What does exploit mean ? And the Sasser worm

1. Whatdoesexploitmean?And theSasserworm Seminar on Software Engineering, Short Presentation 07.02.2008 Christian Gruber

2. Definition • An exploit in computing is an attack on a computer system, that takes advantage of a particular vulnerability which the system offers to intruders. • Exploit can be in different forms: • a piece of software • sequence of commands • valid / bad input

3. Definition continued • Normally a single exploit takes advantage of a specific software vulnerability. • Exploits are normally designed to provide: -superuser-level access -privilege escalation -denial of service attack • It is also possible to use several exploits to gain access to resources. First to gain low-level access, then escalating privileges repeatedly until one reaches superuser-level.

4. Classification There are several ways of classifying exploits. The most common method is by how the exploit contacts the vulnerable software. • Local exploit • Remote exploit • Exploits against client applications

5. Zero-day exploit is an attack that takes place immediately after a security vulnerability is announced. • Usually used by “hackers/crackers” in order to cause unintended or unanticipated behavior to occur on computer software. • When an exploit is found, the vulnerability is fixed through a patch. After applying the patch exploit becomes obsolete.

6. Differentexploittypes Exploits can be categorized by the type vulnerability they exploit or the method of exploitation. • - Buffer overflow • - Heap overflow • - Stack buffer overflow • - Integer overflow • Return-to-libc attack • Format string attack - Race condition - Code injection - SQL injection - Cross-site scripting - Cross-site request forgery

7. Sasserworm • Sasser is a computer worm that affects computers which are running vulnerable versions of Microsoft´s operating systems Windows XP and Windows 2000. • Like other worms, Sasser spreads by exploiting the operating system through a vulnerable network port. • It can spread without the help of the user.

8. Sasser was first noticed and started spreading on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. • Sasser does not have a malicious payload, meaning it does not destroy or alter information within a computer.

9. Howitworks1/3 • Sasser takes advantage of a buffer overflow flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. • Sasser adds a copy of itself to the Windows directory under the name: AVSERVE.EXE • It adds the following to the system Registry file: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe

10. Howitworks2/3 • This change to the Registry allows the worm to run once the machine reboots. • Sasser starts an FTP server on TCP port 5554. Meanwhile, it uses TCP port 445 to search random chunks of the Internet for additional Windows 2000 and Windows XP that have not patched the LSASS flaw. Sasser launches 128 threads to scan the random IP addresses and listens on successive ports starting with TCP port 1068. Port 445 is used by the Windows file-sharing protocol.

11. Howitworks3/3 • If the Sasser worm finds a vulnerable machine on a local network or the Internet, the worm sends a specially crafted packet to cause a buffer-overflow in lsass.exe. The overflow contains instructions in a script file, cmd.ftp, on the newly infected machine to open TCP port 9996 and instructions to download a copy of itself from TCP port 5554 on the previously infected machine. • The file cmd.ftp is then erased. Sasser creates a win.log in the root directory of the newly infected machine that contains the number of remote systems currently infected and the IP address of the last infected system.

12. The extent of spread1/3 • Taiwan's national post office said 1,600 of its machines were hit by the virus which forced more than 400 of its 1200 branch offices to revert to pen and paper. • News agency Agence France-Presse (AFP) had all its satellite communications blocked for hours. • U.S. flight company Delta Air Lines had to cancel several trans-atlantic flights because its computer systems had been infected by the worm.

13. The extent of spread2/3 • The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital. • Australia Westpac Bank staff were forced to use manual methods to record transactions as the virus made computers unusable.

14. The extent of spread3/3 • Security solutions supplier mi2g has claimed that the Sasser worm has caused enough damage to be considered one of the worst malware of all time. • All of the Sasser variants have reportedly caused between USD14.8bn and USD18.1bn worth of estimated damage worldwide.

15. Couldthishavebeenavoided? • A patch for the vulnerability Sasser exploits was first released on 13 April and then updated on 28 April. (Sasser was first found on the 30 April). • Specialists have speculated that the worm creator reverse-engineered the patch to discover the vulnerability.

16. References Search Security: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci553536,00.html CNET: http://reviews.cnet.com/4520-6600_7-5133023-1.html BBC News: http://news.bbc.co.uk/2/hi/technology/3682537.stm Wikipedia.org: http://www.wikipedia.org