Learn about viruses, worms, Trojans, bacteria, droppers, backdoors, buffer overflow, IP spoofing, and more in network security intrusions.
Common Intrusions and Attacks: Lecture 8 - NETW4006 (NETW4006-Lecture08)
Content
• Virus, Worm and Trojan
• Bacteria and Dropper
• Backdoors
• Buffer Overflow
• IP Spoofing
• Route Spoofing
• TCP Exploit
• Spam
Virus, Worm and Trojan
• Virus
  • A program or piece of code that is loaded onto your computer without your knowledge. Viruses can also replicate themselves. All computer viruses are man-made.
  • A program that modifies other programs on a computer, inserting copies of itself. A program is a file that adheres to a strict description of how its content is organized: alone, viruses are not programs. They cannot run on their own and need to become part of some host program. When such an infected program is executed, the virus attaches itself to another program, and so on.
• Worm
  • A malicious program that copies itself from one computer to another on a network. A worm is an independent program, in the sense described above, unlike a virus, which is a part-program that must insert itself into a whole-program. A worm typically does not modify other programs.
Virus, Worm and Trojan
• Trojan horse
  • A Trojan horse program hides within another program: a program that appears to have one function but actually performs another. Trojan horses are named after the Trojan horse of the Greek Trojan War.
  • Provides a means to enter a system without self-replication. Does not cause damage, because it must remain undiscovered. Found in binaries or source code; Trojan horses do not replicate themselves.
• http://securityresponse.symantec.com/avcenter/refa.html
  • "Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. By using multiple methods and techniques, blended threats can rapidly spread and cause widespread damage."
Virus, Worm and Trojan (blended threats, continued)
• No human intervention: automatic tools continuously scan the Internet for vulnerable servers to attack.
• Vulnerability exploits: take advantage of known vulnerabilities (buffer overflows, HTTP input validation vulnerabilities, and known default passwords) to gain unauthorized administrative access.
• (From http://securityresponse.symantec.com/avcenter/refa.html)
Stages of virus life (figure slide)
Bacteria and Dropper
• Bacteria (rabbit)
  • Make copies of themselves to overwhelm a computer system's resources. Bacteria do not explicitly damage any files; their sole purpose is to replicate themselves.
  • A typical bacteria program may do nothing more than execute two copies of itself simultaneously on multiprogramming systems, or perhaps create two new files, each of which is a copy of the original source file of the bacteria program. Both of those programs may then copy themselves twice, and so on.
  • Bacteria reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources.
• Dropper
  • A program that is not a virus, nor is it infected with a virus, but when run it installs a virus into memory, onto the disk, or into a file. Droppers have sometimes been written as a convenient carrier for a virus, and sometimes as an act of sabotage (damage). Some anti-virus programs try to detect droppers.
Backdoor (1)
• A backdoor, sometimes called a trap door, allows unauthorized access to your system.
  • Installed by an attacker with root access who wants to hold onto the system.
  • Vulnerabilities and pre-installed Trojans are of course backdoors that the administrator is tricked into executing.
• Logic bombs
  • Code embedded in a legitimate program, activated when specified conditions are met, e.g. presence/absence of some file, a particular date/time, a particular user.
  • When triggered, typically damages the system, modifies/deletes files/disks.
  • Programmed threats that lie dormant (inactive) for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained.
Backdoors
• Network traffic backdoors
  • A backdoor set up on a certain port number on a machine, allowing access without going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic: TCP, UDP, ICMP, etc.
  • Many times, intruders will place the UDP shell backdoor on such a port, and it will be allowed to bypass the firewall.
Buffer Overflow (1)
• Buffer overflow
  • Occurs when a program or process tries to store more data in a buffer than it was intended to hold.
  • The extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
  • It may occur accidentally through a programming error.
  • It is a common type of security attack on data integrity.
  • The extra data may contain code designed to trigger specific actions, sending new instructions to the attacked host: damage the user's files, change data, change access rights or disclose confidential information.
  • Programs in the C language supplied the framework, and poor programming practices supplied the vulnerability.
Buffer (figure slide)
Buffer Overflow (2)
• The buffer overflow example
  • strcpy(p, q) is a common part of the code in most systems programs.
  • strcpy(p, q) is proper only when:
    • p is pointing to a char array of size m,
    • q is pointing to a char array of size n,
    • m >= n,
    • q[i] == '\0' for some i where 0 <= i <= n-1.
  • But only a few programs verify these conditions prior to invoking strcpy(p, q). A buffer overflow occurs when an object of size m + d is placed into a container of size m. If n > m in the strcpy(p, q) above, the area of memory from &p[m] onward gets overwritten.
Buffer Overflow (3)
• Exploits of this programming mistake
  • Injection of executable code into the area beyond the declared sizes. If the buffer is a local C variable, the overflow can force a function (via its argument) to run that code: stack smashing attack.
• Stack smashing overflow
  • Effect: the injected code invokes a shell, and the stack is overwritten such that control gets passed to the attack code. If the exploited program runs with root privilege, the attacker gets that privilege in the interactive session!!! This is so BAD.
Buffer Overflow (4)
• Prevention
  • Modern programming languages: Java.
  • Careful use of C libraries: avoid functions that do not check bounds.
  • Use an alternative: dynamic string reallocation instead of fixed-size buffers, as recommended by the GNU programming guidelines.
  • Install newer libraries for C that include the strlcpy() and strlcat() functions, with prototypes size_t strlcpy(char *dst, const char *src, size_t size) and size_t strlcat(char *dst, const char *src, size_t size); these were not installed by default on lots of Unix systems.
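The strcpy(p, q) preconditions from slide (2) and the bounded-copy remedy from slide (4), as an added example that is not part of the lecture. checked_strcpy and bounded_copy are hypothetical names; bounded_copy is a local stand-in with strlcpy() semantics, since many C libraries still do not ship strlcpy().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: enforce the strcpy(p, q) preconditions
 * from the slides before copying. q must hold a '\0' within its declared size
 * n, and p (size m) must have room for the terminated string. The slide's
 * condition m >= n is sufficient; checking the actual terminated length is the
 * precise form of it. Returns 0 on success, -1 if the copy would overflow p. */
int checked_strcpy(char *p, size_t m, const char *q, size_t n)
{
    size_t i = 0;
    while (i < n && q[i] != '\0')   /* find the terminator inside q[0..n-1] */
        i++;
    if (i == n)                      /* no '\0' in q: strcpy would read past q */
        return -1;
    if (i + 1 > m)                   /* i chars plus '\0' do not fit in p */
        return -1;
    memcpy(p, q, i + 1);
    return 0;
}

/* Local stand-in (hypothetical name) for strlcpy(), which the slides recommend
 * but which many C libraries still lack. Copies at most m-1 chars, always
 * NUL-terminates when m > 0, and returns strlen(q) so the caller can detect
 * truncation with "return value >= m". */
size_t bounded_copy(char *p, size_t m, const char *q)
{
    size_t len = strlen(q);          /* q must be NUL-terminated, as for strlcpy */
    if (m > 0) {
        size_t ncopy = len < m - 1 ? len : m - 1;
        memcpy(p, q, ncopy);
        p[ncopy] = '\0';
    }
    return len;
}

int main(void)
{
    char buf[8];                     /* m = 8: the fixed-size container */
    const char *input = "this input is longer than eight bytes";
    /* strcpy(buf, input) here is the bug from the slides: n > m overwrites
     * memory from &buf[8] onward. The checked version refuses instead. */
    if (checked_strcpy(buf, sizeof buf, input, strlen(input) + 1) != 0)
        printf("checked_strcpy: refused, input does not fit\n");
    if (bounded_copy(buf, sizeof buf, input) >= sizeof buf)
        printf("bounded_copy: truncated to \"%s\"\n", buf);
    return 0;
}
```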
Spoofing (1)
• Spoofing could mean:
  • To deceive for the purpose of gaining access to someone else's resources: fake IP address.
  • To simulate a communication protocol by a program that is interjected into a normal sequence of processes: adding some useful function.
IP Spoofing (2)
• Usually replaces the sender IP address with a different address: the spoofer talks directly to the raw network device.
• IP spoofing is normally used to deposit another exploit on the target host.
• Any service that authenticates based on IP addresses or host names is vulnerable: RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), anything wrapped by the TCP daemon wrappers, X Windows, and other applications that use source IP addresses for authentication.
IP Spoofing (3)
• IP spoofing example:
  • A takes over the identity of a trusted host T to subvert the security of the target H (T is down temporarily or is disabled by A).
  • Blind attack: A is unable to see the replies from H to T.
  • Non-blind attack: all T-H conversation is seen by A.
  • Depending on how the intervening routers are configured, A need not be on the same subnet as T.
  • Note that simply reassigning the IP address of T to the host A using ifconfig will not be good enough. Why?
Route Spoofing (4)
• There are three main mechanisms by which an attacker can spoof routing information:
  • ICMP redirect packet (Internet Control Message Protocol) with the source address set to the regular router and the fake new router to use -> the recipient changes its routing tables, replacing the old router with the new one. Redirection can be made to any chosen target/host.
  • RIP-based attacks (Routing Information Protocol): broadcasting illegitimate routing information to passive RIP hosts and routers via UDP port 520. Redirection can be made to any chosen target/host. (See the passive-interface command.)
  • Source routing: the sending host chooses a route that a packet must travel to get to its destination. Traffic coming back takes the reverse route → the attacker designs a route so that the packets go through the attacker's site.
    • Loose source route
    • Strict source route
Spoofing (5)
• Detection of IP spoofing
  • Network monitoring: an indication of IP spoofing is a packet on the external interface with source and destination IP addresses in the local domain.
  • Comparison of accounting logs between systems on your internal network: if IP spoofing is used against one of your systems, there is a log entry on the victim machine showing a remote access, but no corresponding remote access initiated on the apparent (fake) source machine.
• Prevention of IP spoofing
  • Routers with proper IP filtering rules: only route packets from legitimate sources.
  • Most routers have options to check the source address of a packet against the routing table, to ensure the return path of the packet is through the interface it was received on.
  • (cf. lecture about firewalls)
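The network-monitoring indicator from slide (5), as an added example that is not part of the lecture. It generalizes the slide's rule slightly: any packet arriving on the external interface with a source address in the local range is flagged, which covers the slide's local-source-and-local-destination case. The record format, the interface name "eth0" as the external side and the 192.168.10.0/24 local prefix are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: the slide's network-monitoring rule.
 * A packet seen on the EXTERNAL interface with a source address inside the
 * local address range is a spoofing indicator; the slide's case (local source
 * and local destination) is included. The record format "<iface> <src> -> <dst>",
 * "eth0" as the external interface and 192.168.10.0/24 are constructed here. */
/* Parse "a.b.c.d" into a host-order 32-bit value. Returns 1 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;                       /* %c catches trailing garbage */
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}
/* Returns 1 = spoofing indicator, 0 = clean, -1 = unparsable record (report
 * it rather than dropping it silently). */
int is_spoof_indicator(const char *record, uint32_t local_net, unsigned bits)
{
    char iface[16], src[16], dst[16];
    uint32_t s, d, mask;
    if (sscanf(record, "%15s %15s -> %15s", iface, src, dst) != 3)
        return -1;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d))
        return -1;
    if (strcmp(iface, "eth0") != 0)  /* only the external side is checked */
        return 0;
    mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    return (s & mask) == (local_net & mask) ? 1 : 0;
}

int main(void)
{
    const char *records[] = {        /* constructed sample records */
        "eth0 203.0.113.7 -> 192.168.10.5",   /* normal inbound */
        "eth0 192.168.10.9 -> 192.168.10.5",  /* local src from outside: spoof */
        "eth1 192.168.10.9 -> 203.0.113.7",   /* local host going out: normal */
    };
    uint32_t local = (192u << 24) | (168u << 16) | (10u << 8);
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%d  %s\n", is_spoof_indicator(records[i], local, 24), records[i]);
    return 0;
}
```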