1 / 41

Malicious Code

Malicious Code. Program Flaws. Taxonomy of flaws: how (genesis) when (time) where (location) the flaw was introduced into the system. Security Flaws by Genesis. Genesis Intentional Inadvertent. Intentional Genesis. Malicious: Trojan Horse, Trapdoor, Logic Bomb, covert channels

salena
Download Presentation

Malicious Code

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Malicious Code

  2. Program Flaws Taxonomy of flaws: • how (genesis) • when (time) • where (location) the flaw was introduced into the system CSCE 522 - Farkas/Eastman -- Fall 2005

  3. Security Flaws by Genesis • Genesis • Intentional • Inadvertent CSCE 522 - Farkas/Eastman -- Fall 2005

  4. Intentional Genesis • Malicious: Trojan Horse, Trapdoor, Logic Bomb, covert channels • Non-malicious CSCE 522 - Farkas/Eastman -- Fall 2005

  5. Inadvertent Genesis • Validation error • Domain error • Serialization error • Identification/authentication error • Other error CSCE 522 - Farkas/Eastman -- Fall 2005

  6. Kinds of Malicious Codes • Virus • Rabbit (Bacteria) • Worm • Trojan horse • Logic bomb (Time bomb) • Trapdoor CSCE 522 - Farkas/Eastman -- Fall 2005

  7. Virus • A program that attaches copies of itself into other programs • Propagates and performs some unwanted function CSCE 522 - Farkas/Eastman -- Fall 2005

  8. Rabbit • Program that consumes system resources by replicating itself • Also known as bacteria • The Trouble with Tribbles (Star Trek) CSCE 522 - Farkas/Eastman -- Fall 2005

  9. Worm • A program that propagates copies of itself through the network • Usually performs some unwanted function • Does not attach to other programs CSCE 522 - Farkas/Eastman -- Fall 2005

  10. Trojan Horse • Secret, undocumented routine embedded within a useful program • Execution of the program results in execution of secret code. CSCE 522 - Farkas/Eastman -- Fall 2005

  11. Logic Bomb • Logic embedded in a program that checks for a certain set of conditions to be present in the system • When these conditions are present, some malicious code is executed • Also known as time bomb CSCE 522 - Farkas/Eastman -- Fall 2005

  12. Trapdoor • Secret, undocumented entry point into a program • Used to grant access without normal methods of access authentication CSCE 522 - Farkas/Eastman -- Fall 2005

  13. Virus Lifecycle • Dormant phase: the virus is idle • Propagation phase: the virus places an identical copy of itself into other programs • Triggering phase: virus is activated • Execution phase: the function is performed CSCE 522 - Farkas/Eastman -- Fall 2005

  14. Virus Types • Transient (parasitic) virus • Memory resident virus • Boot sector virus • Stealth virus • Polymorphic virus CSCE 522 - Farkas/Eastman -- Fall 2005

  15. Transient Virus • Most common form. • Attaches itself to a file • Replicates when the infected program is executed CSCE 522 - Farkas/Eastman -- Fall 2005

  16. Memory Resident Virus • Lodged in main memory as part of a resident system program • May infect every program that executes CSCE 522 - Farkas/Eastman -- Fall 2005

  17. Boot Sector Virus • Infects the boot record • Spreads when system is booted • Gains control of machine before the virus detection tools can act • Very hard to notice • Carrier files: AUTOEXEC.BAT, CONFIG.SYS,IO.SYS CSCE 522 - Farkas/Eastman -- Fall 2005

  18. Stealth Virus • A form of virus explicitly designed to hide from detection by antivirus software CSCE 522 - Farkas/Eastman -- Fall 2005

  19. Polymorphic Virus • Mutates with every infection • Detection by the “signature” of the virus difficult CSCE 522 - Farkas/Eastman -- Fall 2005

  20. How Viruses Attach • Append to file • Surround file • Integrate into file CSCE 522 - Farkas/Eastman -- Fall 2005

  21. Append to File + = virus virus Original program Original program Virus appended to program CSCE 522 - Farkas/Eastman -- Fall 2005

