Viruses and Related Threats - PowerPoint PPT Presentation

1
Viruses and Related Threats
2
Malicious Programs
  • Needs host program
    • trap doors
    • logic bombs
    • Trojan horses
    • viruses
  • Independent
    • viruses
    • worms

3
Trap Doors
  • A secret entry point to a program or system
  • get in without the usual security access
    procedures
  • Recognize some special sequence of inputs, or
    special user ID

4
Logic Bomb
  • Embedded in some legitimate program
  • Explode when certain conditions are met

5
Trojan Horses
  • Hidden in an apparently useful host program
  • Perform some unwanted/harmful function when the
    host program is executed

6
Worms and Bacteria
  • Worms
    • Use network connections to spread from system to
      system
  • Bacteria
    • No explicit damage, just replicate

7
Viruses
  • Infect a program by modifying it
  • Copy themselves into the program in order to spread
  • Four stages
    • dormant phase
    • propagation phase
      • E.g., attachment to email
    • triggering phase
    • execution phase

8
Virus Structure
  • First line: go to main of the virus program
  • Second line: a special mark (infected or not)
  • Main
    • find uninfected programs
    • infect and mark them
    • do something damaging to the system
    • now go to the first line of the original
      program
    • appear to do the normal work
  • Avoid detection based on program size
    • compress/decompress the original program

9
Types of Viruses
  • Parasitic virus
    • searches for and infects executable files
  • Memory-resident virus
    • infects running programs
  • Boot sector virus
    • spreads whenever the system is booted
  • Stealth virus
  • Polymorphic virus
    • encrypts part of the virus program using a randomly
      generated key

10
Macro Viruses
  • Macro
    • an executable program (e.g., opening a file,
      starting an application) embedded in a word
      processing document, e.g. MS Word
  • Common technique for spreading
    • A virus macro is attached to a Word document
    • Document is loaded and opened on the local system
    • When the macro executes, it copies itself to the
      global macro file
    • The global macro can be activated/spread when new
      documents are opened.

11
Truth and Misconceptions about Viruses
  • Can only infect Microsoft Windows
  • Can modify hidden and read-only files
  • Spread only on disks or in email
  • Cannot remain in memory after reboot
  • Cannot infect hardware
  • Can be malevolent, benign, or benevolent

12
Antivirus Approach
  • Prevention
    • Limit contact with the outside world
  • Detection and identification
  • Removal
  • 4 generations of antivirus software
    • simple scanners
      • use signatures of known viruses
    • heuristic scanners
      • integrity checking (checksum, encrypted hash)
    • activity traps
    • full-featured protection
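The "integrity checking (checksum, encrypted hash)" item above, worked as an added example that is not part of the slides: a plain checksum stored beside a file can be recomputed by whatever modified the file, while a keyed hash (HMAC-SHA256 here, standing in for the slide's "encrypted hash") cannot be regenerated without the key. The file paths, contents and key are constructed values.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a directory of executables: {path: bytes}.
FILES = {
    "/usr/local/bin/tool": b"\x7fELF" + b"\x00" * 60 + b"ORIGINAL-CODE",
    "/usr/local/bin/util": b"\x7fELF" + b"\x00" * 60 + b"OTHER-CODE",
}
KEY = b"constructed-demo-key"   # in practice kept off the monitored host


def checksum_baseline(files):
    """Plain checksum: anyone who can write the file can recompute it."""
    return {path: zlib.crc32(data) for path, data in files.items()}


def keyed_baseline(files, key):
    """Keyed hash: producing a valid tag for new content requires the key."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}


def check_checksums(files, baseline):
    """Paths whose current CRC32 differs from the stored one."""
    return sorted(p for p, d in files.items() if zlib.crc32(d) != baseline.get(p))


def check_keyed(files, baseline, key):
    """Paths whose current HMAC differs from the stored tag (constant-time compare)."""
    changed = []
    for path, data in files.items():
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, baseline.get(path, "")):
            changed.append(path)
    return sorted(changed)


def modify_and_refresh_checksum(files, checksums, path, extra):
    """Model a modification that also rewrites the stored checksum,
    which is possible whenever file and checksum are equally writable."""
    files = dict(files)
    files[path] = files[path] + extra
    checksums = dict(checksums)
    checksums[path] = zlib.crc32(files[path])
    return files, checksums
```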

13
Digital Immune System
  • Each PC is equipped with a monitoring program
  • A suspicious program is forwarded to an
    administrative PC of the LAN
  • The administrative PC securely transmits the sample to
    a central virus analysis site
    • for emulation, analysis, prescription
  • The prescription is sent back to the
    administrative PC, then to all PCs in the LAN
    • and to other LANs as well

14
The Internet Worm
  • What it did
    • Determine where it could spread
    • Spread its infection
    • Remain undiscovered and undiscoverable
  • Effect
    • Resource exhaustion: repeated infection due to a
      programming bug
    • Servers were disconnected from the Internet by sys
      admins to stop the infection

15
The Internet Worm
  • How it worked
    • Where to spread
      • Exploit security flaws
        • Guess passwords (encrypted passwd file readable)
        • fingerd buffer overflow
        • sendmail trapdoor (accepts shell commands)
    • Spread
      • Bootstrap loader to target machine, then fetch
        rest of code (password authenticated)
    • Remain undiscoverable
      • Load code in memory, encrypt, remove file
      • Periodically changed name and process ID

16
The Internet Worm
  • What we learned
  • Security scanning and patching
  • Computer Emergency Response Team (CERT)

17
Code Red and Beyond
  • http://www.icir.org/vern/talks/vp-0wn-UCB.pdf

18
Code Red Worm Propagation Modeling and Analysis
  • Cliff Changchun Zou, Weibo Gong, Don Towsley
  • Univ. Massachusetts, Amherst

19
Motivation
  • Code Red worm incident of July 19th, 2001
    • Showed how fast a worm can spread.
      • more than 350,000 infected in less than one day.
    • A friendly worm?
      • No real damage to compromised computers.
      • Did not send out flooding traffic.
  • A good model can
    • Predict worm propagation and damage.
    • Understand the worm spreading characteristics.
    • Help to find effective mitigation techniques.

20
Code Red worm background
  • Sent an HTTP GET request that overflowed a buffer in
    the Windows IIS server.
  • It generated 100 threads to scan simultaneously
    • One reason for its fast spreading.
    • Huge scan traffic might have caused congestion.
  • Characteristics
    • Uniformly picked IP addresses to send scan
      packets.

21
Epidemic modeling introduction
  • infectious hosts continuously infect others.
  • removed hosts in the epidemic area
    • Recovered and immune to the virus.
    • Dead because of the disease.
  • removed hosts in the computer area
    • Patched computers that are clean and immune to
      the worm.
    • Computers that are shut down or cut off from
      worm circulation.

22
Epidemic modeling introduction
  • Homogeneous assumption
    • Any host has an equal probability of contacting any
      other host in the system.
    • Number of contacts ∝ I × S
  • Code Red propagation has the homogeneous property
    • Direct connection via IP
    • Uniform IP scan

23
Deterministic epidemic models: Simple epidemic model
  • State transition
    • N: population; S(t): susceptible hosts; I(t):
      infectious hosts
    • dI(t)/dt = β S(t) I(t)
    • S(t) + I(t) = N
    • I(t) and S(t) symmetric
  • Problems
    • Constant infection rate β
    • No removed state.

24
Deterministic epidemic models: Kermack-McKendrick epidemic model
  • State transition
    • R(t): removed from infectious; γ: removal rate
    • dI(t)/dt = β S(t) I(t) - dR(t)/dt
    • dR(t)/dt = γ I(t)
    • S(t) + I(t) + R(t) = N
  • Epidemic threshold
    • No outbreak if S(0) < γ / β.
  • Problems
    • Constant infection rate β
    • No

[Figure: I(t) versus t]
25
Code Red modeling: Consider human countermeasures
  • Human countermeasures
    • Clean and patch: download cleaning program,
      patches.
    • Filter: put filters on firewalls, gateways.
    • Disconnect computers.
  • Reasons for considering them
    • Suppress most new viruses/worms from outbreak.
    • Eliminate virulent viruses/worms eventually.
    • Removal of both susceptible and infectious hosts.

26
Code Red modeling: Consider human countermeasures
  • Model (extended from the KM model)
    • Q(t): removal from susceptible hosts.
    • R(t): removal from infectious hosts.
    • I(t): infectious hosts.
    • J(t) = I(t) + R(t): number of infected hosts
      • hosts that have ever been infected
    • dS(t)/dt = -β S(t) I(t) - dQ(t)/dt
    • dR(t)/dt = γ I(t)
    • dQ(t)/dt = μ S(t) J(t)
    • S(t) + I(t) + R(t) + Q(t) = N

27
Code Red modeling: Two-factor worm model
  • Code Red worm may have caused congestion
    • Huge number of scan packets to unused IP
      addresses.
    • Routing table cache misses (about 30% of the IP
      space is used).
    • Generation of ICMP (router error) messages for
      invalid IPs.
    • Possible BGP instability.
    • Effect: slowing down of the worm propagation rate,
      β → β(t)
  • Two-factor worm model
    • dS(t)/dt = -β(t) S(t) I(t) - dQ(t)/dt
    • dR(t)/dt = γ I(t)
    • dQ(t)/dt = μ S(t) J(t)
    • β(t) = β0 [1 - I(t)/N]^η
    • S(t) + I(t) + R(t) + Q(t) = N
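As an added example (not from the slides or the Zou/Gong/Towsley paper), a forward-Euler integration of the two-factor model on slides 26 and 27. With γ = μ = η = 0 it reduces to the simple epidemic model of slide 23, with μ = η = 0 to the Kermack-McKendrick model of slide 24, and η = 0 alone is the "no congestion" case of slide 33. β0 = 1.8/N and γ = 0.14 are taken from the slides; N, I0, μ, η and the time step are constructed values.

```python
def simulate_two_factor(N, I0, beta0, gamma, mu, eta, hours, dt=0.01):
    """Forward-Euler integration of the two-factor worm model.

    dS/dt = -beta(t) S I - dQ/dt      dR/dt = gamma I
    dQ/dt = mu S J,  J = I + R        beta(t) = beta0 (1 - I/N)^eta
    gamma = mu = eta = 0 gives the simple epidemic model; mu = eta = 0 gives
    Kermack-McKendrick; eta = 0 alone is the "no congestion" case.
    Returns one (S, I, R, Q) sample per simulated hour.
    """
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    per_hour = int(round(1.0 / dt))
    samples = []
    for step in range(1, int(hours) * per_hour + 1):
        J = I + R                              # hosts ever infected
        beta = beta0 * (1.0 - I / N) ** eta    # congestion slows scanning as I grows
        dQ = mu * S * J                        # patching/filtering of susceptible hosts
        dR = gamma * I                         # removal of infectious hosts
        dS = -beta * S * I - dQ
        dI = beta * S * I - dR                 # dS + dI + dR + dQ = 0, so N is conserved
        S, I, R, Q = S + dS * dt, I + dI * dt, R + dR * dt, Q + dQ * dt
        if step % per_hour == 0:
            samples.append((S, I, R, Q))
    return samples


def ever_infected_fraction(samples, N):
    """J(T)/N at the end of the run; J is non-decreasing, so this is its maximum."""
    _, I, R, _ = samples[-1]
    return (I + R) / N


def peak_infectious_fraction(samples, N):
    """Largest hourly I(t)/N seen during the run."""
    return max(I for _, I, _, _ in samples) / N


if __name__ == "__main__":
    N, I0 = 360_000, 1              # constructed: roughly the Code Red population
    beta0, gamma = 1.8 / N, 0.14    # from the slides: 1.8 infections/host/hour, 14%/hour removed
    mu, eta = 0.06 / N, 3           # constructed patching rate and congestion exponent
    simple = simulate_two_factor(N, I0, beta0, 0.0, 0.0, 0, hours=20)
    two_factor = simulate_two_factor(N, I0, beta0, gamma, mu, eta, hours=20)
    for hour, (s, t) in enumerate(zip(simple, two_factor), start=1):
        print("hour %2d  simple J/N=%.3f  two-factor J/N=%.3f  I/N=%.3f"
              % (hour, (s[1] + s[2]) / N, (t[1] + t[2]) / N, t[1] / N))
```

Running it shows the simple model driving J/N to essentially 1 while the two-factor run levels off below it, which is the overestimation the later slides discuss.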

28
Validation of observed data on Code Red
  • Network monitor
    • records Code Red scan traffic into the local
      network.
  • Code Red worm uniformly picked IPs to scan.
    • Number of scans a site received ∝ size of the IP
      space of the site.
    • Number of scans a site received at time t ∝ overall
      scans in the Internet at t.
    • Number of infectious hosts that sent scans to a site
      at time t ∝ overall infectious hosts in the Internet
      at t.
  • Local observation preserves the global worm
    propagation pattern.

29
Observed data on Code Red worm
  • Two independent Class B networks x.x.0.0/16
    (1/65536 of the IP space)
  • Count of Code Red scan packets and source IPs
    for each hour.
    • Corresponds to infectious hosts I(t) at each
      hour, not infected hosts J(t) = I(t) + R(t).
  • Uniform IP scan → two networks, same results.

30
Code Red worm modeling: Simple epidemic modeling
  • Staniford et al. used the simple epidemic model
    approach.
  • Conclusions from this model
    • At around 2000 UTC (1600 EDT), Code Red infected
      almost all susceptible hosts.
    • On average, a worm infected 1.8 susceptible hosts
      per hour.

[Figure: x-axis: EDT hours (July 19)]
31
Code Red worm modeling: Simple epidemic modeling
  • Possible overestimation?
  • Issues in using the simple epidemic model for Code Red
    • Constant infection rate β: no consideration of the
      impact of worm traffic
    • No recovery: removal from infectious hosts
    • No patching before infection: removal from
      susceptible hosts

32
Code Red modeling: numerical analysis
[Figure: Two-factor model]
  • Conclusions
    • At 2000 UTC (1600 EDT), 60% to 70% have ever been
      infected.
    • Simple epidemic model overestimates worm
      spreading.
    • γ = 0.14: 14% of infectious hosts would be removed
      after an hour.

33
Code Red Modeling: If no congestion is considered
[Figure: If no congestion is considered]
  • The congestion assumption is reasonable.

34
Summary
  • We must consider the changing environment when we
    model virus/worm propagation.
    • Human countermeasures/changes in behavior.
    • Virus/worm impact on Internet infrastructure.
  • Worm modeling limitations
    • Models only the continuously spreading part of the
      worm.
    • Homogeneous systems.
  • Future work: how to predict before worms
    break out?
    • Determine parameters of a virus/worm model.