Naveen Gudigantala 3-6-2003 OS ATTACKS INCLUDING VIRUSES

Uploaded by sara-heath, posted 31-Dec-2015

TRANSCRIPT

Page 1: OS ATTACKS INCLUDING VIRUSES

Naveen Gudigantala, 3-6-2003

Page 2: Outline of the presentation

Preview
Common OS attacks
Defenses against attacks
Viruses

Page 3: PREVIEW

Page 4: Sequence of actions leading to the OS attack

The attacker has done his homework, discovering as much about the target as possible using many reconnaissance techniques.

Next, the attacker scans the system to gather much more information about the target using a variety of scanning tools (which ports are open, which services answer on them, and which OS and software versions are running).

Page 5: Gaining access using OS attacks

Page 6: Approaches and attacks

Approaches:
  Script kiddie exploit trolling
  Stack-based buffer overflow

Attacks:
  Password attacks
  Web application attacks

Page 7: Script Kiddie Exploit Trolling

A script kiddie writes (or, more likely, cuts and pastes) code without either having or desiring to have a mental model of what the code does.

The script kiddie uses one of the websites offering a database of exploits, such as

www.securityfocus.com

http://www.ktwo.ca/nonexecstackversion.html

Page 8: Script kiddie attacks

While a script kiddie uses these Internet searches to troll for canned exploits, a more sophisticated attacker will employ far more complex techniques to gain access.

Here, the pragmatism, experience and skill level of the attacker determine his success.

Page 9: Stack-based buffer overflow

Any application or OS component that is poorly written could contain a stack-based buffer overflow: a local array on the stack that is filled from input without a bounds check.

By exploiting this vulnerability, the attacker can execute arbitrary commands on the target machine, potentially taking over the entire machine. The injected code runs with the privileges of the vulnerable program, so a flaw in a service running as root or SYSTEM hands the attacker that level of access.

Page 10: Normal stack

Top of memory
    Function call arguments
    Return pointer
    Saved frame pointer
    Buffer (local variable 1)
Bottom of memory

Fill direction: the buffer is filled from the bottom of memory upward, toward the saved frame pointer and the return pointer.

Page 11: Sample code with function call

#include <stdio.h>

void sample_function(void)       /* 2. Control transfers to the function here */
{
    char buffer[10];             /* a local variable that lives on the stack */
    printf("Happy Happy! \n");
    return;                      /* 3. We now return to the main procedure */
}

int main(void)                   /* 1. Execution starts here */
{
    sample_function();
    printf("Hello world! \n");
    return 0;
}

Page 12: Buffer overflow sample program

/* Deliberately vulnerable: strcpy() performs no bounds check. */
#include <string.h>

void sample_function(char *string)
{
    char buffer[16];             /* 4. The local variable buffer can hold 16 characters */
    strcpy(buffer, string);      /* 5. strcpy copies characters into buffer until it finds the end
                                       of the string, but the string is far longer than the buffer */
    return;
}

int main(void)
{
    char big_buffer[256];        /* 1. Make a buffer that can hold 256 characters */
    int i;

    for (i = 0; i < 255; i++)    /* 2. Shove the character 'A' into big_buffer 255 times! */
        big_buffer[i] = 'A';
    big_buffer[255] = '\0';      /* terminate the string so strcpy knows where it ends */

    sample_function(big_buffer); /* 3. Send the big buffer into the function */
    return 0;
}

Page 13: What happens next...

When sample_function finishes, it pops its local variables and the saved frame pointer off the stack, and then the return pointer.

But the A characters have spilled over the end of the 16-byte buffer, running into the saved frame pointer and even into the return pointer.

The overwritten return pointer is copied into the processor's instruction pointer, and the machine tries to fetch its next instruction from a memory location that is the binary equivalent of a bunch of A's (0x41414141).

And the program crashes!

What if, instead, you insert machine language code into the buffer, with the commands you want to execute, and overwrite the return pointer with the address of that code?

Page 14: How to include the code?

On Unix, place code on the stack that executes /bin/sh (forcing the machine to run a command shell) and point the overwritten return pointer at it.

On Windows NT/2000 systems, the injected code calls into a specific DLL to get the work done on the target (e.g. wininet.dll).

Page 16: Once the stack is smashed... now what?

Creating a back door using inetd
Backdooring with TFTP and Netcat
Shooting back xterms

Page 17: Stack-based buffer overflow defenses for security administrators

Keep the systems patched.
Monitor the various mailing lists, such as the BugTraq, CERT and SANS mailing lists.
Test the newly patched systems.
Make sure that publicly accessible systems are configured with the minimum number of necessary services and software extras.
Control outgoing traffic from the network (an exploited service that cannot connect back out, or fetch tools over TFTP, is much harder to turn into a back door).
Configure the systems with non-executable stacks.

Page 18: Stack-based buffer overflow defenses for developers

Avoid using problematic functions with known security vulnerabilities (strcpy, strcat, sprintf, gets and similar routines that copy with no length limit).
Use automated code-checking tools to search for known problems.
Alter the way the stack functions: two tools, StackGuard and Stack Shield, can be invoked at compile time for Linux programs to create stacks that are more difficult to attack with buffer overflows. StackGuard places a "canary" value next to the return pointer and aborts the program if the canary has been overwritten by the time the function returns.
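The following is an added example, not code from the slides: a byte-level model of the frame drawn on page 10, used to show how the 255 A's of page 12 reach the saved frame pointer and return pointer (page 13), how an attacker-chosen return address is placed at the end of the string (page 14), and how a StackGuard-style canary (page 18) catches the overwrite before the return pointer is used. The layout, the 8-byte little-endian pointers, the canary and the sample addresses are assumptions made for the demonstration; a real frame is laid out by the compiler and the canary would be random per process.

```python
"""Model of a stack frame with a 16-byte buffer, a canary, the saved frame
pointer and the return pointer (lowest address first). Added example; the
values and layout are assumptions, not a real process stack."""
import struct

BUF_SIZE = 16                 # the 16-character buffer of page 12
WORD = 8                      # 64-bit pointers (assumption)
CANARY_OFF = BUF_SIZE         # StackGuard-style canary between buffer and saved frame pointer
FP_OFF = CANARY_OFF + WORD
RET_OFF = FP_OFF + WORD
FRAME_SIZE = RET_OFF + WORD

SAVED_FP = 0x7FFFFFFFE100     # constructed value for the untouched frame
RET_ADDR = 0x400612           # constructed: where main() would resume after the call
CANARY = 0x2B7C0A19E4D3F501   # constructed; a real canary is random per process


def new_frame(canary=CANARY):
    """Fresh frame as the function prologue leaves it."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<Q", frame, CANARY_OFF, canary)
    struct.pack_into("<Q", frame, FP_OFF, SAVED_FP)
    struct.pack_into("<Q", frame, RET_OFF, RET_ADDR)
    return frame


def word_at(frame, off):
    return struct.unpack_from("<Q", frame, off)[0]


def strcpy_model(frame, src: bytes):
    """strcpy(buffer, src): copy byte by byte, terminator included, no bounds check.
    Clamped at the end of the model only so the demonstration itself stays defined."""
    end = src.find(b"\0")
    n = len(src) if end < 0 else end + 1
    n = min(n, FRAME_SIZE)
    frame[:n] = src[:n]
    return frame


def safe_copy(frame, src: bytes):
    """Bounded copy: refuse anything that does not fit in the buffer with its terminator."""
    data = src.split(b"\0", 1)[0]
    if len(data) >= BUF_SIZE:
        return False
    frame[:len(data) + 1] = data + b"\0"
    return True


def function_return(frame, stackguard=True):
    """Epilogue: with StackGuard the canary is checked before the return pointer is used."""
    if stackguard and word_at(frame, CANARY_OFF) != CANARY:
        raise RuntimeError("stack smashing detected")
    return word_at(frame, RET_OFF)


def craft_payload(target: int) -> bytes:
    """Filler up to the return slot, then the attacker's address, low byte first.
    A 64-bit user-space address has leading zero bytes; strcpy would stop at a NUL,
    so the address must be the last thing in the string. The slot's top bytes are
    already zero, so they need not be copied."""
    addr = struct.pack("<Q", target).rstrip(b"\0")
    if b"\0" in addr:
        raise ValueError("address has an interior NUL byte; strcpy would stop there")
    return b"A" * RET_OFF + addr + b"\0"


if __name__ == "__main__":
    smashed = strcpy_model(new_frame(), b"A" * 255 + b"\0")
    print("return pointer after 255 A's: 0x%X" % function_return(smashed, stackguard=False))
    hijacked = strcpy_model(new_frame(), craft_payload(0x7FFFFFFFE0A0))
    print("return pointer after payload: 0x%X" % function_return(hijacked, stackguard=False))
    try:
        function_return(hijacked)
    except RuntimeError as err:
        print("with StackGuard:", err)
```

Run as a script it prints the 0x4141414141414141 return pointer of page 13, then the attacker's address, then the StackGuard abort. The same payload against safe_copy is refused outright, which is the developer-side fix of page 18 in one line: the bounds check that strcpy lacks.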

Page 19: Password attacks

Many applications and OSs have built-in default passwords established by the vendors.

Many administrators fail to remove the default passwords, and lists of them are published, e.g. at http://security.nerdnet.com

Page 20: Password guessing through login scripting

Write a script that runs on the attacker's machine and repeatedly tries to log in to the target system across the network, working through a list of account names and candidate passwords.

Tools: www.btinternet.com/~lithiumsoft/

http://kapheine.hypa.net/authforce/index.php
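Because the guessing script above talks to the target across the network, every attempt leaves a failed-login record on the target. As an added example (not from the slides), the detector below runs over constructed sshd-style log lines and raises an alert when one source accumulates a burst of failures inside a sliding window; the log format, host name, addresses, window and threshold are all assumptions.

```python
"""Detect the login-guessing script from its failed-login trail. Added example;
the log lines, window and threshold are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log: a guessing script from 10.0.0.5 walking through account
# names, and a real user at 192.168.1.20 who mistypes twice and then gets in.
SAMPLE_LOG = """\
2003-03-06T10:15:01 bastion sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 4121 ssh2
2003-03-06T10:15:04 bastion sshd[1203]: Failed password for root from 10.0.0.5 port 4122 ssh2
2003-03-06T10:15:07 bastion sshd[1205]: Failed password for invalid user guest from 10.0.0.5 port 4123 ssh2
2003-03-06T10:15:09 bastion sshd[1207]: Failed password for alice from 192.168.1.20 port 50122 ssh2
2003-03-06T10:15:11 bastion sshd[1209]: Failed password for invalid user oracle from 10.0.0.5 port 4124 ssh2
2003-03-06T10:15:14 bastion sshd[1211]: Failed password for invalid user test from 10.0.0.5 port 4125 ssh2
2003-03-06T10:15:16 bastion sshd[1207]: Failed password for alice from 192.168.1.20 port 50122 ssh2
2003-03-06T10:15:18 bastion sshd[1213]: Failed password for root from 10.0.0.5 port 4126 ssh2
2003-03-06T10:15:25 bastion sshd[1207]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
"""

LINE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_log(text):
    """Turn matching lines into events; lines in another format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"].lower(),
                           "user": m["user"], "src": m["src"]})
    return events


def detect_guessing(events, window=60, threshold=5):
    """Alert on a source with `threshold` or more failed logins inside `window` seconds,
    and keep the alert updated while the burst continues. One alert per source."""
    recent = defaultdict(deque)
    active, alerts = {}, []
    for ev in events:
        if ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = active.get(ev["src"])
        if alert is None:
            alert = {"src": ev["src"], "first": q[0]["ts"], "last": ev["ts"],
                     "failures": len(q), "users": {e["user"] for e in q}}
            active[ev["src"]] = alert
            alerts.append(alert)
        else:
            alert["last"] = ev["ts"]
            alert["failures"] += 1
            alert["users"].add(ev["user"])
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(parse_log(SAMPLE_LOG)):
        print("%s: %d failures, %d distinct accounts between %s and %s"
              % (a["src"], a["failures"], len(a["users"]), a["first"].time(), a["last"].time()))
```

Two failures from alice's workstation stay below the threshold, while the scripted source trips it on its fifth attempt and the alert keeps counting. The many distinct account names from one source are the signature of the default-password and guessing attacks of pages 19 and 20; an account lockout or rate limit keyed on the same counters stops the script rather than merely reporting it.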

Page 22: Password attacks

Password cracking is attractive to the attacker because the cracking loop doesn't have to run on the victim machine. If the attacker can steal the encrypted/hashed password file, they can run the password cracking on their own systems, in the comfort of their own homes or on any of their machines, and the target never sees a single failed login.

Page 23: Password-cracking tools

L0phtCrack for Windows NT/2000: www.l0pht.com
John the Ripper for Unix: www.openwall.com/john
Pandora for Novell NetWare: www.nmrc.org/pandora/

Page 24: Defenses against password-cracking tools

Strong password policy
User awareness
Password filtering software
Where possible, use authentication tools other than passwords
Conduct your own regular password cracking tests
Protect your encrypted/hashed password files (on Unix, keep the hashes in the root-only shadow file rather than in the world-readable /etc/passwd)
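As an added example (not from the slides), the script below runs the offline dictionary attack of page 22 against a constructed "stolen" hash file and then against the same accounts stored with a per-user salt and an iterated hash, to show why the last two defenses on this page matter: a stolen file of unsalted hashes falls to one hash per dictionary word for all users at once, while salting forces one computation per user per word and iteration multiplies the cost of each. The accounts, passwords, wordlist and hash formats are assumptions made for the demonstration.

```python
"""Offline dictionary attack on a stolen hash file, unsalted versus salted and
iterated. Added example; all accounts, passwords and formats are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "summer2003", "qwerty", "baseball"]   # constructed
ITERATIONS = 1000   # kept small so the demo runs quickly; production uses far more

# Constructed accounts: two weak passwords, one shared, one strong one not in any list.
ACCOUNTS = {"alice": "password", "bob": "summer2003", "carol": "R3d+Dragon!2003", "dave": "password"}


def unsalted_hash(password):
    """The weak scheme: one SHA-1 of the password, same hash for the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """The stronger scheme: random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_unsalted_file(accounts):
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def make_salted_file(accounts):
    stolen = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        stolen[user] = (salt, salted_hash(pw, salt))
    return stolen


def crack_unsalted(stolen, wordlist):
    """Hash every word once, then look up every account: cost is len(wordlist) hashes,
    however many accounts the file holds, and identical passwords fall together."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stolen, wordlist):
    """With a salt the attacker must hash every word again for every account, and
    each hash costs ITERATIONS times as much; weak passwords still fall, slowly."""
    cracked, attempts = {}, 0
    for user, (salt, h) in stolen.items():
        for w in wordlist:
            attempts += 1
            if hmac.compare_digest(salted_hash(w, salt), h):
                cracked[user] = w
                break
    return cracked, attempts


UNSALTED_FILE = make_unsalted_file(ACCOUNTS)
SALTED_FILE = make_salted_file(ACCOUNTS)

if __name__ == "__main__":
    cracked, cost = crack_unsalted(UNSALTED_FILE, WORDLIST)
    print("unsalted:", cracked, "after", cost, "hashes")
    cracked, attempts = crack_salted(SALTED_FILE, WORDLIST)
    print("salted:  ", cracked, "after", attempts, "PBKDF2 runs of", ITERATIONS, "iterations")
```

Carol's password survives both runs because it is not in the list, which is the "strong password policy" item made concrete; alice and dave share a password, and in the unsalted file that shows as two identical hashes before any cracking starts. Running exactly this kind of job against your own hash file is the "conduct your own regular cracking tests" item.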

Page 25: Web application attacks: account harvesting

Using this technique, an attacker can determine legitimate user IDs (and then go after their passwords) of a vulnerable application, by noticing that the login page responds differently to a valid user ID with a wrong password than to a user ID that does not exist.

http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0608/ISB0608ES.pdf

Page 26: Defenses against account harvesting

For all web applications, use consistent error messages when the user types in an incorrect user ID or password.

All accompanying information sent back to the browser must be completely consistent for the two scenarios, including the raw HTML, the URL displayed in the browser, cookies and any hidden form elements (and, as far as possible, the time the response takes).
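The two pages above in working form, as an added example that is not code from the slides: a login handler that leaks which user IDs exist through its responses, the harvester that exploits the leak, and the consistent handler this page calls for, which leaves the harvester nothing to distinguish. The users, passwords, status codes, messages and redirect URLs are constructed for the demonstration.

```python
"""Account harvesting against a leaky login, and the consistent login that
defeats it. Added example; users, passwords and responses are constructed."""
import hmac

USERS = {"alice": "Secret123", "bob": "summer2003"}   # constructed accounts
DUMMY = "no-such-password"                             # compared when the user is unknown


def login_leaky(user, password):
    """Two different failure responses (code, message, URL): the attacker learns
    from the second one that the account exists."""
    if user not in USERS:
        return (404, "Unknown user ID", "/login?err=nouser")
    if USERS[user] != password:
        return (401, "Incorrect password", "/login?err=badpw")
    return (200, "Welcome", "/home")


def login_consistent(user, password):
    """One failure response, and the same comparison work is done whether or not
    the user exists, so neither the text nor the timing tells the two apart."""
    stored = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(stored.encode(), password.encode()) and user in USERS
    if not ok:
        return (401, "Incorrect user ID or password", "/login?err=1")
    return (200, "Welcome", "/home")


def harvest(login, candidates):
    """Submit a wrong password for each candidate and keep those whose full response
    differs from the response for an ID that certainly does not exist."""
    baseline = login("zz-definitely-not-a-user-zz", "wrong")
    return [c for c in candidates if login(c, "wrong") != baseline]


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave"]
    print("leaky login gives away:", harvest(login_leaky, names))
    print("consistent login gives away:", harvest(login_consistent, names))
```

The harvester compares the whole response tuple, not just the message, which is the point of this page's second paragraph: a different status code, redirect URL, cookie or hidden field leaks the same bit as a different sentence.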

Page 27: Undermining web applications: session hacking

Session IDs are implemented using:
URL session tracking
Hidden form elements
Cookies

Page 28: Attacking session tracking mechanisms

An attacker may be able to establish a session, get assigned a session ID, and alter the session ID in real time.

If the attacker changes the session ID to a value currently assigned to another user, the application will think the attacker's session belongs to that other user!

In an online banking application, the attacker could transfer funds or possibly write online checks. For online trading, the attacker could make trades on behalf of the user.

Page 29: Defending against web application session tracking attacks

Digitally sign or hash the session-tracking information using a cryptographic algorithm (a keyed hash, so that the client cannot recompute it after editing the data).
Encrypt the information in the URL, hidden form element or cookie; don't just rely on SSL (SSL protects the ID in transit, not from the user who holds it).
Make sure your session IDs are long enough and random enough to prevent guessing and accidental collision (at least 10 characters would be better).
Consider making session IDs dynamic, changing from page to page throughout the web application.
Apply a timestamp within the session ID variable and encrypt it, so that an old ID expires.
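As an added example (not code from the slides), the session ID below combines three of the defenses on this page: a random part so IDs cannot be guessed or collide, an issue timestamp so they expire, and a keyed hash (HMAC-SHA256 under a server-side key) so that the page 28 attack of editing the ID to another user's value fails verification. The key, user names and timeout are constructed assumptions, and the ID is only encoded, not encrypted, so a real deployment that wants the fields hidden would encrypt the body as this page also recommends.

```python
"""Signed, expiring session IDs. Added example; key, names and timeout are
constructed assumptions."""
import base64
import hashlib
import hmac
import os

SERVER_KEY = b"constructed-demo-key-never-sent-to-the-client"   # assumption: kept server-side
SESSION_TIMEOUT = 900                                             # seconds an ID stays valid


def _tag(body: bytes) -> bytes:
    """Keyed hash over the session data; without SERVER_KEY nobody can compute it."""
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_session(user: str, now: int) -> str:
    """ID = base64url(user|issued|nonce) + "." + hex(HMAC). The nonce keeps IDs
    unguessable and distinct; the timestamp lets the server expire them."""
    nonce = os.urandom(16).hex()
    body = f"{user}|{now}|{nonce}".encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _tag(body).hex()


def verify_session(token: str, now: int):
    """Return the owning user, or None if the ID was altered, forged or has expired."""
    try:
        body_b64, tag_hex = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = bytes.fromhex(tag_hex)
        user, issued, _nonce = body.decode().split("|")
        issued = int(issued)
    except (ValueError, UnicodeDecodeError):       # malformed ID
        return None
    if not hmac.compare_digest(_tag(body), tag):   # edited or forged
        return None
    if now - issued > SESSION_TIMEOUT:             # replay of an old ID
        return None
    return user


def rewrite_user(token: str, new_user: str) -> str:
    """The page 28 attack: change the user field of a valid ID and keep the rest as-is."""
    body_b64, tag_hex = token.split(".", 1)
    fields = base64.urlsafe_b64decode(body_b64).decode().split("|")
    fields[0] = new_user
    return base64.urlsafe_b64encode("|".join(fields).encode()).decode() + "." + tag_hex


if __name__ == "__main__":
    now = 1047000000
    token = issue_session("alice", now)
    print("issued:", token)
    print("verifies as:", verify_session(token, now + 10))
    print("after rewriting user to bob:", verify_session(rewrite_user(token, "bob"), now + 10))
    print("after timeout:", verify_session(token, now + SESSION_TIMEOUT + 1))
```

The check stops forgery and alteration; it does not stop an attacker who steals a valid ID in transit or from the browser, which is why the page also says to encrypt the channel and expire IDs quickly.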

Page 31: SQL piggybacking

A weakness found in many web applications, involving problems with accepting user input and passing it into queries against back-end databases.

To accomplish a SQL piggybacking attack, attackers find a user-supplied input string that they suspect will be part of a database query, append a command delimiter (such as a quote or a semicolon) and some SQL of their own to the user data, and watch how the system reacts to the submitted information.

http://www.chi-publishing.com/isb/backissues/ISB_2001/ISB0609/ISB0609ES.pdf

Page 32: Defenses against SQL piggybacking

The application should be developed carefully to filter user-supplied data. A numerical user input should really only be a number; all non-numerical characters must be filtered.

In particular, the application should filter out the scary characters like quotes, semicolons, asterisks, percents, underscores and all other kinds of metacharacters. Better still, pass user data to the database as bound parameters of a prepared statement, so that it is never parsed as SQL at all.
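As an added example (not code from the slides), the script below runs the page 31 probe and attack against queries built by pasting user input into the SQL text, beside the filtered and parameterised versions of this page. The accounts table and its rows are constructed, and sqlite3 stands in for the back-end database.

```python
"""SQL piggybacking against concatenated queries, and the filtered and
parameterised fix. Added example; the table and rows are constructed."""
import sqlite3


def make_db():
    """Constructed back-end table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 250), (3, "carol", 4000)])
    return conn


def by_owner_vulnerable(conn, owner):
    """User data pasted into the SQL text: a quote in the input ends the string literal."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def by_owner_safe(conn, owner):
    """Bound parameter: the database receives the value and never parses it as SQL."""
    return conn.execute("SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)).fetchall()


def by_id_vulnerable(conn, account_id):
    """Numeric field, same mistake: no quote is needed, a space is enough to piggyback."""
    return conn.execute("SELECT owner, balance FROM accounts WHERE id = " + account_id).fetchall()


def by_id_safe(conn, account_id):
    """Page 32's filter: a numeric input must really be a number; then bind it."""
    if not account_id.isdigit():
        raise ValueError("account id must be numeric")
    return conn.execute("SELECT owner, balance FROM accounts WHERE id = ?",
                        (int(account_id),)).fetchall()


def probe(conn, lookup):
    """Page 31's first step: add a delimiter to ordinary input and watch the reaction."""
    try:
        rows = lookup(conn, "alice'")
    except sqlite3.Error as err:
        return "database error: " + str(err)   # the quote reached the SQL parser
    except ValueError as err:
        return "rejected: " + str(err)
    return "no error, %d rows" % len(rows)


if __name__ == "__main__":
    conn = make_db()
    print("probe, vulnerable:", probe(conn, by_owner_vulnerable))
    print("probe, parameterised:", probe(conn, by_owner_safe))
    print("piggybacked owner lookup:", by_owner_vulnerable(conn, "x' OR '1'='1"))
    print("same input, parameterised:", by_owner_safe(conn, "x' OR '1'='1"))
    print("piggybacked id lookup:", by_id_vulnerable(conn, "1 OR 1=1"))
```

The database error from the probe is the reaction the attacker is looking for; it shows that the quote was interpreted rather than stored, and the "x' OR '1'='1" input then turns a one-row lookup into a dump of every account. The parameterised query returns nothing for the same input because no account's owner is literally that string.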

Page 33: VIRUSES

What is a virus? Viruses are programs written by malicious hackers or programmers, who then release them onto information exchange networks or pass them to the computers of their acquaintances.

A virus cannot sneak onto your computer by itself: either it was hiding on a diskette or even on a CD, or you accidentally downloaded it from a computer network, or maybe the virus was on your computer from the very beginning, or, worst of all, some hacker lives in your home. (Worms, discussed on page 36, are the exception: they spread across networks on their own.)

Page 34: Timeline of computer viruses

1949 - Theories for self-replicating programs are first developed.

1981 - Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild," or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983 - Fred Cohen, while working on his dissertation, formally defines a computer virus as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself."

1988 - One of the most common viruses, Jerusalem, is unleashed. Activated every Friday the 13th, the virus affects both .EXE and .COM files and deletes any programs run on that day.

1990 - Symantec launches Norton Antivirus, one of the first anti-virus programs developed by a large company.

Page 35: Timeline of computer viruses

1991 - Tequila is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection.

1992 - 1,300 viruses are in existence, an increase of 420% from December 1990. The Michelangelo scare predicts that 5 million computers will crash on March 6. Only 5,000-10,000 actually go down.

1994 - The Good Times e-mail hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an e-mail with the subject line "Good Times." Though disproved, the hoax resurfaces every six to twelve months.

1998 - Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.

1999 - The Melissa virus, W97M/Melissa, executes a macro in a document attached to an e-mail, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any previous virus.

2000 - The Love Bug, also known as the ILOVEYOU virus, sends itself out via Outlook, much like Melissa. The virus comes as a VBS attachment and deletes files, including MP3, MP2 and JPG files. It also sends usernames and passwords to the virus's author.

Page 36: Timeline of computer viruses

2001 - The Anna Kournikova virus, also known as VBS/SST, masquerades as a picture of tennis star Anna Kournikova and operates in a similar manner to Melissa and the Love Bug. It spreads by sending copies of itself to the entire address book in Microsoft Outlook. It is believed that this virus was created with a so-called virus creation kit, a program that enables even a novice programmer to create these malicious programs.

In May, the Homepage e-mail virus hit no more than 10,000 users of Microsoft Outlook. When opened, the virus redirected users to sexually explicit web pages. Technically known as VBSWG.X, the virus spread quickly through Asia and Europe, but was mostly prevented in the U.S. because of lessons learned in earlier time zones. The author of the virus is said to live in Argentina and to have authored the Kournikova virus earlier in the year.

The Code Red I and II worms attacked computer networks in July and August. According to Computer Economics they affected over 700,000 computers and caused upwards of $2 billion in damages. A worm spreads on its own across external and then internal computer networks, as opposed to a virus, which needs a user to run or open an infected file (typically an e-mail attachment or a download). Code Red took advantage of a buffer overflow in Microsoft's IIS web server on Windows NT and Windows 2000, the same class of flaw described on pages 9-13. Microsoft developed a patch to protect networks against the worm, and admits that it too was attacked. Other major companies affected include AT&T and the AP.

Page 37: An ounce of prevention

Buy good virus-protection software and keep its signatures up to date.

If you simply avoid programs from unknown sources (like the Internet) and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses. In addition, you should disable floppy disk booting; most computers now allow you to do this, and that will eliminate the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.

You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a good policy.

Page 38: An ounce of prevention

Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus Protection is enabled, as shown in the slide's screenshot.

Page 39: An ounce of prevention

In the case of the ILOVEYOU e-mail virus, the only defense is personal discipline. You should never double-click on an executable that arrives as an e-mail attachment. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and, as a rule, can do no damage (noting the macro virus problem in Word and Excel documents mentioned above, and that a data file can still trigger a bug such as a buffer overflow in the program that opens it). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. Be aware that ILOVEYOU's attachment was named LOVE-LETTER-FOR-YOU.TXT.vbs; with Windows set to hide extensions of known file types, it appeared to be a harmless text file. The only defense is to never run executables that arrive via e-mail.
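The rule above as a check that a mail gateway or a cautious user could apply, added here as an example that is not code from the slides. It classifies an attachment by its real (last) extension, reports what the name looks like once Windows hides that extension, and flags the double-extension disguise that ILOVEYOU and the Kournikova virus used. The file names are constructed, and the executable list extends the slide's EXE, COM and VBS with other Windows-executable types; the "hold for review" verdict for unrecognised types is an assumption about policy.

```python
"""Attachment triage: executables are blocked, double extensions exposed.
Added example; file names are constructed and the extension lists are assumptions."""

EXECUTABLE = {"exe", "com", "vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd", "pif", "scr"}
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt"}          # data files that can carry macros (page 37)
DATA = {"txt", "gif", "jpg", "jpeg", "png", "pdf"}     # plain data files
KNOWN = EXECUTABLE | MACRO_CAPABLE | DATA


def extensions(filename):
    """All extensions of a name, lower-cased: 'a.TXT.vbs' -> ['txt', 'vbs']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(filename):
    """Only the last extension decides what Windows will do with the file."""
    exts = extensions(filename)
    if not exts:
        return "unknown"
    last = exts[-1]
    if last in EXECUTABLE:
        return "executable"
    if last in MACRO_CAPABLE:
        return "macro-capable"
    if last in DATA:
        return "data"
    return "unknown"


def shown_name(filename):
    """What the user sees with "Hide extensions for known file types" switched on."""
    exts = extensions(filename)
    if exts and exts[-1] in KNOWN:
        return filename[:-(len(exts[-1]) + 1)]
    return filename


def is_disguised(filename):
    """True when the real extension is executable but the one before it looks like data."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE and exts[-2] in (DATA | MACRO_CAPABLE)


def triage(attachments):
    """Verdict per attachment, in the spirit of pages 37 and 39."""
    verdicts = {}
    for name in attachments:
        kind = classify(name)
        if kind == "executable":
            verdicts[name] = "block (shown as %s)" % shown_name(name) if is_disguised(name) else "block"
        elif kind == "macro-capable":
            verdicts[name] = "open only with macros disabled"
        elif kind == "data":
            verdicts[name] = "allow"
        else:
            verdicts[name] = "hold for review"
    return verdicts


if __name__ == "__main__":
    # Constructed sample, modelled on the ILOVEYOU and Kournikova attachment names.
    sample = ["photo.jpg", "LOVE-LETTER-FOR-YOU.TXT.vbs", "AnnaKournikova.jpg.vbs",
              "budget.xls", "setup.exe", "README"]
    for name, verdict in triage(sample).items():
        print("%-30s %s" % (name, verdict))
```

The point of shown_name is that the discipline the slide asks for cannot be exercised if the extension is hidden: a mail client that displays "LOVE-LETTER-FOR-YOU.TXT" invites exactly the double-click the slide warns against, so showing full extensions is part of the defense.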

Page 40: Thank you