
Internet Worms: Methods, Countermeasures and Famous Incidents


Presentation Transcript


  1. Internet Worms: Methods, Countermeasures and Famous Incidents Presented by: Tran To Brian Tully

  2. Worms Are Bad! • Damages • Lost productivity • Compromised information • Lost money • Total of billions of dollars per year • Worms and viruses cost an estimated $8 billion in Jan. 2003 alone

  3. Worms Exploit Vulnerabilities • Systems have faults • Orange Book (the DoD Trusted Computer System Evaluation Criteria, TCSEC) – U.S. Department of Defense standard that rates the security of operating systems • Windows has a class D rating – minimal protection (the slide's claim; Windows NT was in fact evaluated at C2 in a specific stand-alone configuration) • Unix has a class C1 rating – discretionary security protection

  4. Goals • Examine system vulnerabilities • Weak passwords • Trap doors • Buffer overflows • Famous Incidents • Morris, Code Red, Blaster, Slammer, Sasser • Countermeasures

  5. What is a Worm? • Necessary criteria • Replication • Self-contained (needs no host program, unlike a virus) • Runs on a multi-tasking system • For network worms – replication across communication links

  6. Two Major Classifications • Host computer worms • Entirely contained in computer it is running on • Uses network only to propagate • Network worms • Multiple segments on different hosts • Uses network for several communication purposes

  7. Worms Are Not Really Bad?! • By definition a worm need not be malicious • Simply a program that replicates itself • First used for network management • Took advantage of system properties (idle machines, network reachability) • Malicious worms do the same

  8. History of Worms • Term coined by John Brunner • 1975 novel “The Shockwave Rider” • Xerox Palo Alto Research Center (PARC) • John Shoch and Jon Hupp use worms for distributed computations (early 1980s) • Proved useful, but managing worms is difficult • One night a malfunctioning worm crashed machines across the lab • Possible malicious uses realized

  9. System Vulnerabilities • Worms attack availability, confidentiality and integrity • Exploit flaws in the OS and its network services to replicate • Weak passwords • Trap doors • Gain access to user accounts • Buffer overflow • Gain root access

  10. Password Attack • Brute force • Time consuming • Worms take advantage of weak passwords • Dictionary attack • List of commonly used passwords (and words from the system dictionary)

  11. Backdoor (Trap Door) Attack • Usually an undocumented feature that sidesteps security mechanisms • Left in for debugging • Left in for maintenance • Easy access to the system once discovered

  12. Buffer Overflow • Buffer – contiguous allotted chunk of memory, such as an array • In C and C++ there is no bounds checking • Can write past the end of a buffer • Overwrites whatever is adjacent: other variables, saved registers, the return address • Functions sprintf(), scanf(), gets(), strcpy() • Do not check that the destination buffer is large enough • Buffer overflow attacks exploit this

  13. Stack Overflow Attack • Local buffers live on the stack • Stack also holds saved pointers • Subroutine call • Parameters and return address pushed on the stack • By supplying long unchecked parameters, the attacker overwrites the saved return address

  14. Stack Overflow Attack • Attacker has two options • Point the return address at attack code injected in the overflowed buffer itself • Runs with the privileges of the vulnerable process – root for a daemon or setuid program • Point the return address at code already in the process • Alters the control path to reach malicious behaviour

  15. Countermeasures • Choose hard-to-guess passwords • Do not build backdoors • Write secure code • Use strncpy() instead of strcpy() to limit the copy to the size of the buffer (and NUL-terminate explicitly: strncpy() does not when the source fills the buffer) • Bounds-checking compilers
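The slides describe the unchecked copy and the strncpy() fix in words; the following is an added example (not code from the presentation) that puts the vulnerable pattern next to two bounded forms. NAME_SIZE, the record layout in main() and the 'A' inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16  /* hypothetical fixed-size buffer, as on the slides */

/* Reports whether copying src into a dst of buf_size bytes (including the
 * terminating NUL) would run past the end of dst. strcpy() never asks this. */
int would_overflow(size_t buf_size, const char *src)
{
    return strlen(src) + 1 > buf_size;
}

/* The pattern the slides warn about: strcpy() trusts the caller to have
 * sized dst. Kept as the "before" form; only main() calls it. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes strlen(src)+1 bytes, whatever dst can hold */
}

/* strncpy() as the slide suggests, plus the step it omits: strncpy() does not
 * write a NUL when src fills the buffer, so terminate explicitly. */
void copy_strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    dst[dst_size - 1] = '\0';
}

/* Bounded copy that always NUL-terminates and tells the caller whether the
 * input was cut: 0 = copied whole, 1 = truncated, -1 = no room at all. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 1 if both hardened copies keep an over-long input inside the buffer. */
int selfcheck(void)
{
    char name[NAME_SIZE];
    const char *attack = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes, constructed */
    if (!would_overflow(sizeof name, attack)) return 0;
    if (copy_bounded(name, sizeof name, attack) != 1) return 0;
    if (strlen(name) != NAME_SIZE - 1) return 0;
    copy_strncpy_terminated(name, sizeof name, attack);
    return strlen(name) == NAME_SIZE - 1;
}

int main(void)
{
    /* Stand-alone demo of "spilling into adjacent memory": 19 bytes plus NUL
     * fill name[] and continue into the field declared after it. This is
     * undefined behaviour, shown deliberately; a real exploit aims the same
     * overwrite at the saved return address instead of a flag. */
    struct { char name[NAME_SIZE]; int is_admin; } rec = { "", 0 };
    copy_unchecked(rec.name, "AAAAAAAAAAAAAAAAAAA");
    printf("is_admin after unchecked copy: 0x%x\n", (unsigned)rec.is_admin);
    printf("selfcheck (hardened copies stayed in bounds): %d\n", selfcheck());
    return 0;
}
```

copy_bounded() is the form to prefer in new code: the truncation result lets the caller reject the input instead of silently processing a shortened string, which is the failure mode the strncpy() fix on its own leaves open.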

  16. Famous Incidents • Christmas Tree Worm (CHRISTMA EXEC) • Hit IBM's VNET and BITNET in Dec. 1987 • Chain letter and Trojan horse: a REXX script that drew a Christmas tree on the display and mailed itself to the user's contacts • The mail volume also forced systems to shut down

  17. Morris Worm • Released Nov. 2, 1988 • Purpose was to propagate • Spread through Unix network services, mail servers among them • Exploited holes in Unix • Trap door in Sendmail (the DEBUG command) • Buffer overflow in the finger daemon (fingerd) • Sent 536 bytes into a 512-byte gets() buffer • The extra bytes overwrote the saved return address so that the injected stack contents ran and spawned a shell • Password cracker (built-in word list and the system dictionary) • Also abused rsh/rexec host trust

  18. Morris Worm • Affected an estimated 6,000 systems • Consumed excessive system resources (re-infecting hosts repeatedly) • Morris confessed to creating the worm out of boredom?! (I sleep when I'm bored, I don't terrorize the nation) • Convicted in 1990 of violating the 1986 Computer Fraud and Abuse Act • Fined $10,050 • Three years probation and 400 hours of community service

  19. Code Red • Infected more than 250,000 servers in July 2001 (most of them within hours on July 19) • Web servers running Microsoft's Internet Information Server (IIS) • Scanned port 80 and sent a crafted HTTP GET for /default.ida to propagate • Exploited a buffer overflow in the Index Server ISAPI extension idq.dll (MS01-033)

  20. Code Red • First nineteen days of the month • Looked for servers to infect • Defaced pages served by infected hosts • Days 20-27 • Launched a DDoS flood against the White House web site's IP address • Day 28 • Worm slept • Estimated 750,000 servers affected in total, costing an estimated $2 billion
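Because Code Red propagated with one recognisable HTTP request, its probes are easy to pick out of a web server's access log. The following is an added example, not part of the presentation: it builds Common Log Format lines in the worm's shape (long run of filler bytes in the /default.ida query followed by %u escapes) and scans a constructed log for them. The FILLER_RUN threshold, the sample IP addresses and the timestamps are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Minimum run of identical filler bytes treated as overflow padding. The
 * worm sent a few hundred 'N's (the later variant used 'X's); 64 is an
 * assumed threshold for this example. */
#define FILLER_RUN 64

/* Returns 1 if an access-log line looks like a Code Red style probe: a GET
 * for the Index Server extension whose query string opens with a long run
 * of one byte and then the %uXXXX escapes that carried the exploit. */
int is_code_red_probe(const char *line)
{
    const char *p = strstr(line, "GET /default.ida?");
    if (!p) return 0;
    p += strlen("GET /default.ida?");
    char filler = *p;
    if (filler != 'N' && filler != 'X') return 0;
    size_t run = 0;
    while (p[run] == filler) run++;
    if (run < FILLER_RUN) return 0;
    return strncmp(p + run, "%u", 2) == 0;
}

/* Constructs one log line in the probe's shape: `run` copies of `filler`
 * then the worm's escape sequence. Returns 0, or -1 if out is too small. */
int make_probe_line(char *out, size_t out_size, const char *ip, char filler, size_t run)
{
    const char *suffix = "%u9090%u6858%ucbd3%u7801 HTTP/1.0\" 400 0\n";
    int n = snprintf(out, out_size, "%s - - [19/Jul/2001:13:22:09 +0000] \"GET /default.ida?", ip);
    if (n < 0 || (size_t)n + run + strlen(suffix) + 1 > out_size) return -1;
    memset(out + n, filler, run);
    strcpy(out + n + run, suffix);   /* bounded by the size check above */
    return 0;
}

/* Walks newline-separated log lines, returns the number that match and
 * copies the client IP (first field) of the first match into first_ip.
 * Lines longer than the scratch buffer are skipped rather than truncated. */
int count_code_red_probes(const char *log, char *first_ip, size_t ip_size)
{
    int hits = 0;
    const char *line = log;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[1024];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (is_code_red_probe(buf)) {
                if (hits == 0 && first_ip && ip_size > 0) {
                    size_t iplen = strcspn(buf, " ");
                    if (iplen >= ip_size) iplen = ip_size - 1;
                    memcpy(first_ip, buf, iplen);
                    first_ip[iplen] = '\0';
                }
                hits++;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return hits;
}

/* Constructed three-line log: one ordinary request, one probe from
 * 192.0.2.77, one harmless request for /default.ida with a short query. */
int demo_code_red(char *first_ip, size_t ip_size)
{
    char probe[600], log[2048];
    if (make_probe_line(probe, sizeof probe, "192.0.2.77", 'N', 224) != 0) return -1;
    snprintf(log, sizeof log,
        "10.0.0.5 - - [19/Jul/2001:13:22:01 +0000] \"GET /index.html HTTP/1.0\" 200 1234\n"
        "%s"
        "10.0.0.6 - - [19/Jul/2001:13:22:30 +0000] \"GET /default.ida?q=1 HTTP/1.0\" 404 0\n",
        probe);
    return count_code_red_probes(log, first_ip, ip_size);
}
```

Matching on the request shape rather than on an exact byte string is what makes the check survive the variants: Code Red II changed the filler byte and the code after the escapes, but not the target path or the padding-then-%u structure.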

  21. Blaster Worm • Released Aug. 11, 2003 • Affected Windows XP and Windows 2000 systems • Carried a payload: a DDoS attack against Microsoft's windowsupdate.com (starting Aug. 16) • Spread fast • Scanned address ranges for vulnerable systems • Exploited a buffer overflow in the interface between Windows Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC) (MS03-026) • Gained SYSTEM privileges through crafted RPC packets over TCP • The unreliable exploit often crashed the RPC service and rebooted the machine, which kept users from downloading patches

  22. Blaster Worm • Used port scanning • TCP port 135, used by RPC • Exploit opened a remote shell on TCP port 4444 • Through that shell, initiated a TFTP (UDP port 69) request back to the attacker to download the worm binary • Computer is now an unwilling participant in the DDoS attack • An estimated 1.4 million computers affected • Patch had been released a month prior (July 16, 2003)
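The infection sequence on the slide (RPC exploit on 135, shell on 4444, TFTP fetch on 69) is also a detection signature: no legitimate host does those three things in that order. The following is an added example, not part of the presentation, that correlates constructed connection records into that chain. The record format, the 60-second window and the addresses are assumptions; the ports are the ones the slide and the worm's documented behaviour give.

```c
#include <string.h>

/* One connection record as a flow collector or IDS would emit it;
 * t is seconds since an arbitrary epoch. Records are assumed sorted by t. */
struct flow {
    const char *src;
    const char *dst;
    const char *proto;
    int dport;
    int t;
};

static int matches(const struct flow *f, const char *src, const char *dst,
                   const char *proto, int dport)
{
    return strcmp(f->src, src) == 0 && strcmp(f->dst, dst) == 0 &&
           strcmp(f->proto, proto) == 0 && f->dport == dport;
}

/* Blaster's observable chain: attacker -> victim TCP/135 (exploit),
 * attacker -> victim TCP/4444 (shell), victim -> attacker UDP/69 (TFTP
 * download of the worm). Returns how many (attacker, victim) pairs complete
 * the chain within `window` seconds of the port-135 contact; the first
 * attacker seen is written to *attacker (NULL if none). */
int blaster_chains(const struct flow *flows, size_t n, int window, const char **attacker)
{
    int hits = 0;
    if (attacker) *attacker = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!(strcmp(flows[i].proto, "tcp") == 0 && flows[i].dport == 135)) continue;
        const char *a = flows[i].src, *v = flows[i].dst;
        int shell_seen = 0, tftp_seen = 0;
        for (size_t j = i + 1; j < n && flows[j].t - flows[i].t <= window; j++) {
            if (!shell_seen && matches(&flows[j], a, v, "tcp", 4444))
                shell_seen = 1;            /* shell only counts after the exploit */
            else if (shell_seen && !tftp_seen && matches(&flows[j], v, a, "udp", 69))
                tftp_seen = 1;             /* TFTP only counts after the shell */
        }
        if (shell_seen && tftp_seen) {
            hits++;
            if (attacker && !*attacker) *attacker = a;
        }
    }
    return hits;
}

/* Constructed sample: one complete chain from 192.0.2.10 against 10.0.0.7,
 * a lone port-135 probe from 198.51.100.3 that went nowhere, and an
 * unrelated DNS lookup in between. */
static const struct flow SAMPLE_FLOWS[] = {
    {"198.51.100.3", "10.0.0.9",   "tcp",  135, 100},
    {"192.0.2.10",   "10.0.0.7",   "tcp",  135, 101},
    {"10.0.0.7",     "10.0.0.1",   "udp",   53, 102},
    {"192.0.2.10",   "10.0.0.7",   "tcp", 4444, 103},
    {"10.0.0.7",     "192.0.2.10", "udp",   69, 104},
};
#define SAMPLE_FLOWS_N (sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0])

int demo_blaster(const char **attacker)
{
    return blaster_chains(SAMPLE_FLOWS, SAMPLE_FLOWS_N, 60, attacker);
}
```

The ordering requirement matters: a bare connection to port 135 is routine Windows traffic, and a TFTP transfer on its own is common on networks with PXE boot or phone provisioning. Only the sequence, from the same pair of hosts and inside a short window, is specific to the worm.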

  23. Slammer Worm • Fastest-spreading worm to that date (Jan. 25, 2003) • Doubled in size every 8.5 seconds during its first minute • Infected 75,000 computers in 10 minutes • Used random scanning • Selected IP addresses at random to infect; given enough scans, eventually found all vulnerable hosts • Simple, fast scanner: the whole worm fit in a single 376-byte packet

  24. Slammer Worm • Carried no destructive payload: the scan traffic itself saturated links and slowed down the Internet in general, and knocked out various hosts as a side effect • Exploited a buffer overflow in the Resolution Service of Microsoft's SQL Server 2000 (MS02-039) • Transmitted a single UDP packet to port 1434 (not TCP, so no handshake: each infected host could scan as fast as its link allowed) • Patch had been available for six months before the attack occurred
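The slide's numbers (doubling every 8.5 s, 75,000 hosts in 10 minutes) come from the arithmetic of random scanning: each infected host finds new victims at a rate proportional to its scan rate and to the fraction of the address space that is still vulnerable. The following is an added example, not from the presentation, that steps the standard random-constant-spread model dI/dt = K·I·(1 - I/V), with K = scans_per_sec · V / 2^32, and uses it to show what patching does to the time scale. The 75,000-host population is the slide's figure; the per-host scan rate is a constructed value chosen so the early doubling time comes out at 8.5 s.

```c
#define IPV4_SPACE 4294967296.0   /* 2^32 addresses */

struct worm {
    double vulnerable;      /* V: hosts that can still be infected */
    double scans_per_sec;   /* s: probes each infected host sends per second */
};

/* Per-infected-host rate of finding new victims: K = s * V / 2^32.
 * Patching shrinks V and therefore K in direct proportion. */
double rcs_rate(struct worm w)
{
    return w.scans_per_sec * w.vulnerable / IPV4_SPACE;
}

/* One Euler step of dI/dt = K * I * (1 - I/V); never exceeds V. */
double rcs_step(double infected, struct worm w, double dt)
{
    double next = infected + dt * rcs_rate(w) * infected * (1.0 - infected / w.vulnerable);
    return next > w.vulnerable ? w.vulnerable : next;
}

/* Seconds until the infected count first reaches `target`, starting from i0.
 * Returns -1.0 if that does not happen within max_seconds. */
double rcs_time_to(double i0, double target, struct worm w, double dt, double max_seconds)
{
    double t = 0.0, i = i0;
    while (i < target) {
        if (t >= max_seconds) return -1.0;
        i = rcs_step(i, w, dt);
        t += dt;
    }
    return t;
}

/* Early-phase doubling time: time for one infected host to become two,
 * while (1 - I/V) is still about 1. Analytically this is ln 2 / K. */
double early_doubling_time(struct worm w)
{
    return rcs_time_to(1.0, 2.0, w, 0.01, 3600.0);
}

/* Time from a single seed until half the vulnerable population is infected. */
double time_to_half(struct worm w)
{
    return rcs_time_to(1.0, 0.5 * w.vulnerable, w, 0.01, 3600.0);
}

/* Constructed parameters: V = 75,000 (the slide's figure) and a scan rate
 * that gives K = ln 2 / 8.5 s, matching the slide's doubling time. */
static const struct worm SLAMMER_LIKE = { 75000.0, 4670.0 };

/* Same worm after half the population has applied the patch. */
static const struct worm HALF_PATCHED = { 37500.0, 4670.0 };
```

With these parameters the model puts half the population infected roughly two and a half minutes after the first host, and 90% a half minute later, which is why "download patches on a regular basis" only works if done before the worm appears: halving the vulnerable population halves K and merely doubles the doubling time to about 17 s. In the real event the growth slowed earlier than the model predicts because scan traffic saturated the infected hosts' links, but the early phase followed the curve.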

  25. Before the Slammer Worm hit

  26. Thirty minutes later …

  27. Sasser Worm • First noticed April 30, 2004 • Affected Windows XP and Windows 2000 • Needed no user action: connected directly to open ports • Exploited a buffer overflow in Microsoft's Local Security Authority Subsystem Service (LSASS) (MS04-011) • Delivered the exploit over TCP port 445 • Started an FTP server on the victim (TCP port 5554) and transferred itself from there • Patch was available (April 13, 2004) before the worm's release • Worm was likely reverse-engineered from the patch

  28. Countermeasures • Update the system • Download patches on a regular basis • Limits the time during which a vulnerability can be exploited • Update anti-virus software on a regular basis • Latest software uses heuristics • Identifies code common to worms and their variants • Configure the firewall properly • Disable unnecessary services, e.g. web and FTP servers, so there is less exposed code to exploit • Build systems to be secure from the start

  29. Summary • Worms are here to stay • Individuals do not have much choice of systems • Security is dependent on the developers of the product • Forced to use an insecure product knowing worms can attack it • Only solution is to not connect to the Internet, dig a hole and throw your router into the depths of the underworld

  30. Possible Alternatives • With minimal effort a user can greatly increase the security of his or her inherently insecure system • Patches and updates • Minimize the time between when a vulnerability is discovered and when it is fixed on your machine • Firewall • Limit access to the system so worms can't get in to start with • Simple procedures significantly reduce the extent to which worms can spread and cause damage

  31. Questions?
