CIS 442: Chapter 5

Prevention and Defense

Understanding vulnerabilities

• Examples of vulnerabilities or weaknesses:• User apathy• Insufficient security control• Misuse of available security features• Weaknesses in the operating system• Unauthorized use• Anonymity of networks

Steps to protect a system

• (1) identifying vulnerabilities to viruses.• (2) correcting them, and plugging up security

holes, and,• (3) monitoring the results.

Resources for virus prevention• Training seminars• Any decisions pertaining to the acquisition of new software and

hardware should involve security experts• Monitoring user and network activity• Emergency policies must exist and users should be trained in

them• Limited sharing• “no external storage” policy• A company clearinghouse• “installing programs” policy.• Self isolation in an attack• Audit• Backup

Defenses Against Malware• Virus defense should involve:• (1) technical means, some of which are described here• (2) common sense in using your computer, and,• (3) legal means. • Applying all three approaches can keep a user out of

trouble for a long time, although perhaps not forever.• use common sense and be careful in using the

computer• limit transitivity

Anti-Virus Software• How can AV be very useful and can be useless?• In spite of its usefulness, anti-virus software has a

few problems that users should be aware of:• The main problem with anti-virus software, in the

opinion of this author, is that a new virus may spread quickly and infect thousands of computers

worldwide before any anti-virus software makers can isolate and analyze it and issue an update, and certainly before most users can download, install, and run this update.

• It takes perhaps an hour to scan and search an entire disk for viruses, but certain users consider this time period too long.

• The reason anti-virus software is fast is that it knows where in a file each virus is hidden and it checks only those locations.

• A user may use anti-virus software improperly. The software should be set to scan every disk drive, flash memory, CD, and DVD inserted into a drive or plugged into a port in the computer, but it should also be executed on a regular basis to scan the hard drive and all backup disks.

• A file may contain a bit pattern identical or very close to that of a known virus.

• Finally, anti-virus software is effective only against known viruses.

• A continuous integrity checker checks a file each time the file is opened.

• The integrity checker has saved the time T the file was last opened and checked by the integrity checker (the file size was also saved).

• If the file has a modification time different from T (or if its size differs from what it was at time T), the integrity checker raises an alarm.

AV goals or tasks• Ideally, we expect anti-virus software to accomplish the following goals:• To detect all known viruses and malware that already exist in the

computer, advise the user on each occurrence of rogue software discovered, and help the user to delete them.

• To detect unknown viruses• To scan incoming email, all downloaded files, and any removable storage

devices inserted into the computer, and detect all known viruses and malware in them.

• It is not enough to run this type of anti-virus software only from time to time. Instead, it has to be a startup item; it has to be launched automatically (i.e., by the operating system) each time the computer is started or is reset, and it has to reside in memory and be invoked by an interrupt each time any of the following actions takes place: (1) email is examined, (2) a file arrives from the outside, and (3) a new storage device is mounted.

• To record all its activities in a log file. Such a file should be examined by a person, because anti-virus software may accidentally suspect a clean file of harboring a virus and may delete or disinfect it.

• Also, when a virus is found in an incoming email message, the sender has to be notified. Imagine a virus infecting a computer owned by A. The virus searches the computer for email addresses (most personal computers have an address book with names and

email addresses) and sends email messages to every addressee found, with an attachment and some text enticing the receiver to open the attachment.

• When anti-virus software on another computer receives a message from A and discovers a virus in it, A should be notified. Thus, anti-virus operations should not be transparent to the user/owner.

Generic and specific detection methods• Virus-specific detection methods, as their name

implies, look for and identify specific viruses. Most anti-virus software operates this way.

• Generic virus detection techniques don’t look for specific viruses but instead examine the computer (files on the disk and programs in memory) for anything suspicious, unusual, or anomalous.

• A virus preventive technique creates an environment in the computer where viruses hesitate before they enter, or cannot thrive (i.e., execute) once they have entered

AV process challenges or difficulties

• Disassembling a program is much more complex and error-prone than assembling it.– Machine instructions have different sizes– A program is a mixture of instructions and data,

but the assembler translates everything into bits– When a program is written in assembler language,

certain instructions are labeled, so they can be referred to from other places in the program.

• The virus author may include several sections of unnecessary and unused code in the original program, some of it consisting of random numbers, in an attempt to confuse detectives and throw them off the right track.

• The virus may make decisions based on random numbers, it may mutate and it may compress and encrypt itself in different ways, depending on different keys.

• Once the virus code is understood, experts identify certain bit strings that constitute the “signature” of the virus. Anti-virus software that looks for specific viruses will have to look for those strings in executable files.

