CSCE 522 - Farkas 2
Reading
Reading for this lecture:
Required:
– Pfleeger: Ch. 3
Recommended:
– USC Computing Services – Virus Information Center
– L. Constantin, Eastern European cybercriminals trump Asian counterparts, researchers say, http://www.computerworld.com/s/article/9231563/Eastern_European_cybercriminals_trump_Asian_counterparts_researchers_say?taxonomyId=82&pageNumber=1
Program Flaws
Taxonomy of flaws, classified by
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
Security Flaws by Genesis
Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error
Flaws by Time
Time of introduction
– During development
  Requirement/specification/design
  Source code
  Object code
– During maintenance
– During operation
Flaws by Location
Location
– Software
  Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
  Support: privileged utilities, unprivileged utilities
  Application
– Hardware
Slammer Worm
The Slammer worm (Sapphire worm) was the fastest worm in history
– Start: Saturday, Jan. 25, 2003
– Doubled in size every 8.5 seconds at its peak
– Infected more than 90 percent of the vulnerable hosts within 10 minutes using a vulnerability in Microsoft's SQL Server
– Total infected: more than 75,000 hosts
– Flooded networks all over the world, caused disruptions to financial institutions, ATMs, and even an election in Canada
– http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/etc/maps.html
History
1982: Elk Cloner
1983: "virus"
1988: Internet Worm
1990: antivirus software
2000s: virus mitigation
Kinds of Malicious Code
Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not stand-alone programs: they cannot run on their own.
Bacteria: make copies of themselves to overwhelm a computer system's resources, denying the user access to the resources.
Kinds of Malicious Code
Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses.
Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.
Kinds of Malicious Code
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed.
Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication.
Dropper: not a virus or infected file. When executed, it installs a virus into memory, onto the disk, or into a file.
Virus
Virus lifecycle:
1. Dormant phase: the virus is idle (not all viruses have this stage).
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.
Virus Types
Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.
Virus Types
Boot Sector Viruses:
– Infects the boot record and spreads when the system is booted.
– Gains control of the machine before the virus detection tools.
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS
Virus Types
Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.
Polymorphic virus: a virus that mutates with every infection, making detection by the "signature" of the virus difficult.
How Viruses Append
[Figure: original program + virus = virus appended to program]
How Viruses Append
[Figure: original program + virus = virus surrounding a program (Virus-1 placed before and Virus-2 after the original program)]
How Viruses Append
[Figure: original program + virus = virus integrated into program (pieces Virus-1 to Virus-4 placed within the original program)]
How Viruses Gain Control
Virus V has to be invoked instead of target T.
– V overwrites T
– V changes pointers from T to V
High risk virus properties:
– Hard to detect
– Hard to destroy
– Spread infection widely
– Can re-infect
– Easy to create
– Machine independent
Virus Signatures
Storage pattern
– Code always located at a specific address
– Increased file size
Execution pattern
Transmission pattern
Polymorphic Viruses
Antivirus Approaches
Detection: determine infection and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.
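The four antivirus steps above, together with the "increased file size" storage pattern from the Virus Signatures slide and the three append layouts (appended, surrounding, integrated), can be exercised on constructed data. The following scanner is an added example written for these notes; it is not code from the slides or from Pfleeger. The signature byte patterns, the file contents and the infection layouts are all constructed for the demonstration. Detection combines a signature match with an integrity baseline (size and SHA-256 recorded while the files were clean), so an unknown or polymorphic virus with no signature is still detected as a change; identification names the matching signature; removal and recovery carve the original program back out of an appended or prepended infection and verify it against the baseline hash, and give up (backup required) when the virus is integrated into the program body.

```python
"""Signature- and integrity-based virus detection over constructed sample files."""
import hashlib

# Constructed detection signatures for this example (not real malware patterns).
SIGNATURES = {
    "Demo.Appender": b"<DEMO-APPENDER-SIG>",
    "Demo.Prepender": b"<DEMO-PREPENDER-SIG>",
    "Demo.Integrator": b"<DEMO-INTEGRATOR-SIG>",
}

# Constructed "programs" standing in for executables on disk.
CLEAN_FILES = {
    "editor.exe": b"MZ editor program body, version 1.0",
    "calc.exe": b"MZ calculator program body",
    "viewer.exe": b"MZ viewer program body with two halves",
    "shell.exe": b"MZ shell program body",
    "notes.txt": b"just a text file",
}


def make_infected(clean):
    """Build the infection layouts from the slides (appended, surrounding,
    integrated) plus one unknown virus with no signature. Constructed test data."""
    inf = dict(clean)
    inf["editor.exe"] = clean["editor.exe"] + SIGNATURES["Demo.Appender"]
    inf["calc.exe"] = SIGNATURES["Demo.Prepender"] + clean["calc.exe"]
    half = len(clean["viewer.exe"]) // 2
    inf["viewer.exe"] = (clean["viewer.exe"][:half]
                         + SIGNATURES["Demo.Integrator"]
                         + clean["viewer.exe"][half:])
    # appended code that matches no signature: only the integrity check sees it
    inf["shell.exe"] = clean["shell.exe"] + b"<unknown appended code>"
    return inf


def baseline(files):
    """Record size and SHA-256 of every file while the system is known clean."""
    return {n: (len(b), hashlib.sha256(b).hexdigest()) for n, b in files.items()}


def recover(data, base_entry):
    """Removal + recovery: carve the original program out of an appended or
    prepended infection and verify it against the baseline hash. Returns None
    for an integrated virus, where only restoring from backup helps."""
    size, digest = base_entry
    for candidate in (data[:size], data[-size:]):
        if len(candidate) == size and hashlib.sha256(candidate).hexdigest() == digest:
            return candidate
    return None


def scan(files, base):
    """Per file: detection (infected?), identification (which virus?), the
    storage-pattern evidence (size delta) and whether recovery succeeded."""
    report = {}
    for name, data in files.items():
        size, digest = base[name]
        identified = [v for v, sig in SIGNATURES.items() if sig in data]
        hash_changed = hashlib.sha256(data).hexdigest() != digest
        detected = bool(identified) or hash_changed
        recovered = recover(data, base[name]) if detected else None
        report[name] = {
            "detected": detected,
            "identified": identified[0] if identified else None,
            "size_delta": len(data) - size,
            "recovered": recovered is not None,
        }
    return report


def scan_sample():
    """Run the scanner over the constructed infected set against a clean baseline."""
    return scan(make_infected(CLEAN_FILES), baseline(CLEAN_FILES))


if __name__ == "__main__":
    for name, finding in scan_sample().items():
        print(f"{name:12s} {finding}")
```

The baseline is the part that matters operationally: signature matching alone misses `shell.exe`, while the recorded hash catches it, which is why the slides list "increased file size" under storage patterns and "retain backup copies" under limiting damage.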
Preventing Virus Infection
Prevention:
Good source of installed software
Isolated testing phase
Use virus detectors
Limit damage:
Make bootable diskette
Make and retain backup copies of important resources
Worm
Self-replicating (like virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., host tables)
– Establishes connection with remote system
– Copies itself to remote system
– Execute
Covert Channel - Trojan Horse
[Figure: only John is permitted to access the document. A Trojan Horse (TH) installed in MS Word copies John's document to the Spy's document copy.]
Covert Channel
Need: Two active agents
– Sender (has access to unauthorized information) – e.g., TH in MS Word
– Receiver (reads sent information) – e.g., program creating the copy
Encoding schema
– How the information is sent – e.g.,
  File F exists: 0
  File F does not exist: 1
Synchronization – e.g., when to check for existence of F
Storage Covert Channels
Based on properties of resources
Examples:
– File locks
– Delete/create file
– Memory allocation
Timing Covert Channel
Time is the factor – how fast
Examples:
– Processing time
– Transmission time
Covert Channel Detection and Removal
Identification:
Shared resources
Program code correctness
Information flow analysis
Removal:
Total removal – may not be possible
Reduce bandwidth
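The "shared resources" identification approach above can be applied to the exact channel defined on the Covert Channel slide (file F exists = 0, does not exist = 1, receiver checks on a clock). The detector below is an added example written for these notes, not code from the slides. It reads a constructed file-audit log in a hypothetical `t=... pid=... OP path` format (the format, the process ids and the paths are all assumptions made up for the example), groups events by shared file, and flags a file where one set of processes only creates and deletes it while a disjoint set polls its existence on a regular clock. For a flagged file it reconstructs the bit stream a receiver would have obtained and estimates the channel bandwidth, which is the figure the "reduce bandwidth" countermeasure would need to drive down.

```python
"""Storage covert channel detector over a constructed file-audit log."""
import re
import statistics
from collections import defaultdict

# Constructed audit lines (hypothetical format, not from any real auditd/ETW
# output). Process 101 signals bits by creating/deleting /tmp/F on a 100 ms
# clock; process 202 polls existence 50 ms after each tick. Processes 303 and
# 404 are ordinary activity that must not be flagged.
SAMPLE_LOG = """\
t=0.00 pid=101 CREATE /tmp/F
t=0.02 pid=303 CREATE /home/john/notes.txt
t=0.05 pid=202 STAT /tmp/F exists=1
t=0.10 pid=101 DELETE /tmp/F
t=0.15 pid=202 STAT /tmp/F exists=0
t=0.20 pid=101 CREATE /tmp/F
t=0.25 pid=202 STAT /tmp/F exists=1
t=0.30 pid=303 STAT /home/john/notes.txt exists=1
t=0.35 pid=202 STAT /tmp/F exists=1
t=0.40 pid=101 DELETE /tmp/F
t=0.45 pid=202 STAT /tmp/F exists=0
t=0.50 pid=101 CREATE /tmp/F
t=0.55 pid=202 STAT /tmp/F exists=1
t=0.61 pid=404 STAT /etc/hosts exists=1
t=0.65 pid=202 STAT /tmp/F exists=1
t=0.75 pid=202 STAT /tmp/F exists=1
t=0.90 pid=404 STAT /etc/hosts exists=1
"""

LINE_RE = re.compile(
    r"t=(?P<t>\d+\.\d+) pid=(?P<pid>\d+) (?P<op>CREATE|DELETE|STAT) (?P<path>\S+)"
    r"(?: exists=(?P<exists>[01]))?"
)


def parse_log(text):
    """Turn audit lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({
                "t": float(d["t"]), "pid": int(d["pid"]), "op": d["op"],
                "path": d["path"],
                "exists": None if d["exists"] is None else int(d["exists"]),
            })
    return events


def bits_to_bytes(bits):
    """Pack a '0'/'1' string into bytes, dropping an incomplete trailing byte."""
    full = bits[: len(bits) - len(bits) % 8]
    return bytes(int(full[i:i + 8], 2) for i in range(0, len(full), 8))


def find_storage_channels(events, min_polls=8, max_jitter=0.2):
    """Flag shared files with a disjoint writer set (CREATE/DELETE) and reader
    set (STAT) where the reader polls on a regular clock (low jitter)."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    findings = {}
    for path, evs in by_path.items():
        writers = {e["pid"] for e in evs if e["op"] in ("CREATE", "DELETE")}
        polls = [e for e in evs if e["op"] == "STAT"]
        readers = {e["pid"] for e in polls}
        # a channel needs a sender and a different receiver on the same resource
        if not writers or not readers or writers & readers:
            continue
        if len(polls) < min_polls:
            continue
        gaps = [b["t"] - a["t"] for a, b in zip(polls, polls[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if jitter > max_jitter:
            continue  # irregular polling looks like ordinary use, not a clock
        # the slide's encoding: file exists -> 0, file absent -> 1
        bits = "".join("0" if p["exists"] else "1" for p in polls)
        duration = polls[-1]["t"] - polls[0]["t"] + mean_gap
        findings[path] = {
            "sender": sorted(writers), "receiver": sorted(readers),
            "bits": bits,
            "bandwidth_bps": round(len(bits) / duration, 2),
            "decoded": bits_to_bytes(bits),
        }
    return findings


def detect_sample():
    """Run the detector over the constructed log."""
    return find_storage_channels(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for path, f in detect_sample().items():
        print(path, f)
```

The two thresholds are the tuning knobs a defender has: raising `min_polls` trades detection latency for fewer false positives, and the jitter bound is what a "reduce bandwidth" countermeasure such as randomised scheduling would push the channel into, since a receiver that can no longer poll on a clean clock loses both bits and synchronisation.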