
Exploits we will look at


Presentation on theme: "Exploits we will look at"— Presentation transcript:

1 Exploits we will look at
Web exploits: harvesting user accounts, phishing, cross-site scripting attacks in their different flavors (XSS or CSS), cross-site request forgery (XSRF or CSRF). Database exploits: SQL injection. General software vulnerabilities: buffer overflow (review), format string vulnerabilities. Malware (MALicious softWARE): viruses, worms. In this lecture we will cover two types of host-based malware: viruses and worms. Other forms of malware, including Trojans and rootkits, will be covered in the topic “Backdoors”.

2 What is a computer virus?
Viruses. What is a computer virus? Don’t know? Ask your great-great grandparents… Viruses are the most famous form of malware and are almost synonymous with computer security. So why are we studying these? We will look a bit more in depth into computer viruses.

3 “A computer infection program is a simple or self-replicating program,
Virus definition, from the book Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer: “A computer infection program is a simple or self-replicating program, which discreetly installs itself in a data processing system, without users’ knowledge or consent, with a view to either endangering data confidentiality, data integrity and system availability or making sure that users are framed for computer crime.” While it is easy to develop a virus, not every malware can get membership at the “virus country club”. To get membership into the club, the malware has to: (1) usually be self-replicating; simple (non-self-replicating) ones will be considered for membership if they are really good at (3) below; (2) be discreet; malware with a love for 100 W sub-woofers need not apply; (3) have a malicious intent; good-natured malware need not apply.

4 What do you think is the root cause of any virus infestation?
Why do viruses spread? What do you think is the root cause of any virus infestation? Next: dissecting the parts of a virus.

5 Parts of a virus. From the definition in the last slide, two key components of a virus program are: (1) It should be self-replicating: the output of the program should be itself. Class exercise: how would you write a program that creates a copy of itself? Such a program is called a quine. (2) Discreet copy: for a program to be self-replicating it should be able to copy itself into another program. Once the infected program runs, the virus spreads by copying into another program, and so on. Can you write a program that copies itself into another program? It’s not as easy as it seems at first glance, but it isn’t very difficult either. There is actually a name for it: quine.
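An answer to the class exercise above, added here as an example (it is not from the slides or from Filiol’s book): a Python quine. The program keeps a template of its own text with a single hole, and fills the hole with a quoted copy of the template; is_fixpoint() runs the generated text in a fresh namespace and checks that the copy generates exactly the same text again.

```python
# Added example (not from the slides): a Python quine, a program whose
# output is its own source text. The template s holds the whole file, with
# one hole into which a repr() of s itself is spliced back in.
s = '# Added example (not from the slides): a Python quine, a program whose\n# output is its own source text. The template s holds the whole file, with\n# one hole into which a repr() of s itself is spliced back in.\ns = %r\n\n\ndef quine() -> str:\n    """Return the source of this file, rebuilt from the template s."""\n    return s %% s\n\n\ndef is_fixpoint() -> bool:\n    """Run the rebuilt source in a fresh namespace; that copy must produce\n    the same text again, i.e. the output is a fixed point of the program."""\n    ns = {"__name__": "quine_copy"}\n    exec(quine(), ns)\n    return ns["quine"]() == quine()\n\n\nif __name__ == "__main__":\n    print(quine(), end="")\n'


def quine() -> str:
    """Return the source of this file, rebuilt from the template s."""
    return s % s


def is_fixpoint() -> bool:
    """Run the rebuilt source in a fresh namespace; that copy must produce
    the same text again, i.e. the output is a fixed point of the program."""
    ns = {"__name__": "quine_copy"}
    exec(quine(), ns)
    return ns["quine"]() == quine()


if __name__ == "__main__":
    print(quine(), end="")
```

Run with `python quine.py > copy.py` and `diff quine.py copy.py` to see the program reproduce itself byte for byte. The trick is the %r hole: repr() of the template produces exactly the quoted literal that appears in the file, so the template only needs to be written once. Note that this program only reproduces itself to its output; it does not write into any other file, which is the part that separates a quine from the “discreet copy” in point (2) above.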

6 The following is summarized from the book:
Anatomy of a virus. The following is summarized from the book [1]: Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer, page 86. Every virus has three main parts, plus an optional fourth: (1) A “search routine”[1]: viruses search for a host program to infect. Host programs are selected based on some criteria: the host must be executable; it must not be already infected; and it must not make detection easy, e.g. if a host program is limited to only 20 bytes and a virus is 20 bytes long, infecting it will double the size of the host program, making the infection easier to detect. (2) A “copy routine”[1]: the virus executes this method in order to copy itself into a host program. How this occurs we will discuss in one of the next few slides. (3) “An anti-detection routine”[1]: viruses try to avoid detection by anti-virus software. (4) A “potential payload”[1] (this is optional) that can cause damage.

7 Example of a virus. This is a simple virus written as a UNIX shell script. What does it do? It searches for all other shell scripts. For each shell script it first checks if the script contains a copy of itself (the virus). If it doesn’t, the virus goes ahead and copies itself into the new script. How does it copy itself? In the script, $0 allows the virus to refer to itself (the current script). So the condition check if test "./$i" != "$0" is testing whether the script the virus is checking is the current (virus) script itself. tail -n 5 $0 | cat >> $i does two things. The first command, tail -n 5 $0, outputs the last 6 lines of the current (virus) script. If you notice, the virus script has 6 lines, so the command simply outputs the entire virus script. Where does it output it to? To the cat program, which is a concatenation program. The cat program then appends its input, which is the 6 lines of the virus code, to the script being infected, $i. Can you spot the search and copy routine? There is no anti-detection routine in this script. Source: Section 7.2, page 187, Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer.

8 Analyzing this virus. This virus has a few characteristics:
It appends itself to the end of a host program. Most viruses append themselves at the end, not the beginning. Why? The virus may infect a file that has already been infected before. This is not a desirable situation. Why not? The virus can be easily detected. How? (So there is no anti-detection property.) Why do viruses append themselves to the end and not the beginning? This is to avoid disturbing memory references within the code. Remember, when we talk of code, we are talking of machine code, and in machine code instructions reference memory locations. E.g., consider the program below; everything in [] is the memory address.
[8] Add x, y, z; // compute x + y and store in z
[12] Subtract a, b, c; // compute c = a - b
[16] If condition goto 12 // check some condition, and if it holds jump to the instruction at memory address 12
[20] Else goto 8 // jump to memory address 8
If a virus attaches itself to the front of the program, the memory addresses clearly shift, which means the entire code has to be updated to reflect the new shifted addresses; in technical terms we call this “a pain”. Instead viruses append themselves to the bottom of a program, so nothing in the code has to be changed. This virus has a unique signature, so it can be easily detected. First, it must not copy itself into a host program that has already been infected. This is called overinfestation; the word is from the source mentioned below and refers to a virus copying itself into a host program that is already infected. Do you have any ideas on how a virus can prevent itself from “overinfesting” a host program? Second, the virus must not be easy to detect. These two goals may be conflicting. Source for the image and the material in this slide: Section 7.2, page 187, Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer. The textual material is a summary of what appears in the book.
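The defender’s side of the point made above, as an added example (not code from the slides or the book): because an appending virus leaves the original bytes of the host untouched and only grows the file, a file-integrity baseline that records size and SHA-256 per file can not only tell that a script changed but also recognise the “something was appended” pattern, by hashing just the first baseline-size bytes of the current file. The scripts are constructed in-memory stand-ins, and the appended tail is placeholder text, not virus code.

```python
# Added example (not from the slides): a size-plus-hash integrity baseline
# that distinguishes an appended tail from an in-place edit.
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record (size, SHA-256) for every trusted file."""
    return {name: (len(data), sha256(data)) for name, data in files.items()}


def check(files: dict[str, bytes], baseline: dict[str, tuple[int, str]]) -> dict[str, str]:
    """Compare the current files with the baseline.
    Verdict per file: 'ok', 'appended', 'modified', 'missing' or 'new'."""
    verdicts: dict[str, str] = {}
    for name, (size, digest) in baseline.items():
        if name not in files:
            verdicts[name] = "missing"
            continue
        data = files[name]
        if sha256(data) == digest:
            verdicts[name] = "ok"
        elif len(data) > size and sha256(data[:size]) == digest:
            # The original bytes survive as a prefix: something was appended,
            # exactly the footprint of the shell-script virus above.
            verdicts[name] = "appended"
        else:
            verdicts[name] = "modified"
    for name in files.keys() - baseline.keys():
        verdicts[name] = "new"
    return verdicts


# Constructed sample: three clean scripts in the baseline; afterwards one has a
# placeholder tail appended, one was edited in place, one is gone, one is new.
CLEAN = {
    "backup.sh": b"#!/bin/sh\ntar czf /tmp/home.tgz /home\n",
    "rotate.sh": b"#!/bin/sh\nmv app.log app.log.1\n",
    "hello.sh": b"#!/bin/sh\necho hello\n",
}
APPENDED_TAIL = b"# placeholder line 1\n# placeholder line 2\n"  # stand-in, not virus code
AFTER = dict(CLEAN)
AFTER["backup.sh"] = CLEAN["backup.sh"] + APPENDED_TAIL
AFTER["rotate.sh"] = b"#!/bin/sh\nmv app.log app.log.2\n"
del AFTER["hello.sh"]
AFTER["dropper.sh"] = b"#!/bin/sh\n:\n"


def demo() -> dict[str, str]:
    return check(AFTER, make_baseline(CLEAN))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:12} {verdict}")
```

The 'appended' verdict is a heuristic, not proof of infection (a legitimate edit that only adds lines at the end looks the same), but it is cheap and it is precisely the case an appending file infector cannot avoid producing. The same baseline idea applies to binaries and DLLs: a renamed or replaced library no longer matches its recorded hash.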

9 Preventing a virus from “overinfestation” (2)
A couple of ways to prevent “overinfestation”: (1) Viruses insert a signature. Think of it this way: when the virus appends itself to the program, it also includes a “constant” signature such as a string. Before copying, it simply searches for that string in the host program; if the string is present, it doesn’t copy. The main problem with this technique is that the virus is easily detectable. (2) Another option: search for the entire set of lines of code of the virus. E.g., the virus we saw a few slides before had 6 lines of code. Can you write a program that checks whether those 6 lines of code are in the host program or not? If the 6 lines are there, then the host program is already infected. A good virus never gets stuck in an infinite loop: once a virus infects a computer, future copies will not re-infect the same system, so as not to simply take up resources. How do they do this? A couple of ways: drop a signature; before a virus infects a system, it checks whether there is any other program with the same signature. Alternatively, a virus may simply search for its entire source code; when it finds any other program with the same source code (implying the system is already infected), it stops and exits. Why is this important: this feature of viruses makes them easier to detect. Source for the material in this slide: Chapter 7, Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer. The textual material is a summary of what appears in the book.

10 Preventing a virus from being detected
Encryption: some viruses encrypt their entire code except the part which decrypts the code. E.g.: // decryption code // encryption code // virus code. More powerful: polymorphic viruses change their code as they keep propagating. They can accomplish this in a few ways: the lines of the code are moved around (without affecting the functionality), or the code is changed somewhat. To prevent detection, i.e., to hide their signature, viruses employ different obfuscation techniques, including encrypting themselves. Such viruses will have a decryption routine as part of their code; the decryption routine (or code) is not encrypted. A more powerful virus is a polymorphic virus that changes its code as it keeps propagating. For instance, consider the following 3 lines of code: a = b + c; d = 2 * b; c = a + b; These three lines can be shuffled around without changing the semantics to: a = b+c; Source for the material in this slide: Chapter 7, Computer Viruses: From Theory to Applications by Eric Filiol, Collection IRIS, Springer. The textual material is a summary of what appears in the book.
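The two detection methods from slide 9 and the reason slide 10’s line shuffling defeats one of them, as a single added example (not code from the slides or the book). The scanner looks for a constant marker string and, separately, for the virus’s complete body as a run of consecutive lines; the 6-line “virus body” here is constructed placeholder text. Swapping two of its lines, the simplest form of the reordering described above, leaves the marker match intact but breaks the whole-block match.

```python
# Added example (not from the slides): signature scanning of scripts, two ways.
from typing import Sequence


def normalize(lines: Sequence[str]) -> list[str]:
    """Strip trailing whitespace so cosmetic differences cannot hide a match."""
    return [ln.rstrip() for ln in lines]


def contains_marker(text: str, marker: str) -> bool:
    """Way 1: a constant marker string that the virus leaves in every host."""
    return marker in text


def find_block(haystack: Sequence[str], needle: Sequence[str]) -> int:
    """Way 2: look for the complete virus body as consecutive lines.
    Returns the 0-based index of the line where the block starts, or -1."""
    h, n = normalize(haystack), normalize(needle)
    if not n or len(n) > len(h):
        return -1
    for i in range(len(h) - len(n) + 1):
        if h[i:i + len(n)] == n:
            return i
    return -1


# Constructed stand-in for a 6-line virus body (placeholder text, not virus code).
SIGNATURE = [
    "# sig-line 1", "# sig-line 2", "# sig-line 3",
    "# sig-line 4", "# sig-line 5", "# sig-line 6",
]
MARKER = "# sig-line 3"

CLEAN_SCRIPT = "#!/bin/sh\necho backup\n"
INFECTED_SCRIPT = CLEAN_SCRIPT + "\n".join(SIGNATURE) + "\n"
# The same six lines with two of them swapped: the reordering slide 10 describes.
SHUFFLED = SIGNATURE[:]
SHUFFLED[4], SHUFFLED[5] = SHUFFLED[5], SHUFFLED[4]
REORDERED_SCRIPT = CLEAN_SCRIPT + "\n".join(SHUFFLED) + "\n"


def scan(text: str) -> dict[str, bool]:
    """Run both checks over one script and report which of them fire."""
    lines = text.splitlines()
    return {
        "marker": contains_marker(text, MARKER),
        "block": find_block(lines, SIGNATURE) >= 0,
    }


if __name__ == "__main__":
    for label, script in [("clean", CLEAN_SCRIPT), ("infected", INFECTED_SCRIPT),
                          ("reordered", REORDERED_SCRIPT)]:
        print(f"{label:10} {scan(script)}")
```

The exact-block match is the stricter check and gives fewer false positives, but it is brittle: a single reordered line is enough to miss it, which is why anti-virus engines match on shorter, position-independent fragments and on the behaviour of the code rather than on its full text.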

11 Next: How viruses attach themselves.
So far we have seen an example of a toy virus written by Eric Filiol. This virus simply appended itself to a program. Next we will see the different ways viruses attach themselves to a program.

12 Figure 3-5 Virus Surrounding a Program.
Viruses may surround a program, e.g., by adding a decryption routine to the top of a program and the actual malicious code at the bottom. Usually viruses add themselves to the bottom of the victim code with only a few instructions at the top. The few instructions at the top ensure that the virus starts executing first (note: when a program in a high-level language such as Java is compiled, the main method, the first method that executes, is loaded at the top of the executable). Figure 3-5 Virus Surrounding a Program. Image source © Security in Computing, Pfleeger and Pfleeger, Addison-Wesley (recommended text).

13 Figure 3-6 Virus Integrated into a Program.
This slide is self-explanatory. Note that where a virus adds itself to the code is not as important as how a virus obfuscates its code, for instance by splitting itself into multiple parts and integrating itself with the code. Figure 3-6 Virus Integrated into a Program. Image source © Security in Computing, Pfleeger and Pfleeger.

14 Overwriting or completely replacing viruses.
What will happen if a host program is overwritten by a virus? Viruses may fully overwrite the victim. This is done in certain viruses such as boot-sector viruses (more on this later), which makes recovery very difficult. Figure 3-7 Virus Completely Replacing a Program. Image source © Security in Computing, Pfleeger and Pfleeger.

15 Finding a home for a virus.
Viruses are sometimes more effective when they live in certain parts of the disk: as boot-sector viruses, or as memory-resident viruses. Sometimes a virus may not get either of these two places… Then it has to fend for itself: embedded within data files, or as compressed files. Viruses can be memory-resident (most common) or reside as boot-sector viruses (most dangerous). Memory-resident viruses are simply like parasitic code that attaches itself to a program. When the victim program executes, the virus executes too. Boot-sector viruses are more dangerous. Recall what a boot sector is: it is the sector (the slice of the hard drive or the bootable media) which stores the boot loader. When you switch on a computer, its BIOS (basic input/output system) starts executing. The BIOS is a small OS whose main goals are to check that the main I/O devices (keyboard, monitor) are working. It also checks which bootable media are present and boots the media that the user prefers. For instance, assume the BIOS boots from the hard drive. It boots by simply loading the boot loader into memory and passing all control to the boot loader. The boot loader then loads the OS. Boot loaders can be accessed as normal files. E.g., on Linux, the boot loader is a program whose configuration is in the file /boot/menu.lst. A boot-sector virus will attack that file (menu.lst). When the BIOS hands control to the boot loader, it is in fact handing control to the boot-sector virus. The virus can then control all the software, including the OS. Information source © Security in Computing, Pfleeger and Pfleeger.

16 Figure 3-8 Boot Sector Virus Relocating Code.
This figure shows how a boot-sector virus moves the boot loader and inserts itself first. Figure 3-8 Boot Sector Virus Relocating Code. Image source © Security in Computing, Pfleeger and Pfleeger.

17 Finding a virus… Viruses are not completely invisible
Code must be stored somewhere, and for execution the code must be in memory; that stored pattern is called a “signature”. Recall: viruses have signatures… Example of a Code Red worm signature: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3… Information source © Security in Computing, Pfleeger and Pfleeger.
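How a network-side detector would use the signature quoted above, as an added example (not code from the slides or the book): a scanner that matches the request shape, the IIS .ida handler followed by a long run of “N” padding and %u-encoded values, against web-server log lines. The log lines and their simplified “client method path status” format are constructed for this example, and the minimum run length of 20 N’s is this example’s own threshold, not a figure from the slide.

```python
# Added example (not from the slides): matching the Code Red request
# signature against constructed web-server log lines.
import re
from dataclasses import dataclass

# The request shape quoted on the slide: /default.ida? followed by a run of
# 'N' padding and then %u-encoded 16-bit values. N{20,} is this example's own
# minimum, chosen so short, accidental .ida requests do not match.
CODE_RED_RE = re.compile(r"/default\.ida\?N{20,}.*%u[0-9a-fA-F]{4}", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    client: str
    path: str


def parse_line(line: str):
    """Constructed simplified log format: '<client-ip> <method> <path> <status>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def scan_log(lines) -> list[Hit]:
    """Return one Hit per log line whose request path carries the signature."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        client, _method, path, _status = rec
        if CODE_RED_RE.search(path):
            hits.append(Hit(n, client, path))
    return hits


# Constructed sample log: one signature hit, one short .ida request that must
# not match, and ordinary traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /default.ida?" + "N" * 60 + "%u9090%u6858%ucbd3 200",
    "10.0.0.9 GET /default.ida?NNNN 404",
    "10.0.0.5 GET /images/logo.gif 200",
    "garbage line without enough fields",
]


def demo() -> list[Hit]:
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit.line_no}: {hit.client} sent {hit.path[:40]}...")
```

Because the padding and the %u-encoded bytes are what the exploit needs, not incidental details, the signature is stable across every copy of the worm, which is exactly what the slide means by a signature: the worm cannot hide the part that does the work.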

18 Figure 3-9 Recognizable Patterns in Viruses.
Virus detectors also look for recognizable patterns. For instance, strange loops. Figure 3-9  Recognizable Patterns in Viruses. Image source © Security in Computing, Pfleeger and Pfleeger

19 Myth or reality? Viruses can only affect the Windows family of OSes.
Viruses cannot affect hardware. Viruses can be benign and even benevolent! Viruses can modify hidden or program files. Viruses cannot remain after a complete power-off/power-on. Answers: viruses can affect all OSes. They cannot affect hardware. Some researchers have floated the concept of a benevolent virus, a virus that does more good than harm. As an example, the ice cream virus that provides ice cream to all the victims: truly benevolent. Just kidding. As a real example, some researchers have looked at using viruses/benevolent worms to travel across the internet and apply security patches. Of course, when they checked with their legal departments they decided that perhaps they should do further research. Information source © Security in Computing, Pfleeger and Pfleeger.

20 Next: worms. Worms are similar to viruses and operate similarly. The key difference is that they spread across the network. Also, their main purpose so far seems to be to perform denial-of-service type attacks. Worms spread across the internet, and for a long time they had a significant difference from viruses: they were not malicious. While they reduced network speeds, they did no other harm. All that changed, of course, with a worm that did cause damage: Stuxnet. Experts believe that in future worms will be used for targeted cyber attacks.

21 Anatomy of a worm. So what does the code for a worm look like?
The (usual) parts of a worm’s source code are: (1) Select a victim computer on a network. (2) Scan the victim for a specific vulnerability or certain configuration, e.g. scan to see if the victim is executing Microsoft SQL Server (Conficker worm) with a known, unpatched buffer overflow vulnerability. (3) If the vulnerability is found, exploit it and use it to inject a malicious payload into the victim. (4) The payload (in some cases) contains the original worm code, so the victim becomes the new worm launch-pad. (5) Make it a botnet; we will study this in a few slides. The slide is self-explanatory.

22 Anatomy of a worm (2). Select a victim computer on a network.
How does a worm select a victim? Several strategies: randomly generate an IP (e.g., Code Red); provide a range of IP addresses (if the worm is targeted towards a specific victim); scan the current computer for and target the IP addresses of the senders (again for a targeted attack). One of the key parts of a worm is selecting a victim. There are many techniques. Start with an IP, look for its neighbors and keep spreading; this technique is fairly slow. The SQL Slammer worm made a small change to how it found its victims, and this allowed it to spread very fast: it randomly generated the IP. This allowed it to spread to multiple victims (without first checking if they were neighbors etc.). Another technique is called the Flash-Warhol technique: here the worm first populates a list in its code with a set of IP addresses. It then attacks all those IPs at one time (think flash mob). Once that set of IPs are victims, the worms on those machines wait for a while as they populate their lists and then suddenly attack all the lists at once. This technique ensures that the worm spreads in sudden bursts to a large number of machines.

23 Anatomy of a worm. 2. Scan the victim for a specific vulnerability or certain configuration. Scan to see if a specific software (and specific version) is on the victim. This is usually the case when the worm is trying to exploit a specific vulnerability on the victim, e.g., a buffer overflow. Most known worms are based on this concept. E.g., the Conficker worm exploited a vulnerability in MS SQL Server. Read this article: Scan for a specific hardware configuration. Example: the Stuxnet worm; read this article on Wikipedia: Note: one of the best ways to prevent worms is to patch the software with the latest updates. However, these days new types of exploits called zero-day exploits are becoming prevalent. Self-explanatory.

24 Digression: zero-day exploits.
Usually the way things worked in the security world was: a vulnerability that can be exploited by a worm is discovered in a piece of software; in a few days, the software company releases a patch (update) to fix the vulnerability. These days, several worms are using exploits the day the exploits are discovered, before the software company has a chance to develop the patch. Such exploits are called zero-day exploits. E.g., Stuxnet is supposed to have about 20 zero-day exploits [source: Anatomy of a computer virus by Patrick Clair].

25 Anatomy of a worm (3). If the vulnerability is found, exploit it and use it to inject a malicious payload into the victim. The payload (in some cases) contains the original worm code, so the victim becomes the new worm launch-pad. Make it a botnet. Botnet: when a computer becomes the victim of a worm, the worm replicates itself on the computer. The victim computer now starts spreading the worm to other computers and hence becomes a “bot” controlled by the worm. A network of such bots is called a botnet. How is a malicious payload injected? Through buffer overflow or format string vulnerabilities. Botnets are fairly common. Usually once a worm attacks a computer and injects itself, the new computer (along with the culprit) becomes a new worm launch pad.

26 Next: Examples of some worms

27 The classic worm: Morris Worm
The best-known classic worm, released by Robert Morris in 1988. It targeted Unix systems using several propagation techniques: simple password cracking of the local password file and use of rexec; exploiting a buffer overflow in the finger daemon; exploiting the debug trapdoor in the sendmail daemon; if any attack succeeds, then replicate itself. This is the worm that started it all. Robert Morris wanted to count the number of computers on the Internet. In 1988, that was clearly a doable task. So the worm spread from system to system counting, except that due to a flaw it failed to prevent re-infection (so the same system would be infected multiple times), congesting the network and drawing unnecessary attention to itself. Even worm writers are humans who make mistakes. It exploited various vulnerabilities in network-based programs to spread. E.g., a program called finger is always there on UNIX systems. This program is the original “status” button: if you wanted to check if a particular person was on a computer, say at Radford, you could do: finger This program had a buffer overflow, and presto, the worm injected itself. Information source © Security in Computing, Pfleeger and Pfleeger.

28 Morris Worm, lessons learned and creation of CERT
The Morris worm taught a lot of lessons: programs must be simple and not huge (e.g., sendmail is a huge piece of software); secure programming alone is not enough (the sendmail programmers tried removing buffer overflows etc., but still failed); separate functionality; the diversity-in-defense principle: having the same UNIX OS with the same vulnerabilities everywhere allowed the Morris worm to spread. CERT (Computer Emergency Response Team) was created by the U.S. government immediately after the Morris worm; the famous CERT is a direct consequence of it. Information source © Security in Computing, Pfleeger and Pfleeger.

29 Code Red: Hello! Welcome to www.worm.com. Hacked by Chinese!
A new spate of attacks from mid-2001. Code Red exploited a bug in MS IIS to penetrate and spread; it probes random IPs for systems running IIS; it had a trigger time for a denial-of-service attack; the 2nd wave infected servers in 14 hours. Code Red was smart: it did not write anything to the disk. Why not? However, Code Red was easy to detect by humans: it kept defacing web pages (see title). Code Red 2 had a backdoor installed to allow remote control. Self-explanatory. Information source © Security in Computing, Pfleeger and Pfleeger.

30 Code Red 2: The sequel!
Code Red with a trapdoor/backdoor, which allowed the attacker to remotely control the machine. What did it do? Copied the file cmd.exe to four locations … Code Red 2 had a backdoor installed to allow remote control. Information source © Security in Computing, Pfleeger and Pfleeger.

31 Nimda
Nimda used multiple infection mechanisms , shares, web client, IIS, Code Red 2 backdoor. Unlike Code Red, it was not confined to spreading only from web server to web server. It spread through web clients as well! Information source © Security in Computing, Pfleeger and Pfleeger.

32 Adware: Shows ads to users (often comes with free software).
Web bug… Botnets: controlling a large number of victim computers and using them as robots to attack other systems. Adware: shows ads to users (often comes with free software). Click bots. Rootkits: this is a fake collection of useful OS tools… Example: if you visit the jewellery store, it downloads a one-by-one-pixel image from Avenue A, a marketing agency (web beacon), which tracks your web movement. Web beacons or bugs are small images (transparent to the human eye) that reside on websites. The same company (domain) may place web bugs on various websites. When a user visits all of those, their movements can now easily be tracked. Information source © Security in Computing, Pfleeger and Pfleeger.
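A small check for the web beacon described above, added here as an example (not code from the slides or the book): walk the HTML of a page and flag <img> tags that are one pixel by one pixel and are loaded from a host other than the page’s own, which is the footprint of a third-party tracking pixel. The page HTML and the host names (jewellery.example, tracker.example) are constructed for this example; Avenue A is named on the slide but not used here.

```python
# Added example (not from the slides): finding 1x1 third-party images, the
# classic web bug, in a constructed HTML page.
from html.parser import HTMLParser
from urllib.parse import urlparse


class BeaconFinder(HTMLParser):
    """Collect <img> tags that look like web bugs: 1x1 pixels fetched from a
    host other than the page's own."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.beacons: list[str] = []
        self.images = 0

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        self.images += 1
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src (no host) is served by the page's own host.
        host = (urlparse(src).hostname or self.page_host).lower()
        tiny = a.get("width", "").strip() == "1" and a.get("height", "").strip() == "1"
        if tiny and host != self.page_host:
            self.beacons.append(src)


def find_beacons(html: str, page_host: str) -> list[str]:
    """Return the src of every 1x1 image loaded from a third-party host."""
    parser = BeaconFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.beacons


# Constructed page: a logo, a same-host 1x1 layout spacer (not a beacon),
# a 1x1 pixel from a tracking host (the beacon), and an ordinary ad banner.
SAMPLE_PAGE = """<html><body>
<img src="/img/logo.png" width="200" height="60" alt="Jewellery store">
<img src="/img/spacer.gif" width="1" height="1" alt="">
<img src="https://tracker.example/pixel.gif?site=jewellery" width="1" height="1" alt="">
<img src="https://cdn.example/banner.jpg" width="300" height="50" alt="ad">
</body></html>"""


def demo() -> list[str]:
    return find_beacons(SAMPLE_PAGE, "jewellery.example")


if __name__ == "__main__":
    for src in demo():
        print("web beacon:", src)
```

The check only looks at width and height attributes; a pixel sized by CSS, hidden with display:none, or fetched by script rather than an <img> tag will slip past it, so in practice this is one heuristic among several. Its real value is the cross-site part: the same tracking host appearing in the page source of unrelated sites is what lets one company correlate a user’s visits, as the slide describes.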

33 Information on the following slides on stuxnet worm is based on:
The Stuxnet worm. Information on the following slides on the Stuxnet worm is based on: W32.Stuxnet Dossier version 1.4 (February 2011) by Nicolas Falliere, Liam O Murchu and Eric Chien. Notes for Stuxnet are not being provided as there are several external resources, including the link quoted in the slide.

34 Stuxnet (2) Main target: Industrial Control System (ICS)
ICSs are computing equipment specialized for certain applications. Stuxnet targeted a Siemens Simatic S7-300, typically used for automation. ICSs don’t have traditional general-purpose operating systems. Instead, they have what is called a programmable logic controller (PLC). PLCs are mostly programmed in assembly. They are not (typically) connected to the internet. PLCs are programmed and configured on Windows OSes.

35 Stuxnet (3): How did stuxnet work?
The victim was very specific: Siemens S7-300 and S7-400 PLC models running Step7 software (Siemens-developed), with certain specific attributes of the software. PLC configuration is stored in what are called the System Data Blocks (SDBs). Stuxnet targets PLCs with a specific signature: SDBs with certain magic bytes (2C CB 00 01) at offset 50h, which implies that a specific network card is attached. They must also have the hexadecimal codes 7050h and 9500h repeating 33 times! [Source: Stuxnet: Infecting Industrial Control Systems, by O Murchu, slide 5; notes mostly verbatim]

36 Stuxnet (3) How stuxnet enters the PLC
Stuxnet, like a worm, spreads over the network to Windows machines. It uses the following vulnerabilities to reach machines running the Windows OS: self-replication through an auto-execution vulnerability (Microsoft Windows Shortcut LNK/PIF files automatic file execution vulnerability); the Windows print spooler vulnerability; network shares; copying into computers running the WinCC database server; P2P in a LAN. It exploits 4 zero-day Microsoft vulnerabilities. It contacts a command and control center for instructions. It can bypass anti-virus and intrusion detection systems. It hides itself using a rootkit. Finally, it loads itself into the PLC when the Step7 software is being configured. [Source for image and text on this slide: Stuxnet: Infecting Industrial Control Systems, by O Murchu, slide 5, notes mostly verbatim; and text from the W32.Stuxnet Dossier (citation given in an earlier slide).]

37 Stuxnet(4) Before: Original working of Step7 PLC
[Source for images: Explanations derived from this source.] Before: original working of the Step7 PLC. After: Stuxnet renames the original s7otbxdx.dll and gives itself that name, so it can now intercept all the calls in the PLC.

38 Stuxnet (5) The stuxnet code overview:
Stuxnet is packaged as a DLL file. DLLs (dynamic-link libraries) in Windows are programs (library methods) that are packaged together. Library methods can be executed; these methods are called exports. Analogy from Java: in Java programs there are private and public methods. Public methods can be called from other classes. Similarly in DLLs, methods or programs that are exports can be used by other programs. The Stuxnet DLL contained 19 exports (see next slide).

39 Stuxnet (6) Stuxnet DLL exports. Source: W32.Stuxnet Dossier