• Thus, anti-virus software should scan compressed files as an option. If a frequently-used disk has many compressed files and they slow down the anti-virus scan considerably, the owner may consider encrypting them.

• Another problem with disinfecting a file is that the file may contain a bit pattern identical or very close to that of a known virus. Disinfecting such a file (which is clean) leaves a damaged and unusable file. On the other hand, replacing the file with a clean version causes no harm.

• Generic anti-virus software does not look for the signature of any particular virus. Instead, it looks for suspicious activities and nauthorized modifications of operating system routines.

• This kind of software consists of two general types, activity monitors and behavior (or integrity) checkers.

Preventive techniques• Anti-malware organizations maintain useful online

information on recent viruses and other malware• All external disks and removable cartridges, and

most flash memories have a write-protect option.• Operating systems can greatly help in implementing

preventive measures• An open-source operating system has several

advantages, but it also constitutes a preventive measure because it enables programmers to peruse the source code and find security weaknesses.

• The Windows operating system by Microsoft has close ties to several applications, such as Outlook Express and Internet Explorer, also by Microsoft.

• Computers can perform complex tasks, but such tasks require complex programs. Without a program, a computer can do nothing. Programs are steadily becoming more complex and powerful, but are still no substitute for human intelligence.

• Those who are part of an organization sometimes get news, rumors, and warnings about viruses from buddies in the office or elsewhere. Those should be forwarded to the person in charge of security for confirmation

• Obviously, an attachment in an email message from an unknown person should not be opened, but what about an attachment in a message from a familiar, trusted person?

• A similar point is to be suspicious of files (mostly executable files, but also data files that can have macros) downloaded from newsgroups, from hacking/cracking Web servers, or from new, unfamiliar Web sites that offer useful and inexpensive software.

• Even a program sent by a trusted source may be infected. Recall that a virus may lay dormant for a long time before it releases its payload

• Many applications may benefit from a macro facility, but virtually all

• known macro viruses infect data files for Microsoft Word and Microsoft Excel, two components of the well-known Microsoft Office suite.

• Such files should be considered potentially dangerous, especially when received in email

• Anti-virus software can scan mounted disks and flash memories, so it should be used as a preventive measure.

• A firewall can stop viruses and is therefore a preventive measure.

• Older personal computers had to be booted from floppy disks. Later models had hard disks with the operating system installed, so booting from a floppy became an option.

• Two advanced and popular email programs, Outlook and Outlook Express, are particularly vulnerable to email infection

• Most operating systems support file names with extensions. The extension (often three letters) associates the file with an application and serves as handy identification.

• Another important preventive measure is to have regular backups of all important files.

Backups

• Backup as a last defense activity. [fault tolerance].

• Backup options [ onsite and offsite] partially or full backup.

Suspicious activities• A file has a “time stamp” indicating the last time it has been modified. If an old

file turns out to have a recent modification date, it should be cause for suspicion. The length of a program (executable) file should normally stay the same. Any unexplainable change in the length of such a file is also a reason to suspect that a virus attached itself to the file.

• A familiar program suddenly slows down or takes longer than usual to start.• Simple tasks require excessive disk access.• A program tries to write to a CD (which is normally read only).• Programs suddenly indicate less available memory than in the past.• The computer restarts itself suddenly, for no apparent reason, or requests

permission to restart, citing an official-looking but unfamiliar reason.• Unusual or irrelevant messages are displayed on the monitor screen.• There is suddenly an unusual amount of network traffic. This is easy to detect

when a modem (telephone or cable) is used. The lights on the modem flicker quickly, indicating heavy network traffic, while legitimate programs run slow.

Vaccines• Vaccines. Someone thinking about virus

eradication may come up with the following idea. • A virus normally checks a file before infecting it,

looking for its (the virus’) signature to avoid secondary infection.

• If the signature of a virus is known, we may embed it in all the files in our computer, which will fool the virus. This is the concept of a vaccine. It’s a simple concept, but it fails in practice for the following reasons:

• There are many known viruses and new ones appear all the time.

• Some viruses don’t leave a signature and simply reinfect any given file again and again.

• In extreme cases, vaccination may do more damage than the virus itself

• The signatures of different viruses may conflict, so vaccinating against one virus may expose a file up to infection by another virus

• Self repair. Error-detecting and error-correcting codes are currently very common and can be very powerful

Self correction• The principle of correcting errors through increased redundancy

can be carried out to virus detection and elimination. • Imagine a program that has redundant bits, so it can check itself

every time it is launched and even correct many errors in itself. When such a program gets infected by a virus, the next check will detect a problem.

• If the problem cannot be corrected automatically, the program will notify the user and will quit.

