Скачать презентацию Unix The world s first computer virus title Скачать презентацию Unix The world s first computer virus title

7f449fd88c9e17c867fdd0d8cac6adc1.ppt

  • Количество слайдов: 118

“Unix. The world's first computer virus. ” title of Chapter 1 of ‘The Unix “Unix. The world's first computer virus. ” title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious computer scientists ISBN: 1 -56884 -203 -1 1

Classification of Threats may exploit weaknesses in 1. operating systems (W 32, W 95, Classification of Threats may exploit weaknesses in 1. operating systems (W 32, W 95, Linux, etc), 2. applications they infect (W 97 M, Word. Pro, X 97 M, etc) 3. languages (HTML; Scripting languages like VBS, JS; etc). Delivery of malicious codes to a user’s machine: 1. the most popular early methods of passing viruses by floppy disk. 2. Internet borne worms, that require no human intervention, once started. 2

Malware, security tools and toolkits: • Malware : any piece of malicious software. • Malware, security tools and toolkits: • Malware : any piece of malicious software. • Security tools and toolkits : • designed to be used by security professionals to protect their systems, networks and web-sites; • may also be used by unauthorized individuals to probe for weaknesses. The purposes, not the approach, makes a program malicious. • Many of the programs, that may be called malware, have benevolent uses also. 3

Benevolent Uses: • • Worms can be used to distribute computation on idle processors; Benevolent Uses: • • Worms can be used to distribute computation on idle processors; Trap doors/ back doors are useful for debugging programs; A trapdoor: a code that recognizes some special (unlikely) sequence of inputs or is triggered by being run from a special ID. Some programs require special privileges and authentication to access it. Or they may require long setup (providing many initial values of variables) and authentication. …………. . continued on the next slide 4

Benevolent Uses of Trap doors and Viruses: While debugging one may want to be Benevolent Uses of Trap doors and Viruses: While debugging one may want to be able to open the program without going through these procedures. A trapdoor allows one to activate the program even if something be wrong with the authentication procedure. • Viruses can be written to update source code and patch bugs. 5

A Normal Utility: Rootkit …. 1 n ROOTKIT: uses two words- A Normal Utility: Rootkit …. 1 n ROOTKIT: uses two words- "root" and "kit". n n Root: refers to the "Administrator" account on Unix and Linux systems; kit: a set of programs or utilities that allow someone to maintain root-level access to a computer. Additionally the presence of the rootkit should be undetectable. NORMAL USES of Rootkits ( known to exist since 1989 or earlier): For allowing maintenance of command control over a computer system, without the computer system user knowing about it. This requires the capability n n of executing files and changing system configurations on the target machine, of accessing log files or monitoring activity on the user's 6 computer usage.

A Normal Utility: Rootkit …. 2 n Legitimate users of rootkits: Administrators of n A Normal Utility: Rootkit …. 2 n Legitimate users of rootkits: Administrators of n Rootkit products: Spectorsoft’s two products: large networked systems, law enforcement agents or parents or employers wishing to retain remote command control and/or the ability to monitor activity on their employee's / children's computer systems. e. Blaster and Spector Pro, allow for such monitoring. LARGE SCALE ABNORMAL USE: In Dec 2004, hackers started using Rootkits against Windows systems. n Reference for slides 6 and 7: Tom Bradley, “What Is A Rootkit? “, http: //netsecurity. about. com/od/frequentlyaskedquestions/f/faq_rootkit. htm, as of 2 nd December 2007 7

Rootkit: A Hacker’s Tool n A rootkit: a collection of tools (programs) that enable Rootkit: A Hacker’s Tool n A rootkit: a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker first obtains user-level access, either by exploiting a known vulnerability or cracking a password. Then he installs the rootkit. n A rootkit has tools for: n n n logging keystrokes, monitoring packets on the network to gain information ………continued 8

Tools in a Rootkit n n n Collecting usernames and passwords Obtaining multiple methods Tools in a Rootkit n n n Collecting usernames and passwords Obtaining multiple methods of backdoor entry, using different ports and protocols Gaining root or privileged access to the computer and other machines on the network – Thus if the first intrusion is detected, the hacker has other methods of intrusion in to the machine and the network. altering system log files and administrative tools to prevent detection for hiding the files and processes that the intruder may place on the system and for hiding port and protocol connections. ………continued 9

Tentacles of a Rootkit using the machine to launch attacks on other machines CLEANING Tentacles of a Rootkit using the machine to launch attacks on other machines CLEANING A MACHINE with a Rootkit: Difficult since the extent of infiltration in the machine and the network may not be known n n References: 1. Tom Bradley, “Rootkits”, http: //netsecurity. about. com/od/secureyourwindowspc/a/rootkit s. htm, as of 2 nd December 2007 2. “What is a rootkit? ” – a definition from Whatis. com, http: //searchsecurity. techtarget. com/s. Definition/0, , sid 14_gci 547279, 00. html , as of 2 nd December 2007 10

Classification of Malicious programs: First Method Malicious programs Need Host programs Trap doors Logic Classification of Malicious programs: First Method Malicious programs Need Host programs Trap doors Logic Bombs Trojan Horse Viruses Independent Zombie Worms Bacteria A Logic Bomb or a Trojan Horse may be part of a Virus or Worm. 11

Classification of malicious programs: • Programs that do not replicate: consist of fragments of Classification of malicious programs: • Programs that do not replicate: consist of fragments of programs that are activated, • • • when the host program is invoked or when in the host program, a specific function is performed. Programs that replicate: consist of • a program fragment (Example : Viruses) Or • an independent program (Example: Worm or bacterium) that, when executed, may produce one or more copies of itself on the same system or some other system. 12

