Computer Security:
Principles and Practice
First Edition
by William Stallings and Lawrie Brown
Chapter 7 –
Agenda
Review Quiz 1
Questions about Lab 3
Grade Reports
Malware
Viruses
Worms
Bots
Rootkits
Break
Malicious Software
programs that exploit system vulnerabilities
known as malicious software or malware
one division is by whether the code can run on its own:
program fragments that need a host program
• e.g. viruses, logic bombs, and backdoors
independent, self-contained programs
• e.g. worms, bots
a second division is by whether the malware replicates (viruses, worms) or not (logic bombs, backdoors, trojan horses)
Malware Terminology (p. 217)
Virus – replicates itself by inserting a copy into other executable code
Worm – runs independently and propagates itself over a network
Logic bomb – program inserted to execute when a trigger condition is met
Trojan horse – apparently useful program that also contains malware
Backdoor (trapdoor) – bypasses a normal security check
Mobile code – software that can be shipped over a network and run unchanged on different platforms
Auto-rooter – hacker tools used to break into new machines remotely
Kit (virus generator) – toolset for generating new malware automatically
Spammer and Flooder programs – send spam and launch DoS attacks
Keylogger – captures keystrokes on a compromised system
Rootkit – hacker tools installed on a compromised system to keep root access while hiding
Viruses
piece of software that infects programs
modifying them to include a copy of the virus
so the virus executes secretly when the host program is run
specific to an operating system and hardware platform
taking advantage of their details and weaknesses
a typical virus goes through four phases:
dormant
propagation
triggering
execution
Virus Structure
components:
infection mechanism (infection vector) – enables replication
trigger – event or condition that activates the payload
payload – what it does, malicious or benign
virus code may be prepended, postpended (appended) or embedded in the host
when the infected program is invoked, the virus code executes first
then control passes to the original program code, so the user sees nothing unusual
defenders can try to block the initial infection (difficult)
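The structure on this slide (infection mechanism, trigger, payload, then a jump to the host) is easiest to see as a program. The following simulation is an added example written for these notes, not code from the textbook: the "executables" are byte strings in a dict, so nothing touches a real filesystem, and the marker, the trigger rule and the file names are all assumptions.

```python
"""Toy model of a prepending virus: infection mechanism, trigger, payload,
then transfer of control to the host program. Added example, not from the
textbook. MARKER, the trigger rule and the file names are assumptions."""

MARKER = b"SIMV:"                    # signature the virus checks to avoid re-infecting (assumption)
VIRUS_BODY = MARKER + b"[virus code]\n"


def is_infected(image: bytes) -> bool:
    """A prepending virus is easy to spot once its marker is known."""
    return image.startswith(MARKER)


def infect(image: bytes) -> bytes:
    """Infection mechanism: prepend a copy of the virus to an uninfected executable."""
    if is_infected(image):
        return image                  # already carries the virus: skip (avoids endless growth)
    return VIRUS_BODY + image


def disinfect(image: bytes) -> bytes:
    """Removal: strip the prepended copy to restore the original program."""
    return image[len(VIRUS_BODY):] if is_infected(image) else image


def trigger_fired(clock: int) -> bool:
    """Trigger: the payload only activates on a condition (here a date-like counter)."""
    return clock % 13 == 0


def run(name: str, fs: dict, clock: int, log: list) -> None:
    """Simulate invoking program `name`. If it is infected, the virus code runs
    first (propagation, then trigger/payload) and only then the host program."""
    image = fs[name]
    if is_infected(image):
        # propagation phase: look for other programs and copy itself into them
        for other in sorted(fs):
            if other != name and not is_infected(fs[other]):
                fs[other] = infect(fs[other])
                log.append(f"infected {other}")
        # triggering -> execution phase: the payload is benign in this simulation
        if trigger_fired(clock):
            log.append("payload executed")
        host = disinfect(image)
    else:
        host = image
    # finally control is handed to the original program, so the user sees nothing odd
    log.append(f"host {name} ran: {host.decode()}")


def infected_count(fs: dict) -> int:
    return sum(is_infected(img) for img in fs.values())


if __name__ == "__main__":
    fs = {"editor": b"edit", "mail": b"mail", "shell": b"sh"}   # constructed "executables"
    log = []
    fs["editor"] = infect(fs["editor"])      # initial infection from outside the system
    run("editor", fs, clock=1, log=log)      # payload stays dormant, but the virus spreads
    run("mail", fs, clock=13, log=log)       # trigger condition met on a later run
    print("\n".join(log), "\ninfected:", infected_count(fs), "of", len(fs))
```

Two runs are enough for every program on the system to be carrying the virus while every host still produces its normal output; the `disinfect` step is the "removal" countermeasure of the later slide, and it only works because the marker and length of the prepended code are known.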
Virus Classification
boot sector – infects a master boot record or boot record, spreads when the system boots from the infected disk
file infector – infects files the operating system or shell treats as executable
macro virus – code interpreted by an application (e.g. a word processor)
encrypted virus – body encrypted with a per-copy key; only a short decryption routine stays constant
stealth virus – explicitly designed to hide itself from antivirus software
polymorphic virus – mutates its form with every infection, so no constant byte signature exists
Macro Virus
became very common in the mid-1990s since
platform independent
infects documents rather than executable code
easily spread
exploits the macro capability of office applications
an executable program (macro) embedded in an office document
often a form of Basic
more recent releases of these applications include protection
E-Mail Viruses
a more recent development
e.g. Melissa
exploits an MS Word macro in an attached document
if the attachment is opened, the macro activates
sends e-mail to everyone on the user's address list
and does local damage
later versions were triggered merely by reading the e-mail
Virus Countermeasures
prevention – ideal solution but difficult
realistically need:
detection
identification
removal
if detected but can't be identified or removed, must
Anti-Virus Evolution
virus and antivirus technology have both evolved
early viruses were simple code, easily detected and removed
as viruses become more complex, so must the countermeasures
generations:
first – simple signature scanners (known byte patterns)
second – heuristic rules (e.g. looking for a decryption loop) and integrity checks
third – memory-resident programs that identify malicious actions rather than code structure
Generic Decryption
runs executable files through a GD scanner containing:
CPU emulator – interprets the instructions of the target file in a software sandbox
virus signature scanner – checks the code for known virus signatures
emulation control module – controls the process
lets an encrypted virus decrypt itself inside the interpreter
periodically scans the emulated memory for virus signatures
issue is how long to interpret and scan before declaring a file clean
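The three slides above (the encrypted virus class, first-generation signature scanners, and generic decryption) fit in one small model. The code below is an added example for these notes, not code from the textbook: the "CPU" is a six-instruction toy machine, the virus body and signature are constructed strings, and the opcode numbers are assumptions. The point it shows is that every copy of an encrypted virus looks different on disk, so a plain signature scan misses it, while a scanner that emulates the decryptor loop and scans the emulated memory finds it, as long as its emulation budget is large enough.

```python
"""Encrypted virus vs. signature scanning vs. generic decryption (GD) as a
toy model. Added example, not the textbook's code. Toy CPU, opcodes, virus
body and signature database are all constructed assumptions."""

# Toy instruction set used by the decryptor stub (all assumptions)
OP_KEY, OP_PTR, OP_CNT, OP_XORB, OP_JNZ, OP_JMP = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
STUB_LEN = 11                                    # size of the constant decryptor below

PLAIN_BODY = b"SIM-VIRUS-BODY-7F3A: infect, trigger, payload, jump to host"
SIGNATURES = {b"SIM-VIRUS-BODY-7F3A": "Sim.Encrypted.A"}   # constructed signature DB


def make_encrypted_copy(key: int) -> bytes:
    """Each new copy keeps the same decryptor but uses a fresh key, so the
    encrypted body differs from copy to copy (defeats naive signature scanning)."""
    assert 1 <= key <= 0xFF and len(PLAIN_BODY) < 0xFF
    enc = bytes(b ^ key for b in PLAIN_BODY)
    stub = bytes([OP_KEY, key,             # key = k
                  OP_PTR, STUB_LEN,        # ptr = start of encrypted body
                  OP_CNT, len(enc),        # cnt = body length
                  OP_XORB,                 # loop: mem[ptr] ^= key; ptr++; cnt--
                  OP_JNZ, 6,               #       if cnt != 0 goto loop (offset of OP_XORB)
                  OP_JMP, STUB_LEN])       # decrypted: jump into the body
    assert len(stub) == STUB_LEN
    return stub + enc


def signature_scan(image: bytes):
    """First-generation scanner: look for a known byte pattern in the file as stored."""
    for sig, name in SIGNATURES.items():
        if sig in image:
            return name
    return None


def generic_decryption_scan(image: bytes, budget: int = 10_000):
    """GD scanner: emulate the file on the toy CPU so the virus decrypts itself
    in sandboxed memory, scanning that memory after every instruction.
    `budget` bounds how long we emulate; too small and the loop is cut short."""
    mem = bytearray(image)
    pc = key = ptr = cnt = 0
    for _ in range(budget):
        if pc >= len(mem):
            break
        op = mem[pc]
        two_byte = op in (OP_KEY, OP_PTR, OP_CNT, OP_JNZ, OP_JMP)
        if two_byte and pc + 1 >= len(mem):
            break
        if op == OP_KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == OP_PTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == OP_CNT:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == OP_XORB:
            if ptr >= len(mem):
                break
            mem[ptr] ^= key
            ptr, cnt, pc = ptr + 1, (cnt - 1) & 0xFF, pc + 1
        elif op == OP_JNZ:
            pc = mem[pc + 1] if cnt else pc + 2
        elif op == OP_JMP:
            break                      # control leaves the decryptor: stop emulating
        else:
            break                      # not code we emulate (e.g. an ordinary program)
        hit = signature_scan(bytes(mem))   # "periodically scan": here after every step
        if hit:
            return hit
    return signature_scan(bytes(mem))


if __name__ == "__main__":
    for key in (0x5A, 0x17):
        sample = make_encrypted_copy(key)
        print(hex(key), "raw scan:", signature_scan(sample),
              "GD scan:", generic_decryption_scan(sample),
              "GD with tiny budget:", generic_decryption_scan(sample, budget=20))
```

The budget parameter is the "how long to interpret" problem from the slide in miniature: with only 20 emulated instructions the loop has decrypted nine bytes, the signature is still scrambled, and the file passes as clean. Real malware exploits exactly this by padding its decryptor with long, useless loops.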
Worms
replicating program that propagates over a network
using e-mail, remote execution and remote login facilities
has phases like a virus:
dormant, propagation, triggering, execution
propagation phase: searches for other systems,
connects to each, copies itself there and runs the copy
may disguise itself as a system process
concept seen in Brunner's "Shockwave Rider"
Morris Worm
one of the best-known worms
released by Robert Morris in 1988
various attacks on UNIX systems:
cracking the password file to obtain login/password pairs
and using them to log on to other systems
exploiting a bug in the finger daemon (fingerd)
exploiting a trapdoor in sendmail's debug option
if any of these succeeds, the worm has remote shell access and bootstraps a copy of itself
Recent Worm Attacks
Code Red
July 2001, exploiting an MS IIS bug
probes random IP addresses, launches a DDoS attack
consumes significant network capacity when active
Code Red II variant includes a backdoor
SQL Slammer
early 2003, attacks MS SQL Server
compact and very rapid spread
Mydoom
mass-mailing e-mail worm that appeared in 2004
Worm Technology
multi-platform – not limited to one operating system
multi-exploit – several ways in (web servers, e-mail, file sharing, ...)
ultrafast spreading – e.g. pre-scanning for vulnerable targets before release
polymorphic – each copy has new code
metamorphic – behaviour as well as appearance changes between copies
transport vehicles – carry other attack tools, such as DDoS bots, to many systems quickly
Worm Countermeasures
overlaps with anti-virus techniques
once a worm is on a system, A/V software can detect it
worms also cause significant network activity, which is itself a detection signal
worm defense approaches include:
signature-based worm scan filtering – block traffic matching a known worm signature
filter-based worm containment – filters on the worm's content rather than a fixed signature
payload-classification-based worm containment – look for exploit code in packets
threshold random walk (TRW) scan detection – a scanner's first-contact connections fail far more often than a legitimate user's
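The propagation phase described on the Worms slide and the threshold random walk detector on this slide are two halves of one experiment, so here they are together. This is an added example for these notes, not the textbook's code: hosts are small integers, "connections" are tuples in a list, and the TRW parameters (theta0/theta1/alpha/beta) are assumed values for the sequential hypothesis test as formulated by Jung et al.

```python
"""Random-scanning worm propagation and Threshold Random Walk (TRW) scan
detection, simulated in memory. Added example, not the textbook's code.
All hosts, traffic and TRW parameters are constructed assumptions."""
import math
import random


def simulate_worm(n_hosts=64, rounds=6, probes_per_round=3, seed=7):
    """Host 0 starts infected. Every round each infected host probes random
    addresses; a probe to a vulnerable host succeeds, copies the worm and
    runs it there. Returns (connection log, infected set, infected-per-round)."""
    rng = random.Random(seed)
    vulnerable = set(range(1, n_hosts, 4))         # constructed: every 4th host is vulnerable
    infected, log, history = {0}, [], [1]
    for _ in range(rounds):
        newly = set()
        for src in sorted(infected):
            for _ in range(probes_per_round):
                dst = rng.randrange(n_hosts)
                ok = dst in vulnerable                  # the vulnerable service answers
                log.append((src, dst, ok))              # (source, destination, success)
                if ok:
                    newly.add(dst)                      # copy self + run = new worm instance
        infected |= newly
        history.append(len(infected))
    return log, infected, history


def benign_traffic(src=99, servers=(3, 7, 11, 15), n=12):
    """A normal client: repeated successful connections to a few known servers,
    plus one failed connection (a typo). Constructed data."""
    return [(src, servers[i % len(servers)], True) for i in range(n)] + [(src, 50, False)]


def trw_detect(log, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
    """TRW: for each source, walk a log-likelihood ratio on the outcome of each
    *first-contact* connection (a failure pushes towards 'scanner', a success
    towards 'benign') and stop as soon as a threshold is crossed.
    theta0/theta1: P(success) for a benign host / for a scanner.
    alpha/beta: tolerated false-positive rate / required detection rate."""
    eta1 = math.log(beta / alpha)                       # upper threshold -> scanner
    eta0 = math.log((1 - beta) / (1 - alpha))           # lower threshold -> benign
    step_fail = math.log((1 - theta1) / (1 - theta0))   # > 0: failure is evidence of scanning
    step_ok = math.log(theta1 / theta0)                 # < 0: success is evidence of benignity
    walk, seen, verdict = {}, {}, {}
    for src, dst, ok in log:
        if src in verdict:
            continue                                    # decision already reached
        if dst in seen.setdefault(src, set()):
            continue                                    # repeat contact: not informative
        seen[src].add(dst)
        walk[src] = walk.get(src, 0.0) + (step_ok if ok else step_fail)
        if walk[src] >= eta1:
            verdict[src] = "scanner"
        elif walk[src] <= eta0:
            verdict[src] = "benign"
    return verdict


if __name__ == "__main__":
    log, infected, history = simulate_worm()
    print("infected hosts per round:", history)
    verdict = trw_detect(log + benign_traffic())
    print("flagged as scanners:", sorted(s for s, v in verdict.items() if v == "scanner"))
    print("host 99 (normal client):", verdict.get(99))
```

With these parameters a failure adds log 4 and a success subtracts it, and the upper threshold is log 99, so four net first-contact failures are enough to flag a source; a random scanner that hits a 25% vulnerable address space gets there within its first handful of probes, long before it has finished spreading. The first-contact rule matters: a client that keeps talking to the same few servers contributes no evidence after its first visit to each, which is what keeps heavy but legitimate users below the threshold.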
Bots
program that takes over other computers
to launch attacks that are hard to trace back to the attacker
if coordinated, the infected machines form a botnet
characteristics:
remote control facility
• via an IRC channel, HTTP polling, etc.
spreading mechanism
• attack software, a vulnerability to exploit, and a scanning strategy
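The remote control facility is also the bot's weak point from a defender's side: a bot controlled over HTTP has to poll its controller, and it usually does so on a fixed timer, which looks nothing like human browsing. The detector below is an added example for these notes, not the textbook's code; the proxy log lines, hostnames and thresholds are constructed assumptions.

```python
"""Spotting command-and-control polling ("beaconing") in a proxy log by the
regularity of the request interval. Added example, not the textbook's code;
the log, hostnames and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "<date> <time> <client ip> <method> <url> <status>"
# 10.0.0.5 polls its controller roughly once a minute; 10.0.0.7 is a person reading news.
PROXY_LOG = """\
2024-03-01 10:00:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:00:05 10.0.0.7 GET http://news.example.test/ 200
2024-03-01 10:00:10 10.0.0.7 GET http://news.example.test/story/1 200
2024-03-01 10:01:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:01:59 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:02:30 10.0.0.7 GET http://news.example.test/story/2 200
2024-03-01 10:02:42 10.0.0.7 GET http://cdn.example.test/img.png 200
2024-03-01 10:02:42 10.0.0.7 GET http://news.example.test/story/3 200
2024-03-01 10:03:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:04:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:05:02 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:06:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:07:00 10.0.0.5 GET http://c2.example.test/gate.php 200
2024-03-01 10:12:42 10.0.0.7 GET http://news.example.test/story/4 200
2024-03-01 10:13:15 10.0.0.7 GET http://news.example.test/story/5 200
"""


def parse_log(text):
    """Yield (timestamp, client, destination host) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, client, _method, url, _status = line.split()
        yield datetime.fromisoformat(f"{date} {clock}"), client, urlsplit(url).hostname


def detect_beacons(text, min_requests=6, max_cv=0.2):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant:
    coefficient of variation (stdev / mean) at or below `max_cv`, with at least
    `min_requests` requests so a couple of coincidences cannot trigger it."""
    series = defaultdict(list)
    for ts, client, host in parse_log(text):
        series[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                                  # all in the same second: not a timer
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "period_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(PROXY_LOG):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"every {f['period_s']}s (cv={f['cv']})")
```

On the constructed log the bot's seven gaps are 58 to 62 seconds (cv about 0.02) and it is flagged, while the news reader's gaps of 5 to 600 seconds give a cv above 1 and pass. Real bots add random jitter to the sleep to blunt exactly this check, so in practice the threshold is tuned per environment and the result is a lead for an analyst, not a verdict.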
Rootkits
set of programs installed on a system to maintain administrator (root) access
makes malicious and stealthy changes to the host OS
may hide its own existence
by subverting the mechanisms that report on processes, files, registry entries, etc.
may be:
persistent (survives a reboot) or memory-based
user mode or kernel mode
installed by the user via a trojan, or by an intruder already on the system
Summary
introduced types of malicious software
incl. backdoor, logic bomb, trojan horse, mobile code
virus types and countermeasures
worm types and countermeasures
bots