Program Flaws
Taxonomy of flaws, by
• how (genesis)
• when (time)
• where (location)
the flaw was introduced into the system
CSCE 522 - Farkas/Eastman -- Fall 2005
Security Flaws by Genesis
• Intentional
• Inadvertent

Intentional Genesis
• Malicious: Trojan horse, trapdoor, logic bomb, covert channels
• Non-malicious

Inadvertent Genesis
• Validation error
• Domain error
• Serialization error
• Identification/authentication error
• Other error
Kinds of Malicious Code
• Virus
• Rabbit (bacteria)
• Worm
• Trojan horse
• Logic bomb (time bomb)
• Trapdoor

Virus
• A program that attaches copies of itself to other programs
• Propagates and performs some unwanted function

Rabbit
• A program that consumes system resources by replicating itself
• Also known as bacteria
• Compare "The Trouble with Tribbles" (Star Trek)

Worm
• A program that propagates copies of itself through the network
• Usually performs some unwanted function
• Does not attach itself to other programs

Trojan Horse
• A secret, undocumented routine embedded within a useful program
• Executing the useful program results in execution of the secret code
Logic Bomb
• Logic embedded in a program that checks for a certain set of conditions to be present in the system
• When these conditions are present, some malicious code is executed
• A time bomb is a logic bomb whose triggering condition is a particular date or time
Trapdoor
• A secret, undocumented entry point into a program
• Used to gain access without going through the normal authentication methods
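What a trapdoor looks like in code, beside the same routine without one, as an added example in Python that is not part of the lecture slides. The user table, the PBKDF2 parameters and the hard-coded "maintenance" password are all constructed for illustration:

```python
"""A trapdoored authentication routine next to a hardened one.

Added example, not from the lecture. The user record, iteration
count and the hard-coded bypass password are constructed for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def _make_record(password: str):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user database: username -> (salt, digest)
USERS = {"alice": _make_record("correct horse battery staple")}


def authenticate_trapdoored(username: str, password: str) -> bool:
    """Vulnerable: an undocumented 'maintenance' password grants access
    to anyone who knows it, with no user record at all. This is the
    trapdoor: a second, secret entry point around normal authentication."""
    if password == "joshua":  # trapdoor: constant bypass left by the developer
        return True
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return actual == expected


def authenticate(username: str, password: str) -> bool:
    """Hardened: the only way to get True is a matching stored digest.
    The comparison is constant-time, and an unknown user still costs
    one PBKDF2 evaluation so the two failure cases look alike."""
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("trapdoor, unknown user:", authenticate_trapdoored("nobody", "joshua"))
    print("hardened, unknown user:", authenticate("nobody", "joshua"))
```

In review, the thing to look for is exactly the first branch of the vulnerable routine: any path that returns success without consulting the credential store, especially one keyed on a literal. A trapdoor only needs to survive one code review to become a permanent entry point.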
Virus Lifecycle
• Dormant phase: the virus is idle
• Propagation phase: the virus places an identical copy of itself into other programs
• Triggering phase: the virus is activated
• Execution phase: the payload function is performed

Virus Types
• Transient (parasitic) virus
• Memory-resident virus
• Boot sector virus
• Stealth virus
• Polymorphic virus

Transient Virus
• Most common form
• Attaches itself to a file
• Replicates when the infected program is executed

Memory-Resident Virus
• Lodged in main memory as part of a resident system program
• May infect every program that executes

Boot Sector Virus
• Infects the boot record
• Spreads when the system is booted
• Gains control of the machine before virus detection tools can act
• Very hard to notice
• Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

Stealth Virus
• A form of virus explicitly designed to hide from detection by antivirus software

Polymorphic Virus
• Mutates with every infection
• Detection by the "signature" of the virus is difficult
How Viruses Attach
• Append to file
• Surround file
• Integrate into file

Append to File
[Figure: original program + virus = virus appended to the end of the original program]

Surround the File
[Figure: original program + virus = Virus-1, original program, Virus-2 (virus surrounding a program)]

Integrate into File
[Figure: original program + virus = Virus-1, Virus-2, Virus-3, Virus-4 interleaved with pieces of the original program (virus integrated into program)]
How Viruses Spread
• Executable code (exe)
• Data files
• Word documents
• Databases
• Presentations
• File sharing

Assume that, if you can install or use it on your computer, it might have a virus.
How Viruses Gain Control
• Virus V has to be invoked instead of target T
• V overwrites T, or
• V changes the pointers that referred to T so that they refer to V (V usually runs T afterwards so that nothing appears to be wrong)
High-Risk Virus Properties
• Hard to detect
• Hard to destroy
• Spreads infection widely
• Can re-infect
• Easy to create
• Machine independent
Preventing Virus Infections
Prevention:
• Install software only from a trusted source
• Isolated testing phase
• Use virus detectors
Limit damage:
• Make a bootable diskette
• Make and retain backup copies of important resources
Antivirus Approaches
• Detection: determine that an infection has occurred and locate the virus
• Identification: identify the specific virus
• Removal: remove the virus from all infected systems, so the disease cannot spread further
• Recovery: restore the system to its original state
Virus Signatures
• Storage pattern: code always located at a specific address; increased file size
• Execution pattern
• Transmission pattern
• Polymorphic viruses change their stored form with every infection, so a fixed storage-pattern signature does not match them
Antivirus Programs
• Look for virus signatures
• Look for changes in file size
• Need to be updated regularly as new viruses appear
• Eliminate viruses found
• Attempt to undo virus damage
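An added example (not from the slides) running the two detection methods just listed, signature matching and size/hash comparison against a baseline, over constructed in-memory "files". The virus body is an inert marker string, and the signature database, file names and the XOR re-encoding that stands in for a polymorphic engine are all assumptions made for the demo:

```python
"""Signature scanning versus integrity checking on constructed samples.

Added example, not from the lecture. Nothing here executes: the 'virus'
is a marker byte string and the 'program' is a few bytes of filler.
"""
import hashlib

# Constructed clean program image (fake header plus filler).
CLEAN_PROGRAM = b"MZ\x90\x00" + b"\x00" * 60 + b"legit code: print('hello')"

# Inert stand-in for a virus body that attaches by appending to the file.
VIRUS_BODY = b"\xeb\x1e\x90\x90evil-marker-v1"

# Assumed signature database: name -> byte pattern extracted from a sample.
SIGNATURES = {"Demo.Appender": b"evil-marker-v1"}


def append_infect(program: bytes) -> bytes:
    """The 'append to file' attachment method: program first, virus last."""
    return program + VIRUS_BODY


def polymorphic_copy(virus: bytes, key: int) -> bytes:
    """Model a polymorphic engine: each copy is XOR-encoded with a fresh
    key behind a tiny decoder stub, so no two copies share the marker."""
    return bytes([0x31, key]) + bytes(b ^ key for b in virus)


def scan_signatures(data: bytes) -> list:
    """Signature detection: report every known pattern present in the bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def baseline(files: dict) -> dict:
    """Record (size, SHA-256) of every file while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check_integrity(files: dict, base: dict) -> list:
    """Change detection: any file whose size or digest differs from the
    baseline, or that is not in the baseline at all, is reported."""
    changed = []
    for name, data in files.items():
        size, digest = base.get(name, (None, None))
        if (size is None or len(data) != size
                or hashlib.sha256(data).hexdigest() != digest):
            changed.append(name)
    return changed


def run_demo() -> dict:
    """Infect one file with the plain virus and one with a polymorphic copy,
    then run both detectors. Returns their findings for inspection."""
    files = {"editor.exe": CLEAN_PROGRAM, "calc.exe": CLEAN_PROGRAM}
    base = baseline(files)                      # taken while still clean
    files["editor.exe"] = append_infect(CLEAN_PROGRAM)
    files["calc.exe"] = CLEAN_PROGRAM + polymorphic_copy(VIRUS_BODY, 0x5A)
    return {
        "signature": {name: scan_signatures(data) for name, data in files.items()},
        "integrity": check_integrity(files, base),
    }


if __name__ == "__main__":
    print(run_demo())
```

The signature scanner names the infection in editor.exe but misses the polymorphic copy in calc.exe, while the integrity check flags both files because it looks only for change. The integrity check has its own limits: it needs a baseline taken on a known-clean system, it cannot tell a legitimate update from an infection, and a memory-resident stealth virus that intercepts disk reads can feed it the clean image, which is what Brain does in the example later in the deck.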
More on Worms
• Characteristics
• Phases
• Propagation

Worm Characteristics
• Self-replicating (like a virus)
• Objective: system penetration (the worm acts as an intruder)

Worm Phases
• Dormancy
• Propagation
• Triggering
• Execution

Worm Propagation
• Searches for other systems to infect
• Establishes a connection with the remote system
• Copies itself to the remote system
• Executes there
Some Examples
• The Brain virus
• The Internet Worm
• Code Red

The Brain Virus
• Changes the label of the infected disk to "Brain"
• Locates itself in upper memory and traps disk reads
• On a read of the boot sector, takes over
• Marks its own sectors as faulty
• Looks for uninfected disks to infect

The Internet Worm
• Caused 6,000 installations to shut down or disconnect from the Internet
• Created by Robert T. Morris at Cornell
• Attacked Unix machines
• Found new machines by password guessing, exploiting finger, and using a trapdoor in sendmail
• Tried to remain undiscovered

Code Red
• Infected more than 250,000 machines in nine hours
• Attacked machines running Microsoft IIS software
• Spread to random or targeted IP addresses
• Dormant after the infection phase
USC Security Measures
• The Gamecock, September 3, 2004
• Smart Enforcer
• Checks for needed updates to the OS (Microsoft) and antivirus programs (McAfee) before network access is allowed
• Why? Students do not always install needed updates

A "Good" Parasite/Virus
• Does not kill its host
• Lives off host resources
• Uses host resources to propagate itself
• May change host behavior
• May be dormant after the infection phase
• May enter into a symbiotic relationship
• Many biological parallels