Viruses and Related Threats - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Viruses and Related Threats

Description:

Recognize some special sequence of inputs, or special user ID. Logic Bomb ... Cliff Changchun Zou, Weibo Gong, Don Towsley. Univ. Massachusetts, Amherst. Motivation ... – PowerPoint PPT presentation

Number of Views:2394

Avg rating:3.0/5.0

Slides: 35

Provided by: ccGa

Category:

more less

Transcript and Presenter's Notes

Title: Viruses and Related Threats

1
Viruses and Related Threats
2
Malicious Programs

Needs host program
trap doors
logic bombs
Trojan horses
viruses
Independent
viruses
worms

3
Trap Doors

A secret entry point to a program or system
get in without the usual security access
procedures
Recognize some special sequence of inputs, or
special user ID

4
Logic Bomb

Embedded in some legitimate program
Explode when certain conditions are met

5
Trojan Horses

Hidden in an apparently useful host program
Perform some unwanted/harmful function when the
host program is executed

6
Worms and Bacteria

Worms
Use network connections to spread from system to
system
Bacteria
No explicitly damage, just replicate

7
Viruses

Infect a program by modifying it
Self-copied into the program to spread
Four stages
dormant phase
propagation phase
E.g., attachment to email
triggering phase
execution phase

8
Virus Structure

First line got to main of virus program
Second line a special mark (infected or not)
Main
find uninfected programs
infect and mark them
do something damaging to the system
now go to the first line of the original
program
appear to do the normal work
Avoid detection by looking at size of program
compress/decompress the original program

9
Types of Viruses

Parasitic virus
search and infect executable files
Memory-resident virus
infect running programs
Boot sector virus
spreads whenever the system is booted
Stealth virus
Polymorphic virus
encrypt part of the virus program using randomly
generated key

10
Macro Viruses

Macro
an executable program (e.g., opening a file,
starting an application) embedded in a word
processing document, e.g. MS Word
Common technique for spreading
A virus macro is attached to a Word document
Document is loaded and opened in the local system
When the macro executes, it copies itself to the
global macro file
The global macro can be activated/spread when new
documents are opened.

11
Truth and Misconceptions about Viruses

Can only infect Microsoft Windows
Can modify hidden and read-only files
Spread only on disks or in email
Cannot remain in memory after reboot
Cannot infect hardware
Can be malevolent, benign, or benevolent

12
Antivirus Approach

Prevention
Limit contact to outside world
Detection and identification
Removal
4 generations of antivirus software
simple scanners
use signatures of known viruses
heuristic scanners
integrity checking checksum, encrypted hash
activity traps
full-featured protection

13
Digital Immune System

Each PC is equipped with a monitoring program
Suspicious program is forwarded into an
administrative PC of the LAN
Administrative PC securely transmit the sample to
central virus analysis site
for emulation, analysis, prescription
The prescription is sent back to the
administrative PC, then all PCs in the LAN
to other LANs as well

14
The Internet Worm

What it did
Determine where it could spread
Spread its infection
Remain undiscovered and undiscoverable
Effect
Resource exhaustion repeated infection due to a
programming bug
Servers are disconnected from the Internet by sys
admin to stop infection

15
The Internet Worm

How it worked
Where to spread
Exploit security flaws
Guess password (encrypted passwd file readable)
fingerd buffer overflow
sendmail trapdoor (accepts shell commands)
Spread
Bootstrap loader to target machine, then fetch
rest of code (password authenticated)
Remain undiscoverable
Load code in memory, encrypt, remove file
Periodically changed name and process ID

16
The Internet Worm

What we learned
Security scanning and patching
Computer Emergency Response Team (CERT)

17
Code Red and Beyond

http//www.icir.org/vern/talks/vp-0wn-UCB.pdf

18
Code Red Worm Propagation Modeling and Analysis

Cliff Changchun Zou, Weibo Gong, Don Towsley
Univ. Massachusetts, Amherst

19
Motivation

Code Red worm incident of July 19th, 2001
Showed how fast a worm can spread.
more than 350,000 infected in less than one day.
A friendly worm?
No real damage to compromised computers.
Did not send out flooding traffic.
A good model can
Predict worm propagation and damage.
Understand the worm spreading characteristics.
Help to find effective mitigation technique.

