CSCE 465 Lecture 7


« previous | Tuesday, February 5, 2013 | next »


Lecture Slides


Malware

Some malware needs a host program:

  • Trap doors: a secret entry point left in a program so someone can get access without going through the normal authentication
  • Logic bombs: code that performs an action when a trigger fires (e.g. a date or time)
  • Trojan horses: a program that masquerades as something useful or important but has a malicious, covert purpose
  • Viruses: code that "infects" a program by modifying it, so the virus runs whenever the host program runs

Others are completely independent:

  • Worms
  • Bots


Viruses

  1. dormant phase
  2. propagation phase (e.g. attachment to email)
  3. triggering phase
  4. execution phase

Layout of an infected program:

  • First line: "go to" the main of the virus program
  • Second line: special mark, so the virus knows the file is already infected and skips it (antivirus software may look for the same mark)
  • main:
    • find uninfected programs (infect and mark them)
    • do something damaging to the system
    • now "go to" the first line of the original program and do its normal work
  • To avoid detection by a change in program size: compress the original program and decompress it at run time, so the infected file keeps its original length


Types

parasitic virus
search and infect executable files
memory-resident virus
sits in memory, infecting running programs
boot sector virus
spreads whenever system is booted
polymorphic virus
encrypts the virus body with a randomly generated key on every infection, so the body's bytes differ in every copy; only a short decryption routine stays constant
macro virus
macro: an executable program embedded in a word processing document, e.g. MS Word
common technique is to copy the document's macro into the global template (Word's Normal.dot) so it runs whenever any document is opened

Truths and Myths

Can only infect MS Windows?
false; a vast majority are for Windows, but some exist for Mac, UNIX, Linux, etc.
Can modify hidden and read-only files
true
Spread only on disks or in email
false; viruses travel on anything that carries executables (shared drives, downloads), and worms propagate over the network on their own
Cannot remain in memory after reboot
false; a boot sector virus is reloaded from disk on every boot, and a memory-resident virus stays active until the machine is shut down
Cannot infect hardware
false; can infect rewritable firmware (e.g. the BIOS)
Can be malevolent, benign, or benevolent
???; I think that a virus to replace IE with Chrome would be a good virus
BUT— who am I to use someone else's computer without their permission?

Antivirus Approach

Prevention, detection/identification, removal

Generations:

  1. simple scanner: matches a fixed byte signature of each known virus, so it catches only known, unchanging viruses
  2. heuristic scanner: looks for virus-like code fragments or integrity changes (e.g. a checksum that no longer matches), so it can catch variants
  3. activity traps: memory-resident monitors that identify a virus by what it does at run time rather than by its bytes
  4. full-featured protection: all of the above combined with access control that limits what a program may change
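The infected-program layout, the polymorphic type and the first two scanner generations above all fit in one small model. The following is an added example, not code from the lecture: "programs" are byte strings, the "virus body" is a constructed string standing in for machine code, nothing is executed or written to disk, and the mark, stub, signature and XOR scheme are all invented for the illustration.

```python
"""Toy prepending virus and the scanners that catch it. Added illustration,
not code from the lecture. Everything here is inert byte-string manipulation:
"programs" are bytes, the "virus body" is a constructed string that stands in
for machine code, and nothing is ever executed or written to disk."""
import os
from typing import Optional

MARK = b"<INFECTED:v1>"                                   # the "special mark" on line 2
VIRUS_BODY = b"find_uninfected(); mark(); damage(); goto_original_first_line();"
STUB = b"XORDEC:"                                         # constant decryptor of the polymorphic form
SIGNATURE = VIRUS_BODY[5:25]                              # byte pattern a simple scanner keys on


def infect(host: bytes) -> bytes:
    """Plain infection: mark + virus body prepended; the original program is kept
    intact so the host still does its normal work after the virus has run."""
    if MARK in host:                       # already infected: skip, like the virus does
        return host
    return MARK + VIRUS_BODY + host


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def infect_polymorphic(host: bytes, key: Optional[bytes] = None) -> bytes:
    """Polymorphic infection: the body is XORed with a fresh random 4-byte key on
    every copy, so its bytes differ per file; only the small decryptor stub (and
    the key field after it) stay constant."""
    if MARK in host:
        return host
    if key is None:
        key = os.urandom(4)
    return MARK + STUB + key + xor(VIRUS_BODY, key) + host


def simple_scan(program: bytes) -> bool:
    """Generation 1: look for a fixed signature taken from the virus body.
    Misses every polymorphic copy, because the body never looks the same twice."""
    return SIGNATURE in program


def stub_scan(program: bytes) -> bool:
    """Signature on the constant decryptor stub instead of the body."""
    return STUB in program


def emulating_scan(program: bytes) -> bool:
    """Generation 2 (heuristic): if a known decryptor stub is present, do what it
    would do at run time (read the 4-byte key, un-XOR what follows) and then look
    for the body signature in the decrypted result."""
    if simple_scan(program):
        return True
    i = program.find(STUB)
    if i < 0:
        return False
    key_start = i + len(STUB)
    key = program[key_start:key_start + 4]
    return SIGNATURE in xor(program[key_start + 4:], key)


if __name__ == "__main__":
    host = b"ORIGINAL PROGRAM BYTES: does useful work"   # constructed host program
    poly = infect_polymorphic(host)
    print("plain copy caught by simple scan:", simple_scan(infect(host)))
    print("polymorphic copy caught by simple scan:", simple_scan(poly))
    print("polymorphic copy caught by emulating scan:", emulating_scan(poly))
```

Note that the infection mark itself is a constant byte string, which is exactly why the lecture says antivirus software can key on it: anything a virus leaves unchanged in every copy (mark, decryptor stub) becomes a signature, and the emulating scanner goes one step further by running the stub's decryption and matching on the recovered body.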


Worms

Code that replicates and propagates across a network on its own (often carries a "payload")

Exploits flaws in network-facing services, so no user action is needed

First major Internet worm: Robert Morris, November 1988 (infected an estimated 6–10% of all Internet hosts!)

Many more worms followed, but none on the same relative scale until 2001

Morris Worm

What it did:

  • Determine where it could spread
  • spread its infection
  • remain undiscovered and undiscoverable

Effects:

  • Resource exhaustion: hosts were infected over and over (the check for an existing copy deliberately reinfected one time in seven, and a bug made this far more frequent than intended), so machines ran many copies at once and slowed to a crawl

How it worked:

  • Where to spread: exploited 3 security flaws (multiple propagation vectors)
    • guess weak passwords by dictionary attack (the password hashes in /etc/passwd were world-readable; the worm tried variations of the account name, a built-in word list and the system dictionary), then use the cracked accounts' trust relationships (rsh/rexec) to reach other hosts
    • fingerd stack buffer overflow (gets() into a fixed-size buffer, no bounds check)
    • sendmail trapdoor (DEBUG mode accepts shell commands)
  • Spread

Summer 2001

Code Red I

13 Jul 2001: first worm of the modern era

Exploited a buffer overflow in Microsoft IIS (the Index Server ISAPI extension, reached with an over-long .ida request)

Days 1–19 of each month: spread

  • find targets by random scan of the IP address space (spawn 99 threads, each generating addresses and probing port 80 for IIS)
  • the first variant forgot to seed the random number generator, so every copy scanned the same sequence of addresses and the worm as a whole covered only a tiny fraction of the Internet

Days 20–27: attack

  • flood a hard-coded IP address (the one whitehouse.gov used at the time) with traffic; infected servers meanwhile replaced their pages with "HELLO! Welcome to http://www.<blah>.com. Hacked by Chinese."

Day 28 onward: dormant
Code Red II

Used same code base, but killed Code Red I and fixed random number generator

Infected 340,000 machines in the first week. EXPONENTIAL RATE!

Instead of a flooding payload, installed a backdoor: copied cmd.exe into the web server's script directories as root.exe, so anyone could run commands on the machine over HTTP

Only ran on Windows 2000; on Windows NT the exploit just crashed the server

Scanning algorithm preferred nearby addresses; each new target was drawn

  • from the infected host's own /8 (old class A) with p = 0.5
  • from its own /16 (old class B) with p = 0.375
  • from anywhere in the Internet with p = 0.125
Rationale: machines with nearby IP addresses are more likely to be similar (same organization, same software and patch level), so one vulnerable host predicts more vulnerable hosts next to it
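Both Code Red scanning strategies above, the unseeded random scan and Code Red II's locality bias, are easy to measure in a few lines. The code below is an added example, not the worms' code: Python's random.Random stands in for the C library rand() the worm called, the "copies" are just separate generator instances, and the sample host address is constructed.

```python
"""Address selection of Code Red I and Code Red II, written as an added
illustration (not the worms' own code). random.Random stands in for the
C library rand(); only the effect of (not) seeding and of the locality
bias is modelled. All inputs are constructed."""
import random


def int_to_ip(x: int) -> str:
    return ".".join(str((x >> s) & 0xFF) for s in (24, 16, 8, 0))


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def uniform_targets(n: int, rng: random.Random) -> list:
    """Code Red I: addresses drawn uniformly from the whole 32-bit space."""
    return [rng.getrandbits(32) for _ in range(n)]


def scan_coverage(copies: int, per_copy: int, seeded: bool) -> int:
    """Distinct addresses probed by `copies` instances, each drawing `per_copy`
    targets. seeded=False models the first Code Red variant: every instance
    starts the generator from the same default state, so all copies emit the
    same list and the worm probes only `per_copy` addresses however many run."""
    seen = set()
    for i in range(copies):
        rng = random.Random(i + 1 if seeded else 0)   # 0 plays the shared default state
        seen.update(uniform_targets(per_copy, rng))
    return len(seen)


def code_red_ii_target(own_ip: int, rng: random.Random) -> int:
    """Code Red II's locality bias: probability 1/2 an address in the infected
    host's own /8, 3/8 in its own /16, 1/8 anywhere in the 32-bit space."""
    r = rng.random()
    if r < 0.5:
        return (own_ip & 0xFF000000) | rng.getrandbits(24)   # same /8 (old class A)
    if r < 0.875:
        return (own_ip & 0xFFFF0000) | rng.getrandbits(16)   # same /16 (old class B)
    return rng.getrandbits(32)                               # anywhere


def locality_histogram(own_ip: str, n: int, seed: int) -> dict:
    """Fraction of n generated targets that share the host's /16, share only its
    /8, or neither; a sample check that the generator matches the stated mix."""
    own, rng = ip_to_int(own_ip), random.Random(seed)
    counts = {"same /16": 0, "same /8 only": 0, "elsewhere": 0}
    for _ in range(n):
        t = code_red_ii_target(own, rng)
        if t >> 16 == own >> 16:
            counts["same /16"] += 1
        elif t >> 24 == own >> 24:
            counts["same /8 only"] += 1
        else:
            counts["elsewhere"] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    print("100 unseeded copies x 1000 probes:", scan_coverage(100, 1000, seeded=False), "distinct addresses")
    print("100 seeded copies x 1000 probes:  ", scan_coverage(100, 1000, seeded=True), "distinct addresses")
    print(locality_histogram("10.20.30.40", 20000, seed=1))   # constructed host address
```

The unseeded run shows the Code Red I bug in one number: a hundred copies together cover exactly as many addresses as one copy. The histogram shows the Code Red II mix; the "same /16" share comes out slightly above 3/8 because a /8 or Internet-wide draw can land in the host's /16 by chance.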


Designing Fast-Spreading Worms

  • Hit-list scanning
    • reconnaissance beforehand (stealthy scans, etc.) builds a list of machines already known to be vulnerable
    • infect those first, so the worm starts with a large population before it falls back to random scanning
  • Permutation scanning
    • most random scanning is redundant (copies keep probing addresses another copy already tried), so all copies share one pseudorandom permutation of the address space and sweep it in order
    • a copy starts just after its own address in the permutation and jumps to a new random start point when it hits a machine that is already infected, since that means the stretch ahead was covered by someone else
  • Flash worm
    • with a complete hit list of the vulnerable population prepared in advance there is no scanning at all: infect the whole Internet in an estimated 30 seconds.
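The permutation-scanning rules above (shared permutation, start just after your own address, jump on hitting an infected machine) are concrete enough to simulate. The following is an added example, not code from the lecture or from the Staniford/Paxson/Weaver paper it summarizes. Its assumptions are all constructed: a 2^14-address toy space, a vulnerable population picked at random, a shared permutation built as an affine map (the paper suggests a block cipher under a key every copy knows; any keyed bijection works), one probe per copy per round, the paper's rule that copies found by scanning start at a random point, and an invented retirement rule: a copy that hits already-infected hosts RETIRE_AFTER times in a row concludes the sweep is over and goes quiet.

```python
"""Toy simulation of permutation scanning. Added illustration, not code from
the lecture or the paper. Constructed assumptions: 2^14 addresses, random
vulnerable population, affine map as the shared keyed permutation, one probe
per copy per round, and an invented retirement rule (RETIRE_AFTER)."""
import random

N = 1 << 14          # toy address space (real worms sweep 2^32)
RETIRE_AFTER = 20    # consecutive hits on infected hosts before a copy retires (assumption)


def make_permutation(key: int):
    """Shared keyed bijection position -> address on Z/N. An odd multiplier is
    invertible mod a power of two, so forward() visits every address exactly
    once and inverse() lets a copy locate its own address in the sweep order."""
    rng = random.Random(key)
    a = rng.randrange(1, N, 2)           # odd => gcd(a, N) == 1
    b = rng.randrange(N)
    a_inv = pow(a, -1, N)
    return (lambda pos: (a * pos + b) % N,
            lambda addr: ((addr - b) * a_inv) % N)


class Copy:
    """One running instance of the worm."""
    def __init__(self, addr: int, start_pos: int):
        self.addr = addr
        self.pos = start_pos          # next position in the shared permutation to probe
        self.infected_hits = 0        # consecutive probes that found an infected host
        self.retired = False


def simulate(n_vulnerable: int, hit_list_size: int, seed: int) -> dict:
    """Run until every copy has retired; return infection and probe statistics."""
    rng = random.Random(seed)
    forward, inverse = make_permutation(key=seed)
    vulnerable = set(rng.sample(range(N), n_vulnerable))
    hit_list = rng.sample(sorted(vulnerable), hit_list_size)
    # Hit-list copies start just after their own position: a copy sweeping up
    # from behind hits them, learns the stretch ahead is covered, and jumps.
    copies = {a: Copy(a, (inverse(a) + 1) % N) for a in hit_list}
    probed, probes, redundant, rounds = set(), 0, 0, 0
    while not all(c.retired for c in copies.values()):
        rounds += 1
        for c in list(copies.values()):
            if c.retired:
                continue
            target = forward(c.pos)
            c.pos = (c.pos + 1) % N
            probes += 1
            if target in probed:
                redundant += 1
            probed.add(target)
            if target in copies:                    # already infected
                c.infected_hits += 1
                if c.infected_hits >= RETIRE_AFTER:
                    c.retired = True
                else:
                    c.pos = rng.randrange(N)        # re-randomize the start point
            elif target in vulnerable:               # new victim
                c.infected_hits = 0
                # Copies found by scanning start at a random point (the paper's rule).
                copies[target] = Copy(target, rng.randrange(N))
    return {"vulnerable": n_vulnerable, "infected": len(copies), "rounds": rounds,
            "probes": probes, "redundant": redundant}


if __name__ == "__main__":
    print(simulate(n_vulnerable=100, hit_list_size=5, seed=7))
```

The point to take from the run is not the probe count but the two properties random scanning lacks: every address is visited in a fixed order, so a copy can tell from a single "already infected" response that its current stretch has been swept by someone else, and once the population is exhausted the copies stop on their own instead of probing forever (which is also what makes the worm's end detectable by a defender counting re-randomizations).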

How to stop?