Naveen Gudigantala, 3-6-2003: OS Attacks Including Viruses
Outline of the presentation: Preview; Common OS attacks; Defenses against attacks; Viruses
PREVIEW
Sequence of actions leading to the OS attack
The attacker has done his homework, discovering as much about the target as possible using a variety of reconnaissance techniques.
Next, the attacker scans the system to gather much more information about the target, using a variety of scanning tools.
Gaining access using OS attacks
Approaches: script kiddie exploit trolling; stack-based buffer overflow attacks; password attacks; web application attacks
Script Kiddie Exploit Trolling
A script kiddie writes (or, more likely, cuts and pastes) code without either having or desiring to have a mental model of what the code does.
Uses one of the websites offering a database of exploits, such as
www.securityfocus.com
http://www.ktwo.ca/nonexecstackversion.html
Script Kiddie attacks
While a script kiddie uses these Internet searches to troll for canned exploits, a more sophisticated attacker will employ far more complex techniques to gain access.
Here, the pragmatism, experience and skill level of the attacker determine his success.
Stack Based Buffer Overflow
Any application or OS component that is poorly written could have a stack-based buffer overflow.
By exploiting this vulnerability, the attacker can execute arbitrary commands on the target machine, potentially taking over the entire machine.
Normal Stack (one function's frame; higher addresses are drawn at the top, and the buffer fills upward, toward the saved frame pointer and return pointer):

    Top of memory
    +-----------------------------+
    | Function call arguments     |
    +-----------------------------+
    | Return pointer              |
    +-----------------------------+
    | Saved frame pointer         |
    +-----------------------------+
    | Buffer (local variable 1)   |   ^ fill direction
    +-----------------------------+
    Bottom of memory
Sample code with function call (the numbered comments follow the flow of execution)

    #include <stdio.h>

    void sample_function(void)
    {
        char buffer[10];              /* a local variable: it lives in this frame on the stack */
        (void)buffer;                 /* unused here; it only shows where a buffer sits */
        printf("Happy Happy!\n");     /* 2. the flow has transferred into the function */
        return;                       /* 3. we now return to main via the saved return pointer */
    }

    int main(void)
    {
        sample_function();            /* 1. execution starts here and calls the function */
        printf("Hello world!\n");
        return 0;
    }
Buffer overflow sample program (deliberately vulnerable: strcpy has no idea how big the destination is)

    #include <string.h>

    void sample_function(char *string)
    {
        char buffer[16];              /* 4. the local variable buffer can hold only 16 characters */
        strcpy(buffer, string);       /* 5. strcpy copies characters into buffer until it finds the end of
                                            the string, but the string is far longer than the buffer */
        return;
    }

    int main(void)
    {
        char big_buffer[256];         /* 1. make a buffer that can hold 256 characters */
        int i;
        for (i = 0; i < 255; i++)     /* 2. shove the character 'A' into big_buffer 255 times */
            big_buffer[i] = 'A';
        big_buffer[255] = '\0';       /* terminate the string so strcpy stops after the 255 A's */
        sample_function(big_buffer);  /* 3. send the big buffer into the function */
        return 0;
    }
What happens next...
When sample_function finishes, it pops its local variables and the saved frame pointer off the stack, and then the return pointer.
The 'A' characters spill over the end of the 16-byte buffer, running into the saved frame pointer and then into the return pointer.
The return pointer is copied into the processor's instruction pointer, so the machine tries to fetch its next instruction from a memory location that is the binary equivalent of a bunch of A's (0x41414141 on a 32-bit machine).
And the program crashes!
What if, instead of A's, you insert machine language code into the buffer, with commands that you want to execute, and overwrite the return pointer with an address that points back into that buffer?
How to include the code?
On Unix, place code on the stack that executes /bin/sh (forcing the machine to run a command shell).
On Windows NT/2000 systems, the injected code calls into a specific DLL already loaded in the target to get the work done (e.g. wininet.dll).
Once the stack is smashed... now what? Creating a back door using inetd; backdooring with TFTP and Netcat; shooting back xterms.
Stack based buffer overflow defenses for security administrators
Keep the systems patched; monitor various mailing lists, such as the BugTraq, CERT and SANS mailing lists.
Test the newly patched systems.
Make sure that the publicly accessible systems are configured with the minimum number of necessary services and software extras.
Control outgoing traffic from the network (a shell shooting back an xterm or a Netcat connection needs an outbound path).
Configure the system with non-executable stacks.
Stack based buffer overflow defenses for developers
Avoid using problematic functions with known security vulnerabilities (strcpy, strcat, gets, sprintf and the like; use their length-bounded counterparts and check the lengths yourself).
Use automated code-checking tools to search for known problems.
Alter the way the stack functions: two tools, StackGuard and Stack Shield, can be invoked at compile time for Linux programs to create stacks that are more difficult to attack with buffer overflows.
Password Attacks
Many applications and OSes have built-in default passwords established by the vendors.
Many administrators fail to change the default passwords. http://security.nerdnet.com
Password Guessing through Login scripting
Write a script that runs on the attacker's machine and repeatedly tries to log in to the target system across the network.
Tools: www.btinternet.com/~lithiumsoft/ and http://kapheine.hypa.net/authforce/index.php
Password Attacks: password cracking
Password cracking is fantastic for the attacker because the cracking loop doesn't have to run on the victim machine. If the attacker can steal the encrypted/hashed password file, they can run the password cracking on their own systems, in the comfort of their own home or on any of their machines.
Password-cracking tools: L0phtCrack for Windows NT/2000 (www.l0pht.com); John the Ripper for Unix (www.openwall.com/john); Pandora for Novell NetWare (www.nmrc.org/pandora/)
Defenses against password cracking tools
Strong password policy; user awareness; password filtering software.
Where possible, use authentication tools other than passwords.
Conduct your own regular password cracking tests.
Protect your encrypted/hashed password files.
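The offline cracking loop described above, as an added example that is not part of the original presentation and not code from any of the tools it lists. The "stolen hash file" and wordlist are constructed here; its user:sha256-hex format is an assumption made for the demonstration (real password files use salted crypt(), NTLM or similar formats, but the loop is the same). The same function doubles as the "conduct your own regular password cracking tests" defense: run it against your own password file and see which accounts fall.

```python
import hashlib


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed example data: what the attacker holds after stealing the
# hashed password file. Hypothetical format: user:sha256-hex, unsalted.
STOLEN_HASH_FILE = "\n".join([
    "alice:" + sha256_hex("password1"),
    "bob:" + sha256_hex("Summer03"),
    "carol:" + sha256_hex("xK9#mQ2vLp!7"),   # strong: should survive the run
])

# Constructed wordlist; a real run uses a dictionary of millions of words.
WORDLIST = ["password", "summer", "letmein", "welcome", "admin"]


def mangle(word: str):
    """Yield the common variations a cracker tries for each dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in [str(d) for d in range(10)] + ["00", "01", "02", "03", "123"]:
            yield base + suffix


def parse_hash_file(text: str) -> dict:
    """Map user -> stored hash, one 'user:hash' entry per line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, hashed = line.split(":", 1)
            entries[user] = hashed
    return entries


def crack(hash_file_text: str, wordlist) -> dict:
    """Offline attack: hash each candidate once and look it up against every
    user at the same time. Nothing here touches the victim machine."""
    by_hash = {h: u for u, h in parse_hash_file(hash_file_text).items()}
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            user = by_hash.get(sha256_hex(candidate))
            if user is not None:
                found[user] = candidate
    return found


if __name__ == "__main__":
    for user, password in crack(STOLEN_HASH_FILE, WORDLIST).items():
        print(f"{user}: {password}")
```

Because the constructed hashes are unsalted, one hash computation per candidate tests all users at once; a per-user salt forces the attacker to redo the work for every account, which is one reason the real password file must be protected and salted.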
Web Application Attacks: Account Harvesting
Using this technique, an attacker can determine legitimate user IDs, and then passwords, of a vulnerable application, because the application responds differently to a bad user ID than it does to a bad password.
http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0608/ISB0608ES.pdf
Defenses against Account Harvesting
For all web applications, use consistent error messages when the user types in an incorrect user ID or password.
All accompanying information sent back to the browser must be completely consistent for the two scenarios, including the raw HTML, the URL displayed in the browser, cookies, and any hidden form elements.
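A leaky login handler beside its consistent counterpart, plus the harvesting step the attacker runs against each, as an added example that is not part of the original presentation. The user table is constructed; the function names are assumptions for the demonstration.

```python
import hashlib
import hmac


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed user table: the application's view of its accounts.
USERS = {"alice": sha256_hex("password1"), "bob": sha256_hex("Summer03")}


def login_leaky(user: str, password: str):
    """Vulnerable: the failure message tells the caller whether the ID exists."""
    if user not in USERS:
        return (False, "Unknown user ID")
    if not hmac.compare_digest(USERS[user], sha256_hex(password)):
        return (False, "Incorrect password")
    return (True, "Welcome")


# Hash compared when the user is unknown, so both paths do the same work.
_DUMMY_HASH = sha256_hex("not a real password")


def login_consistent(user: str, password: str):
    """Fixed: one failure response for both scenarios, same hashing either way."""
    stored = USERS.get(user, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, sha256_hex(password))
    if not (password_ok and user in USERS):
        return (False, "Invalid user ID or password")
    return (True, "Welcome")


def harvest(login, candidates):
    """Attacker's step: probe each candidate ID with a junk password and keep
    the IDs whose response differs from the one an unknown ID gets."""
    baseline = login("no-such-user-zz", "x")[1]
    return [u for u in candidates if login(u, "x")[1] != baseline]


if __name__ == "__main__":
    guesses = ["alice", "bob", "mallory", "root"]
    print("leaky:     ", harvest(login_leaky, guesses))
    print("consistent:", harvest(login_consistent, guesses))
```

The same probe must be repeated for every other channel the slide lists (HTTP status, redirect URL, cookies, hidden fields, and response time); a difference in any of them is enough to harvest.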
Undermining Web Application Session Tracking
Session IDs are implemented using URL session tracking, hidden form elements, or cookies.
Attacking session tracking mechanisms
An attacker may be able to establish a session, get assigned a session ID, and alter the session ID in real time.
If the attacker changes the session ID to a value currently assigned to another user, the application will think the attacker's session belongs to that other user!
In an online banking application, the attacker could transfer funds or possibly write online checks. For online trading, the attacker could make trades on behalf of the user.
Defending against web application session tracking attacks
Digitally sign or hash session-tracking information using a cryptographic algorithm.
Encrypt the information in the URL, hidden form element, or cookie; don't just rely on SSL.
Make sure your session IDs are long enough to prevent guessing and accidental collision (the slide suggests at least 10 characters; a practitioner today would use at least 128 bits of randomness).
Consider making session IDs dynamic, changing from page to page throughout the web application.
Apply a timestamp within the session ID variable and encrypt it.
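A session token that applies the first, third and last of these defenses (a long random ID, a timestamp, and a cryptographic signature binding the ID to its user), as an added example that is not part of the original presentation. It uses an HMAC rather than encryption, so the fields stay readable but cannot be altered; the key, the token layout and the assumption that user names contain no dots are all choices made for this demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment key that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user: str, now: float = None) -> str:
    """Token layout (assumed): sid.user.issued.signature, dot separated."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)          # 128 random bits: no guessing, no collisions
    payload = f"{sid}.{user}.{int(now)}".encode()
    return payload.decode() + "." + _sign(payload)


def verify_session(token: str, max_age: int = 900, now: float = None):
    """Return the user the token belongs to, or None if it was altered or expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return None
    sid, user, issued, sig = parts
    payload = f"{sid}.{user}.{issued}".encode()
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                      # sid or user edited: signature no longer matches
    if now - int(issued) > max_age:      # issued is trusted only after the signature check
        return None                      # stale token
    return user


def swap_user(token: str, other_user: str) -> str:
    """The attack from the slide: keep everything but change whose session it is."""
    sid, _user, issued, sig = token.split(".")
    return ".".join([sid, other_user, issued, sig])


if __name__ == "__main__":
    t = issue_session("alice")
    print("own token:   ", verify_session(t))
    print("swapped user:", verify_session(swap_user(t, "bob")))
```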
SQL Piggybacking (SQL injection)
A weakness found in many web applications, involving problems with accepting user input and interacting with back-end databases.
To accomplish a SQL piggybacking attack, attackers find a user-supplied input string that they suspect will be part of a database query and append a command delimiter to the user data, to see how the system reacts to the submitted information.
http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0609/ISB0609ES.pdf
Defenses against SQL Piggybacking
The application should be developed carefully to validate user-supplied data. A numerical user input should really only be a number; all non-numeric characters must be rejected.
In particular, the application should filter out the scary characters like quotes, semicolons, asterisks, percents, underscores and all other kinds of metacharacters. The stronger defense is to keep user data out of the query text altogether by passing it as bound parameters, so that it can never be parsed as SQL.
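A string-built query beside its parameterized form, run against a small in-memory SQLite table, as an added example that is not part of the original presentation. The table contents, the function names and the use of SQLite are assumptions for the demonstration; the tautology "x' OR '1'='1" is the classic probe, and the stacked ";DROP TABLE" form that gives piggybacking its name works the same way wherever the driver executes multiple statements.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "password1"), (2, "bob", "Summer03")])
    return conn


def lookup_vulnerable(conn, name: str, password: str):
    """User data is spliced into the SQL text, so a quote ends the literal
    and whatever follows is parsed as part of the query."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY id" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name: str, password: str):
    """Bound parameters: the query structure is fixed before the data arrives."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name, password))]


_NUMERIC = re.compile(r"^[0-9]{1,9}$")


def lookup_by_id(conn, id_text: str):
    """Numeric input: reject anything that is not plainly a number, then bind it."""
    if not _NUMERIC.match(id_text):
        raise ValueError("id must be numeric")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(id_text),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, "x", probe))     # every user
    print("parameterized:", lookup_parameterized(db, "x", probe))  # nothing
```

With the probe in the password field the vulnerable query becomes `... password = 'x' OR '1'='1'`, which is true for every row, so the "login" succeeds as the first user in the table.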
VIRUSES
What is a virus? Viruses are programs created by malicious hackers or programmers, who then release them onto information-exchange networks or pass them to the computers of their acquaintances.
A virus cannot sneak onto your computer by itself: either it was hiding on a diskette or even a CD, or you accidentally downloaded it from a computer network, or maybe the virus was in your computer from the very beginning, or, worst of all, a hacker lives in your home.
Timeline of computer virus 1949-Theories for self-replicating programs are first developed
1981-Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild," or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.
1983- Fred Cohen, while working on his dissertation, formally defines a computer virus as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself.“
1988-One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .EXE and .COM files and deletes any programs run on that day.
1990-Symantec launches Norton AntiVirus, one of the first anti-virus programs developed by a large company.
1991-Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.
1992-1300 viruses are in existence, an increase of 420% from December of 1990.The Michelangelo scare predicts 5 million computers will crash on March 6. Only 5,000–10,000 actually go down
1994-The Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line "Good Times." Though disproved, the hoax resurfaces every six to twelve months.
1998-Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.
1999-The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any other previous virus
2000-The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including MP3, MP2, and JPG. It also sends usernames and passwords to the virus' author.
Timeline of computer virus 2001-The Anna Kournikova virus, also known as VBS/SST, which
masquerades as a picture of Tennis Star Anna Kournikova, operates in a similar manner to Melissa and The Love Bug. It spreads by sending copies of itself to the entire address book in Microsoft Outlook. It is believed that this virus was created with a so-called virus creation kit, a program which can enable even a novice programmer to create these malicious programs
In May, the Homepage email virus hit no more than 10,000 users of Microsoft Outlook. When opened, the virus redirected users to sexually explicit Web pages. Technically known as VBSWG.X, the virus spread quickly through Asia and Europe, but was mostly prevented in the U.S. because of lessons learned in earlier time zones. The author of the virus is said to live in Argentina, and have authored the Kournikova virus earlier in the year.
The Code Red I and II worms attacked computer networks in July and August. According to Computer Economics they affected over 700,000 computers and caused upwards of $2 billion in damages. A worm spreads on its own across external and (then) internal computer networks, as opposed to a virus, which needs a host file or a user action (such as opening an email attachment or visiting certain websites) to spread. Code Red took advantage of a vulnerability in Microsoft's IIS web server software on Windows 2000 and Windows NT. Microsoft developed a patch to protect networks against the worm, and admits that they too were attacked. Other major companies affected include AT&T and the AP.
An ounce of prevention
Buy good virus protection software.
If you simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses. In addition, you should disable floppy disk booting; most computers now allow you to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.
You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
An ounce of prevention
• Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus Protection is enabled.
An ounce of prevention
In the case of the ILOVEYOU e-mail virus, the only defense is personal discipline. You should never double-click on an executable that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and cannot run code by themselves (bearing in mind the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants: once you run it, you have given it permission to do anything on your machine that you yourself could do. ILOVEYOU arrived as a .vbs file named to look like a .TXT, counting on Windows hiding the real extension, so check the full file name. The only defense is to never run executables that arrive via e-mail.
Thank You