Intruders and Viruses

1
Chapter 9

• Intruders and Viruses

//Modified by Prof. M. Singhal// Henric
Johnson Blekinge Institute of Technology,
Sweden http//www.its.bth.se/staff/hjo/ henric.joh
nson_at_bth.se
2
Outline

• Intruders
• Intrusion Techniques
• Password Protection
• Password Selection Strategies
• Intrusion Detection
• Viruses and Related Threats
• Malicious Programs
• The Nature of Viruses
• Antivirus Approaches
• Advanced Antivirus Techniques
• Recommended Reading and WEB Sites

3
Intruders

• Three classes of intruders (hackers or crackers)
• Masquerader, Misfeasor, and
  Clandestine user.
• Masquerader
• An unauthorized user who penetrates a computer
  systems access control and gains acccess to user
  accounts.

4
Intruders

• Misfeasor
• gtA legitimate user who accesses resources he is
  not authorized to access.
• gtWho is authorized such access but misuses his
  privileges.
• Clandestine user
• A user who seizes the supervisory control of the
  system and uses it to evade auditing and access
  control.

5
Intrusion Techniques

• Objective An intruder wants to gain access to a
  system.
• gtgtAccess is generally protected by passwds.
• System maintains a file that associates a
  password with each authorized user.
• Password file can be protected with
• One-way encryption and Access control

6
Intrusion Techniques

• One-way encryption
• gtA system stores passwds only in encrypted form.
• gtOne-way transformation
• //not invertible.//
• Access Control
• gtAccess to the passwd file is limited to very few
  people.

7
Intrusion Techniques

• Techniques for guessing passwords
• Try default passwords. (used with standard
  accounts that are shipped with systems.)
• Try all short words, 1 to 3 characters long.
• Try all the words in an electronic dictionary
  (60,000).
• Collect information about the users hobbies,
  family names, birthday, etc.

8
Intrusion Techniques

• Techniques for guessing passwords..
• Try users phone number, social security number,
  street address, etc.
• Try all license plate numbers (MUP103).
• Use a Trojan horse (to bypass restrictions on
  access).
• Tap the line between a remote user and the host
  system.
• Prevention Enforce good password selection
  (Ij4Gf4Sef)

9
UNIX Password Scheme

• Passwords are stored in crypted form.
• User selects a password of chars.
• This password serves as the key to an encryption
  routine.
• Encryption routine is a modified version of DES.
• 12 bit Salt is used for modification.
• Salt related to time the password is assigned.

10
UNIX Password Scheme

• Modified DES is used with data input as 64-bit
  block of zeros.
• This process is repeated 25 times.
• The resulting output is translated into an 11
  chars sequence. (cipher passwd)
• Ciphertext password is stored in the table
  together with Salt.

11
UNIX Password Scheme
Loading a new password
12
UNIX Password Scheme
Verifying a password file
13
Storing UNIX Passwords

• UNIX passwords were kept in a publicly readable
  file, etc/passwords.
• Now they are kept in a shadow directory and
  only visible to root.

14
Salt

• The salt serves three purposes
• Prevents duplicate passwords from being visible
  in the password file.
• //even if two users choose the same password,
  their ciphertexts will differ//
• Effectively increases the length of the password
  (by two chars).
• //makes password guessing difficult//
• Prevents the use of hardware implementations of
  DES.

15
Password Selecting Strategies

• Goal Eliminate guessable passwords while
  allowing users to select passwords that are
  memorable.
• 1. User education
• gtTold the importance of hard-to-guess passwds.
• gtProvided guidelines to select strong
  passwords.
• gtMany users ignore guidelines.

16
Password Selecting Strategies
2. Computer-generated passwords gtPasswords will
be random in nature and will be hard to
memorize. 3. Reactive password checking gtSystem
runs its own password checker to find guessable
passwords. gtUsers given a deadline to change
the password //account is cancelled or
frozen//
17
Password Selecting Strategies
4. Proactive password checking gtA user is
allowed to select his passwd. gtAt the time of
selection, the system checks to see if the passwd
is allowable. gtIt rejects the password if not
allowable. gtThe most promising approach.
18
Proactive Password Checking

• Problem How to efficiently and effectively check
  for passwords.
• gtIt is not practical to maintain a list of bad
  passwords and check it.
• gtTwo compact ways
• Markov model and Bloom filters.

