Information Systems Information Systems SecuritySecurity

Lecture 9Lecture 9

Malicious Software, Intrusion Detection, Malicious Software, Intrusion Detection, and Firewallsand Firewalls

22

OutlineOutline

1.1. Malicious codeMalicious code

2.2. Trojan horsesTrojan horses

3.3. VirusesViruses

4.4. WormsWorms

5.5. Other malicious codesOther malicious codes

6.6. Countermeasures Countermeasures

7.7. Intrusion DetectionIntrusion Detection

8.8. FirewallsFirewalls

33

What is Malicious Code?What is Malicious Code?

Any code which:Any code which:– Modifies or destroys dataModifies or destroys data

– Steals dataSteals data

– Allows unauthorized accessAllows unauthorized access

– Exploits or damages a systemExploits or damages a system

– Does something user did not intend to doDoes something user did not intend to do

Malware is a MALicious softWAREMalware is a MALicious softWARE

Malware can be any things: viruses, worms, trojan horses, etc.Malware can be any things: viruses, worms, trojan horses, etc.

44

Trojan HorseTrojan Horse

A Trojan horse is a program that appears to be useful or A Trojan horse is a program that appears to be useful or harmless but that contains hidden code designed to exploit or harmless but that contains hidden code designed to exploit or damage the system on which it is run. damage the system on which it is run.

Originally Trojan horses were not designed to spread Originally Trojan horses were not designed to spread themselves. themselves.

A Trojan horse tricks user into executing malicious code.A Trojan horse tricks user into executing malicious code. Examples:Examples:

– A simple example of a Trojan Horse would be a program named A simple example of a Trojan Horse would be a program named “Bush.EXE" that is posted on a website with a promise to be a fun “Bush.EXE" that is posted on a website with a promise to be a fun animation. animation.

– On the Microsoft Windows platform, an attacker might attach a Trojan On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which horse with an innocent-looking filename to an email message which entices the recipient into opening the file. entices the recipient into opening the file.

– Phish-BuyPhone (1/7/2007).Phish-BuyPhone (1/7/2007).

55

66

77

VirusVirus

A virus uses code written with the express intention of A virus uses code written with the express intention of replicating itself. replicating itself.

A virus attempts to spread from computer to computer by A virus attempts to spread from computer to computer by attaching itself to a host program. attaching itself to a host program.

It may damage hardware, software, or data. When the host is It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and executed, the virus code also runs, infecting new hosts and sometimes delivering an additional malicious actions.sometimes delivering an additional malicious actions.

Example: Example: – Melissa: MacrovirusMelissa: Macrovirus

88

Virus structureVirus structure

Program V:={goto main;

1234567;subroutine infect-executable :={loop:file := get-random-executable-file;if (first-line-of-file = 1234567)

then goto loopelse prepend V to file;

subroutine do-damage := {what ever damage to be done}

subroutine trigger-pulled :={return true if some condition holds}

Main: main-program := {infect-executable; if trigger-pulled then do-damage;goto next;}

next:}

(on right) A virus structure that is prepended to infected programs

Type of this virus: File virus.

A virus can be prepended or A virus can be prepended or postpended to an executable postpended to an executable programprogram

When an infected program When an infected program (containing a virus) is invoked, (containing a virus) is invoked, will first execute the virus code will first execute the virus code then execute the original code to then execute the original code to the programthe program. .

99

Types of virusesTypes of viruses

1.1. File virus, also called parasitic virus.File virus, also called parasitic virus.

2.2. Boot sector infectors: Infects a master boot record or boot record and Boot sector infectors: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.spreads when a system is booted from the disk containing the virus.

3.3. Macro virus: infects macro programming environment (e.g., Microsoft Macro virus: infects macro programming environment (e.g., Microsoft office application such as Word) rather than specific operating systems .office application such as Word) rather than specific operating systems .– A macro is a an executable program embedded in a word processing document A macro is a an executable program embedded in a word processing document

or other types of files. or other types of files.

