THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] - نسخه متنی

Peter Szor

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

  • Acknowledgments

    Contact Information

    Part I. STRATEGIES OF THE ATTACKER

    Chapter 1. Introduction to the Games of Nature

    Section 1.1. Early Models of Self-Replicating Structures

    Section 1.2. Genesis of Computer Viruses

    Section 1.3. Automated Replicating Code: The Theory and Definition of Computer Viruses

    References

    Chapter 2. The Fascination of Malicious Code Analysis

    Section 2.1. Common Patterns of Virus Research

    Section 2.2. Antivirus Defense Development

    Section 2.3. Terminology of Malicious Programs

    Section 2.4. Other Categories

    Section 2.5. Computer Malware Naming Scheme

    Section 2.6. Annotated List of Officially Recognized Platform Names

    References

    Chapter 3. Malicious Code Environments

    Section 3.1. Computer Architecture Dependency

    Section 3.2. CPU Dependency

    Section 3.3. Operating System Dependency

    Section 3.4. Operating System Version Dependency

    Section 3.5. File System Dependency

    Section 3.6. File Format Dependency

    Section 3.7. Interpreted Environment Dependency

    Section 3.8. Vulnerability Dependency

    Section 3.9. Date and Time Dependency

    Section 3.10. JIT Dependency: Microsoft .NET Viruses

    Section 3.11. Archive Format Dependency

    Section 3.12. File Format Dependency Based on Extension

    Section 3.13. Network Protocol Dependency

    Section 3.14. Source Code Dependency

    Section 3.15. Resource Dependency on Mac and Palm Platforms

    Section 3.16. Host Size Dependency

    Section 3.17. Debugger Dependency

    Section 3.18. Compiler and Linker Dependency

    Section 3.19. Device Translator Layer Dependency

    Section 3.20. Embedded Object Insertion Dependency

    Section 3.21. Self-Contained Environment Dependency

    Section 3.22. Multipartite Viruses

    Section 3.23. Conclusion

    References

    Chapter 4. Classification of Infection Strategies

    Section 4.1. Boot Viruses

    Section 4.2. File Infection Techniques

    Section 4.3. An In-Depth Look at Win32 Viruses

    Section 4.4. Conclusion

    References

    Chapter 5. Classification of In-Memory Strategies

    Section 5.1. Direct-Action Viruses

    Section 5.2. Memory-Resident Viruses

    Section 5.3. Temporary Memory-Resident Viruses

    Section 5.4. Swapping Viruses

    Section 5.5. Viruses in Processes (in User Mode)

    Section 5.6. Viruses in Kernel Mode (Windows 9x/Me)

    Section 5.7. Viruses in Kernel Mode (Windows NT/2000/XP)

