Trap Doors

1
Trap Doors Logic Bombs

• William Dotson

2
Overview

• Malware Taxonomy
• Definitions
• Historical Overview
• Protection Methods
• Ethical Issues

3
Malware Taxonomy
Malware
No Host
Needs Host
Trapdoor
Trojan Horse
Logic Bomb
Virus
Worm
Bacteria
4
Trap doors

• Method of bypassing normal authentication methods
• Remains hidden to casual inspection
• Can be a new program to be installed
• Can modify an existing program
• Also known as Back Doors

5
Logic Bombs

• Piece of code that executes itself when
  pre-defined conditions are met
• Logic Bombs that execute on certain days are
  known as Time Bombs
• Code performs some payload not expected by the
  user.
• Shareware that deactivates itself are not logic
  bombs.

6
Backdoor History

• Made famous in the movie War games
• 2003, an attempt was made to create a backdoor in
  the Linux Kernel
• Early versions of the Sobig Virus in 2003
  installed backdoors to send its spam.
• MyDoom virus in early 2004 created a backdoor on
  port 3127 to send spam

7
Backdoor History

• No one really knows often backdoors are inserted
  into software
• Some people speculate it is a prevalent practice
  in the industry
• Most backdoors are obvious and clumsy

8
Backdoor History

• The attempted Linux backdoor is more
  sophisticated
• if ((options (__WCLONE__WALL))
  (current-gtuid 0))retval -EINVAL
• Under casual inspection looks like it is just
  checking two flags, but actually setting the UID
  to root
• Required good knowledge of Linux Kernel
• Only caught because the part of code this line is
  contained in was modified manually rather than
  automatically as the section it was in was.
• Caught during a file integrity check near release

9
Logic Bomb History

• Some of the very first viruses had logic bombs
• Friday the 13th Virus duplicated itself every
  Friday of the month and on the 13th causing
  slowdown on networks
• Michelangelo Virus, one of the first viruses to
  get news coverage, execute itself on March 6th
  and tried to damage hard-disks

10
Logic Bomb History

• 1985 a programmer at a insurance firm in Texas
  wrote a logic bomb that modified a data retrieval
  function to rewrite part of main memory, rename
  itself, relocate itself, then power down the
  computer.
• 1992 a programmer at General Dynamics was fined
  5,000 Dollars that he was going to come back
  later and charge to remove.

11
Logic Bomb History

• Win32.Kriz.3862 virus in 1999 executed itself on
  Christmas Day and causes serious damage by
  overwriting massive amounts of data on the hard
  disk and rewriting the BIOS
• In 2000, a Deutsche Morgan Grenfell a securities
  trader who had initially been hired as a
  programmer was charged with inserting a logic
  bomb.

12
Protection

• Difficult to prevent truly determined hackers
• Requires thorough commitment to quality
  assurance, strict separation of programming
  duties, and strict security practices after
  deployment.

13
Protection Continued

• Segregate operations from programming and testing
• Have a carefully controlled process from for
  moving code into production
• Give only operations staff write-access to
  production code
• Lock down production code so that is as close to
  impossible for unauthorized people to modify
  programs
• Assign responsibility for specific production
  programs to named positions in operations
• Maintain a list of authorized programmers for
  authorized quality assurance officer before
  accepting changes to production
• Keep records of exactly which modifications were
  installed when and at whose request
• Keep audit trails running at all times and have
  them include a checksum not only be based on the
  record but the record that comes before it.

14
Protection Continued

• Some of these seem more obvious than others
• Not all of these practices are used
• Many companies are not willing or are not able to
  commit the resources needed for quality assurance
  and extensive security measures.

15
Hacking in Media

• Hackers are often glorified by the press and in
  the media
• Hackers that get caught are often young and
  written off as misguided youth
• Anti-Hacking Laws have been enacted that
  dramatically increase the penalties for anyone
  caught

16
Ethical Questions

• Should software producers be allowed to include
  Logic Bombs to ensure final payment?
• According to the governmentno.
• But how many do? Probably a lot.

17
Legitimate Logic Bombs

• Software openly time-limited
• Problems arise if company stops supporting this
  product
• Problems arise if a company goes out of business

18
Summary

• Trap Doors can provide access to a system for
  unauthorized procedures
• Logic Bombs execute malicious code at certain
  time
• Total Security is difficult
• How unethical are these practices, should they
  ever be legal?

19
Resources

• Protecting against program threats
  http//www.unix.org.ua/orelly/networking/puis/ch11
  _01.htm
• Conway, Richard. 2 Code hacking a developer's
  guide to network security 2004.
• A guide to protecting your computer systems from
  hackers. http//www.securitymanagement.com/library
  /Harden0201.html
• Logic Bombs. http//www.nwfusion.com/newsletters/s
  ec/2002/01514405.html
• Thwarted Linux backdoor hints at smarter hackers.
  http//www.securityfocus.com/news/7388
• Backdoor Wikipedia, the Free Encyclopedia.