Stanford CS 155 - Virus Protection and Intrusion Detection
John Mitchell

Topics
- Trojans, worms, and viruses
- Virus protection
  • Virus scanning methods
- Detecting system compromise
  • Tripwire
- Detecting system and network attacks
  • Scanning system call traces
  • Network intrusion detection

What is a Virus?
- Program embedded in a file
- Spreads and does damage
  • Replicator – the portion of the virus code that reproduces the virus
  • Payload – the portion of the virus code that does some other function
- Categories
  • Boot virus (boot sector of a disk)
  • Virus in an executable file
  • Macro virus (in a file executed by an application)
A virus scanner is a large collection of many techniques.

Three related ideas
[Figure: diagram relating Trojan, worm and virus by which of three properties each has: undesired functionality, hidden in code, propagates]

Trojan Horse
"!!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!! … a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run."
Not a virus, since it doesn't replicate.

Internet Worm
- Released November 1988
  • Program spread through Digital and Sun workstations
  • Exploited Unix security vulnerabilities
- Consequences
  • No immediate damage from the program itself
  • Replication and threat of damage
    – Load on the network; systems used in the attack
    – Many systems shut down to prevent further attack

Worm description
- Two parts
  • Program to spread the worm
    – look for other machines that could be infected
    – try to find ways of infiltrating these machines
  • Vector program (99 lines of C)
    – compiled and run on the newly infected machine
    – transferred the main program to continue the attack
- Security vulnerabilities used
  • fingerd – Unix finger daemon
  • sendmail – mail distribution program
  • Password cracking
  • Trusted logins

Components of Internet Worm Attack
- Sendmail
  • Exploit the debug option in sendmail to obtain shell access
- Rsh
  • Exploit trusted hosts
- Fingerd
  • Exploit a buffer overflow: fingerd read its input with the gets library function, which does no bounds checking

fingerd
- Written in C and runs continuously
- Array bounds attack
  • Fingerd expects an input string
  • Worm sends a long string that overwrites memory beyond the buffer
- Attack string
  • Includes machine instructions
  • Overwrites the return address
  • Invokes a remote shell
  • Executes privileged commands

sendmail
- Worm used the debug feature
  • Allows a set of commands to be sent to sendmail
  • Sends messages to new hosts through the mail system without processing normal mail messages

Password cracking
- Dictionary attack
  • Read /etc/passwd
  • Used a list of ~400 common password strings

Remote shell
- Unix trust information
  • /etc/hosts.equiv – system-wide trusted hosts file
  • /.rhosts and ~/.rhosts – users' trusted hosts files
- Worm exploited trust information
  • Examined files that listed trusted machines
  • Assumed reciprocal trust
    – If X trusts Y, then maybe Y trusts X

Detecting Internet Worm
- Files
  • Strange files appeared on infected systems
  • Strange log messages for certain programs
- System load
  • Infection generates a number of processes
  • Systems were reinfected => the number of processes grew and systems became overloaded
Thousands of systems were shut down.

Stopping the worm
- System admins busy for several days
  • Devised, distributed, installed modifications
- Perpetrator
  • Student at Cornell; discovered quickly and charged
  • Sentence: community service, $10,000 fine
    – Program did not cause deliberate damage
    – Tried (and failed) to control the number of processes on host machines
- Lessons?
  • Security vulnerabilities come from system flaws
  • Diversity is useful for resisting attack
  • "Experiments" can be dangerous

Reference
- Eugene H. Spafford; The Internet Worm: Crisis and Aftermath; Communications of the ACM, 32(6), pp. 678-687, June 1989

Virus Examples
- Jerusalem
  • One of the oldest and most common; many variants
  • Infects both .EXE and .COM files
  • Every Friday the 13th, deletes programs run that day
- Melissa
  • Word macro virus spread by email
  • Initially distributed in the Internet newsgroup alt.sex
  • Sent in a file called LIST.DOC
  • When opened, the macro emails itself to 50 people listed in the user's address book

Melissa Email
- Recipients are likely to open a document from someone they know
  From: (name of infected user)
  Subject: Important Message From (name of infected user)
  To: (50 names from alias list)
  Here is that document you asked for ... don't show anyone else ;-)
  Attachment: LIST.DOC

Viruses – What's Out There?
- Wild List, http://www.wildlist.org/
  • Industry standard
  • Currently 64 participants
    – mostly from security companies
    – keep watch for active viruses
  • About 200 current sightings
    – Viruses not sighted by two independent participants drop off the list
- Virus families
  • Many viruses reuse replicators that have proven effective

Who writes viruses?
- Limited scientific study
  • Sarah Gordon papers at http://www.research.ibm.com/antivirus/SciPapers.htm
- Identified four groups by survey
  • Early adolescent, college student, adult/professional, ex-writer of viruses
- Trends
  • "Those who have continued a normal ethical development have aged out of virus writing"
  • Some are older and more skilled than before
    – Viruses like Zhengxi and Concept point to an advanced knowledge of programming techniques

How hard is it to do?
- Google search: virus construction toolkit
- First link:
  • Name: OVCT
  • Type: Virus Creation Kit
  • Info: "Overwritting Virus Construction Toolkit is a virus source generator program designed for makeing overwritting virii."
- Links to ~40 other construction kits at http://www.ebcvg.com/creation_labs.php
  • I do not recommend downloading or running these!!

Simple File Infecting Virus
- Propagates an identical copy of itself
- Identified by "signature"
  • Characteristic bit pattern in the virus code
  • Often detects a family of viruses with a similar replicator
[Figure: executable file with the virus code attached]

Performance Issues
- Many files to scan, many signatures
- Optimizations?
  • Many viruses are at the beginning or end of a file
  • Almost all viruses are less than 4KB
[Figure: virus placed at the start or end of a file]

More General Limitation
- A virus must be executed to be effective
  • Most viruses sit at an entry point or after non-branching code
- Antivirus programs check entry points
  1. Establish a variable E for the program's entry point
  2. Examine the instruction at location E
  3. If it transfers control to another location, set E to that location and go back to step 2
  4. Search the bytes at location E for virus signatures
Reference: Nachenberg article
[Figure: virus reached by following control flow from the entry point]
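The last three slides (signature matching for a simple file infector, the "beginning or end of the file" optimization, and the four-step entry-point procedure from the Nachenberg article) as one added worked example. This is not code from the lecture or from any real antivirus engine: the signatures, the file images and all function names are constructed for illustration. The one real detail is the x86 encoding of the two unconditional jumps the tracer follows (EB rel8 and E9 rel32). It goes slightly beyond the slide in one respect: steps 2 and 3 form a loop, so the tracer carries a hop limit to terminate on a jump to itself, which the slide does not mention.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A signature: a characteristic byte pattern taken from a virus's replicator. */
typedef struct {
    const char *name;
    const uint8_t *pattern;
    size_t len;
} signature_t;

/* Constructed sample signatures for this example; not bytes of any real virus. */
static const uint8_t SIG_A[] = { 0xB8, 0x4C, 0x00, 0xCD, 0x21, 0x90, 0x90 };
static const uint8_t SIG_B[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE };
static const signature_t SIGNATURES[] = {
    { "Sample.Jumper.A",   SIG_A, sizeof SIG_A },
    { "Sample.Appender.B", SIG_B, sizeof SIG_B },
};
#define NSIGS (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Scratch image for the constructed files; LOOP_IMAGE is "EB FE", a jump to itself. */
static uint8_t IMAGE[16384];
static const uint8_t LOOP_IMAGE[] = { 0xEB, 0xFE };

/* Naive scan of [buf, buf+len): index of the first matching signature, or -1.
   A production engine uses a multi-pattern matcher (e.g. Aho-Corasick) here. */
int scan_region(const uint8_t *buf, size_t len) {
    for (size_t s = 0; s < NSIGS; s++) {
        const signature_t *sig = &SIGNATURES[s];
        for (size_t i = 0; sig->len <= len && i + sig->len <= len; i++)
            if (memcmp(buf + i, sig->pattern, sig->len) == 0)
                return (int)s;
    }
    return -1;
}

/* The "beginning or end" optimization: scan only the first and last `window`
   bytes. Cheaper, but a virus body in the middle of the file, or a pattern
   straddling a window edge, is missed. */
int scan_head_tail(const uint8_t *file, size_t len, size_t window) {
    if (len <= 2 * window)
        return scan_region(file, len);
    int r = scan_region(file, window);
    return r >= 0 ? r : scan_region(file + len - window, window);
}

/* Steps 1-3 of the slide: from `entry`, follow unconditional x86 jumps
   (EB rel8, E9 rel32) until a non-branching instruction is reached.
   `max_hops` terminates the loop on a jump to itself. Returns the final
   offset E, or -1 if a jump leaves the image. */
long trace_entry(const uint8_t *file, size_t len, size_t entry, int max_hops) {
    long e = (long)entry;
    for (int hop = 0; hop < max_hops; hop++) {
        if (e < 0 || (size_t)e >= len)
            return -1;
        if (file[e] == 0xEB && (size_t)e + 2 <= len) {
            e = e + 2 + (int8_t)file[e + 1];                  /* short jump */
        } else if (file[e] == 0xE9 && (size_t)e + 5 <= len) {
            uint32_t rel = (uint32_t)file[e + 1] | (uint32_t)file[e + 2] << 8 |
                           (uint32_t)file[e + 3] << 16 | (uint32_t)file[e + 4] << 24;
            e = e + 5 + (int32_t)rel;                         /* near jump */
        } else {
            return e;                          /* not a jump: code really runs here */
        }
    }
    return (e >= 0 && (size_t)e < len) ? e : -1;
}

/* Step 4 of the slide: scan `window` bytes at the traced entry point. */
int scan_entry(const uint8_t *file, size_t len, size_t entry, size_t window, int max_hops) {
    long e = trace_entry(file, len, entry, max_hops);
    if (e < 0)
        return -1;
    size_t avail = len - (size_t)e;
    return scan_region(file + e, avail < window ? avail : window);
}

/* Constructed 64-byte image: entry point 0 reaches SIG_A only through two
   jumps (EB +14 lands at 16, E9 +11 lands at 32); the rest is NOP filler. */
size_t build_jumping_image(uint8_t *buf, size_t cap) {
    if (cap < 64)
        return 0;
    memset(buf, 0x90, 64);
    buf[0] = 0xEB; buf[1] = 0x0E;                                    /* 0 + 2 + 14 = 16 */
    buf[16] = 0xE9; buf[17] = 0x0B; buf[18] = buf[19] = buf[20] = 0; /* 16 + 5 + 11 = 32 */
    memcpy(buf + 32, SIG_A, sizeof SIG_A);
    return 64;
}

/* Constructed 16 KB image with SIG_B near the end (appended != 0), as an
   appending infector would leave it, or buried in the middle, beyond any 4 KB window. */
size_t build_large_image(uint8_t *buf, size_t cap, int appended) {
    const size_t size = 16384;
    if (cap < size)
        return 0;
    memset(buf, 0, size);
    memcpy(buf + (appended ? size - 200 : size / 2), SIG_B, sizeof SIG_B);
    return size;
}
```

On the jumping image, scanning the 16 bytes at the raw entry point finds nothing, while scan_entry, which first resolves E through both jumps, reports SIG_A; on the large image, the 4 KB head/tail scan catches the appended body but not the buried one, which only the full scan_region finds. That pair of misses is exactly the trade-off the "Optimizations?" slide leaves open.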
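Going back to the fingerd slides in the Internet Worm section: the array-bounds attack, as an added example that is neither the lecture's code nor the original fingerd source. It puts a gets()-shaped reader, which copies until the newline with no knowledge of the destination size, next to a bounded reader that rejects an oversized request. The 512-byte buffer, the function names and the 'AAAA...' request are assumptions for illustration; the worm's real attack string carried machine instructions and a replacement return address, as the slide describes, but only its length matters for the defect shown here.

```c
#include <stddef.h>
#include <string.h>

/* Request buffer size used in this example (an assumption; what matters is
   that it is fixed and lives on the stack). */
#define REQ_BUF 512

/* Behaves like gets(): copies until newline or NUL with no idea how large
   dst is. This is the defect the 1988 worm exploited in fingerd. */
static char *unbounded_gets(char *dst, const char *src) {
    while (*src != '\0' && *src != '\n')
        *dst++ = *src++;
    *dst = '\0';
    return dst;
}

/* Vulnerable shape: fixed stack buffer filled by an unbounded read. A request
   of more than 511 bytes before the newline runs past `line` into the saved
   frame pointer and return address. Do not call this with such input. */
int handle_request_vulnerable(const char *wire) {
    char line[REQ_BUF];
    unbounded_gets(line, wire);
    return (int)strlen(line);      /* a real fingerd would now look up the user */
}

/* Hardened read: never writes more than `cap` bytes, and reports an oversized
   line instead of silently truncating it (truncation would quietly turn one
   request into a different, shorter one). Returns the line length or -1. */
int bounded_getline(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) {        /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

int handle_request_fixed(const char *wire) {
    char line[REQ_BUF];
    int n = bounded_getline(line, sizeof line, wire);
    if (n < 0)
        return -1;                 /* reject the request and drop the connection */
    return n;
}

/* Constructed attack-shaped request: `len` bytes of filler and no newline.
   Returns a static buffer, or NULL if len is too large for it. */
const char *long_request(size_t len) {
    static char buf[4096];
    if (len + 1 > sizeof buf)
        return NULL;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}
```

The boundary is the point to check: a 511-byte request is the longest the fixed handler accepts, 512 and 600 bytes are rejected, whereas the vulnerable handler would copy all of them onto the stack. Modern compilers and libcs refuse or warn on gets for this reason; fgets with the buffer size, or the bounded loop above, is the replacement.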

