WIXLIB

Malware:Malicious Software10/21/2010Malware1Viruses, Worms, Trojans, Rootkits Malware can be classified into several categories, dependingon propagation and concealment Propagation– Virus: human-assisted propagation (e.g., open email attachment)– Worm: automatic propagation without human assistance Concealment– Rootkit: modifies operating system to hide its existence– Trojan: provides desirable functionality but hides malicious operation Various types of payloads, ranging from annoyance to crime10/21/2010Malware2

Insider Attacks An insider attack is a security breach that iscaused or facilitated by someone who is a partof the very organization that controls or buildsthe asset that should be protected. In the case of malware, an insider attack refersto a security hole that is created in a softwaresystem by one of its programmers.10/21/2010Malware3Backdoors A backdoor, which is also sometimes called atrapdoor, is a hidden feature or command in aprogram that allows a user to perform actions heor she would not normally be allowed to do. When used in a normal way, this programperforms completely as expected and advertised. But if the hidden feature is activated, the programdoes something unexpected, often in violation ofsecurity policies, such as performing a privilegeescalation. Benign example: Easter Eggs in DVDs and software10/21/2010Malware4

Logic Bombs A logic bomb is a program that performs a malicious action asa result of a certain logic condition. The classic example of a logic bomb is a programmer codingup the software for the payroll system who puts in code thatmakes the program crash should it ever process twoconsecutive payrolls without paying him. Another classic example combines a logic bomb with abackdoor, where a programmer puts in a logic bomb that willcrash the program on a certain date.10/21/2010Malware5The Omega Engineering Logic Bomb An example of a logic bomb that was actuallytriggered and caused damage is one thatprogrammer Tim Lloyd was convicted of usingon his former employer, Omega EngineeringCorporation. On July 31, 1996, a logic bombwas triggered on the server for OmegaEngineering’s manufacturing operations,which ultimately cost the company millions ofdollars in damages and led to it laying offmany of its employees.10/21/2010Malware6

The Omega Bomb Code The Logic Behind the Omega Engineering Time Bomb included thefollowing strings: 7/30/96– Event that triggered the bomb F:– Focused attention to volume F, which had critical files F:\LOGIN\LOGIN 12345– Login a fictitious user, 12345 (the back door) CD \PUBLIC– Moves to the public folder of programs FIX.EXE /Y F:\*.*– Run a program, called FIX, which actually deletes everything PURGE F:\/ALL– Prevent recovery of the deleted files10/21/2010Malware7Defenses against Insider Attacks Avoid single points of failure.Use code walk-throughs.Use archiving and reporting tools.Limit authority and permissions.Physically secure critical systems.Monitor employee behavior.Control software installations.10/21/2010Malware8

Computer Viruses A computer virus is computer code that canreplicate itself by modifying other files orprograms to insert code that is capable of furtherreplication. This self-replication property is whatdistinguishes computer viruses from other kindsof malware, such as logic bombs. Another distinguishing property of a virus is thatreplication requires some type of user assistance,such as clicking on an email attachment orsharing a USB drive.10/21/2010Malware9Biological Analogy Computer viruses share some properties withBiological virusesPenetrationAttackReplication and assembly10/21/2010MalwareRelease10

Early Historyz 1972 sci-fi novel “When HARLIE Was One” features aprogram called VIRUS that reproduces itselfz First academic use of term virus by PhD student FredCohen in 1984, who credits advisor Len Adleman withcoining itz In 1982, high-school student Rich Skrenta wrote firstvirus released in the wild: Elk Cloner, a boot sectorvirusz (c)Brain, by Basit and Amjood Farooq Alvi in 1986,credited with being the first virus to infect PCs10/21/2010Malware11Virus Phases Dormant phase. During this phase, the virus just exists—the virus is laying low and avoiding detection. Propagation phase. During this phase, the virus isreplicating itself, infecting new files on new systems. Triggering phase. In this phase, some logical conditioncauses the virus to move from a dormant or propagationphase to perform its intended action. Action phase. In this phase, the virus performs themalicious action that it was designed to perform, calledpayload.– This action could include something seemingly innocent, likedisplaying a silly picture on a computer’s screen, or somethingquite malicious, such as deleting all essential files on the harddrive.10/21/2010Malware12

Infection Typesoriginal code Overwriting– Destroys original code Pre-pendingvirus– Keeps original code, possiblycompressed Infection of libraries– Allows virus to be memoryresident– E.g., kernel32.dllcompressed Macro viruses– Infects MS Office documents– Often installs in maindocument template10/21/2010Malware13Degrees of Complication Viruses have various degrees of complication in howthey can insert themselves in computer code.10/21/2010Malware14

Concealment Encrypted virus– Decryption engine encrypted body– Randomly generate encryption key– Detection looks for decryption engine Polymorphic virus– Encrypted virus with random variations of the decryption engine (e.g.,padding code)– Detection using CPU emulator Metamorphic virus– Different virus bodies– Approaches include code permutation and instruction replacement– Challenging to detect10/21/2010Malware15Computer Worms A computer worm is a malware program that spreadscopies of itself without the need to inject itself in otherprograms, and usually without human interaction. Thus, computer worms are technically not computerviruses (since they don’t infect other programs), butsome people nevertheless confuse the terms, sinceboth spread by self-replication. In most cases, a computer worm will carry a maliciouspayload, such as deleting files or installing a backdoor.10/21/2010Malware16

