Networks and Security


CS 305
Social, Ethical, and Legal
Implications of Computing
Chapter 6
Computer Networks and Security
Herbert G. Mayer, PSU CS
status 6/25/2011
Slides derived from prof. Wu-Chang Feng
Syllabus

- Malware
  - Virus
  - Worms
  - Examples
  - Backdoor
  - Trojan Horse
  - Rootkit
  - Botnet
- Hackers and Phreaks
- Enforcement
- In-Class Exercise
Malware

Def: Malware is unwanted software that makes your computer carry out an attacker's instructions, such as:

- Delete files to render your computer inoperable
- Infect other systems (worms, viruses)
- Monitor activity (webcams, keystroke loggers)
- Gather information on you, your habits, and the web sites you visit
- Provide unauthorized access (Trojans, backdoors)
- Steal files, or store illicit files
- Send spam or attack other systems
- Serve as a stepping stone to launder activity, framing you for a crime
- Hide activity (rootkits)
Types of Malware

- Viruses
- Worms
- Trojans
- Backdoors
- Rootkits (user & kernel level)
What is a Virus?
Self-replicating piece of code that attaches itself to other
programs; usually requires human interaction to
propagate
Two Virus Components

Payload
- The malicious/anti-social thing that viruses & worms do that makes them highly irritating
- Examples: wiping your hard drive, deleting files, encrypting files for blackmail purposes

Propagation mechanism
- How do viruses spread?
Virus Propagation

Locally
- Simplest method
- Write it to the file system
  - Local files, executables, documents
  - Write it into the boot sector/operating system

Removable storage
- Initial viruses propagated through tapes and floppies
- Rarely target CDs specifically, but:
  - Chernobyl (CIH) on a Yamaha CD-R update CD
  - Nimda on Visual Studio .NET in Korea
- Modern media
  - Compact Flash, SD, USB keys
Virus Propagation

Network
- Most common currently
  - Email (ILOVEYOU)
  - Web
  - Newsgroups (Melissa)
  - P2P networks (FastTrack, Gnutella, IRC, BitTorrent)
    » A 2003 study showed 45% of executable files downloaded from KaZaA had viruses or Trojan horses
    » Beware of warez!
  - NFS, Samba mounts
  - Social networks
Examples

Benign
- Brain virus (1986)
  - Written to determine the level of software piracy in Pakistan

Malicious
- Michelangelo (1991)
  - Erased the boot sector on March 6
- Love Bug (2000)
  - Deleted files
  - Collected passwords and e-mailed them
  - Author was a 23-year-old Filipino CS student
  - No hacking laws in the Philippines at the time, so no prosecution
Worms
A worm is a self-replicating piece of code that spreads
via networks; usually does not require human
interaction to propagate
Virus vs. Worm

Similarities
- Goal is to infect other machines
- Can contain a payload

Virus
- Infects other files (which must have executable sections)
- Transmitted via removable storage or network
- Requires user interaction for propagation, e.g. open a file, boot from a floppy, launch an executable, click on an e-mail attachment

Worm
- Travels through the network only (the key distinction)
- May infect other files (a worm that lives only in memory can be cleared by a reboot)
- Does not require human interaction
- Targets misconfiguration or flaws/vulnerabilities in systems (buffer overflows!)
Why are Worms Powerful?

Fast scaling
- Can take over a vast number of machines, each of which will act as a launch point to infect other machines

Goal: infect 10,000 machines
- Serial example
  - Suppose an average of 1 hour per machine
  - Includes time to find a vulnerable machine, as well as infecting it
  - 10,000 hours = 416 days > 1 year!
- Worm example
  - Again, suppose an average of 1 hour per machine
  - Infected machines will subsequently take an hour to infect another, so the count after n hours is 2^n - 1
    » 1st hour: 1 infection
    » 2nd hour: 3 infections
    » 3rd hour: 7 infections
    » 14th hour: 16,383 infections, i.e. the 10,000-machine goal is met in 14 hours instead of 10,000: about 714 times faster than serial
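The slide's arithmetic and its natural generalization, as an added example that is not part of the original slides: the first three functions reproduce the serial and doubling figures above, and rcs_curve is the random-constant-spread (logistic) model that Staniford, Paxson and Weaver use for random-scanning worms, which shows why growth is exponential at first but flattens once most vulnerable hosts are already infected. The address-space size, vulnerable population and scan rate used below are illustrative assumptions, not measurements of any real worm.

```python
"""Worm growth: serial vs. doubling vs. random scanning (logistic).

Added illustration for the course slides, not code from the slides.
The population, address space and scan rate below are assumptions
chosen to be plausible, not measured values for any real worm.
"""
import math


def serial_hours(target, hours_per_machine=1.0):
    """One attacker compromising machines one after another."""
    return target * hours_per_machine


def doubling_infections(hour):
    """Every infected host infects one new host per hour, so the count
    goes 1, 3, 7, 15, ...: 2**hour - 1 after `hour` hours."""
    return 2 ** hour - 1


def hours_to_infect(target):
    """First hour at which the doubling model reaches `target` hosts."""
    return math.ceil(math.log2(target + 1))


def rcs_curve(address_space, vulnerable, scans_per_hour, hours, dt=1 / 60):
    """Random-constant-spread model of a random-scanning worm.

    Each infected host probes `scans_per_hour` uniformly random addresses;
    a probe lands on a not-yet-infected vulnerable host with probability
    (vulnerable - infected) / address_space.  Integrated with Euler steps
    of `dt` hours from a single initial infection; returns the infected
    count after every step (index 0 is the starting point).
    """
    infected = 1.0
    curve = [infected]
    for _ in range(int(round(hours / dt))):
        hits = infected * scans_per_hour * dt * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + hits)
        curve.append(infected)
    return curve


def hours_until(curve, count, dt=1 / 60):
    """Time (hours) at which the curve first reaches `count`, or None."""
    for step, infected in enumerate(curve):
        if infected >= count:
            return step * dt
    return None


if __name__ == "__main__":
    print("serial: 10,000 machines take", serial_hours(10_000), "hours")
    for h in (1, 2, 3, 14):
        print(f"doubling: hour {h:2d} -> {doubling_infections(h):,} infections")
    print("doubling: 10,000 reached at hour", hours_to_infect(10_000))

    # Assumed parameters: IPv4-sized space, 360,000 vulnerable hosts,
    # 20,000 probes per infected host per hour (about 5.5 per second).
    curve = rcs_curve(2 ** 32, 360_000, 20_000, hours=24)
    for h in (1, 4, 8, 12, 24):
        print(f"random scan: hour {h:2d} -> {curve[h * 60]:,.0f} infected")
    print("half of the vulnerable population infected after",
          f"{hours_until(curve, 180_000):.1f} hours")
```

The logistic model makes the slide's point more precisely: the initial growth rate is scans_per_hour * vulnerable / address_space per hour (about 1.7 with the assumed numbers), so a faster scanner, a denser vulnerable population, or a target-selection algorithm that avoids wasting probes on empty address space all shorten the ramp proportionally. That is the lever the Warhol and flash worm designs discussed later in the chapter pull.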
Anatomy of Worm

A worm is composed of
- Warhead
- Propagation Engine
- Target Selection Algorithm
- Scanning Engine
- Payload
Warhead

Warhead – the mechanism by which a worm gains entry into a system
- This is the part that we protect our systems against: the warhead contains the exploit code
- Buffer overflow, copying into open file shares, password attacks

Propagation Engine

Propagation Engine – how the worm transports a new copy of itself onto another machine
- Often the warhead contains the entire worm, but not always
- Warhead code can download the rest of the worm, e.g. a remote root shell exploit followed by an ftp transfer of the remainder

Target Selection Algorithm

Target Selection Algorithm – how a worm selects its next target
- Want to choose nearby targets: nearby targets are much faster to infect than far away targets
- IP address proximity, network neighborhood, e-mail address books

Scanning Engine

Scanning Engine – code that probes machines to determine whether the addresses generated by the targeting algorithm are vulnerable
- Usually pretty simple: send probing packets (TCP SYN) to targets and wait for a response
- If a connection can be opened, attempt to compromise

Payload

Payload – the malicious code that the worm actually delivers
- Early worms often had no payload; the mere act of spreading is enough to damage the Internet
- Install a backdoor, Trojan, or rootkit
- Alter or destroy files (immediately, timed, on demand)
- Encrypt your data, delete the originals, hold it for ransom
- Form a botnet (e-mail spam, search engine spam, phishing)
- Launch DoS attacks
Examples

The first few worms were "ethical" worms – worms that tried to perform a useful service

Creeper
- First worm, written by Bob Thomas in 1971 to assist air traffic controllers
- Notified air traffic controllers when the controls of a plane moved from one computer to another
- Traveled from one computer screen to the other on the network showing the message "I'm creeper! Catch me if you can!"
- Did not reproduce itself (it moved from machine to machine rather than copying)
Examples

Xerox PARC worms
- John Shoch and Jon Hupp of Xerox PARC, early eighties
- Worms as efficient carriers of software
  - "town crier" worm posted announcements on all computers on the network
  - More complex ones activated only at night to consume unused CPU cycles
- Escaped the laboratory into Xerox's network
  - One morning the employees returned to find that all the computers had crashed; when they tried to restart the computers, they crashed again
  - One of the worms had malfunctioned and created havoc in the network
  - A "vaccine" had to be created to deactivate the worm
Examples

The Internet worm (1988)
- Robert Morris (student at Cornell) discovers multiple security holes in Unix (sendmail's debug mode, a buffer overflow in fingerd, and rsh trust relationships, plus weak passwords)
  - Wanted to research whether one could create an automated means for exploiting them
  - Goal was to infect quickly but do no other damage (i.e. files left alone)
  - In the middle of the design, a patch was released for one vulnerability
  - Morris quickly launched the worm before it was completed
- Released November 2, 1988
  - Brought down a large part of the Internet: an estimated 6,000 machines, about 10% of the hosts then connected, were infected, and because the worm's check against re-infecting a host was faulty, infected machines were loaded with copies until they slowed to a crawl
  - Morris suspended from Cornell and convicted of a felony under the U.S. Computer Fraud and Abuse Act (given probation, community service and a fine)
  - Went back to school (PhD from Harvard), now a professor at MIT
- Ethics?
  - Malicious or selfish?
Code Red (2001)

Targeted the Index Server ISAPI extension (idq.dll) used by the Microsoft IIS web server
- Spreads as a malformed HTTP GET request that overflows a buffer
  - Infected server creates 99 threads to attack random IP addresses
  - windowsupdate.microsoft.com was infected too
- Infection rate
  - Over 20,000 infections in less than 10 minutes
  - Over 250,000 infections in less than 9 hours
  - Over 975,000 total infections
- Payload
  - DDoS attack against whitehouse.gov's IP address (the address was hard-coded into the worm, so the site was simply moved to a different IP before the attack started)

Code Red (2001)

People don't patch
- The IIS vulnerability was fixed (MS01-033) about a month before Code Red launched
- Infected machines observed years later
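A defender's view of the scanning engine described above and of Code Red's behaviour (99 threads probing random addresses on port 80), as an added example that is not from the slides: detection logic that flags a source which contacts many distinct destinations on one port within a short window, with most probes going unanswered. The log line format, the addresses and the thresholds are constructed for this example; real deployments would read flow records or connection logs in whatever format the sensor produces.

```python
"""Flag worm-style scanning in a connection log.

Added example for the course slides, not code from them.  The log
format (one line per connection attempt), the addresses and the
thresholds are all invented for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one scanning host and one ordinary web client."""
    base = datetime(2001, 7, 19, 10, 0, 0)
    lines = []
    # Scanner 10.0.0.5: 40 distinct addresses on port 80 in 40 seconds,
    # most probes unanswered (the usual signature of random scanning).
    for i in range(40):
        outcome = "CONNECTED" if i % 10 == 0 else "SYN_NOREPLY"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 -> 203.0.113.{i + 1}:80 {outcome}")
    # Client 10.0.0.9: repeat visits to three web servers over five minutes.
    for i, host in enumerate(["198.51.100.10", "198.51.100.20",
                              "198.51.100.10", "198.51.100.30", "198.51.100.20"]):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 -> {host}:80 CONNECTED")
    return lines


def parse_line(line):
    """'<iso-time> <src> -> <dst>:<port> <outcome>' -> (time, src, dst, port, failed)."""
    ts, src, _, dst_port, outcome = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), outcome != "CONNECTED"


def detect_scanners(lines, port=80, window_s=60, min_targets=20, min_fail_ratio=0.8):
    """Return {src: {...}} for sources whose attempts on `port` reach at least
    `min_targets` distinct destinations inside some `window_s`-second window
    while at least `min_fail_ratio` of the attempts in that window failed.
    The record kept per source is the window with the most distinct targets."""
    attempts = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, failed = parse_line(line)
        if dport == port:
            attempts[src].append((ts, dst, failed))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        window = deque()
        for ts, dst, failed in events:
            window.append((ts, dst, failed))
            # Drop attempts that fell out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()
            targets = {d for _, d, _ in window}
            fail_ratio = sum(1 for _, _, f in window if f) / len(window)
            if len(targets) >= min_targets and fail_ratio >= min_fail_ratio:
                best = alerts.get(src)
                if best is None or len(targets) > best["distinct_targets"]:
                    alerts[src] = {"distinct_targets": len(targets),
                                   "fail_ratio": round(fail_ratio, 2),
                                   "window_end": ts.isoformat()}
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {info}")
```

The distinguishing feature is fan-out, not volume: a busy web client makes many connections to a few hosts and nearly all succeed, while a scanning engine touches many hosts once each and most probes hit nothing. Thresholds need tuning per network, and legitimate high fan-out sources (vulnerability scanners, monitoring systems) need an allow-list, or the detector will page you for your own tools.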
Santy (2004)

Attacks the phpBB (PHP Bulletin Board) website software.
- Exploit
  - Input-handling flaw in phpBB: the highlight parameter of viewtopic.php was URL-decoded after it had been checked, so crafted input reaches a PHP regular-expression replacement that evaluates code, and the attacker's PHP runs on the server (fixed in phpBB 2.0.11)
- Novel target selection algorithm
  - How do you find vulnerable phpBB2 software to attack?
    » The same way you do: it Googles for it
    » 40,000 phpBB2 servers hit
  - Google eventually started blocking/censoring the searches to slow down the worm
  - Result: a new variant of Santy used the AOL and Yahoo search engines
- "Ethical" worm developed 1 week later
  - The Anti-Santy worm used the same search-engine method
  - Defaced webpage: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
Ethical Worms

Suppose you create a worm that...
- Exploits the vulnerability
- Patches the system
- Removes itself

Should you release it?
- What if it spreads out of control?
- What if it doesn't work?
- Patching could bring about problems
  - E.g. a critical application depends on the vulnerability to work correctly
  - E.g. an application depends on a certain interpretation of the specification
- Patches have to be tested thoroughly!

Are ethical worms an oxymoron?
- Perhaps not worth the trouble?
- How would one analyze this using ethical frameworks?
Ethical Disclosure

Publishing zero-day exploits
- Zero-day worms are especially dangerous because they target brand new vulnerabilities
- No patch available! (Have to hope that your system/network is adequately hardened)
- Is it ethical to disclose such vulnerabilities?
- How long should one wait to disclose them?

Publishing better ways to design worms
- Staniford, Paxson, Weaver, "How to 0wn the Internet in Your Spare Time", USENIX Security 2002
- Warhol worms / flash worms
- Infect every vulnerable host on the Internet in 15 minutes (Warhol worm) or about 30 seconds (flash worm). (!)
- Is it ethical to disclose such techniques?
Backdoors
A backdoor is a program that allows attackers to bypass
normal security controls on a system, gaining access
on the attacker’s own terms
Types of Backdoors

Local escalation of privileges
- Gives an attacker who already has an ordinary account administrator privileges

Remote execution of individual commands
- Remote attackers can send a message to a victim machine that makes it execute a single command

Remote command-line access (aka remote shell)
- Remote attacker can type directly into a command prompt of the victim machine across the network

Remote control of GUI
- Remote attacker controls the GUI of the victim machine across the network
Trojan Horse
A Trojan horse is a program which appears to have
some useful or benign capability, but conceals some
hidden, malicious functionality
Origin of term: The ancient Greeks laying siege to
Troy…
Rootkits

Rootkits are Trojan backdoor tools that modify existing operating system software so that an attacker can keep access to, and hide on, a machine
Botnets

A bot is a software program that responds to commands sent by a command-and-control program located on an external computer

Botnets are coordinated collections of bots under a single central control
- Launch denial-of-service attacks
- Send spam
- Host phishing sites
Hackers and Phreaks

Hackers – two definitions: good and bad
- Someone highly skilled in programming and the use of computer systems (a sign of respect in some circles)
- Someone who breaks into computer systems (a sign of bad behavior in public circles)

Phone phreak – someone who manipulates the telephone system in order to communicate with others without paying
- Stealing access codes, using outlawed hardware
Early Hacking Incidents

PDP-11
- Programmable minicomputer shared by many students at MIT
- Students forbidden to modify hardware
- Stewart Nelson (1960s)
  - Added a new hardware instruction in the middle of the night to "improve" performance
  - Also did it to demonstrate his skills
- Ethical evaluation
  - Does it depend on the outcome?
  - What good is an ethical framework if you can only tell afterwards whether an action is right or wrong?
U.S. Law on Hacking

Computer Fraud and Abuse Act
- Transmitting code that causes damage to a computer system
- Accessing without authorization any computer connected to the Internet
- Transmitting classified government information
- Trafficking in computer passwords
- Computer fraud
- Computer extortion
- Maximum penalty – 20 years and a $250k fine

Other acts that can be applied to Internet-based crime
- Wire Fraud Act
- National Stolen Property Act
- Identity Theft and Assumption Deterrence Act
Recent Enforcement

Ancheta (2005)
- Created a botnet of hundreds of thousands of machines
  - Some within the DoD
  - Used to spam
- Arrested in November 2005; pleaded guilty under the Computer Fraud and Abuse Act and the CAN-SPAM Act and was sentenced in May 2006
  - 57 months in prison, $15,000 in restitution to the U.S. government
  - Forfeiture of illegal proceeds and computer equipment

Gonzalez (2009)
- With Russian co-conspirators, obtained 130 million credit/debit card numbers
- Indicted in 2009 (sentenced to 20 years in prison in 2010)

Successful enforcement is few and far between, because the stealth measures that frustrate attribution are easy to implement
Blue Security

Fighting bots with bots
- Users sign up for the Blue Security service
- Whenever they mark a message as spam, they inform the Blue Security service
- A Blue Security bot automatically sends an opt-out message to the spammer
- Spammers target Blue Security and its users with an enormous volume of spam
- Service discontinued
In-Class Exercise
Oberlin College in Ohio requires that every computer
brought to campus by a student be inspected for
viruses. System administrators remove all viruses
from the students’ computers. Students whose
computers subsequently pick up and spread a virus
may be fined $25, whether they knew about the virus
or not. Is this a morally justifiable policy?
In-Class Exercise

SATAN hacker toolkit
- Security Administrator Tool for Analyzing Networks
- Probes computers for security weaknesses
- Could be used for good and evil
- Morality of publishing SATAN, using ethical frameworks?
In-Class Exercise

On-line voting
- Used in many countries to make elections cheap and easily accessible
  - Local elections in the UK (since 2001)
  - U.S. primary elections in Alaska and Arizona (2000)
- Controversial
- Election goals
  - Tamper-resistance
    » One vote per person
    » Prevent vote trading/selling
    » Audit trail to ensure proper tallying
    » Authenticating both the voter and the election service
  - Privacy
  - Ease of use to avoid voter disenfranchisement (e.g. the "butterfly" ballot of 2000)
- Ethical evaluation?