Viruses and Worms
ECE 4112

Agenda
• How viruses work
• Virus detectors
• How worms work
• Example viruses/worms
  – Melissa
  – Morris
  – My_SQL
• Lab discussion

Viruses
• Propagates to other programs by modifying them
• Copies the virus code to other programs
• Viruses have to be activated to work
• Attachment to programs/files by
  – appending (add-on)
  – surrounding (shell)
  – integration (intrusive)
  – replacement (intrusive)

Desirable Characteristics of Viruses
• Hard to detect
• Hard to destroy/deactivate
• Spreads widely
• Can re-infect
• Easy to create
• Machine independent

Locations of Viruses (1)
• Boot sector
  – placed in boot sector location
  – moves bootstrap loader, chains to it
• Memory-resident
  – TSR -- terminate and stay resident routine
• Application program
• Libraries

Locations of Viruses (2)
• Macros
  – executable program inside a document
  – platform independent
  – infects documents, not executable files
  – common propagation via email

Tactics of Viruses
• Polymorphism
  – change the signature
  – increase difficulty of detection
• Stealth
  – attributes that help hide the virus
  – example: compress file so the size is the same as uninfected file

Life-Cycle of Viruses
• Dormant Phase (optional)
  – virus is idle
  – waits for trigger event
• Propagation Phase
  – virus copies itself to other files
• Triggering Phase
  – virus is activated by system event
• Execution Phase
  – function of virus is performed

MS-DOS Example
• ROM BIOS routines
• master boot record (MBR) execution
• boot sector code execution
• IO.SYS, MSDOS.SYS execution
• CONFIG.SYS execution
• COMMAND.COM execution
• AUTOEXEC.BAT execution

MS-DOS Example
• ROM BIOS routines
  – cannot be infected
• master boot record (MBR) execution
  – can be infected
  – replace with virus that chains to orig. MBR
• boot sector code execution
  – common target
  – capture control of system before virus scanners operate

MS-DOS Example
• IO.SYS, MSDOS.SYS execution
  – can be infected
• CONFIG.SYS execution
  – can be infected
• COMMAND.COM execution
  – can be infected (Lehigh virus)
• AUTOEXEC.BAT execution
  – can be infected

Detection of Viruses
• Program’s functionality impaired
• File size changes
• Virus at beginning of code, or “Jump” instructions to location of virus
• Signatures

Prevention
• Use software from trusted sources
• Use checksums to ensure downloaded software is the correct version
• Test new/suspicious item on isolated machine
• Make bootable disk
• Backup copies of system files
• Employ and update virus detectors
• Disable macro execution

Virus Detector Examples
• Norton Anti-virus (Symantec)
• VirusScan (McAfee Security)
• eTrust EZ Anti-virus (Computer Associates)
• Protector Plus (Proland Software)
• AVG Anti-virus (free version available)

Virus Detector Functions
• Detection
  – post-infection
  – locate virus
• Identification
  – ID type of virus
• Removal
  – remove virus (repair/delete infected files)
  – restore system to original state

Detecting Viruses
• Signatures
• Heuristics
  – look for code fragments (ex: encryption loop)
  – integrity checking (checksum)
• Virus Activity
  – look for actions instead of signatures
  – done by memory-resident program
• Generic Decryption
  – create virtual machine
  – run target code on it to see if a virus
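As an added example (not from the lecture slides), here is the integrity-checking heuristic from the slide above, written out: a baseline of sizes and digests is taken on a clean system and later snapshots are compared against it. The "files" are constructed in-memory byte strings named after the DOS boot chain, and the infected variants are made up for the demo.

```python
import hashlib

# Constructed in-memory "files" (name -> bytes) standing in for a DOS boot
# chain; an integrity checker baselines size and digest on a known-clean
# system, then compares later snapshots against that baseline.

def fingerprint(data):
    """Return (size, SHA-256 hex digest) for one file's contents."""
    return len(data), hashlib.sha256(data).hexdigest()

def take_baseline(files):
    """Record a fingerprint for every file while the system is known-clean."""
    return {name: fingerprint(data) for name, data in files.items()}

def check_integrity(files, baseline):
    """Compare current files with the baseline; return (file, finding) pairs."""
    findings = []
    for name, data in files.items():
        if name not in baseline:
            findings.append((name, "new file, not in baseline"))
            continue
        size, digest = fingerprint(data)
        base_size, base_digest = baseline[name]
        if digest == base_digest:
            continue                      # unchanged
        if size != base_size:
            findings.append((name, f"modified, size {base_size} -> {size}"))
        else:
            # Same length, different bytes: what a stealth virus that pads or
            # compresses its host to keep the file size looks like, and why a
            # size check alone is not enough.
            findings.append((name, "modified, size unchanged"))
    for name in baseline:
        if name not in files:
            findings.append((name, "missing"))
    return findings

# Constructed sample contents: "MZ" header followed by filler bytes.
CLEAN = {
    "COMMAND.COM": b"MZ" + b"\x90" * 40,
    "IO.SYS": b"MZ" + b"\xcc" * 30,
}
# Constructed "infected" snapshot: COMMAND.COM gets a jump (x86 E9) patched
# over its first bytes with the length preserved; IO.SYS has code appended.
INFECTED = {
    "COMMAND.COM": b"MZ" + b"\xe9\x20\x00" + b"\x90" * 37,
    "IO.SYS": b"MZ" + b"\xcc" * 30 + b"ADDED",
    "NEWFILE.EXE": b"MZ",
}
```

Running check_integrity(INFECTED, take_baseline(CLEAN)) flags all three changes, including the same-size modification that the "file size changes" check on the earlier slide would miss.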

Defeat the Virus Detector
• Polymorphism
• Stealth
• Encryption
• Delete/corrupt key detector files
• Load virus before detector execution

Worms
• Can run independently (don’t require program execution)
• Propagates over network connections
  – via electronic mail
  – via remote execution capability
  – via remote login capability
• Doesn’t have to alter programs
• Can carry virus code that does

Worm Tactics
• Determine where to spread (examine host tables or similar data of remote system addresses)
• Establish connection and copy itself to other systems (can also determine if target system already infected)
• Cause the copy to run
• Remain hidden as best as possible

Defend Against Worms
• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected

Example Viruses and Worms
• Melissa
• Morris
• My_SQL

Melissa Virus
• What is it?
  – Microsoft Word macro virus
  – Written in Visual Basic
• What does it do?
  – Infects Microsoft Word 97 and 2000 docs
  – Uses MS Outlook to email itself out to first 50 users

Melissa Virus (cont)
• Systems Affected
  – Machines with Microsoft Word 97 or 00
  – Any mail handling system could experience performance issues or DoS as a result of propagation through email, but only from users with Microsoft Outlook
  – MacOS not affected, however it can be stored on MacOS

Melissa Virus (cont)
• Description
  – Propagates through email
  – Subject: “Important Message From <name>”
  – Body: “Here is the document you asked for … don’t show anyone else ;-)”
  – Attachment named list.doc or actual documents created by the victim

Melissa Virus (cont)
• Upon Execution
  – Turns off macro detection
  – Checks registry key "HKEY_Current_User\Software\Microsoft\Office\Melissa?" for value of “… by Kwyjibo”
  – If the key doesn’t exist or have that value, it propagates then changes the registry key
  – Keeps the virus from repeatedly propagating every time an infected item is opened

Melissa Virus (cont)
• Execution (cont)
  – Infects Normal.doc template
  – If (minute of the hour == day of the month) it inserts "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current documents (Simpsons quote)

Melissa Virus (cont)
• Impact
  – Possible DoS on mail servers
  – Users with macros enabled will effectively infect any new document they create
• Solutions
  – Block messages with virus signature at mail transfer agents
  – Disable all macros in Microsoft Word
  – Use Virus Scanning Utilities

Morris Worm
• One of the earliest documented cases (Nov 2nd, 1988)
• Systems
  – Sun Microsystems Sun 3
  – DEC VAX systems

Morris Worm
• Two main parts: Bootstrap or Vector Program (Initialize) and Main Program (Doit)
• Bootstrap or Vector Program (Initialize)
  – Acts as a hook. It is injected first. Contacts the infected “server” and uploads the main program.
  – Then compiles and runs the main program
• Main Program (Doit)
  – Collected data on other networked machines to which the current machine could connect
  – Then used three main attacks to infect other systems with the bootstrap

Morris Worm (cont)
• Fingerd and gets
  – Overran the finger command input buffer – overwrote the stack
  – On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack
• Sendmail
  – Issued a DEBUG option often left usable by admins for testing the mail service.
  – Gained access to mail server and onto the system, then continued with infection of system

Morris Worm (cont)
• Passwords
  – Worm read through /etc/hosts.equiv and /.rhosts to find names on other machines
  – Also read /etc/passwd and .forward for account information
  – Then attempted to crack passwords using several different methods

Morris Worm (cont)
• Passwords (cont)
  – The worm first tried simple choices: account, user name, “tnuocca” (account backwards), etc., including lower case variations
  – Next it tested the passwords against an internal dictionary of 432 words
  – Finally, it tested the passwords against an online dictionary using upper and lower case variations

Morris Worm (cont)
• Solution
  – Worm halted because of informal communication between system admins and research community
  – Prompted DARPA to create CERT (Computer Emergency Response Team)

Morris Worm – Log of Events
• All the following events occurred on the evening of Nov. 2, 1988.
  – 6:00 PM At about this time the Worm is launched.
  – 8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)
  – 9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX
  – 9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
  – 9:41 PM The load average reaches 7
  – 10:01 PM The load average reaches 16
  – 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  – 10:20 PM The system administrator kills off the worms
  – 10:41 PM The system is re-infected and the load average reaches 27
  – 10:49 PM The system administrator shuts down the system. The system is subsequently restarted
  – 11:21 PM Re-infestation causes the load average to reach 37.
• In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.

My SQL Worm
• What is it?
  – Self-propagating code that exploits a vulnerability in MS SQL Server 2000 and MSDE 2000
• What does it do?
  – Propagation caused varied levels of network degradation

My SQL Worm (cont)
• Systems Affected
  – Microsoft SQL Server 2000
  – Microsoft Desktop Engine (MSDE) 2000
• Description
  – Exploits a vulnerability that allows for execution of arbitrary code on the SQL Server due to a stack buffer overflow
  – Once it compromises, it tries to propagate

My SQL Worm (cont)
• Description (cont)
  – Worm crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/UDP
  – If sent to a vulnerable machine, the machine will become infected and also begin to propagate

My SQL Worm (cont)
• Impact
  – Compromise confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as local SYSTEM user
  – High volume of 1434/UDP traffic may lead to performance issues (including possible DoS)

My SQL Worm (cont)
• Solution
  – Apply a patch
  – Ingress/Egress filtering for messages on systems already infected
  – Block port 1434/UDP
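As an added example (not from the lecture slides), a small detector that turns the description and solution slides above into a check over firewall logs: it matches the worm’s fixed 376-byte UDP packets to port 1434 and lists source hosts sending enough of them to look like infected machines, i.e. the hosts that egress filtering should cut off. The key=value log format, field names and addresses are constructed for this demo.

```python
import re
from collections import Counter

# Constructed sample firewall log, one key=value record per line. The field
# names are an assumption for this example, not any vendor's real format.
SAMPLE_LOG = """\
ts=1043431200 proto=udp src=10.0.0.5 dst=10.0.1.9 dport=1434 len=376
ts=1043431200 proto=udp src=10.0.0.5 dst=10.0.2.17 dport=1434 len=376
ts=1043431200 proto=udp src=10.0.0.5 dst=192.0.2.44 dport=1434 len=376
ts=1043431201 proto=udp src=10.0.0.5 dst=198.51.100.3 dport=1434 len=376
ts=1043431201 proto=udp src=10.0.0.7 dst=10.0.1.9 dport=1434 len=90
ts=1043431201 proto=tcp src=10.0.0.8 dst=10.0.1.9 dport=1433 len=120
ts=1043431202 proto=udp src=10.0.0.9 dst=10.0.1.9 dport=1434 len=376
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
WORM_PORT = 1434   # 1434/UDP, as stated on the slides
WORM_LEN = 376     # fixed packet size, as stated on the slides

def parse_line(line):
    """Parse one key=value record; numeric fields become ints."""
    rec = dict(FIELD_RE.findall(line))
    for key in ("ts", "dport", "len"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def is_worm_packet(rec):
    """A 376-byte UDP datagram to port 1434 matches the worm's traffic.
    Ordinary SQL Server discovery queries to 1434/UDP are much shorter,
    so the length is what separates them from the worm's packets."""
    return (rec.get("proto") == "udp"
            and rec.get("dport") == WORM_PORT
            and rec.get("len") == WORM_LEN)

def find_propagating_hosts(log_text, min_hits=3):
    """Count matching packets per source address. A source that keeps
    sending them to different destinations is behaving like an infected
    host scanning random IPs: the one to isolate with egress filtering."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_worm_packet(rec):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}
```

A single matching packet (10.0.0.9 in the sample) is worth a look but stays below the threshold; lowering min_hits to 1 reports it as well.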