In previous
article we examined the Denial of Service attack. It is very common attack and
one that can easily to perpetrate. In this article you will continue your
examination of security threats by learning about several other types of
attacks. First, you will learn about virus outbreaks. Our discussion will focus
on important information on how and why virus attacks work, including their
deployment through Trojan horses. This article is not a “how to create your own
virus” tutorial, but rather an introduction to the concepts underlying these
attacks as well as an examination of some specific case studies.
This article
will also explore buffer overflow attacks, spyware & several other forms of
malware. Each of these brings a unique approach to an attack and each needs to
be considered when defending a system. Your ability to defend against such
attacks will be enhanced by expending your knowledge of how they work.
Viruses
According to the definition, a computer virus
is a self-replicated program. Generally, a virus will also have some other
unpleasant function, but the self-replication and rapid spread are the
hallmarks of virus. Often this growth, in and of itself, can be a problem for
an affected network. In previous article discussed the Slammer virus and the
effects of its rapid, high-volume scanning. Functionality and responsibility of
network is reduced by rapid spreading virus. Simply by exceeding the traffic
load that network was designed to carry, the network may be rendered
temporarily non-functional.
How A Virus Spreads
Usually, a
virus will primarily spread in one of two ways. The first is too simply scan
your computer for connections to a network, and then copy itself to other
machines on the network to which your computer has access. This method is
efficient way to spreading virus. However, in this method more programming
skills are required. The more common method is to read your e-mail address book
and e-mail itself to everyone in your address book. Programming this is a
trivial task, which explains why it is so common.
The latter
method is, by far, the most common method for virus propagation and Microsoft
Outlook may be the one e-mail program most often hit with such virus attacks. There
is no reason of Outlook security flaw because it is easy to work with Outlook.
All products of Microsoft is created for that purpose, a programmer creates an
application that he can deep access in the application & can create such
application which, integrate the application in Microsoft Office Suite. For
example, a programmer could write an application that would access a Word
document, import an Excel spreadsheet, & then use Outlook to automatically
e-mail the resulting document to interested parties. It is a good job by
Microsoft to make easy process for it usually, there is no need of programming
finishing the work. Using Outlook, it takes less than five lines of code to
reference Outlook and send out an e-mail. This means a program can literally
cause Outlook itself to send e-mail, unbeknownst to the user. On Internet,
there are several of code to show how to do this, free for the talking. There
is no need of programmer for access your Outlook address book and automatically
send e-mail. Essentially, the ease of programing Outlook is why there are so
many virus attacks that target Outlook.
While the
overwhelming majority of virus attacks spread by attaching themselves to the
victim’s existing e-mail software, some recent virus outbreaks have used other
methods for propagation method is to simply copy itself across the network.
Virus outbreaks that spread via multiple routes are becoming more common.
The delivery of
payload is very easy and it is depend on carelessness of end-user nor the
skills of programmer of the virus. Enticing users to go to Web sites or open
files they should not is a common method for delivering a virus and one that
requires no programming skill at all. Regardless that how virus is come to you
doorstep, when the virus is in your system that it tries to damage your system.
Once a virus is on your system, it cans anything that any legitimate program
can do. That means it could potentially delete files, change system setting or
cause other harm.
Recent Virus Examples
The threat from
virus attacks cannot be overstated. While there are many Web pages that give
virus information, in my opinion, there are only a handful of Web pages that
consistently give the latest, most reliable, most detailed information on virus
outbreaks. Any security professional will want to consult these sites on a
regular basis. You can read about any virus, past or current, at the following
websites:
· www.f-secure.com/virus-info/virus-news/
· www.cert.org/nav/index_red.html
· Securityresponse.symantec.com/
· Vil.nai.com/vil/
The sections
below will look at a few recent virus outbreaks and review how they operated
and what they did.
