Computer Security
Prof. Sudip Bhattacharya, IEM

Computer Viruses
• A virus is a small piece of software that piggybacks on real programs
• A virus might attach itself to a program such as a spreadsheet program
• Each time the spreadsheet program runs, the virus runs too
• This gives it a chance to reproduce (by attaching to other programs)
• An e-mail virus travels as an attachment to e-mail messages
• It replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book
• Why do they do it?
  • It seems to be a thrill
  • The thrill of watching things blow up
  • Bragging rights: the thrill of doing it
  • A programmer who sees a security hole that could be exploited might simply feel compelled to exploit it

Computer Worms
• A computer worm is a self-replicating computer program
• A worm slows down Internet traffic when it begins to replicate itself
• A worm usually exploits some sort of security hole in a piece of software or the operating system
• A worm called Code Red made huge headlines in 2001
• Each copy of the worm scanned the Internet for Windows NT or Windows 2000 servers that did not have the Microsoft security patch installed
• Each time it found an unsecured server, the worm copied itself to that server
• The new copy then scanned for other servers to infect
• Depending on the number of unsecured servers, a worm could conceivably create hundreds of thousands of copies
• The Code Red worm had instructions to do three things:
  • Replicate itself for the first 20 days of each month
  • Replace Web pages on infected servers with a page featuring the message "Hacked by Chinese"
  • Launch a concerted attack on the White House Web site in an attempt to overwhelm it
• This attack would consist of the infected systems simultaneously sending 100 connections to port 80 of www.whitehouse.gov

Trojan Horse
• Malware that appears to perform a desirable function but in fact performs undisclosed malicious functions
• A program named "waterfalls.scr" serves as a simple example of a Trojan Horse. The author claims it is a free waterfall screen saver
• Offered as a seemingly useful system enhancement, a free game, or an e-mail attachment to which the Trojan is attached
• Trojans usually consist of two parts, a Client and a Server
• The server is run on the victim's machine and listens for connections from a Client used by the attacker
Problems caused
• Browse the user's hard drive to locate valuables
  • Research papers
  • Credit card details
  • Passwords to restricted websites
• Copy the data to the intruder's own hard drive
• Delete system files or valuable data, format or destroy the hard drive

Classes of Trojan Horse
• Remote Access
  • Works in Client-Server mode: the intruder establishes a link
  • The intruder can perform any action that a user can
  • e.g. drag and drop the folder called ABC from the user's drive C onto his own
• Mail Trojan
  • Works in server mode
  • Records keystrokes when passwords are typed, websites regularly visited, and files in general
  • Sends this information via e-mail
• FTP Trojans
  • Work in server mode
  • Can download and upload files at the intruder's whim

Classes of Trojan Horse Contd.
• Telnet
  • Runs in server mode: executes DOS commands
• Keylogger
  • Records keystroke input and then stores the information in a special log file
• Fake
  • Displays fake dialog boxes and bogus windows to show that the user has attempted to perform an illegal operation
  • Gets the user to enter a user name and password; the information is stored in a file

Hacking
• Transform computers into zombies by using small programs that exploit weaknesses in a computer's OS
• Disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different
• Delivered through e-mail, peer-to-peer networks or even on a regular Web site
• A pop-up ad that includes a "No Thanks" button: instead of dismissing the annoying pop-up ad, clicking it activates a download of malicious software
• Once the victim receives the program and chooses to run it, nothing seems to happen
• For some users this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity
• Some users simply think they received a bad file and leave it at that
• The activated program attaches itself to an element of the user's OS so that every time the user turns on the computer, it activates
• Such programs don't always use the same segment of an OS's initializing sequence

Phishing
A method of online identity theft to steal personal and financial data
• Phishers can infect computers with viruses and convince people to participate unwittingly in money laundering
• E-mail messages mimic banks, credit card companies or other businesses like Amazon and eBay. These messages look authentic and attempt to get victims to reveal their personal info.
Steps in Phishing
• Planning: decide which business to target and determine how to get e-mail addresses for the customers of that business. Phishers often use the same mass-mailing and address collection techniques as spammers
• Setup: choose methods for delivering the message and collecting the data. This involves e-mail addresses and a web page
• Attack: the phisher sends a message that appears to be from a reputable source
• Collection: phishers record the info. victims enter into web pages or popup windows
• The phishers then use the info. they've gathered to make illegal purchases or otherwise commit fraud

Phishing – Establishing Trust
• People won't readily reveal their bank account, credit card number or password
• A deceptive attempt to get such info. is called social engineering
• Phishers often use real companies' names
• They copy legitimate e-mail messages, replacing the links with ones that direct the victim to a fraudulent page
• They put fake e-mail addresses in the "From:" and "Reply-To:" fields
• They disguise links to make them look legitimate
• They prompt users to act first and think later
  • "Thank the victim for making a purchase he never made"
  • Since the victim doesn't want to lose money he didn't really spend, he follows the message's link and winds up giving the phishers the information
• People trust automatic processes, believing them to be free from human error
  • "A computerized audit or other automated process has revealed that something is amiss with the victim's account"

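The two header and link tricks listed above (a forged "Reply-To:" that differs from the "From:" domain, and link text that shows one host while the href points to another) can be checked mechanically. The following is an added example, not part of the lecture; the message and all domain names in it are constructed placeholders.

```python
# Added example (not from the lecture): flag two of the deception tricks from
# the slide in a raw e-mail: a From/Reply-To domain mismatch and <a> links whose
# visible text names one host while the href points somewhere else.
# The message and every domain below are constructed placeholders.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: Example Bank <alerts@example-bank.test>
Reply-To: support@mail-verify.test
Subject: Thank you for your purchase
Content-Type: text/html

<p>Thank you for your $499 purchase. If this was not you, visit
<a href="http://login.mail-verify.test/acct">https://www.example-bank.test/</a>
or our <a href="https://www.example-bank.test/help">help page</a>.</p>
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address header value."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:      # only collect text inside an <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and text_host != href_host:   # displayed URL != real target
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings
```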
Adware & Spyware
Adware
• Freeware blocks features and functions of the software until we pay for it
• Sponsored freeware: most or all features are enabled
• The user views sponsored advertisements while the s/w is used
• Advertisements run in a small section of the software interface or as a pop-up ad box. When the software is stopped, the ads disappear
• The ads are disabled once the user registers and buys the s/w
• A legitimate revenue source for companies that offer their s/w for free
Spyware
• Tracks surfing habits to serve ads related to you
• Gathers info. about e-mail addresses, passwords and credit card numbers
• Monitors keystrokes, scans files on the hard drive, installs other spyware programs
• Constantly relays the information to the spyware author, who uses it for ad and marketing purposes
• You see pop-up ads even when you are offline
• It changes browser homepage and search settings
• It adds new toolbars to your web browser
• Certain tasks take longer than usual to complete

Spam
• Unsolicited bulk messages
• Unsolicited Bulk Email (UBE): the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients
• Spammers outsource parts of their operations to countries where spamming will not get them into legal trouble
• Spam often doesn't even originate from the spammer's own machines, but from zombie networks
• Millions of messages can be sent daily with little or no labor cost
• Noncommercial spam: religious or political

Types of Spam
• Email: you open your e-mail and sort through dozens of junk messages
• IM: requires scriptable software and the recipients' IM usernames
• Mobile phone: text messaging; in some markets a fee may be charged per text message received
• Online game messaging: online games allow players to contact each other via player-to-player messaging, chat rooms or public discussion areas
• Spam targeting search engines: modify HTML pages to increase the chances of them being placed high on search engine relevancy lists
  • Use black hat search engine optimization techniques to unfairly increase their rank in search engines
  • Search engines have modified their search algorithms to try to exclude web pages utilizing spamdexing tactics
• Blog, Wiki & Guestbook: repeatedly place comments on various blogs that provide nothing more than a link to the spammer's commercial web site
• Video sharing sites: post links to sites, most likely pornographic or dealing with online dating, in the comments section of random videos or people's profiles
  • Upload videos presented in an infomercial-like format selling their product, featuring actors and paid testimonials

Spam Distribution
• If spam came from one centralized source, it would be relatively easy to track it down
  • Demand that the corresponding ISP shut down that computer's access to the Internet
  • Charge the user for sending out illegal spam
• Clients who wish to advertise their products pay crackers to send out e-mail to thousands of people
• The majority of e-mail recipients usually can't figure out where the spam is coming from
• They might block one source only to receive the same spam from a different zombie in the botnet
• If spam recipients write to complain about the junk mail, the owner of the zombie computer finds that his own e-mail outbox is full of messages he didn't write

Distributed Denial of Service
• The cracker tells all the computers on his botnet to contact a specific server or Web site repeatedly
• The sudden increase in traffic can cause the site to load very slowly for legitimate users
• Sometimes the traffic is enough to shut the site down completely
• The cracker sends the command to initiate the attack to his zombie army
• Each computer within the army sends an electronic connection request to an innocent computer called a reflector
• When the reflector receives the request, it looks like it originates not from the zombies but from the ultimate victim of the attack
• Microsoft suffered an attack from a DDoS called MyDoom; Amazon, CNN, Yahoo and eBay have also been hit by DDoS attacks

Firewall
• A program or hardware device that filters the info. coming through the Internet connection into your private network or computer system
• A company will place a firewall at every connection to the Internet
• Set rules, e.g.: out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic

How does a firewall control traffic flowing in / out of the network?
• Packet filtering: packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded
• Proxy service: info. from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa
• Stateful inspection
  • Doesn't examine the contents of each packet
  • Compares certain key parts of the packet to a database of trusted info.
  • Info. traveling from inside the firewall to the outside is monitored for specific defining characteristics
  • The incoming info. is compared to these characteristics
  • If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded

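The rule from the previous slide (only one internal host may receive public FTP) and the stateful inspection described here can be shown together in a toy filter. This is an added example, not code from the lecture; the addresses, the 10.0.0.0/24 internal network and the chosen FTP host are constructed assumptions.

```python
# Added example (not from the lecture): a toy stateful packet filter. Outbound
# flows are recorded as "defining characteristics"; an inbound packet is allowed
# only if it matches a recorded flow or the one static rule for public FTP.
# All addresses and the internal network prefix are constructed assumptions.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."            # constructed private network prefix
FTP_HOST = "10.0.0.5"               # the one host allowed to receive public FTP
FTP_PORT = 21

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False               # True for a new connection request

class StatefulFirewall:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) of known flows
        self.state = set()

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(INTERNAL_NET)

    def filter(self, pkt: Packet) -> str:
        """Return 'ALLOW' or 'DROP' and update the connection table."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            # Outbound: record the flow so its replies can be matched later
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if not self.is_inside(pkt.src) and self.is_inside(pkt.dst):
            # Inbound: is it a reply to a flow we saw going out?
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "ALLOW"
            # Otherwise only the static rule for public FTP applies
            if pkt.syn and pkt.dst == FTP_HOST and pkt.dport == FTP_PORT:
                self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return "ALLOW"
        return "DROP"               # unsolicited inbound, or not crossing the boundary

def demo() -> list:
    fw = StatefulFirewall()
    return [
        fw.filter(Packet("10.0.0.7", 40000, "203.0.113.9", 80, syn=True)),  # outbound web
        fw.filter(Packet("203.0.113.9", 80, "10.0.0.7", 40000)),            # its reply
        fw.filter(Packet("203.0.113.9", 80, "10.0.0.8", 40000)),            # unsolicited
        fw.filter(Packet("198.51.100.4", 5555, FTP_HOST, 21, syn=True)),    # public FTP ok
        fw.filter(Packet("198.51.100.4", 5555, "10.0.0.7", 21, syn=True)),  # FTP elsewhere
    ]
```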
Why Firewall Security?
• Remote login: when someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer
• Application backdoors: some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program
• SMTP session hijacking: SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace
• OS bugs: like applications, some OSs have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of

Why Firewall Security? Contd.
• Denial of service
• E-mail bombs: an e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages
• Macros: to simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer
• Viruses
• Spam
• Redirect bombs: hackers can change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up
• Source routing: in most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source. Most firewall products disable source routing by default