An Overview of Malware Protection Approaches on Client Computers

Reviews
Shared by: Aladdin Dandis
Categories
Tags
Stats
views:
66
rating:
not rated
reviews:
0
posted:
11/11/2008
language:
English
pages:
0
An Overview of Malware Protection Approaches on Client Computers Johan Sandin Master Thesis1 Department of Computer and Systems Sciences Stockholm University / Royal Institute of Technology June 2005 1 This Thesis corresponds to 20 weeks of full-time work for the author Abstract Today most users of client computers in organisations and companies have Internet access in some form. The users often rely on this Internet connection in order to do their job. Increased connectivity and activity over networks has led to a high exposure to threats, such as malware and attacks. The most widely used protection on client computers against malware and attacks today, common antivirus software, does no longer provide sufficient protection for environments with a high demand for security. Especially, common antivirus software does not provide protection for software vulnerabilities. The purpose of this thesis is to give an understandable overview of existing methods and technologies that deal with current threats from malware and attacks. The primary goal of this overview is to understand the strengths and weaknesses of the different solutions. Alternative and complementary methods to common antivirus software are presented. The different approaches and methods are classified, explained and their advantages and disadvantages are discussed. Implementations of new approaches and methods that are available to the market are examined closer to get a practical understanding of how they function. Finally, the results of the research is discussed and put in a larger context. The result of the research is an overview of available methods for protection against malware and attacks. A key finding is that common antivirus software still plays an important role in client computer protection, but for environments with high security demands preventative security measures that provide additional security should be considered. The presented overview of available methods and approaches to fight malware and attacks can serve as a guideline for what to think about when considering a better security solution for client computers. I II Table of Contents 1 INTRODUCTION.........................................................................................................................1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 2 BACKGROUND ........................................................................................................................1 PROBLEM STATEMENT ............................................................................................................1 RESEARCH QUESTIONS ...........................................................................................................2 EXPECTED RESULTS ...............................................................................................................2 PURPOSE ................................................................................................................................3 METHOD ................................................................................................................................3 LIMITATIONS ..........................................................................................................................4 THEORETICAL FRAMEWORK ..............................................................................................5 2.1 TERMINOLOGY .......................................................................................................................5 2.2 COMPUTER SECURITY BASICS ................................................................................................5 2.2.1 Security Goals...................................................................................................................6 2.2.2 Threats, vulnerabilities and controls ................................................................................7 2.2.3 Harm and Risk ..................................................................................................................8 3 THREATS ...................................................................................................................................11 3.1 THREAT CATEGORIES ...........................................................................................................11 3.2 MALWARE ............................................................................................................................11 3.2.1 Classifying Malware.......................................................................................................12 3.2.2 Malware types.................................................................................................................13 3.3 ATTACKS..............................................................................................................................18 3.3.1 Attacking computer systems............................................................................................18 4 VULNERABILITIES .................................................................................................................21 4.1 4.2 4.2.1 4.2.2 4.2.3 4.3 4.3.1 4.3.2 4.3.3 4.4 CLIENT COMPUTER VULNERABILITIES .................................................................................21 FACTORS FOR SOFTWARE VULNERABILITIES .......................................................................21 Complexity ......................................................................................................................22 Extensibility ....................................................................................................................23 Connectivity ....................................................................................................................23 SOFTWARE VULNERABILITIES ..............................................................................................23 Common Software Vulnerabilities ..................................................................................24 Lifecycle of software vulnerabilities ...............................................................................25 The Window of Vulnerability ..........................................................................................25 IMPACT OF SOFTWARE VULNERABILITIES ............................................................................27 5 GENERAL COUNTERMEASURES........................................................................................29 5.1 TYPES OF COUNTERMEASURES .............................................................................................29 5.1.1 The Defence-in-Depth Security Model ...........................................................................29 5.2 CLASSIFYING ANTI-MALWARE MEASURES ...........................................................................31 5.2.1 Malware detection ..........................................................................................................32 5.2.2 Anomaly detection ..........................................................................................................32 5.2.3 Signature based detection...............................................................................................34 5.2.4 Integrity checking ...........................................................................................................35 5.2.5 Heuristic detection..........................................................................................................35 5.2.6 Software Restriction .......................................................................................................36 5.2.7 Software Patching...........................................................................................................37 5.3 ANTIVIRUS SOFTWARE .........................................................................................................38 5.3.1 A simple model of traditional antivirus software............................................................38 5.3.2 Scanning for viruses .......................................................................................................39 5.3.3 Testing antivirus detectors..............................................................................................40 6 COUNTERMEASURES IN MICROSOFT WINDOWS ........................................................43 6.1 SECURITY IN MICROSOFT WINDOWS ....................................................................................43 6.2 DATA EXECUTION PREVENTION (DEP)................................................................................44 6.2.1 How and why is DEP important? ...................................................................................44 6.2.2 Software-enforced DEP ..................................................................................................45 III 6.2.3 Hardware-enforced DEP................................................................................................45 6.3 SOFTWARE RESTRICTION IN WINDOWS ................................................................................46 6.3.1 Software Restriction Policies (SRP) ...............................................................................46 6.3.2 Computer Integrity System (CIS)....................................................................................50 6.3.3 Other Software Restriction Solutions .............................................................................52 7 CONCLUSIONS .........................................................................................................................53 7.1 7.2 7.3 7.3.1 7.4 8 8.1 8.2 8.3 8.4 RESULTS ..............................................................................................................................53 KEY FINDINGS ......................................................................................................................53 DISCUSSION .........................................................................................................................55 Encountered Problems....................................................................................................56 SUGGESTIONS FOR FUTURE WORK ........................................................................................56 BOOKS & PEER-REVIEWED ARTICLES ...................................................................................57 ACADEMIC PAPERS ..............................................................................................................58 INTERNET SOURCES .............................................................................................................58 RESOURCES ..........................................................................................................................59 REFERENCES............................................................................................................................57 IV 1 Introduction This chapter describes the background and introduces the reader to the research problem. The expected results, the purpose of the research and the method is described. Finally the limitations of the thesis are discussed. 1.1 Background About a decade ago the use of Internet had its breakthrough among common people with the introduction of the first graphical web-browser. Since then there has been a huge increase of computers that have access to the Internet among companies and private persons. Today the average office job in the western world requires Internet access in order for the employee to his or her job. There has been a huge increase in connectivity among computers. Along with this development we have experienced a tremendous increase in the presence of malware (malicious software). The increased connectivity among computer networks has made it much easier for malware to spread. Another very important reason to why we see this increase in malware activity is that we still have bad software that is full of bugs and errors. The problem with bad software is not likely to disappear either, since the trend in software is that it is becoming more and more complex and thus the bugs and errors increase. At the same time we have a parallel trend although it might be a slower one. This trend is that the assets that we find valuable in a company or an organisation have moved from being the buildings and the machines to be the information contained in computer systems and the knowledge of the employees. This is a change that has been going on since computer systems started to make their way into companies and organisations. Computer criminals and hackers have always been fast in adopting new technologies and the rapid development of new types of malware and attacks is a good example of this. To be able to protect vulnerable computer systems we continuously have to update our defence methods. There is a need for organisations to understand how vulnerable a computer system really is. There is a need to understand how little it takes for malware to infect a system. Traditionally much effort and resources in computer security has been spent on perimeter defences such as firewalls. It is time for organisations to reassess how and where they spend their resources for protection. 1.2 Problem statement Protection against malware and attacks can be applied at many different levels in a computer system. This thesis focuses on protection that is applied on the client computer level. 1 At the client computer level, antivirus software is probably the most well-known and commonly used type of protection. But there are problems with this type of protection. Antivirus software traditionally concentrates on malware that is already known to the antivirus vendors. Another problem is that antivirus software does not protect against vulnerabilities present in software applications that communicate with the Internet. Fausi Qattan and Fredrik Thernelius show that the protection provided by common modern antivirus software and host-based firewalls can easily be evaded and they provide a short overview of complementary and alternative measures to counter malware [Qat04]. In the paper “Testing Malware Detectors” [Chr04] it is shown that modern antivirus scanners resilience to obfuscated (=reordered) malicious code is very poor, i.e. an attacker can easily deceive the detection capabilities of the antivirus software. In the same paper [Chr04] it is also shown how antivirus signatures can be extracted from commercial antivirus scanners. The findings in these research papers show that there is a need to investigate other approaches and methods to protect client computers from malware and attacks. The main motivation for this thesis is that there is a need for an overview of the methods available in the fight against malware and attacks. Most research available in this research area focuses on more narrow and specific topics and will not provide a good overview. 1.3 Research Questions As mentioned above the research in this thesis will look at methods and alternative techniques for protecting client computers against malware and attacks. The research questions in this thesis that need to be answered are: • What current threats and vulnerabilities affect security of client computers? • What techniques and methods exist to prevent malware and attacks on client computers? • What are the advantages and disadvantages of using these different methods and techniques? • What solutions exist that implement these techniques and methods? 1.4 Expected Results The expected result from this research is an overview of malware protection for computer systems in general and in particular for client computers. The research questions presented above are also to be answered and discussed throughout the report. The thesis will include basic theory of computer security, malware and attacks in order to understand the problem better. A reader shall be able understand why client computers are at risk and how that can threaten the security of the whole computer system in an organisation. Knowing the limitations of traditional antivirus software is a part of this goal. 2 Some implementations of new approaches and methods that are available to the market are to be examined closer to get a practical understanding of how they function. Finally, the results of the research will be discussed and put in a larger context. 