– A macros is an executable file that can modify commands within the application A macros is an executable file that can modify commands within the application menu. menu.

– Macro virus infects data files rather than executable files.Macro virus infects data files rather than executable files.

4.4. Stealth virus: a form of virus explicitly designed to hide itself from Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus softwares.detection by antivirus softwares.

5.5. Polymorphic virus: a virus that mutates with every infection, making its Polymorphic virus: a virus that mutates with every infection, making its detection impossible. detection impossible.

6.6. ……

1010

WormsWorms

A worm uses self-propagating malicious code that can A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another automatically distribute itself from one computer to another through network connections.through network connections.– i.e.i.e., Worms can execute and spread without user intervention., Worms can execute and spread without user intervention.

A worm can take harmful actions, such as:A worm can take harmful actions, such as:– consuming network or local system resourcesconsuming network or local system resources

– causing a denial of service attack. causing a denial of service attack.

– deleting data, spying users, …deleting data, spying users, …

1111

WormsWorms

By denition, a worm is supposed to hop from machine to machine on its own, it needs to come equipped with considerable networking support.

With regard to autonomous network hopping, the important question to raise is: What does it mean for a program to hop from machine to machine?

A program may hop from one machine to another by a variety of means:– By using the remote shell facilities, as provided by rsh and rexec in Unix,

to execute a command on the remote machine.– By cracking the passwords and logging in as a regular user on a remote

machine.

Example: The Slammer Worm (online info)

1212

Other malwaresOther malwares

Trap door: a secret entry point into a program that allows Trap door: a secret entry point into a program that allows someone that is aware of the trapdoor to gain access without someone that is aware of the trapdoor to gain access without going through the usual security procedures.going through the usual security procedures.

Logic bomb: is a code embedded in some legitimate program Logic bomb: is a code embedded in some legitimate program that is set to explode when certain conditions are met (time, or that is set to explode when certain conditions are met (time, or data).data).

Zombie: is a program that secretly takes over another Internet-Zombie: is a program that secretly takes over another Internet-attached computer and then uses this computer to launch attacks attached computer and then uses this computer to launch attacks

1313

Other malwaresOther malwares

What is not malware?What is not malware?– Spyware (also called Spyware (also called spybotspybot or or tracking software)tracking software). programs that conduct . programs that conduct

certain activities (collecting personal information) on a computer without certain activities (collecting personal information) on a computer without obtaining appropriate consent from the user. obtaining appropriate consent from the user.

– Adware: Adware: pop-up advertisementspop-up advertisements

– Spam: is unsolicited e-mail generated to advertise some service or Spam: is unsolicited e-mail generated to advertise some service or productproduct

– Scams: An e-mail message that attempts to trick the recipient into Scams: An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes revealing personal information that can be used for unlawful purposes

1414

Virus countermeasuresVirus countermeasures

The antivirus approach: the ideal solution to the threat of viruses The antivirus approach: the ideal solution to the threat of viruses is prevention:is prevention:– Don’t allow malware to get into the systemDon’t allow malware to get into the system

This is difficult (even impossible) to achieveThis is difficult (even impossible) to achieve

Follow the following approach:Follow the following approach:– Detection: once the infection has occurred, locate the virus.Detection: once the infection has occurred, locate the virus.

– Identification: identify the specific virus that has infected a program.Identification: identify the specific virus that has infected a program.

– Removal: remove all traces of the virus from the infected program and Removal: remove all traces of the virus from the infected program and restore it to its original state. restore it to its original state.

