@Yuan Xue Worm Attack Yuan Xue Fall 2012
Background
What is a worm? Self-propagating malicious code.
History
- The Morris worm (1988) was one of the first worms distributed over the Internet.
- Timeline of notable worms
Examples
- Code Red: 2001, Microsoft IIS
- Slammer: 2003, Microsoft SQL Server
- Samy (the MySpace worm): 2005, XSS
Two topics
- System vulnerability
- Propagation model
Slammer (Sapphire) Worm
When: January 2003
How: exploits a stack buffer overflow in MS SQL Server 2000 / MS SQL Server Desktop Engine (MSDE) 2000 (a known vulnerability, patched in July 2002)
Scale: at least 74,000 infected hosts
Features
- Very fast propagation: more than 55 million scans per second at its peak, two orders of magnitude faster than Code Red
- No destructive payload; the damage came from the scan traffic itself
Countermeasures
- Patch
- Firewall (block port 1434/udp)
Scale
[Figure: geographic distribution of Slammer-infected hosts.] The diameter of each circle is a function of the logarithm of the number of infected machines, so large circles visually under-represent the number of infections; this keeps circles from overlapping adjacent locations.
Details of Slammer Worm
SQL Server vulnerability
- The SQL Server Resolution Service (SSRS) contains a stack buffer overflow that lets an attacker execute arbitrary code by sending a crafted request to port 1434/udp.
- Code carried in such a request runs on the server host with the privileges of the SQL Server service account.
Slammer worm
- Crafts 376-byte packets and sends them to chosen IP addresses on port 1434/udp.
- Random scanning: target IP addresses are selected at random.
- If a packet reaches a vulnerable machine, that machine becomes infected and immediately begins scanning and propagating in turn.
Buffer Overflow
A buffer overflow is an anomalous condition in which a program writes data beyond the allocated end of a buffer in memory.
The techniques used to exploit a buffer overflow vary with the architecture, operating system and memory region:
- heap-based buffer overflow
- stack-based buffer overflow
Linux process memory layout
1. The program's code and data: the instructions plus the initialized and uninitialized static and global data.
2. The run-time heap (allocated with malloc/calloc).
3. The user stack, used whenever a function call is made.
Buffer Overflow
Stack-based buffer overflow
An example:

    /* Stack frame layout when main() calls function(1, 2, 3). */
    void function(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void)
    {
        function(1, 2, 3);
        return 0;
    }

On a 32-bit x86 stack the frame of function(), from high to low addresses, holds the arguments c, b, a (pushed right to left), the return address, the saved frame pointer, then buffer1 and buffer2 (a typical compiler rounds each up to a multiple of the word size). Because the stack grows toward lower addresses, writing past the end of either buffer moves upward, toward the saved frame pointer and the return address.
Buffer Overflow
Stack-based buffer overflow: overwrite a function's return address, which in turn alters the program's execution path.

    #include <string.h>

    /* Deliberately vulnerable: strcpy copies up to the NUL terminator with no bound check. */
    void function(char *str)
    {
        char buffer[16];
        strcpy(buffer, str);        /* 27 bytes written into a 16-byte buffer */
    }

    int main(void)
    {
        char *str = "I am greater than 16 bytes";   /* 26 characters plus the NUL terminator = 27 bytes */
        function(str);
        return 0;
    }

A function's return address is the address of the next instruction in the caller, executed immediately after the function returns. The 11 excess bytes spill past buffer toward the saved frame pointer and the return address, so when function() returns, the CPU continues at an address chosen by whoever supplied str.
Buffer Overflow
Stack-based buffer overflow: overwriting the return address lets the attacker choose where execution continues.
- If the vulnerable program runs with root privileges, the attacker can obtain a root shell by redirecting execution to code that spawns a shell.
- If no such code exists in the program, the attacker supplies it:
  - place the code to execute (the shellcode) in the input that overflows the buffer;
  - overwrite the return address so that it points back into the buffer, so the injected code runs when the function returns.
- The shellcode can be delivered through environment variables or the program's input parameters.
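The return-address overwrite described above, as an added example that is not part of the original slides: a simulated frame (a hypothetical struct, not a real compiler's layout) places a 16-byte buffer directly below a saved return address. The unbounded copy lets an oversized input replace that return address with the address of attacker_payload (standing in for shellcode), while the bounded copy beside it refuses the same input. The names vulnerable_function, hardened_function, build_exploit and the two target functions are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*ret_fn)(void);

/* The two places a "return" can land: the normal continuation, and the
 * attacker's code (stands in for shell-spawning shellcode). */
static int legit_return(void)     { return 0; }
static int attacker_payload(void) { return 1; }

/* Simulated stack frame (hypothetical layout): the 16-byte buffer sits
 * directly below the saved return address, as buffer[16] sits below
 * function()'s return address on the slide. */
struct frame {
    char   buffer[16];
    ret_fn saved_ret;
};

/* Vulnerable: like strcpy(buffer, str), copies however many bytes arrive.
 * Bytes beyond the 16th land on saved_ret. The clamp to sizeof f only keeps
 * the simulation well-defined C; a real stack has no such guard. */
int vulnerable_function(const unsigned char *input, size_t len)
{
    struct frame f;
    f.saved_ret = legit_return;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);
    return f.saved_ret();       /* "return" through whatever is there now */
}

/* Hardened: refuse any input that does not fit in the buffer together with
 * its terminator, so saved_ret can never be reached. */
int hardened_function(const unsigned char *input, size_t len)
{
    struct frame f;
    f.saved_ret = legit_return;
    if (len >= sizeof f.buffer)
        return -1;              /* rejected: too long */
    memcpy(f.buffer, input, len);
    f.buffer[len] = '\0';
    return f.saved_ret();
}

/* Attacker input: filler up to the saved return address, then the address
 * of the payload. Returns the number of bytes written (0 if cap too small). */
size_t build_exploit(unsigned char *out, size_t cap)
{
    ret_fn target = attacker_payload;
    size_t off = offsetof(struct frame, saved_ret);   /* 16 */
    if (cap < off + sizeof target)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

int run_vulnerable(void)
{
    unsigned char input[64];
    size_t n = build_exploit(input, sizeof input);
    return vulnerable_function(input, n);   /* 1: attacker_payload ran */
}

int run_hardened(void)
{
    unsigned char input[64];
    size_t n = build_exploit(input, sizeof input);
    return hardened_function(input, n);     /* -1: oversized input refused */
}

int main(void)
{
    printf("vulnerable_function: %d (1 means the attacker's code ran)\n", run_vulnerable());
    printf("hardened_function:   %d (-1 means the input was rejected)\n", run_hardened());
    return 0;
}
```

The same input drives both functions; only the length check differs. That is the whole lesson of "use safe libraries": a copy that knows the destination size cannot reach the return address, whatever the input contains.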
Propagation Model
Random scanning
- Infection initially spreads exponentially, then slows as the worm's scans increasingly hit addresses that are already infected or immune.
- Probe rate of the Code Red worm (a typical random-scanning worm).
- Probes of the Slammer worm, from the DShield data set: the curve initially matched the random-scanning model, then slowed down quickly because of bandwidth saturation and network failures.
Why Was Slammer So Fast?
Bandwidth constraint vs. delay constraint
- Slammer: 404-byte packets (376-byte payload), UDP based. Each infected host scans as fast as its link can emit packets, so the scan rate is bandwidth constrained.
- Code Red: about 4 KB per probe, TCP based. Each probe has to complete a connection handshake first, so the scan rate is bounded by round-trip latency (delay constrained).
UDP vs. TCP
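Added example, not from the slides: a scaled-down simulation of random scanning over 2^20 addresses with one address in 64 vulnerable (both assumptions of the example) reproduces the curve described on the propagation-model slide, exponential growth that slows as probes land on already-infected addresses, and compares a delay-constrained worm (4 probes per host per tick) against a bandwidth-constrained one (32 probes per host per tick) in the spirit of the Code Red versus Slammer comparison. All names, constants and the seed are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Scaled-down address space: 2^20 addresses instead of 2^32 (assumption). */
#define ADDR_BITS   20
#define ADDR_SPACE  (1u << ADDR_BITS)
#define VULN_STRIDE 64          /* every 64th address runs the vulnerable service */
#define MAX_TICKS   4000

enum { IMMUNE = 0, VULNERABLE = 1, INFECTED = 2 };

struct sim_result {
    unsigned vulnerable;         /* number of vulnerable hosts */
    unsigned tick_half;          /* first tick at which >= 50% are infected */
    unsigned tick_three_quarter; /* first tick at which >= 75% are infected */
    unsigned tick_all;           /* first tick at which all are infected (MAX_TICKS if never) */
};

/* xorshift64 PRNG, seeded explicitly so runs are reproducible. */
static uint64_t rng;
static uint32_t random_address(void)
{
    uint64_t x = rng;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    rng = x;
    return (uint32_t)(x >> 32) & (ADDR_SPACE - 1);
}

/* Random-scanning worm: every infected host fires scans_per_tick probes at
 * uniformly random addresses each tick. A probe that hits a vulnerable,
 * not-yet-infected host infects it; the new victim starts scanning on the
 * next tick. scans_per_tick is the per-host probe rate: for a UDP worm it is
 * link bandwidth divided by packet size, for a TCP worm it is bounded by how
 * many handshakes complete per round trip. */
struct sim_result simulate_random_scanning(unsigned scans_per_tick, uint64_t seed)
{
    struct sim_result r = { 0, MAX_TICKS, MAX_TICKS, MAX_TICKS };
    uint8_t *state = calloc(ADDR_SPACE, 1);
    unsigned infected, tick;
    if (!state) return r;
    rng = seed ? seed : 1;

    for (uint32_t a = 0; a < ADDR_SPACE; a += VULN_STRIDE) {
        state[a] = VULNERABLE;
        r.vulnerable++;
    }
    state[0] = INFECTED;            /* patient zero */
    infected = 1;

    for (tick = 1; tick <= MAX_TICKS && infected < r.vulnerable; tick++) {
        uint64_t scans = (uint64_t)infected * scans_per_tick;
        unsigned newly = 0;
        for (uint64_t k = 0; k < scans; k++) {
            uint32_t target = random_address();
            if (state[target] == VULNERABLE) {  /* hits on INFECTED/IMMUNE are wasted */
                state[target] = INFECTED;
                newly++;
            }
        }
        infected += newly;
        if (r.tick_half == MAX_TICKS && infected * 2 >= r.vulnerable) r.tick_half = tick;
        if (r.tick_three_quarter == MAX_TICKS && infected * 4 >= r.vulnerable * 3) r.tick_three_quarter = tick;
        if (infected == r.vulnerable) r.tick_all = tick;
    }
    free(state);
    return r;
}

int main(void)
{
    /* Constructed comparison: delay-constrained (4 probes/tick) vs bandwidth-constrained (32). */
    struct sim_result slow = simulate_random_scanning(4, 12345);
    struct sim_result fast = simulate_random_scanning(32, 12345);
    printf("vulnerable hosts: %u\n", slow.vulnerable);
    printf("4 scans/tick:  50%% at tick %u, 75%% at %u, all at %u\n",
           slow.tick_half, slow.tick_three_quarter, slow.tick_all);
    printf("32 scans/tick: 50%% at tick %u, 75%% at %u, all at %u\n",
           fast.tick_half, fast.tick_three_quarter, fast.tick_all);
    return 0;
}
```

The scan rate is the only difference between the two runs: for Slammer it is the link bandwidth divided by 404 bytes, for Code Red it is bounded by handshakes per round trip, which is why the slide calls one bandwidth constrained and the other delay constrained. In both runs the stretch from 75% to 100% takes far longer than the stretch from 50% to 75%, because almost every late probe is wasted on an already-infected address. The model deliberately leaves out the bandwidth saturation and network failures that later slowed the real Slammer.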
How to Defend?
Buffer overflow
- Write secure code
- Use safe libraries
- Compiler tools
- Choice of programming language
- Dynamic run-time checks
- Executable space protection
- Stack-smashing protection
Worm
- Patch: Microsoft had released the patch before the worm attack happened
- Firewall
- IDS: deep packet inspection
- Architecture: address space layout randomization
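Added example, not from the slides, of the IDS / deep packet inspection idea applied to Slammer's own traffic shape: it reads constructed flow records and flags any source that sends 404-byte UDP datagrams to port 1434 at many distinct destinations, which is what random scanning looks like from the network, while a legitimate SQL Server Resolution Service lookup goes to one or two known servers. The records, the threshold of 5 distinct destinations and all function names are the example's assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SLAMMER_PACKET_BYTES 404   /* 376-byte payload plus UDP/IP headers, per the slide */
#define SSRS_PORT            1434
#define SCAN_THRESHOLD       5     /* distinct destinations before a source is flagged (assumption) */
#define MAX_HOSTS            32
#define ADDR_LEN             40

/* Constructed flow records, not real traffic: "src dst proto dport bytes". */
static const char *flow_records[] = {
    "10.0.0.5 203.0.113.9 udp 1434 404",
    "10.0.0.5 198.51.100.77 udp 1434 404",
    "10.0.0.5 192.0.2.130 udp 1434 404",
    "10.0.0.5 203.0.113.200 udp 1434 404",
    "10.0.0.5 198.51.100.3 udp 1434 404",
    "10.0.0.5 192.0.2.44 udp 1434 404",
    "10.0.0.6 10.0.0.2 udp 1434 404",     /* right shape, but only two destinations */
    "10.0.0.6 10.0.0.3 udp 1434 404",
    "10.0.0.7 10.0.0.2 udp 1434 60",      /* legitimate SSRS lookup: small, one server */
    "10.0.0.7 10.0.0.2 udp 1434 60",
    "10.0.0.8 192.0.2.53 udp 53 78",      /* unrelated DNS traffic */
    "10.0.0.9 203.0.113.80 tcp 80 1500",  /* ordinary web session */
};
#define NRECORDS (sizeof flow_records / sizeof flow_records[0])

struct source_stats {
    char src[ADDR_LEN];
    char dsts[MAX_HOSTS][ADDR_LEN];
    int  ndst;
};

static struct source_stats *find_or_add(struct source_stats *tab, int *n, const char *src)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].src, src) == 0) return &tab[i];
    if (*n >= MAX_HOSTS) return NULL;
    strcpy(tab[*n].src, src);           /* src was read with %39s, so it fits */
    tab[*n].ndst = 0;
    return &tab[(*n)++];
}

/* Returns the number of sources flagged as Slammer-style scanners and copies
 * their addresses into out (at most cap of them). */
int detect_slammer_scanners(const char *const *records, size_t nrec,
                            char out[][ADDR_LEN], size_t cap)
{
    struct source_stats table[MAX_HOSTS];
    int nsrc = 0, flagged = 0;

    for (size_t i = 0; i < nrec; i++) {
        char src[ADDR_LEN], dst[ADDR_LEN], proto[8];
        int dport, bytes;
        if (sscanf(records[i], "%39s %39s %7s %d %d", src, dst, proto, &dport, &bytes) != 5)
            continue;                                    /* malformed record: skip */
        if (strcmp(proto, "udp") != 0 || dport != SSRS_PORT || bytes != SLAMMER_PACKET_BYTES)
            continue;                                    /* not the Slammer packet shape */
        struct source_stats *s = find_or_add(table, &nsrc, src);
        if (!s) continue;
        int seen = 0;
        for (int j = 0; j < s->ndst; j++)
            if (strcmp(s->dsts[j], dst) == 0) { seen = 1; break; }
        if (!seen && s->ndst < MAX_HOSTS)
            strcpy(s->dsts[s->ndst++], dst);             /* distinct destinations only */
    }
    for (int i = 0; i < nsrc; i++) {
        if (table[i].ndst >= SCAN_THRESHOLD) {
            if ((size_t)flagged < cap) strcpy(out[flagged], table[i].src);
            flagged++;
        }
    }
    return flagged;
}

int sample_scanner_count(void)
{
    char hits[4][ADDR_LEN];
    return detect_slammer_scanners(flow_records, NRECORDS, hits, 4);
}

const char *sample_first_scanner(void)
{
    static char hits[4][ADDR_LEN];
    int n = detect_slammer_scanners(flow_records, NRECORDS, hits, 4);
    return n > 0 ? hits[0] : "";
}

int main(void)
{
    printf("flagged %d scanner(s); first: %s\n", sample_scanner_count(), sample_first_scanner());
    return 0;
}
```

The packet shape alone is not enough, as the 10.0.0.6 and 10.0.0.7 records show: the signal that separates a worm from a client is the spread of destinations, which is exactly the random-scanning behaviour the earlier slides describe. A firewall rule that drops inbound 1434/udp stops the infection; this check is what lets an IDS name the hosts that are already infected and scanning outward.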
References
Worms
- A Taxonomy of Computer Worms
- en.wikipedia.org/wiki/Computer_worm
Slammer worm
- Microsoft letter on the Slammer worm (letter.mspx)
- Inside the Slammer Worm, IEEE Security & Privacy, 2003
- Network Telescope (CAIDA)