Classification of Malicious Program: The Second Method Malicious Programs Those that won’t replicate Those Classification of Malicious Program: The Second Method Malicious Programs Those that won’t replicate Those that replicate themselves Trap Doors Logic Bombs Trojan Horses Viruses Zombie Worms Bacteria *Ref: Fig 19. 1 pp. 599, Stallings [2003] 13

Malicious Software Malicious software: runs under the user’s authority (without his knowledge and permission); Malicious Software Malicious software: runs under the user’s authority (without his knowledge and permission); hence can do all that a user can himself do. TYPES: Back doors/ trap doors : allow unauthorized access to your system. • Logic bombs: programmed threats that lie dormant for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained. 14

Triggers for logic Bombs: Logic bombs: usually embedded in programs by software developers who Triggers for logic Bombs: Logic bombs: usually embedded in programs by software developers who have legitimate access to the system. n Triggers for Logic Bombs: • Presence or absence of certain files. • Particular day of the week or data. • Particular user running the application 15

Trojan horses: • Trojan horses: programs that appear to have one function but actually Trojan horses: • Trojan horses: programs that appear to have one function but actually perform another function. • The modern – day Trojan horses resemble a program that the user wishes to run – a game, a spreadsheet, or an editor. • While the program appears to be doing what the user wants, it is also doing something else unrelated to its advertised purpose, and without the user’s knowledge. 16

Examples of Trojan horse attacks: 1. A compiler was modified to insert additional code Examples of Trojan horse attacks: 1. A compiler was modified to insert additional code into certain programs as these are compiled. The code creates a trapdoor in the login program that permits the author to log on to the system using a special word. Difficult to discover, by reading the source code of the program. Ref : THOM 84 from Stallings[2003] 17

Examples of Trojan horse attacks (continued) Attach a (secret) program -- to the regular Examples of Trojan horse attacks (continued) Attach a (secret) program -- to the regular program for listing the user’s files in a particular format. The attached program may change the file permissions to make them readable by any user. After the program is executed, any one can read the files. 2. 18

Viruses: • Viruses: “programs” that modify other programs on a computer, inserting copies of Viruses: • Viruses: “programs” that modify other programs on a computer, inserting copies of themselves. Viruses: * not distinct programs *need to have some host program, (of which they are a part), executed to activate them *executes secretly, when the host program is run. A typical virus: takes control of the Operating System. Whenever it comes in contact with any uninfected piece of software, a fresh copy of the virus is attached to the new program. Reference: A malicious program was called a Virus by Cohen F. , ’Computer Viruses’, Computer Security: A Global Challenge, Elsevier Press, 1984, p 143 -158 19

Worms: • Worms: programs that propagate from computer to computer on a network, without Worms: • Worms: programs that propagate from computer to computer on a network, without necessarily modifying other programs on the target machines. • Worms • can run independently; • travel from machine to machine across network connections; • may have portions of themselves running on many different machines. • Worms do not change other programs, although they may carry other code that does (for example, a true virus or a Trojan horse may be implanted by a worm). 20

Worms (continued) • 1. 2. 3. n To replicate itself, a worm uses some Worms (continued) • 1. 2. 3. n To replicate itself, a worm uses some network vehicle. Examples: Electronic mail: A worm may mail a copy of itself to another system. Remote execution capability: A worm may execute a copy of itself on another system. Remote log-in capability: A worm logs on another system as a user and then uses commands to copy itself to the remote system. A Worm may determine whether a host has been infected before copying itself. 21

Worms (continued) n n In a multiprogramming system, a worm may hide itself by Worms (continued) n n In a multiprogramming system, a worm may hide itself by naming itself as a system process. It may examine the routing tables to locate the addresses of remote machines, to which it may connect, without any information to the owner of the local host. Examples of Worms: Morris 1998 for unix systems, Code Red, Code Red II, NIMDA, W 32/Netsky. P. worm, My. Doom. A, Sober. I worm, Sobiq. E worm, Bagle. BC worm 22

A Rootkit: Not a Virus or a Worm n n n A rootkit modifies A Rootkit: Not a Virus or a Worm n n n A rootkit modifies the flow of the operating system or changes the data set, which the operating system uses. A virus is designed to damage a system. A worm scans for vulnerabilities and spreads to other computers on the network. But a rootkit may stay hidden and maintain its functionality, without damaging a system for a long time. 23 A rootkit may be classified as a Trojan.

Phases of a virus and a worm: • 1. A worm as well as Phases of a virus and a worm: • 1. A worm as well as a virus have the following phases: Dormant phase: This phase lasts till the worm/virus is activated • on some Date, or • by presence of some file or program, or • some action like the data on disc exceeding certain limit. Some viruses may not have this stage. 24

Phases of a virus and a worm (continued) 2. Propagation phase: Both a worm Phases of a virus and a worm (continued) 2. Propagation phase: Both a worm and a virus check whether the file/system is already infected. If not, they do the job. 3. Triggering phase: may be caused by some system event. 4. Execution phase: Performs a function Benign function: like showing a message on screen. • Non-benign: to damage/destroy certain files. Viruses are designed to take advantage of the weaknesses of the OS and/or a hardware platform. • 25

Spreading Malware via the Internet Trojan Horse vs Virus: • Whereas a Trojan horse Spreading Malware via the Internet Trojan Horse vs Virus: • Whereas a Trojan horse is delivered pre-built, a virus infects. Propagation of Virus: OLD DAYS: through tapes and disks the spread of a virus around the world took many months. TODAY: Trojan horses, and viruses are network deliverable as *E-mail, *java applets, *Active. X controls, *java. Scripted pages, *CGI-BIN scripts, or as *self-extracting packages. DELIVERED: as a part of a game or a useful utility, copied from some electronic bulletin board 26

