• How viruses work
• Virus detectors
• How worms work
• Example viruses/worms
  ! Melissa
  ! Morris
  ! My_SQL
• Lab discussion
ECE 4883
Viruses
• Propagates to other programs by modifying them
• Copies the virus code to other programs
• Viruses have to be activated to work
• Attachment to programs/files by
• Hard to detect
• Hard to destroy/deactivate
• Spreads widely
• Can re-infect
• Easy to create
• Machine independent
Locations of Viruses (1)
• Boot sector
  ! placed in boot sector location
  ! moves bootstrap loader, chains to it
• Memory-resident
  ! TSR -- terminate and stay resident routine
• Application program
• Libraries
Locations of Viruses (2)
• Macros
  ! executable program inside a document
  ! platform independent
  ! infects documents, not executable files
  ! common propagation via email
Tactics of Viruses
• Polymorphism
  ! change the signature
  ! increase difficulty of detection
• Stealth
  ! attributes that help hide the virus
  ! example: compress the file so its size is the same as the uninfected file
Life-Cycle of Viruses
• Dormant Phase (optional)
  ! virus is idle
  ! waits for trigger event
• Propagation Phase
  ! virus copies itself to other files
• Triggering Phase
  ! virus is activated by system event
• Execution Phase
  ! function of virus is performed
MS-DOS Example
• ROM BIOS routines cannot be infected
• master boot record (MBR) execution
  ! can be infected
  ! replace with virus that chains to orig. MBR
• boot sector code execution
  ! common target
  ! capture control of system before virus scanners operate
MS-DOS Example
• IO.SYS, MSDOS.SYS execution
  ! can be infected
• CONFIG.SYS execution
  ! can be infected
• COMMAND.COM execution
  ! can be infected
  ! Lehigh virus
• AUTOEXEC.BAT execution
  ! can be infected
Detection of Viruses
• Program’s functionality impaired
• File size changes
• Virus at beginning of code -or- “Jump” instructions to location of virus
• Signatures
Prevention
• Use software from trusted sources
• Use checksums to ensure downloaded software is the correct version
• Test new/suspicious item on isolated machine
• Make bootable disk
• Backup copies of system files
• Employ and update virus detectors
• Disable macro execution
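Added example (not part of the lecture slides) tying together two points above: the "file size changes" and "signatures" detection methods, and the "use checksums" prevention step. It records a size-plus-SHA-256 baseline for known-good files, re-checks them, scans for a known byte pattern, and verifies a download against a published hash. The signature bytes, file names and "infections" are all constructed for the demo; the size-unchanged case shows what the stealth tactic (padding to keep the size constant) looks like to an integrity check, which is why hashes and not sizes alone are compared.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a virus signature (a byte pattern a scanner looks for).
# It is made up for this example; real signatures are extracted from real samples.
SIGNATURES = {
    "example-appender": b"EXAMPLE-VIRUS-MARKER-7f3a",
}


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for a file, streaming it in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths):
    """Record size and hash of known-good files (the checksum the slides mention)."""
    return {path: fingerprint(path) for path in paths}


def check_against_baseline(baseline):
    """Re-hash every baselined file and classify any change.

    A size change is the classic sign of an appended virus; a changed hash with an
    unchanged size is what the stealth tactic (keeping the size constant) looks
    like, so the two cases are reported separately.
    """
    findings = []
    for path, (size0, digest0) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        size1, digest1 = fingerprint(path)
        if digest1 == digest0:
            continue
        kind = "modified-size-changed" if size1 != size0 else "modified-same-size"
        findings.append((path, kind))
    return findings


def scan_for_signatures(path, signatures=SIGNATURES):
    """Return the names of all known signatures found anywhere in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, pattern in signatures.items() if pattern in data]


def verify_download(path, expected_sha256):
    """Checksum check for downloaded software: compare against a published hash."""
    return fingerprint(path)[1] == expected_sha256.lower()


def demo():
    """Simulate two infections in a temp dir and return what the checks report."""
    workdir = tempfile.mkdtemp()
    appended = os.path.join(workdir, "app.exe")
    stealthy = os.path.join(workdir, "util.exe")
    for path in (appended, stealthy):
        with open(path, "wb") as fh:
            fh.write(b"ORIGINAL PROGRAM CODE" * 4)  # 84 bytes of pretend program
    baseline = build_baseline([appended, stealthy])

    # Appending infection: the file grows and now carries the marker bytes.
    with open(appended, "ab") as fh:
        fh.write(SIGNATURES["example-appender"])
    # Stealthy overwrite: same length, different content, no known marker.
    with open(stealthy, "wb") as fh:
        fh.write(b"X" * 84)

    # Download check: a file whose contents are b"abc" against its real SHA-256.
    download = os.path.join(workdir, "pkg.bin")
    with open(download, "wb") as fh:
        fh.write(b"abc")
    abc_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

    return {
        "changes": {os.path.basename(p): k for p, k in check_against_baseline(baseline)},
        "signature_hits": scan_for_signatures(appended),
        "stealthy_signature_hits": scan_for_signatures(stealthy),
        "download_ok": verify_download(download, abc_sha256.upper()),
        "download_bad": verify_download(download, "0" * 64),
    }
```

The stealthy overwrite is caught by the hash comparison but not by the signature scan, which is the practical reason the slides list several detection methods rather than one: a signature database only finds what it already knows.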
Virus Detector Examples
• Norton Anti-virus (Symantec)
• VirusScan (McAfee Security)
• eTrust EZ Anti-virus (Computer Associates)
• Protector Plus (Proland Software)
• AVG Anti-virus (free version available)
Worms
• Can run independently (don’t require program execution)
• Propagates over network connections
  ! via electronic mail
  ! via remote execution capability
  ! via remote login capability
• Doesn’t have to alter programs
• Can carry virus code that does
Worm Tactics
• Determine where to spread (examine host tables or similar data of remote system addresses)
• Establish connection and copy itself to other systems (can also determine if target system already infected)
• Cause the copy to run
• Remain hidden as best as possible
Defend Against Worms
• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected
Example Viruses and Worms
• Melissa
• Morris
• My_SQL
Melissa Virus
• What is it?
  ! Microsoft Word macro virus
  ! Written in Visual Basic
• What does it do?
  ! Infects Microsoft Word 97 and 2000 docs
  ! Uses MS Outlook to email itself out to first 50 users
Melissa Virus (cont)
• Systems Affected
  ! Machines with Microsoft Word 97 or 2000
  ! Any mail handling system could experience performance issues or DoS as a result of propagation through email, but only from users with Microsoft Outlook
  ! MacOS not affected, however it can be stored on MacOS
Melissa Virus (cont)
• Description
  ! Propagates through email
  ! Subject “Important Message From ”
  ! Body “Here is the document you asked for … don’t show anyone else ;-)”
  ! Attachment named list.doc or actual documents created by the victim
Melissa Virus (cont)
• Upon Execution
  ! Turns off macro detection
  ! Checks registry key for value of “… by Kwyjibo”
  ! If the key doesn’t exist or have that value, it propagates then changes the registry key
  ! Keeps the virus from repeatedly propagating every time an infected item is opened
Melissa Virus (cont)
• Execution (cont)
  ! Infects Normal.dot template
  ! If (minute of the hour == day of the month) it inserts "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." into the current document (Simpsons quote)
Melissa Virus (cont)
• Impact
  ! Possible DoS on mail servers
  ! Users with macros enabled will effectively infect any new document they create
• Solutions
  ! Block messages with virus signature at mail transfer agents
  ! Disable all macros in Microsoft Word
  ! Use Virus Scanning Utilities
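Added example (not from the slides or from CERT) of the first solution above, blocking the lure at the mail transfer agent. It parses raw RFC 822 messages with the standard library and checks for the three indicators the description slide gives: the subject prefix, the body text, and a .doc attachment (list.doc or a document the victim created). The three sample messages are constructed; the addresses, file names and the requirement that subject and attachment appear together are choices made for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the slides' description of the Melissa lure.
SUBJECT_PREFIX = "Important Message From"
BODY_MARKER = "Here is the document you asked for"


def melissa_indicators(msg):
    """Return the Melissa indicators present in a parsed message, in a fixed order."""
    hits = []
    if msg.get("Subject", "").startswith(SUBJECT_PREFIX):
        hits.append("subject")

    body_text = ""
    attachment_names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachment_names.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            body_text += raw.decode(part.get_content_charset() or "utf-8", "replace")

    if BODY_MARKER in body_text:
        hits.append("body")
    if "list.doc" in attachment_names:
        hits.append("attachment-list.doc")
    elif any(name.endswith(".doc") for name in attachment_names):
        hits.append("attachment-doc")
    return hits


def should_block(msg):
    """MTA policy: block when the lure subject arrives together with a Word attachment.

    Requiring both keeps a human reply that merely quotes the lure text from being
    bounced, while still catching infected documents the victim created (their
    attachment name is then not list.doc).
    """
    hits = melissa_indicators(msg)
    return "subject" in hits and any(h.startswith("attachment") for h in hits)


def build_sample(subject, body, attachment_name=None):
    """Construct a raw message and parse it back, as an MTA filter would see it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Constructed bytes standing in for a Word file; not a real document.
        msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed fake .doc bytes",
                           maintype="application", subtype="msword",
                           filename=attachment_name)
    return message_from_string(msg.as_string(), policy=policy.default)


# Constructed sample traffic: one Melissa-style message, one ordinary document
# exchange, and one reply that quotes the lure text without an attachment.
LURE = build_sample("Important Message From Alice",
                    "Here is the document you asked for ... don't show anyone else ;-)",
                    "list.doc")
BENIGN_DOC = build_sample("Q3 budget", "Draft attached, comments welcome.", "budget.doc")
QUOTED_REPLY = build_sample("Re: Important Message From Alice",
                            "> Here is the document you asked for\nWas that really you?")


def classify_samples():
    """Run the filter over the three samples: name -> (indicators, blocked?)."""
    return {name: (melissa_indicators(m), should_block(m))
            for name, m in [("lure", LURE), ("benign_doc", BENIGN_DOC),
                            ("quoted_reply", QUOTED_REPLY)]}
```

The indicator list is returned separately from the block decision so a mail operator can log near-misses (a quoted reply, a lone .doc) without bouncing them; the second solution on the slide, disabling macros on the client, is what protects the users whose mail the filter does not see.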
Morris Worm
• One of the earliest documented cases (Nov 2nd, 1988)
• Systems
  ! Sun Microsystems Sun 3
  ! DEC VAX systems
Morris Worm
• Two main parts:
  ! Bootstrap or Vector Program (Initialize)
    – Acts as a hook. It is injected first. Contacts the infected “server” and uploads the main program.
    – Then compiles and runs the main program
  ! Main Program (Doit)
    – Collected data on other networked machines to which the current machine could connect
    – Then used three main attacks to infect other systems with the bootstrap
Morris Worm (cont)
• Fingerd and gets
  ! Overran the finger command input buffer
    – overwrote the stack
  ! On VAX machines this resulted in a remote shell for the worm via the TCP connection by overwriting part of the stack
• Sendmail
  ! Issued a DEBUG option often left usable by admins for testing the mail service.
  ! Gained access to mail server and onto the system, then continued with infection of system
Morris Worm (cont)
• Passwords
  ! Worm read through /etc/hosts.equiv and /.rhosts to find names on other machines
  ! Also read /etc/passwd and .forward for account information
  ! Then attempted to crack passwords using several different methods
Morris Worm (cont)
• Passwords (cont)
  ! The worm first tried simple choices
    – Account, User Name, Tnuocca (acct backwards), etc. including lower case variations
  ! Next it tested the passwords against an internal dictionary of 432 words
  ! Finally, it tested the passwords against an online dictionary using upper and lower case variations
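Added example (not from the slides) that turns the three password-guessing stages above into a defensive policy check of the kind a password-change hook runs: reject any password that stage 1 (account name, user names, account reversed, case variants), stage 2 (a fixed internal word list) or stage 3 (the system dictionary, compared case-insensitively) would have found. The internal word list and the system word list here are constructed stand-ins; the real worm list had 432 entries, and none of the words below are claimed to be from it.

```python
# Constructed stand-ins. The worm's internal list had 432 words (per the slides);
# these few words are made up for the example and are not taken from that list.
INTERNAL_DICTIONARY = {"wombat", "sunshine", "tiger", "nirvana", "bandit"}
# Stand-in for the system's online dictionary (a words file); also constructed.
SYSTEM_WORDS = ["zebra", "Quartz", "lantern", "vortex", "meadow"]


def account_derived_guesses(account, full_name):
    """Stage 1 of the worm's strategy: the account name, the user's names and the
    account name reversed, each with its lower-case and capitalised variants."""
    bases = [account, account[::-1]] + full_name.split()
    guesses = set()
    for base in bases:
        guesses.update({base, base.lower(), base.capitalize()})
    return guesses


def guessed_by_stage(password, account, full_name,
                     internal_dictionary=INTERNAL_DICTIONARY,
                     system_words=SYSTEM_WORDS):
    """Return which stage of the worm's guessing would hit the password, or None.

    Stage 2 is an exact match against the internal list; stage 3 follows the
    slide's 'upper and lower case variations' by comparing case-insensitively.
    """
    if password in account_derived_guesses(account, full_name):
        return "stage1-account-derived"
    if password in internal_dictionary:
        return "stage2-internal-dictionary"
    if password.lower() in {word.lower() for word in system_words}:
        return "stage3-online-dictionary"
    return None


def acceptable_password(password, account, full_name):
    """Policy check for a password-change hook: accept only passwords that none of
    the three guessing stages would find."""
    return guessed_by_stage(password, account, full_name) is None
```

In production the word lists would be the real system dictionary and a large leaked-password list, and the account information would come from the same passwd/gecos fields the worm read, which is the point: anything derivable from data the attacker can read is not a secret.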
Morris Worm (cont)
• Solution
  ! Worm halted because of informal communication between system admins and research community
  ! Prompted DARPA to create CERT (Computer Emergency Response Team)
Morris Worm – Log of Events
• All the following events occurred on the evening of Nov. 2, 1988.
  ! 6:00 PM At about this time the Worm is launched.
  ! 8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu)
  ! 9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX
  ! 9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
  ! 9:41 PM The load average reaches 7
  ! 10:01 PM The load average reaches 16
  ! 10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
  ! 10:20 PM The system administrator kills off the worms
  ! 10:41 PM The system is re-infected and the load average reaches 27
  ! 10:49 PM The system administrator shuts down the system. The system is subsequently restarted
  ! 11:21 PM Re-infestation causes the load average to reach 37.
• In short, in under 90 minutes from the time of infection, the Worm had made the infected system unusable.
My SQL Worm
• What is it?
  ! Self-propagating code that exploits a vulnerability in MS SQL Server 2000 and MSDE 2000
• What does it do?
  ! Propagation caused varied levels of network degradation
My SQL Worm (cont)
• Systems Affected
  ! Microsoft SQL Server 2000
  ! Microsoft Desktop Engine (MSDE) 2000
• Description
  ! Exploits a vulnerability that allows for execution of arbitrary code on the SQL Server due to a stack buffer overflow
  ! Once it compromises, it tries to propagate
My SQL Worm (cont)
• Description (cont)
  ! Worm crafts 376-byte packets and sends them to randomly chosen IP addresses on port 1434/UDP
  ! If sent to a vulnerable machine, the machine will become infected and also begin to propagate
  ! Current variant has no other payload
My SQL Worm (cont)
• Impact
  ! Compromise confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as local SYSTEM user
  ! High volume of 1434/UDP traffic may lead to performance issues (including possible DoS)
My SQL Worm (cont)
• Solution
  ! Apply a patch
  ! Ingress/Egress filtering for messages on systems already infected
  ! Block port 1434/UDP
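Added example (not from the slides or from CERT) of the detection side of the solution above: finding already-infected hosts so that egress filtering can be applied to them. It uses the propagation behaviour the description slide gives, 376-byte datagrams to port 1434/UDP at many randomly chosen addresses, and flags a source whose traffic is dominated by such datagrams to many distinct destinations. The packet summaries, addresses and thresholds are constructed for the example; whether "376 bytes" is measured as frame, IP or UDP length depends on the capture tool, so the length field should be matched the same way the tool reports it.

```python
from collections import defaultdict

# Characteristics of the propagation traffic as given on the description slide.
SLAMMER_PORT = 1434
SLAMMER_LEN = 376


def build_sample_flows():
    """Constructed packet summaries: (src, dst, proto, dst_port, length_bytes)."""
    flows = []
    # An infected host spraying 376-byte UDP datagrams at pseudo-random addresses
    # (the multiplier 37 is coprime to 251, so every destination is distinct).
    for i in range(60):
        flows.append(("10.0.0.7", f"198.51.100.{(i * 37) % 251 + 1}", "UDP", 1434, 376))
    # A legitimate client talking to one SQL server on the same port with small queries.
    for _ in range(5):
        flows.append(("10.0.0.21", "10.0.0.5", "UDP", 1434, 30))
    # Unrelated traffic from the same client.
    for i in range(40):
        flows.append(("10.0.0.21", f"203.0.113.{i + 1}", "TCP", 443, 1500))
    return flows


def find_slammer_sources(flows, min_distinct_targets=20, min_fraction=0.8):
    """Flag sources whose traffic is mostly 376-byte UDP/1434 datagrams to many
    distinct destinations: propagation behaviour, not ordinary SQL client use.

    Both thresholds matter: a single client querying one server on 1434/UDP never
    reaches many distinct targets, and a busy host that also sends a little
    1434/UDP traffic never reaches a high fraction.
    """
    stats = defaultdict(lambda: {"total": 0, "matching": 0, "targets": set()})
    for src, dst, proto, dport, length in flows:
        s = stats[src]
        s["total"] += 1
        if proto == "UDP" and dport == SLAMMER_PORT and length == SLAMMER_LEN:
            s["matching"] += 1
            s["targets"].add(dst)

    flagged = {}
    for src, s in stats.items():
        fraction = s["matching"] / s["total"]
        if len(s["targets"]) >= min_distinct_targets and fraction >= min_fraction:
            flagged[src] = {
                "datagrams": s["matching"],
                "distinct_targets": len(s["targets"]),
                "fraction": round(fraction, 2),
            }
    return flagged
```

The flagged sources are the ones to isolate with egress filtering while the patch is applied; blocking 1434/UDP at the perimeter (the last bullet) stops further spread in either direction regardless of whether a host has been identified yet.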
References
• http://www.cs.virginia.edu/~jones/cs551S/slides
• http://www.cert.org/advisories/CA-1999-04.html
• http://www.cert.org/advisories/CA-2003-04.html
• “Security in Computing” by Charles Pfleeger
• “Chapter 6: Computer Viruses” by Eugene Spafford
• “Network Security Essentials” by William Stallings