1.5 Purpose The purpose of this thesis is to give an overview of existing methods and technologies that deal with current threats from malware and attacks. The overview will try to show what these methods are capable of and what they’re not capable of. The research in this thesis can function as an introduction for organisations that are concerned about their protection against malware and attacks. Hopefully this thesis can be an eye-opener for organisations to realise the importance of having protection at several levels by showing how vulnerable a typical client computer can be. The intended audience for this thesis is organisations that are interested in securing their client computers. The reader of this thesis should know the basics of computer programming and computer architecture and wants to know the details about malware, attacks and the methods and approaches available to prevent them. An interest in computer security will probably help the reader to get through the thesis, but is not a prerequisite. 1.6 Method This report is a theoretical study of the approaches and methods that can be used in the fight against malware and attacks on computer systems in general, and on client computers in particular. The research method chosen for this thesis is a thorough literature review. The report starts with a theoretical framework that introduces the reader to basic computer security. Then the research in the report is structured around threats, vulnerabilities and controls (countermeasures). The literature review is therefore focused on several different parts; theoretical computer security, malware and attacks (threats), software vulnerabilities, general countermeasures and countermeasures specific to client computers using Microsoft Windows. Computer security is a relatively new science, especially research around malware, attacks and their countermeasures. There is of lot of information on these subjects, but often this information is not written by either recognized researchers or security professionals, and is therefore subject to misinterpretations. It is therefore very important to use known and recognised sources for the fundamental parts of the literature review. 3 1.7 Limitations The research done on alternative methods and techniques for protection against malware and attacks in this thesis will be limited to countermeasures for client computers. The countermeasures considered will not include network-based countermeasures, such as host-based firewalls. There are several reasons for having this limitation. The scope of the thesis would be to too big if countermeasures in the network-layer also were included. Additionally, the vulnerabilities discussed in this thesis are generally not protected by defences in the network-layer. But since the computer network is one of the main entrances for malware to enter a computer system, it will of course be touched upon, but the focus will remain on other types of countermeasures. When it comes to specific implementations of different anti-malware solutions this thesis will focus on the Microsoft Windows operating system, since it clearly is the most widespread client computer operating system. The techniques and methods for malware protection discussed in this thesis are often also available for other operating systems. However, Microsoft Windows is the dominating operating system and also the most targeted operating system for malware and attacks. 4 2 Theoretical framework This chapter will give an introduction to theory and terminology that will help the reader to understand this thesis. 2.1 Terminology A large problem within the science of computer security is the lack of a commonly accepted and widely used terminology. This lack of a common terminology is a big problem when communicating computer security to other people. The confusion in terminology causes misunderstandings which can lead to confusion among users, ITprofessionals and researchers. The problem with misunderstandings and confusion gets even worse when magazines and media in general seldom use a correct or consistent terminology. Karresand [Kar02] uses a striking analogy when he compares the computer security community of today with the American Wild West; there is no real law and order and there are a lot of new citizens. New members are continuously joining the research community and each new member brings his or her own vocabulary. The big problem with the terminology in computer security is that it is a constantly growing and fast evolving research area. There are constantly new threats, techniques and countermeasures introduced and the terminology in the community just doesn’t keep up with the phase. When it comes to the area of viruses or malicious software (malware) the lack of consistency in the terminology used is even more apparent. There are often several expressions for a certain type of malicious code. For example, malware terms such as trojan horse, virus and worm all have several different definitions for each term. As if these differences weren’t enough, the ways the terms relate to each other in classification schemes proposed by researchers also vary [Kar02]. A well defined terminology is a very good start if you want to be able to describe and analyse a problem. The inconsistency and the lack of a common terminology in these research areas is clearly a problem when writing a thesis in this research area. I will therefore do my best and try to define some of the terms that are essential for the understanding of this thesis work. I will also try to use this defined terminology throughout the thesis and hopefully this will make things a bit clearer. 2.2 Computer Security Basics As Pfleeger explains in [Pfl03] every computer-based system has three separate and valuable components or assets: hardware, software and data. These three assets must all function well together in order to have a working computer system. We can define Computer Security as protecting these three assets and making sure that they deliver what is expected from them. 5 There are also several different interpretations of computer security available and there may be several reasons for this. What is considered essential for the security of a certain system may vary between different applications and contexts. 2.2.1 Security Goals What do we mean when we say that a computer system is secure? There are three aspects of a computer system that are widely accepted among researchers as the cornerstones or goals of IT-security. The three aspects are [ITS91]: • • • Confidentiality Prevention of unauthorised disclosure of information. Integrity Prevention of unauthorised modification of information. Availability Prevention of unauthorised withholding of information or resources. These goals of IT-security are commonly known and abbreviated as CIA. These security goals can be applied to computer security since computer security must be considered a subset of IT-security. This definition is very broad and it can be necessary to specify each aspect more, depending on the context. Confidentiality is sometimes thought of as privacy of information. A computer system often stores information that is not intended for everyone. It might be personal information, medical records or other sensitive information. This information should only be accessed by those that are supposed to have access to it. Disclosure of such information affects the confidentiality of the system. Integrity in a computer system refers to the trustworthiness of data, software and other resources. It is often used in terms of preventing unauthorised changes to the system. Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication) [Bis04]. Availability of a computer system means that the system should be able to deliver the expected services on time. Legitimate users of the computer system should have access to the services they are authorised to use. Anything that comes in between the user and the expected service affects the availability of the system. A good example could be that the expected service is not available due to system maintenance in order to apply the latest security patches for a server. 6 Security Confidentiality Integrity Availability Figure 1 : Computer Security is the conjunction of Confidentiality, Integrity and Availability There are also other ways to define computer security. Gollmann [Gol99] uses the protective measures that are applied to assets as a way of defining computer security. The protective measures can be divided into three basic categories (often abbreviated as PDR): • Prevention Measures to prevent assets from being manipulated (or accessed without authorization). Detection Measures to detect attempts to manipulate assets (or unauthorised access). Reaction Measures that allow for recovery of assets after damage to the system. • • These three protective measures are also often complemented by the addition of survivability that is used to describe the ability of a component or system to recover from failures and security breaches [Gol99]. To sum up, we can say that a computer system is secure if we can provide confidentiality, integrity and availability through prevention, detection and reaction to our valuable assets hardware, software and data. 2.2.2 Threats, vulnerabilities and controls Each asset of a computer-based system is exposed to different types of threats. A threat is a set of circumstances that has the potential to cause loss or harm to the system [Pfl03]. 7 From a security point-of-view all computer systems have weaknesses. A vulnerability is a weakness in the security of a computer-based system that can be exploited to cause loss or harm. A vulnerability can for example originate from bad design of a systems security mechanisms. To address the problems that threats and vulnerabilities cause we use controls. A control is a protective measure that can be an action, a technique, a procedure or something else with the essence that it reduces a vulnerability. The relationship between the terms threat, control and vulnerability can be described by the following sentence [Pfl03]: “A threat is blocked by control of a vulnerability” To be able to choose the right controls and to apply them correctly we have to learn as much as possible about the threats and vulnerabilities that affect the system. Threats and vulnerabilities will be covered later in this thesis. 2.2.3 Harm and Risk Let us start with the two following definitions presented in [Pfl03]: “Harm occurs when a threat is realised against a vulnerability” “The possibility for harm to occur is called risk” In business terms harm means financial loss. This is what we ultimately are trying to avoid with computer security. We want to lower the possibility of harm to occur, i.e. we want to lower the risk. To lower the risk we have to be able to manage and assess the risks involved in a computer system or a business decision. To be able to measure risk in a certain system, the vulnerabilities must be identified [Hog04]. A basic problem with measuring risk in software is that software vulnerabilities mostly remain uncategorized and unidentified. By naming and categorising a vulnerability we can attribute a risk level to it. Using this risk level and putting estimates of the value of the affected assets, an organisation can calculate where budgets need to be allocated to reduce the risk. When considering the security of a complex and modern computer system, it is important to try to keep a holistic view over the things that really affects the security of the system and not go into details until there is a clear need to do so. A system is always most vulnerable at its weakest point. A burglar trying to break in to a house will probably not try to force the door locks at the main entrance. It is more likely that the burglar will try to open a window or a backdoor with poorer locks that requires less effort and at the same time is harder to discover for neighbours. This 8 reasoning is also true for computer systems, and is to be seen as one of the basic principles of IT-security. The principle is called the Principle of Easiest Penetration: “An intruder must be expected to use any available means of penetration. The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defence has been installed.” [Pfleeger03] The implication of this principle is that a systematic and holistic approach to computer security is very important. Achieving a good overall security level should always be the main goal to have in mind before specific technical solutions are considered. If you don’t have a systematic and holistic approach when trying to achieve security in computer systems there is a large risk that important parts will be left out. If important parts are left out, an attacker will likely use that fact to his or her advantage. 9 10 3 Threats This chapter will discuss threats against client computers in an organisational context. 3.1 Threat Categories As we defined earlier, a threat is a set of circumstances that has the potential to cause loss or harm to the system. But a violation of security does not actually have to take place for there to be a threat. There will always be different kinds of threats present that will threaten the security of a system. According to [Bis04] threats can be categorised into four broad classes: • disclosure – unauthorized access to information • deception – acceptance of false data • disruption – interruption or prevention of correct operation • usurpation – unauthorized control of some part of a system Each of these four basic threat categories compromises one or more of our basic security goals; confidentiality, integrity and availability. The target of evaluation in this thesis is a typical client computer in an organisational network. In this context there are two categories of threats that encompass the mentioned threat classes: Malware and Attacks. 3.2 Malware In order to fight malware you got to know what malware is. It is therefore important to try to define malware and also discuss the problems that arise when trying to define it. The word malware is used frequently in media today and most people probably have their own perception of what malware is. However, defining malware is a nontrivial task, as we will see. The word ‘malware’ is an acronym that is short for ‘malicious software’ which means ‘software that is designed specifically do damage or disrupt a system’ [ResWeb]. There are also numerous other definitions but let us use this one as a starting point. So, having this definition of malware, what is really meant by the word malicious? The word malicious can be defined as follows: “ adjective characterized by malice; intending or intended to do harm “ [ResAsk] The interesting part here is that in the word malicious is an intention to do harm. According to Karresand [Kar02] most definitions of malware today involve intent, in one way or another. The problem with this definition is that it is very hard, if not to 11 say impossible, to correctly decide the intent behind the creation or use of software [Kar02]. The problem with defining malware is described by the following example in [InetFor]: “Dr. Ford has a program on his virus testing machine called qf.com. qf.com will format the hard drive of the machine it is executed on, and place a valid Master Boot Record and Partition Table on the machine. It displays no output, requests no user input, and exists as part of the automatic configuration scripts on the machine, allowing quick and easy restoration of a "known" state of the machine. Clearly, this is not malware. 1. If I take the executable, and give it to my wife, and tell her what it is, is it malware? 2. If I take the executable, and give it to my wife, and don't tell her what it is, is it malware? 3. If I mail the executable to my wife, and tell her it is a screen saver, is it malware? 4. If I post the executable to a newsgroup unlabelled is it malware? 5. If I post the executable to a newsgroup and label it as a screensaver is it malware? “ This example shows that it is not the software that is changing, it is rather the intentions and perceptions of the sender and the receiver that changes. Ford [InetFor] therefore argues that any definition of malware should address what the program is expected to do. The confusion among computer security terms in the area around malicious software (malware) is clearly a problem. In fact, there is no exact and commonly accepted definition of malware among computer antivirus researchers [He02]. This thesis will however not try to redefine malware. The discussion provided is here to make the reader aware of the problems that still do exist in this research area. Another term that often is used in the same context as malware is malicious code which practically has the same meaning as malware, but it rather refers to the actual code with malicious intentions. 