PPT – PowerPoint presentation | free to download

About This Presentation

Title:

Description:

Many of the programs, that may be called malware, have benevolent uses also. 4. Benevolent Uses: ... Spreading Malware via the Internet. Trojan Horse vs Virus: ... – PowerPoint PPT presentation

Number of Views:33

Avg rating:3.0/5.0

Slides: 119

Provided by: aksh5

Category:

Tags: malware

more less

Transcript and Presenter's Notes

Title:

1

Unix. The world's first computer virus.
title of Chapter 1 of
The Unix Haters Handbook,
written by serious computer scientists ISBN
1-56884-203-1

2
Classification of Threats

Threats may exploit weaknesses in
1. operating systems (W32,W95, Linux, etc),
2. applications they infect (W97M, WordPro,
X97M, etc)
3. languages (HTML Scripting languages
like VBS, JS etc).
Delivery of malicious codes to a users machine
the most popular early methods of passing viruses
by floppy disk.
Internet borne worms, that require no human
intervention, once started.

3
Malware, security tools and toolkits

Malware any piece of malicious software.
Security tools and toolkits
designed to be used by security professionals to
protect their systems, networks and web-sites
may also be used by unauthorized individuals to
probe for weaknesses.
The purposes, not the approach, makes a
program malicious.
Many of the programs, that may be called malware,
have benevolent uses also.

4
Benevolent Uses

Worms can be used to distribute computation on
idle processors
Trap doors/ back doors are useful for debugging
programs
A trapdoor a code that recognizes some
special (unlikely) sequence of inputs or is
triggered by being run from a special ID.
Some programs require special privileges and
authentication to access it. Or they may require
long setup (providing many initial values of
variables) and authentication.
..continued on
the next slide

5
Benevolent Uses of Trap doors and Viruses

While debugging one may want to be able to open
the program without going through these
procedures.
A trapdoor allows one to activate the program
even if something be wrong with the
authentication procedure.
Viruses can be written to update source code and
patch bugs.

6
A Normal Utility Rootkit .1

ROOTKIT uses two words- "root" and "kit".
Root refers to the "Administrator" account on
Unix and Linux systems
kit a set of programs or utilities that allow
someone to maintain root-level access to a
computer.
Additionally the presence of the rootkit should
be undetectable.
NORMAL USES of Rootkits ( known to exist since
1989 or earlier) For allowing maintenance of
command and control over a computer system,
without the computer system user knowing about
it. This requires the capability
of executing files and changing system
configurations on the target machine,
of accessing log files or monitoring activity on
the user's computer usage.

7
A Normal Utility Rootkit .2

Legitimate users of rootkits Administrators of
large networked systems, law enforcement agents
or parents or employers wishing to retain remote
command and control and/or the ability to monitor
activity on their employee's / children's
computer systems.
Rootkit products Spectorsofts two products
eBlaster and Spector Pro, allow for such
monitoring.
LARGE SCALE ABNORMAL USE In Dec 2004, hackers
started using Rootkits against Windows systems.
Reference for slides 6 and 7 Tom Bradley, What
Is A Rootkit? , http//netsecurity.about.com/od/f
requentlyaskedquestions/f/faq_rootkit.htm, as of
2nd December 2007

8
Rootkit A Hackers Tool

A rootkit a collection of tools (programs) that
enable administrator-level access to a computer
or computer network.
Typically, a hacker first obtains user-level
access, either by exploiting a known
vulnerability or cracking a password. Then he
installs the rootkit.
A rootkit has tools for
logging keystrokes,
monitoring packets on the network to gain
information continued

9
Tools in a Rootkit

Collecting usernames and passwords
Obtaining multiple methods of backdoor entry,
using different ports and protocols
Gaining root or privileged access to the computer
and other machines on the network Thus if the
first intrusion is detected, the hacker has other
methods of intrusion in to the machine and the
network.
altering system log files and administrative
tools to prevent detection
for hiding the files and processes that the
intruder may place on the system and for hiding
port and protocol connections.
continued

10
Tentacles of a Rootkit

using the machine to launch attacks on other
machines
CLEANING A MACHINE with a Rootkit Difficult
since the extent of infiltration in the machine
and the network may not be known
References 1. Tom Bradley, Rootkits,
http//netsecurity.about.com/od/secureyourwindowsp
c/a/rootkits.htm, as of 2nd December 2007
2. What is a rootkit? a definition from
Whatis.com,http//searchsecurity.techtarget.com/sD
efinition/0,,sid14_gci547279,00.html , as of 2nd
December 2007

11
Classification of Malicious programs
First Method
Malicious programs
Independent
Need Host programs
Trap doors Logic Bombs Trojan Horse Viruses
Zombie Worms
Bacteria
A Logic Bomb or a Trojan Horse may be part of a
Virus or Worm.
12
Classification of malicious programs

Programs that do not replicate consist of
fragments of programs that are activated,
when the host program is invoked or
when in the host program, a specific function is
performed.
Programs that replicate consist of
a program fragment (Example Viruses) Or
an independent program (Example Worm or
bacterium)
that, when executed, may produce one or more
copies of itself on the same system or some other
system.

