Published: 01 Nov 2003
In an exclusive agreement with book publisher Prentice Hall, portions of this article were adapted from Ed Skoudis's new book, Malware: Fighting Malicious Code (Prentice Hall, 2003, ISBN 0131014056), co-authored by Lenny Zeltser.
Nachi. Blaster. Sobig.F. These were some of the nastiest worms we've faced to date, but, in some ways, they were just warning shots. The attacks put the spotlight on the rising threat of "combo malware," hybrid menaces that combine several species of malicious code in one nasty package, making them tougher to fight than single-purpose breeds.
Ever since Code Red and Nimda in 2001, we've been hearing the same thing: Combo malware marks a new, potentially disastrous era in malicious code propagation. That's true, but so far we've been lucky. A major worm with a viral payload could bring large portions of the computing grid to a standstill. Millions of hard drives could be overwritten multiple times, making data reconstruction almost impossible. Denial of service could become the rule rather than the exception. The financial damage could equal that of a hurricane...or worse.
The destructiveness of previous attacks underscores our continued vulnerability. To arm you against the next wave of combo malware, we'll examine the types of malicious code that attackers can combine and offer tips on how to fight the good fight. We'll also examine, in detail, why Sobig.F was so effective.
Today's Malware-and Tomorrow's
Most people break down malware into three main categories: viruses, worms and Trojan horses. But there's a lot more to it, and to understand how to combat combo malware, you first have to understand the difference between the strains of malicious code and their propagation strategies.
Combo malware can infect several layers of a target system, including the application layer, OS executables and the kernel itself. The deeper that malware penetrates a system, the more likely the attacker will be able to disguise the breach.
Backdoors give the attacker access to a machine while bypassing normal security controls. Although normal users might have to authenticate with a password or token device, the attacker can gain direct access to a system using a backdoor.
Trojan horses impersonate legitimate or benign programs, fooling users and administrators into thinking that everything is OK.
User-mode rootkits replace normal OS components, including the programs and commands that users and administrators rely on, with malicious versions that give the attacker remote access to the machine and mask the attacker's presence with fraudulent components that appear normal.
Kernel-mode rootkits-a particularly sinister breed of malware-undermine the very heart of the operating system, the kernel itself. The kernel sits between user programs and the hardware of the machine, controlling which programs run, allocating memory, interacting with the hard drive, and so on. By poisoning the kernel, attackers can use the system to do their bidding-hiding files, processes and network activities. The bad guy creates a false view of the system that appears intact to admins and users, but the machine is really compromised at its core.
As if all that's not sufficiently threatening, future malware could go even deeper, penetrating to the very core of our systems' hardware, embedding code to bend our machines even further to the attackers' will.
BIOS-based malware could compromise the BIOS boot program included in the motherboard chipset. By altering the flash memory storing the boot program, an attacker could corrupt the BIOS, rendering the machine unbootable. We saw this kind of attack in the Chernobyl virus in 1999. Worse yet, an attacker might be able to plant a backdoor or rootkit inside the BIOS itself, infecting your system each time the machine boots.
Microcode malware could conceivably reprogram the microcode inside our CPUs. Most modern CPUs include updatable microcode, essen- tially small programs inside the CPU that tell it how to run various machine language instructions. Malware running at this level would be insidious, giving an attacker extreme stealth capabilities. To prevent this type of attack, CPU manufacturers utilize a variety of security features inside the processor, including encrypted microcode updates. With the complex, yet undocumented, microcode security features of modern CPUs, creating this type of malware would be very difficult indeed-but not impossible.
Spreading the Infection
Authors can choose from a variety of different propagation strategies to spread their malicious code.
Viruses, one of the oldest types of malware, infect files, such as executable programs and documents. When viewed or executed, these infected files self-replicate, spreading the contagion. Viruses attach themselves to a host program and typically need an agent (often carbon-based) to activate.
Worms are self-replicating malicious code that spread via networks. They plant themselves on victim systems, which they use to scan for and infect other targets. Worms are like viruses that propagate across networks without user assistance. It's like the proverbial amphibian crawling out of the muck, sprouting wings and taking flight. Of course, some malicious code is both a worm and a virus, in that it propagates across a network and infects a host file. In fact, most modern viruses include worm characteristics for propagation.
