Malicious Software
SFL @ TU Dortmund


Malicious software (malware) is software that executes on a system without the explicit consent of its user(s).
Malware authors may have several motivations:
Espionage (e.g., leaking nation-state or company secrets)
Extortion (e.g., putting pressure on the user to the attacker's benefit)
Resource abuse (e.g., sending spam from a victim's system, launching DDoS attacks)
Stealing money (e.g., by hijacking online banking sessions)

Lifecycle of Malicious Software
(1) Spread: spam, drive-by downloads, social engineering
(2) Control: commands, feedback, C&C infrastructures
(3) Monetize: click fraud, banking trojans, denial-of-service
(4) Defense: detection, disinfection, disruption

Major Infection Channels (1/2)
Email spam is one of the two major malware infection channels
Attackers trick users into opening malicious email attachments
Common attack strategies:
Spray and pray: send mass emails with malicious attachments
(e.g., an email posing as a DHL delivery notification with an attachment)
Targeted emails: an individual email tailored to a particular person
(e.g., send a professor an email with a malicious attachment ProjectReport.exe)
Social engineering increases the chances of success:
Relate to the interests of the recipient (e.g., mention recent hobbies or issues)
Identify weak points of the recipient (e.g., greed, curiosity, impulsiveness, etc.)
Email sender spoofing eases identity theft (the attacker freely chooses the sender's name/address)

Major Infection Channels (2/2)
Software exploitation is the other major infection channel
Attackers primarily target vulnerabilities in Web browsers
Typically involves some sort of active content (Flash, JavaScript, etc.)
Regular incidents of zero-day vulnerabilities
Browsers try to defend against exploitation:
Sandboxes aim to contain an exploit (e.g., of the JIT) so that it cannot escape to the rest of the system
Untrusted plugins get their own sandbox (e.g., Flash)
Constant blinding aims to prevent attacker-chosen constants from becoming JIT-sprayed ROP gadgets
Plugins (e.g., NoScript) disable active scripts
CFI and secure code loading (only signed code is loaded)
Still: browsers remain the most popular exploitation target

Other Infection Channels
Untrusted media
Victim finds a USB memory stick and opens untrustworthy files on it
Victim downloads a file that a (malware-infected) friend suggested
Loss of communication integrity
Victim downloads programs via plain HTTP in an untrusted WiFi (the download can be tampered with in transit)
File infectors
Malware spreads by injecting itself into other executables on the same system
If any of those programs is shared with others, they get infected and the victim can be reinfected
Software bundles
Victim aims to download a particular program, but is tricked into downloading a malware-infected version of this program
Victim downloads a (secretly malware-spreading) crack to play a commercial computer game for free

Malware Types

Ransomware (1/2)
Malware that extorts the victim for ransom, using varying strategies:
Encrypt files (e.g., media) and ask for ransom to decrypt them
Lock the computer screen and ask for ransom to unlock it
Popular examples: CryptoWall, CryptoLocker

Ransomware (2/2)
Common ransomware encryption scheme (hybrid encryption)
Encryption:
Ransomware generates a local symmetric key Ks
Encrypts files with Ks using a symmetric cipher
Encrypts Ks with the attacker's public key using asymmetric cryptography: K = asymm_enc(Ks, pubkey)
Sends K to the remote C&C server
Deletes Ks (and optionally K) from disk / memory
Decryption:
After payment, the server decrypts K with privkey: Ks = asymm_dec(K, privkey)
Victim (may or may not) obtain Ks from the C&C server
Consequence: without privkey, neither the victim nor an analyst who has the sample can recover Ks; only the attacker's private key, or a copy of Ks caught in memory before it is wiped, breaks the scheme
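The scheme above carried through end to end, as an added example (editor-written code for this page, not part of the lecture and not taken from any real ransomware). Two assumptions keep it self-contained: a toy SHA-256 counter-mode stream cipher stands in for the symmetric cipher, and textbook RSA with freshly generated primes stands in for the asymmetric scheme. Real families use AES and RSA-OAEP or similar, but the key handling, which is the point of the slide, is identical: Ks exists only during encryption, and afterwards only K remains on the victim.

```python
import hashlib
import secrets

# --- Toy primitives (assumption: standard-library stand-ins for AES and RSA-OAEP) ---

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 512):
    """Textbook RSA (no padding): returns (pubkey, privkey) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

# --- The scheme from the slide ---

def infect(files: dict, pubkey) -> tuple:
    """Victim side. Returns the encrypted files and K = asymm_enc(Ks, pubkey).
    Ks does not survive this function: only K remains, which is useless without privkey."""
    ks = secrets.token_bytes(32)                                   # local symmetric key Ks
    encrypted = {}
    for name, plaintext in files.items():
        nonce = secrets.token_bytes(16)                            # fresh nonce per file
        encrypted[name] = nonce + keystream_xor(ks, nonce, plaintext)
    e, n = pubkey
    wrapped = pow(int.from_bytes(ks, "big"), e, n)                 # K = asymm_enc(Ks, pubkey)
    del ks                                                         # "delete Ks from disk / memory"
    return encrypted, wrapped

def cnc_release_key(wrapped: int, privkey) -> bytes:
    """Attacker side, after payment: Ks = asymm_dec(K, privkey)."""
    d, n = privkey
    return pow(wrapped, d, n).to_bytes(32, "big")

def decrypt_files(encrypted: dict, ks: bytes) -> dict:
    """Victim side, once Ks has been handed back."""
    return {name: keystream_xor(ks, blob[:16], blob[16:]) for name, blob in encrypted.items()}

def demo() -> bool:
    """Constructed sample run: encrypt two files, wipe Ks, recover only via privkey."""
    pubkey, privkey = rsa_keygen()
    files = {"photo.jpg": b"\xff\xd8 constructed image bytes", "thesis.tex": b"\\documentclass{article}"}
    encrypted, wrapped = infect(files, pubkey)
    assert all(encrypted[n][16:] != files[n] for n in files)
    return decrypt_files(encrypted, cnc_release_key(wrapped, privkey)) == files

if __name__ == "__main__":
    print("roundtrip ok:", demo())
```

Two practical consequences follow from the code: Ks is live in process memory while the file loop runs, so a memory dump taken during or shortly after infection (or a sample that forgets the wipe) is the one offline recovery path, which is why responders capture RAM before powering off. And keeping K around costs the attacker nothing, which is why seized C&C private keys later turn into public decryptors: K is all a victim needs to present.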

Banking Trojans (1/4)
Steal money from online banking accounts
Steal credentials and initiate a money transfer to the attacker's account
Or: manipulate the destination of money transfers
Or: manipulate the website and ask users to refund an "accidental" money transfer
Popular examples: Zeus (P2P), Tinba, Citadel

Banking Trojans (2/4)
Dynamic web site manipulation via web injects (Man-in-the-Browser)
Web inject rule shown on the slide (only partially recoverable): a target URL pattern (?:^https://banking.postbank.de/app/legitimation), a pcre_pattern block whose capture group marks the target location in the page, and a data_inject block holding the injection code; each block is terminated by data_end
A rule thus consists of: target URL, target location, injection code
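How such a rule is applied inside the browser, as an added example written for this page (not code from the lecture or from any banking trojan). It assumes the classic Zeus-style webinjects.txt layout with set_url / data_before / data_inject / data_after blocks terminated by data_end (the slide's variant selects the location with a pcre_pattern instead of data_before), and it uses a constructed bank login page and a constructed URL. The mechanism is the same in both formats: the trojan rewrites the HTTP response after TLS has already been removed by the browser, so the server never sees the change and the user sees a page the bank never sent.

```python
import re
from dataclasses import dataclass

# Constructed Zeus-style webinject configuration (assumption: classic block format).
# Rule 1 adds a TAN field to the login form; rule 2 deletes the bank's warning text.
WEBINJECTS = """
set_url https://banking.example.test/login* GP
data_before
name="pin"*/>
data_end
data_inject
<br/>Please confirm with a TAN: <input type="text" name="tan"/>
data_end
data_after
data_end

set_url https://banking.example.test/login* GP
data_before
<p class="warning">
data_end
data_inject
data_end
data_after
</p>
data_end
"""

# Constructed login page as the bank really serves it.
LOGIN_PAGE = """<form action="/login" method="post">
<p class="warning">Never enter a TAN on the login page.</p>
Account: <input type="text" name="account"/>
PIN: <input type="password" name="pin"/>
<input type="submit" value="Login"/>
</form>"""

@dataclass
class Inject:
    url_mask: str          # target URL (* is a wildcard)
    flags: str             # Zeus request-type flags, kept but not interpreted here
    before: str = ""       # target location: text the injection goes after
    inject: str = ""       # injection code
    after: str = ""        # optional end marker: text between before and after is replaced

def parse_webinjects(text: str) -> list:
    """Parse the block format into Inject rules. Lines are stripped, so indentation is lost."""
    injects, current, block, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            block, buf = line[len("data_"):], []
        elif line == "data_end" and block is not None and current is not None:
            setattr(current, block, "\n".join(buf))
            block = None
        elif block is not None:
            buf.append(line)
    return injects

def mask_to_regex(mask: str) -> str:
    """Zeus masks use * as a wildcard; everything else is literal."""
    return re.escape(mask).replace(r"\*", ".*?")

def apply_webinjects(url: str, body: str, injects: list) -> str:
    """Man-in-the-Browser step: rewrite the server response before the browser renders it."""
    for inj in injects:
        if not inj.before or not re.fullmatch(mask_to_regex(inj.url_mask), url):
            continue
        m_before = re.search(mask_to_regex(inj.before), body, re.S)
        if m_before is None:
            continue
        start = end = m_before.end()
        if inj.after:                                   # replace everything up to the end marker
            m_after = re.search(mask_to_regex(inj.after), body[start:], re.S)
            if m_after is None:
                continue
            end = start + m_after.start()
        body = body[:start] + inj.inject + body[end:]
    return body

if __name__ == "__main__":
    rules = parse_webinjects(WEBINJECTS)
    print(apply_webinjects("https://banking.example.test/login?lang=de", LOGIN_PAGE, rules))
```

Note what the second rule buys the attacker: the page still validates and the form still posts to the real bank, but the one sentence that would have warned the user is gone. Server-side defenses cannot see any of this; what helps is a second factor bound to the transaction details (next slides) and client-side integrity checks such as comparing the rendered DOM with the served page.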

Banking Trojans (3/4): IAT Hooking
Change function pointers in the Import Address Table (IAT); the IAT holds the pointers through which a program calls imported library functions
Example from the slide: Internet Explorer (iexplore.exe) imports HttpSendRequestA from wininet.dll. The malicious code overwrites the IAT entry for HttpSendRequestA, which originally points into wininet.dll, with the address of its own HttpSendReqAHook, so every call from the browser passes through the hook, which inspects or modifies the request and then calls the real HttpSendRequestA
Limitation: IAT hooks only catch calls made through the import table of the patched module, not calls that resolve the function dynamically (e.g., via GetProcAddress)

Banking Trojans (4/4): Inline Hooking
Add a jump to the hook in the actual library code: overwrite existing code, or use the hotpatching NOPs that Microsoft places in front of hotpatchable functions
Before (wininet.dll, from the slide):
771960BC nop
771960BD nop
771960BE nop
771960BF nop
771960C0 nop
771960C1 HttpSendRequestA proc near
771960C1 mov edi, edi
771960C3 push ebp
771960C4 mov ebp, esp
771960C6 push 13h
771960C8
After (hook installed):
771960BC jmp HttpSendReqAHook    ; long JMP (E9 rel32, 5-byte instruction) written over the five NOPs
771960C1 HttpSendRequestA proc near
771960C1 jmp -7                  ; short JMP (EB rel8, 2-byte instruction) written over mov edi, edi, lands on 771960BC
771960C3 push ebp
771960C4 mov ebp, esp
771960C6 push 13h
771960C8
The 2-byte mov edi, edi exists precisely so that it can be replaced atomically by a 2-byte short jump; when the hook wants to call the original function it continues at 771960C3 (push ebp)
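The two jumps above, computed and then detected, as an added example (editor-written Python, not lecture code). It models a small region of wininet.dll as a byte string: the slide's addresses 771960BC and 771960C1 are used as they are, the prologue bytes are the standard x86 encoding of the instructions shown (8B FF, 55, 8B EC, 6A 13), and the hook address 0x10001000 is a hypothetical location of HttpSendReqAHook inside the injected code. The resolver at the end does what a hook scanner in an A/V product does: follow jumps from an export's entry and flag the function if execution leaves it.

```python
import struct

# Constructed memory image of the start of wininet!HttpSendRequestA as shown on the slide:
# five hotpatch NOPs, then the hotpatchable prologue  mov edi,edi / push ebp / mov ebp,esp / push 13h
BASE = 0x771960BC                     # address of the first NOP (slide)
FUNC = 0x771960C1                     # HttpSendRequestA entry (slide)
HOOK = 0x10001000                     # address of HttpSendReqAHook: hypothetical, inside the injected code
PRISTINE = b"\x90" * 5 + b"\x8B\xFF\x55\x8B\xEC\x6A\x13"

def jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32: the displacement is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def jmp_rel8(src: int, dst: int) -> bytes:
    """EB rel8 (short jump): 2-byte instruction with a reach of -128..+127 bytes."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of short-jump range")
    return b"\xEB" + struct.pack("<b", rel)

def install_hotpatch_hook(mem: bytes, base: int, func: int, hook: int) -> bytes:
    """Hotpatch-style inline hook: long jump in the NOP pad, short jump back from the entry.
    Only the 2-byte mov edi,edi is overwritten inside the function, so push ebp onward is intact."""
    pad = func - 5
    patched = bytearray(mem)
    patched[pad - base:pad - base + 5] = jmp_rel32(pad, hook)
    patched[func - base:func - base + 2] = jmp_rel8(func, pad)
    return bytes(patched)

def decode_jmp(mem: bytes, base: int, addr: int):
    """Return the target if the instruction at addr is an E9/EB jump, else None."""
    off = addr - base
    if mem[off] == 0xE9:
        return addr + 5 + struct.unpack_from("<i", mem, off + 1)[0]
    if mem[off] == 0xEB:
        return addr + 2 + struct.unpack_from("<b", mem, off + 1)[0]
    return None

def resolve_entry(mem: bytes, base: int, func: int, max_hops: int = 8) -> int:
    """Follow jumps from the function entry and return where execution really lands."""
    addr = func
    for _ in range(max_hops):
        if not base <= addr < base + len(mem):
            return addr                      # left the region we can see (another module)
        target = decode_jmp(mem, base, addr)
        if target is None:
            return addr                      # real code starts here
        addr = target
    return addr

def is_inline_hooked(mem: bytes, base: int, func: int) -> bool:
    """Scanner view: an export whose entry does not execute in place has been redirected."""
    return resolve_entry(mem, base, func) != func

if __name__ == "__main__":
    hooked = install_hotpatch_hook(PRISTINE, BASE, FUNC, HOOK)
    print("pad bytes:  ", hooked[:5].hex(" "))
    print("entry bytes:", hooked[5:7].hex(" "), "(jmp -7)")
    print("entry resolves to", hex(resolve_entry(hooked, BASE, FUNC)), "hooked:", is_inline_hooked(hooked, BASE, FUNC))
```

The scanner here is exactly what the A/V slide later calls "hooking is deemed suspicious", and its blind spot is the one named there too: a hook placed deeper in the function body, past the first few bytes, is not found by looking at the entry alone; a thorough check compares the whole in-memory code of the module against the file on disk.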

Protection Against Banking Trojans (at the example of SMS-based TAN)
Second factor (e.g., phone) receives a message that binds the TAN to the transaction details (translated from the German example on the slide):
"The TAN for your transfer of 5,000 EUR to account DE01 1566 8161 1351 3135 1337 is 325975."
A trojan that manipulates the transfer cannot reuse this TAN for a different amount or destination; a user who compares amount and IBAN in the SMS with what they entered detects the manipulation

RATs / RAT Trojans
Remote Administration Tools (Remote Access Trojans once abused)
Originally used for exactly that benign purpose
Abused by attackers to spy on infiltrated systems
RAT features:
search for files, retrieve files, install further applications, control mouse/keyboard, etc.
Examples: Blackshades, Bifrost, PoisonIvy
Commonly used for espionage by nation-state attackers

Spam Bots
~90% of worldwide spam is sent by malware
Act as spam relay, abusing the dynamic IP address of the victim
Or: authenticated spam, abusing stolen email accounts
Financial motivation:
Spreading: sell infections via malicious attachments
Marketing: sell products (pharmacies, etc.)
Stock spam: advertise penny stocks and then sell them
Advance-fee scam: ask for money under a fake identity
Examples: Rustock,

Downloaders / Droppers
Download and execute even more malware
Pay-per-install scheme: sell infections to others
Typical job specialization: one actor infects, the other abuses
Examples: GoldInstall, Virut

DDoS Bots
Perform Distributed Denial-of-Service attacks
Many DDoS bots jointly start attacking a target
Any kind of DoS: SYN flood, HTTP request flood, etc.
Examples: Dirtjumper, Yoddos, Mirai

Fake AV (Fake Anti-Virus) / Scareware / Rogueware
Malware that pretends to be
an anti-virus that has found malware and wants payment
a fine by the police for illegal activities (e.g., child abuse material)
Uneducated users may pay

Click Fraud Bots
Run in the background and click on advertisements
Attacker registers for pay-per-view or pay-per-click ads
Attacker then views/clicks their own ads
Every click/view adds a small revenue

Cryptocurrency Miners
Cryptocurrencies allow generating virtual money by spending computing resources
Malware may steal the resources of a compromised system to generate coins
Victim gets a high bill for power consumption and faces reduced performance

Mobile Malware (1/2)
Online banking transactions are protected by a second factor
One typical second factor is a mobile TAN (mTAN) sent to the mobile phone
TAN stealers may sniff SMS messages to leak mTANs
Example: Zeus in the Mobile (ZitMo)
Source: https://mobisec.reyammer.io/slides Thanks to

Mobile Malware (2/2)
Other types of mobile malware exist
RAT-style apps that gain system-level privileges
Apps that sniff user data and behavior (spyware)
Attacks on service accounts (e.g., Gooligan stole Google accounts)
Ransomware

Dialers
Back in the modem days: disconnect from the Internet and dial premium numbers that the attacker had registered (e.g., $5 per minute)
Dialers disappeared from the PC market when dial-up modems were replaced by cable Internet / DSL
Dialers resurrected on smartphones
Once infected, the device again dials premium numbers
Requires special system permissions, though

Worms
Worms are self-spreading malware
After infecting a system, a worm immediately scans the Internet for other victims
Exponential growth and rapid infection rates once critical mass is reached
Infections spread way faster than the vulnerable software can be patched
Typically, an unpatched system is reinfected within a few seconds
Several popular examples:
Blaster: exploited a buffer overflow in the Windows DCOM RPC service (2003; knocked several million systems down within a day)
Conficker: exploited a buffer overflow in the Windows Server service (MS08-067, reached via SMB/NetBIOS; 2008; several million infections within hours)
Mirai: abused weak Telnet passwords in Internet-of-Things devices (2016; hundreds of thousands of infected devices, abused for record-size DDoS attacks)

Rootkits
Rootkits are special kinds of malware that embed and hide in the system
Main goal is to hide from anti-virus software and administrators
User-mode rootkits operate entirely in user space:
Inject a malicious library into an existing, benign process
Inject a backdoor into an otherwise benign program (e.g., sshd)
Kernel-mode rootkits modify the kernel:
Unlink the process from the list of running processes (DKOM)
Rewrite system call table entries (e.g., the SSDT on Windows) to point to attacker code
Yet: recent OSes have been hardened against kernel-mode rootkits (e.g., Windows requires device drivers to be signed, and 64-bit Windows detects SSDT modifications via Kernel Patch Protection)

Command & Control

Communication Protocols
Malware communication often tries to hide:
Blends into HTTP(S) traffic
Koobface: communicates via Facebook
iWorm: fetches botnet server addresses from Reddit user comments
Waledac: fetches commands hidden in images via steganography
Misc. malware strains abuse tweets
Abuse DNS for exchanging data (DNS tunneling)
Dozens of proprietary protocols
Anything on top of UDP/TCP
But: easier to notice and possibly firewalled

Centralized Architectures
Star topology: one centralized Command & Control (C&C or C2) server
Bots connect to the server to upload data or download updates and commands
Single point of failure: take down the server and the botnet is headless

Hybrid: Domain Generation Algorithms (Semi-Centralized)
A DGA generates DNS domain names based on some input; typically, DGAs are date/time-based
The bot resolves the generated names until it finds one the botmaster has registered; the DGA is thus a shared secret between bot and botmaster
Example domains generated by a DGA (from the slide): iuqottyz.com, b82k..28aj.com, zzpl1nbq.com, ll18rtuz.com, spxu8qer.com, po3b8nuz.com, rrsw38zy.com, asf9..gz2f.com, 1u9bdzbv.com
Defenders who reverse the DGA can pre-compute and sinkhole future domains; botmasters counter with large daily domain sets and by signing the commands served
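A date-seeded DGA and the three parties who use it, as an added example (editor-written code, not the lecture's or any real family's algorithm; the seed string is a hypothetical per-family constant that in practice is recovered by reversing a sample). Besides the bot's rendezvous loop it shows the defender's side the passage mentions: once the algorithm is known, the coming days' domains can be pre-computed for sinkholing, and names from a DNS log can be matched against the candidate set.

```python
import datetime
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
FAMILY_SEED = b"lecture-dga-example"   # hypothetical per-family secret shared by bot and botmaster

def _as_date(day):
    """Accept datetime.date or an ISO string like '2024-03-01'."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)

def dga_domains(day, count: int = 8, length: int = 8, tld: str = ".com", seed: bytes = FAMILY_SEED) -> list:
    """Date-seeded DGA: bot and botmaster derive the same list from (seed, date, index)."""
    day = _as_date(day)
    domains = []
    for idx in range(count):
        material = seed + day.isoformat().encode() + idx.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        domains.append(label + tld)
    return domains

def bot_rendezvous(day, resolve):
    """Bot side: walk the day's candidates until one resolves. resolve(domain) -> IP or None.
    The botmaster only has to register one of the candidates ahead of time."""
    for domain in dga_domains(day):
        ip = resolve(domain)
        if ip:
            return domain, ip
    return None

def sinkhole_candidates(start_day, days: int) -> set:
    """Defender side: pre-compute every domain the bots will try over the next `days` days."""
    start = _as_date(start_day)
    names = set()
    for offset in range(days):
        names.update(dga_domains(start + datetime.timedelta(days=offset)))
    return names

def is_dga_domain(domain: str, day, window: int = 1) -> bool:
    """Detector side: does a resolved name belong to the candidate set for day +/- window?
    The window absorbs clock skew between bots and the sensor."""
    center = _as_date(day)
    return any(domain in dga_domains(center + datetime.timedelta(days=off))
               for off in range(-window, window + 1))

def classify_dns_log(lines: list, day) -> list:
    """Run the detector over log lines of the form '<client> <qname> <qtype>' (constructed format)."""
    hits = []
    for line in lines:
        client, qname = line.split()[:2]
        if is_dga_domain(qname, day):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    today = "2024-03-01"
    print(dga_domains(today))
    print(len(sinkhole_candidates(today, 30)), "domains to sinkhole this month")
    # Constructed log: one client hitting today's third candidate, one benign lookup.
    log = ["10.0.0.5 " + dga_domains(today)[2] + " A", "10.0.0.6 example.com A"]
    print(classify_dns_log(log, today))
```

The asymmetry the slide calls "shared secret" is visible in the numbers: with 8 names per day the defender registers a few hundred domains per month to hijack the botnet, so real families raise count into the thousands, which in turn makes their DNS traffic conspicuous (many NXDOMAIN answers per host per day), the signal that classify_dns_log stands in for.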

Peer-to-Peer (P2P) Botnets
Bots make up a P2P network: G := (V, E) with the bots as vertices V and known-peer relations as edges E
Each bot v knows only a subset of the other bots, its peer list E_v := {(v, u) ∈ E}
Bot commands are signed (so that peers, or defenders who join the network, cannot inject commands)
Structured P2P: distributed hash table (DHT), commands stored under IDs
Unstructured P2P: no distributed hash table, commands spread via broadcast

Malware Countermeasures

Anti-Virus Software
Anti-virus software integrates into a system to shield it against malware
Typically deep integration that requires kernel modules / filter drivers
Can monitor any program's system interactions (e.g., API calls, forks, etc.)
A/V detection strategies:
Search executables for malicious patterns of known malware (signatures)
Check the behavior of a program (e.g., hooking is deemed suspicious)
Validate whether the executable's hash is on a malware blacklist
Upload unknown programs to the cloud to analyze them in malware sandboxes
The malware arms race: A/V is not perfect
Polymorphic malware can evade static malware signatures and hashes
Hooks can be placed in alternative manners (e.g., not at the beginning of a function)
Malware tries to evade behavioral checks by deferring malicious behavior (e.g., sleeping or waiting for user interaction before acting)

Further Countermeasures
Install system and software updates
More recent software fixes the vulnerabilities of older releases
Never use OSes that are end-of-life (e.g., Windows XP, CentOS 5, )
User education
Do not open potentially malicious attachments
Disable active scripts in browsers (if possible) or use a VM for unsafe sites
Never blindly trust media (e.g., memory sticks)
Malware sandboxes
Execute unknown programs in a contained environment
Judge whether a program is malicious based on its behavior
