Networking & Security for Informatics

by: Tamia Bernhard

Networking & Security for Informatics 22C 086


Eunjin Jung

About this Document

Class Notes
These 46-page Class Notes were uploaded by Tamia Bernhard on Friday, October 23, 2015. The Class Notes belong to 22C 086 at University of Iowa, taught by Eunjin Jung in Fall. Since their upload, they have received 30 views. For similar materials see /class/228047/22c-086-university-of-iowa in Computer Science at University of Iowa.
Date Created: 10/23/15
Malicious Software
04/16/09, EJ Jung

Behavior-blocking software (from Networkworld.com)
[Figure: "How behavior-blocking software works". Recoverable labels: behavior-blocking software stops problem code by recognizing unacceptable behavior; from a console on the server the administrator sets policies on what behavior is acceptable; policies are uploaded to the desktops; the administrator decides whether flagged code should be removed or allowed to run.]

Malicious Software
- Malware: malicious software that exploits system vulnerabilities
- Two categories: those that need a host program (parasitic) and those that are independent
- May or may not replicate

Terminology (Table 10.1, Terminology of Malicious Programs)
- Virus: attaches itself to a program and propagates copies of itself to other programs
- Worm: program that propagates copies of itself to other computers
- Logic bomb: triggers action when condition occurs
- Trojan horse: program that contains unexpected additional functionality
- Backdoor (trapdoor): program modification that allows unauthorized access to functionality
- Exploits: code specific to a single vulnerability or set of vulnerabilities
- Downloaders: program that installs other items on a machine that is under attack; usually a downloader is sent in an e-mail
- Auto-rooter: malicious hacker tools used to break into new machines remotely
- Kit (virus generator): set of tools for generating new viruses automatically
- Spammer programs: used to send large volumes of unwanted e-mail
- Flooders: used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack
- Keyloggers: captures keystrokes on a compromised system
- Rootkit: set of hacker tools used after attacker has broken into a computer system and gained root-level access
- Zombie: program activated on an infected machine that is activated to launch attacks on other machines

Malicious Programs
- Backdoor: secret entry point into a program that allows someone to gain access. A maintenance hook is a backdoor inserted by a programmer to aid in testing and debugging.
- Logic bomb: code embedded in a program that is set to "go off" when certain conditions are met.

Malicious Programs
- Trojan horse: useful program or command procedure that contains hidden code that, when invoked, performs some unwanted or harmful procedure. These may also be used for data destruction.
- Mobile code: programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Malicious Programs
- Viruses: software that can "infect" other programs by modifying them. The infection may be passed on to other programs.
- A virus has three parts: infection mechanism, trigger, payload.

Virus Phases
- Dormant phase: virus is idle
- Propagation phase: virus places an identical copy of itself on other programs; each program will then place a copy into other programs
- Triggering phase: virus is activated to perform the function for which it was intended
- Execution phase: the function is performed

Virus Classifications
- By target: boot sector infector, file infector, macro virus
- By concealment strategy: encrypted virus, stealth virus, polymorphic virus, metamorphic virus

Viruses
- Virus propagates by infecting other programs
- Automatically creates copies of itself, but to propagate a human has to run an infected program. Self-propagating malicious programs are usually called worms.
- Viruses employ many propagation methods
  - Parasitic: insert a copy into every executable (.COM, .EXE)
  - Boot sector: insert a copy into boot sectors of disks. Stoned virus: infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into the PC.
  - Memory-resident: infect TSR (terminate-and-stay-resident) routines. By infecting a common OS routine, a virus can always stay in memory and infect all disks, executables, etc.

Virus Types
- Stealth viruses: infect the OS so that infected files appear normal to the user
- Macro viruses
  - A macro is an executable program embedded in a word processing document (MS Word) or spreadsheet (Excel)
  - When an infected document is opened, the virus copies itself into the global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened)
- Polymorphic viruses: viruses that mutate and/or encrypt parts of their code with a randomly generated key

Virus Structure (pseudocode)

    program V :=
    {goto main;
    1234567;

    subroutine infect-executable :=
      {loop:
       file := get-random-executable-file;
       if (first-line-of-file = 1234567)
         then goto loop
         else prepend V to file; }

    subroutine do-damage :=
      {whatever damage is to be done}

    subroutine trigger-pulled :=
      {return true if some condition holds}

    main: main-program :=
      {infect-executable;
       if trigger-pulled then do-damage;
       goto next;}
    next:
    }

A Compression Virus
[Figure: a compression virus, showing the programs P1' and P2 and the compression virus CV. Henric Johnson, slide 12.]

Virus Protection (Henric Johnson, slide 10)
- Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses
- Do not execute programs (or "macros") from unknown sources (e.g., PS files, Hypercard files, MS Office documents)
- Avoid the most common operating systems and e-mail programs, if possible

Antivirus Approaches (Henric Johnson, slide 15)
- 1st generation, scanners: searched files for any of a library of known virus "signatures"; checked executable files for length changes
- 2nd generation, heuristic scanners: look for more general signs than specific signatures (code segments common to many viruses); checked files for checksum or hash changes
- 3rd generation, activity traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files)
- 4th generation, full featured: combine the best of the techniques above

Anti-Virus Technologies
- Simple anti-virus scanners
  - Look for signatures (fragments of known viruses)
  - Heuristics for recognizing code associated with viruses; for example, polymorphic viruses often use decryption loops
  - Integrity checking to find modified files: record file sizes, checksums, MACs (keyed hashes) of contents
- Generic decryption and emulation scanners
  - Goal: detect polymorphic viruses with known body
  - Emulate CPU execution for a few hundred instructions; virus will eventually decrypt, and the known body can be recognized
  - Does not work very well against metamorphic viruses and viruses not located near the beginning of the infected executable

Advanced Antivirus Techniques (Henric Johnson, slide 17)
[Figure 9.11, Digital Immune System: virus-infected client machine, administrative machine, virus analysis machine (analyze virus behavior and structure, derive prescription), other client machines, private network, individual user.]

Trusted Systems
- One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology
- Properties of trusted systems: protection of data and resources on the basis of levels of security (e.g., military). Users can be granted clearances to access certain categories of data.

Data Access Control
- Through the user access control procedure (log on), a user can be identified to the system
- Associated with each user there can be a profile that specifies permissible operations and file accesses
- The operating system can enforce rules based on the user profile

Data Access Control
- General models of access control: access matrix, access control list, capability list

Access Matrix
- Basic elements of the model
  - Subject: an entity capable of accessing objects; the concept of subject equates with that of process
  - Object: anything to which access is controlled (e.g., files, programs)
  - Access right: the way in which an object is accessed by a subject (e.g., read, write, execute)

    [Access matrix example:]
                 Program1         SegmentA        SegmentB
    Process1     Read, Execute    Read, Write
    Process2                                      Read
    [The same matrix as access control lists, one per object:]
    Program1: Process1 (Read, Execute)
    SegmentA: Process1 (Read, Write)
    SegmentB: Process2 (Read)

Capability List
- Decomposition of the matrix by rows
- A capability ticket specifies authorized objects and operations for a user
- Each user has a number of tickets

    Capability list for Process1: Program1 (Read, Execute), SegmentA (Read, Write)
    Capability list for Process2: SegmentB (Read)

Multilevel Secure Systems
- Multilevel security: definition of multiple categories or levels of data
- A multilevel secure system must enforce:
  - No read up: a subject can only read an object of less or equal security level (Simple Security Property)
  - No write down: a subject can only write into an object of greater or equal security level (*-Property)

Reference Monitor
- Multilevel security for a data processing system
[Figure: reference monitor with its security policy, subjects (with subject security clearance) and objects (with object security classification).]

Reference Monitor
- Controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters
- The monitor has access to a file (security kernel database)
- The monitor enforces the security rules (no read up, no write down)

No read up, no write down
- Simple security property: can only read from levels <= mine (read from my peers and those who work for me)
- *-Property: can only write into levels >= mine (report to my peers and superiors)

Properties of Reference Monitor
- Complete mediation: security rules are enforced on every access
- Isolation: the reference monitor and database are protected from unauthorized modification
- Verifiability: the reference monitor's correctness must be provable mathematically

Trojan Horse Defense
[Figure in four panels: Bob's program (labelled "CPE170KS", containing the Trojan horse), Alice's data file and a back-pocket file, each with its access list (e.g., Alice: RW on the data file, Bob: W on the back-pocket file); in the lower two panels a reference monitor mediates the accesses. Only the labels are recoverable.]
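As an added example that is not part of the slides, the following Python reference monitor mediates every request first against an access matrix (from which it also produces the ACL and capability-list views described above) and then against the no-read-up / no-write-down rules, replayed on the Trojan Horse Defense scenario. The names Alice, Bob, DataFile and BackPocket, the two-level lattice and the rights granted are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed two-level lattice: higher number = more sensitive.
LEVELS = {"public": 0, "sensitive": 1}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str

@dataclass(frozen=True)
class Obj:
    name: str
    classification: str

@dataclass
class ReferenceMonitor:
    # matrix: (subject name, object name) -> set of rights; a missing cell means no access
    matrix: dict
    audit: list = field(default_factory=list)

    def capability_list(self, subject_name):
        """Row of the matrix: the tickets one subject holds."""
        return {o: sorted(r) for (s, o), r in self.matrix.items() if s == subject_name and r}

    def acl(self, object_name):
        """Column of the matrix: who may do what to one object."""
        return {s: sorted(r) for (s, o), r in self.matrix.items() if o == object_name and r}

    def check(self, subject, obj, right):
        """Complete mediation: every request passes both checks and is logged."""
        ok = self._discretionary(subject, obj, right) and self._mls(subject, obj, right)
        self.audit.append((subject.name, obj.name, right, ok))
        return ok

    def _discretionary(self, subject, obj, right):
        return right in self.matrix.get((subject.name, obj.name), set())

    def _mls(self, subject, obj, right):
        s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
        if right == "read":      # simple security property: no read up
            return o <= s
        if right == "write":     # *-property: no write down
            return o >= s
        return True              # "execute" moves no data in this model (assumption)

def trojan_horse_scenario():
    """Alice runs Bob's program; its hidden code reads her data file and tries to
    copy it into Bob's back-pocket file. The process runs with Alice's clearance."""
    alice = Subject("Alice", "sensitive")
    data_file = Obj("DataFile", "sensitive")       # Alice's file
    back_pocket = Obj("BackPocket", "public")      # readable by Bob
    matrix = {("Alice", "DataFile"): {"read", "write"},
              ("Alice", "BackPocket"): {"write"},  # granted by Bob: DAC alone lets the copy through
              ("Bob", "BackPocket"): {"read", "write"}}
    rm = ReferenceMonitor(matrix)
    return {"read_data": rm.check(alice, data_file, "read"),            # True: same level
            "write_back_pocket": rm.check(alice, back_pocket, "write"),  # False: write down
            "back_pocket_acl": rm.acl("BackPocket"),
            "alice_capabilities": rm.capability_list("Alice")}
```

The audit list records the denied write, which is what a reference monitor's complete-mediation property buys a defender: the Trojan horse's copy attempt is both blocked and visible.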
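Going back to the integrity checking mentioned under Anti-Virus Technologies (recording sizes and keyed hashes of files), here is an added Python example that is not part of the slides: a baseline of sizes and HMAC-SHA256 values over a constructed set of files, then the 1st-generation length check and the 2nd-generation hash check run against two constructed modifications, one that changes the file length and one that keeps it, as a compression virus does. File names, contents and the key are constructed placeholders.

```python
import hmac
import hashlib

# Constructed sample "file system": name -> contents (placeholder bytes, not real executables).
FILES = {
    "editor.exe": b"MZ" + b"\x00" * 30 + b"original editor code",
    "notes.txt": b"meeting at 10:00",
}

def baseline(files, key):
    """Record size and keyed hash (MAC) for every file: the known-good database."""
    return {name: {"size": len(data),
                   "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}
            for name, data in files.items()}

def length_check(files, db):
    """1st-generation style: report files whose length changed."""
    return sorted(n for n, d in files.items() if len(d) != db[n]["size"])

def mac_check(files, db, key):
    """2nd-generation style: report files whose keyed hash no longer matches.
    A keyed hash (rather than a plain checksum) cannot be recomputed by code
    that modifies the file unless it also has the key."""
    changed = []
    for name, data in files.items():
        actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(db[name]["mac"], actual):
            changed.append(name)
    return sorted(changed)

def run_checks():
    key = b"constructed-key-kept-off-the-scanned-host"
    db = baseline(FILES, key)
    modified = dict(FILES)
    # Case 1: parasitic prepend; the file grows, so even the length check notices.
    modified["notes.txt"] = b"<stub>" + FILES["notes.txt"]
    # Case 2: same-size change, the situation a compression virus creates
    # (host compressed to make room); the length check is blind, the MAC is not.
    orig = FILES["editor.exe"]
    modified["editor.exe"] = orig[:2] + b"<cv>" + orig[6:]
    assert len(modified["editor.exe"]) == len(orig)
    return {"length_check": length_check(modified, db),
            "mac_check": mac_check(modified, db, key)}

if __name__ == "__main__":
    print(run_checks())
```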
Viruses vs. Worms
- Virus: propagates by infecting other programs; usually inserted into host code (not a standalone program)
- Worm: propagates automatically by copying itself to target systems; is a standalone program

Worms
- Worms replicate themselves and send copies from computer to computer across a network connection, to perform some unwanted function
- A network worm may also attempt to determine if a system has previously been infected before copying itself

Worm Propagation Model
[Figure: number of infected hosts (up to 5 x 10^5) against time t in minutes (0 to 600), with three phases labelled: slow start phase, fast spread phase, slow finish phase.]

State of Worm Technology
- Multiplatform
- Multi-exploit
- Ultrafast spreading
- Polymorphic
- Metamorphic
- Transport vehicles
- Zero-day exploit

Morris Worm Redux
- 1988: no malicious payload, but bogged down infected machines by uncontrolled spawning
- Infected 10% of all Internet hosts at the time
- Multiple propagation vectors
  - Remote execution using rsh and cracked passwords: tried to crack passwords using a small dictionary and the publicly readable password file; targeted hosts from /etc/hosts.equiv
  - Buffer overflow in fingerd on VAX: standard stack smashing exploit
  - DEBUG command in Sendmail: in early Sendmail versions it was possible to execute a command on a remote machine by sending an SMTP (mail transfer) message

Summer of 2001 (from "How to Own the Internet in Your Spare Time")
[Figure: distinct remote hosts attacking LBNL (0 to 20,000) against days since July 18, 2001, showing the three major worm outbreaks: Code Red I v2, Code Red II and Nimda.]

Code Red I
- July 13, 2001: first worm of the "modern" era
- Exploited buffer overflow in Microsoft's Internet Information Server (IIS)
- 1st through 20th of each month: spread
  - Find new targets by random scan of IP address space; spawn 99 threads to generate addresses and look for IIS
  - Creator forgot to seed the random number generator, and every copy scanned the same set of addresses
- 21st through the end of each month: attack
  - Deface websites with "HELLO! Welcome to http://www.worm.com! Hacked by Chinese!"

Unhandled Exception Handling in IIS (see Chien and Szor, "Blended Attacks")
- Overflow in a rarely used URL decoding routine
  - A malformed URL is supplied to the vulnerable routine
  - Another routine notices that the stack has been smashed and raises an exception; the exception handler is invoked
  - The pointer to the exception handler is located on the stack. It has been overwritten to point to a certain instruction inside the routine that noticed the overflow.
  - That instruction is CALL EBX. At that moment EBX is pointing into the overwritten buffer; the buffer contains the code that finds the worm's main body on the heap and executes it.

Code Red I v2
- July 19, 2001: same codebase as Code Red I, but fixed the bug in random IP address generation
- Compromised all vulnerable IIS servers on the Internet
  - Large vulnerable population meant fast worm spread; scanned address space grew exponentially; 350,000 hosts infected in 14 hours
- Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov
  - Coding bug causes it to die on the 20th of each month, but if the victim's clock is wrong it resurrects on the 1st
- Still alive in the wild

Code Red II
- August 4, 2001: same IIS vulnerability, completely different code; kills Code Red I
- Known as "Code Red II" because of a comment in the code
- Worked only on Windows 2000; crashed NT
- Scanning algorithm preferred nearby addresses
  - Chose addresses from the same class A with probability 1/2, the same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
- Payload: installed a root backdoor in IIS servers for unrestricted remote access
- Died by design on October 1, 2001

Nimda
- September 18, 2001: multi-modal worm using several propagation vectors
  - Exploit the same IIS buffer overflow as Code Red I and II
  - Bulk-email itself as an attachment to e-mail addresses harvested from infected machines
  - Copy itself across open network shares
  - Add exploit code to Web pages on compromised sites to infect visiting browsers
  - Scan for backdoors left by Code Red II
- Payload: turned-off code deleting all data on the hard drives of infected machines

Signature-Based Defenses Don't Help
- Nimda leaped firewalls
- Many firewalls pass mail untouched, relying on mail servers to filter out infections
  - Most filters simply scan attachments for signatures (code snippets) of known viruses and worms
- Nimda was a brand-new infection with an unknown signature, and scanners could not detect it
- Big challenge: detection of zero-day attacks
  - When a worm first appears in the wild, its signature is not extracted until minutes or hours later

Code Red I and II (due to Vern Paxson)
[Figure: probing activity against days since September 20, 2001, showing Nimda, Code Red 1 and Code Red 2; annotations: "Code Red 2 dies off as programmed" and "With its predator gone, Code Red 1 comes back, still exhibiting monthly pattern".]

Slammer (Sapphire) Worm
- January 24/25, 2003: UDP worm exploiting a buffer overflow in Microsoft's SQL Server
  - The overflow was already known and patched by Microsoft, but not everybody installed the patch
- Entire code fits into a single 404-byte UDP packet
  - Worm binary followed by an overflow pointer back to itself
- Classic buffer overflow combined with random scanning: once control is passed to the worm code, it randomly generates IP addresses and attempts to send a copy of itself to port 1434
  - MS SQL listens at port 1434

Slammer Propagation
- Scan rate of 55,000,000 addresses per second
  - Scan rate = rate at which the worm generates IP addresses of potential targets
  - Up to 30,000 single-packet worm copies per second
- Initial infection was doubling in 8.5 seconds
  - Doubling time of Code Red was 37 minutes
- Worm-generated packets saturated the carrying capacity of the Internet in 10 minutes
  - 75,000 SQL servers compromised
  - And that's in spite of a broken pseudo-random number generator used for IP address generation

[Figure: the infection at 05:29:00 UTC, January 25, 2003, from Moore et al., "The Spread of the Sapphire/Slammer Worm".]
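The three-phase propagation curve and the doubling times quoted for Code Red and Slammer, as an added Python example that is not part of the slides: the logistic model of a random-scanning worm with no countermeasures, with the vulnerable populations taken from the slides (350,000 and 75,000 hosts) and the 10% / 90% phase boundaries chosen here as an assumption. It goes slightly beyond the slides in showing that the length of the fast-spread phase depends only on the growth rate, not on the population size.

```python
import math

# Model: dI/dt = K * I * (1 - I/N), where N is the vulnerable population,
# I the number of infected hosts and K the early exponential growth rate.

def growth_rate(doubling_time):
    """K from the observed early doubling time d: I(t) ~ I0 * 2^(t/d) while I << N."""
    return math.log(2) / doubling_time

def infected(t, n_vulnerable, k, i0=1):
    """Closed-form logistic solution: infected hosts at time t from i0 seeds."""
    return n_vulnerable / (1 + (n_vulnerable / i0 - 1) * math.exp(-k * t))

def time_to_fraction(frac, n_vulnerable, k, i0=1):
    """Invert the curve: time until frac * N hosts are infected (0 < frac < 1)."""
    return math.log((n_vulnerable / i0 - 1) * frac / (1 - frac)) / k

def phases(n_vulnerable, k, lo=0.1, hi=0.9):
    """The three phases of the figure, with lo and hi (assumed 10% and 90%) as boundaries.
    The fast-spread phase lasts ln((hi/(1-hi)) / (lo/(1-lo))) / K regardless of N."""
    t_lo = time_to_fraction(lo, n_vulnerable, k)
    t_hi = time_to_fraction(hi, n_vulnerable, k)
    return {"slow_start_ends": t_lo, "fast_spread_ends": t_hi, "fast_spread_len": t_hi - t_lo}

def compare_worms():
    """Code Red I v2 vs. Slammer with the doubling times and populations from the slides
    (37 minutes / 350,000 hosts and 8.5 seconds / 75,000 hosts). All times in seconds."""
    cases = {"code_red_v2": (37 * 60.0, 350_000), "slammer": (8.5, 75_000)}
    out = {}
    for name, (doubling, n) in cases.items():
        k = growth_rate(doubling)
        out[name] = {"K_per_second": k,
                     "t_50pct": time_to_fraction(0.5, n, k),
                     "t_99pct": time_to_fraction(0.99, n, k),
                     **phases(n, k)}
    return out

if __name__ == "__main__":
    for name, r in compare_worms().items():
        print(name, {key: round(v, 4) for key, v in r.items()})
```

The model says 99% of Slammer's population falls in a little over three minutes of uninterrupted spread, which is why the slides' point about signature-based and human-speed response is the operational lesson: detection and containment have to run on the worm's timescale, not an analyst's.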