1 CSCE 522 Lecture 12: Program Security – Malicious Code

2 Reading
CSCE 522 - Farkas
Reading for this lecture:
Required:
– Pfleeger: Ch. 3
Recommended:
– USC Technology Services – Antivirus Protection, https://www.uts.sc.edu/itsecurity/antivirus.shtml

3 Program Flaws
Taxonomy of flaws, by:
– how (genesis)
– when (time)
– where (location)
the flaw was introduced into the system

4 Security Flaws by Genesis
Genesis:
– Intentional
  Malicious: Trojan Horse, Trapdoor, Logic Bomb, Worms, Virus
  Non-malicious
– Inadvertent
  Validation error
  Domain error
  Serialization error
  Identification/authentication error
  Other error

5 Secure Software
– Software provides functionality
– Functionality comes with certain risks
– Software security aims to manage risk
– Security is always a secondary concern
– Security achievement is hard to evaluate when nothing bad happens

6 Application of Touchpoints
(Figure: software artifacts, left to right: Requirements and Use Cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback from the Field. Numbered touchpoints applied to them: 1. Code Review (Tools); 2. Risk Analysis; 3. Penetration Testing; 4. Risk-Based Security Tests; 5. Abuse Cases; 6. Security Requirements; 7. Security Operations; plus External Review.)

7 Web Applications
Attacker:
– Downloads the site's code for offline study
– Maps the site → its functionality and vulnerabilities
– Experiments with the site → its response to supplied data
Vulnerabilities range from corrupting sites, applications, and servers to attacking other clients

8 OWASP Top 10 2013 Vulnerabilities
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2013_Project

9 Malware

10 Kinds of Malicious Code
Virus: a program that attaches copies of itself into other programs. Propagates and performs some unwanted function. Viruses are not stand-alone programs - they cannot run on their own.
Bacteria: make copies of themselves to overwhelm a computer system's resources, denying the user access to those resources.

11 Kinds of Malicious Code
Worm: a program that propagates copies of itself through the network. Independent program. May carry other code, including programs and viruses.
Trojan Horse: secret, undocumented routine embedded within a useful program. Execution of the program results in execution of the secret code.

12 Kinds of Malicious Code
Logic bomb, time bomb: programmed threats that lie dormant for an extended period of time until they are triggered. When triggered, malicious code is executed.
Trapdoor: secret, undocumented entry point into a program, used to grant access without the normal methods of access authentication.
Dropper: not a virus or infected file. When executed, it installs a virus into memory, onto the disk, or into a file.

13 Virus
Virus lifecycle:
1. Dormant phase: the virus is idle (not all viruses have this stage).
2. Propagation phase: the virus places an identical copy of itself into other programs or into certain system areas.
3. Triggering phase: the virus is activated to perform the function for which it was created.
4. Execution phase: the function is performed. The function may be harmless or damaging.

14 Virus Types
Parasitic virus: most common form. Attaches itself to a file and replicates when the infected program is executed.
Memory-resident virus: lodged in main memory as part of a resident system program. The virus may infect every program that executes.

15 Virus Types
Boot Sector Viruses:
– Infect the boot record and spread when the system is booted
– Gain control of the machine before the virus detection tools
– Very hard to notice
– Carrier files: AUTOEXEC.BAT, CONFIG.SYS, IO.SYS

16 Virus Types
Stealth virus: a form of virus explicitly designed to hide from detection by antivirus software.
Polymorphic virus: a virus that mutates with every infection, making detection by the "signature" of the virus difficult.

17 How Viruses Append
(Figure: Original program + virus = Virus appended to program: the original program followed by the virus code.)

18 How Viruses Append
(Figure: Original program + virus = Virus surrounding a program: Virus-1, then the original program, then Virus-2.)

19 How Viruses Append
(Figure: Original program + virus = Virus integrated into program: Virus-1 through Virus-4 interleaved with pieces of the original program.)

20 How Viruses Gain Control
Virus V has to be invoked instead of target T:
– V overwrites T
– V changes pointers from T to V
High-risk virus properties:
– Hard to detect
– Hard to destroy
– Spreads infection widely
– Can re-infect
– Easy to create
– Machine independent

21 Antivirus Approaches
Prevention: disallow the download/execution.
Detection: determine that infection has occurred and locate the virus.
Identification: identify the specific virus.
Removal: remove the virus from all infected systems, so the disease cannot spread further.
Recovery: restore the system to its original state.

22 Preventing Virus Infection
Prevention:
– Install software only from good sources
– Isolated testing phase
– Use virus detectors
Limit damage:
– Make a bootable diskette
– Make and retain backup copies of important resources

23 Virus Detection
1. Virus Signature: needs constant updating
– Storage pattern
  Code always located at a specific address
  Increased file size
– Execution pattern
– Transmission pattern
– Polymorphic viruses: mutate with every infection, so a fixed signature is hard to match
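The two signature-based checks on this slide, a byte-pattern match and the storage pattern (increased file size, changed content), and why a polymorphic virus defeats the first but not the second, as an added example that is not from the lecture. The signature database, the "clean" program and the infected variants are all constructed, made-up bytes; the XOR re-encoding stands in for a real mutation engine.

```python
import hashlib
from dataclasses import dataclass

# Constructed, made-up byte patterns standing in for a scanner's signature
# database; they are not real malware signatures.
SIGNATURES = {
    "DemoAppender": b"\x90\x90\xeb\x1a\x45\x56\x49\x4c",
    "DemoLockerPrefix": b"LOCKME:",
}

@dataclass
class Baseline:
    size: int
    sha256: str

def fingerprint(data: bytes) -> Baseline:
    """Record a clean file's storage pattern: its size and content hash."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())

def scan_signatures(data: bytes) -> list[str]:
    """Signature detection: names of every known pattern found in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def storage_pattern_changed(data: bytes, baseline: Baseline) -> list[str]:
    """Storage-pattern detection: an appended virus grows the file and changes its hash."""
    findings = []
    current = fingerprint(data)
    if current.size > baseline.size:
        findings.append(f"size grew by {current.size - baseline.size} bytes")
    if current.sha256 != baseline.sha256:
        findings.append("content hash changed")
    return findings

def xor_bytes(data: bytes, key: int) -> bytes:
    """Stand-in for polymorphic mutation: the same body re-encoded under another key."""
    return bytes(b ^ key for b in data)

# Constructed sample files: a clean program and two infected variants.
CLEAN = b"MZ\x90\x00program body\x00" * 4
INFECTED = CLEAN + SIGNATURES["DemoAppender"] + b"payload"               # plain append
POLYMORPHIC = CLEAN + xor_bytes(SIGNATURES["DemoAppender"] + b"payload", 0x5A)
BASELINE = fingerprint(CLEAN)                                            # taken while clean
```

The byte-pattern scan flags only the plain append; the size/hash comparison against the clean baseline flags both variants, which is why integrity checks complement signatures.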

24 Virus Detection
2. Heuristics: monitoring files and how programs access these files
– Suspicious access → alert
Cloud-based detection: perform virus scanning remotely
– Who do we trust?
Firewall-based detection of abnormal activities
– Not virus detection, but detection of abnormal communication patterns

25 Worm
Self-replicating (like a virus)
Objective: system penetration (intruder)
Phases: dormant, propagation, triggering, and execution
Propagation:
– Searches for other systems to infect (e.g., via host tables)
– Establishes a connection with the remote system
– Copies itself to the remote system
– Executes
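The firewall-based detection of abnormal communication patterns from slide 24, applied to the worm propagation phase above (one host searching for and connecting to many other systems), as an added example that is not from the lecture. The log lines and their key=value format are constructed for this example; the sliding-window fan-out rule (many distinct destinations on one port from one source in a short time) is the assumed detection logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a made-up format:
# <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_LINES = """\
2013-11-05T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=443 action=allow
2013-11-05T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=443 action=allow
2013-11-05T10:00:10 src=10.0.0.7 dst=10.0.0.1 dport=445 action=allow
2013-11-05T10:00:11 src=10.0.0.7 dst=10.0.0.2 dport=445 action=deny
2013-11-05T10:00:11 src=10.0.0.7 dst=10.0.0.3 dport=445 action=deny
2013-11-05T10:00:12 src=10.0.0.7 dst=10.0.0.4 dport=445 action=allow
2013-11-05T10:00:12 src=10.0.0.7 dst=10.0.0.5 dport=445 action=deny
2013-11-05T10:00:13 src=10.0.0.7 dst=10.0.0.6 dport=445 action=deny
2013-11-05T10:00:14 src=10.0.0.7 dst=10.0.0.8 dport=445 action=deny
2013-11-05T10:01:30 src=10.0.0.7 dst=10.0.0.1 dport=445 action=allow
"""

def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["src"], kv["dst"], int(kv["dport"])

def fanout_alerts(log_text: str, window=timedelta(seconds=30), threshold=5):
    """Return {src: (dport, distinct_dst_count)} for every source that contacts
    `threshold` or more distinct hosts on the same port within `window`.
    Denied connections count too: a scanning worm mostly hits hosts that
    do not answer, and those attempts are the signal."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_key = defaultdict(list)   # (src, dport) -> [(ts, dst), ...] inside the window
    alerts = {}
    for ts, src, dst, dport in events:
        bucket = per_key[(src, dport)]
        bucket.append((ts, dst))
        while bucket and ts - bucket[0][0] > window:   # expire old events
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (dport, len(distinct))
    return alerts
```

Normal client traffic (10.0.0.5, two servers on 443) stays under the threshold; the host sweeping its neighbours on 445 trips it on the fifth distinct destination.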

26 Adware and Spyware
Adware: malware designed to display advertisements in the user's software
– May be harmless or harmful
Spyware: malware that spies on the user
– Information is collected from the user's computer and its usage
– Generally causes system performance degradation

27 Scareware
Malware:
– with malicious payloads, or of limited or no benefit
– intended to cause shock, anxiety, or the perception of a threat
Rapidly increasing, high-impact attacks
Scareware warnings:
– look like actual warnings from your system
– are hard to close
– are designed to appear legitimate

28 Scareware
(Figure) Copyright: FBI 'Scareware' Distributors Targeted, http://www.fbi.gov/news/stories/2011/june/cyber_062211

29 Ransomware
Holds a computer system, or the data it contains, hostage against its user by demanding a ransom.
– Disables an essential system service or locks the display at system startup
– Encrypts some of the user's personal files
The victim has to:
– enter a code obtainable only after wiring payment to the attacker or sending an SMS message
– buy a decryption or removal tool

30 CryptoLocker Ransomware
(Figure) Copyright: FBI CryptoLocker Ransomware Encrypts Users' Files, http://www.fbi.gov/washingtondc/news-and-outreach/stories/cryptolocker-ransomware-encrypts-users-files, Nov. 2013

31 Next Class: Network Security

