Processes - Department of Computer and Information Science and

Programmed Threats
Richard Newman
What is a Programmed Threat?
Potential source of harm from computer code
May be in form of
- Executable program
- Executable code attached to another program
- Executable code pushed onto stack of running process
- Standalone script
- Commands run on startup of program
- Commands embedded in “non-executable” file
  – JPEG
  – Postscript
- Macros
Examples of Programmed Threats
1. Trojan Horse
   – Program that purports to do one thing but (also) does another
2. Virus
   – Embedded in another program/file (becomes Trojan)
   – Must get user or system to run program/open file
   – Infects other files/drives
   – Hitchhikes to other file systems on host file via removable media or email
3. Bacteria/Rabbits
   – Replicate so fast, use up all resources
4. Worm
   – Stand-alone program
   – Transfers itself to target system
   – Runs automatically on target system (generally)
More Programmed Threats
5. Buffer overflow attack
   – “Improper” parameters corrupt stack
   – Includes executable code
   – Return pointer in activation frame may be changed to point to code
6. SQL Injection
   – Interpretable commands included in SQL query
   – SQL engine executes malicious commands
7. Run command script
   – Malicious commands included in .rc (or similar) file
   – Commands executed when program is started
8. Back Door/Trap Door
   – “Secret” way to get access to system
   – May be included for field technicians or administrators
   – See http://cm.bell-labs.com/who/ken/trust.html
   – Often first goal of intruders
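The SQL injection item above, as an added example that is not from the slides: a lookup that pastes user input into the SQL text, beside the parameterized form, run against a constructed in-memory SQLite table. The table, its rows and the injected string are all assumptions of this demo.

```python
import sqlite3

# Constructed sample table, not from the slides: two users and their roles.
SAMPLE_ROWS = [("alice", "secret1", "admin"), ("bob", "secret2", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name, password):
    # The user-supplied strings are pasted into the SQL text, so anything
    # in them that SQL can interpret (quotes, OR, comments) becomes part
    # of the statement the engine executes.
    sql = (f"SELECT name, role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name, password):
    # Placeholders hand the values to the engine separately from the
    # statement text; they are only ever treated as data, never as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    conn = make_db()
    # Constructed injection string: closes the quote, makes the WHERE
    # clause true for every row, and "--" comments out the password check.
    injected = "' OR '1'='1' --"
    return {
        "vulnerable": lookup_vulnerable(conn, injected, "anything"),
        "parameterized": lookup_parameterized(conn, injected, "anything"),
        "legit": lookup_parameterized(conn, "bob", "secret2"),
    }
```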
Viruses
1. History
   – Von Neumann's self-reproducing automata in 1960's
   – See http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
   – First seriously appeared in early 1980's – Elk Cloner, Brain
   – Big issue with PCs and floppy disks/bulletin boards
2. General MO
   – Infected program run – viral code runs first
   – Optionally takes measures to hide
   – Looks for new files/drives to infect, infects them
   – Does “other stuff”
     • Logic Bomb
     • Time Bomb
     • Password cracking
     • Install back door
     • Wreak havoc
   – Returns control to original program
Viruses
3. Boot Sector Virus
   – Copies boot sector (small bootstrap program) to unused disk block
   – Overwrites boot sector with viral code
   – Intercepts calls to disk drive/TSR code
   – Redirects reads of boot sector to read copy in other location
   – Looks for new disk to infect whenever disk is accessed
4. Executable Virus
   – Adds viral code to executable program
   – May rewrite JUMP instruction to jump to viral code first, then issue JUMP to program code when done
   – May modify itself (code transformation) or modify where it is stored to evade detection (polymorphic virus)
Viruses
5. Macro Virus
   – Included in “non-executable” file with format supporting macros
     • Spreadsheets
     • Document preparation software
     • Graphics editors
   – Copies macros into other files of same type
   – Modifies file contents to exercise macros
6. Stealth Techniques
   – Intercept system calls to modify (man-in-the-middle)
   – Modify system meta-information (file control block, process info)
   – Compress itself so file size does not change
   – Modify itself
   – Encrypt viral code
Worms
1. History
   – 1971 “Creeper virus” at BBN – “Reaper” to kill it
   – Name coined in Brunner's “The Shockwave Rider” sci-fi novel
   – Xerox PARC worm for using idle workstations (1982)
   – Enabled by network/LAN technology
   – Morris worm 1987
   – Code Red, etc.
2. General MO
   – Standalone program
   – Looks for target host
   – Transfers loader (micro-FTP) to target host
   – See http://www.wormblog.com/
PARC Worm
3. Xerox PARC worm – 1982
   – Users ran server pgm on W/S when idle
   – Worm “head” found idle workstations, sent work
   – “Segments” did work, reported to head
   – Head had backup segments also
   – Had to shut down all stations to get to stop!
   – See Shoch and Hupp, “The Worm Programs: Early Experience with a Distributed Computation,” Xerox Palo Alto Research Center, 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf
Morris Worm
4. Morris worm
   – Experiment by grad student at Cornell, November 1988
   – Looks for target host – random, /etc/hosts, .rhosts
   – Tried to get access
     • Sendmail “feature” – debug mode
     • Symmetry of trust
     • Finger flaw – buffer overflow
     • Password guessing
   – Transferred “grappling hook” to target host
   – Grappling hook got rest of worm, ran it
   – Overwhelmed hosts with processes
   – Overwhelmed networks
Morris Worm
4. Morris worm (cont'd)
   – Stealth techniques
     • “Encrypted” code (flipped MSB in ASCII)
     • Changed process name to innocuous pgm
     • Changed process ID periodically – short life per proc
     • Died completely after short time
   – Sendmail access
     • Back door, poor configuration, poor interface
   – Symmetry of trust
     • Remote login without password required
     • Host lists trusted hosts
     • If a host B is on list of A, likely host A is on list of B
   – See spaf.cerias.purdue.edu/tech-reps/823.pdf
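The “flipped MSB” obfuscation listed under stealth techniques above, as an added forensic example that is not from the slides: the transform is self-inverse, so a scan can recover ASCII strings hidden this way that a plain strings(1) pass would miss. The sample blob and the strings embedded in it are constructed for the demo, not taken from the worm.

```python
def flip_msb(data: bytes) -> bytes:
    """Flip the most significant bit of every byte (self-inverse)."""
    return bytes(b ^ 0x80 for b in data)


def recover_msb_strings(blob: bytes, min_len: int = 6):
    """Return printable ASCII runs that only appear once the MSB is cleared.

    A byte qualifies when its high bit is set and clearing that bit yields
    a printable ASCII character (0x20..0x7e); ordinary text, whose high bit
    is already clear, is deliberately not reported.
    """
    found, run = [], bytearray()
    for b in blob:
        if b & 0x80 and 0x20 <= (b ^ 0x80) < 0x7f:
            run.append(b ^ 0x80)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed sample "binary": filler bytes around two MSB-flipped strings
# (the strings themselves are just names that appear on the slides).
SAMPLE_BLOB = (b"\x00\x01" + flip_msb(b"/etc/hosts") + b"\x90\x00"
               + flip_msb(b"sendmail") + b"\xff")
```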
Code Red Worm
5. Code Red Worm
   – July 2001
   – Attacked MS IIS
     • Buffer overflow attack
     • Patch had been available for a month
   – Spread
     • Only 1st–19th of month – look for other IIS servers
     • Did not determine if IIS server was vulnerable first
   – Mischief
     • Deface website – “Hacked by Chinese”
     • Launch DoS attack 20th–27th of month vs. fixed IP addr
Code Red Worm
5. Code Red Worm IIS buffer overflow:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
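The request above, as an added detection example that is not part of the slides: it parses the HTTP request line and extracts the traits a web-log or IDS check would key on (the .ida target, the long single-character filler run, and the IIS-specific %uXXXX escapes). The rejoined request literal, the 224-character filler count and the thresholds are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# The slide's request line rejoined into one string (assumption: the "N"
# run was wrapped for display and is 224 characters long in the request).
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    + "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
_UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")   # IIS-specific %uXXXX form
_FILLER_RUN = re.compile(r"(.)\1{63,}")              # 64+ repeats of one char


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path, query, version."""
    m = _REQUEST_LINE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m.group(2))          # leaves % escapes undecoded
    return {"method": m.group(1), "path": target.path,
            "query": target.query, "version": m.group(3)}


def code_red_features(line):
    """Extract the traits of the Code Red overflow request, or None."""
    req = parse_request_line(line)
    if req is None:
        return None
    run = _FILLER_RUN.search(req["query"])
    escapes = _UNICODE_ESCAPE.findall(req["query"])
    return {
        # .ida = the IIS Indexing Service ISAPI extension that was overflowed
        "ida_target": req["path"].lower().endswith(".ida"),
        "filler_run": len(run.group(0)) if run else 0,
        "unicode_escapes": len(escapes),
        # 0x90 is the x86 NOP opcode; repeated %u9090 words are padding
        "nop_words": sum(1 for e in escapes if e.lower() == "%u9090"),
    }


def looks_like_code_red(line):
    """Flag when all three signature traits are present (thresholds assumed)."""
    f = code_red_features(line)
    return bool(f and f["ida_target"] and f["filler_run"] >= 64
                and f["unicode_escapes"] >= 8)
```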