Electronic Sabotage
From Edupage 12/14/94
"An Ernst & Young/Information Week magazine survey found 54% of companies
reported some form of financial loss over the past 24 months as a result of
computer problems such as malicious acts or system crashes, including 17%
reporting losses as high as $250,000. (Toronto Financial Post 12/15/94 p.6)"
Trojan Horse
- Something used to subvert an organization from within by abusing misplaced trust
- In computer jargon it means an unauthorized software segment placed inside a trusted program (e.g. a word processor, operating system, compiler etc.), so that it runs with the trust, and the privileges, given to that program
Example: The Cookie Monster
- Signals its presence by announcing
"I want a cookie."
- Typing the word "cookie" will make the monster go away
- If ignored the monster will return with
"I really want a cookie!"
- The monster appears more and more frequently with increasingly insistent demands until it makes a serious threat:
"I'll remove some of your files if you don't give me a cookie."
- Many viruses and trojan horses contain a "logic bomb"
- On a certain date, or when some other trigger condition is met, the bomb goes off (a date-triggered one is often called a "time bomb")
- Its effect may be
- displaying a message on the computer's screen
- erasing all the information on the hard disk or corrupting data files
- damaging the computer's hardware
- Viruses are unauthorized software segments that copy themselves into other executable programs
- They move from computer to computer attached to files (e.g. on floppy disks, as part of a file attached to an email message, or on files downloaded from bulletin boards or ftp servers)
- They perform unauthorized functions
- time-wasting
- sometimes destructive
- presence is not immediately obvious
- The first PC virus attack outside a test lab was in 1986. (Brain or Pakistani virus)
- There are now several hundred different known viruses.
- There are also a number of commercially available virus protection programs. Examples: F-PROT Virus Protection Tool and Virus Scan Software
- The virus code searches the user's files for one that is:
- an executable program (rather than a text or data file)
- writable by the user (permission to modify)
- not already infected
- The virus "infects" the file by inserting its code into the selected program file, in one of three ways:
- Shell Virus: the virus becomes the program, with the original host program reduced to an internal subroutine of the viral code
- Add-on Virus: the viral code is added either to the beginning or the end of the host code, and the start-up information (the entry point) is altered so that the virus code executes before the host code
- Intrusive Virus: the virus replaces some or all of the original code with viral code (e.g. overwrites a subroutine with the virus), so the host may no longer work correctly
A single program can have more than one virus attached.
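To make the candidate selection and the add-on mechanics concrete, here is an added Python model; it is not code from this page, and it uses an invented toy executable format (4-byte magic, 2-byte entry offset, body) rather than a real one. MAGIC, VIRAL_MARK, STUB and every function are this example's own names. It shows the three candidate tests, how an add-on infection redirects the entry point so the viral segment runs before the host, why the "not already infected" marker matters, and what removing the virus takes once its layout is known.

```python
import struct

# Toy executable format invented for this example (not a real file format):
#   bytes 0-3  magic "TOYX"
#   bytes 4-5  entry offset, big-endian, relative to the start of the body
#   bytes 6-   body
MAGIC = b"TOYX"
VIRAL_MARK = b"VIRL"        # marker the virus leaves so it does not infect the same file twice
STUB = b"<viral code>"      # stands in for the code the virus wants run before the host
HEADER_LEN = 6


def make_exe(body: bytes, entry: int = 0) -> bytes:
    return MAGIC + struct.pack(">H", entry) + body


def is_executable(image: bytes) -> bool:
    return image[:4] == MAGIC


def entry_of(image: bytes) -> int:
    return struct.unpack(">H", image[4:6])[0]


def is_infected(image: bytes) -> bool:
    # An add-on infection always puts the marker at the very start of the body
    return is_executable(image) and image[HEADER_LEN:HEADER_LEN + 4] == VIRAL_MARK


def select_targets(files: dict) -> list:
    """files maps name -> (image, writable). Apply the three tests from the text:
    executable, writable by the user, not already infected."""
    return [name for name, (image, writable) in files.items()
            if is_executable(image) and writable and not is_infected(image)]


def infect(image: bytes) -> bytes:
    """Add-on infection. New body layout:
         MARK | saved original entry (2 bytes) | STUB | original body
    and the header's entry offset is pointed at STUB, so the virus runs first."""
    if not is_executable(image) or is_infected(image):
        return image
    body = image[HEADER_LEN:]
    new_body = VIRAL_MARK + struct.pack(">H", entry_of(image)) + STUB + body
    return make_exe(new_body, entry=4 + 2)      # offset of STUB within new_body


def disinfect(image: bytes) -> bytes:
    """The removal a scanner that recognizes this specific virus can perform:
    drop the prepended segment and restore the saved entry offset."""
    if not is_infected(image):
        return image
    saved_entry = struct.unpack(">H", image[HEADER_LEN + 4:HEADER_LEN + 6])[0]
    body = image[HEADER_LEN + 6 + len(STUB):]
    return make_exe(body, entry=saved_entry)


if __name__ == "__main__":
    host = make_exe(b"host program code", entry=3)      # constructed clean program
    files = {
        "EDIT.EXE": (host, True),             # executable, writable, clean -> target
        "NOTES.TXT": (b"plain text", True),   # not executable              -> skipped
        "SYS.EXE": (host, False),             # read-only                   -> skipped
        "GAME.EXE": (infect(host), True),     # already carries the marker  -> skipped
    }
    print("targets:", select_targets(files))
    sick = infect(host)
    print("entry before/after:", entry_of(host), entry_of(sick))
    print("restored:", disinfect(sick) == host)
```

Removal depends entirely on knowing the layout the virus used; that is why a scanner can disinfect only the viruses it recognizes, and why an intrusive virus that overwrote part of the host cannot be undone this way at all.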
- "Ordinary" Virus
- When a program infected with a virus is run, the virus infecting it immediately takes command.
- The virus finds and infects another program somewhere in the computer's disk store, after which the virus returns control to the invoked program
- Memory Resident Virus
- The virus installs itself as a memory-resident program
- the virus remains active even after the original infected program stops running
- infects subsequently executed programs until the computer is turned off or a hardware reset is done
- does its work so quickly that no immediate effect is likely to be noticed by the user
- Dormant Phase Virus
- Some viruses have a "dormant" phase before they begin propagating and/or showing visible signs of their presence, to hide the infection and attain wider distribution before they are discovered
- Implied Loader Virus
- Once the virus is active, clean application programs become infected as soon as they are executed (Example - MBDFA)
- A virus is a relatively passive agent
- It relies on ordinary users for its activation and propagation
- Viruses are most likely to be found on small computers such as PCs and Macs, either stand-alone or networked.
- The propagation of viruses is largely dependent on the behavior of ordinary users, and many of the machines that can be affected are wholly the responsibility of such users.
- A virus can travel:
- from one file to another file on the same machine when a virus infected file is executed
- from machine memory to a file on a disk (this is why you should cold boot and virus check the machine before you start using it in the lab)
- on a disk that is carried from one machine to another
- on an executable file that is an attachment to an email message (note that it is not the message but the attachment that can carry a virus, and your machine will not become infected unless you execute the file, which includes opening a document whose macros run automatically)
- over a modem or network on a file downloaded from a bulletin board or ftp server
A virus can do damage in many ways; for example, it can:
- destroy the file allocation table (FAT) that keeps track of where on a disk the segments of programs and data files are stored, thereby causing the user to lose everything on the disk
- corrupt the system files so that all of the system software has to be reloaded
- change the disk assignment so that data are written to the wrong disk, particularly upsetting when the data are directed to a RAM disk and lost when the system is shut off
- erase specific executable programs and/or data files on hard disks or on a floppy disk or both
- alter data in data files
- suppress the execution of RAM-resident programs
- create bad sectors on a disk, sometimes destroying parts of programs and data files (Brain does this)
- decrease the free space available on the disk by making extra copies of programs and/or data files, without interfering with the working of the program
- write a volume label on a disk (Brain does this)
- format specific tracks on disks or format the entire disk
- overwrite the disk's directory with garbage
- hang the system so that it will not respond to any keyboard entry and requires a cold reboot
- cause programs to crash inexplicably when an item is selected from the menu bar
Authors do not generally name or take credit for their work
Those who discover the virus name it based on:
- where it was first discovered or where a major infection occurred (Lehigh and Alameda)
- some definitive string or value used by the program (Brain)
- number of bytes by which they extend infected programs (1740 and 1280)
- software for which the virus shows an affinity - (dBase)
There is no way to prevent viruses that is both foolproof and practical - that is, not counterproductive in other ways.
The most effective strategy combines:
- sensitizing employees to the causes and consequences of viral infection
- anti-viral tools
- keeping up to date on currently active viruses, what they do, and how they are contracted
General guidelines regarding prevention of viral infection:
- Commercial software is less likely to be infected than public domain software or software downloaded from bulletin-board systems (though shrink-wrapped software has shipped infected, so "less likely" is not "never")
- Be extremely careful downloading from bulletin boards (for what may happen if you are not, see the MBDFA virus)
- Data files do not ordinarily carry viruses, so they can be moved between machines with minimal exposure to infection, subject to the following precautions
Cautions:
- Do not use bootable disks for data storage since there are boot sector viruses
Note: all formatted disks have a boot sector whether they are bootable or not and can carry a boot sector virus. The boot sector virus will not become active unless you attempt to boot from that disk.
- Some things users may think of as data files are actually executable (e.g. Paradox scripts, Lotus macros, Word macros); opening such a "document" runs its macros, so it must be treated as a program
A case in point is the Word macro virus
- Write-protect executable files (MS-DOS machines: .COM .EXE .OVL)
This is by no means an absolute safeguard, since such protections are easily removed.
Unfortunately, some legitimate programs modify their executable file, for instance to store configuration information, so write-protecting those files is not always possible
Anti-viral tools fall into three categories:
1. Programs that monitor the activities of executing programs
- Warn when an attempt to write to an executable file occurs
- Can result in false alarms which the typical user may not understand
- Being terminate-and-stay-resident (TSR) programs, they can have unexpected and unpleasant interactions with other executing software
- Use this sort of program only as part of a screening procedure for new software before it is installed
2. Programs that monitor program files on disk
- Check for and report modifications to files (typically by comparing a checksum or fingerprint of each file against one recorded when the system was believed clean)
- Can give false alarms on programs that legitimately modify their own executable files
- Once such programs are identified, can be quite effective in discovering a viral infection, including one by a virus nobody has seen before
- Can not eliminate a virus
3. Programs that identify infection by specific viruses
- Can detect that a program has been infected by a known virus, and can remove the virus
- These can be run on programs before they are installed on a system
- Disadvantage:
- Can only detect the viruses known when the antiviral program was developed or was last updated
- Even when the developer has an aggressive update policy, there is an unavoidable lag between the time a new virus is introduced and the time programs to detect it become available
- However, most viruses that infect systems are old viruses that are known and detectable by these programs
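As an added illustration of categories 2 and 3 (not code from this page or from any product named on it), the following Python script builds a baseline of file fingerprints, reports changes against it with an allowance for known self-modifying programs, and separately scans for known byte patterns. The file contents, the SELF_MODIFYING set and the SIGNATURES table are all constructed for the example, and SHA-256 stands in for the CRC or checksum a 1995 checker would have used.

```python
import hashlib

# Constructed sample program files (name -> contents); not real binaries.
CLEAN = {
    "EDIT.EXE":  b"MZ editor code",
    "GAME.COM":  b"game code",
    "SETUP.EXE": b"MZ setup code config=1",
}
# Programs known to rewrite themselves (e.g. to store configuration); a change
# to these is expected and must not be reported as an infection.
SELF_MODIFYING = {"SETUP.EXE"}

# Constructed signature database (virus name -> byte pattern). Both entries
# are invented stand-ins for the patterns a scanner of the period shipped.
SIGNATURES = {
    "Toy.Appender":   b"<viral code>",
    "Toy.Overwriter": b"\xde\xad\xbe\xef",
}


def fingerprint(data: bytes) -> str:
    # Period checkers used CRCs or checksums, which a virus can forge; a
    # cryptographic hash is the modern stand-in.
    return hashlib.sha256(data).hexdigest()


def baseline(programs: dict) -> dict:
    """Category 2: record a fingerprint of every program while the system is believed clean."""
    return {name: fingerprint(data) for name, data in programs.items()}


def check_integrity(programs: dict, base: dict, expected: set = frozenset()) -> dict:
    """Category 2: report every file whose fingerprint differs from the baseline.
    Names in `expected` are flagged as 'changed (expected)' rather than 'MODIFIED'
    so that self-modifying programs do not raise a false alarm."""
    report = {}
    for name, data in programs.items():
        if name not in base:
            report[name] = "new"
        elif fingerprint(data) != base[name]:
            report[name] = "changed (expected)" if name in expected else "MODIFIED"
    for name in base:
        if name not in programs:
            report[name] = "missing"
    return report


def scan_signatures(programs: dict, sigs: dict) -> dict:
    """Category 3: find known viral byte patterns. Returns {file: [virus names]}."""
    hits = {}
    for name, data in programs.items():
        found = [virus for virus, pattern in sigs.items() if pattern in data]
        if found:
            hits[name] = found
    return hits


def later_state() -> dict:
    """Constructed 'some time later' snapshot of the same disk."""
    later = dict(CLEAN)
    later["SETUP.EXE"] = b"MZ setup code config=2"               # legitimate self-modification
    later["EDIT.EXE"] = b"<viral code>" + CLEAN["EDIT.EXE"]       # known add-on virus attached
    later["GAME.COM"] = b"\x90\x90unknown" + CLEAN["GAME.COM"]   # new virus with no signature yet
    return later


if __name__ == "__main__":
    base = baseline(CLEAN)
    print("integrity:", check_integrity(later_state(), base, SELF_MODIFYING))
    print("signatures:", scan_signatures(later_state(), SIGNATURES))
```

Running it shows the trade-off the list above describes: the signature scan names the virus in EDIT.EXE but says nothing about GAME.COM, whose virus has no signature yet, while the integrity check flags both and sets SETUP.EXE's expected change aside. Two caveats a practitioner adds: the baseline must be kept where a virus (or a retrovirus, see below) cannot rewrite it, for instance on a write-protected disk, and a plain checksum, unlike a cryptographic hash, can be made to match again after tampering.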
Retroviruses - viruses that fight back
A Retrovirus is a computer virus that specifically tries to by-pass or hinder the operation of an anti-virus program
or programs.
- First appeared in the late 1980s
- The attack may be specific to a known product or a generic one
- May be able to install itself while several resident anti-virus monitors are running
- May prohibit anti-virus programs from running
- May by-pass integrity checking programs
For more detailed information on viruses see Virus FAQ - Frequently Asked Questions
Many uses of the term "worm":
- optical media: Write Once Read Many times (WORM drive)
- software: a program that will erase files or memory under certain conditions
- networks: several segments - each running on a separate network workstation. When a segment is lost (machine rebooted) other worm segments replace it on another workstation. (distributed computing)
As a copy-protection penalty: a program written by a software publisher that invokes a penalty if unauthorized use of the program is detected
- At best it only halts the protected program
- At worst it causes a small amount of corruption each time the program is run, eventually leading to a disk crash
- Can be activated accidentally
- Packages with worms do not sell well
A worm is an autonomous agent capable of propagating itself without the use of another program or any overt action by a person
Worms are found primarily on networks of computers that are capable of multitasking (running more than one program concurrently)
The prevention, detection, and eradication of unauthorized worms is the responsibility of the system and network support staff, rather than of the typical system user
- Example: Distributed Diagnostics
A combination of a central control machine and a multipart worm is a useful way to run diagnostics on many machines
- Example: World Wide Web Worm
A program that searches the Web for topics of interest. Despite the name it is an indexing robot that crawls from page to page, not a self-replicating program.
The Internet Worm of November 1988 - came and went in about a week
Source [Denning, 1990, pp. 191-281].
- November 2: in the evening Robert T. Morris released an unauthorized worm onto the Internet
- November 3: Within 8 hours between 2 and 3 thousand computers were infested. Computers began to shut down because worm programs reappeared over network connections faster than they could be deleted.
- By evening, system fixes were distributed that closed all the security holes used by the worm.
- November 4: Worm code was decompiled and it was confirmed that the worm did not modify existing files (thus it was not a virus)
- November 6: Most computers were reconnected to the Internet.
- November 10: Remaining few hosts were reconnected to the Internet.
- November 12: Mail backlog finally cleared.
What exactly did the worm do?
- The worm infested only computers running one particular family of UNIX: Berkeley-derived (4 BSD) UNIX on VAX and Sun-3 machines.
- Each worm began by creating a list of remote target machines from information found on the current host (e.g. /etc/hosts.equiv and users' .rhosts files).
- In parallel the worm would:
- Attempt to find the passwords of user accounts by
trying simple permutations of the account name and the user's real name
checking a built-in list of 432 passwords
checking all the words in the local dictionary (/usr/dict/words)
- Attempt to enter each target by
posing as a user (after cracking the user's password)
exploiting a buffer overflow in the fingerd daemon (an unchecked gets() call), a bug in the server rather than in the finger protocol itself
using a "trapdoor": the DEBUG command left enabled in the sendmail mail server, which let a remote sender have mail piped into a command
- When an attack worked, the worm sent a short bootstrap program and the commands to compile and execute it, then broke the connection.
- If the bootstrap worked, the new computer called back the parent worm within 120 seconds, and the enciphered files containing the full worm code were sent to the new computer. The parent worm then issued the commands to construct and start the worm on the new machine.
- The worm also contained mechanisms to limit its own population on a single machine (did not work well) and camouflage its presence.
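As an added example of the password-guessing strategy (not code from the page, and not the worm's own code), the following Python script runs the same three stages in the same order, but as a defensive audit against a constructed password file. toy_crypt is a salted SHA-256 standing in for crypt(3); ACCOUNTS, BUILTIN_WORDS and LOCAL_DICTIONARY are constructed, and the word lists are short stand-ins, not the worm's real 432-word list or a real dictionary.

```python
import hashlib


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for Unix crypt(3): salted SHA-256. The worm called the real
    crypt(); the hash is swapped here because the point is the guessing order."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password-file entries: (login, salt, hash, GECOS full name).
ACCOUNTS = [
    ("alice", "ab", toy_crypt("alicealice", "ab"),  "Alice Jones"),
    ("bob",   "cd", toy_crypt("nosliw", "cd"),      "Bob Wilson"),
    ("carol", "ef", toy_crypt("password", "ef"),    "Carol Smith"),
    ("erin",  "gh", toy_crypt("zebra", "gh"),       "Erin Taylor"),
    ("dave",  "ij", toy_crypt("Tr0ub4dor&3", "ij"), "Dave Brown"),
]
# Constructed stand-ins: the worm carried 432 built-in words and then fell
# back to the host's /usr/dict/words. Neither list is reproduced here.
BUILTIN_WORDS = ["academia", "aerobics", "password", "secret", "wizard"]
LOCAL_DICTIONARY = ["aardvark", "abacus", "yellow", "zebra"]


def account_guesses(login: str, gecos: str) -> list:
    """Stage 1: guesses derived from the account entry itself: empty password,
    the login name, the login doubled, the login reversed, each name in the
    GECOS field, and the last name reversed (duplicates dropped, order kept)."""
    names = [n.lower() for n in gecos.split()]
    last = names[-1] if names else ""
    raw = ["", login, login + login, login[::-1], *names, last[::-1]]
    seen, ordered = set(), []
    for g in raw:
        if g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def crack(login, salt, stored, gecos, builtin=BUILTIN_WORDS, dictionary=LOCAL_DICTIONARY):
    """Try the three stages in the worm's order; return (stage, guess) or None."""
    stages = [
        ("account-derived", account_guesses(login, gecos)),
        ("built-in list",   builtin),
        ("dictionary",      dictionary),
    ]
    for stage, guesses in stages:
        for guess in guesses:
            if toy_crypt(guess, salt) == stored:
                return (stage, guess)
    return None


def audit(accounts=ACCOUNTS) -> dict:
    """Run the worm's strategy as a defensive audit: {login: (stage, guess)}
    for every account whose password falls to it."""
    results = {}
    for login, salt, stored, gecos in accounts:
        hit = crack(login, salt, stored, gecos)
        if hit:
            results[login] = hit
    return results


if __name__ == "__main__":
    for login, (stage, guess) in audit().items():
        print(f"{login}: cracked at stage '{stage}' with {guess!r}")
```

The audit works offline because the hashes are readable; that is exactly why password hashes were later moved out of the world-readable /etc/passwd into shadow files, and why an ordered guess list like this one is still the first thing tried against leaked hashes today.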
What was the impact of the Internet worm?
- 3,000 - 4,000 computers were infested (about 5% of those attached to the Internet)
- The worm caused a massive though short lived disruption of services.
- Thousands of person hours of work were used to analyze and destroy the worm.
- The direct and indirect costs have been estimated at over $98 million. [Magruder and Lewis, 1991]
- The worm did not delete or modify existing files, install Trojan horses, or transmit deciphered passwords; thus the damage was limited to computer down time and the time of those who worked to get rid of the worm.
Who is Morris and what happened to him?
- In 1988 Morris was a first year computer science graduate student at Cornell and the son of the chief scientist at the National Computer Security Center
- On July 26 1989 he was indicted under the 1986 Computer Fraud and Abuse Act
- In January 1990 Morris was tried and convicted
- Morris was sentenced to 3 years probation and 400 hours of community service, and was fined $10,000
An intruder is some entity accessing/using a system beyond their
authority. It may be human, or it may not.
A "cracker" is someone who persistently gets his/her kicks from
breaking into other people's computer systems, for a variety of reasons. S/He may
pose some weak justification for doing this, usually along the lines of
"because it's possible", but most probably does it for the "buzz" of
doing something which is illicit/illegal, and to gain status amongst a
peer group.
- Particularly antisocial crackers have a vandalistic streak, and
delete filestores, crash machines, and trash running processes in
pursuit of their "kicks".
- The term is also widely used to describe a person who breaks copy
protection software in microcomputer applications software in order
to keep or distribute free copies.
- A "cracker" is not necessarily a "hacker" and most hackers are not crackers.
[Source: Alec Muffett, USENET Computer Security FAQ]
Example 1:
In 1986, an intruder broke into computers in the San Francisco area including:
- 9 - universities
- 15 - Silicon Valley companies
- 9 - ARPANET sites - Advanced Research Projects Agency Network
- 3 - government laboratories
The intruder left behind recompiled login programs to simplify his return
The goal was to achieve a high score on the number of systems cracked
Example 2:
In 1986, tracing an apparently innocuous 75-cent accounting error revealed an intruder who had given himself an account on the Lawrence Berkeley Lab's computer system
The account was traced to a West German programmer who was copying documents from military computers attached to the MILNET
The documents were sold to the KGB
Example 3:
"CRACK JOB -The Gartner Group's William Malik says that one of his clients, a large manufacturing company lost a $900 million dollar to a competitor which had apparently cracked into the company's computers and learned about its bid. (Newsweek 2/6/95 p.36)"
Source: Edupage 1/31/95
For more information on Intruders see the Almost Everything you Wanted to Know about Security FAQ
An entry point into a computer system that bypasses the normal security measures
A hidden software or hardware mechanism that permits system protection
mechanisms to be circumvented. It
is activated in some non-apparent manner (e.g., special "random" key
sequence at a terminal) [Source: U.S. Department of Defense, "Trusted
Computer System Evaluation Criteria", Glossary, CSC-STD-001-83]
Trap doors are frequently exploited by intruders
A firewall is any one of several ways of protecting one network from
another untrusted network. The actual mechanism whereby this is
accomplished varies widely, but in principle, the firewall can be
thought of as a pair of mechanisms: one which exists to block traffic,
and the other which exists to permit traffic. Some firewalls place a
greater emphasis on blocking traffic, while others emphasize
permitting traffic.
Why would I want a firewall?
- to keep intruders out of your
network while still letting you get your job done
- it helps convince management that it is safe to connect to the Internet
- it can act as a corporate "ambassador" to the
Internet - being used as a place to store public information about corporate products and services, files
to download, etc
What can a firewall protect against?
- generally, firewalls are configured to protect against unauthenticated
interactive logins from the "outside" world
What can't a firewall protect against?
- firewalls cannot protect against attacks that don't go through the
firewall
- firewalls cannot protect very well against viruses
- firewalls cannot protect against a data-driven attack -- attacks in which something is
mailed or copied to an internal host where it is then executed
[Source: Fwalls-FAQ@tis.com]
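As an added example (not from the FAQ quoted above or from any product), the following Python packet-filter model shows the "block" and "permit" pair of mechanisms as an ordered rule list with a fail-closed default. The INSIDE network, the rule set and the sample packets are constructed; a real screening router or firewall keeps connection state rather than trusting a SYN flag as this toy does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("10.0.0.0/8")   # constructed: the network the firewall protects


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = True    # True: a new connection attempt; False: part of an existing one


@dataclass
class Rule:
    action: str                  # "permit" or "block"
    direction: str               # "in" (untrusted -> inside) or "out"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    established: bool = False    # match only packets that are not connection attempts


def direction(pkt: Packet) -> str:
    src_inside = ip_address(pkt.src) in INSIDE
    dst_inside = ip_address(pkt.dst) in INSIDE
    return "in" if dst_inside and not src_inside else "out"


# First match wins; anything unmatched is blocked (fail closed).
RULES = [
    Rule("permit", "out"),                           # let inside users get their job done
    Rule("permit", "in", "tcp", established=True),   # replies to connections started inside
    Rule("permit", "in", "tcp", 25),                 # mail may come in (the data-driven path)
    Rule("permit", "in", "tcp", 80),                 # public web server, the "ambassador"
    Rule("block",  "in", "tcp", 23),                 # no interactive telnet logins from outside
    Rule("block",  "in"),                            # default deny for everything else inbound
]


def decide(pkt: Packet, rules=RULES) -> str:
    """Return 'permit' or 'block' for one packet by walking the rule list in order."""
    d = direction(pkt)
    for r in rules:
        if r.direction != d:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and pkt.syn:
            continue
        return r.action
    return "block"


if __name__ == "__main__":
    samples = [                                        # constructed packets
        ("telnet login from outside", Packet("192.0.2.5", "10.1.1.10", "tcp", 23)),
        ("mail from outside",         Packet("192.0.2.5", "10.1.1.2", "tcp", 25)),
        ("telnet out from inside",    Packet("10.1.1.10", "192.0.2.5", "tcp", 23)),
        ("reply to inside session",   Packet("192.0.2.5", "10.1.1.10", "tcp", 4000, syn=False)),
        ("DNS query from outside",    Packet("192.0.2.5", "10.1.1.10", "udp", 53)),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {decide(pkt)}")
```

The rule list also reproduces the three limits listed in the FAQ: the SMTP permit is the data-driven path (the filter passes the message, whatever it carries, to a host inside, where it may be opened or run); the blanket outbound permit means a virus or worm already inside is not hindered; and nothing here looks at content, so it cannot screen viruses.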
CERT - Computer Emergency Response Team
- CERT Coordination Center established in 1988 by the Advanced Research Projects Agency (ARPA)
- Located at the Software Engineering Institute at Carnegie Mellon University
- In 1993 CERT handled 1,334 incidents (a 73% increase from 1992)
Source: [Fithen and Fraser, 1994]
- The Other Side of The Coin - Computer Crime and Responsibility (part of "Extended Guide to the Internet")
- [Denning, 1990] Denning, Peter J. editor (1990) Computers Under Attack: Intruders, Worms and Viruses, Addison-Wesley.
Sections include: [Part I: The Worldwide Network of Computers], [Part II: Intruders],
[Part III: Worms], [Part IV: Viruses], [Part V: Countercultures], [Part VI: Social Legal, and Ethical Implications]
- [Fithen and Fraser, 1994] Fithen, Katherine; Fraser, Barbara (1994) "CERT incident response and the Internet" Communications of the ACM, 37(8) 108-113.
- [Helsing, 987] Computer Users Guide to the Protection of Information Resources
- [Magruder and Lewis, 1991] Magruder, Scott; Lewis, Stanley X., Jr (1991) "The Economic Costs of Computer Viruses" Arkansas Business & Economic Review, 24(4) 11-14.
- Network Computer Security Technology
- [Reid, 1987] Reid, Brian (1987) "Reflections on Some Recent Widespread Computer Break-Ins" Communications of the ACM, 30(2) 103-105.
- [Sterling, 1992a] Sterling, Bruce (1992) The Hacker Crackdown: Law and Disorder at the Electronic Frontier, Viking, London. [also Bantam Books paperback].
- [Sterling, 1992b] Sterling, Bruce "A Statement of Principle"
- [Stoll, 1989] Stoll, Clifford (1989) The Cuckoo's Egg, Doubleday.
- [Whiteside, 1978] Whiteside, Thomas (1978) Computer Capers: Tales of Electronic Thievery, Embezzlement and Fraud, Thomas Y. Crowell Company. [also New American Library Inc. paperback 1979]
This page is being written and maintained as part of an experiment into the use of World Wide Web as a source of educational material. Please email us with your thoughts.
Prepared and maintained by:
Carol E. Brown
(brownc@bus.orst.edu)
and
Alan Sangster
(a.sangster@abdn.ac.uk)
Page last updated January 8th, 1995.
Although we will attempt to keep this information accurate, we can not guarantee the accuracy of the information provided.
Page last updated February 10th, 1995.