
Page 1: Internet Worms: Methods, Countermeasures and Famous Incidents Presented by: Tran To Brian Tully

Internet Worms: Methods, Countermeasures and Famous Incidents

Presented by: Tran To, Brian Tully

Page 2

Page 3

Worms Are Bad!

Damages
  Lost productivity
  Compromised information
  Lost money

Total billions of dollars per year
  Worms and viruses cost $8 billion in Jan. 2003 alone

Page 4

Worms Exploit Vulnerabilities

Systems have faults
Orange Book – de facto standard that rates the security of operating systems
  Windows has a class D rating – minimal protection
  Unix has a class C1 rating – discretionary security protection

Page 5

Goals

Examine system vulnerabilities
  Weak passwords
  Trap doors
  Buffer overflows
Famous incidents
  Morris, Code Red, Blaster, Slammer, Sasser
Countermeasures

Page 6

What is a Worm?

Necessary criteria
  Replication
  Self-contained
  Multi-tasking system
  For network worms – replication across communication links

Page 7

Two Major Classifications

Host computer worms
  Entirely contained in the computer it is running on
  Uses the network only to propagate
Network worms
  Multiple segments on different hosts
  Uses the network for several communication purposes

Page 8

Worms Are Not Really Bad?!

By definition worms are not malicious
  Simply a program that replicates
First used for network management
  Took advantage of system properties
Malicious worms do the same

Page 9

History of Worms

Term coined by John Brunner in the 1970s novel “The Shockwave Rider”
Xerox Palo Alto Research Center (PARC)
  John Shoch and Jon Hupp use worms for distributed computations
  Prove useful, but managing worms is difficult
  Night worm crashes systems
Possible malicious uses realized

Page 10

System Vulnerabilities

Worms attack availability, confidentiality and integrity
Exploit flaws in the OS to replicate
  Weak passwords
  Trap doors
    Gain access to user accounts
  Buffer overflow
    Gain root access

Page 11

Password Attack

Brute force
  Time consuming
Worms take advantage of weak passwords
  Dictionary attack
    List of commonly used passwords

Page 12

Backdoor Attack

Usually an undocumented feature that sidesteps security mechanisms
  Debugging
  Maintenance
Easy access to the system once discovered

Page 13

Buffer Overflow

Buffer – contiguous allotted chunk of memory, such as an array
In C and C++ there is no bounds checking
  Can write past the end of a buffer
  Spill into user space or OS space
Functions sprintf(), scanf(), gets(), strcpy()
  Do not check that the destination buffer is large enough
Buffer overflow attacks exploit this

Page 14

Stack Overflow Attack

Buffer put on a stack
  Maintains pointers
Subroutine call
  Parameters and return address pushed on the stack
  By entering long unchecked parameters, an attacker can manipulate the return address

Page 15

Stack Overflow Attack

Attacker has two options
  Inject attack code into return address
    Gain root privileges
  Change return address
    Alter the path to point to malicious code

Page 16

Countermeasures

Choose hard to guess passwords
Do not build backdoors
Write secure code
  Use strncpy() instead of strcpy() to limit the size of the buffer
  Bounds checking compilers
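The unchecked copy from the Buffer Overflow and Stack Overflow slides and the strncpy() countermeasure above, shown side by side as an added C example (not code from the presentation). The 16-byte buffer, the 20-character input and the function names unsafe_copy, bounded_copy and checked_copy are assumptions made for the illustration. It also covers the caveat the slide leaves out: strncpy() does not terminate the destination when the source is too long, so the caller must add the NUL itself.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_LEN 16   /* assumed destination buffer size */

/* The vulnerable pattern from the slides: strcpy() copies until it finds the
 * source's terminating NUL and never looks at the destination size, so any
 * input longer than NAME_LEN - 1 characters writes past the end of name[]
 * (undefined behaviour; on a stack buffer this is the overwrite the Stack
 * Overflow Attack slides describe). Shown for contrast, never called here. */
void unsafe_copy(char *name, const char *input)
{
    strcpy(name, input);               /* no bounds check */
}

/* strncpy() as the slide suggests, plus the part it does not mention: when
 * the source is at least dst_size - 1 bytes long strncpy() writes no
 * terminating NUL, so we add one. Requires dst_size >= 1. Returns true if
 * the input fit unmodified, false if it was silently truncated. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';          /* guarantee termination */
    return strlen(src) < dst_size;     /* true only if nothing was cut */
}

/* Stricter alternative: refuse over-long input instead of truncating it,
 * which is usually what a network-facing parser should do. */
bool checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return false;                  /* would overflow: leave dst untouched */
    memcpy(dst, src, len + 1);         /* len + 1 includes the NUL */
    return true;
}

int main(void)
{
    char name[NAME_LEN];
    /* constructed input: 20 'A's, longer than the 16-byte buffer */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";

    if (!bounded_copy(name, sizeof name, too_long))
        printf("truncated to \"%s\" (%zu chars)\n", name, strlen(name));

    if (!checked_copy(name, sizeof name, too_long))
        printf("rejected %zu-char input for %zu-byte buffer\n",
               strlen(too_long), sizeof name);
    return 0;
}
```

Truncation keeps the program in bounds but can still change meaning (a path or a username cut short), which is why the rejecting variant is usually the better default for input that arrives over the network.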

Page 17

Famous Incidents

Christmas Tree Worm
  Attacked IBM in Dec. 1987
  Chain letter and Trojan horse
  Drew a Christmas tree on the display
  Also forced computers to shut down

Page 18

Morris Worm

Released Nov. 2, 1988
Purpose was to propagate
Attacked mail servers
Exploited holes in Unix
  Trap door in Sendmail
  Buffer overflow in Finger daemon
    Overwrote 512 character buffer with 536
    Extra 24 characters executed as commands
  Password cracker

Page 19

Morris Worm

Affected 6,000 systems
Consumed excessive system resources
Morris confessed to creating the worm out of boredom?! (I sleep when I’m bored, I don’t terrorize the nation)
Convicted in 1990 of violating the 1986 Computer Fraud and Abuse Act
  Fined $10,000
  Three years probation

Page 20

Code Red

Affected more than 250,000 servers in July 2001
  Web servers running Microsoft’s Internet Information Server (IIS)
Checked port 80 and sent an HTTP GET request to propagate
Exploited a buffer overflow vulnerability in idq.dll

Page 21

Code Red

First nineteen days
  Looked for servers to infect
  Defaced web pages requested by servers
Days 20-27
  Launched DDOS attack against the White House web site
Day 28
  Worm slept
Affected 750,000 servers total, costing $2 billion

Page 22

Blaster Worm

Released Aug. 11, 2003
Affected Windows XP and Win2K systems
Purpose was to launch a DDOS attack against Microsoft’s windowsupdate.com
Spread fast
  Filtered ISPs for vulnerable systems
Exploited a buffer overflow in Microsoft’s interface between Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC)
  Gained root privileges through TCP/IP RPC packets
Prevented users from downloading patches

Page 23

Blaster Worm

Used port scanning
  Port 135 used by RPC
Deposit Trojan horse
  Execute remote shell
  Initiate TFTP request to download worm
Computer is now an unwilling participant in DDOS attack
1.4 million computers affected
Patch had been released a month prior

Page 24

Slammer Worm

Fastest spreading worm
  Doubled in size every 8.5 seconds
  Affected 75,000 computers in 10 mins
Used random scanning
  Selected IP addresses at random to infect and eventually found all vulnerable hosts
  Simple fast scanner
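The scanning behaviour on the Blaster slide (sweeping port 135 across hosts) and the Slammer slide above (random IP selection) has a simple defensive signature: one source contacting many distinct hosts on the same port in a short window. The following is an added C example of that check, not code from the presentation; the flow records, the addresses, the port 135 sweep, the threshold of 4 and the function names parse_flow, load_sample, count_distinct_targets and find_scanners are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_FLOWS    64
#define MAX_SOURCES  16
#define MAX_TARGETS  64
#define ADDR_LEN     16   /* dotted-quad IPv4 plus NUL */

/* One observed connection attempt: who talked to whom, on which port. */
typedef struct {
    char src[ADDR_LEN];
    char dst[ADDR_LEN];
    int  port;
} flow_t;

/* Constructed sample flow log (hypothetical addresses, not captured
 * traffic), one "src dst dport" record per line. 10.0.0.5 sweeps port 135
 * across the subnet; 10.0.0.7 is an ordinary client. One malformed line is
 * included to show the parser skipping it. */
static const char *SAMPLE_FLOWS[] = {
    "10.0.0.5 10.0.0.9 135",
    "10.0.0.5 10.0.0.10 135",
    "10.0.0.7 10.0.0.9 135",
    "10.0.0.5 10.0.0.11 135",
    "10.0.0.5 10.0.0.9 135",       /* repeat: must not count twice */
    "10.0.0.7 10.0.0.9 80",
    "not a flow record",
    "10.0.0.5 10.0.0.12 135",
    "10.0.0.5 10.0.0.13 135",
    "10.0.0.7 10.0.0.9 135",
};

/* Parse one record; the %15s widths keep sscanf inside the fixed buffers. */
bool parse_flow(const char *line, flow_t *out)
{
    return sscanf(line, "%15s %15s %d", out->src, out->dst, &out->port) == 3;
}

/* Load the constructed log, dropping malformed lines. Returns the count. */
int load_sample(flow_t *out)
{
    int n = 0;
    size_t total = sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0];
    for (size_t i = 0; i < total && n < MAX_FLOWS; i++)
        if (parse_flow(SAMPLE_FLOWS[i], &out[n]))
            n++;
    return n;
}

/* Distinct destination hosts that `src` contacted on `port`. Repeats against
 * the same host count once: a worm's scan is wide, not deep, so breadth is
 * the signal. */
int count_distinct_targets(const flow_t *f, int n, const char *src, int port)
{
    const char *seen[MAX_TARGETS];
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(f[i].src, src) != 0 || f[i].port != port)
            continue;
        bool dup = false;
        for (int j = 0; j < k; j++)
            if (strcmp(seen[j], f[i].dst) == 0) { dup = true; break; }
        if (!dup && k < MAX_TARGETS)
            seen[k++] = f[i].dst;
    }
    return k;
}

/* Flag every source that reached at least `threshold` distinct hosts on
 * `port`. Flagged addresses go to `out`; returns how many were flagged. */
int find_scanners(const flow_t *f, int n, int port, int threshold,
                  char out[][ADDR_LEN], int max_out)
{
    const char *sources[MAX_SOURCES];
    int ns = 0, found = 0;
    for (int i = 0; i < n; i++) {
        bool known = false;
        for (int j = 0; j < ns; j++)
            if (strcmp(sources[j], f[i].src) == 0) { known = true; break; }
        if (known || ns >= MAX_SOURCES)
            continue;                  /* each source is evaluated once */
        sources[ns++] = f[i].src;
        if (count_distinct_targets(f, n, f[i].src, port) >= threshold
            && found < max_out)
            snprintf(out[found++], ADDR_LEN, "%s", f[i].src);
    }
    return found;
}

int main(void)
{
    flow_t flows[MAX_FLOWS];
    char hits[MAX_SOURCES][ADDR_LEN];
    int n = load_sample(flows);
    int k = find_scanners(flows, n, 135, 4, hits, MAX_SOURCES); /* assumed threshold */
    for (int i = 0; i < k; i++)
        printf("possible scanner: %s (%d distinct hosts on port 135)\n",
               hits[i], count_distinct_targets(flows, n, hits[i], 135));
    return 0;
}
```

In practice the threshold is set per port and per time window from a baseline of normal traffic, and the same breadth-per-source measure catches random scanning as readily as a sequential sweep, since the worm still touches many hosts on one port either way.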

Page 25

Slammer Worm

Goal was to DDOS various hosts and slow down the Internet in general
Exploited buffer overflow vulnerabilities in Microsoft’s SQL Server
  Transmitted TCP-SYN packet
Patch was available for six months before attacks occurred

Page 26

Before the Slammer Worm hit

Page 27

Thirty minutes later …

Page 28

Sasser Worm

First noticed April 30, 2004
Affected Windows XP and Win2K
Connected directly to open ports
Exploited buffer overflow in Microsoft’s Local Security Authority Subsystem Service
  Connected through TCP port 445
  Installed FTP server and transferred itself
Patch was available before release
  Worm was possibly reverse-engineered from patch

Page 29

Countermeasures

Update system
  Download patches on a regular basis
  Limit the amount of time a vulnerability can be exploited
Update anti-virus software on a regular basis
  Latest software uses heuristics
  Identify code common to worms and variants
Configure firewall properly
  Disable unnecessary services, e.g. web and FTP servers
Build completely secure systems

Page 30

Summary

Worms are here to stay
Individuals do not have much of a choice in systems
  Security is dependent on developers of product
  Forced to use insecure product knowing worms can attack it
Only solution is to not connect to the Internet, dig a hole and throw your router into the depths of the underworld

Page 31

Possible Alternatives

With minimal effort a user can greatly increase the security of his or her inherently insecure system
  Patches and updates
    Minimal time between when vulnerability is discovered and when vulnerability is fixed
  Firewall
    Limit access to system so worms can’t get in to start
Simple procedures significantly reduce the extent to which worms can spread and cause damage

Page 32

Questions?