The Attack and Defense of Computers

1

• The Attack and Defense of Computers
• Dr. ? ? ?

2

• Malware

3
Malicious Software (Malware)

• Security tools and toolkits
• Back doors (trap doors)
• Logic bombs
• Viruses
• Worms
• Binders
• Droppers
• Trojan Horses
• Bacteria or rabbit programs.
• Spyware
• Rootkit
• URL Injection
• Dialers

4
Security Tools and toolkits

• Automatically scan for computer security
  weaknesses.
• Can be used by both security professionals and
  attackers.
• E.g. Nessus, COPS, ISS, Tiger, and so on.
• There are also programs and tool sets whose only
  function is to attack computers.
• Script kids
• P.S. These tools may damage the systems that
  install them or may contain booby-trap that will
  compromise the systems that install them.

5
Logic Bombs

• A logic bomb is a piece of code intentionally
  inserted into a software system that will set off
  a malicious function when specified conditions
  are met.
• For example, a programmer may hide a piece of
  code that starts deleting files, should he ever
  leave the company (and the salary database).
• Usually written by inner programmers.

6
Logic Bombs and Viruses and Worms

• Software that is inherently malicious, such as
  viruses and worms, often contain logic bombs that
  execute a certain payload at a pre-defined time
  or when some other condition is met.
• This technique can be used by a virus or worm to
  gain momentum and spread before being noticed.
• Many viruses attack their host systems on
  specific dates, such as Friday the 13th or April
  Fool's Day.
• Trojans that activate on certain dates are often
  called "time bombs".

7
Key Logger

• A program or hardware device that captures every
  key depression on the computer.
• Also known as "Keystroke Cops," they are used to
  monitor a user's activities by recording every
  keystroke the user makes, including typos,
  backspacing and retyping.

8
Security Concerns about Key Loggers

• Keystroke logging can be achieved by both
  hardware and software means.
• There is no easy way to prevent keylogging
  software being installed on your PC, as it is
  usually done by a method of stealth.
• If you are using a home PC, then it is likely to
  be free on any keystroke logging hardware (but
  remember there may be keystroke logging
  software).
• Try and avoid typing private details on public
  PCs, and always try and avoid visiting sites on
  public PCs that require you to enter your login
  details, e.g. An online banking account.

9
Example

• Ardamax Keylogger 12

10
Dialers

• A program that
• replaces the phone number in a moderns dial-up
  connection with a long distance number, often out
  of the country, in order to run up phone charges
  on pay-per-dial numbers
• dials out at night to send keylogger or other
  information to an attacker.

11
URL Injection

• Change the URL submitted to a server belonging to
  some or all domains.

12
Bacteria and Rabbits

• Bacteria (also known as rabbit programs) are a
  type of malware that create many instances of
  themselves, or run many times simultaneously, in
  order to consume large amounts of system
  resources.
• Bacteria create a denial of service effect as
  legitimate programs may no longer be able to run,
  or at least may not run properly.

13

• Binder CA

14
Definition of Binder 

• A tool that combines two or more files into a
  single file, usually for the purpose of hiding
  one of them.
• A binder compiles the list of files that you
  select into one host file, which you can rename.
• A host file is a simple custom compiled program
  that will decompress and launch the embedded
  programs.
• When you start the host, the embedded files in it
  are automatically decompressed and launched.

15
Example

• When a Trojan is bound with Notepad, for
  instance, the result will appear to be Notepad,
  and appear to run like Notepad, but the Trojan
  will also be run.

16
Program

• YAB Yet Another Binder
• User Guide

17

• Dropper Wikipedia

18
Definition of a Dropper

• A dropper is a program (malware component) that
  has been designed to "install" some sort of
  malware (virus, backdoor, etc) to a target
  system.
• Single stage the malware code can be contained
  within the dropper in such a way as to avoid
  detection by virus scanners
• Two stages the dropper may download the malware
  to the target machine once activated

19
Types of Droppers

• There are two major types of droppers
• those that do not require user interaction
• perform through the exploitation of a system by
  some vulnerability
• those that require user interaction by convincing
  the user that it is some legitimate or benign
  program.

20
Examples

• 8sec!Trojan

21

• Trojan Horse Wikipedia

22
Trojan Horse

• In the context of computer software, a Trojan
  horse is a malicious program that is disguised as
  or embedded within legitimate software.
• Trojans use false and fake names to trick users
  into executing them.
• These strategies are often collectively termed
  social engineering.
• A Trojan is designed to operate with functions
  unknown to the victim.
• In most cases the program performs other,
  undesired functions, but not always.
• The useful, or seemingly useful, functions serve
  as camouflage for these undesired functions.

