Malicious Code. Different Malicious Code. Media Publicity. Boot Virus. Virus. Malicious Code an Increasing Problem

Transcription

1 Malicious Code an Increasing Problem Malicious Code mcrowds: Anonymity for the mobile Internet 2 DAV C19 Applied Security Media Publicity Different Malicious Code Malicious code ( Virus ) Virus Worms Malicious Scripts Trojans Logical Bombs Trap doors Replicate 3 DAV C19 Applied Security 4 DAV C19 Applied Security Virus Boot Virus A malicious piece of code that spreads itself from file to file Need a host file Different types of viruses Boot virus Program viruses Macro virus Virus as payload Infected File Hard drive virus Infects the Master Boot Record (MBR) of the hard drive before OS is loaded Spreads via bootable device, e.g. floppy disc 5 DAV C19 Applied Security 6 DAV C19 Applied Security, 1

2 Program Virus Example: Chernobyl/CIH (1998) Infects executable programs on the computer by appending itself to the code Destroys flash BIOS Makes data on hard drive unreadable Was triggered on every 26 th of April Logical bomb functionality 7 DAV C19 Applied Security 8 DAV C19 Applied Security Macro Virus Auto Executing Macros in Word Set of macro commands for a specific application which automatically executes and spreads to that applications documents Normally spread via Office applications (Visual Basic macros in Word, Excel, etc) Macros are spread via attachments Command macro If a macro stored in a global macro file, or attached to a document, has the same name as an existing Word command (e.g. Save file ), the macro is executed whenever a user performs that command 2. Autoexecute A macro named AutoExec in template normal.dot or in global template in Words startup directory is always executed when Word is started 3. Automacro An automacro is executed when a specific event occurs, e.g. opening a document or quitting Word 9 DAV C19 Applied Security 10 DAV C19 Applied Security Example: Concept Virus Malicious Scripts When infected document is opened If not already existing, creates the macro FileSaveAs in the NORMAL.DOT template in Word Also creates macro that contains message: Sub MAIN REM That's enough to prove my point End Sub When user chooses Save As in the menu, the macro FileSaveAs always executes User cannot specify which drive to save to and cannot specify file type Malicious scripts written in JavaScript, VBScript, Active X controls, etc. Hidden in s or web sites. Can also be part of viruses or worms Cross-site scripting vulnerabilities let scripts execute in user s browser or even locally 11 DAV C19 Applied Security 12 DAV C19 Applied Security, 2

3 Trojans Logical Bombs Trojan Horse Programs with hidden malicious functionalities Appears to be screen savers, games, or other useful programs Malicious code programmed to be activated on a specific date/time Action could be everything from format hard drive to display a silly message Often combined with virus/worm (e.g. Chernobyl virus) 13 DAV C19 Applied Security 14 DAV C19 Applied Security Trapdoors Worm A secret entry point into a program that allows someone aware of the trap door to gain access without going through normal security procedures Usually left by programmers for debugging and testing purposes, intentionally or unintentionally A malicious piece of code that spreads itself from computer to computer A worm needs no host file Can spread via attachments LAN or Internet 15 DAV C19 Applied Security 16 DAV C19 Applied Security Example: ILOVEYOU Example: Code Red Starts to spread when uses clicks on an attachment (ILOVEYOU.TXT.vbs) Extension sometimes hidden automatically by Windows The attachment is a malicious Visual Basic Script masked as a text file The script executes locally in Windows Scripting Host, where it first changes registry settings about the privileges of scripts, and then starts to spread itself via for example the contact list Requires human hand to spread, therefore sometimes called virus (e.g. in Stallings book) A worm that spread via HTTP exploiting a bufferoverflow vulnerability Spreads automatically when visiting web site I.e. does not require human hand to spread 17 DAV C19 Applied Security 18 DAV C19 Applied Security, 3

