1 of 29

Malware Lab

Cyber Lab S23 - Week 1

2 of 29

Announcements

  • Psi Beta Rho Practice: Number Theory
    • Tuesday 6-8 pm
    • Ackerman 3517
  • Cyber Academy: Intro to Reverse Engineering
    • Wednesday 6-8 pm
    • MATH SCI 5200
  • Cyber x Studio Social: Mario Kart Tournament
    • Friday 6-8 pm
    • Kerckhoff 131+133+135
  • Cyber DEFCON 31 Trip Interest Form
    • bit.ly/cyber-defcon-31-trip

3 of 29

Overview

4 of 29

Meet the Team

Benson Liu

Co-President

Sanjana Sarda

Mentor & Security Engineer @ Nuro

You

MVP

Emily Sun

Officer

Rory Hemmings

Malware Lab Project Lead

5 of 29

✨Social Engineering Time ✨

  • Introduce Yourself!
    • Name
    • Year
    • Major
    • Favorite plant (because rootkit haha)

6 of 29

Goal

  • Write a fully functional rootkit with remote access capabilities
  • Learn & practice C programming, system calls, dynamic linking, networking, virtual machines, and Linux
  • TWO Parts:
    • (1) Guided development of a rootkit with remote access capabilities and payload delivery
    • (2) Extend the malware by designing your own features (ex. command and control server, ransomware, obfuscation, etc.)

7 of 29

Logistics

  • Weekly meetings
    • Mondays 6-8 pm
    • Kerckhoff 131+133+135
  • Need Additional Help?
    • Secure OS Lab meets Thursday 7-9 pm in Boelter 4760
    • If you’re stuck during the week, feel free to show up to ask officers there for help!
    • Messaging on Discord works as well!

8 of 29

Timeline

Part 1: Developing the Core Rootkit

  • Week 3: Syscalls & Shared Libraries + VM Setup
  • Week 4: Networking & Sockets
  • Week 5: Break for Midterms

Part 2: Design Your Own Features

  • Week 6: Exploitation & Payloads + Work Session
  • Week 7: Work Session
  • Week 8: Work Session
  • Week 9: Presentation & Demo
    • Wednesday - May 31, 6-8 pm
    • MATH SCI 5200

9 of 29

Team Formation

  • Split into groups of ~3 members
    • Find an officer to be a helper for your group
  • Come up with a Team name
  • These will be your final project groups after Week 6!
  • Weeks 3 - 6: base rootkit walkthrough
  • Weeks 6 - 8: your group has freedom to implement advanced features of your choosing

10 of 29

VM Setup

11 of 29

⚠️WARNING⚠️

  • We are developing ACTUAL MALWARE!
  • Do NOT run anything we develop on your actual computer!
  • Please use a Virtual Machine (VM)

12 of 29

VM Setup Guide

13 of 29

Background

14 of 29

What is malware?

  • any piece of software meant to cause harm
  • 5.5 billion malware attacks in 2022
  • malware is classified based on intent & execution
    • ex. ransomware encrypts files for the purposes of obtaining ransom from victims
    • more about this in a future week

15 of 29

The best way to learn how to defend against malware is to learn to develop it with an adversarial mindset!

16 of 29

Malware Development

1. Reconnaissance: Identify the target and explore vulnerabilities and weaknesses within the network that can be exploited
2. Weaponization: Create the attack vector (e.g. remote access malware, ransomware, virus)
3. Delivery: Launch the attack
4. Exploitation: Malicious code is executed on the victim’s system
5. Installation: Malware is installed on the victim’s system
6. Command & Control: Attacker uses the malware to assume remote control of a device or identity within the target network
7. Actions on Objective: Attacker carries out the intended goals (e.g. data theft, destruction, etc.)

17 of 29

What is a rootkit?

  • root + kit
    • root: the program runs with admin-level (root) access to the operating system
    • kit: the set of tools that provides and maintains that unauthorized access
  • often mask their presence to avoid being detected
  • typically needs to exploit a zero-day vulnerability
  • Ex. Stuxnet
    • A worm discovered in 2010 that caused severe damage to Iran’s nuclear development program by getting root access to the PLCs managing uranium refinement centrifuges.

18 of 29

Hooking Syscalls

19 of 29

System Calls

  • Used by a computer program to send a request to the operating system (ex. interacting with hardware, files, or processes)
  • Ex: running ls calls the C library function puts(), which in turn issues the write() syscall to print to the terminal
  • Use strace to intercept and print the system calls a program makes

20 of 29

Hooking a Syscall

  • We can implement thin wrappers around system calls to intercept and control requests that reach the operating system
  • Used to trigger connections and to hide the rootkit’s presence

21 of 29

Shared Libraries

22 of 29

Shared Libraries

  • Dynamic libraries that store commonly used routines
  • Used to reduce the overall amount of code to save disk space
  • Commonly used C functions and syscall wrappers, like printf and write, are stored in a single library file and shared system-wide

23 of 29

Shared Libraries

  • /etc/ld.so.preload
    • Specify a shared library to be loaded into memory before other shared libraries
    • Applies to every program that's loaded using /lib/ld-linux.so
  • By adding a malicious library path to ld.so.preload, we can load a malicious library into memory at runtime to hijack critical system calls

24 of 29

Shared Libraries Example

  • Checking the shared libraries used by /bin/ls
    • Create a shared library called evil.so
    • Add its path to /etc/ld.so.preload
    • Check the library dependencies of /bin/ls (e.g. with ldd)
    • Notice that evil.so is loaded first, before any other library on disk
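The defensive counterpart to the preload trick above, as an added example that is not part of the slides: a POSIX shell audit that reads an ld.so.preload-style file and flags entries that do not exist, are world-writable, or live outside the system library directories. The file path is taken as an argument (an assumption, so it can be pointed at a constructed copy rather than only at /etc/ld.so.preload).

```shell
#!/bin/sh
# Added example (not from the slides): audit an /etc/ld.so.preload-style file.
# ld.so loads every library listed here before libc, so a defender wants each
# entry to (1) exist, (2) not be writable by ordinary users, and (3) live in a
# system library directory. Returns the number of findings (0 = clean).

audit_preload() {
    file="$1"
    findings=0
    if [ ! -s "$file" ]; then
        echo "OK: $file is absent or empty (the normal state on a clean host)"
        return 0
    fi
    # ld.so separates entries with whitespace or ':' and treats '#' as a comment.
    for lib in $(sed 's/#.*//' "$file" | tr ':' ' '); do
        case "$lib" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) in_sysdir=1 ;;
            *) in_sysdir=0 ;;
        esac
        if [ ! -e "$lib" ]; then
            echo "FINDING: $lib is listed but does not exist"
            findings=$((findings + 1))
        # -L follows symlinks so the permission check applies to the real file.
        elif [ -n "$(find -L "$lib" -perm -002 -print 2>/dev/null)" ]; then
            echo "FINDING: $lib is world-writable (anyone could replace it)"
            findings=$((findings + 1))
        elif [ "$in_sysdir" -eq 0 ]; then
            echo "FINDING: $lib is outside the system library directories"
            findings=$((findings + 1))
        else
            echo "OK: $lib"
        fi
    done
    return "$findings"
}

# When run directly, audit the real file (or a path given as the first argument).
audit_preload "${1:-/etc/ld.so.preload}"
```

A non-zero exit status means at least one questionable entry; on a clean host the file is usually absent, which the script reports as OK.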

25 of 29

Shared Libraries Example

26 of 29

Syscalls & Shared Libraries Example

27 of 29

Syscalls & Shared Libraries Example

28 of 29

puts Demo in Action

29 of 29

Check out our linktree:

linktr.ee/uclacyber