Malicious mobile code spreads via lightweight programs, typically targeting Web browsers and e-mail readers. By exploiting the network-centric properties of browser scripts, ActiveX controls and Java applets, malicious mobile code can spread quickly and easily in networked environments. A user simply visits a Web page with an unpatched Web browser configured to run scripts. The Web server shoots back some malicious code in its response, which installs malware such as a backdoor or rootkit on the browsing machine without any indication to the hapless user.
Often overlooked is the potential for direct installation. An attacker simply installs the malware on the victim machine by manually loading files in appropriate places, or by launching an automated installation script.
Crossbreeding: Combo Malware
Combo malware significantly raises the threat posed by these attacks by treating each element as a building block. The malware developer constructs an attack tool by selecting various blocks and combining them in a single piece of code, like Dr. Frankenstein stitching together his monster.
For example, attackers are increasingly spreading backdoors using worm propagation techniques. The Bugbear.b worm, which appeared earlier this year, featured several backdoors. The more recent Blaster worm and Sobig.F virus also installed backdoors.
We're seeing virus file infection capabilities bundled with backdoors, so that the backdoor self-replicates throughout a system, infecting dozens of files that reinstall the backdoor each time they are run.
The sky's the limit here. For example, a bad guy could take a backdoor, embed a kernel-mode rootkit to hide the backdoor, infect hundreds of different files on the victim machine with virus techniques, and spread the whole foul brew with a worm. Sprinkle in some malicious mobile code to hit Web browsers, and the result is an extremely virulent attack tool.
Combo-malware tools are built to exhaust our system defenses (and defenders). They are far more likely to find some hole in your defensive array than single-trick malware specimens. Per-haps you have adequately fortified your machines against some types of malware, such as viruses, but aren't quite as prepared for others, like rootkits.
To fight combo malware, you need more than your garden-variety signature-based AV engine loaded on servers and desktops. You need to think in terms of holistic defense, addressing multiple vulnerability points, hardening your overall network and preparing for the worst.
Case Study: Sobig.F
While Code Red and Nimda are the poster children of combo malware, they certainly aren't the latest-or most damaging-examples.
Last August's Sobig.F worm was one of the worst contagions ever, spreading to hundreds of thousands of machines in a few days-one of the highest infection rates of any malware we've seen. Although it caused most of its damage by sucking up bandwidth and clogging mail servers, Sobig.F included some rudimentary combo techniques, offering interesting insights and a scary glimpse of the future.
To get a feel for how Sobig.F-and worms in general-are constructed, we'll walk through the process it used to spread and describe the purpose of each component in the infection cycle.
Think of Sobig.F as a missile, complete with a warhead, guidance system, target and payload.
The Sobig.F warhead was deceptively simple. Sobig.F proliferated using a familiar, time-tested worm propagation technique-mass e-mailing. For most victims, Sobig.F arrived as e-mail, requesting that the user click on an attached file to execute the worm's code.
The subject lines of the e-mail created by the worm were selected at random from a pool of nine choices built into the worm's code, including such tempting lures as "Re: Approved," "Re: Details," "Thank you!" and "Your details." By varying the subject lines, Sobig.F's author was trying to avoid simple spam detection tools looking for many e-mail messages with identical subjects. This also helped fool victims, who might get an initial warning about one, two or even three subject headers, but likely wouldn't help them recognize nine. It's an increasingly popular e-mail malware propagation technique.
Sobig.F had another propagation trick. When installed on one victim machine, it searched for network-accessible Windows shares on other machines to copy itself to their startup folders. This component of the Sobig.F code was very buggy, and the vast majority of Sobig.F victims were infected via e-mail.
Blaster: Another combo malware menace
In August, a week before Sobig.F struck, we faced yet another example of combo malware that wrapped a backdoor inside a worm's payload.
Blaster's warhead exploited a major vulnerability in Windows systems involving a buffer overflow in Microsoft's RPC-DCOM implementation used by software components to communicate across a network.
