1. CHAPTER 5
Worms and Other
Malware
Slides adapted from "Foundations of Security: What Every Programmer
Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan
(ISBN 1590597842; http://www.foundationsofsecurity.com). Except as
otherwise noted, the content of this presentation is licensed under the
Creative Commons 3.0 License.
2. Agenda
Worms spreading across Internet through
vulnerabilities in software
History of Worms
Morris Worm
Code Red
Nimda
Blaster & SQL Slammer
Rootkits, Botnets, Spyware, and more Malware
3. 5.1. What Is a Worm?
Virus: program that copies itself into other
programs
Could be transferred through infected disks
Rate dependent on human use
Worm: a virus that uses the network to copy
itself onto other computers
Worms propagate faster than viruses
Large # of computers to infect
Connecting is fast (milliseconds)
4. 5.2. An Abridged History of
Worms
Examples of how worms affect operation of
entire Internet
First Internet worm: Morris Worm (1988)
Code Red (2001)
Nimda (2001)
Blaster (2003)
SQL Slammer (2003)
5. 5.2.1. Morris Worm: What It Did
Damage: 6000 computers in just a few hours
Extensive network traffic by worm propagating
What: just copied itself; didn’t touch data
Exploited and used:
buffer overflow in fingerd (UNIX)
sendmail debug mode (execute arbitrary commands
such as copying worm to another machine)
dictionary of 432 frequently used passwords to log in
and remotely execute commands via rexec, rsh
6. 5.2.2. The Morris Worm:
What We Learned
Diversity is good: Homogeneity of OSes on
network -> attacker can exploit vulnerabilities
common to most machines
Large programs more vulnerable to attack
sendmail was large, more bug-prone
fingerd was small, but still buggy
Limiting features limits holes: sendmail debug
feature should have been turned off
Users should choose good passwords:
dictionary attack would have been harder
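The password lesson above, as an added example that is not from the book or the slides: a check that rejects the guesses the Morris worm tried first (empty password, the account name, the name doubled or reversed) before it fell back to its word list. The DICT entries, the reason codes and the MIN_LEN floor are assumptions for illustration; the worm's real list had 432 words, this one a handful.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the worm's word list (the real one had 432 entries). */
static const char *const DICT[] = {
    "password", "secret", "wizard", "aaa", "academia", "computer",
    "cookie", "dragon", "letmein", "qwerty"
};
#define MIN_LEN 12   /* assumed length floor; not part of the original material */

/* Lower-case copy, bounded by cap (room for the NUL is reserved). */
static void lower_copy(char *dst, size_t cap, const char *src) {
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < cap; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_in_place(char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) { char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t; }
}

/* Returns 0 if pw survives the worm's strategy, else a reason code:
 * 1 = empty, 2 = derived from the account name (name, name doubled,
 * name reversed), 3 = in the word list, 4 = shorter than MIN_LEN.
 * Comparisons are case-insensitive because guessers try case variants too. */
int password_is_weak(const char *user, const char *pw) {
    char p[256], u[128], d[256];
    if (pw[0] == '\0') return 1;
    lower_copy(p, sizeof p, pw);
    lower_copy(u, sizeof u, user);
    if (strcmp(p, u) == 0) return 2;                 /* "rtm"    */
    snprintf(d, sizeof d, "%s%s", u, u);
    if (strcmp(p, d) == 0) return 2;                 /* "rtmrtm" */
    reverse_in_place(u);
    if (strcmp(p, u) == 0) return 2;                 /* "mtr"    */
    for (size_t i = 0; i < sizeof DICT / sizeof DICT[0]; i++)
        if (strcmp(p, DICT[i]) == 0) return 3;
    if (strlen(pw) < MIN_LEN) return 4;
    return 0;
}

int main(void) {
    const char *tests[] = {"", "rtm", "mtr", "Wizard", "x7$q", "correct horse battery staple"};
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-30s -> %d\n", tests[i], password_is_weak("rtm", tests[i]));
    return 0;
}
```

The derived-name checks matter as much as the word list: a password that is not in any dictionary but is the account name spelled backwards still falls on the worm's first few attempts.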
7. 5.2.3. The Creation of CERT
Computer Emergency Response Team (CERT)
created due to damage and disruption caused
by Morris worm
Has become a leading center on worm activity
and software vulnerability announcements
Raises awareness about cyber-security
8. 5.2.4. The Code Red Worm (1)
Exploited
buffer overflow in Microsoft IIS web server (the
“indexing server” extension); once running, randomly
scanned IP addresses to connect to and infect other IIS servers
Spread rapidly: > 2,000 hosts/min
Evaded automated detection
Detectable more easily by humans than scanners
Resident only in memory, no disk writes
Defaced home page of infected server
10. 5.2.5. The Nimda Worm
Propagation vector: method by which worm
spreads to another machine
Payload: data worm carries as it travels
Spread rapidly; compounded the damage done by Code Red
Used multiple propagation vectors
Spread from server to server (as in Code Red)
But also from server to client (a browser that downloaded
an infected file from a compromised server also became infected)
Infected client sent e-mails with worm code as
payload
11. 5.2.6. Blaster Worm
Exploited
buffer overflow in Microsoft Windows RPC/DCOM (Distributed
Component Object Model) service
Patch had been released, but many users hadn’t installed it
Caused infected machine to shut down
Issued a DDoS attack against Windows Update
website to prevent users from getting the patch
13. 5.2.6. SQL Slammer Worm
Exploited another buffer overflow
Entire worm fit in a single 376-byte UDP packet
UDP connectionless -> spread quickly
Infected ~75,000 hosts, 90% of them within 10 mins.
Attacked Microsoft SQL Server DB App
Disabled server, scanned random IPs to infect
Impact
Excessive traffic due to the worm propagating caused
outages in 13,000 BofA ATMs
Airline flights were cancelled & delayed
14. 5.3. More Malware
Rootkits: imposter OS tools used by attacker to
hide his tracks
Botnets: network of software robots attacker
uses to control many machines at once to
launch attacks (e.g. DDoS through packet
flooding, click fraud)
Spyware: software that monitors activity of a
system or its users without their consent
15. 5.3. More Malware
Keyloggers: spyware that monitors user
keyboard or mouse input, used to steal
usernames, passwords, credit card #s, etc…
Trojan Horses: software performs additional or
different functions than advertised
Adware: shows ads to users w/o their consent
Clickbots: bot that clicks on ads, leads to click
fraud (against cost-per-click or CPC ad models)
16. 5.3. Distributing Malware¹
Most malware is distributed through drive-by
downloads (i.e. automatic installation of a binary
when visiting a website)
Uses pull-based model (e.g. links)
Maximizes exposure by getting as many links as
possible to malware distribution site
Search engines such as Google
mark pages as potentially
malicious to prevent
¹ Source: N. Provos et al., “The Ghost in the Browser: Analysis of Web-based Malware”
17. 5.3. Clickbot.A Botnet² (1)
Over 100,000 machines, HTTP-based botmaster
Conducted low-noise click fraud against
syndicated search engines
Syndication: get feeds of ad impressions
Sub-Syndication: partner with a syndicated engine
All get a share of revenue from click
Only 7 of 24 anti-virus scanners detected it (May 2006)
Bot: IE browser helper object (BHO), capable of
accessing the entire DOM of web pages
Botmaster: written in PHP with MySQL backend
18. 5.3. Clickbot.A Botnet² (2)
Used doorway-sites (w/ links for bots to click)
posing as sub-syndicated search engines
Fine-grained control for botmaster
Low noise: set maxclicks bots could do to 20
Used redirectors & several layers below major search
engine (harder to detect/track)
² Source: N. Daswani et al., “The Anatomy of Clickbot.A”
19. Summary
Worms propagate rapidly, exploit common
vulnerabilities and cause widespread damage
Prevention
Eliminate Buffer Overflows (Programmers)
Don’t open email attachments (Users, SAs)
Disable unnecessary functionality (Users, SAs)
Patch systems regularly (SAs)
Detection
Update scanners with latest definitions
Use auto-updating scanners when possible
Employ programs such as Tripwire (SAs)
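The Tripwire-style check from the Detection list, as an added example that is neither Tripwire's code nor the book's: a baseline of SHA-256 digests over a constructed set of "binaries", re-verified after one of them has been swapped, which is how a rootkit's impostor ps gets caught. The file table and contents are constructed inline, and the SHA-256 is a compact self-contained implementation so the block runs offline; in production take the digest from a vetted library.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compact SHA-256 (FIPS 180-4), included only so this example is self-contained. */
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };

static void sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    /* Pad to a 64-byte multiple: msg || 0x80 || zeros || 64-bit big-endian bit length. */
    size_t total = ((len + 8) / 64 + 1) * 64;
    uint8_t *buf = calloc(total, 1);
    if (!buf) abort();
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[total - 1 - i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < total; off += 64) {
        uint32_t w[64], v[8];
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)buf[off + 4*i] << 24 | (uint32_t)buf[off + 4*i + 1] << 16
                 | (uint32_t)buf[off + 4*i + 2] << 8 | buf[off + 4*i + 3];
        for (int i = 16; i < 64; i++)
            w[i] = w[i-16] + (ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3))
                 + w[i-7] + (ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10));
        memcpy(v, h, sizeof v);                       /* v = a,b,c,d,e,f,g,h */
        for (int i = 0; i < 64; i++) {
            uint32_t t1 = v[7] + (ROTR(v[4], 6) ^ ROTR(v[4], 11) ^ ROTR(v[4], 25))
                        + ((v[4] & v[5]) ^ (~v[4] & v[6])) + K[i] + w[i];
            uint32_t t2 = (ROTR(v[0], 2) ^ ROTR(v[0], 13) ^ ROTR(v[0], 22))
                        + ((v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]));
            memmove(v + 1, v, 7 * sizeof v[0]);      /* b..h = a..g */
            v[4] += t1;                               /* e = d + t1 */
            v[0] = t1 + t2;                           /* a = t1 + t2 */
        }
        for (int i = 0; i < 8; i++) h[i] += v[i];
    }
    free(buf);
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(h[i] >> (24 - 8*j));
}

/* 1 if SHA-256(s) equals the given lowercase hex digest (used to self-check the hash). */
static int sha256_matches(const char *s, const char *expected_hex) {
    uint8_t d[32]; char hex[65];
    sha256((const uint8_t *)s, strlen(s), d);
    for (int i = 0; i < 32; i++) sprintf(hex + 2 * i, "%02x", d[i]);
    return strcmp(hex, expected_hex) == 0;
}

/* Integrity database: one digest per monitored path. */
struct entry { const char *path; uint8_t digest[32]; };

static void baseline(struct entry *tab, size_t n, const char *const *content) {
    for (size_t i = 0; i < n; i++)
        sha256((const uint8_t *)content[i], strlen(content[i]), tab[i].digest);
}

/* Re-hash current contents, report every mismatch, return how many changed. */
static int verify(const struct entry *tab, size_t n, const char *const *content) {
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t now[32];
        sha256((const uint8_t *)content[i], strlen(content[i]), now);
        if (memcmp(now, tab[i].digest, 32) != 0) { printf("MODIFIED: %s\n", tab[i].path); changed++; }
    }
    return changed;
}

/* Constructed scenario: three "binaries" are baselined, then a rootkit swaps ps. */
static int demo_detect_rootkit(void) {
    struct entry tab[3] = {{"/bin/ls", {0}}, {"/bin/ps", {0}}, {"/bin/netstat", {0}}};
    const char *clean[3] = {"ls v1 (constructed)", "ps v1 (constructed)", "netstat v1 (constructed)"};
    const char *after[3] = {"ls v1 (constructed)", "ps v1 (constructed) + hide attacker pids", "netstat v1 (constructed)"};
    baseline(tab, 3, clean);
    return verify(tab, 3, after);
}

int main(void) {
    printf("changed files: %d\n", demo_detect_rootkit());
    return 0;
}
```

Two caveats a practitioner will want: the baseline must live where the attacker cannot rewrite it (read-only or offline media), and a kernel-level rootkit can lie to the checker about what a file contains, so the comparison is only trustworthy when run from a known-clean boot.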
Editor's Notes
Welcome to SEC103 on Secure Programming Techniques. In this course, I assume that you have some background in computer security, but now you want to put that background to use. For example, in the Computer Security Principles and Introduction to Cryptography courses, we cover topics concerning trust and encryption. In this course, we put these principles into practice, and I’ll show you how to write secure code that builds security into your applications from the ground up.
First, what we are going to do is survey some of the most popular and serious viruses and worms that have wreaked havoc by taking advantage of buffer overflow vulnerabilities in widely deployed programs. For the purposes of this course, we define a virus as a computer program that is capable of making copies of itself and inserting those copies into other programs. Viruses may copy themselves onto other programs stored on a computer’s hard disk or onto floppy disks inserted into the computer. A worm is a virus that is capable not only of copying itself into other programs on the hard or floppy disks attached to a particular computer, but also of using a computer network to copy itself onto other computers (and/or the disks attached to them). While computer viruses are a serious threat, the amount of damage they can cause is limited by the number of floppy disks that are infected and then inserted into other computers. Worms, on the other hand, spread much more quickly than viruses, since a computer infected with a worm can constantly make connections to other computers anywhere on the network and infect them. More info in “White-Hat” Security Arsenal by Avi Rubin.
The first worm to spread across the Internet was the Morris worm (named after Robert Morris). When Robert Morris first deployed his worm, it was able to infect over 6000 computers within just a few hours, at a rate of hundreds of computers a minute. A computer virus would spread much more slowly, since new computers could only be infected at the rate at which floppy disks are inserted into infected computers and then used in uninfected ones. The rate at which a virus can spread would thus be much lower than hundreds per minute, because the virus requires the help of a human operator to move from one computer to another. A worm such as the Morris worm, however, was able to spread very quickly because it did not need the assistance of a human operator: as long as an infected computer was connected to the network, it could contact other uninfected computers on the network and spread to them. So what did the Morris worm do? Luckily, all that it did was make copies of itself on other computers on the network. But that in itself was enough to cause significant damage. The network traffic generated by the worm scanning for other computers to infect was significant, as was the effort required by systems administrators to determine whether a particular computer was infected and to remove it. How did the Morris worm work? Once it started running, it would scan the files /etc/hosts.equiv and /.rhosts to find other machines to attack. It would then try to log in remotely to some of these hosts as one “vector” (method) of attack. The Morris worm had a dictionary of 432 “common” passwords that it would try in order to break into user accounts. If the worm could not log in to other hosts directly, it used two additional attack vectors.
The first was a buffer overflow vulnerability in fingerd, and the second was a bug in the sendmail program that is used to route e-mail in UNIX. We will talk about buffer overflow vulnerabilities later in this course. The particular buffer overflow vulnerability that the Morris worm took advantage of was in fingerd, a program installed on UNIX systems. finger is a program that lets you check whether or not a particular user is logged in, and fingerd is the “finger daemon” (server) that was installed by default on most UNIX systems of the day. fingerd read each request with gets() into a fixed 512-byte stack buffer, so an overlong request overwrote what lay beyond the buffer, including the function’s return address. The Morris worm leveraged the fact that fingerd was so widely installed to propagate from one UNIX machine to the next. The second vulnerability was a programming bug in the sendmail program. sendmail is used to route e-mail from one UNIX host to another, and it had a debugging “feature” that Morris took advantage of to remotely execute code on another machine. Of course, the debugging mode should have been disabled on production UNIX systems, but the fact that it wasn’t highlights a problem that is still around today: making sure that systems are correctly configured to run securely.
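The fingerd pattern described above, as an added example that is not code from the book, the slides or the original fingerd: a model of the vulnerable unbounded line copy next to a bounded replacement that rejects oversized requests instead of truncating them. The request arrives as a constructed in-memory string rather than from a socket; LINE_MAX_FINGER, the function names and the ‘A’-filled test requests are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_FINGER 512   /* 4.3BSD fingerd read the request into a 512-byte buffer */

/* The vulnerable pattern: copy bytes up to the newline with no bound, which is
 * what gets(line) did in the 1988 fingerd.  Returns the number of bytes copied.
 * Fed a request longer than the buffer (the worm's was 536 bytes) it writes past
 * the end; this example only ever calls it with short, benign input. */
static size_t read_request_unbounded(const char *wire, char *line) {
    size_t n = 0;
    while (wire[n] != '\0' && wire[n] != '\n') { line[n] = wire[n]; n++; }
    line[n] = '\0';
    return n;
}

/* Hardened replacement: never writes more than cap bytes (NUL included).
 * A request that does not fit is rejected with -1 rather than silently
 * truncated, so a cut-off name can never be looked up as if it were valid. */
static int read_request_bounded(const char *wire, char *line, size_t cap) {
    size_t n = 0;
    while (wire[n] != '\0' && wire[n] != '\n') {
        if (n + 1 >= cap) { line[0] = '\0'; return -1; }
        line[n] = wire[n];
        n++;
    }
    line[n] = '\0';
    return (int)n;
}

/* One finger request is "user\r\n" ("\r\n" alone asks who is logged in).
 * Copies the requested user name into user[cap]; returns 0, or -1 if the
 * request was oversized and has been dropped. */
static int handle_finger(const char *wire, char *user, size_t cap) {
    char line[LINE_MAX_FINGER];
    int n = read_request_bounded(wire, line, sizeof line);
    if (n < 0) return -1;
    if (n > 0 && line[n - 1] == '\r') line[--n] = '\0';   /* strip the CR */
    snprintf(user, cap, "%s", line);
    return 0;
}

/* Constructed request of len 'A's followed by CRLF, run through the hardened
 * handler.  510 fits (510 + CR < 512); 511 and the worm's 536 do not. */
static int finger_request_of_length(size_t len) {
    static char wire[1024];
    char user[LINE_MAX_FINGER];
    if (len > sizeof wire - 3) return -2;
    memset(wire, 'A', len);
    wire[len] = '\r'; wire[len + 1] = '\n'; wire[len + 2] = '\0';
    return handle_finger(wire, user, sizeof user);
}

/* Benign call of the unbounded version (short input), for comparison. */
static size_t unbounded_short_request(void) {
    char line[LINE_MAX_FINGER];
    return read_request_unbounded("rtm\r\n", line);    /* 4 bytes: "rtm\r" */
}

int main(void) {
    printf("unbounded, short request: %zu bytes\n", unbounded_short_request());
    printf("bounded, 510 bytes: %d\n", finger_request_of_length(510));
    printf("bounded, 536 bytes (Morris worm size): %d\n", finger_request_of_length(536));
    return 0;
}
```

The two readers differ by one comparison. The bounded version also refuses rather than truncates because a silently shortened request is its own bug class: the trailing bytes would be read as the next request by a server that loops.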
Aside from the technical details of the worm and how it worked, we learned a number of other lessons from the Morris worm. Diversity: if all the computers run the same operating system, they all have the same operating system vulnerabilities. Complexity: writing bug-free software is hard. The more lines of code, the more bugs; the more bugs, the greater the likelihood that one of them results in an exploitable security vulnerability. Good passwords will minimize the effectiveness of dictionary attacks.
CERT: Computer Emergency Response Team. What if the Morris worm had done something serious? Would shutting down servers be a good idea?
There are various things that programmers, systems admins, and users can do. Programmers should eliminate buffer overflows. Users should not open attachments. Sys admins can auto-strip e-mail attachments. Sys admins and users can disable unnecessary functionality, and use firewalls to restrict access to ports that shouldn’t be used and may be vulnerable.