Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malicious Logic What is malicious logic Defenses

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Malicious Logic What is malicious logic Defenses"— Presentation transcript:

1 Malicious Logic What is malicious logic Defenses
Computer Security: Art and Science © Matt Bishop

2 Malicious Logic Set of instructions that cause site security policy to be violated Computer Security: Art and Science © Matt Bishop

3 Example Shell script on a UNIX system:
cp /bin/sh /tmp/.xyzzy chmod u+s,o+x /tmp/.xyzzy rm ./ls ls $* Place in program called “ls” and trick someone into executing it You now have a setuid-to-them shell! UNIX assigns a user-id to each user. The user-id ranges from 0 to 65,535. Each login name corresponds to a single user-id. More than one login name could be mapped to the same user-id. A special class of programs called setuid program create processes that have effective uids of the owner of the program, rather than the user process that initiates it. So, rights are that of the owner. chmod u+s - set the setuid bit O+x – for owner + execute permissions Together it means, change the permission to owners’s permission and allow owner to execute it. If the root runs this program, then you now have a shell calle /tmp/,xyzzy that has root access. So, you can later login and run that shell with root access. Computer Security: Art and Science © Matt Bishop

4 Trojan Horse Program with an overt purpose (known to user) and a covert purpose (unknown to user) Often called a Trojan Named by Dan Edwards in Anderson Report Example: previous script is Trojan horse Overt purpose: list files in directory Covert purpose: create setuid shell Computer Security: Art and Science © Matt Bishop

5 Violation of security policy
It is a violation if a user is tricked into running the modified “ls” script. It is not a violation if a user accidentally typed in the first two statements. Therefore, it is difficult to detect intent and hence whether it is malicious or not. Computer Security: Art and Science © Matt Bishop

6 Example: NetBus Designed for Windows NT system
Victim uploads and installs this Usually disguised as a game program, or in one Acts as a server, accepting and executing commands for remote administrator This includes intercepting keystrokes and mouse motions and sending them to attacker Also allows attacker to upload, download files Patch.exe, SysEdit.exe (server name) Modifies system registry, so it starts automatically on system startup Back Orifice – smaller and can gain access and then download NetBus Use anti-virus software to detect and remove. NetBuster pretends to be NetBus. NetBus = NetPrank in Swedish. Computer Security: Art and Science © Matt Bishop

7 Replicating Trojan Horse
Trojan horse that makes copies of itself Also called propagating Trojan horse Early version of animal game used this to delete copies of itself Hard to detect 1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler 1980s: Thompson implements this Computer Security: Art and Science © Matt Bishop

8 Thompson's Compiler Modify the compiler so that when it compiles login , login accepts the user's correct password or a fixed password (the same one for all users) Then modify the compiler again, so when it compiles a new version of the compiler, the extra code to do the first step is automatically inserted Recompile the compiler Delete the source containing the modification and put the undoctored source back The program in question was actually the preprocessor cpp(1), not the compiler proper (ccom). Question: how do you fix this? Your login source is right, and if you get suspicious and check your compiler source, it is too. You can even recompile both! Computer Security: Art and Science © Matt Bishop

9 The Login Program user password login source correct compiler
login executable logged in user password or Top part: giving the login program to the undoctored compiler gets you the correct login executable. Bottom part: giving the login program to the doctored compiler gets you a login program that accepts either the right password or the magic password. In both cases it is the same login source. magic password login source doctored compiler login executable logged in Computer Security: Art and Science © Matt Bishop

10 The Compiler login source compiler source correct compiler
compiler executable correct login executable Top part: giving the compiler program to the undoctored compiler gets you the correct compiler executable. Bottom part: giving the compiler program to the doctored compiler gets you a compiler program that adds the bogus code to the login program,. In both cases it is the same compiler source. login source compiler source doctored compiler compiler executable rigged login executable Computer Security: Art and Science © Matt Bishop

11 Comments Great pains taken to ensure second version of compiler never released Finally deleted when a new compiler executable from a different system overwrote the doctored compiler The point: no amount of source-level verification or scrutiny will protect you from using untrusted code Also: having source code helps, but does not ensure you’re safe Computer Security: Art and Science © Matt Bishop

