CSC 6575: Internet Security, Fall 2017 (lecture slides; source: users.csc.tntech.edu/~marahman/courses/CSC_6575/Lecture...)

Mohammad Ashiqur Rahman
Department of Computer Science, College of Engineering
Tennessee Tech University

Worm Malware

CSC 6575: Internet Security, Fall 2017

Agenda
- Worm
- Famous Worms
- Worm vs. Virus
- Worm Life: Components/Stages
- Virus Detection
- Anti-virus
- More about Known Worms

Mohammad Ashiq Rahman, Tennessee Tech University

What is a Worm?
- Similar to a virus, but propagates itself through the Internet by breaking into machines.
- Main goal: to bring down and deny access to networks and services.
- Does things by itself:
  - Does not rely on user intervention.
  - Does not rely on being transmitted physically (i.e., through portable disks).
  - Does not rely on being emailed or transferred by the user.
- A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.

Famous(!) Worms
- Morris Internet worm: the first computer worm, noticed in November 1988.
- Other famous worms:
  - MyDoom, 2004
  - Sobig.F, 2003
  - ILOVEYOU (Love Bug), 2000
  - Conficker, 2008
  - Code Red, 2001
  - Melissa, 1999
  - Nimda (reverse of admiN), 2001
  - Linux/Ramen, 2001
  - Stuxnet, 2010: the first malware to attack SCADA systems. It started through a physical copy!

Viruses vs. Worms

How does it infect a computer system?
- Virus: It inserts itself into a file or executable program.
- Worm: It exploits a weakness in an application or operating system by replicating itself.

How can it spread?
- Virus: It has to rely on users transferring infected files/programs to other computer systems.
- Worm: It can use a network to replicate itself to other computer systems without user intervention.

Does it infect files?
- Virus: Yes, it deletes or modifies files. Sometimes a virus also changes the location of files.
- Worm: Usually not. Worms usually only monopolize the CPU and memory.

Which is faster?
- Virus: A virus is slower than a worm.
- Worm: A worm is faster than a virus. E.g., the Code Red worm affected 0.3 million PCs in just 14 hours.

Definition
- Virus: Program code that attaches itself to an application program; when the application program runs, the virus runs along with it.
- Worm: Code that replicates itself in order to consume resources and bring the system down.

Source: http://www.diffen.com/difference/Computer_Virus_vs_Computer_Worm

About the Morris Internet Worm
- Robert Morris, a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating/propagating 99-line program.
- He released it to the Internet from MIT on November 2, 1988, to disguise its origin (Cornell).
- Morris soon discovered that the program was replicating and infecting machines at a much faster rate than he had predicted. Ultimately, many machines either crashed or became "catatonic."
- Morris realized that things were getting worse. He contacted a friend at Harvard to discuss a solution. They sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent re-infection.
- It was estimated that around 10% of the machines connected to the Internet were infected: 6,000 machines out of 60,000.
- The U.S. Government Accountability Office put the cost of the damage at $100,000–10,000,000.

How Were 10% of the Machines Brought Down?
- The worm was written utilizing various Unix security holes:
  - Sendmail, finger, and rsh/rexec: it could execute remote commands on the system.
  - Weak passwords: it obtained user lists and ran a dictionary attack of 432 "common" passwords against them.

Why Weren't All Machines Down?
- It didn't alter or destroy files.
- It didn't save or transmit the passwords which it cracked.
- No special attempt was made to gain/utilize root access on a system.
- It didn't place copies of itself into memory to be executed at a later time.
- It targeted only DEC VAX machines running 4BSD, and Sun-3 systems.
- It only attacked machines attached to the Internet. It didn't travel from machine to machine via disk.

Worm: Six Components/Stages
A worm needs some generic capabilities to be successful:
- Reconnaissance
- Specific Attacks
- Command Interface
- Communication Mechanisms
- Intelligence
- Unused Attacks

Reconnaissance
- Information gathering capabilities of a worm
- Target identification: automated
  - Active methods: scanning
  - Passive methods: remote OS fingerprinting, traffic analysis

Specific Attacks
- Through this capability a worm gains entry and, if need be, escalates privileges on another system.
- Exploits the vulnerabilities: buffer overflows, cgi-bin errors, etc.; Trojan horse injections
- Limited in targets: the system type being targeted and the vulnerabilities that exist there
- Two components of the payload execution:
  - Local: run on the infected machine
  - Remote: run on the machine targeted

Command Interface
- Interface to the compromised system:
  - Interactive, where a remote control shell is obtained
  - Automatic, where the node is under the control of some master
  - Backdoor entry with administrative access
- Allows a master-slave node relationship
- Network client: accepts instructions from the attacker (person) or from another worm node

Communications
- Information and command transfer: the worm must have some form of communication, since the nodes of the worm network reside on different systems.
- Protocols
- Stealth concerns: communication channels are usually kept hidden by the worm using techniques such as rootkits.

Intelligence
- Knowledge of other nodes, needed to act as a group
- A database of infected nodes: network locations; an update message from each newly acquired node
- Intelligence type: concrete vs. abstract; complete vs. incomplete

Unused Attacks
- Maintains a set of capabilities to launch attacks
- Adapts itself to new targets; leverages the system's flexibility
- Allows for a thinner worm base (small payload)
- Worms usually carry with them their collection of exploits, including ones that are not used.

Worm Propagation: Central Source Propagation
- This type of propagation involves a central source location.
- After a computer is infected, it locates a source from which it can get code to copy into the compromised computer.
- After infecting the current computer, it finds the next computer. Then everything starts over again.
- The Lion worm is this kind of worm.

Worm Propagation (2): Back-Chaining Propagation
- The attacking computer initiates a file transfer to the victim computer.
- After initiation, the attacking computer can then send files and any payload over to the victim without intervention.
- The victim becomes the attacking computer in the next cycle, with a new victim.
- More reliable than central source propagation, because the central source's data can be cut off.
- The Cheese worm is an example of this type of propagation.

Worm Propagation (3): Autonomous Propagation
- Attacks the victim computer and inserts the attack instructions directly into the processing space of the victim computer.
- As a result, the next attack cycle initiates without any additional file transfer.
- The Morris and Code Red worms are examples of this type.
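The three propagation mechanisms above differ in how code reaches the next victim, but how fast any network-propagating worm spreads (the comparison table earlier cites Code Red reaching 0.3 million PCs in 14 hours) is governed by how quickly infected hosts find the remaining vulnerable ones. The Python simulation below is an added illustration, not code from the lecture: it models an autonomously propagating, random-scanning worm in a simplified, deterministic way in which every infected host probes a fixed number of random addresses per time step and each probe that lands on a not-yet-infected vulnerable host infects it immediately. The address-space size, vulnerable population and scan rate are constructed assumptions chosen to keep the run short; the function names are the example's own.

```python
"""Simplified random-scanning worm growth model (added illustration; not the lecture's code).

Assumptions (all constructed for illustration):
- an address space of `address_space` addresses, of which `vulnerable` hosts are exploitable;
- each infected host probes `scans_per_tick` uniformly random addresses per time step;
- a probe that hits a vulnerable, not-yet-infected host infects it immediately
  (autonomous propagation: no separate file transfer is modelled).
The model tracks the *expected* number of infected hosts, so it is deterministic.
"""


def simulate_random_scanning_worm(vulnerable, address_space, scans_per_tick, ticks, initial=1):
    """Return a list of expected infected-host counts, one entry per tick (index 0 = start)."""
    if not 0 < initial <= vulnerable <= address_space:
        raise ValueError("need 0 < initial <= vulnerable <= address_space")
    series = [float(initial)]
    for _ in range(ticks):
        infected = series[-1]
        # Probability that one random probe lands on a still-uninfected vulnerable host.
        p_hit = (vulnerable - infected) / address_space
        expected_new = infected * scans_per_tick * p_hit
        # Never exceed the vulnerable population (the model saturates there).
        series.append(min(float(vulnerable), infected + expected_new))
    return series


def ticks_to_fraction(series, vulnerable, fraction):
    """First tick at which the expected infected count reaches `fraction` of the vulnerable hosts,
    or None if the run ends before that point."""
    target = fraction * vulnerable
    for tick, infected in enumerate(series):
        if infected >= target:
            return tick
    return None


if __name__ == "__main__":
    # Constructed scenario: 1,000 vulnerable hosts in a 1,000,000-address space,
    # 10 probes per infected host per tick, starting from a single infected host.
    run = simulate_random_scanning_worm(vulnerable=1000, address_space=1_000_000,
                                        scans_per_tick=10, ticks=1500)
    print("ticks to 50% infected:", ticks_to_fraction(run, 1000, 0.5))
    print("ticks to 90% infected:", ticks_to_fraction(run, 1000, 0.9))
    # Halving the vulnerable population (i.e., patching half the hosts) roughly halves
    # the early growth rate, so the same coverage takes much longer.
    patched = simulate_random_scanning_worm(vulnerable=500, address_space=1_000_000,
                                            scans_per_tick=10, ticks=3000)
    print("ticks to 90% with half the hosts patched:", ticks_to_fraction(patched, 500, 0.9))
```

The growth is logistic: slow while few hosts scan, explosive once many do, then saturating as probes increasingly hit already-infected hosts. The early growth rate is proportional to scans_per_tick times vulnerable divided by address_space, which is why shrinking the vulnerable population through patching, rather than slowing individual scans, is the lever defenders control.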

More About Worms
- Unix worm: Ramen
- Windows worms:
  - Code Red: infected over 250,000 systems in 9 hours on July 19, 2001.
  - Conficker: infected millions of computers, including government, business, and home computers, in over 190 countries.
  - Stuxnet

Ramen Worm
- First discovered in January 2001
- Attacks Red Hat Linux 6.2 and 7.0 systems
- Uses well-known exploits against rpc.statd, wu-ftpd and LPRng to gain access.
- The worm randomly selects a class B address: it starts by running a shell script called start.sh, which calls a random number generator that returns a random class B subnet IP address. The worm then attempts to copy itself to these IP addresses.
- The worm starts an HTTP server on port 27374 from which newly infected machines download its code.

Code Red
- Code Red was observed on the Internet on July 15, 2001.
- Targets computers running Microsoft's Internet Information Server (IIS).
- Exploits a buffer overflow vulnerability in "idq.dll", which provides support for Internet Data Administration script files and Internet Data Query files for indexing services.
- The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on the server.
- It uses a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

Code Red (2): What did Code Red do?
- Vandalized the affected web site to display: "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
- Performed activities based on the day of the month:
  - Days 1–19: tried to spread itself by looking for more IIS servers on the Internet.
  - Days 20–27: launched denial-of-service attacks on several fixed IP addresses; the IP address of the White House web server was among those.
  - Days 28–end: slept, with no active attacks.

Code Red II
- Code Red II is similar to the Code Red worm. It was released two weeks after Code Red.
- It also exploits a security hole in the indexing software included as part of Microsoft's IIS web server software.
- Analysis showed it to be a new worm, instead of a variant.
- Unlike the first, the second has no attacking function.
- Uses "X" characters to overflow the buffer.
- Creates a backdoor to allow attacks.
- Uses statistically distributed random addresses, favoring topologically closer hosts.
- Microsoft released a security patch on June 18, 2001.
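Both Code Red worms announce themselves in the web server's own access log: a request for one of the indexing-service file types served through idq.dll, carrying an abnormally long run of a single repeated letter ('N' for Code Red, 'X' for Code Red II). The Python detector below is an added example, not part of the lecture or of any vendor tool. It parses common-log-style lines, flags requests for .ida/.idq files whose query string contains such a run, and labels which worm's pattern it matches. The log lines, addresses and paths are constructed for the example, the minimum run length is an assumed tuning value, and the function names are the example's own.

```python
import re

# Hypothetical access-log lines in a common-log-like format, constructed for this example
# (addresses, timestamps and paths are made up; they are not real captures).
# Lines 2 and 4 carry the long single-letter runs the lecture describes for
# Code Red ('N') and Code Red II ('X') in requests for the .ida/.idq file types that
# idq.dll handles. Line 3 is a benign indexing query that only repeats a letter briefly.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [19/Jul/2001:10:01:07 +0000] "GET /default.ida?' + "N" * 80 + ' HTTP/1.0" 200 -',
    '10.0.0.7 - - [19/Jul/2001:10:02:11 +0000] "GET /search.idq?CiRestriction=NNN HTTP/1.0" 200 300',
    '10.0.0.3 - - [04/Aug/2001:03:12:44 +0000] "GET /default.ida?' + "X" * 80 + ' HTTP/1.0" 200 -',
])

# Common log format: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)

# Minimum length of one repeated character before a request is flagged.
# 32 is an assumed tuning value; legitimate indexing queries do not repeat a letter that often.
MIN_RUN = 32


def longest_single_char_run(text):
    """Return (char, length) for the longest run of one repeated character in text."""
    best = ("", 0)
    for m in re.finditer(r"(.)\1*", text):
        if len(m.group(0)) > best[1]:
            best = (m.group(1), len(m.group(0)))
    return best


def classify_request(target, min_run=MIN_RUN):
    """Label a suspicious indexing-service request, or return None for a normal one."""
    path, _, query = target.partition("?")
    if not path.lower().endswith((".ida", ".idq")):
        return None  # only the file types handled by idq.dll are of interest
    char, length = longest_single_char_run(query)
    if length < min_run:
        return None
    if char == "N":
        return "Code Red (long N run)"
    if char == "X":
        return "Code Red II (long X run)"
    return "indexing-service overflow pattern (long %r run)" % char


def scan_access_log(text, min_run=MIN_RUN):
    """Parse log lines and return one hit dict per request matching the overflow pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        label = classify_request(m["target"], min_run)
        if label:
            _, length = longest_single_char_run(m["target"].partition("?")[2])
            hits.append({"client": m["client"], "time": m["time"],
                         "target": m["target"], "run_length": length, "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["label"]} (run of {hit["run_length"]})')
```

Matching on the run rather than on an exact byte string keeps the check robust to the length differences between the two worms, and restricting it to .ida/.idq targets keeps long repeated characters elsewhere in a URL (for example in an uploaded file name) from raising alerts. The same status code appears on every sample line, which reflects that a vulnerable server answers the request like any other; the server's own logging, not its response, is what exposes the attempt.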

Conficker
- Also known as "Downadup" and "Kido"
- Targets the Microsoft Windows operating system
- First detected in October 2008
- Microsoft's critical security bulletin MS08-067: "Vulnerability in Server Service Could Allow Remote Code Execution"
- The largest known computer worm infection: estimated at 9 million machines in 2009
- It uses flaws in the Windows OS: the Server service could allow remote code execution if an affected system received a specially crafted RPC request.
- Dictionary attacks on administrator passwords to propagate
- Forms a botnet.
- Difficult to counter because it uses many advanced malware techniques
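Two of the worms on these slides propagate partly by guessing passwords: the Morris worm ran a dictionary of 432 "common" passwords against harvested user lists, and Conficker runs dictionary attacks on administrator passwords. From the defender's side, both leave the same trace in authentication logs: a burst of failed logins from one source, either against many different accounts or repeatedly against one. The Python detector below is an added example serving both passages, not part of the lecture. It groups failed-login events by source address and raises an alert when a sliding time window contains too many failures or too many distinct user names. The log lines are constructed (their wording is loosely modelled on sshd's "Failed password" syslog message, with an ISO timestamp added so they can be parsed without a year), and the window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication-log lines: ISO timestamp, host, process, message.
# Wording loosely modelled on sshd's "Failed password" message; every address, user name
# and time is made up for this example.
SAMPLE_AUTH_LOG = """\
2017-11-02T23:10:01 gw1 sshd[4101]: Failed password for root from 10.1.2.3 port 50122 ssh2
2017-11-02T23:10:04 gw1 sshd[4102]: Failed password for invalid user admin from 10.1.2.3 port 50123 ssh2
2017-11-02T23:10:08 gw1 sshd[4103]: Failed password for invalid user guest from 10.1.2.3 port 50124 ssh2
2017-11-02T23:10:15 gw1 sshd[4104]: Failed password for invalid user oracle from 10.1.2.3 port 50125 ssh2
2017-11-02T23:10:22 gw1 sshd[4105]: Failed password for invalid user test from 10.1.2.3 port 50126 ssh2
2017-11-02T23:11:40 gw1 sshd[4110]: Failed password for alice from 10.1.2.9 port 50200 ssh2
2017-11-02T23:13:55 gw1 sshd[4111]: Failed password for alice from 10.1.2.9 port 50201 ssh2
2017-11-02T23:14:00 gw1 sshd[4112]: Accepted password for alice from 10.1.2.9 port 50202 ssh2
2017-11-02T23:20:00 gw1 sshd[4120]: Failed password for administrator from 10.1.2.4 port 50300 ssh2
2017-11-02T23:20:05 gw1 sshd[4121]: Failed password for administrator from 10.1.2.4 port 50301 ssh2
2017-11-02T23:20:11 gw1 sshd[4122]: Failed password for administrator from 10.1.2.4 port 50302 ssh2
2017-11-02T23:20:18 gw1 sshd[4123]: Failed password for administrator from 10.1.2.4 port 50303 ssh2
2017-11-02T23:20:26 gw1 sshd[4124]: Failed password for administrator from 10.1.2.4 port 50304 ssh2
2017-11-02T23:20:33 gw1 sshd[4125]: Failed password for administrator from 10.1.2.4 port 50305 ssh2
"""

# Only failed attempts matter here; "invalid user" marks names that do not exist locally.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Group failed-login events by source address as time-sorted (timestamp, user) pairs."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            by_source[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    for events in by_source.values():
        events.sort()
    return by_source


def detect_password_guessing(text, window_seconds=60, max_failures=5, max_users=3):
    """Return one alert per source whose failures, within any window of window_seconds,
    reach max_failures (hammering one account) or span max_users distinct accounts
    (walking a user list with a dictionary). Thresholds are assumed, tunable values."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    for src, events in parse_failures(text).items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past events that are too old
            in_window = events[start:end + 1]
            users = {user for _, user in in_window}
            if len(in_window) >= max_failures or len(users) >= max_users:
                alerts.append({"source": src, "failures": len(in_window),
                               "users": sorted(users), "window_end": events[end][0]})
                break  # one alert per source is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_AUTH_LOG):
        print(f'{alert["window_end"]} {alert["source"]}: {alert["failures"]} failures '
              f'against {len(alert["users"])} account(s) {alert["users"]}')
```

In the sample, 10.1.2.3 trips the distinct-user rule after three different names in seven seconds, 10.1.2.4 trips the failure-count rule against a single administrator account, and 10.1.2.9 (two mistyped passwords minutes apart, then a success) is left alone. Counting distinct user names separately from raw failures is what separates the list-walking pattern the Morris worm used from ordinary user error.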

Conficker (2)
- Conficker copies itself with a random name into the system directory and registers itself as a service.
- Five variants (A–E) of Conficker are known.
- Propagation:
  - It gets the newly infected machine's IP address from some websites.
  - It downloads/sets up a small HTTP server.
  - It scans for other vulnerable machines and, when a target is found, the infected machine's URL is sent to the target as the payload.
  - The remote computer then downloads the worm from the given URL and starts to infect other machines as well.
- Allows an attacker to access users' personal information: banking info, credit card numbers, passwords, or personal identity.

Stuxnet
- Stuxnet is a joint USA-Israel project!
- Attacked Iran's Natanz nuclear plant in 2010; destroyed roughly a fifth of Iran's nuclear centrifuges
- Stuxnet specifically targets PLCs (programmable logic controllers)
- Target OS is Microsoft Windows; Siemens Step7 software for PLC programming
- Stuxnet is typically introduced via an infected USB flash drive.
- Stuxnet has three modules:
  - A worm executing all routines related to the main attack payload.
  - A link file executing the propagated copies of the worm.
  - A rootkit component for hiding all malicious files and processes.
- Stuxnet's design and architecture are not domain-specific: it is a platform for attacking modern SCADA and PLC systems.

Future Considerations
- Dynamic behavior
- Dynamic updates
- Communications mechanisms
- Infection mechanisms
- Network topologies
- Communications topology
- New targets
- Multi-platform/OS

THANKS

Sources:
- https://support.symantec.com/en_US/article.TECH98539.html
- http://typeslist.com/different-types-of-computer-viruses/
- http://kb.indiana.edu/data/aehs.html
- http://wildammo.com/2010/10/12/10-most-destructive-computer-worms-and-viruses-ever/
- http://encyclopedia2.thefreedictionary.com/Top+10+Worst+Computer+Worms+of+All+Time
- http://www.cgisecurity.com/lib/the_future_of_internet_worms.pdf
- https://en.wikipedia.org/wiki/Stuxnet
- http://www.symantec.com/connect/articles/security-11-part-1-viruses-and-worms
- http://www.thecomputerdoctor.com/viruses/information/cavity_viruses.htm
- https://www.symantec.com/security_response/writeup.jsp?docid=2001-011713-2000-99&tabid=2
- https://www.sans.org/security-resources/malwarefaq/