
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....


  1. Release Your BetWorm on Your Infrastructure. The source code link is on the last slide.
  2. Agenda:
     • Facts – Age of Malware
     • Quick look at worm history
     • Worst worms ever
     • Petty Worm
     • PLZ, the name is: BetWorm
     • BetWorm in the future
     • Questions
  3. The Famous – Who Am I Today?!
     • Penetration Tester Specialist and Security Researcher at DTS-Solution
     • Certified in a lot of things (would it make a difference?)
     • Author of the WeBzY and XSSYA tools
     • Over 8 years of experience in penetration testing, SE assessment and physical security
     • Bug hunter in my spare time – coding malicious stuff just for me
  4. Facts – Age of Malware
  5. Worms History
     1. Jerusalem (also known as BlackBox): discovered in 1987; it deletes files that are executed on each Friday the 13th.
     2. Storm Worm: discovered in 2007; an estimated 1 million to 10 million computers were still part of this botnet.
     3. MSBlast: discovered in 2003. When MSBlast hit, it installed a TFTP (Trivial File Transfer Protocol) server and downloaded code onto the infected host; over 25 million hosts were known to be infected.
     4. Melissa: discovered in 1999; Melissa spread through Microsoft Word 97 and Word 2000 and caused $1 billion in damages.
     5. Code Red: discovered in 2001; the worm took advantage of a buffer overflow vulnerability in Microsoft IIS servers, with damages estimated at $2 billion.
  6. Worst Worms Ever – a quick look at the worst worms ever. Note: this is not a worm analysis talk.
  7. MyDoom
     • When executed: opens Notepad with garbage data in it.
     • When spreading: the infected e-mails used to distribute copies of the worm use variable subjects, bodies and attachment names.
     • Further actions: opens a backdoor on infected computers by launching a DLL file as a child process of Explorer.EXE.
     • Collection: the worm collects addresses to send itself to from the Windows Address Book and from files with the extensions dbx, htm, txt and php.
  8. Conficker. What does it do?
     • Disables important system services and security products, such as Windows Defender, Microsoft Security Essentials or Windows Update.
     • Downloads arbitrary files.
     • Prevents you from visiting websites, including those that let you download security updates.
     How does the Conficker worm spread? By copying itself to the Windows system folder, and through file sharing and removable drives such as USB drives, especially those with weak passwords.
  9. Sasser. What does it do?
     • Creates a copy of itself in the Windows directory as 'avserve.exe'; this copy is added to the Registry.
     • Exploits the MS04-011 (LSASS) vulnerability to gain access.
     • Starts 128 scanning threads that try to find vulnerable systems on random IP addresses. Computers are probed on port 445, the default port for Windows SMB communication on NT-based systems.
     Summary of TCP ports used by the worm: 445/TCP – the worm attacks through this port; 9996/TCP – remote shell opened by the exploit on the vulnerable hosts.
  10. So What Is in Common? It's obvious which functions all harmful worms share:
     • Spread: by exploiting operating system vulnerabilities.
     • Harm: networks, by consuming bandwidth and overloading web servers.
     • Hold: "payloads" that damage host computers, or backdoors.
     • Replicate: computer worms have the ability to self-replicate.
  11. Petty Worm
     • We have created a lot of defenses to protect ourselves against harmful worms (AVs, firewalls, IPS, IDS, etc.), and we run offensive tasks to measure how effective our security is.
     • But we never think of using worms as a defense!
  12. Petty Worm. Worms are good but people are bad. So what next? I reverse the worm's intentions: creating Petty Worm.
  13. PLZ The Name: BetWorm
     • Uses the offensive mechanism for a defensive solution.
     • Uses the common functions of a harmful worm, but in reverse:
     • Spread: by authenticating to hosts on the same LAN.
     • Safe: does not consume bandwidth or overload web servers.
     • Cure: collects every weakness that attackers might use.
     • Controllable: it can't spread outside your network.
  14. PLZ The Name: BetWorm
     • BetWorm is written in Python.
     • Defensive and offensive worm: end point security? The attacker's perspective.
     • The worm only runs as a limited-privilege user.
     • Compatible with Linux environments (first stage of the project).
     • It is a mix of online scripts, modifications, and my own script.
  15. PLZ The Name: BetWorm. What has been finished?
  16. PLZ The Name: BetWorm. So what does BetWorm actually do? Spreading!
     • It scans an entire range you specify for hosts with SSH up and running.
     • Connects with the credentials you specify (limited user).
     • Drops BetWorm in /tmp/, or any path of your choice.
  17. PLZ The Name: BetWorm (no text on this slide)
  18. PLZ The Name: BetWorm. So what does BetWorm actually do? Who is the target?
     • Gives you all the system information (kernel, hostname, OS, logged-in users, environment).
     • Running applications and all current users.
     • The first stage of any attack: know your target.
  19. PLZ The Name: BetWorm (no text on this slide)
  20. PLZ The Name: BetWorm. So what does BetWorm actually do? How vulnerable is the target?
     • Analyzes all attack points, including client-side attacks.
     • Outdated applications and processes (privilege escalation).
     • You get a shell (case).
  21. PLZ The Name: BetWorm (no text on this slide)
  22. PLZ The Name: BetWorm. So what does BetWorm actually do? Does the target have malicious connections?
     • Detects live connections on the target machine.
     • Checks whether the user has active connections to malicious domains, based on comparison.
     • Self-deleting.
  23. PLZ The Name: BetWorm (no text on this slide)
  24. PLZ The Name: BetWorm (no text on this slide)
  25. BetWorm in the Future! What will BetWorm do?
     • BetWorm is a very new project, and it is open source.
     • BetWorm will be able to check and spread much faster.
     • It will be able to collect all weaknesses, save them as HTML and send them back to the Petty command and control server.
  26. BetWorm in the Future! What will BetWorm do?
     • It will have its own local web server.
     • BetWorm will be compatible with Linux and Windows.
     • GUI: you only fill in the empty fields, then hit and run.
  27. BetWorm in the Future! What will BetWorm do?
     • BetWorm will be uploaded to GitHub by the end of the conference.
     • Please feel free to contribute, report issues, or bring any new ideas.
  28. BetWorm Is Available! https://github.com/yehia-mamdouh/BetWorm – for any contribution, fixing issues or comments, get it from GitHub.
  29. Thank You. @Yehia1mamdouh yehia@dts-solution.com
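Slide 22 says BetWorm checks whether the user has live connections to malicious domains "based on comparison", but the deck does not show how that comparison works. The following is an added example written for this page, not code from the BetWorm project: it parses netstat-style output and matches every remote endpoint against a blocklist of exact IPs, CIDR ranges and domain names (including subdomains). The sample netstat output, the blocklist entries and all function and class names are constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample of `netstat -tn`-style output (not captured from a real host).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:52144          203.0.113.10:443        ESTABLISHED
tcp        0      0 10.0.0.5:52150          198.51.100.77:6667      ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.9:51002          ESTABLISHED
tcp        0      0 10.0.0.5:52161          evil-updates.example:80 ESTABLISHED
tcp        0      0 10.0.0.5:52170          192.0.2.200:8080        TIME_WAIT
"""

# Constructed blocklist (placeholder indicators): one exact IP, one CIDR, one domain.
BLOCKLIST_ENTRIES = [
    "# comment lines and blanks are ignored",
    "198.51.100.77",
    "192.0.2.0/24",
    "evil-updates.example",
]


@dataclass
class Connection:
    proto: str
    local: str
    remote_host: str
    remote_port: int
    state: str


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' on the LAST colon so IPv6 literals and hostnames survive."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else -1)


def parse_connections(netstat_text: str) -> List[Connection]:
    """Turn netstat-style rows into Connection records, skipping header lines."""
    conns: List[Connection] = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header/summary lines do not start with a protocol name.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, remote = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else "-"  # UDP rows carry no state
        host, port = _split_endpoint(remote)
        conns.append(Connection(proto, local, host, port, state))
    return conns


class Blocklist:
    """Indicator set supporting exact IPs, CIDR networks and domain suffixes."""

    def __init__(self, entries: Iterable[str]):
        self.ips = set()
        self.networks = []
        self.domains = set()
        for raw in entries:
            entry = raw.strip().lower()
            if not entry or entry.startswith("#"):
                continue
            try:
                if "/" in entry:
                    self.networks.append(ipaddress.ip_network(entry, strict=False))
                else:
                    self.ips.add(ipaddress.ip_address(entry))
            except ValueError:
                # Anything that is not an IP literal is treated as a domain name.
                self.domains.add(entry)

    def match(self, host: str) -> Optional[str]:
        """Return the blocklist entry that matches `host`, or None."""
        host = host.lower()
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Hostname: exact match or a subdomain of a listed domain.
            for domain in self.domains:
                if host == domain or host.endswith("." + domain):
                    return domain
            return None
        if addr in self.ips:
            return str(addr)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def find_malicious_connections(netstat_text: str, blocklist: Blocklist) -> List[Tuple[Connection, str]]:
    """Return (connection, matched_indicator) pairs for every remote on the blocklist."""
    hits = []
    for conn in parse_connections(netstat_text):
        matched = blocklist.match(conn.remote_host)
        if matched is not None:
            hits.append((conn, matched))
    return hits


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host feed it `netstat -tn` output.
    for conn, indicator in find_malicious_connections(SAMPLE_NETSTAT, Blocklist(BLOCKLIST_ENTRIES)):
        print(f"{conn.state:<12} {conn.local} -> {conn.remote_host}:{conn.remote_port}  matched {indicator}")
```

Matching on the raw IP as well as on hostnames matters because `netstat -n` never shows domain names; a domain-only blocklist would miss every connection unless the indicators are resolved to addresses first, so a practical feed carries both forms.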
