Software Flaws and Malware

Giảng viên hướng dẫn :

Sinh viên :Hoàng Xuân Nhật HuyNguyễn Nam Tiệp

What are software flaws and malware ?

Program flaws (unintentional)Buffer overflowRace conditions

Malicious software (intentional)VirusesWormsOther breeds of malware

Buffer Overflow

In the following example, a program has two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-endian integer, B.

Initially, A contains nothing but zero bytes, and B contains the number 1979.

Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.

"excessive" is 9 characters long and encodes to 10 bytes including the terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:

Race Conditions

Race conditions are commonRace conditions may be more prevalent than buffer

overflowsBut race conditions harder to exploit

Critical race conditions and non-critical race conditions

A critical race occurs when the order in which internal variables are changed determines the eventual state that the state machine will end up in.

A non-critical race occurs when the order in which internal variables are changed does not alter the eventual state..

Dining philosophers problem

0

1

23

4 0 1

4 23

Solutionthink until the left fork is available; when it is, pick it up;think until the right fork is available; when it is, pick it

up;when both forks are held, eat for a fixed amount of time;then, put the right fork down;then, put the left fork down;repeat from the beginning.

Malware

Types of malware (no standard definition) Virus passive propagation Worm active propagation Trojan horse unexpected functionality Trapdoor/backdoor unauthorized access Spyware steals info, such as passwords

Where do Viruses Live?Boot sectorMemoryApplications, macros, data, etc.Library routinesCompilers, debuggers, virus checker, etc.

Malware ExamplesBrain virus (1986)Morris worm (1988)Mac trojan (2001)Backdoor through Powershell (2004)Ardamax keylog (2010)

Virus : Blame virusq First appeared in 1986q More annoying than harmfulq A prototype for later virusesq Not much reaction by usersq What it did

1. Placed itself in boot sector (and other places)2. Screened disk calls to avoid detection3. Each disk read, checked boot sector to see if boot sector

infected; if not, goto 1q Brain did nothing really malicious

Worm : Morris WormFirst appeared in 1988What it tried to do

Determine where it could spread, then……spread its infection and……remain undiscovered

Morris claimed his worm had a bug!It tried to re-infect infected systemsLed to resource exhaustionEffect was like a so-called rabbit

Trojan horse : Mac trojanTrojan: unexpected functionalityFile icon for freeMusic.mp3: For a real mp3, double click on icon

o iTunes openso Music in mp3 file plays

But for freeMusic.mp3, unexpected results

Double click on freeMusic.mp3iTunes opens (expected)“Wild Laugh” (not expected)Message box (not expected)

Backdoor : Power Shell A backdoor is a method of bypassing normal

authentication, securing unauthorized remote access to a computer,

Open a port from 0 to 65535.

Spyware : ArdamaxRecords all typed keystrokes, passwords and hidden

characters.Records a log of all websites visited for all browsers.Ardamax Keylogger can upload recorded logs through

FTP delivery.Record voice from the microphone with real-time

compression.