Viruses and Worms

Agenda
• How viruses work
• Virus detectors
• How worms work
• Example viruses/worms
  • Melissa
  • Morris
  • My_SQL
• Lab discussion
ECE 4112

Viruses
• Propagates to other programs by modifying them
• Copies the virus code to other programs
• Viruses have to be activated to work
• Attachment to programs/files by
  • appending (add-on)
  • surrounding (shell)
  • integration (intrusive)
  • replacement (intrusive)

Desirable Characteristics of Viruses
• Hard to detect
• Hard to destroy/deactivate
• Spreads widely
• Can re-infect
• Easy to create
• Machine independent

Locations of Viruses (1)
• Boot sector
  • placed in boot sector location
  • moves bootstrap loader, chains to it
• Memory-resident
  • TSR -- terminate and stay resident routine
• Application program
• Libraries

Locations of Viruses (2)
• Macros
  • executable program inside a document
  • platform independent
  • infects documents, not executable files
  • common propagation via email

Tactics of Viruses
• Polymorphism
  • change the signature
  • increase difficulty of detection
• Stealth
  • attributes that help hide the virus
  • example: compress the file so the size is the same as the uninfected file

Life-Cycle of Viruses
• Dormant Phase (optional)
  • virus is idle
  • waits for trigger event
• Propagation Phase
  • virus copies itself to other files
• Triggering Phase
  • virus is activated by system event
• Execution Phase
  • function of virus is performed

MS-DOS Example
• ROM BIOS routines
• master boot record (MBR) execution
• boot sector code execution
• IO.SYS, MSDOS.SYS execution
• CONFIG.SYS execution
• COMMAND.COM execution
• AUTOEXEC.BAT execution

MS-DOS Example
• ROM BIOS routines cannot be infected
• master boot record (MBR) execution
  • can be infected
  • replace with virus that chains to orig. MBR
• boot sector code execution
  • common target
  • capture control of system before virus scanners operate

MS-DOS Example
• IO.SYS, MSDOS.SYS execution
  • can be infected
• CONFIG.SYS execution
  • can be infected
• COMMAND.COM execution
  • can be infected
  • Lehigh virus
• AUTOEXEC.BAT execution
  • can be infected

Detection of Viruses
• Program’s functionality impaired
• File size changes
• Virus at beginning of code, or “jump” instructions to the location of the virus
• Signatures

Prevention
• Use software from trusted sources
• Use checksums to ensure downloaded software is the correct version
• Test new/suspicious item on isolated machine
• Make bootable disk
• Backup copies of system files
• Employ and update virus detectors
• Disable macro execution

Virus Detector Examples
• Norton Anti-virus (Symantec)
• VirusScan (McAfee Security)
• eTrust EZ Anti-virus (Computer Associates)
• Protector Plus (Proland Software)
• AVG Anti-virus (free version available)

Virus Detector Functions
• Detection
  • post-infection
  • locate virus
• Identification
  • ID type of virus
• Removal
  • remove virus (repair/delete infected files)
  • restore system to original state

Detecting Viruses
• Signatures
• Heuristics
  • look for code fragments (ex: encryption loop)
  • integrity checking (checksum)
• Virus Activity
  • look for actions instead of signatures
  • done by memory-resident program
• Generic Decryption
  • create virtual machine
  • run target code on it to see if it is a virus

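The integrity-checking heuristic above (and the "file size changes" and "use checksums" points on the earlier slides) can be demonstrated with a small baseline-and-compare tool. This is an added example, not code from the slides; the file names and contents are constructed, and it shows why a hash catches a same-size in-place rewrite that a size check alone would miss.

```python
import hashlib
import os
import tempfile

def snapshot_tree(root):
    """Baseline: relative path -> (size, sha256) for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return baseline

def compare_to_baseline(root, baseline):
    """Classify differences. A changed hash counts as modified whether or not
    the size changed, so a same-size (stealth) rewrite is still caught."""
    current = snapshot_tree(root)
    findings = {"modified": [], "size_changed": [], "missing": []}
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings["missing"].append(rel)
            continue
        cur_size, cur_digest = current[rel]
        if cur_digest != digest:
            findings["modified"].append(rel)
        if cur_size != size:
            findings["size_changed"].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    return {k: sorted(v) for k, v in findings.items()}

def demo():
    """Constructed scenario: baseline two dummy 'programs', then grow one by an
    appended block and rewrite the other in place at the same size."""
    with tempfile.TemporaryDirectory() as root:
        prog, lib = os.path.join(root, "program.bin"), os.path.join(root, "lib.so")
        for path, body in ((prog, b"A" * 100), (lib, b"B" * 100)):
            with open(path, "wb") as f:
                f.write(b"\x7fELF" + body)
        baseline = snapshot_tree(root)
        with open(prog, "ab") as f:      # add-on style change: file grows
            f.write(b"appended block")
        with open(lib, "r+b") as f:      # same-size overwrite: only the hash moves
            f.seek(4)
            f.write(b"X" * 8)
        with open(os.path.join(root, "dropped.tmp"), "wb") as f:
            f.write(b"new file")
        return compare_to_baseline(root, baseline)
```

A real deployment keeps the baseline on read-only media or signs it, since a detector whose baseline an intruder can rewrite is no detector.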
Defeat the Virus Detector
• Polymorphism
• Stealth
• Encryption
• Delete/corrupt key detector files
• Load virus before detector execution

Worms
• Can run independently (don’t require program execution)
• Propagates over network connections
  • via electronic mail
  • via remote execution capability
  • via remote login capability
• Doesn’t have to alter programs
  • Can carry virus code that does

Worm Tactics
• Determine where to spread (examine host tables or similar data of remote system addresses)
• Establish connection and copy itself to other systems (can also determine if target system already infected)
• Cause the copy to run
• Remain hidden as best as possible

Defend Against Worms
• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected

Example Viruses and Worms
• Melissa
• Morris
• My_SQL

Melissa Virus
• What is it?
  • Microsoft Word macro virus
  • Written in Visual Basic
• What does it do?
  • Infects Microsoft Word 97 and 2000 docs
  • Uses MS Outlook to email itself out to first 50 users

Melissa Virus (cont)
• Systems Affected
  • Machines with Microsoft Word 97 or 2000
  • Any mail handling system could experience performance issues or DoS as a result of propagation through email, but only from users with Microsoft Outlook
  • MacOS not affected; however, the virus can be stored on MacOS

Melissa Virus (cont)
• Description
  • Propagates through email
  • Subject: “Important Message From <name>”
  • Body: “Here is the document you asked for … don’t show anyone else ;-)”
  • Attachment named list.doc or actual documents created by the victim

Melissa Virus (cont)
• Upon Execution
  • Turns off macro detection
  • Checks the registry key HKEY_Current_User\Software\Microsoft\Office\Melissa? for the value “… by Kwyjibo”
  • If the key doesn’t exist or doesn’t have that value, it propagates, then changes the registry key
  • Keeps the virus from repeatedly propagating every time an infected item is opened

Melissa Virus (cont)
• Execution (cont)
  • Infects Normal.doc template
  • If (minute of the hour == day of the month) it inserts "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current document (a quote from The Simpsons)

Melissa Virus (cont)
• Impact
  • Possible DoS on mail servers
  • Users with macros enabled will effectively infect any new document they create
• Solutions
  • Block messages with virus signature at mail transfer agents
  • Disable all macros in Microsoft Word
  • Use Virus Scanning Utilities

Morris Worm
• One of the earliest documented cases (Nov 2nd, 1988)
• Systems
  • Sun Microsystems Sun 3
  • DEC VAX systems

Morris Worm
• Two main parts:
  • Bootstrap or Vector Program (Initialize)
    • Acts as a hook. It is injected first. Contacts the infected “server” and uploads the main program.
    • Then compiles and runs the main program
  • Main Program (Doit)
    • Collected data on other networked machines to which the current machine could connect
    • Then used three main attacks to infect other systems with the bootstrap

Morris Worm (cont)
• Fingerd and gets
  • Overran the finger command input buffer, overwriting the stack
  • On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack
• Sendmail
  • Issued a DEBUG option often left usable by admins for testing the mail service
  • Gained access to mail server and onto the system, then continued with infection of system

Morris Worm (cont)
• Passwords
  • Worm read through /etc/hosts.equiv and /.rhosts to find names on other machines
  • Also read /etc/passwd and .forward for account information
  • Then attempted to crack passwords using several different methods

Morris Worm (cont)
• Passwords (cont)
  • The worm first tried simple choices
    • Account, User Name, Tnuocca (acct backwards), etc. including lower case variations
  • Next it tested the passwords against an internal dictionary of 432 words
  • Finally, it tested the passwords against an online dictionary using upper and lower case variations

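The three stages on the last two slides translate directly into a password-acceptance check: reject anything the worm's guesser would have recovered. This is an added example, not code from the slides; the two word lists and the sample accounts are constructed stand-ins (the worm's real internal list had 432 entries, and its "online dictionary" was the system word list).

```python
# Constructed stand-ins for the worm's internal word list and for the system
# dictionary; both are assumptions for this example, not the worm's real lists.
INTERNAL_DICTIONARY = {"password", "wizard", "academia", "football", "secret"}
ONLINE_DICTIONARY = {"aardvark", "banana", "zebra"}

def name_derived_guesses(account, full_name=""):
    """The 'simple choices' the slides list: the account name, the words of the
    user's name, the account name reversed, plus lower-case variants of each."""
    words = {account, account[::-1], *full_name.split()}
    words.discard("")
    return words | {w.lower() for w in words}

def rejection_reason(account, password, full_name=""):
    """Return None if the password survives all three stages the worm used,
    otherwise a string naming the stage that would have recovered it."""
    if password in name_derived_guesses(account, full_name):
        return "derived from account or user name"
    if password in INTERNAL_DICTIONARY:
        return "in internal word list"
    # stage 3: the online dictionary tried with upper/lower-case variations,
    # so compare case-insensitively
    if password.lower() in ONLINE_DICTIONARY:
        return "dictionary word (case variation)"
    return None

def audit(accounts):
    """accounts: iterable of (account, full_name, password).
    Returns {account: reason} for every entry that fails the check."""
    results = {}
    for account, full_name, password in accounts:
        reason = rejection_reason(account, password, full_name)
        if reason:
            results[account] = reason
    return results

# Constructed sample entries (account, full name, proposed password)
SAMPLE_ACCOUNTS = [
    ("acct", "Ann Clark", "tcca"),            # reversed account name
    ("bob", "Bob Jones", "jones"),            # lower-case form of a name word
    ("carol", "Carol Ng", "wizard"),          # internal word list
    ("dave", "Dave Li", "Aardvark"),          # online dictionary, case variant
    ("erin", "Erin Wu", "correct-horse-42"),  # survives all three stages
]
```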
Morris Worm (cont)
• Solution
  • Worm halted because of informal communication between system admins and research community
  • Prompted DARPA to create CERT (Computer Emergency Response Team)

Morris Worm – Log of Events
• All the following events occurred on the evening of Nov. 2, 1988.
• 6:00 PM: At about this time the Worm is launched.
• 8:49 PM: The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu).
• 9:09 PM: The Worm initiates the first of its attacks to infect other computers from the infected VAX.
• 9:21 PM: The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
• 9:41 PM: The load average reaches 7.
• 10:01 PM: The load average reaches 16.
• 10:06 PM: At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
• 10:20 PM: The system administrator kills off the worms.
• 10:41 PM: The system is re-infected and the load average reaches 27.
• 10:49 PM: The system administrator shuts down the system. The system is subsequently restarted.
• 11:21 PM: Re-infestation causes the load average to reach 37.
• In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.

My SQL Worm
• What is it?
  • Self-propagating code that exploits a vulnerability in MS SQL Server 2000 and MSDE 2000
• What does it do?
  • Propagation caused varied levels of network degradation

My SQL Worm (cont)
• Systems Affected
  • Microsoft SQL Server 2000
  • Microsoft Desktop Engine (MSDE) 2000
• Description
  • Exploits a vulnerability that allows for execution of arbitrary code on the SQL Server due to a stack buffer overflow
  • Once it compromises a host, it tries to propagate

My SQL Worm (cont)
• Description (cont)
  • Worm crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/UDP
  • If sent to a vulnerable machine, the machine will become infected and also begin to propagate

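The propagation pattern just described (fixed-size UDP/1434 datagrams sprayed at many random addresses) is what a firewall-log monitor can key on. This is an added example, not code from the slides: the log format and all addresses are constructed, and the `len` field is assumed to report the 376-byte size the slides quote for the worm's packets.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the page). 10.0.0.5 behaves like an
# infected host; 10.0.0.7 is an ordinary client talking to one SQL server.
SAMPLE_LOG = """\
2003-01-25T05:30:01Z src=10.0.0.5 dst=198.51.100.17 proto=udp dport=1434 len=376
2003-01-25T05:30:01Z src=10.0.0.5 dst=203.0.113.88 proto=udp dport=1434 len=376
2003-01-25T05:30:01Z src=10.0.0.5 dst=192.0.2.250 proto=udp dport=1434 len=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=198.51.100.201 proto=udp dport=1434 len=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=203.0.113.3 proto=udp dport=1434 len=376
2003-01-25T05:30:02Z src=10.0.0.5 dst=192.0.2.77 proto=udp dport=1434 len=376
2003-01-25T05:30:02Z src=10.0.0.7 dst=10.0.1.2 proto=udp dport=1434 len=40
2003-01-25T05:30:03Z src=10.0.0.7 dst=10.0.1.2 proto=udp dport=1434 len=40
2003-01-25T05:30:03Z src=10.0.0.9 dst=10.0.1.2 proto=udp dport=1434 len=376
2003-01-25T05:30:03Z src=10.0.0.9 dst=10.0.1.2 proto=tcp dport=1433 len=60
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) len=(\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport, length), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport, length = m.groups()
    return src, dst, proto, int(dport), int(length)

def find_scanners(log_text, min_targets=5, packet_len=376):
    """Flag sources sending packet_len-byte UDP/1434 datagrams to at least
    min_targets distinct destinations. Legitimate SQL Server resolution
    queries also use UDP/1434, so the fan-out threshold and the fixed size,
    not the port alone, are what separate propagation from normal traffic."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport, length = rec
        if proto == "udp" and dport == 1434 and length == packet_len:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

Flagged sources are candidates for the egress filtering the Solution slide recommends; the single 376-byte datagram from 10.0.0.9 stays below the threshold and is left for a human to look at.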
My SQL Worm (cont)
• Impact
  • Compromise confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as local SYSTEM user
  • High volume of 1434/UDP traffic may lead to performance issues (including possible DoS)

My SQL Worm (cont)
• Solution
  • Apply a patch
  • Ingress/Egress filtering for messages on systems already infected
  • Block port 1434/UDP
