
Viruses and Worms



  1. Viruses and Worms

  2. Agenda
  • How viruses work
  • Virus detectors
  • How worms work
  • Example viruses/worms
    • Melissa
    • Morris
    • My_SQL
  • Lab discussion
  ECE 4112

  3. Viruses
  • Propagates to other programs by modifying them
  • Copies the virus code to other programs
  • Viruses have to be activated to work
  • Attachment to programs/files by
    • appending (add-on)
    • surrounding (shell)
    • integration (intrusive)
    • replacement (intrusive)

  4. Desirable Characteristics of Viruses (from the virus writer's point of view)
  • Hard to detect
  • Hard to destroy/deactivate
  • Spreads widely
  • Can re-infect
  • Easy to create
  • Machine independent

  5. Locations of Viruses (1)
  • Boot sector
    • placed in boot sector location
    • moves bootstrap loader, chains to it
  • Memory-resident
    • TSR -- terminate and stay resident routine
  • Application program
  • Libraries

  6. Locations of Viruses (2)
  • Macros
    • executable program inside a document
    • platform independent
    • infects documents, not executable files
    • common propagation via email

  7. Tactics of Viruses
  • Polymorphism
    • change the signature
    • increase difficulty of detection
  • Stealth
    • attributes that help hide the virus
    • example: compress the file so its size is the same as the uninfected file

  8. Life-Cycle of Viruses
  • Dormant Phase (optional)
    • virus is idle
    • waits for trigger event
  • Propagation Phase
    • virus copies itself to other files
  • Triggering Phase
    • virus is activated by system event
  • Execution Phase
    • function of virus is performed

  9. MS-DOS Example (boot sequence)
  • ROM BIOS routines
  • master boot record (MBR) execution
  • boot sector code execution
  • IO.SYS, MSDOS.SYS execution
  • CONFIG.SYS execution
  • COMMAND.COM execution
  • AUTOEXEC.BAT execution

  10. MS-DOS Example
  • ROM BIOS routines cannot be infected
  • master boot record (MBR) execution
    • can be infected
    • replace with virus that chains to orig. MBR
  • boot sector code execution
    • common target
    • capture control of system before virus scanners operate

  11. MS-DOS Example
  • IO.SYS, MSDOS.SYS execution
    • can be infected
  • CONFIG.SYS execution
    • can be infected
  • COMMAND.COM execution
    • can be infected
    • Lehigh virus
  • AUTOEXEC.BAT execution
    • can be infected

  12. Detection of Viruses
  • Program’s functionality impaired
  • File size changes
  • Virus at beginning of code, or “jump” instructions to location of virus
  • Signatures

  13. Prevention
  • Use software from trusted sources
  • Use checksums to ensure downloaded software is the correct version
  • Test new/suspicious item on isolated machine
  • Make bootable disk
  • Backup copies of system files
  • Employ and update virus detectors
  • Disable macro execution

  14. Virus Detector Examples
  • Norton Anti-virus (Symantec)
  • VirusScan (McAfee Security)
  • eTrust EZ Anti-virus (Computer Associates)
  • Protector Plus (Proland Software)
  • AVG Anti-virus (free version available)

  15. Virus Detector Functions
  • Detection
    • post-infection
    • locate virus
  • Identification
    • ID type of virus
  • Removal
    • remove virus (repair/delete infected files)
    • restore system to original state

  16. Detecting Viruses
  • Signatures
  • Heuristics
    • look for code fragments (ex: encryption loop)
    • integrity checking (checksum)
  • Virus Activity
    • look for actions instead of signatures
    • done by memory-resident program
  • Generic Decryption
    • create virtual machine
    • run target code on it to see if it is a virus
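As an added example (not part of the original deck), the integrity-checking and signature techniques from this slide in Python: a checksum baseline is taken while the file is clean, an appending (add-on) modification is simulated on a temporary file, and both the checksum comparison and a byte-pattern scan flag the change. The file name and the byte pattern are constructed for the demo; the pattern is a placeholder, not a real virus signature.

```python
import hashlib
import os
import tempfile

# Constructed demo signature: a byte pattern the scanner looks for.
# Placeholder for this example only, not a real virus signature.
SIGNATURES = {"demo-marker": b"\x90\x90\xeb\x1f"}


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record one checksum per file while the system is known to be clean."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline):
    """Integrity check: files that are missing or whose checksum changed."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != digest]


def scan_signatures(path):
    """Signature scan: names of the known byte patterns found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def demo():
    """Baseline a constructed 'program', then simulate an appending infection."""
    workdir = tempfile.mkdtemp()
    prog = os.path.join(workdir, "prog.bin")
    with open(prog, "wb") as f:
        f.write(b"CLEAN PROGRAM CODE" * 8)
    baseline = build_baseline([prog])
    assert check_integrity(baseline) == []      # clean: nothing has changed yet
    with open(prog, "ab") as f:                 # add-on style modification at the end
        f.write(SIGNATURES["demo-marker"] + b"EXTRA BYTES")
    return check_integrity(baseline), scan_signatures(prog)


if __name__ == "__main__":
    print(demo())
```

The checksum catches any change, known pattern or not, while the signature scan identifies which known pattern it was; a detector that relies on signatures alone misses a polymorphic variant, which is why the slide lists both.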

  17. Defeat the Virus Detector
  • Polymorphism
  • Stealth
  • Encryption
  • Delete/corrupt key detector files
  • Load virus before detector execution

  18. Worms
  • Can run independently (don’t require program execution)
  • Propagates over network connections
    • via electronic mail
    • via remote execution capability
    • via remote login capability
  • Doesn’t have to alter programs
    • Can carry virus code that does

  19. Worm Tactics
  • Determine where to spread (examine host tables or similar data of remote system addresses)
  • Establish connection and copy itself to other systems (can also determine if target system already infected)
  • Cause the copy to run
  • Remain hidden as best as possible

  20. Defend Against Worms
  • Close any unused network services
  • Patch your system!
  • Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected

  21. Example Viruses and Worms
  • Melissa
  • Morris
  • My_SQL

  22. Melissa Virus
  • What is it?
    • Microsoft Word macro virus
    • Written in Visual Basic
  • What does it do?
    • Infects Microsoft Word 97 and 2000 docs
    • Uses MS Outlook to email itself out to first 50 users

  23. Melissa Virus (cont)
  • Systems Affected
    • Machines with Microsoft Word 97 or 2000
    • Any mail handling system could experience performance issues or DoS as a result of propagation through email, but only from users with Microsoft Outlook
    • MacOS not affected; however, infected documents can be stored on MacOS

  24. Melissa Virus (cont)
  • Description
    • Propagates through email
    • Subject: “Important Message From <name>”
    • Body: “Here is the document you asked for … don’t show anyone else ;-)”
    • Attachment named list.doc or actual documents created by the victim

  25. Melissa Virus (cont)
  • Upon Execution
    • Turns off macro detection
    • Checks registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" for the value “… by Kwyjibo”
    • If the key doesn’t exist or doesn’t have that value, it propagates, then changes the registry key
    • Keeps the virus from repeatedly propagating every time an infected item is opened

  26. Melissa Virus (cont)
  • Execution (cont)
    • Infects Normal.doc template
    • If (minute of the hour == day of the month) it inserts "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current document (a Simpsons quote)

  27. Melissa Virus (cont)
  • Impact
    • Possible DoS on mail servers
    • Users with macros enabled will effectively infect any new document they create
  • Solutions
    • Block messages with virus signature at mail transfer agents
    • Disable all macros in Microsoft Word
    • Use Virus Scanning Utilities
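The first solution above, blocking at the mail transfer agent, as an added example that is not part of the original deck: a Python filter that parses a message with the standard library `email` package and checks the three indicators the slides give (subject prefix, body text, a .doc attachment such as list.doc). The sample message is constructed for the demo, not a captured Melissa email, and the two-indicator threshold is an assumption chosen to avoid blocking on the subject line alone.

```python
from email import message_from_string
from email.policy import default

# Indicators taken from the slides: subject prefix, body text, attachment type.
SUBJECT_PREFIX = "Important Message From"
BODY_MARKER = "Here is the document you asked for"

# Constructed sample message for the demo, not a captured Melissa email.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: Important Message From Sender
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/plain; charset="us-ascii"

Here is the document you asked for ... don't show anyone else ;-)

--demo-boundary
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"

placeholder-attachment-content
--demo-boundary--
"""


def melissa_indicators(raw_message):
    """Return which of the three indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    if str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body")
    if any((part.get_filename() or "").lower().endswith(".doc")
           for part in msg.iter_attachments()):
        hits.append("doc-attachment")
    return hits


def should_block(raw_message, minimum=2):
    """MTA policy hook: block when at least `minimum` indicators match (assumed threshold)."""
    return len(melissa_indicators(raw_message)) >= minimum
```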

  28. Morris Worm
  • One of the earliest documented cases (Nov 2nd, 1988)
  • Systems
    • Sun Microsystems Sun 3
    • DEC VAX systems

  29. Morris Worm
  • Two main parts:
    • Bootstrap or Vector Program (Initialize)
      • Acts as a hook. It is injected first. Contacts the infected “server” and uploads the main program.
      • Then compiles and runs the main program
    • Main Program (Doit)
      • Collected data on other networked machines to which the current machine could connect
      • Then used three main attacks to infect other systems with the bootstrap

  30. Morris Worm (cont)
  • Fingerd and gets()
    • Overran the finger command input buffer – overwrote the stack
    • On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack
  • Sendmail
    • Issued a DEBUG option often left usable by admins for testing the mail service
    • Gained access to mail server and onto the system, then continued with infection of system

  31. Morris Worm (cont)
  • Passwords
    • Worm read through /etc/hosts.equiv and /.rhosts to find names of other machines
    • Also read /etc/passwd and .forward for account information
    • Then attempted to crack passwords using several different methods

  32. Morris Worm (cont)
  • Passwords (cont)
    • The worm first tried simple choices
      • Account, User Name, Tnuocca (acct backwards), etc. including lower case variations
    • Next it tested the passwords against an internal dictionary of 432 words
    • Finally, it tested the passwords against an online dictionary using upper and lower case variations
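The defensive counterpart of the three password passes on slides 31 and 32, as an added example that is not part of the original deck: a password-change policy check that rejects any password the worm's strategy would have found (account name, user name, account name reversed, case variations, and dictionary words with case variations). The word list is a constructed stand-in for the worm's 432-word internal dictionary; the function names are this example's own.

```python
# Constructed stand-in for the worm's internal list; the real one had 432 words.
SMALL_DICTIONARY = {"wombat", "password", "secret", "sunshine", "cornell"}


def account_derived_guesses(account, full_name):
    """Guesses built from account data alone, matching the worm's first pass:
    account name, each word of the user name, account name reversed, case variants."""
    seeds = {account, account[::-1]} | set(full_name.split())
    guesses = set()
    for seed in seeds:
        guesses.update({seed, seed.lower(), seed.upper(), seed.capitalize()})
    return guesses


def case_variants(word):
    """Upper and lower case variations, as used in the worm's dictionary passes."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def why_guessable(password, account, full_name, dictionary=SMALL_DICTIONARY):
    """Reason the password would fall to the worm's strategy, or None if it would not."""
    if not password:
        return "empty password"
    if password in account_derived_guesses(account, full_name):
        return "derived from account name or user name"
    for word in dictionary:
        if password in case_variants(word):
            return "dictionary word (with case variation)"
    return None


def check_new_password(password, account, full_name):
    """Policy hook for a password-change tool: (accepted, reason_if_rejected)."""
    reason = why_guessable(password, account, full_name)
    return (reason is None, reason)


if __name__ == "__main__":
    for candidate in ("htimsj", "SMITH", "Wombat", "plaid-kettle-74"):
        print(candidate, check_new_password(candidate, "jsmith", "Jane Smith"))
```

In practice the dictionary pass would use the system's full word list (the "online dictionary" of the slide) rather than the five-word stand-in here.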

  33. Morris Worm (cont)
  • Solution
    • Worm halted because of informal communication between system admins and research community
    • Prompted DARPA to create CERT (Computer Emergency Response Team)

  34. Morris Worm – Log of Events
  • All the following events occurred on the evening of Nov. 2, 1988.
  • 6:00 PM  At about this time the Worm is launched.
  • 8:49 PM  The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)
  • 9:09 PM  The Worm initiates the first of its attacks to infect other computers from the infected VAX
  • 9:21 PM  The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
  • 9:41 PM  The load average reaches 7
  • 10:01 PM The load average reaches 16
  • 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  • 10:20 PM The system administrator kills off the worms
  • 10:41 PM The system is re-infected and the load average reaches 27
  • 10:49 PM The system administrator shuts down the system. The system is subsequently restarted
  • 11:21 PM Re-infestation causes the load average to reach 37.
  • In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.

  35. My SQL Worm
  • What is it?
    • Self-propagating code that exploits a vulnerability in MS SQL Server 2000 and MSDE 2000
  • What does it do?
    • Propagation caused varied levels of network degradation

  36. My SQL Worm (cont)
  • Systems Affected
    • Microsoft SQL Server 2000
    • Microsoft Desktop Engine (MSDE) 2000
  • Description
    • Exploits a vulnerability that allows for execution of arbitrary code on the SQL Server due to a stack buffer overflow
    • Once it compromises a system, it tries to propagate

  37. My SQL Worm (cont)
  • Description (cont)
    • Worm crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/UDP
    • If sent to a vulnerable machine, the machine will become infected and also begin to propagate

  38. My SQL Worm (cont)
  • Impact
    • Compromise confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as the local SYSTEM user
    • High volume of 1434/UDP traffic may lead to performance issues (including possible DoS)

  39. My SQL Worm (cont)
  • Solution
    • Apply a patch
    • Ingress/Egress filtering for messages on systems already infected
    • Block port 1434/UDP
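An added example, not part of the original deck, that turns the propagation pattern of slides 37 and 38 into detection logic: the worm the slides call My SQL sends 376-byte UDP datagrams to port 1434 on randomly chosen addresses, so a source that sends such datagrams to many distinct hosts inside a short window is flagged as infected and a candidate for the egress filtering on slide 39. The flow records are constructed for the demo (not real traffic), and the 60-second window and five-target threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): time src dst proto dport bytes.
# 10.0.0.5 behaves like an infected host; 10.0.0.9 is ordinary SQL traffic.
SAMPLE_FLOWS = """\
2003-01-25T05:30:00Z 10.0.0.5 198.51.100.4 UDP 1434 376
2003-01-25T05:30:01Z 10.0.0.5 203.0.113.9 UDP 1434 376
2003-01-25T05:30:01Z 10.0.0.5 192.0.2.77 UDP 1434 376
2003-01-25T05:30:02Z 10.0.0.9 10.0.0.20 TCP 1433 1200
2003-01-25T05:30:02Z 10.0.0.5 198.51.100.250 UDP 1434 376
2003-01-25T05:30:03Z 10.0.0.5 203.0.113.118 UDP 1434 376
2003-01-25T05:30:04Z 10.0.0.9 10.0.0.20 UDP 1434 64
2003-01-25T05:30:05Z 10.0.0.5 192.0.2.200 UDP 1434 376
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_flows(text):
    """Yield (timestamp, src, dst, proto, dport, size) for each well-formed record."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5)), int(m.group(6))


def find_scanning_sources(text, window=timedelta(seconds=60), min_targets=5):
    """Flag sources sending 376-byte UDP/1434 datagrams to many distinct hosts in one window.
    Returns {src: distinct targets in the first window that crosses the threshold}."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, size in parse_flows(text):
        if proto == "UDP" and dport == 1434 and size == 376:   # the worm's packet shape
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):               # sliding window from each event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    print(find_scanning_sources(SAMPLE_FLOWS))
```

Legitimate SQL traffic to one server (the 10.0.0.9 records) never reaches the threshold, while the infected host is flagged within six seconds.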

  40. References
  • http://www.cs.virginia.edu/~jones/cs551S/slides
  • http://www.cert.org/advisories/CA-1999-04.html
  • http://www.cert.org/advisories/CA-2003-04.html
  • “Security in Computing” by Charles Pfleeger
  • “Chapter 6: Computer Viruses” by Eugene Spafford
  • “Network Security Essentials” by William Stallings
