Networking & Malware - PowerPoint Presentation

Slide1

Networking & Malware

CS 598: Network SecurityMichael Rogers & Leena WinterrowdMarch 26, 2013Slide2

Types of Malware

Image courtesy of prensa.pandasecurity.comSlide3

Types of Malware

Viruses 16,82%

Trojan horses

69.99%

No standardized definitions!Slide4

Viruses

Programs capable of

self-replication

Spread to other systems

Cannot execute on their own

Must attach themselves to other programs

Effectively need

user-interaction

to spreadSlide5

Worms

Standalone programs

Self-replicating

Rely on exploits to self-execute

Self-propagating

No user interaction

!Slide6

Ye Olde Computyre

Virus

Thou hast presently received ye olde virus!

Since it doth not useth 'electricitee' or 'computyres', thou art on ye olde 'Honore Systeme'.

Please deleteth all of thy files from thy hard drive and forward ye olde virus to thy friends.Slide7

Trojans

Masquerade as legitimate files

Often 'gifts' or free downloads

Gives (unauthorized) access to a system

Most often propagated with worms

Most often contains spywareSlide8

Backdoors

Bypass security to directly access data/service

Often default/hard-coded password

Maintain undetectability

Example (2003):

2-line Linux kernel change:

http://kerneltrap.org/node/1584

Frequently used by wormsSlide9

Rootkits

DAEMON Tools is actually a beneficial rootkit!

(Intercepts Windows API calls)

Hide existence of a payload

Payload is often a trojan

Generally subvert/disable security programs

Usually enable root access (elevated privilege)

Modern rootkits do not do this!

Most often perform injection:

Enable a backdoor

Replace a library

Hide on devices or in BIOS

CompuTrace & LoJackSlide10

Spyware

Collects information without user knowledge/permission

Often trojans

May be intentional

KeyloggersSlide11

Adware

Automatically renders ads

Generates money for developer(s)

Often intentional

Ideally non-intrusiveSlide12

Typhoid Adware

An infected machine poses as the legitimate access point

Intercepts and hijacks other users connections via ARP spoofing

The infected machine inserts ad-content into video streams

Infected machine shows no symptoms

Only a NAT-box proxy

Paper available at:

http://pages.cpsc.ucalgary.ca/~aycock/papers/eicar10.pdfSlide13

Infection Mechanisms

Droppers

Inject malware (single-stage)

Download malware to the machine (two-stage)

Pretend to be legitimate programs (Trojans)

Injector: dropper which installs to memory only

Drive-By Downloads

Placed on systems by compromised websites

Serves as point of entry for other malware

Recent Example: FBI virus (Java exploit)

Image courtesy of http://www.technobuffalo.comSlide14

Infection Mechanisms

DECEPTION!

Exploitation

OS design defects

Zero-day

Unpatched

Software bugs

Privilege elevation

Preexisting (related or unrelated) backdoors

'Auto-run' on removable devices (USB, CD, etc.)

Purposely install malicious code

Physical access

Image courtesy of http://www.technobuffalo.comSlide15

Well-Known Malware ExamplesSlide16

Stuxnet

In June 2010, VirusBlokAda discovered an unprecedented type of Malware – Stuxnet.

But what made Stuxnet different?

(usu < 1KB)Slide17

Stuxnet's Infection Mechanisms

Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

Infected Windows systems via USB (auto-run)

3 infections/drive; self-replicates to removable drives

Worm attempts to spread to any Windows system for 21 days

Systems were 'air-gapped' (not connected to internet)

Uses

four

zero-day Windows exploits

Copies itself through LAN via a print-spooler exploit

Spreads through SMB

E

xploit

s

a Windows Server Service RPC vulnerability (same as

Conficker

worm; patched in 2008)

2 escalation of privilege vulnerabilitiesSlide18

Stuxnet's P

ropagation Mechanisms

Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

Spreads via network shares

L

ooks for

and i

njects itself into

specific

control software project

Software h

as a hard-coded password

Copies to server via SQL injection

Can self-update or report data via 'command & control' servers

Self-updating via LAN or p2p

Contained a Windows rootkit to further avoid detection

Digitally signed with stolen certificates from

Realtek

&

JmicronSlide19

What

did

Stuxnet

d

o

?

