Intruders and Viruses

Outline Intruders Viruses and Related Threats Intrusion Techniques Password Protection Password Selection Strategies Intrusion Detection Viruses and Related Threats Malicious Programs The Nature of Viruses Antivirus Approaches Advanced Antivirus Techniques Recommended Reading and WEB Sites

Intruders Three classes of intruders (hackers or crackers): Masquerader, Misfeasor, and Clandestine user. Masquerader An unauthorized user who penetrates a computer system’s access control and gains acccess to user accounts.

Intruders Misfeasor >A legitimate user who accesses resources he is not authorized to access. >Who is authorized such access but misuses his privileges. Clandestine user A user who seizes the supervisory control of the system and uses it to evade auditing and access control.

Intrusion Techniques Objective: An intruder wants to gain access to a system. >>Access is generally protected by passwds. System maintains a file that associates a password with each authorized user. Password file can be protected with: One-way encryption and Access control

Intrusion Techniques One-way encryption: >A system stores passwds only in encrypted form. >One-way transformation Access Control >Access to the passwd file is limited to very few people.

Intrusion Techniques Techniques for guessing passwords: Try default passwords. (used with standard accounts that are shipped with systems.) Try all short words, 1 to 3 characters long. Try all the words in an electronic dictionary (60,000). Collect information about the user’s hobbies, family names, birthday, etc.

Intrusion Techniques Techniques for guessing passwords:.. Try user’s phone number, social security number, street address, etc. Try all license plate numbers (MUP103). Use a Trojan horse (to bypass restrictions on access). Tap the line between a remote user and the host system.

UNIX Password Scheme Passwords are stored in crypted form. User selects a password of chars. This password serves as the key to an encryption routine. Encryption routine is a modified version of DES. 12 bit Salt is used for modification. Salt: related to time the password is assigned.

UNIX Password Scheme Modified DES is used with data input as 64-bit block of zeros. This process is repeated 25 times. The resulting output is translated into an 11 chars sequence. (cipher passwd) Ciphertext password is stored in the table together with Salt.

UNIX Password Scheme Loading a new password

UNIX Password Scheme Verifying a password file

Storing UNIX Passwords UNIX passwords were kept in a publicly readable file, etc/passwords. Now they are kept in a “shadow” directory and only visible to “root”.

”Salt” The salt serves three purposes: Prevents duplicate passwords from being visible in the password file. //even if two users choose the same password, their ciphertexts will differ// Effectively increases the length of the password (by two chars). //makes password guessing difficult// Prevents the use of hardware implementations of DES.

Password Selecting Strategies Goal: Eliminate guessable passwords while allowing users to select passwords that are memorable. 1. User education >Told the importance of hard-to-guess passwds. >Provided guidelines to select strong passwords. >Many users ignore guidelines.

Password Selecting Strategies 2. Computer-generated passwords >Passwords will be random in nature and will be hard to memorize. 3. Reactive password checking >System runs its own password checker to find guessable passwords. >Users given a deadline to change the password //account is cancelled or frozen//

Password Selecting Strategies 4. Proactive password checking >A user is allowed to select his passwd. >At the time of selection, the system checks to see if the passwd is allowable. >It rejects the password if not allowable. >The most promising approach.

Proactive Password Checking Problem: How to efficiently and effectively check for passwords. >It is not practical to maintain a list of bad passwords and check it. >Two compact ways: Markov model and Bloom filters.

Proactive Password Checking Markov model: >Each state represents a chars. >The current state denotes the most recent char/letter. >Transition from a state to another state denotes the next char. >Transitions have probability associated to them.

Markov Model Henric Johnson

Markov Model Main problem: Building the transition matrix. The Markov chain should reflect the structure of words in the dictionary. All strings generated by the MC denote bad passwords. A dictionary of guessable words is created. Transition matrix is computed as follows:

Transition Matrix Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth character. Example: Password firefly consists of the following trigrams: fir, ire, ref, efl, fly.

Transition Matrix 2. For each bigram ij, calculate f(i,j, ) as the total number of trigrams beginning with ij. 3. Compute the entries of T as follows:

Markov Model Checking for a bad password: >Passwords (strings) generated by the Markov model are rejected. >For a given password, transition probabilities of trigrams are looked up. >Statistical tests are performed to see if this password is likely by the model. >Passwords likely by the model are rejected.

