UCSB CS 290 - Malicious Code

This preview shows pages 1-3, 24-27 and 49-51 of 51.
CS 290: Host-based Security and Malware
Christopher Kruegel, [email protected]

Overview
• Introduction to malicious code
  – taxonomy, history, life cycle
• Virus
  – infection strategies, armored viruses, detection
• Worms
  – email- and exploit-based worms, spreading strategies
• Trojan horses
  – key loggers, rootkits, botnets, spyware
  – demos that demonstrate the danger of malicious code on a local host

Introduction
• Malicious Code (Malware)
  – software that fulfills the malicious intent of its author
  – term often used as equivalent to "virus" (due to media coverage)
  – however, many different types exist
  – classic viruses account for only 3% of malware in the wild
• Virus - Definition
  A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed

Taxonomy
• Virus
  – self-replicating, infects files (thus requires a host)
• Worm
  – self-replicating, spreads over the network
  • Interaction-based worms (B[e]agle, Netsky, Sobig)
    – spreading requires human interaction
    – double-click and execute extension
    – follow link to download executable
  • Process-based worms (Code Red, Blaster, Slammer)
    – require no human interaction
    – exploit a vulnerability in a network service

Reasons for Malware Prevalence
• Mixing data and code
  – violates an important design property of secure systems
  – unfortunately very frequent
• Homogeneous computing base
  – Windows is just a very tempting target
• Unprecedented connectivity
  – easy to attack from the safety of home
• Clueless user base
  – many targets available
• Malicious code has become profitable
  – compromised computers can be sold (e.g., spam, DoS, banking)

Virus Lifecycle
• Lifecycle
  – reproduce, infect, run payload
• Reproduction phase
  – viruses balance infection against the possibility of detection
  – a variety of techniques may be used to hide viruses
• Infection phase
  – difficult to predict when infection will take place
  – many viruses stay resident in memory (TSR or process)
• Attack phase
  – e.g., deleting files, changing random data on disk
  – viruses often have bugs (poor coding), so damage can be done even unintentionally
    • Stoned virus expected 360K floppies, corrupted sectors

Infection Strategies
• Boot viruses
  – master boot record (MBR) of hard disk (first sector on disk)
  – boot sector of partitions
  – e.g., Pakistani Brain virus
  – rather old, but interest is growing again
    • diskless workstations, virtual machine virus (SubVirt)
    • MebRoot
• File infectors
  – simple overwrite virus (damages the original program)
  – parasitic virus
    • append virus code and modify the program entry point
  – cavity virus
    • inject code into unused regions of program code

Infection Strategies (cont.)
• Entry Point Obfuscation
  – virus scanners quickly learned to search around the entry point
  – virus hijacks control later (after the program is launched)
  – overwrite import table addresses
  – overwrite function call instructions
• Code Integration
  – merge virus code with the program
  – requires disassembly of the target
    • difficult task on x86 machines
  – W95/Zmist is a classic example of this technique

Macro Viruses
• Many modern applications support macro languages
  – Microsoft Word, Excel, Outlook
  – macro language is powerful
  – embedded macros are automatically executed on load
  – mail app. with Word as an editor
  – mail app. with Internet Explorer to render HTML
• Quote shown on the slide: "I made this program to all those people who want to write Word 2000 virii, but don't know what the hell to do."

Virus Defense
• Antivirus Software
  – workhorse is signature-based detection
    • database of byte-level or instruction-level signatures that match the virus
    • wildcards can be used, regular expressions
  – heuristics (check for signs of infection)
    • code execution starts in the last section
    • incorrect header size in the PE header
    • suspicious code section name
    • patched import address table
• Sandboxing
  – run untrusted applications in a restricted environment
  – simplest variation: do not run as Administrator

Tunneling and Camouflage Viruses
• To minimize the probability of being discovered, a virus can use a number of different techniques
• A tunneling virus attempts to bypass antivirus programs
  – idea is to follow the interrupt chain back down to the basic operating system or BIOS interrupt handlers
  – install the virus there
  – virus is "underneath" everything, including the checking program
• In the past, it was possible for a virus to spoof a scanner by camouflaging itself to look like something the scanner was programmed to ignore
  – false alarms of scanners make "ignore" rules necessary

Polymorphism and Metamorphism
• Polymorphic viruses
  – change layout (shape) with each infection
  – payload is encrypted, using a different key for each infection
  – makes static string analysis practically impossible
  – of course, the encryption routine must be changed as well; otherwise, detection is trivial
• Metamorphic techniques
  – create different "versions" of code that look different but have the same semantics (i.e., do the same)

Chernobyl (CIH) Virus
  5B 00 00 00 00    pop ebx
  8D 4B 42          lea ecx, [ebx + 42h]
  51                push ecx
  50                push eax
  50                push eax
  0F 01 4C 24 FE    sidt [esp - 02h]
  5B                pop ebx
  83 C3 1C          add ebx, 1Ch
  FA                cli
  8B 2B             mov ebp, [ebx]

  Byte-level signature taken from the listing:
  5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 FE 5B 83 C3 1C FA 8B 2B
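As an added example (not code from the lecture), the following scanner implements the byte-level, wildcard-capable signature matching described on the Virus Defense slide, using the CIH byte string shown on the slide above as its sample signature. The "??" (any one byte) and "{n-m}" (n to m arbitrary bytes) wildcard syntax is an assumption modelled on ClamAV-style signatures, and the scanned buffer is constructed for the demonstration.

```python
import re

# Signature built from the CIH byte listing on the slide; the "??" replaces the
# sidt displacement byte (0xFE) so a single-byte variation still matches.
# Assumption: "??" = any one byte, "{n-m}" = between n and m arbitrary bytes.
SIGNATURES = {
    "CIH": "5B 00 00 00 00 8D 4B 42 51 50 50 0F 01 4C 24 ?? 5B 83 C3 1C FA 8B 2B",
}

_GAP = re.compile(r"\{(\d+)-(\d+)\}")


def compile_signature(sig):
    """Translate a hex signature with wildcards into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        gap = _GAP.fullmatch(tok)
        if tok == "??":
            parts.append(b".")                                # any single byte
        elif gap:
            lo, hi = gap.groups()
            parts.append((".{%s,%s}" % (lo, hi)).encode())    # variable-length gap
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))    # literal byte
    # DOTALL so "." also matches 0x0A: we scan raw bytes, not text lines.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, signatures=SIGNATURES):
    """Return a list of (signature name, offset) for every hit in buf."""
    hits = []
    for name, sig in signatures.items():
        for m in compile_signature(sig).finditer(buf):
            hits.append((name, m.start()))
    return hits


if __name__ == "__main__":
    # Constructed sample: NOP padding, the slide's byte string, INT3 padding.
    body = bytes.fromhex("5B000000008D4B425150500F014C24FE5B83C31CFA8B2B")
    sample = b"\x90" * 16 + body + b"\xCC" * 8
    print(scan(sample))  # [('CIH', 16)]
```

A real engine keeps the compiled patterns rather than recompiling per scan and, as the Polymorphism slide explains, a signature like this only catches the unencrypted, unmodified decryptor; a per-infection key defeats plain string matching.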