IT Security 2 (Ch2~Ch3)

Chapter 2: Malware

What is malware?

  • Malware = Malicious Software
    "A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim"

    Accidental (unintended) damage does not count

Motivation to write malware

  • Experimentation, testing, gaining a reputation
  • Fighting the authorities, crime, defeating anti-virus software
  • Direct financial gain (selling goods), indirect financial gain (obtaining other people's trade secrets)

Classic classification

Trojan horse

  • Definition: a program that has an overt (obvious) purpose and a covert (hidden) purpose
  • Example: the attacker stores a command named ls
    The user knows its overt purpose is to list files,
    but its covert purpose is whatever the attacker put into the shell script
  • Spread: users usually install it inadvertently
    e.g. anti-virus software, source repositories, third-party packages, porn thumbnails
  • Ken Thompson's C Compiler Hack
    1. Write a self-reproducing program fragment
    2. Modify the compiler:
       when it encounters login, insert a backdoor
       with this backdoor, every login accepts either the real password or a fixed master password
    3. Modify the compiler again: when it compiles a new compiler, it plants the backdoor into it
    4. Delete the modified version and replace it with the original compiler source code

    Even with verifiable software, a Trojan is still possible
    Inspecting the open source code still does not solve the Trojan problem

Viruses

  • Definition: a software fragment attached to an executable; the virus can copy itself, or pass itself on, to executables that have not yet been infected
    The virus runs only while the host program runs (it stops when the program stops)
    Someone has to run the very first virus
  • How it spreads
    Infection: modifying a file
    modifying a file: planting the virus code
    Exchanging infected programs/files also infects other devices (e.g. via USB)

    Are viruses Trojans?

    • Overt: the infected program runs; Covert: the virus behaviour
    • Overt: the virus behaviour; Covert: none

  • Parts of a Virus
    • Infection mechanism (infection vector): how it reproduces
    • Trigger: an event or condition that decides whether the payload is activated or delivered
    • Payload: the virus's behaviour, destructive or a benign message
  • Typical Phases in the Lifetime of a Virus
    • Dormant phase
    • Propagation phase: copies itself, or plants a mutated copy
    • Triggering (activating) phase: triggered (a count or a time is reached)
    • Execution phase: runs its function (the payload)
  • Types of viruses by target
    • Boot sector infector
    • File infector / Executable infector
      • Executable infector: increases the length of the executable
      • easy to detect
      • more sophisticated ways to hide the virus (overwriting, compression)
    • Macro virus (a macro or scripting code inside a larger program, i.e. an application)
      • Macro: written in a scripting language and created together with the application
      • Macro virus: recognised by the application (e.g. Word, Excel)
      • platform independent
      • spreads as the file is transferred
    • Multipartite virus (infects files in several ways: infects files of different types)
  • Classification by Concealment Strategy
    • Encrypted virus
      • everything except the decryption routine is encrypted (the decryption key is included too)
      • hard to detect
    • Polymorphic Viruses
      • becomes a different virus each time it is inserted into a different program, but with the same function
      • defeats signature detection
      • encrypts the virus body with a different key each time

    anti-virus:
    check signatures
    check code: polymorphic viruses commonly use decryption loops
    integrity checking
    emulate CPU execution for many iterations (because decryption runs many times) until the opcodes match a known virus body

    • Metamorphic Viruses
      • mutate the virus body itself
      • the virus carries its own source code and recompiles itself
      • usually macro or script viruses (macros/scripts are usually interpreted rather than compiled)
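The three anti-virus checks listed above (signature, integrity, emulate-until-the-body-matches), as an added toy model that is not part of the course notes. The sample layout, the one-byte key, the encoder and the "known body" are all constructed here; a real scanner runs the decryption loop on a CPU emulator, whereas this model simply applies the stub's decode step one pass at a time.

```python
import hashlib

KNOWN_BODY = b"VIRUS_BODY_demo_payload"  # constructed stand-in for a known virus body
SIGNATURE = KNOWN_BODY[:8]                # byte pattern a signature scanner looks for

def encode_round(body: bytes, key: int) -> bytes:
    """One pass of the constructed encoder: XOR with key, then add 1 (mod 256)."""
    return bytes(((b ^ key) + 1) & 0xFF for b in body)

def decode_round(body: bytes, key: int) -> bytes:
    """Inverse of encode_round: one pass of the sample's own decryption loop."""
    return bytes(((b - 1) & 0xFF) ^ key for b in body)

def make_sample(key: int, rounds: int) -> bytes:
    """Constructed 'encrypted virus' layout: b'STUB' | key | rounds | encoded body.
    A different key yields a different byte pattern for the same body, which is
    why a signature taken from the plain body no longer matches on disk."""
    body = KNOWN_BODY
    for _ in range(rounds):
        body = encode_round(body, key)
    return b"STUB" + bytes([key, rounds]) + body

def static_signature_scan(data: bytes) -> bool:
    """Check 1: signature match on the bytes exactly as stored."""
    return SIGNATURE in data

def emulated_scan(data: bytes, max_rounds: int = 16):
    """Checks 2 and 4: recognise the decryptor stub, then 'emulate' its loop one
    pass at a time, re-checking the signature after every pass, and stop when the
    decoded opcodes match the known body. Returns the passes needed, or None."""
    if not data.startswith(b"STUB") or len(data) < 6:
        return None
    key, body = data[4], data[6:]
    for passes in range(1, max_rounds + 1):
        body = decode_round(body, key)
        if SIGNATURE in body:
            return passes
    return None

def baseline_of(files: dict) -> dict:
    """Check 3 (setup): record SHA-256 and size of every trusted executable."""
    return {name: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
            for name, data in files.items()}

def integrity_check(baseline: dict, current: dict) -> dict:
    """Check 3: report files whose hash changed. An executable infector appends
    code, so the notes' 'increases the length of the executable' shows up as growth."""
    findings = {}
    for name, data in current.items():
        old = baseline.get(name)
        if old is None:
            findings[name] = "new file"
        elif old["sha256"] != hashlib.sha256(data).hexdigest():
            grown = len(data) - old["size"]
            findings[name] = f"modified (+{grown} bytes)" if grown > 0 else "modified"
    return findings
```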

Obfuscation and Anti-Debugging

  • Goal: avoid code analysis, and avoid the virus being found by signature detection
    • insert garbage opcodes
    • different code performing the same function
    • packed binaries
  • detect debuggers and virtual machines, and stop executing
  • same code, different register names / different subroutine order (\(n\) subroutines give \(n!\) variants)
  • use instructions to decrypt instructions
  • Zperm mutation: changes the code order using jumps
  • Zmist (code integration): the virus merges itself into a single instruction flow, then uses jumps to random addresses in the program to execute

Worms

  • spreads by exploiting software vulnerabilities
  • Definition: a program that actively seeks machines to infect
  • the infected machine is used as an automated launching pad to infect others
  • gains access through software vulnerabilities
  • via the network or shared media (USB, DVD)
  • Replication methods:
    • email: automatically sends worm emails; opening the email or the attachment runs the code
    • file sharing: creates a copy of the file, transferred via USB etc.
    • remote execution: if there is a network vulnerability
    • remote file access/transfer
  • Phases in the Lifetime (compared with viruses):
    • same as viruses: dormant, propagation (searching for suitable devices to infect), triggering, execution
  • Target Discovery:
    • Scanning: if the worm spreads over a remote network, the target system is assumed to be running a vulnerable service
    • address scanning strategies:
      • random: generates random IP addresses; easily detected because it produces a large volume of traffic
      • Hit-list: compile a list of candidate targets and infect them; give the list to the infected machines
      • Topological: uses information found on other machines
      • Local subnet: a host behind a firewall tries to infect hosts in the same subnet
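The detection side of the scanning strategies above, as an added example that is not part of the course notes: the notes say random scanning is easy to spot because of its traffic volume, and this script shows what that looks like in flow records. The flow log, the hosts, the window and the thresholds are all constructed assumptions.

```python
import ipaddress
import random
from collections import defaultdict

def constructed_flows() -> list:
    """Constructed flow log (not real traffic): tuples of (second, src, dst, dport).
    One normal client, one host doing random-address scanning on 445/tcp and one
    host sweeping its own /24 (the notes' 'local subnet' strategy)."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    flows = []
    for t in range(0, 60, 3):  # normal client: the same two peers, again and again
        flows.append((t, "10.0.0.20", "10.0.0.1", 443))
        flows.append((t, "10.0.0.20", "203.0.113.10", 443))
    for t in range(60):  # random scanner: a fresh random 32-bit address every second
        flows.append((t, "10.0.0.5", str(ipaddress.IPv4Address(rng.getrandbits(32))), 445))
    for t, host in enumerate(range(2, 52)):  # subnet sweep: walks 10.0.1.2 .. 10.0.1.51
        flows.append((t, "10.0.1.100", f"10.0.1.{host}", 445))
    return flows

def scan_report(flows, window: int = 60, min_targets: int = 20) -> dict:
    """Per source and time window, count distinct destinations; a source touching
    at least min_targets distinct hosts is flagged. The number of distinct /24
    prefixes separates a local-subnet sweep from wider scanning; the notes' other
    strategies (hit-list, topological) also look like 'wide' scanning here."""
    per_src = defaultdict(lambda: defaultdict(set))
    for t, src, dst, _dport in flows:
        per_src[src][t // window].add(dst)
    report = {}
    for src, windows in per_src.items():
        for w, dsts in windows.items():
            if len(dsts) < min_targets:
                continue
            prefixes = {str(ipaddress.ip_network(f"{d}/24", strict=False)) for d in dsts}
            kind = "local-subnet sweep" if len(prefixes) == 1 else "wide (random) scanning"
            report[src] = {"window": w, "targets": len(dsts),
                           "prefixes": len(prefixes), "kind": kind}
    return report
```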

Ransomware

  • WannaCry 2.0 (2017)
  • exploits a vulnerability in certain Windows versions
  • WannaCry decryption (2017)
    • generates an RSA public/private key pair
    • sends the private key to the control server, then deletes it
    • but the prime numbers were not deleted
    • if the computer has not been rebooted, the private key can be recovered from the public key using the prime numbers
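The recovery the notes describe, as an added example that is not WannaCry's code or any published decryptor: with only the public key (n, e) and a prime that was left behind in memory, q = n / p and the private exponent d follow directly. The primes, the "memory" candidate list and the message are constructed; the primes are small Mersenne primes so the block runs instantly, but the arithmetic is the same as for a full-size key.

```python
# Constructed primes (2^127-1 and 2^61-1), far too small for real use but real
# primes, so the arithmetic is exactly what a full-size key does.
P = (1 << 127) - 1
Q = (1 << 61) - 1
E = 65537

def rsa_keypair(p: int, q: int, e: int = E):
    """Key generation as in the notes: the public key (n, e) stays on the victim,
    the private exponent d is derived from p and q and is what gets sent away
    and deleted."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    assert m < n, "message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def recover_private_key(public_key, memory_candidates):
    """The recovery step from the notes: only (n, e) is available, but integers
    scraped from process memory (a constructed list here) may still include one
    of the primes. Any candidate that divides n gives p, then q = n // p, and d
    follows from phi = (p-1)(q-1). Returns None if no prime is left (e.g. after
    a reboot), because n cannot be factored from scratch."""
    n, e = public_key
    for cand in memory_candidates:
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None
```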

Malware classification by payload

  • System Corruption:
    • Data Destruction: deleting data
    • Ransomware: demanding a ransom
    • Physical-World Damage: rewriting the BIOS so the computer cannot boot
    • Logic Bomb: triggers a malicious function
  • Information Theft:
    • Keyloggers and spyware (capture keystrokes, screenshots, microphone, camera)
    • Phishing and identity theft (phishing or SPAM)
    • Reconnaissance, Espionage and data exfiltration (obtaining confidential information)
  • Stealthing – Backdoors and Rootkits:
    • Backdoor: secret entry point
    • Rootkits: programs installed covertly on the system, with root privileges

Rootkits

  • Definition: the main property is stealthiness
  • Infection routes:
    • stealing passwords or dictionary attacks
    • buffer-overflow attacks on a vulnerable program to obtain root privileges
    • download and install the rootkit
  • Classification:
    • Persistent: starts whenever the system runs (lives in the registry or the file system)
    • Memory based: disappears after a reboot
    • User mode: intercepts API calls and modifies the return values
    • Kernel mode: intercepts the API
    • Virtual machine based: installs a VM monitor

Terminology

  • Advanced Persistent Threat (APT): Sophisticated malware directed at specific business or political targets, applied persistently and effectively
  • Attack kit: Set of tools for generating malware, including propagation and payload mechanisms
  • Auto-rooter: Malicious hacking tool used to remotely break into machines
  • Flooder (DoS engine): Generates a large volume of data, e.g. to carry out a denial of service attack
  • Key logger: Captures keystrokes on the infected system
  • Trojan horse: Appears to be useful but also has a secondary malicious purpose
  • Bot (Zombie): Activated on an infected machine to gain remote control and launch attacks on other machines

Chapter 2: Malware – Botnets and Stuxnet

What are botnets?

  • Definition:
    • Bots: malware with a remote-control capability
    • Bot spread: via worms or Trojans
    • Botnets: a group of compromised computers
      • with bots installed
      • remotely controlled by the attacker (command and control infrastructure (C&C))
      • the attacker is called the herder
    • infected computers are called drones or zombies
  • Where bots fit in the malware classification:
    • they exploit software weaknesses like worms, act as backdoors, use rootkits, use spyware, and can grow
    • distinguishing feature: remote control

Attacks mounted with the help of botnets

  • spam/phishing
  • DDoS attacks
  • spyware stealing data
  • click fraud
  • spreading new malware

Lifecycle of a Botnet from a Herder’s View

Phase      Description
Creation   Reuse existing code
Infection  Exploit software weaknesses, drive-by download, Trojans, email attachments, etc.
Rallying   Bots start up for the first time and connect to the C&C server(s)
Waiting    Wait for commands
Executing  Execute commands

Lifecycle of a Botnet from a Defense’s View

Phase      Description
Detection  Security detection (during the infection, rallying and execution phases)
Capturing  A bot is captured
Analysis   Analyse the spreading strategy, the purpose and the C&C infrastructure
Tear down  Dismantle the botnet

Command and Control (C&C) Techniques

  • Centralized:
    • IRC server: the server pushes commands
    • HTTP server: the victim clients pull commands
  • Decentralized:
    • P2P

Today most are hybrid

  • Internet Relay Chat (IRC):
    • real-time messaging service on the Internet
    • group or private communication
    • divided into multiple channels
  • IRC bots
    • the C&C server is an IRC server
    • infected computers join a special IRC channel
    • advantages:
      • IRC servers are freely available
      • attackers are experienced with it
    • IRC backdoor
      • standalone file that copies itself
      • creates a Registry key to start the file
      • modifies WIN.INI or SYSTEM.INI, or copies itself to other users
      • some backdoors use an IRC client in place of the .INI
      • example: Agobot (2009)
  • Web-based Command and Control:
    • HTTP has become the most popular C&C protocol
    • two connection patterns:
      • a continuous connection
      • polling at fixed intervals, then waiting for the next connection
    • the malware is configured to request a PHP script on a website and is redirected to the page from which it downloads the command
  • HTTP bots
    • usually have a user-friendly interface for controlling the bots
      (usable even by less skilled people)
    • client-side exploits (exploiting browser weaknesses)
    • example: Bobax (2004) exploited a buffer overflow vulnerability
  • Decentralized botnets:
    • not all of them are P2P
    • reduce server load, or for fault tolerance
    • example: Waledac
      • Hybrid P2P/Centralized infrastructure
      • hybrid encryption using AES and RSA
      • spreading: social engineering, vulnerabilities
      • updating the IP list: exchanged with other nodes, or by connecting to hard-coded Waledac domains
      • malicious behaviour: download and run programs, send spam, harvest email account credentials, DDoS

Taking down botnets

  • Centralized:
    • locate the C&C server (traffic analysis, honeypots)
    • make the C&C server unreachable
      • block the hostname, block the IP, cut the connection
  • Hiding the C&C server's IP:
    • Domain Generating Algorithms (DGAs)
      • generate different domain names from a seed
      • the attacker must register the queried domain name
    • Fast Flux in DNS
      • different IP addresses map to the same domain name
      • the IP addresses are usually those of victims
  • Decentralized:
    • harder
    • requires disinfection of every infected node (Waledac)
    • poison the peer list (Conficker)
    • no once-and-for-all solution
    • Mitigating Waledac
      • no cryptographic authentication,
        so an "update" carrying a clean-up command can be issued
      • poison the P2P cache, so no new Tier 2 nodes can be reached;
        take down the Tier 2 nodes and locate the main C&C
    • Mitigating Conficker
      • commands are all signed, so no update can be issued
      • peer lists store individual IPs, but no network range
      • peer lists are curated to give peers a larger network range
      • legitimate peers only talk to cleaning peers
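The two C&C-hiding techniques above (DGAs and fast flux) from the defender's side, as an added example that is not part of the course notes: it runs over a constructed resolver log and flags names that look algorithmically generated, clients that burst NXDOMAIN answers (a DGA bot queries many names the herder never registered), and names whose answers rotate through several IPs under a short TTL. The log lines, the entropy/vowel thresholds and the TTL cut-off are all assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real data): "seconds client qname answer ttl";
# answer is an IP or NXDOMAIN. Client 10.0.0.5 behaves like a DGA bot.
SAMPLE_DNS_LOG = """\
1 10.0.0.5 www.example.com 93.184.216.34 3600
2 10.0.0.5 xk3j9qzv8wlp2m.com NXDOMAIN 0
3 10.0.0.5 q8zl1vm3ty7kxr.net NXDOMAIN 0
4 10.0.0.5 p0wnc4rzy2hj6v.org NXDOMAIN 0
5 10.0.0.5 z71bqk9xm3vlrt.com 198.51.100.7 60
6 10.0.0.5 z71bqk9xm3vlrt.com 203.0.113.9 60
7 10.0.0.5 z71bqk9xm3vlrt.com 192.0.2.44 60
8 10.0.0.5 z71bqk9xm3vlrt.com 198.51.100.21 60
9 10.0.0.6 mail.example.org 192.0.2.10 3600
"""

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(qname: str) -> bool:
    """Heuristic for DGA output: the registrable label is long, high-entropy and
    nearly vowel-free, unlike names people choose. Thresholds are assumptions."""
    label = qname.lower().split(".")[-2]
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.3 and vowels < 0.25

def analyse_dns_log(log: str, max_ttl: int = 300, min_ips: int = 3) -> dict:
    """Three signals: names that look generated, NXDOMAIN count per client, and
    fast-flux names (>= min_ips distinct answers, every TTL <= max_ttl)."""
    dga_like, nx_per_client = set(), defaultdict(int)
    answers = defaultdict(lambda: {"ips": set(), "max_ttl": 0})
    for line in log.strip().splitlines():
        _ts, client, qname, answer, ttl = line.split()
        if looks_generated(qname):
            dga_like.add(qname)
        if answer == "NXDOMAIN":
            nx_per_client[client] += 1
        else:
            answers[qname]["ips"].add(answer)
            answers[qname]["max_ttl"] = max(answers[qname]["max_ttl"], int(ttl))
    fast_flux = {q: len(a["ips"]) for q, a in answers.items()
                 if len(a["ips"]) >= min_ips and a["max_ttl"] <= max_ttl}
    return {"dga_like": sorted(dga_like),
            "nxdomain_per_client": dict(nx_per_client),
            "fast_flux": fast_flux}
```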

Mirai IoT Botnet

  • infects IoT devices (DVRs, routers, IP cameras, printers, ...)
  • centralized
  • makes no attempt to avoid detection
  • carries out DDoS attacks
  • lifecycle:
    • the Loader speeds up spreading to each platform
    • the Report Server holds data on every infected device and on devices that could be infected
  • Derivatives
    • Hajime: decentralized
    • BrickerBot: permanent DoS, wipes data
  • Why IoT devices suit botnets
    • constant operation
    • less protection
    • poorly maintained
    • suitable attack paths (traffic)
    • no or limited user interface
  • Protection mechanisms
    • change default passwords
    • update frequently
    • block ports
    • only allow non-routable IP addresses

Stuxnet

  • the first malware to threaten critical infrastructure
    • power, water, healthcare, transport, stock market, etc.
  • Advanced persistent threat
  • Cyber attack: uses a cyber attack to attack remotely and extort critical infrastructure
  • Supervisory Control and Data Acquisition System (SCADA):
    • monitors and controls manufacturing processes
    • usually spread over different physical locations
    • security myth: people assume SCADA is secure because of its protocols and interfaces, and that it is secure as long as it is not connected to the network
    • threats:
      • unauthorized access (physical access by a person; Stuxnet exploited vulnerabilities)
      • access to unprotected communication
  • Stuxnet overview:
    • discovered on 2010/6/17
    • exploits Windows vulnerabilities
    • looks for computers controlling SCADA systems
  • Windows vulnerabilities:
    • initially on USB
      • once the folder is browsed, a malicious DLL runs
      • a privilege escalation vulnerability
      • installs two signed driver files to ensure Stuxnet propagation after a reboot
        • Propagation: via network drives, a Windows printer spooler service vulnerability, an RPC vulnerability
        • the three above are zero-day exploits, vulnerabilities unknown to security experts (previously unknown)
  • Update:
    1. HTTP connection to update servers
    2. two infected devices update each other
  • Vulnerabilities in WinCC/Step7
    1. one vulnerability allows modifying the channel between WinCC/Step7 and the controlled PLC
    2. WinCC/SCADA database software (access protected only by a default password that cannot be changed)
  • Manipulating PLCs
    • the PLC is connected to a converter
    • the converter is made by specific manufacturers
    • attached to motors running at 807-1210 Hz
    • changes the frequency and the rotation speed
  • Origin:
    • differs from worms
      • targeted attack
      • no data theft
      • no C&C features (apart from update)
      • destructive attack
      • large financial investment
      • signed with legitimate certificates
  • Patching and Cleaning
    • the Windows vulnerabilities have been patched
    • scanners can also detect infected machines