Virus 3
2) Spreading of infection
• The worm was meant to check first whether a target host was already infected and, if so, either terminate the existing copy or abandon the new one. A fault in this code meant that many newly created copies never exited, so infected machines became overloaded with replicas of the worm, each of which kept trying to spread the infection further.
• A further effect was isolation: people were unable to do necessary work.
• The worm caused many systems to be disconnected from the network for several days, and they were unavailable to their users while disconnected. Estimates of the damage ranged from $100,000 to $97 million.
• The worm was designed to infect UNIX machines and looked for user accounts it could guess its way into.
• Alongside password guessing, it exploited the finger program (fingerd) and a trapdoor in the sendmail mail handler.
e-PG Pathshala Information Technology Information security
• The UNIX password file stores each password in encrypted (hashed) form, but the stored ciphertext is readable by everyone on the system.
• The worm therefore cracked passwords offline: it encrypted each candidate password the same way and compared the result with the stored ciphertext. Candidates included the account name, the system name and an internal list of 432 common passwords (such as "guest", "password", "help", "coffee", "coke", "aaa").
• If those failed, the worm tried every word in the system dictionary file kept for spell checking. When a match was found, the worm logged in to that account by supplying the recovered password in plaintext. Having gained access to the machine, it searched for further machines reachable from it.
• The second flaw was in fingerd. This daemon runs continuously to answer requests from other computers for information about the system's users. It read each request into a fixed-size buffer on the stack without checking the request's length, so an over-long request overflowed the buffer and overwrote the saved return address stored beyond it. When the routine returned, fingerd jumped to the instructions the worm had placed in the buffer, which connected the worm to a remote shell.
• The third flaw was a trapdoor in the sendmail program. sendmail runs in the background, waiting for connections from hosts that want to deliver mail to the system. On receiving a connection it obtains the destination address, verifies it and then begins receiving the message. With the program in debugging mode, however, the worm could make sendmail accept and execute a command supplied as a string in place of the destination address.
• The worm then installed a bootstrap loader on the chosen target: 99 lines of C code that were compiled and executed there.
• The bootstrap loader asked the sending host to supply the rest of the worm. Along with the request for the remaining worm code, the bootstrap had to present a one-time password to the sending host; if the password was not supplied, the host assumed the bootstrap was a rogue and broke the connection with the target.
• If a transmission error occurred while the worm code was being transferred, the loader abandoned the operation, deleted the code already fetched and exited.
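The password guessing described above, as an added example that is not code from the page or from the worm: the password file is world-readable, so the guesses are hashed and compared offline, in the worm's order (account-derived strings, the system name, a built-in word list, then the spelling dictionary). The salted SHA-256 stands in for crypt(3), and the passwd text, host name, word list and dictionary are all constructed for the demo; the page quotes only six of the worm's 432 built-in words, so only those six appear here.

```python
import hashlib
from typing import Dict, Iterator, List


def hash_pw(salt: str, password: str) -> str:
    """Stand-in for UNIX crypt(3): a salted hash whose salt is stored in the clear."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse constructed 'user:salt$hash:uid:gid:gecos:home:shell' lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pwfield, _uid, _gid, gecos, _home, _shell = line.split(":")
        salt, digest = pwfield.split("$", 1)
        entries.append({"user": user, "salt": salt, "hash": digest, "gecos": gecos})
    return entries


# The six words the page quotes from the worm's list of 432; the rest are not reproduced.
COMMON_WORDS = ["guest", "password", "help", "coffee", "coke", "aaa"]


def candidates(entry: Dict[str, str], hostname: str, common_words, dictionary) -> Iterator[str]:
    """Guesses in the worm's order: account-derived, GECOS words, system name, built-in list, dictionary."""
    user = entry["user"]
    yield from (user, user * 2, user[::-1], user.capitalize())
    yield from (w.lower() for w in entry["gecos"].replace(",", " ").split())
    yield hostname
    yield from common_words
    yield from dictionary


def guess_passwords(entries, hostname: str, common_words=COMMON_WORDS, dictionary=()) -> Dict[str, str]:
    """Return {user: password} for every account whose stored hash matched a guess."""
    cracked = {}
    for e in entries:
        tried = set()
        for guess in candidates(e, hostname, common_words, dictionary):
            if guess in tried:
                continue
            tried.add(guess)
            if hash_pw(e["salt"], guess) == e["hash"]:
                cracked[e["user"]] = guess
                break
    return cracked


def build_sample_passwd() -> str:
    """Constructed world-readable password file; the plaintexts exist only to build it."""
    rows = [
        ("alice", "a1", "alice", "Alice Adams,Room 12"),   # password == account name
        ("bob", "b2", "coffee", "Bob Baker"),              # on the built-in list
        ("carol", "c3", "zebra", "Carol Clark"),           # in the dictionary
        ("dave", "d4", "Tr0ub4dor&3", "Dave Dunn"),        # survives every guess
        ("erin", "e5", "vax1", "Erin Evans"),              # password == system name
    ]
    return "\n".join(f"{u}:{s}${hash_pw(s, p)}:1000:100:{g}:/home/{u}:/bin/sh" for u, s, p, g in rows)


SAMPLE_DICTIONARY = ["apple", "zebra", "zygote"]   # constructed stand-in for the spelling dictionary
HOSTNAME = "vax1"                                   # constructed system name

if __name__ == "__main__":
    print(guess_passwords(parse_passwd(build_sample_passwd()), HOSTNAME, dictionary=SAMPLE_DICTIONARY))
```

Four of the five constructed accounts fall to a few dozen hash computations each; only the account whose password is not derived from the account, the host or a word list survives. The defence the worm's success motivated is the same today: keep the hashes out of world-readable files (shadow passwords), use a slow salted hash, and reject passwords drawn from names and dictionaries.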
Code Red:
• Code Red is a worm that spreads between machines running Microsoft Internet Information Server (IIS).
• It exploits a buffer overflow in idq.dll, a dynamic link library loaded into the web server's memory.
• To propagate, Code Red picks IP addresses, connects to port 80 and checks whether the web server there is vulnerable.
• The first version of Code Red defaced web sites with the following text:
HELLO! Welcome to http://www.worm.com ! Hacked by Chinese!
• The original Code Red chose its activity by the day of the month. From the 1st to the 19th the worm forked 99 threads that scanned other computers for the vulnerability; the scan started from the same IP address on every infected machine. From the 20th to the 27th it mounted a distributed denial-of-service attack on www.whitehouse.gov, the web site of the United States government. A denial-of-service attack floods a site with so many messages that it slows down or stops because it cannot handle them all. From the 28th until the end of the month the worm was silent.
• The second variant became active at the end of July 2001. It did not deface the web site but propagated to randomly chosen addresses, so it infected servers far more quickly.
• A third variant (known as Code Red II) injected a Trojan horse into the target that let an attacker execute any command on the server remotely. The worm checked the date and stopped propagating once it reached October 2002. Having taken hold of the server, it rebooted it after 24 or 48 hours, which removed the worm itself from memory but left the Trojan horse in place.
• The Code Red worm targeted computers running Microsoft IIS. Its backdoor was a copy of the Windows command interpreter, cmd.exe, placed as root.exe where the web server could be made to run it:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
• The worm also dropped a Trojan copy of explorer.exe in the root of the C: and D: drives. Because of the search order Windows used, this infected copy ran in place of the original. It first launched the genuine explorer.exe, then modified the system registry: it disabled Windows file protection and added virtual web directories that exposed the drives through the web site with read, write and execute permission. Because those mappings lived in the registry, they stayed in effect even when the Trojan explorer.exe was not running. The Trojan runs in the background and rewrites the registry every 10 minutes, so if a system administrator notices the changes and undoes them, the malicious code simply makes them again.
• The worm forked 300 or 600 threads and spread for 24 or 48 hours. It then forced a reboot, which cleared the worm from memory but left the backdoor and the Trojan horse in place.
• The worm used non-blocking sockets, which improved its performance: scanning threads were not held up waiting on slow connections.
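Detection logic for the two artefacts described above, as an added example that is not code from the page or from any IIS tooling: a scan over IIS-style log lines that flags requests to the .ida/.idq extensions (which idq.dll handled) carrying a long filler run and %u-encoded payload, and requests for the root.exe backdoor paths listed above. The log lines are constructed for the demo, and the /default.ida query is a stylised stand-in for the worm's request, not its actual bytes.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed IIS-style W3C log lines: date time c-ip method uri-stem uri-query status.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:22:31 203.0.113.7 GET /default.ida " + "N" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-07-19 10:22:40 198.51.100.9 GET /index.htm - 200",
    "2001-08-05 03:14:02 203.0.113.20 GET /scripts/root.exe /c+dir 200",
    "2001-08-05 03:14:05 203.0.113.20 GET /MSADC/root.exe /c+dir 404",
    "2001-08-05 03:15:01 203.0.113.21 GET /default.ida " + "X" * 224 + "%u9090%u6858%ucbd3%u7801 200",
    "2001-08-05 03:16:11 198.51.100.9 GET /search.idq CiRestriction=budget 200",
])

BACKDOOR_STEM = re.compile(r"^/(scripts|msadc)/root\.exe$", re.IGNORECASE)
IDQ_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)   # extensions served by idq.dll
UNICODE_ESCAPE = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)
FILLER_RUN = re.compile(r"([NX])\1{99,}")             # 100 or more repeated N or X


def parse_line(line: str) -> Dict[str, str]:
    date, time, ip, method, stem, query, status = line.split(" ", 6)
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def classify(rec: Dict[str, str]) -> str:
    """Return a finding name, or '' for an ordinary request."""
    if BACKDOOR_STEM.match(rec["stem"]):
        return "root.exe backdoor probe"
    if IDQ_STEM.search(rec["stem"]):
        query = rec["query"]
        if UNICODE_ESCAPE.search(query) and FILLER_RUN.search(query):
            return "idq.dll overflow attempt (Code Red style)"
        if len(query) > 240:
            return "oversized .ida/.idq query"   # generic guard against other payloads
    return ""


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """(source ip, uri-stem, finding) for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        finding = classify(rec)
        if finding:
            findings.append((rec["ip"], rec["stem"], finding))
    return findings


def offenders(findings) -> Dict[str, int]:
    """How many flagged requests each source address sent."""
    return dict(Counter(ip for ip, _, _ in findings))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(offenders(scan_log(SAMPLE_LOG)))
```

The backdoor rule fires on the request path alone, whatever the status code: a 404 for /MSADC/root.exe is still someone probing for the Trojan, and on a host where it returns 200 the machine should be treated as compromised rather than merely attacked. The ordinary .idq search request passes both overflow checks.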
Trojan Horse:
• A Trojan horse differs from viruses and worms: it neither replicates itself nor copies itself into other files.
Types of Trojans:
• A Trojan Ransom, also known as ransomware, encrypts data or locks up the system until the victim pays the criminal.
• A Trojan Mailfinder harvests email addresses from the address book on the victim's computer.
• A Trojan Banker is designed to steal online banking and credit card information.
• The Zeus Trojan can add extra fields to a web page containing a form, such as the pages a user visits for online banking.
• Because this is the real bank's web page and not a forged site, a few extra fields to fill in do not look suspicious to the user.
• The fields may be disguised as additional security questions whose answers give the criminal the information needed to access the account later.
• Zeus was sold as a malware toolkit, giving less experienced cyber criminals access to the technology. Until its source code was made public in 2011, the Zeus toolkit could cost up to $10,000.
• Consider Commercial.com, which sells all kinds of household items through the web and whose pages carry a web bug placed by a marketing and advertising firm, Market.com. The bug stores a file called a cookie on the hard drive of the victim's machine. The cookie is a numeric identifier unique to that machine; it lets Market.com track the victim's surfing habits and build a demographic profile used to direct the victim to retailers of likely interest.
• This information can reveal where and when the victim was referred to the site, what the victim usually buys, and personal information about the victim.
• The web bug's operator can also use the log files kept by the web server to learn the victim's IP address, a starting point for attacking that machine directly.
Trapdoor:
• A trapdoor is an undocumented entry point to a module.
• Trapdoors are inserted during code development so that the module can be tested and so that modifications or enhancements can be applied later. If the module fails, the trapdoor still gives a way into it.
• Programmers use trapdoors to get at a program after it has been put into use.
• To test a component on its own, the developer or tester writes "stubs" and "drivers": routines that feed data into the component under test and collect the results it produces. For later stages of testing, the stubs and drivers are replaced by the real components.
• Unit and integration testing pinpoint faults in components. The developer inserts debugging code that reports what the components do as they execute and as they communicate with each other.
• For testing, the programmer may include in the debugging code a command of the form var = value that sets various parameters directly, in order to check the component's correctness.
• A component can be coded to expect one of a set of outcomes; if its output matches none of them, it must recognise this as an error. The developer writes a CASE statement with one branch per expected possibility. A careless programmer omits the "otherwise" branch, so an unexpected value falls through all the options of the CASE without being flagged as an error.
• The Morris worm exploited the fingerd flaw in exactly this way: the C library I/O routine fingerd used to read its input (gets) copies characters into the input buffer without checking the buffer's bounds, so an over-long request overwrote the memory beyond it.
Causes of Trapdoors:
Trapdoors exist in programs because the program writers
Salami Attack:
• A salami attack collects amounts too small to notice and turns them into a substantial result.
• Suppose a bank pays 4.5 percent annual interest on accounts and, after the first month, an account holds Rs. 102.87. For a 31-day month the bank divides the annual rate by 365 to get the daily rate and multiplies by 31 to get the month's interest: 31/365 * 0.045 * 102.87 = Rs. 0.3931607. Since banks deal only in whole paisa, the rule is to round down when the remaining fraction is less than half a paisa and up when it is half a paisa or more, so this account is credited Rs. 0.39 and the remaining Rs. 0.0031607 is lost to rounding. A salami program truncates every account's interest regardless of the rounding rule and credits the shaved fractions to the attacker's account; each fraction is under a paisa, but across all of a bank's accounts, month after month, they add up.
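The interest computation above carried through in code, as an added example that is not from the page: the bank's round-to-nearest rule beside the salami program's truncation, the amount diverted when the program is run over many accounts, and the reconciliation check an auditor can run. The rate and the Rs. 102.87 balance are the text's; the other balances and the 10,000-account population are constructed. Decimal arithmetic is used because binary floating point cannot represent paisa exactly.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Iterable, Tuple

RATE = Decimal("0.045")          # 4.5 percent per year, from the text
PAISA = Decimal("0.01")


def exact_interest(balance: Decimal, days: int, rate: Decimal = RATE) -> Decimal:
    """Interest for `days` days at the daily rate rate/365, before any rounding."""
    return balance * rate * days / Decimal(365)


def honest_credit(balance: Decimal, days: int) -> Decimal:
    """The bank's rule: round to the nearest paisa, half a paisa or more rounds up."""
    return exact_interest(balance, days).quantize(PAISA, rounding=ROUND_HALF_UP)


def salami_credit(balance: Decimal, days: int) -> Decimal:
    """The doctored program: always truncate, and keep the shaved fraction."""
    return exact_interest(balance, days).quantize(PAISA, rounding=ROUND_DOWN)


def run_month(balances: Iterable[Decimal], days: int) -> Tuple[Decimal, Decimal, Decimal]:
    """(total owed under the rule, total the salami program credits, total it diverts)."""
    balances = list(balances)
    owed = sum((honest_credit(b, days) for b in balances), Decimal(0))
    credited = sum((salami_credit(b, days) for b in balances), Decimal(0))
    diverted = sum((exact_interest(b, days) - salami_credit(b, days) for b in balances), Decimal(0))
    return owed, credited, diverted


def audit(balances: Iterable[Decimal], days: int, credited_total: Decimal) -> Decimal:
    """Reconciliation: interest the rule says was owed minus what was actually credited."""
    owed = sum((honest_credit(b, days) for b in balances), Decimal(0))
    return owed - credited_total


if __name__ == "__main__":
    for bal in (Decimal("102.87"), Decimal("120.00")):
        print(bal, exact_interest(bal, 31), honest_credit(bal, 31), salami_credit(bal, 31))
    population = [Decimal("120.00")] * 10000   # constructed account population
    owed, credited, diverted = run_month(population, 31)
    print("owed", owed, "credited", credited, "diverted", diverted)
    print("audit discrepancy", audit(population, 31, credited))
```

For the text's Rs. 102.87 the rule and the salami program agree on Rs. 0.39, so a totals check shows nothing; the skim is only the fraction the bank would have discarded anyway. For a balance of Rs. 120.00 the rule rounds 0.4586 up to 0.46 while the program credits 0.45, and that one paisa per such account is what a reconciliation of interest owed against interest credited exposes. Roughly half of a realistic account population falls on the round-up side, so the audit works at scale even though it is blind to any single account.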
Covert Channels:
(Figure: a legitimate user of a service program, the protected data it reads, and the spy's program.)
• The programmer of the service program is called the "spy", and the person who runs the program is the "user".
• For example, changing the word "TOTAL" in a report heading to "TOTALS" goes unnoticed, but it creates a 1-bit covert channel: the absence or presence of the "S" passes one bit of information.
• Covert channels of this kind are called storage channels because they work through objects in storage; the information is conveyed by the presence or absence of those objects.
• In multiuser systems two people are not allowed to write to the same file at the same time, so files are "locked". Whether a file is locked is itself a storage object whose state can carry a bit.
(Figure: in each interval the service program either creates the file, sending 1, or does not, sending 0; the spy's program tests whether the file exists and reads Yes: 1 or No: 0.)
• To signal more than one bit, the service program and the spy's program are allotted alternating time intervals, and one bit of information is transferred in each interval.
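The file-existence channel in the figure, simulated as an added example that is not code from the page: a dictionary-like store stands in for the file system, a counter stands in for the alternating time intervals, the service program locks or unlocks one scratch file per interval according to the next bit of the protected data, and the spy, which cannot read that data, reconstructs it by polling the lock. The file name and the secret are constructed. A lock-churn measure an auditor could compute from the store's event log is included, since the channel's only footprint is an implausible rate of lock changes on one file.

```python
from typing import List, Tuple

SIGNAL_FILE = "scratch.tmp"   # hypothetical file name both programs are allowed to use


def to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


class SharedStore:
    """Stand-in for the file system: the only object both programs can touch."""
    def __init__(self):
        self.locked = set()
        self.events: List[Tuple[int, str, str]] = []   # (interval, action, name), as an audit log

    def lock(self, name: str, t: int):
        if name not in self.locked:
            self.events.append((t, "lock", name))
        self.locked.add(name)

    def unlock(self, name: str, t: int):
        if name in self.locked:
            self.events.append((t, "unlock", name))
        self.locked.discard(name)

    def is_locked(self, name: str) -> bool:
        return name in self.locked


class ServiceProgram:
    """Has legitimate access to the protected data; its Trojan part leaks one bit per interval."""
    def __init__(self, store: SharedStore, protected: bytes):
        self.store, self.bits = store, to_bits(protected)

    def run_interval(self, t: int):
        if t < len(self.bits):
            if self.bits[t]:
                self.store.lock(SIGNAL_FILE, t)     # "create (1)" in the figure
            else:
                self.store.unlock(SIGNAL_FILE, t)   # absent means 0


class SpyProgram:
    """Cannot read the protected data; only observes whether the file is locked."""
    def __init__(self, store: SharedStore):
        self.store, self.bits = store, []

    def run_interval(self, t: int):
        self.bits.append(1 if self.store.is_locked(SIGNAL_FILE) else 0)


def leak(protected: bytes) -> Tuple[bytes, List[Tuple[int, str, str]]]:
    """Alternate service and spy intervals until every bit has crossed; return what the spy got."""
    store = SharedStore()
    service, spy = ServiceProgram(store, protected), SpyProgram(store)
    for t in range(len(protected) * 8):
        service.run_interval(t)   # service's interval
        spy.run_interval(t)       # spy's interval
    return from_bits(spy.bits), store.events


def lock_churn(events: List[Tuple[int, str, str]], window: int) -> int:
    """Most lock/unlock events on any one name within `window` consecutive intervals."""
    best = 0
    for name in {e[2] for e in events}:
        times = sorted(t for t, _, n in events if n == name)
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t < start + window))
    return best


if __name__ == "__main__":
    recovered, log = leak(b"secret")
    print(recovered, "lock changes in 48 intervals:", lock_churn(log, 48))
```

The spy never touches the protected data; it only asks the question any process may ask, "is this file locked?". Closing the channel means either denying the spy that observation (lock queries that reveal nothing about other users' locks) or making the service's timing unreliable enough that the bits cannot be aligned, and the audit log shows the signature to look for meanwhile.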
Timing Channels:
• A service program can also convey information through a timing channel: it signals simply by whether or not it uses an assigned amount of computing time.
• A process is offered a time slot. If the process is waiting for some event and cannot do useful work right now, it rejects the slot.
• The service process therefore either uses its slot (to signal a 1) or rejects it (to signal a 0).
(Figure: normal scheduling compared with the covert timing channel.)
• Under normal scheduling, the service process and the spy's process simply use their time slots alternately. In the covert channel the service process spells out bits with its slots: to send the string 101 it uses its first slot, rejects the next one and uses the one after.
• When the service program rejects a slot, it uses only enough of the slot to decide that it is sending a 0 and then pauses; the spy's process then gets control for the remainder of that slot, and so observes the 0.
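The timing channel of the figure, simulated as an added example that is not code from the page: a round-robin scheduler alternates a service slot and a spy slot, the service either uses its whole slot (1) or yields after a short decision cost (0), and the spy decodes a bit per round from how much CPU time it received. The quantum and the decision cost are constructed numbers. A `reclaim_for_spy` switch shows the mitigation: a scheduler that idles for the rest of a rejected slot instead of handing it to the next process leaves the spy seeing the same time every round.

```python
from typing import List, Tuple

QUANTUM = 100      # ticks in one time slot (constructed)
DECIDE_COST = 5    # ticks the service spends before deciding to give up a slot (constructed)


class ServiceProcess:
    """Uses its whole slot to send a 1, or gives the slot up early to send a 0."""
    def __init__(self, bits: List[int]):
        self.bits = list(bits)

    def run_slot(self) -> int:
        """Return the number of ticks consumed in this slot."""
        if not self.bits:
            return QUANTUM                 # nothing left to send: behave normally
        return QUANTUM if self.bits.pop(0) else DECIDE_COST


class SpyProcess:
    """Measures how much CPU time it received in each scheduling round."""
    def __init__(self):
        self.rounds: List[int] = []

    def observe(self, leftover_from_service: int, own_slot: int):
        self.rounds.append(leftover_from_service + own_slot)

    def decode(self) -> List[int]:
        # A normal round gives the spy exactly its own slot; more means the service yielded: a 0.
        return [0 if ticks > QUANTUM else 1 for ticks in self.rounds]


def schedule(service: ServiceProcess, spy: SpyProcess, rounds: int,
             reclaim_for_spy: bool = True) -> List[Tuple[int, int]]:
    """Round-robin: service slot, then spy slot. Returns (service ticks, spy ticks) per round.
    With reclaim_for_spy the unused part of the service's slot falls to the spy, which is the
    channel; without it the scheduler idles for that time instead, which closes the channel."""
    trace = []
    for _ in range(rounds):
        used = service.run_slot()
        leftover = QUANTUM - used if reclaim_for_spy else 0
        spy.observe(leftover, QUANTUM)
        trace.append((used, leftover + QUANTUM))
    return trace


def transmit(bits: List[int], reclaim_for_spy: bool = True) -> List[int]:
    """Run one scheduling round per bit and return what the spy decoded."""
    service, spy = ServiceProcess(bits), SpyProcess()
    schedule(service, spy, len(bits), reclaim_for_spy)
    return spy.decode()


def bits_to_str(bits: List[int]) -> str:
    return "".join(map(str, bits))


if __name__ == "__main__":
    print("normal  :", schedule(ServiceProcess([]), SpyProcess(), 3))
    print("channel :", schedule(ServiceProcess([1, 0, 1]), SpyProcess(), 3))
    print("decoded :", bits_to_str(transmit([1, 0, 1])))
    print("fixed   :", bits_to_str(transmit([1, 0, 1], reclaim_for_spy=False)))
```

Real schedulers are noisier than this model, which is why practical timing channels use repetition and error correction; the shape of the defence is the same, though: do not let one process's behaviour change the time another process measures, or add enough noise that the measurement is worthless.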
• The analysis matrix has a row for each resource and a column for each process, with entries "R" and "M": R means "can read (or observe) the resource" and M means "can set (or modify, create, delete) the resource".
• For example, the file lock channel gives the following matrix:

                       Service process   Spy's process
    Confidential data        R
    File lock                R, M              R

  The general pattern that indicates a covert channel is:

                       Process 1   Process 2
    Resource 1            M            R
    Resource 2            R

• This pattern identifies two resources and two processes such that the second process is not allowed to read from the second resource.
• The first process can pass information to the second by reading from the second resource and signalling the data through the first resource.
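The pattern search carried out mechanically, as an added example that is not code from the page: the matrix is a mapping from resource to process to access set, the finder enumerates every ordered pair of resources and processes and reports each one that matches the pattern above, and a helper produces a hardened copy of the matrix with one observation right removed so the effect on the channel can be checked. The file-lock matrix is the one given above; the process and resource names are the text's.

```python
from itertools import permutations
from typing import Dict, List, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]   # resource -> process -> subset of {"R", "M"}


def access(matrix: Matrix, resource: str, process: str) -> Set[str]:
    return matrix.get(resource, {}).get(process, set())


def find_channels(matrix: Matrix, processes: List[str]) -> List[Tuple[str, str, str, str]]:
    """Every (sender, receiver, leaked resource, signalling resource) matching the pattern:
    the sender can R the leaked resource and the receiver cannot; the sender can M the
    signalling resource and the receiver can R it."""
    found = []
    for leaked, signal in permutations(list(matrix), 2):
        for sender, receiver in permutations(processes, 2):
            if ("R" in access(matrix, leaked, sender)
                    and "R" not in access(matrix, leaked, receiver)
                    and "M" in access(matrix, signal, sender)
                    and "R" in access(matrix, signal, receiver)):
                found.append((sender, receiver, leaked, signal))
    return found


# The file lock channel's matrix, as given in the text.
FILE_LOCK_MATRIX: Matrix = {
    "confidential data": {"service": {"R"}},
    "file lock": {"service": {"R", "M"}, "spy": {"R"}},
}


def deny_observation(matrix: Matrix, resource: str, process: str) -> Matrix:
    """Hardened copy in which `process` can no longer observe `resource` (for the lock,
    the equivalent of lock queries that reveal nothing about other users' locks)."""
    new = {r: {p: set(a) for p, a in procs.items()} for r, procs in matrix.items()}
    new.setdefault(resource, {}).setdefault(process, set()).discard("R")
    return new


if __name__ == "__main__":
    print(find_channels(FILE_LOCK_MATRIX, ["service", "spy"]))
    print(find_channels(deny_observation(FILE_LOCK_MATRIX, "file lock", "spy"), ["service", "spy"]))
```

The finder reports the service-to-spy channel through the lock and nothing else; once the spy's R on the lock is removed the pattern no longer matches anywhere. On a real system the matrix is far larger and a match is a candidate to investigate rather than a proven channel, since a matching pair whose timing cannot be coordinated may carry nothing usable.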