《恶意代码基础与防范（微课版）》 课件 第7章 蠕虫

蠕虫本章目标掌握蠕虫的概念掌握蠕虫的发展过程熟悉蠕虫的编制蠕虫的最大贡献蠕虫更像是一种传播方式！蠕虫的基本概念蠕虫（Worm）是恶意代码的一种，它的传播通常不需要所谓的激活。它通过分布式媒介进行图传播。分布式媒介包括：网络、服务、人工等蠕虫强调的是图传播方式（参考本教材第2章的传播模型）。蠕虫历史蠕虫这个名词的由来是在1982年，Shock和Hupp根据《TheShockwaveRider》一书中的概念提出了一种“蠕虫（Worm）”程序的思想。2003-2005年蠕虫发展的高峰期2010后，蠕虫的传播能力被用在工业控制等新型恶意代码中。2015年后，蠕虫的传播能力被用在勒索软件型恶意代码中。与传统病毒的联系具有病毒共性：如传播性、隐蔽性、破坏性等独有的性质：不利用文件寄生，对网络造成拒绝服务，以及和黑客技术相结合等

蠕虫和传统病毒的区别：比较项目传统病毒蠕虫存在形式寄存文件独立程序传染机制宿主程序运行主动攻击传染对象本地文件网络计算机蠕虫的分类一种是面向企业用户和局域网而言，这种病毒利用系统漏洞，主动进行攻击，可以对整个互联网可造成瘫痪性的后果。以“红色代码”、“尼姆达”以及最新的“SQL蠕虫王”为代表。另外一种是针对个人用户的，通过网络（主要是电子邮件、恶意网页形式）迅速传播的蠕虫病毒，以爱虫病毒、求职信病毒为代表。蠕虫的特征第一，利用漏洞主动进行攻击第二，与黑客技术相结合第三，传染方式多第四，传播速度快第五，清除难度大第六，破坏性强蠕虫病毒的机理蠕虫病毒由两部分组成：一个主程序和另一个是引导程序。主程序收集与当前机器联网的其他机器的信息。利用漏洞在远程机上建立引导程序。引导程序把“蠕虫”病毒带入了它所感染的每一台机器中。当前流行的病毒主要采用一些已公开漏洞、脚本、电子邮件等机制进行传播。例如，IRC,RPC等漏洞。蠕虫病毒实例－基于RPC漏洞蠕虫RPC漏洞远程过程调用(RPC)是Windows操作系统使用的一个协议，提供了一种进程间通信机制RPC中处理通过TCP/IP的消息交换的部分存在一个漏洞。此问题是由错误地处理格式不正确的消息造成的。RPC漏洞影响分布式组件对象模型(DCOM)与RPC间的一个接口，此接口侦听TCP/IP端口135。Samba等程序存在此类漏洞基于RPC漏洞蠕虫冲击波病毒2003年7月16日，微软公司发布了“RPC接口中的缓冲区溢出”的漏洞补丁，攻击者即制作了一个利用此漏洞的蠕虫冲击波的中毒症状特种木马是什么？震网病毒震网（Stuxnet）是一种Windows平台上的计算机蠕虫，该蠕虫病毒已感染并破坏了伊朗的核设施，使伊朗的布什尔核电站推迟启动。/video/av5812131/Stuxnet蠕虫病毒是世界上首个专门针对工业控制系统编写的破坏性病毒，能够利用对windows系统和西门子SIMATICWinCC系统的7个漏洞进行攻击。特别是针对西门子公司的SIMATICWinCC监控与数据采集(SCADA)系统进行攻击，由于该系统在我国的多个重要行业应用广泛，被用来进行钢铁、电力、能源、化工等重要行业的人机交互与监控。OutlineWhatisStuxnet?Howwasitdetected?Howdoesitpenetrateanetwork?Howdoesitpropagateitself?Howisitcontrolled/updated?Howhasitevolved?Howbigistheproblem(whoisatrisk)?15WhatisStuxnet?StuxnetisanAdvancedPersistentThreat(APT)thatwastargetedataspecificmanufacturingfacility.(Namedforastringoflettersburiedinitscode)Itis(wasatthetimeofitsdiscovery)themostcomplicatedvirus/wormeverdiscovered.Averagevirusesareabout10kbytesinsize.Stuxnetwas500KB(andnographics).Itisunusualforavirustocontainonezero-dayvulnerability.Stuxnethad4.Stuxnetalsoactedlikearootkit–hidingitsactionsanditspresence.ItwasthefirstvirustoincludecodetoattackSupervisoryControlandDataAcquisition(SCADA)systems.16HowitwasdetectedDiscoveredbySergeyUlaseninJune,2010,atthetimeworkingforasmallBelarusanti-viruscompany(VirusBlokAda)OneoftheircustomersinIranhadbeenexperiencinganumberofBSODfailuresandwantedhelpfindingthecause.Researchintothatproblemledtothediscoveryofthevirus.IT426-Cotter17W32.StuxnetTimeline November20,2008 Trojan.ZlobvariantfoundtobeusingtheLNKvulnerabilityonlylateridentifiedinStuxnet.April,2009 SecuritymagazineHakin9releasesdetailsofaremotecodeexecutionvulnerabilityinthe

