480 likes | 706 Views
Malicious Logic. Trojan Horses Viruses Worms. Introduction. Malicious Logic: a set of instructions that cause violation of security policy Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside
E N D
Malicious Logic Trojan Horses Viruses Worms CS 395: Computer Security
Introduction • Malicious Logic: a set of instructions that cause violation of security policy • Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside • Example: Name the following script ls and place in a directory Set UID of /tmp.xxsh to UID of person executing this script Remove this script and run ls CS 395: Computer Security
Trojan Horses • Trojan Horse: A program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect • In example, overt action is to list files, covert is to create shell that is setuid to user executing script • There is a key notion here of ``tricked’’ • In the example script, if user root executed this unintentionally by typing ls in a directory, then we have a security policy violation. • If root types out these lines and runs them intentionally, no violation • Key problem: system does not know whether user really intends to run specific set of instructions CS 395: Computer Security
Example: NetBus • Program that allows attacker to control Windows NT workstation remotely • Can download and upload files, intercept mouse or key strokes, generally be sysadmin • Requires small NetBus server on target machine • Placed in several small game programs and other ``fun’’ stuff, then distributed to web sites where unsuspecting users would likely download them CS 395: Computer Security
Propogating Trojan Horse • Propogating Trojan Horse: (also replicating Trojan Horse) is a Trojan Horse that creates a copy of itself. • Ex. Ken Thompson’s compiler • Added Trojan horse to login program so it accepted a specific password in addition to user’s password • Placed code that does this into compiler, so it would add it whenever it saw a login call. (So not visible in login code) • Placed the Trojan horse for compiler into compiler binary, so if compiler was recompiled it would always include the trojan horse for login. • Replaced source for compiler with clean source for compiler. CS 395: Computer Security
Computer Virus • Computer Virus: A program that inserts itself into one or more files and then performs some (possibly null) action • Insertion Phase: virus inserts itself into file • Execution Phase: the action is performed CS 395: Computer Security
Virus Pseudocode CS 395: Computer Security
Virus A Trojan Horse? • Some say YES: Purpose of infected program is overt action, injections and execution phase is the covert action • Some say NO: Virus has no covert purpose. Its overt purpose is to infect and execute. • Who cares. Bottom line is that defenses against Trojan horses inhibit viruses. CS 395: Computer Security
Some History • 1983: Fred Cohen (at time grad student at USC) designed virus to acquire privileges on VAX-11/750 running Unix. • Obtained all system rights within half hour on average • Because virus didn’t degrade response time, most users never knew system under attack • 1984: Experiment on UNIVAC 1108 showed virus could infect that system • UNIVAC partially implemented Bell-LaPadula Model, using mandatory protection mechanisms • Showed that if a system does not prohibit writing using mandatory access controls, then system does little, if anything, to prohibit virus propagation CS 395: Computer Security
More History • 1986-87: Brain (Pakistani) virus infects IBM PCs • Alters boot sectors of floppy disks, possibly corrupting files. • Spreads to any uninfected floppy inserted into system. • Numerous variations have been reported • 1987: MacMag Peace virus • Infect Mac, Amiga, among others • Prints ``universal message of peace’’ on March 2, 198, then deletes itself. • Infected copies of Aldus FreeHand program, which were subsequently recalled by manufacturer CS 395: Computer Security
Still More History • 1987: Tom Duff experiments on Unix with small virus that copies itself into executable files. • Not virulent, but when placed in 48 programs on heavily used machine, spread to 46 different systems and 466 files in 8 days. • Duff did not violate security mechanism by seeding files • Wrote another virus in Bourne shell script. It could attach itself to any Unix program • Demonstrated that viruses are not intrinsically machine-dependent and can spread to systems of varying architectures CS 395: Computer Security
Ok, Even More History • 1989: Harold Highland develops Lotus 1-2-3 virus • Virus stored as set of commands for spreadsheet • Loads automatically when file opened • Was for demo only, so it changed the value in specific row and column then spread to other files. • Demonstrated that macros for office programs on PCs could contain viruses. CS 395: Computer Security
Virus Types • Boot Sector Infectors • Executable Infectors • Multipartite Viruses • TSR Viruses • Stealth Viruses • Encrypted Viruses • Polymorphic Viruses • Macro Viruses CS 395: Computer Security
Boot Sector Viruses • Boot sector is the part of a disk used to bootstrap the system or mount a disk • Code in boot sector is executed when system sees disk for first time • Boot sector virus is one that inserts itself into the boot sector of a disk • When system or disk boots, virus is executed • Original boot sector code is moved CS 395: Computer Security
Example: Brain Virus • When system boots from infected disk, virus is in boot sector and is loaded. • Moves disk interrupt vector (location 0x13) to location 0x6d and sets disk interrupt location to invoke Brain virus. • Brain virus then loads original boot sector and continues the boot • When user reads another floppy, interrupt at 0x13 is invoked, calling Brain virus • If value 0x1234 in word at location 0x4 of new disk, boot continues normally. If not, disk is infected • Infection sometimes overwrite some sectors, thus the sometimes destructive nature of the Brain virus CS 395: Computer Security
