The Evolution of Malicious Agents - PowerPoint PPT Presentation

1
The Evolution of Malicious Agents
  • Lenny Zeltser
  • lenny@zeltser.com
  • SANS Security DC 2000

2
Overview
3
Definition of Malicious Agents
  • A computer program
  • Operates on behalf of a potential intruder
  • Aids in attacking systems
  • Examples: viruses, worms, trojanized software

4
Goals of the Course
  • Trace evolution of malicious agents
  • Examine anatomy of advanced malicious agents
    based on key features of existing ones
  • Develop an approach to assessing threats posed by
    malicious agents

5
Course Outline
  • Rapidly spreading agents
  • Spying agents
  • Remotely controlled agents
  • Coordinated attack agents
  • Advanced malicious agents

6
Rapidly Spreading Agents
7
General Attributes
  • Morris Worm and Melissa Virus
  • Able to rapidly spread across the network
  • Viruses infect other programs by explicitly
    copying themselves
  • Worms self-propagate without the need for a host
    program

8
Key Features and Limitations
  • Effectively infiltrate organizations despite many
    firewalls
  • Effective replication mechanisms
  • Limited control over propagation rates and target
    selection criteria

9
The Morris Worm
  • Self-contained, self-propagating worm
  • Overwhelmed the Internet in November 1988 within
    hours of release
  • Exploited known weaknesses in host services and
    trust relationships to replicate
  • A program that lived on the Internet?

10
Propagation Techniques
  • DEBUG command left enabled in sendmail
  • Stack buffer overflow in fingerd (unchecked gets()
    into a fixed-size buffer)
  • Trust relationships of rexec and rsh (hosts.equiv
    and .rhosts)
  • Guessable user passwords (dictionary attack against
    the local password file)
  • Recursively infiltrated systems to replicate
    itself and reproduce further

11
Relevance to Advanced Agents
  • Aggressive infiltration methods of the Morris
    Worm are still very effective
  • For rapid propagation, program the agent to
    exploit common vulnerabilities

12
The Melissa Virus
  • Microsoft Word-based macro virus
  • Overwhelmed many Internet mail systems over the
    first weekend after its release in March 1999
  • E-mailed itself to address book entries
  • Propagated primarily via e-mail

13
Propagation Techniques
  • Arrived as an e-mail attachment
  • Message recipient had to open the infected
    attachment (with macros enabled) to activate the
    payload
  • E-mailed itself to the first 50 entries in each
    Microsoft Outlook MAPI address book
  • Recipients lowered their guard because the message
    came from a friend or colleague

14
Relevance to Advanced Agents
  • Penetrated firewalls via inbound e-mail
  • Virus signatures could not be developed and
    applied in time
  • For effective infiltration, program the agent to
    arrive via open inbound channels

15
Advanced Attributes Summary
  • Propagate via open channels such as Web browsing
    or e-mail
  • Once inside, replicate aggressively by exploiting
    known vulnerabilities
  • Need to control replication rates, possibly by
    staying in touch with attacker

16
Spying Agents
17
General Attributes
  • Caligula, Marker, and Groov viruses
  • Transmit sensitive information from within
    organizations
  • Infiltrate via open channels
  • Use outbound connections for communications

18
Key Features and Limitations
  • Can be used as reconnaissance probes
  • Effective mechanism for communicating with
    authors despite many firewalls
  • Currently an agent's behavior is limited to what
    was pre-programmed

19
The Caligula Virus
  • Also known as W97M/Caligula
  • Microsoft Word-based macro virus
  • Discovered around January 1999
  • Transmitted the victim's PGP secret keyring file
    (secring.skr) to the author

20
Espionage Tactics
  • Used the built-in ftp.exe client to transmit the
    information to the author
  • Used outbound sessions for communications
  • Bypassed many firewalls because the connections
    were initiated from inside

21
The Marker Virus
  • Also known as W97M/Marker
  • Discovered around April 1999
  • Recorded date and time of infection, plus the
    victim's personal information
  • Most likely developed by the CodeBreakers group

22
Espionage Tactics
  • Implementation characteristics similar to
    Caligula
  • Realization of the "bright future" of
    espionage-enabled viruses
  • Allowed the author to study relationships between
    people at the target organization
  • Helpful for precisely targeting attacks

23
The Groov Virus
  • Also known as W97M/Groov.a
  • Discovered around May 1998
  • Uploaded the victim's network configuration to an
    external site
  • Attempted to overwhelm a vendor's site with
    network configuration reports

24
Espionage Tactics
  • Used the built-in ipconfig.exe command to collect
    network configuration
  • Used the built-in ftp.exe client for the outbound
    transfer
  • Helpful for getting an insider's view of the
    network
  • Can be correlated with external scans
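
The Caligula and Groov tactics above share one host-side signature: a Word macro driving a built-in command-line tool (ftp.exe for the outbound transfer, ipconfig.exe for the network survey). The following is an added example, not part of the original slides, of a detector that flags Office applications spawning such utilities in process-creation telemetry. The key=value log format, the field names and the sample events are constructed for this example; real telemetry (Sysmon, an EDR agent) has its own schema, and the "-s:" script-file heuristic for ftp.exe is an assumption about how such macros typically drive the client.

```python
"""Flag Office applications spawning network and recon utilities.

Added example (not from the slides). Event lines use a constructed
key=value format, not any product's real schema.
"""
import ntpath
import re

# Parents that should essentially never launch command-line network tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children the macro viruses discussed above relied on, with the reason a
# launch from Office is suspicious. cmd.exe is included because macros
# often reach the same tools indirectly through a shell.
SUSPECT_CHILDREN = {
    "ftp.exe": "outbound file transfer (Caligula-style exfiltration)",
    "ipconfig.exe": "network configuration recon (Groov-style)",
    "cmd.exe": "shell launched from a document",
}

# key=value pairs; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed process-creation record into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def exe_name(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return an alert dict for a suspicious parent/child pair, else None."""
    parent = exe_name(event.get("parent", ""))
    child = exe_name(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPECT_CHILDREN:
        return None
    reason = SUSPECT_CHILDREN[child]
    cmdline = event.get("cmdline", "").lower()
    # ftp.exe driven from a script file (-s:) is non-interactive: a user at
    # the keyboard rarely does this, a macro almost always does (assumption).
    if child == "ftp.exe" and "-s:" in cmdline:
        reason += "; scripted, non-interactive session"
    return {"ts": event.get("ts"), "host": event.get("host"),
            "parent": parent, "child": child, "reason": reason}


def analyze(lines):
    """Run classify() over raw log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    r'ts=1999-01-12T09:14:02 host=WS17 user=alice parent=C:\MSOffice\Winword.exe image=C:\WINDOWS\ftp.exe cmdline="ftp -s:C:\TEMP\f.txt"',
    r'ts=1999-05-03T11:02:40 host=WS22 user=bob parent=C:\MSOffice\Winword.exe image=C:\WINDOWS\ipconfig.exe cmdline="ipconfig /all"',
    r'ts=1999-05-03T11:05:10 host=WS22 user=bob parent=C:\WINDOWS\Explorer.exe image=C:\WINDOWS\ftp.exe cmdline="ftp ftp.example.com"',
    r'ts=1999-05-04T08:30:00 host=WS09 user=carol parent=C:\MSOffice\Excel.exe image=C:\WINDOWS\cmd.exe cmdline="cmd /c ipconfig > c:\temp\n.txt"',
    r'ts=1999-05-04T08:31:00 host=WS09 user=carol parent=C:\MSOffice\Winword.exe image=C:\WINDOWS\notepad.exe cmdline="notepad"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]}: {a["parent"]} -> {a["child"]}: {a["reason"]}')
```

The third sample (ftp.exe launched from Explorer by a user) is deliberately not flagged: the signal is the parent process, not the tool itself, which keeps the rule quiet on ordinary administrative use.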

25
Relevance to Advanced Agents
  • Use outbound traffic for communications
  • Obtain personal and relationship information for
    precise targeting
  • Obtain network information to help reconnaissance
    efforts

26
Advanced Attributes Summary
  • Propagate via open channels or aggressive
    vulnerability exploitation
  • Use outbound channels for communication
  • Gather an insider's perspective of the
    infrastructure
  • Need to remotely control an agent's behavior

27
Remotely Controlled Agents
28
General Attributes
  • Back Orifice and NetBus trojans
  • Provide full control over the victim's host
  • Comprised of client and server modules
  • Server modules infect victim hosts
  • Client modules send remote commands
  • Infiltrate via open channels

29
Key Features and Limitations
  • Server modules are very stealthy
  • Level of control is thorough and expandable
  • The client must locate the server module before
    it can control the victim
  • Typically controlled via traffic that is inbound
    from the server module's perspective, which
    perimeter filtering can block

30
Back Orifice
  • Original version released August 1998; Back
    Orifice 2000 (BO2K) followed in July 1999
  • Created by Cult of the Dead Cow
  • Much functionality similar to standard remote
    administration tools
  • Classification often depends on intended use

31
Native Capabilities
  • Keystroke, video, audio capture
  • File share management
  • File and registry access
  • Cached password retrieval
  • Port redirection
  • Process control
  • Many other capabilities

32
Enhancement Capabilities
  • Provides plug-in API support
  • Communication channel encryption
  • Server component location announcement via
    outbound IRC
  • Many other capabilities

33
NetBus
  • Original version released March 1998 "to have
    some fun with his/her friends"
  • NetBus 2.0 Pro, February 1999, marketed as a
    remote administration and spy tool
  • The new version required physical access to
    install the stealthy server component, but
    unofficial restriction-free versions exist

34
Remote Control Capabilities
  • Functionality similar to Back Orifice
  • Also supports plug-ins, but not as popular among
    developers as Back Orifice
  • Primitively controls multiple server components
    from single client module, but not in parallel

35
Relevance to Advanced Agents
  • Operate agents in stealthy mode to minimize
    chances of discovery
  • Offer extensive remote controlling functionality
  • Support enhancements to native features via
    plug-ins

36
Advanced Attributes Summary
  • Propagate via open channels or aggressive
    vulnerability exploitation
  • Use outbound channels for communication
  • Gather an insider's perspective of the
    infrastructure

37
Advanced Attributes Summary
  • Provide stealthy and extensible remote-control
    functionality
  • Need to control multiple agents from a single
    point

38
Coordinated Attack Agents
39
General Attributes
  • Trinoo and Tribe Flood Network
  • Disrupt normal system functions via network
    floods
  • Attacker controls several client modules
    (masters), each controlling multiple attack
    servers (daemons)
  • Networks are scanned for vulnerable hosts and
    attack agents are planted on them

40
Key Features and Limitations
  • Client as well as server modules run on
    compromised machines
  • Attacker further removed from target
  • Agents are typically spread across hosts beyond
    the administrative control of any single entity
  • Single purpose, designed specifically for
    denial-of-service attacks

41
Trinoo
  • Discovered on compromised Solaris systems in
    August 1999
  • Initial testing dates back to June 1999
  • First Windows version February 2000
  • Attacks via UDP packet flood

42
Coordination Mechanisms
  • Attacker connects to the client module (master)
    by telnet to a specific TCP port (27665 by
    default) and authenticates with a password
  • If another connection attempt arrives during an
    ongoing session, the master warns the attacker
  • Password-based access control for communication
    between all nodes; the passwords are compiled
    into the binaries

43
Coordination Mechanisms
  • Master relays commands to the server modules
    (daemons) via a proprietary text-based protocol
    over UDP (to port 27444 on the daemons; daemons
    reply to port 31335 on the master)
  • For example, the dos command sent to the master
    is relayed to the daemons as an aaa command
    carrying the target address
  • Attack terminated via timeout or the mdie command
    to the master (relayed to the daemons as d1e)
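
Slides 42 and 43 describe the two hops of trinoo's control path. The block below is an added example, not from the slides and not trinoo's own code, that models that path as a detector over flow records: it recognizes the attacker-to-master session, the master-to-daemon relay and the daemon replies, and rebuilds the master/daemon topology from what it sees. The default ports (TCP 27665, UDP 27444, UDP 31335), the command words and the two passwords are the ones documented in David Dittrich's 1999 analysis of trinoo; the flow records, addresses and the record format are constructed.

```python
"""Recognize trinoo control traffic in flow records and map its topology.

Added example, not part of the slides. Ports, command words and
passwords follow Dittrich's published trinoo analysis; the sample
flows below are constructed.
"""
import re
from collections import defaultdict

ATTACKER_TO_MASTER_TCP = 27665   # attacker telnets here to reach the master
MASTER_TO_DAEMON_UDP = 27444     # master relays commands to daemons here
DAEMON_TO_MASTER_UDP = 31335     # daemons announce/reply to the master here

MASTER_PASSWORD = "betaalmostdone"
# Commands the attacker types at the master prompt.
MASTER_CMD_RE = re.compile(r"^(dos|mdos|mdie|mping|mtimer|bcast|msize|die|quit|info)\b")
# Relayed form is "<cmd> <password> [args]"; the daemon password was "l44adsl".
DAEMON_CMD_RE = re.compile(r"^(aaa|bbb|shi|png|d1e|rsz|xyz)\s+\S+")
DAEMON_REPLIES = {"*HELLO*", "PONG"}


def classify_flow(flow):
    """Label one flow by its role in the trinoo control path, or None."""
    proto, dport = flow["proto"], flow["dport"]
    payload = flow["payload"].strip()
    if proto == "tcp" and dport == ATTACKER_TO_MASTER_TCP:
        # Port alone is weak evidence: require the login password or a
        # known master command in the session data.
        if payload == MASTER_PASSWORD or MASTER_CMD_RE.match(payload):
            return "attacker->master"
    if proto == "udp" and dport == MASTER_TO_DAEMON_UDP and DAEMON_CMD_RE.match(payload):
        return "master->daemon"
    if proto == "udp" and dport == DAEMON_TO_MASTER_UDP and payload in DAEMON_REPLIES:
        return "daemon->master"
    return None


def detect(flows):
    """Return (role, src, dst, payload) for every flow that matched."""
    hits = []
    for f in flows:
        role = classify_flow(f)
        if role:
            hits.append((role, f["src"], f["dst"], f["payload"].strip()))
    return hits


def topology(hits):
    """Rebuild attacker/master/daemon relationships from the detections."""
    masters = defaultdict(set)    # master -> daemons it talked to
    attackers = defaultdict(set)  # master -> sources that logged in
    for role, src, dst, _ in hits:
        if role == "attacker->master":
            attackers[dst].add(src)
        elif role == "master->daemon":
            masters[src].add(dst)
        elif role == "daemon->master":
            masters[dst].add(src)
    return {"masters": dict(masters), "attackers": dict(attackers)}


# Constructed flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src": "192.0.2.21", "dst": "192.0.2.10", "proto": "udp", "dport": 31335, "payload": "*HELLO*"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 27665, "payload": "betaalmostdone\r\n"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 27665, "payload": "dos 198.51.100.77\r\n"},
    {"src": "192.0.2.10", "dst": "192.0.2.21", "proto": "udp", "dport": 27444, "payload": "aaa l44adsl 198.51.100.77"},
    {"src": "192.0.2.10", "dst": "192.0.2.22", "proto": "udp", "dport": 27444, "payload": "aaa l44adsl 198.51.100.77"},
    {"src": "192.0.2.10", "dst": "192.0.2.23", "proto": "udp", "dport": 27444, "payload": "aaa l44adsl 198.51.100.77"},
    {"src": "192.0.2.30", "dst": "192.0.2.1", "proto": "udp", "dport": 53, "payload": "\x12\x34\x01\x00example"},
    {"src": "192.0.2.30", "dst": "198.51.100.9", "proto": "tcp", "dport": 27665, "payload": "GET / HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_FLOWS)
    for h in hits:
        print("%-16s %s -> %s  %r" % h)
    print(topology(hits))
```

The last sample flow uses the master's port for ordinary HTTP and is not flagged; matching on the relayed command text rather than the port is what survives an attacker who rebuilds the tool with different port numbers.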

44
Relevance to Advanced Agents
  • Control of multiple agents in coordinated manner
  • Every hop (attacker to master, master to daemon)
    is an inbound connection from the receiving
    node's perspective, so each is exposed to
    perimeter filtering
  • Master to daemon channels can be disrupted by
    blocking the high-numbered UDP ports they use,
    though those ports are compile-time constants
    that are easy to change

45
Tribe Flood Network
  • Discovered around October 1999
  • Similar to Trinoo in purpose and architecture
  • Attacks via ICMP echo, TCP SYN, UDP, and
    Smurf-style floods; also offers a root shell back
    door on the agent's host
  • Client to server module communication via ICMP
    echo reply packets

46
Coordination Mechanisms
  • Normally an ICMP echo reply is generated only in
    response to an echo request (as sent by ping)
  • TFN carries the command in the ICMP identifier
    field and its arguments in the packet data
  • Many firewalls accept ICMP echo replies without
    matching them to an outstanding echo request
  • Some network monitoring tools do not process ICMP
    traffic properly
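
Slide 46 explains why ICMP echo replies make a convenient control channel: many filters pass them without asking whether a matching echo request ever went out. The block below is an added example, not from the slides and not TFN's code: it builds and parses ICMP echo messages with a correct checksum, then implements the stateful check a firewall needs, admitting an echo reply only when it matches an outstanding request by peer, identifier and sequence number. The identifier value (456) and payload used for the "command" packet are constructed; TFN's actual command numbers are not reproduced here.

```python
"""Stateful ICMP echo matching against identifier-field covert channels.

Added example (not from the slides or TFN). Packet contents are
constructed; TFN's real command identifiers are not reproduced.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HDR = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def icmp_checksum(data):
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, ident, seq, payload=b""):
    """Serialize an echo request/reply with a valid checksum."""
    hdr = ICMP_HDR.pack(icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return ICMP_HDR.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt):
    """Parse and checksum-verify an ICMP message into the fields we key on."""
    # A message with a valid checksum sums to 0xFFFF, so the function returns 0.
    if len(pkt) < ICMP_HDR.size or icmp_checksum(pkt) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code, _, ident, seq = ICMP_HDR.unpack_from(pkt)
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[ICMP_HDR.size:]}


class StatefulIcmpFilter:
    """Admit an echo reply only when an echo request is outstanding for it."""

    def __init__(self):
        self.pending = set()   # (remote, local, id, seq) of unanswered requests

    def outbound(self, src, dst, pkt):
        p = parse_icmp(pkt)
        if p["type"] == ICMP_ECHO_REQUEST:
            self.pending.add((dst, src, p["id"], p["seq"]))
        return "allow"

    def inbound(self, src, dst, pkt):
        p = parse_icmp(pkt)
        if p["type"] != ICMP_ECHO_REPLY:
            return "allow"   # other ICMP types are out of scope for this example
        key = (src, dst, p["id"], p["seq"])
        if key in self.pending:
            self.pending.discard(key)   # one reply per request; a replay is unsolicited
            return "allow"
        return "drop:unsolicited-echo-reply"


def demo():
    """Constructed exchange: one real ping, one TFN-style command, one replay."""
    fw = StatefulIcmpFilter()
    local, peer, attacker = "192.0.2.15", "198.51.100.1", "203.0.113.9"
    req = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    rep = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")
    # Looks like a reply, but nobody asked: the identifier carries the
    # command and the data the argument (values here are made up).
    cmd = build_icmp(ICMP_ECHO_REPLY, 456, 0, b"198.51.100.77\x00")
    verdicts = [
        fw.outbound(local, peer, req),
        fw.inbound(peer, local, rep),
        fw.inbound(attacker, local, cmd),
        fw.inbound(peer, local, rep),   # replayed reply; request already answered
    ]
    return verdicts, parse_icmp(cmd)


if __name__ == "__main__":
    verdicts, command = demo()
    print(verdicts)
    print("covert command id=%d arg=%r" % (command["id"], command["payload"]))
```

A real implementation also has to expire pending entries and rate-limit per peer, but the essential point is the same: a filter that only looks at the ICMP type will pass the third packet, and one that tracks requests will not.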

47
Relevance to Advanced Agents
  • Control of multiple agents in coordinated manner
  • Exploit protocols by violating specifications
  • Follow specifications, but use protocols in
    unexpected ways
  • This forms the basis of many attacks

48
Advanced Attributes Summary
  • Propagate via open channels or aggressive
    vulnerability exploitation
  • Use outbound channels for communication
  • Gather an insider's perspective of the
    infrastructure

49
Advanced Attributes Summary
  • Provide stealthy and extensible remote-control
    functionality
  • Control multiple agents in coordinated manner
  • Employ covert techniques for communication
  • These attributes can be used to assess threat
    level of a particular agent

50
Advanced Malicious Agents
51
General Attributes
  • RingZero Trojan, Samhain Worm
  • Combine key features of other agents
  • Offer the attacker tight control over the agent's
    actions
  • Difficult to defend against without proper
    infrastructure and resources

52
The RingZero Trojan
  • Activity reports around September 1999
  • Sightings in August 1999 of e-mail messages
    offering "a really class program" as an
    attachment
  • Several variants of trojanized program
    attachments
  • Agent scanned for Web proxy servers
  • Combined attributes rarely seen in a single agent

53
Observed Behavior
  • Detailed analysis October 1999
  • Scanned for Web proxy servers via connection
    attempts to known proxy ports (TCP 80, 8080 and
    3128)
  • Proxy servers typically access Web resources on
    users' behalf
  • Used each discovered proxy to report that proxy's
    existence to an external site

54
Observed Behavior
  • Retrieved an encoded/encrypted file from two
    external sites
  • Sent a mass mailing to ICQ users from a spoofed
    address
  • Encouraged recipients to visit the "Biggest Proxy
    List" on an external site
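
Slides 53 and 54 describe two things a network can see from RingZero: an internal host probing many addresses on proxy ports, and that same host then sending proxy-style requests through whatever it found. The following is an added example, not from the slides and not RingZero's own code, of a detector for both, run over constructed connection records. The proxy ports are the three RingZero scanned (TCP 80, 8080, 3128); the threshold, the time window, the record format and the addresses are assumptions.

```python
"""Detect proxy-port scanning and follow-on proxy use from an internal host.

Added example, not from the slides. Connection records are constructed.
"""
from collections import defaultdict, deque

PROXY_PORTS = {80, 8080, 3128}   # ports RingZero probed for Web proxies
SCAN_THRESHOLD = 10               # distinct targets on proxy ports ...
SCAN_WINDOW = 60                  # ... within this many seconds (assumed values)


def detect(records):
    """Return alerts for proxy scans and for proxy use by a scanning host.

    records: dicts with ts (epoch seconds), src, dst, dport and payload
    (first bytes of client data, possibly empty), in time order.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) on proxy ports
    scanners = set()
    alerts = []
    for r in records:
        if r["dport"] not in PROXY_PORTS:
            continue
        src = r["src"]
        window = recent[src]
        window.append((r["ts"], r["dst"]))
        while window and window[0][0] < r["ts"] - SCAN_WINDOW:
            window.popleft()
        targets = {dst for _, dst in window}
        if len(targets) >= SCAN_THRESHOLD and src not in scanners:
            scanners.add(src)
            alerts.append({"type": "proxy-scan", "src": src,
                           "targets": len(targets), "ts": r["ts"]})
        # A request line with an absolute URI is what a client sends to a
        # proxy; from a host that just scanned for proxies, that is the
        # "report the proxy's existence" step.
        payload = r.get("payload", "")
        if src in scanners and payload.startswith("GET http://"):
            target = payload.split()[1].split("/")[2]
            alerts.append({"type": "proxy-use-after-scan", "src": src,
                           "proxy": r["dst"], "target": target, "ts": r["ts"]})
    return alerts


def sample_records():
    """Constructed traffic: a RingZero-like scanner plus ordinary browsing."""
    recs = []
    ports = sorted(PROXY_PORTS)
    for i in range(12):   # one internal host sweeps 12 neighbours
        recs.append({"ts": 1000 + 2 * i, "src": "10.0.0.5",
                     "dst": f"10.0.0.{100 + i}", "dport": ports[i % 3], "payload": ""})
    for i in range(3):    # a normal user browsing three sites
        recs.append({"ts": 1005 + i, "src": "10.0.0.7",
                     "dst": f"198.51.100.{20 + i}", "dport": 80,
                     "payload": "GET / HTTP/1.0\r\n"})
    recs.append({"ts": 1030, "src": "10.0.0.5", "dst": "10.0.0.111", "dport": 3128,
                 "payload": "GET http://203.0.113.7/add.cgi?p=10.0.0.111 HTTP/1.0\r\n"})
    return sorted(recs, key=lambda r: r["ts"])


if __name__ == "__main__":
    for a in detect(sample_records()):
        print(a)
```

The threshold is deliberately low because a workstation has no reason to contact ten distinct hosts on proxy ports in a minute; a vulnerability scanner or a monitoring system would, so those sources belong on an allow-list rather than in a higher threshold.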

55
Relevance to Advanced Agents
  • Propagated via open channels
  • Outbound traffic for communications
  • Gathered a view of the network from inside
  • Stealthy remote control capabilities
  • Operated in distributed manner

56
Room for improvement
  • Analysis was based on a single captured data file
  • Not especially malicious, though there were
    reports of password-stealing variants
  • No specific firewall-bypassing attributes
  • No aggressive vulnerability exploitation
  • Noisier than it needs to be

57
The Samhain Worm
  • Written by Michal Zalewski in winter 1998-1999,
    announced on Bugtraq in May 2000, never released
  • Research prototype of a "deadly harmful" Internet
    worm
  • Defined alternative set of characteristics
    desired of advanced agents

58
Desired Characteristics
  • Portability for target OS independence
  • Invisibility for stealth operation
  • Autonomy for automatic spread via built-in
    exploit database
  • Polymorphism to avoid detection

59
Desired Characteristics
  • Learning for obtaining new techniques via central
    communication channel
  • Integrity to prevent modification or destruction
  • Awareness of mission objective to perform
    specific tasks and cease activity

60
Key Implementation Details
  • Uses wormnet to get programs and updates for
    target platform
  • Supports controlled broadcasting of requests to
    wormnet members
  • Family tree passed from parent to child, used to
    control broadcasts via maximum number of wormnet
    hops

61
Key Implementation Details
  • Uses polymorphic engine and encryption to avoid
    constant strings
  • Intercepts system calls when root, as well as
    other techniques to hide
  • Uses exploits unknown at the time, sorted by
    scope and effectiveness
  • Victims chosen via active connection monitoring
    and qualifying attributes

62
Relevance to Advanced Agents
  • Detailed design and implementation details, plus
    code fragments provided
  • Suggests a gradual attack: propagate harmlessly
    first, then push the harmful update
  • Designed specifically to maximize potential harm
    and difficulty of eradication

63
Threat of Malicious Agents
64
Advanced Agents
  • Advanced agents are especially dangerous because
    of features combined into a single package
  • Stealth operation, firewall traversal, and
    coordination are particularly powerful
  • Feature sets and experimental nature of agents
    suggest active development

65
Assessing the Threat
  • Defense techniques depend on priorities and
    technologies of the organization
  • Use a structured framework to assess threat of
    particular agents
  • Analyze extent of advanced attributes, assign
    weight, react appropriately
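
Slides 65 and 66 propose scoring agents against the attribute framework built up through the talk. The block below is an added example, not the author's matrix (which is not in this transcript), that operationalizes it: the attribute set is the one the "Advanced Attributes Summary" slides accumulate, the per-agent marks are read from the earlier slides, and the weights and the control-to-attribute mitigation map are assumptions meant to be replaced by an organization's own priorities.

```python
"""Weighted threat scoring against the malicious-agent attribute framework.

Added example. Attributes follow the deck's summary slides; weights and
the mitigation map are assumed values, not the author's.
"""

# Attribute -> weight. Slide 64 singles out stealth, firewall traversal
# (open inbound channel plus outbound communication) and coordination, so
# those are weighted highest here (assumed values).
WEIGHTS = {
    "open_channel": 2,        # propagates via open channels (e-mail, Web)
    "aggressive_exploit": 2,  # replicates by exploiting known vulnerabilities
    "outbound_comms": 2,      # talks to the attacker over outbound connections
    "insider_view": 1,        # gathers an insider's view of the network
    "remote_control": 3,      # stealthy, extensible remote control
    "coordinated": 3,         # many agents driven from a single point
    "covert_comms": 2,        # protocol abuse to hide the control channel
}

# Which attributes each agent exhibits, as stated on the earlier slides.
AGENTS = {
    "Morris Worm": {"aggressive_exploit"},
    "Melissa": {"open_channel"},
    "Caligula": {"open_channel", "outbound_comms"},
    "Groov": {"open_channel", "outbound_comms", "insider_view"},
    "Back Orifice": {"open_channel", "remote_control"},
    "Trinoo": {"aggressive_exploit", "coordinated"},
    "Tribe Flood Network": {"aggressive_exploit", "coordinated", "covert_comms"},
    "RingZero": {"open_channel", "outbound_comms", "insider_view",
                 "remote_control", "coordinated"},
}

# Defensive control -> attributes it substantially mitigates (assumed map).
MITIGATES = {
    "content_filtering": {"open_channel"},
    "patch_management": {"aggressive_exploit"},
    "egress_filtering": {"outbound_comms"},
    "host_monitoring": {"remote_control", "insider_view"},
    "stateful_perimeter": {"covert_comms", "coordinated"},
}


def score(attrs):
    """Sum the weights of the attributes an agent exhibits."""
    unknown = set(attrs) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    return sum(WEIGHTS[a] for a in attrs)


def rank(agents=AGENTS):
    """Agents ordered from most to least threatening under WEIGHTS."""
    return sorted(((name, score(a)) for name, a in agents.items()),
                  key=lambda x: (-x[1], x[0]))


def residual(attrs, controls):
    """Score after removing the attributes the deployed controls mitigate."""
    covered = set().union(*(MITIGATES[c] for c in controls))
    return score(set(attrs) - covered)


def best_next_control(attrs, controls):
    """Not-yet-deployed control that most reduces this agent's residual score."""
    current = residual(attrs, controls)
    options = [(current - residual(attrs, controls | {c}), c)
               for c in MITIGATES if c not in controls]
    if not options:
        return None, 0
    gain, control = max(options, key=lambda o: o[0])
    return control, gain


if __name__ == "__main__":
    for name, s in rank():
        print(f"{s:2d}  {name}")
    deployed = {"egress_filtering"}
    print("RingZero residual with", sorted(deployed), "=",
          residual(AGENTS["RingZero"], deployed))
    print("best next control:", best_next_control(AGENTS["RingZero"], deployed))
```

Whether RingZero or Tribe Flood Network comes out on top depends entirely on the weights, which is the point of slide 65: the framework fixes the attributes to look for, and the organization supplies the priorities.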

66
Malicious Agents Attributes
  • Matrix summarizes key attributes of agents in
    terms of presented framework
  • The Samhain Worm not included because of slightly
    different feature set
  • Refer to earlier slides for discussion of items
    in the matrix
  • Use for future reference

67
(Attribute matrix slide; no text captured in the transcript)
68
The End
  • Please e-mail lenny@zeltser.com with any
    questions or comments
  • See http://www.zeltser.com/agents for electronic
    copies of this material
  • Please fill out evaluation forms