Security – Malware

Malware

  • Malicious code that is stored on and runs on a victim’s system  
  • How does it get to run?
    • Attacks a user- or network-facing vulnerable service (often using techniques we’ve just learned!)
    • Backdoor: Added by a malicious developer
    • Social engineering: Trick the user into running/clicking/installing
    • Trojan horse: Offer a good service, add in the bad
    • Attacker with physical access downloads and runs it 

Goals

  • Host Compromise
    • Attacker gains control of a host
  • Denial-of-Service (DoS attack)
    • Attacker prevents legitimate users from gaining service
  • Attack can be both
    • E.g., host compromise that provides resources for denial-of-service


What can it do?

  • Virtually anything, subject only to its permissions
    • Brag: “APRIL 1st HA HA HA HA YOU HAVE A VIRUS!” 
    • Destroy:
      • Delete/mangle files
      • Damage hardware (more later this lecture)
      • Crash the machine, e.g., by over-consuming resources
      • Fork bombing or “rabbits”: while(1) { fork(); }
    • Steal information (“exfiltrate”)
    • Launch external attacks
      • Spam, click fraud, denial of service attacks
    • Ransomware: e.g., by encrypting files
    • Rootkits: Hide from user or software-based detection
      • Often by modifying the kernel
      • Man-in-the-middle attacks to sit between UI and reality


When does it run?

  • Some wait for a trigger
    • Time bomb: triggered at/after a certain time
    • Logic bomb: triggered when a set of conditions hold
    • Can also include a backdoor that is used as leverage for a ransom
  • Some attach themselves to other pieces of code
    • Viruses: run when the user initiates something
    • Worms: run while another program is running


Types of Malware

  • Virus
    • Program that attaches itself to another (usually trusted) program
    • Runs when the user initiates something
  • Worm
    • Standalone
    • Replicates itself (No user intervention required)
  • Trojan horse
    • Allows a hacker to gain a “back way” in
    • Often relies on social engineering to gain access
  • Botnet
    • A collection of programs running autonomously and controlled remotely
    • Often used to mount DDoS attacks


Viruses

What is it?

  • A (malicious) piece of executable code that replicates by inserting/attaching copies of itself into other programs, files, etc.
  • Requires the spreading of an infected host file


Elk Cloner 1982

Written by a 15-year-old. It just displayed the following each time the system started. It spread through floppy disks. Not really malicious, but it was difficult to remove.


Melissa Virus 1999

  • Came through email including an MS Word attachment
  • Emailed itself to the first 50 people in Outlook’s contact list
  • Infected ~20% of computers, $1.2B in damages
  • Author was trying to impress a girl named Melissa…


Worms

What is it?

  • Like a virus but a worm does not need a host object
  • In that sense, a worm is a self-contained, standalone program
  • Has the capability to spread without human intervention
  • Often spread via email
  • Sometimes used to create botnets


Morris Worm 1988

  • Took advantage of known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as weak passwords
  • Morris claimed the worm was intended to gauge the size of the Internet, but it replicated itself far more aggressively than intended
  • Infected approximately 6000 computers
  • First significant worm 
  • Author – Morris – ended up becoming a professor at MIT…


ILOVEYOU 2000

  • Email with subject “ILOVEYOU” and attachment LOVE-LETTER-FOR-YOU.TXT.vbs
    • Exploited Windows hiding the known file extension, so the attachment looked like a .TXT file
  • Overwrote files on the computer with copies of itself, so it was very hard to remove
  • Once opened, sent itself to every contact in the user’s address book
  • ~10% of Internet-connected computers infected, $15B in damages
  • Authors were arrested (Philippines) but released because the Philippines didn’t have laws against cybercrime


SLAMMER 2003

  • Targeted web servers running a vulnerable version of Microsoft SQL Server
  • Generated random IP addresses to which it attempted to spread, infecting further computers
    • Crashed many routers with the flood of scanning traffic
  • Slowed down Internet access around the world, $750M in damages
  • Was only 367 bytes


MYDOOM 2004

  • Sent junk e-mail/spam through infected computers
  • Fastest spreading email worm (as of 2004)
  • Slowed down global internet access by 10%, $38B in damages


CONFICKER 2008

Once it infected a system, it would download other programs such as keyloggers. Its focus was on attacking authentication/access. It caused Internet slowdowns. Still seen today on IoT and SCADA systems.

STUXNET 2009

Targeted SCADA systems, specifically Iran’s nuclear program.

Trojans

What is it?

  • Usually infects a specific machine or set of machines in a network
  • May be embedded in a piece of code that actually does something useful, but that, at the same time, also does things that are malicious
  • Known to create back doors


ZEUS

  • Spread through drive-by downloads and phishing schemes
    • Drive-by: an automatic download or process that runs without the user’s control
  • Often used to steal banking information by man-in-the-browser keystroke logging and form grabbing  
  • Used to install the CryptoLocker ransomware


GHOSTRAT (RAT = Remote Access Trojan)

  • Believed to be used for “cyber espionage”
  • Gives the attacker complete control over the machine
  • GhostNet (2009)
  • Operation Night Dragon (2011)


Ransomware

What is it?

  • “Cryptoviral extortion”
  • Holds a computer system, or the data it contains, hostage against its user by demanding a ransom
    • Disable an essential system service or lock the display at system startup
    • Encrypt some of the user’s personal files
  • Typically carried out using a Trojan
  • Victim user has to
    • Enter a code obtainable only after wiring payment to the attacker
    • Buy a decryption or removal tool


CRYPTOLOCKER 2013

  • Spread via attachments to spam messages
  • Used RSA public key encryption to encrypt user files
  • Demanded payment in order to decrypt
  • Variants overall harvested about $3 million in ransom fees


WANNACRY 2017

  • Propagated through EternalBlue (hacker group)
    • First attack that maliciously utilized leaked hacking tools from the NSA
    • Required no user interaction
    • Exploited SMB (file transfer) protocol
  • In four days, more than 250,000 detections in 116 countries
  • Demanded ransom payments in Bitcoin! 
    • The malware checked in with a hardcoded site before running, so defenders used that site as a kill switch to block it


Botnets

What is it?

  • Usually equipped with a larger set of behaviors than a single virus or worm
  • Maintains a communication link with a human handler (the botmaster)
    • Each bot keeps some connection back to the botmaster
  • Often used for DDoS attacks and spam distribution

Command and Control Server

  • Bot must have some communication capabilities that allow it to receive commands/send results to the bot master
    • Push mode (IRC)
    • Pull mode (HTTP)
  • Each bot registers itself with the C&C server (Command and Control)
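
In pull mode each bot polls the C&C server on a timer, which leaves a regular beacon pattern in web proxy logs. The Python below is an added example, not from the slides: it flags (client, host) pairs whose request gaps have almost no jitter, over constructed log lines in an assumed "epoch client URL" format.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from the slides): epoch seconds, client IP, URL.
LOG_LINES = """\
1700000000 10.0.0.5 http://cdn.example.net/lib.js
1700000060 10.0.0.7 http://c2.example-bad.test/poll
1700000120 10.0.0.5 http://news.example.org/
1700000360 10.0.0.7 http://c2.example-bad.test/poll
1700000500 10.0.0.5 http://news.example.org/story
1700000662 10.0.0.7 http://c2.example-bad.test/poll
1700000959 10.0.0.7 http://c2.example-bad.test/poll
1700001261 10.0.0.7 http://c2.example-bad.test/poll
1700002100 10.0.0.5 http://news.example.org/sports
1700002200 10.0.0.5 http://news.example.org/weather
""".splitlines()

LINE_RE = re.compile(r"^(\d+) (\S+) https?://([^/\s]+)")

def beacon_candidates(lines, min_hits=4, max_cv=0.1):
    """Group requests by (client, destination host) and flag pairs whose
    inter-request gaps are nearly constant.  A pull-mode bot polling its
    C&C on a timer produces low-jitter gaps; a human browsing does not.
    Jitter is measured as coefficient of variation = stdev / mean."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, client, host = m.groups()
            times[(client, host)].append(int(ts))
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_hits:          # too few requests to judge periodicity
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[key] = round(mean(gaps), 1)   # average beacon interval in seconds
    return flagged

if __name__ == "__main__":
    for (client, host), interval in beacon_candidates(LOG_LINES).items():
        print(f"{client} -> {host}: beacon every ~{interval}s")
```

Real bots add random sleep to their poll interval, so in practice the jitter threshold is tuned against a baseline of normal traffic rather than fixed at 10%.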

 

CARNA (example of a botnet)

  • “Internet Census 2012”
  • An unknown researcher decided to scan the entire Internet
  • There are a lot of devices connected to the public Internet that shouldn’t be
    • Even many of those that should be aren’t well-secured
  • Found a total of 1.3 billion addresses “in use”
  • Data set is publicly available
  • http://census2012.sourceforge.net/paper.html
  • Was this right? Is it ethical? The researchers had good intentions, but it was a botnet accessing devices they did not have permission to use


MIRAI 2016

  • Affects IoT devices (IP cameras, routers)
  • Connects via telnet and attempts to log in using a list of 60 known credentials
  • Cannot survive a reboot
  • Has been used in a variety of DDoS attacks
  • Origins: students trying to take down Minecraft servers; they released their code publicly and others took it and expanded it


What happened to DYN? October 26, 2016 – DYN is major DNS provider

  • Dyn provides DNS services to 6% of Fortune 500 companies
  • At least three waves of DDoS attacks on Dyn
    • Morning, noon, and late afternoon
  • Twitter, Netflix, Spotify, Visa, AirBnB were among the affected sites
  • The attacks came from “things” infected by the Mirai malware


What “Things” were infected?

  • Mostly DVRs and IP cameras made by Xiongmai
    • Directly connected to the Internet with an IP address and with access to large bandwidth
    • Registries may list the IP addresses
  • How were they attacked?
    • Telnet/SSH backdoor with “hardcoded” password
  • Mirai created botnets of up to 100,000 “things”
    • Later used to attack Dyn 
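
Mirai’s credential-list scanning, and the hardcoded-password telnet logins used against the Xiongmai devices, leave a distinctive trace on the target: a burst of failed telnet logins for several usernames from one source, sometimes followed by a success. The Python below is an added detector over constructed syslog-style lines, not from the slides or from Mirai; the log format, thresholds and usernames are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style telnet login records (not real device logs).
LOG_LINES = """\
2016-10-21T12:00:01 dvr1 telnetd: LOGIN FAILED user=root from=203.0.113.9
2016-10-21T12:00:02 dvr1 telnetd: LOGIN FAILED user=admin from=203.0.113.9
2016-10-21T12:00:03 dvr1 telnetd: LOGIN FAILED user=support from=203.0.113.9
2016-10-21T12:00:04 dvr1 telnetd: LOGIN FAILED user=root from=203.0.113.9
2016-10-21T12:00:05 dvr1 telnetd: LOGIN FAILED user=supervisor from=203.0.113.9
2016-10-21T12:00:06 dvr1 telnetd: LOGIN OK user=root from=203.0.113.9
2016-10-21T12:05:00 dvr1 telnetd: LOGIN FAILED user=admin from=198.51.100.4
2016-10-21T12:30:00 dvr1 telnetd: LOGIN OK user=admin from=198.51.100.4
""".splitlines()

LINE_RE = re.compile(r"^(\S+) \S+ telnetd: LOGIN (FAILED|OK) user=(\S+) from=(\S+)$")

def detect_telnet_scanning(lines, window_s=60, max_failures=4):
    """Return {source_ip: alert} for sources with more than max_failures
    failed telnet logins inside a sliding window_s-second window, i.e. a
    credential-list scan.  If that source later logs in successfully the
    alert records it: a default password worked and the device is likely
    now part of the botnet."""
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    users = defaultdict(set)      # source -> usernames it tried
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        result, user, src = m.group(2), m.group(3), m.group(4)
        if result == "FAILED":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while ts - q[0] > window_s:   # drop failures older than the window
                q.popleft()
            if len(q) > max_failures:
                a = alerts.setdefault(src, {"failures": 0, "login_succeeded": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = sorted(users[src])
        elif src in alerts:
            alerts[src]["login_succeeded"] = True
    return alerts
```

The single failure from 198.51.100.4 stays below the threshold, so a user mistyping a password is not reported.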

 

HAJIME 2017

  • “‘Vigilante’ IoT worm” that blocks rival botnets
  • Most of the targets are Digital Video Recorders, followed by webcams and routers
    • Tries to patch or secure the IoT device
    • Gives a prompt to the user indicating it is trying to secure the system
    • Researchers not sure why this exists
  • Same infection mechanism as Mirai
  • Peer-to-peer botnet
  • No attacking code or capability, only propagation


Malware Prevention

Technical Challenges

  • Viruses: Detection
    • Antivirus software wants to detect
    • Virus writers want to avoid detection for as long as possible
    • Evade human response
  • Worms: Spreading
    • The goal is to hit as many machines and as quickly as possible
    • Outpace human response


Malware Analysis

  • Static
    • Reverse engineering
    • Dissect the malware to figure out what it is supposed to do and how to remove it
  • Dynamic
    • Run the malware inside of a sandbox and observe its behavior


Virus Detection

  • Scan files to see if they have code in them from known viruses
  • Scan files to see if the code will do virus-like things
  • Wait until a program does something it should not and then flag the program as infected 
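
The first two approaches above can be shown in code: a scanner that matches files against known-virus byte patterns and whole-file hashes, plus one static heuristic for the ILOVEYOU double-extension trick. The Python below is an added example, not from the slides or any antivirus product; the signatures and sample files are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed signatures for this demo (not real malware indicators).
BYTE_SIGNATURES = {"Demo.Virus.A": b"DEMO-VIRUS-PAYLOAD-MARKER"}
KNOWN_BAD_HASHES = {  # sha256 of a whole known-bad file
    hashlib.sha256(b"whole-file-sample-of-demo-worm").hexdigest(): "Demo.Worm.B"}
HARMLESS_EXTS = {"txt", "jpg", "pdf", "doc"}
EXECUTABLE_EXTS = {"vbs", "exe", "js", "scr", "bat"}

def scan_file(path):
    """Findings for one file: whole-file hash match, known byte pattern, or a
    double extension like LOVE-LETTER-FOR-YOU.TXT.vbs that hides an executable
    type behind a harmless-looking one (the ILOVEYOU trick)."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    name = KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        findings.append(("hash", name))
    for sig_name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            findings.append(("signature", sig_name))
    parts = os.path.basename(path).lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in HARMLESS_EXTS and parts[2] in EXECUTABLE_EXTS:
        findings.append(("heuristic", f"double extension hides .{parts[2]} file"))
    return findings

def scan_dir(root):
    """Scan every file under root; return {path: findings} for hits only."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            hits = scan_file(os.path.join(dirpath, fn))
            if hits:
                results[os.path.join(dirpath, fn)] = hits
    return results

def demo():
    """Write a constructed sample tree to a temp dir, scan it, and return
    {file name: [finding kinds]} so the result is easy to check."""
    d = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"just notes",
        "worm.bin": b"whole-file-sample-of-demo-worm",
        "infected.doc": b"header DEMO-VIRUS-PAYLOAD-MARKER trailer",
        "LOVE-LETTER-FOR-YOU.TXT.vbs": b'MsgBox "hi"',
    }
    for fn, body in samples.items():
        with open(os.path.join(d, fn), "wb") as f:
            f.write(body)
    return {os.path.basename(p): [k for k, _ in h] for p, h in scan_dir(d).items()}
```

A hash signature breaks as soon as one byte of the sample changes, which is why the virus writers in the next section work so hard on evasion and why real scanners layer pattern and behavior checks on top.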

 

Users

  • Don’t open attachments/documents or click links from people you don’t know
  • Don’t plug random USB drives into your computer
  • Use strong passwords
  • Keep your computer updated
  • Do regular backups