Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trojan Horses Viruses Worms

Published byRoy Heath Modified over 6 years ago

Similar presentations

Presentation on theme: "Trojan Horses Viruses Worms"— Presentation transcript:

1 Trojan Horses Viruses Worms
Malicious Logic Trojan Horses Viruses Worms 2004 CS 395: Computer Security

2 Introduction Malicious Logic: a set of instructions that cause violation of security policy Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside Example: Name the following script ls and place in a directory Set UID of /tmp.xxsh to UID of person executing this script Remove this script and run ls 2004 CS 395: Computer Security

3 Trojan Horses Trojan Horse: A program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect In example, overt action is to list files, covert is to create shell that is setuid to user executing script There is a key notion here of ``tricked’’ In the example script, if user root executed this unintentionally by typing ls in a directory, then we have a security policy violation. If root types out these lines and runs them intentionally, no violation Key problem: system does not know whether user really intends to run specific set of instructions 2004 CS 395: Computer Security

4 Example: NetBus Program that allows attacker to control Windows NT workstation remotely Can download and upload files, intercept mouse or key strokes, generally be sysadmin Requires small NetBus server on target machine Placed in several small game programs and other ``fun’’ stuff, then distributed to web sites where unsuspecting users would likely download them 2004 CS 395: Computer Security

5 Propogating Trojan Horse
Propogating Trojan Horse: (also replicating Trojan Horse) is a Trojan Horse that creates a copy of itself. Ex. Ken Thompson’s compiler Added Trojan horse to login program so it accepted a specific password in addition to user’s password Placed code that does this into compiler, so it would add it whenever it saw a login call. (So not visible in login code) Placed the Trojan horse for compiler into compiler binary, so if compiler was recompiled it would always include the trojan horse for login. Replaced source for compiler with clean source for compiler. 2004 CS 395: Computer Security

6 Computer Virus Computer Virus: A program that inserts itself into one or more files and then performs some (possibly null) action Insertion Phase: virus inserts itself into file Execution Phase: the action is performed 2004 CS 395: Computer Security

7 Virus Pseudocode 2004 CS 395: Computer Security

8 Virus A Trojan Horse? Some say YES: Purpose of infected program is overt action, injections and execution phase is the covert action Some say NO: Virus has no covert purpose. Its overt purpose is to infect and execute. Who cares. Bottom line is that defenses against Trojan horses inhibit viruses. 2004 CS 395: Computer Security

9 Some History 1983: Fred Cohen (at time grad student at USC) designed virus to acquire privileges on VAX-11/750 running Unix. Obtained all system rights within half hour on average Because virus didn’t degrade response time, most users never knew system under attack 1984: Experiment on UNIVAC 1108 showed virus could infect that system UNIVAC partially implemented Bell-LaPadula Model, using mandatory protection mechanisms Showed that if a system does not prohibit writing using mandatory access controls, then system does little, if anything, to prohibit virus propagation 2004 CS 395: Computer Security

10 More History 1986-87: Brain (Pakistani) virus infects IBM PCs
Alters boot sectors of floppy disks, possibly corrupting files. Spreads to any uninfected floppy inserted into system. Numerous variations have been reported 1987: MacMag Peace virus Infect Mac, Amiga, among others Prints ``universal message of peace’’ on March 2, 198, then deletes itself. Infected copies of Aldus FreeHand program, which were subsequently recalled by manufacturer 2004 CS 395: Computer Security

11 Still More History 1987: Tom Duff experiments on Unix with small virus that copies itself into executable files. Not virulent, but when placed in 48 programs on heavily used machine, spread to 46 different systems and 466 files in 8 days. Duff did not violate security mechanism by seeding files Wrote another virus in Bourne shell script. It could attach itself to any Unix program Demonstrated that viruses are not intrinsically machine-dependent and can spread to systems of varying architectures 2004 CS 395: Computer Security

