CSED 431 Week 5 -- February 22


Networking
State exam
Viruses  

Processes

An executing program runs as a process. Each process may, in turn, be composed of multiple independently running threads. All code execution that runs in non-kernel mode runs in some process; the many services under windows run as threads divided among several svchost.exe processes.

Demo: use ProcessExplorer to look at svchost.exe and threads
Demo: use ProcessExplorer to view the "geneology" of processes: each process has a parent, etc. This geneology can to some extent be "fooled"; if a process's parent exits, the child process may move elsewhere.

Every process runs with a certain "security context"; generally speaking, this means that each process runs:
The security context determines what a process can do: the Debug privilege would let it access the memory allocated to other processes, for example. (Vista/Win7 introduced the idea of protected processes, that cannot be peeked at by the debugger regardless of privilege.) The ownership and groups determines what files a process is able to read from and write to. A process running as a limited user, for example, cannot write to any system files; members of the Power Users group, on the other hand, have write access to many system files.

Viruses

A virus infection occurs when some malicious code is executed, ie run in a process on the machine. Malicious code (we'll give Microsoft this much credit) always comes from the outside. Most of the time it comes in the form of an executable program that the user must be "tricked" into running: perhaps as a document macro, or an email attachment happypicture.jpg.exe, or something else. Tricking users into running something they should not is broadly known as social engineering.

Another infection category is that sometimes a nominally nonexecutable data file is provided that exploits a bug in some standard application; when that application attempts to open the file, it crashes and/or is tricked into starting a malicious process. Often the data file does in fact contain some snippet of machine code, and uses a buffer overflow or similar vulnerability of the application in question to arrange for the bad code to be executed. Internet browsers are notorious for this sort of thing: certain websites attempt to exploit browser vulnerabilities to take over the machine.

Finally, there is the category of external worms that attack your computer over the network using some vulnerability (most likely in one of the service threads). These inject themselves into your machine without your doing anything to any files, or in fact doing anything at all.

When you run some code, it takes over the machine, in the sense that it has full control of the CPU while it is running (subject to the constraints of its security context). This applies to any code. Once the process has finished executing (eg because the system was rebooted), it will not restart unless it has inserted a command to restart itself automatically somewhere within the system (most likely in the registry).

The intentional or accidental damage that code can do to your machine is limited by its authorization to write to files: if it runs as a user with no permission to write to any system files, then it cannot modify any system files. This is why doing general work via a "limited" account is so important. Once a virus executes at the system level, it can modify any system files to set itself up for permanent execution and to conceal its tracks. It can even modify the win32 core libraries so that you can no longer even see the relevant files. (Sysinternal's RootkitRevealer looks for signs of such hidden files.)

Note, however, that even a limited account may have a bad effect on the user's own files. Also, a virus running under a limited account may still attempt to connect to and infect or attempt to infect other machines; this doesn't damage or alter the machine it is running on, but it is still rather disruptive. The MyDoom virus, for example, when run as a limited account, will still attempt to read that user's email directory and email all that user's contacts with an executable attachment, Note that such a virus exists only as a process, and will go away

Running standard nonmalicious programs to view files (word documents, email, etc) cannot launch a virus process (although Word documents can contain malicious macros that are executed when the document is opened; this is why disabling such macros is important). Viewing email, etc, is generally safe.

A virus sandbox
Here are the steps we will take:
  1. Before starting the virus, take a snapshot
  2. disable outbound connections, except to DNS
  3. monitor outbound network traffic with WireShark
Tools for looking for virus evidence:




Networks

See cs.luc.edu/pld/courses/netnotes.

Ethernet
    Ethernet addresses

Brief review of IP addresses
    IP addresses are 4 bytes  
    They are composed of a network part + host part.
    Originally, this net/host division was based on the address class:
       Class A: 1st bit is 0; one byte of net and three bytes of host
       Class B: 1st two bits are 10; two bytes of net and two bytes of host
       Class C: 1st three bits are 110; three bytes of net and one byte of host

A host distinguishes between local (eg direct ethernet) delivery and router delivery by comparing the net part of the destination IP address with the net part of its own IP address. If they match, the packet is local. If they do not match, the packet is sent to the router.

