Lecture 14 Overview

Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650 Lecture 14: Program Flaws

Security Flaws by Genesis Genesis – Intentional Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus Non-malicious – Inadvertent Validation error Domain error Serialization error Identification/authentication error Other error 3 CS 450/650 Lecture 14: Program Flaws

Flaws by time Time of introduction – During development Requirement/specification/design Source code Object code – During maintenance – During operation 4 CS 450/650 Lecture 14: Program Flaws

Flaws by Location Location – Software Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other Support tools: privileged utilities, unprivileged utilities Application – Hardware 5 CS 450/650 Lecture 14: Program Flaws

Malware Evolution 1980s – Malware for entertainment (pranks) – 1983: “virus” – 1988: Internet Worm 1990s – Malware for social status / experiments – 1990: antivirus software Early 2000s – Malware to spam Mid 2000s – Criminal malware CS 450/650 Lecture 14: Program Flaws 6

Lecture 15 Malicious Codes CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips

Kinds of Malicious Codes Virus: a program that attaches copies of itself into other programs. – Propagates and performs some unwanted function – Viruses are not programs – Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it. 8 CS 450/650 Lecture 15: Malicious Codes

Kinds of Malicious Code Worm: a program that propagates copies of itself through the network. – Independent program. – May carry other code, including programs and viruses. – Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines. 9 CS 450/650 Lecture 15: Malicious Codes

Kinds of Malicious Code Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources – Denying the user access to the resources Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered – When triggered, malicious code is executed 10 CS 450/650 Lecture 15: Malicious Codes

Kinds of Malicious Code Trojan Horse: secret, undocumented routine embedded within a useful program – Execution of the program results in execution of secret code Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication Dropper: Not a virus or infected file – When executed, it installs a virus into memory, on to the disk, or into a file 11 CS 450/650 Lecture 15: Malicious Codes

Malware Proliferation (Microsoft Security Intelligence Report 6)‏ CS 450/650 Lecture 15: Malicious Codes 12

Malware Families CS 450/650 Lecture 15: Malicious Codes 13

Regional Threat Categories (Microsoft Security Intelligence Report 6)‏ CS 450/650 Lecture 15: Malicious Codes 14

Virus Lifecycle Dormant phase: the virus is idle – not all viruses have this stage Propagation phase: the virus places an identical copy of itself into other programs of into certain system areas Triggering phase: the virus is activated to perform the function for which it was created Execution phase: the function is performed – The function may be harmless or damaging 15 CS 450/650 Lecture 15: Malicious Codes

Virus Types Parasitic virus: – Attaches itself to a file and replicates when the infected program is executed – most common form Memory resident virus: – lodged in main memory as part of a resident system program – Virus may infect every program that executes 16 CS 450/650 Lecture 15: Malicious Codes

Virus Types Boot Sector Viruses: – Infects the boot record and spreads when system is booted – Gains control of machine before the virus detection tools – Very hard to notice Macro Virus: – virus is part of the macro associated with a document 17 CS 450/650 Lecture 15: Malicious Codes

Virus Types Stealth virus: – A form of virus explicitly designed to hide from detection by antivirus software Polymorphic virus: – A virus that mutates with every infection making detection by the “signature” of the virus difficult 18 CS 450/650 Lecture 15: Malicious Codes

How Viruses Append 19 Original program virus Original program virus Virus appended to program += CS 450/650 Lecture 15: Malicious Codes

How Viruses Append 20 Original program virus Original program Virus-1 Virus surrounding a program += Virus-2 CS 450/650 Lecture 15: Malicious Codes

How Viruses Append 21 Original program virus Original program Virus-1 Virus integrated into program += Virus-2 Virus-3 Virus-4 CS 450/650 Lecture 15: Malicious Codes

How Viruses Gain Control Virus V has to be invoked instead of target T – V overwrites T – V changes pointers from T to V 22 CS 450/650 Lecture 15: Malicious Codes

High risk virus properties Hard to detect Hard to destroy Spread infection widely Can re-infect Easy to create Machine independent 23 CS 450/650 Lecture 15: Malicious Codes

Virus Signatures Storage pattern – Code always located on a specific address – Increased file size Execution pattern Transmission pattern Polymorphic Viruses 24 CS 450/650 Lecture 15: Malicious Codes

Antivirus Approaches Detection: – determine infection and locate the virus Identification: – identify the specific virus Removal: – remove the virus from all infected systems, so the disease cannot spread further Recovery: – restore the system to its original state 25 CS 450/650 Lecture 15: Malicious Codes

Preventing Virus Infection Prevention: – Good source of software installed – Isolated testing phase – Use virus detectors Limit damage: – Make bootable diskette – Make and retain backup copies important resources 26 CS 450/650 Lecture 15: Malicious Codes

Nyxem Virus Estimate of total number of infected computers is between 470K and 945K At least 45K of the infected computers were also compromised by other forms of spyware or botware Spread 27 CS 450/650 Lecture 15: Malicious Codes

Worm Self-replicating (like virus) Objective: system penetration (intruder) Phases: dormant, propagation, triggering, and execution Propagation: – Searches for other systems to infect e.g., host tables – Establishes connection with remote system – Copies itself to remote system – Execute 28 CS 450/650 Lecture 15: Malicious Codes

Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours Spread 29 CS 450/650 Lecture 15: Malicious Codes

Sapphire/Slammer Worm was the fastest computer worm in history – doubled in size every 8.5 seconds – infected more than 90 percent of vulnerable ~75K hosts within 10 minutes. 30 CS 450/650 Lecture 15: Malicious Codes

Witty Worm reached its peak activity after approximately 45 minutes – at which point the majority of vulnerable hosts had been infected World USA 31 CS 450/650 Lecture 15: Malicious Codes