400 likes | 560 Views
Mario Muñoz Universidad Carlos III de Madrid mario@it.uc3m.es. Internet Security: Virus Attacks. Index. Definition History Classification Anti-viruses Examples. Definition.
E N D
Mario Muñoz Universidad Carlos III de Madrid mario@it.uc3m.es Internet Security:Virus Attacks
Index • Definition • History • Classification • Anti-viruses • Examples
Definition • First used by F. Cohen (USA), a Lehigh university scholar, in 1984, at the seventh conference on computer security, which was held in the United States. • Difficulty: it is impossible to name features, which viruses and only viruses have • THE NECESSARY CONDITION OF BEING A COMPUTER VIRUS is the capability to produce copies of itself (not exact bytewise replicas) and to incorporate them into computer networks and/or files, system areas of computers, and other executable objects. In addition to this, copies also maintain the capability to spread further
In the early days… • In the mid-eighties, the Amjad brothers of Pakistan ran a computer store. Frustrated by computer piracy, they wrote the first computer virus, a boot sector virus called Brain. • From those simple beginnings, an entire counter- culture industry of virus creation and distribution emerged, leaving us today with several tens of thousands of viruses.
Some Historical Notes 1949 Computer virus theory created (self-replicating program). 1983 “Virus” label defined. 1986 First boot-sector virus. 1987 Virus scanners introduced. 1988 Morris Internet Worm ~$100 million in losses. 1989 Virus signature file introduced. 2000 Love Bug does $8.75 billion in damages. 2001 Code Red, SirCam, & Nimda do $4.4 billion in damages. 2002 DOS, Klez, SoBig, & MANY macro worms.
Some Historical Notes • 1988 - Less than 10 known viruses • 1990 - New virus found every 2 days • 1993 - 10 to 30 new viruses per week • 1995 - 6,800+ viruses and variants
Classification • Viruses can be divided into classes according to the following characteristics: • environment • file • boot • macro • network • Operating system (OS) • different algorithms of work • destructive capabilities
Different algorithms of work • TSR capability. TSR virus, while infecting a computer, leaves its resident part in the RAM, which then intercepts system calls to target objects and incorporates into them. • The use of Stealth algorithms allows viruses to completely or partially cover their tracks inside the OS. The most common stealth algorithm is the interception of OS read/write calls to infected objects. • Self encryption and polymorphic capability are used by virtually all types of viruses to make the virus detection procedure as complicated as possible. • The use of non-standard techniques are used in viruses to hide themselves as deep as possible in the OS kernel
Destructive capabilities • Harmless, that is, having no effect on computing (except for the lowering of some free disk space as a result of propagation); • Not dangerous, limiting their effect to the lowering of free disk space and a few graphical, sound or other FX); • Dangerous viruses, which may seriously disrupt a computer's operation; • Very dangerous, the operating algorithms of which intentionally contain routines that may lead to loss of data, data destruction, erasure of vital information in system areas, and even, according to one of the unconfirmed computer legends, inflict damage to the moving mechanical parts by causing resonance in some types of HDDs.
Summary: Main types • File Viruses • Boot Viruses • Multipartite (File and Boot) Viruses • Multi-Platform Viruses • Macro Viruses (Word, Excel, Access, PowerPoint, Amipro and Visio) • Java Viruses • Polymorphic Generators and Generator-based Viruses • Trojan horses • Script Viruses • Internet Worms • Computer Virus Hoaxes
Worms • Worms - software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there. • - example: the Code Red worm replicated itself over 250, 000 times in approximately nine hours on July 19, 2001.
Trojan Horses • Trojan Horses - The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). • Trojan horses have no way to replicate automatically.
Computer Virus Hoaxes • Computer hoaxes are message alerts warning users about new unknown viruses or Trojan programs. These messages "inform" that there is a new type of virus spreading through the Internet channels and/or e-mail and destroying information on affected computers. • These messages are deliberately false and started by people with malicious intentions. The duped users then pass these messages to other people thinking they are helping them to protect themselves against a new danger. Usually, the text of these fake "new virus" messages is written in panicky script and may appear as an example of the following: • WARNING!!! If you receive an e-mail titled "JOIN THE CREW" DO NOT open it! It will erase EVERYTHING on your hard drive! Send this letter out to as many people you can....this is a new virus and not many people know about it!
Computer Virus Hoaxes • The names of the most well-known computer hoaxes are: • AOL4FREE.COM, Good times, National Bank Chain, Bud Frogs warning, Hackingburgh, NaughtyRobot, Buddlylst, Hacky B-day, Penpal Greetings, Cancer chain, Irina, Sandman homepage warning, Deeyenda Maddick, Join the Club, WIN A HOLIDAY, Disneyworld, Join the Crew, Get more money, Londhouse.