12 Ok, Even More History 1989: Harold Highland develops Lotus 1-2-3 virus
Virus stored as set of commands for spreadsheet Loads automatically when file opened Was for demo only, so it changed the value in specific row and column then spread to other files. Demonstrated that macros for office programs on PCs could contain viruses. 2004 CS 395: Computer Security

13 Virus Types Boot Sector Infectors Executable Infectors
Multipartite Viruses TSR Viruses Stealth Viruses Encrypted Viruses Polymorphic Viruses Macro Viruses 2004 CS 395: Computer Security

14 Boot Sector Viruses Boot sector is the part of a disk used to bootstrap the system or mount a disk Code in boot sector is executed when system sees disk for first time Boot sector virus is one that inserts itself into the boot sector of a disk When system or disk boots, virus is executed Original boot sector code is moved 2004 CS 395: Computer Security

15 Example: Brain Virus When system boots from infected disk, virus is in boot sector and is loaded. Moves disk interrupt vector (location 0x13) to location 0x6d and sets disk interrupt location to invoke Brain virus. Brain virus then loads original boot sector and continues the boot When user reads another floppy, interrupt at 0x13 is invoked, calling Brain virus If value 0x1234 in word at location 0x4 of new disk, boot continues normally. If not, disk is infected Infection sometimes overwrite some sectors, thus the sometimes destructive nature of the Brain virus 2004 CS 395: Computer Security

16 Executable Infectors Executable infector: virus that infects executable programs On PC these are COM or EXE viruses because of the file types they infect Viruses prepends or appends itself to executable 2004

17 Example: Jerusalem Virus
Triggered when infected program is executed Virus puts value 0x0e0 into ax register and invokes DOS service interrupt (0x21) If on return the high eight bits of ax contain 0x3, virus is already on system and original program is invoked If not, virus sets itself up to respond to traps to DOS service interrupt vector 2004 CS 395: Computer Security

18 Example: Jerusalem Virus
Virus checks date if a Friday the 13th and year is not 1987, virus sets flag in memory to delete files instead of infecting them In memory, virus checks all calls to DOS service interrupt, looking for files to be executed (service call 0x4b00) Virus checks file name, and deletes file if destruct bit set (except for COMMAND.COM file) Virus checks last five bytes of file. If string MsDos, file is infected If not, virus checks whether name of file ends in E or M, in which case virus infects it (assuming its a COM or EXE file) 2004 CS 395: Computer Security

19 Multipartite Viruses Virus that can infect either boot sectors or applications Virus typically has two parts, one for each type. Appropriate part is invoked depending on circumstances 2004 CS 395: Computer Security

20 TSR Viruses Terminate and Stay Resident (TSR) virus is one that stays active (resident) in memory after application (or bootstrapping or disk mounting) has terminated. Can be boot sector or executable infectors Brain and Jerusalem are both TSR viruses Non TSR viruses execute only when host application is executed (or infected disk mounted, etc) 2004 CS 395: Computer Security

21 Stealth Viruses Stealth viruses are those that conceal the infection of files Intercept calls to the OS that access files If call is for file attributes, original (uninfected) file attributes returned If call is to read file, uninfected version is returned If call is to execute file, infected file is executed 2004 CS 395: Computer Security

22 Example: The Stealth Virus
Also called IDF virus or 4096 virus Modifies DOS service interrupt handler Not interrupt vector. This way inspection of interrupt vectors does not reveal presence of virus If call is for length of file, length of uninfected file returned If request to open file, file is temporarily disinfected, then reinfected when file is closed Changes last modification time for file to indicate the file is not infected 2004 CS 395: Computer Security

23 Encrypted Viruses Virus that enciphers all of the virus code except for a small decryption routine Anti-virus software looks for known sequences of code To fight this, some viruses encipher most of code, leaving only small decryption routine and random cryptographic key in clear 2004

24 Example: 1260 Virus Uses two keys stored in k1 and k2
Virus code begins at location sov and ends at location eov Dual keys and shifting of first key prevent simple xor from uncovering deciphered virus 2004