    Section 5.8. In-Memory Injectors over Networks

    References

    Chapter 6. Basic Self-Protection Strategies

    Section 6.1. Tunneling Viruses

    Section 6.2. Armored Viruses

    Section 6.3. Aggressive Retroviruses

    References

    Chapter 7. Advanced Code Evolution Techniques and Computer Virus Generator Kits

    Section 7.1. Introduction

    Section 7.2. Evolution of Code

    Section 7.3. Encrypted Viruses

    Section 7.4. Oligomorphic Viruses

    Section 7.5. Polymorphic Viruses

    Section 7.6. Metamorphic Viruses

    Section 7.7. Virus Construction Kits

    References

    Chapter 8. Classification According to Payload

    Section 8.1. No-Payload

    Section 8.2. Accidentally Destructive Payload

    Section 8.3. Nondestructive Payload

    Section 8.4. Somewhat Destructive Payload

    Section 8.5. Highly Destructive Payload

    Section 8.6. DoS (Denial of Service) Attacks

    Section 8.7. Data Stealers: Making Money with Viruses

    Section 8.8. Conclusion

    References

    Chapter 9. Strategies of Computer Worms

    Section 9.1. Introduction

    Section 9.2. The Generic Structure of Computer Worms

    Section 9.3. Target Locator

    Section 9.4. Infection Propagators

    Section 9.5. Common Worm Code Transfer and Execution Techniques

    Section 9.6. Update Strategies of Computer Worms

    Section 9.7. Remote Control via Signaling

    Section 9.8. Intentional and Accidental Interactions

    Section 9.9. Wireless Mobile Worms

    References

    Chapter 10. Exploits, Vulnerabilities, and Buffer Overflow Attacks

    Section 10.1. Introduction

    Section 10.2. Background

    Section 10.3. Types of Vulnerabilities

    Section 10.4. Current and Previous Threats

    Section 10.5. Summary

    References

    Part II. STRATEGIES OF THE DEFENDER

    Chapter 11. Antivirus Defense Techniques

    Section 11.1. First-Generation Scanners

    Section 11.2. Second-Generation Scanners

    Section 11.3. Algorithmic Scanning Methods

    Section 11.4. Code Emulation

    Section 11.5. Metamorphic Virus Detection Examples

    Section 11.6. Heuristic Analysis of 32-Bit Windows Viruses

    Section 11.7. Heuristic Analysis Using Neural Networks

    Section 11.8. Regular and Generic Disinfection Methods

    Section 11.9. Inoculation

    Section 11.10. Access Control Systems

    Section 11.11. Integrity Checking

    Section 11.12. Behavior Blocking

    Section 11.13. Sand-Boxing

    Section 11.14. Conclusion

    References

    Chapter 12. Memory Scanning and Disinfection

    Section 12.1. Introduction

    Section 12.2. The Windows NT Virtual Memory System

    Section 12.3. Virtual Address Spaces

    Section 12.4. Memory Scanning in User Mode

    Section 12.5. Memory Scanning and Paging

    Section 12.6. Memory Disinfection

    Section 12.7. Memory Scanning in Kernel Mode

    Section 12.8. Possible Attacks Against Memory Scanning

    Section 12.9. Conclusion and Future Work

    References

    Chapter 13. Worm-Blocking Techniques and Host-Based Intrusion Prevention

    Section 13.1. Introduction

    Section 13.2. Techniques to Block Buffer Overflow Attacks

    Section 13.3. Worm-Blocking Techniques

    Section 13.4. Possible Future Worm Attacks

    Section 13.5. Conclusion

    References

    Chapter 14. Network-Level Defense Strategies

    Section 14.1. Introduction

    Section 14.2. Using Router Access Lists

    Section 14.3. Firewall Protection

    Section 14.4. Network-Intrusion Detection Systems

    Section 14.5. Honeypot Systems

    Section 14.6. Counterattacks

    Section 14.7. Early Warning Systems

    Section 14.8. Worm Behavior Patterns on the Network

    Section 14.9. Conclusion

    References

    Chapter 15. Malicious Code Analysis Techniques

    Section 15.1. Your Personal Virus Analysis Laboratory

    Section 15.2. Information, Information, Information

    Section 15.3. Dedicated Virus Analysis on VMWARE

    Section 15.4. The Process of Computer Virus Analysis

    Section 15.5. Maintaining a Malicious Code Collection

    Section 15.6. Automated Analysis: The Digital Immune System

    References

    Chapter 16. Conclusion

    Further Reading

    Index

    •
    توضیحات
    افزودن یادداشت جدید











  • 14.8. Worm Behavior Patterns on the Network


    This section discusses a few interesting network captures of computer worms as they propagate from one computer to another. Detailed examination of such captures is useful in seeing how typical exploitation can be experienced on the wire when the network traffic is examined with a packet sniffer, such as tcpdump11. Always use such tools with the network administrator's permission because you might accidentally capture sensitive data from the network.

    14.8.1. Capturing the Blaster Worm


    In the first example, shown in 12.

    Figure 14.3. A network capture of a W32/Blaster worm infection with Ethereal.

    Chapter 10 and match it with the behavior pattern of the worm in this network capture. In this particular example, the IP address 192.168.0.1 belongs to the attacker system, which is already compromised by Blaster. The IP address 192.168.0.3 (also on a local test network) is currently under attack by Blaster.Chapter 15 explains more about natural infection strategies and analysis techniques and introduces a few more network captures of worm attacks.)

    Next, in frame 82 of Figure 14.3, you can see that the attacker system again communicates with its shell on the newly compromised host and sends a "start msblast.exe" command (see the packet dump in the lower panel of Ethereal).

    At that point, the worm starts to run on the newly attacked system. You also can see that action because 192.168.0.3 suddenly starts to send broadcast ARP requests such as "Who has 192.168.0.2? Tell 192.168.0.3," "Who has 192.168.0.4? Tell 192.168.0.3," and so on, as it scans the network for other machines. This behavior pattern is very typical of computer worms.

    You can easily target Blaster with a NIDS system. One possibility is to check for exploit code in the first few packets, which allows you to log attacker systems on your network quickly. Another possibility is simply to look for the string "start msblast.exe," to see when a new system gets compromised. When you see this request, you will know that your systems are still not patched with the new security updates required to eliminate the vulnerability exploited by the worm.

