Download Michael and Leena`s slides

Networking & Malware
CS 598: Network Security
Michael Rogers & Leena Winterrowd
March 26, 2013
Types of Malware
Image courtesy of prensa.pandasecurity.com
Types of Malware
No
standardized
definitions!
Viruses 16,82%
Trojan horses
69.99%
Viruses
•
Programs capable of selfreplication
•
Spread to other systems
•
Cannot execute on their own
•
Must attach themselves to
other programs
Effectively need userinteraction to spread
•
Worms
•
Standalone programs
•
Self-replicating
•
Rely on exploits to selfexecute
•
Self-propagating
•
No user interaction!
Ye Olde Computyre Virus
Thou hast presently received ye olde virus!
Since it doth not useth 'electricitee' or
'computyres', thou art on ye olde 'Honore Systeme'.
Please deleteth all of thy files from thy hard drive
and forward ye olde virus to thy friends.
Trojans
•
Masquerade as legitimate
files
•
Often 'gifts' or free
downloads
Gives (unauthorized)
access to a system
•
•
Most often propagated
with worms
•
Most often contains
spyware
Backdoors
•
Bypass security to directly access
data/service
•
Often default/hard-coded
password
•
Maintain undetectability
•
Example (2003):
•
2-line Linux kernel change:
http://kerneltrap.org/node/1584
•
Frequently used by worms
Rootkits
•
Hide existence of a payload
•
Payload is often a trojan
•
Generally subvert/disable security programs
•
Usually enable root access (elevated privilege)
•
Modern rootkits do not do this!
•
Most often perform injection:
•
Enable a backdoor
•
Replace a library
•
Hide on devices or in BIOS
•
CompuTrace & LoJack
DAEMON Tools is actually a
beneficial rootkit!
(Intercepts Windows API calls)
Spyware
•
Collects information
without user
knowledge/permission
•
Often trojans
•
May be intentional
•
Keyloggers
Adware
•
•
Automatically renders
ads
Generates money for
developer(s)
•
Often intentional
•
Ideally non-intrusive
Typhoid Adware
• An infected machine poses as
the legitimate access point
• Intercepts and hijacks other
users connections via ARP
spoofing
• The infected machine inserts
ad-content into video
streams
• Infected machine shows no
symptoms
• Only a NAT-box proxy
Paper available at:
http://pages.cpsc.ucalgary.ca/~aycock/papers/eicar10.pdf
Infection Mechanisms
•
•
Droppers
o
Inject malware (single-stage)
o
Download malware to the machine (two-stage)
o
Pretend to be legitimate programs (Trojans)
o
Injector: dropper which installs to memory only
Drive-By Downloads
o
Placed on systems by compromised websites
o
Serves as point of entry for other malware
o
Recent Example: FBI virus (Java exploit)
Image courtesy of http://www.technobuffalo.com
Infection Mechanisms
•
•
•
•
•
•
•
•
•
DECEPTION!
Exploitation
OS design defects
o Zero-day
o Unpatched
Software bugs
Privilege elevation
Preexisting (related or unrelated) backdoors
'Auto-run' on removable devices (USB, CD, etc.)
Purposely install malicious code
Physical access
Image courtesy of http://www.technobuffalo.com
Well-Known Malware
Examples
Stuxnet
•
In June 2010, VirusBlokAda discovered an
unprecedented type of Malware – Stuxnet.
•
But what made Stuxnet different?
(usu < 1KB)
Stuxnet's Infection Mechanisms
• Infected Windows systems via USB (auto-run)
3 infections/drive; self-replicates to removable drives
• Worm attempts to spread to any Windows system for 21 days
• Systems were 'air-gapped' (not connected to internet)
• Uses four zero-day Windows exploits
o
o
o
o
o
Copies itself through LAN via a print-spooler exploit
Spreads through SMB
Exploits a Windows Server Service RPC vulnerability (same as Conficker
worm; patched in 2008)
2 escalation of privilege vulnerabilities
Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
Stuxnet's Propagation Mechanisms
• Spreads via network shares
• Looks for and injects itself into specific control software project
o
Software has a hard-coded password
o
Copies to server via SQL injection
• Can self-update or report data via 'command & control' servers
o
Self-updating via LAN or p2p
• Contained a Windows rootkit to further avoid detection
• Digitally signed with stolen certificates from Realtek & Jmicron
Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
What did Stuxnet do?