25 Polymorphic Viruses A virus that changes its form each time it inserts itself into another program Considered an encrypted virus With straight encrypted virus, decryption portion can be detected! Polymorphic viruses designed to defeat this. They change instructions in virus to something equivalent but different. Technique is used to hide decryption code. All do same thing! 2004 CS 395: Computer Security

26 Example 2004 CS 395: Computer Security

27 Polymorphic Viruses Production of polymorphic viruses has been automated Mutation Engine (ME) Trident Polymorphic Engine (TPE) Polymorphism can occur at different levels A deciphering algorithm may have two different implementations Two different algorithms may produce same result (much harder to detect) 2004 CS 395: Computer Security

28 Macro Viruses A virus that it composed of a sequence of instructions that is interpreted rather than executed directly Conceptually no different from ordinary computer viruses Can execute on any system that can interpret the instructions Can infect executables or data files (data virus) 2004 CS 395: Computer Security

29 Macro Virus If infecting executable, must arrange to be interpreted at some point Ex. Duff’s experiments wrapped executables with shell scripts. Resulting executables invoked Bourne shell which interpreted virus code before invoking usual executable Macro viruses not bound by machine architecture – use specific programs Any system that runs this program can be affected, though effects may differ Ex. MS Word virus will work on PC, Mac, 2004 CS 395: Computer Security

30 Example: Melissa Virus
Infected Word 97 and 98 documents on Windows and Mac systems (written in Visual Basic) Installs itself as the ``open’’ macro and copies itself into the Normal template so that any files that are opened are infected Then invokes mail program and sends copies to names in address book On PC spread was through mail On Mac, most user didn’t use mail program that Melissa invokes, so spread was not via . 2004 CS 395: Computer Security

31 Computer Worms A computer worm is a program that copies itself from one computer to another (as opposed to hitching a ride) Research on worms began in mid-1970s Schopp and Hupp developed distributed programs to do various tasks. These probed workstations, to find idle machines on which they installed code segments do do work. When other work on machine started, segments shut down. 2004 CS 395: Computer Security

32 The Internet Worm Nov. 2, 1988: program targeted Berkeley and Sun Unix based machines. Within hours of introduction to Internet it had rendered thousands of computers unusable Worm inserted instructions into a running process on target machine and arranged for instructions to be executed Recovery required disconnection from network and reboot Several critical programs had to be changed and recompiled to prevent reinfection Worse, program disassembly required to determine whether other malicious effects present Fortunately only purpose of worm was self propagation (could have been much worse!) 2004

33 Internet Worm Worm took advantage of flaws in some standard software installed on Unix systems fingerd is a utility that allows users to obtain information about other users gets is a routine that takes input into a buffer without performing a bounds check sendmail is a program that routes mail in heterogeneous networks 2004 CS 395: Computer Security

34 fingerd Program runs as a daemon (background process)
Allows connections from remote programs Reads single line of input, sends back appropriate output Code used call to gets routine to get input. Worm smashed the stack using this call Unfortunately, several routines remain with such buffer overflow vulnerabilities 2004 CS 395: Computer Security

35 sendmail Operates in several modes: worm exploited debug mode operation Sendmail listens on TCP port 25 for attempts to deliver mail using simple mail transfer protocol (SMTP) When contacted, sendmail enters into dialog to determine sender, etc. Worm used DEBUG command to specify the recipient of the message as a set of commands instead of a user address This is not allowed in normal mode In debug mode, allows testers to verify mail is arriving without having to invoke address resolution routines That is, testers can run programs to show state of mail system without separate login connection or having to send mail 2004 CS 395: Computer Security

36 Aside: Unix Passwords Passwords encrypted with premuted version of DES and ciphertext stored in world-readable accounting file Worm used dictionary attack to break passwords (sometimes as many as 50% of the passwords on a system) Unix now stores passwords in shadow password file that can only be accessed by sysadmin And encryption is done using a privileged routine that delays return for a second or so (prevents online testing) 2004 CS 395: Computer Security

