《惡意代碼基礎(chǔ)與防范（微課版）》 課件 第7章 蠕蟲

蠕蟲本章目標(biāo)掌握蠕蟲的概念掌握蠕蟲的發(fā)展過程熟悉蠕蟲的編制蠕蟲的最大貢獻(xiàn)蠕蟲更像是一種傳播方式！蠕蟲的基本概念蠕蟲（Worm）是惡意代碼的一種，它的傳播通常不需要所謂的激活。它通過分布式媒介進(jìn)行圖傳播。分布式媒介包括：網(wǎng)絡(luò)、服務(wù)、人工等蠕蟲強(qiáng)調(diào)的是圖傳播方式（參考本教材第2章的傳播模型）。蠕蟲歷史蠕蟲這個名詞的由來是在1982年，Shock和Hupp根據(jù)《TheShockwaveRider》一書中的概念提出了一種“蠕蟲（Worm）”程序的思想。2003-2005年蠕蟲發(fā)展的高峰期2010后，蠕蟲的傳播能力被用在工業(yè)控制等新型惡意代碼中。2015年后，蠕蟲的傳播能力被用在勒索軟件型惡意代碼中。與傳統(tǒng)病毒的聯(lián)系具有病毒共性：如傳播性、隱蔽性、破壞性等獨(dú)有的性質(zhì)：不利用文件寄生，對網(wǎng)絡(luò)造成拒絕服務(wù)，以及和黑客技術(shù)相結(jié)合等

蠕蟲和傳統(tǒng)病毒的區(qū)別：比較項目傳統(tǒng)病毒蠕蟲存在形式寄存文件獨(dú)立程序傳染機(jī)制宿主程序運(yùn)行主動攻擊傳染對象本地文件網(wǎng)絡(luò)計算機(jī)蠕蟲的分類一種是面向企業(yè)用戶和局域網(wǎng)而言，這種病毒利用系統(tǒng)漏洞，主動進(jìn)行攻擊，可以對整個互聯(lián)網(wǎng)可造成癱瘓性的后果。以“紅色代碼”、“尼姆達(dá)”以及最新的“SQL蠕蟲王”為代表。另外一種是針對個人用戶的，通過網(wǎng)絡(luò)（主要是電子郵件、惡意網(wǎng)頁形式）迅速傳播的蠕蟲病毒，以愛蟲病毒、求職信病毒為代表。蠕蟲的特征第一，利用漏洞主動進(jìn)行攻擊第二，與黑客技術(shù)相結(jié)合第三，傳染方式多第四，傳播速度快第五，清除難度大第六，破壞性強(qiáng)蠕蟲病毒的機(jī)理蠕蟲病毒由兩部分組成：一個主程序和另一個是引導(dǎo)程序。主程序收集與當(dāng)前機(jī)器聯(lián)網(wǎng)的其他機(jī)器的信息。利用漏洞在遠(yuǎn)程機(jī)上建立引導(dǎo)程序。引導(dǎo)程序把“蠕蟲”病毒帶入了它所感染的每一臺機(jī)器中。當(dāng)前流行的病毒主要采用一些已公開漏洞、腳本、電子郵件等機(jī)制進(jìn)行傳播。例如，IRC,RPC等漏洞。蠕蟲病毒實(shí)例－基于RPC漏洞蠕蟲RPC漏洞遠(yuǎn)程過程調(diào)用(RPC)是Windows操作系統(tǒng)使用的一個協(xié)議，提供了一種進(jìn)程間通信機(jī)制RPC中處理通過TCP/IP的消息交換的部分存在一個漏洞。此問題是由錯誤地處理格式不正確的消息造成的。RPC漏洞影響分布式組件對象模型(DCOM)與RPC間的一個接口，此接口偵聽TCP/IP端口135。Samba等程序存在此類漏洞基于RPC漏洞蠕蟲沖擊波病毒2003年7月16日，微軟公司發(fā)布了“RPC接口中的緩沖區(qū)溢出”的漏洞補(bǔ)丁，攻擊者即制作了一個利用此漏洞的蠕蟲沖擊波的中毒癥狀特種木馬是什么？震網(wǎng)病毒震網(wǎng)（Stuxnet）是一種Windows平臺上的計算機(jī)蠕蟲，該蠕蟲病毒已感染并破壞了伊朗的核設(shè)施，使伊朗的布什爾核電站推遲啟動。/video/av5812131/Stuxnet蠕蟲病毒是世界上首個專門針對工業(yè)控制系統(tǒng)編寫的破壞性病毒，能夠利用對windows系統(tǒng)和西門子SIMATICWinCC系統(tǒng)的7個漏洞進(jìn)行攻擊。特別是針對西門子公司的SIMATICWinCC監(jiān)控與數(shù)據(jù)采集(SCADA)系統(tǒng)進(jìn)行攻擊，由于該系統(tǒng)在我國的多個重要行業(yè)應(yīng)用廣泛，被用來進(jìn)行鋼鐵、電力、能源、化工等重要行業(yè)的人機(jī)交互與監(jiān)控。OutlineWhatisStuxnet?Howwasitdetected?Howdoesitpenetrateanetwork?Howdoesitpropagateitself?Howisitcontrolled/updated?Howhasitevolved?Howbigistheproblem(whoisatrisk)?15WhatisStuxnet?StuxnetisanAdvancedPersistentThreat(APT)thatwastargetedataspecificmanufacturingfacility.(Namedforastringoflettersburiedinitscode)Itis(wasatthetimeofitsdiscovery)themostcomplicatedvirus/wormeverdiscovered.Averagevirusesareabout10kbytesinsize.Stuxnetwas500KB(andnographics).Itisunusualforavirustocontainonezero-dayvulnerability.Stuxnethad4.Stuxnetalsoactedlikearootkit–hidingitsactionsanditspresence.ItwasthefirstvirustoincludecodetoattackSupervisoryControlandDataAcquisition(SCADA)systems.16HowitwasdetectedDiscoveredbySergeyUlaseninJune,2010,atthetimeworkingforasmallBelarusanti-viruscompany(VirusBlokAda)OneoftheircustomersinIranhadbeenexperiencinganumberofBSODfailuresandwantedhelpfindingthecause.Researchintothatproblemledtothediscoveryofthevirus.IT426-Cotter17W32.StuxnetTimeline November20,2008 Trojan.ZlobvariantfoundtobeusingtheLNKvulnerabilityonlylateridentifiedinStuxnet.April,2009 SecuritymagazineHakin9releasesdetailsofaremotecodeexecutionvulnerabilityinthe

