CSE331: Introduction to Networks and Security - PowerPoint PPT Presentation

Provided by: SteveZd1

Transcript and Presenter's Notes

1
CSE331: Introduction to Networks and Security
  • Lecture 32
  • Fall 2002

2
Recap
  • Malicious Programs
  • Viruses
  • Boot Viruses, Memory Resident, Macros
  • Today
  • Computer Virus Defenses
  • Computer Worms

3
I Love You Virus/Worm
  • Infection Rate
  • At 5:00 pm EDT (GMT-4) on May 8, 2000, CERT had
    received reports from more than 650 sites
  • > 500,000 individual systems
  • VBScript
  • Propagation
  • Email, Windows file sharing, IRC, USENET news

4
Love Bug
  • Signature
  • An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
  • A subject of "ILOVEYOU"
  • Message body "kindly check the attached
    LOVELETTER coming from me."

5
Love Bug Behavior
  • Replaced certain files with copies of itself
  • Based on file extension (e.g. .vbs, .js, .hta,
    etc)
  • Changed Internet Explorer start page
  • Pointed the browser to infected web pages
  • Mailed copies of itself
  • Changed registry keys

6
Detecting Viruses
  • Scanning
  • Integrity checking
  • Heuristic detection

7
Virus Signatures
  • Viruses can't be completely invisible
  • Code must be stored somewhere
  • Virus must do something when it runs
  • Fragments of the virus code itself
  • Strings: "kindly check the attached LOVELETTER"
  • Effects on the computing environment
  • Changes to the Windows registry
  • Propagation Behavior
  • Copying/modifying system files.

8
Virus Scanners
  • Search the system for virus signatures
  • Main memory
  • All files in file system
  • Should also check boot sector
  • When to scan?
  • On access (when a program is run)
  • On demand (at users request, or scheduled)
  • When e-mail is received?
  • Before web content is displayed?

9
Virus Scanning: Pros & Cons
  • Pros
  • Effectively detects known viruses before they can
    cause harm
  • Few false alarms
  • Cons
  • Can detect only viruses with known signatures
  • Signature set must be kept up to date
  • Virus writers can easily change virus signatures

10
Integrity Checks
  • Virus scanner computes hash or checksum of
    executable files
  • Assumed to be virus free!
  • Stores the hash information
  • Verifies new hash vs. saved one during scan
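An added example (not part of the original lecture) of the integrity check described on this slide: hash every executable under a root, store the hashes, and later diff the current hashes against the stored ones. It goes one step beyond the slide by storing the baseline under an HMAC, because a virus that can rewrite the saved hashes would otherwise defeat the check. The suffix list, the sample tree, the "infection" and the key are all constructed for this example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Only executables are baselined (documents change too often to check this way).
# The suffix list is a constructed choice for this example.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".sys", ".vbs", ".js", ".hta"}

def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Hash every executable under root. The system is ASSUMED clean at this
    point: a baseline taken on an infected machine simply whitelists the virus."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }

def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash and diff. 'modified' covers infection and corruption, but also a
    legitimate recompile, which is the false positive the slide mentions."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def seal(baseline: dict[str, str], key: bytes) -> bytes:
    """Store the baseline under an HMAC so a virus that rewrites the saved hashes
    to cover its tracks is caught. The key must live where the virus cannot
    write (offline or on read-only media)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + body

def unseal(blob: bytes, key: bytes) -> dict[str, str]:
    tag, body = blob.split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored baseline has been tampered with")
    return json.loads(body)

def build_demo_system() -> Path:
    """Constructed stand-in for a system tree (short text files, not real binaries)."""
    root = Path(tempfile.mkdtemp(prefix="integrity-"))
    (root / "system").mkdir()
    (root / "docs").mkdir()
    (root / "system" / "explorer.exe").write_bytes(b"MZ constructed explorer image\n")
    (root / "system" / "logon.vbs").write_bytes(b"' constructed logon script\n")
    (root / "docs" / "normal.dot").write_bytes(b"constructed Word template, not baselined\n")
    return root

def simulate_infection(root: Path) -> None:
    """Mimic the Love Bug behaviour from slide 5: overwrite an existing .vbs
    with a copy of the 'virus' and drop a new one (harmless constructed text)."""
    (root / "system" / "logon.vbs").write_bytes(b"' virus body stand-in\n")
    (root / "system" / "LOVE-LETTER-FOR-YOU.TXT.VBS").write_bytes(b"' dropped copy stand-in\n")

def demo() -> dict:
    root = build_demo_system()
    key = b"constructed-admin-key"              # assumption: kept off the scanned host
    blob = seal(build_baseline(root), key)
    simulate_infection(root)
    report = verify(root, unseal(blob, key))
    tampered = blob[:-1] + (b"0" if blob[-1:] != b"0" else b"1")
    try:
        unseal(tampered, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(demo())
```

Note that `normal.dot` never enters the baseline: it is a document, and as the next slide says, documents change too often for this method. A real deployment would also need to refresh the baseline after every legitimate software update, which is where the false positives come from.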

11
Integrity Checks: Pros & Cons
  • Pros
  • Can detect corruption of executables too
  • Reliable
  • Doesnt require virus signatures
  • Cons
  • False positives (e.g. after a legitimate recompilation)
  • Can't use it on documents (they change too often)
  • Not supported by most vendors

12
Heuristic Detection
  • Collection of ad hoc rules that identifies virus
    behavior or virus-like programs
  • Modification of system executables
  • Modification of template documents like
    normal.dot
  • Self-modifying and self-referential code

13
Heuristics: Pros & Cons
  • Pros
  • Perhaps able to detect unknown viruses
  • Cons
  • Heuristics are hard to develop
  • Too many false positives

14
Polymorphic Viruses
  • Virus writers know that virus signatures are the
    most effective way to detect viruses
  • Polymorphic viruses mutate themselves during
    replication to prevent detection
  • Virus should be capable of generating many
    different descendents
  • Simply embedding random numbers into virus code
    is not enough

15
Strategies for Polymorphic Viruses
  • Change data
  • Use different subject lines in e-mail
  • Encrypt most of the virus with a random key
  • Virus first decrypts main body using random key
  • Jumps to the code it decrypted
  • When replicating, generate a new key and encrypt
    the main part of the replica
  • Still possible to detect decryption portion of
    the virus using virus signatures

16
Advanced Polymorphic Viruses
  • Randomly modify the decryption portion of the
    virus by
  • Inserting no-op instructions (subtract 0, move a
    value to itself)
  • Reordering independent instructions
  • Using different variable/register names
  • Using equivalent instruction sequences (y = x + x
    vs. y = 2 * x)
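An added example (not from the original lecture) that works through slides 15 and 16 together. The virus body is encrypted under a fresh random key for every replica and prefixed with a decryptor; a scanner signature on the unchanging decryption loop still catches every simple replica. The advanced variant then mutates the decryptor with the four tricks listed above, after which the loop signature no longer matches, while every mutated decryptor still recovers the same body. The toy instruction set, its interpreter, the body text and the signature are all constructed for this example.

```python
from __future__ import annotations
import random
import re

# Constructed stand-in for the virus body; a real body would be the infection
# and mailing code, here it is just the Love Bug message text.
BODY = b"kindly check the attached LOVELETTER coming from me."
REGS = ["r0", "r1", "r2", "r3"]
OPS = {"mov": lambda r, v: v, "add": lambda r, v: r + v,
       "sub": lambda r, v: r - v, "xor": lambda r, v: r ^ v}

def encrypt(body: bytes, key: int) -> bytes:
    """XOR each byte with a one-byte key; XOR is its own inverse, so the same loop decrypts."""
    return bytes(b ^ key for b in body)

def build_decryptor(key: int, length: int) -> list[str]:
    """Canonical decryptor stub in a toy ISA (slide 15): decrypt the body in
    place, then fall through to the now-plaintext code."""
    return [
        "mov r0, 0",          # r0 = index into the encrypted body
        f"mov r1, {key}",     # r1 = this replica's random key
        f"mov r2, {length}",  # r2 = body length
        "loop:",
        "ldb r3, [r0]",       # r3 = body[r0]
        "xor r3, r1",         # r3 ^= key
        "stb [r0], r3",       # body[r0] = r3
        "add r0, 1",
        "jne r0, r2, loop",
    ]

def run(program: list[str], mem: bytearray) -> bytearray:
    """Interpreter for the toy ISA; mem holds the encrypted body and is decrypted in place."""
    regs = dict.fromkeys(REGS, 0)
    labels = {ins[:-1]: i for i, ins in enumerate(program) if ins.endswith(":")}
    val = lambda tok: regs[tok] if tok in regs else int(tok)
    ip = 0
    while ip < len(program):
        ins = program[ip]
        ip += 1
        if ins.endswith(":"):
            continue
        op, rest = ins.split(" ", 1)
        a = [x.strip() for x in rest.split(",")]
        if op in OPS:
            regs[a[0]] = OPS[op](regs[a[0]], val(a[1]))
        elif op == "ldb":
            regs[a[0]] = mem[regs[a[1].strip("[]")]]
        elif op == "stb":
            mem[regs[a[0].strip("[]")]] = regs[a[1]] & 0xFF
        elif op == "jne":
            if val(a[0]) != val(a[1]):
                ip = labels[a[2]]
        else:
            raise ValueError(f"unknown instruction: {ins}")
    return mem

NOOPS = ["sub {r}, 0", "mov {r}, {r}", "add {r}, 0"]   # slide 16: subtract 0, move value to itself

def equivalent(ins: str) -> str:
    """Replace an instruction by a different one with the same effect (slide 16)."""
    if m := re.fullmatch(r"mov (r\d), 0", ins):
        return f"xor {m[1]}, {m[1]}"        # x = 0      ==  x = x ^ x
    if m := re.fullmatch(r"add (r\d), 1", ins):
        return f"sub {m[1]}, -1"            # x = x + 1  ==  x = x - (-1)
    return ins

def mutate(program: list[str], rng: random.Random) -> list[str]:
    """Advanced polymorphism: rename registers, reorder the independent setup
    instructions, swap in equivalent sequences and sprinkle no-ops."""
    perm = dict(zip(REGS, rng.sample(REGS, len(REGS))))
    prog = [re.sub(r"\br[0-3]\b", lambda m: perm[m[0]], ins) for ins in program]
    label = next(i for i, ins in enumerate(prog) if ins.endswith(":"))
    setup = prog[:label]
    rng.shuffle(setup)                      # the three initial movs are independent
    prog = [equivalent(ins) if rng.random() < 0.5 else ins for ins in setup + prog[label:]]
    noop = lambda: rng.choice(NOOPS).format(r=rng.choice(REGS))
    # One no-op always lands strictly between two loop instructions, so no
    # contiguous copy of the canonical loop survives; more are added at random.
    prog.insert(label + 1 + rng.randrange(1, 5), noop())
    out = []
    for ins in prog:
        if rng.random() < 0.3:
            out.append(noop())
        out.append(ins)
    return out

def make_replica(body: bytes, seed: int, advanced: bool = False):
    """One descendant: fresh key, body encrypted under it, canonical or mutated decryptor."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    decryptor = build_decryptor(key, len(body))
    if advanced:
        decryptor = mutate(decryptor, rng)
    return decryptor, bytearray(encrypt(body, key))

# The scanner's signature: the decryption loop, identical in every simple
# replica even though key and ciphertext differ from copy to copy.
LOOP_SIGNATURE = "\n".join(build_decryptor(0, 0)[4:])

def signature_match(program: list[str], signature: str = LOOP_SIGNATURE) -> bool:
    return signature in "\n".join(program)

if __name__ == "__main__":
    dec, enc = make_replica(BODY, 7, advanced=True)
    print("\n".join(dec), "\nsignature hit:", signature_match(dec), "\nbody:", bytes(run(dec, enc)))
```

The point the slide makes about "simply embedding random numbers" shows up here as well: the key literal in the `mov` changes every time, yet the loop below it does not, so a signature that skips the setup block catches every simple replica. Real scanners answer the mutated decryptor by emulating the code until it has decrypted itself and then scanning the plaintext body, which is why the body, not the stub, is what a modern signature targets.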

17
CERT Advice 1
  • Use virus protection software
  • Use a firewall
  • Don't open unknown email attachments
  • Don't run programs of unknown origin
  • Disable hidden filename extensions
  • Keep all applications, including your operating
    system, patched

18
CERT Advice 2
  • Turn off your computer or disconnect from the
    network when not in use
  • Disable Java, JavaScript, and ActiveX if possible
  • Disable scripting features in email programs
  • Make regular backups of critical data
  • Make a boot disk in case your computer is damaged
    or compromised

19
Internet Worms
  • November 2, 1988
  • Robert T. Morris Jr. unleashed Internet worm
  • Graduate student at Cornell University
  • Convicted in 1990 of violating Computer Fraud and
    Abuse Act
  • $10,050 fine, 3 years' probation,
    400 hours of community service
  • Son of the chief scientist at the National
    Computer Security Center -- part of the National
    Security Agency
  • Today he's a professor at MIT

20
Morris Worm Transmission
  • Find user accounts on the target machine
  • Dictionary attack on /etc/passwd
  • If it found a match, it would log in and try the
    same username/password on other local machines
  • Exploit bug in fingerd
  • Classic buffer overflow attack
  • Exploit trapdoor in sendmail
  • Programmer left DEBUG mode in sendmail, which
    allowed sendmail to execute an arbitrary shell
    command string.
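An added example (not from the original lecture) of the first transmission method on this slide: an offline dictionary attack over a world-readable password file. The guessing order is the one the worm used, as documented in Spafford's analysis of the worm: no password, the login name, the login name doubled, the words of the GECOS name field, the login name reversed, then the worm's built-in word list, then /usr/dict/words. The accounts, salts and word list are constructed, and salted SHA-256 stands in for the DES-based crypt(3) that 4.3BSD actually used (an assumption made for portability, not a claim about the original code).

```python
from __future__ import annotations
import hashlib

def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salted SHA-256, rendered as salt$digest. The real
    worm attacked DES-based crypt hashes; the attack shape is the same."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed accounts: (login, plaintext used only to build the sample file,
# 2-character salt, GECOS name field). The plaintexts are never given to crack().
SAMPLE_ACCOUNTS = [
    ("root",  "Tr0ub4dor&3", "aX", "Charlie Root"),
    ("alice", "ecila",       "bY", "Alice Liddell"),
    ("bob",   "wombat",      "cZ", "Bob Jones"),
    ("carol", "carolcarol",  "dW", "Carol Danvers"),
    ("dave",  "david",       "eV", "David Smith"),
]

def build_sample_passwd() -> str:
    """Render the accounts as /etc/passwd lines: login:hash:uid:gid:gecos:home:shell."""
    return "\n".join(
        f"{login}:{hash_password(salt, pw)}:{1000 + i}:100:{gecos}:/home/{login}:/bin/csh"
        for i, (login, pw, salt, gecos) in enumerate(SAMPLE_ACCOUNTS)
    ) + "\n"

SAMPLE_PASSWD = build_sample_passwd()

# Stand-in for the worm's built-in list (the real one held 432 words) followed
# by /usr/dict/words; constructed for this example.
WORDLIST = ["aaa", "academia", "cornell", "password", "wombat", "unix"]

def guesses(login: str, gecos: str, wordlist):
    """Yield guesses in the order the Morris worm tried them."""
    yield ""                       # no password at all
    yield login                    # the account name
    yield login + login            # the account name appended to itself
    for word in gecos.replace(",", " ").split():
        yield word                 # first/last name from GECOS, as written
        yield word.lower()         # and lower-cased
    yield login[::-1]              # the account name reversed
    yield from wordlist            # built-in dictionary, then /usr/dict/words

def crack(passwd_text: str, wordlist) -> dict[str, str]:
    """Offline dictionary attack over a passwd file. The attacker needs only read
    access to the hashes, which a world-readable /etc/passwd granted to everyone."""
    found = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        login, stored, _uid, _gid, gecos, _home, _shell = line.split(":")
        salt = stored.split("$", 1)[0]
        for guess in guesses(login, gecos, wordlist):
            if hash_password(salt, guess) == stored:
                found[login] = guess
                break
    return found

if __name__ == "__main__":
    print(SAMPLE_PASSWD)
    for login, pw in crack(SAMPLE_PASSWD, WORDLIST).items():
        print(f"{login}: {pw!r}")
```

Four of the five constructed accounts fall to the first few rules alone, before the word list is even reached; only the root account with an unrelated password survives. Each cracked pair is what the worm then replayed against other local hosts, as the slide says. The two defences that came out of this, moving hashes into a root-only /etc/shadow and using deliberately slow, iterated hashes, both attack the assumptions this code relies on: free read access to the hashes and a cheap hash per guess.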

21
Morris Worm Infection
  • Sent a small loader to target machine
  • 99 lines of C code
  • It was compiled on the remote platform (cross
    platform compatibility)
  • The loader program transferred the rest of the
    worm from the infected host to the new target.
  • Used authentication, to prevent sysadmins from
    tampering with the loaded code
  • If there was a transmission error, the loader
    would erase its tracks and exit.

22
Morris Worm Stealth
  • When the loader obtained the full code
  • It was put into main memory and encrypted
  • Original copies were deleted from disk
  • (Even a memory dump wouldn't expose the worm)
  • Worm periodically changed its name and process ID

23
Effects
  • Resource exhaustion
  • Denial of service
  • There was a bug in the loader program that caused
    many copies of the worm to be spawned per host
  • System administrators cut their network
    connections
  • Couldn't use the internet to exchange fixes!
  • 6,000 networks were shut down or disconnected
  • Down for several days
  • Damage estimates: $100,000 to $97 million