Routers make this same distinction between local and nonlocal: the net portion of the destination IP address is compared to the net portions of all its IP interfaces. If there is a match, delivery is local; if there is no match, then the router looks up destnet in its routing table, consisting of ⟨dest,next_hop⟩ pairs. If a matching dest is found, the packet is forwarded to the neighboring router represented by the next_hop. When the packet reaches the final router, that router will realize that local delivery is called for, and will deliver the packet directly over the LAN.

Bottom line: if there is disagreement somewhere as to where to divide an IP address into net and host portions, routing will fail.

Most hosts and routers no longer use the class-based method of net/host division; they use subnet masks instead. Subnet masks represent a per-interface way of specifying the division into net and host bits. The subnet mask itself is a 32-bit quantity; where there is a 1 bit in the mask, that means the corresponding bit position of any IP address is part of the net portion; where there is a 0 bit in the mask, then the corresponding position in the IP addresses is a host bit. For example, a common subnet mask is 255.255.255.0; the decimal number 255 is eight 1-bits, and so this means that the first three bytes of any IP address will be interpreted as the network portion, and the last byte will be interpreted as the host portion. This is sometimes denoted "/24", because there are 24 network bits; it is the same as class C. Another example is 255.255.240.0; here, you have to do some binary arithmetic to realize that 240 is 1111 0000 in binary, and so IP addresses are interpreted as having 8+8+4 = 20 network bits (and then 12 host bits). This could also be denoted "/20".

The subnet mask is not sent with packets; it is assigned to an IP interface as part of the setup process. Note that, while it is applied to all packets, it really only matters for determining if a packet is local or not. That is, if you apply your local subnet mask to microsoft.com (207.46.197.32; a class-C) or 4.0.0.1 (a class A), there is a good chance that it gives the "wrong" net/host division for one of these. However, that won't matter, because they are both nonlocal, and as long as your local subnet mask tells you that then you're ok.

Brief review of DNS
basics of how lookup of, say, www.cs.luc.edu works, hierarchically.
            edu
            luc.edu
            cs.luc.edu
            www.cs.luc.edu
DNS caching
alice.cs.luc.edu and bob.cs.luc.edu do NOT need to have related IP addrs!

To bring up a machine on a local area network, so that it can connect to the internet, it must have:
Generally, all four of these (and often more as well) are handed out by the DHCP (Dynamic Host Configuration Protocol) server.

TCP and UDP
    port numbers

To set up a lab, you need a router and a block of IP addresses, or, more specifically, a subnet. What can you do if you have only a single IP address? The standard solution is network address translation, or NAT, which takes advantage of TCP connections and their port numbers to handle the "demultiplexing". The usual situation is (potentially) multiple machines inside, on a private IP subnet (eg 10.0.2.0/24), all talking to a NAT router. It is easy for a router to replace the subnet IP address of any machine with its own "outside" IP address; however, that wouldn't allow return traffic. So the NAT router keeps track of each TCP connection from the inside, by <IP,port>, and makes a table. It then rewrites both the source IP address and the TCP port, in such a way that the connection is reversible.

Example:
Inside:
    10.0.2.5:2000          2000
    10.0.2.5:2001          2001
    10.0.2.7:3000          3000
    10.0.2.5:3000          3001

An advantage of NAT is that it makes connections from the outside very difficult. A disadvantage of NAT is that it makes connections from the outside very difficult. It also gets in the way of UDP; some UDP protocols by design answer from a different port, and NAT doesn't have an entry for the new port.
    
Click here to find what the CS Dept server thinks is your IP address. We could use WireShark to tell what our "inside" port number was, versus the NAT-altered outside port number.

Configuring networks

The usual tool is the Networks Control Panel applet. Demo.

Some things that can go wrong:


Lab

Here are our viruses (the actual virus files will be in z:\viruses)
When running these, you should first:
After running each virus,
At the end of each virus, don't forget to revert to the uninfected disk!

Things to look for: