Overview
- What is a worm?
- Origin
- How does it propagate?
- How does it take up resources of an infected node?
- "Deworming" an infected machine

Definition and Origin
- A worm is a program that can run by itself and can propagate a fully working version of itself to other machines.
- The first worm to spread across the Internet was the Morris worm, "RTM" (1988), named after Robert T. Morris, the author of the program.
  - Propagated by exploiting vulnerabilities in Unix systems.
  - Compiled and ran new instances of itself on every system it reached.
- Other worms:
  - Ramen worm (2001)
  - Code Red (July 2001, Windows/IIS)
  - Nimda (September 2001)
  - Apache Scalper (June 2002)

Apache Scalper worm
- Appeared in June 2002.
- Turns the infected system into a node of a P2P network.
- Features:
  - Launch denial of service attacks.
  - Send multiple messages (spam).
  - Run arbitrary commands on the compromised system.
  - Upgrade the worm program running on the node.
- Communication by a simple P2P networking protocol:
  - communication between nodes
  - communication between nodes and the controlling program
  - all carried over UDP

The Slapper worm
- Surfaced in Romania in 2002 as a variant of the Apache Scalper worm.
- Comparing the source code: Slapper is more robust and efficient in its peer-to-peer networking than the Apache Scalper worm.
- Some Scalper features were removed:
  - self updating
  - sending spam
- Retained: distributed denial of service agent and backdoor.
- Node-to-node traffic carried over UDP.

Reliability layer
- Adds a header to every packet:
  - a signed char type field (1 = message, 0 = ack)
- Keeps a copy of every sent message in a message queue so that delivery can be retried until it is acknowledged.
- The queue holds the last 128 messages; each entry contains:
  - message ID
  - time of first send and time of last send
  - destination IP address
  - UDP port number
- The message ID protects against sending the same message twice, and against receiving and acting on the same message twice.
- An entry is deleted once its message has been acknowledged.
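A model of the reliability layer described above, written as an added illustration for this page; it is not the worm's code. The one-byte type field, the 128-entry queue and its fields (message ID, first/last send time, destination IP, UDP port) follow the slide; the struct layout, the ring of already-seen IDs used for duplicate suppression, and the retransmit/expiry policy are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define QUEUE_SIZE 128   /* "last 128 messages" */
#define TYPE_ACK   0
#define TYPE_MSG   1

/* Header the reliability layer prepends to the UDP payload (assumed layout). */
typedef struct {
    int8_t   type;    /* signed char: 1 = message, 0 = acknowledgement */
    uint32_t msg_id;  /* lets the peer ack it and the receiver drop repeats */
} rel_header;

/* One slot of the sent-message queue. */
typedef struct {
    int      in_use;
    uint32_t msg_id;
    uint32_t dst_ip;
    uint16_t dst_port;
    long     first_sent;  /* seconds; when the message was first sent */
    long     last_sent;   /* seconds; when it was last (re)sent */
} queue_entry;

typedef struct {
    queue_entry q[QUEUE_SIZE];     /* copies of sent, not yet acked messages */
    uint32_t    seen[QUEUE_SIZE];  /* ids already acted on, kept as a ring */
    int         seen_count;
    int         seen_next;
    uint32_t    next_id;
} rel_state;

void rel_init(rel_state *st)
{
    memset(st, 0, sizeof *st);
    st->next_id = 1;
}

/* Queue a new outgoing message. Returns its id, or 0 if the queue is full. */
uint32_t rel_send(rel_state *st, uint32_t dst_ip, uint16_t dst_port, long now)
{
    for (int i = 0; i < QUEUE_SIZE; i++) {
        queue_entry *e = &st->q[i];
        if (e->in_use) continue;
        e->in_use = 1;
        e->msg_id = st->next_id++;
        e->dst_ip = dst_ip;
        e->dst_port = dst_port;
        e->first_sent = e->last_sent = now;
        return e->msg_id;
    }
    return 0;
}

/* Process the header of a received packet.
 * Returns 1 when the payload is a new message the node should act on,
 * 0 when it is an ack (queue entry released) or a repeat (ignored). */
int rel_recv(rel_state *st, const rel_header *h)
{
    if (h->type == TYPE_ACK) {
        for (int i = 0; i < QUEUE_SIZE; i++)
            if (st->q[i].in_use && st->q[i].msg_id == h->msg_id)
                st->q[i].in_use = 0;           /* delivered: drop our copy */
        return 0;
    }
    for (int i = 0; i < st->seen_count; i++)
        if (st->seen[i] == h->msg_id)
            return 0;                          /* same message twice: ignore */
    st->seen[st->seen_next] = h->msg_id;
    st->seen_next = (st->seen_next + 1) % QUEUE_SIZE;
    if (st->seen_count < QUEUE_SIZE) st->seen_count++;
    return 1;
}

/* Return the id of one unacked message whose last transmission is at least
 * `interval` old, marking it as resent now; 0 if nothing is due. */
uint32_t rel_retransmit_due(rel_state *st, long now, long interval)
{
    for (int i = 0; i < QUEUE_SIZE; i++) {
        queue_entry *e = &st->q[i];
        if (e->in_use && now - e->last_sent >= interval) {
            e->last_sent = now;
            return e->msg_id;
        }
    }
    return 0;
}

/* Give up on messages that have been retried for longer than `max_age`.
 * Returns how many entries were dropped. */
int rel_expire(rel_state *st, long now, long max_age)
{
    int dropped = 0;
    for (int i = 0; i < QUEUE_SIZE; i++) {
        queue_entry *e = &st->q[i];
        if (e->in_use && now - e->first_sent > max_age) {
            e->in_use = 0;
            dropped++;
        }
    }
    return dropped;
}
```

The point worth noticing is that the duplicate check only works for IDs the node still remembers: with a 128-entry window, a message replayed after 128 newer ones slips through, which is why the routing layer's 2^H copies (below on this page) are "likely to be processed" despite this layer.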

Initialization
- A new node sends a "join network" command to its parent (the node that infected it).
- The parent responds with a "your IP address" command, so the new node learns its own externally visible address.
- The new node then broadcasts its presence to the other nodes.
- If the new node's list of known nodes stays empty, communication with the parent has failed:
  - it repeats the join network request every 60 seconds
  - after complete failure to join, the node starts a network of its own (a split of the network).

Routing
- A node that wants to send a command or message to another node encapsulates it in a "route" command, which contains:
  - the destination's IP address
  - a minimum number of hops, H (0 to 16)
- Bouncing: a node that receives a route command with H > 0 decrements H and passes the command on to two random nodes; once H reaches 0 the command is sent to the destination IP. The destination only ever sees the last hop, not the originator (anonymity).
- Segmentation: because the route command is sent to at least two nodes at every hop, the destination receives 2^H copies of the command, and the duplicates are likely to be processed.

Synchronisation and Broadcasting
- Broadcasting, used to announce the presence of a new node:
  - destination IP set to zero
  - broadcast segmentation: every node forwards the command to 2 random nodes
- Synchronisation, to keep nodes up to date with the present number of nodes in the network:
  - a null route command is broadcast approximately every 10 minutes
  - the null route command carries the present number of nodes in the network
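A simulation of the routing and broadcasting behaviour described in the two slides above, added here as an illustration; it is not the worm's code. The hop range 0..16, the fan-out of two random nodes per hop, destination 0 meaning broadcast, and the 2^H duplicates at the destination follow the slides. The node count, the assumption that every node knows every other node, the tiny PRNG and the tallies are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_HOPS  16   /* the slide's hop range 0..16 */
#define FANOUT    2    /* "at least two nodes at every hop" */
#define MAX_NODES 64   /* simulation limit, an assumption */

typedef struct {
    uint32_t dst_ip;    /* 0 = broadcast to the whole network */
    int      hops;      /* bounces still to make before going to dst_ip */
    uint32_t last_hop;  /* the only source address the receiver learns */
} route_cmd;

typedef struct {
    uint32_t ip;
    long     processed;    /* copies this node acted on */
    long     from_origin;  /* copies whose visible sender was the originator */
} node;

typedef struct {
    node     nodes[MAX_NODES];
    int      n;
    long     packets;      /* every UDP send made in the network */
    uint32_t origin;
    uint32_t rng;          /* small LCG so a run is reproducible */
} network;

typedef struct { long delivered, packets, from_origin, processed_total; int reached; } route_result;

static uint32_t next_rand(network *net)
{
    net->rng = net->rng * 1664525u + 1013904223u;
    return net->rng >> 8;
}

/* A random known node other than the sender (assumes full knowledge of peers). */
static node *random_peer(network *net, node *self)
{
    node *p;
    do p = &net->nodes[next_rand(net) % net->n]; while (p == self);
    return p;
}

static node *find_node(network *net, uint32_t ip)
{
    for (int i = 0; i < net->n; i++)
        if (net->nodes[i].ip == ip) return &net->nodes[i];
    return NULL;
}

static void receive(network *net, node *at, route_cmd c);

static void send_to(network *net, node *from, node *to, route_cmd c)
{
    net->packets++;
    c.last_hop = from->ip;       /* the originator is hidden behind each bounce */
    receive(net, to, c);
}

/* Segmentation: hand the command to FANOUT random peers with one hop less. */
static void bounce(network *net, node *at, route_cmd c)
{
    c.hops--;
    for (int k = 0; k < FANOUT; k++) send_to(net, at, random_peer(net, at), c);
}

static void act_on(network *net, node *at, const route_cmd *c)
{
    at->processed++;
    if (c->last_hop == net->origin) at->from_origin++;
}

/* What a node does with a route command it holds. */
static void receive(network *net, node *at, route_cmd c)
{
    if (c.dst_ip == 0) {                 /* broadcast: act, then keep flooding */
        act_on(net, at, &c);
        if (c.hops > 0) bounce(net, at, c);
    } else if (c.hops > 0) {             /* still bouncing for anonymity */
        bounce(net, at, c);
    } else if (at->ip == c.dst_ip) {     /* arrived: the destination acts */
        act_on(net, at, &c);
    } else {                             /* hops exhausted: straight to destination */
        node *dst = find_node(net, c.dst_ip);
        if (dst) send_to(net, at, dst, c);
    }
}

/* Node 0 (10.0.0.1) routes one command; tallies copies and packets. */
route_result route_from_first(int n, uint32_t dst_ip, int hops)
{
    network net;
    memset(&net, 0, sizeof net);
    net.n = n < 2 ? 2 : (n > MAX_NODES ? MAX_NODES : n);
    net.rng = 12345u;
    for (int i = 0; i < net.n; i++) net.nodes[i].ip = 0x0a000001u + i;
    node *origin = &net.nodes[0];
    net.origin = origin->ip;
    if (hops < 0) hops = 0;
    if (hops > MAX_HOPS) hops = MAX_HOPS;
    route_cmd c = { dst_ip, hops, origin->ip };
    receive(&net, origin, c);            /* the originator runs the same logic */
    route_result r = { 0, net.packets, 0, 0, 0 };
    for (int i = 0; i < net.n; i++) {
        r.processed_total += net.nodes[i].processed;
        if (net.nodes[i].processed) r.reached++;
    }
    node *dst = dst_ip ? find_node(&net, dst_ip) : NULL;
    if (dst) { r.delivered = dst->processed; r.from_origin = dst->from_origin; }
    return r;
}

route_result route_unicast(int n, int hops)      /* to the last node */
{
    int m = n < 2 ? 2 : (n > MAX_NODES ? MAX_NODES : n);
    return route_from_first(n, 0x0a000001u + (uint32_t)(m - 1), hops);
}
route_result route_broadcast(int n, int hops) { return route_from_first(n, 0, hops); }
```

With H = 3 the destination processes exactly 8 copies while the network carries up to 22 packets for one command; with H = 0 the single copy arrives straight from the originator, which is the anonymity trade-off the slide alludes to. A broadcast with H bounces is acted on 2^(H+1) - 1 times in total, however few nodes exist, which is the load that synchronisation every 10 minutes imposes.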

Exploit and propagate
- mod_ssl exploit for OpenSSL (published 30/07/2002):
  - an over-long SSL2 key argument -> buffer overflow
- Within 3 months, different versions appeared:
  - Slapper, Cinik, Unlock, Linux.DevNull
  - discussion of open source: the availability of the worm's source is good for both use and abuse
- Brett Glass: “Upgrading may prevent your system from being taken over, but --> berserk network load, DoS”

Exploit: 3 steps
- A] Identify the target: send an invalid GET request; the error response reveals the Apache version and the OS.
- B] Locate the heap in the Apache process address space.
- C] Inject the "poison": shellcode that spawns /bin/sh.
- [B and C]: the attack buffer must contain the absolute address of the shellcode, which is hardly predictable across all servers; that is why step B is needed before C.

B] Buffer overflow
- Heap-located (not stack-based).
- Global Offset Table: holds the addresses of the library functions to call; this is what the control redirection in step C targets.
- Trigger: a key argument longer than 8 bytes.
- The victim parses the packet data in get_client_master_key() (libssl) with no boundary check, overwriting the data that follows key_arg:
  - in the SSL_SESSION structure
  - and in the heap management data behind it

B] Buffer Overflow to locate heap

SSL_SESSION Structure on Heap

B] Buffer overflow => location of heap revealed
- key_arg[] is overflowed by 56 bytes (8 + 48), up to the session_id_length field.
- session_id_length is set to 112, so the server's handshake reply sends back 112 bytes starting at session_id, well past the real session ID and including:
  - *cipher: the encryption method
  - *ciphers: a structure allocated right after SSL_SESSION, i.e. a heap address

C] Second overflow (-> /bin/sh)
1. Corrupt the heap management data after key_arg[]:
   - 24 bytes of data (AAAAA..., a pointer set to NULL, *cipher)
   - 124 bytes of shellcode
2. Abuse free() (glibc) to redirect control to the shellcode.
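A model of stage B (the information leak) and of the bounds check that closes it, added here as an illustration; it is not OpenSSL's code and not the worm's. The SSL_SESSION field order (key_arg, master key, session_id_length, session_id, ..., cipher, ciphers), the 8-byte key_arg, the unchecked copy in the server's key-argument parser and the 112-byte echo follow the slides. Field widths are assumptions: every word, pointers included, is 32 bits so that 112 comes out on any platform, and the model keeps a master_key_length word between the two arrays, so the distance from key_arg to session_id_length is computed with offsetof rather than hard-coded to the slide's 56. The sample pointer values are constructed. Stage C (heap metadata and free()) is not modelled, because a faithful version would corrupt the allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSL_MAX_KEY_ARG_LENGTH        8
#define SSL_MAX_MASTER_KEY_LENGTH     48
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH        32

/* Simplified SSL_SESSION; all words 32-bit like the x86 servers of 2002. */
typedef struct {
    uint32_t ssl_version;
    uint32_t key_arg_length;
    uint8_t  key_arg[SSL_MAX_KEY_ARG_LENGTH];     /* the buffer that overflows */
    uint32_t master_key_length;
    uint8_t  master_key[SSL_MAX_MASTER_KEY_LENGTH];
    uint32_t session_id_length;                   /* stage B rewrites this to 112 */
    uint8_t  session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
    uint32_t sid_ctx_length;
    uint8_t  sid_ctx[SSL_MAX_SID_CTX_LENGTH];
    uint32_t not_resumable;
    uint32_t sess_cert, peer;                     /* pointers */
    uint32_t verify_result, references, timeout, time_created, compress_meth;
    uint32_t cipher;                              /* SSL_CIPHER *: the encryption method */
    uint32_t cipher_id;
    uint32_t ciphers;                             /* STACK_OF(SSL_CIPHER) *: lives right
                                                     after SSL_SESSION => a heap address */
} ssl_session_model;

#define OFF(f) offsetof(ssl_session_model, f)
/* bytes the server must echo from session_id to expose the ciphers pointer */
#define LEAK_LEN (OFF(ciphers) + sizeof(uint32_t) - OFF(session_id))

size_t leak_len(void)       { return LEAK_LEN; }                          /* 112 here */
size_t stage_b_length(void) { return OFF(session_id_length) + 4 - OFF(key_arg); }

/* The unpatched parser: key_arg_length comes from the packet and is never
 * compared with sizeof key_arg. The copy goes through a byte pointer with a
 * guard at the end of the struct so the model never leaves its own object;
 * the real code ran on into the heap management data. */
int parse_key_arg_vulnerable(ssl_session_model *s, const uint8_t *pkt, uint32_t key_arg_len)
{
    uint8_t *dst = (uint8_t *)s + OFF(key_arg);
    if (key_arg_len > sizeof *s - OFF(key_arg)) return -1;   /* model guard only */
    s->key_arg_length = key_arg_len;
    memcpy(dst, pkt, key_arg_len);                           /* the overflow */
    return 0;
}

/* The patched parser: refuse anything longer than the 8-byte buffer. */
int parse_key_arg_fixed(ssl_session_model *s, const uint8_t *pkt, uint32_t key_arg_len)
{
    if (key_arg_len > SSL_MAX_KEY_ARG_LENGTH) return -1;     /* key arg too long */
    s->key_arg_length = key_arg_len;
    memcpy(s->key_arg, pkt, key_arg_len);
    return 0;
}

/* The handshake reply copies session_id_length bytes from session_id,
 * trusting the (now corrupted) length. Clamped to the struct for the model. */
size_t server_finished(const ssl_session_model *s, uint8_t *out, size_t out_max)
{
    size_t n = s->session_id_length, avail = sizeof *s - OFF(session_id);
    if (n > avail) n = avail;
    if (n > out_max) n = out_max;
    memcpy(out, (const uint8_t *)s + OFF(session_id), n);
    return n;
}

/* Stage B payload: filler up to session_id_length, then the new length. */
size_t build_stage_b(uint8_t *pkt, size_t pkt_max)
{
    size_t filler = OFF(session_id_length) - OFF(key_arg);
    uint32_t new_len = (uint32_t)LEAK_LEN;
    if (filler + sizeof new_len > pkt_max) return 0;
    memset(pkt, 'A', filler);
    memcpy(pkt + filler, &new_len, sizeof new_len);          /* lands on session_id_length */
    return filler + sizeof new_len;
}

typedef struct {
    int      rejected;        /* parser refused the key argument */
    size_t   reply_len;       /* bytes the server echoed */
    uint32_t leaked_cipher;   /* *cipher as the attacker sees it */
    uint32_t leaked_ciphers;  /* *ciphers: the heap address stage C needs */
} stage_b_result;

/* Run stage B against a fresh session with the old or the fixed parser. */
stage_b_result run_stage_b(int use_fixed_parser)
{
    ssl_session_model s;
    stage_b_result r = { 0, 0, 0, 0 };
    uint8_t pkt[128], reply[256];
    memset(&s, 0, sizeof s);
    s.session_id_length = 16;     /* what an honest handshake leaves here */
    s.cipher  = 0x08052a40u;      /* constructed sample addresses, not real ones */
    s.ciphers = 0x080a1c10u;
    size_t n = build_stage_b(pkt, sizeof pkt);
    int rc = use_fixed_parser ? parse_key_arg_fixed(&s, pkt, (uint32_t)n)
                              : parse_key_arg_vulnerable(&s, pkt, (uint32_t)n);
    if (rc < 0) { r.rejected = 1; return r; }
    r.reply_len = server_finished(&s, reply, sizeof reply);
    if (r.reply_len >= LEAK_LEN) {   /* the reply now runs past session_id */
        memcpy(&r.leaked_cipher,  reply + OFF(cipher)  - OFF(session_id), 4);
        memcpy(&r.leaked_ciphers, reply + OFF(ciphers) - OFF(session_id), 4);
    }
    return r;
}
```

The check in parse_key_arg_fixed is the whole fix for stage B: once the length is bounded by the buffer, session_id_length can no longer be rewritten, the reply stays 16 bytes, and the attacker has no heap address to aim stage C at.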

SSL_SESSION Structure after C]

Propagate
- After [C], try to become root (setuid).
- Download the worm's source code from the parent node.
- Compile it and run it => party on.
- Slapper == DDoS and backdoor agent.