Targeted Siemen's 315 and 417 PLCs

Fingerprinted by model number, configuration, and actual PLC code

Exploited a driver DLL to copy itself to the PLCs

Changed frequency controller drives' speeds

Alternated between slowing down and speeding up the normal frequency

Could cause a PLC-controlled centrifuge to fly apart over time

Image courtesy of http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process

Centrifuge

Speed

SettingsSlide20

Flame

"Arguably the most sophisticated malware ever found"~20 MB

Spreads via LAN or USB

Compromised Microsoft code-signing certificate

MD5 chosen-prefix collision attack

Modular designSlide21

What did Flame do?

Steals informationRecords Skype calls

Activates Bluetooth

Steals information from other Bluetooth devices

Communicates information back to command & control server and awaits further instructionsSlide22

DNSChanger

Drive-by download claiming to be a required video codec

Modified DNS

config

to go through a rogue name server

Injected/substituted advertising on web pages & redirected some links

Could spread within a LAN

Mimicked a DHCP server

Pointed others towards the rogue DNS servers

Perpetrators apprehended, but rogue DNS servers left running for fear of knocking infected machines off the internetSlide23

Nimda

Virus/worm hybridInfected via multiple avenues

Email

Network shares

Compromised websites

Microsoft IIS vulnerability exploits

Backdoors left by other worms (Code Red II and sadmind/IIS)

Became the internet's most widespread worm within 22 minutesSlide24

Why Malware is Written

'For teh lulz

' (entertainment value)

Causing distraction or destruction just because it's amusing

To show off

Exploit remote systems as a show of skill

Anonymity

Attacks may act as the victim

Sociopolitical

Anonymous,

Lulzsec, hacktivistsStuxnet & FlameMay cause physical damage! (Stuxnet)For profitSlide25

Malware for Profit

Spyware

Gain personal information for various purposes

Targeted marketing or identity theft

Corporate espionage/sabotage

Botnets

Cloud-based attacks (DDOS, click fraud, spam)

Adware/

scareware

/

ransomwareDirectly bilk money from victimsRecursiveSell dropper/backdoor kitsPromote further infectionSlide26

Malware PropagationSlide27

Target Selection

Completely targetedSemi-targeted

Brute-force/random

Pseudorandom

DiffusionSlide28

Completely Targeted

Predetermined list of targets

Common to spam/phishing

Tend to employ social engineering techniquesSlide29

Semi-Targeted

Takes a good guess at the next target

Often target machines on the local network (worms)

Uses the concept of

homogeneity

Exploit one in network → may be able to exploit all

E-mail contact lists (trojans)Slide30

Brute-Force

Port-scanning and IP scanning the entire address space

Often start from a randomized offset and skip aroundSlide31

Pseudorandom

Brute-force with restrictions (for better performance)

Example: Blacklist known darknet/honeypot addresses

Example: Prioritize IPs belonging to a specific countrySlide32

Diffusion

Design malware to use alternate channels of infection (USB drives or smartphones)

Hope someone plugs the wrong thing in the wrong place

Can be random or targeted

Targeted often requires research on habits/behaviors of individuals in the target environmentSlide33

Actual Propagation

Self-propagationSocial engineering

Secondary infections

Malicious code sources:

From central source

From infector

Inject as part of exploitationSlide34

Self-Propagation

Uses exploits on the remote machine to self-installExamples:

Unpatched network daemons (several in older versions of Samba)

Insecure driver code (thumb drives and other out-channel exploits)

Insecure system settings (autoplay, no UAC)Slide35

Social Engineering

Sends a copy of the malware disguised as something innocuous

"Funny cat video!.mpg.exe"

Spread by malicious user, unwitting infected user, or the malware itselfSlide36

Secondary Infections

Create an artificial vulnerability or exploitServes as the vehicle for other malware

Primary approach of droppers & backdoorsSlide37

Honeypots

Detection mechanism that exploits random/pseudorandom propagation

Pose as a vulnerable system

Capture malware samples

Often run by known organizations

Known IP spaces = easy to avoid

Low interaction honeypots

Emulate aspects of a vulnerable system

Safer but only emulate specific aspects

High interaction honeypots

Actual full systems/VMsSpecialized firewallInfection (hopefully) cannot spreadSlide38

