Information Security, Theory and Practice. Lecture 10: Malware


ISA 562

Information Security, Theory and Practice.


Lecture 10: Malware

Slides from Goodrich and Tamassia (unless otherwise credited.)
Logic Bombs
• A logic bomb is a program that performs a malicious
action as a result of a certain logic condition.
• In 1982, the CIA learned that Moscow was going to
steal software for use in handling a new gas pipeline
to Western Europe.
• The CIA inserted code that would set pump speeds
and valve pressures that were far too high.
• Resulted in the largest non-nuclear explosion ever
seen from space.

09/10/2021 Malware 2
Viruses, Worms, Trojans, Rootkits
• Malware can be classified into several categories, depending
on propagation and concealment
• Propagation
– Virus: human-assisted propagation (e.g., open email attachment)
• Injects code into existing program code.
– Worm: automatic propagation without human assistance.
• Standalone piece of code.

• Concealment
– Rootkit: modifies operating system to hide its existence
– Trojan: provides desirable functionality but hides malicious operation
• Various types of payloads, ranging from annoyance to crime

Computer Worms
• A computer worm is a malware program that spreads
copies of itself without the need to inject itself in other
programs, and usually without human interaction.
• Thus, computer worms are technically not computer
viruses (since they don’t infect other programs), but
some people nevertheless confuse the terms, since
both spread by self-replication.
• In most cases, a computer worm will carry a malicious
payload, such as deleting files or installing a backdoor.

Early History
• First worms built in the labs of John Shock and Jon Hepps at Xerox PARC in the early 80s
• CHRISTMA EXEC, written in REXX, released in December 1987, and targeting IBM VM/CMS systems, was the first worm to use e-mail service
• The first internet worm was the Morris Worm, written by Cornell student Robert Tappan Morris and released on November 2, 1988
Worm Development
• Identify vulnerability still unpatched
• Write code for
– Exploit of vulnerability
– Generation of target list
• Random hosts on the internet
• Hosts on LAN
• Divide-and-conquer
– Installation and execution of payload
– Querying/reporting if a host is infected
• Initial deployment on botnet
• Worm template
– Generate target list
– For each host on target list
• Check if infected
• Check if vulnerable
• Infect
• Recur
• Distributed graph search algorithm
– Forward edges: infection
– Back edges: already infected or not vulnerable
Worm Propagation
• Worms propagate by finding and infecting vulnerable hosts.
– They need a way to tell if a host is vulnerable.
– They need a way to tell if a host is already infected.
[Diagram: initial infection spreading from one host to its neighbors]
Propagation: Theory
• Classic epidemic model
– N: total number of vulnerable hosts
– I(t): number of infected hosts at time t
– S(t): number of susceptible hosts at time t
– I(t) + S(t) = N
– b: infection rate
• Differential equation for I(t):
dI/dt = b I(t) S(t)
• More accurate models adjust propagation rate over time

Source: Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. The Monitoring and Early Detection of Internet Worms, IEEE/ACM Transactions on Networking, 2005.
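To make the epidemic model concrete, here is an added Python example (not from the slides or from Zou et al.) that integrates dI/dt = b I(t) S(t) numerically, checks it against the closed-form logistic solution, and computes the time at which half of the N hosts are infected, which is the sort of quantity an early-warning monitor is sized against. N, I0 and b are constructed illustrative values, not parameters measured from any real worm.

```python
"""SI epidemic model of worm spread: dI/dt = b*I(t)*S(t), S(t) = N - I(t).

Added example (not from the slides). N, I0 and b below are constructed,
illustrative values rather than measurements of any real worm.
"""
import math


def simulate_si(N, I0, b, dt, steps):
    """Forward-Euler integration of the model. Returns a list of (t, I(t))."""
    I = float(I0)
    trajectory = [(0.0, I)]
    for k in range(1, steps + 1):
        S = N - I                        # susceptible hosts left
        I = min(N, I + b * I * S * dt)   # clamp: I(t) can never exceed N
        trajectory.append((k * dt, I))
    return trajectory


def logistic_si(N, I0, b, t):
    """Closed-form solution: I(t) = N / (1 + (N/I0 - 1) * exp(-b*N*t))."""
    return N / (1 + (N / I0 - 1) * math.exp(-b * N * t))


def time_to_fraction(N, I0, b, frac):
    """Time at which the infected fraction I(t)/N reaches `frac` (0 < frac < 1),
    solved from the closed form above."""
    return math.log((N / I0 - 1) * frac / (1 - frac)) / (b * N)


def max_growth_rate(N, b):
    """Peak of dI/dt, reached at I = N/2: b * (N/2) * (N/2). This is the
    new-infection rate a monitor must cope with around the inflection point."""
    return b * (N / 2) ** 2


# Constructed parameters: 10,000 vulnerable hosts, 10 seeded infections,
# b chosen so that b*N = 0.1 per time unit.
N, I0, B = 10_000, 10, 1e-5

if __name__ == "__main__":
    traj = simulate_si(N, I0, B, dt=0.01, steps=10_000)
    print(f"time to 50% infected: {time_to_fraction(N, I0, B, 0.5):.1f}")
    print(f"peak infection rate: {max_growth_rate(N, B):.1f} hosts per time unit")
    for t, I in traj[::2000]:
        print(f"t={t:6.1f}  simulated I={I:9.1f}  closed-form I={logistic_si(N, I0, B, t):9.1f}")
```

The closed form is what makes the slide's last bullet matter: with a constant b the curve is a symmetric logistic, and the half-infection time depends only on b·N and the seed count, so a model that lets b change over time (as the more accurate models do) is needed once patching, congestion or defender action start to bite.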
Propagation: Practice
• Cumulative total of unique IP addresses infected by the first outbreak of Code-RedI v2 on July 19-20, 2001

Source: David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: a case study on the spread and victims of an Internet worm, CAIDA, 2002.
Rootkits
• A rootkit modifies the operating system to hide its existence
– E.g., modifies file system exploration utilities
– Hard to detect using software that relies on the OS itself
• RootkitRevealer
– By Bryce Cogswell and Mark Russinovich (Sysinternals)
– Two scans of file system
– High-level scan using the Windows API
– Raw scan using disk access methods
– Discrepancy reveals presence of rootkit
– Could be defeated by rootkit that intercepts and modifies results of
raw scan operations
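The discrepancy check that RootkitRevealer performs, as an added Python example (not Sysinternals' code). Both directory views are constructed sample data: a real tool obtains one through the Windows API and the other by parsing the raw volume, and the names and sizes below are invented.

```python
"""Cross-view detection in the style of RootkitRevealer (added example, not Sysinternals code).

A rootkit that hooks the OS file-listing API can hide entries from every tool that
asks the OS, but not from a direct read of the on-disk structures. Comparing the two
views exposes the discrepancy. Both views here are constructed sample data; a real
tool obtains one via the Windows API and the other by parsing the raw volume.
"""


def cross_view_diff(api_view, raw_view):
    """Compare two views of one directory (file name -> size in bytes).

    hidden     : on disk but missing from the API view (the classic rootkit symptom)
    phantom    : reported by the API but absent on disk
    mismatched : in both views but with different metadata (e.g. a hooked size)
    """
    api_names, raw_names = set(api_view), set(raw_view)
    return {
        "hidden": sorted(raw_names - api_names),
        "phantom": sorted(api_names - raw_names),
        "mismatched": sorted(n for n in api_names & raw_names
                             if api_view[n] != raw_view[n]),
    }


def verdict(api_view, raw_view, ignore=()):
    """Return (suspicious, diff). `ignore` lists names that legitimately differ
    between the two scans, e.g. a log file written while the scan was running."""
    diff = cross_view_diff(api_view, raw_view)
    diff = {k: [n for n in v if n not in ignore] for k, v in diff.items()}
    return any(diff.values()), diff


# Constructed sample views of a system directory (all names and sizes are invented).
API_VIEW = {"ntoskrnl.exe": 10_485_760, "notepad.exe": 262_144,
            "drivers.db": 4_096, "scan.log": 100}
RAW_VIEW = {"ntoskrnl.exe": 10_485_760, "notepad.exe": 262_144,
            "drivers.db": 8_192, "scan.log": 180,
            "hidden-driver.sys": 65_536}   # never shown by the hooked API

if __name__ == "__main__":
    print(verdict(API_VIEW, RAW_VIEW, ignore=("scan.log",)))
```

The `ignore` list exists because the two scans are not atomic: files that change between them produce benign discrepancies, and every real cross-view tool has to suppress those. The slide's last bullet is the other limit: a rootkit that also hooks the raw read path makes both views agree, and the diff is empty, which is why scanning from clean boot media remains the fallback.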
Trojan Horses
• A Trojan horse (or Trojan) is a malware program that appears
to perform some useful task, but which also does something
with negative consequences (e.g., launches a keylogger).
• Trojan horses can be installed as part of the payload of other
malware but are often installed by a user or administrator,
either deliberately or accidentally.

Current Trends
• Trojans currently have largest infection potential
– Often exploit browser vulnerabilities
– Typically used to download other malware in multi-stage attacks

Source: Symantec Internet Security Threat Report, April 2009
Spyware
[Diagram: spyware software payload on the computer user’s machine reporting to a spyware data collection agent]
1. Spyware engine infects a user’s computer.
2. Spyware process collects keystrokes, passwords, and screen captures.
3. Spyware process periodically sends collected data to spyware data collection agent.
Stuxnet
• Worm that manipulated Siemens systems for
controlling and monitoring centrifuge speeds.
• Iran’s centrifuge system was air gapped.
– Had to infect USB drives that would be carried in.
– Then spread locally using other vulnerabilities.
• Once in the network, it continues spreading, but
searches for Siemens Step7 software.
• Infected 200,000 machines. Ruined 1000
centrifuges.
Stuxnet
• Exploited 4 “zero-day” vulnerabilities.
– LNK windows shortcuts, to spread via USB sticks.
– Windows print-spooler vulnerability.
– 2 others for escalating privileges.
• It had a P2P component for updating itself.
– 2 infected hosts would compare their versions
with each other, and the older would update.

Stuxnet
• Once Siemens Step7 is found, the virus installs a
rootkit.
– Sends unexpected commands to the logic controller,
frequently changing motor speed.
– Sends normal operations system values to the user, and
hides the behavior from monitoring.
– First publicly known rootkit for a PLC.
• The code was signed using 2 stolen keys from well
known companies in Taiwan.
– Verisign has since revoked those keys.
Wannacry
• Spread using the “eternalblue” vulnerability in Windows’ Server Message
Block protocol.
– SMB is used to allow shared access to files, printers, serial ports, and inter-process communication.
– 0-day discovered by the NSA and kept.
• After it lands, it tries to connect to 3 URLs that look like this:
– www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
– If it succeeds, it halts!
– Not “proxy aware”, so even a local DNS server can reply with an A record. If the IP
establishes a TCP 80 connection, the attack halts.
– Why did they do this? Possibly to detect sandboxing: virus hunters often fake the
replies. This would detect “foul play” and stop the virus.
• Creates a Windows service that looks for other SMB vulnerabilities so it
can spread.

Wannacry
It encrypts anything with the following extensions.
.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key ,
.sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln ,
.aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb ,
.asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup ,
.mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg ,
.sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar ,
.cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 ,
.txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der ,
.ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf ,
.vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl ,
.wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv
, .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt ,
.xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx ,
.iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.

Wannacry
• Spread to 230,000 machines.
• Earned $150,000; all of the money has been withdrawn.
– Tried to use a unique bitcoin wallet for each victim, but a bug caused them to default to 1 of 4.
• Easy to track, and hard for them to know who paid!
• No automation in checking for payment / sending key.
– Later released a new version with a fix. Too late.
– In contrast, the Angler exploit kit is credited with $60 million from ransomware.
Wannacry
• FedEx halted deliveries with a European
subsidiary, claiming $300M in losses.
• Hospitals in 3 countries had to turn patients
away.
• Some auto-manufacturers halted production.

Wannacry: crypto
• Can’t use the attacker’s public key to encrypt everything directly: the matching secret key can be revealed only once, so it cannot be handed to individual victims.
• Instead, the victim machine generates a new public key pair of its own.
• Because public key encryption is slow:
– Generates a new AES key for every file.
– Encrypts the AES key using the local public key.
– Encrypts the local private key using the attacker’s public key.
• Later, when attempting to recover, the victim can send the encrypted private key to the attacker for decryption.
Wannacry: crypto
• Recap: the attacker’s public key can’t be used to encrypt everything, so the victim generates a new public key pair, and that local secret key is what must stay hidden.
• A bug in Microsoft’s key generation code gave some victims a way to recover the secret key:
– Although Microsoft provides an API for wiping the secret key after key generation, it fails to wipe the prime numbers used to generate the key from memory.
– WannaKey and wanakiwi allowed some victims to recover the secret key and decrypt their files.
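Why a single leftover prime undoes the whole scheme on the two crypto slides above, as an added Python example (not the slides', WannaKey's or wanakiwi's code). It generates a toy RSA key pair with 64-bit primes, "loses" the private exponent, and rebuilds it from the public key plus one prime, exactly the arithmetic the recovery tools perform on the primes found in the process's memory; the key size is the only simplification.

```python
"""Recovering an RSA private key from a leftover prime (added example, toy key sizes).

Models the WannaKey/wanakiwi situation: the victim-side RSA private key was wiped,
but a prime used to generate it was left in process memory. Given the public key
(n, e) and that one prime, the private exponent d is recomputed. Toy 64-bit primes
keep this instant; the arithmetic is the same for 2048-bit keys.
"""
import math
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime with exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=64, seed=1):
    """Toy RSA key generation. Returns ((n, e), d, (p, q)). A real implementation
    must wipe p, q and every intermediate once d has been derived."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), pow(e, -1, phi), (p, q)


def recover_private_exponent(n, e, leaked_prime):
    """Rebuild d from the public key and one leaked prime factor of n."""
    if leaked_prime <= 1 or n % leaked_prime != 0:
        raise ValueError("leaked value is not a factor of n")
    q = n // leaked_prime
    return pow(e, -1, (leaked_prime - 1) * (q - 1))


def demo(seed=1):
    """Encrypt under the public key, 'lose' d, recover it from p alone, decrypt."""
    (n, e), d, (p, _q) = rsa_keygen(64, seed)
    message = 0x1122334455667788            # any integer below n
    ciphertext = pow(message, e, n)
    d_recovered = recover_private_exponent(n, e, p)
    return d_recovered == d and pow(ciphertext, d_recovered, n) == message


if __name__ == "__main__":
    print("recovered d decrypts correctly:", demo())
```

The lesson for anyone implementing key generation is in `rsa_keygen`'s docstring: the private key is not just d, it is everything from which d can be recomputed, so p, q, phi and any CRT values need the same zeroisation as d itself, and the recovery only worked for victims whose machine had not reused that memory before they ran the tool.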
Shadow Brokers
• Tailored Access Operations: NSA hacking group
that found the SMB vulnerability, and likely the
4 vulnerabilities in Stuxnet.
– “They had operational insight that even most of my
fellow operators at T.A.O. did not have,” said Mr.
Williams, now with Rendition Infosec, a
cybersecurity firm he founded. “I felt like I’d been
kicked in the gut. Whoever wrote this either was a
well-placed insider or had stolen a lot of
operational data.” New York Times, 11/12/17.
Shadow Brokers
• Shadow Brokers leaked a lot of these NSA tools,
providing code online for re-use.
– Wannacry was the first to use them.
– EternalRocks was recently found in a honeypot. Uses 7 of
the NSA tools, compared with Wannacry’s 2.

• They seem to have connections with Russia, but it also seems they might have insiders at the NSA.
• Opens obvious ethical questions…
Malware Zombies
• Malware can turn a computer into a zombie, which is a machine that is controlled externally to perform malicious attacks, usually as part of a botnet.
[Diagram: the Botnet Controller (Attacker) sends Attack Commands to the Botnet, which carries out Attack Actions against the Victim]
(Slides 26-30 are image-only. Slide credit: Tom Ristenpart)
Fast-flux DNS
Spam campaign that directs users to pharmashop.com
Single flux:
• Change A record for pharmashop.com quickly to point to different compromised systems
• Short TTL (e.g., 5 minutes)
Double flux:
• Change NS record for pharmashop.com to point to different compromised systems
[Diagram: compromised systems at 1.2.3.4, 1.2.3.5, 6.7.8.9, 1.4.5.1 and 28.4.1.5 fronting the content server]
Similar to round-robin DNS as used by major websites
Slide credit: Tom Ristenpart
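Telling the fast-flux pattern on the slide apart from the round-robin DNS it resembles, as an added Python example (not from the slides or Tom Ristenpart's material). The observations are constructed: pharmashop.com and the 1.2.3.4-style addresses are the slide's own illustrative values (plus one more invented host), and 203.0.113.0/24 is a documentation range standing in for a large site's pool.

```python
"""Telling fast-flux from ordinary round-robin DNS (added example, not from the slides).

Watches successive A-record answers for one name and flags the pattern the slide
describes: very short TTLs together with a set of distinct addresses that keeps
growing and hops between unrelated networks. Round-robin DNS also uses short TTLs,
but rotates through a small, stable pool inside one network.
All observations are constructed; pharmashop.com and the 1.2.3.4-style addresses
are the slide's illustrative values, 203.0.113.0/24 is a documentation range.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    t: int        # seconds since monitoring started
    ttl: int      # TTL carried in the answer
    ips: tuple    # A records returned


def summarize(observations):
    """Aggregate statistics over a time series of answers for one name."""
    ips, prefixes, churn, prev = set(), set(), 0, None
    for o in observations:
        current = set(o.ips)
        ips |= current
        prefixes |= {".".join(ip.split(".")[:2]) for ip in current}  # crude /16 proxy
        if prev is not None and not (current & prev):   # shares no IP with the last answer
            churn += 1
        prev = current
    return {"distinct_ips": len(ips), "distinct_prefixes": len(prefixes),
            "min_ttl": min(o.ttl for o in observations), "churn_events": churn}


def is_fast_flux(observations, short_ttl=300, min_distinct=5, min_prefixes=3):
    """Heuristic: short TTL AND many distinct addresses AND spread over several networks."""
    s = summarize(observations)
    return (s["min_ttl"] <= short_ttl and s["distinct_ips"] >= min_distinct
            and s["distinct_prefixes"] >= min_prefixes)


# Constructed: single-flux answers for pharmashop.com, one fresh compromised host per TTL.
FLUX = tuple(Observation(t, 300, ips) for t, ips in [
    (0, ("1.2.3.4",)), (300, ("1.2.3.5",)), (600, ("6.7.8.9",)),
    (900, ("1.4.5.1",)), (1200, ("28.4.1.5",)), (1500, ("77.12.0.9",))])

# Constructed: round-robin answers for a large site, rotating a fixed pool in one /24.
ROUND_ROBIN = tuple(Observation(t, 60, ips) for t, ips in [
    (0, ("203.0.113.10", "203.0.113.11")), (60, ("203.0.113.11", "203.0.113.12")),
    (120, ("203.0.113.12", "203.0.113.10")), (180, ("203.0.113.10", "203.0.113.11"))])

if __name__ == "__main__":
    for name, obs in (("pharmashop.com", FLUX), ("round-robin site", ROUND_ROBIN)):
        print(name, summarize(obs), "fast-flux" if is_fast_flux(obs) else "normal")
```

TTL alone is not a signal, which is the point of the slide's last line: the round-robin sample has the shorter TTL. What separates the two is that the flux set never stabilises and spans unrelated networks. Large CDNs also answer with many addresses across many networks, so in practice this heuristic is combined with whether the addresses sit in residential or otherwise unrelated address space before anything is blocked.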
(Slide 32 is image-only. Slide credit: Tom Ristenpart)
P2P Botnets
[Figure 6: Example from [17] of Gnutella’s network structure. Figure 7: All bots by geolocation from the Third Enumeration Experiment (geolocating bots enumerated for the Nugache botnet).]
Excerpt from the source: “These techniques may already account for wide discrepancies in the estimated size of various botnets seen in the media. [16, 28, 15]”
Source: Dittrich and Dietrich, “Discovery Techniques for P2P Botnets”
Slide credit: Tom Ristenpart
Mirai Botnet (2016)
• First major botnet to go after the Internet of Things.
– Hundreds of thousands of poorly configured devices.
• The malware simply tried 60 common factory default logins, and scanned for more devices.
• A reboot of the device removes the malware.
• Reports of DDoS reaching 620 Gb/s, or 1 Tb/s.
• 10/21/16: attack on the Dyn DNS provider impacted access to Netflix, Twitter, GitHub, Reddit, Airbnb, and others.
Economics of Malware
• New malware threats have grown from 20K to 1.7M in the period 2002-2008
• Most of the growth has been from 2006 to 2008
• Number of new threats per year appears to be growing at an exponential rate.

Source: Symantec Internet Security Threat Report, April 2009
Professional Malware
• Growth in professional cybercrime and online fraud has led to demand for professionally developed malware
• New malware is often a custom-designed variation of known exploits, so the malware designer can sell different “products” to his/her customers.
• Like every product, professional malware is subject to the laws of supply and demand.
– Recent studies put the price of a software keystroke logger at $23 and a botnet use at $225.

Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg, used by permission under the Creative Commons Attribution ShareAlike 3.0 License
Signatures: A Malware Countermeasure
• A scan compares the analyzed object with a database of signatures
• A signature is a virus fingerprint
– E.g., a string with a sequence of instructions specific for each virus
– Different from a digital signature
• A file is infected if there is a signature inside its code
– Fast pattern matching techniques to search for signatures
• All the signatures together create the malware database, which is usually proprietary
Signatures Database
• Common Malware Enumeration (CME)
– aims to provide unique, common identifiers to new
virus threats
– Hosted by MITRE
– http://cme.mitre.org/data/list.html
• Digital Immune System (DIS)
– Create automatically new signatures

Shield vs. On-demand
• Shield
– Background process (service/daemon)
– Scans each time a file is touched (open, copy, execute, etc.)
• On-demand
– Scan on explicit user request or according to a regular schedule
– On a suspicious file, directory, drive, etc.
Performance test of scan techniques
o Comparative: check the number of already known viruses that are found and the time to perform the scan
o Retrospective: test the proactive detection of the scanner for unknown viruses, to verify which vendor uses better heuristics
Anti-viruses are ranked using both parameters: http://www.av-comparatives.org/
Online vs Offline Anti Virus Software
Online
• Free browser plug-in
• Authentication through third party certificate (i.e. VeriSign)
• No shielding
• Software and signatures update at each scan
• Poorly configurable
• Scan needs internet connection
• Report collected by the company that offers the service
Offline
• Paid annual subscription
• Installed on the OS
• Software distributed securely by the vendor online or a retailer
• System shielding
• Scheduled software and signatures updates
• Easily configurable
• Scan without internet connection
• Report collected locally and may be sent to vendor
Quarantine
• A suspicious file can be isolated in a folder called quarantine:
– E.g., if the result of the heuristic analysis is positive and you are waiting for a signature database update
• The suspicious file is not deleted but made harmless: the user can decide when to remove it, or restore it if it turns out to be a false positive
– Interacting with a file in quarantine is possible only through the antivirus program
• The file in quarantine is harmless because it is encrypted
• Usually the quarantine technique is proprietary and the details are kept secret
White/Black Listing
• Maintain database of cryptographic hashes for
– Operating system files
– Popular applications
– Known infected files
• Compute hash of each file
• Look up into database
• Needs to protect the integrity of the database

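The hash-based white/black listing procedure above, as an added Python example (not from the slides). It computes SHA-256 over each file, looks the digest up in a database of known-good and known-bad hashes, and covers the last bullet by authenticating the database with an HMAC so that a tampered entry is rejected before any lookup. The files, their contents and the key are all constructed in a temporary directory.

```python
"""Hash-based white/black listing with an integrity-protected database (added example).

Builds a database of SHA-256 digests labelled 'good' or 'bad', authenticates the
whole database with an HMAC so a tampered entry is rejected before any lookup,
then classifies files by digest. All files and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Streaming SHA-256 of a file (works for files larger than memory)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_db(entries, key):
    """entries: {hexdigest: 'good' | 'bad'}. Returns the serialized DB with its HMAC tag."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True).encode()


def load_db(blob, key):
    """Verify the tag over a canonical re-serialization of the entries, then return them."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):   # constant-time comparison
        raise ValueError("hash database failed integrity check")
    return doc["entries"]


def classify(path, entries):
    """'good', 'bad', or 'unknown' (unknown files go on to heuristic analysis)."""
    return entries.get(sha256_file(path), "unknown")


def demo():
    """Build a DB, classify three constructed files, then show a forged entry being rejected."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        good, bad, new = (os.path.join(d, n) for n in ("kernel32.dll", "evil.exe", "new.exe"))
        for path, content in ((good, b"legit"), (bad, b"dropper"), (new, b"unknown")):
            with open(path, "wb") as f:
                f.write(content)
        entries = {sha256_file(good): "good", sha256_file(bad): "bad"}
        blob = build_db(entries, key)
        db = load_db(blob, key)
        verdicts = (classify(good, db), classify(bad, db), classify(new, db))
        # Attacker without the key relabels the known-bad digest as good.
        forged = json.loads(blob)
        forged["entries"][sha256_file(bad)] = "good"
        try:
            load_db(json.dumps(forged).encode(), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return verdicts, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The HMAC stands in for what vendors actually ship, a database signed with a key whose private half never touches the endpoint; a symmetric key stored next to the database on the same host would give a local attacker everything needed to forge it. Note also that the list is only as good as its hash function's collision resistance, which is why MD5-based lists were abandoned.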
Heuristic Analysis
• Useful to identify new and “zero day” malware
• Code analysis
– Based on the instructions, the antivirus can determine whether or not the program is malicious, e.g., the program contains instructions to delete system files
• Execution emulation
– Run code in isolated emulation environment
– Monitor actions that target file takes
– If the actions are harmful, mark as virus
• Heuristic methods can trigger false alarms
Static vs. Dynamic Analysis
Static Analysis
• Checks the code without trying to execute it
• Quick scan in white list
• Filtering: scan with different antivirus products and check if they return the same result under different names
• Weeding: remove the known-good parts of the file as junk to better isolate the virus
• Code analysis: check binary code to understand if it is an executable, e.g., PE
• Disassembling: check if the byte code shows something unusual
Dynamic Analysis
• Check the execution of the code inside a virtual sandbox
• Monitor
– File changes
– Registry changes
– Processes and threads
– Network ports
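The static "code analysis" step for the PE format, as an added Python example (not from the slides). It walks the DOS stub to the COFF header the way a scanner's file-type identification does and, as one cheap static heuristic, flags a PE image that carries a non-executable file extension. The sample header is constructed and is not a runnable program.

```python
"""Static check: is this file a PE executable? (added example; sample bytes are constructed)

Implements the slide's 'code analysis' step for the PE format: verify the 'MZ' DOS
stub, follow e_lfanew at offset 0x3C to the 'PE\\0\\0' signature, then decode the
COFF file header. Also flags the common static red flag of an executable hiding
behind a non-executable extension.
"""
import os
import struct

# Subset of IMAGE_FILE_MACHINE_* values and IMAGE_FILE_* characteristics flags.
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"


def parse_pe_header(data):
    """Return COFF header fields as a dict, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER) > len(data):
        return None                                  # truncated or bogus e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": nsect,
            "timestamp": stamp, "optional_header_size": opt_size,
            "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
            "is_dll": bool(chars & IMAGE_FILE_DLL)}


EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def extension_mismatch(filename, data):
    """True when the bytes are a PE image but the name claims otherwise (e.g. 'invoice.pdf')."""
    ext = os.path.splitext(filename)[1].lower()
    return parse_pe_header(data) is not None and ext not in EXECUTABLE_EXTENSIONS


def build_sample_pe(machine=0x8664, sections=3, characteristics=0x0022):
    """Constructed, non-runnable PE header: DOS stub, e_lfanew=0x80, 'PE\\0\\0', COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)             # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> PE signature at 0x80
    coff = struct.pack(COFF_HEADER, machine, sections, 0x5F000000, 0, 0, 240, characteristics)
    return bytes(dos) + b"\0" * (0x80 - len(dos)) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe_header(sample))
    print("invoice.pdf is really a PE:", extension_mismatch("invoice.pdf", sample))
```

Checking the content rather than the name is the whole value of this step: a Trojan delivered as "invoice.pdf" still has to be a valid PE image for Windows to run it, and the loader, unlike the user, never looks at the extension. The bounds check on e_lfanew matters because a scanner parsing hostile input must not index past the buffer on a crafted header.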
