Outline • Introduction Malicious Code • Viruses CS 236 • Trojan horses Computer Security • Trap doors March 14, 2007 • Logic bombs • Worms • Examples Lecture 15 Lecture 15 Page 1 Page 2 CS 236, Winter 2007 CS 236, Winter 2007 Where Does Malicious Code Introduction Come From? • Most typically, it’s willingly (but Clever programmers can get software to unwittingly) imported into the system do their dirty work for them – Electronic mail (most common today) Programs have several advantages for – Downloaded executables these purposes • Often automatically from web pages –Speed – Sometimes shrinkwrapped software –Mutability • Sometimes it breaks in –Anonymity • Sometimes an insider intentionally introduces it Lecture 15 Lecture 15 Page 3 Page 4 CS 236, Winter 2007 CS 236, Winter 2007 Is Malicious Code Really a More Alarming Statistics Problem? • Considering viruses only, by 1994 there were over • In 1992, there were around 2000 1,000,000 annual infections unique viruses known – One survey shows 10-fold increase in viruses since 1996 • Today, Symantec’s databases of • In November 2003, 1 email in 93 scanned by viruses includes 73,000+ entries particular survey contained a virus • Kaspersky Labs added 80,000 virus • 2006 FBI report shows 65% of survey respondents had malicious code incidents signatures to its database in 2006 – And viruses caused the most economic damage • The numbers continue to grow of all attacks to respondents Lecture 15 Lecture 15 Page 5 Page 6 CS 236, Winter 2007 CS 236, Winter 2007 1
But Don’t Get too Alarmed How Much Do Viruses Cost? • Group called mi2g estimated that MyDoom • Most viruses are never found “in the wild” worm cost $38.5 billion worldwide • Most viruses die out quickly – Cleanup costs, lost productivity, etc. • The Wild List 1 shows 792 active viruses • Many folks believe this (and other worldwide estimates) are bogus publicity stunts – With another 2382 or so with only a – Methodology lacking for real estimates single incident reported • Even if it’s two or three orders of magnitude – Many on both lists are slight variants on a off, that’s serious money particular virus 1 www.wildlist.org Lecture 15 Lecture 15 Page 7 Page 8 CS 236, Winter 2007 CS 236, Winter 2007 But Do I Really Have to Worry Viruses About Viruses? • “Self-replicating programs containing code • “After all, I run Linux/Mac OS/Solaris/BSD” that explicitly copies itself and that can • “Aren’t all viruses for Windows?” ‘infect’ other programs by modifying them • Mostly true in practice or their environment” – Definitely not true in theory • Typically attached to some other program – First MacOSX virus discovered one month ago – When that program runs, the virus • OSX/Leap-A becomes active and infects others • Anyone, at any time, can write and release a virus • Not all malicious codes are viruses that can clobber your machine, regardless of what OS you run Lecture 15 Lecture 15 Page 9 Page 10 CS 236, Winter 2007 CS 236, Winter 2007 How Do Viruses Work? Typical Virus Actions • When a program is run, it typically has 1). Find uninfected writable programs the full privileges of its running user 2). Modify those programs • Including write privileges for some 3). Perform normal actions of infected other programs program • A virus can use those privileges to 4). Do whatever other damage is desired replace those programs with infected versions Lecture 15 Lecture 15 Page 11 Page 12 CS 236, Winter 2007 CS 236, Winter 2007 2
Before the Infected Program The Infected Program Runs Runs Virus Code Virus Code Infected Uninfected Infected Uninfected Program Program Program Program Lecture 15 Lecture 15 Page 13 Page 14 CS 236, Winter 2007 CS 236, Winter 2007 Infecting the Other Program Macro and Attachment Viruses • Modern data files often contain executables – Macros Virus Code Virus Code – Email attachments – Ability to run arbitrary executables from Infected Infected Uninfected many applications, embedded in data Program Program Program • Easily the most popular form of new viruses – Requires less sophistication to get right • Most widespread viruses today use attachments Lecture 15 Lecture 15 Page 15 Page 16 CS 236, Winter 2007 CS 236, Winter 2007 Virus Toolkits How To Find Viruses • Helpful hackers have written toolkits • Basic precautions that make it easy to create viruses • Looking for changes in file sizes • A typical smart high school student can • Scan for signatures of viruses easily create a virus given a toolkit • TSR monitoring • Generally easy to detect viruses generated by toolkits • Multi-level generic detection –But we may see “smarter” toolkits Lecture 15 Lecture 15 Page 17 Page 18 CS 236, Winter 2007 CS 236, Winter 2007 3
Precautions to Avoid Viruses Other Precautionary Measures • Don’t import untrusted programs • Scan incoming programs for viruses – But who can you trust? –Some viruses are designed to hide • Viruses have been found in commercial • Limit the targets viruses can reach shrink-wrap software • Monitor updates to executables • The hackers who released Back Orifice carefully were embarrassed to find a virus on their CD release –Requires a broad definition of “executable” • Trusting someone means not just trusting their honesty, but also their caution Lecture 15 Lecture 15 Page 19 Page 20 CS 236, Winter 2007 CS 236, Winter 2007 Containment Viruses and File Sizes • Typically, a virus tries to hide • Run suspect programs in an encapsulated environment • So it doesn’t disable the infected program • Instead, extra code is added –Limiting their forms of access to • But if it’s added naively, the size of the file prevent virus spread grows • Requires versatile security model and • Virus detectors can look for this growth strong protection guarantees Lecture 15 Lecture 15 Page 21 Page 22 CS 236, Winter 2007 CS 236, Winter 2007 Problems With Size Checking for Signature Scanning Virus Detection • Requires keeping carefully protected • If a virus lives in code, it must leave records of valid file sizes some traces • Won’t work for files whose sizes typically • In early and unsophisticated viruses, change these traces were essentially – E.g., Word files with possibly infected characteristic code patterns macros • Find the virus by looking for the • Clever viruses find ways around it signature – E.g., cavity viruses that fit themselves into “holes” in programs Lecture 15 Lecture 15 Page 23 Page 24 CS 236, Winter 2007 CS 236, Winter 2007 4
Weaknesses of Scanning for How To Scan For Signatures Signatures • Create a database of known virus • What if the virus changes its signature? signatures • What if the virus takes active measures • Read every file in the system and look to prevent you from finding the for matches in its contents signature? • Also check every newly imported file • You can only scan for known virus • Also scan boot sectors and other signatures interesting places Lecture 15 Lecture 15 Page 25 Page 26 CS 236, Winter 2007 CS 236, Winter 2007 Polymorphic Viruses Stealth Viruses • A polymorphic virus produces varying but • A virus that tries actively to hide all signs of operational copies of itself its presence • Essentially avoiding having a signature • Typically a resident virus • Sometimes only a few possibilities • For example, it traps calls to read infected files – E.g., Whale virus has 32 forms – And disinfects them before returning the • But sometimes a lot bytes – Recent Storm worm had more than – E.g., the Brain virus 54,000 formats Lecture 15 Lecture 15 Page 27 Page 28 CS 236, Winter 2007 CS 236, Winter 2007 Combating Stealth Viruses TSR Monitoring • Stealth viruses can hide what’s in the • TSR - Terminate-and-Stay-Resident files –Essentially a daemon process • But may be unable to hide that they’re • A virus detector that runs in the in memory background • Also, if you reboot carefully from a • Automatically scans (and possibly clean source, the stealth virus can’t get takes other actions) continuously a foothold Lecture 15 Lecture 15 Page 29 Page 30 CS 236, Winter 2007 CS 236, Winter 2007 5
Recommend
More recommend
