IST-454 Topic 12a: Malicious Code Forensics

What is malicious code? (aka malware)
Any program code (application, system, document, etc.) that seeks to alter the correct execution of a program or the processing of a system, in order to:
• Compromise security
• Steal information
• Acquire control
• Deny or degrade service
• Provide a vector for any of the above
Not all malware is malicious, but for purposes of this topic we will assume it is.

Malware forensics
Serves a number of possible purposes:
• Detection and removal
• Examination and understanding
• Malware causes significant losses to organizations
• Malware could be part of a larger intrusion or compromise
• Targeted malware is increasingly used in cyber-crime and cyber-warfare

Malware forensics
Example 1:
• An IDS detects unusual network activity off-peak; system scans reveal malware that had been acting as a spambot; forensic approaches identify and remove the malware; analysis seeks to determine how the malware intrusion happened.
Example 2:
• New malware is discovered in software for an air traffic control system. Analysis shows the malware intercepts airplane ID and radar data and potentially mis-displays data for controllers. Further analysis indicates the origin was removable storage purchased from a foreign subsidiary.

Malware Taxonomy
• Note that these categories are not mutually exclusive: a given sample of malicious code may have properties from a number of these categories. Do not get hung up on names.
• Vector: the method of infection. Early forms of malicious code were transferred exclusively via floppy disk or intentionally written into software; today there are many vectors: network, hidden code (i.e. Trojan), e-mail, etc.
Malware Taxonomy
• Virus
  • Replicating code segment
  • Not a complete program; requires an external execution engine
  • Often accomplished by embedding itself in another program or in a document that is interpreted by a run-time system
  • Can be written to be specific to an operating system, processor or application environment
  • The name 'virus' comes from the similarity with biological viruses
  • A virus has two levels of activation:
    • Replication
    • Detonation or activation
  • Detonation happens only after the virus has had a chance to replicate

Malware Taxonomy
• Worm
  • Self-replicating code segment
  • Installs as a process in a multi-processing system
  • Exploits the network to copy itself to other systems
    • Parents may expire, giving the illusion of movement through the network; hence the name 'worm'
  • The first worm was built at Bell Labs to scan the network for a resource inventory
  • The initial vector for a worm infestation need not be via the network
    • Could be via a Trojan

Malware Taxonomy
• Logic Bomb
  • Also known as 'Easter eggs'
  • Programmed malfunctions or 'unintended' functions
    • Some Easter eggs were gifts to users
    • An early Windows version contained a simple Doom-like game as an Easter egg
  • Many early logic bombs had legitimate uses:
    • Activate debugging code
    • Allow for managerial super-user access
    • Disable software after the license had expired
  • Logic bombs are often built into other forms of malware, for example a virus set to detonate on a specific date
    • Such as April 1

Malware Taxonomy
• Trojan Horse
  • A program embedded within another program
    • The purpose is to trick the user into installing the outer program; once installed, the Trojan can execute
    • Many early Trojans were in the form of games or screen-savers
  • The Trojan itself could be a worm, virus, adware, spyware, etc.
  • Early Trojans on mainframes were used for theft

Malware Taxonomy
• Exploit Code
  • Purposely installed on a computer to support further exploits
  • Examples include auto-rooters, rootkits and penetration tools
  • A rootkit is a tool installed after system control is gained, to modify logs, create backdoors, etc.

Malware Taxonomy
• Downloader
  • Gains a foothold and downloads other malware
  • Many bots work this way
• Dialer
  • Used with a modem to dial special numbers
  • Potential exists for use with smart phones

Malware Taxonomy
• Code Generator Kits
  • Code kits used to create malware or slight variations on malware
  • Also known as virus kits
  • 'Virus Creation Laboratory' (VCL) was an early code kit
    • Released in July 1992 by a hacker with the name 'Nowhere Man'
    • It turned out that many of the viruses created were ineffective or would not compile

Malware Taxonomy
• Spammers
  • Code that causes an e-mail program to generate spam mailings
• Flooders
  • DoS tools, DDoS tools
  • Typically employed by botnets
• Keyloggers
  • Log keystrokes and send them to a remote server

Malware Taxonomy
• Other
  • Hoax messages
    • Result in wasted effort/time
  • Adware
    • Delivers targeted ads
  • Spyware
    • Gathers data about the user
  • Phishing attacks
    • Social engineering tactic

Malware Example
In 2005, Sony BMG released music CDs containing extended copy protection (XCP) software.
This software was functionally a rootkit that installed hidden files with no notification to the user; a special uninstaller was required to remove the software. Simply playing the music CD in a Windows machine resulted in infection.
NPR story: http://www.npr.org/templates/story/story.php?storyId=4989260

Focus on Virus
"A computer virus is a program that recursively and explicitly copies a possibly evolved version of itself." (Peter Szor, 2005)
Key aspects of this definition:
• Recursively: viruses operate on their own output
• Explicitly: the copy is specifically intended, as opposed to resulting from a side-effect of some other action
• Possibly evolved: the virus may alter itself over time (metamorphism)

Focus on Virus
• First academic description by John von Neumann (1949), who described how a computer program could be designed to reproduce itself
• In 1972 Veith Risak published an article describing a fully-functional assembler virus for a Siemens 4004/35 computer
• In 1984, Fred Cohen (USC) wrote a paper that coined the term 'virus' for replicating software; it was the first academic paper using the term 'virus'

Focus on Virus
Science fiction:
• David Gerrold used the term 'virus' to denote a self-replicating program in a Galaxy Magazine short story in 1969
• Michael Crichton's 'The Terminal Man' describes a program that randomly dials phone numbers until it reaches a computer, then programs that computer to do the same thing, expanding exponentially

Focus on Virus
• The first virus anywhere was 'Creeper', developed by Bob Thomas at BBN Technologies (1971), using ARPANET to infect DEC PDP-10 computers running TENEX
  • The Reaper program was written to eradicate Creeper
• Elk Cloner, written in 1981 by Richard Skrenta as a practical joke, spread through floppy disk to Apple DOS 3.3; it was the first virus in the wild
• The first IBM-PC virus in the wild was (c) Brain, created by the Pakistani Farooq Alvi brothers

Focus on Virus
What is the difference between 'replicating' and 'self-replicating'?
• For a virus to replicate, another program or action must allow it access to execute in memory
  • This is typically accomplished by exploiting the run-time or execution environment of another program
• A worm is 'self-replicating' because it is a complete program with access to memory

Focus on Virus
• For virus code to execute successfully, it must match the execution environment
• Many execution environments exist, e.g. an MS Office macro invoking a Java method on a Windows XP machine running on an x86 processor
• Any given virus can only be successful if its code matches all of the various dependencies
• Homogeneous environments, such as Java and MS Office, provide execution environments across many lower-level environments
• Dependencies:
  • CPU: differences between families and within a family (backward compatibility, extensions such as MMX, prefetch queue, etc.)
  • Operating system: different OSs and different versions of an OS
  • File system: a virus may modify file system metadata (e.g. FAT); NTFS stream-based hiding
  • File format: COM, EXE, DLL, ELF, etc.
  • Interpreter: Office macros, shell languages, VBScript, JScript, etc.

Virus Stealth
• Read request intercepts
  • The virus injects code replacing the OS code that handles read requests
  • The injected code then intercepts a request to read a file that is infected
  • After executing, the injected code returns the uninfected file
  • This circumvents AV that would otherwise detect the infected file
• File hashes used to identify altered Windows files can be overwritten so that System File Checker will report that files are originals
• The only reliable way to avoid stealth is to boot from a medium that is known to be clean

Virus Stealth
• Self-modification
  • The virus alters itself upon each replication to attempt to foil AV software looking for identification strings
• Variable-key encryption
  • The virus consists of a small decryption module and encrypted viral code
  • A different encryption key is used for each replication

Virus Stealth
• Polymorphic code
  • Creates both encrypted code and a modified decryptor
• Metamorphic code
  • The virus is completely re-written on each replication; this technique is complex and bulky

General Protection
• Good anti-malware and anti-spyware
  • Run regularly and keep updated
  • Anti-malware and anti-spyware can look for different kinds of malware; it is useful to have both installed
• Good firewall
  • Set for least access
  • Periodically re-examine rules
  • Pen testing on the network is important to determine vulnerabilities
  • Perimeter, server and desktop defenses

General Protection
• Good intrusion-detection system
  • Provides notification of unusual network or server activity
• Least-privilege accounts and care in Web browsing
  • LPA can prevent up to 70% of malware
  • Many Web sites provide infection via cross-site scripting
• Good vulnerability patch management
  • Some malware exploits known vulnerabilities that could have been patched

Network Telescopes and Honeypots
• A commonly used monitor for worm activity is the network telescope
  • Network telescopes monitor large segments of dark, or unused, address space containing few, if any, production hosts
  • No or very little legitimate traffic is expected to be observed targeting telescope address space
• A honeypot can be used to gather data for a controlled intrusion
  • A server/service configured specifically to gather worm or bot data

In general it is far easier to prevent infection than to recover from infection!

Reverse Engineering
• Technique used to identify malware and determine its methods, targets and possibly origins
• Requires knowledge of assembly language
  • Beyond the scope of 454, but many resources for learning AL exist
• Requires isolated systems and/or networks
  • To prevent malware from 'escaping'
  • Use of a virtual machine may help
• Requires in-depth systems knowledge
  • Malware may reveal itself in altered or unusual process/server activity
• Requires specialized tools
  • Disassembler, hex editor, etc.
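How the network telescope slide turns "traffic into dark space" into a worm-scan alert, as an added example that is not part of the course slides: the telescope block, the flow records and the threshold are all constructed, and the logic is the usual one of counting distinct dark addresses probed per source.

```python
"""Worm-scan detection over a network telescope (added example).

A telescope watches a block of dark (unused) address space, so almost any
packet aimed there is suspicious. Given flow records (constructed sample
data below), count how many distinct dark addresses each source probes and
flag sources that sweep the block, the signature of a scanning worm.
"""
import ipaddress
from collections import defaultdict

# Dark address space monitored by the telescope. Constructed: this is the
# documentation-only 203.0.113.0/24 block, not a real telescope.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.1", 445),
    ("198.51.100.7", "203.0.113.2", 445),
    ("198.51.100.7", "203.0.113.3", 445),
    ("198.51.100.7", "203.0.113.4", 445),
    ("198.51.100.7", "203.0.113.5", 445),
    ("192.0.2.10", "203.0.113.9", 80),     # a single stray probe ...
    ("192.0.2.10", "203.0.113.9", 80),     # ... repeated to the same host
    ("192.0.2.44", "198.51.100.20", 22),   # not telescope space: ignored
]

def telescope_hits(flows):
    """Return {source: set of dark destinations} for traffic into the telescope."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        if ipaddress.ip_address(dst) in TELESCOPE:
            hits[src].add(dst)
    return hits

def scanning_sources(flows, min_dark_hosts=4):
    """Sources that touched at least min_dark_hosts distinct dark addresses.

    A worm sweeping the block hits many dark hosts; a misconfiguration or a
    typo usually hits one. The threshold is a tuning knob, not a hard rule.
    Returns a sorted list of (source, number of dark hosts probed).
    """
    hits = telescope_hits(flows)
    return sorted((src, len(dsts)) for src, dsts in hits.items()
                  if len(dsts) >= min_dark_hosts)

if __name__ == "__main__":
    for src, n in scanning_sources(SAMPLE_FLOWS):
        print(f"possible worm scanner {src}: {n} dark hosts probed")
```

On real telescope data the same per-source fan-out count is what separates a sweeping worm from background misdirected traffic; the destination port distribution (all 445 above) is the next thing an analyst looks at.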
Malware Analysis Process (from the Reverse Malware Cheat Sheet by Larry Zeltser)
• Set up a controlled, isolated laboratory
• Examine the specimen's interactions with its environment
• Perform static code analysis
  • Will involve reverse engineering of the malware code at various stages
• Perform dynamic code analysis
  • Examine code activity in detail

Malware Analysis Process (from the Reverse Malware Cheat Sheet by Larry Zeltser)
• If necessary, unpack the specimen
• Allow it to infect the target system/network, under carefully controlled conditions
• Repeat until sufficient analysis objectives are met
• Document findings and clean up the laboratory; wipe all systems

Malware Behavioral Analysis (from the Reverse Malware Cheat Sheet by Larry Zeltser)
• Be prepared to revert to a known state via dd, VMware snapshots, CoreRestore, or other tools
• Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions
• Detect major local changes (RegShot, Autoruns)
• Redirect network traffic (hosts file, DNS, Honeyd)
• Activate services as needed to evoke new behavior from the specimen (IRC, HTTP, SMTP, etc.)
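The "detect major local changes" step of the behavioral analysis slide, as an added example that is neither from the cheat sheet nor from the course: a RegShot-style before/after snapshot diff with an Autoruns-style view of persistence locations. The snapshots, paths, hashes and registry values are constructed.

```python
"""Snapshot differencing for behavioral analysis (added example).

Mirrors what RegShot does in the lab: snapshot the system before running
the specimen, snapshot it again afterwards, and report what was added,
removed or modified. A snapshot here is a dict mapping a file path or
registry value name to its content hash or data (constructed values).
"""
import hashlib

# Constructed "before" snapshot of a lab VM (paths and values are made up).
BEFORE = {
    r"C:\Windows\System32\drivers\etc\hosts": "sha256:aaaa",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": "updater.exe",
    r"C:\Users\lab\Desktop\specimen.exe": "sha256:bbbb",
}
# Constructed "after" snapshot: hosts file rewritten, a new Run value and a
# dropped file appeared, and the specimen deleted itself.
AFTER = {
    r"C:\Windows\System32\drivers\etc\hosts": "sha256:cccc",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater": "updater.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32": r"C:\Windows\Temp\svchost32.exe",
    r"C:\Windows\Temp\svchost32.exe": "sha256:dddd",
}

# Registry paths that start programs at logon; the places Autoruns watches.
AUTORUN_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")

def hash_content(data):
    """How a real snapshot entry for a file is made: hash the file's bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def diff_snapshots(before, after):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, sorted."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return {"added": added, "removed": removed, "modified": modified}

def persistence_changes(diff):
    """Entries in the diff that touch autorun locations (new persistence)."""
    touched = diff["added"] + diff["modified"]
    return [k for k in touched if any(m in k for m in AUTORUN_MARKERS)]

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    for kind in ("added", "removed", "modified"):
        for key in d[kind]:
            print(f"{kind:8} {key}")
    print("persistence:", persistence_changes(d))
```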
Bot and Botnet
• A bot is a zombie computer
• Bot software is downloaded and installed, often as a rootkit
• Bots connect through TCP/IP to a controller (mother ship)
• Bots can be reprogrammed from the controller
• Botnets are used to launch spam and DDoS

Bot and Botnet
• Case study: Storm Botnet
  • By Sep 2007 it was running on between 1 and 50 million computers worldwide (at one point 8% of all Windows malware)
  • The vector was XSS; it used phishing to get users to activate a Web link
  • Used in a variety of criminal activities, including DDoS and spam
  • Has displayed defensive behaviors
  • The developers have not been caught yet; believed to have originated in Russia
  • It is believed that the code has been sold to other hacker groups

Case study - Stuxnet
• Computer worm first analyzed in July 2010
• First known case of a 'targeted' worm that attacks industrial control systems
  • Spreads indiscriminately, but contains a payload that targets Siemens control systems
  • Believed to have been targeted against the Iranian nuclear fuel enrichment program
  • Analysts believe it was created by a nation-state, possibly US/Israel

Case study - Stuxnet
• First appeared June 2009; improved variants in March and April 2010
• Primarily found in 8 countries, but over 60% of infections were in Iran
• Makes itself inert if it does not detect Siemens control software
• 3-layered attack:
  • Windows zero-day vulnerabilities
  • Step 7 industrial application
  • Siemens PLC

Case study - Stuxnet
• Two vectors:
  • USB storage
  • P2P RPC
• Contains a 'man-in-the-middle' attack to fake industrial process control sensor signals
  • So damage is not detected until too late
• Believed to have specifically targeted fuel enrichment centrifuges

Case study - Stuxnet
• Contains both user-mode and kernel-mode rootkits
• Valid digital certificates stolen from VeriSign were used to avoid driver detection
• Web sites in Denmark and Malaysia served as command-and-control centers
• Utilized 4 zero-day Windows vulnerabilities
• Infects project files for Siemens WinCC/PCS 7 SCADA controllers
  • Subverts a key communications DLL to avoid detection

Case study - Stuxnet
• Stuxnet is VERY sophisticated
  • Indicates a multi-level, evolving attack strategy
  • Believed to have been developed as a targeted cyberwarfare weapon
  • Has raised awareness among cyber-security commands
  • Similar attacks could target power grids, communications, oil refineries, shipyards, etc.
  • (See the movie 'Eagle Eye' for hypothetical potential)

Case study - Duqu
• In Sept 2011 researchers found a Stuxnet variant
  • Named Duqu for the repeating letters DQ
  • Discovered by researchers at Budapest University of Technology and Economics
  • Written in various code: mostly C++ but also 'Object-oriented C' (a little-known variant from the 1980s)
    • May indicate 'old school' programmers

Case study - Duqu
• Appears designed to gather information about vulnerabilities in industrial systems control code
• Some analysts believe it was authored by the same people who authored Stuxnet
• A new variant was discovered by Symantec in Feb 2012
  • So work on it appears to be continuing

Case study - Flame
• Discovered in 2012; infects the MS Windows OS
• Appears to be targeted for espionage in Middle Eastern countries
• According to Kaspersky, most infections have been in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt

Case study - Flame
• Written in the Lua scripting language with C++ components
• Downloads other components
• Uses 5 different encryption methods
• Stores structured information in a SQLite DB
• Identifies any installed AV software and customizes itself to avoid detection

Case study - Flame
• Spreads via USB stick and network
• Uploads local documents
• Can intercept Skype communications
• Although apparently targeted at the Middle East, the possibility of further spread exists
• Some analysts suspect Flame originated with Israel, or with the Stuxnet authors

Summary
• Malware poses a unique challenge to security
• Forensic analysis of malware can be useful in determining its purpose, methods, targets and possibly origins
• Malware forensic analysis requires knowledge of assembly language, knowledge of systems, access to special tools and access to isolated systems
• Check the 454 resources page for links to articles, tutorials and tools for malware forensics