
Introduction to Computer Security

Instructor:

Mahadevan Gomathisankaran

[email protected]

CSCE 4550/5550, Fall 2009 Lecture 16 1

Malware

• Virus: Infects programs/systems by attaching to them
  – First wide-spread type of malware
  – Often used as a generic term (“virus scanners” detect more than viruses!)

• Trojan Horse: Program with both obvious and non-obvious (and malicious) actions
  – Different from a virus in that it doesn't generally attach itself to non-malware

• Worm: Spreads copies through a network
  – Often passed as a stand-alone program (not attached to another program as a virus is)
  – Can spread automatically or with user intervention


Malware Actions

• Common goals:
  – Spread widely
  – Remain undetected
    • “Rootkits” replace standard system commands to hide processes (replace “ps”) and files (replace “ls”)
    • Kernel-level rootkits go deeper, hiding things from all programs

• Other functionality:
  – Backdoor: Allows unauthorized users access to the system
  – Destructive functions: Delete files, ...
  – Monitoring (privacy violation):
    • Spyware – browsing/execution history
    • Keystroke loggers – capture passwords, passphrases
    • Have even tapped into webcams!


Malware Behavior

• Different infection vectors

– Regular software distribution (disk or network)

– Vulnerable network services

– Vulnerable applications

– E-mail: Automatic execution, or fooling the user into opening the attachment

• Malicious behavior control

– Could execute immediately

– Can “trigger” on a specific time (“time-bomb”) or condition (“logic bomb”)

– Could try to always stay stealthy (bots, backdoors)


Malware - Examples

• 1986: Brain virus (first PC virus – more later!)

• 1987: Jerusalem

– First PC virus to cause widespread damage

– Attached to .COM and .EXE executable files

– On any Friday the 13th, deleted any program run

• 1992: Michelangelo

– On Michelangelo’s birthday (March 6) wiped disks

– McAfee predicted 5,000,000 computers would be infected – only about 10,000 were. Sales gimmick?


Malware - Examples

• 1999: Melissa

– MS-Word macro virus

– When document opened, sent itself to first 50 entries in address book

– No direct damage, but seriously clogged many mail servers and networks

– Estimated to have hit 100,000 computers in first weekend

• 2000: Love Bug

– VBScript virus, spread by e-mail / MS-Outlook (similar to Melissa)

– Malicious actions: deleted media files (.jpg, .mp3, …)

– Author from the Philippines, and basically got away with it

• 2001: Code Red – spread via MS-IIS bug

• 2003: Slammer – spread via an MS-SQL Server bug (Blaster, also 2003, spread via a Windows RPC/DCOM bug)


Viruses and Worms

• Anonymous malicious code:

• Virus: a code segment that replicates itself by attaching copies to executables
  – Replicates itself
  – Needs a host program as a carrier
  – Activated externally (when the host is run)
  – Can spread through any medium

• Worm: a program that replicates itself and causes the execution of the new copy
  – Replicates itself
  – No need for a host; copies itself as a stand-alone program
  – Activated by hijacking or creating a host process
  – Operates through networks


Viruses – Basic Concepts

• Term coined by Fred Cohen in 1983

• Malicious code attaches to active content

– “Active content” can be program, script, boot sector, library, …


Figure (reconstructed from the slide, which drew the program and virus as boxes): some possibilities for how a virus attaches to a good program

  Uninfected:
      Start:  mov eax,…          (first instruction of the good program)
              <next instr>

  Possibility 1 – overwrite the entry instruction with a jump to the appended virus, which jumps back:
      Start:  jmp VStart
              <next instr>
              … good program …
      VStart: … virus body …
              jmp Start          (before jumping back the virus must restore the original “mov eax,…” at Start, or control would loop between the two jumps)

  or

  Possibility 2 – the virus carries the displaced instruction itself and resumes right after it:
      Start:  jmp VStart
              <next instr>
              … good program …
      VStart: mov eax,…          (the instruction that was overwritten)
              … virus body …
              jmp Start+1        (continue with <next instr>)

Viruses – Boot Sector Virus

• Boot process of a PC
  1. Starts in BIOS with POST, initialization, …
  2. Loads the first sector off the boot device (disk)
  3. Runs the code found there, which typically chains to a larger “loader”

• Virus can make sure it gets control by placing itself in the boot sector


Viruses – Historical

• Early days of PCs were different:

– Booted off floppies, which held O.S. and programs as well as data

– Floppies were carried and swapped, so viruses spread easily

– No “users” or access control in MS-DOS or Windows 3.1/95, so everything was vulnerable!

• Some early solutions:

– BIOS and O.S. started checking boot sectors

– MS-DOS started putting “checksums” in directories


How a Virus Works

• Attaches itself by
  – Appending to a program or e-mail
    • Executes with the program
  – Surrounding a program
    • Executes before and after the program
    • Leaves no tracks
  – Integrating into or replacing program code

• Gains control
  – Virus replaces the target

• Resides in one or more of the following

– Memory

– Application program

– Boot sector

– Libraries


Truths about Viruses

• Viruses
  – can infect any OS
  – can modify “hidden” or “read only” files
  – can appear anywhere in the system (not only in docs and data files)
  – can spread any place where sharing occurs
  – cannot remain in memory across a power-off
    • If a virus is memory resident, it is gone from RAM when the power is off. But the virus has most probably copied itself to disk!!
  – can infect software, but not directly hardware
  – can be malevolent, benevolent, or benign
    • E.g. compressing some files. Still, this is done outside the control of the user


What to do Against Viruses

• Detection: Trace the following

– Virus signatures

– Storage patterns

– Execution patterns

– Transmission patterns

• Prevention

– Don’t share executables

– Use commercial software from reliable sources

– Test new software on isolated computers

– Open only safe attachments

– Backup a recoverable system image in a safe place

– Backup executable system file copies

– Use regularly updated virus detectors


An Early Virus – “The Brain”

• Discovered in 1986
  – Thought to be the first PC virus “in the wild”
  – Originated in Pakistan (sometimes called the “Pakistani Brain”)

• What it did:
  – Located itself in high memory and stayed resident
  – Copied itself to the boot sector
  – Copied the original boot sector and extra copies of itself to various disk locations, marked as “bad sectors”
  – Intercepted disk read/write requests so that a read of the boot sector returned the saved original copy (an early stealth technique)
  – During disk read/write, spread itself to all uninfected disks
  – Otherwise no direct damage


Macro Viruses

• Now: Data not always passive!
  – MS-Word .doc’s can contain macros
  – Many files (HTML, e-mail) can contain VBScript or JavaScript

• One of the earliest: Melissa (1999)
  – Used macro access to the Outlook address book

• Half-fix: MS-Word/Excel/etc. now warn if a document with macros is opened
  – How many people click “Enable Macros” without really knowing what this does?!?


Virus Hoaxes

• Many virus hoaxes over the years:
  – “Virus Flambé”: rumored to set the monitor sync rate so high that it would burst into flames!
  – Blue Mountain greeting card virus hoax: claimed a virus in electronic greeting cards…
  – “Goodtimes” hoax (1994): First widespread hoax

• Bottom line: Always check with a reputable security/virus company (McAfee and Norton/Symantec both distribute good info)
  – Fun reading: http://hoaxbusters.ciac.org


Worms – Basics

• Specifically spread over a network

– Less “disk swapping” now, but more network connectivity

– Not completely different from a virus
  • Could infect executables after using the network to spread
  • But usually just installs on the system as extra, complete files

– Spread can either be automatic or require user action
  • Often try to trick a user into opening an active attachment
  • File names can use a double extension to trick the user (file.jpg.exe)
  • Automatic spreading by e-mail (e.g., exploiting a bug in Outlook) or via vulnerable network services (MS IIS, SQL Server, …)


Types of Worms

• Memory based
  – The payload arrives as packets on an open port
  – Takes advantage of a program vulnerability
  – Hijacks the program
  – Self-propagates

• E-mail based
  – The payload arrives as an e-mail attachment
  – Payload gets executed via
    • Social engineering, or
    • A program vulnerability
  – Self-propagates


“The Internet Worm”

• First widespread, serious Internet incident

– November 2, 1988

– Supposed to spread but cause no other damage

• But: Bug in replication code caused it to repeatedly infect same host

• Clogged many systems – sysadmins simply disconnected

– Exploited 3 weaknesses: guessed logins/passwords, a buffer overflow in fingerd, and sendmail “debug mode”

– Tracked down to Cornell grad student Robert Morris

• Usually called the “Morris worm”

• First person convicted under the 1986 Computer Fraud and Abuse Act (about $10k fine, 3 years' probation, 400 hours of community service)

• One good result: people started paying attention to security – CERT was created to respond to incidents


Recent Worms – Code Red

• Spread via MS IIS buffer overflow vulnerability

• Discovered in Summer 2001
  – Analyzed in a marathon all-nighter, fueled by Mountain Dew Code Red (the source of the name!)

• Estimated 700,000 servers infected
• Estimated damage: $2–2.9 billion

• Possibly politically motivated
  – Message “Hacked by Chinese” left on machines
  – A few months after the “spy-plane” incident
  – Included a timebomb DoS attack on www.whitehouse.gov

• Two main phases: scan/infect and attack (based on day of month)


An Example: Code Red Worm


Recent Worms – Slammer

• Also known as “Sapphire” or “SQL Slammer”

• Spread via buffer overflow vulnerability in MS SQL Server

• Discovered in early 2003

• Extremely rapid spreading!

– Infected hosts doubled every 8.5 seconds

– Infected over 90% of vulnerable hosts in 10 minutes

– Spread through a UDP service (not TCP): one packet per target and no connection handshake, so the scan rate was limited only by available bandwidth

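The doubling figure above follows from the standard random-scanning worm model: an infected host sends s scans per second into the 2^32 IPv4 address space, each hitting a still-vulnerable host with probability (N - I)/2^32, so dI/dt = s·I·(N - I)/2^32, a logistic curve. The Python below is an added worked example, not part of the lecture; the parameter values s = 4000 scans/s and N = 75,000 vulnerable hosts are rough figures taken from public Slammer analyses and are assumptions here, while the 8.5 s doubling time is the lecture's own number.

```python
"""Random-scanning worm growth: idealized logistic model (added example).

An infected host scans s random IPv4 addresses per second; each scan hits a
still-vulnerable host with probability (N - I) / 2**32.  Hence
    dI/dt = s * I * (N - I) / 2**32 = k * I * (N - I) / N,   k = s * N / 2**32
which is the logistic equation, solved in closed form below.
"""
import math

ADDRESS_SPACE = 2 ** 32  # uniformly random IPv4 scanning (model assumption)


def doubling_time(scans_per_sec: float, vulnerable: int, space: int = ADDRESS_SPACE) -> float:
    """Early-phase doubling time in seconds, valid while I << N."""
    k = scans_per_sec * vulnerable / space
    return math.log(2) / k


def infected_at(t: float, doubling: float, vulnerable: int, initial: int = 1) -> float:
    """Closed-form logistic solution: number of infected hosts at time t (seconds)."""
    k = math.log(2) / doubling
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-k * t))


def time_to_fraction(doubling: float, vulnerable: int, frac: float, initial: int = 1) -> float:
    """Seconds until frac * N hosts are infected, starting from `initial` seeds."""
    k = math.log(2) / doubling
    return math.log(frac * (vulnerable - initial) / ((1 - frac) * initial)) / k


def slammer_summary(scans_per_sec: float = 4000.0, vulnerable: int = 75_000) -> dict:
    """Assumed Slammer-like parameters (rough public estimates, not from the lecture)."""
    return {
        # Doubling time the model predicts from the assumed scan rate and population:
        "model_doubling_s": doubling_time(scans_per_sec, vulnerable),
        # Time to reach 90% using the observed 8.5 s doubling from the lecture:
        "t90_from_observed_doubling_s": time_to_fraction(8.5, vulnerable, 0.9),
        "infected_after_60s": infected_at(60.0, 8.5, vulnerable),
    }


if __name__ == "__main__":
    for name, value in slammer_summary().items():
        print(f"{name}: {value:,.1f}")
```

With these inputs the model predicts a doubling time close to the observed 8.5 s and puts 90% infection under three minutes, faster than the ten minutes actually seen; the gap is the bandwidth saturation of infected networks, which the idealized model ignores. The model also explains the UDP remark: a TCP-based worm must complete a handshake before delivering its payload, so its s is bounded by round-trip time, whereas a single-packet UDP worm is bounded only by link bandwidth.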

Targeted Malicious Code

• Trapdoors: Undocumented entry point to a module
  – Program stubs inserted during testing
  – Intentionally or unintentionally left in
    • Simply forgotten
    • Left for testing or maintenance
      – Unit testing: ensure that program components work properly
      – Integration testing: test how modules function as they exchange messages
    • Risk of undefined opcodes!
    • Left intentionally for covert access

• Salami attack: Merges bits of innocent-looking, inconsequential data to yield powerful results
  – Ex: deliberate diversion of fractional cents
  – Very hard to detect


Current Threats


Malware Controls – Virus Scanners

• How can you protect against malware?
  – Extreme: Don't connect to a network and don't use untrusted software
    • Not very practical for most people
    • But certain high-security systems should be run this way!
  – Use a virus scanner on all machines
    • Detects known viruses and/or suspicious behavior
      – Typically looks for patterns or “signatures”
    • Must keep the known-virus database up to date!
      – Caution: Many anti-virus programs bundled with new computers have a limited “free trial period” for virus updates – then stop!
    • Even very good virus scanners aren't perfect:
      – Encrypted viruses
      – Polymorphic viruses
  – Use a virus scrubber on the e-mail server
    • Benefit: Run by dedicated people who make sure it's up to date

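The signature-based detection listed under “What to do Against Viruses” and the encrypted/polymorphic limitation noted here can be shown side by side. The Python below is an added example, not code from the lecture or from any real scanner; the “virus body”, the four-byte “decryptor stub” and the sample “programs” are constructed byte strings, not real malware, and the stub layout (second byte is the XOR key) is an assumption of the demo.

```python
"""Signature scanning versus encrypted/polymorphic viruses (added example).

All byte strings here are constructed for the demo; nothing is real malware.
"""

# Constructed "virus body": the fixed bytes a scanner's signature would match.
VIRUS_BODY = bytes.fromhex("deadbeef4c6f7665")
SIGNATURE = VIRUS_BODY  # a plain signature is just a fixed byte pattern

# Constructed "decryptor stub": four pretend opcode bytes, the second of which is
# the XOR key.  An encrypted virus keeps the stub constant and changes the key per
# copy; a polymorphic virus rewrites the stub itself as well (see the usage note).
STUB_PREFIX = 0xB0
STUB_SUFFIX = bytes([0x31, 0x06])
STUB_MASK = [STUB_PREFIX, None, 0x31, 0x06]  # None = wildcard byte


def xor_encode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_plain_sample() -> bytes:
    """A 'program' with the virus body appended in the clear."""
    return b"\x00" * 8 + VIRUS_BODY + b"\x90" * 4


def make_encrypted_sample(key: int) -> bytes:
    """Same 'program', but the body is XOR-encoded and preceded by the stub."""
    stub = bytes([STUB_PREFIX, key]) + STUB_SUFFIX
    return b"\x00" * 8 + stub + xor_encode(VIRUS_BODY, key) + b"\x90" * 4


def scan_fixed(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature match: fails as soon as the body is encoded with key != 0."""
    return signature in data


def scan_masked(data: bytes, mask=STUB_MASK) -> list:
    """Offsets where the masked pattern (fixed bytes plus wildcards) occurs."""
    n = len(mask)
    return [
        i for i in range(len(data) - n + 1)
        if all(m is None or data[i + j] == m for j, m in enumerate(mask))
    ]


def scan_decrypting(data: bytes, mask=STUB_MASK, signature: bytes = SIGNATURE) -> bool:
    """Find the stub, read the key it carries, decode what follows and re-scan.

    A toy version of what real scanners do with emulation: run (or here, mimic)
    the decryptor, then apply the plain signature to the decoded body.
    """
    for off in scan_masked(data, mask):
        key = data[off + 1]
        decoded = xor_encode(data[off + len(mask):], key)
        if signature in decoded:
            return True
    return False


def scan_report(samples: dict) -> dict:
    """Run all three scanners over a name -> bytes dict of samples."""
    return {
        name: {
            "fixed": scan_fixed(blob),
            "stub_found": bool(scan_masked(blob)),
            "decrypting": scan_decrypting(blob),
        }
        for name, blob in samples.items()
    }


if __name__ == "__main__":
    demo = {
        "plain": make_plain_sample(),
        "xor5a": make_encrypted_sample(0x5A),
        "xor3c": make_encrypted_sample(0x3C),
    }
    for name, result in scan_report(demo).items():
        print(name, result)
```

The fixed signature catches only the plain copy; the masked signature on the constant decryptor stub catches every encrypted copy regardless of key, and decoding through the stub confirms the match. A polymorphic virus defeats the second step too by generating a different decryptor each time, which is why scanners moved to emulation and behavioral heuristics rather than byte patterns alone.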

Malware Controls – System Integrity Protection – Tripwire

• Detects rootkits and other tampering by catching unauthorized changes to system files (e.g., the replaced “ps” and “ls” of a user-level rootkit)

• Basic ideas:
  – Fingerprint system/configuration files
    • Uses a cryptographic hash (message digest)
  – All stored in a database that is signed
  – Verification key and hashes available to everyone
    • Everyone can check the system
    • Have to be careful with the integrity of the verification key
    • Can automate and e-mail alerts
  – Private signature key encrypted with a passphrase
    • Updating the database only by the system administrator

• Some problems – need to remember to update the Tripwire database when software is installed/updated

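The Tripwire idea in miniature: hash the monitored files, sign the table of hashes, and refuse to trust a table whose signature does not verify. The Python below is an added example and is not Tripwire's code; it uses an HMAC with a shared key as a stand-in for Tripwire's public-key signature (an assumption made to keep the example self-contained), and the monitored “binaries” are constructed files written to a temporary directory.

```python
"""Tripwire-style file integrity checking (added example, not Tripwire's code)."""
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 message digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root: str, paths, key: bytes) -> dict:
    """Hash each monitored file and sign the table.

    HMAC-SHA256 with `key` stands in for the private-key signature real
    Tripwire uses (assumption for this example): whoever lacks the key cannot
    produce a valid signature over an edited table.
    """
    table = {p: fingerprint(os.path.join(root, p)) for p in sorted(paths)}
    body = json.dumps(table, sort_keys=True).encode()
    return {"table": table, "sig": hmac.new(key, body, "sha256").hexdigest()}


def verify_database(db: dict, key: bytes) -> bool:
    body = json.dumps(db["table"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(db["sig"], expected)


def check(root: str, db: dict, key: bytes) -> dict:
    """Report changed and missing files; never trust an unverified table."""
    if not verify_database(db, key):
        raise ValueError("integrity database signature invalid")
    report = {"changed": [], "missing": []}
    for p, expected in db["table"].items():
        full = os.path.join(root, p)
        if not os.path.exists(full):
            report["missing"].append(p)
        elif fingerprint(full) != expected:
            report["changed"].append(p)
    return report


def demo() -> dict:
    """Baseline, then a simulated user-level rootkit and a deleted file."""
    key = b"constructed-demo-key"  # would be the admin's passphrase-protected key
    files = {  # constructed stand-ins for real system files
        "bin/ps": b"real ps binary\n",
        "bin/ls": b"real ls binary\n",
        "etc/passwd": b"root:x:0:0\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for p, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, p)), exist_ok=True)
            with open(os.path.join(root, p), "wb") as f:
                f.write(data)
        db = build_database(root, files, key)
        clean = check(root, db, key)
        # A user-level rootkit replaces ps; someone removes ls.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps that hides processes\n")
        os.remove(os.path.join(root, "bin/ls"))
        after = check(root, db, key)
        # An attacker who edits the table to match the trojan cannot re-sign it.
        tampered = {"table": dict(db["table"]), "sig": db["sig"]}
        tampered["table"]["bin/ps"] = fingerprint(os.path.join(root, "bin/ps"))
        return {"clean": clean, "after": after,
                "tampered_accepted": verify_database(tampered, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats from the slide show up directly in the code: the database must be rebuilt (with the key) after every legitimate install or upgrade, or every patched binary reports as “changed”; and the checker reads files through the kernel, so a kernel-level rootkit that lies to read requests can hide from it, which is why Tripwire-style checking is most reliable when run from trusted boot media against the offline disk.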

Controls Against Program Threats

• Developmental methods

– Software Engineering

• Operating System

• Administrative


Developmental methods – S/w Eng.


SDLC – Waterfall model (phases, top to bottom):
  1. Requirements Analysis
  2. System Design
  3. Program Design
  4. Coding
  5. Unit and Integration Testing
  6. System Testing
  7. Acceptance Testing
  8. Maintenance

Activities spanning the whole SDLC:
  • Collaborative work teams
  • Reviews
  • Documentation
  • Configuration Management
  • Project Management

Controls Against Program Threats

• Modularity
  – Dividing a task into subtasks
  – Provides ease of program development and security
  – Modules should be single-purpose, small, simple, independent, and loosely coupled

• Encapsulation
  – Isolating one component from the others
  – Easy to trace faults

• Information Hiding
  – Each component hides its implementation and design details from the others


Controls Against Program Threats

• Mutual Suspicion
  – Procedure A suspects that procedure B changes the contents of the array List that A passes to it

      procedure A {
          array List[5] = {1, 2, 3, 4, 5}
          …
          call B(List)
          …
      }

      procedure B {
          …
      }

  – So A does not trust List after the call: it passes a copy, or re-checks List on return, rather than assuming B behaved

Controls Against Program Threats

• Confinement
  – Limit the access rights of a non-trustworthy program.

• Genetic Diversity
  – Obtain services from different providers so that a single flaw does not compromise every component.
  – e.g. the Morris worm ran on Unix and Code Red ran on Windows; a mixed population is only partly exposed to each


Controls Against Program Threats

• Techniques to build “solid software”
  – Peer Reviews: Sharing a product with colleagues to test its correctness
    • Review
    • Walk-through
    • Inspection

– Hazard Analysis: Set of systematic techniques intended to expose potentially hazardous system states.

• Hazard and Operability Studies: Structured Analysis Technique for process control and chemical plant industries.

• Failure Modes and Effects Analysis: Bottom-up technique applied at the system component level.

• Fault Tree Analysis: A top-down technique that begins with a postulated hazardous system malfunction


Controls Against Program Threats

• Testing: Making the product failure-free or fault-tolerant.

• Good design

• Prediction

• Static Analysis: Examine the system’s design and code to check for security flaws before the system is up and running.

– Control flow structure

– Data flow structure

– Data structure

• Configuration management

• Analysis of mistakes
