CSED 431 Week 5 -- February 22
Networking
State exam
Viruses
Processes
An executing program runs as a process. Each process may, in turn, be composed of multiple independently running threads. All code execution that runs in non-kernel mode runs in some process; the many services under windows run as threads divided among several svchost.exe processes.
Demo: use ProcessExplorer to look at svchost.exe and threads
Demo: use ProcessExplorer to
view the "geneology" of processes: each process has a parent, etc. This
geneology can to some extent be "fooled"; if a process's parent exits,
the child process may move elsewhere.
Every process runs with a certain "security context"; generally speaking, this means that each process runs:
- under the ownership of some system or user account
- in addition, as a member of various groups
- with some designated NT privileges (eg the Debug privilege)
The security context determines what a process can do: the Debug privilege would let it access the memory allocated to other processes, for example. (Vista/Win7 introduced the idea of protected
processes, that cannot be peeked at by the debugger regardless of
privilege.) The ownership and groups determines what files a process is
able to read from and write to. A process running as a limited user,
for example, cannot write to any system files; members of the Power
Users group, on the other hand, have write access to many system files.
Viruses
A virus infection occurs when some malicious code is executed,
ie run in a process on the machine. Malicious code (we'll give
Microsoft this much credit) always comes from the outside. Most of the
time it comes in the form of an executable program that the user must
be "tricked" into running: perhaps as a document macro, or an email
attachment happypicture.jpg.exe, or something else. Tricking users into running something they should not is broadly known as social engineering.
Another infection category is that sometimes a nominally nonexecutable data file
is provided that exploits a bug in some standard application; when that
application attempts to open the file, it crashes and/or is tricked
into starting a malicious process. Often the data file does in fact contain some snippet of machine code, and uses a buffer overflow
or similar vulnerability of the application in question to arrange for
the bad code to be executed. Internet browsers are notorious for
this sort of thing: certain websites attempt to exploit
browser vulnerabilities to take over the machine.
Finally, there is the category of external worms that attack your
computer over the network using some vulnerability (most likely in one
of the service threads). These inject themselves into your machine without your doing anything to any files, or in fact doing anything at all.
When you run some code, it takes over the machine, in the sense that it
has full control of the CPU while it is running (subject to the
constraints of its security context). This applies to any code. Once the process has finished executing (eg because the system was rebooted), it will not restart unless it has inserted a command to restart itself automatically somewhere within the system (most likely in the registry).
The intentional or accidental damage that code can do to your machine
is limited by its authorization to write to files: if it runs as a user
with no permission to write to any system files, then it cannot modify
any system files. This is why doing general work via a "limited"
account is so important. Once a virus executes at the system level, it
can modify any system files to set itself up for permanent execution
and to conceal its tracks. It can even modify the win32 core libraries
so that you can no longer even see the relevant files. (Sysinternal's
RootkitRevealer looks for signs of such hidden files.)
Note, however, that even a limited account may have a bad effect on the user's own files.
Also, a virus running under a limited account may still attempt to
connect to and infect or attempt to infect other machines; this doesn't
damage or alter the machine it is running on, but it is still rather
disruptive. The MyDoom virus, for example, when run as a limited
account, will still attempt to read that user's email directory and
email all that user's contacts with an executable attachment, Note that
such a virus exists only as a process, and will go away
Running standard nonmalicious programs to view files (word documents,
email, etc) cannot launch a virus process (although Word documents can
contain malicious macros that are executed when the document is opened;
this is why disabling such macros is important). Viewing email, etc, is
generally safe.
A virus sandbox
Here are the steps we will take:
- Before starting the virus, take a snapshot
- disable outbound connections, except to DNS
- monitor outbound network traffic with WireShark
Tools for looking for virus evidence:
- MalwareRemovalTool
- Microsoft Malicious Software Removal utility
- SysInternals RootkitRevealer
Networks
See cs.luc.edu/pld/courses/netnotes.
Ethernet
Ethernet addresses
Brief review of IP addresses
IP addresses are 4 bytes
They are composed of a network part + host part.
Originally, this net/host division was based on the address class:
Class A: 1st bit is 0; one byte of net and three bytes of host
Class B: 1st two bits are 10; two bytes of net and two bytes of host
Class C: 1st three bits are 110; three bytes of net and one byte of host
A host distinguishes between local (eg direct ethernet) delivery and
router delivery by comparing the net part of the destination IP address
with the net part of its own IP address. If they match, the packet is
local. If they do not match, the packet is sent to the router.
Routers make this same distinction between local and nonlocal: the net portion of the destination IP address is compared to the net portions of all its IP interfaces. If there is a match, delivery is local; if there is no match, then the router looks up destnet in its routing table, consisting of ⟨dest,next_hop⟩ pairs. If a matching dest is found, the packet is forwarded to the neighboring router represented by the next_hop.
