Digital Immunity - The Myths and Reality
By Christine M. Orshesky
Published in: Technology
1. Digital Immunity - The Myths and Reality
   Cornell University, 27 June 2002
   Christine M. Orshesky, CISSP, CQA

2. Topics for Discussion
   - Malware
     - Threats and Techniques
     - Impact and Effects
   - Incident Management
     - Preparation
     - Detection and Containment
     - Eradication and Recovery
     - Reporting and Analysis
   - Demonstration
   - Summary

3. What is Malware?
   - Any piece of hardware, software or firmware that is intentionally included or introduced into a computer system for unauthorized purposes, usually without the knowledge or consent of the user
   - Includes
     - Viruses
     - Trojan horse programs
     - Worms
     - Hoaxes
     - Logic bombs
     - Joke programs

4. Virus - Defined
   - “… a program which makes a copy of itself in such a way as to ‘infect’ parts of the operating system and/or application programs.” - Survivor’s Guide to Computer Viruses, Virus Bulletin, 1993
   - Replicates
     - file to file
     - system to system
     - disk to disk
   - Typically requires a “host”
   - Must be executed
   - May cause a symptom or damage (payload)
5. Virus Infection Process
   (Diagram: the infection methods shown are pre-pend, append, PE infector and overwrite; each ensures the virus executes before the original executable.)
6. Types of Viruses
   - Boot sector
     - Infects boot record on diskette or hard drive
     - Only spreads if booted from infected diskette
   - File infector
     - Infects program files or portable executables
   - Macro
     - Infects operating environment
   - Scripts
     - Similar to batch files
   - Multi-partite
     - Combinations of any of the types above

7. Virus - Example
   - W97M.Marker
     - Infects Word documents
     - Records a log of the infection including user name, mailing address, and date/time of the infection
     - Attempts to send the log file to an outside organization via the Internet

8. Worm - Defined
   - Self-contained
   - Does not require a host
   - Replicates from system to system
   - Infects systems, not files
   - Typically “network-aware”

9. Worm - Example
   - ExploreZip
     - Sends email with infected attachment
     - Infects local system – sets file size to 0
     - Attempts to infect mapped systems
     - Attempts to set file size to 0 on mapped systems
     - Attempts to infect remote systems with shared resources

10. Trojan horse - Defined
   - Deliberately does something unexpected
     - Steal passwords
     - Delete files
     - Open backdoors
     - Connect to external sites
   - Does not replicate

11. Trojan horse - Examples
   - NetBus and BackOrifice
     - Remote Administration Tools (RAT)
     - Usually sent inside a game, such as “checkers” or “whack a mole”
     - Allows a remote user to have control
   - Subseven
     - Arrives as a masqueraded file (with double extension)
     - Uses IRC to notify others of infection
     - Grants access to the system and can be used to launch DDoS

12. Joke Program - Defined
   - A type of Trojan horse
   - Does not replicate
   - Not intended to be malicious

13. Joke Program - Example
   - Wobbler
     - Causes victim’s screen display to “shake” as if experiencing an earthquake
     - Only stopped by hitting the <ESC> key
     - No data loss as a direct result

14. Hoax - Defined
   - Does not self-replicate
   - Messages only – false warnings
   - Spread rapidly
   - Cause no direct damage

15. Hoax - Example
   - VIRUS WARNING !!!!!!
   - If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in our address book so that this may be stopped.
   - And so it goes on...

16. Logic Bomb - Defined
   - Does not replicate
   - Portion of code that only activates based upon a pre-determined or programmed trigger
   - Typically causes some form of damage

17. Logic Bomb - Example
   - Software programmer creates a module that only executes when she no longer appears in payroll
   - Module is set to modify pay rates for management employees

18. Internet Threats
   - JAVA
     - Interpreted executable content
     - Interpreted at client computer
     - Sandbox model
       - Behavior can be restricted
   - ActiveX
     - Native executable content
     - No special restrictions
     - Can do anything that users can do
   - Hostile applets
     - Limited by accountability
     - System must be both a web server and browser for these to replicate

19. Exposures
   - Diskettes and other storage media
   - Shared files on servers
   - Web sites
   - Bulletin boards and downloaded files
   - Electronic mail messages and attachments
   - Newsgroups
   - Internet/network connections
20. Propagation Requirements
   - “Three basic things allow viruses to spread: sharing, programming, and changes. All we have to do is eliminate those three things and we will be perfectly free of viruses.”
     - Fred Cohen, Short Course on Computer Viruses, 2nd Edition

21. Propagation Requirements
   - Ability to receive information or programs
   - Ability to store and process at minimal levels
   - Ability to communicate with other computers
   - Ability to accept information communicated from others as programming commands with access to a minimum level of resources
22. Propagation
   - Malware can infect
     - Program files
     - Files that contain executable portions, such as macros
     - Diskettes and other storage media
     - Email message attachments
     - HTML-based email messages
   - Malware cannot infect
     - Hardware (though it can be malicious)
     - Text-based files or messages
     - Write-protected storage media
23. How Fast Do They Spread?

   Malware      Type                         Year   Time to #1
   Form         Boot sector                  1990   3 years
   Concept      Word macro                   1995   4 months
   Melissa      E-mail enabled Word macro    1999   4 days
   LoveLetter   E-mail enabled script        2000   5 hours
   NIMDA        E-mail enabled script        2001   22 minutes

   Source: ICSA/TruSecure
24. Concealment Techniques
   - Spoofing/Stealth
     - Trapping calls to the system and providing false replies
   - Encryption
     - Using some key to encrypt code
   - Polymorphism
     - Causes the virus to have a new look each time it is executed
     - Encryption is one form of polymorphism if the encryption key is different each time
     - Mutation engine
   - Social Engineering

25. Impact and Effects
   - Nuisance
   - Spoofing
   - Denial of Service
   - Overwriting and data diddling
   - Destruction
   - Psychological
   - “Netspionage”
     - Siphoning data
     - Exposing vulnerabilities

26. Impact and Effects (concluded)
   - Compromise or Loss of Data
   - Loss of Productivity
   - Denial of Service
   - Data Manipulation
   - Loss of Credibility
   - Loss of Revenue
   - Embarrassment

27. Incident Management Model
   - Preparation
     - Know threats, vulnerabilities, risks
     - Implement controls
     - Document written incident response procedures
     - Identify Response Team
     - Test procedures

28. Response Team Members
   - System and Network Admins
     - Email
     - Network
     - Firewalls
     - IDS
   - Security Staff
   - Management
   - Legal Counsel
   - Public Relations

29. Incident Management Model (continued)
   - Detection
     - Detect and identify incident (diagnosis)
     - Products and tools can be beneficial
     - Determine source and scope
   - Containment
     - Limit spread of incident
     - Downstream liability

30. Tools
   - Scanners
   - Integrity checkers
   - Heuristics
   - Sandboxes
   - Content Filters
   - Firewalls
   - Intrusion Detection
   - Routers
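Slide 30 lists integrity checkers among the detection tools. The Python below is an added example and is not part of the presentation: a minimal integrity checker that records a SHA-256 and size baseline for every file under a directory and later reports files that were modified, truncated to zero bytes (the ExploreZip effect on slide 9), added, or removed. A file infector that pre-pends, appends or overwrites (slide 5) changes the hash and usually the size, so the change is caught whether or not a scanner has a signature for it. The directory tree, file names and contents in the demo are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the presentation): a minimal file-integrity checker.
# A baseline of (sha256, size) per file is recorded on a known-clean system and
# later compared against a fresh snapshot; any change to a monitored file is
# reported, which is how integrity checkers catch file infectors without a signature.


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its hash and size."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            entries[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return entries


def save_baseline(entries: dict, baseline_file: Path) -> None:
    # Keep the baseline off the monitored tree (ideally on write-protected media,
    # which slide 22 notes malware cannot infect) so it cannot be altered with the files.
    baseline_file.write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the recorded baseline and the current snapshot."""
    report = {"modified": [], "truncated": [], "added": [], "removed": []}
    for rel, info in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old["sha256"] != info["sha256"]:
            report["modified"].append(rel)
            # A file that had content and is now empty matches the
            # "set file size to 0" behaviour described for ExploreZip.
            if info["size"] == 0 and old["size"] > 0:
                report["truncated"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "bin").mkdir(parents=True)
        (root / "docs").mkdir()
        # Constructed sample files; "MZ" only mimics an executable header for the demo.
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "docs" / "report.doc").write_bytes(b"constructed document body")
        (root / "docs" / "notes.txt").write_bytes(b"plain text notes")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Changes made after the baseline was taken:
        with (root / "bin" / "tool.exe").open("ab") as fh:
            fh.write(b"trailing bytes")                    # program file grew, hash changed
        (root / "docs" / "report.doc").write_bytes(b"")    # document truncated to zero bytes
        (root / "docs" / "new.doc").write_bytes(b"x")      # file that was not in the baseline
        (root / "docs" / "notes.txt").unlink()             # file removed

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:>9}: {', '.join(files) or '-'}")
```

Run as a script it prints the four categories for the constructed tree. In practice the baseline is taken right after a clean build and stored somewhere the monitored host cannot write, and the comparison is scheduled or run as part of the detection step on slide 29; a truncated or modified program file is the cue to move to containment.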
31. Techniques
   - Block addresses
   - Inbox/Outbox
   - Message Headers

32. Sample Message Header
   From: stranger <>
   To: bluminx
   Subject: Worm Klez.E immunity
   Date: Thu, 13 Jun 2002 09:39:56 -0400
   MIME-Version: 1.0
   Received: from [] by (3.2) with ESMTP id MHotMailBED1EBAB002B400431923F752C9606970; Thu, 13 Jun 2002 06:39:59 -0700
   Received: from Zkprhj [] by (SMTPD32-6.06) id A08E53F007E; Thu, 13 Jun 2002 09:39:26 -0400
   From [email_address] Thu, 13 Jun 2002 06:41:03 -0700
   Message-Id: <200206130939556.SM02700@Zkprhj>
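Slide 31 lists message headers as a technique and slide 32 shows the Received chain of a Klez-era message. The Python below is an added example, not part of the presentation: it parses such a header block, rebuilds the delivery path from the Received lines (each relay prepends its own line, so the last one is the originating hop) and records the indicators a responder would note in this message: a From line with no address, a Message-Id generated on the same host that opened the first SMTP session, and a Date header later than the first relay's timestamp. The header text inside is constructed after the slide's: the hostnames and the RFC 5737 documentation addresses are placeholders, since the slide's own values were not preserved.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr, parsedate_to_datetime

# Added example (not from the presentation). Constructed header block modelled on
# the slide's sample; hostnames and IP addresses are placeholders (RFC 5737 ranges).
SAMPLE_HEADER = """\
From: stranger <>
To: bluminx
Subject: Worm Klez.E immunity
Date: Thu, 13 Jun 2002 09:39:56 -0400
MIME-Version: 1.0
Received: from relay.example.net [192.0.2.10] by mx.example.com (3.2)
    with ESMTP id MHotMailBED1EBAB002B400431923F752C9606970;
    Thu, 13 Jun 2002 06:39:59 -0700
Received: from Zkprhj [198.51.100.7] by relay.example.net (SMTPD32-6.06)
    id A08E53F007E; Thu, 13 Jun 2002 09:39:26 -0400
Message-Id: <200206130939556.SM02700@Zkprhj>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\[(?P<ip>[^\]]*)\])?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    helo: str       # name the sending host announced in HELO/EHLO
    ip: str         # address the receiving MTA actually saw
    by: str         # MTA that added this Received line
    when: datetime  # timestamp that MTA recorded


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs, unfolding continuation lines."""
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, f"{value} {line.strip()}")
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
        # A line with no colon (such as an mbox "From " separator) is not a header.
    return headers


def parse_received(value: str) -> Hop | None:
    match = RECEIVED_RE.search(value)
    if not match:
        return None
    when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
    return Hop(match["helo"], match["ip"] or "", match["by"], when)


def trace(raw: str) -> dict:
    """Rebuild the delivery path and collect indicators worth noting for a suspect message."""
    headers = parse_headers(raw)
    single = {name.lower(): value for name, value in headers}  # non-repeating fields
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
    if not hops:
        raise ValueError("no parseable Received headers")
    hops.reverse()  # each MTA prepends its line, so the last Received line is the first hop
    origin = hops[0]

    sent = parsedate_to_datetime(single["date"]) if "date" in single else None
    msgid_match = re.search(r"@([^>\s]+)", single.get("message-id", ""))
    msgid_host = msgid_match.group(1) if msgid_match else ""
    _, from_addr = parseaddr(single.get("from", ""))

    return {
        "origin": {"helo": origin.helo, "ip": origin.ip, "relay": origin.by},
        "path": [f"{h.helo} [{h.ip}] -> {h.by}" for h in hops],
        "transit_seconds": int((hops[-1].when - hops[0].when).total_seconds()),
        # Indicators; each is a soft signal, not proof on its own.
        "from_has_no_address": from_addr == "",
        "message_id_host_matches_origin": msgid_host.lower() == origin.helo.lower(),
        "date_after_first_hop": bool(sent and sent > origin.when),
    }


if __name__ == "__main__":
    for key, value in trace(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Each flag is a soft signal: clocks drift between relays, and some mail clients generate Message-Ids locally too. What matters for containment is the origin hop, which identifies the machine that actually sent the message (here the host that announced itself as Zkprhj, with the address the first relay logged) rather than the From line, which in this sample carries no address at all.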
33. Incident Management Model (continued)
   - Eradication
     - Remove source of incident
     - Remove residual effects
   - Recovery
     - Restore system from back-up
     - Institute business continuity or disaster recovery plans if necessary

34. Incident Management Model (concluded)
   - Reporting and Analysis
     - Record metrics and lessons learned
     - Post-mortem analysis
     - Trend analysis
     - Process improvement

35. Demonstration
   - Virus Creation
   - Source Code Review
   - Mitigation

36. Summary
   - Malware comes from people you do know
   - Malware will continue to evolve
   - There is no 100% solution or panacea
   - Mitigation and Management require more than technology

37. Some Information Resources
   - Anti-virus vendors
   - NIPC and other CERTs
   - Virus Bulletin
   - The WildList Organization
   - Virus Hoax Web Site
   - European Institute for Computer Anti-Virus Research (EICAR)
   - Anti-Virus Information Exchange Network (AVIEN)
38. Additional Resources
   - “The Generic Virus Writer” and other papers by Sarah Gordon
   - Short Course on Computer Viruses, 2nd Edition, by Fred Cohen
   - “Free Macro Protection Techniques” by Chengi Jimmy Kuo, Network Associates
   - Computer Viruses Demystified
   - Viruses Revealed by Robert Slade, David Harley, et al.

39. End of Presentation
   - Questions?