Decoding and Understanding Internet Worms

The document provides an overview of decoding and understanding internet worms. It discusses the history of worms, including the Morris worm in 1988. It covers techniques for analyzing worms, such as capturing them from networks, memory, and disks, and disassembling and debugging them. The document also examines the infection, propagation, and payloads of specific worms like Code Red I and II and Nimda in detail.

Uploaded by chikulenka
License: Attribution Non-Commercial (BY-NC)
Decoding and Understanding Internet Worms
eEye Digital Security

Presented by Ryan Permeh and Dale Coddington

Course Overview

I. Basic overview / history of worms
II. Worm analysis techniques
III. Worms – under the hood
IV. Worm defense techniques
V. The future of worms
VI. Questions and answers


Basic Overview / History of Worms

Internet Worms - Defined

A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.

Internet Worms - Who Writes Them

• Hackers/Crackers
• Researchers
• Virus writers

Internet Worms - Worms vs. Viruses

• Viruses require interaction
• Worms act on their own
• Viruses use social attacks
• Worms use technical attacks

Internet Worms - History

• Morris Internet Worm
  – Released in 1988
  – Overloaded VAX and Sun machines with invisible processes
  – 99-line program written by 23-year-old Robert Tappan Morris
  – Exploit xyz
• First worms were actually designed and released in the 1980s
• Worms were non-destructive and generally were released to perform helpful network tasks
  – Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power
• Eventually negative aspects of worms came to light
  – An internal Xerox worm had crashed all the computers in a particular research center
  – When machines were restarted the worm re-propagated and crashed the machines again

Worm Analysis Techniques

Worm Analysis Techniques - Capture: Capturing from the Network

• Sniffers
• IDS
• Netcat listeners
• Specialized servers (earlybird, etc.)

Worm Analysis Techniques - Capture: Capturing from Memory

• Memory dumps
• Memory searches
• Crashing to preserve memory

Worm Analysis Techniques - Capture: Capturing from Disk

• File searches
• File monitoring
• Open handles
• Email
• Replicated/infected files

Worm Analysis Techniques - Dissection / Disassembly: Loading

• Loading files in IDA
• Initial settings
• Trojans vs. exploit-style worms
  – Trojans load as programs
  – Exploits load as baseless code (raw shellcode with no image base)

Worm Analysis Techniques - Dissection / Disassembly: Defining

• Setting variables
• Examining functions
• Examining imports
• Examining strings
• Define flow of code

Worm Analysis Techniques - Dissection / Disassembly: Drilling

• Finding important code
  – Via imports
  – Via calls
  – Via strings

Worm Analysis Techniques - Debugging as a Disassembly Aid

• Examining in-memory constructs
• Runtime factors
  – Decryption/decoding
  – Variable sets, variable data
  – External factors: the code does not run in a void

Worm Analysis Techniques - Attaching to Worm-Infected Processes

• Attach to process
• Debugging running processes
• Finding worm code in process
• Forcing breaks in worm code

Worm Analysis Techniques - Sacrificial Goats / Goatnets: Isolation

• Disconnected
• Replicate important services
• Attempt to simulate real environment

Worm Analysis Techniques - Sacrificial Goats / Goatnets: Infection

• Netcat injection
• Poison servers/clients
• Turn off AV, turn on tools

Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis

• Debuggers
  – VC6 debugger
  – SoftICE
  – WinDbg
• Disassemblers
  – IDA
• Filemon
• Regmon
• TCPView Pro
• Procdump

Worms – Under the Hood

Worms Under the Hood - Code Red I: Infection

• .ida vulnerability (IIS Index Server ISAPI extension)
• Sent entire copy in HTTP GET data
• Static worm

Worms Under the Hood - Code Red I: Propagation

• 100 threads of propagation
• HTTP spread
• Uses in-memory copy

Worms Under the Hood - Code Red I: Payload

• Attack whitehouse.gov
• Hook web page delivery

Worms Under the Hood - Code Red II: Infection

• .ida vulnerability
• Similar to Code Red I
• Leaves a trojan

Worms Under the Hood - Code Red II: Propagation

• Statistical distribution of random addresses, favoring topologically closer hosts

Worms Under the Hood - Code Red II: Payload

• Trojan horse
  – Trojan embedded in worm
  – Simple compression
  – Modifies web dirs
  – Multiple system weakenings
• Adds cmd.exe in web roots

Worms Under the Hood - Nimda: Infection

• Outlook/IE vulnerability
• Unicode
• Double decode
• Open shares

Worms Under the Hood - Nimda: Propagation

• Email
• Open shares
• Web servers

Worms Under the Hood - Nimda: Payload

• Opens guest share
• Infects system binaries
• Adds registry keys
• Adds itself to system startup

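As an added example (not code from the eEye deck), the request-line classifier below recognises the two IIS infection vectors covered in the Code Red and Nimda slides: a Code Red style GET to the .ida extension that carries the worm body (%u-encoded, padded with a long filler run), and Nimda style Unicode or double-decode traversal to cmd.exe, including a cmd.exe copy left in the web root being called directly. The sample request lines are constructed, the lenient decoder imitates pre-patch IIS accepting overlong UTF-8, and the label names and the 100-byte query threshold are assumptions.

```python
from urllib.parse import unquote_to_bytes
# Constructed sample request lines (not captured traffic), one per line.
SAMPLE_LOG = """\
GET /index.html HTTP/1.0
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/cmd.exe?/c+dir HTTP/1.0
GET /products/list.asp?id=42 HTTP/1.0
"""

def lenient_utf8(raw: bytes) -> str:
    """Decode like a forgiving pre-patch IIS: any 0xC0-0xDF lead plus a
    continuation byte is accepted, so the overlong C0 AF maps back to '/'."""
    out, i = [], 0
    while i < len(raw):
        b, step = raw[i], 1
        if b < 0x80:
            out.append(chr(b))
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            step = 2
        else:
            out.append("?")
        i += step
    return "".join(out)

def canonicalize(path: str) -> str:
    """Percent-decode twice (%255c -> %5c -> '\\') and fold '\\' into '/'."""
    for _ in range(2):
        path = lenient_utf8(unquote_to_bytes(path))
    return path.replace("\\", "/").lower()

def classify(line: str) -> str:
    """Label one 'METHOD TARGET PROTOCOL' request line (label names are assumed)."""
    parts = line.split()
    if len(parts) < 2:
        return "malformed"
    path, _, query = parts[1].partition("?")
    # Code Red: worm body rides in the GET to .ida, padded and %u-encoded.
    if path.lower().endswith(".ida") and ("%u" in query.lower() or len(query) > 100):
        return "code-red-ida"
    canon = canonicalize(path)
    if canon.endswith("cmd.exe"):
        # Nimda: Unicode / double-decode traversal, or a cmd.exe copy in the web root.
        return "nimda-traversal" if "/../" in canon else "cmd-in-webroot"
    return "benign"

def classify_log(text: str) -> list:
    return [classify(line) for line in text.splitlines()]
```

Canonicalising before matching is the point: a signature written against the raw path misses the %c0%af and %255c forms, while the decoded path makes both traversal variants fall into the same rule.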
Worm Defense Techniques

Global Alerts / Dissemination - Standard Reporting Mechanisms

There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.

Global Alerts / Dissemination - Data Sharing

• Individual network sensors sharing data with a central network console
• Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
• Sharing data between stores at ARIS, CERT, SANS and others

Global Alerts / Dissemination - Statistical Analysis

• Having all the data poses new problems
  – Reduction of duplicate datasets
  – Large-scale statistical analysis
  – Storage, processing, and network resources can be large
• Worms have distinct statistical signatures

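An added example (not from the deck) of the central-console side of the data-sharing and statistical-analysis slides: reports from overlapping sensors are deduplicated (the same connection seen by two sensors collapses to one event), then each source is profiled by fan-out and by how many of its targets share its /8 and /16, which is the locality bias the Code Red II propagation slide describes. The reports, the 60-second window and the five-target threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sensor reports (not real data): (sensor, epoch seconds, src, dst, dport).
# Sensors A and B overlap, so some connections are reported twice.
REPORTS = [
    ("sensorA", 100, "10.1.2.3", "10.1.7.9", 80),
    ("sensorB", 100, "10.1.2.3", "10.1.7.9", 80),   # duplicate of the line above
    ("sensorA", 101, "10.1.2.3", "10.1.8.14", 80),
    ("sensorA", 101, "10.1.2.3", "10.1.99.2", 80),
    ("sensorA", 102, "10.1.2.3", "10.2.4.5", 80),
    ("sensorB", 102, "10.1.2.3", "172.16.3.3", 80),
    ("sensorB", 103, "10.1.2.3", "10.1.1.1", 80),
    ("sensorA", 104, "10.1.2.3", "10.1.2.200", 80),
    ("sensorB", 105, "10.1.2.3", "10.1.5.5", 80),
    ("sensorA", 100, "10.1.4.4", "10.1.7.9", 80),   # ordinary client, one destination
    ("sensorB", 100, "10.1.4.4", "10.1.7.9", 80),   # duplicate of the line above
    ("sensorA", 130, "10.1.4.4", "10.1.7.9", 80),
]

def dedupe(reports):
    """Collapse one (ts, src, dst, dport) seen by several sensors into one event."""
    merged = {}
    for sensor, ts, src, dst, dport in reports:
        merged.setdefault((ts, src, dst, dport), set()).add(sensor)
    return [key + (sorted(seen),) for key, seen in sorted(merged.items())]

def same_prefix(a: str, b: str, bits: int) -> bool:
    """True when both addresses fall in the same /bits network."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (int(ip_address(a)) & mask) == (int(ip_address(b)) & mask)

def scan_profile(events, window=60, min_targets=5):
    """Per source: distinct destinations within `window` seconds of its first
    event, the share of them in its own /8 and /16, and a worm-like flag."""
    first, targets = {}, defaultdict(set)
    for ts, src, dst, dport, _ in events:
        first.setdefault(src, ts)
        if ts - first[src] <= window:
            targets[src].add(dst)
    profile = {}
    for src, dsts in targets.items():
        n = len(dsts)
        profile[src] = {
            "targets": n,
            "same_8": sum(same_prefix(src, d, 8) for d in dsts) / n,
            "same_16": sum(same_prefix(src, d, 16) for d in dsts) / n,
            "worm_like": n >= min_targets,
        }
    return profile
```

A high fan-out with most targets inside the source's own /16 is the shape a locally biased scanner leaves in consolidated sensor data, while an ordinary client repeats the same few destinations.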
Environment - Modifying Aspects of a Worm's Environment

• Lysine deficiencies
• Monoculture
• Assumptions
  – Network addresses
  – Memory locations
  – Architecture

Counter Worms - Using Aspects of a Worm to Stop the Spread

• Using the same propagation
• Contains a fix, or code needed to identify
• Should contain extreme limits
• Generally not well regarded

The Future of Worms

Multiple Attack Vectors - Client and Server-Side Flaws

• Buffer overflows
• Format string attacks
• Design flaws
• Open shares
• Misconfigurations

Encryption/Obfuscation/Polymorphism - Covert Channel / Stealth Worms

• Hiding in plain sight
• ICMP
• Encoding in normal data stream
• Nonstandard

Encryption/Obfuscation/Polymorphism - Keyed Payloads

• Keying a worm before sending, requiring the worm to “call back” to decode itself
• Clear-text worm never transmits
• Higher chance of missing key transmissions, less likely to get a worm to disassemble

Encryption/Obfuscation/Polymorphism - Standard Polymorphic/Mutation Techniques

• Worms meet viruses
• Continuously changing itself
• Brute forcing new offsets
• Adapting to the environment to become “more fit”

Bigger Scope - Flash Worms

• Faster, more accurate spread
• Complete spread of all possible targets in 5-20 minutes
• Very low false positive rate
• Too fast to analyze/disseminate information

Bigger Scope - Intelligent Worms

• Worms meet AI
• Worm-infected hosts communicating in a p2p method
• Exchanging information on targeting, propagation, or new infection methods
• Agent-like behavior

Bigger Scope - Multi-Platform / OS Worms

• Multi-OS shellcode
• Attacking multiple different vulnerabilities on multiple platforms
• Single worm code, large attackable base

Questions and Answers?

References

• eEye Code Red I Analysis / Advisory:
  http://www.eeye.com/html/Research/Advisories/AL20010717.html
• eEye Code Red II Analysis / Advisory:
  http://www.eeye.com/html/Research/Advisories/AL20010804.html

Contact Information

• Ryan Permeh: [email protected]
• Dale Coddington: [email protected]