When the packet reaches the final router, that router will realize that
local delivery is called for, and will deliver the packet directly over
the LAN.
Bottom line: if there is disagreement somewhere as to where to divide an IP address into net and host portions, routing will fail.
Most hosts and routers no longer use the class-based method of net/host division; they use subnet masks
instead. Subnet masks represent a per-interface way of specifying the
division into net and host bits. The subnet mask itself is a 32-bit
quantity; where there is a 1 bit in the mask, that means the
corresponding bit position of any IP address is part of the net
portion; where there is a 0 bit in the mask, then the corresponding
position in the IP addresses is a host bit. For example, a common
subnet mask is 255.255.255.0; the decimal number 255 is eight 1-bits,
and so this means that the first three bytes of any IP address will be
interpreted as the network portion, and the last byte will be
interpreted as the host portion. This is sometimes denoted "/24",
because there are 24 network bits; it is the same as class C. Another
example is 255.255.240.0; here, you have to do some binary arithmetic
to realize that 240 is 1111 0000 in binary, and so IP addresses are
interpreted as having 8+8+4 = 20 network bits (and then 12 host bits).
This could also be denoted "/20".
The subnet mask is not sent with packets; it is assigned to an IP interface as part of the setup process. Note that, while it is applied to all packets, it really only matters for determining if a packet is
local or not. That is, if you apply your local subnet mask to
microsoft.com (207.46.197.32; a class-C) or 4.0.0.1 (a class A), there
is a good chance that it gives the "wrong" net/host division for one of
these. However, that won't matter, because they are both nonlocal, and as long as your local subnet mask tells you that then you're ok.
Brief review of DNS
basics of how lookup of, say, www.cs.luc.edu works, hierarchically.
edu
luc.edu
cs.luc.edu
www.cs.luc.edu
DNS caching
alice.cs.luc.edu and bob.cs.luc.edu do NOT need to have related IP addrs!
To bring up a machine on a local area network, so that it can connect to the internet, it must have:
- an IP address
- a subnet mask
- the IP address of the router it uses to reach the outside world
- the IP address of one or more DNS servers
Generally, all four of these (and often more as well) are handed out by the DHCP (Dynamic Host Configuration Protocol) server.
TCP and UDP
port numbers
To set up a lab, you need a router and a block
of IP addresses, or, more specifically, a subnet. What can you do if
you have only a single IP address? The standard solution is network address translation,
or NAT, which takes advantage of TCP connections and their port numbers
to handle the "demultiplexing". The usual situation is (potentially)
multiple machines inside, on a private IP subnet (eg 10.0.2.0/24), all
talking to a NAT router. It is easy for a router to replace the subnet
IP address of any machine with its own "outside" IP address; however,
that wouldn't allow return traffic. So the NAT router keeps track of
each TCP connection from the inside, by <IP,port>, and makes a
table. It then rewrites both the source IP address and the TCP port, in
such a way that the connection is reversible.
Example:
Inside:
10.0.2.5:2000 2000
10.0.2.5:2001 2001
10.0.2.7:3000 3000
10.0.2.5:3000 3001
An advantage of NAT is that it makes connections from
the outside very difficult. A disadvantage of NAT is that it makes
connections from the outside very difficult. It also gets in the way of
UDP; some UDP protocols by design answer from a different port, and NAT
doesn't have an entry for the new port.
Click here
to find what the CS Dept server thinks is your IP address. We could use
WireShark to tell what our "inside" port number was, versus the
NAT-altered outside port number.
Configuring networks
The usual tool is the Networks Control Panel applet. Demo.
Some things that can go wrong:
- insufficient bandwidth
- for downloads
- for realtime services (voice/video)
- bad configuration
- use ipconfig /all to try to figure out what is set incorrectly
- unplugged cables
- no ip address
- no router
- no DNS
Lab
Here are our viruses (the actual virus files will be in z:\viruses)
When running these, you should first:
- Take (or revert to) a clean snapshot of the minXP disk
- Make sure the firewall is in effect: try starting the browser. If you get a web page, the firewall is not active.
- Make sure the firewall is in effect: the command iptables --verbose --list should show:
- ACCEPT udp --
tap0 any
anywhere
anywhere
udp dpt:domain
- DROP
all -- tap0 any
anywhere
anywhere
- Run ProcessExplorer (sysinternals/procexp.exe) to monitor all system processes
- Run wireshark on the tap0 interface, filtering for tcp or dns packets only
- Look up the geographical location of some of the IP addresses to which access was attempted
After running each virus,
At the end of each virus, don't forget to revert to the uninfected disk!
Things to look for:
- TCP connection attempts
- use revlookup to try to convert the IP address to a name
- processes with legitimate-sounding names (eg "svchost.exe") that
don't have the correct geneology (as visible in ProcessExplorer) to be
a real svchost.exe.
- Files where the process lives