
e-PG Pathshala Information Technology Information security

Module 18:Virus Part III


The Internet Worm:
• Morris designed the Internet worm with three objectives:

1) Establish where the code could spread

2) Spread the infection

3) Stay undiscovered and undiscoverable

Effect – degradation of system performance

• The major effect of the worm was resource exhaustion.

• The worm was meant to check first whether a target host was already
infected; if so, either the existing infection or the new one was to
terminate. The code had a fault, and many of the newly created copies never
ended. Infected machines were therefore overloaded with numerous replicas of
the worm, each of which tried to extend the infection further.

• As a secondary effect, most systems were disconnected from the Internet.

• System administrators disconnected from the Internet for two reasons:

1) Already infected machines must not spread the infection further

2) Staff wanted to stop the worm from infecting their machines.

• This led to a third effect, isolation: people were unable to perform
necessary work.

• The worm caused many systems to be disconnected for several days, during
which they were unavailable to their users. Estimates of the damage ranged
from $100,000 to $97 million.

The Internet Worm:

• The worm was designed to infect UNIX machines and looked for user accounts.

• At the same time, it exploited the finger program and a trapdoor in the
sendmail mail handler.

• The first security flaw: the worm tried to guess passwords.

• A UNIX password file stores passwords in encrypted form, but everyone can
read the stored ciphertext.

• The worm tried to crack passwords by encrypting popular passwords and
comparing the ciphertext with that stored in the password file. It tried the
account name, the system name, and 432 other common passwords (such as
"guest," "password," "help," "coffee," "coke," "aaa").

• If unsuccessful, the worm used the dictionary file maintained for spell
checking. When a match was found, the worm logged in to that account by
entering the password in plaintext. After gaining access to a machine, it
searched for other machines that could be reached from it.

• The second flaw involved fingerd. This program runs continuously to answer
requests from other computers for information about the system's users. The
flaw let an input overflow the input buffer and overwrite the stack where the
return address is stored. When the finger call terminated, the fingerd daemon
executed the overwritten instructions, which connected the worm to a remote
shell.

• The third flaw exploited a trapdoor in the sendmail program. The program
runs in the background, waiting for signals from anyone who wants to send mail
to the system. On receiving such a notification, sendmail obtains the
destination address, verifies it, and then begins the exchange that receives
the message. When sendmail was in debugging mode, the worm could make it accept
and execute a command string in place of the destination address.

The Internet Worm - Spreading infection:

• The worm tries to install a bootstrap loader on the chosen target. The loader
is 99 lines of C code that gets compiled and executed.

• The bootstrap loader asks the sending host to supply the rest of the worm.
Along with this request, the loader also supplies a one-time password to the
host; if the password is not supplied, the host breaks the connection with the
target, assuming that the bootstrap is rogue.

The Internet Worm - Stay undiscovered and undiscoverable:

• If a transmission error occurs while the worm code is being transferred, the
loader abandons the operation, deletes the code already fetched, and exits.

Code Red:
• Code Red propagates its infection to Internet Information Server (IIS) web
servers.

• Code Red works in two steps: infection and propagation.

• It exploits a buffer overflow in idq.dll, a dynamic link library that resides
in the server's memory.

• To propagate, Code Red checks IP addresses on port 80 to make sure that the
web server there is vulnerable.

Code Red - What Effect It Had:

• The first version of Code Red defaced web sites with the following text:
HELLO! Welcome to http://www.worm.com ! Hacked by Chinese!

• The original Code Red varied its activity with the date. On days 1 to 19 of
a month, the worm spawned 99 threads to scan other computers for the
vulnerability, all starting from the same IP address. On days 20 to 27, the
worm performed a distributed denial-of-service attack against the
www.whitehouse.gov web site of the United States. A denial-of-service attack
floods a site with so many messages that it slows down or stops because it
cannot handle them all. From day 28 to the end of the month, the worm was
silent and performed no action.

• The second variant became active at the end of July 2001. It did not deface
the web site but propagated to random addresses, and it infected servers
quickly.

• A third variant injected a Trojan horse into the target, which allowed an
attacker to execute any command on the server remotely. The worm checked the
date and stopped propagating in October 2002. It took hold of the server and
rebooted it after 24 or 48 hours, removing itself from memory; the Trojan horse
was left in place.

How It Worked - Code Red:

• The Code Red worm targeted computers running Microsoft IIS software.

• It used a buffer overflow vulnerability. Servers running Windows NT crashed,
but Windows 2000 systems ran the code. On an infected server, the newer
versions of the worm created trapdoors through which malicious users or
programs could attack.

• Code Red copied %windir%\cmd.exe to four other locations to form the
trapdoor:

c:\inetpub\scripts\root.ext
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.ext
d:\progra~1\common~1\system\MSADC\root.exe

• Code Red also installed its own copy of explorer.exe on the c: and d:
drives, and Windows ran this infected copy in place of the original. The copy
first executed the original, uninfected explorer.exe, then modified the system
registry and disabled certain file protection so that particular directories
had read, write, and execute permission. Virtual paths set by the Trojan horse
made these actions effective even when explorer.exe was not running. The Trojan
horse runs in the background and resets the registry every 10 minutes, so if
the system administrator notices the changes and undoes them, the malicious
code makes them again.

• The worm spawned 300 or 600 threads and took 24 or 48 hours to spread across
machines. It then forced the system to reboot, which removed traces of the worm
from memory but left the backdoor and the Trojan horse in place.

• The worm used nonblocking sockets to improve its performance: threads
scanning for connections were not slowed down by slow connections.

Trojan Horse:
• A Trojan horse differs from viruses and worms: it is neither self-replicating
nor does it copy itself into other files.

• Infection comes from opening an email attachment or downloading and running a
file from the Internet.

Types of Trojans:

• A Backdoor Trojan is designed to circumvent authentication, giving remote
access to the hacker.

• A Trojan Ransom, also known as ransomware, can encrypt data or lock up the
system until the victim pays the criminal.

• A Trojan Spy can log your keystrokes.

• A Trojan Mailfinder can harvest email addresses from your computer's address
book.

• A Trojan Banker is designed to steal online banking and credit card
information.

Zeus Trojan - Trojan Banker is Zeus (Zbot):

• The Zeus Trojan can add extra fields to a web page containing a form, such as
the pages one visits for online banking.

• Because it is the actual bank's web page and not a forged site, a few extra
fields to fill in might not seem suspicious to the user.

• The fields may be disguised as added security questions whose answers give
the criminal the information needed to gain access to the account later on.

Zeus was sold as a malware toolkit, giving less experienced cyber criminals
access to the technology. Until its source code was made public in 2011, the
Zeus toolkit could cost up to $10,000.

Malicious Code related to Web: Web Bugs


• A web bug is also called a pixel tag, clear gif, one-by-one gif, invisible
gif, or beacon gif. It is a hidden image embedded in the document through its
HTML tags.

• Suppose Commercial.com sells all types of household items on the web and
carries a web bug placed by a marketing and advertising firm, Market.com. The
bug puts a file called a cookie on the hard drive of the victim's system. This
cookie is a numeric identifier unique to the machine. It keeps track of the
victim's surfing habits and builds a demographic profile that is used to direct
the victim to retailers of interest.

• For example, Commercial.com provides links to other sites and puts up banner
advertisements to draw users' attention to its partner sites. The partner site
then customizes its content to the user.

How They Work – Web bugs:


• Web bugs insert numeric data; they do not themselves grab personal
information such as the user's name and address.

• When the victim purchases an item from Commercial.com, however, the site asks
for personal information.

• The web server can capture:

1) The victim computer's IP address
2) The web browser the victim uses
3) The resolution of the victim's monitor
4) Other browser settings, such as whether Java technology is enabled, how long
the connection was held, previous cookie values, and more.

• This information can be used to track where and when the victim was referred
to the site, what the victim usually buys, and the victim's personal
information.

• The web bug's operator can also use the log files maintained by the web
server to determine the victim's IP address, and through that address attack
the victim's system.
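A defender's counterpart to the description above is a scanner that finds web-bug candidates in a page. The example below is added here and is not code from the module: it parses an HTML document with the standard library, flags <img> tags that are tiny (1x1 or 0x0) or hidden by inline CSS, and reports those served from a domain other than the page's own, which is how a marketing firm's beacon on a retailer's site looks in the markup. The sample HTML, the host names in it, and the "registrable domain" heuristic (last two labels of the host) are constructed for illustration.

```python
"""Scanner for web-bug candidates in an HTML page.

Added example, not code from the module. A web bug is a hidden image, usually
one pixel square, whose source is served by a third party (the module's
"Market.com" placing a bug on "Commercial.com"). This scanner flags <img> tags
that are tiny or hidden and fetched from a domain other than the page's own.
The sample HTML and the host names in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary product image and two tracking pixels.
SAMPLE_HTML = """
<html><body>
<h1>Commercial.com - household items</h1>
<img src="https://www.commercial.com/img/kettle.jpg" width="300" height="200">
<img src="https://track.market.com/beacon.gif?id=8821" width="1" height="1">
<img src="https://ads.market.com/pixel.gif" style="display: none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value); value is None for bare attributes
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _registrable_domain(host):
    """Crude 'site' identity: the last two labels of the host name."""
    return ".".join(host.lower().split(".")[-2:])


def _is_tiny_or_hidden(attrs):
    """True for 1x1 / 0x0 images or images hidden through inline CSS."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = width in ("0", "1") and height in ("0", "1")
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def find_web_bugs(html, page_host):
    """Return (src, host) for each image that looks like a web bug:
    served from a third-party domain and tiny or hidden."""
    collector = _ImgCollector()
    collector.feed(html)
    page_domain = _registrable_domain(page_host)
    bugs = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src = first party
        if _registrable_domain(host) != page_domain and _is_tiny_or_hidden(attrs):
            bugs.append((src, host))
    return bugs


if __name__ == "__main__":
    for src, host in find_web_bugs(SAMPLE_HTML, "www.commercial.com"):
        print(f"web bug candidate from {host}: {src}")
```

Run against the sample, the scanner reports the two Market.com images and ignores the first-party product photo. In practice the same check belongs in a proxy or a site audit, and a first-party 1x1 image is worth a look too, since the cookie described above can be set by the retailer itself.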

TARGETED MALICIOUS CODE:


• Targeted malicious code affects a specific system. It is specific to an
application, and its intended effect is well defined.

Trapdoor:
• A trapdoor is an undocumented entry point into a module.

• Trapdoors are inserted during code development. Their purpose is to test the
module and to apply later modifications or enhancements; if the module fails,
the trapdoor gives a way to reach it.

• Programmers also use trapdoors to get at a program after it has been put into
use.

• To test a component as a single unit, the developer or tester has to write
"stubs" and "drivers". These routines feed data to the component under test and
extract the results it generates. As testing proceeds, stubs and drivers are
replaced by the actual components.

• Unit and integration testing pinpoint the faults in components. The developer
inserts debugging code that shows what the components do when they execute or
when they communicate with one another.

• To control the stubs or invoke the debugging code, the programmer builds
control sequences into the design of the component being tested.

• For example, a component of a text-formatting system recognizes commands
such as .PAGE, .TITLE, and .SKIP.

• For testing, the programmer adds debugging commands of the form var = value
that set various parameters, to verify the correctness of the component.

• Such command insertion is common practice in testing. If the commands are not
removed afterwards, they cause problems: they are undocumented, they create
side effects, and they become trapdoors.

Poor error checking - another source of trapdoors:

Before a data value is used, it must be checked for the following:

1) The data type is correct
2) The value is within acceptable bounds

• A component can be coded for a set of expected outcomes; if the output does
not match one of them, the component must recognize this as an error. The
developer writes a CASE statement with one option for each possibility. A
careless programmer lets control pass through all the options of the CASE
without flagging an error.

• The Morris worm exploited the fingerd flaw in this way: a C library I/O
routine used to fetch the next character from the input buffer did not flush
the input buffer before placing new characters in it.
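The two trapdoor sources just described, a leftover test command and a CASE that lets unknown input fall through, can be shown side by side in the text-formatter example the module uses. The code below is added here and is not the module's: the .PAGE, .TITLE and .SKIP commands and the "var = value" debugging hook come from the text above, while the .SET command, the setting names and their bounds are constructed to show the type check and bounds check the module calls for.

```python
"""Command handling in a text formatter: a trapdoor-prone version beside a
hardened one.

Added example, not the module's code. The .PAGE, .TITLE and .SKIP commands and
the leftover "var = value" debugging command are the module's illustration;
the .SET command, the setting names and their bounds are constructed here to
show the type and bounds checks the module calls for.
"""
import re

# Formatter settings and the acceptable range for each (constructed values).
DEFAULTS = {"page_length": 60, "line_width": 80}
BOUNDS = {"page_length": (10, 200), "line_width": (20, 132)}


def format_careless(lines):
    """Trapdoor-prone version. The 'var = value' debugging hook was never
    removed, it accepts any name and value unchecked, and an unrecognized
    command falls through every branch without being flagged as an error."""
    settings = dict(DEFAULTS)
    out = []
    for line in lines:
        if line.startswith(".PAGE"):
            out.append("\f")
        elif line.startswith(".TITLE "):
            out.append(line[7:].center(settings["line_width"]))
        elif line.startswith(".SKIP"):
            out.append("")
        elif re.match(r"^\w+ = ", line):        # leftover test command: the trapdoor
            name, value = line.split(" = ", 1)
            settings[name] = int(value)         # no type check, no bounds check
        else:                                   # unknown commands are silently passed
            out.append(line)
    return out, settings


class FormatError(ValueError):
    """Raised for an unknown command or an invalid setting value."""


def format_hardened(lines):
    """Hardened version. Only documented commands are recognized, any other
    command line is an error, and a setting changes only through the
    documented .SET command after a type check and a bounds check."""
    settings = dict(DEFAULTS)
    out = []
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("."):            # plain text, including 'var = value'
            out.append(line)
            continue
        cmd, _, arg = line[1:].partition(" ")
        if cmd == "PAGE":
            out.append("\f")
        elif cmd == "TITLE":
            out.append(arg.center(settings["line_width"]))
        elif cmd == "SKIP":
            out.append("")
        elif cmd == "SET":
            name, _, value = arg.partition("=")
            name, value = name.strip(), value.strip()
            if name not in BOUNDS:
                raise FormatError(f"line {lineno}: unknown setting {name!r}")
            if not value.isdigit():             # data type must be correct
                raise FormatError(f"line {lineno}: {name} needs an integer, got {value!r}")
            low, high = BOUNDS[name]
            if not low <= int(value) <= high:   # value must be within bounds
                raise FormatError(f"line {lineno}: {name}={value} outside {low}..{high}")
            settings[name] = int(value)
        else:                                   # the default branch the careless code lacks
            raise FormatError(f"line {lineno}: unknown command .{cmd}")
    return out, settings


def is_rejected(lines):
    """True if the hardened formatter refuses the input."""
    try:
        format_hardened(lines)
    except FormatError:
        return True
    return False
```

In the careless version a document that merely contains the line "line_width = 5" silently rewrites a formatter setting, and a misspelled command such as .BOGUS is printed as text rather than reported. The hardened version treats that line as ordinary text, accepts a setting only through a documented command, and makes the unknown-command case an explicit error instead of a fall-through.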

How trapdoors are created:


• Hardware processor design also contributes to trapdoors. A processor uses
binary opcodes, but not all of them define machine instructions. Some undefined
opcodes are assigned specialized instructions, either for testing or because
the processor designer did not pay attention to them.

• Trapdoors can also help in locating security flaws.

• Trapdoors must be documented, and access to them must be controlled.

• When trapdoors are designed in, their outcomes must be clearly specified.

Causes of Trapdoors:
Trapdoors exist in programs because the program writers

• forget to remove them,

• deliberately put them in the program so that testing can be performed,

• deliberately put them in the code for maintenance of the program, or

• deliberately put them in as a covert means of accessing the component once it
has become an integral part of the program.

Salami Attack:
• A salami attack focuses on insignificant data and produces powerful results.

• For example, programs pay no attention to small amounts of money in
calculations, such as fractional paisa in interest or tax calculations.

• Suppose a bank decides to pay 4.5 percent interest on an account. After the
first month, the user has Rs. 95.67 as the balance in the account. For a month
of 31 days, divide the interest rate by 365 to get the daily rate, then
multiply by 31 to find the interest for the month. Thus, the total interest for
31 days is 31/365*0.045*102.87 = Rs. 0.0197278856. Since banks deal only in
whole paisa, the amount is rounded down if the remainder is less than fifty
paisa and rounded up if it is fifty paisa or more. The amount Rs. 0.019727 is
rounded down to Rs. 0.01 instead of up to Rs. 0.02.

Why Salami Attacks Persist:



• Rounding or truncation leaves small errors in computer computations. They
become visible when computations combine large numbers with small ones.

• Such minute errors are natural and unavoidable.

• Error corrections are applied to reconcile accounts after the computations.

• If these corrections are not audited properly, a salami attack results.
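The interest example and the point about unaudited corrections can be put together in code. The block below is added here and is not the module's: it computes monthly interest with the module's daily-rate method and rounding rule, shows a salami version that always rounds down and collects the shaved paisa in the attacker's account, and then runs the per-account reconciliation that exposes it. The balances, the "ATTACKER" collector account and the 4.5 percent rate applied to them are constructed for illustration; exact decimal arithmetic is used so the rounding behaviour is the one the module describes rather than a floating-point artefact.

```python
"""Interest rounding: a salami attack and the per-account audit that catches
it.

Added example, not the module's code. The daily-rate method (annual rate / 365
* days) and the rounding rule (below fifty paisa down, fifty paisa or more up)
follow the module's worked example; the balances, the 4.5 percent rate and
the "ATTACKER" collector account are constructed for illustration.
"""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

PAISA = Decimal("0.01")

# Constructed ledger: account -> balance in rupees.
SAMPLE_ACCOUNTS = {"A": "1000.00", "C": "95.67", "D": "1234.56"}


def interest_exact(balance, annual_rate, days):
    """Unrounded interest for `days` days at annual_rate/365 per day."""
    return Decimal(balance) * Decimal(annual_rate) * days / 365


def round_to_paisa(amount):
    """The bank's rule: remainder below fifty paisa rounds down, otherwise up."""
    return amount.quantize(PAISA, rounding=ROUND_HALF_UP)


def post_interest_honest(accounts, annual_rate, days):
    """Credit each account with correctly rounded interest."""
    return {acct: round_to_paisa(interest_exact(bal, annual_rate, days))
            for acct, bal in accounts.items()}


def post_interest_salami(accounts, annual_rate, days, collector="ATTACKER"):
    """Salami version: every account is rounded down, and the paisa that
    should have gone to customers are collected in the attacker's account.
    The ledger total is unchanged, so a totals-only check does not notice."""
    posted = {}
    shaved = Decimal("0.00")
    for acct, bal in accounts.items():
        exact = interest_exact(bal, annual_rate, days)
        down = exact.quantize(PAISA, rounding=ROUND_DOWN)
        posted[acct] = down
        shaved += round_to_paisa(exact) - down
    posted[collector] = shaved
    return posted


def ledger_total(posted):
    """Sum of all interest postings."""
    return sum(posted.values(), Decimal("0.00"))


def audit_interest(accounts, posted, annual_rate, days):
    """Recompute the expected posting for every account and return
    (account, expected, posted) for each one that differs. Postings to
    accounts that hold no balance are expected to be zero."""
    expected = post_interest_honest(accounts, annual_rate, days)
    findings = []
    for acct in list(expected) + [a for a in posted if a not in expected]:
        want = expected.get(acct, Decimal("0.00"))
        got = posted.get(acct, Decimal("0.00"))
        if want != got:
            findings.append((acct, want, got))
    return findings


if __name__ == "__main__":
    honest = post_interest_honest(SAMPLE_ACCOUNTS, "0.045", 31)
    skimmed = post_interest_salami(SAMPLE_ACCOUNTS, "0.045", 31)
    print("totals equal:", ledger_total(honest) == ledger_total(skimmed))
    for acct, want, got in audit_interest(SAMPLE_ACCOUNTS, skimmed, "0.045", 31):
        print(f"{acct}: expected {want}, posted {got}")
```

With the sample balances the honest and the skimmed ledgers both total Rs. 8.91, which is why a reconciliation that only compares totals, or that accepts "rounding corrections" without checking them account by account, lets the attack persist. The per-account audit reports the two customers who were short-changed by one paisa each and the posting to an account that holds no balance.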

Covert Channels: Programs That Leak Information:


• A "service program" contains a Trojan horse that attempts to copy information
from a genuine user (whose access is permitted) to a "spy" (whose access is
not).

• The genuine user is unaware of the Trojan horse.

[Figure: the legitimate user accesses the protected data through the service
program; the Trojan horse in the service program also passes the data to the
spy.]

Covert Channel Overview:


• Once a program is in operation, its programmer must not have permission to
access the sensitive data it handles. A programmer who wants that data writes
the program so that it secretly passes the data to a program of his own.

• The programmer is called the "spy," and the one who runs the program is the
"user".

Creating Covert channels:


• In printed output, the programmer can vary the format of the data, the
number of characters in each line, or which particular values are printed or
omitted.

• For example, changing the heading "TOTAL" to "TOTALS" goes unnoticed, but it
creates a 1-bit covert channel: the presence or absence of the 'S' passes one
bit of information.

• Such covert channels are called storage channels because they deal with
objects in storage; the information is conveyed by the presence or absence of
those objects.

• The file lock channel is an example of a storage covert channel.

• In multiuser systems, two persons are not allowed to write to the same file
at the same time, so files are "locked".

• Whether a file is locked or not can therefore serve as a covert channel
signalling one bit.

[Figure: file lock channel. The service program, which can read the protected
data, locks the file to signal 1 and unlocks it to signal 0; the spy checks
whether the file is locked (yes: 1, no: 0).]

• To signal more than one bit, time intervals are allocated to the service
program and the spy program, and one bit of information is transferred in each
interval.

[Figure: file existence channel. Time interval 1: the service program creates
the file (1); the spy's program checks whether it exists (yes: 1). Time
interval 2: the service program deletes the file (0); the spy's program checks
again (no: 0).]

Timing Channels:
• A service program can also use a timing channel to convey information. It
simply signals by whether or not it uses an assigned amount of computing time.

• Assume a multiprogrammed system with two user processes. The system divides
time into slots and allocates them to the two processes alternately.

• When a process is offered a time slot but is waiting for some event and
cannot do any processing right now, it rejects the slot.

• The service process either uses its slot (to signal a 1) or rejects it (to
signal a 0).

[Figure: timing channel. Normal scheduling: Service program, Spy program,
Service program, Spy program, Service program, Spy program. Service program
communicating 100: Service program, Spy program, Spy program, Service program,
Service program, Spy program.]

• In the first case, the service process and the spy's process use the time
slots alternately, and the service process communicates the string 101 to the
spy's process.

• In the second case, the service program does not want to use the third time
slot, so it signals 0 there: it uses only part of the slot to decide, sends the
0, and then pauses. The spy's process then gets control for the rest of the
slot.

Identifying Potential Covert Channels


Shared Resource Matrix
• A matrix is constructed with resources as rows and processes as columns.

• The entries are 'R' and 'M'. R means "can read (or observe) the resource,"
and M means "can set (or modify, create, delete) the resource."

• For example, the file lock channel gives the following matrix:

                    Service Process    Spy's Process
Locked              R,M                R,M
Confidential data   R

Check for the following pattern:

                    Process 1    Process 2
Resource 1          M            R
Resource 2          R

• This pattern identifies two resources and two processes such that the second
process is not allowed to read the second resource.

• The first process can pass information to the second by reading the second
resource and signalling the data through the first resource.
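The pattern search above is mechanical enough to automate, which is the point of the shared resource matrix. The example below is added here and is not the module's code: it parses a matrix written in a simple text table (resources as rows, processes as columns, entries R and M as defined above), then checks every pair of resources and every ordered pair of processes for the pattern, reporting who can leak which resource to whom through which other resource. The table format, the parser and the second, channel-free matrix are constructed; the file lock matrix itself is the one given in the text.

```python
"""Shared resource matrix analysis for potential covert channels.

Added example, not the module's code. The matrix (resources as rows,
processes as columns, entries R = can read/observe, M = can set/modify/
create/delete) and the two-resource, two-process pattern follow the module;
the text table format, the parser and the sample matrices are constructed.
"""
from itertools import permutations

# The module's file lock channel matrix, written one resource per line with
# '|' separating the columns; the first row names the processes.
FILE_LOCK_TABLE = """
Resource          | Service Process | Spy's Process
Locked            | R,M             | R,M
Confidential data | R               |
"""

# Constructed variant in which the spy cannot observe the lock at all.
NO_CHANNEL_TABLE = """
Resource          | Service Process | Spy's Process
Locked            | R,M             |
Confidential data | R               |
"""


def parse_matrix(text):
    """Return {resource: {process: set of 'R'/'M'}} from the table format above."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    processes = [cell.strip() for cell in lines[0].split("|")][1:]
    matrix = {}
    for line in lines[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        resource, entries = cells[0], cells[1:]
        matrix[resource] = {
            proc: set(entry.upper().replace(",", " ").split())
            for proc, entry in zip(processes, entries)
        }
    return matrix


def _can(matrix, process, resource, kind):
    """True if `process` has access `kind` ('R' or 'M') to `resource`."""
    return kind in matrix[resource].get(process, set())


def find_covert_paths(matrix):
    """Return (sender, receiver, signal_resource, secret_resource) for every
    instance of the pattern: the sender can M the first resource and R the
    second; the receiver can R the first resource but not the second. The
    sender can then read the secret and signal it through the first resource."""
    processes = sorted({p for cells in matrix.values() for p in cells})
    findings = []
    for signal_res, secret_res in permutations(matrix, 2):
        for sender, receiver in permutations(processes, 2):
            if (_can(matrix, sender, signal_res, "M")
                    and _can(matrix, sender, secret_res, "R")
                    and _can(matrix, receiver, signal_res, "R")
                    and not _can(matrix, receiver, secret_res, "R")):
                findings.append((sender, receiver, signal_res, secret_res))
    return findings


if __name__ == "__main__":
    for sender, receiver, signal_res, secret_res in find_covert_paths(parse_matrix(FILE_LOCK_TABLE)):
        print(f"{sender} can leak '{secret_res}' to {receiver} via '{signal_res}'")
```

On the file lock matrix the search reports exactly one path: the service process can read the confidential data and signal it through the lock, which the spy's process can observe. Removing the spy's R on the lock, as in the second table, makes the pattern disappear, which is the design change the analysis suggests.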
