Virus Protection and Intrusion Detection
John Mitchell

Slides in this deck:
  Virus Protection and Intrusion Detection
  Topics
  What is a Virus?
  Three related ideas
  Trojan Horse
  Worm vs Virus
  Internet Worm
  Consequences of attack
  Internet Worm Description
  Three ways the worm spread
  sendmail
  fingerd
  Remote shell
  The worm itself
  Some things the worm did not do
  Detecting Internet Worm
  Stopping the worm
  Sources for more information
  Other significant worms
  Code Red
  SQL Slammer
  Before we talk about viruses …
  Virus Examples
  Melissa Email
  FunLove Virus
  Viruses – What’s Out There?
  Who writes viruses?
  How hard is it to do?
  Simple File-Infecting Virus
  Performance Issues
  More General Limitation
  Virus Encryption
  Virus Cleaning
  Polymorphic Viruses
  Polymorphic Virus Detection
  Intrusion detection
  Tripwire
  Is Tripwire too late?
  Detect modified binary in memory?
  Example code and automaton
  General intrusion detection
  Misuse example - rootkit
  Misuse example - port sweep
  Anomaly Detection
  Anomaly – sys call sequences
  Difficulties in intrusion detection
  Response to intrusion?
  Example (UCD Computer Security Lab)
  SYN-flood Attack from Internet
  Response from ID System
  Strategic Intrusion Assessment [Lunt]
  Slide 52
  SNORT

Topics
Trojans, worms, and viruses
Virus protection
  • Virus scanning methods
Detecting system compromise
  • Tripwire
Detecting system and network attacks
  • Scanning system call trace
  • Network intrusion detection

What is a Virus?
Program embedded in file
Spreads and does damage
  • Replicator
    – Portion of virus code that reproduces virus
  • Payload
    – Portion of virus code that does some other function
Categories
  • Boot virus (boot sector of disk)
  • Virus in executable file
  • Macro virus (in file executed by application)
Virus scanner is large collection of many techniques

Three related ideas
Undesired functionality
Hidden in code
Propagates
(Diagram: the three properties above, undesired functionality, hidden in code, and propagates, mapped onto Trojan, Worm, and Virus)

Trojan Horse
!!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!!
… a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run.
Not a virus since it doesn’t replicate

Worm vs Virus
A worm is a program
  • can run independently
  • consume the resources of its host
  • can propagate a complete working version of itself to other machines
A virus is a piece of code
  • inserts itself into a host program
  • cannot run independently
  • requires that host program be run to activate it

Internet Worm
Released November 1988
  • Program spread through Digital, Sun workstations
  • Exploited Unix security vulnerabilities
    – VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
Consequences
  • No immediate damage from program itself
  • Replication and threat of damage
    – Load on network, systems used in attack
    – Many systems shut down to prevent further attack

Consequences of attack
Morris worm, 1988
  • Infected approximately 6,000 machines
    – 10% of computers connected to the Internet
  • cost ~ $10 million in downtime and cleanup
Code Red worm, July 16 2001
  • Direct descendant of Morris’ worm
  • Infected more than 500,000 servers
    – Programmed to go into infinite sleep mode July 28
  • Caused ~ $2.6 Billion in damages
Statistics: Computer Economics Inc., Carlsbad, California
Love Bug worm: $8.75 billion ?

Internet Worm Description
Two parts
  • Program to spread worm
    – look for other machines that could be infected
    – try to find ways of infiltrating these machines
  • Vector program (99 lines of C)
    – compiled and run on the infected machines
    – transferred main program to continue attack
Security vulnerabilities
  • fingerd – Unix finger daemon
  • sendmail – mail distribution program
  • Trusted logins (.rhosts)
  • Weak passwords

Three ways the worm spread
Sendmail
  • Exploit debug option in sendmail to allow shell access
Fingerd
  • Exploit a buffer overflow in the fgets function
  • Apparently, this was the most successful attack
Rsh
  • Exploit trusted hosts
  • Password cracking

sendmail
Worm used debug feature
  • Opens TCP connection to machine's SMTP port
  • Invokes debug mode
  • Sends a RCPT TO that pipes data through shell
  • Shell script retrieves worm main program
    – places 40-line C program in temporary file called x$$,l1.c where $$ is current process ID
    – Compiles and executes this program
    – Opens socket to machine that sent script
    – Retrieves worm main program, compiles it and runs

fingerd
Written in C and runs continuously
Array bounds attack
  • Fingerd expects an input string
  • Worm writes long string to internal 512-byte buffer
Attack string
  • Includes machine instructions
  • Overwrites return address
  • Invokes a remote shell
  • Executes privileged commands

Remote shell
Unix trust information
  • /etc/hosts.equiv – system wide trusted hosts file
  • /.rhosts and ~/.rhosts – users’ trusted hosts file
Worm exploited trust information
  • Examining files that listed trusted machines
  • Assume reciprocal trust
    – If X trusts Y, then maybe Y trusts X
Password cracking
  – Worm was running as daemon (not root) so needed to break into accounts to use .rhosts feature
  – Dictionary attack
  – Read /etc/passwd, used ~400 common password strings

The worm itself
Program is called 'sh'
  • Clobbers argv array so a 'ps' will not show its name
  • Opens all its files, then unlinks (deletes) them so they can't be found
    – since files are open, worm can still access their contents
Tries to infect as many other hosts as possible
  • When worm successfully connects, forks a child to continue the infection while the parent keeps trying new hosts

Some things the worm did not do
… did not delete a system's files,
… did not modify existing files,
… did not install trojan horses,
… did not record or transmit decrypted passwords,
… did not try to capture superuser privileges,
… did not propagate over UUCP, X.25, DECNET, or BITNET.

Detecting Internet Worm
Files
  • Strange files appeared in infected systems
  • Strange log messages for certain programs
System load
  • Infection generates a number of processes
  • Systems were reinfected => number of processes grew and systems became overloaded
    – Apparently not intended by worm’s creator
Thousands of systems were shut down

Stopping the worm
System admins busy for several days
  • Devised, distributed, installed modifications
Perpetrator
  • Student at Cornell; discovered quickly and charged
  • Sentence: community
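Added example for the fingerd slide above (written for these notes, not code from the slides or from any finger daemon): the "array bounds" defect is a read loop that copies a request into a fixed 512-byte buffer without ever comparing its index against the buffer size, shown here beside a bounded reader. The bounded version refuses an over-long request instead of silently truncating it, because a truncated request could be parsed as something the client never sent. The function names, the 512-byte size taken from the slide, and the sample requests are all constructed for this example.

```c
/* Bounded request handling, as an added example beside the defective
 * pattern. REQ_BUF = 512 follows the slide; everything else is assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REQ_BUF 512

/* Defective pattern (do not use): copies until newline or NUL with no
 * check of i against the destination size, so a request longer than
 * REQ_BUF bytes writes past the caller's stack buffer. It is shown only
 * for contrast and is never given untrusted input in this file. */
size_t read_request_unbounded(const char *input, char buf[REQ_BUF]) {
    size_t i = 0;
    while (input[i] != '\0' && input[i] != '\n') {
        buf[i] = input[i];          /* no bound on i */
        i++;
    }
    buf[i] = '\0';
    return i;
}

/* Hardened form: never writes more than cap bytes (including the NUL),
 * and returns -1 for a request that does not fit, leaving buf empty. */
int read_request_bounded(const char *input, char *buf, size_t cap) {
    size_t i = 0;
    if (cap == 0) return -1;
    for (;;) {
        char c = input[i];
        if (c == '\0' || c == '\n') break;
        if (i + 1 >= cap) {         /* one byte must stay for the NUL */
            buf[0] = '\0';
            return -1;              /* over-long request rejected */
        }
        buf[i++] = c;
    }
    buf[i] = '\0';
    return (int)i;
}

int main(void) {
    char buf[REQ_BUF];
    char longreq[700];              /* constructed 600-byte request */
    memset(longreq, 'A', 600);
    longreq[600] = '\n';
    longreq[601] = '\0';

    printf("short request -> %d bytes (%s)\n",
           read_request_bounded("alice\n", buf, sizeof buf), buf);
    printf("600-byte request -> %d (rejected)\n",
           read_request_bounded(longreq, buf, sizeof buf));
    return 0;
}
```

The rejection path matters as much as the bound: a server that truncates and continues still has to drain the rest of the over-long line from the socket, or the remainder is read as the next request.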
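Added example for the Remote shell slide above (written for these notes, not code from the slides): an auditor for the hosts.equiv / .rhosts format the worm read. Each line is "host [user]"; a leading "-" denies a host, and a bare "+" in either field is a wildcard that trusts any host or any user, which is the entry an administrator most wants to find. The sample file content and the function and type names are constructed for this example; the explicit host list it produces is the starting point for checking the reciprocal trust the slide describes (for each host listed here, does that host list us?).

```c
/* Audit of a hosts.equiv / .rhosts file: added example, not slide code. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int explicit_hosts;   /* entries that name a specific trusted host */
    int any_host;         /* entries whose host field is the '+' wildcard */
    int any_user;         /* entries whose user field is the '+' wildcard */
} trust_summary;

/* Constructed sample, not a real file. */
static const char SAMPLE_HOSTS_EQUIV[] =
    "# constructed sample hosts.equiv\n"
    "alpha.example.edu\n"
    "beta.example.edu root\n"
    "+\n"
    "gamma.example.edu +\n"
    "-denied.example.edu\n"
    "\n";

trust_summary audit_trust_file(const char *content) {
    trust_summary s = {0, 0, 0};
    const char *p = content;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 255 ? full : 255;    /* clip over-long lines */
        char line[256];
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        char host[128] = "", user[128] = "";
        int nf = sscanf(line, "%127s %127s", host, user);
        if (nf < 1 || host[0] == '#') continue;  /* blank line or comment */
        if (host[0] == '-') continue;            /* explicit denial */
        if (strcmp(host, "+") == 0) {
            s.any_host++;
            printf("WILDCARD host entry: any host is trusted\n");
        } else {
            s.explicit_hosts++;
            printf("trusts host %s%s%s\n", host,
                   nf == 2 ? " as user " : "", nf == 2 ? user : "");
        }
        if (nf == 2 && strcmp(user, "+") == 0) {
            s.any_user++;
            printf("WILDCARD user entry on %s: any user is trusted\n", host);
        }
    }
    return s;
}

int main(void) {
    trust_summary s = audit_trust_file(SAMPLE_HOSTS_EQUIV);
    printf("%d explicit hosts, %d any-host entries, %d any-user entries\n",
           s.explicit_hosts, s.any_host, s.any_user);
    return 0;
}
```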
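Added example for "The worm itself" and "Detecting Internet Worm" slides above (written for these notes, not code from the slides): two checks a defender can run that the worm's hiding tricks do not defeat. The first counts processes per command name in ps-style output, the signal the slide describes (reinfection made the process count grow until systems were overloaded). The second is the modern Linux counterpart of "open the files, then unlink them": readlink on /proc/<pid>/exe is maintained by the kernel, so an unlinked executable shows up with a " (deleted)" suffix regardless of what the process did to its own argv. The ps sample is constructed; the /proc walk is an assumption about a Linux host and returns -1 where /proc is absent.

```c
/* Process-count and deleted-executable checks: added example, not slide code. */
#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed ps-style sample: "PID COMMAND", header line included. */
static const char SAMPLE_PS[] =
    "  PID COMMAND\n"
    "    1 init\n"
    "  204 sendmail\n"
    "  311 sh\n"
    "  312 sh\n"
    "  315 sh\n"
    "  320 fingerd\n"
    "  333 sh\n";

/* Count lines whose numeric PID is followed by exactly `name`. */
int count_procs_named(const char *ps_text, const char *name) {
    int count = 0;
    size_t nlen = strlen(name);
    const char *p = ps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        const char *end = nl ? nl : p + strlen(p);
        const char *q = p;
        while (q < end && *q == ' ') q++;
        const char *pid = q;
        while (q < end && *q >= '0' && *q <= '9') q++;
        if (q > pid && q < end && *q == ' ') {      /* numeric PID, then name */
            while (q < end && *q == ' ') q++;
            if ((size_t)(end - q) == nlen && memcmp(q, name, nlen) == 0) count++;
        }
        p = nl ? nl + 1 : end;
    }
    return count;
}

/* True when a readlink() target carries the kernel's " (deleted)" marker. */
int link_target_is_deleted(const char *target) {
    static const char suffix[] = " (deleted)";
    size_t tl = strlen(target), sl = sizeof suffix - 1;
    return tl >= sl && strcmp(target + tl - sl, suffix) == 0;
}

/* Walk /proc (Linux assumption) and report processes whose executable
 * has been unlinked. Returns the number found, or -1 if /proc is missing.
 * Entries we lack permission to read are skipped, so run as root for
 * a complete view. */
int scan_proc_deleted_exes(void) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        char path[300], target[4096];
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        ssize_t n = readlink(path, target, sizeof target - 1);
        if (n < 0) continue;                         /* unreadable or kernel thread */
        target[n] = '\0';
        if (link_target_is_deleted(target)) {
            printf("pid %s runs unlinked executable: %s\n", e->d_name, target);
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(void) {
    const int threshold = 3;                         /* assumed site policy */
    int n = count_procs_named(SAMPLE_PS, "sh");
    if (n > threshold)
        printf("ALERT: %d processes named 'sh' (threshold %d)\n", n, threshold);
    int deleted = scan_proc_deleted_exes();
    printf("unlinked executables on this host: %d\n", deleted);
    return 0;
}
```

A name-based count is only a first filter, since the slide's worm chose the name 'sh' precisely because it is unremarkable; the deleted-executable check is the stronger of the two because it keys on kernel state rather than on anything the process reports about itself.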