3.2.1 Classifying Malware As it is hard to define malware in a proper way, it can also be difficult to classify malware into distinct categories. Malware is constantly evolving and is also combining different ideas and techniques. However, it does make sense to present a classification of malware since there are some very common types. There is also a need to understand the variety of different threats and techniques that you are up against when trying to fight malware. A good classification of malware provides an overview and also helps in understanding the field of research. Another reason to classify malware is the need for a common terminology. There are many types of software or code that usually is called malware. To get an overview over the malware-field a classification of the different types of malware would be of great help. 12 Helenius [He02] presents the following classification of harmful program code that, in turn, is partly based on Brunnsteins research [Bru99]: Harmful program code Unintentionally harmful program code Intentionally harmful program code = Malware Programming errors Compatibility problems Trojan horses Viruses Malicious toolkits Worms Figure 2 : Classification of Harmful Program Code Helenius also includes the categories “joke programs” and “others?” under the category “intentionally harmful program code”. I decided to exclude these from the classification above, since they were poorly defined and discussed. The classification presented defines malware as intentionally harmful program code, which means that the code has deliberately been made harmful. According to this classification scheme it hence is the intention of the programmer that is in focus. This thesis will not choose one of the mentioned definitions of malware as “the right one”. The purpose of showing these different definitions is to understand that there is a problem with defining malware. The word ‘malware’ will in this thesis be used as a comprehensive term that includes viruses, worms, trojans etc. in one word. Sometimes the text will demand a more specific term than the generalising word malware and then the terms virus, trojan etc. will be used. 3.2.2 Malware types The following description of different malware types is intended to give an overview of the types of malware that is most important for this thesis. It is not, by any means, a complete taxonomy of malware. Instead it focuses on the types of malware that are relevant for this thesis. Virus According to Helenius [Hel02] a virus is program code that has the capability to reproduce recursively by itself. As we can see in the former classification a virus also is intentionally harmful. Pfleeger has a slightly different definition in [Pfl03]: A virus is a program that can pass on malicious code to other non-malicious programs by modifying them. 13 The term virus comes from the similarities with biological viruses, as it infects a healthy subject and either destroys it or coexists with it. Today there is a wide flora of different types of viruses that can be classified by their characteristics or by the object it infects. Polymorphic virus A virus that is polymorphic changes every time it replicates – it’s a kind of chameleon-virus. It can use variable encryption, variable instruction order, variable instructions, do-nothing instructions or a combination of these methods [Hel02]. The changes in the virus are an attempt to evade detection by antivirus software. In the Wild & In the Zoo Viruses Computer viruses can be categorized in many ways. A common categorization is the distinction between viruses In the Wild (ITW) and viruses In the Zoo (ITZ). The following is a definition of viruses In the Wild: “For a virus to be considered In the Wild, it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.” [InetWild] Vendors of Antivirus software focus on viruses that are In the Wild, since these viruses are ‘out there’ spreading, and therefore considered to be more of a real threat. Viruses classified as In the Zoo are the viruses that are not In the Wild for different reasons. To a large extent In the Zoo viruses are no longer spreading. They are contained in virus databases and most likely not known to other people than virus researchers. However, it happens that an In the Zoo virus infects more modern malware, e.g. a worm, and is therefore able to spread rapidly along with the worm. Worm A worm is an independent malicious program that has the capability of reproducing itself. A worm is independent in the sense that it does not need a host program to infect or replace with its own code [Hel02]. The worm uses some kind of computer network to look for new potential victims and replicate itself. The method of propagation is the main property that distinguishes the worm from a virus. During the last few years we have seen a tremendous increase of the impact of worms. Internet has made it possible for this type of malware to replicate to an extent that was not possible for traditional “old-school” malware (as for example file-viruses). Increased Internet connectivity has also lead to a much greater impact of a worm outbreak since the speed of replication has increased dramatically compared to other malware forms. Trojan Horse A Trojan horse is a self-standing program that performs, or aims to perform something useful. At the same time it intentionally performs, unknowingly to the user, some kind of destructive function. Self-standing means that, in distinction to a virus the Trojan horse does not have the capability to replicate by itself [Hel02]. 14 Another definition of a Trojan horse is [Bis04]: A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect. A Trojan horse that in is installed on the victim’s computer with the purpose of being remotely accessed by the attacker later is often called a Remote Access Trojan (commonly abbreviated RAT). A Trojan horse is often used in conjunction with other tools to attack computer systems [Bis04]. As with the definition of malware, there is a grey zone around what software that should be considered a Trojan horse, and what software should not. A lot of software has the same functionality as some Trojans, but still they are not recognized as one, since they “do what they are supposed to do” and consequently does not include the hidden or covert functionality. It is almost impossible for the user of a target computer (the victim) to know if some software does comply with its specification, or if it also has other intentions. A legitimate program that is used for remote controlling your computer, such as the VNC2 server, can easily be incorporated with other software to hide its presence. Software like the mentioned VNC is in a fuzzy grey zone between normal legitimate software and Trojans. It can be very difficult for an antivirus software provider to decide whether such software should be considered a Trojan horse (=malware) or not. If the antivirus company decides to consider it a Trojan, the producer of VNC will probably be upset, since VNC is a legitimate program used by for example system administrators. On the other hand, if they decide to consider VNC as legitimate, an attacker can use that fact to get through the defences of an antivirus-program. Spyware Spyware is a type of computer software that collects and reports information about a computer user without the user’s knowledge or consent. However, there is no commonly accepted definition of Spyware, and the term is often used in a broader context. The information that is collected can be anything from web-surfing habits to collecting passwords or credit-card numbers. Spyware can be considered to be a trojan horse, since Spyware often comes as a hidden part of a useful program. The program often hides this spying functionality from the user. The least harmful type of spyware is probably the one that collects surfing-habits for the purpose of displaying targeted ads. This is also sometimes called Adware. However, the user’s privacy is threatened by this type of software since the user lacks control of what information that really is collected and also where this information is sent. VNC is a program that consists of a server and a client. A client that connects to the server will get a remote desktop (as if he was sitting on the computer where the server is running) on the client computer. VNC can be found at http://www.realvnc.com 2 15 Spyware often comes integrated with ‘free’ software and has a couple of rows in the small print of the EULA (End-User Licence Agreement) that states that information about the user will be collected for some purposes. But most users probably never read these statements, and are therefore more or less deceived by using this software. Spyware is a quite new phenomenon and historically it has not been a problem, but during the last couple of years the occurrence of spyware has exploded. As with Trojan horses, spyware is also often in the grey zone between malware and not malware, and the antivirus companies are having the same difficulties when dealing with this type of software: what should be considered ok, and what is not ok? The lack of protection in antivirus software against spyware has opened a new market for privacy protecting software. Some of the most successful are Ad-Aware3 and Spybot Search & Destroy4. Rootkits A rootkit is an extremely powerful tool for a malicious attacker since it allows complete low-level control over the target computer. A good definition of a rootkit can be found in [Hog04]: “A rootkit is a program that allows access to (and manipulation of) low-level functionality on the target machine. Sophisticated rootkits run in such a way that they can’t be easily detected by other programs that usually monitor machine behaviour.” The word rootkit refers to the name of the administrator in UNIX systems called ‘root’. Becoming root is one of the major goals for an attacker since you as an administrator will have unrestricted access to the computer system. The rootkit is a program or a set of tools that is used by an attacker to maintain administrator access on the target machine. According to [Hog04] the first rootkits were in practice trojans attached to files opening backdoors to the attacker. Since these early rootkits were reliant of changing the size of the target executable, they could be detected by checking the integrity of the altered file. At the time of writing this thesis, the rootkits have become substantially more sophisticated. A more modern rootkit is installed as a part of the so-called trusted computing base (kernel-mode). In Windows or UNIX systems this usually means that the rootkit is installed as loadable module or as a device driver. A rootkit that uses this technique is often referred to as a Kernel Rootkit. 3 4 Ad-Aware can be found at http://www.lavasoftusa.com/software/adaware/ Spybot Search & Destroy can be found at http://www.safer-networking.org/en/download/ 16 The following figure shows software that is running on a computer with an installed Kernel Rootkit: User Application User Mode Kernel Mode Operating System Kernel User Application Rootkit Hardware Drivers Figure 3 : An installed Kernel Rootkit As the kernel rootkit functions as a part of the operating system the rootkit code will be completely trusted. This makes the possibilities for an attacker almost infinite since the rootkit now has complete access to hardware and software running on the system. A rootkit is often not malicious itself since it has no payload. Instead the rootkit is used as a tool or platform for launching malicious activity. A rootkit is often used together with a backdoor to make it possible for the attacker to remotely control the machine. A rootkit often uses some kind of stealth technique(s) to avoid detection. During my research I have found websites that sell undetectable (at least the author claims so) rootkits that are especially crafted to remain undetected by common detection software on the target computer. There are several tools based on different methods that try to detect an installed rootkit. However, the rootkit authors always seem to be one step ahead of these attempts of detecting an installed rootkit. There are rootkits available [InetRoot] that claim to evade all sorts of antivirus software and rootkit detection software. The author of the mentioned rootkit even offers an anti-detection service where anyone can order undetectable rootkits in exchange for money. The debate whether this is unethical or not is a completely different story and will not be discussed here. A recently published research paper [InetWan04] claims that they have a good way to detect an installed rootkit. The method presented in the paper takes advantage of the fact that a stealth rootkit tries to hide its files and processes. The method is reviewed and praised by the recognised security expert Bruce Schneier in [InetSch]. The problem with every type of approach trying to detect rootkits is that you first of all have to suspect that your computer has been compromised and that you have a rootkit installed on your computer. Without a suspicion that your computer has been compromised, you will probably never come up with the idea to scan for a rootkit. 17 Once a rootkit is installed on the target machine, the machine is considered owned, by the attacker. This means that the attacker has complete control over the machine, since the rootkit is operating at the same level as the operating system. The malicious attacker can for example hide processes (even from an administrator of the machine), tunnel network traffic through a commonly used port such as port 80 and then filter the traffic, making port-filtering firewalls useless. 3.3 Attacks When dealing with computer security it is important to realize that there is no such thing as a system that is 100% secure. There will always be ways to circumvent the security measures taken. A person who attempts to exploit a vulnerability in a system is said to perpetrate an attack on the system [Pfl03]. The attack is an attempt to compromise the confidentiality, integrity or availability of a resource or asset. Attackers do not necessarily have malicious intentions, but if they do, we call them malicious attackers. Acoording to Pfleeger [Pfl03] a malicious attacker must have three things to carry out an attack: a method, an opportunity and a motive. • • • The method is the skills, the knowledge and the tools necessary to pull off an attack. The opportunity refers to time and access to carry out the attack. The motive is the reasons for wanting to launch an attack against a system. The knowledge needed to perform hundreds of different types of attacks on computer systems is today widely available. There are even toolkits that have built-in and predefined attacks that help users with little technical knowledge to carry out attacks. This type of attacker is often called a script-kiddie. In most cases it will only be a matter of resources for an attacker to succeed. It is a good start to assume that a system will be attacked and to try and see the security measures taken from an attacker’s viewpoint: Where would I try to break in, if I were a malicious attacker? This approach is commonly used in so-called penetration-testing, commonly abbreviated as pen-testing. Using this method a company or an organisation usually hires professional “hackers” to try and break in to their systems. This approach will reveal weaknesses in the system that a malicious attacker is likely to use, but pentesting cannot replace a comprehensive evaluation of the overall security of a system. 3.3.1 Attacking computer systems A system is always most vulnerable at its weakest point and a malicious attacker will always try to find this weakness when attacking a system. A malicious attacker must 18 also be expected to use all existing means to penetrate the system as in the earlier mentioned principle-of-easiest-penetration. With the right knowledge of a system, attacks and malware can be tailor made to get through different types of defences. A computer system will never be stronger than its weakest link. It is also important to understand that malware or an attack doesn’t have to fit in one category alone. Malware or attacks that combine different types of attack vectors are often referred to as blended threats. This kind of attack can combine attacks against two or more vulnerabilities where each attack alone doesn’t pose a big threat, but when they are combined the attacker can comprise the security of the system. An attack on a computer system can be classified as either a local or a remote attack. A local attack usually means that the attacker has physical access to the target (victim) computer. If you have physical access to a computer it is usually easy to comprise the security of the system. Physical security is therefore also important to achieve a secure computer system. Remote attacks are mostly network based attacks. Remote attacks can also be launched over the telephone. A malicious attacker can call employees pretending to be a support technician and try to get them to reveal sensitive information, such as usernames and passwords as an example. Attacking a system from remote often means less danger to the attacker, since there are ways for the attacker to stay anonymous. A zero-day attack is an exploit of a vulnerability in software that is not yet known to the software vendor [Wil04]. It is therefore hard to protect a system against such an attack since there are no software patches to apply to fix the vulnerability. 