SOHO Operation Highlight Online - Security Threats


E-Learning Training Package on the

AS-level Computer Applications (ASCA) and

A-level Computer Studies (ALCS) Curricula


SECURITY THREATS


Contents

1 Introduction

2 The First Security Threat – Virus

2.1 Introduction

2.2 Replication Strategies

2.3 Avoiding Detection (out of syllabus)

2.4 Virus Example – CIH

2.5 Solution – Anti-virus Software

3 The Second Security Threat – Worm

3.1 Introduction

3.2 Replication Strategies

3.3 Worm Example – Mydoom

3.4 Solution

4 The Third Security Threat – Trojan Horse

4.1 Introduction

4.2 Replication Strategies

4.3 Trojan Horse Example – Sub7

4.4 Solution

5 The Fourth Security Threat – Spyware

5.1 Introduction

5.2 Replication Strategies

5.3 Spyware Example – Bonzi Buddy

5.4 Solution – Anti-spyware programs

6 The Fifth Security Threat – Unauthorised Access

6.1 Introduction

6.2 Solution – Access and User Right Control

7 The Sixth Security Threat – Interception

7.1 Introduction

7.2 Sniffer Example – Ace Password Sniffer

7.3 Solution – IPSec, VPN and WEP (technical details are out-of-syllabus)

Author’s remarks

  • Part of the materials in this set of handouts is adapted from Wikipedia and Guide to Networking Essentials (2nd edition), published by Course Technology.
  • This set of materials was essentially developed by Chung, C.F. Jeffrey.

1 Introduction

In this reference, the common security threats to SOHO networks are introduced, together with some real examples of each threat. Suggestions for protecting systems from these threats and for recovering data will also be given.

The main duties of a SOHO network administrator are to keep the network safe and to keep the business information and data confidential, intact and available (confidentiality, integrity and availability). Security threats not only damage computer hardware but also the most important asset of a business – the business information and personal data. The resulting business loss can be huge too.

2 The First Security Threat – Virus

2.1 Introduction

A computer virus is a type of program that can replicate itself by making (possibly modified) copies of itself. The main criterion for classifying a piece of executable code as a virus is that it spreads itself by means of “hosts”. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on removable media. Additionally, viruses can spread to other computers by infecting files on a network file system or on a file system that is accessed by another computer, such as the files on a file server. Viruses are sometimes confused with worms. A worm, however, can spread itself to other computers without needing to be transferred as part of a host.

A virus is a type of program created by programmers called “virus writers”. Virus writers can have various reasons for creating and spreading viruses. Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies, to distribute political messages, and to obtain financial gain from identity theft or spyware. Some virus writers consider their creations to be works of art, and see virus writing as a creative hobby. Therefore the damage caused by a virus depends mainly on the virus writer’s skill and intention. A virus can damage computer files and systems, steal information from you and even damage your computer hardware.

Viruses can infect different types of hosts. The most common targets are executable files that contain application software or parts of the operating system. Viruses have also infected the executable boot sectors of floppy disks, script files of application programs, and documents that can contain macro scripts. Additionally, viruses can infect files in ways other than simply inserting a copy of their code into the code of the host program. For example, a virus can overwrite its host with the virus code, or it can use a trick to ensure that the virus program is executed when the user wants to execute the (unmodified) host program. Viruses have existed for many different operating systems, including MS-DOS, Mac OS and even Linux; however, the vast majority of viruses affect Microsoft Windows.

2.2 Replication Strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus’s code may be executed first. Viruses can be divided into two types on the basis of their behaviour when they are executed. Non-resident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Here is a sample of a virus’s replication task:

  1. Locate an unchecked executable file
  2. Check if the executable file has already been infected (if it is, return to the finder module of the virus)
  3. Append the virus code to the executable file
  4. Save the executable’s starting point
  5. Change the executable’s starting point so that it points to the start location of the newly copied virus code
  6. Save the old start location in the virus so that the virus branches to that location right after its own execution
  7. Save the changes to the executable file
  8. Close the infected file
  9. Return to the finder so that it can find new files for the virus to infect.

Resident viruses contain a replication module that is similar to the one that is employed by non-resident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can get called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.
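As an added example that is not part of the handout, the following Python script shows the defender’s view of steps 3 to 7 above: a file-integrity baseline that hashes every executable in a directory and later reports any file whose content has changed, even when the file’s “last modified” time was put back afterwards (the old stealth trick mentioned under avoiding detection). The directory, the stand-in host program and the appended bytes are all constructed inside the script; nothing here touches real programs.

```python
import hashlib
import os
import tempfile

# Added example (not from the handout): a file-integrity baseline that detects
# host executables changed by appended code, even when the file's modification
# time is restored. Files and the "infection" are constructed in demo().

def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(directory, extensions=(".exe", ".com", ".dll")):
    """Record (size, mtime, sha256) for every executable below directory."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(root, name)
                st = os.stat(path)
                baseline[os.path.relpath(path, directory)] = {
                    "size": st.st_size,
                    "mtime": st.st_mtime,
                    "sha256": sha256_of(path),
                }
    return baseline

def check_integrity(directory, baseline):
    """Compare the current tree against the baseline.

    Returns a dict of relative path -> reason. A changed hash is reported even
    when size and mtime look unchanged, which is what defeats the mtime trick.
    """
    findings = {}
    current = build_baseline(directory)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif new["sha256"] != old["sha256"]:
            detail = []
            if new["size"] != old["size"]:
                detail.append("size grew by %d bytes" % (new["size"] - old["size"]))
            if abs(new["mtime"] - old["mtime"]) < 1e-6:
                detail.append("mtime unchanged (possible stealth)")
            findings[rel] = "content changed" + (": " + ", ".join(detail) if detail else "")
    for rel in current:
        if rel not in baseline:
            findings[rel] = "new executable not in baseline"
    return findings

def demo():
    """Constructed scenario: baseline a fake program, append bytes, restore mtime."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "calc.exe")
        with open(host, "wb") as f:
            f.write(b"MZ" + b"\x90" * 512)        # constructed stand-in for a host program
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"not an executable")         # ignored by the baseline
        baseline = build_baseline(d)
        st = os.stat(host)
        with open(host, "ab") as f:
            f.write(b"APPENDED-CODE-MARKER")      # constructed: simulates appended code
        os.utime(host, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the timestamp back
        return check_integrity(d, baseline)

if __name__ == "__main__":
    for path, reason in demo().items():
        print(path, "->", reason)
```

The baseline itself must be stored somewhere the infected machine cannot rewrite (read-only media or another host), otherwise a virus that is resident when the baseline is rebuilt simply gets included in it.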

2.3 Avoiding Detection (out of syllabus)

In order to avoid detection by users, some viruses employ different kinds of obfuscation. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files had many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Recent viruses avoid any kind of detection attempt by attempting to kill the tasks associated with the virus scanner before it can detect them.

Here are some other methods used to avoid detection by users or by anti-virus programs:

  1. Stealth – Some viruses try to trick anti-virus software by intercepting its requests to the operating system. The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems to be “clean”.
  2. Self-modification – Most modern anti-virus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection, so each infected file contains a different variant of the virus.
  3. Encryption with a variable key – A more advanced method is the use of simple encryption to encode the virus. In this case, a virus scanner cannot directly detect the virus using signatures. Fortunately, a virus scanner can still detect the decrypting module, which makes indirect detection of the virus possible.
  4. Polymorphic code – Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection.
  5. Metamorphic code – To avoid being detected by emulation, some viruses rewrite themselves completely each time they infect a new executable. Viruses that use this technique are said to be metamorphic.

2.4 Virus Example – CIH

CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan. It is considered to be one of the most harmful widely circulated viruses, destroying all information on users’ systems and in some cases overwriting the system BIOS. To accomplish this, it overwrites the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This often deletes the contents of the partition table, and may cause the machine to hang. Then it also tries to overwrite the flash BIOS with junk.

2.5 Solution – Anti-virus Software

To protect our system from viruses, we must install anti-virus software on our system. Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. To accomplish this, anti-virus software typically uses two different techniques:

  1. Examining (scanning) the contents of the computer’s memory (its RAM, and boot sector) and the files stored on fixed or removable drives (hard drives, floppy drives), to look for known viruses matching definitions (e.g. virus signatures) in a virus dictionary
  2. Identifying suspicious behaviours from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Some anti-virus software can also warn a user that a file is likely to contain a virus based on the file type; some anti-virus vendors also claim effective use of other types of heuristic analysis. Some anti-virus programs are also able to scan opened files, as well as sent and received emails, “on the fly” in a similar manner. This practice is known as “on-access scanning”.
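The following Python script is an added example, not code from the handout or from any anti-virus product. It implements technique 1 above, a dictionary of signatures matched against file contents, and runs it over constructed samples to show the point made under “Encryption with a variable key”: a signature taken from the virus body misses a copy encoded with a different key, while a signature on the unchanging decrypting stub still catches every copy. The “body” and “stub” are labelled byte strings, not real code; the XOR step exists only to build the test samples. A small file-type warning of the kind mentioned in the last paragraph is included as well.

```python
# Added example (not from the handout): signature-dictionary scanning over
# constructed samples, plus a file-type warning. Not any vendor's code.

# Constructed "virus body" and "decryptor stub"; these are labels, not code.
BODY = b"CONSTRUCTED-VIRUS-BODY-v1"
DECRYPTOR_STUB = b"CONSTRUCTED-DECRYPTOR-STUB"

def xor_encode(data, key):
    """Toy one-byte XOR used only to build the encoded test samples."""
    return bytes(b ^ key for b in data)

def make_encoded_sample(key):
    """A constructed 'file' laid out as stub + key byte + encoded body."""
    return DECRYPTOR_STUB + bytes([key]) + xor_encode(BODY, key)

# Signature dictionary: detection name -> byte pattern to look for.
SIGNATURES = {
    "Constructed.Sample.A":      BODY,            # body signature: plain copies only
    "Constructed.Sample.A!stub": DECRYPTOR_STUB,  # the part that stays constant
}

def scan_bytes(data, signatures=SIGNATURES):
    """Return the sorted names of every signature whose pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)

def scan_samples(samples, signatures=SIGNATURES):
    """Scan a dict of filename -> bytes; returns filename -> list of hits."""
    return {name: scan_bytes(data, signatures) for name, data in samples.items()}

EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

def risky_file_type(filename):
    """File-type warning: true for names ending in an executable extension,
    which also catches disguised names such as photo.jpg.exe."""
    return filename.lower().endswith(EXECUTABLE_EXTS)

def demo():
    """Constructed samples: a clean text file, a plain copy, two encoded copies."""
    samples = {
        "readme.txt":   b"just some text, nothing to see",
        "plain.exe":    b"MZ" + b"\x90" * 16 + BODY,
        "enc_0x5a.exe": b"MZ" + make_encoded_sample(0x5A),
        "enc_0x7f.exe": b"MZ" + make_encoded_sample(0x7F),
    }
    body_only = {"Constructed.Sample.A": BODY}
    return {
        "body_signature_only": scan_samples(samples, body_only),
        "with_stub_signature": scan_samples(samples),
        "file_type_warning": {n: risky_file_type(n) for n in samples},
    }

if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode)
        for name, hits in result.items():
            print("   ", name, "->", hits)
```

Running it shows `plain.exe` detected by both dictionaries, while the two encoded copies are only reported once the stub signature is present. This is exactly why polymorphic viruses, which also vary the stub, forced scanners to add emulation and behaviour-based checks (technique 2 above).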

Anti-virus software does not change the underlying capability of host software to transmit viruses. There have been attempts to do this but adoption of such anti-virus solutions can void the warranty for the host software. Users must therefore update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to gain knowledge about the latest threats and hoaxes.

Anti-virus software examples include Norton Antivirus, McAfee and Sophos.

3 The Second Security Threat – Worm

3.1 Introduction

A computer worm is a self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm, however, is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the file transmission capabilities found on many computers. In addition to replication, a worm may be designed to do a number of things, such as delete files on a host system or send documents via email. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can cause havoc just with the network traffic generated by its reproduction. An advanced worm, for example Mydoom, can even cause a noticeable worldwide Internet slowdown at the peak of its spread.

3.2 Replication Strategies

In order to replicate itself, a worm always installs a backdoor on the infected computer, as Mydoom did. These zombie computers are used by spam senders for sending junk email or for cloaking their website’s address. Spammers, the people who send “junk” e-mail messages, are thought to pay for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines; others try to blackmail companies with threatened denial-of-service (DoS) attacks. The backdoors can also be exploited by other worms, such as Doomjuice, which spreads using the backdoor opened by Mydoom.

3.3 Worm Example – Mydoom

Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004. It became the fastest spreading email worm ever as of January 2004.

Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject lines including "Error," "Mail Delivery System," "Test" or "Mail Transaction Failed" in different languages, including English and French. The mail contains an attachment that, if executed, resends the worm to email addresses found in local files such as a user’s address book. Mydoom also installs a backdoor on port 3127/tcp on the subverted PC to allow remote control by hackers, and establishes a denial of service attack against the website of the controversial company SCO Group, timed to commence on 1 February 2004.

3.4 Solution

Some commonly adopted measures to stop worms from spreading are as follows:

Anti-virus software – Anti-virus software can effectively identify, thwart and eliminate computer worms. Please refer to the previous section for more information.

Patch – Worms make use of bugs to spread. Operating systems such as Windows need to be patched regularly so that the latest known bugs are fixed before a worm can use them.

Firewall – A firewall is a piece of hardware and/or software which functions in a networked environment to prevent communications forbidden by the security policy. A firewall is also called a packet filter, which means it does not allow packets to pass through unless they match the rules. The firewall administrator may define the rules, or default built-in rules may apply. A more permissive setup could allow any packet to pass the filter as long as it does not match one or more “negative rules”, or “deny rules”. Modern firewalls can filter traffic based on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service such as WWW or FTP. They can also filter based on protocol, domain name of the source, and many other attributes.

Therefore, we can filter out all the network packets and traffic which we do not want, including the network packets created by worms. Hence we can successfully block worms, Trojan horses, back doors, unauthorised access and DoS attacks.

Examples of firewalls are Norton Internet Security and ZoneAlarm.
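As an added example that is not part of the handout and not the code of any firewall product, the following Python script models the two packet-filter policies described above: “deny unless an allow rule matches” and “allow unless a deny rule matches”. Rules match on protocol, source and destination address ranges, destination port and direction, and the first matching rule wins. The LAN range, the packets and the rule sets are constructed for the demonstration; the only value taken from the handout is Mydoom’s backdoor port, 3127/tcp.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the handout): a toy packet filter evaluating the
# two policies described in the text on constructed packets.

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" (from the Internet) or "out" (from the LAN)

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"         # CIDR range the source must fall in
    dst: str = "0.0.0.0/0"         # CIDR range the destination must fall in
    dport: Optional[int] = None    # None means any destination port
    direction: str = "any"
    comment: str = ""

    def matches(self, p):
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.direction == "any" or self.direction == p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(packet, rules, default):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.matches(packet):
            return r.action, r.comment or "matched rule"
    return default, "default policy"

LAN = "192.168.1.0/24"   # constructed office network

# Policy 1: default deny, allow only the services the office needs.
DEFAULT_DENY_RULES = [
    Rule("allow", "tcp", src=LAN, dport=80,  direction="out", comment="WWW"),
    Rule("allow", "tcp", src=LAN, dport=443, direction="out", comment="HTTPS"),
    Rule("allow", "tcp", src=LAN, dport=21,  direction="out", comment="FTP"),
    Rule("allow", "udp", src=LAN, dport=53,  direction="out", comment="DNS"),
]

# Policy 2: default allow with explicit deny rules (the "negative rules").
PERMISSIVE_RULES = [
    Rule("deny", "tcp", dst=LAN, dport=3127, direction="in", comment="Mydoom backdoor port"),
    Rule("deny", "any", src="10.0.0.0/8", direction="in", comment="private source from Internet"),
]

def demo():
    """Constructed packets: a web request, a probe of the backdoor port,
    and a LAN host trying to send mail directly (what a mass-mailer does)."""
    packets = {
        "browse":         Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "out"),
        "backdoor_probe": Packet("tcp", "198.51.100.7", 5555, "192.168.1.10", 3127, "in"),
        "smtp_from_lan":  Packet("tcp", "192.168.1.10", 40001, "203.0.113.9", 25, "out"),
    }
    return {
        name: {
            "default_deny": evaluate(p, DEFAULT_DENY_RULES, "deny")[0],
            "permissive":   evaluate(p, PERMISSIVE_RULES, "allow")[0],
        }
        for name, p in packets.items()
    }

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Note the third packet: under the default-deny policy a LAN machine cannot talk to port 25 on the Internet at all, so a mass-mailing worm on that machine is stopped even though no rule names it, whereas the permissive policy only blocks what the administrator already knew to forbid.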

4 The Third Security Threat – Trojan Horse

4.1 Introduction

Trojan horse, also known as Trojan, is a malicious program that is disguised as legitimate software. The term is derived from the classical myth of the Trojan horse. In the siege of Troy, the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow, containing Greek soldiers who opened the city gates of Troy at night, making it possible for the Greek army to pillage the city. Trojan horse programs work in a similar way: they may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

Trojan horse programs cannot replicate themselves, in contrast to some other types of security threats, like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program. Trojan horses often contain spying functions, such as a packet sniffer, or backdoor functions that allow a computer, unknown to its owner, to be remotely controlled from the network by hackers, creating a “zombie computer” and resulting in data loss, data theft and system damage.

Its basic difference from computer viruses is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally, Trojan horses were not designed to spread themselves. They relied on fooling people into allowing the program to perform actions that they would otherwise not have voluntarily performed. Trojans of recent times also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly classify such mixed programs as either Trojan horses or viruses.

4.2 Replication Strategies

As mentioned, Trojan horse programs cannot replicate themselves. So how can a computer be infected? Here are some examples:

Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even when using a more secure web browser, such as Mozilla’s Firefox or Opera, if Java is enabled your computer has the potential of receiving a Trojan horse.