DOC PREVIEW
UT CS 378 - Malware - Viruses and Rootkits

slide 1
Vitaly Shmatikov
CS 361S
Malware: Viruses and Rootkits

slide 2 Malware
Malicious code often masquerades as good software or attaches itself to good software
Some malicious programs need host programs
• Trojan horses (malicious code hidden in a useful program), logic bombs, backdoors
Others can exist and propagate independently
• Worms, automated viruses
Many infection vectors and propagation methods
Modern malware often combines trojan, rootkit, and worm functionality

slide 3 Computer Backdoors circa 1958
AN/FSQ-7 air defense intercept computer
• Largest computer ever built
• 50,000 vacuum tubes, 275 tons, 3 MW of power, half an acre of floor space
“Hula Girl” diagnostic program
• If you pointed the light gun at her navel and pulled the trigger, her skirt would fall off

slide 4 “Reflections on Trusting Trust”
Ken Thompson’s 1983 Turing Award lecture
1. Added a backdoor-opening Trojan to the login program
2. Anyone looking at the source code would see this, so he changed the compiler to add the backdoor at compile time
3. Anyone looking at the compiler source code would see this, so he changed the compiler to recognize when it is compiling a new compiler and to insert the Trojan into it
“The moral is obvious. You can’t trust code you did not totally create yourself. (Especially code from companies that employ people like me).”

slide 5 Viruses
A virus propagates by infecting other programs
• It automatically creates copies of itself, but to propagate, a human has to run an infected program
• Self-propagating viruses are often called worms
Many propagation methods
• Insert a copy into every executable (.COM, .EXE)
• Insert a copy into the boot sectors of disks
– PC era: the “Stoned” virus infected PCs booted from infected floppies, stayed resident in memory, and infected every floppy inserted afterwards
• Infect common OS routines, stay in memory

slide 6 First Virus: Creeper
Written in 1971 at BBN
Infected DEC PDP-10 machines running the TENEX OS
Jumped from machine to machine over the ARPANET
• Copied its state over, tried to delete the old copy
Payload: displayed the message “I’m the creeper, catch me if you can!”
Later, Reaper was written to hunt down Creeper
http://history-computer.com/Internet/Maturing/Thomas.html

slide 7 Polymorphic Viruses
Encrypted viruses: a constant decryptor followed by the encrypted virus body
Polymorphic viruses: each copy creates a new random encryption of the same virus body
• A new key alone is not enough: if the decryptor code stays constant, the decryptor itself can be detected by signature, so a polymorphic engine mutates the decryptor as well (slide 9)
• Historical note: the “Crypto” virus decrypted its body by brute-force key search to avoid explicit decryptor code

slide 8 Virus Detection
Simple anti-virus scanners
• Look for signatures (fragments of known virus code)
• Heuristics for recognizing code associated with viruses
– Example: polymorphic viruses often use decryption loops
• Integrity checking to detect file modifications
– Keep track of file sizes, checksums, or keyed MACs (e.g., HMAC) of file contents; unlike a plain checksum, a keyed MAC cannot be recomputed by the infecting code without the key
Generic decryption and emulation
• Emulate CPU execution for a few hundred instructions, then recognize the known virus body after it has been decrypted
• Does not work very well against viruses with mutating bodies or against viruses not located near the beginning of the infected executable

slide 9 Virus Detection by Emulation
[Figure: the virus body is paired with a randomly generated key and the corresponding decryptor code, yielding mutations A, B and C; each mutation decrypts and executes the same body]
To detect an unknown mutation of a known virus, emulate CPU execution of the suspect code until the current sequence of instruction opcodes matches the known sequence for the virus body

slide 10 Metamorphic Viruses
Obvious next step: mutate the virus body, too
Apparition: an early Win32 metamorphic virus
• Carries its own source code (which contains useless junk)
• Looks for a compiler on the infected machine
• Changes the junk in its source and recompiles itself
• The new binary copy looks different!
Mutation is common in macro and script viruses
• A macro is an executable program embedded in a word-processing document (MS Word) or spreadsheet (Excel)
• Macros and scripts are usually interpreted, not compiled

slide 11 Obfuscation and Anti-Debugging
Common in all kinds of malware
Goal: prevent code analysis and signature-based detection, foil reverse engineering
Code obfuscation and mutation
• Packed binaries, hard-to-analyze code structures
• Different code in each copy of the virus
– The effect of executing the code is the same, but this is difficult to detect by passive/static analysis (deciding whether two programs have the same effect is undecidable in general)
Detect debuggers and virtual machines, terminate execution

slide 12 Mutation Techniques
Real Permutating Engine (RPME), ADMutate, etc.
Large arsenal of obfuscation techniques
• Instructions reordered, branch conditions reversed, different register names, different subroutine order
• Jumps and NOPs inserted in random places
• Garbage opcodes inserted in unreachable code areas
• Instruction sequences replaced with other instructions that have the same effect but different opcodes
– Mutate SUB EAX, EAX into XOR EAX, EAX (both zero EAX), or MOV EBP, ESP into PUSH ESP; POP EBP
There is no constant, recognizable virus body

slide 13 Example of Zperm Mutation
[Figure] From Szor and Ferrie, “Hunting for Metamorphic”

slide 17 Detour: Skype [Biondi and Desclaux]
slide 18 Skype: Code Integrity Checking [Biondi and Desclaux]
slide 19 Skype: Anti-Debugging [Biondi and Desclaux]
slide 20 Skype: Control Flow Obfuscation (1) [Biondi and Desclaux]
slide 21 Skype: Control Flow Obfuscation (2) [Biondi and Desclaux]

slide 22 Propagation via Websites
Websites with popular content
• Games: 60% of websites contain executable content, one-third contain at least one malicious executable
• Celebrities, adult content, everything except news
– Malware in 20% of search results for “Jessica Biel” (2009 McAfee study)
Most popular sites with malicious content (Oct 2005): most are variants of the same few adware applications [Moshchuk et al.]

slide 23 [figure only]

slide 24 Drive-By Downloads
Websites “push” malicious executables to the user’s browser with inline JavaScript or pop-up windows
• A naive user may click “Yes” in the dialog box
Can install malicious software automatically by exploiting bugs in the user’s browser
• 1.5% of URLs: Moshchuk et al. study
• 5.3% of URLs: “Ghost Turns Zombie”
• 1.3% of Google queries: “All Your iFRAMEs Point to Us”
Many
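The following is an added worked example for slides 7 to 9 above, not code from the lecture or from any real virus or scanner. It builds a toy "infected file" whose decryptor stub is re-generated per copy (new key, junk NOPs, commuting instructions), shows that a byte-signature scan over the raw file finds nothing, and then applies generic decryption: emulate the stub on a sandboxed toy CPU and scan the decrypted image. The bytecode VM, its opcode numbers, the rolling-key XOR scheme, the "virus body" string and the signature fragment are all invented here for illustration and stand in for real x86 code.

```python
"""Toy polymorphic decryptor vs. signature scan vs. generic decryption.

Constructed for illustration: the 'virus body', the bytecode VM and its opcodes
stand in for real x86 code; none of this comes from the lecture slides."""
import random

# Constructed stand-in for the virus body and for the fragment a scanner keys on.
VIRUS_BODY = bytes.fromhex("558bec83ec40") + b"I'm the creeper, catch me if you can!"
SIGNATURE = b"catch me if you can"

# Toy VM: one-byte opcodes, little-endian operands where present.
MOVK, MOVLEN, MOVPTR, XORB, INC, ADDK, DEC_JNZ, NOP, END = range(1, 10)
INSN_SIZE = {MOVK: 2, MOVLEN: 3, MOVPTR: 3, XORB: 1, INC: 1, ADDK: 2, DEC_JNZ: 2, NOP: 1, END: 1}


def encrypt(body, key, delta):
    """Rolling-key XOR: byte i is XORed with (key + i*delta) mod 256."""
    return bytes(b ^ ((key + i * delta) & 0xFF) for i, b in enumerate(body))


def make_sample(rng, mutate=True):
    """One infected 'file': decryptor stub + encrypted body.

    Every copy draws a fresh key/delta.  With mutate=True the stub itself is also
    varied (junk NOPs, commuting INC/ADDK), as a polymorphic engine does; with
    mutate=False only the operands change and the opcode skeleton stays constant."""
    key, delta = rng.randrange(256), rng.randrange(1, 256)
    tail = [bytes([ADDK, delta]), bytes([INC])]
    if mutate:
        rng.shuffle(tail)                        # INC and ADDK commute
    loop = [bytes([XORB])] + tail                # XORB must see the current key first
    if mutate:
        for _ in range(rng.randrange(1, 4)):     # sprinkle 1-3 junk NOPs anywhere
            loop.insert(rng.randrange(len(loop) + 1), bytes([NOP]))
    loop_code = b"".join(loop)
    # DEC_JNZ's operand is a signed byte relative to the instruction after it.
    jump = bytes([DEC_JNZ, (-(len(loop_code) + 2)) & 0xFF])
    prologue_len = INSN_SIZE[MOVK] + INSN_SIZE[MOVLEN] + INSN_SIZE[MOVPTR]
    body_off = prologue_len + len(loop_code) + len(jump) + INSN_SIZE[END]
    prologue = (bytes([MOVK, key])
                + bytes([MOVLEN]) + len(VIRUS_BODY).to_bytes(2, "little")
                + bytes([MOVPTR]) + body_off.to_bytes(2, "little"))
    return prologue + loop_code + jump + bytes([END]) + encrypt(VIRUS_BODY, key, delta)


def emulate(sample, max_steps=100_000):
    """Generic decryption: run the stub on a toy CPU over a private copy of the
    sample and return the memory image once it halts (or the step budget ends)."""
    mem = bytearray(sample)
    pc = key = cnt = ptr = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == MOVK:
            key = mem[pc + 1]
        elif op == MOVLEN:
            cnt = int.from_bytes(mem[pc + 1:pc + 3], "little")
        elif op == MOVPTR:
            ptr = int.from_bytes(mem[pc + 1:pc + 3], "little")
        elif op == XORB:
            mem[ptr] ^= key
        elif op == INC:
            ptr += 1
        elif op == ADDK:
            key = (key + mem[pc + 1]) & 0xFF
        elif op == DEC_JNZ:
            cnt -= 1
            if cnt:                              # taken branch: relative jump back
                pc += int.from_bytes(mem[pc + 1:pc + 2], "little", signed=True)
        elif op == END:
            break
        elif op != NOP:
            break                                # unknown opcode: stop, scan what we have
        pc += INSN_SIZE[op]
    return bytes(mem)


def opcode_skeleton(sample):
    """Decryptor stub's opcode sequence with operands dropped: the constant
    pattern a scanner can match when the decryptor is NOT mutated (slide 7)."""
    pc, ops = 0, []
    while sample[pc] != END:
        ops.append(sample[pc])
        pc += INSN_SIZE[sample[pc]]
    return bytes(ops)


def static_scan(sample):
    """Naive signature scan over the raw file."""
    return SIGNATURE in sample


def emulating_scan(sample):
    """Generic decryption: emulate first, then scan the decrypted image (slide 9)."""
    return SIGNATURE in emulate(sample)


def recovered_body(seed=1, mutate=True):
    """Body bytes as they appear in memory after emulating one copy."""
    return emulate(make_sample(random.Random(seed), mutate))[-len(VIRUS_BODY):]


def demo(seed=7, copies=5, mutate=True):
    rng = random.Random(seed)
    samples = [make_sample(rng, mutate) for _ in range(copies)]
    return {
        "all_distinct": len(set(samples)) == copies,
        "static_hits": sum(map(static_scan, samples)),
        "emulated_hits": sum(map(emulating_scan, samples)),
        "distinct_stub_skeletons": len({opcode_skeleton(s) for s in samples}),
    }


if __name__ == "__main__":
    print("polymorphic stub:", demo(mutate=True))
    print("constant stub   :", demo(mutate=False))
```

Running demo(mutate=True) shows the slide 8 split: static_scan misses every copy because the body bytes differ per key, while emulating_scan recovers the identical body in all of them. Running demo(mutate=False) shows the slide 7 caveat: with an un-mutated decryptor, opcode_skeleton is the same for every copy and is itself a usable signature. Neither scanner would survive a metamorphic body that rewrites itself after decryption, which is the step slide 10 takes next.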