The Sobig Virus:
The virus that
received the most media attention and perhaps caused the most harm in 2003 was
clearly the Sobig virus. The first interesting thing about this virus was how
it spread. It spread utilizing a multi-modal approach to spreading. This means
he used more than one mechanism to spread and infect new machines. It would
copy itself to any shared drives on your network and it would e-mail itself out
to everyone in your address book. For these reasons, this virus was
particularly virulent.
|
FYI: Virulent
Virus
|
|
|
The term
virulent means basically the same thing with respect to a computer virus as
it does with a biological virus.. It is a measure of how rapidly the
infection spreads and how easily it infect new targets.
|
In the case of
Sobig, if one person on a network was unfortunate enough to open an e-mail
containing the virus, not only would his machine be infected, but so would
every shared drive on that network to which this person had access. However,
Sobig, like most e-mail-distributed virus attacks, had tell-tale sign in the
e-mail subject or title that could be used to identify the e-mail as one
infected by a virus. The e-mail would have some enticing title such as “here is
the sample” or “the document” to encourage you to be curious enough to open the
attached file. The virus would then copy itself into the Windows system
directory.
This particular
virus spread so far and infected so many networks that just making multiple
copies of the virus was enough to shut down some networks. This virus did not
destroy files or damage the system, but it generated a great deal to traffic
that bogged down the networks infected by it. The virus itself was of mode3rate
sophistication. Once this was over, however, many different forms began to
emerge, complicating the situation further. One of the side effects of some
types of Sobeg was downloading files from the Internet that would then cause
printing problems. Some network printers just start printing garbage. start
printing junk. The Sobig.E variant would even write to the Windows registry,
causing itself to be in the computer startup (F-Secure, 2003) these complex
characteristics indicate that the creator knew how to access the Windows
registry, access shared drives, alter the Windows startup and access Outlook.
This brings up
the issue of virus variants and how they occur. In the case of a biological
virus, mutations in the genetic code cause new virus strains to appear and the
pressures of natural selections allow some of these stains to evolve into
entirely new species of viruses. Obviously, the biological method is not what
occurs with a computer virus. With a computer virus, what occurs is that some
intrepid programmer with malicious intent will get a copy of a virus (perhaps
her own machine becomes infected) and will then reverse-engineer it. Since many
virus attacks are in the form of a script attached to an e-mail, unlike
traditionally compiled programs, the source code of these attacks is readily
readable and alterable. The programmer in question then simply takes the
original virus code4 and introduces some change, then re-releases the variant.
Frequently, the people who are caught for virus creation are actually the
developers of the variant who lacked the skill of the original virus writer and
therefore were easily caught.
The Miamai Virus
The Mimail
virus did not receive as much media attention as Sobi, but it had its
intriguing characteristics. This virus not only collected e-mail addresses from
your address book, but also from other documents on your machine (Gudmundsson,
2004). Thus, if you had a word document on your hard drive and an e-mail
address was in that document, mimail would find it. This strategy meant that
Mimail would spread farther than many other viruses. Mimail had its own
build-in e-mail engine, so it did not have to “piggy back” off your e-mail
client. It could spread regardless of what e-mail software you used.
These two
variations from most virus attacks made Mimail interesting to people who study
computer viruses. There are variety of techniques that allow one of
programmatically open and process files on your computer; however, most virus
attacks don’t employ them. The scanning of the document for e-mail addresses
indicates a certain level of skill and creativity on the part of the virus
writer. In this author’s opinion, Mimail was not the work of an amateur, but
rather a person with professional-level programming skill.
The Bagle Virus
Another virus
that spread rapidly in the fourth quarter of 2003 was a Bagle virus. The e-mail
it sent claimed to be from your system administrator. It would tell you that
your e-mail account had been infected by a virus and that you should open the
attached file to get instructions. Once you opened the attached file, your
system was infected. This virus was particularly interesting for several
reasons. To begin with, it spread both through e-mail and copying itself to
shared folders. Secondly, it could also scan files on you PC looking for e-mail
addresses. Finally this virus took out your computer “immune system”. The
disabling of virus scanners is a new twist that indicates at least moderates
programming skills on the part of virus creator.
A Non – Virus Virus
Another new
type of virus has been gaining popularity in the past few years and that is the
“non-virus virus” or put simply, a hoax. Rather than actually writing a virus,
a hacker sends an e-mail to every address he has. The e-mail claims to be from
some well know antivirus center and warns of a new virus that is calculating.
