herbert g. mayer, psu cs status 6/25/2011 slides derived from prof. wu-chang feng
DESCRIPTION
Herbert G. Mayer, PSU CS status 6/25/2011 Slides derived from prof. Wu-Chang Feng. CS 305 Social, Ethical, and Legal Implications of Computing Chapter 6 Computer Networks and Security. Syllabus. Malware Virus Worms Examples Backdoor Troyan Horse Rootkit Botnet Hackers and Phreaks - PowerPoint PPT PresentationTRANSCRIPT
1
CS 305Social, Ethical, and Legal
Implications of Computing
Chapter 6Computer Networks and Security
Herbert G. Mayer, PSU CSHerbert G. Mayer, PSU CSstatus 6/25/2011status 6/25/2011
Slides derived from prof. Wu-Chang Feng Slides derived from prof. Wu-Chang Feng
2
Syllabus
Malware Virus Worms Examples Backdoor Troyan Horse Rootkit Botnet Hackers and Phreaks Enforcement OIn-Class Exercise
3
MalwareDef: Malware is unwanted SW attack, giving instructions Def: Malware is unwanted SW attack, giving instructions
to your computer to do something an attacker wants it to your computer to do something an attacker wants it to, such as:to, such as: Delete files to render your computer inoperable Infect other systems --worms, viruses Monitor activity --webcams, keystroke loggers Gather information on you, your habits, web sites you visit Provide unauthorized access --Trojans, backdoors Steal files, store illicit files Send spam or attack other systems Stepping stone to launder activity --frame you for a crime Hide activity --rootkits
4
Types of Malware
VirusesViruses
WormsWorms
TrojansTrojans
BackdoorsBackdoors
Rootkits (user & kernel level)Rootkits (user & kernel level)
5
What is a Virus?
Self-replicating piece of code that attaches itself to other Self-replicating piece of code that attaches itself to other programs; usually requires human interaction to programs; usually requires human interaction to propagatepropagate
6
Two Virus Components
PayloadPayload The malicious/anti-social thing that viruses & worms do that
make them highly irritating Examples: wiping your hard drive, deleting files, encrypting
files for blackmail purposes
Propagation mechanismPropagation mechanism How do viruses spread?
7
Virus Propagation
LocallyLocally Simplest method Write it to the file system
Local files, executables, documentsWrite it into the boot sector/operating system
Removable storageRemovable storage Initial viruses propagated through tapes and floppies Rarely target CDs specifically but
Chernobyl (CIH) on Yamaha CDR update CDNIMDA on Visual Studio .net in Korea
Modern mediaCompact Flash, SD, USB Keys
8
Virus Propagation
NetworkNetwork Most common currently
Email (Iloveyou)WebNewsgroups (Melissa)P2P Networks (Fastrack, Gnutella, IRC, Torrent)
» 2003 study showed 45% of executable files downloaded from KaZaA had viruses or Trojan horses
» Beware of Warez!NFS, Samba mountsSocial networks
9
Examples
BenignBenign Brain virus (1986)
Determine level of software piracy in Pakistan
MaliciousMalicious Michelangelo (1991)
Erased boot sector on March 6
Love bug (2000)Deleted filesCollected passwords and e-mailed themAuthor was a 23 year old Filipino CS studentNo hacking laws in Philippines so no prosecution
10
Worms
A worm is a self-replicating piece of code that spreads A worm is a self-replicating piece of code that spreads via networks; usually does not require human via networks; usually does not require human interaction to propagateinteraction to propagate
11
Virus vs. WormSimilaritiesSimilarities
Goal is to infect other machines Can contain a payload
VirusVirus Infects other files (must have executable sections) Transmitted via removable storage or network Require user interaction for propagation -- e.g. Open a file, boot from
floppy, launch an executable, click on e-mail attachment etc.
WormWorm Travels through the network only key May infect other files (might be cleared through reboot) Does not require human interaction Target misconfiguration or flaws/vulnerability in systems --buffer
overflows!
