Malware

Part 4  Software 1
 Malicious Software
 Malware is not new…
o Fred Cohen’s initial virus work in 1980’s
o Cohen used viruses to break MLS systems
 Types of malware (no standard definition)
o Virus  passive propagation
o Worm  active propagation
o Trojan horse  unexpected functionality
o Trapdoor/backdoor  unauthorized access
o Rabbit  exhaust system resources
o Spyware  steals info, such as passwords
Part 4  Software 2
 Where do Viruses Live?
 They live just about anywhere, such as…
 Boot sector
o Take control before anything else
 Memory resident
o Stays in memory
 Applications, macros, data, etc.
 Library routines
 Compilers, debuggers, virus checker, etc.
o These would be particularly nasty!

Part 4  Software 3
 Malware Examples
 Brain virus (1986)
 Morris worm (1988)
 Code Red (2001)
 SQL Slammer (2004)
 Stuxnet (2010)
 Botnets (currently fashionable malware)
 Future of malware?

Part 4  Software 4
 Brain
q First appeared in 1986
q More annoying than harmful
q A prototype for later viruses
q Not much reaction by users
q What it did
1. Placed itself in boot sector (and other places)
2. Screened disk calls to avoid detection
3. Each disk read, checked boot sector to see if boot
sector infected; if not, goto 1
q Brain did nothing really malicious
Part 4  Software 5
 Morris Worm
 First
appeared in 1988
 What it tried to do
o Determine where it could spread, then…
o …spread its infection and…
o …remain undiscovered
 Morris claimed his worm had a bug!
o It tried to re-infect infected systems
o Led to resource exhaustion
o Effect was like a so-called rabbit
Part 4  Software 6
 How Morris Worm Spread
 Obtained access to machines by…
o User account password guessing
o Exploit buffer overflow in fingerd
o Exploit trapdoor in sendmail
 Flaws in fingerd and sendmail were well-
known, but not widely patched

Part 4  Software 7
 Bootstrap Loader
 Once Morris worm got access…
 “Bootstrap loader” sent to victim
o 99 lines of C code
 Victim compiled and executed code
 Bootstrap loader fetched the worm
 Victim authenticated sender
o Don’t want user to get a bad worm…

Part 4  Software 8
 How to Remain Undetected?
 If transmission interrupted, all code deleted
 Code encrypted when downloaded
 Code deleted after decrypt/compile
 When running, worm regularly changed
name and process identifier (PID)

Part 4  Software 9
 Morris Worm: Bottom Line
 Shock to the Internet community of 1988
o Internet of 1988 much different than today
 Internet designed to survive nuclear war
o Yet, brought down by one graduate student!
o At the time, Morris’ father worked at NSA…
 Could have been much worse
 Result? CERT, more security awareness
 But should have been a wakeup call

Part 4  Software 10
 Code Red Worm
 Appeared in July 2001
 Infected more than 250,000 systems in
about 15 hours
 Eventually infected 750,000 out of about
6,000,000 vulnerable systems
 Exploited buffer overflow in Microsoft IIS
server software
o Then monitor traffic on port 80, looking for
other susceptible servers
Part 4  Software 11
 Code Red: What it Did
 Day 1 to 19 of month: spread its infection
 Day 20 to 27: distributed denial of service attack
(DDoS) on www.whitehouse.gov
 Later version (several variants)
o Included trapdoor for remote access
o Rebooted to flush worm, leaving only trapdoor
 Some said it was “beta test for info warfare”
o But, no evidence to support this

Part 4  Software 12
 SQL Slammer
 Infected 75,000 systems in 10
minutes!
 At its peak, infections doubled
every 8.5 seconds
 Spread “too fast”…
 …so it “burned out” available
bandwidth

Part 4  Software 13
 Why was Slammer Successful?
 Worm size: one 376-byte UDP packet
 Firewalls often let one packet thru
o Then monitor ongoing “connections”
 Expectation was that much more data
required for an attack
o So no need to worry about 1 small packet
 Slammer defied “experts”

Part 4  Software 14
 Stuxnet
 Malware for information warfare…
 Discovered in 2010
o Origins go back to 2008, or earlier
 Apparently, targeted Iranian nuclear
processing facility
o Reprogrammed specific type of PLC
o Changed speed of centrifuges, causing damage
to about 1000 of them

