Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red Author: Jedidiah.

Slides:



Advertisements
Similar presentations
Chapter 17: WEB COMPONENTS
Advertisements

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Teaching Buffer Overflow Ken Williams NC A&T State University.
Introduction to Web Database Processing
Sans.org Securing IIS Against Code Red Jason Fossen SANS Institute.
Classroom Activities Guide
Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
Computer Security and Penetration Testing
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:
Internet Worms Brad Karp UCL Computer Science CS GZ03 / th December, 2007.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Open Source Software An Introduction. The Creation of Software l As you know, programmers create the software that we use l What you may not understand.
Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
An Introduction to Information Security Why there’s more to hide than you might think and why hiding it is a lot tougher than you ever dreamed of in your.
Introduction to Buffer Overflows Author: Jedidiah R. Crandall, Distributed: 14 July 2002 Embry-Riddle Aeronautical University in Prescott,
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Introduction to Buffer Overflows Author:
Overview of Key Security Concepts and Vocabulary This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service.
Embry-Riddle Aeronautical University Prescott, Arizona
1 Vulnerability Assessment of Grid Software James A. Kupsch Computer Sciences Department University of Wisconsin Condor Week 2007 May 2, 2007.
Buffer Overflow Causes Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Causes Author:
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:
Recent Internet Viruses & Worms By Doppalapudi Raghu.
Computer Viruses and Worms By: Monika Gupta Monika Gupta.
Buffer Overflow Defenses Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Defenses.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Module 2 – User Safety Privacy Attacks on end users Browser vulnerabilities.
©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Internet Worm Compromising the availability and reliability of systems through security.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.
How to Use BO Demos. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. How to Use Buffer Overflow Demos (applets)
1 Figure 9-3: Webserver and E-Commerce Security Importance of Webservice and E-Commerce Security  Cost of disruptions  The cost of loss of reputation.
CSI 3125, Preliminaries, page 1 Networking. CSI 3125, Preliminaries, page 2 Networking A network represents interconnection of computers that is capable.
0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.
Intro to Buffer Overflow Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Intro Author:
Virus Infections By: Lindsay Bowser. Introduction b What is a “virus”? b Brief history of viruses b Different types of infections b How they spread b.
By: Austen Perelman-Hall COSC 101 Presentation.  What is a worm? What is a virus?  What is the Red Worm?  Where did it come from? Causes  Effects.
APACHE Apache is generally recognized as the world's most popular Web server (HTTP server). Originally designed for Unix servers, the Apache Web server.
OVERVIEW Virus & Worm overview Virus & Worm Difference CodeRed Worm Impact Detection Prevention.
Security on the Internet Norman White ©2001. Security What is it? Confidentiality – Can my information be stolen? Integrity – Can it be changed? Availability.
Buffer Overflow Defenses
* Web Servers/Clients * The HTTP Protocol
Internet Quarantine: Requirements for Containing Self-Propagating Code
Buffer Overflow Defenses
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
A Distributed DoS in Action
Quiz: Buffer Overflow Causes
Case Study: Code Red Author: Jedidiah R. Crandall,
Brad Karp UCL Computer Science
Buffer Overflow Defenses
Preventing Buffer Overflows (for C programmers)
CSE551: Introduction to Information Security
Web Servers (IIS and Apache)
Presentation transcript:

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red Author: Jedidiah R. Crandall, This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No Distributed July 2002 Embry-Riddle Aeronautical University Prescott, Arizona USA

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red What happened? How did it happen? Why did it happen? When did it happen? What does this mean?

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. What happened? The Code Red worm exploited a buffer overflow in Microsoft’s IIS server, defaced web sites on English-language servers, and made a failed attempt at a denial-of-service attack on The Code Red II worm exploited the very same vulnerability, except it installed a back door designed to make your entire hard drive available to attackers over the Internet. Between the two worms, about 800,000 machines infected and an estimated $2.5 billion in damages, lost productivity, and clean-up costs.

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. How did it happen? A server running Microsoft’s IIS will send you a web page if you make a request to that server by telling it what you want (for example, you might tell that you want the hypertext file /oatmeal/raisin.html by typing The string you send is stored in one buffer, which does not overflow because it was properly bounds-checked. Each character is an ASCII character which takes one byte to store. If you requested some other http service, though, this buffer might be reformatted into UNICODE (used for international character sets, 1 character = 2 bytes) and stored in another buffer. It was this other buffer that overflowed because there was no bounds checking to make sure the UNICODE buffer was twice as big as the ASCII buffer. While it is not easy to exploit this kind of buffer overflow, it proved to not be impossible. The buffer overflow allowed the attack code, which was included in the request string, to be executed.

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. When did it happen? 18 June eEye Digital security reports the vulnerabilityreports 18 June Microsoft releases a patchpatch 19 June 2001 – CERT Advisory CA releasedCA July 2001 – First incarnation of Code Red released, doesn’t spread as well as it couldFirst incarnation 19 July 2001 – Second incarnation of Code Red released, nearly the same code but it spreads much better, failed attempt at a denial-of-service attack on (100’s of thousands of machines infected) 19 July 2001 – CERT advisory CA releasedCA July 2001 – CAIDA follow-up survey shows that nearly a third of the machines infected by Code Red were still not patchedCAIDA 4 August 2001 – 16 days later, Code Red II is released, exploiting the very same vulnerability, but installing a back door on infected machines. 100’s of thousands more machines are infected or re-infected. Code Red II was probably released by a different party as it shared no code with the original Code Red.Code Red II

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. What does this mean? Vulnerable systems had plenty of opportunity to be patched and weren’t Systems administrators didn’t know there was a vulnerability? Systems administrators didn’t know there was a patch? Media didn’t explain that there was a vulnerability or a patch?” “Cyber terrorism” is a real threat One of the first things the worm did when it infected a machine was to check to see if that machine used English as the default language (If so the web page was defaced). Probably more than 200,000 of the infected machines were in the U.S., U.K., Canada, Australia, and New Zealand. The worm could have easily caused billions of dollars more in data loss for English-speaking-countries only. The denial-of-service attack on the White House would probably have succeeded had the attacker used the URL instead of the IP address.

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. About this Project This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to: Also available are: Demonstrations of how buffer overflows occur (Java applets) PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red Checklists and Points to Remember for C Programmers An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers A scavenger hunt on implications of the buffer overflow vulnerability Please complete a feedback form at to tell us how you used this material and to offer suggestions for improvements.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.