Introduction to Computer Security
Instructor:
Mahadevan Gomathisankaran
CSCE 4550/5550, Fall 2009, Lecture 16
Malware
• Virus: Infects programs/systems by attaching to them
  – First wide-spread type of malware
  – Often used as a generic term (“virus scanners” detect more than viruses!)
• Trojan Horse: Program with both obvious and non-obvious (and malicious) actions
  – Different from a virus in that it doesn't generally attach itself to non-malware
• Worm: Spreads copies of itself through a network
  – Often passed as a stand-alone program (not attached to another program as a virus is)
  – Can spread automatically or with user intervention
Malware Actions
• Common goals:
  – Spread widely
  – Remain undetected
    • “Rootkits” replace standard system commands to hide processes (replace “ps”) and files (replace “ls”)
    • Kernel-level rootkits go deeper, hiding things from all programs
• Other functionality:
  – Backdoor: Allows unauthorized users access to the system
  – Destructive functions: Delete files, ...
  – Monitoring (privacy violation):
    • Spyware – browsing/execution history
    • Keystroke loggers – capture passwords, passphrases
    • Have even tapped into webcams!
Malware Behavior
• Different infection vectors
  – Regular software distribution (disk or network)
  – Vulnerable network services
  – Vulnerable applications
  – E-mail: automatically, or by fooling the user into running the attachment
• Malicious behavior control
  – Could execute immediately
  – Can “trigger” on a specific time (“time bomb”) or condition (“logic bomb”)
  – Could try to always stay stealthy (bots, backdoors)
Malware - Examples
• 1986: Brain virus (first PC virus – more later!)
• 1987: Jerusalem
– First PC virus to cause widespread damage
– Attached to .COM and .EXE executable files
– On any Friday the 13th, deleted any program run
• 1992: Michelangelo
– On Michelangelo’s birthday (March 6) wiped disks
– McAfee predicted 5,000,000 computers would be infected – only about 10,000 were. Sales gimmick?
Malware - Examples
• 1999: Melissa
– MS-Word macro virus
– When document opened, sent itself to first 50 entries in address book
– No direct damage, but seriously clogged many mail servers and networks
– Estimated to have hit 100,000 computers in first weekend
• 2000: Love Bug
– VBScript virus, spread by e-mail / MS-Outlook (similar to Melissa)
– Malicious actions: deleted media files (.jpg, .mp3, …)
– Author from the Philippines, and basically got away with it
• 2001: Code Red – spread via a buffer overflow in MS IIS
• 2003: Slammer – spread via a buffer overflow in MS SQL Server; Blaster (later the same year) – spread via the Windows RPC/DCOM bug (MS03-026)
Viruses and Worms
• Anonymous malicious code
• Virus: a code segment that replicates itself by attaching copies to executables
  – Replicates itself
  – Needs a host program as a carrier
  – Activated externally (when the host is run)
  – Can spread through any medium
• Worm: a program that replicates itself and causes the execution of the new copy
  – Replicates itself
  – No need for a host; copies itself as a stand-alone program
  – Activated by hijacking or creating a host process
  – Operates through networks
Viruses – Basic Concepts
• Term introduced by Fred Cohen in 1983 (he credits his adviser Leonard Adleman with suggesting it)
• Malicious code attaches to active content
  – “Active content” can be a program, script, boot sector, library, …
Some possibilities (figure, reconstructed):

  Uninfected:
      Start:  mov eax,…        (Good Program)
              <next instr>

  (a) Virus appended, first instruction of the host replaced by a jump:
      Start:  jmp VStart       (Good Program)
              <next instr>
      …
      VStart: mov eax,…        (Virus: re-executes the displaced instruction)
              jmp Start+1      (then continues the original program)

  or

  (b) Virus placed in front, original program left intact:
      VStart: …                (Virus)
              jmp Start
      Start:  mov eax,…        (Good Program)
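The layout in figure (a), as an added example that is not part of the lecture: a toy "executable" is a list of instruction strings with an entry index, `infect` patches the first instruction into a jump to the appended virus body, the virus re-executes the displaced instruction and jumps back to `Start+1`, and `disinfect` shows the repair a scanner performs. `Program`, `infect`, `run`, `disinfect`, the infection `MARKER` and the instruction strings are all made up for the illustration; no real executable format is involved.

```python
# Added example (not from the lecture): a toy model of the "patch the entry point,
# append the virus body" infection shown in the figure. Program, infect, run,
# disinfect and the instruction strings are all made up for the illustration;
# no real executable format is involved.
from dataclasses import dataclass
from typing import List

MARKER = "nop ; infected"   # infection marker so the virus does not re-infect a host

# The virus's own actions, as placeholder instructions.
VIRUS_BODY = ["call spread", "call payload"]


@dataclass
class Program:
    code: List[str]      # one instruction per entry
    entry: int = 0       # index of the first instruction ("Start" in the figure)


def infect(host: Program) -> bool:
    """Overwrite the host's first instruction with 'jmp VStart', append the
    virus, have the virus re-execute the displaced instruction and jump back
    to Start+1. Returns False if the host already carries the marker."""
    if MARKER in host.code:
        return False
    start = host.entry
    displaced = host.code[start]           # must be position-independent to be movable
    vstart = len(host.code)                # virus lives past the end of the program
    host.code[start] = f"jmp {vstart}"
    host.code.extend([MARKER] + VIRUS_BODY + [displaced, f"jmp {start + 1}"])
    return True


def disinfect(prog: Program) -> bool:
    """What a scanner's 'repair' does: put the displaced instruction back and
    cut the virus off the end. Relies on the virus's fixed layout."""
    if MARKER not in prog.code:
        return False
    vstart = prog.code.index(MARKER)
    prog.code[prog.entry] = prog.code[-2]  # displaced instruction sits before the final jmp
    del prog.code[vstart:]
    return True


def run(prog: Program, max_steps: int = 100) -> List[str]:
    """Tiny interpreter: follows 'jmp N', stops at 'ret', records every other
    instruction it executes, in order."""
    trace: List[str] = []
    pc = prog.entry
    steps = 0
    while 0 <= pc < len(prog.code) and steps < max_steps:
        steps += 1
        ins = prog.code[pc]
        if ins.startswith("jmp "):
            pc = int(ins.split()[1])
            continue
        trace.append(ins)
        if ins == "ret":
            break
        pc += 1
    return trace


if __name__ == "__main__":
    good = Program(["mov eax,1", "call work", "ret"])
    print("clean   :", run(good))
    infect(good)
    print("infected:", good.code)
    print("trace   :", run(good))     # virus runs first, then the original program
    disinfect(good)
    print("repaired:", good.code)
```

The trace of the infected program is the virus body followed by exactly the original program's trace, which is why a user notices nothing. The comment on `displaced` is the real-world catch: a displaced instruction that contains a relative branch or a reference to its own address breaks when moved, so real file viruses either inspect the first instruction or use layout (b) instead.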
Viruses – Boot Sector Virus
• Boot process of a PC
  1. Starts in BIOS with POST, initialization, …
  2. Loads the first sector off the boot device (disk)
  3. Runs the code found there, which typically chains to a larger “loader”
• A virus can make sure it gets control by placing itself in the boot sector
Viruses – Historical
• Early days of PCs were different:
– Booted off floppies, which held O.S. and programs as well as data
– Floppies were carried and swapped, so viruses spread easily
– No “users” or access control in MS-DOS or Windows 3.1/95, so everything was vulnerable!
• Some early solutions:
– BIOS and O.S. started checking boot sectors
– MS-DOS started putting “checksums” in directories
How a Virus Works
• Attaches itself by
  – Appending to a program or e-mail
    • Executes with the program
  – Surrounding a program
    • Executes before and after the program
    • Leaves no tracks
  – Integrating into or replacing program code
• Gains control
  – Virus replaces the target
• Resides in one or more of the following
  – Memory
  – Application program
  – Boot sector
  – Libraries
Truths about Viruses
• Viruses
  – can infect any OS
  – can modify “hidden” or “read only” files
  – can appear anywhere in the system (not only in documents and data files)
  – can spread any place where sharing occurs
  – cannot remain in memory indefinitely
    • If a virus is memory resident, it is gone from RAM when the power is off. But the virus has most probably copied itself to disk!!
  – can infect software, but not directly hardware
  – can be malevolent, benevolent, or benign
    • E.g. compressing some files. Still, this is done outside the user's control
What to do Against Viruses
• Detection: Trace the following
– Virus signatures
– Storage patterns
– Execution patterns
– Transmission patterns
• Prevention
– Don’t share executables
– Use commercial software from reliable sources
– Test new software on isolated computers
– Open only safe attachments
– Backup a recoverable system image in a safe place
– Backup executable system file copies
– Use regularly updated virus detectors
An Early Virus – “The Brain”
• Discovered in 1986
  – Thought to be the first PC virus “in the wild”
  – Originated in Pakistan (sometimes called the “Pakistani Brain”)
• What it did:
  – Located itself in high memory and stayed resident
  – Copied itself to the boot sector
  – Copied the original boot sector and extra copies of itself to various disk locations, marked as “bad sectors”
  – Intercepted all disk read/write requests to fake a read of the boot sector (returned the original copy instead)
  – During disk read/write, spread itself to all uninfected disks
  – Otherwise no direct damage
Macro Viruses
• Now: Data is not always passive!
  – MS-Word .doc's can contain macros
  – Many files (HTML, e-mail) can contain VBScript or JavaScript
• One of the earliest: Melissa (1999)
  – Used macro access to the Outlook address book
• Half-fix: MS-Word/Excel/etc. now warn if a document with macros is opened
  – How many people click “Enable Macros” without really knowing what this does?!?
Virus Hoaxes
• Many virus hoaxes over the years:
  – “Virus Flambé”: rumored to set the monitor sync rate so high that it would burst into flames!
  – Blue Mountain greeting card virus hoax: claimed a virus in electronic greeting cards…
  – “Goodtimes” hoax (1994): First widespread hoax
• Bottom line: Always check with a reputable security/virus company (McAfee and Norton/Symantec both distribute good info)
  – Fun reading: http://hoaxbusters.ciac.org
Worms – Basics
• Specifically spread over a network
  – Less “disk swapping” now, but more network connectivity
  – Not completely different from a virus
    • Could infect executables after using the network to spread
    • But usually just installs on the system as extra, complete files
  – Spread can either be automatic or require user action
    • Often tries to trick a user into opening an active attachment
    • File extensions can be disguised to trick the user (file.jpg.exe)
    • Automatic spreading by e-mail (e.g., exploiting a bug in Outlook) or via vulnerable network services (MS IIS, SQL Server, …)
Types of Worms
• Memory based
  – The payload arrives as packets on an open port
  – Takes advantage of a program vulnerability
  – Hijacks the program
  – Self-propagates
• E-mail based
  – The payload arrives as an e-mail attachment
  – Payload gets executed via
    • Social engineering, or
    • A program vulnerability
  – Self-propagates
“The Internet Worm”
• First widespread, serious Internet incident
  – November 2, 1988
  – Supposed to spread but cause no other damage
    • But: a flaw in the replication logic let it repeatedly infect the same host
    • Clogged many systems – sysadmins simply disconnected
  – Exploited three weaknesses: guessed account passwords, a buffer overflow in fingerd, and sendmail's “debug mode”
  – Tracked down to Cornell grad student Robert Morris
    • Usually called the “Morris worm”
    • First person convicted under the 1986 Computer Fraud and Abuse Act (about $10k fine, 3 years' probation, 400 hours of community service)
• One good result: people started paying attention to security – CERT was created to respond to incidents
Recent Worms – Code Red
• Spread via an MS IIS buffer overflow vulnerability
• Discovered in Summer 2001
  – Analyzed in a marathon all-nighter, fueled by Mountain Dew Code Red (the source of the name!)
• Estimated 700,000 servers infected
• The damage cost $2–2.9 billion
• Possibly politically motivated
  – Message “Hacked by Chinese” left on machines
  – A few months after the “spy-plane” incident
  – Included a time-bomb DoS attack on www.whitehouse.gov
• Two main phases: scan/infect and attack (based on day of month)
Recent Worms – Slammer
• Also known as “Sapphire” or “SQL Slammer”
• Spread via a buffer overflow vulnerability in MS SQL Server
• Discovered in early 2003
• Extremely rapid spreading!
  – Infected hosts doubled every 8.5 seconds
  – Infected over 90% of vulnerable hosts in 10 minutes
  – Spread through a UDP service (port 1434), not TCP: a single packet infects, no handshake is needed, so the spread rate was limited only by bandwidth
Targeted Malicious Code
• Trapdoors: Undocumented entry point to a module
  – Program stubs left over from testing
  – Intentionally or unintentionally left
    • Simply forgotten
    • Left for testing or maintenance
      – unit testing: Ensure that program components work properly
      – integration testing: Test how modules function as they exchange messages
    • Risk of undefined opcodes!
    • Left intentionally for covert access
• Salami attack: Merges bits of innocent-looking, inconsequential data to yield powerful results
  – Ex: deliberate diversion of fractional cents
  – Very hard to detect
Malware Controls – Virus Scanners
• How can you protect against malware?
  – Extreme: Don't connect to a network and don't use untrusted software
    • Not very practical for most people
    • But certain high-security systems should be run this way!
  – Use a virus scanner on all machines
    • Detects known viruses and/or suspicious behavior
      – Typically looks for patterns or “signatures”
    • Must keep the known-virus database up to date!
      – Caution: Many anti-virus programs bundled with new computers have a limited “free trial period” for virus updates – then stop!
    • Even very good virus scanners aren't perfect:
      – Encrypted viruses (the body looks different under every key; only the decryptor stays constant)
      – Polymorphic viruses (the decryptor changes from copy to copy as well)
  – Use a virus scrubber on the e-mail server
    • Benefits: Run by dedicated people who make sure it's up to date
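Signature detection from the “What to do Against Viruses” list and the two limits named just above, as an added example that is not part of the lecture: a byte-pattern scanner, an encrypted copy of the same body that it misses, the constant decryptor that gives the encrypted virus away, and emulation (replaying the decryptor) that recovers the body. `VIRUS_BODY`, `SIGNATURE` and `DECRYPTOR_STUB` are constructed stand-ins, not bytes of any real malware.

```python
# Added example (not from the lecture): signature scanning, why a simple
# encrypted virus slips past it, and what scanners do about it. VIRUS_BODY,
# SIGNATURE and DECRYPTOR_STUB are constructed stand-ins, not real malware bytes.
import secrets
from typing import Dict, List

# Constructed "virus body": the plaintext a scanner vendor would extract a signature from.
VIRUS_BODY = b"open-addrbook;send-to-first-50;attach-self;" * 3
SIGNATURE = b"send-to-first-50;attach-self"

# Constructed stand-in for a small fixed decryption loop that an encrypted
# virus must ship in the clear so it can unpack its own body at run time.
DECRYPTOR_STUB = b"\x8b\x1e\x80\x37\xe2\xfa"


def scan_signature(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Plain byte-pattern matching: returns the names of every signature found."""
    return [name for name, sig in sigs.items() if sig in data]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def make_encrypted_copy(body: bytes, key: int = 0) -> bytes:
    """Each new copy of the virus picks a fresh key, so its encrypted body
    shares no byte pattern with any other copy. Layout: stub | key | ciphertext."""
    if key == 0:
        key = secrets.randbelow(255) + 1      # 1..255, never 0 (0 would leave plaintext)
    return DECRYPTOR_STUB + bytes([key]) + xor_bytes(body, key)


def scan_emulated(sample: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """What a scanner does about encrypted viruses: recognise the decryptor,
    run (here: replay) it to recover the body, then match signatures on that."""
    if sample.startswith(DECRYPTOR_STUB):
        key = sample[len(DECRYPTOR_STUB)]
        plain = xor_bytes(sample[len(DECRYPTOR_STUB) + 1:], key)
        return scan_signature(plain, sigs)
    return scan_signature(sample, sigs)


if __name__ == "__main__":
    sigs = {"toy-mailer": SIGNATURE}
    print("plain copy      :", scan_signature(VIRUS_BODY, sigs))
    copy1, copy2 = make_encrypted_copy(VIRUS_BODY), make_encrypted_copy(VIRUS_BODY)
    print("encrypted copy  :", scan_signature(copy1, sigs))        # [] -> missed
    print("copies identical:", copy1 == copy2)                      # almost always False
    print("stub signature  :", scan_signature(copy1, {"toy-decryptor": DECRYPTOR_STUB}))
    print("after emulation :", scan_emulated(copy1, sigs))
```

The `DECRYPTOR_STUB` match is the whole story of the arms race: an encrypted virus still carries one constant piece, so vendors sign the decryptor; a polymorphic virus then rewrites the decryptor in every copy, which is what pushes scanners toward emulation and behavioral heuristics rather than byte patterns.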
Malware Controls – System Integrity Protection – Tripwire
• Designed to detect unauthorized changes to files, e.g. the replaced commands a rootkit leaves behind
• Basic ideas:
  – Fingerprint system/configuration files
    • Uses a cryptographic hash (message digest)
  – All fingerprints stored in a database that is signed
  – Verification key and hashes available to everyone
    • Everyone can check the system
    • Have to be careful with the integrity of the verification key
    • Can automate and e-mail alerts
  – Private signature key encrypted with a passphrase
    • Updating the database only by the system administrator
• Some problems – need to remember to update the Tripwire database when software is installed/updated
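The scheme above, as an added example that is not Tripwire's code: fingerprint files, authenticate the table of fingerprints, and refuse to trust a table that fails authentication. Assumptions made for the example: SHA-256 fingerprints plus size and mode; an HMAC under a key derived from the administrator's passphrase stands in for the public-key signature the slide describes (which means, unlike Tripwire, the verifier needs the secret too); the “system binaries” and the rootkit-style replacement are constructed inside a temporary directory.

```python
# Added example (not Tripwire's code): a minimal file-integrity database in the
# style the slide describes. Assumptions: SHA-256 fingerprints; an HMAC under a
# key derived from the administrator's passphrase stands in for the public-key
# signature Tripwire uses, which means anyone verifying needs the secret too.
# The files and the "rootkit" replacement are constructed inside a temp dir.
import hashlib
import hmac
import json
import pathlib
import tempfile
from typing import Dict, List


def fingerprint(path: pathlib.Path) -> Dict[str, object]:
    """Cryptographic hash plus the metadata a rootkit would also have to preserve."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": st.st_mode & 0o777,
    }


def build_db(root: pathlib.Path, files: List[str], key: bytes) -> dict:
    """Fingerprint every listed file and authenticate the whole table."""
    entries = {name: fingerprint(root / name) for name in files}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def db_is_authentic(db: dict, key: bytes) -> bool:
    body = json.dumps(db["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, db["mac"])


def check(root: pathlib.Path, db: dict, key: bytes) -> Dict[str, str]:
    """Return {file: what changed}. Refuses to trust an unauthenticated database,
    since an attacker who can rewrite the table can hide any change."""
    if not db_is_authentic(db, key):
        raise ValueError("integrity database failed authentication")
    changed: Dict[str, str] = {}
    for name, expected in db["entries"].items():
        path = root / name
        if not path.exists():
            changed[name] = "missing"
            continue
        actual = fingerprint(path)
        diffs = [field for field in expected if expected[field] != actual[field]]
        if diffs:
            changed[name] = ",".join(diffs)
    return changed


def demo():
    """Baseline two 'system binaries', replace ps the way a user-level rootkit
    would, then show the check catching it and a forged database being rejected."""
    key = hashlib.sha256(b"admin passphrase (constructed)").digest()
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n")
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n")
        db = build_db(root, ["bin/ps", "bin/ls"], key)
        clean = check(root, db, key)                       # {} on an untouched system
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nreal-ps | grep -v 1337\n")
        found = check(root, db, key)                       # bin/ps flagged
        forged = json.loads(json.dumps(db))
        forged["entries"]["bin/ps"] = fingerprint(root / "bin" / "ps")   # attacker updates table
        return clean, found, db_is_authentic(forged, key)


if __name__ == "__main__":
    print(demo())
```

Two caveats the slide's “be careful with the verification key” points at: the key and the database must live somewhere the compromised host cannot rewrite (read-only media or another machine), and a kernel-level rootkit that lies to `read()` defeats any checker running on the infected kernel, which is why the check is best run from clean boot media.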
Controls Against Program Threats
• Developmental methods
– Software Engineering
• Operating System
• Administrative
Developmental methods – S/w Eng.
SDLC – Waterfall model (figure): Requirements Analysis → System Design → Program Design → Coding → Unit and Integration Testing → System Testing → Acceptance Testing → Maintenance
Activities that run across the whole SDLC: collaborative work teams, reviews, documentation, configuration management, project management
Controls Against Program Threats
• Modularity
  – Dividing a task into subtasks
  – Provides ease of program development and security
  – Modules should be single-purpose, small, simple, independent and loosely coupled
• Encapsulation
  – Isolating one component from the others
  – Easy to trace faults
• Information Hiding
  – Each component hides its implementation and design details from the others
Controls Against Program Threats
• Mutual Suspicion
  – Procedure A suspects that procedure B changes the content of array List (and B, in turn, does not trust what A hands it)

    procedure A {
        array List[5] = {1, 2, 3, 4, 5}
        …
        call B(List)
        …
    }
    procedure B {
        …
    }
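The A/B situation above worked through, as an added example that is not part of the lecture: a B that really does overwrite the caller's array, the naive A from the slide, then A's defensive call (hand B a copy, bound-check the answer) and a B that validates its input in turn. `untrusted_b`, `b_suspicious`, `call_guarded` and `a_naive` are names made up for the illustration.

```python
# Added example (not from the lecture): procedure A calling procedure B under
# mutual suspicion. untrusted_b, b_suspicious, call_guarded and a_naive are
# made up for the illustration.
from typing import Callable, List, Optional, Tuple


def untrusted_b(items: List[int]) -> int:
    """The B that A worries about: it returns a sum, but also overwrites the
    caller's array as a side effect."""
    items[0] = 999
    return sum(items)


def b_suspicious(items) -> int:
    """B does not trust A either: it validates what it is handed and works on
    its own copy, so a hostile caller cannot change the contents underneath it."""
    if not isinstance(items, list) or len(items) > 1000:
        raise ValueError("B: rejected argument")
    if not all(type(x) is int for x in items):
        raise ValueError("B: non-integer element")
    own = list(items)
    return sum(own)


def call_guarded(fn: Callable[[List[int]], int], items: List[int],
                 bound: int) -> Tuple[bool, Optional[int]]:
    """A's side of mutual suspicion: hand B a copy (so A's own data cannot
    change), and accept the result only if it has the expected type and lies
    inside a bound A can compute without trusting B."""
    snapshot = list(items)
    try:
        result = fn(snapshot)
    except Exception:
        return (False, None)
    if type(result) is not int or not 0 <= result <= bound:
        return (False, result)
    return (True, result)


def a_naive(items: List[int]) -> int:
    """A as in the slide: passes List straight through and trusts the answer."""
    return untrusted_b(items)


if __name__ == "__main__":
    data = [1, 2, 3, 4, 5]
    print(a_naive(data), data)                      # 1013 [999, 2, 3, 4, 5]  -> A's array was changed
    data = [1, 2, 3, 4, 5]
    bound = len(data) * max(data)                   # largest sum A will believe
    print(call_guarded(untrusted_b, data, bound), data)   # (False, 1013) [1, 2, 3, 4, 5]
    print(call_guarded(b_suspicious, data, bound))        # (True, 15)
```

The bound is deliberately something A can derive from its own data, not from B's answer; the point of mutual suspicion is that each side checks the other against what it already knows, rather than relying on the other side behaving.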
Controls Against Program Threats
• Confinement
  – Limit the access rights of a non-trustworthy program.
• Genetic Diversity
  – Obtain services from different providers so as to generate diversity; one flaw then cannot take down every component.
  – e.g. the Morris worm ran only on Unix and Code Red ran only on Windows
Controls Against Program Threats
• Techniques to build “solid software”
  – Peer Reviews: Sharing a product with colleagues to test its correctness
    • Review
    • Walk-through
    • Inspection
  – Hazard Analysis: Set of systematic techniques intended to expose potentially hazardous system states
    • Hazard and Operability Studies (HAZOP): Structured analysis technique from the process control and chemical plant industries
    • Failure Modes and Effects Analysis (FMEA): Bottom-up technique applied at the system component level
    • Fault Tree Analysis (FTA): Top-down technique that begins with a postulated hazardous system malfunction
Controls Against Program Threats
• Testing: Exercising the product to find faults, so that it can be made failure-free or fault tolerant
• Good design
• Prediction
• Static Analysis: Examine the system's design and code to check for security flaws before the system is up and running
  – Control flow structure
  – Data flow structure
  – Data structure
• Configuration management
• Analysis of mistakes