Software Vulnerabilities and Malware
CS432 - Security in Computing
Copyright © 2005, 2010 by Scott Orr and the Trustees of Indiana University
Section Overview
- Program flaws
- Buffer overflows
- Malware Taxonomy
- Virus Techniques and Detection
- Worms

References
- Security in Computing, 4th Ed., Chapter 3
Software Flaw Classifications
- Inadequate Authentication and Authorization
- Serialization Errors
- Data Isolation Errors
- Bounds Checking Errors
- Validation Errors
  - Incomplete
  - Inconsistent
- Exploitable Logic Errors
It’s a bug’s life…
Grace Hopper’s team at Harvard logs the famous “first actual case of bug being found” in September 1947: a moth trapped in a relay of the Mark II, taped into the logbook.
From Hopper’s logbook
Source: History of Computing, Virginia Tech
Computer Bugs
Bug (n): An unwanted and unintended property of a program or piece of hardware, esp. one that causes it to malfunction.*
Security related issues
- Coredumps (a crash writes process memory, including any secrets it held, to disk)
- Unauthorized access
*Source: The New Hacker’s Dictionary
Stack Buffer Overflows
[Diagram: memory of a process. Code (text): x = 5; call func(x); print x. Data: char x[8]. Stack, laid out below the func() args: the return address, then local variable a (the 8-byte buffer). After an overflowing copy the buffer and the words above it hold a nop sled, code that runs exec(/bin/sh), another nop, and a replacement return address pointing back into the sled, so when func() returns, execution lands in the attacker’s code instead of at “print x”.]
Buffer Overflow Prevention
- Bounds Checking!!!
- Virtual Machines / Sandboxing
- Compiler “Canaries”
- Memory Protection
  - Non-executable stack/heap page tagging
  - Executable/Library Randomization
- Metasploit Framework
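The slide’s picture in code, as an added example (not from the original slides): the unchecked 8-byte copy, a bounds-checked replacement, and a software model of the compiler canary. The guarded_frame_t struct and the CANARY_VALUE constant are simplifying assumptions standing in for the real stack frame layout that -fstack-protector guards; they are not how GCC actually lays out a frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the slide: an 8-byte local buffer filled with
 * strcpy(), which never looks at the destination size. Anything longer than
 * 7 characters runs off the end of x[] into the saved frame data above it
 * (saved registers, then the return address). Kept for contrast only;
 * never call it with untrusted input. */
void vuln_copy(const char *input)
{
    char x[8];
    strcpy(x, input);          /* no bounds check: stack smash on long input */
    printf("%s\n", x);
}

/* Bounds-checked replacement: refuses input that does not fit, counting the
 * terminating NUL. Returns 0 on success, -1 if the input was rejected. */
int safe_copy(char *dst, size_t dst_len, const char *input)
{
    size_t n = strlen(input);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/* Software model of a compiler canary (assumed layout, see lead-in): a guard
 * word sits between the buffer and the data an attacker wants to reach. An
 * unchecked copy that overruns the buffer has to pass through the guard, so
 * checking it before the function returns catches the overflow.
 * Returns 1 if the copy clobbered the canary, 0 otherwise. */
#define CANARY_VALUE 0xDEADBEEFu

typedef struct {
    char     buf[8];           /* the local buffer, as on the slide */
    uint32_t canary;           /* guard word placed right after it */
} guarded_frame_t;

int canary_detects_overflow(const char *input)
{
    guarded_frame_t f;
    size_t n = strlen(input) + 1;   /* strcpy copies the NUL too */

    f.canary = CANARY_VALUE;
    if (n > sizeof f)
        n = sizeof f;          /* keep the simulation itself inside the object */
    /* Copy into the whole frame object as raw bytes, exactly as an unchecked
     * strcpy into f.buf would spill over the edge of buf[]. */
    memcpy(&f, input, n);
    return f.canary != CANARY_VALUE;
}

int main(void)
{
    char out[8];
    printf("safe_copy(\"1234567\")  -> %d\n", safe_copy(out, sizeof out, "1234567"));
    printf("safe_copy(\"12345678\") -> %d\n", safe_copy(out, sizeof out, "12345678"));
    printf("canary hit on \"short\"  -> %d\n", canary_detects_overflow("short"));
    printf("canary hit on 24 x 'A' -> %d\n",
           canary_detects_overflow("AAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

Note the limit of the canary: it only detects the overwrite when the function returns, after the copy has already happened, and it does nothing against reads or against an overwrite that leaves the guard value intact. Bounds checking before the copy is the fix; the canary, non-executable pages and randomization are the safety nets behind it.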
Incomplete Mediation
- Failure to make sure input data makes “sense” (type, length, range, format) before acting on it
- Injection attacks (SQL, shell, script) are the classic result: unchecked input is handed to an interpreter
- Fixes
  - Data sanity checks, on the server side, on every input, every time
  - Controlled input methods (e.g. forms using pulldown boxes) reduce honest mistakes but are not a security control: a client can submit any value, so the server must still validate
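Two mediation checks of the kind the slide calls for, written as an added example rather than code from the course: a numeric field parsed and range-checked, and a short identifier matched against an allow-list. The function names, the field semantics (an order quantity, a username) and the sample inputs are all constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sanity check for an integer field arriving as text (form field, query
 * parameter). It is only meaningful as an integer in [min, max], so anything
 * else is rejected before it reaches business logic or a database.
 * Returns 0 and stores the value on success, -1 on rejection. */
int parse_quantity(const char *field, long min, long max, long *out)
{
    char *end;
    long v;

    if (field == NULL || *field == '\0')
        return -1;                       /* missing or empty */
    /* strtol silently accepts leading whitespace and a sign; we do not. */
    if (!isdigit((unsigned char)field[0]))
        return -1;
    errno = 0;
    v = strtol(field, &end, 10);
    if (errno == ERANGE)
        return -1;                       /* does not fit in a long */
    if (*end != '\0')
        return -1;                       /* trailing garbage, e.g. "5; DROP TABLE" */
    if (v < min || v > max)
        return -1;                       /* does not "make sense" for this field */
    *out = v;
    return 0;
}

/* Allow-list check for a short identifier (username, product code): only
 * [A-Za-z0-9_-], 1..max_len characters. Anything outside the list is rejected
 * outright rather than escaped, so shell, SQL and HTML metacharacters never
 * get through. Returns 1 if acceptable, 0 otherwise. */
int is_safe_identifier(const char *s, size_t max_len)
{
    size_t i;
    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i >= max_len)
            return 0;                    /* too long */
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;                    /* character not on the allow-list */
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: one honest value, one injection attempt each. */
    long q = 0;
    printf("\"5\"                 -> %d (q=%ld)\n", parse_quantity("5", 1, 1000, &q), q);
    printf("\"5; DROP TABLE x\"   -> %d\n", parse_quantity("5; DROP TABLE x", 1, 1000, &q));
    printf("\"alice_01\"          -> %d\n", is_safe_identifier("alice_01", 16));
    printf("\"alice' OR 1=1--\"   -> %d\n", is_safe_identifier("alice' OR 1=1--", 16));
    return 0;
}
```

Rejecting rather than “cleaning” is deliberate: an allow-list is small enough to reason about, whereas a deny-list of bad characters is never complete. Either way the check belongs on the server, regardless of what the form offered the user.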
NRL Taxonomy
- Developed in 1992
- How did the flaw enter the system? (genesis)
- Where did it enter the system? (time of introduction)
- Where in the system is it manifest? (location)
Type of Flaw (genesis)
- Intentional
  - Malicious
    - Trojan Horse
      - Non-replicating
      - Replicating
    - Trapdoor
    - Time/Logic Bombs
  - Non-malicious
    - Covert Channel
      - Storage
      - Timing
    - Other
Source: Computer Security: Art and Science, by Matt Bishop
Time of Flaw
- Time of Introduction
  - Development
    - Requirement/Specs/Design
    - Source Code
    - Object Code
  - Maintenance
  - Operation
Source: Computer Security: Art and Science, by Matt Bishop
Location of Flaw
- Software
  - Operating System
    - System Initialization
    - Memory Mgmt
    - Process Mgmt/Sched
    - Device Mgmt
    - File Mgmt
    - Ident/Auth
    - Other/Unknown
  - Support
    - Privileged Utilities
    - Unprivileged Utilities
  - Application
- Hardware
Source: Computer Security: Art and Science, by Matt Bishop
Logic Bombs
- One of the earliest forms of malware
- Code embedded in an otherwise legitimate program
- “Explodes” (runs its payload) under special circumstances
  - Date/Time (Time Bombs)
  - Missing employee information (e.g. the author’s record disappears from payroll)
  - Other “triggers”
Backdoors
- Code to allow unauthorized access to a restricted resource.
- Causes
  - Forgotten debugging or testing code
  - Code intentionally left for testing or maintenance
  - Code intentionally left to allow covert access after the program goes into production
- Almost always undocumented
Intruder Backdoors
- Created (privileged) accounts
- Use of schedulers (cron, at) to regain access
- Remote Control tools
  - BO2K/Netbus/SubSeven
  - Netcat
  - Virtual Network Computing (VNC)
  - Bots & Rootkits
Botnet Uses
- Distributed Denial of Service (DDoS) Attacks
- Spamming
- Sniffing Traffic
- Keylogging
- Spreading of other Malware
- Web Advert Clicking
Source: Computer Security: Principles and Practice, by William Stallings and Lawrie Brown
Rootkits
- Replace programs, libraries, or kernel modules to hide the intruder’s presence and keep access
- Classifications
  - Persistent (survives reboot, so must store itself on disk where an integrity checker can find it)
  - Memory Based (lives only in RAM; gone after reboot, but leaves no file to find)
  - User Mode (modify the data returned to programs, e.g. by replacing ls/ps or hooking libraries)
  - Kernel Mode (hook system calls; every user-space program then sees the altered view)
Trojan Horses
- Code that is supposed to do one thing but actually does something else.
- Examples
  - “Login” programs
  - AIDS Information Disk (1989)
  - Whack-A-Mole (Netbus)
  - Sony XCP (Rootkit)
  - eLiTeWrap and other Wrappers
Adware/Spyware
- Advertiser supported software
- Installed along with target application
- Pops up advertisement windows
- Sends data back to third party
  - Adware: Asks permission
  - Spyware: Doesn’t ask permission
Salami Attacks
- Financial organizations are the prime target
- Methods of attack
  - Collection of round off errors
  - Shaving very small amounts of money from many accounts
- Hard to detect
Viruses
- Code which attaches to other programs
- Actions
  - Infects other programs
  - Runs “logic bomb” style code
  - Can be:
    - Memory Resident
    - Run at same time as infected program
    - Run when infected data file is loaded (Macro)
Parasitic Viruses
[Diagram: before infection the file holds only Program Code; after a basic infection the Virus Code is placed ahead of the original Program Code, so the virus gets control first and then passes control to the host.]
Parasitic Virus Structure
- Signature
- Infect another executable
- Trigger event occurred?
- Payload
Compression Viruses
[Diagram: before infection the file holds only Program Code; after a basic infection the Virus Code is followed by the Compressed Program Code. The virus decompresses the host before running it, so the file length does not change and a size check does not reveal the infection.]
Boot Sector Virus
[Diagram: Normal disk: the Boot Sector holds the Boot Loader, the Other Sectors hold System Initialization. After infection: the Boot Sector holds the Virus Code, and the original Boot Loader has been moved out into the Other Sectors alongside System Initialization; the virus runs at power-on and then chains to the relocated loader so the machine still boots.]
Stealth Viruses
[Diagram: memory with the interrupt vector table (Interrupt Vector 0 … n-1, n). A user program issues a system call, which becomes Supervisor Trap n. The virus has replaced the entry for vector n so it points to its own Modified Interrupt Handler, which calls the original Interrupt Handler n and then filters the result (for example reporting the pre-infection file size), hiding the infection from programs and scanners.]
Polymorphic Viruses
[Diagram: before infection the file holds only Program Code; after infection it holds a Mutation Engine and a Crypto (decryption) routine in the clear, followed by the encrypted and compressed Virus Code and Program Code. At each new infection the engine re-encrypts the body under a fresh key and rewrites the decryptor, so no two copies share a fixed byte signature for a scanner to match.]
Armored Viruses
- Anti-Disassembly
- Anti-Debugging
- Anti-Heuristics
- Anti-Emulation
- Anti-Goat (refuses to infect the bait files analysts use to capture a sample)
Other Virus Types
- Slow Viruses
- Multipartite Viruses
- Companion Viruses
- Retro Viruses
- Phage Viruses
Macro Viruses
- Macro language is part of “Office Suites”
- Virus is a macro saved in a document
- Spreads to the suite itself when the infected file is opened (global macros/template infected)
- Every document open afterwards is infected when saved
- Virus damage is limited only by the macro language’s capabilities (modern macro languages can launch arbitrary programs)
Hoax Viruses
- Not really a virus
- Email “warnings” sent
- FUD (Fear, Uncertainty, and Doubt) leads to further propagation by the recipients themselves
- Goodtimes Virus (1994)
- Virus Hoax Pages (check one before forwarding a warning)
Virus Sources
- Internet downloads
- Email/IM
- USB Keys
- Vendors
- Virus Toolkits
  - Virus Creation Laboratory (VCL)
  - VBS Worm Generator
Virus Symptoms
- File/Directory changes
  - Date/Time
  - Size
- Slower system operation
- Reduction of resources
  - Memory
  - Disk space
  - Bad sectors
- Unusual messages
- Application crashes
Virus Detection
- Signature scans
  - Fingerprints (byte patterns) taken from virus samples
  - Can detect and clean/quarantine on file open (on-access) or on request
  - Keep signature database current!!!
- Heuristic scans
  - Looks for common virus behavior (e.g. writing to a .exe file)
  - Assigns weights based on each characteristic found
  - If total exceeds threshold, mark as virus
- Integrity Checkers (e.g. Tripwire)
  - Take a one-way hash of every file on a newly installed system
  - Periodically recompute hashes and compare to the originals
  - Non-matches considered compromises (the stored baseline itself must be protected, or the intruder simply re-baselines after infecting)
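The three detection methods on the slide, as an added example that is not part of the course material: a signature search over a file image, a weighted heuristic score against a threshold, and a Tripwire-style baseline/verify pair. The behaviours, weights and threshold are assumed, illustrative values, and FNV-1a stands in for a real cryptographic hash only to keep the block self-contained (see the comment on why that would not do in production). The sample “files” are constructed in-memory byte strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Signature scan: report whether a known byte pattern occurs in the file. */
int signature_match(const unsigned char *file, size_t file_len,
                    const unsigned char *sig, size_t sig_len)
{
    size_t i;
    if (sig_len == 0 || sig_len > file_len)
        return 0;
    for (i = 0; i + sig_len <= file_len; i++)
        if (memcmp(file + i, sig, sig_len) == 0)
            return 1;
    return 0;
}

/* Heuristic scan: each suspicious behaviour adds its weight; the caller
 * compares the total with HEURISTIC_THRESHOLD. Behaviours, weights and the
 * threshold are assumed, illustrative values, not a real scanner's rules. */
enum {
    BEH_WRITES_EXE     = 1 << 0,  /* writes to another .exe file            */
    BEH_HOOKS_INT      = 1 << 1,  /* patches an interrupt/system-call table */
    BEH_SELF_DECRYPT   = 1 << 2,  /* decrypts its own body before running   */
    BEH_STAYS_RESIDENT = 1 << 3   /* installs itself memory-resident        */
};
#define HEURISTIC_THRESHOLD 60

int heuristic_score(unsigned behaviours)
{
    int score = 0;
    if (behaviours & BEH_WRITES_EXE)     score += 40;
    if (behaviours & BEH_HOOKS_INT)      score += 35;
    if (behaviours & BEH_SELF_DECRYPT)   score += 30;
    if (behaviours & BEH_STAYS_RESIDENT) score += 15;
    return score;
}

/* Integrity checker (Tripwire style). FNV-1a keeps the block self-contained
 * but is NOT one-way: an attacker can craft a file with any FNV value. A real
 * checker needs SHA-256 or similar, and the baseline must live on read-only
 * or offline storage so an intruder cannot re-baseline after infecting. */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    size_t i;
    for (i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

typedef struct {
    const char          *name;
    const unsigned char *content;  /* in-memory stand-in for the file body */
    size_t               len;
} file_t;
#define MAX_FILES 8

/* Run once on the clean system: store a digest per file. */
void record_baseline(const file_t *files, size_t n, uint64_t *baseline)
{
    size_t i;
    for (i = 0; i < n && i < MAX_FILES; i++)
        baseline[i] = fnv1a64(files[i].content, files[i].len);
}

/* Run periodically: recompute, compare, flag. Returns the mismatch count and
 * sets changed[i] = 1 for every file whose digest no longer matches. */
size_t verify_baseline(const file_t *files, size_t n,
                       const uint64_t *baseline, int *changed)
{
    size_t i, mismatches = 0;
    for (i = 0; i < n && i < MAX_FILES; i++) {
        changed[i] = fnv1a64(files[i].content, files[i].len) != baseline[i];
        mismatches += (size_t)changed[i];
    }
    return mismatches;
}

int main(void)
{
    /* Constructed sample "file"; the infected copy carries a made-up marker. */
    static const unsigned char ls_clean[]    = "ls: list directory contents";
    static const unsigned char ls_infected[] = "ls: list directory contents\x90\x90" "EVIL";
    static const unsigned char sig[] = { 0x90, 0x90, 'E', 'V', 'I', 'L' };
    file_t files[1] = { { "/bin/ls", ls_clean, sizeof ls_clean - 1 } };
    uint64_t baseline[MAX_FILES];
    int changed[MAX_FILES];

    record_baseline(files, 1, baseline);
    files[0].content = ls_infected;
    files[0].len = sizeof ls_infected - 1;
    printf("integrity mismatches: %zu\n", verify_baseline(files, 1, baseline, changed));
    printf("signature hit: %d\n", signature_match(ls_infected, sizeof ls_infected - 1, sig, sizeof sig));
    printf("heuristic score: %d (threshold %d)\n",
           heuristic_score(BEH_WRITES_EXE | BEH_HOOKS_INT), HEURISTIC_THRESHOLD);
    return 0;
}
```

The three methods fail in different ways: the signature scan misses anything not yet in the database (hence “keep it current”), the heuristic produces false positives on legitimate installers that write .exe files, and the integrity checker only reports that something changed, not what, so it is the one that catches novel code.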
Worms and Rabbits
- Worms
  - Applications which propagate themselves via a network by exploiting service vulnerabilities
  - Morris Internet Worm (1988)
  - Code Red, Nimda, SQL Slammer, MSBlast, etc. (2001-2004)
- Rabbits
  - Applications which replicate as much as they can to use up available resources
  - Resources
    - Disk Space
    - Memory
2007 Malware Breakdown
[Pie chart: share of 2007 malware by type. Categories: Trojan, Worm, Adware, Virus, Downloader, PWS (password stealer), Dialer, Backdoor, Other. Slices shown: 26%, 16%, 14%, 12%, 10%, 6%, 6%, 6%, 4%; which slice belongs to which category is not recoverable from the extracted text.]
Source: X-Force 2007 Trend Statistics, IBM Internet Security Systems
Modular Code Design
- Code Module
  - Does only one task
  - Reusable
  - Easier to understand and test
  - Encapsulation
    - Minimal data sharing
    - Few, well defined interfaces
    - Information Hiding – “Black Box”
Program Development
- Detailed Specs
- Peer Reviews & Walkthroughs
- Independent Testing
- Revision Control Systems
- Coding Standards!!!
Testing
- Module Testing
- Integration Testing
- Function Testing
- Performance Testing
- Acceptance Testing
- Regression Testing
Storage Covert Channel
[Diagram, time running left to right: a Service Program that is allowed to read the Protected Data leaks it one bit per interval to a Spy’s Program that is not, using nothing but whether a shared file exists. Interval 1: service does Create (sends 1); spy asks “File exists?”, answer Yes: 1. Interval 2: service does Delete (sends 0); spy asks “File exists?”, answer No: 0. Interval 3: service leaves the file deleted (sends 0); spy asks “File exists?”, answer No: 0. The spy accumulates the answers into the bits of the protected data.]
Detecting Covert Channels
- Shared Resource Matrix
  - Rows are shared resources (Lock File, Protected Data); columns are the subjects (Service Program, Spy’s Program); each cell holds R (can read) and/or M (can modify)
  - Cells as they survived extraction, in reading order: R M, R, R, R
  - A resource one subject can modify and a different subject can read is a potential storage channel: here the Lock File, which the Service Program creates/deletes and the Spy’s Program can test for
- Information Flow Method
  - Analysis of all inputs and outputs to a routine
  - Create dependency diagram
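The file-exists channel from the diagram and the shared-resource-matrix check that finds it, as an added example that is not part of the course slides. The shared file is modelled as a flag in a struct (shared_fs_t, an assumption made so the block runs anywhere; with a real file system the service would create()/unlink() and the spy would stat()), and the matrix contents are constructed to match the lock-file/protected-data example on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The only thing the two programs share: whether the lock file exists.
 * Modelled as a flag (assumption, see lead-in) instead of a real file. */
typedef struct { int lock_file_exists; } shared_fs_t;

/* Service program: has legitimate read access to the protected data and
 * sends it one bit per interval by creating (1) or deleting (0) the file. */
void service_send_bit(shared_fs_t *fs, int bit)
{
    fs->lock_file_exists = bit ? 1 : 0;   /* Create(1) / Delete(0) */
}

/* Spy program: may not read the protected data, but may test for the file. */
int spy_receive_bit(const shared_fs_t *fs)
{
    return fs->lock_file_exists ? 1 : 0;  /* Exists? Yes: 1 / No: 0 */
}

/* Whole exchange: each byte of `secret` costs 8 intervals, MSB first.
 * Returns the number of bytes the spy reconstructed into `leaked`. */
size_t run_storage_channel(const char *secret, char *leaked, size_t leaked_len)
{
    shared_fs_t fs = {0};
    size_t n, i;
    int b;

    if (leaked_len == 0)
        return 0;
    n = strlen(secret);
    if (n + 1 > leaked_len)
        n = leaked_len - 1;
    for (i = 0; i < n; i++) {
        unsigned char out = 0;
        for (b = 7; b >= 0; b--) {          /* one interval per bit */
            service_send_bit(&fs, ((unsigned char)secret[i] >> b) & 1);
            out = (unsigned char)((out << 1) | spy_receive_bit(&fs));
        }
        leaked[i] = (char)out;
    }
    leaked[n] = '\0';
    return n;
}

/* Shared Resource Matrix analysis: rights[r][s] holds the access subject s has
 * to resource r (ACC_R, ACC_M or both). A resource that one subject can modify
 * and a different subject can read is a storage-channel candidate. Returns how
 * many resources qualify and sets candidate[r] = 1 for each of them. */
#define ACC_R 1
#define ACC_M 2
#define MAX_RES 4
#define MAX_SUBJ 4

size_t find_storage_channels(const unsigned char rights[MAX_RES][MAX_SUBJ],
                             size_t n_res, size_t n_subj, int *candidate)
{
    size_t r, w, s, found = 0;
    for (r = 0; r < n_res; r++) {
        candidate[r] = 0;
        for (w = 0; w < n_subj && !candidate[r]; w++) {
            if (!(rights[r][w] & ACC_M))
                continue;                     /* w cannot write resource r */
            for (s = 0; s < n_subj; s++)
                if (s != w && (rights[r][s] & ACC_R))
                    candidate[r] = 1;         /* someone else can read it */
        }
        found += (size_t)candidate[r];
    }
    return found;
}

int main(void)
{
    /* Constructed matrix: rows = lock file, protected data;
     * columns = service program, spy's program. */
    unsigned char rights[MAX_RES][MAX_SUBJ] = {{0}};
    int cand[MAX_RES];
    char leaked[16];

    rights[0][0] = ACC_R | ACC_M;   /* service: lock file R,M  */
    rights[0][1] = ACC_R;           /* spy:     lock file R    */
    rights[1][0] = ACC_R;           /* service: protected data R */
    printf("storage-channel candidates: %zu (lock file: %d, protected data: %d)\n",
           find_storage_channels(rights, 2, 2, cand), cand[0], cand[1]);
    run_storage_channel("Hi", leaked, sizeof leaked);
    printf("spy received: \"%s\"\n", leaked);
    return 0;
}
```

The matrix finds the channel without looking at any code: the lock file is the only row with an M in one column and an R in another. Closing it means removing one of those two rights (the spy loses the ability to test for the file) or accepting the channel and limiting its bandwidth, since every interval leaks at most one bit.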