ch06 MaliciousSoftware

Computer Security:

Computer Security:

Principles and Practice

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown

Chapter 7 –

Malicious Software

Malicious Software

 programs exploiting system vulnerabilities_{programs exploiting system vulnerabilities}

 known as malicious software or malware_{known as malicious software or malware}

 program fragments that need a host programprogram fragments that need a host program

• e.g. viruses, logic bombs, and backdoors _{e.g. viruses, logic bombs, and backdoors}

 independent self-contained programsindependent self-contained programs

• e.g. worms, bots_{e.g. worms, bots}

 replicating or notreplicating or not

Malware Terminology

Malware Terminology

 Virus_Virus  Worm_Worm

 Logic bomb_{Logic bomb}  Trojan horse_{Trojan horse}

 Backdoor (trapdoor)_{Backdoor (trapdoor)}  Mobile code_{Mobile code}

 _{Auto-rooter Kit (virus generator)Auto-rooter Kit (virus generator)}  Spammer and Flooder programs_{Spammer and Flooder programs}  Keyloggers_Keyloggers

 _{RootkitRootkit}

Viruses

Viruses

 piece of software that infects programs_{piece of software that infects programs}

 modifying them to include a copy of the virusmodifying them to include a copy of the virus

 so it executes secretly when host program is runso it executes secretly when host program is run  _{specific to operating system and hardwarespecific to operating system and hardware}

 taking advantage of their details and weaknessestaking advantage of their details and weaknesses  a typical virus goes through phases of:_{a typical virus goes through phases of:}

 dormantdormant

 propagationpropagation  triggeringtriggering

execution

Virus Structure

Virus Structure

 components:_components:

 infection mechanism - enables replicationinfection mechanism - enables replication

 trigger - event that makes payload activatetrigger - event that makes payload activate

 payload - what it does, malicious or benignpayload - what it does, malicious or benign

 prepended / postpended / embedded _{prepended / postpended / embedded}

 when infected program invoked, executes _{when infected program invoked, executes} virus code then original program code

virus code then original program code

 can block initial infection (difficult)_{can block initial infection (difficult)}

Virus Classification

Virus Classification

 boot sector_{boot sector}

 file infector_{file infector}  macro virus_{macro virus}

 encrypted virus_{encrypted virus}

 stealth virus_{stealth virus}

 polymorphic virus_{polymorphic virus}

Macro Virus

Macro Virus

 became very common in mid-1990s since_{became very common in mid-1990s since}

 platform independentplatform independent

 infect documentsinfect documents

 easily spreadeasily spread

 exploit macro capability of office apps_{exploit macro capability of office apps}

 executable program embedded in office docexecutable program embedded in office doc

 often a form of Basicoften a form of Basic

 more recent releases include protection_{more recent releases include protection}

E-Mail Viruses

E-Mail Viruses

 more recent development_{more recent development}

 e.g. Melissa_{e.g. Melissa}

 exploits MS Word macro in attached docexploits MS Word macro in attached doc

 if attachment opened, macro activatesif attachment opened, macro activates

 sends email to all on users address listsends email to all on users address list

 and does local damageand does local damage

 then saw versions triggered reading email_{then saw versions triggered reading email}

Virus Countermeasures

Virus Countermeasures

 prevention - ideal solution but difficult_{prevention - ideal solution but difficult}

 realistically need:_{realistically need:}

 detectiondetection

 identificationidentification

 removalremoval

 if detect but can’t identify or remove, must _{if detect but can’t identify or remove, must} discard and replace infected program

Anti-Virus Evolution

Anti-Virus Evolution

 virus & antivirus tech have both evolved_{virus & antivirus tech have both evolved}

 early viruses simple code, easily removed_{early viruses simple code, easily removed}

 as become more complex, so must the _{as become more complex, so must the}

countermeasures countermeasures

 generations_generations

 first - signature scannersfirst - signature scanners  second - heuristicssecond - heuristics

 third - identify actionsthird - identify actions

fourth - combination packages

Generic Decryption

Generic Decryption

 runs executable files through GD scanner:_{runs executable files through GD scanner:}