  22. Surround the File + = Virus-1 virus Original program Original program Virus-2 Virus surrounding a program CSCE 522 - Farkas/Eastman -- Fall 2005

  23. Virus-1 Virus-2 Virus-3 Virus-4 Integrate into File + = virus Original program Original program Virus integrated into program CSCE 522 - Farkas/Eastman -- Fall 2005

  24. How Viruses Spread • Executable code (exe) • Data files • Word documents • Databases • Presentations • File sharing CSCE 522 - Farkas/Eastman -- Fall 2005

  25. Assume that, if you can install or use it on your computer, it might have a virus CSCE 522 - Farkas/Eastman -- Fall 2005

  26. How Viruses Gain Control • Virus V has to be invoked instead of target T. • V overwrite T • V changes pointers from T to V CSCE 522 - Farkas/Eastman -- Fall 2005

  27. High Risk Virus Properties • Hard to detect • Hard to destroy • Spread infection widely • Can re-infect • Easy to create • Machine independent CSCE 522 - Farkas/Eastman -- Fall 2005

  28. Preventing Virus Infections Prevention: • Good source of software installed • Isolated testing phase • Use virus detectors Limit damage: • Make bootable diskette • Make and retain backup copies important resources CSCE 522 - Farkas/Eastman -- Fall 2005

  29. Antivirus Approaches • Detection: determine infection and locate the virus. • Identification: identify the specific virus. • Removal: remove the virus from all infected systems, so the disease cannot spread further. • Recovery: restore the system to its original state. CSCE 522 - Farkas/Eastman -- Fall 2005

  30. Virus Signatures • Storage pattern • Code always located at a specific address • Increased file size • Execution pattern • Transmission pattern • Polymorphic Viruses CSCE 522 - Farkas/Eastman -- Fall 2005

  31. Antivirus Programs • Look for virus signatures • Look for changes in file size • Need to be updated regularly as new viruses appear • Eliminate viruses found • Attempt to undo virus damage CSCE 522 - Farkas/Eastman -- Fall 2005

  32. More on Worms • Characteristics • Phases • Propagation CSCE 522 - Farkas/Eastman -- Fall 2005

  33. Worm Characteristics • Self-replicating (like virus) • Objective: system penetration (intruder) CSCE 522 - Farkas/Eastman -- Fall 2005

  34. Worm Phases • Dormancy • Propagation • Triggering • Execution CSCE 522 - Farkas/Eastman -- Fall 2005

  35. Worm Propagation • Searches for other systems to infect • Establishes connection with remote system • Copies itself to remote system • Executes CSCE 522 - Farkas/Eastman -- Fall 2005

  36. Some Examples • The Brain Virus • The Internet Worm • Code Red CSCE 522 - Farkas/Eastman -- Fall 2005

  37. The Brain Virus • Changes label of infected disk to Brain • Locates in upper memory and traps disk reads • Upon read to boot sector takes over • Marks its sectors faulty • Looks for uninfected disks to infect CSCE 522 - Farkas/Eastman -- Fall 2005

  38. The Internet Worm • Caused 6,000 installations to shut down or disconnect from the Internet • Created by Robert T. Morris at Cornell • Attacked Unix machines • Found new machines by password guessing, exploiting finger, and using a trapdoor in sendmail • Tried to remain undiscovered CSCE 522 - Farkas/Eastman -- Fall 2005

  39. Code Red • Infected more than 250,000 machines in nine hours • Attacked machines running Microsoft IIS software • Spread to random or target IP addresses • Dormant after infection phase CSCE 522 - Farkas/Eastman -- Fall 2005

  40. USC Security Measures • Gamecock, September 3, 2004 • Smart Enforcer • Checks for needed updates to OS (Microsoft) and antivirus programs (McAfee) before network access is allowed • Why? Students do not always make needed updates CSCE 522 - Farkas/Eastman -- Fall 2005

  41. A “Good” Parasite/Virus • Does not kill its host • Lives off host resources • Uses host resources to propagate itself • May change host behavior • May be dormant after infection phase • May enter into a symbiotic relationship • Many biological parallels CSCE 522 - Farkas/Eastman -- Fall 2005

More Related