19 20 4 Vulnerabilities This chapter will discuss the vulnerabilities that affect a computer system in general and a client computer in particular. 4.1 Client Computer Vulnerabilities As mentioned in the theoretical framework all computer systems consist of the three components; hardware, software and data. Due to the limitations of this study, I will only consider vulnerabilities that affect two of these components, the software and the data. The security of hardware assets is nonetheless also very important. But security of hardware assets has more to do with physical security and is therefore not considered in this chapter, since it is out of the scope for this thesis. The data that is stored in a computer system is always accessed through some kind of software. Therefore the security of the data component in a computer based system ultimately relies on this software. If you are able to exploit a vulnerability in the software component, you can get access to the data. The primary concern in this thesis is therefore the vulnerabilities in software. Apart from the software component, we also have to consider the security awareness of users of the system. Even though this report does not concentrate on users’ security awareness when it comes to controls, low security awareness among users must be considered as a vulnerability. Malicious attackers often use different types of social engineering to fool users into executing a malicious program or disclosing information. The average user of a computer system has low knowledge of security issues and many users would probably be surprised by how little it takes to get a client computer infected by some type of malware. Today, a click on a link that points to a malicious webpage can be enough to get infected. 4.2 Factors for Software Vulnerabilities As explained in [Hog04] there are three major factors that together make software risk management a major challenge today: • Complexity • Extensibility • Connectivity In [Hog04] these three factors are called the trinity of trouble, as all these factors lead to a vulnerable system. 21 4.2.1 Complexity Computer systems of are growing more and more complex. A common desktop computer (client computer) today is probably a lot more complex than a super expensive super-computer twenty years ago. This evolvement in complexity is also true for the software running on our computer systems of today. Flaws are introduced to the software during the development-phase. As you would expect the number of bugs in software varies from system to system and also depends on the programming language used, experience of software engineers etc. Much research has been done in the area of trying to measure and predict the quality of the software produced. LOC (Lines-Of-Code) is a simple metric that is widely used as a way of measuring or predicting the number of flaws in software. In fact LOC has proven to be a metric that correlates well with the number of flaws in software [Hog04]. The most common metric is: number of bugs per KLOC (1000 Lines-Of-Code). An estimate is that a programmer leaves 5-50 bugs / KLOC for normal software. Even a system that has had rigorous quality assurance testing will still have around five bugs per KLOC [Hog04]. Software that is only feature tested will have about 50 bugs / KLOC! This gives an idea of how many bugs a program with millions of LOC may house. As an example Windows XP has around 40 million LOC. We can se the historical development of complexity in different versions of Windows below [Hog04]: Windows Complexity 45 40 Million Lines of Code 35 30 25 20 15 10 5 0 Win Win NT 4.0 Win NT 5.0 Win Win Win XP (2000) 2k (1998) 98 95 NT 3.1 (2001) (2002) (1999) (1990) (1995) (1997) Figure 4 : Historic Development of Microsoft Windows Complexity On top of these figures we must also take into account that almost all software is becoming more and more complex. The increased complexity is not just an issue for 22 operating systems, software like e.g. web-browsers are also heading the same direction. To sum it up; Security of a client computer system relies on the operating system as well as the applications the user is running. The trend with increased complexity in software comprises the security of the whole system, since complexity goes hand in hand with bugs and flaws. 4.2.2 Extensibility Modern software is extensible. For example, most operating systems today support extensibility through loadable modules or device drivers. Large applications, such as Word and Excel, support scripting languages to make the applications more flexible and powerful. The Internet browsers of most computers support downloadable Javaapplets that execute inside the client computers virtual machines. Unfortunately, the increased extensibility of modern software has a negative impact on security. The extensibility opens up several new ways for malicious code and attacks. It is much harder to analyse the security of a computer system that is highly extensible. How can you be sure that the next applet you download will not cause you any harm? In fact, most malware can be considered as mobile code. How can we distinguish between harmless and hostile code? 4.2.3 Connectivity A modern computer system is almost useless without a network connecting the different parts of the system and the users of today’s desktop computers (and laptops) are principally required to have access to the Internet in order to do their job. The increased connectivity has lead to increased effectiveness in many organisations. Information and services are available to an extent that was impossible not long ago. But the increased connectivity comes to a cost, of course. The high degree of connectivity today will expose the vulnerabilities that exist in the systems to a very high extent. A software bug in an application that communicated with the Internet can make a whole computer system very vulnerable. 4.3 Software vulnerabilities Bad software is one of the major causes to why we spend so much time, money and effort on trying to secure our computer systems. A computer system that is built around bad software will never be secure, since the software is ultimately controlling all actions in a computer system. There are many different types of flaws and bugs in software that will affect the security of a computer system, some of them are more severe than others. Flaws and bugs that lead to vulnerabilities in software can be introduced in all phases of software lifecycle; during design, implementation or maintenance. 23 There are also several different frameworks that can be used to or classify vulnerabilities in software. A good presentation of these classification frameworks is presented in [Bis04]. However, this thesis will not aim to categorise these vulnerabilities, since this subject alone could be a thesis. This research will rather concentrate on characteristics of software vulnerabilities and the measures that can be taken to minimise software vulnerabilities that are exposed to malware and attackers. 4.3.1 Common Software Vulnerabilities The Buffer Overflow Vulnerability The buffer overflow5 vulnerability is probably one of the most discussed security problems in software that arise from the implementation phase. According to [Vie02] buffer overflows has been the cause to over 50% of all CERT security advisories over several years. There are many reasons why the problem with buffer overflows has gotten so big. First of all, the root of the problem with software vulnerable to buffer overflows is to a very large extent based on the programming language used. Software that has a high need for performance, such as operating systems and essential applications like webbrowsers etc. are almost always written in C or C++ for performance reasons. C and C++ are relatively old programming languages that were designed with performance as first priority. In these programming languages, it is up to the programmer to implement all necessary checks that will prevent these kinds of vulnerabilities. In other words; it is surprisingly easy for a programmer to create a program that is vulnerable to buffer overflows. All the programmer has to do is to leave out (=forget) boundary checks on a buffer in the program, or use vulnerable standard C functions like gets(), strcpy() or strcat() in their program. Modern programming languages like Java does not have this problem with buffer overflows since it was designed with this problem in mind. A more detailed explanation of all the issues around the problems with buffer overflows and programming languages can be found in [Vie02], [Hog04] and [Wil02]. Input, Output and Trust Many of the most common and severe vulnerabilities in software are related to insufficient validation of input- and output data for use in client or server applications. A malicious attacker that knows of such vulnerability can use specially crafted data to exploit the system. For a computer running a server application, it is crucial not to trust the users. Malicious users can craft server input data that takes advantage of vulnerabilities in server software. For software on client computers it is the other way around. A server can return specially crafted data that tries to exploit vulnerabilities in client computer software. Examples of client computer software that is susceptible to such attacks are webbrowsers, instant-messaging clients and other software with direct communication to external networks. 5 Buffer Overflows are sometimes also referred to as Buffer Overruns 24 Logical Errors Another class of software vulnerabilities are errors in program logic. An example of a logic error can be badly implemented error- or exception handling. If the program reaches this state it results in an error message that tells the user a little bit too much of the system. A malicious attacker might be able to use this information to attack the system. 4.3.2 Lifecycle of software vulnerabilities Vulnerabilities can go through different stages during its lifecycle: birth, discovery, disclosure, correction, publicity, scripting and death [Arb00]. Birth: When a flaw is produced, it is present in the system but no one has yet discovered it. It is not considered a vulnerability since nobody knows about it and it is not certain that it can be used to violate the security of a system. Discovery: When someone discovers the flaw and realizes that it can be used to violate the security. This is when it is considered to be a vulnerability to the system. If a flaw is intentionally planted in a product for malicious purposes the birth and discovery stage coincide. Disclosure: If a vulnerability is revealed to a wider audience it is disclosed. There are several websites and mailing lists where vulnerabilities are published, such as the Bugtraq mailing list or at the website of Secunia6. Correction: When the vendor of the product has released a program update that can be used to correct the underlying flaw, the vulnerability is considered to be corrected. Scripting: Even though a vulnerability is discovered it isn’t certain that anyone have been able to successfully exploit it yet. This often requires at least some amount of skill. When someone manages to do a successful exploit and creates a script that automates it, then it becomes available to a much wider population. By using the script an attacker with much less skills can exploit vulnerable systems. This stage is not necessarily a script; it can also be a detailed description of how to perform the exploit. In essence, someone can exploit the vulnerability without the initially required skill. Death: When the number of systems that has the vulnerability is reduced to insignificant numbers the vulnerability is considered to be dead. It may be because the systems have been patched, retired etc. 4.3.3 The Window of Vulnerability The Window of Vulnerability (WoV) represents the period of time that a system is at risk to exploits of a certain vulnerability. A WoV starts when a vulnerability is discovered and does not end until the system no longer can be exploited through that vulnerability. 6 Secunia’s website is found at http://www.secunia.com 25 The following figure presents a WoV-model based on the vulnerability life-cycle model presented in [Arb00]: Window of Vulnerability The vulnerability is only known to the discoverer Software vendor works on patch Customer is notified about the patch Customer patch testing Customer applies patch Discovery Disclosure Correction Patch aquired Patch tested Patch applied Figure 5: The window of vulnerability Software vulnerabilities are most often removed by applying a patch7 or disabling a service that is vulnerable. A problem is that the patches must be created by the vendor of the program that is vulnerable. Not all software vendors are security conscious, so it may take some time until a certain patch is released. Once the patch is released it also needs to be applied on the system. System administrators are often a bit cautious when applying a patch since it might add problems to their hopefully stable and functioning system. In a corporate environment a patch most often needs to be tested in order not to disrupt any functions in the existing system. All this time, from discovery until the removal of the vulnerability, the system is within the WoV. During the WoV the system is exposed to threats that exploit the vulnerability. There are security measures that can be used to protect the system until a patch is applied. Approximately 250 advisories concerning software vulnerabilities are published each month by the security company Secunia8. That gives an idea about the extent of the problem, since this also only covers the vulnerabilities that are publicly disclosed. No one really knows the amount of vulnerabilities that are discovered but never publicly disclosed. As an example to this problem we can take the well-known web-browser Internet Explorer 6. From February 2003 – May 2005 there have been no less than 64 advisories (at Secunia) regarding vulnerabilities. 14% of these advisories were considered “Extremely”-critical and 28% were considered “Highly”-critical. At the time of this writing (May 2005) 30% of the vulnerabilities present in Internet Explorer are still unpatched. Considering that around 80-90% of all Windows users are using Internet Explorer for browsing the Internet, this is quite alarming. The fact that there are several publicly A patch is an actual piece of object code that is inserted into (patched into) an executable program – http://www.webopedia.com 8 Secunia is a security company that monitors vulnerabilities in more than 4500 software products. http://www.secunia.com 7 26 available vulnerabilities with no patches to apply makes one feel uncomfortable when surfing the Internet. 4.4 Impact of Software Vulnerabilities In what way do all these software vulnerabilities affect the security of our computer systems? What are the consequences? The following figure from the security company Secunia shows the distribution of impacts of all publicly available software vulnerabilities discovered in 2003 – 2005. Figure 6: Impacts of vulnerabilities discovered 2003 -2005 The four most common impacts for exploits of these software vulnerabilities are: system access, DoS (denial of service), privilege escalation and exposure of sensitive info. System access: When access is granted to someone who is not supposed to have access to the system. This is often the most severe type impact, since it allows access to a possible malicious attacker or to malware. The level of system access can depend on the privilege level of the software process. This shows the importance of the principle of least privilege. Denial of Service (DoS): Refers to prevention of authorized access to a system resource or a delay of system operations and functions. This affects the availability of the system for its legitimate users and thus compromises the security of the system. DoS-attacks are generally targeting services provided by servers rather than client computers. Privilege escalation: A successful exploitation of the vulnerability will lead to increased privileges for the attacker, e.g. an attacker can use the vulnerability to increase his or her normal user privileges to receive administrator privileges. 