Rogue Programs. Rogue Programs - Topics. Security in Compu4ng - Chapter 3. l Rogue programs can be classified by the way they propagate

Transcription

1 Rogue Programs Security in Compu4ng - Chapter 3 Rogue Programs - Topics l Rogue programs can be classified by the way they propagate l Virus l Trojan l Worm l Or how they are ac4vated l Time Bomb l Logic Bomb l Back Door Computer Security & Forensics 2

2 Rogue Programs - Topics l A third considera4on is what they do - their payload, for example: l Remote access server e.g. VNC, FTP, HTTP l Key logger l Data dele4on l Security sovware disabler l Denial- of- service awack agent (DoS) Computer Security & Forensics 3 Rogue Program Structure l A rogue program therefore consists of 3 elements l Execu4on Logic l The code required to get the program to run, oven wrapped around legi4mate program code l It will frequently pass back control to infected code once its mission is complete l Propaga4on Code l The code required to either copy itself onto relevant code on the users PC or awach itself to networked data (e.g. s) and get sent across the internet l Payload l The code that does the damage - same payload can be awached to different viruses Computer Security & Forensics 4

3 Running the code l A rogue program such as a Virus or Trojan needs to be run in order to propagate itself l A Trojan usually relies on a user ac4va4ng it but could contain viral elements l A virus may install its offspring on self- execu4ng media l Boot sector of a hard drive, auto- run func4on of CD,DVDs or USB s4cks l Processes running in memory l AWachments l On Windows, document type is no guide to whether document may be executed l It could try to add itself to common ini4alisa4on loca4ons l Start up folders, system processes, 4med system events Computer Security & Forensics 5 Goals for a Virus Writer l A virus writer will usually try to make a virus l Hard to detect l Hard to eradicate l Spread widely l Reinfect with ease l Useful for when it appears to have been cleaned out l Easy to create/modify l If it is simple, it allows for variants to be easily produced l OS independent Computer Security & Forensics 6

4 Rogue Program Structure l Viruses awach themselves to programs in a number of different ways l The varia4on is usually aimed at making them hard to detect, for example, cleaning up aver infec4on/ac4on Virus Virus Virus Program Program OR Program OR Program Computer Security & Forensics 7 Detec4ng Rogue Code l Rogue Programs are detected either by l What they do l Some4mes their ac4vity is recognised which then leads to a search for their loca4on l What they look like - their signature l Virus scanners look for tell- tale sec4ons of machine code or signatures that belong to specific viruses to determine if they are present - these signatures will be dispersed through system sovware/documents l Viruses try to disperse themselves to avoid this detec4on l If code sec4ons are small enough, AV sovware will start to get false posi4ves l Polymorphic viruses change sec4ons of their own code to confuse AV sovware l Scanners can also check known system file sizes to verify that they are correct l Ideally, all O.S. files would have checksums that could be verified before the file/program is used. l Currently this takes too long but may become viable in the future. Computer Security & Forensics 8

5 Virus l Most general term for a rogue program l Derived from biological term for an infec4ous agent l Quite apt given biological and computer viruses use their host system to replicate l AWaches itself to or overwrites machine code on infected system l AWachment is less likely to be detected since the user will no4ce absence of func4oning program l Certain document types contain executable code l Virus can add itself to these macros and hide it s existence l Propagates when the program is run l E.g. Virus can run when user opens document since there is oven an OnOpen event that can be awached to code Computer Security & Forensics 9 Trojans l A program that appears to have one func4on but contains a surprise l Named aver the Trojan Horse of Troy fame where the people of Troy thought they were receiving a giv aver their awackers had given up. The giv was full of soldiers who opened the gates of Troy in the middle of the night - where is Troy now? l Trojan s can be legi4mate looking sovware applica4ons distributed as free ware or share ware (and some4mes pay ware) or even just awachments l Be wary of web sovware offers that promise to scan your computer for security weaknesses - you may get more than you expect l Ad- ware is a frequent, less malicious form of Trojan Computer Security & Forensics 10