The e-mail instructs people to delete some file from their computer to get rid
of the virus. However, the file is not really a virus but a part of system. The
jdbgmgr.exe virus hoax used this scheme (Vmyths.com, 2002). It encouraged the
reader to delete a file that was actually needed by the system. Surprisingly, a
number of people followed this advice and not only deleted the file, but
promptly e-mailed their friends and colleagues to warn them to delete file from
their machines.
|
FYI: The
Morris Internet Worm
|
|
|
The Morris
worm was one of the first computer warms ever to be distributed over the
Internet. And it was certainly the first to gain any significant media
attention.
Robert
Tappan Morris, Jr., then a student of Cornel University, wrote this worm and
launched it from an MIT system on 2nd of November 1088. Morris originally
intend not to cause any damage with the worm. Instead, he wanted the worm to
reveal bugs in the programs he exploited to spread it. However, bugs in the
code allowed an individual computer to be infected multiple times and the
worm become a menace. Every additional ‘infection’ spawned a new process on
the infected system. At a certain point the high number of processes running
on an infected system slowed down the computer to the point of being
unusable. At least 5000 Unix machines
were infected with this worm.
Morris
was convicted of violating the 1986 Computer Fraud and Abuse Act and was
sentenced to a $10,000 fine, three years’ probation and 400 hours of community
service. But perhaps the greatest impact of this worm was that it led to the
creation of the Computer Emergency Response Team (CERT).
|
Rules for Avoiding Viruses
You should
notice a common theme with all virus attacks (except the hoax), which is that
they want you to open some kind of attachment. The most common way for a virus
to spread is as an e-mail attachment. Use a virus scanner, McAffee and Norton
are two of the most popular and used virus scanners.
§ Use a virus scanner, McAffee and Norton are the two most widely
accepted and used virus scanners. Each costs about 30$ per year to keep your
virus scanner updated. Do it.
§ If you are not sure about an attachment, do not open it.
§ Use a virus scanner, McAfee and Norton are two of the most popular
and used virus scanners.
§ Do not believe “security alerts” that are send to you. Microsoft
does not send out alerts in this manner. Check the Microsoft Web site
regularly, as well as one of this antivirus Web site.
These rules
will not make your system 100% virus proof, but they will go a long way towards
protecting your system.
Trojan Horses
A Trojan horse
is a term for a program that looks benign but actually has a malicious purpose.
You might receive or download a program that appears to be a harmless business
utility or game. More likely, the Trojan horse is just a script attached to a
benign-looking e-mail. When you run the program or open the attachment, it does
something else other than or in addition to what you thought it would. It
might:
§ Download harmful software from a Web site.
§ Install a key logger or other spyware on your machine.
§ Delete files.
§ Open a backdoor for a hacker to use.
It is common to
find combination virus plus Trojan horse attacks. In those scenarios, the
Trojan horse spreads like a virus. The MyDoom virus opened a port on your
machine that a later virus, doomjuice, would exploit, thus making MyDoom a
combination virus and Trojan horse.
A Trojan horse
could also be crafted especially for an individual. If a hacker wished to spy
on a certain individual, such as the company accountant, she could craft a
program specifically to attract that person’s attention. For example, if she
knew the accountant was an avid golfer courses. She would post that program on
a free Web server. She would then e-mail a number of people, including the
accountant, telling them about the free software. The software, once installed,
could check the name of currently logged-on person. If the logged-on name
matched the accountant’s name, the software could then go out, unknown to the
user and download a key logger or other monitoring application. If the software
did not damage files or replicate itself, then it would probably go undetected
for quite a long time.
|
FYI: Virus or
Worm?
|
|
|
There is
disagreement among the experts as to the distinction between a virus and a
worm. Some experts would call MyDoom a worm because it spread without human
intervention. For the purpose of this text, these malware will referred to as
viruses.
|
Such a program
could be within the skill set of virtually any moderately competent programmer.
This is one reason that many organization have rules against downloading ANY
software onto company machines. I am unaware of any actual incident of a Trojan
horse being custom-tailored in this fashion. However, it is important to
remember that those creating virus attacks tend to be innovative people.
Another
scenario to consider is one that would be quite devastating. Without divulging
programming details, the basic premise will be outlined here to illustrate the
grave dangers of Trojan horses. Imagine a small application that displays a
series of unflattering pictures of Osama Bin Laden. This application would
probably be popular with many people in the United States of America,
particularly people in the military, intelligence community or defense-related
industries. Now assume that this application simply sits dormant on the machine
for a period of time. It need not replicate like a virus because the computer
user will probably send it to many of his associates. On a certain date and
time, the software connects to any drive it can, including network drives and
begins deleting all files. If such a Trojan horse were released “in the wild”,
within 30 days it would probably be shipped to thousands, perhaps millions, of
people. Imagine the devastation when thousands of computers begin deleting
files and folders.