13
Classification of Malicious Program
The Second Method
Malicious Programs
Those that wont replicate
Those that replicate themselves
Trap Doors Logic Bombs Trojan Horses Viruses
Zombie Worms
Bacteria
Ref Fig 19.1 pp.599, Stallings 2003
14
Malicious Software

Malicious software runs under the users
authority (without his knowledge and permission)
hence can do all that a user can himself do.
TYPES Back doors/ trap doors allow
unauthorized access to your system.
Logic bombs programmed threats that lie dormant
for an extended period of time until they are
triggered at this point, they perform a function
that is not the intended function of the program
in which they are contained .

15
Triggers for logic Bombs

Logic bombs usually embedded in programs by
software developers who have legitimate access to
the system.
Triggers for Logic Bombs
Presence or absence of certain files.
Particular day of the week or data.
Particular user running the application

16
Trojan horses

Trojan horses programs that appear to have one
function but actually perform another function.
The modern day Trojan horses resemble a program
that the user wishes to run a game, a
spreadsheet, or an editor.
While the program appears to be doing what the
user wants, it is also doing something else
unrelated to its advertised purpose, and without
the users knowledge.

17
Examples of Trojan horse attacks

Examples of Trojan horse attacks
A compiler was modified to insert additional code
into certain programs as these are compiled.
The code creates a trapdoor in the login
program that permits the author to log on to the
system using a special word. Difficult to
discover, by reading the source code of the
program.
Ref THOM 84 from Stallings2003

18
Examples of Trojan horse attacks
(continued)

Attach a (secret) program -- to the regular
program for listing the users files in a
particular format.
The attached program may change the file
permissions to make them readable by any user.
After the program is executed, any one can read
the files.

19
Viruses

Viruses programs that modify other programs on
a computer, inserting copies of themselves.
Viruses not distinct programs
need to have some host program, (of which they
are a part), executed to activate them
executes secretly, when the host program is run.
A typical virus takes control of the Operating
System. Whenever it comes in contact with any
uninfected piece of software, a fresh copy of the
virus is attached to the new program.
Reference A malicious program was called a Virus
by Cohen. Cohen F.,Computer Viruses, Computer
Security A Global Challenge, Elsevier Press,
1984, p143-158

20
Worms

Worms programs that propagate from computer to
computer on a network, without necessarily
modifying other programs on the target machines.
Worms
can run independently
travel from machine to machine across network
connections
may have portions of themselves running on many
different machines.
Worms do not change other programs, although they
may carry other code that does (for example, a
true virus or a Trojan horse may be implanted by
a worm).

21
Worms (continued)

To replicate itself, a worm uses some network
vehicle. Examples
Electronic mail A worm may mail a copy of itself
to another system.
Remote execution capability A worm may execute a
copy of itself on another system.
Remote log-in capability A worm logs on another
system as a user and then uses commands to copy
itself to the remote system.
A Worm may determine whether a host has been
infected before copying itself.

22
Worms (continued)

In a multiprogramming system, a worm may hide
itself by naming itself as a system process.
It may examine the routing tables to locate the
addresses of remote machines, to which it may
connect, without any information to the owner of
the local host.
Examples of Worms
Morris 1998 for unix systems,
Code Red, Code Red II, NIMDA,
W32/Netsky.P.worm, MyDoom.A, Sober.I worm,
Sobiq.E worm, Bagle.BC worm

23
A Rootkit Not a Virus or a Worm

A rootkit modifies the flow of the operating
system or changes the data set, which the
operating system uses.
A virus is designed to damage a system. A worm
scans for vulnerabilities and spreads to other
computers on the network. But a rootkit may stay
hidden and maintain its functionality, without
damaging a system for a long time.
A rootkit may be classified as a Trojan.

24
Phases of a virus and a worm

A worm as well as a virus have the following
phases
Dormant phase This phase lasts till the
worm/virus is activated
on some Date, or
by presence of some file or program, or
some action like the data on disc exceeding
certain limit.
Some viruses may not have this stage.

25
Phases of a virus and a worm (continued)

2. Propagation phase Both a worm and a virus
check whether the file/system is already
infected. If not, they do the job.
3. Triggering phase may be caused by some
system event.
4. Execution phase Performs a function
Benign function like showing a message on
screen.
Non-benign to damage/destroy certain files.
Viruses are designed to take advantage of the
weaknesses of the OS and/or a hardware platform.

