network security chapter 5 intruders & malicious software slides by h. johnson & s. malladi-...


Page 1: Network Security Chapter 5 Intruders & Malicious Software Slides by H. Johnson & S. Malladi- Modified & Translated by Sukchatri P

Network Security

Chapter 5: Intruders & Malicious Software

Slides by H. Johnson & S. Malladi - Modified & Translated by Sukchatri P.


Outline

• Intruders
  ▫ Intrusion Detection Techniques
    - Statistical Anomaly
    - Rule Based Detection
• Password Management
  ▫ Password Protection
  ▫ Password Selection Strategies
• Recommended Reading and Web Sites

14/12/2010

2

University of Phayao


Intruders

• Three classes of intruders (hackers or crackers):
  ▫ Masquerader - unauthorized individual who exploits a legitimate user’s account (outsider)
  ▫ Misfeasor - legitimate user who misuses his or her privileges (insider)
  ▫ Clandestine user - individual who seizes supervisory control and uses it to evade auditing or access controls (insider or outsider)

Intruders

• Clearly a growing publicized problem
  ▫ from “Wily Hacker” in 1986/87
  ▫ to clearly escalating CERT stats
• May seem benign, but still cost resources
• May use compromised system to launch other attacks

Intrusion Detection

• If an intrusion is detected quickly, the intruder can be identified and ejected from the system before damage is done
• An effective detection system acts as a deterrent, to prevent intrusions
• Detection enables the collection of information to strengthen the system

Intrusion Detection

• The goal of an intrusion detection system (IDS) is to detect that bad things are happening…
  ▫ …just as they start happening (hope so)
  ▫ How is this different from a firewall?
• Successful attack is usually (but not always) associated with an access control violation
  ▫ A buffer overflow has been exploited, and now attack code is being executed inside a legitimate program
  ▫ Outsider gained access to a protected resource
  ▫ A program or file has been modified
  ▫ System is not behaving “as it should”

Intrusion Detection Techniques

• Objective of the intruder is to gain access to the system or to increase range of privileges
• System maintains a file that associates a password with each authorized user
• Password file can be protected with:
  ▫ One-way encryption
  ▫ Access control

Intrusion Techniques

• Aim to increase privileges on system
• Basic attack methodology
  ▫ target acquisition and information gathering
  ▫ initial access
  ▫ privilege escalation
  ▫ covering tracks
• Key goal often is to acquire passwords
• Then exercise access rights

Intrusion Techniques

• Techniques for guessing passwords:
  ▫ Try default passwords
  ▫ Try all short words, 1 to 3 characters long
  ▫ Try all the words in an electronic dictionary (60,000)
  ▫ Collect information about the user’s hobbies, family names, birthday, etc.
  ▫ Try user’s phone number, social security number, street address, etc.
  ▫ Try all license plate numbers (MUP103)
  ▫ Use a Trojan horse
  ▫ Tap the line between a remote user and the host system
• Prevention: Enforce good password selection (Ij4Gf4Se%f#)

Profiles of Behavior of Intruders and Authorized Users (figure)

Intrusion Detection

• Based on the assumption that the behavior of an intruder differs from that of a legitimate user
• Statistical anomaly detection
  ▫ threshold detection (frequency of events)
  ▫ profile based (change in activity of user)
• Rule based detection
  ▫ anomaly detection (rules detect deviation in behavior pattern)
  ▫ penetration identification (searches for suspicious behavior)

Intrusion Detection

• Statistical anomaly detection attempts to define normal or expected behavior and is effective against masqueraders
• Rule based approaches attempt to define proper behavior and are effective against misfeasors
• A combination of both is generally used

Tools for Intrusion Detection

• Statistical anomaly detection works primarily through the analysis of audit records using the following metrics:
  ▫ Counter: e.g. number of login attempts, password failures
  ▫ Gauge: value of user connections, applications, messages
  ▫ Interval timer: length of time between events (e.g. logins)
  ▫ Resource utilization: quantity of resources consumed (e.g. pages printed, time consumed by program execution)

Tools for Intrusion Detection

• Audit records - software that collects information on user activity:
  ▫ Subject: action initiators (user or process)
  ▫ Action: operation performed
  ▫ Object: action receptors (files, programs, etc.)
  ▫ Exception condition
  ▫ Resource usage
  ▫ Time stamp

Other Measures Used for Intrusion Detection

• Login frequency by day and time
• Frequency of login at different locations
• Time since last login
• Password failures at login
• Execution frequency
• Execution denials
• Read, write, create, delete frequency
• Failure count for read, write, create and delete

Statistical Tests

• Mean and standard deviation - average behavior and its variability
• Multivariate model - correlation between two or more variables
• Markov process - establishes transition probabilities between two or more states
• Time series - focuses on time intervals
• Operational model - judgement of what is abnormal (see table p. 303)
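Added example (not part of the original slides): the two statistical-anomaly techniques from the preceding slides run over a handful of constructed audit records. A counter metric with a threshold catches a burst of password failures, and a mean/standard-deviation profile of each user's login hour catches a login far outside that user's norm. The audit record layout, the user names and the thresholds are assumptions made for this example.

```python
"""Statistical anomaly detection over audit records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed audit records: (timestamp, subject, action, object, exception condition).
# The layout is an assumption; real audit formats differ (see the distributed IDS slides).
AUDIT = [
    ("2010-12-01 09:02", "alice", "login", "host1", "ok"),
    ("2010-12-02 09:10", "alice", "login", "host1", "ok"),
    ("2010-12-03 08:55", "alice", "login", "host1", "ok"),
    ("2010-12-06 09:20", "alice", "login", "host1", "ok"),
    ("2010-12-07 09:05", "alice", "login", "host1", "ok"),
    ("2010-12-08 03:10", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 03:10", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 03:11", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 03:11", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 03:12", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 03:12", "alice", "login", "host1", "ok"),   # far outside alice's usual hours
    ("2010-12-08 03:13", "bob", "login", "host1", "bad-password"),
    ("2010-12-08 09:00", "carol", "login", "host1", "bad-password"),
    ("2010-12-08 09:30", "carol", "login", "host1", "ok"),
]

def parse(rec):
    ts, subject, action, obj, exc = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), subject, action, obj, exc

def threshold_alerts(records, limit=5, window=timedelta(minutes=10)):
    """Counter metric: flag a subject with at least `limit` password failures inside `window`."""
    failures = defaultdict(list)
    alerts = set()
    for ts, subject, action, _obj, exc in map(parse, records):
        if action != "login" or exc != "bad-password":
            continue
        recent = [t for t in failures[subject] if ts - t <= window] + [ts]
        failures[subject] = recent            # sliding window of recent failures
        if len(recent) >= limit:
            alerts.add(subject)
    return alerts

def profile_alerts(records, zmax=2.5, min_history=4):
    """Mean/standard-deviation profile of login hour: flag logins far from the user's norm."""
    history = defaultdict(list)
    alerts = []
    for ts, subject, action, _obj, exc in map(parse, records):
        if action != "login" or exc != "ok":
            continue
        hour = ts.hour + ts.minute / 60
        hist = history[subject]
        if len(hist) >= min_history:
            mu, sigma = mean(hist), pstdev(hist)
            sigma = max(sigma, 0.25)   # floor so a very regular user does not alarm on tiny drift
            z = abs(hour - mu) / sigma
            if z > zmax:
                alerts.append((subject, ts.strftime("%Y-%m-%d %H:%M"), round(z, 1)))
        hist.append(hour)                 # the profile keeps learning from accepted logins
    return alerts

if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(AUDIT))
    print("profile alerts:", profile_alerts(AUDIT))
```

The profile test only fires once a user has `min_history` logins, which is why the masquerade-style 03:12 login is flagged for alice while carol, with no history, is not; the password-failure counter is the same mechanism the later password management slides describe for locking accounts after too many failures in a short period.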

Rule Based Detection

• Observe events and apply a set of rules as to whether or not they are suspicious, for example:
  ▫ Users should not read other users’ files
  ▫ Users must not write others’ files
  ▫ Users who login after hours usually use files they used earlier in the day
  ▫ Users generally use system commands to open devices
  ▫ Users should not be logged in more than once to the same system
  ▫ Users should not make copies of system programs
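Added example (not part of the original slides): a small rule engine that applies three of the rules listed above to a constructed sequence of audit events. Each rule is a function that may keep state across events (the concurrent-login rule needs it); the event layout, the convention that a file's owner is read from its /home/<user>/ prefix, and the system directories are assumptions for this example.

```python
"""Rule-based intrusion detection: a small rule engine over constructed audit events."""
from collections import Counter

SYSTEM_DIRS = ("/bin/", "/usr/bin/", "/sbin/")

def owner_of(path):
    """Infer a file's owner from a /home/<user>/ prefix (assumption for this example)."""
    parts = path.split("/")
    return parts[2] if path.startswith("/home/") and len(parts) > 2 else "system"

# Constructed audit events: (subject, action, object, extra).
EVENTS = [
    ("alice", "login",  "host1", ""),
    ("alice", "read",   "/home/alice/notes.txt", ""),
    ("alice", "read",   "/home/bob/salary.xls", ""),        # reads another user's file
    ("bob",   "login",  "host1", ""),
    ("bob",   "login",  "host1", ""),                       # second concurrent login
    ("bob",   "write",  "/home/carol/.profile", ""),        # writes another user's file
    ("carol", "login",  "host1", ""),
    ("carol", "copy",   "/bin/login", "/tmp/login"),        # copies a system program
    ("carol", "logout", "host1", ""),
    ("bob",   "logout", "host1", ""),
]

def rule_other_users_files(ev, state):
    subject, action, obj, _extra = ev
    if action in ("read", "write") and owner_of(obj) not in (subject, "system"):
        return f"{subject} performed {action} on another user's file {obj}"
    return None

def rule_multiple_logins(ev, state):
    subject, action, obj, _extra = ev
    sessions = state.setdefault("sessions", Counter())   # (user, host) -> open sessions
    if action == "login":
        sessions[(subject, obj)] += 1
        if sessions[(subject, obj)] > 1:
            return f"{subject} logged in more than once to {obj}"
    elif action == "logout":
        sessions[(subject, obj)] = max(0, sessions[(subject, obj)] - 1)
    return None

def rule_copy_system_program(ev, state):
    subject, action, obj, dest = ev
    if action == "copy" and obj.startswith(SYSTEM_DIRS):
        return f"{subject} copied system program {obj} to {dest}"
    return None

RULES = [rule_other_users_files, rule_multiple_logins, rule_copy_system_program]

def run_rules(events, rules=RULES):
    """Apply every rule to every event in order; returns (subject, rule name, message) triples."""
    state = {}
    alerts = []
    for ev in events:
        for rule in rules:
            msg = rule(ev, state)
            if msg:
                alerts.append((ev[0], rule.__name__, msg))
    return alerts

if __name__ == "__main__":
    for subject, rule, msg in run_rules(EVENTS):
        print(f"[{rule}] {msg}")
```

Rules of this kind express what proper behaviour is (the misfeasor case on the earlier slide) rather than what is statistically usual, so a single violating event is enough to raise an alert, with no training period.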

The Stages of a Network Intrusion

1. Scan the network to:
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are “open” (being listened to by servers).
2. Run “exploit” scripts against open ports
3. Get access to a shell program which is “suid” (has “root” privileges)
4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs
5. Use IRC (Internet Relay Chat) to invite friends to the feast

Where are IDS employed?

• Host-based intrusion detection
  ▫ Monitor activity on a single host
  ▫ Advantage: better visibility into behavior of individual applications running on the host
• Network-based intrusion detection (NIDS)
  ▫ Often placed on a router or firewall
  ▫ Monitor traffic, examine packet headers and payloads
  ▫ Advantage: single NIDS can protect many hosts and look for global patterns

Distributed Intrusion Detection

• Major issues in design:
  ▫ Need to deal with different audit record formats
  ▫ One or more nodes in the network will serve as collection points for data, which must then be transmitted securely
  ▫ Centralized or decentralized architecture can be used
• Requires coordination and cooperation

Distributed Intrusion Detection System

• Developed at Univ. of California-Davis:
• Host agent module: collects data on security events in hosts and transmits to central manager
• LAN monitor agent module: analyzes LAN traffic and reports to central manager
• Central manager module: receives reports and correlates them to detect intrusion

Distributed Intrusion Detection (architecture figures; developed at University of California at Davis)

RootKit

• Rootkit is a set of Trojan system binaries
  ▫ Emerged in 1994, evolved since then
• Typical infection path:
  ▫ Use stolen password or dictionary attack to log in
  ▫ Use buffer overflow in rdist, sendmail, loadmodule, rpc.ypupdated, lpr, or passwd to gain root access
  ▫ Download rootkit by FTP, unpack, compile and install
• Includes a sniffer (to record users’ passwords)
• Hides its own presence!
  ▫ Installs hacked binaries for netstat, ps, ls, du, login
  ▫ Modified binaries have same checksum as originals
    - Can’t detect attacker’s processes, files or network connections by running standard UNIX commands!

Popular IDS

• Snort
  ▫ Most popular open-source tool
  ▫ Large rule sets for known vulnerabilities
    - Date: 2005-04-05. Synopsis: the Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various implementations of Telnet […] Programming errors in the telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer […] Rules to detect attacks against this vulnerability are included in this rule pack
• Bro (www.bro-ids.org)
  ▫ Developed by Vern Paxson at Lawrence Berkeley Labs
  ▫ Separates data collection and security decisions
    - Event Engine distills the packet stream into high-level events describing what’s happening on the network
    - Policy Script Interpreter uses a script defining the network’s security policy to decide what to do in response

Detecting Backdoors with NIDS

• Look for telltale signs of sniffer and rootkit activity
• Entrap sniffers into revealing themselves
  ▫ Use bogus IP addresses and username/password pairs; open bogus TCP connections, then measure ping times
    - Sniffer may try a reverse DNS query on the planted address; rootkit may try to log in with the planted username
    - If sniffer is active, latency will increase
  ▫ Clever sniffer can use these to detect NIDS presence!
• Detect attacker returning to his backdoor
  ▫ Small packets with large inter-arrival times
  ▫ Simply search for root shell prompt “# ” (!!)

Attacks on Network-Based IDS

• Overload NIDS with huge data streams, then attempt the intrusion
  ▫ Bro solution: watchdog timer
    - Check that all packets are processed by Bro within T seconds; if not, terminate Bro, use tcpdump to log all subsequent traffic
• Hide malicious data, split into multiple packets
  ▫ NIDS does not have full TCP state and does not always understand every command of receiving application
  ▫ Simple example: send “ROB<DEL><BS><BS>OT”, receiving application may reassemble to “ROOT”

Detecting Attack Strings

• Want to detect “USER root” in packet stream
• Scanning for it in every packet is not enough
  ▫ Attacker can split attack string into several packets; this will defeat stateless NIDS
• Recording previous packet’s text is not enough
  ▫ Attacker can send packets out of order
• Full reassembly of TCP state is not enough
  ▫ Attacker can use TCP tricks so that certain packets are seen by NIDS but dropped by the receiving application
    - Manipulate checksums, TTL (time-to-live), fragmentation

TCP Attacks on NIDS (figure)

• Insertion attack: the stream “USER root” is sent with an extra segment carrying “X” whose checksum is bogus. The NIDS accepts it and sees “USER rXoot”; the destination drops it and sees “USER root”.
• TTL attack: the figure shows 10 hops from the sender to the NIDS and a further 8 hops to the destination. The segments of “USER root” are sent with TTL=20; the extra segment carrying “X” is sent with a short TTL=12 so that it passes the NIDS but expires (TTL expired, dropped) before reaching the destination.
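Added example (not part of the original slides): a minimal stream reassembler of the kind a NIDS needs for the “USER root” problem on the preceding slides, run over constructed segments that arrive split and out of order and that include the insertion and TTL tricks from the figure. It mimics the receiver's own decisions where it can (a segment with a bad checksum is discarded) and only flags what it cannot decide (a segment with a much shorter TTL than the rest of the stream, since the NIDS does not know the remaining hop count). The segment record format, the payload-only checksum (a simplification of the real TCP checksum, which also covers a pseudo-header), the first-copy-wins overlap policy and the TTL gap are assumptions for this example.

```python
"""NIDS-side stream reassembly: validate checksums, order by sequence number, then search."""

ATTACK_STRING = b"USER root"

def ones_complement_sum16(data):
    """16-bit one's-complement checksum over the payload only (simplified TCP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def segment(seq, payload, ttl=64, bad_checksum=False):
    """Build a minimal segment record; bad_checksum reproduces the figure's insertion trick."""
    csum = ones_complement_sum16(payload)
    if bad_checksum:
        csum ^= 0xFFFF           # any corruption will do: a conforming receiver discards it
    return {"seq": seq, "payload": payload, "ttl": ttl, "csum": csum}

def naive_scan(segments):
    """Per-packet matching, as a stateless NIDS would do; defeated by splitting the string."""
    return any(ATTACK_STRING in s["payload"] for s in segments)

def reassemble(segments, ttl_gap=8):
    """Return (stream, drops). Checksum failures are dropped outright; segments whose TTL is at
    least `ttl_gap` below the stream's typical TTL are reported and excluded (a heuristic)."""
    drops, valid = [], []
    for s in segments:
        if ones_complement_sum16(s["payload"]) != s["csum"]:
            drops.append(("bad-checksum", s["seq"], s["payload"]))
        else:
            valid.append(s)
    typical_ttl = max((s["ttl"] for s in valid), default=0)
    keep = []
    for s in valid:
        if typical_ttl - s["ttl"] >= ttl_gap:
            drops.append(("low-ttl", s["seq"], s["payload"]))
        else:
            keep.append(s)
    buf = {}                     # byte offset -> byte; out-of-order arrival is handled by seq
    for s in sorted(keep, key=lambda s: s["seq"]):
        for i, b in enumerate(s["payload"]):
            buf.setdefault(s["seq"] + i, b)   # first copy wins on overlap (policy assumption)
    stream = bytes(buf[k] for k in sorted(buf))
    return stream, drops

def scan(segments):
    stream, drops = reassemble(segments)
    return ATTACK_STRING in stream, stream, drops

# Constructed traffic: "USER root" split over four segments delivered out of order, plus an
# inserted segment with a bad checksum and a short-TTL segment, as in the slide figures.
SAMPLE = [
    segment(5, b"r", ttl=20),
    segment(0, b"USE", ttl=20),
    segment(3, b"R ", ttl=20),
    segment(6, b"X", ttl=20, bad_checksum=True),   # insertion attack: receiver drops it
    segment(6, b"Y", ttl=12),                      # TTL attack: expires before the receiver
    segment(6, b"oot", ttl=20),
]

if __name__ == "__main__":
    print("per-packet scan:", naive_scan(SAMPLE))
    found, stream, drops = scan(SAMPLE)
    print("reassembled:", stream, "match:", found)
    for reason, seq, payload in drops:
        print(f"  dropped seq={seq} {payload!r}: {reason}")
```

The example also shows why the slide says full reassembly is still not enough: the TTL decision above is a guess, and the receiver's overlap policy must be known for the first-copy-wins assumption to hold.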

Intrusion Detection Summary

• No bullet-proof solutions, constant arms race
• Increasing diversity of traffic = challenge for NIDS
  ▫ Lots of anomalous, but benign junk
  ▫ Vern Paxson on stuff they’ve seen on a DMZ:
    - Storms of 10,000+ FIN or RST packets due to TCP bugs
    - Horrible fragmentation
    - TCPs that acknowledge data that was never sent
    - TCPs that retransmit different data from what was sent
• False alarms are THE problem for IDS
  ▫ “The Boy Who Cried Wolf” (base-rate fallacy)
  ▫ Can’t flag every anomaly as an attack
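Added example (not part of the original slides): the base-rate fallacy named above, worked through with Bayes' rule. The question an operator cares about is P(intrusion | alarm), and because intrusions are rare among audited events, even a small false-alarm rate swamps the true alarms. The base rate, detection rate and event volume used here are illustrative assumptions, not measurements.

```python
"""Base-rate fallacy for IDS alarms: what fraction of alarms are real intrusions?"""

def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.

    base_rate:        P(intrusion) per audited event
    detection_rate:   P(alarm | intrusion)
    false_alarm_rate: P(alarm | no intrusion)
    """
    true_alarms = base_rate * detection_rate
    false_alarms = (1 - base_rate) * false_alarm_rate
    return true_alarms / (true_alarms + false_alarms)

def alarms_per_day(events_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected (true, false) alarm counts for one day of events."""
    return (events_per_day * base_rate * detection_rate,
            events_per_day * (1 - base_rate) * false_alarm_rate)

def sweep(base_rate=1e-5, detection_rate=0.99):
    """Precision as a function of the false-alarm rate: the detector must be almost
    perfect on benign traffic before the majority of its alarms are real."""
    return {far: round(alarm_precision(base_rate, detection_rate, far), 4)
            for far in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6)}

if __name__ == "__main__":
    # Assumed figures: one intrusion per 100,000 events, 99% detection, 1,000,000 events a day.
    for far, precision in sweep().items():
        print(f"false-alarm rate {far:.0e}: P(intrusion | alarm) = {precision}")
    print("alarms per day (true, false):", alarms_per_day(1_000_000, 1e-5, 0.99, 1e-2))
```

With the assumed numbers, a 1% false-alarm rate yields roughly ten real alarms buried in ten thousand false ones per day, which is why flagging every anomaly is not an option.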

Storing UNIX Passwords

• UNIX passwords were kept in a publicly readable file, /etc/passwd.
• Now they are kept in a “shadow” file, visible only to “root”.

Password Management

• The front line of defense against intruders is the password system:
• User ID - determines if the user is authorized to gain access, and determines the privileges accorded to the user
• Password - authenticates the ID of the individual

Managing Passwords

• Need policies and good user education
• Ensure every account has a default password
• Ensure users change the default passwords to something they can remember
• Protect password file from general access
• Set technical policies to enforce good passwords
  ▫ minimum length (>6)
  ▫ require a mix of upper & lower case letters, numbers, punctuation
  ▫ block known dictionary words

Managing Passwords

• May reactively run password guessing tools
  ▫ note that good dictionaries exist for almost any language/interest group
• May enforce periodic changing of passwords
• Have system monitor failed login attempts, & lock out account if it sees too many in a short period
• Need to educate users and get support
• Balance requirements with user acceptance
• Be aware of social engineering attacks

Proactive Password Checking

• Most promising approach to improving password security
• Allow users to select own password
• But have system verify it is acceptable
  ▫ simple rule enforcement (see previous slide)
  ▫ compare against dictionary of bad passwords
  ▫ use an algorithmic approach (Markov model or Bloom filter) to detect poor choices

UNIX Password System

▫ User selects password (5-8 characters)
▫ Converted to 56 bit value used as key to encryption routine - crypt(3) - based on DES
▫ Modified using a 12 bit “salt” value - related to time at which password was assigned
  - prevents duplicates from being visible in password file
  - increases length of password
  - prevents use of hardware implementation of DES
▫ Output encrypted 25 times more
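Added example (not part of the original slides): the structure of the scheme above, a 12-bit salt stored beside an iterated one-way function, written out so the salt's effect is visible. SHA-256 stands in for the DES-based crypt(3) so the code runs anywhere; that substitution, the entry format and the constant-time comparison are assumptions of this example. A production system should use a dedicated password function such as PBKDF2, scrypt or Argon2 rather than this stand-in.

```python
"""Salted, iterated one-way password storage modelled on the slide's crypt(3) scheme.
SHA-256 stands in for DES (assumption); use PBKDF2/scrypt/Argon2 in real systems."""
import hashlib
import hmac
import secrets

SALT_BITS = 12        # the slide's 12-bit salt: 4096 possible values
ITERATIONS = 25       # the slide's "encrypted 25 times more"

def new_salt():
    return secrets.randbelow(1 << SALT_BITS)

def hash_password(password, salt, iterations=ITERATIONS):
    """Iterate the one-way function, mixing the salt into every round."""
    salt_bytes = salt.to_bytes(2, "big")
    state = salt_bytes + password.encode("utf-8")
    for _ in range(iterations):
        state = hashlib.sha256(salt_bytes + state).digest()
    return state.hex()

def make_entry(password, salt=None):
    """Password-file entry: the salt is stored in the clear next to the hash."""
    salt = new_salt() if salt is None else salt
    return f"{salt:04d}${hash_password(password, salt)}"

def verify(password, entry):
    """Recompute with the stored salt and compare in constant time."""
    salt_str, stored = entry.split("$", 1)
    candidate = hash_password(password, int(salt_str))
    return hmac.compare_digest(candidate, stored)

def duplicate_hashes(entries):
    """Number of entries whose hash field repeats. With per-entry salts two users sharing
    a password no longer produce identical entries, which is the slide's first point."""
    hashes = [e.split("$", 1)[1] for e in entries]
    return len(hashes) - len(set(hashes))

def guess_work_multiplier():
    """A precomputed table would have to cover every salt value: the slide's second point."""
    return 1 << SALT_BITS

if __name__ == "__main__":
    e1, e2 = make_entry("letmein", 17), make_entry("letmein", 42)
    print(e1)
    print(e2)
    print("same password, duplicates visible:", duplicate_hashes([e1, e2]))
    print("verify:", verify("letmein", e1), verify("LetMeIn", e1))
```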

UNIX Password Scheme (figure): Loading a new password

UNIX Password Scheme (figure): Verifying a password file

Threats to Password Files

• Encryption scheme is designed to discourage guessing, but
  ▫ users can gain access on a machine using a guest account and run a password guessing program or “cracker”
  ▫ if opponent can gain access to password file, cracker can be run on another machine
• Cracker programs are getting better and hardware executes them faster… (see p. 312)

Password Capture

• Another attack involves password capture
  ▫ watching over shoulder as password is entered
  ▫ using a trojan horse program to collect
  ▫ monitoring an insecure network login (e.g. telnet, FTP, web, email)
  ▫ extracting recorded info after successful login (web history/cache, last number dialed etc)
• Using valid login/password can impersonate user
• Users need to be educated to use suitable precautions/countermeasures

Password Guessing

• One of the most common attacks
• Attacker knows a login (from email/web page etc)
• Then attempts to guess password for it
  ▫ try default passwords shipped with systems
  ▫ try all short passwords
  ▫ then try by searching dictionaries of common words
  ▫ intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests)
  ▫ before exhaustively searching all possible passwords
• Check by login attempt or against stolen password file
• Success depends on password chosen by user
• Surveys show many users choose poorly

Password Selecting Strategies

• User education -
  ▫ must be long and complex enough
  ▫ many choose password <= 3 characters
  ▫ not easily guessable
• Computer-generated passwords - hard to remember
• Reactive password checking - randomly checks, cancels ones that are guessed
• Proactive password checking - check at time of creation, reject any too simple

Proactive Password Checkers

• Two techniques for rejecting words on a list show promise:
  ▫ Markov model - based on structure of passwords
  ▫ Spafford - based on use of a Bloom filter
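Added example (not part of the original slides): a proactive password checker combining the simple rules from the Managing Passwords slides (minimum length over 6, a mix of character classes) with the Bloom-filter dictionary test attributed to Spafford above. A Bloom filter stores the bad-word list in a compact bit array at the cost of a tunable false-positive rate; it never produces a false negative, so a word that was inserted is always rejected. The word list, the variants inserted for each word, the filter's sizing parameters and the message texts are assumptions for this example.

```python
"""Proactive password checker: rule enforcement plus a Bloom-filter dictionary test."""
import hashlib
import math
import string

class BloomFilter:
    """Bit array probed by k hash functions; false positives possible, false negatives not."""
    def __init__(self, expected_items, false_positive_rate=1e-4):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        # Derive k indices from two independent halves of one digest (double hashing).
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))

# Constructed stand-in for the 60,000-word dictionary mentioned on the password guessing slide.
BAD_WORDS = ["password", "letmein", "qwerty", "dragon", "monkey", "football", "welcome", "phayao"]

def build_filter(words):
    """Insert each bad word plus two cheap variants an attacker's dictionary would also try."""
    bf = BloomFilter(expected_items=3 * len(words), false_positive_rate=1e-6)
    for w in words:
        w = w.lower()
        bf.add(w)
        bf.add(w + "1")        # common appended digit
        bf.add(w[::-1])        # reversed word
    return bf

def check_password(pw, bad_filter, min_length=7):
    """Return the list of reasons a password is rejected; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        reasons.append("needs at least three of: lower, upper, digit, punctuation")
    if pw.lower() in bad_filter:
        reasons.append("matches the dictionary of bad passwords")
    return reasons

if __name__ == "__main__":
    bf = build_filter(BAD_WORDS)
    print(f"filter: {bf.m} bits, {bf.k} hash functions, {len(bf.bits)} bytes")
    for candidate in ("Password1", "abc", "Ij4Gf4Se%f#"):
        print(candidate, "->", check_password(candidate, bf) or "accepted")
```

Because the filter holds only bits, the system never has to ship the bad-word list itself, and the lookup cost is k hashes regardless of how many words were inserted; the trade-off is that a good password is occasionally rejected as a false positive, which is why the filter is sized with a small target rate.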

Markov Model (figure)

Markov Model

• Resulting model reflects the structure of the words in a dictionary.
  ▫ “Is this a bad password?” becomes
  ▫ “Can this string be generated by the Markov model?”
  ▫ A statistical test can be done to see if the password is likely and, if so, it is rejected.
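Added example (not part of the original slides): a first-order Markov model trained on a constructed word list, used exactly as the slide describes: the checker asks how likely the model is to generate the candidate string and rejects it if that likelihood is high. Letters are the states, digits and punctuation collapse to one “other” state, and the score is the average log2 transition probability per character. The word list, the smoothing constant and the rejection threshold are assumptions; on a real dictionary the threshold would be calibrated against held-out words and random strings.

```python
"""Markov-model password check: reject strings the dictionary model finds likely."""
import math
from collections import defaultdict

START, END, OTHER = "^", "$", "_"
ALPHABET = "abcdefghijklmnopqrstuvwxyz" + OTHER
V = len(ALPHABET) + 1          # possible next symbols: 26 letters, OTHER, and END

def normalise(word):
    """Lower-case letters are states; digits and punctuation collapse to OTHER."""
    return "".join(c if c in ALPHABET else OTHER for c in word.lower())

class MarkovPasswordModel:
    def __init__(self, words, alpha=0.01):
        self.alpha = alpha                 # tiny smoothing, so unseen transitions are costly
        self.pair = defaultdict(int)       # (a, b) -> count of transitions a -> b
        self.total = defaultdict(int)      # a -> count of transitions out of a
        for w in words:
            s = START + normalise(w) + END
            for a, b in zip(s, s[1:]):
                self.pair[(a, b)] += 1
                self.total[a] += 1

    def log2_prob(self, a, b):
        return math.log2((self.pair[(a, b)] + self.alpha) / (self.total[a] + self.alpha * V))

    def score(self, word):
        """Average log2 transition probability: how dictionary-like the string is."""
        s = START + normalise(word) + END
        return sum(self.log2_prob(a, b) for a, b in zip(s, s[1:])) / (len(s) - 1)

    def is_likely(self, word, threshold=-5.5):
        """'Can the model generate this string?' Threshold is an assumption for this toy list."""
        return self.score(word) >= threshold

# Constructed stand-in for a dictionary of commonly chosen passwords.
DICTIONARY = [
    "password", "letmein", "welcome", "dragon", "monkey", "master", "sunshine", "princess",
    "football", "baseball", "shadow", "michael", "jennifer", "computer", "superman", "batman",
    "trustno1", "hello", "freedom", "whatever", "qwerty", "summer", "winter", "flower",
]
MODEL = MarkovPasswordModel(DICTIONARY)

def check_password(pw, model=MODEL):
    return "rejected: likely under the dictionary model" if model.is_likely(pw) else "accepted"

if __name__ == "__main__":
    for candidate in ("password", "Passport7", "Ij4Gf4Se%f#"):
        print(f"{candidate:12s} score={MODEL.score(candidate):6.2f}  {check_password(candidate)}")
```

Unlike a word list, the model also penalises strings that were never in the dictionary but share its letter structure, which is the point of the slide's reformulation of the question.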

Network Security

Malicious Software

Slides by H. Johnson & S. Malladi- Modified & Translated by Sukchatri P.


Overview

• Viruses and Related Threats
  ▫ Malicious Programs
  ▫ The Nature of Viruses
  ▫ Antivirus Approaches
  ▫ Advanced Antivirus Techniques

Malicious Logic

• Malicious logic is a set of instructions that cause a site’s security policy to be violated.
  ▫ Trojan horses
  ▫ viruses
  ▫ worms

Viruses and “Malicious” Programs

• Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).

• Other “Malicious” Programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).

Taxonomy of Malicious Programs

Malicious Programs
  ▫ Need host program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
  ▫ Independent: Bacteria, Worms

Definitions

• Virus - code that copies itself into other programs
• A “Bacteria” replicates until it fills all disk space, or CPU cycles
• Payload - harmful things the malicious program does, after it has had time to spread
• Worm - a program that replicates itself across the network (usually riding on email messages or attached documents (e.g., macro viruses))
• Macro - virus composed of a sequence of instructions that are interpreted rather than executed directly

Definitions

• Boot sector is used to bootstrap a system or mount a disk - executed when the system “sees” the disk for the first time
• Boot sector infector - virus that inserts itself into the boot sector of a disk

Definitions

• TSR - terminate and stay resident virus - stays active in memory after the application has terminated
• Stealth viruses - conceal the infection of files
• Polymorphic - viruses that change form each time they insert themselves into a program

Definitions

• Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

Virus Phases

• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical copy of itself into other programs
• Triggering phase - the virus is activated to perform the function for which it was intended
• Execution phase - the function is performed

Virus Protection

• Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses.
• Do not execute programs (or "macros") from unknown sources (e.g., PS files, Hypercard files, MS Office documents, …)
• Avoid the most common operating systems and email programs, if possible.

Virus Structure (figure)

Virus Techniques

• Stealth viruses
  ▫ Infect OS so that infected files appear normal to user
• Macro viruses
  ▫ A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel)
  ▫ When infected document is opened, virus copies itself into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened)
• Polymorphic viruses
  ▫ Viruses that mutate and/or encrypt parts of their code with a randomly generated key

Types of Viruses

• Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

• Memory-resident Virus - Lodges in main memory as part of the residual operating system.

• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

• Stealth Virus - explicitly designed to hide from Virus Scanning programs.

• Polymorphic Virus - mutates with every new host to prevent signature detection.


Macro Viruses

• Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
• Platform independent.
• Infect documents, delete files, generate email and edit letters.

Antivirus Approaches

• 1st Generation, Scanners: searched files for any of a library of known virus “signatures.” Checked executable files for length changes.
• 2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
• 3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
• 4th Generation, Full Featured: combine the best of the techniques above.
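Added example (not part of the original slides): the first- and second-generation checks above applied to a constructed set of files: a signature scan, a length comparison against a stored baseline, and a cryptographic-hash comparison that catches a same-length in-place patch. The hash check is also the answer to the rootkit slide's point that trojaned binaries can keep the same simple checksum: a modification that preserves an additive checksum does not preserve SHA-256. The signature patterns, file contents and paths here are constructed placeholders, not real malware signatures or real binaries.

```python
"""1st/2nd-generation antivirus checks: signature scan, length and hash baseline (constructed data)."""
import hashlib

# Constructed signature library; these byte patterns are placeholders, not real signatures.
SIGNATURES = {
    "EXAMPLE-SIG-A": b"\x90\x90\xeb\xfe",
    "EXAMPLE-SIG-B": b"INFECTED-BY-EXAMPLE",
}

def scan_signatures(data, signatures=SIGNATURES):
    """1st generation: report every known signature present in the file contents."""
    return sorted(name for name, sig in signatures.items() if sig in data)

def fingerprint(data):
    """Baseline record: length (1st-generation check) and SHA-256 (2nd-generation check)."""
    return {"length": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def build_baseline(files):
    """files: mapping of path -> bytes, taken while the system is known to be clean."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_integrity(files, baseline):
    """Compare current files against the stored baseline and report what changed."""
    findings = {}
    for name, data in files.items():
        base = baseline.get(name)
        if base is None:
            findings[name] = "new file (not in baseline)"
            continue
        cur = fingerprint(data)
        if cur["length"] != base["length"]:
            findings[name] = "length changed"
        elif cur["sha256"] != base["sha256"]:
            findings[name] = "content changed, same length"
    for name in baseline:
        if name not in files:
            findings[name] = "missing"
    return findings

# Constructed clean snapshot and a later snapshot with one appended infection
# and one same-length in-place patch.
CLEAN = {
    "/bin/ls":     b"ELF-stand-in " + b"\x00" * 40,
    "/bin/ps":     b"ELF-stand-in " + b"\x01" * 40,
    "/usr/bin/du": b"ELF-stand-in " + b"\x02" * 40,
}
LATER = {
    "/bin/ls":     CLEAN["/bin/ls"] + b"INFECTED-BY-EXAMPLE",     # appended: length grows
    "/bin/ps":     b"ELF-stand-in " + b"\x01" * 39 + b"\x07",     # patched in place: same length
    "/usr/bin/du": CLEAN["/usr/bin/du"],
}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)
    for path, finding in check_integrity(LATER, baseline).items():
        print(f"{path}: {finding}; signatures: {scan_signatures(LATER[path]) or 'none'}")
```

The baseline itself must be stored where the intruder cannot rewrite it (offline or on read-only media), otherwise step 4 of the network intrusion slide, replacing system files, simply extends to replacing the baseline.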

Advanced Antivirus Techniques

• Generic Decryption (GD)
  ▫ CPU emulator
  ▫ Virus signature scanner
  ▫ Emulation control module
• For how long should a GD scanner run each interpretation?

Advanced Antivirus Techniques

Page 64

Trojans and Viruses

Page 65

Malware

•Malicious code often masquerades as good software or attaches itself to good software

•Some malicious programs need host programs
▫Trojan horses, logic bombs, viruses

•Others can exist and propagate independently
▫Worms, automated viruses

•There are many infection vectors and propagation mechanisms

Page 66

Trojan Horses

•A trojan horse is malicious code hidden in an apparently useful host program

•When the host program is executed, the trojan does something harmful or unwanted
▫User must be tricked into executing the host program
▫In 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP… When executed, it formatted your hard drive.

•Trojans do not replicate
▫This is the main difference from worms and viruses

Page 67

Viruses

•Virus propagates by infecting other programs
▫Automatically creates copies of itself, but to propagate, a human has to run an infected program
 Self-propagating malicious programs are usually called worms

•Viruses employ many propagation methods
▫Insert a copy into every executable (.COM, .EXE)
▫Insert a copy into boot sectors of disks
 “Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC
▫Infect TSR (terminate-and-stay-resident) routines
 By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

Page 68

Evolution of Polymorphic Viruses (1)

•Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code)
▫Virus writers constantly try to foil scanners

•Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body
▫Cascade (DOS), Mad (Win95), Zombie (Win95)
▫Relatively easy to detect because decryptor is constant

•Oligomorphic viruses: different versions of virus have different encryptions of the same body
▫Small number of decryptors (96 for Memorial viruses); to detect, must understand how they are generated

Page 69

Evolution of Polymorphic Viruses (2)

•Polymorphic viruses: constantly create new random encryptions of the same virus body
▫Marburg (Win95), HPS (Win95), Coke (Win32)
▫Virus must contain a polymorphic engine for creating new keys and new encryptions of its body
 Rather than use an explicit decryptor in each mutation, Crypto virus (Win32) decrypts its body by brute-force key search

•Polymorphic viruses can be detected by emulation
▫When analyzing an executable, scanner emulates CPU for a bit. Virus will eventually decrypt and try to execute its body, which will be recognized by scanner.
▫This only works because virus body is constant!
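The following is an added toy model (not part of the slides, not any real product) of the detection-by-emulation idea on this slide, the three GD components from the "Advanced Antivirus Techniques" slide, and the 1st-generation signature scanner from "Antivirus Approaches". The instruction set, the sample image and the signature are all constructed for illustration; key 0 leaves the body in the clear, any other key defeats the static scan but not the emulator, and the step budget shows why "how long to run" matters.

```python
# Added toy model of a generic-decryption (GD) scanner: a tiny CPU emulator runs the
# suspect image for a bounded number of steps, and a signature scanner checks memory
# whenever control enters bytes the program itself overwrote (the decrypted body).
# Instruction set, sample image and signature are constructed for illustration only.

SIG = b"TOY-BODY"                                   # constructed "known" signature
MOV, XORM, INC, DJNZ, JMP, HALT = 0x10, 0x20, 0x30, 0x40, 0x50, 0xFF

def build_sample(key: int) -> bytes:
    """Constructed sample: a 21-byte decryptor (7 x 3-byte insns) followed by the
    body XOR-encrypted with key, so every key yields a different image on disk."""
    body = SIG + bytes([HALT, 0, 0])
    decryptor = bytes([MOV, 0, 21,  MOV, 1, key,  MOV, 2, len(body),  # r0=ptr r1=key r2=count
                       XORM, 0, 1,  INC, 0, 0,  DJNZ, 2, 9,           # loop at 9: mem[r0]^=r1
                       JMP, 21, 0])                                   # jump into the body
    return decryptor + bytes(b ^ key for b in body)

def static_scan(image: bytes) -> bool:
    """1st-generation scanner: the signature must appear verbatim in the file."""
    return SIG in image

def emulate(image: bytes, max_steps: int) -> bool:
    """GD scanner. max_steps is the emulation-control budget: too small and the
    decryptor never finishes, so the body is never seen in the clear."""
    mem, regs, written, pc = bytearray(image), [0] * 256, set(), 0
    for _ in range(max_steps):
        if pc in written: return SIG in mem     # control entered self-written bytes:
        if pc + 3 > len(mem): return False      # scan memory, not the file on disk
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        pc += 3
        if op == MOV:
            regs[a] = b
        elif op == XORM:
            mem[regs[a]] ^= regs[b]
            written.add(regs[a])
        elif op == INC:
            regs[a] = (regs[a] + 1) & 0xFF
        elif op == DJNZ:
            regs[a] = (regs[a] - 1) & 0xFF
            if regs[a]:
                pc = b
        elif op == JMP:
            pc = a
        else:                          # HALT or unknown opcode: nothing decrypted
            return False
    return False                       # budget exhausted without a verdict

if __name__ == "__main__":
    for key in (0x00, 0x5A):           # key 0 leaves the body in the clear
        img = build_sample(key)
        print(hex(key), "static:", static_scan(img), "emulated:", emulate(img, 100))
```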

Page 70

Metamorphic Viruses

•Obvious next step: mutate the virus body, too!

•Virus can carry its source code (which deliberately contains some useless junk) and recompile itself
▫Apparition virus (Win32)
▫Virus first looks for an installed compiler
 Unix machines have C compilers installed by default
▫Virus changes junk in its source and recompiles itself
 New binary mutation looks completely different!

•Many macro and script viruses evolve and mutate their code
▫Macros/scripts are usually interpreted, not compiled

Page 71

Metamorphic Mutation Techniques

•Same code, different register names
▫Regswap (Win32)

•Same code, different subroutine order
▫BadBoy (DOS), Ghost (Win32)
▫If n subroutines, then n! possible mutations

•Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack
▫Zmorph (Win95)
▫Can be detected by emulation because the rebuilt body has a constant instruction sequence

Page 72

Putting It All Together: Zmist

•Zmist was designed in 2001 by Russian virus writer Z0mbie of “Total Zombification” fame

•New technique: code integration
▫Virus merges itself into the instruction flow of its host
▫“Islands” of code are integrated into random locations in the host program and linked by jumps
▫When/if virus code is run, it infects every available portable executable
 Randomly inserted virus entry point may not be reached in a particular execution

Page 73

Simplified Zmist Infection Process

•Pick a Portable Executable binary < 448Kb in size

•Disassemble, insert space for new code blocks, generate new binary

•Insert mutated virus body
▫Split into jump-linked “islands”
▫Mutate opcodes (XOR to SUB, OR to TEST)
▫Swap register moves and PUSH/POP, etc.

•Encrypt virus body by XOR (ADD, SUB) with a randomly generated key, insert mutated decryptor

•Insert random garbage instructions using Executable Trash Generator

•Decryptor must restore host’s registers to preserve host’s functionality

•Randomly insert indirect call OR jump to decryptor’s entry point OR rely on instruction flow to reach it

Page 74

How Hard Is It to Write a Virus?

•498 matches for “virus creation tool” in Spyware Encyclopedia
▫Including dozens of poly- and metamorphic engines

•OverWriting Virus Construction Toolkit
▫“The perfect choice for beginners”

•Biological Warfare Virus Creation Kit
▫Note: all viruses will be detected by Norton Anti-Virus

•Vbs Worm Generator (for Visual Basic worms)
▫Used to create the Anna Kournikova worm

•Many others

Page 75

Thank you
