2.
Summary
We have considered:
various malicious programs
trapdoor, logic bomb, trojan horse, zombie
viruses
worms
countermeasures
distributed denial of service attacks
3.
Viruses and Related Threats
Viruses
Computer viruses have received a lot of publicity
One of a family of malicious software
Malicious software is software that is intentionally included or inserted in a system for a harmful purpose
Effects are usually obvious
They have figured in news reports, fiction, movies
often exaggerated
getting more attention than they deserve
4.
Viruses and Related Threats
Malicious Programs
Dependent programs
They need host programs
They cannot exist independently of some actual application
E.g.: Viruses, Logic bomb, Backdoor
Independent programs
They can be scheduled and run by the OS
E.g.: Worm, Zombie
6.
Viruses and Related Threats
Backdoor or Trapdoor
A secret entry point in a program
It allows those who know of it to gain access, bypassing the usual security procedures
It has been commonly used by developers
A threat when left in production programs, where it can be exploited by attackers
It is very hard to block at the O/S level
Countering it requires good s/w development & update practices
7.
Viruses and Related Threats
Logic Bomb
One of the oldest types of malicious software
Code embedded in a legitimate program
It is activated when specified conditions are met
Examples of conditions:
presence/absence of some file
particular date/time
particular user
When triggered, it typically damages the system
E.g., modify/delete files/disks, halt machine, etc.
8.
Viruses and Related Threats
Trojan Horse
A program (or some part of a program) with hidden side-effects
A Trojan horse is usually attractive to run
E.g., freeware game, s/w upgrade, etc.
When run, it performs some additional tasks
allowing the attacker to indirectly gain access they do not have directly
E.g., destroy/modify data, …
It is often used to propagate a virus/worm or install a backdoor
9.
Viruses and Related Threats
Zombie
A program which secretly takes over another networked computer
Then, the attacker uses the zombies to indirectly launch attacks against the target host
=> Zombies are often used to launch distributed denial of service (DDoS) attacks
Zombie software exploits known flaws in networked systems
10.
Viruses and Related Threats
The Nature of Viruses
Virus: a piece of self-replicating code attached to some other code
Cf. biological virus
Both (biological/computer virus) carry a payload and propagate themselves
The payload contains code to make copies of itself as well as code to perform some covert task
11.
Viruses and Related Threats
Virus phases:
Dormant – waiting on a trigger event
Propagation – replicating to programs/disks
Triggering – activated by an event to execute the payload
Execution – performing the functions in the payload
The details of each phase are usually machine/OS specific, exploiting particular features/weaknesses
12.
Viruses and Related Threats
Virus Structure

  program V :=
  {goto main;
   1234567;
   subroutine infect-executable :=
    {loop:
     file := get-random-executable-file;
     if (first-line-of-file = 1234567)
       then goto loop
       else prepend V to file;}
   subroutine do-damage :=
    {whatever damage is to be done}
   subroutine trigger-pulled :=
    {return true if some condition holds}
   main: main-program :=
    {infect-executable;
     if trigger-pulled then do-damage;
     goto next;}
   next:
  }

- A simple virus (the first line, 1234567, is the marker by which V recognises a file it has already infected)
- This virus is easily detected because an infected version of a program is longer than the corresponding uninfected one
13.
Viruses and Related Threats
Logic of Compression Virus

  program CV :=
  {goto main;
   01234567;
   subroutine infect-executable :=
    {loop:
     file := get-random-executable-file;
     if (first-line-of-file = 01234567) then goto loop;
     (1) compress file;
     (2) prepend CV to file;
    }
   main: main-program :=
    {infect-executable;
     (3) uncompress rest-of-file;
     (4) run uncompressed file;
     goto next;}
   next:
  }

- A compression virus: a way to thwart the length-based means of detecting a simple virus is to compress the executable file so that both the infected and uninfected versions are of identical length.
- Running steps of a compressed file P1' that contains the virus code:
  1. For each uninfected file P2, the virus first compresses P2 to produce P2'.
  2. The virus code is prepended to P2'.
  3. P1' is uncompressed to P1.
  4. P1 is executed.
15.
Viruses and Related Threats
Types of Viruses
We can classify viruses on the basis of how they attack
Parasitic virus
It attaches itself to executable files and replicates.
Memory-resident virus
Lodges in main memory as part of a resident system program.
Boot sector virus
Infects a master boot record or boot record.
Stealth virus
A form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic virus
A virus that mutates with every infection.
16.
Viruses and Related Threats
Macro Virus
Macro code can be attached to some data file, where it is interpreted by the program that uses the file
E.g., Word/Excel macros
Esp. using auto-executing macros & command macros
Macro code is now platform independent
Macro viruses are a major source of new viral infections
They blur the distinction between data and program files
Classic trade-off: "ease of use" vs "security"
Successive releases of Word have provided increased protection, and today the macro virus is no longer the dominant virus threat
17.
Viruses and Related Threats
Email Virus
Email viruses are spread using email with an attachment containing a macro virus
cf. Melissa
They are triggered when the user opens the attachment, or worse, even when the mail is merely viewed, by using scripting features in the mail agent
=> hence they propagate very quickly
Usually targeted at the Microsoft Outlook mail agent & Word/Excel documents
We need better O/S & application security
18.
Viruses and Related Threats
Worms
Originally, worms were self-replicating programs, but not infecting ones.
Typically, they spread over a network
E.g., the Morris Internet Worm in 1988, which led to the creation of CERTs
Worms propagate by using users' distributed privileges or by exploiting system vulnerabilities
Recently, worms have been widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS (Denial-of-Service) attacks.
The major issue is the lack of security of permanently connected systems, esp. PCs
19.
Viruses and Related Threats
A worm exhibits the same characteristics as a computer virus
The propagation phase performs the following functions:
Search for other systems to infect by examining host tables
Establish a connection with a remote system.
Copy itself to the remote system and cause the copy to be run.
It may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator.
20.
Viruses and Related Threats
Morris Worm
best known classic worm
released by Robert Morris in 1988
targeted Unix systems
using several propagation techniques
simple password cracking of the local pw file
exploit of a bug in the finger daemon
exploit of the debug trapdoor in the sendmail daemon
if any attack succeeded, it replicated itself
21.
Viruses and Related Threats
Recent Worm Attacks
A new spate of attacks from mid-2001
Code Red - used an MS IIS bug
probes random IPs for systems running IIS
had a trigger time for a denial-of-service attack
2nd wave infected 360000 servers in 14 hours
Code Red 2 - installed a backdoor
Nimda - multiple infection mechanisms
SQL Slammer - attacked MS SQL Server
Sobig.f - attacked open proxy servers
Mydoom - mass email worm + backdoor
22.
Viruses and Related Threats
State of Worm Technology
multiplatform
multiexploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles
zero-day exploit
23.
Virus Countermeasures
The best countermeasure is prevention
However, in general this is not possible
Hence, we need to do one or more of:
Detection - of viruses in infected system
Identification - of specific infecting virus
Removal - restoring system to clean state
24.
Virus Countermeasures
Anti-Virus Approaches
first-generation
scanner uses virus signature to identify virus
or change in length of programs
second-generation
uses heuristic rules to spot viral infection
or uses crypto hash of program to spot changes
third-generation
memory-resident programs identify virus by actions
fourth-generation
packages with a variety of antivirus techniques
e.g. scanning & activity traps, access controls
arms race continues
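As an added example (not from the slides), the first- and second-generation checks above applied to the two viruses of slides 12 and 13: a signature/length scanner catches the simple virus V by its marker and by the growth of the file, but only the cryptographic hash catches a length-preserving, compression-virus-style modification. The file names, the byte form of the marker and the file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed signature: the marker the simple virus V on slide 12 writes as
# the first line of every file it infects (hypothetical byte encoding).
VIRUS_SIGNATURE = b"1234567\n"

def file_digest(path):
    """(length, sha256): the first-generation length check and the
    second-generation cryptographic hash, computed in one pass."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()

def build_baseline(paths):
    """Record length and hash of each executable while it is known clean."""
    return {p: file_digest(p) for p in paths}

def scan(paths, baseline):
    """Return {basename: [findings]} for every file that trips a check."""
    report = {}
    for p in paths:
        findings = []
        with open(p, "rb") as f:
            if f.read(len(VIRUS_SIGNATURE)) == VIRUS_SIGNATURE:
                findings.append("signature")        # first generation
        size, digest = file_digest(p)
        old_size, old_digest = baseline.get(p, (None, None))
        if old_size is not None and size != old_size:
            findings.append("length-changed")       # first generation
        if old_digest is not None and digest != old_digest:
            findings.append("hash-changed")         # second generation
        if findings:
            report[Path(p).name] = findings
    return report

def demo():
    """Constructed scenario: baseline two clean 'executables', then prepend
    the marker to a.exe (simple virus) and rewrite b.exe at identical length
    (what a compression virus achieves); only the hash catches b.exe."""
    d = Path(tempfile.mkdtemp())
    a, b = d / "a.exe", d / "b.exe"
    a.write_bytes(b"MZ" + b"A" * 30)
    b.write_bytes(b"MZ" + b"B" * 30)
    baseline = build_baseline([a, b])
    a.write_bytes(VIRUS_SIGNATURE + b"MZ" + b"A" * 30)
    b.write_bytes(b"MZ" + b"C" * 30)
    return scan([a, b], baseline)
```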
25.
Virus Countermeasures
Advanced Anti-Virus Techniques
Generic decryption
It uses a CPU simulator to check a program's signature & behavior before actually running it
It starts the simulator to simulate the file's execution
Note that every polymorphic virus must decrypt itself to activate.
By periodically scanning the simulated memory, the decrypted virus code can be detected.
26.
Virus Countermeasures
Digital Immune System
It is a comprehensive approach to virus protection developed by IBM
The objective of this system is to provide a rapid response time so that viruses can be stamped out almost as soon as they are introduced
It uses general-purpose emulation & virus detection
Any virus entering the organization is captured and analyzed, detection/shielding is created for it, and it is removed
28.
Virus Countermeasures
Behavior-Blocking Software
integrated with the host O/S
monitors program behavior in real time
E.g., file access, disk format, executable modifications, system settings changes, network access
If possibly malicious actions are detected, it can block them, terminate the program, or seek the user's OK
Behavior-blocking s/w has an advantage over scanners
But, the malicious code runs before detection
29.
Distributed Denial of Service Attacks (DDoS)
Denial of Service (DoS) attacks
An attempt to make a computer resource unavailable to its intended users.
Typically, the targets are high-profile web servers, where the attack aims to make the hosted web pages unavailable on the Internet.
Distributed Denial of Service (DDoS) attacks
DDoS attacks form a significant security threat: they make networked systems unavailable by flooding them with useless traffic
They use large numbers of "zombies"
They are a category of attack of growing sophistication
Defense technologies are struggling to cope
30.
Distributed Denial of Service Attacks (DDoS)
31.
Distributed Denial of Service Attacks (DDoS)
Constructing the DDoS Attack Network
The attacker must infect a large number of zombies
Requirements:
1. Software to implement the DDoS attack
2. An unpatched vulnerability on many systems
3. A scanning strategy to find vulnerable systems
random, hit-list, topological, local subnet
32.
Distributed Denial of Service Attacks (DDoS)
DDoS Countermeasures
Three broad lines of defense:
1. Attack prevention & preemption (before)
2. Attack detection & filtering (during)
3. Attack source traceback & identification (after)
There is a huge range of attack possibilities
Hence, DDoS countermeasures must evolve with the threat
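An added example, not part of the slides, of the second line of defense (attack detection during the attack): a rate detector over a constructed access log that alerts on the aggregate request rate and classifies the flood as DoS or DDoS. It also shows why per-source filtering struggles against DDoS, since each zombie's rate matches a legitimate client's. The log format, the addresses and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

def make_sample_log():
    """Constructed access log, one 'epoch-second source-ip request' line per
    hit. Three legitimate clients send 1 request/s for 20 s; from t=10 forty
    zombies (192.0.2.0/24, constructed) each add 1 request/s, so the flood
    is visible only in the aggregate, never per source."""
    lines = []
    for t in range(20):
        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            lines.append(f"{t} {ip} GET /index.html")
        if t >= 10:
            for i in range(40):
                lines.append(f"{t} 192.0.2.{i} GET /index.html")
    return lines

def detect_floods(lines, window=5, baseline_rps=3.0, factor=5.0):
    """Slide a window of `window` seconds over the log and alert when the
    aggregate request rate exceeds factor * baseline_rps. Each alert is
    (window_start, aggregate_rps, kind, n_sources, max_source_rps), where
    kind is 'DoS' if one source carries at least half the traffic and
    'DDoS' otherwise (traffic spread across many zombies)."""
    per_second = defaultdict(Counter)
    for line in lines:
        t, ip, _ = line.split(" ", 2)
        per_second[int(t)][ip] += 1
    alerts = []
    first, last = min(per_second), max(per_second)
    for start in range(first, last + 1, window):
        counts = Counter()
        for t in range(start, start + window):
            counts.update(per_second.get(t, {}))
        total = sum(counts.values())
        if total / window <= factor * baseline_rps:
            continue
        top = counts.most_common(1)[0][1]
        kind = "DoS" if top / total >= 0.5 else "DDoS"
        # max_source_rps equal to a normal client's rate is the DDoS signature:
        # a per-source threshold would pass every zombie through.
        alerts.append((start, total / window, kind, len(counts), top / window))
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(make_sample_log()):
        print(alert)
```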