320 likes | 427 Views
Explore the damaging effects of worms, how they exploit system vulnerabilities, and historical incidents like Morris Worm and Code Red. Learn about system vulnerabilities like weak passwords and buffer overflows. Discover countermeasures to protect your system.
E N D
Internet Worms: Methods, Countermeasures and Famous Incidents Presented by: Tran To Brian Tully
Worms Are Bad! • Damages • Lost productivity • Compromised information • Lost Money • Total billions of dollars per year • Worms and viruses cost $8 billion in Jan. 2003 alone
Worms Exploit Vulnerabilities • Systems have faults • Orange Book – de facto standard that rates the security of operating systems • Windows has a class D rating – minimal protection • Unix has a class C1 rating – discretionary security protection
Goals • Examine system vulnerabilities • Weak passwords • Trap doors • Buffer overflows • Famous Incidents • Morris, Code Red, Blaster, Slammer, Sasser • Countermeasures
What is a Worm? • Necessary Criteria • Replication • Self-contained • Multi-tasking system • For network worms – replication across communication links
Two Major Classifications • Host computer worms • Entirely contained in computer it is running on • Uses network only to propagate • Network worms • Multiple segments on different hosts • Uses network for several communication purposes
Worms Are Not Really Bad?! • By definition worms are not malicious • Simply a program that replicates • First used for network management • Took advantage of system properties • Malicious worms do the same
History of Worms • Term coined by John Brunner • 1970s novel “The Shockwave Rider” • Xerox Palo Alto Research Center (PARC) • John Schoch and John Hepps use worms for distributed computations • Prove useful but managing worms is difficult • Night worm crashes systems • Possible malicious uses realized
System Vulnerabilities • Worms attack availability, confidentiality and integrity • Exploit flaws in OS to replicate • Weak passwords • Trap Doors • Gain access to user accounts • Buffer Overflow • Gain root access
Password Attack • Brute force • Time consuming • Worms take advantage of weak passwords • Dictionary attack • List of commonly used passwords
Backdoor Attack • Usually undocumented feature that sidesteps security mechanisms • debugging • Maintenance • Easy access to system once discovered
Buffer Overflow • Buffer – contiguous allotted chunk of memory, such as an array • In C and C++ there is no bounds checking • Can write past end of a buffer • Spill into user space or OS space • Functions sprintf(), scanf(), gets(), strcpy() • Do not check that destination buffer is large enough • Buffer overflow attacks exploit this
Stack Overflow Attack • Buffer put on a stack • Maintains pointers • Subroutine Call • Parameters and return address pushed on stack • By entering long unchecked parameters, attacker can manipulate return address
Stack Overflow Attack • Attacker has two options • Inject attack code into return address • Gain root privileges • Change return address • Alter the path to point to malicious code
Countermeasures • Choose hard to guess passwords • Do not build backdoors • Write secure code • Use strncpy() instead of strcpy() to limit the side of the buffer • Bound checking compilers
Famous Incidents • Christmas Tree Worm • Attacked IBM in Dec. 1987 • Chain letter and Trojan horse • Drew Christmas tree on display • Also forced computers to shut down
Morris Worm • Released Nov. 2, 1988 • Purpose was to propagate • Attacked mail servers • Exploited holes in Unix • Trap door in Sendmail • Buffer overflow Finger Daemon • Overwrote 512 character buffer with 536 • Extra 24 characters executed as commands • Password Cracker
Morris Worm • Affected 6,000 systems • Consumed excessive system resources • Morris confessed to creating the worm out of boredom?! (I sleep when I’m bored, I don’t terrorize the nation) • Convicted in 1990 of violating 1986 Computer Fraud and Abuse Act • Fined $10,000 • Three years probation
Code Red • Affected more than 250,000 servers in July 2001 • Web servers running Microsoft’s Internet Information Server (IIS) • Checked port 80 and sent HTTP GET request to propagate • Exploited buffer overflow vulnerability of idq.dll
Code Red • First nineteen days • Looked for servers to infect • Defaced web pages requested by servers • Days 20-27 • Launched DDOS attack against the White House web site • Day 28 • Worm slept • Affected 750,000 servers total costing $2 billion
Blaster Worm • Released Aug. 11, 2003 • Affected Windows XP and Win2K systems • Purpose was to launch a DDOS attack against Microsoft’s windowsupdate.com • Spread Fast • Filtered ISPs for vulnerable systems • Exploited buffer overflow in Microsoft’s interface between Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC) • Gained root privileges through TCP/IP RPC packets • Prevented users from downloading patches
Blaster Worm • Used Port Scanning • Port 135 used by RPC • Deposit Trojan horse • Execute remote shell • Initiate TFTP request to download worm • Computer is now unwilling participant in DDOS attack • 1.4 million computers affected • Patch had been released a month prior
Slammer Worm • Fastest spreading worm • Doubled in size every 8.5 seconds • Affected 75,000 computers in 10 mins • Used random scanning • Selected IP addresses at random to infect and eventually found all vulnerable hosts • Simple fast scanner
Slammer Worm • Goal was to DDOS attack various hosts and slow down the Internet in general • Exploited buffer overflow vulnerabilities in Microsoft’s SQL Server • Transmitted TCP-SYN packet • Patch was available for six months before attacks occurred
Sasser Worm • First noticed April 30, 2004 • Affected Windows XP and Win2K • Connected directly to open ports • Exploited buffer overflow in Microsoft’s local security authority subsystem service • Connected through TCP port 445 • Installed FTP server and transferred itself • Patch was available before release • Worm was possibly reverse-engineered from patch
Countermeasures • Update system • Download patches on a regular basis • Limit the amount of time a vulnerability can be exploited • Update anti-virus software on a regular basis • Latest software use heuristics • Identify code common to worms and variants • Configure firewall properly • Disable unnecessary services e.g. web and ftp servers • Build completely secure systems
Summary • Worms are here to stay • Individuals do not have much of a choice in systems • Security is dependent on developers of product • Forced to use insecure product knowing worms can attack it • Only solution is to not connect to the Internet, dig a hole and throw your router into the depths of the underworld
Possible Alternatives • With minimal effort a user can greatly increase the security of his or her inherently insecure system • Patches and updates • Minimal time between when vulnerability is discovered and when vulnerability is fixed • Firewall • Limit access to system so worms can’t get in to start • Simple procedures significantly reduce the extent to which worms can spread and cause damage