CSCE 522 Lecture 12
Program Security: Malicious Code
CSCE Farkas2
Reading
Reading for this lecture:
Required:
– Pfleeger: Ch. 3
Recommended:
– USC Technology Services – Antivirus Protection,
Program Flaws
Taxonomy of flaws:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system
Security Flaws by Genesis
Genesis
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error
Secure Software
Software provides functionality
Functionality comes with certain risks
Software security aims to manage risk
Security is always a secondary concern
Security achievement is hard to evaluate when nothing bad happens
Application of Touchpoints
[Figure: software security touchpoints mapped onto development artifacts. Artifacts: Requirements and Use Cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback from the Field. Touchpoints: 1. Code Review (Tools); 2. Risk Analysis; 3. Penetration Testing; 4. Risk-Based Security Tests; 5. Abuse Cases; 6. Security Requirements; 7. Security Operations; External Review.]
Web Applications
Attacker:
– Downloads the site’s code for offline study
– Maps the site’s functionality and vulnerabilities
– Experiments with the site’s response to supplied data
Several classes of vulnerability exist, ranging from corrupting sites, applications and servers to harming other clients
OWASP Top 10 Vulnerabilities (2013)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
Malware
Kinds of Malicious Code
Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not stand-alone programs: they cannot run on their own.
Bacteria: make copies of themselves to overwhelm a computer system's resources, denying the user access to the resources.
Kinds of Malicious Code
Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses.
Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.
Kinds of Malicious Code
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed.
Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.
Dropper: not a virus or infected file. When executed, it installs a virus into memory, onto the disk, or into a file.
Virus
Virus lifecycle:
1. Dormant phase: the virus is idle. (Not all viruses have this stage.)
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.
Virus Types
Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory-resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.
Virus Types
Boot sector viruses:
– Infect the boot record and spread when the system is booted.
– Gain control of the machine before the virus detection tools.
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS
Virus Types
Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.
Polymorphic virus: a virus that mutates with every infection, making detection by the “signature” of the virus difficult.
How Viruses Append
[Figure: Original program + virus = virus appended to the end of the program.]
How Viruses Append
[Figure: Original program + virus = virus surrounding the program (Virus-1 before the program, Virus-2 after it).]
How Viruses Append
[Figure: Original program + virus = virus integrated into the program (Virus-1 through Virus-4 interleaved with the program code).]
How Viruses Gain Control
Virus V has to be invoked instead of target T.
– V overwrites T
– V changes pointers from T to V
High-risk virus properties:
– Hard to detect
– Hard to destroy
– Spread infection widely
– Can re-infect
– Easy to create
– Machine independent
Antivirus Approaches
Prevention: disallow the download/execution.
Detection: determine infection and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.
Preventing Virus Infection
Prevention:
– Good source of software installed
– Isolated testing phase
– Use virus detectors
Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources
Virus Detection
1. Virus signature: needs constant update
– Storage pattern
  Code always located at a specific address
  Increased file size
– Execution pattern
– Transmission pattern
– Polymorphic viruses (evade fixed signatures)
Virus Detection
2. Heuristics: monitoring files and how programs access these files
– Suspicious access alert
Cloud-based detection: perform virus scanning remotely
– Who do we trust?
Firewall-based detection of abnormal activities
– Not virus detection, but detection of abnormal communication patterns
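To make the signature and storage-pattern checks of the two Virus Detection slides concrete, here is an added Python sketch (not from the lecture) of a toy scanner: a byte-signature match plus a size/hash baseline comparison, run over a constructed in-memory "disk". The signature strings, file names and the mutated variant are all constructed for illustration and are inert marker strings, not real virus code.

```python
import hashlib

# Constructed signature database (inert marker strings, not real virus code).
SIGNATURES = {
    "DEMO-A": b"\x90\x90\xeb\x1fDEMO-VIRUS-A",
    "DEMO-B": b"LOGIC-BOMB-TRIGGER:2099-01-01",
}
# A constructed "polymorphic" variant of DEMO-A: same role, different bytes.
MUTATED_A = b"MUTATED-VARIANT-OF-A"

def scan_signatures(data):
    """Signature detection: names of every known byte pattern found in the file."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def baseline(files):
    """Record size and SHA-256 of each file while the system is known clean."""
    return {p: (len(d), hashlib.sha256(d).hexdigest()) for p, d in files.items()}

def check_integrity(files, base):
    """Storage-pattern detection: files that appeared, grew, or changed since baseline."""
    findings = {}
    for path, data in files.items():
        if path not in base:
            findings[path] = "new file"
            continue
        size, digest = base[path]
        if len(data) > size:
            findings[path] = f"grew by {len(data) - size} bytes"   # appended code
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[path] = "modified in place"                  # overwritten/integrated
    return findings

def scan_system(files, base):
    """Run both checks; a file is reported if either one fires."""
    report = {}
    for path, data in files.items():
        for name in scan_signatures(data):
            report.setdefault(path, []).append(f"signature {name}")
    for path, why in check_integrity(files, base).items():
        report.setdefault(path, []).append(f"integrity: {why}")
    return report

# Constructed sample disk: a clean snapshot, then the same files after infection.
CLEAN = {"bin/editor": b"EDITOR-CODE" * 4, "bin/shell": b"SHELL-CODE" * 4}
INFECTED = {
    "bin/editor": CLEAN["bin/editor"] + SIGNATURES["DEMO-A"],          # virus appended
    "bin/shell": MUTATED_A.ljust(len(CLEAN["bin/shell"]), b"\0"),      # mutated variant overwrote it
    "bin/dropper": SIGNATURES["DEMO-B"],                               # new dropper file
}
```

Calling `scan_system(INFECTED, baseline(CLEAN))` flags bin/editor and bin/dropper by signature and all three files by the integrity check; the mutated copy in bin/shell is missed by the signature scan and caught only because its hash no longer matches the baseline.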
Worm
Self-replicating (like a virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., host tables)
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes
Adware and Spyware
Adware: malware designed to display advertisements in the user’s software
– May be harmless or harmful
Spyware: malware that spies on the user
– Information is collected from the user’s computer and its usage
– Generally degrades system performance
Scareware
Malware:
– with malicious payloads, or of limited or no benefit
– intended to cause shock, anxiety, or the perception of a threat
Rapidly increasing, high-impact attacks
Scareware warnings:
– look like actual warnings from your system
– are hard to close
– are designed to appear legitimate
Scareware
[Figure: sample scareware warning. Copyright: FBI, ‘Scareware’ Distributors Targeted,]
Ransomware
Holds a computer system, or the data it contains, hostage against its user by demanding a ransom.
– Disables an essential system service or locks the display at system startup
– Encrypts some of the user's personal files
Victim has to:
– enter a code obtainable only after wiring payment to the attacker or sending an SMS message
– buy a decryption or removal tool
CryptoLocker Ransomware
[Figure: CryptoLocker ransom screen. Copyright: FBI, CryptoLocker Ransomware Encrypts Users' Files, Nov. 2013]
Next Class
Network Security