Malware
Ge Zhang
Karlstad University
Focus
• What malware is
• Types of malware
• How do they infect hosts
• How do they propagate
• How do they hide
• How to detect them
What is malware?
• Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
What is it good for?
• Steal personal information
• Steal valuable data
• Destroy data
• Denial of Service
• Use your computer as a relay
Viruses
• A malicious piece of code that spreads itself from file to file
• A virus needs a host file
• Requires user interaction
– Like opening a file
• Different types of viruses
– Program viruses
– Boot viruses
– Macro viruses
[Figure: an infected file carrying the virus as its payload]
Worms
• A malicious piece of code that spreads itself from computer to computer by exploiting vulnerabilities
– A worm needs no host file
– Spreads without user interaction
• Can spread via
– e-mail attachments
– LAN or Internet
• 2nd generation of worms automatically search for vulnerable computers and infect them
– The whole Internet can be infected in less than 20 minutes
Malicious Scripts
• Malicious scripts written in JavaScript, VBScript, ActiveX, Flash, etc.
• Can be hidden in e-mails or websites
– Flash banners and included JavaScript files
– Cross Site Scripting (XSS)
– Cookie stealing
Trojans
• “Trojan Horse”
• Programs with hidden malicious functionality
• Appear to be screen savers, games, or other “useful” programs
– “There’s an app for that!”
• iPhone and Android apps
Backdoors & Rootkits
• A secret entry point into a program/system that allows someone aware of the trap door to gain access without going through the usual security access procedures
• Backdoors
– Usually left by programmers for debugging and testing purposes, intentionally or unintentionally
• Rootkits
– Usually installed by an attacker after having gained root/administrator access
– Modifies the entire system and avoids detection
Logic Bombs
• Malicious code programmed to be activated on a specific date, time or under specific circumstances
• The action can be anything from formatting the hard drive to displaying a silly message on the user’s screen
• Often combined with a virus/worm (e.g., Chernobyl virus)
Blended Threats
• Advanced malicious software that combines the characteristics of viruses, worms, trojans and malicious scripts is sometimes called a “Blended Threat”
– It’s hard to know where to draw the line
• Exploits one or many vulnerabilities in programs or the operating system
*Mick Douglas, PaulDotCom Podcast https://twitter.com/#!/haxorthematrix/statuses/2421087772
Viruses
• 4 phases:
– Dormant phase: It is idle, waiting for some event
– Triggering phase: activated to perform some intended
actions
– Propagation phase: Copy itself into other programs
– Execution phase: execute the payload
DOS boot sequence
• ROM BIOS: locates the master boot sector
• Master boot sector: partition table
• DOS boot sector: executable code and FAT
[Figure: boot chain ROM → master boot sector → DOS boot sector → IO.SYS, MSDOS.SYS, CONFIG.SYS, COMMAND.COM, AUTOEXEC.BAT]
DOS bootstrap virus
• A bootstrap virus resides in one of the boot sectors
• Becomes active before DOS is operational
• Example: Stoned virus
[Figure: clean disk: master boot sector → boot sector → load system; infected disk: master boot sector → virus sector → boot sector → load system]
How does a bootstrap virus take control?
• Normal boot
– Load master boot sector
– DOS boot sector runs
– Load IO.SYS and MSDOS.SYS
– DOS loaded
• Infection
– Boot virus loads into memory
– Virus learns the location of the DOS boot sector
– Moves the DOS boot sector to a new location
– Writes itself to the original location
• Infected boot
– Load master boot sector
– Virus boot sector runs
– Virus goes memory resident
– Runs the original DOS boot sector and loads DOS
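The boot-sector attack above replaces the code in the master boot sector and relocates the original. As an added example, not from the lecture, the following Python decodes a 512-byte master boot sector (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55 0xAA signature at bytes 510 and 511) and applies the checks a defender would run: signature present, boot code hashing to a known-good baseline, exactly one active partition. The sectors, the stub bytes and the baseline are constructed inline for the demonstration.

```python
"""Added example (not from the lecture): sanity-check a master boot sector.

A bootstrap virus replaces the boot code in the master boot sector (or the
DOS boot sector) and relocates the original. Two cheap defender checks:
the sector must end with the 0x55 0xAA boot signature, and the 446 bytes of
boot code should hash to a known-good baseline. The partition table at
offset 446 is decoded so a changed "active" flag or start sector stands out.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446               # bootstrap code area
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


def parse_partition_entry(entry):
    """Decode one 16-byte MBR partition entry into a dict."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Return the boot-code hash, partition table and signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    table = sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64]
    parts = [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)]
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector, baseline_code_sha256):
    """List the findings a defender cares about (empty list = clean)."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(code):
    """Construct a 512-byte sector: given boot code, one active partition, signature."""
    code = code.ljust(CODE_SIZE, b"\x00")[:CODE_SIZE]
    # Constructed entry: active, type 0x06 (FAT16), starting at LBA 63, 20480 sectors.
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 20480)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed sectors: a "clean" one and one whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")  # constructed stub bytes
BASELINE = hashlib.sha256(CLEAN_MBR[:CODE_SIZE]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"replacement stub (constructed)")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline hash is the interesting part: since legitimate boot code changes only when the OS or a disk tool rewrites it, any drift in the first 446 bytes is worth investigating, which is exactly the integrity-checking idea the later "Malware defenses" slides describe for program files.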
Karlstad University
Parasitic virus
• Overwriting virus
• Appending virus
[Figure: overwriting virus: header, virus code, then what’s left of the original program; appending virus: header, original program file, then the virus code]
Companion virus
• Does not need to modify the original files
• Creates a new file with a specific name
[Figure: DOS executes “filename” by trying 1. Filename.com, 2. Filename.exe, 3. Filename.bat in that order]
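The companion trick relies on the DOS lookup order for a bare command name (.COM before .EXE before .BAT). As an added example, not from the lecture, the following Python audits a directory listing for stems that exist under more than one executable extension and reports which file DOS would actually run; the listing is constructed inline and the function names are this example's own.

```python
"""Added example (not from the lecture): flag companion-virus candidates.

DOS resolves a bare command name by extension precedence: .COM, then .EXE,
then .BAT. A companion virus drops FILENAME.COM next to a legitimate
FILENAME.EXE so the .COM runs first. A defender can audit a directory for
stems that exist with more than one executable extension.
"""
from collections import defaultdict
from pathlib import PurePath

# DOS lookup order for a bare command name (lower index wins).
DOS_PRECEDENCE = (".com", ".exe", ".bat")


def resolve_dos_command(stem, names):
    """Return the filename DOS would execute for `stem`, or None."""
    lower = {n.lower(): n for n in names}
    for ext in DOS_PRECEDENCE:
        candidate = stem.lower() + ext
        if candidate in lower:
            return lower[candidate]
    return None


def find_companion_candidates(names):
    """Group executables by stem; return stems with more than one executable
    extension, together with the file DOS runs and the files it shadows."""
    by_stem = defaultdict(list)
    for n in names:
        p = PurePath(n)
        if p.suffix.lower() in DOS_PRECEDENCE:
            by_stem[p.stem.lower()].append(n)
    findings = {}
    for stem, files in by_stem.items():
        if len(files) > 1:
            winner = resolve_dos_command(stem, files)
            findings[stem] = (winner, sorted(f for f in files if f != winner))
    return findings


# Constructed directory listing for the demonstration.
SAMPLE_LISTING = ["EDIT.EXE", "EDIT.COM", "FORMAT.COM", "GAME.EXE", "GAME.BAT", "README.TXT"]

if __name__ == "__main__":
    for stem, (runs, shadowed) in find_companion_candidates(SAMPLE_LISTING).items():
        print(f"{stem}: DOS runs {runs}, shadowing {shadowed}")
```

A stem with both a .COM and an .EXE is not proof of infection (some legitimate tools shipped both), so the output is a review list rather than a verdict; combining it with the file-length and checksum records from the "Malware defenses" slides tells you whether the .COM is new.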
Lifecycle of a virus
• A virus gets created and released
• The virus infects several machines
• Samples are sent to anti-virus companies
• They record a signature from the virus
• The companies include the new signature in their database
• Their scanner can now detect the virus
Virus hiding mechanisms
• Encrypt the virus code with randomly generated keys
• What happens if the boot area is encrypted?
[Figure: before: header, virus program and host file (plaintext); after: header, decrypt routine, encrypted body (#$%&^!#%@SF{)]
Virus hiding mechanisms (2)
• Polymorphism: randomly changes the encryption/decryption portion of a virus
– Change the key each time the virus starts
– Change the range of plaintext
– Change the location of the encryption subroutine
• Countermeasure: scan in RAM (after self-decrypting)
Virus hiding mechanisms (3)
• Entry point changes
• Random execution (JMP)
[Figure: layouts of the program file: original (header, original program file); with the virus code inserted between program parts (1) and (2), reached through a changed entry point in the header or a JMP]
Macro viruses
• Macro: an executable program embedded in a document to automate repetitive tasks (saves keystrokes)
• Application-dependent, e.g., MS Office
• Cross-platform: not tied to one OS
• Why do virus writers like macro viruses?
– Easy to learn
– Easy to write
– Popularity of MS Office
How a macro virus works
• Every Word document is based on a template
• When an existing or new document is opened, the template settings are applied first
• A global template: NORMAL.DOT
[Figure: infected document opened → macros loaded into memory → auto macro executed → macros copy themselves to the global template → new documents infected]
Worm
• Worm: self-replicates over networks, but does not infect programs and files
• Example: Morris worm, Blaster worm
The structure of worms
• Target locator (find the target)
– Email address collector
– IP/port scanner
• Warhead
– Break into remote machines
• Propagation
– Automatically sending emails
– Automatically attacking remote hosts
• Remote control and update
– Download updates from a web server
– Join an IRC channel
• Lifecycle management
– Commit suicide (self-removal)
– Avoid repeatedly infecting the same host
• Payload
State of Worm Technology
• Multiplatform: Windows, Unix, Mac, …
• Multi-exploit: web server, browser, email, …
• Ultrafast spreading: host/port scanning
• Polymorphic: each copy has new code generated by equivalent instructions and encryption techniques
• Metamorphic: different behavior patterns
• Transport vehicles for the payloads (spread attacking tools and zombies)
• Zero-day exploit: self-updated
Discussion
• Is it a good idea to spread worms with system patches?
Trojan
• A program with hidden side-effects that are not
specified in the program documentation and are not
intended by the user executing the program
What a trojan can do
• Remote administration trojans: attackers get complete control of a PC
• Backdoor: steal data and files
• Distributed attacks: zombie network
• Password stealers: capture stored passwords
• Audio, video capturing: control devices
• Keyloggers: capture passwords as they are typed
• Adware: popup advertisements
• Logic bomb: only executed when a specific trigger condition is met
Be familiar with your PC
• Startup programs/services
• Frequently used IP ports
– 20/21 FTP
– 23 Telnet
– 25 SMTP
– 80 WWW
• netstat
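Knowing which ports your machine normally has open is only useful if you compare the current state against that expectation. As an added example, not from the lecture, the following Python parses `netstat -an`-style lines (the classic "Proto, Local Address, Foreign Address, State" column layout is assumed) and flags listeners that are not on an allowlist seeded with the ports from the slide, plus any established outbound sessions worth reviewing. The netstat output is constructed, not captured from a real host.

```python
"""Added example (not from the lecture): audit listening ports from netstat output.

Parses `netstat -an`-style lines (classic "Proto Local Address Foreign
Address State" layout assumed) and flags listeners that are not in an
expected-service allowlist. All sample output is constructed.
"""

# Ports the lecture lists as commonly used; extend with your own baseline.
EXPECTED_PORTS = {20: "FTP data", 21: "FTP", 23: "Telnet", 25: "SMTP", 80: "WWW"}

# Constructed netstat -an style output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
TCP    192.168.1.10:49152     203.0.113.5:6667       ESTABLISHED
UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) per data line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # skip the header and blank lines
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""   # UDP lines have no state
        ip, _, port = local.rpartition(":")            # works for IPv6 too
        rows.append((proto, ip, int(port), foreign, state))
    return rows


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Return (proto, port) for listening TCP ports and UDP binds not in the allowlist."""
    findings = []
    for proto, ip, port, foreign, state in parse_netstat(text):
        listening = (proto == "TCP" and state == "LISTENING") or proto == "UDP"
        if listening and port not in expected:
            findings.append((proto, port))
    return findings


def established_peers(text):
    """Return (local_port, foreign address) for established connections, so an
    outbound session to, say, an IRC-style port can be reviewed by hand."""
    return [(port, foreign) for proto, ip, port, foreign, state in parse_netstat(text)
            if state == "ESTABLISHED"]


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto}/{port}")
    for port, peer in established_peers(SAMPLE_NETSTAT):
        print(f"established: local {port} -> {peer}")
```

The allowlist approach catches a trojan that opens a new listening port, but not one that only makes outbound connections, which is why the established-connection list is printed as well: a desktop holding a session to an IRC port it has no reason to use fits the "remote control and update" behaviour described on the worm-structure slide.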
Malware Payloads
• No payload
• Payload without damage
– Only display some information
• Payload with little impact
– Modify documents (wazzu virus)
• Payload with heavy impact
– Remove files, format storage
– Encrypting data (blackmail)
– Destroy hardware (W95.CIH): rewrite flash bios
• DDoS attacks
• Steal data for profit
Malware naming
• CARO (Computer Antivirus Researchers Organization)
• CARO naming convention (1991)
• <family_name>.<group_name>.<infective_length>.<variant>.<modifier>
– e.g., cascade.1701.A
• Platform prefix
– win32.nimda.A@mm
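As an added example, not from the lecture or from CARO itself, the following Python parses names written in the convention on the slide. Real names omit fields, so every component after the family is treated as optional and classified by shape: a purely numeric token is the infective length, a one- or two-letter token is the variant, a leading token from a small (assumed) platform list is the platform prefix, and an `@mm`-style tail is kept as a suffix.

```python
"""Added example (not from the lecture): parse CARO-style malware names.

Slide convention:
  [platform.]<family_name>.<group_name>.<infective_length>.<variant>.<modifier>
with an optional "@mm"-style suffix (mass mailer). Fields are optional in
practice, so tokens after the family are classified by shape.
"""
import re

# Assumed platform prefixes for the demonstration; extend as needed.
KNOWN_PLATFORMS = {"win32", "w32", "w95", "w97m", "wm", "x97m", "linux", "osx"}
SUFFIX_RE = re.compile(r"@(\w+)$")  # e.g. "@mm" = mass mailer


def parse_caro_name(name):
    """Return a dict with platform, family, group, infective_length, variant,
    modifier and suffix; unknown fields are None."""
    result = {"platform": None, "family": None, "group": None,
              "infective_length": None, "variant": None,
              "modifier": None, "suffix": None}
    m = SUFFIX_RE.search(name)
    if m:
        result["suffix"] = m.group(1).lower()
        name = name[:m.start()]
    parts = [p for p in name.strip(".").split(".") if p]
    if parts and parts[0].lower() in KNOWN_PLATFORMS:
        result["platform"] = parts.pop(0).lower()
    if not parts:
        raise ValueError("CARO name needs at least a family name")
    result["family"] = parts.pop(0).lower()
    for token in parts:
        if token.isdigit() and result["infective_length"] is None:
            result["infective_length"] = int(token)          # e.g. 1701
        elif re.fullmatch(r"[A-Za-z]{1,2}", token) and result["variant"] is None:
            result["variant"] = token.upper()                # e.g. A
        elif result["variant"] is None and result["group"] is None:
            result["group"] = token.lower()                  # before the variant
        else:
            result["modifier"] = token.lower()               # after the variant
    return result


if __name__ == "__main__":
    for n in ("cascade.1701.A", "win32.nimda.A@mm"):
        print(n, "->", parse_caro_name(n))
```

Normalising names this way is what lets a defender match detections from different vendors, which rarely agree on capitalisation or on which optional fields they include.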
Malware defenses (1)
• Detection: once the infection has occurred, determine that it
has occurred and locate the virus
• Identification: once detection has been achieved, identify
the specific virus that has infected a program
• Removal: once the specific virus has been identified,
remove the virus from the infected program and restore it to
its original state
Malware defenses (2)
• The first generation scanner
– Virus signature (bit pattern)
– Maintains a record of the length of programs
• The second generation scanner
– Looks for fragments of code (ignoring irrelevant code)
– Checksum of files (integrity checking)
• Virus-specific detection algorithm
– Deciphering (W95.Mad, XOR encrypting)
– Filtering
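The first two scanner generations and the "deciphering" algorithm above, together with the encryption trick from the "Virus hiding mechanisms" slides, are small enough to show in one toy scanner. As an added example, not from the lecture or any anti-virus product, the following Python matches a fixed byte signature (first generation), keeps a per-file length record and checksum (first and second generation integrity checking), and shows why a body encrypted with a single-byte XOR key hides the signature from a plain scan while trying all 256 keys recovers it. The sample "program", signature database and key are constructed for the demonstration.

```python
"""Added example (not from the lecture): a toy file scanner showing the
generations of defence on the slides, plus the XOR "deciphering" trick.

  1st generation: match a fixed byte pattern (signature); record each
                  program's length so unexpected growth is noticed.
  2nd generation: keep a checksum per file (integrity checking).
  deciphering:    a body encrypted with a single-byte XOR key hides the
                  signature from a plain scan; trying all 256 keys (or
                  scanning after the code has decrypted itself in RAM)
                  reveals it.

All files, signatures and keys below are constructed for the demonstration.
"""
import hashlib

# Constructed signature database: family name -> byte pattern.
SIGNATURES = {"Demo.Sample.A": b"DEMO-SIGNATURE-A"}


def scan_signatures(data, signatures=SIGNATURES):
    """1st generation: return the names whose pattern occurs in `data`."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def decipher_and_scan(data, signatures=SIGNATURES):
    """Deciphering: try every single-byte key and scan the result.
    Returns {key: [names]} for the keys under which a signature appears."""
    hits = {}
    for key in range(256):
        found = scan_signatures(xor_bytes(data, key), signatures)
        if found:
            hits[key] = found
    return hits


class IntegrityDB:
    """Baseline of (length, sha256) per file: the 1st-generation length
    record plus the 2nd-generation checksum. `verify` reports what changed."""

    def __init__(self):
        self.records = {}

    def baseline(self, name, data):
        self.records[name] = (len(data), hashlib.sha256(data).hexdigest())

    def verify(self, name, data):
        if name not in self.records:
            return ["no baseline"]
        old_len, old_hash = self.records[name]
        findings = []
        if len(data) != old_len:
            findings.append(f"length changed {old_len} -> {len(data)}")
        if hashlib.sha256(data).hexdigest() != old_hash:
            findings.append("checksum mismatch")
        return findings


# Constructed "program" plus an appended body, XOR-encrypted with key 0x5A,
# that carries the signature in encrypted form.
CLEAN_PROGRAM = b"MZ" + b"\x00" * 30 + b"hello from a harmless program"
ENCRYPTED_BODY = xor_bytes(b"DEMO-SIGNATURE-A padding", 0x5A)
INFECTED_PROGRAM = CLEAN_PROGRAM + ENCRYPTED_BODY


def demo():
    """Run all three checks against the constructed infected program."""
    db = IntegrityDB()
    db.baseline("prog.exe", CLEAN_PROGRAM)
    return {
        "plain_scan": scan_signatures(INFECTED_PROGRAM),     # [] : signature hidden
        "deciphered": decipher_and_scan(INFECTED_PROGRAM),   # {0x5A: ['Demo.Sample.A']}
        "integrity": db.verify("prog.exe", INFECTED_PROGRAM),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The integrity check finds the change without knowing anything about the virus, which is its strength against new or polymorphic code; the signature checks identify which family it is, which is what the "Identification" step on the previous slide needs. A virus that changes its key on every infection (the polymorphism slide) defeats a fixed signature on the encrypted body but not the 256-key search or a scan of the decrypted image in memory.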
Malware defenses (3)
• The third generation scanner
– Identify a virus by its actions
• The fourth generation scanner
– Include a variety of anti-virus techniques
• Collection method
– Using honeypots
Malware in Mobile Phones
• Mobile phones are computers with great connectivity
– Internet
– WLAN
– Bluetooth
– Regular phone network (SMS, MMS)
– RFID
In the future…
• New spreading methods: e.g., RFID
Questions?