1. Viruses, Worms, Zombies, and other Beasties
(Based on Susan Whittemore, Sanjeev Arora, Alex Halderman, and Steve Shenfield)

2. The Threat Landscape
Impact: Costly regulatory inquiries and penalties, consumer and shareholder lawsuits, loss of consumer confidence
Motivation: Financial gain
2017 Outlook: Cyber-extortion will continue to rise
Impact: Competitive advantage, trade secret disclosure, operational disruption, brand and reputation
Motivation: Personal advantage, monetary gain, professional revenge, patriotism
2017 Outlook: More organizations will implement insider threat mitigation programs and processes
Impact: Disruption of business activities, brand and reputation, loss of consumer confidence
Motivation: Negatively impact reputation, drive attention to a cause, pressure for change
2017 Outlook: Expected to escalate attack methods with high-profile data breaches
Impact: loss of competitive advantage, disruption to critical infrastructure
Motivation: Economic, political, and/or military advantage
2017 Outlook: Will continue to strengthen their defensive and offensive cyber skills

3. Cybersecurity The cost and risks of cyber attacks are increasing
Cyber Threat Landscape
Cybersecurity events and costs are increasing:
79% of survey respondents detected a security incident in the past 12 months1
Average total cost of a data breach increased 23% over the past two years2
Average cost paid for each lost / stolen record increased 6%1
Industry Outlook
Data breaches are expected to reach $2.1 trillion globally by 20193
76% of survey respondents1 were more concerned about cybersecurity threats than in previous 12 months:
Increase from 59% in 2014
Reputational Risk
An IT security breach can have serious implications in how a company is perceived:
46% of companies suffered damage to reputation & brand value due to a security breach4
19% of companies suffered damage to reputation & brand value due to a third-party security breach or IT system failure4
The risk of losing customer trust is significant and rising:
82% of customers would consider leaving an institution that suffered a data breach5
Source: 1U.S. State of Cybercrime Survey, 2Ponemon Institute, 3Juniper Research , 4Forbes

4. 1 million cybersecurity job openings globally in 2016*4
*Cisco, 2016; 1Information System Security Certification Consortium, 2015;PricewaterhouseCoopers, 2015; Burning Glass, 2015; ISC2, 2015; Cybersecurity Ventures, 2016

5. Encryption Encryption strongly protects data en route
You
Amazon.com
Encryption strongly protects data en route
Today’s story: Attacker can compromise your computer without breaking encryption.

6. Encrypted ≠ Secure
You
Amazon.com
Break into your computer and “sniff” keystrokes as you type

7. Spoofing Attacks Attacker impersonates the merchant (“spoofing”)
Amaz0n.com’s key
Amaz0n.com
You
s to update your account information (ebay, bank, …)
Attacker impersonates the merchant (“spoofing”)
Your data is encrypted… …all the way to the bad guy!

8. Breaking into a Computer
What does it mean?
How is it done?
Can we prevent it?

9. What’s at Stake? Other fears: cybercrime, terrorism, etc.
Kinds of damage caused by insecurity
Nuisance: spam, …
Data erased, corrupted, or held hostage
Valuable information stolen (credit card numbers, trade secrets, etc.)
Services made unavailable ( and web site outages, lost business)
Hostage (break into your computer and encrypt files)
Information = $
Bring down a web site like Amazon or airline - cost them $
Other fears: cybercrime, terrorism, etc.

10. Main themes of today’s lecture
Self-reproducing programs: viruses, worms, zombies
Other threats to computer security
Internet = Today’s Wild West
There is no silver bullet against cyber crime, but follow good security practices
Wild west - very little policing of internet -> citizens have to look out for themselves
Little police results from architecture of net that also leads to little censure (so there is an upside).

