1 Viruses and Worms

Upload: erick-hutchinson

Post on 12-Jan-2016


Page 1: 1 Viruses and Worms. ECE 41122 Agenda How viruses work Virus detectors How worms work Example viruses/worms  Melissa  Morris  My_SQL Lab discussion

1

Viruses and Worms


ECE 4112 2

Agenda

• How viruses work
• Virus detectors
• How worms work
• Example viruses/worms
  – Melissa
  – Morris
  – My_SQL
• Lab discussion


ECE 4112 3

Viruses

• Propagates to other programs by modifying them
• Copies the virus code to other programs
• Viruses have to be activated to work
• Attachment to programs/files by
  – appending (add-on)
  – surrounding (shell)
  – integration (intrusive)
  – replacement (intrusive)


ECE 4112 4

Desirable Characteristics of Viruses (from the virus writer's point of view)

• Hard to detect
• Hard to destroy/deactivate
• Spreads widely
• Can re-infect
• Easy to create
• Machine independent


ECE 4112 5

Locations of Viruses (1)

• Boot sector
  – placed in boot sector location
  – moves bootstrap loader, chains to it
• Memory-resident
  – TSR -- terminate and stay resident routine
• Application program
• Libraries


ECE 4112 6

Locations of Viruses (2)

• Macros
  – executable program inside a document
  – platform independent
  – infects documents, not executable files
  – common propagation via email


ECE 4112 7

Tactics of Viruses

• Polymorphism
  – change the signature
  – increase difficulty of detection
• Stealth
  – attributes that help hide the virus
  – example: compress the file so the size is the same as the uninfected file


ECE 4112 8

Life-Cycle of Viruses

• Dormant Phase (optional)
  – virus is idle
  – waits for trigger event
• Propagation Phase
  – virus copies itself to other files
• Triggering Phase
  – virus is activated by system event
• Execution Phase
  – function of virus is performed


ECE 4112 9

MS-DOS Example

• ROM BIOS routines
• master boot record (MBR) execution
• boot sector code execution
• IO.SYS, MSDOS.SYS execution
• CONFIG.SYS execution
• COMMAND.COM execution
• AUTOEXEC.BAT execution


ECE 4112 10

MS-DOS Example

• ROM BIOS routines
  – cannot be infected
• master boot record (MBR) execution
  – can be infected
  – replace with virus that chains to orig. MBR
• boot sector code execution
  – common target
  – capture control of system before virus scanners operate


ECE 4112 11

MS-DOS Example

• IO.SYS, MSDOS.SYS execution
  – can be infected
• CONFIG.SYS execution
  – can be infected
• COMMAND.COM execution
  – can be infected
  – Lehigh virus
• AUTOEXEC.BAT execution
  – can be infected


ECE 4112 12

Detection of Viruses

• Program’s functionality impaired
• File size changes
• Virus at beginning of code -or-
• “Jump” instructions to location of virus
• Signatures


ECE 4112 13

Prevention

• Use software from trusted sources
• Use checksums to ensure downloaded software is the correct version
• Test new/suspicious item on isolated machine
• Make bootable disk
• Backup copies of system files
• Employ and update virus detectors
• Disable macro execution


ECE 4112 14

Virus Detector Examples

• Norton Anti-virus (Symantec)
• VirusScan (McAfee Security)
• eTrust EZ Anti-virus (Computer Associates)
• Protector Plus (Proland Software)
• AVG Anti-virus (free version available)


ECE 4112 15

Virus Detector Functions

• Detection
  – post-infection
  – locate virus
• Identification
  – ID type of virus
• Removal
  – remove virus (repair/delete infected files)
  – restore system to original state


ECE 4112 16

Detecting Viruses

• Signatures
• Heuristics
  – look for code fragments (ex: encryption loop)
  – integrity checking (checksum)
• Virus Activity
  – look for actions instead of signatures
  – done by memory-resident program
• Generic Decryption
  – create virtual machine
  – run target code on it to see if it is a virus
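Added example, not from the slides: a minimal implementation of two of the detection methods listed on this slide and on the earlier "Detection of Viruses" slide, integrity checking (file size and checksum against a clean baseline) and byte-signature scanning. The program file is constructed in a temporary directory and DEMO_VIRUS_MARKER is a made-up signature.

```python
"""Added example (not from the slides): an integrity checker plus a byte-signature
scan, showing two detection methods from the slides above, integrity checking
(size and checksum) and signature matching. The program file and the signature
are constructed in a temporary directory; DEMO_VIRUS_MARKER is a made-up string."""
import hashlib
import os
import tempfile

# Hypothetical signature table: name -> byte pattern the scanner looks for.
SIGNATURES = {"demo-appender": b"DEMO_VIRUS_MARKER"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record (size, sha256) per file while the system is known clean."""
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}


def check_integrity(baseline):
    """Return files whose size or hash no longer matches the baseline. The size check
    is the cheap signal; the hash also catches a stealth virus that keeps the size equal."""
    return [p for p, (size, digest) in baseline.items()
            if os.path.getsize(p) != size or sha256_of(p) != digest]


def scan_signatures(path):
    """Return the names of all signatures whose byte pattern occurs in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, sig in SIGNATURES.items() if sig in data]


def demo():
    """Simulate an appending (add-on) infection of a clean file and run both checks."""
    tmp = tempfile.mkdtemp()
    prog = os.path.join(tmp, "prog.bin")
    with open(prog, "wb") as f:
        f.write(b"\x7fELF clean program body")
    baseline = build_baseline([prog])
    with open(prog, "ab") as f:          # virus code appended to the host file
        f.write(b"DEMO_VIRUS_MARKER")
    return check_integrity(baseline), scan_signatures(prog)
```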


ECE 4112 17

Defeat the Virus Detector

• Polymorphism
• Stealth
• Encryption
• Delete/corrupt key detector files
• Load virus before detector execution


ECE 4112 18

Worms

• Can run independently (don’t require program execution)
• Propagates over network connections
  – via electronic mail
  – via remote execution capability
  – via remote login capability
• Doesn’t have to alter programs
• Can carry virus code that does


ECE 4112 19

Worm Tactics

• Determine where to spread (examine host tables or similar data of remote system addresses)
• Establish connection and copy itself to other systems (can also determine if target system already infected)
• Cause the copy to run
• Remain hidden as best as possible


ECE 4112 20

Defend Against Worms

• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected


21

Example Viruses and Worms

Melissa
Morris
My_SQL


ECE 4112 22

Melissa Virus

• What is it?
  – Microsoft Word macro virus
  – Written in Visual Basic
• What does it do?
  – Infects Microsoft Word 97 and 2000 docs
  – Uses MS Outlook to email itself out to first 50 users


ECE 4112 23

Melissa Virus (cont)

• Systems Affected
  – Machines with Microsoft Word 97 or 00
  – Any mail handling system could experience performance issues or DoS as a result of propagation through email, but only from users with Microsoft Outlook
  – MacOS not affected, however it can be stored on MacOS


ECE 4112 24

Melissa Virus (cont)

• Description
  – Propagates through email
  – Subject: “Important Message From <name>”
  – Body: “Here is the document you asked for … don’t show anyone else ;-)”
  – Attachment named list.doc or actual documents created by the victim


ECE 4112 25

Melissa Virus (cont)

• Upon Execution
  – Turns off macro detection
  – Checks registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" for the value “… by Kwyjibo”
  – If the key doesn’t exist or have that value, it propagates, then changes the registry key
  – Keeps the virus from repeatedly propagating every time an infected item is opened


ECE 4112 26

Melissa Virus (cont)

• Execution (cont)
  – Infects Normal.doc template
  – If (minute of the hour == day of the month) it inserts "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current document (Simpsons quote)


ECE 4112 27

Melissa Virus (cont)

• Impact
  – Possible DoS on mail servers
  – Users with macros enabled will effectively infect any new document they create
• Solutions
  – Block messages with virus signature at mail transfer agents
  – Disable all macros in Microsoft Word
  – Use virus scanning utilities
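Added example, not from the slides: a mail-transfer-agent filter for the Melissa traits given on the description slide (subject line, body text, .doc attachment), i.e. the first of the solutions listed above. Both messages are constructed here; no real sample is used and the attachment is harmless filler bytes.

```python
"""Added example (not from the slides): a mail-transfer-agent filter for the Melissa
traits listed above (subject line, body text, .doc attachment), which is the first
of the solutions on the slide. The messages are constructed here; no real sample
is used and the attachment is harmless filler bytes."""
import re
from email.message import EmailMessage

SUBJECT_RE = re.compile(r"^Important Message From .+", re.IGNORECASE)
BODY_MARKER = "here is the document you asked for"


def melissa_indicators(msg):
    """Return the Melissa traits present in an EmailMessage."""
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc"):
            hits.append("doc-attachment:" + name)
    return hits


def should_block(msg):
    """Block only when the subject matches and a Word document is attached; the
    subject or body text alone would also catch legitimate mail."""
    hits = melissa_indicators(msg)
    return "subject" in hits and any(h.startswith("doc-attachment") for h in hits)


def constructed_sample(infected=True):
    """Build a message that carries the traits (or a clean one when infected=False)."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "friend@example.com"
    if infected:
        msg["Subject"] = "Important Message From victim"
        msg.set_content("Here is the document you asked for ... don't show anyone else ;-)")
        msg.add_attachment(b"filler, not a real document", maintype="application",
                           subtype="msword", filename="list.doc")
    else:
        msg["Subject"] = "Lunch on Friday?"
        msg.set_content("Are you free at noon?")
    return msg
```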


ECE 4112 28

Morris Worm

• One of the earliest documented cases (Nov 2nd, 1988)
• Systems
  – Sun Microsystems Sun 3
  – DEC VAX systems


ECE 4112 29

Morris Worm

• Two main parts:
  – Bootstrap or Vector Program (Initialize)
    – Acts as a hook. It is injected first. Contacts the infected “server” and uploads the main program.
    – Then compiles and runs the main program
  – Main Program (Doit)
    – Collected data on other networked machines to which the current machine could connect
    – Then used three main attacks to infect other systems with the bootstrap


ECE 4112 30

Morris Worm (cont)

• Fingerd and gets
  – Overran the finger command input buffer – overwrote the stack
  – On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack
• Sendmail
  – Issued a DEBUG option often left usable by admins for testing the mail service.
  – Gained access to mail server and onto the system, then continued with infection of system


ECE 4112 31

Morris Worm (cont)

• Passwords
  – Worm read through /etc/hosts.equiv and /.rhosts to find names of other machines
  – Also read /etc/passwd and .forward for account information
  – Then attempted to crack passwords using several different methods


ECE 4112 32

Morris Worm (cont)

• Passwords (cont)
  – The worm first tried simple choices
    – Account, User Name, Tnuocca (acct backwards), etc. including lower case variations
  – Next it tested the passwords against an internal dictionary of 432 words
  – Finally, it tested the passwords against an online dictionary using upper and lower case variations
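Added example, not from the slides: the defender's counterpart to the three password stages above, a password-acceptance check that rejects, in the same order, choices derived from the account record (account name, user name, reversed account name, with case variations) and then words from a list. The account record and WORD_LIST are constructed; the worm's own 432-word list is not reproduced.

```python
"""Added example (not from the slides): a password-acceptance check that rejects, in
the same order, the guess classes the Morris worm worked through above: choices
derived from the account record (account name, user name, account name reversed,
with case variations) and then a word list. The account record and WORD_LIST are
constructed; the worm's own 432-word list is not reproduced."""

# Constructed stand-in for the internal dictionary (the real one had 432 words).
WORD_LIST = {"password", "secret", "welcome", "letmein"}


def trivial_choices(account, full_name):
    """Guesses derived from the account record: account name, its reverse, the
    user's full name and each part of it, all lower-cased."""
    words = {account, account[::-1], full_name}
    words.update(full_name.split())
    return {w.lower() for w in words if w}


def rejection_reason(password, account, full_name, word_list=WORD_LIST):
    """Return why a password is rejected, or None if it survives every stage.
    Lower-casing both sides covers the upper/lower case variations the worm tried."""
    if not password:
        return "empty password"
    p = password.lower()
    if p in trivial_choices(account, full_name):
        return "derived from account or user name"
    if p in word_list:
        return "dictionary word"
    return None
```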


ECE 4112 33

Morris Worm (cont)

• Solution
  – Worm halted because of informal communication between system admins and research community
  – Prompted DARPA to create CERT (Computer Emergency Response Team)


ECE 4112 34

Morris Worm – Log of Events

• All the following events occurred on the evening of Nov. 2, 1988.
  – 6:00 PM At about this time the Worm is launched.
  – 8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)
  – 9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX
  – 9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
  – 9:41 PM The load average reaches 7
  – 10:01 PM The load average reaches 16
  – 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  – 10:20 PM The system administrator kills off the worms
  – 10:41 PM The system is re-infected and the load average reaches 27
  – 10:49 PM The system administrator shuts down the system. The system is subsequently restarted
  – 11:21 PM Re-infestation causes the load average to reach 37.
• In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.


ECE 4112 35

My SQL Worm

• What is it?
  – Self-propagating code that exploits a vulnerability in MS SQL Server 2000 and MSDE 2000
• What does it do?
  – Propagation caused varied levels of network degradation


ECE 4112 36

My SQL Worm (cont)

• Systems Affected
  – Microsoft SQL Server 2000
  – Microsoft Desktop Engine (MSDE) 2000
• Description
  – Exploits a vulnerability that allows for execution of arbitrary code on the SQL Server due to a stack buffer overflow
  – Once it compromises, it tries to propagate


ECE 4112 37

My SQL Worm (cont)

• Description (cont)
  – Worm crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/UDP
  – If sent to a vulnerable machine, the machine will become infected and also begin to propagate


ECE 4112 38

My SQL Worm (cont)

• Impact
  – Compromise confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as local SYSTEM user
  – High volume of 1434/UDP traffic may lead to performance issues (including possible DoS)


ECE 4112 39

My SQL Worm (cont)

• Solution
  – Apply a patch
  – Ingress/Egress filtering for messages on systems already infected
  – Block port 1434/UDP
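Added example, not from the slides: detection logic for the propagation traffic described on the preceding slides (376-byte datagrams to 1434/UDP at random addresses) run over constructed flow records, together with the egress-filtering rule from the solution list above. A source is flagged only when its matching datagrams reach several distinct destinations, which separates the worm's scanning from a single legitimate SQL Server browser query. The flow records and IP addresses are made up.

```python
"""Added example (not from the slides): detection of the propagation traffic
described above, run over constructed flow records, plus the egress block from
the solution slide. A source is flagged when its 376-byte UDP datagrams to port
1434 reach several distinct destinations, the random scanning pattern of the
worm rather than a single SQL Server browser query. The flows and IPs are made up."""
from collections import defaultdict

# Constructed flow records: (time, src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("10:00:01", "10.0.0.5", "203.0.113.9", "UDP", 1434, 376),
    ("10:00:01", "10.0.0.5", "198.51.100.2", "UDP", 1434, 376),
    ("10:00:02", "10.0.0.5", "192.0.2.77", "UDP", 1434, 376),
    ("10:00:02", "10.0.0.5", "192.0.2.78", "UDP", 1434, 376),
    ("10:00:03", "10.0.0.5", "192.0.2.79", "UDP", 1434, 376),
    ("10:00:03", "10.0.0.12", "10.0.0.20", "UDP", 1434, 64),    # ordinary 1434/UDP query
    ("10:00:04", "10.0.0.12", "10.0.0.20", "TCP", 1433, 1500),  # ordinary SQL session
]

WORM_PROTO, WORM_PORT, WORM_LEN = "UDP", 1434, 376


def find_scanners(flows, min_targets=3):
    """Map src_ip -> number of distinct destinations for sources whose 376-byte
    UDP/1434 datagrams reached at least min_targets different hosts."""
    targets = defaultdict(set)
    for _time, src, dst, proto, port, size in flows:
        if proto == WORM_PROTO and port == WORM_PORT and size == WORM_LEN:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def egress_rules(scanners):
    """iptables rules that stop each flagged host from spreading further (the
    egress-filtering step on the solution slide); one rule per infected source."""
    return [f"iptables -A FORWARD -s {src} -p udp --dport 1434 -j DROP"
            for src in sorted(scanners)]
```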


ECE 4112 40

References

• http://www.cs.virginia.edu/~jones/cs551S/slides

• http://www.cert.org/advisories/CA-1999-04.html

• http://www.cert.org/advisories/CA-2003-04.html

• “Security in Computing” by Charles Pfleeger

• “Chapter 6: Computer Viruses” by Eugene Spafford

• “Network Security Essentials” by William Stallings