Chapter 7
Program Security
Stallings
3/22/2016
Chp. 7,11,12
Prof. Ehud Gudes Security Ch 7
1
Malicious code
 Trojan Horses—A Trojan Horse is an apparently useful
program that has hidden functions, usually harmful. A
Trojan Horse can violate integrity more easily than
confidentiality.
 Viruses – A virus is a program that attaches itself to
another program, propagates, and usually causes some
data destruction. General virus detection is an
undecidable problem, but we can detect specific viruses.
Worms—A worm is a program that propagates itself
without infecting the host.
3/22/2016
Prof. Ehud Gudes Security Ch 7
2
Trojan Horses
Free program made available to
unsuspecting user
Actually contains code to do harm
Place altered version of utility program on
victim's computer
trick user into running that program
3/22/2016
Prof. Ehud Gudes Security Ch 7
3
Viruses and worms
Self-propagating
May destroy information and clog services
A mix of vandalism and ego trip
Take advantage of operating system and
utilities flaws and uniformity of systems
Examples of recent viruses - next
3/22/2016
Prof. Ehud Gudes Security Ch 7
4
Recent Viruses
• BOBBIT VIRUS: Removes a vital part of your hard disk then re-attaches
it. (But that part will never work properly again.)
• OPRAH WINFREY VIRUS: Your 200MB hard drive suddenly shrinks to
80MB, and then slowly expands back to 200MB.
• AT&T VIRUS: Every three minutes it tells you what great service you are
getting.
• POLITICALLY CORRECT VIRUS: Never calls itself a "virus", but instead
refers to itself as an "electronic micro-organism."
• RIGHT TO LIFE VIRUS: Won`t allow you to delete a file, regardless of
how old it is. If you attempt to erase a file, it requires you to first see a
counselor about possible alternatives.
• ROSS PEROT VIRUS: Activates every component in your system, just
before the whole damn thing quits.
• TED TURNER VIRUS: Colorizes your monochrome monitor.
• ARNOLD SCHWARZENEGGER VIRUS: Terminates and stays resident.
It`ll be back
3/22/2016
Prof. Ehud Gudes Security Ch 7
5
Program Threats
Trap door
 Code segment that misuses its environment and allows
malicious code (trojan horse) to execute.
 Exploits mechanisms for allowing programs written by users
to be executed by other users.
Trap Door examples
 Specific user identifier or password that circumvents normal
security procedures.
 Could be included in a compiler (Kernighan’s C compiler).
 Stack and Buffer Overflow - Exploits a bug in a program
(overflow either the stack or memory buffers.)
3/22/2016
Prof. Ehud Gudes Security Ch 7
6
Trap Doors
(a) Normal code.
(b) Code with a trapdoor inserted
3/22/2016
Prof. Ehud Gudes Security Ch 7
7
Logic Bombs
Company programmer writes program
potential to do harm
OK as long as he/she enters password daily
if programmer is fired, no password and bomb
explodes
3/22/2016
Prof. Ehud Gudes Security Ch 7
8
Login Spoofing
(a) Correct login screen
(b) Phony login screen
3/22/2016
Prof. Ehud Gudes Security Ch 7
9
Worms
replicating program that propagates over net
using email, remote exec, remote login
has phases like a virus:
dormant, propagation, triggering, execution
propagation phase: searches for other systems,
connects to it, copies self to it and runs
may disguise itself as a system process
concept seen in Brunner’s “Shockwave Rider”
implemented by Xerox Palo Alto labs in 1980’s
Morris Worm
one of best know worms
released by Robert Morris in 1988
various attacks on UNIX systems
cracking password file to use login/password
to logon to other systems
exploiting a bug in the finger protocol
exploiting a bug in sendmail
if succeed have remote shell access
sent bootstrap program to copy worm over
The Internet worm of 1988 [J6]
 Guessed and tried passwords with the use of a
dictionary
 Exploited bugs in the finger and sendmail programs,
including buffer overflow.
 Took advantage of the fact that some systems specify
trusted computers from which remote logins are
accepted without checking passwords.
 Used encryption and other ways to hide its existence
(a polymorphic virus).
3/22/2016
Prof. Ehud Gudes Security Ch 7
12
The Morris Internet Worm
3/22/2016
Prof. Ehud Gudes Security Ch 7
13
Worm Propagation Model
Recent Worm Attacks
Code Red
July 2001 exploiting MS IIS bug
probes random IP address, does DDoS attack
consumes significant net capacity when active
Code Red II variant includes backdoor
SQL Slammer
early 2003, attacks MS SQL Server
compact and very rapid spread
Mydoom
mass-mailing e-mail worm that appeared in 2004
installed remote access backdoor in infected systems
New Worm Technology
multiplatform
multi-exploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles
zero-day exploit
Worm Countermeasures
overlaps with anti-virus techniques
once worm on system A/V can detect
worms also cause significant net activity
worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting
Proactive Worm
Containment
Viruses
piece of software that infects programs
modifying them to include a copy of the virus
so it executes secretly when host program is run
specific to operating system and hardware
taking advantage of their details and weaknesses
a typical virus goes through phases of:
dormant
propagation
triggering
execution
Virus Damage Scenarios
Blackmail
(ask for money for decryption key)
Denial of service as long as virus runs
(fill out disk, clog CPU or memory)
Permanently damage hardware
(BIOS)
Target a competitor's computer
 do harm
 Espionage
Intra-corporate dirty tricks
 sabotage another corporate officer's files
3/22/2016
Prof. Ehud Gudes Security Ch 7
20
Viruses - program “segments”
Program segments attached to another executable
When program is run, the virus proliferates
actually a type of Trojan horse… but not personal..
