Malicious Software
NS-H0503-02/1104 1

Why bother to secure data?
• Information has value; it can affect our lives and our livelihood
• Information has become an integral part of the structure of society
• Information needs to be trusted if it is to be useful; the breakdown of trust removes value from the information protected

What are we protecting against?
• Deletion or destruction
• Alteration (detected or undetected)
• Unauthorised access (privacy)
• Loss of productivity

Who is the enemy?
External threats:
• Virus attacks
• Hacker attacks
• Theft of data
• Sabotage
• Natural disaster

Hackers, Crackers & SK’s
What is a Hacker?
• Traditionally used as a term of respect
• High-level user, talented in programming
• Renowned for finding previously undiscovered and often unexpected uses for computer systems and networks

Black Hat Hacker
• May be amateur or professional
• May attempt to destroy or alter data
• Will often use known security flaws to create a “beachhead”
• Attempts to gain Administrator or root access
• Will prey on system users’ naïveté or carelessness
• Will attempt to remove all traces of intrusion

Black Hat Arsenal
• Trojan programs
• “Spyware” programs
• Password stealers
• Password crackers

Black Hat Tactics
• Exploit published or known security flaws to gain access
• User impersonation and deception
• Eavesdropping on email correspondence

White Hat Hacker
• Cyber idealist
• Often very active in online discussion
• Very competitive
• Wishes to expose poor programming and claim credit for being the “first” to find errors
• Feels compelled to inform the cyber community of security issues

Are they a Problem?
• Not interested in stealing / altering data
• Often use carriers with a weak payload or none at all
• Often view security in an abstract form (a challenge or test of cyber strength)
• May warn users of potential security risks without thought of reward

The White Hat Dilemma
• Software is often “unsecured” when released
• Software producers are not always responsive to warnings
• Should a security flaw be published if there is no solution?
• The conflict of idealism and commercial reality

Script Kiddies
• Not true hackers (i.e. relatively unskilled)
• Often immature
• Use tools devised by skilled hackers
• Will destroy data without understanding the implications of their actions
• Seeking attention from their peer group

Malicious Programs
• Computer “viruses” and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “worm”).
• Other “malicious programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Taxonomy of Malicious Programs (diagram)
• Need host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
• Independent: Zombie, Bacteria, Worms
• Replicate: Viruses, Bacteria, Worms

Definitions
• Virus - code that copies itself into other programs.
• A “Bacteria” replicates until it fills all disk space, or CPU cycles.
• Payload - harmful things the malicious program does, after it has had time to spread.
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).

Definitions
• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

What is a Virus?
• A program that is designed to explore or exploit the security of a system
• Originally designed to perform useful functions, they were given the name “daemons”
• Daemons are independent processes that have a “life” of their own.
• Daemons run in the background of an operating system and perform specified operations at predefined times or in response to certain events.

Common Vectors of Infection
• Removable media (floppy disk, CD-ROM)
• Network connections (LAN, WAN and Internet)
  – Email (most common)
  – WWW (becoming more common, e.g. Nimda)
  – FTP (rare)

The Daemon Evolves
• A daemon can be used to “retrieve” passwords or other secure information and send them to an unauthorised user or third party.
• Viruses have further evolved over time, and exhibit similar strategies to their biological namesakes.

Boot Sector Infection
• Infect the boot sector of a floppy disk
• Manually transferred by users sharing files via floppy disk media
• Example: “The Brain Virus” (first recorded MS-DOS virus)

Basic or Overwriting Viruses/Worms
• Begin by infecting a single file
• May take residence in memory
• Spread without any attempt to evade detection
• Usually limited to a single host
• Examples: The "Jerusalem" and Melissa (I Love You) viruses

Trojan or Malware Viruses
• Comprise a carrier and a payload
• Disguise themselves as a harmless file or even a “useful” program
• Payload is triggered by either an internal counter or an external trigger
• Example: Michelangelo virus

Polymorphic or Mutating Viruses
• Attempt to evade detection by changing their shape and size randomly
• May employ tactics such as encryption
• May also have retro-virus characteristics
• Example: W32.Magistr email worm

Multipartite Viruses
• Combine file infection with MBR infection
• Employ anti-detection measures such as stealth, encryption, retro-virus and Trojan-type behaviours
• These viruses are the most sophisticated of all and therefore carry the greatest potential to damage data
• Example: W95.Babylonia Y2K virus (masqueraded as a Y2K fix)

Viruses
• a piece of self-replicating code attached to some other code
  – cf. biological virus
• both propagates itself & carries a payload
  – carries code to make copies of itself
  – as well as code to perform some covert task

Virus Phases
• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical copy of itself into other programs
• Triggering phase - the virus is activated to perform the function for which it was intended
• Execution phase - the function is performed

Virus Protection
• Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
• Do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents).
• Avoid the most common operating systems and email programs, if possible.

Virus Operation
• virus phases:
  – dormant - waiting on trigger event
  – propagation - replicating to programs/disks
  – triggering - by event to execute payload
  – execution - of payload
• details usually machine/OS specific
  – exploiting features/weaknesses

Types of Viruses
• Parasitic virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident virus - lodges in main memory as part of the resident operating system.
• Boot sector virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth virus - explicitly designed to hide from virus scanning programs.
• Polymorphic virus - mutates with every new host to prevent signature detection.

Types of Viruses
• can classify on the basis of how they attack:
• parasitic virus
• memory-resident virus
• boot sector virus
• stealth virus
• polymorphic virus
• macro virus

Email Virus
• spread using email with an attachment containing a macro virus
  – cf. Melissa
• triggered when user opens the attachment
• or worse, even when the mail is viewed, by using scripting features in the mail agent
• usually targeted at the Microsoft Outlook mail agent & Word/Excel documents

Worms
• replicating but not infecting program
• typically spreads over a network
  – cf. Morris Internet Worm in 1988
  – led to creation of CERTs
• using users' distributed privileges or by exploiting system vulnerabilities
• widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
• major issue is lack of security of permanently connected systems, esp. PCs

Worm Operation
• worm phases like those of viruses:
  – dormant
  – propagation
    • search for other systems to infect
    • establish connection to target remote system
    • replicate self onto remote system
  – triggering
  – execution

Logic Bomb
• one of the oldest types of malicious software
• code embedded in a legitimate program
• activated when specified conditions are met
  – e.g. presence/absence of some file
  – particular date/time
  – particular user
• when triggered, typically damages the system
  – modify/delete files/disks

Trojan Horse
• program with hidden side-effects
• which is usually superficially attractive
  – e.g. game, s/w upgrade etc.
• when run, performs some additional tasks
  – allows attacker to indirectly gain access they do not have directly
• often used to propagate a virus/worm or install a backdoor
• or simply to destroy data

Zombie
• program which secretly takes over another networked computer
• then uses it to indirectly launch attacks
• often used to launch distributed denial of service (DDoS) attacks
• exploits known flaws
in network systems

Virus Countermeasures
• viral attacks exploit lack of integrity control on systems
• to defend, need to add such controls
• typically by one or more of:
  – prevention - block virus infection mechanism
  – detection - of viruses in infected system
  – reaction - restoring system to clean state

Anti-Virus Software
• first-generation
  – scanner uses virus signature to identify virus
  – or change in length of programs
• second-generation
  – uses heuristic rules to spot viral infection
  – or uses program checksums to spot changes
• third-generation
  – memory-resident programs identify virus by actions
• fourth-generation
  – packages with a variety of antivirus techniques
  – e.g. scanning & activity traps, access controls

Antivirus Approaches
1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.

Advanced Antivirus Techniques
• Generic Decryption (GD)
  – CPU emulator
  – virus signature scanner
  – emulation control module
• For how long should a GD scanner run each interpretation?
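The first two anti-virus generations described above (signature search plus length checks, then checksum or hash comparison against a clean baseline) are easy to see in working code. The following is an added example written for these notes, not code from the lecture deck or from any product. The signature database, the sample "file system" and the tampering it undergoes are all constructed for the demonstration; the only real-world value in it is the EICAR test string, which scanners detect by design.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database (name -> byte pattern). The first entry is the
# industry-standard EICAR test string; the second is a made-up marker that
# exists only to exercise this code and is not a real malware signature.
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Demo.Marker": b"\xde\xad\xbe\xefDEMO-MARKER",
}


def scan_signatures(data: bytes) -> List[Tuple[str, int]]:
    """First-generation scanning: look for each known pattern anywhere in the file.

    Returns (signature name, byte offset) for every match, in database order.
    """
    hits: List[Tuple[str, int]] = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits


def make_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record (length, SHA-256) per file while the system is known to be clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(files: Dict[str, bytes],
                    base: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Second-generation change detection: compare current files to the baseline.

    A length change is the crude first-generation test; the hash comparison also
    catches same-size modifications, which a length check alone would miss.
    """
    findings: Dict[str, str] = {}
    for name in set(files) | set(base):
        if name not in base:
            findings[name] = "new file (not in baseline)"
        elif name not in files:
            findings[name] = "missing (was in baseline)"
        else:
            length, digest = base[name]
            data = files[name]
            if len(data) != length:
                findings[name] = "length changed"
            elif hashlib.sha256(data).hexdigest() != digest:
                findings[name] = "content changed, same length"
    return findings


# Constructed sample "file system": a tiny DOS-style stub, the EICAR test file,
# and a plain data file.
CLEAN_FILES: Dict[str, bytes] = {
    "prog.exe": b"MZ\x90\x00" + bytes(range(64)),
    "eicar.com": SIGNATURES["EICAR-Test-File"],
    "notes.txt": b"quarterly figures\n",
}

# The same set after simulated tampering: one file grows by an appended marker,
# one is modified without changing size, and one file is new.
TAMPERED_FILES: Dict[str, bytes] = {
    "prog.exe": CLEAN_FILES["prog.exe"] + SIGNATURES["Demo.Marker"],
    "eicar.com": CLEAN_FILES["eicar.com"],
    "notes.txt": b"quarterly figures\x00",  # same length, one byte differs
    "dropped.bin": b"\x00" * 16,
}


def demo() -> Tuple[Dict[str, List[Tuple[str, int]]], Dict[str, str]]:
    """Run both checks and return (signature hits per file, integrity findings)."""
    base = make_baseline(CLEAN_FILES)
    sig_hits = {name: scan_signatures(data) for name, data in TAMPERED_FILES.items()}
    return sig_hits, integrity_check(TAMPERED_FILES, base)


if __name__ == "__main__":
    hits, findings = demo()
    for name, h in hits.items():
        print(f"{name}: {h or 'no signature match'}")
    for name, f in sorted(findings.items()):
        print(f"{name}: {f}")
```

Note what each generation misses: the signature scan says nothing about notes.txt, because no known pattern is present, while the baseline comparison flags it even though its length is unchanged; conversely, the baseline comparison cannot name what was appended to prog.exe, only that it changed. Real products layer the two for exactly this reason.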
Advanced Anti-Virus Techniques
• generic decryption
  – use CPU simulator to check program signature & behavior before actually running it
• digital immune system (IBM)
  – general-purpose emulation & virus detection
  – any virus entering the organisation is captured, analyzed, detection/shielding created for it, removed

Advanced Antivirus Techniques (figure)

Behavior-Blocking Software
• integrated with host O/S
• monitors program behavior in real time
  – e.g. file access, disk format, executable mods, system settings changes, network access
• for possibly malicious actions
  – if detected can block, terminate, or seek OK
• has advantage over scanners
• but malicious code runs before detection

Recommended Reading and Web Sites
• Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990
• CERT Coordination Center (web site)
• AntiVirus Online (IBM’s site)
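The behavior-blocking slide lists the kinds of actions a monitor watches (file access, disk format, executable modification, settings changes, network access) and the three responses it can give (block, terminate, or seek OK). The following is an added example for these notes, not code from the deck or from any product: a small rule engine of that shape, run over a constructed event stream. The event schema, the threshold of three executable writes, the "protected settings" list and the sample events are all assumptions made for the demonstration. It also makes the slide's last point concrete: the count of executable writes a process is allowed before the rule trips is the damage done before detection.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Event:
    """One observed action. Schema is constructed for this example."""
    pid: int
    process: str
    action: str   # "file_write", "disk_format", "setting_change", "net_connect"
    target: str


@dataclass
class Decision:
    event: Event
    verdict: str  # "allow", "ask", "block", "terminate"
    reason: str


EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys")
EXEC_WRITE_LIMIT = 3            # assumed threshold: terminate on the third executable write
PROTECTED_SETTINGS = {"autostart-entries", "security-policy"}  # constructed labels


@dataclass
class BehaviorMonitor:
    """Stateful activity trap: per-process counters drive the rules."""
    exec_writes: Dict[int, int] = field(default_factory=lambda: defaultdict(int))
    terminated: Set[int] = field(default_factory=set)

    def evaluate(self, ev: Event) -> Decision:
        if ev.pid in self.terminated:
            return Decision(ev, "block", "process already terminated")
        if ev.action == "disk_format":
            return Decision(ev, "block", "disk format attempted by an application")
        if ev.action == "setting_change" and ev.target in PROTECTED_SETTINGS:
            return Decision(ev, "ask", "change to a protected system setting")
        if ev.action == "file_write" and ev.target.lower().endswith(EXECUTABLE_SUFFIXES):
            self.exec_writes[ev.pid] += 1
            n = self.exec_writes[ev.pid]
            if n >= EXEC_WRITE_LIMIT:
                self.terminated.add(ev.pid)
                return Decision(ev, "terminate", f"{n} executables modified by one process")
            return Decision(ev, "allow", f"executable write {n} of {EXEC_WRITE_LIMIT - 1} tolerated")
        if ev.action == "net_connect" and self.exec_writes[ev.pid] > 0:
            return Decision(ev, "ask", "network access after modifying executables")
        return Decision(ev, "allow", "no rule matched")


def run_monitor(events: List[Event]) -> List[Decision]:
    """Feed events through one monitor instance in order and collect the verdicts."""
    monitor = BehaviorMonitor()
    return [monitor.evaluate(ev) for ev in events]


def allowed_exec_writes(decisions: List[Decision], pid: int) -> int:
    """Executable modifications a process completed before the monitor stopped it."""
    return sum(1 for d in decisions
               if d.event.pid == pid and d.verdict == "allow"
               and d.event.action == "file_write"
               and d.event.target.lower().endswith(EXECUTABLE_SUFFIXES))


# Constructed event stream: a legitimate installer (pid 100), a process that
# behaves like a file infector (pid 200), and a "cleaner" tool (pid 300).
# Addresses are from the documentation ranges and mean nothing.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "setup.exe", "file_write", "C:\\app\\install.log"),
    Event(100, "setup.exe", "file_write", "C:\\app\\app.exe"),
    Event(200, "invoice.doc.exe", "file_write", "C:\\Windows\\a.exe"),
    Event(200, "invoice.doc.exe", "file_write", "C:\\Windows\\b.dll"),
    Event(200, "invoice.doc.exe", "file_write", "C:\\Windows\\c.sys"),
    Event(200, "invoice.doc.exe", "net_connect", "198.51.100.7:80"),
    Event(100, "setup.exe", "net_connect", "203.0.113.5:443"),
    Event(300, "cleaner.exe", "setting_change", "autostart-entries"),
    Event(300, "cleaner.exe", "disk_format", "D:"),
]


if __name__ == "__main__":
    for d in run_monitor(SAMPLE_EVENTS):
        print(f"pid {d.event.pid:>3} {d.event.action:<15} -> {d.verdict:<9} ({d.reason})")
    print("executable writes completed by pid 200 before termination:",
          allowed_exec_writes(run_monitor(SAMPLE_EVENTS), 200))
```

The installer is not stopped, because one executable write followed by a network connection only earns a "seek OK"; the infector-like process is terminated on its third executable write, but two files have already been altered by then. Lowering the threshold shrinks that window at the cost of more prompts for legitimate installers, which is the tuning trade-off behind the "has advantage over scanners, but malicious code runs before detection" pair of bullets.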