Network Worms: Attacks and Defenses
John Mitchell
CS 155, Spring 2006
(with slides borrowed from various, noted, sources)

Outline
  - Worm propagation
    - Worm examples
    - Propagation models
  - Detection methods
    - Traffic patterns: EarlyBird
    - Watch attack: TaintCheck and Sting
    - Look at vulnerabilities: Generic Exploit Blocking
  - Disable
    - Generate worm signatures and use them in network- or host-based filters

Worm
  - A worm is self-replicating software designed to spread through the network
    - Typically exploits security flaws in widely used services
    - Can cause enormous damage
      - Launch DDoS attacks, install bot networks
      - Access sensitive information
      - Cause confusion by corrupting the sensitive information
  - Worm vs virus vs Trojan horse
    - A virus is code embedded in a file or program
    - Viruses and Trojan horses rely on human intervention
    - Worms are self-contained and may spread autonomously

Cost of worm attacks
  - Morris worm, 1988
    - Infected approximately 6,000 machines, about 10% of the computers then connected to the Internet
    - Cost ~$10 million in downtime and cleanup
  - Code Red worm, July 2001
    - Direct descendant of Morris' worm
    - Infected more than 500,000 servers
    - Programmed to go into infinite sleep mode on July 28
    - Caused ~$2.6 billion in damages
  - Love Bug worm: $8.75 billion
  - Statistics: Computer Economics Inc., Carlsbad, California

Aggregate statistics
  (chart only)

Internet Worm (first major attack)
  - Released November 1988
  - Program spread through Digital (VAX) and Sun workstations
    - Exploited Unix security vulnerabilities
    - VAX computers and Sun-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
  - Consequences
    - No immediate damage from the program itself
    - Replication and threat of damage
    - Load on the network and on the systems used in the attack
    - Many systems shut down to prevent further attack

Internet Worm description
  - Two parts
    - Program to spread the worm
      - Looks for other machines that could be infected
      - Tries to find ways of infiltrating these machines
    - Vector program (99 lines of C)
      - Compiled and run on the infected machines
      - Transferred the main program to continue the attack
  - Security vulnerabilities
    - fingerd: Unix finger daemon
    - sendmail: mail distribution program
    - Trusted logins (.rhosts)
    - Weak passwords

Three ways the worm spread
  - Sendmail
    - Exploit the debug option in sendmail to allow shell access
  - Fingerd
    - Exploit a buffer overflow: fingerd read its request with gets(), which imposes no length limit
    - Apparently, this was the most successful attack
  - Rsh
    - Exploit trusted hosts
    - Password cracking

sendmail
  - Worm used the debug feature
    - Opens a TCP connection to the machine's SMTP port
    - Invokes debug mode
    - Sends a RCPT TO that pipes data through a shell
  - Shell script retrieves the worm's main program
    - Places the vector program (C source) in a temporary file called x$$,l1.c, where $$ is the current process ID
    - Compiles and executes this program
    - The vector program opens a socket to the machine that sent the script
    - Retrieves the worm's main program, compiles it and runs it

fingerd
  - Written in C and runs continuously
  - Array bounds attack
    - fingerd expects an input string
    - Worm writes a long string into an internal 512-byte buffer
  - Attack string
    - Includes machine instructions
    - Overwrites the return address
    - Invokes a remote shell
    - Executes privileged commands

Remote shell
  - Unix trust information
    - /etc/hosts.equiv: system-wide trusted hosts file
    - /.rhosts and ~/.rhosts: users' trusted hosts files
  - Worm exploited trust information
    - Examined files that listed trusted machines
    - Assumed reciprocal trust: if X trusts Y, then maybe Y trusts X
  - Password cracking
    - Worm was running as daemon (not root), so it needed to break into accounts to use the .rhosts feature
    - Dictionary attack
    - Read /etc/passwd, tried ~400 common password strings

The worm itself
  - Program is called 'sh'
    - Clobbers the argv array so a 'ps' will not show its name
    - Opens its files, then unlinks (deletes) them so they can't be found
    - Since the files are open, the worm can still access their contents
  - Tries to infect as many other hosts as possible
    - When the worm successfully connects, it forks a child to continue the infection while the parent keeps trying new hosts
  - Worm did not: delete system files, modify existing files, install Trojan horses, record or transmit decrypted passwords, capture superuser privileges, or propagate
    over UUCP, X.25, DECNET, or BITNET

Detecting the Morris Internet Worm
  - Files
    - Strange files appeared on infected systems
    - Strange log messages from certain programs
  - System load
    - Infection generates a number of processes
    - Systems were reinfected, so the number of processes grew and systems became overloaded
    - Apparently not intended by the worm's creator
  - Thousands of systems were shut down

Stopping the worm
  - System admins busy for several days
    - Devised, distributed, installed modifications
  - Perpetrator
    - Student at Cornell; discovered quickly and charged
    - Sentence: three years' probation, 400 hours of community service and a $10,050 fine
    - Program did not cause deliberate damage
    - Tried (and failed) to control the number of worm processes on each host machine
  - Lessons?
    - Security vulnerabilities come from system flaws
    - Diversity is useful for resisting attack
    - "Experiments" can be dangerous

Sources for more information
  - Eugene H. Spafford, "The Internet Worm: Crisis and Aftermath", CACM 32(6), 678-687, June 1989
  - Bob Page, "A Report on the Internet Worm", http://www.ee.ryerson.ca:8080/~elf/hack/iworm.html

Some historical worms of note (Kienzle and Elder)

  Worm      Date   Distinction
  Morris    11/88  Used multiple vulnerabilities, propagated to "nearby" systems
  ADM       5/98   Random scanning of the IP address space
  Ramen     1/01   Exploited three vulnerabilities
  Lion      3/01   Stealthy, rootkit worm
  Cheese    6/01   Vigilante worm that secured vulnerable systems
  Code Red  7/01   First significant Windows worm; completely memory resident
  Walk      8/01   Recompiled source code locally
  Nimda     9/01   Windows worm: client-to-server, client-to-client, server-to-server, ...
  Scalper   6/02   11 days after announcement of the vulnerability; peer-to-peer network of compromised systems
  Slammer   1/03   Used a single UDP packet for explosive growth

Increasing propagation speed
  - Code Red, July 2001
    - Affects Microsoft Index Server 2.0 and the Windows 2000 Indexing Service on Windows NT 4.0 and
      Windows 2000 systems that run the IIS 4.0 and 5.0 web servers
    - Exploits a known buffer overflow in Idq.dll
    - Vulnerable population (360,000 servers) infected in 14 hours
  - SQL Slammer, January 2003
    - Affects Microsoft SQL Server 2000
    - Exploits a known buffer overflow in the SQL Server Resolution Service
      - Vulnerability reported June 2002
      - Patch released July 2002, bulletin MS02-039
    - Vulnerable population infected in less than 10
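Worked example for the "fingerd" slide above. This is an added illustration, not code from the slides or from the 1988 worm: it models the unbounded gets()-style read that fingerd performed into its 512-byte buffer next to the bounded fgets()-style read that fixes it, and shows that the attack string's tail lands on the saved return address. The frame layout (buffer immediately followed by the return address), the SENTINEL value and the 'A'/'B' filler are assumptions made for the demonstration; the real worm placed VAX instructions in the buffer and the hijacked return executed /bin/sh, which is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FINGERD_BUF 512            /* size of fingerd's request buffer */
#define SENTINEL    ((uintptr_t)0x1234)

/* Simplified model of the fingerd stack frame: the 512-byte request buffer
 * immediately followed by the saved return address.  A real frame also
 * holds saved registers and padding between the two; the adjacency here is
 * an assumption made to keep the demonstration deterministic. */
struct frame {
    char      buf[FINGERD_BUF];
    uintptr_t saved_ret;
};

/* gets()-style read: copy until newline or NUL without ever consulting the
 * buffer size.  This is the primitive the worm exploited.  The one limit
 * below (sizeof *f) exists only so the demo never corrupts its own memory;
 * gets() itself keeps writing past the frame. */
size_t unbounded_read(struct frame *f, const char *request)
{
    unsigned char *dst = (unsigned char *)f;   /* write through the whole frame */
    size_t n = 0;
    while (request[n] != '\0' && request[n] != '\n' && n < sizeof *f) {
        dst[n] = (unsigned char)request[n];
        n++;
    }
    if (n < sizeof *f)
        dst[n] = '\0';
    return n;                                  /* bytes written */
}

/* fgets()-style read: at most FINGERD_BUF-1 characters, always NUL
 * terminated.  Excess input is dropped and saved_ret is never touched. */
size_t bounded_read(struct frame *f, const char *request)
{
    size_t n = 0;
    while (request[n] != '\0' && request[n] != '\n' && n < FINGERD_BUF - 1) {
        f->buf[n] = request[n];
        n++;
    }
    f->buf[n] = '\0';
    return n;
}

/* Shape of the worm's request (constructed): FINGERD_BUF bytes of filler,
 * where the real attack carried VAX instructions, followed by the bytes
 * that land on the saved return address.  'B' is used for those bytes
 * because the fake address must contain neither NUL nor newline, either of
 * which would stop gets(). */
#define ATTACK_LEN (FINGERD_BUF + sizeof(uintptr_t))

void build_attack(char out[ATTACK_LEN + 1])
{
    memset(out, 'A', FINGERD_BUF);
    memset(out + FINGERD_BUF, 'B', sizeof(uintptr_t));
    out[ATTACK_LEN] = '\0';
}

/* Run one reader against the attack string and report what ends up in the
 * saved return address slot. */
uintptr_t saved_ret_after(size_t (*reader)(struct frame *, const char *))
{
    char attack[ATTACK_LEN + 1];
    struct frame f;
    build_attack(attack);
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL;
    reader(&f, attack);
    return f.saved_ret;
}

/* The attacker-chosen value: a pointer whose every byte is 'B'. */
uintptr_t attacker_value(void)
{
    uintptr_t v;
    memset(&v, 'B', sizeof v);
    return v;
}

int main(void)
{
    uintptr_t r1 = saved_ret_after(unbounded_read);
    uintptr_t r2 = saved_ret_after(bounded_read);
    printf("gets-style : saved_ret = %#lx (%s)\n", (unsigned long)r1,
           r1 == attacker_value() ? "overwritten by request" : "intact");
    printf("fgets-style: saved_ret = %#lx (%s)\n", (unsigned long)r2,
           r2 == SENTINEL ? "intact" : "overwritten by request");
    return 0;
}
```

The bounded reader is the whole fix for this class of bug: the request is cut at 511 characters and the bytes that would have reached the return address are simply dropped. Note that the demo's unbounded reader has to stop at the end of the modelled frame; the original gets() had no stop at all, which is why the overflow reached the caller's frame.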
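Worked example for the "Remote shell" slide above, covering both the trust files the worm read and the check an rsh-style login performed against them. This is an added illustration, not code from the slides, from the worm, or from BSD: the hosts.equiv/.rhosts semantics ("host", "host user", "+" as wildcard, leading "-" as deny, first match wins) are a simplified version assumed for the demo, and the sample file contents are constructed. The harvest function shows what the worm extracted to pick its next victims; the wildcard sample shows the lone "+" misconfiguration that trusts every host.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 64
#define MAX_LINE  256

/* Constructed sample files (not taken from any real host). */
const char TRUSTED_SAMPLE[] =
    "# trusted peers for this machine\n"
    "alpha.example\n"          /* any user on alpha may log in as the same user */
    "beta.example  rtm\n"      /* only rtm may come from beta */
    "-gamma.example\n";        /* gamma is explicitly denied */

const char WILDCARD_SAMPLE[] =
    "# the classic misconfiguration: a lone '+' trusts every host\n"
    "+\n";

/* Copy the next line of *cursor into `line` (truncated to MAX_LINE-1) and
 * advance the cursor.  Returns 0 when no text remains. */
static int next_line(const char **cursor, char *line)
{
    const char *p = *cursor;
    const char *nl;
    size_t len;
    if (*p == '\0') return 0;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (len > MAX_LINE - 1) len = MAX_LINE - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Split one entry into host and optional user; returns 0 for blank or
 * comment lines. */
static int parse_entry(const char *line, char host[MAX_FIELD], char user[MAX_FIELD])
{
    while (*line == ' ' || *line == '\t') line++;
    host[0] = user[0] = '\0';
    if (*line == '#') return 0;
    return sscanf(line, "%63s %63s", host, user) >= 1;
}

/* Simplified hosts.equiv / .rhosts check (semantics assumed for this demo):
 * returns 1 if `user` arriving from `host` gets in without a password. */
int rhosts_allows(const char *file, const char *host, const char *user)
{
    const char *cursor = file;
    char line[MAX_LINE], h[MAX_FIELD], u[MAX_FIELD];
    while (next_line(&cursor, line)) {
        int deny, host_ok, user_ok;
        const char *hn;
        if (!parse_entry(line, h, u)) continue;
        deny = (h[0] == '-');
        hn = deny ? h + 1 : h;
        host_ok = strcmp(hn, "+") == 0 || strcmp(hn, host) == 0;
        user_ok = u[0] == '\0' || strcmp(u, "+") == 0 || strcmp(u, user) == 0;
        if (host_ok && user_ok) return !deny;      /* first match wins */
    }
    return 0;
}

/* What the worm did with these files: harvest the names of hosts this
 * machine trusts, on the bet that trust is reciprocal.  Deny entries and
 * the '+' wildcard name no host, so they are skipped.  Returns the number
 * of distinct hosts stored in out[]. */
size_t harvest_hosts(const char *file, char out[][MAX_FIELD], size_t max)
{
    const char *cursor = file;
    char line[MAX_LINE], h[MAX_FIELD], u[MAX_FIELD];
    size_t n = 0;
    while (n < max && next_line(&cursor, line)) {
        size_t i;
        if (!parse_entry(line, h, u) || h[0] == '-' || strcmp(h, "+") == 0) continue;
        for (i = 0; i < n && strcmp(out[i], h) != 0; i++) ;
        if (i == n) strcpy(out[n++], h);
    }
    return n;
}

/* Convenience wrapper: how many candidate targets a file yields. */
size_t harvest_count(const char *file)
{
    char hosts[16][MAX_FIELD];
    return harvest_hosts(file, hosts, 16);
}

int main(void)
{
    char hosts[16][MAX_FIELD];
    size_t n = harvest_hosts(TRUSTED_SAMPLE, hosts, 16), i;
    printf("candidate targets harvested from sample file:");
    for (i = 0; i < n; i++) printf(" %s", hosts[i]);
    printf("\nrtm from beta.example allowed: %d\n", rhosts_allows(TRUSTED_SAMPLE, "beta.example", "rtm"));
    printf("bob from beta.example allowed: %d\n", rhosts_allows(TRUSTED_SAMPLE, "beta.example", "bob"));
    printf("nobody from delta.example with '+': %d\n", rhosts_allows(WILDCARD_SAMPLE, "delta.example", "nobody"));
    return 0;
}
```

The harvest is the worm's side of the slide; the check is the victim's side. A system audit for these files should flag any line that is exactly "+", since, as the wildcard sample shows, it makes every other entry irrelevant.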
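Worked example for the two hiding tricks on "The worm itself" slide above: clobbering argv so ps shows a bland name, and unlinking open files so their contents stay reachable while the names vanish. This is an added illustration written for this page, not the worm's code; the argv strings, the fake name "sh" and the scratch-file path under /tmp (falling back to the current directory) are assumptions of the demo. It relies only on POSIX calls (mkstemp, unlink, access, lseek, read, write).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rewrite the process's command-line image in place so that a tool that
 * reads argv (as ps did in 1988) sees `fake_name` and no arguments.  Only
 * the bytes already present in argv can be reused, so a longer name is
 * truncated to fit in argv[0]. */
void clobber_argv(int argc, char **argv, const char *fake_name)
{
    int i;
    size_t room, n;
    for (i = 1; i < argc; i++)                 /* blank every argument */
        memset(argv[i], 0, strlen(argv[i]));
    room = strlen(argv[0]);
    n = strlen(fake_name);
    if (n > room) n = room;
    memset(argv[0], 0, room);
    memcpy(argv[0], fake_name, n);
}

/* Exercise clobber_argv on a constructed, writable argv.  Returns 1 if the
 * image now reads as "sh" with an empty argument. */
int clobber_argv_demo(void)
{
    char a0[] = "/usr/tmp/worm-binary-name";   /* constructed, not a real path */
    char a1[] = "--propagate";
    char *argv[] = { a0, a1, NULL };
    clobber_argv(2, argv, "sh");
    return strcmp(argv[0], "sh") == 0 && argv[1][0] == '\0';
}

/* Create a scratch file, write `payload`, unlink the name, then show that
 * the bytes are still readable through the open descriptor although the
 * path is gone.  The inode is released only when the last descriptor is
 * closed.  Returns 1 when the name is gone and the bytes match, else 0. */
int read_after_unlink(const char *payload)
{
    char path[] = "/tmp/wormdemo.XXXXXX";
    size_t len = strlen(payload);
    char *buf;
    int name_gone, ok;
    int fd = mkstemp(path);
    if (fd < 0) {                                  /* fall back to the cwd */
        strcpy(path, "./wormdemo.XXXXXX");
        fd = mkstemp(path);
        if (fd < 0) return 0;
    }
    if (write(fd, payload, len) != (ssize_t)len || unlink(path) != 0) {
        close(fd);
        unlink(path);                              /* harmless if already gone */
        return 0;
    }
    name_gone = (access(path, F_OK) != 0);         /* the name no longer resolves */
    buf = malloc(len + 1);
    if (buf == NULL) { close(fd); return 0; }
    ok = lseek(fd, 0, SEEK_SET) == 0 && read(fd, buf, len) == (ssize_t)len;
    buf[len] = '\0';
    ok = ok && strcmp(buf, payload) == 0;          /* but the data is still there */
    free(buf);
    close(fd);
    return name_gone && ok;
}

int main(int argc, char **argv)
{
    printf("read after unlink: %s\n",
           read_after_unlink("worm main program bytes") ? "still readable via fd" : "failed");
    printf("argv clobber demo: %s\n",
           clobber_argv_demo() ? "ps would show 'sh'" : "failed");
    clobber_argv(argc, argv, "sh");                /* also hide this very process */
    return 0;
}
```

For a responder, the second trick is the useful lesson: a running process's deleted files are still open and can be recovered from the descriptor (on Linux via /proc/<pid>/fd) as long as the process lives, so preserve the process before killing it.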