html5-img
1 / 98

“Unix.  The world's first computer virus.” title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious comput

“Unix.  The world's first computer virus.” title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious computer scientists ISBN: 1-56884-203-1. Classification of Threats. Threats may exploit weaknesses in 1. operating system (W32,W95, Linux, etc),

dempster
Télécharger la présentation

“Unix.  The world's first computer virus.” title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious comput

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “Unix.  The world's first computer virus.” title of Chapter 1 of ‘The Unix Haters Handbook’, written by serious computer scientists ISBN: 1-56884-203-1

  2. Classification of Threats Threats may exploit weaknesses in 1. operating system (W32,W95, Linux, etc), 2. applications they infect (W97M, WordPro, X97M, etc) 3. language (HTML, VBS, JS, etc). Delivery of malicious codes to a users machine: • the most popular early methods of passing viruses by floppy disk. • Internet borne worms, that require no human intervention, once started.

  3. Malware, security tools and toolkits: • Malware : any piece of malicious software. • Security tools and toolkits : are designed to be used by security professionals to protect their sites. These can also be used by unauthorized individuals to probe for weaknesses. The purposes, not the approach, makes a program malicious. • Many of the programs that fall in the malware categories have benevolent uses also.

  4. Benevolent Uses: • Worms can be used to distribute computation on idle processors; • Trap doors/ back doors are useful for debugging programs; A trapdoor: a code that recognizes some special (unlikely) sequence of inputs or is triggered by being run from a special ID. Some programs require special privileges and authentication to access it. Or they may require long setup (providing many initial values of variables) and authentication.

  5. Benevolent Uses of Trap doors and Viruses: While debugging one may want to be able to open the program without going through these procedures. A trapdoor allows one to activate the program even if something be wrong with the authentication procedure. • Viruses can be written to update source code and patch bugs.

  6. Classification of Malicious programs: First Method Malicious programs Need Host programs Independent Trap doors Logic Bombs Trojan Horse Viruses Zombie Worms Bacteria A Logic Bomb or a Trojan Horse may be part of a Virus or Worm.

  7. Classification of malicious programs: • Programs that do not replicate: consist of fragments of programs that are activated, • when the host program is invoked or • when in the host program, a specific function is performed. • Programs that replicate: consist of • a program fragment (Example : Viruses) Or • an independent program (Example: Worm or bacterium) that, when executed, may produce one or more copies of itself on the same system or some other system.

  8. Classification of Malicious Program: The Second Method Malicious Programs Those that won’t replicate Those that replicate themselves Trap Doors Logic Bombs Trojan Horses Viruses Zombie Worms Bacteria *Ref: Fig 19.1 pp.599, Stallings [2003]

  9. Malicious Software Malicious software: runs under the user’s authority (without his knowledge and permission); hence can do all that a user can himself do. TYPES: Back doors/trap doors : allow unauthorized access to your system. • Logic bombs: programmed threats that lie dormant for an extended period of time until they are triggered; at this point, they perform a function that is not the intended function of the program in which they are contained .

  10. Triggers for logic Bombs: Logic bombs usually are embedded in programs by software developers who have legitimate access to the system. • Triggers for Logic Bombs: • Presence or absence of certain files. • Particular day of the week or data. • Particular user running the application

  11. Trojan horses: • Trojan horses: programs that appear to have one function but actually perform another function. • The modern – day Trojan horses resemble a program that the user wishes to run – a game, a spreadsheet, or an editor. • While the program appears to be doing what the user wants, it is also doing something else unrelated to its advertised purpose, and without the user’s knowledge.

  12. Examples of Trojan horse attacks: Examples of Trojan horse attacks: • A compiler was modified to insert additional code into certain programs as these are compiled. The code creates a trapdoor in the login program that permits the author to log on to the system using a special word. Difficult to discover, by reading the source code of the program. Ref : THOM 84 from Stallings[2003]

  13. Examples of Trojan horse attacks (continued) • Attach a program to the regular program for listing the user’s files in a particular format. The attached program may change the file permissions to make them readable by any user. After the program is executed, any one can read the files.