Mobile program Systems Examples: Javascript and Active. X. became popular with Web servers and Mobile program Systems Examples: Javascript and Active. X. became popular with Web servers and browsers, but are now integrated (e, g, Java into Lotus Notes, and Active. X into Outlook) with mail systems. • Security Bugs in both Java and Active. X A mobile program may act as the carrier of a virus. • Any mechanism for sharing of files – of programs, data, documents or images – can transfer a virus • 27

Structure of Viruses: In the infected binary, at a known byte location in the Structure of Viruses: In the infected binary, at a known byte location in the file, a virus inserts a signature byte, used to determine if a potential carrier program has been previously infected. • On invoking an infected program, it first transfers control to the virus part. • The virus part infects uninfected executable files. • Secondly it may damage the system in some way. Or like a logic bomb, the damaging action may take place in response to some trigger. • Finally it transfers control to the original program. Usually the first two steps may take so little time, that one may fail to notice any difference. • 28

Normal. COM vs. Infected. COM 29 Normal. COM vs. Infected. COM 29

Structure of a virus program: V() { infect. Executable(); If (triggered()){ Do Damage(); } Structure of a virus program: V() { infect. Executable(); If (triggered()){ Do Damage(); } Jump to main of infected program; } ……………. 30

Structure of a virus program (continued): Void infect. Executable() { file = choose an Structure of a virus program (continued): Void infect. Executable() { file = choose an uninfected executable file; Prepend V to file; } Void do. Damage(){ ……. } int triggered(){ Return (some test? 1: 0); } 31

Types of Viruses: Types of viruses: 1. Parasitic Virus: It attaches itself to executable Types of Viruses: Types of viruses: 1. Parasitic Virus: It attaches itself to executable files and replicates, when the infected program is executed, by finding other files to infect. 2. Memory – resident virus: stays in main memory as a part of a system program. Then it infects every program that executes. (Like Terminate and Stay Resident – TSR- programs ) n 32

Types of viruses (continued) Boot sector virus: It infects a boot record and spreads Types of viruses (continued) Boot sector virus: It infects a boot record and spreads when a system is booted from the disk containing the virus. Boot sector contains crucial files. Hence it is made 3. invisible by the OS. boot-sector virus files will not show up in a normal listing of files. Polymorphic virus: Creates copies that are functionally equivalent but have distinctly different bit patterns. Thus signature of each copy will vary and a virus scanner will find it difficult to locate it. 33 4.

Methods used by Polymorphic Viruses for variation in signature Random insertion of superfluous instructions Methods used by Polymorphic Viruses for variation in signature Random insertion of superfluous instructions n To interchange the order of independent instructions n Use of encryption: The virus has a mutation engine which generates a random key and then the engine is altered; the key is stored with the rest of the virus, which is encrypted. When this virus infects another host, the altered mutation engine would generate a different key. Thus every host would carry a different signature for the virus. 34 n

The Stealth Virus There are two other types: The Stealth virus and the Macro The Stealth Virus There are two other types: The Stealth virus and the Macro virus. A stealth virus has code in it that n n • seeks to conceal itself from discovery or defends itself against attempts to analyze or remove it. The stealth virus adds itself to a file or boot sector but, when you examine, it appears normal and unchanged. 35

Methods used by Stealth Virus The stealth virus performs this trickery by staying in Methods used by Stealth Virus The stealth virus performs this trickery by staying in memory after it is executed. From, there, it monitors and intercepts your system calls. When the system seeks to open an infected file, the stealth virus displays the uninfected version, thus hiding itself. n The four types of viruses, discussed in slides 32 and 33, make an infected file longer than it was, making it easy to spot. There are many techniques to leave the file length and even a check sum unchanged and yet infect. n 36

Stealth technique: Keeping the file length unchanged • • For example, many executable files Stealth technique: Keeping the file length unchanged • • For example, many executable files often contain long sequences of zero bytes, which can be replaced by the virus and re-generated. It is also possible to compress the original executable code like the typical Zip programs do, and uncompress before execution and pad with bytes so that the check sum comes out to be what it was. 37

Macros: • • • Macro languages are (often) equal in power to ordinary programming Macros: • • • Macro languages are (often) equal in power to ordinary programming languages such as C. A program written in a macro language is interpreted by the application. Macro languages are conceptually no different from so-called scripting languages. • • • Microsoft applications use Visual Basic script as macro languages. Gnu Emacs (Reference: http: //www. gnu. org/software/emacs/) uses a dialect of Lisp The typical use of a macro in applications, such as MS Word, is to extend the features of the 38 application.

Macros (continued) • • Can be used to define a sequence of key-strokes in Macros (continued) • • Can be used to define a sequence of key-strokes in a macro and to set it up so that when a function key is input, the whole of the sequence is invoked. Some of these macros, know as auto-execute macros, are executed in response to some events, such as…. . • • • closing a file, opening a file, starting an application, invoking a command such as ‘File. Save’ or pressing a certain key. 39

Auto-executing Macros in WORD Three types of auto-executing Macros: 1. Start-up Auto-execute: executed when Auto-executing Macros in WORD Three types of auto-executing Macros: 1. Start-up Auto-execute: executed when WORD is started. 2. Automacro: executes when some event like opening/closing a document, creating a new document, quitting WORD 3. Command: executes when a WORD command, like File. Save) is executed. MS has developed a Macro Virus Protection Tool. It detects suspicious files and alerts the user to the risk of opening them. 40

Macro Viruses • Macro Viruses form a large majority of the total number of Macro Viruses • Macro Viruses form a large majority of the total number of viruses today. A macro virus is a piece of self-replicating code inserted into an auto-execute macro. • Once a macro is running, the virus copies itself to other documents. • Another type of hazardous macro is one named for an existing command of an application. 41

