
1 Programmed Threats Richard Newman

2 What is a Programmed Threat?
Potential source of harm from computer code
May be in form of
- Executable program
- Executable code attached to another program
- Executable code pushed onto stack of running process
- Standalone script
- Commands run on startup of program
- Commands embedded in “non-executable” file
  – JPEG
  – Postscript
- Macros

3 Examples of Programmed Threats
1. Trojan Horse
– Program that purports to do one thing but (also) does another
2. Virus
– Embedded in another program/file (becomes Trojan)
– Must get user or system to run program/open file
– Infects other files/drives
– Hitchhikes to other file systems on host file via removable media or email
3. Bacteria/Rabbits
– Replicate so fast, use up all resources
4. Worm
– Stand-alone program
– Transfers itself to target system
– Runs automatically on target system (generally)

4 More Programmed Threats
5. Buffer overflow attack
– “Improper” parameters corrupt stack
– Includes executable code
– Return pointer in activation frame may be changed to point to code
6. SQL Injection
– Interpretable commands included in SQL query
– SQL engine executes malicious commands
7. Run command script
– Malicious commands included in .rc (or similar) file
– Commands executed when program is started
8. Back Door/Trap Door
– “Secret” way to get access to system
– May be included for field technicians or administrators
– See http://cm.bell-labs.com/who/ken/trust.html
– Often first goal of intruders
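To make the SQL injection point concrete, here is an added example (not from the lecture) that builds a small SQLite table, runs a lookup once with the value spliced into the query text and once as a bound parameter, and shows that only the spliced form lets quote characters in the input change what the query means; the table contents and inputs are constructed.

```python
import sqlite3


def make_db():
    # Constructed in-memory table (example data, not from the lecture).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "a-secret"), ("bob", "b-secret")])
    return con


def lookup_unsafe(con, name):
    # Vulnerable form: the user-supplied value is spliced into the SQL text,
    # so quote characters inside it are parsed as SQL rather than as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    # Hardened form: the value travels as a bound parameter; the engine never
    # parses it as SQL, so it can only ever match a literal name.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name,))]


def demo():
    con = make_db()
    crafted = "x' OR 'a'='a"  # constructed input containing quote characters
    return {
        "unsafe_normal": lookup_unsafe(con, "alice"),   # ['alice']
        "unsafe_crafted": lookup_unsafe(con, crafted),  # every row: the
                                                        # OR became SQL
        "safe_normal": lookup_safe(con, "alice"),       # ['alice']
        "safe_crafted": lookup_safe(con, crafted),      # [] : no such name
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```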

5 Viruses
1. History
– Von Neumann's self-reproducing automata in 1960's
– See http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
– First seriously appeared in early 1980's – Elk Cloner, Brain
– Big issue with PCs and floppy disks/bulletin boards
2. General MO
– Infected program run – viral code runs first
– Optionally takes measures to hide
– Looks for new files/drives to infect, infects them
– Does “other stuff”
  Logic Bomb
  Time Bomb
  Password cracking
  Install back door
  Wreak havoc
– Returns control to original program

6 Viruses
3. Boot Sector Virus
– Copies boot sector (small bootstrap program) to unused disk block
– Overwrites boot sector with viral code
– Intercepts calls to disk drive/TSR code
– Redirects reads of boot sector to read copy in other location
– Looks for new disk to infect whenever disk is accessed
4. Executable Virus
– Adds viral code to executable program
– May rewrite JUMP instruction to jump to viral code first, then issue JUMP to program code when done
– May modify itself (code transformation) or modify where it is stored to evade detection (polymorphic virus)

7 Viruses
5. Macro Virus
– Included in “non-executable” file with format supporting macros
  Spreadsheets
  Document preparation software
  Graphics editors
– Copies macros into other files of same type
– Modifies file contents to exercise macros
6. Stealth Techniques
– Intercept system calls to modify (man-in-the-middle)
– Modify system meta-information (file control block, process info)
– Compress itself so file size does not change
– Modify itself
– Encrypt viral code

8 Worms
1. History
– 1971 “Creeper virus” at BBN – “Reaper” to kill it
– Name coined in Brunner's “The Shockwave Rider” sci-fi
– Xerox PARC worm for using idle workstations (1982)
– Enabled by network/LAN technology
– Morris worm 1987
– Code Red, etc.
2. General MO
– Standalone program
– Looks for target host
– Transfers loader (micro-FTP) to target host
See http://www.wormblog.com/

9 PARC Worm
3. Xerox PARC worm – 1982
– Users ran server program on workstation when idle
– Worm “head” found idle workstations, sent work
– “Segments” did work, reported to head
– Head had backup segments also
– Had to shut down all stations to get it to stop!
– See Shoch and Hupp, “The Worm Programs: Early Experience with a Distributed Computation,” Xerox Palo Alto Research Center, 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf

10 Morris Worm
4. Morris worm
– Experiment by grad student at Cornell, November 1988
– Looks for target host – random, /etc/hosts, .rhosts
– Tried to get access
  Sendmail “feature” – debug mode
  Symmetry of trust
  Finger flaw – buffer overflow
  Password guessing
– Transferred “grappling hook” to target host
– Grappling hook got rest of worm, ran it
– Overwhelmed hosts with processes
– Overwhelmed networks

11 Morris Worm
4. Morris worm (cont'd)
– Stealth techniques
  “Encrypted” code (flipped MSB in ASCII)
  Changed process name to innocuous program
  Changed process ID periodically – short life per process
  Died completely after short time
– Sendmail access
  Back door, poor configuration, poor interface
– Symmetry of trust
  Remote login without password required
  Host lists trusted hosts
  If a host B is on list of A, likely host A is on list of B
See spaf.cerias.purdue.edu/tech-reps/823.pdf

12 Code Red Worm
5. Code Red Worm – July 2001
– Attacked MS IIS
  Buffer overflow attack
  Patch had been available for a month
– Spread
  Only 1st–19th of month – look for other IIS servers
  Did not determine if IIS server was vulnerable first
– Mischief
  Deface website – “Hacked by Chinese”
  Launch DoS attack 20th–27th of month vs. fixed IP addr

13 Code Red Worm
5. Code Red Worm – IIS buffer overflow request (one line):
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
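As an added detection example (not part of the lecture), the following scans constructed web-server log lines for requests shaped like the Code Red probe on the slide: a GET to /default.ida whose query string carries a long run of N filler and a dense run of %u-encoded values; the log format, the sample lines and the IP addresses are assumed.

```python
import re

# Common-log-style line: ip ident user [timestamp] "METHOD URI PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" '
                    r'(?P<status>\d{3})')

# Two independent signs taken from the slide's request: the long N filler
# that pads the overflowed buffer, and a run of %uXXXX-encoded values.
FILLER_RE = re.compile(r'N{20,}')
UNICODE_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){4,}')

# Constructed query in the shape of the slide's request (filler shortened).
CODE_RED_QUERY = ("N" * 40 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                  "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078"
                  "%u0000%u00=a")

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [19/Jul/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.11 - - [19/Jul/2001:10:00:05 -0400] "GET /default.ida HTTP/1.0" 404 0',
    '192.0.2.12 - - [19/Jul/2001:10:00:09 -0400] "GET /default.ida?'
    + CODE_RED_QUERY + ' HTTP/1.0" 200 0',
])


def classify(line):
    """Return (ip, status, reason) for a Code Red-shaped request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    if not path.lower().endswith("/default.ida"):
        return None
    reasons = []
    if FILLER_RE.search(query):
        reasons.append("long N filler")
    if UNICODE_RE.search(query):
        reasons.append("%u-encoded payload bytes")
    if not reasons:
        return None  # a bare /default.ida request alone is not enough
    return (m.group("ip"), m.group("status"), "; ".join(reasons))


def scan(log_text):
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, status, reason in scan(SAMPLE_LOG):
        print(f"{ip} status={status}: {reason}")
```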