PrinterSpoolerservice.LateridentifiedasMS10-061. June,2009 EarliestStuxnetsampleseen.DoesnotexploitMS10-046.Doesnothavesigneddriverfiles.January25,2010 StuxnetdriversignedwithavalidcertificatebelongingtoRealtekSemiconductorCorps.March,2010 FirstStuxnetvarianttoexploitMS10-046. June17,2010 VirusblokadareportsW32.Stuxnet(namedRootkitTmphider).Reportsthatit’susinga

vulnerabilityintheprocessingofshortcuts/.lnkfilesinordertopropagate(lateridentifiedas

MS10-046).July13,2010 SymantecaddsdetectionasW32.Temphid(previouslydetectedasTrojanHorse). July16,2010 MicrosoftissuesSecurityAdvisoryfor“VulnerabilityinWindowsShellCouldAllowRemote

CodeExecution(2286198)”thatcoversthevulnerabilityinprocessingshortcuts/.lnkfiles.

VerisignrevokesRealtekSemiconductorCorpscertificate. 18July17,2010 EsetidentifiesanewStuxnetdriver,thistimesignedwithacertificatefromJMicron

TechnologyCorpJuly19,2010 SiemensreportthattheyareinvestigatingreportsofmalwareinfectingSiemensWinCC

SCADAsystems.SymantecrenamesdetectiontoW32.Stuxnet. July20,2010 SymantecmonitorstheStuxnetCommandandControltraffic. July22,2010 VerisignrevokestheJMicronTechnologyCorpscertificate. August2,2010 MicrosoftissuesMS10-046,whichpatchestheWindowsShellshortcutvulnerability. August6,2010 SymantecreportshowStuxnetcaninjectandhidecodeonaPLCaffectingindustrial

controlsystems. September14,2010 MicrosoftreleasesMS10-061topatchthePrinterSpoolerVulnerabilityidentifiedby

