Lecture 4

Foundations of Network and Computer Security
John Black
CSCI 6268/TLEN 5550, Spring 2014

Viruses (Worms)
- Today, most everyone just calls them viruses
  - Technically most are worms
  - A worm is a self-contained propagating program
  - Viruses embed in other programs and self-replicate
  - Kind of like viruses in biology

Viruses: History
- Morris Worm, Nov 2nd, 1988
  - The first worm (I know of) was the Morris worm
  - Robert T. Morris, Jr.: 23 years old, Cornell grad student
  - Father worked at the NSA (whoops!)
  - Wrote a self-propagating program as a test concept
  - Exploited Unix vulnerabilities in sendmail and fingerd
  - Released at MIT
  - A bug in the worm caused it to go wild
    - Probably wouldn't have caused much damage otherwise!

Morris Worm (cont)
- Shut down thousands of Unix hosts
  - But this was 1988
- Reactions
  - People didn't know what to do, so they panicked
  - Disconnected from the net
    - Unable to receive patches!
  - Morris fined $10k, 3 yrs probation, 400 hrs community service
  - CERT was created

CERT -- They were first
- Carnegie Mellon Emergency Response Team
  - But don't expand it into an acronym
- Provide technical advice and coordinate responses to security compromises
- Identify trends in intruder activity
- Work with other security experts to identify solutions to security problems
- Disseminate information to the broad community
- Analyze product vulnerabilities
- Publishes technical documents
- Presents training courses

Modern Viruses
- Almost all look for Windows hosts
  - Windows runs on more than 90% of desktops these days
- A lot of hosts on cable modems
  - Fast, always on
- Destructive payloads
  - Wipe hard disk, e.g.
- Some install backdoors for later use
- All kinds of weird behaviors though
  - Some innocuous

Viruses: Why?
- Who writes these things?
  - Typical profile: male, teenager, geeky, smart
- Script Kiddies
  - Don't really write them, but launch them
  - Sometimes make small mods and call them their own
- Scariest hackers: beyond the reach of the law
- Why?
  - Intellectual challenge (sigh)
  - Peer recognition
  - Bot building (zombie armies)
  - Because it's there?

Brief History
- Would take weeks to look at all the viruses we've seen
  - Also, wouldn't be that instructive
- We'll look at the ones I think were most instructive, important, and which have interesting lessons
  - So it's a selective brief history of viruses

AIDS Trojan (1989)
- Often called a virus
  - A trojan is a program with a surprise payload
- The AIDS trojan was distributed as a way to enable graphics on TTL monitors
  - Duh
- Payload: erase hard disk
- Interesting note: first virus scanners appear around this time (1990)

Tequila (1990)
- First polymorphic virus
  - Polymorphic means "changing form"
  - This was done to defeat virus checkers
- Current status of polymorphic viruses
  - Well, the current virus toolkits (MPC, VCS, VCL) create code which is still caught by scanners
  - VCL: Virus Creation Laboratory (1992); pull-down menus, selectable payload

Michelangelo (1992)
- First virus to get lots of headlines
- Lives in the MBR (master boot record)
- Targets MS-DOS machines
  - Transfers to floppies/hard disks when intermixed
  - Note this predates widespread use of the Internet
- Payload: destroy boot sector and FAT on March 6th
  - Michelangelo's birthday

DMV (1995)
- Word macro virus
  - Macros are sets of executable instructions specific to an application
  - Back in 1995, MS Word was configured out-of-the-box to execute immediately any macros in a Word document
  - This meant that simply opening a document from an email or from the Web was dangerous
- DMV
  - Distributed with the paper "Document Macro Viruses"
  - Harmless (even had dialog boxes)
  - Trying to prove a point
- Other macro viruses possible with Excel, Access, Adobe Acrobat, and more

Back Orifice Trojan (1998)
- Pun on MS Back Office
- Allows remote access via the Internet to Win 95/98 boxes (BO-2000 runs on Win 2k and NT)
  - Waits for commands starting with *!*QWTY?
  - US version used encryption; international could not!
  - Doesn't show up in the task list
- Written by cDc (Cult of the Dead Cow) and advertised as a legitimate tool
  - Used by network managers, in fact
  - But has been abused of course
  - Has plug-ins to 0wn your box (view remote screen, download registry, etc.)

Melissa (1999)
- Just when you thought it was safe...
- Melissa was a major virus
  - Combination Word macro virus and email virus
  - Sent as an attached .doc file
  - Scanned the Outlook address book and sent itself to the first 50 addresses
    - Subject: Important message from
    - Body: Here is the document you asked for; don't show anyone
  - Then attached the most recent doc you had been working on, infected with Melissa
- Spread VERY rapidly all over the world
- Tons of variants

ILoveYou (2000)
- Clever technology, great social engineering
  - Subject: I love you
  - Body: Kindly check attached love letter from me
  - And the message was from a sender you know!
- Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
  - Note the double extension
  - VBS script
  - If you didn't have your OS set to show extensions, you'd just see LOVE-LETTER-FOR-YOU.TXT
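As an added example (not from the lecture), a Python check that a mail gateway or triage script could run over attachment names to catch the double-extension trick described above: the real extension is a script, but with extensions hidden the user sees a harmless .TXT. The extension lists and sample names are constructed for illustration.

```python
# Extensions Windows Explorer hides by default turn "X.TXT.vbs" into a displayed "X.TXT".
# Both lists are constructed for this example; a real gateway policy would be broader.
EXECUTABLE_EXTS = {"vbs", "exe", "js", "scr", "pif", "bat", "cmd", "com", "wsf"}
DOCUMENT_EXTS = {"txt", "doc", "xls", "pdf", "jpg", "gif", "htm", "html"}

def displayed_name(filename: str) -> str:
    """Name the user sees when the OS hides known extensions: the last one is dropped."""
    stem, sep, ext = filename.rpartition(".")
    return stem if sep and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename

def classify_attachment(filename: str) -> str:
    """'lure' when the real (last) extension is executable but the name shown to the
    user ends in a harmless-looking document extension (LOVE-LETTER-FOR-YOU.TXT.vbs);
    'executable' for a plainly executable file; 'ok' otherwise."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    if real_ext not in EXECUTABLE_EXTS:
        return "ok"
    shown_ext = parts[-2] if len(parts) > 2 else ""
    return "lure" if shown_ext in DOCUMENT_EXTS else "executable"

def triage(filenames):
    """Return [(filename, name the user would see, verdict)] for everything not 'ok'."""
    report = []
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            report.append((name, displayed_name(name), verdict))
    return report

if __name__ == "__main__":
    # Constructed sample attachment names, not real samples.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "quarterly.doc", "setup.exe", "backup.tar.gz"]
    for row in triage(sample):
        print(row)
```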

ILoveYou (cont)
- Was wildly successful
  - Mostly due to human nature: "someone loves me"
- Has countless variants
  - Joke attached
  - Mother's Day Gift confirmation
  - Now that's just wrong: "How to stop the ILoveYou virus"

It Gets Worse
- SirCam, Nimda, CodeRed, BadTrans
- Nimda: very complex
  - Mostly spread via unpatched IIS servers, but also
    - Via email (attached EXE)
    - Browsing dubious web sites with an unsecured browser
    - Using backdoors from other viruses (CodeRed II, e.g.)
  - Payload: back door access
- Code Red: still around today!

Code Red Payload
- Coordinated attack against www1.whitehouse.gov
  - Used a hardcoded IP address
  - Checked to ensure port 80 was active first
  - Easy to stop this, and indeed the IP was moved before Code Red launched its payload, so no direct damage done
- windowsupdate.microsoft.com was infected too
  - Users got infected while trying to patch!
- First version used a static seed for random()
  - Limited the number of IPs it generated
  - Five days later this was fixed

Code Red Details
- Spreads as a bad HTTP request. The IIS system mishandles the request and instead executes the included packet with full permissions.
- The infected server then creates 99 threads which each attack random IP addresses
  - Random number generator works properly now
- This continues for the 1st through 19th of the month. On the 20th through 27th of the month, all the threads attack a specific IP at www.whitehouse.gov
- Still see network traffic surges today from this worm
  - People don't patch!
- Defaces current pages on the server
  - "Welcome to http://www.worm.com! Hacked by Chinese!"

SQL/Slammer (2003)
- Exploits a buffer overflow in MS SQL Server
  - UDP traffic to port 1434
- Side effect was DoS
  - Worm propagated so fast that it shut down many sites
- Launched 12:30am EST; victim numbers doubled every 8.5 seconds
- By 12:45am, large pieces of the Internet were basically gone
  - 300,000 cable modem users in Portugal down
  - South Korea off the map (no cell phones or computer access)
  - Seattle 911 resorted to paper
  - Continental cancelled flights from Newark hub

Witty Worm (March 2004)
- Attacked a security product!
  - Internet Security Systems (ISS)
  - ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE
  - You can't even trust your security systems?!
- Vulnerability revealed by eEye Digital Security
  - Witty released 10 hours after the vulnerability was disclosed
- Destructive payload (deletes pieces of the hard drive)

Flash Viruses
- Viruses can spread very fast
  - SQL/Slammer had only a 376 byte code size
  - No pause between propagation attempts
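As an added example (not from the lecture), Python detection logic for the Slammer traffic pattern the slides describe: single UDP datagrams to port 1434 of about 376 bytes, fired at many destinations with no pause. The flow records are constructed, and the payload-size slack is an assumption of this example.

```python
from collections import defaultdict

# Constructed flow records, not a real capture:
# (time_s, proto, src, dst, dst_port, udp_payload_bytes)
FLOWS = [
    (0.00, "udp", "10.0.0.5",  "198.51.100.1",  1434, 376),
    (0.05, "udp", "10.0.0.5",  "203.0.113.7",   1434, 376),
    (0.10, "udp", "10.0.0.5",  "192.0.2.9",     1434, 376),
    (0.15, "udp", "10.0.0.5",  "198.51.100.44", 1434, 376),
    (0.20, "tcp", "10.0.0.8",  "192.0.2.10",      80, 512),
    (0.30, "udp", "10.0.0.9",  "192.0.2.53",      53,  64),
    (1.00, "udp", "10.0.0.12", "192.0.2.20",    1434, 376),  # one lookup: not a spray
]

def is_slammer_like(flow):
    """Single-datagram signature from the lecture: UDP to 1434 carrying roughly
    the worm's 376-byte body (the few bytes of slack are an assumption here)."""
    _, proto, _, _, dport, payload = flow
    return proto == "udp" and dport == 1434 and 370 <= payload <= 380

def find_spraying_sources(flows, window_s=1.0, min_targets=3):
    """Hosts that fire Slammer-like datagrams at >= min_targets distinct destinations
    inside any window_s seconds ("no pause between propagation attempts").
    Returns {src: sorted destinations seen in the first such window}."""
    events = defaultdict(list)
    for f in flows:
        if is_slammer_like(f):
            events[f[2]].append((f[0], f[3]))
    hits = {}
    for src, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            targets = {dst for t, dst in ev[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    for src, dsts in find_spraying_sources(FLOWS).items():
        print(f"{src} sprayed {len(dsts)} hosts on udp/1434: {dsts}")
```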

Reading assignment
- Read "How to 0wn the Internet in your Spare Time"

A real problem
- If you reinstall an old OS and attempt to download patches, you may be infected before you can patch!

Prevention
- Stay patched
  - windowsupdate.com
  - Linux patches (yum)
- Reduce network services to those needed
  - "Best block is not be there" -- Mr. Miyagi
  - Windows still comes with a ton of stuff turned on
    - Getting better though!
  - SQL Slammer victims didn't even know they were running an SQL server!
  - netstat -a
    - Might surprise you

Prevention (cont)
- Don't open attachments unless you're sure
- Always run a virus scanner
- Even Word docs are dangerous
- Don't visit questionable web sites
  - Esp. if your browser is set to low security levels
  - JavaScript is evil
    - Felten's JavaScript attack

Trojans
- Malicious code hidden within another object
- Email attachments can contain trojans
  - This is how many viruses spread
- "Backdoor" is usually considered a synonym
  - Putting a backdoor into login.c qualifies

Thompson's Turing Award Lecture (1995)
- Thompson and Ritchie won the Turing award for creating Unix
- Thompson's is my favorite Turing award lecture
  - "Reflections on Trusting Trust"
  - Please read it (it's short)
- His lecture has three stages
- Stage I: a Quine
  - A Quine is a program which outputs its own source code

A Quine in C

    #include <stdio.h>
    char*f="#include <stdio.h>%cchar*f=%c%s%c;%cint main(){printf(f,10,34,f,34,10,10);}%c";
    int main(){printf(f,10,34,f,34,10,10);}

- We printf the string f, inserting f into itself as a parameter
  - 34 is the ASCII code for the double quote, 10 is the newline
  - The slide's original had just main() and no #include; modern compilers require both, so the string has to reproduce them too
- Yow!
- We could attach any extra code we like here
- File this away in your head for now: we can write a program which outputs its own source code

Thompson, Stage II
- Note that a C compiler is often written in C
  - Kind of a strange chicken-and-egg problem
  - How to bootstrap?
- Interesting learning behavior
  - You add a feature, compile the compiler with itself, then it knows the feature
  - Once you get a rudimentary compiler written, it can be arbitrarily extended

Thompson, Stage III
- Add a backdoor to login.c
  - Allow valid passwords plus some master password
- Note that this would be caught soon enough because it exists in the login.c source code
- Ok, so be sneakier
  - Add code in cc.c (the C compiler) to add the backdoor to login.c whenever compiling login.c
  - Add self-replicating code to the C compiler to reproduce itself plus the login.c backdoor!

Implementing the Trojan
- Now compile login.c
  - Compiler adds the backdoor
- Compile cc.c
  - Compiler sees that it's compiling itself, and the self-replicating code runs to ensure the login.c trojan and cc.c trojan are compiled into the cc binary
- Now remove all this new code from cc.c
  - Back door exists only in the binary!
  - login.c and cc.c will continue to have the trojan even after infinite recompiles

Moral of the Story
- The amount of cleverness we haven't even thought of yet is scary
- We're probably never going to have completely secure computers and networks
- The most we can hope for is best effort from those we trust and from ourselves
- It's going to be an eternal battle between us and the criminals
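As an added example (not from the lecture), a toy Python model of Stage III and of the check that exposes it, which David A. Wheeler later named "diverse double-compiling": rebuild the compiler from its source with a second, independently trusted compiler and compare the result with the compiler that built itself. Programs are strings and "binaries" are small dicts, all constructed here; the point it shows is that cc.c and login.c stay clean while the binaries differ.

```python
import hashlib

# Constructed sources. Neither contains any trojan text; that is the whole point.
LOGIN_SRC = "login.c: accept(password) if password in authorized"
CC_SRC = "cc.c: translate(source)"

def _image(src):
    """Stand-in for machine code: a clean, deterministic translation of the source."""
    return hashlib.sha256(src.encode()).hexdigest()[:12]

def compile_with(compiler, src):
    """Run a compiler *binary* on source text and return the output binary.
    An honest binary emits just the clean image. A trojaned binary behaves as on
    the slides: it adds the master-password backdoor when it sees login.c and
    re-inserts its own trojan when it sees cc.c, so recompiling never removes it."""
    out = {"image": _image(src), "backdoor": False, "trojan": False}
    if compiler["trojan"]:
        if src.startswith("login.c"):
            out["backdoor"] = True
        elif src.startswith("cc.c"):
            out["trojan"] = True
    return out

def diverse_double_compile(suspect_cc, trusted_cc, cc_src):
    """DDC: compile cc_src with a trusted compiler, then compile cc_src again with
    that result. For a deterministic, honest compiler this equals 'suspect compiles
    itself' bit for bit; a difference means the suspect binary carries behaviour
    that its source does not. Returns True when the suspect passes."""
    stage1 = compile_with(trusted_cc, cc_src)
    stage2 = compile_with(stage1, cc_src)
    self_built = compile_with(suspect_cc, cc_src)
    return stage2 == self_built

HONEST_CC = {"image": _image(CC_SRC), "backdoor": False, "trojan": False}
TROJANED_CC = {**HONEST_CC, "trojan": True}   # same source, different binary

if __name__ == "__main__":
    login = compile_with(TROJANED_CC, LOGIN_SRC)
    print("login built by trojaned cc has backdoor:", login["backdoor"])
    print("trojaned cc passes DDC:", diverse_double_compile(TROJANED_CC, HONEST_CC, CC_SRC))
    print("honest cc passes DDC:", diverse_double_compile(HONEST_CC, HONEST_CC, CC_SRC))
```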
