IT 221:
Introduction to Information Security Principles
Lecture 12: Intruders, Viruses and Worms
For Educational Purposes Only
Revised: November 20, 2002
Chapter 15 Outline (1)
•Chapter 15 Outline:
Case Study
Context and Overview
Types of Trespass
Intruder Properties
Intruder Classifications
Intrusion Techniques
UNIX Salt
Password Selection
Stages of Network Intrusion
Approaches to Intrusion Detection
Measures of Intrusion Detection
1
November 20, 2002
IT 221: Introduction to Information Security Principles
For Educational Purposes Only
Chapter 15 Outline (2)
•Chapter 15 Outline:
Viruses and ‘Malicious Programs
Anti-Virus Approaches
Case Study: Technical Context
•Context [2]:
On November 2, 1988, a computer worm began to inch its way through the
Internet – at the time a government-funded network that linked more than 60K
computers across the United States.
Once installed, the Worm multiplied, spawning process after process and rapidly
consuming a computer's memory and CPU time, until other work virtually halted.
-Collected user and network information (trusted-host lists and weak passwords
guessed from the password file) to reach further machines.
-Exploited UNIX security holes (e.g. the sendmail DEBUG command and a buffer
overflow in the fingerd daemon).
-Camouflaged itself by setting its process name to that of a standard UNIX
command interpreter (sh).
Case Study: Technical Consequences
•Context [2]:
Suns and VAXes running Berkeley Software Distribution (BSD) UNIX fell victim.
-Original estimates: 6,000 affected computers.
-Later research: 2,100-2,600 affected computers.
Although no data was destroyed, a great deal of sys-admin time was spent:
-Rebooting machines and vital network gateways.
-Sites lost email, research time, and the ability to meet deadlines.
-Estimated cost of system fixes and testing: $1M - $100M.
Case Study: Context and Analysis
•Context [2]:
Traced to Robert T. Morris, Cornell University graduate student.
-Claimed that the Worm was an experimental program containing a bug
that caused it to run rampant (it re-infected machines that were already
infected).
-Convicted on January 23, 1990 under the Computer Fraud and Abuse Act of 1986.
-Placed on 3-year probation and subjected to a $10K fine and 400 hours of
community service.
•Analysis [2]:
The Worm had the side effect of increasing public awareness of computer
security, and of creating a new generation of security consultants.
But despite the level of spending, increased public awareness, and
preparedness, most organizations have not significantly tightened security.
Context and Overview
•Context [2]:
A significant security problem for networked systems is hostile (or at least
unwanted) trespass by users or software.
•Overview [2]:
This lecture surveys the subject of intruders and viruses, and examines
prevention and detection methods and strategies.
Types of Trespass
•Classes of Trespass [2]:
User Trespass:
-Unauthorized Users: Unauthorized logon to a machine
-Authorized Users: Acquisition of privileges or performance of actions
beyond those that have been authorized.
Software Trespass:
-Can assume the form of a virus, worm or Trojan Horse.
•Cause For Concern [2]:
Both types of trespass relate to network security because system entry can
be achieved by means of a network.
Intruder Properties
•Properties [2]:
The objective of the intruder is to gain access to a system or to increase the
range of privileges accessible on a system.
Generally, this requires the intruder to acquire information that should
have been protected (most often a password).
Intruder attacks range from the benign to the serious, and may be perpetrated
by Insiders, Outsiders, or both.
Intruder Classifications
•Classes of Intruders [2]:
(1) Masquerader: Unauthorized individual who penetrates a system's access
controls to exploit a legitimate user's account.
(2) Misfeasor: Legitimate user who accesses data, programs or resources for
which such access is not authorized, or who is authorized for such access
but misuses those privileges.
(3) Clandestine User: Individual who seizes supervisory control of the
system and uses this control to evade auditing and access controls or to
suppress audit collection.
•Note [2]:
The Masquerader is likely to be an Outsider; the Misfeasor generally is an
Insider; the Clandestine User can be either an Outsider or an Insider.
Intrusion Techniques: Passwords (1)
•Password File [2]:
Systems typically maintain a file that associates a password with each user.
If stored without protection, the file could be compromised.
•Prevention [2]:
The password file can be protected in one of two ways (usually both):
-(1) One-Way Encryption: The system stores only the output of a one-way
function applied to the user's password, never the password itself. To
check a login, the system re-applies the function and compares the result.
-(2) Access Control: Access to the password file is limited to one or a
very few accounts (e.g. a shadow file readable only by root).
Intrusion Techniques: Passwords (2)
•Password Guessing [3]:
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (60,000).
Collect information about the user’s hobbies, family names, birthday, etc.
Try user’s phone number, social security number, street address, etc.
Try all license plate numbers (MUP103).
Use a Trojan horse to bypass restrictions on access.
Tap the line between a remote user and the host system.
•Prevention [2]:
Enforce strong password selection.
Example: UNIX Password Selection
•Loading a New Password [2]:
(1) Each user selects a password of up to 8 printable characters in length
(anything beyond the 8th character is ignored).
(2) The password is converted into a 56-bit value (7 bits per character) that
serves as the key of an encryption routine – crypt(3), which is based on DES.
The routine encrypts a 64-bit block of zeros 25 times, each output feeding
the next round.
(3) A 12-bit 'Salt' value (traditionally derived from the time of day) is
introduced into the encryption process: it modifies the DES expansion
permutation, so the result is not standard DES.
(4) The ciphertext is then stored, together with a plaintext copy of the salt,
in the password file for the corresponding user ID.
Purpose of UNIX Salt
•Purpose of UNIX Salt [3]:
Prevents duplicate passwords from being visible in the password file: two
users who choose the same password get different ciphertexts because their
salts differ.
Effectively increases the length of the password. A precomputed table of
ciphertexts must cover every (salt, word) pair, so the number of possible
ciphertexts is increased by a factor of 4096.
Prevents the use of off-the-shelf hardware implementations of DES, which would
ease the difficulty of a brute-force guessing attack.
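The salted scheme of the previous two slides, and the dictionary attack from "Intrusion Techniques: Passwords (2)", as an added example that is not part of the original lecture. It assumes a SHA-256 stand-in for the salt-modified DES of crypt(3) (so it runs without the deprecated crypt module), keeps crypt's 12-bit salt alphabet, its 8-character truncation and its "salt stored in the clear" layout, and uses a constructed password file and word list.

```python
import hashlib
import secrets

# Constructed stand-in for crypt(3): the salt is 12 bits, written as two
# characters from the same 64-character alphabet crypt(3) uses, and stored in
# the clear in front of the ciphertext.  The one-way function here is SHA-256
# over salt||password instead of salt-modified DES (an assumption made so the
# example runs anywhere); the storage layout and the checks are the same.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_BITS = 12          # two 6-bit characters: 4096 possible salts
MAX_PASSWORD_CHARS = 8  # crypt(3) ignores anything past the 8th character


def new_salt():
    """Draw a random 12-bit salt and encode it as two alphabet characters."""
    value = secrets.randbelow(1 << SALT_BITS)
    return SALT_ALPHABET[value >> 6] + SALT_ALPHABET[value & 63]


def one_way(salt, password):
    """The one-way function: same (salt, password) always gives the same digest."""
    key = password[:MAX_PASSWORD_CHARS].encode()
    return hashlib.sha256(salt.encode() + key).hexdigest()


def load_password(password, salt=None):
    """Step (4) of loading a new password: salt in the clear, then ciphertext."""
    salt = salt if salt is not None else new_salt()
    return salt + one_way(salt, password)


def verify_password(password, stored):
    """Verification: re-run the one-way function under the stored salt and
    compare with the stored ciphertext (constant-time compare)."""
    salt, digest = stored[:2], stored[2:]
    return secrets.compare_digest(one_way(salt, password), digest)


def dictionary_attack(password_file, wordlist):
    """Offline guessing against a salted file.  Every guess has to be hashed
    again under each user's salt; returns (cracked accounts, hash operations)."""
    cracked, work = {}, 0
    for user, stored in password_file.items():
        salt, digest = stored[:2], stored[2:]
        for word in wordlist:
            work += 1
            if one_way(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, work


def unsalted_attack(unsalted_file, wordlist):
    """The same attack when no salt is used: hash the dictionary once, then
    look every user up in the table.  Work no longer grows with the number of
    accounts; with salts the table would need one entry per (salt, word) pair,
    4096 times larger."""
    table = {one_way("", word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in unsalted_file.items()
               if digest in table}
    return cracked, len(wordlist)


if __name__ == "__main__":
    # Constructed password file: three users, two of them with dictionary words.
    pw_file = {"alice": load_password("letmein", "Z9"),
               "bob": load_password("dragon", "Q2"),
               "carol": load_password("xK7#pq!v", "aa")}
    print(dictionary_attack(pw_file, ["123456", "password", "letmein", "dragon"]))
```

Two things to notice when running it: `verify_password("password123", load_password("password"))` succeeds, because crypt's 8-character limit silently discards the tail; and the salt does nothing against guessing a single weak account, it only stops one precomputed table from cracking every account at once.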
Password Selection Strategies
•Password Selection Strategies [2]:
Computer-generated Passwords
Reactive Password Checking
Proactive Password Checker
•Proactive Password Checker Strategies [2]:
Two techniques for developing an effective and efficient proactive password
checker that is based on rejecting words on a list show promise:
(1) Markov Model
(2) Spafford (Bloom Filter)
Stages of Network Intrusion
•Network Intrusion [3]:
(1) Scan the network to:
- Locate which IP addresses are in use,
- Identify what operating system is in use,
- Identify what TCP or UDP ports are "open" (being listened on by servers).
(2) Run "exploit" scripts against the open ports.
(3) Get access to a shell program that is "suid" root (runs with "root"
privileges regardless of who invokes it).
(4) Download special versions of system files (a rootkit) that let the
intruder use CPU time and disk storage without this being noticed by
auditing programs.
(5) Use IRC (Internet Relay Chat) to invite fellow hackers.
Intrusion Detection
•Context [2]:
Inevitably, even the best intrusion prevention system will fail. A system's
second line of defense is intrusion detection.
Motivation is a function of several considerations:
-If detected early enough, the intruder can be identified and ejected from
the system before damage is done.
-An effective intrusion detection system acts as a deterrent, and so helps
to prevent intrusions.
-Intrusion detection enables the collection of information about intrusion
techniques that can be used to strengthen the intrusion prevention facility.
Behavioral Profiles of Intruders and Authorized Users
•Profiles [3]:
Approaches to Intrusion Detection
•Approaches to Intrusion Detection [2]:
Statistical Anomaly Detection: Involves the collection of data relating to the
behavior of legitimate users over a period of time. Statistical tests are then
applied to observed behavior to determine with a high level of confidence
whether that behavior is not legitimate user behavior.
-Threshold Detection: count occurrences of an event over an interval and
alert when the count exceeds a fixed threshold.
-Profile Based: compare each user's current activity with a profile of that
user's past activity.
Rule Based Detection: Involves an attempt to define a set of rules that can be
used to decide that a given behavior is that of an intruder.
-Anomaly Detection: rules describe usual behavior; deviations are flagged.
-Penetration Identification: rules describe known attack patterns.
Measures of Intrusion Detection
•Measures [3]:
Login frequency by day and time.
Frequency of login at different locations.
Time since last login.
Password failures at login.
Execution frequency.
Execution denials.
Read, Write, Create, Delete frequency.
Failure count for Read, Write, Create and Delete.
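The three detection approaches of the previous slide, run over the login-related measures listed above, as an added example that is not part of the original lecture. The audit lines, the per-user profiles (usual hours and known source addresses), the failure threshold and the "failures followed by success" rule are all constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit records (not from any real system).
SAMPLE_LOG = """\
2002-11-20 08:58:03 login user=alice src=10.0.0.5 result=OK
2002-11-20 09:02:11 login user=bob src=10.0.0.7 result=OK
2002-11-20 17:30:45 login user=alice src=10.0.0.5 result=OK
2002-11-20 23:41:02 login user=bob src=192.0.2.44 result=FAIL
2002-11-20 23:41:09 login user=bob src=192.0.2.44 result=FAIL
2002-11-20 23:41:15 login user=bob src=192.0.2.44 result=FAIL
2002-11-20 23:41:21 login user=bob src=192.0.2.44 result=FAIL
2002-11-20 23:41:27 login user=bob src=192.0.2.44 result=OK
2002-11-21 03:12:55 login user=alice src=10.0.0.5 result=OK
"""

# Per-user profiles learned from an earlier, clean training period (constructed
# values): the hours a user normally logs in and the source addresses seen so far.
PROFILES = {
    "alice": {"hours": range(8, 19), "sources": {"10.0.0.5"}},
    "bob":   {"hours": range(8, 19), "sources": {"10.0.0.7"}},
}
FAIL_THRESHOLD = 3   # password failures per user per day that raise an alert
RULE_MIN_FAILS = 2   # failures before a success that look like guessing


def parse(line):
    """'YYYY-MM-DD HH:MM:SS login k=v k=v ...' -> dict with a datetime 'ts'."""
    date, time, _event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(date + " " + time)
    return rec


def analyse(log_text):
    """Return a list of (approach, user, reason) alerts."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # Threshold detection: password failures at login, counted per user and day.
    failures = Counter()
    for r in records:
        if r["result"] == "FAIL":
            failures[(r["user"], r["ts"].date())] += 1
    for (user, day), n in failures.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("threshold", user, f"{n} password failures on {day}"))

    # Profile-based detection: login frequency by time of day and by location,
    # compared against what the user did during the training period.
    for r in records:
        if r["result"] != "OK":
            continue
        prof = PROFILES.get(r["user"])
        if prof is None:
            alerts.append(("profile", r["user"], "no profile for this account"))
            continue
        if r["ts"].hour not in prof["hours"]:
            alerts.append(("profile", r["user"],
                           f"login at {r['ts'].strftime('%H:%M')} outside usual hours"))
        if r["src"] not in prof["sources"]:
            alerts.append(("profile", r["user"], f"login from new location {r['src']}"))

    # Rule-based penetration identification: a run of failures from one source
    # that ends in a success is the signature of a guessed password.
    streak = defaultdict(int)
    for r in records:
        key = (r["user"], r["src"])
        if r["result"] == "FAIL":
            streak[key] += 1
            continue
        if streak[key] >= RULE_MIN_FAILS:
            alerts.append(("rule", r["user"],
                           f"success after {streak[key]} failures from {r['src']}"))
        streak[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, bob's night-time burst trips all three detectors, while alice's single 03:12 login is caught only by her profile: the profile check is what distinguishes a misfeasor or masquerader using valid credentials from ordinary use, which no threshold on failures can see.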
Viruses and ‘Malicious’ Programs
•Terms [3]:
Computer "Viruses": Possess the ability to replicate themselves across an ever
increasing number of computers. They originally spread by users sharing
floppy disks. Now they spread primarily over the Internet; a self-replicating
program that spreads over a network by itself is called a "Worm".
"Malicious Programs": May be installed by hand on a single machine. They
may also be built into widely distributed commercial software packages. These
are very hard to detect before the payload activates (Trojan Horses, Trap Doors,
and Logic Bombs).
Basic Definitions
•Basic Terms [3]:
Virus: Code that copies itself into other programs.
"Bacteria": Replicates until it fills all disk space or consumes all CPU cycles.
Payload: Harmful things a malicious program does, after it has had time to
propagate.
Worm: Program that replicates itself across the network (usually riding on
email messages or attached documents, e.g. macro viruses).
Trojan Horse: Instructions in an otherwise good program that cause bad
things to happen (sending your data or password to an attacker over the net).
Logic Bomb: Malicious code that activates on an event (e.g., a date).
Trap Door (or Back Door): Undocumented entry point written into code for
debugging that can let unwanted users in.
Easter Egg: Extraneous code that does something "cool." A way for
programmers to show that they control the product.
Phases of Viruses
•Phases [3]:
(1) Dormant Phase: Virus is idle
(2) Propagation Phase: Virus places an identical copy of itself into other
programs
(3) Triggering Phase: Virus is activated to perform the function for which it
was intended
(4) Execution Phase: Function is performed
Types of Viruses
•Types [3]:
Parasitic Virus: Attaches itself to executable files as part of their code.
Runs whenever the host program runs, and looks for further files to infect.
Memory-resident Virus: Lodges in main memory as part of a resident system
program; from there it infects every program that executes.
Boot Sector Virus: Infects the boot sector of a disk, and spreads when the
operating system boots up (the original DOS viruses).
Stealth Virus: Explicitly designed to hide from virus-scanning programs
(e.g. by intercepting reads of infected files and returning the clean bytes).
Polymorphic Virus: Mutates with every new host to prevent signature
detection.
Macro Viruses
•Macro Virus [3]:
Microsoft Office applications allow "macros" to be part of a document. The
macro could run whenever the document is opened, or when a certain
command is selected (e.g. Save File).
Platform independent: any system running an application that supports the
macro language can be infected.
Infects documents, deletes files, generates email and edits letters.
Anti-Virus Approaches
•Anti-Virus Approaches (1) [3]:
1st Generation, Scanners: Search files for any of a library of known virus
"signatures." Also checked executable files for length changes.
2nd Generation, Heuristic Scanners: Look for more general signs than
specific signatures (code segments common to many viruses). Also check files
for checksum or hash changes against a stored baseline (integrity checking).
3rd Generation, Activity Traps: Stay resident in memory and look for certain
patterns of software behavior (e.g., a program scanning and modifying files).
4th Generation, Full Featured: Combine the best of the techniques above.
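The first two generations side by side, as an added example that is not part of the original lecture: a signature scanner and an integrity checker run over two constructed "executables" in a temporary directory, one infected by an appending parasite carrying a known signature and one patched in place by unknown code of the same length. The signature database and file contents are made-up markers, not real virus signatures.

```python
import hashlib
import os
import tempfile

# Constructed signature database (made-up byte patterns, not real signatures).
SIGNATURES = {
    "Demo.Appender": b"\xde\xad\xbe\xef@@INFECT@@",
    "Demo.Dropper": b"DROP-PAYLOAD-MARKER-7",
}


def scan_signatures(path):
    """First generation: names of every known signature found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def fingerprint(path):
    """(length, SHA-256) of a file: the two things an integrity checker stores."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()


def baseline(paths):
    """Second generation: record every executable while the system is clean."""
    return {p: fingerprint(p) for p in paths}


def integrity_check(base):
    """Report files whose length or hash no longer matches the baseline.  This
    catches a parasitic infection even when no signature exists for it."""
    changed = []
    for path, (size, digest) in base.items():
        cur_size, cur_digest = fingerprint(path)
        if cur_size != size:
            changed.append((path, "length"))
        elif cur_digest != digest:
            changed.append((path, "content"))
    return changed


def demo():
    """Build two clean binaries, baseline them, infect both, run both checks."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
        for path, tag in ((ls, b"clean program A"), (ps, b"clean program B")):
            with open(path, "wb") as f:
                f.write(b"\x7fELF" + b"\x00" * 60 + tag)   # constructed stand-in binary
        base = baseline([ls, ps])

        # Infection 1: a parasite appends itself, and carries a known signature.
        with open(ls, "ab") as f:
            f.write(SIGNATURES["Demo.Appender"])
        # Infection 2: unknown code patched in place; length unchanged.
        with open(ps, "r+b") as f:
            f.seek(4)
            f.write(b"JMP\x90\x90")

        sig_hits = {os.path.basename(p): scan_signatures(p) for p in (ls, ps)}
        changed = {os.path.basename(p): why for p, why in integrity_check(base)}
        return sig_hits, changed


if __name__ == "__main__":
    print(demo())
```

The scanner finds only the infection it has a signature for; the integrity check finds both but cannot say what changed, and it is only as trustworthy as the baseline: if the intruder reached stage (4) of the network intrusion slide and owns root, the baseline file must be kept on read-only media or a separate host, or it will be rewritten along with the binaries.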
Appendix 1: Loading a New UNIX Password
•Loading a New Unix Password [3]:
Appendix 2: Verifying a UNIX Password
•Verifying a Unix Password [3]:
Appendix 3: Markov Model
•Markov Model [3]:
Appendix 4: Spafford Model (1)
•Spafford Model (1) [3]:
Each word in the password dictionary is run through $k$ independent hash
functions, each of which yields an index into a table of $N$ bits:
$$H_i(X_j) = y, \qquad 1 \le i \le k;\; 1 \le j \le D;\; 0 \le y \le N-1$$
where $X_j$ is the $j$th word in the password dictionary and $D$ is the
number of words in the password dictionary.
The following procedure is then applied to the dictionary:
1. A hash table of $N$ bits is defined, with all bits initially set to 0.
2. For each password, its $k$ hash values are calculated, and the
corresponding bits in the hash table are set to 1.
A candidate password is then checked by computing its $k$ hash values: if
all $k$ bits are set it is rejected as a (probable) dictionary word; if any
bit is 0 it is certainly not in the dictionary and is accepted.
Appendix 5: Spafford Model (2)
•Spafford Model (2) [3]:
A password that is not in the dictionary is wrongly rejected (a false
positive) with probability
$$P \approx \left(1 - e^{-kD/N}\right)^k = \left(1 - e^{-k/R}\right)^k$$
or, equivalently,
$$R = \frac{-k}{\ln\left(1 - P^{1/k}\right)}$$
where
k = number of hash functions
N = number of bits in the hash table
D = number of words in the dictionary
R = N/D, ratio of hash table size (bits) to dictionary size (words)
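The Spafford checker of Appendices 4 and 5 and the proactive-checker strategy from the "Password Selection Strategies" slide, as an added example that is not part of the original lecture. It builds the bit table from a constructed twelve-word dictionary, checks candidate passwords against it, and evaluates the two formulas above; the choice of SHA-256 with a one-byte prefix as the family of $k$ hash functions is an assumption.

```python
import hashlib
import math

# Constructed mini-dictionary standing in for the 60,000-word list.
DICTIONARY = ["password", "letmein", "dragon", "qwerty", "monkey", "123456",
              "football", "baseball", "welcome", "sunshine", "princess", "shadow"]


def hash_indices(word, k, n_bits):
    """The k hash functions H_1..H_k: SHA-256 over (i || word), reduced mod N,
    so each yields a bit index in 0..N-1 (assumed construction)."""
    out = []
    for i in range(k):
        h = hashlib.sha256(bytes([i]) + word.encode()).digest()
        out.append(int.from_bytes(h[:8], "big") % n_bits)
    return out


class BloomChecker:
    """Spafford's proactive password checker: a Bloom filter over the dictionary."""

    def __init__(self, words, k=6, bits_per_word=10):
        self.k = k
        self.n_bits = max(1, len(words) * bits_per_word)     # N = R * D
        self.table = bytearray(self.n_bits)                   # one byte per bit, for clarity
        for w in words:                                       # step 2: set the k bits per word
            for j in hash_indices(w, k, self.n_bits):
                self.table[j] = 1

    def rejects(self, password):
        """True when all k bits are set: the password is (probably) in the
        dictionary.  A single clear bit proves it is not."""
        return all(self.table[j] for j in hash_indices(password, self.k, self.n_bits))


def false_positive_rate(k, n_bits, d_words):
    """P = (1 - e^(-kD/N))^k: chance a good password is wrongly rejected."""
    return (1 - math.exp(-k * d_words / n_bits)) ** k


def bits_per_word(p, k):
    """R = -k / ln(1 - P^(1/k)): table bits per dictionary word for target P."""
    return -k / math.log(1 - p ** (1.0 / k))


def table_size_bytes(d_words, p, k):
    """Storage needed for a D-word dictionary at false-positive rate P."""
    return math.ceil(d_words * bits_per_word(p, k) / 8)


if __name__ == "__main__":
    checker = BloomChecker(DICTIONARY, k=6, bits_per_word=200)
    for candidate in ("dragon", "xK7#pq!vL2"):
        print(candidate, "rejected" if checker.rejects(candidate) else "accepted")
    print("bits/word for P=1%, k=6:", round(bits_per_word(0.01, 6), 2))
    print("table for 60,000 words:", table_size_bytes(60000, 0.01, 6), "bytes")
```

Plugging the slide's own parameters in: for $k = 6$ and a 1% false-positive rate, $R \approx 9.6$ bits per word, so the 60,000-word dictionary from the password-guessing slide compresses to about 72 KB while the word list itself never has to be stored on the host, which is the point of the design. The filter can only reject dictionary words; the strength of anything it accepts still depends on the other rules applied to it.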
Appendix 6: Performance of Bloom Filter
•Performance of Bloom Filter [3]:
Appendix 7: Distributed Intrusion Detection (1)
•Distributed Intrusion Detection (1) [3]:
Appendix 8: Distributed Intrusion Detection (2)
•Distributed Intrusion Detection (2) [3]:
Appendix 9: Virus Structure
•Virus Structure [3]:
Appendix 10: Compression Virus
•Compression Virus [3]:
Appendix 11: Advanced Anti-Virus Approaches
•Advanced Anti-Virus Approaches [3]:
Resources
•[1] Stallings, William. Cryptography and Network Security. Prentice Hall, 1999.
Chapter 15.
•[2] Russell, Deborah and G. T. Gangemi. Computer Security Basics. O'Reilly,
1991.
•[3] Johnson, Hedric. 'IP Security'. Blekinge Institute of Technology, Sweden.
Lecture based on Stallings, Chapter 15.