CEN 448 Security and Internet Protocols
Chapter 19: Malicious Software
Dr. Mostafa Hassan Dahshan
Computer Engineering Department, College of Computer and Information Sciences, King Saud University
mdahshan@ccis.ksu.edu.sa

Malicious Programs
- Programs that exploit vulnerabilities to cause damage to computer systems
- Programs that need a host program: backdoors (trapdoors), logic bombs, Trojan horses, viruses
- Self-contained (independent) programs: worms, zombies
- Threats that do not replicate: backdoors, logic bombs, Trojan horses
- Threats that produce copies of themselves: viruses, worms
Backdoors / Trapdoors
- Secret entry point into a program that bypasses the normal security procedures
- Mainly inserted by programmers for debugging and testing
- Examples: a special password, a particular sequence of events
- Becomes a threat when used to gain unauthorized access
- Difficult to counter with operating-system controls; the focus must be on security during program development (code review, configuration control)

Logic Bombs
- Code embedded in some legitimate program
- Set to "explode" (run its payload) when certain conditions are met
- Example trigger conditions:
  - presence or absence of certain files
  - a particular day of the week, month, or year
  - a particular user running the application
Trojan Horses
- Apparently useful program that contains hidden harmful code
- Runs with the privileges of the user who executes it
- Can be implanted in a compiler (Thompson's "Reflections on Trusting Trust"): every application built with that compiler is then infected, even though its source code looks clean
- Examples: a backdoor inserted into the login program; a program that deletes the user's files in the background

Zombies
- Program secretly planted on an Internet-connected computer, usually by a virus or Trojan horse
- When activated, the compromised computer launches attacks on behalf of its controller
- Difficult to trace back to the attacker, since the traffic comes from the zombie
- Planted on hundreds or thousands of computers and used in distributed denial of service (DDoS) attacks
Virus Structure (pseudocode)

    program V :=
    {goto main;
        1234567;                          (* special marker identifying infected files *)

        subroutine infect-executable :=
            {loop: file := get-random-executable-file;
             if (first-line-of-file = 1234567)
                 then goto loop            (* already infected, pick another victim *)
                 else prepend V to file;
            }

        subroutine do-damage :=
            {whatever damage is to be done}

        subroutine trigger-pulled :=
            {return true if some condition holds}

    main: main-program :=
            {infect-executable;           (* infect other programs *)
             if trigger-pulled then do-damage;
             goto next;}

    next:                                 (* transfer control to the original program *)
    }

- The first line of an infected file is the marker, so the virus does not reinfect a file it already lives in
- Every time the infected program runs it infects one more executable and, if the trigger condition holds, does its damage; the original program then runs normally so the user notices nothing

Virus Compression
- The structure above is easy to detect: the infected file is longer than the original by the length of V
- A compression virus hides this by compressing the original program before attaching itself, so the infected file has the same length as the original; when run, it decompresses and executes the original program after doing its own work
Types of Viruses
- Parasitic virus: attaches itself to executable files; infects other files and does damage when the host program is executed
- Memory-resident virus: lodges in main memory and infects every program that is subsequently executed
- Boot sector virus: infects the master boot record (MBR); spreads when the system boots from the infected disk
- Stealth virus: designed to hide itself from antivirus software, e.g. by intercepting disk reads so the uninfected file is returned, or by compression so the length does not change
- Polymorphic virus: mutates with every infection (typically by encrypting its body with a different key each time), so no fixed byte-pattern signature exists
- Metamorphic virus: rewrites itself completely with each infection, changing its appearance and possibly its behavior

Worms
- Program that replicates itself and sends copies across the network, then performs unwanted or harmful actions on each host
- Network vehicles: email, remote execution capability, remote login capability
- Recent worms (2001):
  - Code Red: exploited a buffer overflow in Microsoft IIS; infected about 360,000 servers in 14 hours
  - Code Red II: also targeted Microsoft IIS; installed a backdoor on infected servers
  - Nimda: infected web servers and modified their web content; also spread by email and file shares
Antivirus Approaches
- Main functions
  - Detection: determine that an infection has occurred and locate the virus
  - Identification: identify the specific virus that infected the program
  - Removal: remove all traces of the virus from infected programs and restore them
- First generation: simple scanners
  - require a virus signature to identify a virus
  - signature: a structure or bit pattern, possibly containing wildcards
  - also maintain a record of program lengths and look for changes in length
- Second generation: heuristic scanners
  - use heuristic rules to search for probable infection, e.g. look for the decryption loop of an encrypted virus and recover the key
  - integrity checking: store a checksum or hash code of each program and recheck it; an encrypted hash defeats a virus that recomputes the checksum after infecting
- Third generation: activity traps
  - memory-resident programs that identify a virus by its actions rather than by its signature
- Fourth generation: full-featured protection
  - packages that combine multiple antivirus techniques
  - include access control to limit a virus's ability to penetrate a system and update files
Advanced Antivirus Techniques
- Generic Decryption (GD) technology
  - enables fast detection of polymorphic viruses
  - every executable is run through a GD scanner, which contains a CPU emulator (a virtual computer), a signature scanner and an emulation control module
  - the executable runs in the emulator; if it is a polymorphic virus it decrypts itself there, and the signature scanner then catches the decrypted body
  - the design problem is how long to emulate before declaring a file clean
- Digital immune system
  - developed by IBM Research, built around the GD emulator
  - a suspicious program is sent to a central server, which runs it in a safe environment, analyzes it and derives a prescription (signature and removal instructions)
  - the prescription is passed back to the client and then to other clients and systems
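The following is an added example (not from the course deck or any real antivirus product) that puts the first- and second-generation techniques and the GD idea side by side on constructed data: a wildcard byte signature, a length-plus-hash integrity baseline, and a toy "polymorphic" infection whose stored bytes change with every key, so the static scanner misses it until a tiny emulator runs the decryptor first. The "virus body", the signature, the two-byte decryptor stub and the emulator are all invented for the demo.

```python
"""Signature scanning, integrity checking and generic-decryption (GD) style
scanning on constructed sample files. Everything here (the 'virus body', the
wildcard signature, the two-byte decryptor stub and the toy emulator) is
invented for the demo; it is not a real virus or a real AV engine."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed 'virus body' (the marker 1234567 mirrors the pseudocode slide).
VIRUS_BODY = b"\xeb\x10MARK1234567\xc3"
# First-generation signature: fixed bytes plus wildcards (None) over the
# variable middle, so small edits to the marker region do not evade it.
SIGNATURE: List[Optional[int]] = [0xEB, 0x10, 0x4D, 0x41, 0x52, 0x4B] + [None] * 7 + [0xC3]
# Constructed clean host program that the virus prepends itself to.
HOST = b"\x7fELF" + b"\x00" * 4 + b"host program code"


def signature_match(data: bytes, sig: List[Optional[int]]) -> Optional[int]:
    """Return the offset of the first match of a wildcard byte pattern, or None."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return None


def baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Second-generation integrity check: record length and SHA-256 of each program."""
    return {name: (len(d), hashlib.sha256(d).hexdigest()) for name, d in files.items()}


def integrity_changes(files: Dict[str, bytes], base: Dict[str, Tuple[int, str]]) -> List[str]:
    """Names of programs whose length or hash no longer matches the baseline."""
    return [name for name, d in files.items()
            if (len(d), hashlib.sha256(d).hexdigest()) != base[name]]


# Toy polymorphic infection: a fixed two-byte 'decryptor stub', a one-byte key,
# then the virus body and host XORed with that key. Each infection uses a new
# key, so the bytes stored on disk differ from copy to copy.
STUB = b"\xde\xc0"


def make_infected(host: bytes, key: int) -> bytes:
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return STUB + bytes([key]) + bytes(b ^ key for b in VIRUS_BODY + host)


def emulate_decryptor(data: bytes) -> bytes:
    """GD-style emulation for our toy 'instruction set': if the image starts with
    the stub, execute it (XOR the rest with the key byte) and return the result."""
    if data.startswith(STUB) and len(data) > len(STUB):
        key = data[len(STUB)]
        return bytes(b ^ key for b in data[len(STUB) + 1:])
    return data


def static_scan(data: bytes) -> Optional[int]:
    """First-generation scan of the bytes exactly as stored on disk."""
    return signature_match(data, SIGNATURE)


def gd_scan(data: bytes) -> Optional[int]:
    """Scan the image after letting the decryptor run in the emulator."""
    return signature_match(emulate_decryptor(data), SIGNATURE)


def run_demo(key: int = 0x5A) -> dict:
    """Infect one file by plain prepending and one polymorphically; report what
    each technique sees."""
    files = {"a.exe": HOST, "b.exe": HOST + b"!"}
    base = baseline(files)
    files["b.exe"] = VIRUS_BODY + files["b.exe"]      # prepend V, as in the pseudocode
    poly = make_infected(HOST, key)
    return {"changed": integrity_changes(files, base),  # ['b.exe']
            "static_b": static_scan(files["b.exe"]),    # 0: signature found
            "static_poly": static_scan(poly),           # None: encrypted body
            "gd_poly": gd_scan(poly)}                   # 0: found after emulation


if __name__ == "__main__":
    print(run_demo())
```

The integrity baseline catches both infections without knowing any signature, which is why it matters for new viruses, while only the GD step recovers the polymorphic copy; a real GD engine would emulate arbitrary machine code and has to decide how long to keep emulating, which is the open problem the slide mentions.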
Distributed Denial of Service Attacks
- Denial of service (DoS): make a system inaccessible by consuming its resources with useless requests
  - resources may be internal (CPU, memory, disk) or network (bandwidth)
  - legitimate users are prevented from getting service
- A DoS attack is launched by a single user or host; in a DDoS attack the attacker recruits many Internet hosts (zombies) for a coordinated attack against the target
  - more sophisticated, and much harder to trace back to the attacker

DDoS Examples: SYN flood attack
- The attacker floods the target with TCP SYN segments, usually with spoofed source addresses
- The target replies with SYN/ACK to each one and keeps a half-open connection entry in memory while waiting for the final ACK, which never arrives
- The half-open connections fill the target's connection table (backlog); once it is full, further SYNs are dropped
- Legitimate users can no longer establish TCP connections
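As an added example (not part of the deck), the following contrasts the classic per-SYN backlog with SYN cookies, the stateless defence described at cr.yp.to/syncookies.html that the references slide points to. The cookie layout follows that page: the server's initial sequence number is 5 bits of a slowly incrementing time counter, 3 bits encoding the client's MSS, and 24 bits of a keyed hash over the two addresses and ports and the counter. The server keeps no state for a SYN; only a final ACK whose acknowledgement number minus one is a valid, recent cookie creates a connection. The secret key, the MSS table, the acceptance window and the addresses are all assumptions of this demo.

```python
"""SYN flood versus SYN cookies, stand-alone illustration (added example).
Cookie layout per cr.yp.to/syncookies.html: 5 bits time counter, 3 bits MSS
index, 24 bits keyed hash. Secret, MSS table, window and addresses are
constructed for the demo."""
import hashlib
import hmac

SECRET = b"constructed-per-boot-server-secret"   # assumption: random, per server
MSS_TABLE = (536, 1300, 1440, 1460)               # 3-bit index -> MSS (toy table)
MAX_AGE = 3   # accept cookies minted up to 3 counter ticks ago (assumption)
MASK32 = 0xFFFFFFFF


def half_open_backlog(capacity: int, syn_count: int) -> dict:
    """Classic server: every unanswered SYN holds a backlog slot until it times
    out, so a flood of spoofed SYNs leaves no room for legitimate clients."""
    accepted = min(capacity, syn_count)
    return {"accepted": accepted, "dropped": syn_count - accepted}


def _keyed_hash(counter: int, src: str, sport: int, dst: str, dport: int) -> int:
    """24-bit secret function of the 4-tuple and the counter value."""
    msg = f"{counter}|{src}:{sport}|{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(counter: int, src: str, sport: int, dst: str, dport: int,
                    client_mss: int) -> int:
    """Server chooses its initial sequence number as a cookie and stores nothing."""
    t = counter & 0x1F                                   # top 5 bits: counter mod 32
    m = max([i for i, v in enumerate(MSS_TABLE) if v <= client_mss], default=0)
    return ((t << 27) | (m << 24) | _keyed_hash(counter, src, sport, dst, dport)) & MASK32


def check_syn_cookie(ack_number: int, now_counter: int, src: str, sport: int,
                     dst: str, dport: int):
    """On the final ACK, recover the cookie (ack - 1) and rebuild the connection
    if it is valid and recent; otherwise return None (drop the ACK)."""
    cookie = (ack_number - 1) & MASK32
    t, m, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(MAX_AGE + 1):
        counter = now_counter - age
        if counter & 0x1F == t and _keyed_hash(counter, src, sport, dst, dport) == h:
            return {"src": src, "sport": sport, "mss": MSS_TABLE[m], "age": age}
    return None


if __name__ == "__main__":
    print(half_open_backlog(1024, 5000))                     # 1024 accepted, 3976 dropped
    c = make_syn_cookie(100, "203.0.113.7", 40000, "198.51.100.1", 80, 1460)
    print(check_syn_cookie(c + 1, 101, "203.0.113.7", 40000, "198.51.100.1", 80))
    print(check_syn_cookie(c + 1, 105, "203.0.113.7", 40000, "198.51.100.1", 80))  # None: expired
```

The price of statelessness is that the server only learns what the cookie encodes: the MSS survives (in 3 bits), but other SYN options such as window scaling do not, which is why production stacks only switch to cookies once the real backlog is full.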
DDoS Examples: attack on network resources (Smurf)
- Multiple attacking hosts send ICMP ECHO requests to a large set of hosts, typically via a directed broadcast address, with the source IP address spoofed to that of the target
- Every receiving host sends its ICMP ECHO REPLY to the spoofed source, i.e. to the target
- The target and the router in front of it are flooded with replies; no bandwidth is left for legitimate traffic
DoS Examples: consuming system resources
- Memory: a simple program or script that keeps copying itself (a fork bomb)
- Process table: exhaust the available process IDs
- Disk space: generate many emails, generate many errors that must be logged, or place large files in network-shared areas

DDoS Levels
- Attack traffic comes through multiple layers of sources
- Direct DDoS attacks: attacker, master zombies (handlers), slave zombies (agents)
  - the attacker coordinates and triggers the master zombies
  - the master zombies trigger the slave zombies, which send the attack traffic
- Reflector DDoS attacks: add another layer, the reflectors
  - slave zombies send packets with the target's address as the source to uninfected reflector hosts, whose replies hit the target
  - the extra layer makes the packets harder to trace back and to filter
DDoS Countermeasures
- Attack prevention and preemption (before the attack)
  - enable the victim to endure the attack without denying service to legitimate clients
  - enforce policies on resource consumption and provide backup resources
  - modify Internet protocols and services to reduce the possibility of DDoS (e.g. ingress filtering of spoofed source addresses, SYN cookies)
- Attack detection and filtering (during the attack)
  - attempt to detect the attack as it begins and respond immediately
  - look for suspicious traffic patterns and filter out the offending packets
- Attack source traceback and identification (during and after the attack)
  - attempt to identify the source of the attack to prevent future attacks
  - usually does not yield results fast enough to stop the attack in progress, if at all
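The detection-and-filtering stage, as an added example (not from the deck or from any router vendor): a border-router classifier run over a constructed packet trace. Rule 1 is ingress filtering (an inbound packet claiming one of our own addresses is spoofed); rule 2 is egress filtering (an outbound packet with a foreign source is one of our own hosts acting as a zombie spoofing a victim, which is what feeds the reflector attacks of the previous slide); rule 3 drops ICMP echo requests aimed at our directed-broadcast address (the Smurf amplifier); rule 4 rate-limits SYNs per source. The address block, the threshold and the trace are assumptions of this demo.

```python
"""Attack detection and filtering at a border router over a constructed packet
trace (added example). The prefix, the SYN threshold and the trace itself are
assumptions; the rules are the standard anti-spoofing, directed-broadcast and
rate-limit defences."""
from collections import Counter
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # assumption: our own address block
SYN_THRESHOLD = 50                                # SYNs per source per window (assumption)


def classify_border(packets):
    """packets: list of (src, dst, direction, proto, info) tuples seen at the
    border, direction being "in" or "out". Returns the dropped indices, the
    reason counts and how many packets were forwarded."""
    dropped, reasons, syn_per_src = [], Counter(), Counter()
    for i, (src, dst, direction, proto, info) in enumerate(packets):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        reason = None
        if direction == "in" and s in INTERNAL:
            reason = "spoofed internal source (ingress filter)"
        elif direction == "out" and s not in INTERNAL:
            reason = "spoofed external source (egress filter)"
        elif proto == "icmp" and info == "echo-request" and d == INTERNAL.broadcast_address:
            reason = "echo request to directed broadcast (smurf)"
        elif proto == "tcp" and info == "SYN":
            syn_per_src[src] += 1                    # half-open connection pressure
            if syn_per_src[src] > SYN_THRESHOLD:
                reason = "SYN rate limit"
        if reason:
            dropped.append(i)
            reasons[reason] += 1
    return {"dropped": dropped, "reasons": dict(reasons),
            "forwarded": len(packets) - len(dropped)}


def build_trace():
    """Constructed trace: three legitimate SYNs, one Smurf probe, one spoofed
    inbound packet, one local zombie spoofing a victim on the way out, and a
    60-packet SYN flood from a single source."""
    t = [("203.0.113.5", "192.0.2.10", "in", "tcp", "SYN")] * 3
    t.append(("198.51.100.9", "192.0.2.255", "in", "icmp", "echo-request"))
    t.append(("192.0.2.77", "192.0.2.10", "in", "tcp", "SYN"))
    t.append(("198.51.100.200", "203.0.113.99", "out", "icmp", "echo-request"))
    t += [("198.51.100.77", "192.0.2.10", "in", "tcp", "SYN")] * 60
    return t


if __name__ == "__main__":
    result = classify_border(build_trace())
    print(result["forwarded"], "forwarded;", len(result["dropped"]), "dropped")
    for reason, n in result["reasons"].items():
        print(f"  {n:3d}  {reason}")
```

Note what the per-source rate limit cannot do: a flood from many spoofed or distributed sources stays under the threshold on every single address, which is why the anti-spoofing rules belong at the networks that host the zombies, and why the slide warns that traceback rarely helps in time.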
Additional References
- What is a botnet? searchsecurity.techtarget.com/sdefinition/0,,sid14_gci1030284,00.html
- D. J. Bernstein, SYN Cookies, cr.yp.to/syncookies.html
- Router Expert: Smurf/fraggle attack defence using SACLs, searchnetworking.techtarget.com/tip/1,289483,sid7_gci856112,00.html