Malicious Code

DAV C19 – Applied Security
Datavetenskap, Karlstads universitet
2005-10-12

Malicious Code an Increasing Problem

Media Publicity

Different Malicious Code

Malicious code (colloquially all called “virus”):
  • Virus (replicates)
  • Worms (replicate)
  • Malicious Scripts
  • Trojans
  • Logical Bombs
  • Trap doors

Virus

  • A malicious piece of code that spreads itself from file to file
  • Needs a host file
  • Different types of viruses
    – Boot virus
    – Program viruses
    – Macro virus

(Figure: an infected file with the virus attached as payload)

Boot Virus

  • Hard drive virus
    – Infects the Master Boot Record (MBR) of the hard drive before the OS is loaded
    – Spreads via bootable devices, e.g. floppy discs

Program Virus

  • Infects executable programs on the computer by appending itself to the code

Example: Chernobyl/CIH (1998)

  • Destroys the flash BIOS
  • Makes data on the hard drive unreadable
  • Was triggered on every 26th of April
    – “Logical bomb” functionality

Macro Virus

  • A set of macro commands for a specific application which automatically executes and spreads to that application's documents
  • Normally spread via Office applications (Visual Basic macros in Word, Excel, etc.)
  • Macros are spread via e-mail attachments

Auto Executing Macros in Word

1. Command macro
  • If a macro stored in a global macro file, or attached to a document, has the same name as an existing Word command (e.g. “Save file”), the macro is executed whenever a user performs that command

2. Autoexecute
  • A macro named “AutoExec” in the template “normal.dot” or in a global template in Word's startup directory is always executed when Word is started

3. Automacro
  • An “automacro” is executed when a specific event occurs, e.g. opening a document or quitting Word

Example: Concept Virus

  • When an infected document is opened
    – If not already existing, creates the macro “FileSaveAs” in the “NORMAL.DOT” template in Word
    – Also creates a macro that contains the message:

        Sub MAIN
        REM That's enough to prove my point
        End Sub

  • When the user chooses “Save As” in the menu, the macro FileSaveAs always executes
    – The user cannot specify which drive to save to and cannot specify the file type
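The three auto-execution mechanisms from the “Auto Executing Macros in Word” slide and the FileSaveAs trick of the Concept virus, as an added example that is not part of the original slides: a Python checker that runs over already extracted macro source text (VBA-style names, Word 97 and later) and reports procedures Word would start on its own or that shadow a built-in Word command. The AUTO_MACROS and WORD_COMMANDS sets are small illustrative subsets I supply, and the sample VBA is constructed for the demo.

```python
import re

# Added example, not from the slides: flag procedures in extracted macro source
# that Word would run without the user calling them, following the three
# mechanisms described above. Names are VBA-style (Word 97 and later); the two
# name sets are small illustrative subsets, not complete lists.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
WORD_COMMANDS = {"filesave", "filesaveas", "fileopen", "fileprint", "toolsmacro"}
SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+([A-Za-z_]\w*)",
                    re.IGNORECASE | re.MULTILINE)

def macro_names(vba_source):
    """Return the Sub procedure names found in the macro source text."""
    return SUB_RE.findall(vba_source)

def find_auto_executing(vba_source):
    """Split procedures into those Word starts by itself ('auto') and those that
    shadow a built-in command ('command'); ordinary macros are not reported."""
    hits = {"auto": [], "command": []}
    for name in macro_names(vba_source):
        key = name.lower()  # VBA procedure names are case-insensitive
        if key in AUTO_MACROS:
            hits["auto"].append(name)
        elif key in WORD_COMMANDS:
            hits["command"].append(name)
    return hits

# Constructed sample modelled on the Concept virus described above: a macro
# named after the Save As command, an automacro, and one harmless macro.
SAMPLE_VBA = """\
Sub FileSaveAs()
    ' takes over Word's own Save As command
End Sub

Sub AutoOpen()
    ' runs every time the document is opened
End Sub

Sub FormatTable()
    ' an ordinary user macro, not flagged
End Sub
"""

if __name__ == "__main__":
    print(find_auto_executing(SAMPLE_VBA))
    # → {'auto': ['AutoOpen'], 'command': ['FileSaveAs']}
```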

Malicious Scripts

  • Malicious scripts written in JavaScript, VBScript, ActiveX controls, etc.
  • Hidden in e-mails or web sites. Can also be part of viruses or worms
  • Cross-site scripting vulnerabilities let scripts execute in the user's browser or even locally
Trojans

  • “Trojan Horse”
  • Programs with hidden malicious functionality
  • Appear to be screen savers, games, or other “useful” programs

Logical Bombs

  • Malicious code programmed to be activated on a specific date/time
  • The action could be anything from formatting the hard drive to displaying a silly message
  • Often combined with a virus/worm (e.g. the Chernobyl virus)

Trapdoors

  • A secret entry point into a program that allows someone aware of the trap door to gain access without going through the normal security procedures
  • Usually left by programmers for debugging and testing purposes, intentionally or unintentionally

Worm

  • A malicious piece of code that spreads itself from computer to computer
  • A worm needs no host file
  • Can spread via
    – E-mail attachments
    – LAN or Internet

Example: ILOVEYOU

  • Starts to spread when the user clicks on an e-mail attachment (ILOVEYOU.TXT.vbs)
    – The attachment is a malicious Visual Basic Script masked as a text file (the .vbs extension is sometimes hidden automatically by Windows)
    – The script executes locally in Windows Scripting Host, where it first changes registry settings about the privileges of scripts, and then starts to spread itself via, for example, the contact list
  • Requires a “human hand” to spread, and is therefore sometimes called a virus (e.g. in Stallings' book)

Example: Code Red

  • A worm that spread via HTTP, exploiting a buffer-overflow vulnerability
  • Spreads automatically when visiting a web site
    – I.e. does not require a “human hand” to spread

Vulnerabilities

  • A vulnerability is a security weakness in a program/OS that could be exploited by malicious software, e.g. viruses/worms
  • Microsoft rolls out update patches that try to patch novel vulnerabilities

Vulnerabilities

  • Buffer Overflow
    – Occurs when a program writes more information into a buffer than the space it has allocated for it in memory. This allows an attacker to (1) overwrite data that controls the program execution path and (2) hijack control of the program to (3) execute the attacker's code instead of the process code

Example: http://nsfsecurity.pr.erau.edu/bom/Smasher.html

Vulnerabilities

  • Unvalidated input
    – Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through the web application (by injecting malicious code)
  • Cross-site scripting, script injection, …
    – The web application can be used as a mechanism to transport an attack to an end user's browser
    – Clicking links in web pages or e-mails, etc., lets remote (malicious) scripts execute in the user's browser

Blended Threats

  • Advanced malicious code that combines the characteristics of viruses, worms, Trojans and malicious scripts is sometimes called a “blended threat”
  • Exploits vulnerabilities in programs or operating systems
    – Nowadays often Microsoft OS/apps – why is that?

Blended Threats

  • Worms are spread by exploiting vulnerabilities and often do not require human intervention
  • The 2nd generation of worms automatically searches for vulnerable computers and infects them
  • The whole Internet can be infected in less than 20 minutes

Example: Appix (Sep, 2002)

  • A combined worm, virus and Trojan horse
  • Exploits vulnerabilities in Outlook Express and Internet Explorer
  • Can infect directly from a web page
  • Uses its own SMTP server
  • Spreads via e-mail, KaZaA or eDonkey2000
  • Kills anti-virus software and personal firewalls
Example: Sasser (May, 2004)

  • Starts up an FTP server and automatically scans randomly chosen IP addresses for vulnerabilities
  • 128 threads that scan IP addresses are started
    – The system will be very slow
  • Stops the user from shutting down the computer

Viruses in Mobile Phones

  • Mobile phones are starting to behave like small computers with Internet access
    – Not to mention PDAs…
  • The virus problem will probably spread to mobile phones in the near future

Viruses in Mobile Phones

Spring 2005…

Viruses in Mobile Phones

Fall 2005…

Hacker Tools

Example: Back Orifice

  • Back Orifice: remotely control other computers
  • Similar programs: NetBus

Hacker Tools

  • Trojans are often used as hacker tools
    – IP scanners, port scanners, network sniffers, proxy servers, etc.
    – Information is sent to the hacker via ICQ, MSN, mail, …
    – Trojans could also act as servers (FTP, HTTP, WAP, POP3, IRC, etc.)
    – Your computer could be a server sending SPAM e-mails

Spyware

  • A.k.a. “advertising supported software” (adware)
  • “Invisible” programs/servers that collect and report information about users
  • Used for directed marketing
  • Users may get free licenses if they accept spyware…
  • …or they may not know that they installed spyware

Antivirus Software and Firewalls

Anti Virus Software

  • Defensive components in anti-virus software
    I. Detection
    II. Identification
    III. Removal

(Figure: compressed program code with an attached virus next to the uninfected program code; the scanner looks at file size and at the virus's actions)

Anti Virus Software

  • 1st generation: simple scanners
    – Search for bit patterns (“signatures”) and check the length of files
  • 2nd generation: heuristic scanners
    – Search for viruses using heuristic rules
  • 3rd generation: activity traps
    – Memory-resident programs that detect viruses based on their actions
  • 4th generation: combined techniques
    – Combine the above techniques with access control measures

Anti Virus Software

  • “Arms race”: stronger anti-virus software leads to more advanced viruses:
    – Memory-resident viruses
    – Infecting the master boot record of the hard drive
    – Hiding: “stealth viruses”
    – Mutating: polymorphic viruses
    – Multiple versions of the same virus
    – …
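The 1st-generation scanner of the generations slide and the mutating (polymorphic) virus of the “arms race” slide, as an added example that is not part of the original slides: a Python scanner that checks a file for a known bit pattern and for a change in recorded file length, and a stand-in for a polymorphic engine that re-encodes the body so the pattern check no longer matches while the length check still does. The host program, the marker string and the recorded length are all constructed for the demo; the “virus” is an inert marker, not malicious code.

```python
# Added example, not from the slides: a 1st-generation scanner that looks for a
# fixed byte pattern and for a change in file length, plus a stand-in for the
# polymorphic trick that defeats the pattern check. The "virus" is an inert
# marker string constructed for the demo, not real malicious code.

MARKER = b"DEMO-VIRUS-MARKER"          # the bit pattern the scanner knows
SIGNATURES = {"DemoMarker": MARKER}     # name -> signature bytes

# Constructed host program and a recorded, known-good length for it.
CLEAN_PROGRAM = b"MZ\x90\x00" + b"clean program code" * 4
KNOWN_LENGTH = len(CLEAN_PROGRAM)


def scan_signature(data, signatures=SIGNATURES):
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def length_changed(data, known_length):
    """Flag a file that no longer has the length recorded for it (a program
    virus that appends itself makes the host grow)."""
    return len(data) != known_length


def xor_encode(data, key):
    """Stand-in for a polymorphic engine: re-encode the body with a new key so
    the same virus never shows the same bit pattern twice."""
    return bytes(b ^ key for b in data)


def check_file(data, known_length):
    """Combine both 1st-generation checks into one verdict."""
    return {"signatures": scan_signature(data),
            "length_changed": length_changed(data, known_length)}


if __name__ == "__main__":
    infected = CLEAN_PROGRAM + MARKER                   # plain appended copy
    mutated = CLEAN_PROGRAM + xor_encode(MARKER, 0x5A)  # polymorphic copy
    print(check_file(infected, KNOWN_LENGTH))  # signature hit and length change
    print(check_file(mutated, KNOWN_LENGTH))   # only the length change remains
```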

Firewalls

  • Should preferably control both incoming and outgoing traffic
    – The Windows XP firewall controls only incoming traffic
    – Trojans can start up servers on the inside
  • The firewall should preferably inspect packets on the application layer
    – Network-layer packet filters do not provide adequate protection

Firewalls

  • New worms/viruses often try to kill firewall and anti-virus processes
  • “Tunneled Worms”
    – Tunnel an IP packet within another IP packet to hide the real IP header
    – The tunneling program can be built into Trojans

(Figure: a tunneled IP packet, i.e. an outer IP header wrapped around a complete inner IP packet)
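The tunneled packet of the slide above, as an added example that is not part of the original slides: Python code that parses a minimal IPv4 header, follows IP-in-IP encapsulation (protocol number 4) down to the real inner header, and so shows what a filter that only reads the outer header misses. The packets, addresses and payload are constructed in memory for the demo; the header checksum is left at zero and not verified.

```python
import socket
import struct

# Added example, not from the slides: peel IP-in-IP encapsulation off an IPv4
# packet so a filter can judge the real (inner) header, not just the outer one.
IPPROTO_IPIP = 4       # IANA protocol number for IP-in-IP
HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left zero; not verified here)."""
    header = struct.pack(HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def parse_ipv4(packet):
    """Return (src, dst, proto, payload) or None if the header is malformed."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total_len]

def unwrap_tunnel(packet, max_depth=4):
    """List (src, dst, proto) for every IP header, outermost first, descending
    through IP-in-IP layers; more than one entry means the packet was tunneled."""
    layers = []
    while len(layers) <= max_depth:
        parsed = parse_ipv4(packet)
        if parsed is None:
            break
        src, dst, proto, payload = parsed
        layers.append((src, dst, proto))
        if proto != IPPROTO_IPIP:
            break
        packet = payload  # descend into the encapsulated packet
    return layers

def is_tunneled(packet):
    return len(unwrap_tunnel(packet)) > 1

# Constructed packets: the inner one is addressed to a host the filter would
# block, the outer one to a permitted host; addresses and payload are made up.
INNER = build_ipv4("10.0.0.5", "192.168.1.7", 6, b"stand-in TCP payload")
OUTER = build_ipv4("10.0.0.5", "192.168.1.10", IPPROTO_IPIP, INNER)
```

A filter that reads only the outer header of OUTER sees protocol 4 to 192.168.1.10; unwrap_tunnel(OUTER) also returns the inner TCP header to 192.168.1.7, which is the one the policy decision should be made on.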