Outline Malicious Code • Introduction CS 239 • Viruses • Trojan horses Security for Networks and • Trap doors System Software • Logic bombs May 12, 2002 • Worms • Examples Lecture 11 Lecture 11 Page 1 Page 2 CS 239, Spring 2002 CS 239, Spring 2002 Where Does Malicious Code Introduction Come From? • Most typically, it’s willingly (but Clever programmers can get software to unwittingly) imported into the system do their dirty work for them – Electronic mail (most common today) Programs have several advantages for – Floppy disks these purposes – Downloaded executables –Speed – Sometimes shrinkwrapped software –Mutability • Sometimes it breaks in –Anonymity • Sometimes an insider intentionally introduces it Lecture 11 Lecture 11 Page 3 Page 4 CS 239, Spring 2002 CS 239, Spring 2002 Is Malicious Code Really a More Alarming Statistics Problem? • Considering viruses only, by 1994 there • In 1992, there were around 2000 were over 1,000,000 annual infections unique viruses known • Recently, a company discovered that 1 in • Today, McAfee’s databases of viruses 325 incoming email messages carried a includes 57,000+ entries 1 malicious attachment • 2002 FBI report shows ~75% of survey • The numbers continue to grow respondents had financial losses due to malicious code 1 http://vil.mcafee.com Lecture 11 Lecture 11 Page 5 Page 6 CS 239, Spring 2002 CS 239, Spring 2002
But Don’t Get too Alarmed How Much Do Viruses Cost? • The recent Code Red virus estimated to • Most viruses are never found “in the have cost companies $2.6 billion wild” – $1.1 billion to clean up • Most viruses die out quickly – $1.5 billion in losses in productivity, etc. • The Wild List 1 shows 203 active • Even if it’s two orders of magnitude off, viruses worldwide that’s serious money • Computer Economics estimates economic –With another 400 or so with only a impact of viruses in 2001 ~ $13.2 billion single incident reported – But many folks think CE is full of it 1 www.wildlist.org Lecture 11 Lecture 11 Page 7 Page 8 CS 239, Spring 2002 CS 239, Spring 2002 But Do I Really Have to Worry Viruses About Viruses? • “Self-replicating programs containing code • “After all, I run Linux/Mac that explicitly copies itself and that can OS/Solaris/BSD” ‘infect’ other programs by modifying them • “Aren’t all viruses for Windows?” or their environment” • Mostly true in practice • Typically attached to some other program – Definitely not true in theory – When that program runs, the virus becomes active and infects others • Anyone, at any time, can write and release a virus that can clobber your machine, • Not all malicious codes are viruses regardless of what OS you run Lecture 11 Lecture 11 Page 9 Page 10 CS 239, Spring 2002 CS 239, Spring 2002 How Do Viruses Work? Typical Virus Actions • When a program is run, it typically has 1). Find uninfected writable programs the full privileges of its running user 2). Modify those programs • Including write privileges for some 3). Perform normal actions of infected other programs program • A virus can use those privileges to 4). Do whatever other damage is desired replace those programs with infected versions Lecture 11 Lecture 11 Page 11 Page 12 CS 239, Spring 2002 CS 239, Spring 2002
Before the Infected Program The Infected Program Runs Runs Virus Code Virus Code Infected Uninfected Infected Uninfected Program Program Program Program Lecture 11 Lecture 11 Page 13 Page 14 CS 239, Spring 2002 CS 239, Spring 2002 Infecting the Other Program A Taxonomy of Viruses • File infectors Virus Code Virus Code –Direct-action –Resident Infected Infected Uninfected Program Program • System or boot infectors Program • Macro and attachment viruses Lecture 11 Lecture 11 Page 15 Page 16 CS 239, Spring 2002 CS 239, Spring 2002 File Infectors Direct-Action File Infectors • The most basic kind of virus • File infector viruses attach themselves to ordinary files • When an infected program runs, it infects a previously uninfected target –Most typically executables –Or possibly several –But source code viruses have been • Activated only when an infected discovered program is executed • E.g., the Vienna virus Lecture 11 Lecture 11 Page 17 Page 18 CS 239, Spring 2002 CS 239, Spring 2002
Resident File Infectors System Infectors • Also known as boot section infectors • The first time a resident file infector is run, it leaves a daemon running • Rather than living in programs, they live in the boot sectors of disks –Or some other persistent and useful • Typically memory resident RAM entity • Typically infect any disk exposed to them • Whenever any other program is run, • E.g., the Michelangelo virus the daemon infects it • Multipartite viruses can live in both • E.g., the Jerusalem virus programs and boot sectors Lecture 11 Lecture 11 Page 19 Page 20 CS 239, Spring 2002 CS 239, Spring 2002 Macro and Attachment Viruses Virus Toolkits • At first, viruses only attacked executables • Helpful hackers have written toolkits • But sophisticated modern data files often that make it easy to create viruses contain executable components • A typical smart high school student can – Macros easily create a virus given a toolkit – Email attachments • Generally easy to detect viruses – Ability to run arbitrary executables from generated by toolkits many applications, embedded in data –But we may see “smarter” toolkits • Easily the most popular form of new viruses – Requires less sophistication to get right Lecture 11 Lecture 11 Page 21 Page 22 CS 239, Spring 2002 CS 239, Spring 2002 How To Find Viruses Precautions to Avoid Viruses • Don’t import untrusted programs • Basic precautions – But who can you trust? • Looking for changes in file sizes • Viruses have been found in commercial • Scan for signatures of viruses shrink-wrap software • TSR monitoring • The hackers who released Back Orifice were embarrassed to find a virus on their • Multi-level generic detection CD release • Trusting someone means not just trusting their honesty, but also their caution Lecture 11 Lecture 11 Page 23 Page 24 CS 239, Spring 2002 CS 239, Spring 2002
Other Precautionary Measures Containment • Scan incoming programs for viruses • Run suspect programs in an –Some viruses are designed to hide encapsulated environment • Limit the targets viruses can reach –Limiting their forms of access to • Monitor updates to executables prevent virus spread carefully • Requires versatile security model and –Requires a broad definition of strong protection guarantees “executable” Lecture 11 Lecture 11 Page 25 Page 26 CS 239, Spring 2002 CS 239, Spring 2002 Problems With Size Checking for Viruses and File Sizes Virus Detection • Typically, a virus tries to hide • Requires keeping carefully protected records of valid file sizes • So it doesn’t disable the infected program • Won’t work for files whose sizes typically • Instead, extra code is added change • But if it’s added naively, the size of the file – E.g., Word files with possibly infected grows macros • Virus detectors can look for this growth • Clever viruses find ways around it – E.g., cavity viruses that fit themselves into “holes” in programs Lecture 11 Lecture 11 Page 27 Page 28 CS 239, Spring 2002 CS 239, Spring 2002 Signature Scanning How To Scan For Signatures • If a virus lives in code, it must leave • Create a database of known virus some traces signatures • In early and unsophisticated viruses, • Read every file in the system and look these traces were essentially for matches in its contents characteristic code patterns • Also check every newly imported file • Find the virus by looking for the • Also scan boot sectors and other signature interesting places Lecture 11 Lecture 11 Page 29 Page 30 CS 239, Spring 2002 CS 239, Spring 2002
Recommend
More recommend