1 / 24

CSE331: Introduction to Networks and Security

This lecture discusses the concepts of computer viruses and buffer overflows. It covers topics such as program security, consequences of buffer overrun, certificate revocation problems, and different types of viruses.

clorenzo
Download Presentation

CSE331: Introduction to Networks and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSE331:Introduction to Networksand Security Lecture 31 Fall 2002

  2. Recap • Program Security • Buffer Overflows • Today: • Computer Viruses CSE331 Fall 2002

  3. Buffer Overrun in the News • From Slashdot • “There is an unchecked buffer in Microsoft Data Access Components (MDAC) prior to version 2.7, the company said. MDAC is a "ubiquitous" technology used in Internet Explorer and the IIS web server. The buffer can be overrun with a malformed HTTP request, allowing arbitrary code to be executed on the target machine.” • http://www.theregister.co.uk/content/55/28215.html CSE331 Fall 2002

  4. The Consequences • From Microsoft • “An attacker who successfully exploited it could gain complete control over an affected system, thereby gaining the ability to take any action that the legitimate user could take.” • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-065.asp CSE331 Fall 2002

  5. Certificate Revocation Problems • “A malicious attacker would be able to reintroduce the vulnerable control with just a specially [constructed] HTML document.” • “the company recommends removing "Microsoft" from IE's Trusted Publisher list” • Doing so will cause a warning to appear when doing an update CSE331 Fall 2002

  6. Viruses • A computer virus is a (malicious) program • Creates (possibly modified) copies of itself • Attaches to a host program or data • Often has other effects (deleting files, “jokes”, messages) CSE331 Fall 2002

  7. Virus Attachment: Append • Simplest case: insert copy at the beginning of an executable file • Runs before other code of the program • Most common program virus Virus Original Program CSE331 Fall 2002

  8. Virus Attachment: Surround • Runs before & after original program • Virus can clean up after itself Virus Original Program Virus CSE331 Fall 2002

  9. Virus Attachment: Replace • Doesn’t change the size of the program • Virus writer must know structure of original program • Not as common, user more likely to detect. Original Program Modified Program CSE331 Fall 2002

  10. Virus Writer’s Goals • Hard to detect • Hard to destroy or deactivate • Spreads infection widely/quickly • Can reinfect a host • Easy to create • Machine/OS independent CSE331 Fall 2002

  11. Kinds of Viruses • Boot Sector Viruses • Memory Resident Viruses • Macro Viruses CSE331 Fall 2002

  12. Bootstrap Viruses • Bootstrap Process: • Firmware (ROM) copies MBR (master boot record) to memory, jumps to that program • MBR (or Boot Sector) • Fixed position on disk • “Chained” boot sectors permit longer Bootstrap Loaders MBR boot boot CSE331 Fall 2002

  13. Bootstrap Viruses • Virus breaks the chain • Inserts virus code • Reconnects chain afterwards MBR boot virus boot CSE331 Fall 2002

  14. Why the Bootstrap? • Automatically executed before OS is running • Also before detection tools are running • OS hides boot sector information from users • Hard to discover that the virus is there • Harder to fix • Any good virus scanning software scans the boot sectors CSE331 Fall 2002

  15. Other Homes for Viruses • System Software • IO.sys, NTLDR, NTDETECT.COM • autoexec.bat, config.sys, command.com • Memory resident software • Task manager • Window manager • Winamp • RealPlayer • … CSE331 Fall 2002

  16. Macro Viruses • Macros are just programs • Word processors & Spreadsheets • Startup macro • Macros turned on by default • Visual Basic Script (VBScript) CSE331 Fall 2002

  17. Melissa Virus • Transmission Rate • The first confirmed reports of Melissa were received on Friday, March 26, 1999. • By Monday, March 29, it had reached more than 100,000 computers. • One site got 32,000 infected messages in 45 minutes. • Damage • Denial of service: mail systems off-line. • Could have been much worse CSE331 Fall 2002

  18. Melissa Macro Virus • Implementation • VBA (Visual Basic for Applications) code associated with the "document.open" method of Word • Strategy • Email message containing an infected Word document as an attachment • Opening Word document triggers virus if macros are enabled • Under certain conditions included attached documents created by the victim CSE331 Fall 2002

  19. Melissa Macro Virus: Behavior • Setup • lowers the macro security settings • permit all macros to run without warning • Checks registry for key value “… by Kwyjibo” • HKEY_Current_User\Software\Microsoft\Office\Melissa? • Propagation • sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro CSE331 Fall 2002

  20. Melissa Macro Virus: Behavior • Propagation Continued • Infects Normal.dot template file • Normal.dot is used by all Word documents • “Joke” • If minute matches the day of the month, the macro inserts message “Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here.” CSE331 Fall 2002

  21. Melissa: Remedy • Filter mail for virus signature (macro in .doc files) • Clean Normal.doc CSE331 Fall 2002

  22. “I Love You” Virus/Worm • Infection Rate • At 5:00 pm EDT(GMT-4) May 8, 2000, CERT had received reports from more than 650 sites • > 500,000 individual systems • VBScript • Propagation • Email, Windows file sharing, IRC, USENET news CSE331 Fall 2002

  23. Love Bug • Signature • An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS" • A subject of "ILOVEYOU" • Message body: "kindly check the attached LOVELETTER coming from me." CSE331 Fall 2002

  24. Love Bug Behavior • Replaced certain files with copies of itself • Based on file extension (e.g. .vbs, .js, .hta, etc) • Changed Internet Explorer start page • Pointed the browser to infected web pages • Mailed copies of itself • Changed registry keys CSE331 Fall 2002

More Related