Executable Infectors • Executable infector: virus that infects executable programs • On PC these are COM or EXE viruses because of the file types they infect • Viruses prepends or appends itself to executable CS 395: Computer Security
Example: Jerusalem Virus • Triggered when infected program is executed • Virus puts value 0x0e0 into ax register and invokes DOS service interrupt (0x21) • If on return the high eight bits of ax contain 0x3, virus is already on system and original program is invoked • If not, virus sets itself up to respond to traps to DOS service interrupt vector CS 395: Computer Security
Example: Jerusalem Virus • Virus checks date • if a Friday the 13th and year is not 1987, virus sets flag in memory to delete files instead of infecting them • In memory, virus checks all calls to DOS service interrupt, looking for files to be executed (service call 0x4b00) • Virus checks file name, and deletes file if destruct bit set (except for COMMAND.COM file) • Virus checks last five bytes of file. • If string MsDos, file is infected • If not, virus checks whether name of file ends in E or M, in which case virus infects it (assuming its a COM or EXE file) CS 395: Computer Security
Multipartite Viruses • Virus that can infect either boot sectors or applications • Virus typically has two parts, one for each type. Appropriate part is invoked depending on circumstances CS 395: Computer Security
TSR Viruses • Terminate and Stay Resident (TSR) virus is one that stays active (resident) in memory after application (or bootstrapping or disk mounting) has terminated. • Can be boot sector or executable infectors • Brain and Jerusalem are both TSR viruses • Non TSR viruses execute only when host application is executed (or infected disk mounted, etc) CS 395: Computer Security
Stealth Viruses • Stealth viruses are those that conceal the infection of files • Intercept calls to the OS that access files • If call is for file attributes, original (uninfected) file attributes returned • If call is to read file, uninfected version is returned • If call is to execute file, infected file is executed CS 395: Computer Security
Example: The Stealth Virus • Also called IDF virus or 4096 virus • Modifies DOS service interrupt handler • Not interrupt vector. This way inspection of interrupt vectors does not reveal presence of virus • If call is for length of file, length of uninfected file returned • If request to open file, file is temporarily disinfected, then reinfected when file is closed • Changes last modification time for file to indicate the file is not infected CS 395: Computer Security
Encrypted Viruses • Virus that enciphers all of the virus code except for a small decryption routine • Anti-virus software looks for known sequences of code • To fight this, some viruses encipher most of code, leaving only small decryption routine and random cryptographic key in clear CS 395: Computer Security
Example: 1260 Virus • Uses two keys stored in k1 and k2 • Virus code begins at location sov and ends at location eov • Dual keys and shifting of first key prevent simple xor from uncovering deciphered virus CS 395: Computer Security
Polymorphic Viruses • A virus that changes its form each time it inserts itself into another program • Considered an encrypted virus • With straight encrypted virus, decryption portion can be detected! • Polymorphic viruses designed to defeat this. • They change instructions in virus to something equivalent but different. Technique is used to hide decryption code. All do same thing! CS 395: Computer Security
Example CS 395: Computer Security
Polymorphic Viruses • Production of polymorphic viruses has been automated • Mutation Engine (ME) • Trident Polymorphic Engine (TPE) • Polymorphism can occur at different levels • A deciphering algorithm may have two different implementations • Two different algorithms may produce same result (much harder to detect) CS 395: Computer Security
Macro Viruses • A virus that it composed of a sequence of instructions that is interpreted rather than executed directly • Conceptually no different from ordinary computer viruses • Can execute on any system that can interpret the instructions • Can infect executables or data files (data virus) CS 395: Computer Security
Macro Virus • If infecting executable, must arrange to be interpreted at some point • Ex. Duff’s experiments wrapped executables with shell scripts. Resulting executables invoked Bourne shell which interpreted virus code before invoking usual executable • Macro viruses not bound by machine architecture – use specific programs • Any system that runs this program can be affected, though effects may differ • Ex. MS Word virus will work on PC, Mac, CS 395: Computer Security
Example: Melissa Virus • Infected Word 97 and 98 documents on Windows and Mac systems (written in Visual Basic) • Installs itself as the ``open’’ macro and copies itself into the Normal template so that any files that are opened are infected • Then invokes mail program and sends copies to names in address book • On PC spread was through mail • On Mac, most user didn’t use mail program that Melissa invokes, so spread was not via email. CS 395: Computer Security
Computer Worms • A computer worm is a program that copies itself from one computer to another (as opposed to hitching a ride) • Research on worms began in mid-1970s • Schopp and Hupp developed distributed programs to do various tasks. These probed workstations, to find idle machines on which they installed code segments do do work. When other work on machine started, segments shut down. CS 395: Computer Security
The Internet Worm • Nov. 2, 1988: program targeted Berkeley and Sun Unix based machines. • Within hours of introduction to Internet it had rendered thousands of computers unusable • Worm inserted instructions into a running process on target machine and arranged for instructions to be executed • Recovery required disconnection from network and reboot • Several critical programs had to be changed and recompiled to prevent reinfection • Worse, program disassembly required to determine whether other malicious effects present • Fortunately only purpose of worm was self propagation (could have been much worse!) CS 395: Computer Security