PrinterSpoolerservice.LateridentifiedasMS10-061. June,2009 EarliestStuxnetsampleseen.DoesnotexploitMS10-046.Doesnothavesigneddriverfiles.January25,2010 StuxnetdriversignedwithavalidcertificatebelongingtoRealtekSemiconductorCorps.March,2010 FirstStuxnetvarianttoexploitMS10-046. June17,2010 VirusblokadareportsW32.Stuxnet(namedRootkitTmphider).Reportsthatit’susinga

vulnerabilityintheprocessingofshortcuts/.lnkfilesinordertopropagate(lateridentifiedas

MS10-046).July13,2010 SymantecaddsdetectionasW32.Temphid(previouslydetectedasTrojanHorse). July16,2010 MicrosoftissuesSecurityAdvisoryfor“VulnerabilityinWindowsShellCouldAllowRemote

CodeExecution(2286198)”thatcoversthevulnerabilityinprocessingshortcuts/.lnkfiles.

VerisignrevokesRealtekSemiconductorCorpscertificate. 18July17,2010 EsetidentifiesanewStuxnetdriver,thistimesignedwithacertificatefromJMicron

TechnologyCorpJuly19,2010 SiemensreportthattheyareinvestigatingreportsofmalwareinfectingSiemensWinCC

SCADAsystems.SymantecrenamesdetectiontoW32.Stuxnet. July20,2010 SymantecmonitorstheStuxnetCommandandControltraffic. July22,2010 VerisignrevokestheJMicronTechnologyCorpscertificate. August2,2010 MicrosoftissuesMS10-046,whichpatchestheWindowsShellshortcutvulnerability. August6,2010 SymantecreportshowStuxnetcaninjectandhidecodeonaPLCaffectingindustrial

controlsystems. September14,2010 MicrosoftreleasesMS10-061topatchthePrinterSpoolerVulnerabilityidentifiedby

