Malware: Viruses and Rootkits
Vitaly Shmatikov, CS 361S


“Ghost in the Browser”

  • Large study of malicious URLs by Provos et al. (Google security team)
  • In-depth analysis of 4.5 million URLs
    • About 10% malicious
  • Several ways to introduce exploits
    • Compromised Web servers
    • User-contributed content
    • Advertising
    • Third-party widgets

Compromised Web Servers

  • Vulnerabilities in phpBB2 and InvisionBoard enable complete compromise of the underlying machine
    • All servers hosted on a virtual farm become malware distribution vectors
  • Example: exploit iframes inserted into copyright boilerplate
    • [Screenshot of the page footer: “Powered by Invision Power Board(U) v1.3.1 Final © 2003 IPS, Inc.”]
  • Test machine infected with 50 malware binaries
  • [Provos et al.]

    Redirection Using .htaccess

    • After compromising the site, change .htaccess to redirect visitors to a malicious site
    • Hide redirection from website owner
    • Compromised .htaccess file: frequently rewritten with new IP addresses, restored if site owner deletes it [Provos et al.]

        RewriteEngine On
        RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
        RewriteRule .* [R,L]

    • If user comes via one of these search engines, redirect to a staging server, which redirects to a constantly changing set of malicious domains
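The rewrite rules above are a recognisable pattern: redirects that fire only for visitors arriving from search engines, so the site owner (who types the URL directly) never sees them. The following checker is an added example, not code from the slides or from Provos et al. It parses the RewriteCond/RewriteRule pairs of an .htaccess file and flags rules that redirect ([R]) away from the site under a search-engine HTTP_REFERER condition. The sample files, the placeholder host staging.example.invalid and the engine name list are constructed for the example.

```python
"""Added example (not from the slides): flag referer-cloaked redirects in an .htaccess file."""
import re

# Substrings that identify search-engine referers (constructed list; substring match is crude).
SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "bing", "ask", "altavista")

# The rules shown on the slide (redirect target absent there, as on the slide).
SLIDE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* [R,L]
"""

# Constructed variant with an explicit off-site target (placeholder host, not a real address).
SUSPICIOUS_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://staging.example.invalid/ [R,L]
"""

# Constructed benign sample: a front-controller rewrite that never leaves the site.
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]
"""


def _split_flags(parts):
    """Return (arguments, flags) where flags come from a trailing [A,B] token."""
    if len(parts) > 1 and parts[-1].startswith("[") and parts[-1].endswith("]"):
        return parts[1:-1], parts[-1][1:-1].split(",")
    return parts[1:], []


def parse_rewrite_rules(text):
    """Group each RewriteRule with the RewriteCond lines that guard it.

    Returns a list of (conds, rule): conds is a list of (test_string, pattern, flags),
    rule is (pattern, substitution, flags). Substitution is "" when it is absent.
    """
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        args, flags = _split_flags(parts)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(args) >= 2:
            pending.append((args[0], args[1], flags))
        elif directive == "rewriterule" and len(args) >= 1:
            substitution = args[1] if len(args) >= 2 else ""
            rules.append((pending, (args[0], substitution, flags)))
            pending = []
    return rules


def find_cloaked_redirects(text):
    """Flag RewriteRules that redirect ([R]) off-site only when the referer is a search engine."""
    findings = []
    for conds, (pattern, target, flags) in parse_rewrite_rules(text):
        engine_conds = [
            c for c in conds
            if "HTTP_REFERER" in c[0].upper()
            and any(engine in c[1].lower() for engine in SEARCH_ENGINES)
        ]
        is_redirect = any(f.upper().startswith("R") for f in flags)  # R, R=301, R=302 ...
        # An explicit scheme (or a missing target) in an external redirect means the browser leaves the site.
        leaves_site = target == "" or re.match(r"^(https?:)?//", target, re.I) is not None
        if engine_conds and is_redirect and leaves_site:
            findings.append({
                "rule": pattern,
                "target": target or "<not given>",
                "referer_patterns": [c[1] for c in engine_conds],
            })
    return findings


if __name__ == "__main__":
    for name, text in (("slide", SLIDE_HTACCESS), ("benign", BENIGN_HTACCESS)):
        print(name, find_cloaked_redirects(text))
```

Because the slide notes that the file is rewritten often and restored when deleted, a one-off scan is not enough: run the check from a cron job or file-integrity monitor and alert on any change to .htaccess, not just on a positive match.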

    User-Contributed Content

    • Example: site allows user to create online polls, claims only limited HTML support
      • Sample poll:
      • Interpreted by browser as location.replace(‘’)
      • Redirects user to a malware site
    • [Provos et al.]

    Trust in Web Advertising

    • Advertising, by definition, is ceding control of Web content to another party
    • Webmasters must trust advertisers not to show malicious content
    • Sub-syndication allows advertisers to rent out their advertising space to other advertisers
    • Trust is not transitive!
      • Webmaster may trust his advertisers, but this does not mean he should trust those trusted by his advertisers

    Example of an Advertising Exploit

    • Video sharing site includes a banner from a large US advertising company as a single line of JavaScript…
    • … which generates JavaScript to be fetched from another large US company
    • … which generates more JavaScript pointing to a smaller US company that uses geo-targeting for its ads
    • … the ad is a single line of HTML containing an iframe to be fetched from a Russian advertising company
    • … when retrieving iframe, “Location:” header redirects browser to a certain IP address
    • … which serves encrypted JavaScript, attempting multiple exploits against the browser
    • [Provos et al.]

    Another Advertising Exploit

    • Website of a Dutch radio station…
    • … shows a banner advertisement from a German site
    • … JavaScript in the ad redirects to a big US advertiser
    • … which redirects to another Dutch advertiser
    • … which redirects to yet another Dutch advertiser
    • … ad contains obfuscated JavaScript; when executed by the browser, points to another script hosted in Austria
    • … encrypted script redirects the browser via multiple iframes to an exploit site hosted in Austria
    • … site automatically installs multiple trojan downloaders
    • [Provos et al.]

    Not a Theoretical Threat

    • Hundreds of thousands of malicious ads online
      • 384,000 in 2013 vs. 70,000 in 2011 (source: RiskIQ)
      • Google disabled ads from more than 400,000 malware sites in 2013
    • Dec 27, 2013 – Jan 4, 2014: Yahoo! serves a malicious ad to European customers
      • The ad attempts to exploit security holes in Java on Windows, install multiple viruses including Zeus (used to steal online banking credentials)

    Third-Party Widgets

    • Make sites “prettier” using third-party widgets
      • Calendars, visitor counters, etc.
    • Example: free widget for keeping visitor statistics operates fine from 2002 until 2006
    • In 2006, widget starts pushing exploits to all visitors of pages linked to the counter
    • [Provos et al.]

    Exploitation Vectors

    • Bugs in browser’s security logic or memory vulnerabilities
    • Example: MS Data Access Components bug
      • Compromised web page contains an iframe with JavaScript that instantiates an ActiveX object and makes an XMLHttpRequest to retrieve an executable
      • Writes executable to disk using and launches it using Shell.Application
    • Example: WebViewFolderIcon memory exploit
      • Sprays the heap with a large number of JavaScript string objects containing x86 shellcode, hijacks control
    • [Provos et al.]

    Social Engineering

    • Goal: trick the user into “voluntarily” installing a malicious binary
    • Fake video players and video codecs
      • Example: website with thumbnails of adult videos, clicking on a thumbnail brings up a page that looks like Windows Media Player and a prompt:
        • “Windows Media Player cannot play video file. Click here to download missing Video ActiveX object.”
      • The “codec” is actually a malware binary
    • Fake antivirus (“scareware”)
      • January 2009: 148,000 infected URLs, 450 domains
    • [Provos et al.]

    Fake Antivirus


    Rootkits

    • Rootkit is a set of trojan system binaries
    • Main characteristic: stealthiness
      • Create a hidden directory
        • /dev/.lib, /usr/src/.poop and similar
        • Often use invisible characters in directory name (why?)
      • Install hacked binaries for system programs such as netstat, ps, ls, du, login
      • Modified binaries have same checksum as originals
        • What should be used instead of checksum?
    • Can’t detect attacker’s processes, files or network connections by running standard UNIX commands!
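The slide asks what should replace a checksum for verifying system binaries; the standard answer is a collision-resistant cryptographic hash, with the baseline of known-good digests kept read-only and off the host. The example below is added here and is not from the slides: it shows that a sum-of-bytes checksum cannot distinguish a binary from a rearranged copy of itself, and builds a small SHA-256 baseline-and-verify check. The fake “binaries” and the temporary bin directory are constructed for the example.

```python
"""Added example (not from the slides): checksums vs. cryptographic hashes for binary integrity."""
import hashlib
import os
import tempfile


def additive_checksum(data):
    """Sum-of-bytes checksum truncated to 16 bits: a check a replaced binary can trivially satisfy."""
    return sum(data) & 0xFFFF


def sha256_hex(data):
    """Collision-resistant digest: any change to the bytes changes the output."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a genuine and a trojaned system binary (not real ELF files).
ORIGINAL_BINARY = b"\x7fELF" + b"list the directory honestly" * 8
# Same bytes in a different order: an additive checksum cannot tell them apart,
# because addition does not care about position.
TAMPERED_BINARY = b"\x7fELF" + ORIGINAL_BINARY[4:][::-1]


def build_baseline(directory):
    """Record the SHA-256 of every regular file in `directory` (store this read-only, off-host)."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                baseline[name] = sha256_hex(f.read())
    return baseline


def verify_baseline(directory, baseline):
    """Return the names whose current digest differs from the baseline or which have disappeared."""
    changed = []
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            changed.append(name)
            continue
        with open(path, "rb") as f:
            if sha256_hex(f.read()) != expected:
                changed.append(name)
    return changed


def demo():
    """Baseline a fake bin directory, swap in the trojaned `ls`, and report what each check sees."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(ORIGINAL_BINARY + name.encode())
        baseline = build_baseline(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(TAMPERED_BINARY + b"ls")
        return {
            "checksum_unchanged": additive_checksum(ORIGINAL_BINARY) == additive_checksum(TAMPERED_BINARY),
            "sha256_unchanged": sha256_hex(ORIGINAL_BINARY) == sha256_hex(TAMPERED_BINARY),
            "flagged_by_hash": verify_baseline(bindir, baseline),
        }


if __name__ == "__main__":
    print(demo())
```

The verifier itself must run from trusted code: if the rootkit has replaced the hashing tool or the kernel underneath it, a clean result means nothing, which is why the later slides fall back to booting clean media or reinstalling the tools.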

    Real-Life Examples

    • Buffer overflow in BIND to get root on Lockheed Martin’s DNS server, install password sniffer
      • Sniffer logs stored in directory called /var/adm/ …
    • Excite@Home employees connect via dialup; attacker installs remote access trojans on their machines via open network shares, sniffs IP addresses of promising targets
      • To bypass anti-virus scanners, uses commercial remote-access software modified to make it invisible to the users
    • [From “The Art of Intrusion”]

    Function Hooking

    • Rootkit may “re-route” a legitimate system function to the address of malicious code
    • Pointer hooking
      • Modify the pointer in OS’s Global Offset Table, where function addresses are stored
    • “Detour” or “inline” hooking
      • Insert a jump in first few bytes of a legitimate function
      • This requires subverting memory protection
    • Modifications may be detectable by a clever rootkit detector
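One way a rootkit detector notices an inline (“detour”) hook is the obvious one: a legitimate function's first bytes should not be an unconditional jump somewhere else. The scanner below is an added example, not from the slides, and assumes x86/x86-64 instruction encodings; the “clean” and “hooked” prologues are constructed byte strings, not dumps of real software. It also keeps a saved baseline of each prologue so that patches using other encodings are reported as a mismatch rather than missed.

```python
"""Added example (not from the slides): detect an inline/"detour" hook from a function's first bytes."""

# Constructed prologues for x86-64 (not dumps of any real binary).
CLEAN_PROLOGUE = bytes.fromhex("554889e54883ec10")     # push rbp; mov rbp,rsp; sub rsp,0x10
HOOKED_PROLOGUE = bytes.fromhex("e9f0ffffff90909090")  # jmp rel32 (into a trampoline); nop padding


def looks_like_detour(code):
    """Describe the unconditional control transfer that `code` begins with, or return None.

    Covers the encodings detour hooks typically plant at a function entry on x86/x86-64.
    """
    if len(code) >= 1 and code[0] == 0xE9:
        return "jmp rel32"
    if len(code) >= 1 and code[0] == 0xEB:
        return "jmp rel8"
    if len(code) >= 2 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp indirect"                      # jmp [disp32] / jmp [rip+disp32]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32; ret"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return None


def scan_prologues(functions):
    """functions maps name -> (baseline_bytes, current_bytes); returns [(name, reason), ...].

    A detour is reported by its encoding; any other change to the saved prologue is reported
    as a plain mismatch so that unusual patch styles are not silently missed.
    """
    findings = []
    for name, (baseline, current) in functions.items():
        reason = looks_like_detour(current)
        if reason is not None:
            findings.append((name, reason))
        elif current != baseline:
            findings.append((name, "prologue differs from baseline"))
    return findings


def read_live_prologue(symbol, length=16):
    """Read `length` bytes at a live libc function's entry point (CPython on Linux/macOS via ctypes).

    Returns None where the symbol or ctypes loading is unavailable. Compare the result against a
    baseline captured on a trusted system rather than judging it in isolation.
    """
    try:
        import ctypes
        libc = ctypes.CDLL(None)
        address = ctypes.cast(getattr(libc, symbol), ctypes.c_void_p).value
        return ctypes.string_at(address, length)
    except (OSError, AttributeError, ValueError):
        return None


if __name__ == "__main__":
    print(scan_prologues({"read": (CLEAN_PROLOGUE, HOOKED_PROLOGUE)}))
    print(read_live_prologue("strlen"))
```

A real detector disassembles properly (the byte patterns above are a shortcut) and must expect legitimate jumps at function entry, such as PLT thunks, hot-patch prologues and compiler-generated tail calls, so a hit is a lead to investigate rather than proof of a rootkit. Pointer hooking of the GOT, the other technique on the slide, is checked differently: each GOT slot is compared with the address the dynamic linker would resolve for that symbol.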

    Kernel Rootkits

    • Get loaded into OS kernel as an external module
      • For example, via compromised device driver or a badly implemented “digital rights” module (e.g., Sony XCP)
    • Replace addresses in system call table, interrupt descriptor table, etc.
    • If kernel modules disabled, directly patch kernel memory through /dev/kmem (SucKIT rootkit)
    • Inject malicious code into a running process via PTRACE_ATTACH and PTRACE_DETACH
      • Security and antivirus software are often the first injection targets

    Mebroot (Windows)

    • Replaces the host’s Master Boot Record (MBR)
    • No registry changes, very little hooking
    • Stores data in physical sectors, not files
      • Invisible through the normal OS interface
    • Uses its own version of network driver API to send and receive packets
      • Invisible to “personal firewall” in Windows
    • Used in Torpig botnet

    Detecting Rootkit’s Presence

    • Sad way to find out
      • Run out of physical disk space because of sniffer logs
      • Logs are invisible because du and ls have been hacked
    • Manual confirmation
      • Reinstall clean ps and see what processes are running
    • Automatic detection
      • Rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig
      • Host-based intrusion detection can find rootkit files
        • …assuming an updated version of rootkit did not disable the intrusion detection system!
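The “automatic detection” bullet rests on one observation: a user-land rootkit replaces ps, netstat and friends, but the kernel's own data structures (on Linux, the /proc tree) still hold the truth, so comparing the two views exposes what the hacked binaries omit. The script below is an added example, not from the slides. It assumes a Linux host with /proc and a `ps` that accepts `-e -o pid=`; the constructed PID sets used in the tests stand in for the two views.

```python
"""Added example (not from the slides): cross-view detection of processes hidden from `ps`."""
import os
import subprocess


def pids_from_proc():
    """The kernel's own view: every numeric directory in /proc is a live process (Linux only)."""
    if not os.path.isdir("/proc"):
        return None
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """The user-land view produced by the `ps` binary a rootkit may have replaced."""
    try:
        out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split() if tok.isdigit()}


def pids_by_probe(max_pid=65536):
    """A third view that needs no directory listing: kill(pid, 0) says whether a PID exists
    (PermissionError means it exists but belongs to someone else). Helps against hooked getdents."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def hidden_entries(trusted_view, reported_view):
    """Entries present in the trusted view but absent from the tool's view."""
    return sorted(set(trusted_view) - set(reported_view))


def stable_hidden(trusted_rounds, reported_rounds):
    """Keep only entries hidden in every round, which drops short-lived processes that
    simply exited between the two snapshots."""
    hidden = None
    for trusted, reported in zip(trusted_rounds, reported_rounds):
        current = set(hidden_entries(trusted, reported))
        hidden = current if hidden is None else hidden & current
    return sorted(hidden or [])


def check_live_system(rounds=2):
    """Snapshot /proc and `ps` a few times and report PIDs consistently missing from `ps`.
    Returns None if either view is unavailable on this platform."""
    trusted_rounds, reported_rounds = [], []
    for _ in range(rounds):
        proc, ps = pids_from_proc(), pids_from_ps()
        if proc is None or ps is None:
            return None
        trusted_rounds.append(proc)
        reported_rounds.append(ps)
    return stable_hidden(trusted_rounds, reported_rounds)


if __name__ == "__main__":
    print("hidden from ps:", check_live_system())
```

The same diff works for files (a raw directory read versus the output of a possibly replaced ls) and for sockets (/proc/net/tcp versus netstat). It does not help against the kernel rootkits on the following slides, which filter /proc itself; for those the trusted view has to come from a lower vantage point, such as a clean boot medium or an offline disk image.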

    Remote Administration Tools

    • Legitimate tools are often abused
      • Citrix MetaFrame, WinVNC, PC Anywhere
      • Bad installations, crackable password authentication
        • “The Art of Intrusion” – hijacking remote admin tools to break into a cash transfer company, a bank’s IBM AS/400 server
    • Semi-legitimate tools
      • Back Orifice, NetBus
      • Rootkit-like behavior: hide themselves, log keystrokes
      • Considered malicious by anti-virus software

    Communicating Via Backdoors

    • All sorts of standard and non-standard tunnels
    • SSH daemons on a high port
      • Communication encrypted → hard to recognize for a network-based intrusion detector
      • Hide SSH activity from the host by patching netstat
    • UDP listeners
    • Passively sniffing the network for master’s commands

    Byzantine Hades

    • 2006-09 cyber-espionage attacks against US companies and government agencies
      • Attack websites located in China, use same precise postal code as People's Liberation Army Chengdu Province First Technical Reconnaissance Bureau
    • Targeted email results in installing a Trojan
      • Gh0stNet / Poison Ivy Remote Access Tool
      • Stole 50 megabytes of email, documents, usernames and passwords from a US government agency
    • Same tools used to penetrate Tibetan exile groups, foreign diplomatic missions, etc.

    Night Dragon

    • Started in November 2009
    • Targets: oil, energy, petrochemical companies
    • Propagation vectors
      • SQL injection on external Web servers to harvest account credentials
      • Targeted emails to company executives (spear-phishing)
      • Password cracking and “pass the hash” attacks
    • Install customized RAT tools, steal internal documents, deliver them to China

    zwShell RAT

    • When launched, presents a fake crash error
      • Type “zw.china” into the hidden password field
    • Can create a custom trojan or start a C&C server
      • Select listening port, password for encrypting C&C traffic, custom sound notifications when infected machines connect or disconnect

    RAT Capabilities

    • “Dropper” program installs RAT DLL, launches it as persistent Windows service, deletes itself
    • RAT notifies specified C&C server, waits for instructions
    • Attacker at C&C server has full control of the infected machine, can view files, desktop, manipulate registry, launch command shell

    Who Was Behind Night Dragon?

    • C&C servers hosted in Heze City, Shandong Province, China
    • All data exfiltration to IP addresses in Beijing, on weekdays, between 9a and 5p Beijing time
    • Uses generic tools from Chinese hacking sites
      • Hookmsgina and WinlogonHack: password stealing
      • ASPXSpy: Web-based RAT
    • Make in China

    • Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials.
    • The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.
    • At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network.
    • The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.
    • One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It's just that it is dreadfully effective."

    Successful attack on a big US security company

    • Target: master keys for two-factor authentication
    • Spear-phishing email messages
      • Subject line: “2011 Recruitment Plan”
      • Attachment: 2011 Recruitment plan.xls
    • Spreadsheet exploits a zero-day vulnerability in Adobe Flash to install Poison Ivy RAT
      • Reverse-connect: pulls commands from C&C servers
      • Stolen data moved to compromised servers at a hosting provider, then pulled from there and traces erased

    Who Was Behind the RSA Attack?

    • Poison Ivy RAT downloaded from
      • Previously used in Gh0stNet attacks
    • Some attack domains were associated with “fast-flux” dynamic DNS providers
      • Can rapidly change IP addresses to evade blacklisting
    • But fast-flux DNS is commonly used by Russian spammers, not Night Dragon attackers… hmmm


    • Targets: aerospace, energy, engineering, shipping companies and military research orgs in Japan and India, Tibetan activists
    • Spear-phishing emails with malicious attachments
      • PDF attachment with radiation measurement results
      • Word file with info on India’s ballistic missile program
      • Documents with Tibetan themes
    • Exploits stack overflow vulnerability in MS Office Rich Text Format (RTF) parser + four different buffer overflows in Adobe Flash and Reader
    • [Trend Micro 2012 research paper]


    • Uses Windows Management Instrumentation (WMI) to establish a persistent trojan and hide its presence from antivirus file scanners
    • C&C servers on free hosting services
    • QQ instant messaging numbers associated with server registration are linked to several individuals
      • 2005 hacker forum posts about backdoors, shellcode, fuzzing vulnerabilities
      • 2005 bulletin board posts recruiting students for a network security project at the Information Security Institute of the Sichuan University
    • [Trend Micro 2012 research paper]

    Aurora Attacks

    • 2009 attacks of Chinese origin on Google and several other high-tech companies
      • State Department cables published on WikiLeaks claim the attacks were directed by the Chinese Politburo
    • Phishing emails exploit a use-after-free vulnerability in IE 6 to install Hydraq malware
      • Compromised machines establish SSL-like backdoor connections to C&C servers
    • Goal: gain access to software management systems and steal source code

    It All Starts with an Email…

    • A targeted, spear-phishing email is sent to sysadmins, developers, etc. within the company
    • Victims are tricked into visiting a page hosting this JavaScript:
    • It decrypts and executes the actual exploit

    Aurora Exploit (1)

    • Decrypts into this code…
    • This code sprays the heap with 0x0D0C bytes + shellcode

    Aurora Exploit (2)

    • 1. Sets up an array of two hundred “COMMENT” objects
    • 2. Creates an image object and calls this code when image is loaded
    • 3. Deletes the image
    • 4. Sets up a timer to call this code every 50 milliseconds

    Aurora Exploit (3)

    • Overwrites memory that belonged to the deleted image object with 0x0C0D
    • Accesses the deleted image
    • Allocated memory has a reference counter (how many pointers are pointing to this object?)
    • A bug in IE6 JavaScript reference counter allows code to dereference a deleted object

    Aurora Exploit (4)

    • When accessing this image object, IE 6 executes the following code:
      • CALL DWORD PTR DS:[EAX+34]
    • This code calls the function whose address is stored in the object… Ok if it’s a valid object!
    • But object has been deleted and its memory has been overwritten with 0x0C0D0C0D… which happens to be a valid address in the heap spray area → control is passed to shellcode

    Aurora Tricks

    • 0x0C0D does double duty as a NOP-like instruction and as an address
      • 0x0C0D is binary for OR AL, 0d – effectively a NOP – so an area filled with 0x0C0D acts as a NOP sled
        • AL is the lower byte of the EAX register
      • When 0x0C0D0C0D is read from memory by IE6, it is interpreted as an address… which points into the heap spray area, likely to an 0x0C0D instruction
    • Bypasses DEP (Data Execution Prevention) – how?
    • Full exploit code:
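The double-duty 0x0C0D sled is also what gives a heap spray away to a defender: a large region of memory made of one short pattern repeated tens of thousands of times is rare in legitimate data. The heuristic below is an added example, not from the slides or the Aurora code; it scans a memory snapshot for the longest run of a repeated one- or two-byte pattern and checks whether that pattern is a NOP-like instruction. The snapshots are constructed byte strings (seeded noise around a sled of 0x0C 0x0D pairs), and the 4096-byte threshold is an assumption chosen for the example.

```python
"""Added example (not from the slides): a heap-spray / NOP-sled heuristic over a memory snapshot."""
import random

# Leading opcode bytes that, repeated, execute harmlessly and so serve as a sled on x86,
# mapped to the instruction length: 0x90 is nop; 0x0C is `or al, imm8` (the 0x0C0D trick).
NOP_LIKE_LEADING_BYTES = {0x90: 1, 0x0C: 2}


def longest_repeated_run(buf, unit=2):
    """Return (run_length_in_bytes, pattern) for the longest stretch of one repeated `unit`-byte pattern."""
    best_len, best_pat = 0, b""
    i, n = 0, len(buf)
    while i + unit <= n:
        pat = buf[i:i + unit]
        j = i + unit
        while j + unit <= n and buf[j:j + unit] == pat:
            j += unit
        run = j - i
        if run > best_len:
            best_len, best_pat = run, pat
        i = j if run > unit else i + 1   # step one byte when nothing repeats, so odd alignments are covered
    return best_len, best_pat


def is_nop_like(pattern):
    """True if the pattern is a single instruction that does no useful work (nop, or al,imm8)."""
    return bool(pattern) and len(pattern) == NOP_LIKE_LEADING_BYTES.get(pattern[0])


def spray_verdict(buf, min_run=4096):
    """Flag a snapshot whose longest repeated pattern is long enough to act as a sled."""
    run, pat = longest_repeated_run(buf, unit=2)
    if run < min_run:                              # also try single-byte sleds such as 0x90
        run1, pat1 = longest_repeated_run(buf, unit=1)
        if run1 > run:
            run, pat = run1, pat1
    return {"flagged": run >= min_run, "run": run, "pattern": pat.hex(), "nop_like": is_nop_like(pat)}


def _constructed_snapshot(spray_units):
    """Deterministic fake heap: seeded noise, a zero separator, a sprayed region, another separator."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(32768))
    return noise + b"\x00" + bytes.fromhex("0c0d") * spray_units + b"\x00" + noise


SPRAYED_SNAPSHOT = _constructed_snapshot(8192)   # 16 KiB sled of 0x0C0D, constructed
CLEAN_SNAPSHOT = _constructed_snapshot(0)


if __name__ == "__main__":
    print(spray_verdict(SPRAYED_SNAPSHOT))
    print(spray_verdict(CLEAN_SNAPSHOT))
```

Browser mitigations of the period worked on this principle in a more refined form, measuring how much of a process's heap is made of repeated, executable-looking content before a suspicious control transfer. The heuristic is cheap, but long runs of identical bytes also occur in legitimate buffers (zeroed pages, bitmap images), so it is a trigger for closer inspection, not a verdict on its own.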

    Sony XCP Rootkit

    • Halderman and Felten. “Lessons from the Sony CD DRM Episode” (USENIX Security 2006)
    • The following slides shamelessly jacked from Halderman

    Cast of Characters

    • First4Internet: 52 titles, 4.7 million discs
    • SunnComm (“Light years beyond encryption™”): 37 titles, 20 million discs

    DRM: Digital Rights Management

    • CD players: plays normally
    • Computers: restricted use
      • e.g. can’t copy disc, can’t rip as MP3, can’t use on iPod

    Active Protection

    • [Diagram: ripper/copier application, OS, drivers, protection software]
    • Special protection driver that breaks applications

    Defeating Active Protection

    • Prevent installation
      • Infamous shift key ‘attack’
        • Disables autorun that installs protection driver from CD
      • Turn autorun off
      • Use Linux, Mac OS, etc.
    • Interfere with disc detection
    • Disable or remove protection drivers

    XCP Rootkit: Motivation

    • Content protection problem: users will remove active protection software
    • XCP response: actively conceal processes, files, registry keys

    XCP Rootkit: Discovery

    • Mark Russinovich, October 31, 2005

    Normal Windows Operation

    Normal Windows system call to list files in a directory:

    Application:
        KeQueryDirectoryFile(…);

    KeServiceDescriptorTable:
        KeQueryDirectoryFile        0x8060bb9c
        KeCreateFile                0x8056b9c8
        KeQuerySystemInformation    0x805ca104
        KeEnumerateKey              0x805010d0
        KeOpenKey                   0x805c9e3c

    Windows Kernel, at 0x8060bb9c:
        int KeQueryDirectoryFile(…) { … }

    XCP Rootkit Operation

    Application:
        KeQueryDirectoryFile(…);

    KeServiceDescriptorTable (entry for KeQueryDirectoryFile now points into the rootkit):
        KeQueryDirectoryFile        0x0f967bfa
        KeCreateFile                0x8056b9c8
        KeQuerySystemInformation    0x805ca104
        KeEnumerateKey              0x805010d0
        KeOpenKey                   0x805c9e3c

    Windows Kernel, at 0x8060bb9c:
        int KeQueryDirectoryFile(…) { … }

    Rootkit (Aries.sys), at 0x0f967bfa:
        int Rootkit_QueryDirectoryFile(…) {
            …
            if filename begins with “$sys$”: remove from results
        }

    XCP Rootkit: Operation

    • Magic prefix: $sys$
      • Files, processes and registry keys whose names start with it are hidden
    • Exception: If calling process starts with $sys$, can see everything
    • Not limited to XCP software
      • Any program can use this to hide anything
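The hook's logic is small enough to state exactly, and the exception for $sys$-named callers is also what lets a defender see through it: list a directory twice, once as yourself and once under a $sys$-prefixed copy of the same tool, and anything that appears only in the second listing was being hidden. The simulation below is an added example, not code from the slides, from Halderman and Felten, or from XCP itself; the directory entries are constructed names, and the functions stand in for the kernel's and the rootkit's versions of the directory query.

```python
"""Added example (not from the slides): the XCP-style hooked directory query and a cross-view check."""

MAGIC = "$sys$"

# Constructed directory contents (illustrative names, not from a real install).
SAMPLE_ENTRIES = [
    "notepad.exe",
    "$sys$DRMServer.exe",     # what the DRM software hides
    "$sys$cheat_helper.dll",  # anything else that adopts the prefix is hidden just the same
    "report.docx",
]


def kernel_query_directory(entries):
    """Stand-in for the original KeQueryDirectoryFile: returns every entry."""
    return list(entries)


def rootkit_query_directory(entries, caller_name):
    """Stand-in for the replacement installed by Aries.sys, following the slide's description:
    entries beginning with $sys$ are dropped unless the calling process is itself named $sys$*."""
    results = kernel_query_directory(entries)
    if caller_name.startswith(MAGIC):
        return results
    return [name for name in results if not name.startswith(MAGIC)]


def hidden_by_hook(entries, caller_name="explorer.exe"):
    """Cross-view: what the kernel holds versus what the hooked call returns to `caller_name`."""
    return sorted(set(kernel_query_directory(entries)) - set(rootkit_query_directory(entries, caller_name)))


def hidden_via_renamed_scanner(entries, scanner="scanner.exe"):
    """A defender's practical version: the same listing under the scanner's own name and under a
    $sys$-prefixed copy of it; the difference is exactly what the hook was filtering."""
    normal = rootkit_query_directory(entries, scanner)
    privileged = rootkit_query_directory(entries, MAGIC + scanner)
    return sorted(set(privileged) - set(normal))


if __name__ == "__main__":
    print("explorer sees:", rootkit_query_directory(SAMPLE_ENTRIES, "explorer.exe"))
    print("hidden:", hidden_via_renamed_scanner(SAMPLE_ENTRIES))
```

The renamed-scanner trick only works because this particular hook has a caller exception; the general technique is the cross-view diff, comparing a high-level API listing against a lower-level view such as raw parsing of the on-disk file system, which is what rootkit detectors of the period did.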

    Using XCP for Fun and Profit

    • “Most people, I think, don't even know what a rootkit is, so why should they care about it?”
      • - Thomas Hesse, President, Sony BMG Global Digital Business
    • Repurposed by malware and other programs
      • Backdoor.Ryknos.B, Trojan.Welomoch
      • Hide game-cheating hacks for online games
    • Other problems with XCP
      • XCP filter drivers intercept all CD read requests… removing XCP causes CD-ROM to stop functioning
      • XCP monitors all processes → nearly constant read attempts on the hard drive, shortening its lifespan

    Uninstalling XCP

    • Need a special ActiveX control, CodeSupport.ocx
      • Getting this control from Sony is a pain (on purpose)
    • Client sends “HTTP GET /XCP.dat” to the server and receives XCP.dat
    • CodeSupport.ocx extracts InstallLite.dll from XCP.dat, calls function UnInstall.xcp

    Repurposing XCP Uninstaller

    • 1. Attacker constructs Evil.dat with InstallLite.dll, puts attack code in UninstallXCP function
    • 2. Victim visits attacker’s web page, which contains CodeSupport.Uninstall(“”)
    • 3. Client sends “HTTP GET /Evil.dat” and receives Evil.dat; CodeSupport.ocx extracts InstallLite.dll from XCP.dat, calls function UnInstall.xcp, control is passed to attack code
