Outline for Today’s Lecture Administrative: Objective: – Viruses and worms


Dec 14, 2015



Lenard Small
Transcript
Page 1: Outline for Today’s Lecture Administrative: Objective: –Viruses and worms.

Outline for Today’s Lecture

Administrative:

Objective: – Viruses and worms

Page 2:

Viruses and Worms

• Virus = a program that reproduces itself by attaching its code to another executable program
– Activated when its host program is executed

• Worm = a program that replicates itself and causes a new copy to execute
– Self-contained: needs no host program
– Hijacks an existing process or creates a new one

Page 3:

Lifecycle of an Attack

Probe: scan ports, ping addresses, guess passwords, harvest addresses from the e-mail address book

Penetrate: mail attachments, buffer overflows, backdoors, macros

Persist: create / modify files, infect the boot sector, modify the registry, weaken security settings, hide and disguise actions

Propagate: use the e-mail client, bring up own SMTP or HTTP servers, FTP

Paralyze: do damage: destroy data, denial of service, leak information

Page 4:

History of Worms

1982 – Xerox PARC envisions worms as an administrative mechanism to perform legitimate tasks on a distributed system

1988 – Morris worm is the first Internet worm (with dramatic consequences)

…
2001 – Code Red
2003 – Slammer, Blaster
2004 – Sasser, Witty

Page 5:

The Morris Internet Worm

• Nov. 1988, Robert Morris, Cornell grad student
• Consisted of two programs

– a bootstrap to upload the worm
– the worm itself

• The worm first hid its existence
• Next it replicated itself onto new machines

– rsh to hosts that trusted the infected machine
– finger name@site: overflow the finger daemon’s stack with a long string
– a bug in sendmail (debug mode) to mail the bootstrap and exec it
– tried to break user passwords and go on from there

• Too aggressive: it let 1 in 7 re-infections live, so machines were infected many times over and ground to a halt
• Caught and convicted

Page 6:

Stopping Attacks

• CERT – Computer Emergency Response Team – collects information on system flaws that can be attacked and fields reports of security break-ins

• Traditional timeline of an attack:

Application released with bug → Vulnerability announced & patch released → Attack released

– Bad guys create the attack; good guys patch fast
– Often < 1 day between the patch and the attack

Page 7:

How Viruses Work

• Virus usually written in assembly language
• Inserted into another program

– using a tool called a “dropper”

• Virus dormant until the program is executed
– then infects other programs
– eventually executes its “payload”

• possibly waits for a significant date

Page 8:

How Viruses Work

• An executable program
• with a parasitic virus at the front
• at the end
• spread over the free space within the program (cavity virus)

Page 9:

How Viruses Work

Boot sector viruses

1st hide the real boot sector

When booted, the virus copies itself into memory, making it a memory-resident virus

Then boots the OS

A device driver infected with the virus also loads it at boot time.

Page 10:

How Viruses Work

• After the virus has captured the interrupt and trap vectors
– the syscall trap is a good one: the virus can look for exec calls

• After the OS has retaken the printer interrupt vector
• After the virus has noticed the loss of the printer interrupt vector and recaptured it

Page 11:

How Viruses Work

Macros

Applications like Word or Excel allow macros that get executed via a keystroke or menu

Attach a macro to the open-file function and you are off and running

Can be sent in email attachments

Some emailers automatically open attachments

Page 12:

How Viruses Spread

• Virus placed where it is likely to be copied

• When copied
– infects programs on the hard drive, floppy
– may try to spread over the LAN

• Attach to an innocent-looking email
– when it runs, use the mailing list to replicate

Page 13:

Stopping Attacks

• Identifying viruses and worms before they execute – antivirus – trusted code only

• Catch ’em in the act of misbehaving before they do harm

• Monitoring and controlling what suspicious code can do – interpreters and sandboxing

Page 14:

Antivirus and Anti-Antivirus Techniques

(a) A program
(b) Infected program, metadata giveaways
(c) Compressed infected program
(d) Encrypted virus
(e) Compressed virus with encrypted compression code

Page 15:

Antivirus and Anti-Antivirus Techniques

Examples of a polymorphic virus: all of these examples do the same thing, but the bytes differ from copy to copy

Mutation engine – code that morphs the signature part of the virus each time it spreads, so a scanner looking for one fixed byte string misses the next generation
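The parasitic end-of-file infection of slide 8 and the mutation engine of this slide, as an added example that is not part of the original lecture. The "host", "virus body" and decryptor stub are constructed toy byte strings, not executable code; the toy scanner, the text-form decryptor and the `#BODY#` marker are assumptions made for the demo. It shows why a fixed signature catches the plain appended virus but not the mutated one, and how an antivirus recovers by emulating the decryptor instead of matching it:

```python
import random
import re

# Constructed toy host and toy virus body: plain bytes standing in for machine code.
HOST = b"\x7fELF toy host program: reads stdin, writes stdout " + b"\x00" * 16
VIRUS_BODY = b"VIRUS: find next host; append self; fire payload on trigger date"
# A signature scanner keys on a distinctive byte string taken from the body.
SIGNATURES = {"ToyVirus": b"find next host; append self"}


def infect_end(host: bytes, body: bytes) -> bytes:
    """Parasitic infection at the end of the program: the body is appended
    (a real virus would also patch the entry point so it runs first)."""
    return host + body


def scan_static(data: bytes) -> list:
    """Plain signature scan over the bytes as they sit on disk."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


JUNK = ["NOP", "INC r2", "DEC r2", "MOV r3,r3", "XCHG r2,r2"]


def mutate(body: bytes, rng: random.Random) -> bytes:
    """Mutation engine: a fresh XOR key plus a decryptor stub padded with
    random do-nothing instructions, so no fixed byte string survives from
    one generation to the next. The stub is plain text here, not real code."""
    key = rng.randrange(1, 256)
    loop = ["MOV r0,BODY", "MOV r1,LEN", "LOOP:", f"XOR [r0],{key}",
            "INC r0", "DEC r1", "JNZ LOOP", "JMP BODY"]
    stub = []
    for insn in loop:
        stub.extend(rng.choice(JUNK) for _ in range(rng.randrange(0, 3)))
        stub.append(insn)
    return "\n".join(stub).encode() + b"\n#BODY#" + xor(body, key)


def emulate_decryptor(data: bytes) -> bytes:
    """Generic decryption: instead of matching the stub, run it (here: pull
    the key out of the XOR instruction and apply it) and scan the result."""
    stub, sep, payload = data.partition(b"#BODY#")
    if not sep:
        return data                      # no decryptor present, scan as-is
    key = int(re.search(rb"XOR \[r0\],(\d+)", stub).group(1))
    return stub + sep + xor(payload, key)


if __name__ == "__main__":
    plain = infect_end(HOST, VIRUS_BODY)
    poly = infect_end(HOST, mutate(VIRUS_BODY, random.Random(7)))
    print("plain infection, static scan:   ", scan_static(plain))
    print("polymorphic, static scan:       ", scan_static(poly))
    print("polymorphic, after emulation:   ", scan_static(emulate_decryptor(poly)))
```

Every generation carries a different key and a differently padded stub, so the only stable thing to detect is behaviour: a real scanner runs the suspect code in an emulator until the body decrypts itself, then matches the plaintext, which is what `emulate_decryptor` stands in for.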

Page 16:

Antivirus and Anti-Antivirus Techniques

• Integrity checkers – checksums
• Behavioral checkers
• Virus avoidance

– good OS
– install only shrink-wrapped software
– use antivirus software
– do not click on attachments to email
– avoid active content
– frequent backups

• Recovery from a virus attack
– halt the computer, reboot from a safe disk, run antivirus
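An integrity checker of the kind the slide lists, as an added example that is not part of the original lecture. It records a keyed digest (HMAC-SHA-256) of every file under a directory and later reports what was modified, added or removed; the directory layout, file contents and the key are constructed for the demo. A keyed digest rather than a plain checksum is the practitioner's addition: a virus that has infected a file can recompute a CRC and store it in the baseline, but cannot forge a MAC without the key, so the key is assumed to be kept off the protected machine:

```python
import hashlib
import hmac
import os
import tempfile


def fingerprint(path: str, key: bytes) -> str:
    """HMAC-SHA-256 of the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: str, key: bytes) -> dict:
    """Map of relative path -> fingerprint for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = fingerprint(path, key)
    return baseline


def verify(root: str, key: bytes, baseline: dict) -> dict:
    """Compare the tree against the baseline; any difference is reported."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: three 'binaries', then an appending infection of
    one, a dropped file and a deleted file. Returns the verify() report."""
    key = b"assumed to live on offline / read-only media, not on this disk"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name, body in (("ls", b"list files"), ("cat", b"concatenate"), ("sh", b"shell")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, key)

        with open(os.path.join(root, "bin", "ls"), "ab") as f:   # parasitic append
            f.write(b"VIRUS BODY")
        with open(os.path.join(root, "bin", "dropper"), "wb") as f:
            f.write(b"new file the baseline never saw")
        os.remove(os.path.join(root, "bin", "cat"))
        return verify(root, key, baseline)


if __name__ == "__main__":
    print(demo())
```

One caveat the slides themselves supply: a memory-resident virus that has captured the trap vectors (slide 10) can hand the checker the original bytes of a file it has infected, so the checker is only trustworthy when run after booting from a known-clean disk, as the recovery bullet says.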

Page 17:

Trusted Mobile Code

When code is intentionally brought in, what can you do to protect yourself? Only download code from sources you trust – use digitally signed code. (A valid signature tells you who published the code; it says nothing about whether that code is safe.)

Page 18:

Mobile Code Sandboxing

Confine the effects of running (untrusted) code
(a) Memory divided into 1-MB sandboxes
(b) One way of checking an instruction for validity

Page 19:

Interpreted Mobile Code

Applets can be interpreted by a Web browser

Page 20:

Interpretation

• The interpreter never lets go of the program counter itself

• The interpreter can check each instruction as it is emulated

• Transfers of control flow are the danger points

• Performance cost, but it can be mitigated
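The 1-MB sandboxes and the validity check of slide 18, run inside the kind of interpreter slide 20 describes, as an added example that is not part of the original lecture. The toy instruction set, the 4-byte instruction size and the sandbox numbers are assumptions for the demo. The interpreter owns the program counter and checks every fetch, load, store and jump by comparing the target's upper address bits with the sandbox number; `mask_ref` shows the alternative of forcing the upper bits instead of checking them:

```python
SANDBOX_BITS = 20                  # 1-MB sandboxes, as on slide 18
SANDBOX_SIZE = 1 << SANDBOX_BITS
INSN_SIZE = 4                      # assumption: fixed-size instructions


class SandboxViolation(Exception):
    pass


def sandbox_of(addr: int) -> int:
    return addr >> SANDBOX_BITS


def check_ref(addr: int, sandbox: int, kind: str) -> int:
    """The validity check from the slide: compare the upper bits of the
    target address with the sandbox number and trap if they differ."""
    if sandbox_of(addr) != sandbox:
        raise SandboxViolation(f"{kind} to {addr:#x} leaves sandbox {sandbox}")
    return addr


def mask_ref(addr: int, sandbox: int) -> int:
    """Alternative: overwrite the upper bits instead of checking them.
    No branch, never traps, but silently redirects the reference."""
    return (addr & (SANDBOX_SIZE - 1)) | (sandbox << SANDBOX_BITS)


def run(program, code_sb: int, data_sb: int, max_steps: int = 10_000) -> dict:
    """Interpret `program` (list of tuples). The interpreter keeps the PC and
    checks every memory reference and control transfer before acting on it."""
    mem, r0 = {}, 0
    code_base = code_sb << SANDBOX_BITS
    pc = code_base
    for _ in range(max_steps):
        check_ref(pc, code_sb, "fetch")
        idx = (pc - code_base) // INSN_SIZE
        if idx >= len(program):
            raise SandboxViolation("ran off the end of the code")
        op, *args = program[idx]
        pc += INSN_SIZE
        if op == "LOADI":                       # r0 = imm
            r0 = args[0]
        elif op == "ADDI":                      # r0 += imm
            r0 += args[0]
        elif op == "STORE":                     # mem[addr] = r0
            mem[check_ref(args[0], data_sb, "store")] = r0
        elif op == "LOAD":                      # r0 = mem[addr]
            r0 = mem.get(check_ref(args[0], data_sb, "load"), 0)
        elif op == "JNZ":                       # direct jump, target known statically
            if r0 != 0:
                pc = check_ref(args[0], code_sb, "jump")
        elif op == "JMPR":                      # indirect jump through r0: the danger point
            pc = check_ref(r0, code_sb, "indirect jump")
        elif op == "HALT":
            return mem
        else:
            raise ValueError(f"unknown op {op}")
    raise SandboxViolation("step budget exhausted")


CODE_SB, DATA_SB = 3, 4                          # assumed sandbox numbers for the applet
CODE, DATA = CODE_SB << SANDBOX_BITS, DATA_SB << SANDBOX_BITS

# Well-behaved applet: counts 3,2,1,0 into its own data sandbox, then halts.
GOOD = [("LOADI", 3), ("ADDI", -1), ("STORE", DATA + 0x10),
        ("JNZ", CODE + 1 * INSN_SIZE), ("HALT",)]
# Escape attempts: a store into the neighbouring sandbox, and a computed jump
# to an address outside the code sandbox.
BAD_STORE = [("LOADI", 1), ("STORE", (DATA_SB + 1) << SANDBOX_BITS), ("HALT",)]
BAD_JUMP = [("LOADI", 0x1000), ("JMPR",), ("HALT",)]


def escapes(program) -> bool:
    """True if the interpreter had to trap the program."""
    try:
        run(program, CODE_SB, DATA_SB)
        return False
    except SandboxViolation:
        return True


if __name__ == "__main__":
    print("good applet memory:", run(GOOD, CODE_SB, DATA_SB))
    print("bad store trapped:", escapes(BAD_STORE), " bad jump trapped:", escapes(BAD_JUMP))
```

Direct jumps can be checked once, before the code runs; the indirect `JMPR` is the case the slide calls a danger point, because its target is only known when the instruction executes, so the check (or the mask) must sit in the execution path.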

Page 21:

Covert Channels

Can information be leaked from “confined” processes?

An encapsulated server can still leak to a collaborator via covert channels: observable performance patterns (e.g., busy/blocked, page faulting)

Page 22:

Covert Channels

A covert channel using file locking
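The file-locking covert channel of this slide, as an added example that is not part of the original lecture. A confined sender that may only open and lock a shared file signals one bit per clock tick by holding or not holding the exclusive lock; the collaborator samples with a non-blocking lock request. The two `threading.Event`s stand in for the shared clock a real channel would take from wall-clock time, and the shared file is a constructed empty temporary file (POSIX `flock`, so Linux/BSD/macOS):

```python
import fcntl
import os
import tempfile
import threading


def send_bits(path: str, bits, tick: threading.Event, tock: threading.Event) -> None:
    """Confined sender: never writes the file, only locks it.
    Holding the exclusive lock during a tick means 1, leaving it free means 0."""
    fd = os.open(path, os.O_RDONLY)
    try:
        for bit in bits:
            if bit:
                fcntl.flock(fd, fcntl.LOCK_EX)
            tick.set()                 # this tick's bit is in place
            tock.wait()                # receiver has sampled it
            tock.clear()
            if bit:
                fcntl.flock(fd, fcntl.LOCK_UN)
    finally:
        os.close(fd)


def receive_bits(path: str, n: int, tick: threading.Event, tock: threading.Event) -> list:
    """Collaborator: a separate open file description, so flock treats it as
    another locker; EWOULDBLOCK on a non-blocking request means 'held'."""
    fd = os.open(path, os.O_RDONLY)
    out = []
    try:
        for _ in range(n):
            tick.wait()
            tick.clear()
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                fcntl.flock(fd, fcntl.LOCK_UN)
                out.append(0)
            except OSError:            # BlockingIOError: the sender holds it
                out.append(1)
            tock.set()
    finally:
        os.close(fd)
    return out


def leak(message: str) -> str:
    """Run sender and receiver against one shared empty file; return what the receiver decoded."""
    bits = [(byte >> i) & 1 for byte in message.encode() for i in range(7, -1, -1)]
    tick, tock = threading.Event(), threading.Event()
    got = []
    with tempfile.NamedTemporaryFile() as shared:
        rx = threading.Thread(
            target=lambda: got.extend(receive_bits(shared.name, len(bits), tick, tock)))
        rx.start()
        send_bits(shared.name, bits, tick, tock)
        rx.join()
    return bytes(int("".join(map(str, got[i:i + 8])), 2)
                 for i in range(0, len(got), 8)).decode()


if __name__ == "__main__":
    print(leak("leaked"))
```

Nothing in the file's contents ever changes, so access control on the data does not see the channel; what leaks is the lock state, which is shared by design. With a real clock the bit rate is bounded by timing noise, which is the usual way such channels are throttled rather than closed.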

Page 23:

Covert Channels

• The two pictures appear the same
– the eye cannot distinguish 7-bit colour values from 8-bit ones, so the low-order bit of each value is free to change

• The picture on the right carries the text of 5 Shakespeare plays
– compressed & encrypted, inserted into the low-order bits of the colour values

Figure: Zebras (left); zebras carrying Hamlet, Macbeth, Julius Caesar, Merchant of Venice, King Lear (right)
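The low-order-bit embedding described on this slide, as an added example that is not part of the original lecture. The cover is a constructed 64x64 RGB image held as raw bytes (pseudo-random noise, not the slide's zebras), the secret is constructed stand-in text rather than the plays, the 4-byte length header is an assumed framing, and the SHA-256 counter keystream is a toy stand-in for the real cipher the slide implies. It compresses and encrypts the text, writes it into the low-order bit of successive colour values, and recovers it; no value moves by more than 1 of 255:

```python
import hashlib
import random
import zlib


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy counter-mode keystream from SHA-256 (demo stand-in for a real
    cipher; unauthenticated, not for use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def bytes_to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length then the payload into the low-order bit of
    successive colour values (one bit per value)."""
    bits = bytes_to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(bits) // 8}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    lsb = [v & 1 for v in stego]
    length = int.from_bytes(bits_to_bytes(lsb[:32]), "big")
    return bits_to_bytes(lsb[32:32 + 8 * length])


def hide_text(cover: bytes, text: str, key: bytes) -> bytes:
    """Compress, encrypt, then embed, in the order the slide gives."""
    return embed(cover, keystream_xor(zlib.compress(text.encode()), key))


def reveal_text(stego: bytes, key: bytes) -> str:
    return zlib.decompress(keystream_xor(extract(stego), key)).decode()


def max_value_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover (64x64 RGB noise) and constructed secret text.
COVER = bytes(random.Random(0).randrange(256) for _ in range(64 * 64 * 3))
SECRET = "Constructed stand-in for the play text: " + "to be, or not to be, " * 40

if __name__ == "__main__":
    stego = hide_text(COVER, SECRET, b"demo key")
    print("largest change to any colour value:", max_value_change(COVER, stego))
    print("recovered:", reveal_text(stego, b"demo key")[:60], "...")
```

Compressing first matters beyond capacity: uncompressed ASCII has a recognisable bit-level structure, whereas compressed and encrypted bytes look like the noise the low-order bits of a photograph already contain, which is what makes the two pictures indistinguishable to a viewer.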

Page 24:

Is it a Technical Problem?

Lots of known solution techniques

• Access control

• Crypto

• Firewalls

• Intrusion detection

So why isn’t it a solved problem?

Page 25:

Economics

“The party who is in a position to protect a system is not the party who would suffer the results of security failure.”

Ross Anderson

Security
• For whom is it built?
• Who pays for it?