Communication and ControlSlide39

Four different classifications

Uncontrolled and silent

Controlled and silent

Uncontrolled and noisy

Controlled and noisySlide40

Uncontrolled and Silent

No interaction with programmer in either direction

No transmitting of information back to source

Behavior must be pre-programmed, e.g. Stuxnet

Often used simply to cause destructionSlide41

Uncontrolled and Silent

Pros

Cannot be disrupted by compromising command method

Less likely to be detected by network monitoring (under correct conditions)Slide42

Uncontrolled and Silent

Cons

No dynamic control

Cannot be used for data theft, reconnaissanceSlide43

Controlled and Silent

Can receive commands

Numerous channels available, such as IRC, DHT, Google link bombing, establishing direct network contact, P2P networks, file drops

Does not transmit information

Often used for targeted attacks, occasionally used for botnets, planting backdoorsSlide44

Controlled and Silent

Pros

Behavior can change dynamically after launch in direct response to controller

Less likely to be detected by network monitoring (under correct conditions, initially)Slide45

Controlled and Silent

Cons

Cannot be used for data theft, reconnaissance

Can be disrupted or even destroyed by subversion of command mechanismSlide46

Uncontrolled and Noisy

Can communicate information about infected systems

Methods include file drops on a central server or to online hosting services (e.g. Mega), IRC channels, P2P services

More useful for reconnaissance, smash-and-grabSlide47

Uncontrolled and Noisy

Pros

Easiest for ‘blitz’ style attacks

Good for blind mappingSlide48

Uncontrolled and Noisy

Cons

No dynamic control

More likely to be detectedSlide49

Controlled and Noisy

Allows for both control and communication

Allows for targeting and exploiting specific systems

Frequently used for more sophisticated malware

High-end botnets, spyware, backdoorsSlide50

Controlled and Noisy

Pros

Can dynamically alter behavior

Can gain information about infected systems

Allows for most sophisticated behaviorSlide51

Controlled and Noisy

Cons

Most likely to be detected

Can be disrupted or destroyed by subversion of communication mechanism

Provides most chances for perpetrator to be caughtSlide52

Detecting Malware

Warning signs at the network levelSlide53

Detecting the Act of Infection

Look for network packets which indicate an attack or exploit

Known bad packets

Malformed packets

Often requires deep packet inspection (NIDS such as Snort and Bro)Slide54

Detecting Suspicious Traffic Types

Probes on multiple ports from the same source (single-origin port scanning)

Can be frustrated or defeated by a distributed scan (likely via botnet), use of proxies or anonymization services such as Tor, cooldown periodsSlide55

Detecting Suspicious Traffic Types

Encrypted traffic on unusual ports

Can be frustrated or defeated by tunneling through normally encrypted ports such as 443 for HTTPSSlide56

Detecting Suspicious Traffic Types

Requests for multiple IP addresses on the same LAN from a single source

Can be frustrated or defeated by a distributed scan (likely via botnet) and/or use of proxies or anonymization services such as Tor if done remotely, cooldown periodsSlide57

Detecting Suspicious Traffic Types

Requests with unusual strings and/or misspellings

Browser type "MoZilla", "InertNet Esplorer"

User-Agent: %^&NQvt

Requests with unusual IP headers and/or flags

<!--- malicious message --->Slide58

Detecting Suspicious Traffic Volume

Observe the (networking) behavior of a suspect machine

Look for large traffic spikes

Look for strange traffic behaviorSlide59

Detecting Suspicious Traffic Volume

Large traffic spikes may indicate an attempt at a ‘fire hose’ or ‘spray and pray’ method of infection

Large traffic spikes may also indicate cooption of system resources such as Bitcoin mining, click fraud, or distributed cryptographic attacksSlide60

Detecting Suspicious Traffic Volume

Strange behavior is more subtle

Look for port scanning behavior

Look for network communications while the system is otherwise idle

Look for network communications to a large number of IP addresses in a relatively short time

ESPECIALLY if the IP addresses are sequential

Look for network communications using unusual protocols

IRC traffic when no IRC client is installedSlide61

Detecting Suspicious Traffic End Points

Blacklist approach

Look for communication attempts with known bad IP addresses

Look for suspicious network requests

A DNS lookup for “pwnz0rd-j00.l33t.net” is unlikely to be a good thing

A VPN connection being established FROM a workplace (depending on the workplace)

Unexpected P2P or Tor trafficSlide62

Reverse Engineering Networking

Given a malware binary, look for networking codeCheck for common API calls

Identify how the malware puts networking requests together

Create an outline of the protocol and possible values placed in the traffic

Identify how/if this differs from normal traffic

Write signatures based on the differencesSlide63
Slide64

Anti Techniques

Anti-Disassembly

Anti-Debugger

Anti-Virtual Machine

Goal: Make it too difficult for beginners or even average malware analysts to handleSlide65

Anti-Disassembly

Goal: Trick Disassemblers into showing incorrect code

Raises the bar for malware analysts

Debugging assembly is difficult enough already

Can make it too difficult for novice malware analysts….Slide66

Types of Disassembly

Linear Disassembly

Disassemble one instruction at a time

Do not look at type of instruction

Flow-

oriente

d Disassembly

Look at instruction and disassemble based on program flow

Used by IDA Pro and other commercial productsSlide67

33 C0 xor eax,eax

74 01 jz short near ptr loc+1

E9 junk

58 Pop eax

C3 retn

Jump Tricks

Fool Linear Disassembly with jump instructions

Same target (jz and jnz)

Constant condition (xor to zero and jz)

Example

33 C0 XOR eax, eax

74 01 jz short near ptr loc+1

E9 58 C3 68 94 jmp near ptr 94A8D521hSlide68

Impossible Disassembly

Recall Assembly instructions are multiple byte lengths depending on instruction

Jump back a byte into an instruction already disassembled and use it as part of another instruction

Screws over disassemblersSlide69

Impossible Disassembly cont.

EB FF JMP -1

C0 48 ???

FF CO INC EAX

48 DEC EAX

66 B8 EB 05 mov ax, 5EBh

31 C0 xor eax, eax

74 F9 jz (-7)

E8 58 C3 90 90 call near ptr 98A8D525h

EB 05 jmp 5

58 Pop eax

C3 retSlide70

Hiding Cross Referenced Code

Graph view in IDA is nice but….

It is easy to hide function calls made through pointers

C++ uses this extensively

Be aware that function calls through pointers can get lost!!!Slide71

Fun with Ret

When a program returns, it pops the return address from the stack and jumps execution there

004011C0 var_4 = byte ptr -4

004011C0 call $+5

004011C5 add [esp+4+var_4], 5

004011C9 ret

004011C9 sp-analysis failed

004011CA Confused IDA Pro…..Slide72

Handling Exception Handlers

Exception handling is common in C

When an exception is thrown, handlers are searched by looking through a linked list data structure

New exception handlers are added to the list by appending to the end

During an exception, each exception handler is called in sequence pushing itself onto the stackSlide73

Stack Example

00401050 mov eax, (offset loc_40106B+1)

00401055 add eax, 14h

00401058 push eax

00401059 push large dword ptr fs:0

00401060 mov large fs:0, esp

00401067 xor ecx, ecx

00401069 div ecx

0040106B call whatever

00401070 retn

00401071 IDA Panic Time ??????Slide74

Screwing up Automated Function Analysis

Automated analysis of function parameters is determined by looking at what variables are accessed

00401543 sub esp, 8

00401546 sub esp, 4

00401549 cmp esp, 1000h

0040154F jl short loc_401556

00401551 add esp, 4

00401554 jmp short loc_40155C

00401556 add esp, 104h

0040155C IDA confusion ensues…..Slide75

Anti-Disassembly

Disassemblers are nice but not infallible

We get to keep our jobs ☺

Good malware analysts can recognize impossible assembly and run through the code to figure out what is going on

IDA supports manually re-classifying code as well as code replacement to “fix” problem areasSlide76