23
Properties of Trojan Horses

• Trojan horse programs cannot operate
  autonomously, in contrast to some other types of
  malware, like worms.
• Just as the Greeks needed the Trojans to bring
  the horse inside for their plan to work,
• Trojan horse programs depend on actions by the
  intended victims
• if Trojans replicate and even distribute
  themselves, each new victim must run the
  program/Trojan.
• Due to the above reasons Trojan horses virulence
  depends on
• successful implementation of social engineering
  concepts
• not flaws in a computer system's security design
  or configuration.

24
Categories of Trojan Horses

• There are two common types of Trojan horses
• an otherwise useful software that has been
  corrupted by a cracker inserting malicious code
  that executes while the program is used.
• Examples include various implementations of
• weather alerting programs
• computer clock setting software
• peer to peer file sharing utilities.
• a standalone program that masquerades as
  something else, like a game or image file (e.g.
  firework.jpg.exe in Windows.)

25
Malware Parasitizes inside Trojan Horses

• In practice, Trojan Horses in the wild often
  contain
• spying functions (such as a packet sniffer)
• backdoor functions that allow a computer,
  unbeknownst to the owner, to be remotely
  controlled from the network, creating a zombie
  computer.
• The Sony/BMG rootkit Trojan, distributed on
  millions of music CDs through 2005, did both of
  these things.
• Because Trojan horses often have these harmful
  behaviors, there often arises the
  misunderstanding that such functions define a
  Trojan Horse.

26
Example of a Simple Trojan Horse

• A simple example of a Trojan horse would be a
  program named waterfalls.scr.exe claiming to be a
  free waterfall screensaver which, when run,
  instead begins erasing all the files on the
  computer.

27
E-Mail Trojan Horses

• On the Microsoft Windows platform, an attacker
  might attach a Trojan horse with an
  innocent-looking filename to an email message
  which entices the recipient into opening the
  file.
• The Trojan horse itself would typically be a
  Windows executable program file, and thus must
  have an executable filename extension such as
  .exe, .com, .scr, .bat, or .pif.
• Since Windows is sometimes configured by default
  to hide filename extensions from a user, the
  Trojan horse has an extension that might be
  "masked" by giving it a name such as
  Readme.txt.exe. With file extensions hidden, the
  user would only see Readme.txt and could mistake
  it for a harmless text file.
• Icons can also be chosen to imitate the icon
  associated with a different and benign program,
  or file type.

28
Commonly Used Methods of Infection

• Websites.
• E-mails.
• Downloaded Files.

29
Websites

• You can be infected by visiting a rogue website.
• Internet Explorer is most often targeted by
  makers of Trojans and other pests, because it
  contains numerous bugs, some of which improperly
  handle data (such as HTML or images) by executing
  it as a legitimate program. (Attackers who find
  such vulnerabilities can then specially craft a
  bit of malformed data so that it contains a valid
  program to do their bidding.)
• The more "features" a web browser has (for
  example ActiveX objects, and some older versions
  of Flash or Java), the higher your risk of having
  security holes that can be exploited by a Trojan
  horse.

30
Example 1 Microsoft IE window() Arbitrary Code
Execution Vulnerability Secunia

• The vulnerability is caused due to certain
  objects not being initialized correctly when the
  window() function is used in conjunction with the
  ltbody onloadgt event.
• This can be exploited to execute arbitrary code
  on a vulnerable browser via some specially
  crafted JavaScript code called directly when a
  site has been loaded.Exampleltbody
  onload"window()"gtSuccessful exploitation
  requires that the user is e.g. tricked into
  visiting a malicious website.
• PROOF OF CONCEPT

31

• Explanation Computer Terrorism

32
lt body onLoad gt HTML Code Tutorial

• The browser triggers onLoad when the document is
  finished loading. The contents of onLoad is one
  or more JavaScript commands. So, for example, the
  following lt body ...gt tag tells the browser to
  bring up an alert box once the page is completely
  loaded
• ltBODY onLoad"alert('hello world!')"gt

33
MS IE - Crash on JavaScript window()- calling (1)

• There is a bug in Microsoft Internet Explorer,
  which causes a crash in it.
• The bug occurs, because Microsoft Internet
  Explorer can't handle a call to a
  JavaScript-function with the name of the
  "window"-object.

