojan horse – unexpected functionality
Trapdoor/backdoor – unauthorized access
Rabbit – exhaust system resources
Spyware – steals info, such as passwords

Where do Viruses Live?
They live just about anywhere, such as. . .
Boot sector
Take control before anything else
Memory resident
Stays in memory
Applications, macros, data, etc.
Library routines
Compilers, debuggers, virus checker, etc.
These would be particularly nasty!

Malware Examples
Brain virus (1986)
Morris worm (1988)
Code Red (2001)
SQL Slammer (2004)
Stuxnet (2010)
Botnets (currently fashionable malware)

Brain
First appeared in 1986
More annoying than harmful
A prototype for later viruses
Not much reaction by users
What it did
1 Placed itself in boot sector (and other places)
2 Screened disk calls to avoid detection
3 Each disk read, checked boot sector to see if boot sector infected; if not, goto 1
Brain did nothing really malicious

Morris Worm I
First appeared in 1988
What it tried to do
Determine where it could spread, then. . .
. . . spread its infection and. . .
. . . remain undiscovered
Morris claimed his worm had a bug!
It tried to re-infect infected systems
Led to resource exhaustion
Effect was like a so-called rabbit
How Morris Worm Spread
Obtained access to machines by. . .
User account password guessing
Exploit buffer overflow in fingerd (simple popular network protocol)
Exploit trapdoor in sendmail
Flaws in fingerd and sendmail were well-known, but not widely patched

Morris Worm II
Once Morris worm got access. . .
“Bootstrap loader” sent to victim: 99 lines of C code
Victim compiled and executed code
Bootstrap loader fetched the worm
Victim authenticated sender
Don’t want user to get a bad worm. . .
How to Remain Undetected?
If transmission interrupted, all code deleted
Code encrypted when downloaded
Code deleted after decrypt/compile
When running, worm regularly changed name and process identifier (PID)

Morris Worm: Bottom Line
Shock to the Internet community of 1988
Internet of 1988 much different than today
Internet designed to survive nuclear war
Yet, brought down by one graduate student!
At the time, Morris’ father worked at NSA. . .
Could have been much worse
Result? CERT, more security awareness
But should have been a wakeup call

Code Red Worm
Appeared in July 2001
Infected more than 250,000 systems in about 15 hours
Eventually infected 750,000 out of about 6,000,000 vulnerable systems
Exploited buffer overflow in Microsoft IIS server software
Then monitor traffic on port 80, looking for other susceptible servers
Code Red: What it Did
Day 1 to 19 of month: spread its infection
Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov
Later version (several variants)
Included trapdoor for remote access
Rebooted to flush worm, leaving only trapdoor
Some said it was “beta test for info warfare”
But, no evidence to support this

SQL Slammer
Infected 75,000 systems in 10 minutes!
At its peak, infections doubled every 8.5 seconds
Spread too fast. . . so it “burned out” available bandwidth
Why was Slammer Successful?
Worm size: one 376-byte UDP (User Datagram Protocol) packet
Firewalls often let one packet through
Then monitor ongoing “connections”
Expectation was that much more data required for an attack
So no need to worry about 1 small packet
Slammer defied “experts”

Trojan Horse Example: Mac Trojan (from textbook)
Trojan: unexpected functionality
Prototype trojan for the Mac
File icon for freeMusic.mp3: (figure not reproduced)
For a real mp3, double click on icon
iTunes opens (expected)
Music in mp3 file plays
But for freeMusic.mp3, unexpected results. . .
Double click on freeMusic.mp3
iTunes opens (expected)
“Wild Laugh” (not expected)
Message box (not expected)

Trojan Horse Example
How does freeMusic.mp3 trojan work?
This “mp3” is an application, not data
This trojan is harmless, but. . .
. . . could have done anything user could do
Delete files, download files, launch apps, etc.

Malware Detection
Three common detection methods
Signature detection
Change detection
Anomaly detection
We briefly discuss each of these
And consider advantages. . .
. . . and disadvantages

Signature Detection I
A signature may be a string of bits in executable
Might also use wildcards, hash values, etc.
For example, W32/Beast virus has signature
83EB 0274 EB0E 740A 81EB 0301 0000
That is, this string of bits appears in virus
We can search for this signature in all files
If string found, have we found W32/Beast?
Not necessarily – string could be in normal code
At random, chance is only $1/2^{112}$
But software is not random. . .
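A minimal byte-signature scanner of the kind the slide describes, added here as an example (it is not code from the slides or the textbook). The W32/Beast signature is the one quoted on the slide; the `??` wildcard syntax, the "variant" signature and the sample files are constructed for the example, and the false-positive figure is the slide's 1/2^112 worked out per signature.

```python
# Added example (not from the slides or textbook): a minimal byte-signature
# scanner. BEAST_SIG is the signature quoted on the slide; the "??" wildcard
# syntax, the variant signature and the sample files are constructed here.
import re
from typing import Dict, List

BEAST_SIG = "83EB 0274 EB0E 740A 81EB 0301 0000"   # 7 x 16 bits = 112 bits

SIGNATURES: Dict[str, str] = {
    "W32/Beast": BEAST_SIG,
    # Constructed: same skeleton with two bytes left open ("??" = any byte)
    "Beast-variant (constructed)": "83EB ??74 EB0E ??0A",
}

# Constructed stand-ins for files on disk (contents are not real executables)
SAMPLE_FILES: Dict[str, bytes] = {
    "infected.exe": b"MZ" + b"\x00" * 16 + bytes.fromhex(BEAST_SIG.replace(" ", "")) + b"\xcc" * 8,
    "clean.exe":    b"MZ" + b"\x83\xeb\x02\x74" + b"\x00" * 20,   # shares only a prefix
    "notes.txt":    b"just text, no code here",
}

def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex signature with optional ?? wildcards into a bytes regex."""
    hexstr = sig.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("signature must be a whole number of bytes")
    parts: List[bytes] = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: a wildcard must match 0x0A too

def scan(files: Dict[str, bytes], signatures: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {filename: [names of matching signatures]} for files with at least one hit."""
    compiled = {name: compile_signature(s) for name, s in signatures.items()}
    hits: Dict[str, List[str]] = {}
    for fname, data in files.items():
        matched = [name for name, pat in compiled.items() if pat.search(data)]
        if matched:
            hits[fname] = matched
    return hits

def random_false_positive_rate(sig: str) -> float:
    """Probability that one offset of uniformly random bytes matches the signature:
    2^-(8 * fixed bytes), i.e. the slide's 1/2^112 for the full Beast signature.
    Wildcards shorten the effective signature and so raise this rate."""
    hexstr = sig.replace(" ", "")
    fixed = sum(1 for i in range(0, len(hexstr), 2) if hexstr[i:i + 2] != "??")
    return 2.0 ** (-8 * fixed)

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, SIGNATURES))
    print(random_false_positive_rate(BEAST_SIG))
```

The scanner reports `infected.exe` for both signatures and nothing for the other two files; `clean.exe` shows why a bare prefix is not a hit. The random-match probability only covers random data, which is the slide's caveat: real code is not random, so a short or wildcard-heavy signature can collide with legitimate programs far more often than the figure suggests.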

Signature Detection II
Advantages
Effective on “ordinary” malware
Minimal burden for users/administrators
Disadvantages
Signature file can be large (10s of thousands). . .
. . . making scanning slow
Signature files must be kept up to date
Cannot detect unknown viruses
Cannot detect some advanced types of malware
The most popular detection method

Change Detection
Viruses must live somewhere
If you detect a file has changed, it might have been infected
How to detect changes?
Hash files and (securely) store hash values
Periodically re-compute hashes and compare
If hash changes, file might be infected
Advantages
Virtually no false negatives
Can even detect previously unknown malware
Disadvantages
Many files change – and often
Many false alarms (false positives)
Heavy burden on users/administrators
If suspicious change detected, then what?
Might fall back on signature detection

Anomaly Detection
Monitor system for anything “unusual” or “virus-like” or “potentially malicious” or . . .
Examples of anomalous things
Files change in some unexpected way
System misbehaves in some way
Unexpected network activity
Unexpected file access, etc., etc., etc., etc.
But, we must first define “normal”
And normal can (and must) change over time
Advantages
Chance of detecting unknown malware
Disadvantages
Weak proven track record
Trudy can make abnormal look normal (go slow)
Must be combined with another method (e.g., signature detection)
Also popular in intrusion detection (IDS)
Difficult, as yet unsolved (unsolvable?) problem
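A small statistical anomaly detector, added as an example (not from the slides), to make the "define normal, then normal changes" point concrete: per-hour outbound connection counts are learned from a constructed baseline of quiet days, an hour is flagged when it exceeds mean plus k standard deviations, and the baseline is slid forward day by day. The two constructed test days carry the same extra activity, once in a burst and once spread thinly, which is exactly the "go slow" weakness the slide names.

```python
# Added example (not from the slides): a per-hour anomaly detector built from a
# constructed baseline of outbound connection counts. "Normal" is mean + k*stdev
# for each hour of the day, learned from the most recent days.
from statistics import mean, pstdev
from typing import List

Day = List[int]  # 24 hourly counts of outbound connections (constructed data)

# Constructed "normal" history: five quiet days with small day-to-day variation
BASELINE_DAYS: List[Day] = [[20] * 24, [22] * 24, [18] * 24, [21] * 24, [19] * 24]

def thresholds(history: List[Day], k: float = 3.0, min_stdev: float = 1.0) -> List[float]:
    """Per-hour alert threshold: mean + k * stdev across the history days.
    min_stdev stops a perfectly flat history from producing a zero-width band."""
    out: List[float] = []
    for hour in range(24):
        samples = [day[hour] for day in history]
        out.append(mean(samples) + k * max(pstdev(samples), min_stdev))
    return out

def flag_hours(history: List[Day], observed: Day, k: float = 3.0) -> List[int]:
    """Hours of the observed day whose count exceeds the learned threshold."""
    limits = thresholds(history, k)
    return [h for h in range(24) if observed[h] > limits[h]]

def update_history(history: List[Day], new_day: Day, window: int = 5) -> List[Day]:
    """'Normal' must change over time: slide the window forward by one day.
    Only days that were not flagged should be admitted this way, otherwise the
    attacker's activity is quietly absorbed into the definition of normal."""
    return (history + [new_day])[-window:]

# Constructed scenarios: 600 extra connections in one hour vs. spread very thinly
BURST_DAY: Day = [20] * 24
BURST_DAY[3] += 600                  # everything lands in hour 3
SLOW_DAY: Day = [20 + 1] * 24        # one extra per hour; 600 would take 25 days

if __name__ == "__main__":
    print("burst day flagged hours:", flag_hours(BASELINE_DAYS, BURST_DAY))
    print("slow day flagged hours: ", flag_hours(BASELINE_DAYS, SLOW_DAY))
```

With this baseline the threshold is about 24.2 per hour, so the burst day raises an alert for hour 3 and the slow day raises nothing at all. That asymmetry is why the slide says anomaly detection must be combined with another method: the detector cannot tell a patient attacker from background noise, and if the slow days are fed back into the baseline they become the new normal.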

Advanced Malware
Encrypted, polymorphic, metamorphic malware
Fast replication/Warhol worms
Flash worms, slow worms
Botnets

Encrypted Viruses
Virus writers know signature detection is used
So, how to evade signature detection?
Encrypting the virus is a good approach
Ciphertext looks like random bits
Different key, then different “random” bits
So, different copies have no common signature
Encryption often used in viruses today
How to detect encrypted viruses?
Scan for the decryptor code, it must be included!
More-or-less standard signature detection
But may be more false alarms
Encryption of limited value to virus writers

Polymorphic Malware
Polymorphic worm
Body of worm is encrypted
Decryptor code is “mutated” (or “morphed”)
Trying to hide decryptor signature
Like an encrypted worm on steroids. . .
Question: How to detect?
Answer: Emulation – let the code decrypt itself
Slow, and anti-emulation is possible

Metamorphic Malware and Worm
A metamorphic worm mutates before infecting a new system
Sometimes called “body polymorphic”
Such a worm can, in principle, evade signature-based detection
Mutated worm must function the same
And be “different enough” to avoid detection
Detection is a difficult research problem
Metamorphic Worm:
One approach to metamorphic replication. . .
The worm is disassembled
Worm then stripped to a base form
Random variations inserted into code (permute the code, insert dead code, etc., etc.)
Assemble the resulting code
Result is a worm with same functionality as original, but different signature

Botnet
Botnet: a “network” of infected machines
Infected machines are “bots”
Victim is unaware of infection (stealthy)
Botmaster controls botnet
Generally, using IRC (Internet Relay Chat protocol)
P2P botnet architectures exist
Botnets used for. . .
Spam, DoS attacks, key logging, ID theft, etc.

Some Known (Classical) Botnet Examples
Mariposa
Used to steal credit card info
Creator arrested in July 2010
Conficker
Estimated 10M infected hosts (2009)
Kraken
Largest as of 2008 (400,000 infections)
Srizbi
For spam, one of largest as of 2008

Future Malware Detection?
Malware today far outnumbers “goodware”
Metamorphic copies of existing malware
Many virus toolkits available
Trudy can recycle old viruses with new signatures
So, may be better to “detect” good code
If code not on approved list, assume it is bad
That is, use whitelist instead of blacklist

Miscellaneous Attacks
Numerous attacks involve software
We will discuss a few issues that do not fit into previous categories
Salami attack
Linearization attack
Time bomb
Can you ever trust software? NO.

Salami Attack I
What is Salami attack?
Programmer “slices off” small amounts of money
Slices are hard for victim to detect
Example
Bank calculates interest on accounts
Programmer “slices off” any fraction of a cent and puts it in his own account
No customer notices missing partial cent
Bank may not notice any problem
Over time, programmer makes lots of money
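The bank-interest scenario from the slide, worked through as an added example (not from the slides or textbook) with the reconciliation control a bank can run against it. Account names, balances and the monthly rate are constructed. The point the code makes is the one in "Bank may not notice any problem": a totals-only reconciliation passes, because the shaved fractions are still inside the bank, and only a per-account check against accrued interest exposes the extra account.

```python
# Added example (not from the slides): the interest-posting scenario modelled
# as data, plus the reconciliation control that catches diverted fractions.
# Account names, balances and the rate are constructed.
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
from typing import Dict

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

BALANCES: Dict[str, Decimal] = {           # constructed
    "ACCT-A": Decimal("1234.56"),
    "ACCT-B": Decimal("789.01"),
    "ACCT-C": Decimal("10000.00"),
}
MONTHLY_RATE = Decimal("0.00375")           # constructed

def accrued_interest(balances: Dict[str, Decimal], rate: Decimal) -> Dict[str, Decimal]:
    """Exact, unrounded interest owed to each account."""
    return {a: b * rate for a, b in balances.items()}

def honest_posting(exact: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Round each account to the cent (banker's rounding). The tiny residue is
    not posted to anyone; a real bank books it to a suspense account."""
    return {a: v.quantize(CENT, rounding=ROUND_HALF_EVEN) for a, v in exact.items()}

def shaved_posting(exact: Dict[str, Decimal], insider: str = "ACCT-INSIDER") -> Dict[str, Decimal]:
    """The slide's scenario, as data for the control below: every account is
    truncated downward and the shaved fractions are credited to one extra account."""
    posted = {a: v.quantize(CENT, rounding=ROUND_DOWN) for a, v in exact.items()}
    shaved = sum(exact.values()) - sum(posted.values())
    posted[insider] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def reconcile(exact: Dict[str, Decimal], posted: Dict[str, Decimal]) -> Dict[str, object]:
    """Two independent checks:
    total_ok     - total posted equals total accrued within rounding tolerance.
                   A salami posting PASSES this: the money never left the bank.
    overcredited - accounts credited more than they accrued plus half a cent.
                   An account that accrued nothing but received a credit fails."""
    total_gap = abs(sum(posted.values()) - sum(exact.values()))
    tolerance = HALF_CENT * len(exact)
    over = sorted(a for a, v in posted.items()
                  if v > exact.get(a, Decimal("0")) + HALF_CENT)
    return {"total_ok": total_gap <= tolerance, "overcredited": over}

def demo() -> Dict[str, Dict[str, object]]:
    """Run the control over an honest posting and over a shaved one."""
    exact = accrued_interest(BALANCES, MONTHLY_RATE)
    return {"honest": reconcile(exact, honest_posting(exact)),
            "shaved": reconcile(exact, shaved_posting(exact))}

if __name__ == "__main__":
    print(demo())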

Salami Attack II
Such attacks are possible for insiders
Do salami attacks actually occur?
Programmer added a few cents to every employee payroll tax withholding
But money credited to programmer’s tax
Programmer got a big tax refund!
Rent-a-car franchise in Florida inflated gas tank capacity to overcharge customers
Employee reprogrammed Taco Bell cash register: $2.99 item registered as $0.01
Employee pocketed $2.98 on each such item
A large “slice” of salami!
In Los Angeles, four men installed computer chip that overstated amount of gas pumped
Customers complained when they had to pay for more gas than tank could hold
Hard to detect since chip programmed to give correct amount when 5 or 10 gallons purchased
Inspector usually asked for 5 or 10 gallons

Linearization Attack I
Program checks for serial number S123N456
For efficiency, check made one character at a time
Can attacker take advantage of this?

Linearization Attack II
Correct number takes longer than incorrect
Trudy tries all 1st characters
Find that S takes longest
Then she guesses all 2nd characters: S*
Finds S1 takes longest
And so on…
Trudy can recover one character at a time!
Same principle as used in lock picking
What is the advantage to attacking serial number one character at a time?
Suppose serial number is 8 characters and each has 128 possible values
Then $128^8 = 2^{56}$ possible serial numbers
Attacker would guess the serial number in about $2^{55}$ tries – a lot of work!
Using the linearization attack, the work is about $8 \cdot (128/2) = 2^9$ which is rather easy
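The serial-number check from the slides, written out in Python as an added example (not the slides' or textbook's code), in its leaky early-exit form beside a constant-time form, with the slide's work figures computed. The serial S123N456 is the slide's; counting comparisons instead of measuring wall-clock time is this example's own instrumentation, chosen so the leak is deterministic and visible.

```python
# Added example (not from the slides): the slide's one-character-at-a-time
# serial check beside a constant-time check, plus the slide's work figures.
# SECRET_SERIAL is the slide's value; the compare counter is ours.
import hmac
from typing import Tuple

SECRET_SERIAL = "S123N456"

def early_exit_check(guess: str, secret: str = SECRET_SERIAL) -> Tuple[bool, int]:
    """The slide's 'efficient' check: compare one character at a time and stop at
    the first mismatch. Returns (ok, compares); the compare count stands in for
    running time, which is what an attacker would actually measure."""
    if len(guess) != len(secret):
        return False, 0
    compares = 0
    for g, s in zip(guess, secret):
        compares += 1
        if g != s:
            return False, compares
    return True, compares

def leaked_prefix_length(guess: str, secret: str = SECRET_SERIAL) -> int:
    """What the timing of early_exit_check reveals: how many leading characters
    of the guess are right. That is the signal the slide's attack builds on."""
    ok, compares = early_exit_check(guess, secret)
    return compares if ok else max(compares - 1, 0)

def constant_time_check(guess: str, secret: str = SECRET_SERIAL) -> bool:
    """Fix: hmac.compare_digest examines every byte whether or not an early byte
    differs, so the time taken no longer depends on how much of the guess is right."""
    return hmac.compare_digest(guess.encode(), secret.encode())

def brute_force_work(length: int = 8, alphabet: int = 128) -> int:
    """Size of the guess space without the leak: 128^8 = 2^56 on the slide."""
    return alphabet ** length

def linearization_work(length: int = 8, alphabet: int = 128) -> int:
    """Expected guesses with the leak: length * alphabet/2 = 8 * 64 = 2^9 on the slide."""
    return length * (alphabet // 2)

if __name__ == "__main__":
    for g in ("X2345678", "S1XXXXXX", "S123N45Z", "S123N456"):
        print(g, early_exit_check(g), leaked_prefix_length(g), constant_time_check(g))
    print(brute_force_work() == 2 ** 56, linearization_work() == 2 ** 9)
```

`early_exit_check` returns 1 comparison for a guess that is wrong in the first character and 8 for one that is wrong only in the last, so the count (and in a real system the elapsed time) grows with the correct prefix. `constant_time_check` returns only a boolean and does the same amount of work either way, which is the property to look for in any secret comparison; Python's `hmac.compare_digest` is the standard-library way to get it.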

Linearization Attack III
A real-world linearization attack TENEX (an ancient timeshare system)
Passwords checked one character at a time
Careful timing was not necessary, instead. . .
. . . could arrange for a “page fault” when next unknown character guessed correctly
Page fault register was user accessible
Attack was very easy in practice

Time Bomb
In 1986 Donald Gene Burleson told employer to stop withholding taxes from his paycheck
His company refused
He planned to sue his company
He used company time to prepare legal docs
Company found out and fired him
Burleson had been working on malware. . .
After being fired, his software “time bomb” deleted important company data
Company was reluctant to pursue the case
So Burleson sued company for back pay!
Then company finally sued Burleson
In 1988 Burleson fined $11,800
Case took years to prosecute. . .
Cost company thousands of dollars. . .
Resulted in a slap on the wrist for attacker
One of the first computer crime cases
Many cases since follow a similar pattern
Companies reluctant to prosecute

Trusting Software
Can you ever trust software? NO.
Consider the following thought experiment
Suppose C compiler has a virus
When compiling login program, virus creates backdoor (account with known password)
When recompiling the C compiler, virus incorporates itself into new C compiler
Difficult to get rid of this virus!
Suppose you notice something is wrong
So you start over from scratch
First, you recompile the C compiler
Then you recompile the Operating System
Including login program. . .
You have not gotten rid of the problem!
In the real world
Attackers try to hide viruses in virus scanner
Imagine damage that would be done by attack on virus signature updates