Lesson 4 Networked Computer Security Attacks on Internet Computers.


Overview
- Malicious Software
- Recent Worms/Viruses

Malicious Software
- Viruses
- Trojan Horse
- Worms

Viruses—3 Primary Categories
- File infectors—now extinct in the wild
- Boot sector viruses—died out after hard drives became prevalent
- Macro (interpreted)—most common, cross platform, written in scripting languages

Worms—self-propagating programs
- Morris
- Pretty Park
- ILOVEYOU (Melissa)
- CODE RED
- NIMDA
- Slapper
- SQL

Trojan Horse
- Trojan Horse: a program that secretly installs itself and does something malicious
- Password sniffers
- Back Orifice—allows remote users to take over the computer
- Plethora of hacker tools

Trends in DoS Attacks: The Evolution of Worms and Other Pesky Varmints

10 Propositions on Network Defense
- Networks are critical business support systems... if not the sole reason for the business
- Networks exist to operate
- Security “should” ensure you operate
- All “good” systems have fail-safes
- Vulnerability alerts are “not only” a sys admin issue
- The threat to our network is real
- There is no distant end on a network
- There is no distant end in network defense
- You are only as good as your weakest link
- You do not want to be the weakest link

What is a DoS Attack?
- DoS attacks prevent or impair the legitimate use of computer or network resources
- A consistent and real threat due to:
  - Limited and consumable resources
  - Internet security is highly interdependent
  - Defending against DoS is not an exact science
Source: Trends in DoS Attack Technology, Houle et al, CERT/CC

Early Virus/Worms
- Melissa (Mar/Apr 99)
  - Macro virus affecting Microsoft Word 97/2000 and Microsoft Outlook 97/98
  - Propagates through an infected attachment in e-mail
  - Infected Word file attachment, when opened, replicates the mail message to the first 50 addresses in the recipient's address book
  - This transport mechanism is still alive and well
  - Countermeasure: filter e-mail, operator education

Early Virus/Worms
- Loveletter (May 00)
  - Propagates via e-mail attachment
  - When first run, drops copies of itself in several places on the system and adds registry keys in order to run at system startup
  - Overwrites (and renames) several system files with copies of itself
  - Uses Microsoft Outlook to send copies of itself to address book entries
  - Tries to download and install a password stealing program from the Internet; when installed, the program e-mails the stolen passwords out

Early Virus/Worms
- Kournikova (12-13 Feb 01)
  - Propagates via e-mail attachment
  - Fools users into thinking it is a JPEG picture of Russian tennis player Anna Kournikova; does this by sending itself as an attached file called AnnaKournikova.jpg.vbs
  - Alters registry files on the infected computer
  - Sends copies of itself via the address book
  - Sends itself out again on the 26th of each month
  - Built using a free tool off the Internet that generates worms

Early MOs
- Making false claims that a file attachment contains a software patch or update
- Implying or using entertaining content to entice a user into executing a malicious file

Early MOs Continued
- Using delivery techniques that cause the message to appear to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
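The "Filter e-mail" countermeasure from the Melissa slide and the deceptive-file-name MO above can be turned into a simple gateway policy. The following is an added example, not code from the lecture: it classifies attachment names, catching the AnnaKournikova.jpg.vbs double-extension trick and flagging macro-capable Office documents for scanning. The extension lists and the sample messages are constructed for the example.

```python
# Attachment-name policy check for a mail gateway (added example, not the
# lecture's code). Extension lists are an assumed policy; extend to local needs.

EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta"}            # run or interpreted by Windows
LURE_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "pdf"}  # harmless-looking decoys
MACRO_DOC_EXTS = {"doc", "dot", "xls", "xlt"}            # can carry macros (Melissa)


def classify_attachment(filename):
    """Return (action, reasons) for one attachment name.

    action is "block", "quarantine" or "allow"; reasons says why.
    """
    exts = filename.strip().lower().split(".")[1:]   # everything after the base name
    reasons = []
    if not exts:
        return "allow", reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append("executable or script extension ." + last)
        # "photo.jpg.vbs" displays as "photo.jpg" when Windows hides known extensions
        if len(exts) >= 2 and exts[-2] in LURE_EXTS:
            reasons.append("lure extension ." + exts[-2] + " in front of ." + last)
        return "block", reasons
    if last in MACRO_DOC_EXTS:
        reasons.append("macro-capable document; scan or strip macros")
        return "quarantine", reasons
    return "allow", reasons


def filter_messages(messages):
    """Apply the policy to (sender, attachment) pairs; return those not allowed."""
    verdicts = []
    for sender, attachment in messages:
        action, reasons = classify_attachment(attachment)
        if action != "allow":
            verdicts.append((sender, attachment, action, reasons))
    return verdicts


# Constructed sample: the Kournikova name is from the lecture, the rest are made up.
SAMPLE_MESSAGES = [
    ("friend@example.net", "AnnaKournikova.jpg.vbs"),
    ("hr@example.com", "salary-list.doc"),
    ("vendor@example.org", "patch-update.exe"),
    ("mom@example.net", "holiday.jpg"),
]

if __name__ == "__main__":
    for verdict in filter_messages(SAMPLE_MESSAGES):
        print(verdict)
```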

Present Day Virus/Worms
- Code Red Worm (12 July to 24 Oct)
  - Activates 100 connections at a time looking for new hosts to infect
  - Initially displayed a false web page, “Hacked by Chinese”; removed in the 2nd version to avoid detection
  - New host search “pseudo-random”: each new instance would start its probe at the same first host and continue; corrected in the second version
  - Resulted in hosts at the beginning of the attack list being inundated with connection requests from each infected server
  - Designed stealth periods, vicious active periods
  - Propagation causes DoS conditions
  - When present, resides in volatile memory: no disk files to search for with anti-virus software

How CODE RED Works (diagram)
- First infected system sends 100 system probes, scanning to find new victims
- Each new victim starts the scanning process over again
- 20th to EOM, primary target is
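The "same first host" defect described on the Code Red slide is easy to see in a toy model. The following added example (not the lecture's code) seeds a PRNG once per infected instance: with a fixed seed every instance replays the identical probe list, so the hosts at the front of that list absorb a connection from every infected server, which is the DoS effect the slide describes. The address-space size, instance count and seeds are constructed.

```python
import random
from collections import Counter

# Toy model of the Code Red v1 scanning defect (added illustration, not the
# lecture's code). All sizes are constructed; the real worm scanned IPv4.
ADDRESS_SPACE = 10_000        # candidate targets in the toy network
INSTANCES = 50                # infected hosts, each producing its own probe list
PROBES_PER_INSTANCE = 100     # the lecture's "100 connections at a time"


def probe_list(seed, n=PROBES_PER_INSTANCE, space=ADDRESS_SPACE):
    """Targets one infected host probes, drawn from a PRNG seeded with `seed`."""
    rng = random.Random(seed)
    return [rng.randrange(space) for _ in range(n)]


def probes_per_target(seed_for_instance):
    """Aggregate probes from every instance into a Counter target -> hits.

    seed_for_instance(i) is the seed used by infected host i. Code Red v1
    behaved as if this returned the same constant on every host.
    """
    hits = Counter()
    for i in range(INSTANCES):
        hits.update(probe_list(seed_for_instance(i)))
    return hits


def hotspot_summary(hits):
    """(distinct targets touched, most hits any single target received)."""
    return len(hits), max(hits.values())


# v1 defect: identical list everywhere, so at most PROBES_PER_INSTANCE targets
# are ever touched and each of them is hit by all INSTANCES infected hosts.
V1_SUMMARY = hotspot_summary(probes_per_target(lambda i: 12345))
# Per-instance seed (assumed model of the v2 correction): load spreads out.
V2_SUMMARY = hotspot_summary(probes_per_target(lambda i: 1000 + i))

if __name__ == "__main__":
    print("fixed seed (distinct targets, max hits on one target):", V1_SUMMARY)
    print("per-instance seed (distinct targets, max hits on one target):", V2_SUMMARY)
```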

Present Day Virus/Worms
- Sir Cam Worm (17 July to ~16 Oct)
  - Arrives as an e-mail attachment
  - Message body: “Hi! How are you?”; last line: “See you later. Thanks”
  - Most significant attribute of the virus is its ability to forward documents located on an infected host
  - Sir Cam was programmed with a 1 in 20 chance of deleting all files on an infected host on 16 October
  - A second payload is also set to fill infected hard drives with junk data
  - Overshadowed by Nimda

Present Day Virus/Worms
- Nimda Worm (18 Sept to 24 Oct)
  - Multi-axis attack
    - E-mail attachment
    - SMB networking
    - Exploited backdoors from previous attacks
    - IE exploitation
    - Exploits IIS for wide propagation
  - Propagation causes DDoS conditions

How NIMDA Works (diagram)
- Infected system scans the network for vulnerable IIS web servers
- New victim fetches Admin.dll (contains the NIMDA payload) from the attacking system via tftp
- Infected system sends infected e-mail attachments
- NIMDA attaches to web pages on the infected server
- NIMDA propagates via open file shares
- NIMDA prefers to target its neighbors
- Very rapid propagation

Sapphire SQL Worm
- Outbound traffic to external addresses on UDP port 1434
- Scanning causes a significant amount of data to be transmitted, all of it aimed at UDP port 1434
- Large number of ICMP Port/Host Unreachable messages aimed at server systems
- The worm uses a large number of UDP packets to achieve widespread infection. If the worm aims packets at a non-existent address (or an address that has not opened port 1434), an ICMP Unreachable message may be returned by the router that detected the error.

Sapphire SQL Worm (2)
- SQL resolution service failure
  - Infection causes the resolution service to fail
  - Disables access to SQL services
  - Effect persists until the SQL server is restarted
- Performance degradation
  - Due to scanning for other systems, and the resultant bandwidth consumption from outbound UDP packets (or inbound ICMP error messages as outlined above), connection speeds to other services may drop drastically
  - Because the worm has no facility to prevent re-infection, systems may have several copies of the worm running simultaneously
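The two Sapphire slides describe a network signature a defender can alert on: many outbound UDP/1434 packets from one server to distinct destinations, and ICMP Destination Unreachable replies flowing back to it. The following added detection example (not the lecture's code) applies that rule to constructed flow records; the line format, the internal address prefix and the threshold are assumptions.

```python
from collections import defaultdict

# Added detection example (not from the lecture). Constructed flow line format:
# "<src> <dst> <proto> <dport-or-icmp-type>", one flow per line.
INTERNAL_PREFIX = "10.0.0."   # assumed address range of our own servers
SQL_RESOLUTION_PORT = 1434
ICMP_DEST_UNREACHABLE = 3


def parse_flow(line):
    src, dst, proto, num = line.split()
    return src, dst, proto.lower(), int(num)


def sapphire_candidates(lines, min_targets=20):
    """Return {host: stats} for internal hosts scanning UDP/1434 at scale."""
    udp_targets = defaultdict(set)    # host -> distinct destinations hit on 1434
    icmp_unreach = defaultdict(int)   # host -> ICMP unreachable replies received
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, num = parse_flow(line)
        if proto == "udp" and num == SQL_RESOLUTION_PORT and src.startswith(INTERNAL_PREFIX):
            udp_targets[src].add(dst)
        elif proto == "icmp" and num == ICMP_DEST_UNREACHABLE and dst.startswith(INTERNAL_PREFIX):
            icmp_unreach[dst] += 1
    suspects = {}
    for host, targets in udp_targets.items():
        if len(targets) >= min_targets:     # one lookup is normal; a fan-out is not
            suspects[host] = {"udp1434_targets": len(targets),
                              "icmp_unreachable_replies": icmp_unreach[host]}
    return suspects


def constructed_sample():
    """Constructed flows: 10.0.0.5 behaves like an infected SQL server;
    10.0.0.8 makes one legitimate UDP/1434 lookup plus a DNS query."""
    lines = ["10.0.0.8 203.0.113.20 udp 1434", "10.0.0.8 203.0.113.53 udp 53"]
    for i in range(1, 41):
        lines.append(f"10.0.0.5 198.51.100.{i} udp 1434")
        if i % 2 == 0:   # half the probes draw an ICMP unreachable from a router
            lines.append("192.0.2.1 10.0.0.5 icmp 3")
    return lines


if __name__ == "__main__":
    print(sapphire_candidates(constructed_sample()))
```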

Impact
- Melissa: $1.2B
- Love Letter: $8.7B, most of the Fortune 500 companies
- Kournikova
- Sircam: $1B
- Code Red: $2.6B estimated for Jul/Aug 01 alone
- Nimda

Early Lessons Learned
- Filtering at firewalls must be implemented
- Recommended configurations must be in place at mail servers and workstations
- Vendor-supplied upgrades, updates and patches must be fully employed
- Work force needs to be trained

Nimda and CR Lessons Learned
- Highlights the fact that network defense is not the only defense against interactive hackers
- Many “attackers” were unwitting/unpatched zombies in the Internet world, out of our control
- This was an attack against the network infrastructure
- Work force still needs to practice safe computing
- Industry solutions were varied and costly

The Future of DDoS Attacks?
- Intruder use of Internet Relay Chat (IRC)
  - Will use established comm routes
  - Not easy to discern from legitimate traffic
- Bogus domain names used: stealth
- Routers used for DoS attacks
  - Direct attacks on routing protocols
  - Less chance of being discovered
- Time to exploit is shrinking
- Non-disclosure within intruder communities
- Increased blast zones: collateral damage
Source: Trends in DoS Attack Technology, Houle et al, CERT/CC