27 Exposure of sensitive information: Information that is supposed to be confidential is revealed to the attacker. All these mentioned impacts of vulnerabilities can be of varying severity. The severity also depends on what kind of system that is the target. A news website is probably more sensitive to a DoS attack than exposure of sensitive information for instance. 28 5 General Countermeasures This chapter will introduce the reader to general methods, approaches and traditional antivirus software that is used in different ways in the fight against malware and attacks. 5.1 Types of countermeasures What types of controls are available, and which of these controls do the best job in protecting our computer environment against malware and attacks? Let us return to the three basic categories of protective measures defined by Gollmann [Gol99]: Prevention, Detection and Reaction. These categories represent the main approaches to counter malware and attacks. These three approaches all have their advantages and disadvantages. The best way is of course to be able to prevent as much as possible of all malware and attacks, but we will never be able to do this completely. When we do not succeed with preventing malware and attacks, the other two approaches are very helpful. If our preventative measures fail, we want to be able to detect the attack and if we can detect the attack, we probably also want to react to it in some way. A combination of these three types of countermeasures will therefore provide the best protection. 5.1.1 The Defence-in-Depth Security Model The controls or countermeasures mentioned above can be present at several layers in an organisation. To get a simple overview of the organisation we are trying to protect, it is good to use some kind of model. Microsoft researchers present a security model that is similar to the well-known seven layered OSI model for computer networks: the Defence-in-Depth security model [Har04]. The Defence-in-Depth security model provides a good overview over where defences can be placed in a computer system. The Defence-in-Depth model therefore serves as a good starting point when organising defences against malware and attacks. 29 The following figure visualises the different layers in the Defence-in-Depth model as presented in [Har04]: Figure 7 : The Defence-in-Depth Security Model The Defence-in-Depth security model argues for the importance of having defences at several levels in an organisation. Having defences at as many different levels as possible will help to keep a good over-all protection against viruses and attacks. As we can see, the Defence-in-Depth security model distinguishes between client defences and server defences. This report will primarily focus on the client defences. According to [Har04] the best way to implement client defences is by applying the following steps: 1. Reduce the Attack Surface (remove or disable services and unwanted applications) 2. Apply Security Updates (apply patches) 3. Use a Host-Based Firewall 4. Use Antivirus Software 5. Test the system With Vulnerability Scanners 6. Use Least Privileges Policies (practice the principle of least privilege) 7. Restrict Unauthorized Applications (use Software Restricion) 30 As a last step this model also points out the importance of configuring e-mail clients, Office applications (think macro viruses), instant messaging applications, webbrowsers and peer-to-peer applications for security. The steps presented above provide a good overview of what we can do to protect a client computer. However, there will always be limitations to what kind of security each step will provide in reality. As an example, we have earlier discussed the problem with applying security updates for organisations. Many organisations will have a delay in applying these software patches, and thus that software will remain vulnerable. In this report we will have a closer look at the use of antivirus-software and restricting of unauthorised applications. 5.2 Classifying Anti-malware measures There are a variety of different security solutions using different techniques in the fight against malware and viruses. To be able to compare different anti-malware measures it is a good start to try to classify the solutions according to their behaviour and the techniques used. A classification or taxonomy of these anti-malware measures can be of great help when trying to understand the possibilities and limitations of a certain method or technique. A classification of antivirus programs is presented by Helenius [Hel02]. Helenius classifies the antivirus programs by using the criteria identifying/non-identifying and preventing/non-preventing: Identifying Scanners for known viruses Memory resident scanners for known viruses Non-Identifying Checksum calculation programs and heuristic scanners Behaviour blockers, memory resident checksum calculation programs and memory resident heuristic scanners Non-Preventing Preventing Figure 8 : Two-dimensional classification of antivirus programs Traditionally, the fight against viruses and most other types of malware has been concentrated to antivirus software that according to the classification above would be in the Identifying/Non-Preventing and Identifying/Preventing squares. Evolvement of 31 antivirus products has also lead to integration of Non-Identifying measures to be implemented in these products, as we will later. 5.2.1 Malware detection There are several problems that make it hard to detect malware in a successful way: The vague definition of malware is a large problem as we have discussed in the chapter about threats: • If you do not have an exact definition of what malware is, how can you distinguish between malware and not malware? • How do you know if something is possibly harmful or not? A potentially harmful program doesn’t have to be classified as malware. Just because a program is capable of doing things that cause potential harm doesn’t mean it should be classified as malware. An interesting issue when it comes to detecting malware is the game of obfuscation9 and deobfuscation that antivirus vendors and malware writers play against each other. It is a classic cat-and-mouse game where the antivirus vendors constantly are chasing the malware writers. The malware writers use different code obfuscators and other techniques to try to hide their malicious code from the antivirus vendor’s malware detection engines. The antivirus vendors then try to improve their detecting techniques. This game is becoming more and more advanced with for example polymorphic viruses that change their code every time they replicate. It is hard to say who will win this game, but the malware writers will always have a big advantage in this game; they will have the possibility to test if an antivirus program is able to detect their newest release of malware. 5.2.2 Anomaly detection An anomaly is something that diverges from a defined normal state. Anomaly detection means that you try to detect everything that is outside that defined normal state. Consequently, in order to use anomaly detection you must be able to define or model a normal state. Anomaly detection is a very general method that can be applied to many different scientific areas, not only computer security. However, the interest for anomalies in this thesis mainly covers the following areas: • Anomaly detection for network intrusion detection / prevention • Anomaly detection for host-based detection of anomalous system-calls / APIcalls In network security, anomaly detection is one of two fundamental approaches used for intrusion detection (ID) [Est04]. The other approach to intrusion detection is the socalled misuse-based detection, or signature-based detection as it also is referred to. In the area of client computer security, anomalies can be used to detect system-calls or API-calls that differ from what is defined as normal behaviour. The idea of code obfuscation is to transform the code in such a way that it becomes more difficult to read and understand [Viega 2002]. 9 32 The use of anomaly detection methods as a means to detect malware and malicious activity relies on a simple but fundamental hypothesis [Est04]: “Anomalous events are suspicious from a security point of view” This hypothesis is called the suspicion hypothesis. According to Estevez-Taipador in [Est04] this hypothesis is supported through studies and analyses of large amount of network attacks. Studies of hostile network traffic show that this traffic has some characteristics that make it possible to distinguish between hostile and normal communication. The following figure shows the possible outcomes for a detection of an event: False Positive Anomalous True Positive Successful detection of malicious behaviour DETECTION A harmless event is identified as anomalous. Also called false alarm. Normal True Negative Harmless events are labelled as normal. These events fit the model of normality. False Negative Malicious activity not detected since the behaviour is too similar to normal events. Harmless Attack EVENT NATURE Figure 9 : Possible outcomes when using Anomaly Detection The outcomes ‘true positive’ and ‘true negative’ correspond to correct behaviour of the detector, which means that a harmless event is successfully labelled as normal and an attack is labelled as malicious (according to the hypothesis). However, in case the detector model is not good enough or if the suspicion hypothesis is not true, you will receive false positives or false negatives. A false positive undermines the trust to the anomaly detection engine, since you will receive an alarm for something that is harmless. A false negative will compromise the security of the system since a malicious event is classified as harmless. Pros • Detection based on anomalies can be used to detect completely unknown malware. 33 Cons • It is often hard to specify and define the normal behaviour, which can lead to a large number of false alarms i.e. false positives. • Anomaly detection as a means to prevent malware is still an immature technology. 5.2.3 Signature based detection A signature is used to identify malware that is known to the vendor of the antivirus product. A signature can be seen as a kind of fingerprint of certain malware (though it is not to be mixed up with a “fingerprint” based on cryptographic hash-sums). When antivirus products are updated over the Internet, it is mostly signatures of new malware that are downloaded. Detection based on signatures is very effective when it comes to detect known malware and malware that is static (doesn’t change when it replicates). However, detection based on signatures is always a compromise between the ability to make correct detection of a certain malware type, the length of the signature and sensitiveness to changes in the malware code. In the paper [Chr04] researchers show how to extract signatures for a sample of Visual Basic script-viruses from modern antivirus detectors. The extracted signatures show that the practices of how signatures are used and defined vary a lot between different antivirus software solutions. For a given virus each antivirus software vendor use different signatures. For some viruses the whole virus body (=all code) is used as a signature, for others a short sample of the viral code is used. For example, McAfee’s signature for the “lucky2”-virus consists of the following sentences: • “Dim Melhacker, WshShell, FSO, VX, VirusLink” • “Melhacker = Wscript.ScriptFullName” • “VX = Left( Melhacker, InStrRev ( Melhacker, “\” ) )” • “FSO.CopyFile Melhacker, target.Name, 1” For the same virus the Sophos Antivirus scanner uses the whole body of the virus as signature. A longer signature will make the detection more exact in terms of detecting that we have found this specific virus. But a longer signature will also make it harder to detect new viruses that only have small changes in the viral code. A long signature will also cause the signature database to grow faster, which means slower performance for the antivirus detector. In [Chr04] the researchers discovered that for some antivirus scanners that used the whole viral body as a signature, it was enough to change one letter from uppercase to lowercase in order to fool the virus scanner. Signature based detection has many downsides. Yet, this technique is still the dominating approach used in common antivirus software to defend against malware. Pros • Good detection of specific known malware 34 Cons • Requires constant updating of signature database • Does not protect against unknown malware • It takes time for antivirus companies to create signatures, make them publicly available, and for users to download them • Does not detect malware that changes code during replication 5.2.4 Integrity checking Integrity checking is a method that is used to make sure that files, applications (executable files, boot records etc.) remain unchanged from a previous known state. This method can be used as a means to detect infections from viruses, since a virus mostly alter a file’s integrity. The basic idea behind Integrity checking is very simple and is based on calculating cryptographic hash sums on the files where you are concerned about integrity. Each file then has a cryptographic fingerprint that is unique to that file. These cryptographic fingerprints are then recalculated on some regular basis set by the administrator of the computer system. If the recalculated cryptographic fingerprints match the older ones, the integrity of the checked files is verified. If you suspect that the integrity of your computer has been compromised, you can recalculate the hash sums and compare the results with the first fingerprints. Even if only a single bit has changed in a file, the calculation will reveal this change. The technique of checking cryptographic hash-sums to ensure integrity of a computer system can be used both reactively (as in the example here) and proactively (as we will se later in the thesis). The probably most well known commercial product that uses Integrity checking is Tripwire10. Pros • Provides a reliable way to know whether the integrity of a computer system has been compromised Cons • The fingerprints (cryptographic hash sums) have to be recalculated every time you add or update files to the system • Reactive use only provides a way to check if the integrity already has been compromised. 5.2.5 Heuristic detection The word ‘heuristic’ originates from ‘heuriskein’, which is a Greek verb that means ‘to find’, or ‘to discover’. The perfect form of the verb Heuriskein is Heureka meaning ‘I have found [it]’. The Heuristic detection technique is implemented in many antivirus programs today and is used as a complement to signature based detection of malware or viruses. The 10 Tripwire is the name of the company as well as their product line for integrity checking. Tripwire is found at http://www.tripwire.com, where also evaluation versions of their products can be downloaded. 