CSE543 Computer and Network Security Module: Internet Malware - PowerPoint PPT Presentation

�������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 Computer and Network Security Module: Internet Malware Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security Page 1

Viruses Is an attack that modifies programs on your host • Approach • 1. Download a program … 2. Run the program … 3. Searches for binaries and other code (firmware, boot sector) that it can modify … 4. Modifies these programs by adding code that the program will run • What can an adversary do with this ability? CMPSC443 - Introduction to Computer and Network Security Page 2

Viruses How does it work? • ‣ Modify the file executable format CMPSC443 - Introduction to Computer and Network Security Page 3

Viruses • How does it work? ‣ Modify the file executable format • What types of modifications? ‣ Overwrite the beginning ‣ Add code anywhere and change “address of entry point” • Add a new section header • Patch into a section ‣ Add jump instruction to exploit • All these were well known by 90s CMPSC443 - Introduction to Computer and Network Security Page 4

Worms A worm is a self-propagating program. • As relevant to this discussion • 1. Exploits some vulnerability on a target host … 2. (often) embeds itself into a host … 3. Searches for other vulnerable hosts … 4. Goto (1) Q: Why do we care? • CMPSC443 - Introduction to Computer and Network Security Page 5

The Danger • What makes worms so dangerous is that infection grows at an exponential rate ‣ A simple model: • s (search) is the time it takes to find vulnerable host • i (infect) is the time is take to infect a host ‣ Assume that t=0 is the worm outbreak , the number of hosts infected at t=j is 2 (j/(s+i)) ‣ For example, if (s+i = 1), what is it at time t=32? CMPSC443 - Introduction to Computer and Network Security Page 6

The result 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 1,000,000,000 500,000,000 0 CMPSC443 - Introduction to Computer and Network Security Page 7

The Morris Worm • Robert Morris, a 23 doctoral student from Cornell ‣ Wrote a small (99 line) program ‣ November 3rd, 1988 ‣ Simply disabled the Internet • How it did it ‣ Reads /etc/password, they tries the obvious choices and dictionary, /usr/dict words ‣ Used local /etc/hosts.equiv, .rhosts, .forward to identify hosts that are related • Tries cracked passwords at related hosts (if necessary) • Uses whatever services are available to compromise other hosts ‣ Scanned local interfaces for network information ‣ Covered its tracks (set is own process name to sh, prevented accurate cores, re-forked itself) CMPSC443 - Introduction to Computer and Network Security Page 8

Code Red • Exploited a Microsoft IIS web-server vulnerability ‣ A vanilla buffer overflow (allows adversary to run code) ‣ Scans for vulnerabilities over random IP addresses ‣ Sometimes would deface the served website • July 16th, 2001 - outbreak ‣ CRv1- contained bad randomness (fixed IPs searched) ‣ CRv2 - fixed the randomness, • added DDOS of www.whitehouse.gov • Turned itself off and on (on 1st and 19th of month, attack 20-27th, dormant 28-31st) ‣ August 4 - Code Red II • Different code base, same exploit • Added local scanning (biased randomness to local IPs) • Killed itself in October of 2001 CMPSC443 - Introduction to Computer and Network Security Page 9

Worms and infection • The effectiveness of a worm is determined by how good it is at identifying vulnerable machines ‣ Morris used local information at the host ‣ Code Red used what? • Multi-vector worms use lots of ways to infect ‣ E.g., network, DNS partitions, email, drive by downloads … ‣ Another worm, Nimda did this • Lots of scanning strategies ‣ Signpost scanning (using local information, e.g., Morris) ‣ Random IP - good, but waste a lot of time scanning “dark” or unreachable addresses (e.g., Code Red) ‣ Local scanning - biased randomness ‣ Permutation scanning - instance is given part of IP space CMPSC443 - Introduction to Computer and Network Security Page 10

Other scanning strategies • The doomsday worm: a flash worm ‣ Create a hit list of all vulnerable hosts • Staniford et al. argue this is feasible • Would contain a 48MB list ‣ Do the infect and split approach ‣ Use a zero-day vulnerability 5,000,000,000 4,500,000,000 4,000,000,000 3,500,000,000 3,000,000,000 2,500,000,000 2,000,000,000 1,500,000,000 1,000,000,000 500,000,000 0 • Result: saturate the Internet is less than 30 seconds ! CMPSC443 - Introduction to Computer and Network Security Page 11

Worms: Defense Strategies • (Auto) patch your systems: most, if not all, large worm outbreaks have exploited known vulnerabilities (with patches) • Heterogeneity: use more than one vendor for your networks • Shield (Ross): provides filtering for known vulnerabilities, such that they are protected immediately (analog to virus scanning) Network Shield Traffic Network Interface Operating System • Filtering: look for unnecessary or unusual communication patterns, then drop them on the floor ‣ This is the dominant method, getting sophisticated (Arbor Networks) CMPSC443 - Introduction to Computer and Network Security Page 12