SymantecinAugust.Microsoftreporttwootherprivilegeescalationvulnerabilities

identifiedbySymantecinAugust. September30,2010 SymantecpresentsatVirusBulletinandreleasescomprehensiveanalysisofStuxnet.Howdoesitpenetrateanetwork?Targetenvironmentwasexpectedtobeanair-gappednetwork(morelater).Spreadthroughflashdrives.*.lnkfileonflashdriveNomemorycorruption,100%reliableOncevirusisuploadedandrunning,ithidesthe.lnkandsourcefiles.PatchedinMS10-04620.LNK0DayAttackRemovabledrivecontains:2tmpfiles:filenamesvariable(∑mod10=0)~WT4132.tmp–mainDLL~500KB~WT4141.tmp–loaderformaindll~25KB4.lnkfiles:MultiplelinksneededtoattackdifferentversionsofWindows(W2k,WXP,Serv2003,Vista,W7)Removabledriveonlyinfectsamaxof3hosts,andthenerasesitself.Hostonlyinfectsanewremovabledriveif:DriveisnotalreadyinfectedInfectionislessthan21daysoldDrivehasmorethan5MBoffreespaceDrivehasmorethan3filesonit.IT426-Cotter21.lnkinfectionstrategyIT426-Cotter22Howdoesitpropagateitself?

(Overview)CarriedbyflashdriveCopiestoopenfilesharesPassedthroughvulnerableprintspoolercode

(zero-dayvulnerability–MS10-061)PassedtheRPCvulnerabilityfoundinConficker

(MS-08-067)Createavulnerablescheduledtask,thenmodifythetaskandpaduntilitsCRC32matchesoriginaltask.(Willnowrununderscheduler.)CreatesrootkitforVista+Allowsuserstoloaddifferentkeyboardlayouts.Canbeloadedfromanywhere.Loadpointersandthentransfertocode.CreatesrootkitforWindowsXP.IT426-Cotter23PropagatethroughP2PUseRPCSomeofthemachinesexpectedtobenetworkisolated,butmighthaveaccesstoinfectedmachines.Searchesthroughasetof5programsthatmightbeinfected(dependingonOSversion,vulnerabilities,etc.)Eachinfectedmachinesearchesforotherinfectedmachines(withRPCservers).Queryforcurrentvirusversion.Ifserverhasolderversion,sendupdate.Ifserverhasnewerversion,downloadupdate.IT426-Cotter24P2PupdateprocessIT426-Cotter25SiemensWinccprogramVisualizationprogramtosupportdesignanddevelopmentofsupervisorycontrolanddataacquisition(SCADA)programsIncludesdatabasetostoreprojects.Databaseincludesahardcodedpassword–backdoorintothesystem.VirusmodifiesaWinCCviewtostartvirusexeeachtimeviewisaccessed.Viruswritesitselfintoanewtable,thencreatesastoredprocedurethatextractsandexecutescode,thendeletesstoredprocedureIT426-Cotter26NetworkSharesSearchesthroughalluseraccountsandallshareddrivestofindaccesstoremotemachine.Ifnonefound,willtryWindowsManagementInstrumentation(WMI)toaccesssharesanddownloadacopyofthevirus.IT426-Cotter27PrintSpooler0-dayAttackVirususesaweaknessinprintspooleronsharedmachinestopropagateanexecutablefile.File(%system%\winsta.exe)canbeloadedtoanymachinethatusesprintspooler.Onlyusedifdateisbefore6/1/2011).Expectthevulnerabilitytobefixedbythen??Vulnerabilityhadbeenpublishedin2009editionofHakin9magazine–butnotpatchedbyMicrosoft.PatchedinMS10-061IT426-Cotter28ConfickerrpcvulnerabilityPatchedasMS08-067Patchhadbeenavailable,butifmachinesnotupdated,thisvulnerabilityiseasytoexploit.Virusverifiesthatdateisbefore1/1/2030??Verifiesthatantivirusproductsaredatedbefore1/1/2009.Verifiesthatkernel32.dllandnetapi32.dlltimestampsarebefore10/12/2008.Appearstobetestingwhetherexploitislikelytobedetectedornot.IT426-Cotter29InfectionSpreadVirusrecordsinfectionhistory–cantrackancestors.5Differentorganizationstargeted(allinIran)Represents~12,000outof~100,000hostsPrimaryInfection1(version1.000)–June22,2009~360infectedhostsPrimaryInfection2(version1.100)–March1,2010~8300infectedhostsPrimaryInfection3(version1.101)April14,2010~3300infectedhostsAugust,2010–stoppedrecordinginfectedsitesfromwithinIran(linkblockedto“sinkhole”).IT426-Cotter30InfectionbycountryIT426-Cotter31FromSymantec(W32.Stuxnet)–updated2/26/2013Howisitcontrolled/updated?Communicateswithservers:SBIAUseshttptocommunicatewithCommandandControl(http-c2)Messagessenttoserverwhichimmediatelyforwardsmessagetosomeother(unknown)server.EmbedsuploadinformationoninfectionanddownloadupdatestovirusthroughInformationpassedbackinencryptedwithAESusing1ofseveralkeys.32Howisitcontrolled/updated?IT426-Cotter33Whatisthetarget?Veryselectivepropagation.Willonlyinfect3machinesfromaflashdrive(probablytolimitriskofdetection).LooksformachinesrunningSiemensStep7developmentsoftware(usedtobuildPLCcontrolprograms).VirustargetistomodifyprogramsusedtocontrolSimaticProgrammableLogicControllers(PLCs).IT426-Cotter34WhatdoesStuxnetlookfor?ThenlooksforPLClogicrunningfrequencyconverters.Specificallylookingformorethan155convertersrunningatafrequencybetween800and1200Hz.Veryfewfrequencyconvertersinindustryrunatfrequenciesabove1000.(Uraniumcentrifugesaretheexception)Iran’sNatanznuclearfacilityhas(had)160frequencyconvertersusedtoruntheircentrifuges.IT426-Cotter35UraniumEnrichment

