17 Virus Part III

Hiteishi Diwanji

The Internet Worm:

Morris wanted to achieve following objectives by coding the Internet worm:

1) Establish where the code can spread

2) Spreading of infection

3) Stay undiscovered and undiscoverable

Effect – degradation of system performance

The major effect of worm was resource exhaustion.
The intention was the worm had to first check for infection in a target host. In case the target is infected, the worm has to terminate existing infection or stop the new infection. There code had security fault and many of the created new copies did not end. Hence, the infected machine got overloaded with numerous replication of the worm, those copies tried to extend the infection further.
Majority systems got disconnected from the internet as a secondary effect.

System administrators got detached from the Internet,

1) The already infected machines must not spread
2) The staff wanted to stop worm from infecting their machines.
This led to third effect called isolation and people were not able to perform necessary work.
The worm caused many systems to get disconnected for several days. Many systems were not available for users as they were disconnected. Damage caused ranged from $100,000 to $97 million.

The Internet Worm:

This was designed to infect UNIX machines and looked for user accounts.
Side by side, the worm used finger program and used a trapdoor in the sendmail mail handler.
The first security flaw the worm tried to guess passwords.
The password file in UNIX system stores password after performing encryption, but everyone can read the stored ciphertext.
The worm tried to crack passwords by encrypting all popular passwords and comparing the ciphertext with that stored in password file. Different passwords were tried by the worm such as the account name, the system name, and other 432 common passwords (such as “guest,” “password,” “help,” “coffee,” “coke” “aaa”).
If unsuccessful, the worm used the dictionary file maintained for spelling checking. When a match was found, the worm logged in to that account by entering the password in plaintext form. After obtaining access to this machine, the worm tried to search for other machines those can be accessed.
The second flaw was related to fingerd. This program constantly runs to reply to the requests by other computers to get the information regarding the system users. This kind of security loophole caused overflow in the given input buffer, overwriting the stack where return address is stored. On termination of finger call, the daemon process fingerd executed this overwritten instructions, the worm was connected to a remote shell.
The third flaw explored the sendmail program and found the trapdoor. The program runs in the backdrop, waits for signals from those who want to send mail to the system. Upon receiving this notification, sendmail obtains the destination address, verifies, and after that begins communication for receiving the message. While in debugging mode, the worm allowed sendmail to accept and execute a command in the form of the string in place of the address of the destination.

The Internet Worm – Spreading infection:

The worm tries to install a bootstrap loader on chosen target. This loader has C code with length of 99 lines that gets compiled and executed.
The bootstrap loader asks sending host to supply rest of the worm. With the remaining worm code, the worm also supplies a one-time password to the host. The host breaks the connection with the target if the password is not supplied assuming that the bootstrap is rogue.

The Internet Worm- Stay undiscovered and undiscoverable.

In case of transmission error while transferring the worm code, the loader drops operation and already fetched code gets deleted and the process exits.

Code Red:

Code Red, propagates to spread malicious infection on Internet Information Server (IIS) web server.
Code Red follows two steps: infection and propagation.
It causes buffer overflow in the idq.dll which is dynamic link library that resides in the memory of server.
For propagation, Code Red performs checking of IP address on port 80 of the machine and make sure that the web server is vulnerable.

Code Red – What Effect It Had:

The first version of Code Red defaced web sites with the following text: HELLO! Welcome to http://www.worm.com ! Hacked by Chinese!
According to the date, the original Code Red performed its activities. For a given month, consider day 1st to 19th, the worm forked 99 threads to scan other computers for vulnerability, started from the same IP address. Consider day 20th to 27th, the worm performed distributed denial-of-service attack and the target was www.whitehouse.gov web site belonging to the country United States. A denial-of-service attack floods the site with large numbers of messages so that the site either slows down or stops because the site cannot handle these many messages. From day 28, till the month end, the worm was silent, no action was performed.
The second variant became active in the end of July 2001. It did not ruin the web site, but random propagation. This version infected servers quickly.
A third variant – In this version Trojan horse got injected in the target which allowed attacker to execute any command on the server remotely. The worm checked the year for 2002 and month for October and stopped propagating. The worm caught hold of the server and rebooted it after 24 or 48 hours, got itself removed from memory. The Trojan horse was left at its place.

