USC CSCI 530 - usc-csci530-f08-l07
USC CSci530 Computer Security Systems, Lecture notes, Fall 2008
CSci530: Security Systems, Lecture 7, October 10 2008
Introduction to Malicious Code
Dr. Clifford Neuman, University of Southern California, Information Sciences Institute
Copyright © 1995-2008 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Outline: Introduction to Malicious Code; Classes of Malicious Code; Activities of Malicious Code; Defenses to Malicious Code; Trojan Horses; Viruses; Recent Viruses Spread by Email; Virus Phases; Analogy to Real Viruses; How Viruses Hide; Macro Viruses; Worms; Delayed Effect; Zombies/Bots; Spyware; Some Spyware Local; Theory; Root Kits; Best Detection is from the Outside

Classes of Malicious Code: how propagated
• Trojan Horses
  – Embedded in a useful program that others will want to run.
  – Covert secondary effect.
• Viruses
  – When the program is started, it will try to propagate itself.
• Worms
  – Exploit bugs to infect running programs.
  – Infection is immediate.

Classes of Malicious Code: the perceived effect
• Viruses
  – Propagation and payload
• Worms
  – Propagation and payload
• Spyware
  – Reports back to others
• Zombies
  – Controllable from elsewhere

Activities of Malicious Code
• Modification of data
  – Propagation and payload
• Spying
  – Propagation and payload
• Advertising
  – Reports back to others or uses locally
• Propagation
  – Controllable from elsewhere
• Self preservation
  – Covering their tracks

Defenses to Malicious Code
• Detection
  – Virus scanning
  – Intrusion detection
• Least privilege
  – Don't run as root
  – Separate user IDs
• Sandboxing
  – Limit what the program can do
• Backup
  – Keep something stable to recover from

Trojan Horses
• A desirable, documented effect
  – Is why people run a program
• A malicious payload
  – An "undocumented" activity that might be counter to the interests of the user.
• Examples: some viruses, much spyware.
• Issue: how to get the user to run the program.

Trojan Horses
• Software that doesn't come from a reputable source may embed trojans.
• A program with the same name as one commonly used, inserted in the search path.
• Depending on settings, visiting a web site or reading email may cause a program to execute.

Viruses
• Resides within another program
  – Propagates itself to infect new programs (or new instances)
• May be an instance of a Trojan Horse
  – Email requiring manual execution
  – Infected program becomes a trojan

Viruses
• Early viruses used the boot sector
  – Instructions for booting the system
  – Modified to start the virus, then the system.
  – Virus writes itself to the boot sector of all media.
  – Propagates by shared disks.

Viruses
• Some viruses infect programs
  – Same concept: on start, the program jumps to the code for the virus.
  – Virus may propagate to other programs, then jump back to the host.
  – Virus may deliver a payload.

Recent Viruses Spread by Email
• Self-propagating programs
  – Use mailbox and address book for likely targets.
  – Mail the program to targeted addresses.
  – Forge the sender to trick the recipient into opening the program.
  – Exploit bugs to cause auto-execution on the remote site.
  – Trick users into opening attachments.

Virus Phases
• Insertion phase
  – How the virus propagates
• Execution phase
  – Virus performs other malicious action
• Virus returns to the host program

Analogy to Real Viruses
• Self-propagating
• Requires a host program to replicate.
• Similar strategies
  – If deadly from the start, it won't spread very far: it kills the host.
  – If it infects and propagates before causing damage, it can go unnoticed until it is too late to react.

How Viruses Hide
• Encrypted with a random key to hide the signature.
• Polymorphic viruses change the code on each infection.
• Some viruses cloak themselves by trapping system calls.

Macro Viruses
• Code is interpreted by a common application such as Word, Excel, a PostScript interpreter, etc.
• May be virulent across architectures.

Worms
• Propagate across systems by exploiting vulnerabilities in programs already running.
  – Buffer overruns on network ports
  – Does not require the user to "run" the worm; instead it seeks out vulnerable machines.
  – Often propagates server to server.
  – Can have very fast spread times.

Delayed Effect
• Malicious code may go undetected if the effect is delayed until some external event.
  – A particular time
  – Some occurrence
  – An unlikely event used to trigger the logic.

Zombies/Bots
• Machines controlled remotely
  – Infected by virus, worm, or trojan
  – Can
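The Trojan Horses slide warns about a program with the same name as a commonly used one being inserted in the search path. The audit below is an added defender's check, not code from the lecture: it walks a PATH string and flags the three conditions that make that insertion possible (relative entries, world-writable directories, and command names that are shadowed by an earlier entry). The function name `audit_path` and the finding labels are this example's own.

```sh
#!/bin/sh
# audit_path PATHSTRING: report trojan-insertion risks in a search path.
#   RELATIVE - "." or an empty entry: a file in the current directory would run
#   WRITABLE - a world-writable directory: anyone can drop a same-named program there
#   SHADOW   - an executable whose name also exists earlier in PATH (the earlier copy wins)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_path() {
    _findings=0
    _seen=""
    _old_ifs=$IFS
    IFS=':'
    set -- $1                      # split the PATH string on ':' into "$@"
    IFS=$_old_ifs
    for d in "$@"; do
        case "$d" in
            ''|.|./*|../*)
                echo "RELATIVE: entry '$d' resolves against the current directory"
                _findings=$((_findings + 1))
                continue ;;
        esac
        [ -d "$d" ] || continue
        # -perm -0002 tests the "other write" bit itself, independent of who runs the audit
        if [ -n "$(find "$d" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "WRITABLE: $d is world-writable"
            _findings=$((_findings + 1))
        fi
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            n=${f##*/}
            if printf '%s\n' "$_seen" | grep -qxF -- "$n"; then
                echo "SHADOW: $n in $d is shadowed by an earlier PATH entry"
                _findings=$((_findings + 1))
            else
                _seen="$_seen
$n"
            fi
        done
    done
    [ "$_findings" -eq 0 ]
}

# Audit the live PATH when invoked as: sh audit_path.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_path "$PATH"
fi
```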