Some successful viruses • CONCEPT, MELISSA, I-LOVE-YOU: Word documents, e-mail. Deletes files • FORM: Makes clicking sound, corrupts data • EXPLORE.EXE: Attached to e-mail, tries to e-mail to others, destroys files • MONKEY: Windows won’t run • CHERNOBYL: Erases hard drive, ROM BIOS • JUNKIE: Infects files, boot sector, memory conflicts
Anti-viruses • "Working with bad data implies good code“ Andrew Krukov, AVP Team • Anti-virus programs are the most effective means of fighting viruses. But I would like to point out at once that there are no anti-viruses guaranteeing 100 percent protection from viruses.
Anti-viruses • Concepts: • False Positive - when an uninfected object (file, sector or system memory) triggers the anti-virus program. The opposite term - False Negative - means that an infected object arrived undetected. • On-demand Scanning - a virus scan starts upon user request. In this mode, the anti-virus program remains inactive until a user invokes it from a command line, batch file or system scheduler. • On-the-fly Scanning - all the objects that are processed in any way (opened, closed, created, read from or written to etc.) are being constantly checked for viruses. In this mode, the anti-virus program is always active, it is a memory resident and checks objects without user request.
Virus avoidance • Virus avoidance (It is better to prevent than to remedy) • good OS • Separate user/system mode/protection to minimise damage • install only reputable software • use antivirus software • Do not open attachments to email • frequent backups
References • http://www.viruslist.com • http://www.sarc.com/ • http://www.vmyths.com/ • http://www.virusbtn.com/index.xml • http://www.bbc.co.uk/science/hottopics/computerviruses/ • http://literacy.kent.edu/Oasis/compvirus.html • http://csc.colstate.edu/summers/virus.htm
Internet Worm • Released November 1988 • Program spread through Digital, Sun workstations • Exploited Unix security vulnerabilities • VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code • Consequences • No immediate damage from program itself • Replication and threat of damage • Load on network, systems used in attack • Many systems shut down to prevent further attack
Consequences of attack • Morris worm, 1988 • Infected approximately 6,000 machines • 10% of computers connected to the Internet • cost ~ $10 million in downtime and cleanup • Code Red worm, July 16 2001 • Direct descendant of Morris’ worm • Infected more than 500,000 servers • Programmed to go into infinite sleep mode July 28 • Caused ~ $2.6 Billion in damages,
Internet Worm Description • Two parts • Program to spread worm • look for other machines that could be infected • try to find ways of infiltrating these machines • Vector program (99 lines of C) • compiled and run on the infected machines • transferred main program to continue attack • Security vulnerabilities • fingerd – Unix finger daemon • sendmail - mail distribution program • Trusted logins (.rhosts) • Weak passwords
Three ways the worm spread • Sendmail • Exploit debug option in sendmail to allow shell access • Fingerd • Exploit a buffer overflow in the fgets function • Apparently, this was the most successful attack • Rsh • Exploit trusted hosts • Password cracking
sendmail • Worm used debug feature • Opens TCP connection to machine's SMTP port • Invokes debug mode • Sends a RCPT TO that pipes data through shell • Shell script retrieves worm main program • places 40-line C program in temporary file called x$$,l1.c where $$ is current process ID • Compiles and executes this program • Opens socket to machine that sent script • Retrieves worm main program, compiles it and runs
fingerd • Written in C and runs continuously • Array bounds attack • Fingerd expects an input string • Worm writes long string to internal 512-byte buffer • Attack string • Includes machine instructions • Overwrites return address • Invokes a remote shell • Executes privileged commands
Remote shell • Unix trust information • /etc/host.equiv – system wide trusted hosts file • /.rhosts and ~/.rhosts – users’ trusted hosts file • Worm exploited trust information • Examining files that listed trusted machines • Assume reciprocal trust • If X trusts Y, then maybe Y trusts X • Password cracking • Worm was running as daemon (not root) so needed to break into accounts to use .rhosts feature • Dictionary attack • Read /etc/passwd, used ~400 common password strings
The worm itself • Program is called 'sh' • Clobbers argv array so a 'ps' will not show its name • Opens all its files, then unlinks (deletes) them so they can't be found • since files are open, worm can still access their contents • Tries to infect as many other hosts as possible • When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts
Some things the worm did not do • … did not delete a system's files, • … did not modify existing files, • … did not install trojan horses, • … did not record or transmit decrypted passwords, • … did not try to capture superuser privileges, • … did not propagate over UUCP, X.25, DECNET, or BITNET.
