1 / 25

Outline for Today’s Lecture

Outline for Today’s Lecture. Administrative: Objective: Viruses and worms. Viruses and Worms. Virus = program can reproduce itself by attaching its code to another executable program Activated by executing its host Worm = program which replicates itself and causes execution of new copy

albany
Download Presentation

Outline for Today’s Lecture

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Outline for Today’s Lecture Administrative: Objective: • Viruses and worms

  2. Viruses and Worms • Virus = program can reproduce itself by attaching its code to another executable program • Activated by executing its host • Worm = program which replicates itself and causes execution of new copy • Self-contained • Hijacks or creates a new process

  3. Lifecycle of an Attack Scan ports Ping addresses Guess passwordsGet address email address book Probe Penetrate Mail attachmentsBuffer overflowsBackdoorsMacros Paralyze Do damageDestroy dataDenial of ServiceLeak information Persist Propagate Create / modify filesInfect boot sectorModify registryWeaken security settingsHide and disguise actions Use email clientBring up own SMTPor http serversftp

  4. History of Worms 1982 – PARC envisions works as an administrative mechanism to perform legit tasks on distributed system 1988 – Morris worm is the first Internet worm (with dramatic consequences) … 2001 – Code Red 2003 – Slammer, Blaster 2004 – Sasser, Witty

  5. The Morris Internet Worm • Nov. 1988, Robert Morris, Cornell grad student • Consisted of two programs • bootstrap to upload worm • the worm itself • Worm first hid its existence • Next replicated itself on new machines • rsh • finger name@site - overflow finger daemon’s stack with long string • Bug in sendmail to mail bootstrap & exec it • Tried to break user passwords and go on • Too aggressive – let 1 in 7 re-infects live • Caught and convicted

  6. Often < 1 day Stopping Attacks • CERT – Computer Emergency Response Team – collects info on system flaws that can be attacked. Fields reports of security break-ins • Traditional timeline of attack Application released with bug Good guyspatch fast Vulnerability announced& patchreleased Attack released Bad guys create attack

  7. How Viruses Work • Virus usually written in assembly language • Inserted into another program • use tool called a “dropper” • Virus dormant until program executed • then infects other programs • eventually executes its “payload” • possibly waits for significant date

  8. How Viruses Work • An executable program • with a parasitic virus at the front • at the end • spread over free space within program (cavity virus)

  9. How Viruses Work Boot sector viruses 1st hide the real boot sector When booted, copies virus into memory, making it a memory resident virus Then boots the OS Device driver infected with virus, loads it at boot time.

  10. How Viruses Work • After virus has captured interrupt, trap vectors • Syscall trap a good one. Can look for exec calls • After OS has retaken printer interrupt vector • After virus has noticed loss of printer interrupt vector and recaptured it

  11. How Viruses Work Macros Applications like Word or Excel allow macros that get executed via keystroke or menu Attach a macro to open file function and you are off and running Can be sent in email attachments Some emailers automatically open attachments

  12. How Viruses Spread • Virus placed where likely to be copied • When copied • infects programs on hard drive, floppy • may try to spread over LAN • Attach to innocent looking email • when it runs, use mailing list to replicate

  13. Stopping Attacks • Identifying viruses and worms before they execute • antivirus • trusted code only • Catch’em in the act of misbehaving before they do harm • Monitoring and controlling what suspicious code can do • interpreters and sandboxing

  14. Antivirus and Anti-Antivirus Techniques (a) A program (b) Infected program, metadata giveaways (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code

  15. Antivirus and Anti-Antivirus Techniques Examples of a polymorphic virus All of these examples do the same thing Mutation engine – code that morphs the signature part of the virus each time it spreads

  16. Antivirus and Anti-Antivirus Techniques • Integrity checkers - checksums • Behavioral checkers • Virus avoidance • good OS • install only shrink-wrapped software • use antivirus software • do not click on attachments to email • avoid active content • frequent backups • Recovery from virus attack • halt computer, reboot from safe disk, run antivirus

  17. Trusted Mobile Code When code is intentionally brought in, what can you do to protect yourself?Only download code from sources you trust – use digitally signed code

  18. Mobile Code Sandboxing Confine the effects of running (untrusted) code(a) Memory divided into 1-MB sandboxes(b) One way of checking an instruction for validity

  19. Interpreted Mobile Code Applets can be interpreted by a Web browser

  20. Interpretation • Interpreter never lets go of the program counter itself • Interpreter can check each instruction as it is emulated • Transfers of control flow are the danger points • Performance cost, but can be mitigated

  21. Covert Channels Can information be leaked from “confined” processes? Encapsulated server can still leak to collaborator via covert channels:Observable performance patterns (e.g., busy/blocked, page faulting)

  22. Covert Channels A covert channel using file locking

  23. Covert Channels • Pictures appear the same • 7-bit colors can not be distinguished from 8-bit colors • Picture on right has text of 5 Shakespeare plays • Compressed & encrypted, inserted into low order bits of color values Hamlet, Macbeth, Julius Caesar Merchant of Venice, King Lear Zebras

  24. Is it a Technical Problem? Lots of known solution techniques • Access control • Crypto • Firewalls • Intrusion detection So why isn’t it a solved problem?

  25. Economics “The party who is in a position to protect a system is not the party who would suffer the results of security failure.” Ross Anderson Security • For whom is it built? • Who pays for it?

More Related