worms - Winlab
Mobile Code and Worms
By
Mitun Sinha
Pandurang Kamat
04/16/2003
WORMS

What are network worms?
Worms, formally known as “Automated Intrusion Agents”, are software components that are capable, using their own means, of infecting a computer system and then using it in an automated fashion to infect another system. A virus, by contrast, can’t spread or infect on its own.

What can these “cute creatures” do?

Infect and take over a large number of Internet hosts and turn them into zombies.
These hosts can then be used to:
  launch a massive Distributed Denial of Service (DDoS) attack.
  access sensitive information on the hosts.
  inject false or malicious information into networks.
The worm-based attack model provides:
  “ease” of automation.
  penetration fuelled by speed and aggressiveness.

Components of a worm

Reconnaissance capability
Attack capability
Command interface
Communication capability
Intelligence capability

Reconnaissance

Target identification
  Active methods
    scanning
  Passive methods
    OS fingerprinting
    traffic analysis

Attacks

Exploits
  buffer overflow, cgi-bin etc.
Generally involves privilege escalation
Two components
  local
  remote

Command Interface

Interface to the compromised system
  root/administrative shell
  network client
Accepts commands from
  a person
  other worm siblings

Communications

Information transfer
  network vulnerability information
  commands and data etc.
Network clients to various services
Stealth issues
  handled much the same way as “rootkits”

Intelligence

The worm system may maintain a list of infected nodes
  centralized or distributed
Knowledge of other siblings
The infected machines can then be put to use by instructing them through the command interface

Morris Worm (November 1988)

First malicious worm
  In 1982 some worms were written at Xerox PARC for doing legitimate networking tasks.
Exploits: sendmail (malformed input) and the finger daemon (buffer overflow) on VAX and Sun machines.
Used trust relationships amongst the hosts to spread
No command interface
Infected 6000 hosts (10% of the Internet)

Code Red I (July 2001)

Began: July 12, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named “Code Red” because:
  the folks at eEye Security worked through the night to identify and analyze this worm, drinking “Code Red” (Mountain Dew) to stay up.
  the worm defaced some websites with the phrase “Hacked by Chinese”
Version 1 did not infect many hosts because it used a static seed in its random number generator, so every copy scanned the same sequence of addresses. Version 2 came out on July 19th with this “bug” fixed and spread rapidly.
The worm’s behavior each month:
  1st to 19th --- spread by infection
  20th to 28th --- launch a DoS attack on www.whitehouse.gov
  28th till end of month --- rest
Infected 359,000 hosts in under 14 hours.

Code Red I (July 2001)

Cumulative total of unique IP addresses infected by the first outbreak of Code-Red-I v2.
(Source: “Code-Red: a case study on the spread and victims of an internet worm”, Moore et al.)

Worms-2… The Next Generation

Warhol worms -- infecting most of the targets in under 15 min.
  “In the future, everybody will be world-famous for 15 minutes.” -- Andy Warhol
  “How to 0wn the Internet in Your Spare Time”, Weaver et al., Usenix ’02 [Weav02].
Combination of “hit-list” scanning (start from a pre-compiled list of known vulnerable hosts) and “permutation” scanning (all copies walk one shared pseudorandom ordering of the address space so they do not rescan each other’s ranges).
(Source: [Weav02])

SQL Slammer (Jan 2003) – The future is NOW!

Began: January 25th. (Also known as “Sapphire”.)
Exploit: Microsoft SQL Server (buffer overflow)
  contains a simple, fast scanner in a 376-byte worm inside a single UDP packet.
  all it did was send this packet to UDP port 1434.
The first “Warhol” worm.
  doubled in size every 8.5 seconds. (Code Red doubled every 37 min.)
  infected more than 90% of vulnerable hosts within 10 minutes.
No malicious payload, but it jammed networks worldwide with traffic.
  affected businesses, ATM machines, grounded flights etc.
Flaws:
  too aggressive in scanning; it quickly countered its own growth by eating up bandwidth.
  an error in the random number generator eliminated quite a lot of the search space.

SQL Slammer (Jan 2003) -- “The worm that ate the Internet!”
(Source: www.caida.org)

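Detection logic for the traffic pattern just described, as an added example that is not part of the slides: it walks constructed per-packet flow records and alerts on any source that sends small UDP datagrams to port 1434 at many distinct destinations within a short window, the signature of a Slammer-style scanner rather than of a SQL client talking to one server. The flow line format, the window and the thresholds are assumptions chosen for the example.

```python
"""Flag Slammer-style UDP/1434 scanning in per-packet flow records.

Constructed flow line format (one packet per line, an assumption of this example):
    "<epoch-seconds> <src-ip> <dst-ip> <proto> <dst-port> <bytes>"
"""
from collections import defaultdict, deque

SCAN_PORT = 1434        # SQL Server resolution service (UDP), the port Slammer hit
WINDOW_S = 10.0         # seconds of per-source history kept (assumed threshold)
MIN_DISTINCT = 20       # distinct destinations within the window that trigger an alert
MAX_BYTES = 450         # Slammer was a single ~376-byte payload; bigger flows are normal queries


def parse_flow(line):
    """Split one constructed flow line into typed fields."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return float(ts), src, dst, proto.lower(), int(dport), int(nbytes)


def find_scanners(lines, window=WINDOW_S, min_distinct=MIN_DISTINCT):
    """Return {src: peak distinct UDP/1434 destinations seen in any window}
    for sources that reach the threshold; quiet sources are left out."""
    history = defaultdict(deque)       # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in lines:
        ts, src, dst, proto, dport, nbytes = parse_flow(line)
        if proto != "udp" or dport != SCAN_PORT or nbytes > MAX_BYTES:
            continue                   # not a small UDP/1434 datagram: ignore
        q = history[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                # drop packets older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_distinct:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


# Constructed sample: 10.0.0.5 sprays one small UDP/1434 datagram at 30 different
# hosts in 3 seconds (worm-like); 10.0.0.7 repeatedly queries a single SQL server;
# 10.0.0.9 talks TCP/1433, which is ordinary SQL client traffic.
SAMPLE_FLOWS = (
    [f"{1000 + i * 0.1:.1f} 10.0.0.5 198.51.100.{i} udp 1434 404" for i in range(30)]
    + [f"{1000 + i:.1f} 10.0.0.7 10.0.0.20 udp 1434 404" for i in range(25)]
    + [f"{1000 + i * 0.1:.1f} 10.0.0.9 203.0.113.{i} tcp 1433 1500" for i in range(30)]
)

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {peak} distinct UDP/{SCAN_PORT} targets within {WINDOW_S:.0f}s")
```

Against the sample only 10.0.0.5 is reported; a real deployment would feed the same function from a flow collector and tune the window and threshold to the site’s normal SQL traffic.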
Conclusion

Worms have been around for a while and are evolving constantly:
  increase in hiding tools
  morphing worms
  Warhol worms
  stealth worms
Defenses should evolve too:
  enforce fundamentals strictly: security patches, NIDS etc.
  increase depth of defense, not just the perimeter
  rapid analysis and response (counter-attack)
  changing strategies to detect dynamic worms