6 Trojans - Example l Spam awachments frequently contain malicious code l They are a combina4on of a worm (since they spread through a network via ) and a Trojan since they purport to contain something of interest (e.g. a postcard or picture ) but actually contain a duplica4ng version of themselves (and a picture if you are lucky). l Example: Storm Trojan l Used interes4ng news stories to en4ce readers to open awached video In January 2008 it accounted for 1 in 25 of all s being sent in the world l At one point it managed to raise this to 1 in every 6 of all s... l In 2007, there were over 50,000 variants of the Storm Trojan l It gets worse... Computer Security & Forensics 11 Storm Trojan The Storm worm is figh4ng back against security researchers that seek to destroy it and has them running scared, Interop New York show awendees heard Tuesday. The worm can figure out which users are trying to probe its command- and- control servers, and it retaliates by launching DDoS awacks against them, shuong down their Internet access for days, says Josh Corman, host- protec4on architect for IBM/ISS, who led a session on network threats. As you try to inves4gate [Storm], it knows, and it punishes, he says. It fights back. hwp:// storm- worm- security.html Computer Security & Forensics 12

7 Logic Bomb l Executes malicious code when a certain set of condi4ons are met l The logic element is the fuse l The bomb element is the payload l Can oven be put in place by a malicious insider when system is coded or added via a virus infec4on l Simple cases would be using OpenDocument or PrintDocument events in macros l More complex versions are usually built into the system l May sit dormant for years l If hacker is clever, they could use a rare feature interac4on event to trigger payload l It may be easier to detect malicious payload than the trigger Computer Security & Forensics 13 Backdoor / Trapdoor l Allows unauthorised access to the program or host computer l A malicious insider could simply create undocumented accounts with root level access l A more complex but effec4ve alterna4ve is to develop code that allows an external user to either l Log in to the program l Decrypt/view sensi4ve informa4on l e.g. Password storage applica4ons, banking sovware l Backdoor could use logic / 4me bomb to open access channel l e.g. If user x is disabled then enable account y... l Recent hacking toolkits have been found to have backdoors Computer Security & Forensics 14

8 Worm l A form of virus that propagates via a computer network l Can frequently propagate without human interac4on l Spreads very fast if a network service is common and vulnerable l It may operate at the network service level l Scan local network ports for network services l Once a vulnerable service is detected on a port, service is awacked in a awempt to inject worm code l Common worms use as a propaga4on route l e.g. Look up your address book and send infected to all members l Some worms were ini4ally developed as network tes4ng tools that got a bit out of hand Computer Security & Forensics 15 Preven4ng Infec4on l Use reliable, established sovware vendors l It s dangerous to be on the leading/bleeding edge of the development wave l Test untrusted sovware on an isolated computer l If you think you might be at risk of infec4on, use a machine which contains no sensi4ve data and on which you will not enter sensi4ve informa4on l Only open trusted awachments, even from friends/colleagues l The origin of an is no guarantee of safety since can be spoofed or intercepted l Back up data and in par4cular system files l Use appropriate An4 Virus sovware and ensure they are up to date Computer Security & Forensics 16

9 Examples l SiC, Chapter 3 pages contains further examples of rogue programs l BRAIN Virus - Labelled infected disks as BRAIN, not overtly malicous l AWacked old MS Windows PC l Infected boot sector, hid its executable in upper memory, monitored disk reads l Internet/Morris Worm l Bug in code caused a resource drain on infected computers l Used known Unix services bugs to awack networked machines Computer Security & Forensics 17 Examples - Code Red l Code Red Worm l Exploited a buffer overflow vulnerability in MicrosoV s Internet Informa4on Server (IIS) l In 9 hours it infected 250,000 machines l Infected 12% of all vulnerable servers in the world l Payload l Defaced web sites hosted by IIS l Launched Denial of Service awack against Computer Security & Forensics 18

10 Rogue Programs - Summary Type Virus Trojan Logic Bomb Back door Worm Rabbit Characteris4cs AWaches itself to a program and propagates when the program is run A program that appears to have one func4on but contains a surprise Executes malicious code when a certain set of condi4ons are met Allows unauthorised access to the program or host computer A virus that propagates via a computer network A virus that spreads uncondi4onally with the aim of exhaus4ng resources Computer Security & Forensics 19 Rogue Programs - Summary l We have looked at: l Rogue Program Classifica4ons l Goals of a Virus Writer l Structure l Detec4on l Types and Examples Computer Security & Forensics 20