An object used in Javascript.
34
MS IE - Crash on JavaScript window()- calling (2)
symantic

• Internet Explorer fails to properly initialize
  the JavaScript Window()' function. When the
  'onLoad' handler is set to call the improperly
  initialized Window()' function, the Web browser
  attempts to call the address 0x006F005B, which is
  derived from the Unicode representation of
  'OBJECT'.
• CALL DWORD ECX8
• It is shown that JavaScript prompt boxes can be
  used by attackers to fill the memory region at
  0x00600000 with attacker-supplied data, allowing
  executable machine code to be placed into the
  required address space.

• Crash, if pointing to non-code.
• Execution, if pointing to code.

35
Dangerous Web Site

• The web site pointed by the following URL is one
  containing the trap described in the previous
  slides.
• HTTP MSIE JavaScript OnLoad Rte CodeExec
  symantic
• http//marc.theaimsgroup.com/?lbugtraqm11174639
  4106172w2

36
Example 2 Trojan Downloader F-SecureMicrosoft

• Trojan downloader is usually a standalone program
  that attempts to secretly download and run other
  files from remote web and ftp sites.
• Usually Trojan downloaders
• download different Trojans and backdoors
• activate them on an affected system without
  user's approval.
• Trojan downloader, when run, usually installs
  itself to system and waits until Internet
  connection becomes available. After that it
  attempts to connect to a web or ftp site,
  download specific file or files and run them.

37
Example 3 Trojan Horse Exploits Image Flaw
Declan McCullagh et al.

• EasyNews, a provider of Usenet newsgroups, said
  it has identified two JPEG images that take
  advantage of a previously identified flaw ( a
  heap-based buffer overflow Michael Cobb ) in
  the way Microsoft software handles graphics
  files.
• Windows users could have their computers infected
  merely by opening one of those Trojan horse
  images.
• Attackers tried to use these JPEGs to download
  Trojan (horse programs) to vulnerable computers.

38
Example 4 Comprise a Web Server and Add Hidden
Download Instructions in Web Pages

• Create frame with size 0.

39
Emails and Trojan Horses

• The majority of Trojan horse infections occur
  because the user was tricked into running an
  infected program.
• This is why you're not supposed to open
  unexpected attachments on emails -- the program
  is often a cute animation or a sexy picture, but
  behind the scenes it infects the computer with a
  Trojan or virus.

40
Microsoft Outlook

• If you use Microsoft Outlook, you're vulnerable
  to many of the same problems that Internet
  Explorer has, even if you don't use IE directly.
• The same vulnerabilities exist since Outlook
  allows email to contain HTML and images (and
  actually uses much of the same code to process
  these as Internet Explorer).

41
Downloaded Files

• The infected program doesn't have to arrive via
  email, though it can be
• sent to you in an Instant Message
• downloaded from a Web site or by FTP
• delivered on a CD or floppy disk

42
Precautions against Trojan Horses (1)

• Trojan Horses are most commonly spread through an
  e-mail, much like other types of common viruses.
  The only difference being of course is that a
  Trojan Horse is hidden.
• The best ways to protect yourself and your
  company from Trojan Horses are as follows
• If you receive e-mail from someone that you do
  not know or you receive an unknown attachment
  never open it right away.
• As an e-mail user you should confirm the source.
• Some hackers have the ability to steal an address
  books so if you see e-mail from someone you know
  that does not necessarily make it safe.

43
Precautions against Trojan Horses (2)

• When setting up your e-mail client make sure that
  you have the settings so that attachments do not
  open automatically.
• Some e-mail clients come ready with an anti-virus
  program that scans any attachments before they
  are opened.
• If your client does not come with this it would
  be best to purchase on or download one for free.
• Make sure your computer has an anti-virus program
  on it and make sure you update it regularly.
• If you have an auto-update option included in
  your anti-virus program you should turn it on,
  that way if you forget to update your software
  you can still be protected from threats

44
Precautions against Trojan Horses (3)

• Operating systems offer patches to protect their
  users from certain threats and viruses, including
  Trojan Horses.
• Software developers like Microsoft offer patches
  that in a sense close the hole that the Trojan
  horse or other virus would use to get through to
  your system. If you keep your system updated with
  these patches your computer is kept much safer.
• Avoid using peer-2-peer or P2P sharing networks
  like Kazaa, Limewire, Ares, or Gnutella because
• those programs are generally unprotected from
  Trojan Horses
• Trojan Horses are especially easy to spread
  through these programs
• Some of these programs do offer some virus
  protection but often they are not strong enough.

