1 / 53

SEC511 Principles of Information Assurance and Security Lecture 9 Malware

King Fahd University of Petroleum & Minerals College of Computer Science & Engineering. SEC511 Principles of Information Assurance and Security Lecture 9 Malware. These slides are based on: Chapters: 1, 2 and 3, Computer Viruses and Malware, John Aycock. Outline. Malware Taxonomy

edris
Download Presentation

SEC511 Principles of Information Assurance and Security Lecture 9 Malware

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. King Fahd University of Petroleum & Minerals College of Computer Science & Engineering SEC511 Principles of Information Assurance and Security Lecture 9 Malware These slides are based on: Chapters: 1, 2 and 3, Computer Viruses and Malware, John Aycock

  2. Outline • Malware Taxonomy • Malware Infection • Malware Concealment

  3. Types of Malware • Logic Bomb • Trojan • Back Door • Virus • Worm • Spyware/Adware • Hybrid

  4. General Malware Characteristics • Self-replicating malware actively attempts to propagate by creating new copies of itself. • The population growth of malware describes the overall change in the number of malware instances due to self-replication. • Parasitic malware requires some other executable code in order to exist. • Such as : boot block code on a disk and binary code in applications

  5. Logic Bomb • A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious payload when a specified condition is met. • Self-replicating: no • Population growth: 0 • Parasitic: possibly • Consists of 2 parts • Payload --- action to be performed • Trigger --- event to execute payload legitimate code if (date is Saturday the 13th): Crash_computer() legitimate code

  6. Logic Bombs • Logic bombs are concise and unobtrusive (inside millions of lines of source code) • The mere threat of a logic bomb could be easily used to extort money from a company • Example: Shamoon

  7. Trojan Horse • A Trojan is a program that appears to perform a desirable function but secretly performs a malicious task. • Self-replicating: no • Population growth: 0 • Parasitic: yes • Name comes from ancient world • Pretends to be innocent, but it’s not • Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers. • Trojans account for more than 83% of all detected malware1. 1 BitDefender.com Malware and Spam Survey, 2009.

  8. Back Door • A mechanism which bypasses a normal security check and authentication. • Self-replicating: no • Population growth: 0 • Parasitic: possibly • Can be created by programmers for legitimate reasons (e.g. skipping a time-consuming authentication process). username = read_username() password = read_password() if (username is "133t h4ck0r“) return ALLOW_LOGIN if (username and password are valid) return ALLOW_LOGIN else return DENY_LOGIN

  9. Virus • A virus is a malware that, when executed, tries to replicate itself into other executable code. • Self-replicating: yes • Population growth: positive • Parasitic: yes • A virus relies in some way on other code. • Viruses can propagate within a single computer, or may travel from one computer to another using human-transported media (CD, USB, etc.) • Viruses do not propagate via network • Networks are the domain of Worms.

  10. Virus def virus(): infect() if trigger() is true: payload() def infect(): repeat k times: target = select_target() if no target: return infect_code(target)

  11. Worm • A Worm is a virus that spreads over network and does not rely on other code to execute (Standalone) • Self-replication: yes • Population growth: positive • Parasitic: no • Many worms are designed only to spread (even this can be harmful: consuming bandwidth) • A worm can be equipped with a malicious payload.

  12. Worm Target Selection: - E-mail address harvesting - Network share enumeration - Network scanning - Web searching Propagation Methods: - FTP - HTTP - SMB - TFTP Payload: - DOS - Data theft - Ransomware - Spam Initial Infection Vector: - B.O. Exploits - Network shares - Social Engineering - Weak passwords Scanning Engine: - Check targets for vulnerabilites - Scan for vulnerable services - OS Check - Version Checking

  13. Rootkit • Rootkits are Kernel Programs that have the ability to hide themselves and cover up traces of activities. • The two main goals for a rootkits are: • Conceal existence (Stealth) • Maintain Access • The latest generations of rootkits use their stealth abilities to help other malwares (Trojans, Spywares, etc.) to hide from users and anti-malware tools. • The teaming of malware with rootkits has caused rootkit developers to improve the quality and effectiveness of their stealth techniques dramatically.

  14. Spyware, Adware • Collects information from one computer and transmits it to someone else • Self-replicating: no • Population growth: 0 • Parasitic: no • Gathered information include: • Username/password, bank info, credit card info, software license info, etc. • May arrive on a machine: • Bundled with other software, exploit flaws in web-browsers (“drive-by download”), etc. • Adware is similar to Spyware but focused on marketing (advertisement, etc.).

  15. Hybrids, Droppers, etc. • The nature of software makes it easy to create hybrid malware which has characteristics belonging to several different types: • Trojan that acts like a virus, etc. • Dropper is malware that deposits other malware • Worm might leave behind a back door…

  16. Zombies • Compromised machines that can be used by an attacker • Spam • Denial of service (DoS) • Distributed denial of service (DDoS) • Today, usually part of a botnet

  17. Malware Cheat Sheet • Trojan Horse • Tricks user into executing malicious code. • Virus • When run by user, copies self into other files. • Worm • Copies self from computer to computer. • Backdoor • Leaves opening for attacker to gain access. • Rootkit • Hides attacker activities from system administrators.

  18. Outline • Malware Taxonomy • Malware Infection • Malware Concealment

  19. File Infection • OS views some files as executable • Like “exe” and similar • Files that can be run by a command-line "shell" also considered executable • Batch files, shell scripts, … • File infector --- infects executable file • Exe, shell code, consider executable • Binary executable is most common target

  20. File Infectors • Two main issues… • Where to put the virus within file? • How to execute the virus when infected file is run?

