Contents

How things go wrong
- Change in environment
- Bound and syntax checking
- Convenient but dangerous design features
- Escapes from controlled invocation
- Bypass at a lower layer
- Flaws in protocol implementation

Virus
- What is a Computer Virus?
- Virus Effects
- Virus Infections
- Virus Components
- Virus Types

The Mad Hacker

- Occurred in 1987; the OS was VME/B.
- For backups, there existed a user that owned all file descriptors.
- This user had no restrictions; a bug allowed this flaw to be exploited.
- A VME/B sys admin figured it out.
- Attacked many systems, deleted files, etc.
- He left messages from "The Mad Hacker".

CTSS

- CTSS was an early time-sharing system.
- In a famous incident, the password file appeared as the message of the day.
- How could this happen?
- Only one "manager" at a time; later changed to allow multiple managers.
- This led to an unexpected problem...

CTSS

One SCRATCH file, two managers:
1. First manager edits: SCRATCH = MSG
2. Second manager edits: SCRATCH = PWD
3. First manager saves: MSG = PWD

[Diagram: the single SCRATCH file is first loaded from the message file, then overwritten with the password file; the first manager's save copies the password file contents into the message file.]

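The incident above can be replayed in a few lines. The following is an added example, not code from the slides or from CTSS itself: an in-memory "disk" stands in for the file system, one editor class shares a single SCRATCH name between sessions exactly as the slide describes, and a second class gives each session its own scratch name, which is the remedy (the role tempfile.mkstemp plays on a modern Unix). File names and contents are constructed for the demo.

```python
# Constructed in-memory "disk": file name -> contents (not real CTSS data)
def make_disk():
    return {
        "MSG": "Welcome to CTSS. The system is down Friday for maintenance.",
        "PWD": "alice:secret1\nbob:secret2\n",   # constructed placeholder password file
    }


class SharedScratchEditor:
    """Models the original behaviour: every session edits through the single file SCRATCH."""

    def __init__(self, disk, target):
        self.disk = disk
        self.target = target
        self.scratch = "SCRATCH"          # the same name for every session

    def open(self):
        # Start an editing session: copy the target file into the scratch file.
        self.disk[self.scratch] = self.disk[self.target]

    def save(self):
        # End the session: copy the scratch file back over the target file.
        self.disk[self.target] = self.disk[self.scratch]


class PerSessionScratchEditor(SharedScratchEditor):
    """Remedy: each session gets its own scratch name, so sessions cannot clobber each other."""
    _next_id = 0

    def __init__(self, disk, target):
        super().__init__(disk, target)
        PerSessionScratchEditor._next_id += 1
        self.scratch = f"SCRATCH.{PerSessionScratchEditor._next_id}"


def replay_incident(editor_cls):
    """Interleave the two managers' sessions in the order the slide gives."""
    disk = make_disk()
    first = editor_cls(disk, "MSG")
    second = editor_cls(disk, "PWD")
    first.open()     # 1. first manager edits: SCRATCH = MSG
    second.open()    # 2. second manager edits: SCRATCH = PWD
    first.save()     # 3. first manager saves: MSG = whatever SCRATCH now holds
    return disk["MSG"]


def password_leaked(editor_cls):
    """True when the message of the day now carries password-file content."""
    return "secret1" in replay_incident(editor_cls)


if __name__ == "__main__":
    print("shared scratch leaks password file:", password_leaked(SharedScratchEditor))
    print("per-session scratch leaks password file:", password_leaked(PerSessionScratchEditor))
```

The same shape of bug survives today as a predictable temporary file name shared between users or processes; the fix is the same as in the second class: a name that is unique per session and created atomically.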
fingerd daemon bug

- fingerd is a server that provides a network interface to the finger program.
- This interface allows finger to display information about remote users.
- UNIX fingerd did not check the length of its input.
- Buffer overflow.
- The Morris Worm exploited this to open a remote connection via TCP.

VMS login

- Buffer overflow in login.
- A user could specify the machine by Username/DEVICE = <machine>.
- The length of <machine> was not checked.
- Buffer overflow.
- Could be exploited so that a user could set their own privilege level.

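Both the fingerd and the VMS login flaw come down to reading caller-controlled text into a fixed buffer with no length check. The following is an added example, not code from the slides or from any fingerd implementation: a bounded line reader that refuses a request before it can grow past the buffer it was sized for, followed by a parser that only accepts the finger query grammar ("/W" and an optional user name) before anything is handed to the finger program. The 512-byte limit and the user-name pattern are assumptions made for the demo.

```python
import io
import re

MAX_REQUEST_BYTES = 512   # assumed limit for this demo; the point is that a limit exists
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")   # assumed local account-name policy


class RequestTooLong(ValueError):
    """Raised instead of silently overrunning a fixed-size buffer."""


class BadRequest(ValueError):
    """Raised for input that is not a well-formed finger query."""


def read_line_bounded(stream, limit=MAX_REQUEST_BYTES):
    """Read one line ending in CRLF (or LF) from a binary stream, never buffering
    more than `limit` bytes. This is the check the old fingerd lacked."""
    buf = bytearray()
    while True:
        ch = stream.read(1)
        if not ch:
            raise BadRequest("connection closed before end of line")
        buf += ch
        if buf.endswith(b"\r\n"):
            return bytes(buf[:-2])
        if buf.endswith(b"\n"):
            return bytes(buf[:-1])
        if len(buf) >= limit:
            raise RequestTooLong(f"request exceeds {limit} bytes")


def parse_finger_request(line):
    """Parse '[/W] [user]' (the query form of RFC 1288) into (verbose, user).
    Anything outside that grammar is refused before it reaches finger."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII request") from None
    tokens = text.split()
    verbose = False
    if tokens and tokens[0] == "/W":
        verbose = True
        tokens = tokens[1:]
    if len(tokens) > 1:
        raise BadRequest("too many arguments")
    user = tokens[0] if tokens else None
    if user is not None and not USERNAME_RE.match(user):
        raise BadRequest("invalid user name")
    return verbose, user


def handle_request(raw):
    """Run the bounded read and the parser over one captured request (bytes)."""
    return parse_finger_request(read_line_bounded(io.BytesIO(raw)))


def classify(raw):
    """Return ('ok', verbose, user) or ('refused', <exception name>) for one request."""
    try:
        verbose, user = handle_request(raw)
        return ("ok", verbose, user)
    except ValueError as e:
        return ("refused", type(e).__name__)


if __name__ == "__main__":
    # Constructed sample requests: a normal query, an empty one, an oversize one, a malformed one
    for sample in (b"/W alice\r\n", b"\r\n", b"A" * 600 + b"\r\n", b"alice;id\r\n"):
        print(sample[:16], "->", classify(sample))
```

The two checks are independent: the length bound protects the buffer, and the grammar check protects whatever program the daemon runs on the caller's behalf.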
rlogin bug

Unix login:
  login [-p] [-h <host>] [[-f] <user>]
where -f forces login (no password).

Unix rlogin:
  rlogin [-l <user>] <machine>
uses login with its first argument on <machine>.

So
  rlogin -l -froot machine
results in
  login -froot machine

Sendmail "feature"

- Sendmail debug option.
- Substitutes commands for the username in mail; they are executed on the host by sendmail.
- Used to check remote configuration without bothering the administrator.
- The debug option was often left on.
- Exploited by the Morris Worm.

VAX/VMS bug

Access control info is stored in the Auth File.

Caller:  Request Set Auth File (parameters)
System:  Open Auth File
         Read Caller's Authorization
         if authorized then return(true); else return(false);

Problem? The file is not closed.

AS/400 machine language

- System security levels 10, 20, ..., 50.
- Machine language programs were not subject to security controls.
- Intended use: to speed up programs.
- Attackers could write such code.
- AS/400 then attempted to detect "bad" commands.
- Attackers overwrote the table used for checking.

at bug

- The Unix command at <time> -f<file> runs the commands in <file> at <time>.
- The request is put into /usr/spool/atjobs.
- Bug: at does not check whether <file> is readable by the user.
- Feature: the spool directory is readable by the user who created the entry.
- Result: at <time> -f/etc/shadow gives access to the password file.

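The at bug is a missing authorization check in a privileged program: at ran with root's rights, read whatever file it was told to, and put a copy where the requester could read it. The following is an added example, not code from the slides or from any at implementation: a tiny model of Unix mode bits, a submission routine with the flaw, and one that checks the requester's own read permission on the file before copying it into the spool. The file system, users and file contents are constructed for the demo.

```python
import stat
from dataclasses import dataclass


@dataclass
class File:
    owner: int
    group: int
    mode: int
    data: str


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset


# Constructed file system for the demo (contents are placeholders, not real data)
FS = {
    "/etc/shadow": File(0, 0, 0o600, "root:<placeholder-hash>:19000:0:99999:7:::\n"),
    "/home/alice/backup.sh": File(1000, 1000, 0o644, "tar cf /tmp/home.tar /home/alice\n"),
}
ALICE = User(1000, frozenset({1000}))


def can_read(f, user):
    """Classic Unix read check: owner bits, else group bits, else other bits."""
    if user.uid == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in user.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def at_submit_vulnerable(fs, path, requester):
    """Models the bug: the setuid-root at reads <file> with root's rights and writes the
    job into a spool entry the requester is allowed to read back."""
    return {"owner": requester.uid, "job": fs[path].data}


def at_submit_fixed(fs, path, requester):
    """Fix: check that the requester may read <file> before copying it anywhere."""
    if not can_read(fs[path], requester):
        raise PermissionError(f"{path}: not readable by uid {requester.uid}")
    return at_submit_vulnerable(fs, path, requester)


def requester_obtains_copy(submit, fs, path, requester):
    """True if the requester ends up with a spool entry they can read containing <file>."""
    try:
        entry = submit(fs, path, requester)
    except PermissionError:
        return False
    return entry["owner"] == requester.uid and entry["job"] == fs[path].data


if __name__ == "__main__":
    for submit in (at_submit_vulnerable, at_submit_fixed):
        print(submit.__name__, "/etc/shadow ->",
              requester_obtains_copy(submit, FS, "/etc/shadow", ALICE))
        print(submit.__name__, "own script  ->",
              requester_obtains_copy(submit, FS, "/home/alice/backup.sh", ALICE))
```

On a real system the check would be done with the requester's own credentials (dropping privileges, or an access check against the real uid rather than the effective one) so that the privileged program never reads on the caller's behalf more than the caller could read alone.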
TCP authentication

Three-way handshake between Alice and Bob:
  Alice -> Bob:  SYN, SEQ a
  Bob -> Alice:  SYN, ACK a+1, SEQ b
  Alice -> Bob:  ACK b+1, data

Note: initial sequence numbers are supposed to be unpredictable.

TCP authentication attack

Trudy, Alice and Bob:
  1. Trudy -> Bob:  SYN, SEQ t (as Trudy)
  2. Bob -> Trudy:  SYN, ACK t+1, SEQ b1
  3. Trudy -> Bob:  SYN, SEQ t (as Alice)
  4. Bob -> Alice:  SYN, ACK t+1, SEQ b2
  5. Trudy -> Bob:  ACK b2+1, data (as Alice)

TCP authentication attack

- Trudy cannot see what Bob sends, but she can send packets to the server Bob, as Alice.
- Trudy must prevent Alice from receiving Bob's packets (or Alice will terminate the connection).
- If a password (or other authentication) is required, this attack fails.
- If TCP is the authentication, then the attack succeeds.
- It is a bad idea to rely on TCP for authentication.

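Why the note on the earlier slide matters can be shown with a simulated handshake. The following is an added example, not code from the slides: a server class that plays Bob with a pluggable initial-sequence-number policy, an honest client that sees the SYN-ACK, and a "blind" sender that, like Trudy, never sees the SYN-ACK and must guess b2 from an earlier probe. With a sequential policy (the step size is an assumption for the demo) the guess completes the handshake; with 32 random bits from the OS CSPRNG it fails. No packets are sent; everything is in-process.

```python
import secrets

MASK32 = 0xFFFFFFFF


class HandshakeServer:
    """Bob's side of the three-way handshake, with a pluggable ISN policy."""

    def __init__(self, isn_policy):
        self.isn_policy = isn_policy
        self.pending = {}          # claimed client address -> ISN we sent it
        self.established = set()

    def syn(self, client, client_seq):
        """Step 2 of the slide: reply SYN, ACK client_seq+1, SEQ b. The reply is
        addressed to `client`; a sender using someone else's address never sees it."""
        isn = self.isn_policy()
        self.pending[client] = isn
        return ("SYN-ACK", (client_seq + 1) & MASK32, isn)

    def ack(self, client, ack_num):
        """Step 3: accept only an ACK that carries exactly b+1."""
        isn = self.pending.get(client)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        self.established.add(client)
        return True


def sequential_isn(step=64000):
    """Weak policy (assumed step for the demo): each ISN is the previous one plus a constant."""
    state = {"last": 0}

    def policy():
        state["last"] = (state["last"] + step) & MASK32
        return state["last"]
    return policy


def random_isn():
    """Sound policy: 32 bits from the OS CSPRNG for every connection."""
    return secrets.randbits(32)


def honest_connect(server, client):
    """Alice's normal case: she sees the SYN-ACK and echoes b+1."""
    _, _, b = server.syn(client, 1000)
    return server.ack(client, (b + 1) & MASK32)


def predicted_next_isn(server, step=64000):
    """Steps 1-2 of the slide: connect from one's own address, read b1, and assume
    the next ISN will be b1 + step."""
    _, _, b1 = server.syn("trudy", 2000)
    return (b1 + step) & MASK32


def blind_connect(server, claimed_client, guessed_isn):
    """Steps 3-5: SYN as `claimed_client`, then an ACK built from a guess, because the
    real SYN-ACK went to the address that was claimed."""
    server.syn(claimed_client, 3000)
    return server.ack(claimed_client, (guessed_isn + 1) & MASK32)


if __name__ == "__main__":
    for name, policy in (("sequential", sequential_isn()), ("random", random_isn)):
        bob = HandshakeServer(policy)
        print(name, "honest:", honest_connect(bob, "alice"),
              "blind guess:", blind_connect(bob, "alice", predicted_next_isn(bob)))
```

The random policy only makes the guess fail; it does not make the connection authenticated. As the slide says, a password or other authentication on top of TCP is what actually identifies Alice.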
What is a Computer Virus?

To be defined as a virus, a program must:
- Replicate itself in order to carry out a mission.
- Be dependent on a "host" to carry out the mission.
- Create damage to the computer system "infected".

"A computer virus is an exact cybernetic analogy to its biological reference."

There are more than 20,000 different computer viruses.

Simple Definition

A virus is a program which reproduces itself, hides in other computer code without permission and does nasty or undesirable things, not intended by its victim.

Computer viruses are malicious programs that infect a computer system, causing various problems with its use. They replicate and attach themselves to programs in the system.

Virus Effects

- Trivial: simply reproduces or displays messages.
- Minor: alters or deletes infected files.
- Moderate: wipes out an entire disk drive.
- Major: slowly corrupts data with a pattern, making restoration difficult.
- Severe: slowly corrupts data without a pattern, making restoration impossible.
- Unlimited: a virus which discovers the system administrator's password and mails it to one or more users, tempting them to use it for illegal purposes.

How Virus Infections Spread

Virus infections spread by:
- Inserting a disk with an infected program and then starting the program.
- Downloading an infected program from the Internet.
- Being on a network with an infected computer.
- Opening an infected e-mail attachment.

Virus Components

- The Replication mechanism: allows the virus to copy itself.
- The Protection mechanism: hides the virus from detection.
- The Trigger: the mechanism which will set off the payload.
- The Payload: the effect of the virus.

Virus Types

Viruses are classified by the portion of the system they affect. There are five main types:
- Boot Viruses
- File Viruses
- Multi-partite Viruses
- Polymorphic Viruses
- Macro Viruses

Boot Viruses

- Infect the boot block on a floppy or hard disk.
- Usually replace the boot block with all or part of a virus program.
- Most have trigger dates; when booted on that day, severe damage will be done.
- The virus loads into memory and infects other disks.
- Executes each time the computer is started.
- May lead to the destruction of all data.
- Example: Michelangelo. On March 6 (Michelangelo's birthday) garbage is written through the entire drive.

Infection pattern with a boot virus

[Diagram showing the master boot sector and the boot sector of a disk before infection, and where the viral code is placed relative to the boot sector after infection.]

File Viruses (Parasitic)

- Infect .EXE or .COM files.
- Usually append the virus code to the file; newer versions hide the virus.
- Damage is done when the program is run, and the virus will attach to other files.
- Attach themselves to program files.
- Spread to other programs on the hard drive.
- Are the most common type of virus.
- Example: Friday the 13th. If the date matches Friday the 13th when the virus is executed, all .EXE files are deleted.

Multi-partite Viruses

- Infect both boot blocks and executable files.
- Combine the capabilities of boot viruses and file viruses.
- Example: Tequila, which will display graphics and text rather than running programs.

Polymorphic Viruses

- Can infect the boot sector, files or both.
- Are self-modifying: the code changes each time it infects a file or disk.
- Very difficult to detect and remove.
- Example: Tremor, which triggers 3 months after infection and displays "-MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-" with every warm boot.

Macro Viruses

- Infect the automatic command capabilities of productivity software.
- Attach themselves to the data files in word processing, spreadsheet, and database programs.
- Spread when the data files are exchanged between users.
- Carried in data files for Microsoft Word documents.
- Example: Concept, which infects the global template and all files loaded from then on. It was distributed by Microsoft on a CD-ROM called Microsoft Windows 95 Software Compatibility Test.

Time Bombs

- Are also called logic bombs.
- Are harmless until a certain event or circumstance activates the program.

Computer Trojans

Computer Trojans are simply malicious computer programs disguised as something useful. The major difference between viruses and Trojans is that viruses reproduce, while a Trojan is just a one-time program which executes its payload as soon as the Trojan is executed. Trojans are the most common way of bringing a virus into a system. A current example of a Trojan is a program called pkz300b.exe, which disguises itself as an archiving utility but, when run, will delete your entire hard drive.

Computer Worms

Computer Worms are reproducing programs that run independently and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus is dependent upon a host file or boot sector, and upon the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own will through network connections. An example of a worm is the famous Internet worm of 1988: overnight the worm copied itself across the Internet, infecting every Sun-3 and VAX system with so many copies of itself that the systems were unusable. Eventually several sites disconnected themselves from the Internet to avoid reinfection.

Virus Prevention

- Never use a "foreign" disk or CD-ROM without scanning it for viruses.
- Always scan files downloaded from the Internet or bulletin boards.
- Never boot your PC from a floppy unless you are certain it is virus free.
- Write-protect your disks to prevent viruses from reproducing onto your disks.
- Use licensed software from a reputable dealer.
- Password-protect your PC to prevent copying of files in your absence.
- Make regular backup copies of all your work and system configurations.
- Install and use anti-virus software regularly.
- Update your anti-virus software regularly so it can detect new viruses.

Cryptographic Checksum

- It is a standard integrity protection technique.
- A checksum is computed for a clean version of the file to be protected.
- The checksum is stored in a secure place.
- Advantage: it does not need to know what the virus is.
- Disadvantage: it does not know what the virus is (it reports that a file changed, not why).
- Vulnerability: when the checksum is recomputed.

Antivirus Programs

- Antivirus programs are called vaccines or virus checkers.
- They use pattern-matching techniques to examine program files for patterns of virus code.
- Two drawbacks:
  - They cannot find viruses not in their database.
  - They cannot find new viruses that alter themselves to evade detection.
- Use antivirus programs that offer frequent updates and monitor system functions.
- Check disks that were used on another system for viruses.

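The two preceding slides (Cryptographic Checksum and Antivirus Programs) describe complementary checks, and their strengths and weaknesses can be shown side by side. The following is an added example, not code from the slides or from any antivirus product: a signature scanner over a constructed signature database, a keyed checksum baseline (HMAC-SHA-256, so that an intruder who can rewrite files but cannot read the key cannot forge a matching value), and a verifier. Over constructed sample files it shows that an altered strain escapes the signature scan but not the checksum, and that recomputing the baseline after the infection, the vulnerability the slide names, hides the change. File contents, the signature and the key are all placeholders.

```python
import hashlib
import hmac

# Constructed sample "files" (bytes): stand-ins for programs, not real binaries
CLEAN = {
    "/bin/ls": b"\x7fELF" + b"\x00" * 8 + b"list files",
    "/bin/cat": b"\x7fELF" + b"\x00" * 8 + b"concatenate",
}
# Constructed marker standing in for a virus body held in a signature database
DEMO_SIGNATURE = b"DEMO-VIRUS-BODY-v1"
SIGNATURES = {"Demo.A": DEMO_SIGNATURE}


def infect(files, path, body):
    """Return a copy of `files` in which `path` has `body` appended (a parasitic infection)."""
    out = dict(files)
    out[path] = out[path] + body
    return out


def signature_scan(files, signatures):
    """Antivirus-style pattern matching: report files that contain a known signature."""
    return {path: name
            for path, data in files.items()
            for name, sig in signatures.items() if sig in data}


def build_baseline(files, key):
    """Cryptographic checksum of each clean file, keyed with a secret kept off the host."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}


def verify(files, baseline, key):
    """Return the paths whose current checksum differs from the stored one."""
    changed = []
    for path, expected in baseline.items():
        current = hmac.new(key, files.get(path, b""), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(current, expected):
            changed.append(path)
    return sorted(changed)


def demo():
    key = b"placeholder-key-stored-in-a-secure-place"
    baseline = build_baseline(CLEAN, key)                  # computed while the files are clean
    known = infect(CLEAN, "/bin/ls", DEMO_SIGNATURE)         # strain that is in the database
    variant = infect(CLEAN, "/bin/ls", DEMO_SIGNATURE.replace(b"v1", b"v2"))  # altered strain
    return {
        "scan_known": signature_scan(known, SIGNATURES),
        "scan_variant": signature_scan(variant, SIGNATURES),
        "checksum_known": verify(known, baseline, key),
        "checksum_variant": verify(variant, baseline, key),
        # the slide's vulnerability: a baseline recomputed after infection reports nothing
        "checksum_rebuilt_after_infection": verify(variant, build_baseline(variant, key), key),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:34s} {result}")
```

The checksum side reports only that /bin/ls changed, not what changed it, which is the disadvantage the slide lists; the scanner names the strain but only when it is in its database. Running both, and never rebuilding the baseline from files that have not been re-verified as clean, is the usual practice.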
Summary

How things go wrong
- Change in environment
- Bound and syntax checking
- Convenient but dangerous design features
- Escapes from controlled invocation
- Bypass at a lower layer
- Flaws in protocol implementation

Virus
- What is a Computer Virus?
- Virus Effects
- Virus Infections
- Virus Components
- Virus Types