worms - Winlab
Mobile Code and Worms
By
Mitun Sinha
Pandurang Kamat
04/16/2003
WORMS
What are network worms?
Worms, formally known as “Automated Intrusion Agents”, are software components that are capable, using their own means, of infecting a computer system and then using it, in an automated fashion, to infect further systems.
A virus, by contrast, can’t spread/infect on its own.
What can these “cute creatures” do?
Infect and take over a large number of Internet hosts… turn them into zombies.
These hosts can then be used to:
launch a massive Distributed Denial of Service (DDoS) attack.
access sensitive information on the hosts.
inject false or malicious information into networks.
The worm-based attack model provides:
“ease” of automation.
penetration fuelled by speed and aggressiveness.
Components of a worm
Reconnaissance capability
Attack capability
Command interface
Communication capability
Intelligence capability
Reconnaissance
Target identification
Active methods
scanning
Passive methods
OS fingerprinting
traffic analysis
Attacks
Exploits
buffer overflow, cgi-bin etc.
Generally involves privilege escalation
Two components
local
remote
Command Interface
Interface to compromised system
root/administrative shell
network client
Accepts commands
person
other worm siblings
Communications
Information transfer
network vulnerability information
commands and data etc.
Network clients to various services
Stealth issues
handled much the same way as “rootkits”
Intelligence
The worm system may maintain a list of infected nodes
centralized or distributed
Knowledge of other siblings
The infected machines can then be put to use by instructing them through the command interface
Morris Worm (November 1988)
First malicious worm
In 1982 some worms were written at Xerox PARC for doing legitimate networking tasks.
Exploits: sendmail (malformed input) and the finger daemon (buffer overflow) on VAX and Sun machines.
Used trust relationships amongst the hosts to spread
No command interface
Infected 6000 hosts (10% of the Internet)
Code Red I (July 2001)
Began: July 12, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named “Code Red” because:
the folks at eEye security worked through the night to identify and analyze this worm, drinking “Code Red” (Mountain Dew) to stay up.
the worm defaced some websites with the phrase “Hacked by Chinese”
Version 1 did not infect too many hosts due to the use of a static seed in its random number generator. Version 2 came out on July 19th with this “bug” fixed and spread rapidly.
The worm’s behavior each month:
1st to 19th --- spread by infection
20th to 28th --- launch DoS on www.whitehouse.gov
28th to end of month --- rest.
Infected 359,000 hosts in under 14 hours.
Code Red I (July 2001)
Cumulative total of unique IP addresses infected by the first outbreak of Code-Red-I v2.
(source: “Code-Red: a case study on the spread and victims of an internet worm”, Moore et al.)
Worms-2… The Next Generation
Warhol worms -- infecting most of the targets in under 15 min.
“In the future, everybody will be world-famous for 15 minutes.”
-- Andy Warhol
“How to 0wn the Internet in Your Spare Time”, Weaver et al., Usenix ’02 [Weav02].
Combination of “hit-list” scanning and “permutation” scanning.
Source: [Weav02]
SQL Slammer (Jan 2003) – The future is NOW!
Began: January 25th. (Also known as “Sapphire”.)
Exploit: Microsoft SQL Server (buffer overflow)
Contains a simple, fast scanner in a 376-byte worm carried inside a single UDP packet; all it did was send this packet to UDP port 1434.
The first “Warhol” worm.
Doubled in size every 8.5 seconds. (Code Red doubled every 37 min.)
Infected more than 90% of vulnerable hosts within 10 minutes.
No malicious payload, but it jammed networks worldwide with traffic.
Affected businesses, ATM machines, grounded flights, etc.
Flaws:
too aggressive in scanning; it countered its own growth quickly by eating up bandwidth.
an error in the random number generator eliminated quite a lot of the search space.
SQL Slammer (Jan 2003) -- “The worm that ate the Internet!”
Source: www.caida.org
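The Slammer slides give a defender two handles: a fixed signature (UDP, port 1434, 376-byte worm) and a behaviour (one source contacting very many destinations per second). This added example, which is not from the slides, applies both checks to a few constructed flow records; the record layout, the host addresses and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the slides): "time src dst proto dport payload_bytes".
# 10.0.0.7 behaves like a Slammer-style scanner: one 376-byte UDP datagram to port 1434
# per destination, many destinations per second. The other hosts carry ordinary traffic.
FLOWS = """\
0.0 10.0.0.7 203.0.113.1 udp 1434 376
0.1 10.0.0.7 198.51.100.9 udp 1434 376
0.2 10.0.0.7 192.0.2.44 udp 1434 376
0.3 10.0.0.7 203.0.113.77 udp 1434 376
0.4 10.0.0.7 198.51.100.210 udp 1434 376
0.5 10.0.0.7 192.0.2.13 udp 1434 376
0.2 10.0.0.21 192.0.2.80 tcp 80 512
0.9 10.0.0.21 192.0.2.80 tcp 443 1200
1.4 10.0.0.21 198.51.100.5 tcp 443 900
0.6 10.0.0.33 192.0.2.53 udp 53 64
"""

def parse_flows(text):
    """Parse the constructed record format into (time, src, dst, proto, dport, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, dport, nbytes = line.split()
        records.append((float(t), src, dst, proto, int(dport), int(nbytes)))
    return records

def slammer_signature_hits(records):
    """Fixed signature: UDP to port 1434 carrying a 376-byte payload (the figures the slides give).
    Cheap and precise, but it matches only this exact worm."""
    return sorted({src for _, src, _, proto, dport, nbytes in records
                   if proto == "udp" and dport == 1434 and nbytes == 376})

def fanout_scanners(records, window=1.0, threshold=5):
    """Behavioural heuristic: a source reaching >= threshold distinct destinations on the same
    (proto, dport) within `window` seconds is treated as scanning, whatever the payload is."""
    by_key = defaultdict(list)
    for t, src, dst, proto, dport, _ in records:
        by_key[(src, proto, dport)].append((t, dst))
    flagged = {}
    for (src, proto, dport), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                flagged[src] = (proto, dport, len(dsts))
                break
    return flagged
```

The fan-out check is the one that survives a "morphing" worm, since it keys on scanning rate rather than packet contents; its threshold must be set above the legitimate fan-out seen on the monitored network.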
Conclusion
Worms have been around for a while and are evolving constantly
increase in hiding tools
morphing worms
warhol worms
stealth worms
Defenses should evolve too
enforce fundamentals strictly: security patches, NIDS, etc.
increase depth of defense, not just perimeter
rapid analysis and response (counter-attack)
changing strategies to detect dynamic worms