Spafford (Bloom Filter) where The following procedure is then applied to the dictionary: A hash table of N bits is defined, with all bits initially set to 0. For each password, its k hash values are calculated, and the responding bits in the hash table are set to 1

Bloom Filter False positive: A password that is not in the dictionary but it produces a match in the table. Example: hogan and bogan are present in the dictionary, but logan is not. H1(hogan)=32, H1(bogan)=76, H1(logan)=45 H2(hogan)=45, H2(hogan)=91, H2(logan)=32 >False positive cause a valid password to be rejected. >False positive should be minimized.

Spafford (Bloom Filter) Design the hash scheme to minimize false positive. Probability of false positive:

Performance of Bloom Filter

The Stages of a Network Intrusion 1. Scan the network to: • locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast. 29

Intusion Detection Intrusion prevent may fail and intrusion detection is the next best defense. Motivations: If the intruder can be identified quickly enough, he can be ejected from the system and damage can be minimized. An effective intrusion detection can prevent intrusions. //can act as a deterrent//

Intusion Detection Motivations:... Collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. Intrusion detection basis: “The behavior of intruders differs from that of a legitimate user in a quantifiable way.”

Profiles of Behavior of Intruders and Authorized Users Henric Johnson

Intrusion Detection There is likely to be some overlap in the behavior. Will generate “false positives”: Some authorized users will be branded as intruders. >If false positives are completely eliminated, some intruders will go undetected.

Intrusion Detection Two approaches are used: 1. Statistical anomaly detection >History of legitimate users is collected and a user profile is built. >Statistical tests are applied to the observed behavior to determine if it is an intrusion. --Two approaches are used.

Intrusion Detection 2. Rule based detection Treshold detection Uses thresolds for the frquency of occurrence of various events. Profile based User profile is used to detect changes in the behavior of a user. 2. Rule based detection Defines a set of rules that can be used to decide if a behavior is that of an intruder.

Intrusion Detection 2. Rule based detection... >Two approaches. Anomaly detection Rules detect deviation from previous usage patterns. Penetration identification An expert system-based approach that searches for suspicious behavior.

Measures used for Intrusion Detection Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Data transfers Read, write, create, delete frequency. Failure count for read, write, create and delete.

Distributed Intrusion Detection Early IDSs were for single-stand alone systems (centralized IDS). A more effective defense can be achieved by cooperation among several intrusion detection systems across the network. >A diagram of such system (next slide)

Distributed Intrusion Detection Developed at University of California at Davis

Distributed ID Consists of three components: 1. Host agent module: Collects data on security related events on the host and passes them to the central manager. 2. LAN Monitor agent module: It analyzes LAN traffic and reports results to the central manager. (host-host connections, services used, volume of traffic, rlogin activity, etc.)

Distributed ID… 3. Central Manager module: >Receives reports from host agents and LAN monitor. >Processes and correlates the reports to detect intrusions. >Typically includes an expert system that draws inferences from the received data.

Distributed Intrusion Detection Henric Johnson

Viruses and ”Malicious Programs” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”). Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Taxanomy of Malicious Programs Need Host Program Independent Trapdoors Logic Bombs Trojan Horses Viruses Bacteria Worms

Definitions Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles. Payload - harmful things the malicious program does, after it has had time to spread. Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses).

Definitions Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

Virus Phases Dormant phase - the virus is idle Propagation phase - the virus places an identical copy of itself into other programs Triggering phase – the virus is activated to perform the function for which it was intended Execution phase – the function is performed

Virus Protection Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses. Do not execute programs (or "macro's") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, Avoid the most common operating systems and email programs, if possible.

Virus Structure Henric Johnson

A Compression Virus Henric Johnson

Types of Viruses Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs. Memory-resident Virus - Lodges in main memory as part of the residual operating system. Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses). Stealth Virus - explicitly designed to hide from Virus Scanning programs. Polymorphic Virus - mutates with every new host to prevent signature detection.

Macro Viruses Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File). Platform independent. Infect documents, delete files, generate email and edit letters.

Antivirus Approaches 1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes. 2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes. 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files). 4th Generation, Full Featured: combine the best of the techniques above.

Advanced Antivirus Techniques Generic Decryption (GD) CPU Emulator Virus Signature Scanner Emulation Control Module For how long should a GD scanner run each interpretation?

Advanced Antivirus Techniques