Malware: Viruses and RootkitsMalwareComputer Backdoors circa 1958“Reflections on Trusting Trust”VirusesFirst Virus: CreeperPolymorphic VirusesVirus DetectionVirus Detection by EmulationMetamorphic VirusesObfuscation and Anti-DebuggingMutation TechniquesExample of Zperm MutationDetour: SkypeSkype: Code Integrity CheckingSkype: Anti-DebuggingSkype: Control Flow Obfuscation (1)Skype: Control Flow Obfuscation (2)Propagation via WebsitesSlide 23Drive-By DownloadsObfuscated JavaScript“Ghost in the Browser”Compromised Web ServersRedirection Using .htaccessUser-Contributed ContentTrust in Web AdvertisingExample of an Advertising ExploitAnother Advertising ExploitNot a Theoretical ThreatThird-Party WidgetsExploitation VectorsSocial EngineeringFake AntivirusRootkitsReal-Life ExamplesFunction HookingKernel RootkitsMebroot (Windows)Detecting Rootkit’s PresenceRemote Administration ToolsCommunicating Via BackdoorsByzantine HadesNight DragonRAT CapabilitiesWho Was Behind Night Dragon?Slide 51Slide 52Who Was Behind the RSA Attack?LuckycatSlide 55Aurora AttacksIt All Starts with an Email…Aurora Exploit (1)Aurora Exploit (2)Aurora Exploit (3)Aurora Exploit (4)Aurora TricksSony XCP RootkitCast of CharactersDRM: Digital Rights ManagementActive ProtectionDefeating Active ProtectionXCP Rootkit: MotivationXCP Rootkit: DiscoveryNormal Windows OperationXCP Rootkit OperationXCP Rootkit: OperationUsing XCP for Fun and ProfitUninstalling XCPRepurposing XCP Uninstallerslide 1Vitaly ShmatikovCS 361SMalware: Viruses and Rootkitsslide 2MalwareMalicious code often masquerades as good software or attaches itself to good softwareSome malicious programs need host programs•Trojan horses (malicious code hidden in a useful program), logic bombs, backdoorsOthers can exist and propagate independently•Worms, automated virusesMany infection vectors and propagation methodsModern malware often combines trojan, rootkit, and worm functionalityslide 3Computer Backdoors circa 1958AN/FSQ-7 air defense intercept computer•Largest computer ever built•50,000 vacuum tubes, 275 tons, 3 MWatt of power, ½ acre of floor space“Hula Girl” diagnostic program•If you pointed the light gun at her navel and pulled the trigger, her skirt would fall ofslide 4“Reflections on Trusting Trust”Ken Thompson’s 1983 Turing Award lecture1. Added a backdoor-opening Trojan to login program2. Anyone looking at source code would see this, so changed the compiler to add backdoor at compile-time3. Anyone looking at compiler source code would see this, so changed the compiler to recognize when it’s compiling a new compiler and to insert Trojan into it“The moral is obvious. You can’t trust code you did not totally create yourself. (Especially code from companies that employ people like me).”slide 5VirusesVirus propagates by infecting other programs•Automatically creates copies of itself, but to propagate, a human has to run an infected program•Self-propagating viruses are often called wormsMany propagation methods•Insert a copy into every executable (.COM, .EXE)•Insert a copy into boot sectors of disks–PC era: “Stoned” virus infected PCs booted from infected floppies, stayed in memory, infected every inserted floppy•Infect common OS routines, stay in memoryslide 6First Virus: CreeperWritten in 1971 at BBNInfected DEC PDP-10 machines running TENEX OSJumped from machine to machine over ARPANET•Copied its state over, tried to delete old copyPayload: displayed a message “I’m the creeper, catch me if you can!”Later, Reaper was written to hunt down Creeperhttp://history-computer.com/Internet/Maturing/Thomas.htmlslide 7Polymorphic VirusesEncrypted viruses: constant decryptor followed by the encrypted virus bodyPolymorphic viruses: each copy creates a new random encryption of the same virus body•Decryptor code constant and can be detected•Historical note: “Crypto” virus decrypted its body by brute-force key search to avoid explicit decryptor codeslide 8Virus DetectionSimple anti-virus scanners•Look for signatures (fragments of known virus code)•Heuristics for recognizing code associated with viruses–Example: polymorphic viruses often use decryption loops•Integrity checking to detect file modifications–Keep track of file sizes, checksums, keyed HMACs of contentsGeneric decryption and emulation•Emulate CPU execution for a few hundred instructions, recognize known virus body after it has been decrypted•Does not work very well against viruses with mutating bodies and viruses not located near beginning of infected executableslide 9Virus Detection by EmulationVirus bodyRandomly generates a new keyand corresponding decryptor codeMutation ADecrypt and executeMutation CMutation BTo detect an unknown mutation of a known virus ,emulate CPU execution of until the current sequence ofinstruction opcodes matches the known sequence for virus bodyslide 10Metamorphic VirusesObvious next step: mutate the virus body, tooApparition: an early Win32 metamorphic virus•Carries its source code (contains useless junk)•Looks for compiler on infected machine•Changes junk in its source and recompiles itself•New binary copy looks diferent!Mutation is common in macro and script viruses•A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel)•Macros and scripts are usually interpreted, not compiledslide 11Obfuscation and Anti-DebuggingCommon in all kinds of malwareGoal: prevent code analysis and signature-based detection, foil reverse-engineeringCode obfuscation and mutation•Packed binaries, hard-to-analyze code structures•Diferent code in each copy of the virus–Efect of code execution is the same, but this is difficult to detect by passive/static analysis (undecidable problem)Detect debuggers and virtual machines, terminate executionslide 12Mutation TechniquesReal Permutating Engine/RPME, ADMutate, etc.Large arsenal of obfuscation techniques•Instructions reordered, branch conditions reversed, diferent register names, diferent subroutine order•Jumps and NOPs inserted in random places•Garbage opcodes inserted in unreachable code areas•Instruction sequences replaced with other instructions that have the same efect, but diferent opcodes–Mutate SUB EAX, EAX into XOR EAX, EAX or MOV EBP, ESP into PUSH