How It Worked – code red:

The Code Red worm targeted personal computers on which Microsoft IIS software is being executed.
It used buffer overflow vulnerability. Servers running Windows NT crashed but Windows 2000 systems run the code. The infected server got the trapdoors created by the new versions of the worm and malicious users or programs could attack.
Code Red copied %windir%\cmd.exe to other four locations to form the trapdoor:c:\inetpub\scripts\root.ext c:\progra~1\common~1\system\MSADC\root.exe d:\inetpub\scripts\root.ext d:\progra~1\common~1\system\MSADC\root.exe
Code Red owned the file explorer.exe, placed it in the c: and d: drives. In place of original file, Windows ran this infected copy. First the original non infected explorer.exe was executed, later the system registry was modified and certain file protection was disabled only ensuring that particular directories have read, write, and execute permission. Virtual path set by the Trojan horse performed such actions though explorer.exe was not running. The Trojan horse runs in backdrop and resets the registry at the interval of 10 minutes. In case system administrator observes the changes and undo the actions, the malevolent code performed the changes again.
The worm forked 300 threads or 600 threads and took 24 or 48 hours to stretch across the machines. Then the system was forced to reboot, moved out the traces of the worm from memory but still left the backdoor as well as Trojan horse at its place.
The work used nonblocking socket and enhanced its performance. The threads did not slow down as an after effect of slow connection while scanning for connection.

Trojan Horse:

Trojan is different from viruses and worms. Trojan is neither self-replicating nor it copies itself into other files.
Infection is through opening an email attachment or downloading and running a file from the Internet.

Types of Trojans:

A Backdoor Trojan is one that is designed to circumvent authentication, giving remote access to the hacker.
A Trojan Ransom, also known as ransomware, can encrypt data or lock up system until victim pays to the criminal.
The Trojan Spy can log your keystrokes
The Trojan Mailfinder can acquire email addresses from your computer’s address book
Trojan Banker, which is designed to steal online banking and credit card information.

Zeus Trojan – Trojan Banker is Zeus(Zbot):

The Zeus Trojan can add extra fields to a Web page with a form, like the pages one might visit when doing their online banking.

Actual bank’s Web page and not forged site, a few extra fields to fill might not seem as suspicious to the user.
The fields may be disguised as added security questions that could give the criminal needed information to gain access to the account later on.

Zeus was being sold as a malware toolkit enabling less experienced cyber criminals access to the technology. Until 2011 when the source code was made public, the Zeus toolkit could cost up to $10,000.

Malicious Code related to Web: Web Bugs

A web bug also named pixel tag, clear gif, one-by-one gif, invisible gif, or beacon gif. HTML tags got displayed by the hidden image belonging to the document.
Commercial.com, sells all types of household items through web having a web bug attached for a marketing and advertising firm Market.com. The bug puts a file named a cookie on the hard drive of the system of the victim. This cookie, is a numeric identifier unique to machine. The cookie keeps track of victim’s surfing habits and builds a demographic profile which directs victim to retailers that is of interest to victim.
For example, Commercial.com provides a link to other sites, puts up a banner advertisement to grab attention of users to its partner sites. This partner site customizes the contents as per user requirements.

How They Work – Web bugs:

Web bugs insert numeric data. They do not grab personal information, For example, name and address of user.

While purchasing an item from Commercial.com, it asks to feed personal information.

The web server can capture

Victim computer’s IP address
The web browser used by the victim,
Victim computer monitor’s resolution,
Other browser settings, such as Java technology enabled, time for which the connection was held, previous cookie values and more.
This information can be used to track from where and when victim referred the site, what usually victim buys, or what is victim’s personal information.
The web bug used the log files maintained by the web server and determine victim’s IP address—to hack the system through this IP address.

TARGETED MALICIOUS CODE:

Malicious code influences a specific system. It is pertaining to an application and its intended effect is well determined.

Trapdoor:

A trapdoor provides an entry point to a module that is undocumented.
In the process of code development, the trapdoor gets inserted. The purpose is testing the module; apply the further modifications or enhancements. In case the module fails trapdoor has a way to access that module.
To test a component as a single unit, the developer or tester has to write “stubs” and “drivers”. These routines insert data and take out results generated by the components which are undergoing tests. For further testing, stubs and drivers are replaced by the actual components.
Unit and integration testing pinpoints the faults in components. The developer inserts the debugging code that shows actions of components when they got executed or when they communicate.
For controlling stubs or invoking debugging code, control sequences are introduced by the programmer in the design of the component for testing.
For example, a component designed for text formatting system recognizes commands such as .PAGE, .TITLE, and .SKIP.
For testing purpose, the programmer uses a command of the type var = value in the debugging code for various parameters to prove correctness of the component.
For testing, Command insertion is practiced. If these commands are not removed, they cause problems. These commands are not documented and they create side effects and further become trapdoors.