Anti-Debugging

Goal is to cause malware to exit or skip important behavior during debugging

As a malware analyst, we need to find this code to get to the fun parts

Thus, we need to jump over and circumvent anti-debugging techniquesSlide77

Windows API Calls

IsDebuggerPresent

CheckRemoteDebuggerPresent

NTQueryInformationProcess

OutputDebugString

Watch for fun calls to OutputDebugString

OutputDebugString(“%s%s%s%s%s”)

If these calls exist, the program is looking for an attached debuggerSlide78

Manual Checks for Debuggers

Check the PEB

Structure of this header is available on MSDN

BeingDebuggedFlag: Set if process is being debugged

ProcessHeap flag: Pointer to the first entry of the heap for a program

Contains a header with a flag telling the kernel if a debugger is present

Offset 0x10 in XP and 0x40 in Windows 7Slide79

Manual Checks cont.

NTGlobalFlag

Debuggers set different heap flags when running programs

Typically:

Enable Tail Check

Enable Free Check

Validate parameters

All allow the debugger to watch for heap errorsSlide80

Manual Checks cont.

Debuggers leave residue on the system:

Check to see if the default debugger (DrWatson) has been replaced in the registry

Look for key: KHLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AeDebug

Malware may also look for known Debug windows with FindWindowSlide81

Looking for Debugger Behavior

Malware can scan its own code in memory looking for software breakpoints inserted by debuggers

Int 3 (0xCC): Most common software breakpoint

Or just calculate an MD5 checksum of the loaded memory

If it does not match, quitSlide82

Debugger Behavior cont.

Timing Checks

Debugged programs run slower especially if the analyst is stepping through code

Strategy: Perform system time check, run code, perform another time check

If time 2 is too much later than time 1, then quit assuming a debuggerSlide83

Debugger Behavior cont.

Common ways to check system time:

Rdtsc: Number of ticks since last reboot

QueryPerformanceCounter:

GetTickCount: Windows API time since last boot in milliseconds

Look for two calls to these functions along with a compare

Then jump over the compare to continue to the good stuffSlide84

Messing with Debuggers

Thread Local Storage

Another cool place to hide code

Supposed to be used to initialize thread specific storage variables

Of course can be used for anything and often skipped by debuggers (debuggers break on the main code)

Easy to find requires a separate .tls section in the PE header

If found force your debugger to load the codeSlide85

Playing with Exceptions

By default, debuggers break on exceptions to let the programmer view what caused the error

Timing detection works really well here since debugger (almost) always stop execution

When debugging, step back into the code’s exception handlers to make sure they are cleanSlide86

Inserting Breakpoints

Debuggers use 0xCC to trigger a breakpoint

Malware can insert these too!!!!

Often this is used as 0xDC (valid instruction when not debugging)

When debugged, the debugger will pause at 0xCC then set the SP to the next byte

All subsequent code is then out of alignmentSlide87

Invalid PE headers

Debuggers are often more strict when reading PE headers than the Windows loader

Certain Size variables have a well known maximum value that the Windows loader enforces

Debuggers can take these at face value

NumberOfRVAandSizes

SizeOfRawDataSlide88

Detecting Virtual Machines

This is becoming less popular as virtual machines become more popular

In the beginning, most virtual machines were bad targets because they were power users and malware analysts

Virtualization is now popular for everyday use

Just because a system is running in a VM does not mean it is not useful now!!!!Slide89

VMWare

VMWare does not try to hide…..

Drivers are named with well known names

VMTools is commonly installed

VMTools in program files

VMTray

System services

Look for any string with VMWare to find these checksSlide90

Virtualization Artifacts

VMWare and others run the VM in an isolated environment

The software traps most CPU calls which request hardware information through interrupts

Unfortunately, some of these instructions do not generate interrupts

To virtualize these, every instruction would need to be tested before they were runSlide91

Virtualization Artifacts cont

This would be a huge performance hit!!!!

Strategy is then:

Query one of these functions

Check through another method what the value is (Often implemented in a virtualized fashion)

If the values differ, then we are running in a VMSlide92

Vulnerable Instructions

Sidt – Store interrupt descriptor table

Sgdt – Store global descriptor table

Sldt – Store local descriptor table

Smsw – Store machine status word

Str – Store task Register

In (with second operand VX)

cpuidSlide93

Circumvention

These instructions will not normally be used in programs

Search for them in IDA and analyze…..