  21. Where to insert virus • Beginning of file • End of file • Overwrite file • Insert into code

  22. Beginning of File (Parasitic) • Older exe formats (e.g., .COM) treat entire file as chunk of code and data • Entire file loaded into memory • Execution starts by jumping to the beginning of the loaded file • Can put virus at start of such a file • That is, prepend the virus code

  23. End of File • Append a virus (even easier???) • Then how does virus get executed? • Some possibilities… • Replace first line(s) with a jump to viral code --- save overwritten code • Later, transfer control back to code • How to do this?

  24. End of File • How to transfer control back to code? • Run saved instructions in saved location • Restore the infected code back to its original state and run it • Many exe file formats specify start location in file header • If so, virus can change start location to point to its own code and jump to the original start location when done

  25. Appended Virus

  26. Overwritten into File • Virus places itself atop original code • Can avoid changes in file size • Easy for virus to get control • But… overwriting code will break the original code • Making virus easier to discover • Is it possible to overwrite without breaking the code?

  27. Overwrite into File • Smart ways to overwrite? • Overwrite repeated data • Save overwritten data (e.g. in a jpeg file) • Use over-allocated space in a file (Cavity) • Compress code to make space • For these to work, virus must be small

  28. Outline • Malware Taxonomy • Malware Infection • Malware Concealment

  29. Malware Concealment Strategies • Encryption • Packing • Oligomorphism • Polymorphism • Metamorphism • Strong Encryption • Stealth Infection • Data Fabrication • Multi-stage Dropping

  30. No Concealment • Do nothing to hide • This is easiest for virus writer… • …but also easiest to detect, analyze

  31. Encrypted Virus

  32. Encryption • How to encrypt? • Let me count the ways… • Simple encryption • Rotate, increment, negate, etc. • Static encryption key • E.g., XOR fixed byte to all bytes • Variable encryption key • Like static, but key changes

  33. Encryption (Continued) • Substitution cipher • Permute the bytes • Could be via lookup table • Could even have multiple ciphertexts decrypt to same plaintext • Strong encryption • DES, AES, RC4, etc. • Might use crypto libraries

  34. Encryption: Key Issues • Key embedded within the executable itself • Simple, but easy to find • Use camouflage to keep analyst busy for a period of time • Key changes at every infection • Encrypting different parts of the executable with different keys which are generated at runtime • Forensic Investigator will have a difficult time • The problem remains: the malware is carrying its decryption key inside!

  35. Strong Encryption: Key • Store key on the web • Malware retrieves the key from a website • Problem: website name inside the malware • Use of web search engine • Binary malware • The virus is in two parts. • Does not trigger only if both parts are present • One part would be a strongly encrypted code • The other part contains the key. • “Environmental” key generation • Key based on machine-specific info • Key derived at runtime

  36. Packers • A packer is like a cryptor, but instead of encrypting the binary, the packer compresses it. • One fundamental difference is that packers do not require a key ! this makes packers inherently less secure. • A commonly used packer is UPX.

  37. UPX Packer • UPX: the Ultimate Packer for eXecutables

  38. Packers • The most powerful part of using a packer is the malware never needs to hit the hard disk. Everything is run as in-process memory which can bypass most antivirus products.

  39. Oligomorphism • Oligomorphic (aka semi-polymorphic) malware is an encrypted code which uses a different decryption loop at every infection. • Decryption loop is morphed • But not too many different decryptors • For example • Whale had 30 different decryptors • Memorial had 96 decryptors

  40. Polymorphism • Like oligomorphic, but lots more decryptors • Essentially, an infinite number • For example • Tremor has almost 6 billion decryptors • So, AV software cannot have a signature for each decryptor • How to have that many decryption loops?

  41. Mutation Engine • Equivalent instruction substitution • One or more instructions • Instruction reordering • Register swap • Reorder data • Spaghetti code • Insert junk code • Run-time code modification/generation

  42. Mutation Engine • Subroutine permutation • DIY virtual machine • Concurrency --- threads • Inlining/outlining • “Threaded” code --- not threads • Jump directly from one subroutine to another, without returning • Many, many other possibilities

  43. Mutation Engine Example • All of these lines set register r1 to 0 clear r1 xor r1,r1 and 0,r1 mov 0,r1

  44. Mutation • Mutation also can be used for good • Makes reverse engineering attacks more difficult • Make software more “diverse” • Hence, Software protection techniques can be used to produce more armored malware !

  45. Metamorphism • Apply polymorphism to virus body • Aka, “body polymorphic” • No encryption/decryption • Body must change a lot • Goal is to have no common signature • Mutation code must be mutated too! • Otherwise, a signature will exist • Different from polymorphic (why?)

  46. Metamorphism • Metamorphics difficult to detect • Machine learning works well on hacker malware, but can be defeated • Metamorphics also difficult to write • Most “metamorphic” generators aren’t • Current state of the art? • “Undetectable” metamorphic viruses

  47. Metamorphism Example

  48. Malware Concealment Strategies • Encryption • Packing • Oligomorphism • Polymorphism • Metamorphism • Strong Encryption • Stealth Infection • Data Fabrication • Multi-stage Dropping Armoring

  49. The Argument against Armoring • If a malware is aromored, a forensic investigator can easily detect it. • Very few strings • Very few imports • High degree of entropy (Red Curtain tool) • However, a malware should remain low and slow! • Looking suspicious is bad because it indicates that a machine has been compromised.

  50. Stealth Infection • Tries to hide the infection • Not just hide the virus signature • Examples of stealth techniques • Change timestamp and/or other file info to pre-infection values • Intercept I/O calls to hide presence (in MS-DOS user-accessible interrupts) • Hijack secondary boot loader • In practice: using a rootkit (more on this later).

More Related