12
Why are Worms Powerful?
Fast scalingFast scaling Can take over a vast number of machines, each of which will act as a
launch point to infect other machines
Goal: Infect 10,000 machineGoal: Infect 10,000 machine Serial example
Suppose an average of 1 hour per machine Includes time to find a vulnerable machine, as well as infecting it 10000 hours = 416 days > 1 year!
Worm example Again, suppose an average of 1 hour per machine, Infected machines will subsequently take an hour to infect another
» 1st hour: 1 infection» 2nd hour: 3 infections» 3rd hour: 7 infections» 14th hour: 16,383 infections = 714 times faster than serial
13
Anatomy of Worm
A worm is composed ofA worm is composed of Warhead Propagation Engine Target Selection Algorithm Scanning Engine Payload
14
Warhead
Warhead – the mechanism by which a worm gains entry Warhead – the mechanism by which a worm gains entry into a systeminto a system This is the part that we protect our systems against. The
warhead contains the exploit code Buffer overflow, copying into open file shares, password
attacks
15
Propagation Engine
Propagation Engine – How the worm transports a new Propagation Engine – How the worm transports a new copy of itself into another machinecopy of itself into another machine Often, warheads contain the entire worm, but not always Warhead code can download the rest of the worm code, e.g.
remote root shell exploit followed by an ftp
16
Target Selection Algorithm
Target Selection Algorithm – How a worm selects its Target Selection Algorithm – How a worm selects its next targetnext target Want to choose nearby targets. Nearby targets are much
faster to infect than far away targets IP address proximity, network neighborhood, e-mail address
books
17
Scanning Engine
Scanning Engine – Code that probes machines to Scanning Engine – Code that probes machines to determine if addresses generated by the targeting determine if addresses generated by the targeting algorithm are vulnerable.algorithm are vulnerable. Pretty simple usually – send probing packets (TCP SYN) to
targets, wait for response If successful in opening a socket, attempt to compromise
18
Payload
Payload – The malicious code that the worm actually Payload – The malicious code that the worm actually deliversdelivers Early worms often had no payload, just the mere act of
spreading itself around will damage the Internet Install a backdoor, Trojan, or rootkit Alter or destroy files (immediately, timed, on-demand) Encrypt your data, delete the originals, hold it for ransom Form a botnet (e-mail spam, search engine spam, phishing) Launch DoS attacks
19
Examples
The first few worms were “ethical” worms – worms that The first few worms were “ethical” worms – worms that tried to perform a useful servicetried to perform a useful service
CreeperCreeper First worm developed for the assistance of air traffic
controllers by Bob Thomas in 1971 Notified air traffic controllers when the controls of a plane
moved from one computer to another Traveled from one computer screen to the other on the
network showing the message, "I'm creeper! Catch me if you can!"
Did not reproduce itself
20
Examples
Xerox PARC wormsXerox PARC worms John Shock and Jon Hepps of Xerox PARC, early eighties Worms as efficient carriers of software
"town crier" worm posted announcements on all computers of network
More complex – activated only at night to consume unused CPU cycles
Escaped laboratory into Xerox’s networkOne morning the employees returned to find that all the
computers had crashed. When they tried to restart the computers, they crashed again
One of the worms malfunctioned and had created havoc in the network
A "vaccine" had to be created so as to deactivate the worm
21
Examples
The Internet worm (1988)The Internet worm (1988) Robert Morris (student at Cornell) discovers multiple security holes
in Unix (ftp, sendmail, and fingerd) Wanted to research whether one could create an automated means for
exploiting them Goal was to infect quickly, but do no other damage (i.e. files left alone) In the middle of the design, a patch was released for one vulnerability Morris quickly launched worm before it was completed
Released November 2, 1988 Brought down the Internet Morris suspended from Cornell and convicted of felony under U.S.
