J. Wang. Computer Network Security Theory and Practice. Springer 2008
Chapter 8
The Art of Anti Malicious Software
Chapter 8 Outline
8.1 Viruses
8.2 Worms
8.3 Virus Defense
8.4 Trojan Horses
8.5 Hoaxes
8.6 Peer-to-Peer Security
8.7 Web Security
8.8 Distributed Denial of Service Attacks
Viruses
- A computer virus is a piece of code hiding in a program that can automatically copy itself or embed a mutation of itself in other programs
  - Cannot spread on its own; often requires a host program to live in
  - Infected program: a host program with a virus
  - Uninfected program (healthy program): a program cleared of all viruses
  - Disinfected program: a program once infected but now cleared of viruses
- Specific to particular types of file systems, file formats, and operating systems
  - Particular types of architecture, CPU, languages, macros, scripts, debuggers, and every other form of programming or system environment
Virus Types
Classified based on host programs:
- Boot virus:
  - Infects the boot program in the boot sector
  - Uses the boot sequence to activate itself
  - Modifies the operating system to intercept disk access and infect other disks
  - May also infect an updatable BIOS of a PC
- File-system virus:
  - Overwrites table entries and spreads itself through file systems (the file system maintains a table of pointers to the first cluster of each file)
- File-format virus: infects individual files
- Macro virus: infects documents containing macro code
Virus Types (cont.)
- Script virus:
  - Infects script files
  - Replicates itself in the form of email attachments, office and Web documents
- Registry virus: infects the Microsoft Windows registry
- Memory-resident virus: infects programs loaded into main memory for execution
Classified based on embedded forms:
- Stealth virus: usually uses compression to mask itself
- Polymorphic virus: may change instruction orderings or encrypt itself into different forms
- Metamorphic virus: can be rewritten automatically during transmission
Virus Infection Schemes
- Overwrite a segment of an existing program
- Insert itself at the beginning, in the middle, or at the end of an uninfected host program
- Break itself into segments and insert each segment in a different location of the host program
- The virus has the same access rights as the host program
Virus Infection Schemes (Diagram)
Virus Structure
Consists of 4 main subroutines:
- Infect: search for host programs and check whether they are already infected
- Infection-Condition: check for certain conditions to launch the Infect subroutine
- Break-Out: carry out the actual damage work
- Breakout-Condition: check for certain conditions to launch the Break-Out subroutine
Compressor Viruses
- An infected host file will often show a change in size before and after infection
- Compressor viruses attempt to hide that change:
  - Compress the host file during the infection period
  - Decompress the host file during the breakout period
  - May add padding if the compressed host plus viral code is smaller than the original size
Virus Dissemination
- Spread through portable storage devices (traditional): floppy disks, CDs, flash memory sticks
- Spread through email attachments and downloaded programs (contemporary)
  - Email is a significant vector because many email programs and users blindly open attachments
Win32 Virus Infection Dissection
- Win32 viruses exploit Microsoft's Portable Executable (PE) format for infection
- A PE file contains:
  - PE sections: modules of code, data, resources, import tables, and export tables
  - PE headers: provide crucial information about the executable image; natural targets of Win32 viruses
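As an added illustration (not code from the book), the Python below walks the PE headers the slide names and applies a defensive sanity check to them: does the entry point fall inside a declared section, and is that section the last one, non-executable, or writable? Those are the header anomalies an appended file infector typically leaves behind. The `build_pe` helper, the sample images and the `.xyz` section name are constructed for the demo; the flag values are the documented IMAGE_SCN_* constants.

```python
import struct

def parse_pe(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the COFF header
    entry = struct.unpack_from('<I', data, opt + 16)[0]   # AddressOfEntryPoint (an RVA)
    table = opt + opt_size                                # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from('<8sIIIIIIHHI', data, table + 40 * i)
        sections.append((name.rstrip(b'\0').decode(), va, vsize, flags))
    return entry, sections

def check_entry_point(data: bytes) -> list:
    """Flag an entry point outside every section, in the last section, or in a non-code/writable one."""
    entry, sections = parse_pe(data)
    hits = [i for i, (_, va, vsize, _) in enumerate(sections) if va <= entry < va + vsize]
    if not hits:
        return ['entry point outside every section']
    idx = hits[0]
    name, _, _, flags = sections[idx]
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append(f'entry point in last section {name}')
    if not flags & 0x20000000:                            # IMAGE_SCN_MEM_EXECUTE
        findings.append(f'entry section {name} is not executable')
    if flags & 0x80000000:                                # IMAGE_SCN_MEM_WRITE
        findings.append(f'entry section {name} is writable')
    return findings

def build_pe(sections, entry: int) -> bytes:
    """Constructed minimal PE32 image (headers and section table only, no code)."""
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 64)                   # e_lfanew = 64
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack('<H14xI', 0x10B, entry).ljust(224, b'\0')        # PE32 magic, entry RVA
    table = b''.join(struct.pack('<8sIIIIIIHHI', n.encode(), vs, va, vs, 0, 0, 0, 0, 0, f)
                     for n, va, vs, f in sections)
    return dos + b'PE\0\0' + coff + opt + table

# Constructed samples: a normal layout, and one whose entry point was redirected into a
# writable+executable section appended after .data, the shape an appending infector leaves.
CLEAN = build_pe([('.text', 0x1000, 0x1000, 0x60000020), ('.data', 0x2000, 0x1000, 0xC0000040)], 0x1100)
SUSPECT = build_pe([('.text', 0x1000, 0x1000, 0x60000020), ('.data', 0x2000, 0x1000, 0xC0000040),
                    ('.xyz', 0x3000, 0x200, 0xE0000020)], 0x3010)
```

These are heuristics, not proof: legitimate packers and some linkers also put the entry point in a late or writable section, so a hit marks a file for closer inspection rather than convicting it.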
Worms
- A worm is a standalone program that can replicate itself and spread through networks
  - May be viewed as a network virus
  - Can execute itself automatically on a remote host
  - May still need a host file for spreading
- Most worms consist of:
  - Target locator subroutine: find new targets
  - Infection propagator subroutine: transfer itself to a new computer
Common Worm Types
- Mass mailers
  - Usually have "@mm" appended after the worm's name
  - Reproduce themselves through email attachments
- Rabbits
  - Rapidly replicate themselves until the system crashes due to the resource load
  - Often hidden in a file directory or disguised with normal file names
Worm Examples
- Morris worm
  - Exploited implementation flaws in sendmail, finger and rsh/rexec to infect other computers as quickly as possible (AQAP)
- Melissa worm
  - A macro virus targeted at Microsoft products
  - Spread via email attachments
  - Spread fast, creating a huge amount of email traffic
Email Attachments
Email attachments can be classified (roughly) into 3 categories:
- Safe: non-executable, no macros
- To-Be-Cautious: contain macros or executable code; whether to open them depends on the sender
- Perilous: should not be opened at all
The Code Red Worm
- Released in July 2001, it infected about 300K computers within the first 24 hours of its release
- It exploited a buffer overflow in Microsoft's IIS
- It arrived as a GET /default.ida request (with 224 N's); this request starts the worm code execution
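As an added example, not from the book: a small detector in Python that reads constructed web-server log lines and flags the request shape the slide describes (GET /default.ida followed by a long run of N's). It also reports, at lower severity, any other request for the .ida/.idq Index Server ISAPI extension that the vulnerable code path served, which goes slightly beyond the slide; the N-run threshold and the log lines are assumptions.

```python
import re

# Constructed sample log lines in common log format; not real traffic. The second line
# imitates the request shape described above (GET /default.ida followed by a long run
# of N's). The overflow payload that followed in the real worm is not reproduced; the
# run of N's alone is what this detector keys on.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [19/Jul/2001:10:01:07 +0000] "GET /default.ida?' + 'N' * 224 + ' HTTP/1.0" 200 0',
    '10.0.0.7 - - [19/Jul/2001:10:01:09 +0000] "GET /default.ida HTTP/1.0" 404 312',
    '10.0.0.5 - - [19/Jul/2001:10:01:11 +0000] "POST /cgi-bin/form.pl HTTP/1.0" 200 88',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
N_RUN_RE = re.compile(r'N{64,}')   # threshold is an assumption; Code Red itself used 224

def classify_request(line: str):
    """Return 'code_red_pattern', 'ida_probe' or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    path = path.lower()
    if path == '/default.ida' and N_RUN_RE.search(query):
        return 'code_red_pattern'
    if path.endswith(('.ida', '.idq')):
        # Any request for the Index Server ISAPI extension is worth a look on a
        # server that does not use it, even without the overflow pattern.
        return 'ida_probe'
    return None

def scan_log(lines) -> list:
    """Run the classifier over a log and return (source_ip, verdict) pairs."""
    findings = []
    for line in lines:
        verdict = classify_request(line)
        if verdict:
            findings.append((line.split(' ', 1)[0], verdict))
    return findings
```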
Virus Defense
- Prevention: block viruses from getting into a healthy system
  - Install software patches in time
  - Do not download software from untrusted Web sites
  - Do not open "To-Be-Cautious" email attachments from unknown senders
  - Do not open perilous email attachments
- Restoration: disinfect infected systems
  - Scan files with a virus scanner
  - Keep a backup of system and user files
Standard Scanning Methods
- Basic scanning: search for signatures of known viruses in hostable files; check the size of system files
- Heuristic scanning: search for suspicious code fragments in executable files
- ICV scanning: compute an integrity check value (ICV) for each uninfected executable file, then check against that value later on
- Behavior monitoring: evaluate the behavior of executing programs
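The ICV method as an added Python example (not the book's code): a baseline of keyed integrity check values is recorded while the files are known clean and re-checked later. The keyed HMAC, the file-type list and the temporary-directory scenario are assumptions; the scenario also covers the compressor-virus case from earlier in the chapter, where the altered file keeps its original size and the size check of basic scanning alone would miss it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

EXEC_SUFFIXES = ('.exe', '.dll', '.sys')   # assumed set of "hostable" file types

def compute_icv(path: Path, key: bytes) -> str:
    """Keyed ICV (HMAC-SHA256) over the file contents. Keying is an assumption here:
    with the key held off-line, an infector cannot recompute a matching ICV after
    modifying the file, which a plain hash stored beside the file would allow."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            mac.update(chunk)
    return mac.hexdigest()

def build_baseline(root: Path, key: bytes) -> dict:
    """Record the ICV of every executable-like file while the system is known clean."""
    return {str(p.relative_to(root)): compute_icv(p, key)
            for p in sorted(root.rglob('*'))
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def verify(root: Path, baseline: dict, key: bytes) -> dict:
    """Recompute ICVs later and classify each file: ok, modified, missing or new."""
    current = build_baseline(root, key)
    report = {}
    for name, icv in baseline.items():
        if name not in current:
            report[name] = 'missing'
        elif hmac.compare_digest(current[name], icv):
            report[name] = 'ok'
        else:
            report[name] = 'modified'
    for name in current.keys() - baseline.keys():
        report[name] = 'new'
    return report

def demo() -> dict:
    """Constructed scenario: baseline two clean files, then one file is altered
    without changing its size (what a compressor virus aims for) and a new
    executable appears."""
    key = b'constructed-demo-key-keep-off-line'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'calc.exe').write_bytes(b'MZ' + b'\x00' * 100)
        (root / 'util.dll').write_bytes(b'MZ' + b'\x01' * 50)
        baseline = build_baseline(root, key)
        (root / 'calc.exe').write_bytes(b'MZ' + b'\x90' * 100)   # same size, new content
        (root / 'dropped.exe').write_bytes(b'MZ')
        return verify(root, baseline, key)
```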
Some Common Anti-Virus Software Products
- McAfee VirusScan: http://www.mcafee.com
- Norton AntiVirus: http://www.symantec.com
- Avast! AntiVirus: http://www.avast.com
- AVG: http://www.grisoft.com
- …
Virus Emulator
- Isolated hardware and software used to evaluate suspicious programs
- May create a large amount of computational overhead
- Helps to prevent suspicious programs from causing damage to critical systems
Trojan Horses
- A program that appears to have some useful functions but contains a malicious payload (a.k.a. warrior code)
  - Cannot replicate itself automatically
  - Requires direct user intervention to run
- May inflict the following types of damage:
  - Install a backdoor or zombieware for DDoS attacks
  - Install spyware
  - Look for users' bank account numbers and private information
  - Install viruses or other malicious code on other hosts
  - Modify or delete user files
Hoaxes
- Hoaxes trick users into doing something they would normally not do
- Often in the form of email messages
  - Example: the "You've Got Virus!" hoax
- The countermeasure to hoaxes is to ignore them: there is no free lunch!
Peer-to-Peer Security
- Client-server topology: a small number of servers provide services to a large number of clients
- P2P topology: an ad hoc network in which each computer acts both as a client and a server
Peer-to-Peer Security (cont.)
- Security vulnerabilities:
  - Copyright infringement
  - Consume too much bandwidth and local disk storage
  - DoS attacks
  - A P2P application opens a specific port to share files with unknown users, which may open a door for Trojan horses, viruses and other malicious software
- Security measures:
  - Install only official P2P software
  - Scan downloaded files before opening them
  - Disallow P2P software in the company
Web Security
Basic types of Web documents:
- Static documents: a Web document without executable code; safe to download
- Dynamic documents: a Web document containing executable code (CGI) executed on the server computer; the resulting document is downloaded to the client
- Active documents: also contain executable code, but it runs on the client computer; the entire document is downloaded to the client for execution
Security of Web Documents
- Server-side: may be attacked by exploiting loopholes in dynamic documents and Web server programs
  - Security measures:
    - Update to the newest version of Web server programs
    - Manage CGI programs and their directories rigorously
    - Only a designated person can post CGI at the Web server
- Client-side: may be attacked by exploiting loopholes in active documents and Web browser programs
  - Security measures:
    - Install browser patches
    - Disable JavaScript in the browser
    - Disable Java applets in the browser
Cookies
- The Web browser is stateless: a new connection with the Web server is made for each URL request, and different, unrelated TCP connections have to be established for subsequent pages
- A cookie stores the user information, and the server passes it to the user's browser
- The browser sends the cookie along with the user's requests for subsequent pages
- Server: must ensure cookies cannot be used for malicious purposes
- Client: remove stored cookies frequently
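The cookie round trip above, simulated as an added Python example (not from the book): the server's Set-Cookie on login, the browser echoing it back on a later, unrelated connection, and the server accepting it only if its own HMAC tag verifies, which is one way to meet the "not used for malicious purposes" requirement against a client that edits its cookie. The secret, the user names, the forged cookie and the HttpOnly/Secure/SameSite attributes are assumptions.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET = b'constructed-server-side-secret'   # assumed: known only to the server

def sign(value: str) -> str:
    """Append an HMAC tag so the server can tell its own cookie from a forged one."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f'{value}.{tag}'

def unsign(cookie_value: str):
    """Return the original value if the tag checks out, else None."""
    value, _, tag = cookie_value.rpartition('.')
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if tag and hmac.compare_digest(tag, expected) else None

def login_response_headers(user: str) -> str:
    """First response: the server hands the browser a cookie carrying the user id.
    HttpOnly/Secure/SameSite (assumed hardening) keep scripts, plaintext transport
    and cross-site requests from using it."""
    jar = SimpleCookie()
    jar['session'] = sign(user)
    jar['session']['httponly'] = True
    jar['session']['secure'] = True
    jar['session']['samesite'] = 'Lax'
    jar['session']['path'] = '/'
    return jar.output(header='Set-Cookie:')

def browser_request_headers(set_cookie_line: str) -> str:
    """Later request: the browser echoes the stored cookie back on a new connection."""
    jar = SimpleCookie()
    jar.load(set_cookie_line.split(':', 1)[1].strip())
    return 'Cookie: ' + '; '.join(f'{k}={m.value}' for k, m in jar.items())

def server_identify(cookie_header: str):
    """Server side of the later request: trust the cookie only if the tag verifies."""
    jar = SimpleCookie(cookie_header.split(':', 1)[1].strip())
    if 'session' not in jar:
        return None
    return unsign(jar['session'].value)

def demo() -> tuple:
    """Genuine round trip, then a constructed cookie edited to claim another user."""
    cookie = browser_request_headers(login_response_headers('alice'))
    forged = 'Cookie: session=admin.' + '0' * 64
    return server_identify(cookie), server_identify(forged)
```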
Spyware
- Malicious software installed as a plugin module in the Web browser without the user's consent
- Spyware may:
  - Collect the user's information and send it to the attacker
  - Monitor the user's Web surfing activities and pop up ads
  - Modify default settings of the browser and redirect to a certain Web page
- Countermeasures against spyware:
  - Set up a firewall to prevent attackers from embedding spyware
  - Install software patches in time
  - Install anti-spyware software
AJAX Security
- Asynchronous JavaScript and XML (AJAX)
- AJAX achieves asynchronous interactions to make surfing smooth
  - Example: Google Maps
- Faces the same security problems as traditional Web applications:
  - Cross-site scripting attacks
  - Silent calls and cookies
Safe Web Surfing
- Download software only from trusted Web sites
- Do not click any button on a popup window
- Read privacy statements, license statements and security warnings to find out the risks you may take if you install and run the software
- Do not visit other sites with different addresses from the password-protected site
- Do not visit suspicious Web sites
Master-Slave DDoS Attack (Diagram)
Master-Slave-Reflector DDoS Attack (Diagram)
DDoS Attack Countermeasures
- Reduce the number of vulnerable computers
  - Improve security management of networked computers
  - Set up a backup system
  - Distribute resources appropriately
  - Construct a DDoS monitoring and responding system
  - Keep a complete system log to help trace sources
- Make it hard for attackers to find vulnerable computers
  - Close all unnecessary ports to defy IP scans
  - Disconnect the network connection when the user's computer is no longer in use
  - Detect and remove zombieware