Part 4  Software 15
 Stuxnet
 Many advanced features including…
o Infect system via removable drives  able to
get behind “airgap” firewalls
o Used 4 unpatched MS vulnerabilities
o Updates via P2P over a LAN
o Contact C&C server for code/updates
o Includes a Windows rootkit for stealth
o Significant exfiltration/recon capability
o Used a compromised private key
Part 4  Software 16
 Malware Related to Stuxnet
 Duqu (2011)
o Likely that developers had access to Stuxnet
source code
o Apparently, used mostly for info stealing
 Flame (2012)
o May be “most complex” malware ever
o Very sophisticated spyware mechanisms

Part 4  Software 17
 Trojan Horse Example
 Trojan: unexpected functionality
 Prototype trojan for the Mac
 File icon for freeMusic.mp3:
 For a real mp3, double click on icon
o iTunes opens
o Music in mp3 file plays
 But for freeMusic.mp3, unexpected results…

Part 4  Software 18
 Mac Trojan
 Double click on freeMusic.mp3
o iTunes opens (expected)
o “Wild Laugh” (not expected)
o Message box (not expected)

Part 4  Software 19
 Trojan Example
 How does freeMusic.mp3 trojan work?
 This “mp3” is an application, not data

 This trojan is harmless, but…

 …could have done anything user could do
o Delete files, download files, launch apps, etc.
Part 4  Software 20
 Malware Detection
 Three common detection methods
o Signature detection
o Change detection
o Anomaly detection
 We briefly discuss each of these
o And consider advantages…
o …and disadvantages

Part 4  Software 21
 Signature Detection
 A signature may be a string of bits in exe
o Might also use wildcards, hash values, etc.
 For example, W32/Beast virus has signature
83EB 0274 EB0E 740A 81EB 0301 0000
o That is, this string of bits appears in virus
 We can search for this signature in all files
 If string found, have we found W32/Beast?
o Not necessarily  string could be in normal code
o At random, chance is only 1/2112
o But software is not random…
Part 4  Software 22
 Signature Detection
 Advantages
o Effective on “ordinary” malware
o Minimal burden for users/administrators
 Disadvantages
o Signature file can be large (10s of thousands)…
o …making scanning slow
o Signature files must be kept up to date
o Cannot detect unknown viruses
o Cannot detect some advanced types of malware
 The most popular detection method
Part 4  Software 23
 Change Detection
 Viruses must live somewhere
 Ifyou detect a file has changed, it might have
been infected
 How to detect changes?
o Hash files and (securely) store hash values
o Periodically re-compute hashes and compare
o If hash changes, file might be infected

Part 4  Software 24
 Change Detection
 Advantages
o Virtually no false negatives
o Can even detect previously unknown malware
 Disadvantages
o Many files change  and often
o Many false alarms (false positives)
o Heavy burden on users/administrators
o If suspicious change detected, then what? Might fall
back on signature detection

Part 4  Software 25
 Anomaly Detection
 Monitor system for anything “unusual” or “virus-
like” or “potentially malicious” or …
 Examples of anomalous things
o Files change in some unexpected way
o System misbehaves in some way
o Unexpected network activity
o Unexpected file access, etc., etc., etc., etc.
 But, we must first define “normal”
o And normal can (and must) change over time

Part 4  Software 26
 Anomaly Detection
 Advantages
o Chance of detecting unknown malware
 Disadvantages
o No proven track record
o Trudy can make abnormal look normal (go slow)
o Must be combined with another method (e.g., signature
detection)
 Also popular in intrusion detection (IDS)
 Difficult unsolved (unsolvable?) problem
o Reminds me of AI…

Part 4  Software 27
 Future of Malware
 Recent trends
o Encrypted, polymorphic, metamorphic malware
o Fast replication/Warhol worms
o Flash worms, slow worms
o Botnets
 The future is bright for malware
o Good news for the bad guys…
o …bad news for the good guys
 Future of malware detection?
Part 4  Software 28
 Encrypted Viruses
 Virus writers know signature detection used
 So, how to evade signature detection?
 Encrypting the virus is a good approach
o Ciphertext looks like random bits
o Different key, then different “random” bits
o So, different copies have no common signature
 Encryption often used in viruses today

Part 4  Software 29
 Encrypted Viruses
 How to detect encrypted viruses?
 Scan for the decryptor code
o More-or-less standard signature detection
o But may be more false alarms
 Why not encrypt the decryptor code?
o Then encrypt the decryptor of the decryptor (and so
on…)
 Encryption of limited value to virus writers

Part 4  Software 30
 Polymorphic Malware
 Polymorphic worm
o Body of worm is encrypted
o Decryptor code is “mutated” (or “morphed”)
o Trying to hide decryptor signature
o Like an encrypted worm on steroids…

Q: How to detect?
A: Emulation  let the code decrypt itself
o Slow, and anti-emulation is possible

