The Evolution of Malicious Agents
Lenny Zeltser (www.zeltser.com)
SANS Institute
Presented July 2000
Copyright (c) Lenny Zeltser. 2000.
1
Overview
Definition of Malicious Agents
Computer program
Operates on behalf of potential intruder
Aids in attacking systems
Viruses, worms, trojanized software
Goals of the Course
Trace evolution of malicious agents
Examine anatomy of advanced malicious agents based on key features of existing ones
Develop an approach to assessing threats posed by malicious agents
Course Outline
Rapidly spreading agents
Spying agents
Remotely controlled agents
Coordinated attack agents
Advanced malicious agents
Rapidly Spreading Agents
General Attributes
Morris Worm and Melissa Virus
Able to rapidly spread across the network
Viruses infect other programs by explicitly copying themselves
Worms self-propagate without the need for a host program
Key Features and Limitations
Effectively infiltrate organizations despite many firewalls
Effective replication mechanisms
Limited control over propagation rates and target selection criteria
The Morris Worm
Self-contained, self-propagating worm
Overwhelmed the Internet in November of 1988 within hours of release
Exploited known host access loopholes to replicate
A program that “lived” on the Internet?
Propagation Techniques
Non-standard command in sendmail
Buffer overflow bug in fingerd
Remote administration trust relationships of rexec and rsh
Guessable user passwords
Recursively infiltrated systems to replicate itself and reproduce further
Relevance to Advanced Agents
Aggressive infiltration methods of the Morris Worm are still very effective
For rapid propagation, program the agent to exploit common vulnerabilities
The Melissa Virus
Microsoft Word-based macro virus
Overwhelmed many Internet systems after the first weekend of release
E-mailed itself to address book entries
Propagated primarily via e-mail
Propagation Techniques
Arrived as an e-mail attachment
Message recipient had to open infected attachment to activate payload
E-mailed itself to entries in Microsoft Outlook MAPI address books
Recipients lowered guard when e-mail came from friends and colleagues
Relevance to Advanced Agents
Penetrated firewalls via inbound e-mail
Virus signatures could not be developed and applied in time
For effective infiltration, program the agent to arrive via open inbound channels
Advanced Attributes Summary
Propagate via open channels such as Web browsing or e-mail
Once inside, replicate aggressively by exploiting known vulnerabilities
Need to control replication rates, possibly by staying in touch with attacker
Spying Agents
General Attributes
Caligula, Marker, and Groov viruses
Transmit sensitive information from within organizations
Infiltrate via open channels
Use outbound connections for communications
Key Features and Limitations
Can be used as reconnaissance probes
Effective mechanism for communicating with authors despite many firewalls
Currently agent’s behavior is limited to what was pre-programmed
The Caligula Virus
Also known as W97M/Caligula
Microsoft Word-based macro virus
Discovered around January 1999
Transmitted PGP secret keyring file to author
Espionage Tactics
Used built-in ftp.exe command to transmit information to author
Used outbound sessions for communications
Bypassed many firewalls because connections were initiated from inside
The Marker Virus
Also known as W97M/Marker
Discovered around April 1999
Recorded date and time of infection, plus victim’s personal information
Most likely developed by the CodeBreakers group
Espionage Tactics
Implementation characteristics similar to Caligula
Realization of “bright future for espionage enabled viruses”
Allowed the author to study relationships between people at the target organization
Helpful for precisely targeting attacks
The Groov Virus
Also known as W97M/Groov.a
Discovered around May 1998
Uploaded victim’s network configuration to external site
Attempted to overwhelm a vendor’s site with network configuration reports
Espionage Tactics
Used built-in ipconfig.exe command to get network information
Used built-in ftp.exe for outbound transfer
Helpful to get insider’s view of the network
Can be correlated with external scans
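Caligula and Groov share one host-level tell: a Word macro launching a built-in Windows tool (ftp.exe, ipconfig.exe) that Word itself never needs. The following detection logic is an added example, not part of the original slides, and runs over constructed process-creation log lines; the tab-separated log format, host names, file paths and the choice of cmd.exe/command.com as launcher processes are assumptions.

```python
"""Flag Office applications that spawn built-in network or recon tools.

Added example (not from the original slides). Assumes a constructed,
tab-separated process-creation log: timestamp, host, parent image,
child image, command line. Sample lines below are invented.
"""
import re
from dataclasses import dataclass

# Parent processes that have no business launching network utilities.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Built-in tools named on the slides (ftp.exe, ipconfig.exe) plus the shells
# a macro would typically go through to reach them (assumption).
SUSPECT_CHILDREN = {"ftp.exe", "ipconfig.exe", "cmd.exe", "command.com"}


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased image name from a Windows path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def parse_line(line: str):
    """Parse one log record into a dict, or None if it is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, parent, child, cmdline = parts
    return {"ts": ts, "host": host, "parent": _basename(parent),
            "child": _basename(child), "cmdline": cmdline}


def detect(lines):
    """Return Findings for the two patterns the spying viruses relied on.

    1. An Office application directly spawning a suspect tool.
    2. ftp.exe run with a script file (-s:file), the non-interactive mode a
       macro needs to upload a file without a user at the keyboard.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["parent"] in OFFICE_PARENTS and rec["child"] in SUSPECT_CHILDREN:
            findings.append(Finding(rec["host"], rec["parent"], rec["child"],
                                    "office-app spawned built-in tool"))
        elif rec["child"] == "ftp.exe" and re.search(r"-s:", rec["cmdline"], re.I):
            findings.append(Finding(rec["host"], rec["parent"], rec["child"],
                                    "scripted (non-interactive) ftp session"))
    return findings


# Constructed sample log: lines 2 and 3 mimic a macro collecting ipconfig
# output and shipping it out with a scripted ftp session.
SAMPLE_LOG = [
    "1999-05-03T10:01:02\tws12\tC:\\WINNT\\explorer.exe\tC:\\Office\\WINWORD.EXE\tWINWORD.EXE report.doc",
    "1999-05-03T10:01:05\tws12\tC:\\Office\\WINWORD.EXE\tC:\\WINNT\\system32\\ipconfig.exe\tipconfig /all",
    "1999-05-03T10:01:07\tws12\tC:\\Office\\WINWORD.EXE\tC:\\WINNT\\system32\\ftp.exe\tftp -n -s:C:\\TEMP\\up.txt",
    "1999-05-03T10:02:00\tws12\tC:\\WINNT\\explorer.exe\tC:\\WINNT\\system32\\cmd.exe\tcmd",
    "1999-05-03T10:03:00\tws07\tC:\\WINNT\\system32\\cmd.exe\tC:\\WINNT\\system32\\ftp.exe\tftp -s:C:\\build\\push.scr files.example",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.host}: {f.parent} -> {f.child} ({f.reason})")
```

The parent/child pairing is the stronger signal; the scripted-ftp heuristic is noisier (the last sample line is a build script, not malware) and is best treated as a lower-severity alert to be correlated with the outbound FTP session on the firewall, which is exactly the traffic both viruses depended on.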
Relevance to Advanced Agents
Use outbound traffic for communications
Obtain personal and relationship information for precise targeting
Obtain network information to help reconnaissance efforts
Advanced Attributes Summary
Propagate via open channels or aggressive vulnerability exploitation
Use outbound channels for communication
Gather insider’s perspective of infrastructure
Need to remotely control agent’s behavior
Remotely Controlled Agents
General Attributes
Back Orifice and NetBus trojans
Provide full control over victim’s host
Comprised of client and server modules
Server modules “infect” victim hosts
Client modules send remote commands
Infiltrate via open channels
Key Features and Limitations
Server modules are very stealthy
Level of control is thorough and expandable
Client and server modules must be reunited before controlling
Typically controlled via inbound traffic with respect to server modules
Back Orifice
Original version released August 1998, updated July 1999
Created by Cult of the Dead Cow
Much functionality similar to standard remote administration tools
Classification often depends on intended use
Native Capabilities
Keystroke, video, audio capture
File share management
File and registry access
Cached password retrieval
Port redirection
Process control
Many other capabilities
Enhancement Capabilities
Provides plug-in API support
Communication channel encryption
Server component location announcement via outbound IRC
Many other capabilities
NetBus
Original version released March 1998 to “have some fun with his/her friends”
New version February 1999 marketed as “remote administration and spy tool”
New version required physical access to install stealthy server component, but unofficial restriction-free versions exist
Remote Control Capabilities
Functionality similar to Back Orifice
Also supports plug-ins, but not as popular among developers as Back Orifice
Primitively controls multiple server components from single client module, but not in parallel
Relevance to Advanced Agents
Operate agents in stealthy mode to minimize chances of discovery
Offer extensive remote controlling functionality
Support enhancements to native features via plug-ins
Advanced Attributes Summary
Propagate via open channels or aggressive vulnerability exploitation
Use outbound channels for communication
Gather insider’s perspective of infrastructure
Advanced Attributes Summary
Provide stealthy and extensible remote-control functionality
Need to control multiple agents from a single point
Coordinated Attack Agents
General Attributes
Trinoo and Tribe Flood Network
Disrupt normal system functions via network floods
Attacker can control several clients, each controlling multiple attack servers
Networks scanned for vulnerabilities and attack agents are planted
Key Features and Limitations
Client as well as server modules run on compromised machines
Attacker further removed from target
Agents typically beyond administrative control of single entity
Single purpose, designed specifically for denial-of-service attacks
Trinoo
Discovered on compromised Solaris systems in August 1999
Initial testing dates back to June 1999
First Windows version February 2000
Attacks via UDP packet flood
Coordination Mechanisms
Attacker connects to client module (“master”) via telnet to specific port
Warning issued if another connection attempt during ongoing session
Password-based access control for communication between all nodes
Coordination Mechanisms
Master relays commands to server modules (“daemons”) via proprietary text-based protocol over UDP
For example, “do” command to master relayed as “aaa” command to daemons
Attack terminated via timeout or “mdie” command to master (“die” to daemons)
Relevance to Advanced Agents
Control of multiple agents in coordinated manner
All traffic is inbound with respect to destination of particular communication
Master to daemons channels can be disrupted by blocking high-numbered UDP ports
Tribe Flood Network
Discovered around October 1999
Similar to Trinoo in purpose and architecture
Attacks via ICMP, UDP, and Smurf-style floods, offers back door to agent’s host
Client to server module communication via ICMP “echo reply” packets
Coordination Mechanisms
Normally ICMP “echo reply” generated to “echo request” by ping command
Use ICMP packet identifier field to specify commands
Firewalls may accept ICMP “echo reply”
Some network monitoring tools do not process ICMP traffic properly
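The weakness TFN exploits is that an echo reply is only legitimate as the answer to an echo request, yet stateless filters and many monitors accept replies on their own. The stateful check below is an added example, not part of the original slides: it parses the ICMP echo header, pairs each inbound reply with an earlier outbound request by (peer, identifier, sequence), and reports replies that nothing asked for. The packet records are constructed, and the 10-second window for a pending request is an assumption.

```python
"""Flag ICMP echo replies that no echo request asked for.

Added example (not from the original slides). Pairs inbound echo replies
with earlier outbound echo requests by (peer, identifier, sequence) and
reports the unmatched ones. Packet records below are constructed.
"""
import struct
from collections import deque

ECHO_REPLY, ECHO_REQUEST = 0, 8
REQUEST_TTL = 10.0  # seconds a request stays pending (assumption)


def parse_icmp(data: bytes):
    """Parse the 8-byte ICMP echo header: (type, code, ident, seq, payload)."""
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return icmp_type, code, ident, seq, data[8:]


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an echo request/reply; checksum left zero, which this check ignores."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


class EchoTracker:
    """Outbound requests open a slot; a matching inbound reply closes it."""

    def __init__(self, ttl: float = REQUEST_TTL):
        self.ttl = ttl
        self.pending = {}      # (peer, ident, seq) -> time request was sent
        self.order = deque()   # same keys, oldest first, for cheap expiry

    def _expire(self, now: float):
        """Drop requests older than ttl, and keys a reply already matched."""
        while self.order:
            key = self.order[0]
            sent = self.pending.get(key)
            if sent is None:               # already matched by a reply
                self.order.popleft()
                continue
            if now - sent <= self.ttl:
                break                      # everything behind it is newer
            self.order.popleft()
            del self.pending[key]

    def observe(self, ts: float, direction: str, peer: str, data: bytes):
        """Feed one packet; return an alert string or None."""
        self._expire(ts)
        icmp_type, _code, ident, seq, payload = parse_icmp(data)
        key = (peer, ident, seq)
        if direction == "out" and icmp_type == ECHO_REQUEST:
            self.pending[key] = ts
            self.order.append(key)
            return None
        if direction == "in" and icmp_type == ECHO_REPLY:
            if key in self.pending:
                del self.pending[key]
                return None
            return (f"unsolicited echo reply from {peer} id={ident} seq={seq} "
                    f"payload={len(payload)} bytes")
        return None


def scan(packets, ttl: float = REQUEST_TTL):
    """Run the tracker over (ts, direction, peer, bytes) records; return alerts."""
    tracker = EchoTracker(ttl)
    alerts = []
    for ts, direction, peer, data in packets:
        alert = tracker.observe(ts, direction, peer, data)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic: one normal ping exchange, then two replies nobody asked for.
SAMPLE_PACKETS = [
    (0.0, "out", "10.0.0.7", build_icmp(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
    (0.1, "in", "10.0.0.7", build_icmp(ECHO_REPLY, 0x1234, 1, b"abcdefgh")),
    (5.0, "in", "198.51.100.9", build_icmp(ECHO_REPLY, 456, 0, b"")),
    (30.0, "in", "10.0.0.7", build_icmp(ECHO_REPLY, 0x1234, 1, b"abcdefgh")),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

The match key deliberately includes the identifier and sequence fields, because those are exactly the fields a reply must copy from the request; a command channel that sets the identifier to an arbitrary value therefore fails the match even if it guesses a peer that was recently pinged. Replies arriving after the window has closed are reported too, which also catches a stale reply that was simply delayed, so the alert is a prompt to look at the payload, not proof of an agent.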
Relevance to Advanced Agents
Control of multiple agents in coordinated manner
Exploit protocols by violating specifications
Follow specifications, but use protocols in unexpected ways
This forms the basis of many attacks
Advanced Attributes Summary
Propagate via open channels or aggressive vulnerability exploitation
Use outbound channels for communication
Gather insider’s perspective of infrastructure
Advanced Attributes Summary
Provide stealthy and extensible remote controlling functionality
Control multiple agents in coordinated manner
Employ covert techniques for communication
These attributes can be used to assess threat level of a particular agent
Advanced Malicious Agents
General Attributes
RingZero Trojan, Samhain Worm
Combine key features of other agents
Offer attacker tight control over agent’s actions
Difficult to defend against without proper infrastructure and resources
The RingZero Trojan
Activity reports around September 1999
Sightings in August 1999 of e-mail messages with a “really class program”
Several variants of trojanized program attachments
Agent scanned for Web proxy servers
Attributes rarely seen in single agent
Observed Behavior
Detailed analysis October 1999
Scanned for Web proxy servers via connection attempts to known ports
Proxy servers typically access Web resources on user’s behalf
Used the discovered server to report server’s existence to external site
Observed Behavior
Retrieved encoded/encrypted file from two external sites
Sent mass mailing to ICQ users from spoofed address
Encouraged recipients to visit the “Biggest Proxy List” on external site
Relevance to Advanced Agents
Propagated via open channels
Outbound traffic for communications
View from internal network
Stealthy remote control capabilities
Operated in distributed manner
Room for improvement
Analysis based on single data file
Not especially malicious, though some reports of password stealing variants
No specific firewall bypassing attributes
No aggressive vulnerability exploitation
Louder than it needs to be
The Samhain Worm
Written winter 1998-1999, announced on Bugtraq May 2000, never released
Research prototype of a “deadly harmful Internet worm”
Defined alternative set of characteristics desired of advanced agents
Desired Characteristics
Portability for target OS independence
Invisibility for stealth operation
Autonomy for automatic spread via built-in exploit database
Polymorphism to avoid detection
Desired Characteristics
Learning for obtaining new techniques via central communication channel
Integrity to prevent modification or destruction
Awareness of mission objective to perform specific tasks and cease activity
Key Implementation Details
Uses “wormnet” to get programs and updates for target platform
Supports controlled broadcasting of requests to wormnet members
Family tree passed from parent to child, used to control broadcasts via maximum number of wormnet hops
Key Implementation Details
Uses polymorphic engine and encryption to avoid constant strings
Intercepts system calls when root, as well as other techniques to hide
Uses exploits unknown at the time, sorted by scope and effectiveness
Victims chosen via active connection monitoring and qualifying attributes
Relevance to Advanced Agents
Detailed design and implementation details, plus code fragments provided
Gradual attack approach suggests to propagate “harmlessly,” then update
Designed specifically to maximize potential harm and difficulty of eradication
Threat of Malicious Agents
Advanced Agents
Advanced agents are especially dangerous because of features combined into a single package
Stealth operation, firewall traversal, and coordination are particularly powerful
Feature sets and experimental nature of agents suggest active development
Assessing the Threat
Defense techniques depend on priorities and technologies of the organization
Use a structured framework to assess threat of particular agents
Analyze extent of “advanced” attributes, assign weight, react appropriately
Malicious Agents Attributes
Matrix summarizes key attributes of agents in terms of presented framework
The Samhain Worm not included because of slightly different feature set
Refer to earlier slides for discussion of items in the matrix
Use for future reference
Malicious Agents Attributes Matrix

Attribute                                  | Morris Worm | Melissa Virus | Marker Virus | Caligula Virus | Groov Virus  | Back Orifice | NetBus | Trinoo       | TFN          | RingZero
Aggressive self-propagation                | Yes         | No            | No           | No             | No           | No           | No     | No           | No           | Possibly
Propagation despite firewalls              | Yes         | Yes           | Yes          | Yes            | Yes          | Yes          | Yes    | Partly       | Partly       | Yes
Aggressive attack when no firewalls        | Yes         | Partly (DoS)  | No           | No             | Partly (DoS) | Yes          | Yes    | Yes          | Yes          | Possibly
Aggressive attack despite firewalls        | No          | Partly (DoS)  | No           | No             | Partly (DoS) | No           | No     | Partly (DoS) | Partly (DoS) | Possibly
Revealing confidential information         | No          | No            | Yes          | Yes            | Yes          | Yes          | Yes    | No           | No           | Yes
Remotely controlled when no firewalls      | No          | No            | No           | No             | No           | Yes          | Yes    | Yes          | Yes          | Yes
Remotely controlled despite firewalls      | No          | No            | No           | No             | No           | No           | No     | No           | No           | Yes
Acting in coordinated distributed fashion  | No          | No            | No           | No             | No           | No           | No     | Yes          | Yes          | Yes
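The "Assessing the Threat" slide says to analyze the extent of the advanced attributes, assign weights and react accordingly, and the matrix above supplies the raw attribute values. The following worked scoring is an added example, not part of the original slides: the matrix rows are copied from the slides, while the numeric mapping for Yes/Partly/Possibly/No and the row weights are illustrative assumptions that an organization would tune to its own priorities and technologies.

```python
"""Weighted threat score over the attribute matrix from the slides.

Added example (not from the original slides). Matrix values are the slides'
own; the value mapping and the weights are illustrative assumptions.
"""
AGENTS = ["Morris Worm", "Melissa Virus", "Marker Virus", "Caligula Virus",
          "Groov Virus", "Back Orifice", "NetBus", "Trinoo", "TFN", "RingZero"]

# Rows copied from the matrix, one value per agent; "Partly (DoS)" shortened.
MATRIX = {
    "Aggressive self-propagation":
        ["Yes", "No", "No", "No", "No", "No", "No", "No", "No", "Possibly"],
    "Propagation despite firewalls":
        ["Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "Partly", "Partly", "Yes"],
    "Aggressive attack when no firewalls":
        ["Yes", "Partly", "No", "No", "Partly", "Yes", "Yes", "Yes", "Yes", "Possibly"],
    "Aggressive attack despite firewalls":
        ["No", "Partly", "No", "No", "Partly", "No", "No", "Partly", "Partly", "Possibly"],
    "Revealing confidential information":
        ["No", "No", "Yes", "Yes", "Yes", "Yes", "Yes", "No", "No", "Yes"],
    "Remotely controlled when no firewalls":
        ["No", "No", "No", "No", "No", "Yes", "Yes", "Yes", "Yes", "Yes"],
    "Remotely controlled despite firewalls":
        ["No", "No", "No", "No", "No", "No", "No", "No", "No", "Yes"],
    "Acting in coordinated distributed fashion":
        ["No", "No", "No", "No", "No", "No", "No", "Yes", "Yes", "Yes"],
}

# Assumed numeric mapping: "Possibly" is unconfirmed, so it scores below "Partly".
VALUE = {"Yes": 1.0, "Partly": 0.5, "Possibly": 0.25, "No": 0.0}

# Assumed weights: the slides single out stealth, firewall traversal and
# coordination as the most powerful combination, so those rows count more.
DEFAULT_WEIGHTS = {
    "Aggressive self-propagation": 2,
    "Propagation despite firewalls": 2,
    "Aggressive attack when no firewalls": 1,
    "Aggressive attack despite firewalls": 2,
    "Revealing confidential information": 2,
    "Remotely controlled when no firewalls": 1,
    "Remotely controlled despite firewalls": 3,
    "Acting in coordinated distributed fashion": 3,
}


def threat_scores(matrix=MATRIX, weights=DEFAULT_WEIGHTS, agents=AGENTS):
    """Return {agent: score in [0, 1]}: weighted average of the mapped values."""
    total_weight = sum(weights[row] for row in matrix)
    scores = {}
    for i, agent in enumerate(agents):
        weighted = sum(weights[row] * VALUE[vals[i]] for row, vals in matrix.items())
        scores[agent] = weighted / total_weight
    return scores


def rank(scores):
    """Agents ordered from highest to lowest score."""
    return sorted(scores, key=scores.get, reverse=True)


def contributing_rows(agent, matrix=MATRIX, weights=DEFAULT_WEIGHTS, agents=AGENTS):
    """Attributes driving an agent's score, largest weighted contribution first."""
    i = agents.index(agent)
    rows = [(row, weights[row] * VALUE[vals[i]]) for row, vals in matrix.items()]
    return [r for r, c in sorted(rows, key=lambda rc: rc[1], reverse=True) if c > 0]


if __name__ == "__main__":
    scores = threat_scores()
    for agent in rank(scores):
        drivers = ", ".join(contributing_rows(agent)[:3])
        print(f"{agent:15s} {scores[agent]:.3f}  drivers: {drivers}")
```

With these weights RingZero ranks first, which matches the slides' point that combining features into one package is what makes an agent dangerous; Trinoo and TFN follow on the strength of coordination alone. The useful part for a defender is the weight table: an organization with no perimeter firewall would raise the "when no firewalls" rows and the ranking shifts accordingly, which is the "react appropriately" step made explicit.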
The End
See http://www.zeltser.com/ for electronic copies of this material