Fall 2008 - PowerPoint Presentation

Uploaded by yoshiko-marsland on 2015-10-07

Presentation Transcript

Slide #1: Malicious Logic

Fall 2008
CS 334: Computer Security

Trojan Horses
Viruses

Worms

Slide #2: Introduction

Malicious Logic: a set of instructions that cause violation of security policy
Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside
Example: name the following script ls and place it in a directory
Set UID of /tmp.xxsh to UID of person executing this script

Remove this script and run ls

Slide #3: Trojan Horses

Trojan Horse: A program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect
In the example, the overt action is to list files; the covert action is to create a shell that is setuid to the user executing the script
There is a key notion here of “tricked”
In the example script, if user root executed this unintentionally by typing ls in a directory, then we have a security policy violation.
If root types out these lines and runs them intentionally, no violation
Key problem: system does not know whether user really intends to run a specific set of instructions

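The Trojan ls above only runs because the victim’s shell searches a directory the attacker can write to before it reaches /bin. As an added example (not part of the lecture), this Python audit flags the PATH entries that make that possible: empty or "." entries, relative entries, and world-writable absolute directories; the sample PATH strings are constructed.

```python
"""Added example (not from the CS 334 slides): audit a PATH string for
entries that let a Trojan 'ls' in the current directory shadow /bin/ls.

The lecture's Trojan only works because the victim's PATH makes the shell
search the current directory before the real ls is found.  This audit flags
the entries that make that possible:
  * an empty entry or "." (the current directory)
  * any relative entry (resolved against the current directory)
  * an absolute directory that is world-writable (anyone can drop a file there)
"""
import os
import stat


def classify_entry(entry, lookup=os.stat):
    """Return a reason string if `entry` is risky, or None if it looks safe.

    `lookup` is injectable so the checks can be tested without real
    directories; by default the real filesystem is consulted.
    """
    if entry in ("", "."):
        return "current directory is searched"
    if not entry.startswith("/"):
        return "relative entry is resolved against the current directory"
    try:
        st = lookup(entry)
    except OSError:
        return None  # A missing directory cannot shadow anything.
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
        return "directory is world-writable"
    return None


def audit_path(path_value, lookup=os.stat):
    """Return (position, entry, reason) for every risky PATH entry.

    Entries are checked in search order, so the position tells you how many
    trusted directories are consulted before the risky one.
    """
    findings = []
    for position, entry in enumerate(path_value.split(":")):
        reason = classify_entry(entry, lookup)
        if reason is not None:
            findings.append((position, entry, reason))
    return findings


def shadows_binary(path_value, real_dir, lookup=os.stat):
    """True if a risky entry is searched before `real_dir`, the directory that
    holds the genuine binary (e.g. "/bin" for ls).

    That is exactly the condition the Trojan needs: a directory under the
    attacker's control consulted before the one holding the real program.
    """
    for entry in path_value.split(":"):
        if entry == real_dir:
            return False
        if classify_entry(entry, lookup) is not None:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample PATH values, not taken from any real system.
    for sample in (".:/usr/bin:/bin", "/usr/bin:/bin", "/usr/bin::/bin"):
        print(sample, audit_path(sample), shadows_binary(sample, "/bin"))
```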
Slide #4: Example: NetBus

Program that allows attacker to control a Windows NT workstation remotely
Can download and upload files, intercept mouse or key strokes, generally be sysadmin
Requires small NetBus server on target machine

Placed in several small game programs and other “fun” stuff, then distributed to web sites where unsuspecting users would likely download them

Slide #5: Propagating Trojan Horse

Propagating Trojan Horse (also replicating Trojan Horse): a Trojan Horse that creates a copy of itself.
Ex. Ken Thompson’s compiler
Added Trojan horse to login program so it accepted a specific password in addition to user’s password
Placed code that does this into compiler, so it would add it whenever it saw a login call. (So not visible in login code)
Placed the Trojan horse for compiler into compiler binary, so if compiler was recompiled it would always include the Trojan horse for login.

Replaced source for compiler with clean source for compiler.

Slide #6: Computer Virus

Computer Virus: A program that inserts itself into one or more files and then performs some (possibly null) action
Insertion Phase: virus inserts itself into file

Execution Phase: the action is performed

Slide #7: Virus Pseudocode

Slide #8: Virus A Trojan Horse?

Some say YES: purpose of infected program is the overt action; the injection and execution phases are the covert action
Some say NO: virus has no covert purpose. Its overt purpose is to infect and execute.

Who cares. Bottom line is that defenses against Trojan horses inhibit viruses.

Slide #9: Some History

1983: Fred Cohen (at the time a grad student at USC) designed a virus to acquire privileges on a VAX-11/750 running Unix.
Obtained all system rights within half an hour on average
Because virus didn’t degrade response time, most users never knew the system was under attack
1984: Experiment on UNIVAC 1108 showed virus could infect that system
UNIVAC partially implemented Bell-LaPadula Model, using mandatory protection mechanisms

Showed that if a system does not prohibit writing using mandatory access controls, then the system does little, if anything, to prohibit virus propagation

Slide #10: More History

1986-87: Brain (Pakistani) virus infects IBM PCs
Alters boot sectors of floppy disks, possibly corrupting files.
Spreads to any uninfected floppy inserted into system.
Numerous variations have been reported
1987: MacMag Peace virus
Infects Mac, Amiga, among others
Prints “universal message of peace” on March 2, 1988, then deletes itself.

Infected copies of Aldus FreeHand program, which were subsequently recalled by manufacturer

Slide #11: Still More History

1987: Tom Duff experiments on Unix with small virus that copies itself into executable files.
Not virulent, but when placed in 48 programs on a heavily used machine, spread to 46 different systems and 466 files in 8 days.
Duff did not violate security mechanism by seeding files
Wrote another virus in Bourne shell script. It could attach itself to any Unix program

Demonstrated that viruses are not intrinsically machine-dependent and can spread to systems of varying architectures

Slide #12: Ok, Even More History

1989: Harold Highland develops Lotus 1-2-3 virus
Virus stored as set of commands for spreadsheet
Loads automatically when file opened
Was for demo only, so it changed the value in a specific row and column, then spread to other files.

Demonstrated that macros for office programs on PCs could contain viruses.

Slide #13: Virus Types

Boot Sector Infectors
Executable Infectors
Multipartite Viruses
TSR Viruses
Stealth Viruses

Encrypted Viruses
Polymorphic Viruses
Macro Viruses

Slide #14: Boot Sector Viruses

Boot sector is the part of a disk used to bootstrap the system or mount a disk
Code in boot sector is executed when system sees disk for first time
Boot sector virus is one that inserts itself into the boot sector of a disk
When system or disk boots, virus is executed

Original boot sector code is moved

Slide #15: Example: Brain Virus

When system boots from infected disk, virus is in boot sector and is loaded.
Moves disk interrupt vector (location 0x13) to location 0x6d and sets disk interrupt location to invoke Brain virus.
Brain virus then loads original boot sector and continues the boot
When user reads another floppy, interrupt at 0x13 is invoked, calling Brain virus
If value 0x1234 is in the word at location 0x4 of the new disk, boot continues normally. If not, disk is infected

Infection sometimes overwrites some sectors, hence the sometimes destructive nature of the Brain virus

Slide #16: Executable Infectors

Executable infector: virus that infects executable programs
On PC these are COM or EXE viruses because of the file types they infect

Virus prepends or appends itself to executable

Slide #17: Example: Jerusalem Virus

Triggered when infected program is executed
Virus puts value 0x0e0 into ax register and invokes DOS service interrupt (0x21)
If on return the high eight bits of ax contain 0x3, virus is already on system and original program is invoked

If not, virus sets itself up to respond to traps to DOS service interrupt vector

Slide #18: Example: Jerusalem Virus

Virus checks date
If a Friday the 13th and year is not 1987, virus sets flag in memory to delete files instead of infecting them
In memory, virus checks all calls to DOS service interrupt, looking for files to be executed (service call 0x4b00)
Virus checks file name, and deletes file if destruct bit set (except for COMMAND.COM file)
Virus checks last five bytes of file.
If string MsDos, file is infected
If not, virus checks whether name of file ends in E or M, in which case virus infects it (assuming it’s a COM or EXE file)

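Brain (slide 15) and Jerusalem (slide 18) each test a fixed marker so they do not infect twice, and a scanner can test the same marker from the defender’s side. The following Python checker is an added example, not lecture code: it looks for Brain’s 0x1234 word at offset 4 of a boot sector and Jerusalem’s "MsDos" trailer on COM/EXE files; the sample images are constructed, and little-endian byte order for the Brain word is an assumption (x86 PC).

```python
"""Added example (not from the CS 334 slides): check for the self-recognition
markers that Brain (slide 15) and Jerusalem (slide 18) leave behind.

Both viruses test a fixed marker to avoid infecting twice, and a scanner can
test the same marker from the other side:
  * Brain: the word at offset 0x4 of a floppy's boot sector equals 0x1234
  * Jerusalem: the last five bytes of a COM/EXE file are the string "MsDos"

Assumption (not stated on the slide): the PC is x86, so the Brain word is
stored little-endian, i.e. bytes 0x34 0x12 at offsets 4 and 5.
"""
import struct

BOOT_SECTOR_SIZE = 512
BRAIN_MARKER_OFFSET = 0x4
BRAIN_MARKER_VALUE = 0x1234
JERUSALEM_MARKER = b"MsDos"


def brain_marker_present(boot_sector):
    """True if the 512-byte boot sector carries Brain's 'already infected' word."""
    if len(boot_sector) < BOOT_SECTOR_SIZE:
        raise ValueError("boot sector must be %d bytes" % BOOT_SECTOR_SIZE)
    (word,) = struct.unpack_from("<H", boot_sector, BRAIN_MARKER_OFFSET)
    return word == BRAIN_MARKER_VALUE


def jerusalem_marker_present(program_bytes):
    """True if an executable ends with Jerusalem's 'MsDos' trailer."""
    return program_bytes.endswith(JERUSALEM_MARKER)


def jerusalem_would_target(filename):
    """Slide 18: Jerusalem only infects names ending in E or M (COM/EXE files)."""
    return filename.upper().endswith(("E", "M"))


def scan(filename, data):
    """Return the names of markers found.

    Disk images (here: names ending in .img, a convention of this example) are
    checked for the Brain word; files Jerusalem would target are checked for
    its trailer.
    """
    hits = []
    if filename.lower().endswith(".img") and len(data) >= BOOT_SECTOR_SIZE:
        if brain_marker_present(data[:BOOT_SECTOR_SIZE]):
            hits.append("Brain")
    if jerusalem_would_target(filename) and jerusalem_marker_present(data):
        hits.append("Jerusalem")
    return hits


def make_boot_sector(infected):
    """Construct a sample boot sector: zero-filled, with or without the marker."""
    sector = bytearray(BOOT_SECTOR_SIZE)
    if infected:
        struct.pack_into("<H", sector, BRAIN_MARKER_OFFSET, BRAIN_MARKER_VALUE)
    return bytes(sector)


def make_program(infected):
    """Construct a sample COM image: filler bytes, optional 'MsDos' trailer."""
    body = b"\x90" * 32  # constructed filler, not real code
    return body + JERUSALEM_MARKER if infected else body


if __name__ == "__main__":
    for name, data in (("floppy.img", make_boot_sector(True)),
                       ("clean.img", make_boot_sector(False)),
                       ("GAME.COM", make_program(True)),
                       ("README.TXT", make_program(True))):
        print(name, scan(name, data) or "no markers")
```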
Slide #19: Multipartite Viruses

Virus that can infect either boot sectors or applications

Virus typically has two parts, one for each type. Appropriate part is invoked depending on circumstances

Slide #20: TSR Viruses

Terminate and Stay Resident (TSR) virus is one that stays active (resident) in memory after application (or bootstrapping or disk mounting) has terminated.
Can be boot sector or executable infectors
Brain and Jerusalem are both TSR viruses

Non-TSR viruses execute only when host application is executed (or infected disk mounted, etc.)

Slide #21: Stealth Viruses

Stealth viruses are those that conceal the infection of files
Intercept calls to the OS that access files
If call is for file attributes, original (uninfected) file attributes returned
If call is to read file, uninfected version is returned

If call is to execute file, infected file is executed

Slide #22: Example: The Stealth Virus

Also called IDF virus or 4096 virus
Modifies DOS service interrupt handler, not the interrupt vector. This way inspection of interrupt vectors does not reveal presence of virus
If call is for length of file, length of uninfected file returned
If request to open file, file is temporarily disinfected, then reinfected when file is closed

Changes last modification time for file to indicate the file is not infected

Slide #23: Encrypted Viruses

Virus that enciphers all of the virus code except for a small decryption routine
Anti-virus software looks for known sequences of code

To fight this, some viruses encipher most of the code, leaving only a small decryption routine and random cryptographic key in the clear

Slide #24: Example: 1260 Virus

Uses two keys stored in k1 and k2
Virus code begins at location sov and ends at location eov

Dual keys and shifting of first key prevent simple XOR from uncovering deciphered virus

Slide #25: Polymorphic Viruses

A virus that changes its form each time it inserts itself into another program
Considered an encrypted virus
With straight encrypted virus, decryption portion can be detected!
Polymorphic viruses designed to defeat this.
They change instructions in virus to something equivalent but different. Technique is used to hide decryption code.

All do same thing!

Slide #26: Example

Slide #27: Polymorphic Viruses

Production of polymorphic viruses has been automated
Mutation Engine (ME)
Trident Polymorphic Engine (TPE)
Polymorphism can occur at different levels
A deciphering algorithm may have two different implementations

Two different algorithms may produce same result (much harder to detect)

Slide #28: Macro Viruses

A virus that is composed of a sequence of instructions that is interpreted rather than executed directly
Conceptually no different from ordinary computer viruses
Can execute on any system that can interpret the instructions

Can infect executables or data files (data virus)

Slide #29: Macro Virus

If infecting executable, must arrange to be interpreted at some point
Ex. Duff’s experiments wrapped executables with shell scripts. Resulting executables invoked Bourne shell, which interpreted virus code before invoking usual executable
Macro viruses not bound by machine architecture – use specific programs
Any system that runs this program can be affected, though effects may differ

Ex. MS Word virus will work on PC, Mac, ...

Slide #30: Example: Melissa Virus

Infected Word 97 and 98 documents on Windows and Mac systems (written in Visual Basic)
Installs itself as the “open” macro and copies itself into the Normal template so that any files that are opened are infected
Then invokes mail program and sends copies to names in address book
On PC spread was through mail

On Mac, most users didn’t use the mail program that Melissa invokes, so spread was not via email.

Slide #31: Computer Worms

A computer worm is a program that copies itself from one computer to another (as opposed to hitching a ride)
Research on worms began in mid-1970s

Shoch and Hupp developed distributed programs to do various tasks. These probed workstations to find idle machines on which they installed code segments to do work. When other work on a machine started, segments shut down.

Slide #32: The Internet Worm

Nov. 2, 1988: program targeted Berkeley and Sun Unix-based machines.
Within hours of introduction to Internet it had rendered thousands of computers unusable

Worm inserted instructions into a running process on target machine and arranged for instructions to be executed

Slide #33: The Internet Worm

Recovery required disconnection from network and reboot
Several critical programs had to be changed and recompiled to prevent re-infection
Worse, program disassembly required to determine whether other malicious effects present

Fortunately only purpose of worm was self propagation (could have been much worse!)

Slide #34: Internet Worm

Worm took advantage of flaws in some standard software installed on Unix systems
fingerd is a utility that allows users to obtain information about other users
gets is a routine that takes input into a buffer without performing a bounds check
sendmail is a program that routes mail in heterogeneous networks

Slide #35: fingerd

Program runs as a daemon (background process)
Allows connections from remote programs
Reads single line of input, sends back appropriate output
Code used call to gets routine to get input. Worm smashed the stack using this call
Unfortunately, several routines remain with such buffer overflow vulnerabilities

Slide #36: sendmail

Operates in several modes: worm exploited debug mode operation
Sendmail listens on TCP port 25 for attempts to deliver mail using simple mail transfer protocol (SMTP)
When contacted, sendmail enters into dialog to determine sender, etc.

Slide #37: sendmail

Worm used DEBUG command to specify the recipient of the message as a set of commands instead of a user address
This is not allowed in normal mode
In debug mode, allows testers to verify mail is arriving without having to invoke address resolution routines
That is, testers can run programs to show state of mail system without separate login connection or having to send mail

Slide #38: Aside: Unix Passwords

Passwords encrypted with permuted version of DES and ciphertext stored in world-readable accounting file
Worm used dictionary attack to break passwords (sometimes as many as 50% of the passwords on a system)
Unix now stores passwords in shadow password file that can only be accessed by sysadmin
And encryption is done using a privileged routine that delays return for a second or so (prevents online testing)

Slide #39: Aside: Trusted Logins

BSD Unix has nice support for login from remote machines
One can specify a list of host/login name pairs that are assumed to be trusted. Login with these pairs does not require a password
hosts.equiv and .rhosts files
Worm exploited this by trying to locate machines that might trust the current machine
How do you think it did this?
When one found, worm placed itself on the target machine

Slide #40: Internet Worm (High level description)

Main program: collect info on other machines on network to which current machine could connect
Read config files
Run system utilities to get info about current state of network connections
Used previously mentioned flaws to attempt to establish bootstrap on these machines.

Slide #41: Internet Worm (High Level Description)

Bootstrap program:
99 lines of C code that would be compiled and run on remote machine
Once transferred to target machine, it was compiled and invoked with three command line arguments:
Network address of infecting machine
Number of network port to connect to on machine to get copies of the main worm files
Magic number that acted as one-time challenge password
If worm on remote host and port didn’t receive magic number back, it would immediately disconnect from bootstrap program
Possibly to prevent someone from capturing a copy of the worm by spoofing a Worm server

Slide #42: Internet Worm (High Level Description)

Bootstrap program:
Connect back with worm that originated it and transfer a set of precompiled code (binaries) to local machine
These binaries represented versions of the main program for various OS versions and machine architectures.
Once binaries transferred, loaded and linked with standard library routines on host machine, then run one by one.

Slide #43: Father Christmas Worm

Electronic Christmas Card passed around IBM-based networks
Card was letter instructing recipient to save letter and run as a program.
Program drew Christmas Tree (with blinking lights!) and printed Merry Christmas
Program checked recipient’s list of previously received mail as well as address book, then sent itself to all these addresses
Overwhelmed network and forced shutdown
Macro worm written in high-level job control language

Slide #44: Rabbits and Bacteria

Program that absorbs all of some class of resource
Program copies multiply so fast that resources exhausted. A class of denial of service attack.
Ex. (Dennis Ritchie) This will exhaust disk space or inode tables on a Unix Version 7 system

Slide #45: Examples

Internet worm:
During infection, opened a port on target machine.
When another worm tried to infect machine, it checked port. If opened, it assumed machine infected.
But apparently to thwart sysadmins opening a small program on that port, every sixth attack it ignored the check.
Led to many copies of the worm on single machine. These consumed the CPU.
Father Christmas:
Created so much network traffic that network became unusable and had to be shut down

Slide #46

Question: Is there an algorithm that can determine if an arbitrary program contains replicating code?

Slide #47

Answer (Cohen): No such algorithm can exist. It is provably undecidable whether an arbitrary program contains a computer virus.

Slide #48: Logic Bomb

Logic bomb is a program that executes malicious logic when some external event occurs
E.g. program attacks on specific date
Disaffected employees who plant Trojan horses in systems often use logic bombs
E.g. delete entire payroll roster when employee’s name is deleted

Slide #49: Example

Early 1980s: program posted to USENET promised to make administering systems easier
Directions:
Unpack shar archive containing program
Compile program and install as root
Midway down the shar archive:

Slide #50: A More Modern Perspective on Malicious Logic

We’ve talked a bit about classification and seen an important theoretical result. Now we consider more recent developments.
As always, thanks to my Berkeley colleagues for providing much of the slides on this modern perspective.

Slide #51: Outline

What is a Worm/Virus?
Why are they created?
Infection Vectors and Payloads
How they propagate and what they do
Worm propagation rates
Virus/Worm detection/prevention
File scanners, host scanners, network scanners
Host monitors
Targeted Worms and Viruses

Slide #52: Internet Worms and Viruses

Self-replicating code and data
Worms are self-propagating (search network)
Typically exploit vulnerabilities in an application running on a machine or the machine’s OS
Viruses typically require a human interaction before propagating
Running e-mail attachment, or clicking link in e-mail
Inserting/connecting “infected” media to a PC
Behavioral invariant: they seek to propagate

Slide #53: Why Create Worms/Viruses?

Formerly was a prestige motivation
Finding bugs, mass infections, …
50% of viruses contain crackers’/groups’ names
Cracking for profit, including organized crime
Create massive botnets: 10-100,000+ machines infected
Overloading/attacking websites, pay-per-click scams, spamming/phishing e-mail, or phishing websites…
More on botnets later…
Corporate/personal espionage (SSN, passwords, docs, …)
Closing security loopholes
Is this ethical?

Slide #54: Revisiting Zotob Virus (August 2005)

Financially-driven motive
Infected machines and set IE security to low (enables pop-up website ads)
Revenue from ads that now appear
User may remove virus, but IE settings will likely remain set to low
Continued revenue from ads…
Targeted (among others) ABC, CNN, the Associated Press, NY Times, Caterpillar Inc.
Cost an average of $97,000 and 80 hours of cleanup per company affected.

Slide #55: Revisiting Zotob Virus (August 2005)

August 26th, 2005 (two weeks after Zotob)
Farid Essebar was arrested in Morocco, Atilla Ekici arrested in Turkey
September 16, 2006
Essebar and friend Achraf Bahloul sentenced in Moroccan court.
Ekici believed to have bought the worm for financial gain.
Believed that Essebar is part of larger group, the Dark-side Hackers, behind spread of Zotob

Slide #56: Infection Vectors and Payloads

Two components to worms and viruses
Infection vectors: how they get onto your machine and then propagate
Payloads: what they do on your machine

Slide #57: Infection Vectors

Network scanning for potential victims (worms)
Local/server/P2P files (viruses/worms)
E-mail message components (viruses)
Web sites (worms/viruses)

Slide #58: Network Scanning for Potential Victims (Worms)

How to scan the network?
Pick address, try to exploit protocol vulnerabilities
How to generate addresses?
Use a PRG, but how to initialize the PRG?
Same seed on each host (common flaw!)
Need to generate local seed…
Generate 32-bit IP address or 4 8-bit parts?
Is even or uneven probing better?
Local hosts are likely to be same OS/patch level and have higher bandwidth
Also local addr space is denser

Slide #59: Worm Exploits

Buffer overflow on servers/clients
Identify de-serializing errors, send exploit code
MSBlaster DCOM/RPC exploit
Forcing protocol parsing errors
Identify errors in protocol handling/state machine
Morris worm fingerd remote code exec
Weak passwords (more on this in a moment)
Brute force: try name backwards, appended, …
Out-of-the-box configuration errors
Default ID/password
Debugging mode enabled (Morris worm sendmail exploit)

Slide #60: Infecting via Files

Factory installed
Removable media (viruses)
Floppies, CD/DVD-ROMs, USB drives/keys
Files on shared servers and P2P networks (worms/viruses)
Have to convince user to click to open…
Or, an infected existing document
E-mail file attachments (viruses)
Have to convince user to click to open…

Slide #61: Infecting via E-mail

E-mail attachments (viruses)
Files (see last slide)
Scripts: Windows Scripting Host
HTML files: browser exploits (next slide)
HTML-formatted e-mail messages
Browser exploits (next slide)
User clicks on links (leads to browser exploits)
Windows Scripting Host
Executes simply by viewing e-mail msg (LoveLetter)
Embedded images (JPEG/PNG render exploits)

Slide #62: Why E-mail based Infections?

E-mail has become globally ubiquitous
By 2006, e-mail traffic is expected to surge to 60 billion messages daily
Message Labs scanned 14.7 billion emails, found >6% were viral
Nearly all of the most virulent worms of 2004 spread by email (Symantec/Sophos)

Slide #63: Web Sites (Worms/Viruses)

Set up malicious server, or infect existing server
Porn, Warez/Crackz/Gamez, anti-spyware (!) sites
Exploit bugs in browser rendering engine
“Drive-by-download” infection
ActiveX exploits
Leverage bugs in ActiveX components
Enable remote script/code execution
HTML parsing vulnerabilities
Redirect to malicious sites
Cause buffer overflow, or file download and execute

Slide #64: Types of Payloads

Bootstrap loader
Message
Propagation engine
System settings/DNS changer, file installer
Destructive actions
Zombie software installer
Trojans/Browser Help Objects installer
But, sometimes payloads don’t work
Inadvertent system crashes instead

Slide #65: Payloads

Bootstrap loader
Used when exploit can only send a small amount of code/script
Establishes TFTP connection back to infecting machine to retrieve real payload
Message (could be null)
Propagation engine
Permanently installs virus/worm by changing system settings, or replacing/infecting system files (rootkit)
Infect local/server/P2P documents, music, etc.
Malicious: disk corruption, or BIOS re-flash

Slide #66: Payloads

Zombie software install
Password cracker
Spambot or Distributed Denial of Service bot
Trojans/Browser Help Objects installer
Adware/spyware install
Typically, implemented as BHOs
Collect personal info, logins/passwords for financial sites, files/data and send to attacker
Create popups and search redirects

Slide #67: Fast Propagating Worm/Virus Side Effects

Traffic floods network links
Slammer prevented admins from accessing servers to shut them down/patch them
Affected the access links
Border Gateway Protocol heartbeats monitor links
Timeouts caused links to drop, stopped worm traffic
Heartbeats get through, links come back up, worm traffic flows again (repeat!)
Overwhelms servers (e-mail/other)
Denial of service (sometimes intentional)

Slide #68: Virus/Worm Toolkits

Dozens of websites and downloadable toolkits for building worms/viruses
Make it easy for script kiddies to create new threats
But, most are built from common building blocks with the same polymorphic engines
Can create signatures for blocks and engines
Encryption is a looming threat…

Slide #69: Our Path

What is a Worm/Virus?
Why are they created?
Infection Vectors and Payloads
How they propagate and what they do
Worm propagation rates
Virus/Worm detection/prevention
File scanners, host scanners, network scanners
Host monitors
Targeted Worms and Viruses

Slide #70: Propagation Rates

Classic theory
Function of # vulnerable hosts (N), initial compromise rate (K), start time (T)
Logistic equation:
a is the number of infected hosts

Slide #71: Code Red I Propagation

Can’t easily count infected hosts
Count scans instead
Theory matches observed

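Slide 70 names the quantities of the classic logistic model (N, K, T and a) without the equation itself, and slide 71 notes that Code Red I was measured by counting scans rather than hosts. The Python below is an added example, not from the lecture: it implements the logistic solution from Staniford, Paxson and Weaver’s Code Red analysis (my assumption about which "classic theory" is meant), checks it against a step-by-step simulation, and converts between infected hosts and the scan rate a monitor sees; all parameter values are constructed.

```python
"""Added example (not from the CS 334 slides): the classic logistic model of
worm propagation behind slides 70-71, using the slide's quantities:
  N  number of vulnerable hosts
  K  initial compromise rate (infections per infected host per unit time)
  T  the time at which half of the vulnerable hosts are infected
  a  infected hosts (here: N times the infected fraction)

Assumption: the "classic theory" is the logistic model of Staniford, Paxson
and Weaver's Code Red I analysis, a(t) = N * e^{K(t-T)} / (1 + e^{K(t-T)}),
the solution of da/dt = K a (1 - a/N).  Slide 71: infected hosts cannot be
counted directly, so the scan rate seen by a monitor is compared instead.
"""
import math


def infected_fraction(t, K, T):
    """Logistic infected fraction at time t, in [0, 1]."""
    x = K * (t - T)
    # math.exp overflows for very large x; the fraction is 1.0 there anyway.
    if x > 700:
        return 1.0
    e = math.exp(x)
    return e / (1.0 + e)


def infected_hosts(t, N, K, T):
    """The slide's a: infected hosts at time t under the logistic model."""
    return N * infected_fraction(t, K, T)


def simulate(N, K, T, dt, t_end):
    """Euler integration of da/dt = K a (1 - a/N) from a(0) = N * fraction(0).

    Returns a list of (t, a) pairs.  Useful to check the closed form and to
    plug in per-step effects the formula lacks (e.g. a saturating link).
    """
    a = infected_hosts(0.0, N, K, T)
    series = [(0.0, a)]
    steps = int(round(t_end / dt))
    for i in range(1, steps + 1):
        a += dt * K * a * (1.0 - a / N)
        series.append((i * dt, a))
    return series


def expected_scan_rate(t, N, K, T, scans_per_host):
    """Scans per unit time a monitor sees if every infected host scans the
    whole address space uniformly at `scans_per_host` (slide 71's measure)."""
    return infected_hosts(t, N, K, T) * scans_per_host


def hosts_from_scans(scan_count, window, scans_per_host, monitor_fraction):
    """Invert the measurement: scans observed over `window` at a monitor that
    sees `monitor_fraction` of the address space -> estimated infected hosts."""
    if window <= 0 or scans_per_host <= 0 or not 0 < monitor_fraction <= 1:
        raise ValueError("window, scan rate and monitor fraction must be positive")
    return scan_count / (window * scans_per_host * monitor_fraction)


if __name__ == "__main__":
    # Constructed parameters, not measurements: 360,000 vulnerable hosts, one
    # compromise per infected host per hour initially, half infected at hour 16.
    N, K, T = 360_000, 1.0, 16.0
    for hour in (0, 8, 16, 24, 32):
        print(hour, round(infected_hosts(hour, N, K, T)),
              round(expected_scan_rate(hour, N, K, T, scans_per_host=1000)))
    closed = infected_hosts(24.0, N, K, T)
    euler = simulate(N, K, T, dt=0.01, t_end=24.0)[-1][1]
    print("closed form vs Euler at t=24:", round(closed), round(euler))
```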
Slide #72: Propagation Rates (New Theory)

Slammer
Classic theory doesn’t apply to fast propagating worms
Links have bandwidth / latency constraints
No universal connectivity

Slide #73: Other Factors

TCP (3-way) versus UDP
Latency between attacker and victim has major impact for TCP
Timeout delay when scanning
Also, function of scan algorithm
PRNG quality
Broken algorithms mean missed hosts
Seed computation
Scan distribution (even or local bias?)

Slide #74: Propagation Behavior

More efficient scanning finds victims faster (< 1 hr)
Even faster propagation is possible if you cheat
Wasted effort scanning non-existent or non-vulnerable hosts
Warhol: seed worm with a “hit list” of vulnerable hosts (15 mins)

Slide #75: Virus Propagation Rates

How to determine virus propagation rates?
Don’t have universal connectivity
Small worlds effect: 6 degrees of separation
Have to account for queuing delays
Limited (delayed) by human interaction rate
Very hard to model analytically
E-mail viruses tend to appear first in Asia, then Europe, finally North/South America
Follows business day/timezones

Slide #76: Our Path

What is a Worm/Virus?
Why are they created?
Infection Vectors and Payloads
How they propagate and what they do
Worm propagation rates
Virus/Worm detection/prevention
File scanners, host scanners, network scanners
Host monitors
Targeted Worms and Viruses

Slide #77: Detection/Prevention Techniques

File and host scanners and monitors
Signature-based scanners
Have “zero” false negatives/positives
Significant human delay (hours to days)
Heuristic-based scanners
Non-zero false negative/positive rates
Network scanners
Firewalls
Throttling

Slide #78: Signature Generation Requires Human Intervention

Human element slows reaction times
Malcode collection can take hours
Signature generation can take hours to days
Signature distribution can take hours to days
Novel malcode propagates faster than signatures
Signature methods are mired in an arms race
MyDoom.m and Netsky.b slipped through many mail scanners
Malcode: polymorphic today, encrypted in future
Signature-based approach alone is insufficient

Slide #79: File/Host Scanners and Monitors

File scanner
One-time/periodic “scan” or continuous real-time monitor
Scan all files on read/write
Heuristic: look for code similarities (e.g., propagation engines), not identical matches
Host scanner
One-time/periodic “scan” or continuous real-time monitor
Scan active processes, BIOS, registry, … for infections
Heuristic: examine process memory, look for anomalous registry entries, …

Slide #80: Network Scanners

Place at network ingress point
Scan all incoming traffic, especially e-mail
Uses signatures like file scanners
Also heuristic e-mail scanning (phishing, spam)
Can also apply exfiltration scanning
Phishing attempts, viruses/worms that attempt to transmit personal/sensitive/corporate data
Scaling and reliability issues

Slide #81: Firewalls

Usually deployed at network ingress points
Default deny all
Stops worm scans
Except for public services, like web servers!
And, trusted servers/clients
Can lead to complacency
Remember, network is only one propagation method
Laptops are a problem
Partial solution: host-based firewalls
Now mandatory at many places
Still need signatures for detection

Network Throttling
- Heuristic approach: limit the number of connections per minute
  - Idea: slow down worm scans or outgoing virus e-mails
  - Algorithm placed in routers
  - Limit outbound connections to slow down worms
- Can't set a fixed limit, why?
  - Users have different sending rates, servers, ...
- Inverse throttling
  - Tarpits
  - Delay connections to non-existent/protected hosts
  - Consumes precious OS resources on the worm-infected machine
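An answer to the "can't set a fixed limit" question on the slide, as an added example that is not code from the original slides: the working-set throttle from Williamson's "Throttling Viruses" paper (HP Labs, 2002). Rather than a connections-per-minute cap, each host keeps a small working set of destinations it talked to recently; connections to those go out at once, connections to new destinations are queued and released one per second. Normal traffic revisits the same few hosts and barely notices, while worm scanning hits a fresh host every time and piles up in the queue, which doubles as the infection signal. The parameters, the two traffic models and the host names are assumptions made for the demo.

```python
"""Working-set connection throttle vs a normal client and a scanning worm (added example)."""
from collections import OrderedDict, deque

class VirusThrottle:
    def __init__(self, working_set_size=5, release_per_tick=1, alarm_queue_len=100):
        self.working_set = OrderedDict()   # destination -> None, least recent first
        self.queue = deque()               # delayed connections to new destinations
        self.size = working_set_size
        self.rate = release_per_tick
        self.alarm = alarm_queue_len

    def request(self, dest) -> bool:
        """New outbound connection attempt. True if it may go out immediately."""
        if dest in self.working_set:
            self.working_set.move_to_end(dest)
            return True
        self.queue.append(dest)
        return False

    def tick(self) -> list:
        """Once per second: release up to `rate` queued connections and admit
        their destinations to the working set, evicting the least recent."""
        released = []
        for _ in range(self.rate):
            if not self.queue:
                break
            dest = self.queue.popleft()
            self.working_set[dest] = None
            self.working_set.move_to_end(dest)
            while len(self.working_set) > self.size:
                self.working_set.popitem(last=False)
            released.append(dest)
        return released

    def alarmed(self) -> bool:
        """Queue length is the signal: a person cannot queue hundreds of new hosts."""
        return len(self.queue) >= self.alarm

def normal_user(second: int) -> list:
    """Constructed model: two requests per second to a few familiar servers,
    plus one never-seen destination every 10 seconds."""
    servers = ["mail", "web1", "web2", "fileserver"]
    dests = [servers[second % 4], servers[(3 * second) % 4]]
    if second % 10 == 0:
        dests.append(f"new-host-{second}")
    return dests

def scanning_worm(second: int, per_second: int = 50) -> list:
    """Constructed model: `per_second` attempts per second, each to a fresh address."""
    base = second * per_second
    return [f"10.0.{(base + i) // 256}.{(base + i) % 256}" for i in range(per_second)]

def simulate(traffic, seconds: int, throttle: VirusThrottle = None) -> dict:
    """Drive the throttle for `seconds` ticks; return queue length per second and totals."""
    throttle = throttle or VirusThrottle()
    queue_history, allowed, delayed, first_alarm = [], 0, 0, None
    for s in range(seconds):
        for dest in traffic(s):
            if throttle.request(dest):
                allowed += 1
            else:
                delayed += 1
        throttle.tick()
        queue_history.append(len(throttle.queue))
        if first_alarm is None and throttle.alarmed():
            first_alarm = s
    return {"queue": queue_history, "allowed": allowed, "delayed": delayed,
            "first_alarm": first_alarm}
```

With the defaults, `simulate(normal_user, 60)` never queues more than a handful of connections and never raises the alarm, whereas `simulate(scanning_worm, 30)` has every request delayed, crosses the alarm threshold in the third second and ends with a queue of 30 x 49 entries; no per-user rate had to be tuned.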

Our Path
- What is a Worm/Virus?
- Why are they created?
- Infection Vectors and Payloads
  - How they propagate and what they do
- Worm propagation rates
- Virus/Worm detection/prevention
  - File scanners, host scanners, network scanners
  - Host monitors
- Targeted Worms and Viruses

Example Scenario
- You arrive at work and start reading e-mail
- In your inbox is a business proposal from your biggest competitor
- You're curious, so you open and read the proposal
- You decide to ignore it and continue on with your work
- Two weeks later you lose your biggest clients to the competitor: they lowball you on a bid, announce a better version of your planned killer product, ...
- Fact or fiction?

Fact!
- You're the victim of a targeted attack
- Opening the proposal secretly installed a Trojan horse program
- The Trojan searched your hard drives and network shares for confidential documents and e-mail messages
- Then it sent them out to a server run by your competitor
- Custom attacks are hard to detect
  - Their one-off nature means there are no signatures for them

Targeted Attacks
- Israel (May 19, 2005)
  - 7 businessmen and 11 private detectives arrested for using a Trojan horse for cyber industrial espionage
  - Satellite TV, cell phone, auto import businesses
  - Trojan designed by a husband-wife pair in Britain
  - Named Rona (a variant of the Hotword Trojan)
  - Caught because the husband installed it on his father-in-law's computer and it posted copies of a private manuscript online

Designing a Targeted Attack
- How to profile the target to identify its OS and software?
  - Send an e-mail message and examine the reply!
  - User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
  - More work to determine OS/SW patch levels
- Then craft an attack:
  - HTML script vulnerabilities
  - Embedded/remote images
  - Web site exploits
  - Office documents (macros, scripts, ...)
  - Other document types (PDF, PS, ...)
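The profiling step on the slide, as an added example that is not code from the original slides. The reply message is constructed for the demo (its User-Agent string is the one quoted above), and the parser and its field names are assumptions; the Windows NT version to product mapping is the standard one. What the reply tells an attacker in 2008: Windows 2000 and a Gecko-based mail client built in October 2003, i.e. a target that is probably well behind on patches.

```python
"""Profiling a target from the agent headers of an e-mail reply (added example)."""
import email
import re
from email import policy

# Constructed reply; only the User-Agent line is taken from the slide.
REPLY = b"""\
From: target@example.com
To: sender@example.net
Subject: Re: partnership proposal
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
Content-Type: text/plain; charset=us-ascii

Thanks, I will have a look at it next week.
"""

# Windows NT kernel version -> product (standard mapping, not from the slides).
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2",
}

def profile_from_reply(raw: bytes) -> dict:
    """Extract OS and mail-client hints from User-Agent (or X-Mailer) of a reply."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    agent = str(msg.get("User-Agent") or msg.get("X-Mailer") or "")
    profile = {"agent": agent, "os": None, "os_version": None,
               "client_engine": None, "client_build": None}
    m = re.search(r"Windows NT (\d+\.\d+)", agent)
    if m:
        profile["os_version"] = m.group(1)
        profile["os"] = NT_VERSIONS.get(m.group(1), "Windows (unrecognised NT version)")
    m = re.search(r"rv:([\d.]+)\) Gecko/(\d{8})", agent)
    if m:
        build = m.group(2)
        profile["client_engine"] = f"Gecko rv:{m.group(1)}"
        profile["client_build"] = f"{build[:4]}-{build[4:6]}-{build[6:]}"
    return profile
```

A message with no agent header yields an empty profile rather than an error, which is the realistic case for webmail replies; the attacker then falls back to the remote-image and web-site techniques listed on the slide.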

Worm/Virus Summary
- Arms race between creators and protectors
- Existing signature approaches are limited
- Financial motive poses growing threat
- High risk from Warhol worms
- Viruses are still a critical threat
  - FBI survey of 269 companies in 2004 found that viruses caused ~$55 million in damages

Fall 2006, CS 395: Computer Security

An aside: User Authentication
- E.g., how can a system tell you're you?
- Unlike "real world" authentication (e.g., you recognize someone's voice over the phone), a computer can't "recognize" someone (well, not in the same way).

The Basics
- Three quantities used to confirm a user's identity
  - Something the user knows: passwords, PINs, a secret handshake, mother's maiden name
  - Something the user has: identity badge, physical key, driver's license, uniform
  - Something the user is: biometrics, based on physical characteristics of the user (e.g., fingerprint, pattern of a person's voice, picture of the face)
- These three can be combined
- The password is the most common means of user authentication to an OS

Passwords
- Although secure in theory, human practice often degrades the quality of this means of authentication
- Must handle:
  - Loss: depending on the implementation, it is possible that no one will be able to restore a lost password.
  - Use: supplying a password for each file access can be inconvenient and time consuming.
  - Disclosure: if the password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the password is then changed, all other legitimate users must be notified.
  - Revocation: to revoke one user's access rights to a file, someone must change the password, causing the same problems as disclosure.

Aside: Multifactor Authentication
- This is a fancy name for the use of additional authentication information
- E.g., login allowed only if the password check is valid AND
  - the login request is received from a specific IP address and/or port, AND
  - the login request is received during a specific time period (say between 8 a.m. and 5 p.m.)
- Strictly speaking, source address and time of day are contextual restrictions rather than independent factors of the knows/has/is kind: they raise the bar for an attacker who already has the password, but they do not replace a second factor

Aside: Multifactor Authentication
- Two forms of authentication (two-factor authentication) are better than one if both are strong
- But as the number of forms increases, so does the inconvenience
- AND each authentication factor requires the system to manage more security information, which (in addition to needing more protection resources) may also increase the complexity of the implementation

Attacks on Passwords
- Passwords are limited as protection devices because of the relatively small number of bits of information they contain
- Ways to obtain a user's password (in decreasing order of difficulty):
  - Try them all
  - Try frequently used passwords
  - Try passwords likely for the particular user
  - Search for the system's list of passwords
  - Ask the user
- Systems don't help here, as they often provide the attacker with partial information.

Loose-Lipped Systems
- Note that password authentication is based on the premise that an outsider knows nothing of the system. But systems often help an attacker.
- Consider a login transcript like the one on the slide (uppercase is the system's message, lowercase is the user's input; the transcript itself is not reproduced here).
- The system is identified, and the attacker learns that "adams" is not a valid user name. An intruder can use this with common surnames to build a list of authorized users.

Loose-Lipped Systems
- Better: the user is not told whether it is the user name or the password that is bad
- But the message still provides the name of the system.

Loose-Lipped Systems
- Best: the adversary receives no information until after successful authentication.
- After all, a legitimate user should know the name of the system, so why provide it beforehand?
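The three login behaviours on the last three slides side by side, as an added example that is not code from the original slides. The user database, the salted SHA-256 hashing (a real system uses a deliberately slow password hash) and the function names are assumptions for the demo. It also covers a caveat the slides' message-only view leaves out: if the handler skips the hash computation for unknown users, the response time still tells an attacker whether a user name exists, so the tight-lipped version always hashes against a dummy entry. A call counter on the hash function stands in for a stopwatch so the effect is deterministic.

```python
"""Loose-lipped and tight-lipped login handlers, with the timing caveat (added example)."""
import hashlib
import hmac

SYSTEM_NAME = "CS395-DEV"      # made-up host name that the loose versions leak
_CALLS = {"hash": 0}            # counts hash computations (stands in for timing)

def _hash(password: str, salt: bytes) -> bytes:
    _CALLS["hash"] += 1
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"\x07" * 8
USERS = {"smith": (_SALT, _hash("correct horse", _SALT))}   # constructed database
DUMMY = (_SALT, _hash("not-a-real-password", _SALT))         # used for unknown users

def loose_login(user: str, password: str) -> str:
    """Names the system and says which part was wrong (first slide)."""
    if user not in USERS:
        return f"{SYSTEM_NAME}: INVALID USER NAME"
    salt, digest = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return f"{SYSTEM_NAME}: INVALID PASSWORD"
    return f"{SYSTEM_NAME}: WELCOME"

def better_login(user: str, password: str) -> str:
    """One failure message for both cases but still names the system (second slide);
    the short-circuit also skips the hash for unknown users, a timing leak."""
    ok = user in USERS and hmac.compare_digest(_hash(password, USERS[user][0]), USERS[user][1])
    return f"{SYSTEM_NAME}: WELCOME" if ok else f"{SYSTEM_NAME}: LOGIN FAILED"

def best_login(user: str, password: str) -> str:
    """Nothing revealed before success (third slide), and the same amount of
    work done whether or not the user exists."""
    salt, digest = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    return f"{SYSTEM_NAME}: WELCOME" if ok else "LOGIN FAILED"

def username_oracle(login, candidates) -> list:
    """Names an attacker can confirm from messages alone: those whose reply to
    a garbage password differs from the reply for a nonexistent user."""
    probe = "zzz-garbage"
    baseline = login("no-such-user-xyz", probe)
    return sorted(c for c in candidates if login(c, probe) != baseline)

def hash_work(login, user: str) -> int:
    """Hash computations a failed login for `user` costs (the timing side channel)."""
    before = _CALLS["hash"]
    login(user, "zzz-garbage")
    return _CALLS["hash"] - before
```

`username_oracle(loose_login, [...])` confirms "smith" from the messages alone; the other two handlers give the oracle nothing, but `hash_work(better_login, "adams")` is 0 while `hash_work(better_login, "smith")` is 1, so a clock recovers the same list. Only `best_login` costs the same for both and keeps the system name out of the failure reply.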

Exhaustive Attack
- A.k.a. brute-force attack: the attacker tries all passwords (usually in an automated fashion) until the correct one is found
- Difficulty depends on the implementation (how long passwords are, which characters are allowed, etc.)

Exhaustive Attack
- Example: assume passwords consist of the 26 characters A-Z and can have length from 1 to 8 characters.
- Number of passwords = 26^1 + 26^2 + ... + 26^8 = (26^9 - 26)/25 ≈ 2.2 x 10^11 (almost all of them, 26^8 ≈ 2.1 x 10^11, are the eight-character ones)
- At one password per millisecond, trying them all takes about 7 years
- At one password per microsecond, about 2.5 days!
- A reasonable time if the reward is large enough (e.g., a password protecting a file of credit card numbers)
- And the expected search time, if all passwords are equally likely, is half these figures

Probable Passwords
- Reduce the search space significantly!
- When humans choose words "at random", they tend to choose words that are short, common, and easy to spell and pronounce.
- Attackers use this:
  - Search passwords from shortest to longest
  - All passwords of 5 characters or less can be searched in under 4 hours.
    - Time given assumes people choose all passwords with equal probability (e.g., hdlzm and ehlzx are chosen as often as pizza and beer)
  - Spell-checkers often have dictionaries of commonly used words. One of these contains 80,000 words. Trying all of them takes only 80 seconds.

Passwords Likely for a User
- Usually meaningful to the person
- Name of spouse, child, brother, sister, pet, street name, or something memorable or familiar
- The list of these things is often only a few hundred entries long at most. It can be checked in under a second!

Distribution of Actual Passwords
- 1979 study by Morris and Thompson
- Considered 3,289 passwords
- Results:
  - 15 were single ASCII characters
  - 72 were two ASCII characters
  - 464 were three ASCII characters
  - 477 were four alphabetic letters
  - 706 were five alphabetic letters, all the same case
  - 605 were six lowercase alphabetic letters
  - 492 were words in dictionaries or lists of names
  - Total: 2,831 (86%) contained in this list!

Figures are Not Dated
- 1990: Klein collected approx. 15,000 passwords
  - 2.7% guessed within 15 minutes, 21% within one week
- 1992: Spafford collected approx. 15,000 passwords
  - Average length 6.8 characters
  - 28.9% consisted of only lowercase alphabetic characters

Figures are Not Dated
- 2002: British online bank Egg finds 50% of passwords for its online banking service were family members' names:
  - 23% children's names
  - 19% spouse or partner
  - 9% their own name
  - 8% pet names
  - 9% each for celebrity and soccer stars' names

Still Worse
- 1998: Knight and Hartley report approx. 35% of passwords derived from syllables and initials of the account owner's name.
- Several articles claim that God, sex, love, and money are the four most common passwords
- Lists of common passwords are posted online
  - http://www.geodsoft.com/howto/password/common.htm
  - http://www.phenoelit.de/dpl/dpl.html
- Also sites that post dictionaries of phrases, science fiction characters, places, mythological names, Chinese words, Yiddish words, and several other specialized lists
- Sysadmin utilities such as SATAN, COPS, and Crack allow administrators to check for weak passwords. They also allow attackers to do the same.
- Changing letters to numbers (e.g., 0 for the letter O, 1 for lowercase L, etc.): been done, and the attackers know it.

Knight and Hartley 12 Password Guessing Steps
1. No password
2. The same as the user ID
3. Is, or is derived from, the user name
4. Common word list (e.g., password, secret) plus common names and patterns (e.g., asdfg, aaaaaa)
5. Short college dictionary
6. Complete English word list
7. Common non-English language dictionaries
8. Short college dictionary with capitalizations (PaSsWorD) and substitutions (0 for O, etc.)
9. Complete English with capitalizations and substitutions
10. Common non-English dictionaries with capitalizations and substitutions
11. Brute force, lowercase alphabetic characters
12. Brute force, full character set

Plaintext System Password List
- Not a good idea
- Even if protected via access control (e.g., only OS-level functions can access it), it's not good
  - Many OS functions never need to read the file, and opening it to all OS functions means that if even one of these functions is compromised, the password list is compromised as well
  - System backups often lack protection mechanisms (physical security and access control to the backup tapes themselves are the only security for these)
  - The password file is stored on a disk, so anyone who can overcome the file restrictions or gain access to the disk can obtain the password file

Encrypted Password File
- Password table entries are transformed with a one-way function (e.g., a hash) and then stored
- On login, the hash of the supplied password is checked against the entry in the password file
- A problem: two users who pick the same password will notice that they have the same password hash (and an attacker can hash a dictionary once and compare the result against every entry in the file)
- Salt: a small number formed from other info, and appended to the password
  - Password + salt is what is hashed
  - Salt stored in plaintext. On an authentication attempt, the OS appends the salt to the password and hashes the extended password to check against the password file. E.g., the classic Unix salt is a 12-bit number formed from the system time and process ID.
- Still a good idea to limit access to the password file (even if hashed): salt forces the attacker to do the guessing work per entry, but it does nothing to protect a weak password
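The salted password file described above, with an offline guessing attack against it in the Knight and Hartley order from the earlier slide, as an added example that is not code from the original slides; it also serves the exhaustive-attack and probable-password slides by computing the keyspace those slides estimate. The password file, the user list and the word lists are constructed for the demo, and the hash is salted SHA-256 (a real system uses a deliberately slow hash such as bcrypt or PBKDF2, which raises the cost per guess but changes none of the logic). It shows what salt buys (two users who chose the same password get different hashes, so a dictionary hashed once cannot be compared against every entry) and what it does not (weak passwords still fall in a handful of guesses; only the random one is left to the 2 x 10^11 brute-force keyspace).

```python
"""Salted password file and an offline guessing attack in Knight-Hartley order (added example)."""
import hashlib
import hmac
import itertools
import os
import string

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def make_entry(password: str) -> tuple:
    """Fresh random salt per entry, stored in the clear beside the hash."""
    salt = os.urandom(8)
    return salt, hash_password(password, salt)

def verify(pwfile: dict, user: str, password: str) -> bool:
    salt, digest = pwfile[user]
    return hmac.compare_digest(hash_password(password, salt), digest)

# Constructed password file: user -> (salt, hash). baker and clark chose the same password.
PASSWORD_FILE = {
    "adams": make_entry("adams"),       # same as the user ID
    "baker": make_entry("secret"),
    "clark": make_entry("secret"),
    "davis": make_entry("P@ssw0rd"),    # dictionary word with substitutions
    "evans": make_entry("qzvmkrtb"),    # eight random lowercase letters
}

COMMON_WORDS = ["password", "secret", "letmein", "asdfg", "aaaaaa", "god", "sex", "love", "money"]
DICTIONARY = ["apple", "banana", "welcome", "dragon", "monkey", "password"]   # tiny stand-in
SUBS = {"o": "0", "a": "@"}             # two of the substitutions attackers know about

def mangle(word: str):
    """Case and substitution variants (Knight and Hartley steps 8-10)."""
    leet = "".join(SUBS.get(c, c) for c in word)
    for w in (word, leet):
        yield w
        yield w.capitalize()
        yield w.upper()

def guesses(user: str):
    """Candidate passwords in Knight and Hartley order, as (step, guess) pairs."""
    yield 1, ""
    yield 2, user
    for g in (user[::-1], user + "1", user.capitalize()):
        yield 3, g
    for w in COMMON_WORDS:
        yield 4, w
    for w in DICTIONARY:
        yield 5, w
    for w in COMMON_WORDS + DICTIONARY:
        for g in mangle(w):
            yield 8, g
    for n in range(1, 9):                                  # step 11: a-z, lengths 1..8
        for t in itertools.product(string.ascii_lowercase, repeat=n):
            yield 11, "".join(t)

def crack(user: str, salt: bytes, digest: bytes, budget: int):
    """Offline attack on one entry: (password, step, tries) or None within `budget` guesses."""
    for tries, (step, g) in enumerate(guesses(user), 1):
        if tries > budget:
            return None
        if hash_password(g, salt) == digest:
            return g, step, tries
    return None

def crack_file(pwfile: dict, budget: int = 50_000) -> dict:
    """Every entry has its own salt, so the whole guess list is rehashed per user."""
    return {u: crack(u, salt, digest, budget) for u, (salt, digest) in pwfile.items()}

def keyspace(alphabet: int, max_len: int) -> int:
    """Number of passwords of length 1..max_len over an alphabet of `alphabet` symbols."""
    return sum(alphabet ** n for n in range(1, max_len + 1))
```

`crack_file(PASSWORD_FILE)` recovers adams at step 2, baker and clark at step 4 (with the same guess count each, since the salt only changes the hash, not the order of guesses) and davis at step 8, while evans survives the 50,000-guess budget; `keyspace(26, 8)` is 217,180,147,158, the figure from the exhaustive-attack slide.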

Indiscreet Users
- Tape the password to the side of the terminal, or write it down on a card just inside the top desk drawer
- Users sharing files share passwords: "my password is x, just get the file yourself"
- VeriSign (2005), in an unscientific poll, found that 2/3 of people approached on the street volunteered to disclose their password in exchange for a coupon good for a cup of coffee. 79% admitted they use the same password for multiple systems or sites.