601 Assignment 9 & Discussion 9


Computer and Network Security Threats

This chapter provides an overview of security threats. We begin with a discussion of what we mean by computer security. In essence, computer security deals with computer-related assets that are subject to a variety of threats and for which various measures are taken to protect those assets. The remainder of the chapter looks at the two broad categories of computer and network security threats: intruders and malicious software.

Cryptographic algorithms, such as encryption and hash functions, play a role both in computer security threats and computer security techniques. Appendix J provides an overview of these algorithms.

Computer Security Concepts

The NIST Computer Security Handbook [NIST95] defines the term computer security as:

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”


Computer Security Objectives

This definition introduces three key objectives that are at the heart of computer security:

• Confidentiality: This term covers two related concepts:

— Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals

— Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed

• Integrity: This term covers two related concepts:

— Data integrity: Assures that information and programs are changed only in a specified and authorized manner

— System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

• Availability: Assures that systems work promptly and service is not denied to authorized users


The Security Requirements Triad


These three concepts form what is often referred to as the CIA triad (Figure 18.1). The three concepts embody the fundamental security objectives both for data and for information and computing services. For example, the NIST standard FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category:

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

• Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are as follows:

• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.

• Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.

Note that FIPS PUB 199 includes authenticity under integrity.
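Accountability depends on audit records that an intruder cannot quietly rewrite or delete after the fact. The following Python example, added here and not part of the original chapter, shows one way to make a log tamper-evident: each entry carries a keyed hash (HMAC-SHA256) over its own content and the previous entry's hash, so a modified, deleted, or reordered entry breaks the chain. The key, the sample events, and the anchor value are constructed for the demonstration; in practice the key and the latest chain head would be held on a separate log host rather than on the audited machine.

```python
import copy
import hashlib
import hmac
import json

LOG_KEY = b"constructed-demo-key"   # constructed; in practice held by a separate log host
GENESIS = "0" * 64                  # chain value before the first entry


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    """HMAC-SHA256 over the previous hash and this entry's canonical JSON."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> str:
    """Append a record and return the new chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "hash": _entry_hash(prev, seq, record)})
    return log[-1]["hash"]


def verify_log(log: list, anchor: str = None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    anchor is the most recent chain head as recorded off-host; without it a
    log that was truncated at the tail still verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i                       # deleted, inserted, or reordered
        expected = _entry_hash(prev, i, entry["record"])
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i                       # modified or forged
        prev = entry["hash"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(log)                    # tail truncated
    return True, None


# Constructed sample events for the demonstration.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "login", "src": "10.0.0.5"},
    {"user": "alice", "action": "read", "object": "payroll.db"},
    {"user": "bob", "action": "login", "src": "10.0.0.9"},
    {"user": "bob", "action": "sudo", "cmd": "auditctl -e 0"},
]


def demo() -> dict:
    log = []
    for event in SAMPLE_EVENTS:
        anchor = append_entry(log, event)       # last value is the chain head

    modified = copy.deepcopy(log)
    modified[1]["record"]["user"] = "mallory"   # rewrite who read payroll.db
    deleted = copy.deepcopy(log)
    del deleted[2]                              # remove bob's login
    truncated = copy.deepcopy(log)[:-1]         # drop the incriminating last entry

    return {
        "intact": verify_log(log, anchor),
        "modified": verify_log(modified, anchor),
        "deleted": verify_log(deleted, anchor),
        "truncated_without_anchor": verify_log(truncated),
        "truncated_with_anchor": verify_log(truncated, anchor),
    }
```

The last two cases are the caveat a practitioner should keep in mind: a chain alone cannot tell a truncated log from one that simply ended, which is exactly what an intruder who suppresses audit collection produces. verify_log only catches truncation when it is given the anchor (the most recent chain head) recorded somewhere the intruder does not control.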

Table 18.1 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (Based on RFC 2828)

Table 18.1, based on RFC 2828, describes four kinds of threat consequences and lists the kinds of attacks that result in each consequence.

Unauthorized disclosure is a threat to confidentiality. The following types of attacks can result in this threat consequence:

• Exposure: This can be deliberate, as when an insider intentionally releases sensitive information, such as credit card numbers, to an outsider. It can also be the result of a human, hardware, or software error, which results in an entity gaining unauthorized knowledge of sensitive data. There have been numerous instances of this, such as universities accidentally posting student confidential information on the Web.

• Interception: Interception is a common attack in the context of communications. On a shared local area network (LAN), such as a wireless LAN or a broadcast Ethernet, any device attached to the LAN can receive a copy of packets intended for another device. On the Internet, a determined hacker can gain access to e-mail traffic and other data transfers. All of these situations create the potential for unauthorized access to data.

• Inference: An example of inference is traffic analysis, in which an adversary is able to gain information from observing the pattern of traffic on a network, such as the amount of traffic between particular pairs of hosts on the network. Another example is the inference of detailed information from a database by a user who has only limited access; this is accomplished by repeated queries whose combined results enable inference.

• Intrusion: An example of intrusion is an adversary gaining unauthorized access to sensitive data by overcoming the system's access control protections.

Deception is a threat to either system integrity or data integrity. The following types of attacks can result in this threat consequence:

• Masquerade: One example of masquerade is an attempt by an unauthorized user to gain access to a system by posing as an authorized user; this could happen if the unauthorized user has learned another user's logon ID and password. Another example is malicious logic, such as a Trojan horse, that appears to perform a useful or desirable function but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.

• Falsification: This refers to the altering or replacing of valid data or the introduction of false data into a file or database. For example, a student may alter his or her grades on a school database.

• Repudiation: In this case, a user either denies sending data or a user denies receiving or possessing the data.

Disruption is a threat to availability or system integrity. The following types of attacks can result in this threat consequence:

• Incapacitation: This is an attack on system availability. This could occur as a result of physical destruction of or damage to system hardware. More typically, malicious software, such as Trojan horses, viruses, or worms, could operate in such a way as to disable a system or some of its services.

• Corruption: This is an attack on system integrity. Malicious software in this context could operate in such a way that system resources or services function in an unintended manner. Or a user could gain unauthorized access to a system and modify some of its functions. An example of the latter is a user placing back door logic in the system to provide subsequent access to a system and its resources by other than the usual procedure.

• Obstruction: One way to obstruct system operation is to interfere with communications by disabling communication links or altering communication control information. Another way is to overload the system by placing excess burden on communication traffic or processing resources.

Usurpation is a threat to system integrity. The following types of attacks can result in this threat consequence:

• Misappropriation: This can include theft of service. An example is a distributed denial of service attack, when malicious software is installed on a number of hosts to be used as platforms to launch traffic at a target host. In this case, the malicious software makes unauthorized use of processor and operating system resources.

• Misuse: Misuse can occur either by means of malicious logic or by a hacker that has gained unauthorized access to a system. In either case, security functions can be disabled or thwarted.

Scope of System Security

The assets of a computer system can be categorized as hardware, software, data,

and communication lines and networks. In this subsection, we briefly describe these

four categories and relate these to the concepts of integrity, confidentiality, and

availability introduced in Section 18.1 (see Figure 18.2 and Table 18.2).

6

Table 18.2 Computer and Network Assets, with Examples of Threats

A major threat to computer system hardware is the threat to availability. Hardware is the most vulnerable to attack and the least susceptible to automated controls. Threats include accidental and deliberate damage to equipment, as well as theft. The proliferation of personal computers and workstations and the widespread use of LANs increase the potential for losses in this area. Theft of storage media such as CD-ROMs and DVDs can lead to loss of confidentiality. Physical and administrative security measures are needed to deal with these threats.

Software includes the operating system, utilities, and application programs. A key threat to software is an attack on availability. Software, especially application software, is often easy to delete. Software can also be altered or damaged to render it useless. Careful software configuration management, which includes making backups of the most recent version of software, can maintain high availability. A more difficult problem to deal with is software modification that results in a program that still functions but that behaves differently than before, which is a threat to integrity/authenticity. Computer viruses and related attacks fall into this category. A final problem is protection against software piracy. Although certain countermeasures are available, by and large the problem of unauthorized copying of software has not been solved.

Hardware and software security are typically concerns of computing center professionals or individual concerns of personal computer users. A much more widespread problem is data security, which involves files and other forms of data controlled by individuals, groups, and business organizations.

Security concerns with respect to data are broad, encompassing availability, secrecy, and integrity. In the case of availability, the concern is with the destruction of data files, which can occur either accidentally or maliciously.

The obvious concern with secrecy is the unauthorized reading of data files or databases, and this area has been the subject of perhaps more research and effort than any other area of computer security. A less obvious threat to secrecy involves the analysis of data and manifests itself in the use of so-called statistical databases, which provide summary or aggregate information. Presumably, the existence of aggregate information does not threaten the privacy of the individuals involved. However, as the use of statistical databases grows, there is an increasing potential for disclosure of personal information. In essence, characteristics of constituent individuals may be identified through careful analysis. For example, if one table records the aggregate of the incomes of respondents A, B, C, and D and another records the aggregate of the incomes of A, B, C, D, and E, the difference between the two aggregates would be the income of E. This problem is exacerbated by the increasing desire to combine data sets. In many cases, matching several sets of data for consistency at different levels of aggregation requires access to individual units. Thus, the individual units, which are the subject of privacy concerns, are available at various stages in the processing of data sets.
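The differencing attack just described (and the "repeated queries whose combined results enable inference" case under Table 18.1) is easy to carry out in code. This Python example is added here and is not from the original chapter; the incomes, the query-set minimum, and the overlap limit are constructed for the demonstration. It shows that a minimum query-set size alone does not stop the attack, and that query-set overlap control (refusing a query that shares too many records with an earlier one) blocks this simple form of it.

```python
# Constructed respondent data: name -> annual income
INCOMES = {"A": 52_000, "B": 61_000, "C": 48_000, "D": 75_000, "E": 99_000}


def aggregate_sum(db, names, min_query_set=4):
    """Statistical query protected only by a minimum query-set size."""
    names = [n for n in names if n in db]
    if len(names) < min_query_set:
        raise PermissionError("query set too small")
    return sum(db[n] for n in names)


def difference_attack(db, target, known_group):
    """Recover one respondent's value from two permitted aggregates.

    known_group must satisfy the size control on its own; the target's
    value is simply the difference between the two released sums."""
    without_target = aggregate_sum(db, known_group)
    with_target = aggregate_sum(db, known_group + [target])
    return with_target - without_target


class OverlapControlledDB:
    """Adds query-set overlap control: a new query may share at most
    max_overlap records with any query that has already been answered."""

    def __init__(self, db, min_query_set=4, max_overlap=2):
        self.db = db
        self.min_query_set = min_query_set
        self.max_overlap = max_overlap
        self.answered = []          # query sets already released

    def aggregate_sum(self, names):
        query_set = frozenset(n for n in names if n in self.db)
        if len(query_set) < self.min_query_set:
            raise PermissionError("query set too small")
        for previous in self.answered:
            if len(query_set & previous) > self.max_overlap:
                raise PermissionError("query set overlaps an earlier query")
        self.answered.append(query_set)
        return sum(self.db[n] for n in query_set)


def demo() -> dict:
    results = {"leaked_income_E": difference_attack(INCOMES, "E", ["A", "B", "C", "D"])}
    controlled = OverlapControlledDB(INCOMES)
    results["first_query"] = controlled.aggregate_sum(["A", "B", "C", "D"])
    try:
        controlled.aggregate_sum(["A", "B", "C", "D", "E"])
        results["second_query"] = "answered"
    except PermissionError as exc:
        results["second_query"] = str(exc)
    return results
```

Overlap control raises the cost of the attack rather than eliminating it, and it requires the server to remember every query it has ever answered; this is why modern statistical releases add calibrated noise to answers (differential privacy) instead of relying on query restrictions alone.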

Finally, data integrity is a major concern in most installations. Modifications to data files can have consequences ranging from minor to disastrous.

Communication Lines and Networks

Passive attacks

Attempt to learn or make use of information from the system but do not affect system resources

Are in the nature of eavesdropping on, or monitoring of, transmissions

Goal of the attacker is to obtain information that is being transmitted

Difficult to detect because they do not involve any alteration of the data

Emphasis is on prevention rather than detection

Two types:

Release of message contents: the opponent learns the contents of a transmission; the aim is to prevent this, usually by encrypting the contents so that a captured message yields no information

Traffic analysis: even when the contents are masked by encryption, the opponent can still observe the pattern of traffic (which hosts communicate, how often, and with messages of what length)

Network security attacks can be classified as passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.

The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
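Encryption hides contents, not the "frequency and length of messages" the paragraph mentions. The Python example below is added here and is not part of the original chapter. It simulates that leak: a toy length-preserving stream cipher (keystream derived from SHA-256; constructed for the demo, unauthenticated, and not a real cipher) encrypts one of three known server replies, and an observer who never sees the key still identifies which reply was sent from the ciphertext length alone. Padding every reply to a fixed size before encryption removes that distinction. The key and the reply strings are constructed.

```python
import hashlib
import os

KEY = b"constructed-demo-key"   # constructed; the observer never sees it
NONCE_LEN = 12

# Constructed protocol: the server answers every request with exactly one of these.
REPLIES = [b"DENY", b"GRANT", b"GRANT ADMIN"]


def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(KEY || nonce || counter) blocks. Demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, pad_to: int = 0) -> bytes:
    """Length-preserving encryption. With pad_to > 0 the plaintext is first
    length-prefixed and padded up to a multiple of pad_to bytes."""
    if pad_to:
        framed = len(plaintext).to_bytes(2, "big") + plaintext
        framed += b"\x00" * (-len(framed) % pad_to)
    else:
        framed = plaintext
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(nonce, len(framed))
    return nonce + bytes(p ^ k for p, k in zip(framed, stream))


def ciphertext_body_len(ciphertext: bytes) -> int:
    return len(ciphertext) - NONCE_LEN


def build_length_table(candidates, pad_to=0) -> dict:
    """Observer's precomputation: which known replies produce which length."""
    table = {}
    for reply in candidates:
        table.setdefault(ciphertext_body_len(encrypt(reply, pad_to)), []).append(reply)
    return table


def classify(ciphertext: bytes, table: dict) -> list:
    """Traffic analysis: every known reply consistent with the observed length."""
    return table.get(ciphertext_body_len(ciphertext), [])


def demo() -> dict:
    unpadded = build_length_table(REPLIES)
    padded = build_length_table(REPLIES, pad_to=16)
    return {
        "unpadded_guess": classify(encrypt(b"GRANT ADMIN"), unpadded),
        "padded_guess": classify(encrypt(b"GRANT ADMIN", pad_to=16), padded),
    }
```

Padding only equalizes lengths within a bucket, and it does nothing about the timing, direction, or count of messages, which is why traffic analysis is treated as a separate threat from release of contents rather than something encryption alone addresses.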

Communication Lines and Networks

Active attacks

Involve some modification of the data stream or the creation of a false stream

Goal is to detect them and to recover from any disruption or delays

Four categories:

Replay

Masquerade

Modification of messages

Denial of service


Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: replay, masquerade, modification of messages, and denial of service.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message stating "Allow John Smith to read confidential file accounts" is modified to say "Allow Fred Brown to read confidential file accounts."

The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communications facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them. Because the detection has a deterrent effect, it may also contribute to prevention.
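To make the replay, masquerade, and modification categories concrete, here is a Python sketch of a command channel protected by an HMAC, added as an example here and not taken from the chapter. The shared key, the message format, and the "Allow John Smith ..." command are constructed. A naive receiver that authenticates only the message body catches modification but accepts a replayed copy of a captured message; a receiver that issues a single-use challenge nonce and tracks a sequence number rejects the replay and detects reordering. Both sides of each exchange are shown.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key"  # constructed; pre-shared between client and server


def tag(*parts: bytes) -> str:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be shifted."""
    h = hmac.new(SHARED_KEY, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.hexdigest()


# --- naive design: authenticate the body only -------------------------------

def naive_client(body: str) -> dict:
    return {"body": body, "mac": tag(body.encode())}


class NaiveServer:
    def __init__(self):
        self.accepted = []

    def handle(self, msg: dict) -> str:
        if not hmac.compare_digest(tag(msg["body"].encode()), msg["mac"]):
            return "reject: bad mac"
        self.accepted.append(msg["body"])
        return "accept"


# --- hardened design: challenge nonce + sequence number bound into the MAC ---

def hardened_client(nonce: str, seq: int, body: str) -> dict:
    return {"nonce": nonce, "seq": seq, "body": body,
            "mac": tag(nonce.encode(), seq.to_bytes(8, "big"), body.encode())}


class HardenedServer:
    def __init__(self):
        self.accepted = []
        self.outstanding = set()   # challenges issued but not yet consumed
        self.last_seq = 0

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def handle(self, msg: dict) -> str:
        if msg["nonce"] not in self.outstanding:
            return "reject: unknown or reused nonce"           # replay
        expected = tag(msg["nonce"].encode(), msg["seq"].to_bytes(8, "big"), msg["body"].encode())
        if not hmac.compare_digest(expected, msg["mac"]):
            return "reject: bad mac"                            # modification / masquerade
        if msg["seq"] <= self.last_seq:
            return "reject: out of order"                       # delayed or reordered
        self.outstanding.discard(msg["nonce"])                 # nonce is single-use
        self.last_seq = msg["seq"]
        self.accepted.append(msg["body"])
        return "accept"


def demo() -> dict:
    body = "Allow John Smith to read confidential file accounts"
    forged_body = body.replace("John Smith", "Fred Brown")
    results = {}

    naive = NaiveServer()
    captured = naive_client(body)
    results["naive_legit"] = naive.handle(captured)
    results["naive_replay"] = naive.handle(dict(captured))                  # captured copy re-sent
    results["naive_modified"] = naive.handle(dict(captured, body=forged_body))
    results["naive_accepted_count"] = len(naive.accepted)                   # John Smith granted twice

    server = HardenedServer()
    m1 = hardened_client(server.challenge(), 1, body)
    results["hard_legit"] = server.handle(m1)
    results["hard_replay"] = server.handle(dict(m1))
    m2 = hardened_client(server.challenge(), 2, body)
    results["hard_modified"] = server.handle(dict(m2, body=forged_body))
    m3 = hardened_client(server.challenge(), 3, body)
    m4 = hardened_client(server.challenge(), 4, body)
    results["hard_reordered_first"] = server.handle(m4)    # attacker delivers m4 before m3
    results["hard_reordered_second"] = server.handle(m3)
    return results
```

Note what the hardened server does and does not achieve, which matches the chapter's point about active attacks: each attack is detected and refused, but an attacker in the path can still delay or drop messages (denial of service), and the outstanding-nonce set needs an expiry so it cannot be grown without bound by requesting challenges that are never used.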


Intruders

One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker. In an important early study of intrusion, Anderson [ANDE80] identified three classes of intruders:

• Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account

• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges

• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.


Intrusion Examples


Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system.

The following are examples of intrusion:

• Performing a remote root compromise of an e-mail server

• Defacing a Web server

• Guessing and cracking passwords

• Copying a database containing credit card numbers

• Viewing sensitive data, including payroll records and medical information, without authorization

• Running a packet sniffer on a workstation to capture usernames and passwords

• Using a permission error on an anonymous FTP server to distribute pirated software and music files

• Dialing into an unsecured modem and gaining internal network access

• Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password

• Using an unattended, logged-in workstation without permission

Intruder Behavior Patterns

Hackers

Organized group of intruders who hack into a computer for the thrill or for status

Criminals

Usually have specific targets or classes of targets in mind

Frequently Eastern European or Southeast Asian groups who do business on the Web

Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting

Insider Attacks

Difficult to detect and prevent

Employees have access to and knowledge of the structure and content of databases

Can be motivated by revenge or a feeling of entitlement

The techniques and behavior patterns of intruders are constantly shifting, to exploit newly discovered weaknesses and to evade detection and countermeasures. Even so, intruders typically follow one of a number of recognizable behavior patterns, and these patterns typically differ from those of ordinary users. In the following, we look at three broad examples of intruder behavior patterns to give the reader some feel for the challenge facing the security administrator. Table 18.3 summarizes the behavior.

Traditionally, those who hack into computers do so for the thrill of it or for status. The hacking community is a strong meritocracy in which status is determined by level of competence. Thus, attackers often look for targets of opportunity and then share the information with others. A typical example is a break-in at a large financial institution reported in [RADC04]. The intruder took advantage of the fact that the corporate network was running unprotected services, some of which were not even needed. In this case, the key to the break-in was the pcAnywhere application. The manufacturer, Symantec, advertises this program as a remote control solution that enables secure connection to remote devices. But the attacker had an easy time gaining access to pcAnywhere; the administrator used the same three-letter username and password for the program. In this case, there was no intrusion detection system on the 700-node corporate network. The intruder was only discovered when a vice president walked into her office and saw the cursor moving files around on her Windows workstation.

Benign intruders might be tolerable, although they do consume resources and may slow performance for legitimate users. However, there is no way in advance to know whether an intruder will be benign or malign. Consequently, even for systems with no particularly sensitive resources, there is a motivation to control this problem.

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), of the type described in Chapter 19, are designed to counter this type of hacker threat. In addition to using such systems, organizations can consider restricting remote logons to specific IP addresses and/or using virtual private network technology.

One of the results of the growing awareness of the intruder problem has been the establishment of a number of computer emergency response teams (CERTs). These cooperative ventures collect information about system vulnerabilities and disseminate it to systems managers. Hackers also routinely read CERT reports. Thus, it is important for system administrators to quickly apply all software patches for discovered vulnerabilities. Unfortunately, given the complexity of many IT systems and the rate at which patches are released, this is increasingly difficult to achieve without automated updating. Even then, there are problems caused by incompatibilities resulting from the updated software (hence the need for multiple layers of defense in managing security threats to IT systems).

Organized groups of hackers have become a widespread and common threat to Internet-based systems. These groups can be in the employ of a corporation or government but often are loosely affiliated gangs of hackers. Typically, these gangs are young, often Eastern European, Russian, or Southeast Asian hackers who do business on the Web [ANTE06]. They meet in underground forums with names like DarkMarket.org and theftservices.com to trade tips and data and coordinate attacks. A common target is a credit card file at an e-commerce server. Attackers attempt to gain root access. The card numbers are used by organized crime gangs to purchase expensive items and are then posted to carder sites, where others can access and use the account numbers; this obscures usage patterns and complicates investigation.

Whereas traditional hackers look for targets of opportunity, criminal hackers usually have specific targets, or at least classes of targets in mind. Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting.

IDSs and IPSs can also be used for these types of attackers but may be less effective because of the quick in-and-out nature of the attack. For e-commerce sites, database encryption should be used for sensitive customer information, especially credit cards. For hosted e-commerce sites (provided by an outside service), the e-commerce organization should make use of a dedicated server (not used to support multiple customers) and closely monitor the provider's security services.

Insider attacks are among the most difficult to detect and prevent. Employees already have access to and knowledge of the structure and content of corporate databases. Insider attacks can be motivated by revenge or simply a feeling of entitlement. An example of the former is the case of Kenneth Patterson, fired from his position as data communications manager for American Eagle Outfitters. Patterson disabled the company's ability to process credit card purchases during five days of the holiday season of 2002. As for a sense of entitlement, there have always been many employees who felt entitled to take extra office supplies for home use, but this now extends to corporate data. An example is that of a vice president of sales for a stock analysis firm who resigned to go to a competitor. Before she left, she copied the customer database to take with her. The offender reported feeling no animus toward her former employer; she simply wanted the data because it would be useful to her.

Although IDS and IPS facilities can be useful in countering insider attacks, other more direct approaches are of higher priority. Examples include the following:

• Enforce least privilege, only allowing access to the resources employees need to do their job.

• Log what users access and what commands they enter.

• Protect sensitive resources with strong authentication.

• Upon termination, delete the employee's computer and network access.

• Upon termination, make a mirror image of the employee's hard drive before reissuing it. That evidence might be needed if your company information turns up at a competitor.

Intrusion Techniques

The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system. Intruders can get access to a system by exploiting attacks such as buffer overflows on a program that runs with certain privileges.

Alternatively, the intruder attempts to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user.

Malicious Software

Malware

Malicious software that exploits system vulnerabilities

Designed to cause damage to or use up the resources of a target computer

Frequently concealed within or masquerades as legitimate software

Two categories

Those that need a host program (parasitic), such as viruses, logic bombs, and back doors

Those that are independent, such as worms and bot programs

May or may not replicate

Perhaps the most sophisticated types of threats to computer systems are presented

by programs that exploit vulnerabilities in computing systems. Such threats are

referred to as malicious software , or malware . In this context, we are concerned

with application programs as well as utility programs, such as editors and compilers.

Malware is software designed to cause damage to or use up the resources of a target

computer. It is frequently concealed within or masquerades as legitimate software.

In some cases, it spreads itself to other computers via e-mail or infected discs.

The terminology in this area presents problems because of a lack of universal

agreement on all of the terms and because some of the categories overlap. Table 18.4

is a useful guide.

Malicious software can be divided into two categories: those that need a host

program, and those that are independent. The former, referred to as parasitic , are

essentially fragments of programs that cannot exist independently of some actual

application program, utility, or system program. Viruses, logic bombs, and back

doors are examples. The latter are self-contained programs that can be scheduled

and run by the operating system. Worms and bot programs are examples.

We can also differentiate between those software threats that do not replicate

and those that do. The former are programs or fragments of programs that are

activated by a trigger. Examples are logic bombs, back doors, and bot programs.

The latter consist of either a program fragment or an independent program that,

when executed, may produce one or more copies of itself to be activated later on the

same system or some other system. Viruses and worms are examples.

In the remainder of this section, we briefly survey some of the key categories

of malicious software, deferring discussion on the key topics of viruses, worms, and

bots until the following section.


Table 18.4 Terminology of Malicious Programs

(This table can be found in the textbook on page 523)


Malicious Programs

Back door (also known as a trap door)

Secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures

A maintenance hook is a backdoor inserted by a programmer to aid in testing and debugging

Logic Bomb

One of the oldest types of program threats

Code embedded in some legitimate program that is set to “explode” when certain conditions are met

A back door , also known as a trap door , is a secret entry point into a program

that allows someone who is aware of the back door to gain access without going

through the usual security access procedures. Programmers have used back doors

legitimately for many years to debug and test programs; such a back door is called

a maintenance hook . This usually is done when the programmer is developing an

application that has an authentication procedure, or a long setup, requiring the user

to enter many different values to run the application. To debug the program, the

developer may wish to gain special privileges or to avoid all the necessary setup and

authentication. The programmer may also want to ensure that there is a method of

activating the program should something be wrong with the authentication procedure

that is being built into the application. The back door is code that recognizes

some special sequence of input or is triggered by being run from a certain user ID or

by an unlikely sequence of events.

Back doors become threats when unscrupulous programmers use them to

gain unauthorized access. The back door was the basic idea for the vulnerability

portrayed in the movie War Games . Another example is that during the development

of Multics, penetration tests were conducted by an Air Force “tiger team”

(simulating adversaries). One tactic employed was to send a bogus operating system

update to a site running Multics. The update contained a Trojan horse (described

later) that could be activated by a back door and that allowed the tiger team to gain

access. The threat was so well implemented that the Multics developers could not

find it, even after they were informed of its presence [ENGE80].

It is difficult to implement operating system controls for back doors. Security

measures must focus on the program development and software update activities.
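The paragraph above describes the back door as code that recognizes a special input sequence and skips the normal authentication path. The following is an added illustration, not from the textbook: a login routine carrying a maintenance hook next to the same routine with the hook removed. The user name, password, hook value and credential store are constructed for the example.

```python
"""Maintenance-hook back door in a login routine, beside a version without one.
Users, passwords and the hook value are constructed for this illustration."""
import hashlib
import hmac
import os

ITERATIONS = 200_000


def _record(password: str) -> tuple:
    """Build a stored credential: (random salt, PBKDF2-HMAC-SHA256 of the password)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store, plus a dummy record used for unknown users so that
# a failed lookup costs the same as a failed password (no user enumeration by timing).
USERS = {"alice": _record("correct horse battery staple")}
_DUMMY = _record(os.urandom(8).hex())

# The "special sequence of input" the text describes: a value the developer added
# to skip authentication while testing and never removed. Hypothetical constant.
MAINTENANCE_HOOK = "debug-override-7f3a"


def check_password(user: str, password: str) -> bool:
    """Verify a password against the stored hash using a constant-time comparison."""
    salt, stored = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored) and user in USERS


def login_with_backdoor(user: str, password: str) -> bool:
    """Backdoored routine: the hook opens any account, existing or not, and
    bypasses the credential store entirely."""
    if password == MAINTENANCE_HOOK:
        return True
    return check_password(user, password)


def login_hardened(user: str, password: str) -> bool:
    """Same routine with the hook removed: the stored credential is the only path in."""
    return check_password(user, password)
```

Note that the hook needs no entry in the credential store at all, which is why it also opens accounts that do not exist. Reviewing for string or numeric constants that are compared against the password input, and checking that every successful return traces back to the credential store, is the code-review form of the "focus on program development" control the text recommends.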

One of the oldest types of program threat, predating viruses and worms, is the logic

bomb. The logic bomb is code embedded in some legitimate program that is set to

“explode” when certain conditions are met. Examples of conditions that can be used

as triggers for a logic bomb are the presence or absence of certain files, a particular

day of the week or date, or a particular user running the application. Once triggered,

a bomb may alter or delete data or entire files, cause a machine halt, or do some

other damage. A striking example of how logic bombs can be employed was the

case of Tim Lloyd, who was convicted of setting a logic bomb that cost his employer,

Omega Engineering, more than $10 million, derailed its corporate growth strategy,

and eventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd was

sentenced to 41 months in prison and ordered to pay $2 million in restitution.


Malicious Programs

Trojan Horse

A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function

Can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly

A Trojan horse is a useful, or apparently useful, program or command procedure

containing hidden code that, when invoked, performs some unwanted or harmful

function.

Trojan horse programs can be used to accomplish functions indirectly that an

unauthorized user could not accomplish directly. For example, to gain access to the

files of another user on a shared system, a user could create a Trojan horse program

that, when executed, changes the invoking user’s file permissions so that the files

are readable by any user. The author could then induce users to run the program by

placing it in a common directory and naming it such that it appears to be a useful

utility program or application. An example is a program that ostensibly produces

a listing of the user’s files in a desirable format. After another user has run the

program, the author of the program can then access the information in the user’s

files. An example of a Trojan horse program that would be difficult to detect is a

compiler that has been modified to insert additional code into certain programs as

they are compiled, such as a system login program. The code creates a back door

in the login program that permits the author to log on to the system using a special

password. This Trojan horse can never be discovered by reading the source code of

the login program.

Another common motivation for the Trojan horse is data destruction. The

program appears to be performing a useful function (e.g., a calculator program),

but it may also be quietly deleting the user’s files. For example, a CBS executive

was victimized by a Trojan horse that destroyed all information contained in his

computer’s memory [TIME90]. The Trojan horse was implanted in a graphics

routine offered on an electronic bulletin board system.

Trojan horses fit into one of three models:

• Continuing to perform the function of the original program and additionally

performing a separate malicious activity

• Continuing to perform the function of the original program but modifying the

function to perform malicious activity (e.g., a Trojan horse version of a login

program that collects passwords) or to disguise other malicious activity (e.g., a

Trojan horse version of a process listing program that does not display certain

processes that are malicious)

• Performing a malicious function that completely replaces the function of the

original program



Malicious Programs

Mobile code refers to programs (e.g., script, macro, or other portable instruction) that

can be shipped unchanged to a heterogeneous collection of platforms and execute

with identical semantics. The term also applies to situations involving a large homogeneous

collection of platforms (e.g., Microsoft Windows).

Mobile code is transmitted from a remote system to a local system and

then executed on the local system without the user’s explicit instruction. Mobile

code often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted

to the user’s workstation. In other cases, mobile code takes advantage

of vulnerabilities to perform its own exploits, such as unauthorized data access

or root compromise. Popular vehicles for mobile code include Java applets,

ActiveX, JavaScript, and VBScript. The most common ways of using mobile

code for malicious operations on local system are cross-site scripting, interactive

and dynamic Web sites, e-mail attachments, and downloads from untrusted sites

or of untrusted software.

Viruses and other malware may operate in multiple ways. The terminology is far

from uniform; this subsection gives a brief introduction to several related concepts

that could be considered multiple-threat malware.

A multipartite virus infects in multiple ways. Typically, the multipartite virus

is capable of infecting multiple types of files, so that virus eradication must deal with

all of the possible sites of infection.

A blended attack uses multiple methods of infection or transmission, to maximize

the speed of contagion and the severity of the attack. Some writers characterize

a blended attack as a package that includes multiple types of malware. An example

of a blended attack is the Nimda attack, erroneously referred to as simply a worm.

Nimda uses four distribution methods:

• E-mail: A user on a vulnerable host opens an infected e-mail attachment;

Nimda looks for e-mail addresses on the host and then sends copies of itself to

those addresses.

• Windows shares: Nimda scans hosts for unsecured Windows file shares; it can

then use NetBIOS as a transport mechanism to infect files on that host in

the hopes that a user will run an infected file, which will activate Nimda on

that host.

• Web servers: Nimda scans Web servers, looking for known vulnerabilities in

Microsoft IIS. If it finds a vulnerable server, it attempts to transfer a copy of

itself to the server and infect it and its files.

• Web clients: If a vulnerable Web client visits a Web server that has been infected

by Nimda, the client’s workstation will become infected.

Thus, Nimda has worm, virus, and mobile code characteristics. Blended attacks

may also spread through other services, such as instant messaging and peer-to-peer

file sharing.


Mobile code

Refers to programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics

Is transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction

Multiple-threat malware

Multipartite

Infects in multiple ways

Blended attack

Uses multiple methods of infection or transmission to maximize the speed of contagion and the severity of the attack

Viruses

Software that can “infect” other programs by modifying them

The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs

Virus has three parts:

Infection mechanism

The means by which a virus spreads, enabling it to replicate

Also referred to as the infection vector

Trigger

The event or condition that determines when the payload is activated or delivered

Payload

What the virus does, besides spreading

May involve damage or may involve benign but noticeable activity

A computer virus is a piece of software that can “infect” other programs by modifying

them; the modification includes injecting the original program with a routine to make

copies of the virus program, which can then go on to infect other programs.

Biological viruses are tiny scraps of genetic code—DNA or RNA—that can

take over the machinery of a living cell and trick it into making thousands of flawless

replicas of the original virus. Like its biological counterpart, a computer virus

carries in its instructional code the recipe for making perfect copies of itself. The

typical virus becomes embedded in a program on a computer. Then, whenever the

infected computer comes into contact with an uninfected piece of software, a fresh

copy of the virus passes into the new program. Thus, the infection can be spread

from computer to computer by unsuspecting users who either swap disks or send

programs to one another over a network. In a network environment, the ability

to access applications and system services on other computers provides a perfect

culture for the spread of a virus.

A virus can do anything that other programs do. The

only difference is that it attaches itself to another program and executes secretly

when the host program is run. Once a virus is executing, it can perform any function

that is allowed by the privileges of the current user, such as erasing files and

programs.

A computer virus has three parts:

• Infection mechanism: The means by which a virus spreads, enabling it to

replicate. The mechanism is also referred to as the infection vector .

• Trigger: The event or condition that determines when the payload is activated

or delivered.

• Payload: What the virus does, besides spreading. The payload may involve

damage or may involve benign but noticeable activity.


Virus Phases

During its lifetime, a typical virus goes through the following four phases:

• Dormant phase: The virus is idle. The virus will eventually be activated by

some event, such as a date, the presence of another program or file, or the

capacity of the disk exceeding some limit. Not all viruses have this stage.

• Propagation phase: The virus places an identical copy of itself into other programs

or into certain system areas on the disk. Each infected program will now

contain a clone of the virus, which will itself enter a propagation phase.

• Triggering phase: The virus is activated to perform the function for which it

was intended. As with the dormant phase, the triggering phase can be caused

by a variety of system events, including a count of the number of times that

this copy of the virus has made copies of itself.

• Execution phase: The function is performed. The function may be harmless,

such as a message on the screen, or damaging, such as the destruction of

programs and data files.

Most viruses carry out their work in a manner that is specific to a particular

operating system and, in some cases, specific to a particular hardware platform.

Thus, they are designed to take advantage of the details and weaknesses of particular

systems.


Dormant Phase

Virus is idle

Will eventually be activated by some event

Not all viruses have this stage

Propagation Phase

Virus places an identical copy of itself into other programs

Each infected program will now contain a clone of the virus, which will itself enter a propagation phase

Triggering Phase

Virus is activated to perform the function for which it was intended

Execution Phase

The function is performed

A Simple Virus

A virus can be prepended or postpended to an executable

program, or it can be embedded in some other fashion. The key to its operation is

that the infected program, when invoked, will first execute the virus code and then

execute the original code of the program.

A very general depiction of virus structure is shown in Figure 18.3 (based on

[COHE94]). In this case, the virus code, V, is prepended to infected programs, and

it is assumed that the entry point to the program, when invoked, is the first line of

the program.

The infected program begins with the virus code and works as follows. The first

line of code is a jump to the main virus program. The second line is a special marker

that is used by the virus to determine whether or not a potential victim program

has already been infected with this virus. When the program is invoked, control is

immediately transferred to the main virus program. The virus program may first

seek out uninfected executable files and infect them. Next, the virus may perform

some action, usually detrimental to the system. This action could be performed

every time the program is invoked, or it could be a logic bomb that triggers only

under certain conditions. Finally, the virus transfers control to the original program.

If the infection phase of the program is reasonably rapid, a user is unlikely to

notice any difference between the execution of an infected and an uninfected

program.


Logic for a Compression Virus

A virus such as the one just described is easily detected because an infected

version of a program is longer than the corresponding uninfected one. A way to

thwart such a simple means of detecting a virus is to compress the executable file

so that both the infected and uninfected versions are of identical length. Figure 18.4

shows in general terms the logic required. The important lines in this virus are

numbered.

In this example, the virus does nothing other than propagate. As previously

mentioned, the virus may include a logic bomb.
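Figures 18.3 and 18.4 are not reproduced here. The following added simulation, which is not the textbook's code, works through both: the prepended virus with its re-infection marker, and the compressing variant that keeps the infected file the same length as the original. It operates only on an in-memory dictionary of byte strings standing in for executable files, and it pairs each form with the check a defender would run: a length comparison, which the compressing form defeats, and a hash-based integrity baseline, which it does not. The marker, "virus body" and file contents are constructed.

```python
"""Simulation of the prepend virus (Figure 18.3) and the compression virus
(Figure 18.4) on an in-memory dictionary of byte strings. Nothing here touches
the filesystem or executes anything; the 'virus body' is an inert placeholder."""
import hashlib
import zlib

# Constructed constants: the textbook's "special marker" that prevents
# re-infection, an inert placeholder for V, and a one-byte form indicator.
MARKER = b"SIM-MARKER-7f3a"
VIRUS_BODY = b"<simulated virus body>"
FORM_PLAIN, FORM_COMPRESSED = b"P", b"C"
HEADER_LEN = len(MARKER) + 1 + len(VIRUS_BODY)


def is_infected(program: bytes) -> bool:
    """The marker test from Figure 18.3: skip hosts that already carry this virus."""
    return program.startswith(MARKER)


def infect_simple(program: bytes) -> bytes:
    """Prepend virus: the infected copy is longer than the host by HEADER_LEN bytes."""
    if is_infected(program):
        return program
    return MARKER + FORM_PLAIN + VIRUS_BODY + program


def infect_compressing(program: bytes):
    """Compression virus: compress the host and pad so the total length is unchanged.
    Returns None when the host does not compress enough to make room for V."""
    if is_infected(program):
        return None
    packed = zlib.compress(program, 9)
    room = len(program) - HEADER_LEN - len(packed)
    if room < 0:
        return None
    return MARKER + FORM_COMPRESSED + VIRUS_BODY + packed + b"\x00" * room


def original_program(program: bytes) -> bytes:
    """What runs after V hands control back: the host, decompressed if necessary."""
    if not is_infected(program):
        return program
    form = program[len(MARKER):len(MARKER) + 1]
    body = program[HEADER_LEN:]
    if form == FORM_PLAIN:
        return body
    d = zlib.decompressobj()
    return d.decompress(body) + d.flush()  # zero padding ends up in d.unused_data


def baseline(files: dict) -> dict:
    """What a file-integrity monitor records before infection: length and SHA-256."""
    return {n: (len(p), hashlib.sha256(p).hexdigest()) for n, p in files.items()}


def detect_by_length(base: dict, files: dict) -> list:
    return sorted(n for n, p in files.items() if len(p) != base[n][0])


def detect_by_hash(base: dict, files: dict) -> list:
    return sorted(n for n, p in files.items()
                  if hashlib.sha256(p).hexdigest() != base[n][1])


def demo() -> dict:
    # Constructed "filesystem": one compressible host, one incompressible one.
    files = {"editor": b"editor program text " * 32, "blob": bytes(range(256))}
    base = baseline(files)

    simple = {n: infect_simple(p) for n, p in files.items()}
    compressed, skipped = dict(files), []
    for n, p in files.items():
        inf = infect_compressing(p)
        if inf is None:
            skipped.append(n)
        else:
            compressed[n] = inf

    return {
        "simple_length_hits": detect_by_length(base, simple),
        "compress_length_hits": detect_by_length(base, compressed),
        "compress_hash_hits": detect_by_hash(base, compressed),
        "compress_skipped": skipped,
        "host_intact": original_program(compressed["editor"]) == files["editor"],
        "reinfection_blocked": infect_simple(simple["editor"]) == simple["editor"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the paragraph only implies come out of running it: the compressing form can only infect hosts that compress well enough to leave room for the virus, so already-compressed or high-entropy files are skipped; and a length check is the wrong control, since any baseline built on a cryptographic hash of each executable flags the infected file immediately.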


Virus Classifications by Target

Boot sector infector

Infects a master boot record and spreads when a system is booted from the disk containing the virus

File infector

Infects files that the operating system or shell considers to be executable

Macro virus

Infects files with macro code that is interpreted by an application

There has been a continuous arms race between virus

writers and writers of antivirus software since viruses first appeared. As effective

countermeasures are developed for existing types of viruses, newer types are

developed. There is no simple or universally agreed upon classification scheme

for viruses. In this section, we classify viruses along two orthogonal axes: the type

of target the virus tries to infect and the method the virus uses to conceal itself

from detection by users and antivirus software.

A virus classification by target includes the following categories:

• Boot sector infector: Infects a master boot record or boot record and spreads

when a system is booted from the disk containing the virus

• File infector: Infects files that the operating system or shell considers to be

executable

• Macro virus: Infects files with macro code that is interpreted by an application


Virus Classification by Concealment Strategy

A virus classification by concealment strategy includes the following categories:

• Encrypted virus: A typical approach is as follows: A portion of the virus creates

a random encryption key and encrypts the remainder of the virus. The key is

stored with the virus. When an infected program is invoked, the virus uses the

stored random key to decrypt the virus. When the virus replicates, a different

random key is selected. Because the bulk of the virus is encrypted with a different

key for each instance, there is no constant bit pattern to observe.

• Stealth virus: A form of virus explicitly designed to hide itself from detection

by antivirus software. Thus, the entire virus, not just a payload, is hidden.

• Polymorphic virus: A virus that mutates with every infection, so that no fixed

byte-pattern “signature” of the virus can be relied on for detection.

• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates

with every infection. The difference is that a metamorphic virus rewrites itself

completely at each iteration, increasing the difficulty of detection. Metamorphic

viruses may change their behavior as well as their appearance.

One example of a stealth virus was discussed earlier: a virus that uses compression

so that the infected program is exactly of the same length as an uninfected

version. Far more sophisticated techniques are possible. For example, a virus can

place intercept logic in disk I/O routines, so that when there is an attempt to read

suspected portions of the disk using these routines, the virus will present back the

original, uninfected program. Thus, stealth is not a term that applies to a virus as

such but, rather, refers to a technique used by a virus to evade detection.

A polymorphic virus creates copies during replication that are functionally

equivalent but have distinctly different bit patterns. As with a stealth virus, the purpose

is to defeat programs that scan for viruses. In this case, the “signature” of the

virus will vary with each copy. To achieve this variation, the virus may randomly

insert superfluous instructions or interchange the order of independent instructions.

A more effective approach is to use encryption. The strategy of the encryption virus

is followed. The portion of the virus that is responsible for generating keys and performing

encryption/decryption is referred to as the mutation engine . The mutation

engine itself is altered with each use.
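The encrypted-virus description above, and the reason the mutation engine matters, can be made concrete with the following added simulation (not from the textbook; it manipulates byte strings only). Each copy carries the same body encrypted under a fresh random key, so a scanner looking for a fixed signature in the body finds nothing; what stays constant is the small decryption stub, and a scanner that understands the stub can decrypt the body the way the stub would at run time and then match the signature. The signature, body, stub layout and key length are constructed.

```python
"""Encrypted-virus concealment in simulation: one body, a new XOR key per copy,
a constant decryption stub in the clear. Byte strings only, nothing executes."""
import os

# Constructed values. SIGNATURE is the pattern a scanner was taught to look for;
# STUB stands in for the constant decryption routine every copy must carry
# unencrypted so that it can decrypt the rest of itself at run time.
SIGNATURE = b"SIM-VIRUS-SIGNATURE"
BODY = b"<propagation routine>" + SIGNATURE + b"<payload>"
STUB = b"SIM-DECRYPT-STUB"
KEY_LEN = 16


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher: repeating-key XOR. Stands in for whatever the virus uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(body: bytes = BODY, key=None) -> bytes:
    """Replication step: choose a new key, encrypt the body, store the key where
    the stub can find it. Layout: STUB | key | encrypted body."""
    key = os.urandom(KEY_LEN) if key is None else key
    return STUB + key + xor_stream(body, key)


def signature_scan(sample: bytes, pattern: bytes) -> bool:
    """Naive scanner: fixed byte string anywhere in the file."""
    return pattern in sample


def emulate_and_scan(sample: bytes, pattern: bytes) -> bool:
    """Scanner that knows the stub: recover the key, decrypt as the stub would,
    then apply the signature to the plaintext body."""
    if not sample.startswith(STUB):
        return False
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    body = xor_stream(sample[len(STUB) + KEY_LEN:], key)
    return pattern in body


def demo() -> dict:
    copies = [make_copy() for _ in range(3)]
    return {
        "copies_differ": len(set(copies)) == 3,
        "raw_signature_hits": sum(signature_scan(c, SIGNATURE) for c in copies),
        "stub_hits": sum(signature_scan(c, STUB) for c in copies),
        "emulated_hits": sum(emulate_and_scan(c, SIGNATURE) for c in copies),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the simulation the stub is the weak point: every copy carries it verbatim, so it is itself a usable signature, and knowing its layout lets the scanner decrypt. That is exactly why the polymorphic virus described above goes further and rewrites the mutation engine (the stub) on every use, and why scanners in turn moved toward emulating the decryptor rather than matching bytes.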


Encrypted virus

A portion of the virus creates a random encryption key and encrypts the remainder of the virus

The key is stored with the virus

Stealth virus

A form of virus explicitly designed to hide itself from detection by antivirus software

The entire virus, not just the payload, is hidden

Polymorphic virus

A virus that mutates with every infection, so that no fixed byte-pattern “signature” of the virus can be relied on for detection

Metamorphic virus

Mutates with every infection

Rewrites itself completely at each iteration, increasing the difficulty of detection

Virus Kits

Enables a relative novice to quickly create a number of different viruses

Tend to be less sophisticated than viruses designed from scratch

The sheer number of new viruses that can be generated using a toolkit creates a problem for antivirus schemes

Another weapon in the virus writers’ armory is the virus-creation

toolkit. Such a toolkit enables a relative novice to quickly create a number of different

viruses. Although viruses created with toolkits tend to be less sophisticated than

viruses designed from scratch, the sheer number of new viruses that can be generated

using a toolkit creates a problem for antivirus schemes.


Macro Viruses

In the mid-1990s became by far the most prevalent type of virus

Threatening because:

A macro virus is platform independent

Macro viruses infect documents, not executable portions of code

Macro viruses are easily spread

Traditional file system access controls are of limited use in preventing their spread

Is an executable program embedded in a word processing document or other type of file

In the mid-1990s, macro viruses became by far the most prevalent

type of virus. Macro viruses are particularly threatening for a number of reasons:

1. A macro virus is platform independent. Many macro viruses infect Microsoft

Word documents or other Microsoft Office documents. Any hardware platform

and operating system that supports these applications can be infected.

2. Macro viruses infect documents, not executable portions of code. Most of the

information introduced onto a computer system is in the form of a document

rather than a program.

3. Macro viruses are easily spread. A very common method is by electronic mail.

4. Because macro viruses infect user documents rather than system programs, traditional

file system access controls are of limited use in preventing their spread.

Macro viruses take advantage of a feature found in Word and other office

applications such as Microsoft Excel—namely, the macro. In essence, a macro is

an executable program embedded in a word processing document or other type of

file. Typically, users employ macros to automate repetitive tasks and thereby save

keystrokes. The macro language is usually some form of the Basic programming

language. A user might define a sequence of keystrokes in a macro and set it up so

that the macro is invoked when a function key or special short combination of keys

is input.

Successive releases of MS Office products provide increased protection against

macro viruses. For example, Microsoft offers an optional Macro Virus Protection

tool that detects suspicious Word files and alerts the customer to the potential risk

of opening a file with macros. Various antivirus product vendors have also developed

tools to detect and correct macro viruses. As in other types of viruses, the arms

race continues in the field of macro viruses, but they no longer are the predominant

virus threat.


E-Mail Viruses

A more recent development in malicious software is the e-mail

virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a

Microsoft Word macro embedded in an attachment. If the recipient opens the

e-mail attachment, the Word macro is activated. Then the virus performs the

following two functions:

1. The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail

package.

2. The virus does local damage on the user’s system.

In 1999, a more powerful version of the e-mail virus appeared. This newer

version can be activated merely by opening an e-mail that contains the virus rather

than opening an attachment. The virus uses the Visual Basic scripting language

supported by the e-mail package.

Thus we see a new generation of malware that arrives via e-mail and uses

e-mail software features to replicate itself across the Internet. The virus propagates

itself as soon as it is activated (either by opening an e-mail attachment or by opening

the e-mail) to all of the e-mail addresses known to the infected host. As a result,

whereas viruses used to take months or years to propagate, they now do so in hours.

This makes it very difficult for antivirus software to respond before much damage is

done. Ultimately, a greater degree of security must be built into Internet utility and

application software on PCs to counter the growing threat.


The first rapidly spreading e-mail viruses made use of a Microsoft Word macro embedded in an attachment

If the recipient opens the e-mail attachment the Word macro is activated

The virus sends itself to everyone on the mailing list in the user’s e-mail package

The virus does local damage on the user’s system

In 1999 a virus appeared that could be activated merely by opening an e-mail that contains the virus rather than opening an attachment

The virus uses the Visual Basic scripting language supported by the e-mail package

Malware arrives via e-mail and uses e-mail software features to replicate itself across the Internet

The virus propagates itself as soon as it is activated to all of the e-mail addresses known by the infected host

Worms

Programs that can replicate themselves and send copies from computer to computer across network connections

In addition to propagation the worm usually performs some unwanted function

Actively seek out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines

A network worm:

Exhibits the same characteristics as a computer virus

May attempt to determine if a system has previously been infected before copying itself

A worm is a program that can replicate itself and send copies from computer to computer

across network connections. Upon arrival, the worm may be activated to replicate

and propagate again. In addition to propagation, the worm usually performs some

unwanted function. An e-mail virus has some of the characteristics of a worm because

it propagates itself from system to system. However, we can still classify it as a virus

because it uses a document modified to contain viral macro content and requires

human action. A worm actively seeks out more machines to infect and each machine

that is infected serves as an automated launching pad for attacks on other machines.

Network worm programs use network connections to spread from system to

system. Once active within a system, a network worm can behave as a computer virus

or bacteria, or it could implant Trojan horse programs or perform any number of

disruptive or destructive actions.

To replicate itself, a network worm uses some sort of network vehicle.

Examples include the following:

• Electronic mail facility: A worm mails a copy of itself to other systems, so that

its code is run when the e-mail or an attachment is received or viewed.

• Remote execution capability: A worm executes a copy of itself on another

system, either by using an explicit remote execution facility or by exploiting a

program flaw in a network service to subvert its operations.

• Remote login capability: A worm logs onto a remote system as a user and

then uses commands to copy itself from one system to the other, where it then

executes.

The new copy of the worm program is then run on the remote system, where, in

addition to any functions that it performs at that system, it continues to spread in

the same fashion.

A network worm exhibits the same characteristics as a computer virus: a

dormant phase, a propagation phase, a triggering phase, and an execution phase.

Typically, a worm performs the following functions during the propagation phase:

1. Search for other systems to infect by examining host tables or similar repositories

of remote system addresses.

2. Establish a connection with a remote system.

3. Copy itself to the remote system and cause the copy to be run.

The network worm may also attempt to determine whether a system has previously

been infected before copying itself to the system. In a multiprogramming

system, it may also disguise its presence by naming itself as a system process or using

some other name that may not be noticed by a system operator.

As with viruses, network worms are difficult to counter.

The state of the art in worm technology includes the following:

• Multiplatform: Newer worms are not limited to Windows machines but can

attack a variety of platforms, especially the popular varieties of UNIX.

• Multi-exploit: New worms penetrate systems in a variety of ways, using exploits

against Web servers, browsers, e-mail, file sharing, and other network-based

applications.

• Ultrafast spreading: One technique to accelerate the spread of a worm is to

conduct a prior Internet scan to accumulate Internet addresses of vulnerable

machines.

• Polymorphic: To evade detection, skip past filters, and foil real-time analysis,

worms adopt the virus polymorphic technique. Each copy of the worm has

new code generated on the fly using functionally equivalent instructions and

encryption techniques.

• Metamorphic: In addition to changing their appearance, metamorphic worms

have a repertoire of behavior patterns that are unleashed at different stages of

propagation.

• Transport vehicles: Because worms can rapidly compromise a large number

of systems, they are ideal for spreading other distributed attack tools, such as

distributed denial-of-service bots.

• Zero-day exploit: To achieve maximum surprise and distribution, a worm

should exploit an unknown vulnerability that is only discovered by the general

network community when the worm is launched.


Bots

Also known as a zombie or drone

Program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot’s creator

A botnet is a collection of bots capable of coordinating attacks

A bot (robot), also known as a zombie or drone, is a program that secretly takes

over another Internet-attached computer and then uses that computer to launch

attacks that are difficult to trace to the bot’s creator. The bot is typically planted on

hundreds or thousands of computers belonging to unsuspecting third parties. The

collection of bots often is capable of acting in a coordinated manner; such a collection

is referred to as a botnet .

A botnet exhibits three characteristics: the bot functionality, a remote control

facility, and a spreading mechanism to propagate the bots and construct the botnet.

We examine each of these characteristics in turn.


Characteristics:

The bot functionality

A remote control facility

A spreading mechanism to propagate the bots and construct the botnet

Uses of Bots

Distributed denial-of-service attacks

Spamming

Sniffing traffic

Keylogging

Spreading new malware

Installing advertisement add-ons and browser helper objects (BHOs)

Attacking IRC chat networks

Manipulating online polls/games

The following are uses of bots:

• Distributed denial-of-service attacks: A DDoS attack is an attack on a computer system or network that causes a loss of service to users.

• Spamming: With the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam).

• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartext data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information like usernames and passwords.

• Keylogging: If the compromised machine uses encrypted communication channels (e.g., HTTPS or POP3S), then just sniffing the network packets on the victim’s computer is useless because the appropriate key to decrypt the packets is missing. But by using a keylogger, which captures keystrokes on the infected machine, an attacker can retrieve sensitive information. An implemented filtering mechanism (e.g., “I am only interested in key sequences near the keyword ‘paypal.com’ ”) further helps in stealing secret data.

• Spreading new malware: Botnets are used to spread new bots. This is very easy since all bots implement mechanisms to download and execute a file via HTTP or FTP. A botnet with 10,000 hosts that acts as the start base for a worm or mail virus allows very fast spreading and thus causes more harm.

• Installing advertisement add-ons and browser helper objects (BHOs): Botnets can also be used to gain financial advantages. This works by setting up a fake Web site with some advertisements: The operator of this Web site negotiates a deal with some hosting companies that pay for clicks on ads. With the help of a botnet, these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. This process can be further enhanced if the bot hijacks the start page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.

• Attacking IRC chat networks: Botnets are also used for attacks against Internet Relay Chat (IRC) networks. Popular among attackers is especially the so-called clone attack: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network. The victim is flooded by service requests from thousands of bots or thousands of channel joins by these cloned bots. In this way, the victim IRC network is brought down, similar to a DDoS attack.

• Manipulating online polls/games: Online polls/games are getting more and more attention, and it is rather easy to manipulate them with botnets. Since every bot has a distinct IP address, every vote will have the same credibility as a vote cast by a real person. Online games can be manipulated in a similar way.


Remote Control Facility

Is what distinguishes a bot from a worm

A worm propagates itself and activates itself, whereas a bot is controlled from some central facility

A typical means of implementation is on an IRC server

All bots join a specific channel on this server and treat incoming messages as commands

Once a communications path is established between a control module and the bots, the control module can activate the bots

The remote control facility is what distinguishes a bot from a worm. A worm propagates itself and activates itself, whereas a bot is controlled from some central facility, at least initially.

A typical means of implementing the remote control facility is on an IRC server. All bots join a specific channel on this server and treat incoming messages as commands. More recent botnets tend to avoid IRC mechanisms and use covert communication channels via protocols such as HTTP. Distributed control mechanisms are also used, to avoid a single point of failure.

Once a communications path is established between a control module and the bots, the control module can activate the bots. In its simplest form, the control module simply issues a command to the bot that causes the bot to execute routines that are already implemented in the bot. For greater flexibility, the control module can issue update commands that instruct the bots to download a file from some Internet location and execute it. The bot in this latter case becomes a more general-purpose tool that can be used for multiple attacks.
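The polling behaviour just described is also what gives a bot away on the network: a host that contacts the same server at a near-constant interval while waiting for commands, whether the control channel is an IRC server or an HTTP site. The following added example (not part of the original text or its cited sources) scores the flows in a constructed connection log by the regularity of their inter-connection intervals; the addresses, port numbers and threshold values are assumptions made for illustration.

```python
"""Beacon detection for bot command-and-control traffic (added example).

Flags (source, destination, port) flows whose connections recur at a nearly
constant interval, the timer-driven polling a bot shows while waiting for
commands from its control facility.  The sample log and all addresses,
ports and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (timestamp in seconds, src_ip, dst_ip, dst_port).
SAMPLE_CONNECTIONS = [
    # Host polling a control server every ~300 s (bot-like).
    (0, "10.0.0.5", "203.0.113.10", 80),
    (300, "10.0.0.5", "203.0.113.10", 80),
    (601, "10.0.0.5", "203.0.113.10", 80),
    (899, "10.0.0.5", "203.0.113.10", 80),
    (1200, "10.0.0.5", "203.0.113.10", 80),
    (1502, "10.0.0.5", "203.0.113.10", 80),
    (1800, "10.0.0.5", "203.0.113.10", 80),
    # Host browsing a web site at irregular, human-paced intervals.
    (0, "10.0.0.7", "198.51.100.20", 443),
    (12, "10.0.0.7", "198.51.100.20", 443),
    (45, "10.0.0.7", "198.51.100.20", 443),
    (300, "10.0.0.7", "198.51.100.20", 443),
    (310, "10.0.0.7", "198.51.100.20", 443),
    (900, "10.0.0.7", "198.51.100.20", 443),
    (905, "10.0.0.7", "198.51.100.20", 443),
    # Too few connections to judge regularity; ignored by the detector.
    (100, "10.0.0.8", "192.0.2.9", 6667),
    (400, "10.0.0.8", "192.0.2.9", 6667),
]


def find_beacons(records, min_connections=6, max_cv=0.1):
    """Return flows whose inter-connection intervals are nearly constant.

    A flow is (src, dst, port).  The coefficient of variation (CV) of its
    intervals, pstdev / mean, is close to 0 for a timer-driven bot and large
    for human-driven traffic.  `max_cv` is a tunable threshold, not a standard.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_connections:
            continue  # not enough samples to measure regularity
        times.sort()
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "period": period, "cv": cv})
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['period']:.0f}s (cv={hit['cv']:.3f})")
```

On the constructed log only the 300-second poller is reported; the browsing host has the same number of connections but an interval CV above 1, and the two-connection IRC flow is skipped for lack of samples. In practice the thresholds are tuned against the site's own baseline, and legitimate periodic clients (software update checks, monitoring agents) are handled with an allow list rather than by loosening the CV bound.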


Constructing a Network Attack

Software to carry out the attack must be able to run on a large number of machines and remain concealed

The attack must be aware of a vulnerability that many system administrators have failed to notice

A strategy for locating vulnerable machines must be implemented

This is known as scanning or fingerprinting

The first step in a botnet attack is for the attacker to infect a number of machines with bot software that will ultimately be used to carry out the attack. The essential ingredients in this phase of the attack are the following:

1. Software that can carry out the attack. The software must be able to run on a large number of machines, must be able to conceal its existence, must be able to communicate with the attacker or have some sort of time-triggered mechanism, and must be able to launch the intended attack toward the target.

2. A vulnerability in a large number of systems. The attacker must become aware of a vulnerability that many system administrators and individual users have failed to patch and that enables the attacker to install the bot software.

3. A strategy for locating and identifying vulnerable machines, a process known as scanning or fingerprinting.


Scanning Strategies

In the scanning process, the attacker first seeks out a number of vulnerable machines and infects them. Then, typically, the bot software that is installed in the infected machines repeats the same scanning process, until a large distributed network of infected machines is created. The following are types of scanning strategies:

• Random: Each compromised host probes random addresses in the IP address space, using a different seed. This technique produces a high volume of Internet traffic, which may cause generalized disruption even before the actual attack is launched.

• Hit list: The attacker first compiles a long list of potentially vulnerable machines. This can be a slow process done over a long period to avoid detection that an attack is underway. Once the list is compiled, the attacker begins infecting machines on the list. Each infected machine is provided with a portion of the list to scan. This strategy results in a very short scanning period, which may make it difficult to detect that infection is taking place.

• Topological: This method uses information contained on an infected victim machine to find more hosts to scan.

• Local subnet: If a host can be infected behind a firewall, that host then looks for targets in its own local network. The host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall.


Random

Each compromised host probes random addresses in the IP address space, using a different seed

Hit List

The attacker first compiles a long list of potentially vulnerable machines

Once the list is compiled the attacker begins infecting machines on the list

Topological

Uses information contained on an infected victim machine to find more hosts to scan

Local subnet

If a host can be infected behind a firewall, that host then looks for targets in its own local network

Host uses the subnet address structure to find other hosts that would otherwise be protected by the firewall
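Each scanning strategy above leaves a characteristic footprint in a site's flow logs, which is how a defender notices an infection spreading before the attack itself is launched. The following added example (not part of the original text) classifies the sources in a constructed flow log by the shape of their destination set: many destinations scattered across unrelated /16 networks points to random scanning, many destinations inside the site's own /24 points to a local subnet sweep. The network ranges, thresholds and labels are assumptions made for illustration; hit-list and topological scanning cannot be told apart from flow data alone, so they are reported together.

```python
"""Scan-pattern classification over flow logs (added example).

Groups flows by source, measures how many distinct hosts each source
contacted, and labels high fan-out sources by where those hosts sit.
The site network, sample flows and thresholds are constructed for
illustration and are not taken from the original text.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed site network


def constructed_flows():
    """Build a small synthetic flow log of (src_ip, dst_ip, dst_port) tuples."""
    flows = []
    # Random scanner: 30 destinations, each in a different /16, one port.
    base = int(ipaddress.IPv4Address("100.64.0.0"))
    for i in range(30):
        dst = str(ipaddress.IPv4Address(base + i * 65537))  # bumps both /16 and host
        flows.append(("10.0.0.9", dst, 445))
    # Local subnet sweep: walks the site /24 probing SSH.
    for host in range(1, 41):
        flows.append(("10.0.0.12", f"10.0.0.{host}", 22))
    # Ordinary workstation: a handful of servers, revisited.
    for dst in ["198.51.100.20", "198.51.100.21", "203.0.113.5", "10.0.0.1"] * 3:
        flows.append(("10.0.0.7", dst, 443))
    return flows


def classify_scanners(flows, local_net=LOCAL_NET, fanout_threshold=20):
    """Return {src: label} for sources contacting >= fanout_threshold distinct hosts.

    Labels: 'random scan' when destinations spread over many /16 prefixes,
    'local subnet sweep' when nearly all lie inside local_net, otherwise
    'focused scan (hit list or topological)'.
    """
    dests = defaultdict(set)
    for src, dst, _port in flows:
        dests[src].add(ipaddress.ip_address(dst))

    result = {}
    for src, addrs in dests.items():
        if len(addrs) < fanout_threshold:
            continue  # normal fan-out for a client
        local = sum(1 for a in addrs if a in local_net)
        if local / len(addrs) >= 0.9:
            result[src] = "local subnet sweep"
            continue
        # Distinct /16 prefixes: a random scanner spreads across many networks,
        # a list-driven scanner tends to cluster on a few.
        prefixes = {a.packed[:2] for a in addrs}
        if len(prefixes) / len(addrs) >= 0.5:
            result[src] = "random scan"
        else:
            result[src] = "focused scan (hit list or topological)"
    return result


if __name__ == "__main__":
    for src, label in sorted(classify_scanners(constructed_flows()).items()):
        print(f"{src}: {label}")
```

The fan-out threshold is the main tuning knob: too low and busy servers or vulnerability scanners operated by the site itself are reported, too high and a slow hit-list scan that touches only a few hosts per bot goes unnoticed, which is precisely the property the text attributes to that strategy.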

Spam (Unsolicited Bulk) E-Mail

With the explosive growth of the Internet over the last few decades, the widespread use of e-mail, and the extremely low cost required to send large volumes of e-mail, has come the rise of unsolicited bulk e-mail, commonly known as spam. A number of recent estimates suggest that spam e-mail may account for 90% or more of all e-mail sent. This imposes significant costs both on the network infrastructure needed to relay this traffic and on users who need to filter their legitimate e-mails out of this flood. In response to this explosive growth, there has been the equally rapid growth of the anti-spam industry that provides products to detect and filter spam e-mails. This has led to an arms race between the spammers devising techniques to sneak their content through and the defenders making efforts to block them.

While some spam is sent from legitimate mail servers, most recent spam is sent by botnets using compromised user systems. A significant portion of spam e-mail content is just advertising, trying to convince the recipient to purchase some product online, such as pharmaceuticals, or used in scams, such as stock scams or money mule job ads. But spam is also a significant carrier of malware. The e-mail may have an attached document, which, if opened, may exploit a software vulnerability to install malware on the user’s system, as we discussed in the previous section. Or, it may have an attached Trojan horse program or scripting code that, if run, also installs malware on the user’s system. Some Trojans avoid the need for user agreement by exploiting a software vulnerability in order to install themselves, as we discuss next. Finally, the spam may be used in a phishing attack, typically directing the user either to a fake Web site that mirrors some legitimate service, such as an online banking site, where it attempts to capture the user’s login and password details; or to complete some form with sufficient personal details to allow the attacker to impersonate the user in an identity theft. All of these uses make spam e-mails a significant security concern. However, in many cases it requires the user’s active choice to view the e-mail and any attached document, or to permit the installation of some program, in order for the compromise to occur.


The extremely low cost required to send large volumes of e-mail has led to the rise of unsolicited bulk e-mail, commonly known as spam

A number of recent estimates suggest that spam may account for 90% or more of all e-mail sent

This imposes significant costs both on the network infrastructure needed to relay this traffic and on users who need to filter out their legitimate e-mails

Is a significant carrier of malware

May be used in a phishing attack, typically directing the user to a fake Web site that mirrors some legitimate service and capturing the user’s personal information or logins and passwords

Credential Theft, Keyloggers, and Spyware

Keylogger

Captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information

Spyware

Subverts the compromised machine to allow monitoring of a wide range of activity on the system

May include monitoring the history and content of browsing activity

Redirecting certain Web page requests to fake sites controlled by the attacker

Dynamically modifying data exchanged between the browser and certain Web sites of interest

Typically, users send their login and password credentials to banking, gaming, and related sites over encrypted communication channels (e.g., HTTPS or POP3S), which protects them from capture by monitoring network packets. To bypass this, an attacker can install a keylogger, which captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information. Since this would result in the attacker receiving a copy of all text entered on the compromised machine, keyloggers typically implement some form of filtering mechanism that only returns information close to desired keywords (e.g., “login” or “password” or “paypal.com”).

In response to the use of keyloggers, some banking and other sites switched to using a graphical applet to enter critical information, such as passwords. Since these do not use text entered via the keyboard, traditional keyloggers do not capture this information. In response, attackers developed more general spyware payloads, which subvert the compromised machine to allow monitoring of a wide range of activity on the system. This may include monitoring the history and content of browsing activity, redirecting certain Web page requests to fake sites controlled by the attacker, and dynamically modifying data exchanged between the browser and certain Web sites of interest. All of these can result in significant compromise of the user’s personal information.

The Zeus banking Trojan, created from its crimeware toolkit, is a prominent example of such spyware that has been widely deployed in recent years [BINS10]. It steals banking and financial credentials both by using a keylogger and by capturing and possibly altering form data for certain Web sites. It is typically deployed either using spam e-mails or via a compromised Web site in a “drive-by-download.”


Phishing and Identity Theft

Phishing

Exploits social engineering to leverage user’s trust by masquerading as communications from a trusted source

Spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return to an e-mail accessible to the attacker, which is used to gather a range of private, personal information on the user

Spear-phishing

E-mail claiming to be from a trusted source, however, the recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity

Another approach used to capture a user’s login and password credentials is to include a URL in a spam e-mail that links to a fake Web site controlled by the attacker, but which mimics the login page of some banking, gaming, or similar site. This is normally included in some message suggesting that urgent action is required by the user to authenticate their account, to prevent it being locked. If users are careless, and don’t realize that they are being conned, then following the link and supplying the requested details will certainly result in the attackers exploiting their account using the captured credentials.

More generally, such a spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail address accessible to the attacker, which is used to gather a range of private, personal information on the user. Given sufficient details, the attacker can then “assume” the user’s identity for the purpose of obtaining credit, or sensitive access to other resources. This is known as a phishing attack and exploits social engineering to leverage users’ trust by masquerading as communications from a trusted source [GOLD10].

Such general spam e-mails are typically widely distributed to very large numbers of users, often via a botnet. While the content will not match appropriate trusted sources for a significant fraction of the recipients, the attackers rely on it reaching sufficient users of the named trusted source, a gullible portion of whom will respond, for it to be profitable.

A more dangerous variant of this is the spear-phishing attack. This again is an e-mail claiming to be from a trusted source. However, the recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity. This greatly increases the likelihood of the recipient responding as desired by the attacker.
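The phishing messages described above depend on a link whose visible text or domain resembles the trusted source without being it. The following added example (not part of the original text or its cited sources) applies a few defensive heuristics to an anchor's visible text and its real href against a constructed list of trusted domains: a displayed URL whose host differs from the real one, a bare IP address as the target, a trusted brand name appearing under some other registrable domain, and a registrable domain within edit distance two of a trusted one. The trusted domain, the sample links and the two-label rule for the registrable domain are simplifying assumptions; a production filter would use a public-suffix list and a curated brand list.

```python
"""Heuristic phishing-link checks for mail filtering (added example).

Inspects an anchor's visible text and real href and returns the reasons the
link looks suspicious.  TRUSTED_DOMAINS and the sample links are
constructed; the registrable-domain rule (last two labels) ignores
multi-part public suffixes such as co.uk and is a simplification.
"""
import ipaddress
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # constructed list of domains the site trusts


def registrable_domain(host):
    """Crude eTLD+1: the last two DNS labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1ebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(visible_text, href, trusted=TRUSTED_DOMAINS):
    """Return a list of reasons the link is suspicious (empty if none found)."""
    reasons = []
    href_host = (urlparse(href).hostname or "").lower()
    if not href_host:
        return ["href has no host"]

    # 1. Visible text that itself looks like a URL but points somewhere else.
    #    (Scheme-less display text such as 'www.example.com' is not parsed.)
    shown_host = urlparse(visible_text.strip()).hostname
    if shown_host and shown_host.lower() != href_host:
        reasons.append(f"displayed host {shown_host} differs from real host {href_host}")

    # 2. Raw IP address instead of a name: no further domain checks apply.
    if is_ip_literal(href_host):
        reasons.append("link target is a bare IP address")
        return reasons

    # 3. Genuine trusted domain, or a subdomain of one: nothing more to flag.
    reg = registrable_domain(href_host)
    if reg in trusted:
        return reasons

    # 4. Brand name reused under another domain (examplebank.com.verify.example),
    #    or a registrable domain one or two edits away from a trusted one.
    for td in trusted:
        brand = td.split(".")[0]
        if brand in href_host:
            reasons.append(f"brand '{brand}' used outside trusted domain {td}")
        elif 0 < edit_distance(reg, td) <= 2:
            reasons.append(f"registrable domain {reg} is a lookalike of {td}")
    return reasons


if __name__ == "__main__":
    samples = [  # constructed (visible text, href) pairs
        ("https://www.examplebank.com/login", "https://www.examplebank.com/login"),
        ("https://www.examplebank.com/login", "http://examplebank.com.account-verify.example/login"),
        ("Verify now", "http://192.0.2.44/verify"),
        ("Log in", "https://examp1ebank.com/"),
    ]
    for text, href in samples:
        print(href, "->", assess_link(text, href) or ["ok"])
```

The checks are deliberately ordered from cheapest to most specific, and each returns a reason rather than a verdict so that the mail gateway can weight them alongside other signals (sender reputation, attachment type) instead of blocking on a single heuristic.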


Types of Attacks Experienced

In order to assess the relative severity of various threats and the relative importance of various approaches to computer security, it is useful to look at the experience of organizations. A useful view is provided by the CSI Computer Crime and Security Survey for 2010/2011, conducted by the Computer Security Institute [CSI10]. The respondents consisted of over 350 U.S.-based companies, nonprofit organizations, and public sector organizations.

Figure 18.5 shows the types of attacks experienced by respondents in nine major categories. Most noteworthy is the large and growing prevalence of malicious software (malware) attacks. It is also worth noting that most categories of attack exhibit a somewhat downward trend. The CSI report speculates that this is due in large part to improved security techniques by organizations.


Security Technologies Used

Figure 18.6 indicates the types of security technology used by organizations to counter threats. Both firewalls and antivirus software are used almost universally. This popularity reflects a number of factors:

• The maturity of these technologies means that security administrators are very familiar with the products and are confident of their effectiveness.

• Because these technologies are mature and there are a number of vendors, costs tend to be quite reasonable and user-friendly interfaces are available.

• The threats countered by these technologies are among the most significant facing security administrators.


Summary

Chapter 18: Computer and Network Security Threats

Computer security concepts

Threats and attacks

Threats and assets

Intruder behavior patterns

Intrusion techniques

Viruses

Worms

Bots

Spam

Computer security trends

Malicious software

Back door

Logic bomb

Trojan horse

Mobile code

Multiple-threat malware

Credential theft, keyloggers, and spyware

Phishing and identity theft

Reconnaissance and espionage

Chapter 18 summary.


Figure 18.1 The Security Requirements Triad: confidentiality, integrity, and availability, arranged around data and services.

Threat Consequence / Threat Action (attack)

Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.

• Exposure: Sensitive data are directly released to an unauthorized entity.

• Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.

• Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.

• Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.

Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.

• Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.

• Falsification: False data deceive an authorized entity.

• Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.

• Incapacitation: Prevents or interrupts system operation by disabling a system component.

• Corruption: Undesirably alters system operation by adversely modifying system functions or data.

• Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.

• Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.

• Misuse: Causes a system component to perform a function or service that is detrimental to system security.

Figure 18.2 Scope of System Security. The figure depicts users making requests to computer systems in which a guard controls access by processes representing users to data, and labels four requirements:

1 Access to the data must be controlled (protection)

2 Access to the computer facility must be controlled (user authentication)

3 Data must be securely transmitted through networks (network security)

4 Sensitive files must be secure (file security)

Asset / Availability / Confidentiality / Integrity

Hardware

• Availability: Equipment is stolen or disabled, thus denying service.

Software

• Availability: Programs are deleted, denying access to users.

• Confidentiality: An unauthorized copy of software is made.

• Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.

Data

• Availability: Files are deleted, denying access to users.

• Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.

• Integrity: Existing files are modified or new files are fabricated.

Communication Lines

• Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.

• Confidentiality: Messages are read. The traffic pattern of messages is observed.

• Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.

Name / Description

Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.

Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.

Logic bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.

Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.

Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.

Mobile code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Exploits: Code specific to a single vulnerability or set of vulnerabilities.

Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in an e-mail.

Auto-rooter: Malicious hacker tools used to break into new machines remotely.

Kit (virus generator): Set of tools for generating new viruses automatically.

Spammer programs: Used to send large volumes of unwanted e-mail.

Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.

Keyloggers: Captures keystrokes on a compromised system.

Rootkit: Set of hacker tools used after attacker has broken into a computer system and gained root-level access.

Zombie, bot: Program activated on an infected machine that is activated to launch attacks on other machines.

Spyware: Software that collects information from a computer and transmits it to another system.

Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.

program V :=
{goto main;
 1234567;

 subroutine infect-executable :=
 {loop:
  file := get-random-executable-file;
  if (first-line-of-file = 1234567)
   then goto loop
   else prepend V to file;
 }

 subroutine do-damage :=
 {whatever damage is to be done}

 subroutine trigger-pulled :=
 {return true if some condition holds}

main: main-program :=
 {infect-executable;
  if trigger-pulled then do-damage;
  goto next;}

next:
}

Figure 18.3 A Simple Virus

program CV :=
{goto main;
 01234567;

 subroutine infect-executable :=
 {loop:
  file := get-random-executable-file;
  if (first-line-of-file = 01234567) then goto loop;
  (1) compress file;
  (2) prepend CV to file;
 }

main: main-program :=
 {if ask-permission then infect-executable;
  (3) uncompress rest-of-file;
  (4) run uncompressed file;}
}

Figure 18.4 Logic for a Compression Virus

Figure 18.5 Types of Attacks Experienced (by percent of respondents). Bar chart, 2006 through 2009, of nine attack categories: Malware infection; Laptop/mobile device theft; Insider abuse of net access or email; Phishing; Denial of service; Bots on network; Financial fraud; Password sniffing; Exploit of wireless networks. The individual percentages are not recoverable from the extracted text.

Source: Computer Security Institute 2010/2011 Computer Crime and Security Survey

Figure 18.6 Security Technologies Used (percent of respondents, 0% to 100%). The technologies surveyed, in the order shown in the figure: Anti-virus software; Firewall; Anti-spyware software; Virtual private network (VPN); Vulnerability/Patch Management; Encryption of data in transit; Intrusion detection system (IDS); Encryption of data at rest (in storage); Web/URL filtering; Application firewall; Intrusion prevention system (IPS); Log management software; Endpoint security software; Data loss prevention/content monitoring; Server-based access control list; Forensic tool; Static account logins/passwords; Public key infrastructure (PKI); Smart cards and other one-time tokens; Specialized wireless security; Virtualization-specific tools; Biometrics; Other. The individual percentages are not recoverable from the extracted text.

Source: Computer Security Institute 2010/2011 Computer Crime and Security Survey