Speed
Settings
Centrifuge
• Targeted Siemen's 315 and 417 PLCs
o
Fingerprinted by model number, configuration, and actual
PLC code
• Exploited a driver DLL to copy itself to the PLCs
• Changed frequency controller drives' speeds
o
o
Alternated between slowing down and speeding up the
normal frequency
Could cause a PLC-controlled centrifuge to fly apart over
time
Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
Flame
•
"Arguably the most sophisticated malware
ever found"
o
~20 MB
•
Spreads via LAN or USB
•
Compromised Microsoft code-signing
certificate
o
•
MD5 chosen-prefix collision attack
Modular design
What did Flame do?
•
Steals information
•
Records Skype calls
•
Activates Bluetooth
o
•
Steals information from other Bluetooth devices
Communicates information back to
command & control server and awaits further
instructions
DNSChanger
•
Drive-by download claiming to be a required
video codec
•
Modified DNS config to go through a rogue
name server
•
Injected/substituted advertising on web pages &
redirected some links
•
Could spread within a LAN
•
o
Mimicked a DHCP server
o
Pointed others towards the rogue DNS servers
Perpetrators apprehended, but rogue DNS
servers left running for fear of knocking infected
machines off the internet
Nimda
•
Virus/worm hybrid
•
Infected via multiple avenues
o
Email
o
Network shares
o
Compromised websites
o
Microsoft IIS vulnerability exploits
o
•
Backdoors left by other worms (Code Red II and
sadmind/IIS)
Became the internet's most widespread worm
within 22 minutes
Why Malware is Written
•
'For teh lulz' (entertainment value)
o
•
To show off
o
•
Attacks may act as the victim
Sociopolitical
o
o
o
•
Exploit remote systems as a show of skill
Anonymity
o
•
Causing distraction or destruction just because it's
amusing
Anonymous, Lulzsec, hacktivists
Stuxnet & Flame
May cause physical damage! (Stuxnet)
For profit
Malware for Profit
•
Spyware
o
o
o
•
Botnets
o
•
Cloud-based attacks (DDOS, click fraud, spam)
Adware/scareware/ransomware
o
•
Gain personal information for various purposes
Targeted marketing or identity theft
Corporate espionage/sabotage
Directly bilk money from victims
Recursive
o
o
Sell dropper/backdoor kits
Promote further infection
Malware Propagation
Target Selection
•
Completely targeted
•
Semi-targeted
•
Brute-force/random
•
Pseudorandom
•
Diffusion
Completely Targeted
•
•
•
Predetermined list of targets
Common to spam/phishing
Tend to employ social engineering
techniques
Semi-Targeted
•
•
•
Takes a good guess at the next target
Often target machines on the local
network (worms)
Uses the concept of homogeneity
Exploit one in network → may be able
to exploit all
E-mail contact lists (trojans)
o
•
Brute-Force
•
•
Port-scanning and IP scanning the
entire address space
Often start from a randomized offset
and skip around
Pseudorandom
•
•
•
Brute-force with restrictions (for better
performance)
Example: Blacklist known
darknet/honeypot addresses
Example: Prioritize IPs belonging to a
specific country
Diffusion
•
•
•
•
Design malware to use alternate
channels of infection (USB drives or
smartphones)
Hope someone plugs the wrong thing in
the wrong place
Can be random or targeted
Targeted often requires research on
habits/behaviors of individuals in the
target environment
Actual Propagation
•
Self-propagation
•
Social engineering
•
Secondary infections
•
Malicious code sources:
o
From central source
o
From infector
o
Inject as part of exploitation
Self-Propagation
•
Uses exploits on the remote machine to selfinstall
•
Examples:
o
o
o
Unpatched network daemons (several in older
versions of Samba)
Insecure driver code (thumb drives and other
out-channel exploits)
Insecure system settings (autoplay, no UAC)
Social Engineering
•
Sends a copy of the malware disguised as
something innocuous
o
•
"Funny cat video!.mpg.exe"
Spread by malicious user, unwitting infected
user, or the malware itself
Secondary Infections
•
Create an artificial vulnerability or exploit
•
Serves as the vehicle for other malware
•
Primary approach of droppers & backdoors
Honeypots
•
Detection mechanism that exploits random/pseudorandom
propagation
o Pose as a vulnerable system
•
•
o Capture malware samples
Often run by known organizations
o Known IP spaces = easy to avoid
Low interaction honeypots
o Emulate aspects of a vulnerable system
•
o Safer but only emulate specific aspects
High interaction honeypots
o Actual full systems/VMs
o Specialized firewall
o Infection (hopefully) cannot spread
Communication and
Control
Four different classifications
• Uncontrolled and silent
• Controlled and silent
• Uncontrolled and noisy
• Controlled and noisy
Uncontrolled and Silent
• No interaction with programmer in either direction
• No transmitting of information back to source
• Behavior must be pre-programmed, e.g. Stuxnet
• Often used simply to cause destruction
Uncontrolled and Silent
• Pros
• Cannot be disrupted by compromising command method