26
Spreading Malware via the Internet

Trojan Horse vs Virus
Whereas a Trojan horse is delivered pre-built, a
virus infects.
Propagation of Virus OLD DAYS through tapes and
disks ? the spread of a virus around the world
took many months.
TODAY Trojan horses, and viruses are network
deliverable as E-mail, java applets,
ActiveX controls, javaScripted pages,
CGI-BIN scripts, or as self-extracting
packages.
DELIVERED as a part of a game or a useful
utility, copied from some electronic bulletin
board

27
Mobile program Systems

Examples Javascript and ActiveX.
became popular with Web servers and browsers, but
are now integrated (e,g, Java into Lotus Notes,
and ActiveX into Outlook) with mail systems.
Security Bugs in both Java and ActiveX
A mobile program may act as the carrier of a
virus.
Any mechanism for sharing of files of programs,
data, documents or images can transfer a virus

28
Structure of Viruses

In the infected binary, at a known byte location
in the file, a virus inserts a signature byte,
used to determine if a potential carrier program
has been previously infected.
On invoking an infected program, it first
transfers control to the virus part.
The virus part infects uninfected executable
files.
Secondly it may damage the system in some way.
Or like a logic bomb, the damaging action may
take place in response to some trigger.
Finally it transfers control to the original
program.
Usually the first two steps may take so little
time, that one may fail to notice any difference.

29
Normal .COM vs. Infected .COM
30
Structure of a virus program

V()
infectExecutable()
If (triggered())
Do Damage()
Jump to main of infected program
.

31
Structure of a virus program (continued)

Void infectExecutable()
file choose an uninfected executable file
Prepend V to file
Void doDamage()
.
int triggered()
Return (some test? 10)

32
Types of Viruses

Types of viruses
Parasitic Virus
It attaches itself to executable files and
replicates, when the infected program is
executed, by finding other files to infect.
Memory resident virus
stays in main memory as a part of a system
program. Then it infects every program that
executes. (Like Terminate and Stay Resident
TSR- programs )

33
Types of viruses (continued)

Boot sector virus
It infects a boot record and spreads when a
system is booted from the disk containing the
virus.
Boot sector contains crucial files. Hence
it is made invisible by the OS. ? boot-sector
virus files will not show up in a normal listing
of files.
Polymorphic virus
Creates copies that are functionally
equivalent but have distinctly different bit
patterns. Thus signature of each copy will vary
and a virus scanner will find it difficult to
locate it.

34
Methods used by Polymorphic Viruses
for variation in signature

Random insertion of superfluous instructions
To interchange the order of independent
instructions
Use of encryption The virus has a mutation
engine which generates a random key and then the
engine is altered the key is stored with the
rest of the virus, which is encrypted.
When this virus infects another host, the altered
mutation engine would generate a different key.
Thus every host would carry a different signature
for the virus.

35
The Stealth Virus

There are two other types The Stealth virus and
the Macro virus.
A stealth virus has code in it that
seeks to conceal itself from discovery or
defends itself against attempts to analyze or
remove it.
The stealth virus adds itself to a file or boot
sector but, when you examine, it appears normal
and unchanged.

36
Methods used by Stealth Virus

The stealth virus performs this trickery by
staying in memory after it is executed. From,
there, it monitors and intercepts your system
calls.
When the system seeks to open an infected
file, the stealth virus displays the uninfected
version, thus hiding itself.
The four types of viruses, discussed in slides 32
and 33, make an infected file longer than it was,
making it easy to spot.
There are many techniques to leave the file
length and even a check sum unchanged and yet
infect.

37
Stealth technique Keeping the file
length unchanged

For example, many executable files often contain
long sequences of zero bytes, which can be
replaced by the virus and re-generated.
It is also possible to compress the original
executable code like the typical Zip programs do,
and uncompress before execution and pad with
bytes so that the check sum comes out to be what
it was.

38
Macros

Macro languages are (often) equal in power to
ordinary programming languages such as C.
A program written in a macro language is
interpreted by the application.
Macro languages are conceptually no different
from so-called scripting languages.
Microsoft applications use Visual Basic script as
macro languages.
Gnu Emacs (Reference http//www.gnu.org/software/
emacs/) uses a dialect of Lisp
The typical use of a macro in applications, such
as MS Word, is to extend the features of the
application.

39
Macros (continued)

Can be used to define a sequence of key-strokes
in a macro and to set it up so that when a
function key is input, the whole of the sequence
is invoked.
Some of these macros, know as auto-execute
macros, are executed in response to some events,
such as..
closing a file,
opening a file,
starting an application,
invoking a command such as FileSave or
pressing a certain key.

40
Auto-executing Macros in WORD

Three types of auto-executing Macros
1.Start-up Auto-execute executed when WORD is
started.
2.Automacro executes when some event like
opening/closing a document, creating a new
document, quitting WORD
3.Commandexecutes when a WORD command, like
FileSave) is executed.
MS has developed a Macro Virus Protection Tool.
It detects suspicious files and alerts the user
to the risk of opening them.

