Clandestine user – seizes admin (supervisory) control and uses it to evade auditing, so the system's operators do not know they are there.
Hacker Classes
Two classes of hackers:
The sophisticated elite, with much expertise but limited time.
Foot soldiers who have the time and can use the hacking software, but do not really understand it.
CERT – Computer Emergency Response Teams. Hackers have access to the same information boards too!
The system maintains a file that associates a password with each authorized user.
The password file can be protected with:
One-way encryption – only the encrypted form is stored; a candidate password is encrypted and compared after encryption only.
Access control – restrict who can read the file, e.g. via a "setuid" program.
Downloading the password file is typically essential to an offline guessing attack.
setuid sets the effective user ID of the current process. If the effective user ID of the caller is root, the real and saved user IDs are also set. [...] This allows a setuid (other than root) program to drop all of its user privileges, do some unprivileged work, and then re-engage the original effective user ID in a secure manner.
Techniques for guessing passwords:
Try default passwords.
Try all short words, 1 to 3 characters long.
Try all the words in an electronic dictionary (about 60,000 words).
Collect information about the user’s hobbies, family names, birthday, etc.
Try user’s phone number, social security number, street address, etc.
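As an added example (not from the original slides), the two ideas above in code: a salted one-way password store that compares only after hashing, and a proactive checker that rejects a new password when any of the five listed guessing techniques would recover it. The dictionary, default-password list and user details are constructed stand-ins.

```python
# Added example, not from the original slides. DEFAULT_PASSWORDS and
# DICTIONARY are small constructed stand-ins for the real lists.
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme"}
DICTIONARY = {"apple", "welcome", "dragon", "monkey"}   # stand-in for the 60,000-word list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the one-way digest is stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Compare after encryption only: hash the candidate with the stored salt."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def guessable_reason(password: str, user_info: dict) -> Optional[str]:
    """Return which listed guessing technique would find the password, or None."""
    pw = password.lower()
    if pw in DEFAULT_PASSWORDS:
        return "default password"
    if len(pw) <= 3:
        return "short (1-3 characters)"
    if pw in DICTIONARY:
        return "dictionary word"
    # hobbies, family names, birthday, phone number, SSN, street address ...
    for field, value in user_info.items():
        token = "".join(ch for ch in str(value) if ch.isalnum()).lower()
        if len(token) >= 4 and (token in pw or pw in token):
            return f"derived from user's {field}"
    return None
```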
“Intrusion detection is an area of increasing concern in the Internet community. In response to this, many automated intrusion detection systems have been developed. However, there is no standardized way for them to communicate. To remedy this, the Intrusion Detection Working Group was chartered under the auspices of the Internet Engineering Task Force.
This paper gives an overview of the working group and the task it faces. The paper then describes attempts to define and implement a transport protocol for intrusion detection alerts. […]”
Viruses and “Malicious Programs”
Computer “Viruses” and related programs have the ability to replicate themselves onto an ever-increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (as a “Worm”).
Other “Malicious Programs” may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
Propagation phase – the virus places an identical copy of itself into other programs
Triggering phase – the virus is activated to perform the function for which it was intended
Execution phase – the function is performed
A Compression Virus
Types of Viruses
Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
Memory-resident Virus - lodges in main memory as part of the resident operating system.
Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
Stealth Virus - explicitly designed to hide from Virus Scanning programs.
Polymorphic Virus - mutates with every new host to prevent signature detection.
Macro viruses: Microsoft Office applications allow “macros” to be part of a document. The macro can run whenever the document is opened, or when a certain command is selected (e.g. Save File).
A macro virus can infect other documents, delete files, generate email and edit letters.
“Constructor is a virus or trojan creation toolkit. A constructor allows its user to create malware by only choosing its features; it's very easy to use. A user doesn't need to know any programming language to create a virus or a trojan. Some constructors allow the user to create quite complex viruses and then to add a polymorphic engine to them. Once, some person created more than 15000 viruses using a constructor and sent them to anti-virus companies. Constructor-based viruses are usually detected generically as they are built from ready 'blocks' and known polymorphic engines.
Most famous constructors: VCL, SennaSpy, BWG, PS-MPC, TPPE, IVP”
1st Generation, Scanners: search files for any of a library of known virus “signatures.” Check executable files for length changes.
2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (code segments common to many viruses). Check files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.
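As an added example (not from the original slides), a minimal integrity checker of the kind the 1st and 2nd generation scanners above relied on: it records each file's length and SHA-256 digest as a baseline, then reports files that grew (the length check), changed contents without changing size (the checksum/hash check), appeared, or disappeared. File names and contents in the demo are constructed.

```python
# Added example, not from the original slides. The demo directory, file names
# and contents are constructed; SHA-256 stands in for the slide's "checksum or hash".
import hashlib
import os
import shutil
import tempfile


def snapshot(directory: str) -> dict:
    """Map relative path -> (length, sha256 hex) for every regular file."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh: data = fh.read()
            baseline[os.path.relpath(path, directory)] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify each difference: length (1st-gen check), hash (2nd-gen check), new, missing."""
    report = {}
    for rel, (length, digest) in current.items():
        if rel not in baseline:
            report[rel] = "new"
        elif baseline[rel][0] != length:
            report[rel] = "length"   # e.g. code appended to an executable by a parasitic virus
        elif baseline[rel][1] != digest:
            report[rel] = "hash"     # same size, different bytes: a length check alone misses this
    for rel in baseline:
        if rel not in current:
            report[rel] = "missing"
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then make one change of each kind."""
    work = tempfile.mkdtemp()
    def put(name, data, mode="wb"):
        with open(os.path.join(work, name), mode) as fh: fh.write(data)
    for name, data in {"app.exe": b"MZ original program", "tool.exe": b"MZ tool", "old.exe": b"MZ old"}.items():
        put(name, data)
    baseline = snapshot(work)
    put("app.exe", b" appended code", "ab")   # length grows
    put("tool.exe", b"MZ t00l")               # same length, new bytes
    put("dropper.exe", b"MZ new")             # file not in the baseline
    os.remove(os.path.join(work, "old.exe"))
    report = compare(baseline, snapshot(work))
    shutil.rmtree(work)
    return report
```

Note that the baseline itself must be stored where the checked system cannot rewrite it, otherwise the comparison proves nothing.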
Advanced Antivirus Techniques
Generic Decryption (GD)
Virus Signature Scanner
Emulation Control Module
For how long should a GD scanner run each interpretation?
What happens when a digital immune system agent triggers the forwarding of suspected email to a reviewer?
Do all systems people also have authority to view all data on the computer?
Advanced Antivirus Techniques
Users hate this, but it can be very useful, especially simply asking the user to confirm a suspicious action, or delaying it.
Recommended Reading and Web Sites
Denning, P. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990