CSS481 Spring 2003

1
Hacking Exploits and Malicious Code

• How people break into systems, and what they do
  once they get there.
• Questions we might ask
• why does somebody want to break in?
• what are the possible points of entry?
• what happens once they get in?

2
Motivations for Breaking In

• Often not discussed in the hacking literature,
  but important to know your enemy
• So why break in?
• for the fun of it
• to cause damage
• hurt the competition
• steal trade secrets (customers, designs, ...)
• collect email addresses
• use the resources
• hide identity
• ... more ... ?

3
Planning and Executing a Breakin

• Reconnaissance
• find your targets
• learn as much about them as possible
• Scanning
• look for vulnerabilities
• Application and Operating System Attacks
• Viruses and Other Replicating Programs

4
Reconnaissance

• Potential targets
• IP addresses
• Blocks of IP addresses
• Hosts with certain characteristics (banks,
  e-commerce sites, data warehouses)
• Information about a particular target
• people
• hosts
• information about infrastructure

5
Low-Tech Solutions

• Remember, people are a hackers best friend
• Make a phone call and ask for
• a password
• or a reference to another employee
• or some information about their workstation
• a voicemail box
• Common social engineering pretexts
• new employee calls help desk wanting information
  on how to do a task
• manager calls an employee demanding password, or
  a reset
• SA asks employee for a password
• employee calls another employee to get phone or
  personal information about an employee

6
Low-Tech Solutions (cont.)

• Why call, when a visit is so much more personal?
• grab some passwords
• bring a floppy and insert some code on the system
• grab a hard drive and take it out
• Its (not) surprisingly easy to do even in a
  fairly secure environment
• everybody opens doors for you
• not uncommon to be badgeless
• And dont forget to take out the trash
• notes with passwords
• design documents
• phone lists
• (and dont think that people actually use
  shredders)

7
The Internet is Your Friend

• A surprising amount of information is available
• Employee information
• many organizations refuse to give any information
  out about the employees
• but an employees signature file contains work
  phone number and email address
• and the email headers may reveal names of servers
  and other resources
• Corporate culture
• give yourself credibility when you visit
• Information about the infrastructure
• what database, web server, etc. is the company
  running
• Usenet groups are incredibly rich sources of
  information
• tech people are not typically very security
  conscious
• especially when dealing with other tech people

8
Internet Domain Names and Addresses

• Given a domain name, find out its primary IP
  address
• and vice versa
• Get contact information for the company
• Get IP address blocks
• Look at the Sam Spade tool

9
Summary of the Reconnaissance Phase

• What are you looking for?
• information about a specific organization
• information about a potential target
• In three basic categories
• information about people
• information about systems
• information about the organization itself
• Techniques
• low-tech approaches (personal, phone, dumpsters)
• information on the web
• information from the web itself

10
The Scanning Phase

• Suppose the attacker has a target and some
  preliminary information
• a few phone numbers
• domain names / IP addresses
• In scanning the attacker is looking for
  vulnerabilities that will allow access to
• information
• systems

11
The First Line of Attack Modems

• The victim desktop computer connected to modem
  for home use
• theyre there
• theyre insecure (often not even any password
  control!)
• they allow wide access
• Another nice find repeat dial tones
• allow free long distance
• affords anonymity
• War dialers give them a block of numbers, they
  give you
• which lines had carriers (and which are likely to
  be voice)
• what the server said (more information about the
  system on the other end) (nudges)
• (at a rate of about 100 numbers per hour,
  automatically)

12
Defense Against War Dialing

• Use a centralized modem pool, which can be
  monitored and audited more easily
• also hides information about the individual
  systems on the network
• Allow dial-out access only for phones physically
  connected to computers
• Attack your own site periodically

13
Mapping the Network

• Finding live hosts
• given a block of IP addresses
• send a PING to a host (whats a PING?)
• send messages to common services (HTTP, SMTP)
• Finding routers and network topology using
  traceroute
• And of course this can all be automated to build
  a network topology graph
• Defense against network scans use firewalls to
  allow only the traffic you really need
• no pings from the outside world (except external
  servers)
• filter ICMP time exceeded messages