41
Macro Viruses

Macro Viruses form a large majority of the total
number of viruses today.
A macro virus is a piece of self-replicating code
inserted into an auto-execute macro.
Once a macro is running, the virus copies
itself to other documents.
Another type of hazardous macro is one named for
an existing command of an application.

42
Macro Viruses (continued)

Example If a macro named FileSave exists in the
normal.dot template of MS Word, that macro is
executed whenever you choose the Save command on
the File menu.
Unfortunately, there is often no way to disable
such features.
Such macro viruses may be carried in the command
part of a text file, a database, a slide
presentation or a spreadsheet. The user sees only
the data part and not the command part. So he
would not be able to see the malicious code.
Ref For Loveletter virus for OUTLOOK (May 2000)
http//all.net/journal/cohen0504-2.htm

43
Spread of Macro Viruses

Macro Viruses spread fast because
Macro viruses may be platform independent in that
any hardware/software platform that supports the
particular application can be infected.
Macro viruses affect documents and not executable
portions of code.
Spread easily by e-mail.
Ex A virus, called Melissa, used a micro,
embedded in a WORD document attached to an
e-mail. .

44
Melissa

On opening the WORD attachment of e-mail,
it damages the local machine and
it sends itself to all the addresses in the
e-mail address book.
In 1999, new e-mail viruses appeared. These would
be able to infect, as soon as one opens the
carrier e-mail, and not by opening an attachment

45
Unix/Linux Viruses

The most famous of the security incidents in the
last decade was the internet Worm incident which
began from a Unix system.
Several Linux viruses have been discovered.
The Staog virus first appeared in 1996 and was
written in assembly language by the VLAD virus
writing group, the same group responsible for
creating the first Windows 95 virus called Boza.
Like the Boza virus, the Staog virus is a
proof-of-concept virus to demonstrate the
potential of Linux virus writing without actually
causing any real damage.

46
Unix/Linux Viruses (continued)

The second known Linux virus is called the Bliss
virus.
Unlike the Staog virus, the Bliss virus can not
only spread in the wild, but also possesses a
potentially dangerous payload that could wipe out
data.

47
Zombie

Zombie A program that takes over a computer,
without any authorization and without informing
the owner of the system.
The program originates from some other host.
It then uses the computer, that has been taken
over, for attacking a victim.
Objectives To hide the originator of the attack
To attack the victim through a
large number of zombie computers (as in a DDoS
attack)

48
Bacteria or rabbit

Bacteria, or rabbit program, replicates without
bound to overwhelm a computer systems resources.
Bacteria do not explicitly damage any files.
Their sole purpose is to replicate themselves.
A typical bacteria program may do nothing more
than execute two copies of itself simultaneously
on multiprogramming systems, or perhaps create
two new files, each of which is a copy of the
original source file of the bacteria program.

49
Bacteria continued

Both of those programs then may copy themselves
twice, and so on. Bacteria reproduce
exponentially, eventually taking up all the
processor capacity, memory, or disk space,
denying the user access to those resources.

50
Dropper

A dropper a program that is not a virus, nor is
it infected with a virus, but when the program is
run, it installs a virus into memory, on to the
disk, or into a file.
Droppers have been written sometimes as a
convenient carrier for a virus, and sometimes as
an act of sabotage.
Some anti-virus programs try to detect droppers.

51
Virus Detection

Virus is used, (in the following slides-for-
detection-and-removal of viruses,) to stand for
all types of malicious programs.
Virus detection programs analyze a suspect
program for the presence of known viruses.
Fred Cohen has proven mathematically that
perfect detection of unknown viruses is
impossible no program can look at other program
and say either a virus is present or no virus
is present, and always be correct.

52
Virus Detection (continued)

Most new viruses are sufficiently like old
viruses ? the scanning for old viruses may find
the new ones.
There are a large number of heuristic tricks that
anti-virus programs use to detect new viruses,
based either on how they look, or what they do.
Since brand-new viruses are comparatively rare,
these methods may suffice.
After detection of a virus, its identification
and removal is required.

53
generations of virus scanners

The first generation of virus scanners
obtain a virus signature, a bit pattern, to
detect a known virus.
record and check the length of all executables.
The second generation of virus scanners
scan executables with heuristic rules, looking
for fragments of code associated with a typical
virus.
do integrity checking by calculating a checksum
of a program and storing somewhere else the
encrypted checksum.
OR A better method is storing a hash function
rather than a checksum. The encryption key is
stored at a separate place.

54
generations of virus scanners
(continued)

The third generation of virus scanners use a
memory resident program to monitor the execution
behavior of programs to identify a virus by the
types of action that the virus takes.
The fourth generation of virus scanners combines
all the previous approaches and includes access
control capabilities so that system penetration
and access to files may be denied.

55
Advanced Anti virus Techniques

1) Generic Decryption (GD) Technology
It uses the following components
a) CPU Emulator Consisting of a virtual computer
with software versions of all registers and other
processor hardware.
b) Virus signature scanner
c) Emulator control module
Virus elements are usually activated immediately
after a program starts execution.
GD begins execution of an executable file in the
CPU emulator. As each instruction is executed,
the signature scanner tries to expose the virus.

56
Advanced Anti virus Techniques Generic
Decryption (GD) Technology

A polymorphic virus would decrypt itself and be
recognized by the signature scanner.
This process does not affect the computer, since
the CPU emulator provides a safe and controlled
environment.
Difficulties
How many instruction may be interpreted through
the emulator ? - is a design issue
The user would complain if the GD scanner uses a
great deal of computer resources and these are
not available to the user.

57
Advanced Anti virus Techniques
IBMs Digital Immune System

2) IBMs Digital Immune System (DIS)
Since the viruses spread through e-mail, internet
and mobile code, IBM has developed the system for
fast response.
When a new virus enters the system of an
organization, DIS captures it, analyzes it, adds
detection and shielding for it, removes it and
informs other systems running IBM anti-virus
about it

58
Components of DIS

1) Monitoring Program - on each PC - uses
heuristics based on
system behaviour
changes to programs
virus signatures
to monitor the presence of a virus in a program.
Such an infected program is sent to an
Administrative Machine in the organization

59
Components of DIS continued

2) Administrative Machines one machine located
at each site
It encrypts suspect program received from any PC.
It sends the encrypted suspect program to the
Central Virus Analysis machine.
3) Central Virus Analysis machine
It provides a safe environment for running the
suspect program (like the CPU emulator and
Emulation Control module of the GD scanner).

60
Components of DIS continued

3) Central Virus Analysis machine
continued..
It generates a prescription for identifying and
removing the virus.
The prescription is sent to all the clients in
the world through their Administrative Machines.

61
Advanced Anti virus Techniques
Behavior Blocking Software

3) Behavior Blocking Software monitors and
blocks malicious actions like
Attempts to open, view, delete or modify files
Attempt to format a disk or other non-recoverable
disk operations.
Modifying logic of executable files or macros
Modification of critical settings like start-up
settings
Initiation of network communication
sending executable content through e-mail or
instant messaging.

62
Behavior Blocking Software continued

Irrespective of complexity of a virus, this
real-time blocking of malicious request can keep
the system safe.
However even a behavior, which may look normal,
may be problematic, thus shuffling of files may
make them unusable. So if shuffling of files is
not blocked, a virus may still succeed in making
the system unusable.
But can we/ should we block shuffling of
files?

63
Prevention, Detection Removal of Viruses

Use software acquired from reliable vendors only
Test all new software on isolated computers
with no hard disk and
not connected to a network and
with boot disk removed
Check for any unexpected behavior.
Scan with an up-to-date virus scanner, which
should have been installed before running the new
software.

64
Prevention, Detection Removal of Viruses
continued

Open an attachment only if it is safe.
When the system is known to be virus free,
prepare a recoverable system image and store it
safely in a write-protected medium
Prepare and store safely back-up copies of
executable system files
Use virus scanners and update them regularly.

65
Prevention, Detection Removal of Viruses
continued

Removal of a virus possible only if it is
detected and eliminated faster than it spreads
A resident virus may disable system calls, used
for deleting it.
A virus may be hidden in a variety of files -
even in normally hidden system files.

Examples of Viruses
up to slide 83

67
Example of Viruses

Brain It locates itself in the upper part of
memory.
Traps interrupt 19 (used in PCs for disk-read) by
resetting the interrupt address table to point to
itself.
Uses interrupt 6 (unused in PCs) to point to the
former address of interrupt 19
Thus it receives all disk read calls and shows
only the original uninfected boot sector to a
user (thus hiding itself.)

68
Example of Viruses Brain

It uses the boot sector and 6 other sectors on
the disk.
The brain virus splits itself into 3 parts.
The first part is in the boot sector. The other 2
parts are in the two other sector of the disk.
The 3rd sector of the disk contains the original
boot sector code.
Another copy of the virus is stored in the
remaining 3 sectors on the disk

69
Example of Viruses Brain
continued

The virus marks the six disk sectors as faulty,
so that OS may not use them.
Signature in 5th and 6th bytes of the file, it
stores 1234 ( HEX ).
Action with every disk read, it examines the
file for its signature. If it is not there, it
infects the file.
Name It changes the label of any disk it attacks
to the word BRAIN.

70
Morris Worm

Released on Internet in the evening of Nov 2,
1988 by Robert T. Morris Jr., a grad student of
Cornell.
In 1990 he was sentenced to a fine of 10,000, a
suspended 3 year jail and 400 hours of community
service.
Morris exploited three flaws
1. Unix Password file is stored in encrypted
form.
But any one can read the ciphertext.

