Transcript Internet Worms: Methods, Countermeasures and Famous Incidents

Internet Worms:
Methods,
Countermeasures and
Famous Incidents
Presented by:
Tran To
Brian Tully
Worms Are Bad!

Damages
 Lost
productivity
 Compromised information
 Lost Money
Total billions of dollars per year
 Worms and viruses cost $8 billion in Jan. 2003
alone

Worms Exploit Vulnerabilities

Systems have faults
Book – de facto standard that rates
the security of operating systems
 Orange
Windows has a class D rating – minimal protection
 Unix has a class C1 rating – discretionary security
protection

Goals

Examine system vulnerabilities
 Weak
passwords
 Trap doors
 Buffer overflows

Famous Incidents
 Morris,

Code Red, Blaster, Slammer, Sasser
Countermeasures
What is a Worm?

Necessary Criteria
 Replication
 Self-contained
 Multi-tasking
system
 For network worms – replication across
communication links
Two Major Classifications

Host computer worms
 Entirely
contained in computer it is running on
 Uses network only to propagate

Network worms
 Multiple
segments on different hosts
 Uses network for several communication
purposes
Worms Are Not Really Bad?!

By definition worms
are not malicious
 Simply
a program that
replicates
 First used for network
management
 Took advantage of
system properties

Malicious worms do the
same
History of Worms

Term coined by John Brunner
 1970s

novel “The Shockwave Rider”
Xerox Palo Alto Research Center (PARC)
 John
Schoch and John Hepps use worms for
distributed computations
Prove useful but managing worms is difficult
 Night worm crashes systems


Possible malicious uses realized
System Vulnerabilities
Worms attack availability, confidentiality
and integrity
 Exploit flaws in OS to replicate

 Weak
passwords
 Trap Doors

Gain access to user accounts
 Buffer

Overflow
Gain root access
Password Attack

Brute force
 Time

consuming
Worms take advantage of weak
passwords
 Dictionary
attack
 List of commonly used passwords
Backdoor Attack

Usually undocumented feature that
sidesteps security mechanisms
 debugging
 Maintenance

Easy access to system once discovered
Buffer Overflow


Buffer – contiguous allotted chunk of memory,
such as an array
In C and C++ there is no bounds checking
 Can

write past end of a buffer
Spill into user space or OS space
 Functions

sprintf(), scanf(), gets(), strcpy()
Do not check that destination buffer is large enough
 Buffer
overflow attacks exploit this
Stack Overflow Attack

Buffer put on a stack
 Maintains
pointers
 Subroutine Call
Parameters and return address pushed on stack
 By entering long unchecked parameters, attacker
can manipulate return address

Stack Overflow Attack

Attacker has two options
 Inject

attack code into return address
Gain root privileges
 Change

return address
Alter the path to point to malicious code
Countermeasures
Choose hard to guess passwords
 Do not build backdoors
 Write secure code

 Use
strncpy() instead of strcpy() to limit the
side of the buffer

Bound checking compilers
Famous Incidents

Christmas Tree Worm
 Attacked
IBM in Dec. 1987
 Chain letter and Trojan horse
 Drew Christmas tree on display 
 Also forced computers to shut down 
Morris Worm


Released Nov. 2, 1988
Purpose was to
propagate


Attacked mail servers
Exploited holes in Unix


Trap door in Sendmail
Buffer overflow Finger
Daemon



Overwrote 512 character
buffer with 536
Extra 24 characters
executed as commands
Password Cracker
Morris Worm

Affected 6,000 systems
 Consumed


excessive system resources
Morris confessed to creating the worm out of
boredom?! (I sleep when I’m bored, I don’t
terrorize the nation)
Convicted in 1990 of violating 1986 Computer
Fraud and Abuse Act
 Fined
$10,000
 Three years probation
Code Red

Affected more than 250,000 servers in
July 2001
 Web
servers running Microsoft’s Internet
Information Server (IIS)
Checked port 80 and sent HTTP GET request to
propagate
 Exploited buffer overflow vulnerability of idq.dll

Code Red

First nineteen days



Days 20-27


Launched DDOS attack
against the White House
web site
Day 28


Looked for servers to infect
Defaced web pages
requested by servers
Worm slept
Affected 750,000 servers
total costing $2 billion
Blaster Worm

Released Aug. 11, 2003
 Affected


Windows XP and Win2K systems
Purpose was to launch a DDOS attack against
Microsoft’s windowsupdate.com
Spread Fast
 Filtered
ISPs for vulnerable systems
 Exploited buffer overflow in Microsoft’s interface
between Windows Distributed Component Object
Model (DCOM) and Remote Procedure Call (RPC)


Gained root privileges through TCP/IP RPC packets
Prevented users from downloading patches
Blaster Worm

Used Port Scanning
 Port
135 used by RPC
 Deposit Trojan horse





Execute remote shell
Initiate TFTP request to download worm
Computer is now unwilling participant in DDOS attack
1.4 million computers affected
Patch had been released a month prior
Slammer Worm

Fastest spreading worm
 Doubled
in size every 8.5 seconds
 Affected 75,000 computers in 10 mins

Used random scanning
 Selected
IP addresses at random to infect and
eventually found all vulnerable hosts

Simple fast scanner
Slammer Worm
Goal was to DDOS attack various hosts
and slow down the Internet in general
 Exploited buffer overflow vulnerabilities in
Microsoft’s SQL Server

 Transmitted

TCP-SYN packet
Patch was available for six months before
attacks occurred
Before the Slammer Worm hit
Thirty minutes later …
Sasser Worm

First noticed April 30, 2004

Affected Windows XP and
Win2K
 Connected directly to open
ports

Exploited buffer overflow in
Microsoft’s local security
authority subsystem service

Connected through TCP port
445
 Installed FTP server and
transferred itself

Patch was available before
release

Worm was possibly reverseengineered from patch
Countermeasures

Update system
 Download

Limit the amount of time a vulnerability can be exploited
 Update


anti-virus software on a regular basis
Latest software use heuristics
Identify code common to worms and variants
 Configure


patches on a regular basis
firewall properly
Disable unnecessary services e.g. web and ftp servers
Build completely secure systems
Summary


Worms are here to stay
Individuals do not have much of a choice in
systems
 Security
is dependent on developers of product
 Forced to use insecure product knowing worms can
attack it

Only solution is to not connect to the Internet,
dig a hole and throw your router into the depths
of the underworld
Possible Alternatives

With minimal effort a user can greatly increase
the security of his or her inherently insecure
system
 Patches and updates
 Minimal time between when vulnerability is discovered and
when vulnerability is fixed
 Firewall
 Limit access to system so worms can’t get in to start

Simple procedures significantly reduce the
extent to which worms can spread and cause
damage
Questions?