Part 4  Software 31
 Metamorphic Malware
 A metamorphic worm mutates before infecting a
new system
o Sometimes called “body polymorphic”
 Such a worm can, in principle, evade signature-
based detection
 Mutated worm must function the same
o And be “different enough” to avoid detection
 Detection is a difficult research problem

Part 4  Software 32
 Metamorphic Worm
 One approach to metamorphic replication…
o The worm is disassembled
o Worm then stripped to a base form
o Random variations inserted into code (permute the
code, insert dead code, etc., etc.)
o Assemble the resulting code

 Result is a worm with same functionality as

original, but different signature

Part 4  Software 33
 Warhol Worm
 “In the future everybody will be world-famous for
15 minutes”  Andy Warhol
 Warhol Worm is designed to infect the entire
Internet in 15 minutes
 Slammer infected 250,000 in 10 minutes
o “Burned out” bandwidth
o Could not have infected entire Internet in 15 minutes 
too bandwidth intensive
 Can rapid worm do “better” than Slammer?

Part 4  Software 34
 A Possible Warhol Worm
 Seed worm with an initial hit list containing a set
of vulnerable IP addresses
o Depends on the particular exploit
o Tools exist for identifying vulnerable systems
 Each successful initial infection would attack
selected part of IP address space
 Could infect entire Internet in 15 minutes!
 No worm this sophisticated has yet been seen in
the wild (as of 2011)
o Slammer generated random IP addresses

Part 4  Software 35
 Flash Worm
 Can we do “better” than Warhol worm?
 Infect entire Internet in less than 15 minutes?
 Searching for vulnerable IP addresses is the slow part
of any worm attack
 Searching might be bandwidth limited
o Like Slammer
 Flash worm designed to infect entire Internet almost
instantly

Part 4  Software 36
 Flash Worm
 Predetermine all vulnerable IP addresses
o Depends on details of the attack
 Embed these addresses in worm(s)
o Results in huge worm(s)
o But, the worm replicates, it splits
 No wasted time or bandwidth!
Original worm(s)

1st generation

2nd generation

Part 4  Software 37
 Flash Worm
 Estimated that ideal flash worm could infect the
entire Internet in 15 seconds!
o Some debate as to actual time it would take
o Estimates range from 2 seconds to 2 minutes
 In any case…
 …much faster than humans could respond
 So, any defense must be fully automated
 How to defend against such attacks?

Part 4  Software 38
 Rapid Malware Defenses
 Master IDS watches over network
o “Infection” proceeds on part of network
o Determines whether an attack or not
o If so, IDS saves most of the network
o If not, only a slight delay
 Beneficial worm
o Disinfect faster than the worm infects
 Other approaches?
Part 4  Software 39
 Push vs Pull Malware
 Viruses/worms examples of “push”
 Recently, a lot of “pull” malware
 Scenario
o A compromised web server
o Visit a website at compromised server
o Malware loaded on you machine
 Good paper: Ghost in the Browser

Part 4  Software 40
 Botnet
 Botnet: a “network” of infected machines
 Infected machines are “bots”
o Victim is unaware of infection (stealthy)
 Botmaster controls botnet
o Generally, using IRC
o P2P botnet architectures exist
 Botnets used for…
o Spam, DoS attacks, keylogging, ID theft, etc.

Part 4  Software 41
 Botnet Examples
 XtremBot
o Similar bots: Agobot, Forbot, Phatbot
o Highly modular, easily modified
o Source code readily available (GPL license)
 UrXbot
o Similar bots: SDBot, UrBot, Rbot
o Less sophisticated than XtremBot type
 GT-Bots and mIRC-based bots
o mIRC is common IRC client for Windows

Part 4  Software 42
 More Botnet Examples
 Mariposa
o Used to steal credit card info
o Creator arrested in July 2010
 Conficker
o Estimated 10M infected hosts (2009)
 Kraken
o Largest as of 2008 (400,000 infections)
 Srizbi
o For spam, one of largest as of 2008

Part 4  Software 43
 Computer Infections
 Analogies are made between computer
viruses/worms and biological diseases
 There are differences
o Computer infections are much quicker
o Ability to intervene in computer outbreak is more limited
(vaccination?)
o Bio disease models often not applicable
o “Distance” almost meaningless on Internet
 But there are some similarities…
Part 4  Software 44
 Computer Infections
 Cyber “diseases” vs biological diseases
 One similarity
o In nature, too few susceptible individuals and disease will
die out
o In the Internet, too few susceptible systems and worm
might fail to take hold
 One difference
o In nature, diseases attack more-or-less at random
o Cyber attackers select most “desirable” targets
o Cyber attacks are more focused and damaging
 Mobile devices an interesting hybrid case
Part 4  Software 45
 Future Malware Detection?
 Malware today far outnumbers “goodware”
o Metamorphic copies of existing malware
o Many virus toolkits available
o Trudy can recycle old viruses, new signatures
 So, may be better to “detect” good code
o If code not on approved list, assume it’s bad
o That is, use whitelist instead of blacklist