71
Morris Worm the first flaw

To connect to a remote system, it tries to crack
the local password file by trying the following
the 432 words (like password, guest, coffee,
coke, aaa etc) included in the worm,
all the words in the dictionary file stored on
the system for spell-check.

72
Morris Worm the second flaw

2.) the second flaw- in fingered
fingered continuously runs to service requests,
from other computers, about system users.
Security flaw in fingered overflow of input
buffer spills in to the return address stack
when a fingered call terminates, it may execute
instructions, pushed through buffer overflow.
This may cause the worm to connect to a remote
shell.

73
Morris Worm the third flaw

3) the third flaw --- in sendmail - in debug
mode
Normally sendmail runs in the background. It
receives a send instruction along with dest
address.
However in debug mode the worm can send a
command string, in place of dest address. Then
this command string may be executed.
Assume that the Worm has been able to enter a
host (without its knowledge or permission.)

74
Morris Worm action

It examines the following lists on the host
tables giving lists of trusted machines,
mail forwarding lists,
tables stating the access rights of the local
host on remote machine
status of network connections
It selects a suitable target.
Uses - one of the three flaws - to send a
bootstrap program of 99 lines of C code.
Through the host, it sends a command to execute
the program on the target machine.
Then the host logs off.

75
Morris Worm action continued

The bootstraps-on-target now connects to the host
to get the rest of the worm.
The bootstrap authenticates by sending a password
(so that a system admin should not be able to get
the rest of the worm)
The host sends the rest of the worm
Efforts at stealth
if any transmission error occurs while
transferring, the bootstrap deletes all record,
received till then.

76
Morris Worm Efforts at Stealth

After receiving the full code of the worm, it is
encrypted. The original copies are deleted from
the target.
It changes its name and identifier periodically
Because of a flaw in the code of Morris, it
created many copies of the worm on the same
machine, thereby degrading its performance to
normal tasks.
After Morris, a Computer Emergency Response Team
was set up in Carnegie - Mellon University.

77
Code Red

Uses a security hole in MS Internet Information
Server (IIS).
On July 12, one in 8 of the 6 million IIS servers
were affected.
The first version shows the following text on the
web
Hello!
Welcome to http//www.worm.com !
Hacked by Chinese !

78
Code Red Action

Day 1 to 19th, spawns 99 parallel threads scans
for other computers for infecting them
day 20-27 it attacked www.whitehouse.gov by DDoS
from day 28 to end of month it lies dormant.
It disables the system File Checker in windows.
It uses random IP addresses to spread to other
machines.

79
Code Red Action continued

It suspends its activities periodically and then
restarts.
Code Red II also installs a backdoor to permit a
hacker to be able to use the victim machines.
It would automatically stop after Oct 2002.
Finally it reboots after 24/48 hours, wipes
itself from memory but leaves the Trojan in place.

80
Code Red Technique continued

Vulnerability in IIS buffer overflow in dynamic
link library called idq.dll
Code red II creates a trapdoor by copying
windir\cmd.exe to 4 locations
C\inetpub\scripts\root.txt
C\progra1\common1\system\MSADC\root.exe
d \inetpub\scripts\root.ext
d\program1\common1\sytem\MSADC\root.exe

81
Code Red Technique continued

Code red also includes its own copy of
explorer.exe on c and d drives.
It modifies system registry to allocate Read,
Write and execute permission in some directories
to every one.
The Trojan horse continues to run in the
background, resetting the registry every 10
minutes.
Thus even if a system admin notices the changes
in the registry and removes them, the Trojan will
again create changes.
Code red may be beta test for information war
fare.

82
Two more well-known viruses

NIMDA It had multiple spread modes
e-mail
client-to-client through open network connection
web-server to client
client to web-server
by using backdoor left by Code Red II
It modifies html files and some executable files.
It creates numerous copies under various names.

83
The "Slammer" virus

The "Slammer" virus ( also known as the "SQL" or
"Sapphire" worm)
launched at midnight ET on Saturday in Jan 2003,
shut down MS IIS based web-servers worldwide.
By Sunday morning, about 150,000 to 200,000
servers had been compromised.
By quickly copying itself and seeking to spread
to the computers that manage Internet traffic,
the worm overwhelmed networks worldwide,
causing probably the most damaging attack in a
year and a half.

84
Multi-pronged approach

Attacks from various fronts.
So security has also to be multi-faceted.
Example A mobile user A, who may be a salesman,
may be allowed to access a company network,
protected by a firewall.
A may have a wireless network at home, which may
get
connected to the company network.
A malicious user, who may be a neighbor or even a
computer, in a parked vehicle near As home,
could in
turn become a part of the wireless network.
Thus firewall alone may not be able to provide a
protection from such a malicious user.

