Outline Introduction Malicious Code Viruses CS 239 Trojan - PDF document

Outline • Introduction Malicious Code • Viruses CS 239 • Trojan horses Computer Security • Trap doors March 15, 2004 • Logic bombs • Worms • Examples Lecture 16 Lecture 16 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004 Where Does Malicious Code Introduction Come From? • Most typically, it’s willingly (but Clever programmers can get software to unwittingly) imported into the system do their dirty work for them – Electronic mail (most common today) Programs have several advantages for – Floppy disks these purposes – Downloaded executables –Speed – Sometimes shrinkwrapped software –Mutability • Sometimes it breaks in –Anonymity • Sometimes an insider intentionally introduces it Lecture 16 Lecture 16 Page 3 Page 4 CS 239, Winter 2004 CS 239, Winter 2004 Is Malicious Code Really a More Alarming Statistics Problem? • Considering viruses only, by 1994 there were over • In 1992, there were around 2000 1,000,000 annual infections unique viruses known – One survey shows 10-fold increase in viruses since 1996 • Today, Symantec’s databases of • In November 2003, 1 email in 93 scanned by viruses includes 66,000+ entries particular survey contained a virus • The numbers continue to grow • 2003 FBI report shows 82% of survey respondents had malicious code incidents – Around 64% had financial losses from them Lecture 16 Lecture 16 Page 5 Page 6 CS 239, Winter 2004 CS 239, Winter 2004 1

But Don’t Get too Alarmed How Much Do Viruses Cost? • Group called mi2g estimated that • Most viruses are never found “in the MyDoom worm cost $38.5 billion wild” worldwide • Most viruses die out quickly • The Wild List 1 shows 261 active –Cleanup costs, lost productivity, etc. viruses worldwide • Many folks believe this (and other –With another 652 or so with only a estimates) are bogus publicity stunts single incident reported –Methodology lacking for real estimates 1 www.wildlist.org Lecture 16 Lecture 16 Page 7 Page 8 CS 239, Winter 2004 CS 239, Winter 2004 • Even if it’s two orders of magnitude But Do I Really Have to Worry Viruses About Viruses? • “Self-replicating programs containing code • “After all, I run Linux/Mac that explicitly copies itself and that can OS/Solaris/BSD” ‘infect’ other programs by modifying them • “Aren’t all viruses for Windows?” or their environment” • Mostly true in practice • Typically attached to some other program – Definitely not true in theory – When that program runs, the virus becomes active and infects others • Anyone, at any time, can write and release a virus that can clobber your machine, • Not all malicious codes are viruses regardless of what OS you run Lecture 16 Lecture 16 Page 9 Page 10 CS 239, Winter 2004 CS 239, Winter 2004 How Do Viruses Work? Typical Virus Actions • When a program is run, it typically has 1). Find uninfected writable programs the full privileges of its running user 2). Modify those programs • Including write privileges for some 3). Perform normal actions of infected other programs program • A virus can use those privileges to 4). Do whatever other damage is desired replace those programs with infected versions Lecture 16 Lecture 16 Page 11 Page 12 CS 239, Winter 2004 CS 239, Winter 2004 2

Before the Infected Program The Infected Program Runs Runs Virus Code Virus Code Infected Uninfected Infected Uninfected Program Program Program Program Lecture 16 Lecture 16 Page 13 Page 14 CS 239, Winter 2004 CS 239, Winter 2004 Infecting the Other Program A Taxonomy of Viruses • File infectors Virus Code Virus Code –Direct-action –Resident Infected Infected Uninfected Program Program • System or boot infectors Program • Macro and attachment viruses Lecture 16 Lecture 16 Page 15 Page 16 CS 239, Winter 2004 CS 239, Winter 2004 File Infectors Direct-Action File Infectors • The most basic kind of virus • File infector viruses attach themselves to ordinary files • When an infected program runs, it infects a previously uninfected target –Most typically executables –Or possibly several –But source code viruses have been • Activated only when an infected discovered program is executed • E.g., the Vienna virus Lecture 16 Lecture 16 Page 17 Page 18 CS 239, Winter 2004 CS 239, Winter 2004 3

Resident File Infectors System Infectors • Also known as boot section infectors • The first time a resident file infector is run, it leaves a daemon running • Rather than living in programs, they live in the boot sectors of disks –Or some other persistent and useful • Typically memory resident RAM entity • Typically infect any disk exposed to them • Whenever any other program is run, • E.g., the Michelangelo virus the daemon infects it • Multipartite viruses can live in both • E.g., the Jerusalem virus programs and boot sectors Lecture 16 Lecture 16 Page 19 Page 20 CS 239, Winter 2004 CS 239, Winter 2004 Macro and Attachment Viruses Virus Toolkits • Modern data files often contain executables • Helpful hackers have written toolkits – Macros that make it easy to create viruses – Email attachments • A typical smart high school student can – Ability to run arbitrary executables from easily create a virus given a toolkit many applications, embedded in data • Generally easy to detect viruses • Easily the most popular form of new viruses generated by toolkits – Requires less sophistication to get right –But we may see “smarter” toolkits • Most widespread viruses today use attachments Lecture 16 Lecture 16 Page 21 Page 22 CS 239, Winter 2004 CS 239, Winter 2004 How To Find Viruses Precautions to Avoid Viruses • Don’t import untrusted programs • Basic precautions – But who can you trust? • Looking for changes in file sizes • Viruses have been found in commercial • Scan for signatures of viruses shrink-wrap software • TSR monitoring • The hackers who released Back Orifice were embarrassed to find a virus on their • Multi-level generic detection CD release • Trusting someone means not just trusting their honesty, but also their caution Lecture 16 Lecture 16 Page 23 Page 24 CS 239, Winter 2004 CS 239, Winter 2004 4

Other Precautionary Measures Containment • Scan incoming programs for viruses • Run suspect programs in an –Some viruses are designed to hide encapsulated environment • Limit the targets viruses can reach –Limiting their forms of access to • Monitor updates to executables prevent virus spread carefully • Requires versatile security model and –Requires a broad definition of strong protection guarantees “executable” Lecture 16 Lecture 16 Page 25 Page 26 CS 239, Winter 2004 CS 239, Winter 2004 Problems With Size Checking for Viruses and File Sizes Virus Detection • Typically, a virus tries to hide • Requires keeping carefully protected records of valid file sizes • So it doesn’t disable the infected program • Won’t work for files whose sizes typically • Instead, extra code is added change • But if it’s added naively, the size of the file – E.g., Word files with possibly infected grows macros • Virus detectors can look for this growth • Clever viruses find ways around it – E.g., cavity viruses that fit themselves into “holes” in programs Lecture 16 Lecture 16 Page 27 Page 28 CS 239, Winter 2004 CS 239, Winter 2004 Signature Scanning How To Scan For Signatures • If a virus lives in code, it must leave • Create a database of known virus some traces signatures • In early and unsophisticated viruses, • Read every file in the system and look these traces were essentially for matches in its contents characteristic code patterns • Also check every newly imported file • Find the virus by looking for the • Also scan boot sectors and other signature interesting places Lecture 16 Lecture 16 Page 29 Page 30 CS 239, Winter 2004 CS 239, Winter 2004 5