Slide 1
Announcement
- Midterm 11/14, recitation 11/11 afternoon
- Homework 3 out, due 11/10 midnight
- Solutions of homework 1 and 2 will be emailed to you after all homeworks are graded
- Feedback form at the end of class
Slide 2
Outline
- Mobile malcode overview
- Viruses
- Worms
- Denial of Service attacks
Slide 3
Mobile Malcode Overview
- Malicious programs which spread from machine to machine without the consent of the owners/operators/users
  - Windows Automatic Update is (effectively) consensual
- Many strains possible
  - Viruses
  - Worms
  - Compromised auto-updates: no user action required, very dangerous
Slide 4
Malicious Software
Slide 5
Trapdoors (Back doors)
- Secret entry point into a program
- Allows those who know of it to bypass the usual security procedures
- Have been commonly used by developers
- A threat when left in production programs, where attackers can exploit them
- Very hard to block in the O/S
- Requires good s/w development & update practices
Slide 6
Logic Bomb
- One of the oldest types of malicious software
- Code embedded in a legitimate program
- Activated when specified conditions are met
  - e.g. presence/absence of some file
  - particular date/time
  - particular user
  - particular series of keystrokes
- When triggered, typically damages the system
  - modify/delete files/disks
Slide 7
Trojan Horse
- Programs that appear to have one function but actually perform another
- Modern Trojan horse: resembles a program that the user wishes to run, usually superficially attractive
  - e.g. game, s/w upgrade, etc.
- When run, performs some additional tasks
  - Allows the attacker to indirectly gain access they do not have directly
- Often used to propagate a virus/worm or install a backdoor
- Or simply to destroy data
Slide 8
Zombie
- Program which secretly takes over another networked computer
- Then uses it to indirectly launch attacks
- Often used to launch distributed denial of service (DDoS) attacks
- Exploits known flaws in network systems
Slide 9
Outline
- Mobile malcode overview
- Viruses
- Worms
- Denial of Service attacks
Slide 10
Viruses
- Definition from RFC 1135: A virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
- On execution
  - Search for valid target files
    - Usually executable files
    - Often only infect uninfected files
  - Insert a copy into targeted files
    - When the target is executed, the virus starts running
- Only spread when contaminated files are moved from machine to machine
- Mature defenses available
Slide 11
- 1988: Less than 10 known viruses
- 1990: New virus found every day
- 1993: 10-30 new viruses per week
- 1999: 45,000 viruses and variants
Source: McAfee
Slide 12
Virus Operation
- Virus phases:
  - Dormant: waiting on a trigger event
  - Propagation: replicating to programs/disks
  - Triggering: by an event, to execute the payload
  - Execution: of the payload
- Details usually machine/OS specific
  - Exploiting features/weaknesses
Slide 13
Anatomy of a Virus
- Two primary components
  - Propagation mechanism
  - Payload
- Propagation
  - Method by which the virus spreads itself
  - Old days: single PC, transferred to other hosts by way of floppy diskettes
  - Nowadays: Internet
Slide 14
Structure of A Virus (pseudocode)

    Virus() {
        infectExecutable();
        if (triggered()) {
            doDamage();
        }
        jump to main of infected program;   /* hand control back so the host appears normal */
    }

    void infectExecutable() {
        file = choose an uninfected executable file;
        prepend V to file;                  /* V = the virus body itself */
    }

    void doDamage() { ... }                 /* the payload */

    int triggered() {
        return (some test ? 1 : 0);         /* trigger condition, e.g. a date */
    }
Slide 15
Virus Infectables
- Executable files: .com, .exe, .bat
- Macros
  - With macro languages, the line between pure data files and executable files is blurring
  - An infected file might be attached to an e-mail
  - E-mail programs may use other programs (e.g., Word) with macros to display incoming mail
- System sector viruses
  - Infect control sectors on a disk
    - DOS boot sectors
    - Partition (MBR) sectors
  - System sector viruses spread easily via floppy disk infections
Slide 16
Virus Infectables (contd)
- Companion viruses
  - Create a .com file for each .exe file
  - DOS runs COM files before EXE files
  - Relatively easy to find and eliminate
- Cluster viruses
  - Change the DOS directory info so that directory entries point to the virus code instead of the real program
  - Even though every program on the disk may be "infected", there is only one copy of the virus on the disk
Slide 17
Variable Viruses
- Polymorphic viruses
  - Change with each infection
    - Executables: virus code changing (macros: variable names, line spacing, etc.)
    - Control flow permutations (rearrange code with gotos)
  - Attempt to defeat scanners
- Virus writing tool kits have been created to "simplify" creation of new viruses
  - Current tool kits create viruses that can be detected easily with existing scanner technology
  - But it is just a matter of time
Slide 18
Virus Detection/Evasion
Detection:
- Look for changes in size
- Check time stamp on file
- Look for bad behavior
  - False alarm prone
- Look for patterns (byte streams) in virus code that are unique
- Look for changes in file checksum
Evasion:
- Compression of virus and target code
- Modify time stamp to original
- Do bad thing insidiously
- Change patterns: polymorphism
- Rearrange data in the file
- Disable anti-virus programs
Slide 19
More on Virus Detection
- Scanning
  - Depends on prior knowledge of a virus
  - Check programs before execution
  - Needs to be regularly updated
- Integrity Checking
  - Read entire disk and record integrity data that acts as a signature for the files and system sectors
  - Use a cryptographic computation technique instead of a simple checksum
Slide 20
More on Virus Detection
- Interception
  - Monitoring for system-level routines that perform destructive acts
  - Good for detecting logic bombs and Trojan horses
  - Cannot depend entirely upon behavior monitors, as they are easily bypassed
- Combination of all three techniques can detect most viruses
Slide 21
Virus Recovery
- Extricate the virus from the infected file to leave the original behind
- Remove the redirection to the virus code
- Recover the file from backup
- Delete the files and move on with life
Slide 22
Outline
- Mobile malcode overview
- Viruses
- Worms
- Denial of Service attacks
Slide 23
Worms
- Autonomous, active code that can replicate to remote hosts without any triggering
  - Replicating but not infecting program
- Because they propagate autonomously, they can spread much more quickly than viruses!
- Speed and general lack of user interaction make them the most significant threats
Target Discovery
- Port scanning
  - Sequential: working through an address block
  - Random
- Target lists
  - Externally generated through metaservers
  - Internal target list
- Passive worms
Slide 26
External Target Lists: Metaserver Worms
- Many systems use a "metaserver", a server for information about other servers
  - Games: use as a matchmaker for local servers
  - Google: query Google to find web servers
  - Windows Active Directory: maintains the "Network Neighborhood"
- Worm can leverage these services
  - Construct a query to find new targets
  - Each new victim also constructs queries
    - Creates a divide-and-conquer infection strategy
- Original strategy, not yet seen
[Figure: metaserver and servers]
Slide 27
How Fast Are Metaserver Worms?
- Game metaserver: use to attack a small population (e.g., all Half-Life servers)
  - ~1 minute to infect all targets
- Google: use to enhance a scanning web worm
  - Each worm conducts initial queries to find URLs
Slide 28
Internal Target Lists: Topological Information
- Look for local information to find new targets
  - URLs on disk and in caches
  - Mail addresses
  - .ssh/known_hosts
- Ubiquitous in mail worms
  - More recent mail worms are more aggressive at finding new addresses
- Basis of the Morris worm
  - Address space was too sparse for scanning to work
Slide 29
How Fast are Topological Worms?
- Depends on the topology G = (V, E)
  - Vulnerable machines are vertices, edges are local information
  - Time to infect is a function of the shortest paths from the initial point of infection
- Power law or similar graph (KaZaA)
  - Depends greatly on the parameters, but generally very, VERY fast
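Added worked example (not from the slides): the statement that infection time is a function of shortest paths is the same as saying a topological worm spreads by breadth-first search over G = (V, E), so the rounds-to-full-infection can be read off a BFS. The two small topologies are constructed; the `isolate` helper shows the defender's side, how much of the population one well-connected host exposes.

```python
from collections import deque

# Constructed sample topologies: each maps a host to the hosts it holds
# "local information" about (mail addresses, known_hosts, cached URLs).
RING_TOPOLOGY = {i: {(i - 1) % 8, (i + 1) % 8} for i in range(8)}
# Hub-and-spoke: one well-connected host (0) knows every other host.
HUB_TOPOLOGY = {0: set(range(1, 8)), **{i: {0} for i in range(1, 8)}}


def infection_rounds(graph, start):
    """Return {host: round infected} for a topological worm starting at `start`.

    Each round every infected host attacks everything in its local target
    list, so a host is infected in round d exactly when d is its shortest-path
    distance from the initial victim (breadth-first search).
    """
    rounds = {start: 0}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for neighbour in graph[host]:
            if neighbour not in rounds:  # already-infected hosts are skipped
                rounds[neighbour] = rounds[host] + 1
                queue.append(neighbour)
    return rounds


def time_to_full_infection(graph, start):
    """Rounds until every reachable host is infected (eccentricity of `start`)."""
    return max(infection_rounds(graph, start).values())


def per_round_counts(graph, start):
    """Cumulative infected population after each round: the outbreak curve."""
    rounds = infection_rounds(graph, start)
    total = max(rounds.values())
    return [sum(1 for r in rounds.values() if r <= d) for d in range(total + 1)]


def isolate(graph, host):
    """Copy of the graph with `host` patched or taken offline.

    Re-running the BFS on the result shows how many hosts a single
    high-degree vertex exposes; on a hub graph, removing the hub stops the worm.
    """
    return {h: {n for n in nbrs if n != host} for h, nbrs in graph.items() if h != host}
```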
Slide 30
Passive Worms
- Wait for information about other targets
  - CRClean, an anti-Code Red II worm: wait for Code Red, respond with a counterattack
  - Nimda: infect vulnerable IE versions with a Trojan web page
- Speed is highly variable
  - Depends on normal communication traffic
- Very high stealth
  - Have to detect the act of infection, not target selection
Slide 31
Carrier
- Self-carried: active transmission
- Second channel: e.g. the Blaster worm uses RPC to exploit, but uses TFTP to download the whole virus body
- Embedded: e.g. web requests
Slide 32
Activation
Slide 33
- Human activation
  - Needs social engineering, especially for email worms
    - Melissa: "Attached is an important message for you!"
    - ILOVEYOU: "Open this message to see who loves you!"
- Human activity-based activation
  - E.g. logging in, rebooting (Nimda's secondary propagation)
- Scheduled process activation
  - E.g. updates, backups, etc.
- Self activation
  - E.g. Code Red exploiting IIS web servers
Slide 37
Payload
Slide 38
Payloads
- None/nonfunctional
  - Most common
  - Still can have significant effects through traffic and machine load (e.g., Morris worm)
- Internet remote control
  - Code Red II opened a backdoor on victim machines: anyone with a web browser can execute arbitrary code
- Internet denial of service (DoS)
  - E.g., Code Red, Yaha
- Data collection
- Data damage: Chernobyl, Klez
- Worm maintenance
Slide 39
Attacker
- Experimental curiosity
- Pride and power
- Commercial advantage
- Extortion and criminal gain
- Terrorism
- Cyber warfare
Slide 40
Some Major Worms

Worm     | Year | Strategy                                | Victims  | Other Notes
---------|------|-----------------------------------------|----------|------------------------------------------------------------------------
Morris   | 1988 | Topological                             | 6000     | First major autonomous worm. Attacked multiple vulnerabilities.
Code Red | 2001 | Scanning                                | ~300,000 | First recent "fast" worm; 2nd wave infected 360,000 servers in 14 hours
CRClean  | 2001 | Passive                                 | none     | Unreleased anti-Code-Red worm.
Nimda    | 2001 | Scanning, IIS, Code Red 2 backdoor, etc | ~200,000 | Local subnet scanning. Effective mix of techniques
Scalper  | 2002 | Scanning                                | 75,000   | Spread worldwide in 10 minutes
Slide 41
The Spread of the Sapphire/Slammer SQL Worm
Slide 42
How Fast was Slammer?
- Infected ~75,000 machines in 10 minutes
- Full scanning rate in ~3 minutes
  - >55 million IPs/s
- Initial doubling rate was about every 8.5 seconds
Slide 43
Why Was Sapphire Fast: A Bandwidth-Limited Scanner
- Code Red's scanner is latency-limited
  - In many threads: send SYN to a random address, wait for response or timeout
  - Code Red: ~6 scans/second, population doubles about every 40 minutes
- Every Sapphire copy sent infectious packets at maximum rate
  - 1 Mb upload bandwidth: 280 scans/second
  - 100 Mb upload bandwidth: 28,000 scans/second
- Any reasonably small TCP worm can spread like Sapphire
  - Needs to construct SYNs at line rate, receive ACKs in a separate thread
Slide 44
Outline
- Mobile malcode overview
- Viruses
- Worms
- Denial of Service attacks
Slide 45
Denial of Service Attacks
- Definition
- Point-to-point network denial of service
  - Smurf
- Distributed denial of service attacks
  - Trin00, TFN, Stacheldraht, TFN2K
Slide 46
Denial of Service Attack Definition
- An explicit attempt by attackers to prevent legitimate users of a service from using that service
- Threat model taxonomy from CERT
  - Consumption of network connectivity and/or bandwidth
  - Consumption of other resources, e.g. queues, CPU
  - Destruction or alteration of configuration information
    - Malformed packets confusing an application, causing it to freeze
  - Physical destruction or alteration of network components
Slide 47
Status
- DoS attacks increasing in frequency, severity and sophistication
  - 32% of respondents detected DoS attacks (1999 CSI/FBI survey)
  - Yahoo, Amazon, eBay and Microsoft DDoS attacked
  - About 4,000 attacks per week in 2000
  - Internet's root DNS servers (9 out of 13) attacked in Oct 2002
Slide 48
Two General Classes of Attacks
- Flooding attacks
  - Point-to-point attacks: TCP/UDP/ICMP flooding, Smurf attacks
  - Distributed attacks: hierarchical structures
- Corruption attacks
  - Application/service specific
Slide 49
Smurf DoS Attack
- Send ping request to the broadcast address (ICMP Echo Request)
- Lots of responses:
  - Every host on the target network generates a ping reply (ICMP Echo Reply) to the victim
  - Ping reply stream can overload the victim
- Prevention: reject external packets to the broadcast address.
[Figure: DoS source sends (1) ICMP Echo Request, Src: DoS Target, Dest: broadcast address, through the gateway; every host answers with (3) ICMP Echo Reply, Dest: DoS Target]
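Added example (not from the slides) of the prevention rule above and of a matching detection check: a gateway ingress filter that drops externally sourced packets addressed to one of the local directed-broadcast addresses, plus a counter over flow records that surfaces Echo Requests to broadcast addresses and the spoofed source, which is the real victim. The network ranges, addresses and flow records are constructed documentation values.

```python
import ipaddress
from collections import Counter

# Networks behind the gateway (constructed values).
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # broadcast address 192.0.2.255
    ipaddress.ip_network("198.51.100.0/25"),   # broadcast address 198.51.100.127
]

# Constructed flow records as seen on the gateway's external interface:
# (src, dst, protocol, icmp_type); ICMP type 8 = Echo Request, 0 = Echo Reply.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.255", "icmp", 8),      # request to the /24 broadcast
    ("203.0.113.5", "198.51.100.127", "icmp", 8),   # request to the /25 broadcast
    ("203.0.113.7", "192.0.2.10", "icmp", 8),       # ordinary ping to one host
    ("203.0.113.9", "192.0.2.255", "udp", None),    # non-ICMP to a broadcast address
    ("203.0.113.5", "192.0.2.20", "tcp", None),     # ordinary TCP traffic
]


def is_local_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETWORKS)


def is_external(src):
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in LOCAL_NETWORKS)


def gateway_accepts(flow):
    """The slide's prevention rule: reject external packets to a broadcast address.

    Applied to every protocol, not only ICMP, so other amplification attempts
    via directed broadcast are dropped as well.
    """
    src, dst, _proto, _icmp_type = flow
    return not (is_external(src) and is_local_broadcast(dst))


def smurf_candidates(flows):
    """Detection: count external Echo Requests per (claimed source, broadcast dst).

    In a Smurf attack the source address is spoofed, so the key's `src` is the
    host that will be flooded with replies, which is who should be notified.
    """
    counts = Counter()
    for src, dst, proto, icmp_type in flows:
        if proto == "icmp" and icmp_type == 8 and is_external(src) and is_local_broadcast(dst):
            counts[(src, dst)] += 1
    return counts
```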
Attack using Trin00
- In August 1999, a network of > 2,200 systems took the University of Minnesota offline for 3 days
  - Scan for known vulnerabilities, then attack with UDP traffic
  - Once a host is compromised, script the installation of the DDoS master agents
- According to the incident report
  - Took about 3 seconds to get root access
  - In 4 hours, set up > 2,200 agents
Slide 52
Can you find the source of the attack?
- Hard to find the BadGuy
  - Originator of the attack compromised the handlers
  - Originator not active when the DDoS attack occurs
- Can try to find agents
  - Source IP address in packets is not reliable
  - Need to examine traffic at many points, modify traffic, or modify routers
Slide 53
Backup Slides
Slide 54
Internet checksum
Goal: detect errors (e.g., flipped bits) in the transmitted segment (note: used at transport layer only)
Sender:
- Treat segment contents as a sequence of 16-bit integers
- Checksum: addition (1s complement sum) of segment contents
- Sender puts checksum value into the UDP checksum field
Receiver:
- Compute checksum of received segment
- Check if computed checksum equals checksum field value:
  - NO: error detected
  - YES: no error detected. But maybe errors nonetheless? More later.
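Added example (not from the slides) serving this slide and the integrity-checking point of slide 19: the 1s-complement Internet checksum as sender and receiver compute it, then the same data checked with SHA-256. A single flipped bit is caught by both; two compensating flips (the "maybe errors nonetheless?" case) and rearranged data (the slide 18 evasion "rearrange data in the file") keep the checksum unchanged while the cryptographic hash changes. The sample segment and byte positions are constructed.

```python
import hashlib


def internet_checksum(data: bytes) -> int:
    """1s-complement sum of the 16-bit words (RFC 1071 style), complemented."""
    if len(data) % 2:
        data += b"\x00"                              # pad odd-length data
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)     # fold the carry back in
    return (~total) & 0xFFFF


def receiver_accepts(segment: bytes, checksum_field: int) -> bool:
    """Receiver side: recompute and compare with the transmitted checksum."""
    return internet_checksum(segment) == checksum_field


# Constructed sample contents standing in for a segment or an executable file.
ORIGINAL = b"PROGRAM CODE v1 BLOCK-A BLOCK-B"


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Swap the i-th and j-th 16-bit words: rearranges the data, sum unchanged."""
    out = bytearray(data)
    out[2 * i:2 * i + 2], out[2 * j:2 * j + 2] = data[2 * j:2 * j + 2], data[2 * i:2 * i + 2]
    return bytes(out)


def integrity_record(data: bytes) -> dict:
    """What an integrity checker stores per file: a simple checksum and a cryptographic hash."""
    return {"checksum": internet_checksum(data), "sha256": hashlib.sha256(data).hexdigest()}


def changed_fields(baseline: dict, current: dict) -> list:
    """Which recorded integrity values no longer match the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])
```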
Slide 55
Fred Cohen's Work: 1983
- First documented work with viruses
  - Cohen's PhD advisor, Leonard Adleman, coined the term "virus"
  - Virus: a program that can infect other programs by modifying them to include a version of itself
  - Viruses can quickly (~30 min) spread through a networked file system
- Dissertation (1986) conclusion: "universal" detection of a virus is undecidable
  - No 100% guaranteed detection for virus/worm
Slide 56
Early Mail Virus: Happy99 (1999)
- One of the earliest viruses that propagated automatically when an infected attachment was executed
- Did not infect files, only email user accounts
- Email sent from the infected person to others in the address book (a novelty at the time)
Slide 57
Morris Worm
- Best known classic worm
- Released by Robert Morris in 1988
- Targeted Unix systems
- Used several propagation techniques
  - Simple password cracking of the local pw file
  - Exploit bug in finger daemon
  - Exploit debug trapdoor in sendmail daemon
- If any attack succeeded, then replicated itself
Slide 58
History of Viruses
Slide 59
First Wild Viruses, Apple I/II/III: 1981
- Three viruses for the Apple machines emerged in 1981
  - Boot sector viruses
- Floppies of that time had the disk operating system (DOS) on them by default
  - Written without malice
Slide 60
First PC Virus: Pakistani Brain Virus (1986)
- Written by Pakistani brothers to protect their copyright
  - Claim: infect only machines that had an unlicensed copy of their software
  - Boot sector
  - Printed: "Welcome to the Dungeon (c) 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............. !!"
Slide 61
Destructive Virus: Chernobyl (1998)
- Designed to inflict harm
  - Flash BIOS: would cause permanent hardware damage to vulnerable motherboards
  - Also overwrote the first 2K sectors of each disk
    - Typically resulted in a loss of data and made it unbootable
- Previously believed that being benign was necessary for virus longevity
  - Chernobyl provided evidence to the contrary
Slide 62
Early Macro Virus: Melissa (1999)
- Microsoft Word 97 macro virus
- Targeted the first 50 entries in Outlook's address book
- Adjusted subject: "Important messages from ______"
- Points to the attachment as a requested document
  - Contains a list of porn sites
- Macro security was greatly increased after Melissa