Malicious Logic


Page 1: Malicious Logic

CS 334: Computer Security, Fall 2008, Slide #1

Malicious Logic

Trojan Horses, Viruses, Worms

Page 2: Malicious Logic

Introduction

• Malicious Logic: a set of instructions that cause a violation of security policy

• Idea taken from Troy: to breach an impenetrable perimeter, have someone from the inside unknowingly bring you inside

• Example: name the following script ls and place it in a directory. Annotations on the script: set the UID of /tmp/.xxsh to the UID of the person executing this script; remove this script and run ls.
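The attack above only works if the victim's shell searches a directory the attacker can write to before it searches /bin. The following is an added example, not code from the slides: a PATH audit that reports relative and world-writable entries, plus a lookup that mimics the shell's left-to-right search so you can see which ls would actually run. The scratch directory, planted ls script and world-writable subdirectory that build_demo_tree creates are constructed for the demonstration.

```python
import os
import stat
import tempfile


def unsafe_path_entries(path_value):
    """Report PATH entries that let someone else plant a program named like a
    common command (the 'ls' Trojan above) where the shell will find it first.

    Returns a list of (entry, reason):
      relative       -- '', '.', 'bin', '../x': searched relative to the current
                        directory, so whoever controls that directory wins
      world-writable -- any local user can drop an 'ls' there
      missing        -- does not exist now; dangerous if an attacker can create it
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        if not entry.startswith("/"):
            findings.append((entry, "relative"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing"))
            continue
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings


def resolve_command(name, path_value, cwd):
    """Mimic the shell's lookup: walk PATH left to right, resolving relative
    entries against `cwd`, and return the first executable file called `name`."""
    for entry in path_value.split(os.pathsep):
        directory = entry or "."            # an empty entry means the current directory
        if not directory.startswith("/"):
            directory = os.path.join(cwd, directory)
        candidate = os.path.normpath(os.path.join(directory, name))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_demo_tree():
    """Constructed fixture: a scratch directory holding a planted 'ls' script and a
    world-writable subdirectory. Returns (root, trojan_path, world_writable_dir)."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    ww = os.path.join(root, "dropbox")
    os.mkdir(ww)
    os.chmod(ww, 0o777)
    trojan = os.path.join(root, "ls")
    with open(trojan, "w") as f:
        f.write("#!/bin/sh\necho 'this is not /bin/ls'\n")
    os.chmod(trojan, 0o755)
    return root, trojan, ww


if __name__ == "__main__":
    # Audit the PATH of the shell this script was started from.
    path = os.environ.get("PATH", "")
    for entry, reason in unsafe_path_entries(path):
        print(f"{reason:15s} {entry!r}")
    print("ls resolves to:", resolve_command("ls", path, os.getcwd()))
```

Run it from a directory containing the planted ls with PATH set to ".:/bin" and resolve_command returns the planted file; with "/bin:." it returns the real one. The audit is the check to run on root's shell in particular, since the slide's policy violation needs root to be the one who types ls.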

Page 3: Malicious Logic

Trojan Horses

• Trojan Horse: a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect
– In the example, the overt action is to list files; the covert action is to create a shell that is setuid to the user executing the script

• There is a key notion here of being "tricked"
– In the example script, if user root executed this unintentionally by typing ls in a directory, then we have a security policy violation
– If root types out these lines and runs them intentionally, there is no violation
– Key problem: the system does not know whether the user really intends to run a specific set of instructions

Page 4: Malicious Logic

Example: NetBus

• Program that allows an attacker to control a Windows NT workstation remotely
– Can download and upload files, intercept mouse or key strokes, and generally act as sysadmin

• Requires a small NetBus server on the target machine
– Placed in several small game programs and other "fun" stuff, then distributed to web sites where unsuspecting users would likely download them

Page 5: Malicious Logic

Propagating Trojan Horse

• Propagating Trojan Horse (also replicating Trojan Horse): a Trojan Horse that creates a copy of itself

• Ex. Ken Thompson's compiler
– Added a Trojan horse to the login program so it accepted a specific password in addition to the user's password
– Placed the code that does this into the compiler, so it would add the Trojan horse whenever it compiled login (so it is not visible in the login source)
– Placed a Trojan horse for the compiler into the compiler binary, so if the compiler was recompiled it would always re-insert the Trojan horse for login
– Replaced the source for the compiler with clean source for the compiler
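A toy model of the two patterns in Thompson's compiler, added here as an example; it is not code from the slides or from Thompson's paper. "Source" is plain text and a compiler "binary" is a Python callable that turns source into another callable. The password table, the backdoor value and the source strings are constructed; the point the model makes is that the backdoor survives any number of rebuilds from clean source while never appearing in that source.

```python
PASSWD = {"root": "s3cret", "alice": "hunter2"}   # constructed password table
BACKDOOR = "open-sesame"                          # the attacker's extra password

# 'Source code' is plain text. Neither string mentions BACKDOOR: that is the point.
LOGIN_SRC = "login: accept (user, pw) iff PASSWD[user] == pw"
CC_SRC = "cc: translate LOGIN_SRC and CC_SRC into binaries"


def clean_cc(source):
    """An honest compiler binary: does exactly what CC_SRC says."""
    if source == LOGIN_SRC:
        return lambda user, pw: PASSWD.get(user) == pw
    if source == CC_SRC:
        return clean_cc
    raise ValueError("unknown program: " + source)


def trojan_cc(source):
    """The compiler binary after Thompson's change. Its source is still CC_SRC."""
    if source == LOGIN_SRC:
        # Pattern 1: recognise login and emit a login that also takes BACKDOOR.
        return lambda user, pw: PASSWD.get(user) == pw or pw == BACKDOOR
    if source == CC_SRC:
        # Pattern 2: recognise the compiler and emit a compiler carrying both
        # patterns, i.e. itself, even though CC_SRC contains neither.
        return trojan_cc
    return clean_cc(source)


def rebuild(compiler, generations):
    """Recompile the clean compiler source `generations` times with `compiler`,
    then build login with the result. Returns (compiler_binary, login_binary)."""
    for _ in range(generations):
        compiler = compiler(CC_SRC)
    return compiler, compiler(LOGIN_SRC)


def source_audit_finds_backdoor():
    """What reading the source would show."""
    return BACKDOOR in LOGIN_SRC or BACKDOOR in CC_SRC


def backdoor_survives(generations):
    """True if, starting from the trojaned binary and rebuilding from clean source
    `generations` times, the resulting login still accepts BACKDOOR for root
    while still rejecting a wrong password."""
    _, login = rebuild(trojan_cc, generations)
    return login("root", BACKDOOR) and not login("root", "wrong")
```

Once the trojaned binary is the one doing the compiling, "recompile from clean source" is not a remedy: rebuild(trojan_cc, n) returns trojan_cc for every n. The only escape is to obtain a compiler binary whose provenance you trust by some route other than this compiler.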

Page 6: Malicious Logic

Computer Virus

• Computer Virus: a program that inserts itself into one or more files and then performs some (possibly null) action
– Insertion phase: the virus inserts itself into a file
– Execution phase: the action is performed

Page 7: Malicious Logic


Virus Pseudocode

Page 8: Malicious Logic

Virus: A Trojan Horse?

• Some say YES: the purpose of the infected program is the overt action; the insertion and execution phases are the covert action

• Some say NO: a virus has no covert purpose. Its overt purpose is to infect and execute.

• Who cares. Bottom line is that defenses against Trojan horses inhibit viruses.

Page 9: Malicious Logic

Some History

• 1983: Fred Cohen (at the time a grad student at USC) designed a virus to acquire privileges on a VAX-11/750 running Unix
– Obtained all system rights within half an hour on average
– Because the virus didn't degrade response time, most users never knew the system was under attack
• 1984: An experiment on a UNIVAC 1108 showed a virus could infect that system
– The UNIVAC partially implemented the Bell-LaPadula Model, using mandatory protection mechanisms
– Showed that if a system does not prohibit writing using mandatory access controls, then the system does little, if anything, to prohibit virus propagation

Page 10: Malicious Logic

More History

• 1986-87: Brain (Pakistani) virus infects IBM PCs
– Alters boot sectors of floppy disks, possibly corrupting files
– Spreads to any uninfected floppy inserted into the system
– Numerous variations have been reported
• 1987: MacMag Peace virus
– Infected Macs, Amigas, among others
– Printed a "universal message of peace" on March 2, 1988, then deleted itself
– Infected copies of the Aldus FreeHand program, which were subsequently recalled by the manufacturer

Page 11: Malicious Logic

Still More History

• 1987: Tom Duff experiments on Unix with a small virus that copies itself into executable files
– Not virulent, but when placed in 48 programs on a heavily used machine, it spread to 46 different systems and 466 files in 8 days
– Duff did not violate any security mechanism by seeding the files
– Wrote another virus as a Bourne shell script. It could attach itself to any Unix program
– Demonstrated that viruses are not intrinsically machine-dependent and can spread to systems of varying architectures

Page 12: Malicious Logic

OK, Even More History

• 1989: Harold Highland develops a Lotus 1-2-3 virus
– Virus stored as a set of commands for the spreadsheet
– Loads automatically when the file is opened
– Was for demo only, so it changed the value in a specific row and column, then spread to other files
– Demonstrated that macros for office programs on PCs could contain viruses

Page 13: Malicious Logic

Virus Types

• Boot Sector Infectors
• Executable Infectors
• Multipartite Viruses
• TSR Viruses
• Stealth Viruses
• Encrypted Viruses
• Polymorphic Viruses
• Macro Viruses

Page 14: Malicious Logic

Boot Sector Viruses

• The boot sector is the part of a disk used to bootstrap the system or mount a disk
– Code in the boot sector is executed when the system sees the disk for the first time
• A boot sector virus is one that inserts itself into the boot sector of a disk
– When the system or disk boots, the virus is executed
– The original boot sector code is moved elsewhere

Page 15: Malicious Logic

Example: Brain Virus

• When the system boots from an infected disk, the virus is in the boot sector and is loaded
• Moves the disk interrupt vector (location 0x13) to location 0x6d and sets the disk interrupt location to invoke the Brain virus
• The Brain virus then loads the original boot sector and continues the boot
• When the user reads another floppy, the interrupt at 0x13 is invoked, calling the Brain virus
– If the value 0x1234 is in the word at location 0x4 of the new disk, the boot continues normally. If not, the disk is infected
– Infection sometimes overwrites some sectors, hence the sometimes destructive nature of the Brain virus

Page 16: Malicious Logic

Executable Infectors

• Executable infector: a virus that infects executable programs
– On the PC these are called COM or EXE viruses because of the file types they infect
• The virus prepends or appends itself to the executable

Page 17: Malicious Logic

Example: Jerusalem Virus

• Triggered when an infected program is executed
• The virus puts the value 0x0e0 into the ax register and invokes the DOS service interrupt (0x21)
• If on return the high eight bits of ax contain 0x3, the virus is already on the system and the original program is invoked
• If not, the virus sets itself up to respond to traps to the DOS service interrupt vector

Page 18: Malicious Logic

Example: Jerusalem Virus (continued)

• The virus checks the date
– If it is a Friday the 13th and the year is not 1987, the virus sets a flag in memory to delete files instead of infecting them
• In memory, the virus checks all calls to the DOS service interrupt, looking for files to be executed (service call 0x4b00)
– The virus checks the file name, and deletes the file if the destruct flag is set (except for the COMMAND.COM file)
– The virus checks the last five bytes of the file
• If they are the string MsDos, the file is already infected
• If not, the virus checks whether the name of the file ends in E or M, in which case the virus infects it (assuming it is a COM or EXE file)
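The decision logic on the two Jerusalem slides (trigger date, infection marker, target selection, the COMMAND.COM exception), worked through as an added example over an in-memory model of a DOS directory; this is not the virus's code and not from the slides. The file contents and the VIRUS_BODY stand-in are constructed, and infection always appends (the real virus prepended to .COM files). The scan function shows the flip side of the marker: the five bytes the virus uses to avoid reinfecting a file are also an exact signature a scanner can key on.

```python
from datetime import date

MARKER = b"MsDos"              # the slide: an infected file ends in these five bytes
VIRUS_BODY = b"<virus code>"   # constructed stand-in; the real body is not on the slide


def as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def is_infected(data):
    return data.endswith(MARKER)


def is_target(name):
    """Slide: infect if the name ends in E or M, i.e. an .EXE or .COM file."""
    return name.upper().endswith(("E", "M"))


def destruct_mode(today):
    """Slide: Friday the 13th in any year except 1987 switches to deleting."""
    today = as_date(today)
    return today.weekday() == 4 and today.day == 13 and today.year != 1987


def infect(data):
    # Simplification: always append (the real virus prepended to .COM files).
    return data + VIRUS_BODY + MARKER


def on_exec(files, name, today):
    """What the resident virus does when DOS service 0x4b00 (execute program)
    is invoked for `name`. Mutates `files`; returns the outcome."""
    if destruct_mode(today):
        if name.upper() == "COMMAND.COM":
            return "spared"            # the one file it never deletes
        del files[name]
        return "deleted"
    data = files[name]
    if is_infected(data):
        return "already-infected"
    if not is_target(name):
        return "ignored"
    files[name] = infect(data)
    return "infected"


def run_programs(files, exec_order, today):
    """Execute programs in order on one day; returns [(name, outcome), ...]."""
    return [(name, on_exec(files, name, today)) for name in exec_order]


def scan(files):
    """A scanner using the virus's own 'already infected' marker as its signature."""
    return sorted(n for n, d in files.items() if is_infected(d))


def sample_disk():
    """Constructed sample directory of a DOS machine."""
    return {"COMMAND.COM": b"shell", "EDIT.EXE": b"editor",
            "GAME.COM": b"game", "README.TXT": b"notes"}
```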

Page 19: Malicious Logic

Multipartite Viruses

• A virus that can infect either boot sectors or applications
• The virus typically has two parts, one for each type. The appropriate part is invoked depending on circumstances

Page 20: Malicious Logic

TSR Viruses

• A Terminate and Stay Resident (TSR) virus is one that stays active (resident) in memory after the application (or bootstrapping or disk mounting) has terminated
• Can be boot sector or executable infectors
– Brain and Jerusalem are both TSR viruses
• Non-TSR viruses execute only when the host application is executed (or the infected disk is mounted, etc.)

Page 21: Malicious Logic

Stealth Viruses

• Stealth viruses are those that conceal the infection of files
• They intercept calls to the OS that access files
– If the call is for file attributes, the original (uninfected) file attributes are returned
– If the call is to read the file, the uninfected version is returned
– If the call is to execute the file, the infected file is executed

Page 22: Malicious Logic

Example: The Stealth Virus

• Also called the IDF virus or 4096 virus
• Modifies the DOS service interrupt handler
– Not the interrupt vector. This way, inspection of the interrupt vectors does not reveal the presence of the virus
• If the call is for the length of a file, the length of the uninfected file is returned
• If the request is to open a file, the file is temporarily disinfected, then reinfected when the file is closed
• Changes the last modification time of the file to indicate the file is not infected

Page 23: Malicious Logic

Encrypted Viruses

• A virus that enciphers all of the virus code except for a small decryption routine
• Anti-virus software looks for known sequences of code
• To fight this, some viruses encipher most of their code, leaving only the small decryption routine and a random cryptographic key in the clear

Page 24: Malicious Logic

Example: 1260 Virus

• Uses two keys stored in k1 and k2
• The virus code begins at location sov and ends at location eov
• The dual keys and the shifting of the first key prevent a simple xor from uncovering the deciphered virus

Page 25: Malicious Logic

Polymorphic Viruses

• A virus that changes its form each time it inserts itself into another program
• Considered a form of encrypted virus
• With a straight encrypted virus, the decryption portion can be detected!
• Polymorphic viruses are designed to defeat this
– They change instructions in the virus to something equivalent but different. The technique is used to hide the decryption code. All the variants do the same thing!

Page 26: Malicious Logic


Example

Page 27: Malicious Logic

Polymorphic Viruses (continued)

• Production of polymorphic viruses has been automated
– Mutation Engine (MtE)
– Trident Polymorphic Engine (TPE)
• Polymorphism can occur at different levels
– A deciphering algorithm may have two different implementations
– Two different algorithms may produce the same result (much harder to detect)
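The four slides on encrypted, 1260-style and polymorphic viruses make one detection argument: a body signature fails once the body is enciphered, a stub signature still catches a fixed decryptor, and only the stub's shape survives polymorphism. The following is an added example that walks through that chain; it is not code from the slides. The cipher loop follows the slide's description of the 1260 (two keys, the first shifted per byte) but its byte-level details are an assumption; the decryptor "stub" is constructed pseudo-assembly rather than real machine code; and the polymorphic engine only swaps commuting instructions and inserts NOPs. The virus body text and host are constructed.

```python
import math
import random

BODY = b"infect:find COM files;copy self;patch entry;execute host;" * 4  # constructed
NOP = b"NOP;"

# Fixed decryptor stub (constructed pseudo-assembly, not the 1260's real code).
STUB = [b"MOV A,K1;", b"MOV B,K2;", b"MOV C,SOV;", b"L:",
        b"XOR [C],A;", b"XOR [C],B;", b"INC C;", b"INC A;", b"CMP C,EOV;", b"JNE L;"]
STUB_SIG = b"".join(STUB)      # what a scanner would learn from one fixed-stub sample
BODY_SIG = BODY[:24]           # what a scanner would learn from a plaintext sample


def cipher_1260(buf, k1, k2):
    """Two-key XOR stream as the slide describes: every byte is XORed with both
    keys and the first key advances by one per byte, so a repeated plaintext byte
    never enciphers the same way twice. Applying it twice restores the input."""
    out = bytearray()
    a = k1 & 0xFF
    for b in buf:
        out.append(b ^ a ^ (k2 & 0xFF))
        a = (a + 1) & 0xFF
    return bytes(out)


def mutate_stub(rng):
    """Toy polymorphic engine: the three register loads commute, the two XORs
    commute, the two INCs commute; swap some of them and sprinkle NOPs."""
    stub = list(STUB)
    for i, j in ((0, 1), (1, 2), (4, 5), (6, 7)):
        if rng.random() < 0.5:
            stub[i], stub[j] = stub[j], stub[i]
    out = []
    for ins in stub:
        out.append(ins)
        if rng.random() < 0.5:
            out.append(NOP)
    return b"".join(out)


def build_sample(kind, rng):
    """A constructed infected file: host code followed by the virus.
    kind: 'plain', 'encrypted' (fixed stub, random keys) or 'polymorphic'."""
    host = b"HOST PROGRAM CODE;"
    if kind == "plain":
        return host + BODY
    k1, k2 = rng.randrange(256), rng.randrange(256)
    stub = STUB_SIG if kind == "encrypted" else mutate_stub(rng)
    return host + stub + bytes([k1, k2]) + cipher_1260(BODY, k1, k2)


def signature_hit(sample, sig):
    return sig in sample


def decryptor_loop_heuristic(sample):
    """Match the *shape* of a decryption loop instead of exact bytes: between the
    label and the backward jump there must be XOR on memory, INC and CMP,
    in any order, NOPs ignored."""
    start, end = sample.find(b"L:"), sample.find(b"JNE L;")
    if start < 0 or end < start:
        return False
    ops = {ins.split(b" ")[0] for ins in sample[start + 2:end].split(b";")
           if ins and ins != b"NOP"}
    return {b"XOR", b"INC", b"CMP"} <= ops


def entropy(buf):
    """Shannon entropy in bits per byte; enciphered code scores far higher than text."""
    counts = {}
    for b in buf:
        counts[b] = counts.get(b, 0) + 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_report(seed=1):
    """{kind: (body_sig_hit, stub_sig_hit, loop_heuristic_hit)} for one sample of each kind."""
    rng = random.Random(seed)
    report = {}
    for kind in ("plain", "encrypted", "polymorphic"):
        s = build_sample(kind, rng)
        report[kind] = (signature_hit(s, BODY_SIG), signature_hit(s, STUB_SIG),
                        decryptor_loop_heuristic(s))
    return report
```

Reading the report: the plaintext sample is caught by the body signature only; the encrypted sample hides the body but is caught by the stub signature, the slide's "decryption portion can be detected"; the polymorphic sample evades both byte signatures and is caught only by the loop-shape heuristic, which is the kind of "code similarities, not identical matches" scanner the later detection slides describe.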

Page 28: Malicious Logic

Macro Viruses

• A virus that is composed of a sequence of instructions that is interpreted rather than executed directly
• Conceptually no different from ordinary computer viruses
• Can execute on any system that can interpret the instructions
• Can infect executables or data files (data virus)

Page 29: Malicious Logic

Macro Virus (continued)

• If infecting an executable, must arrange to be interpreted at some point
– Ex. Duff's experiments wrapped executables with shell scripts. The resulting executables invoked the Bourne shell, which interpreted the virus code before invoking the usual executable
• Macro viruses are not bound by machine architecture; they use specific programs
– Any system that runs this program can be affected, though the effects may differ
– Ex. An MS Word virus will work on PC, Mac,

Page 30: Malicious Logic

Example: Melissa Virus

• Infected Word 97 and 98 documents on Windows and Mac systems (written in Visual Basic)
• Installs itself as the "open" macro and copies itself into the Normal template so that any files that are opened are infected
• Then invokes the mail program and sends copies to names in the address book
– On the PC, spread was through mail
– On the Mac, most users didn't use the mail program that Melissa invokes, so spread was not via email

Page 31: Malicious Logic

Computer Worms

• A computer worm is a program that copies itself from one computer to another (as opposed to hitching a ride)
• Research on worms began in the mid-1970s
– Shoch and Hupp developed distributed programs to do various tasks. These probed workstations to find idle machines on which they installed code segments to do work. When other work on a machine started, the segments shut down.

Page 32: Malicious Logic

The Internet Worm

• Nov. 2, 1988: a program targeted Berkeley and Sun Unix-based machines
• Within hours of its introduction to the Internet it had rendered thousands of computers unusable
• The worm inserted instructions into a running process on the target machine and arranged for the instructions to be executed

Page 33: Malicious Logic

The Internet Worm (continued)

• Recovery required disconnection from the network and a reboot
– Several critical programs had to be changed and recompiled to prevent re-infection
– Worse, disassembly of the program was required to determine whether other malicious effects were present
– Fortunately, the only purpose of the worm was self-propagation (it could have been much worse!)

Page 34: Malicious Logic

Internet Worm

• The worm took advantage of flaws in some standard software installed on Unix systems
• fingerd is a utility that allows users to obtain information about other users
• gets is a library routine that reads input into a buffer without performing a bounds check
• sendmail is a program that routes mail in heterogeneous networks

Page 35: Malicious Logic

fingerd

• The program runs as a daemon (background process)
– Allows connections from remote programs
– Reads a single line of input, sends back the appropriate output
• The code used a call to the gets routine to read its input. The worm smashed the stack using this call
• Unfortunately, several routines remain with such buffer overflow vulnerabilities

Page 36: Malicious Logic

sendmail

• Operates in several modes: the worm exploited debug mode operation
• sendmail listens on TCP port 25 for attempts to deliver mail using the Simple Mail Transfer Protocol (SMTP)
– When contacted, sendmail enters into a dialog to determine the sender, etc.

Page 37: Malicious Logic

sendmail (continued)

• The worm used the DEBUG command to specify the recipient of the message as a set of commands instead of a user address
– This is not allowed in normal mode
– In debug mode, this allows testers to verify that mail is arriving without having to invoke the address resolution routines
– That is, testers can run programs to show the state of the mail system without a separate login connection or having to send mail

Page 38: Malicious Logic

Aside: Unix Passwords

• Passwords were hashed with a permuted version of DES and the result stored in the world-readable password file
• The worm used a dictionary attack to guess passwords (sometimes as many as 50% of the passwords on a system)
• Unix now stores password hashes in a shadow password file that can only be accessed by the sysadmin
– And the check is done by a privileged routine that delays its return for a second or so (slows down online guessing)

Page 39: Malicious Logic

Aside: Trusted Logins

• BSD Unix has nice support for login from remote machines
• One can specify a list of host/login name pairs that are assumed to be trusted. Login with these pairs does not require a password
– hosts.equiv and .rhosts files
• The worm exploited this by trying to locate machines that might trust the current machine
– How do you think it did this?
– When one was found, the worm placed itself on the target machine
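One answer to the slide's question, as an added example that is not code from the slides or from the worm: the hosts a machine itself trusts are listed in plain text in /etc/hosts.equiv and in each user's ~/.rhosts, and trust is usually configured symmetrically, so those names are the obvious first targets. The parser below reads that format, the candidate function applies the worm's heuristic, and the audit reports the entries a sysadmin should remove first. The file contents HOSTS_EQUIV and RHOSTS are constructed samples; the meaning assumed for a "host user" line in hosts.equiv (that user may log in as any local non-root user) is the BSD semantics.

```python
def parse_rhosts(text):
    """Parse the hosts.equiv / .rhosts format (one entry per line, optional
    '#' comments). Returns a dict with:
      entries   -- list of (host, user); user is None when only a host is given
      denied    -- hosts listed with a leading '-'
      netgroups -- '+@name' / '-@name' entries, kept literal (expanding them needs NIS)
      wildcard  -- True if a bare '+' appears (every host is trusted)
    """
    out = {"entries": [], "denied": set(), "netgroups": set(), "wildcard": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            out["wildcard"] = True
        elif host.startswith(("+@", "-@")):
            out["netgroups"].add(host)
        elif host.startswith("-"):
            out["denied"].add(host[1:])
        else:
            out["entries"].append((host, user))
    return out


def candidate_targets(hosts_equiv, user_rhosts):
    """The worm's heuristic for 'who might trust me': every concrete host this
    machine itself trusts, from hosts.equiv and from all users' .rhosts files."""
    hosts = {h for h, _ in parse_rhosts(hosts_equiv)["entries"]}
    for content in user_rhosts.values():
        hosts.update(h for h, _ in parse_rhosts(content)["entries"])
    return hosts


def audit(hosts_equiv, user_rhosts):
    """Findings a sysadmin would want to see before the worm does."""
    findings = []
    eq = parse_rhosts(hosts_equiv)
    if eq["wildcard"]:
        findings.append("hosts.equiv: bare '+' trusts every host that can reach this machine")
    for host, user in eq["entries"]:
        if user is not None:
            findings.append(f"hosts.equiv: {user}@{host} may log in as any local "
                            f"non-root user without a password")
    for user, content in user_rhosts.items():
        rh = parse_rhosts(content)
        if rh["wildcard"]:
            findings.append(f"~{user}/.rhosts: bare '+' lets {user} in from any host "
                            f"without a password")
        if user == "root":
            for host, _ in rh["entries"]:
                findings.append(f"~root/.rhosts: passwordless root login from {host}")
    return findings


# Constructed sample files for the demonstration.
HOSTS_EQUIV = """# hosts this machine trusts
alpha.example.edu
beta.example.edu operator
-gamma.example.edu
"""
RHOSTS = {
    "alice": "delta.example.edu\n+@labhosts\n",
    "bob": "+\n",
    "root": "alpha.example.edu\n",
}
```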

Page 40: Malicious Logic

Internet Worm (High Level Description)

• Main program: collect information on other machines on the network to which the current machine could connect
– Read config files
– Run system utilities to get information about the current state of network connections
– Used the previously mentioned flaws to attempt to establish a bootstrap on these machines

Page 41: Malicious Logic

Internet Worm (High Level Description, continued)

• Bootstrap program:
– 99 lines of C code that would be compiled and run on the remote machine
– Once transferred to the target machine, it was compiled and invoked with three command line arguments
• Network address of the infecting machine
• Number of the network port to connect to on that machine to get copies of the main worm files
• Magic number that acted as a one-time challenge password
– If the worm on the remote host and port didn't receive the magic number back, it would immediately disconnect from the bootstrap program
» Possibly to prevent someone from capturing a copy of the worm by spoofing a worm server

Page 42: Malicious Logic

Internet Worm (High Level Description, continued)

• Bootstrap program:
– Connects back to the worm that originated it and transfers a set of precompiled code (binaries) to the local machine
– These binaries represented versions of the main program for various OS versions and machine architectures
– Once the binaries were transferred, they were loaded and linked with standard library routines on the host machine, then run one by one

Page 43: Malicious Logic

Father Christmas Worm

• Electronic Christmas card passed around IBM-based networks
– The card was a letter instructing the recipient to save the letter and run it as a program
– The program drew a Christmas tree (with blinking lights!) and printed Merry Christmas
• The program checked the recipient's list of previously received mail as well as the address book, then sent itself to all these addresses
• Overwhelmed the network and forced a shutdown
• A macro worm written in a high-level job control language

Page 44: Malicious Logic

Rabbits and Bacteria

• A program that absorbs all of some class of resource
– Program copies multiply so fast that resources are exhausted. A class of denial of service attack.
• Ex. (Dennis Ritchie) This will exhaust disk space or inode tables on a Unix Version 7 system

Page 45: Malicious Logic

Examples

• Internet worm:
– During infection, opened a port on the target machine
– When another worm tried to infect the machine, it checked the port. If the port was open, it assumed the machine was infected
– But apparently to thwart sysadmins opening a small program on that port, every sixth attack it ignored the check
– This led to many copies of the worm on a single machine. These consumed the CPU.
• Father Christmas:
– Created so much network traffic that the network became unusable and had to be shut down

Page 46: Malicious Logic

Question: Is there an algorithm that can determine if an arbitrary program contains replicating code?

Page 47: Malicious Logic

Answer (Cohen): No such algorithm can exist. It is provably undecidable whether an arbitrary program contains a computer virus.

Page 48: Malicious Logic

Logic Bomb

• A logic bomb is a program that executes malicious logic when some external event occurs
– E.g. the program attacks on a specific date
• Disaffected employees who plant Trojan horses in systems often use logic bombs
– E.g. delete the entire payroll roster when the employee's name is deleted from it

Page 49: Malicious Logic

Example

• Early 1980s: a program posted to USENET promised to make administering systems easier
• Directions:
– Unpack the shar archive containing the program
– Compile the program and install it as root
• Midway down the shar archive:

Page 50: Malicious Logic

A More Modern Perspective on Malicious Logic

We've talked a bit about classification and seen an important theoretical result. Now we consider more recent developments.

As always, thanks to my Berkeley colleagues for providing much of the slides on this modern perspective.

Page 51: Malicious Logic

Outline

• What is a Worm/Virus?
• Why are they created?
• Infection Vectors and Payloads
– How they propagate and what they do
• Worm propagation rates
• Virus/Worm detection/prevention
– File scanners, host scanners, network scanners
– Host monitors
• Targeted Worms and Viruses

Page 52: Malicious Logic

Internet Worms and Viruses

• Self-replicating code and data
– Worms are self-propagating (they search the network)
• Typically exploit vulnerabilities in an application running on a machine or in the machine's OS
– Viruses typically require a human interaction before propagating
• Running an e-mail attachment, or clicking a link in e-mail
• Inserting/connecting "infected" media to a PC
• Behavioral invariant: they seek to propagate

Page 53: Malicious Logic

Why Create Worms/Viruses?

• Formerly there was a prestige motivation
– Finding bugs, mass infections, ...
– 50% of viruses contain crackers'/groups' names
• Cracking for profit, including organized crime
– Create massive botnets: 10-100,000+ machines infected
• Overloading/attacking websites, pay-per-click scams, spamming/phishing e-mail, or phishing websites...
– More on botnets later...
– Corporate/personal espionage (SSNs, passwords, docs, ...)
• Closing security loopholes
– Is this ethical?

Page 54: Malicious Logic

Revisiting Zotob Virus (August 2005)

• Financially-driven motive
– Infected machines and set IE security to low (enables pop-up website ads)
– Revenue from ads that now appear
– The user may remove the virus, but the IE settings will likely remain set to low
– Continued revenue from ads...
• Targeted (among others) ABC, CNN, the Associated Press, NY Times, Caterpillar Inc.
– Cost an average of $97,000 and 80 hours of cleanup per company affected

Page 55: Malicious Logic

Revisiting Zotob Virus (August 2005, continued)

• August 26th, 2005 (two weeks after Zotob)
– Farid Essebar was arrested in Morocco, Atilla Ekici was arrested in Turkey
• September 16, 2006
– Essebar and friend Achraf Bahloul were sentenced in a Moroccan court
• Ekici is believed to have bought the worm for financial gain
• It is believed that Essebar is part of a larger group, the Dark-side Hackers, behind the spread of Zotob

Page 56: Malicious Logic

Infection Vectors and Payloads

• Two components to worms and viruses
• Infection vectors
– How they get onto your machine and then propagate
• Payloads
– What they do on your machine

Page 57: Malicious Logic

Infection Vectors

• Network scanning for potential victims (worms)
• Local/server/P2P files (viruses/worms)
• E-mail message components (viruses)
• Web sites (worms/viruses)

Page 58: Malicious Logic

Network Scanning for Potential Victims (Worms)

• How to scan the network?
– Pick an address, try to exploit protocol vulnerabilities
• How to generate addresses?
– Use a PRG (pseudo-random generator), but how to initialize the PRG?
• Same seed on each host (common flaw!)
– Need to generate a local seed...
• Generate a 32-bit IP address or 4 8-bit parts?
– Is even or uneven probing better?
– Local hosts are likely to be the same OS/patch level and have higher bandwidth
– Also the local address space is denser

Page 59: Malicious Logic

Worm Exploits

• Buffer overflows on servers/clients
– Identify de-serializing errors, send exploit code
– MSBlaster DCOM/RPC exploit
• Forcing protocol parsing errors
– Identify errors in protocol handling/state machine
– Morris worm fingerd remote code execution
• Weak passwords (more on this in a moment)
– Brute force: try the name backwards, appended, ...
• Out-of-the-box configuration errors
– Default ID/password
– Debugging mode enabled (Morris worm sendmail exploit)

Page 60: Malicious Logic

Infecting via Files

• Factory installed
• Removable media (viruses)
– Floppies, CD/DVD-ROMs, USB drives/keys
• Files on shared servers and P2P networks (worms/viruses)
– Have to convince the user to click to open...
– Or, an infected existing document
• E-mail file attachments (viruses)
– Have to convince the user to click to open...

Page 61: Malicious Logic

Infecting via E-mail

• E-mail attachments (viruses)
– Files (see last slide)
– Scripts: Windows Scripting Host
– HTML files: browser exploits (next slide)
• HTML-formatted e-mail messages
– Browser exploits (next slide)
– User clicks on links (leads to browser exploits)
– Windows Scripting Host
• Executes simply by viewing the e-mail message (LoveLetter)
– Embedded images (JPEG/PNG render exploits)

Page 62: Malicious Logic

Why E-mail based Infections?

• E-mail has become globally ubiquitous
– By 2006, e-mail traffic was expected to surge to 60 billion messages daily
• MessageLabs scanned 14.7 billion emails and found >6% were viral
• Nearly all of the most virulent worms of 2004 spread by email (Symantec/Sophos)

Page 63: Malicious Logic

Web Sites (Worms/Viruses)

• Set up a malicious server, or infect an existing server
– Porn, Warez/Crackz/Gamez, anti-spyware(!) sites
• Exploit bugs in the browser rendering engine
– "Drive-by-download" infection
• ActiveX exploits
– Leverage bugs in ActiveX components
– Enable remote script/code execution
• HTML parsing vulnerabilities
– Redirect to malicious sites
– Cause a buffer overflow, or a file download and execute

Page 64: Malicious Logic

Types of Payloads

• Bootstrap loader
• Message
• Propagation engine
– System settings/DNS changer, file installer
• Destructive actions
• Zombie software installer
• Trojans/Browser Helper Objects installer
• But, sometimes payloads don't work
– Inadvertent system crashes instead

Page 65: Malicious Logic

Payloads

• Bootstrap loader
– Used when the exploit can only send a small amount of code/script
– Establishes a TFTP connection back to the infecting machine to retrieve the real payload
• Message (could be null)
• Propagation engine
– Permanently installs the virus/worm by changing system settings, or by replacing/infecting system files (rootkit)
– Infects local/server/P2P documents, music, etc.
• Malicious: disk corruption, or BIOS re-flash

Page 66: Malicious Logic

Payloads (continued)

• Zombie software install
– Password cracker
– Spambot or Distributed Denial of Service bot
• Trojans/Browser Helper Objects installer
– Adware/spyware install
• Typically implemented as BHOs
– Collect personal info, logins/passwords for financial sites, files/data, and send them to the attacker
– Create popups and search redirects

Page 67: Malicious Logic

Fast Propagating Worm/Virus Side Effects

• Traffic floods network links
– Slammer prevented admins from accessing servers to shut them down/patch them
– Affected the access links
• Border Gateway Protocol heartbeats monitor links
• Timeouts caused links to drop, which stopped the worm traffic
• Heartbeats get through, links come back up, worm traffic flows again (repeat!)
• Overwhelms servers (e-mail/other)
– Denial of service (sometimes intentional)

Page 68: Malicious Logic

Virus/Worm Toolkits

• Dozens of websites and downloadable toolkits for building worms/viruses
• Make it easy for script kiddies to create new threats
• But, most are built from common building blocks with the same polymorphic engines
– Can create signatures for the blocks and engines
• Encryption is a looming threat...

Page 69: Malicious Logic

Our Path

• What is a Worm/Virus?
• Why are they created?
• Infection Vectors and Payloads
– How they propagate and what they do
• Worm propagation rates
• Virus/Worm detection/prevention
– File scanners, host scanners, network scanners
– Host monitors
• Targeted Worms and Viruses

Page 70: Malicious Logic

Propagation Rates

• Classic theory
– A function of the number of vulnerable hosts (N), the initial compromise rate (K), and the start time (T)
• Logistic equation:

  a = e^{K(t - T)} / (1 + e^{K(t - T)})

– a is the fraction of the N vulnerable hosts infected at time t (the number infected is N·a; a = 1/2 at t = T)
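The logistic curve on this slide, worked through as an added example (not code from the slides), together with the question the later signature slides raise: how much of the vulnerable population is infected by the time a signature is collected, generated and distributed. The curve is evaluated in the equivalent form 1 / (1 + e^{-K(t-T)}) and inverted to find when a given fraction is reached. The values used in the demonstration (K = 1.8 per hour, N = 360,000, delays of 2 + 6 + 6 hours, first noticed at 1% infected) are assumptions for illustration; the slides give the delays only as "hours to days".

```python
import math


def infected_fraction(t, K, T):
    """The slide's logistic curve a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), written
    in the equivalent, numerically safer form 1 / (1 + e^{-K(t-T)}).
    a is the fraction of the N vulnerable hosts infected at time t."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def infected_hosts(t, N, K, T):
    return N * infected_fraction(t, K, T)


def time_to_fraction(frac, K, T):
    """Invert the curve: the time at which fraction `frac` is infected.
    a = frac  <=>  K(t - T) = ln(frac / (1 - frac)); the midpoint a = 1/2 is at t = T."""
    return T + math.log(frac / (1.0 - frac)) / K


def early_doubling_time(K):
    """While a << 1, a(t) ~ e^{K(t-T)}, so the infected population doubles every ln(2)/K."""
    return math.log(2.0) / K


def signature_race(N, K, T, collect_h, generate_h, distribute_h, first_seen_frac=0.01):
    """Infected population by the time a signature is deployed. The clock starts
    when the worm is first noticed (fraction `first_seen_frac` infected) and the
    three human delays from the detection slides (in hours) are added to that."""
    t_seen = time_to_fraction(first_seen_frac, K, T)
    t_deployed = t_seen + collect_h + generate_h + distribute_h
    return {
        "first_seen_at": t_seen,
        "signature_deployed_at": t_deployed,
        "infected_at_deploy": infected_hosts(t_deployed, N, K, T),
    }


if __name__ == "__main__":
    # Assumed illustrative values: N = 360,000 vulnerable hosts, T = 0, and delays of
    # 2 h collection + 6 h generation + 6 h distribution. K = 1.8/hour is a fast worm;
    # K = 0.18/hour is the same worm scanning ten times more slowly.
    for K in (1.8, 0.18):
        r = signature_race(360_000, K, 0.0, 2, 6, 6)
        print(f"K={K}: doubling every {early_doubling_time(K) * 60:.0f} min, "
              f"{r['infected_at_deploy']:.0f} hosts infected when the signature ships")
```

With K = 1.8/hour the population doubles every 23 minutes and a 14-hour signature pipeline ships after essentially every vulnerable host is infected; at a tenth of that rate the same pipeline still lands at roughly 11% of N. Either way, the number that matters is the ratio of the worm's doubling time to the human delay, which is the slide's point that novel malcode outruns signatures.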

Page 71: Malicious Logic

Code Red I Propagation

• Can't easily count infected hosts
– Count scans instead
• Theory matches observed

Page 72: Malicious Logic

Propagation Rates (New Theory)

• Slammer
• The classic theory doesn't apply to fast propagating worms
– Links have bandwidth/latency constraints
– No universal connectivity

Page 73: Malicious Logic

Other Factors

• TCP (3-way handshake) versus UDP
– Latency between attacker and victim has a major impact for TCP
– Timeout delay when scanning
• Also a function of the scan algorithm
– PRN (pseudo-random number) quality
• Broken algorithms mean missed hosts
– Seed computation
– Scan distribution (even or local bias?)
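The scanning questions on the "Network Scanning for Potential Victims" slide and the "Other Factors" slide (same seed on every host, local bias versus uniform probing, broken generators that never reach part of the space) simulated as an added example; this is not code from the slides. The 16-bit toy address space, the seeds and the generator constants are assumptions chosen so the simulation runs in a second.

```python
import random

SPACE_BITS = 16              # toy address space of 2^16 hosts instead of 2^32 (assumption)
SPACE = 1 << SPACE_BITS


def scan_sequence(seed, count):
    """Addresses probed by one worm instance whose PRG was seeded with `seed`."""
    rng = random.Random(seed)
    return [rng.randrange(SPACE) for _ in range(count)]


def coverage(seeds, count):
    """Distinct addresses probed by a whole population, one instance per seed."""
    seen = set()
    for s in seeds:
        seen.update(scan_sequence(s, count))
    return len(seen)


def same_seed_vs_local_seed(instances=32, count=500):
    """The slide's 'same seed on each host' flaw against per-instance seeding
    (e.g. from the host's own address or clock). Returns (distinct_same, distinct_local)."""
    same = coverage([12345] * instances, count)            # every instance probes the same list
    local = coverage([12345 + i for i in range(instances)], count)
    return same, local


def local_biased_scan(seed, count, my_prefix, p_local):
    """'4 8-bit parts' style scanning with local bias: with probability p_local keep
    the infected host's own high byte (same /8) and randomise only the low byte;
    otherwise pick a uniformly random address."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        if rng.random() < p_local:
            out.append((my_prefix << 8) | rng.randrange(256))
        else:
            out.append(rng.randrange(SPACE))
    return out


def fraction_local(addrs, my_prefix):
    return sum(1 for a in addrs if (a >> 8) == my_prefix) / len(addrs)


def lcg_reachable(a, c, seed, m=SPACE):
    """How many distinct addresses a linear congruential generator x <- (a*x + c) mod m
    can ever emit. A bad choice of constants never visits part of the space, so those
    hosts are never scanned: the slide's 'broken algorithms mean missed hosts'."""
    x = seed % m
    seen = set()
    for _ in range(m):
        seen.add(x)
        x = (a * x + c) % m
    return len(seen)
```

Two things to read off the results: thirty-two instances sharing one seed cover no more of the network than a single instance does, and an LCG whose increment is even (a violation of the full-period conditions for a power-of-two modulus) preserves the parity of its state, so half the address space is never probed no matter how long the worm runs.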

Page 74: Malicious Logic

Propagation Behavior

• More efficient scanning finds victims faster (< 1 hr)
• Even faster propagation is possible if you cheat
– Effort is otherwise wasted scanning non-existent or non-vulnerable hosts
– Warhol worm: seed the worm with a "hit list" of vulnerable hosts (15 mins)

Page 75: Malicious Logic

Virus Propagation Rates

• How to determine virus propagation rates?
– Don't have universal connectivity
• Small worlds effect: 6 degrees of separation
– Have to account for queuing delays
– Limited (delayed) by the human interaction rate
– Very hard to model analytically
• E-mail viruses tend to appear first in Asia, then Europe, finally North/South America
– Follows the business day/timezones

Page 76: Malicious Logic

Our Path

• What is a Worm/Virus?
• Why are they created?
• Infection Vectors and Payloads
– How they propagate and what they do
• Worm propagation rates
• Virus/Worm detection/prevention
– File scanners, host scanners, network scanners
– Host monitors
• Targeted Worms and Viruses

Page 77: Malicious Logic

Detection/Prevention Techniques

• File and host scanners and monitors
– Signature-based scanners
• Have "zero" false negatives/positives (for malcode whose signature is already known)
• Significant human delay (hours to days)
– Heuristic-based scanners
• Non-zero false negative/positive rates
• Network scanners
• Firewalls
• Throttling

Page 78: Malicious Logic

Signature Generation Requires Human Intervention

• The human element slows reaction times
– Malcode collection can take hours
– Signature generation can take hours to days
– Signature distribution can take hours to days
– Novel malcode propagates faster than signatures
• Signature methods are mired in an arms race
– MyDoom.m and Netsky.b slipped through many mail scanners
– Malcode: polymorphic today, encrypted in future
– The signature-based approach alone is insufficient

Page 79: Malicious Logic

File/Host Scanners and Monitors

• File scanner
  – One-time/periodic “scan” or continuous real-time monitor
  – Scan all files on read/write
  – Heuristic: look for code similarities (e.g., propagation engines), not identical matches
• Host scanner
  – One-time/periodic “scan” or continuous real-time monitor
  – Scan active processes, BIOS, registry, … for infections
  – Heuristic: examine process memory, look for anomalous registry entries, …
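The two scanner classes from the preceding slides (signature-based, with “zero” false positives but blind to anything without a signature yet; heuristic, with non-zero error rates in both directions) can be seen side by side in a small file scanner. This is an added example, not code from the lecture: the signature database, the byte-entropy heuristic and its threshold, and the four sample files are all constructed here, and entropy is just one common heuristic chosen for illustration.

```python
import math
import tempfile
from pathlib import Path

# Constructed signature database: name -> byte pattern.  Real scanners hold many
# thousands of such patterns, each produced by a human analyst after a sample is collected.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MALCODE-MARKER-A",
    "Demo.Marker.B": b"DEMO-MALCODE-MARKER-B",
}

# Assumption for the heuristic: content whose bytes are nearly uniformly distributed
# (entropy close to the 8-bit maximum) is packed or encrypted, and therefore suspicious.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes) -> list:
    """Signature check: exact pattern match.  No false positives, but it cannot see novel code."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data: bytes) -> bool:
    """Heuristic check: flags high-entropy content.  Catches unknown packed code,
    but also flags legitimate compressed or encrypted files."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_tree(root) -> dict:
    """One-time scan of every regular file under `root`; findings keyed by file name."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        sigs = signature_scan(data)
        heur = heuristic_scan(data)
        if sigs or heur:
            findings[path.name] = {"signatures": sigs, "heuristic": heur}
    return findings


def build_sample_tree(root) -> None:
    """Write four constructed sample files, one per outcome of the two scanners."""
    root = Path(root)
    # Ordinary text: neither scanner fires.
    (root / "notes.txt").write_bytes(b"quarterly report draft, revision 3\n" * 20)
    # Carries a known signature: exact match, low entropy.
    (root / "infected.bin").write_bytes(b"\x00" * 64 + SIGNATURES["Demo.Marker.A"] + b"\x90" * 64)
    # Novel sample with no signature yet: the signature scanner misses it (false negative).
    (root / "novel.bin").write_bytes(b"\x00" * 64 + b"DEMO-MALCODE-MARKER-C" + b"\x90" * 64)
    # A uniform byte distribution stands in for a legitimate compressed archive:
    # the entropy heuristic fires on it (false positive).
    (root / "archive.zip").write_bytes(bytes(range(256)) * 16)


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it reports `infected.bin` (signature hit) and `archive.zip` (heuristic hit only) and says nothing about `novel.bin`: the signature scanner is silent until an analyst writes `Demo.Marker.C`, which is exactly the delay the next slide is about, while the heuristic's false positive on the archive is the cost of catching what signatures cannot.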

Page 80: Malicious Logic

Network Scanners

• Place at network ingress point
• Scan all incoming traffic, especially e-mail
  – Uses signatures like file scanners
  – Also heuristic e-mail scanning (phishing, spam)
• Can also apply exfiltration scanning
  – Phishing attempts, viruses/worms that attempt to transmit personal/sensitive/corporate data
• Scaling and reliability issues

Page 81: Malicious Logic

Firewalls

• Usually deployed at network ingress points
  – Default deny all
  – Stops worm scans
    • Except for public services, like web servers!
    • And trusted servers/clients
  – Can lead to complacency
    • Remember, network is only one propagation method
    • Laptops are a problem
• Partial solution: host-based firewalls
  – Now mandatory at many places
  – Still need signatures for detection

Page 82: Malicious Logic

Network Throttling

• Heuristic approach: limit #connections/min
  – Idea: slow down worm scans or outgoing virus e-mails
  – Algorithm placed in routers
• Limit outbound connections to slow down worms
• Can’t set a fixed limit, why?
  – Users have different sending rates, servers, …
• Inverse throttling
  – Tarpits
  – Delay connections to non-existent/protected hosts
  – Consumes precious OS resources on worm machine
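As an added illustration of the throttling idea (not code from the lecture): instead of a fixed connections-per-minute limit, which the slide notes cannot fit every user, the throttle below limits the rate of connections to new destinations, the working-set design usually credited to Williamson at HP Labs. A host that keeps talking to the same few servers is never delayed, however busy it is; a host that contacts a stream of previously unseen addresses has its connections queued, and the length of that queue is the alarm. The class, its parameters and the two traffic traces are constructed for this example.

```python
from collections import deque


class ConnectionThrottle:
    """Per-host throttle on connections to *new* destinations.

    Connections to recently contacted hosts (the working set) pass at once; connections
    to hosts not seen recently are queued and released at a bounded rate per tick.
    A legitimate user's queue stays short; a scanning worm's queue grows without bound."""

    def __init__(self, working_set_size=5, release_per_tick=1, alarm_queue_len=10):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted destinations
        self.delay_queue = deque()                          # destinations waiting for release
        self.release_per_tick = release_per_tick
        self.alarm_queue_len = alarm_queue_len
        self.alarmed = False

    def request(self, dest: str) -> str:
        """Decide one outgoing connection attempt: 'allow' it now or 'delay' it."""
        if dest in self.working_set:
            return "allow"
        self.delay_queue.append(dest)
        if len(self.delay_queue) > self.alarm_queue_len:
            self.alarmed = True  # queue growth, not raw connection rate, is the signal
        return "delay"

    def tick(self) -> list:
        """Advance one time slot: release a bounded number of delayed connections."""
        released = []
        for _ in range(self.release_per_tick):
            if not self.delay_queue:
                break
            dest = self.delay_queue.popleft()
            if dest not in self.working_set:
                self.working_set.append(dest)  # the oldest entry drops out when full
            released.append(dest)
        return released


def simulate(per_tick_requests, throttle=None):
    """Feed a list of per-tick destination lists through a throttle.
    Returns (allowed, delayed, alarmed)."""
    if throttle is None:
        throttle = ConnectionThrottle()
    allowed = delayed = 0
    for requests in per_tick_requests:
        for dest in requests:
            if throttle.request(dest) == "allow":
                allowed += 1
            else:
                delayed += 1
        throttle.tick()
    return allowed, delayed, throttle.alarmed


# Constructed traffic.  A normal user talks to the same two servers every tick; a
# scanning host tries twenty previously unseen addresses per tick (private 10/8 space).
NORMAL_TRAFFIC = [["mail.example", "www.example"] for _ in range(10)]
SCAN_TRAFFIC = [[f"10.0.{t}.{i}" for i in range(20)] for t in range(5)]

if __name__ == "__main__":
    print("normal user:  ", simulate(NORMAL_TRAFFIC))   # (17, 3, False)
    print("scanning host:", simulate(SCAN_TRAFFIC))     # (0, 100, True)
```

The normal trace is delayed only during warm-up (three connections while the two servers enter the working set) and never trips the alarm; the scanning trace never gets a single connection through immediately and trips it in the first tick. The same design with `release_per_tick` raised is what a router-side deployment would tune for servers with legitimately wide fan-out.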

Page 83: Malicious Logic

Our Path

• What is a Worm/Virus?
• Why are they created?
• Infection Vectors and Payloads
  – How they propagate and what they do
• Worm propagation rates
• Virus/Worm detection/prevention
  – File scanners, host scanners, network scanners
  – Host monitors
• Targeted Worms and Viruses

Page 84: Malicious Logic

Example Scenario

• You arrive at work and start reading e-mail
• In your inbox is a business proposal from your biggest competitor
• You’re curious so you open and read the proposal
• You decide to ignore it and continue on with your work
• Two weeks later you lose your biggest clients to the competitor, they lowball you on a bid, announce a better version of your planned killer product, …
• Fact or fiction?

Page 85: Malicious Logic

Fact!

• You’re the victim of a targeted attack
• Opening the proposal secretly installed a Trojan horse program
  – The Trojan searched your hard drives and network shares for confidential documents and e-mail messages
  – Then, it sent them out to a server run by your competitor
• Custom attacks are hard to detect
  – One-off nature means no signatures

Page 86: Malicious Logic

Targeted Attacks

• Israel (May 19, 2005)
  – 7 businessmen and 11 private detectives arrested for using a Trojan horse for cyber industrial espionage
    • Satellite TV, cell phone, auto import businesses
• Trojan designed by a husband-wife pair in Britain
  – Named Rona (variant of the Hotword Trojan)
  – Caught because the husband installed it on his father-in-law’s computer and it posted copies of a private manuscript online

Page 87: Malicious Logic

Designing a Targeted Attack

• How to profile target to identify OS, SW?
  – Send an e-mail message and examine reply!
    • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
  – More work to determine OS/SW patch levels
• Then craft an attack:
  – HTML script vulnerabilities
  – Embedded/remote images
  – Web site exploits
  – Office documents (macros, scripts, …)
  – Other document types (PDF, PS, …)

Page 88: Malicious Logic

Worm/Virus Summary

• Arms race between creators and protectors
• Existing signature approaches are limited
• Financial motive poses a growing threat
• High risk from Warhol worms
• Viruses are still a critical threat
  – FBI survey of 269 companies in 2004 found that viruses caused ~$55 million in damages

Page 89: Malicious Logic

CS 395: Computer Security, Fall 2006 (slide 89)

An aside: User Authentication

E.g., how can a system tell that you’re you? Unlike “real world” authentication (e.g., you recognize someone’s voice over the phone), a computer can’t “recognize” someone (well, not in the same way).

Page 90: Malicious Logic

The Basics

• Three quantities used to confirm a user’s identity
  – Something the user knows
    • Passwords, PIN numbers, secret handshake, mother’s maiden name
  – Something the user has
    • Identity badge, physical key, driver’s license, uniform
  – Something the user is
    • Biometrics: based on physical characteristics of the user (e.g., fingerprint, pattern of a person’s voice, picture of face)
• These three can be combined
• Password is the most common means of user authentication to an OS

Page 91: Malicious Logic

Passwords

• Although secure in theory, human practice often degrades the quality of this means of authentication
• Must handle:
  – Loss: depending on the implementation, it is possible that no one will be able to restore a lost password.
  – Use: supplying a password for each file access can be inconvenient and time consuming.
  – Disclosure: if a password is disclosed to an unauthorized individual, the file becomes immediately accessible. If the password is then changed, all other legitimate users must be notified.
  – Revocation: to revoke one user’s access rights to a file, someone must change the password, causing the same problems as disclosure.

Page 92: Malicious Logic

Aside: Multifactor Authentication

• This is a fancy name for the use of additional authentication information
• E.g., login allowed only if the password check is valid AND
  – the login request was received from a specific IP address and/or port, AND
  – the login request was received during a specific time period (say, between 8 a.m. and 5 p.m.)

Page 93: Malicious Logic

Aside: Multifactor Authentication

• Two forms of authentication (two-factor authentication) are better than one if both are strong
  – But as the number of forms increases, so does inconvenience
  – AND each authentication factor requires the system to manage more security info, which (in addition to increased protection resources) may also increase the complexity of the implementation

Page 94: Malicious Logic

Attacks on Passwords

• Passwords are limited as protection devices because of the relatively small number of bits of information they contain
• Ways to obtain a user’s password (in decreasing order of difficulty)
  – Try them all
  – Try frequently used passwords
  – Try passwords likely for the particular user
  – Search for the system list of passwords
  – Ask the user
• Systems don’t help here, as they often provide the attacker with partial information.

Page 95: Malicious Logic

Loose-Lipped Systems

• Note that password authentication is based on the premise that the user knows nothing of the system. But systems often help an attacker.
• Consider system messages that look like the ones above (uppercase is the system message, lowercase is the user)
  – The system is identified, and the attacker learns that adams is not a valid user name. An intruder can use this with common surnames to build a list of authorized users.

Page 96: Malicious Logic

Loose-Lipped Systems

• Better: the user is not told whether it is the username or the password that is bad
• But the message still provides the name of the system.

Page 97: Malicious Logic

Loose-Lipped Systems

• Best: the adversary receives no information until after successful authentication.
  – After all, a legitimate user should know the name of the system, so why provide it beforehand?

Page 98: Malicious Logic

Exhaustive Attack

• A.k.a. brute-force attack: the attacker tries all passwords (usually in an automated fashion) until the correct one is found
• Difficulty depends on the implementation (how long passwords are, etc.)

Page 99: Malicious Logic

Exhaustive Attack

• Example: assume passwords consist of the 26 characters A–Z, and can have length from 1 to 8 characters.
  – Num. passwords $= 26^1 + 26^2 + 26^3 + \cdots + 26^8 = 26^9 - 1 \approx 5 \times 10^{12}$
  – At one password/millisecond, takes 150 years
  – At one password/microsecond, takes two months!
• Reasonable time if the reward is large enough (e.g., a password protecting a file of credit card numbers)
  – And the expected search time, if all passwords are random, is half these times

Page 100: Malicious Logic

Probable Passwords

• Reduce the search space significantly!
• When humans choose words at random, they tend to choose words that are short, common, and easy to spell and pronounce.
• Attackers use this info:
  – Search passwords from shortest to longest
    • All passwords of 5 characters or less can be searched in under 4 hours.
    • The time given assumes people choose all passwords with equal probability (e.g., hdlzm and ehlzx are chosen as often as pizza and beer)
  – Spell-checkers often have dictionaries of commonly used words
    • One of these contains 80,000 words. Trying all of them takes only 80 seconds.
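The search-space arithmetic of the last two slides (26-letter alphabet, lengths 1 to 8; shortest-to-longest search; an 80,000-word dictionary) as an added example, not the lecture’s own material. The helpers evaluate the geometric sum exactly and turn a guess rate into a time; `policy_holds` goes one step beyond the slides and asks the question a policy author actually has, whether the expected search outlasts the password’s lifetime. The 1e10 guesses/second figure in the demo is an assumption about modern offline guessing of a fast hash, not a number from the slides.

```python
def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of each length from min_len to max_len (exact geometric sum)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def search_time(candidates: int, guesses_per_second: float, expected: bool = False) -> float:
    """Seconds to try `candidates` guesses.  expected=True gives the average for a
    uniformly random target, which is half the worst case."""
    seconds = candidates / guesses_per_second
    return seconds / 2 if expected else seconds


def longest_length_within(alphabet_size: int, guesses_per_second: float,
                          budget_seconds: float, max_len: int = 64) -> int:
    """Shortest-to-longest search: the largest L such that every password of length
    1..L can be tried within the budget (0 if even length 1 does not fit)."""
    longest = 0
    for n in range(1, max_len + 1):
        if search_time(keyspace(alphabet_size, 1, n), guesses_per_second) <= budget_seconds:
            longest = n
        else:
            break
    return longest


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def policy_holds(alphabet_size: int, min_len: int, max_len: int,
                 guesses_per_second: float, lifetime_seconds: float) -> bool:
    """Policy sizing: does the expected search take longer than the password is valid for?"""
    total = keyspace(alphabet_size, min_len, max_len)
    return search_time(total, guesses_per_second, expected=True) > lifetime_seconds


if __name__ == "__main__":
    ms_rate, us_rate = 1e3, 1e6  # the slides' one guess per millisecond / per microsecond
    space = keyspace(26, 1, 8)
    print(f"A-Z, length 1..8: {space:,} passwords")
    print("  at 1/ms:", humanize(search_time(space, ms_rate)))
    print("  at 1/us:", humanize(search_time(space, us_rate)))
    print("  longest length fully searched in 4 h at 1/ms:", longest_length_within(26, ms_rate, 4 * 3600))
    print("  80,000-word dictionary at 1/ms:", humanize(search_time(80_000, ms_rate)))
    # Assumption (not from the slides): 1e10 guesses/s for an offline attack on a fast hash.
    print("95 printable chars, length 12..16, expected at 1e10/s:",
          humanize(search_time(keyspace(95, 12, 16), 1e10, expected=True)))
    print("A-Z 1..8 holds for a 90-day password lifetime at 1/ms:",
          policy_holds(26, 1, 8, ms_rate, 90 * 86400))
```

Two things worth noticing when it runs: the shortest-first budget confirms the slide’s “5 characters in under 4 hours” at one guess per millisecond, and the same 1..8 policy that looks comfortable at that rate collapses once the rate reflects offline guessing, which is why the lifetime comparison, not the raw keyspace, is the number to put in a policy.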

Page 101: Malicious Logic

Passwords Likely for a User

• Usually meaningful to the person
  – Name of spouse, child, brother, sister, pet, street name, or something memorable or familiar
  – The list of these things is often only a few hundred entries long at most. Can be checked in under a second!

Page 102: Malicious Logic

Distribution of Actual Passwords

• 1979 study by Morris and Thompson
  – Considered 3,289 passwords
• Results:
  – 15 were single ASCII characters
  – 72 were two ASCII characters
  – 464 were three ASCII characters
  – 477 were four alphabetic letters
  – 706 were five alphabetic letters, all the same case
  – 605 were six lowercase alphabetic letters
  – 492 were words in dictionaries or lists of names
• Total: 2,831 (86%) contained in this list!

Page 103: Malicious Logic

Figures are Not Dated

• 1990: Klein collected approx. 15,000 passwords
  – 2.7% guessed within 15 minutes, 21% within one week
• 1992: Spafford collected approx. 15,000 passwords
  – Average length 6.8 characters
  – 28.9% consisted of only lowercase alphabetic characters

Page 104: Malicious Logic

Figures are Not Dated

• 2002: British online bank Egg finds 50% of passwords for its online banking service were family members’ names:
  – 23% children’s names
  – 19% spouse or partner
  – 9% their own name
  – 8% pet names
  – 9% each for celebrity and soccer stars’ names

Page 105: Malicious Logic

Still Worse

• 1998: Knight and Hartley report approx. 35% of passwords derived from syllables and initials of the account owner’s name.
• Several articles claim that God, sex, love, and money are the four most common passwords
• Lists of common passwords posted online
  – http://www.geodsoft.com/howto/password/common.htm
  – http://www.phenoelit.de/dpl/dpl.html
  – Also sites that post dictionaries of phrases, science fiction characters, places, mythological names, Chinese words, Yiddish words, and several other specialized lists
• Sysadmin utilities such as SATAN, COPS, and Crack allow administrators to check for weak passwords. They also allow attackers to do the same.
• Changing letters to numbers (e.g., 0 for the letter O, 1 for lowercase L, etc.): been done, and the attackers know it.

Page 106: Malicious Logic

Knight and Hartley 12 Password Guessing Steps

• No password
• The same as the user ID
• Is, or is derived from, the user name
• Common word list (e.g., password, secret) plus common names and patterns (e.g., asdfg, aaaaaa)
• Short college dictionary
• Complete English word list
• Common non-English language dictionaries
• Short college dictionary with capitalizations (PaSsWorD) and substitutions (0 for O, etc.)
• Complete English with capitalizations and substitutions
• Common non-English dictionaries with capitalizations and substitutions
• Brute force, lowercase alphabetic characters
• Brute force, full character set
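A password-change-time check that applies the steps above in order, in the spirit of the Crack/COPS audits the previous slide mentions: rather than guessing at existing hashes, it tells a user at the moment they pick a password which step would have found it. This is an added example, not Knight and Hartley’s code. The word lists are tiny constructed stand-ins for a real common-password list and dictionary, the step numbers follow the order the slide lists them, and only steps 1 to 5, 8 and 11 are implemented, since the remaining steps need word lists the page does not include.

```python
import re

# Constructed stand-ins for the word lists the steps refer to.  A real deployment
# loads a common-password list and a full dictionary from disk.
COMMON_WORDS = {"password", "secret", "letmein", "welcome", "admin"}
COMMON_PATTERNS = {"asdfg", "aaaaaa", "qwerty", "123456", "abcdef"}
DICTIONARY = {"pizza", "beer", "dragon", "monkey", "summer", "football", "college"}

# Undo the substitutions the slides mention (0 for O, 1 for l, ...) before lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and reverse the common letter-to-symbol substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def derived_from_name(name: str, password: str) -> bool:
    """True if the password contains, or is contained in, a piece of the user's
    name (or that piece reversed).  Pieces shorter than 3 letters are ignored."""
    pw = password.lower()
    pieces = {p for p in re.split(r"[^a-z]+", name.lower()) if len(p) >= 3}
    pieces |= {p[::-1] for p in pieces}
    return any(p in pw or (len(pw) >= 3 and pw in p) for p in pieces)


def weakness(user_id: str, full_name: str, password: str):
    """Apply the guessing steps in order.  Returns (step number, reason) for the first
    step that would succeed, or None if the password survives every implemented step."""
    low = password.lower()
    if password == "":
        return 1, "no password"
    if password == user_id:
        return 2, "same as the user ID"
    if derived_from_name(user_id, password) or derived_from_name(full_name, password):
        return 3, "derived from the user name"
    if low in COMMON_WORDS or low in COMMON_PATTERNS:
        return 4, "common word or keyboard pattern"
    if low in DICTIONARY:
        return 5, "dictionary word"
    if normalize(password) in COMMON_WORDS | DICTIONARY:
        return 8, "dictionary word after undoing capitalization and substitutions"
    if re.fullmatch(r"[a-z]+", password) and len(password) <= 6:
        return 11, "short, lowercase-only: within reach of alphabetic brute force"
    return None


# Constructed (user ID, full name, proposed password) triples an administrator might test.
SAMPLES = [
    ("alice", "Alice Smith", ""),
    ("alice", "Alice Smith", "alice"),
    ("alice", "Alice Smith", "smith99"),
    ("alice", "Alice Smith", "qwerty"),
    ("alice", "Alice Smith", "Dragon"),
    ("alice", "Alice Smith", "P@ssw0rd"),
    ("alice", "Alice Smith", "xkqzt"),
    ("alice", "Alice Smith", "Vx7!qLm2pR"),
]

if __name__ == "__main__":
    for uid, name, pw in SAMPLES:
        print(f"{pw!r:14} -> {weakness(uid, name, pw)}")
```

The ordering matters for the message the user sees: `P@ssw0rd` is not in any list as typed, so it is only rejected at step 8, which is exactly the point of the slide’s “the attackers know it” remark about substitutions. Steps 6, 7, 9, 10 and 12 slot into the same `if` chain once the corresponding word lists are available.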

Page 107: Malicious Logic

Plaintext System Password List

• Not a good idea
• Even if protected via access control (e.g., only OS-level functions can access it) it’s not good
  – Many OS functions never need to read the file, and opening it to all OS functions means that if even one of these functions is compromised, the password list is compromised as well
• System backups often lack protection mechanisms (physical security and access control to the backup tapes themselves are the only security for these).
• The password file is stored on a disk, so anyone who can overcome file restrictions or has access to the disk can obtain the password file.

Page 108: Malicious Logic

Encrypted Password File

• Password table entries are encrypted using a one-way function (e.g., a hash) and then stored.
• On login, the hash of the user’s password is checked against the entry in the password file.
• A problem: two users who pick the same password will notice that they have the same password hash
• Salt: a small number formed from other info, and appended to the password
  – Password + salt is what is hashed
  – The salt is stored in plaintext. On an authentication attempt, the OS appends the salt to the password and hashes the extended password to check against the password file.
  – E.g., the Unix salt is a 12-bit number formed from the system time and process ID.
• Still a good idea to limit access to the password file (even if encrypted)
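The salted one-way-function scheme on this slide, combined with the loose-lipped-systems advice from slides 95 to 97 (the same failure message, and the same amount of work, whether it was the user name or the password that was wrong). This is an added example, not the lecture’s code: PBKDF2-HMAC-SHA256, the 16-byte random salt, the iteration count and the constructed user names are assumptions that stand in for the 12-bit Unix salt the slide describes; the construction (hash password plus salt, store salt in the clear) is the same.

```python
import hashlib
import hmac
import os

# Assumptions: PBKDF2-HMAC-SHA256 as the one-way function, a 16-byte random salt.
HASH_NAME = "sha256"
ITERATIONS = 50_000
SALT_BYTES = 16


def unsalted_entry(password: str) -> bytes:
    """What the file looks like without a salt: equal passwords give equal entries."""
    return hashlib.sha256(password.encode()).digest()


def make_entry(password: str, salt: bytes = None) -> tuple:
    """Hash password||salt with a one-way function; return (salt, digest), the only
    things stored.  The salt is kept in plaintext beside the digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed password file: user name -> (plaintext salt, digest).
PASSWORD_FILE = {}

# Entry with a random, unknown password.  Unknown user names are checked against it so
# that "no such user" costs the same time as "wrong password" and cannot be told apart.
DUMMY_ENTRY = make_entry(os.urandom(32).hex())

GENERIC_FAILURE = "Login incorrect"


def add_user(name: str, password: str) -> None:
    PASSWORD_FILE[name] = make_entry(password)


def login(name: str, password: str) -> tuple:
    """Returns (success, message).  A loose-lipped system would answer 'no such user'
    or 'bad password'; this one answers, and works, identically in both cases."""
    salt, stored = PASSWORD_FILE.get(name, DUMMY_ENTRY)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, stored) and name in PASSWORD_FILE
    return ok, ("Welcome" if ok else GENERIC_FAILURE)


def same_password_detectable(user_a: str, user_b: str) -> bool:
    """Can someone reading the file tell that two users chose the same password?"""
    return PASSWORD_FILE[user_a][1] == PASSWORD_FILE[user_b][1]


if __name__ == "__main__":
    add_user("alice", "correct horse")
    add_user("bob", "correct horse")
    print("unsalted entries equal:", unsalted_entry("correct horse") == unsalted_entry("correct horse"))
    print("salted entries equal:  ", same_password_detectable("alice", "bob"))
    for attempt in (("alice", "correct horse"), ("alice", "wrong"), ("nobody", "wrong")):
        print(attempt, "->", login(*attempt))
```

With the salt, alice and bob’s identical passwords produce unrelated entries, so the “same hash” problem on the slide disappears; `hmac.compare_digest` and the dummy entry keep the failure path uniform in both message and timing. The slide’s last bullet still applies: the salt does nothing to stop guessing against a copied file, which is why read access to it stays restricted.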

Page 109: Malicious Logic

Indiscreet Users

• Tape the password to the side of the terminal or write it down on a card just inside the top desk drawer
• Users sharing files share passwords: “my password is x, just get the file yourself”
• Verisign (2005), in an unscientific poll, found that 2/3 of people approached on the street volunteered to disclose their password in exchange for a coupon good for a cup of coffee. 79% admitted they use the same password for multiple systems or sites.