This scenario
is mentioned precisely to frighten you a littles. Computer users, including
professionals who should know better, routinely download all sorts of things
from the Internet, such as amusing flash videos and cute games. Every time an
employee downloads something of this nature, there is a chance of downloading a
Trojan horse. One need not be a statistician to realise that if employees
continue that practice long enough, they will eventually downloading a Trojan
horse onto a company machine. If so, hopefully the virus will not be as vicious
as the theoretical one just outlined here.
The Buffer Overflow Attack
You have become
knowledgeable about a number of ways to attack a target system: Denial of
Service, virus and Trojan horse. While these attacks are probably the most
common, they are not the only methods. Another method of attacking a system is
called a buffer overflow (or buffer overrun) attack. A buffer
overflow attack happens when one tries to put more data in a buffer than it was
designed to hold (searchSecurity.com, 2004a). Any program that communicates
with the Internet or a private network must take in some data. This data is
stored, at least temporarily, in a space in memory called a buffer. If
the programmer who wrote the application was careful, when you try to place too
much information into a buffer, that information is then either simply truncated
or outright rejected. Given the number of applications that might be running on
a target system and the number of buffers in each application, the chances of
having at least one buffer that was not written properly are significant enough
to cause any prudent person some concern.
Someone who is
moderately skilled in programming can write a program that purposefully writes
more into the buffer than it can hold. For example, if the buffer can hold 1024
bytes of data and you try to fill it with 2048 bytes, the extra 24 bytes is
then simple loaded into memory. If that extra data is actually a malicious
program, then it has just been loaded into memory and is thus now running on
the target system. Or, perhaps the perpetrator simply want to flood the target
machine’s memory, thus overwriting other items that are currently in memory and
causing them to crash. Either way, the buffer overflow is a very serious
attack.
Fortunately,
buffer overflow attacks are a bit harder to execute than a DoS or simple
Microsoft Outlook script virus. To create a buffer overflow attack, you have a
good working knowledge of some programming language (C or C++ is often chosen)
and understand the target operating system / application well enough to know
whether it has a buffer overflow weakness and how that weakness might be
exploited.
The Sasser Virus
It should be
interesting to note that several major new virus outbreaks took place—most
notably, the Sasser virus. Sasser is a combination attack in that the virus (or
worm) spreads by exploiting a buffer overrun.
The Sasser
virus spreads by exploiting a known flaw in a Windows system program. Sasser
copies itself to the Windows directory as avserve.exe and creates a registry
key a load itself at startup. In that way, once your machine is infected, you
will start the virus every time you start the machine. This virus scans random
IP address, listing on successive TCP ports starting at 1068 for exploitable
systems---that is, systems that have not been patched to fix this flaw. When
one is found, the worm exploits the vulnerable system by overflowing a buffer
in LSASS.EXE, which is a file that is part of the Windows operating system.
That executable is build-in system file and is part of Windows. Sasser also
acts as an FTP server on TCP port 5554 and it creates a remote shell on TCP
port 9996. Next, Sasser creates an FTP script named cmd.ftp on the remote host
and executes that script. This FTP script instructs the target victim to
download and execute the worm from the infected host. The infected host accepts
this FTP traffic on TCP port 5554. The computer also creates a file named
win.log on the C: drive. This file contains the IP address of the localhost.
Copies of the virus are created in the Windows System directory as #_up.exe.
Examples are shown here:
·
C:\WINDOWS\system32\12553_up.exe
·
C:\WINDOWS\system32\17923_up.exe
·
C:\WINDOWS\system32\29679_up.exe
A side effect
of this virus is that it causes your machine to reboot. A machine that is
repeatedly rebooting without any other known cause may well be infected with
the Sasser virus.
