
King Fahd University of Petroleum & Minerals, College of Computer Science & Engineering
SEC 511 Principles of Information Assurance and Security
Lecture 9: Malware
These slides are based on Chapters 1, 2 and 3 of Computer Viruses and Malware, John Aycock.

Outline
- Malware Taxonomy
- Malware Infection
- Malware Concealment

Types of Malware
- Logic Bomb
- Trojan
- Back Door
- Virus
- Worm
- Spyware/Adware
- Hybrid

General Malware Characteristics
- Self-replicating malware actively attempts to propagate by creating new copies of itself.
- The population growth of malware describes the overall change in the number of malware instances due to self-replication.
- Parasitic malware requires some other executable code in order to exist.
  - Such as boot block code on a disk and binary code in applications.

Logic Bomb
- A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious payload when a specified condition is met.
- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Consists of 2 parts:
  - Payload: action to be performed
  - Trigger: event to execute the payload

    legitimate code
    if (date is Saturday the 13th):
        Crash_computer()
    legitimate code

Logic Bombs
- Logic bombs are concise and unobtrusive (inside millions of lines of source code)
- The mere threat of a logic bomb could be easily used to extort money from a company
- Example: Shamoon

Trojan Horse
- A Trojan is a program that appears to perform a desirable function but secretly performs a malicious task.
  - Name comes from the ancient world
  - Pretends to be innocent, but it's not
- Self-replicating: no
- Population growth: 0
- Parasitic: yes
- Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers.
- Trojans account for more than 83% of all detected malware [1].

[1] BitDefender.com, Malware and Spam Survey, 2009.

Back Door
- A mechanism which bypasses a normal security check and authentication.
- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Can be created by programmers for legitimate reasons (e.g., skipping a time-consuming authentication process).

    username = read_username()
    password = read_password()
    if (username is "1337h4ck0r")
        return ALLOW_LOGIN
    if (username and password are valid)
        return ALLOW_LOGIN
    else
        return DENY_LOGIN

Virus
- A virus is malware that, when executed, tries to replicate itself into other executable code.
- Self-replicating: yes
- Population growth: positive
- Parasitic: yes
- A virus relies in some way on other code.
- Viruses can propagate within a single computer, or may travel from one computer to another using human-transported media (CD, USB, etc.)
- Viruses do not propagate via networks
  - Networks are the domain of worms.

Virus

    def virus():
        infect()
        if trigger() is true:
            payload()

    def infect():
        repeat k times:
            target = select_target()
            if no target:
                return
            infect_code(target)

Worm
- A worm is a virus that spreads over a network and does not rely on other code to execute (standalone)
- Self-replication: yes
- Population growth: positive
- Parasitic: no
- Many worms are designed only to spread (even this can be harmful: consuming bandwidth)
- A worm can be equipped with a malicious payload.

Worm (components)
- Target Selection:
  - E-mail address harvesting
  - Network share enumeration
  - Network scanning
  - Web searching
- Propagation Methods:
  - FTP
  - HTTP
  - SMB
  - TFTP
- Initial Infection Vector:
  - B.O. (buffer overflow) exploits
  - Network shares
  - Social engineering
  - Weak passwords
- Scanning Engine:
  - Check targets for vulnerabilities
  - Scan for vulnerable services
  - OS check
  - Version checking
- Payload:
  - DoS
  - Data theft
  - Ransomware
  - Spam

Rootkit
- Rootkits are kernel programs that have the ability to hide themselves and cover up traces of activities.
- The two main goals of a rootkit are:
  - Conceal existence (stealth)
  - Maintain access
- The latest generations of rootkits use their stealth abilities to help other malware (Trojans, spyware, etc.) hide from users and anti-malware tools.
- The teaming of malware with rootkits has caused rootkit developers to improve the quality and effectiveness of their stealth techniques dramatically.

Spyware, Adware
- Collects information from one computer and transmits it to someone else
- Gathered information includes:
  - Username/password, bank info, credit card info, software license info, etc.
- May arrive on a machine:
  - Bundled with other software, by exploiting flaws in web browsers ("drive-by download"), etc.
- Self-replicating: no
- Population growth: 0
- Parasitic: no
- Adware is similar to spyware but focused on marketing (advertisement, etc.).

Hybrids, Droppers, etc.
- The nature of software makes it easy to create hybrid malware which has characteristics belonging to several different types:
  - Trojan that acts like a virus, etc.
- A dropper is malware that deposits other malware
  - A worm might leave behind a back door...

Zombies
- Compromised machines that can be used by an attacker
  - Spam
  - Denial of service (DoS)
  - Distributed denial of service (DDoS)
- Today, usually part of a botnet

Malware Cheat Sheet
- Trojan Horse: Tricks user into executing malicious code.
- Virus: When run by user, copies self into other files.
- Backdoor: Leaves opening for attacker to gain access.
- Worm: Copies self from computer to computer.
- Rootkit: Hides attacker activities from system administrators.

Outline
- Malware Taxonomy
- Malware Infection
- Malware Concealment

File Infection
- OS views some files as executable
  - Like "exe" and similar
- Files that can be run by a command-line "shell" are also considered executable
  - Batch files, shell scripts, ...
- File infector: infects an executable file
  - Exe, shell code, ... anything considered executable
  - Binary executable is the most common target

File Infectors
- Two main issues...
  1. Where to put the virus within the file?
  2. How to execute the virus when the infected file is run?

Where to insert virus
- Beginning of file
- End of file
- Overwrite file
- Insert into code

Beginning of File (Parasitic)
- Older exe formats (e.g., .COM) treat the entire file as a chunk of code and data
  - Entire file loaded into memory
  - Execution starts by jumping to the beginning of the loaded file
- Can put virus at start of such a file
  - That is, prepend the virus code

End of File
- Append a virus (even easier???)
- Then how does the virus get executed? Some possibilities...
- Replace first line(s) with a jump to viral code; save overwritten code
- Later, transfer control back to code
  - How to do this?

End of File
- How to transfer control back to code?
  - Run saved instructions in saved location
  - Restore the infected code back to its original state and run it
- Many exe file formats specify start location in file header
  - If so, virus can change start location to point to its own code and jump to the original start location when done


Appended Virus

Overwritten into File
- Virus places itself atop original code
- Can avoid changes in file size
- Easy for virus to get control
- But... overwriting code will break the original code
  - Making virus easier to discover
- Is it possible to overwrite without breaking the code?

Overwrite into File
- Smart ways to overwrite?
  - Overwrite repeated data
  - Save overwritten data (e.g., in a JPEG file)
  - Use over-allocated space in a file (cavity)
  - Compress code to make space
- For these to work, virus must be small

Outline
- Malware Taxonomy
- Malware Infection
- Malware Concealment

Malware Concealment Strategies
- Encryption
- Packing
- Oligomorphism
- Polymorphism
- Metamorphism
- Strong Encryption
- Stealth Infection
- Data Fabrication
- Multi-stage Dropping

No Concealment
- Do nothing to hide
- This is easiest for the virus writer...
  - ...but also easiest to detect and analyze


Encrypted Virus

Encryption
- How to encrypt? Let me count the ways...
  1. Simple encryption
     - Rotate, increment, negate, etc.
     - E.g., XOR a fixed byte to all bytes
  2. Static encryption key
  3. Variable encryption key
     - Like static, but key changes

Encryption (Continued)
  4. Substitution cipher
     - Could be via lookup table
     - Could even have multiple ciphertexts decrypt to the same plaintext
  5. Permute the bytes
- Strong encryption
  - DES, AES, RC4, etc.
  - Might use crypto libraries

Encryption: Key Issues
- Key embedded within the executable itself
  - Simple, but easy to find
- Encrypting different parts of the executable with different keys which are generated at runtime
  - Use camouflage to keep the analyst busy for a period of time
  - Key changes at every infection
  - Forensic investigator will have a difficult time
- The problem remains: the malware is carrying its decryption key inside!
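Why a key "embedded within the executable" is easy to find, and why the fixed-byte XOR from the Encryption slide offers little protection: an analyst can simply try all 256 keys and keep the one that yields recognizable plaintext. The following is an added analyst-side example, not from the slides or Aycock; the "virus body" bytes, the telltale string and the key 0x5A are constructed for the demo.

```python
from typing import Optional

COMMON = frozenset(b" etaoinshr")  # space plus the nine most frequent English letters

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key: the slide's 'simple encryption'."""
    return bytes(b ^ key for b in data)

def recover_key_known_plaintext(blob: bytes, known: bytes) -> Optional[int]:
    """Try all 256 keys; return the one whose decryption contains `known`."""
    for key in range(256):
        if known in xor_bytes(blob, key):
            return key
    return None

def text_score(data: bytes) -> int:
    """How many bytes are common English characters (higher = more text-like)."""
    return sum(1 for b in data if b in COMMON)

def recover_key_by_score(blob: bytes) -> int:
    """Without known plaintext: pick the key whose decryption looks most like text."""
    return max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))

# Constructed sample body: a few opcode-like bytes, a telltale string, NUL padding,
# encrypted with the constructed key 0x5A the way a static-key virus would do it.
PLAIN = b"\x55\x8b\xec\x83\xec\x40" + b"This program cannot be run in DOS mode" + b"\x00" * 4
SAMPLE_KEY = 0x5A
ENCRYPTED = xor_bytes(PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    k1 = recover_key_known_plaintext(ENCRYPTED, b"DOS mode")
    k2 = recover_key_by_score(ENCRYPTED)
    print(f"known-plaintext key {k1:#04x}, frequency key {k2:#04x}")
    print(xor_bytes(ENCRYPTED, k2))
```

The frequency scorer only works when the encrypted body carries strings; a body that is pure machine code needs the known-plaintext variant (a header or a string the decryptor is known to produce).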

Strong Encryption: Key
- Store key on the web
  - Malware retrieves the key from a website
  - Problem: website name inside the malware
  - Use of a web search engine
- Binary malware
  - The virus is in two parts
  - Triggers only if both parts are present
  - One part would be strongly encrypted code
  - The other part contains the key
- "Environmental" key generation
  - Key based on machine-specific info
  - Key derived at runtime

Packers
- A packer is like a cryptor, but instead of encrypting the binary, the packer compresses it.
- One fundamental difference is that packers do not require a key! This makes packers inherently less secure.
- A commonly used packer is UPX.

UPX Packer
- UPX: the Ultimate Packer for eXecutables

Packers
- The most powerful part of using a packer is that the malware never needs to hit the hard disk. Everything runs in process memory, which can bypass most antivirus products.

Oligomorphism
- Oligomorphic (aka semi-polymorphic) malware is encrypted code which uses a different decryption loop at every infection.
- Decryption loop is morphed
  - But not too many different decryptors
- For example
  - Whale had 30 different decryptors
  - Memorial had 96 decryptors

Polymorphism
- Like oligomorphic, but lots more decryptors
  - Essentially, an infinite number
- For example
  - Tremor has almost 6 billion decryptors
- So, AV software cannot have a signature for each decryptor
- How to have that many decryption loops?

Mutation Engine
1. Equivalent instruction substitution
   - One or more instructions
2. Instruction reordering
3. Register swap
4. Reorder data
5. Spaghetti code
6. Insert junk code
7. Run-time code modification/generation

Mutation Engine
8. Subroutine permutation
9. DIY virtual machine
10. Concurrency (threads)
11. Inlining/outlining
12. "Threaded" code (not threads)
    - Jump directly from one subroutine to another, without returning
- Many, many other possibilities

Mutation Engine Example
- All of these lines set register r1 to 0:

    clear r1
    xor r1, r1
    and 0, r1
    mov 0, r1
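How a detection engine answers this kind of substitution, along with the junk-code insertion and register swap listed on the Mutation Engine slides: rewrite every instruction to a canonical form before matching a signature. This is an added defender-side example, not from the slides or Aycock; the toy assembly syntax, the `zero` canonical form and the two constructed decryptor generations are assumptions of the example.

```python
import hashlib
import re
JUNK = {"nop"}                 # effect-free instructions a mutation engine may insert
REG = re.compile(r"\br\d+\b")  # toy register names: r1, r2, ...

def parse(line: str):
    """Strip an optional 'label:' prefix and split 'op a, b' into (op, [a, b])."""
    line = re.sub(r"^\w+:\s*", "", line.strip())
    op, _, rest = line.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    return op.lower(), ops

def canonical(line: str):
    """Canonical text of one instruction, or None if it is junk."""
    op, ops = parse(line)
    if op in JUNK:
        return None
    # The slide's four ways of zeroing a register collapse to a single form.
    if op == "clear" and len(ops) == 1:
        return f"zero {ops[0]}"
    if op == "xor" and len(ops) == 2 and ops[0] == ops[1]:
        return f"zero {ops[0]}"
    if op in ("and", "mov") and len(ops) == 2 and ops[0] == "0":
        return f"zero {ops[1]}"
    return f"{op} {', '.join(ops)}"

def rename_registers(insns: list) -> list:
    """Number registers by first use so a register swap leaves the stream unchanged."""
    names = {}
    def sub(m):
        return names.setdefault(m.group(0), f"R{len(names)}")
    return [REG.sub(sub, insn) for insn in insns]

def normalize(code: str) -> list:
    """Junk removed, substitutions undone, registers renamed."""
    kept = []
    for line in code.splitlines():
        c = canonical(line) if line.strip() else None
        if c is not None:
            kept.append(c)
    return rename_registers(kept)

def signature(code: str) -> str:
    """Hash of the normalized stream; equal for every mutation handled above."""
    return hashlib.sha256("\n".join(normalize(code)).encode()).hexdigest()

# Constructed: two generations of one decryptor; GEN_B is mutated by substitution, junk and r1/r2 -> r3/r4.
GEN_A = "clear r1\nmov key, r2\nloop: xor r2, [r1+body]\ninc r1\ncmp r1, len\njne loop"
GEN_B = "nop\nxor r3, r3\nmov key, r4\nnop\nloop: xor r4, [r3+body]\ninc r3\ncmp r3, len\nnop\njne loop"
```

Real engines do the same with a disassembler front end and a much larger table of equivalences; instruction reordering and spaghetti code need control-flow normalization on top of this.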

Mutation
- Mutation can also be used for good
  1. Makes reverse engineering attacks more difficult
  2. Makes software more "diverse"
- Hence, software protection techniques can be used to produce more armored malware!

Metamorphism
- Apply polymorphism to virus body
  - No encryption/decryption
  - Aka "body polymorphic"
- Body must change a lot
  - Goal is to have no common signature
- Mutation code must be mutated too!
  - Otherwise, a signature will exist
- Different from polymorphic (why?)

Metamorphism
- Metamorphics difficult to detect
  - Machine learning works well on hacker malware, but can be defeated
- Metamorphics also difficult to write
  - Most "metamorphic" generators aren't
- Current state of the art?
  - "Undetectable" metamorphic viruses


Metamorphism Example

Malware Concealment Strategies
- Encryption
- Packing
- Oligomorphism
- Armoring
- Polymorphism
- Metamorphism
- Strong Encryption
- Stealth Infection
- Data Fabrication
- Multi-stage Dropping

The Argument against Armoring
- If malware is armored, a forensic investigator can easily detect it.
  - Very few strings
  - Very few imports
  - High degree of entropy (Red Curtain tool)
- However, malware should remain low and slow! Looking suspicious is bad because it indicates that a machine has been compromised.
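Two of the three indicators on this slide can be computed from the bytes alone; the following added example (not from the slides or Aycock, and not the Red Curtain tool) scores a buffer by Shannon entropy and printable-string density, the same checks used to triage packed or encrypted samples. The sample buffer is constructed: an import-table-like region followed by random bytes standing in for a packed body.

```python
import math
import random
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def count_strings(data: bytes, min_len: int = 4) -> int:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return len(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))

def suspicious_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """(offset, entropy) for every fixed-size window whose entropy exceeds the threshold."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits

def looks_armored(data: bytes) -> bool:
    """Crude verdict from the slide's signs: high entropy or very few strings per KiB."""
    strings_per_kb = count_strings(data) / max(1.0, len(data) / 1024)
    return shannon_entropy(data) > 7.0 or strings_per_kb < 1.0

# Constructed sample: 1 KiB of import-table-like text, then 1 KiB of random bytes
# standing in for a packed or strongly encrypted body.
NORMAL = (b"GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00" * 26)[:1024]
_rng = random.Random(1)
PACKED = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE = NORMAL + PACKED

if __name__ == "__main__":
    print("normal: entropy %.2f, strings %d" % (shannon_entropy(NORMAL), count_strings(NORMAL)))
    print("packed: entropy %.2f, strings %d" % (shannon_entropy(PACKED), count_strings(PACKED)))
    print("high-entropy windows:", suspicious_windows(SAMPLE))
```

Compressed resources (images, archives) also score near 8.0, so entropy alone is a triage hint, not a verdict; the slide's import count would be the third check on a real executable.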

Stealth Infection
- Tries to hide the infection
  - Not just hide the virus signature
- Examples of stealth techniques
  - Change timestamp and/or other file info to pre-infection values
  - Intercept I/O calls to hide presence (in MS-DOS, user-accessible interrupts)
  - Hijack secondary boot loader
- In practice: using a rootkit (more on this later).

Data Fabrication
- If you must use armoring, at least camouflage your module to look legitimate.
- Decorate the stub application with superfluous code and strings to make it look, for example, like an obscure Microsoft utility.
- Use a resource file when compiling the malware:
  - Use rc.exe
- Use false flags: malware built so that it appears to have been developed by engineers in another country:
  - Localized version of Windows
  - Localized tools

Multistage Loaders
- Rather than deploy the malware in one shot, break down the process of deployment into stages.
- The goal is to leave a minimal footprint on disk:

The end
Reading: Aycock, Chapters 1, 2 and 3.