電腦攻擊與防禦 The Attack and Defense of Computers Dr.許 富 皓
Malicious Software (Malware): • Security tools and toolkits • Back doors (trap doors) • Logic bombs • Viruses • Worms • Trojan Horses • Bacteria or rabbit programs. • Spyware • Rootkit • URL Injection • Dialers
Security Tools and toolkits • Automatically scan for computer security weaknesses. • Can be used by both security professionals and attackers. • E.g. Nessus, COPS, ISS, Tiger, … and so on. • There are also programs and tool sets whose only function is to attack computers. • Script kids • These tools may damage the systems that install them or may contain booby-trap that will compromise the systems that install them.
Logic Bombs • A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. • For example, a programmer may hide a piece of code that starts deleting files, should he ever leave the company (and the salary database). • Usually written by inner programmers.
Logic Bombs and Viruses and Worms • Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. • This technique can be used by a virus or worm to gain momentum and spread before being noticed. • Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. • Trojans that activate on certain dates are often called "time bombs".
Key Logger • A program or hardware device that captures every key depression on the computer. • Also known as "Keystroke Cops," they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing and retyping.
Security Concerns about Key Loggers • Keystroke logging can be achieved by both hardware and software means. • There is no easy way to prevent keylogging software being installed on your PC, as it is usually done by a method of stealth. • If you are using a home PC, then it is likely to be free on any keystroke logging hardware (but remember there may be keystroke logging software). • Try and avoid typing private details on public PCs, and always try and avoid visiting sites on public PCs that require you to enter your login details, e.g. An online banking account.
Example • Ardamax Keylogger
Dialers • A program that either replaces the phone number in a modern’s dial-up connection with a long distance number, often out of the country, in order to run up phone charges on pay-per-dial numbers, or dials out at night to send keylogger or other information to an attacker.
URL Injection • Change the URL submitted to a server belonging to some or all domains.
Bacteria and Rabbits • Bacteria (also known as rabbit programs) are a type of malware that create many instances of themselves, or run many times simultaneously, in order to consume large amounts of system resources. This creates a denial of service effect as legitimate programs may no longer be able to run, or at least may not run properly
Trojan Horse • In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded withinlegitimate software. • Trojans use false and fake names to trick users into executing them. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. • A Trojan is designed to operate with functions unknown to the victim.
Execution of Trojan Horses • Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. • Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. • As such, if Trojans replicate and even distribute themselves, each new victim must run the program/trojan. • Due to the above reasons Trojan horses’ virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.
Categories of Trojan Horses • There are two common types of Trojan horses. • One, is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. • Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities. • The other type is a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows), in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.
Malware Parasitizes inside Trojan Horses • In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer. • The Sony/BMGrootkit Trojan, distributed on millions of music CDs through 2005, did both of these things. Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.
Example of a Simple Trojan Horse • A simple example of a trojan horse would be a program named waterfalls.scr.exe claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the computer.
Example of a Somewhat Advanced Trojan Horse • On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. • The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr,.bat, or .pif. • Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse has an extension that might be "masked" by giving it a name such as Readme.txt.exe. With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file. • Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.
Methods of Infection • Websites. • E-mails. • Downloaded Files.
Websites • You can be infected by visiting a rogue website. • Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. (Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.) • The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a trojan horse.
Example 2: Trojan Downloader [Microsoft] • When a user visits certain Web sites (containing malicious code as shown in the previous slides), a file named KVG.exe or keks.exe is automatically downloaded from the Web site to the user's Startup folder. • This file is detected as TrojanDownloader:Win32/Delf.DH. This Trojan downloader then downloads and runs another Trojan downloader every five minutes and saves it in the Windows system folder as all.exe. This file is detected as TrojanDownloader:Win32/Delf.AH.
Example 3: Trojan Horse Exploits Image Flaw [Declan McCullagh et al.] • EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw ( a heap-based buffer overflow [Michael Cobb] ) in the way Microsoft software handles graphics files. Windows users could have their computers infected merely by opening one of those Trojan horse images. • Attackers tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers,
Emails and Trojan Horses • The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or viurs.
