1 / 220

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code. COEN 252 / 152: Computer Forensics. Scanning. Wireless Scanners War driving: Finding Wireless Access Points Normal WLAN needs < 100 m to access point to function well. Good antenna can get a signals from miles away.

bisa
Download Presentation

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Malware:Scanners, Sniffers, Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics

  2. Scanning • Wireless Scanners • War driving: Finding Wireless Access Points • Normal WLAN needs < 100 m to access point to function well. • Good antenna can get a signals from miles away. • Omni-directional antenna make war driving easy. • Directional antenna yield better results. • Can build a good one out of a Pringles box.

  3. Scanning Home-made War Driving Antenna

  4. Scanning • War driving goal: • Locate WLANs • Determine Extended Service Set Identifier (ESSID) • Access points transmit beacon packets approximately every 100 msec.

  5. Scanning • Active Scanning: • Broadcast 802.11 probe packets with ESSID of “Any” • Implemented by netstumbler. • Or Windows XP SP 2. • Listening for Beacons • Put wireless card into the monitor mode. • AKA rfmon • Read all packages. • Implemented by Wellenreiter, Kismet, • Forcing Deauthentication • Some WLANs ignore probes with an ESSID of “any”. • First, get MAC address of access point. • Tool sends a wireless deauthenticate message to client with spoofed MAC of access point. • Clients now need to reassociate, revealing the ESSID.

  6. Scanning • Hardening • Set ESSID to something that does not contain the name of your organization. • Configure access points to ignore probe requests that don’t include the ESSID. • Use stronger authentication mechanism. • Do not rely on MAC address alone, since this can be spoofed. • Switch from WEP to WPA • Reset transmission power of access points.

  7. Scanning • War Dialing • Looking for modems by dialing all numbers of an organization. • Target are ill-configured modems. • Especially those connected to computers with remote control products such as VNC, psAnywhere, Mini Remote Control, Laplink Gold, …

  8. Scanning • Network Mapping (Assume that attackers have gained access to the target system.) • Sweeping: • Attempting to ping all possible addresses. • Port mapping: • Identify services listening on ports: • TCP Connect Scan • Tries to complete TCP threeway handshake. • TCP Syn Scan • Attacker sends Syn, but does not ack to the Syn-Ack response by the target. • (Many systems do not log these interrupted connection attempts.) • Could result into an accidental DOS attack, since target buffers these attempts waiting for completion. Attacker could send Reset instead of the final Ack to avoid this.

  9. Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP FIN • Attacker sends FIN packet. • Target supposed to send RESET packet, if port is closed. • Target does not send anything back if the port is open. • Xmas Tree Scan: • Attacker sends packets with URG, ACK, PSH, RST, SYN, and FIN flags. • Null Scan: • Attacker sends packet without any flags set. • Closed port sends RESET, listening port sends nothing.

  10. Scanning • Network Mapping • Port mapping: • Identify services listening on ports: • Protocol Violators: • TCP ACK Scan • “Firewall Friendly”: Stateless firewalls will only let TCP packages through with the ACK flag set. • If packet passes through the firewall, then the internal system answers with a RESET packet. • Response of target is somewhat OS dependent.

  11. Scanning • FTP Bounce Scans: • Goal: Source IP address does not show up in target logs. • Exploits old FTP option (sometimes available with printers that support FTP): • FTP server allows a user to connect to them and requests that the server send a file to another system. • Attacker requests that a file is sent to every port on the target. • If the target port is open, then the FTP server tells the attacker that it opened the connection, but could not communicate. • If the target port is closed, then the FTP server tells the attacker that it could not communicate with the target.

  12. Scanning • Idle Scanning • IP header includes a field “IP Identification”. • Bunches together a bunch of fragments. • Windows increases IP ID by one whenever it needs a new number. • Attacker first identifies a system that is being blamed. • Attacker then determines the current IP ID at the blamed system. • Attacker then sends fake message purporting to be from the blamed system to the target. • Target will increment IP ID number at the blamed system if it sends a reset. • Attacker determines whether the IP ID number has increased.

