Chapter 11_Software Flaws and Malware(1).ppt
Kingdom of Saudi Arabia
Ministry of Higher Education
Al-Imam Muhammad Ibn Saud Islamic University
College of Computer and Information Sciences
Part IV: Software
Chapter 11: Software Flaws and Malware
IS492 Information Security
Information Systems Department

Malicious Software
• Malware is not new…
  • Fred Cohen’s initial virus work in the 1980s used viruses to break MLS systems
• Types of malware (lots of overlap)
  • Virus: passive propagation
  • Worm: active propagation
  • Trojan horse: unexpected functionality
  • Trapdoor/backdoor: unauthorized access
  • Rabbit: exhaust system resources
Part 4 Software 2

Where do Viruses Live?
• They live just about anywhere, such as…
• Boot sector
  • Take control before anything else
• Memory resident
  • Stays in memory
• Applications, macros, data, etc.
• Library routines
• Compilers, debuggers, virus checker, etc.
  • These would be particularly nasty!

Malware Examples
• Brain virus (1986)
• Code Red (2001)
• Shamoon (2012, 2017)
• Botnets (currently fashionable)
• Future of malware?

Brain
• First appeared in 1986
• More annoying than harmful
• A prototype for later viruses
• Not much reaction by users
• What it did:
  1. Placed itself in boot sector (and other places)
  2. Screened disk calls to avoid detection
  3. On each disk read, checked boot sector to see if it was infected; if not, goto 1
• Brain did nothing really malicious

Code Red Worm
• Appeared in July 2001
• Infected more than 250,000 systems in about 15 hours
• Eventually infected 750,000 out of about 6,000,000 vulnerable systems
• Exploited buffer overflow in Microsoft IIS server software
• Then monitored traffic on port 80, looking for other susceptible servers

Code Red: What it Did
• Day 1 to 19 of month: spread its infection
• Day 20 to 27: distributed denial of service attack (DDoS) on www.whitehouse.gov
• Later version (several variants)
  • Included trapdoor for remote access
  • Rebooted to flush worm, leaving only trapdoor
• Some say it was “beta test for info warfare”
  • But no evidence to support this

Trojan Horse Example
• Trojan: unexpected functionality
• Prototype trojan for the Mac
• File icon for freeMusic.mp3:
• For a real mp3, double click on icon
  o iTunes opens
  o Music in mp3 file plays
• But for freeMusic.mp3, unexpected results…

Mac Trojan
• Double click on freeMusic.mp3
• iTunes opens (expected)
• “Wild Laugh” (not expected)
• Message box (not expected)

Trojan Example
• How does freeMusic.mp3 trojan work?
• This “mp3” is an application, not data
• This trojan is harmless, but…
• …could have done anything user could do
  o Delete files, download files, launch apps, etc.

Malware Detection
• Three common detection methods
  • Signature detection
  • Change detection
  • Anomaly detection
• We briefly discuss each of these
  • And consider advantages…
  • …and disadvantages

Signature Detection
• A signature may be a string of bits in exe
  • Might also use wildcards, hash values, etc.
• For example, W32/Beast virus has signature 83EB 0274 EB0E 740A 81EB 0301 0000
  • That is, this string of bits appears in virus
• We can search for this signature in all files
• If string found, have we found W32/Beast?
  • Not necessarily: string could appear elsewhere
  • At random, chance is only 1/2^112
  • But software is not random

Signature Detection
• Advantages
  • Effective on “ordinary” malware
  • Minimal burden for users/administrators
• Disadvantages
  • Signature file can be large (10s of thousands)…
  • …making scanning slow
  • Signature files must be kept up to date
  • Cannot detect unknown viruses
  • Cannot detect some advanced types of malware
• The most popular detection method

Change Detection
• Viruses must live somewhere
  • If you detect a file has changed, it might have been infected
• How to detect changes?
  • Hash files and (securely) store hash values
  • Periodically re-compute hashes and compare
  • If hash changes, file might be infected

Change Detection
• Advantages
  • Virtually no false negatives
  • Can even detect previously unknown malware
• Disadvantages
  • Many files change and often
  • Many false alarms (false positives)
  • Heavy burden on users/administrators
  • If suspicious change detected, then what?
  • Might fall back on signature-based system

Anomaly Detection
• Monitor system for anything “unusual” or “virus-like” or potentially malicious or …
• Examples of “unusual”
  • Files change in some unexpected way
  • System misbehaves in some way
  • Unexpected network activity
  • Unexpected file access, etc., etc., etc., etc.
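To make the signature-detection slides concrete, here is an added example (written for this transcript, not code from the slides): it scans constructed sample "files" for the W32/Beast byte string quoted above, supports the ?? wildcard bytes the slide mentions, and computes the 1/2^112 random-match chance from the number of fixed bytes. The sample buffers and the wildcard form of the signature are constructed for this example.

```python
import re
from fractions import Fraction

# Signature quoted on the slide, as hex bytes. "??" stands for a wildcard byte
# (the slide's "might also use wildcards"); the Beast string itself has none.
BEAST_SIGNATURE = "83EB 0274 EB0E 740A 81EB 0301 0000"

def _tokens(sig_hex: str) -> list:
    """Split a hex signature into two-character byte tokens."""
    s = sig_hex.replace(" ", "").upper()
    if len(s) % 2:
        raise ValueError("signature must be whole bytes")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def signature_to_regex(sig_hex: str) -> re.Pattern:
    """Compile a hex signature (optionally with ?? wildcards) into a bytes regex."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in _tokens(sig_hex)]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(data: bytes, sig_hex: str = BEAST_SIGNATURE) -> list:
    """Return every offset at which the signature occurs in data (empty list if none)."""
    return [m.start() for m in signature_to_regex(sig_hex).finditer(data)]

def random_match_probability(sig_hex: str = BEAST_SIGNATURE) -> Fraction:
    """Chance that one random position matches all fixed bytes: 1/2^(8 * fixed bytes).
    For the 14-byte Beast string this is the slide's 1/2^112; wildcards lower the exponent."""
    fixed = sum(1 for t in _tokens(sig_hex) if t != "??")
    return Fraction(1, 2 ** (8 * fixed))

# Constructed sample "files" (not real executables): one clean, one with the
# Beast byte string embedded after a 2-byte header and 40 filler bytes.
CLEAN = bytes(range(256)) * 2
INFECTED = b"MZ" + b"\x90" * 40 + bytes.fromhex("".join(_tokens(BEAST_SIGNATURE))) + b"\xcc" * 10

if __name__ == "__main__":
    print("clean file hits:", scan(CLEAN))          # []
    print("infected file hits:", scan(INFECTED))    # [42]
    print("random false-match chance:", random_match_probability())
```

A real scanner holds tens of thousands of such signatures, which is why the slide notes that scanning gets slow; the "software is not random" caveat means the 1/2^112 figure is a lower bound on the false-alarm rate, not a measurement.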
• But, we must first define “normal”
  • Normal can (and must) change over time

Anomaly Detection
• Advantages
  • Chance of detecting unknown malware
• Disadvantages
  • No proven track record
  • Trudy can make abnormal look normal (go slow)
  • Must be combined with another method (e.g., signature detection)
• Also popular in intrusion detection (IDS)
• Difficult unsolved (unsolvable?) problem

Future of Malware
• Recent trends
  • Encrypted
  • Flash worms
  • Botnets
• The future is bright for malware
  • Good news for the bad guys…
  • …bad news for the good guys
• Future of malware detection?

Encrypted Viruses
• Virus writers know signature detection used
• So, how to evade signature detection?
• Encrypting the virus is a good approach
  • Ciphertext looks like random bits
  • Different key, then different “random” bits
  • So, different copies have no common signature
• Encryption often used in viruses today

Encrypted Viruses
• How to detect encrypted viruses?
• Scan for the decryptor code
  • More-or-less standard signature detection
  • But may be more false alarms
• Why not encrypt the decryptor code?
  • Then encrypt the decryptor of the decryptor (and so on…)
• Encryption of limited value to virus writers

Flash Worm
• Infect entire Internet in less than 15 minutes?
• Searching for vulnerable IP addresses is the slow part of any worm attack
• Searching might be bandwidth limited
  • Like Slammer
• Flash worm designed to infect entire Internet almost instantly

Flash Worm
• Predetermine all vulnerable IP addresses
  • Depends on details of the attack
• Embed these addresses in worm(s)
• Results in huge worm(s)
• But, the worm replicates, it splits
• No wasted time or bandwidth!
[Figure: tree of worm copies, labelled “Original worm(s)”, “1st generation”, “2nd generation”]

Flash Worm
• Estimated that ideal flash worm could infect the entire Internet in 15 seconds!
• Some debate as to actual time it would take
  • Estimates range from 2 seconds to 2 minutes
• In any case…
  • …much faster than humans could respond
• So, any defense must be fully automated
• How to defend against such attacks? Anomaly Detection

Botnet
• Botnet: a “network” of infected machines
  • Infected machines are “bots”
  • Victim is unaware of infection (stealthy)
• Botmaster controls botnet
  • Generally, using IRC
  • P2P botnet architectures exist
• Botnets used for…
  • Spam, DoS attacks, keylogging, ID theft, etc.

Botnet Examples
• XtremBot
  • Similar bots: Agobot, Forbot, Phatbot
  • Highly modular, easily modified
  • Source code readily available (GPL license)
• Mariposa
  • Used to steal credit card info
  • Creator arrested in July 2010
• Conficker
  • Estimated 10M infected hosts (2009)

Future Malware Detection?
• Malware today outnumbers “goodware”
  • Metamorphic copies of existing malware
  • Many virus toolkits available
  • Trudy: recycle old viruses, different signature
• So, may be better to “detect” good code
  • If code not on “good” list, assume it’s bad
  • That is, use whitelist instead of blacklist
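The hash baseline from the Change Detection slides and the whitelist idea on the last slide rest on the same mechanism, so one added example (written for this transcript, not code from the slides) covers both: it builds a SHA-256 baseline of a directory, seals the stored hash list with an HMAC so the "securely stored" hashes cannot be altered unnoticed, reports modified, added and removed files, and treats any program whose hash is absent from the good list as not allowed to run. The directory tree, file contents and key used in demo() are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash every file under root: the reference set the slide says to store securely."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(baseline: dict, key: bytes) -> str:
    """HMAC over the stored baseline so tampering with the hash list is itself detectable
    (key assumed to be kept off the monitored host)."""
    blob = "\n".join(f"{k} {v}" for k, v in sorted(baseline.items())).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def detect_changes(root: Path, baseline: dict) -> dict:
    """Change detection: recompute hashes and report modified, added and removed files."""
    current = build_baseline(root)
    return {"modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
            "added": sorted(k for k in current if k not in baseline),
            "removed": sorted(k for k in baseline if k not in current)}

def allowed_to_run(path: Path, whitelist: set) -> bool:
    """Whitelist rule from the last slide: code whose hash is not on the good list is treated as bad."""
    return file_hash(path) in whitelist

def demo() -> tuple:
    """Constructed scenario: two 'programs' are baselined, then one changes and a new one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "editor").write_bytes(b"\x7fELF editor v1")
        (root / "bin" / "shell").write_bytes(b"\x7fELF shell v1")
        baseline = build_baseline(root)
        whitelist = set(baseline.values())                                   # the "good" list
        (root / "bin" / "editor").write_bytes(b"\x7fELF editor v1 patched")  # unexpected change
        (root / "bin" / "newtool").write_bytes(b"\x7fELF newtool")           # not on the good list
        report = detect_changes(root, baseline)
        return (report, allowed_to_run(root / "bin" / "shell", whitelist),
                allowed_to_run(root / "bin" / "newtool", whitelist))
```

Every legitimate update lands in the "modified" list too, which is the false-alarm burden the slides warn about; the whitelist only answers "is this exactly a known good program", not "is this change benign".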