Microsoft Outlook • If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer). • Furthermore, an infected file can be included as an attachment. In some cases, an infected email will infect your system the moment it is opened in Outlook -- you don't even have to run the infected attachment.
Downloaded Files • The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk.
Precautions against Trojan Horses (1) • Trojan Horses are most commonly spread through an e-mail, much like other types of common viruses. The only difference being of course is that a Trojan Horse is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows: • If you receive e-mail from someone that you do not know or you receive an unknown attachment never open it right away. • As an e-mail user you should confirm the source. • Some hackers have the ability to steal an address books so if you see e-mail from someone you know that does not necessarily make it safe.
Precautions against Trojan Horses (2) • When setting up your e-mail client make sure that you have the settings so that attachments do not open automatically. • Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this it would be best to purchase on or download one for free. • Make sure your computer has an anti-virus program on it and make sure you update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on, that way if you forget to update your software you can still be protected from threats
Precautions against Trojan Horses (3) • Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses. • Software developers like Microsoft offer patches that in a sense “close the hole” that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches your computer is kept much safer. • Avoid using peer-2-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because those programs are generally unprotected from viruses and Trojan Horse viruses are especially easy to spread through these programs. • Some of these programs do offer some virus protection but often they are not strong enough.
Precautions against Trojan Horses (4) • NEVER download blindly from people or sites which you aren’t 100% sure about. • Even if the file comes form a friend, you still must be sure what the file is before opening it. (Ask your friend whether she/he sent the files to you.) • Beware of hidden file extensions (Under Windowssusie.jpg.exeis only shown assusie.jpg) • Never user features in your programs that automatically get or preview files (outlook, preview mode ). • Never blindly type commands that others tell you to type, or go to the web site mentioned by strangers.
Well-known Trojan Horses • Back Orifice • Back Orifice 2000 • Beast Trojan • NetBus • SubSeven • Downloader-EV
List of Trojan Horses • http://en.wikipedia.org/wiki/List_of_trojan_horses
Spyware • In simpler terms, spyware is a type of program that watches after what users do with their computer and then send this information to a hacker over the internet. • Spyware can collect many different types of information about a user. • More benign programs can attempt to track what types of websites a user visits and send this information to an advertisement agency. • More malicious versions can try to record what a user types to try to intercept passwords or credit card numbers. • Yet other versions simply launch pop-ups with advertisements.
OSes Where Spyware Resides • As of 2006, spyware has become one of the pre-eminent security threats to computer-systems running Microsoft Windows OSes (and especially to users of Internet Explorer because of that browser's collaboration with the Windows operating system). • Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.
Spyware Certification • International Charter now offers software developers a Spyware-Free Certification program.
Typical Tactics Adopted by Spyware • Delivery of unsolicited pop-up advertisements. • Monitoring of Web-browsing activity for marketing purposes. • Theft of personal information
Adware • The term adware frequently refers to any software which displays advertisements, whether or not it does so with the user's consent. • Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. • Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Spyware and Pop-up Ads • Many of the programs frequently classified as spyware function as adware in a different sense: their chief observed behaviour consists of displaying advertising. • Claria Corporation's Gator Software and Exact Advertising's BargainBuddy provide examples of this sort of program. • Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user experiences a large number of pop-up advertisements.
Pop-under Ads • A variation on the pop-up window is the pop-under advertisement. This opens a new browser window, behind the active window. • Pop-unders interrupt the user less, but are not seen until the desired windows are closed, making it more difficult for the user to determine which Web site opened them.
Web Activity Monitor • Other spyware behavior, such as reporting on websites the user visits, frequently accompany the displaying of advertisements. • Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions. • The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. • Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
Identity Theft and Fraud • One case has closely associated spyware with identity theft. • Spyware had used it to transmit • chat sessions, • user names, • passwords, • bank information, etc. • Spyware has principally become associated with identity theft in that keyloggers are routinely packaged with spyware. • John Bambenek, who researches information security, estimates that identity thieves have stolen over $24 billion US dollars of account information in the United States alone
Routes of Infection • Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. • Instead, spyware gets on a system • through deception of the user • or through exploitation of software vulnerabilities.