  13. Scanning target SYN scapegoat

  14. Scanning ACK IP-ID = 5

  15. Scanning SYN to TCP port 12345

  16. Scanning SYN-ACK from Port 12345

  17. Scanning Port open: Reset, IP-ID = 6

  18. Scanning SYN

  19. Scanning SYN-ACK IP-ID = 7

  20. Scanning Aha: Target must have sent a reset attack.

  21. Virus: The Principle • Virus attaches itself to a host that can execute instructions contained in the virus. • When the host is invoked, the virus copies itself to other locations on the system.

  22. Executables • Companion Infection Technique • OS will call the virus when the user requests the companion file. • Windows: • Virus is Notepad.com to hide as Notepad.exe. • Set the hidden attribute to prevent the virus from being seen. • Launch the true notebook.exe file from the virus. • If the user selects Start  Run and types in notebook, then windows starts the virus (notebook.com instead of notebook.exe)

  23. Executables • Companion Infection Technique • Windows: • Virus renames Notepad.exe to Notepad.ex_ and hides it. • Virus takes the place of Notepad.exe. • Works with shortcuts. • Used in the Trilisa virus / worm (2002)

  24. Executables • Companion Infection Technique • Virus uses alternate data stream feature of NTFS: • Streams look like one file in explorer and directory listings. • System activates the default stream, the virus. • Virus calls alternate stream. • Win2KStream Virus (2000)

  25. Executables • Overwriting Techniques • Virus replaces part of an executable. • Usually the executable looses functionality. • Users will know that there is something wrong. • Prepending Techniques • Virus placed in front of executable. • After virus executes, host program is called. • Very easy for .com files. • Easy to clean files. • Bliss virus had a disinfect mode built into it. • Used by the NIMDA worm.

  26. Executables • Appending Infection Technique • Insert itself at the end of host file. • Add a jump at the beginning of host file. • Stealth Techniques for Prepending and Appending: • Compress host. • When virus calls hosts, host is uncompressed into RAM. • Fill up total package (virus, compressed host) to same size as original host. • Change filler so that checksum is not changed.

  27. Boot Sector Modification • Target Master Boot Record or Partition Boot Sector. • Michelangelo Virus (1991). • Replaced MBR boot strap to elsewhere on disk. • First the virus loads itself into memory, then it passes control to the original MBR boot sector. • Places itself into all boot sector of all floppies. • Memory-resident copy of the virus is attached to low-level BIOS drivers. • Gets called when these are executed. • Can no longer spread under WinNT, Win2K, WinXP, only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.

  28. Boot Sector Modification • Michelangelo Virus (1991). Bios initializes hardware and starts drivers. MBR executes and reads partition table. PBS locates OS start files.

  29. Infection of Document Files • Many software use Macros: • MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, … • WinOffice runs code in subroutines • Document_Open() • Document_Close() • AutoExec() • …. • These subroutines are executed with every document.

  30. Infection of Document Files • Melissa (1999): • Resides in Document_Open() • Copies itself into the Normal.dot file. • Normal.dot is processed whenever MS Office starts up. • Melissa changed the Document_Close() routine. http://www.cert.org/advisories/CA-1999-04.html

  31. Infection of Document Files • Excel Version: • Virus infects Personal.xls • This file can contains macros and is used whenever excel runs. • Laroux (1996) used auto_open() subroutine to execute whenever an excel file was opened.