SymantecinAugust.Microsoftreporttwootherprivilegeescalationvulnerabilities

identifiedbySymantecinAugust. September30,2010 SymantecpresentsatVirusBulletinandreleasescomprehensiveanalysisofStuxnet.Howdoesitpenetrateanetwork?Targetenvironmentwasexpectedtobeanair-gappednetwork(morelater).Spreadthroughflashdrives.*.lnkfileonflashdriveNomemorycorruption,100%reliableOncevirusisuploadedandrunning,ithidesthe.lnkandsourcefiles.PatchedinMS10-04620.LNK0DayAttackRemovabledrivecontains:2tmpfiles:filenamesvariable(∑mod10=0)~WT4132.tmp–mainDLL~500KB~WT4141.tmp–loaderformaindll~25KB4.lnkfiles:MultiplelinksneededtoattackdifferentversionsofWindows(W2k,WXP,Serv2003,Vista,W7)Removabledriveonlyinfectsamaxof3hosts,andthenerasesitself.Hostonlyinfectsanewremovabledriveif:DriveisnotalreadyinfectedInfectionislessthan21daysoldDrivehasmorethan5MBoffreespaceDrivehasmorethan3filesonit.IT426-Cotter21.lnkinfectionstrategyIT426-Cotter22Howdoesitpropagateitself?

(Overview)CarriedbyflashdriveCopiestoopenfilesharesPassedthroughvulnerableprintspoolercode

(zero-dayvulnerability–MS10-061)PassedtheRPCvulnerabilityfoundinConficker

(MS-08-067)Createavulnerablescheduledtask,thenmodifythetaskandpaduntilitsCRC32matchesoriginaltask.(Willnowrununderscheduler.)CreatesrootkitforVista+Allowsuserstoloaddifferentkeyboardlayouts.Canbeloadedfromanywhere.Loadpointersandthentransfertocode.CreatesrootkitforWindowsXP.IT426-Cotter23PropagatethroughP2PUseRPCSomeofthemachinesexpectedtobenetworkisolated,butmighthaveaccesstoinfectedmachines.Searchesthroughasetof5programsthatmightbeinfected(dependingonOSversion,vulnerabilities,etc.)Eachinfectedmachinesearchesforotherinfectedmachines(withRPCservers).Queryforcurrentvirusversion.Ifserverhasolderversion,sendupdate.Ifserverhasnewerversion,downloadupdate.IT426-Cotter24P2PupdateprocessIT426-Cotter25SiemensWinccprogramVisualizationprogramtosupportdesignanddevelopmentofsupervisorycontrolanddataacquisition(SCADA)programsIncludesdatabasetostoreprojects.Databaseincludesahardcodedpassword–backdoorintothesystem.VirusmodifiesaWinCCviewtostartvirusexeeachtimeviewisaccessed.Viruswritesitselfintoanewtable,thencreatesastoredprocedurethatextractsandexecutescode,thendeletesstoredprocedureIT426-Cotter26NetworkSharesSearchesthroughalluseraccountsandallshareddrivestofindaccesstoremotemachine.Ifnonefound,willtryWindowsManagementInstrumentation(WMI)toaccesssharesanddownloadacopyofthevirus.IT426-Cotter27PrintSpooler0-dayAttackVirususesaweaknessinprintspooleronsharedmachinestopropagateanexecutablefile.File(%system%\winsta.exe)canbeloadedtoanymachinethatusesprintspooler.Onlyusedifdateisbefore6/1/2011).Expectthevulnerabilitytobefixedbythen??Vulnerabilityhadbeenpublishedin2009editionofHakin9magazine–butnotpatchedbyMicrosoft.PatchedinMS10-061IT426-Cotter28ConfickerrpcvulnerabilityPatchedasMS08-067Patchhadbeenavailable,butifmachinesnotupdated,thisvulnerabilityiseasytoexploit.Virusverifiesthatdateisbefore1/1/2030??Verifiesthatantivirusproductsaredatedbefore1/1/2009.Verifiesthatkernel32.dllandnetapi32.dlltimestampsarebefore10/12/2008.Appearstobetestingwhetherexploitislikelytobedetectedornot.IT426-Cotter29InfectionSpreadVirusrecordsinfectionhistory–cantrackancestors.5Differentorganizationstargeted(allinIran)Represents~12,000outof~100,000hostsPrimaryInfection1(version1.000)–June22,2009~360infectedhostsPrimaryInfection2(version1.100)–March1,2010~8300infectedhostsPrimaryInfection3(version1.101)April14,2010~3300infectedhostsAugust,2010–stoppedrecordinginfectedsitesfromwithinIran(linkblockedto“sinkhole”).IT426-Cotter30InfectionbycountryIT426-Cotter31FromSymantec(W32.Stuxnet)–updated2/26/2013Howisitcontrolled/updated?Communicateswithservers:SBIAUseshttptocommunicatewithCommandandControl(http-c2)Messagessenttoserverwhichimmediatelyforwardsmessagetosomeother(unknown)server.EmbedsuploadinformationoninfectionanddownloadupdatestovirusthroughInformationpassedbackinencryptedwithAESusing1ofseveralkeys.32Howisitcontrolled/updated?IT426-Cotter33Whatisthetarget?Veryselectivepropagation.Willonlyinfect3machinesfromaflashdrive(probablytolimitriskofdetection).LooksformachinesrunningSiemensStep7developmentsoftware(usedtobuildPLCcontrolprograms).VirustargetistomodifyprogramsusedtocontrolSimaticProgrammableLogicControllers(PLCs).IT426-Cotter34WhatdoesStuxnetlookfor?ThenlooksforPLClogicrunningfrequencyconverters.Specificallylookingformorethan155convertersrunningatafrequencybetween800and1200Hz.Veryfewfrequencyconvertersinindustryrunatfrequenciesabove1000.(Uraniumcentrifugesaretheexception)Iran’sNatanznuclearfacilityhas(had)160frequencyconvertersusedtoruntheircentrifuges.IT426-Cotter35UraniumEnrichment

