Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 2: Viruses, Worms, and Malicious Software

Chapter Overview

In this chapter, students learn how viruses, worms, and Trojan horses spread through operating systems and across networks. They learn what they target and why. Students also learn about the typical forms of malicious software, such as boot sector viruses and viruses that attack through macros. After students learn how these forms of malicious software work, they learn how to set up defenses, such as operating system patches and repair disks.

Learning Objectives

After reading this chapter and completing the exercises, students will be able to:
1) Explain how viruses, worms, and Trojan horses spread
2) Discuss typical forms of malicious software and understand how they work
3) Use techniques to protect operating systems from malicious software and to recover from an attack

Lecture Notes

How Viruses, Worms, and Trojan Horses Spread

Viruses, worms, and Trojan horses are all classified as forms of malicious software, or malware. Malicious software is intended to cause distress to a user, to damage files or systems, and/or to disrupt normal computer and network functions.

Viruses

A virus is a program that is borne by a disk or a file and has the ability to replicate throughout a system, typically without the user’s knowledge until there is a visible outcome or problem. W32.Pinfi is an example of a virus that replicates throughout systems and shared drives. It may come into a system through an unused service, such as FTP or Telnet, and then attach to a file. INIT 1984 is an example of a destructive virus that can infect Mac OS systems. This virus replicates in the background without the user’s knowledge. It only becomes destructive if the user executes an infected file on a Friday the thirteenth.

Viruses spread in stages.
The first stage involves transporting the virus from one medium or system to another. The next stage, replicating throughout a system, is designed to spread the infection in that system. Another stage involves the actual mark that a virus leaves on a system, which is the form of attack.

Source text: Michael Palmer, Guide to Operating Systems Security, Thomson/Course Technology ©2004, ISBN 0-619-16040-3.

Viruses are sometimes classified according to different schemes. One way to classify viruses is by how they infect systems, as follows:
- Boot or partition sector
- Macro
- File infector
- Multipartite

Another way to classify viruses is by the way they protect themselves from detection or from a virus scanner, as follows:
- Armored
- Stealth
- Polymorphic
- Companion

A third way to classify viruses is as benign or destructive.

Worms

A worm is a program that replicates repeatedly on the same computer, or one that sends itself to many other computers on a network or the Internet. Code Red and Code Red II are examples of worms that use a buffer overflow to do damage. Both versions of Code Red target older Windows NT and Windows 2000 servers running Internet Information Services (IIS) or indexing services without the patches installed to defend against this worm. Besides taking up file space on the local computer, the worm uses a portion of the new files to search for other computers to attack. At the same time, it opens a back door on every computer it successfully attacks, giving the worm’s initiator access to those computers. A back door is a secret avenue into an operating system that often bypasses normal security.

Trojan Horses

A Trojan horse is a program that appears useful and harmless, but instead does harm to the user’s computer. Backdoor.Egghead is a Trojan horse targeted at Windows NT, Windows 2000, and Windows XP systems.
When this program runs, it creates a new folder called Vchost under \Winnt\System32 or \Windows\System32 and places its own files in that folder.

Quick Reference: Discuss the common locations for viruses, worms, and Trojan horses listed in Table 2-1 on pages 52 and 53 of the text.

Typical Methods Used by Malicious Software

Viruses, worms, Trojan horses, and other forms of malicious software use many methods to accomplish their dirty work and spread to other systems.

Executable Methods

An executable virus, worm, or Trojan horse is a file that contains lines of computer code that can be run. An interpreter takes a file of instructions and executes them, typically one line at a time. Some examples of executable-type file extensions are listed on page 55 of the text. A parallel, but somewhat different, interpretation of an executable virus is one that infects the source or execution code of programs. The virus may use commands available from the command line or an editor to append or insert malicious code affecting one or more programs, batch files, or scripts.

Boot and Partition Sector Methods

Boot sector or partition sector viruses particularly affect Windows and UNIX/Linux systems (including Mac OS X). A boot sector or partition sector virus typically infects or replaces the instructions in the Master Boot Record (MBR) or the partition boot sector. Another method is to corrupt the address of the (active) primary partition, which is specified in the partition table of the disk. Typically, eradicating boot sector or partition sector viruses involves recreating the MBR and partition boot sector instructions.
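As an added example (not from the text or its publisher), the following Python script shows the defender's counterpart of the two boot-sector attacks just described: it parses the partition table of a 512-byte MBR image, verifies the boot signature, compares the boot-code area against a hash recorded on a known-good system, and flags an active partition whose address points outside the disk. The MBR images, the disk size and the tampering are constructed sample data.

```python
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # partition table follows 446 bytes of boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area; record it on a known-good system as the baseline."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()

def check_mbr(mbr: bytes, baseline_hash: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible boot-sector infection)")
    active = [e for e in parse_partition_table(mbr) if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for e in active:
        if e["lba_start"] == 0 or e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {e['index']}: active partition address outside the disk")
    return findings

def build_sample_mbr(entries: list) -> bytes:
    """Construct a synthetic MBR image (sample data, not read from a real disk)."""
    img = bytearray((b"\xeb\xfe" + bytes(range(256)) * 2)[:TABLE_OFFSET])
    for status, ptype, lba_start, sectors in entries:
        img += struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    return bytes(img + b"\x00" * (510 - len(img)) + BOOT_SIGNATURE)

# Constructed known-good image: one active NTFS-type (0x07) partition on a 409600-sector disk.
DISK_SECTORS = 409600
GOOD_MBR = build_sample_mbr([(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(GOOD_MBR)
# Simulate the chapter's two tamperings: replaced boot code and a corrupted active-partition address.
_t = bytearray(GOOD_MBR)
_t[0:8] = b"\x90" * 8                                      # boot code overwritten
struct.pack_into("<I", _t, TABLE_OFFSET + 8, 0xFFFFFFF0)   # LBA start now points past the disk
TAMPERED_MBR = bytes(_t)
```

On a real system the 512-byte image would be read from the first sector of the disk and the baseline hash stored off-box, since a boot-sector infection can also alter anything kept on the infected disk.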
On Windows and NetWare systems using the FAT file system, you can use the fdisk /mbr or DOS sys command-line commands to recreate these instruction sets. For Windows systems that use NTFS, there are utilities on the installation disk to replace the MBR and partition boot sector instructions. Also, in NTFS, you can use the fixboot command from the Recovery Console to fix the boot sector, or the fixmbr command to fix only the MBR.

Macro Methods

A macro is a scripting language or a set of instructions or keystrokes that is started by using the name of the macro or by pressing a key on the keyboard. Macros are used in software such as word processors and spreadsheets, and they are also used in programming languages. A virus can infect a macro and spread each time the macro is used.

E-mail Methods

Most e-mail users are now aware that viruses, worms, and Trojan horses can be sent as attachments to e-mail. One of the most famous macro viruses, the Melissa virus, was sent as an e-mail attachment with the subject header “Important Message From username”. The Melissa virus did not destroy data, but instead inserted the following line in the virus-carrying document when it was opened: “Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here.” Microsoft and other software vendors now configure software, such as the Microsoft Office products, so that macros are disabled unless they are digitally signed by a trusted source (see Figure 2-3 on page 58 of the text). A digital signature is a code that is placed in the file to verify its authenticity by showing that it originated from a trusted source.

Software Exploitation

When there is a new version of an operating system, attackers may begin by looking for problems (e.g. exploits) in services, applications, systems, and functions that are known to be vulnerable, such as the following:
- DNS services
- Network services and applications
- Internet services and applications
- Database systems
- Newly developed or enhanced services
- E-mail and messaging services
- Remote access services
- Buffer overflow handling

Spyware

Spyware is software that is placed on a computer, typically without the user’s knowledge, and then reports information back to an attacker or an advertiser. On the Internet, some forms of spyware operate through monitoring cookies. A cookie is information that a Web server stores on a client computer, such as the client’s preferences when accessing a particular Web site, or where the client has been on the Web site.

Protecting an Operating System from Malicious Software

There are several basic steps to take to protect an operating system from malicious software. These include:
1) Installing updates
2) Viewing what is loaded when a system is booted
3) Using malicious software scanners
4) Using digital signatures for system and driver files
5) Backing up systems and creating repair disks
6) Creating and implementing organizational policies

1. Installing Updates

Installing updates and patches is an effective way to prevent attacks on an operating system.

Windows 2000, Windows XP Professional, and Windows Server 2003/2008

The two main ways to install updates for Windows 2000, Windows XP Professional, and Windows Server 2003/2008 are Windows Update and service packs. Windows (Automatic) Update (WAU) is used to provide access to patches that are regularly issued, particularly security patches. In Windows 2000 Server and Windows 2000 Professional, the Windows Update option is available from the Start menu. Windows XP Professional and Windows Server 2003/2008 come with the Automatic Updates Setup Wizard. Service packs are designed to address security issues as well as problems affecting stability, performance, or the operation of features included with the operating system. Service packs come out less frequently than the patches you obtain from Windows Update, but they generally include, in one place, patches that can be obtained from Windows Update, major fixes, new operating system features, and any previous service packs.

Quick Reference: Examine the guidelines for installing the latest service packs for Windows XP Pro and Windows Server 2003/2008 listed on page 62 of the text.

Red Hat Linux

Red Hat issues frequent updates for Red Hat Linux that can be downloaded from Red Hat’s Web site (www.redhat.com) by using the Red Hat Network Alert Notification Tool.

Quick Reference: Discuss the options available when you right-click the notification tool and the general steps for configuring the Red Hat Network Alert Notification Tool as shown on pages 63 and 64 of the text.

NetWare

Novell maintains a support section on its Web site that enables you to download updates for NetWare 6.x: access the support portion of the Web site and then select a link to find patches and fixes for NetWare. Novell also offers consolidated support packs for its operating systems that are similar in principle to Microsoft’s service packs.

Mac OS X

Mac OS X uses a Software Update tool that connects to the Internet to obtain patches. The Software Update tool is accessed through the Software Update icon in the System section of System Preferences, as shown in Figure 2-8 on page 65 of the text.
This tool enables you to:
1) Configure the system to automatically check for updates at specified intervals when the system is connected to the Internet, with weekly as the default
2) Manually check for updates
3) View the currently installed updates

2. Viewing What Is Loaded When a System Is Booted

One way to troubleshoot a boot problem caused by malicious code in the boot sector or partition sector is to use an operating system mode that enables you to watch on-screen what is loading as the operating system boots, or to view a log of the process. Here are some options provided by different operating systems:
1) In Windows 2000, Windows XP Professional, and Windows Server 2003/2008, you can view the information on-screen or have a log record the information so that you can view the log after the system has booted.
2) Red Hat Linux and NetWare automatically display the boot load information on the screen each time one of these systems is booted.
3) In Mac OS X, you can display the boot process by booting into either single-user mode or verbose mode.

3. Using Malicious Software Scanners

Malicious software (malware) scanners are an effective way to help protect an operating system. Although they scan systems for viruses, worms, and Trojan horses, these scanners are often called virus scanners. Figure 2-10 illustrates Norton AntiVirus installed on Mac OS X.

Quick Reference: Discuss the features to look for when purchasing virus scanning software as described on page 67. Also, examine Table 2-2, which describes different virus scanning software, on pages 68 and 69 of the text.

4. Using Digital Signatures for System and Driver Files

When a system file or driver is verified by Microsoft, a unique digital signature is incorporated by Microsoft into that system file or driver, in a process called driver signing.
Setting your system to require digital signatures in system files and drivers triggers two protective mechanisms:
1) Whenever there is an attempt to install a new system or driver file, the operating system checks to make sure it is digitally signed.
2) If for some reason a system or driver file is compressed, whenever the operating system reboots, it replaces that file with the last known good version of it that is stored in a backup system folder.

5. Backing Up Systems and Creating Repair Disks

Besides backups, some operating systems enable you to create a boot disk or repair disk to be used in the event that a system file is corrupted and the system won’t boot. These disks enable you either to boot the computer from operating system files on a floppy disk or CD, or to use a repair disk to recover system files.

Creating a Windows Emergency Repair Disk

After Windows 2000 Server or Professional is installed, you can choose to create an emergency repair disk (ERD), which enables you to fix problems that may arise with the server, such as corrupted system files. Plan to create a new ERD each time you install software, make a server configuration change, install a new adapter, add a NIC, restructure a partition, or upgrade the operating system.

Quick Reference: Describe how to create and use a Windows Emergency Repair Disk as illustrated on pages 70 through 72 of the text.

Creating an Automated System Recovery Set

For each computer running Windows XP Pro or Windows Server 2003/2008, you should create an Automated System Recovery (ASR) set in the event that your system fails.
The Automated System Recovery (ASR) set is similar to the emergency repair disk created under previous Windows versions and contains the system files needed to start your system. The ASR set has two components: a backup of all system files and a backup of system settings. The ASR set does not back up application data files, which you must do separately.

Creating a Red Hat Linux Boot Disk

You can create a Red Hat Linux boot disk that enables booting a system from a floppy disk, in case a system file on the hard disk is corrupted. When you install Red Hat Linux, the final steps of the installation process include the opportunity to create a boot disk. If you did not make a boot disk during installation, you can make one later from a terminal window.

Quick Reference: Discuss the general steps for making a boot disk for Red Hat Linux as shown on page 74 of the text.

6. Creating and Implementing Organizational Policies

One of the most effective forms of defense is to educate users through organizational policies and training. Some organizations establish computer security committees that set up security guidelines. Organizational policies work best when users are included in the process. Social engineering, in relation to computer system attacks, refers to the use of human interaction to gain access to a system or to do damage.

Sample areas of focus for an organizational computer security policy include:
1) Provide training to users in security techniques.
2) Train users about common malicious software.
3) Require that users scan floppy disks and CD-Rs with a virus scanner before taking them to be used on another computer.
4) Refer to page 75 of the text for the remainder of this list.
Discussion Questions

Discuss the many ways that anyone can protect their computer from virus infection.
Discuss the procedures involved in developing an organizational security policy.

Additional Activities

Create your own organizational computer security policy, compare it with one created by professionals, and chart the differences.
Using the Internet, search for and compare different anti-virus software.