11. Breaking into a Computer
What?
Run unauthorized software
How?
Trick the user into running bad software (“social engineering”)
Exploit software bugs to run bad software without the user’s help
Social engineering

12. Example of “social engineering”: Trojan Horse
CoolScreenSaver.exe

13. Viruses and Worms (Recall self-replicating programs:
Automated ways of breaking in;
Use self-replicating programs
(Recall self-replicating programs:
Print the following line twice, the second time in quotes. “Print the following line twice, the second time in quotes.” )

14. Computer Viruses Must fool users into opening the infected file
Self-replicating programs that spread by infecting other programs or data files
Cool Screen Saver
Notepad
Solitaire
Paint
Payload
Payload
Payload
Payload
Explain that word files can contain programs (macros) and probably good idea not to run them.
Word virus that
Hooks into open and save dialog
Check see if this computer is infected
If not, add itself to MS master template
When you save file it checks to see if file contains virus and if not add it
So this spreads but doesn’t do anything bad
Could check to see if date is after X and if so delete all files on disk (time bomb)
Must fool users into opening the infected file

15. Viruses
Infected program, screen saver, or Word document launches virus when opened
Use social engineering to entice you to open the virus attachment
Self-spreading: after you open it, automatically s copies to everyone in your address book
Other forms of social engineering: downloadable software/games, P2P software, etc.
Examples of social engineering -- urgent title, looks like it’s from your friend

16. David L. Smith Aberdeen, NJ
The Melissa Virus (1999)
Social engineering: says attachment contains porn site passwords
Self-spreading: Random 50 people from address book
Traffic forced shutdown of many servers
$80 million damage
20 months and $5000 fine
Intel, lucent, microsoft -- all shut down corporate for a while while they cleaned up
Deal with FBI to work with them reduced sentence
David L. Smith Aberdeen, NJ

17. Computer Worms
Self-replicating programs like viruses, except exploit security holes in OS (e.g., bugs in networking software) to spread on their own without human intervention
Payload
Payload
Payload
Payload
Payload
Payload
Payload

18. “Can we just develop software to detect a virus/worm?”
[Adleman’88] This task is undecidable. (so no software can work with 100% guarantee)
Current methods: (i) Look for snippets of known virus programs on harddrive (ii) maintain log of activities such as network requests, read/writes to hard-drive and look for “suspicious” trends (iii) look for changes to OS code.
No real guarantee

19. A losing battle? Constant battle between attackers and defenders
Example:
Anti-virus software finds “signature” of known virus
Attacker response: Polymorphic virus – to thwart detection, change code when reproduced
Anti-virus software adapts to find some kinds of polymorphism
But an infinite number of ways to permute viruses available to attackers
Halting problem

20. Example of how worms spread: Buffer Overflow bug
From: COS 116 Staff Subject: Welcome Students!
Return
address
Space reserved for subject
Memory … W e l c o m e S t u d e n t s ! 1 2 6 
memory address:
Buffer overflow bug: Programmer forgot to insert check for whether subject is too big to fit in memory “buffer”
From: Bad Guy Subject: <evil code >100000 …
< e v i l c o d e . . . . . . . . . . . . .
> 1 1 2 6

21. The Morris Worm (1988) First Internet worm
Created by student at Cornell
Exploited holes in servers, other programs
Infected ~10% of the net
Spawned multiple copies, crippling infected servers
Sentenced to 3 years probation, $10,000 fine, 400 hours community service
Wanted to measure the size of internet
Robert Tappan Morris

22. The Slammer Worm (2003) Fastest spreading worm to date
Only 376 bytes—Exploited buffer overflow in Microsoft database server products
Spread by sending infection packets to random servers as fast as possible, hundreds per second
Infected 90% of vulnerable systems within 10 minutes! 200,000 servers
No destructive payload, but packet volume shut down large portions of the Internet for hours
911 systems, airlines, ATMs — $1 billion damage!
Patch already available months previously, but not widely installed
Gridlock
Author never caught

23. Why do people write worms and viruses?
Sometimes because they are
curious / misfits / anarchists / bored…
Once was glory
Now increasingly for profit
Possibly related to military goals
Botnets…

24. Main reason: Botnets
Virus/worm payload: Install bot program on target computer
Bot makes target a zombie, remotely controlled by attacker
Many zombies harnessed into armies called botnets – often 100,000s of PCs

25. Zombies
Attacker’s Program
Bot
Bot program runs silently in the background, awaiting instructions from the attacker

26. Why go to the trouble of creating a botnet?
Can rent these out for $
Can infect them with virus
Can cover your tracks for other activity