12 Computer Virus Program that inserts itself into one or more files and performs some action Insertion phase is inserting itself into file Execution phase is performing some (possibly null) action Insertion phase must be present Need not always be executed Lehigh virus inserted itself into boot file only if boot file not infected Erased the disk if the counter was 4. Computer Security: Art and Science © Matt Bishop

13 Pseudocode beginvirus: if spread-condition then begin for some set of target files do begin if target is not infected then begin determine where to place virus instructions copy instructions from beginvirus to endvirus into target alter target to execute added instructions end; perform some action(s) goto beginning of infected program endvirus: Computer Security: Art and Science © Matt Bishop

14 Trojan Horse Or Not? Yes No Semantic, philosophical differences
Overt action = infected program’s actions Covert action = virus’ actions (infect, execute) No Overt purpose = virus’ actions (infect, execute) Covert purpose = none Semantic, philosophical differences Defenses against Trojan horse also inhibit computer viruses Computer Security: Art and Science © Matt Bishop

15 History of virus Programmers for Apple II wrote some Fred Cohen
Not called viruses; very experimental Fred Cohen Graduate student at USC who described them Teacher (Adleman) named it “computer virus” Tested idea on UNIX systems and UNIVAC 1108 system Computer Security: Art and Science © Matt Bishop

16 Cohen’s Experiments UNIX systems: goal was to get superuser privileges
Max time 60m, min time 5m, average 30m Virus small, so no degrading of response time UNIVAC 1108 system: goal was to spread Mechanisms of systems that did not inhibit writing using mandatory access controls did little to prohibit virus propagation. Mandatory Access Control (MAC) system mechanism controls access to object, and individual cannot alter that access Rule-based access control Computer Security: Art and Science © Matt Bishop

17 First Reports Brain (Pakistani) virus (1986) Written for IBM PCs
Alters boot sectors of floppies, spreads to other floppies Slows down the floppy disk drive. Does not affect hard disk drives. Computer Security: Art and Science © Matt Bishop

18 First Reports MacMag Peace virus (1987) Written for Macintosh
Prints “universal message of peace” on March 2, 1988 and deletes itself 1st anniversary of Macintosh II introduction Computer Security: Art and Science © Matt Bishop

19 More Reports Duff’s experiments (1987)
Small virus placed on UNIX system, spread to 46 systems in 8 days Attached to a Bourne shell script Showed that viruses are not intrinsically machine-dependent Highland’s Lotus virus (1989) Stored as a set of commands in a spreadsheet and loaded when spreadsheet opened Changed a value in a specific row, column and spread to other files Lotus is a spreadsheet program from IBM. Computer Security: Art and Science © Matt Bishop

20 Types of Viruses Boot sector infectors Executable infectors
Multipartite viruses TSR viruses Stealth viruses Encrypted viruses Polymorphic viruses Macro viruses Computer Security: Art and Science © Matt Bishop

21 Boot Sector Infectors A virus that inserts itself into the boot sector of a disk Section of disk containing code Executed when system first “sees” the disk Including at boot time …  Example: Brain virus Computer Security: Art and Science © Matt Bishop

22 Executable Infectors A virus that infects executable programs
Can infect either .EXE or .COM on PCs May prepend itself (as shown) or put itself anywhere, fixing up binary so it is executed at some point Computer Security: Art and Science © Matt Bishop

23 Executable Infectors (con’t)
Jerusalem (Israeli) virus Checks if system infected If not, set up to respond to requests to execute files Checks date If not 1987 or Friday 13th, set up to respond to clock interrupts and then run program Otherwise, set destructive flag; will delete, not infect, files Then: check all calls asking files to be executed Do nothing for COMND.COM Otherwise, infect or delete Error: doesn’t set signature when .EXE executes So .EXE files continually reinfected Computer Security: Art and Science © Matt Bishop

24 Multipartite Viruses A virus that can infect either boot sectors or executables Typically, two parts One part boot sector infector Other part executable infector Computer Security: Art and Science © Matt Bishop

25 TSR Viruses A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed TSR is “Terminate and Stay Resident” Examples: Brain, Jerusalem viruses Stay in memory after program or disk mount is completed Computer Security: Art and Science © Matt Bishop