14
Identifying Services on a Machine Port Scanning

• There are 65535 possible ports for TCP services,
  and the same number available for UDP service

The latest IANA port assignments can be gotten
from http//www.iana.org/assignments/port-
numbers The Well Known Ports are those from 0
through 1023. The Registered Ports are those
from 1024 through 49151 The Dynamic and/or
Private Ports are those from 49152 through
65535 Each line describes one service, and is
of the form service-name port/protocol
aliases ... comment tcpmux
1/tcp TCP port
service multiplexer tcpmux 1/udp
TCP port service
multiplexer rje 5/tcp
Remote Job Entry rje
5/udp Remote Job
Entry echo 7/tcp echo 7/udp
15
Port Scanning

• Can look through common ports or through all
  ports
• Makes a service request and sees if anything
  responds
• If it does respond (and especially if its a
  well-known service), the scan can yield
  information about the responding service
• Next slide is output from SuperScan, probing
  cssgate

16
(No Transcript)
17
Ethical / Legal Implications of Using These Tools

• Please read and refer to the UW Computing
  Guidelines at
• http//www.washington.edu/computing/rules/guidelin
  es.html
• The following practices are prohibited
• Attempting to test security flaws yourself.
• Attempting to disrupt operation of any system or
  network.
• Altering any data, software, or directories other
  than your own without proper authorization.
• Probing or connecting to any computers without a
  legitimate reason to do so.
• Attempting to gain root access on any of the UW
  systems unless you have been given authorization
  by the system administrator.
• Using UW systems or networks as a staging ground
  to crack other systems or networks.

18
Different Types of Scans

• Polite the TCP connect
• recall the three-step handshake, the connect scan
  completes the handshake
• this will result in either a SYN-ACK response, no
  response, a RESET response, or an MCMP Port
  Unreachable response
• this might provide some additional information
• if you get a SYN-ACK, send the final ACK, then
  FIN
• its time consuming, and logged
• SYN scans
• just send the first SYN, and see if theres a
  response, but dont send the final ACK or FIN
• fast, not logged, and (arguably) a DoS attack
• Even more broken versions
• send a FIN initially to obey the protocol, a
  closed port should send a RESET, an open port
  should send nothing

19
Other Things to Look At

• UDP ports
• UDP is a lighter-weight protocol, not having the
  handshake, sequenced packets, etc.
• PING is the most common UDP service
• OS Fingerprint what operating system is
  running?
• this isnt generally available, but can be
  inferred
• sometimes the services will give it away
• otherwise, try to predict it from the way the OS
  responds to TCP requests
• the protocol specifies the response in the case
  of valid uses of the protocol, but not in the
  case of invalid uses (e.g. a NULL packet to begin
  a handshake)
• and as such, operating systems tend to respond in
  idiosyncratic ways

20
Intrusion Detection Systems

• IDSs sit on the LAN and collect packets, looking
  for attacks, and notifying an administrator if
  they think an attack is in progress
• The problem is how to infer an attack from a
  bunch of network traffic
• just traffic (DoS attack)
• certain patterns of activity (e.g. a port scan)
• Evading the IDS
• dont make the scan traffic like a pattern in the
  database
• dont flood the network
• or really flood the network (DoS on the IDS
  itself)

21
Protecting against Network Scans and Attacks

• Close down all ports not in use
• RPC ports and X windows for example
• Use firewalls to restrict packets in and out of
  the LAN to whatever extent possible
• Use most up-to-date version of IDS software
• Use both host-based and network-based IDS systems

22
Summary of the Scanning Phase

• What you know going in
• some cursory information about the site domain
  names and/or IP addresses
• What you want to know coming out
• all the machines and routers on the network
• what software each is running (operating system
  and services, including version)
• what services are provided by which machines, and
  which versions
• Tools
• network scanners (PINGing and tracing)
• port scanners
• IDEs
• What comes next
• knowing the system knowing the vulnerabilities
• identify vulnerable software and try to gain
  entry (penetration)

23
Application and OS Attacks

• This is the access phase. How do you get in,
  and what do you do when you get there?
• OS Attacks contrasted with
• network attacks (1 minute explanation)
• viruses (wait for it ...)
• The main attacks covered in the book are
• buffer overflow attacks
• SQL attacks
• password harvesting
• web application attacks (session hijacking)
• How are these similar and/or different from each
  other?

