Thierry Sans
15-349: Introduction to Computer and Network Security

➢
You may have heard about these words
•
•
•
•
•
•
•
•
•
Malware
Virus
Logic Bomb
Rabbits
Worm
Trojan horse
Backdoor
Trapdoor
Spyware

How do we get infected by malicious code?
➢
A “non well-known” program may be executed by the user (social engineering)
➢
•
The program is a Trojan horse
A malicious program might be executed without the consent of the user
•
It may be a worm exploiting a security flaw

How do we get infected by malicious code?
➢
A user might execute a “well-known” program that does not behave as expected
➢
•
•
Has been infected by a virus
Or contains a trapdoor (security flaw)
A “well-known” program has a hidden functionality
•
The program contains a spyware

➢
A malicious code
➢
•
• may need user action to be activated (virus)
Or may be totally autonomous (worms)
Everything .... depending on the execution context
➢
• privileges of the program
The effects of the malicious code depends on the payload
•
From a simple joke up to severe consequences
(financial losses)

➢
70's
➢
•
The era of the first self-replicating programs: virus
80's
➢
•
The era of maturity and pandemics
90's
➢
•
The era of self-modifying virus code
2000's
•
The era of internet worms

The era of the first self-replicating programs (70's)
➢
ANIMAL (a popular game)
➢
•
Replication: through the filesystem
Simple joke
•
Effects: none
Creeper (and Reaper ) on Tenex OS (Arpanet)
➢
•
•
Replication: through a modem and copied itself to the remote system
Disruptive
Effects: displaying the message
'I'M THE CREEPER : CATCH ME IF YOU CAN
The Rabbit program
•
•
Destructive
Replication: through the filesystem
Effects: reducing system performance till crashing

➢
A self-replicating program ...
➢
• concept of infection
... that may change the system behavior
➢
•
Concept of payload
So far, the users needs to execute a infected programs to activate the virus and starts the infection

How a virus can spread: the infection method
➢
Infection strategies
•
•
The malicious program exists by itself and replicates through the filesystem or network
The malicious code is embedded in an existing program and replicates itself by infecting other programs through the filesystem or the network
•
•
Non-resident viruses: the virus becomes inactive as soon as the infected program terminates
Resident viruses: the virus remains in memory even after the infected programs terminates

➢
It could be
A simple joke (such as displaying a message at once)
Disruptive (annoying behaviors of the system)
Destructive: data losses and system crashes
•
Example: The Michelangelo logic bomb (1992)
A boot sector virus that remains dormant until March 6
(the birthday of Renaissance artist Michelangelo)
Intrusive: Backdoors (also called trapdoors)
•
•
Since 2000, it's the new trend
Used for Spam and Botnets
•
•
•
•

➢
Apparition of boot sector viruses such as
•
•
The Elk Cloner virus (Apple II) in 1982
•
An infected computer would display a short poem on every
50th boot
The Brain virus (IBM/PC) in 1984
•
The disk label is changed to “Brain” and an advertisement text is written in boot sectors

•
•
•
Jerusalem (MS-DOS)
•
Destroys all executable files on infected machines upon every occurrence of Friday the 13th
SCA virus (Amiga)
•
•
Displays a text every 15 th boot
40% of the Amiga owners were infected
Christmas Tree EXEC (IBM/PC)
•
•
Displays a snow flow animation
Paralyzed several international computer networks in
December 1987

(end of 80's)
➢
Virus scanner (detection)
➢
•
Signature based
•
•
Using a signature database of existing viruses
Behavior based
•
Looking for suspicious code patterns that can be used by viruses
Virus removal tools (sanitation)
•
Cleaning the memory and infected programs

Avoiding detection: the Cascade virus (1997)
➢
Each instance of the Cascade virus does not look the same
•
How?
The virus encrypts itself with a cryptographic key and changes this key when replicating itself
•
So, how to detect it?
Detecting the small piece of code used to decipher the rest of the code
Later, this work will inspired polymorphic viruses

➢
The Chameleon family: the first family of polymorphic virus
•
Started with the release of 1260
➢
1996 "Ply"
•
DOS 16-bit based complicated polymorphic virus appeared with built-in permutation engine