Internet Worm • Worm took advantage of flaws in some standard software installed on Unix systems • fingerd is a utility that allows users to obtain information about other users • gets is a routine that takes input into a buffer without performing a bounds check • sendmail is a program that routes mail in heterogeneous networks CS 395: Computer Security
fingerd • Program runs as a daemon (background process) • Allows connections from remote programs • Reads single line of input, sends back appropriate output • Code used call to gets routine to get input. Worm smashed the stack using this call • Unfortunately, several routines remain with such buffer overflow vulnerabilities CS 395: Computer Security
sendmail • Operates in several modes: worm exploited debug mode operation • Sendmail listens on TCP port 25 for attempts to deliver mail using simple mail transfer protocol (SMTP) • When contacted, sendmail enters into dialog to determine sender, etc. • Worm used DEBUG command to specify the recipient of the message as a set of commands instead of a user address • This is not allowed in normal mode • In debug mode, allows testers to verify mail is arriving without having to invoke address resolution routines • That is, testers can run programs to show state of mail system without separate login connection or having to send mail CS 395: Computer Security
Aside: Unix Passwords • Passwords encrypted with premuted version of DES and ciphertext stored in world-readable accounting file • Worm used dictionary attack to break passwords (sometimes as many as 50% of the passwords on a system) • Unix now stores passwords in shadow password file that can only be accessed by sysadmin • And encryption is done using a privileged routine that delays return for a second or so (prevents online testing) CS 395: Computer Security
Aside: Trusted Logins • BSD Unix has nice support for login from remote machines • One can specify a list of host/login name pairs that are assumed to be trusted. Login with these pairs does not require a password • hosts.equiv and .rhosts files • Worm exploited this by trying to locate machines that might trust the current machine • How do you think it did this? • When one found, worm placed itself on the target machine CS 395: Computer Security
Internet Worm (High level description) • Main program: collect info on other machines on network to which current machine could connect • Read config files • Run system utilities to get info about current state of network connections • Used previously mentioned flaws to attempt to establish bootstrap on these machines. CS 395: Computer Security
Internet Worm (High Level Description) • Bootstrap program: • 99 lines of C code that would be compiled and run on remote machine • Once transferred to target machine, it was compiled and invoked with three command line arguments • Network address of infecting machine • Number of network port to connect to on machine to get copies of the main worm files • Magic number that acted as one-time challenge password • If worm on remote host and port didn’t receive magic number back, it would immediately disconnect from bootstrap program • Possibly to prevent someone from capturing a copy of the worm by spoofing a Worm server CS 395: Computer Security
Internet Worm (High Level Description) • Bootstrap program: • Connect back with worm that originated it and transfer a set of precompiled code (binaries) to local machine • These binaries represented versions of the main program for various OS versions and machine architectures. • Once binaries transferred, loaded and linked with standard library routines on host machine, then one by one run. CS 395: Computer Security
Father Christmas Worm • Electronic Christmas Card passed around IBM-base networks • Card was letter instructing recipient to save letter and run as a program. • Program drew Christmas Tree (with blinking lights!) and printed Merry Christmas • Program checked recipients list of previously received mail as well as address book, then sent itself to all these addresses • Overwhelmed network and forced shutdown • Macro worm written in high-level job control language CS 395: Computer Security
Rabbits and Bacteria • Program that absorbs all of some class of resource • Program copies multiply so fast that resources exhausted. A class of denial of service attack. • Ex. (Dennis Ritchie) This will exhaust disk space or inode tables on a Unix Version 7 system CS 395: Computer Security
Examples • Internet worm: • During infection, opened a port on target machine. • When another worm tried to infect machine, it checked port. If opened it assumed machine infected. • But apparently to thwart sysadmins opening a small program on that port, every sixth attack it ignored the check. • Lead to many copies of the worm on single machine. These consumed the CPU. • Father Christmas: • Created so much network traffic that network became unusable and had to be shut down CS 395: Computer Security
Question: Is there an algorithm that can determine if an arbitrary program contains replicating code? CS 395: Computer Security
Answer (Cohen): No such algorithm can exist. It is provably undecidable whether an arbitrary program contains a computer virus. CS 395: Computer Security
Logic Bomb • Logic bomb is a program that performs an action that violates the security policy when some external event occurs • E.g. program attacks on specific date • Disaffected employees who plant Trojan horses in systems often use logic bombs • E.g. delete entire payroll roster when employee’s name is deleted CS 395: Computer Security
Example • Early 1980s: program posted to USENET promised to make administering systems easier • Directions: • Unpack shar archive containing program • Compile program and install as root • Midway down the shar archive: CS 395: Computer Security