Part 4  Software 46
 Miscellaneous
Software-Based Attacks

Part 4  Software 47
 Miscellaneous Attacks
 Numerous attacks involve software
 We’ll discuss a few issues that do not fit
into previous categories
o Salami attack
o Linearization attack
o Time bomb
o Can you ever trust software?

Part 4  Software 48
 Salami Attack
 What is Salami attack?
o Programmer “slices off” small amounts of money
o Slices are hard for victim to detect
 Example
o Bank calculates interest on accounts
o Programmer “slices off” any fraction of a cent and puts
it in his own account
o No customer notices missing partial cent
o Bank may not notice any problem
o Over time, programmer makes lots of money!

Part 4  Software 49
 Salami Attack
 Such attacks are possible for insiders
 Do salami attacks actually occur?
o Or is it just Office Space folklore?
 Programmer added a few cents to every employee
payroll tax withholding
o But money credited to programmer’s tax
o Programmer got a big tax refund!
 Rent-a-car franchise in Florida inflated gas tank
capacity to overcharge customers
Part 4  Software 50
 Salami Attacks
 Employee reprogrammed Taco Bell cash register:
$2.99 item registered as $0.01
o Employee pocketed $2.98 on each such item
o A large “slice” of salami!
 In LA, four men installed computer chip that
overstated amount of gas pumped
o Customers complained when they had to pay for more
gas than tank could hold
o Hard to detect since chip programmed to give correct
amount when 5 or 10 gallons purchased
o Inspector usually asked for 5 or 10 gallons

Part 4  Software 51
 Linearization Attack
 Program checks for
serial number
S123N456
 For efficiency, check
made one character at
a time
 Can attacker take
advantage of this?

Part 4  Software 52
 Linearization Attack
 Correct number takes longer than incorrect
 Trudy tries all 1st characters
o Find that S takes longest
 Then she guesses all 2nd characters: S
o Finds S1 takes longest
 And so on…
 Trudy can recover one character at a time!
o Same principle as used in lock picking

Part 4  Software 53
 Linearization Attack
 What is the advantage to attacking serial number
one character at a time?
 Suppose serial number is 8 characters and each
has 128 possible values
o Then 1288 = 256 possible serial numbers
o Attacker would guess the serial number in about 255
tries  a lot of work!
o Using the linearization attack, the work is about 8 
(128/2) = 29 which is easy

Part 4  Software 54
 Linearization Attack
 A real-world linearization attack
 TENEX (an ancient timeshare system)
o Passwords checked one character at a time
o Careful timing was not necessary, instead…
o …could arrange for a “page fault” when next unknown
character guessed correctly
o Page fault register was user accessible
 Attack was very easy in practice

Part 4  Software 55
 Time Bomb
 In 1986 Donald Gene Burleson told employer to
stop withholding taxes from his paycheck
 His company refused
 He planned to sue his company
o He used company time to prepare legal docs
o Company found out and fired him
 Burleson had been working on malware…
o After being fired, his software “time bomb” deleted
important company data

Part 4  Software 56
 Time Bomb
 Company was reluctant to pursue the case
 So Burleson sued company for back pay!
o Then company finally sued Burleson
 In 1988 Burleson fined $11,800
o Case took years to prosecute…
o Cost company thousands of dollars…
o Resulted in a slap on the wrist for attacker
 One of the first computer crime cases
 Many cases since follow a similar pattern
o Companies reluctant to prosecute
Part 4  Software 57
 Trusting Software
 Can you ever trust software?
o See Reflections on Trusting Trust
 Consider the following thought experiment
 Suppose C compiler has a virus
o When compiling login program, virus creates backdoor
(account with known password)
o When recompiling the C compiler, virus incorporates
itself into new C compiler
 Difficult to get rid of this virus!

Part 4  Software 58
 Trusting Software
 Suppose you notice something is wrong
 So you start over from scratch
 First, you recompile the C compiler
 Then you recompile the OS
o Including login program…
o You have not gotten rid of the problem!
 In the real world
o Attackers try to hide viruses in virus scanner
o Imagine damage that would be done by attack on virus
signature updates

Part 4  Software 59