Macro Viruses (continued) • • Example: If a macro named File. Save exists in Macro Viruses (continued) • • Example: If a macro named File. Save exists in the “normal. dot” template of MS Word, that macro is executed whenever you choose the Save command on the File menu. Unfortunately, there is often no way to disable such features. Such macro viruses may be carried in the command part of a text file, a database, a slide presentation or a spreadsheet. The user sees only the data part – and not the command part. So he would not be able to see the malicious code. Ref: For Loveletter virus for OUTLOOK (May 2000) http: //all. net/journal/cohen 0504 -2. htm 42

Spread of Macro Viruses spread fast because • Macro viruses may be platform independent Spread of Macro Viruses spread fast because • Macro viruses may be platform independent in that any hardware/software platform that supports the particular application can be infected. • Macro viruses affect documents and not executable portions of code. • Spread easily – by e-mail. Ex: A virus, called Melissa, used a micro, embedded in a WORD document attached to an e-mail. …………. 43

Melissa On opening the WORD attachment of e-mail, • it damages the local machine Melissa On opening the WORD attachment of e-mail, • it damages the local machine and • it sends itself to all the addresses in the e-mail address book. In 1999, new e-mail viruses appeared. These would be able to infect, as soon as one opens the carrier e-mail, and not by opening an attachment 44

Unix/Linux Viruses: • • The most famous of the security incidents in the last Unix/Linux Viruses: • • The most famous of the security incidents in the last decade was the internet Worm incident which began from a Unix system. Several Linux viruses have been discovered. The Staog virus first appeared in 1996 and was written in assembly language by the VLAD virus writing group, the same group responsible for creating the first Windows 95 virus called Boza. Like the Boza virus, the Staog virus is a proof-ofconcept virus to demonstrate the potential of Linux virus writing without actually causing any real damage. 45

Unix/Linux Viruses (continued) • • The second known Linux virus is called the Bliss Unix/Linux Viruses (continued) • • The second known Linux virus is called the Bliss virus. Unlike the Staog virus, the Bliss virus can not only spread in the wild, but also possesses a potentially dangerous payload that could wipe out data. 46

Zombie: A program that takes over a computer, without any authorization and without informing Zombie: A program that takes over a computer, without any authorization and without informing the owner of the system. The program originates from some other host. It then uses the computer, that has been taken over, for attacking a victim. Objectives: To hide the originator of the attack To attack the victim through a large number of zombie computers (as in a DDo. S attack) n 47

Bacteria or rabbit • Bacteria, or rabbit program, replicates without bound to overwhelm a Bacteria or rabbit • Bacteria, or rabbit program, replicates without bound to overwhelm a computer system’s resources. • Bacteria do not explicitly damage any files. Their sole purpose is to replicate themselves. • A typical bacteria program may do nothing more than execute two copies of itself simultaneously on multiprogramming systems, or perhaps create two new files, each of which is a copy of the original source file of the bacteria program. 48

Bacteria continued: • Both of those programs then may copy themselves twice, and so Bacteria continued: • Both of those programs then may copy themselves twice, and so on. Bacteria reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources. 49

Dropper: • A dropper: a program that is not a virus, nor is it Dropper: • A dropper: a program that is not a virus, nor is it infected with a virus, but when the program is run, it installs a virus into memory, on to the disk, or into a file. • Droppers have been written sometimes as a convenient carrier for a virus, and sometimes as an act of sabotage. • Some anti-virus programs try to detect droppers. 50

Virus Detection: “Virus” is used, (in the following slides-for - detection-and-removal of viruses, ) Virus Detection: “Virus” is used, (in the following slides-for - detection-and-removal of viruses, ) to stand for all types of malicious programs. • • Virus detection programs analyze a suspect program for the presence of known viruses. Fred Cohen has proven mathematically: that perfect detection of unknown viruses is impossible: no program can look at other program and say either “a virus is present” or “no virus is present”, and always be correct. 51

Virus Detection (continued): Most new viruses are sufficiently like old viruses: the scanning for Virus Detection (continued): Most new viruses are sufficiently like old viruses: the scanning for old viruses may find the new ones. • There a large number of heuristic tricks that anti-virus programs use to detect new viruses, based either on how they look, or what they do. • Since brand-new viruses are comparatively rare, these methods may suffice. After detection of a virus, its identification and removal is required. • 52

‘generations’ of virus scanners n The first generation of virus scanners: n n n ‘generations’ of virus scanners n The first generation of virus scanners: n n n obtain a virus signature, a bit pattern, to detect a known virus. record and check the length of all executables. The second generation of virus scanners n n n scan executables with heuristic rules, looking for fragments of code associated with a typical virus. do integrity checking by calculating a checksum of a program and storing somewhere else the encrypted checksum. OR A better method is storing a hash function rather than a checksum. The encryption key is stored at a separate place. 53

‘generations’ of virus scanners (continued) The third generation of virus scanners: use a n ‘generations’ of virus scanners (continued) The third generation of virus scanners: use a n memory resident program to monitor the execution behavior of programs to identify a virus by the types of action that the virus takes. The fourth generation of virus scanners: combines all the previous approaches and includes access control capabilities so that system penetration and access to files may be denied. 54

Advanced Anti virus Techniques 1) Generic Decryption (GD) Technology It uses the following components Advanced Anti virus Techniques 1) Generic Decryption (GD) Technology It uses the following components : a) CPU Emulator: Consisting of a virtual computer with software versions of all registers and other processor hardware. b) Virus signature scanner c) Emulator control module Virus elements are usually activated immediately after a program starts execution. GD begins execution of an executable file in the CPU emulator. As each instruction is executed, the signature scanner tries to expose the virus. n n 55

Advanced Anti virus Techniques: Generic Decryption (GD) Technology n A polymorphic virus would decrypt Advanced Anti virus Techniques: Generic Decryption (GD) Technology n A polymorphic virus would decrypt itself and be recognized by the signature scanner. This process does not affect the computer, since the CPU emulator provides a safe and controlled environment. n Difficulties: n n n How many instruction may be interpreted through the emulator ? - is a design issue The user would complain if the GD scanner uses a great deal of computer resources and these are not available to the user. 56

