Mohammad Ashiqur Rahman
Department of Computer Science, College of Engineering
Tennessee Tech University

Worm
Malware
CSC 6575: Internet Security, Fall 2017

Agenda
- Worm
- Famous Worms
- Worm vs. Virus
- Worm Life: Components/Stages
- Virus Detection
- Anti-virus
- More about Known Worms

Mohammad Ashiq Rahman, Tennessee Tech University
What is a Worm?
- Similar to a virus, but propagates itself through the Internet by breaking into machines.
- Main goal: to bring down and deny access to networks and services.
- Does things by itself:
  - Does not rely on user intervention.
  - Does not rely on being transmitted physically (i.e., through portable disks).
  - Does not rely on being emailed or transferred by the user.
- A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.
Famous(!) Worms
- Morris Internet worm: the first computer worm, noticed in November 1988.
- Other famous worms:
  - MyDoom, 2004
  - Sobig.F, 2003
  - ILOVEYOU (Love Bug), 2000
  - Conficker, 2008
  - Code Red, 2001
  - Melissa, 1999
  - Nimda (reverse of admiN), 2001
  - Linux/Ramen, 2001
  - Stuxnet, 2010: the first malware to attack SCADA systems. It started through a physical copy!
Viruses vs. Worms
How does it infect a computer system?
- Virus: it inserts itself into a file or executable program.
- Worm: it exploits a weakness in an application or operating system and replicates itself.
How can it spread?
- Virus: it has to rely on users transferring infected files/programs to other computer systems.
- Worm: it can use a network to replicate itself to other computer systems without user intervention.
Does it infect files?
- Virus: yes, it deletes or modifies files. Sometimes a virus also changes the location of files.
- Worm: usually not. Worms usually only monopolize the CPU and memory.
Which spreads faster?
- Virus: slower than a worm.
- Worm: faster than a virus. E.g., the Code Red worm affected 0.3 million PCs in just 14 hours.
Definition
- Virus: program code that attaches itself to an application program; when the application program runs, the virus runs along with it.
- Worm: code that replicates itself in order to consume resources and bring the system down.
Source: http://www.diffen.com/difference/Computer_Virus_vs_Computer_Worm
About the Morris Internet Worm
- Robert Morris, a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating/propagating 99-line program.
- He released it to the Internet from MIT to disguise its origin (Cornell), on November 2, 1988.
- Morris soon discovered that the program was replicating and infecting machines at a much faster rate than he had predicted. Ultimately, many machines either crashed or became “catatonic.”
- Morris realized that things were getting worse. He contacted a friend at Harvard to discuss a solution. They sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent re-infection.
- It was estimated that around 10% of the machines connected to the Internet were infected: 6,000 machines out of 60,000.
- The U.S. Government Accountability Office put the cost of the damage at $100,000–10,000,000.
How Were 10% of the Machines Brought Down?
- The worm was written to exploit various Unix security holes:
  - Sendmail, finger, and rsh/rexec: it could execute remote commands on the system.
  - Weak passwords: it obtained user lists and ran a dictionary attack of 432 “common” passwords against them.
Why weren't all machines down?
- It didn't alter or destroy files.
- It didn't save or transmit the passwords it cracked.
- No special attempt was made to gain or utilize root access on a system.
- It didn't place copies of itself into memory to be executed at a later time.
- It targeted only DEC VAX machines running 4BSD, and Sun-3 systems.
- It only attacked machines attached to the Internet; it didn't travel from machine to machine via disk.
Worm: Six Components/Stages
A worm needs some generic capabilities to be successful:
1. Reconnaissance
2. Specific Attacks
3. Command Interface
4. Communication Mechanisms
5. Intelligence
6. Unused Attacks

Reconnaissance
- The information-gathering capabilities of a worm.
- Target identification is automated:
  - Active methods: scanning.
  - Passive methods: remote OS fingerprinting, traffic analysis.

Specific Attacks
- Through this capability a worm gains entry to another system and, if need be, escalates privileges there.
- Exploits the vulnerabilities: buffer overflows, cgi-bin errors, etc.; Trojan horse injections.
- Limited in targets: the system type being targeted and the vulnerabilities that exist there.
- Two components of the payload execution:
  - Local: run on the infected machine.
  - Remote: run on the machine targeted.

Command Interface
- Interface to the compromised system:
  - Interactive, where a remote control shell is obtained.
  - Automatic, where the node is under the control of some master.
  - Backdoor entry with administrative access.
- Allows a master-slave node relationship.
- Network client: accepts instructions from the attacker (a person) or from another worm node.

Communications
- Information and command transfer: the worm must have some form of communication, because the nodes of the worm network reside on different systems.
- Protocols.
- Stealth concerns: communication channels are usually kept hidden by the worm using techniques such as rootkits.

Intelligence
- Knowledge of other nodes, needed to act as a group:
  - A database of infected nodes.
  - Network locations.
  - An update message from a newly acquired node.
- Intelligence type:
  - Concrete vs. abstract.
  - Complete vs. incomplete.

Unused Attacks
- Maintains a set of capabilities to launch attacks.
- Adapts itself to new targets; leverages the system's flexibility.
- Allows for a thinner worm base: a small payload.
- Worms usually carry with them their collection of exploits, including ones that are not used.
Worm Propagation: Central Source Propagation
- This type of propagation involves a central source location.
- After a computer is infected, it locates a source from which it can get code to copy into the compromised computer.
- After infecting the current computer, it finds the next computer. Then everything starts over again.
- The Lion worm is this kind of worm.

Worm Propagation (2): Back-Chaining Propagation
- The attacking computer initiates a file transfer to the victim computer.
- After initiation, the attacking computer can then send files and any payload over to the victim without intervention.
- The victim becomes the attacking computer in the next cycle, with a new victim.
- More reliable than central source propagation, because the central source can be cut off.
- The Cheese worm is an example of this type of propagation.

Worm Propagation (3): Autonomous Propagation
- Attacks the victim computer and inserts the attack instructions directly into the processing space of the victim computer.
- As a result, the next attack cycle starts without any additional file transfer.
- The Morris and Code Red worms are examples of this type.
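The three propagation styles above differ in what an infected node needs before it can attack the next one, but all of them share the same growth dynamics once infected hosts start scanning random addresses: each new node adds to the scanning capacity, so the infected population grows logistically and the whole vulnerable population falls within hours, which is why the speed comparison with viruses earlier in the deck is so lopsided. The following added example (written for this page, not code from the slides or from any worm) models that dynamic deterministically. The population size, scan rate and cutoff time are constructed parameters; the `source_cutoff` option models central-source propagation, where taking the single code repository offline freezes the outbreak, which is the weakness the back-chaining design avoids.

```python
"""Deterministic model of a random-scanning worm.

Every infected host probes `scan_rate` random addresses per second; a probe
finds a still-vulnerable host with probability (vulnerable - infected) /
address_space.  The expected number of new infections per step is therefore
infected * scan_rate * dt * (vulnerable - infected) / address_space, i.e. the
logistic (SI) growth curve seen in real outbreaks.  All parameter values
below are constructed for illustration.
"""


def simulate_random_scan(vulnerable, scan_rate, address_space=2 ** 32,
                         seed_infected=1, dt=1.0, max_time=48 * 3600,
                         source_cutoff=None):
    """Return a list of (time_seconds, infected_hosts) samples.

    source_cutoff models central-source propagation: once the time passes
    source_cutoff the single code repository is assumed unreachable, so no
    further host can complete an infection and the outbreak freezes.
    """
    infected = float(seed_infected)
    history = [(0.0, infected)]
    t = 0.0
    while infected < vulnerable and t < max_time:
        t += dt
        if source_cutoff is not None and t > source_cutoff:
            break  # the central source is gone; nobody can fetch the code
        susceptible = vulnerable - infected
        new = infected * scan_rate * dt * susceptible / address_space
        infected = min(float(vulnerable), infected + new)
        history.append((t, infected))
    return history


def time_to_fraction(history, fraction, vulnerable):
    """First sample time at which at least `fraction` of the population is infected."""
    target = fraction * vulnerable
    for t, infected in history:
        if infected >= target:
            return t
    return None


if __name__ == "__main__":
    N = 360_000  # constructed: number of vulnerable hosts on the Internet
    for rate in (10, 20):
        h = simulate_random_scan(N, rate)
        print(f"scan_rate={rate}/s: 50% infected after "
              f"{time_to_fraction(h, 0.5, N) / 3600:.1f} h, "
              f"90% after {time_to_fraction(h, 0.9, N) / 3600:.1f} h")
    stalled = simulate_random_scan(N, 10, source_cutoff=600)
    print(f"central source cut off at 600 s: outbreak frozen at "
          f"{stalled[-1][1]:.1f} infected hosts")
```

Doubling the scan rate halves the time to saturation, and shrinking the vulnerable population (patching) has the same effect in the other direction, since the growth rate is proportional to `scan_rate * vulnerable / address_space`; that product is the quantity a defender can influence.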
More About Worms
- Unix worm: Ramen
- Windows worms:
  - Code Red: infected over 250,000 systems in 9 hours on July 19, 2001.
  - Conficker: infected millions of computers, including government, business, and home computers, in over 190 countries.
  - Stuxnet
Ramen Worm
- First discovered in January 2001.
- Attacks Red Hat Linux 6.2 and 7.0 systems.
- Uses well-known exploits against rpc.statd, wu-ftpd and LPRng to gain access.
- The worm randomly selects a class B address: it starts by running a shell script called start.sh, which calls a random number generator that returns a random class B subnet IP address.
- The worm attempts to copy itself to these IP addresses.
- The worm starts an HTTP server on port 27374 from which newly infected machines download the code.
Code Red
- Code Red was observed on the Internet on July 15, 2001.
- Targets computers running Microsoft's Internet Information Server (IIS).
- Exploits a buffer-overflow vulnerability in “idq.dll”. “idq.dll” provides support for Internet Data Administration (.ida) script files and Internet Data Query (.idq) files for the Indexing Service.
- The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer.
- Uses a long string of the repeated letter 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.
Code Red (2): What did Code Red do?
- Vandalized the affected web site to display: “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!”
- Performed activities based on the day of the month:
  - Days 1–19: tried to spread itself by looking for more IIS servers on the Internet.
  - Days 20–27: launched denial-of-service attacks on several fixed IP addresses. The IP address of the White House web server was among those.
  - Days 28–end: slept, no active attacks.
Code Red II
- Code Red II is similar to the Code Red worm; it was released two weeks after Code Red.
- It also exploits a security hole in the indexing software included as part of Microsoft's IIS web server software.
- Analysis showed it to be a new worm, instead of a variant.
- Unlike the first, the second has no attacking function.
- Uses “X” characters to overflow the buffer.
- Creates a backdoor to allow attacks.
- Uses statistically distributed random addresses, favoring topologically closer hosts.
- Microsoft released a security patch on June 18, 2001.
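Because both Code Red variants arrive as a single HTTP request whose query string is padded with one repeated filler character ('N' for Code Red, 'X' for Code Red II) aimed at an Indexing Service handler, they leave a distinctive trace in web server access logs, which is how many administrators first noticed them in 2001. The added example below (written for this page, not code from the slides or from any worm analysis) is a small triage tool that parses Common Log Format lines and flags such requests; the sample log lines, the `default.ida` request path, the 240/300-character padding lengths and the 200-character run threshold are constructed assumptions. A patched server logs and rejects these requests; an unpatched server may already be compromised before the request is written to the log, so this is a retrospective check, not a substitute for the patch.

```python
import re

# Apache/IIS-style Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# File types handled by the IIS Indexing Service ISAPI extension (idq.dll).
INDEXING_EXTENSIONS = (".ida", ".idq")
# Filler byte each worm used to push past the end of the buffer.
KNOWN_FILLERS = {"N": "Code Red", "X": "Code Red II"}


def classify_request(request, min_run=200):
    """Return a verdict dict for a worm-style request, or None for anything else.

    A request is flagged only when it targets an Indexing Service handler AND
    its query string contains a run of at least `min_run` identical characters,
    the overflow padding the worms carry.  The threshold is an assumption;
    legitimate .ida/.idq queries are short.
    """
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    if not path.lower().endswith(INDEXING_EXTENSIONS):
        return None
    run = re.search(r"(.)\1{%d,}" % (min_run - 1), query)
    if run is None:
        return None
    filler = run.group(1)
    return {
        "path": path,
        "filler": filler,
        "run_length": len(run.group(0)),
        "variant": KNOWN_FILLERS.get(filler, "unknown filler %r" % filler),
    }


def scan_log(lines, min_run=200):
    """Parse CLF lines and return one verdict per suspicious request, in log order."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m is None:
            continue  # not a parseable access-log line
        verdict = classify_request(m.group("request"), min_run)
        if verdict is not None:
            verdict["source"] = m.group("host")
            verdict["status"] = int(m.group("status"))
            hits.append(verdict)
    return hits


# Constructed sample log: addresses are documentation ranges and the
# timestamps and padding lengths are made up; only the 'N'/'X' filler and the
# .ida/.idq targets come from the worm descriptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2001:10:15:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [19/Jul/2001:10:15:09 +0000] "GET /default.ida?' + "N" * 240 + ' HTTP/1.0" 200 0',
    '198.51.100.45 - - [04/Aug/2001:03:01:44 +0000] "GET /default.ida?' + "X" * 240 + ' HTTP/1.0" 200 0',
    '203.0.113.9 - - [19/Jul/2001:10:16:00 +0000] "GET /query.idq?CiRestriction=report HTTP/1.0" 200 512',
    '192.0.2.77 - - [19/Jul/2001:11:00:00 +0000] "GET /search.ida?' + "A" * 300 + ' HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['source']:>15}  {hit['variant']:<20} run={hit['run_length']} path={hit['path']}")
```

The two conditions are deliberately combined: a long run of one character in an ordinary URL is usually junk, and a short query to an `.ida` file is legitimate Indexing Service use; only the pair matches the padding the worms send. An unknown filler character is still reported, since a new variant would most likely change the padding byte before anything else.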
Conficker
- Also known as “Downadup” and “Kido”.
- Targets the Microsoft Windows operating system.
- First detected in October 2008.
- Microsoft's critical security bulletin MS08-067: “Vulnerability in Server Service Could Allow Remote Code Execution”.
- The largest known computer worm infection: estimated at 9 million in 2009.
- It uses flaws in the Windows OS: the Server service could allow remote code execution if an affected system received a specially crafted RPC request.
- Dictionary attacks on administrator passwords to propagate.
- Forms a botnet.
- Difficult to counter because it uses many advanced malware techniques.
Conficker (2)
- Conficker copies itself with a random name into the system directory and registers itself as a service.
- Five variants (A–E) of Conficker are known.
- Propagation:
  - It gets the newly infected machine's IP address from some websites.
  - It downloads/sets up a small HTTP server.
  - It scans for other vulnerable machines; when a target is found, the infected machine's URL is sent to the target as the payload.
  - The remote computer then downloads the worm from the URL given and starts to infect other machines as well.
- Allows an attacker to access users' personal information: banking info, credit card numbers, passwords, or personal identity.
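Ramen and Conficker share the same two-step propagation pattern: an infected host scans for new targets (Ramen picks random class B networks) and at the same time serves the worm body over a small HTTP server (port 27374 for Ramen) for the victims it finds. Seen from a network monitor, that gives two signals that rarely occur together on a legitimate host: a very wide connection fan-out on one service port across many /16 networks, and inbound connections to a port that nothing on that host should be serving. The added example below (written for this page, not code from the slides or from either worm's analysis) runs a simple flow-based detector over constructed flow records; the flow tuples, the 10.0.0.0/8 addresses standing in for routable space, the use of FTP port 21 to represent the wu-ftpd service, the 60-second window and the fan-out threshold of 50 are all assumptions.

```python
import ipaddress
from collections import defaultdict


def sample_flows():
    """Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).

    Nothing here is captured traffic.  10.0.0.0/8 stands in for routable
    space, port 21 stands for the wu-ftpd service Ramen exploited, and 27374
    is the download port the worm opens on an infected host.
    """
    flows = []
    # A normal client talking to a handful of web servers inside one /16.
    for i in range(6):
        flows.append((100 + i, "10.0.0.5", f"10.0.1.{i + 1}", 80))
    # A worm node: 80 connection attempts to port 21 on hosts spread over
    # 80 different /16 networks, all inside about 25 seconds.
    for i in range(80):
        dst = f"10.{10 + i}.{(i * 7) % 256}.{(i * 13) % 256}"
        flows.append((200 + i * 0.3, "10.0.0.9", dst, 21))
    # Freshly compromised hosts fetching the worm body from that node.
    for i in range(3):
        flows.append((260 + i, f"10.{20 + i}.4.4", "10.0.0.9", 27374))
    return flows


def detect_worm_nodes(flows, window=60, fanout_threshold=50,
                      served_ports=frozenset({27374})):
    """Return {host: [finding, ...]} for hosts showing worm-like behaviour.

    Two signals are combined:
      * fan-out: one source contacting >= fanout_threshold distinct hosts on
        the same port inside one `window`-second bucket, reported together
        with how many /16 networks were touched (random class B selection
        shows up as a /16 count close to the host count);
      * serving: a host accepting connections on a port known to be used
        for worm downloads (served_ports).
    Thresholds are assumptions to be tuned for the monitored network.
    """
    distinct_hosts = defaultdict(set)   # (src, dport, bucket) -> {dst}
    distinct_nets = defaultdict(set)    # (src, dport, bucket) -> {dst /16}
    served = defaultdict(set)           # (dst, dport) -> {src}

    for ts, src, dst, dport in flows:
        key = (src, dport, int(ts // window))
        distinct_hosts[key].add(dst)
        net = ipaddress.ip_network(f"{dst}/16", strict=False)
        distinct_nets[key].add(str(net))
        if dport in served_ports:
            served[(dst, dport)].add(src)

    findings = defaultdict(list)
    for key, hosts in distinct_hosts.items():
        src, dport, bucket = key
        if len(hosts) >= fanout_threshold:
            findings[src].append(
                f"scan: {len(hosts)} distinct hosts on port {dport} across "
                f"{len(distinct_nets[key])} /16 networks in window {bucket}"
            )
    for (dst, dport), sources in served.items():
        findings[dst].append(
            f"serves port {dport} to {len(sources)} host(s): possible worm download point"
        )
    return dict(findings)


if __name__ == "__main__":
    for host, notes in detect_worm_nodes(sample_flows()).items():
        print(host)
        for note in notes:
            print("   ", note)
```

Either signal alone produces false positives (a vulnerability scanner fans out, an unusual service port may be legitimate); a host that shows both in the same few minutes is the one to isolate first, and the /16 count tells an analyst whether the scanning is random, as with Ramen, or local-preferring, as with Code Red II.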
Stuxnet
- Stuxnet is a joint USA-Israel project!
- Attacked Iran's Natanz nuclear plant in 2010; destroyed roughly a fifth of Iran's nuclear centrifuges.
- Stuxnet specifically targets PLCs (programmable logic controllers).
- Target OS is Microsoft Windows, with Siemens Step7 software for PLC programming.
- Stuxnet is typically introduced via an infected USB flash drive.
- Stuxnet has three modules:
  - A worm executing all routines related to the main attack payload.
  - A link file executing the propagated copies of the worm.
  - A rootkit component for hiding all malicious files and processes.
- Stuxnet's design and architecture are not domain-specific: it is a platform for attacking modern SCADA and PLC systems.
Future Considerations
- Dynamic behavior
- Dynamic updates
- Communications mechanisms
- Infection mechanisms
- Network topologies
- Communications topology
- New targets
- Multi-platform/OS