    14.8.2. Capturing the Linux/Slapper Worm


    As Chapter 10 discusses in detail, the Slapper worm exploited an OpenSSL vulnerability on Apache Web servers that involved exploitation on the heap. It is important to understand the specifics of heap exploitation to be able to build host-based intrusion prevention techniques similar to those discussed in Chapter 13, "Worm-Blocking Techniques and Host-Based Intrusion Prevention." On the other hand, from the point of view of network-level defense, there are other interesting questions that you might ask. In particular, the worm exploits OpenSSL, so it is interesting to double-check whether or not the worm is encrypted on the wire. In some of the existing computer security literature, the Slapper worm is already discussed as a worm that "cannot be effectively detected with NIDS because someone would need to compromise the security provided by SSL." As I will demonstrate next, however, this statement is false.

    Figure 14.4 is a capture of the Linux/Slapper worm where the IP address 206.129.0.1 is compromised by Slapper and attacks 206.129.254.254. Of course, all of this happens on our lab network, just like any other captures, so the IP address does not have to do anything with real-world targets.

    Figure 14.4. A network capture of the Linux/Slapper worm infection with Ethereal.

    [View full size image]

    You can see the double-take action of the two "Client Hello" messages; Slapper exploits the target twice. When the worm exploits the target the first time, the target leaks valuable information, which is used in the second exploit phase to gain proper control of the target.

    Ethereal also expects that the wire contains encrypted data in frame 53, shown in Figure 14.4. Normally, this would be the case, and Ethereal would be right. However, the worm exploits the target before the encryption is established on the wire. You can see in the lower Ethereal window that some of the worm's commands are passing in the payload as plain text instead of cipher text. This is a clear indication that there is no encryption established between the two systems.

    You can see that the first command is rm (remove), followed by a cat command, which creates Slapper's UU-encoded source file on the target. The propagation of the worm is visible in plain text over the wire, so there should be no problem detecting the worm using standard NIDS.

    A Snort NIDS signature to detect Linux/Slapper could be the following:


    alert tcp any any -> any 443 (msg:"Linux/Slapper Worm Propagation";
    content:"36 35 35 20 2E 62 75 67 74 72 61 2e 63";)

    This alert is generated when the string 655 .bugtraq.c is detected in a packet transmitted on port 443/tcp, which should not be the case. An SSL connection would always transmit cipher text in normal circumstances, and the filename is unique.

    Note, however, that the filename might be the first thing that someone would change in a new variant of a worm, so a more appropriate NIDS signature could also investigate the key argument length field and check whether that value is larger than eight, which is the maximum allowed (as discussed in Chapter 10). I define this type of detection as a generic intrusion signature. Figure 14.5 shows a network capture of Linux/Slapper with a large key argument length field set to 64.

    Figure 14.5. A Client Master Key message with a key_arg length set to 64.

    13.

    14.8.3. Capturing the W32/Sasser.D Worm


    The W32/Sasser.D worm was released by a German virus writer and was interesting because it targeted a Microsoft LSASS vulnerability. In Figure 14.6, you can see the worm send its code from the already compromised 10.10.10.34 attacker system to the currently exploited system on 10.10.10.36.

    Figure 14.6. A network capture of the W32/Sasser.D worm.

    [View full size image]

    So what is the interesting part of this attack? It appears that the first byte of the executable worm body is sent alone and shows as Len=1 in frame 90 of Figure 14.6. In the lower pane of Ethereal, you can see an M character as the payload of the packet. This is the first byte of the PE file of the worm body that starts with the MZ header. The following part of the worm executable header will start with Z in frame 91, in which a payload with a Len=1460 bytes is sent, typical on Ethernet networks.

    Indeed, the worm sends itself byte by byte on the network, but without specifying an immediate sending, the IP stack will be reassembled locally, and usually a complete payload will be sent to the target. There is no guarantee, however, that the reassembling will always happen, and this can split the worm body along short packet boundaries.

    Although Sasser does not attack NIDS directly, it demonstrates that worms can indeed split their exploit code to a byte-per-payload style of transfer if they specifically ask to do so. Not all NIDS have proper packet reassembling abilities, as mentioned earlier. As a result, the IDS signature of the attack might not match because the signature is split on the wire into several packets, each with a payload a few bytes long.

    As an example, the CodeRed worm is normally sent in the form shown in Figure 14.7A, but a trickier variant of the worm could send its code with randomly split payload sizes, as shown in Figure 14.7B, challenging IDS implementations that do not have traffic reassembling.

    Both of these methods could work correctly. Depending on the packet reassembling and signature engine abilities of a NIDS, however, the signature of the worm might not be matched correctly. This example illustrates why packet reassembling is such an important module for a properly developed IDS.

    Figure 14.7. The exploit code of the CodeRed worm in complete and split forms.