35 purpose is to detect new and unknown viruses that cannot be detected by signature based scanners. Instead of comparing against preset virus signatures, heuristic detection scans program code for virus-like characteristics. Heuristic detection does use a type of signatures, but not in the same way that a traditional signature based scanner does. Heuristic detection does not search for a specific virus instead it searches for small code fragments that are considered virus-like behaviour. These fragments can be instructions such as clearing the registry, writing and reading files etc. The heuristic scanner considers the impact of these instructions when they are put together in a sequence. When the scanner finds a sequence that it recognizes as viral it adds a weighted score to a scorecard for the scanned file. If the total score exceeds a threshold value it is considered to be a virus. The value is something that needs to be tuned. If it is set too low it will trigger too often and probably give a lot of false positives. If it is set too high it will fail to detect viruses. This makes it virtually impossible to make a heuristic scanner 100% accurate. There are two main approaches to heuristic detection: static and dynamic detection. Static heuristic detection Much like a signature based scanner has a set of signatures, a static heuristic scanner has a preset of instruction sequences that it hold as virus-like. The instruction sequences can however often be rewritten or reorganized (obfuscated) in many different ways, and the effective behaviour still does not change. This is a problem to static heuristic since it is impossible to predict all these combinations. Dynamic heuristic detection A dynamic heuristic scanner does not have a preset of instruction sequences. Instead it emulates the target program in a virtual environment and examines the effective behaviour of it. This is effective against polymorphic and encrypting viruses that encrypt itself in different ways each time it infects a new victim. By making the virus believe that it is executing on the target machine it decrypts itself and thereby making it possible to scan. A dynamic heuristic scanner does not need to have a catalogue with every permutation as the statistic scanner has. 5.2.6 Software Restriction Ultimately every computer is completely controlled by software. Without software you should not be able to do anything with a computer system. The basic idea with restriction of software is to limit the software that should be able to execute (run) on top of the operating system. Traditional antivirus software focuses on detecting software that is labelled malicious by an antivirus company. As opposed to this traditional approach, software restriction focuses on the software that should be allowed to execute on a computer. Considering the large amount of viruses and malware that is released every day, this approach is not a bad idea. 36 There are several ways and methods to accomplish and enforce some type of software restriction and the chosen method will of course have implications on the security of the solution. An approach that can be used when restricting software is the “default deny”approach. With this approach you deny all software that is not explicitly allowed. This approach is commonly used in firewalls, as it is not meaningful to open up a firewall more than needed. Restricting network access Some antivirus software and software firewalls can specify what software that should be allowed to access the network. This approach of trying to restrict software is often applied on the process level, i.e. the firewall or antivirus software can control which processes that have access to the network. However, there are malware available today that is capable of infecting the memory of a running process and thus pretend that they are a part of for example Internet Explorer. Since Internet Explorer most likely has access to the Internet, the infecting malware will get the same privileges as Internet Explorer and hence also Internet access. 5.2.7 Software Patching Obviously, one of the best ways to protect a computer system that contains software with known vulnerabilities is to update the software with patches that removes these vulnerabilities. But, applying patches can also cause problems. As mentioned earlier, large organisations often want to test patches before they are applied since there is no guarantee that other software that must be able to run on the systems will work after the new patches are applied. This is especially important in environments where availability is of great importance, e.g. consider computers running financial trading applications. Requiring testing of patches will prolong the Window-of-Vulerability discussed earlier even more. Applying patches to vulnerable software can be seen as a reactive measure. The vulnerabilities that we are about to patch have probably existed for a long time, and no one really knows how long a potential attacker could have had this information. Patching can also be seen as a preventative measure. If you are able to apply the appropriate patches that removes a certain vulnerability before a publicly known exploit is available, you can consider it a preventative measure. 37 5.3 Antivirus software One of the aims of this thesis is to get an overview of the methods and tools that can be used in the fight against malware. Software that uses signatures and heuristics to protect against malware is traditionally called antivirus software. This can be quite confusing since modern antivirus software also often aims to protect against other types of malware than just viruses. It would probably be more accurate to talk about anti-malware products but the term ‘antivirus’ is so commonly accepted and widely used that this report will stick with the expression “antivirus software”. 5.3.1 A simple model of traditional antivirus software Today there are many types of antivirus products on the market. Antivirus software can be implemented at several layers in an organisations network. A common combination is to have antivirus software installed on client (desktop) computers and on specific servers such as e-mail servers to scan all incoming (and outgoing) mailattachments. When it comes to detecting viruses (malware) there are two general approaches for an antivirus program to do this: specific methods and generic methods [Mut00]. A specific method is good at identifying exact variants of a virus [Mut00]. A virus is often modified by different malware writers after the first variant of a new virus has been found. A specific method can identify these, often small changes, and distinguish between these viruses. A specific method, is however not good at detecting new or variants of a certain virus or malware. Generic and heuristic methods, on the other hand, are good at detecting new variants of viruses, but they are not good at sorting out and specifying a certain virus. Modern antivirus software often combines the use of both these methods, since the methods solve different problems. The typical antivirus software is built around two components: a virus detection engine and a database [Mut00]. Virus Detection Engine Database Figure 10 : A simple model of antivirus software The detection engine contains implementations of the different detection methods implemented as algorithms. The database holds the data needed for the algorithms to detect a virus. The data needed to identify or detect a virus is called a signature. To keep up with the high pace of new viruses and malware, the database needs to be updated frequently. This is one of the major drawbacks of common antivirus software 38 since the user of such software will have to depend on the releases of new signatures from the antivirus software vendor. One aspect that is often missed when discussing the problems with antivirus software is that the virus detection engine also needs to be updated in order to detect new types of malware. 5.3.2 Scanning for viruses Modern client antivirus software has two fundamental modes of operation (scanning). These are commonly called on-demand scanning and on-access scanning. On-demand scanning The on-demand mode relies on an active action from the user. Thus the user must have a reason for wanting to scan the computer for viruses. On-demand scanning is therefore often implemented as a scheduled task that is performed maybe once a week. To face more and more complicated malware such as encrypted or polymorphic viruses and worms new techniques have been developed. Two of these techniques are X-raying and emulation [Mut00]. • • X-raying is a brute-force decryption of the virus body based on the knowledge of the encrypted plain text. Emulation is a simulated execution of the malicious code. The more complicated malware gets, the more complicated scanning techniques have to be used in order to detect a virus. This development will affect the performance of the scanner. Performance is of big importance for the on-demand scanner. Consider that a modern virus-database must hold data about a hundred thousand different types of malware and that each file that is scanned should try to match any of these. On the top of that you also often scan an entire hard disk containing thousands of files when using a ondemand scanner. A downside of on-demand scanning is that it will only detect malware that already is present on the system, not prevent it from entering the system. On-demand scanning can only be used as a preventative measure if you scan all sorts of possibly executable code that comes to the computer. If you have reason to believe that your system is infected by malware, then On-demand scanning is the way to go. On-access scanning On-access scanning is performed when a user is accessing a resource on the computer. The on-access part of the scanning engine is always up and running. Performance is a big issue for on-access scanning since the user does not want the antivirus program to slow down the performance of the computer when accessing different resources. This need for very high performance will lead to poorer detection abilities for the on-access 39 scanner compared to the on-demand scanner that can spend significantly more computational resources during the detection phase. 5.3.3 Testing antivirus detectors To be able to choose between different antivirus software and an anti-malware solution you probably want to know how the different solutions compare to each other. For the parts of antivirus software that scans for known malware it is possible to test the solution against a well chosen set of known malware and to get a measurable result. Certification There are independent laboratories that offer certification for vendors of anti-virus software. Certifications are often used in marketing as a means of saying that a product live up to a certain criteria. One of the most common certifications is made by ICSA labs11. But what does this certification really mean? To pass the ICSA certification the antivirus solution must comply with certain criteria defined by ICSA. For example, the criteria for on-demand scanner software for desktop computers are the following12: “Product to receive the ICSA Labs Certified mark must: • Detect 100% viruses listed on the current In The Wild List. • Detect 100% viruses listed in the ICSA Labs Common Infectors Test Suite • Detect 100% of ICSA Labs Polymorphic Test Suite • Detect 90% of the ICSA Labs Virus Collection • Products achieving ICSA Labs certification will not cause any false alarms. The False Alarm tests will be conducted against the ICSA Labs False Positive Test Suite.” These certification criteria may sound rigorous at first sight, but today there are other aspects of antivirus software that might be more interesting. Having that said this certification definitely fulfils the purpose to say that an antivirus solution live up to a certain standard when it comes to detecting known malware. But today almost all major antivirus products on the market have some sort of certification. So, what are the other aspects that are interesting? ICSA’s criteria for certification do not include detection of unknown or new malware or viruses (probably since this is hard to measure). Thus the certification doesn’t tell you everything about an antivirus scanner’s capabilities. There are at least two more very important factors that are of interest: • The capability to detect unknown malware and viruses • The vendor’s response-time to new malware outbreaks 11 ICSA Labs is a division of the Cybertrust Corporation. ICSA Labs can be found at http://www.icsalabs.com 12 http://www.icsalabs.com/html/communities/antivirus/certification/avscancrit.shtml 40 Retrospective Testing Even if the earlier mentioned certification doesn’t include tests of new or unknown viruses, there is a way to test some of the capabilities to detect unknown or new malware. This type of test is called a retrospective test. The basic idea behind this test is to take an antivirus engine and database that is slightly out of date, and test it against a well-chosen set of the most recent malware. When using this test method the antivirus software has to use its heuristic functions in order to detect the new and unknown malware. A retrospective test will therefore show how good the slightly outdated antivirus software’s heuristic capabilities are to detect unknown malware. A set of 100 In-the-Wild malware were tested by AV-test.org [Mar04] on antivirus detectors with a signature database that was four months old. The best antivirus scanner was able to detect 39% of the malware and the worst scanner was not able to detect any malware! Response Time Testing Another interesting test of antivirus software that is presented by the independent workgroup AV-test13 is testing of outbreak response time. This type of test takes up an important factor for the security of an antivirus solution: • How long does it take until signature updates from different antivirus companies are publicly available (read: not just available to the vendors, but available for download to the customer from the predefined server) in cases of major worm outbreaks? Tests performed by AV-test.org [Mar04] show that the average response time for 45 real malware outbreaks during 2004 was 10 hours before signature updates were publicly available. Keep in mind that reaction times are always a trade-off between a fast response and reliability [Mar04]. A fast response time can imply false positives, a non-working update or even an update that crashes the computer. Conclusions for Antivirus Software When considering the fast spread of recent malware worms like Code Red, SQL Slammer, Blaster etc. one realises that the protection provided by common antivirus software against these type of fast-replicating threats is low. The retrospective testing performed by AV-test.org clearly shows that the protection against unknown malware by modern antivirus software is not very good. Other approaches are needed. Updating antivirus-signatures may cause instability to a computer system. Therefore testing of these signatures may be required before they are applied to computer systems with high demands on availability. This fact makes these computer systems 13 The website of AV-test is found at www.av-test.org (last checked 2005-05-01) 41 even more vulnerable, since they might have to wait for an administrator to test the latest signatures before they are applied. 42 6 Countermeasures in Microsoft Windows This chapter will go through countermeasures (controls) that are specific to Microsoft Windows and look at their pros and cons. 6.1 Security in Microsoft Windows When considering alternatives or complimentary solutions to traditional antivirus software, we have to include the operating system context for this thesis, Microsoft Windows. Microsoft Windows is the completely dominating operating system software used on computers in both organisations and homes today. Other operating systems such as Linux have taken market shares lately, especially on the server market. However, Windows is still completely dominating on the client computers and an overview of some security solutions for Windows is therefore of interest. Microsoft does not have a history of giving security issues in their operating systems a high priority. Microsoft’s domination on the market has also made the Windows operating system an attractive target for attackers and malware writers. However, during the last couple of years Microsoft has put in much effort on security issues in their software in an attempt to meet the demand of better security from the market. The changes in priorities for Microsoft are confirmed by Bill Gates in [InetGat02]: “… we've historically made our software and services more compelling for users primarily by adding new features and functionality. While we are continuing to invest significantly in delivering new capabilities that customers ask for, we are now making security improvements an even higher priority than adding features.” There are a whole variety of different security mechanisms present in the Microsoft Windows operating systems of today. These mechanisms should be able to handle authorisation of users, user privileges, deployment of user groups, administration, remote access etc. Correct configuration of these security mechanisms is very important for the security of a certain computer system. However, such configuration has more to do with an organisation’s security policy than with methods and techniques for fighting malware and attacks. Discussing best practices for the configuration of these security mechanisms is therefore out of the scope for this thesis. This part of the thesis will focus on two techniques included in the latest available Windows platform that is very interesting from a security perspective when it comes to prevention of attacks and malware: • Data Execution Prevetion (DEP) that is included in the latest Service Pack upgrades for Windows (in SP2 for Windows XP and in SP1 for Windows 2003 Server) • Software Restriction Policies (SRP) included in Windows XP and Windows Server 2003 43 In addition to this a commercial solution implementing a Software Restriction similar to Software Restriction Policies will be examined. 