Modern Malware • Now malware has a whole other level of sophistication • Now we speak of … • Advanced Persistent Malware CMPSC443 - Introduction to Computer and Network Security Page 13

Advanced • More like a software engineering approach • Growing demand for “reliable” malware • Want malware to feed into existing criminal enterprise • Online - criminals use online banking too • Malware ecosystem • Measuring Pay-per-Install: The Commoditization of Malware Distribution , USENIX 2011 • Tool kits • Sharing of exploit materials • Combine multiple attack methodologies • Not hard to find DIY kits for malware CMPSC443 - Introduction to Computer and Network Security Page 14

Malware Lifecycle CMPSC443 - Introduction to Computer and Network Security Page 15

Persistent • Malware writers are focused on specific task • Criminals willing to wait for gratification • Cyberwarfare • Low-and-slow • Can exfiltrate secrets at a slow rate, especially if you don't need them right away • Plus can often evade or disable defenses CMPSC443 - Introduction to Computer and Network Security Page 16

Threat • Coordinated effort to complete objective • Not just for kicks anymore • Well-funded • There is money to be made • … At least that is the perception CMPSC443 - Introduction to Computer and Network Security Page 17

Threat • PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs, USENIX 2012 GlavMed SpamIt RX-Promotion Product Orders Revenue Orders Revenue Orders Revenue ED and Related 580 K (73%) $55 M (75%) 670 K (79%) $70 M (82%) 58 K (72%) $5.3 M (51%) Viagra 300 K (38%) $28 M (38%) 290 K (34%) $31 M (36%) 33 K (41%) $2.7 M (27%) Cialis 180 K (23%) $19 M (26%) 190 K (22%) $23 M (27%) 18 K (22%) $1.9 M (19%) Combo Packs 49 K (6.1%) $3.9 M (5.4%) 110 K (14%) $8.4 M (9.8%) 5100 (6.4%) $350 K (3.4%) Levitra 32 K (4.1%) $3.2 M (4.4%) 35 K (4.2%) $3.9 M (4.5%) 1200 (1.5%) $150 K (1.5%) Abuse Potential 48 K (6.1%) $4.5 M (6.1%) 64 K (7.6%) $6.2 M (7.3%) 11 K (14%) $3.3 M (32%) Painkillers 29 K (3.7%) $2.4 M (3.3%) 53 K (6.3%) $4.7 M (5.5%) 10 K (13%) $3.0 M (29%) Opiates — — — — 8000 (10%) $2.7 M (26%) Soma/Ultram/Tramadol 20 K (2.5%) $1.8 M (2.4%) 46 K (5.5%) $4.1 M (4.8%) 1000 (1.3%) $150 K (1.5%) 120 K (15%) $9.5 M (13%) 64 K (7.6%) $5.2 M (6.1%) 8500 (11%) $1.3 M (13%) Chronic Conditions 23 K (2.9%) $2.1 M (2.9%) 16 K (1.9%) $1.4 M (1.7%) 6000 (7.4%) $1.1 M (11%) Mental Health Antibiotics 25 K (3.2%) $2.1 M (2.9%) 16 K (1.9%) $1.4 M (1.6%) 1300 (1.6%) $97 K (0.9%) Heart and Related 12 K (1.5%) $770 K (1.1%) 9700 (1.2%) $630 K (0.7%) 390 (0.5%) $35 K (0.3%) Uncategorized 48 K (6.0%) $4.0 M (5.5%) 47 K (5.6%) $3.9 M (4.6%) 2400 (3.0%) $430 K (4.2%) Table 2: Product popularity in each of the three programs. Product groupings and categories are in italics; individual brands are without italics. Opiates are a further subcategory of Painkillers, and include Oxycodone, Hydrocodone, Vicodin, and Percocet. CMPSC443 - Introduction to Computer and Network Security Page 18

Example: Sirefef • Windows malware - Trojan to install rootkit Technical details (see Microsoft) • And http://antivirus.about.com/od/virusdescriptions/a/What-Is- • Sirefef-Malware.htm • Attack: “Sirefef gives attackers full access to your system” • Runs as a Trojan software update (GoogleUpdate) • Runs on each boot by setting a Windows registry entry • Some versions replace device drivers • Downloads code to run a P2P communication • Steal software keys and crack password for software piracy • Downloads other files to propagate the attack to other computers CMPSC443 - Introduction to Computer and Network Security Page 19