CSci 5271 Introduction to Computer Security
Malware and Denial of Service
Stephen McCamant
University of Minnesota, Computer Science & Engineering

Outline
- Malware and the network
- Announcements intermission
- Denial of service and the network

Malware and the network

Malicious software
- Shortened to “mal…ware”
- Software whose inherent goal is malicious
  - Not just used for bad purposes
- Strong adversary
- Concern dates back to 1970s, MLS
- High visibility
- Many types

Trojan (horse)
- Looks benign, has secret malicious functionality
- Key technique: fool users into installing/running

(Computer) viruses
- Attaches itself to other software
- Propagates when that program runs
- Once upon a time: floppy disks
- More modern: macro viruses
- Have declined in relative importance

Worms
- Completely automatic self-propagation
- Requires remote security holes
- Classic example: 1988 Morris worm
- “Golden age” in early 2000s
- Internet-level threat seems to have declined

Fast worm propagation
- Initial hit-list
  - Pre-scan list of likely targets
  - Accelerate cold-start phase
- Permutation-based sampling
  - Systematic but not obviously patterned
  - Pseudorandom permutation
- Approximate time: 15 minutes
  - “Warhol worm”
  - Too fast for human-in-the-loop response

Getting underneath
- Lower-level/higher-privilege code can deceive normal code
- Rootkit: hide malware by changing kernel behavior
- MBR virus: take control early in boot
- Blue-pill attack: malware is a VMM running your system
Malware motivation
- Once upon a time: curiosity, fame
- Now predominates: money
  - Modest-size industry
  - Competition and specialization
- Also significant: nation-states
  - Industrial espionage
  - Stuxnet (not officially acknowledged)

User-based monetization
- Adware, mild spyware
- Keyloggers, stealing financial credentials
- Ransomware
  - Application of public-key encryption
  - Malware encrypts user files
  - Only $300 for decryption key

Bots and botnets
- Bot: program under control of remote attacker
- Botnet: large group of bot-infected computers with common “master”
- Command & control network protocol
  - Once upon a time: IRC
  - Now more likely custom and obfuscated
  - Centralized → peer-to-peer
  - Gradually learning crypto and protocol lessons

Bot monetization
- Click (ad) fraud
- Distributed DoS (next section)
- Bitcoin mining
- Pay-per-install (subcontracting)
- Spam sending

Malware/anti-virus arms race
- “Anti-virus” (AV) systems are really general anti-malware
- Clear need, but hard to do well
  - No clear distinction between benign and malicious
  - Endless possibilities for deception
- Malware stays enough ahead to survive

Signature-based AV
- Similar idea to signature-based IDS
- Would work well if malware were static
- In reality:
  - Large, changing database
  - Frequent updates from analysts
  - Not just software, a subscription

Emulation and AV
- Simple idea: run sample, see if it does something evil
- Obvious limitation: how long do you wait?
- Simple version can be applied online
- More sophisticated emulators/VMs used in backend analysis

Polymorphism
- Attacker makes many variants of starting malware
- Different code sequences, same behavior
- One estimate: 30 million samples observed in 2012
  - But could create more if needed
Packing
- Sounds like compression, but real goal is obfuscation
- Static code creates real code on the fly
  - Or, obfuscated bytecode interpreter
- Outsourced to independent “protection” tools

Fake anti-virus
- Major monetization strategy recently
- Your system is infected, pay $19.95 for cleanup tool
- For user, not fundamentally distinguishable from real AV

Announcements intermission

Note to early readers
- This is the section of the slides most likely to change in the final version
- If class has already happened, make sure you have the latest slides for announcements

Denial of service and the network

DoS versus other vulnerabilities
- Effect: normal operations merely become impossible
- Software example: crash as opposed to code injection
- Less power than complete compromise, but practical severity can vary widely
  - Airplane control DoS, etc.

When is it DoS?
- Very common for users to affect others’ performance
- Focus is on unexpected and unintended effects
- Unexpected channel or magnitude

Algorithmic complexity attacks
- Can an adversary make your algorithm have worst-case behavior?
- O(n²) quicksort
- Hash table with all entries in one bucket
- Exponential backtracking in regex matching
XML entity expansion
- XML entities (c.f. HTML &lt;) are like C macros
    #define B (A+A+A+A+A)
    #define C (B+B+B+B+B)
    #define D (C+C+C+C+C)
    #define E (D+D+D+D+D)
    #define F (E+E+E+E+E)

Compression DoS
- Some formats allow very high compression ratios
- Simple attack: compress very large input
- More powerful: nested archives
- Also possible: “zip file quine” decompresses to itself

DoS against network services
- Common example: keep legitimate users from viewing a web site
- Easy case: pre-forked server supports 100 simultaneous connections
  - Fill them with very very slow downloads

Tiny bit of queueing theory
- Mathematical theory of waiting in line
- Simple case: random arrival, sequential fixed-time service
  - M/D/1
- If arrival rate ≥ service rate, expected queue length grows without bound

SYN flooding
- SYN is first of three packets to set up new connection
- Traditional implementation allocates space for control data
- However much you allow, attacker fills with unfinished connections
- Early limits were very low (10-100)

SYN cookies
- Change server behavior to stateless approach
- Embed small amount of needed information in fields that will be echoed in third packet
  - MAC-like construction
- Other disadvantages, so usual implementations used only under attack

DoS against network links
- Try to use all available bandwidth, crowd out real traffic
- Brute force but still potentially effective
- Baseline attacker power measured by packet sending rate

Traffic multipliers
- Third party networks (not attacker or victim)
- One input packet causes n output packets
- Commonly, victim’s address is forged source, multiply replies
- Misuse of debugging features
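The nested #define analogy on the XML entity expansion slide is exactly how an entity-expansion document grows. As an added example (not from the lecture), this pre-parse check estimates the fully expanded size of the internal-subset entities without ever materialising them, so a service can refuse the document before a real parser touches it. The sample document, the function names and the size limits are constructed for the demo.

```python
import re
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)  # internal-subset declarations
ENTITY_REF = re.compile(r'&(\w+);')                                       # references in text

# Constructed sample: the slide's B=(A+A+A+A+A), C=(B+B+B+B+B), ... written as XML entities.
SAMPLE_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY A "lol">
 <!ENTITY B "&A;&A;&A;&A;&A;">
 <!ENTITY C "&B;&B;&B;&B;&B;">
 <!ENTITY D "&C;&C;&C;&C;&C;">
 <!ENTITY E "&D;&D;&D;&D;&D;">
 <!ENTITY F "&E;&E;&E;&E;&E;">
]>
<lolz>&F;</lolz>"""

def parse_internal_entities(xml_text):
    """Map entity name -> replacement text for each declaration in the internal subset."""
    return {name: value for name, _quote, value in ENTITY_DECL.findall(xml_text)}

def expanded_size(entities, name, _stack=(), _memo=None):
    """Length of entity `name` after full expansion, computed without building the string.
    Every reference inside a value counts once per occurrence, so nesting multiplies."""
    _memo = {} if _memo is None else _memo
    if name in _stack:
        raise ValueError("recursive entity " + name)     # illegal XML: reject outright
    if name not in _memo:
        value = entities[name]
        size = len(ENTITY_REF.sub("", value))             # literal characters ...
        for ref in ENTITY_REF.findall(value):             # ... plus each reference's expansion
            if ref in entities:
                size += expanded_size(entities, ref, _stack + (name,), _memo)
            else:
                size += len(ref) + 2                      # predefined/undeclared: left as written
        _memo[name] = size
    return _memo[name]

def document_expansion_size(xml_text):
    """Estimated size of the body once every entity reference has been expanded."""
    entities = parse_internal_entities(xml_text)
    body = xml_text.split("]>", 1)[-1]                    # everything after the DOCTYPE
    size = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        size += expanded_size(entities, ref) if ref in entities else len(ref) + 2
    return size

def safe_to_parse(xml_text, max_bytes=1_000_000, max_ratio=100):
    """Pre-parse gate: refuse if expansion exceeds an absolute size or a blow-up ratio."""
    expanded = document_expansion_size(xml_text)          # ValueError (recursion) is also a reject
    return expanded <= max_bytes and expanded <= max_ratio * len(xml_text)
```

Five levels of five-fold nesting turn a three-character entity into 5^5 * 3 = 9375 characters; the same check scales to the depths used against real parsers, which is why production parsers cap entity expansion by default.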
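To make the queueing-theory slide concrete, an added example (not from the lecture) simulates the M/D/1 server with Lindley's recursion on per-customer waiting times and compares the time-average number in the system against the standard Pollaczek-Khinchine closed form for M/D/1. The arrival rates, service time and sample counts are constructed for the demo.

```python
import random

def md1_mean_in_system(rho):
    """Closed-form mean number of customers in an M/D/1 system (Pollaczek-Khinchine).
    rho = arrival rate / service rate; the value diverges as rho approaches 1."""
    if rho >= 1.0:
        return float("inf")                 # no steady state: queue grows without bound
    return rho + rho * rho / (2.0 * (1.0 - rho))

def simulate_md1(arrival_rate, service_time, n_customers, seed=1):
    """Monte Carlo estimate of the mean number in system for Poisson arrivals and a
    fixed (deterministic) service time, via Lindley's recursion and Little's law."""
    rng = random.Random(seed)
    wait = 0.0                              # queueing delay of the customer being served
    total_wait = 0.0
    for _ in range(n_customers):
        interarrival = rng.expovariate(arrival_rate)
        # The next arrival waits for what is left of this customer's wait plus service.
        wait = max(0.0, wait + service_time - interarrival)
        total_wait += wait
    mean_wq = total_wait / n_customers
    return arrival_rate * (mean_wq + service_time)   # Little's law: L = lambda * W

def utilisation_sweep(service_time=1.0, rhos=(0.5, 0.7, 0.9, 0.99), n=200_000):
    """Closed-form vs simulated queue length as load approaches capacity."""
    return {rho: (round(md1_mean_in_system(rho), 2),
                  round(simulate_md1(rho / service_time, service_time, n), 2))
            for rho in rhos}
```

Running utilisation_sweep() shows the slide's point numerically: at half load the server holds under one customer on average, while at 99% load the mean backlog is in the tens, and any arrival rate at or above the service rate has no finite mean at all.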
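A minimal SYN-cookie construction as an added example (not the lecture's or any operating system's code): the server stores nothing per half-open connection; the 32-bit initial sequence number it sends in the SYN-ACK carries a coarse time counter, an MSS choice and a keyed MAC over the connection 4-tuple, and the whole thing comes back as the ACK number in the third packet. The secret key, MSS table and bit layout are constructed choices for the demo; real implementations also mix in the client's sequence number and use a per-boot random key.

```python
import hashlib, hmac, struct, time

SECRET_KEY = b"constructed-demo-key-rotate-me"    # a real kernel uses a per-boot random secret
MSS_TABLE = (536, 1220, 1440, 1460)                # 2-bit index into a few common MSS values
COUNTER_SHIFT = 6                                  # one time "tick" every 64 seconds

def current_count():
    """Coarse 6-bit time counter; a cookie is only honoured for a few recent ticks."""
    return (int(time.time()) >> COUNTER_SHIFT) & 0x3F

def _mac24(saddr, sport, daddr, dport, count):
    """24-bit keyed MAC over the 4-tuple and the tick: the slide's 'MAC-like construction'."""
    msg = struct.pack("!4sH4sHB", saddr, sport, daddr, dport, count)
    return int.from_bytes(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(saddr, sport, daddr, dport, client_mss, count):
    """ISN for the SYN-ACK: 6-bit tick | 2-bit MSS index | 24-bit MAC. No state is kept."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    count &= 0x3F
    return (count << 26) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, count)

def check_syn_cookie(saddr, sport, daddr, dport, ack_num, now_count, max_age=3):
    """Validate the third packet's ACK number (cookie + 1). Returns the negotiated MSS
    so the connection can be rebuilt from scratch, or None if the cookie is stale or forged."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    count = cookie >> 26
    if (now_count - count) & 0x3F >= max_age:
        return None                                # tick too old: refuses replayed cookies
    expected = _mac24(saddr, sport, daddr, dport, count).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                                # MAC mismatch: not ours, or a different 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x3]
```

The cost the slide alludes to is visible in the layout: only two bits survive for TCP options such as MSS, and the tick granularity limits how long a client may take to complete the handshake, which is why servers typically switch cookies on only once the backlog fills.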
“Smurf” broadcast ping
- ICMP echo request with forged source
- Sent to a network broadcast address
- Every recipient sends reply
- Now mostly fixed by disabling this feature

Distributed DoS
- Many attacker machines, one victim
- Easy if you own a botnet
- Impractical to stop bots one-by-one
- May prefer legitimate-looking traffic over weird attacks
  - Main consideration is difficulty to filter

Next time
- Network anonymity with overlay networks