PROGRAM AND SYSTEM THREATS - Reddhi Sekhar Basu(559)
Transcript
1. PROGRAM AND SYSTEM THREATS - Reddhi Sekhar Basu (559)
2. Trojan Horse A Trojan horse is a code segment that misuses
its environment. A Trojan is a type of malware that masquerades as
a legitimate file or helpful program, possibly with the purpose of
granting a hacker unauthorized access to a computer. According to a
survey conducted by BitDefender from January to June 2009,
"Trojan-type malware is on the rise, accounting for 83-percent of
the global malware detected in the world."
3. Trojan Horse Long search paths, such as are common on UNIX
systems, exacerbate the Trojan horse problem. For instance, the
"." character in a search path tells the shell to include the
current directory in the search. So, if a user A has "." in his
search path, has set his current directory to user B's directory,
and enters a normal system command, a program of the same name
placed in user B's directory would be executed instead of the
system command. The program would run in user B's domain, allowing
it to do anything that the user is allowed to do, including
deleting files.
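A check for the search-path problem described on this slide, added here as an example; it is not code from the presentation. The C program below parses a PATH string the way a POSIX shell does and counts the components that resolve to the current directory: an explicit ".", an empty component (a leading or trailing ":" or a "::", which shells also treat as the current directory), or any other relative name. The function name count_cwd_components and the sample PATH values are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count PATH components that make the shell look in the current working
 * directory: an explicit ".", an empty component (leading or trailing ":"
 * or "::" in the middle, which POSIX shells also treat as the current
 * directory), or any other relative name such as "bin" or "./bin".
 * Returns the number of such components; 0 means every entry is absolute. */
int count_cwd_components(const char *path)
{
    int hits = 0;
    const char *p = path;

    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || p[0] != '/')   /* empty, ".", "..", "bin", "./bin" */
            hits++;
        if (end == NULL)
            break;
        p = end + 1;                   /* continue after the colon */
    }
    return hits;
}

/* Stand-alone use: audit the PATH of the calling shell. Exit status 1 if
 * any component would be resolved relative to the current directory, so
 * the check can be dropped into a login script or a configuration audit. */
int main(void)
{
    const char *path = getenv("PATH");
    int hits;

    if (path == NULL) {
        puts("PATH is not set");
        return 0;
    }
    hits = count_cwd_components(path);
    if (hits == 0) {
        puts("OK: every PATH component is an absolute directory");
        return 0;
    }
    printf("WARNING: %d PATH component(s) resolve to the current directory: %s\n",
           hits, path);
    return 1;
}
```

The empty-component case is the one people miss: a PATH such as "/usr/bin:" looks harmless but behaves exactly like one ending in ".".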
4. Popular Trojan Horses NetBus, SubSeven (Sub7), Y3K Remote
Administration Tool, Back Orifice, Beast, Zeus, the Blackhole
Exploit Kit, Flashback Trojan.
5. Login Emulator An unsuspecting user logs in at a terminal
and notices that he has apparently mistyped his password. He tries
again and is successful. What has happened is that his
authentication key and password have been stolen by a login
emulator that was left running on the terminal by the thief. The
emulator stored away the password, printed out a login error
message, and exited; the user was then presented with a genuine
login prompt.
6. A Trojan may give a hacker remote access to a targeted
computer system. Operations that could be performed by a hacker on
a targeted computer system may include: use of the machine as part
of a botnet (e.g. to perform automated spamming or to distribute
denial-of-service attacks); electronic money theft; data theft
(e.g. retrieving passwords or credit card information);
installation of software, including third-party malware;
downloading or uploading of files on the user's computer;
modification or deletion of files; crashing the computer;
anonymizing Internet viewing.
7. Trapdoor A trap door is a type of security breach where the
designer of a program or a system leaves a hole in the software
that only he is capable of using. A trap door is a secret entry
point into a program that allows someone to gain access without
going through the normal methods of access authentication.
8. Example of a trapdoor Programmers have been arrested for
embezzling from banks by including rounding errors in their code,
and having the occasional half cents credited to their accounts.
This account crediting can add up to a large sum of money,
considering the number of transactions that a large bank
executes.
9. Trapdoors Trapdoors can be included in the compiler as well.
The compiler could generate standard object code as well as a
trapdoor, regardless of the source code being compiled. Trapdoors
pose a difficult problem, since to detect them we have to analyze
all the source code for all components of a system.
10. Stack and Buffer Overflow Stack or buffer overflow is the
most common way for an attacker outside of the system, on a network
or dial-up connection, to gain unauthorized access to the target
system. It can also be used by an unauthorised user for privilege
escalation. Buffer overflow attacks are especially pernicious, as
they can be run within a system and travel over allowed
communication channels. They can even bypass the security added by
firewalls.
11. The attacker exploits a bug in the program. The bug can be
a simple case of poor programming, in which the programmer
neglected to code bounds checking on an input field. In this case,
the attacker sends more data than the program was expecting. Using
trial and error, or by examination of the source code of the
attacked program if it is available, the attacker determines the
vulnerability and writes a program to do the following:
   1. Overflow an input field, command line argument, or input
      buffer until it writes into the stack.
   2. Overwrite the current return address on the stack with the
      address of the exploit code loaded in the next step.
   3. Write a simple set of code for the next space in the stack
      that includes the commands that the attacker wishes to
      execute (e.g. spawn a shell).
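An added example (not code from the slides) showing the defect behind step 1 beside its fix. greet_unchecked copies an input field into a 16-byte stack buffer with no bounds check, which is the bug the attacker overflows; greet_checked measures the input first and rejects anything that does not fit; read_line_bounded applies the same discipline to reading the input line itself. The function names and the buffer size NAME_LEN are the example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size stack buffer, as in the slide's scenario */

/* The 'before' form: the bug the slide describes. strcpy copies until it
 * meets the NUL terminator, so any input of NAME_LEN bytes or more runs
 * past 'name' into whatever the compiler placed next on the stack, which
 * is how the saved return address ends up under the attacker's control.
 * Kept only to contrast with the checked version; never call it on
 * untrusted input. */
int greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);             /* BUG: no bounds check */
    return (int)strlen(name);
}

/* The fixed form: measure first, then refuse anything that does not fit.
 * Rejecting (rather than silently truncating) keeps the caller's view of
 * the data honest and gives it something to log. Returns the accepted
 * length, or -1 if the input was too long. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);

    if (len >= sizeof name)          /* need one byte for the terminator */
        return -1;
    memcpy(name, input, len + 1);
    return (int)len;
}

/* Read one line from 'in' into a caller-supplied buffer. Returns 1 on
 * success, 0 on end of file, and -1 if the line did not fit, in which
 * case the rest of the line is drained so the next read starts clean. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    size_t len;
    int c;

    if (fgets(buf, (int)cap, in) == NULL)
        return 0;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    if (feof(in))                    /* last line without a newline */
        return 1;
    while ((c = getc(in)) != EOF && c != '\n')
        ;                            /* discard the oversize remainder */
    return -1;
}

int main(void)
{
    char line[64];
    int rc;

    fputs("name: ", stdout);
    rc = read_line_bounded(stdin, line, sizeof line);
    if (rc <= 0) {
        puts(rc == 0 ? "no input" : "input line too long, rejected");
        return 1;
    }
    if (greet_checked(line) < 0) {
        printf("name longer than %d bytes, rejected\n", NAME_LEN - 1);
        return 1;
    }
    printf("hello, %s\n", line);
    return 0;
}
```

The boundary is the point to get right: a 16-byte buffer holds at most 15 characters plus the terminator, so the check is "len >= sizeof name", not "len > sizeof name".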
12. Worm A worm is a process that uses the spawn mechanism to
clobber system performance. The worm spawns copies of itself, using
up system resources and perhaps locking out system use by all other
processes.
13. Worms Worms spread independently of human action, usually by
exploiting a security hole in a piece of software: the worm scans a
network for another machine that has a specific security hole and
copies itself to the new machine through that security hole.
14. Morris Worm Robert Tappan Morris is an American computer
scientist, best known for creating the Morris Worm in 1988,
considered the first computer worm on the Internet, and
subsequently becoming the first person convicted under the
Computer Fraud and Abuse Act.
15. Morris Worm Disk containing the source code for the Morris
Worm held at the Boston Museum of Science
16. Working of the Morris Worm
17. Morris Worm Once in place, the main program undertook
systematic attempts to discover user passwords. This happened in
three stages:
   1. Trying simple cases: no password, or passwords constructed
      from combinations of the account user name.
   2. Comparing against an internal dictionary of 432 password
      choices.
   3. Trying each word in the online UNIX dictionary.
This elaborate and efficient three-stage password cracking
algorithm enabled the worm to gain further access to other user
accounts on the infected system. With each new access the worm
searched for already active copies of itself. If it found one, the
new copy exited, except for every seventh instance.
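The defender's mirror of the three stages above is a password-acceptance check that refuses any password the worm's search would have found. The C code below is an added example, not the worm's code and not from the slides: derived_from_username approximates stage 1 (the slide does not list the exact derivations the worm tried, so the set here, empty, the name, the name reversed, the name doubled, is constructed), and in_word_list serves stages 2 and 3. The two word lists are constructed stand-ins for the worm's 432-entry table and for the system dictionary.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive string equality, so "Alice" and "alice" compare equal. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Write 'src' reversed into 'dst' (capacity 'cap'). */
static void reverse_into(char *dst, const char *src, size_t cap)
{
    size_t n = strlen(src);
    if (n >= cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

/* Stage 1: guesses derived from the account name alone. The set below
 * (empty, the name, the name reversed, the name doubled) is a constructed
 * approximation of the worm's first stage, not its exact list. */
int derived_from_username(const char *user, const char *pw)
{
    char buf[256];

    if (pw[0] == '\0' || eq_nocase(pw, user))
        return 1;
    reverse_into(buf, user, sizeof buf);
    if (eq_nocase(pw, buf))
        return 1;
    if (snprintf(buf, sizeof buf, "%s%s", user, user) < (int)sizeof buf &&
        eq_nocase(pw, buf))
        return 1;
    return 0;
}

/* Stages 2 and 3: a word-list lookup. The same routine serves the small
 * built-in list and the (much larger) system dictionary. */
int in_word_list(const char *pw, const char *const *words, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++)
        if (eq_nocase(pw, words[i]))
            return 1;
    return 0;
}

/* Returns 0 if 'pw' survives all three stages, otherwise the stage
 * (1, 2 or 3) at which a Morris-style search would have guessed it. */
int weak_password_stage(const char *user, const char *pw,
                        const char *const *builtin, size_t nbuiltin,
                        const char *const *sysdict, size_t nsysdict)
{
    if (derived_from_username(user, pw)) return 1;
    if (in_word_list(pw, builtin, nbuiltin)) return 2;
    if (in_word_list(pw, sysdict, nsysdict)) return 3;
    return 0;
}

/* Constructed stand-ins: the worm carried 432 built-in words, and the
 * system dictionary is /usr/share/dict/words on most UNIX systems. */
const char *const BUILTIN_WORDS[] = { "password", "secret", "wizard", "computer" };
const size_t N_BUILTIN = sizeof BUILTIN_WORDS / sizeof BUILTIN_WORDS[0];
const char *const SYSTEM_WORDS[] = { "zebra", "mountain", "sunrise" };
const size_t N_SYSTEM = sizeof SYSTEM_WORDS / sizeof SYSTEM_WORDS[0];

int main(void)
{
    const char *user = "alice";
    const char *candidates[] = { "", "alice", "ecila", "alicealice",
                                 "Password", "zebra", "c0rrect-horse-7" };
    static const char *const reason[] = { "accepted", "derived from user name",
                                          "in built-in list", "in system dictionary" };

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int stage = weak_password_stage(user, candidates[i], BUILTIN_WORDS,
                                        N_BUILTIN, SYSTEM_WORDS, N_SYSTEM);
        printf("%-16s -> %s\n", candidates[i], reason[stage]);
    }
    return 0;
}
```

Running the stages in the worm's own order is deliberate: the cheapest test rejects the weakest passwords first, and the stage number tells the user why the password was refused.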
18. Computer Viruses A virus is a fragment of code embedded in
a legitimate program, unlike a worm, which is structured as a
complete, standalone program.
19. Spread of Viruses Viruses are spread by users downloading
viral programs from public bulletin boards or exchanging disks
containing an infection. Exchange of Microsoft Office documents is
a common form of virus transmission these days, because these
documents can contain so-called macros, which are Visual Basic
programs.
20. Classification of Viruses NON-RESIDENT VIRUSES: Non-resident
viruses can be thought of as consisting of a finder module and a
replication module. The finder module is responsible for finding
new files to infect. For each new executable file the finder module
encounters, it calls the replication module to infect that file.
RESIDENT VIRUSES: The virus instead loads the replication module
into memory when it is executed, and ensures that this module is
executed each time the operating system is called on to perform a
certain operation.
21. Classification (contd.) POLYMORPHIC VIRUS: Changes the
virus's signature each time. It is designed to avoid detection by
antivirus software; it acts like a chameleon. STEALTH VIRUS: It
uses tactics to avoid detection such as altering its file size,
concealing itself in memory, and modifying parts of the system that
could be used to detect it.
22. Creeper Virus The Creeper virus was first detected on
ARPANET. Creeper was an experimental self-replicating program
written by Bob Thomas at BBN Technologies in 1971. Creeper used the
ARPANET to infect DEC PDP-10 computers running the TENEX operating
system. Creeper gained access via the ARPANET and copied itself to
the remote system, where the message "I'm the creeper, catch me if
you can!" was displayed. The Reaper program was created to delete
Creeper.
23. Michelangelo Virus On March 6, 1992, the 517th birthday of
Michelangelo, the Michelangelo virus was scheduled to erase
infected hard disk files. But because of the extensive popularity
surrounding the virus, most sites had detected and destroyed the
virus before it was activated, so it caused little or no
damage.
24. Love Bug Virus In 2000, the Love Bug became very
widespread. It appeared to be a love note sent by a friend of the
receiver. Once invoked, by opening the Visual Basic script, it
propagated by sending itself to the first users in the user's email
contact list. It just clogged users' inboxes and email systems, but
was relatively harmless.
25. Protection against Viruses The problem of viruses can be
dealt with by using antivirus software. They work by searching all
the programs on a system for the specific pattern of instructions
known to make up a virus. When they find a known pattern, they
remove the instructions, disinfecting the program. The best
protection against viruses is the method of safe computing:
purchasing unopened software from vendors and avoiding free or
pirated copies from public sources or disk exchange.
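An added example of the pattern search this slide describes, not code from the presentation: scan_buffer looks for byte-exact signatures in a file image. In place of a real virus pattern it uses the EICAR test string, the industry-standard harmless file that antivirus products are expected to flag. The sample "program images" are constructed, and the mutated sample shows why the polymorphic viruses of slide 21 defeat this kind of scanner: changing a single byte of the body breaks the match.

```c
#include <stdio.h>
#include <string.h>

/* A signature: a name and the byte pattern the scanner searches for. */
struct signature {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

/* Return 1 if 'pat' occurs anywhere in 'data'. Plain byte search with
 * explicit lengths: executables contain NUL bytes, so no strstr here. */
static int contains(const unsigned char *data, size_t n,
                    const unsigned char *pat, size_t m)
{
    if (m == 0 || m > n)
        return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(data + i, pat, m) == 0)
            return 1;
    return 0;
}

/* Scan a buffer against a signature table. Returns the index of the first
 * matching signature, or -1 if none matches. */
int scan_buffer(const unsigned char *data, size_t n,
                const struct signature *sigs, size_t nsigs)
{
    for (size_t i = 0; i < nsigs; i++)
        if (contains(data, n, sigs[i].bytes, sigs[i].len))
            return (int)i;
    return -1;
}

/* The EICAR test string (the backslash is escaped for C). It is a
 * standard, harmless test file, not malware. */
static const unsigned char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

const struct signature SIGNATURES[] = {
    { "EICAR-Test-File", EICAR, sizeof EICAR - 1 },
};
const size_t N_SIGNATURES = sizeof SIGNATURES / sizeof SIGNATURES[0];

/* Constructed sample: an ordinary "program image" with nothing in it. */
static const unsigned char CLEAN_SAMPLE[] =
    "MZ ordinary program image, nothing to see here";

/* Constructed infected sample: header bytes, the test string, trailer
 * bytes. Returns the number of bytes written, or 0 if 'cap' is too small. */
size_t build_infected(unsigned char *out, size_t cap)
{
    static const char prefix[] = "MZ program header ";
    static const char suffix[] = " and its trailing data";
    size_t n = (sizeof prefix - 1) + (sizeof EICAR - 1) + (sizeof suffix - 1);

    if (n > cap)
        return 0;
    memcpy(out, prefix, sizeof prefix - 1);
    memcpy(out + sizeof prefix - 1, EICAR, sizeof EICAR - 1);
    memcpy(out + sizeof prefix - 1 + sizeof EICAR - 1, suffix, sizeof suffix - 1);
    return n;
}

/* Same sample with one bit flipped in the middle of the body: the effect
 * a polymorphic virus achieves by re-encoding itself on each infection. */
size_t build_mutated(unsigned char *out, size_t cap)
{
    size_t n = build_infected(out, cap);
    if (n)
        out[n / 2] ^= 0x01;
    return n;
}

/* Scan each constructed sample and return the scanner's verdict. */
int scan_clean_sample(void)
{
    return scan_buffer(CLEAN_SAMPLE, sizeof CLEAN_SAMPLE - 1, SIGNATURES, N_SIGNATURES);
}
int scan_infected_sample(void)
{
    unsigned char buf[256];
    size_t n = build_infected(buf, sizeof buf);
    return scan_buffer(buf, n, SIGNATURES, N_SIGNATURES);
}
int scan_mutated_sample(void)
{
    unsigned char buf[256];
    size_t n = build_mutated(buf, sizeof buf);
    return scan_buffer(buf, n, SIGNATURES, N_SIGNATURES);
}

int main(void)
{
    int hit = scan_infected_sample();
    printf("clean sample:    %d (-1 = no match)\n", scan_clean_sample());
    printf("infected sample: %d (%s)\n", hit, hit >= 0 ? SIGNATURES[hit].name : "none");
    printf("mutated sample:  %d (single-byte change evades the signature)\n",
           scan_mutated_sample());
    return 0;
}
```

The mutated result is the practical lesson: a scanner that matches exact byte strings is only as good as its signature table, which is why the polymorphic and stealth techniques of slide 21 matter and why real products add heuristics and emulation on top of pattern search.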
26. Worms v/s Viruses
   WORMS: rely little or not at all on humans to spread; spread
   across a network; spread rapidly.
   VIRUSES: dependent upon a host file; need the help of humans
   to spread; take a while to spread.
27. Denial of Service Denial of service does not involve
stealing resources or gaining information, but rather disabling
legitimate use of a system or facility. It is easier than breaking
into a machine. These attacks are network based and fall into two
categories:
   1. An attack that uses so many facility resources that, in
      essence, no work can be done.
   2. An attack that disrupts the network facility of the
      computer.
It is impossible to prevent denial of service attacks. Frequently
it is difficult to determine whether a system slowdown is due to a
surge in use or to an attack.