• Less likely to be detected by network monitoring (under
correct conditions)
Uncontrolled and Silent
• Cons
• No dynamic control
• Cannot be used for data theft, reconnaissance
Controlled and Silent
• Can receive commands
• Numerous channels available, such as IRC, DHT, Google link
bombing, establishing direct network contact, P2P networks,
file drops
• Does not transmit information
• Often used for targeted attacks, occasionally used for
botnets, planting backdoors
Controlled and Silent
• Pros
• Behavior can change dynamically after launch in direct
response to controller
• Less likely to be detected by network monitoring (under
correct conditions, initially)
Controlled and Silent
• Cons
• Cannot be used for data theft, reconnaissance
• Can be disrupted or even destroyed by subversion of
command mechanism
Uncontrolled and Noisy
• Can communicate information about infected systems
• Methods include file drops on a central server or to online
hosting services (e.g. Mega), IRC channels, P2P services
• More useful for reconnaissance, smash-and-grab
Uncontrolled and Noisy
• Pros
• Easiest for ‘blitz’ style attacks
• Good for blind mapping
Uncontrolled and Noisy
• Cons
• No dynamic control
• More likely to be detected
Controlled and Noisy
• Allows for both control and communication
• Allows for targeting and exploiting specific systems
• Frequently used for more sophisticated malware
• High-end botnets, spyware, backdoors
Controlled and Noisy
• Pros
• Can dynamically alter behavior
• Can gain information about infected systems
• Allows for most sophisticated behavior
Controlled and Noisy
• Cons
• Most likely to be detected
• Can be disrupted or destroyed by subversion of
communication mechanism
• Provides most chances for perpetrator to be caught
Detecting Malware
Warning signs at the network level
Detecting the Act of Infection
• Look for network packets which indicate an attack or
exploit
• Known bad packets
• Malformed packets
• Often requires deep packet inspection (NIDS such as Snort and
Bro)
Detecting Suspicious Traffic Types
• Probes on multiple ports from the same source (singleorigin port scanning)
• Can be frustrated or defeated by a distributed scan (likely via
botnet), use of proxies or anonymization services such as Tor,
cooldown periods
Detecting Suspicious Traffic Types
• Encrypted traffic on unusual ports
• Can be frustrated or defeated by tunneling through normally
encrypted ports such as 443 for HTTPS
Detecting Suspicious Traffic Types
• Requests for multiple IP addresses on the same LAN
from a single source
• Can be frustrated or defeated by a distributed scan (likely via
botnet) and/or use of proxies or anonymization services such
as Tor if done remotely, cooldown periods
Detecting Suspicious Traffic Types
• Requests with unusual strings and/or misspellings
• Browser type "MoZilla", "InertNet Esplorer"
• User-Agent: %^&NQvt
• Requests with unusual IP headers and/or flags
• <!--- malicious message --->
Detecting Suspicious Traffic Volume
• Observe the (networking) behavior of a suspect machine
• Look for large traffic spikes
• Look for strange traffic behavior
Detecting Suspicious Traffic Volume
• Large traffic spikes may indicate an attempt at a ‘fire
hose’ or ‘spray and pray’ method of infection
• Large traffic spikes may also indicate cooption of system
resources such as Bitcoin mining, click fraud, or
distributed cryptographic attacks
Detecting Suspicious Traffic Volume
• Strange behavior is more subtle
• Look for port scanning behavior
• Look for network communications while the system is
otherwise idle
• Look for network communications to a large number of
IP addresses in a relatively short time
• ESPECIALLY if the IP addresses are sequential
• Look for network communications using unusual
protocols
• IRC traffic when no IRC client is installed
Detecting Suspicious Traffic End
Points
• Blacklist approach
• Look for communication attempts with known bad IP
addresses
• Look for suspicious network requests
• A DNS lookup for “pwnz0rd-j00.l33t.net” is unlikely to be a
good thing
• A VPN connection being established FROM a workplace
(depending on the workplace)
• Unexpected P2P or Tor traffic
Reverse Engineering Networking
•
Given a malware binary, look for networking code
o
o
o
o
o
Check for common API calls
Identify how the malware puts networking requests together
Create an outline of the protocol and possible values placed
in the traffic
Identify how/if this differs from normal traffic
Write signatures based on the differences
Anti Techniques
•Anti-Disassembly
•Anti-Debugger
•Anti-Virtual Machine
•Goal: Make it too difficult for beginners or even
average malware analysts to handle
Anti-Disassembly
•Goal: Trick Disassemblers into showing incorrect
code
•Raises the bar for malware analysts
•Debugging assembly is difficult enough already
•Can make it too difficult for novice malware
analysts….