 CPU emulator to interpret instructionsCPU emulator to interpret instructions

 virus scanner to check known virus signaturesvirus scanner to check known virus signatures

 emulation control module to manage processemulation control module to manage process

 lets virus decrypt itself in interpreter_{lets virus decrypt itself in interpreter}

 periodically scan for virus signatures_{periodically scan for virus signatures}  issue is long to interpret and scan_{issue is long to interpret and scan}

Worms

Worms

 replicating program that propagates over net_{replicating program that propagates over net}

 using email, remote exec, remote login using email, remote exec, remote login  has phases like a virus:_{has phases like a virus:}

 dormant, propagation, triggering, executiondormant, propagation, triggering, execution

 propagation phase: searches for other systems, propagation phase: searches for other systems,

connects to it, copies self to it and runs

connects to it, copies self to it and runs

 _{may disguise itself as a system processmay disguise itself as a system process}

 concept seen in Brunner’s “Shockwave Rider”_{concept seen in Brunner’s “Shockwave Rider”}

Morris Worm

Morris Worm

 one of best know worms_{one of best know worms}

 released by Robert Morris in 1988_{released by Robert Morris in 1988}  various attacks on UNIX systems_{various attacks on UNIX systems}

 cracking password file to use login/password cracking password file to use login/password to logon to other systems

to logon to other systems

 exploiting a bug in the finger protocolexploiting a bug in the finger protocol

 exploiting a bug in sendmailexploiting a bug in sendmail

 if succeed have remote shell access_{if succeed have remote shell access}

Recent Worm Attacks

Recent Worm Attacks

 Code Red_{Code Red}

 July 2001 exploiting MS IIS bugJuly 2001 exploiting MS IIS bug

 probes random IP address, does DDoS attackprobes random IP address, does DDoS attack

 consumes significant net capacity when activeconsumes significant net capacity when active

 Code Red II variant includes backdoor_{Code Red II variant includes backdoor}  SQL Slammer_{SQL Slammer}

 early 2003, attacks MS SQL Serverearly 2003, attacks MS SQL Server

 compact and very rapid spreadcompact and very rapid spread

 Mydoom_Mydoom

 mass-mailing e-mail worm that appeared in 2004mass-mailing e-mail worm that appeared in 2004

Worm Technology

Worm Technology

 multiplatform_{multiplatform}

 multi-exploit_{multi-exploit}

 ultrafast spreading_{ultrafast spreading}

 polymorphic_polymorphic

 metamorphic_metamorphic

 transport vehicles_{transport vehicles}

Worm Countermeasures

Worm Countermeasures

 overlaps with anti-virus techniques_{overlaps with anti-virus techniques}

 once worm on system A/V can detect_{once worm on system A/V can detect}

 worms also cause significant net activity_{worms also cause significant net activity}  worm defense approaches include:_{worm defense approaches include:}

 signature-based worm scan filteringsignature-based worm scan filtering

 filter-based worm containmentfilter-based worm containment

 payload-classification-based worm containmentpayload-classification-based worm containment

 threshold random walk scan detectionthreshold random walk scan detection

Bots

Bots

 program taking over other computers_{program taking over other computers}  to launch hard to trace attacks_{to launch hard to trace attacks}

 if coordinated form a botnet_{if coordinated form a botnet}  characteristics:_{characteristics:}

 remote control facilityremote control facility

• via IRC/HTTP etc_{via IRC/HTTP etc}

 spreading mechanismspreading mechanism

• attack software, vulnerability, scanning strategy_{attack software, vulnerability, scanning strategy}

Rootkits

Rootkits

 set of programs installed for admin access_{set of programs installed for admin access}

 _{malicious and stealthy changes to host O/Smalicious and stealthy changes to host O/S}  _{may hide its existencemay hide its existence}

 subverting report mechanisms on processes, files, registry subverting report mechanisms on processes, files, registry entries etc

entries etc

 _{may be:may be:}

 persisitent or memory-basedpersisitent or memory-based

 user or kernel modeuser or kernel mode

Summary

Summary

 introduced types of malicous software_{introduced types of malicous software}

 incl backdoor, logic bomb, trojan horse, mobileincl backdoor, logic bomb, trojan horse, mobile

 virus types and countermeasures_{virus types and countermeasures}

 worm types and countermeasures_{worm types and countermeasures}

 bots_bots