Herbert G. Mayer, PSU CS status 6/25/2011 Slides derived from prof. Wu-Chang Feng CS 305 Social, Ethical, and Legal Implications of Computing Chapter 6 Computer Networks and Security
Syllabus • Malware • Virus • Worms • Examples • Backdoor • Trojan Horse • Rootkit • Botnet • Hackers and Phreaks • Enforcement • In-Class Exercise
Malware • Def: Malware is unwanted software that makes your computer carry out an attacker's instructions, such as: • Delete files to render your computer inoperable • Infect other systems -- worms, viruses • Monitor activity -- webcams, keystroke loggers • Gather information on you, your habits, the web sites you visit • Provide unauthorized access -- Trojans, backdoors • Steal files, store illicit files • Send spam or attack other systems • Serve as a stepping stone that launders the attacker's activity -- frame you for a crime • Hide activity -- rootkits
Types of Malware • Viruses • Worms • Trojans • Backdoors • Rootkits (user & kernel level)
What is a Virus? • Self-replicating piece of code that attaches itself to other programs; usually requires human interaction to propagate
Two Virus Components • Payload • The malicious/anti-social thing that viruses and worms do, which is what makes them harmful • Examples: wiping your hard drive, deleting files, encrypting files for blackmail purposes • Propagation mechanism • How does the virus spread?
Virus Propagation • Locally • Simplest method • Write it to the file system • Local files, executables, documents • Write it into the boot sector/operating system • Removable storage • Initial viruses propagated through tapes and floppies • Rarely target CDs specifically, but it has happened: • Chernobyl (CIH) shipped on a Yamaha CD-R firmware update CD • NIMDA on Visual Studio .NET in Korea • Modern media • Compact Flash, SD, USB keys
Virus Propagation • Network • Most common currently • Email (ILOVEYOU) • Web • Newsgroups (Melissa) • P2P networks (FastTrack, Gnutella, IRC, BitTorrent) • A 2003 study showed 45% of executable files downloaded from KaZaA carried viruses or Trojan horses • Beware of warez! • NFS and Samba mounts • Social networks
Examples • Benign • Brain virus (1986) • Written to determine the level of software piracy in Pakistan • Malicious • Michelangelo (1991) • Erased the boot sector on March 6 • Love bug (2000) • Deleted files • Collected passwords and e-mailed them • Author was a 23-year-old Filipino CS student • The Philippines had no hacking laws at the time, so no prosecution
Worms • A worm is a self-replicating piece of code that spreads via networks; usually does not require human interaction to propagate
Virus vs. Worm • Similarities • Goal is to infect other machines • Can contain a payload • Virus • Infects other files (hosts must have executable sections) • Transmitted via removable storage or network • Requires user interaction to propagate -- e.g. open a file, boot from floppy, launch an executable, click on an e-mail attachment • Worm • Travels through the network only • May infect other files (a purely memory-resident worm might be cleared by a reboot) • Does not require human interaction • Targets misconfiguration or flaws/vulnerabilities in systems -- buffer overflows!
Why are Worms Powerful? • Fast scaling • Can take over a vast number of machines, each of which then acts as a launch point to infect other machines • Goal: Infect 10,000 machines • Serial example • Suppose an average of 1 hour per machine • Includes time to find a vulnerable machine as well as infecting it • 10,000 hours = 416 days > 1 year! • Worm example • Again, suppose an average of 1 hour per machine • Each infected machine subsequently takes an hour to infect another • 1st hour: 1 infection • 2nd hour: 3 infections • 3rd hour: 7 infections • After h hours: 2^h - 1 infections • 14th hour: 16,383 infections, i.e. 10,000/14 ≈ 714 times faster than serial
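The growth arithmetic on the slide, worked through in code. This is an added example and not part of the CS 305 slides: the first two functions reproduce the slide's serial-versus-worm comparison, and the third goes beyond it with a simple expected-value model of a worm that probes random addresses against a finite vulnerable population, which is why real worms show an S-shaped curve rather than unbounded doubling. The population, address-space and probe-rate figures in it are assumptions chosen for illustration, not measurements.

```python
"""Worm growth model: serial attacker versus self-replicating worm.

Added example, not from the CS 305 slides. serial_hours/worm_hours reproduce
the slide's arithmetic; random_scan_hours is an extension with assumed
parameters that models random scanning against a finite vulnerable population.
"""


def serial_hours(target: int, hours_per_machine: float = 1.0) -> float:
    """A single attacker infecting machines one after another."""
    return target * hours_per_machine


def worm_hours(target: int) -> int:
    """Hours until at least `target` machines are infected when the attacker
    and every infected machine each infect one more machine per hour.

    Hour 1: 1, hour 2: 3, hour 3: 7, ... after h hours 2**h - 1 machines.
    """
    infected, hours = 1, 1
    while infected < target:
        infected = 2 * infected + 1
        hours += 1
    return hours


def worm_speedup(target: int) -> float:
    """How many times faster the worm reaches `target` than serial infection."""
    return serial_hours(target) / worm_hours(target)


def random_scan_hours(vulnerable: int, address_space: int,
                      probes_per_hour: int, fraction: float = 0.9) -> int:
    """Expected-value model of a worm probing uniformly random addresses.

    Each infected host sends `probes_per_hour` probes per hour. A probe lands
    on a not-yet-infected vulnerable host with probability
    (vulnerable - infected) / address_space, so growth is exponential while
    few hosts are infected and flattens as the worm keeps hitting hosts it
    already owns. Returns the hours until `fraction` of the vulnerable hosts
    are infected. All inputs are assumptions for illustration.
    """
    infected, hours = 1.0, 0
    goal = fraction * vulnerable
    while infected < goal:
        hit_rate = (vulnerable - infected) / address_space
        infected = min(vulnerable, infected + infected * probes_per_hour * hit_rate)
        hours += 1
    return hours


if __name__ == "__main__":
    print(f"serial: {serial_hours(10_000):.0f} h, worm: {worm_hours(10_000)} h, "
          f"speedup: {worm_speedup(10_000):.0f}x")
    # Assumed scenario: 100,000 vulnerable hosts in a 2**32 address space,
    # each infected host sending 10 (or 100) probes per second.
    slow = random_scan_hours(100_000, 2**32, probes_per_hour=36_000)
    fast = random_scan_hours(100_000, 2**32, probes_per_hour=360_000)
    print(f"random scanning at 10 probes/s: {slow} h; at 100 probes/s: {fast} h")
```

The random-scan model is the reason the probe rate and the size of the vulnerable population matter so much: a tenfold increase in probes per hour cuts the time to saturation by far more than the doubling model alone would suggest, and it is the mechanism behind the "Warhol worm" estimates discussed later in the chapter.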
Anatomy of Worm • A worm is composed of • Warhead • Propagation Engine • Target Selection Algorithm • Scanning Engine • Payload
Warhead • Warhead – the mechanism by which a worm gains entry into a system • This is the part that we protect our systems against. The warhead contains the exploit code • Buffer overflow, copying into open file shares, password attacks
Propagation Engine • Propagation Engine – How the worm transports a new copy of itself into another machine • Often, warheads contain the entire worm, but not always • Warhead code can download the rest of the worm code, e.g. remote root shell exploit followed by an ftp
Target Selection Algorithm • Target Selection Algorithm – How a worm selects its next target • Want to choose nearby targets. Nearby targets are much faster to infect than far away targets • IP address proximity, network neighborhood, e-mail address books
Scanning Engine • Scanning Engine – Code that probes machines to determine if addresses generated by the targeting algorithm are vulnerable. • Pretty simple usually – send probing packets (TCP SYN) to targets, wait for response • If successful in opening a socket, attempt to compromise
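The defender's side of the scanning engine described above, as an added example that is not part of the CS 305 slides. A worm's scanning engine sends SYNs to whatever addresses its target-selection algorithm produces, so a single source that opens connections to many distinct destinations on one port within a short window, most of them never answered, stands out in connection logs. The log format, the addresses, the 60-second window and the fan-out threshold below are all constructed for this example.

```python
"""Fan-out scan detector over connection logs.

Added example, not part of the CS 305 slides. Flags sources whose SYNs reach
many distinct destinations on one port inside a short window, the signature of
a worm's scanning engine. The log format, addresses and thresholds are
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (one line per SYN seen by a border firewall):
# <iso-timestamp> SYN <src> -> <dst>:<port> reply=<SYNACK|RST|NONE>


def parse_line(line):
    """Return (timestamp, src, dst, port, answered) for one log line."""
    ts, _syn, src, _arrow, dst_port, reply = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), reply == "reply=SYNACK"


def detect_scanners(lines, window_seconds=60, fanout_threshold=20):
    """Flag sources that reach >= fanout_threshold distinct destinations on one
    port inside any window_seconds window. Lines are assumed time-ordered.

    Returns {src: {"port", "distinct_destinations", "unanswered_fraction"}},
    reporting the largest fan-out seen for each flagged source.
    """
    recent = defaultdict(deque)   # (src, port) -> deque of (ts, dst, answered)
    alerts = {}
    for ts, src, dst, port, answered in map(parse_line, lines):
        window = recent[(src, port)]
        window.append((ts, dst, answered))
        while (ts - window[0][0]) > timedelta(seconds=window_seconds):
            window.popleft()   # drop SYNs that fell out of the sliding window
        distinct = {d for _, d, _ in window}
        best = alerts.get(src, {}).get("distinct_destinations", 0)
        if len(distinct) >= fanout_threshold and len(distinct) > best:
            unanswered = sum(1 for _, _, a in window if not a) / len(window)
            alerts[src] = {"port": port,
                           "distinct_destinations": len(distinct),
                           "unanswered_fraction": round(unanswered, 2)}
    return alerts


def build_sample_log():
    """Constructed sample: a normal client plus one host sweeping port 80."""
    base = datetime(2001, 7, 19, 13, 0, 0)
    lines = []
    # Normal browsing: a few connections to three hosts, all answered.
    for i, dst in enumerate(["198.51.100.7:80", "198.51.100.9:443",
                             "198.51.100.7:80", "198.51.100.20:80",
                             "198.51.100.9:443"]):
        t = base + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} SYN 10.0.0.5 -> {dst} reply=SYNACK")
    # Scanning host: 40 distinct destinations on port 80 in 40 seconds,
    # only one in ten answering (random addresses are mostly not listening).
    for i in range(40):
        t = base + timedelta(seconds=i)
        reply = "SYNACK" if i % 10 == 0 else "NONE"
        lines.append(f"{t.isoformat()} SYN 10.0.0.77 -> 203.0.113.{i + 1}:80 reply={reply}")
    return sorted(lines)   # timestamps lead each line, so sorting restores time order


def sample_alerts():
    """Run the detector over the constructed log."""
    return detect_scanners(build_sample_log())


if __name__ == "__main__":
    for src, info in sample_alerts().items():
        print(f"ALERT {src}: {info['distinct_destinations']} distinct hosts on port "
              f"{info['port']} in 60 s, {info['unanswered_fraction']:.0%} unanswered")
```

The unanswered fraction is the second signal worth keeping: a worm choosing random addresses mostly hits hosts that are not listening, whereas a busy but legitimate client (a web crawler, a monitoring system) with high fan-out gets answers. Tuning the threshold against your own baseline of normal fan-out per port is what keeps such a rule from paging on every backup job.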
Payload • Payload – The malicious code that the worm actually delivers • Early worms often had no payload; the mere act of spreading consumed enough bandwidth and CPU to damage the Internet • Install a backdoor, Trojan, or rootkit • Alter or destroy files (immediately, timed, on demand) • Encrypt your data, delete the originals, hold it for ransom • Form a botnet (e-mail spam, search engine spam, phishing) • Launch DoS attacks
Examples • The first few worms were “ethical” worms – worms that tried to perform a useful service • Creeper • First worm developed for the assistance of air traffic controllers by Bob Thomas in 1971 • Notified air traffic controllers when the controls of a plane moved from one computer to another • Traveled from one computer screen to the other on the network showing the message, "I'm creeper! Catch me if you can!" • Did not reproduce itself
Examples • Xerox PARC worms • John Shoch and Jon Hupp of Xerox PARC, early eighties • Worms as efficient carriers of software • "town crier" worm posted announcements on all computers of the network • More complex worms activated only at night to consume unused CPU cycles • One escaped the laboratory into Xerox's network • One morning the employees returned to find that all the computers had crashed; when they tried to restart the computers, they crashed again • One of the worms had malfunctioned and created havoc in the network • A "vaccine" had to be created to deactivate the worm
Examples • The Internet worm (1988) • Robert Morris (graduate student at Cornell) discovers multiple security holes in Unix (the sendmail DEBUG command, a buffer overflow in fingerd, and rsh/rexec trust relationships combined with weak passwords) • Wanted to research whether one could create an automated means for exploiting them • Goal was to infect quickly but do no other damage (i.e. files left alone) • In the middle of the design, a patch was released for one vulnerability • Morris launched the worm before it was completed; a flaw in its re-infection check let hosts be infected many times over, exhausting their CPU • Released November 2, 1988 • Disabled an estimated 6,000 of the roughly 60,000 machines then on the Internet • Morris was suspended from Cornell and convicted of a felony under the U.S. Computer Fraud and Abuse Act (sentenced to probation, community service, and a fine) • Later earned a Ph.D. at Harvard; now a professor at MIT • Ethics? • Malicious or selfish?
Code Red (2001) • Targeted the Indexing Service ISAPI extension (.ida) of Microsoft's IIS web server • Spreads as a malformed HTTP request that triggers a buffer overflow • Infected server creates 99 threads to attack random IP addresses • windowsupdate.microsoft.com was infected too • Infection rate • Over 20,000 infections in less than 10 minutes • Over 250,000 infections in less than 9 hours • Over 975,000 total infections • Payload • DDoS attack against whitehouse.gov's IP address
Code Red (2001) • People don't patch • The IIS vulnerability had been fixed about a month before Code Red launched (MS01-033, June 2001) • Infected machines observed years later
Santy (2004) • Attacks the phpBB bulletin-board web software • Exploit • A URL-decoding flaw in phpBB's viewtopic.php highlight parameter lets attacker-supplied input execute as PHP code • Novel target selection algorithm • How do you find vulnerable phpBB2 installations to attack? • The same way you would: it Googles for them • About 40,000 phpBB2 servers hit • Google eventually started blocking the worm's searches to slow it down • Result: a new variant of Santy used the AOL and Yahoo search engines instead • "Ethical" worm developed 1 week later • Anti-Santy worm used the same search-engine method Santy used to find targets • Defaced webpage: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
Ethical Worms • Suppose you create a worm that… • Exploits the vulnerability • Patches the system • Removes itself • Should you release it? • What if it spreads out of control? • What if it doesn’t work? • Patching could bring about problems • E.g. Critical application depends on vulnerability to work correctly • E.g. Application depends on a certain interpretation of the specification • Patches have to be tested thoroughly! • Are ethical worms an oxymoron? • Perhaps not worth the trouble? • How would one analyze this using ethical frameworks?
Ethical Disclosure • Publishing zero-day exploits • Zero-day worms are especially dangerous because they target vulnerabilities for which no fix exists yet • No patch available! (You have to hope that your system/network is adequately hardened) • Is it ethical to disclose such vulnerabilities? • How long should one wait to disclose them? • Publishing better ways to design worms • Staniford, Paxson, Weaver, "How to 0wn the Internet in Your Spare Time", USENIX Security 2002 • Warhol worms/flash worms • Infect all vulnerable hosts on the Internet in about 15 minutes / under 30 seconds (!) • Is it ethical to disclose such techniques?
Backdoors • A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms
Types of Backdoors • Local escalation of privileges • Gives an attacker who already has an ordinary account administrator privileges • Remote execution of individual commands • Remote attackers can send a message to a victim machine that makes it execute a single command • Remote command-line access (aka remote shell) • Remote attacker can type directly into a command prompt of the victim machine across the network • Remote control of GUI • Remote attacker controls the GUI of the victim machine across the network
Trojan Horse • A Trojan horse is a program which appears to have some useful or benign capability, but conceals some hidden, malicious functionality • Origin of term: The ancient Greeks laying siege to Troy…
Rootkits • Rootkits are Trojan backdoor tools that modify existing operating system software so that an attacker can keep access to a machine and hide their presence on it
Botnets • A bot is a software program that responds to commands sent by a command-and-control program located on an external computer • Botnets are coordinated collections of bots under a single central control • Launch denial-of-service attacks • Send spam • Host phishing sites
Hackers and Phreaks • Hackers – two definitions: good and bad • Someone highly skilled in programming and use of computer systems (sign of respect in some circles) • Someone that breaks into computer systems (sign of bad behavior in public circles) • Phone phreak – someone that manipulates the telephone system in order to communicate with others without paying • Stealing access codes, using outlawed hardware
Early Hacking Incidents • PDP-11 • Programmable minicomputer shared by many students at MIT • Students forbidden to modify hardware • Stewart Nelson (1960s) • Added a new hardware instruction in the middle of the night to “improve” performance • Also did it to demonstrate his skills • Ethical evaluation • Does it depend on the outcome? • What good is an ethical framework if you can only tell afterwards if an action is right or wrong?
U.S. Law on Hacking • Computer Fraud and Abuse Act • Transmitting code that causes damage to a computer system • Accessing without authorization any computer connected to the Internet • Transmitting classified government information • Trafficking in computer passwords • Computer fraud • Computer extortion • Maximum penalty – 20 years and a $250k fine • Other acts that can be applied to Internet-based crime • Wire Fraud Act • National Stolen Property Act • Identity Theft and Assumption Deterrence Act
Recent Enforcement • Ancheta (2005) • Created a botnet of hundreds of thousands of machines • Some within the DoD • Sold access to it for spam and DDoS attacks and was paid to install adware on the bots • Arrested in November 2005; pleaded guilty under the Computer Fraud and Abuse Act and the CAN-SPAM Act and was sentenced in May 2006 • 57 months in prison, $15,000 in restitution to the US government • Forfeiture of illegal proceeds and computer equipment • Gonzalez (2009) • With Russian co-conspirators, obtained 130 million credit/debit card numbers • Indicted in 2009; sentenced in 2010 to 20 years in prison • Successful prosecutions are few and far between, because the stealth measures attackers need are easy to implement
Blue Security • Fighting bots with bots • Users sign up for the Blue Security service • Whenever they mark a message as spam, they inform the Blue Security service • A Blue Security bot automatically sends an opt-out message to the spammer • Spammers retaliated against Blue Security and its users with enormous volumes of spam and DDoS attacks • Service discontinued (2006)
In-Class Exercise • Oberlin College in Ohio requires that every computer brought to campus by a student be inspected for viruses. System administrators remove all viruses from the students’ computers. Students whose computers subsequently pick up and spread a virus may be fined $25, whether they knew about the virus or not. Is this a morally justifiable policy?
In-Class Exercise • SATAN hacker toolkit • Security Administrator Tool for Analyzing Networks • Probe computers for security weaknesses • Could be used for good and evil • Morality of publishing SATAN using ethical frameworks?
In-Class Exercise • On-line voting • Used in many countries to render elections cheap, easily accessible • Local elections in the UK (since 2001) • U.S. primary elections in Alaska and Arizona (2000) • Controversial • Election goals • Tamper-resistance • One vote per person • Prevent vote trading/selling • Audit trail to ensure proper tallying • Authenticating both the voter and the election service • Privacy • Ease of use to avoid voter disenfranchisement (e.g. “Butterfly” ballot of 2000) • Ethical evaluation?