Centrifuge36IranianCentrifuges37Step7projectfilesSiemensStep7developmentsystemusedtobuildprogramsthatrunindustrialcontrollers.Virusmodifiesexeanddllfilesinthedevelopmentenvironmenttoallowvirustodownloadfilesintoexistingprojects.Projectsareinfectedif:Projecthasbeenaccessedwithinthelast3.5yearsProjectcontainsawincprojfolderProjectisnotanexampleproject(*\step7\examples)38Step7projectfilesVirusinfects*.s7pand*.mcpfilesCreatesnew*.tmpfilesthatcontainthevirus.Viruscanverifyvirusversionandupdatetheinfection(throughRPC)ifneeded.39WhatisStep7?Testanddevelopmentenvironment(likeVisualStudio)UsedtodevelopprogramstocontrolprogrammableLogicControllersCanconnectdirectlytoPLCsto:View/modifymemoryDownloadprogramsDebugcodeOnceprogramisdownloaded,Step7candisconnectandPLCwillfunctionbyitself.40Step7ProgramstructureDataBlocks(DB)containprogram-specificdata,suchasnumbers,structures,andsoon.SystemDataBlocks(SDB)containinformationabouthowthePLCisconfigured.TheyarecreateddependingonthenumberandtypeofhardwaremodulesthatareconnectedtothePLC.OrganizationBlocks(OB)aretheentrypointofprograms.TheyareexecutedcyclicallybytheCPU.InregardstoStuxnet,twonotableOBsare:OB1isthemainentry-pointofthePLCprogram.Itisexecutedcyclically,withoutspecifictimerequirements.OB35isastandardwatchdogOrganizationBlock,executedbythesystemevery100ms.Thisfunctionmaycontainanylogicthatneedstomonitorcriticalinputinordertorespondimmediatelyorperformfunctionsinatimecriticalmanner.FunctionBlocks(FC)arestandardcodeblocks.TheycontainthecodetobeexecutedbythePLC.Generally,theOB1blockreferencesatleastoneFCblock.41Step7communications42Replacecommunicationslink!Stuxnetcopiesoriginals7otbxdx.dlltos7otbxsx.dllStuxnettheninsertsitsownversionofs7otbxdx.dllOriginallibrarycontains109differentfunctions(exports)93exportsunmodified(passedthroughtooriginallibraryRemaining16exportsmodifiedtochangecommands,hidedata,etc.