37 Aside: Trusted Logins BSD Unix has nice support for login from remote machines One can specify a list of host/login name pairs that are assumed to be trusted. Login with these pairs does not require a password hosts.equiv and .rhosts files Worm exploited this by trying to locate machines that might trust the current machine How do you think it did this? When one found, worm placed itself on the target machine 2004 CS 395: Computer Security

38 Internet Worm (High level description)
Main program: collect info on other machines on network to which current machine could connect Read config files Run system utilities to get info about current state of network connections Used previously mentioned flaws to attempt to establish bootstrap on these machines. 2004 CS 395: Computer Security

39 Internet Worm (High Level Description)
Bootstrap program: 99 lines of C code that would be compiled and run on remote machine Once transferred to target machine, it was compiled and invoked with three command line arguments Network address of infecting machine Number of network port to connect to on machine to get copies of the main worm files Magic number that acted as one-time challenge password If worm on remote host and port didn’t receive magic number back, it would immediately disconnect from bootstrap program Possibly to prevent someone from capturing a copy of the worm by spoofing a Worm server 2004 CS 395: Computer Security

40 Internet Worm (High Level Description)
Bootstrap program: Connect back with worm that originated it and transfer a set of precompiled code (binaries) to local machine These binaries represented versions of the main program for various OS versions and machine architectures. Once binaries transferred, loaded and linked with standard library routines on host machine, then one by one run. 2004 CS 395: Computer Security

41 Father Christmas Worm Electronic Christmas Card passed around IBM-base networks Card was letter instructing recipient to save letter and run as a program. Program drew Christmas Tree (with blinking lights!) and printed Merry Christmas Program checked recipients list of previously received mail as well as address book, then sent itself to all these addresses Overwhelmed network and forced shutdown Macro worm written in high-level job control language 2004 CS 395: Computer Security

42 Rabbits and Bacteria Program that absorbs all of some class of resource Program copies multiply so fast that resources exhausted. A class of denial of service attack. Ex. (Dennis Ritchie) This will exhaust disk space or inode tables on a Unix Version 7 system 2004 CS 395: Computer Security

43 Examples Internet worm: Father Christmas:
During infection, opened a port on target machine. When another worm tried to infect machine, it checked port. If opened it assumed machine infected. But apparently to thwart sysadmins opening a small program on that port, every sixth attack it ignored the check. Lead to many copies of the worm on single machine. These consumed the CPU. Father Christmas: Created so much network traffic that network became unusable and had to be shut down 2004 CS 395: Computer Security

44 Question: Is there an algorithm that can determine if an arbitrary program contains replicating code? 2004 CS 395: Computer Security

45 Answer (Cohen): No such algorithm can exist
Answer (Cohen): No such algorithm can exist. It is provably undecidable whether an arbitrary program contains a computer virus. 2004 CS 395: Computer Security

46 Logic Bomb Logic bomb is a program that performs an action that violates the security policy when some external event occurs E.g. program attacks on specific date Disaffected employees who plant Trojan horses in systems often use logic bombs E.g. delete entire payroll roster when employee’s name is deleted 2004 CS 395: Computer Security

47 Example Early 1980s: program posted to USENET promised to make administering systems easier Directions: Unpack shar archive containing program Compile program and install as root Midway down the shar archive: 2004 CS 395: Computer Security

Download ppt "Trojan Horses Viruses Worms"

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.

C risis And A ftermath Eugene H. Spafford 발표자 : 손유민.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.
Fall 2008CS 334: Computer SecuritySlide #1 Malicious Logic Trojan Horses Viruses Worms.

Fall 2008CS 334: Computer SecuritySlide #1 Malicious Logic Trojan Horses Viruses Worms.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.

Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Malicious Logic What is malicious logic Defenses

Malicious Logic What is malicious logic Defenses
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.

1 Malicious Logic CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 25, 2004.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Similar presentations

Ads by Google