BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales


Jan 01, 2016

Transcript
Page 1: BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES

BLENDED ATTACKS: EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES

By: Eric Chien and Peter Szor

Presented by: Jesus Morales

Page 2

Introduction & Overview

Security exploits + Computer viruses = very complex attacks.

Types of vulnerabilities:

- Stack buffer overflows
- Heap overflows
- Function pointers
- Input validation: URL encoding and canonicalization, MIME header parsing
- Format string attacks

Page 3

Blended Attack

What is a blended attack? Also known as a blended threat: a virus exploits a system or application security flaw to infect new systems. Its infection vector is one or more vulnerabilities.

Page 4

Let’s begin with a bit of controversy

A security issue or an anti-virus issue? Some security people think that a computer virus is not part of security, i.e. that there is no relation between computer security and computer viruses. Example: CodeRed.

The authors' answer: a mixed approach, with multi-layered security solutions.

Page 5

Buffer Overflow

What is it? A buffer overflow occurs when a program tries to store data into a buffer and the data is larger than the buffer size.

Page 6

Buffer Overflow Generations

First Generation: overwriting stack memory.

Second Generation: heaps, function pointers and off-by-one exploits.

Third Generation: format string attacks, vulnerabilities in heap structure management, and input validation.

Page 7

First Generation: Stack Buffer Overflow (Cont.)

Causes of stack-based overflow vulnerabilities: lack of verification of the amount of data written into a buffer (strcpy). Better to use strncpy or strlcpy. Careful with strncpy! If the count is too large, it is still a buffer overflow. Typical case: off-by-ones.

Page 8

Second Generation: Off-By-Ones Overflows

Cause: errors counting the size of the buffer.

Consequence: single byte overflow.

Page 9

Second Generation: Off-By-Ones Overflows (Cont.)

Example: Set the overflow byte to 0x00.

Page 10

Second Generation: Heap Overflow

A heap is dynamically allocated memory, outside the stack, so there are no return addresses to overwrite. Common misconception: the heap is safe. This is not the case: redirecting execution is potentially more difficult, but buffer overflows and exploitation are still possible.

Page 11

Second Generation: Heap Overflow (Cont.)

A program with a heap overflow

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        char *buffer = (char *) malloc(16);
        char *input = (char *) malloc(16);
        if (argc < 2) return 1;               // need one argument to copy
        strcpy(buffer, "AAAAAAAAAAAAAAA");    // 15 A's plus NUL: fits the 16 bytes
        // Use a non-bounds checked function: anything longer than 15 bytes
        // in argv[1] runs past input into the adjacent heap memory
        strcpy(input, argv[1]);
        printf("%s", buffer);
        return 0;
    }

Page 12

Second Generation: Heap Overflow (Cont.)

With a valid input size, memory looks as follows:

With input too large (a series of B's):

Page 13

Second Generation: Heap Overflow (Cont.)

Exploiting the Overflow

Page 14

Second Generation: Heap Overflow (Cont.)

No overflow:

Overflow with buffer equal to XXXXXXXXXXXXXXXX00300ECB and argv[1] set to C:\AUTOEXEC.BAT; memory appears as:

Page 15

Second Generation: Function Pointers (Cont.)

Occur mainly in callbacks. If a function pointer in memory follows a buffer, it risks being overwritten when the buffer is unchecked.

Our friend strcpy again.
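As an added example (not code from the paper or these slides), covering both the strncpy caveat from the stack-overflow slide and this slide's buffer-followed-by-function-pointer layout: the struct `handler`, `set_name_checked` and the other names are hypothetical.

```c
#include <string.h>

/* Added example, not the paper's code: a callback record whose buffer is
 * immediately followed by its function pointer, the layout the slide describes. */
typedef void (*callback_t)(void);

struct handler {
    char       name[16];
    callback_t cb;
};

void default_cb(void) { }

/* The pattern the slides warn about: strcpy stops only at the source's NUL, so
 * a name of 16 or more bytes runs into cb. Kept for contrast; nothing calls it. */
void set_name_unchecked(struct handler *h, const char *name)
{
    strcpy(h->name, name);
}

/* Bounded version. The count comes from the destination, never from the source
 * (strncpy(dst, src, strlen(src)) is the "count too large" bug), and the
 * terminator is written explicitly because strncpy adds none when the source is
 * at least count bytes long. Returns 0 if the name fit, -1 if it was truncated. */
int set_name_checked(struct handler *h, const char *name)
{
    size_t cap = sizeof h->name;
    strncpy(h->name, name, cap - 1);
    h->name[cap - 1] = '\0';
    return strlen(name) < cap ? 0 : -1;
}

/* Did the copy reach the pointer? A check for main and for callers. */
int callback_intact(const struct handler *h)
{
    return h->cb == default_cb;
}

int main(void)
{
    struct handler h = { "", default_cb };
    /* Constructed oversize input: 20 bytes for a 16-byte field. */
    int truncated = set_name_checked(&h, "ABCDEFGHIJKLMNOPQRST") == -1;
    return (truncated && callback_intact(&h)) ? 0 : 1;
}
```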

Page 16

Second Generation: Function Pointers (Cont.)

Page 17

Second Generation: Function Pointers (Cont.)

The memory looks as follows:

Afterwards (argv[1]: ABCDEFGHIJKLMNOP004013B0):

Page 18

Third Generation: Input Validation

Exploits take advantage of improperly validated input.

Problems with web servers and e-mail clients.

We'll see two types:

- URL canonicalization
- MIME header parsing

Page 19

URL Canonicalization

Canonicalization matters when a resource can be represented in more than one way.

Canonicalization is the process of converting data that has more than one possible representation into a "standard" canonical representation. (wikipedia.org)

Where is the vulnerability? A decision is based on a URL, but not all possible URL representations are taken into account.

Page 20

URL Canonicalization (Cont.)

Example: a web server allows access only to /user and its subdirectories. Validation: the server examines the URL for the string /user. The following URL:

http://domain.tld/user/../../autoexec.bat

would give access to the root.
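The slide's flawed check beside a canonicalize-then-decide version, as an added example that is not part of the paper: it takes the URL's path component on its own (host and scheme already separated), assumes percent-decoding has already been done, and `canonicalize_path`, `allowed_naive` and `allowed_canonical` are hypothetical names.

```c
#include <string.h>

/* Added example, not the paper's code: resolve "." and ".." in an absolute URL
 * path before any access decision. Writes the canonical form into canon (cap
 * bytes). Returns 0 on success, -1 if the path climbs above "/" or does not
 * fit. Assumes percent-decoding already happened: "%2e%2e" is the decoder's
 * job, and decoding must run before this step, never after it. */
int canonicalize_path(const char *path, char *canon, size_t cap)
{
    size_t len = 0;                       /* bytes of canon in use */
    if (path[0] != '/' || cap < 2) return -1;
    for (const char *p = path + 1; *p; ) {
        const char *end = strchr(p, '/');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen == 0 || (seglen == 1 && p[0] == '.')) {
            /* "//" or "/./": adds nothing */
        } else if (seglen == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0) return -1;          /* would escape the root */
            while (canon[len - 1] != '/') len--;
            len--;                            /* drop the segment's '/' too */
        } else {
            if (len + 1 + seglen >= cap) return -1;
            canon[len++] = '/';
            memcpy(canon + len, p, seglen);
            len += seglen;
        }
        p = end ? end + 1 : p + seglen;
    }
    if (len == 0) canon[len++] = '/';
    canon[len] = '\0';
    return 0;
}

/* The check from the slide: the URL merely has to contain "/user". */
int allowed_naive(const char *path)
{
    return strstr(path, "/user") != NULL;
}

/* Canonicalize first, then require /user itself or a path under /user/. */
int allowed_canonical(const char *path)
{
    char canon[256];
    if (canonicalize_path(path, canon, sizeof canon) != 0) return 0;
    return strcmp(canon, "/user") == 0 || strncmp(canon, "/user/", 6) == 0;
}
```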

Page 21

MIME Header Parsing

Internet Explorer parses a file containing MIME-encoded files by examining the header.

MIME types are associated with a particular application (e.g., audio/basic is associated with Windows Media Player).

Each MIME type has associated settings (icon, show the extension?, automatically pass the file to the application?).

Page 22

MIME Header Parsing (Cont.)

Example of a MIME header:

An audio/x-wav file is passed automatically to the application based on the content type.

When the associated application is finally determined, the file extension (.EXE) is used, and the file is passed to the OS for execution.
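The check the slide describes as missing, as an added example that is not from the paper: the declared Content-Type must not decide automatic hand-off when the attachment's name carries an executable extension. The header block is constructed in the shape the slide describes, and `may_auto_dispatch` and `has_exec_extension` are hypothetical names (the extension list is an assumption, not a complete one).

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed sample in the shape the slide describes: an audio type declared
 * for an attachment whose name ends in .exe. */
const char *SAMPLE_HEADERS =
    "MIME-Version: 1.0\r\n"
    "Content-Type: audio/x-wav; name=\"readme.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n";

/* Does name end in an extension the OS would execute? (Case-insensitive.) */
int has_exec_extension(const char *name)
{
    static const char *exts[] = { ".exe", ".com", ".bat", ".pif", ".scr", ".vbs" };
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        size_t e = strlen(exts[i]);
        if (n >= e && strncasecmp(name + n - e, exts[i], e) == 0) return 1;
    }
    return 0;
}

/* The decision the slide says IE got wrong. Returns 1 only when a Content-Type
 * header exists and its name= parameter does not look executable; the declared
 * type alone never earns automatic hand-off. Malformed or oversized input: 0. */
int may_auto_dispatch(const char *headers)
{
    for (const char *line = headers; *line; ) {
        size_t len = strcspn(line, "\r\n");         /* this header line only */
        if (len > 13 && strncasecmp(line, "Content-Type:", 13) == 0) {
            char value[256], name[128];
            if (len - 13 >= sizeof value) return 0;
            memcpy(value, line + 13, len - 13);     /* bounded copy of the value */
            value[len - 13] = '\0';
            const char *p = strstr(value, "name=");
            if (!p) return 1;                        /* no attachment name */
            p += 5;
            if (*p == '"') p++;
            size_t n = strcspn(p, "\";");
            if (n >= sizeof name) return 0;
            memcpy(name, p, n);
            name[n] = '\0';
            return has_exec_extension(name) ? 0 : 1;
        }
        line += len;
        while (*line == '\r' || *line == '\n') line++;
    }
    return 0;
}
```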

Page 23

In-the-Wild

Morris Worm: a buffer overflow attack against the fingerd program. 512-byte buffer; the function gets is used with no bounds checking.

Linux/ADM: buffer overflow technique to attack BIND servers. A malformed IQUERY with a long request body hits a return address.

CodeRed: URL canonicalization and stack overflow exploits. A GET request carries the worm in its body.

Page 24

In-the-Wild (Cont.)

Win32/Badtrans.B@mm: MIME header exploit.

Win32/Nimda.A@mm: MIME exploit.

VBS/Bubbleboy: uses an ActiveX "safe for scripting" exploit.

Win32/Bebla: MIME exploit.

Page 25

Current Security

Blended attacks are effective because most security products cannot prevent these threats.

Traditional anti-virus does not scan memory (CodeRed resides entirely in memory).

Firewalls mitigate the problem but do not solve it. Host-based IDS: it is hard to provide solutions for a wide variety of platforms within a diversified network.

Counter-attacks have ethical and legal problems.

Page 26

Solutions

Anti-virus scanners should implement memory scanning.

Use IDS to scan incoming network data and prevent threats injected through the network.

Anti-virus should also scan data arriving over the network to prevent corrupted files from entering the system.

Behavior blocking technology.

Page 27

In the Future

The solutions will be deployed into a network of products.

These products communicate with each other and correlate data.

Suspicious activity is monitored, tracked and recorded.

If the threat is confirmed it can be contained/aborted and the logs investigated.

Page 28

Thank You.

Questions?