Malicious Software
Ola Flygt, Växjö University, Sweden
http://w3.msi.vxu.se/users/ofl/
Ola.Flygt@vxu.se, +46 470 70 86 49




Outline
- Viruses and Related Threats
- Malicious Programs
- The Nature of Viruses
- Antivirus Approaches
- Advanced Antivirus Techniques
- DDoS Attacks and Countermeasures

Viruses and Malicious Programs
- Computer viruses and related programs have the ability to replicate themselves on an ever increasing number of computers.
- They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a "worm").
- Other malicious programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors, and logic bombs).

Taxonomy of Malicious Programs
[Figure: taxonomy diagram of malicious programs; not reproduced in the transcription.]

Backdoor or Trapdoor
- secret entry point into a program
- allows those who know of it to gain access, bypassing the usual security procedures
- have been commonly used by developers
- a threat when left in production programs, where they can be exploited by attackers
- very hard to block in the OS

Logic Bomb
- one of the oldest types of malicious software
- code embedded in a legitimate program
- activated when specified conditions are met, e.g., presence/absence of some file, a particular date/time, a particular user
- when triggered, typically damages the system: modifies/deletes files or disks, halts the machine, etc.

Trojan Horse
- program with hidden side-effects which is usually superficially attractive (e.g., a game, a s/w upgrade, etc.)
- when run, performs some additional tasks
- allows an attacker to indirectly gain access they do not have directly
- often used to propagate a virus/worm or install a backdoor, or simply to destroy data
- e.g., "Mail the password file."

Zombie
- program which secretly takes over another networked computer
- then uses it to indirectly launch attacks (difficult to trace the zombie's creator)
- often used to launch distributed denial of service (DDoS) attacks
- exploits known flaws in network systems

Bacteria
- a bacteria replicates until it fills all disk space or CPU cycles.

Worms
- a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses).
- similar to a virus, but spreads across the network instead of between files.

Viruses
- a piece of self-replicating code attached to some other code
- attaches itself to another program and executes secretly when the host program is executed
- propagates itself and carries a payload: code to make copies of itself as well as code to perform some covert task

Virus Phases
- Dormant phase: the virus is idle
- Propagation phase: the virus places an identical copy of itself into other programs
- Triggering phase: the virus is activated to perform the function for which it was intended
- Execution phase: the function is performed
- Details are usually machine/OS specific, exploiting features/weaknesses

Virus Structure

    program V :=
    {goto main;
     1234567;
     subroutine infect-executable :=
       {loop:
          file := get-random-executable-file;
          if (first-line-of-file = 1234567)
             then goto loop
             else prepend V to file;
       }
     subroutine do-damage :=
       {whatever damage is to be done}
     subroutine trigger-pulled :=
       {return true if condition holds}
    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
    next:
    }

(The marker 1234567 is the virus's own infection signature: a file whose first line already carries it is skipped so that it is not infected twice.)

Types of Viruses
- Parasitic virus: attaches itself to executable files as part of their code. Runs whenever the host program runs.
- Memory-resident virus: lodges in main memory as part of the resident operating system.
- Boot sector virus: infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
- Stealth virus: explicitly designed to hide from virus scanning programs.
- Polymorphic virus: mutates with every new host to prevent signature detection.
- Metamorphic virus: mutates with every infection, but rewrites itself completely every time, making it extremely difficult to detect.

A Compression Virus
[Figure: compression-virus diagram; not reproduced in the transcription.]

Macro Viruses
- Microsoft Office applications allow macros to be part of the document.
- The macro could run whenever the document is opened, or when a certain command is selected (Save File).
- Platform independent.
- Infect documents, delete files, generate email and edit letters.

Email Virus
- spread using email with an attachment containing a macro virus
- triggered when the user opens the attachment, or worse, even when the mail is merely viewed, by using scripting features in the mail agent
- hence propagates very quickly
- usually targeted at the Microsoft Outlook mail agent and Word/Excel documents

Worms
- replicating but not infecting program (does not attach itself to a program)
- typically spreads over a network (Morris Internet Worm in 1988)
- using users' distributed privileges or by exploiting system vulnerabilities
- worms perform unwanted functions
- widely used by hackers to create zombie PCs, subsequently used for further attacks, esp. DoS
- major issue is the lack of security of permanently connected systems, esp. PCs
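A mail gateway or endpoint agent can apply the "do not run macros from unknown sources" rule mechanically by refusing, or quarantining, Office attachments that carry a VBA project. The Python check below is an added example written for this page, not part of the slides. It inspects zip-based Office Open XML attachments for the two indicators that a macro is present (a vbaProject.bin part and a macro-enabled content type in the manifest); the sample documents it scans are constructed in memory and contain no real macro code. Legacy OLE formats (.doc, .xls) are outside its scope and would need an OLE parser.

```python
import io
import zipfile

# Content types Office assigns to macro-enabled main parts (.docm/.xlsm/.pptm).
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_DOCX_TYPE = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons an OOXML attachment should be treated as
    macro-bearing, or [] when none is found. Only zip-based formats are
    inspected; anything that is not a zip is reported as such."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip-based Office document"]
    names = zf.namelist()
    # Indicator 1: the VBA project is stored as a binary part named vbaProject.bin.
    for name in names:
        if name.lower().endswith("vbaproject.bin"):
            reasons.append(f"VBA project part present: {name}")
    # Indicator 2: the content-types manifest declares a macro-enabled main part.
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        for ctype in MACRO_ENABLED_TYPES:
            if ctype in manifest:
                reasons.append(f"macro-enabled content type: {ctype}")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal in-memory OOXML document for the demonstration.
    The vbaProject.bin content is placeholder bytes, not a real VBA project."""
    main_type = MACRO_ENABLED_TYPES[0] if with_macro else PLAIN_DOCX_TYPE
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, find_macro_indicators(sample))
```

Both indicators are checked because a renamed file (.docm saved as .docx) keeps its manifest, while a hand-edited manifest still leaves the vbaProject.bin part in place; an attachment that trips either check is held for review rather than delivered.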

Worm Operation
- a worm has phases like those of viruses:
  - dormant
  - propagation: search for other systems to infect; establish a connection to the target remote system; replicate itself onto the remote system
  - triggering
  - execution

Morris Worm
- one of the best known classic worms
- released by Robert Morris in 1988
- targeted Unix systems
- used several propagation techniques: simple password cracking of the local password file; exploiting a bug in the finger daemon; exploiting a debug trapdoor in the sendmail daemon
- if any attack succeeded, it replicated itself

Malicious Software Protection
- Have well-known virus protection and anti-spybot programs etc., configured to scan disks and downloads automatically for known viruses.
- Do not execute programs (or "macros") from unknown sources (e.g., PS files, HyperCard files, MS Office documents).
- Avoid the most common operating systems and email programs, if possible.

Malicious Software Protection
- Best countermeasure is prevention (do not allow a virus to get into the system in the first place).
- But in general this is not possible.
- Hence need to do one or more of:
  - detection: of viruses in an infected system
  - identification: of the specific infecting virus
  - removal: restoring the system to a clean state

Antivirus Approaches
- 1st generation, scanners: searched files for any of a library of known virus signatures. Checked executable files for length changes.
- 2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
- 3rd generation, activity traps: stay resident in memory and look for certain patterns of software behaviour (e.g., scanning files).
- 4th generation, full featured: combine the best of the techniques above: scanning and activity traps, access controls, etc.

Advanced Antivirus Techniques
- Generic Decryption (GD): a CPU emulator, a virus signature scanner, and an emulation control module. For how long should a GD scanner run each interpretation?
- Digital Immune System (next page)
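The first two generations above reduce to two concrete checks: match known byte signatures, and notice when an executable's length or hash has changed since it was last known clean. The following Python code is an added example for this page, not the slides' own material: signature_scan implements the first check and build_baseline/check_integrity the second. The signature table, the file contents and the "infection" (a marker prepended to one constructed file in a temporary directory) are all constructed for the demonstration; no real malware patterns are involved.

```python
import hashlib
import os
import tempfile

# Constructed signatures for the demonstration. A real scanner loads a
# signature database; these names and byte patterns are placeholders only.
SIGNATURES = {
    "Example.Sig.A": b"\x90\x90\xe8\x00\x00\x00\x00",
    "Example.Sig.B": b"EXAMPLE-PAYLOAD-MARKER",
}


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """1st-generation check: names of every known signature found in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def file_fingerprint(path: str) -> tuple:
    """(size, sha256) of a file: the length check and the hash check together."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths) -> dict:
    """Record size and hash of each executable while the system is believed clean."""
    return {p: file_fingerprint(p) for p in paths}


def check_integrity(baseline: dict) -> dict:
    """2nd-generation check: compare current size/hash against the baseline.
    Returns {path: reason} for every file that differs or has disappeared."""
    findings = {}
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        size, digest = file_fingerprint(path)
        if size != size0:
            findings[path] = f"length changed {size0} -> {size}"
        elif digest != digest0:
            # Same length but different bytes: an overwrite rather than a prepend.
            findings[path] = "content changed, length unchanged"
    return findings


def demo() -> tuple:
    """Baseline two constructed 'executables', alter one, and rescan.
    Returns (signatures found in the altered file, integrity findings by name)."""
    with tempfile.TemporaryDirectory() as d:
        tool_a = os.path.join(d, "tool_a.bin")
        tool_b = os.path.join(d, "tool_b.bin")
        with open(tool_a, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 64)   # 68 constructed bytes
        with open(tool_b, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)
        baseline = build_baseline([tool_a, tool_b])

        # Simulate the effect of a parasitic infection: bytes prepended to tool_a.
        with open(tool_a, "rb") as f:
            original = f.read()
        with open(tool_a, "wb") as f:
            f.write(b"EXAMPLE-PAYLOAD-MARKER" + original)

        with open(tool_a, "rb") as f:
            sigs = signature_scan(f.read())
        changes = check_integrity(baseline)
        return sigs, {os.path.basename(p): r for p, r in changes.items()}


if __name__ == "__main__":
    print(demo())
```

The length check alone is what the slides' first generation did; the hash comparison catches the case the length check misses (same-size overwrite), which is why the second generation added it. Neither check sees a file that was never baselined, so the baseline must be taken on a system known to be clean.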

Digital Immune System
[Figure: digital immune system diagram; not reproduced in the transcription.]

Behavior-Blocking Software
- integrated with the host OS
- monitors program behavior in real time, e.g., file access, disk format, executable modifications, system settings changes, network access, for possibly malicious actions
- if detected, can block and/or terminate
- has an advantage over scanners
- but malicious code runs before detection
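A behavior blocker is essentially a rule engine fed by the OS's event stream. The Python code below is an added example for this page, not a product's or the slides' code: it evaluates a constructed sequence of (timestamp, pid, action, target) events against rules for the behaviours the slide lists (writes to system executables, disk formatting, persistence-related settings changes, mass file modification) and returns a per-process verdict. The event records, paths and thresholds are invented for the demonstration.

```python
from collections import defaultdict

EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/")

# Constructed events as a host monitor might emit them: (ts_seconds, pid, action, target).
SAMPLE_EVENTS = [
    (0.0, 101, "file_read", "/home/user/report.doc"),
    (0.5, 101, "file_write", "/home/user/report.doc"),
    (1.0, 202, "file_write", "/usr/bin/ls"),
    (1.2, 202, "file_write", "/usr/bin/cat"),
    (1.3, 202, "net_connect", "203.0.113.7:25"),
    (2.0, 303, "disk_format", "/dev/sda1"),
    (2.5, 404, "setting_change", "system/autostart/run-entry"),
]
# A process touching 25 user documents in 2.5 seconds (constructed).
SAMPLE_EVENTS += [(3.0 + i * 0.1, 505, "file_write", f"/home/user/doc{i}.txt")
                  for i in range(25)]


def classify_event(event) -> tuple:
    """Single-event rules. Returns (verdict, reason) or (None, None)."""
    _ts, _pid, action, target = event
    if action == "disk_format":
        return "block", "disk format attempt"
    if action == "file_write" and target.startswith(EXEC_DIRS):
        return "block", "modification of system executable"
    if action == "setting_change" and "autostart" in target:
        return "alert", "persistence-related settings change"
    return None, None


def evaluate(events, mass_write_threshold=20, window=5.0) -> tuple:
    """Replay events in time order. Returns ({pid: verdict}, {pid: [reasons]}).
    A verdict of 'block' is sticky; 'alert' upgrades 'allow' only. The rate rule
    fires when a process writes mass_write_threshold files within window seconds.
    Note the limitation the slide states: the event that trips a rule has
    already happened when the verdict is produced."""
    decisions = {}
    reasons = defaultdict(list)
    recent_writes = defaultdict(list)
    for event in sorted(events):
        ts, pid, action, _target = event
        decisions.setdefault(pid, "allow")
        verdict, why = classify_event(event)
        if verdict:
            if why not in reasons[pid]:
                reasons[pid].append(why)
            if verdict == "block" or decisions[pid] == "allow":
                decisions[pid] = verdict
        if action == "file_write":
            recent_writes[pid] = [t for t in recent_writes[pid] if ts - t <= window]
            recent_writes[pid].append(ts)
            if (len(recent_writes[pid]) >= mass_write_threshold
                    and "mass file modification" not in reasons[pid]):
                reasons[pid].append("mass file modification")
                if decisions[pid] == "allow":
                    decisions[pid] = "alert"
    return decisions, dict(reasons)


if __name__ == "__main__":
    verdicts, why = evaluate(SAMPLE_EVENTS)
    for pid in sorted(verdicts):
        print(pid, verdicts[pid], why.get(pid, []))
```

Process 202 is blocked only after its first write to /usr/bin/ls has completed, which is the "malicious code runs before detection" caveat in practice; a deployment would pair this with the integrity baseline so that the already-modified file is found and restored.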

Distributed Denial of Service Attacks (DDoS)
- DDoS attacks form a significant security threat
- making networked systems unavailable by flooding them with useless traffic using large numbers of zombies
- growing sophistication of attacks
- defense technologies struggling to cope

Distributed Denial of Service Attacks (DDoS)
[Figure: DDoS attack architecture diagram; not reproduced in the transcription.]

Direct DDoS Attack
[Figure: direct DDoS attack diagram; not reproduced in the transcription.]

Reflector DDoS Attack
[Figure: reflector DDoS attack diagram; not reproduced in the transcription.]

DDoS Countermeasures
- three broad lines of defense:
  1. attack prevention and preemption (before)
  2. attack detection and filtering (during)
  3. attack source traceback and identification (after)
- huge range of attack possibilities, hence evolving countermeasures

Summary
- have considered:
  - various malicious programs: trapdoor, logic bomb, trojan horse, zombie
  - viruses
  - worms
  - countermeasures
  - distributed denial of service attacks
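The second line of defense, detection and filtering during the attack, is the one that can be shown in a few lines. The Python below is an added example written for this page, not the slides' material: it buckets packet records into one-second windows per destination, flags a window in which a destination receives more packets than a threshold from at least a minimum number of distinct sources (the "large numbers of zombies" pattern that separates a flood from one busy client), and derives the source list a filter would rate-limit. The traffic, addresses (TEST-NET ranges) and thresholds are constructed for the demonstration.

```python
from collections import defaultdict

VICTIM = "192.0.2.10"


def constructed_traffic() -> list:
    """Constructed packet records (ts_seconds, src, dst): 20 ordinary clients
    sending 3 packets each at t=0s, then 200 zombies sending 4 packets each at t=5s."""
    records = []
    for i in range(20):
        for k in range(3):
            records.append((i * 0.04 + k * 0.01, f"192.0.2.{100 + i}", VICTIM))
    for i in range(200):
        for k in range(4):
            records.append((5.0 + (i * 4 + k) * 0.001, f"203.0.113.{i}", VICTIM))
    return records


def bucket_counts(records, window=1.0) -> tuple:
    """Aggregate records into per-(bucket, dst) packet counts and source sets."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst in records:
        key = (int(ts // window), dst)
        counts[key] += 1
        sources[key].add(src)
    return counts, sources


def detect_floods(records, window=1.0, pkt_threshold=500, min_sources=50) -> list:
    """Return [(bucket, dst, packets, distinct_sources)] for every window in which
    dst receives more than pkt_threshold packets from at least min_sources
    distinct sources. The source-count condition keeps a single chatty but
    legitimate client from being reported as a distributed flood."""
    counts, sources = bucket_counts(records, window)
    return sorted(
        (bucket, dst, n, len(sources[(bucket, dst)]))
        for (bucket, dst), n in counts.items()
        if n > pkt_threshold and len(sources[(bucket, dst)]) >= min_sources
    )


def build_filter(records, findings, window=1.0, allow_list=frozenset()) -> list:
    """Sources that sent traffic to a flagged destination during a flagged window,
    minus an operator allow-list. This is the candidate set for rate limiting;
    it is not proof that each address is a zombie, since source addresses can be spoofed."""
    flagged = {(bucket, dst) for bucket, dst, _n, _s in findings}
    return sorted({src for ts, src, dst in records
                   if (int(ts // window), dst) in flagged and src not in allow_list})


if __name__ == "__main__":
    traffic = constructed_traffic()
    floods = detect_floods(traffic)
    print("flood windows:", floods)
    print("sources to rate-limit:", len(build_filter(traffic, floods)))
```

The quiet window at t=0 (60 packets from 20 sources) is below both thresholds and is not reported; the window at t=5 is. Because the filter is keyed on source addresses, a reflector attack, where the visible sources are innocent servers answering spoofed requests, would need a rule on the response pattern instead, which is why the slides list source traceback as a separate, later line of defense.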