Viruses, Worms, Zombies, and other Beasties
COS 116
4/25/2006
Guest Lecturer: Alex Halderman

Encrypted vs. Secure
- Encryption strongly protects data en route
- But attackers will choose weaker targets
[Diagram: encrypted connection between You and Amazon.com]

Encrypted ≠ Secure
- Break into your computer and “sniff” keystrokes as you type
[Diagram: You and Amazon.com, as before]

Breaking into a Computer
- What does it mean?
- How is it done?
- Can we prevent it?

What’s at Stake?
Kinds of damage caused by insecurity:
- Data erased, corrupted, or held hostage
- Valuable information stolen (credit card numbers, trade secrets, etc.)
- Services made unavailable (email and web site outages, lost business)

Main themes of today’s lecture
- Computer security is about much more than viruses and worms
- The current state of Internet security is like the Wild West: weak or nonexistent policing means citizens have to protect themselves
- There is no magic bullet against cyber crime, but following good security practices can help you stay safe

Breaking into a Computer
- What? Run unauthorized code
- How?
  - Trick the user into running bad software
  - Exploit software bugs to run bad software without the user’s help

Trojan Horses
[Diagram: CoolScreenSaver.exe]

Buffer Overflow Attacks
[Diagram: memory with space reserved for the email subject, followed by the return address. A message from COS 116 Staff with subject “Welcome Students!” fits in the reserved space. A message from Bad Guy whose subject is an over-long string of evil code runs past the reserved space and overwrites the return address.]
- Buffer overflow bug: Forget to check whether input is too big to fit in memory

Viruses and Worms
- Automated ways of breaking in; use self-replicating programs

Computer Viruses
- Self-replicating programs that spread by infecting other programs or data files
- Must fool users into opening the infected file
[Diagram: Cool Screen Saver carrying the payload; once opened, Notepad, Solitaire and Paint each carry the payload too]

Email Viruses
- Infected program, screen saver, or Word document launches virus when opened
- Use social engineering to entice you to open the virus attachment
- Self-spreading: after you open it, automatically emails copies to everyone in your address book

The Melissa Virus (1999)
- Social engineering: Email says attachment contains porn site passwords
- Self-spreading: Random 50 people from address book
- Traffic forced shutdown of many email servers
- $80 million damage
- 20 months and $5000 fine
[Photo: David L. Smith]

Combating Viruses
- Constant battle between attackers and defenders
- Example: Anti-virus software looks for “signatures” of known
  - Attacker response: Polymorphic viruses – change their code when they reproduce to make detection harder
  - Anti-virus software adapts to find some kinds of polymorphism
  - But an infinite number of ways to permute viruses are available to attackers
[Diagram: payload]

Computer Worms
- Self-replicating programs like viruses, except exploit security holes to spread on their own without human intervention
[Diagram: payload copying itself from machine to machine]

The Morris Worm (1988)
- First Internet worm
- Created by student at Cornell
- Exploited holes in email servers, other programs
- Infected ~10% of the net
- Spawned multiple copies, crippling infected servers
- Sentenced to 3 years probation, $10,000 fine, 400 hours community service
[Photo: Robert Tappan Morris]

The Slammer Worm (2003)
- Fastest spreading worm to date
- Only 376 bytes
- Exploited buffer overflow in Microsoft database server products
- Spread by sending infection packets to random servers as fast as possible, hundreds per second
- Infected 90% of vulnerable systems within 10 minutes! 200,000 servers
- No destructive payload, but packet volume shut down large portions of the Internet for hours
- 911 systems, airlines, ATMs — $1 billion damage!
- Patch already available months before, not widely installed

Can We Stop Worms?
[Figure: Spread of the Slammer worm]

Why do people write worms and viruses?

Botnets
- Virus/worm payload: Install bot program on target computer
- Bot makes target a zombie, remotely controlled by attacker
- Many zombies harnessed into armies called botnets – sometimes 100,000s of PCs

Zombies
- Bot program runs silently in the background, awaiting instructions from the attacker
[Diagram: the attacker’s program sending instructions to bots on zombie machines]

Why go to the trouble of creating a botnet?

Reason 1: DDOS Attacks
- “Distributed Denial of Service”
- Objective: Overwhelm target site with traffic
- Messages are hard to filter because there are thousands of senders
[Diagram: the attacker instructs the zombies: “Attack www.store.com”]

Reason 2: Sending Spam
[Diagram: the attacker instructs the zombies: “Forward this message: Subject: Viagra!…”]

Other Attacks…

Spyware/Adware
- Hidden but not self-replicating
- Tracks web activity for marketing, shows popup ads, etc.
- Usually written by businesses: Legal gray area

Spoofing Attacks
- Attacker impersonates the merchant (“spoofing”)
- Your data is encrypted… …all the way to the bad guy!
[Diagram: You connect to Amaz0n.com, encrypting with Amaz0n.com’s key]

Attackers are Adaptive
- Defenders must continually adapt to keep up

Can we stop computer crime?
- Probably not!
  - Wild West nature of the Internet
  - Software will always have bugs
  - Rapid exponential spread of attacks
- But we can take steps to reduce risks…

Protecting Your Computer
Six easy things you can do…
- Keep your software up-to-date
- Use safe programs to surf the ‘net
- Run anti-virus and anti-spyware regularly
- Add an external firewall
- Back up your data
- Learn to be “street smart” online

Keep Software Up-to-Date

Use Safe Software to Go Online
- Firefox (web browser)
- Thunderbird (email)

Anti-virus / Anti-spyware Scans
- Symantec Antivirus (Free from OIT)
- Spybot Search & Destroy (Free download)

Add an External Firewall
- Provides layered security (think: castle walls, moat)

Back Up Your Data
- Tivoli Storage Manager (Free from OIT)

Learn Online “Street Smarts”
- Be aware of your surroundings
  - Is the web site being spoofed?
- Don’t accept candy from strangers
  - How do
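The bug the Buffer Overflow Attacks slide illustrates, as an added example that is not code from the lecture: a fixed-size stack buffer for the email subject filled without a length check, next to the checked version that rejects oversized input. The buffer size, function names and sample subjects are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Space reserved for the email subject (constructed size for the demo). */
#define SUBJECT_SIZE 16

/* The bug on the slide: the subject is copied into a fixed buffer without
 * checking whether it fits. A subject of SUBJECT_SIZE bytes or more writes
 * past the end of `subject`, over whatever the compiler placed after it on
 * the stack, which is how the return address gets overwritten. Only ever
 * call this with input you know is short. */
void store_subject_unchecked(const char *input)
{
    char subject[SUBJECT_SIZE];
    strcpy(subject, input);               /* no bounds check */
    printf("Subject: %s\n", subject);
}

/* The fix: refuse input that does not fit, counting the terminating NUL.
 * Returns 0 when the subject was stored, -1 when it was rejected. */
int store_subject_checked(const char *input, char *subject, size_t size)
{
    size_t len = strlen(input);
    if (len >= size) {
        return -1;                        /* too big for the reserved space */
    }
    memcpy(subject, input, len + 1);      /* copies the NUL as well */
    return 0;
}

/* Wrapper with a stack buffer, mirroring the unchecked version's layout. */
int handle_subject(const char *input)
{
    char subject[SUBJECT_SIZE];
    if (store_subject_checked(input, subject, sizeof subject) != 0) {
        printf("Rejected subject of %zu bytes (limit %d)\n",
               strlen(input), SUBJECT_SIZE - 1);
        return -1;
    }
    printf("Subject: %s\n", subject);
    return 0;
}

int main(void)
{
    store_subject_unchecked("Hello!");     /* short input: behaves normally */
    handle_subject("Hello!");              /* fits: stored */
    handle_subject("Welcome Students!");   /* 17 bytes: rejected, stack untouched */
    return 0;
}
```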
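Why the Slammer slide's point about a patch being available months earlier is the real lesson, as an added example that is not from the lecture: a random-scanning worm modelled with the random-constant-spread equation used in the worm-modelling literature, stepped one second at a time. The parameters (200,000 vulnerable hosts, 400 scans per second per infected host, a 2^32 address space) and the function names are constructed assumptions, not Slammer's measured values.

```c
#include <stdio.h>

/* Constructed parameters chosen to match the slide's round numbers. */
#define ADDRESS_SPACE  4294967296.0  /* 2^32 IPv4 addresses, probed at random */
#define VULNERABLE     200000.0      /* unpatched servers reachable by the worm */
#define SCANS_PER_SEC  400.0         /* "hundreds per second" per infected host */
#define LN2            0.6931471805599453

/* Random-constant-spread model: each probe from an infected host lands on a
 * not-yet-infected vulnerable host with probability
 * (vulnerable - infected) / address_space, so the expected number of new
 * infections per second is infected * scans * that probability, and growth
 * is logistic. Returns the seconds until `fraction` of the vulnerable hosts
 * are infected, or -1 if that would take more than a day. */
double seconds_to_infect(double fraction, double scans_per_sec,
                         double vulnerable, double address_space)
{
    double infected = 1.0;                    /* a single seed host */
    double target = fraction * vulnerable;
    double t = 0.0;
    while (infected < target) {
        double p_hit = (vulnerable - infected) / address_space;
        infected += infected * scans_per_sec * p_hit;
        t += 1.0;
        if (t > 86400.0) {
            return -1.0;
        }
    }
    return t;
}

/* Doubling time early in the outbreak, while almost no target is infected:
 * ln 2 divided by the per-host infection rate scans * vulnerable / space. */
double early_doubling_seconds(double scans_per_sec, double vulnerable,
                              double address_space)
{
    return LN2 / (scans_per_sec * vulnerable / address_space);
}

int main(void)
{
    double t90 = seconds_to_infect(0.9, SCANS_PER_SEC, VULNERABLE, ADDRESS_SPACE);
    printf("90%% of vulnerable hosts infected after %.0f s (%.1f minutes)\n",
           t90, t90 / 60.0);
    printf("early doubling time: %.1f s\n",
           early_doubling_seconds(SCANS_PER_SEC, VULNERABLE, ADDRESS_SPACE));
    return 0;
}
```

With these inputs the model saturates in roughly a quarter of an hour, which is why no human-speed response (reading alerts, writing a signature, patching) can outrun such a worm and the only effective defence is the patch applied beforehand.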