Centrifuge36IranianCentrifuges37Step7projectfilesSiemensStep7developmentsystemusedtobuildprogramsthatrunindustrialcontrollers.Virusmodifiesexeanddllfilesinthedevelopmentenvironmenttoallowvirustodownloadfilesintoexistingprojects.Projectsareinfectedif:Projecthasbeenaccessedwithinthelast3.5yearsProjectcontainsawincprojfolderProjectisnotanexampleproject(*\step7\examples)38Step7projectfilesVirusinfects*.s7pand*.mcpfilesCreatesnew*.tmpfilesthatcontainthevirus.Viruscanverifyvirusversionandupdatetheinfection(throughRPC)ifneeded.39WhatisStep7?Testanddevelopmentenvironment(likeVisualStudio)UsedtodevelopprogramstocontrolprogrammableLogicControllersCanconnectdirectlytoPLCsto:View/modifymemoryDownloadprogramsDebugcodeOnceprogramisdownloaded,Step7candisconnectandPLCwillfunctionbyitself.40Step7ProgramstructureDataBlocks(DB)containprogram-specificdata,suchasnumbers,structures,andsoon.SystemDataBlocks(SDB)containinformationabouthowthePLCisconfigured.TheyarecreateddependingonthenumberandtypeofhardwaremodulesthatareconnectedtothePLC.OrganizationBlocks(OB)aretheentrypointofprograms.TheyareexecutedcyclicallybytheCPU.InregardstoStuxnet,twonotableOBsare:OB1isthemainentry-pointofthePLCprogram.Itisexecutedcyclically,withoutspecifictimerequirements.OB35isastandardwatchdogOrganizationBlock,executedbythesystemevery100ms.Thisfunctionmaycontainanylogicthatneedstomonitorcriticalinputinordertorespondimmediatelyorperformfunctionsinatimecriticalmanner.FunctionBlocks(FC)arestandardcodeblocks.TheycontainthecodetobeexecutedbythePLC.Generally,theOB1blockreferencesatleastoneFCblock.41Step7communications42Replacecommunicationslink!Stuxnetcopiesoriginals7otbxdx.dlltos7otbxsx.dllStuxnettheninsertsitsownversionofs7otbxdx.dllOriginallibrarycontains109differentfunctions(exports)93exportsunmodified(passedthroughtooriginallibraryRemaining16exportsmodifiedtochangecommands,hidedata,etc.