Detecting Internet Worm • Files • Strange files appeared in infected systems • Strange log messages for certain programs • System load • Infection generates a number of processes • Systems were reinfected => number of processes grew and systems became overloaded • Apparently not intended by worm’s creator Thousands of systems were shut down
Stopping the worm • System admins busy for several days • Devised, distributed, installed modifications • Perpetrator • Student at Cornell; discovered quickly and charged • Sentence: community service and $10,000 fine • Program did not cause deliberate damage • Tried (failed) to control # of processes on host machines • Lessons? • Security vulnerabilities come from system flaws • Diversity is useful for resisting attack • “Experiments” can be dangerous
Sources for more information • Eugene H. Spafford, The Internet Worm: Crisis and Aftermath, CACM 32(6) 678-687, June 1989 • IETF rfc1135 • ftp://coast.cs.purdue.edu/pub/doc/morris_worm • Page, Bob, "A Report on the Internet Worm", http://www.ee.ryerson.ca:8080/~elf/hack/iworm.html
Other significant worms • Code Red, July 2001 • Affects Microsoft Index Server 2.0, • Windows 2000 Indexing service on Windows NT 4.0. • Windows 2000 that run IIS 4.0 and 5.0 Web servers • Exploits known buffer overflow in Idq.dll • SQL Slammer, January 2003 • Affects in Microsoft SQL 2000 • Exploits known buffer overflow vulnerability • Server Resolution service vulnerability reported June 2002 • Patched released in July 2002 Bulletin MS02-39
Code Red • Sends its code as an HTTP request • HTTP request exploits buffer overflow • Malicious code is not stored in a file • Placed in memory and then run • When executed, • Worm checks for the file C:\Notworm • If file exists, the worm thread goes into infinite sleep state • Creates new threads • If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses
SQL Slammer • Server Resolution vulnerability • Two buffer overflow vulnerabilities • packet to Resolution Service overwrites system memory • the heap in one case, the stack in the other • Attack code runs in security context of SQL Server • Security context chosen by administrator at installation • Default is a Domain User • Attacker does not have OS privileges • But can create threads and send HTTP requests • Damage caused by network overload
Virus Examples • Jerusalem • One oldest and most common; many variants • Will infect both .EXE and .COM files • Every Friday 13th, deletes programs run that day • Melissa • Word macro virus spread by email • Initially distributed in internet group alt.sex • Sent in a file called LIST.DOC • When opened, macro emails to 50 people listed in the address book of the user
Melissa Email • From: (name of infected user) • Subject: Important Message From (name of infected user) • To: (50 names from alias list) • Here is that document you asked for ... don't show anyone else ;-) • Attachment: LIST.DOC • Recipients likely to open a document from someone they know
FunLove Virus • Also called W32.FunLove.4099 • Modifies WinNT kernel • Works only if infected user is administrator • Modifies access control code so all users have access to all files
Nimda-A • The news: • “Counterpane Security Monitoring Service is currently tracking a new Internet worm threat. At approximately 09:00 EDT on September 18 (2001), Counterpane detected a dramatic increase in IDS message volume from the majority of our customers. A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept Virus, Code Rainbow) began to propagate at an extremely fast pace. W32/Nimda-A exploits up to 16 previously known IIS, Outlook, and Outlook Express vulnerabilities. Specifically, we have seen signs of Unicode directory traversals and GET requests for both root.exe and cmd.exe. “
Nimda-A • There are at least 6 different attack vectors: • E-mail attachments, most frequently called readme.exe, of file type MIME audio/x-wav - these may cause RealPlayer or Windows Media Player to launch spontaneously if auto-launch is not explicitly turned off. • IE browsing an infected IIS Web server with JavaScript enabled, for IE versions 5.0 or 5.1 without SP2 installed. The only verified non-vulnerable versions of Internet Explorer are IE5.01-SP2, IE5.5-SP2 or IE6.0. For more information, reference Incorrect MIME Header Can Cause IE to Execute E-Mail Attachment. The patch for this vulnerability is included in the patch for flawed Web Server certificate validation in IE. • Sharing the C:\ drive of an infected system, and creating a Guest user with Admin privileges - the worm will infect all executable files on the mapped drive and its subfolders. • TFTP access from infected Internet Information Servers. • Web folder traversal vulnerability on IIS servers - the worm then installs readme.exe and instructs viewers to download a file containing the worm (which may in turn cause Windows Media Player or RealPlayer to launch on the Web client). • Highlighting a file with extension .eml or .nws in Windows Explorer with Active Desktop enabled. If IE is a vulnerable version (described above) and security zone settings permit files to be executed without prompting, the file will be executed.