Computer Security Management (ISYS20261) Lecture 5 - Host-based Attacks Module Leader: Dr Xiaoqi Ma School of Science and Technology

Isys20261 lecture 05

Sep 03, 2014

Wil Ferraciolli

Page 1: Isys20261 lecture 05

Computer Security Management (ISYS20261)
Lecture 5 - Host-based Attacks

Module Leader: Dr Xiaoqi Ma
School of Science and Technology

Page 2: Isys20261 lecture 05

Computer Security ManagementPage 2

Last Time:

• CSI Computer Security Survey
• Offers good overview
• Three basic types of attacks:
  – Host-based Attacks
  – Network-based Attacks
  – Social Engineering
• Host-based attacks:
  – Malicious Code
  – Malicious Software

Page 3: Isys20261 lecture 05


Today

• Malicious Code
  – Backdoors
  – Computer Viruses
• Malicious Software (Malware)
  – Computer Worms
  – Trojan Horses (Trojans)
  – Rootkits
  – Spyware

Page 4: Isys20261 lecture 05


Backdoors (1)

• Sometimes referred to as Trapdoor
• Secret built-in method for (unauthorised) access to a system
  – Universal standard password
  – Secret admin account
• Usually smuggled in by a third party
  – Programmer who wants to gain access to the system once it is put into operation
  – Espionage
  – Viruses and Trojans
  – etc.

Page 5: Isys20261 lecture 05


Backdoors (2)

• Can be inserted at any point in the tool-chain
  – Source code
  – Compiler
  – Executable
• Open source software less likely to contain a backdoor
• Symmetric Backdoor
  – everybody who knows about the Backdoor can use it
• Asymmetric Backdoor
  – can only be used by the attacker who plants it
  – Based on asymmetric cryptography

Page 6: Isys20261 lecture 05


Finding backdoors

• Code reviews
  – Only possible if the code is available (Open Source)
  – Similar to white box testing
  – Example: backdoor in Linux kernel's source code
• Disassembling and analysing executables
  – Can be done for programs and libraries
  – Laborious and error prone

Page 7: Isys20261 lecture 05


Computer viruses (1)

• Term was introduced in 1983 by Fred Cohen
• Self-replicating code (viral code) that secretly embeds itself into a host program without permission or knowledge of the owner/user (infection)
• If the infected program is executed, the virus is executed as well and tries to spread itself by infecting other programs
• Sometimes a virus modifies its own code before it infects other programs to avoid detection (no fixed signature, i.e. sequence of instructions)
  – Polymorphic virus re-encrypts itself with each infection
  – Metamorphic virus re-writes its own code with each infection

Page 8: Isys20261 lecture 05


Computer viruses (2)

• Viruses usually carry a payload, i.e. serve another (criminal) purpose
  – Installing malicious software on the computer
  – Deleting data and/or programs
  – Encryption of data (blackmailing!)
• Different infection methods
  – Boot sectors
  – Executable files
  – Macros in documents
  – Scripts on web pages

Page 9: Isys20261 lecture 05


Boot sector viruses

• Oldest type of computer virus
• Does not infect an executable but the boot sector of a floppy disk or the Master Boot Record (MBR) of a hard disk
• MBRs and boot sectors contain a Boot Loader program that is executed after the computer is switched on to load the operating system
  – Boot virus embeds itself into the Boot Loader
  – It is executed when the BIOS tries to run the Boot Loader
  – It then tries to infect the MBRs of installed hard drives before it carries out a destructive action or before it loads the OS
• Today extinct
  – Can easily be found by anti-virus software
  – The virus is very limited in memory (444 Bytes!)

Page 10: Isys20261 lecture 05


File viruses (1)

• Embeds itself into an executable program file
• Different infection methods
  – Overwriting viruses
  – Companion viruses
  – Parasitic viruses

Page 11: Isys20261 lecture 05


File viruses (2)

• Overwriting virus:
  – Virus completely replaces the code of the infected program
  – Easy to detect since the original program does not work anymore
  – File size changed, can be detected by integrity-checking software
• Companion virus:
  – Infects an .EXE file by creating a matching file with a .COM extension that contains the viral code and puts it into the same directory
  – The OS gives preference to .COM files over .EXE files and hence the viral code is executed when the user starts the program
  – It then carries out the spread routine before executing the original .EXE file
  – Size of original file is not changed

Page 12: Isys20261 lecture 05


File viruses (3)

• Parasitic viruses modify the code of the infected file
• The infected file remains partially or fully functional
• Different types:
  – Prepender
  – Appender
  – Entry Point Obscuring (inserting)
  – Cavity filler
• Stealth virus:
  – Tries to hide its existence
  – Example: parasitic virus that intercepts system calls that return the size of a file to fool integrity-checking software

Page 13: Isys20261 lecture 05


File viruses (4)

• Prepender virus:
  – Places its code at the beginning of the file it infects
  – Viral code is executed first when the infected file is executed
  – File size increased, can be detected by integrity-checking software
• Appender virus:
  – Places its code at the end of the file it infects
  – Adjusts the file's entry point to cause its code to be executed before that of the original file
  – File size increased, can be detected by integrity-checking software

Page 14: Isys20261 lecture 05


File viruses (5)

• Entry Point Obscuring:
  – Places its code in the middle of the file it infects
  – May move a section of the original code to the end of the file, or simply push the code aside to make space for its own code
  – File size increased, can be detected by integrity-checking software
• Cavity filler:
  – Virus which seeks out unused space within the files it infects
  – Inserts its code into these gaps to avoid changing the size of the file
  – Does not alert integrity-checking software to its presence
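Slides 11 to 14 repeatedly note which infection styles change the file size and which (the cavity filler) do not. The added example below, which is not part of the lecture, shows why an integrity checker must record a content hash and not only the size: the three "programs" and the byte edits applied to them are constructed in memory.

```python
"""Integrity baseline vs. the parasitic infection styles on these slides.

A size-only check catches prependers, appenders and overwriters, but not a
cavity filler, which keeps the size unchanged. Hashing the content catches both.
The files and the modifications below are constructed; nothing is read from disk.
"""
import hashlib

def baseline(files):
    """Record (size, SHA-256) for each name -> bytes mapping."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def check(files, base):
    """Return {name: verdict}; verdict is 'ok', 'size' or 'content'."""
    verdicts = {}
    for name, data in files.items():
        size, digest = base[name]
        if len(data) != size:
            verdicts[name] = "size"        # prepender/appender/EPO: size grew
        elif hashlib.sha256(data).hexdigest() != digest:
            verdicts[name] = "content"     # cavity filler: same size, new bytes
        else:
            verdicts[name] = "ok"
    return verdicts

# Constructed "programs": a few code bytes followed by zero padding (the cavity).
ORIGINALS = {
    "prog_a.bin": b"\x55\x89\xe5" + b"\x00" * 16 + b"\xc3",
    "prog_b.bin": b"\x55\x89\xe5" + b"\x00" * 16 + b"\xc3",
    "prog_c.bin": b"\x55\x89\xe5" + b"\x00" * 16 + b"\xc3",
}
MARKER = b"INSRT"  # constructed stand-in for inserted code; carries no behaviour

def simulate_infections(originals):
    """Apply two of the modification styles from the slides to copies."""
    a, b, c = (originals[k] for k in ("prog_a.bin", "prog_b.bin", "prog_c.bin"))
    return {
        "prog_a.bin": a,                                      # untouched
        "prog_b.bin": MARKER + b,                             # prepender: size grows
        "prog_c.bin": c[:3] + MARKER + c[3 + len(MARKER):],   # cavity filler: same size
    }

def demo():
    base = baseline(ORIGINALS)
    return check(simulate_infections(ORIGINALS), base)

if __name__ == "__main__":
    print(demo())  # {'prog_a.bin': 'ok', 'prog_b.bin': 'size', 'prog_c.bin': 'content'}
```

The stealth virus on slide 12 hooks the size-returning system call; a hash computed from the actual bytes read is unaffected by that particular trick, although a rootkit-level hook of the read path (slide 23) would still defeat it.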

Page 15: Isys20261 lecture 05


Macro viruses

• Relies on application programs that use documents with embedded macros, e.g. MS Word, MS Excel, etc

• Viral code is programmed as a macro and embedded in an infected document

• If an infected document is opened in the application program, the macro is executed

• The macro tries to locate other documents of that type and embeds copies of itself into the documents found
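Macro viruses live in the document's embedded macro project. As an added example that is not part of the lecture, the check below inspects a modern Office document (a zip archive) for a VBA project part; both test documents are constructed in memory, and the `vbaProject.bin` body is a placeholder, not a real macro.

```python
"""Flag Office documents (.docm/.xlsm style zips) that carry a VBA macro project.

A document that can host a macro virus contains a vbaProject.bin part, and its
[Content_Types].xml declares the VBA content type. Added example; the two
documents built here are constructed, not real files.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def has_macro_project(doc_bytes):
    """Return (flag, reason). Checks the part name first, then the content type."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.endswith("vbaProject.bin")]
        if vba_parts:
            return True, "vba part: " + vba_parts[0]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                return True, "content type declares a VBA project"
    return False, "no macro project"

def build_doc(with_macro):
    """Construct a minimal zip shaped like an OOXML Word document."""
    ct = ['<?xml version="1.0"?><Types>',
          '<Override PartName="/word/document.xml" ContentType="application/xml"/>']
    if with_macro:
        ct.append('<Override PartName="/word/vbaProject.bin" '
                  'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a macro project; constructed.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("plain", build_doc(False)), ("macro", build_doc(True))):
        print(label, has_macro_project(doc))
```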

Page 16: Isys20261 lecture 05


Script viruses

• Very similar to macro viruses
• Uses web applications and script languages, e.g. JavaScript
• Normally, scripts are embedded in HTML web pages to provide additional functionality, e.g. dynamic web pages, guest books, etc.
• Script virus embeds itself into an HTML page
• Most browsers execute embedded scripts automatically!
• If executed, it tries to spread or carries out its payload

Page 17: Isys20261 lecture 05


How to protect against computer viruses

• Use anti-virus software with up-to-date signature database
• Install software patches immediately (OS and applications)
• Disable macros in applications unless you really need them
• Disable scripting in web browsers

Page 18: Isys20261 lecture 05


Computer Worms

• Self-replicating computer program that secretly copies itself to other computers without permission or knowledge of the owner/user (infection)
• It uses a network to send copies of itself to other nodes (computers)
• It may do so without any user intervention, but sometimes some user action is required (email worms)
• Unlike viruses, worms do not need to attach themselves to an existing program
• Worms always consume network bandwidth and might carry a payload, e.g. to install backdoors on infected machines

Page 19: Isys20261 lecture 05


How to protect against computer worms

• Use a firewall
• Install software patches immediately (OS and applications)
• Do not open unexpected emails or run unknown email attachments

Page 20: Isys20261 lecture 05


Trojan Horses (Trojans)

• Malicious software (malware) that appears to perform a desirable function but also performs undisclosed malicious functions
• Term is derived from the classical story of the Trojan Horse
• Always requires some user action to install
• Trojans usually install malware (payload) to
  – Gain unauthorised remote access (backdoors)
  – Destroy data
  – Download even more malware (spyware)
  – Disable security software
  – Start denial-of-service attacks
• Once the malware is installed, deleting the Trojan does not help!

Page 21: Isys20261 lecture 05


How to protect against Trojans

• Do not install software from an unknown source
• Do not run attachments from unexpected emails
• Use anti-virus software with up-to-date signature database

Page 22: Isys20261 lecture 05


Rootkits (1)

• Malicious program that hides malicious files or folders from normal sight
• Often used by malware to conceal its presence and activities
• The term rootkit applied originally to UNIX-based operating systems
• It is a collection of tools to enable a user to obtain root (administrator-level) access to a system and to conceal any changes they might make
• Such tools often included malicious versions of standard system monitoring programs which would hide the rootkit operators' activities
• More recently: malware using stealth techniques

Page 23: Isys20261 lecture 05


Rootkits (2)

• Rootkits can operate at a number of levels
• Application level
  – replacing or adjusting the settings of system software to prevent the display of certain information
• Operating system level
  – hooking certain system functions
  – inserting modules or drivers into the operating system kernel
• Firmware level/virtualisation level
  – firmware and/or virtual machines are activated before the operating system and thus even harder to detect while the system is running

Page 24: Isys20261 lecture 05


Rootkits (3)

• Example: in 2005, Sony BMG caused a scandal by including a rootkit on music CDs, in an attempt to enforce DRM; it allowed anyone who knew about the rootkit to gain administrator rights on an infected machine
• Rootkit binaries are easy to detect using anti-virus software
• However, once they run they are hidden and hence very difficult to detect
• Might be detected using anti-spyware software
• Detection based on analysis of the behaviour of a system
• Rootkits are difficult to remove once detected!

Page 25: Isys20261 lecture 05


Spyware/Adware

• Software that collects private information or monitors user behaviour secretly
• The term spyware essentially covers any software that gathers information and passes it to a third party without adequate permission from the owner of the data
• Examples
  – Keylogger: monitors the keys pressed and thus records any sensitive data, such as passwords, entered by the user
  – Password stealer: steals user data such as login IDs/passwords
  – Packet analyser (sniffer): intercepts and logs traffic passing over a digital network
  – Cookies: allow the identification of a computer/user, e.g. for tracking etc.
• Adware: software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed (privacy-invasive software)

Page 26: Isys20261 lecture 05


Summary

• Host-based attacks are carried out using malicious code and software
  – Code: Backdoors and viruses
  – Software: Worms, trojans, rootkits, spyware, …
• The sophistication increases all the time, which has led to an arms race between the developers of malicious software and security software
• The baddies are usually one step ahead
• They are professionals, highly trained and educated
• Usually linked to organised crime