  14. Viruses: • Viruses: “programs” that modify other programs on a computer, inserting copies of themselves. Viruses:* not distinct programs *need to have some host program, of which they are a part, executed to activate them *executes secretly, when the host program is run. A typical virus, in a computer, takes control of its Disk Operating System. Whenever it comes in contact with any uninfected piece of software, a fresh copy of the virus is attached to the new program. Reference: A malicious program was called a Virus by Cohen.Cohen F.,’Computer Viruses’, Computer Security: A Global Challenge, Elsevier Press, 1984, p143-158

  15. Worms: • Worms: programs that propagatefrom computer to computer on a network, without necessarily modifying other programs on the target machines. • Worms • can run independently; • travel from machine to machine across network connections; • may have portions of themselves running on many different machines. • Worms do not change other programs, although they may carry other code that does (for example, a true virus or a Trojan horse may be implanted by a worm).

  16. Worms (continued) • To replicate itself, a worm uses some network vehicle. Examples: • Electronic mail: A worm may mail a copy of itself to another system. • Remote execution capability: A worm may execute a copy of itself on another system. • Remote log-in capability: A worm logs on another system as a user and then uses commands to copy itself to the remote system. • In a multiprogramming system, a worm may hide itself by naming itself as a system process.

  17. Worms (continued) • A Worm may determine whether a host has been infected before copying itself. • It may examine the routing tables to locate the addresses of remote machines, to which it may connect, without any information to the owner of the local host. Examples of Worms: Morris 1998 for unix systems, Code Red (July 2001), Code Red II, NIMDA (late 2001)

  18. Phases of a virus and a worm: • A worm as well as a virus have the following phases: • Dormant phase: activated • on some Date or • by presence of some file or program or • some action like the data on disc exceeding certain limit. Some viruses may not have this stage.

  19. Phases of a virus and a worm (continued) 2. Propagation phase: Both a worm and a virus check whether the file/system is already infected. If not, they do the job. 3. Triggering phase: may be caused by some system event. 4. Execution phase: Performs a function • Benign function: like showing a message on screen. • Non-benign: to damage/destroy certain files. Viruses are designed to take advantage of the weaknesses of the OS and/or a hardware platform.

  20. Spreading Malware via the Internet Trojan Horse vs Virus: • Whereas a Trojan horse is delivered pre-built, a virus infects. Propagation of Virus: Malicious programs arrived via tapes and disks, and the spread of a virus around the world took many months. Today, Trojan horses, and viruses are network deliverable as *E-mail, *java applets, *ActiveX controls, *javaScripted pages, *CGI-BIN scripts, or as *self-extracting packages. They could arrive as a part of a game or a useful utility, copied from some electronic bulletin board

  21. Mobile program Systems Mobile-program system: Ex.: java and ActiveX. • This technology became popular with Web servers and browsers, but it is now integrated (e,g, java into Lotus Notes, and ActiveX into Outlook) mail systems. • Security Bugs in both java and ActiveX A mobile program may act as the carrier of a virus. Any mechanism for sharing of files – of programs, data, documents or images – can transfer a virus

  22. Structure of Viruses: • In the infected binary, at a known byte location in the file, a virus inserts a signature byte, used to determine if a potential carrier program has been previously infected. • On invoking an infected program, it first transfers control to the virus part. • The virus part infects uninfected executable files. • Secondly it may damage the system in some way. Or like a logic bomb, the damaging action may take place in response to some trigger. • Finally it transfers control to the original program. Usually the first two steps may take so little time, that one may fail to notice any difference.

  23. Normal .COM vs. Infected .COM

  24. Structure of a virus program: V() { infectExecutable(); If (triggered()){ Do Damage(); } Jump to main of infected program; } …………….

  25. Structure of a virus program (continued): Void infectExecutable() { file = choose an uninfected executable file; Prepend V to file; } Void doDamage(){ ……. } int triggered(){ Return (some test? 1:0); }

  26. Types of Viruses: • Types of viruses: • Parasitic Viruses: It attaches itself to executable files and replicates, when the infected program is executed, by finding other files to infect. • Memory – resident virus: stays in main memory as a part of a system program. Then it infects every program that executes. (Like Terminate and Stay Resident – TSR- programs )

  27. Types of viruses (continued) • Boot sector virus: It infects a boot record and spreads when a system is booted from the disk containing the virus. Boot sector contains crucial files. Hence it is made invisible by the OS.  boot-sector virus files will not show up in a normal listing of files. • Polymorphic virus: Creates copies that are functionally equivalent but have distinctly different bit patterns. Thus signature of each copy will vary and a virus scanner will find it difficult to locate it.

