CSCE 465 Lecture 8


Thursday, February 7, 2013


Lecture Slides


Worms (Cont'd)

Nimda Worm

September 18, 2001

Multi-modal worm; it used several propagation vectors:

  • IIS buffer overflow (same as Code Red I and II)
  • Bulk email itself as an attachment
  • Copy itself across open network shares
  • Add exploit to website
  • Code Red II backdoors

Its code for deleting all data on hard drives was turned off.

Some signature-based defenses don't help:

  • Leaped over firewalls
  • Mail had to be filtered on mail servers
  • Brand-new infection with an unknown signature; scanners could not detect it
  • Detection of zero-day attacks: when a worm first appears in the wild, it takes minutes to hours to identify its signature

Slammer (Sapphire) Worm

January 24–25, 2003

UDP worm that exploited a buffer overflow in Microsoft SQL Server (already known and patched by MS, but not everyone had updated)

Entire code fits in a 404-byte UDP packet

Generated scan rate: 55 M addresses per second

Infection doubled every 8.5 seconds

Worm-generated packets saturated the carrying capacity of the Internet in 10 minutes

  • 75,000 SQL servers compromised
  • IN SPITE of a broken random number generator

Impact

  • $1.25 B damage
  • knocked out many elements of critical infrastructure:
    • Bank of America ATM network
    • Entire cell network in South Korea
    • Five root DNS servers
    • Continental Airlines' ticket processing software

No malicious payload (it just exhausted bandwidth)

Old-style worms (Code Red) spawned a new thread to establish each TCP connection (3-way handshake)

Slammer used connectionless UDP: it simply sent the 404-byte UDP packet to randomly generated IP addresses
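As an added example (not from the lecture), the standard random constant spread (RCS) model fitted to the Slammer figures above: one infected host, a 75,000-host vulnerable population, and an early-phase doubling time of 8.5 s. It also illustrates the "propagation modeling" topic listed under detection and defense below; the host count and doubling time are the notes' numbers, the model is the usual logistic approximation, not something the lecture provides.

```python
"""Random constant spread (RCS) worm-propagation model, fitted to the Slammer
numbers in the notes (doubling time 8.5 s, ~75,000 vulnerable SQL servers).
Added example; the model is the standard logistic/SI approximation."""
import math

VULNERABLE_HOSTS = 75_000       # compromised population from the notes
DOUBLING_TIME_S = 8.5           # early-phase doubling time from the notes


def k_from_doubling(doubling_time_s: float) -> float:
    """Contact rate k such that an early-phase infection doubles every doubling_time_s.
    While i << 1 the model reduces to i(t) ~ i0 * e^(k t), so k = ln 2 / T_d."""
    return math.log(2) / doubling_time_s


def infected_fraction(k: float, t: float, i0: float) -> float:
    """Closed-form solution of di/dt = k * i * (1 - i) with i(0) = i0.
    i(t) = 1 / (1 + ((1 - i0) / i0) * e^(-k t)); saturates at 1 as t grows."""
    return 1.0 / (1.0 + ((1.0 - i0) / i0) * math.exp(-k * t))


def time_to_fraction(k: float, target: float, i0: float) -> float:
    """Inverse of infected_fraction: seconds until the infected fraction reaches target."""
    if not 0.0 < i0 < target < 1.0:
        raise ValueError("need 0 < i0 < target < 1")
    return math.log(((1.0 - i0) / i0) * target / (1.0 - target)) / k


def slammer_timeline(points=(0.01, 0.5, 0.9, 0.99)) -> dict:
    """Seconds to reach each infected fraction, starting from a single infected host.
    The RCS model ignores the link saturation the notes describe, so these
    idealized times are lower bounds on what the real worm achieved."""
    k = k_from_doubling(DOUBLING_TIME_S)
    i0 = 1.0 / VULNERABLE_HOSTS
    return {f: time_to_fraction(k, f, i0) for f in points}


if __name__ == "__main__":
    for frac, secs in slammer_timeline().items():
        print(f"{int(frac * 100):>3d}% of {VULNERABLE_HOSTS} hosts infected after {secs:6.1f} s")
```

Under these assumptions 90% of the population is reached in under three minutes; the bandwidth exhaustion the notes describe is what stretched the real outbreak out.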

Blaster and Welchia/Nachia

August 11, 2003

Scanning worm exploiting the Windows XP/2000 RPC service

Payload: DoS against MS Windows Update, and install a remotely accessible backdoor

Welchia/Nachia intended as a counter-worm:

  • patch RPC vulnerability and remove Blaster worm if found
  • did more damage by flooding networks with traffic.

Search Worms

Generate search query

  • find version numbers of vulnerable software (find exploitable targets)
  • Search for popular domains to harvest email addresses

Analyze search results

Modify URLs to exploit

MyDoom

Spreads by email.

  • MyDoom searches the local hard drive for addresses
  • MyDoom.O uses Web search (Google/45%, Lycos/22.5%, Yahoo/20%, and Altavista/12.5%)

Google stopped responding to MyDoom's queries

Santy

Written in Perl; exploits a bug in the phpBB bulletin board system (allows injection of arbitrary code into a Web server running phpBB)

Uses Google to find sites running phpBB

Once injected, it downloads the worm code from a central site, asks Google for more targets, and connects the infected machine to an IRC botnet.

The Perl code is permuted between infections, so filtering the traffic is difficult.

Google asks the client to solve a CAPTCHA if an IP address generates a lot of "rare" queries, and does not return the result of a query if the result set contains:

  1. pages from many hosts, and
  2. a high percentage of them are tagged vulnerable


Worm Detection and Defense

Propagation modeling

Automatic signature generation:

  • Earlybird
  • Autograph

Detection:

  • Honeypots (HoneyStat)
  • Local information (DSC)
  • Global information (Kalman Filter)

Mitigation and response


Conficker Worm

2008–2010

Most important worm since Slammer (4 yrs later)

Vulnerability in the Server service of Windows 2000/XP/Vista/2003/2008

  • Found in wild
  • Announced by MS, with a patch released at about the same time
  • Reward offered to find author of worm

Buffer overflow in RPC, port 139/445

Initial Version: Conficker A

  • Infection: NetBIOS MS08-067
  • Update: HTTP pull / 250 rand / 8 TLD
  • No self-defense

Updated to Conficker B

  • New Infection: removable media via DLL
  • New Update: NetBIOS file sharing
  • New Self-defense: block DNS lookups, no auto-updates

Conficker C

  • Infection

Conficker D

  • Updated Infection: HTTP pull / 50,000 rand / 150 (?) TLD and Peer-to-peer push
  • New Self-defense: disabled safe mode, etc.


Binary Security

Conficker used a digital signature to verify that an update was authored by the correct person.

  • Signature verified via an MD6 checksum (MD6 was used before its public release)
  • MD6 buffer overflow vulnerability fixed by the attacker!


Botnet

  • Centralized: network of compromised machines controlled by a botmaster via a central server
  • Decentralized: no single point of failure

Life Cycle

  1. Exploit and infect vulnerable machine
  2. Machine now becomes a bot
  3. DNS lookup of Command and Control server
  4. Join botnet IRC server (authentication)
  5. Accept commands from botmaster (authentication)


Malware Collection (honeypot/honeynet)[1]

  • Attract attacks
  • Capture binary network information
  • infiltrate botnets


Footnotes

  1. Recommended reading: A multifaceted approach to understanding the Botnet phenomenon