Running code securely: an overview of threats and countermeasures
Almut Herzog
Lecture on Network Security

Overview of protective technology for end users
- anti-virus software
- anti-spyware
- personal firewall
- backup
- encryption: SSL and other network encryption, SSH, file encryption, password storage
- knowledge
- smooth surface: keep updated, shut down unnecessary services
Almut Herzog 1
Source: Peter Ször. The Art of Computer Virus Research and Defense. Addison-Wesley, 2005.

Malicious code: some names, not a taxonomy
- Virus: a program that recursively and explicitly copies a possibly evolved version of itself.
- Worm: a network virus; mailers and mass-mailer worms, octopus (exists on more than one computer on the network), rabbit (single copy that moves around)
- Logic bombs: programmed malfunction of a legitimate application; Easter eggs (non-malicious, give credit to developers, e.g. MS Flight Simulator; spyware? adware?)
- Trojan horse: useful functionality to entice, or subversion of an existing tool (ps, ls, password, logon screen); backdoors (listen on a port)
- Germs: first-generation virus, not attached to an infected file but plain, readable code
- Exploits: specific to one or more vulnerabilities; show that a vulnerability can be exploited
- Downloaders: install a set of other items on a machine
- Dialers: modem users are directed to a premium-rate Internet connection
- Droppers: installer for first-generation virus code
- Injectors: dropper that installs virus code in memory; also network injectors
- Auto-rooters: break into new machines using an exploit to gain root access automatically
- Kits (virus generators): generate new computer viruses automatically
- Spammer programs: send unsolicited messages (spim: instant messaging, spit: SMS)
- Flooders: stage a DoS attack
- Keyloggers: capture keystrokes
- Rootkits: used after an attacker has broken into a computer system and gained root-level access, to change legitimate programs into Trojan horses
- Miscellaneous: joke programs (lock screen randomly), hoaxes (chain letters), adware, spyware
Self-protection techniques (how viruses protect themselves from being found)
- tunnelling: the virus installs on the layer below, preferably on the very lowest layer
- armoured virus: armoured against (fast) attempts by anti-virus analysts to find out about the virus code: encryption, obfuscation, matching checksums rather than strings, anti-debugging
- aggressive retrovirus: disables countermeasures
- code evolution: encryption; oligomorphic (changes the decryptor), polymorphic (mutates the decryptor), metamorphic (evolves the code: NOP insertion, recompile on host, ...)
Classification according to payload
- no payload: the virus replicates only; accidentally destructive
- non-destructive: display a message, open/close the CD tray etc.
- somewhat destructive: flip bitmap, stop a service
- highly destructive: overwrite data (format HD), data diddler, encrypt, HW destruction (overheat), DoS on local or remote host, steal data

File infection strategies
- Overwriting virus: overwrites/destroys a file on disk with virus code, usually starting at the beginning of the file
- Random overwriting virus: overwrites at a random position in the host file; may not execute, but destroys the host
- Appending virus: appends virus code to the host code; the host starts by jumping (JMP) to the end
[Figure: overwriting virus that changes the host size; overwriting virus that does not change the host size; random overwriting virus; appending virus with a JMP from the host start to the appended code]
File infection strategies (continued)
- Prepending virus: virus code first, then the full host code
- Classic parasitic virus: prepends virus code and appends the overwritten code to the end of the host file
- Amoeba infection: prepends + appends virus code
[Figure: prepending virus (head), classic parasitic virus, amoeba (tail)]

File infection strategies (continued)
- Cavity virus: does not increase the file size; overwrites unused portions of the host file
- Fractioned cavity virus: virus code scattered in the file; the program starts with a modified entry point that points to the virus code
- Compressing virus: compresses the host file to hide the size increase due to the virus code; infection = virus code + decompressor
[Figure: packed host with cavity virus, compressing virus]
File infection strategies (continued)
- Embedded decryptor: the decryptor is scattered in the host file and the overwritten code is saved at the end; the host starts by invoking the decryptor, which uncompresses and launches the appended virus code
- Embedded decryptor and virus body: both decryptor and virus body are scattered in the file; the overwritten parts are appended
[Figure: JMP to the scattered decryptor blocks, saved blocks at the end, embedded encryptor]

File infection strategies (continued)
- Entry-point obscuring (EPO): an arbitrary instruction is replaced by a jump to the virus code
[Figure: (1) the first instruction at the entry point (EP) is a JMP to the virus code; (2) an arbitrary instruction is replaced by a JMP to the virus code]
File infection strategies (continued)
- Possible future infection techniques: code builders (build the virus out of the legal host instructions)
[Figure: a builder assembling V + I + R + U + S out of instructions found in the host, reached by a JMP]

In-memory strategies
- single-tasking operating system
  - non-resident/direct action: the virus code looks for new targets to infect before letting the host program run
  - memory-resident: the virus code loads itself into memory (stays resident) and then lets the host program run; hooks the interrupt handler
  - swapping virus: executed upon an interrupt; finds the target of attack, infects and terminates
- multi-tasking operating system: viruses in processes, threads
Worms
- worm = network virus; does not need to infect files to propagate
- structure of a worm:
  1. target locator: finds new victims in address books, news groups, search engines, or by contacting more or less random IP addresses
  2. infection propagator: transfers to the new node and gets control through e-mail with social engineering, a backdoor, or exploiting a vulnerability
  3. (optional) remote control, so the author can control infected nodes
  4. (optional) life-cycle manager, if the worm commits suicide
  5. (optional) payload: many do not have any; DoS, spam relay
  6. (optional) self-tracker: sends away information about the spread
- future of worms: worm communication protocol and plug-in API

Anti-virus software
- on-demand scanning
- on-access scanning: memory-resident, hooks interrupts, scans files when they are opened, created or closed
  - challenge: must do all the searching in a limited amount of time
  - scan only the first and last 2, 4 or 8 KB of a file
  - scan only around the entry point (after the first jump or call instruction)
  - earlier: access the raw disk; today: too many file systems and disk controllers
Anti-virus software strategies
- first-generation: search pre-defined areas of files or system areas for given signature strings; wildcards, mismatches (slow), bookmarks (offset to the virus body start + offset to the virus detection string)
- second-generation: no more NOP confusion, two signatures, compare a checksum of constant bytes
- algorithmic scanning: signatures have evolved into code
- code emulation
- geometric detection, integrity checks
- heuristics for detecting previously unknown viruses: code execution starts in the last section, suspicious flags, incorrect virtual size, suspicious code redirection
- inoculation
- access control, sandbox

Disinfection
- Erase the virus from disk: the reverse of the infection strategy; only possible if the virus has not destroyed the host program
- Terminate the infected process, which may not be so easy: keep-alive/twin processes, multiple infected processes
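The two anti-virus slides above describe a scanner that must finish in limited time (so it looks only at the first and last few KB of a file and a window after the entry point) and that matches first-generation string signatures with wildcards or second-generation checksums of constant bytes. The following toy scanner, added here as an illustration and not code from the lecture or from Ször's book, puts those three ideas together. Everything about the "file" is constructed: there is no real executable format, the entry point is simply a number passed in, and the marker bytes, the constant block and the signatures are invented for the demonstration.

```python
# Added example (not from the lecture): toy signature scanner with wildcard string
# signatures, checksum signatures over constant bytes, and region-limited scanning
# (first/last 8 KB plus a window after the entry point). All samples are constructed.
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEAD_BYTES = 8 * 1024      # scan this much from the start of the file ...
TAIL_BYTES = 8 * 1024      # ... this much from the end ...
ENTRY_WINDOW = 4 * 1024    # ... and this much after the entry point


@dataclass
class StringSignature:
    name: str
    pattern: List[Optional[int]]   # one int per byte; None is a wildcard ("??")


@dataclass
class ChecksumSignature:
    name: str
    rel_offset: int   # start of the constant block, relative to the entry point
    length: int       # number of constant bytes to checksum
    crc32: int        # expected CRC-32 of those bytes


def parse_pattern(text: str) -> List[Optional[int]]:
    """'DE AD ?? BE EF' -> [0xDE, 0xAD, None, 0xBE, 0xEF]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, off: int, pattern: List[Optional[int]]) -> bool:
    if off < 0 or off + len(pattern) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(pattern))


def scan_regions(size: int, entry_point: int) -> List[Tuple[int, int]]:
    """The only byte ranges the scanner looks at, instead of the whole file."""
    return [
        (0, min(HEAD_BYTES, size)),
        (max(0, size - TAIL_BYTES), size),
        (max(0, entry_point), min(size, entry_point + ENTRY_WINDOW)),
    ]


def scan(data: bytes, entry_point: int,
         string_sigs: List[StringSignature],
         checksum_sigs: List[ChecksumSignature]) -> Optional[Tuple[str, int]]:
    """Return (signature name, offset) of the first hit, or None if nothing matched."""
    for start, end in scan_regions(len(data), entry_point):
        for sig in string_sigs:
            for off in range(start, end):
                if matches_at(data, off, sig.pattern):
                    return sig.name, off
    for sig in checksum_sigs:
        start = entry_point + sig.rel_offset
        block = data[start:start + sig.length]
        if len(block) == sig.length and zlib.crc32(block) == sig.crc32:
            return sig.name, start
    return None


# --- constructed sample files -----------------------------------------------
ENTRY_POINT = 0x100                   # constructed: where the toy "executable" starts
FILLER = bytes(range(256)) * 256      # 64 KiB standing in for clean host code
MARKER = bytes.fromhex("DE AD 00 BE EF")   # constructed "virus" bytes (never occur in FILLER)
STUB = bytes.fromhex("A1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90")  # constructed constant block

DEMO_TAIL_SIG = StringSignature("Demo.Appender", parse_pattern("DE AD ?? BE EF"))
DEMO_STUB_SIG = ChecksumSignature("Demo.Stub", rel_offset=0, length=len(STUB),
                                  crc32=zlib.crc32(STUB))


def patch(data: bytes, off: int, blob: bytes) -> bytes:
    """Return a copy of data with blob written over the bytes at offset off."""
    return data[:off] + blob + data[off + len(blob):]


def build_samples() -> dict:
    return {
        "clean": FILLER,
        # marker inside the last 8 KB: where an appending virus would leave it
        "appended": patch(FILLER, len(FILLER) - 1024, MARKER),
        # the same marker in the middle of the file: outside every scanned region
        "hidden": patch(FILLER, 30000, MARKER),
        # constant block placed right at the entry point
        "stubbed": patch(FILLER, ENTRY_POINT, STUB),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, scan(data, ENTRY_POINT, [DEMO_TAIL_SIG], [DEMO_STUB_SIG]))
```

The "hidden" sample is the point of the exercise: the same bytes that are caught in the tail go unnoticed in the middle of the file, which is the price paid for the limited-time scan, and why the slide's later generations add checksums, emulation and heuristics rather than relying on string search alone.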
Spyware
Def.: "Any software intended to aid an unauthorised person or entity in causing a computer, without the knowledge of the computer's user or owner, to divulge private information." Also: "software programs that act as data sensors and illicitly collect and transmit information about end users, and then send it back to a third party."
Sources: pop-ups, free downloads, shareware, drive-by downloads

Spyware classification
- cookies and web bugs: invisibly keeping track of people
- adware
- browser hijackers, browser changers, browser plugins: alter the start page, change browser security settings, insert toolbars/buttons, spoof sites, deny access to sites, monitor surfing habits
- extortionware: installs spyware, informs the user and demands payment to uninstall
- keyloggers: capture every keystroke (passwords, credit card information)
- tracks, spybots
- trojan, bundleware: masks as a harmless or desirable application
Spyware effects
- slows down the computer (at strange rates/patterns), especially at start-up
- destabilises the computer
- hijacks the browser start page
- prevents starting certain programs (IE, anti-virus, anti-spyware)
- cannot be removed
- hidden tasks
- privacy: data collection

Anti-spyware
Much like anti-virus software:
- signature-based
- behaviour-based (Windows Defender)
- mixture
For testing: http://www.spycar.org/spycar.html
Personal firewall
- (all) realised in software
- (all) make the computer invisible by not answering any packets; drop all unsolicited incoming packets
- (all) control incoming connections
- (some) control outgoing connections

Personal firewalls: problems
- A software firewall resides on the target of the attack.
- Evil programs may attach themselves with DLLs to regular programs.
- An evil process may modify the memory of an allowed application.
- An attacker can use a driver to inject packets below the level where the process filtering is done, and then only has to worry about the packet filter.
- Malware can change the firewall rules.
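The slide lists what a personal firewall does (drop unsolicited inbound packets silently, control inbound connections, and in some products control which programs may connect out). The following toy stateful firewall, added here as an illustration and not part of the lecture or any product, models exactly those four behaviours with a connection table: an allowed outgoing packet records a flow, inbound packets are accepted only if they belong to a recorded flow or match an explicit inbound rule, and everything else is dropped without any reply. The IP addresses, program names and rules are constructed, as is the `app` field that stands in for the operating system's attribution of a packet to a process.

```python
# Added example (not from the lecture): toy stateful personal firewall. Addresses,
# program names and rules are constructed; `app` stands in for the OS's process attribution.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # proto, local ip, local port, remote ip, remote port
InboundRule = Tuple[str, int, str]         # proto, local port, remote ip allowed to connect in


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" (sent by a local process) or "in" (arrived from the network)
    app: str = ""       # process the OS attributes the packet to (outgoing packets only)


@dataclass
class PersonalFirewall:
    local_ip: str
    allowed_apps: Set[str]                              # programs that may connect out
    inbound_rules: Set[InboundRule] = field(default_factory=set)
    flows: Set[FlowKey] = field(default_factory=set)    # connection table
    log: List[str] = field(default_factory=list)

    def _key(self, p: Packet) -> FlowKey:
        # Normalise both directions to (local endpoint, remote endpoint).
        if p.direction == "out":
            return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _verdict(self, verdict: str, p: Packet, why: str) -> str:
        self.log.append(f"{verdict} {p.direction} {p.proto} {p.src_ip}:{p.src_port}"
                        f"->{p.dst_ip}:{p.dst_port} ({why})")
        return verdict

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if p.direction == "out":
            if key in self.flows:
                return self._verdict("ACCEPT", p, "reply on an established inbound flow")
            if p.app not in self.allowed_apps:
                return self._verdict("DROP", p, f"outgoing connection by unapproved program {p.app!r}")
            self.flows.add(key)           # remember the flow so its replies can come back
            return self._verdict("ACCEPT", p, "outgoing, flow recorded")
        if key in self.flows:
            return self._verdict("ACCEPT", p, "reply to an established flow")
        if (p.proto, p.dst_port, p.src_ip) in self.inbound_rules:
            self.flows.add(key)
            return self._verdict("ACCEPT", p, "inbound allowed by explicit rule")
        # Unsolicited: dropped without any reply, so the host looks invisible.
        return self._verdict("DROP", p, "unsolicited inbound, dropped silently")


def demo() -> List[str]:
    """Constructed traffic: an approved client, an unsolicited probe, an unapproved
    program, and an FTP server that only one specific host may reach."""
    fw = PersonalFirewall("10.0.0.5", allowed_apps={"winscp.exe"},
                          inbound_rules={("tcp", 21, "10.0.0.9")})
    packets = [
        Packet("tcp", "10.0.0.5", 50000, "192.0.2.10", 22, "out", app="winscp.exe"),
        Packet("tcp", "192.0.2.10", 22, "10.0.0.5", 50000, "in"),
        Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 445, "in"),
        Packet("tcp", "10.0.0.5", 50001, "198.51.100.7", 6667, "out", app="unknown.exe"),
        Packet("tcp", "10.0.0.9", 41000, "10.0.0.5", 21, "in"),
        Packet("tcp", "10.0.0.8", 41000, "10.0.0.5", 21, "in"),
    ]
    verdicts = [fw.filter(p) for p in packets]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    demo()
```

Note how much rests on the `app` field: the outgoing-connection check is only as good as the operating system's attribution of a packet to a process, and the slide's list of problems (DLLs attached to allowed programs, memory modification of an allowed application, packets injected by a driver below the process filter) are all ways of making the firewall see an approved name on traffic it should not trust.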
Last year's project: usability and security of personal firewalls
- two use cases:
  - making a successful outgoing connection with WinSCP to remote-und.ida.liu.se
  - setting up an FTP server and only allowing one specific host to connect to it
- two misuse cases:
  - port scanning
  - replacing an application

Backup strategies
No one needs a backup, until they need one.
Strategies:
- unstructured
- full + incremental/differential
- mirror + reverse
- continuous
Reasonable backup media for home users: USB devices, CD, P2P network, service
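The "full + incremental/differential" strategy on the backup slide is easiest to understand by working through a few days of changes. The simulation below is an added illustration, not code from the lecture: an incremental run copies what changed since the previous run of any kind, a differential run copies what changed since the last full backup, and a restore needs either the full plus every incremental in order, or the full plus only the latest differential. The file names, modification days and four-day schedule are constructed; modification times are coarse day numbers, so a change made on the same day as the backup but after it ran is not modelled.

```python
# Added example (not from the lecture): simulate full + incremental vs full + differential
# backups over a constructed four-day history and compute the runs needed for a restore.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileState:
    path: str
    mtime: int      # constructed: day number on which the file was last modified


@dataclass
class Run:
    time: int       # day on which the backup ran
    kind: str       # "full", "incremental" or "differential"
    paths: List[str]


def select_files(files: List[FileState], kind: str, last_full: int, last_backup: int) -> List[str]:
    """Paths a run of the given kind must copy.
    full: everything; differential: changed since the last full backup;
    incremental: changed since the last backup of any kind."""
    if kind == "full":
        ref = -1
    elif kind == "differential":
        ref = last_full
    elif kind == "incremental":
        ref = last_backup
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    return sorted(f.path for f in files if f.mtime > ref)


def simulate(snapshots: List[Tuple[int, List[FileState]]], strategy: str) -> List[Run]:
    """Run a full backup on the first day, then `strategy` on every later day."""
    runs: List[Run] = []
    last_full = last_backup = -1
    for day, files in snapshots:
        kind = "full" if not runs else strategy
        runs.append(Run(day, kind, select_files(files, kind, last_full, last_backup)))
        if kind == "full":
            last_full = day
        last_backup = day
    return runs


def restore_chain(runs: List[Run], at: int) -> List[Run]:
    """Runs to replay, oldest first, to restore the state as of day `at`."""
    usable = [r for r in runs if r.time <= at]
    if not any(r.kind == "full" for r in usable):
        raise ValueError("no full backup before the requested day")
    full_idx = max(i for i, r in enumerate(usable) if r.kind == "full")
    chain = [usable[full_idx]]
    later = usable[full_idx + 1:]
    if later and later[-1].kind == "differential":
        chain.append(later[-1])     # the latest differential already holds everything since the full
    else:
        chain.extend(r for r in later if r.kind == "incremental")   # every incremental, in order
    return chain


def constructed_week() -> List[Tuple[int, List[FileState]]]:
    """Constructed history: a.doc changes on days 1 and 3, b.xls on day 2, c.jpg never."""
    a0, b0, c0 = FileState("a.doc", 0), FileState("b.xls", 0), FileState("c.jpg", 0)
    return [
        (0, [a0, b0, c0]),
        (1, [FileState("a.doc", 1), b0, c0]),
        (2, [FileState("a.doc", 1), FileState("b.xls", 2), c0]),
        (3, [FileState("a.doc", 3), FileState("b.xls", 2), c0]),
    ]


def backup_sizes(strategy: str) -> Dict[int, int]:
    """Number of files copied on each day under the given strategy."""
    return {r.time: len(r.paths) for r in simulate(constructed_week(), strategy)}


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        runs = simulate(constructed_week(), strategy)
        print(strategy, backup_sizes(strategy),
              "restore day 3 needs", [r.time for r in restore_chain(runs, 3)])
```

The trade-off the slide leaves implicit shows up directly in the numbers: incremental runs copy the least each day but a restore has to replay every one of them (and losing any one breaks the chain), while differential runs grow over time and a restore needs only two media.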
Knowledge: a checklist
A Home User's Security Checklist for Windows: http://www.securityfocus.com/columnists/220
Do your own risk analysis and assess your security.

When to choose what: risk analysis
- Identify the assets: data, hardware, network, services
- Identify the threats (a possible danger to your system): spy, hacker, disgruntled employees, blackout, flood, theft, breakdown, virus/worm/spyware/adware infection
- Identify the vulnerabilities (absence or weakness of a countermeasure; a condition that has the potential to allow a threat to occur): no mail/network encryption used, closeness to a river, cheap locks, exposed area
- Identify the countermeasures (controls, safeguards)
Typical risk analysis
- Identify the assets, threats, vulnerabilities and countermeasures.
- Identify the risk: the probability of an attack (the materialisation of a vulnerability) P, the cost of replacing the assets C_A, and the cost of the countermeasures C_C.
- Mathematically: only if P * C_A > C_C is it feasible to install the countermeasure.
- Practically: how to quantify the cost of volatile assets such as knowledgeable staff, good reputation, reliable customers, etc.?