Title: Viruses, Worms and other Malicious Code
Viruses, Worms and other Malicious Code
Readings
- Buffer overflow attack: http://www.insecure.org/stf/smashstack.txt
- Java Security: http://www.cs.princeton.edu/sip/faq/java-faq.php3
- Security 101 (this company is trying to sell you something): http://www.trustdigital.com/tut1.htm
- TEMPEST: http://rr.sans.org/encryption/TEMPEST.php
Topics
- Viruses and worms
- Software vulnerabilities
- Famous incidents
- Covert channels
- Java security model
Viruses, Worms, etc.
- Computer viruses and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a worm).
- Other malicious programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).
Definitions
- Virus - code that copies itself into other programs.
- Bacteria - a program that replicates until it fills all disk space or CPU cycles.
- Payload - the harmful things the malicious program does, after it has had time to spread.
- Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
Definitions
- Trojan Horse - instructions in an otherwise good program that have a different and hidden purpose (e.g., sending your data or password to an attacker over the net).
- Logic Bomb - malicious code that activates on an event (e.g., a date).
- Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let in unwanted users.
Definitions
- Easter Egg - extraneous code that does something cool; a way for programmers to show that they control the product.
- Rabbit (compare Bacteria) - a virus or worm that replicates without bound with the intention of exhausting some computing resource.
Taxonomy
Malicious Programs
  Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  Independent: Bacteria, Worms
Life of a Virus
- Dormant phase - the virus is idle.
- Propagation phase - the virus places an identical copy of itself into other programs.
- Triggering phase - the virus is activated to perform the function for which it was intended.
- Execution phase - the function is performed.
Protect Yourself!
- Virus protection programs work! Use them and keep them up to date.
- Don't execute programs or macros from unknown sources (MS Word documents, HyperCard files, email attachments).
- Choose less common operating systems and email programs.
Virus Types
- Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
- Memory-resident Virus - lodges in main memory as part of the resident operating system.
- Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (the original DOS viruses).
- Stealth Virus - explicitly designed to hide from virus scanning programs.
- Polymorphic Virus - mutates with every new host to prevent signature detection.
Macro Viruses
- Microsoft Office applications allow macros to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (e.g., Save File).
- Platform independent.
- Infect documents, delete files, generate email and edit letters.
Anti-virus Approaches
- 1st Generation, Scanners - searched files for any of a library of known virus signatures. Checked executable files for length changes.
- 2nd Generation, Heuristic Scanners - look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
- 3rd Generation, Activity Traps - stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
- 4th Generation, Full Featured - combine the best of the techniques above.
How Can Viruses Get Control?
- The goal of viruses, worms and other malicious code is to execute on the target computer with superuser or root privileges.
- Viruses begin executing in a user account. Worms must break into a user account, usually by cracking the password.
- From the user account (with user privileges) it breaks into superuser mode.
Buffer Overflow
- char sample[10];
- The C compiler sets aside 10 bytes to store this buffer, sample[0] through sample[9]. Now execute the statement
- sample[i] = 'A'; // i >= 10
- The 'A' may overwrite user code or data, or spill into a memory area being used by the operating system. By carefully choosing what is written, you can overwrite part of the OS with your own code.
- Especially vulnerable: OS routines that use strcpy instead of strncpy.
Stack Overflow
- Subroutine calls are executed with the help of a runtime stack. The activation record (or frame, containing the parameters, local variables and return address) for the most recently called procedure is pushed on the stack.
- By entering long unchecked parameters, the attacker can manipulate the return address.
- If the procedure was a system routine running with root privileges, the attacker can get those privileges.
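The strcpy-versus-strncpy point from the two slides above, as an added example that is not from the lecture: the unchecked copy into a 10-byte buffer like the slide's sample[10], beside a bounded copy and a length check; the caveat it shows is that strncpy on its own does not NUL-terminate an overlong input, so the caller must terminate and should reject truncated values.

```c
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 10   /* the slide's char sample[10]: sample[0]..sample[9] */

/* Vulnerable pattern from the slide: strcpy copies until the input's NUL, so any
   input of SAMPLE_LEN or more characters writes past sample[9] into whatever is
   adjacent on the stack (other locals, the saved return address). Never called here. */
void copy_unchecked(char sample[SAMPLE_LEN], const char *input) {
    strcpy(sample, input);
}

/* Bounded copy. strncpy alone is not a complete fix: with SAMPLE_LEN - 1 or more
   input characters it writes no NUL, so terminate explicitly. Returns the number
   of characters stored, or -1 if the input was truncated (caller should reject). */
int copy_bounded(char sample[SAMPLE_LEN], const char *input) {
    size_t n = strlen(input);
    strncpy(sample, input, SAMPLE_LEN - 1);
    sample[SAMPLE_LEN - 1] = '\0';
    return n <= SAMPLE_LEN - 1 ? (int)n : -1;
}

/* Stricter alternative: check the length first and store nothing that does not
   fit, so a silently truncated value never reaches the program. 1 = copied, 0 = rejected. */
int copy_or_reject(char sample[SAMPLE_LEN], const char *input) {
    size_t n = strlen(input);
    if (n >= SAMPLE_LEN) { sample[0] = '\0'; return 0; }
    memcpy(sample, input, n + 1);   /* n + 1 includes the terminating NUL */
    return 1;
}

/* Characters that actually land in the buffer after copy_bounded: never more
   than SAMPLE_LEN - 1, whatever the input length. */
int stored_length(const char *input) {
    char sample[SAMPLE_LEN];
    copy_bounded(sample, input);
    return (int)strlen(sample);
}

int main(void) {
    char buf[SAMPLE_LEN];   /* constructed inputs: one fits, one of 16 bytes would overflow */
    const char *inputs[] = { "short", "AAAAAAAAAAAAAAAA" };
    for (int i = 0; i < 2; i++) {
        int accepted = copy_or_reject(buf, inputs[i]);
        int rc = copy_bounded(buf, inputs[i]);
        printf("%-16s accepted=%d bounded rc=%2d stored=\"%s\"\n", inputs[i], accepted, rc, buf);
    }
    return 0;
}
```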
Web Server Overflow Problems
- Parameters are frequently passed in the URL. Here, the page userinput receives the parameters parm1 with value (808)555-1212 and parm2 with value 2004Jan01:
- http://www.somesite.com/subpage/userinput?parm1=(808)555-1212&parm2=2004Jan01
- What if these parameters are manipulated? See http://www.cerberus-infosec.co.uk/advdialer.html
Incomplete Mediation
- Incomplete mediation occurs when parameters are manipulated and not revalidated.
- Thing.com sells stuff on their web site. The customer chooses what he wants and his browser completes a form like this:
- http://www.thing.com/order/final?custID=101&part=55&qty=10&price=12&shipcost=4&total=124
- The malicious user changes the URL to
- http://www.thing.com/order/final?custID=101&part=55&qty=10&price=2&shipcost=4&total=24
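Complete mediation for the order URL above, as an added example that is not from the lecture: the server re-derives the price from its own catalogue and recomputes the total before accepting the final order, so the altered URL is rejected. The parameter names are those on the slide; get_param, catalogue_price and validate_order are hypothetical helpers and the one-item catalogue is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Pull a numeric "key=value" out of a query string such as
   "custID=101&part=55&qty=10&price=12&shipcost=4&total=124".
   Returns 0 and sets *out, or -1 if the key is missing or not an integer. */
int get_param(const char *query, const char *key, long *out) {
    size_t klen = strlen(key);
    const char *p = query;
    while ((p = strstr(p, key)) != NULL) {
        /* the match must start a parameter and be followed by '=' */
        if ((p == query || p[-1] == '&') && p[klen] == '=') {
            char *end;
            long v = strtol(p + klen + 1, &end, 10);
            if (end == p + klen + 1 || (*end != '\0' && *end != '&')) return -1;
            *out = v;
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Constructed server-side catalogue: the authoritative price lives here, never
   in the URL. Returns -1 for an unknown part number. */
long catalogue_price(long part) {
    return part == 55 ? 12 : -1;
}

/* Complete mediation: every client-supplied value is revalidated when the final
   order arrives. Returns the order total if the submission is consistent with
   the server's own data, or -1 to reject it (the slide's tampered order has
   price changed from 12 to 2 and total from 124 to 24). */
long validate_order(const char *query) {
    long part, qty, price, ship, total;
    if (get_param(query, "part", &part) || get_param(query, "qty", &qty) ||
        get_param(query, "price", &price) || get_param(query, "shipcost", &ship) ||
        get_param(query, "total", &total))
        return -1;                                    /* missing or malformed field */
    long real_price = catalogue_price(part);
    if (real_price < 0 || qty <= 0 || ship < 0) return -1;
    if (price != real_price) return -1;               /* tampered unit price */
    if (total != qty * real_price + ship) return -1;  /* tampered total */
    return total;
}
```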
Famous Incidents: Morris Worm
- Released on the Internet on Nov. 2, 1988.
- Perpetrator was Robert Morris, Jr., a graduate student at Cornell who created the worm. Convicted in 1990 of violating the 1986 Computer Fraud and Abuse Act.
- The worm's goals were to determine where to spread, spread the infection, and remain undiscovered.
Morris Worm: Effects
- Primary effect was resource exhaustion: the worm was supposed to check if the target was already infected and, if so, only one copy would continue.
- A flaw in the checking mechanism caused multiple copies to infect a machine.
- Secondary effect: many systems disconnected from the Internet to avoid infection or avoid further spread.
- Disconnections caused communications disruptions, including of containment and recovery info.
- 6,000 systems were shut down or disconnected from the Internet, some for several days.
Morris Worm: How It Worked
- Where to spread: the worm used known flaws.
- User accounts on the current machine: get the password file and try popular passwords and a dictionary attack.
- Use finger on a remote system with an input buffer overflow to cause the worm to be connected to a remote shell.
- Use a trapdoor in sendmail to execute a command string.
Morris Worm: How It Worked
- Infect new machine or account: send a bootstrap loader (99 lines of C code) to be compiled and executed, which would fetch the rest of the worm.
- The worm attempted to hide its tracks: it deleted disk files written during the transmission process and periodically changed its process ID to avoid detection.
Morris Worm: What Was Learned
- Shocked the Internet community, which at that time (1988) was mostly researchers.
- Prompted the development of an infrastructure for reporting and correcting vulnerabilities and malicious code.
- The Computer Emergency Response Team (CERT) was started.
Another Worm: Code Red
- Code Red infected more than 250,000 systems in about nine hours in July 2001.
- Ultimately, over 750,000 servers were infected, causing over $2 billion in damage.
- There were several versions of Code Red infecting web servers running Microsoft's Internet Information Server (IIS).
- Checks port 80 of other servers to find a vulnerable one. Then does a buffer overflow in idq.dll to get into memory.
Code Red: Effect
- First version defaced the web site:
  HELLO! Welcome to http://www.worm.com ! Hacked by Chinese!
- Looked for other sites to infect from day 1 to day 19. From day 20 to 27, launched a denial of service attack against www.whitehouse.gov.
Code Red: How It Worked
- Exploited a buffer overflow on PCs running Microsoft IIS. Windows NT servers would crash; Windows 2000 servers would execute the worm code, giving the worm root privileges.
- Some worm versions installed a modified version of explorer.exe with a Trojan horse.
Code Red: What Was Learned
- More than 6 million servers use IIS. A patch to fix the vulnerability is available now from Microsoft, but not all admins install the fixes in a timely manner.
- These security threats are the result of a general willingness to buy and install code that does not meet security standards and a reluctance to devote resources to keeping up to date with vendor patches.
- Note: the SQL Slammer worm that shut down ATMs in Jan 2003 exploited a known flaw in MS SQL Server 2000 for which a patch had been available for 6 months.
Covert Channels
- Covert channels are programs that leak information to people who are not authorized to have that information, where the transmission is hidden or disguised so that it is not easily discovered.
- Trojan horse programs often create covert channels.
Covert Channel Example
- Bob has access to confidential information that Alice does not (whether or not an instructor is planning a pop quiz for the afternoon class). Bob also produces a non-confidential report (total attendance at the morning class) that Alice will see.
- In order to leak the confidential info to Alice, the attendance report will say "TOTAL" if there is going to be a quiz and "Total" if there is no quiz.
Covert Channels
- Covert channels can be storage channels, where information is conveyed by the presence (or absence) of certain objects in storage.
- Covert channels can be timing channels, where the information is conveyed through the speed at which things happen.
Identifying Potential Covert Channels
- The basis for covert channels is shared resources, so potential channels can be found with a shared resource matrix (r = read access, w = write access):

          pid 1   pid 2   pid 3   pid 4
  File a  r,w     r,w     r       r
  File b  r       r,w     r
  File c  r
Covert Channels
- The access patterns identify potential leaks. This pattern:

          pid 1   pid 2   pid 3
  File a  r,w     r,w     r
  File b  r       r,w

  implies you could have a covert channel giving this pattern:

          pid 1   pid 2   pid 3
  File a  r,w     r,w     r
  File b  r       r,w     r

  pid 1 and pid 2 can each read File b and write File a, and pid 3 can read File a, so either of them can encode the contents of File b into File a for pid 3, which was never granted read access to File b.
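The shared resource matrix analysis of the two slides above, as an added example that is not from the lecture: starting from the first pattern, the code derives which processes can learn a file's contents indirectly through a process that reads that file and writes another one they can read, and reproduces the second pattern (a new read for pid 3 on File b). The bit-flag encoding of the matrix and the function names are constructed here.

```c
#include <string.h>

#define NPROC 3
#define NFILE 2
enum { R = 1, W = 2 };   /* access bits: read, write */

/* The slide's first matrix, constructed here as bit flags.
   Rows: File a, File b. Columns: pid 1, pid 2, pid 3. */
static const int slide_matrix[NFILE][NPROC] = {
    { R | W, R | W, R },   /* File a */
    { R,     R | W, 0 },   /* File b */
};

/* Derive the potential covert channels implied by a shared resource matrix.
   Rule: if process k can read file g and write file f, it can encode g's
   contents into f, so every process j that can read f can effectively read g.
   Repeat until no new read right appears (relaying can chain). Writes the
   closed matrix into out and returns how many read rights were added. */
int covert_closure(const int in[NFILE][NPROC], int out[NFILE][NPROC]) {
    int added = 0, changed = 1;
    memcpy(out, in, sizeof(int) * NFILE * NPROC);
    while (changed) {
        changed = 0;
        for (int f = 0; f < NFILE; f++)
            for (int k = 0; k < NPROC; k++) {
                if (!(out[f][k] & W)) continue;                /* k writes f */
                for (int g = 0; g < NFILE; g++) {
                    if (g == f || !(out[g][k] & R)) continue;  /* k reads g */
                    for (int j = 0; j < NPROC; j++)
                        if ((out[f][j] & R) && !(out[g][j] & R)) {
                            out[g][j] |= R;   /* j can now learn g through f */
                            added++; changed = 1;
                        }
                }
            }
    }
    return added;
}

/* Apply the closure to the slide's matrix: the result is the slide's second
   pattern, a new 'r' for pid 3 on File b. Returns that cell's access bits. */
int pid3_file_b_access(void) {
    int out[NFILE][NPROC];
    covert_closure(slide_matrix, out);
    return out[1][2];   /* row File b, column pid 3 */
}
```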
Java Program Security
- Java was the first general purpose programming language to consider security.
- The original security model provided by the Java platform, known as the "sandbox" model, existed in order to provide a very restricted environment in which to run untrusted code obtained from the open network.
- Local code is trusted to have full access to vital system resources, such as the file system, but downloaded remote code (an applet) is not trusted and can access only the limited resources provided inside the sandbox.
- A security manager is responsible for determining which resource accesses are allowed.
Java Security
- JDK 1.1 introduced the concept of a "signed applet". A digitally signed applet is treated like local code, with full access to resources, if the public key used to verify the signature is trusted. Unsigned applets are still run in the sandbox.
- Signed applets are delivered, with their respective signatures, in signed JAR (Java ARchive) files.
Java Security
- JDK 1.2 introduces a number of improvements over JDK 1.1. All code, local or remote, can be subject to a security policy.
- The security policy defines the set of permissions available for code from various signers or locations and can be configured by the user or system administrator. Each permission specifies access to a particular resource, such as read and write access to a specified file or directory, or connect access to a given host and port.
Java 1.2 Security
- Classes whose instances have the same set of permissions are organized by the runtime system into domains. A domain can be configured to be equivalent to the sandbox, so applets can still be run in a restricted environment if the user or the administrator so chooses. Applications run unrestricted, as before, by default but can optionally be subject to a security policy.
Other Java Security Features
- In JDK 1.1 a provider could, for example, contain an implementation of one or more digital signature algorithms, message digest algorithms, and key-generation algorithms.
- JDK 1.2 adds five more types of services:
- Keystore creation and management
- Algorithm parameter management
- Algorithm parameter generation
- Key factory support to convert between different key representations
- Certificate factory support to generate certificates and certificate revocation lists (CRLs) from their encodings
For Further Reading
- Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990.
- http://wwwzenger.informatik.tu-muenchen.de/persons/huckle/bugse.html