ITSec Malicious Software

Description

Presentation about malicious software made by Jan Devos

Transcript of ITSec Malicious Software

pag. 1 Jan Devos

IT Beveiliging (IT Security)

Prof. Dr. ir Jan Devos Universiteit Gent, Campus Kortrijk

Graaf Karel De Goedelaan 5

BE-8500 KORTRIJK - BELGIUM

T: +32 56 24 12 72 (direct number)

e-mail: [email protected]

linkedIn: www.linkedin.com/in/jangdevos

Blog: jangdevos.wordpress.org

twitter: @jangdevos

pag. 2 Jan Devos

Malicious Software

A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim’s data, applications, or operating system, or otherwise annoying or disrupting the victim.

pag. 3 Jan Devos

Malicious Software

• programs exploiting system vulnerabilities

• known as malicious software or malware

– program fragments that need a host program

• e.g. viruses, logic bombs, and backdoors

– independent self-contained programs

• e.g. worms, bots

– replicating or not

• sophisticated threat to computer systems

pag. 4 Jan Devos

pag. 5 Jan Devos

Malware is classified into two broad categories:

• based first on how it spreads or propagates to reach the desired targets

• then on the actions or payloads it performs once a target is reached

Malware is also classified by:

• those that need a host program (parasitic code such as viruses)

• those that are independent, self-contained programs (worms, trojans, and bots)

• malware that does not replicate (trojans and spam e-mail)

• malware that does replicate (viruses and worms)

pag. 6 Jan Devos

propagation mechanisms include:

• infection of existing content by viruses that is subsequently spread to other systems

• exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate

• social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

payload actions performed by malware once it reaches a target system can include:

• corruption of system or data files

• theft of service/make the system a zombie agent of attack as part of a botnet

• theft of information from the system/keylogging

• stealthing/hiding its presence on the system

pag. 7 Jan Devos

pag. 8 Jan Devos

Backdoor / Trapdoor

• Secret entry point into a program

Any mechanism that bypasses a normal security check

• Legitimately: maintenance hook (CTRL-ALT-DEL)

– Quick access to a program (by the developer)

– Avoiding the authentication procedure

• Threat:

– difficult to prevent or detect

– Control over the development and maintenance activities

pag. 9 Jan Devos

Easter Eggs http://www.eeggs.com

Examples:

WORD:

1. Open a new word document

2. Type "=rand(200,99)" (without the quotes)

3. Press enter

4. Wait a few seconds and see

FIREFOX

1. Type about:mozilla in address bar

2. Hit enter.

pag. 10 Jan Devos

Logic Bomb

pag. 11 Jan Devos

Logic Bomb

• Program inserted into software by an intruder

• Dormant until a predefined condition is met

• Unauthorized act

Case Study Tim Lloyd / Omega

pag. 12 Jan Devos

Trojan Horses

• An apparently useful program containing hidden code that performs some unwanted or harmful function

• Harmful functions:

– Authorization for unauthorized users

– Data destruction

– Spyware

• Techniques:

– Modified compiler

– Internet downloads

pag. 13 Jan Devos

Mobile Code

• Programs that can be shipped unchanged to a heterogeneous collection of platforms (e.g. Windows) and execute with identical semantics

• Mobile Code acts as a mechanism for a virus, worm or Trojan Horse to be transmitted

• Examples of Mobile Code:

– Java Applets

– ActiveX controls

– JavaScript

– VB-Script

pag. 14 Jan Devos

Viruses

• Malware that, when executed, tries to replicate itself into other executable code.

• First appearance in 1983 (after the launch of the PC)

• Fred Cohen

pag. 15 Jan Devos

Viruses

• piece of software that infects programs

– modifying them to include a copy of the virus

– it executes secretly when host program is run

• specific to operating system and hardware

– taking advantage of their details and weaknesses

• a typical virus goes through phases of:

infection / dormant / propagation / triggering / execution

pag. 16 Jan Devos

Viruses

• components:

– infection mechanism - enables replication

– trigger - event that makes payload activate

– payload - what it does, malicious or benign

• prepended / postpended / embedded

• when infected program invoked, executes virus code then original program code

• can block initial infection (difficult)

• or propagation (with access controls)

pag. 17 Jan Devos

Virus Structure

pag. 18 Jan Devos

pag. 19 Jan Devos

Viruses Classification

• boot sector

• file infector

• macro virus

• encrypted virus: creates a key and encrypts itself (= another pattern)

• stealth virus: hides itself from detection

• polymorphic virus: virus mutates !

• metamorphic virus: virus mutates + rewrites itself

pag. 20 Jan Devos

Macro Viruses

• very common in mid-1990s since

– platform independent

– infect documents

– easily spread

• exploit macro capability of office apps

– executable program embedded in office doc

– often a form of Basic

• more recent releases include protection

• recognized by many anti-virus programs

pag. 21 Jan Devos

E-Mail Viruses

• more recent development

• e.g. Melissa

– exploits MS Word macro in attached doc

– if attachment opened, macro activates

– sends email to all on the user’s address list

– and does local damage

• then saw versions triggered reading email

• hence much faster propagation

pag. 22 Jan Devos

Virus Countermeasures

• prevention - ideal solution but difficult

• realistically need:

– detection

– identification

– removal

• if detect but can’t identify or remove, must discard and replace infected program

pag. 23 Jan Devos

Virus Countermeasures

• virus & antivirus tech have both evolved

• early viruses simple code, easily removed

• as become more complex, so must the countermeasures

• generations

– first - signature scanners

– second - heuristics

– third - identify actions

– fourth - combination packages

pag. 24 Jan Devos

Virus Countermeasures

• first - signature scanners

– Static

– Signature-specific scanners

– Detection of known viruses

– Detection based on the length of the programs

• second - heuristics

– No specific signature

– Heuristic rules

• Fragments of code

• Integrity checking (checksum check / hashing)
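The length check of the first generation and the integrity check (checksum / hashing) of the second, as an added Python example that is not part of the slides: a small baseline-and-verify tool that records the length and SHA-256 of every file in a directory and later reports files whose length changed, files whose content changed with the length unchanged (which a length-only check misses), missing files and new files. The sample file names, their contents and the three tampering steps in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample "programs" (names and contents invented for the example).
SAMPLE_FILES = {
    "editor.exe": b"MZ\x90\x00original editor code\n",
    "calc.exe": b"MZ\x90\x00original calculator code\n",
}


def baseline(directory):
    """Record length and SHA-256 of every regular file in `directory`.

    The length is what a first-generation scanner compared; the hash is the
    second-generation integrity check (checksum / hashing).
    """
    records = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        records[name] = {"size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()}
    return records


def check(directory, records):
    """Compare the current directory state with a stored baseline.

    Returns a list of (file name, reason) findings; an empty list means clean.
    """
    findings = []
    current = baseline(directory)
    for name, rec in records.items():
        if name not in current:
            findings.append((name, "missing"))
        elif current[name]["size"] != rec["size"]:
            findings.append((name, "length changed %d -> %d"
                             % (rec["size"], current[name]["size"])))
        elif current[name]["sha256"] != rec["sha256"]:
            # same length, different bytes: invisible to a length-only check
            findings.append((name, "content changed, length unchanged"))
    for name in current:
        if name not in records:
            findings.append((name, "new file"))
    return findings


def demo():
    """Baseline a clean directory, apply three constructed changes, re-check."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        records = baseline(d)
        assert check(d, records) == []          # clean state verifies

        # 1) code prepended to editor.exe: the file grows by 4 bytes
        path = os.path.join(d, "editor.exe")
        with open(path, "rb") as fh:
            original = fh.read()
        with open(path, "wb") as fh:
            fh.write(b"XXXX" + original)

        # 2) calc.exe patched in place: 8 bytes overwritten, length unchanged
        with open(os.path.join(d, "calc.exe"), "r+b") as fh:
            fh.seek(4)
            fh.write(b"patched!")

        # 3) an unexpected new file appears
        with open(os.path.join(d, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ")

        return check(d, records)


if __name__ == "__main__":
    for name, reason in demo():
        print("%-12s %s" % (name, reason))
```

The baseline only has value if it is taken from a known-clean state and stored where the code being checked cannot rewrite it (read-only media or a separate system); otherwise an infection that updates the stored hashes goes unnoticed.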

pag. 25 Jan Devos

Virus Countermeasures

• third - identify actions

– Memory-resident

– Identification by its actions rather than structure

• fourth - combination packages

– Variety of antivirus techniques used in conjunction

– Scanning and activity trap

pag. 26 Jan Devos

Generic Decryption

• runs executable files through GD scanner:

– CPU emulator to interpret instructions

– virus scanner to check known virus signatures

– emulation control module to manage process

• lets virus decrypt itself in interpreter

• periodically scan for virus signatures

• issue is long to interpret and scan

– tradeoff chance of detection vs time delay
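A toy model of the three GD components, added here as an illustration and not taken from the slides: a tiny interpreter for a made-up instruction set (the CPU emulator), a signature scanner that searches the emulated memory for a constructed marker string, and a control loop that scans every `scan_interval` instructions up to an instruction `budget`. The "body" is the marker string stored XOR-encoded with a constructed key, plus a short decoding loop; nothing here is real machine code or a real virus, and the signature, key and addresses are all assumptions. Running `gd_scan` with different budgets shows the tradeoff in the last bullet: with too small a budget the scan ends before the decoder has exposed the signature, while scanning after every instruction detects earliest but costs the most.

```python
SIGNATURE = b"FAKE-VIRUS-SIG"       # constructed marker, stands in for an AV signature
BODY = SIGNATURE + b":payload__"     # 24-byte "body" that the decoder exposes
KEY = 0x5A                           # constructed XOR key
BODY_START = 0


def build_memory():
    """Memory image as loaded from disk: the body is stored XOR-encoded, so a
    plain signature scan of the file finds nothing."""
    mem = bytearray(64)
    for i, b in enumerate(BODY):
        mem[BODY_START + i] = b ^ KEY
    return mem


# Decoding loop in a made-up instruction set (tuples, not real machine code).
PROGRAM = [
    ("set", "ptr", BODY_START),                  # 0
    ("set", "key", KEY),                         # 1
    ("xor", "ptr", "key"),                       # 2: mem[ptr] ^= key
    ("inc", "ptr"),                              # 3
    ("jlt", "ptr", BODY_START + len(BODY), 2),   # 4: loop while ptr < end
    ("halt",),                                   # 5
]


def step(mem, regs, pc):
    """CPU emulator: execute one instruction, return the next pc (None after halt)."""
    op = PROGRAM[pc]
    if op[0] == "set":
        regs[op[1]] = op[2]
        return pc + 1
    if op[0] == "xor":
        mem[regs[op[1]]] ^= regs[op[2]]
        return pc + 1
    if op[0] == "inc":
        regs[op[1]] += 1
        return pc + 1
    if op[0] == "jlt":
        return op[3] if regs[op[1]] < op[2] else pc + 1
    if op[0] == "halt":
        return None
    raise ValueError("unknown instruction %r" % (op,))


def scan(mem):
    """Signature scanner: does the known pattern appear anywhere in memory?"""
    return SIGNATURE in bytes(mem)


def gd_scan(budget, scan_interval):
    """Emulation control module.

    Runs the program for at most `budget` instructions, scanning memory every
    `scan_interval` instructions and once more if the program halts.
    Returns (detected, instructions_executed).
    """
    mem = build_memory()
    regs = {}
    pc = 0
    executed = 0
    if scan(mem):                    # static scan of the undecoded image
        return (True, 0)
    while pc is not None and executed < budget:
        pc = step(mem, regs, pc)
        executed += 1
        if executed % scan_interval == 0 or pc is None:
            if scan(mem):
                return (True, executed)
    return (False, executed)


if __name__ == "__main__":
    print("static scan only:", scan(build_memory()))
    for budget, interval in [(30, 10), (200, 10), (200, 1), (200, 100)]:
        print("budget=%3d interval=%3d ->" % (budget, interval),
              gd_scan(budget, interval))
```

In this toy the marker is fully decoded after 42 instructions, so a budget of 30 misses it, scanning every 10 instructions catches it at 50, and scanning every instruction catches it at 42; a real GD scanner faces the same choice between emulation time and the chance that the decryptor has finished.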

pag. 27 Jan Devos

Digital Immune System

pag. 28 Jan Devos

Behavior-Blocking Software

pag. 29 Jan Devos

Worms

• replicating program that propagates over net

– using email, remote exec, remote login

• has phases like a virus:

– dormant, propagation, triggering, execution

– propagation phase: searches for other systems, connects to them, copies itself to them and runs

• may disguise itself as a system process

• concept seen in Brunner’s “Shockwave Rider”

• implemented by Xerox Palo Alto labs in 1980’s

pag. 30 Jan Devos

Morris Worm

• one of the best known worms

• released by Robert Morris in 1988

• various attacks on UNIX systems

– cracking password file to use login/password to logon to other systems

– exploiting a bug in the finger protocol

– exploiting a bug in sendmail

• if succeed have remote shell access

– sent bootstrap program to copy worm over

pag. 31 Jan Devos

Worm Propagation Model

pag. 32 Jan Devos

• Code Red – July 2001 exploiting MS IIS bug

– probes random IP address, does DDoS attack (360,000 servers in 14 hours)

– consumes significant net capacity when active

• Code Red II variant includes backdoor

• SQL Slammer – early 2003, attacks MS SQL Server

– compact and very rapid spread

• Mydoom – mass-mailing e-mail worm that appeared in 2004

– installed remote access backdoor in infected systems

pag. 33 Jan Devos

• multiplatform

• multi-exploit

• ultrafast spreading

• polymorphic

• metamorphic

• transport vehicles

• zero-day exploit

• mobile phone worms (since 2004: BlueTooth, MMS)

pag. 34 Jan Devos

Worm Countermeasures

• overlaps with anti-virus techniques

• once worm on system AntiVirus can detect

• worms also cause significant net activity

• worm defense approaches include:

– signature-based worm scan filtering

– filter-based worm containment

– payload-classification-based worm containment

– threshold random walk scan detection

– rate limiting and rate halting
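Threshold random walk scan detection from the list above, as an added Python example that is not the slides' code: it runs the TRW test of Jung et al. (2004) over constructed connection-log lines of the form `time src dst ok|fail`. Only the first connection attempt from a source to each destination counts as evidence; each failed first contact multiplies the likelihood ratio by (1-θ1)/(1-θ0) and each successful one by θ1/θ0, and a source is declared a scanner once the ratio reaches η1 and benign once it drops to η0. The values of θ0 and θ1, the target detection and false-positive rates, the log format and the addresses are all assumptions made for the example.

```python
import math

# Model parameters (assumed values for the example): probability that a
# first-contact connection succeeds for a benign host (THETA0) and for a
# scanner (THETA1), and the target detection / false-positive rates.
THETA0 = 0.8
THETA1 = 0.2
P_DETECT = 0.99
P_FALSE = 0.01
LOG_ETA1 = math.log(P_DETECT / P_FALSE)              # reach this -> scanner
LOG_ETA0 = math.log((1 - P_DETECT) / (1 - P_FALSE))  # reach this -> benign
LLR_OK = math.log(THETA1 / THETA0)                   # a success: negative step
LLR_FAIL = math.log((1 - THETA1) / (1 - THETA0))     # a failure: positive step

# Constructed connection log: "time src dst ok|fail" (addresses invented).
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.1.10 ok
10:00:02 10.0.0.5 10.0.1.11 ok
10:00:02 10.0.0.5 10.0.1.10 ok
10:00:03 10.0.0.5 10.0.1.12 ok
10:00:04 10.0.0.5 10.0.1.13 ok
10:00:05 10.0.0.9 10.0.1.20 fail
10:00:05 10.0.0.9 10.0.1.21 fail
10:00:05 10.0.0.9 10.0.1.22 ok
10:00:06 10.0.0.9 10.0.1.23 fail
10:00:06 10.0.0.9 10.0.1.24 fail
10:00:06 10.0.0.9 10.0.1.25 fail
10:00:07 10.0.0.9 10.0.1.26 fail
"""


def trw(log_text):
    """Threshold random walk over a connection log.

    Returns {src: (verdict, first_contacts_seen)} with verdict one of
    "scanner", "benign" or "pending".
    """
    seen = set()        # (src, dst) pairs already observed
    llr = {}            # running log-likelihood ratio per source
    count = {}          # first-contact attempts per source
    verdict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, status = line.split()
        if src in verdict:            # decision already taken for this source
            continue
        if (src, dst) in seen:        # repeat contact: no new evidence
            continue
        seen.add((src, dst))
        llr[src] = llr.get(src, 0.0) + (LLR_OK if status == "ok" else LLR_FAIL)
        count[src] = count.get(src, 0) + 1
        if llr[src] >= LOG_ETA1:
            verdict[src] = ("scanner", count[src])
        elif llr[src] <= LOG_ETA0:
            verdict[src] = ("benign", count[src])
    for src in count:
        verdict.setdefault(src, ("pending", count[src]))
    return verdict


if __name__ == "__main__":
    for src, (v, n) in sorted(trw(SAMPLE_LOG).items()):
        print("%-10s %-8s after %d first-contact attempts" % (src, v, n))
```

With these parameters a failure weighs four times as much as a success, so the constructed scanner is flagged after six first contacts (five failures, one success) while the benign host is cleared after four successes; in a deployment the flag is what feeds the rate limiting or rate halting named in the last bullets.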

pag. 35 Jan Devos

Proactive Worm Containment

pag. 36 Jan Devos

Network-Based Worm Defense

pag. 37 Jan Devos

(Ro)Bots

• aka Zombies, Drones

• program taking over other computers

• to launch hard to trace attacks

• if coordinated form a botnet

• characteristics:

– remote control facility (differs from worms)

• via IRC/HTTP etc

– spreading mechanism

• attack software, vulnerability, scanning strategy

• various counter-measures applicable

pag. 38 Jan Devos

Uses of (Ro)Bots

• DDOS attacks

• Spamming

• Sniffing traffic

• Keylogging: capturing keystrokes

• Spreading new malware

• Ad add-ons and BHO (Browser helper objects): Generating clicks

• Attacking IRC chat networks

• Manipulating online polls and games

pag. 39 Jan Devos

Remote Control Facility

• A bot is controlled by a RCF

• The RCF is typically implemented via an IRC server or via HTTP

• Simplest form = issuing commands

• Advanced form = update commands for downloads and then execution

pag. 40 Jan Devos

Constructing a bot network

• Software that carries out the attack

– Run on a large number of machines

– Conceal its existence

– Able to communicate with the attacker or have a time-triggered mechanism (e.g. Friday the 13th)

• A vulnerability in a large number of systems

• Scanning or fingerprinting = locating and identifying vulnerable machines

pag. 41 Jan Devos

Constructing a bot network

• Scanning or fingerprinting strategies

– Random: each host probes random IP addresses

– Hit-list: a compiled list with potential vulnerable machines

– Topological: using information on the infected victim machine

– Local subnet: looking for victims behind the firewall

pag. 42 Jan Devos

Countermeasures

• IDS

• Honeypots

• DIS

• Try to detect the botnet during its construction phase

pag. 43 Jan Devos

Rootkits / Crimeware

• set of programs installed for admin access

• malicious and stealthy changes to host O/S

• may hide its existence

– subverting report mechanisms on processes, files, registry entries etc

• may be:

– persistent or memory-based

– user or kernel mode

• installed by user via trojan or intruder on system

• range of countermeasures needed

pag. 44 Jan Devos

Rootkits

pag. 45 Jan Devos

DDOS

pag. 46 Jan Devos

DDOS