Chapter 13: Malicious Code A class of unwanted software, often called “Malware”. 3 major arrival scenarios: Arrives with the help of the user (opens a contaminated file). Arrives on its own (a vulnerability or “feature” allows execution). Is left behind after an adversary breaks in. User assistance may be: Unwitting – user didn’t have a clue. Witting – user knew better, but did it anyway. Half-witting – user knew better, but took a chance.
Malicious Code – Impact May be benign or destructive. Why? Because malware typically contains an executable and can do anything an executable can do. Even if benign, it consumes resources (runs, replicates, occupies storage, consumes CPU cycles, slows the system down) and takes time & effort to remove. Example: happy.exe, which presented a pretty happy-new-year graphic message for 1999. Can’t really be sure they are benign - often we don’t know. If destructive, it is clearly a much more serious menace.
Malicious Code – The Threat is Growing

Year   New OS Vulnerabilities   Known Viruses
1998   262                      40,000
1999   417                      48,000
2000   1,090                    55,000
2001   2,437                    59,000

While viruses grow rather linearly, new OS vulnerabilities are more than doubling every year!!! Source: Computerworld, April 1, 2002, page 46.
Malicious Code – Why is the threat growing? Increased number of products (e.g., wireless, PDAs, new OS versions). Better delivery methods – web expansion in the middle to late 90s. Experience of malware developers – from an infant industry to highly experienced in the past decade. Commitment of nation states to information warfare. Do we really know who is launching the attacks & developing the code? Fast spreading: time to reach #1 in infected systems – Form virus (2-3 years), Concept macro virus (2-3 months), NIMDA (22 minutes).
Malicious Code - Taxonomy
[Figure: taxonomy tree]
Malicious Software (Malware)
  Requires Host Program: Logic Bombs, Trojan Horses (do not replicate); Viruses (do replicate)
  Does Not Require Host Program: Worms, Bacteria (do replicate)
All very nice, but now we have blended threats and other newcomers!
Malicious Code – A New Category Hostile Java applets – code snippets that are executed by Java to perform some function, often embedded in a web page. May belong on the “requires a host program” list; the host in this case is your browser with Java enabled. The applet is introduced to your system when you visit a web page containing the applet. Two types – “malicious” and “attack” applets. Malicious applets are in the wild and for the most part are annoying, but can be serious – they can result in denial of service and invasion of privacy. Attack applets are not yet in the wild, but have been extensively tested in lab settings. They attempt to compromise the Java security model and break through to your system.
Entrance Paths
Logic Bombs, Trojans, Viruses
1. Integral to or attached to an executable program, including macros that are enabled to be executed when a file is opened.
2. Transported by media (e.g., floppy, tape, CD-ROM) OR arrive over the network as attached or directly executable programs.
Worms, Bacteria
1. Do not require a host program for transport.
2. Arrive directly from the network – capable of self-propagation.
Applets
Are part of a web page you visit.
If Java is enabled, the applet will execute and do its thing.
Virus Behavior Aptly named - behave like biological viruses. 1. Typically small programs. 2. Are attached, or attach themselves to executable files (e.g., a program, a script, or a command string). 3. Activate when the host program is executed. 4. May be benign or malignant (i.e., destructive). 5. Capable of doing anything a program can do. 6. Generally cannot infect a system from a non-executable file. 7. Do not cause physical damage. 8. Can also infect firmware (e.g., flash ROM in modems, BIOS). 9. Typically activate on an event (e.g., when executed, on a date, after n re-boots, at some random time). 10. Often replicate and attempt to infect other files (e.g., Melissa).
Indications of a Virus 1. Computer runs slow. 2. System runs out of free space. 3. File sizes change. 4. Unexplained files appear on the hard drive. 5. Unexplained behavior: - CD-ROM drawer opens and closes on its own (a joke virus). - Programs won’t execute. - Files won’t open. - Characters missing from displays. - Obscene language appears on the display. And almost any other strange behavior you can imagine.
Flash Memory Viruses
Flash memory - writeable firmware. Found in: PC BIOS, modems, video cards, printers, routers, etc.
Increasing use - allows changes to a hardware device after manufacture.
Example uses of flash memory:
1. 56k modem - two pre-standard designs - sold with flash memory - when the V.90 standard was issued, a downloadable upgrade.
2. Routers - downloadable protocol changes, support for new protocols.
3. Other devices – bug fixes, performance updates.
Virus Types Companion - uses the execution hierarchy (order) of the system. Parasitic - attaches to a host program and executes when host program executes. OS Structure - attaches to OS components (e.g., boot blocks). Macro - infect macro languages (e.g., Word, Excel). Polymorphic - mutate with each infection. Stealth - attempt to hide from detection. Jokes & Hoaxes - Do nothing but excite some users.
Companion Viruses Rely on the execution order of a system (e.g., in Windows the order is .COM, .EXE, and .BAT). The user types WP, meaning WP.EXE. The OS will search for WP.COM, then WP.EXE. If a virus exists called WP.COM, it will execute first and often attach itself to WP.EXE. Using common names has often been used to trick users into unwittingly executing a virus program.
Typical Method of Infection
Scenario: Shows before/after virus infection with a programmed target of certain .EXE and .COM files.
[Figure: .EXE and .COM file layouts before and after infection – header (Hdr), IP, JUMP, START/END markers, and the appended Virus with its Jump.]
Virus Wars - A Typical Scenario - .EXE File
[Figure: .EXE file layout – file header (MZ, CS, IP, Size), START/END, program load image, overlay data (e.g., buffer space).]
MZ signature = executable file. CS & IP are pointers to the start of the program image. Size specifies the image size.
The virus must change the size of the image. Respond by storing the size somewhere else. Then the virus writer compresses the infected image to be the same size as before. Respond by using a digital signature... On and on it goes!
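The size check from this slide, as an added example (not from the slides): parse the MZ header's size fields, compare the declared image size with the real file length, and keep a baseline fingerprint of the whole file for the "digital signature" step. The sample executable and the appended bytes are constructed here; FNV-1a stands in for a real signature only so the example stays self-contained.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of checking one MZ (DOS .EXE) header against the file length. */
typedef struct {
    int valid_mz;      /* 1 when the buffer starts with "MZ" and holds a full header */
    size_t declared;   /* image size the header claims (from e_cblp and e_cp) */
    size_t actual;     /* bytes actually present */
    size_t overlay;    /* actual - declared when the file is longer than declared */
} mz_report;

static uint16_t rd16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));   /* little-endian field */
}

/* MZ header fields: offset 2 = e_cblp (bytes used in the last 512-byte page,
 * 0 meaning a full page), offset 4 = e_cp (number of 512-byte pages, header
 * included). Declared size = (e_cp - 1) * 512 + e_cblp. Overlay bytes may be
 * legitimate (the slide's "overlay data"), so the baseline hash is the tie-breaker. */
mz_report mz_check(const unsigned char *buf, size_t len) {
    mz_report r = {0, 0, len, 0};
    if (len < 64 || buf[0] != 'M' || buf[1] != 'Z') return r;
    r.valid_mz = 1;
    uint16_t e_cblp = rd16(buf + 2), e_cp = rd16(buf + 4);
    if (e_cp == 0) return r;                 /* nonsense header, leave declared = 0 */
    r.declared = (size_t)e_cp * 512;
    if (e_cblp != 0) r.declared -= 512 - e_cblp;
    if (len > r.declared) r.overlay = len - r.declared;
    return r;
}

/* Baseline fingerprint of the whole file. FNV-1a is NOT a cryptographic
 * signature; it stands in for the signed baseline a real integrity checker keeps. */
uint64_t fnv1a64(const unsigned char *buf, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    return h;
}

/* Constructed 100-byte sample: 64-byte header plus 36 bytes of filler code,
 * with e_cblp = 100 and e_cp = 1 so the header describes exactly 100 bytes. */
size_t make_sample_exe(unsigned char *out, size_t cap) {
    if (cap < 100) return 0;
    memset(out, 0, 100);
    out[0] = 'M'; out[1] = 'Z';
    out[2] = 100; out[3] = 0;      /* e_cblp = 100 */
    out[4] = 1;   out[5] = 0;      /* e_cp = 1 */
    out[24] = 0x40;                /* e_lfarlc: relocation table right after the header */
    memset(out + 64, 0x90, 36);    /* filler "code" bytes */
    return 100;
}

/* Mimic the size change the slide describes: n extra bytes after the image
 * while the header's size fields are left alone. Returns the new length. */
size_t append_bytes(unsigned char *buf, size_t len, size_t cap, size_t n) {
    if (len + n > cap) return len;
    memset(buf + len, 0xCC, n);    /* constructed filler, not real code */
    return len + n;
}

/* Runs the whole scenario: returns the overlay size seen after the append
 * (50 here) and reports through *hash_changed whether the baseline moved. */
size_t demo_overlay(int *hash_changed) {
    unsigned char f[256];
    size_t len = make_sample_exe(f, sizeof f);
    uint64_t baseline = fnv1a64(f, len);
    len = append_bytes(f, len, sizeof f, 50);
    mz_report r = mz_check(f, len);
    *hash_changed = fnv1a64(f, len) != baseline;
    return r.overlay;
}

int main(void) {
    int changed = 0;
    size_t overlay = demo_overlay(&changed);
    printf("overlay bytes beyond declared image: %zu, baseline hash changed: %s\n",
           overlay, changed ? "yes" : "no");
    return 0;
}
```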
Parasitic Viruses Enter a system already attached to what appears to be a legitimate executable file. In the preceding example, a parasitic virus would enter a system already attached to, for example, a .COM or .EXE file as shown in the "after infection" case. Once run, the virus code could seek out other existing files with the same .COM or .EXE extensions and infect them.
Operating System Structure Viruses Attach themselves to executable parts of the OS structure and/or insert themselves in unused OS structures. These are prime targets since they execute when the system boots. For example: Master Boot Record (MBR & partition table), unused sectors at the beginning of the disk, boot record, File Allocation Table (FAT), directory record, bad sectors, unused tracks at the end of the disk. On Microsoft Windows – modify the registry so the virus executes at startup.
Typical Bootstrap Process
[Figure: Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Find & load operating system → Transfer control to OS]
On power-up, the BIOS ROM holds a program to test basic h/w and identify the boot device (e.g., floppy, hard drive). The BIOS program completes its checks and executes a set of simple load-to-memory instructions to load a more robust loader (the initial loader) into primary memory. Once the initial loader is resident, control is transferred to the starting location of the initial loader. The initial loader identifies the location of the operating system and loads the resident parts of the OS to memory. When loading completes, control is transferred to the operating system (e.g., the null CLI prompt appears). The process includes a number of validation tests including simple signatures (not cryptographic), such as a 2-byte checksum.
Typical Bootstrap Process - Infected Boot Record
[Figure: the same boot flow – Execute H/W boot → Read S/W boot to RAM → Transfer control to RAM → Find & load operating system → Transfer control to OS – annotated where the virus loads.]
In an infected system, the initial loader is replaced with an infected loader. The BIOS program completes its checks and loads the infected loader into primary memory. Once the infected loader is resident, control is transferred to the starting location of the virus. The virus loads first, makes the changes it was designed for (e.g., may erase its tracks, infect the hard drive, etc.) and then transfers control to the original loader. The OS then loads normally and control is transferred to the operating system (e.g., the null CLI prompt appears). At this point the virus is resident and executable - it will execute and act according to its design.
A Specific Infection - The Michelangelo Virus
1. Infected diskette is placed in the A: drive and booted.
2. Diskette boot program loads the virus into main memory.
3. Infects the hard drive by moving the hard drive's original boot block to another location on the disk, and installing itself in the boot block.
Every time a disk is mounted on the system, that disk is infected as well.
Part of the virus program reads the system date. On March 6, the virus activates and overwrites:
   - Any mounted diskette with random characters, and
   - hard disk sectors 1-17, heads 0-3, and tracks 0-255 (with random characters).
LOVE LETTER VIRUS – WORM? May 4, 2000: “Love Letter” is released from the Philippines. Uses the Microsoft VBScript scripting language (requires that the Windows Scripting Host be installed before it can run). Check My Computer, View, Options, File Types & look for VBScript. Infects Microsoft Windows machines if the scripting host is enabled. Infection is by e-mail, but can also be via shared files, USENET news, and Internet Relay Chat. E-mail – Outlook users get a message with subject line “ILOVE YOU” and a body that reads “kindly check the attached LOVELETTER coming from me”. It has an attachment named LOVE-LETTER-FOR-YOU.TXT.VBS. Usually, the return address will be a person known to the victim.
LOVE LETTER VIRUS – What it does or tries to do
- Replaces certain files with a copy of itself.
- Sends itself to other potential victims found in the previous victim's Outlook address book.
- Modifies Explorer’s home page URL.
- Modifies several registry keys.
- Makes an Internet Relay Chat script.
- Sniffs passwords and attempts to mail them to an Internet site.
LOVE LETTER VIRUS – Program Structure
[Figure: call structure – Main calls the subroutines regruns, html, spreadtoemail, and listadriv.]
LOVE LETTER VIRUS – File Replacement - listadriv
Main copies the virus to multiple locations and calls the subroutines. listadriv searches all drives for certain file extensions and takes the following file-dependent actions:
- If the file is vbs or vbe (Visual Basic), replace the file with a copy of itself.
- If the file is js, jse, css, wsh, sct, or hta, replace the file with itself and change the extension to vbs.
- If the file is jpg or jpeg, replace the file with itself and append a vbs extension (abc.jpeg becomes abc.jpeg.vbs).
- If the file is mp3 or mp2, replace the file with itself and append a vbs extension (abc.mp3 becomes abc.mp3.vbs) and mark it as hidden.
LOVE LETTER – send e-mail - spreadtoemail
Generates e-mail with sender = current victim and sends itself to every entry in the local Outlook mailbox. Also tries to read the Exchange server’s mail directory and send itself to every address found there. The routine, as excerpted on the slide:

    Set out = Wscript.CreateObject("Outlook.Application")
    Set mail = out.CreateItem(0)
    Set mailaddress = %script to get user from address book%
    mail.Recipients.Add (mailaddress)
    mail.Subject = "I LOVE YOU"
    mail.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me."
    mail.Attachments.Add (dirsystem & "LOVE-LETTER-FOR-YOU.TXT.vbs")
    mail.Send
LOVE LETTER VIRUS – Home page - html
If the file <DIRSYSTEM>WinFAT32.exe does not exist, the worm:
- Sets the Explorer home page to one of four randomly selected pages. These URLs all refer to locations that contain a file WIN-BUGSFIX.exe.
- WIN-BUGSFIX.exe contains code for cracking passwords on the victim’s machine and mailing them to an ISP in the Philippines.
- The worm also looks for this code in the Explorer download directory and, when it is found, it is added to the victim’s list of programs that run at startup.
- Finally, the Explorer start page is set to “about:blank”.
LOVE LETTER VIRUS – Registry changes - regruns
Creates registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\MSKernel32", dirsystem & "MSKernel32.vbs
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
    HKCU\Software\Microsoft\Windows Scripting Host\Settings\Timeout
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    HKCU\Software\Microsoft\WAB\*
This virus was widespread – worldwide within a few hours. It would have done more damage, except scripting was not enabled on many systems. Damage was mainly the cost of eradication.
Macro Viruses A very popular virus family that relies on the use of executable macro languages that can be embedded in documents - often to create formatting for templates, etc. For example, in Microsoft Word, any time a template file is opened it is scanned for macros. If it contains an AutoOpen macro, the macro instructions are immediately executed. If the AutoOpen macro is infected, the user only has to open the file for the virus to run. One of the things these viruses often do is update the global macro pool so other documents that use the macro pool will also be infected.
Polymorphic Viruses - Multiple Versions
Conventional methods of virus eradication rely on detecting the unique signature of a virus. To make this more difficult, virus developers often build viruses that contain self-modifying code. Structures for these viruses include:
- The original virus
- A program that encodes the original code
- A decoder to recover the original virus
- A mutation engine that changes the decoding routine (adding code like LOOPs or NO OPERATION instructions)
These change the external signature of the code but do not change the decoded result. Consequently, they mask the virus from detection.
Stealth Viruses Infect a program and then attempt to hide from detection by active measures. Two types - size stealth and read stealth: Size stealth viruses attempt to 1) measure the length of the good file, 2) infect it, and 3) compress the infected file back to the length of the original. Read stealth viruses insert the virus code between the OS and all calls to read files (e.g., by a virus scanner). On read, the virus intercepts the call and returns an un-infected file. The Stoned Monkey Master Boot Record virus is a read stealth virus. These methods require the virus to be memory resident so it can intercept system I/O calls. Booting from a known clean floppy and scanning will find these infections (if they are known).
Bacteria Do not require host programs, but replicate and spread. In 1987, the IBM Christmas Bacteria was launched in BitNet, a WAN for university e-mail. It arrived as an e-mail attachment. When opened, it rendered a Christmas tree on the screen, replicated itself, and sent a copy of itself to every mailbox on the user’s local mail distribution list. It spread so rapidly that BitNet had to be shut down for several days. Sound familiar? Like perhaps, Melissa? Melissa was uniformly labeled a virus - since it used an e-mail message as the host - not clear if there are any real bacteria.
Worms No requirement for a host program - independently travels over the network, finding, infecting, replicating, and moving on. No requirement for a user to take any action - infection happens! These capabilities are also considered useful tools for: Propagating useful network information (e.g., configuration files). Remote software distribution & installation (e.g., automatic downloads). There are some requirements: 1. An initial system to act as the launch platform. 2. Access to a network (typically via e-mail or IP address). 3. Network services enabled (e.g., mail).
Worm - Methods
- Searches for other network systems known to the original host computer (e.g., by e-mail or IP address).
- On identification, establishes a communications link to the remote system.
- Attempts to exploit a software weakness.
- On success, downloads a copy of the worm from the attacking system.
- The process is repeated for every successful intrusion.
- Spreads rapidly and can easily monopolize the system and network.
The best known worm: the "Internet worm" – Robert Morris
   - Attacked Unix BSD systems (e.g., Sun 3 & VAX running BSD)
   - Launched on 11/2/88 - 6000 systems
Three-pronged attack: “Remote Shell”, “Sendmail”, “fingerd”
Remote Shell Attack Remote shell allows a user to run a shell from a remote location. Attack #1: try to spawn a remote shell (rsh) process: try /usr/ucb/rsh, /usr/bin/rsh, or /bin/rsh. If rsh is enabled, establish a TCP/IP connection back to the attacking machine and download the worm so it could be compiled, linked and executed. When done, disconnect.
Sendmail Attack Sendmail is a Unix mailer designed to route mail in a network environment using a mailer daemon (background process). When enabled, the mailer listens on TCP port 25 for attempts to deliver mail by the Simple Mail Transfer Protocol (SMTP). On a successful TCP connection attempt, the daemon makes the connection and gets: the sender, the recipient, delivery instructions, and the message contents. Trouble was, there was a debug option in the Sendmail program that was not turned off.
Sendmail Attack The worm issued a DEBUG command to the remote system, and a command string instead of the user address. Such commands are not allowed in normal mode, but are OK in debug mode so testers can determine that mail is arriving at remote locations without actually sending mail or remotely logging in. With debug turned on, it was easy to configure sendmail for further testing; however, this also allowed the same actions as for rsh. This means a remote user had user privileges on the system.
fingerd Attack fingerd is a utility that allows a user to get information about other network users. It is used to get the full name or login name of a user and whether they are logged in, their telephone number, etc. It is a daemon running in the background to respond to requests. It accepts remote connections, reads a single line, and returns the requested information. The exploit overran the fingerd buffer by sending a special 536-byte string to fingerd, causing the stack to be overwritten such that the return address was corrupted and returned to a remote shell program that proceeded to establish the TCP/IP connection as before.
Sidebar – Buffer Overflow Attacks Manipulates the input buffer to allow the attacker to execute arbitrary commands on the target machine. Result of the poor programming practice of not writing code that checks the bounds on an input data string supplied to a program. When receiving input, a program calls the input routine and passes arguments specifying the location of buffers for the input data. The call passes the arguments and the return address to the input routine and transfers control to the input routine. The input routine pushes the arguments and the return pointer on the stack, then pushes the input data stream on the stack. When complete, the input routine returns control to the calling program specified in the return address.
Stack – LIFO Architecture
[Figure: stack layout from low memory to high memory – Input variable 2, Input variable 1, Return Pointer, Call Arguments.]
Last-In, First-Out (LIFO): items are pushed on the stack in order and popped off the stack in reverse order.
Corrupting the Stack
[Figure: the same stack layout after the overflow – Input variable 2, executable code (e.g., a shell command), a new pointer to the executable code in place of the return pointer, Call Arguments.]
When the return is executed, the shell is run – the attacker then connects to the shell.
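The sidebar's point in code, as an added example (not from the slides or the worm): an unchecked line copy of the kind behind the fingerd overflow beside a bounded version that rejects a line the buffer cannot hold. The 512-byte buffer size is an assumption (the slides give only the 536-byte input length), and the request lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF 512   /* assumed buffer size; the slides only give the 536-byte input */

/* Unbounded copy: stops only at the terminator, so a 536-byte line writes
 * 24 bytes past a 512-byte buffer, over the saved return pointer that sits
 * above it on the stack. Shown for contrast; only called with short input here. */
size_t read_line_unchecked(char *dst, const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') { dst[n] = src[n]; n++; }
    dst[n] = '\0';
    return n;
}

/* Bounded copy: refuses any line that does not fit (with its terminator) in
 * cap bytes and leaves dst empty. Returns -1 when rejected, else the length. */
long read_line_checked(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) { dst[0] = '\0'; return -1; }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (long)n;
}

/* What a hardened finger-style daemon would do with one request line:
 * read it into a fixed stack buffer through the bounded copy. */
long handle_request(const char *req) {
    char line[LINE_BUF];
    return read_line_checked(line, sizeof line, req);
}

/* Constructed request of n 'A' bytes; returns handle_request's verdict so the
 * behaviour at the buffer boundary can be checked without any real traffic. */
long verdict_for_length(size_t n) {
    char req[1024];
    if (n >= sizeof req) return -2;
    memset(req, 'A', n);
    req[n] = '\0';
    return handle_request(req);
}

int main(void) {
    printf("40-byte line: %ld\n", verdict_for_length(40));     /* 40: accepted */
    printf("511-byte line: %ld\n", verdict_for_length(511));   /* 511: largest that fits */
    printf("536-byte line: %ld\n", verdict_for_length(536));   /* -1: rejected */
    return 0;
}
```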
Worm Code - Main Main collected information on other computers known to this one by reading public configuration files. It also ran system utilities. This information formed the database for further attacks. In each successful case the worm attempted to hide its existence by unlinking its binary, killing its parent process, encrypting and reading its files into memory, and deleting files created during entry. Periodically it forked itself and killed its parent so it had a continuously changing process ID to help avoid detection. Every 12 hours it erased its own records of hosts it had infected so they became eligible for infection again.
Worm Code - Main (continued) It also reads and cracks local password files. Password cracker: UNIX passwords are stored in a public file, but encrypted with a DES variant. The algorithm is non-invertible. However, Unix allowed the encryption of password lists and comparison to the password file without calling an OS function (i.e., no log interception). It didn’t do anything exotic - it just tried lists of common words until it found an encrypted MATCH - no encryption breakage. Some sites reported 50% of passwords were compromised. This gave the worm access to additional accounts and more possible destinations for mail and IP.
Worm - Impact Eventually contaminated over 6000 Unix systems. First fix was available within 12 hours of discovery. By 28 hours a method to stop propagation was posted. Trouble was, there was no structured response - all was “ad hoc” and through the informal network of colleagues. Resulted in establishment of DARPA funded CERT "Computer Emergency Response Team" at Carnegie Mellon University. Later DOE created CIAC - Computer Incident Advisory Capability at Lawrence Livermore National Laboratory.
Fast Forward – Sophistication – Nimda Appeared September 18, 2001. Affected Windows 95/98, ME, NT4, 2000 – clever version code. A combination virus/worm – it is not clear the distinction is useful any more. Serious impact on infected systems. A side effect created large volumes of Internet traffic at web servers known to the Internet. Few sites escaped Nimda.
Nimda Propagation & Infection – 4 modes 1. Modifies .exe files on the victim so they include the worm. 2. Sends e-mail containing the worm to all addresses found in the in-box and address book of the victim. 3. Searches for vulnerable IIS servers, compromises the server and downloads the worm. The worm infects web pages so other systems browsing the server will also be infected. 4. Searches the local area network for shared files on servers or workstations and puts a hidden copy of the worm on file shares. Opening documents in these directories causes the worm to be executed.
e-Mail Compromise Impacts Outlook and Outlook Express. An e-mail arrives with an attachment named “readme.exe”. On older un-patched systems, the attachment is automatically executed when the e-mail is opened, and readme.exe, the worm, runs. On patched or un-patched systems, readme.exe will execute if double-clicked. The worm then harvests e-mail addresses from the in-box and address book of the infected system.
IIS (Microsoft Web Server) Compromise
Infected systems generate IP addresses (some targeted, some random) and attempt to compromise IIS servers with 4 different attacks:
1. Two scripts to exploit the root.exe back-door left by Code Red II or Sadmind prior infections. If successful, this gives root privilege to the worm.
    GET/scripts/root.exe?/c+dir HTTP/1.0” 404 210”-” ”-”
    GET/MSADC/root.exe?/c+dir HTTP/1.0 404 201 “-” “-”
2. Two more for Code Red II backdoors where the C: and D: drives were mapped to IIS virtual folders, allowing access to cmd.exe (the Windows CLI with administrator privilege).
    GET/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218 “-” “-”
    GET/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 404 218 “-” “-”
IIS (Microsoft Web Server) Compromise
3. Two scripts to exploit the IIS/PWS Escaped Character Decoding Command Execution vulnerability:
    GET/scripts/..%255c../winnt/system32/cmd.exe?/……..
    GET/_vti_bin/..%255../..%255../winnt/system32/cmd.exe?/…..
If un-patched, the server decodes the requested pathname twice. On the first decode, security is checked. If security is OK, the second decode is not checked again. The once-decoded path is legal and passes security, but the twice-decoded path is not, and it allows the execution of cmd.exe, the Windows command line interpreter, with administrator privilege. A patch has been available for some time from Microsoft.
IIS (Microsoft Web Server) Compromise
4. Eight scripts to exploit the IIS/PWS Extended Unicode Directory Traversal vulnerability (only 2 are shown below):
    GET/scripts/..%c1%1c../winnt/system32/cmd.exe?/……..
    GET/scripts/..%c0%2f../winnt/system32/cmd.exe?/…..
If un-patched, IIS does not validate the input correctly and allows inappropriate directory access when the / and \ characters are encoded with their Unicode equivalents. In the examples: %c1%1c is / and %c0%2f is \ in the Chinese Unicode character set. Note: Unicode is the extended character encoding standard used to represent letters and symbols from all the languages in the world.
IIS (Microsoft Web Server) Compromise – Summary
- Exploit root.exe or cmd.exe backdoors left by Code Red II.
- Exploit the IIS Directory Traversal vulnerability, allowing files to be accessed if they reside on the same drive as the server web folders.
- Exploit the IIS Escaped Character Decoding Command Execution vulnerability that allows files to be accessed and executed.
If successful, the worm uses the Trivial File Transfer Protocol (tftp) to connect back to the system originating the attack to download and execute Admin.dll, the main body of the worm.
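Detection logic for the four probe families on the preceding IIS slides, run over constructed log lines in common log format; an added example, not from the slides or any product. The once-versus-twice decode comparison implements the "decoded twice" point from the escaped-character slide, and the 0xC0/0xC1 lead-byte check catches the overlong Unicode forms, which can never appear in valid UTF-8.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flags raised for one request line. */
enum {
    F_ROOT_EXE   = 1,   /* root.exe backdoor probe */
    F_CMD_EXE    = 2,   /* cmd.exe reached through a virtual folder or traversal */
    F_TRAVERSAL  = 4,   /* "../" or "..\" present after decoding */
    F_DOUBLE_ENC = 8,   /* a second decode still changed the path (e.g. %255c) */
    F_OVERLONG   = 16   /* 0xC0/0xC1 lead bytes: never valid UTF-8 (e.g. %c0%2f) */
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of %xx decoding; malformed escapes are copied through unchanged. */
size_t pct_decode(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < cap; i++) {
        if (in[i] == '%' && in[i + 1] != '\0' && in[i + 2] != '\0') {
            int hi = hexval((unsigned char)in[i + 1]), lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) { out[o++] = (char)(hi * 16 + lo); i += 2; continue; }
        }
        out[o++] = in[i];
    }
    out[o] = '\0';
    return o;
}

/* Pull the request path out of a common-log-format line: the token after the
 * method inside the first quoted field. Returns 0 when the line has no request. */
int extract_path(const char *line, char *out, size_t cap) {
    const char *q = strchr(line, '"');
    if (q == NULL) return 0;
    const char *m = strchr(q + 1, ' ');          /* space after the method */
    if (m == NULL) return 0;
    const char *p = m + 1;
    const char *e = strchr(p, ' ');              /* space before HTTP/x.y */
    if (e == NULL) e = p + strlen(p);
    size_t n = (size_t)(e - p);
    if (n + 1 > cap) n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

static void lower_ascii(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }

int classify_request(const char *line) {
    char raw[512], once[512], twice[512];
    int flags = 0;
    if (!extract_path(line, raw, sizeof raw)) return 0;
    pct_decode(raw, once, sizeof once);          /* what the security check sees */
    pct_decode(once, twice, sizeof twice);       /* what a double-decoding server executes */
    lower_ascii(once);
    lower_ascii(twice);
    if (strstr(twice, "root.exe") != NULL) flags |= F_ROOT_EXE;
    if (strstr(twice, "cmd.exe") != NULL) flags |= F_CMD_EXE;
    if (strstr(twice, "../") != NULL || strstr(twice, "..\\") != NULL) flags |= F_TRAVERSAL;
    if (strcmp(once, twice) != 0) flags |= F_DOUBLE_ENC;
    for (const unsigned char *p = (const unsigned char *)once; *p != '\0'; p++)
        if (*p == 0xC0 || *p == 0xC1) { flags |= F_OVERLONG; break; }
    return flags;
}

/* Constructed sample log: one benign request and one of each probe family. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [18/Sep/2001:12:00:01 +0000] \"GET /index.html HTTP/1.0\" 200 1043 \"-\" \"-\"",
    "10.0.0.5 - - [18/Sep/2001:12:00:02 +0000] \"GET /scripts/root.exe?/c+dir HTTP/1.0\" 404 210 \"-\" \"-\"",
    "10.0.0.5 - - [18/Sep/2001:12:00:03 +0000] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 218 \"-\" \"-\"",
    "10.0.0.5 - - [18/Sep/2001:12:00:04 +0000] \"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 218 \"-\" \"-\"",
    "10.0.0.5 - - [18/Sep/2001:12:00:05 +0000] \"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 218 \"-\" \"-\"",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Flags for sample line i, or -1 when i is out of range. */
int sample_flags(size_t i) { return i < SAMPLE_COUNT ? classify_request(SAMPLE_LOG[i]) : -1; }

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("line %zu: flags=%d\n", i, sample_flags(i));
    return 0;
}
```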
Modifications to the Victim after Infection Searches for executable files on the hard drive, inserts itself into the executable, and runs whenever the executable runs. Includes: all files in the registry application path; SYSTEM.INI, so it runs every time the system boots; all folders containing .DOC files, so it runs when Word or WordPad runs; all folders containing HTM, HTML, or ASP files, so it runs when a browser opens one of these files. On NT/2000 systems, adds an account named guest to the local administrators group, gives it a blank password, and turns the account “on”. On 9x/ME systems, configures all local drives as shared for user “guest”.
NIMDA Prevention Apply Microsoft patches to IIS servers. Check for Code Red II backdoors from earlier infection. Patch Internet Explorer to eliminate automatic execution of embedded MIME types. Disable JavaScript. Don’t execute attached e-mail files.
Trojan Horses Based on the well-known story by Virgil in the Aeneid, Book II. Appears to perform a useful function, but contains code that performs an unexpected, typically not useful, possibly malicious function. Trojans include: Excel Easter Egg, NetBus, Back Orifice, Backnote, Aolfree.com. The important thing is that these codes typically advertise themselves as performing useful functions to get users to download and execute them.
Excel Easter Egg Excel 97 contained a program embedded inside the spreadsheet program – the program performed a very different and unexpected function. If the user pressed the F5 key and entered X97:L97 <enter><tab>, then held down <Ctrl-Shift> and clicked on the chart wizard... Behold: a flight simulator appeared with a rudimentary landscape that could be navigated (flown over). If the user navigated to the correct point, the names of the developers could be observed. Rather a boring program, but a classic Trojan. For others, search Google for “Easter Eggs”.
Netbus Aliases: Netbus.153, Netbus.160, Netbus.170. Distribution: typically e-mail, but found in newsgroups as well. Function: client-server application that allows a remote user to control a PC (Windows 95/98 & NT). The server is installed on the victim in the Windows directory and executes when Windows boots. It is stealthy - hides its process name, denies delete/rename access, can vary its execution schedule & remove itself. The client (at the hacker’s end) controls the system over TCP/IP and allows many functions to be performed - some really nasty.
Netbus Features Open/close the CD tray; show a BMP or JPEG image; swap mouse buttons. Start an application, play a WAV file, point the mouse to some coordinate. Show a message box and allow the victim to respond. Shut down Windows, reboot, log off, power off. Send keystrokes to the active application on the victim. Get a screenshot from the victim, return system information. Upload (push) any file to the victim. Change the sound volume, record sounds from the victim’s microphone. Download and/or delete any file on the victim’s system. Make clicking sounds every time the victim presses a key. Block certain keys on the victim’s system. ...
Back Orifice Aliases: BO, BOSniffer, CDC-BO, BOSERVE, BOCLIENT, Orifice.srv, Orifice.addon, Hacktool. Distribution: e-mail, newsgroups, bulletin boards. Function: very similar to Netbus (Netbus pre-dates Back Orifice). One of the aliases, BOSniffer, claims to be able to detect Back Orifice, while in reality it is the Back Orifice application itself.
Backnote Aliases: URLSnoop, PICTURE.EXE, MANAGER.EXE. Size: ~350 kB. Distribution: e-mail attachment and newsgroup postings. Function: copies itself to the Windows directory as NOTE.EXE and registers itself for execution when Windows boots. On execution, gathers machine information, including usernames & passwords, copies the information to an encrypted .DAT file, and attempts to e-mail the file to firstname.lastname@example.org & email@example.com.
AOL Free - A Whole Series of Trojans At one time AOL distributed AOL4FREE to Mac users. In early 1997, an e-mail went around saying AOL4FREE.COM was a destructive virus. In March 1997, the major anti-virus vendors declared AOL4FREE.COM a virus hoax. In April 1997, a real virus named AOL4FREE.COM was released - it never spread very far, but did the following: C: CD DELTREE /y *.*
Logic Bombs Program or block of code embedded in a useful program. Scheduled to execute based on some future event (time, day, if a certain user account exists or a certain file exists - many options). On the trigger day (e-day), the program executes, usually with disastrous results. 1985 Insurance Company example. Two days after an employee was fired, the bomb went off. Deleted 168,000 employee records. Perpetrator was fined $11,800 and served 7 years probation.
Prevention Measures - Better than the cure Perform regular backups of all important files. Do not introduce new media (CD, floppy, zip) to a system that has not been backed up. Better, scan all media for viruses with a current scanner. Do not open e-mail attachments, download executables, etc. unless you are sure of the source. For any software you import, scan it before opening & executing. Even some commercial software distributions have been contaminated.
Virus Scanners - Scanning & Remediation Scan the entire system including memory & disk files. Detect the presence of a virus - if the scanner knows the virus. Identifies the specific virus infesting the system. Removes the offending virus restoring the system. NOT ALWAYS SUCCESSFUL - may not recognize or remove. Then Restore from backups. Worst case, re-format the hard drive, and Rebuild the system
Virus Scanners - Early Years In the beginning, there were few viruses. Respond by: Get virus - key point is to have a copy of the virus. Examine it. Build recognizer and dis-infector. Methods used were based on how viruses infect. Used simple string scanning and pattern recognition. Memory and secondary storage locations including disk boot records were scanned. Specific bit sequences were used to identify specific viruses. Relied on known lengths to identify and remove malicious code. The volume of viruses has overwhelmed these largely manual methods.
Virus Scanners - Simple Example of Infection Adds itself to the end of an executable (any one will do). Modifies the header code to point at the virus (JUMP to virus). Saves the beginning part of the file it changed (from jump to real program to jump to virus). Layout of the infected file, as drawn on the slide: Entry Point - legitimate program header, now the virus jump code (VVVVVVV). Victim program - the legitimate program code. Exit - original exit. Virus - the virus action code. Restore victim - virus code that restores the victim so it executes. JUMP - virus return to repaired victim.
Virus Scanners - Remediation 1. Find the virus: do a string search. 2. Find original beginning of victim: after virus jump. 3. Find size of virus: look-up based on virus lab examination. Fix by: Remove jump, move original entry point back to where the jump was. Truncate the file at original end of victim, calculated from the virus size. This is: Tedious. Too slow with virus population expanding. Easily defeated by adding superfluous instructions to virus string during replication (varying size).
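The infection layout of the previous slide and the four remediation steps above, as an added worked example (not code from the lecture). The executable format, the signature TOYVIR!, and the infected sample are all constructed for illustration; the point is the cross-checks a dis-infector needs before it truncates a file, and how a variant with superfluous bytes defeats the fixed-length method the slide describes.

```python
"""Toy model of the appended-virus layout on the slides, with the four
remediation steps as functions.  The executable format is constructed for
this example:  [entry stub: 4 bytes][program body][b"EXIT"].  After
infection the entry stub is a jump to virus code appended past the original
end of file, and the virus carries the saved original entry stub so that it
can restore the victim before returning to it."""

SIG = b"TOYVIR!"   # the bit sequence the string scanner searches for (constructed)
ENTRY_LEN = 4      # size of the entry stub that the virus overwrites
RET = b"RET"       # marks the virus's "return to repaired victim" (constructed)


def build_clean_image(body: bytes) -> bytes:
    """Clean toy executable: stub 'E' + 3-byte body length, body, then EXIT."""
    return b"E" + len(body).to_bytes(3, "little") + body + b"EXIT"


def build_infected_sample(clean: bytes, payload: bytes) -> bytes:
    """Constructed lab sample of an infected file (the 'get virus' step of the
    early-years slide): the entry stub becomes 'J' + offset of the appended
    virus, and the appended region is SIG | saved entry stub | payload | RET."""
    saved_entry = clean[:ENTRY_LEN]
    jump_stub = b"J" + len(clean).to_bytes(3, "little")
    return jump_stub + clean[ENTRY_LEN:] + SIG + saved_entry + payload + RET


def virus_length(payload_len: int) -> int:
    """Step 3: the virus size comes from lab examination of a sample; for the
    toy layout it follows directly from the layout."""
    return len(SIG) + ENTRY_LEN + payload_len + len(RET)


def find_virus(image: bytes) -> int:
    """Step 1: string search for the signature.  Returns the offset or -1."""
    return image.find(SIG)


def disinfect(image: bytes, virus_len: int) -> bytes:
    """Steps 2-4: locate the virus, recover the original entry stub from the
    virus body, put it back, and truncate at the original end of the victim.
    Every cross-check must agree; a length mismatch is exactly the failure
    mode the slide warns about (padded variants), so refuse rather than guess."""
    pos = find_virus(image)
    if pos < 0:
        raise ValueError("signature not found: not infected with this toy virus")
    if image[:1] != b"J":
        raise ValueError("entry stub is not a virus jump: layout not understood")
    jump_target = int.from_bytes(image[1:ENTRY_LEN], "little")
    if jump_target != pos:
        raise ValueError("jump target disagrees with signature offset")
    original_end = len(image) - virus_len   # original end computed from virus size
    if original_end != pos:
        raise ValueError("virus length mismatch: variant with superfluous bytes?")
    saved_entry = image[pos + len(SIG): pos + len(SIG) + ENTRY_LEN]
    return saved_entry + image[ENTRY_LEN:original_end]


if __name__ == "__main__":
    clean = build_clean_image(b"hello world program")
    infected = build_infected_sample(clean, b"PAYLOAD")
    print("signature found at offset", find_virus(infected))
    print("restored == clean:", disinfect(infected, virus_length(7)) == clean)
```

Feeding `disinfect` a sample whose payload carries three extra bytes makes the computed original end disagree with the signature offset and the function refuses; that refusal is the safe behaviour, and the next slide's wildcard scanning is the response to the variant problem.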
Virus Scanners - Anti-Virus Developers Added wild card scanner, looking only for special signatures. Heuristic scanning rules to look for generic behavior. Add integrity checks to executables, test before execution. Trouble was: Signature database grew to be cumbersome Scanning got slower and intrusive Move has been to more generic scanners, interception of suspicious behavior (e.g., writing to master boot blocks).
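Two of the counter-measures on this slide, wildcard signatures and an integrity check before execution, as an added example (not from the lecture). The signature syntax, the rule names, and the sample file contents are constructed: `??` stands for any one byte and `[m-n]` for between m and n arbitrary bytes, so a variant that pads its body with superfluous bytes still matches the generic rule while the exact rule misses it.

```python
"""Wildcard signature scanning and a pre-execution integrity check.  The
signature syntax, names and file contents are constructed for this example:
a signature is space-separated hex bytes, '??' matches any one byte and
'[m-n]' matches between m and n arbitrary bytes."""
import hashlib
import re


def compile_signature(sig: str):
    """Translate the wildcard signature into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed toy signatures; both describe the toy string b"TOYVIR!"
SIGNATURES = {
    "ToyVir.A (exact)":      "54 4F 59 56 49 52 21",
    "ToyVir.gen (wildcard)": "54 4F 59 [0-8] 56 49 52 21",
}
COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes):
    """Return the names of every signature found in the data, in database order."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def build_baseline(files):
    """Integrity check, part 1: record a SHA-256 of each executable while it is
    known good.  files maps path -> file bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def ok_to_execute(path: str, data: bytes, baseline) -> bool:
    """Integrity check, part 2: run only if the file still hashes to its
    recorded baseline.  A path with no baseline entry fails closed."""
    expected = baseline.get(path)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    print(scan_bytes(b"PROGRAM TOY\x90\x90VIR! END"))   # only the wildcard rule fires
    base = build_baseline({"PROG.EXE": b"original code"})
    print(ok_to_execute("PROG.EXE", b"original code" + b"appended virus", base))
```

The integrity check catches any appended virus regardless of whether a signature exists for it, which is why the slide lists it alongside scanning; its cost is that the baseline must be rebuilt after every legitimate update, and a hash cannot say what changed, only that something did.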
Modern Scanners Memory resident - scan every file on access On-line profile updates - to keep database current Signature scanning - looking for unique signatures Generic decryptors: Operate in single step instruction mode. Scan for suspicious activity. Simulators - Emulate instruction execution in a virtual mode - don’t actually execute the instruction on the real machine, execute it in a protected “sandbox” while observing behavior. Combine simulation and signature analysis.
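The generic-decryptor and simulator idea on this slide, as an added example (not from the lecture): a sandboxed single-step emulator for a constructed toy instruction set runs a sample whose body is XOR-encrypted, and a signature scan of the emulated memory finds what a scan of the stored file cannot. The opcodes, the sample and the signature are all constructed; no real CPU or malware is modelled. The emulator also counts writes into the program's own image, one of the "virus signs" the next slides list.

```python
"""A generic decryptor in miniature: single-step emulation of a constructed
toy instruction set in a private copy of memory (the sandbox), followed by
signature analysis of that memory.  Opcodes, sample and signature are
constructed for this example."""

SIG = b"TOYVIR!"      # constructed signature of the decrypted body
MAX_STEPS = 10_000    # emulation budget: never let a sample run unbounded

# Constructed toy opcodes: SETKEY k | SETPTR lo hi | SETCNT n | XORSTEP | LOOP back | HALT
OP_SETKEY, OP_SETPTR, OP_SETCNT, OP_XORSTEP, OP_LOOP, OP_HALT = 1, 2, 3, 4, 5, 0xFF


def emulate(image: bytes, max_steps: int = MAX_STEPS) -> dict:
    """Single-step the image in a sandbox copy of memory and return the final
    memory plus observations a heuristic engine would score."""
    mem = bytearray(image)
    pc = key = ptr = cnt = steps = self_writes = 0
    halted = False
    try:
        while steps < max_steps and pc < len(mem):
            op = mem[pc]
            if op == OP_SETKEY:
                key, pc = mem[pc + 1], pc + 2
            elif op == OP_SETPTR:
                ptr, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
            elif op == OP_SETCNT:
                cnt, pc = mem[pc + 1], pc + 2
            elif op == OP_XORSTEP:            # decrypt one byte in place
                if ptr < len(mem):
                    mem[ptr] ^= key
                    self_writes += 1          # write into its own image: self-modifying code
                ptr, cnt, pc = ptr + 1, cnt - 1, pc + 1
            elif op == OP_LOOP:               # jump back while the counter is positive
                pc = pc - mem[pc + 1] if cnt > 0 else pc + 2
            elif op == OP_HALT:
                halted = True
                break
            else:                             # unknown opcode: stop, never guess
                break
            steps += 1
    except IndexError:                        # operand past end of image: malformed, stop
        pass
    return {"memory": bytes(mem), "steps": steps,
            "self_writes": self_writes, "halted": halted}


def build_encrypted_sample(plain_body: bytes, key: int) -> bytes:
    """Constructed lab sample: an 11-byte decryptor stub followed by the body
    XOR-encrypted with key.  The stub decrypts the body in place, then halts."""
    body_start = 11
    stub = bytes([OP_SETKEY, key,
                  OP_SETPTR, body_start & 0xFF, body_start >> 8,
                  OP_SETCNT, len(plain_body),
                  OP_XORSTEP,
                  OP_LOOP, 1,          # back one byte, onto XORSTEP
                  OP_HALT])
    return stub + bytes(b ^ key for b in plain_body)


def static_scan(image: bytes) -> bool:
    """Plain signature scan of the file as stored on disk."""
    return SIG in image


def emulated_scan(image: bytes) -> bool:
    """Signature scan of memory after emulation: sees the decrypted body."""
    return SIG in emulate(image)["memory"]


if __name__ == "__main__":
    sample = build_encrypted_sample(SIG + b" evil payload", 0x5A)
    print("static:", static_scan(sample), " emulated:", emulated_scan(sample))
```

The step budget matters: a real sample can loop for a long time before decrypting, so a scanner has to decide how much emulation it can afford per file, which is the "scanning got slower" trade-off from the previous slide.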
Combining Simulation & Signatures - Virus Signs: 1. Encryption. A code decryptor is found. 2. Attempts to Open an executable file. 3. Suspicious file access (certain files like system files). 4. Time/date event trigger routines (time/date test). 5. Memory resident code. 6. Interrupt hooks. 7. Undocumented interrupt calls.
Combining Simulation & Signatures - Virus Signs (more): 8. Self-Relocation in memory, especially if non-standard. 9. Programs that scan for memory size. 10. File search code - search for exe, com, bat files. 11. Strange memory allocation. 12. Replication - the code overwrites the start of other codes. 13. Anti-debugging code. 14. Direct disk access - not by OS call.
Combining Simulation & Signatures - Virus Signs (more): 15. Use of undocumented DOS features. 16. Program checks for .exe, .com extensions. 17. Program load trap. 18. Attempts to perform BIOS access. Continuing effort on the part of the virus developers to void the actions of the anti-virus community, and by the anti-virus community to stay even with the virus developers. Very much like the real world of biological viruses.
Summary Detect - based on samples of the virus contributed to an anti-virus vendor for action. Analysis I - vendor observes the code and determines whether it is reliably detected with existing signature and heuristics capability. Analysis II - determine the method to remove the virus by defining the entry point & length. Remediation - write dis-infecting code for the specific virus. Distribution - update profile, signature, and remediation library for on-line distribution.