Week 6 - Friday. What did we talk about last time? Viruses and other malicious code.
CS363 Week 6 - Friday
Last time
What did we talk about last time? Viruses and other malicious code
Questions?
Project 1
Security Tidbit 1
You guys probably don't use online dating tools much (yet)
Tinder is an app for iOS and Android that uses your Facebook network and geographic location to suggest matches
If both matched people "like" the other, the app allows them to communicate
Include Security discovered that it was possible to use the Tinder API to track the location of any user
The vulnerability was known for months and finally fixed around the beginning of 2014
Follow the story: http://www.net-security.org/secworld.php?id=16391
Security Tidbit 2
A leaked NSA document viewed by Der Spiegel contained a 50-page catalog of hardware and software exploits made by the ANT division of the NSA for their Tailored Access Operations (TAO)
It reads like a product brochure and even has prices!
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
Many of the details date from 2008
There is presumably a newer catalog now
Bruce Schneier has been discussing some of the more interesting items in the catalog
Security Tidbit 2 (continued)
CANDYGRAM is one of the exploits Schneier recently discussed
It's hardware and software that pretends to be a GSM cell tower
When a phone on a target list gets close enough to it, the phone connects to the "tower" and NSA agents receive SMS messages
Of course, the NSA can get data from cell phone providers
But this might be faster when working in the field
Cost: $40,000
More information:
https://www.schneier.com/blog/archives/2014/02/candygram_nsa_e.html
Exam 1 Post-Mortem
Virus Case Studies
The Internet Worm
In 1988 Robert Morris, a Cornell graduate student, wrote a worm that infected a large part of the Internet that existed at that time
Serious connectivity issues happened because of the worm and because people disconnected uninfected systems
He claimed the point was to measure the size of the Internet
The worm's goal:
1. Determine where it could spread to
2. Spread its infection
3. Remain undiscovered
Determining where to spread
It tried to find user accounts on the host machine
It tried 432 common passwords and compared their hash to the list of password hashes
Ideally, this list should not have been visible
It tried to exploit a bug in the fingerd program (using a buffer overflow) and a trapdoor in the sendmail mail program
Both were known vulnerabilities that should have been patched
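The worm's password guessing only worked because the hash list was readable. As an added example (not from the lecture or the worm's code), here is an audit that flags which accounts in a passwd-style file expose anything an offline guesser could use; the classic 7-field layout is assumed and the sample lines and hash strings are constructed.

```python
# Added example: flag password hashes that are exposed in a passwd-style file.
# Assumed layout: name:hash:uid:gid:gecos:home:shell (the classic 7 fields).

# Constructed sample; the hash strings are made up, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:$6$saltsalt$QZ8fakehash:1000:1000:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/sh
daemon:*:2:2:daemon:/sbin:/usr/sbin/nologin
carol::1002:1002:Carol:/home/carol:/bin/sh
"""

def classify_hash(field: str) -> str:
    """Map the second passwd field to what it gives an offline guesser."""
    if field == "":
        return "empty"        # no password at all: no guessing needed
    if field == "x":
        return "shadowed"     # real hash lives in the root-only shadow file
    if field.startswith(("*", "!")):
        return "locked"       # matches no password; nothing to compare against
    return "exposed"          # a hash anyone can read and guess against offline

def audit_passwd(text: str) -> dict:
    """Return {account: status} for every well-formed line."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue          # malformed line: skip rather than misreport it
        result[fields[0]] = classify_hash(fields[1])
    return result

def findings(text: str) -> list:
    """Accounts a worm-style dictionary check could act on, sorted by name."""
    bad = {"empty", "exposed"}
    return sorted((n, s) for n, s in audit_passwd(text).items() if s in bad)

if __name__ == "__main__":
    for name, status in findings(SAMPLE_PASSWD):
        print(f"{name}: {status}")
```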
Spreading infection
Once a target was found, the worm would send a short loader program to the target machine
The program (99 lines of C) would compile and then fetch the rest of the worm
It would use a one-time password to talk to the host
If the host got the wrong password, it would break connection
This mechanism was to prevent outsiders from gaining access to the worm’s code
Remain undiscovered
Any errors in transmission would cause the loader to delete any code and exit
As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies
It periodically changed its name and process identifier so that it would be harder to spot
What happened
The worm would ask machines if they were already infected
Because of a flaw in the code, it would reinfect machines 1 out of 7 times
Huge numbers of copies of the worm started filling infected machines
System and network performance dropped
Estimates of the damage are between $100,000 and $97 million
Morris was fined $10,000 and sentenced to 400 hours of community service
The CERT was formed to deal with similar problems
Code Red
Code Red appeared in 2001
It infected a quarter of a million systems in 9 hours
It is estimated that it infected 1/8 of the systems that were vulnerable
It exploited a vulnerability by creating a buffer overflow in a DLL in the Microsoft Internet Information Server software
It only worked on systems running an MS web server, but many machines did by default
Versions
The original version of Code Red defaced the website that was being run
Then, it tried to spread to other machines on days 1-19 of a month
Then, it did a distributed denial of service attack on whitehouse.gov on days 20-27
Later versions attacked random IP addresses
It also installed a trap door so that infected systems could be controlled from the outside
Targeted Malicious Code
Trapdoors
A trapdoor is a way to access functionality that is not documented
They are often inserted during development for testing purposes
Sometimes a trapdoor results from error cases that are not correctly checked or handled
Causes of trapdoors
Intentionally created trapdoors can exist in production code when developers:
Forget to remove them
Intentionally leave them in for testing
Intentionally leave them in for maintenance
Intentionally leave them in as a covert means of access to the production system
Salami attacks
I have never heard this term before I read this book
This is the Office Space attack
Steal tiny amounts of money when a cent is rounded in financial transactions
Or, steal a few cents from millions of people
Steal more if the account hasn't been used much
The rewards can be huge, and these kinds of attacks are hard to catch
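The rounding skim is hard to see one account at a time but easy to see in aggregate. As an added example (not from the lecture), the following posts interest both honestly and with a truncation skim, then runs the reconciliation check that exposes the skim; the balances and the 3% rate are constructed, and Decimal is used so no float noise masquerades as a skim.

```python
# Added example: a salami skim on interest posting and the control that catches it.
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.03")                       # constructed annual rate
BALANCES = [Decimal(s) for s in ("1234.56", "250.00", "100.00",
                                 "500.00", "777.77", "3000.00")]

def exact_interest(balance, rate=RATE, days=30):
    """Interest before rounding; it almost always carries a fraction of a cent."""
    return balance * rate * Decimal(days) / Decimal(365)

def honest_post(exact):
    """The bank's rule: round to the nearest cent, ties to even."""
    return exact.quantize(CENT, rounding=ROUND_HALF_EVEN)

def salami_post(exact):
    """The attack: truncate instead of rounding, so every fraction that should
    have rounded up is shaved off the customer and kept by the attacker."""
    return exact.quantize(CENT, rounding=ROUND_DOWN)

def run_posting(post, balances=BALANCES):
    return [post(exact_interest(b)) for b in balances]

def reconcile(posted, balances=BALANCES):
    """Independent control: recompute every amount under the official rule and
    total the difference. Honest postings reconcile to zero; a skim is one-sided
    and grows with the number of accounts, which makes it visible in the total
    even though no single account is off by more than a cent."""
    shortfall = Decimal("0.00")
    accounts_short = 0
    for balance, amount in zip(balances, posted):
        diff = honest_post(exact_interest(balance)) - amount
        if diff != 0:
            accounts_short += 1
        shortfall += diff
    return shortfall, accounts_short

if __name__ == "__main__":
    for name, post in (("honest", honest_post), ("salami", salami_post)):
        total, n = reconcile(run_posting(post))
        print(f"{name}: {n} accounts short, {total} unaccounted for")
```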
The Sony XCP rootkit
A rootkit is malicious code that gives an attacker access to a system as root (a privileged user) and hides from detection
Sony put a program on music CDs called XCP (extended copy protection) which allowed users to listen to the CD on Windows but not rip its contents
It installed itself without the user's knowledge
It had to have control over Windows and be hard to remove
It would hide the presence of any program starting with the name $sys$, but malicious users could take advantage of that
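A rootkit that filters names out of the lists the OS hands to programs can be caught by comparing that filtered view with a raw one (cross-view detection), or by planting a harmless canary with the suspect prefix and watching it vanish. As an added example (not from the lecture and not Sony's code), the host below is a simulation whose hooked view drops $sys$ names the way XCP's cloaking did; all file and process names are constructed.

```python
# Added example: cross-view and canary detection of a name-hiding rootkit.
HIDE_PREFIX = "$sys$"

class SimulatedHost:
    """Stand-in for a machine. With rootkit=True a filter sits between programs and
    the real lists; raw_* methods read the underlying store the way a forensic tool would."""
    def __init__(self, files, processes, rootkit=True):
        self._files, self._processes, self._rootkit = set(files), set(processes), rootkit

    def _filtered(self, names):
        if not self._rootkit:
            return set(names)
        return {n for n in names if not n.startswith(HIDE_PREFIX)}

    def raw_files(self):      return set(self._files)
    def raw_processes(self):  return set(self._processes)
    def api_files(self):      return self._filtered(self._files)     # what the user sees
    def api_processes(self):  return self._filtered(self._processes)
    def create_file(self, name): self._files.add(name)
    def delete_file(self, name): self._files.discard(name)

def cross_view_diff(api_view, raw_view):
    """Anything present in the raw view but absent from the API view is being hidden."""
    return sorted(raw_view - api_view)

def canary_test(host, prefix=HIDE_PREFIX, name="cloak_probe.txt"):
    """Create a harmless file with the suspect prefix and check whether it disappears
    from the API view. True means something on the host is filtering by that prefix."""
    canary = prefix + name
    host.create_file(canary)
    try:
        return canary not in host.api_files() and canary in host.raw_files()
    finally:
        host.delete_file(canary)          # always clean up the probe

def scan(host):
    return {
        "hidden_files": cross_view_diff(host.api_files(), host.raw_files()),
        "hidden_processes": cross_view_diff(host.api_processes(), host.raw_processes()),
        "prefix_cloaking": canary_test(host),
    }

# Constructed sample host: one cloaked file and one cloaked process among ordinary ones.
SAMPLE_HOST = SimulatedHost(
    files={"report.doc", "$sys$drmdriver.sys", "notepad.exe"},
    processes={"explorer.exe", "$sys$drmserver.exe", "player.exe"},
)

if __name__ == "__main__":
    print(scan(SAMPLE_HOST))
```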
Privilege escalation
Most programs are supposed to execute with some kind of baseline privileges
Not the high level privileges needed to change system data
Windows Vista, 7, and 8 ask you if you want to have privileges escalated
Sometimes you can be tricked
Symantec needed high level privileges to run Live Update
Unfortunately, it ran some local programs with high privileges
If a malicious user had replaced those local programs with his own, ouch
Keystroke logging
It’s possible to install software that logs all the keystrokes a user enters
If designed correctly, these values come from the keyboard drivers, so all data (including passwords) is visible
There are also hardware keystroke loggers
Most are around $40
Is your keyboard free from a logger?
Quiz
Upcoming
Next time…
Controls against program threats
OS security
Omar Mustardo presents
Reminders
Read Sections 4.1 through 4.4
Finish Project 1
Due tonight!