Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE331: Introduction to Networks and Security Lecture 32 Fall 2002.

Published byGonzalo Urich Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE331: Introduction to Networks and Security Lecture 32 Fall 2002."— Presentation transcript:

1 CSE331: Introduction to Networks and Security Lecture 32 Fall 2002

2 CSE331 Fall 20022 Recap Malicious Programs –Viruses –Boot Viruses, Memory Resident, Macros Today: –Computer Virus Defenses –Computer Worms

3 CSE331 Fall 20023 “I Love You” Virus/Worm Infection Rate –At 5:00 pm EDT(GMT-4) May 8, 2000, CERT had received reports from more than 650 sites –> 500,000 individual systems VBScript Propagation –Email, Windows file sharing, IRC, USENET news

4 CSE331 Fall 20024 Love Bug Signature –An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS" –A subject of "ILOVEYOU" –Message body: "kindly check the attached LOVELETTER coming from me."

5 CSE331 Fall 20025 Love Bug Behavior Replaced certain files with copies of itself –Based on file extension (e.g..vbs,.js,.hta, etc) Changed Internet Explorer start page –Pointed the browser to infected web pages Mailed copies of itself Changed registry keys

6 CSE331 Fall 20026 Detecting Viruses Scanning Integrity checking Heuristic detection

7 CSE331 Fall 20027 Virus Signatures Viruses can’t be completely invisible: –Code must be stored somewhere –Virus must do something when it runs Fragments of the virus code itself –Strings “kindly check the attached LOVELETTER” Effects on the computing environment –Changes to the Windows registry Propagation Behavior –Copying/modifying system files.

8 CSE331 Fall 20028 Virus Scanners Search the system for virus signatures –Main memory –All files in file system –Should also check boot sector When to scan? –On access (when a program is run) –On demand (at user’s request, or scheduled) –When e-mail is received? –Before web content is displayed?

9 CSE331 Fall 20029 Virus Scanning: Pros & Cons Pros –Effectively detects known viruses before they can cause harm –Few false alarms Cons –Can detect only viruses with known signatures –Signature set must be kept up to date –Virus writers can easily change virus signatures

10 CSE331 Fall 200210 Integrity Checks Virus scanner computes hash or checksum of executable files –Assumed to be virus free! –Stores the hash information Verifies new hash vs. saved one during scan

11 CSE331 Fall 200211 Integrity Checks: Pros & Cons Pros –Can detect corruption of executables too –Reliable –Doesn’t require virus signatures Cons –False positives (i.e. recompilation) –Can’t use it on documents (they change too often) –Not supported by most vedors

12 CSE331 Fall 200212 Heuristic Detection Collection of ad hoc rules that identifies virus behavior or virus-like programs –Modification of system executables –Modification of “template documents” like normal.doc –Self-modifying and self-referential code –…

13 CSE331 Fall 200213 Heuristics: Pros & Cons Pros –Perhaps able to detect unknown viruses Cons –Heuristics are hard to develop –Too may false positives

14 CSE331 Fall 200214 Polymorphic Viruses Virus writers know that virus signatures are the most effective way to detect viruses Polymorphic viruses mutate themselves during replication to prevent detection –Virus should be capable of generating many different descendents –Simply embedding random numbers into virus code is not enough

15 CSE331 Fall 200215 Strategies for Polymorphic Viruses Change data: –Use different subject lines in e-mail Encrypt most of the virus with a random key –Virus first decrypts main body using random key –Jumps to the code it decrypted –When replicating, generate a new key and encrypt the main part of the replica Still possible to detect decryption portion of the virus using virus signatures

16 CSE331 Fall 200216 Advanced Polymorphic Viruses Randomly modify the decryption portion of the virus by: –Inserting no-op instructions: subtract 0, move value to itself –Reordering independent instructions –Using different variable/register names –Using equivalent instruction sequences y = x + x vs. y = 2 * x

17 CSE331 Fall 200217 CERT Advice 1 Use virus protection software Use a firewall Don't open unknown email attachments Don't run programs of unknown origin Disable hidden filename extensions Keep all applications, including your operating system, patched

18 CSE331 Fall 200218 Cert Advice 2 Turn off your computer or disconnect from the network when not in use Disable Java, JavaScript, and ActiveX if possible Disable scripting features in email programs Make regular backups of critical data Make a boot disk in case your computer is damaged or compromised

19 CSE331 Fall 200219 Internet Worms November 2, 1988 Robert T. Morris Jr. unleashed Internet worm –Graduate student at Cornell University –Convicted in 1990 of violating Computer Fraud and Abuse Act –$10,000 fine, 3 yr. Suspended jail sentence, 400 hours of community service –Son of the chief scientist at the National Computer Security Center -- part of the National Security Agency –Today he’s a professor at MIT

20 CSE331 Fall 200220 Morris Worm Transmission Find user accounts on the target machine –Dictionary attack on /etc/passwd –If it found a match, it would log in and try the same username/password on other local machines Exploit bug in fingerd –Classic buffer overflow attack Exploit trapdoor in sendmail –Programmer left DEBUG mode in sendmail, which allowed sendmail to execute an arbitrary shell command string.

21 CSE331 Fall 200221 Morris Worm Infection Sent a small loader to target machine –99 lines of C code –It was compiled on the remote platform (cross platform compatibility) –The loader program transferred the rest of the worm from the infected host to the new target. –Used authentication! To prevent sys admins from tampering with loaded code. –If there was a transmission error, the loader would erase its tracks and exit.

22 CSE331 Fall 200222 Morris Worm Stealth When loader obtained full code –It put into main memory and encrypted –Original copies were deleted from disk –(Even memory dump wouldn’t expose worm) Worm periodically changed its name and process ID

23 CSE331 Fall 200223 Effects Resource exhaustion –Denial of service –There was a bug in the loader program that caused many copies of the worm to be spawned per host System administrators cut their network connections –Couldn’t use internet to exchange fixes! 6,000 networks were shut down or disconnected –Down for several days –Damage estimates: $100,000 — $97 Million

Download ppt "CSE331: Introduction to Networks and Security Lecture 32 Fall 2002."

Similar presentations

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
30/04/2015Tim S Roberts 20081 COIT13152 Operating Systems T1, 2008 Tim S Roberts.

30/04/2015Tim S Roberts COIT13152 Operating Systems T1, 2008 Tim S Roberts.
Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.

Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Lecturer: Fadwa Tlaelan

Lecturer: Fadwa Tlaelan
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
CSE331: Introduction to Networks and Security Lecture 31 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 31 Fall 2002.
CSE331: Introduction to Networks and Security Lecture 33 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 33 Fall 2002.
1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Computer Viruses (and other “Malicious Programs) Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Computer Viruses By Patsy Speer What is a Virus? Malicious programs that cause damage to your computer, files and information They slow down the internet.

Computer Viruses By Patsy Speer What is a Virus? Malicious programs that cause damage to your computer, files and information They slow down the internet.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Similar presentations

Ads by Google