
Malware

25/09/2019 EL5112 - Sem 1 2019/2020 1


ADAPTED from:

Information Security
CS 526
Topic 13-a

Overview of Malwares



ADAPTED from:

CS155 Spring 2009


Elie Bursztein
MALWARE



Malware
• a set of instructions that run on your
computer and make your system do
something that an attacker wants it to do.
• Use case:
• Steal personal information
• Delete files
• Click fraud
• Steal software serial numbers
• Use your computer as relay



Malware Types
• Infectious:
– Viruses, worms
• Concealment:
– Trojan horses, and backdoors (trapdoors), logic bombs, rootkits
• Malware for stealing information:
– Spyware, keyloggers, screen scrapers
• Malware for profit:
– Dialers, scarewares, ransomware
• Botnets
• Many malware samples have characteristics of multiple types



The Malware Zoo
• Virus
• Backdoor
• Trojan horse
• Rootkit
• Scareware
• Adware
• Worm



Number of malware signatures
[Figure; source: Symantec report 2009]

Malware Repartition
[Figure; source: Panda Q1 report 2009]

What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR
• Hypervisor



Overwriting malware
[Figure: the malware overwrites the targeted executable; the infected host holds the malware in place of the original code]

Prepending malware
[Figure: the malware is inserted before the targeted executable's code; the infected host holds the malware followed by the original executable]

Appending malware
[Figure: the malware is added after the targeted executable's code; the infected host holds the original executable followed by the malware]

Cavity malware
[Figure: the malware is placed inside an unused region (cavity) of the targeted executable]

Multi-Cavity malware
[Figure: the malware is split across several cavities inside the targeted executable]

Packers
[Figure: the packer wraps the malware payload; the infected host executable holds the packer plus the packed payload]


Packer functionalities
• Compress
• Encrypt
• Randomize (polymorphism)
• Anti-debug technique (int / fake jmp)
• Add junk
• Anti-VM
• Virtualization


Auto start
• Folder auto-start: C:\Documents and Settings\[user_name]\Start Menu\Programs\Startup
• Win.ini: "run=[backdoor]" or "load=[backdoor]"
• System.ini: shell="myexplorer.exe"
• Wininit
• Config.sys


Auto start cont.
• Associate a known extension (.doc) with the malware
• Add a Registry key such as
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Add a task in the task scheduler
• Run as service


Unix autostart
• Init.d
• /etc/rc.local
• .login .xsession
• crontab
– crontab -e
– /etc/crontab



Macro virus
• Use the builtin script engine
• Examples of callbacks used (Word)
– AutoExec()
– AutoClose()
– AutoOpen()
– AutoNew()



Document based malware
• MS Office
• Open Office
• Acrobat



Trojan Horse
• Software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms the system.
• User tricked into executing Trojan horse
– Expects (and sees) overt and expected behavior
– Covertly performs malicious acts with user's authorization

Example:
• Attacker: place the following file as /homes/victim/ls
    cp /bin/sh /tmp/.xxsh
    chmod u+s,o+x /tmp/.xxsh
    rm ./ls
    ls $*
• Victim:
    ls
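The trojaned ls above only works because the victim's shell resolves "ls" through a PATH that contains the current directory, and because the dropped /tmp/.xxsh is a setuid copy of a shell. The following is an added example, not code from the slides: resolve_command() replays the shell's lookup, path_risks() audits a PATH string for the entries that make the lookup hijackable, and setuid_files() lists setuid/setgid files in a single directory such as /tmp. The function names and the sample directory layout built by demo() are constructed for this example.

```python
"""Added example (not from the slides): checks against the trojaned-ls scenario."""
import os
import stat
import tempfile


def resolve_command(cmd, path_value, cwd):
    """Return the path a shell would execute for ``cmd``, or None.

    PATH is searched left to right; an empty entry or '.' means the current
    working directory, exactly the behaviour the trojan relies on."""
    for entry in path_value.split(os.pathsep):
        directory = cwd if entry in ("", ".") else entry
        if not os.path.isabs(directory):
            directory = os.path.join(cwd, directory)
        candidate = os.path.join(directory, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def path_risks(path_value):
    """Entries of PATH that let a file in the working directory shadow a
    system binary: empty entries (reported as '<empty>'), '.', and any
    relative directory."""
    risks = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            risks.append("<empty>")
        elif entry == "." or not os.path.isabs(entry):
            risks.append(entry)
    return risks


def setuid_files(directory):
    """Regular files directly under ``directory`` with setuid or setgid set."""
    hits = []
    for entry in os.scandir(directory):
        try:
            st = entry.stat(follow_symlinks=False)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(entry.path)
    return sorted(hits)


def demo():
    """Constructed layout: a 'bin' dir holding the real ls, a victim home
    holding a trojan ls, and a 'tmp' dir with a dropped setuid file.
    Returns the outcome of the lookups and checks."""
    root = tempfile.mkdtemp(prefix="trojan-demo-")
    system, home, tmp = (os.path.join(root, d) for d in ("bin", "home", "tmp"))
    for d in (system, home, tmp):
        os.mkdir(d)
    for d, body in ((system, b"#!/bin/sh\necho real ls\n"),
                    (home, b"#!/bin/sh\necho trojan ls\n")):
        path = os.path.join(d, "ls")
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o755)
    dropped = os.path.join(tmp, ".xxsh")           # stands in for the copied shell
    with open(dropped, "wb") as fh:
        fh.write(b"placeholder\n")
    os.chmod(dropped, 0o4711)                      # u+s,o+x as in the slide's script
    safe_path = system
    risky_path = "." + os.pathsep + system
    return {
        "safe": resolve_command("ls", safe_path, cwd=home) == os.path.join(system, "ls"),
        "hijacked": resolve_command("ls", risky_path, cwd=home) == os.path.join(home, "ls"),
        "risks": path_risks(risky_path),
        "setuid": [os.path.basename(p) for p in setuid_files(tmp)],
    }


if __name__ == "__main__":
    print(demo())
    print("PATH risks on this machine:", path_risks(os.environ.get("PATH", "")))
```

With "." in PATH the lookup lands on the file in the victim's home directory; with an absolute-only PATH it does not, which is why auditing PATH and watching for setuid files in world-writable directories are the two defender checks for this class of Trojan.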


Trapdoor or Backdoor
• Secret entry point into a system
– Specific user identifier or password that
circumvents normal security procedures.
• Commonly used by developers
– Could be included in a compiler.



Logic Bomb
• Embedded in legitimate programs
• Activated when specified conditions met
– E.g., presence/absence of some file; particular date/time or particular user
• When triggered, typically damages system
– Modify/delete files/disks


Example of Logic Bomb
• In 1982, the Trans-Siberian Pipeline incident
occurred. A KGB operative was to steal the
plans for a sophisticated control system and
its software from a Canadian firm, for use on
their Siberian pipeline. The CIA was tipped
off by documents in the Farewell Dossier and
had the company insert a logic bomb in the
program for sabotage purposes. This
eventually resulted in "the most monumental
non-nuclear explosion and fire ever seen
from space".


Virus
• Attaches itself to a host (often a program) and replicates itself
• Self-replicating code
– Self-replicating Trojan horses
– Alters normal code with "infected" version
• Operates when infected code executed
    If spread condition then
        For target files
            if not infected then alter to include virus
    Perform malicious action
    Execute normal program


Worm
• Self-replicating malware that does not require a
host program
• Propagates a fully working version of itself to
other machines
• Carries a payload performing hidden tasks
– Backdoors, spam relays, DDoS agents; …
• Phases
– Probing ➔ Exploitation ➔ Replication ➔ Payload



Worm
• A worm is self-replicating software designed to spread through the network
– Typically, exploits security flaws in widely used services
– Can cause enormous damage
• Launch DDoS attacks, install bot networks
• Access sensitive information
• Cause confusion by corrupting the sensitive information
• Worm vs Virus vs Trojan horse
– A virus is code embedded in a file or program
– Viruses and Trojan horses rely on human intervention
– Worms are self-contained and may spread autonomously
Cost of worm attacks
• Morris worm, 1988
◼ Infected approximately 6,000 machines
  – 10% of computers connected to the Internet
◼ Cost ~ $10 million in downtime and cleanup
• Code Red worm, July 16 2001
◼ Direct descendant of Morris' worm
◼ Infected more than 500,000 servers
  – Programmed to go into infinite sleep mode July 28
◼ Caused ~ $2.6 billion in damages
• Love Bug worm: $8.75 billion
– Statistics: Computer Economics Inc., Carlsbad, California
Internet Worm (First major attack)
• Released November 1988
◼ Program spread through Digital, Sun workstations
◼ Exploited Unix security vulnerabilities
  – VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
• Consequences
◼ No immediate damage from program itself
◼ Replication and threat of damage
  – Load on network, systems used in attack
  – Many systems shut down to prevent further attack
Some historical worms of note

Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities, propagated to "nearby" systems
ADM       5/98   Random scanning of IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy, rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First significant Windows worm; completely memory resident
Walk      8/01   Recompiled source code locally
Nimda     9/01   Windows worm: client-to-server, client-to-client, server-to-server, ...
Scalper   6/02   11 days after announcement of vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth

Source: Kienzle and Elder
The Morris Worm: What It Did
⚫ The Morris worm was named after its creator,
Robert Morris. Morris was a graduate student
at Cornell University when he wrote the
worm. When he first deployed the worm, it
was able to infect over 6,000 computers in
just a few hours.



The Morris Worm: What It Did
⚫ Used the Internet and it did not need any
human assistance to spread.
⚫ Network traffic that was generated by the
worm scanning for other computers was
extensive.
⚫ The effort to determine if a particular
computer was infected, let alone remove it,
was also significant.
The Morris Worm: What It Did
⚫ took advantage of a vulnerability in a UNIX
program called fingerd
⚫ exploited a buffer overflow vulnerability in
the fingerd server
⚫ took advantage of a vulnerability in another
piece of software that is deployed on most
UNIX servers—the sendmail program



The Morris Worm: What It Did
⚫ took advantage of the debug mode to have the mails that it sends execute "arbitrary" code
⚫ took advantage of two additional UNIX commands, rexec and rsh
⚫ had a list of 432 common passwords hard-coded in it, and attempted to log into other machines using that list of passwords


The Morris Worm: What We
Learned
⚫ it attempted to use a buffer overflow
vulnerability in the finger daemon server
⚫ it took advantage of the debug mode in
sendmail
⚫ it tried to remotely log into hosts using
common usernames and passwords.



The Morris Worm: What We Learned
⚫ A first is that "diversity" is good
⚫ A second lesson that we learned is that large programs are particularly vulnerable to attack
⚫ A small program is not necessarily any less vulnerable to attack
⚫ A third lesson from the Morris worm is the importance for users to choose good passwords
The Creation of CERT
⚫ Due to the damage and level of disruption
that the Morris worm caused in 1988, the US
government decided to fund an organization
called the Computer Emergency Response
Team (CERT).
⚫ Carnegie Mellon University ran CERT as a
research, development, and coordination
center for emergency response to attacks.
Increasing propagation speed
• Code Red, July 2001
◼ Affects Microsoft Index Server 2.0,
  – Windows 2000 Indexing service on Windows NT 4.0
  – Windows 2000 that run IIS 4.0 and 5.0 Web servers
◼ Exploits known buffer overflow in Idq.dll
◼ Vulnerable population (360,000 servers) infected in 14 hours
• SQL Slammer, January 2003
◼ Affects Microsoft SQL Server 2000
◼ Exploits known buffer overflow vulnerability
  – Server Resolution service vulnerability reported June 2002
  – Patch released in July 2002, Bulletin MS02-039
◼ Vulnerable population infected in less than 10 minutes
The Code Red Worm
⚫ In 2001, the Code Red worm surfaced (CERT
2002).
⚫ It exploited a buffer overflow vulnerability in
the Microsoft IIS web server
⚫ randomly scanning other IP addresses to try
to connect to other IIS web servers
⚫ It spread from one web server to another
quickly (over 2,000 hosts per minute)
Code Red
• Initial version released July 13, 2001
◼ Sends its code as an HTTP request
◼ HTTP request exploits buffer overflow
◼ Malicious code is not stored in a file
  – Placed in memory and then run
• When executed,
◼ Worm checks for the file C:\Notworm
  – If file exists, the worm thread goes into infinite sleep state
◼ Creates new threads
  – If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses
The Code Red Worm
⚫ The entire process took milliseconds. Human response takes minutes or hours.
⚫ To avoid detection, Code Red would just stay resident in the web server's memory
⚫ much more easily detectable by humans than by some virus scanners
⚫ it could be eliminated just by rebooting the machine
Code Red of July 13 and July 19
• Initial release of July 13
◼ 1st through 20th of month: spread
  – via random scan of 32-bit IP address space
◼ 20th through end of each month: attack
  – Flooding attack against 198.137.240.91 (www.whitehouse.gov)
◼ Failure to seed random number generator → linear growth
• Revision released July 19, 2001
◼ White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
◼ Causes Code Red to die for date ≥ 20th of the month
◼ But: this time random number generator correctly seeded

Slides: Vern Paxson
Infection Rate
[Figure: infection rate over time]
Measuring activity: network telescope
Monitor cross-section of Internet address space, measure traffic
◼ "Backscatter" from DoS floods
◼ Attackers probing blindly
◼ Random scanning from worms
LBNL's cross-section: 1/32,768 of Internet
UCSD, UWisc's cross-section: 1/256
Spread of Code Red
Network telescope estimate of # infected hosts: 360K.
(Beware DHCP & NAT)
Course of infection fits classic logistic.
Note: the larger the vulnerable population, the faster the worm spreads.
That night (20th), worm dies ...
• ... except for hosts with inaccurate clocks!
It just takes one of these to restart the worm on August 1st ...

Slides: Vern Paxson

[Figure: untitled plot; Slides: Vern Paxson]
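The "classic logistic" curve the Spread of Code Red slide refers to, worked through as an added example that is not part of the slides. The notation is this example's own: N is the number of vulnerable hosts, I(t) the number infected at time t, and k the per-host infection rate, with dI/dt = k·I·(1 − I/N). The slide's remark that a larger vulnerable population spreads faster follows once k is tied to the scan rate: under random scanning of a 2^32 address space, each probe hits a vulnerable host with probability N/2^32, so k scales with N. The scan rate and population sizes used below are assumptions chosen to be in the range the slides discuss, not measurements.

```python
"""Added example (not from the slides): logistic model of random-scanning worm spread."""
import math


def contact_rate(scans_per_hour, N, address_space=2 ** 32):
    """Per-host infection rate k. Assumption: each infected host sends
    ``scans_per_hour`` random probes, and a probe infects a vulnerable host
    with probability N / address_space."""
    return scans_per_hour * N / address_space


def logistic_infected(t, N, I0, k):
    """Closed-form solution of dI/dt = k*I*(1 - I/N) with I(0) = I0:
    I(t) = N / (1 + ((N - I0)/I0) * exp(-k t))."""
    return N / (1.0 + ((N - I0) / I0) * math.exp(-k * t))


def simulate(N, I0, k, dt, steps):
    """Euler integration of the same equation; returns I at each step so
    the take-off and saturation phases can be read off directly."""
    I = float(I0)
    trace = [I]
    for _ in range(steps):
        I += k * I * (1.0 - I / N) * dt
        trace.append(I)
    return trace


def time_to_fraction(N, I0, k, fraction):
    """Time until I(t) = fraction * N, solved from the closed form:
    t = ln( (N - I0)/I0 * target/(N - target) ) / k."""
    target = fraction * N
    return math.log((N - I0) / I0 * target / (N - target)) / k


if __name__ == "__main__":
    # Assumed scan rate: 10 probes/s per infected host = 36,000 per hour.
    for N in (36_000, 360_000):
        k = contact_rate(36_000, N)
        print(f"N={N:>7}: k={k:.3f}/h, 90% infected after "
              f"{time_to_fraction(N, 1, k, 0.9):.1f} hours")
```

Running the block shows the tenfold larger population reaching 90% infection roughly ten times sooner, because the per-host rate k grows with N while the number of hosts to infect also grows with N; the closed form and the Euler trace agree, so either can be used to fit telescope data like the 360K estimate on the slide.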
Code Red 2
• Released August 4, 2001.
• Comment in code: "Code Red 2."
◼ But in fact completely different code base.
• Payload: a root backdoor, resilient to reboots.
• Bug: crashes NT, only works on Windows 2000.
• Localized scanning: prefers nearby addresses.
• Kills Code Red 1.
• Safety valve: programmed to die Oct 1, 2001.

Slides: Vern Paxson
The Nimda Worm
⚫ The Nimda worm was very interesting since it
took some of what Code Red did and it made
it a lot worse
⚫ Nimda not only spread from web server to
web server, but it employed multiple
propagation vectors.
⚫ A propagation vector, in the context of
worms, is a method by which the worm
spreads to another machine.
The Nimda Worm
⚫ Nimda spread from web servers to web
clients by infecting files on the web server
⚫ Nimda sent out e-mails from the infected
client to other machines containing the
worm’s code as a payload



Striving for Greater Virulence: Nimda
• Released September 18, 2001.
• Multi-mode spreading:
– attack IIS servers via infected clients
– email itself to address book as a virus
– copy itself across open network shares
– modifying Web pages on infected servers with client exploit
– scanning for Code Red II backdoors (!)
• worms form an ecosystem!
• Leaped across firewalls.

Slides: Vern Paxson
[Figure: worm activity over time, annotated: Code Red 2 kills off Code Red 1; CR 1 returns thanks to bad clocks; Nimda enters the ecosystem; Code Red 2 settles into weekly pattern; Code Red 2 dies off as programmed]

Slides: Vern Paxson
The Blaster and SQL Slammer Worms
⚫ In 2003, the Blaster and SQL Slammer worms surfaced
⚫ Vulnerability disclosed: 25 June 2002
⚫ Better scanning algorithm
⚫ UDP single packet: 380 bytes
⚫ took advantage of a buffer overflow vulnerability in Microsoft's operating system
⚫ attacked a Distributed Component Object Model (DCOM) service that was running as part of the operating system
The Blaster and SQL Slammer Worms
⚫ Once the worm caused the system to shut down and reboot, the worm issued a DDoS attack against the Windows Update site (http://windowsupdate.microsoft.com)
⚫ SQL Slammer took advantage of a buffer overflow vulnerability.
⚫ SQL Slammer attacked the Microsoft SQL Server database application.
The Blaster and SQL Slammer Worms
⚫ What set SQL Slammer apart is that it took a single UDP packet of only 376 bytes to exploit the buffer overflow vulnerability to propagate the worm
⚫ The worm infected at least 75,000 hosts, and 90 percent of them were infected within the first 10 minutes of the worm's release


Slammer propagation
[Figure: Slammer propagation]

Number of scan/sec
[Figure: number of scans per second]

Packet loss
[Figure: packet loss]

A server view
[Figure: a server view]


Consequences
• ATM systems not available
• Phone network overloaded (no 911!)
• 5 DNS root servers down
• Planes delayed


How do worms propagate?
Scanning worms: worm chooses "random" address
Coordinated scanning: different worm instances scan different addresses
Flash worms
◼ Assemble tree of vulnerable hosts in advance, propagate along tree
  – Not observed in the wild, yet
  – Potential for 10^6 hosts in < 2 sec! [Staniford]
Meta-server worm: ask server for hosts to infect (e.g., Google for "powered by phpbb")
Topological worm: use information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
Contagion worm: propagate parasitically along with normally initiated communication
Spyware
• Malware that collects little bits of information at a time about users without their knowledge
– Keyloggers: stealthily tracking and logging key strokes
– Screen scrapers: stealthily reading data from a computer display
– May also track browsing habits
– May also re-direct browsing and display ads
Scareware
• Software
– with malicious payloads, or of limited or no benefit
– Sold by social engineering to cause shock, anxiety, or the perception of a threat
• Rapidly increasing
– Anti-Phishing Working Group: # of scareware packages rose from 2,850 to 9,287 in 2nd half of 2008.
– In 1st half of 2009, the APWG identified a 583% increase in scareware programs.
– A 2010 study by Google found 11,000 domains hosting fake anti-virus software, accounting for 50% of malware delivered via Internet advertising


Ransomware
• Holds a computer system, or the data it contains, hostage against its user by demanding a ransom.
– Disable an essential system service or lock the display at system startup
– Encrypt some of the user's personal files, originally referred to as cryptoviruses, cryptotrojans or cryptoworms
• Victim user has to
– enter a code obtainable only after wiring payment to the attacker or sending an SMS message
– buy a decryption or removal tool


Zombie & Botnet
• Secretly takes over another networked computer by exploiting software flaws
• Builds the compromised computers into a zombie network or botnet
– a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.
• Uses it to indirectly launch attacks
– E.g., DDoS, phishing, spamming, cracking
Detailed Steps (1)
1. Attacker scans the Internet for unsecured systems that can be compromised
[Figure: Attacker, Internet, Unsecured Computers]

Detailed Steps (2)
2. Attacker secretly installs zombie agent programs, turning unsecured computers into zombies
[Figure: Attacker, Internet, Unsecured Computers becoming Zombies]

Detailed Steps (3)
3. Zombie agents "phone home" and connect to a master server
[Figure: Attacker, Internet, Zombies, Master Server]

Detailed Steps (4)
4. Attacker sends commands to the Master Server to launch a DDoS attack against a targeted system
[Figure: Attacker, Internet, Zombies, Master Server]

Detailed Steps (5)
5. Master Server sends signal to zombies to launch attack on targeted system
[Figure: Attacker, Internet, Zombies, Master Server, Targeted System]

Detailed Steps (6)
6. Targeted system is overwhelmed by zombie requests, denying requests from normal users
[Figure: Attacker, Internet, Zombies, Master Server, Targeted System, User System ("Request Denied")]
Rootkit
• A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
• Emphasis is on hiding information from administrators' view, so that malware is not detected
– E.g., hiding processes, files, opened network connections, etc.
• Example: Sony BMG copy protection rootkit scandal
– In 2005, Sony BMG included Extended Copy Protection on music CDs, which was automatically installed on Windows when the CDs were played.
Types of Rootkits
• User-level rootkits
– Replace utilities such as ps, ls, ifconfig, etc
– Replace key libraries
– Detectable by utilities like tripwire
• Kernel-level rootkits
– Replace or hook key kernel functions
– Through, e.g., loadable kernel modules or direct kernel memory
access
– A common detection strategy: compare the view obtained by
enumerating kernel data structures with that obtained by the API
interface
– Can be defended by kernel-driver signing (required by 64-bit
windows)
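The cross-view detection strategy named above (compare what the kernel's enumeration API reports with what a different route reports), applied to the process list. This is an added example, not code from the slides: one view is the /proc directory listing, which a hooked readdir can filter, and the other is per-PID probing with kill(pid, 0), which asks the kernel about one PID at a time and is much harder to filter consistently. Any PID present in the probe view but absent from the listing is reported as hidden. The function names are this example's own and the views returned by demo_views() are constructed.

```python
"""Added example (not from the slides): cross-view process-list comparison on Linux."""
import os


def proc_view():
    """PIDs according to the /proc directory listing (the 'API' view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def signal_view(max_pid):
    """PIDs that exist according to kill(pid, 0). EPERM (PermissionError)
    still means the process exists; ESRCH (ProcessLookupError) means it
    does not. No signal is actually delivered."""
    present = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            present.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            present.add(pid)
    return present


def cross_view_diff(listing, probed):
    """Return (hidden, phantom): PIDs the probe finds but the listing omits
    (what a process-hiding hook produces), and PIDs listed but not probed
    (usually processes that exited between the two collections)."""
    return sorted(probed - listing), sorted(listing - probed)


def demo_views():
    """Constructed sample: the listing lacks PID 4242, which the probe finds."""
    listing = {1, 2, 100, 250, 4100}
    probed = {1, 2, 100, 250, 4100, 4242}
    return listing, probed


if __name__ == "__main__":
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768
    hidden, phantom = cross_view_diff(proc_view(), signal_view(pid_max))
    print("hidden:", hidden)
    print("phantom (likely races, re-run to confirm):", phantom)
```

Collect the two views as close together in time as possible and re-run on any difference: a PID that is hidden on repeated runs is the signal, a one-off phantom is a race. A kernel rootkit that hooks both paths defeats this particular pair of views, which is the reason the slide pairs it with driver signing and with the later point that whoever is lower in the stack wins.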
More Rootkits
• Bootkit (variant of kernel-level rootkit)
– Replace the boot loader (master boot record)
– Used to attack full disk encryption key
– Malicious boot loader can intercept encryption keys or disable requirement for kernel-driver signing
• Hypervisor-level rootkits
• Hardware/firmware rootkits
• Whoever gets to the lower level has the upper hand.


Userland root kit
– Perform
• login
• sshd
• passwd
– Hide activity
• ps
• netstat
• ls
• find
• du
Subverting the Kernel
• Kernel tasks
– Process management
– File access
– Memory management
– Network management
• What to hide
– Processes
– Files
– Network traffic
Kernel rootkit
[Figure: processes P1, P2, P3 and ps above the KERNEL; a rootkit inside the kernel sits between ps and the process list; below the kernel the hardware: HD, keyboard, mouse, NIC, GPU]
Subverting techniques
• Kernel patch
• Loadable Kernel Module
• Kernel memory patching (/dev/kmem)



Windows Kernel
[Figure: Windows architecture. User mode: processes P1, P2, ..., Pn and Csrss.exe; Win32 subsystem DLLs (User32.dll, Gdi32.dll and Kernel32.dll) and other subsystems (OS/2, POSIX); Ntdll.dll. Kernel mode: Executive (ntoskrnl.exe), underlying kernel, kernel device drivers, Hardware Abstraction Layer (HAL.dll). Hardware below.]

[Figure: hooking points on the system call path from a process (P2) through the Win32 subsystem DLLs and Ntdll.dll into ntoskrnl.exe, labelled A, B and C on the slide: interrupt hook; system service dispatch through the system service dispatcher table, with a table entry redirected to a new pointer; a driver overwriting functions; a driver replacing functions]
MBR/Bootkit
• Bootkits can be used to avoid all protections of an OS, because the OS assumes that the system was in a trusted state at the moment the OS boot loader took control.


[Figure: Windows 7 boot chain: BIOS → MBR → VBS (NT boot sector) → BOOTMGR.EXE → WINLOAD.EXE → Windows 7 kernel and HAL.DLL]


Vboot
• Works on every Windows (Vista, 7)
• 3 KB
• Bypasses checks by letting them run and then doing in-flight patching
• Communicates via ping


Hypervisor rootkit
[Figure, before: App, App running on the Target OS, which runs on the Hardware]
[Figure, after: App, App still running on the Target OS, but the Target OS now runs as a guest of a Virtual machine monitor; a Rogue app and the Host OS sit beside it, above the Hardware]


PROPAGATION VECTOR
• Shared folder [screenshot]
• Email propagation [screenshot]
• Valentine day ... [screenshot]
• Waledac malicious domain [screenshot]
• Email again [screenshot]
• Fake codec [screenshot]
• Fake antivirus [screenshot]
• Hijack your browser [screenshot]
• Fake page! [screenshot]
• P2P files: popular query; 35.5% are malware (Kalafut 2006)
[Screenshots on these slides are from the PandaLabs blog and Symantec 2009]


DETECTION



Anti-virus
• Analyze system behavior
• Analyze binary to decide if it is a virus
• Types:
– Scanner
– Real time monitor


Impossibility result
• It is not possible to build a perfect
virus/malware detector (Cohen)



Impossibility result
• Diagonal argument
• P is a perfect detection program
• V is a virus
• V can call P
– if P(V) = true -> halt
– if P(V) = false -> spread

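The diagonal argument on the slide, made concrete as an added example (not code from the slides). A "detector" is any function that inspects a program and returns True for "virus". For every such detector P, contrary_program() builds a program V that calls P on itself and does the opposite of what the verdict predicts, so P is wrong on V. Three candidate detectors are shown being defeated the same way. The class and function names are this example's own; a program's "spreading" is modelled as its body returning True.

```python
"""Added example (not from the slides): Cohen's diagonal argument in miniature."""


class Program:
    """A program is a named callable; run() returns True when it 'spreads'."""

    def __init__(self, name, body):
        self.name = name
        self.body = body          # body(self) -> bool

    def run(self):
        return self.body(self)


def contrary_program(detector):
    """Build V for a detector P: V halts if P(V) says 'virus', spreads if
    P(V) says 'clean', exactly the two cases on the slide."""
    def body(self_program):
        if detector(self_program):   # if P(V) = true -> halt
            return False
        return True                  # if P(V) = false -> spread
    return Program("V", body)


def detector_is_correct(detector, program):
    """A detector is correct on a program iff its verdict matches what the
    program actually does when run."""
    return detector(program) == program.run()


# Three candidate 'perfect' detectors, each defeated by its own V.
def says_everything_is_clean(program):
    return False


def says_everything_is_virus(program):
    return True


def checks_name(program):
    return program.name == "V"


def defeat_all(detectors):
    """Names of the detectors that are wrong on their contrary program."""
    return [d.__name__ for d in detectors
            if not detector_is_correct(d, contrary_program(d))]


if __name__ == "__main__":
    candidates = [says_everything_is_clean, says_everything_is_virus, checks_name]
    print("defeated:", defeat_all(candidates))
```

The construction does not depend on how clever the detector is: whatever P does, V inverts it. A detector that tries to settle the question by running the candidate (`lambda p: p.run()`) does not escape either; on V it recurses without end, which is the halting-problem face of the same result and the reason practical anti-virus settles for signatures, heuristics and sandboxes rather than a decision procedure.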


Virus signature
• Find a string that can identify the virus
• Fingerprint like

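A minimal signature scanner of the kind the slide describes, added here as an example that is not code from the slides. Each signature is a byte string that identifies a family, and a file is flagged when the string appears anywhere in it. Files are read in chunks with an overlap so a pattern that straddles a chunk boundary is still found. The signature database (which includes the first line of the Trojan script from the earlier slide) and the sample directory built by demo_tree() are constructed for this example and identify nothing real.

```python
"""Added example (not from the slides): byte-string signature scanning."""
import os
import tempfile

# Constructed signature database: family name -> byte pattern.
SIGNATURES = {
    "Demo.Trojan.A": b"cp /bin/sh /tmp/.xxsh",        # line from the Trojan slide's script
    "Demo.Dropper.B": b"\x90\x90\x90\xeb\x1f\x5e",     # constructed byte pattern
}


def scan_bytes(data, signatures=SIGNATURES):
    """Sorted names of every signature whose pattern occurs in ``data``."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_file(path, signatures=SIGNATURES, chunk=1 << 20):
    """Scan a file chunk by chunk, carrying the last (longest-1) bytes of the
    previous window forward so a pattern split across chunks is not missed."""
    longest = max(len(p) for p in signatures.values())
    found = set()
    carry = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = carry + block
            found.update(scan_bytes(window, signatures))
            carry = window[-(longest - 1):] if longest > 1 else b""
    return sorted(found)


def scan_tree(root, signatures=SIGNATURES):
    """Map each flagged file under ``root`` (relative path) to its matches."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, signatures)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo_tree():
    """Constructed sample: a clean file, the Trojan script, and a binary whose
    pattern starts at offset 13 so that it straddles a 16-byte chunk."""
    root = tempfile.mkdtemp(prefix="sigdemo-")
    samples = {
        "clean.txt": b"nothing to see here\n",
        "ls": b"#!/bin/sh\ncp /bin/sh /tmp/.xxsh\nchmod u+s,o+x /tmp/.xxsh\nrm ./ls\nls $*\n",
        "blob.bin": b"A" * 13 + b"\x90\x90\x90\xeb\x1f\x5e" + b"B" * 10,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(scan_tree(demo_tree()))
```

The chunk-boundary carry is the part naive scanners get wrong; the test exercises it with a 16-byte chunk. Signature matching is also exactly what the packers described earlier defeat, since the packed payload no longer contains the pattern on disk, which is why the "Dealing with Packer" slide scans memory after the unpacking has run.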


Heuristics
• Analyze program behavior
– Network access
– File open
– Attempt to delete file
– Attempt to modify the boot sector



Checksum
• Compute a checksum for
– Good binary
– Configuration file
• Detect change by comparing checksum
• At some point there will be more malware than "goodware" ...
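The checksum approach above as a small integrity checker, added as an example that is not code from the slides: a baseline of SHA-256 digests is taken for the known-good binaries and configuration files, and a later run reports files that changed, appeared or disappeared. SHA-256 is this example's choice of checksum; the function names and the sample tree built by demo() are constructed.

```python
"""Added example (not from the slides): file integrity baseline and comparison."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in 64 KiB blocks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> digest for every regular file under ``root``."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                table[os.path.relpath(path, root)] = file_digest(path)
    return table


def save_baseline(table, path):
    with open(path, "w") as fh:
        json.dump(table, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Sorted lists of modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline two files, then replace one binary,
    delete one config and drop a new file, as a Trojan install would."""
    root = tempfile.mkdtemp(prefix="integ-")
    store = tempfile.mkdtemp(prefix="integ-baseline-")   # kept outside the tree

    def put(rel, body):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

    put("bin/ls", b"original ls binary")
    put("etc/app.conf", b"debug=0\n")
    baseline_path = os.path.join(store, "baseline.json")
    save_baseline(snapshot(root), baseline_path)

    put("bin/ls", b"trojaned ls binary")
    os.remove(os.path.join(root, "etc", "app.conf"))
    put("bin/.xxsh", b"dropped file")
    return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the surrounding slides. The baseline must live somewhere the attacker cannot rewrite (read-only media or a signed store), or the first thing a rootkit does is re-baseline; and a kernel-level rootkit can feed the checker the original bytes while executing modified ones, so a checksum run from inside the compromised OS is only as trustworthy as the kernel underneath it. The "more malware than goodware" remark is the flip side: a whitelist of known-good digests stays small while a blacklist of bad ones does not.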


Sandbox analysis
• Running the executable in a VM
• Observe it
– File activity
– Network
– Memory



Dealing with Packer
• Launch the exe
• Wait until it is unpacked
• Dump the memory


Worm Detection and Defense
Detect via honeyfarms: collections of "honeypots" fed by a network telescope.
◼ Any outbound connection from honeyfarm = worm.
  • (at least, that's the theory)
◼ Distill signature from inbound/outbound traffic.
◼ If telescope covers N addresses, expect detection when worm has infected 1/N of population.
Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
◼ 5 minutes to several weeks to write a signature
◼ Several hours or more for testing
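The two detection rules on the slide, run over constructed connection-log lines as an added example that is not code from the slides: honeyfarm_alerts() applies "any outbound connection from a honeypot = worm", and scan_suppressor() applies the scan-suppressor rule, blocking a source that fails to connect to too many distinct destinations inside a sliding window, in arrival order as an inline device would. The log format (epoch, source, destination, port, outcome), the threshold, the window and the addresses are assumptions for this example, not any real product's.

```python
"""Added example (not from the slides): honeyfarm alerting and scan suppression."""
from collections import defaultdict, deque

# Constructed sample log: "epoch src dst dport outcome" (outcome: ok | fail).
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.1.1 80 ok
1001 10.0.0.9 10.0.1.1 80 fail
1002 10.0.0.9 10.0.1.2 80 fail
1003 10.0.0.9 10.0.1.3 80 fail
1004 10.0.0.9 10.0.1.4 80 fail
1005 10.0.0.9 10.0.1.5 80 fail
1006 10.0.0.9 10.0.1.6 80 fail
1007 10.0.0.5 10.0.1.7 443 fail
1200 10.0.0.7 10.0.1.1 80 fail
1201 10.0.0.7 10.0.1.2 80 fail
1500 10.0.9.1 10.0.1.8 80 ok
1999 10.0.0.7 10.0.1.3 80 fail
2300 10.0.0.7 10.0.1.4 80 fail
2301 10.0.0.7 10.0.1.5 80 fail
2302 10.0.0.7 10.0.1.6 80 fail
"""


def parse(line):
    ts, src, dst, dport, outcome = line.split()
    return int(ts), src, dst, int(dport), outcome


def honeyfarm_alerts(lines, honey_hosts):
    """Every connection whose source is a honeypot address is an alert:
    nothing legitimate ever originates from the honeyfarm."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _port, _outcome = parse(line)
        if src in honey_hosts:
            alerts.append((ts, src, dst))
    return alerts


def scan_suppressor(lines, threshold=5, window=600):
    """Return {src: epoch_blocked} for sources whose failed connections
    reached ``threshold`` distinct destinations within ``window`` seconds.
    Once blocked, a source's later lines are dropped without inspection."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst) failures
    blocked = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _port, outcome = parse(line)
        if src in blocked or outcome != "fail":
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:  # expire failures outside the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            blocked[src] = ts
    return blocked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("honeyfarm alerts:", honeyfarm_alerts(lines, {"10.0.9.1"}))
    print("blocked (600 s window):", scan_suppressor(lines))
    print("blocked (2000 s window):", scan_suppressor(lines, window=2000))
```

In the sample, 10.0.0.9 fails against five distinct hosts within seconds and is blocked on the fifth failure, while 10.0.0.7 spreads the same number of failures over more than the window and is not, which is the trade-off the slide's "too many other hosts" hides: a short window catches Slammer-speed scanning and misses slow scans, a long window does the reverse. Counting distinct destinations rather than raw failures keeps a host that retries one dead server from being flagged.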