24
Basic Structure of Application Attacks

• If you can get your instructions into the
  application
• And you can get the application to execute it
• Then you can do some damage, depending on
• the language (machine code, SQL, VB, Javascript)
• the privilege level of the application
• The "OS" aspect is secondary you get some
  application to execute code for you, and it might
  or might not be the OS
• but some applications allow "escapes" to the OS
• and interacting with the OS gives you broader
  power

25
Stack Overflow Attacks

• Your instructions are written in the actual
  machine code of the host OS
• which means a certain lack of portability
• Getting it into the application is accomplished
  by
• providing longer input than the application
  expects (no bounds checking)
• the compiler / application allowing you to
  overflow a buffer
• Executing the machine code is accomplished by
• the fact that data and code can be mixed on the
  stack
• careful manipulation of the input so the
  operating system executes the first instruction
  in your code
• What you then can do
• you have the operating systems attention, so you
  have access to the file system, other processes
  and services, etc
• youre limited only by your privilege level (but
  many services run as root)

26
Stack/Buffer Overflow Attacks (cont.)

• This is more a means of access than a particular
  exploit
• The components
• a running service or daemon
• input from a client (read over a port)
• input exceeds declared array bounds, and program
  doesn't detect an error (bad programming!)
• accepting variable is stored on the stack
• therefore machine code gets inserted on the stack
• careful / lucky manipulation of the code causes a
  GOTO into the new code on the stack
• operating system allows executing code from the
  stack (can be turned off)
• Lots of examples various Linux services (FTP),
  various Windows services (IIS, SQL Server)

27
What To Do When You've Installed Your Code

• Just do some damage
• Exec an interactive shell or Xterm (so now the
  daemon is still serving your port, but now it's
  acting as a root-owned remote shell for you)
• Configuration changes that make subsequent
  entries possible (i.e. unlock the door from the
  inside)
• entries in rhosts, rusers
• Clean up log files to hide the attack
• Install client code that "reverses the direction"
  of the packets, with the hope that this will
  evade IDS systems

28
SQL Application Attacks

• (What was the example we heard about in class?)
• An application (e.g. web browser)
• accepts user input
• builds a SQL query from that input
• submits it to a SQL query engine
• The essence of the exploit is in
• unexpected user input
• careless checking of the input

29
SQL Attacks (cont.)

• Example, website search by product ID
• program is expecting at most 10 alphanumeric
  characters
• it constructs SELECT TITLE FROM PRODUCTS WHERE
  ID "id"
• this input would have some interesting side
  effects AAA" "" DELETE FROM PRODUCTS WHERE
  11
• What caused the problem here?
• bad input checking (that is not a valid product
  ID!)
• implicitly providing information about how the
  input is processed before being sent to the query
  engine
• maybe it's done on the client side (e.g. using
  Javascript), in which case you really have a
  goldmine on your hands!
• maybe it's implicitly available via error pages
  (web server allows web browser to surface SQL
  error messages)
• The lessons (here and elsewhere)
• input is your enemy
• be aware of and careful with error handling
  (control the information going from server to
  client)
• (these are simply good programming practices)

30
Password Attacks

• How/why are these fundamentally different from
  stack or SQL attacks?
• Rely on the fact that
• reconnaissance has provided you with some user
  IDs
• people choose predictable passwords
• Online versus offline attacks
• online just challenging the login process
  repeatedly
• time consuming, easy to detect
• offline get a copy of the password file, and
  challenge it repeatedly
• (And of course another line of attack is simply
  to try to get people to give you their passwords
  directly via web forms.)

