
IT Security

Prof. Dr. ir. Jan Devos


Universiteit Gent, Campus Kortrijk
Graaf Karel De Goedelaan 5
BE-8500 KORTRIJK - BELGIUM
T: +32 56 24 12 72 (direct number)
e-mail: jang.devos@ugent.be
linkedIn: www.linkedin.com/in/jangdevos
Blog: jangdevos.wordpress.org
twitter: @jangdevos

Jan Devos

pag. 1

Malicious Software
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or of otherwise annoying or disrupting the victim.


Malicious Software
Programs that exploit system vulnerabilities are known as malicious software, or malware.
Program fragments that need a host program: e.g. viruses, logic bombs and backdoors.
Independent, self-contained programs: e.g. worms and bots.
Either kind may or may not replicate.
Malware is a sophisticated threat to computer systems.

Malware is classified into two broad categories:
based first on how it spreads or propagates to reach the desired targets,
then on the actions or payloads it performs once a target is reached.

It is also classified by:
those that need a host program (parasitic code such as viruses),
those that are independent, self-contained programs (worms, trojans and bots),
malware that does not replicate (trojans and spam e-mail),
malware that does replicate (viruses and worms).

Propagation mechanisms include:
infection of existing content by viruses, which is subsequently spread to other systems
exploitation of software vulnerabilities by worms or drive-by downloads, allowing the malware to replicate
social engineering attacks that convince users to bypass security mechanisms to install Trojans, or to respond to phishing attacks

Payload actions performed by malware once it reaches a target system can include:
corruption of system or data files
theft of service: making the system a zombie agent of attack as part of a botnet
theft of information from the system, e.g. by keylogging
stealthing: hiding its presence on the system


Backdoor / Trapdoor
Secret entry point into a program
Any mechanism that bypasses a normal security check
Legitimate use: a maintenance hook (e.g. CTRL-ALT-DEL)
gives the developer quick access to a program
while avoiding the authentication procedure
Threat: difficult to prevent or detect
Countermeasure: control over the development and maintenance activities

Easter Eggs

http://www.eeggs.com

Examples:
WORD:
1. Open a new Word document
2. Type "=rand(200,99)" (without the quotes)
3. Press Enter
4. Wait a few seconds and see

FIREFOX:
1. Type about:mozilla in the address bar
2. Hit Enter

Logic Bomb
Program inserted into software by an intruder
Lies dormant until a predefined condition is met
Then performs an unauthorized act
Case study: Tim Lloyd / Omega Engineering


Trojan Horses
An apparently useful program containing hidden code that performs some unwanted or harmful function
Harmful functions:
granting access to unauthorized users
data destruction
spyware

Techniques for planting them:
a modified compiler (Thompson's "Reflections on Trusting Trust")
Internet downloads

Mobile Code
Programs that can be shipped unchanged to a heterogeneous collection of platforms (e.g. Windows) and execute with identical semantics
Mobile code acts as a mechanism for a virus, worm or Trojan horse to be transmitted
Examples of mobile code:

Java applets
ActiveX controls
JavaScript
VBScript


Viruses
Malware that, when executed, tries to replicate itself into other executable code.
First demonstrated by Fred Cohen in 1983, shortly after the launch of the PC.

Viruses
A piece of software that infects programs, modifying them to include a copy of the virus
It executes secretly when the host program is run
Specific to an operating system and hardware, taking advantage of their details and weaknesses
A typical virus goes through the phases: infection / dormant / propagation / triggering / execution


Viruses
Components:
infection mechanism: enables replication
trigger: the event that makes the payload activate
payload: what it does, malicious or benign

The virus code may be prepended, appended (postpended) or embedded in the host
When the infected program is invoked, the virus code executes first, then the original program code
Countermeasures can block the initial infection (difficult) or the propagation (with access controls)

Virus Structure


Viruses Classification

boot sector virus
file infector
macro virus
encrypted virus: generates a key and encrypts its own body with it, so every copy shows a different byte pattern and only the small decryptor stays constant
stealth virus: hides itself from detection
polymorphic virus: the virus mutates with every infection
metamorphic virus: the virus mutates and completely rewrites itself

Macro Viruses

Very common in the mid-1990s since they are
platform independent
infect documents rather than programs
easily spread

They exploit the macro capability of office apps:
an executable program embedded in an office document
often a form of Basic

More recent releases include protection
Recognized by many anti-virus programs

E-Mail Viruses
A more recent development, e.g. Melissa
exploits an MS Word macro in the attached document
if the attachment is opened, the macro activates
sends e-mail to everyone on the user's address list
and does local damage

Later versions were triggered merely by reading the e-mail, hence much faster propagation

Virus Countermeasures
Prevention is the ideal solution but difficult
Realistically we need:
detection
identification
removal

If we can detect but cannot identify or remove, we must discard and replace the infected program

Virus Countermeasures
Virus and antivirus technology have both evolved
Early viruses were simple code, easily removed
As viruses have become more complex, so must the countermeasures
Generations:

first: signature scanners
second: heuristics
third: identify actions
fourth: combination packages

Virus Countermeasures

first: signature scanners
static
signature-specific scanners
detection of known viruses only
detection based on program length (a change in the length of a program suggests infection)

second: heuristics
no specific signature
heuristic rules
looks for fragments of code typical of viruses
integrity checking (checksum check / hashing)
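The integrity check of the second generation, as an added example that is not part of the course slides: a baseline of (length, SHA-256) per file is recorded on a clean system, and a later verification run reports files whose length changed (the first-generation length heuristic, which catches prepended or appended virus code), files whose digest changed while the length stayed the same (embedded modifications the length check misses), and files that appeared after the baseline. The directory contents, file names and "tampering" are constructed for the demonstration; the modified bytes are plain marker strings, not executable code.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def file_digest(path: str) -> Tuple[int, str]:
    """Return (length in bytes, SHA-256 hex digest) of one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(root: str) -> Dict[str, Tuple[int, str]]:
    """Record (length, digest) for every file under root, keyed by relative path.

    The baseline must be taken on a known-clean system and kept where an infector
    cannot rewrite it (read-only media or off-host), otherwise it proves nothing.
    """
    baseline: Dict[str, Tuple[int, str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def verify_baseline(root: str, baseline: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Compare the tree under root with the baseline; return {path: finding} for anomalies."""
    current = build_baseline(root)
    findings: Dict[str, str] = {}
    for rel, (size0, digest0) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
            continue
        size1, digest1 = current[rel]
        if digest1 != digest0:
            # A length change is the first-generation heuristic for a prepended or
            # appended virus; the digest also catches same-length (embedded) edits.
            if size1 != size0:
                findings[rel] = "modified (length changed)"
            else:
                findings[rel] = "modified (same length)"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "new file"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: three clean files, then three kinds of tampering."""
    originals = {
        "bin/app.exe": b"ORIGINAL PROGRAM CODE",
        "bin/tool.exe": b"TOOL CODE",
        "lib/helper.dll": b"HELPER",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in originals.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated tampering (marker bytes only, no executable content):
        # 1. a stub prepended to app.exe, as a prepending infector would do
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"STUB" + originals["bin/app.exe"])
        # 2. a one-byte in-place change to tool.exe: the length is unchanged
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as f:
            f.write(b"TOOL CODX")
        # 3. a dropped file that was not in the baseline at all
        with open(os.path.join(root, "lib", "extra.dll"), "wb") as f:
            f.write(b"DROPPED")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{path}: {finding}")
```

A stealth virus that intercepts file reads can feed the checker the original bytes, which is why a checker of this kind is only trustworthy when run from clean boot media against the raw disk.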

Virus Countermeasures
third: identify actions
memory-resident
identification by the actions of the virus rather than its structure

fourth: combination packages
a variety of antivirus techniques used in conjunction
scanning and activity traps

Generic Decryption
Runs executable files through a GD scanner consisting of:
a CPU emulator to interpret instructions
a virus scanner to check for known virus signatures
an emulation control module to manage the process

The virus is allowed to decrypt itself inside the interpreter
The emulated memory is periodically scanned for virus signatures
The issue is how long to interpret and scan: a tradeoff between the chance of detection and the time delay
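Why an encrypted virus defeats a plain signature scanner, and how generic decryption recovers the signature, as an added example that is not part of the course slides. The "virus" is a harmless constructed byte string; the decryptor is written for a toy one-byte-opcode instruction set invented here so that the emulator fits in a few lines. Two copies of the same body are encrypted under different keys, so their bytes differ and the body signature never appears in either; the generic-decryption scanner emulates the decryptor stub, scans the emulated memory every few instructions, and finds the signature once enough of the body has been decrypted. The instruction budget shows the detection-versus-delay tradeoff: too small a budget and the scan stops before the body is readable.

```python
from typing import Dict, Optional, Tuple

# Toy one-byte-opcode ISA for the emulator; constructed for this illustration.
SET_KEY, SET_PTR, SET_CNT, XOR_STEP, LOOP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06

# Constructed "virus body" and the signature the scanner knows for it.
BODY = b"TOY-BODY-SIGNATURE-0001"
SIGNATURES: Dict[str, bytes] = {"toy-body": b"BODY-SIGNATURE"}


def make_encrypted_sample(body: bytes, key: int) -> bytes:
    """Decryptor stub followed by the body XOR-encrypted under key (the encrypted-virus layout)."""
    stub_len = 10
    stub = bytes([
        SET_KEY, key,          # offset 0: load the per-copy key
        SET_PTR, stub_len,     # offset 2: point at the first encrypted byte
        SET_CNT, len(body),    # offset 4: number of bytes to decrypt
        XOR_STEP,              # offset 6: mem[ptr] ^= key; ptr++; cnt--
        LOOP, 6,               # offset 7: if cnt > 0 jump back to offset 6
        HALT,                  # offset 9: transfer control to the decrypted body
    ])
    assert len(stub) == stub_len
    return stub + bytes(b ^ key for b in body)


def scan_signatures(mem: bytes, signatures: Dict[str, bytes]) -> Optional[str]:
    """First-generation static scan: byte-string match against the signature set."""
    for name, sig in signatures.items():
        if sig in mem:
            return name
    return None


def generic_decryption_scan(sample: bytes, signatures: Dict[str, bytes],
                            max_steps: int, scan_interval: int = 8) -> Tuple[Optional[str], int]:
    """Emulate the sample for at most max_steps instructions, scanning every scan_interval steps.

    Returns (signature name or None, instructions executed). max_steps is the
    emulation control module's budget: the detection-versus-delay tradeoff.
    """
    mem = bytearray(sample)
    pc = key = ptr = cnt = steps = 0
    while steps < max_steps and pc < len(mem):
        op = mem[pc]
        if op in (SET_KEY, SET_PTR, SET_CNT, LOOP) and pc + 1 >= len(mem):
            break  # truncated operand
        if op == SET_KEY:
            key, pc = mem[pc + 1], pc + 2
        elif op == SET_PTR:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == SET_CNT:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == XOR_STEP:
            if ptr < len(mem):
                mem[ptr] ^= key
            ptr, cnt, pc = ptr + 1, cnt - 1, pc + 1
        elif op == LOOP:
            pc = mem[pc + 1] if cnt > 0 else pc + 2
        elif op == HALT:
            break
        else:
            break  # not a decryptor we can follow: stop emulating
        steps += 1
        if steps % scan_interval == 0:
            hit = scan_signatures(bytes(mem), signatures)
            if hit is not None:
                return hit, steps
    return scan_signatures(bytes(mem), signatures), steps


def demo() -> Dict[str, object]:
    """Two copies of the same body under different keys: static scan misses, GD catches."""
    copy_a = make_encrypted_sample(BODY, 0x5A)
    copy_b = make_encrypted_sample(BODY, 0xC3)
    return {
        "copies_differ": copy_a != copy_b,
        "static_a": scan_signatures(copy_a, SIGNATURES),
        "static_b": scan_signatures(copy_b, SIGNATURES),
        "gd_a": generic_decryption_scan(copy_a, SIGNATURES, max_steps=200),
        "gd_b": generic_decryption_scan(copy_b, SIGNATURES, max_steps=200),
        "gd_short_budget": generic_decryption_scan(copy_a, SIGNATURES, max_steps=16),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what stays constant across the two copies: everything in the stub except the key byte. A scanner can therefore also signature the decryptor with a wildcard at the key position, which is exactly what polymorphic viruses defeat by mutating the decryptor itself, leaving emulation as the remaining option.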

Digital Immune System


Behavior-Blocking Software


Worms
A replicating program that propagates over a network using e-mail, remote execution or remote login

Has phases like a virus: dormant, propagation, triggering, execution
Propagation phase: searches for other systems, connects to one, copies itself to it and runs there

May disguise itself as a system process

The concept was seen in Brunner's novel "The Shockwave Rider" and implemented at Xerox Palo Alto labs in the early 1980s

Morris Worm
One of the best known worms
Released by Robert Morris in 1988
Used various attacks on UNIX systems:
cracking the password file to obtain logins/passwords for logging on to other systems
exploiting a buffer overflow bug in the finger daemon (fingerd)
exploiting a bug in sendmail (the DEBUG option)

If an attack succeeded the worm had remote shell access
It then sent a bootstrap program to copy the worm over

Worm Propagation Model
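The figure for this slide is not reproduced here. The curve it shows is usually generated from the simple epidemic model dI/dt = β I (N − I), where N is the number of vulnerable hosts, I(t) the number already infected and β the pairwise infection rate; the example below, added here and not part of the course material, integrates that model numerically and measures the three phases the curve shows: a slow start (few infected hosts scanning), a fast-spread phase (many scanners, many targets left) and a slow finish (few vulnerable hosts remain). The host count, β and the starting populations are assumed values chosen for the illustration. It also shows why a hit-list start (the bot-construction slides further on) matters: starting with 100 pre-scanned victims instead of one removes most of the slow-start phase.

```python
from typing import Dict, List


def simulate_worm(n_hosts: int, beta: float, initial_infected: int,
                  dt: float = 0.1, max_time: float = 500.0) -> List[float]:
    """Simple epidemic model dI/dt = beta * I * (N - I), integrated with Euler steps.

    Returns I sampled every dt, stopping once 99.9 % of hosts are infected or
    max_time is reached. Assumes beta * N * dt is small so the steps are stable.
    """
    curve = [float(initial_infected)]
    t = 0.0
    while t < max_time and curve[-1] < 0.999 * n_hosts:
        i = curve[-1]
        i_next = i + beta * i * (n_hosts - i) * dt
        curve.append(min(i_next, float(n_hosts)))
        t += dt
    return curve


def time_to_fraction(curve: List[float], n_hosts: int, fraction: float,
                     dt: float = 0.1) -> float:
    """Time at which the infected count first reaches fraction * N (inf if never)."""
    for step, infected in enumerate(curve):
        if infected >= fraction * n_hosts:
            return step * dt
    return float("inf")


def phase_summary(n_hosts: int, beta: float, initial_infected: int,
                  dt: float = 0.1) -> Dict[str, float]:
    """Durations of the slow-start, fast-spread and slow-finish phases of one run."""
    curve = simulate_worm(n_hosts, beta, initial_infected, dt)
    t10 = time_to_fraction(curve, n_hosts, 0.10, dt)
    t50 = time_to_fraction(curve, n_hosts, 0.50, dt)
    t90 = time_to_fraction(curve, n_hosts, 0.90, dt)
    t_end = (len(curve) - 1) * dt
    return {
        "slow_start": t10,           # until 10 % infected: few scanners, slow growth
        "t50": t50,                  # half the population infected
        "fast_spread": t90 - t10,    # 10 % to 90 %: explosive growth
        "slow_finish": t_end - t90,  # 90 % to 99.9 %: few targets left
        "final_infected": curve[-1],
    }


if __name__ == "__main__":
    # Assumed values: 10,000 vulnerable hosts, beta = 1e-5 per host pair per time unit.
    print("single seed:", phase_summary(10_000, 1e-5, 1))
    print("hit-list of 100:", phase_summary(10_000, 1e-5, 100))
```

With one seed the slow-start phase is longer than the whole 10 % to 90 % climb, which is the window in which rate limiting or scan detection can still contain the outbreak; with a hit-list start that window shrinks to a fraction of it.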


Code Red
July 2001, exploiting an MS IIS bug
probes random IP addresses; infected about 360,000 servers in 14 hours, then launched a DDoS attack
consumes significant network capacity when active

Code Red II variant includes a backdoor

SQL Slammer
early 2003, attacks MS SQL Server
compact and very rapid spread

Mydoom
mass-mailing e-mail worm that appeared in 2004
installed a remote access backdoor in infected systems

The state of worm technology:
multiplatform
multi-exploit
ultrafast spreading
polymorphic
metamorphic
transport vehicles (for other malware)
zero-day exploits
mobile phone worms (since 2004: Bluetooth, MMS)

Worm Countermeasures

Overlap with anti-virus techniques:
once a worm is on a system, antivirus software can detect it
worms also cause significant network activity

Worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting
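The last two approaches on the list, as an added example that is not part of the course slides. Threshold random walk (TRW) scan detection is the sequential hypothesis test of Jung et al.: for every source, each first-contact connection to a new destination multiplies a likelihood ratio by θ1/θ0 on success and by (1−θ1)/(1−θ0) on failure, where θ0 and θ1 are the assumed success probabilities for a benign host and a scanner; the source is declared a scanner when the ratio crosses η1 = β/α and benign when it drops below η0 = (1−β)/(1−α), for a chosen false-alarm rate α and detection rate β. Rate halting simply blocks a source that opens more first-contact connections in a time window than a normal host ever does. The connection log, addresses and parameter values are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[float, str, str, str]  # (time in s, source, destination, "ok" | "fail")

# TRW parameters (assumed values for this example).
THETA0 = 0.8  # P[first-contact connection succeeds | benign host]
THETA1 = 0.2  # P[first-contact connection succeeds | scanner]
ALPHA = 0.01  # tolerated false-alarm rate
BETA = 0.99   # desired detection rate
ETA1 = BETA / ALPHA              # likelihood ratio at or above this: scanner
ETA0 = (1 - BETA) / (1 - ALPHA)  # likelihood ratio at or below this: benign

# Constructed connection log: one source sweeping 10.0.1.0/24 (mostly unused
# addresses, so the attempts fail), one ordinary client, one host with mixed luck.
EVENTS: List[Event] = (
    [(0.1 * k, "10.0.0.5", f"10.0.1.{k + 1}", "fail") for k in range(10)]
    + [(0.0, "10.0.0.7", "10.0.2.10", "ok"), (0.2, "10.0.0.7", "10.0.2.10", "ok"),
       (5.0, "10.0.0.7", "10.0.2.11", "ok"), (12.0, "10.0.0.7", "10.0.2.12", "ok"),
       (20.0, "10.0.0.7", "10.0.2.13", "ok")]
    + [(1.0, "10.0.0.9", "10.0.3.1", "fail"), (2.0, "10.0.0.9", "10.0.3.2", "ok"),
       (3.0, "10.0.0.9", "10.0.3.3", "fail")]
)


def trw_classify(events: List[Event]) -> Dict[str, Tuple[str, float]]:
    """Threshold random walk: sequential hypothesis test per source on first-contact outcomes."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    ratio: Dict[str, float] = defaultdict(lambda: 1.0)
    verdict: Dict[str, Tuple[str, float]] = {}
    for _, src, dst, outcome in sorted(events):
        if src in verdict or dst in seen[src]:
            continue  # already decided, or a repeat contact (carries no evidence)
        seen[src].add(dst)
        if outcome == "ok":
            ratio[src] *= THETA1 / THETA0              # success: step towards benign
        else:
            ratio[src] *= (1 - THETA1) / (1 - THETA0)  # failure: step towards scanner
        if ratio[src] >= ETA1:
            verdict[src] = ("scanner", ratio[src])
        elif ratio[src] <= ETA0:
            verdict[src] = ("benign", ratio[src])
    for src, value in ratio.items():
        verdict.setdefault(src, ("undecided", value))
    return verdict


def rate_halt(events: List[Event], window: float, max_new: int) -> Dict[str, float]:
    """Rate limiting / rate halting: block a source once it opens more than max_new
    first-contact connections inside any window of the given length.
    Returns {source: time at which it was halted}."""
    recent: Dict[str, List[float]] = defaultdict(list)
    seen: Dict[str, Set[str]] = defaultdict(set)
    halted: Dict[str, float] = {}
    for t, src, dst, _ in sorted(events):
        if src in halted or dst in seen[src]:
            continue
        seen[src].add(dst)
        recent[src] = [x for x in recent[src] if x > t - window] + [t]
        if len(recent[src]) > max_new:
            halted[src] = t
    return halted


if __name__ == "__main__":
    for src, (label, value) in sorted(trw_classify(EVENTS).items()):
        print(f"{src}: {label} (likelihood ratio {value:.4f})")
    print("halted:", rate_halt(EVENTS, window=1.0, max_new=5))
```

With these parameters four consecutive failed first contacts are enough to flag a scanner (4^4 = 256 ≥ 99) and four successes to clear a host (0.25^4 ≈ 0.004 ≤ 0.0101); the mixed host stays undecided until more evidence arrives, which is the point of a sequential test. Only first contacts count, so a busy client talking to the same servers repeatedly never accumulates evidence either way.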

Proactive Worm Containment


Network-Based Worm Defense


(Ro)Bots

aka zombies, drones

A program that takes over other computers to launch hard-to-trace attacks
If coordinated they form a botnet
Characteristics:
remote control facility (this distinguishes bots from worms), via IRC, HTTP etc.
spreading mechanism: attack software, vulnerability, scanning strategy

Various countermeasures are applicable



Uses of (Ro)Bots

DDoS attacks
spamming
sniffing traffic
keylogging: capturing keystrokes
spreading new malware
installing advertisement add-ons and BHOs (browser helper objects)
generating clicks (click fraud)
attacking IRC chat networks
manipulating online polls and games

Remote Control Facility

A bot is controlled by a remote control facility (RCF)
The RCF is typically implemented via an IRC server or via HTTP
Simplest form: issuing commands
Advanced form: commands that make the bot download updates and then execute them

Constructing a bot network

Needs software that carries out the attack, which
runs on a large number of machines
conceals its existence
is able to communicate with the attacker, or has a time-triggered mechanism (e.g. Friday the 13th)

Needs a vulnerability in a large number of systems

Scanning or fingerprinting: locating and identifying vulnerable machines

Constructing a bot network

Scanning or fingerprinting strategies:
random: each host probes random IP addresses
hit-list: a compiled list of potentially vulnerable machines
topological: using information found on the infected victim machine
local subnet: looking for victims behind the same firewall

Countermeasures
IDS
Honeypots
DIS
Try to detect the botnet during its
construction phase


Rootkits / Crimeware
A set of programs installed to obtain admin access
Makes malicious and stealthy changes to the host O/S
May hide its existence by subverting the reporting mechanisms for processes, files, registry entries etc.

May be:
persistent or memory-based
user mode or kernel mode

Installed by the user via a trojan, or by an intruder on the system

A range of countermeasures is needed

Rootkits


DDOS
