VULNERABILITIES MEETING
April 26, 1999
4:00 – 5:00pm
3085 ENG II
In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Keith Herold (KH), Lauren and Charlie
TOPICS
- Symbolic Links
- Melissa Virus
- Dissecting Melissa
- How do you stop a virus like Melissa?
- Other Virus and/or Hoaxes
- How do you register software code in practice?
- Next Meeting Topics
- Symbolic Links
  - In progress
- Melissa Virus
  - Question of scale, target
  - Ethics of allowing virus to be downloadable off the internet.
  - Three of the largest anti-virus groups have a policy regarding release of virus code
  - They can't publish any part of a virus or the virus itself
  - Exchange…
  - Ostracize people who publish the code.
Dissecting Melissa
-
Checks to keys in registries
-
Looks to see if Melissa is already installed
-
Looks for Microsoft Outlook
-
Disconnects, installs Melissa key - appears to work only once on system
-
Infection phase - template and active documents
-
Infects every open document with a macro
-
How do you stop a virus like Melissa?
-
Disable macros
-
Create sandbox around virus
-
Password protect macros
-
Do not allow macros to alter other macros (Karger's scheme) - should work
for Word, not for Excel?
-
TA: Makes it more difficult, but still possible. Must create file from
scratch or rename it.
-
Integrity checking
-
List of allowed macros
-
Modify macro with another macro
-
- Other Virus and/or Hoaxes
  - Other hoaxes
  - ZDNet hoax - PCs have built-in microphones that are always on. If you are connected to the internet, they could theoretically record what you say.
  - Similar problems with cameras that can't be disconnected.
  - FrameMaker
  - Competitor name "Interleaf" changed to "FrameMaker"
  - Adobe Acrobat 4.0
  - Anti-virus company claimed there was a virus on the distribution disk - later proved false.
  - There was a sequence code that matched a known virus signature
- How do you register software code in practice?
  - Can't install any software
  - Have a separate production and installation mode (Separation of duty principle)
  - Work in a controlled environment
  - Ultimately, you rely on the user to know the machine
  - Problems with installing software from the browser.
- Next Meeting Topics
  - State of the Vulnerabilities Database
  - Signatures of Vulnerabilities/Attack Tools
  - Language to represent signature of attack tools
  - Look at similarities with CIDF