Types of Disassembly
•Linear Disassembly
• Disassemble one instruction at a time
• Do not look at type of instruction
•Flow-oriented Disassembly
• Look at instruction and disassemble based on program
flow
• Used by IDA Pro and other commercial products
Jump Tricks
•Fool Linear Disassembly with jump instructions
• Same target (jz and jnz)
• Constant condition (xor to zero and jz)
•Example
33 C0
xor
XOR
eax,eax
eax,
eax
74 01
jz
short near ptr loc+1
E9 58 C3junk
68 94
jmp near ptr 94A8D521h
58
Pop
eax
C3
retn
Impossible Disassembly
•Recall Assembly instructions are multiple byte
lengths depending on instruction
•Jump back a byte into an instruction already
disassembled and use it as part of another
instruction
•Screws over disassemblers
Impossible Disassembly cont.
EB FF
C0 48
FF CO INC EAX
JMP
???
-1
66 B8 EB 05
mov
ax, 5EBh
31 C0
xor
eax, eax
74 F9
jz
(-7)
E8 58 C3 90 90
call
near ptr 98A8D525h
48
DEC EAX
EB 05
jmp
58
Pop eax
C3
ret
5
Hiding Cross Referenced Code
•Graph view in IDA is nice but….
•It is easy to hide function calls made through
pointers
•C++ uses this extensively
•Be aware that function calls through pointers can get
lost!!!
Fun with Ret
•When a program returns, it pops the return
address from the stack and jumps execution
there
004011C0
var_4
= byte ptr -4
004011C0
call
$+5
004011C5
add [esp+4+var_4], 5
004011C9
ret
004011C9
sp-analysis failed
004011CA
Confused IDA Pro…..
Handling Exception Handlers
•Exception handling is common in C
•When an exception is thrown, handlers are
searched by looking through a linked list data
structure
•New exception handlers are added to the list by
appending to the end
•During an exception, each exception handler is
called in sequence pushing itself onto the stack
Stack Example
00401050
00401055
00401058
00401059
00401060
00401067
00401069
0040106B
00401070
00401071
mov
eax, (offset loc_40106B+1)
add
eax, 14h
push
eax
push
large dword ptr fs:0
mov
large fs:0, esp
xor
ecx, ecx
div
ecx
call
whatever
retn
IDA Panic Time ??????
Screwing up Automated Function Analysis
•Automated analysis of function parameters is
determined by looking at what variables are
accessed
00401543
sub
esp, 8
00401546
sub
esp, 4
00401549
cmp
esp, 1000h
0040154F
jl
short loc_401556
00401551
add
esp, 4
00401554
jmp
short loc_40155C
00401556
add
esp, 104h
0040155C
IDA confusion ensues…..