IT426-Cotter43Theinfectionprocesss7otbxdx.dllStarts2threadsusedtoinfectthelogiccontrollers(PLCs)FirstthreadchecksforcandidatePLCfilesevery15minutes.Ifitfindsacandidatefile,itinfectsitwithoneoftwosimilarbyuniqueinfectionsequences(AorB).SecondthreadmonitorsthePLCs,lookingforaspecificSystemdatablock(SDB)injectedbythefirstthread.WhenoneoftheinfectedPLCsbeginsitsattack,thissecondthreadcontactsallotherinfectedPLCstocoordinatetheattack.IT426-Cotter44TheinfectionThreadCheckPLCcodeforPLCtype.Lookingfor6ES7-315-2Iffound,checkSDBforProfibuscommunicationsprocessorCP342-5(usedtocontrolanumberofdevices,includingfrequencyconverters).Now,lookforatleast33specificfreq.convertersTypecode7050H(part#KFC750V3–frequencyconvertermadebyFararo

Paya(Iran)Typecode9500H(VaconNXfrequencyconvertermadebyVacon(Finland).Ifabovedetectedand#7050H>9500H,useSequenceAElseifabovedetected├H>#7050H,useSequenceBIT426-Cotter45CentrifugecontrolstructureIT426-Cotter46TheinfectionThreadOB1(mainentrytoPLCprogram)infectionPrependinfectiontooriginalcodeMonitorsflowofdatabetweenPLCprogramandcontrollerstation.ModifiessomeinstructionssenttoPLCReplacessomestatusdatasentfromPLCtocontroller.IT426-Cotter47Infectionstatemachine48InfectionstatemachineNormalStatesequence1-2-3-4-5-1Cyclemaybeadjustedifothercontrollersinthesethavemovedtoahigherstate.State1Monitortrafficevents(typically60/min–max186).Countevents(capat60/min)until~1.1millionobserved(~13days)Expectingabasefrequencyof1064Hz.State2Seemstobeonlyadelayof2hours.State3Sequence1–setfrequencyto1410Hz;Wait15minutesSequence2–setfrequencyto2Hz;Wait50minutesState4Setfrequencyto1064HzState5Reseteventcounterandwaitfor~2.3millionevents(~26.6days)49Wherediditcomefrom(ancestors)Stuxnet0.5Discoveredin2007(underdevelopmentin2005)PropagatedonlythroughStep7infectionsAttackstrategytoclosevalveswithinfacility,causingsignificantdamagetoequipment.Usedadifferentdevelopmentframeworkthanlaterversionsofthevirus.50Howhasitevolved?Vulnerability0.5001.0011.1001.101DescriptionCVE-2010-3888XXTaskSchedulerExploitCVE-2010-2743XXLoadKeyboardLayoutExploitCVE-2010-2729XXXPrintSpoolerRCECVE-2008-4250XXXWindowsRPCServerServiceCVE-2012-3015XXXXStep7insecureLibraryloadingCVE-2010-2772XXXWinCCdefaultPasswordCVE-2010-2568XXShortcut.lnkMS09-025XNuUserRegisterClassExWow51Whathasitbecome?DuQuTrojanDiscoveredOctober,2011Createsfileswithnamesprefixedwith“-DQ”Identifiedin6differentorganizationswithlocationsin:Europe(4countries)IranSudanIndiaVietnamTargetseemstobeinformationgathering.IncludesgeneralremoteaccesscapabilitiesGatherspasswordsTakesscreenshotsIT426-Cotter52DuQuHasuseda0-dayexploitinMSWordtoinstallDuQu,butnotclearwhatotherinstalltechniquesareused.Onlyalimitednumberofinfectionsdetected.UsesseveraltechniquesfoundinStuxnetValidcertificatetosigndriversHTTP/HTTPScommandandcontrolserversVirusremovesitselfafter36daysIT426-Cotter53whoisatrisk?StuxnetIfyouaren’tanuclearenrichmentfacilityinIran,you