Download Viruses - University of Windsor

“Unix. The world's first computer virus.”
title of Chapter 1 of
‘The Unix Haters Handbook’,
written by serious computer scientists ISBN: 1-56884-203-1
1
Classification of Threats
Threats may exploit weaknesses in
1. operating systems (W32, W95, Linux, etc.),
2. the applications they infect (W97M, WordPro, X97M, etc.),
3. languages (HTML; scripting languages like VBS, JS; etc.).
Delivery of malicious code to a user's machine:
1. the most popular early method was passing viruses by floppy disk;
2. Internet-borne worms, which require no human intervention once started.
2
Malware, security tools and toolkits:
• Malware: any piece of malicious software.
• Security tools and toolkits:
• designed to be used by security professionals to protect their systems, networks and web-sites;
• may also be used by unauthorized individuals to probe for weaknesses.
The purpose, not the technique, makes a program malicious.
• Many of the programs that may be called malware also have benevolent uses.
3
Benevolent Uses:
• Worms can be used to distribute computation on idle processors.
• Trap doors / back doors are useful for debugging programs.
A trapdoor: code that recognizes some special (unlikely) sequence of inputs, or is triggered by being run from a special ID.
Some programs require special privileges and authentication to access them. Or they may require a long setup (providing many initial values of variables) and authentication.
…continued on the next slide
4
Benevolent Uses of Trap doors and Viruses:
• While debugging, one may want to be able to open the program without going through these procedures.
• A trapdoor allows one to activate the program even if something is wrong with the authentication procedure.
• Viruses can be written to update source code and patch bugs.
5
A Normal Utility: Rootkit ….1
ROOTKIT: uses two words, "root" and "kit".
• Root: refers to the "Administrator" account on Unix and Linux systems;
• kit: a set of programs or utilities that allow someone to maintain root-level access to a computer.
Additionally, the presence of the rootkit should be undetectable.
NORMAL USES of Rootkits (known to exist since 1989 or earlier): for allowing maintenance of command and control over a computer system, without the computer system's user knowing about it. This requires the capability
• of executing files and changing system configurations on the target machine,
• of accessing log files or monitoring activity on the user's computer usage.
6
A Normal Utility: Rootkit ….2
Legitimate users of rootkits: Administrators of large networked systems, law enforcement agents, or parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' / children's computer systems.
Rootkit products: Spectorsoft's two products, eBlaster and Spector Pro, allow for such monitoring.
LARGE SCALE ABNORMAL USE: In Dec 2004, hackers started using rootkits against Windows systems.
Reference for slides 6 and 7: Tom Bradley, “What Is A Rootkit?”, http://netsecurity.about.com/od/frequentlyaskedquestions/f/faq_rootkit.htm, as of 2nd December 2007
7
Rootkit: A Hacker's Tool
• A rootkit: a collection of tools (programs) that enable administrator-level access to a computer or computer network.
• Typically, a hacker first obtains user-level access, either by exploiting a known vulnerability or by cracking a password. Then he installs the rootkit.
• A rootkit has tools for:
• logging keystrokes,
• monitoring packets on the network to gain information,
………continued
8
Tools in a Rootkit
• collecting usernames and passwords,
• obtaining multiple methods of backdoor entry, using different ports and protocols,
• gaining root or privileged access to the computer and other machines on the network – thus if the first intrusion is detected, the hacker has other methods of intrusion into the machine and the network,
• altering system log files and administrative tools to prevent detection,
• hiding the files and processes that the intruder may place on the system, and hiding port and protocol connections.
………continued
9
Tentacles of a Rootkit
• using the machine to launch attacks on other machines.
CLEANING A MACHINE with a Rootkit: difficult, since the extent of infiltration of the machine and the network may not be known.
References: 1. Tom Bradley, “Rootkits”, http://netsecurity.about.com/od/secureyourwindowspc/a/rootkits.htm, as of 2nd December 2007
2. “What is a rootkit?” – a definition from Whatis.com, http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci547279,00.html, as of 2nd December 2007
10
Classification of Malicious programs:
First Method
Malicious programs
• Need host programs: Trap doors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombies, Worms, Bacteria
A Logic Bomb or a Trojan Horse may be part of a Virus or Worm.
11
Classification of malicious programs:
• Programs that do not replicate: consist of fragments of programs that are activated
• when the host program is invoked, or
• when a specific function in the host program is performed.
• Programs that replicate: consist of
• a program fragment (example: viruses), or
• an independent program (example: worm or bacterium)
that, when executed, may produce one or more copies of itself on the same system or some other system.
12
Classification of Malicious Program:
The Second Method
Malicious Programs
• Those that won't replicate: Trap Doors, Logic Bombs, Trojan Horses
• Those that replicate themselves: Viruses, Zombies, Worms, Bacteria
*Ref: Fig 19.1 p. 599, Stallings [2003]
13
Malicious Software
Malicious software runs under the user's authority (without his knowledge and permission); hence it can do all that the user himself can do.
TYPES:
• Back doors / trap doors: allow unauthorized access to your system.
• Logic bombs: programmed threats that lie dormant for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained.
14
Triggers for Logic Bombs:
• Logic bombs: usually embedded in programs by software developers who have legitimate access to the system.
Triggers for Logic Bombs:
• presence or absence of certain files,
• a particular day of the week or date,
• a particular user running the application.
15
Trojan horses:
• Trojan horses: programs that appear to have
one function but actually perform another
function.
• Modern-day Trojan horses resemble a program that the user wishes to run – a game, a spreadsheet, or an editor.
• While the program appears to be doing what
the user wants, it is also doing something
else unrelated to its advertised purpose, and
without the user’s knowledge.
16
Examples of Trojan horse attacks:
1. A compiler was modified to insert additional code into certain programs as they are compiled. The code creates a trapdoor in the login program that permits the author to log on to the system using a special word. This is difficult to discover by reading the source code of the program.
Ref: THOM 84, from Stallings [2003]
17
Examples of Trojan horse attacks (continued)
2. Attach a (secret) program to the regular program for listing the user's files in a particular format. The attached program may change the file permissions to make them readable by any user. After the program is executed, anyone can read the files.
18
Viruses:
• Viruses: “programs” that modify other programs on a computer, inserting copies of themselves.
Viruses:
* are not distinct programs;
* need to have some host program (of which they are a part) executed to activate them;
* execute secretly, when the host program is run.
A typical virus takes control of the operating system. Whenever it comes in contact with any uninfected piece of software, a fresh copy of the virus is attached to the new program.
Reference: A malicious program was called a virus by Cohen. Cohen F., ‘Computer Viruses’, Computer Security: A Global Challenge, Elsevier Press, 1984, pp. 143-158
19
Worms:
• Worms: programs that propagate from computer to
computer on a network, without necessarily
modifying other programs on the target machines.
• Worms
• can run independently;
• travel from machine to machine across network connections;
• may have portions of themselves running on many different
machines.
• Worms do not change other programs, although they
may carry other code that does (for example, a true
virus or a Trojan horse may be implanted by a
worm).
20
Worms (continued)
• To replicate itself, a worm uses some network vehicle. Examples:
1. Electronic mail: a worm may mail a copy of itself to another system.
2. Remote execution capability: a worm may execute a copy of itself on another system.
3. Remote log-in capability: a worm logs on to another system as a user and then uses commands to copy itself to the remote system.
A worm may determine whether a host has already been infected before copying itself.
21
Worms (continued)
• In a multiprogramming system, a worm may hide itself by naming itself as a system process.
• It may examine the routing tables to locate the addresses of remote machines to which it may connect, without giving any information to the owner of the local host.
Examples of Worms:
Morris 1988 for Unix systems; Code Red, Code Red II, NIMDA, W32/Netsky.P.worm, MyDoom.A, Sober.I worm, Sobig.E worm, Bagle.BC worm
22
A Rootkit: Not a Virus or a Worm
• A rootkit modifies the flow of the operating system or changes the data set which the operating system uses.
• A virus is designed to damage a system. A worm scans for vulnerabilities and spreads to other computers on the network. But a rootkit may stay hidden and maintain its functionality, without damaging a system, for a long time.
• A rootkit may be classified as a Trojan.
23
Phases of a virus and a worm:
• A worm as well as a virus have the following phases:
1. Dormant phase: this phase lasts till the worm/virus is activated
• on some date, or
• by the presence of some file or program, or
• by some action, like the data on disk exceeding a certain limit.
Some viruses may not have this stage.
24
Phases of a virus and a worm (continued)
2. Propagation phase: both a worm and a virus check whether the file/system is already infected. If not, they do the job.
3. Triggering phase: may be caused by some system event.
4. Execution phase: performs a function
• Benign function: like showing a message on screen.
• Non-benign: to damage/destroy certain files.
Viruses are designed to take advantage of the weaknesses of the OS and/or a hardware platform.
25
Spreading Malware via the Internet
Trojan Horse vs Virus:
• Whereas a Trojan horse is delivered pre-built, a virus infects.
Propagation of viruses: OLD DAYS: through tapes and disks, so the spread of a virus around the world took many months.
TODAY: Trojan horses and viruses are network deliverable as
* e-mail, * Java applets, * ActiveX controls, * JavaScripted pages, * CGI-BIN scripts, or as * self-extracting packages.
DELIVERED: as a part of a game or a useful utility, copied from some electronic bulletin board.
26
Mobile program Systems
Examples: JavaScript and ActiveX.
• They became popular with Web servers and browsers, but are now integrated with mail systems (e.g. Java into Lotus Notes, and ActiveX into Outlook).
• There are security bugs in both Java and ActiveX.
• A mobile program may act as the carrier of a virus.
• Any mechanism for sharing of files – of programs, data, documents or images – can transfer a virus.
27
Structure of Viruses:
In the infected binary, at a known byte location in the file, a virus inserts a signature byte, used to determine if a potential carrier program has been previously infected.
• On invoking an infected program, it first transfers control to the virus part.
• The virus part infects uninfected executable files.
• Secondly, it may damage the system in some way. Or, like a logic bomb, the damaging action may take place in response to some trigger.
• Finally, it transfers control to the original program.
Usually the first two steps take so little time that one may fail to notice any difference.
28
Normal .COM vs. Infected .COM
29
Structure of a virus program:
V()
{
    infectExecutable();
    if (triggered()) {
        doDamage();
    }
    jump to main of infected program;
}
…………….
30
Structure of a virus program (continued):
void infectExecutable()
{
    file = choose an uninfected executable file;
    prepend V to file;
}
void doDamage() {
    …….
}
int triggered() {
    return (some test ? 1 : 0);
}
31
Types of Viruses:
1. Parasitic virus: it attaches itself to executable files and replicates, when the infected program is executed, by finding other files to infect.
2. Memory-resident virus: stays in main memory as a part of a system program. Then it infects every program that executes. (Like Terminate and Stay Resident – TSR – programs.)
32
Types of viruses (continued)
3. Boot sector virus: it infects a boot record and spreads when a system is booted from the disk containing the virus. The boot sector contains crucial files, hence it is made invisible by the OS, so boot-sector virus files will not show up in a normal listing of files.
4. Polymorphic virus: creates copies that are functionally equivalent but have distinctly different bit patterns. Thus the signature of each copy will vary and a virus scanner will find it difficult to locate it.
33
Methods used by Polymorphic Viruses for variation in signature
• Random insertion of superfluous instructions.
• Interchanging the order of independent instructions.
• Use of encryption: the virus has a mutation engine which generates a random key and then the engine is altered; the key is stored with the rest of the virus, which is encrypted. When this virus infects another host, the altered mutation engine generates a different key. Thus every host would carry a different signature for the virus.
34

The Stealth Virus
There are two other types: the stealth virus and the macro virus.
A stealth virus has code in it that
• seeks to conceal itself from discovery, or
• defends itself against attempts to analyze or remove it.
The stealth virus adds itself to a file or boot sector but, when you examine it, it appears normal and unchanged.
35
Methods used by Stealth Virus
• The stealth virus performs this trickery by staying in memory after it is executed. From there, it monitors and intercepts your system calls.
• When the system seeks to open an infected file, the stealth virus displays the uninfected version, thus hiding itself.
The four types of viruses discussed in slides 32 and 33 make an infected file longer than it was, making it easy to spot.
There are many techniques to leave the file length and even a checksum unchanged and yet infect.
36
Stealth technique: Keeping the file length unchanged
• For example, many executable files contain long sequences of zero bytes, which can be replaced by the virus and regenerated.
• It is also possible to compress the original executable code, like the typical Zip programs do, uncompress it before execution, and pad with bytes so that the checksum comes out to be what it was.
37
Macros:
• Macro languages are (often) equal in power to ordinary programming languages such as C.
• A program written in a macro language is interpreted by the application.
• Macro languages are conceptually no different from so-called scripting languages.
• Microsoft applications use Visual Basic script as their macro language.
• GNU Emacs (Reference: http://www.gnu.org/software/emacs/) uses a dialect of Lisp.
• The typical use of a macro in applications such as MS Word is to extend the features of the application.
38
Macros (continued)
• Can be used to define a sequence of key-strokes in a macro and to set it up so that when a function key is input, the whole sequence is invoked.
• Some of these macros, known as auto-execute macros, are executed in response to some events, such as
• closing a file,
• opening a file,
• starting an application,
• invoking a command such as ‘FileSave’, or
• pressing a certain key.
39
Auto-executing Macros in WORD
Three types of auto-executing macros:
1. Start-up auto-execute: executed when WORD is started.
2. Automacro: executes on some event like opening/closing a document, creating a new document, or quitting WORD.
3. Command: executes when a WORD command (like FileSave) is executed.
MS has developed a Macro Virus Protection Tool. It detects suspicious files and alerts the user to the risk of opening them.
40
Macro Viruses
• Macro viruses form a large majority of the total number of viruses today.
• A macro virus is a piece of self-replicating code inserted into an auto-execute macro.
• Once a macro is running, the virus copies itself to other documents.
• Another type of hazardous macro is one named for an existing command of an application.
41
Macro Viruses (continued)
• Example: if a macro named FileSave exists in the “normal.dot” template of MS Word, that macro is executed whenever you choose the Save command on the File menu.
• Unfortunately, there is often no way to disable such features.
• Such macro viruses may be carried in the command part of a text file, a database, a slide presentation or a spreadsheet. The user sees only the data part, and not the command part, so he would not be able to see the malicious code.
Ref: For the Loveletter virus for OUTLOOK (May 2000): http://all.net/journal/cohen0504-2.htm
42
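A defender's way to look at the "command part" of a document before trusting it is to list the macro names and flag the ones Word runs without being asked: the auto-execute names from slide 40 and any macro that shadows a built-in command, as in the FileSave example above. This is an added example, not code from the slides; the VBA-style sample source is constructed, and the list of shadowable command names is an assumption for the example.

```python
import re

# Constructed VBA-style macro source, standing in for the "command part" of a
# Word document.  Only the third procedure is an ordinary user macro.
SAMPLE_MACROS = """\
Sub FileSave()
    ' shadows Word's built-in Save command: runs on every File > Save
    Call Payload
End Sub

Sub AutoOpen()
    ' automacro: runs whenever the document is opened
    Call Payload
End Sub

Private Sub FormatReport()
    ' ordinary macro; its name triggers nothing by itself
End Sub
"""

# Word's auto-executing macro names (slide 40: start-up auto-execute and the
# automacros tied to open/close/new/quit events).  VBA names are
# case-insensitive, so everything is compared in lower case.
AUTO_EXEC_NAMES = {n.lower() for n in
                   ("AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit")}

# Built-in Word commands that a macro can hijack just by sharing the name
# (slide 42's FileSave).  Assumed list for this example, not an exhaustive one.
COMMAND_NAMES = {n.lower() for n in
                 ("FileSave", "FileSaveAs", "FileOpen", "FileNew", "FilePrint", "ToolsMacro")}

# Matches the header line of a Sub/Function and captures its name.
PROC_HEADER = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def macro_names(source: str) -> list:
    """Names of all procedures defined in the macro source, in order."""
    return PROC_HEADER.findall(source)


def classify(name: str):
    """Why a macro name is risky: it runs on an event, or it hijacks a command."""
    key = name.lower()
    if key in AUTO_EXEC_NAMES:
        return "auto-execute"
    if key in COMMAND_NAMES:
        return "command override"
    return None


def suspicious_macros(source: str) -> list:
    """(name, reason) for every procedure Word would run without the user
    explicitly choosing it from the macro list."""
    return [(n, classify(n)) for n in macro_names(source) if classify(n)]


if __name__ == "__main__":
    for name, reason in suspicious_macros(SAMPLE_MACROS):
        print(f"{name}: {reason}")
```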
Spread of Macro Viruses
Macro viruses spread fast because
• Macro viruses may be platform independent, in that any hardware/software platform that supports the particular application can be infected.
• Macro viruses affect documents and not executable portions of code.
• They spread easily – by e-mail.
Ex: A virus called Melissa used a macro embedded in a WORD document attached to an e-mail. …………
43
Melissa
On opening the WORD attachment of the e-mail,
• it damages the local machine, and
• it sends itself to all the addresses in the e-mail address book.
In 1999, new e-mail viruses appeared. These were able to infect as soon as one opened the carrier e-mail, not by opening an attachment.
44
Unix/Linux Viruses:
• The most famous of the security incidents in the last decade was the Internet Worm incident, which began from a Unix system.
• Several Linux viruses have been discovered.
• The Staog virus first appeared in 1996 and was written in assembly language by the VLAD virus writing group, the same group responsible for creating the first Windows 95 virus, called Boza.
• Like the Boza virus, the Staog virus is a proof-of-concept virus to demonstrate the potential of Linux virus writing without actually causing any real damage.
45
Unix/Linux Viruses (continued)
• The second known Linux virus is called the Bliss virus.
• Unlike the Staog virus, the Bliss virus can not only spread in the wild, but also possesses a potentially dangerous payload that could wipe out data.
46
Zombie
Zombie: a program that takes over a computer, without any authorization and without informing the owner of the system. The program originates from some other host. It then uses the computer that has been taken over for attacking a victim.
Objectives:
• to hide the originator of the attack;
• to attack the victim through a large number of zombie computers (as in a DDoS attack).
47
Bacteria or rabbit
• Bacteria, or rabbit program, replicates
without bound to overwhelm a computer
system’s resources.
• Bacteria do not explicitly damage any files.
Their sole purpose is to replicate themselves.
• A typical bacteria program may do nothing
more than execute two copies of itself
simultaneously on multiprogramming
systems, or perhaps create two new files,
each of which is a copy of the original source
file of the bacteria program.
48
Bacteria continued:
• Both of those programs then may copy
themselves twice, and so on. Bacteria
reproduce exponentially, eventually taking up
all the processor capacity, memory, or disk
space, denying the user access to those
resources.
49
Dropper:
• A dropper: a program that is not a virus, nor
is it infected with a virus, but when the
program is run, it installs a virus into memory,
on to the disk, or into a file.
• Droppers have been written sometimes as a
convenient carrier for a virus, and sometimes
as an act of sabotage.
• Some anti-virus programs try to detect
droppers.
50
Virus Detection:
“Virus” is used in the following slides (on detection and removal of viruses) to stand for all types of malicious programs.
• Virus detection programs analyze a suspect program for the presence of known viruses.
• Fred Cohen has proven mathematically that perfect detection of unknown viruses is impossible: no program can look at another program and say either “a virus is present” or “no virus is present”, and always be correct.
51
Virus Detection (continued):
• Most new viruses are sufficiently like old viruses that scanning for old viruses may find the new ones.
• There are a large number of heuristic tricks that anti-virus programs use to detect new viruses, based either on how they look or on what they do.
• Since brand-new viruses are comparatively rare, these methods may suffice.
• After detection of a virus, its identification and removal is required.
52
‘generations’ of virus scanners
• The first generation of virus scanners:
• obtain a virus signature, a bit pattern, to detect a known virus;
• record and check the length of all executables.
• The second generation of virus scanners:
• scan executables with heuristic rules, looking for fragments of code associated with a typical virus;
• do integrity checking by calculating a checksum of a program and storing the encrypted checksum somewhere else.
OR: a better method is storing a hash function value rather than a checksum. The encryption key is stored at a separate place.
53
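The first- and second-generation checks above, combined in one small integrity checker: a known marker at a known byte offset (the "signature byte" of slide 28), the recorded length of each executable, and a keyed hash (HMAC-SHA256, playing the role of the encrypted hash whose key is kept elsewhere). This is an added example, not code from the slides; the sample "executables", the marker bytes, the offset and the key are all constructed, and the two tampered copies are built in memory only to show what each check catches, including the same-length stealth case of slide 37.

```python
import hmac
import hashlib

# Constructed stand-in for an executable (name -> contents).  A real checker
# reads the binaries from disk; this byte string stays in memory so the
# example runs offline.
CLEAN_LISTER = b"\x4d\x5a" + b"\x00" * 30 + b"list files in a particular format"

# Constructed marker: the "signature byte(s)" a virus stamps at a known offset
# so it can recognise a carrier it already infected (slide 28).  Offset 4 and
# the bytes 0x34 0x12 are assumptions for this example, not a real virus.
MARKER_OFFSET = 4
MARKER = b"\x34\x12"


def has_marker(data: bytes, marker: bytes = MARKER, offset: int = MARKER_OFFSET) -> bool:
    """First-generation check: known bit pattern at a known byte location."""
    return data[offset:offset + len(marker)] == marker


def keyed_digest(data: bytes, key: bytes) -> str:
    """Second-generation integrity check.  A keyed hash rather than a plain
    checksum: without the key (stored away from the checked machine) a
    modified program cannot be given a matching digest."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Record length and keyed digest of every executable on a clean system."""
    return {name: (len(data), keyed_digest(data, key)) for name, data in files.items()}


def verify(files: dict, baseline: dict, key: bytes) -> list:
    """Return (name, reason) findings for every executable that fails a check."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "not in baseline"))
            continue
        length, digest = baseline[name]
        if len(data) != length:
            findings.append((name, "length changed"))
        if not hmac.compare_digest(digest, keyed_digest(data, key)):
            findings.append((name, "contents changed"))
        if has_marker(data):
            findings.append((name, "known virus marker present"))
    return findings


def demo() -> dict:
    """Baseline a clean program, then check two constructed tampered copies."""
    key = b"constructed-key-kept-elsewhere"
    baseline = build_baseline({"lister": CLEAN_LISTER}, key)

    # Parasitic-style change (slide 32): marker at the known offset and extra
    # bytes appended, so the file grows and every check fires.
    parasitic = (CLEAN_LISTER[:MARKER_OFFSET] + MARKER
                 + CLEAN_LISTER[MARKER_OFFSET + len(MARKER):] + b"<appended bytes>")

    # Stealth-style change (slide 37): a run of zero bytes overwritten in
    # place, so the length check passes and only the keyed digest catches it.
    stealth = CLEAN_LISTER[:10] + b"\x90" * 4 + CLEAN_LISTER[14:]

    return {
        "clean": verify({"lister": CLEAN_LISTER}, baseline, key),
        "parasitic": verify({"lister": parasitic}, baseline, key),
        "stealth": verify({"lister": stealth}, baseline, key),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or "ok")
```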
‘generations’ of virus scanners (continued)
• The third generation of virus scanners: use a memory-resident program to monitor the execution behavior of programs, to identify a virus by the types of action that the virus takes.
• The fourth generation of virus scanners: combine all the previous approaches and include access control capabilities, so that system penetration and access to files may be denied.
54
Advanced Anti virus Techniques
1) Generic Decryption (GD) Technology
It uses the following components:
a) CPU emulator: consisting of a virtual computer with software versions of all registers and other processor hardware.
b) Virus signature scanner
c) Emulator control module
Virus elements are usually activated immediately after a program starts execution.
GD begins execution of an executable file in the CPU emulator. As each instruction is executed, the signature scanner tries to expose the virus.
55
Advanced Anti virus Techniques:
Generic Decryption (GD) Technology
• A polymorphic virus would decrypt itself and be recognized by the signature scanner.
• This process does not affect the computer, since the CPU emulator provides a safe and controlled environment.
Difficulties:
• How many instructions may be interpreted through the emulator? This is a design issue.
• The user would complain if the GD scanner uses a great deal of computer resources and these are not available to the user.
56
Advanced Anti virus Techniques:
IBM's Digital Immune System
2) IBM's Digital Immune System (DIS):
• Since viruses spread through e-mail, the Internet and mobile code, IBM has developed the system for fast response.
• When a new virus enters the system of an organization, DIS captures it, analyzes it, adds detection and shielding for it, removes it and informs other systems running IBM anti-virus about it.
57
Components of DIS
1) Monitoring Program - on each PC - uses heuristics based on
• system behaviour,
• changes to programs,
• virus signatures
to monitor for the presence of a virus in a program. Such an infected program is sent to an Administrative Machine in the organization.
58
Components of DIS continued
2) Administrative Machines: one machine located at each site.
• It encrypts the suspect program received from any PC.
• It sends the encrypted suspect program to the Central Virus Analysis machine.
3) Central Virus Analysis machine:
• It provides a safe environment for running the suspect program (like the CPU emulator and Emulation Control module of the GD scanner).
59
Components of DIS continued
3) Central Virus Analysis machine: continued..
• It generates a prescription for identifying and removing the virus.
• The prescription is sent to all the clients in the world through their Administrative Machines.
60
Advanced Anti virus Techniques:
Behavior Blocking Software
3) Behavior Blocking Software: monitors and blocks malicious actions like
• attempts to open, view, delete or modify files,
• attempts to format a disk or other non-recoverable disk operations,
• modifying the logic of executable files or macros,
• modification of critical settings like start-up settings,
• initiation of network communication,
• sending executable content through e-mail or instant messaging.
61
Behavior Blocking Software continued
• Irrespective of the complexity of a virus, this real-time blocking of malicious requests can keep the system safe.
• However, even a behavior which may look normal may be problematic; thus shuffling of files may make them unusable. So if shuffling of files is not blocked, a virus may still succeed in making the system unusable.
But can we / should we block shuffling of files?
62
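A small behavior blocker over a constructed event stream, as an added example (not code from the slides): the rules from slide 61 that can be applied outright, plus one answer to the shuffling question above, a rate rule that lets a process rename a few files but blocks it once it renames more than a threshold within a short window. The event format, process names, registry path and the threshold are all assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed event stream standing in for what a resident monitor hooks at
# run time: (time in seconds, process, action, target).
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "open_file", "report.doc"),
    (0.5, "winword.exe", "write_file", r"C:\Windows\notepad.exe"),
    (1.0, "setup.exe", "registry_write",
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (1.5, "outlook.exe", "send_message", "game.exe"),
    (2.0, "svc.exe", "net_connect", "host-b:445"),
    (3.0, "shuffle.exe", "rename_file", "a.txt"),
    (3.1, "shuffle.exe", "rename_file", "b.txt"),
    (3.2, "shuffle.exe", "rename_file", "c.txt"),
    (3.3, "shuffle.exe", "rename_file", "d.txt"),
    (3.4, "shuffle.exe", "rename_file", "e.txt"),
    (3.5, "shuffle.exe", "rename_file", "f.txt"),
    (3.6, "shuffle.exe", "rename_file", "g.txt"),
    (10.0, "explorer.exe", "rename_file", "notes.txt"),
]

EXECUTABLE_EXT = (".exe", ".dll", ".com", ".sys")
STARTUP_KEYS = ("\\run\\", "\\runonce\\")   # start-up settings in the registry


def fixed_rule(action: str, target: str):
    """Actions from slide 61 that are blocked outright; None if allowed."""
    low = target.lower()
    if action in ("write_file", "delete_file") and low.endswith(EXECUTABLE_EXT):
        return "modifying executable"
    if action == "format_disk":
        return "non-recoverable disk operation"
    # A trailing separator is added so a key path with no value name matches too.
    if action == "registry_write" and any(k in low + "\\" for k in STARTUP_KEYS):
        return "changing start-up settings"
    if action == "send_message" and low.endswith(EXECUTABLE_EXT):
        return "executable content via e-mail/IM"
    if action == "net_connect":
        return "initiating network communication"
    return None


class BehaviorBlocker:
    """Fixed rules plus a rate rule for file shuffling.

    A single rename looks normal, so renames are only blocked once one
    process has done more than `rename_limit` of them within `window`
    seconds (threshold chosen for the example)."""

    def __init__(self, rename_limit: int = 5, window: float = 2.0):
        self.rename_limit = rename_limit
        self.window = window
        self.recent_renames = defaultdict(deque)   # process -> timestamps

    def check(self, event):
        """Return the rule name if the event should be blocked, else None."""
        t, proc, action, target = event
        rule = fixed_rule(action, target)
        if rule:
            return rule
        if action == "rename_file":
            times = self.recent_renames[proc]
            times.append(t)
            while times and t - times[0] > self.window:   # drop old renames
                times.popleft()
            if len(times) > self.rename_limit:
                return "mass file shuffling"
        return None

    def run(self, events) -> list:
        """(event, rule) for every blocked event, in stream order."""
        blocked = []
        for event in events:
            rule = self.check(event)
            if rule:
                blocked.append((event, rule))
        return blocked


if __name__ == "__main__":
    for (t, proc, action, target), rule in BehaviorBlocker().run(SAMPLE_EVENTS):
        print(f"t={t:4.1f} {proc:12} {action:15} {target!r}: blocked ({rule})")
```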
Prevention, Detection & Removal of Viruses
• Use software acquired from reliable vendors only.
• Test all new software on isolated computers
• with no hard disk, and
• not connected to a network, and
• with the boot disk removed.
• Check for any unexpected behavior.
• Scan with an up-to-date virus scanner, which should have been installed before running the new software.
63
Prevention, Detection & Removal of Viruses continued
• Open an attachment only if it is safe.
• When the system is known to be virus free, prepare a recoverable system image and store it safely on a write-protected medium.
• Prepare and store safely back-up copies of executable system files.
• Use virus scanners and update them regularly.
64
Prevention, Detection & Removal of Viruses continued
• Removal of a virus: possible only if it is detected and eliminated faster than it spreads.
• A resident virus may disable the system calls used for deleting it.
• A virus may be hidden in a variety of files, even in normally hidden system files.
65
Examples of Viruses
up to slide 83
66
Example of Viruses:
• Brain: it locates itself in the upper part of memory.
• Traps interrupt 19 (used in PCs for disk-read) by resetting the interrupt address table to point to itself.
• Uses interrupt 6 (unused in PCs) to point to the ‘former address’ of interrupt 19.
• Thus it receives all disk read calls and shows only the original uninfected boot sector to a user (thus hiding itself).
67
Example of Viruses: Brain
It uses the boot sector and 6 other sectors on the disk.
The Brain virus splits itself into 3 parts. The first part is in the boot sector. The other 2 parts are in two other sectors of the disk. The 3rd sector of the disk contains the original boot sector code.
Another copy of the virus is stored in the remaining 3 sectors on the disk.
68
Example of Viruses: Brain continued
• The virus marks the six disk sectors as faulty, so that the OS may not use them.
• Signature: in the 5th and 6th bytes of the file, it stores 1234 (HEX).
• Action: with every disk read, it examines the file for its signature. If it is not there, it infects the file.
• Name: it changes the label of any disk it attacks to the word BRAIN.
69
Morris Worm
Released on the Internet in the evening of Nov 2, 1988 by Robert T. Morris Jr., a grad student at Cornell.
In 1990 he was sentenced to a fine of $10,000, a suspended 3 year jail term and 400 hours of community service.
Morris exploited three flaws:
1. The Unix password file is stored in encrypted form, but anyone can read the ciphertext.
70
Morris Worm: the first flaw
To connect to a remote system, it tries to crack the local password file by trying the following:
• the 432 words (like password, guest, coffee, coke, aaa etc.) included in the worm,
• all the words in the dictionary file stored on the system for spell-check.
71
Morris Worm: the second flaw
2) The second flaw - in fingerd:
• fingerd continuously runs to service requests, from other computers, about system users.
• Security flaw in fingerd: an overflow of the input buffer spills into the return address on the stack.
• When a fingerd call terminates, it may execute instructions pushed through the buffer overflow. This may cause the worm to connect to a remote shell.
72
Morris Worm: the third flaw
3) The third flaw - in sendmail, in debug mode:
Normally sendmail runs in the background. It receives a ‘send’ instruction along with the destination address.
However, in debug mode the worm can send a command string in place of the destination address. Then this command string may be executed.
Assume that the worm has been able to enter a host (without its knowledge or permission).
73
Morris Worm: action
It examines the following lists on the host:
• tables giving lists of trusted machines,
• mail forwarding lists,
• tables stating the access rights of the local host on remote machines,
• status of network connections.
It selects a suitable target.
It uses one of the three flaws to send a bootstrap program of 99 lines of C code.
Through the host, it sends a command to execute the program on the target machine. Then the host logs off.
74
Morris Worm: action continued
• The bootstrap on the target now connects to the host to get the rest of the worm.
• The bootstrap authenticates by sending a password (so that a system admin should not be able to get the rest of the worm).
• The host sends the rest of the worm.
Efforts at stealth:
• If any transmission error occurs while transferring, the bootstrap deletes all records received till then.
75
Morris Worm: Efforts at Stealth
• After receiving the full code of the worm, it is encrypted. The original copies are deleted from the target.
• It changes its name and identifier periodically.
Because of a flaw in Morris's code, it created many copies of the worm on the same machine, thereby degrading its performance on normal tasks.
After Morris, a Computer Emergency Response Team was set up at Carnegie Mellon University.
76
Code Red
• Uses a security hole in MS Internet Information Server (IIS).
• On July 12, one in 8 of the 6 million IIS servers were affected.
• The first version shows the following text on the web:
Hello!
Welcome to http://www.worm.com !
Hacked by Chinese !
77
Code Red: Action
• Days 1 to 19: spawns 99 parallel threads and scans for other computers to infect;
• days 20-27: it attacked www.whitehouse.gov by DDoS;
• from day 28 to the end of the month it lies dormant.
• It disables the System File Checker in Windows.
• It uses random IP addresses to spread to other machines.
78
Code Red: Action continued
• It suspends its activities periodically and then restarts.
• Code Red II also installs a backdoor to permit a hacker to be able to use the victim machines.
• It would automatically stop after Oct 2002.
• Finally it reboots after 24/48 hours, wipes itself from memory but leaves the Trojan in place.
79
Code Red: Technique continued
• Vulnerability in IIS: buffer overflow in the dynamic link library called idq.dll.
• Code Red II creates a trapdoor by copying %windir%\cmd.exe to 4 locations:
C:\inetpub\scripts\root.txt
C:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.ext
d:\program1\common~1\sytem\MSADC\root.exe
80
Code Red: Technique (continued)
• Code Red also includes its own copy of explorer.exe on the C: and D: drives.
• It modifies the system registry to allocate Read, Write and Execute permission in some directories to everyone.
• The Trojan horse continues to run in the background, resetting the registry every 10 minutes.
• Thus even if a system admin notices the changes in the registry and removes them, the Trojan will create the changes again.
• Code Red may be a beta test for 'information warfare'.
81
Two more well-known viruses
• NIMDA: It had multiple spread modes:
  - e-mail
  - client-to-client through open network connection
  - web-server to client
  - client to web-server
  - by using the backdoor left by Code Red II
  It modifies HTML files and some executable files. It creates numerous copies under various names.
82
The "Slammer" virus
• The "Slammer" virus (also known as the "SQL" or "Sapphire" worm):
  - launched at midnight ET on a Saturday in Jan 2003, shut down MS IIS based web-servers worldwide.
  - By Sunday morning, about 150,000 to 200,000 servers had been compromised.
  - By quickly copying itself and seeking to spread to the computers that manage Internet traffic, the worm overwhelmed networks worldwide, causing probably the most damaging attack in a year and a half.
83
Multi-pronged approach
Attacks come from various fronts, so security also has to be multi-faceted.
Example: A mobile user A, who may be a salesman, may be allowed to access a company network protected by a firewall. A may have a wireless network at home, which may get connected to the company network. A malicious user, who may be a neighbor or even a computer in a parked vehicle near A's home, could in turn become a part of the wireless network. Thus the firewall alone may not be able to provide protection from such a malicious user.
84
Multi Pronged Protection Systems
Based on the Behavior Blocking Software idea of slide 61
• MPPS:
  - monitor traffic characteristics.
  - Use anomalies to develop real-time warning and defensive actions.
• During an attack, MPPS determines the characteristics of malicious attack traffic by tracking various attributes of packets, including:
  - Source and destination socket addresses
  - IP TTL
  - protocol
  - Packet length
85
Multi Pronged Protection Systems (continued)
• Characterization of the malicious traffic: by identifying the highest-volume values for each packet attribute and comparing current distributions of the attribute values to normal distributions.
• Two types of Triggers:
  - Bandwidth triggers, based on packet and byte rates. They indicate attempts to flood a network and consume its bandwidth.
  - Suspicious traffic triggers, based on packets that target resources on the network, such as TCP SYN flood attack packets.
86
Solutions
• Once an attack is detected, there are two solution approaches:
  - Black-hole routing allows the administrator to take all malicious traffic and route it to a null IP address or drop it.
  - Sinkhole routing: the malicious traffic is sent to an IP address where it can be examined.
87
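The triggers, the per-attribute characterization and the black-hole/sinkhole response of slides 86 and 87, as an added example in Python (not from the slides or any MPPS product; the thresholds, the sinkhole address 192.0.2.254 and all packets are constructed):

```python
# Added example, not from the slides or any MPPS product: a toy behaviour-based
# detector with the slides' bandwidth and suspicious-traffic triggers, attribute
# characterisation, and a black-hole/sinkhole response. All data is constructed.
from collections import Counter
from dataclasses import dataclass

ATTRS = ("src_ip", "src_port", "dst_ip", "dst_port", "ttl", "proto", "length")
SINKHOLE = "192.0.2.254"   # constructed address of the analysis box

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int
    proto: str        # "tcp", "udp" or "icmp"
    length: int
    flags: str = ""   # TCP flags: "S" = bare SYN, "SA", "A", ...

def detect(window, secs=1.0, pps_limit=100, syn_limit=0.8):
    """Triggers fired by one window of traffic (empty list if none)."""
    triggers = []
    if len(window) / secs > pps_limit:
        triggers.append("bandwidth")             # packet-rate flood
    tcp = [p for p in window if p.proto == "tcp"]
    if tcp and sum(p.flags == "S" for p in tcp) / len(tcp) > syn_limit:
        triggers.append("suspicious:syn_flood")  # bare SYNs aimed at a service
    return triggers

def characterise(window, baseline, min_share=0.9, ratio=2.0):
    """Highest-volume value of each attribute, kept when it dominates the
    window and is at least `ratio` times as common as in normal traffic."""
    signature = {}
    if not window or not baseline:
        return signature
    for a in ATTRS:
        value, count = Counter(getattr(p, a) for p in window).most_common(1)[0]
        share = count / len(window)
        base_share = sum(getattr(p, a) == value for p in baseline) / len(baseline)
        if share >= min_share and share >= ratio * base_share:
            signature[a] = value
    return signature

def respond(triggers, signature, mode="blackhole"):
    """Black-hole drops the characterised flow; sinkhole diverts it for analysis."""
    if not triggers or not signature:
        return None
    action = "drop" if mode == "blackhole" else f"next-hop {SINKHOLE}"
    return {"match": signature, "action": action}
```

Attributes that are equally dominant in normal traffic (here TTL and protocol) drop out of the signature, which is what keeps the resulting filter from catching legitimate traffic.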
Multi Pronged Protection Systems (continued)
• Both black-hole and sinkhole routing can be used
  - at the enterprise level, or
  - at the ISP level, where the ISP can prevent the malicious traffic from reaching the customer's network. (Most ISPs have some level of DDoS traffic crossing their networks virtually all the time. This costs them money in terms of bandwidth and annoys customers.)
• DISADVANTAGE of using filtering at the ISP: the possibility of catching legitimate traffic as well.
88
Virus vs Spyware
• A virus: designed to damage the machine in some way.
• Spyware:
  - a form of adware with tracking capability;
  - hidden in free open-source software;
  - used to collect information about a user.
• Use Spybot or AdAware for removing Spyware from your machine.
89
To end
• three news items on security:
  - one on ticking time-bombs in the weakest link – the PCs, and
  - two on 1st April pranks by security companies
90
A honey-pot is added
• Bill McCarty, an Associate Professor of Web and Information Technology at Azusa Pacific University, Calif., said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets – reportedly many hundreds of thousands strong as of now.
(A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.)
91
Two pranks of April 1, 2003
• A news item in the Register, a U.K. IT news Web site: availability of an Intruder Retaliation System (IRS) by a new (fake) security company. The first IRS, called Payback 1.0, is an application that
  - "instantly and dynamically 'traces' the IP source address—no matter how well masked—of the network attack/infection and
  - responds by launching either a Domain Name or mail server flood attack in the direction of the attacker."
92
The second prank: an advisory posted to BugTraq (by an Internet security company – but not on Internet security)
• A (fake) company called S.E.L.L. warns that "a DDoS condition is present in the election system in many polypartisan democratic countries. A group of determined but unskilled and not equipped low-income individuals, usually between 0.05% and 2% of the overall population of the country, can cause serious disruptions or even a complete downfall of the democratic system and its institutions."
• The fix for this vulnerability: for affected parliaments to either "establish a convenient dictatorship or a monarchy, or [become] the 51st state."
93
Abbreviations
• IPSec: IP Security protocol
• SSL: Secure Socket Layer
• TLS: Transport Layer Security
• SSH: Secure SHell
• Kerberos: Project Athena's Authentication Service
• SHA: Secure Hash Algorithm
• DSA: Digital Signature Algorithm
• RSA: RSA Laboratories, named after its founders: Ron Rivest, Adi Shamir, Leonard Adleman
• DES: Data Encryption Standard
• MD: Message Digest
94
References
1. To study the details of a scanner:
   Sandeep Kumar and Gene Spafford, "A Generic Virus Scanner in C++," Proceedings of the 8th Computer Security Applications Conference, IEEE Press, Piscataway, NJ, pp. 210-219, 2-4 Dec 1992.
2. For a complete list of known viruses:
   www.cai.com/virusinfo/encyclopedia/
3. For cryptography:
   G. C. Kessler, "An Overview of Cryptography", http://www.hill.com/library/staffpubs/crypto.html
   RSA Laboratories, "RSALabs FAQ," http://www.rsasecurity.com/rsalabs/faq/
95
References (continued)
4. For MPPS:
   http://www.mazunetworks.com/products/enforcer.html
   http://www.intruvert.com/resources/index.htm
   http://www.okena.com/areas/products/products_literature.html#COMPARE
96
"Malware payloads have been boring........ Payloads can be malign and I expect that we'll see more devious payloads over the next few years."
- Bruce Schneier, author of Applied Cryptography
FIREWALLS up to slide
97
Firewall: a definition
• A Firewall is a set of related hardware and/or software which protects the resources of a private network from the outside networks.
  - watch a single point rather than every PC
• A firewall provides strict access control between your systems and the outside world.
98
• Packet-Filtering Router
  Applies a set of rules to each incoming IP packet and then forwards or discards the packet, usually for both directions.
  - The rules are mainly based on the IP and transport (TCP or UDP) header, including
    - source and destination IP address,
    - IP protocol field,
    - TCP/UDP port number.
99
Application-Level Gateway
(Proxy Server)
Acts as a relay of application-level traffic.
Users contact the gateway using a TCP/IP
application (such as FTP or Telnet) with
the information of the remote host to be
accessed. The gateway will contact the
application on the remote host and convey
TCP segments containing the application
data between the two endpoints.
100
Firewall: Limitations
• A firewall cannot protect against attacks that bypass the firewall (e.g. a dial-up modem).
• A firewall does not protect against internal threats, such as a bad employee.
• A firewall cannot protect against the transfer of virus-infected files.
• It can't prevent people walking out with disks.
101
Packet Filtering: Advantages and Disadvantages
• Advantages: Fast, Flexible, and Inexpensive
• Disadvantages:
  - Lack the ability to provide detailed audit information about the traffic they transmit;
  - Vulnerable to attack.
• A firewall can become a bottleneck for a big system. → Multiple firewalls in parallel, divided by function?
102
FIREWALLS: the common architecture
• The most common firewall architecture contains at least four hardware components:
  - an (exterior) router,
  - a secure server (called a Bastion Host),
  - an exposed network (called a Perimeter Network),
  - an (interior) filtering router.
103
Firewall: an example
• Screened subnet type of firewall:
104
Firewall: an example (continued)
• Exterior Router: uses packet filtering to eliminate packets coming from the external world that have a source address matching that of the internal network.
• The interior router does the bulk of the access control work. It filters packets on
  - address,
  - protocol and
  - port numbers
  to control the services that are accessible to and from the interior network.
105
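The packet-filtering router rules of slide 99 and the exterior/interior routers of the screened subnet above, as an added example (not from the slides; the 10.0.0.0/8 interior network, the bastion address 192.0.2.10 and the rule set are assumptions):

```python
# Added example, not from the slides: a toy screened-subnet packet filter.
# Exterior router: reject inbound packets claiming an internal source.
# Interior router: first-match rules on address, protocol and port, default
# deny. All addresses and rules below are constructed.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed interior network
BASTION = "192.0.2.10/32"                           # constructed bastion host
# src/dst IP address, IP protocol field ("tcp"/"udp"), TCP/UDP destination port
Packet = namedtuple("Packet", "src dst proto dport")

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # CIDR the source must fall in
    dst: str           # CIDR the destination must fall in
    proto: str = ""    # "" = any protocol
    dport: int = 0     # 0 = any port

    def matches(self, p) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("", p.proto)
                and self.dport in (0, p.dport))

# Interior policy: the bastion may deliver DNS and SMTP inward, inside hosts
# may talk only to the bastion (its proxies), everything else is denied.
INTERIOR_RULES = [
    Rule("permit", BASTION, "10.0.0.0/8", "udp", 53),
    Rule("permit", BASTION, "10.0.0.0/8", "tcp", 25),
    Rule("permit", "10.0.0.0/8", BASTION),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def exterior_router(p) -> bool:
    """Anti-spoofing: an inbound packet may not carry an interior source address."""
    return ipaddress.ip_address(p.src) not in INTERNAL_NET

def interior_router(p) -> bool:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in INTERIOR_RULES:
        if rule.matches(p):
            return rule.action == "permit"
    return False

def firewall_allows(p, inbound: bool) -> bool:
    """Inbound packets must pass both routers; outbound ones only the interior."""
    return (not inbound or exterior_router(p)) and interior_router(p)
```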
Firewall: an example (continued)
• The bastion host:
  - a secure server.
  - provides an interconnection point between the enterprise network and the outside world for the restricted services.
• Some of the services that are restricted by the interior gateway may be essential for a useful network. Those essential services are provided through the bastion host in a secure manner. The bastion host
  - provides some services directly, such as DNS, SMTP mail services, and anonymous FTP;
  - may also provide other services as proxy services.
106
Firewall: an example (continued)
bastion host (continued)
• When the bastion host acts as a proxy server, internal clients connect to the outside world through the bastion host and external systems respond back to the internal clients through the host.
107
Typical Enterprise Network Topology (without VPN)
[Figure: network diagram showing the Public Internet, firewall locations, routers (R), an Authentication Server, a Remote Client, extranet links with trading partners, the Corporate Intranet, and a Remote Access Server (RAS) for remote access.]
108
Network Address Translator
• NA(P)T: network address (and port) translators are not firewalls, but can prevent all incoming connections.
109
NAT
110
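How a NA(P)T blocks unsolicited inbound connections, as an added example (not from the slides; the public address 198.51.100.1, the port allocation scheme and all packets are assumptions):

```python
# Added example, not from the slides: a toy NAPT translation table showing why
# a translator blocks unsolicited inbound connections. An outbound packet creates
# a mapping from a public port back to the inside host; an inbound packet is
# rewritten only if it hits a mapping and is dropped otherwise. Addresses constructed.
from dataclasses import dataclass, replace

PUBLIC_IP = "198.51.100.1"   # constructed public address of the NAPT box

@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class Napt:
    """Endpoint-dependent mapping: one public port per (inside socket, remote socket)."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.out = {}   # (proto, in_ip, in_port, rem_ip, rem_port) -> public port
        self.inb = {}   # (proto, public port, rem_ip, rem_port) -> (in_ip, in_port)

    def outbound(self, p):
        """Inside -> outside: allocate (or reuse) a public port, rewrite the source."""
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        port = self.out.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = port
            self.inb[(p.proto, port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=PUBLIC_IP, src_port=port)

    def inbound(self, p):
        """Outside -> inside: rewrite the destination if a mapping exists, else None."""
        inside = self.inb.get((p.proto, p.dst_port, p.src_ip, p.src_port))
        if inside is None:
            return None   # no inside host asked for this: unsolicited, dropped
        return replace(p, dst_ip=inside[0], dst_port=inside[1])
```

Because only replies to an existing mapping get through, an outside host cannot open a connection to an inside machine on its own, which is the "prevents all incoming connections" property of the slide; it is still not a firewall, since anything an inside host initiates is translated without inspection.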
IPS vs IDS
• NEW: IPS: Intrusion Prevention Systems
• IDS: Intrusion Detection Systems: IDS devices sit on a monitor port and simply report problems.
• While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action.
• PROBLEMS with IPS:
  - Costly
  - need to be periodically tuned so that good traffic is not inadvertently dumped.
111
IPS devices
• operate inline, often at wire speed,
• tuned to drop bad traffic from the network.
• most IPS devices must be used in conjunction with a firewall at the perimeter.
• process packet contents, not just the headers,
• track the state of network connections fast and thwart DoS (denial-of-service) attacks by quickly identifying malicious connections (through fast identification, statistical pattern analysis and rerouting suspect traffic to a mitigation engine, which examines the traffic carefully). However, no method can eliminate the problem of bandwidth starvation to valid users.
112
"We are going backward, not forward; today's systems don't even achieve the security level Multics had in the seventies."
Karger and Schell, 2002, "Thirty years later: Lessons from the Multics security evaluation", Proceedings of the Annual Computer Security Applications Conference, 2002, pp. 332
113
Internet security protocols at layers
Layer                 Protocols
Application Layer     SSH, SFTP, PGP, PEM, HTTPS
Transport Layer       SSL/TLS, SSH
Internet Layer        IPSec
Network Interface     Security in data link layer?
Other security systems: Kerberos, X.509
114
Figure 2.10
Terms about Internet security
• HTTPS:
  - Secure Hypertext Transfer Protocol
  - an application layer protocol for WWW using a Secure Socket Layer (SSL).
• SSL:
  - Secure Socket Layer,
  - a transport layer protocol
  - Similar to a socket but adding encryption and authentication
• TLS:
  - Transport Layer Security
  - A transport layer protocol
  - The IETF version of SSL
115
Terms about Internet security
• SSH:
  - Secure SHell
  - An application layer protocol (initially)
  - Replaces telnet, rlogin, ftp
  - Generalized as a transport layer protocol
• PGP:
  - Pretty Good Privacy
  - An application layer protocol
  - Embedded in email clients such as elm
  - Flexible public key certificate and verification
116
Terms about Internet security
• PEM:
  - Privacy Enhanced Mail
  - An application protocol
  - For secure email
  - Strict hierarchy in public key certificate
• IPSec:
  - Internet Protocol Security
  - A network layer protocol
  - Contains two parts (may be used separately):
    - AH: Authentication Header
    - ESP: Encapsulating Security Payload
117
Terms about Internet security
• IKE:
  - Internet Key Exchange, establishing the keys used in IPSec.
• PKI:
  - Public Key Infrastructure
  - Refers to the widespread availability of public keys and certificates
• ISAKMP:
  - Internet Security Association and Key Management Protocol.
• Kerberos: used in large distributed systems or Grids
  - A system for authentication based on secret keys
• OAKLEY
  - An IETF protocol that provides a mechanism by which two authenticated parties can agree on secure and secret keying material
118