Mobile Code and Worms
Transcript and Presenter's Notes

1
Mobile Code and Worms
By Mitun Sinha and Pandurang Kamat, 04/16/2003
2
WORMS
3
What are network worms ?
  • Worms, also called Automated Intrusion Agents, are software
    components that can, by their own means, infect a computer
    system and then use it, in an automated fashion, to infect
    other systems.

A virus, by contrast, cannot spread on its own: it needs a host
program or a user action to carry it to the next system.
4
What can these cute creatures do ?
  • Infect and take over a large number of Internet hosts and
    turn them into zombies.
  • These hosts can then be used to
  • launch a massive Distributed Denial of Service (DDoS)
    attack.
  • access sensitive information on the hosts.
  • inject false or malicious information into networks.
  • The worm-based attack model provides
  • ease of automation.
  • penetration fuelled by speed and aggressiveness.

5
Components of a worm
  • Reconnaissance capability
  • Attack capability
  • Command interface
  • Communication capability
  • Intelligence capability

6
Reconnaissance
  • Target identification
  • Active methods
  • scanning
  • Passive methods
  • OS fingerprinting
  • traffic analysis

7
Attacks
  • Exploits
  • buffer overflow, cgi-bin etc.
  • Generally involves privilege escalation
  • Two components
  • local
  • remote

8
Command Interface
  • Interface to compromised system
  • root/administrative shell
  • network client
  • Accepts commands
  • person
  • other worm siblings

9
Communications
  • Information transfer
  • network vulnerability information
  • commands and data etc.
  • Network clients to various services
  • Stealth issues
  • handled much the same way as rootkits

10
Intelligence
  • The worm system may maintain a list of infected
    nodes
  • centralized or distributed
  • Knowledge of other siblings
  • The infected machines can then be put to use by
    instructing them through the command interface

11
Morris Worm (November 1988)
  • First malicious worm.
  • In 1982 some worms were written at Xerox PARC for doing
    legitimate networking tasks.
  • Exploited a debug-mode feature in sendmail and a buffer
    overflow in the finger daemon (fingerd) on VAX and Sun
    machines, and also guessed weak passwords.
  • Used trust relationships amongst the hosts (rsh/rexec and
    .rhosts) to spread.
  • No command interface.
  • Infected about 6,000 hosts (roughly 10% of the Internet at
    the time).

12
Code Red I (July 2001)
  • Began July 12, 2001.
  • Exploited Microsoft IIS web servers (buffer overflow in the
    Indexing Service ISAPI extension, idq.dll).
  • Named Code Red because
  • the folks at eEye Digital Security worked through the night
    to identify and analyze this worm, drinking Code Red
    (Mountain Dew) to stay awake.
  • the worm defaced some websites with the phrase
    "Hacked By Chinese!"
  • Version 1 did not infect many hosts because it used a static
    seed in its random number generator, so every infected host
    scanned the same sequence of addresses. Version 2 came out on
    July 19th with this bug fixed and spread rapidly.
  • The worm's behavior each month
  • 1st to 19th --- spread by infection
  • 20th to 27th --- launch a DoS against www.whitehouse.gov
    (a hard-coded IP address, which let the site sidestep it)
  • 28th until end of month --- sleep.
  • Infected more than 359,000 hosts in under 14 hours.

13
Code Red I (July 2001)
[Figure: cumulative total of unique IP addresses infected by the
first outbreak of Code-Red-I v2. Source: "Code-Red: a case study
on the spread and victims of an internet worm", Moore et al.]
14
Worms 2: The Next Generation
  • Warhol worms -- infecting most of the targets in under
    15 minutes.
  • "In the future, everybody will be world-famous for
    15 minutes."
  • -- Andy Warhol
  • "How to 0wn the Internet in Your Spare Time",
    Staniford, Paxson and Weaver, USENIX Security '02 [Weav02].
  • Combination of hit-list scanning (a precompiled list of
    vulnerable hosts to seed the outbreak) and permutation
    scanning (all instances walk one shared pseudo-random
    permutation of the address space, so they do not re-probe
    each other's territory).

[Figure: source [Weav02]]
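The two scanning strategies named on this slide are easiest to understand by running them. The following is an added toy simulation, not code from the slides or from [Weav02]: a small address space with a fixed fraction of vulnerable hosts, where every infected instance sends a fixed number of probes per time step. "random" is Code Red style uniform scanning, "permutation" is the shared-permutation scan of the paper (an instance that lands on an already-infected host assumes that stretch is covered and jumps to a fresh random point; a newly infected host starts scanning just after its own position), and "warhol" is a hit-list of already-infected hosts followed by permutation scanning. The address-space size, vulnerable fraction, probe rate, hit-list size and the use of a seeded shuffle in place of the paper's keyed block cipher are all assumptions made for the example.

```python
import random


def build_permutation(n, key):
    """Shared pseudo-random permutation of the address space [0, n).

    The paper encrypts each address with a block cipher under a key every
    instance knows; a shuffle with a shared seed stands in for that here
    (assumption for the example). Returns (perm, inverse) so an instance can
    find its own position and start scanning just after it.
    """
    rng = random.Random(key)
    perm = list(range(n))
    rng.shuffle(perm)
    inverse = [0] * n
    for pos, addr in enumerate(perm):
        inverse[addr] = pos
    return perm, inverse


def simulate(strategy, n=20_000, vuln=2_000, probes_per_step=5,
             hitlist=0, target=0.9, seed=1, max_steps=10_000):
    """Run one outbreak; return (steps, infected_count).

    strategy: "random"       uniform random probes (Code Red style)
              "permutation"  shared-permutation scan, restart on hitting an
                             infected host
              "warhol"       `hitlist` vulnerable hosts already infected at
                             t=0, then permutation scan
    Stops once `target` of the vulnerable hosts are infected or at max_steps.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(n), vuln))      # constructed population
    perm, inverse = build_permutation(n, key=0xC0DE)

    infected = {rng.choice(sorted(vulnerable))}        # patient zero
    if strategy == "warhol":
        # The hit-list phase is modelled as already complete at t=0.
        infected |= set(rng.sample(sorted(vulnerable - infected), hitlist))

    # Each instance's cursor is its current position in the shared permutation.
    cursor = {h: (inverse[h] + 1) % n for h in infected}

    needed = int(target * vuln)
    steps = 0
    while len(infected) < needed and steps < max_steps:
        steps += 1
        newly = set()
        for host in list(infected):
            for _ in range(probes_per_step):
                if strategy == "random":
                    addr = rng.randrange(n)
                else:
                    addr = perm[cursor[host]]
                    cursor[host] = (cursor[host] + 1) % n
                    if addr in infected or addr in newly:
                        # Another instance has covered this stretch of the
                        # permutation: jump to a fresh random point.
                        cursor[host] = rng.randrange(n)
                        continue
                if addr in vulnerable and addr not in infected and addr not in newly:
                    newly.add(addr)
                    # New instance starts scanning just after its own position.
                    cursor[addr] = (inverse[addr] + 1) % n
        infected |= newly
    return steps, len(infected)


if __name__ == "__main__":
    runs = [("random", {}), ("permutation", {}), ("warhol", {"hitlist": 200})]
    for name, kwargs in runs:
        steps, count = simulate(name, **kwargs)
        print(f"{name:12s} reached {count} infected hosts in {steps} steps")
```

The interesting comparison is the step count: the hit-list removes the slow start-up phase in which a lone instance probes mostly empty space, and permutation scanning removes the wasted probes against already-infected hosts that slow random scanning down as the outbreak saturates. The absolute numbers mean nothing outside this toy model; the ordering is the point.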
15
SQL Slammer (Jan 2003) -- The future is NOW !
  • Began January 25th, 2003. (Also known as Sapphire.)
  • Exploited Microsoft SQL Server 2000 (buffer overflow in the
    SQL Server Resolution Service).
  • Contained a simple, fast scanner in a 376-byte worm carried
    in a single UDP packet.
  • All it did was send this packet to UDP port 1434 of random
    addresses as fast as the host's link allowed.
  • The first Warhol worm.
  • Doubled in size every 8.5 seconds (Code Red doubled every
    37 minutes).
  • Infected more than 90% of vulnerable hosts within 10 minutes.
  • No malicious payload, but it jammed networks worldwide with
    traffic.
  • Affected businesses, ATM machines, grounded flights, etc.
  • Flaws
  • Too aggressive in scanning: it countered its own growth
    quickly by eating up bandwidth.
  • An error in the random number generator left parts of the
    address space unscanned.

16
SQL Slammer (Jan 2003) -- The worm that ate the Internet !
[Figure: source www.caida.org]
17
Conclusion
  • Worms have been around for a while and are evolving
    constantly
  • increase in hiding tools
  • morphing worms
  • Warhol worms
  • stealth worms
  • Defenses should evolve too
  • enforce the fundamentals strictly: security patches,
    NIDS, etc.
  • increase depth of defense, not just the perimeter
  • rapid analysis and response (counter-attack)
  • changing strategies to detect dynamic worms