IT426-Cotter43Theinfectionprocesss7otbxdx.dllStarts2threadsusedtoinfectthelogiccontrollers(PLCs)FirstthreadchecksforcandidatePLCfilesevery15minutes.Ifitfindsacandidatefile,itinfectsitwithoneoftwosimilarbyuniqueinfectionsequences(AorB).SecondthreadmonitorsthePLCs,lookingforaspecificSystemdatablock(SDB)injectedbythefirstthread.WhenoneoftheinfectedPLCsbeginsitsattack,thissecondthreadcontactsallotherinfectedPLCstocoordinatetheattack.IT426-Cotter44TheinfectionThreadCheckPLCcodeforPLCtype.Lookingfor6ES7-315-2Iffound,checkSDBforProfibuscommunicationsprocessorCP342-5(usedtocontrolanumberofdevices,includingfrequencyconverters).Now,lookforatleast33specificfreq.convertersTypecode7050H(part#KFC750V3–frequencyconvertermadebyFararo

Paya(Iran)Typecode9500H(VaconNXfrequencyconvertermadebyVacon(Finland).Ifabovedetectedand#7050H>9500H,useSequenceAElseifabovedetected├H>#7050H,useSequenceBIT426-Cotter45CentrifugecontrolstructureIT426-Cotter46TheinfectionThreadOB1(mainentrytoPLCprogram)infectionPrependinfectiontooriginalcodeMonitorsflowofdatabetweenPLCprogramandcontrollerstation.ModifiessomeinstructionssenttoPLCReplacessomestatusdatasentfromPLCtocontroller.IT426-Cotter47Infectionstatemachine48InfectionstatemachineNormalStatesequence1-2-3-4-5-1Cyclemaybeadjustedifothercontrollersinthesethavemovedtoahigherstate.State1Monitortrafficevents(typically60/min–max186).Countevents(capat60/min)until~1.1millionobserved(~13days)Expectingabasefrequencyof1064Hz.State2Seemstobeonlyadelayof2hours.State3Sequence1–setfrequencyto1410Hz;Wait15minutesSequence2–setfrequencyto2Hz;Wait50minutesState4Setfrequencyto1064HzState5Reseteventcounterandwaitfor~2.3millionevents(~26.6days)49Wherediditcomefrom(ancestors)Stuxnet0.5Discoveredin2007(underdevelopmentin2005)PropagatedonlythroughStep7infectionsAttackstrategytoclosevalveswithinfacility,causingsignificantdamagetoequipment.Usedadifferentdevelopmentframeworkthanlaterversionsofthevirus.50Howhasitevolved?Vulnerability0.5001.0011.1001.101DescriptionCVE-2010-3888XXTaskSchedulerExploitCVE-2010-2743XXLoadKeyboardLayoutExploitCVE-2010-2729XXXPrintSpoolerRCECVE-2008-4250XXXWindowsRPCServerServiceCVE-2012-3015XXXXStep7insecureLibraryloadingCVE-2010-2772XXXWinCCdefaultPasswordCVE-2010-2568XXShortcut.lnkMS09-025XNuUserRegisterClassExWow51Whathasitbecome?DuQuTrojanDiscoveredOctober,2011Createsfileswithnamesprefixedwith“-DQ”Identifiedin6differentorganizationswithlocationsin:Europe(4countries)IranSudanIndiaVietnamTargetseemstobeinformationgathering.IncludesgeneralremoteaccesscapabilitiesGatherspasswordsTakesscreenshotsIT426-Cotter52DuQuHasuseda0-dayexploitinMSWordtoinstallDuQu,butnotclearwhatotherinstalltechniquesareused.Onlyalimitednumberofinfectionsdetected.UsesseveraltechniquesfoundinStuxnetValidcertificatetosigndriversHTTP/HTTPScommandandcontrolserversVirusremovesitselfafter36daysIT426-Cotter53whoisatrisk?StuxnetIfyouaren’tanuclearenrichmentfacilityinIran,you