Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003

Page 1: Mobile Code and Worms  By Mitun Sinha Pandurang Kamat 04/16/2003

Mobile Code and Worms

By

Mitun Sinha

Pandurang Kamat

04/16/2003

Page 2: WORMS

Page 3: What are network worms?

Worms, formally known as “Automated Intrusion Agents”, are software components that are capable, using their own means, of infecting a computer system and using it in an automated fashion to infect another system.

A virus, by contrast, cannot spread or infect on its own.

Page 4: What can these “cute creatures” do?

Infect and take over a large number of Internet hosts and turn them into zombies.

These hosts can then be used to:
- launch a massive Distributed Denial of Service (DDoS) attack
- access sensitive information on the hosts
- inject false or malicious information into networks

The worm-based attack model provides:
- “ease” of automation
- penetration fuelled by speed and aggressiveness

Page 5: Components of a worm

- Reconnaissance capability
- Attack capability
- Command interface
- Communication capability
- Intelligence capability

Page 6: Reconnaissance

Target identification:
- Active methods: scanning
- Passive methods: OS fingerprinting, traffic analysis

Page 7: Attacks

- Exploits: buffer overflow, cgi-bin, etc.
- Generally involves privilege escalation
- Two components: local and remote

Page 8: Command Interface

Interface to the compromised system:
- root/administrative shell
- network client

Accepts commands from:
- a person
- other worm siblings

Page 9: Communications

Information transfer:
- network vulnerability information
- commands and data, etc.

Network clients to various services

Stealth issues handled much the same way as in “rootkits”

Page 10: Intelligence

Knowledge of other siblings: the worm system may maintain a list of infected nodes, centralized or distributed.

The infected machines can then be put to use by instructing them through the command interface.

Page 11: Morris Worm (November 1988)

- First malicious worm (in 1982 some worms had been written at Xerox PARC for legitimate networking tasks)
- Exploits: sendmail (malformed input) and the finger daemon (buffer overflow) on VAX and Sun machines
- Used trust relationships amongst the hosts to spread
- No command interface
- Infected 6000 hosts (10% of the Internet)

Page 12: Code Red I (July 2001)

Began: July 12, 2001

Exploit: Microsoft IIS web servers (buffer overflow)

Named “Code Red” because:
- the folks at eEye security worked through the night to identify and analyze this worm, drinking “Code Red” (Mountain Dew) to stay up
- the worm defaced some websites with the phrase “Hacked by Chinese”

Version 1 did not infect many hosts because it used a static seed in its random number generator (so every copy probed the same sequence of addresses). Version 2 came out on July 19th with this “bug” fixed and spread rapidly.

The worm's behavior each month:
- 1st to 19th: spread by infection
- 20th to 28th: launch a DoS attack on www.whitehouse.gov
- 28th till end of month: rest

Infected 359,000 hosts in under 14 hours.

Page 13: Code Red I (July 2001)

Figure: cumulative total of unique IP addresses infected by the first outbreak of Code-Red-I v2.

(Source: “Code-Red: a case study on the spread and victims of an internet worm”, Moore et al.)

Page 14: Worms-2… The Next Generation

Warhol worms: infecting most of the targets in under 15 minutes.

“In the future, everybody will be world-famous for 15 minutes.” -- Andy Warhol

“How to 0wn the Internet in Your Spare Time”, Weaver et al., USENIX ’02 [Weav02].

Combination of “hit-list” scanning and “permutation” scanning.

Source: [Weav02]

Page 15: SQL Slammer (Jan 2003) – The future is NOW!

Began: January 25th (also known as “Sapphire”).

Exploit: Microsoft SQL Server (buffer overflow)
- contains a simple, fast scanner in a 376-byte worm inside a single UDP packet
- all it did was send this packet to UDP port 1434

The first “Warhol” worm:
- doubled in size every 8.5 seconds (Code Red doubled every 37 min)
- infected more than 90% of vulnerable hosts within 10 minutes

No malicious payload, but it jammed networks worldwide with traffic: affected businesses and ATMs, grounded flights, etc.

Flaws:
- too aggressive in scanning; it quickly countered its own growth by eating up bandwidth
- an error in the random number generator eliminated a large part of the search space
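The doubling times on this slide and the Code Red slide are what the [Weav02] paper calls the Random Constant Spread (RCS) model: a random-scanning worm grows logistically, da/dt = K·a·(1 − a), where a is the infected fraction of the vulnerable population and K fixes the early doubling time ln(2)/K. The following is an added example (not from the slides or from the paper's authors) that turns a quoted doubling time into a time-to-saturation and cross-checks the closed form against a numerical simulation. The vulnerable population sizes used in the `main` block (about 360,000 hosts for Code Red I, about 75,000 for Slammer) and the single initially infected host are assumptions for illustration only.

```python
"""Random Constant Spread (RCS) model of a random-scanning worm.

Added example, not part of the slides.  With a the infected fraction of
the vulnerable population, the model is

    da/dt = K * a * (1 - a)

so a doubles every ln(2)/K time units while it is small.  K is recovered
here from the observed early doubling time; population sizes are assumed.
"""
import math


def rate_from_doubling_time(doubling_time):
    """K such that the early phase of the outbreak doubles every doubling_time."""
    return math.log(2) / doubling_time


def infected_fraction(k, a0, t):
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0."""
    grown = a0 * math.exp(k * t)
    return grown / (1.0 - a0 + grown)


def time_to_fraction(k, a0, target):
    """Invert the logistic curve: time until the infected fraction reaches target."""
    if not 0.0 < a0 < target < 1.0:
        raise ValueError("need 0 < a0 < target < 1")
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def simulate(k, a0, t_end, dt=0.01):
    """Forward-Euler integration of the same ODE, as a cross-check on the formula."""
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += k * a * (1.0 - a) * dt
    return a


def saturation_report(doubling_time, vulnerable_hosts, target=0.9):
    """Time for one initially infected host to reach `target` of the population.

    Time units follow the doubling time (seconds in, seconds out)."""
    k = rate_from_doubling_time(doubling_time)
    a0 = 1.0 / vulnerable_hosts          # one infected host at t = 0 (assumption)
    return {"k": k, "time_to_target": time_to_fraction(k, a0, target)}


if __name__ == "__main__":
    # Assumed population sizes, not from the slides: ~360,000 hosts for
    # Code Red I (it infected 359,000) and ~75,000 for Slammer.
    code_red = saturation_report(37.0, 360_000)   # doubling time in minutes
    slammer = saturation_report(8.5, 75_000)      # doubling time in seconds
    print(f"Code Red I: 90% of hosts after {code_red['time_to_target'] / 60:.1f} hours")
    print(f"Slammer:    90% of hosts after {slammer['time_to_target']:.0f} seconds")
```

With those assumptions the Code Red I figure comes out near 13 hours, in line with the slide's "359,000 hosts in under 14 hours". The Slammer figure is under three minutes, faster than the observed ten, because the model ignores the flaw listed above: once the scan traffic saturated links, the effective K dropped.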

Page 16: SQL Slammer (Jan 2003) -- “The worm that ate the Internet!”

Source: www.caida.org

Page 17: Conclusion

Worms have been around for a while and are evolving constantly:
- increase in hiding tools
- morphing worms
- Warhol worms
- stealth worms

Defenses should evolve too:
- enforce fundamentals strictly: security patches, NIDS, etc.
- increase depth of defense, not just the perimeter
- rapid analysis and response (counter-attack)
- changing strategies to detect dynamic worms
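The "NIDS" and "rapid analysis and response" points above are concrete for a worm like Slammer, whose only network behaviour was one UDP packet to port 1434 fired at as many addresses as possible. A detector does not need the payload at all: a single source contacting many distinct destinations on UDP/1434 within a second is the signal. The following is an added example (not from the slides) of that fan-out check run over flow records; the record format and the sample lines are constructed for the example, and the window and threshold are assumed tuning values.

```python
"""Fan-out detector for a single-packet UDP scanning worm.

Added example, not part of the slides.  Flags any source address that
contacts more than `threshold` distinct destinations on one UDP port
within a sliding `window` of seconds.  Input records are assumed to be
sorted by timestamp, one flow per line:

    <seconds> <src> <dst> <udp|tcp> <dport> <bytes>
"""
import re
from collections import defaultdict, deque

FLOW_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>udp|tcp)\s+(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Return (ts, src, dst, proto, dport, bytes) or None for an unparseable line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return (float(m["ts"]), m["src"], m["dst"], m["proto"],
            int(m["dport"]), int(m["bytes"]))


def detect_udp_fanout(lines, port=1434, window=1.0, threshold=20):
    """Map each flagged source to the largest distinct-destination count seen
    on UDP/port inside any window-second interval."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) within the window
    flagged = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                  # comments, garbled lines: skip, do not crash
        ts, src, dst, proto, dport, _ = rec
        if proto != "udp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()               # expire records older than the window
        distinct = len({d for _, d in q})
        if distinct > threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def constructed_flows():
    """Constructed sample, not a real capture: two ordinary SQL Browser
    lookups, a TCP flow, a garbled line, then one host spraying 40 distinct
    addresses on UDP/1434 in under half a second."""
    lines = [
        "# constructed sample, not a real capture",
        "0.000 10.0.0.7 10.0.0.20 udp 1434 60",
        "0.250 10.0.0.7 10.0.0.21 udp 1434 60",
        "0.300 10.0.0.9 10.0.0.20 tcp 1433 1200",
        "garbled line",
    ]
    for i in range(40):
        # 376-byte payload per packet, as on the slide; 198.51.100.0/24 is a
        # documentation range, so these destinations are placeholders
        lines.append(f"{1.0 + i * 0.01:.3f} 10.0.0.5 198.51.100.{i + 1} udp 1434 376")
    return lines


if __name__ == "__main__":
    for src, count in detect_udp_fanout(constructed_flows()).items():
        print(f"ALERT {src}: {count} distinct UDP/1434 destinations within 1s")
```

The benign host that looks up two SQL servers never crosses the threshold, while the spraying host is reported with its peak fan-out. Because the check keys on behaviour rather than payload bytes, it still fires on a variant that changes the packet contents, which is the sort of "changing strategy" the last bullet asks for.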