6.2 Data Execution Prevention (DEP) Data Execution Prevention is a fairly new security mechanism in Windows for memory protection that is very interesting as a countermeasure against some malware and attacks. Data Execution Prevention was introduced with the Service Pack 2 (SP2) update for Windows XP (and SP1 for Windows 2003) that became available during 2004. Data Execution Prevention is defined in [InetMSb] as: “Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system” 6.2.1 How and why is DEP important? The aim of the memory protection technique DEP is to prevent one of the most common exploits of vulnerable software: the buffer overflow. The buffer overflow attack is one of the most serious threats to computer security today. The vulnerabilities that make the attack possible are very common and the consequences of a successful buffer overflow attack are often administrator privileges on the target machine. Greg Hoglund and Gary McGraw [Hog04], recognized security experts, put it this way: “The buffer overflow remains the crown jewel of attacks, and it is likely to remain so for years to come. Part of this has to do with the common existence of vulnerabilities leading to buffer overflow. If holes are there, they will be exploited. Languages that have out-ofdate memory management capability such as C and C++ make buffer overflows more common than they should be.” To fully understand what DEP does, one has to have an in-depth understanding of buffer overflows, memory management, processor hardware and heaps and stacks. This thesis will not go into detail in explaining these areas since that could be a thesis alone. Nevertheless this report will try to give an overview over the functionality of DEP and the protection it offers. Very much simplified, computer memory can hold two types of information: executable instructions and data. The buffer overflow attack technique commonly exploits vulnerable software by injecting executable instructions into memory pages where only data is supposed to be. The attacker then tricks the CPU to execute these injected and executable instructions. The severity with this type of attack is that the attacker changes the flow of control (takes control over the CPU’s execution of code) on the victim computer and is often able to execute arbitrary code on the victim computer. Data Execution Prevention comes in two variants: the hardware-enforced and the software-enforced variant. 44 6.2.2 Software-enforced DEP Software-enforced DEP is designed to prevent malware that takes advantage of exception-handling mechanisms in Windows. By default, software-enforced DEP only protects a limited number of system binaries. Software-enforced DEP runs on any CPU that can run Windows SP2 (or SP1 for Win 2k3). The information available from Microsoft on the methods behind software-enforced DEP is limited. It is therefore difficult to evaluate the functionality and reliability of software-enforced DEP. 6.2.3 Hardware-enforced DEP Hardware-enforced Data Execution Prevention marks all memory locations in a process as non-executable unless the location explicitly contains usable code [InetMSb]. An attack that tries to exploit a software vulnerability to execute code in protected memory areas will raise an exception when execution is attempted. If this exception is unhandled the process will terminate. This means that an application that is vulnerable to attacks will stop if the exception is unhandled. To be able to take full benefits from the protection that hardware-enforced DEP provides, the software must be modified to handle this type of exception. To be able to use hardware-enforced DEP you have to have a processor (CPU) with support to mark memory pages with an attribute that tells whether execution of code in that specific memory page is allowed or not. The marking is typically done by changing a bit in the page table entry (PTE) in the virtual memory address space. Presently there are only a few desktop CPUs available on the market that support the features required for hardware-enforced DEP. as for example AMD’s Athlon 64 and Sempron chips. Currently the features required • The no-execute page-protection (NX) processor feature as defined by AMD. • The Execute Disable Bit (XD) feature as defined by Intel. This will most likely change over time and it will probably not take long before this functionality is implemented in most new CPUs on the market. Despite this, hardware-enforced DEP must be seen as a feature for the long run for most organisations. It will most likely take several years before most CPUs within organisations and other end-users have this feature installed. Pros • DEP mitigates one of the most commonly exploited and severe attack techniques against vulnerable software; the buffer overflow attack. Cons • Only protects against one class of software vulnerability; the buffer overflow vulnerability. There are still other types of vulnerabilities in software that can be exploited. • Hardware-enforced DEP needs a CPU that has support for this, and only some of the latest CPUs on the market have this feature. 45 • • • DEP can cause compatibility problems with older software that is not adjusted to these techniques. This will require companies to do extensive testing on these features before rolling out these features. Applications that use dynamic code generation or just-in-time (JIT) code generation (such as Java applications) and do not explicitly mark the generated code as executable might experience compatibility issues [InetMSa]. There is a publicly available and exploitable weakness in the softwareenforced DEP implementation [InetAns05]. 6.3 Software Restriction in Windows A large problem with computer security in organisations is that there is often little or no control over the software that the users are running on their desktop computers. The basic idea with Software Restriction is to take control over and limit the software that should be allowed to run on a computer system. Thus the decision whether a certain application should be considered legitimate software or not is now taken by the organisation and not by someone else (e.g. the client computer user or an antivirus software vendor). There are some very interesting solutions on the market that implements Software Restriction. Let us start with the solution for software restriction that is integrated in Windows. 6.3.1 Software Restriction Policies (SRP) Software Restriction Policies is a feature in Windows XP and Windows Server 2003 that prevents unwanted software from executing on a computer system. To be able to provide this protection Software Restriction Policies has ways to identify software as trusted or untrusted. This approach is called a binary trust model [Lam02]. A policy consists of a default security level and rules that define exceptions to the default security level. The options available for the default security level is the slightly confusing Unrestricted or Disallowed, which essentially means run or don’t run. There are two ways to use Software Restriction Policies [Lam02]: 1. If all the software that should run is known, a policy can be applied to control execution to a list of trusted applications. 2. If all software is not known, an administrator can restrict unwanted applications or filetypes. The software that should be allowed or disallowed to execute must be identified and specified in the policy in some way. This is done through a set of different types of rules: The Hash Rule The software is identified through a cryptographic hash-sum that functions as a fingerprint for a specific file. The filename or where it is located on the disk does not matter since the cryptographic hash-sum will remain the same. 46 Certificate Rule The software is identified by a software publisher certificate. The certificate can be issued by a commercial certificate authority (CA) or it can be a self-signed certificate. The certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files, regardless of filename or location [Lam02]. Path Rule The software is identified by where the software is located in the file system. A path rule can include wildcards such as * or ? which allows for rules like *.vbs in order to match Visual Basic files. Zone Rule The zone rule is connected to the zones defined in Internet Explorer. For some reason it only applies to Windows Installer packages (*.msi files). The zone rule does not apply to software downloaded through Internet Explorer. To make it even more complicated, the rules mentioned above can be combined in all types of combinations. Since a certain file can match several rules the rules need to be prioritised to be able to tell which rule that does apply. The rules are therefore evaluated in the following order (highest priority first): 1. Hash rule 2. Certificate rule 3. Path rule 4. Internet zone rule 5. Default rule (the default security level) 47 A policy is created using the MMC14 Group-Policy snap-in that looks like this: Figure 11 : Administrative interface to Software Restrition Policies A policy can be configured on a per-machine basis, or it can be distributed through a Group Policy. By using group policies different users can have different SRP settings that match their needs. 14 MMC = Microsoft Management Console, an administrative application in Windows. 48 The following figure shows the workflow of applying Software Restriction Policies through a Group Policy: Figure 12 : Workflow of applying Software Restriction Policies through Group Policy A user that tries to execute software that is not allowed by the settings in a Software Restriction Policy will get a message that looks like the following: Figure 13 : The message received when trying to execute software that is not allowed Software Restriction Policies is a very powerful feature and you have to be careful when applying it. By just experimenting with the settings you can easily exclude yourself from the rights to change the settings back again! Pros • • Software Restriction Policies are very powerful in preventing unauthorized software from executing. It is included in Windows XP and Windows 2003 Server and thus “free”. Cons • The administrative interface to Software Restriction Policies is not very intuitive, and the effects when combining several rules can be hard to grasp. It is easy to make mistakes. 49 • • • Software Restriction Policies does not apply to drivers and kernel mode components. They also do not apply to services or macros inside Office documents. By default, Software Restriction Policies do not apply to dynamic link libraries (Windows DLL-files). It is possible to configure Software Restriction Policies to restrict dynamical link libraries, but in practice it would be very difficult to maintain such a policy since the administrative interface is poor. Software Restriction Policies is not implemented under Windows NT 4.0 or Windows 2000. Windows XP or Windows 2003 Server is needed. A good article that presents things to consider when thinking about implementing Software Restriction Policies is “14 Reasons To Reconsider Software Restrictions” by Roberta Bragg [InetBra04]. 6.3.2 Computer Integrity System (CIS) Another product for restricting the software that should be able to execute on your computer systems is Computer Integrity System (CIS), developed by the Swedish company SE46. CIS is a commercial product that recently has got attention in Swedish media [InetSE46a, b]. The solution is based on the simple idea of keeping a list of the applications that should be allowed to run (execute) on a computer system and deny everything that is not allowed, i.e. we have a binary access model to the software. This means that you either have the right to execute a certain application, or you don’t. There are no positions in between these two. The CIS solution has much in common with Software Restriction Policies, but CIS has focused on the use of certificates to manage the allowed software. The CIS software solution is built around three components: • Certificate Studio (CS) • Computer Integrity Agent (CIA) • Lookup and Logging Server (LLS) Certificate Studio (CS) The Certificate Studio is an administrative application that is used to create and sign application certificates that identify the software that should be allowed to run on the target computers. CS helps you to analyse which files that belongs to a specific application and categorise the different applications. The Certificate Studio also lets you sign policy certificates (rules) that regulate how the application certificates shall be used. Computer Integrity Agent (CIA) The Computer Interity Agent is the component that is installed on the computers that are to be protected by CIS. CIA is a quiet agent that checks every attempt to execute software against the certificates signed by CS. Everything that is not specifically signed and allowed by these certificates will be blocked, and a message will be shown to the user (as with software restriction policies). 50 Lookup and Logging Server (LLS) The LLS main responsibilities are to store and distribute application- and policycertificates. The server can also be used for logging the use of certain applications, but that functionality is a bit out of the scope for this thesis. The following figure15 shows the workflow of the CIS-solution: Figure 14 : Schematic view on the workflow of the CIS 1. The Certificate Studio (CS) is used to identify the legitimate software that should be allowed to execute on the protected computers. All potentially executable files belonging to the application(s) are fingerprinted (hashed). 2. Using CS an administrator signs application certificates and policy certificates and sends them to the Lookup and Logging Server (LLS) for distribution. The distribution of certificates can also be done through Windows Active Directory service. 3. The computers that are to be protected contact the server for distribution of certificates. The application- and policy-certificates are installed on the target computers. Protection is enforced on the target computers through the Computer Integrity Agent (CIA) that calculates the fingerprint of any executable file and compares it to the fingerprint in the certificate. (Step 4 in the figure is only for logging of application usage, and is not of interest here.) 15 The source of the figure is SE46’s website: http://www.se46.se 51 Pros • • • • Prevents all executable software that is not explicitly allowed (signed by an administrator) No need for signature updates, since there are no signatures. The signer of the certificates will have complete control over all executable software Also works in offline environments (notebooks) Cons • Cannot sign all types of executable code, such as scripts using the windows scripting engine (Scripts in Office etc.), java-applets etc. • Security options are binary (doesn’t suit everyone) – either you can execute an application or you can not. • Adds administrative procedures in order to be able to execute new or updated software 6.3.3 Other Software Restriction Solutions There are also some other solutions on the market that are similar to Software Restriction Policies (SRP) and SE46’s CIS. The other commercial solutions I have found during my research on the subject are: • Abtrusion Protector by Abtrusion Security16 • Officeware by SeventhKnight17 The three Software Restriction solutions CIS, Abtrusion Protector and Officeware all use very similar technology to achieve their protection against malware. Since all these solutions are commercial, the available information about them is limited. A more in-depth analysis of these solutions would require more knowledge of the actual implementations and also evaluation copies of the software. For personal use Abtrusion Protector is available free of charge, but that solution does not include the administrative part that is interesting from an organisational point of view. 16 17 http://www.abtrusion.com/ http://www.seventhknight.com/ 52 7 Conclusions This chapter will summarise the research findings, provide a discussion and propose future research areas. 7.1 Results This thesis is a theoretical research study and the result from the research is thus this report that serves as an overview of the protective approaches that are available to fight malware and attacks on client computers. In the introduction chapter there were four research questions that were to be answered throughout this thesis: • What current threats and vulnerabilities affect security of client computers? • What techniques and methods exist to prevent malware and attacks on client computers? • What are the advantages and disadvantages of using these different methods and techniques? • What solutions exist that implements these techniques and methods? These research questions have been answered throughout the report in chapters 3-6: Chapter 3 presents the main different types of threats related to malware and attacks in order to understand “the enemy”. Definitions and classification schemes of the threats are presented and the problem with defining malware is discussed. In Chapter 4 vulnerabilities that affect client computers are presented and discussed. The focus lies on software vulnerabilities. In Chapter 5 general methods and approaches that can be used in the fight against malware and attacks are presented. A simple model of common Antivirus software is presented and discussed in order to understand its limitations. In Chapter 6 existing solutions that implement some of the techniques and methods in chapter 5 are presented. Naturally, this chapter can not cover all existing solutions, but a few promising solutions are described. 