    14.8.4. Capturing the Ping Requests of the W32/Welchia Worm


    The sad reality is that many network administrators who have corporate permission to run sniffer tools often do not really know how to use such tools to look for worm infections. As a result, they do not perform this kind of logging routinely. Such logging techniques can be useful in preparing for a worm attack in advance or in helping to eliminate an already existing in-house infection. In this section, I illustrate the use of the tcpdump tool, which is included by default in many UNIX distributions. It has become the Swiss-army knife of intrusion detection; as you will see, it is also an effective honeypot tool.

    In the capture shown in Figure 14.8, you can see the Welchia worm ping the destination address 169.254.189.84 from the 169.254.56.166 address. Before Welchia attempts to exploit a new target, it wants to get a positive answer to an ICMP echo request.

    Figure 14.8. The ping request of the W32/Welchia worm.

    14).

    If you want to track Welchia infections based on the special ping request data, use the following command15:


    tcpdump -qn icmp and ip[40] = 0xaa

    You can do the same on a Windows machine (using windump):


    windump -qn icmp and ip[40] = 0xaa

    This command instructs the sniffer to log ICMP traffic but reduces the scope of logging to special ICMP echo requests, which have a 0xAA filler byte at position 40 inside their request. Similar tools, such as ngrep, also can be used to perform even more complicated string matching using regular expressions.

    14.8.5. Detecting W32/Slammer and Related Exploits


    The W32/Slammer worm targets vulnerable Microsoft SQL servers on port 1434/udp. The only thing the worm requires is to send a datagram to the actual port. Vulnerable installations of Microsoft SQL Server will execute the worm when processing the UDP request.Chapter 10, the exploit code built into Slammer requires a special ID in front of the worm's code. This special byte, 0x04, would be normally followed by a short string, but there is no bound checking in the code, and the stack is overflowed when a large string is received. Notice the number of filler (0x01) bytes in the worm, which shift a return address value to the proper spot.

    Figure 14.9. A snippet of a Slammer worm dump loaded to HIEW.

    [View full size image]

    I will use this dump to demonstrate exploit detection using NIDS software. Normally, you could use a worm-specific signature to detect this attack, and it is certainly a good idea to refine your detection and have a clue whether the actual exploit you have detected is related to Slammer. So here is the Symantec ManHunt Hybrid signature, which pretty much follows the format of a Snort signature in this example:


    alert udp any any -> any 1434 (msg:"W32/Slammer Worm Propagation";
    content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|";
    content:"|04|"; offset:0; depth:1;)

    We generate an alert whenever any traffic targets any IP address with a 1434/udp port. We alert with the message "W32/Slammer Worm Propagation" whenever we find the h.dllhel32hkern string anywhere in the datagram. We also have 0x04 as the first byte of the packet to double-check that we are dealing with the exploit. This signature will detect Slammer effectively, however. If you want to prepare a generic detection to detect the exploit code, you could use the following signature to do so:


    alert udp any any -> any 1434 (msg:"MS02-039 exploitation detected";
    content:"|04|"; offset:0; depth:1; dsize>60)

    This alert is very similar to the first one. In fact, it matches the first byte of the datagram, just as the worm-specific signature does. I do not use the previous sequence of bytes, but the dsize command instead, to check whether the datagram is longer than 60 bytes. In this way, we know that a vulnerable SQL Server would be under attack since a 128-byte buffer is overflowed. There are two constant strings used by SQL Server to build a Registry key when the server receives this request (as discussed in Chapter 10), hence a dsize larger than 60 will always result in an overflow conditionand at least a DoS attack.

    Note

    The 60 comes from 12840271=60 (size_of_buffer-string_size1-string_size2-terminating_zero= 60).

    Of course, you could argue that such signatures are more prone to false positives, but you can also see that they are less prone to false negatives. Indeed, the remaining ambiguity is a general problem of NIDS. How could the NIDS tell whether or not the UDP port 1434 traffic is related to an SQL Server on the target system? This is why more specific IDS signatures always cause fewer false positives.

    Such signatures, however, can be very helpful. Imagine if Slammer were polymorphic or even metamorphicno actual bytes of the worm would be the same in different instances of the worm body on the wire. Unless the worm exploited several vulnerabilities, it would need to present the 0x04 byte in the front of the datagram and represent itself as a long-enough string. Thus the preceding generic IDS signature would also cover the polymorphic version of the worm.

    In fact, modern IDS detection languages support programmable signatures. For example, such signatures use a histogram to check quickly whether there are any zero bytes in a range of the stream. Indeed, it would be better to use such filters in the preceding signature to reduce false positives further. Slammer cannot use a zero byte anywhere in its body because the worm's body is processed as a "string." Similarly, any exploit code targeting this vulnerability would need to avoid using zeros long enough to exploit the overflow condition successfully. As a result, even a polymorphic or metamorphic worm would be detected via the "frame" conditions of the exploit.


      • / 191