This is another
case in which the infection can easily be prevented by several means. First, if
you update your system on a regular basis, your systems should not be
vulnerable to this flaw. Secondly, if your network’s routers or firewall block
traffic on the ports mentioned (9996 and 5554), you will then prevent most of
Sasser’s damage. Your firewall should only allow in traffic on specified ports,
all other ports should be shut down. In short, if you as the network
administrator are aware of security issues and are taking prudent steps to
protect the network, your network will be safe. The fact that so many networks
were affected by this virus should indicate that not enough administrators are
properly trained in computer security.
Spyware
Spyware was mention
as one of the threats to computer security. Using spyware, however, requires a
great deal more technical knowledge on the part of the perpetrator than some
other forms of malware. The perpetrator must be able to develop spyware for the
particular situation or customize existing spyware for his needs. He must then
be able to get the spyware on the target machine.
Spyware canbe
as simple as a cookie used by a Web site to record a few brief facts about your
visit to that Web site or spyware could be of a more insidious type, such as a
key logger. That key board; this spyware then logs your keystrokes to the spy’s
file. The most common use of a key logger is to capture usernames and
passwords. However, this method can capture every username and password you
enter and every document you type, as well as anything else you might type.
This data can be stored in a small file hidden in your system for later
extraction or sent out in TCP packets to some predetermined address. In some
cases, the software is even set to wait until after hours to upload this data
to some server or to use your own e-mail software to send the data to an
anonymous shots from your system, revealing anything that is open on your
computer. Whatever the specific mode of operation, spyware is software that
literally spies on your activities on a particular computer.
Legal Uses of Spyware
There are some
perfectly legal uses for spyware. Some employers have embraced such spyware as
a means of monitoring employee use of company technology. Many companies have
elected to monitor phone, e-mail or Web traffic within the organization. Keep
in mind that the computer, network & phone system are the property of the
company or organization, not of the employees. These technologies are
supposedly only used for work purposes; therefore, company monitoring might not
constitute any invasion of privacy. While courts have upheld this monitoring as
a company’s right, it is critical to consult an attorney before initiating this
level of employee morale.
Parents con
also elect to use this type of software on their home computer to monitor the
activities of their children on the Internet. The goal is usually a laudable
one—protecting their children from online predators. Yet, as with employees in
a company, the practice may illicit as strong negative reaction from the
parties being spied upon—namely, their children Parents have to weigh the risk
to their children versus what might be viewed as a breach of trust.
How is Spyware Delivered to a Target
System?
Clearly,
spyware programs can track all activity on a computer, and that information can
be retrieved by another party via a number of different methods. The real
question is this: How does spyware get onto a computer system in the first place?
The most common method is a Trojan horse. It is also possible that, when you
visit a certain Web site, spyware may download in the background while you are
simply perusing the Web site. Of course, if an employer (or parent) is
installing the spyware, it can then be installed non-covertly in the same way
that organization would installed any other application.
Obtaining Spyware Software
Given the many
other utilities and tools that have been mentioned as available from the
Internet, you probably will not be surprised to learn that you can obtain many
spyware products for free, or at very low cost, on the Internet. You can check
the Counter exploitation (www.sungi.org) web site, for a lengthy
list of known spyware products circulating on the Internet and for information
about methods one can use to remove them. The Spyware Guide Web site
(SpywareGuide,2004) (www.spywareguide.com) lists
spyware that you can get right off the Internet should you feel some compelling
reason to spy on someone’s computer activities. Several key logger applications
are listed on this site. These application s include well known key loggers
such as Absolute Keylogger, Tiny Keylogger and TypO. Most can be downloaded for
free or for a nominal charge from Internet.
Some well-known
Trojan horses are also listed at this site such as the 2nd Thought
application that downloads to a person’s personal computer (PC) and then blasts
it with advertisement. This particular piece of spyware is one that downloads
to your PC when you visit certain Web sites. It is benign in that it causes no
direct harm to your system or files, not does it gather sensitive information
from you PC. However, it is incredibly annoying as it inundates your machine
with unwanted ads. This sort of software is often referred to as adware.
Frequently, these ads cannot be stopped by normal protective pop-up blockers
because the pop-up windows are not generated by a Web site that you visit, but
rather by some rogue software running on your machine. Pop-up blockers only
work to stop sites you visit from opening new windows. Web sites use well-known
scripting techniques to cause your browser to open a window, and pop-up
blockers recognize thes4e techniques and prevent the ad window from opening. However,
if the adware launches a new browser instance, it bypasses the pop-up blocker’s
faction.