Hunt for Malicious Code


Transcript of Hunt for Malicious Code

  • 8/14/2019 Hunt for Malicious Code

    1/23

    Ryan Berg

    Co-Founder and Chief Scientist

    March 2009

  • Objectives & Agenda

    Very high level overview of malicious code
        Categories and types of malicious code (malcode)

    Detailed understanding of how malicious code works
        Triggering events
        System interactions

    Methods of detection
        Profiling
        Location, location, location
        Who's at risk

  • Red Alert!

    Hacking is illegal. Period. Don't be tempted to try this at home!

    Using the examples and techniques learned in this presentation without permission can result in termination of employment and/or criminal penalties.

  • It's in your code

    The focus is NOT on:
        Process breakdown
            Insertion of malicious code on a deployed environment
        Infrastructure attacks
            Attacking OS flaws, network flaws
        User stupidity
            Clicking on the executable file in email
        Spyware
            Installed when the user installs a downloaded program

    The focus is on:
        Bad stuff in the source code you build, use, and acquire

    Copyright 2009 Ounce Labs, Inc. All rights reserved.

  • What is it?

    Deliberate or inadvertent security vulnerabilities that allow a hostile person or a program to gain access and control of applications and data.

    import java.io.File;

    // Let's gather some information about the user's browsing history
    String userHome = System.getProperty("user.home") + "\\Local Settings\\Temporary Internet Files";
    StringBuffer browserFiles = new StringBuffer();
    File dir = new File(userHome);
    if (dir.isDirectory()) {
        File[] children = dir.listFiles();
        for (int i = 0; i < children.length; i++) {
            // loop body assumed: the slide text ends mid-statement
            browserFiles.append(children[i].getName()).append("\n");
        }
    }

  • Deliberate vs. Inadvertent

    Deliberate vulnerabilities are introduced on purpose

    Inadvertent vulnerabilities are a programming mistake

    A good attacker will make the malicious code look inadvertent

    A better attacker will make it hard to find

    Does it matter?

  • What is a triggering event?

    An event that initiates the execution of malicious code

    Time Event
        After 12/31/1999

    Logic Event
        Employee record deactivated in DB
        The ten millionth read of a sensor
        If an input value equals a hardcoded constant

    Dynamic Loading Events
        InstanceOf
        Hook in loading of DLL

    Unsolicited Function Calls

  • Examples

    Easter Eggs
        An overly confident employee/developer has introduced code that will produce a shrine to their programming abilities when 99999 is entered into a zip code field from a website.

    Spyware
        An open source project wishes to track all the users of its application and sends a message to the home server every time the application is run.

    Logic Bombs
        Logic triggered
            A terrorist who has gained employment at the power company introduces a piece of logic that increments the value of a temperature sensor after the ten millionth reading of that sensor.
        Event triggered
            A disgruntled employee introduces malicious code into an application that is tied to a specific date or time. The date or time acts as a trigger and the malicious code is not executed until weeks or months after the employee has left.

  • Famous Easter Eggs: Playful in nature!

    Most common in gaming software
        Cheats

    Microsoft Excel 97 - Flight Simulator
        Open a new workbook, press F5
        Enter X97:L97 and press Enter
        Press Tab once, to move to column M
        Hold Control and Shift, right-click the Chart Wizard icon on the Standard toolbar

    Spy Hunter in Excel 2000
        Under the File menu, do 'Save as Web Page'. Say 'Publish Sheet' and 'Add Interactivity'.
        Save to some htm page on your drive. Load the htm page with IE. You should have Excel in the middle of the page.
        Scroll to row 2000, column WC. Select row 2000, and tab so that WC is the active column.
        Hold down Shift+Ctrl+Alt and click the Office logo in the upper-left.

  • Firefox 3.0.3 and Open Office 3.0 RC2 Beta

  • Lessons Learned

    "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code." (Ken Thompson)

  • Thompson C Compiler Trojan

    Modified the C compiler
        http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

    Login backdoor for debugging purposes
        Used the code pattern for password verification
        Embedded into the C compiler to recognize the pattern
        Generated code to accept the correct password for the username
        Generated additional code to accept a special debugging password

    Compiler written to insert the back-door when it compiles itself
        Back-door inserted when login is compiled
        Back-door inserted when the C compiler source is compiled

    Modify the C compiler source to remove the back-door
        Back-door still inserted when the C compiler source is compiled
        Each successive iteration will always include the back door!

  • How do you detect and stop malcode?

    Process and Procedures
        Segregation of duties
        Controls in SDLC

    Manual Analysis
        Limited by reviewer expertise
        Limited by reviewer fatigue
        Time consuming for large applications

    Automated Analysis
        Difficult to detect logic events
        Critical assets unknown

    Hybrid Analysis (Manual and Automated)
        Domain expert helps identify critical assets
        Software doesn't get fatigued
        Expertise is in the signatures
        Produces a reduced code set for manual review

  • Profiling isn't always a bad thing!

    Represents a comprehensive set of interactions with critical assets

    Identifies and classifies all technologies in use

    Eliminates the need to look at ALL the code

    Location of interaction with critical assets
        Identifies locational hotspots

  • Detecting Malicious Code: Defining Critical Assets

    Malcode must interact with a critical asset

    Applications have a common set of critical assets
        Dynamic code instantiations
        System calls
        Thread management
        External communications
        Security controls
        Programming control

    Applications have custom critical assets
        Determined by the business
        Inventory control
        Specific hardware assets

    Applications shouldn't use unexpected technologies
        Complex graphics in a web application

  • Profiling: What are my critical assets?

    Standard language APIs
        Dynamic: Class loaders, Library loaders, Java Native Interface, Class instantiations
        System: File I/O, Windows Registry, Memory allocation, Privilege changes, Operating system calls
        Thread Management: Interactive manipulations, Process termination
        External: Network communications, Data repositories, User Input
        Security Controls: Authentication, Authorization
        Programming Controls: Compilers, Debuggers, Credential management, Standard vulnerability signatures

    Identify business-critical assets (examples)
        Adjustments to heat sensor
        Inventory updates
        Report card grades
        Guidance control hardware

  • Profile Standard Asset Example - WebGoat

    Identified getNumVisits() as a critical asset

    Identify the asset as a technology or a mechanism

    Run a scan

    Look at all technologies and mechanisms in use

    Validate suspicious technologies
        Should there be an email interface?
        Should there be socket connections?
        Should there be date checks? (very noisy)
        Should dynamic code be loaded?

  • Profile Event Triggers

    Identify hard-coded string triggers

    Identify time checks

    Direct function calls do not have triggers
        Identified by interaction with a critical resource
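    The profiling workflow from the slides on critical assets, the WebGoat scan and event triggers, as an added example that is not from the presentation or from Ounce Labs' tooling: a small Python scanner that flags critical-asset technologies and trigger patterns in Java source and emits the reduced line set for manual review. The Java fragment, the category names and the regex signatures are assumptions constructed for the demo, not a complete rule set.

```python
import re

# Constructed Java fragment standing in for a scanned application (not WebGoat's code).
# It plants the deck's own triggers (99999 zip code, post-1999 date, ten-millionth
# sensor read) next to dynamic loading, a socket and an OS call.
SAMPLE_SOURCE = """\
public class ReportServlet extends HttpServlet {
  void doPost(HttpServletRequest req) {
    String zip = req.getParameter("zip");
    if (zip.equals("99999")) { showShrine(); }
    if (new Date().after(CUTOFF_1999)) { corruptLedger(); }
    if (sensorReads == 10000000) { temperature++; }
    Class<?> c = Class.forName(req.getParameter("handler"));
    Socket s = new Socket("home.example", 4444);
    Runtime.getRuntime().exec("ipconfig");
    int total = items.length;
  }
}"""

# Critical-asset technologies (slide 17 categories) and trigger patterns (slides 8 and 20).
ASSET_PATTERNS = {
    "dynamic code loading": r"Class\.forName|ClassLoader|System\.loadLibrary",
    "operating system call": r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder",
    "external communication": r"new Socket\(|URLConnection|Transport\.send",
    "user input": r"getParameter\(",
}
TRIGGER_PATTERNS = {
    # time checks are the noisy category: every hit still needs a human decision
    "time check": r"new Date\(\)|System\.currentTimeMillis|Calendar\.getInstance",
    "hardcoded constant comparison": r'\.equals\("[^"]+"\)|==\s*\d{3,}',
}

def profile(source):
    """Map each category to the (line_no, text) pairs that matched it."""
    hits = {}
    for no, line in enumerate(source.splitlines(), 1):
        for label, pat in {**ASSET_PATTERNS, **TRIGGER_PATTERNS}.items():
            if re.search(pat, line):
                hits.setdefault(label, []).append((no, line.strip()))
    return hits

def reduced_code_set(source):
    """Sorted line numbers a reviewer must read: the profile's hits, deduplicated."""
    return sorted({no for pairs in profile(source).values() for no, _ in pairs})

def hotspots(source):
    """Hit count per category, so the technologies that dominate a scan stand out."""
    return {label: len(pairs) for label, pairs in profile(source).items()}
```

    Run profile(SAMPLE_SOURCE) to see each flagged line with its category; reduced_code_set() is the set of lines that goes to the manual reviewer instead of the whole file.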

  • MalCode Detection DEMO

    Static analysis assists the manual process

    Multiple tools required in the toolset

    Multiple techniques involved

  • Where is the malicious code?

    Open source software

    Your custom applications

    Third party applications
        Thompson Compiler example

  • Questions & Answers