Poor error checking – another source of trapdoor:

The data value must be checked before use for following:

1) The data type is correct
2) The value is within acceptable bounds
A component can be coded for desired outcomes; if output does not match with these outcomes, it must recognize this as error. The developer applies a CASE statement with options and looks for one out of these possibilities. A careless programmer passes through all the options of the CASE, does not flag as an error.
The Morris worm exploits the fingerd flaw in this way: A C library having I/O routine is used to get next character from the input buffer but it does not flush the input buffer before getting new characters in the input buffer.

How trapdoors are created:

Hardware processor design contributes in creating trapdoor. It uses binary opcode but all these do not define machine instructions. There are undefined opcodes which are assigned specialized instructions, for testing purpose or because processor designer did not pay attention.
Trapdoors help in locating security flaws.
Documentation of Trapdoors must be done and controlled access must be provided.
Trapdoors when designed must be implemented with clarity of outcomes.

Causes of Trapdoors:

Trapdoors exist in programs because the program writers

forget to remove them
purposefully put them in the program so that testing can be performed
Purposefully put them in the code for maintenance of the program, or
Purposefully put them as a covert means of accessing the component once it became integral part of the program.

Salami Attack:

A salami attack focuses on insignificant data and generates powerful results.
For example, programs pay no attention to small amounts of money in calculations, such as fractional paisa in interest or tax calculation.
Suppose bank decides to pay 4.5 percent interest on account. After the first month, user has got Rs. 95.67 as a balance in account. For a month having 31 days, divide the interest rate by 365 to get the daily rate, and then multiply by 31 to find the interest for the month. Thus, the total interest for 31 days is 31/365*0.045*102.87 = Rs.0.0197278856. Since banks deal only in full paisa, to round down if remaining is less than fifty paisa and round up if a remaining is fifty paisa or more. The amount Rs.0.019727 rounded down to Rs.0.01, instead of up to Rs.0.02.

Why Salami Attacks Persist:

Round or truncate leaves errors in computations done by computers. This is visible when computations are performed between large numbers and small ones.
A minute error is natural and unavoidable.
Error corrections are applied to reconcile accounts after computations.
rrections are not audited properly Salami attack is caused.

Covert Channels: Programs That Leak Information:

A “service program” containing a Trojan horse. This attempts to create duplication of information from a genuine user (access is permitted) to a “spy” (access not permitted).

The genuine user is unaware of Trojan horse

Covert Channel Overview:

Programmer must not have permission to access sensitive data once the program is kept in operation. Programmer wants a program to pass some data secretly to his program.
The programmer is called the “spy,” and one who runs the program is the “user”.

Creating Covert channels:

In printing, the programmer applies various formats to the data, sets the number of characters in each line, or prints or omits particular values.
For example, in the heading the word “TOTAL” changes to “TOTALS” goes unnoticed, but 1-bit covert channel gets created. The absence or presence of the ‘S’ passes one bit of information.
Covert channels can be called storage channels because they deal with objects related to storage. The information is related to the objects in storage announcing their presence or absence.
Example is the file lock channel concerning to storage covert channel.
Two persons are not allowed to write to the same file at the same time in multiuser systems. Hence files are “locked”.
Whether a file is locked or not, accordingly a covert channel passes signal in one bit.

To signal information for more than one bit, time interval is allocated to the service program and the spy program. One bit of information is transferred in each time interval.

Timing Channels:

A service program uses a timing channel to convey information. It simply signals whether it uses an assigned amount of computing time.
Assume that a multiprogrammed system has two user processes. This multiprogrammed system divides time into slots and allocates this slots to two processes in alternate manner.
A process is offered the time slot. Since the current process wants some event to occur and right now cannot do processing, rejects the time slot.
The service process in case uses its slot (to signal a 1) or rejects its slot (to signal a 0).

In the first case study, the service process and the spy’s process utilizes time slots in an alternate manner. So the service process communicates the string 101 to the spy’s process.
In the second case, the service program does not want to use the third time slot, hence signals 0 in the third time slot. It will utilize only part of the time slot to determine and sends a 0 and then pauses. The spy process then gets control of the remaining time slot.

Identifying Potential Covert Channels

Shared Resource Matrix

A matrix with rows as resources and processes as columns is constructed.
The matrix has entries called ‘R’ and ‘M’. R means “can read (or observe) the resource” and M means “can set (or modify, create, delete) the resource.”
For example, the file lock channel maintains the following matrix

	Service Process	Spy’s Process

Locked	R,M	R,M

Confidential data	R

Check for the following pattern:

		Processes

Resources	M		R
	R
		Processes

Resources	M		R
	R		R

This pattern identifies two resources and two processes such that the second process is not allowed to read from the second resource.
The first process can pass the information to the second by reading from the second resource and signaling the data through the first resource.

you can view video on Virus Part III

Suggested Reading:

Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
www.snort.org
https://nmap.org