Advanced Anti virus Techniques: IBM’s Digital Immune System 2) IBM’s Digital Immune System (DIS): Advanced Anti virus Techniques: IBM’s Digital Immune System 2) IBM’s Digital Immune System (DIS): n n Since the viruses spread through e-mail, internet and mobile code, IBM has developed the system for fast response. When a new virus enters the system of an organization, DIS captures it, analyzes it, adds detection and shielding for it, removes it and informs other systems running IBM anti-virus about it 57

Components of DIS 1) Monitoring Program - on each PC - uses heuristics based Components of DIS 1) Monitoring Program - on each PC - uses heuristics based on system behaviour n changes to programs n virus signatures to monitor the presence of a virus in a program. Such an infected program is sent to an Administrative Machine in the organization n 58

Components of DIS continued 2) Administrative Machines : one machine located at each site Components of DIS continued 2) Administrative Machines : one machine located at each site n It encrypts suspect program received from any PC. n It sends the encrypted suspect program to the Central Virus Analysis machine. 3) Central Virus Analysis machine : n It provides a safe environment for running the suspect program (like the CPU emulator and Emulation Control module of the GD scanner). 59

Components of DIS continued 3) Central Virus Analysis machine : continued. . n n Components of DIS continued 3) Central Virus Analysis machine : continued. . n n It generates a prescription for identifying and removing the virus. The prescription is sent to all the clients in the world through their Administrative Machines. 60

Advanced Anti virus Techniques: Behavior Blocking Software 3) Behavior Blocking Software: monitors and blocks Advanced Anti virus Techniques: Behavior Blocking Software 3) Behavior Blocking Software: monitors and blocks malicious actions like n n n Attempts to open, view, delete or modify files Attempt to format a disk or other non-recoverable disk operations. Modifying logic of executable files or macros Modification of critical settings like start-up settings Initiation of network communication sending executable content through e-mail or instant messaging. 61

Behavior Blocking Software continued Irrespective of complexity of a virus, this realtime blocking of Behavior Blocking Software continued Irrespective of complexity of a virus, this realtime blocking of malicious request can keep the system safe. n However even a behavior, which may look normal, may be problematic, thus shuffling of files may make them unusable. So if shuffling of files is not blocked, a virus may still succeed in making the system unusable. But can we/ should we block shuffling of files? n 62

Prevention, Detection & Removal of Viruses n n Use software acquired from reliable vendors Prevention, Detection & Removal of Viruses n n Use software acquired from reliable vendors only Test all new software on isolated computers n n n with no hard disk and not connected to a network and with boot disk removed Check for any unexpected behavior. Scan with an up-to-date virus scanner, which should have been installed before running the new software. 63

Prevention, Detection & Removal of Viruses continued n n Open an attachment only if Prevention, Detection & Removal of Viruses continued n n Open an attachment only if it is safe. When the system is known to be virus free, prepare a recoverable system image and store it safely in a write-protected medium Prepare and store safely back-up copies of executable system files Use virus scanners and update them regularly. 64

Prevention, Detection & Removal of Viruses continued n Removal of a virus : possible Prevention, Detection & Removal of Viruses continued n Removal of a virus : possible only if it is detected and eliminated faster than it spreads n n A resident virus may disable system calls, used for deleting it. A virus may be hidden in a variety of files - even in normally hidden system files. 65

Examples of Viruses up to slide 83 66 Examples of Viruses up to slide 83 66

Example of Viruses: n Brain: It locates itself in the upper part of memory. Example of Viruses: n Brain: It locates itself in the upper part of memory. n n n Traps interrupt 19 (used in PCs for disk-read) by resetting the interrupt address table to point to itself. Uses interrupt 6 (unused in PCs) to point to the ‘former address’ of interrupt 19 Thus it receives all disk read calls and shows only the original uninfected boot sector to a user (thus hiding itself. ) 67

Example of Viruses: Brain It uses the boot sector and 6 other sectors on Example of Viruses: Brain It uses the boot sector and 6 other sectors on the disk. The brain virus splits itself into 3 parts. The first part is in the boot sector. The other 2 parts are in the two other sector of the disk. The 3 rd sector of the disk contains the original boot sector code. Another copy of the virus is stored in the remaining 3 sectors on the disk n 68

Example of Viruses: Brain continued n n The virus marks the six disk sectors Example of Viruses: Brain continued n n The virus marks the six disk sectors as faulty, so that OS may not use them. Signature: in 5 th and 6 th bytes of the file, it stores 1234 ( HEX ). Action : with every disk read, it examines the file for its signature. If it is not there, it infects the file. Name: It changes the label of any disk it attacks to the word BRAIN. 69

Morris Worm Released on Internet in the evening of Nov 2, 1988 by Robert Morris Worm Released on Internet in the evening of Nov 2, 1988 by Robert T. Morris Jr. , a grad student of Cornell. In 1990 he was sentenced to a fine of $10, 000, a suspended 3 year jail and 400 hours of community service. Morris exploited three flaws: 1. Unix Password file is stored in encrypted form. But any one can read the ciphertext. 70

Morris Worm: the first flaw To connect to a remote system, it tries to Morris Worm: the first flaw To connect to a remote system, it tries to crack the local password file by trying the following: n the 432 words (like password, guest, coffee, coke, aaa etc) included in the worm, n all the words in the dictionary file stored on the system for spell-check. 71

Morris Worm: the second flaw 2. ) the second flaw- in fingered: n fingered Morris Worm: the second flaw 2. ) the second flaw- in fingered: n fingered continuously runs to service requests, from other computers, about system users. n Security flaw in fingered : overflow of input buffer spills in to the return address stack n when a fingered call terminates, it may execute instructions, pushed through buffer overflow. This may cause the worm to connect to a remote shell. 72

