Lecture 7: Security Problems and Viruses

Contents
- How things go wrong
  - Change in environment
  - Bound and syntax checking
  - Convenient but dangerous design features
  - Escapes from controlled invocation
  - Bypass at a lower layer
  - Flaws in protocol implementation
- Virus
  - What is a Computer Virus?
  - Virus Effects
  - Virus Infections
  - Virus Components
  - Virus Types

The Mad Hacker
- Occurred in 1987; the OS was VME/B
- For backups, there existed a user that owned all file descriptors
- This user had no restrictions; a bug allowed the flaw to be exploited
- A VME/B sys admin figured it out
- Attacked many systems, deleted files, etc.
- He left messages from "The Mad Hacker"

CTSS
- CTSS was an early time-sharing system
- In a famous incident, the password file appeared as the message of the day
- How could this happen?
- Only one "manager" at a time; later changed to allow multiple managers
- This led to an unexpected problem...

CTSS: one SCRATCH file, two managers
Files involved: Msg file (MSG), Pwd file (PWD), and a single shared SCRATCH file.
1. First manager edits the message file: SCRATCH = MSG
2. Second manager edits the password file: SCRATCH = PWD (the shared scratch file is overwritten)
3. First manager saves: MSG = PWD (the scratch file written back now holds the password file)

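The three steps above replayed as a small model (added example, not from the lecture): a "disk" dictionary stands in for the file system, the editor copies a file into a scratch file on start and back on save, and the only difference between the two runs is whether the scratch file name is shared or per session.

```python
# Constructed sample contents for the two files the slides name.
FILES = {
    "MSG": "Message of the day: system maintenance at 18:00\n",
    "PWD": "alice:secret1\nbob:secret2\n",
}

def start_edit(disk, scratch, target):
    """Editor start-up: the target file is copied into the scratch file."""
    disk[scratch] = disk[target]

def save_edit(disk, scratch, target):
    """Editor save: the scratch file is copied back over the target."""
    disk[target] = disk[scratch]

def two_managers(shared_scratch):
    """Replay the three steps from the slides and return the final MSG file.

    shared_scratch=True models CTSS with one fixed scratch name for everyone;
    False gives each session its own scratch file (the fix)."""
    disk = dict(FILES)
    s1, s2 = ("SCRATCH", "SCRATCH") if shared_scratch else ("SCRATCH.1", "SCRATCH.2")
    start_edit(disk, s1, "MSG")   # 1. first manager opens the message file
    start_edit(disk, s2, "PWD")   # 2. second manager opens the password file
    save_edit(disk, s1, "MSG")    # 3. first manager saves
    return disk["MSG"]

def password_file_leaked(shared_scratch):
    """True when the message of the day now contains the password file."""
    return two_managers(shared_scratch) == FILES["PWD"]

if __name__ == "__main__":
    print("shared scratch leaks passwords:", password_file_leaked(True))       # True
    print("per-session scratch leaks passwords:", password_file_leaked(False))  # False
```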
fingerd daemon bug
- fingerd is a server that provides a network interface to the finger program; this interface allows finger to display information about remote users
- UNIX fingerd did not check the length of its input
- Buffer overflow
- The Morris Worm exploited this to open a remote connection via TCP

VMS login
- Buffer overflow in login
- A user could specify the machine with Username/DEVICE=<device>; the length of <device> was not checked
- Buffer overflow
- Could be exploited so that a user could set their own privilege level

rlogin bug
Unix login:
    login [-p] [-h <host>] [[-f] <user>]
    where -f forces login (no password)
Unix rlogin:
    rlogin [-l <user>] <host>
    uses login with the first argument passed on
So rlogin -l -froot machine results in login -froot machine

Sendmail "feature"
- Sendmail debug option
- Substitute commands for the username in mail; they are executed on the host by sendmail
- Used to check remote configuration without bothering the administrator
- Debug option often left on
- Exploited by the Morris Worm

VAX/VMS bug
Access control info is stored in the Auth File.
    Caller: Request Set Auth File(parameters)
    System:
        Open Auth File
        Read Caller's Authorization
        if authorized then return(true)
        else return(false)
- Problem?
- File not closed

AS/400 machine language
- System security levels 10, 20, ..., 50
- Machine language programs not subject to security controls
- Intended use: to speed up programs
- Attackers could write such code
- AS/400 then attempted to detect "bad" commands
- Attackers overwrote the table used for checking

at bug
The Unix command at -f <file> <time> runs the commands in <file> at <time>; the request is put into /usr/spool/atjobs.
- Bug: at does not check whether <file> is readable by the user
- Feature: the spool directory is readable by the user who created the entry
- Result: at -f /etc/shadow <time> gives access to the password file

TCP authentication
    Alice -> Bob: SYN, SEQ a
    Bob -> Alice: SYN, ACK a+1, SEQ b
    Alice -> Bob: ACK b+1, data
Note: initial sequence numbers are supposed to be unpredictable.

TCP authentication attack
    1. Trudy -> Bob: SYN, SEQ t (as Trudy)
    2. Bob -> Trudy: SYN, ACK t+1, SEQ b1
    3. Trudy -> Bob: SYN, SEQ t (as Alice)
    4. Bob -> Alice: SYN, ACK t+1, SEQ b2
    5. Trudy -> Bob: ACK b2+1, data (as Alice)

TCP authentication attack
- Trudy cannot see what Bob sends, but she can send packets to the server Bob as Alice
- Trudy must prevent Alice from receiving Bob's packets (or Alice will terminate the connection)
- If a password (or other authentication) is required, this attack fails
- If TCP itself is the authentication, the attack succeeds
- It is a bad idea to rely on TCP for authentication

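The five-step exchange above as a model of Bob's side (added example, not from the lecture): Bob trusts a connection by source address alone, Trudy never sees the SYN-ACK of step 4, and the only thing that decides the outcome is whether b2 can be guessed from b1. The ISN policy knob, the fixed increment of 64 and the addresses are constructed for the model.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Bob:
    """Server that trusts a peer by source address alone (the flawed design).
    isn_policy is a constructed knob: 'sequential' (predictable) or 'random'."""
    trusted: str
    isn_policy: str
    _last_isn: int = 1000
    _pending: dict = field(default_factory=dict)   # src -> SEQ b sent in SYN-ACK
    accepted: list = field(default_factory=list)

    def _next_isn(self):
        if self.isn_policy == "sequential":
            self._last_isn += 64          # constructed fixed increment
            return self._last_isn
        return random.getrandbits(32)

    def on_syn(self, src, seq):
        """Handle a SYN; the SYN-ACK is delivered to src, whoever really sent it."""
        b = self._next_isn()
        self._pending[src] = b
        return ("SYN", "ACK", seq + 1, "SEQ", b)

    def on_ack(self, src, ack, data):
        """Accept data only if the ACK matches and src is the trusted address."""
        b = self._pending.pop(src, None)
        if b is None or ack != b + 1 or src != self.trusted:
            return False
        self.accepted.append(data)
        return True

def blind_spoof(isn_policy):
    """Steps 1-5 of the slide. Trudy never sees Bob's reply to Alice (step 4);
    she guesses b2 from the b1 Bob gave her in step 2."""
    bob = Bob(trusted="alice", isn_policy=isn_policy)
    *_, b1 = bob.on_syn("trudy", 100)      # 1-2: Trudy's own connection, sees b1
    bob.on_syn("alice", 200)               # 3-4: SYN as Alice; SYN-ACK goes to Alice
    guessed_b2 = b1 + 64                   # right only if ISNs are predictable
    return bob.on_ack("alice", guessed_b2 + 1, "data sent as Alice")   # 5

if __name__ == "__main__":
    print("predictable ISN, address-only trust:", blind_spoof("sequential"))  # True
    print("random ISN, address-only trust:", blind_spoof("random"))           # False
```

Randomising the ISN only removes the guess; Bob still accepts anything that arrives with Alice's address, which is why the slide's last point (do not rely on TCP for authentication) is the real fix.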
What is a Computer Virus?
- To be defined as a virus, a program must:
  - Replicate itself in order to carry out a mission
  - Be dependent on a "host" to carry out the mission
  - Create damage to the "infected" computer system
- "A computer virus is an exact cybernetic analogy to its biological reference"
- There are more than 20,000 different computer viruses

Simple Definition
- A virus is a program which reproduces itself, hides in other computer code without permission, and does nasty or undesirable things not intended by its victim.
- Computer viruses are malicious programs that infect a computer system, causing various problems with its use. They replicate and attach themselves to programs in the system.

Virus Effects
- Trivial: simply reproduces or displays messages
- Minor: alters or deletes infected files
- Moderate: wipes out an entire disk drive
- Major: slowly corrupts data with a pattern, making restoration difficult
- Severe: slowly corrupts data without a pattern, making restoration impossible
- Unlimited: a virus which discovers the system administrator's password and mails it to one or more users, tempting them to use it for illegal purposes

How Virus Infections Spread
Virus infections spread by:
- Inserting a disk with an infected program and then starting the program
- Downloading an infected program from the Internet
- Being on a network with an infected computer
- Opening an infected attachment

Virus Components
- The Replication mechanism: allows the virus to copy itself
- The Protection mechanism: hides the virus from detection
- The Trigger: the mechanism which sets off the payload
- The Payload: the effect of the virus

Virus Types
Viruses are classified by the portion of the system they affect. There are five main types:
- Boot Viruses
- File Viruses
- Multi-partite Viruses
- Polymorphic Viruses
- Macro Viruses

Boot Viruses
- Infect the boot block on a floppy or hard disk
- Usually replace the boot block with all or part of the virus program
- Most have trigger dates; when the machine is booted on that day, severe damage is done
- The virus loads into memory and infects other disks
- Execute each time the computer is started
- May lead to the destruction of all data
- Example: Michelangelo. On March 6 (Michelangelo's birthday) garbage is written through the entire drive.

BOOT
Normal boot sequence:
    ROM -> Master Boot sector -> DOS Boot sector -> IO.SYS -> MSDOS.SYS -> AUTOEXEC.BAT

Infection pattern with a boot virus
Diagram: the Master Boot sector location now holds the Viral Code; the viral code runs first and then chains to the relocated original Master Boot sector, which loads the Boot sector as before.

File Viruses (Parasitic)
- Infect .EXE or .COM files
- Usually append the virus code to the file; newer versions hide the virus
- Damage is done when the program is run, and the virus attaches to other files
- Attach themselves to program files
- Spread to other programs on the hard drive
- Are the most common type of virus
- Example: Friday the 13th. If the date is a Friday the 13th when the virus is executed, all .EXE files are deleted.

Multi-partite Viruses
- Infect both boot blocks and executable files
- Combine the capabilities of boot viruses and file viruses
- Example: Tequila, which displays graphics and text rather than running programs

Polymorphic Viruses
- Can infect the boot sector, files, or both
- Are self-modifying: the code changes each time it infects a file or disk
- Very difficult to detect and remove
- Example: Tremor, which triggers 3 months after infection and displays "-MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-" with every warm boot

Macro Viruses
- Infect the automatic command capabilities of productivity software
- Attach themselves to the data files of word processing, spreadsheet, and database programs
- Spread when the data files are exchanged between users
- Carried in data files for Microsoft Word documents
- Example: Concept, which infects the global template and all files loaded from then on. It was distributed by Microsoft on a CD-ROM called Microsoft Windows 95 Software Compatibility Test.

Time Bombs
- Are also called logic bombs
- Are harmless until a certain event or circumstance activates the program

Computer Trojans
Computer Trojans are simply malicious computer programs disguised as something useful. The major difference between viruses and Trojans is that viruses reproduce, while a Trojan is just a one-time program which executes its payload as soon as the Trojan is run. Trojans are the most common way of bringing a virus into a system. A current example of a Trojan is a program called pkz300b.exe, which disguises itself as an archiving utility but, when run, deletes your entire hard drive.

Computer Worms
Computer worms are reproducing programs that run independently and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus is dependent upon a host file or boot sector, and on the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections. An example of a worm is the famous Internet worm of 1988: overnight the worm copied itself across the Internet, infecting every Sun-3 and VAX system with so many copies of itself that the systems were unusable. Eventually several sites disconnected themselves from the Internet to avoid reinfection.

Virus Prevention
- Never use a "foreign" disk or CD-ROM without scanning it for viruses
- Always scan files downloaded from the Internet or bulletin boards
- Never boot your PC from a floppy unless you are certain it is virus free
- Write-protect your disks to prevent viruses from reproducing onto them
- Use licensed software from a reputable dealer
- Password-protect your PC to prevent copying of files in your absence
- Make regular backup copies of all your work and system configurations
- Install and use anti-virus software regularly
- Update your anti-virus software regularly so it can detect new viruses

Cryptographic Checksum
- A standard integrity protection technique
- A checksum is computed for a clean version of each file to be protected
- The checksum is stored in a secure place
- Advantage: it does not need to know what the virus is
- Disadvantage: it does not know what the virus is (it only reports that the file changed)
- Vulnerability: when the checksum is recomputed

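An integrity checker along the lines of the slide (added example, not from the lecture): a baseline of keyed checksums is taken over clean files, a later check reports which files changed without knowing what changed them, and recomputing the baseline over an already-infected file is exactly the vulnerability the last bullet names. The file contents, the key and the appended marker bytes are constructed; the choice of HMAC-SHA256 over a bare hash is this example's, so that a stored checksum cannot be recomputed by whoever modified the file.

```python
import hashlib
import hmac

# Constructed stand-ins for program files; in practice read the bytes from disk.
CLEAN_FILES = {
    "ls":  b"\x7fELF" + b"ls-program-code" * 4,
    "cat": b"\x7fELF" + b"cat-program-code" * 4,
}
# Assumption: the key lives with the stored checksums, off the protected machine.
KEY = b"constructed-offline-key"

def checksum(data):
    """Keyed SHA-256 (HMAC): a virus that changes the file cannot forge a
    matching checksum without the key, unlike a plain hash stored beside the file."""
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def take_baseline(files):
    """Run once on known-clean files; keep the result in a secure place."""
    return {name: checksum(data) for name, data in files.items()}

def changed_files(files, stored):
    """Names whose current checksum differs from the stored one, or that were
    added since the baseline. Reports *that* a file changed, not *what* did it."""
    return sorted(name for name, data in files.items()
                  if not hmac.compare_digest(checksum(data), stored.get(name, "")))

def infect(files, name, code=b"\xebVIRUS-APPENDED"):
    """Model a parasitic file virus appending itself (constructed marker bytes)."""
    copy = dict(files)
    copy[name] = copy[name] + code
    return copy

def demo():
    stored = take_baseline(CLEAN_FILES)
    infected = infect(CLEAN_FILES, "ls")
    detected = changed_files(infected, stored)            # ['ls']
    # Vulnerability from the slide: recomputing the baseline while the file is
    # already infected silently blesses the virus.
    stored_after_reset = take_baseline(infected)
    missed = changed_files(infected, stored_after_reset)  # []
    return detected, missed

if __name__ == "__main__":
    print(demo())   # (['ls'], [])
```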
Antivirus Programs
- Antivirus programs are also called vaccines or virus checkers
- They use pattern-matching techniques to examine program files for patterns of virus code
- Two drawbacks:
  - They cannot find viruses not in their database
  - They cannot find new viruses that alter themselves to evade detection
- Use antivirus programs that offer frequent updates and monitor system functions
- Check disks that were used on another system for viruses

Summary
- How things go wrong
  - Change in environment
  - Bound and syntax checking
  - Convenient but dangerous design features
  - Escapes from controlled invocation
  - Bypass at a lower layer
  - Flaws in protocol implementation
- Virus
  - What is a Computer Virus?
  - Virus Effects
  - Virus Infections
  - Virus Components
  - Virus Types