Follow Virus Alert’s website: (eg, next slide)Follow Virus Alert’s website: (eg, next slide) Example:Example:

– The Windows case (the antivirus Defense-in-Depth Guide, Ch4) The Windows case (the antivirus Defense-in-Depth Guide, Ch4)

1515

1616

Windows’s antivirus Windows’s antivirus Defense-in-Depth GuideDefense-in-Depth Guide

1.1. Active processes and servicesActive processes and services– Task Manager, Ps Tools, Process Explorer Task Manager, Ps Tools, Process Explorer

2.2. The local registryThe local registry– Regedit (the registry editor)Regedit (the registry editor)

3.3. Files in the Microsoft Windows system folders.Files in the Microsoft Windows system folders.– Use the “Windows Search”Use the “Windows Search”

4.4. New user or group accounts, especially with Administrator New user or group accounts, especially with Administrator privilegesprivileges

5.5. Shared folders (including hidden folders).Shared folders (including hidden folders).6.6. Newly created files with normal looking file names but in Newly created files with normal looking file names but in

unusual locationsunusual locations7.7. Opened network portsOpened network ports

– Netstat, FPortNetstat, FPort

1717

Intrusion Detection

1818

Intrusion detectionIntrusion detection

Viruses and intrusion are the most publicized threats to system Viruses and intrusion are the most publicized threats to system securitysecurity

Intrusion: illegally gaining access to systemsIntrusion: illegally gaining access to systems Intrusion techniques: acquiring protected information (often user Intrusion techniques: acquiring protected information (often user

passwords)passwords)– Passwords are associated with users in filesPasswords are associated with users in files

Password files must be protectedPassword files must be protected

Countermeasures: prevention and detectionCountermeasures: prevention and detection– If intrusion prevention fails, If intrusion prevention fails,

– Intrusion detection is the real defense line.Intrusion detection is the real defense line.

1919

Intrusion detectionIntrusion detection

Intrusion detection is based on the assumption that the behavior Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that of the intruder differs from that of a legitimate user in ways that can be quantified.can be quantified.

Intrusion detection approaches:Intrusion detection approaches:– Statistical anomaly detectionStatistical anomaly detection– Rule-based detectionRule-based detection

Audit Records: is a fundamental tool for intrusion detection Audit Records: is a fundamental tool for intrusion detection – A detection record may contain subject (user, process), action (login, A detection record may contain subject (user, process), action (login,

read, write), object (files, programs), resource usage, timestamp read, write), object (files, programs), resource usage, timestamp

Examples of IDS:Examples of IDS:– Cisco’s Secure IDSCisco’s Secure IDS– ISS RealSecureISS RealSecure– SnortSnort

2020

Firewall

2121

FirewallFirewall

A firewall is any device used as a network-level access control A firewall is any device used as a network-level access control mechanism for a particular network or a set of networksmechanism for a particular network or a set of networks– Firewall is used to prevent outsiders from accessing an internal network.Firewall is used to prevent outsiders from accessing an internal network.

Firewalls may be stand-alone computers, routers, or firewall Firewalls may be stand-alone computers, routers, or firewall appliances (sometimes with their own OS)appliances (sometimes with their own OS)

They serve as control points to and from networksThey serve as control points to and from networks They check whether or not network traffic should be allowed They check whether or not network traffic should be allowed

according to sets of rules or policies. according to sets of rules or policies.

Pitfalls: slowing data transmission, impairing networkingPitfalls: slowing data transmission, impairing networking

2222

Types of firewallsTypes of firewalls

Packet filtering routersPacket filtering routers Stateful-inspection firewallsStateful-inspection firewalls Application-level gateway (also called proxy server)Application-level gateway (also called proxy server) Circuit-level gatewayCircuit-level gateway

Examples:Examples:– CheckPoint’s Firewall-1: Stateful-inspection-basedCheckPoint’s Firewall-1: Stateful-inspection-based

– Cisco’s PIX:stateful packet filter-basedCisco’s PIX:stateful packet filter-based

– Border’s FireWall Server: Proxy-basedBorder’s FireWall Server: Proxy-based

– Tiny Software’s Tiny Personal Firewall: Packet filter-basedTiny Software’s Tiny Personal Firewall: Packet filter-based