The Ken Thompson method of implanting malware was to use the compiler to put malware into the compiled code that did not exist in the source code. Thus we can implement a compiler that always puts one malicious function (e.g. a listener) into every executable.

Suppose an attacker has succeeded in distributing such a compiler and some applications are affected. Describe how the attacker will now use the malware to download new code onto infected machines.

-- Assume every compiled program generated by the compiler contains the malware and that the applications have been compiled using this compiler. (Note: you will have to describe how the compiler-generated malware works, how it is invoked, and how it achieves the desired result.)

------------

A word-processing program being used by Alice has a buffer overflow vulnerability: the program uses gets(buffer) to read a string into a small buffer on the stack. Bob sends Alice a file (via e-mail) that Alice opens with this word processor, and because Bob has crafted the file to take advantage of the vulnerability, opening it performs a buffer overflow attack on the word processor.

A] What is the simplest method to implant some malware on the victim's machine using this buffer overflow?

B] What makes it difficult to download a binary program using the simple method in [A]?

C] What is the better method (instead of injecting a binary) to place a program on Alice's machine that will run, probably in perpetuity?

-------------------

The "Tripwire" system calculates hashes for all executable files on a clean computer and later, when the machine is scanned, compares those stored hashes with the hashes of the files actually present, to ensure nothing has changed and no malware is hiding as a legitimate program.

  1. What kinds of attacks will not be detectable by such a scheme?
  2. What attack will render the above strategy useless (i.e. it will not find infected files, even if they exist)?
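To make the Tripwire scheme concrete, here is an added example (not code from the original questions or from the Tripwire project) of the two phases it describes: hashing every file under a directory on the clean machine into a baseline manifest, then rescanning and reporting what was modified, added or removed. The file tree, its contents and the tampering steps in `demo()` are constructed for the example; the real tool also records ownership, permissions and inode data, and keeps its baseline where the scanned host cannot rewrite it, whereas this example keeps only a content hash in an in-memory dict.

```python
import hashlib
import os
import tempfile

# Constructed sample tree (not real system files): relative path -> bytes.
SAMPLE_FILES = {
    "bin/editor": b"\x7fELF editor v1",
    "bin/ls": b"\x7fELF ls v1",
    "lib/libc.so": b"\x7fELF libc v1",
}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Baseline or scan: map every regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # only regular files are hashed in this example
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Compare the stored clean-machine baseline with a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write_files(root, files):
    """Helper to lay down the constructed sample files."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Take a baseline on the 'clean' tree, simulate changes, rescan and report."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, SAMPLE_FILES)
        baseline = hash_tree(root)  # phase 1: hashes recorded on the clean machine
        # Simulated changes for the example: one executable's bytes altered,
        # one unknown file added, one library deleted.
        write_files(root, {"bin/ls": b"\x7fELF ls v1 + extra bytes"})
        write_files(root, {"bin/newfile": b"\x7fELF unknown"})
        os.remove(os.path.join(root, "lib/libc.so"))
        return diff_manifests(baseline, hash_tree(root))  # phase 2: scan and compare


if __name__ == "__main__":
    print(demo())
```

Running the block prints the report for the constructed tree: `bin/ls` is flagged as modified, `bin/newfile` as added and `lib/libc.so` as removed, while `bin/editor`, whose bytes are unchanged, produces no finding.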