Programmed Threats
Richard Newman
What is a Programmed Threat?
Potential source of harm from computer code
May be in form of
- Executable program
- Executable code attached to another program
- Executable code pushed onto stack of running process
- Standalone script
- Commands run on startup of program
- Commands embedded in “non-executable” file
  • JPEG
  • Postscript
- Macros
Examples of Programmed Threats
1. Trojan Horse
• Program that purports to do one thing but (also) does another
2. Virus
• Embedded in another program/file (becomes Trojan)
• Must get user or system to run program/open file
• Infects other files/drives
• Hitchhikes to other file systems on host file via removable media or email
3. Bacteria/Rabbits
• Replicate so fast, use up all resources
4. Worm
• Stand-alone program
• Transfers itself to target system
• Runs automatically on target system (generally)
More Programmed Threats
5. Buffer overflow attack
• “Improper” parameters corrupt stack
• Includes executable code
• Return pointer in activation frame may be changed to point to code
6. SQL Injection
• Interpretable commands included in SQL query
• SQL engine executes malicious commands
7. Run command script
• Malicious commands included in .rc (or similar) file
• Commands executed when program is started
8. Back Door/Trap Door
• “Secret” way to get access to system
• May be included for field technicians or administrators
• See http://cm.bell-labs.com/who/ken/trust.html
• Often first goal of intruders
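Added example for item 6 (not from the slides): the same lookup written two ways against an in-memory SQLite table with constructed rows. With string concatenation the input becomes part of the SQL text, so the SQL engine executes whatever it contains; with a bound parameter the input is only ever data. The table, rows and function names are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, name):
    """Concatenation: the caller's string is spliced into the SQL text itself."""
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Placeholder binding: the driver passes the string as a value, never as SQL."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def concat_breaks_on_apostrophe(conn, name="O'Brien"):
    """A legitimate name containing a quote breaks the concatenated query too:
    injection and this crash share one root cause (data mixed into code)."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # closes the quote, adds an always-true clause
    print("concatenated :", lookup_vulnerable(db, tautology))    # every row
    print("parameterized:", lookup_parameterized(db, tautology)) # no row
    print("apostrophe breaks concat:", concat_breaks_on_apostrophe(db))
```

The parameterized version is also the one that copes with an ordinary apostrophe in the input, which is the quickest way to convince a developer that binding is a correctness fix and not only a security one.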
Viruses
1. History
• Von Neumann's self-reproducing automata in 1960's
• See http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
• First seriously appeared in early 1980's – Elk Cloner, Brain
• Big issue with PCs and floppy disks/bulletin boards
2. General MO
• Infected program run – viral code runs first
• Optionally takes measures to hide
• Looks for new files/drives to infect, infects them
• Does “other stuff”
  • Logic Bomb
  • Time Bomb
  • Password cracking
  • Install back door
  • Wreak havoc
• Returns control to original program
Viruses
3. Boot Sector Virus
• Copies boot sector (small bootstrap program) to unused disk block
• Overwrites boot sector with viral code
• Intercepts calls to disk drive/TSR code
• Redirects reads of boot sector to read copy in other location
• Looks for new disk to infect whenever disk is accessed
4. Executable Virus
• Adds viral code to executable program
• May rewrite JUMP instruction to jump to viral code first, then issue JUMP to program code when done
• May modify itself (code transformation) or modify where it is stored to evade detection (polymorphic virus)
Viruses
5. Macro Virus
• Included in “non-executable” file with format supporting macros
  • Spreadsheets
  • Document preparation software
  • Graphics editors
• Copies macros into other files of same type
• Modifies file contents to exercise macros
6. Stealth Techniques
• Intercept system calls to modify (man-in-the-middle)
• Modify system meta-information (file control block, process info)
• Compress itself so file size does not change
• Modify itself
• Encrypt viral code
Worms
1. History
• 1971 “Creeper virus” at BBN - “Reaper” to kill it
• Name coined in Brunner's “The Shockwave Rider” scifi
• Xerox PARC worm for using idle workstations (1982)
• Enabled by network/LAN technology
• Morris worm 1987
• Code Red, etc.
2. General MO
• Standalone program
• Looks for target host
• Transfers loader (micro-FTP) to target host
See http://www.wormblog.com/
PARC Worm
3. Xerox PARC worm - 1982
• Users ran server program on workstation when idle
• Worm “head” found idle workstations, sent work
• “Segments” did work, reported to head
• Head had backup segments also
• Had to shut down all stations to get it to stop!
• See Shoch and Hupp, “The Worm Programs: Early Experience with a Distributed Computation,” Xerox Palo Alto Research Center, 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf
Morris Worm
4. Morris worm
• Experiment by grad student at Cornell, November 1988
• Looks for target host – random, /etc/hosts, .rhosts
• Tried to get access
  • Sendmail “feature” - debug mode
  • Symmetry of trust
  • Finger flaw – buffer overflow
  • Password guessing
• Transferred “grappling hook” to target host
• Grappling hook got rest of worm, ran it
• Overwhelmed hosts with processes
• Overwhelmed networks
Morris Worm
4. Morris worm (cont'd)
• Stealth techniques
  • “Encrypted” code (flipped MSB in ASCII)
  • Changed process name to innocuous program
  • Changed process ID periodically – short life per process
  • Died completely after short time
• Sendmail access
  • Back door, poor configuration, poor interface
• Symmetry of trust
  • Remote login without password required
  • Host lists trusted hosts
  • If a host B is on list of A, likely host A is on list of B
• See spaf.cerias.purdue.edu/tech-reps/823.pdf
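Added example for the “symmetry of trust” point (not from the slides or from Spafford's report): an audit of .rhosts-style trust lists. Each host lists the hosts whose users may log in without a password; the code finds mutually trusting pairs, the hosts that trust everyone (“+”), and every host reachable by password-less login from one compromised machine. The host names and lists are constructed for this example.

```python
from collections import deque

# Constructed .rhosts-style data: host -> hosts allowed to log in without a password.
# "+" is the classic wildcard meaning "any host". Invented sample, not real hosts.
TRUST = {
    "alpha":   ["beta", "gamma"],
    "beta":    ["alpha"],
    "gamma":   ["alpha", "delta"],
    "delta":   [],
    "epsilon": ["delta"],
    "zeta":    ["+"],
}


def trusts(trust, a, b):
    """True if host a lets users coming from host b log in without a password."""
    entries = trust.get(a, [])
    return a != b and ("+" in entries or b in entries)


def wildcard_hosts(trust):
    """Hosts that trust every other host: the weakest links in the graph."""
    return sorted(h for h, entries in trust.items() if "+" in entries)


def mutual_trust_pairs(trust):
    """Pairs (a, b) where each trusts the other: the symmetry the Morris worm relied on."""
    hosts = sorted(trust)
    return [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]
            if trusts(trust, a, b) and trusts(trust, b, a)]


def reachable_from(trust, start):
    """Hosts an intruder who holds `start` can reach by chaining password-less logins.
    Edge direction: if host A lists B, then from B one can log in to A."""
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for host in trust:
            if host not in seen and trusts(trust, host, current):
                seen.add(host)
                queue.append(host)
    seen.discard(start)
    return sorted(seen)


if __name__ == "__main__":
    print("wildcard trust :", wildcard_hosts(TRUST))
    print("mutual pairs   :", mutual_trust_pairs(TRUST))
    for origin in ("delta", "epsilon"):
        print(f"reachable from {origin}: {reachable_from(TRUST, origin)}")
```

Running the transitive-reach check from each host is the useful part of the audit: a host that trusts nobody (delta above) can still be the starting point for reaching most of the network, because the danger lies in who trusts it, not in whom it trusts.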
Code Red Worm
5. Code Red Worm
• July 2001
• Attacked MS IIS
  • Buffer overflow attack
  • Patch had been available for a month
• Spread
  • Only 1st – 19th of month – look for other IIS servers
  • Did not determine if IIS server was vulnerable first
• Mischief
  • Deface website - “Hacked by Chinese”
  • Launch DoS attack 20th -27th of month vs. fixed IP addr
Code Red Worm
5. Code Red Worm IIS buffer overflow (the request as it appears on the wire, one line):
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
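Added example (not from the slides): detection logic for the request pattern above, run over constructed IIS W3C-style log lines. It flags three independent signals visible in the slide's request: a request to the Index Server ISAPI extension (.ida/.idq), a long run of one repeated character used as overflow padding, and %u-encoded bytes in the query. The log format, field order and IP addresses are assumptions made for this example; the N run and %u bytes in the second line mirror the slide.

```python
import re

# Constructed log lines in a W3C-style layout:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# Sample data invented for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "2001-07-19 10:00:01 192.0.2.10 GET /index.html - 200",
    "2001-07-19 10:00:02 192.0.2.20 GET /default.ida "
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u00=a 200",
    "2001-07-19 10:00:03 192.0.2.30 GET /search.idq CiRestriction=test 200",
    "2001-07-19 10:00:04 192.0.2.40 GET /cgi-bin/x " + "A" * 300 + " 404",
]

RUN_RE = re.compile(r"(.)\1{99,}")            # 100 or more of the same character
UNICODE_ESC_RE = re.compile(r"%u[0-9a-fA-F]{4}")  # %uXXXX encoding, as in the slide


def inspect_request(stem, query):
    """Return the list of reasons a request looks like the Code Red pattern (empty if none)."""
    reasons = []
    if stem.lower().endswith((".ida", ".idq")):
        reasons.append("request to Index Server ISAPI extension (.ida/.idq)")
    if RUN_RE.search(query):
        reasons.append("long run of one repeated character in query (overflow padding)")
    if UNICODE_ESC_RE.search(query):
        reasons.append("%u-encoded bytes in query (encoded payload)")
    return reasons


def scan_log(lines):
    """Parse each log line and return (client_ip, reasons) for every flagged request."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:          # malformed or truncated line: skip, do not crash
            continue
        _date, _time, ip, _method, stem, query, _status = parts[:7]
        reasons = inspect_request(stem, "" if query == "-" else query)
        if reasons:
            hits.append((ip, reasons))
    return hits


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip)
        for reason in reasons:
            print("   -", reason)
```

Scoring the signals separately matters in practice: the .idq line is flagged only because the extension is mapped at all, while the cgi-bin line shows that padding runs are a generic overflow indicator that is not tied to one product.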