1 Lecture 7 Security Problems and Virus

Upload: baldric-campbell

Post on 26-Dec-2015


1

Lecture 7

Security Problems and Virus

2

Contents

How things go wrong
- Change in environment
- Bound and syntax checking
- Convenient but dangerous design features
- Escapes from controlled invocation
- Bypass at a lower layer
- Flaws in protocol implementation

Virus
- What is a Computer Virus?
- Virus Effects
- Virus Infections
- Virus Components
- Virus Types

3

The Mad Hacker

- Occurred in 1987, OS was VME/B
- For backups, there existed a user that owned all file descriptors
- This user had no restrictions --- a bug allowed the flaw to be exploited
- A VME/B sys admin figured it out
- Attacked many systems, deleted files, etc.
- He left messages from "The Mad Hacker"

4

CTSS

- CTSS: an early time-sharing system
- In a famous incident, the password file appeared as the message of the day
- How could this happen?
- Only one "manager" at a time --- later changed to allow multiple managers
- This led to an unexpected problem…

5

CTSS

One SCRATCH file, two managers:
(figure: Msg file, Pwd file, and a single shared SCRATCH file)

6

CTSS

One SCRATCH file, two managers:
1. First manager edits: SCRATCH = MSG
(figure: the Msg file is copied into SCRATCH for editing)

7

CTSS

One SCRATCH file, two managers:
1. First manager edits: SCRATCH = MSG
2. Second manager edits: SCRATCH = PWD
(figure: the Pwd file is copied into SCRATCH, overwriting the Msg copy)

8

CTSS

One SCRATCH file, two managers:
1. First manager edits: SCRATCH = MSG
2. Second manager edits: SCRATCH = PWD
3. First manager saves: MSG = PWD
(figure: SCRATCH, which now holds the Pwd file, is saved back as the Msg file)
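The three steps above, replayed as a small model so the failure can be seen and compared with the fix. This is an added example, not code from the lecture or from CTSS: two editors each copy their target file into a scratch file, edit it, and save it back; with a single well-known scratch path the second editor's copy clobbers the first's, and the first editor's save writes the password file over the message of the day. The per-session fix gives each editor its own unique scratch file (tempfile.mkstemp). File names, contents and class names are constructed for the demonstration.

```python
"""Added example (not from the lecture): the CTSS message-of-the-day
incident modelled as a shared-scratch-file race, beside the fix of a
private scratch file per editing session."""
import os
import tempfile

MSG_TEXT = "Welcome to CTSS. Maintenance tonight at 22:00."  # constructed
PWD_TEXT = "root:CONSTRUCTED-PASSWORD-HASH"                     # constructed


class Editor:
    """Models a CTSS-style editor: copy the target into a scratch file,
    edit the scratch copy, then save the scratch copy back over the target."""

    def __init__(self, workdir, target, scratch_path=None):
        self.target = os.path.join(workdir, target)
        if scratch_path is None:
            # Fixed design: a unique scratch file for this session only.
            fd, scratch_path = tempfile.mkstemp(dir=workdir, prefix="scratch-")
            os.close(fd)
        # Flawed design: the caller passes the one shared SCRATCH path.
        self.scratch = scratch_path

    def open(self):
        with open(self.target) as src, open(self.scratch, "w") as dst:
            dst.write(src.read())

    def save(self):
        with open(self.scratch) as src, open(self.target, "w") as dst:
            dst.write(src.read())


def run_session(workdir, shared_scratch):
    """Replay the three steps of the slides; return the final MSG content."""
    msg = os.path.join(workdir, "MSG")
    pwd = os.path.join(workdir, "PWD")
    with open(msg, "w") as f:
        f.write(MSG_TEXT)
    with open(pwd, "w") as f:
        f.write(PWD_TEXT)

    scratch = os.path.join(workdir, "SCRATCH") if shared_scratch else None
    first = Editor(workdir, "MSG", scratch)
    second = Editor(workdir, "PWD", scratch)

    first.open()    # 1. SCRATCH = MSG
    second.open()   # 2. SCRATCH = PWD (overwrites the shared copy)
    first.save()    # 3. MSG = SCRATCH
    with open(msg) as f:
        return f.read()


def demo(shared_scratch):
    """Run one session in a throwaway directory and return MSG's content."""
    with tempfile.TemporaryDirectory() as workdir:
        return run_session(workdir, shared_scratch)


if __name__ == "__main__":
    print("shared scratch :", demo(shared_scratch=True))   # password text
    print("private scratch:", demo(shared_scratch=False))  # message text
```

The lesson generalises beyond CTSS: any fixed, shared temporary path is a race waiting for a second concurrent user, which is why tempfile.mkstemp creates the file with a unique name and returns an already-open descriptor.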

9

fingerd daemon bug

- fingerd is a server that provides a network interface to the finger program
- This interface allows finger to display information about remote users
- UNIX fingerd did not check the length of its input
- Buffer overflow
- Morris Worm exploited this to open a remote connection via TCP

10

VMS login

- Buffer overflow in login
- User could specify machine by Username/DEVICE = <machine>
- Length of <machine> not checked
- Buffer overflow
- Could be exploited so that a user could set their own privilege level

11

rlogin bug

Unix login:
    login [-p] [-h <host>] [[-f] <user>]
Where -f forces login (no password)

Unix rlogin:
    rlogin [-l <user>] <machine>
Uses login with the first argument on <machine>

    rlogin -l -froot machine

results in

    login -froot machine
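The slide is an instance of missing syntax checking: a value meant to be a user name is forwarded verbatim and is then read by login as an option. The following is an added example, not rlogin's or login's code; it models login's option parsing as given on the slide, shows the unchecked construction of the remote command line beside a version that validates the user name against a conventional Unix name shape before it is placed on the command line, and its helper names are its own.

```python
"""Added example (not from the lecture): a user-supplied value becoming an
option on the remote side, and the syntax check that prevents it."""
import re

# Conventional Unix user-name shape: a letter or underscore, then letters,
# digits, underscore or hyphen. Nothing starting with '-' can match, so a
# validated name can never be mistaken for an option.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def remote_login_argv_unchecked(user):
    """Flawed construction (the slide's rlogin): the -l value is forwarded
    verbatim as login's first argument."""
    return ["login", user]


def remote_login_argv_checked(user):
    """Fixed construction: reject any name that fails the syntax check
    before it reaches the remote command line."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"invalid user name: {user!r}")
    return ["login", user]


def parse_login_argv(argv):
    """Minimal model of login's options on the slide, [-p] [-h <host>]
    [[-f] <user>]. Returns (user, forced) as login would understand them."""
    args = argv[1:]
    forced = False
    user = None
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-p":
            i += 1
        elif a == "-h":
            i += 2                      # skip the host value
        elif a.startswith("-f"):
            forced = True               # -f alone, or -f<user> glued together
            if len(a) > 2:
                user = a[2:]
            i += 1
        else:
            user = a
            i += 1
    return user, forced


def demo(user):
    """Return how login interprets the request built without and with the
    syntax check; the checked variant reports the rejection instead."""
    unchecked = parse_login_argv(remote_login_argv_unchecked(user))
    try:
        checked = parse_login_argv(remote_login_argv_checked(user))
    except ValueError as e:
        checked = ("rejected", str(e))
    return unchecked, checked


if __name__ == "__main__":
    for u in ["alice", "-froot"]:
        print(f"rlogin -l {u} machine ->", demo(u))
```

The allow-list check is the general remedy for this class of bug: decide what a field may look like and reject everything else, rather than trying to enumerate the dangerous values (here just "-f", but the same field would also turn "-h" into an option).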

12

Sendmail "feature"

- Sendmail debug option
- Substitute commands for the username in mail; they are executed on the host by sendmail
- Used to check a remote configuration without bothering the administrator
- Debug option often left on
- Exploited by Morris Worm

13

VAX/VMS bug

Access control info stored in Auth File

    Caller: Request Set Auth File (parameters)
    System: Open Auth File
            Read Caller's Authorization
            if authorized then return(true);
            else return(false);

Problem? File not closed

14

AS/400 machine language

- System security levels 10, 20, …, 50
- Machine language programs not subject to security controls
- Intended use: to speed up programs
- Attackers could write such code
- AS/400 then attempted to detect "bad" commands
- Attackers overwrote the table used for checking

15

at bug

- Unix command at <time> -f<file> runs commands at <time>
- Request put into /usr/spool/atjobs
- Bug: at does not check if <file> is readable by the user
- Feature: spool directory readable by the user who created the entry
- Result: at <time> -f/etc/shadow gives access to the password file
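The missing check on the slide is "is <file> readable by the requesting user, not by the privileged at daemon". The following is an added example, not the at(1) source: it writes that decision as a pure function over Unix permission bits (owner class if the uid matches, otherwise group class if the file's gid is among the requester's groups, otherwise the other class; uid 0 may read anything) so it can be exercised on constructed stat data. Type and function names are this example's own.

```python
"""Added example (not from the lecture): the readability check a
privileged spooler must make on behalf of the requesting user."""
import stat
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class FileInfo:
    """The stat(2) fields the decision needs (constructed, not a real stat)."""
    mode: int
    uid: int
    gid: int


@dataclass(frozen=True)
class Requester:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()


def user_can_read(info: FileInfo, who: Requester) -> bool:
    """Classic Unix rule: exactly one permission class applies, chosen by
    owner, then group, then other; root bypasses the check."""
    if who.uid == 0:
        return True
    if who.uid == info.uid:
        return bool(info.mode & stat.S_IRUSR)
    if who.gid == info.gid or info.gid in who.groups:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)


def accept_at_job(info: FileInfo, who: Requester) -> bool:
    """What at should do before spooling: refuse a -f file that the
    requester could not have read directly."""
    return user_can_read(info, who)


# Constructed samples: a shadow-style password file owned root:shadow with
# mode 0640, and an ordinary script owned by the user with mode 0644.
SHADOW = FileInfo(mode=0o640, uid=0, gid=42)
SCRIPT = FileInfo(mode=0o644, uid=1000, gid=1000)
ALICE = Requester(uid=1000, gid=1000)
BACKUP_OPERATOR = Requester(uid=1001, gid=1001, groups=frozenset({42}))


if __name__ == "__main__":
    print("alice, shadow   :", accept_at_job(SHADOW, ALICE))            # False
    print("alice, script   :", accept_at_job(SCRIPT, ALICE))            # True
    print("operator, shadow:", accept_at_job(SHADOW, BACKUP_OPERATOR))  # True
```

A check based on a stat result is only the first half of the fix: between the check and the later privileged read the file could be replaced (a time-of-check/time-of-use race). The robust pattern is for the spooler to open the file with the requester's credentials at submission time and copy its contents into the spool, so that the later privileged execution never opens a user-named path at all.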

16

TCP authentication

Alice -> Bob: SYN, SEQ a
Bob -> Alice: SYN, ACK a+1, SEQ b
Alice -> Bob: ACK b+1, data

Note: Initial sequence numbers are supposed to be unpredictable

17

TCP authentication attack

Participants: Alice, Bob (server), Trudy (attacker)

1. Trudy -> Bob: SYN, SEQ t (as Trudy)
2. Bob -> Trudy: SYN, ACK t+1, SEQ b1
3. Trudy -> Bob: SYN, SEQ t (as Alice)
4. Bob -> Alice: SYN, ACK t+1, SEQ b2
5. Trudy -> Bob: ACK b2+1, data (as Alice; Trudy never sees b2 and must predict it from b1)

18

TCP authentication attack

- Trudy cannot see what Bob sends, but she can send packets to the server Bob as Alice
- Trudy must prevent Alice from receiving Bob's packets (or Alice will terminate the connection)
- If a password (or other authentication) is required, this attack fails
- If TCP itself is used for authentication, then the attack succeeds
- Bad idea to rely on TCP for authentication
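Step 5 of the attack only works if b2 can be predicted from b1, which is exactly what the note "initial sequence numbers are supposed to be unpredictable" forbids. As an added example (not from the lecture), the block below compares a counter-style ISN generator, which models the fixed-increment behaviour the attack relies on, with the keyed construction of RFC 6528, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), where M is a clock and F a keyed hash (HMAC-SHA256 is this example's choice of F). A small test function asks whether an observer who has seen consecutive ISNs can compute the next one. Addresses, ports and the key are constructed.

```python
"""Added example (not from the lecture): predictable versus keyed initial
sequence numbers, and a check for the predictability the attack needs."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


def naive_isn_sequence(start, step, count):
    """Predictable: each new connection gets the previous ISN plus a fixed step."""
    return [(start + i * step) & MASK32 for i in range(count)]


def isn_rfc6528(local, remote, key, clock):
    """local and remote are (ip, port) tuples; clock is the M term (an
    integer counter standing in for the RFC's 4-microsecond timer)."""
    lip, lport = local
    rip, rport = remote
    msg = f"{lip}:{lport}|{rip}:{rport}".encode()
    f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")
    return (clock + f) & MASK32


def constant_stride(isns):
    """True if every consecutive difference is the same, i.e. someone who
    saw two ISNs can compute the next one (the slide's b2 from b1)."""
    diffs = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(diffs) == 1


def demo():
    """Return (naive predictable?, keyed predictable?) for four back-to-back
    connections from different client ports to the same server."""
    key = b"constructed-secret-key-not-for-real-use"
    bob = ("192.0.2.10", 513)                                  # constructed
    peers = [("198.51.100.7", 40000 + i) for i in range(4)]    # constructed
    clock = 1_000_000
    # Connections arrive back to back, so the clock term barely moves; the
    # per-connection F term is what keeps the keyed ISNs apart.
    keyed = [isn_rfc6528(bob, p, key, clock + i) for i, p in enumerate(peers)]
    naive = naive_isn_sequence(start=123456, step=64000, count=4)
    return constant_stride(naive), constant_stride(keyed)


if __name__ == "__main__":
    naive_pred, keyed_pred = demo()
    print("counter ISNs predictable:", naive_pred)   # True
    print("keyed ISNs predictable  :", keyed_pred)   # False
```

Even with unpredictable ISNs the slide's conclusion stands: the sequence number only makes blind spoofing impractical, it does not identify the peer, so authentication still has to happen above TCP.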

19

What is a Computer Virus?

To be defined as a virus, a program must:
- Replicate itself in order to carry out a mission.
- Be dependent on a "host" to carry out the mission.
- Create damage to the computer system "infected".

"A computer virus is an exact cybernetic analogy to its biological reference."

There are more than 20,000 different computer viruses.

20

Simple Definition

A virus is a program which reproduces itself, hides in other computer code without permission and does nasty or undesirable things, not intended by its victim.

Computer viruses are malicious programs that infect a computer system, causing various problems with its use. They replicate and attach themselves to programs in the system.

21

Virus Effects

- Trivial: simply reproduces or displays messages.
- Minor: alters or deletes infected files.
- Moderate: wipes out an entire disk drive.
- Major: slowly corrupts data with a pattern, making restoration difficult.
- Severe: slowly corrupts data without a pattern, making restoration impossible.
- Unlimited: a virus which discovers the system administrator's password and mails it to one or more users, tempting them to use it for illegal purposes.

22

How Virus Infections Spread

Virus infections spread by:
- Inserting a disk with an infected program and then starting the program.
- Downloading an infected program from the Internet.
- Being on a network with an infected computer.
- Opening an infected e-mail attachment.

23

Virus Components

- The Replication mechanism: allows the virus to copy itself
- The Protection mechanism: hides the virus from detection
- The Trigger: mechanism which will set off the payload
- The Payload: effect of the virus

24

Virus Types

Viruses are classified by the portion of the system they affect. There are five main types:
- Boot Viruses
- File Viruses
- Multi-partite Viruses
- Polymorphic Viruses
- Macro Viruses

25

Boot Viruses

- Infect the boot block on a floppy or hard disk.
- Usually replace the boot block with all or part of a virus program.
- Most have trigger dates; when booted on that day, severe damage will be done.
- Virus loads into memory and infects other disks.
- Execute each time the computer is started.
- May lead to the destruction of all data.
- Example is Michelangelo: on March 6 (Michelangelo's birthday) garbage is written through the entire drive.

26

(figure: the PC boot sequence as the lecture draws it: ROM BOOT, Master Boot sector, DOS Boot sector, IO.SYS, MSDOS.SYS, AUTOEXEC.BAT)

27

Infection pattern with a boot virus

(figure: the Master Boot sector or Boot sector is replaced by viral code, and the original boot sector is moved to another location on the disk)

28

File Viruses (Parasitic)

- Infect .EXE or .COM files.
- Usually append the virus code to the file; newer versions hide the virus.
- Damage is done when the program is run, and the virus will attach to other files.
- Attach themselves to program files.
- Spread to other programs on the hard drive.
- Are the most common type of virus.
- Example is Friday the 13th: if the date matches Friday the 13th when the virus is executed, all .EXE files are deleted.

29

Multi-partite Viruses

- Infect both boot blocks and executable files.
- Combine the capabilities of boot viruses and file viruses.
- Example is Tequila: will display graphics and text rather than running programs.

30

Polymorphic Viruses

- Can infect the boot sector, files or both.
- Is self-modifying: changes each time it infects a file or disk.
- Very difficult to detect and remove.
- Example is Tremor, which triggers 3 months after infection and displays "-MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-" with every warm boot.

31

Macro Viruses

- Infect the automatic command capabilities of productivity software.
- Attach themselves to the data files in word processing, spreadsheet, and database programs.
- Spread when the data files are exchanged between users.
- Carried in data files for Microsoft Word documents.
- Example is Concept, which will infect the global template and all files loaded from then on. Was distributed by Microsoft on a CD-ROM called Microsoft Windows 95 Software Compatibility Test.

32

Time Bombs

- Are also called logic bombs.
- Are harmless until a certain event or circumstance activates the program.

33

Computer Trojans

Computer Trojans are simply malicious computer programs disguised as something useful. The major difference between viruses and Trojans is that viruses reproduce, while a Trojan is just a one-time program which executes its payload as soon as the Trojan is run. Trojans are the most common way of bringing a virus into a system. A current example of a Trojan is a program called pkz300b.exe which disguises itself as an archiving utility, but when run it will delete your entire hard drive.

34

Computer Worms

Computer Worms are reproducing programs that run independently and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus is dependent upon a host file or boot sector, and on the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections. An example of a worm is the famous Internet worm of 1988: overnight the worm copied itself across the Internet, infecting every Sun-3 and VAX system with so many copies of itself that the systems were unusable. Eventually several sites disconnected themselves from the Internet to avoid reinfection.

35

Virus Prevention

- Never use a "foreign" disk or CD-ROM without scanning it for viruses.
- Always scan files downloaded from the Internet or bulletin boards.
- Never boot your PC from a floppy unless you are certain it is virus free.
- Write-protect your disks to prevent viruses from reproducing onto your disks.
- Use licensed software from a reputable dealer.
- Password-protect your PC to prevent copying of files in your absence.
- Make regular backup copies of all your work and system configurations.
- Install and use anti-virus software regularly.
- Update your anti-virus software regularly so it can detect new viruses.

36

Cryptographic Checksum

- It is a standard integrity protection technique.
- A checksum is computed for a clean version of a file to be protected.
- The checksum is stored in a secure place.
- Advantage: it does not need to know what the virus is.
- Disadvantage: it does not know what the virus is either; it only reports that the file has changed.
- Vulnerability: when the checksum is recomputed, an already infected file may be accepted as the new clean version.

37

Antivirus Programs

- Antivirus programs are called vaccines or virus checkers.
- They use pattern-matching techniques to examine program files for patterns of virus code.
- Two drawbacks:
  - They cannot find viruses not in their database.
  - They cannot find new viruses that alter themselves to evade detection.
- Use antivirus programs that offer frequent updates and monitor system functions.
- Check disks that were used on another system for viruses.
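The two detection approaches of the last two slides, the cryptographic checksum and the pattern-matching virus checker, side by side on constructed sample files. This is an added example, not code from the lecture or from any antivirus product: the signature scanner finds exactly the byte pattern in its database and misses a variant that differs by one byte, while the checksum table catches both changes without knowing what they are, yet accepts everything once it is recomputed over the already-modified files. File names, contents and the "signature" are all constructed.

```python
"""Added example (not from the lecture): signature scanning versus a
stored cryptographic checksum table, with the drawbacks of each."""
import hashlib
from typing import Dict, List

# Constructed: the one byte pattern the scanner's database knows about.
SIGNATURE_DB = {"demo-marker": b"DEMO-MARKER-1"}

# Constructed "clean" files believed to be free of modification.
CLEAN = {
    "prog.exe": b"MZ\x90\x00 constructed program image",
    "notes.txt": b"quarterly notes, constructed",
}


def scan_for_signatures(data: bytes, db: Dict[str, bytes]) -> List[str]:
    """Return the names of the database patterns found in data."""
    return [name for name, pattern in db.items() if pattern in data]


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Compute the checksum table for files believed to be clean. In
    practice the table must live where the checked system cannot alter
    it (offline media or a separate host), per the slide's "secure place"."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify(files: Dict[str, bytes], table: Dict[str, str]) -> List[str]:
    """Return the files whose current checksum differs from the baseline."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != table.get(name))


def demo() -> dict:
    """Run both detectors over two constructed modifications of prog.exe."""
    table = baseline(CLEAN)
    # Constructed modifications: the known pattern appended, and a variant
    # with one byte changed (the "alters itself to evade detection" case).
    known = dict(CLEAN, **{"prog.exe": CLEAN["prog.exe"] + b"DEMO-MARKER-1"})
    variant = dict(CLEAN, **{"prog.exe": CLEAN["prog.exe"] + b"DEMO-MARKER-2"})
    return {
        "sig_known": scan_for_signatures(known["prog.exe"], SIGNATURE_DB),
        "sig_variant": scan_for_signatures(variant["prog.exe"], SIGNATURE_DB),
        "sum_known": verify(known, table),
        "sum_variant": verify(variant, table),
        # The slide's vulnerability: recomputing the baseline over the
        # modified files makes them the new "clean" state.
        "sum_rebased": verify(variant, baseline(variant)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:12s}: {result}")
```

The two techniques are complementary: the checksum table tells you that prog.exe changed and must be investigated, the signature database tells you what was found when it matches, and neither helps once its own reference data (the table or the database) is allowed to go stale or is rebuilt from an untrusted state.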

38

Summary

How things go wrong
- Change in environment
- Bound and syntax checking
- Convenient but dangerous design features
- Escapes from controlled invocation
- Bypass at a lower layer
- Flaws in protocol implementation

Virus
- What is a Computer Virus?
- Virus Effects
- Virus Infections
- Virus Components
- Virus Types