Computer Fraud and Abuse act. (Given probation) Went back to school at Princeton, now a professor at MIT
Ethics? Malicious or selfish?
22
Code Red (2001)
Targeted indexing service used in Windows IIS web Targeted indexing service used in Windows IIS web serverserver Spreads as a bad HTTP request (buffer overflow)
Infected server creates 99 threads to attack random IP addresseswindowsupdate.microsoft.com was infected too
Infection rateOver 20,000 infections in less than 10 minutesOver 250,000 infections in less than 9 hoursOver 975,000 total infections
PayloadDDoS attack against whitehouse.gov’s IP
23
Code Red (2001)
People don’t patchPeople don’t patch IIS vulnerability was fixed months before Code Red launched Infected machines observed years later
24
Santy (2004)
Attacks PHP Bulletin Board (phpBB) website software.Attacks PHP Bulletin Board (phpBB) website software. Exploit
URL descrambling error in PHP on input allows arbitrary PHP script to execute.
Novel target selection algorithm How do you find vulnerable phpBB2 software to attack?
» The same way you do. It Googles for it.
» 40000 phpBB2 servers hit Google eventually started blocking/censoring searches to slow down worm Result: New variant of Santy used AOL and Yahoo search engines
“Ethical” worm developed 1 week later Anti-Santy worm used same method Google used Defaced webpage: “viewtopic.php secured by Anti-Santy-Worm V4. Your
site is a bit safer, but upgrade to >= 2.0.11.”
25
Ethical WormsSuppose you create a worm that…Suppose you create a worm that…
Exploits the vulnerability Patches the system Removes itself Should you release it?
What if it spreads out of control? What if it spreads out of control?
What if it doesn’t work? What if it doesn’t work? Patching could bring about problems
E.g. Critical application depends on vulnerability to work correctly E.g. Application depends on a certain interpretation of the specification
Patches have to be tested thoroughly!
Are ethical worms an oxymoron?Are ethical worms an oxymoron? Perhaps not worth the trouble?
How would one analyze this using ethical frameworks?How would one analyze this using ethical frameworks?
26
Ethical Disclosure
Publishing zero-day exploitsPublishing zero-day exploits Zero-Day worms especially dangerous as they target brand new
exploits No patch available! (Have to hope that your system/network is
adequately hardened) Is it ethical to disclose such vulnerabilities? How long should one wait to disclose them?
Publishing better ways to design wormsPublishing better ways to design worms Staniford, Paxson, Weaver, “How to 0wn the Internet in your own
spare time”, in Usenix Secuirty 02 Warhol Worms/Flash Worms Infect the entire Internet in 15 minutes/30 seconds. (!) Is it ethical to disclose such techniques?
27
Backdoors
A backdoor is a program that allows attackers to bypass A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access normal security controls on a system, gaining access on the attacker’s own termson the attacker’s own terms
28
Types of BackdoorsLocal escalation of privilegesLocal escalation of privileges
Allow attackers with account administrator privileges
Remote execution of individual commandsRemote execution of individual commands Remote attackers can send a message to a victim machine
that allows them to execute a single command on the victim machine
Remote command-line access (aka remote shell)Remote command-line access (aka remote shell) Remote attacker can type directly into a command prompt of
the victim machine across the network
Remote control of GUIRemote control of GUI Remote attacker controls the GUI of the victim machine
across the network
29
Trojan Horse
A Trojan horse is a program which appears to have A Trojan horse is a program which appears to have some useful or benign capability, but conceals some some useful or benign capability, but conceals some hidden, malicious functionalityhidden, malicious functionality
Origin of term: The ancient Greeks laying siege to Origin of term: The ancient Greeks laying siege to Troy…Troy…
30
Rootkits
Rootkits are Trojan backdoor tools that modify existing Rootkits are Trojan backdoor tools that modify existing operating system software so that attacker can keep operating system software so that attacker can keep access to and hide on a machineaccess to and hide on a machine
31
Botnets
