Internet Worms: Methods, Countermeasures and Famous Incidents

Presented by:

Tran To

Brian Tully


Worms Are Bad!

  • Damages

    • Lost productivity

    • Compromised information

    • Lost Money

      • Total billions of dollars per year

      • Worms and viruses cost $8 billion in Jan. 2003 alone


Worms Exploit Vulnerabilities

  • Systems have faults

    • Orange Book – de facto standard that rates the security of operating systems

      • Windows has a class D rating – minimal protection

      • Unix has a class C1 rating – discretionary security protection



  • Examine system vulnerabilities

    • Weak passwords

    • Trap doors

    • Buffer overflows

  • Famous Incidents

    • Morris, Code Red, Blaster, Slammer, Sasser

  • Countermeasures


What is a Worm?

  • Necessary Criteria

    • Replication

    • Self-contained

    • Multi-tasking system

    • For network worms – replication across communication links


Two Major Classifications

  • Host computer worms

    • Entirely contained in computer it is running on

    • Uses network only to propagate

  • Network worms

    • Multiple segments on different hosts

    • Uses network for several communication purposes


Worms Are Not Really Bad?!

  • By definition worms are not malicious

    • Simply a program that replicates

    • First used for network management

    • Took advantage of system properties

      • Malicious worms do the same


History of Worms

  • Term coined by John Brunner

    • 1970s novel “The Shockwave Rider”

  • Xerox Palo Alto Research Center (PARC)

    • John Shoch and Jon Hupp use worms for distributed computations

      • Prove useful but managing worms is difficult

      • Night worm crashes systems

        • Possible malicious uses realized


System Vulnerabilities

  • Worms attack availability, confidentiality and integrity

  • Exploit flaws in OS to replicate

    • Weak passwords

    • Trap Doors

      • Gain access to user accounts

    • Buffer Overflow

      • Gain root access


Password Attack

  • Brute force

    • Time consuming

  • Worms take advantage of weak passwords

    • Dictionary attack

    • List of commonly used passwords


Backdoor Attack

  • Usually undocumented feature that sidesteps security mechanisms

    • Debugging

    • Maintenance

  • Easy access to system once discovered


Buffer Overflow

  • Buffer – contiguous allotted chunk of memory, such as an array

  • In C and C++ there is no bounds checking

    • Can write past end of a buffer

      • Spill into user space or OS space

    • Functions sprintf(), scanf(), gets(), strcpy()

      • Do not check that destination buffer is large enough

    • Buffer overflow attacks exploit this


Stack Overflow Attack

  • Buffer put on a stack

    • Maintains pointers

    • Subroutine Call

      • Parameters and return address pushed on stack

      • By entering long unchecked parameters, attacker can manipulate return address


Stack Overflow Attack

  • Attacker has two options

    • Inject attack code into return address

      • Gain root privileges

    • Change return address

      • Alter the path to point to malicious code



  • Choose hard to guess passwords

  • Do not build backdoors

  • Write secure code

    • Use strncpy() instead of strcpy() to limit the copy to the size of the destination buffer

  • Bounds-checking compilers
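Added example (not from the slides): the unbounded strcpy() pattern the slides warn about, beside a bounded replacement. One caveat the bullet above does not mention: strncpy() stops writing at the limit but does not add a terminating NUL when the source is too long, so the replacement has to terminate the buffer itself.

```c
#include <string.h>
#include <stddef.h>

/* BEFORE: the pattern from the slides. strcpy() copies until the NUL in name,
 * however long name is, so anything past 15 characters runs off the end of
 * buf and overwrites whatever follows it on the stack. Kept only as the
 * 'before' of the fix; nothing here calls it. */
void greet_unsafe(const char *name)
{
    char buf[16];
    strcpy(buf, name);
    (void)buf;
}

/* AFTER: bounded copy. strncpy() limits the write to dstsize - 1 bytes but,
 * unlike strcpy(), leaves dst unterminated when src is too long, so the last
 * byte is set explicitly. Returns 0 on success, -1 if src was truncated. */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) < dstsize ? 0 : -1;
}

/* Same 16-byte stack buffer as above, now filled through the bounded copy;
 * the caller learns from the return value whether the name fit. */
int greet_safe(const char *name)
{
    char buf[16];
    return safe_copy(buf, sizeof buf, name);
}
```

On the last bullet: with GCC and glibc, building with -O2 -D_FORTIFY_SOURCE=2 makes the compiler check known destination sizes for calls such as strcpy() and abort at runtime when a copy would overflow them.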


Famous Incidents

  • Christmas Tree Worm

    • Attacked IBM in Dec. 1987

    • Chain letter and Trojan horse

    • Drew Christmas tree on display

    • Also forced computers to shut down


Morris Worm

  • Released Nov. 2, 1988

  • Purpose was to propagate

    • Attacked mail servers

  • Exploited holes in Unix

    • Trap door in Sendmail

    • Buffer overflow Finger Daemon

      • Overwrote 512 character buffer with 536

      • Extra 24 characters executed as commands

    • Password Cracker


Morris Worm

  • Affected 6,000 systems

    • Consumed excessive system resources

  • Morris confessed to creating the worm out of boredom?! (I sleep when I’m bored, I don’t terrorize the nation)

  • Convicted in 1990 of violating 1986 Computer Fraud and Abuse Act

    • Fined $10,000

    • Three years probation


Code Red

  • Affected more than 250,000 servers in July 2001

    • Web servers running Microsoft’s Internet Information Server (IIS)

      • Checked port 80 and sent HTTP GET request to propagate

      • Exploited buffer overflow vulnerability of idq.dll


Code Red

  • First nineteen days

    • Looked for servers to infect

    • Defaced web pages served by infected servers

  • Days 20-27

    • Launched DDOS attack against the White House web site

  • Day 28

    • Worm slept

  • Affected 750,000 servers total costing $2 billion


Blaster Worm

  • Released Aug. 11, 2003

    • Affected Windows XP and Win2K systems

  • Purpose was to launch a DDOS attack against Microsoft’s

  • Spread Fast

    • Filtered ISPs for vulnerable systems

    • Exploited buffer overflow in Microsoft’s interface between Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC)

      • Gained root privileges through TCP/IP RPC packets

  • Prevented users from downloading patches


Blaster Worm

  • Used Port Scanning

    • Port 135 used by RPC

    • Deposit Trojan horse

      • Execute remote shell

      • Initiate TFTP request to download worm

      • Computer is now unwilling participant in DDOS attack

  • 1.4 million computers affected

  • Patch had been released a month prior


Slammer Worm

  • Fastest spreading worm

    • Doubled in size every 8.5 seconds

    • Affected 75,000 computers in 10 minutes

  • Used random scanning

    • Selected IP addresses at random to infect and eventually found all vulnerable hosts

  • Simple fast scanner
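A worked check of the two numbers on this slide, added here and not part of the original presentation. It uses the standard random-scanning worm model (an assumption, with $N$ the number of vulnerable hosts, $I(t)$ the number infected at time $t$, $I_0$ the initial count and $\beta$ the per-pair contact rate), and takes the 75,000 figure as the vulnerable population:

$$\frac{dI}{dt} = \beta I (N - I), \qquad I(t) = \frac{N}{1 + \frac{N - I_0}{I_0}\, e^{-\beta N t}}$$

While $I \ll N$ this is plain exponential growth, $I(t) \approx I_0 e^{\beta N t}$, so a doubling time of 8.5 s fixes the rate:

$$\beta N = \frac{\ln 2}{8.5\ \mathrm{s}} \approx 0.0815\ \mathrm{s}^{-1}$$

Starting from one infected host, pure doubling reaches 75,000 after $\ln(75000)/(\beta N) \approx 11.2/0.0815 \approx 138$ s. With $N = 75{,}000$ the logistic form puts half the population infected at $t_{1/2} = \ln(N-1)/(\beta N) \approx 138$ s and 99% at $t_{1/2} + \ln 99/(\beta N) \approx 138 + 56 \approx 194$ s, about 3.2 minutes; the slide's figure of 75,000 hosts within 10 minutes and the claim that random scanning eventually reached every vulnerable host are both consistent with this curve.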


Slammer Worm

  • Goal was to DDOS attack various hosts and slow down the Internet in general

  • Exploited buffer overflow vulnerabilities in Microsoft’s SQL Server

    • Transmitted TCP-SYN packet

  • Patch was available for six months before attacks occurred
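Blaster's port scanning (port 135) and Slammer's random scanning both show up at a firewall as one source contacting many distinct destinations on a single port. The detector below is an added example, not code from the presentation: it runs over a constructed connection log (addresses and the threshold are assumed values) and flags sources that exceed a distinct-destination count, the check a defender would put on connection logs rather than on the exploit itself.

```c
#include <string.h>
/* One connection attempt seen at a firewall: source, destination, dest port. */
struct conn { const char *src; const char *dst; int dport; };

#define MAX_SRC 32   /* toy table limits for this example */
#define MAX_DST 64
struct src_stats { const char *dsts[MAX_DST]; int ndst; };

/* Index of key among the first n strings of list, or -1 if absent. */
static int find_str(const char *const *list, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], key) == 0) return i;
    return -1;
}

/* Flag each source that contacted more than threshold distinct hosts on port;
 * writes up to maxflag source addresses into flagged and returns the count. */
int scan_sources(const struct conn *recs, int nrecs, int port, int threshold,
                 const char **flagged, int maxflag)
{
    const char *srcs[MAX_SRC];        /* source address for each table slot */
    struct src_stats tab[MAX_SRC];    /* distinct destinations per source */
    int nsrc = 0, nflag = 0;
    for (int i = 0; i < nrecs; i++) {
        if (recs[i].dport != port) continue;
        int k = find_str(srcs, nsrc, recs[i].src);
        if (k < 0) {                  /* first sighting of this source */
            if (nsrc >= MAX_SRC) continue;
            k = nsrc++; srcs[k] = recs[i].src; tab[k].ndst = 0;
        }
        if (find_str(tab[k].dsts, tab[k].ndst, recs[i].dst) < 0 && tab[k].ndst < MAX_DST)
            tab[k].dsts[tab[k].ndst++] = recs[i].dst;   /* count each dst once */
    }
    for (int i = 0; i < nsrc && nflag < maxflag; i++)
        if (tab[i].ndst > threshold) flagged[nflag++] = srcs[i];
    return nflag;
}

/* Constructed sample: 10.0.0.5 sweeps 135/tcp across four hosts (worm-like
 * behaviour); 10.0.0.7 only talks to one file server (normal traffic). */
static const struct conn sample_log[] = {
    {"10.0.0.5", "10.0.1.1", 135}, {"10.0.0.5", "10.0.1.2", 135},
    {"10.0.0.5", "10.0.1.3", 135}, {"10.0.0.5", "10.0.1.4", 135},
    {"10.0.0.7", "10.0.2.9", 445}, {"10.0.0.7", "10.0.2.9", 135},
};

/* Run the detector over the sample for the RPC port with a threshold of 3. */
int demo_flagged(const char **out, int max)
{ return scan_sources(sample_log, 6, 135, 3, out, max); }
```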


Before the Slammer Worm hit


Thirty minutes later …


Sasser Worm

  • First noticed April 30, 2004

    • Affected Windows XP and Win2K

    • Connected directly to open ports

  • Exploited buffer overflow in Microsoft’s Local Security Authority Subsystem Service (LSASS)

    • Connected through TCP port 445

    • Installed FTP server and transferred itself

  • Patch was available before release

    • Worm was possibly reverse-engineered from patch



  • Update system

    • Download patches on a regular basis

      • Limit the amount of time a vulnerability can be exploited

    • Update anti-virus software on a regular basis

      • Latest software uses heuristics

      • Identify code common to worms and variants

    • Configure firewall properly

      • Disable unnecessary services, e.g. web and FTP servers

  • Build completely secure systems



  • Worms are here to stay

  • Individuals do not have much of a choice in systems

    • Security is dependent on developers of product

    • Forced to use insecure product knowing worms can attack it

  • Only solution is to not connect to the Internet, dig a hole and throw your router into the depths of the underworld


Possible Alternatives

  • With minimal effort a user can greatly increase the security of his or her inherently insecure system

    • Patches and updates

      • Minimal time between when vulnerability is discovered and when vulnerability is fixed

    • Firewall

      • Limit access to system so worms can’t get in to start

  • Simple procedures significantly reduce the extent to which worms can spread and cause damage


