Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

CSE331: Introduction to Networks and Security Lecture 32

advertisement 
CSE331:
Introduction to Networks
and Security
Lecture 32
Fall 2002
Recap
• Malicious Programs
– Viruses
– Boot Viruses, Memory Resident, Macros
• Today:
– Computer Virus Defenses
– Computer Worms
CSE331 Fall 2002
2
“I Love You” Virus/Worm
• Infection Rate
– At 5:00 pm EDT(GMT-4) May 8, 2000, CERT had
received reports from more than 650 sites
– > 500,000 individual systems
• VBScript
• Propagation
– Email, Windows file sharing, IRC, USENET news
CSE331 Fall 2002
3
Love Bug
• Signature
– An attachment named
"LOVE-LETTER-FOR-YOU.TXT.VBS"
– A subject of "ILOVEYOU"
– Message body: "kindly check the attached
LOVELETTER coming from me."
CSE331 Fall 2002
4
Love Bug Behavior
• Replaced certain files with copies of itself
– Based on file extension (e.g. .vbs, .js, .hta, etc)
• Changed Internet Explorer start page
– Pointed the browser to infected web pages
• Mailed copies of itself
• Changed registry keys
CSE331 Fall 2002
5
Detecting Viruses
• Scanning
• Integrity checking
• Heuristic detection
CSE331 Fall 2002
6
Virus Signatures
• Viruses can’t be completely invisible:
– Code must be stored somewhere
– Virus must do something when it runs
• Fragments of the virus code itself
– Strings “kindly check the attached LOVELETTER”
• Effects on the computing environment
– Changes to the Windows registry
• Propagation Behavior
– Copying/modifying system files.
CSE331 Fall 2002
7
Virus Scanners
• Search the system for virus signatures
– Main memory
– All files in file system
– Should also check boot sector
• When to scan?
–
–
–
–
On access (when a program is run)
On demand (at user’s request, or scheduled)
When e-mail is received?
Before web content is displayed?
CSE331 Fall 2002
8
Virus Scanning: Pros & Cons
• Pros
– Effectively detects known viruses before they can
cause harm
– Few false alarms
• Cons
– Can detect only viruses with known signatures
– Signature set must be kept up to date
– Virus writers can easily change virus signatures
CSE331 Fall 2002
9
Integrity Checks
• Virus scanner computes hash or checksum of
executable files
– Assumed to be virus free!
– Stores the hash information
• Verifies new hash vs. saved one during scan
CSE331 Fall 2002
10
Integrity Checks: Pros & Cons
• Pros
– Can detect corruption of executables too
– Reliable
– Doesn’t require virus signatures
• Cons
– False positives (i.e. recompilation)
– Can’t use it on documents (they change too often)
– Not supported by most vedors
CSE331 Fall 2002
11
Heuristic Detection
• Collection of ad hoc rules that identifies virus
behavior or virus-like programs
– Modification of system executables
– Modification of “template documents” like
normal.doc
– Self-modifying and self-referential code
–…
CSE331 Fall 2002
12
Heuristics: Pros & Cons
• Pros
– Perhaps able to detect unknown viruses
• Cons
– Heuristics are hard to develop
– Too may false positives
CSE331 Fall 2002
13
Polymorphic Viruses
• Virus writers know that virus signatures are
the most effective way to detect viruses
• Polymorphic viruses mutate themselves
during replication to prevent detection
– Virus should be capable of generating many
different descendents
– Simply embedding random numbers into virus
code is not enough
CSE331 Fall 2002
14
Strategies for Polymorphic Viruses
• Change data:
– Use different subject lines in e-mail
• Encrypt most of the virus with a random key
– Virus first decrypts main body using random key
– Jumps to the code it decrypted
– When replicating, generate a new key and encrypt
the main part of the replica
• Still possible to detect decryption portion of
the virus using virus signatures
CSE331 Fall 2002
15
Advanced Polymorphic Viruses
• Randomly modify the decryption portion of
the virus by:
– Inserting no-op instructions: subtract 0, move
value to itself
– Reordering independent instructions
– Using different variable/register names
– Using equivalent instruction sequences
y=x+x
vs. y = 2 * x
CSE331 Fall 2002
16
CERT Advice 1
•
•
•
•
•
•
Use virus protection software
Use a firewall
Don't open unknown email attachments
Don't run programs of unknown origin
Disable hidden filename extensions
Keep all applications, including your
operating system, patched
CSE331 Fall 2002
17
Cert Advice 2
• Turn off your computer or disconnect from the
network when not in use
• Disable Java, JavaScript, and ActiveX if
possible
• Disable scripting features in email programs
• Make regular backups of critical data
• Make a boot disk in case your computer is
damaged or compromised
CSE331 Fall 2002
18
Internet Worms
• November 2, 1988
• Robert T. Morris Jr. unleashed Internet worm
– Graduate student at Cornell University
– Convicted in 1990 of violating Computer Fraud
and Abuse Act
– $10,000 fine, 3 yr. Suspended jail sentence, 400
hours of community service
– Son of the chief scientist at the National Computer
Security Center -- part of the National Security
Agency
– Today he’s a professor at MIT
CSE331 Fall 2002
19
Morris Worm Transmission
• Find user accounts on the target machine
– Dictionary attack on /etc/passwd
– If it found a match, it would log in and try the same
username/password on other local machines
• Exploit bug in fingerd
– Classic buffer overflow attack
• Exploit trapdoor in sendmail
– Programmer left DEBUG mode in sendmail, which allowed
sendmail to execute an arbitrary shell command string.
CSE331 Fall 2002
20
Morris Worm Infection
• Sent a small loader to target machine
– 99 lines of C code
– It was compiled on the remote platform (cross
platform compatibility)
– The loader program transferred the rest of the
worm from the infected host to the new target.
– Used authentication! To prevent sys admins from
tampering with loaded code.
– If there was a transmission error, the loader would
erase its tracks and exit.
CSE331 Fall 2002
21
Morris Worm Stealth
• When loader obtained full code
– It put into main memory and encrypted
– Original copies were deleted from disk
– (Even memory dump wouldn’t expose worm)
• Worm periodically changed its name and
process ID
CSE331 Fall 2002
22
Effects
• Resource exhaustion
– Denial of service
– There was a bug in the loader program that
caused many copies of the worm to be spawned
per host
• System administrators cut their network
connections
– Couldn’t use internet to exchange fixes!
• 6,000 networks were shut down or
disconnected
– Down for several days
– Damage estimates: $100,000 — $97 Million
CSE331 Fall 2002
23
Related documents
CSE331: Introduction to Networks and Security Lecture 14
CSE331: Introduction to Networks and Security Lecture 14
Understanding Viruses Video Notes Integrated Science 2
Understanding Viruses Video Notes Integrated Science 2
b) HIV, c) the tobacco mosaic virus, and d) the... cell. The virus’ genetic material enters the host cell, and... Figure 2.2:
b) HIV, c) the tobacco mosaic virus, and d) the... cell. The virus’ genetic material enters the host cell, and... Figure 2.2:
Causes of Diseases Notetakers
Causes of Diseases Notetakers
Download
advertisement