26 Stealth Viruses A virus that conceals infection of files
Example: IDF virus modifies DOS service interrupt handler as follows: Request for file length: return length of uninfected file Request to open file: temporarily disinfect file, and reinfect on closing Request to load file for execution: load infected file Compromises the FAT table, because it appends to executables. Israeli Defense Forces Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, and Frodo virus) Types: Two known versions (also see note 1 about Fish virus) Platform: MS-DOS computers running DOS 3.x or 4.x ; does not appear to infect files in DOS 2.x Damage: Can damage files by destructive cross-linking Symptoms: May slow system performance somewhat; may cause the system to crash/hang, or may create hard disk errors; may write "FRODO LIVES" on screen on or after September 22, 1990 (one variant only) Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for information about these products) Computer Security: Art and Science © Matt Bishop

27 Encrypted Viruses A virus that is enciphered except for a small deciphering routine Detecting virus by signature now much harder as most of virus is enciphered Computer Security: Art and Science © Matt Bishop

28 Example (* Decryption code of the 1260 virus *) (* initialize the registers with the keys *) rA = k1; rB = k2; (* initialize rC with the virus; starts at sov, ends at eov *) rC = sov; (* the encipherment loop *) while (rC != eov) do begin (* encipher the byte of the message *) (*rC) = (*rC) xor rA xor rB; (* advance all the counters *) rC = rC + 1; rA = rA + 1; end Computer Security: Art and Science © Matt Bishop

29 Polymorphic Viruses A virus that changes its form each time it inserts itself into another program Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine At instruction level: substitute instructions At algorithm level: different algorithms to achieve the same purpose Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine) Computer Security: Art and Science © Matt Bishop

30 Example These are different instructions (with different bit patterns) but have the same effect: add 0 to register subtract 0 from register xor 0 with register no-op Polymorphic virus would pick randomly from among these instructions Computer Security: Art and Science © Matt Bishop

31 Macro Viruses A virus composed of a sequence of instructions that are interpreted rather than executed directly Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus spreadsheet virus) Independent of machine architecture But their effects may be machine dependent Computer Security: Art and Science © Matt Bishop

32 Example Melissa Infected Microsoft Word 97 and Word 98 documents
Windows and Macintosh systems Invoked when program opens infected file Installs itself as “open” macro and copies itself into Normal template This way, infects any files that are opened in future Invokes mail program, sends itself to everyone in user’s address book Computer Security: Art and Science © Matt Bishop

Download ppt "Malicious Logic What is malicious logic Defenses"

Similar presentations

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 5.1 Malicious Logic.
Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.

Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Compiled by : S. Agarwal, Lecturer & Systems Incharge, St. Xavier's Computer Centre, Kolkata : Compiled By : S. Agarwal, S. Agarwal, Lecturer.

Compiled by : S. Agarwal, Lecturer & Systems Incharge, St. Xavier's Computer Centre, Kolkata : Compiled By : S. Agarwal, S. Agarwal, Lecturer.
Lecturer: Fadwa Tlaelan

Lecturer: Fadwa Tlaelan
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #19-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #19-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious.
CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.

CS526: Information Security Chris Clifton November 25, 2003 Malicious Code.
Unit 18 Data Security 1.

Unit 18 Data Security 1.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #9-1 Chapter 19: Malicious Logic What is malicious logic Types of malicious logic.
Introduction to Malware Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: What is Malicious.

Introduction to Malware Dan Fleck CS469 Security Engineering Reference: Angelos Stavrou’s ISA564 and Computer Security by Bishop Coming up: What is Malicious.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Fall 2008CS 334: Computer SecuritySlide #1 Malicious Logic Trojan Horses Viruses Worms.

Fall 2008CS 334: Computer SecuritySlide #1 Malicious Logic Trojan Horses Viruses Worms.
________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]

________________ CS3235, Nov 2002 Viruses Adapted from Pfleeger[Chap 5]. A virus is a program [fragment] that can pass on malicious code [usually itself]
Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

Chapter 14 Computer Security Threats Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.

Security: Attacks. 2 Trojan Horse Malicious program disguised as an innocent one –Could modify/delete user’s file, send important info to cracker, etc.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #22-1 Chapter 22: Malicious Logic What is malicious logic Types of malicious.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #22-1 Chapter 22: Malicious Logic What is malicious logic Types of malicious.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Similar presentations

Ads by Google