Unix. The world's first computer virus. - PowerPoint PPT Presentation



Unix. The world's first computer virus.


Threats may exploit weaknesses in. 1. operating system (W32,W95, ... Ref: For Loveletter virus for OUTLOOK (May 2000) http://all.net/journal/cohen0504-2.htm ... – PowerPoint PPT presentation

Slides: 99
Provided by: aksh5
Learn more at: http://web2.uwindsor.ca


Transcript and Presenter's Notes

Title: Unix. The world's first computer virus.

  • Unix. The world's first computer virus.
  • Title of Chapter 1 of The UNIX-HATERS Handbook,
    written by serious computer scientists. ISBN

Classification of Threats
  • Threats may exploit weaknesses in:
  • 1. the operating system (W32, W95, Linux, etc.),
  • 2. the applications they infect (W97M, WordPro,
    X97M, etc.),
  • 3. the language (HTML, VBS, JS, etc.).
  • Delivery of malicious code to a user's machine:
  • the most popular early method of passing viruses
    was by floppy disk;
  • Internet-borne worms require no human
    intervention once started.

Malware, security tools and toolkits
  • Malware: any piece of malicious software.
  • Security tools and toolkits are designed to be
    used by security professionals to protect their
    sites. These can also be used by unauthorized
    individuals to probe for weaknesses. The
    purpose, not the approach, makes a program
  • Many of the programs that fall in the malware
    categories have benevolent uses also.

Benevolent Uses
  • Worms can be used to distribute computation on
    idle processors.
  • Trap doors / back doors are useful for debugging.
  • A trapdoor is code that recognizes some
    special (unlikely) sequence of inputs, or is
    triggered by being run from a special ID.
  • Some programs require special privileges and
    authentication to access them, or they may require
    a long setup (providing many initial values of
    variables) and authentication.

Benevolent Uses of Trap doors and Viruses
  • While debugging, one may want to be able to open
    the program without going through these
  • A trapdoor allows one to activate the program
    even if something is wrong with the
    authentication procedure.
  • Viruses can be written to update source code and
    patch bugs.

Classification of Malicious programs
First Method
Malicious programs:
  Need a host program: Trap doors, Logic Bombs, Trojan Horses, Viruses
  Do not need a host program: Zombie, Worms
A Logic Bomb or a Trojan Horse may be part of a
Virus or Worm.
Classification of malicious programs
  • Programs that do not replicate consist of
    fragments of programs that are activated
  • when the host program is invoked, or
  • when, in the host program, a specific function is
  • Programs that replicate consist of
  • a program fragment (example: viruses), or
  • an independent program (example: worm or
  • that, when executed, may produce one or more
    copies of itself on the same system or some other

Classification of Malicious Program
The Second Method
(Figure: malicious programs divided into those that
won't replicate and those that replicate themselves;
the categories shown are Trap Doors, Logic Bombs,
Trojan Horses, Viruses, Zombie and Worms.)
Ref: Fig 19.1, p. 599, Stallings 2003
Malicious Software
  • Malicious software runs under the user's
    authority (without his knowledge and permission),
  • hence can do all that the user can himself do.
  • TYPES: Back doors / trap doors allow
    unauthorized access to your system.
  • Logic bombs: programmed threats that lie dormant
    for an extended period of time until they are
    triggered; at this point, they perform a function
    that is not the intended function of the program
    in which they are contained.

Triggers for logic Bombs
  • Logic bombs usually are embedded in programs
    by software developers who have legitimate access
    to the system.
  • Triggers for logic bombs:
  • presence or absence of certain files;
  • particular day of the week or date;
  • particular user running the application.

Trojan horses
  • Trojan horses: programs that appear to have one
    function but actually perform another function.
  • The modern-day Trojan horses resemble a program
    that the user wishes to run: a game, a
    spreadsheet, or an editor.
  • While the program appears to be doing what the
    user wants, it is also doing something else,
    unrelated to its advertised purpose, and without
    the user's knowledge.

Examples of Trojan horse attacks
  • A compiler was modified to insert additional code
    into certain programs as these are compiled.
  • The code creates a trapdoor in the login
    program that permits the author to log on to the
    system using a special word. Difficult to
    discover by reading the source code of the
  • Ref: [THOM84] in Stallings 2003

Examples of Trojan horse attacks
  • Attach a program to the regular program for
    listing the user's files in a particular format.
    The attached program may change the file
    permissions to make them readable by any user.
    After the program is executed, anyone can read
    the files.

  • Viruses: programs that modify other programs on
    a computer, inserting copies of themselves.
  • Viruses are not distinct programs:
  • they need to have some host program, of which they
    are a part, executed to activate them;
  • they execute secretly when the host program is run.
  • A typical virus, in a computer, takes control of
    its Disk Operating System. Whenever it comes in
    contact with any uninfected piece of software, a
    fresh copy of the virus is attached to the new
  • Reference: The term "virus" for a malicious
    program is due to Cohen. Cohen, F., "Computer
    Viruses", in Computer Security: A Global Challenge,
    Elsevier Press, 1984, pp. 143-158.

  • Worms: programs that propagate from computer to
    computer on a network, without necessarily
    modifying other programs on the target machines.
  • Worms
  • can run independently,
  • travel from machine to machine across a network,
  • may have portions of themselves running on many
    different machines.
  • Worms do not change other programs, although they
    may carry other code that does (for example, a
    true virus or a Trojan horse may be implanted by
    a worm).

Worms (continued)
  • To replicate itself, a worm uses some network
    vehicle. Examples:
  • Electronic mail: A worm may mail a copy of itself
    to another system.
  • Remote execution capability: A worm may execute a
    copy of itself on another system.
  • Remote log-in capability: A worm logs on to another
    system as a user and then uses commands to copy
    itself to the remote system.
  • In a multiprogramming system, a worm may hide
    itself by naming itself as a system process.

Worms (continued)
  • A worm may determine whether a host has been
    infected before copying itself.
  • It may examine the routing tables to locate the
    addresses of remote machines to which it may
    connect, without informing the owner of
    the local host.
  • Examples of worms:
  • Morris (1988) for Unix systems,
  • Code Red (July 2001), Code Red II,
  • NIMDA (late 2001)

Phases of a virus and a worm
  • A worm as well as a virus has the following phases:
  • 1. Dormant phase: activated
  • on some date, or
  • by the presence of some file or program, or
  • by some action like the data on disc exceeding a
    certain limit.
  • Some viruses may not have this stage.

Phases of a virus and a worm (continued)
  • 2. Propagation phase: Both a worm and a virus
    check whether the file/system is already
    infected. If not, they do the job.
  • 3. Triggering phase: may be caused by some
    system event.
  • 4. Execution phase: Performs a function:
  • benign, like showing a message on
  • non-benign, to damage/destroy certain files.
  • Viruses are designed to take advantage of the
    weaknesses of the OS and/or a hardware platform.

Spreading Malware via the Internet
  • Trojan Horse vs Virus
  • Whereas a Trojan horse is delivered pre-built, a
    virus infects.
  • Propagation of viruses: Malicious programs used to
    arrive via tapes and disks, and the spread of a
    virus around the world took many months.
  • Today, Trojan horses and viruses are network
    deliverable as
  • e-mail, Java applets, ActiveX controls,
    JavaScript pages, CGI-BIN scripts, or as
    self-extracting packages.
  • They could arrive as a part of a game or a
    useful utility, copied from some electronic
    bulletin board.

Mobile program Systems
  • Mobile-program systems, e.g. Java and ActiveX.
  • This technology became popular with Web servers
    and browsers, but it is now integrated (e.g. Java
    into Lotus Notes, and ActiveX into Outlook) mail
  • Security bugs exist in both Java and ActiveX.
  • A mobile program may act as the carrier of a
  • Any mechanism for sharing files (programs,
    data, documents or images) can transfer a virus.

Structure of Viruses
  • In the infected binary, at a known byte location
    in the file, a virus inserts a signature byte,
    used to determine if a potential carrier program
    has been previously infected.
  • On invoking an infected program, it first
    transfers control to the virus part.
  • The virus part infects uninfected executable
  • Secondly, it may damage the system in some way.
  • Or, like a logic bomb, the damaging action may
    take place in response to some trigger.
  • Finally it transfers control to the original
  • Usually the first two steps take so little
    time that one may fail to notice any difference.

Normal .COM vs. Infected .COM (figure)
Structure of a virus program
    V()
    {
        infectExecutable();
        if (triggered())
            doDamage();
        /* jump to main of the infected program */
    }

Structure of a virus program (continued)
    void infectExecutable()
    {
        file = choose an uninfected executable file;
        prepend V to file;
    }

    void doDamage()
    {
        ...
    }

    int triggered()
    {
        return (some test ? 1 : 0);
    }

Types of Viruses
  • Types of viruses:
  • Parasitic virus
  • It attaches itself to executable files and
    replicates, when the infected program is
    executed, by finding other files to infect.
  • Memory-resident virus
  • It stays in main memory as a part of a system
    program. Then it infects every program that
    executes. (Like Terminate and Stay Resident,
    TSR, programs.)

Types of viruses (continued)
  • Boot sector virus
  • It infects a boot record and spreads when a
    system is booted from the disk containing the
  • The boot sector contains crucial files, hence
    it is made invisible by the OS, so boot-sector
    virus files will not show up in a normal listing
    of files.
  • Polymorphic virus
  • Creates copies that are functionally
    equivalent but have distinctly different bit
    patterns. Thus the signature of each copy will vary
    and a virus scanner will find it difficult to
    locate it.

Methods used by Polymorphic Viruses
for variation in signature
  • Random insertion of superfluous instructions.
  • Interchanging the order of independent
  • Use of encryption: The virus has a mutation
    engine which generates a random key, and then the
    engine is altered; the key is stored with the
    rest of the virus, which is encrypted.
  • When this virus infects another host, the altered
    mutation engine generates a different key.
  • Thus every host would carry a different signature
    for the virus.

The Stealth Virus
  • There are two other types: the stealth virus and
    the macro virus.
  • A stealth virus has code in it that seeks to
    conceal itself from discovery or defends itself
    against attempts to analyze or remove it.
  • The stealth virus adds itself to a file or boot
    sector but, when you examine it, it appears normal
    and unchanged.

Methods used by Stealth Virus
  • The stealth virus performs this trickery by
    staying in memory after it is executed. From
    there, it monitors and intercepts your system
  • When the system seeks to open an infected
    file, the stealth virus displays the uninfected
    version, thus hiding itself.
  • The four types of viruses, discussed in slides 32
    and 33, make an infected file longer than it was,
    making it easy to spot.
  • There are many techniques to leave the file
    length and even a checksum unchanged and yet

Stealth technique Keeping the file
length unchanged
  • For example, executable files often contain
    long sequences of zero bytes, which can be
    replaced by the virus and re-generated.
  • It is also possible to compress the original
    executable code, like the typical Zip programs do,
    uncompress it before execution, and pad with
    bytes so that the checksum comes out to be what
    it was.

  • Macro languages are (often) equal in power to
    ordinary programming languages such as C.
  • A program written in a macro language is
    interpreted by the application.
  • Macro languages are conceptually no different
    from so-called scripting languages.
  • GNU Emacs uses Lisp; most Microsoft applications
    use Visual Basic script as their macro language.
  • The typical use of a macro in applications, such
    as MS Word, is to extend the features of the

Macros (continued)
  • Can be used to define a sequence of key-strokes
    in a macro and to set it up so that when a
    function key is pressed, the whole of the sequence
    is invoked.
  • Some of these macros, known as auto-execute
    macros, are executed in response to some events,
    such as:
  • closing a file,
  • opening a file,
  • starting an application,
  • invoking a command such as FileSave, or
  • pressing a certain key.

Auto-executing Macros in WORD
  • Three types of auto-executing macros:
  • 1. Start-up auto-execute: executed when WORD is
  • 2. Automacro: executes on some event like
    opening/closing a document, creating a new
    document, or quitting WORD.
  • 3. Command: executes when a WORD command (like
    FileSave) is executed.
  • MS has developed a Macro Virus Protection Tool.
    It detects suspicious files and alerts the user
    to the risk of opening them.

Macro Viruses
  • Macro Viruses form a large majority of the total
    number of viruses today.
  • A macro virus is a piece of self-replicating code
    inserted into an auto-execute macro.
  • Once a macro is running, the virus copies
  • itself to other documents.
  • Another type of hazardous macro is one named for
    an existing command of an application.

Macro Viruses (continued)
  • Example: If a macro named FileSave exists in the
    normal.dot template of MS Word, that macro is
    executed whenever you choose the Save command on
    the File menu.
  • Unfortunately, there is often no way to disable
    such features.
  • Such macro viruses may be carried in the command
    part of a text file, a database, a slide
    presentation or a spreadsheet. The user sees only
    the data part and not the command part, so he
    would not be able to see the malicious code.
  • Ref: for the Loveletter virus for OUTLOOK (May 2000):
  • http://all.net/journal/cohen0504-2.htm
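Added example (not from the slides, and not Microsoft's Macro Virus Protection Tool): a small static check in Python over the text of a Word VBA module. It flags the two hazardous macro kinds the slides describe, auto-executing macros (the Auto* names and the Document_* event handlers) and macros named after a built-in command such as FileSave, which Word runs in place of that command. The module text is assumed to be already extracted as a string, the name tables are an illustrative rather than exhaustive assumption, and the sample module is constructed.

```python
"""Static check for hazardous Word macros (added example, not from the slides).

Flags auto-executing macros (AutoExec, AutoOpen, ... and Document_* event
handlers) and macros that shadow a built-in Word command (e.g. FileSave).
Assumptions: the VBA module text is already extracted as a string, and the
name tables below are illustrative rather than exhaustive.
"""
import re

# Classic auto-executing macro names: AutoExec runs when Word starts,
# the others on document open/close/new/exit events.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
# Event handlers in the ThisDocument module behave like automacros.
EVENT_HANDLERS = {"document_open", "document_close", "document_new"}
# Built-in command names a macro may shadow (FileSave is the slides' example;
# the rest are an assumed, partial list).
COMMAND_NAMES = {"filesave", "filesaveas", "fileopen", "fileprint", "toolsmacro"}

# A procedure header: optional scope, Sub/Function, the name, opening paren.
# VBA is case-insensitive, hence IGNORECASE and the lower-cased tables.
PROC_RE = re.compile(
    r"^[ \t]*(?:public[ \t]+|private[ \t]+)?(?:sub|function)[ \t]+([a-z_]\w*)[ \t]*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_procedures(module_text):
    """Return [(name, line_number)] for every Sub/Function declared in the module."""
    return [
        (m.group(1), module_text.count("\n", 0, m.start()) + 1)
        for m in PROC_RE.finditer(module_text)
    ]


def classify(name):
    """Map a procedure name to the hazard class it belongs to, or None."""
    key = name.lower()
    if key in AUTO_MACROS or key in EVENT_HANDLERS:
        return "auto-execute"
    if key in COMMAND_NAMES:
        return "command-override"
    return None


def scan_module(module_text):
    """List every hazardous procedure with its line number and hazard class."""
    return [
        {"name": name, "line": line, "kind": kind}
        for name, line in find_procedures(module_text)
        if (kind := classify(name)) is not None
    ]


def should_warn(module_text):
    """True when the module holds a macro that runs without an explicit user action."""
    return bool(scan_module(module_text))


# Constructed sample module (the 'Payload' body is intentionally empty).
SAMPLE_MODULE = """Attribute VB_Name = "Module1"
Sub AutoOpen()
    Call Payload
End Sub

Private Sub FileSave()
    Call Payload
    ActiveDocument.Save
End Sub

Sub Payload()
    ' constructed placeholder: no body
End Sub

Function Helper(x As Integer) As Integer
    Helper = x + 1
End Function
"""

if __name__ == "__main__":
    for f in scan_module(SAMPLE_MODULE):
        print(f"line {f['line']}: {f['name']} ({f['kind']})")
    print("warn user:", should_warn(SAMPLE_MODULE))
```

On the constructed module the check reports AutoOpen (auto-execute) and FileSave (command-override) and leaves Payload and Helper alone; a real tool would run this over every module extracted from the document, including the normal.dot template the slides mention.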

Spread of Macro Viruses
  • Macro viruses spread fast because:
  • Macro viruses may be platform independent, in that
    any hardware/software platform that supports the
    particular application can be infected.
  • Macro viruses affect documents and not executable
    portions of code.
  • They spread easily by e-mail.
  • Ex: A virus called Melissa used a macro
    embedded in a WORD document attached to an
    e-mail.

  • On opening the WORD attachment of the e-mail,
  • it damages the local machine and
  • it sends itself to all the addresses in the
    e-mail address book.
  • In 1999, new e-mail viruses appeared. These would
    be able to infect as soon as one opens the
    carrier e-mail, and not by opening an attachment.

Unix/Linux Viruses
  • The most famous of the security incidents in the
    last decade was the Internet Worm incident, which
    began from a Unix system.
  • Several Linux viruses have been discovered.
  • The Staog virus first appeared in 1996 and was
    written in assembly language by the VLAD virus
    writing group, the same group responsible for
    creating the first Windows 95 virus, called Boza.
  • Like the Boza virus, the Staog virus is a
    proof-of-concept virus to demonstrate the
    potential of Linux virus writing without actually
    causing any real damage.

Unix/Linux Viruses (continued)
  • The second known Linux virus is called Bliss.
  • Unlike the Staog virus, the Bliss virus can not
    only spread in the wild, but also possesses a
    potentially dangerous payload that could wipe out

  • Zombie: A program that takes over a computer,
    without any authorization and without informing
    the owner of the system.
  • The program originates from some other host.
  • It then uses the computer that has been taken
    over for attacking a victim.
  • Objectives: To hide the originator of the attack;
  • to attack the victim through a
    large number of zombie computers (as in a DDoS

Bacteria or rabbit
  • Bacteria, or rabbit programs, replicate without
    bound to overwhelm a computer system's resources.
  • Bacteria do not explicitly damage any files.
    Their sole purpose is to replicate themselves.
  • A typical bacteria program may do nothing more
    than execute two copies of itself simultaneously
    on multiprogramming systems, or perhaps create
    two new files, each of which is a copy of the
    original source file of the bacteria program.

Bacteria continued
  • Both of those programs then may copy themselves
    twice, and so on. Bacteria reproduce
    exponentially, eventually taking up all the
    processor capacity, memory, or disk space,
    denying the user access to those resources.

  • A dropper: a program that is not a virus, nor is
    it infected with a virus, but when the program is
    run, it installs a virus into memory, onto the
    disk, or into a file.
  • Droppers have been written sometimes as a
    convenient carrier for a virus, and sometimes as
    an act of sabotage.
  • Some anti-virus programs try to detect droppers.

Virus Detection
  • In the following slides on detection and removal
    of viruses, "virus" is used to stand for all
    types of malicious programs.
  • Virus detection programs analyze a suspect
    program for the presence of known viruses.
  • Fred Cohen has proven mathematically that
    perfect detection of unknown viruses is
    impossible: no program can look at another program
    and say either "a virus is present" or "no virus
    is present", and always be correct.

Virus Detection (continued)
  • Most new viruses are sufficiently like old
    viruses that scanning for old viruses may find
    the new ones.
  • There are a large number of heuristic tricks that
    anti-virus programs use to detect new viruses,
    based either on how they look or on what they do.
  • Since brand-new viruses are comparatively rare,
    these methods may suffice.
  • After detection of a virus, its identification
    and removal are required.

Generations of virus scanners
  • First-generation virus scanners used a
    virus signature, a bit pattern, to detect a known
  • They record and check the length of all
  • Second-generation scanners scan executables with
    heuristic rules, looking for fragments of code
    associated with a typical virus.
  • They also do integrity checking by calculating
    a checksum of a program and storing the encrypted
    checksum somewhere else.

Generations of virus scanners (continued)
  • Second generation (continued): A better method
    is storing a hash function rather than a
  • The encryption key is stored at a separate
  • Third-generation scanners use a memory-resident
    program to monitor the execution behavior of
    programs, identifying a virus by the types of
    action that the virus takes.
  • Fourth-generation scanners combine all the previous
    approaches and include access control
    capabilities so that system penetration and
    access to files may be denied.
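Added example (not the slides' code, nor any product's): a Python scanner that models the first two generations described above, and the signature-byte idea from the "Structure of Viruses" slide. Generation 1 matches known byte signatures, either at a fixed offset (the slides' Brain description stores 1234h in the 5th and 6th bytes) or anywhere in the file, and compares file lengths against a record; generation 2 keeps a keyed hash (HMAC-SHA256) per file, with the key held apart from the baseline so that an attacker who can rewrite the baseline cannot recompute valid checksums. The signature database, the key and the sample "files" (byte strings) are all constructed for this example.

```python
"""Signature scanning plus keyed integrity checking (added example; not the
slides' or any product's code).

Generation 1: known signatures at a fixed offset or anywhere, and file lengths.
Generation 2: HMAC-SHA256 per file; the key is kept apart from the baseline.
The signatures, the key and the sample files are all constructed.
"""
import hashlib
import hmac

# Constructed signature database: name -> (fixed offset or None, pattern).
SIGNATURES = {
    # Hypothetical fixed-offset signature modelled on the Brain description:
    # the two bytes 0x12 0x34 at offset 4 (the 5th and 6th bytes).
    "demo-bootsig": (4, b"\x12\x34"),
    # Hypothetical free-floating signature of a known sample.
    "demo-marker": (None, b"DEMO_VIRUS_MARKER"),
}

# Constructed key; in a real deployment it lives apart from the baseline.
KEY = b"constructed-demo-key-stored-elsewhere"


def scan_signatures(data):
    """Generation 1: return the names of every signature present in `data`."""
    hits = []
    for name, (offset, pattern) in SIGNATURES.items():
        if offset is None:
            found = pattern in data
        else:
            found = data[offset:offset + len(pattern)] == pattern
        if found:
            hits.append(name)
    return hits


def keyed_hash(data, key=KEY):
    """Keyed hash of a file's contents; unforgeable without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files, key=KEY):
    """Generation 2: record length and keyed hash for each trusted file."""
    return {name: {"length": len(data), "mac": keyed_hash(data, key)}
            for name, data in files.items()}


def check_file(name, data, baseline, key=KEY):
    """Combine signature scan, length check and keyed-hash check for one file."""
    report = {
        "name": name,
        "signatures": scan_signatures(data),
        "length_changed": False,
        "integrity_failed": False,
        "unknown": name not in baseline,
    }
    if not report["unknown"]:
        entry = baseline[name]
        report["length_changed"] = entry["length"] != len(data)
        # compare_digest avoids timing leaks when comparing MACs.
        report["integrity_failed"] = not hmac.compare_digest(
            keyed_hash(data, key), entry["mac"])
    report["suspicious"] = (bool(report["signatures"])
                            or report["length_changed"]
                            or report["integrity_failed"])
    return report


def demo():
    """Run the checks over a constructed clean file and three tampered variants."""
    clean = b"\x7fELF" + bytes(60)            # constructed 64-byte 'executable'
    baseline = build_baseline({"prog": clean})
    marker = SIGNATURES["demo-marker"][1]
    variants = {
        "clean": clean,
        # Known sample appended: longer file and a signature hit.
        "appended": clean + marker,
        # Stealth-style: marker written over a run of zero bytes, length unchanged.
        "same_length": clean[:20] + marker + clean[20 + len(marker):],
        # Unknown variant: one byte changed, no known signature at all.
        "unknown_variant": clean[:30] + b"\x01" + clean[31:],
    }
    return {label: check_file("prog", data, baseline)
            for label, data in variants.items()}


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:16} {report}")
```

The three tampered variants show why the generations were combined: the appended copy is caught by length and signature, the same-length overwrite (the stealth technique from the slides above) defeats the length check but not the signature or the keyed hash, and the unknown variant with no signature at all is caught only by the keyed hash.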

Advanced Anti-virus Techniques
  • 1) Generic Decryption (GD) Technology
  • It uses the following components:
  • a) CPU emulator: a virtual computer
    with software versions of all registers and other
    processor hardware.
  • b) Virus signature scanner
  • c) Emulation control module
  • Virus elements are usually activated immediately
    after a program starts execution.
  • GD begins execution of an executable file in the
    CPU emulator. As each instruction is executed,
    the signature scanner tries to expose the virus.

Advanced Anti-virus Techniques: Generic
Decryption (GD) Technology
  • A polymorphic virus would decrypt itself and be
    recognized by the signature scanner.
  • This process does not affect the computer, since
    the CPU emulator provides a safe and controlled
  • Difficulties:
  • How many instructions may be interpreted through
    the emulator? This is a design issue.
  • The user would complain if the GD scanner used a
    great deal of computer resources that were then
    not available to the user.
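Added example (not the slides' code, nor any vendor's): a toy Generic Decryption scanner in Python. Each "variant" is a straight-line decryptor for a constructed toy instruction set followed by a payload XOR-encrypted under a per-copy key, so, as the polymorphic-virus slides describe, every copy has different bytes and a static signature scan misses it. The scanner runs the image in a software emulator with its own private memory and re-scans that memory after every instruction; once the decryptor has restored the plaintext, the signature appears. The instruction budget models the design issue raised above (how many instructions to emulate before giving up). The instruction set, the marker and the variants are all constructed; real decryptors loop and real emulators model an actual CPU.

```python
"""Toy generic-decryption (GD) scanner (added example; not the slides' or any
vendor's code).  The instruction set, marker and variants are constructed.
"""
import struct

OP_XORB = 0x01   # XORB addr16, imm8 : mem[addr] ^= imm   (4-byte encoding)
OP_HALT = 0xFF   # stop
MARKER = b"DEMO-PAYLOAD"   # constructed plaintext signature of the 'virus' body


def make_variant(key):
    """Build one polymorphic copy: decryptor + payload encrypted under `key`."""
    assert 1 <= key <= 255, "a zero key would leave the payload in clear"
    code_len = 4 * len(MARKER) + 1          # one XORB per payload byte, then HALT
    code = b"".join(struct.pack("<BHB", OP_XORB, code_len + i, key)
                    for i in range(len(MARKER)))
    code += bytes([OP_HALT])
    body = bytes(b ^ key for b in MARKER)   # encrypted payload
    return code + body


def static_scan(image):
    """Generation-1 style check: is the plaintext signature in the file bytes?"""
    return MARKER in image


def emulate_and_scan(image, budget):
    """Execute `image` in the toy emulator for at most `budget` instructions,
    scanning memory after each one. Returns (detected, instructions_executed)."""
    mem = bytearray(image)                  # the emulator's private memory
    pc = 0
    executed = 0
    while executed < budget and pc < len(mem):
        op = mem[pc]
        if op == OP_HALT:
            break
        if op != OP_XORB:
            raise ValueError(f"unknown opcode {op:#x} at {pc}")
        addr, imm = struct.unpack_from("<HB", mem, pc + 1)
        if addr >= len(mem):
            raise ValueError("out-of-range write")   # sandbox boundary
        mem[addr] ^= imm
        pc += 4
        executed += 1
        if MARKER in mem:                   # signature scanner after each step
            return True, executed
    return False, executed


def gd_scan(image, budget=256):
    """Static scan first, then emulation; returns the verdict and how it was reached."""
    if static_scan(image):
        return {"detected": True, "method": "static", "executed": 0}
    detected, executed = emulate_and_scan(image, budget)
    return {"detected": detected,
            "method": "emulation" if detected else "none",
            "executed": executed}


if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        image = make_variant(key)
        print(f"key {key:#x}: static={static_scan(image)}, gd={gd_scan(image)}")
    print("too small a budget:", gd_scan(make_variant(0x5A), budget=5))
```

Two variants built with different keys share no byte pattern, so `static_scan` misses both, while `emulate_and_scan` detects each after the twelfth emulated instruction; with a budget of five instructions the same image goes undetected, which is exactly the resource trade-off the slide calls a design issue.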

Advanced Anti-virus Techniques:
IBM's Digital Immune System
  • 2) IBM's Digital Immune System (DIS)
  • Since viruses spread through e-mail, the Internet
    and mobile code, IBM has developed this system for
    fast response.
  • When a new virus enters the systems of an
    organization, DIS captures it, analyzes it, adds
    detection and shielding for it, removes it and
    informs other systems running IBM anti-virus
    about it.

Components of DIS
  • 1) Monitoring program, on each PC, uses
    heuristics based on
  • system behaviour,
  • changes to programs,
  • virus signatures
  • to monitor for the presence of a virus in a program.
  • Such an infected program is sent to an
    Administrative Machine in the organization.

Components of DIS (continued)
  • 2) Administrative Machines: one machine located
    at each site.
  • It encrypts a suspect program received from any PC.
  • It sends the encrypted suspect program to the
    Central Virus Analysis machine.
  • 3) Central Virus Analysis machine
  • It provides a safe environment for running the
    suspect program (like the CPU emulator and
    emulation control module of the GD scanner).

Components of DIS continued
  • 3) Central Virus Analysis machine
  • continued..
  • It generates a prescription for identifying and
    removing the virus.
  • The prescription is sent to all the clients in
    the world through their Administrative Machines.

Advanced Anti-virus Techniques:
Behavior Blocking Software
  • 3) Behavior blocking software monitors and
    blocks malicious actions like:
  • attempts to open, view, delete or modify files;
  • attempts to format a disk or other non-recoverable
    disk operations;
  • modifying the logic of executable files or macros;
  • modification of critical settings like start-up
  • initiation of network communication;
  • sending executable content through e-mail or
    instant messaging.

Behavior Blocking Software continued
  • Irrespective of the complexity of a virus, this
    real-time blocking of malicious requests can keep
    the system safe.
  • However, even a behavior which may look normal
    may be problematic: for example, shuffling files may
    make them unusable. So if shuffling of files is
    not blocked, a virus may still succeed in making
    the system unusable.
  • But can we/should we block shuffling of
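Added example (not the slides' code, nor any product's): a rule-based behavior blocker in Python run over a constructed stream of events. Actions on the slides' list (formatting a disk, modifying an executable or macro, changing start-up settings, mailing executable content) are blocked outright, network activity is allowed but logged, and ordinary file work is allowed. Mass renaming ("shuffling" of files) is deliberately not blocked, since it is also normal behaviour, but a process that renames more than a threshold number of files raises an alert for a human, which is one answer to the question the slide leaves open. The event shape, process names, paths and the threshold are all assumptions made for this example.

```python
"""Rule-based behavior blocker over a constructed event stream (added example;
not the slides' or any product's code).  Event shapes, process names, paths
and the rename threshold are assumptions made for this example.
"""
from collections import Counter

# Actions the blocker refuses, with the slide bullet each corresponds to.
BLOCKED_ACTIONS = {
    "format_disk": "non-recoverable disk operation",
    "modify_executable": "modifying the logic of an executable file or macro",
    "modify_macro": "modifying the logic of an executable file or macro",
    "modify_startup": "modification of critical start-up settings",
    "send_executable_attachment": "executable content via e-mail or instant messaging",
    "delete_system_file": "deleting files outside the program's own data",
}
# Actions that are allowed but recorded, so an analyst can correlate them later.
LOGGED_ACTIONS = {"network_connect"}


def decide(event):
    """Return ('block' | 'log' | 'allow', reason) for a single event."""
    action = event["action"]
    if action in BLOCKED_ACTIONS:
        return "block", BLOCKED_ACTIONS[action]
    if action in LOGGED_ACTIONS:
        return "log", "network communication initiated"
    return "allow", ""


def evaluate(events, rename_threshold=5):
    """Run the policy over an event stream.

    Returns {'decisions': [...], 'alerts': [...]}: one decision per event and
    one alert per process that renamed more than `rename_threshold` files.
    """
    decisions = []
    renames = Counter()
    for i, ev in enumerate(events):
        verdict, reason = decide(ev)
        decisions.append({"index": i, "pid": ev["pid"], "proc": ev["proc"],
                          "action": ev["action"], "verdict": verdict,
                          "reason": reason})
        if ev["action"] == "rename_file":
            renames[(ev["pid"], ev["proc"])] += 1
    alerts = [
        {"pid": pid, "proc": proc, "renames": n,
         "note": "mass file renaming: not blocked, review manually"}
        for (pid, proc), n in renames.items() if n > rename_threshold
    ]
    return {"decisions": decisions, "alerts": alerts}


# Constructed sample: a text editor behaving normally, a 'game' that behaves
# like a Trojan horse, and a utility that renames many files.
SAMPLE_EVENTS = [
    {"pid": 101, "proc": "editor.exe", "action": "open_file",
     "target": r"C:\docs\notes.txt"},
    {"pid": 101, "proc": "editor.exe", "action": "modify_file",
     "target": r"C:\docs\notes.txt"},
    {"pid": 202, "proc": "game.exe", "action": "modify_startup",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 202, "proc": "game.exe", "action": "modify_executable",
     "target": r"C:\Windows\explorer.exe"},
    {"pid": 202, "proc": "game.exe", "action": "network_connect",
     "target": "203.0.113.5:80"},
    {"pid": 202, "proc": "game.exe", "action": "format_disk", "target": "D:"},
] + [
    {"pid": 303, "proc": "shuffle.exe", "action": "rename_file",
     "target": rf"C:\docs\file{n}.dat"} for n in range(6)
]


def blocked_actions(result):
    """The set of actions the policy refused (for reports and tests)."""
    return {d["action"] for d in result["decisions"] if d["verdict"] == "block"}


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for d in result["decisions"]:
        print(f"{d['proc']:12} {d['action']:28} {d['verdict']:5} {d['reason']}")
    for a in result["alerts"]:
        print("ALERT:", a)
```

The editor's own file edits pass, which is why the policy keys on the kind of action (start-up settings, executables, disk formatting) rather than blocking every file modification; the six renames by shuffle.exe are each allowed but together produce one alert.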

Prevention, Detection and Removal of Viruses
  • Use software acquired from reliable vendors only.
  • Test all new software on isolated computers:
  • with no hard disk, and
  • not connected to a network, and
  • with the boot disk removed.
  • Check for any unexpected behavior.
  • Scan with an up-to-date virus scanner, which
    should have been installed before running the new

Prevention, Detection and Removal of Viruses
  • Open an attachment only if it is safe.
  • When the system is known to be virus free,
    prepare a recoverable system image and store it
    safely in a write-protected medium
  • Prepare and store safely back-up copies of
    executable system files
  • Use virus scanners and update them regularly.

Prevention, Detection and Removal of Viruses
  • Removal of a virus is possible only if it is
    detected and eliminated faster than it spreads.
  • A resident virus may disable the system calls
    used for deleting it.
  • A virus may be hidden in a variety of files,
    even in normally hidden system files.

Example of Viruses
  • Brain: It locates itself in the upper part of
  • Traps interrupt 19 (used in PCs for disk-read) by
    resetting the interrupt address table to point to
  • Uses interrupt 6 (unused in PCs) to point to the
    former address of interrupt 19.
  • Thus it receives all disk read calls and shows
    only the original uninfected boot sector to a
    user (thus hiding itself).

Example of Viruses Brain
  • It uses the boot sector and 6 other sectors on
    the disk.
  • The Brain virus splits itself into 3 parts.
    The first part is in the boot sector. The other 2
    parts are in two other sectors of the disk.
  • The 3rd sector of the disk contains the original
    boot sector code.
  • Another copy of the virus is stored in the
    remaining 3 sectors on the disk.

Example of Viruses Brain
  • The virus marks the six disk sectors as faulty,
    so that the OS will not use them.
  • Signature: in the 5th and 6th bytes of the file, it
    stores 1234 (hex).
  • Action: with every disk read, it examines the
    file for its signature. If it is not there, it
    infects the file.
  • Name: It changes the label of any disk it attacks
    to the word BRAIN.

Morris Worm
  • Released on the Internet in the evening of Nov 2,
    1988 by Robert T. Morris Jr., a grad student of
  • In 1990 he was sentenced to a fine of 10,000, a
    suspended 3-year jail sentence and 400 hours of community
  • Morris exploited three flaws:
  • 1. The Unix password file is stored in encrypted
  • But anyone can read the ciphertext.

Morris Worm the first flaw
  • To connect to a remote system, it tries to crack
    the local password file by trying the following:
  • the 432 words (like password, guest, coffee,
    coke, aaa, etc.) included in the worm,
  • all the words in the dictionary file stored on
    the system for spell-checking.

Morris Worm the second flaw
  • 2) The second flaw: in fingerd
  • fingerd runs continuously to service requests,
    from other computers, about system users.
  • Security flaw in fingerd: an overflow of the input
    buffer spills into the return address on the stack.
  • When a fingerd call terminates, it may execute
    instructions pushed through the buffer overflow.
    This may cause the worm to connect to a remote

Morris Worm the third flaw
  • 3) The third flaw: in sendmail, in debug
  • Normally sendmail runs in the background. It
    receives a send instruction along with the dest
  • However, in debug mode the worm can send a
    command string in place of the dest address. Then
    this command string may be executed.
  • Assume that the worm has been able to enter a
    host (without its knowledge or permission).

Morris Worm action
  • It examines the following lists on the host:
  • tables giving lists of trusted machines,
  • mail forwarding lists,
  • tables stating the access rights of the local
    host on remote machines,
  • status of network connections.
  • It selects a suitable target.
  • Uses one of the three flaws to send a
    bootstrap program of 99 lines of C code.
  • Through the host, it sends a command to execute
    the program on the target machine.
  • Then the host logs off.

Morris Worm action continued
  • The bootstrap on the target now connects to the host
    to get the rest of the worm.
  • The bootstrap authenticates by sending a password
    (so that a system admin should not be able to get
    the rest of the worm).
  • The host sends the rest of the worm.
  • Efforts at stealth:
  • if any transmission error occurs while
    transferring, the bootstrap deletes all records
    received till then.

Morris Worm Efforts at Stealth
  • After the full code of the worm is received, it is
    encrypted. The original copies are deleted from
    the target.
  • It changes its name and identifier periodically.
  • Because of a flaw in Morris's code, it
    created many copies of the worm on the same
    machine, thereby degrading its performance on
    normal tasks.
  • After Morris, a Computer Emergency Response Team
    was set up at Carnegie Mellon University.

Code Red
  • Uses a security hole in MS Internet Information
    Server (IIS).
  • On July 12, one in 8 of the 6 million IIS servers
    were affected.
  • The first version shows the following text on the
  • Hello!
  • Welcome to http://www.worm.com !
  • Hacked by Chinese !

Code Red Action
  • Days 1 to 19: spawns 99 parallel threads that scan
    for other computers to infect.
  • Days 20-27: it attacks www.whitehouse.gov by DDoS.
  • From day 28 to the end of the month it lies dormant.
  • It disables the System File Checker in Windows.
  • It uses random IP addresses to spread to other

Code Red Action continued
  • It suspends its activities periodically and then
  • Code Red II also installs a backdoor to permit an
    attacker to use the victim machines.
  • It would automatically stop after Oct 2002.
  • Finally it reboots after 24/48 hours, wipes
    itself from memory but leaves the Trojan in place.

Code Red Technique continued
  • Vulnerability in IIS: a buffer overflow in the
    dynamic link library called idq.dll.
  • Code Red II creates a trapdoor by copying
    %windir%\cmd.exe to 4 locations:
  • C:\inetpub\scripts\root.exe
  • C:\progra~1\common~1\system\MSADC\root.exe
  • D:\inetpub\scripts\root.exe
  • D:\progra~1\common~1\system\MSADC\root.exe

Code Red Technique continued
  • Code Red also includes its own copy of
    explorer.exe on the C: and D: drives.
  • It modifies the system registry to allocate Read,
    Write and Execute permission in some directories
    to everyone.
  • The Trojan horse continues to run in the
    background, resetting the registry every 10
  • Thus even if a system admin notices the changes
    in the registry and removes them, the Trojan will
    create the changes again.
  • Code Red may be a beta test for information war.

Two more well-known viruses
  • NIMDA: It had multiple spread modes:
  • e-mail,
  • client-to-client through open network connections,
  • web-server to client,
  • client to web-server,
  • by using the backdoor left by Code Red II.
  • It modifies HTML files and some executable files.
    It creates numerous copies under various names.

The "Slammer" virus
  • The "Slammer" virus (also known as the "SQL" or
    "Sapphire" worm)
  • launched at midnight ET on a Saturday in Jan 2003,
    shut down MS IIS based web-servers worldwide.
  • By Sunday morning, about 150,000 to 200,000
    servers had been compromised.
  • By quickly copying itself and seeking to spread
    to the computers that manage Internet traffic,
    the worm overwhelmed networks worldwide,
  • causing probably the most damaging attack in a
    year and a half.

  • "Malware payloads have been boring...
  • Payloads can be malign and I expect that
  • we'll see more devious payloads over the
  • next few years."
  • - Bruce Schneier,
  • author of Applied Cryptography

Types of Security Threats Additions
  • Denial of service
  • Illegitimate use
  • Authentication
  • IP spoofing
  • Sniffing the password
  • Playback Attack
  • Bucket-brigade attack
  • Generic threats Backdoors, Trojan horses,
    viruses etc

Types of Attack A Revision
  • Most Internet security problems are
  • access control or
  • authentication ones.
  • Denial of service is also popular, but mostly an
  • Types of Attack
  • A passive attack can only observe communications
    or data.
  • An active attack can actively modify
    communications or data.
  • Often difficult to perform, but very
  • Mail forgery/modification
  • TCP/IP spoofing/session hijacking

Security Services: A Revision
  • Security Services
  • From the OSI definition:
  • Access control: protects against
    unauthorized use.
  • Authentication: provides assurance of
    someone's identity.
  • Confidentiality: protects against
    disclosure to unauthorized identities.
  • Integrity: protects from unauthorized data
  • Non-repudiation: protects against the
    originator of communications later denying it.
  • Virus detection and cleaning of files are
    additional services required in a networked system.

Security Mechanisms
  • Security Mechanisms
  • Three basic building blocks are used:
  • Encryption is used to provide
  • can also provide authentication and
    integrity protection.
  • Digital signatures are used to provide
    authentication, integrity protection, and
  • Checksums/hash algorithms are used to
    provide integrity protection, and can provide
    authentication.
  • One or more security mechanisms are combined to
    provide a security service.

Services, Mechanisms, Algorithms
  • Services, Mechanisms, Algorithms
  • A typical security protocol provides one or
    more services.
  • Services are built from mechanisms.
  • Mechanisms are implemented using algorithms.
Security Protocol Layers
  • Security Protocol Layers
  • (Layer diagram, reconstructed as a list from top to bottom)
  • Higher level: E-commerce protocols
  • Higher level: SSL, TLS, SSH, Kerberos
  • IPSec
  • Data Link: hardware encryption
Security Protocol Layers (continued)
  • The further down you go, the more transparent it
    is; the further up you go, the easier it is to deploy.
  • Link level security: if security is provided at
    the link level, all the frames over the link will
    receive the security services.
  • Network layer security: both TCP segments and UDP
    datagrams will benefit from the host-to-host
    security service. (Chapter 13)
  • Transport protocol security: all applications
    that use the protocol will enjoy the security
    services of the protocol. (Chapter 14)
  • Application security: the application protocol
    can be provided with services like
    authentication, data integrity, etc. (Example:
    e-mail security, Chapter 12)

Security at Network Layer only?
  • Security at the network layer
  • can encrypt all the data, and it
  • can authenticate the IP addresses.
  • But it cannot provide user-level security
    services like user authentication.
  • Thus security functions are required to be built
    into the higher layer applications, in addition to
    the provision of blanket coverage at the network
    layer.

Ease of deployment
  • It is easy to deploy security functionality
    at higher layers.
  • Thus PGP has come to be used widely for
    providing e-mail security, while IPSec is
    yet to be rolled out on the Internet.
  • An effective security system can be built
    by carefully choosing an appropriate
    combination of protocols and algorithms.

Multi-pronged approach
  • Attacks come from various fronts.
  • So security also has to be multi-faceted.
  • Example: a mobile user A, who may be a salesman,
    may be allowed to access a company network
    protected by a firewall.
  • A may have a wireless network at home, which may
    be connected to the company network.
  • A malicious user, who may be a neighbor or even a
    computer in a parked vehicle near A's home, could in
    turn become a part of the wireless network.
  • Thus a firewall alone may not be able to provide
    protection from such a malicious user.

Multi Pronged Protection Systems
  • Based on the Behavior Blocking Software idea of slide
  • MPPS
  • monitor traffic characteristics.
  • Use anomalies to develop real-time warnings and
    defensive actions.
  • During an attack, MPPS determines the
    characteristics of malicious attack traffic by
    tracking various attributes of packets, including:
  • source and destination socket addresses
  • IP TTL
  • protocol
  • packet length

Multi Pronged Protection Systems
  • Characterization of the malicious traffic by
    identifying the highest volume values for each
    packet attribute and comparing current
    distributions of the attribute values to normal.
  • Two types of triggers:
  • Bandwidth triggers, based on packet and byte
    rates. They indicate attempts to flood a network
    and consume its bandwidth.
  • Suspicious traffic triggers, based on packets
    that target resources on the network, such as TCP
    SYN flood attack packets.
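As an added example (not from the slides or from any MPPS product), a small Python model of the characterization and the two trigger types described above: it finds the highest-volume value of each packet attribute, reports attributes whose distribution has shifted away from a baseline window, and fires a bandwidth trigger and a SYN-flood trigger over constructed packet records. The packet tuples, thresholds and source addresses are constructed for illustration.

```python
from collections import Counter

# Constructed packet records: (src_ip, dst_port, proto, ttl, length, tcp_flags).
# NORMAL is a one-second window of ordinary web traffic; ATTACK is the same
# window with a SYN flood from a handful of spoofed sources laid on top.
NORMAL = [("10.0.0.%d" % i, port, "tcp", 64, 500, "ACK")
          for i in range(1, 11) for port in (80, 443)]
ATTACK = NORMAL + [("198.51.100.%d" % (i % 7), 80, "tcp", 255, 40, "SYN")
                   for i in range(200)]

ATTRS = {"src_ip": 0, "dst_port": 1, "proto": 2, "ttl": 3, "length": 4}

def distribution(packets, attr):
    """Share of the window's packets carrying each value of one attribute."""
    counts = Counter(pkt[ATTRS[attr]] for pkt in packets)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}

def characterize(packets):
    """Highest-volume value per attribute: the traffic's 'signature'."""
    return {attr: max(distribution(packets, attr).items(), key=lambda kv: kv[1])[0]
            for attr in ATTRS}

def shifted_attributes(current, baseline, threshold=0.4):
    """Attributes whose top value gained more than `threshold` share vs. baseline."""
    shifted = []
    for attr, value in characterize(current).items():
        now = distribution(current, attr).get(value, 0.0)
        before = distribution(baseline, attr).get(value, 0.0)
        if now - before > threshold:
            shifted.append(attr)
    return shifted

def bandwidth_trigger(current, baseline, factor=5.0):
    """Fires when the packet or byte rate is `factor` times the baseline window."""
    pps_ratio = len(current) / len(baseline)
    bps_ratio = sum(p[4] for p in current) / sum(p[4] for p in baseline)
    return pps_ratio >= factor or bps_ratio >= factor

def syn_trigger(packets, min_syn=100, ratio=0.5):
    """Fires when SYN-only segments dominate the window (half-open connection flood)."""
    syn = sum(1 for p in packets if p[2] == "tcp" and p[5] == "SYN")
    return syn >= min_syn and syn / len(packets) >= ratio

if __name__ == "__main__":
    print("bandwidth:", bandwidth_trigger(ATTACK, NORMAL), "syn:", syn_trigger(ATTACK))
    print("signature:", characterize(ATTACK), "shifted:", shifted_attributes(ATTACK, NORMAL))
```

The signature (port 80, TTL 255, 40-byte SYN segments) is what an administrator would then feed into a black-hole or sinkhole route rather than dropping the address block wholesale.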

  • Once an attack is detected, there are two
    solution approaches:
  • Black-hole routing allows the administrator to
    take all malicious traffic and route it to a null
    IP address or drop it.
  • Sinkhole routing: the malicious traffic is sent to
    an IP address where it can be examined.

Multi Pronged Protection Systems
  • Both black-hole and sinkhole routing can be used
  • at the enterprise level, or
  • at the ISP level, where the ISP can prevent the malicious
    traffic from reaching the customer's network.
    (Most ISPs have some level of DDoS traffic
    crossing their networks virtually all the time.
    This costs them money in terms of bandwidth and
    annoys customers.)
  • DISADVANTAGE of using filtering at the ISP: the
    possibility of catching legitimate traffic as

To end
  • three news-items on security:
  • one on ticking time-bombs in the weakest link,
    the PCs,
  • and
  • two on 1st April pranks by security companies.

A honey-pot is added
  • Bill McCarty, an Associate Professor of Web and
    Information Technology at Azusa Pacific
    University, Calif., said a Windows 2000 "honey
    pot" machine that he runs has been added to
    several bot networks, or botnets, reportedly
    many hundreds of thousands strong as of now.
  • (A honey pot is a machine connected to the
    Internet and left defenseless so that security
    experts can observe hackers' activities or

Two pranks of April 1, 2003
  • A news-item in the Register, a U.K. IT news Web
    site: availability of an Intruder Retaliation
    Systems (IRS) by a new (fake) security company.
    The first IRS, called Payback 1.0, is an
    application that
  • instantly and dynamically 'traces' the IP source
    address, no matter how well masked, of the network
    attack/infection and
  • responds by launching either a Domain Name or
    mail server flood attack in the direction of the

The second prank: an advisory posted to BugTraq
(by an Internet security company,
but not on Internet security)
  • A (fake) company called S.E.L.L. warns that "a
    DDoS condition is present in the election system
    in many polypartisan democratic countries. A
    group of determined but unskilled and not
    equipped low-income individuals, usually between
    0.05 and 2 of the overall population of the
    country, can cause serious disruptions or even a
    complete downfall of the democratic system and
    its institutions."
  • The fix for this vulnerability is for affected
    parliaments to either "establish a convenient
    dictatorship or a monarchy, or become the 51st

  • IPSec: IP Security protocol
  • SSL: Secure Socket Layer
  • TLS: Transport Layer Security
  • SSH: Secure SHell
  • Kerberos: Project Athena's Authentication Service
  • SHA: Secure Hash Algorithm
  • DSA: Digital Signature Algorithm
  • RSA: RSA Laboratories, named after its founders
    Ron Rivest, Adi Shamir, Leonard Adleman
  • DES: Data Encryption Standard
  • MD: Message Digest

References
  • 1. To study the details of a scanner:
  • Sandeep Kumar and Gene Spafford, "A Generic
    Virus Scanner in C", Proceedings of the 8th
    Computer Security Applications Conference, IEEE
    Press, Piscataway, NJ, pp. 210-219, 2-4 Dec 1992.
  • 2. For a complete list of known viruses:
  • www.cai.com/virusinfo/encyclopedia/
  • 3. For cryptography:
  • G.C. Kessler, "An Overview of Cryptography",
    http://www.hill.com/library/staffpubs/crypto.
  • RSA Laboratories, RSALabs FAQ,
    http://www.rsasecurity.com/rsalabs/faq/

References continued
  • 4. For MPPS:
  • http://www.mazunetworks.com/products/enforcer.html
  • http://www.intruvert.com/resources/index.htm
  • http://www.okena.com/areas/products/products_liter