19
Proactive Password Checking

• Markov model
• gtEach state represents a chars.
• gtThe current state denotes the most recent
  char/letter.
• gtTransition from a state to another state denotes
  the next char.
• gtTransitions have probability associated to them.

20
Markov Model
21
Markov Model

• Main problem Building the transition matrix.
• The Markov chain should reflect the structure of
  words in the dictionary.
• All strings generated by the MC denote bad
  passwords.
• A dictionary of guessable words is created.
• Transition matrix is computed as follows

22
Transition Matrix

• Determine the frequency matrix f, where f(i,j,k)
  is the number of occurrences of the trigram
  consisting of the ith, jth and kth character.
• Example Password firefly consists of the
  following trigrams fir, ire, ref, efl, fly.

23
Transition Matrix

• 2. For each bigram ij, calculate f(i,j, ) as the
  total number of trigrams beginning with ij.
• 3. Compute the entries of T as follows

24
Markov Model

• Checking for a bad password
• gtPasswords (strings) generated by the Markov
  model are rejected.
• gtFor a given password, transition probabilities
  of trigrams are looked up.
• gtStatistical tests are performed to see if this
  password is likely by the model.
• gtPasswords likely by the model are rejected.

25
Spafford (Bloom Filter)

• where

• The following procedure is then applied to the
  dictionary
• A hash table of N bits is defined, with all bits
  initially set to 0.
• For each password, its k hash values are
  calculated, and the responding bits in the hash
  table are set to 1

26
Bloom Filter

• False positive
• A password that is not in the dictionary but it
  produces a match in the table.
• Example hogan and bogan are present in the
  dictionary, but logan is not.
• H1(hogan)32, H1(bogan)76, H1(logan)45
• H2(hogan)45, H2(hogan)91, H2(logan)32
• gtFalse positive cause a valid password to be
  rejected.
• gtFalse positive should be minimized.

27
Spafford (Bloom Filter)

• Design the hash scheme to minimize false
  positive.
• Probability of false positive

28
Performance of Bloom Filter
29
The Stages of a Network Intrusion

• 1. Scan the network to
• locate which IP addresses are in use,
• what operating system is in use,
• what TCP or UDP ports are open (being
  listened to by Servers).
• 2. Run Exploit scripts against open ports
• 3. Get access to Shell program which is suid
  (has root privileges).
• 4. Download from Hacker Web site special versions
  of systems files that will let Cracker have free
  access in the future without his cpu time or disk
  storage space being noticed by auditing programs.
• 5. Use IRC (Internet Relay Chat) to invite
  friends to the feast.

29
30
Intusion Detection

• Intrusion prevent may fail and intrusion
  detection is the next best defense.
• Motivations
• If the intruder can be identified quickly enough,
  he can be ejected from the system and damage can
  be minimized.
• An effective intrusion detection can prevent
  intrusions.
• //can act as a deterrent//

31
Intusion Detection

• Motivations...
• Collection of information about intrusion
  techniques that can be used to strengthen the
  intrusion prevention facility.
• Intrusion detection basis
• The behavior of intruders differs from that of a
  legitimate user in a quantifiable way.

32
Profiles of Behavior of Intruders and Authorized
Users
33
Intrusion Detection

• There is likely to be some overlap in the
  behavior.
• Will generate false positives
• Some authorized users will be branded as
  intruders.
• gtIf false positives are completely eliminated,
  some intruders will go undetected.

34
Intrusion Detection

• Two approaches are used
• 1. Statistical anomaly detection
• gtHistory of legitimate users is collected and a
  user profile is built.
• gtStatistical tests are applied to the observed
  behavior to determine if it is an intrusion.
• --Two approaches are used.

35
Intrusion Detection

• Treshold detection
• Uses thresolds for the frquency of occurrence of
  various events.
• Profile based
• User profile is used to detect changes in the
  behavior of a user.
• 2. Rule based detection
• Defines a set of rules that can be used to decide
  if a behavior is that of an intruder.

36
Intrusion Detection

• 2. Rule based detection...
• gtTwo approaches.
• Anomaly detection
• Rules detect deviation from previous usage
  patterns.
• Penetration identification
• An expert system-based approach that searches for
  suspicious behavior.

37
Measures used for Intrusion Detection

• Login frequency by day and time.
• Frequency of login at different locations.
• Time since last login.
• Password failures at login.
• Execution frequency.
• Data transfers
• Read, write, create, delete frequency.
• Failure count for read, write, create and delete.