31
Web Attacks Session Spoofing

• The basic problem HTTP is a "stateless"
  protocol
• every HTTP request must communicate all relevant
  information to the server
• at the same time, most web sites want to provide
  continuity from page serve to page serve
• therefore each HTTP request must contain
  information identifying the user / session
• The exploit if you can discover somebody else's
  session ID, you can pretend to be them
• at least for a while
• at least for some class of operations

32
Session Spoofing (cont.)

• What you can and cannot do about it (in designing
  a website protocol)
• First, you don't have the luxury of keeping
  session IDs secret
• since they are transmitted over the network,
  somebody will see them
• Three things you can do
• make them unpredictable, so seeing your own ID
  doesn't provide too much information about
  others' IDs
• choose random numbers, encrypt or hash the values
• send only part of the session ID at every page
  serve (Amazon's UBID and session ID)
• require authentication every time session wants
  to do something dangerous (buy something, access
  account information)

33
Other Exploits Viruses, Worms, Trojan Horses

• What's a virus / worm / Trojan Horse, and how do
  they differ from the code we've already seen
• Virus
• infects another program
• replicates
• Worm
• replicates and spreads over a network
• not parasitic on another program
• Trojan Horse
• doesn't infect another program
• no provision for self-replication or spreading
• has some unexpected side-effect (doesn't do what
  it purports to do)
• One real difference is that this kind of Malware
  spreads automatically, as opposed to the exploits
  we've seen before which are directed by humans.
• this introduces several other technical issues
  like mutation / polymorphism and other methods
  for evading detection, which aids in the
  spreading process

34
The Main Structural Components of a Virus

• Infection how does the virus spread?
• Payload what does the virus do apart from
  replicate infect?
• Trigger what decides when the payload is
  delivered?
• Replication how does the virus get to other
  machines?

35
Means of Infection

• Buffer overflows and its friends
• we've already seen how a program can "get in" to
  a system through buffer overflow vulnerabilities
  and the like
• no reason that Malware can't use the same vector
• Inviting it in
• the classic a hyperlink in an email message
  that executes a program
• similarly macro-viruses in documents that are
  automatically executed when the document is
  opened
• Boot-sector viruses
• virus infects the boot sector of a floppy disc,
  which in turn infects the hard drive etc.

36
Payloads

• There isn't always a payload
• SQL Slammer infected the SQL server memory
  image, then aggressively sought to infect other
  servers. (DoS attack)
• From the annoying to the fatal
• display annoying popups
• freeze the system
• change the registry
• destroy permanent storage

37
Trigger

• Often triggers immediately, but at one point it
  was fashionable to trigger on a particular date
• Jerusalem virus on Friday the 13th
• caused concern for some years afterwards

38
Important Malware Through History

• Lehigh (1987)
• infected floppy disks through overwriting slack
  space at the end of COMMAND.COM
• triggered by DOS commands, and wrote the virus to
  other COMMAND.COM files
• after four infections, would overwrite some files
• no attempt to obscure itself
• CHRISTMA EXEC (1987)
• first virus transmitted through email? (social
  engineering)
• drew a Christmas tree on screen and mailed itself
  to everybody in the account holder's address book
• Morris Worm (1988)
• spread via vulnerabilities in Sendmail and Finger
• also tried some password cracking
• damage was (only) through degradation of service

39
Wave II Malware

• WM/Concept (1995)
• first widely disseminated macro virus (actually
  shipped in production documents)
• very little payload (displays a dialog box when
  an infected document is opened)
• but a very scary proof of concept
• ShareFun (1997)
• combination of macro virus and email transmission
• sent copies to three randomly selected entries in
  the user's address book

40
Wave III Malware

• Melissa
• PrettyPark (1999)
• spread via an executable in an email attachment
• mails copies to address-book entries
• publishes itself to some IRC servers
• installs itself first in the application
  execution order, making it harder to implement a
  "point and click disinfect" solution
• Love Bug (2000)
• attachment with name LOVE-LETTER-FOR-YOU .TXT.vbs
• installed copies in some system directories,
  which were executed on startup
• overwrote many image and audio files with copies
  of the virus
• use the address book to send copies
• tried to send password information to a web site
  in the Philippenes
• script file was widely modified and re-deployed
• SQL Slammer Worm (2003)
• most notable for its speed in replicating
  (doubling every 8.5 seconds)
• infected 90 of vulnerable hosts (100K) within
  10 minutes

41
Summary

• The main components
• infection
• payload
• trigger
• Many examples, but variations on a few themes
• boot-sector / floppies (less recently)
• payload stored in documents (macros) or
• transmission via chain letters through address
  books
• obfuscation via registry changes
• propagation via service vulnerabilities (more
  recently)