  32. Infection of Document Files • Frequent macro targets in MS Office: • AutoExec() • AutoClose() • AutoOpen() • AutoNew() • AutoExit() • FileClose() • FileOpen() • FileNew()

  33. Other Targets • Source Code • Scripts • Visual Basic Scripts (.vbs) used by OS: • Startup.vbs • Exec.vbs • Shell scripts, Perl scripts • Java Class Files • Platform independent viruses

  34. Propagation Techniques • Removable Storage • Boot sector viruses, executable viruses • Yamaha’s CD-R drive firmware update contained the Chernobyl virus. • Email attachments • Shared directories • Windows file sharing via Server Message Block (SMB) protocol. • Network File System shares • P2P services such as Gnutella or Morpheus

  35. Anti-Virus Defense • Antivirus software on gateways: • User workstations • File servers • Mail servers • Application servers • Border firewalls • Handhelds.

  36. Anti-Virus Defense • Virus signatures • Looks for small patterns indicative of a known virus. • Polymorphic viruses • Heuristics • Looks for programs with bad behavior: • Attempts to access the boot sector • Attempts to locate all files in a directory • Attempts to write to an exe file • Attempts to delete hard drive contents • …

  37. Anti-Virus Defense • Integrity Verification • Generate database of hashes of important files. • Recalculate these hashes and compare them to known values. • Configuration Hardening • Least privilege • Minimize active components. • Set warnings (e.g. against macros) • User education

  38. Anti-Anti-Virus Defense • Stealthing • Hide virus files. • Intercept scanning of infected files. • Slow rate of infection. • … • Polymorphism and Metamorphism • Change order of instructions in virus code • Use equivalent code (increment = subtracting with -1) • Encryption of most of the virus body. • Slightly change functionality of virus as it spreads.

  39. Anti-Anti-Virus Defense • Antivirus software deactivation • Kill processes known to be antivirus processes. • Disable internet access to antivirus vendor’s pages. • Change security settings (e.g. allow Word macros to run)

  40. Worms Worms: • Propagates across a network • Typically, does not require user action for propagation. Virus: • Infects files. • Typically requires user interaction.

  41. Worms Worm Components • Warhead • Propagation Engine • Target Selection Algorithm • Scanning Engine • Payload

  42. Worm Warhead • A piece of code that exploits a vulnerability on the target system • Exploits such as Buffer Overflow Exploits • File Sharing Attacks • E-mail • Common Mis-configurations

  43. Worm Propagation Engine • After gaining access, the worm must transfer itself to the target machine. • Some worms are completely contained in the warhead. • File Transfer Mechanisms • FTP • TFTP • HTTP • SMB (MS Server Message Block) • Windows file sharing • Unix servers running SAMBA

  44. Worm Target Selection Algorithm • Once the worm has gained control of a target, it starts looking for new targets. • E-mail addresses • Host lists • Trusted Systems • Network Neighborhood • DNS queries • Randomly selected ip address.

  45. Worm Scanning Engine • Once targets are identified, the worm scans for the original vulnerability.

  46. Worm Payload • Some specific action done on behalf of the attacker. • Opening up a backdoor. • Planting a distributed denial of service attack. • Performing complex calculations: • password cracking • math research (actually happened)

  47. Worm Spread • Worm spread is limited • Diversity of machines • “Tiny Worm” • targeted only machines running security software from a medium company • was successful in infecting most machines with that software. • Worms can contain support for multiple entry methods. • Too many victims crash • Fast worms can cause network congestion

  48. Worm Trends • Multiplatform worms • Multiexploit worms • Zero-day exploit worms • No chance to patch • Fast-spreading worms: Warhol / Flash • pre-scan targets • Polymorphic worms • Change appearance • Metamorphic worms • Change functionality

  49. Worm Defenses • Ethical (?) Worms • Antivirus tools • Fast patching services • Firewalling • Block arbitrarily outbound connections • Prevents spreading • Establishment of Incident Response Capabilities

  50. Sniffers • Sniffers: a program that gathers traffic from the local network. • Primary attack example: • Sniffers look for authentication information from clear-text protocols such as ftp or telnet. • Passive Sniffing: • Sniffer only gathers packets but does not change the network. • Active Sniffing: • Sniffer changes network settings. • Example: ARP poisoning in order to route traffic through the machine with the sniffer.

More Related