
Malicious Software
SFL @ TU Dortmund

Malicious Software


• Malicious software (malware) is software that executes on a system without the explicit consent of the user(s)
• Malware authors may have several motivations
• Espionage (e.g., to leak nation-state or company secrets)
• Extortion (e.g., to put pressure on the user to the attacker’s benefit)
• Resource abuse (e.g., to send spam from a victim’s system, launch DDoS)
• Stealing money (e.g., by hijacking online banking sessions)

Lifecycle of Malicious Software
[Figure: four-phase cycle]
• (1) Spread: Spam, Drive-by, Social Eng., …
• (2) Control: Commands, Feedback, Infrastructures, …
• (3) Monetize: Clickfraud, Banking trojans, Denial-of-service, …
• (4) Defense: Detection, Disinfection, Disruption, …

Major Infection Channels (1/2)
• Email spam is one of the two major malware infection channels
• Attackers trick users into opening malicious email attachments
• Common attack strategies:
• Spray and pray: Send mass emails with malicious attachments
(e.g., send an email with a DHL delivery notification with an attachment)
• Targeted emails: Individual email that is tailored to a particular person
(e.g., send a professor an email with a malicious attachment ProjectReport.exe)
• Social engineering increases chances of success
• Relate to interests of the recipient (e.g., mention recent hobbies or issues)
• Identify weak points of the recipient (e.g., greed, curiosity, impulsiveness, etc.)
• Email sender spoofing eases impersonation (→ the attacker freely chooses the displayed sender’s name/address)


Major Infection Channels (2/2)
• Software exploitation is the other major infection channel
• Attackers primarily target vulnerabilities in Web browsers
• Typically involves some sort of active content (Flash, JavaScript, etc.)
• Regular incidents of zero-day vulnerabilities
• Browsers try to defend against exploitation
• Sandboxes aim to contain a compromised renderer/JIT process so that an exploit cannot escape to the rest of the system
• Untrusted plugins get their own sandbox (e.g., Flash)
• Constant blinding aims to prevent attacker-chosen constants from being JIT-compiled into usable ROP gadgets
• Plugins (e.g., NoScript) disable active scripts
• CFI and secure code loading of signed code
• Still: Browsers remain the most popular exploitation target

Other Infection Channels
• Untrusted media
• Victim finds a USB memory stick and opens untrustworthy files on it
• Victim downloads a file that a (malware-infected) friend suggests to them
• Loss of communication integrity
• Victim downloads programs via plain HTTP in an untrusted WiFi (the download can be replaced in transit)
• File infectors
• Malware spreads by injecting itself into other executables on the same system
• If any of those programs is shared with others, the victim can reinfect them
• Software bundles
• Victim aims to download a particular program, but is tricked into downloading a malware-infected version of this program
• Victim downloads a (secretly malware-spreading) crack to play a commercial computer game “for free”

Malware Types

Ransomware (1/2)
• Malware that extorts the victim for ransom, using varying strategies:
• Encrypt files (e.g., media) and ask for ransom to decrypt
• “Lock” the computer screen and ask for ransom to unlock
• Popular examples: CryptoWall, CryptoLocker

Ransomware (2/2)
• Common ransomware encryption scheme
• Encryption:
• Ransomware generates a local symmetric key Ks
• Encrypt files with Ks and a symmetric cryptographic algorithm
• Encrypt Ks with the public key of the attacker using asymmetric cryptography: K’ = asymm_enc(Ks, pubkey)
• Send K’ to the remote C&C server
• Delete Ks (and optionally K’) from disk / memory
• Decryption:
• After payment, the server decrypts K’ with privkey: Ks = asymm_dec(K’, privkey)
• Victim (may or may not) obtain Ks from the C&C server
• Consequence: without privkey, nothing left on the victim’s system suffices to recover Ks, and since Ks is generated per victim, a key released to one victim does not help any other
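The scheme above, as an added toy model (not code from the slides or from any real ransomware). The symmetric part is a SHA-256 keystream and the asymmetric part is textbook RSA on two Mersenne primes; both are assumptions chosen so the script runs on the standard library, not secure ciphers. What the model shows is the key handling: Ks is random per victim, only K’ = asymm_enc(Ks, pubkey) survives on the victim, and Ks comes back only from whoever holds privkey.

```python
"""Toy model of the ransomware key-management scheme (added example)."""
import hashlib
import os

# --- toy asymmetric part: textbook RSA with assumed toy parameters ---
P = 2**61 - 1           # Mersenne prime M61
Q = 2**89 - 1           # Mersenne prime M89
N = P * Q               # ~150-bit modulus, so a 16-byte Ks fits below N
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse (Python 3.8+)
PUBKEY = (N, E)         # embedded in the ransomware binary
PRIVKEY = (N, D)        # stays with the attacker, never reaches the victim


def asymm_enc(ks: bytes, pubkey) -> int:
    n, e = pubkey
    m = int.from_bytes(ks, "big")
    assert m < n, "toy modulus too small for this key"
    return pow(m, e, n)


def asymm_dec(k_prime: int, privkey) -> bytes:
    n, d = privkey
    return pow(k_prime, d, n).to_bytes(16, "big")


# --- toy symmetric part: SHA-256 in counter mode as a stream cipher ---
def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with SHA-256(key || block counter); same call encrypts and decrypts."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        stream = hashlib.sha256(key + blk.to_bytes(8, "big")).digest()
        chunk = data[blk:blk + 32]
        out += bytes(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def infect(files: dict) -> tuple:
    """Victim side: encrypt every file, keep only K' (the wrapped key)."""
    ks = os.urandom(16)                          # per-victim symmetric key
    encrypted = {name: sym_crypt(ks, data) for name, data in files.items()}
    k_prime = asymm_enc(ks, PUBKEY)              # only privkey can unwrap this
    del ks                                       # "delete Ks from disk / memory"
    return encrypted, k_prime


def cnc_release_key(k_prime: int) -> bytes:
    """Attacker side, after payment: unwrap K' with privkey and hand out Ks."""
    return asymm_dec(k_prime, PRIVKEY)


def recover(encrypted: dict, ks: bytes) -> dict:
    return {name: sym_crypt(ks, data) for name, data in encrypted.items()}


# Constructed sample "files" for the demo
SAMPLE_FILES = {"photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
                "thesis.docx": b"PK\x03\x04 constructed docx bytes"}


def demo() -> bool:
    enc, k_prime = infect(SAMPLE_FILES)
    # At this point the victim holds only enc and k_prime; Ks exists solely
    # inside k_prime, so recovery requires the attacker's privkey.
    ks = cnc_release_key(k_prime)
    return recover(enc, ks) == SAMPLE_FILES


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Replacing the toy primitives with AES-GCM and RSA-OAEP (or an ECIES construction) gives the scheme real families use; the key flow stays identical.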

Banking Trojans (1/4)
• Steal money from online banking accounts
• Steal credentials and initiate a money transfer to the attacker’s account
• Or: Manipulate the destination of money transfers
• Or: Manipulate the website and ask users to refund an “accidental money transfer”
• Popular examples: Zeus (P2P), Tinba, Citadel

Banking Trojans (2/4)
• Dynamic web site manipulation via web injects
• “Man-in-the-Browser”
• A web inject rule consists of a target URL, a target location within the page, and the injection code
[Figure: example web inject rule, only partially recoverable from the extracted text]
Target URL: Target Pattern(s): pcre_pattern (?:^https://banking\.postbank\.de/app/legitimation)
Target location: pattern matched inside the page … data_end
Injection code: data_inject … data_end
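How such a rule is applied, as an added example that is not code from the slides or from any trojan. The rule syntax is modelled on the Zeus-family webinjects.txt layout (set_url, then data_before / data_inject / data_after sections, each closed by data_end); the target URL is matched as a regular expression, as in the slide’s target pattern (an assumption: real configs also use wildcard patterns and flags). The bank page and the rule are constructed for the example.

```python
"""Man-in-the-Browser web inject: rewrite a bank page before it renders (added example)."""
import re

# Constructed rule in Zeus-style webinjects.txt layout
WEBINJECT_CONFIG = r"""
set_url (?:^https://banking\.example\.test/app/legitimation)
data_before
<input type="password" name="pin">
data_end
data_inject
<label>Please confirm with a TAN:</label><input type="text" name="tan">
data_end
data_after
data_end
"""

# Constructed login page as the bank's server would deliver it
SAMPLE_PAGE = """<form action="/app/legitimation" method="post">
<input type="text" name="account">
<input type="password" name="pin">
<button>Login</button>
</form>"""


def parse_rules(config: str) -> list:
    """One rule per set_url; each data_* section runs until its data_end."""
    rules, current, section, buf = [], None, None, []
    for line in config.splitlines():
        if line.startswith("set_url "):
            current = {"url": re.compile(line[len("set_url "):].strip()),
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end" and section is not None:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def apply_injects(url: str, html: str, rules: list) -> str:
    """Hooked-browser step: data_inject replaces whatever lies between
    data_before and data_after (a plain insertion when data_after is empty).
    The server never sees the change; TLS is already terminated in the browser."""
    for rule in rules:
        if not rule["url"].search(url) or rule["data_before"] not in html:
            continue
        start = html.index(rule["data_before"]) + len(rule["data_before"])
        if rule["data_after"]:
            end = html.find(rule["data_after"], start)
            if end < 0:
                continue
        else:
            end = start
        html = html[:start] + "\n" + rule["data_inject"] + html[end:]
    return html


def demo(url: str = "https://banking.example.test/app/legitimation") -> str:
    return apply_injects(url, SAMPLE_PAGE, parse_rules(WEBINJECT_CONFIG))


if __name__ == "__main__":
    print(demo())
```

The injected TAN field is what the trojan later reads from the POST body (or from the hooked HttpSendRequestA call on the following slides); from the bank’s side the request still looks like a normal login.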

Banking Trojans (3/4): IAT Hooking
• Change jump addresses in the Import Address Table (IAT)
• IAT contains function pointers to libraries
[Figure: Internet Explorer (iexplore.exe) imports HttpSendRequestA from wininet.dll. Its IAT entry normally points into wininet.dll; the malicious code overwrites the entry so that it points to HttpSendReqAHook instead, and every call to HttpSendRequestA made through the IAT first passes through the hook]


Banking Trojans (4/4): Inline Hooking
• Add a jump to the hook in the actual library code
• Overwrite existing code and the hotpatching NOPs (before patching):
771960BC nop
771960BD nop
771960BE nop
771960BF nop
771960C0 nop
771960C1 HttpSendRequestA proc near
771960C1 mov edi, edi
771960C3 push ebp
771960C4 mov ebp, esp
771960C6 push 13h
771960C8 …

Banking Trojans (4/4): Inline Hooking
• Add a jump to the hook in the actual library code
• Overwrite existing code and the hotpatching NOPs (after patching):
771960BC jmp HttpSendReqAHook      ; far JMP (5-byte instr.) written over the five NOPs
771960C1 HttpSendRequestA proc near
771960C1 jmp -7                    ; near JMP (2-byte instr.) written over the 2-byte mov edi, edi; lands on 771960BC
771960C3 push ebp
771960C4 mov ebp, esp
771960C6 push 13h
771960C8 …
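The two patch instructions above computed byte for byte, as an added example (not code from the slides or from any trojan). The addresses of the NOP pad and of HttpSendRequestA are the slide’s; the hook address and the bytes of the constructed image are assumptions. The encoding rules are the real x86 ones: E9 rel32 for the 5-byte near JMP and EB rel8 for the 2-byte short JMP, both relative to the address of the following instruction. The block also shows the check a scanner runs (“is the first instruction of this export a jump?”) and what the hook has to re-execute before returning into the original function.

```python
"""Inline hook hotpatch bytes for the slide's addresses (added example)."""
import struct

FUNC_ADDR = 0x771960C1      # HttpSendRequestA entry, from the slide
PAD_ADDR = FUNC_ADDR - 5    # the five hotpatch NOPs start at 0x771960BC
HOOK_ADDR = 0x00401000      # HttpSendReqAHook: assumed address in the malicious code

# Constructed image of the bytes at PAD_ADDR: 5x nop, mov edi,edi (8B FF),
# push ebp (55), mov ebp,esp (8B EC), push 13h (6A 13)
ORIGINAL = bytes.fromhex("9090909090" "8BFF" "55" "8BEC" "6A13")


def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32: displacement relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def jmp_rel8(src: int, dst: int) -> bytes:
    """EB rel8: displacement relative to the end of the 2-byte instruction."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of short-jump range")
    return b"\xEB" + struct.pack("<b", disp)


def build_patch(image: bytes, base: int, hook: int) -> bytes:
    """Write the far JMP over the NOPs and the short JMP over mov edi,edi.
    Only these 7 bytes change; push ebp onwards stays intact."""
    buf = bytearray(image)
    off = PAD_ADDR - base
    buf[off:off + 5] = jmp_rel32(PAD_ADDR, hook)
    buf[off + 5:off + 7] = jmp_rel8(FUNC_ADDR, PAD_ADDR)   # this is the "jmp -7"
    return bytes(buf)


def jmp_target(image: bytes, base: int, addr: int):
    """Decode a JMP at addr; None if the byte there is not a jump opcode."""
    off = addr - base
    op = image[off]
    if op == 0xE9:
        return addr + 5 + struct.unpack("<i", image[off + 1:off + 5])[0]
    if op == 0xEB:
        return addr + 2 + struct.unpack("<b", image[off + 1:off + 2])[0]
    return None


def is_inline_hooked(image: bytes, base: int, func: int) -> bool:
    """The check an A/V or integrity scanner applies to exported functions:
    an export whose first instruction is already a jump is suspicious
    (on an unpatched system it is mov edi,edi)."""
    return jmp_target(image, base, func) is not None


def displaced_prologue(image: bytes, base: int) -> bytes:
    """What HttpSendReqAHook must execute itself before jumping to
    FUNC_ADDR + 2 to continue in the real function (the trampoline)."""
    off = FUNC_ADDR - base
    return image[off:off + 2]


if __name__ == "__main__":
    patched = build_patch(ORIGINAL, PAD_ADDR, HOOK_ADDR)
    print(patched.hex(" "))
    print("hooked:", is_inline_hooked(patched, PAD_ADDR, FUNC_ADDR))
```

The short JMP encodes as EB F9 (F9 = -7 as a signed byte), which is why the slide writes “jmp -7”. The same 7-byte pattern is what Microsoft’s own hotpatching uses, so a scanner cannot flag it on the bytes alone; it has to check where the jump leads (inside the module, or into an anonymous memory region).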

Protection Against Banking Trojans (using SMS-based TAN as an example)
Second Factor (e.g., phone)
SMS (translated from German): “The TAN for your transfer of 5,000 EUR to the account DE01 1566 8161 1351 3135 1337 is 325975.”
• The SMS repeats amount and destination account over a second channel, so a transfer that was manipulated in the browser shows different details than the user entered

RATs / RAT Trojans
• Remote Administration Tools
• Originally used for exactly that benign purpose
• Abused by attackers to spy on infiltrated systems
• RAT features:
• search for files, retrieve files, install further applications, control mouse/keyboard, …
• Examples
• Blackshades, Bifrost, PoisonIvy
• Commonly used for espionage by nation-state attackers

Spam Bots
• ~90% of worldwide spam is sent by malware
• Act as a spam relay, abusing the dynamic IP address of the victim
• Or: authenticated spam, abusing stolen email accounts
• Financial motivation
• Spreading: sell infections via malicious attachments
• Marketing: sell products (pharmacies, etc.)
• Stock spam: advertise penny stocks and then sell them
• Advance-fee scam: ask for money with a fake identity
• Examples: Rustock,

Downloaders / Droppers
• Download and execute even more malware
• Pay-per-install scheme: sell infections to others
• Typical job specialization – one actor infects, the other abuses
• Examples: GoldInstall, Virut

DDoS Bots
• Perform Distributed Denial-of-Service attacks
• Many DDoS bots jointly start attacking a target
• Any kind of DoS: SYN flood, HTTP request flood, etc.
• Examples: Dirtjumper, Yoddos, Mirai

Fake AV (Fake Anti-Virus) / Scareware / Rogueware
• Malware that pretends to be…
• … anti-virus that found malware and wants payment
• … a fine by the police for illegal activities like child porn
• Uneducated users may pay

Click Fraud
• Runs in the background and clicks on advertisements
• Attacker registers for pay-per-view or pay-per-click ads
• Attacker then views/clicks his own ads
• Every click/view adds a small revenue

Cryptocurrency Mining
• Cryptocurrencies allow generating virtual money by spending computing resources
• Malware may steal resources of a compromised system to generate coins
• Victim gets a high bill for power consumption and faces reduced performance

Mobile Malware (1/2)
• Online banking transactions are protected by a second factor
• One typical second factor is a mobile TAN (mTAN) sent to the mobile phone
• TAN stealers may sniff on SMS to leak mTANs
• Example: Zeus in the Mobile
Source: https://mobisec.reyammer.io/slides – Thanks to

Mobile Malware (2/2)
• Other types of mobile malware exist
• RAT-style apps that gain system-level privileges
• Apps that sniff on user data and behavior (Spyware)
• Attacks on service accounts (e.g., Gooligan stole Google accounts)
• Ransomware
Source: https://mobisec.reyammer.io/slides – Thanks to

Dialers
• Back in the modem time…
• Disconnect from the Internet and dial premium numbers that the attacker had registered (e.g., $5 per minute)
• Dialers disappeared from the PC market when dial-up modems were replaced by cable Internet / DSL
• Dialers resurrected on smartphones
• Once infected, again dial premium numbers
• Requires special system permissions, though

Worms
• Worms are self-spreading malware
• After infecting a system, a worm immediately scans the Internet for other victims
• Exponential growth and rapid infection rates once a critical mass is reached
• Infections spread way faster than the vulnerable software can be patched
• Typically, an unpatched system is reinfected within a few seconds
• Several popular examples
• Blaster: Malware exploiting a buffer overflow in Windows’ DCOM RPC service (2003; knocked several million systems down within a day)
• Conficker: Malware exploiting a buffer overflow in Windows’ Server service, reachable over SMB/NetBIOS (MS08-067; 2008; several million infections within hours)
• Mirai: Malware abusing weak Telnet passwords in Internet-of-Things devices (2016; two million infections within hours, abused for DDoS attacks)

Rootkits
• Rootkits are special kinds of malware that embed and hide in the system
• Main goal is to hide from anti-virus software
• User-mode rootkits operate entirely in user space
• Inject a malicious library into an existing, benign process
• Inject a backdoor into an otherwise-benign process (e.g., sshd)
• Kernel-mode rootkits modify the kernel space
• Unlink the process from the list of running processes
• Rewrite the system call table (e.g., SSDT in Windows) to point to attacker code
• Yet: Recent OSes have been hardened against kernel-mode rootkits (e.g., 64-bit Windows requires device drivers to be signed)

Command & Control

Communication Protocols
• Malware communication often tries to hide
• Blends into HTTP(S) traffic
– Koobface: communicate via Facebook
– iWorm: fetch botnet servers via Reddit user comments
– Waledac: fetch commands from images via steganography
– Misc malware strains abuse tweets
• Abuse DNS for exchanging data
• Dozens of proprietary protocols
• Anything on top of UDP/TCP
• But: easier to notice and possibly firewalled

Centralized Architectures
• Star topology: centralized server
• Command & Control (C&C or C2)
• Bots connect to the server
• Upload data or download updates and commands
• Single point of failure

Hybrid: Domain Generation Algorithms
• Semi-Centralized: DGAs
• DGA generates DNS domains based on some input
• Typically, DGAs are date/time-based
• DGA is a shared secret between bot and botmaster
• Example DGA output (pseudo-random domains, abbreviated on the slide): iuqo…ttyz.com, b82k…28aj.com, zzpl…1nbq.com, ll18…rtuz.com, spxu…8qer.com, po3b…8nuz.com, rrsw…38zy.com, asf9…gz2f.com, 1u9b…dzbv.com
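A date-seeded DGA and both sides that use it, as an added example that does not reconstruct any real family’s algorithm. The seed string, the hash-based generator and the TLD list are assumptions chosen so the example runs offline. The property the slide describes is what the code exercises: given the shared secret (seed and algorithm) and a date, bot and botmaster compute the same ordered list of candidate domains, the botmaster registers one of them, and a defender who has extracted the secret can precompute the whole window.

```python
"""Date-seeded DGA: bot, botmaster and defender views (added example)."""
import datetime
import hashlib

SHARED_SECRET = b"example-botnet-seed"     # assumed seed shared by bot and botmaster
TLDS = ("com", "net", "org")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE_DAY = datetime.date(2024, 1, 1)    # constructed date for the demo
NEXT_DAY = SAMPLE_DAY + datetime.timedelta(days=1)


def generate_domains(day: datetime.date, count: int = 10,
                     secret: bytes = SHARED_SECRET) -> list:
    """Same date + same secret -> same ordered list of candidate domains.
    State is chained through SHA-256 so domains look random to anyone
    without the secret."""
    state = hashlib.sha256(secret + day.isoformat().encode()).digest()
    domains = []
    for i in range(count):
        state = hashlib.sha256(state + bytes([i])).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in state[:12])
        domains.append(f"{label}.{TLDS[state[12] % len(TLDS)]}")
    return domains


def bot_rendezvous(day: datetime.date, resolver, count: int = 10):
    """Bot side: walk today's list in order; the first domain that resolves
    is the C&C. Unregistered domains simply fail to resolve."""
    for domain in generate_domains(day, count):
        ip = resolver(domain)
        if ip:
            return domain, ip
    return None


def defender_blocklist(start: datetime.date, days: int, count: int = 10) -> set:
    """Defender side, once algorithm and secret have been reverse-engineered:
    precompute every domain of the coming window to block or sinkhole it."""
    return {d for k in range(days)
            for d in generate_domains(start + datetime.timedelta(days=k), count)}


def demo():
    """Botmaster registers the 3rd domain of SAMPLE_DAY; the bot finds it."""
    todays = generate_domains(SAMPLE_DAY)
    registered = {todays[2]: "203.0.113.5"}          # constructed DNS zone
    return bot_rendezvous(SAMPLE_DAY, registered.get)


if __name__ == "__main__":
    print(generate_domains(SAMPLE_DAY, 3))
    print(demo())
```

The defender’s advantage is bounded: the list for a day can be precomputed only after the secret is recovered, and if the algorithm takes an unpredictable input (a trending topic, an exchange rate) instead of the date, precomputation stops working. Sinkholing one day’s domains still reveals the infected population that queries them.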

Peer-to-Peer (P2P) Botnets
• Bots make up a P2P network
• Bots know a subset of other bots
• Bot commands are signed
• Structured P2P
• Distributed Hash Table
• Commands stored at IDs
• Unstructured P2P
• No distributed hash table
• Commands via broadcast
• Botnet as a graph G := (V, E); peer list of bot v: E_v := {(v, u) ∈ E}

Malware Countermeasures

Anti-Virus Software
• Anti-virus software integrates into a system to shield against malware
• Typically deep integration that requires kernel modules / filter drivers
• Can monitor any program’s system interactions (e.g., API calls, forks, etc.)
• A/V detection strategies
• Search executables for malicious patterns of known malware (“signatures”)
• Check the behavior of a program (e.g., hooking is deemed suspicious)
• Validate whether the executable’s hash is in malware blacklists
• Upload unknown programs to the cloud to analyze them in malware sandboxes
• The malware arms race: A/V is not perfect
• Polymorphic malware can evade static malware signatures and hashes
• Hooks can be placed in alternative manners (e.g., not at the beginning of a function)
• Malware tries to evade behavioral checks by deferring malicious behavior
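Signature and hash matching against a polymorphic variant, as an added example (not code from the slides or from any A/V product). The “malware” is a constructed byte string, the signature and hash list are derived from it, and the polymorphic engine is a one-byte XOR with a fresh key behind a fixed decoder stub, an assumption standing in for a real packer. The block shows why the two static strategies fail on the re-encoded file and why the A/V needs an emulation or sandbox step that runs the sample’s own decoder before scanning again.

```python
"""Static A/V checks vs. a polymorphic variant, and the emulation step (added example)."""
import hashlib

# Constructed sample standing in for a known malware body
KNOWN_MALWARE = (b"MZ" + b"\x00" * 6 + b"constructed body: "
                 b"OpenProcess WriteProcessMemory CreateRemoteThread "
                 b"your files have been encrypted, pay here")

# Static detection data derived from the known sample
SIGNATURE = b"WriteProcessMemory CreateRemoteThread"         # byte pattern
HASH_BLACKLIST = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}  # hash blacklist

STUB = b"\xEBDEC"   # constructed 4-byte decoder-stub marker; 1-byte key follows


def polymorph(body: bytes, key: int) -> bytes:
    """Polymorphic packer: XOR-encode the body with a fresh key and prepend
    the decoder stub. Every key yields a different file, so the hash changes
    and the signature bytes no longer appear in clear."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def static_scan(sample: bytes) -> bool:
    """Signature search plus hash blacklist, on the bytes as stored on disk."""
    return (SIGNATURE in sample
            or hashlib.sha256(sample).hexdigest() in HASH_BLACKLIST)


def emulate_unpack(sample: bytes) -> bytes:
    """The emulation/sandbox step: execute the decoder the sample carries and
    hand the unpacked body back to the scanner. A real engine runs the stub's
    instructions; here the stub's semantics are known, so they are replayed."""
    if sample.startswith(STUB) and len(sample) > len(STUB):
        key = sample[len(STUB)]
        return bytes(b ^ key for b in sample[len(STUB) + 1:])
    return sample


def scan(sample: bytes) -> bool:
    """Full pipeline: static checks first, then static checks on what the
    sample decodes to."""
    return static_scan(sample) or static_scan(emulate_unpack(sample))


def demo() -> dict:
    variant = polymorph(KNOWN_MALWARE, 0x5A)
    return {"known_static": static_scan(KNOWN_MALWARE),
            "variant_static": static_scan(variant),
            "variant_emulated": scan(variant)}


if __name__ == "__main__":
    print(demo())
```

The same logic explains the last bullet of the slide: a sample that decodes itself only after a long sleep, or only when it sees a real user session, produces nothing for the emulator to scan within the time budget, which is what deferring malicious behavior buys the attacker.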

Further Countermeasures
• Install system and software updates
• More recent software fixes vulnerabilities of older releases
• Never use OSes that are end-of-life (e.g., Windows XP, CentOS 5, …)
• User education
• Do not open potentially malicious attachments
• Disable active scripts in browsers (if possible) or use a VM for unsafe sites
• Never blindly trust media (e.g., memory sticks)
• Malware sandboxes
• Execute unknown programs in a contained environment
• Judge whether a program is malicious based on its behavior