➢
A polymorphic virus mutates when replicating
(but keeps the original algorithm intact)
➢
•
•
•
Using cryptographic techniques
(like the Cascade virus)
By injecting garbage code
By doing permutations within certain instructions or block of instructions
How to detect it?
•
By detecting code patterns used for the selfmodification

➢
A Metamorphic virus can reprogram itself
•
• by using different instructions and by using different strategies to implement a functionality
•
•
Zmist in 2000 was the first metamorphic virus
Simile in 2001 was a multi-OS metamorphic virus

➢
So far, a virus is an executable file
➢
•
Targets a given architecture and/or a given OS
A new trend appeared: the macro-viruses
•
•
•
Written in scripting languages used by some office applications (can be then cross-platform)
The Concept virus (1995)
The Melissa virus (1999)
•
•
Written in VBS, embedded in a MS-office document, activated when the document is open ( autoload function)
March 26 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the worm

➢
A users is tricked by an email with the malicious code in attachment ...
• as a “Trojan Horse”
➢
.. and this program replicates itself by email
• as a “Virus”

➢
The VBS/Loveletter ILOVEYOU in 2000
•
Caused 5.5 to 10 billion dollars in damage
➢
The Sobig virus in 2002
•
Sobig.F set a record in sheer volume of e-mails
➢
The MyDoom virus in 2002
•
Broke the record set by Sobig.F

➢
The context of the wide adoption of internet
•
•
More machines interconnected
•
The global network is a good medium for virus pandemics
(fast transmission and more victims)
The multiplication of internet applications and services
•
•
•
Fast publication of program flaws
Slow release of corrective patches
Slower adoption of these patches (not automatic)
•
A perfect context for internet worms

➢
A worm is a self-replicating program that does not need a user intervention to be activated
➢
•
Contrary to viruses
How does is it work?
➢
•
Exploits a security flaw (often of a network service) to infect the machine and replicates itself through the network
Characteristics
•
•
Very fast infection
Has a payload as well (more or less harmful)

➢
Code-Red
➢
•
•
Exploits a security flaw (buffer overflaw) of
Microsoft IIS web server (MS01-033) patched one month earlier
In few days, 359 000 machines infected
Nimda
•
•
Exploits another security flaw of MS-IIS
The Internet’s most widespread wormso far
(The most part of the infection was done in 22min)

➢
Klez
•
•
Exploits a security flaw of Microsoft Internet
Explorer layout engine used by Outlook and IE
Infection through email attachment however the user does not have to open this attachment to get infected

➢
SQL-Slammer (also called Sapphire )
➢
•
Exploits a security flaw in MS-SQL servers for which a patch had been released six months earlier
(MS02-039)
•
Infected 75,000 machines in 10 minutes causing caused a massive denial of service and dramatically slowed down general Internet traffic
Sasser
•
•
Exploiting a buffer overflow of Microsoft LSASS on Windows 200 and XP systems
Many companies had to shut down their services

➢
Blaster (also known as Lovesan )
➢
•
Exploits a security flaw in DCOM-RPC services on
Windows 2000 and XP
•
Was supposed to do SYN flood on August 15, 2003 against port 80 of windowsupdate.com
Welchia (also known as Nachia )
•
•
Exploits the same security flaw than Blaster
Corrects the security flaw by patching the system

➢
Santy
•
•
•
Exploited a vulnerability in phpBB and used Google in order to find new targets
It infected around 40000 sites before Google filtered the search query used by the worm, preventing it from spreading
The first web-worm

➢
Exploiting a cross site scripting (XSS) within a website
•
See lectures 23-24
•
•
Samy in 2005
•
Targeting MySpace (social network)
JTV.worm in 2008
•
Targeting Justin.tv (video casting)

➢
Receiving an email about a new virus ...
➢
•
• asking you to transfer this email to your contact and/or giving you the method to detect and remove the virus (often a real and important system file)
Effects
➢
•
Hoax virus are harmless (almost) and do nothing by themselves (but the user may do)
Counter-measures
•
Delete the email :)