Digital Immunity -The Myths and Reality


By Christine M. Orshesky


  1. Digital Immunity - The Myths and Reality. Cornell University, 27 June 2002. Christine M. Orshesky, CISSP, CQA
  2. Topics for Discussion
     - Malware
       - Threats and Techniques
       - Impact and Effects
     - Incident Management
       - Preparation
       - Detection and Containment
       - Eradication and Recovery
       - Reporting and Analysis
     - Demonstration
     - Summary
  3. What is Malware?
     - Any piece of hardware, software or firmware that is intentionally included or introduced into a computer system for unauthorized purposes, usually without the knowledge or consent of the user
     - Includes
       - Viruses
       - Trojan horse programs
       - Worms
       - Hoaxes
       - Logic bombs
       - Joke programs
  4. Virus - Defined
     - “… a program which makes a copy of itself in such a way as to ‘infect’ parts of the operating system and/or application programs.” (Survivor’s Guide to Computer Viruses, Virus Bulletin, 1993)
     - Replicates
       - file to file
       - system to system
       - disk to disk
     - Typically requires a “host”
     - Must be executed
     - May cause a symptom or damage (payload)
  5. Virus Infection Process (diagram): the virus ensures it executes before the original executable. Methods shown: pre-pend, append, PE infector, overwrite.
  6. Types of Viruses
     - Boot sector
       - Infects the boot record on a diskette or hard drive
       - Only spreads if the system is booted from an infected diskette
     - File infector
       - Infects program files or portable executables
     - Macro
       - Infects the operating environment
     - Scripts
       - Similar to batch files
     - Multi-partite
       - Combinations of any of the types above
  7. Virus - Example
     - W97M.Marker
       - Infects Word documents
       - Records a log of the infection including user name, mailing address, and date/time of the infection
       - Attempts to send the log file to an outside organization via the Internet
  8. Worm - Defined
     - Self-contained
     - Does not require a host
     - Replicates from system to system
     - Infects systems, not files
     - Typically “network-aware”
  9. Worm - Example
     - ExploreZip
       - Sends email with an infected attachment
       - Infects the local system and sets file sizes to 0
       - Attempts to infect mapped systems
       - Attempts to set file sizes to 0 on mapped systems
       - Attempts to infect remote systems with shared resources
  10. Trojan horse - Defined
     - Deliberately does something unexpected
       - Steals passwords
       - Deletes files
       - Opens backdoors
       - Connects to external sites
     - Does not replicate
  11. Trojan horse - Examples
     - NetBus and BackOrifice
       - Remote Administration Tools (RAT)
       - Usually sent inside a game, such as “checkers” or “whack a mole”
       - Allows a remote user to take control
     - Subseven
       - Arrives as a masqueraded file (with a double extension)
       - Uses IRC to notify others of the infection
       - Grants access to the system and can be used to launch DDoS
  12. Joke Program - Defined
     - A type of Trojan horse
     - Does not replicate
     - Not intended to be malicious
  13. Joke Program - Example
     - Wobbler
       - Causes the victim’s screen display to “shake” as if experiencing an earthquake
       - Only stopped by hitting the <ESC> key
       - No data loss as a direct result
  14. Hoax - Defined
     - Does not self-replicate
     - Messages only: false warnings
     - Spread rapidly
     - Cause no direct damage
  15. Hoax - Example
     - VIRUS WARNING !!!!!!
     - If you receive an email titled "WIN A HOLIDAY" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from Microsoft; please share it with everyone that might access the Internet. Once again, pass this along to EVERYONE in our address book so that this may be stopped.
     - And so it goes on...
  16. Logic Bomb - Defined
     - Does not replicate
     - A portion of code that only activates based upon a pre-determined or programmed trigger
     - Typically causes some form of damage
  17. Logic Bomb - Example
     - A software programmer creates a module that only executes when she no longer appears in payroll
     - The module is set to modify pay rates for management employees
  18. Internet Threats
     - JAVA
       - Interpreted executable content
       - Interpreted at the client computer
       - Sandbox model
         - Behavior can be restricted
     - ActiveX
       - Native executable content
       - No special restrictions
       - Can do anything that the user can do
     - Hostile applets
       - Limited by accountability
       - A system must be both a web server and a browser for these to replicate
  19. Exposures
     - Diskettes and other storage media
     - Shared files on servers
     - Web sites
     - Bulletin boards and downloaded files
     - Electronic mail messages and attachments
     - Newsgroups
     - Internet/network connections
  20. Propagation Requirements
     - “Three basic things allow viruses to spread: sharing, programming, and changes. All we have to do is eliminate those three things and we will be perfectly free of viruses.” (Fred Cohen, Short Course on Computer Viruses, 2nd Edition)
  21. Propagation Requirements
     - Ability to receive information or programs
     - Ability to store and process at minimal levels
     - Ability to communicate with other computers
     - Ability to accept information communicated from others as programming commands with access to a minimum level of resources
  22. Propagation
     - Malware can infect
       - Program files
       - Files that contain executable portions, such as macros
       - Diskettes and other storage media
       - Email message attachments
       - HTML-based email messages
     - Malware cannot infect
       - Hardware (though hardware itself can be malicious)
       - Text-based files or messages
       - Write-protected storage media
  23. How Fast Do They Spread? (Source: ICSA/TruSecure)
       Malware      Type                         Year   Time to #1
       Form         Boot sector                  1990   3 years
       Concept      Word macro                   1995   4 months
       Melissa      E-mail enabled Word macro    1999   4 days
       LoveLetter   E-mail enabled script        2000   5 hours
       NIMDA        E-mail enabled script        2001   22 minutes
  24. Concealment Techniques
     - Spoofing/Stealth
       - Trapping calls to the system and providing false replies
     - Encryption
       - Using some key to encrypt the code
     - Polymorphism
       - Causes the virus to have a new look each time it is executed
       - Encryption is one form of polymorphism if the encryption key is different each time
       - Mutation engine
     - Social Engineering
  25. Impact and Effects
     - Nuisance
     - Spoofing
     - Denial of Service
     - Overwriting and data diddling
     - Destruction
     - Psychological
     - “Netspionage”
       - Siphoning data
       - Exposing vulnerabilities
  26. Impact and Effects (concluded)
     - Compromise or Loss of Data
     - Loss of Productivity
     - Denial of Service
     - Data Manipulation
     - Loss of Credibility
     - Loss of Revenue
     - Embarrassment
  27. Incident Management Model
     - Preparation
       - Know threats, vulnerabilities, risks
       - Implement controls
       - Document written incident response procedures
       - Identify the Response Team
       - Test procedures
  28. Response Team Members
     - System and Network Admins
       - Email
       - Network
       - Firewalls
       - IDS
     - Security Staff
     - Management
     - Legal Counsel
     - Public Relations
  29. Incident Management Model (continued)
     - Detection
       - Detect and identify the incident (diagnosis)
       - Products and tools can be beneficial
       - Determine source and scope
     - Containment
       - Limit the spread of the incident
       - Downstream liability
  30. Tools
     - Scanners
     - Integrity checkers
     - Heuristics
     - Sandboxes
     - Content Filters
     - Firewalls
     - Intrusion Detection
     - Routers
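As an added illustration of the "integrity checkers" entry above (example code written for this page, not part of the presentation), the script below baselines every file's size and SHA-256 digest, then classifies each later change so that the infection methods from slide 5 (pre-pend, append, overwrite) and ExploreZip's size-to-0 truncation from slide 9 are told apart. The three sample files it creates in a temporary directory are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the slides): a minimal integrity checker, one of the
# "Tools" listed above. It baselines size and SHA-256 per file and classifies
# each change so prepend/append, overwrite and truncation stand out.

def snapshot(root):
    """Return {relative_posix_path: (size, sha256_hex)} for every file under root."""
    baseline = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        baseline[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline

def compare(baseline, current):
    """Classify every difference between two snapshots; unchanged files are omitted."""
    findings = {}
    for name, (size, digest) in current.items():
        if name not in baseline:
            findings[name] = "new file"
            continue
        old_size, old_digest = baseline[name]
        if digest == old_digest:
            continue  # hash matches: nothing to report
        if size == old_size:
            findings[name] = "same size, content changed (possible overwrite)"
        elif size == 0:
            findings[name] = "truncated to 0 bytes"
        else:
            kind = "possible prepend/append" if size > old_size else "shrank"
            findings[name] = "size %d -> %d bytes (%s)" % (old_size, size, kind)
    for name in baseline:
        if name not in current:
            findings[name] = "missing"
    return findings

def demo():
    """Constructed sample: baseline three files, then simulate three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "tool.exe").write_bytes(b"MZ" + b"\xcc" * 50)
        (root / "notes.txt").write_bytes(b"plain text")
        before = snapshot(root)
        (root / "app.exe").write_bytes(b"MZ" + b"\x90" * 100 + b"XXXXX")  # 5 bytes appended
        (root / "tool.exe").write_bytes(b"")                                # truncated, as ExploreZip did
        (root / "notes.txt").write_bytes(b"PLAIN TEXT")                     # same size, new content
        return compare(before, snapshot(root))
```

A real deployment keeps the baseline on write-protected media (slide 22) so the checker's own reference data cannot be altered by what it is meant to catch.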
  31. Techniques
     - Block addresses
     - Inbox/Outbox
     - Message Headers
  32. Sample Message Header (host names and addresses in brackets are blank on the slide)
       From: stranger <>
       To: bluminx
       Subject: Worm Klez.E immunity
       Date: Thu, 13 Jun 2002 09:39:56 -0400
       MIME-Version: 1.0
       Received: from [] by (3.2) with ESMTP id MHotMailBED1EBAB002B400431923F752C9606970; Thu, 13 Jun 2002 06:39:59 -0700
       Received: from Zkprhj [] by (SMTPD32-6.06) id A08E53F007E; Thu, 13 Jun 2002 09:39:26 -0400
       From [email_address] Thu, 13 Jun 2002 06:41:03 -0700
       Message-Id: <200206130939556.SM02700@Zkprhj>
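One way to apply the "Message Headers" technique to the sample above, as an added example that is not part of the presentation: the code walks the Received: chain oldest hop first, checks that each relay hands off to the next, and flags an empty sender address and a Message-Id whose host matches the first-hop host. The header fields come from the slide; the relay names (relay.example.net, mx.example.com) and 192.0.2.x addresses fill in the blanks the slide leaves and are assumptions.

```python
import re
from email import message_from_string

# Added example (not from the slides): walk the Received: chain of a message
# header as the "Message Headers" technique suggests. SAMPLE is constructed
# from the slide's header; the host names and 192.0.2.x addresses that the
# slide shows blank are placeholders (RFC 5737 documentation range).
SAMPLE = """\
From: stranger <>
To: bluminx
Subject: Worm Klez.E immunity
Date: Thu, 13 Jun 2002 09:39:56 -0400
MIME-Version: 1.0
Received: from relay.example.net [192.0.2.10] by mx.example.com (3.2) with ESMTP id MHotMailBED1EBAB002B400431923F752C9606970; Thu, 13 Jun 2002 06:39:59 -0700
Received: from Zkprhj [192.0.2.77] by relay.example.net (SMTPD32-6.06) id A08E53F007E; Thu, 13 Jun 2002 09:39:26 -0400
Message-Id: <200206130939556.SM02700@Zkprhj>

(body omitted)
"""

HOP = re.compile(r"from\s+(?P<host>\S+)\s+\[(?P<ip>[^\]]+)\]\s+by\s+(?P<by>\S+)", re.I)

def received_hops(raw):
    """Parse every Received: header into (from_host, ip, by_host), oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # servers prepend, so the last is oldest
        m = HOP.search(value)
        if m:
            hops.append((m["host"], m["ip"], m["by"]))
    return hops

def analyze(raw):
    """Return the originating hop plus findings worth an analyst's attention."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    addr = re.search(r"<([^>]*)>", msg.get("From", ""))
    if addr is not None and addr.group(1).strip() == "":
        findings.append("From: carries an empty address")
    mid_host = msg.get("Message-Id", "").rstrip(">").rsplit("@", 1)[-1]
    if hops and mid_host.lower() == hops[0][0].lower():
        findings.append("Message-Id host %s matches the first-hop host" % mid_host)
    for (host, _ip, by), (next_host, _, _) in zip(hops, hops[1:]):
        if by.lower() != next_host.lower():
            findings.append("chain break: %s handed to %s but next hop claims %s" % (host, by, next_host))
    return {"origin": hops[0] if hops else None, "findings": findings}
```

Only the Received: line added by your own mail server can be trusted; everything below it was supplied by the sender's side, so the "origin" is a lead to verify, not proof.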
  33. Incident Management Model (continued)
     - Eradication
       - Remove the source of the incident
       - Remove residual effects
     - Recovery
       - Restore the system from back-up
       - Institute business continuity or disaster recovery plans if necessary
  34. Incident Management Model (concluded)
     - Reporting and Analysis
       - Record metrics and lessons learned
       - Post-mortem analysis
       - Trend analysis
       - Process improvement
  35. Demonstration
     - Virus Creation
     - Source Code Review
     - Mitigation
  36. Summary
     - Malware comes from people you do know
     - Malware will continue to evolve
     - There is no 100% solution or panacea
     - Mitigation and management require more than technology
  37. Some Information Resources
     - Anti-virus vendors
     - NIPC and other CERTs
     - Virus Bulletin
     - The WildList Organization
     - Virus Hoax Web Site
     - European Institute for Computer Anti-Virus Research (EICAR)
     - Anti-Virus Information Exchange Network (AVIEN)
  38. Additional Resources
     - “The Generic Virus Writer” and other papers by Sarah Gordon
     - Short Course on Computer Viruses, 2nd Edition, by Fred Cohen
     - “Free Macro Protection Techniques” by Chengi Jimmy Kuo, Network Associates
     - Computer Viruses Demystified
     - Viruses Revealed by Robert Slade, David Harley, et al.
  39. End of Presentation
     - Questions?