Anti-Disassembly
•Disassemblers are nice but not infallible
•We get to keep our jobs ☺
•Good malware analysts can recognize impossible
assembly and run through the code to figure out what
is going on
•IDA supports manually re-classifying code as well as
code replacement to “fix” problem areas
Anti-Debugging
•Goal is to cause malware to exit or skip important
behavior during debugging
•As a malware analyst, we need to find this code to
get to the fun parts
•Thus, we need to jump over and circumvent antidebugging techniques
Windows API Calls
•IsDebuggerPresent
•CheckRemoteDebuggerPresent
•NTQueryInformationProcess
•OutputDebugString
• Watch for fun calls to OutputDebugString
• OutputDebugString(“%s%s%s%s%s”)
•If these calls exist, the program is looking for an
attached debugger
Manual Checks for Debuggers
•Check the PEB
• Structure of this header is available on MSDN
• BeingDebuggedFlag: Set if process is being debugged
• ProcessHeap flag: Pointer to the first entry of the heap
for a program
• Contains a header with a flag telling the kernel if a debugger is
present
• Offset 0x10 in XP and 0x40 in Windows 7
Manual Checks cont.
•NTGlobalFlag
• Debuggers set different heap flags when running
programs
• Typically:
• Enable Tail Check
• Enable Free Check
• Validate parameters
• All allow the debugger to watch for heap errors
Manual Checks cont.
•Debuggers leave residue on the system:
•Check to see if the default debugger (DrWatson)
has been replaced in the registry
•Look for key:
KHLM\SOFTWARE\Microsoft\Windows\CurrentVersi
on\AeDebug
•Malware may also look for known Debug windows
with FindWindow
Looking for Debugger Behavior
•Malware can scan its own code in memory looking
for software breakpoints inserted by debuggers
• Int 3 (0xCC): Most common software breakpoint
•Or just calculate an MD5 checksum of the loaded
memory
• If it does not match, quit
Debugger Behavior cont.
•Timing Checks
• Debugged programs run slower especially if the analyst
is stepping through code
• Strategy: Perform system time check, run code, perform
another time check
• If time 2 is too much later than time 1, then quit
assuming a debugger
Debugger Behavior cont.
•Common ways to check system time:
• Rdtsc: Number of ticks since last reboot
• QueryPerformanceCounter:
• GetTickCount: Windows API time since last boot in
milliseconds
•Look for two calls to these functions along with a
compare
•Then jump over the compare to continue to the good
stuff
Messing with Debuggers
•Thread Local Storage
• Another cool place to hide code
• Supposed to be used to initialize thread specific storage
variables
• Of course can be used for anything and often skipped
by debuggers (debuggers break on the main code)
• Easy to find requires a separate .tls section in the PE
header
• If found force your debugger to load the code
Playing with Exceptions
•By default, debuggers break on exceptions to let the
programmer view what caused the error
•Timing detection works really well here since
debugger (almost) always stop execution
•When debugging, step back into the code’s
exception handlers to make sure they are clean
Inserting Breakpoints
•Debuggers use 0xCC to trigger a breakpoint
•Malware can insert these too!!!!
•Often this is used as 0xDC (valid instruction when
not debugging)
•When debugged, the debugger will pause at 0xCC
then set the SP to the next byte
•All subsequent code is then out of alignment
Invalid PE headers
•Debuggers are often more strict when reading PE
headers than the Windows loader
•Certain Size variables have a well known maximum
value that the Windows loader enforces
•Debuggers can take these at face value
• NumberOfRVAandSizes
• SizeOfRawData
Detecting Virtual Machines
•This is becoming less popular as virtual machines
become more popular
•In the beginning, most virtual machines were bad
targets because they were power users and malware
analysts
•Virtualization is now popular for everyday use
•Just because a system is running in a VM does not
mean it is not useful now!!!!
VMWare
•VMWare does not try to hide…..
•Drivers are named with well known names
•VMTools is commonly installed
• VMTools in program files
• VMTray
• System services
•Look for any string with VMWare to find these
checks
Virtualization Artifacts
•VMWare and others run the VM in an isolated
environment
•The software traps most CPU calls which request
hardware information through interrupts
•Unfortunately, some of these instructions do not
generate interrupts
•To virtualize these, every instruction would need to
be tested before they were run
Virtualization Artifacts cont
•This would be a huge performance hit!!!!
•Strategy is then:
• Query one of these functions
• Check through another method what the value is (Often
implemented in a virtualized fashion)
• If the values differ, then we are running in a VM
Vulnerable Instructions
•Sidt – Store interrupt descriptor table
•Sgdt – Store global descriptor table
•Sldt – Store local descriptor table
•Smsw – Store machine status word
•Str – Store task Register
•In (with second operand VX)
•cpuid
Circumvention
•These instructions will not normally be used in
programs
•Search for them in IDA and analyze…..