Chapter 9

Intruders and Viruses

Thanks to H. Johnson; modified by Clark Elliott



  • Three classes of intruders (hackers or crackers):

  • Masquerader – not authorized to be on the system at all; gets in by defeating access controls, typically through a legitimate user's account.

  • Misfeasor – right person, wrong access: a legitimate user who reaches data, programs or resources they are not authorized for, or misuses the access they do have.

  • Clandestine user – has seized admin (supervisory) control and uses it to evade auditing and access controls, so administrators do not know they are there.

Hacker Classes --ce

  • Two classes of hackers

  • The sophisticated elite with much expertise, but limited time

  • Footsoldiers who have the time and can use the hacking software, but do not really understand it.

  • CERT (Computer Emergency Response Team) advisories – hackers read the information boards too!

Intrusion Techniques

  • Systems maintain a file that associates a password with each authorized user.

  • The password file can be protected with:

  • One-way encryption (a one-way hash) – the stored value cannot be reversed; the system hashes the entered password and compares only after hashing.

  • Access control – only a privileged ("setuid") program can read the file.

  • Obtaining a copy of the password file is typically the essential first step for an offline guessing attack.

Setuid (unix)

  • setuid sets the effective user ID of the current process. If the effective userid of the caller is root, the real and saved user ID's are also set. [...] This allows a setuid (other than root) program to drop all of its user privileges, do some unprivileged work, and then re-engage the original effective user ID in a secure manner.
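The two patterns the quoted man page describes, as an added example that is not from the original slides or the man page: dropping privileges temporarily with seteuid() and re-engaging them, and dropping them permanently with setresuid()/setresgid() so that nothing is left in the saved set-user-ID. It is written in Python for Linux and uses os.setresuid, os.setresgid and os.getresuid, which exist on Linux but not on every Unix; the verification step at the end is this example's own check, not something the man page prescribes.

```python
# Added example (not from the original slides): privilege dropping in a
# setuid program. Linux-specific: os.setresuid/os.setresgid/os.getresuid.
import os


def current_uid_gid():
    """Real uid and gid of this process (used by the demo and its checks)."""
    return os.getuid(), os.getgid()


def drop_privileges_temporarily():
    """Drop the effective uid to the real uid for some unprivileged work.
    Only the effective id changes; the old euid stays in the saved
    set-user-ID, so it can be re-engaged later. Returns the saved euid."""
    saved_euid = os.geteuid()
    os.seteuid(os.getuid())
    return saved_euid


def restore_privileges(saved_euid):
    """Re-engage the effective uid saved by drop_privileges_temporarily()."""
    os.seteuid(saved_euid)
    return os.geteuid() == saved_euid


def drop_privileges_permanently(uid, gid):
    """Irreversibly drop to (uid, gid). Order matters: supplementary groups
    first (needs root), then gid, then uid, because once the uid is
    unprivileged the gid can no longer be changed. Setting real, effective
    and saved ids together leaves nothing for seteuid() to restore.
    Returns True only if the process really is unprivileged afterwards."""
    if os.geteuid() == 0:
        os.setgroups([])          # needs CAP_SETGID, so only while still root
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    if uid != 0:
        # Verify the drop: an unprivileged process must not get root back.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop failed: root is still reachable")
    return (os.getresuid() == (uid, uid, uid)
            and os.getresgid() == (gid, gid, gid))


if __name__ == "__main__":
    saved = drop_privileges_temporarily()
    print(f"unprivileged work as uid {os.geteuid()} (saved euid {saved})")
    restore_privileges(saved)
    uid, gid = current_uid_gid()
    print("dropped for good:", drop_privileges_permanently(uid, gid))
```

Run as an ordinary user the script simply confirms that root cannot be reached; the interesting case is a program installed setuid root, where the temporary drop leaves euid 0 in the saved set and only the permanent drop removes it.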

Intrusion Techniques

  • Techniques for guessing passwords:

  • Try default passwords.

  • Try all short words, 1 to 3 characters long.

  • Try all the words in an electronic dictionary (60,000 words).

  • Collect information about the user's hobbies, family names, birthday, etc.

  • Try the user's phone number, social security number, street address, etc.

  • Try all license plate numbers (MUP103).

  • Use a Trojan horse to bypass access restrictions.

  • Tap the line between a remote user and the host system.

Prevention: Enforce good password selection (Ij4Gf4Se%f#)

UNIX Password Scheme

Storing UNIX Passwords

  • UNIX passwords were kept in a publicly readable file, /etc/passwd.

  • Now the hashes are kept in a separate "shadow" file (/etc/shadow), readable only by "root".


  • The salt serves three purposes:

  • Prevents duplicate passwords from being visible in the password file: two users with the same password get different stored values.

  • Effectively increases the length of the password (UNIX: by two characters, a 12-bit salt giving 4096 variants), so a precomputed dictionary must be 4096 times larger.

  • Prevents the use of off-the-shelf hardware implementations of DES for cracking, since the salt modifies the DES algorithm.
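The guessing order from the Intrusion Techniques slide and the effect of the salt, as an added example that is not part of the original slides: a toy shadow file with salted one-way hashes, a login check, and an offline dictionary attack against it. PBKDF2 stands in for the classic DES-based crypt(3); the user names, passwords, salts and word lists are constructed for the demo and are not real wordlists.

```python
# Added example (not from the original slides): salted one-way password
# storage and a dictionary attack against a copied shadow file.
import hashlib
import hmac
import os

# UNIX crypt(3) used a 12-bit salt (4096 variants); we draw 16 random bits.
ROUNDS = 1000          # deliberately low so the demo runs quickly


def hash_password(password, salt):
    """One-way function: the stored value cannot be reversed, only re-computed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()


def make_entry(password, salt=None):
    """Shadow-style entry 'salt$hash' with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(2)
    return salt.hex() + "$" + hash_password(password, salt)


def verify(password, entry):
    """Login check: hash the candidate with the stored salt, compare after hashing."""
    salt_hex, stored = entry.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def candidates(user_info):
    """Guess order from the slides: defaults, short words, dictionary words,
    then information collected about the user (constructed lists)."""
    yield from ["password", "admin", "root", "changeme"]
    yield from ["a", "ab", "abc", "xyz"]
    yield from ["monday", "secret", "welcome", "dragon"]
    yield from user_info            # hobbies, family names, license plates, ...


def guess(shadow, info):
    """Offline attack on a copied shadow file. Returns ({user: password}
    for cracked accounts, number of hashes computed). Because every user
    has a different salt, each candidate must be re-hashed per user;
    without salt one hash per candidate would serve the whole file."""
    cracked, work = {}, 0
    for user, entry in shadow.items():
        salt_hex, stored = entry.split("$")
        salt = bytes.fromhex(salt_hex)
        for pw in candidates(info.get(user, [])):
            work += 1
            if hash_password(pw, salt) == stored:
                cracked[user] = pw
                break
    return cracked, work


if __name__ == "__main__":
    shadow = {"alice": make_entry("secret"), "dave": make_entry("secret"),
              "bob": make_entry("MUP103"), "carol": make_entry("Ij4Gf4Se%f#")}
    print("same password, different entries:", shadow["alice"] != shadow["dave"])
    print(guess(shadow, {"bob": ["MUP103", "fishing"]}))
```

alice and dave share a password but their entries differ; the guess for bob succeeds only because his license plate was collected, and carol's obscure password survives the whole list.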

Password Strategies

  • D. Klein, 1990: 25% of the passwords of 14,000 users were guessed within an hour. Table 9.4

  • Even in 1993, 6.4 million encryptions per second were feasible – so passwords must be obscure.

Password Strategies

  • The old problem of "keeping a secret": users are not reliable at it.

  • Users often use the same password on different systems.

  • Tradeoff: if a password is hard to remember, users will forget it and/or write it down.

Password Selecting Strategies

  • User education

  • Computer-generated passwords

  • Reactive password checking – the system periodically runs its own cracker and cancels guessed passwords.

  • Proactive password checking – the best idea is to force the user to select a good password that they generate themselves; users usually choose better the second time around.

  • 30 megabytes of bad passwords? A plain dictionary of rejected passwords is large and slow to search; the two schemes below compress it.

Markov Model

Transition Matrix

  • Determine the frequency matrix f, where f(i,j,k) is the number of occurrences of the trigram consisting of the ith, jth and kth characters.

  • For each bigram ij, calculate f(i,j,∞) as the total number of trigrams beginning with ij.

  • Compute the entries of T as follows:
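Building f and T and scoring candidate passwords, as an added example that is not from the original slides. The entry formula used here, T(i,j,k) = f(i,j,k) / f(i,j,∞), is the trigram count divided by the bigram total defined above; the training words and the rejection threshold are constructed for the demo.

```python
# Added example (not from the original slides): Markov-model password checker.
from collections import Counter
import math


def trigram_frequencies(words):
    """f(i,j,k): number of occurrences of each trigram in the bad-password list."""
    f = Counter()
    for w in words:
        w = w.lower()
        for n in range(len(w) - 2):
            f[w[n:n + 3]] += 1
    return f


def transition_matrix(f):
    """T(i,j,k) = f(i,j,k) / f(i,j,inf), where f(i,j,inf) is the total
    number of trigrams beginning with the bigram ij."""
    bigram_total = Counter()
    for tri, count in f.items():
        bigram_total[tri[:2]] += count
    return {tri: count / bigram_total[tri[:2]] for tri, count in f.items()}


def log_likelihood(password, T):
    """Sum of log T over the trigrams of the password. A trigram never seen
    in the dictionary gives -inf: the password does not look like a word.
    Higher values mean the password looks more like dictionary material."""
    pw = password.lower()
    total = 0.0
    for n in range(len(pw) - 2):
        p = T.get(pw[n:n + 3], 0.0)
        if p == 0.0:
            return -math.inf
        total += math.log(p)
    return total


def is_guessable(password, T, threshold=-5.0):
    """Reject when the average per-trigram log-likelihood is above the
    threshold (the threshold value is an assumption for this demo)."""
    n = max(len(password) - 2, 1)
    return log_likelihood(password, T) / n > threshold


if __name__ == "__main__":
    # Constructed training list standing in for the 30 MB of bad passwords.
    T = transition_matrix(trigram_frequencies(
        ["password", "passport", "pass", "assume", "master"]))
    for pw in ["pass", "password", "Ij4Gf4Se%f#"]:
        print(pw, "guessable" if is_guessable(pw, T) else "ok")
```

Only T is kept at check time; the word list itself is not needed, which is the point of the model.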

Spafford (Bloom Filter)


Spafford (Bloom Filter)

  • Design the hash scheme to minimize false positives (good passwords wrongly rejected).

  • Probability of false positive:

Spafford (Bloom Filter)

  • Point is, I guess, to reject passwords, without having a copy of the input pw file available.
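A Bloom filter for Spafford's proactive checker, as an added example that is not from the original slides, together with the false-positive estimate for D words in N bits with k hashes, P ≈ (1 − e^(−kD/N))^k, the standard estimate for this structure. The k hash functions are derived from SHA-256 with an index prefix (an assumption; any independent hashes would do), and the bad-password list is constructed.

```python
# Added example (not from the original slides): Bloom filter password checker.
import hashlib
import math


class BloomFilter:
    def __init__(self, n_bits, k_hashes):
        self.n, self.k = n_bits, k_hashes
        self.bits = bytearray((n_bits + 7) // 8)
        self.count = 0                    # D: number of words inserted

    def _positions(self, word):
        """k hash values in [0, n): SHA-256 of an index prefix plus the word."""
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(2, "big") + word.encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.n

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.count += 1

    def __contains__(self, word):
        """All k bits set: the word is in the dictionary, or a false positive.
        Any bit clear: definitely not in the dictionary (no false negatives)."""
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(word))

    def false_positive_rate(self):
        """P ~ (1 - e^(-kD/N))^k for D words, N bits, k hash functions."""
        return (1 - math.exp(-self.k * self.count / self.n)) ** self.k


def optimal_hashes(bits_per_word):
    """k minimizing the false-positive rate for a given N/D: k = (N/D) ln 2."""
    return max(1, round(bits_per_word * math.log(2)))


if __name__ == "__main__":
    bad = ["password", "secret", "letmein"]          # constructed list
    bf = BloomFilter(n_bits=8 * 1024, k_hashes=optimal_hashes(8 * 1024 // len(bad)))
    for w in bad:
        bf.add(w)
    print("reject 'secret':", "secret" in bf)
    print("reject 'Ij4Gf4Se%f#':", "Ij4Gf4Se%f#" in bf)
    print("false-positive rate:", bf.false_positive_rate())
```

The filter's bit array is all that ships with the checker; the dictionary itself is not reconstructible from it, which is why the input password file need not be kept on the system.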

Performance of Bloom Filter

The Stages of a Network Intrusion

1. Scan the network to find:

• which IP addresses are in use,

• what operating system each host runs,

• what TCP or UDP ports are "open" (being listened on by servers).

2. Run "exploit" scripts against the open ports.

3. Get access to a shell program that is "suid" root (runs with "root" privileges).

4. Download from a hacker web site special versions of system files that give the cracker free access in the future without the CPU time or disk space they use being noticed by auditing programs.

5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Intrusion Detection

  • If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before damage is done.

  • An effective intrusion detection system acts as a deterrent and so helps to prevent intrusions.

  • Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Profiles of Behavior of Intruders and Authorized Users

Intrusion Detection Schemes

  • Statistical anomaly detection – collect data on the behavior of valid users and compare current behavior against it.

  • Threshold detection for the system as a whole (counts of events over an interval)

  • A profile for each user – as credit card companies do

  • Rule-based detection

  • Deviation from historical usage patterns (anomaly detection)

  • Search for known suspicious behavior (penetration identification)

Intrusion Detection Tradeoffs

  • “Art” of intrusion detection is like the art of Spam detection.

  • Tradeoff of false positives and false negatives.

Intrusion Detection

  • Statistical anomaly detection

  • Threshold detection

  • Profile based

  • Rule based detection

  • Anomaly detection

  • Penetration identification

Measures used for Intrusion Detection

  • Login frequency by day and time.

  • Frequency of login at different locations.

  • Time since last login.

  • Password failures at login.

  • Execution frequency.

  • Execution denials.

  • Read, write, create, delete frequency.

  • Failure count for read, write, create and delete.

Distributed Intrusion Detection

Distributed Intrusion Detection Agent

  • Native audit input – apply filter

  • Produce a canonical host audit record

  • Apply logic using match w/ templates

  • Suspicious events like file access

  • Attack patterns

  • Historical profiles of users

  • Send alerts to Central manager
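The measures on the previous slide and the agent pipeline above, as an added example that is not part of the original slides: constructed sshd-style audit lines are filtered into canonical records, then a threshold rule (password failures at login) and a per-user profile rule (login time by hour) are applied. The log format, user names, thresholds and the two-standard-deviation cutoff are assumptions for the demo, and the lines are not a real capture.

```python
# Added example (not from the original slides): host agent with a native
# audit filter, canonical records, a threshold rule and a profile rule.
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit input (not a real capture). Day 1 trains the
# profile; day 2 is analysed against it.
HISTORY_AUDIT = """\
Mar 10 09:02:11 host sshd[410]: Accepted password for alice from 10.0.0.5 port 5001
Mar 10 09:15:43 host sshd[412]: Accepted password for alice from 10.0.0.5 port 5002
Mar 10 09:30:00 host CRON[99]: pam_unix(cron:session): session opened for user root
Mar 10 10:07:19 host sshd[415]: Accepted password for alice from 10.0.0.5 port 5003
Mar 10 11:41:02 host sshd[420]: Accepted password for alice from 10.0.0.5 port 5004
"""
TODAY_AUDIT = """\
Mar 11 03:12:56 host sshd[501]: Accepted password for alice from 198.51.100.7 port 6001
Mar 11 03:13:01 host sshd[503]: Failed password for bob from 198.51.100.7 port 6002
Mar 11 03:13:03 host sshd[503]: Failed password for bob from 198.51.100.7 port 6002
Mar 11 03:13:05 host sshd[503]: Failed password for bob from 198.51.100.7 port 6002
Mar 11 03:13:08 host sshd[503]: Failed password for bob from 198.51.100.7 port 6002
Mar 11 03:13:10 host sshd[503]: Failed password for bob from 198.51.100.7 port 6002
"""

LINE = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
                  r"(Accepted|Failed) password for (\w+) from (\S+)")


def canonical_records(native_text):
    """Native audit input -> filter -> canonical host audit records
    (subject, action, object, hour, success). Unparseable lines are dropped."""
    records = []
    for line in native_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hour, outcome, user, src = m.groups()
        records.append({"subject": user, "action": "login", "object": src,
                        "hour": int(hour), "success": outcome == "Accepted"})
    return records


def build_history(records):
    """Historical profile of each user: hours of successful logins."""
    history = defaultdict(list)
    for r in records:
        if r["success"]:
            history[r["subject"]].append(r["hour"])
    return history


def threshold_alerts(records, max_failures=3):
    """Threshold rule: more than max_failures password failures per user and source."""
    failures = defaultdict(int)
    for r in records:
        if r["action"] == "login" and not r["success"]:
            failures[(r["subject"], r["object"])] += 1
    return [f"{u} from {src}: {n} password failures"
            for (u, src), n in failures.items() if n > max_failures]


def profile_alerts(records, history, z=2.0):
    """Profile rule: a successful login whose hour lies more than z standard
    deviations from the user's historical login hours is suspicious."""
    alerts = []
    for r in records:
        hours = history.get(r["subject"])
        if not r["success"] or not hours or pstdev(hours) == 0:
            continue
        if abs(r["hour"] - mean(hours)) > z * pstdev(hours):
            alerts.append(f"{r['subject']} logged in at {r['hour']:02d}h from {r['object']}")
    return alerts


def agent(history_text, today_text):
    """Everything the agent would send to the central manager for today."""
    history = build_history(canonical_records(history_text))
    today = canonical_records(today_text)
    return threshold_alerts(today) + profile_alerts(today, history)


if __name__ == "__main__":
    for alert in agent(HISTORY_AUDIT, TODAY_AUDIT):
        print("ALERT:", alert)
```

The two rules are independent: bob's burst of failures trips the threshold with no profile at all, while alice's 03h login is only suspicious relative to her own history.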

Distributed Intrusion Detection

Base-Rate Fallacy

  • One person in 10,000 has Framistat's disease.

  • The test is 99% accurate for both positive and negative cases.

  • 1% inaccurate: of 9,999 healthy people about 100 test positive, against about 1 true positive.

  • So roughly 99% of positive results are false alarms. The same arithmetic applies to an IDS: intrusions are rare, so even a small false-positive rate swamps the true alerts.
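The base-rate arithmetic, as an added example that is not from the original slides: the positive predictive value of an alarm from base rate, true-positive rate and false-positive rate, and the false-positive rate a detector would need for alarms to be worth chasing. The disease figures are the slide's; the IDS figures in the demo are assumptions.

```python
# Added example (not from the original slides): base-rate fallacy arithmetic.

def positive_predictive_value(base_rate, true_positive_rate, false_positive_rate):
    """P(condition | alarm): alarms from real cases over all alarms (Bayes)."""
    true_alarms = base_rate * true_positive_rate
    false_alarms = (1 - base_rate) * false_positive_rate
    return true_alarms / (true_alarms + false_alarms)


def alarms_per_population(population, base_rate, true_positive_rate, false_positive_rate):
    """Expected (true alarms, false alarms) when a whole population is tested."""
    affected = population * base_rate
    return affected * true_positive_rate, (population - affected) * false_positive_rate


def required_false_positive_rate(base_rate, true_positive_rate, target_ppv):
    """False-positive rate needed so that a fraction target_ppv of alarms is
    real; solve ppv = bt / (bt + (1-b)f) for f."""
    return base_rate * true_positive_rate * (1 - target_ppv) / ((1 - base_rate) * target_ppv)


if __name__ == "__main__":
    print("disease: P(sick | positive) =", positive_predictive_value(1 / 10000, 0.99, 0.01))
    print("per 10,000 tested:", alarms_per_population(10000, 1 / 10000, 0.99, 0.01))
    # Assumed IDS figures: 1 intrusion per 100,000 audit records, 99% detection, 0.1% false alarms.
    print("IDS: P(intrusion | alert) =", positive_predictive_value(1e-5, 0.99, 1e-3))
    print("FPR needed for half of alerts to be real:", required_false_positive_rate(1e-5, 0.99, 0.5))
```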


Honeypots

  • Divert the opponent to a decoy machine

  • Collect information about opponent

  • Encourage opponent to stay on the system as long as possible -- spies

  • Fabricated information, as fed to spies – the Enigma machine problem.

  • Honeypot networks.

IETF data interchange

  • IETF Intrusion Detection Exchange Format


IETF Working Group

  • “Intrusion detection is an area of increasing concern in the Internet community. In response to this, many automated intrusion detection systems have been developed. However, there is no standardized way for them to communicate. To remedy this, the Intrusion Detection Working Group was chartered under the auspices of the Internet Engineering Task Force.

  • This paper gives an overview of the working group and the task it faces. The paper then describes attempts to define and implement a transport protocol for intrusion detection alerts.[…]”

Viruses and ”Malicious Programs”

  • Computer "viruses" and related programs have the ability to replicate themselves on an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet, in which case they are called "worms".

  • Other "malicious programs" may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan horses, trap doors and logic bombs).

Taxonomy of Malicious Programs

Hoax attack

  • Many dedicated, generous, people exist. Also good business to provide products for free

  • Hoaxes can scare people away from legitimate products

  • Legal “hoaxes” as well.


  • Virus - code that copies itself into other programs.

  • A “Bacteria” replicates until it fills all disk space, or CPU cycles.

  • Payload - harmful things the malicious program does, after it has had time to spread.

  • Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses).


  • Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).

  • Logic Bomb - malicious code that activates on an event (e.g., date).

  • Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.

  • Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

  • Zombies – compromised machines that do the evil bidding of another; used for denial of service (DoS) from hundreds of sources at once.

Virus Phases

  • Dormant phase - the virus is idle

  • Propagation phase - the virus places an identical copy of itself into other programs

  • Triggering phase – the virus is activated to perform the function for which it was intended

  • Execution phase – the function is performed

Virus Protection

Virus Structure

A Compression Virus

Types of Viruses

  • Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.

  • Memory-resident Virus - Lodges in main memory as part of the residual operating system.

  • Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).

  • Stealth Virus - explicitly designed to hide from Virus Scanning programs.

  • Polymorphic Virus - mutates with every new host to prevent signature detection.

Macro Viruses

  • Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).

  • Platform independent.

  • Infect documents, delete files, generate email and edit letters.

Virus Constructors


  • “Constructor is a virus or trojan creation toolkit. A constructor allows its user to create malware by only choosing its features; it's very easy to use. A user doesn't need to know any programming language to create a virus or a trojan. Some constructors allow one to create quite complex viruses and then to add a polymorphic engine to them. Once, some person created more than 15000 viruses using a constructor and sent them to anti-virus companies. Constructor-based viruses are usually detected generically as they are built from ready 'blocks' and known polymorphic engines.

  • Most famous constructors: VCL, SennaSpy, BWG, PS-MPC, TPPE, IVP”

Antivirus Approaches

1st Generation, Scanners: search files for any of a library of known virus "signatures." Check executable files for length changes.

2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code fragments common to many viruses). Check files against stored checksums or hashes for unexpected changes (integrity checking).

3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).

4th Generation, Full Featured: combine the best of the techniques above.
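The first two generations, as an added example that is not from the original slides: signature matching over file contents, length-change detection, and integrity checking against a baseline of hashes. The "files" are constructed in-memory byte strings and the signature library is made up for the demo; no real virus patterns are used.

```python
# Added example (not from the original slides): 1st/2nd generation checks.
import hashlib

# Constructed signature library (made-up byte patterns, not real virus code).
SIGNATURES = {
    "DEMO-A": b"\xeb\x10\x90\x90\xb8\x02\x3d",
    "DEMO-B": b"DEMO_VIRUS_MARKER",
}


def scan_signatures(data):
    """1st generation: every known signature present in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def baseline(files):
    """2nd generation: record length and hash of every file while clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(files, base):
    """Files whose length or hash differs from the baseline, plus new files.
    A same-length change (as a compression virus aims for) still moves the hash."""
    changed = []
    for name, data in files.items():
        if name not in base:
            changed.append((name, "new file"))
            continue
        length, digest = base[name]
        if len(data) != length:
            changed.append((name, "length changed"))
        elif hashlib.sha256(data).hexdigest() != digest:
            changed.append((name, "contents changed, same length"))
    return changed


def scan(files, base):
    """Combine both checks: {file: [findings]}."""
    findings = {}
    for name, data in files.items():
        hits = scan_signatures(data)
        if hits:
            findings[name] = hits
    for name, reason in integrity_check(files, base):
        findings.setdefault(name, []).append(reason)
    return findings


if __name__ == "__main__":
    clean = {"ls": b"\x7fELF clean program ls", "cat": b"\x7fELF clean program cat"}
    base = baseline(clean)
    infected = {"ls": clean["ls"] + SIGNATURES["DEMO-A"],        # appended, known
                "cat": b"\x7fELF clean program caT",              # same length, unknown
                "backdoor": b"ELF " + SIGNATURES["DEMO-B"]}       # new file, known
    print(scan(infected, base))
```

The unknown same-length modification of "cat" is missed by the signature scanner and the length check alone; only the hash comparison catches it, which is the 2nd-generation improvement.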

Advanced Antivirus Techniques

  • Generic Decryption (GD)

  • CPU Emulator

  • Virus Signature Scanner

  • Emulation Control Module

  • For how long should a GD scanner run each interpretation?

Privacy Issues

  • What happens when a digital immune system agent triggers the forwarding of suspected email to a reviewer?

  • Do all systems people also have authority to view all data on the computer?

Advanced Antivirus Techniques

Behavior Blocking

  • Users hate this, but can be very useful --- especially just asking the user, or delaying gratification.

Recommended Reading and WEB Sites

  • Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990

  • CERT Coordination Center (WEB Site)

  • AntiVirus Online (IBM’s site)