20
Code Red worm background

Sent HTTP Get request to buffer overflow Win IIS
server.
It generated 100 threads to scan simultaneously
One reason for its fast spreading.
Huge scan traffic might have caused congestion.
Characteristics
Uniformly picked IP addresses to send scan
packets.

21
Epidemic modeling introduction

infectious hosts continuously infect others.
removed hosts in epidemic area
Recover and immune to the virus.
Dead because of the disease.
removed hosts in computer area
Patched computers that are clean and immune to
the worm.
Computers that are shut down or cut off from
worms circulation.

22
Epidemic modeling introduction

Homogeneous assumption
Any host has the equal probability to contact any
other hosts in the system.
Number of contacts ? I ? S
Code Red propagation has homogeneous property
Direct connect via IP
Uniformly IP scan

23
Deterministic epidemic models Simple epidemic
model

State transition
N population S(t) susceptible hosts I(t)
infectious hosts
dI(t)/dt ? S(t) I(t)
S(t) I(t) N

I(t) ? S(t) symmetric
Problems
Constant infection rate ?
No removed state.

24
Deterministic epidemic models Kermack-McKendrick
epidemic model

State transition
R(t) removed from infectious ? removal rate
dI(t)/dt ? S(t) I(t) dR(t)/dt
dR(t)/dt ?I(t) S(t) I(t) R(t) N

Epidemic threshold
No outbreak if S(0) lt ? / ?.
Problems
Constant infection rate ?
No

I(t)
t
25
Code Red modeling Consider human
countermeasures

Human countermeasures
Clean and patch download cleaning program,
patches.
Filter put filters on firewalls, gateways.
Disconnect computers.
Reasons for
Suppress most new viruses/worms from outbreak.
Eliminate virulent viruses/worms eventually.
Removal of both susceptible and infectious hosts.

26
Code Red modeling Consider human
countermeasures

Model (extended from KM model)
Q(t) removal from susceptible hosts.
R(t) removal from infectious hosts.
I(t) infectious hosts.
J(t) ? I(t)R(t) Number of infected hosts
hosts that have ever been infected
dS(t)/dt -? S(t) I(t) - dQ(t)/dt
dR(t)/dt ?I(t)
dQ(t)/dt ?S(t)J(t)
S(t) I(t) R(t) Q(t) N

27
Code Red modeling Two-factor worm model

Code Red worm may have caused congestion
Huge number of scan packets with unused IP
addresses.
Routing table cache misses. ( about 30 of IP
space is used)
Generation of ICMP (router error) in case of
invalid IP.
Possible BGP instability.
Effect slowing down of worm propagation rate ?
? ?(t)
Two-factor worm model
dS(t)/dt -?(t)S(t)I(t) - dQ(t)/dt
dR(t)/dt ?I(t)
dQ(t)/dt ?S(t)J(t)
?(t) ?0 1 - I(t)/N ?
S(t) I(t) R(t) Q(t) N

28
Validation of observed data on Code Red

Network monitor
record Code Red scan traffic into the local
network.
Code Red worm uniformly picked IP to scan.
of scans a cite received ? Size of the IP space
of the cite.
of scans a cite received at time t ? Overall
scans in Internet at t.
of infectious hosts sent scans to a cite at
time t ? Overall infectious hosts in Internet at
t.

Local observation preserves global worm
propagation pattern.

29
Observed data on Code Red worm

Two independent Class B networks x.x.0.0/16
(1/65536 of IP space)
Count of Code Red scan packets and source IPs
for each hour.
Corresponding to infectious hosts I(t) at each
hour, not infected hosts J(t)I(t)R(t).
Uniformly scan IP ? Two networks, same results.

30
Code Red worm modeling Simple epidemic
modeling