7.2 Key Findings Vulnerable software on client computers residing in an organisation’s internal network does expose the whole computer system to big risks. Both malware and targeted attacks can use these vulnerabilities in software to infect client computers. Since most client computers reside on the internal network, they make an excellent platform for further attacks. There is often a higher level of trust for computers residing on the “right side” of the network’s perimeter defences. Applying the latest software patches to software with publicly known and exploitable vulnerabilities must be prioritised in order to avoid malware and attacks. Automatic 53 patch updates in Windows should be considered as an option even for large organisations. The risk that targeted attacks or malware might exploit vulnerable software to compromise the system must be weighted and compared to the risk that a certain patch potentially can crash the computer. For critical servers with high availability demands testing of patches before they are applied is probably a good idea. But for client computers with lower availability demands, automatic updates of patches might be considered as an option. Either way, a good patch management strategy is needed in order to minimise the Window-of-Vulnerability18. Even though common antivirus software has many weaknesses, this type of protection does fill an important role in protecting against malware and attacks. Antivirus software is good at detecting known malware, and often also has capabilities to remove or at least isolate the infected files on a computer. For organisational environments where security is of higher importance, proactive (preventative) security controls are necessary to minimise the risks. Among the dangers are new (previously unknown) fast-spreading malware types such as worms that can spread around the globe in just a few hours. Traditional antivirus software only offers limited protection against such threats. The perhaps most serious threat is attacks that are specifically targeted at an organisation. A malicious attacker or malware writer can easily craft malicious code that traditional antivirus-software doesn’t detect. If such malicious software is executed on target computers, there is virtually no end to the possibilities for the attacker. Well inside the system a skilled attacker can hide through the use of rootkits or other stealth malware. Communication to a compromised system can be done over encrypted connections such as SSL in order to avoid detection. While targeted attacks can be very hard to counter since the attacker often has some knowledge of the system, there are still things that can be done. The Software Restriction approach implemented in Windows Software Restriction Policies (SRP) and SE46’s Computer Integrity System (CIS) limits the software that is allowed to execute on the computer and is a very promising approach to fight most kinds of unwanted software. However, correct configuration and an understanding of the method’s limitations is indeed necessary for successful deployment. As an example, most Software Restriction solutions do not protect against script viruses or other malicious code that runs on top of other software. The only way to protect against such threats is to apply correct configuration (hardening) of the underlying software. If it is possible to identify all software that an employee in a certain position in an organisation will need, it is a good idea to consider some sort of Software Restriction. The Software Restriction approach does a good job protecting against unwanted software, but it does not protect against attacks targeted at vulnerable software. The probably most exploited software vulnerability is the common buffer-overflow vulnerability. 18 The Window-of-Vulnerability is discussed in chapter 4.3.3 54 Hardware-enforced Data Execution Prevention (DEP) is a good way to counter most buffer-overflow attacks. However, this solution requires new hardware as mentioned in chapter 6.2.3. The best protection is achieved if you can combine these solutions. If you combine good patch management procedures, common antivirus software, a correctly configured implementation of Software Restriction (such as CIS or SRP) and hardware based Data Execution Prevention your client computer will have a good protection against malware and attacks. However, one must not forget that no system is more secure than its weakest link. A badly chosen password is often sufficient to put a system at risk. 7.3 Discussion One of the most fundamental problems in IT-security is that an attacker always will have a big advantage over the organisation he or she chooses to target. For a skilled attacker it is often enough to find one exploitable weakness in the organisations security architecture. The organisation on the other hand must try to foresee every possible weakness in their system. A high degree of security for a given computer system will often affect the usability of the system negatively. For an organisation this is often an act of balancing, since the natural goal is to have both a high degree of security and good usability. If the usability of a computer system goes down by implementing new security measures, it might be better find another solution. Forcing employees to comply with company security policies can be considered a security risk. For example, if you implement Software Restriction Policies that make it impossible for employees to execute their favourite music-player software without informing them on beforehand, you might end up with angry or upset employees. There are many factors to consider for an organisation when choosing a solution for protection against malware and attacks on client computer. What method will serve the organisations needs best in terms of protection, flexibility, cost, administration and future upgrades? Will the company that produces a certain solution be in business in 2, 5 or even ten years? Selecting a malware protection method is not only about selecting the best method from a technical perspective. The best technical solution is not always the solution that gives the best ROI (Return-On-Investment). And since profit is what matters to most organisations in the end, they will choose the solution that gives the highest ROI. When applying security measures at a large scale in an organisation there are several organisational factors that must be taken into consideration: • Does the selected solution require new administrative procedures? • Does it affect the usability of the computer system? • Will the solution require user training? • etc. 55 Each of these factors will affect the efficiency of the chosen security solution, and in the end this will affect the costs. Personally I strongly believe in Software Restriction as one of the best technical countermeasures for client computers to prevent infection from malware and also to some extent prevent attacks that exploit vulnerable software. Yet, one has to keep in mind that Software Restriction is just one of many tools and is only to be seen as a part of a holistic view on security measures. Furthermore, Software Restriction is not suitable for everyone. For most Software developers, applying strict Software Restriction would probably not be an option, since they are constantly using new software and there would simply be too much administration. Instead the ideal environment for implementing Software Restriction is an organisation with a large number of computers using almost the same software with little or no change in the software that should be executable. This thesis does not try to “solve” the problem with malware or attacks, since there are no simple solutions to this problem. But my hope is that the report might give the reader new angles and tools of how to approach and fight malware and attacks. 7.3.1 Encountered Problems A problem that has been encountered during the writing of this report is the problem of finding unbiased information. IT-security is a fast expanding business area today and there any many companies competing to sell their solutions. Much information about different solutions is therefore aimed at selling the solution and the value of that type of information is therefore highly questionable. It has also been hard to find information about the methods and approaches used in commercial anti-malware products since it is often not in the interest of the software vendor to reveal this kind of information. The lack of information of the methods that are implemented in these commercial products does also affect the possibilities for potential customers to do an unbiased evaluation. Often the only available information is sales material, and to build security in an organisation with such basis of information is not a good idea. 7.4 Suggestions for future work A thorough evaluation of the commercially available products for Software Restriction, would be very interesting. A problem with doing such an evaluation is that you probably would have to buy these products in order to evaluate them, and thus it would be very costly. Another interesting area for future research is the future of common antivirus software. What role will such software have in future protection of computer systems? Will the companies behind common antivirus software integrate more functionality in these products, or will they become more specialised? 56 8 References 8.1 Books & Peer-reviewed articles [Arb00] William A. Arbaugh, William L. Fithen, John McHugh, “Windows of Vulnerability: A Case Study Analysis”, 2000 IEEE Computer (Vol. 13, No. 12) Matt Bishop, “Introduction to Computer Security”, (2004) Prentice Hall, ISBN 0-321-24744-2 Klaus Brunnstein, “From AntiVirus to AntiMalware Software and Beyond: Another Approach to the Protection of Customers from Dysfunctional Behaviour”, 1999, University of Hamburg Mihai Christodorescu, Somesh Jha, “Testing Malware Detectors”, 2004 ACM, ISSN 0163-5948 Juan M. Estevez-Taipador, Pedro Garcia-Teodoro, Jesus E. DiazVerdejo, “Anomaly detection methods in wired networks: a survey and taxonomy”, Computer Communications 27, 2004 Dieter Gollmann, “Computer Security”, John Wiley & Sons, 1999, ISBN 0-471-97844-2 Richard Harrison, “The Antivirus Defence-in-Depth guide”, Microsoft 2004, ISBN 0-7356-2155-1 Marko Helenius, ”A system to support the Analysis of Antivirus Products’ Virus Detection Capabilities”, 2002, ISBN 951-44-5370-0, Available at: http://acta.uta.fi/pdf/951-44-5394-8.pdf (Last visited 2005-04-26) Greg Hoglund, Gary McGraw, “Exploiting Software – How to break code”, 2004 Addison Wesley, ISBN 0-201-78695-8 ITSEC, “Information Technology Security Evaluation Criteria”, (1991) Commission of the European Communities, ISBN 92-8263004-8, Available at: http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf (Last visited 2005-04-26) John Lambert, “Software Restriction Policies in Windows XP”, 2002 Virus Bulletin Conference [Bis04] [Bru99] [Chr04] [Est04] [Gol99] [Har04] [Hel02] [Hog04] [ITS91] [Lam02] 57 [Mar04] Andreas Marx, “Antivirus outbreak response testing and impact”, Virus Bulletin 2004-09, Available at: http://www.av-test.org/down/papers/2004-09_vb_2004.zip (Last checked 2005-05-15) Igor Muttik, “Stripping down an AV engine”, Virus Bulletin Conference 59-68, September 2000 Charles P. Pfleeger, Shari Lawrence Pfleeger, “Security in Computing” third edition, Prentice Hall 2003, ISBN: 0-13-035548-8 John Viega, Gary McGraw, “Building Secure Software”, 2002 Addison Wesley, ISBN 0-201-72152-X David Williamson – “Deconstructing malware: what it is and how to stop it”, 2004 [Mut00] [Pfl03] [Vie02] [Wil04] 8.2 Academic Papers [Kar02] [Qat04] Martin Karresand, “A proposed taxonomy of software weapons”, Master thesis, 2002 University of Linköping Fausi Qattan and Fredrik Thernelius, “Deficiencies in Current Software Protection Mechanisms and Alternatives for Securing Computer Integrity”, Master thesis, 2004 Stockholm University John Wilander, “Security Intrusions and Intrusion Prevention”, Master thesis, 2002 University of Linköping [Wil02] 8.3 Internet Sources [InetAns05] Alexander Anisimov, “Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass”, http://www.maxpatrol.com/defeatingxpsp2-heap-protection.pdf, Positive Technologies 2005 (Last visited 2005-04-21) Roberta Bragg, “14 Reasons To Reconsider Software Restrictions”, 2004, http://redmondmag.com/columns/article.asp?EditorialsID=690 (Last visited 2005-05-15) Richard Ford, “Malware”, http://www.malware.org/malware.htm (Last visited 2005-05-02) Bill Gates, “Trustworthy Computing “, 2002 Microsoft, http://www.microsoft.com/mscorp/execmail/2002/07-18twc.asp (Last visited 2005-05-13) “Changes to Functionality in Microsoft Windows XP Service Pack 2”, Microsoft 2004, http://go.microsoft.com/fwlink/?LinkId=28022 (Last visited 2005-04-21) [InetBra04] [InetFor] [InetGat02] [InetMSa] 58 [InetMSb] “A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2 and Windows XP Tablet PC Edition 2005”, Microsoft 2004, http://support.microsoft.com/default.aspx?scid=kb;en-us;875352 (Last visited 2005-04-21) “Hacker Defender – NT Rootkit”, http://hxdef.czweb.org/antidetection.php, (Last visited 2005-05-10) News Article (in Swedish), http://www.nyteknik.se/art/36022, (Last visited 2005-05-12) News Article (in Swedish), http://arkiv.idg.se/transfer/?aid=14001, (Last visited 2005-05-12) Bruce Schneier, “Schneier on security”, http://www.schneier.com/blog/archives/2005/02/ghostbuster.html (Last visited 2005-05-12) [InetRoot] [InetSE46a] [InetSE46b] [InetSch] [InetWan04] Yi-Min Wang et al, “Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files”, Microsoft Research 2004 (Last visited 2005-05-02) [InetWild] The WildList Organization International, http://www.wildlist.org (Last visited 2005-04-21) 8.4 Resources [ResAsk] [ResWeb] “Oxford dictionary”, http://www.askoxford.com (Last visited 200505-02) “Online Computer Dictionary for Computer and Internet Terms and Definitions”, http://www.webopedia.com (Last visited 2005-05-02) 59

Related docs
A Practical Understanding of Malware Security
Views: 158  |  Downloads: 9
Fresh Approaches to Solving the Malware Problem
Views: 120  |  Downloads: 6
Automated Classification and Analysis of Internet Malware
Views: 79  |  Downloads: 6
Define Malware
Views: 74  |  Downloads: 0
The 10 faces of computer malware
Views: 34  |  Downloads: 2
The Ghost In The Browser Analysis of Web-based Malware
Views: 381  |  Downloads: 5
Guide to Malware Incident Prevention and Handling
Views: 147  |  Downloads: 4
Malware Blocking
Views: 112  |  Downloads: 5
Malware Infections in Systems
Views: 63  |  Downloads: 2
On the Impact of Malware on Internet Voting
Views: 0  |  Downloads: 0
Malware on Mac OS X
Views: 190  |  Downloads: 9
Do-It-Yourself Guide to Cell Phone Malware
Views: 46  |  Downloads: 0
What is Malware Malwarethe usual suspects
Views: 6  |  Downloads: 0
premium docs
Website Development Agreement$19.95
Website Design Non Disclosure$14.95
Web Hosting Agreement$14.95
Website Vendor Evaluation Matrix$19.95
Website Design RFP Template$49.95
Web Audit Report Tool$19.95
Web Metrics Reporting Tool$19.95
Other docs by Aladdin Dandis
Integrating Information Assurance
Views: 16  |  Downloads: 0
Information Assurance Security in the Information Environment
Views: 431  |  Downloads: 54
e-Government framework for Information Assurance
Views: 379  |  Downloads: 17
Building a Global Information Assurance Program
Views: 237  |  Downloads: 25
BOOK Information Security Business Assurance Guidlines
Views: 258  |  Downloads: 58
BOOK Assurance Book
Views: 105  |  Downloads: 14
Application Security_ Information Assurance_s Neglected
Views: 109  |  Downloads: 9
Evaluating IT security performance with quantifiable metrics
Views: 1135  |  Downloads: 89
Do the changes made in ASP .NET_ from version 1.X to 2.0_ improve the security
Views: 1072  |  Downloads: 12
Distributed Physical Access Control A Constrained Resource Solution
Views: 642  |  Downloads: 15
DISCOVERING INFORMATION SECURITY MANAGEMENT
Views: 965  |  Downloads: 51
Detection and Prevention of Malicious Content for Web Application
Views: 48  |  Downloads: 6
Declassification Dimensions and Principles
Views: 61  |  Downloads: 0
Fighting Social Engineering
Views: 61  |  Downloads: 6
Changing Homeland Security Ten Essential Homeland Security Books
Views: 87  |  Downloads: 4