CSCE 201

Attacks on Desktop Computers: Malicious Code, Hardware Attacks

CSCE 201 - Farkas 2

Reading list:
– M. Ciampa, Security Awareness: Chapter 2
– Malicious Codes in Depth, http://www.securitydocs.com/library/2742
– USC Computer Services – Virus Information Center, http://www.uts.sc.edu/itsecurity/antivirus.shtml

Program Flaws

Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system

Security Flaws by Genesis

Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Rootkits, Botnets, Covert channels
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error

Kinds of Malicious Code

Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function.

Rabbit (Bacteria): a program that consumes system resources by replicating itself.

Kinds of Malicious Code

Worm: a program that propagates copies of itself through the network. Usually performs some unwanted function.
– Does not attach to other programs

Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.

Kinds of Malicious Code

Logic bomb, time bomb: logic embedded in a program that checks for a certain set of conditions to be present in the system. When these conditions are present, some malicious code is executed.

Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.

Kinds of Malicious Code

Rootkits: aim to hide the presence of themselves and other malicious code on the computer by corrupting detection capabilities. Usually limited to the corrupted computer.

Zombies and Botnets: computers under the control of a remote entity. Attackers' goals: spreading viruses, attacking internet communications, stealing personal data, manipulating online polls, DoS.

Virus

Virus lifecycle:
1. Dormant phase: the virus is idle. (Not all viruses have this stage.)
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.

Virus Types

Transient (parasitic) virus: most common form. Attaches itself to a file and replicates when the infected program is executed.

Memory resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.

Virus Types

Boot Sector Viruses:
– Infects the boot record and spreads when the system is booted.
– Gains control of the machine before the virus detection tools.
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

Virus Types

Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.

Polymorphic virus: a virus that mutates with every infection, making detection by the “signature” of the virus difficult.

How Viruses Append

[Figure: Original program + virus = virus appended to program]

[Figure: Original program + virus = virus surrounding a program (Virus-1 placed before the program, Virus-2 after it)]

[Figure: Original program + virus = virus integrated into program (Virus-1, Virus-2, Virus-3, Virus-4 placed among the program's own code)]

High Risk Virus Properties

– Hard to detect
– Hard to destroy
– Spread infection widely
– Can re-infect
– Easy to create
– Machine independent

Virus Signatures

Storage pattern
– Code always located at a specific address
– Increased file size
Execution pattern
Transmission pattern
Polymorphic Viruses

Antivirus Approaches

Detection: determine infection and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.
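The storage-pattern signature (a file that has grown or changed) and the detection/recovery steps above can be turned into a small integrity check. The following is an added example, not code from the lecture; it builds a constructed stand-in "program" in a temporary directory, appends inert padding to it to mimic a size change, flags the mismatch against a baseline of sizes and SHA-256 hashes, and restores the retained backup copy.

```python
# Added example, not from the lecture slides: a minimal file-integrity baseline
# that spots the "storage pattern" a file-infecting virus leaves (changed
# contents, typically a larger file) and restores the retained backup copy.
import hashlib
import os
import shutil
import tempfile

def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def take_baseline(paths):
    """Record size and hash of every trusted program file (done on a clean system)."""
    return {p: fingerprint(p) for p in paths}

def scan(baseline):
    """Detection: report files whose size or hash no longer match the baseline."""
    findings = {}
    for path, (size, digest) in baseline.items():
        cur_size, cur_digest = fingerprint(path)
        if (cur_size, cur_digest) != (size, digest):
            findings[path] = {"grew_by": cur_size - size,
                              "hash_changed": cur_digest != digest}
    return findings

def restore(findings, backup_dir):
    """Recovery: overwrite each flagged file with its retained backup copy."""
    for path in findings:
        shutil.copyfile(os.path.join(backup_dir, os.path.basename(path)), path)
    return sorted(findings)

def demo():
    """Constructed scenario: a stand-in 'program' gets 64 inert bytes appended,
    the scan flags it, and the backup copy is restored."""
    work, backups = tempfile.mkdtemp(), tempfile.mkdtemp()
    prog = os.path.join(work, "app.bin")
    with open(prog, "wb") as f:
        f.write(b"ORIGINAL PROGRAM BYTES")          # constructed sample content
    shutil.copyfile(prog, os.path.join(backups, "app.bin"))
    baseline = take_baseline([prog])
    with open(prog, "ab") as f:
        f.write(b"\x00" * 64)                       # inert padding, not real code
    findings = scan(baseline)
    restored = restore(findings, backups)
    return findings[prog]["grew_by"], len(restored), scan(baseline)
```

A size-only check would miss a virus that overwrites bytes in place, which is why the hash is compared as well; the baseline itself must be stored where the monitored system cannot alter it.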

Preventing Virus Infection

Prevention:
– Good source of software installed
– Isolated testing phase
– Use virus detectors
Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources

Worm

Self-replicating (like a virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., host tables)
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes

Hardware Attacks

Basic Input/Output System (BIOS)
USB Devices
Cell Phones
Physical Theft

BIOS Attacks

BIOS:
– Recognizes and controls different devices on the computer system
– Executed when the computer is turned on
Old computers: Read Only Memory (ROM)
New computers: Programmable Read Only Memory (PROM)
– Flashing the BIOS can disable the computer completely

USB Devices

Universal Serial Bus (USB)
Small, light weight, removable, rewriteable
NO SECURITY
Control:
– Organizational policy
– Disable USB in hardware
– Disable USB in software
– Use third party software

How to Prevent USB Attacks?

USBDetect 3.0
– Developed by the NSA
– Monitors USB ports on PCs attached to a network
– Automatically reports back any unauthorized activity, including flash or hard disks, and external CD or DVD drives
Not available for the general public

Cell Phones

Extended phone capabilities
Risk associated with cell phones
– US CERT, Defending Cell Phones and PDAs Against Attack, http://www.us-cert.gov/cas/tips/ST06-007.html
– M. Murray, Can Cell Phones Compromise Your Network?, April 2010, http://www.businessweek.com/technology/content/apr2006/tc20060413_027470.htm
– M. Zetlin, Cell Phones: A Security Risk to Your Business?, March 2010, http://www.inc.com/telecom/articles/201003/cellphone.html

US-CERT Security Risk of Cell Phones and PDAs

Abuse your service: e.g., extra charges, download malicious code

Lure you to a malicious web site: e.g., phishing using text messages, visit phishing web sites, etc.

Use your cell phone or PDA in an attack: e.g., attackers compromise device and use it as the origin of attack

Gain access to account information: e.g., access to all personal data stored on the device

How to Protect Cell Phones/PDAs?

Follow general guidelines for protecting portable devices
Be careful about posting your cell phone number and email address
Do not follow links sent in email or text messages
Be wary of downloadable software
Evaluate your security settings

Protection of Portable Devices

Use passwords correctly
Consider storing important data separately
Encrypt files
Install and maintain anti-virus software
Install and maintain a firewall
Back up your data

Physical Theft

See previous lectures on physical security and protecting laptops (08/27, 2010)

Next Class

Defending personal computers – Overview

M. Ciampa, Security Awareness, Chapter 2