
Upload: regina-poole

Post on 16-Dec-2015


Page 1: Cryptography and Network Security Chapter 19 Fourth Edition by William Stallings

Cryptography and Network Security

Chapter 19

Fourth Edition

by William Stallings

Page 2: Chapter 19 – Malicious Software

What is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow.

— On War, Carl Von Clausewitz

Page 3: Viruses and Other Malicious Content

• computer viruses have got a lot of publicity
• one of a family of malicious software
• effects usually obvious
• have figured in news reports, fiction, movies (often exaggerated)
• getting more attention than deserve
• are a concern though

Page 4: Malicious Software

Page 5: Backdoor or Trapdoor

• secret entry point into a program
• allows those who know it access, bypassing usual security procedures
• have been commonly used by developers
• a threat when left in production programs, allowing exploitation by attackers
• very hard to block in O/S
• requires good s/w development & update

Page 6: Logic Bomb

• one of oldest types of malicious software
• code embedded in legitimate program
• activated when specified conditions met
  • eg presence/absence of some file
  • particular date/time
  • particular user
• when triggered typically damage system
  • modify/delete files/disks, halt machine, etc

Page 7: Trojan Horse

• program with hidden side-effects which is usually superficially attractive
  • eg game, s/w upgrade etc
• when run performs some additional tasks
  • allows attacker to indirectly gain access they do not have directly
• often used to propagate a virus/worm or install a backdoor
• or simply to destroy data

Page 8: Zombie

• program which secretly takes over another networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of service (DDoS) attacks
• exploits known flaws in network systems

Page 9: Viruses

• a piece of self-replicating code attached to some other code
  • cf biological virus
• both propagates itself & carries a payload
  • carries code to make copies of itself
  • as well as code to perform some covert task

Page 10: Virus Operation

• virus phases:
  • dormant – waiting on trigger event
  • propagation – replicating to programs/disks
  • triggering – by event to execute payload
  • execution – of payload
• details usually machine/OS specific
  • exploiting features/weaknesses

Page 11: Virus Structure

program V :=
{goto main;
 1234567;
 subroutine infect-executable :=
   {loop:
    file := get-random-executable-file;
    if (first-line-of-file = 1234567) then goto loop
    else prepend V to file; }
 subroutine do-damage := {whatever damage is to be done}
 subroutine trigger-pulled := {return true if condition holds}
main: main-program :=
   {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}
next:
}

Page 12: Types of Viruses

• can classify on basis of how they attack
  • parasitic virus
  • memory-resident virus
  • boot sector virus
  • stealth
  • polymorphic virus
  • metamorphic virus

Page 13: Macro Virus

• macro code attached to some data file
  • interpreted by program using file
  • eg Word/Excel macros
  • esp. using auto command & command macros
• code is now platform independent
• is a major source of new viral infections
• blur distinction between data and program files
• classic trade-off: "ease of use" vs "security"
• have improving security in Word etc
• are no longer dominant virus threat

Page 14: Email Virus

• spread using email with attachment containing a macro virus
  • cf Melissa
• triggered when user opens attachment
  • or worse even when mail viewed by using scripting features in mail agent
• hence propagate very quickly
• usually targeted at Microsoft Outlook mail agent & Word/Excel documents
• need better O/S & application security

Page 15: Worms

• replicating but not infecting program
• typically spreads over a network
  • cf Morris Internet Worm in 1988
  • led to creation of CERTs
• using users' distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PC's, subsequently used for further attacks, esp DoS
• major issue is lack of security of permanently connected systems, esp PC's

Page 16: Worm Operation

• worm phases like those of viruses:
  • dormant
  • propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  • triggering
  • execution

Page 17: Morris Worm

• best known classic worm
• released by Robert Morris in 1988
• targeted Unix systems
• using several propagation techniques
  • simple password cracking of local pw file
  • exploit bug in finger daemon
  • exploit debug trapdoor in sendmail daemon
• if any attack succeeds then replicated self

Page 18: Recent Worm Attacks

• new spate of attacks from mid-2001
• Code Red - used MS IIS bug
  • probes random IPs for systems running IIS
  • had trigger time for denial-of-service attack
  • 2nd wave infected 360000 servers in 14 hours
• Code Red 2 - installed backdoor
• Nimda - multiple infection mechanisms
• SQL Slammer - attacked MS SQL server
• Sobig.f - attacked open proxy servers
• Mydoom - mass email worm + backdoor

Page 19: Worm Technology

• multiplatform
• multiexploit
• ultrafast spreading
• polymorphic
• metamorphic
• transport vehicles
• zero-day exploit

Page 20: Virus Countermeasures

• best countermeasure is prevention
• but in general not possible
• hence need to do one or more of:
  • detection - of viruses in infected system
  • identification - of specific infecting virus
  • removal - restoring system to clean state

Page 21: Anti-Virus Software

• first-generation
  • scanner uses virus signature to identify virus
  • or change in length of programs
• second-generation
  • uses heuristic rules to spot viral infection
  • or uses crypto hash of program to spot changes
• third-generation
  • memory-resident programs identify virus by actions
• fourth-generation
  • packages with a variety of antivirus techniques
  • eg scanning & activity traps, access-controls
• arms race continues
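The following is an added example, not code from Stallings' slides or book. It shows the first two generations on the slide side by side: a signature scan and a program-length check (first generation) next to a SHA-256 baseline (second generation). The file tree, the signature byte patterns and the "infection" are all constructed for the demo; the same-length change to bin/tool is there to show why a length check alone is not enough.

```python
# Added example (not from Stallings' slides): a toy first/second-generation
# antivirus check in Python. First generation = known byte signatures plus a
# change in program length; second generation = a SHA-256 baseline that
# catches any content change, including one that preserves length.
# All files, signatures and paths below are constructed for the demo.
import hashlib
from typing import Dict, List, Tuple

# Constructed "signature database": name -> byte pattern. These are demo
# markers, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "demo-marker-A": b"DEMO-INFECTION-MARKER-A",
    "demo-marker-B": b"\xde\xad\xbe\xef\x42\x42",
}

# Constructed known-clean files (path -> contents).
CLEAN_FILES: Dict[str, bytes] = {
    "bin/app": b"\x7fELF" + b"\x00" * 60 + b"legit code",
    "bin/tool": b"\x7fELF" + b"\x01" * 30 + b"more code",
    "bin/untouched": b"\x7fELF" + b"\x02" * 20,
}

# The same tree after a constructed infection:
#  - bin/app       : marker appended       -> length changes AND hash changes
#  - bin/tool      : same-length byte flip -> only the hash changes
#  - bin/untouched : unchanged
#  - tmp/dropper   : new file carrying marker B
INFECTED_FILES: Dict[str, bytes] = {
    "bin/app": CLEAN_FILES["bin/app"] + b"DEMO-INFECTION-MARKER-A",
    "bin/tool": CLEAN_FILES["bin/tool"].replace(b"\x01", b"\x03", 1),
    "bin/untouched": CLEAN_FILES["bin/untouched"],
    "tmp/dropper": b"#!/bin/sh\n" + b"\xde\xad\xbe\xef\x42\x42",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_signatures(data: bytes) -> List[str]:
    """First-generation scan: names of every signature pattern present."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record (length, SHA-256) per file while the system is known clean."""
    return {path: (len(data), sha256_hex(data)) for path, data in files.items()}

def check_integrity(baseline: Dict[str, Tuple[int, str]],
                    files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a file tree against the baseline.

    Returns path -> findings. 'length changed' is the first-generation
    heuristic; 'hash mismatch' is the second-generation check and also fires
    when a modification keeps the length unchanged.
    """
    findings: Dict[str, List[str]] = {}
    for path, data in files.items():
        issues: List[str] = []
        if path not in baseline:
            issues.append("new file")
        else:
            old_len, old_hash = baseline[path]
            if len(data) != old_len:
                issues.append("length changed")
            if sha256_hex(data) != old_hash:
                issues.append("hash mismatch")
        issues.extend(f"signature: {name}" for name in scan_signatures(data))
        if issues:
            findings[path] = issues
    return findings

def run_demo() -> Dict[str, List[str]]:
    """Baseline the clean tree, then check the infected one."""
    baseline = build_baseline(CLEAN_FILES)
    return check_integrity(baseline, INFECTED_FILES)

if __name__ == "__main__":
    for path, issues in run_demo().items():
        print(f"{path}: {', '.join(issues)}")
```

Running it reports bin/app on all three checks, bin/tool only on the hash (the length check and the signature scan both miss it), and tmp/dropper as a new file that also matches a signature; bin/untouched produces nothing. The baseline itself must be stored somewhere the malware cannot rewrite, otherwise the second-generation check degrades to the first.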

Page 22: Advanced Anti-Virus Techniques

• generic decryption
  • use CPU simulator to check program signature & behavior before actually running it
• digital immune system (IBM)
  • general purpose emulation & virus detection
  • any virus entering org is captured, analyzed, detection/shielding created for it, removed

Page 23: Digital Immune System

Page 24: Behavior-Blocking Software

• integrated with host O/S
• monitors program behavior in real-time
  • eg file access, disk format, executable mods, system settings changes, network access
• for possibly malicious actions
• if detected can block, terminate, or seek ok
• has advantage over scanners
• but malicious code runs before detection
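An added example, not from the slides, of the policy loop a behavior blocker runs: each attempted action is classified as allow, block, or ask (the slide's "seek ok"), and a process that keeps hitting blocked actions is terminated. The event stream, the rules (executable suffixes, an "autostart:" settings namespace, the allowed ports) and the termination threshold are constructed for the demo. The ALLOW verdict on the installer's first action is the slide's last point: the code has already run by the time its later actions are caught.

```python
# Added example (not from the slides): a toy behavior blocker in Python.
# Each Event is one action a process attempts; decide() applies simple
# policy rules of the kind the slide lists (disk format, executable
# modification, settings changes, network access) and monitor() runs the
# rules in real time, escalating to termination after repeated blocks.
# The event stream, rules and threshold are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    action: str   # file_read | file_write | disk_format | settings_change | net_connect
    target: str

EXEC_SUFFIXES = (".exe", ".dll", ".sys")      # constructed: "executable mods"
ALLOWED_PORTS = (":80", ":443")               # constructed: usual web ports
BLOCK_THRESHOLD = 2                           # constructed: blocks before terminate

def decide(ev: Event) -> str:
    """Classify one action as ALLOW, BLOCK or ASK (seek user ok)."""
    if ev.action == "disk_format":
        return "BLOCK"
    if ev.action == "file_write" and ev.target.lower().endswith(EXEC_SUFFIXES):
        return "BLOCK"
    if ev.action == "settings_change" and ev.target.startswith("autostart:"):
        return "ASK"
    if ev.action == "net_connect" and not ev.target.endswith(ALLOWED_PORTS):
        return "ASK"
    return "ALLOW"

def monitor(events: List[Event]) -> List[Tuple[Event, str]]:
    """Apply decide() to events in order; a process that reaches
    BLOCK_THRESHOLD blocked actions is terminated and every later event
    from it is reported as TERMINATED (i.e. never executed)."""
    blocked: Dict[int, int] = {}
    decisions: List[Tuple[Event, str]] = []
    for ev in events:
        if blocked.get(ev.pid, 0) >= BLOCK_THRESHOLD:
            decisions.append((ev, "TERMINATED"))   # process already killed
            continue
        verdict = decide(ev)
        if verdict == "BLOCK":
            blocked[ev.pid] = blocked.get(ev.pid, 0) + 1
            if blocked[ev.pid] >= BLOCK_THRESHOLD:
                verdict = "TERMINATE"
        decisions.append((ev, verdict))
    return decisions

# Constructed event stream: a suspicious "installer" (pid 100) interleaved
# with a benign word processor (pid 200).
SAMPLE_EVENTS: List[Event] = [
    Event(100, "installer.exe", "file_read", "docs/readme.txt"),
    Event(200, "wordproc.exe", "file_write", "reports/q3.docx"),
    Event(100, "installer.exe", "file_write", "C:\\Program Files\\App\\app.exe"),
    Event(100, "installer.exe", "settings_change", "autostart:App"),
    Event(200, "wordproc.exe", "net_connect", "updates.example.com:443"),
    Event(100, "installer.exe", "file_write", "C:\\Windows\\System32\\helper.dll"),
    Event(100, "installer.exe", "net_connect", "203.0.113.5:6667"),
]

def verdicts(events: List[Event]) -> List[str]:
    """Just the verdict column, in event order."""
    return [v for _, v in monitor(events)]

if __name__ == "__main__":
    for ev, v in monitor(SAMPLE_EVENTS):
        print(f"{v:10} pid={ev.pid} {ev.action} {ev.target}")
```

A real blocker hooks the OS (file system filter, registry and socket hooks) instead of reading a list, and its rules are far richer, but the shape is the same: the decision is made per action as it happens, so only the actions after the first match are prevented.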

Page 25: Distributed Denial of Service Attacks (DDoS)

• Distributed Denial of Service (DDoS) attacks form a significant security threat
• making networked systems unavailable
  • by flooding with useless traffic
  • using large numbers of "zombies"
• growing sophistication of attacks
• defense technologies struggling to cope

Page 26: Distributed Denial of Service Attacks (DDoS)

Page 27: Constructing the DDoS Attack Network

• must infect large number of zombies
• needs:
  1. software to implement the DDoS attack
  2. an unpatched vulnerability on many systems
  3. scanning strategy to find vulnerable systems
    • random, hit-list, topological, local subnet

Page 28: DDoS Countermeasures

• three broad lines of defense:
  1. attack prevention & preemption (before)
  2. attack detection & filtering (during)
  3. attack source traceback & ident (after)
• huge range of attack possibilities
• hence evolving countermeasures
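An added example, not from the slides, for line 2 of the defense list ("attack detection & filtering, during"). It buckets a packet capture per second, flags any source above a per-source rate and any destination above an aggregate rate, then drops packets from the flagged sources. The capture, the addresses (documentation ranges) and both limits are constructed for the demo; the twenty quiet zombies are there to show why per-source filtering alone does not stop a distributed flood.

```python
# Added example (not from the slides): a toy "attack detection & filtering"
# step in Python for DDoS countermeasures. Traffic is bucketed per second;
# a source exceeding SRC_LIMIT packets/s is treated as a flooder and a
# destination exceeding DST_LIMIT packets/s as under attack. The traffic
# sample, addresses and limits are constructed for the demo.
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    ts: float   # seconds since start of capture
    src: str
    dst: str

SRC_LIMIT = 100   # constructed: packets/s from one source
DST_LIMIT = 800   # constructed: packets/s towards one destination

def per_second_counts(packets: List[Packet], field: str) -> Dict[int, Counter]:
    """second -> Counter of packets per address for the given field (src/dst)."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for p in packets:
        buckets[int(p.ts)][getattr(p, field)] += 1
    return buckets

def detect(packets: List[Packet]) -> Tuple[Set[str], Set[str]]:
    """Return (flooding sources, flooded destinations)."""
    flooding: Set[str] = set()
    flooded: Set[str] = set()
    for counts in per_second_counts(packets, "src").values():
        flooding |= {addr for addr, n in counts.items() if n > SRC_LIMIT}
    for counts in per_second_counts(packets, "dst").values():
        flooded |= {addr for addr, n in counts.items() if n > DST_LIMIT}
    return flooding, flooded

def filter_traffic(packets: List[Packet], blocklist: Set[str]) -> List[Packet]:
    """The 'filtering' half: drop packets from flagged sources."""
    return [p for p in packets if p.src not in blocklist]

def build_sample_traffic() -> List[Packet]:
    """Constructed one-second capture towards the victim 10.0.0.1:
    one legitimate client, one loud zombie, and twenty quiet zombies
    that each stay under SRC_LIMIT."""
    victim = "10.0.0.1"
    pkts: List[Packet] = []
    pkts += [Packet(i / 10, "198.51.100.7", victim) for i in range(10)]    # legit
    pkts += [Packet(i / 500, "192.0.2.9", victim) for i in range(500)]     # loud zombie
    for z in range(10, 30):                                                # quiet zombies
        pkts += [Packet(i / 30, f"192.0.2.{z}", victim) for i in range(30)]
    return pkts

def run_demo() -> Tuple[Set[str], Set[str], int]:
    """Detect on the sample, filter the flagged sources, report what passed."""
    pkts = build_sample_traffic()
    flooding, flooded = detect(pkts)
    kept = filter_traffic(pkts, flooding)
    return flooding, flooded, len(kept)

if __name__ == "__main__":
    flooding, flooded, kept = run_demo()
    print("flooding sources:", sorted(flooding))
    print("destinations under attack:", sorted(flooded))
    print("packets passed after per-source filtering:", kept)
```

The per-source rule catches only the loud zombie; the twenty quiet ones stay under the limit, so 610 of the 1110 packets still reach the victim even though the aggregate rule has flagged it as under attack. That gap between "we can tell it is happening" and "we can stop it at the edge" is why the slide lists prevention (before) and traceback (after) as separate lines of defense.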

Page 29: Summary

• have considered:
  • various malicious programs
  • trapdoor, logic bomb, trojan horse, zombie
  • viruses
  • worms
  • countermeasures
  • distributed denial of service attacks