Post on 30-May-2020
Viruses and Related Threats
2
Summary have considered:
various malicious programs trapdoor, logic bomb, trojan horse, zombie viruses worms countermeasures distributed denial of service attacks
3
Viruses and Related Threats Viruses
Computer viruses have got a lot of publicity One of a family of malicious software
Malicious software is software that is intentionally included or inserted in a system for a harmful purpose
Effects usually obvious They have figured in news reports, fiction, movies
often exaggerated getting more attention than deserve
4
Viruses and Related Threats Malicious Programs
Dependent program They Need host programs They cannot exist independent of some actual application E.g.: Viruses, Logic bomb, Backdoor
Independent program They can be scheduled and run by the OS E.g.: Worm, Zombie
5
Viruses and Related Threats
Taxonomy of Malicious Programs
6
Viruses and Related Threats Backdoor or Trapdoor
A secret entry point in a program It allows those who know access bypassing usual security
procedures It have been commonly used by developers A threat when left in production programs allowing
exploited by attackers It is very hard to block in O/S It requires good s/w development & update
7
Viruses and Related Threats Logic Bomb
One of oldest types of malicious software Code embedded in legitimate program It is activated when specified conditions met
Example presence/absence of some file particular date/time particular user
When triggered typically damage system E.g., modify/delete files/disks, halt machine, etc
8
Viruses and Related Threats Trojan Horse
A program (or some part of a program) with hiddenside-effects
Trojan horse is usually attractive to run E.g., freeware game, s/w upgrade, etc
when runs, it performs some additional tasks allows attacker to indirectly gain access they do not have directly
E.g., destroy/modify data, …
It often used to propagate a virus/worm or install a backdoor
9
Viruses and Related Threats Zombie
A program which secretly takes over another networkedcomputer
Then, the attacker uses the zombies to indirectly launchattacks (to the target host) => Zombies often used to launch distributed denial of service
(DDoS) attacks
Zombie exploits known flaws in network systems
10
Viruses and Related Threats The Nature of Viruses
Viruses: a piece of self-replicating code attached to someother code Cf. biological virus
Both (biological/computer virus) carry a payload and propagate itself Payload contains code to make copies of itself as well as code to
perform some covert task
11
Viruses and Related Threats Virus phases:
Dormant – waiting on trigger event Propagation – replicating to programs/disks Triggering – activated by event to execute payload Execution – performing the functions in the payload
Detailed phases usually depend on machine/OS specific exploiting features/weaknesses
12
Viruses and Related Threats
program V :={go to main :
1234567; subroutine infect-executable :=
{loop:file:=get-random-executable-file;if( first-line-of-file = 1234567 ) then goto loop else prepend V to file;}subroutine do-damage := {whatever damage is to be done}subroutine trigger-pulled := {return true if some condition holds}
main : main-program :={infect-executable;if trigger-pulled then do-damage;goto next;}
next;}
- A simple virus- This virus is easily detectedbecause an infected version of aprogram is longer than thecorresponding uninfected one
• Virus Structure
13
Viruses and Related Threats
program CV :={go to main :
01234567; subroutine infect-executable := {loop:
file:=get-random-executable-file;if( first-line-of-file = 1234567 ) then goto loop(1) compress file;(2) prepend CV to file; }
main : main-program :={infect-executable;(3) uncompress rest-of-file;(4) run uncompressed file;goto next;}
next;}
- A Compression virus :A way to thwart a means ofdetecting a simple virus is tocompress the executable file so thatboth the infected and uninfectedversions are of identical length.
• Logic of Compression Virus
Running steps of compressed P1’ filethat contains the virus code.
1. For each uninfected file P2,the virus first compress P2 toproduce P2’.
2. The virus code is prepended to theP2’
3. P1’ is uncompressed to P14. P1 is executed
14
Viruses and Related Threats
A Compression Virus
15
Viruses and Related Threats Types of Viruses
We can classify on basis of how they attack Parasitic virus
it attaches itself to executable files and replicates. Memory-resident virus
Lodges in main memory as part of a resident system program. Boot sector virus
Infects a master boot record or boot record. Stealth virus
A form of virus explicitly designed to hide itself from detection by antivirus software.
Polymorphic virus A virus that mutates with every infection.
16
Viruses and Related Threats Macro Virus
macro code can be attached to some data file which is interpreted by program using file E.g., Word/Excel macros Esp. using auto command & command macros
Macro code is now platform independent Macro virus is a major source of new viral infections There is blur distinction between data and program files Classic trade-off: "ease of use" vs "security” Successive release of Word provide increased protection,
and today macro virus is no longer dominant virus threat
17
Viruses and Related Threats Email Virus
Email viruses are spread using email with attachmentcontaining a macro virus cf Melissa
They are triggered when user opens attachment, or worseeven when mail viewed by using scripting features in mailagent => hence propagate very quickly
Usually targeted at Microsoft Outlook mail agent & Word/Excel documents
We need better O/S & application security
18
Viruses and Related Threats Worms
Originally, worms are self-replicating programs but not infecting ones.
