NS-H /11041 Malicious Software
Why bother to secure data?
- Information has value; it can affect our lives and our livelihood.
- Information has become an integral part of the structure of society.
- Information needs to be trusted if it is to be useful: the breakdown of trust removes value from the information protected.
What are we protecting against?
- Deletion or destruction
- Alteration (detected or undetected)
- Unauthorised access (privacy)
- Loss of productivity
Who is the enemy? External threats:
- Virus attacks
- Hacker attacks
- Theft of data
- Sabotage
- Natural disaster
Hackers, Crackers & Script Kiddies (SKs)
What is a Hacker?
- Traditionally used as a term of respect
- High-level user, talented in programming
- Renowned for finding previously undiscovered and often unexpected uses for computer systems and networks
Black Hat Hacker
- May be amateur or professional
- May attempt to destroy or alter data
- Will often use known security flaws to create a "beachhead"
- Attempts to gain Administrator or root access
- Will prey on system users' naïveté or carelessness
- Will attempt to remove all traces of intrusion
Black Hat Arsenal
- Trojan programs
- "Spyware" programs
- Password stealers
- Password crackers
Black Hat Tactics
- Exploit published or known security flaws to gain access
- User impersonation and deception
- Eavesdropping on correspondence
White Hat Hacker
- Cyber idealist
- Often very active in online discussion
- Very competitive
- Wishes to expose poor programming and claim credit for being the "first" to find errors
- Feels compelled to inform the cyber community of security issues
Are they a Problem?
- Not interested in stealing or altering data
- Often use carriers with a weak payload or none at all
- Often view security in an abstract form (a challenge or test of cyber strength)
- May warn users of potential security risks without thought of reward
The White Hat Dilemma
- Software is often "unsecured" when released
- Software producers are not always responsive to warnings
- Should a security flaw be published if there is no solution?
- The conflict of idealism and commercial reality
Script Kiddies
- Not true hackers (i.e. relatively unskilled)
- Often immature
- Use tools devised by skilled hackers
- Will destroy data without understanding the implications of their actions
- Seeking attention from their peer group
Malicious Programs
Computer "viruses" and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "worm"). Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).
Taxonomy of Malicious Programs
Malicious Programs
- Need host program
  - Trapdoors
  - Logic bombs
  - Trojan horses
  - Viruses (replicate)
- Independent
  - Bacteria (replicate)
  - Worms (replicate)
  - Zombie
Definitions
- Virus - code that copies itself into other programs.
- Bacteria - a program that replicates until it fills all disk space or CPU cycles.
- Payload - the harmful things the malicious program does, after it has had time to spread.
- Worm - a program that replicates itself across the network (usually riding on messages or attached documents, e.g. macro viruses).
Definitions
- Trojan Horse - instructions in an otherwise good program that cause bad things to happen (e.g. sending your data or password to an attacker over the net).
- Logic Bomb - malicious code that activates on an event (e.g. a date).
- Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let in unwanted users.
- Easter Egg - extraneous code that does something "cool"; a way for programmers to show that they control the product.
What is a Virus?
- A program that is designed to explore or exploit the security of a system
- Originally designed to perform useful functions, such programs were given the name "daemons"
- Daemons are independent processes that have a "life" of their own
- Daemons run in the background of an operating system and perform specified operations at predefined times or in response to certain events
Common Vectors of Infection
- Removable media (floppy disk, CD-ROM)
- Network connections (LAN, WAN and Internet) - the most common
  - WWW (becoming more common, e.g. Nimda)
  - FTP (rare)
The Daemon Evolves
- A daemon can be used to "retrieve" passwords or other secure information and send them to an unauthorised user or third party.
- Viruses have further evolved over time, and exhibit strategies similar to those of their biological namesakes.
Boot Sector Infection
- Infects the boot sector of a floppy disk
- Manually transferred by users sharing files via floppy disk media
- Example: "The Brain Virus" (first recorded MS-DOS virus)
Basic or Overwriting Viruses/Worms
- Begin by infecting a single file
- May take up residence in memory
- Spread without any attempt to evade detection
- Usually limited to a single host
- Examples: the "Jerusalem" and Melissa (I Love You) viruses
Trojan or Malware Viruses
- Comprise a carrier and a payload
- Disguise themselves as a harmless file or even a "useful" program
- Payload is triggered by either an internal counter or an external trigger
- Example: Michelangelo virus
Polymorphic or Mutating Viruses
- Attempt to evade detection by changing their shape and size randomly
- May employ tactics such as encryption
- May also have retro-virus characteristics
- Example: W32.Magistr worm
Multipartite Viruses
- Combine file infection with MBR infection
- Employ anti-detection measures such as stealth, encryption, retro-virus and Trojan-type behaviours
- These viruses are the most sophisticated of all and therefore carry the greatest potential to damage data
- Example: W95.Babylonia Y2K virus (masqueraded as a Y2K fix)
Viruses
- A piece of self-replicating code attached to some other code
  - cf. a biological virus
- Both propagates itself and carries a payload
  - carries code to make copies of itself
  - as well as code to perform some covert task
Virus Phases
- Dormant phase - the virus is idle
- Propagation phase - the virus places an identical copy of itself into other programs
- Triggering phase - the virus is activated to perform the function for which it was intended
- Execution phase - the function is performed
Virus Protection
- Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
- Do not execute programs (or "macros") from unknown sources (e.g. PS files, Hypercard files, MS Office documents).
- Avoid the most common operating systems and programs, if possible.
Virus Operation
- Virus phases:
  - dormant - waiting on a trigger event
  - propagation - replicating to programs/disks
  - triggering - by an event, to execute the payload
  - execution - of the payload
- Details are usually machine/OS specific
  - exploiting features/weaknesses
Types of Viruses
- Parasitic virus - attaches itself to executable files as part of their code; runs whenever the host program runs.
- Memory-resident virus - lodges in main memory as part of the resident operating system.
- Boot sector virus - infects the boot sector of a disk, and spreads when the operating system boots up (the original DOS viruses).
- Stealth virus - explicitly designed to hide from virus-scanning programs.
- Polymorphic virus - mutates with every new host to prevent signature detection.
Types of Viruses
- Can classify on the basis of how they attack:
  - parasitic virus
  - memory-resident virus
  - boot sector virus
  - stealth virus
  - polymorphic virus
  - macro virus
Virus Spread
- Using mail with an attachment containing a macro virus
  - cf. Melissa
- Triggered when the user opens the attachment, or worse, even when the mail is viewed, by using scripting features in the mail agent
- Usually targeted at the Microsoft Outlook mail agent and Word/Excel documents
Worms
- Replicating but not infecting program
- Typically spreads over a network
  - cf. the Morris Internet Worm in 1988
  - led to the creation of CERTs
- Spreads using users' distributed privileges or by exploiting system vulnerabilities
- Widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- Major issue is the lack of security of permanently connected systems, esp. PCs
Worm Operation
- Worm phases like those of viruses:
  - dormant
  - propagation
    - search for other systems to infect
    - establish connection to target remote system
    - replicate self onto remote system
  - triggering
  - execution
Logic Bomb
- One of the oldest types of malicious software
- Code embedded in a legitimate program
- Activated when specified conditions are met
  - e.g. presence/absence of some file
  - particular date/time
  - particular user
- When triggered, typically damages the system
  - modifies/deletes files/disks
Trojan Horse
- Program with hidden side-effects which is usually superficially attractive
  - e.g. game, s/w upgrade etc.
- When run, performs some additional tasks
  - allows the attacker to indirectly gain access they do not have directly
- Often used to propagate a virus/worm or install a backdoor, or simply to destroy data
Zombie
- Program which secretly takes over another networked computer
- Then uses it to indirectly launch attacks
- Often used to launch distributed denial of service (DDoS) attacks
- Exploits known flaws in network systems
Virus Countermeasures
- Viral attacks exploit the lack of integrity control on systems
- To defend, need to add such controls
- Typically by one or more of:
  - prevention - block the virus infection mechanism
  - detection - of viruses in an infected system
  - reaction - restoring the system to a clean state
Anti-Virus Software
- First generation
  - scanner uses a virus signature to identify the virus
  - or a change in length of programs
- Second generation
  - uses heuristic rules to spot viral infection
  - or uses program checksums to spot changes
- Third generation
  - memory-resident programs identify a virus by its actions
- Fourth generation
  - packages with a variety of antivirus techniques
  - e.g. scanning & activity traps, access controls
Antivirus Approaches
- 1st Generation, Scanners: searched files for any of a library of known virus "signatures"; checked executable files for length changes.
- 2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses); check files for checksum or hash changes.
- 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behaviour (e.g. scanning files).
- 4th Generation, Full Featured: combine the best of the techniques above.
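As an added example (not code from the slides), the first- and second-generation checks above in Python: a signature scan plus a length-and-hash baseline, showing that an equal-length overwrite is caught only by the hash. The signature bytes and the sample files are constructed for the example.

```python
import hashlib

# Constructed signature of a hypothetical virus, not a real malware signature:
# the byte pattern a 1st-generation scanner searches files for.
SIGNATURES = {"demo-virus": b"\x90\x90DEMO-VIRUS-SIG"}


def scan_for_signatures(data: bytes) -> list:
    """1st generation: return the names of all known signatures found in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def take_baseline(files: dict) -> dict:
    """2nd generation: record length and SHA-256 of every file while it is known clean."""
    return {path: (len(data), hashlib.sha256(data).hexdigest())
            for path, data in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Compare current files against the baseline and report how each changed file differs."""
    findings = {}
    for path, data in files.items():
        if path not in baseline:
            findings[path] = "new file"
            continue
        old_len, old_hash = baseline[path]
        if hashlib.sha256(data).hexdigest() == old_hash:
            continue  # unchanged
        if len(data) != old_len:
            findings[path] = "length changed"  # a 1st-generation length check sees this
        else:
            findings[path] = "content changed, length unchanged"  # only the hash sees this
    return findings


# Constructed sample files: a clean baseline, then the same files after two kinds of change.
CLEAN = {"app.exe": b"MZ" + b"\x00" * 30, "util.exe": b"MZ" + b"\x01" * 30}
INFECTED = {
    "app.exe": CLEAN["app.exe"] + SIGNATURES["demo-virus"],  # parasitic: body appended, file grows
    "util.exe": b"MZ" + b"\x02" * 30,                        # overwritten in place, same length
}


def run_demo() -> tuple:
    """Run both checks over the constructed files: (integrity findings, signature hits)."""
    baseline = take_baseline(CLEAN)
    return (check_integrity(baseline, INFECTED),
            {path: scan_for_signatures(data) for path, data in INFECTED.items()})
```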
Advanced Antivirus Techniques
- Generic Decryption (GD)
  - CPU emulator
  - Virus signature scanner
  - Emulation control module
- For how long should a GD scanner run each interpretation?
Advanced Anti-Virus Techniques
- Generic decryption
  - uses a CPU simulator to check program signature & behaviour before actually running it
- Digital immune system (IBM)
  - general purpose emulation & virus detection
  - any virus entering the organisation is captured, analysed, detection/shielding created for it, and removed
Advanced Antivirus Techniques
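An added toy model of generic decryption (not code from the slides) covering the two GD slides above: a tiny emulated CPU runs a constructed self-decrypting sample for a bounded number of steps while the signature scanner checks emulated memory after every step. The instruction set, XOR key, memory layout and signature are all assumptions made for this example; it shows why the step budget asked about above matters.

```python
SIGNATURE = b"DEMO-VIRUS-SIG"  # constructed signature of a hypothetical virus body
KEY = 0x5A                     # constructed XOR key used by the sample's decryptor
BODY_START = 16                # where the encrypted body sits in the toy memory


def build_sample(key: int = KEY) -> tuple:
    """Constructed self-decrypting sample: the body is stored XOR-encrypted and a
    short loop decrypts it one byte per pass. Returns (memory, program)."""
    memory = bytearray(BODY_START) + bytes(b ^ key for b in SIGNATURE)
    program = [
        ("set_ptr", BODY_START),      # ptr = start of the encrypted body
        ("set_cnt", len(SIGNATURE)),  # cnt = bytes left to decrypt
        ("xor_ptr", key),             # mem[ptr] ^= key   (loop top, index 2)
        ("inc_ptr",),                 # ptr += 1
        ("dec_cnt_jnz", 2),           # cnt -= 1; jump back to index 2 while cnt > 0
        ("halt",),                    # control would pass to the decrypted body here
    ]
    return memory, program


def emulate_and_scan(memory: bytearray, program: list, budget: int):
    """Emulation control module: run at most `budget` instructions on a copy of memory,
    scanning for the signature after each step. Returns the step at which the signature
    first became visible, or None if the budget ran out or the sample halted first."""
    mem = bytearray(memory)  # a static scan of `memory` itself never sees the signature
    pc = ptr = cnt = 0
    for step in range(1, budget + 1):
        op = program[pc]
        pc += 1
        if op[0] == "set_ptr":
            ptr = op[1]
        elif op[0] == "set_cnt":
            cnt = op[1]
        elif op[0] == "xor_ptr":
            mem[ptr] ^= op[1]
        elif op[0] == "inc_ptr":
            ptr += 1
        elif op[0] == "dec_cnt_jnz":
            cnt -= 1
            if cnt > 0:
                pc = op[1]
        elif op[0] == "halt":
            return None
        if SIGNATURE in mem:  # the signature scanner, applied to emulated memory
            return step
    return None  # budget exhausted before the body was fully decrypted
```

With this sample each body byte costs three instructions, so a budget below 42 steps misses it while a larger budget finds it; the tradeoff in the question above is between that budget and scanning time.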
Behavior-Blocking Software
- Integrated with the host O/S
- Monitors program behaviour in real time
  - e.g. file access, disk format, executable modifications, system settings changes, network access
- Watches for possibly malicious actions
  - if detected, can block, terminate, or seek OK
- Has an advantage over scanners, but malicious code runs before detection
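An added example (not code from the slides) of the behaviour-blocking decision logic run over a constructed event stream: per-process state lets the monitor act on a pattern (several executables rewritten, then a network connection) rather than on single events, and the allowed early writes illustrate the "runs before detection" weakness. The action names, the threshold and the decision labels are assumptions for the example.

```python
from collections import defaultdict

EXEC_SUFFIXES = (".exe", ".dll", ".sys")
EXEC_MOD_LIMIT = 2  # assumed threshold: rewriting more executables than this looks like infection


def behavior_blocker(events: list) -> list:
    """Evaluate (pid, action, target) events in order, keeping per-process state.
    Returns (pid, action, target, decision) tuples; decision is 'allow', 'ask'
    (seek the user's OK), 'block' (refuse this action) or 'terminate' (kill the process)."""
    exec_writes = defaultdict(set)  # executables each process has modified so far
    terminated = set()
    decisions = []
    for pid, action, target in events:
        if pid in terminated:
            decision = "block"  # nothing further is allowed from a killed process
        elif action == "format_disk":
            decision = "block"  # destructive: refuse outright
        elif action == "write" and target.lower().endswith(EXEC_SUFFIXES):
            exec_writes[pid].add(target)
            # the first writes are allowed: this is the "malicious code runs before
            # detection" weakness of behaviour blocking
            decision = "terminate" if len(exec_writes[pid]) > EXEC_MOD_LIMIT else "allow"
        elif action == "change_setting":
            decision = "ask"
        elif action == "net_connect" and exec_writes[pid]:
            decision = "terminate"  # patched executables, then reaches out to the network
        else:
            decision = "allow"
        if decision == "terminate":
            terminated.add(pid)
        decisions.append((pid, action, target, decision))
    return decisions


# Constructed event stream: a document editor (pid 100), a file infector (pid 200)
# and a process trying to format a volume (pid 300).
EVENTS = [
    (100, "write", "report.docx"),
    (100, "change_setting", "autostart"),
    (200, "write", "C:\\apps\\a.exe"),
    (200, "write", "C:\\apps\\b.exe"),
    (200, "write", "C:\\apps\\c.exe"),
    (200, "net_connect", "203.0.113.5:80"),
    (300, "format_disk", "D:"),
]
```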
Recommended Reading and Web Sites
- Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990.
- CERT Coordination Center (web site)
- AntiVirus Online (IBM's site)