A bot is a software program that responds to commands A bot is a software program that responds to commands sent by a command-and-control program located on sent by a command-and-control program located on an external computeran external computer
Botnets are coordinated collections of bots under a Botnets are coordinated collections of bots under a single central controlsingle central control Launch denial-of-service attacks Send spam Host phishing sites
32
Hackers and Phreaks
Hackers – two definitions: good and badHackers – two definitions: good and bad Someone highly skilled in programming and use of computer
systems (sign of respect in some circles) Someone that breaks into computer systems (sign of bad
behavior in public circles)
Phone phreak – someone that manipulates the Phone phreak – someone that manipulates the telephone system in order to communicate with telephone system in order to communicate with others without payingothers without paying Stealing access codes, using outlawed hardware
33
Early Hacking Incidents
PDP-11PDP-11 Programmable minicomputer shared by many students at MIT Students forbidden to modify hardware Stewart Nelson (1960s)
Added a new hardware instruction in the middle of the night to “improve” performance
Also did it to demonstrate his skills
Ethical evaluationDoes it depend on the outcome?What good is an ethical framework if you can only tell afterwards
if an action is right or wrong?
34
U.S. Law on HackingComputer Fraud and Abuse ActComputer Fraud and Abuse Act
Transmitting code that causes damage to a computer system Accessing without authorization any computer connected to
the Internet Transmitting classified government information Trafficking in computer passwords Computer fraud Computer extortion Maximum penalty – 20 years and $250k fine
Other acts that can be applied to Internet-based crimeOther acts that can be applied to Internet-based crime Wire Fraud Act National Stolen Property ace Identity Theft and Assumption Deterrence Act
35
Recent Enforcement
Ancheta (2005)Ancheta (2005) Created botnet of hundreds of thousands of machines
Some within the DoD Used to spam
Arrested and convicted under Computer Fraud Abuse act and CAN-SPAM act in May 2005
57 months in prison, $15,000 in restitution to US government Forfeiture of illegal proceeds and computer equipment
Gonzalez (2009)Gonzalez (2009) With Russian co-conspirators, obtained 130 million credit/debit card
numbers Indicted
Success of enforcement few and far between due to stealth Success of enforcement few and far between due to stealth measures that are easy to implementmeasures that are easy to implement
36
Blue Security
Fighting bots with botsFighting bots with bots Users sign up for Blue Security service Whenever they mark a message as spam, inform
BlueSecurity service Blue Security bot automatically sends opt-out message to
spammer Spammers target Blue Security and its users with enormous
volume of spam Service discontinued
37
In-Class Exercise
Oberlin College in Ohio requires that every computer Oberlin College in Ohio requires that every computer brought to campus by a student be inspected for brought to campus by a student be inspected for viruses. System administrators remove all viruses viruses. System administrators remove all viruses from the students’ computers. Students whose from the students’ computers. Students whose computers subsequently pick up and spread a virus computers subsequently pick up and spread a virus may be fined $25, whether they knew about the virus may be fined $25, whether they knew about the virus or not. Is this a morally justifiable policy?or not. Is this a morally justifiable policy?
38
In-Class Exercise
SATAN hacker toolkitSATAN hacker toolkit Security Administrator Tool for Analyzing Networks Probe computers for security weaknesses Could be used for good and evil Morality of publishing SATAN using ethical frameworks?
39
In-Class Exercise
On-line votingOn-line voting Used in many countries to render elections cheap, easily accessible
Local elections in the UK (since 2001) U.S. primary elections in Alaska and Arizona (2000)
Controversial Election goals
Tamper-resistance» One vote per person» Prevent vote trading/selling» Audit trail to ensure proper tallying» Authenticating both the voter and the election service
Privacy Ease of use to avoid voter disenfranchisement (e.g. “Butterfly” ballot of
2000) Ethical evaluation?