85
Multi Pronged Protection Systems

Based on Behavior Blocking Software idea of slide
61
MPPS
monitor traffic characteristics.
Use anomalies to develop real time warning and
defensive actions.
During an attack, MPPS determines the
characteristics of malicious attack traffic by
tracking various attributes of packets including
Source and destination socket addresses
IP TTL
protocol
Packet length

86
Multi Pronged Protection Systems
continued

Characterization of the malicious traffic by
identifying the highest volume values for each
packet attribute and comparing current
distributions of the attribute values to normal
distributions.
Two types of Triggers
Bandwidth triggers based on packet and byte
rates. They indicate attempts to flood a network
and consume its bandwidth.
Suspicious traffic triggers based on packets
that target resources on the network, such as TCP
SYN flood attack packets.

87
Solutions

Once an attack is detected, there are two
solution approaches
Black-hole routing allows the administrator to
take all malicious traffic and route it to a null
IP address or drop it.
Sinkhole routing The malicious traffic is sent to
an IP address where it can be examined.

88
Multi Pronged Protection Systems
continued

Both Black-hole and Sink-hole routing can be used
at the enterprise level. Or
at the ISP level, who can prevent the malicious
traffic from reaching the customer's network.
(Most ISPs have some level of DDoS traffic
crossing their networks virtually all the time.
This costs them money in terms of bandwidth and
annoys customers.)
DISADVANTAGE of using Filtering at ISP the
possibility of catching legitimate traffic as
well.

89
Virus vs Spyware

A virus designed to damage the machine in some
way
Spyware
a form of adware with tracking capability
hidden in free open-source software
used to collect information about a user
Use Spybot or AdAware for removing Spyware from
your machine.

90
To end

three news-item on security
one on ticking time-bombs in the weakest link
the PCs
and
two on 1st April pranks by security companies

91
A honey-pot is added

Bill McCarty, an Associate Professor of Web and
Information Technology at Azusa Pacific
University, Calif., said a Windows 2000 "honey
pot" machine that he runs has been added to
several bot networks, or botnets reportedly
many hundreds of thousand strong as of now.
(A honey pot is a machine connected to the
Internet and left defenseless so that security
experts can observe hackers' activities or
methods.)

92
Two pranks of April 1, 2003

A news-item in the Register, a U.K. IT news Web
site Availability of an Intruder Retaliation
Systems (IRS) by a new (fake) security company.
The first IRS, called the Payback 1.0 an
application that
instantly and dynamically 'traces' the IP source
addressno matter how well maskedof the network
attack/infection and
responds by launching either a Domain Name or
mail server flood attack in the direction of the
attacker."

93
The second prankAn advisory posted to BugTraq
(by an Internet security company
but not on Internet security)

A (fake) company called S.E.L.L.warns that "a
DDoS condition is present in the election system
in many polypartisan democratic countries. A
group of determined but unskilled and not
equipped low-income individuals, usually between
0.05 and 2 of the overall population of the
country, can cause serious disruptions or even a
complete downfall of the democratic system and
its institutions.
The fix for this vulnerability for affected
parliaments to either "establish a convenient
dictatorship or a monarchy, or become the 51st
state."

94
Abbreviations

IPSec IP Sec protocol
SSL Secure Socket layer
TLS Transport Level Security
SSH Secure SHell
KerberosProject Athenas Authentication Service
SHA Secure Hash Algorithm
DSA Digital Signature Algorithm
RSA RSA Laboratories named after its founders
Ron Rivest, Adi Shamir, Leonard Adelman
DES Data Encryption Standard
MD Message Digest

95
References

1.To study the details of a scanner
Sandeep Kumar, and Gene Spafford, A Generic
Virus Scanner in C, Proceedings of the 8th
Computer Security Applications Conference, IEEE
Press, Piscataway, NJ pp.210-219, 2-4 Dec 1992
2.For a complete list of known viruses
www.cai.com/virusinfo/encyclopedia/
3.For cryptography
G.C.Kessler, An Overview of Cryptography
http//www.hill.com/library/staffpubs/crypto.
html
RSA Laboratories, RSALabs FAQ,
http//www.rsasecurity.com/rsalabs/faq/

96
References continued

4.For MPPS
http//www.mazunetworks.com/products/enforcer.html
http//www.intruvert.com/resources/index.htm
http//www.okena.com/areas/products/products_liter
ature.htmlCOMPARE

Malware payloads have been boring..
Payloads can be malign and I expect that
well see more devious payloads over the
next few years.
- Bruce Schneier
author of Applied Cryptography
FIREWALLS up to slide

98
Firewall a
definition

A Firewall is a set of related hardware and/or
software, which protects the resources of a
private network from the outside networks.
watch single point rather than every PC
A firewall provides strict access control between
your systems and the outside world.

99
Packet-Filtering Router

Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet, usually for both directions.
The rules are mainly based on the IP and
transport (TCP or UDP) header, including
source and destination IP address,
IP protocol field,
TCP/UDP port number.