Typically, spread over a network E.g., Morris Internet Worm in 1988, which led to creation of CER
Ts Worms propagate by using users’ distributed privileges or
by exploiting system vulnerabilities Recently, worms are widely used by hackers to create zo
mbie PC's, subsequently used for further attacks, esp. DoS (Denial-of-Services) attack.
Major issue is lack of security of permanently connected systems, esp. PC's
19
Viruses and Related Threats It exhibits the same characteristics as a computer virus The propagation phase performs the following functions :
Search for other systems to infect by examining host tables Establish a connection with a remote system. Copy itself to the remote system and cause the copy to be run.
It may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator.
20
Viruses and Related Threats Morris Worm
best known classic worm released by Robert Morris in 1988 targeted Unix systems using several propagation techniques
simple password cracking of local pw file exploit bug in finger daemon exploit debug trapdoor in sendmail daemon
if any attack succeeds then replicated self
21
Viruses and Related Threats Recent Worm
Attacks new spate of attacks from mid-2001 Code Red - used MS IIS bug
probes random IPs for systems running IIS had trigger time for denial-of-service attack 2nd wave infected 360000 servers in 14 hours
Code Red 2 - installed backdoor Nimda - multiple infection mechanisms SQL Slammer - attacked MS SQL server Sobig.f - attacked open proxy servers Mydoom - mass email worm + backdoor
22
Viruses and Related Threats State of Worm Technology
multiplatform multiexploit ultrafast spreading polymorphic metamorphic transport vehicles zero-day exploit
23
Virus Countermeasures Best countermeasure is prevention However, in general not possible Hence, we need to do one or more of:
Detection - of viruses in infected system Identification - of specific infecting virus Removal - restoring system to clean state
24
Virus Countermeasures Anti-Virus Approaches
first-generation scanner uses virus signature to identify virus or change in length of programs
second-generation uses heuristic rules to spot viral infection or uses crypto hash of program to spot changes
third-generation memory-resident programs identify virus by actions
fourth-generation packages with a variety of antivirus techniques eg scanning & activity traps, access-controls
arms race continues
25
Virus Countermeasures Advanced Anti-Virus Techniques
Generic decryption It use CPU simulator to check program signature & behavior befo
re actually running it It start the simulator to simulate the file execution Note that all polymorphic virus should decrypt itself to activate. By periodically scanning the memory, decrypted virus code can be detected.
26
Virus Countermeasures Digital Immune System
It is a comprehensive approach to virus protection developed by IBM
The objective of this system is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced
It uses general purpose emulation & virus detection Any virus entering org is captured, analyzed, detection/shielding c
reated for it, removed
27
Virus Countermeasures
Digital Immune SystemDigital Immune System
28
Virus Countermeasures Behavior-Blocking Software
integrated with host O/S monitors program behavior in real-time
E.g., file access, disk format, executable modifications, system settings changes, network access
For possibly malicious actions, if detected can block, terminate, or seek OK
B-B s/w has advantage over scanners But, malicious code runs before detection
29
Distributed Denial of Service Attacks(DDoS)
Denial of Service (DoS) attacks An attempt to make a computer resource unavailable to its intended u
sers. Typically, the targets are high-profile web servers where the attack is
aiming to cause the hosted web pages to be unavailable on the Internet.
Distributed Denial of Service (DDoS) attacks Attacks form a significant security threat where it makes networked
systems unavailable by flooding with useless traffic It uses large numbers of “zombies” It is one of growing sophistication of attacks Defense technologies are struggling to cope
30
Distributed Denial of Service Attacks(DDoS)
Distributed Denial of Service Attacks (Distributed Denial of Service Attacks (DDoSDDoS))
31
Distributed Denial of Service Attacks(DDoS)
Constructing the DDoS Attack Network We must infect large number of zombies Requirements.:1. Software to implement the DDoS attack2. An unpatched vulnerability on many systems3. A scanning strategy to find vulnerable systems
random, hit-list, topological, local subnet
32
Distributed Denial of Service Attacks(DDoS)
DDoS Countermeasures Three broad lines of defense:
1. Attack prevention & preemption (before)2. Attack detection & filtering (during)3. Attack source traceback & identification (after)
There are huge range of attack possibilities Hence, DDos contermeasures must evolve with the threat