For a propagation engine, the warhead invoked the Trivial File Transfer Program (TFTP) on the victim machine to fetch the contents of the worm from the infecting system. Blaster's target selection engine randomly generated IP addresses to scan for vulnerabilities, weighting nearby addresses more heavily to thoroughly saturate local networks before taking long-haul jumps across the Internet.
The Blaster payload included two malicious elements: a backdoor command shell listening on TCP port 4444, as well as a distributed denial-of-service (DDoS) flooding agent. The shell offered full, interactive command-line access to the victim system, without any authentication.
The DDoS zombie targeted Microsoft's own Windows Update server with a SYN flood, aimed at preventing users from downloading the patch. Fortunately, Microsoft had other Internet-accessible servers besides www.windowsupdate.com.
Not to be outdone, Blaster was followed a week later by Nachi/Welchia, which affected systems using the same RPC-DCOM flaw, as well as the older WebDAV exploit.
-- Ed Skoudis
The worm's e-mail attachment ended with a .pif or .scr suffix, which can contain executable programs on Windows. We're not fighting just .exe files any more. More than a dozen different file types can hold executable code or scripts on Windows machines, and Sobig.F took advantage of a couple of alternatives.
To improve its chances of evading detection and filtering, Sobig.F varied the names of the attachment, choosing from nine possibilities. By varying the file name, as well as the subject line, the worm's author employed some very rudimentary polymorphic techniques, slightly modifying the worm's appearance.
Sobig.F also included its own SMTP engine, so it didn't have to rely on an infected host's mail client to propagate. Built-in propagation functionality that doesn't rely on preinstalled software is another increasingly popular malware strategy.
The target selection algorithm chose new victims by scouring the infected machine, looking for e-mail addresses stored in files with the suffixes .dbx, .eml, .hlp, .htm, .html, .mht, .wab and .txt.
The propagation engine would continue to spread Sobig.F by sending out attachments from the pilfered addresses, and, in an interesting twist, spoofed the "From:" addresses. In this way, the worm "framed" innocent bystanders, making it appear as though they were infected and spreading the worm. It's likely that this e-mail spoofing maneuver, plus the reasonable-sounding subject lines, were what caused this worm to trick so many users and infect such a large number of machines.
The strategy also defeated many mail-filtering AV tools. Upon receiving a Sobig.F infected message, they'd send a polite yet annoying e-mail response informing the spoofed sender that his or her system was infected. My network received thousands of such bounced messages, and I'm certain I didn't have Sobig.F on my systems. This bounce message amplified the avalanche of bogus e-mails Sobig.F generated.
Showing its combo-malware stripes, the Sobig.F payload included a very simple backdoor. At a predetermined time, the worm dribbled a UDP packet on the network to one of 20 hijacked machines around the world. These machines would respond with a URL. The worm would then connect to this URL, download any file placed there by the attacker and execute the file. With this functionality, the attacker could have made the infected systems grab a new, even more virulent version of the worm, install a fully interactive backdoor, steal files from the victim machines, or even wipe their hard drives.
Authorities raced to deactivate these machines before the worm called home for instructions. As it turns out, most of these systems belonged to home users who didn't even realize the attacker had commandeered their computers and used them to communicate with a worm. Curiously, the author of the worm had included a built-in lifetime-until Sept. 10-perhaps to clear the way for a later variant.
Combo malware: Six ways to thwart it by Ed Skoudis
"Now, That's New"
The bottom line: We got lucky with Sobig.F. The worm could have used the embedded backdoor to unleash even worse malware, stealing information or destroying machines. Or, instead of tricking users into running an e-mail attachment, future malware could employ a zero-day exploit to conquer targets with a previously undetected vulnerability. Sobig.F was yet another wake-up call. Will we heed this one?
Malware developers are often looking to innovate, pushing the envelope for intellectual satisfaction, cheap thrills at their victim's expense or notoriety. In a recent IRC discussion, one malware developer wrote, "Worms? Been there, done that. But a kernel-mode rootkit spread via a worm? Now, that's new."
Although we haven't seen that particular combo in the wild, it's just a matter of time before one is unleashed. They're talking about this, folks. We'd better get ready.
ED SKOUDIS, CISSP, is a security consultant with International Network Services and author of the newly released book, Malware: Fighting Malicious Code (Prentice Hall).