27. Reason 1: DDOS Attacks “Distributed Denial of Service”
Objective: Overwhelm target site with traffic.
Example: Wikileaks incidents 2010
“Attack
Extortion -- if you don’t give me $ I’ll launch this attack

28. Reason 2: Sending Spam
Messages are hard to filter because there are thousands of senders
“Forward this message:
Subject: Viagra! …”

29. Other reasons Click fraud.
Commit other cybercrime that is hard to trace

30. Storm Botnet Created via email scam in 2007
spread to a million computers
Owners unknown (believed to be Russian)
Used for DoS and spams, available for “rent”
Fiendishly clever design
distributed control, similar to Kazaa, Gnutella
rapidly morphing code; morphs every hour or so
seems to detect attempts to track/contain it and “punishes” its pursuers

31. And if you weren’t scared enough already…

33. Spyware/Adware Hidden but not self-replicating
Tracks web activity for marketing, shows popup ads, etc.
Usually written by businesses: Legal gray area
Download kazaa the installer puts some extra stuff on your computer

34. International warfare by other means
Stuxnet: Computer worm allegedly created by US and Israeli intelligence to target Iranian nuclear processing faciltiies.

35. Attackers are Adaptive
Defenders must continually adapt to keep up

36. Can we stop computer crime?
Probably not!
Wild West nature of the Internet
Software will always have bugs
Rapid exponential spread of attacks
But we can take steps to reduce risks…
Theory: halting problem
Practice: 1 security bug / 20k lines of code (high quality) 40 million lines == 2k bugs (handful corrected / month)

37. Protecting Your Computer
Six easy things you can do…
Keep your software up-to-date
Use safe programs to surf the ‘net
Run anti-virus and anti-spyware regularly
Add an external firewall
Back up your data
Learn to be “street smart” online

38. Learn Online “Street Smarts”
Be aware of your surroundings
Is the web site being spoofed?
Don’t accept candy from strangers
How do you know an attachment or download isn’t a virus, Trojan, or spyware?
Don’t believe everything you read
may contain viruses or phishing attack – remember, bad guys can forge from your friends

39. First Line of Defense For Users For Businesses
Install system security mechanisms
Protect yourself from being a zombie
For Businesses
Security companies can guard a client’s network
ex) Prolexis Technologies

40. System Security Mechanisms
Firewalls
Switches & Routers
Blackholing
Sinkholing
Clean Pipes
Intrusion Prevention Systems (IPS)

41. Defenses Firewalls Pros Will prevent simple flood attacks
ex) SYN flood
Able to allow or deny protocols, ports, or IP addresses
Cons
Unable to prevent more complex
attacks

42. Defenses Switches & Routers Pros
Both have the ability to limit data rate
Both have network Access Control Lists
ACLs are custom router filters
Able to filter both inbound and outbound traffic
Cons
Most can be easily overwhelmed

43. Routing Technique 1 Blackholing
Attempts to mitigate the impact of an attack
Redirects traffic from attacked DNS or IP address to a “black hole”
Then all traffic will be dropped
Must know IP address of attacker or else legitimate traffic will be dropped as well

44. Routing Technique 2 Sinkholing
Routes suspicious traffic to a valid IP address where it can be analyzed
Capturing traffic and analyzing it can be done with a sniffer
Traffic found to be malicious is rejected
Cons
Unable to react to severe attacks as effectively as blackholing

45. Defenses Continue Clean Pipes
Best used when deployed inside Internet Service Providers (ISPs)
When an attack occurs, traffic is diverted to a cleaning center in the ISP
Here the traffic is “cleaned” by specialized filtering devices and malicious activity is removed
Only legitimate traffic is passed to the destination

46. A Final Defense Intrusion Prevention System(IPS)
Monitors network traffic for malicious activity
Scans both inbound and outbound
Searches for suspicious patterns known as signatures or rules
System logs malicious activity and will attempt to stop it

47. Sources
-4/dos_attacks.html
hmaker.biz/whitepapers/CSISurvey2009.pdf
it-security
10.pdf