Introduction • Malicious Logic: a set of instructions that cause violation of security policy Malicious Logic • Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside • Example: Name the following script ls and Trojan Horses place in a directory Set UID of Viruses /tmp.xxsh to UID Worms of person executing this script Remove this script and run ls Fall 2008 CS 334: Computer Security Slide #1 Fall 2008 CS 334: Computer Security Slide #2 Trojan Horses Example: NetBus • Trojan Horse : A program with an overt • Program that allows attacker to control (documented or known) effect and a covert Windows NT workstation remotely (undocumented or unexpected) effect – Can download and upload files, intercept – In example, overt action is to list files, covert is to mouse or key strokes, generally be create shell that is setuid to user executing script sysadmin • There is a key notion here of ``tricked’’ – In the example script, if user root executed this • Requires small NetBus server on target unintentionally by typing ls in a directory, then we machine have a security policy violation. – If root types out these lines and runs them – Placed in several small game programs and intentionally, no violation other ``fun’’ stuff, then distributed to web – Key problem: system does not know whether user sites where unsuspecting users would likely really intends to run specific set of instructions download them Fall 2008 CS 334: Computer Security Slide #3 Fall 2008 CS 334: Computer Security Slide #4 Propogating Trojan Horse Computer Virus • Propogating Trojan Horse: (also replicating • Computer Virus: A program that inserts itself Trojan Horse) is a Trojan Horse that creates a into one or more files and then performs some copy of itself. (possibly null) action • Ex. Ken Thompson’s compiler – Insertion Phase: virus inserts itself into file – Added Trojan horse to login program so it accepted a – Execution Phase: the action is performed specific password in addition to user’s password – Placed code that does this into compiler, so it would add it whenever it saw a login call. (So not visible in login code) – Placed the Trojan horse for compiler into compiler binary, so if compiler was recompiled it would always include the trojan horse for login. – Replaced source for compiler with clean source for compiler. Fall 2008 CS 334: Computer Security Slide #5 Fall 2008 CS 334: Computer Security Slide #6 1
Virus Pseudocode Virus A Trojan Horse? • Some say YES: Purpose of infected program is overt action, injections and execution phase is the covert action • Some say NO: Virus has no covert purpose. Its overt purpose is to infect and execute. • Who cares. Bottom line is that defenses against Trojan horses inhibit viruses. Fall 2008 CS 334: Computer Security Slide #7 Fall 2008 CS 334: Computer Security Slide #8 Some History More History • 1983: Fred Cohen (at time grad student at • 1986-87: Brain (Pakistani) virus infects USC) designed virus to acquire privileges on IBM PCs VAX-11/750 running Unix. – Alters boot sectors of floppy disks, possibly – Obtained all system rights within half hour on corrupting files. average – Spreads to any uninfected floppy inserted – Because virus didn’t degrade response time, most users never knew system under attack into system. • 1984: Experiment on UNIVAC 1108 showed – Numerous variations have been reported virus could infect that system • 1987: MacMag Peace virus – UNIVAC partially implemented Bell-LaPadula Model, – Infect Mac, Amiga, among others using mandatory protection mechanisms – Showed that if a system does not prohibit writing – Prints ``universal message of peace’’ on using mandatory access controls, then system does March 2, 198, then deletes itself. little, if anything, to prohibit virus propagation – Infected copies of Aldus FreeHand program, Fall 2008 CS 334: Computer Security Slide #9 Fall 2008 CS 334: Computer Security Slide #10 which were subsequently recalled by manufacturer Ok, Even More History Still More History • 1987: Tom Duff experiments on Unix • 1989: Harold Highland develops Lotus 1-2-3 with small virus that copies itself into virus executable files. – Virus stored as set of commands for spreadsheet – Not virulent, but when placed in 48 – Loads automatically when file opened programs on heavily used machine, spread – Was for demo only, so it changed the value in specific to 46 different systems and 466 files in 8 row and column then spread to other files. days. – Demonstrated that macros for office programs on PCs – Duff did not violate security mechanism by could contain viruses. seeding files – Wrote another virus in Bourne shell script. It could attach itself to any Unix program – Demonstrated that viruses are not intrinsically machine-dependent and can Fall 2008 CS 334: Computer Security Slide #11 Fall 2008 CS 334: Computer Security Slide #12 spread to systems of varying architectures 2
Virus Types Boot Sector Viruses • Boot Sector Infectors • Boot sector is the part of a disk used to bootstrap the system or mount a disk • Executable Infectors – Code in boot sector is executed when system sees • Multipartite Viruses disk for first time • Boot sector virus is one that inserts itself into • TSR Viruses the boot sector of a disk • Stealth Viruses – When system or disk boots, virus is executed • Encrypted Viruses – Original boot sector code is moved • Polymorphic Viruses • Macro Viruses Fall 2008 CS 334: Computer Security Slide #13 Fall 2008 CS 334: Computer Security Slide #14 Example: Brain Virus Executable Infectors • When system boots from infected disk, virus is in boot sector and is loaded. • Executable infector: virus that infects • Moves disk interrupt vector (location 0x13) to executable programs location 0x6d and sets disk interrupt location – On PC these are COM or EXE viruses to invoke Brain virus. • Brain virus then loads original boot sector and because of the file types they infect continues the boot • Viruses prepends or appends itself to • When user reads another floppy, interrupt at executable 0x13 is invoked, calling Brain virus – If value 0x1234 in word at location 0x4 of new disk, boot continues normally. If not, disk is infected – Infection sometimes overwrite some sectors, thus the sometimes destructive nature of the Brain virus Fall 2008 CS 334: Computer Security Slide #15 Fall 2008 CS 334: Computer Security Slide #16 Example: Jerusalem Virus Example: Jerusalem Virus • Triggered when infected program is • Virus checks date executed – if a Friday the 13 th and year is not 1987, virus sets flag in memory to delete files • Virus puts value 0x0e0 into ax register instead of infecting them and invokes DOS service interrupt • In memory, virus checks all calls to DOS service interrupt, looking for files to be (0x21) executed (service call 0x4b00) • If on return the high eight bits of ax – Virus checks file name, and deletes file if contain 0x3, virus is already on system destruct bit set (except for COMMAND.COM file) and original program is invoked – Virus checks last five bytes of file. • If not, virus sets itself up to respond to • If string MsDos, file is infected traps to DOS service interrupt vector • If not, virus checks whether name of file ends in E or M, in which case virus infects it (assuming its a Fall 2008 CS 334: Computer Security Slide #17 Fall 2008 CS 334: Computer Security Slide #18 COM or EXE file) 3
Recommend
More recommend
