CSE331: Introduction to Networks and Security Lecture 32 Fall 2002


Page 1: CSE331: Introduction to Networks and Security Lecture 32 Fall 2002

CSE331: Introduction to Networks and Security

Lecture 32

Fall 2002


CSE331 Fall 2002 2

Recap

• Malicious Programs
– Viruses
– Boot Viruses, Memory Resident, Macros

• Today:
– Computer Virus Defenses
– Computer Worms


“I Love You” Virus/Worm

• Infection Rate
– At 5:00 pm EDT (GMT-4) May 8, 2000, CERT had received reports from more than 650 sites
– More than 500,000 individual systems

• VBScript

• Propagation
– Email, Windows file sharing, IRC, USENET news


Love Bug

• Signature
– An attachment named "LOVE-LETTER-FOR-YOU.TXT.VBS"
– A subject of "ILOVEYOU"
– Message body: "kindly check the attached LOVELETTER coming from me."


Love Bug Behavior

• Replaced certain files with copies of itself
– Based on file extension (e.g. .vbs, .js, .hta, etc.)

• Changed Internet Explorer start page
– Pointed the browser to infected web pages

• Mailed copies of itself

• Changed registry keys


Detecting Viruses

• Scanning
• Integrity checking
• Heuristic detection


Virus Signatures

• Viruses can’t be completely invisible:
– Code must be stored somewhere
– Virus must do something when it runs

• Fragments of the virus code itself
– Strings: “kindly check the attached LOVELETTER”

• Effects on the computing environment
– Changes to the Windows registry

• Propagation behavior
– Copying/modifying system files


Virus Scanners

• Search the system for virus signatures
– Main memory
– All files in file system
– Should also check boot sector

• When to scan?
– On access (when a program is run)
– On demand (at user’s request, or scheduled)
– When e-mail is received?
– Before web content is displayed?


Virus Scanning: Pros & Cons

• Pros
– Effectively detects known viruses before they can cause harm
– Few false alarms

• Cons
– Can detect only viruses with known signatures
– Signature set must be kept up to date
– Virus writers can easily change virus signatures


Integrity Checks

• Virus scanner computes hash or checksum of executable files
– Assumed to be virus free!
– Stores the hash information

• Verifies new hash vs. saved one during scan


Integrity Checks: Pros & Cons

• Pros
– Can detect corruption of executables too
– Reliable
– Doesn’t require virus signatures

• Cons
– False positives (e.g. recompilation)
– Can’t use it on documents (they change too often)
– Not supported by most vendors
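The integrity check the two slides above describe, written out as an added Python example (this is not code from the lecture). It hashes the executables under a directory with SHA-256, saves the hashes to a JSON file, and on a later scan reports files that were modified, are missing, or are new. The file names, contents and the .exe/.dll/.sys extension list are constructed for this demonstration; the demo function also shows the false positive the slide mentions: an executable with bytes appended and a DLL that was simply rebuilt both come back as "modified", and the checker has no way to tell them apart.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Which files count as executables.  Assumption for this example; a real
# checker would look at file headers rather than at names.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys")


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Hash every executable under root.  The slide's assumption applies:
    the tree is taken to be virus-free at the moment the baseline is built."""
    baseline: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = hash_file(path)
    return baseline


def save_baseline(baseline: Dict[str, str], store: str) -> None:
    # The stored hashes are the root of trust: keep them somewhere the
    # scanned system cannot rewrite (read-only media, another host).
    with open(store, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(store: str) -> Dict[str, str]:
    with open(store) as f:
        return json.load(f)


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Recompute the hashes and compare them with the saved ones."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then append bytes to
    app.exe the way a file infector would and rewrite lib.dll the way a
    compiler would.  Both come back as 'modified'; the checker cannot tell
    infection from recompilation, which is the false positive the slide notes."""
    files = {"app.exe": b"MZ app v1", "lib.dll": b"MZ lib v1", "readme.txt": b"docs"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        store = os.path.join(root, "baseline.json")  # demo only; see save_baseline
        save_baseline(build_baseline(root), store)

        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\x00appended code")               # infection-style change
        with open(os.path.join(root, "lib.dll"), "wb") as f:
            f.write(b"MZ lib v1 built with new flags")  # legitimate rebuild

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints both app.exe and lib.dll under "modified". In practice the baseline is refreshed after every known-good build or patch, and it has to live where the code being checked cannot alter it, otherwise a virus that rewrites the executable can rewrite the saved hash too.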


Heuristic Detection

• Collection of ad hoc rules that identifies virus behavior or virus-like programs
– Modification of system executables
– Modification of “template documents” like normal.doc
– Self-modifying and self-referential code
– …


Heuristics: Pros & Cons

• Pros
– Perhaps able to detect unknown viruses

• Cons
– Heuristics are hard to develop
– Too many false positives
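A heuristic scorer of the kind the two slides above describe, as an added Python example (it is not part of the lecture). It runs a few weighted rules over behaviour-log lines in a made-up "<process> <op> <path>" format: writing a system executable, writing an Office template, writing a copy of the process's own image (the self-referential case), and rewriting the Internet Explorer start page from the Love Bug slides. The format, the log lines, the weights and the threshold are all assumptions for this demonstration. The sample log also shows the false-positive problem: an installer that drops files into System32 and sets a browser home page scores as high as the worm-like script.

```python
import ntpath
import re
from typing import Dict, List

# Constructed log format, one event per line: "<process> <op> <path>".
# Both the format and the sample lines are assumptions for this example.
EVENT = re.compile(r"^(?P<proc>\S+)\s+(?P<op>\S+)\s+(?P<path>.+?)\s*$")

SAMPLE_LOG = r"""
LOVE-LETTER-FOR-YOU.TXT.vbs write C:\Windows\System32\LOVE-LETTER-FOR-YOU.TXT.vbs
LOVE-LETTER-FOR-YOU.TXT.vbs regwrite HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
winword.exe write C:\Users\alice\AppData\Roaming\Microsoft\Templates\normal.dot
setup.exe write C:\Windows\System32\vendor.dll
setup.exe write C:\Windows\System32\vendor.exe
setup.exe regwrite HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
notepad.exe write C:\Users\alice\notes.txt
"""


def is_system_exe(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\windows\\") and p.endswith((".exe", ".dll", ".sys"))


def is_template(path: str) -> bool:
    return ntpath.basename(path).lower() in {"normal.doc", "normal.dot"}


def is_self_copy(proc: str, path: str) -> bool:
    # self-referential behaviour: the process writes a file carrying its own name
    return ntpath.basename(path).lower() == proc.lower()


def is_start_page(path: str) -> bool:
    return path.lower().endswith("\\internet explorer\\main\\start page")


# (rule name, weight, predicate).  Weights and threshold are assumptions.
RULES = [
    ("modifies a system executable",   3, lambda proc, op, path: op == "write" and is_system_exe(path)),
    ("modifies an Office template",    3, lambda proc, op, path: op == "write" and is_template(path)),
    ("writes a copy of its own image", 4, lambda proc, op, path: op == "write" and is_self_copy(proc, path)),
    ("changes the browser start page", 2, lambda proc, op, path: op == "regwrite" and is_start_page(path)),
]
THRESHOLD = 5


def score_log(lines) -> Dict[str, Dict]:
    """Score each process once per rule it trips; return scores and reasons."""
    per_proc: Dict[str, Dict] = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # blank or malformed line
        proc, op, path = m.group("proc"), m.group("op").lower(), m.group("path")
        entry = per_proc.setdefault(proc, {"score": 0, "reasons": []})
        for name, weight, pred in RULES:
            if name not in entry["reasons"] and pred(proc, op, path):
                entry["score"] += weight
                entry["reasons"].append(name)
    return per_proc


def suspicious(lines) -> List[str]:
    """Processes whose score reaches the threshold."""
    return sorted(p for p, e in score_log(lines).items() if e["score"] >= THRESHOLD)


if __name__ == "__main__":
    for proc, e in score_log(SAMPLE_LOG.splitlines()).items():
        print(f"{proc:30} {e['score']:2}  {', '.join(e['reasons'])}")
    print("flagged:", suspicious(SAMPLE_LOG.splitlines()))
```

With these weights the script scores 6 (self-copy plus start page) and setup.exe scores 5 (system executable plus start page), so both are flagged, while winword.exe saving normal.dot scores 3 and passes. Raising the threshold to clear the installer would also clear a virus that only does one of the things the rules look for, which is the tuning problem the "hard to develop" bullet refers to.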


Polymorphic Viruses

• Virus writers know that virus signatures are the most effective way to detect viruses

• Polymorphic viruses mutate themselves during replication to prevent detection
– Virus should be capable of generating many different descendants
– Simply embedding random numbers into virus code is not enough


Strategies for Polymorphic Viruses

• Change data:
– Use different subject lines in e-mail

• Encrypt most of the virus with a random key
– Virus first decrypts main body using random key
– Jumps to the code it decrypted
– When replicating, generate a new key and encrypt the main part of the replica

• Still possible to detect decryption portion of the virus using virus signatures
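A signature scanner of the kind described on the Virus Signatures and Virus Scanners slides, carried through to the encrypted-virus case on the slide above, as an added Python example (this is not the lecture's code and not any product's). The signature database, the "DECRYPT_STUB:" marker standing in for a constant decryption loop, and the sample files are constructed for this demonstration; the samples are inert byte strings that nothing executes. The on-demand scan walks a temporary directory and shows the three outcomes the slides discuss: the body string is matched in a plaintext copy, it is missed in a re-encrypted replica and after a one-word edit, and the unchanged decryptor stub is still matched in every encrypted copy.

```python
import os
import tempfile
from typing import Dict, List

# Signature database.  Constructed for this example: a signature is a byte
# string expected to occur in every copy of the virus it names.
SIGNATURES: Dict[str, bytes] = {
    "LoveLetter.body": b"kindly check the attached LOVELETTER",
    "Toy.decryptor": b"DECRYPT_STUB:",  # the constant decryption loop
}


def scan_bytes(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature that occurs in data."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_tree(root: str, signatures: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[str]]:
    """On-demand scan: read every file under root and report signature hits,
    keyed by path relative to root."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    found = scan_bytes(f.read(), signatures)
            except OSError:
                continue  # unreadable file: a real scanner would log this
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# --- constructed samples (inert byte strings, nothing here runs) -----------

BODY = b"toy virus body: kindly check the attached LOVELETTER coming from me."


def make_variant(key: int) -> bytes:
    """Model of the slide's encrypted virus: a fixed decryption stub, the
    per-copy key, then the body XORed with that key.  key=0 leaves the body
    in clear, which is what the scanner's body signature was written against."""
    return b"DECRYPT_STUB:" + bytes([key]) + bytes(b ^ key for b in BODY)


def scan_samples() -> Dict[str, List[str]]:
    """Write four constructed files into a temp dir, scan it, return the hits."""
    samples = {
        "clean.txt": b"quarterly report, nothing to see",
        "plain.vbs": make_variant(0),          # unencrypted copy
        "variant.vbs": make_variant(0x5A),     # re-encrypted replica
        "retyped.vbs": BODY.replace(b"LOVELETTER", b"LOVE-LETTER"),  # one edit to the string
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in sorted(scan_samples().items()):
        print(f"{path}: {found}")
```

The scan reports plain.vbs under both signatures, variant.vbs only under the decryptor signature, and nothing for retyped.vbs or clean.txt. That is the whole argument of the slide in one run: a signature on the encrypted body is worthless after the replica picks a new key, and a trivial edit to a string signature defeats it even without encryption, but the decryptor has to be stored in clear so the scanner can still key on it, which is exactly why the next slide's "advanced" viruses go after the decryptor.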


Advanced Polymorphic Viruses

• Randomly modify the decryption portion of the virus by:
– Inserting no-op instructions: subtract 0, move value to itself
– Reordering independent instructions
– Using different variable/register names
– Using equivalent instruction sequences: y = x + x vs. y = 2 * x


CERT Advice 1

• Use virus protection software
• Use a firewall
• Don't open unknown email attachments
• Don't run programs of unknown origin
• Disable hidden filename extensions
• Keep all applications, including your operating system, patched


CERT Advice 2

• Turn off your computer or disconnect from the network when not in use
• Disable Java, JavaScript, and ActiveX if possible
• Disable scripting features in email programs
• Make regular backups of critical data
• Make a boot disk in case your computer is damaged or compromised


Internet Worms

• November 2, 1988
• Robert T. Morris Jr. unleashed Internet worm
– Graduate student at Cornell University
– Convicted in 1990 of violating Computer Fraud and Abuse Act
– $10,000 fine, 3 yr. suspended jail sentence, 400 hours of community service
– Son of the chief scientist at the National Computer Security Center, part of the National Security Agency
– Today he’s a professor at MIT


Morris Worm Transmission

• Find user accounts on the target machine
– Dictionary attack on /etc/passwd
– If it found a match, it would log in and try the same username/password on other local machines

• Exploit bug in fingerd
– Classic buffer overflow attack

• Exploit trapdoor in sendmail
– Programmer left DEBUG mode in sendmail, which allowed sendmail to execute an arbitrary shell command string.


Morris Worm Infection

• Sent a small loader to target machine
– 99 lines of C code
– It was compiled on the remote platform (cross-platform compatibility)
– The loader program transferred the rest of the worm from the infected host to the new target.
– Used authentication! To prevent sys admins from tampering with loaded code.
– If there was a transmission error, the loader would erase its tracks and exit.


Morris Worm Stealth

• When loader obtained full code
– It was put into main memory and encrypted
– Original copies were deleted from disk
– (Even a memory dump wouldn’t expose the worm)

• Worm periodically changed its name and process ID


Effects

• Resource exhaustion
– Denial of service
– There was a bug in the loader program that caused many copies of the worm to be spawned per host

• System administrators cut their network connections
– Couldn’t use internet to exchange fixes!

• 6,000 networks were shut down or disconnected
– Down for several days
– Damage estimates: $100,000 to $97 Million