100
Application-Level Gateway
(Proxy Server)

Acts as a relay of application-level traffic.
Users contact the gateway using a TCP/IP
application (such as FTP or Telnet) with
the information of the remote host to be
accessed. The gateway will contact the
application on the remote host and convey
TCP segments containing the application
data between the two endpoints.

101
Firewall Limitations

Firewall can not protect against attacks that
bypass the firewall (e.g. dial-up modem)
Firewall does not protect against internal
threats, such as a bad employee
Firewall can not protect against the transfer of
virus-infected files
cant prevent people walking out with disks

102
Packet Filtering Advantages and
Disadvantages

Advantages Fast, Flexible, and Inexpensive
Disadvantages
Lack the ability to provide detailed audit-
information about the traffic they transmit
Vulnerable to attack.
Firewall can become a bottleneck for a big
system. ? Multiple firewalls in parallel, divided
by function?

103
FIREWALLS the common architecture

The most common firewall architecture contains at
least four hardware components
an (exterior) router,
a secure server (called a Bastion Host),
an exposed network (called a Perimeter Network),
an (interior) filtering router.

104
Firewall an example

Screened subnet type of firewall

105
Firewall an example (continued)

Exterior Router uses packet filtering to
eliminate packets coming from the external world
that have a source address that matches that of
the internal network.
The interior router does the bulk of the access
control work. It filters packets on
address
protocol and
port numbers
to control the services that are accessible to
and from the interior network.

106
Firewall an example (continued)

The bastion host
a secure server.
provides an interconnection point between the
enterprise network and the outside world for the
restricted services.
Some of the services that are restricted by the
interior gateway may be essential for a useful
network. Those essential services are provided
through the bastion host in a secure manner. The
bastion host
provides some services directly, such as DNS,
SMTP mail services, and anonymous FTP
May also provide other services as proxy
services.

107
Firewall an example (continued)

bastion host (continued)
When the bastion host acts as a proxy server,
internal clients connect to the outside world
through the bastion hosts and external systems
respond back to the internal clients through the
host.

108
Typical Enterprise Network Topology
(without VPN)
109
Network Address Translator

NA(P)T network address (and port) translator are
not firewalls, but can prevent all incoming
connections

110
NAT
111
IPS vs IDS

NEW IPS Intrusion Prevention Systems
IDS Intrusion Detection Systems IDS devices sit
on a monitor port and simply report problems.
While an IPS device takes action, IDS products
usually just send an alert to an IT staff person,
who must then evaluate the alert and take action.
PROBLEM with IPS
Costly
need to be periodically tuned so that good
traffic is not inadvertently dumped.

112
IPS devices

operate inline, often at wire speed,
tuned to drop bad traffic from the network.
most IPS devices must be used in conjunction with
a firewall at the perimeter.
process packet contents, not just the headers,
track the state of network connections fast and
thwart DoS (denial-of-service) attacks by quickly
identifying malicious connections. (through fast
identification, statistical pattern analysis and
re-routing suspect traffic to a mitigation
engine, which examines the traffic carefully)
However no method can eliminate the problem of
bandwidth starvation to valid users

113

We are going backward, not forward todays
systems dont even achieve the security level
Multics had in the seventies.
Karger and Schell, 2002
Thirty years later Lessons from the Multics
security evaluation, Proceedings of the Annual
Computer Security Applications Conference, 2002,
pp. 332

114
Internet security protocols at layers
SSH, SFTP, PGP, PEM, HTTPS
SSL/TLS, SSH
IPSec
Security in data link layer?
Other security systems Kerberos, X.509
Figure 2.10
115
Terms about Internet security

HTTPS
Secure Hypertext Transfer Protocol
an application layer protocol for WWW
using a Secure Socket Layer (SSL).
SSL
Secure Socket Layer,
a transport layer protocol
Similar to socket but adding encryption and
authentication
TLS
Transport Layer Security
A transport layer protocol
The IETF version of SSL

116
Terms about Internet security

SSH
Secure SHell
An application layer protocol (initially)
Replace telnet, rlogin, ftp
Generalized as a transport layer protocol
PGP
Pretty Good Privacy
An application layer protocol
Embedded in email such as elm
Flexible public key certificate and verification

117
Terms about Internet security

PEM
Privacy Enhanced Mail
An application protocol
For secure email
Strict hierarchy in public key certificate
IPSec
Internet Protocol Security
A network layer protocol
Contains two parts (may use separately)
AH Authentication Header
ESP Encapsulation Security Payload

118
Terms about Internet security

IKE
Internet Key Exchange, Establishing key used in
IPSec.
PKI
Public Key Infrastructure
Refer to the widespread availability of public
keys and certificates
ISAKMP
Internet Security Association and Key Management
Protocol.
Kerberos used in large distributed systems or
Grids
A system for authentication based on secret keys
OAKLEY
An IETF protocol that provides s mechanism that
two authenticated parties can agree on secure and
secret keying material