Decoding And Understanding Internet Worms: Presented By Ryan Permeh & Dale Coddington

eEye Digital Security

Decoding and Understanding Internet Worms Presented by Ryan Permeh & Dale Coddington


Course Overview

I. Basic overview / history of worms
II. Worm analysis techniques
III. Worms – under the hood
IV. Worm defense techniques
V. The future of worms
VI. Questions and answers


Basic Overview / History of Worms

Internet Worms

Defined

A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.


Who Writes Them

• Hackers/Crackers
• Researchers
• Virus Writers


Worms vs. Viruses

• Viruses require interaction
• Worms act on their own
• Viruses use social attacks
• Worms use technical attacks


History

• Morris Internet Worm
  – Released in 1998
  – Overloaded VAX and Sun machines with invisible processes
  – 99 line program written by 23 year old Robert Tappan Morris
  – Exploit xyz


History

• First worms were actually designed and released in the 1980’s
• Worms were non-destructive and generally were released to perform helpful network tasks
  – Vampire worm: idle during the day; at night it would use spare CPU cycles to perform complex tasks that required the extra computing power


History

• Eventually negative aspects of worms came to light
  – An internal Xerox worm had crashed all the computers in a particular research center
  – When machines were restarted the worm re-propagated and crashed the machines again


Worm Analysis Techniques


Capture: Capturing from the Network

• Sniffers
• IDS
• Netcat listeners
• Specialized servers (earlybird, etc.)
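A script-form capture listener, added here as an example and not part of the eEye slides: it does what the netcat listener above does, binds a port, records the raw bytes one inbound connection sends, and saves them to a timestamped file for later dissection. The capture_with_sample() helper, the constructed request, and the loopback/ephemeral-port choice are assumptions made for the demo; a real sacrificial host would listen on the service port the worm targets and send nothing back.

```python
"""Minimal capture listener (netcat-listener equivalent) for recording what an
infected host sends to a port. Added example; not eEye's code."""
import os
import socket
import tempfile
import threading
import time


class CaptureListener:
    """Bind once; each capture_one() call records one inbound connection."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=1 << 20):
        # port=0 asks the OS for an ephemeral port (demo assumption); a goat
        # would bind the real service port, e.g. 80 for an HTTP worm.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.max_bytes = max_bytes

    def capture_one(self, timeout=30.0):
        """Accept one connection and return (peer_ip, raw_bytes).
        Nothing is ever sent back: a silent socket is enough to make a
        scanning worm deliver its request, and replying nothing keeps the
        listener from accidentally participating in the protocol."""
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        conn.settimeout(timeout)
        chunks, total = [], 0
        try:
            while total < self.max_bytes:
                chunk = conn.recv(65536)
                if not chunk:          # peer closed: capture complete
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass                       # peer waited for a reply; keep what arrived
        finally:
            conn.close()
        return peer[0], b"".join(chunks)

    def close(self):
        self.sock.close()


def save_capture(peer_ip, data, directory):
    """Write the raw bytes to <directory>/<unix_ts>_<peer>.bin; return the path."""
    name = f"{int(time.time())}_{peer_ip.replace('.', '_')}.bin"
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def capture_with_sample(payload):
    """Self-contained demo: a thread plays the infected host and sends a
    constructed request into the listener; returns the bytes recorded."""
    listener = CaptureListener()

    def fake_infected_host():
        with socket.create_connection(("127.0.0.1", listener.port)) as s:
            s.sendall(payload)

    t = threading.Thread(target=fake_infected_host)
    t.start()
    _peer, data = listener.capture_one(timeout=5.0)
    t.join()
    listener.close()
    return data


if __name__ == "__main__":
    # Constructed sample request; a real capture is whatever arrives on the port.
    sample = b"GET /index.html?" + b"A" * 64 + b" HTTP/1.0\r\nHost: goat\r\n\r\n"
    captured = capture_with_sample(sample)
    print(save_capture("127.0.0.1", captured, tempfile.gettempdir()), len(captured), "bytes")
```

The saved .bin file is the "baseless code" input the later IDA slides refer to: an exploit-style worm arrives as request data, so the capture, not a PE file, is what gets loaded into the disassembler.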


Capture: Capturing from Memory

• Memory dumps
• Memory searches
• Crashing to preserve memory


Capture: Capturing from Disk

• File searches
• File monitoring
• Open handles
• Email
• Replicated/infected files


Dissection / Disassembly: Loading

• Loading files in IDA
• Initial settings
• Trojans vs. exploit-style worms
  – Trojans load as programs
  – Exploits load as baseless code


Dissection / Disassembly: Defining

• Setting variables
• Examining functions
• Examining imports
• Examining strings
• Defining the flow of code


Dissection / Disassembly: Drilling

• Finding important code
  – Via imports
  – Via calls
  – Via strings


Debugging as a Disassembly Aid

• Examining in-memory constructs
• Runtime factors
  – Decryption/decoding
  – Variable sets, variable data
  – External factors: the code does not run in a void


Attaching to Worm Infected Processes

• Attach to process
• Debugging running processes
• Finding worm code in the process
• Forcing breaks in worm code


Sacrificial Goats / Goatnets: Isolation

• Disconnected
• Replicate important services
• Attempt to simulate a real environment


Sacrificial Goats / Goatnets: Infection

• Netcat injection
• Poison servers/clients
• Turn off AV, turn on tools


Sacrificial Goats / Goatnets: Analysis

• Debuggers
  – VC6 debugger
  – SoftICE
  – WinDbg
• Disassemblers
  – IDA
• Filemon
• Regmon
• TCPView Pro
• Procdump


Worms – Under the Hood


Code Red I: Infection

• .ida vulnerability
• Sent its entire copy in HTTP GET data
• Static worm


Code Red I: Propagation

• 100 threads of propagation
• HTTP spread
• Uses in-memory copy


Code Red I: Payload

• Attack whitehouse.gov
• Hook web page delivery


Code Red II: Infection

• .ida vulnerability
• Similar to Code Red I
• Leaves a trojan


Code Red II: Propagation

• Statistical distribution of random address, favoring topologically closer hosts


Code Red II: Payload

• Trojan horse
  – Trojan embedded in worm
  – Simple compression
  – Modifies web dirs
  – Multiple system weakenings
• Adds cmd.exe in web roots
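A disk-side check for this payload and for the "replicated/infected files" item under Capturing from Disk, added as an example and not eEye's tooling: it hashes every file under the web roots and reports any whose content matches the system command interpreter regardless of what it was renamed to, and more generally groups files by content hash so a worm's copies show up as a replica set. The directory layout, the file names (root.exe, d.exe) and the fake "cmd.exe" bytes are constructed for the demo; on a real host the reference path is the installed cmd.exe and the web roots are the IIS directories.

```python
"""Find replicated file content and copies of the command shell under web
roots. Added example; paths and file contents are constructed in a temp tree."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def find_replicas(root, min_copies=2):
    """Group every regular file under root by content hash; return
    {hash: [paths]} for hashes that occur at least min_copies times.
    A worm that drops copies of itself shows up as one large group."""
    by_hash = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                by_hash.setdefault(sha256_of(p), []).append(p)
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) >= min_copies}


def shell_copies_in_webroots(reference_shell, web_roots):
    """Return paths under web_roots whose content equals the reference shell
    binary. Matching on content, not name, catches renamed copies."""
    want = sha256_of(reference_shell)
    hits = []
    for root in web_roots:
        for dirpath, _, names in os.walk(root):
            for n in names:
                p = os.path.join(dirpath, n)
                if os.path.isfile(p) and not os.path.islink(p) and sha256_of(p) == want:
                    hits.append(p)
    return sorted(hits)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_sample_tree(base):
    """Constructed layout: a 'system' cmd.exe, two renamed copies under web
    roots, and one unrelated page. Returns (reference_path, [web_roots])."""
    sysdir = os.path.join(base, "system32")
    roots = [os.path.join(base, "inetpub", "scripts"),
             os.path.join(base, "inetpub", "wwwroot")]
    for d in [sysdir] + roots:
        os.makedirs(d, exist_ok=True)
    shell = b"MZ-fake-cmd-exe-bytes"          # stand-in for the real binary
    ref = os.path.join(sysdir, "cmd.exe")
    _write(ref, shell)
    _write(os.path.join(roots[0], "root.exe"), shell)   # renamed copy (assumed name)
    _write(os.path.join(roots[1], "index.htm"), b"<html>ok</html>")
    _write(os.path.join(roots[1], "d.exe"), shell)      # second renamed copy
    return ref, roots


def demo():
    """Build the sample tree in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as base:
        ref, roots = build_sample_tree(base)
        copies = shell_copies_in_webroots(ref, roots)
        replicas = find_replicas(base)
        return {
            "copy_names": [os.path.basename(p) for p in copies],
            "replica_groups": len(replicas),
            "replica_sizes": sorted(len(v) for v in replicas.values()),
        }


if __name__ == "__main__":
    print(demo())
```

Run against a real web root, pair this with the file-monitoring tools listed later (Filemon) so that a copy appearing after the scan is caught as well; a one-off hash sweep only sees what is already on disk.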


Nimda: Infection

• Outlook/IE vulnerability
• Unicode
• Double Decode
• Open shares


Nimda: Propagation

• Email
• Open shares
• Web servers


Nimda: Payload

• Opens guest share
• Infects system binaries
• Adds registry keys
• Adds itself to system startup


Worm Defense Techniques

Global Alerts / Dissemination

Standard Reporting Mechanisms

There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.


Data Sharing

• Individual network sensors sharing data with a central network console
• Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
• Sharing data between stores at ARIS, CERT, SANS and others


Statistical Analysis

• Having all the data poses new problems
  – Reduction of duplicate datasets
  – Large scale statistical analysis
  – Storage, processing, and network resources can be large
• Worms have distinct statistical signatures
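A worked example of the two points above and of the Code Red I infection slide, added here and not part of the eEye presentation: reports from overlapping sensors are deduplicated first, then each request is checked against a static signature (a request for a .ida resource carrying an oversized query, the shape of the Code Red exploit request described in the eEye advisories referenced at the end) and each source is scored on the statistical signature of a scanner, the number of distinct hosts it touched. The log line format with a leading sensor tag, the 200-byte query threshold, the three-host scan threshold, and all addresses and timestamps are constructed assumptions for the demo.

```python
"""Signature plus statistical detection over constructed sensor log lines,
with duplicate reports collapsed first. Added example; not eEye's data or code."""
import re
from collections import defaultdict

# Common-log-style line with a sensor tag in front (constructed format).
LINE_RE = re.compile(
    r'^(?P<sensor>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})$'
)

# Static signature: a .ida request whose query is far longer than any benign
# Indexing Service query. The threshold is an assumption for this demo.
IDA_RE = re.compile(r"\.ida\?(?P<query>\S+)", re.IGNORECASE)
IDA_MIN_QUERY = 200


def parse(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def dedupe(records):
    """Reduce duplicate datasets: the same request seen by two sensors is one event."""
    seen, out = set(), []
    for r in records:
        key = (r["src"], r["dst"], r["ts"], r["method"], r["path"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def is_ida_probe(path):
    m = IDA_RE.search(path)
    return bool(m) and len(m.group("query")) >= IDA_MIN_QUERY


def analyse(lines, scan_threshold=3):
    """Return events after dedupe, sources matching the .ida signature, and
    sources whose distinct-target count reaches scan_threshold."""
    records = dedupe([r for r in map(parse, lines) if r])
    targets = defaultdict(set)
    ida_sources = set()
    for r in records:
        targets[r["src"]].add(r["dst"])
        if is_ida_probe(r["path"]):
            ida_sources.add(r["src"])
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= scan_threshold}
    return {"events": len(records), "ida_sources": ida_sources, "scanners": scanners}


# Constructed sample: sensors A and B both see the first probe; 10.1.1.7 walks
# four hosts with oversized .ida queries; 10.9.9.9 is an ordinary client whose
# short .ida query must not trigger the signature.
PROBE = "N" * 224
SAMPLE = [
    'sensorA 10.1.1.7 192.0.2.10 [17/Jul/2001:10:00:01] "GET /default.ida?' + PROBE + ' HTTP/1.0" 200',
    'sensorB 10.1.1.7 192.0.2.10 [17/Jul/2001:10:00:01] "GET /default.ida?' + PROBE + ' HTTP/1.0" 200',
    'sensorA 10.1.1.7 192.0.2.11 [17/Jul/2001:10:00:02] "GET /default.ida?' + PROBE + ' HTTP/1.0" 200',
    'sensorA 10.1.1.7 192.0.2.12 [17/Jul/2001:10:00:03] "GET /default.ida?' + PROBE + ' HTTP/1.0" 404',
    'sensorB 10.1.1.7 192.0.2.13 [17/Jul/2001:10:00:04] "GET /default.ida?' + PROBE + ' HTTP/1.0" 200',
    'sensorA 10.9.9.9 192.0.2.10 [17/Jul/2001:10:00:05] "GET /index.html HTTP/1.0" 200',
    'sensorA 10.9.9.9 192.0.2.10 [17/Jul/2001:10:00:06] "GET /search.ida?q=printers HTTP/1.0" 200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The static check is what a signature IDS carries; the distinct-target count is the kind of signal that survives a changed payload, which matters for the polymorphic and keyed worms discussed later, where the bytes on the wire differ per infection but the fan-out pattern does not.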

Environment

Modifying Aspects of a Worm's Environment

• Lysine deficiencies
• Monoculture
• Assumptions
  – Network addresses
  – Memory locations
  – Architecture

Counter Worms

Using Aspects of a Worm to Stop the Spread

• Uses the same propagation
• Contains a fix, or the code needed to identify the worm
• Should contain extreme limits
• Generally not well regarded


The Future of Worms

Multiple Attack Vectors

Client and Server-Side Flaws

• Buffer overflows
• Format string attacks
• Design flaws
• Open shares
• Misconfigurations

Encryption / Obfuscation / Polymorphism

Covert Channel / Stealth Worms

• Hiding in plain sight
• ICMP
• Encoding in a normal data stream
• Nonstandard channels


Keyed Payloads

• Keying a worm before sending, requiring the worm to “call back” to decode itself
• Clear-text worm never transmits
• Higher chance of missing key transmissions, less likely to get a worm to disassemble


Standard Polymorphic/Mutation Techniques

• Worms meet viruses
• Continuously changing itself
• Brute forcing new offsets
• Adapting to the environment to become “more fit”

Bigger Scope

Flash Worms

• Faster, more accurate spread
• Complete spread to all possible targets in 5-20 minutes
• Very low false positive rate
• Too fast to analyze/disseminate information


Intelligent Worms

• Worms meet AI
• Worm-infected hosts communicating in a p2p method
• Exchanging information on targeting, propagation, or new infection methods
• Agent-like behavior


Multi-Platform / OS Worms

• Multi-OS shellcode
• Attacking multiple different vulnerabilities on multiple platforms
• Single worm code, large attackable base


Questions and Answers?


References

• eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html

• eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html


Contact Information

• Ryan [email protected]

• Dale Coddington [email protected]