Morris Worm: the third flaw 3) the third flaw --- in sendmail - in Morris Worm: the third flaw 3) the third flaw --- in sendmail - in debug mode – Normally sendmail runs in the background. It receives a ‘send’ instruction along with dest address. However in debug mode the worm can send a command string, in place of dest address. Then this command string may be executed. Assume that the Worm has been able to enter a host (without its knowledge or permission. ) 73

Morris Worm: action It examines the following lists on the host: n n tables Morris Worm: action It examines the following lists on the host: n n tables giving lists of trusted machines, mail forwarding lists, tables stating the access rights of the local host on remote machine status of network connections It selects a suitable target. n Uses - one of the three flaws - to send a bootstrap program of 99 lines of C code. n Through the host, it sends a command to execute the program on the target machine. Then the host logs off. n 74

Morris Worm: action continued n n n The bootstraps-on-target now connects to the host Morris Worm: action continued n n n The bootstraps-on-target now connects to the host to get the rest of the worm. The bootstrap authenticates by sending a password (so that a system admin should not be able to get the rest of the worm) The host sends the rest of the worm Efforts at stealth: n if any transmission error occurs while transferring, the bootstrap deletes all record, received till then. 75

Morris Worm: Efforts at Stealth n n After receiving the full code of the Morris Worm: Efforts at Stealth n n After receiving the full code of the worm, it is encrypted. The original copies are deleted from the target. It changes its name and identifier periodically Because of a flaw in the code of Morris, it created many copies of the worm on the same machine, thereby degrading its performance to normal tasks. After Morris, a Computer Emergency Response Team was set up in Carnegie - Mellon University. 76

Code Red n n n Uses a security hole in MS Internet Information Server Code Red n n n Uses a security hole in MS Internet Information Server (IIS). On July 12, one in 8 of the 6 million IIS servers were affected. The first version shows the following text on the web : Hello! Welcome to http: //www. worm. com ! Hacked by Chinese ! 77

Code Red: Action n n n Day 1 to 19 th, spawns 99 parallel Code Red: Action n n n Day 1 to 19 th, spawns 99 parallel threads & scans for other computers for infecting them; day 20 -27 it attacked www. whitehouse. gov by DDo. S; from day 28 to end of month it lies dormant. It disables the system File Checker in windows. It uses random IP addresses to spread to other machines. 78

Code Red: Action continued n n n It suspends its activities periodically and then Code Red: Action continued n n n It suspends its activities periodically and then restarts. Code Red II also installs a backdoor to permit a hacker to be able to use the victim machines. It would automatically stop after Oct 2002. Finally it reboots after 24/48 hours, wipes itself from memory but leaves the Trojan in place. 79

Code Red: Technique continued n n Vulnerability in IIS: buffer overflow in dynamic link Code Red: Technique continued n n Vulnerability in IIS: buffer overflow in dynamic link library called idq. dll Code red II creates a trapdoor by copying %windir%cmd. exe to 4 locations C: inetpubscriptsroot. txt C: progra~1common~1systemMSADCroot. exe d : inetpubscriptsroot. ext d: program 1common~1sytemMSADCroot. exe 80

Code Red: Technique continued n n n Code red also includes its own copy Code Red: Technique continued n n n Code red also includes its own copy of explorer. exe on c: and d: drives. It modifies system registry to allocate Read, Write and execute permission in some directories to every one. The Trojan horse continues to run in the background, resetting the registry every 10 minutes. Thus even if a system admin notices the changes in the registry and removes them, the Trojan will again create changes. Code red may be beta test for ‘information war fare. ’ 81

Two more well-known viruses n NIMDA: It had multiple spread modes: n e-mail n Two more well-known viruses n NIMDA: It had multiple spread modes: n e-mail n client-to-client through open network connection n web-server to client n client to web-server n by using backdoor left by Code Red II It modifies html files and some executable files. It creates numerous copies under various names. 82

The The "Slammer" virus n The "Slammer" virus ( also known as the "SQL" or "Sapphire" worm): n launched at midnight ET on Saturday in Jan 2003, shut down MS IIS based web-servers worldwide. n By Sunday morning, about 150, 000 to 200, 000 servers had been compromised. n By quickly copying itself and seeking to spread to the computers that manage Internet traffic, the worm overwhelmed networks worldwide, causing probably the most damaging attack in a year and a half. 83

Multi-pronged approach Attacks: from various fronts. So security has also to be multi-faceted. Example: Multi-pronged approach Attacks: from various fronts. So security has also to be multi-faceted. Example: A mobile user A, who may be a salesman, may be allowed to access a company network, protected by a firewall. A may have a wireless network at home, which may get connected to the company network. A malicious user, who may be a neighbor or even a computer, in a parked vehicle near A’s home, could in turn become a part of the wireless network. Thus firewall alone may not be able to provide a protection from such a malicious user. 84

Multi Pronged Protection Systems Based on Behavior Blocking Software idea of slide 61 n Multi Pronged Protection Systems Based on Behavior Blocking Software idea of slide 61 n MPPS: n n n monitor traffic characteristics. Use anomalies to develop real time warning and defensive actions. During an attack, MPPS determines the characteristics of malicious attack traffic by tracking various attributes of packets including: n n Source and destination socket addresses IP TTL protocol Packet length 85

Multi Pronged Protection Systems continued Characterization of the malicious traffic: by identifying the highest Multi Pronged Protection Systems continued Characterization of the malicious traffic: by identifying the highest volume values for each packet attribute and comparing current distributions of the attribute values to normal distributions. Two types of Triggers: n Bandwidth triggers based on packet and byte rates. They indicate attempts to flood a network and consume its bandwidth. n Suspicious traffic triggers based on packets that target resources on the network, such as TCP SYN flood attack packets. 86 n