4 Vulnerabilities Vulnerabilities A vulnerability is a security weakness in a program/os that could be exploited by malicious software, e.g. viruses/worms Microsoft rolls out update patches that tries to patch novel vulnerabilities Buffer Overflow Occurs when a program writes more information into the buffer than the space it has allocated in the memory. This allows an attacker to (1) overwrite data that controls the program execution path and (2) hijack the control of the program to (3) execute the attacker s code instead the process code Example: 19 DAV C19 Applied Security 20 DAV C19 Applied Security Vulnerabilities Blended Threats Unvalidated input Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack (by injecting malicious code) backside components through a web application Cross site scripting, script injection, The web application can be used as a mechanism to transport an attack to an end user s browser Clicking links in web pages or s, etc, lets remote (malicious) scripts execute in the user s browser Advanced malicious code that combines the characteristics of viruses, worms, Trojans and malicious scripts are sometimes called blended Threats Exploit vulnerabilities in programs or operating systems Nowadays often Microsoft OS/apps Why is that? 21 DAV C19 Applied Security 22 DAV C19 Applied Security Blended Threats Example: Appix (Sep, 2002) Worms are spread by exploiting vulnerabilities and often does not require human intervention 2 nd generation of worms automatically searches for vulnerable computers and infects them Whole Internet can be infected in less than 20 minutes A combined worm, virus and Trojan horse Exploits vulnerabilities in Outlook Express and Internet Explorer Can infect directly from a web page Uses an own SMTP server Spreads via , KaZaA or edonkey2000 Kills anti virus software and personal firewalls 23 DAV C19 Applied Security 24 DAV C19 Applied Security, 4

5 Example: Sasser (May, 2004) Viruses in Mobile Phones Starts up an FTP server and automatically scans randomly chosen IP addresses for vulnerabilities 128 threads that scans IP addresses are started System will be very slow Stops user from shutting down computer Mobile phones starting to behave like small computers with Internet access Not to mention PDAs The virus problem will probably spread to mobile phones in the near future 25 DAV C19 Applied Security 26 DAV C19 Applied Security Viruses in Mobile Phones Viruses in Mobile Phones Spring 2005 Fall DAV C19 Applied Security 28 DAV C19 Applied Security Hacker Tools Example: Back Orifice Back Orifice Remotely control other computers. Similar programs: NetBus 29 DAV C19 Applied Security 30 DAV C19 Applied Security, 5

6 Hacker Tools Spyware Trojans are often used as hacker tools IP scanners, port scanners, network sniffers, proxy servers, etc Information is sent to hacker via ICQ, MSN, mail, Trojans could also act as servers (FTP, HTTP, WAP, POP3, IRC, etc) Your computer could be a server sending SPAM s A.k.a. advertising supported software (adware) Invisible programs/servers that collects and reports information about users Used for directed marketing Users may get free licenses if they accept spyware or they may not know that they installed spyware 31 DAV C19 Applied Security 32 DAV C19 Applied Security Anti Virus Software Antivirus Software and Firewalls Defensive components in anti virus software I. Detection II. Identification III. Removal Virus Actions Uninfected program code Compressed program code + virus File size mcrowds: Anonymity for the mobile Internet 34 DAV C19 Applied Security Anti Virus Software Anti Virus Software 1 st generation: simple scanners Search for bit patterns ( signatures ), length of files 2 nd generation: heuristic scanners Search for viruses using heuristic rules 3 rd generation: activity traps Memory resident program that detect viruses based on their actions 4 th generation: combined techniques Combines the abovementioned techniques with access control measures Arms race : stronger antivirus software creates more advanced viruses: Memory resident viruses Infects master boot record of hard drive Hiding Stealth viruses Mutating polymorphic viruses Multiple versions of same virus 35 DAV C19 Applied Security 36 DAV C19 Applied Security, 6

7 Firewalls Firewalls Should preferably control both ingoing and outgoing traffic Windows XP firewall controls only ingoing traffic Trojans can start up servers on the inside Firewall should preferable inspect packets on the application layer Network layer based packet filters do not provide adequate protection New worms/viruses often tries to kill firewall and anti virus processes Tunneled Worms Tunnel IP packet within other IP packet to hide real IP header Tunneling program can be built in in Trojans Tunneled IP packet 37 DAV C19 Applied Security 38 DAV C19 Applied Security, 7