• A computer virus is a malicious piece of executable code that
typically propagates by attaching itself to a host document, which
will generally be an executable file. [In the context of talking about viruses, the word
“host” means a document or a file. As you’ll recall from our earlier discussions, in the context of computer
networking protocols, a “host” is typically a digital device capable of communicating with other devices. Even
more specifically, in the context of networking protocols, a host is whatever is identified by a network address,
like the IP address.]
• Typical hosts for computer viruses are:
– Executable files (such as the ‘.exe’ files in Windows machines)
that may be sent around as email attachments
– Boot sectors of disk partitions
– Script files for system administration (such as the batch files
in Windows machines, shell script files in Unix, etc.)
– Documents that are allowed to contain macros (such as Microsoft Word documents, Excel spreadsheets, Access database
files, etc.)
• Any operating system that allows third-party programs to run
can support viruses.
• Because of the way permissions work in Unix/Linux systems, it
is more difficult for a virus to wreak havoc in such machines.
Let’s say that a virus embedded itself into one of your script files.
The virus code will execute only with the permissions that are
assigned to you. For example, if you do not have the permission
to read or modify a certain system file, the virus code will, in
general, be constrained by the same restriction. [Windows machines
also have a multi-level organization of permissions. For example, you can be an administrator with
all possible privileges or you can be just a user with more limited privileges. But it is fairly common
for the owners of Windows machines to leave them running in the “administrator” mode. That is,
most owners of Windows machines will have only one account on their machines and that will be the
account with administrator privileges. For various reasons that we do not want to go into here, this
does not happen in Unix/Linux machines.]
• At the least, a virus will duplicate itself when it attaches itself to
another host document, that is, to another executable file. But
the important thing to note is that this copy does
not have to be an exact replica of itself. In order to
make more difficult its detection by pattern matching, a virus
may alter itself when it propagates from host to host. In most
cases, the changes made to the virus code are simple, such as
rearrangement of the order independent instructions, etc. Viruses
that are capable of changing themselves are called mutating
viruses.
• Computer viruses need to know if a potential host is already
infected, since otherwise the size of an infected file could grow
without bounds through repeated infection. Viruses typically
place a signature (such as a string that is an impossible date) at
a specific location in the file for this purpose.
• Most commonly, the execution of a particular instance of a virus
(in a specific host file) will come to an end when the host file has
finished execution. However, it is possible for a more vicious virus
to create a continuously running program in the background.
• To escape detection, the more sophisticated viruses encrypt themselves with keys that change with each infection. What stays
constant in such viruses is the decryption routine.
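• The following is an added illustration, not code from these notes (and not FooVirus.pl): an in-memory simulation of three of the properties described in the bullets above, namely an infection marker that keeps a host from being infected twice, a body that is re-encrypted with a fresh key on every copy, and the fixed decryption routine that a scanner can still key on. Hosts are plain byte strings; nothing here touches the filesystem or executes anything. The marker, decryptor and body strings are constructed stand-ins.

```python
"""
Added example (not code from these notes, nor from FooVirus.pl): an in-memory
simulation of three virus properties described above -- an infection marker that
keeps a host from being infected twice, a body re-encrypted with a fresh key on
every copy, and the fixed decryption routine a scanner can still key on. Hosts
are plain byte strings; nothing here touches the filesystem or executes.
"""
import os

# Constructed stand-ins, not taken from any real virus.
MARKER = b"<<infected 9999-99-99>>"      # an "impossible date" used as the infection marker
DECRYPTOR = b"[decrypt-loop-stub]"        # stands in for the constant decryption routine
BODY = b"[propagate][conceal][payload]"   # stands in for the virus body proper


def xor(data, key):
    """One-byte XOR, playing the role of the virus's encryption."""
    return bytes(b ^ key for b in data)


def infect(host, key=None):
    """Return `host` with an encrypted copy of BODY attached.

    If MARKER is already present the host is returned unchanged, so repeated
    infection cannot make the file grow without bound. A fresh key is chosen
    per copy (never 0, which would leave BODY in the clear), so two copies
    differ byte-for-byte except for MARKER and DECRYPTOR.
    """
    if MARKER in host:
        return host
    if key is None:
        key = os.urandom(1)[0] | 1
    return host + MARKER + DECRYPTOR + bytes([key]) + xor(BODY, key)


def signature_hits(sample, signature):
    """Naive scanner: plain pattern matching on the bytes as stored."""
    return signature in sample


def emulate_and_match(sample):
    """Smarter scanner: locate the constant decryptor, read the key stored
    after it, decrypt the region that follows and match BODY in the clear."""
    i = sample.find(DECRYPTOR)
    if i < 0:
        return False
    key_pos = i + len(DECRYPTOR)
    if key_pos >= len(sample):
        return False
    key = sample[key_pos]
    start = key_pos + 1
    return xor(sample[start:start + len(BODY)], key) == BODY


if __name__ == "__main__":
    host = b"#!/bin/sh\necho hello\n"          # constructed host file
    first = infect(host, 0x5A)
    again = infect(first, 0x33)               # marker present: no second copy
    print("grew on reinfection:", len(again) != len(first))             # False
    print("body signature hits:", signature_hits(first, BODY))           # False
    print("decryptor signature hits:", signature_hits(first, DECRYPTOR)) # True
    print("emulating scanner hits:", emulate_and_match(first))           # True
```

The point to take away is the last two lines of the demo: a signature taken from the body never matches a stored copy (each copy uses a different key), but the decryptor is the same in every copy, so a scanner either matches on the decryptor or emulates it to get at the plaintext body.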
• The payload part of a virus is that portion of the code that is
not related to propagation or concealment.
• The main difference between a virus and a worm is that a worm
does not need a host document. In other words, a worm does not
need to attach itself to another program. In that sense, a worm
is self-contained.
• On its own, a worm is able to send copies of itself to other machines over a network.
• Therefore, whereas a worm can harm a network and consume
network bandwidth, the damage caused by a virus is mostly local
to a machine.
• But note that a lot of people use the terms ‘virus’ and ‘worm’
synonymously. That is particularly the case with the vendors of
anti-virus software. A commercial anti-virus program is supposed
to catch both viruses and worms.
• Since, by definition, a worm is supposed to hop from machine to
machine on its own, it needs to come equipped with considerable
networking support.
• With regard to autonomous network hopping, the important
question to raise is: What does it mean for a program to
hop from machine to machine?
• A program may hop from one machine to another by a variety of
means that include:
– By using the remote shell facilities, as provided by, say, ssh,
rsh, rexec, etc., in Unix, to execute a command on the remote machine. If the target machine can be compromised in
this manner, the intruder could install a small bootstrap program on the target machine that could bring in the rest of the
malicious software.
– By cracking the passwords and logging in as a regular user
on a remote machine. Password crackers take advantage of
people’s tendency to keep their passwords as simple as the
prevailing policies on password length and complexity allow.
– By exploiting buffer overflow vulnerabilities in networking software. In socket programming, a
client socket initiates a communication link with a server by sending a request to a server socket
that is constantly listening for such requests. If the code behind the server socket is vulnerable to
buffer overflow or other stack corruption, an attacker can use a malformed request to redirect
execution into system functions on the server machine that download and run the attacker’s code there.
• In all cases, the extent of harm that a worm can carry out depends
on the privileges of the account under which the worm’s code is
executing. So if a worm manages to guess someone’s password on
a remote machine (and that someone does not have superuser
privileges), the extent of harm done might be minimal.
• Nevertheless, even when no local “harm” is done, a propagating worm can bog down a network and, if the propagation is
fast enough, can cause a shutdown of the machines on the network. This can happen particularly when the worm is not smart
enough to keep a machine from getting reinfected repeatedly and
simultaneously. Machines can only support a certain maximum
number of processes running simultaneously.
• Thus, even “harmless” worms can cause a lot of harm by bringing
a network down to its knees.
• The Morris worm was the first really significant worm; in 1988 it
disrupted a large fraction of the internet of that day for several
days. It is named after its author, Robert Morris.
• The Morris worm used the following three exploits to jump over
to a new machine:
– A bug in the popular sendmail program that is used as a
mail transfer agent by computers in a network. At the time when this
worm attack took place, it was possible to send a message
to the sendmail program running on a remote machine with
the name of an executable as the recipient of the message. The
sendmail program, if running in the debug mode, would then
try to execute the named file, the code for execution being the
contents of the message. The code that was executed stripped
off the headers of the email and used the rest to create a small
bootstrap program in C that pulled in the rest of the worm
code.
– A bug in the finger daemon (fingerd) of that era, which
suffered from the buffer overflow problem presented in Lecture 21.
As explained in Lecture 21, if an executing program allocates
a buffer on the stack but does not check that the incoming
data will fit into the allocated space, the data can overwrite
what lies beyond the buffer on the stack, including the saved
return address. A malicious program can exploit this to create
fake stack frames and cause the rest of the program execution
to be not as originally intended.
– The worm used the remote shell program rsh to enter other
machines using passwords. It used various strategies to guess
people’s passwords. [This is akin to what is now commonly referred
to as the dictionary attack. Lecture 24 talks about such attacks in today’s networks.] When it was able to break into a user account, it
would harvest the addresses of the remote machines in their
‘.rhosts’ files.
• A detailed analysis of the Morris worm was carried out by Professor Eugene Spafford of Purdue University. The report written
by Professor Spafford is available from http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf.
• We turn next to the Slammer worm, which hit the networks in January 2003.
• The Slammer worm affected only machines running Microsoft SQL
Server 2000 (and the MSDE 2000 engine built on it). SQL Server 2000 includes a resolution
service, listening on UDP port 1434, that allows a client to send in a single UDP request to
quickly locate a named database instance. At the time the worm hit, this service suffered
from a buffer overflow vulnerability.
• Slammer sent just one UDP packet to each recipient. The protocol
says that the first byte of this UDP request should be 0x04 and
that the bytes that follow, at most 16 of them, should name the
SQL Server instance being sought. The specs further say that this
string must terminate in the null character.
• In the UDP packet sent by the Slammer worm to a remote machine, the first byte 0x04 was followed by a long string of bytes that
did not terminate in the null character. In fact, the byte 0x04
was followed by a long string of 0x01 bytes, so the information
copied onto the stack exceeded the 128 bytes of memory reserved
for the request.
• The bytes that overflowed the buffer carried Slammer’s network hopping code, and that is what the
server ended up executing. This code generated an IP address at random and sent the same UDP
request to it. The code ran in a loop, so an infected machine constantly sent out UDP requests to
remote machines selected at random; the whole worm fit in that one packet.
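• As an added example that is not part of the original notes, here is what the packet format just described looks like when you check it strictly, and what the worm’s behavior looks like from the network. The block has three parts: a parser for the 0x04 resolution request that enforces the rules the vulnerable server did not (null termination, the 16-byte name limit), a per-packet check that flags payloads shaped like the worm’s, and a fan-out check over flow records that catches a host spraying UDP/1434 requests at random addresses. The port number, the 0x04 tag, the 16-byte limit and the 128-byte buffer are as stated above; the sample packets and flow records are constructed for the example.

```python
"""
Added example, not code from the original notes: (1) a strict parser for the
SQL Server Resolution Service request that Slammer abused, (2) a per-packet
check that flags payloads shaped like the worm's, and (3) a fan-out check over
flow records that catches the random-target loop described above. The port,
the 0x04 tag, the 16-byte name limit and the 128-byte buffer are as stated in
the notes; the sample packets and flow records below are constructed.
"""
import random

SSRS_PORT = 1434        # UDP port of the SQL Server Resolution Service
REQ_INSTANCE = 0x04     # request type byte: "where is this named instance?"
MAX_NAME = 16           # an instance name is at most 16 bytes, then a NUL
STACK_BUFFER = 128      # size of the stack buffer the vulnerable server used

# Constructed sample packets.
GOOD_PACKET = b"\x04MSSQLSERVER\x00"
WORM_SHAPED = b"\x04" + b"\x01" * 375     # 0x04 then a long run of 0x01, no NUL


def parse_instance_request(payload):
    """Return the instance name of a well-formed request.

    Raises ValueError on anything outside the spec; these are exactly the
    range checks the vulnerable server skipped before copying into its buffer.
    """
    if len(payload) < 2 or payload[0] != REQ_INSTANCE:
        raise ValueError("not a 0x04 instance request")
    body = payload[1:]
    nul = body.find(b"\x00")
    if nul < 0:
        raise ValueError("instance name is not NUL-terminated")
    if nul == 0:
        raise ValueError("empty instance name")
    if nul > MAX_NAME:
        raise ValueError("instance name exceeds %d bytes" % MAX_NAME)
    try:
        name = body[:nul].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("instance name is not ASCII")
    if not name.isprintable():
        raise ValueError("instance name contains control bytes")
    return name


def looks_like_slammer(payload):
    """True for a 0x04 request the parser rejects whose unterminated name
    would not fit the server's 128-byte buffer: the shape of the worm packet."""
    if not payload or payload[0] != REQ_INSTANCE:
        return False
    try:
        parse_instance_request(payload)
        return False
    except ValueError:
        body = payload[1:]
        nul = body.find(b"\x00")
        name_len = len(body) if nul < 0 else nul
        return name_len > STACK_BUFFER


def scanning_sources(flows, min_targets=100):
    """flows: iterable of (src_ip, dst_ip, dst_port). Return the sources that
    sent UDP/1434 packets to at least `min_targets` distinct destinations,
    which is what the worm's random-address loop looks like from outside."""
    targets = {}
    for src, dst, dport in flows:
        if dport == SSRS_PORT:
            targets.setdefault(src, set()).add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def constructed_flows():
    """A benign client talking to two servers, and one host spraying UDP/1434."""
    rng = random.Random(2003)                      # seeded: reproducible sample
    flows = [("10.0.0.5", "10.0.0.10", SSRS_PORT)] * 3
    flows.append(("10.0.0.5", "10.0.0.11", SSRS_PORT))
    for _ in range(500):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append(("10.0.0.77", dst, SSRS_PORT))
    return flows


if __name__ == "__main__":
    print(parse_instance_request(GOOD_PACKET))                               # MSSQLSERVER
    print(looks_like_slammer(GOOD_PACKET), looks_like_slammer(WORM_SHAPED))  # False True
    print(scanning_sources(constructed_flows()))                             # {'10.0.0.77'}
```

Two points about the design: the per-packet check deliberately requires both a spec violation and an oversized name, so an ordinary client that merely sends a 20-character name is rejected by the parser but not reported as an attack; and the fan-out check needs no packet contents at all, which is why flow-level monitoring caught Slammer’s spread even at sites that did not run SQL Server.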
• By all accounts, the Conficker worm, which we take up next, is the most notorious worm that
has been unleashed on the internet in recent times. As reported
widely in the media, the worm was supposed to cause a major
breakdown of the internet on April 1, 2009, but, as you all know,
nothing happened. The current best speculation is that the worm
was let loose by one or more government organizations to test its
power to propagate using what is now known as the “MS08-067
vulnerability” of the Windows machines of that era. This speculation has been reinforced by the fact that another worm, Stuxnet,
which surfaced in 2010 while Conficker was still making
the rounds, shared several similarities with Conficker with regard
to how it broke into other machines. As was widely reported by
the media at the beginning of this decade, Stuxnet was used successfully to sabotage the nuclear program of a country. We will
talk about Stuxnet in Section 22.7.
• The Conficker worm infected a large number of machines around
the world, only not in the concerted manner people thought it
was going to. The worm infected only the Windows machines.
The infected machines exhibited the following symptoms:
– According to the Microsoft Security Bulletin MS08-067, at
the worst, an infected machine could be taken over by the
attacker, meaning by the human handlers of the worm.
– More commonly, though, the worm disabled the Automatic
Updates feature of the Windows platform.
– The worm also made it impossible for the infected machine to
carry out DNS lookup for the hostnames that correspond to
anti-virus software vendors.
– The worm could also lock out certain user accounts. This was
made possible by the modifications the worm made to the
Windows registry.
• On the older Windows platforms, a machine would be infected
with the worm by any machine sending to it a specially crafted
packet disguised as an RPC (Remote Procedure Call). On the
newer Windows platforms, the infecting packet had to be received
from a user who could be authenticated by the victim machine.
• Here are some issues highly relevant to understanding the capabilities and the power of the worm:
1. How did the worm get to a computer? There were
at least three different ways for that to happen. These are
described in the (a), (b), and (c) bullets below:
(a) A machine running an unpatched version of the Windows
Server service (hosted in svchost.exe) could be infected because of
a vulnerability with regard to how it handled remote code
execution needed by the RPC requests coming in through
port 445. As mentioned in Section 16.2 of Lecture 16, this
port is assigned to the resource-sharing SMB protocol that
is used by clients to access networked disk drives on other
machines and other remote resources in a network. So if
a machine accepted such RPC requests from the network — perhaps because it made some resources available to clients — it would be open
to infection through this mechanism. [RPC stands
for Remote Procedure Calls. With RPC, one machine can invoke a function in another machine without having to worry about the intervening transport mechanisms that carry the
commands in one direction and the results in the other direction.] When such
a machine received a specially crafted string on
its port 445, the machine would (1) download
a copy of the worm using the HTTP protocol
from another previously infected machine and
store it as a DLL file; (2) execute a command
to get a new instance of the svchost process to
host the worm DLL; (3) enter appropriate entries in the registry so that the worm DLL was
executed when the machine was rebooted; (4)
gave a randomly constructed name to the worm
file on the disk; and (5) then continued the propagation.
[As described in the “Know Your Enemy (KYE)” paper available from
https://www.honeynet.org/papers/conficker/, the problem was with the Windows API
function NetpwPathCanonicalize() that is exported by netapi32.dll over an SMB session
on TCP port 445. The purpose of this function is to canonicalize a path string, i.e., to collapse
“.” and “..” components so that, for instance, aaa\bbb\..\ccc becomes \aaa\ccc. When, in an SMB session, this function was
supplied with a specially crafted string by a remote host, it was possible to alter the function’s return address in the stack frame for the function being executed. The attacker then
used the redirected return address to invoke a function like URLDownloadToFile()
to pull in the worm file. Once the worm file had been pulled into the machine, it could
be launched in a separate process/thread as a new instance of svchost.exe by calling the
LoadLibrary() function whose sole argument was the name of the newly downloaded worm
file. The LoadLibrary command also copied the worm file into the system root.] This
was referred to as the MS08-067 mode of propagation for the worm.
(b) Once a machine was infected, the worm could drop a copy
of itself (usually under a different randomly constructed
name) in the hard disks on the other machines mapped in
the previously infected machine (I am referring to “network
shares” here). If it needed a password in order to drop
a copy of itself at these other locations, the worm came
equipped with a list of 240 commonly used passwords. If
it succeeded, the worm created a new folder at the root of
these other disks where it placed a copy of itself. This was
referred to as the NetBIOS Share Propagation
Mode for the worm.
(c) The worm could also drop a copy of itself as the autorun.inf
file in USB-based removable media such as memory sticks.
This allowed the worm copy to execute when the drive was
accessed (if Autorun was enabled). This was referred
to as the USB Propagation Mode for the worm.
2. Let’s say a machine had a pre-patch version of svchost.exe
and that an infected machine sent the machine a particular RPC on port 445 to exploit the MS08-067 vulnerability. For this RPC to be able to drop the worm DLL into
a system folder, the outsider trying to break in would need
certain write privileges on the victim machine. How did
the worm trying to break in acquire the needed
write privileges on a victim machine? As described
in the Microsoft MS08-067 bulletin, the worm first tried to use
the privileges of the user currently logged in. If that did not
succeed, it obtained a list of the user accounts on the target
machine and then it tried over a couple of hundred commonly used passwords to gain write access. Therefore, an unpatched
svchost.exe and weak passwords for the user accounts placed your machine at an increased risk of
being infected.
3. Once the worm had lodged itself in a computer,
how did it seek other computers to infect? We
are talking about computers that do not directly share any
resources with the previously infected machine either in a
LAN or a WAN. Another way of phrasing the same question
would be: What was the probability that a Windows machine at a particular IP address would be
targeted by an unrelated infected machine? Based
on the reports on the frequency with which honeypots were
infected, it would seem that a random machine connected
to the internet was highly likely to be infected.
4. It was suspected that the human handlers of the worm could
communicate with it. That raised the question: How did
these humans manage to do so without leaving a
trace as to who they were and where they were
located? Note that Microsoft had offered a $250,000 bounty
for apprehending the culprits.
5. Because of the various versions of the worm that were detected, it was believed the worm could update itself through its
peer-to-peer communication abilities. Could one imagine
that several of the infected peers working in concert could cause internet disruptions that could be
beyond the capabilities of the individual hosts? Obviously, spam, spyware, and other malware emanating from
thousands of randomly-activated hosts working collaboratively
would be much more difficult to suppress than when it is coming from a fixed location.
6. Once a machine was infected, could you get rid of
the worm with anti-virus software? We will see later
how the worm cleverly prevented an automatic download of
the latest virus signatures from the anti-virus software vendors
by altering the DNS software on the infected machine. When a
machine could not be disinfected through automatic methods,
you had to resort to a more manual intervention consisting of
downloading the anti-virus tool on a separate clean machine,
possibly burning a CD with it, and, finally, installing and
running the tool on the infected machine.
7. It was an important question of the day whether
an infected machine could be restored to good
health by simply rolling back the software state
to a previously stored system restore point. Since
the worm was capable of resetting the system restore points,
this approach to system recovery was not available.
8. The Conficker worm is also known by a number of other names
that include Downadup and Kido.
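• The footnote under item 1(a) above describes what NetpwPathCanonicalize() is for. As an added illustration, not code from the notes and not Microsoft’s code, here is a canonicalizer for backslash-separated share paths that collapses “.” and “..” as the footnote describes and, in addition, refuses any “..” that would climb above the root. The second function keeps its output in a fixed-size buffer and walks a write cursor backwards on “..”, the way a C routine over a stack buffer would; the `w == 0` guard and the capacity check are the two bounds such a routine must enforce, and an implementation that walks backwards without the lower bound is exactly the kind of thing that lets attacker-supplied “..” components corrupt the stack. The buffer size and the sample paths are constructed for the example.

```python
"""
Added example, not code from the notes or from Microsoft: canonicalization of
backslash-separated paths with both bounds enforced. The list version is the
clear statement of the algorithm; the fixed-buffer version shows where a
cursor-walking C implementation has to check its lower and upper bounds.
"""
SEP = ord("\\")
OUT_SIZE = 64            # fixed output buffer, standing in for a C stack buffer


def canonicalize(path):
    """Return the canonical absolute form of `path`, or None if some
    '..' component would escape the root."""
    components = []
    for comp in path.split("\\"):
        if comp in ("", "."):
            continue                 # empty (leading or doubled '\') and '.' add nothing
        if comp == "..":
            if not components:
                return None          # nothing above the root to walk back to
            components.pop()
            continue
        components.append(comp)
    return "\\" + "\\".join(components)


def canonicalize_fixed(path_bytes):
    """Cursor-over-a-buffer version. Returns the canonical bytes, or None if
    the path would underflow the buffer (too many '..') or overflow it."""
    out = bytearray(OUT_SIZE)
    w = 0                                    # write cursor: bytes used so far
    for comp in path_bytes.split(b"\\"):
        if comp in (b"", b"."):
            continue
        if comp == b"..":
            if w == 0:
                return None                  # lower bound: would walk before out[0]
            w -= 1                           # onto the last byte of the previous component
            while w > 0 and out[w] != SEP:
                w -= 1                       # back to the separator that began it
            continue
        if w + 1 + len(comp) > OUT_SIZE:
            return None                      # upper bound: separator + component must fit
        out[w] = SEP
        out[w + 1:w + 1 + len(comp)] = comp
        w += 1 + len(comp)
    return bytes(out[:w]) if w else b"\\"


if __name__ == "__main__":
    for p in ("aaa\\bbb\\..\\ccc", "\\aaa\\.\\bbb\\", "\\..\\windows\\system32"):
        print(repr(p), "->", canonicalize(p), canonicalize_fixed(p.encode()))
```

Both functions return None rather than a path for the root-escaping inputs; a caller that maps share paths onto a real directory tree must treat that as a rejection, not as “the root”.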
• The Stuxnet worm, which we take up next, made a big splash in July 2010.
• As computer worms go, Stuxnet is in a category unto itself. As
you now know, worms have generally been programmed to attack personal computers, particularly the computers running the
Windows operating systems, for such nefarious purposes as stealing credit-card or bank information, sending out spam, mounting
coordinated denial-of-service attacks on enterprise machines, etc.
Stuxnet, on the other hand, was designed specifically to attack a
particular kind of industrial control software, generically known as SCADA. [SCADA
stands for Supervisory Control and Data Acquisition. It is a key piece of software that has allowed for much
factory and process control automation. With SCADA, a small team of operators can monitor an entire production process from a control room and, when so needed, make adjustments to the parameters in order to
optimize the production. As to what parameters can be monitored, the list is endless — it depends on what
type of process is being monitored by SCADA. In discrete parts manufacturing, the parameters could be the
speeds of the conveyor belts, calibration parameters of production devices, parameters related to the optimized
operation of key equipment, parameters related to emissions into the environment, etc. Here is a brief list
of where SCADA is used: climate control in large interiors, nuclear power plants, monitoring and control of
mass transit systems, water management systems, digital pager alarm systems, monitoring of space flights and
satellite systems, etc. With web based SCADA, you could monitor and control a process that is geographically
distributed over a wide area.] It has been conjectured in the news media that the purpose of Stuxnet was to harm the processes related to
the production of nuclear materials in certain countries.
• The Stuxnet worm was designed to attack the SCADA systems
used in the industrial gear supplied by Siemens for process control — presumably because it was believed that such industrial
equipment was used by the nuclear development industry in certain countries.
• A German engineer, Ralph Langner, who was the first to analyze
the worm, has stated that the worm was designed to jump from
personal computers to the Siemens computers used for SCADAbased process control. Once it had infiltrated SCADA, it could
fake the data sent by the sensors to the central monitors so that
the human operators would not suspect that anything was awry,
while at the same time creating potentially destructive malfunction in the operation of the centrifuges used for uranium enrichment. More specifically, the worm caused the frequency converters used to control the centrifuge speeds to raise their frequencies
to a level that would cause the centrifuges to rotate at too high
a speed and to eventually self-destruct.
• If all of the media reports about Stuxnet are to be believed, this
is possibly the first successful demonstration of one country attacking another through computer networks and causing serious
harm.
• Apart from its focus on a specific implementation of the SCADA
software and, within SCADA, its focus on particular parameters
related to specific industrial gear, there exist several similarities
between the Conficker worm and the Stuxnet worm. At the least,
one of the three vulnerabilities exploited by the Stuxnet worm is
the same as one exploited by the Conficker worm, as explained in the rest
of this section.
• For a detailed analysis of the Stuxnet worm, see the report by
the security company Trend Micro at http://threatinfo.trendmicro.com/
vinfo/web_attacks/Stuxnet%20Malware%20Targeting%20SCADA%20Systems.html Trend Micro also makes available a tool that can scan your disk files to see
if your system is infected with this worm: http://blog.trendmicro.com/
stuxnet-scanner-a-forensic-tool/
• The Stuxnet worm exploits the following vulnerabilities in the
Windows operating system:
– Propagation of the worm is facilitated by the MS10-061 vulnerability related to the print spooler service in the Windows
platforms. This allows the worm to spread in a network of
computers that share printer services.
– The propagation and local execution of the worm is enabled by
the same Windows MS08-067 vulnerability related to remote
code execution that we described earlier in Section 22.6. As
you will recall from Section 22.6, if a machine is running an unpatched version of the Windows Server service hosted in svchost.exe
and you send it a specially crafted string on its port 445, you
can get the machine to download a copy of malicious code
using the HTTP protocol from another previously infected
machine and store it as a DLL, etc. See Section 22.6 for
further details.
– The worm can also propagate via removable disk drives through
the MS10-046 vulnerability in the Windows shell. As stated in
the Microsoft bulletin related to this vulnerability, it allows for
remote code execution if a user clicks on the icon of a specially
crafted shortcut that is displayed on the screen. MS10-046 is
also referred to as the Windows shortcut vulnerability as it
relates to the .LNK suffixed link files that serve as pointers to
actual .exe files.
• How afraid should you be of viruses and worms? The short answer is: very afraid. Viruses and worms can
certainly clog up your machine, steal your information, and cause
your machine to serve as a zombie in a network of such machines
controlled by bad guys to provide illegal services, spew out spam,
spyware, and such.
• For a long answer, it depends on your computing habits. To offer
myself as a case study:
My Windows computers at home do not have anti-virus
software installed (intentionally), yet none has been infected so far (knock on wood!!). This is NOT a recommendation against anti-virus tools on your
computer. My computers have probably been spared
because of my personal computing habits: (1) My email host
is a Unix machine at Purdue; (2) I have a very powerful spam filter (of my
own creation) on this machine that gets rid of practically all of the unsolicited
junk; (3) The laptop on which I read my email is a Linux (Ubuntu) machine;
(4) The several Windows machines that I have at home are meant for the Windows Office suite of software utilities and for amusement and entertainment;
(5) When I reach out to the internet from the Windows machines, I generally
find myself visiting the same newspaper and other such sites every day; (6)
Yes, it is true that Googling can sometimes take me into unfamiliar spaces on
the internet, but, except for occasionally searching for the lyrics of a song that
has caught my fancy, I am unlikely to enter malicious sites (the same can be
said about the rest of my family); and, finally — and probably most importantly — (7) my home network is behind a router and therefore benefits from
a generic firewall in the router. What that means is that there is not a high
chance of malware landing in my Windows machines from the internet. The
point I am making is that even the most sinister worm cannot magically take a
leap into your machine just because your machine is connected to the internet
provided you are careful about sharing resources with other machines, about
how you process your email (especially with regard to clicking on attachments
in unsolicited or spoofed email), what sites you visit on the internet, etc.
• You must also bear in mind the false sense of security
that can be engendered by the anti-virus software. If
my life’s calling was creating new viruses and worms, don’t you
think that each time I created a new virus or a worm, I would first
check it against all the malware signatures contained in the latest
versions of the anti-virus tools out there? Obviously, I’d unleash
my malware only if it cannot be detected by the latest signatures.
[It is easy to check a new virus against the signatures known to anti-virus
vendors by uploading the virus file to a web site such as www.virustotal.com.
Such sites send back a report — free of charge — that tells you which
vendor’s anti-virus software recognized the virus and, if it did, under what
signature. Bear in mind, though, that such sites share the uploaded samples with the vendors, so a careful
malware author would not test an unreleased sample there.] What that means is that I would be able to cause a lot
of damage out there before the software companies start sending
out their patches and the anti-virus companies start including the
new signature in their tools. Additionally, if I selectively target
my malware, that is, infect the machines only within a certain
IP address block, the purveyors of anti-virus tools may not even
find out about my malware for a long time and, in the meantime,
I could steal a lot of information from the machines in that IP
block.
• Additionally, if you are a virus writer based in a country where
you are not likely to be hunted down by the law, you could write
a script that automatically spits out (every hour or so) a new
variant of the same virus by injecting dummy code into it (which
would change the signature of the virus). It would be impossible
for the anti-virus folks to keep up with the changing signatures.
• Another serious shortcoming of anti-virus software is that it only
scans the files that are written out to your disk for any malicious
code. Now consider the case when an adversary attacks your
machine with a new worm-bearing payload crafted with the help
of the powerful Metasploit Framework [See Lecture 23 for the Metasploit
Framework.] with the intention of depositing, only in the main memory (RAM)
of your machine, a piece of code that will scan your disk files for
information related to your credit cards and bank account. The
adversary has no desire for this malicious code to be stored as
a disk file in your computer. It is just a one-time attack,
but a potentially dangerous one. An anti-virus tool that only scans the disk files will not be able to catch this kind of an
attack. [Obviously, such malware can be cleaned up by just rebooting the machine. However, should
an adversary decide to scan/spam your machine frequently, a reboot would give you only a temporary reprieve
from the malware.]
• Considering all of these shortcomings of anti-virus software, what
can a computer user do to better protect his/her machine against
malware? At the very least, you should place all of your passwords (and these days who does not have zillions of passwords)
and other personal and financial information in an encrypted file.
It is so ridiculously easy to use something like a GPG
encrypted file that is integrated seamlessly with all
major text editors. That is, when you open a “.gpg” file
with an editor like emacs (my favorite editor), it is no different
from opening any other text file — except for the password you’ll
have to supply. With this approach, you have to remember only
one master password and you can place all others in a “.gpg”
file. GPG stands for the Gnu Privacy Guard. I should also mention that for emacs to work with the “.gpg” files in the manner
I have described, you do have to insert some extra code in your
.emacs file. This addition to your .emacs is easily available on
the web.
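• Here, as an added illustration that is not from these notes, is the .emacs addition being referred to. It relies on EasyPG (the epa-file library), which has shipped with Emacs since version 23; the pinentry line is optional and assumes Emacs 25 or later with GnuPG 2.1 or later.

```elisp
;; ~/.emacs: transparent editing of *.gpg files via EasyPG (bundled with Emacs 23+)
(require 'epa-file)
(epa-file-enable)
;; Optional (Emacs 25+, GnuPG 2.1+): ask for the passphrase in the minibuffer
;; instead of an external pinentry window.
(setq epa-pinentry-mode 'loopback)
```

With this in place, visiting a file whose name ends in .gpg decrypts it into the buffer after asking for the passphrase, and saving re-encrypts it. When you save a new .gpg file, Emacs asks you to select recipient keys; selecting none makes it fall back to symmetric (passphrase-only) encryption, which is the single master password described above.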
• For enterprise level security against viruses and worms, if your
machine contains information that is confidential, at the least you
would also need an IDS engine in addition to the anti-virus software. [IDS, as mentioned in Lecture 23, stands for Intrusion Detection System. Such a system can be programmed to alert you whenever there is an attempt to access certain
designated resources (ports, files, etc.) in your machine.] You could also use
IPS (which stands for Intrusion Prevention System) for filtering
out designated payloads before they have a chance to harm your
system and encryption in order to guard the information that is
not meant to leave your machine in a manner unbeknownst to
you or, if it does leave your machine, that would be gibberish to
whomsoever gets hold of it. Obviously, all of these tools meant
to augment the protection provided by anti-virus software create
additional workload for a computer user (and, as some would say,
take the fun out of using a computer).
• On account of the shortcomings that are inherent to the anti-virus
software, security researchers are also looking at alternative approaches to keep your computer from executing malware. These
new methods fall in two categories: (1) whitelisting and (2) behavior blocking.
• On a Windows machine, an anti-malware defense based on whitelisting implies constructing a list of the DLLs that are allowed to
be executed on the machine. One of the problems with this approach is that every time you download, say, a legitimate patch
for some legal software on your machine, you may have to modify
the white list since the patch may call for executing new DLLs.
It is not clear if a non-expert user of a PC would have the competence — let alone the patience — to do that.
• Anti-malware defense based on behavior blocking uses a large
number of attributes to characterize the behavior of executable
code. These attributes could be measured automatically by executing the code in, say, a chroot jail (See Lecture 17 for what that
means) on your machine so that no harm is done. Subsequently,
any code could be barred from execution should its attributes
turn out to be suspect.
1. The best tools against malware are built by those good guys who
have the ability to think like the bad guys. [One reason why it is so easy
to do bad deeds on the internet is that its foundational protocols were designed by genuinely good people who
could never have imagined that there would be people out there who might want to make their living through
identity theft, credit-card theft, incessant spamming, etc.] So think about how you
can modify the code in FooVirus.pl and AbraWorm.pl to turn
these scripts into truly dangerous tools.
2. What is the relationship between the svchost.exe program and the
DLLs in your Windows machine? What is the role of the svchost
process at the system boot time?
3. What is it about the svchost.exe program in a Windows machine
that makes its vulnerabilities particularly deadly?
4. Describe briefly the three principal propagation mechanisms for
the Conficker worm?
5. How does the Conficker worm drop a copy of itself in the hard
disks of the other computers that are mapped in your computer?
More to the point, how does the worm get the permissions it needs
in order to be able to write to the memory disks that belong to
the other machines in the network?
6. What is a honeypot in network security research? And, what is
a honeynet?
7. Programming Assignment:
Taking cues from the code shown for AbraWorm.pl in Section
22.4, turn the FooVirus virus of Section 22.2 into a worm by incorporating networking code in it. The resulting worm will still
infect only the ‘.foo’ files, but it will also have the ability to hop
into other machines.
8. Programming Assignment:
Modify the code AbraWorm.pl code in Section 22.4 so that no
two copies of the worm are exactly the same in all of the infected
hosts at any given time. One way to accomplish this would be
by inserting worm alteration code after the comment line
# Finally, deposit a copy of AbraWorm.pl at the target host:
that you see near the end of the main infinite loop in the script.
This additional code in the worm could insert some extra newline characters between a randomly chosen set of lines, some extra randomly selected characters in the comment blocks, some
extra white space between the identifiers in each statement at randomly chosen places, and so on. And if you are ambitious,
you can get the worm to modify the code in more significant
ways (without altering its overall logic) before depositing a copy
of itself in a target host. For example, since you can use different
control structures for infinite loops, you could randomly choose
from amongst a given set of possibilities for each new version of
the worm. The net result of all these changes on the fly will be
that you will make it much harder for the worm to be recognized
with simple signature based recognition algorithms.
9. Programming Assignment:
If you examine the code in the worm script AbraWorm.pl in
Section 22.4, you’ll notice that, after the worm has broken into a
machine, it examines only the top-level directory of the username
for the files containing the magic string “abracadabra.” Extend
the worm code so that it descends down the directory structure
and examines the files at every level. If you are unfamiliar with
how to write scripts for directory scanning, you will see Perl examples for that in Section 2.16 of Chapter 2 and Python examples
in Section 3.14 of Chapter 3 in my book “Scripting with Objects.”