38
Distributed Intrusion Detection

• Early IDSs were for single-stand alone systems
  (centralized IDS).
• A more effective defense can be achieved by
  cooperation among several intrusion detection
  systems across the network.
• gtA diagram of such system (next slide)

39
Distributed Intrusion Detection
Developed at University of California at Davis
40
Distributed ID

• Consists of three components
• 1. Host agent module
• Collects data on security related events on the
  host and passes them to the central manager.
• 2. LAN Monitor agent module
• It analyzes LAN traffic and reports results to
  the central manager.
• (host-host connections, services used, volume of
  traffic, rlogin activity, etc.)

41
Distributed ID

• 3. Central Manager module
• gtReceives reports from host agents and LAN
  monitor.
• gtProcesses and correlates the reports to detect
  intrusions.
• gtTypically includes an expert system that draws
  inferences from the received data.

42
Distributed Intrusion Detection
43
Viruses and Malicious Programs

• Computer Viruses and related programs have the
  ability to replicate themselves on an ever
  increasing number of computers. They originally
  spread by people sharing floppy disks. Now they
  spread primarily over the Internet (a Worm).
• Other Malicious Programs may be installed by
  hand on a single machine. They may also be built
  into widely distributed commercial software
  packages. These are very hard to detect before
  the payload activates (Trojan Horses, Trap Doors,
  and Logic Bombs).

44
Taxanomy of Malicious Programs
Malicious Programs
Need Host Program
Independent
Trapdoors
Logic Bombs
Trojan Horses
Viruses
Bacteria
Worms
45
Definitions

• Virus - code that copies itself into other
  programs.
• A Bacteria replicates until it fills all disk
  space, or CPU cycles.
• Payload - harmful things the malicious program
  does, after it has had time to spread.
• Worm - a program that replicates itself across
  the network (usually riding on email messages or
  attached documents (e.g., macro viruses).

46
Definitions

• Trojan Horse - instructions in an otherwise good
  program that cause bad things to happen (sending
  your data or password to an attacker over the
  net).
• Logic Bomb - malicious code that activates on an
  event (e.g., date).
• Trap Door (or Back Door) - undocumented entry
  point written into code for debugging that can
  allow unwanted users.
• Easter Egg - extraneous code that does something
  cool. A way for programmers to show that they
  control the product.

47
Virus Phases

• Dormant phase - the virus is idle
• Propagation phase - the virus places an identical
  copy of itself into other programs
• Triggering phase the virus is activated to
  perform the function for which it was intended
• Execution phase the function is performed

48
Virus Protection
Have a well-known virus protection program,
configured to
scan disks and downloads automatically for known
viruses.
Do not execute programs (or "macro's") from
unknown
sources (e.g., PS files, Hypercard files, MS
Office documents,
Avoid the most common operating systems and email
programs, if possible.
49
Virus Structure
50
A Compression Virus
51
Types of Viruses

• Parasitic Virus - attaches itself to executable
  files as part of their code. Runs whenever the
  host program runs.
• Memory-resident Virus - Lodges in main memory as
  part of the residual operating system.
• Boot Sector Virus - infects the boot sector of a
  disk, and spreads when the operating system boots
  up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from
  Virus Scanning programs.
• Polymorphic Virus - mutates with every new host
  to prevent signature detection.

52
Macro Viruses

• Microsoft Office applications allow macros to
  be part of the document. The macro could run
  whenever the document is opened, or when a
  certain command is selected (Save File).
• Platform independent.
• Infect documents, delete files, generate email
  and edit letters.

53
Antivirus Approaches

• 1st Generation, Scanners searched files for any
  of a library of known virus signatures. Checked
  executable files for length changes.
• 2nd Generation, Heuristic Scanners looks for
  more general signs than specific signatures (code
  segments common to many viruses). Checked files
  for checksum or hash changes.
• 3rd Generation, Activity Traps stay resident in
  memory and look for certain patterns of software
  behavior (e.g., scanning files).
• 4th Generation, Full Featured combine the best
  of the techniques above.

54
Advanced Antivirus Techniques

• Generic Decryption (GD)
• CPU Emulator
• Virus Signature Scanner
• Emulation Control Module
• For how long should a GD scanner run each
  interpretation?

55
Advanced Antivirus Techniques
56
Recommended Reading and WEB Sites

• Denning, P. Computers Under Attack Intruders,
  Worms, and Viruses. Addison-Wesley, 1990
• CERT Coordination Center (WEB Site)
• AntiVirus Online (IBMs site)