Post on 12-Jan-2016
Lecture 14 Overview
Program Flaws
• Taxonomy of flaws by:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
CS 450/650 Lecture 14: Program Flaws
Security Flaws by Genesis
• Genesis
– Intentional
• Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
• Non-malicious
– Inadvertent
• Validation error
• Domain error
• Serialization error
• Identification/authentication error
• Other error
Flaws by Time
• Time of introduction
– During development
• Requirement/specification/design
• Source code
• Object code
– During maintenance
– During operation
Flaws by Location
• Location
– Software
• Operating system: system initialization, memory management, process management, device management, file management, identification/authentication, other
• Support tools: privileged utilities, unprivileged utilities
• Application
– Hardware
Malware Evolution
• 1980s
– Malware for entertainment (pranks)
– 1983: “virus”
– 1988: Internet Worm
• 1990s
– Malware for social status / experiments
– 1990: antivirus software
• Early 2000s
– Malware to spam
• Mid 2000s
– Criminal malware
Lecture 15
Malicious Codes
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Csilla Farkas and Brandon Phillips
Kinds of Malicious Code
• Virus: a program that attaches copies of itself into other programs.
– Propagates and performs some unwanted function
– Viruses are not programs
– Definition from RFC 1135: A virus is a piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.
CS 450/650 Lecture 15: Malicious Codes
Kinds of Malicious Code
• Worm: a program that propagates copies of itself through the network.
– Independent program.
– May carry other code, including programs and viruses.
– Definition from RFC 1135: A worm is a program that can run independently, will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.
Kinds of Malicious Code
• Rabbit/Bacteria: make copies of themselves to overwhelm a computer system's resources
– Denying the user access to the resources
• Logic/Time Bomb: programmed threats that lie dormant for an extended period of time until they are triggered
– When triggered, malicious code is executed
Kinds of Malicious Code
• Trojan Horse: secret, undocumented routine embedded within a useful program
– Execution of the program results in execution of secret code
• Trapdoor: secret, undocumented entry point into a program, used to grant access without normal methods of access authentication
• Dropper: Not a virus or infected file
– When executed, it installs a virus into memory, on to the disk, or into a file
Malware Proliferation (Microsoft Security Intelligence Report 6)
[figure: chart from the report; values not recoverable from the slide text]
Malware Families
[figure: chart; values not recoverable from the slide text]
Regional Threat Categories (Microsoft Security Intelligence Report 6)
[figure: chart from the report; values not recoverable from the slide text]
Virus Lifecycle
• Dormant phase: the virus is idle
– not all viruses have this stage
• Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas
• Triggering phase: the virus is activated to perform the function for which it was created
• Execution phase: the function is performed
– The function may be harmless or damaging
Virus Types
• Parasitic virus:
– Attaches itself to a file and replicates when the infected program is executed
– most common form
• Memory resident virus:
– lodged in main memory as part of a resident system program
– Virus may infect every program that executes
Virus Types
• Boot Sector Viruses:
– Infects the boot record and spreads when system is booted
– Gains control of machine before the virus detection tools
– Very hard to notice
• Macro Virus:
– virus is part of the macro associated with a document
Virus Types
• Stealth virus:
– A form of virus explicitly designed to hide from detection by antivirus software
• Polymorphic virus:
– A virus that mutates with every infection making detection by the “signature” of the virus difficult
How Viruses Append
[figure: original program + virus = virus appended to program]
How Viruses Append
[figure: original program + virus = virus surrounding a program (Virus-1 before the program, Virus-2 after it)]
How Viruses Append
[figure: original program + virus = virus integrated into program (Virus-1 through Virus-4 distributed through the program)]
How Viruses Gain Control
• Virus V has to be invoked instead of target T
– V overwrites T
– V changes pointers from T to V
High Risk Virus Properties
• Hard to detect
• Hard to destroy
• Spread infection widely
• Can re-infect
• Easy to create
• Machine independent
Virus Signatures
• Storage pattern
– Code always located on a specific address
– Increased file size
• Execution pattern
• Transmission pattern
• Polymorphic Viruses
Antivirus Approaches
• Detection:
– determine infection and locate the virus
• Identification:
– identify the specific virus
• Removal:
– remove the virus from all infected systems, so the disease cannot spread further
• Recovery:
– restore the system to its original state
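The storage-pattern signature check from the Virus Signatures slide and the detection/identification split from Antivirus Approaches, as an added example that is not part of the lecture slides. The signature names and byte patterns are constructed stand-ins, and the third sample shows why a polymorphic virus defeats a fixed signature while a size/hash baseline of the clean file still notices the change.

```python
import hashlib
from typing import Optional

# Constructed demo byte patterns standing in for entries of a signature
# database (hypothetical names; these are not real malware signatures).
SIGNATURES = {
    "DEMO-APPENDER": b"\xde\xad\xbe\xef demo-appender",
    "DEMO-PREPENDER": b"\xca\xfe\xba\xbe demo-prepender",
}


def fingerprint(data: bytes) -> tuple:
    """Storage-pattern baseline of a clean file: its size and SHA-256."""
    return (len(data), hashlib.sha256(data).hexdigest())


def scan(data: bytes, clean: Optional[tuple] = None) -> dict:
    """Detection (did any signature match), identification (which one),
    and storage-pattern checks against the clean fingerprint if known."""
    matches = [name for name, sig in SIGNATURES.items() if sig in data]
    size, digest = fingerprint(data)
    result = {"detected": bool(matches), "identified": matches,
              "size_grew": False, "modified": False}
    if clean is not None:
        result["size_grew"] = size > clean[0]    # "increased file size"
        result["modified"] = digest != clean[1]  # any change at all
    return result


def demo() -> dict:
    """Constructed sample: a clean 'program', a copy with the demo pattern
    appended, and a copy carrying a byte-for-byte different variant."""
    program = b"MZ\x90\x00 constructed demo program body"
    clean = fingerprint(program)
    appended = program + SIGNATURES["DEMO-APPENDER"]
    # Every byte of the pattern differs, so the stored signature no longer
    # matches; the integrity baseline still flags the file as changed.
    mutated = bytes(b ^ 0x01 for b in SIGNATURES["DEMO-APPENDER"])
    return {
        "clean": scan(program, clean),
        "appended": scan(appended, clean),
        "variant": scan(program + mutated, clean),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```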
Preventing Virus Infection
• Prevention:
– Good source of software installed
– Isolated testing phase
– Use virus detectors
• Limit damage:
– Make bootable diskette
– Make and retain backup copies of important resources
Nyxem Email Virus
• Estimate of total number of infected computers is between 470K and 945K
• At least 45K of the infected computers were also compromised by other forms of spyware or botware
[figure: spread of the Nyxem email virus]
Worm
• Self-replicating (like virus)
• Objective: system penetration (intruder)
• Phases: dormant, propagation, triggering, and execution
• Propagation:
– Searches for other systems to infect
• e.g., host tables
– Establishes connection with remote system
– Copies itself to remote system
– Execute
Code-Red Worm
• On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours
[figure: spread of the Code-Red worm]
Sapphire/Slammer Worm
• was the fastest computer worm in history
– doubled in size every 8.5 seconds
– infected more than 90 percent of vulnerable ~75K hosts within 10 minutes.
Witty Worm
• reached its peak activity after approximately 45 minutes
– at which point the majority of vulnerable hosts had been infected
[figures: Witty worm activity, World and USA panels]