Stanford CS 155 - Virus Protection and Intrusion Detection
Virus Protection and Intrusion Detection
John Mitchell

Topics
- Trojans, worms, and viruses
- Virus protection
  • Virus scanning methods
- Detecting system compromise
  • Tripwire
- Detecting system and network attacks
  • Scanning system call trace
  • Network intrusion detection

What is a Virus?
- Program embedded in file
- Spreads and does damage
  • Replicator
    – Portion of virus code that reproduces virus
  • Payload
    – Portion of virus code that does some other function
- Categories
  • Boot virus (boot sector of disk)
  • Virus in executable file
  • Macro virus (in file executed by application)
Virus scanner is large collection of many techniques

Three related ideas
[Diagram: three overlapping properties, undesired functionality, hidden in code, and propagates, with Trojan, Virus and Worm placed according to which of them each has]

Trojan Horse
!!! PKZIP Trojan Horse Version -(Originally Posted May 1995) !!!
… a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run.
Not a virus since it doesn’t replicate

Worm vs Virus
- A worm is a program
  • can run independently
  • consume the resources of its host
  • can propagate a complete working version of itself to other machines
- A virus is a piece of code
  • inserts itself into a host program
  • cannot run independently
  • requires that host program be run to activate it

Internet Worm
- Released November 1988
  • Program spread through Digital, Sun workstations
  • Exploited Unix security vulnerabilities
    – VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
- Consequences
  • No immediate damage from program itself
  • Replication and threat of damage
    – Load on network, systems used in attack
    – Many systems shut down to prevent further attack

Consequences of attack
- Morris worm, 1988
  • Infected approximately 6,000 machines
    – 10% of computers connected to the Internet
  • cost ~ $10 million in downtime and cleanup
- Code Red worm, July 16 2001
  • Direct descendant of Morris’ worm
  • Infected more than 500,000 servers
    – Programmed to go into infinite sleep mode July 28
  • Caused ~ $2.6 Billion in damages
Statistics: Computer Economics Inc., Carlsbad, California
Love Bug worm: $8.75 billion ?

Internet Worm Description
- Two parts
  • Program to spread worm
    – look for other machines that could be infected
    – try to find ways of infiltrating these machines
  • Vector program (99 lines of C)
    – compiled and run on the infected machines
    – transferred main program to continue attack
- Security vulnerabilities
  • fingerd – Unix finger daemon
  • sendmail – mail distribution program
  • Trusted logins (.rhosts)
  • Weak passwords

Three ways the worm spread
- Sendmail
  • Exploit debug option in sendmail to allow shell access
- Fingerd
  • Exploit a buffer overflow in the fgets function
  • Apparently, this was the most successful attack
- Rsh
  • Exploit trusted hosts
  • Password cracking

sendmail
- Worm used debug feature
  • Opens TCP connection to machine's SMTP port
  • Invokes debug mode
  • Sends a RCPT TO that pipes data through shell
  • Shell script
    retrieves worm main program
    – places 40-line C program in temporary file called x$$,l1.c where $$ is current process ID
    – Compiles and executes this program
    – Opens socket to machine that sent script
    – Retrieves worm main program, compiles it and runs

fingerd
- Written in C and runs continuously
- Array bounds attack
  • Fingerd expects an input string
  • Worm writes long string to internal 512-byte buffer
- Attack string
  • Includes machine instructions
  • Overwrites return address
  • Invokes a remote shell
  • Executes privileged commands

Remote shell
- Unix trust information
  • /etc/host.equiv – system wide trusted hosts file
  • /.rhosts and ~/.rhosts – users’ trusted hosts file
- Worm exploited trust information
  • Examining files that listed trusted machines
  • Assume reciprocal trust
    – If X trusts Y, then maybe Y trusts X
- Password cracking
  – Worm was running as daemon (not root) so needed to break into accounts to use .rhosts feature
  – Dictionary attack
  – Read /etc/passwd, used ~400 common password strings

The worm itself
- Program is called 'sh'
  • Clobbers argv array so a 'ps' will not show its name
  • Opens all its files, then unlinks (deletes) them so they can't be found
    – since files are open, worm can still access their contents
- Tries to infect as many other hosts as possible
  • When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts

Some things the worm did not do
- … did not delete a system's files,
- … did not modify existing files,
- … did not install trojan horses,
- … did not record or transmit decrypted passwords,
- … did not try to capture superuser privileges,
- … did not propagate over UUCP, X.25, DECNET, or BITNET.

Detecting Internet Worm
- Files
  • Strange files appeared in infected systems
  • Strange log messages for certain programs
- System load
  • Infection generates a number of processes
  • Systems were reinfected => number of processes grew and systems became overloaded
    – Apparently not intended by worm’s creator
Thousands of systems were shut down

Stopping the worm
- System admins busy for several days
  • Devised, distributed, installed modifications
- Perpetrator
  • Student at Cornell; discovered quickly and charged
  • Sentence: community service and $10,000 fine
    – Program did not cause deliberate damage
    – Tried (failed) to control # of processes on host machines
- Lessons?
  • Security vulnerabilities come from system flaws
  • Diversity is useful for resisting attack
  • “Experiments” can be dangerous

Sources for more information
- Eugene H. Spafford, The Internet Worm: Crisis and Aftermath, CACM 32(6) 678-687, June 1989
- IETF rfc1135
- ftp://coast.cs.purdue.edu/pub/doc/morris_worm
- Page, Bob, "A Report on the Internet Worm", http://www.ee.ryerson.ca:8080/~elf/hack/iworm.html

Other significant worms
- Code Red, July 2001
  • Affects Microsoft Index Server 2.0,
    – Windows 2000 Indexing service on Windows NT 4.0.
    – Windows 2000 that run IIS 4.0 and 5.0 Web servers
  • Exploits known buffer overflow in Idq.dll
- SQL Slammer, January 2003
  • Affects Microsoft SQL 2000
  • Exploits known buffer overflow vulnerability
    – Server Resolution service vulnerability reported June 2002
    – Patch released in July 2002 Bulletin MS02-39

Code Red
- Sends its code as an HTTP request
- HTTP request exploits buffer overflow
- Malicious code
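The "Remote shell" slide explains that the worm read hosts.equiv and .rhosts files and bet on reciprocal trust. From the administrator's side, the same files can be audited before an attacker reads them: the wildcard "+" entry, mutual trust pairs, and the set of hosts reachable from any single compromised machine are what decide how far one break-in travels. The following Python script is an added example written for this page, not part of the lecture; the four hosts and their trust files are constructed, and the "+" wildcard, "-host" denial and "host [user]" line formats are the classic rhosts conventions.

```python
"""Audit rsh/rlogin trust files (/etc/hosts.equiv, ~/.rhosts) for risky trust.

Added example, not from the lecture.  The host names and file contents below are
constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample: trust files collected from four hosts.
# Key: host that holds the file; value: list of (path, file contents).
SAMPLE_TRUST_FILES = {
    "alpha": [("/etc/hosts.equiv", "beta\ngamma\n"),
              ("/home/ops/.rhosts", "delta ops\n")],
    "beta":  [("/etc/hosts.equiv", "alpha\n")],
    "gamma": [("/etc/hosts.equiv", "+\n")],          # wildcard: every host trusted
    "delta": [("/home/ops/.rhosts", "# none\n-alpha\n")],
}


def parse_trust_file(text):
    """Return a list of (host, user) entries; host '+' is the wildcard.

    Lines starting with '-' are denials: they remove trust, so they are skipped.
    Comments (#) and blank lines are ignored.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        parts = line.split()
        user = parts[1] if len(parts) > 1 else None
        entries.append((parts[0], user))
    return entries


def build_trust_graph(files_by_host):
    """trusts[h] = set of hosts whose users may log in to h without a password."""
    trusts = defaultdict(set)
    wildcard_hosts = set()
    for host, files in files_by_host.items():
        for _path, text in files:
            for trusted, _user in parse_trust_file(text):
                if trusted == "+":
                    wildcard_hosts.add(host)
                else:
                    trusts[host].add(trusted)
    # A bare '+' means every other known host is trusted by that host.
    for host in wildcard_hosts:
        trusts[host] |= set(files_by_host) - {host}
    return dict(trusts), wildcard_hosts


def reciprocal_trusts(trusts):
    """Pairs (a, b) where a trusts b and b trusts a: the 'maybe Y trusts X' guess pays off."""
    pairs = set()
    for a, sources in trusts.items():
        for b in sources:
            if a in trusts.get(b, set()):
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def reachable_from(trusts, start):
    """Hosts that a user already logged in on `start` could reach by hopping over trust edges.

    An edge cur -> target exists when target trusts cur.  This is the blast radius
    of a single compromised host; an audit wants it to be as small as possible.
    """
    seen, stack = set(), [start]
    while stack:
        cur = stack.pop()
        for target, sources in trusts.items():
            if cur in sources and target not in seen and target != start:
                seen.add(target)
                stack.append(target)
    return seen


def report(files_by_host):
    trusts, wildcard_hosts = build_trust_graph(files_by_host)
    print("hosts trusting everyone ('+'):", sorted(wildcard_hosts))
    print("reciprocal trust pairs:", reciprocal_trusts(trusts))
    for host in sorted(files_by_host):
        print(f"from {host} one can reach: {sorted(reachable_from(trusts, host))}")


if __name__ == "__main__":
    report(SAMPLE_TRUST_FILES)
```

On the constructed data, gamma's "+" makes it reachable from everywhere, and a foothold on delta (which trusts nobody) still reaches alpha, beta and gamma, because alpha's .rhosts and gamma's wildcard trust delta. Trust here is a property of the whole graph, not of one file, which is why the audit has to be run over files collected from every host.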


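Two further indicators from "The worm itself" and "Detecting Internet Worm" are process-level: the worm clobbered argv so ps would not show its name and unlinked its own files while keeping them open, and reinfection made the process count climb until hosts were overloaded. On a modern Linux host the kernel exposes both: readlink on /proc/PID/exe and /proc/PID/fd/* returns the target path with " (deleted)" appended once it is unlinked, and the process table can be counted over time. The following Python script is an added example written for this page, not the lecture's code; the process snapshot and the per-minute process counts are constructed, and the live scan_proc() helper is only run when a /proc tree exists.

```python
"""Host-side indicators from the worm slides: processes holding deleted files open,
and a process count that climbs beyond its baseline as a host is reinfected.

Added example, not from the lecture.  SAMPLE_PROCS and SAMPLE_PROCESS_COUNTS are
constructed; scan_proc() reads the real /proc tree only if one is present.
"""
import os
import statistics

# Constructed process-table snapshot.  "exe" and "fds" mimic what readlink() returns
# for /proc/<pid>/exe and /proc/<pid>/fd/* on Linux, where an unlinked target is
# reported with a trailing " (deleted)".  Pid 202 models the slide's worm: a process
# named 'sh' whose binary and source file (x$$,l1.c with $$ = 202) were unlinked.
SAMPLE_PROCS = [
    {"pid": 101, "comm": "sshd", "exe": "/usr/sbin/sshd",
     "fds": ["/dev/null", "socket:[1234]"]},
    {"pid": 202, "comm": "sh", "exe": "/tmp/x202,l1 (deleted)",
     "fds": ["/tmp/x202,l1.c (deleted)", "socket:[5678]"]},
    {"pid": 303, "comm": "sh", "exe": "/bin/sh", "fds": ["/dev/pts/0"]},
]

# Constructed per-minute process counts for one host; the tail models reinfection.
SAMPLE_PROCESS_COUNTS = [80, 82, 81, 83, 120, 190, 310]


def unlinked_open_files(procs):
    """Return {pid: [targets]} for processes whose executable or an open fd is unlinked."""
    hits = {}
    for p in procs:
        deleted = [t for t in [p["exe"], *p["fds"]] if t.endswith(" (deleted)")]
        if deleted:
            hits[p["pid"]] = deleted
    return hits


def process_growth_alerts(counts, baseline_len=4, ratio=1.5):
    """Indices of samples exceeding ratio x the median of the first baseline_len samples.

    The median rather than the mean keeps one noisy baseline sample from moving the
    threshold.  Returns [] when there are not enough samples to form a baseline.
    """
    if len(counts) <= baseline_len:
        return []
    threshold = ratio * statistics.median(counts[:baseline_len])
    return [i for i in range(baseline_len, len(counts)) if counts[i] > threshold]


def scan_proc(proc_root="/proc"):
    """Build the SAMPLE_PROCS structure from a live Linux /proc tree.

    Entries the caller is not permitted to read are skipped rather than failing, so an
    unprivileged run still reports the processes it owns.
    """
    procs = []
    if not os.path.isdir(proc_root):
        return procs
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        fds = []
        try:
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds.append(os.readlink(os.path.join(base, "fd", fd)))
                except OSError:
                    pass
        except OSError:
            pass
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        procs.append({"pid": int(name), "comm": comm, "exe": exe, "fds": fds})
    return procs


if __name__ == "__main__":
    print("constructed snapshot, deleted-but-open files:", unlinked_open_files(SAMPLE_PROCS))
    print("process count alerts at sample indices:", process_growth_alerts(SAMPLE_PROCESS_COUNTS))
    live = scan_proc()
    if live:
        print(f"live /proc: {len(live)} processes, deleted-but-open:", unlinked_open_files(live))
```

A deleted executable is a strong lead but not proof: a package upgrade that replaces a running binary produces the same " (deleted)" marker until the service restarts, so the hit list is something to triage (who owns the process, where did the file live, is a socket open) rather than an alarm on its own. Likewise the growth threshold needs a baseline taken on the same host at a comparable time of day.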