Solutions n Once an attack is detected, there are two solution approaches: n n Solutions n Once an attack is detected, there are two solution approaches: n n Black-hole routing allows the administrator to take all malicious traffic and route it to a null IP address or drop it. Sinkhole routing The malicious traffic is sent to an IP address where it can be examined. 87

Multi Pronged Protection Systems continued n Both Black-hole and Sink-hole routing can be used Multi Pronged Protection Systems continued n Both Black-hole and Sink-hole routing can be used n at the enterprise level. Or n at the ISP level, who can prevent the malicious traffic from reaching the customer's network. (Most ISPs have some level of DDo. S traffic crossing their networks virtually all the time. This costs them money in terms of bandwidth and annoys customers. ) n DISADVANTAGE of using Filtering at ISP: the possibility of catching legitimate traffic as well. 88

Virus vs Spyware n n A virus: designed to damage the machine in some Virus vs Spyware n n A virus: designed to damage the machine in some way Spyware: n n n a form of adware with tracking capability; hidden in free open-source software; used to collect information about a user Use Spybot or Ad. Aware for removing Spyware from your machine. 89

To end n three news-item on security one on ticking time-bombs in the weakest To end n three news-item on security one on ticking time-bombs in the weakest link – the PCs and two on 1 st April pranks by security companies 90

A honey-pot is added n Bill Mc. Carty, an Associate Professor of Web and A honey-pot is added n Bill Mc. Carty, an Associate Professor of Web and Information Technology at Azusa Pacific University, Calif. , said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets – reportedly many hundreds of thousand strong as of now. (A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods. ) n 91

Two pranks of April 1, 2003 n A news-item in the Register, a U. Two pranks of April 1, 2003 n A news-item in the Register, a U. K. IT news Web site: Availability of an Intruder Retaliation Systems (IRS) by a new (fake) security company. The first IRS, called the Payback 1. 0: an application that n n instantly and dynamically 'traces' the IP source address—no matter how well masked—of the network attack/infection and responds by launching either a Domain Name or mail server flood attack in the direction of the attacker. " 92

The second prank: An advisory posted to Bug. Traq (by an Internet security company The second prank: An advisory posted to Bug. Traq (by an Internet security company – but not on Internet security) n n A (fake) company called S. E. L. L. warns that "a DDo. S condition is present in the election system in many polypartisan democratic countries. A group of determined but unskilled and not equipped lowincome individuals, usually between 0. 05% and 2% of the overall population of the country, can cause serious disruptions or even a complete downfall of the democratic system and its institutions. The fix for this vulnerability: for affected parliaments to either "establish a convenient dictatorship or a monarchy, or [become] the 51 st state. " 93

Abbreviations n n n n n IPSec: IP Sec protocol SSL: Secure Socket layer Abbreviations n n n n n IPSec: IP Sec protocol SSL: Secure Socket layer TLS: Transport Level Security SSH: Secure SHell Kerberos: Project Athena’s Authentication Service SHA: Secure Hash Algorithm DSA: Digital Signature Algorithm RSA: RSA Laboratories named after its founders: Ron Rivest, Adi Shamir, Leonard Adelman DES: Data Encryption Standard MD: Message Digest 94

References n 1. To study the details of a scanner Sandeep Kumar, and Gene References n 1. To study the details of a scanner Sandeep Kumar, and Gene Spafford, “A Generic Virus Scanner in C++, ” Proceedings of the 8 th Computer Security Applications Conference, IEEE Press, Piscataway, NJ; pp. 210 -219, 2 -4 Dec 1992 2. For a complete list of known viruses www. cai. com/virusinfo/encyclopedia/ n 3. For cryptography G. C. Kessler, “An Overview of Cryptography” n http: //www. hill. com/library/staffpubs/crypto. html RSA Laboratories, “RSALabs FAQ, ” http: //www. rsasecurity. com/rsalabs/faq/ 95

References continued 4. For MPPS n n n http: //www. mazunetworks. com/products/enf orcer. html References continued 4. For MPPS n n n http: //www. mazunetworks. com/products/enf orcer. html http: //www. intruvert. com/resources/inde x. htm http: //www. okena. com/areas/products/p roducts_literature. html#COMPARE 96

“Malware payloads have been boring……. . Payloads can be malign and I expect that “Malware payloads have been boring……. . Payloads can be malign and I expect that we’ll see more devious payloads over the next few years. ” - Bruce Schneier author of Applied Cryptography FIREWALLS up to slide 97

Firewall: a definition • A Firewall is a set of related hardware and/or software, Firewall: a definition • A Firewall is a set of related hardware and/or software, which protects the resources of a private network from the outside networks. n watch single point rather than every PC • A firewall provides strict access control between your systems and the outside world. 98

 • Packet-Filtering Router Applies a set of rules to each incoming IP packet • Packet-Filtering Router Applies a set of rules to each incoming IP packet and then forwards or discards the packet, usually for both directions. n The rules are mainly based on the IP and transport (TCP or UDP) header, including n n source and destination IP address, IP protocol field, TCP/UDP port number. 99

Application-Level Gateway (Proxy Server) Acts as a relay of application-level traffic. Users contact the Application-Level Gateway (Proxy Server) Acts as a relay of application-level traffic. Users contact the gateway using a TCP/IP application (such as FTP or Telnet) with the information of the remote host to be accessed. The gateway will contact the application on the remote host and convey TCP segments containing the application data between the two endpoints. 100

Firewall Limitations Firewall can not protect against attacks that bypass the firewall (e. g. Firewall Limitations Firewall can not protect against attacks that bypass the firewall (e. g. dial-up modem) Firewall does not protect against internal threats, such as a bad employee Firewall can not protect against the transfer of virus-infected files can’t prevent people walking out with disks 101