  28. Methods used by Polymorphic Viruses for variation in signature • Random insertion of superfluous instructions • To interchange the order of independent instructions • Use of encryption: The virus has a mutation engine which generates a random key and then the engine is altered; the key is stored with the rest of the virus, which is encrypted. When this virus infects another host, the altered mutation engine would generate a different key. Thus every host would carry a different signature for the virus.

  29. The Stealth Virus There are two other types: The Stealth virus and the Macro virus. A stealth virus has code in it that seeks to conceal itself from discovery or defends itself against attempts to analyze or remove it. • The stealth virus adds itself to a file or boot sector but, when you examine, it appears normal and unchanged.

  30. Methods used by Stealth Virus • The stealth virus performs this trickery by staying in memory after it is executed. From, there, it monitors and intercepts your system calls. When the system seeks to open an infected file, the stealth virus displays the uninfected version, thus hiding itself. • The four types of viruses, discussed in slides 32 and 33, make an infected file longer than it was, making it easy to spot. There are many techniques to leave the file lengthand even a check sum unchanged and yet infect.

  31. Stealth technique: Keeping the file length unchanged • For example, many executable files often contain long sequences of zero bytes, which can be replaced by the virus and re-generated. • It is also possible to compress the original executable code like the typical Zip programs do, and uncompress before execution and pad with bytes so that the check sum comes out to be what it was.

  32. Macros: • Macro languages are (often) equal in power to ordinary programming languages such as C. • A program written in a macro language is interpreted by the application. • Macro languages are conceptually no different from so-called scripting languages. • Gnu Emacs uses Lisp, most Microsoft applications use Visual Basic script as macro languages. • The typical use of a macro in applications, such as MS Word, is to extend the features of the application.

  33. Macros (continued) • Can be used to define a sequence of key-strokes in a macro and to set it up so that when a function key is input, the whole of the sequence is invoked. • Some of these macros, know as auto-execute macros, are executed in response to some events, such as….. • closing a file, • opening a file, • starting an application, • invoking a command such as ‘FileSave’ or • pressing a certain key.

  34. Auto-executing Macros in WORD Three types of auto-executing Macros: 1.Start-up Auto-execute: executed when WORD is started. 2.Automacro: executes when some event like opening/closing a document, creating a new document, quitting WORD 3.Command:executes when a WORD command, like FileSave) is executed. MS has developed a Macro Virus Protection Tool. It detects suspicious files and alerts the user to the risk of opening them.

  35. Macro Viruses • Macro Viruses form a large majority of the total number of viruses today. A macro virus is a piece of self-replicating code inserted into an auto-execute macro. • Once a macro is running, the virus copies itself to other documents. • Another type of hazardous macro is one named for an existing command of an application.

  36. Macro Viruses (continued) • Example: If a macro named FileSave exists in the “normal.dot” template of MS Word, that macro is executed whenever you choose the Save command on the File menu. • Unfortunately, there is often no way to disable such features. • Such macro viruses may be carried in the command part of a text file, a database, a slide presentation or a spreadsheet. The user sees only the data part – and not the command part. So he would not be able to see the malicious code. • Ref: For Loveletter virus for OUTLOOK (May 2000) http://all.net/journal/cohen0504-2.htm

  37. Spread of Macro Viruses Macro Viruses spread fast because • Macro viruses may be platform independent in that any hardware/software platform that supports the particular application can be infected. • Macro viruses affect documents and not executable portions of code. • Spread easily – by e-mail. Ex: A virus, called Melissa, used a micro, embedded in a WORD document attached to an e-mail. …………………….