• Such a self-correcting program seems a good weapon in the war against viruses, and it is, but only up to a point.

• Once virus writers learn of this trend, they may counter it in various ways, some of which are listed here:

• The obvious problem is that the virus writer will discover how the redundancy was generated (the formula or the algorithm to compute the redundant bits).

• A virus may be written specifically to modify the redundant part of a program in a way that will infect the program.

• Even in cases where the virus knows (or suspects) only that redundancy is used to protect a program, the virus can defeat this protection

• Limit permissions. Most viruses infect executable programs, so it seems that it should be enough to limit the permissions of executable programs.

• Software fault tolerance. The concept of fault tolerance is to have several copies of the same hardware circuit or the same software program.

• When one copy fails, another copy is immediately used instead.• A cryptographic checksum. Normally, a checksum or a CRC is enough

to guarantee the integrity of a data file. If the file is modified as a result of data corruption, its new CRC will differ from the original CRC.

• The discussion on page 86, however, shows that a virus can embed itself in a file and change bytes of data until the new CRC of the infected file equals the original CRC.

Botnets, Zombies, and Remote Control• A botnet is a collection of compromised computers (members) that are

controlled remotely by their (illegitimate) owner, who is often referred to as a “botherd” or “botherder.”

• Each member computer of a botnet is running a bot program and these programs work either separately (stealing personal data, for example) or together (sending a flood of messages to create a denial of service in an attempt to compromise an important website).

• Writing and debugging the software of a sophisticated bot is a demanding job that requires detailed knowledge of several fields.

• Here are examples of the special “skills” required for implementing and releasing a potent bot: (1) How to invade Web servers and use them to spread malware. (2) How to program malware in general. (3) How to organize a botnet once enough computers have been invaded and infected. (4) How to distribute spam and other malware from a compromised host. (5) How to search a host for useful data. (6) How to use this data to sell account information, commit credit card fraud, or siphon money from bank accounts.

Hoaxes• Virus hoaxes are reports of nonexistent viruses. They are propagated as email

messages that include some of the following:• Announce the discovery of an undetectable, highly-destructive new virus.• Warn users not to read emails with a particular subject line such as “Join the

Crew” or “Budweiser Frogs.”• Pretend that the warning was issued by a well-known security organization,

ISP, or government agency, most often IBM, Microsoft, AOL, or the federal communications commission (FCC) in the United States.

• Make a fantastic claim about the payload of a new virus. For example, a hoax called “a moment of silence” claims “no program needs to be exchanged for a new computer to be infected by this virus.”

• Employ nonsensical technical jargon to describe the effects of the virus.• For example, a hoax called “good times” says that the virus can put the CPU

into “an nth-complexity infinite binary loop;” a nonexistent condition.• Urge readers to forward the warning to others (such a hoax is known as a chain

letter).

Why Hoaxes are bad ?• Hoaxes can be as disruptive and costly as a genuine virus.• Users tend to believe a hoax, overreact to it, and forward hoax messages to everyone on

their mailing list. This can create a temporary deluge of email which overloads mail servers and causes delays in delivering mail and even crashes. The damage may be equivalent to that done by a real virus, with the difference that the hoaxer doesn’t have to design, implement, and test any code.

• An organization that receives a hoax may also overreact and take drastic action, such as temporarily closing down a mail server or shutting down its entire network. This cripples communications and adversely affects normal business at least as effectively as a real virus, again with very little effort on the part of the hoaxer.

• Virus experts who deal with real viruses and other threats may get distracted by a hoax and waste precious time and effort trying to track it.

• A hoax, like other rumors, can persist for a long time before it dies off, and its cumulative effect (wasting users’ time and causing pain and suffering) may be out of proportion to the work needed to start it.

• A hoax can inspire new viruses (the opposite is also true). The “good time” hoax, for example, was followed by a real “good time” virus (also called GT-Spoof).

• A hoax may turn out to be real. This causes psychological damage followed by real physical damage.

• Chain letters. An electronic chain letter is an email message that urges

• readers to forward it to others. There are four main types of chain letters as

• follows:• Hoaxes. A chain letter may warn readers about a terrorist

attack, a• scam, or a new computer security threat. Some of these

hoaxes can be• classified as myths, but all should be ignored by

conscientious readers.

• Fake freebies.• Petitions.• Jokes and Pranks.

How to avoid hoaxes ?• An organization should have a clear policy on

virus hoaxes• Any security-conscious computer user should

be kept informed about hoaxes.• Don’t forward chain email letters even if they

offer money, fame, gifts, or useful information• When receiving unsolicited email don’t trust

any links in it, even if they seem familiar and legitimate