
The Lifecycle of a Worm



Presentation Transcript


  1. The Lifecycle of a Worm
  Bill Stearns and Bob Gray, Senior Research Engineers
  Institute for Security Technology Studies, Investigative Research for Infrastructure Assurance, Dartmouth College
  FAIR

  2. Client-Server Applications
  [Figure: Your Machine (client) exchanging HTTP messages with www.cnn.com (server)]
  • Request a web page: GET /TECH/ HTTP/1.0
  • Receive the web page: <HTML><HEAD><TITLE>Sci-Tech …

  3. Buffer Overflows
  [Figure: a web server receiving GET /TECH/ HTTP/1.0; the bytes of the request spill past the end of the request buffer into the rest of the program]
  • The programmer
    • Made the buffer too short, and …
    • Did not check the length of the request
  • The bytes that do not fit overwrite whatever follows the buffer in memory, so a carefully built request can change what the program does
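The following is an added example, not code from the slides or from the Ramen worm itself. It models the picture on the slide as a constructed block of memory: an 8-byte request buffer followed directly by "the rest of the program" (filled with a marker byte so overwritten bytes are easy to count). The vulnerable handler makes the two mistakes the slide lists; the hardened one measures the request against the buffer and refuses what does not fit. The buffer size, the filler byte and the helper names are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the server memory on the slide: an 8-byte request
 * buffer immediately followed by "the rest of the program". In a real
 * process that region holds saved registers, a return address or other
 * variables; here it is filled with '#' so clobbered bytes can be counted.
 */
#define REQ_BUF_LEN 8
#define REST_LEN    24
#define MEM_LEN     (REQ_BUF_LEN + REST_LEN)
#define PROGRAM_FILL '#'

typedef struct {
    char mem[MEM_LEN]; /* mem[0..7]: request buffer, mem[8..31]: rest of program */
} server_memory;

static void reset_memory(server_memory *s) {
    memset(s->mem, 0, REQ_BUF_LEN);
    memset(s->mem + REQ_BUF_LEN, PROGRAM_FILL, REST_LEN);
}

/* Count program bytes that no longer hold their original value. */
static int program_bytes_clobbered(const server_memory *s) {
    int count = 0;
    for (int i = REQ_BUF_LEN; i < MEM_LEN; i++)
        if (s->mem[i] != PROGRAM_FILL) count++;
    return count;
}

/*
 * Vulnerable handler: the buffer is too short for a normal request line
 * and the length is never checked, so the copy runs past the buffer into
 * the program. (The clamp to MEM_LEN only keeps this model inside its own
 * array; the real bug keeps writing until the request ends.)
 */
static void handle_request_vulnerable(server_memory *s, const char *request) {
    size_t n = strlen(request);
    if (n > MEM_LEN) n = MEM_LEN;
    memcpy(s->mem, request, n);
}

/*
 * Hardened handler: measure at most REQ_BUF_LEN bytes, refuse a request
 * that does not fit together with its terminating NUL, and bound the copy.
 * Returns 0 on success, -1 when the request was rejected; never writes
 * past the buffer.
 */
static int handle_request_safe(server_memory *s, const char *request) {
    size_t n = 0;
    while (n < REQ_BUF_LEN && request[n] != '\0') n++;
    if (n >= REQ_BUF_LEN) return -1;
    memcpy(s->mem, request, n);
    s->mem[n] = '\0';
    return 0;
}

/* Run one request through each handler on freshly reset memory. */
int clobbered_by_vulnerable(const char *request) {
    server_memory s;
    reset_memory(&s);
    handle_request_vulnerable(&s, request);
    return program_bytes_clobbered(&s);
}

int clobbered_by_safe(const char *request) {
    server_memory s;
    reset_memory(&s);
    handle_request_safe(&s, request);
    return program_bytes_clobbered(&s);
}

int safe_handler_result(const char *request) {
    server_memory s;
    reset_memory(&s);
    return handle_request_safe(&s, request);
}

int main(void) {
    const char *request = "GET /TECH/ HTTP/1.0"; /* 19 bytes into an 8-byte buffer */
    printf("vulnerable: %d program bytes clobbered\n", clobbered_by_vulnerable(request));
    printf("safe: rc=%d, %d program bytes clobbered\n",
           safe_handler_result(request), clobbered_by_safe(request));
    printf("safe, short request: rc=%d\n", safe_handler_result("GET /"));
    return 0;
}
```

With the slide's request line the vulnerable handler overwrites 11 bytes of the program region; the hardened handler rejects the same request and leaves the program region untouched. Rejecting is the right default for a fixed-size buffer; the alternative fix, sizing the buffer for the longest legal request, still needs the length check.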

  4. Insecure Programs
  • Red Hat Linux 6.2 and 7.0
  • 2 file sharing tools
  • 1 print server
  • Exploitable programs, but fixes available

  5. The Cracker
  • Ranges from electronic graffiti artist to destructive criminal
  • Motivations: fame, notoriety, money, revenge
  • Generally independent

  6. The Ramen Worm (I)
  [Figure: the hacker's machine sends the buffer overflow to sleepy.dartmouth.edu (target) … and takes control of the machine]
  Step 1: Infect the first machine
  • Break in using buffer overflows
  • Close holes behind itself
    • Stops reinfection
    • The Morris worm tried this, but failed
  • Modify the system
  • Email the cracker

  7. The Ramen Worm (II)
  [Figure: sleepy.dartmouth.edu, now running the worm (R), scans sneezy, grumpy, bashful and dopey, each marked Vulnerable, and infects them]
  Step 2: Automatically infect more machines
  • Scan for vulnerable machines
  • Infect vulnerable machines
  • Keep on going
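The two steps above (break in and close the hole, then scan and infect, repeat) are the whole propagation loop, so here is an added simulation of it; it is not code from the slides or from the worm. The network is constructed from the five hosts drawn on the slide, every host starts vulnerable, and scan order is fixed so the result is deterministic. Running it with and without the "close holes behind itself" behaviour shows why that step matters: without it, every already-infected host is exploited again on every round, which is the runaway reinfection the Morris worm became known for. Host names, round structure and helper names are assumptions of this model.

```c
#include <stdio.h>

/* Constructed network: the five hosts drawn on the slide. */
#define NHOSTS 5
static const char *HOST_NAMES[NHOSTS] = {
    "sleepy", "sneezy", "grumpy", "bashful", "dopey"
};

typedef struct {
    int vulnerable; /* still exposes the exploitable service */
    int infected;   /* at least one copy of the worm is running */
    int copies;     /* how many times the worm was installed here */
} host;

static void reset_network(host *net) {
    for (int i = 0; i < NHOSTS; i++) {
        net[i].vulnerable = 1;
        net[i].infected = 0;
        net[i].copies = 0;
    }
}

/* Per-host actions from the slide: break in and, if configured to, close
 * the hole behind itself so a later scan finds nothing to exploit. */
static void infect(host *h, int close_hole) {
    h->infected = 1;
    h->copies++;
    if (close_hole) h->vulnerable = 0;
}

/*
 * Step 1: the cracker infects host 0 (sleepy) by hand.
 * Step 2: each round, every host that was infected at the start of the
 * round scans every other host and infects the vulnerable ones.
 * Stops when no vulnerable host remains or after max_rounds.
 * Returns the number of rounds actually run.
 */
int simulate(host *net, int close_hole, int max_rounds) {
    reset_network(net);
    infect(&net[0], close_hole);

    int rounds = 0;
    while (rounds < max_rounds) {
        int remaining = 0;
        for (int j = 0; j < NHOSTS; j++) remaining += net[j].vulnerable;
        if (remaining == 0) break;      /* nothing left to exploit */

        int was_infected[NHOSTS];       /* only hosts infected at round start scan */
        for (int j = 0; j < NHOSTS; j++) was_infected[j] = net[j].infected;

        for (int i = 0; i < NHOSTS; i++) {
            if (!was_infected[i]) continue;
            for (int j = 0; j < NHOSTS; j++) {
                if (j == i) continue;
                if (net[j].vulnerable) infect(&net[j], close_hole);
            }
        }
        rounds++;
    }
    return rounds;
}

int total_copies(const host *net) {
    int copies = 0;
    for (int j = 0; j < NHOSTS; j++) copies += net[j].copies;
    return copies;
}

/* Convenience wrappers: run a fresh simulation and report one figure. */
int rounds_run(int close_hole, int max_rounds) {
    host net[NHOSTS];
    return simulate(net, close_hole, max_rounds);
}

int copies_after(int close_hole, int max_rounds) {
    host net[NHOSTS];
    simulate(net, close_hole, max_rounds);
    return total_copies(net);
}

int main(void) {
    host net[NHOSTS];
    for (int close_hole = 1; close_hole >= 0; close_hole--) {
        int rounds = simulate(net, close_hole, 3);
        printf("close_hole=%d: %d round(s), %d worm copies installed\n",
               close_hole, rounds, total_copies(net));
        for (int j = 0; j < NHOSTS; j++)
            printf("  %-8s infected=%d copies=%d vulnerable=%d\n",
                   HOST_NAMES[j], net[j].infected, net[j].copies, net[j].vulnerable);
    }
    return 0;
}
```

With the hole closed, the first round infects all four neighbours, nothing is left to exploit, and the run ends with exactly one copy per host. Without it the loop never runs out of targets: after three rounds the same five hosts carry 45 copies, each one rescanning the network. That load, not the payload, is what usually gets a worm noticed.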

  8. The System Administrator
  • The individual responsible for maintaining computers
  • Applies system upgrades

  9. Problem Reports
  • SANS GIAC
  • Spanish CERT

  10. The Analysts
  • ISTS staff, volunteers, SANS and CERT
  • Max Vision, Dave Dittrich, Bill Stearns, Chris Brenton

  11. Analysis
  • Max Vision, Dave Dittrich, Bill Stearns
  • Analyze sensor information
  • Inspect files included in the worm
  • Determine their goals, actions, effects

  12. Ramenfind
  • Detects the worm
  • Stops the running programs
  • Removes the files from the system
  • Keeps a copy for later analysis

  13. Distribution
  • SANS, ISTS web site
  • Security mailing lists
  • Packetstorm
  • News agencies and mailing lists

  14. Arms Race
  [Figure: a cycle between Cracker and Analyst]
  • Cracker develops a new, more elusive attack.
  • Analyst develops an improved detection tool.

  15. Training and Support
  [Figure: ISTS Response Team ("Looks like Ramen …") assisting a State Police Computer Lab]
  • Training
    • Network Forensics (May 2001)
    • Advanced Forensic Tools (June 2001)
  • Support
    • Advanced Law Enforcement Response Team (ALERT)

  16. Information Delivery
  [Figure: System Administrator and Investigator both served from a shared Repository]

  17. Tool Development
  • RamenFind: finds and removes the Ramen worm
  • LionFind: finds and removes the Lion worm
  • ShareFind: finds file-sharing programs, such as Napster and Gnutella, that have been installed on Windows machines

  18. Long Term Research
  • Example: Internet Health Monitor
  [Figure: network map showing a failing link]
