
Decoding and Understanding Internet Worms


Presentation Transcript


  1. Decoding and Understanding Internet Worms
  Presented by Ryan Permeh & Dale Coddington

  2. Course Overview
  • Basic overview / history of worms
  • Worm analysis techniques
  • Worms – under the hood
  • Worm defense techniques
  • The future of worms
  • Questions and answers

  3. Basic Overview / History of Worms

  4. Internet Worms-Defined
  A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.

  5. Internet Worms-Who Writes Them
  • Hackers/Crackers
  • Researchers
  • Virus Writers

  6. Internet Worms-Worms vs. Viruses
  • Viruses require interaction
  • Worms act on their own
  • Viruses use social attacks
  • Worms use technical attacks

  7. Internet Worms-History
  • Morris Internet Worm
  • Released in 1998
  • Overloaded VAX and Sun machines with invisible processes
  • 99-line program written by 23-year-old Robert Tappan Morris
  • Exploit xyz

  8. Internet Worms-History
  • First worms were actually designed and released in the 1980s
  • Worms were non-destructive and generally were released to perform helpful network tasks
  • Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power

  9. Internet Worms-History
  • Eventually negative aspects of worms came to light
  • An internal Xerox worm had crashed all the computers in a particular research center
  • When machines were restarted the worm re-propagated and crashed the machines again

  10. Worm Analysis Techniques

  11. Worm Analysis Techniques-Capture: Capturing from the Network
  • Sniffers
  • IDS
  • Netcat listeners
  • Specialized servers (earlybird, etc.)

  12. Worm Analysis Techniques-Capture: Capturing from Memory
  • Memory dumps
  • Memory searches
  • Crashing to preserve memory

  13. Worm Analysis Techniques-Capture: Capturing from Disk
  • File searches
  • File monitoring
  • Open handles
  • Email
  • Replicated/infected files

  14. Worm Analysis Techniques-Dissection / Disassembly: Loading
  • Loading files in IDA
  • Initial settings
  • Trojans vs. exploit-style worms
  • Trojans load as programs
  • Exploits load as baseless code

  15. Worm Analysis Techniques-Dissection / Disassembly: Defining
  • Setting variables
  • Examining functions
  • Examining imports
  • Examining strings
  • Define flow of code

  16. Worm Analysis Techniques-Dissection / Disassembly: Drilling
  • Finding important code
  • Via imports
  • Via calls
  • Via strings

  17. Worm Analysis Techniques-Debugging as a Disassembly Aid
  • Examining in-memory constructs
  • Runtime factors
  • Decryption/decoding
  • Variable sets, variable data
  • External factors, not in a void

  18. Worm Analysis Techniques-Attaching to Worm Infected Processes
  • Attach to process
  • Debugging running processes
  • Finding worm code in process
  • Forcing breaks in worm code

  19. Worm Analysis Techniques-Sacrificial Goats / Goatnets: Isolation
  • Disconnected
  • Replicate important services
  • Attempt to simulate real environment

  20. Worm Analysis Techniques-Sacrificial Goats / Goatnets: Infection
  • Netcat injection
  • Poison servers/clients
  • Turn off AV, turn on tools

  21. Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis
  • Debuggers
    • VC6 debugger
    • SoftICE
    • WinDbg
  • Disassemblers
    • IDA

  22. Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis
  • Filemon
  • Regmon
  • TCPView Pro
  • Procdump

  23. Worms – Under the Hood

  24. Worms Under the Hood-Code Red I: Infection
  • IDA vulnerability
  • Sent entire copy in HTTP GET data
  • Static worm

  25. Worms Under the Hood-Code Red I: Propagation
  • 100 threads of propagation
  • HTTP spread
  • Use in-memory copy

  26. Worms Under the Hood-Code Red I: Payload
  • Attack whitehouse.gov
  • Hook web page delivery

  27. Worms Under the Hood-Code Red II: Infection
  • IDA vulnerability
  • Similar to Code Red I
  • Leaves a trojan

  28. Worms Under the Hood-Code Red II: Propagation
  • Statistical distribution of random addresses, favoring topologically closer hosts
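The locality preference on slide 28 is something a defender can measure from a sensor's own logs: a source whose probes land in its own /16 and /8 far more often than uniform random scanning would produce is the kind of scanner this slide describes. The following Python script is an added example, not code from the presentation or from eEye. It parses constructed connection-log lines (the `<src> -> <dst>:<port>` format, the sample addresses and the 100x margin in `prefers_local_targets` are all assumptions of the example) and reports the share of destinations in the source's /16, in its /8, and elsewhere.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not captured data): one source and the hosts it
# probed on TCP/80, in an assumed "<src> -> <dst>:<port>" line format.
SCAN_LOG = """\
10.20.30.40 -> 10.20.1.2:80
10.20.30.40 -> 10.20.77.5:80
10.20.30.40 -> 10.20.200.9:80
10.20.30.40 -> 10.20.30.41:80
10.20.30.40 -> 10.20.8.8:80
10.20.30.40 -> 10.20.99.1:80
10.20.30.40 -> 10.20.150.3:80
10.20.30.40 -> 10.20.5.5:80
10.20.30.40 -> 10.1.1.1:80
10.20.30.40 -> 10.99.2.3:80
10.20.30.40 -> 10.200.4.4:80
10.20.30.40 -> 10.45.6.7:80
10.20.30.40 -> 192.0.2.10:80
10.20.30.40 -> 198.51.100.7:80
10.20.30.40 -> 203.0.113.9:80
10.20.30.40 -> 172.16.5.5:80
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

# Fractions that a scanner choosing addresses uniformly from the whole
# IPv4 space would land in the source's own /16 and /8.
UNIFORM_SAME_16 = 1 / 65536
UNIFORM_SAME_8 = 1 / 256


def parse_log(text):
    """Return (src, dst) pairs from the constructed log format."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def locality_profile(source, destinations):
    """Fraction of destinations inside the source's /16, inside its /8
    (but outside its /16), and everywhere else."""
    src = ipaddress.IPv4Address(source).packed
    counts = Counter()
    for d in destinations:
        dst = ipaddress.IPv4Address(d).packed
        if dst[:2] == src[:2]:
            counts["same_16"] += 1
        elif dst[0] == src[0]:
            counts["same_8"] += 1
        else:
            counts["other"] += 1
    total = len(destinations) or 1
    return {k: counts[k] / total for k in ("same_16", "same_8", "other")}


def prefers_local_targets(profile, factor=100):
    """True when the local share is far above the uniform-random expectation.
    The factor of 100 is an assumed, deliberately wide margin: a uniform
    scanner lands in its own /8 only about 0.4% of the time."""
    local = profile["same_16"] + profile["same_8"]
    return local > factor * (UNIFORM_SAME_16 + UNIFORM_SAME_8)


def profile_source(source, log_text=SCAN_LOG):
    """Profile every probe the given source sent according to the log."""
    dests = [d for s, d in parse_log(log_text) if s == source]
    profile = locality_profile(source, dests)
    return profile, prefers_local_targets(profile)


if __name__ == "__main__":
    profile, local = profile_source("10.20.30.40")
    print(profile, "local preference" if local else "uniform-looking")
```

On the constructed log the source puts half of its probes in its own /16 and a quarter in its own /8, which no uniform scanner would do; a source whose profile is almost entirely "other" looks like the uniform random scanning of slide 25 instead.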

  29. Worms Under the Hood-Code Red II: Payload
  • Trojan horse
  • Trojan embedded in worm
  • Simple compression
  • Modifies web dirs
  • Multiple system weakenings
  • Adds cmd.exe in web roots

  30. Worms Under the Hood-Nimda: Infection
  • Outlook/IE vulnerability
  • Unicode
  • Double Decode
  • Open shares

  31. Worms Under the Hood-Nimda: Propagation
  • Email
  • Open shares
  • Web servers

  32. Worms Under the Hood-Nimda: Payload
  • Opens guest share
  • Infects system binaries
  • Adds Registry keys
  • Adds itself to system startup

  33. Worm Defense Techniques

  34. Global Alerts / Dissemination-Standard Reporting Mechanisms
  There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.

  35. Global Alerts / Dissemination-Data Sharing
  • Individual network sensors sharing data with a central network console
  • Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
  • Sharing data between stores at ARIS, CERT, SANS and others

  36. Global Alerts / Dissemination-Statistical Analysis
  • Having all the data poses new problems
  • Reduction of duplicate datasets
  • Large-scale statistical analysis
  • Storage, processing, and network resources can be large
  • Worms have distinct statistical signatures
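Slides 35 and 36 describe the pipeline of pooling sensor reports at a console, removing the duplicates that overlapping sensors produce, and then looking for the statistical signature of a worm. The Python below is an added example, not code from the presentation or from any of the agencies named; it takes constructed reports from two sensors in an assumed `<sensor> <timestamp> <src> -> <dst>:<port>` format, merges them on an event key so a flow seen by both sensors is stored once, and flags any source that reaches an unusually large number of distinct hosts within one minute, the per-source fan-out that distinguishes a scanning worm from normal client traffic. The threshold of five hosts per minute is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed sensor reports (not real data). Sensor B overlaps with
# sensor A, so three of its lines repeat events A already reported.
REPORTS = """\
sensor-A 2001-07-19T10:00:01 10.20.30.40 -> 10.20.1.2:80
sensor-A 2001-07-19T10:00:02 10.20.30.40 -> 10.20.77.5:80
sensor-A 2001-07-19T10:00:03 10.20.30.40 -> 10.20.200.9:80
sensor-A 2001-07-19T10:00:04 10.20.30.40 -> 10.20.8.8:80
sensor-A 2001-07-19T10:00:05 10.20.30.40 -> 10.20.99.1:80
sensor-A 2001-07-19T10:00:06 10.20.30.40 -> 10.20.150.3:80
sensor-A 2001-07-19T10:00:07 192.0.2.50 -> 10.20.1.2:80
sensor-A 2001-07-19T10:00:30 192.0.2.50 -> 10.20.1.2:80
sensor-B 2001-07-19T10:00:01 10.20.30.40 -> 10.20.1.2:80
sensor-B 2001-07-19T10:00:02 10.20.30.40 -> 10.20.77.5:80
sensor-B 2001-07-19T10:00:03 10.20.30.40 -> 10.20.200.9:80
sensor-B 2001-07-19T10:00:08 10.20.30.40 -> 10.20.5.5:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+):(\d+)$")


def dedupe_reports(text):
    """Merge all sensors' reports into one event store.
    The event key is (timestamp, src, dst, port); the value records which
    sensors saw the event, so a duplicate report adds a sensor, not an event."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the merge
        sensor, ts, src, dst, port = m.groups()
        key = (ts, src, dst, int(port))
        events.setdefault(key, set()).add(sensor)
    return events


def fan_out_per_minute(events):
    """Number of distinct destination hosts each source touched per clock minute."""
    seen = defaultdict(set)
    for (ts, src, dst, _port) in events:
        minute = ts[:16]  # "YYYY-MM-DDTHH:MM"
        seen[(src, minute)].add(dst)
    return {key: len(hosts) for key, hosts in seen.items()}


def flag_scanners(events, threshold=5):
    """Sources that reach at least `threshold` distinct hosts in one minute
    (the cut-off is an assumed value; tune it to the monitored network)."""
    return {src for (src, _minute), n in fan_out_per_minute(events).items() if n >= threshold}


if __name__ == "__main__":
    store = dedupe_reports(REPORTS)
    print(len(store), "unique events from", sum(1 for l in REPORTS.splitlines() if l), "reports")
    print("fan-out:", fan_out_per_minute(store))
    print("flagged:", flag_scanners(store))
```

Twelve reports collapse to nine unique events; the source 10.20.30.40 contacts seven distinct hosts inside a single minute and is flagged, while 192.0.2.50, which connected twice to the same server, is not. A growing count of flagged sources per interval is the kind of statistical signature slide 36 refers to.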

  37. Environment-Modifying Aspects of a Worm's Environment
  • Lysine deficiencies
  • Monoculture
  • Assumptions
    • Network addresses
    • Memory locations
    • Architecture

  38. Counter Worms-Using Aspects of a Worm to Stop the Spread
  • Using same propagation
  • Contains a fix, or code needed to identify
  • Should contain extreme limits
  • Generally not well regarded

  39. The Future of Worms

  40. Multiple Attack Vectors-Client and Server-Side Flaws
  • Buffer overflows
  • Format string attacks
  • Design flaws
  • Open shares
  • Misconfigurations

  41. Encryption/Obfuscation/Polymorphism-Covert Channel / Stealth Worms
  • Hiding in plain sight
  • ICMP
  • Encoding in normal data stream
  • Nonstandard

  42. Encryption/Obfuscation/Polymorphism-Keyed Payloads
  • Keying a worm before sending, requiring the worm to “call back” to decode itself
  • Clear text worm never transmits
  • Higher chance of missing key transmissions, less likely to get a worm to disassemble

  43. Encryption/Obfuscation/Polymorphism-Standard Polymorphic/Mutation Techniques
  • Worms meet viruses
  • Continuously changing itself
  • Brute forcing new offsets
  • Adapting to the environment to become “more fit”

  44. Bigger Scope-Flash Worms
  • Faster, more accurate spread
  • Complete spread of all possible targets in 5-20 minutes
  • Very low false positive rate
  • Too fast to analyze/disseminate information
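Slide 44's point, that a flash worm is too fast for the analyze-and-disseminate loop of slides 34 to 36, follows from a simple population model that defenders use to size response windows. The Python below is an added example, not from the presentation, and the numbers in it are assumptions: 360,000 vulnerable hosts in a 2^32 address space, 10 probes per infected host per round, and a round defined as one infection round trip. `random_scan_rounds` is the expected-value form of the random-scanning spread on slides 25 and 28, where most probes hit nothing; `hitlist_rounds` models a worm that already knows its targets, so the search phase disappears and the population doubles every round.

```python
ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner chooses from

# Assumed parameters for the worked comparison (not figures from the slides).
VULNERABLE = 360_000
SCANS_PER_ROUND = 10


def random_scan_rounds(vulnerable, scans_per_round, target_fraction=0.99, initial=1):
    """Rounds until a random-scanning worm holds target_fraction of the
    vulnerable hosts. Deterministic expected-value model: each infected host
    sends scans_per_round probes to uniformly random addresses, and a probe
    finds a still-uninfected vulnerable host with probability
    (vulnerable - infected) / ADDRESS_SPACE. The growth is logistic: slow
    while infected is small, fastest around the half-way point."""
    infected = float(initial)
    rounds = 0
    while infected < target_fraction * vulnerable:
        new = infected * scans_per_round * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)
        rounds += 1
    return rounds


def hitlist_rounds(vulnerable, target_fraction=0.99, initial=1):
    """Flash-worm model: every infected host carries addresses of hosts not
    yet visited, so each round each infected host infects exactly one new
    host and the population doubles until the list is exhausted."""
    infected = initial
    rounds = 0
    while infected < target_fraction * vulnerable:
        infected = min(vulnerable, 2 * infected)
        rounds += 1
    return rounds


def compare(vulnerable=VULNERABLE, scans_per_round=SCANS_PER_ROUND):
    """Return (random-scan rounds, hit-list rounds) for the same population."""
    return random_scan_rounds(vulnerable, scans_per_round), hitlist_rounds(vulnerable)


if __name__ == "__main__":
    random_rounds, flash_rounds = compare()
    print(f"random scanning: {random_rounds} rounds to reach 99% of {VULNERABLE} hosts")
    print(f"hit list:        {flash_rounds} rounds to reach 99% of {VULNERABLE} hosts")
```

Under the assumed parameters the random scanner needs on the order of twenty thousand rounds, because in the early phase nearly every probe is wasted on the 99.99% of the address space that is not vulnerable, whereas the hit-list worm needs only as many rounds as there are doublings, about nineteen. Whatever the real round length, the ratio between the two is what removes the time a reporting agency would otherwise have.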

  45. Bigger Scope-Intelligent Worms
  • Worms meet AI
  • Worm-infected hosts communicating in a P2P method
  • Exchanging information on targeting, propagation, or new infection methods
  • Agent-like behavior

  46. Bigger Scope-Multi-Platform / OS Worms
  • Multi-OS shellcode
  • Attacking multiple different vulnerabilities on multiple platforms
  • Single worm code, large attackable base

  47. Questions and Answers?

  48. References
  • eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html
  • eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html

  49. Contact Information
  • Ryan Permeh: ryan@eEye.com
  • Dale Coddington: dalec@eEye.com