Viruses, Worms, Zombies, and other BeastiesCOS 116: 4/10/2008Sanjeev AroraEncryption (topic next week)Encryption strongly protects data en routeYou Amazon.comToday’s story: Attackers don’t need to break encryption to compromise your system.Encrypted ≠ SecureBreak into your computer and “sniff” keystrokes as you typeYou Amazon.comBreaking into a ComputerWhat does it mean?How is it done?Can we prevent it?What’s at Stake?Kinds of damage caused by insecurityData erased, corrupted, or held hostageValuable information stolen(credit card numbers, trade secrets, etc.)Services made unavailable (email and web site outages, lost business)Other fears: cybercrime, terrorism, etc.Main themes of today’s lectureSelf-reproducing programs and their uses in viruses, worms, zombiesOther threats to computer securityInternet = Today’s Wild West( weak or nonexistent policing means citizens have to protect themselves)There is no magic bullet against cyber crime, but following good security practices can help you stay safeBreaking into a ComputerWhat?Run unauthorized softwareHow?Trick the user into running bad software(“social engineering”)Exploit software bugs to run bad software without the user’s helpExample of attacks via social engineering: Trojan HorseCoolScreenSaver.exeViruses and WormsAutomated ways of breaking in;Use self-replicating programs(Recall self-replicating programs: Print the following line twice, the second time in quotes. “Print the following line twice, the second time in quotes.” )Computer VirusesSelf-replicating programs that spread by infecting other programs or data filesPayloadCool Screen SaverMust fool users into opening the infected fileNotepad Solitaire PaintPayloadPayloadPayloadEmail VirusesInfected program, screen saver, or Word document launches virus when openedUse social engineering to entice you to open the virus attachmentSelf-spreading: after you open it, automatically emails copies to everyone in your address bookThe Melissa Virus (1999)Social engineering: Email says attachment contains porn site passwordsSelf-spreading: Random 50 people from address bookTraffic forced shutdown of many email servers$80 million damage20 months and $5000 fineDavid L. SmithAberdeen, NJCombating VirusesConstant battle between attackers and defendersExample: Anti-virus software looks for “signatures” of known virusesAttacker response: Polymorphic viruses – change their code when they reproduce to make detection harderAnti-virus software adapts to find some kinds of polymorphismBut an infinite number of ways to permute viruses are available to attackersPayloadComputer WormsSelf-replicating programs like viruses, except exploit security holes to spread on their own without human interventionPayloadPayloadPayloadPayloadPayloadPayload1 2 6 0 0Frequent source of vulnerability: Buffer Overflow bugSpace reserved for email subjectReturn addressMemoryFrom: COS 116 StaffSubject: Welcome Students!… W e l c o m e S t u d e n t s ! 1 2 6 0 0… < e v i l c o d e . . . . . . . . . . 1>.. 0 0 0 0From: Bad GuySubject: <evil code . . . . . . . . . . . . . . . . . >100000.Buffer overflow bug: Programmer forgot to insert check for whether email subject is too big to fit in memory “buffer”↵memory address: 100000The Morris Worm (1988)First Internet wormCreated by student at CornellExploited holes in email servers, other programsInfected ~10% of the netSpawned multiple copies, crippling infected serversSentenced to 3 years probation, $10,000 fine, 400 hours community serviceRobert Tappan MorrisThe Slammer Worm (2003)Fastest spreading worm to dateOnly 376 bytes—Exploited buffer overflow in Microsoft database server productsSpread by sending infection packets to random servers as fast as possible, hundreds per secondInfected 90% of vulnerable systems within 10 minutes! 200,000 serversNo destructive payload, but packet volume shut down large portions of the Internet for hours911 systems, airlines, ATMs — $1 billion damage!Patch already available months previously, but not widely installedWhy is it so hard to stop Worms?Spread of the Slammer worm“Can we just develop a software to detect a virus/worm?”[Adleman’88] This task is undecidable.(so no software can work with 100% guarantee)Why do people write worms and viruses?Sometimes because they are misfits/anarchists/boredMain reason: BotnetsVirus/worm payload:Install bot program on target computerBot makes target a zombie, remotely controlled by attackerMany zombies harnessed into armies called botnets – often 100,000s of PCsBotZombiesBot program runs silently in the background, awaiting instructions from the attackerAttacker’s ProgramWhy go to the trouble of creating a botnet?“Distributed Denial of Service”Objective: Overwhelm target site with trafficReason 1: DDOS Attacks“Attack www.store.com”Messages are hard to filter because there are thousands of sendersReason 2: Sending Spam“Forward this message:Subject: Viagra!…”Other reasons•Click fraud.•Commit other cybercrime that is hard to traceStorm Botnet• Created via email scam in 2007; spread to a million computers• Owners unknown; said to be Russian• Used for DoS and Email spams; its services believed to befor rent/sale• Fiendishly clever design (a) distributed control, similar to Kazaa, Gnutella (b) rapidly morphing code; morphs every hour or so. (c ) seems to detect attempts to track/contain it, and “punishes”its pursuersIf you weren’t scared enough already…Spyware/AdwareHidden but not self-replicatingTracks web activity for marketing, shows popup ads, etc.Usually written by businesses: Legal gray areaSpoofing AttacksYouAmaz0n.comAttacker impersonates the merchant (“spoofing”)Your data is encrypted……all the way to the bad guy!Amaz0n.com’s keyAttackers are AdaptiveDefenders must continually adapt to keep upCan we stop computer crime?Probably not!Wild West nature of the InternetSoftware will always have bugs Rapid exponential spread of attacksBut we can take steps to reduce risks…Protecting Your ComputerSix easy things you can do…Keep your software up-to-dateUse safe programs to surf the ‘netRun anti-virus and anti-spyware regularlyAdd an external firewallBack up your dataLearn to be “street smart” onlineKeep Software Up-to-DateUse Safe Software to Go
View Full Document
Unlocking...