1 / 24

Crisis And Aftermath

Crisis And Aftermath. Reviewed by Yunkyu Sung merius@kdb.snu.ac.kr. Contents. Introduction Worm vs. Virus Worm History example How the worm operated Crisis Aftermath. Worm vs. Virus. Worm History. 1975 John Brunner’s Science fiction 1981 Xerox PARC experimented 1988 Worm Started *

luella
Download Presentation

Crisis And Aftermath

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Crisis And Aftermath Reviewed by Yunkyu Sung merius@kdb.snu.ac.kr

  2. Contents • Introduction • Worm vs. Virus • Worm History • example • How the worm operated • Crisis • Aftermath

  3. Worm vs. Virus

  4. Worm History • 1975 John Brunner’s Science fiction • 1981 Xerox PARC experimented • 1988 Worm Started* … • 2003 SQL Slammer worm (1.25 인터넷대란)

  5. 03’ 1.25 인터넷 대란 • 2003년 1월 25일 Microsoft SQL server를 대상으로 하는 slammer worm 활동 • 404bytes를 1434/udp (SQL Server Resolution Service Port)로 전송

  6. finger • finger : allows user to obtain information about other user over TPC/IP • Common Unix systems run a demon of finger (fingerd) • The worm broke fingerd program by “buffer overrun” • The worm exploited gets() call

  7. finger Example) in gets(), we set a buffer as 10. (ex. char buff[10]; ) Type over 11 characters  buffer overflow • When buffer overflow error occurred, • Normal cases : core dumped and exit • But, the worm : overwriting stack info and causes returning to worm program code. So worm can run alone.

  8. sendmail • sendmail is mailer program to route mail in a heterogeneous network. • By debug option, tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection. • Worm use debug option to invoke set of commands instead of user address

  9. password • Password mechanism in UNIX system • Insert password • “Encryption standard algorithm” encrypted • Compare with Previously encrypted password • If it is same, we get a accessibility • Trusted logins to avoid having to repeatedly type Passwords • rlogin runs without password checking

  10. How worm operated • Main Program : collect information on other machines in the network • Vector Program : try to infect other machines with information obtained

  11. How worm operated (cont’d) • How it works • Connect to target • Transfer source code of each part • Compile it • Run it • Collect information • Try to connect to other machines

  12. Step 1, 2 : Connection & Send • A socket established between vector and infecting machine • Vector tries one of two methods • Using TCP connection to /bin/sh • Using SMTP

  13. Step 2 : Connection (cont’d)

  14. Step 3 : file transfer • Vector connected to the ‘server’ • Transfer 3 files • Sun3, VAX binary version of worm • Source code of Vector • Vector became a shell with its input, output still connected to the server • Using execl

  15. Step 4 : Infect Host • Server sent the command streamto the connected shellPATH=/bin:/usr/bin:/usr/ucbrm –f shif [ -f sh ]then p=x1448190else p=shfi • Then for each binarycc –o $P x14481910,sun3.o./$P –p $$ x14481910,sun3.o x14481910,vax.o x14481910,11.crm –f $P

  16. Step 5 : Hide Worm • New worm hides itself • Obscuring its argument vector • Unlinking the binary version of itself • Killing its parent • Read worm binary into memory and encrypt • And delete file from disk

  17. Step 6 : Information gathering • The worm gathers information about • Network interface • Hosts to which the local machines was connected • Using ioctl, netstat • It built lists of these in memory

  18. Step 7 : reachability • Connected status • Directly connected? • Host type? (gateway or local host) • Try to connect using telnet, rexec

  19. Step 8 : Infection Attempts • Attack via rsh • /usr/bin/rsh, /bin/rsh • Can be used without password checking • If successful, go to step 1 and step 2.1 • Finger • Stack overflow attacking • Return stack frame for main routing changed to execve(“/bin/sh”, 0 , 0)If successful, go to step 1 and step 2.1 • Connection to SMTP • Step 2.2

  20. Step 9 : infected machine information • Collect info • /etc/hosts.equiv and /.rhosts • /etc/passwd • .forward • Cracking passwd using simple choices • Cracking passwd with an internal dictionary of words • Cracking passwd with /usr/dict/words • Loop forever trying to infect hosts in its internal tables

  21. Step 10 • Break into remote machines • Read .forward , .rhosts for user accounts • Create the remote shell • Remote rexec service • rexec to the current host • rsh to the remote host • .rhosts or host.equiv file on remote server

  22. Characteristics • Check for other worms running • One of 7 worms become immortal • Fork itself and kill parent • Re-infect the same machine every 12 hours • There are no stop code

  23. Aftermath • First worm • Around 6000 major UNIX machines were infected ( 10% of the network at that time) • Important nation-wide gateways were shutdown • Topic debated • punishment

  24. Then … • Robert T. Morris arrested • He just want to make a tool to gauge the size of the internet • 3 years probation, fine, community service • Computer Emergency Response Team was established

More Related