45
Precautions against Trojan Horses (4)

• NEVER download blindly from people or sites which
  you arent 100 sure about.
• However, legal web sites may be comprised by
  attackers who may modify web pages to contain
  scripts to download malware.
• Even if the file comes form a friend, you still
  must be sure what the file is before opening it.
  (Ask your friend whether she/he sent the files to
  you.)
• Beware of hidden file extensions (Under Windows
  susie.jpg.exe is only shown as susie.jpg)
• Never user features in your programs that
  automatically get or preview files (outlook,
  preview mode ).
• Never blindly type commands that others tell you
  to type, or go to the web site mentioned by
  strangers.

46
Well-known Trojan Horses

• Back Orifice
• Back Orifice 2000
• Beast Trojan
• NetBus
• SubSeven
• Downloader-EV
• Pest Trap
• flooder
• Tagasaurus
• Vundo trojan
• Gromozon Trojan

47
Experiment

• Survey some Trojan horses to see what approaches
  are adopted by them to fool a user to execute
  them.

48
List of Trojan Horses

• http//en.wikipedia.org/wiki/List_of_trojan_horses

49

• Spyware Wikipedia

50
A Large Number of Toolbars, Some Added by
Spyware, Overwhelm an IE Session
51
Definition of Spyware

• Spyware is computer software that is installed
  surreptitiously on a personal computer to
  monitor, intercept or take partial control over
  the user's interaction with the computer, without
  the user's informed consent.
• Spyware programs can
• secretly monitor the user's behavior and then
  send this information to a hacker over the
  Internet
• collect various types of personal information
• interfere with user control of the computer in
  other ways, such as
• installing additional software
• redirecting Web browser activity
• diverting advertising revenue to a third party.

52
Types of Information Collected by Spyware

• Spyware can collect many different types of
  information about a user.
• More benign programs can attempt to track what
  types of websites a user visits and send this
  information to an advertisement agency.
• More malicious versions can try to record what a
  user types to try to intercept passwords or
  credit card numbers.
• Yet other versions simply launch pop-ups with
  advertisements.

53
OSes Where Spyware Resides

• As of 2006, spyware has become one of the
  pre-eminent security threats to computer-systems
  running Microsoft Windows OSes.
• Some malware on the Linux and Mac OS X platforms
  has behavior similar to Windows spyware, but to
  date has not become anywhere near as widespread.

54
Spyware Certification

• The Spyware-Free Certification program evaluates
  software to ensure that the program does not
  install or execute any forms of malicious code.

55
Typical Tactics Adopted by Spyware

• Delivery of unsolicited pop-up advertisements.
• Monitoring of Web-browsing activity for marketing
  purposes.
• Theft of personal information

56
Adware

• The term adware frequently refers to any software
  which displays advertisements, whether or not it
  does so with the user's consent.
• Programs such as the Eudora mail client display
  advertisements as an alternative to shareware
  registration fees. These classify as "adware" in
  the sense of advertising-supported software, but
  not as spyware.
• Adware in this form does not operate
  surreptitiously or mislead the user, and provides
  the user with a specific service.

57
Spyware and Pop-up Ads

• Spyware displays advertisements related to what
  it finds from spying on you, not the ones posted
  by advertisers.
• Claria Corporation's Gator Software and Exact
  Advertising's BargainBuddy provide examples of
  this sort of program.
• Visited Web sites frequently install Gator on
  client machines in a surreptitious manner, and it
  directs revenue to the installing site and to
  Claria by displaying advertisements to the user.
  The user experiences a large number of pop-up
  advertisements.

58
Pop-up Ads

• Pop-up ads or popups are a form of online
  advertising on the World Wide Web.
• It works when certain web pages open a new web
  browser window to display advertisements.
• The pop-up window containing an advertisement is
  usually generated by JavaScript, but can be
  generated by other means as well.

59
Pop-under Ads

• A variation on the pop-up window is the pop-under
  advertisement. This opens a new browser window,
  behind the active window.
• Pop-unders interrupt the user less, but are not
  seen until the desired windows are closed, making
  it more difficult for the user to determine which
  Web page opened them.