Numerous possible actions:
 erasing, modifying, encrypting files
 display extortion note: send $$$
 damage boot sector on hard disk (or ask for password..)
Defenses:
 look for known viruses in files
 perform checksum on files
 make directories of binary files unwritable for users...
3/22/2016
Prof. Ehud Gudes Security Ch 7
21
Virus Structure
components:
infection mechanism - enables replication
trigger - event that makes payload activate
payload - what it does, malicious or benign
prepended / postpended / embedded
when infected program invoked, executes
virus code then original program code
can block initial infection (difficult)
or propogation (with access controls)
Virus Structure
Compression Virus
Virus Classification
boot sector
file infector
macro virus
encrypted virus
stealth virus
polymorphic virus
metamorphic virus
How Viruses Spread
Virus placed where likely to be copied
When copied
infects programs on hard drive, floppy
may try to spread over LAN
Attach to innocent looking email
when it runs, use mailing list to
replicate(News-group)
Use naïve subjects: I miss you, I am ill, etc
Hide inside application macros (Ms-word,
MS-excel)
3/22/2016
Prof. Ehud Gudes Security Ch 7
26
How Viruses Work (1)
Virus written in assembly language
Inserted into another program
use tool called a “dropper”
Virus dormant until program executed
then infects other programs
eventually executes its “payload”
3/22/2016
Prof. Ehud Gudes Security Ch 7
27
How Viruses Work (2)
Recursive procedure
that finds
executable files
on a UNIX system
Virus could
infect them all
3/22/2016
Prof. Ehud Gudes Security Ch 7
28
How Viruses Work (3)




3/22/2016
An executable program
With a virus at the front
With the virus at the end
With a virus spread over free space within program
Prof. Ehud Gudes Security Ch 7
29
Macro Virus
became very common in mid-1990s since
platform independent
infect documents
easily spread
exploit macro capability of office apps
executable program embedded in office doc
often a form of Basic
more recent releases include protection
recognized by many anti-virus programs
E-Mail Viruses
more recent development
e.g. Melissa
exploits MS Word macro in attached doc
if attachment opened, macro activates
sends email to all on users address list
and does local damage
then saw versions triggered reading email
hence much faster propagation
Compressed and Encrypted Viruses
(a) A program
(b) Infected program
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code
3/22/2016
Prof. Ehud Gudes Security Ch 7
32
Polymorphic Viruses
Examples of a polymorphic virus
All of these examples do the same thing
3/22/2016
Prof. Ehud Gudes Security Ch 7
33
Virus Countermeasures
prevention - ideal solution but difficult
realistically need:
detection
identification
removal
if detect but can’t identify or remove,
must discard and replace infected
program
Anti-Virus Evolution [J7]
virus & antivirus tech have both evolved
early viruses simple code, easily removed
as become more complex, so must the
countermeasures
generations
first - signature scanners
second - heuristics
third - identify actions
fourth - combination packages
Antivirus and Anti-Antivirus Techniques
Integrity checkers
Behavioral checkers
Virus avoidance
 good OS
 install only shrink-wrapped software
 use antivirus software
 do not click on attachments to email
 frequent backups
Recovery from virus attack
 halt computer, reboot from safe disk, run antivirus
3/22/2016
Prof. Ehud Gudes Security Ch 7
36
Antivirus and Anti-Antivirus Techniques
Inoculation – insert code like a virus. A virus does
not attack a file which is already “affected”.
Problem: need to know which virus will attack
next?!
Disinfection – returning the original entry point and
erasing virus code.
Problem: what if this was an overwriting virus or
apadding virus
Scanning and checking file size and signature
during OPEN
Problem: a boot sector or a ROM virus may
override open and bypass this check!
Summary: a never ending war!
3/22/2016
Prof. Ehud Gudes Security Ch 7
37
Digital Immune System
Behavior-Blocking
Software
Buffer Overflow
 (a) Situation when main program is running
 (b) After program A called
 (c) Buffer overflow shown in gray
3/22/2016
Prof. Ehud Gudes Security Ch 7
40
Buffer Overflow example
#define BUFSIZE 4
void myFunc(char *someBuf)
{ char buf[BUFSIZE ];
printf printf ("Copying ...");
/* Let's do a REALLY stupid thing here */
strcpy(buf,someBuf); /* NO Bounds check! */
printf ("Returning... \n");
}
The example above shows how overflows are
performed, in practice. An unsafe C standard
library function (in this case, strcpy(), which
knows no bounds), copies a buffer, and exceeds
the allocated space.
3/22/2016
Prof. Ehud Gudes Security Ch 7
41