Internet Worms: Methods, Countermeasures and Famous Incidents
Presented by: Tran To, Brian Tully
Worms Are Bad!
- Damages
  - Lost productivity
  - Compromised information
  - Lost money
- Total cost: billions of dollars per year
  - Worms and viruses cost $8 billion in Jan. 2003 alone
Worms Exploit Vulnerabilities
- Systems have faults
- Orange Book: de facto standard that rates the security of operating systems
  - Windows has a class D rating (minimal protection)
  - Unix has a class C1 rating (discretionary security protection)
Goals
- Examine system vulnerabilities
  - Weak passwords
  - Trap doors
  - Buffer overflows
- Famous incidents
  - Morris, Code Red, Blaster, Slammer, Sasser
- Countermeasures
What is a Worm?
- Necessary criteria
  - Replication
  - Self-contained
  - Multi-tasking system
  - For network worms: replication across communication links
Two Major Classifications
- Host computer worms
  - Entirely contained in the computer it is running on
  - Uses the network only to propagate
- Network worms
  - Multiple segments on different hosts
  - Uses the network for several communication purposes
Worms Are Not Really Bad?!
- By definition worms are not malicious
  - Simply a program that replicates
- First used for network management
  - Took advantage of system properties
- Malicious worms do the same
History of Worms
- Term coined by John Brunner in the 1970s novel “The Shockwave Rider”
- Xerox Palo Alto Research Center (PARC)
  - John Shoch and Jon Hupp used worms for distributed computations
  - Proved useful, but managing worms is difficult
  - A worm left running overnight crashed systems
  - Possible malicious uses realized
System Vulnerabilities
- Worms attack availability, confidentiality and integrity
- Exploit flaws in the OS to replicate
  - Weak passwords and trap doors: gain access to user accounts
  - Buffer overflow: gain root access
Password Attack
- Brute force
  - Time consuming
- Worms take advantage of weak passwords
  - Dictionary attack: list of commonly used passwords
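The defensive counterpart of the dictionary attack on this slide is to reject, at password-change time, exactly the passwords such a list would guess first. The C code below is an added example and not part of the original presentation: the word list is a constructed sample, the thresholds MIN_LENGTH and MIN_CLASSES are assumptions, and the check goes slightly beyond the slide by also catching a list word with digits appended ("Password123"), the mutation dictionary attacks commonly try next.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample word list standing in for the "list of commonly used
 * passwords" a dictionary attack carries; a real list is far longer. */
static const char *COMMON_PASSWORDS[] = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "admin", "login", "guest", "dragon", "monkey",
};
#define N_COMMON (sizeof COMMON_PASSWORDS / sizeof COMMON_PASSWORDS[0])
#define MIN_LENGTH 12   /* policy threshold; an assumption, not from the slides */
#define MIN_CLASSES 3   /* of lower, upper, digit, other; also an assumption */

enum pw_verdict { PW_OK = 0, PW_IN_DICTIONARY, PW_TOO_SHORT, PW_TOO_FEW_CLASSES };

/* Case-insensitive comparison of the first n bytes of a with the whole of b. */
static int ieq_n(const char *a, size_t n, const char *b) {
    if (strlen(b) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if pw matches a list word, ignoring case, either exactly or after
 * stripping trailing digits (so "Password123" still counts as "password"). */
int in_dictionary(const char *pw) {
    size_t full = strlen(pw), stem = full;
    while (stem > 0 && isdigit((unsigned char)pw[stem - 1]))
        stem--;
    for (size_t i = 0; i < N_COMMON; i++)
        if (ieq_n(pw, full, COMMON_PASSWORDS[i]) ||
            (stem > 0 && ieq_n(pw, stem, COMMON_PASSWORDS[i])))
            return 1;
    return 0;
}

/* Counts how many of the four character classes the password uses. */
int char_classes(const char *pw) {
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/* Applies the policy in the order a guessing program would succeed: list words
 * first (cheapest), then short passwords (cheap to brute force), then passwords
 * drawn from too few character classes. Returns PW_OK or the first reason. */
enum pw_verdict check_password(const char *pw) {
    if (in_dictionary(pw))
        return PW_IN_DICTIONARY;
    if (strlen(pw) < MIN_LENGTH)
        return PW_TOO_SHORT;
    if (char_classes(pw) < MIN_CLASSES)
        return PW_TOO_FEW_CLASSES;
    return PW_OK;
}
```

The ordering matters for the message shown to the user: a list word that is also short should be reported as a list word, since lengthening it ("password2024") does not help against the attack the slide describes.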
Backdoor Attack
- Usually an undocumented feature that sidesteps security mechanisms
  - Debugging
  - Maintenance
- Easy access to the system once discovered
Buffer Overflow
- Buffer: contiguous allotted chunk of memory, such as an array
- In C and C++ there is no bounds checking
  - Can write past the end of a buffer
  - Spills into user space or OS space
- Functions sprintf(), scanf(), gets(), strcpy() do not check that the destination buffer is large enough
- Buffer overflow attacks exploit this
Stack Overflow Attack
- Buffer put on a stack
  - Stack maintains pointers
- Subroutine call
  - Parameters and return address pushed on the stack
  - By entering long unchecked parameters, an attacker can manipulate the return address
Stack Overflow Attack
- Attacker has two options
  - Inject attack code and point the return address at it: gain root privileges
  - Change the return address: alter the execution path to point to malicious code
Countermeasures
- Choose hard-to-guess passwords
- Do not build backdoors
- Write secure code
  - Use strncpy() instead of strcpy() to limit the size of the copy into the buffer
- Bounds-checking compilers
Famous Incidents
- Christmas Tree Worm
  - Attacked IBM in Dec. 1987
  - Chain letter and Trojan horse
  - Drew a Christmas tree on the display
  - Also forced computers to shut down
Morris Worm
- Released Nov. 2, 1988
- Purpose was to propagate
- Attacked mail servers
- Exploited holes in Unix
  - Trap door in Sendmail
  - Buffer overflow in the finger daemon
    - Overwrote a 512-character buffer with 536 characters
    - Extra 24 characters executed as commands
  - Password cracker
Morris Worm
- Affected 6,000 systems
- Consumed excessive system resources
- Morris confessed to creating the worm out of boredom?! (I sleep when I’m bored, I don’t terrorize the nation)
- Convicted in 1990 of violating the 1986 Computer Fraud and Abuse Act
  - Fined $10,000
  - Three years probation
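The Buffer Overflow and Countermeasures slides earlier, and the finger-daemon figures on the Morris Worm slides (a 512-character buffer fed 536 characters), describe the same defect from two sides. The C code below is an added example, not code from the presentation or from any real daemon: it shows the unchecked strcpy() pattern beside a length-checked copy that rejects the oversize request, and the strncpy() advice from the Countermeasures slide together with its well-known caveat (strncpy() does not NUL-terminate when the source fills the count). handle_request() and the helper functions are hypothetical; the 536-byte request is constructed filler.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512   /* same size as the fingerd buffer on the Morris worm slides */

/* Unsafe pattern: strcpy() copies until the source's NUL and never looks at the
 * destination's size, so a longer source overwrites whatever follows the buffer
 * on the stack (saved registers, the return address). Kept only for contrast. */
size_t copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
    return strlen(dst);
}

/* Safe pattern: measure first, reject anything that does not fit together with
 * its terminator, then copy. Returns 0 on success, -1 when rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The slides' strncpy() advice, with its caveat: strncpy() writes no NUL when
 * the source fills the count, so the terminator must be written explicitly.
 * Returns the length actually stored (at most dst_size - 1). */
size_t copy_bounded(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* Hypothetical request handler with a fixed stack buffer, the shape of the
 * daemon code the slides describe; it copies and reports the outcome. */
int handle_request(const char *request) {
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, request);
}

/* Builds a constructed request of `len` filler bytes and feeds it to
 * handle_request(); len = 536 is the oversize input from the Morris slides. */
int request_of_length(size_t len) {
    char *req = malloc(len + 1);
    if (req == NULL)
        return -2;
    memset(req, 'A', len);
    req[len] = '\0';
    int rc = handle_request(req);
    free(req);
    return rc;
}

/* Length retained when copy_bounded() receives `len` bytes for a BUF_SIZE buffer. */
size_t bounded_length_for(size_t len) {
    char buf[BUF_SIZE];
    char *src = malloc(len + 1);
    if (src == NULL)
        return 0;
    memset(src, 'B', len);
    src[len] = '\0';
    size_t kept = copy_bounded(buf, sizeof buf, src);
    free(src);
    return kept;
}

/* copy_unchecked() behaves on short input, which is why the bug stays hidden
 * until someone sends more than the buffer holds. */
size_t unchecked_short_demo(void) {
    char buf[BUF_SIZE];
    return copy_unchecked(buf, "finger request that fits");
}
```

Note that copy_checked() rejects a 512-byte request as well as a 536-byte one: the terminator needs a byte of its own, and an off-by-one at exactly the buffer size is the usual residual bug after the obvious fix. copy_bounded() truncates rather than rejects, which is safe for memory but silently alters the data, so it suits display strings better than anything parsed later.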
Code Red
- Affected more than 250,000 servers in July 2001
  - Web servers running Microsoft’s Internet Information Server (IIS)
- Checked port 80 and sent an HTTP GET request to propagate
- Exploited a buffer overflow vulnerability in idq.dll
Code Red
- First nineteen days
  - Looked for servers to infect
  - Defaced web pages served by infected servers
- Days 20-27
  - Launched a DDoS attack against the White House web site
- Day 28
  - Worm slept
- Affected 750,000 servers total, costing $2 billion
Blaster Worm
- Released Aug. 11, 2003
- Affected Windows XP and Win2K systems
- Purpose was to launch a DDoS attack against Microsoft’s windowsupdate.com
- Spread fast
  - Filtered ISPs for vulnerable systems
- Exploited a buffer overflow in Microsoft’s interface between Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC)
  - Gained root privileges through TCP/IP RPC packets
- Prevented users from downloading patches
Blaster Worm
- Used port scanning
  - Port 135 used by RPC
- Deposited a Trojan horse
  - Executed a remote shell
  - Initiated a TFTP request to download the worm
  - Computer is now an unwilling participant in the DDoS attack
- 1.4 million computers affected
  - Patch had been released a month prior
Slammer Worm
- Fastest spreading worm
  - Doubled in size every 8.5 seconds
  - Affected 75,000 computers in 10 mins
- Used random scanning
  - Selected IP addresses at random to infect and eventually found all vulnerable hosts
  - Simple, fast scanner
Slammer Worm
- Goal was to DDoS various hosts and slow down the Internet in general
- Exploited buffer overflow vulnerabilities in Microsoft’s SQL Server
  - Transmitted TCP-SYN packet
- Patch was available for six months before attacks occurred
[Figure: infected hosts before the Slammer worm hit, and thirty minutes later]
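The two Slammer slides give a doubling time (8.5 s), a population (about 75,000 vulnerable hosts) and the mechanism (random scanning), which is enough to model the spread and see why the "patch was available for six months" point is the decisive one. The C code below is an added example, not part of the presentation: it integrates the standard random-scanning epidemic model (each infected host finds new victims at a rate proportional to the share of hosts still uninfected, which gives logistic growth) using only the slides' numbers. The growth rate is derived from the doubling time; the time step, the simulation cap and the response-delay function are assumptions for illustration.

```c
#include <stdio.h>

/* Parameters taken from the Slammer slides. */
#define DOUBLING_TIME_S 8.5
#define VULNERABLE_HOSTS 75000.0
#define LN2 0.6931471805599453
#define MAX_SIM_S 36000.0   /* cap so the search loop always terminates */

/* Per-second growth rate r that produces the observed doubling time:
 * i(t) = i0 * 2^(t/8.5) = i0 * e^(r t)  =>  r = ln 2 / 8.5. */
static double growth_rate(void) {
    return LN2 / DOUBLING_TIME_S;
}

/* One Euler step of di/dt = r * i * (1 - i/N). Early on i << N and growth is
 * exponential; as the uninfected share shrinks the scans mostly hit hosts
 * that are already infected (or not vulnerable) and growth flattens. */
static double step(double i, double r, double dt) {
    return i + r * i * (1.0 - i / VULNERABLE_HOSTS) * dt;
}

/* Infected hosts `seconds` after the first infection, starting from one host. */
double infected_after(double seconds, double dt) {
    double r = growth_rate();
    double i = 1.0;
    long steps = (long)(seconds / dt + 0.5);
    for (long k = 0; k < steps; k++)
        i = step(i, r, dt);
    return i;
}

/* Seconds until `fraction` of the vulnerable population is infected. */
double seconds_to_fraction(double fraction, double dt) {
    double r = growth_rate();
    double target = fraction * VULNERABLE_HOSTS;
    double i = 1.0, t = 0.0;
    while (i < target && t < MAX_SIM_S) {
        i = step(i, r, dt);
        t += dt;
    }
    return t;
}

/* Hosts already infected by the time a response taking `delay_s` seconds
 * (notice, analyse, push a filter or patch) takes effect. Hypothetical helper. */
double infected_before_response(double delay_s) {
    return infected_after(delay_s, 0.01);
}

int main(void) {
    const double marks[] = { 0, 8.5, 60, 120, 180, 240, 600 };
    printf("%8s %12s\n", "t (s)", "infected");
    for (size_t k = 0; k < sizeof marks / sizeof marks[0]; k++)
        printf("%8.1f %12.0f\n", marks[k], infected_after(marks[k], 0.01));
    printf("50%% infected after %.0f s, 99%% after %.0f s\n",
           seconds_to_fraction(0.50, 0.01), seconds_to_fraction(0.99, 0.01));
    return 0;
}
```

With the slides' parameters the model passes half the population at roughly two and a quarter minutes and 99% in just over three, well inside the ten minutes the slide reports. A response that takes five minutes, fast by human standards, arrives after essentially every vulnerable host is infected; that is the quantitative case for patching before release and for firewall filtering that is already in place, rather than for detection-and-reaction.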
Sasser Worm
- First noticed April 30, 2004
- Affected Windows XP and Win2K
- Connected directly to open ports
- Exploited a buffer overflow in Microsoft’s Local Security Authority Subsystem Service (LSASS)
  - Connected through TCP port 445
  - Installed an FTP server and transferred itself
- Patch was available before release
  - Worm was possibly reverse-engineered from the patch
Countermeasures
- Update the system
  - Download patches on a regular basis
  - Limits the amount of time a vulnerability can be exploited
- Update anti-virus software on a regular basis
  - Latest software uses heuristics
  - Identifies code common to worms and their variants
- Configure the firewall properly
  - Disable unnecessary services, e.g. web and FTP servers
- Build completely secure systems
Summary
- Worms are here to stay
- Individuals do not have much of a choice in systems
  - Security is dependent on the developers of the product
  - Forced to use an insecure product knowing worms can attack it
- Only solution is to not connect to the Internet, dig a hole and throw your router into the depths of the underworld
Possible Alternatives
- With minimal effort a user can greatly increase the security of his or her inherently insecure system
  - Patches and updates: minimal time between when a vulnerability is discovered and when it is fixed
  - Firewall: limit access to the system so worms can’t get in to start
- Simple procedures significantly reduce the extent to which worms can spread and cause damage
Questions?