  38. Melissa On opening the WORD attachment of e-mail, • it damages the local machine and • it sends itself to all the addresses in the e-mail address book. In 1999, new e-mail viruses appeared. These would be able to infect, as soon as one opens the carrier e-mail, and not by opening an attachment

  39. Unix/Linux Viruses: • The most famous of the security incidents in the last decade was the internet Worm incident which began from a Unix system. • Several Linux viruses have been discovered. • The Staog virus first appeared in 1996 and was written in assembly language by the VLAD virus writing group, the same group responsible for creating the first Windows 95 virus called Boza. • Like the Boza virus, the Staog virus is a proof-of-concept virus to demonstrate the potential of Linux virus writing without actually causing any real damage.

  40. Unix/Linux Viruses (continued) • The second known Linux virus is called the Bliss virus. • Unlike the Staog virus, the Bliss virus can not only spread in the wild, but also possesses a potentially dangerous payload that could wipe out data.

  41. Zombie • Zombie: A program that takes over a computer, without any authorization and without informing the owner of the system. The program originates from some other host. It then uses the computer, that has been taken over, for attacking a victim. Objectives: To hide the originator of the attack To attack the victim through a large number of zombie computers (as in a DDoS attack)

  42. Bacteria or rabbit • Bacteria, or rabbit program, replicates without bound to overwhelm a computer system’s resources. • Bacteria do not explicitly damage any files. Their sole purpose is to replicate themselves. • A typical bacteria program may do nothing more than execute two copies of itself simultaneously on multiprogramming systems, or perhaps create two new files, each of which is a copy of the original source file of the bacteria program.

  43. Bacteria continued: • Both of those programs then may copy themselves twice, and so on. Bacteria reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources.

  44. Dropper: • A dropper: a program that is not a virus, nor is it infected with a virus, but when the program is run, it installs a virus into memory, on to the disk, or into a file. • Droppers have been written sometimes as a convenient carrier for a virus, and sometimes as an act of sabotage. • Some anti-virus programs try to detect droppers.

  45. Virus Detection: “Virus” is used, (in the following slides-for- detection-and-removal of viruses,) to stand for all types of malicious programs. • Virus detection programs analyze a suspect program for the presence of known viruses. • Fred Cohen has proven mathematically: that perfect detection of unknown viruses is impossible: no program can look at other program and say either “a virus is present” or “no virus is present”, and always be correct.

  46. Virus Detection (continued): • Most new viruses are sufficiently like old viruses:  the scanning for old viruses may find the new ones. • There are a large number of heuristic tricks that anti-virus programs use to detect new viruses, based either on how they look, or what they do. • Since brand-new viruses are comparatively rare, these methods may suffice. After detection of a virus, its identification and removal is required.

  47. ‘generations’ of virus scanners • The first generation virus scanners: obtained a virus signature, a bit pattern, to detect a known virus. They record and check the length of all executables. • The second generation scans executables with heuristic rules, looking for fragments of code associated with a typical virus. They also do integrity checking by calculating a checksum of a program and storing somewhere else the encrypted checksum.

  48. ‘generations’ of virus scanners (continued) Second generation (continued)….A better method is storing a hash function rather than a checksum. The encryption key is stored at a separate place. • The third generation: use a memory resident program to monitor the execution behavior of programs to identify a virus by the types of action that the virus takes. • The fourth generation: combines all the previous approaches and includes access control capabilities so that system penetration and access to files may be denied.

  49. Advanced Anti virus Techniques 1) Generic Decryption (GD) Technology • It uses the following components : a) CPU Emulator: Consisting of a virtual computer with software versions of all registers and other processor hardware. b) Virus signature scanner c) Emulator control module Virus elements are usually activated immediately after a program starts execution. • GD begins execution of an executable file in the CPU emulator. As each instruction is executed, the signature scanner tries to expose the virus.

  50. Advanced Anti virus Techniques: Generic Decryption (GD) Technology • A polymorphic virus would decrypt itself and be recognized by the signature scanner. • This process does not affect the computer, since the CPU emulator provides a safe and controlled environment. • Difficulties: • How many instruction may be interpreted through the emulator ? - is a design issue • The user would complain if the GD scanner uses a great deal of computer resources and these are not available to the user.

More Related