Early Historyz First worms built in the labsa of John Shock and JonHepps at Xerox PARC in ththe early 80sz CHRISTMA EXEC written in REXX, released inDecember 1987, and targeting IBM VM/CMSsystems was the first worm to use e-mail servicez The first internet worm was the Morris Worm,written by Cornell student Robert Tappan Morrisand released on November 2, 198810/21/2010Malware17Worm Development Identify vulnerability stillunpatched Write code for Worm template– Generate target list– For each host on targetlist– Exploit of vulnerability– Generation of target list Random hosts on the internet Hosts on LAN Divide-and-conquer Check if infected Check if vulnerable– Installation and execution ofpayload– Querying/reporting if a host isinfected Infect Recur Initial deployment on a privatenetwork10/21/2010Malware18

Worm Propagation Worms propagate by finding and infecting vulnerable hosts.– They need a way to tell if a host is vulnerable– They need a way to tell if a host is already infected.initial infection10/21/2010Malware19Propagation: Theoryz Classic epidemic model– N: total number of vulnerablehosts– I(t): number of infected hostsat time t– S(t): number of susceptiblehosts at time t– I(t) S(t) N– E: infection rateSource:Cliff C. Zou, Weibo Gong, Don Towsley,and Lixin Gao. The Monitoring and EarlyDetection of Internet Worms, IEEE/ACMTransactions on Networking, 2005.z Differential equation for I(t):dI dt EI(t) S(t)z More accurate models adjustpropagation rate over time10/21/2010Malware20

Propagation: Practice Cumulative total of unique IP addresses infected by the firstoutbreak of Code-RedI v2 on July 19-20, 2001Source:David Moore, ColleenShannon, and JefferyBrown. Code-Red: acase study on the spreadand victims of an Internetworm, CAIDA, 200210/21/2010Malware21Trojan Horses A Trojan horse (or Trojan) is a malware program thatappears to perform some useful task, but which alsodoes something with negative consequences (e.g.,launches a keylogger). Trojan horses can be installed as part of the payload ofother malware but are often installed by a user oradministrator, either deliberately or accidentally.10/21/2010Malware22

Current Trends Trojans currently have largest infection potential– Often exploit browser vulnerabilities– Typically used to download other malware in multi-stage attacksSource:Symantec InternetSecurity ThreatReport, April 200910/21/2010Malware23Rootkits A rootkit modifies the operating system to hide itsexistence– E.g., modifies file system exploration utilities– Hard to detect using software that relies on the OS itself RootkitRevealer––––––By Bryce Cogswell and Mark Russinovich (Sysinternals)Two scans of file systemHigh-level scan using the Windows APIRaw scan using disk access methodsDiscrepancy reveals presence of rootkitCould be defeated by rootkit that intercepts and modifiesresults of raw scan operations10/21/2010Malware24

Malware Zombies Malware can turn a computer in to a zombie, which isa machine that is controlled externally to performmalicious attacks, usually as a part of a botnet.Botnet Controlleronttrooller (Attacker)Attack CommandsBotnet:Attack Actions10/21/2010Victim25Financial Impactz Malware often affects a large userpopulationz Significant financial impact, thoughestimates vary widely, up to 100Bper year (mi2g)z Examples{ LoveBug (2000) caused 8.75B indamages and shut down theBritish parliament{ In 2004, 8% of emails infected byW32/MyDoom.A at its peak{ In February 2006, the RussianStock Exchange was taken down bya virus.10/21/2010Malware26

Economics of MalwareSource:Symantec InternetSecurity ThreatReport, April 2009 New malware threatshave grown from 20K to1.7M in the period 20022008 Most of the growth hasbeen from 2006 to 2008 Number of new threatsper year appears to begrowing an exponentialrate.10/21/2010Malware27Professional Malware Growth in professional cybercrimeand online fraud has led to demandfor professionally developedmalware New malware is often a customdesigned variations of knownexploits, so the malware designercan sell different “products” tohis/her customers. Like every product, professionalmalware is subject to the laws ofsupply and demand.– Recent studies put the price of asoftware keystroke logger at 23 anda botnet use at 225.Image by User:SilverStar from nd-equilibrium.svgused by permission under the Creative Commons Attribution ShareAlike 3.0 License10/21/2010Malware28

AdwareComputer userAdware software payloadAdware engine infectsa user’s computerAdware engine requestsadvertisementsfrom adware agentAdvertisers contract withadware agent for contentAdware agentAdware agent deliversad content to serpSpyware software payload1. Spyware engine infectsa user’s computer.2. Spyware process collectskeystrokes, passwords,and screen captures.3. Spyware processperiodically sendscollected data tospyware data collectionagent.Spyware data collection agent10/21/2010Malware30

Signatures: A Malware Countermeasure Scan compare the analyzed object with a database ofsignatures A signature is a virus fingerprint– E.g.,a string with a sequence of instructions specific foreach virus– Different from a digital signature A file is infected if there is a signature inside its code– Fast pattern matching techniques to search for signatures All the signatures together create the malwaredatabase that usually is proprietary10/21/2010Malware31Signatures Database Common MalwareEnumeration (CME)– aims to provideunique, commonidentifiers to new virusthreats– Hosted by MITRE– http://cme.mitre.org/data/list.html Digital ImmuneSystem (DIS)– Create automaticallynew signatures10/21/2010Malware32