Packet Filtering : Advantages and Disadvantages Advantages: Fast, Flexible, and Inexpensive Disadvantages: Lack the Packet Filtering : Advantages and Disadvantages Advantages: Fast, Flexible, and Inexpensive Disadvantages: Lack the ability to provide detailed auditinformation about the traffic they transmit; Vulnerable to attack. Firewall can become a bottleneck for a big system. Multiple firewalls in parallel, divided by function? 102

FIREWALLS: the common architecture n The most common firewall architecture contains at least four FIREWALLS: the common architecture n The most common firewall architecture contains at least four hardware components: n n an (exterior) router, a secure server (called a Bastion Host), an exposed network (called a Perimeter Network), an (interior) filtering router. 103

Firewall: an example n Screened subnet type of firewall: 104 Firewall: an example n Screened subnet type of firewall: 104

Firewall: an example (continued) n n Exterior Router: uses packet filtering to eliminate packets Firewall: an example (continued) n n Exterior Router: uses packet filtering to eliminate packets coming from the external world that have a source address that matches that of the internal network. The interior router does the bulk of the access control work. It filters packets on n address protocol and port numbers to control the services that are accessible to and from the interior network. 105

Firewall: an example (continued) n The bastion host: n n n a secure server. Firewall: an example (continued) n The bastion host: n n n a secure server. provides an interconnection point between the enterprise network and the outside world for the restricted services. Some of the services that are restricted by the interior gateway may be essential for a useful network. Those essential services are provided through the bastion host in a secure manner. The bastion host n n provides some services directly, such as DNS, SMTP mail services, and anonymous FTP May also provide other services as proxy services. 106

Firewall: an example (continued) bastion host (continued) n When the bastion host acts as Firewall: an example (continued) bastion host (continued) n When the bastion host acts as a proxy server, internal clients connect to the outside world through the bastion hosts and external systems respond back to the internal clients through the host. 107

Typical Enterprise Network Topology (without VPN) Public Internet Firewall Locations R Extranet Links With Typical Enterprise Network Topology (without VPN) Public Internet Firewall Locations R Extranet Links With Trading Partners R Authentication Server R R R Corporate Intranet R A S Remote Access Server Remote Client Remote Access 108

Network Address Translator n NA(P)T: network address (and port) translator are not firewalls, but Network Address Translator n NA(P)T: network address (and port) translator are not firewalls, but can prevent all incoming connections 109

NAT 110 NAT 110

IPS vs IDS n n NEW: IPS: Intrusion Prevention Systems IDS: Intrusion Detection Systems: IPS vs IDS n n NEW: IPS: Intrusion Prevention Systems IDS: Intrusion Detection Systems: IDS devices sit on a monitor port and simply report problems. While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action. PROBLEM with IPS: n n Costly need to be periodically tuned so that good traffic is not inadvertently dumped. 111

IPS devices n n n operate inline, often at wire speed, tuned to drop IPS devices n n n operate inline, often at wire speed, tuned to drop bad traffic from the network. most IPS devices must be used in conjunction with a firewall at the perimeter. process packet contents, not just the headers, track the state of network connections fast and thwart Do. S (denial-of-service) attacks by quickly identifying malicious connections. (through fast identification, statistical pattern analysis and rerouting suspect traffic to a mitigation engine, which examines the traffic carefully): However no method can eliminate the problem of bandwidth starvation to 112 valid users

“We are going backward, not forward; today’s systems don’t even achieve the security level “We are going backward, not forward; today’s systems don’t even achieve the security level Multics had in the seventies. ” Karger and Schell, 2002 “Thirty years later: Lessons from the Multics security evaluation”, Proceedings of the Annual Computer Security Applications Conference, 2002, pp. 332 113

Internet security protocols at layers Application Layer Transport Layer SSH, SFTP, PGP, PEM, HTTPS Internet security protocols at layers Application Layer Transport Layer SSH, SFTP, PGP, PEM, HTTPS SSL/TLS, SSH Internet Layer IPSec Network Interface Security in data link layer? Other security systems: Kerberos, X. 509 114 Figure 2. 10

Terms about Internet security n HTTPS: n n SSL: n n Secure Hypertext Transfer Terms about Internet security n HTTPS: n n SSL: n n Secure Hypertext Transfer Protocol an application layer protocol for WWW using a Secure Socket Layer (SSL). Secure Socket Layer, a transport layer protocol Similar to socket but adding encryption and authentication TLS: n n n Transport Layer Security A transport layer protocol The IETF version of SSL 115

Terms about Internet security n SSH: n n n Secure SHell An application layer Terms about Internet security n SSH: n n n Secure SHell An application layer protocol (initially) Replace telnet, rlogin, ftp Generalized as a transport layer protocol PGP: n n Pretty Good Privacy An application layer protocol Embedded in email such as elm Flexible public key certificate and verification 116

Terms about Internet security n PEM: n n n Privacy Enhanced Mail An application Terms about Internet security n PEM: n n n Privacy Enhanced Mail An application protocol For secure email Strict hierarchy in public key certificate IPSec: n n n Internet Protocol Security A network layer protocol Contains two parts (may use separately) n n AH: Authentication Header ESP: Encapsulation Security Payload 117

Terms about Internet security n IKE: n n PKI: n n n Internet Security Terms about Internet security n IKE: n n PKI: n n n Internet Security Association and Key Management Protocol. Kerberos: used in large distributed systems or Grids n n Public Key Infrastructure Refer to the widespread availability of public keys and certificates ISAKMP: n n Internet Key Exchange, Establishing key used in IPSec. A system for authentication based on secret keys OAKLEY n An IETF protocol that provides s mechanism that two authenticated parties can agree on secure and secret keying material 118