60
Dozens of Pop-up Ads Cover a Desktop.
61
Web Activity Monitor

• Other spyware behavior, such as reporting on
  websites the user visits, frequently accompany
  the displaying of advertisements.
• Monitoring web activity aims at building up a
  marketing profile on users in order to sell
  "targeted" advertisement impressions.
• The prevalence of spyware has cast suspicion upon
  other programs that track Web browsing, even for
  statistical or research purposes.
• Some observers describe the Alexa Toolbar, an
  Internet Explorer plug-in published by
  Amazon.com, as spyware (and some anti-spyware
  programs report it as such) although many users
  choose to install it.

62
Identity Theft and Fraud

• Some spyware is closely associated with identity
  theft.
• Spyware may transmit the following information to
  attackers
• chat sessions,
• user names,
• passwords,
• bank information, etc.
• Spyware has principally become associated with
  identity theft in that keyloggers are routinely
  packaged with spyware.
• John Bambenek, who researches information
  security, estimates that identity thieves have
  stolen over 24 billion US dollars of account
  information in the United States alone

63

• Routes of Infection

64
Routes of Infection

• Spyware does not directly spread in the manner of
  a computer virus or worm
• generally, an infected system does not attempt to
  transmit the infection to other computers.
• Instead, spyware gets on a system
• through deception of the user
• or through exploitation of software
  vulnerabilities.

65
Masquerade

• One way of distributing spyware involves tricking
  users by manipulating security features designed
  to prevent unwanted installations.
• The Internet Explorer Web browser, by design,
  prevents websites from initiating an unwanted
  download. Instead, a user action (such as
  clicking on a link) must normally trigger a
  download. However, links can prove deceptive
• For instance, a pop-up ad may appear like a
  standard Windows dialog box. The box contains a
  message such as "Would you like to optimise your
  Internet access?" with links which look like
  buttons reading Yes and No. No matter which
  "button" the user presses, a download starts,
  placing the spyware on the user's system.

66
A Masquerade Example

• Malicious websites may attempt to install spyware
  on readers' computers.
• In this screenshot a website has triggered a
  pop-up that offers spyware in the guise of a
  security upgrade.

67
Bundled with Shareware

• Spyware can also come bundled with
• shareware
• other downloadable software
• music CDs.
• The user downloads a program (for instance, a
  music program or a file-trading utility) and
  installs it, and the installer additionally
  installs the spyware. Although the desirable
  software itself may do no harm, the bundled
  spyware does.
• In some cases, spyware authors have paid
  shareware authors to bundle spyware with their
  software.
• In other cases, spyware authors have repackaged
  desirable free software with installers that add
  spyware.

68
Bundled Shareware Example

• The BearShare file-trading program, "supported"
  by WhenU spyware. In order to install BearShare,
  users must agree to install "the SAVE! bundle"
  from WhenU. The installer provides only a tiny
  window in which to read the lengthy license
  agreement. Although the installer claims
  otherwise, the software transmits users' browsing
  activity to WhenU servers.

69
Through Trojan Horse

• Classically, a Trojan horse, by definition,
  smuggles in something dangerous in the guise of
  something desirable. Some spyware programs get
  spread in just this manner.
• The distributor of spyware presents the program
  as a useful utility for instance as a Web
  accelerator or as a helpful software agent.
• Users download and install the software without
  immediately suspecting that it could cause harm.

70
Vulnerabilities in Web Browsers

• Some spyware authors infect a system by attacking
  security holes in the Web browser or in other
  software.
• When the user navigates to a Web page controlled
  by the spyware author, the page contains code
  which attacks the browser and forces the download
  and install of spyware.
• Common browser exploits target security
  vulnerabilities in Internet Explorer and in the
  Microsoft Java runtime.

71
Notable Programs Distributed with Spyware

• Messenger Plus! (only if you agree to install
  their "sponsor" program)
• Bearshare
• Bonzi Buddy
• DAEMON Tools (only if you agree to install their
  "sponsor" program)
• DivX (except for the paid version, and the
  "standard" version without the encoder). DivX
  announced removal of GAIN software from version
  5.2.
• Dope Wars
• ErrorGuard
• FlashGet (free version)
• Grokster
• Kazaa
• Morpheus
• RadLight
• WeatherBug
• EDonkey2000

72

• Worm

73
Worms

• Attack running processes to spread themselves.
• Most frequently used attack approaches included
  buffer overflow attacks, format string attacks,
  integer overflow attacks, and so on.
• Morris Worm ,1988
• Code Red, Slammer.

74
Comparisons between Viruses, Trojan Horses, and
Worms

• The way they behave
• How are they triggered?
• How do they spread?
• Need host programs?