Decoding and Understanding Internet Worms

Upload: chikulenka

Post on 30-May-2018


  • 8/14/2019 Decoding and Understanding Internet Worms
  • Slide 1/49: Decoding and Understanding Internet Worms
    eEye Digital Security
    Presented by Ryan Permeh & Dale Coddington
    http://www.eeye.com/html/index.html
  • Slide 2/49: Course Overview
    I. Basic overview / history of worms
    II. Worm analysis techniques
    III. Worms under the hood
    IV. Worm defense techniques
    V. The future of worms
    VI. Questions and answers
  • Slide 3/49: Basic Overview / History of Worms
  • Slide 4/49: Internet Worms - Defined
    A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.
  • Slide 5/49: Internet Worms - Who Writes Them
    Hackers/Crackers
    Researchers
    Virus writers
  • Slide 6/49: Internet Worms - Worms vs. Viruses
    Viruses require interaction
    Worms act on their own
    Viruses use social attacks
    Worms use technical attacks
  • Slide 7/49: Internet Worms - History
    Morris Internet Worm
      Released in 1998
      Overloaded VAX and Sun machines with invisible processes
      99-line program written by 23-year-old Robert Tappan Morris
      Exploit xyz
  • Slide 8/49: Internet Worms - History
    First worms were actually designed and released in the 1980s
    Worms were non-destructive and generally were released to perform helpful network tasks
    Vampire worm: idle during the day; at night it would use spare CPU cycles to perform complex tasks that required the extra computing power
  • Slide 9/49: Internet Worms - History
    Eventually negative aspects of worms came to light
    An internal Xerox worm had crashed all the computers in a particular research center
    When machines were restarted, the worm re-propagated and crashed the machines again
  • Slide 10/49: Worm Analysis Techniques
  • Slide 11/49: Worm Analysis Techniques - Capture: Capturing from the Network
    Sniffers
    IDS
    Netcat listeners
    Specialized servers (earlybird, etc.)
  • Slide 12/49: Worm Analysis Techniques - Capture: Capturing from Memory
    Memory dumps
    Memory searches
    Crashing to preserve memory
  • Slide 13/49: Worm Analysis Techniques - Capture: Capturing from Disk
    File searches
    File monitoring
    Open handles
    Email
    Replicated/infected files
  • Slide 14/49: Worm Analysis Techniques - Dissection / Disassembly: Loading
    Loading files in IDA
    Initial settings
    Trojans vs. exploit-style worms
      Trojans load as programs
      Exploits load as baseless code
  • Slide 15/49: Worm Analysis Techniques - Dissection / Disassembly: Defining
    Setting variables
    Examining functions
    Examining imports
    Examining strings
    Define flow of code
  • Slide 16/49: Worm Analysis Techniques - Dissection / Disassembly: Drilling
    Finding important code
      Via imports
      Via calls
      Via strings
  • Slide 17/49: Worm Analysis Techniques - Debugging as a Disassembly Aid
    Examining in-memory constructs
    Runtime factors
      Decryption/decoding
      Variable sets, variable data
    External factors, not in a void
  • Slide 18/49: Worm Analysis Techniques - Attaching to Worm-Infected Processes
    Attach to process
    Debugging running processes
    Finding worm code in process
    Forcing breaks in worm code
  • Slide 19/49: Worm Analysis Techniques - Sacrificial Goats / Goatnets: Isolation
    Disconnected
    Replicate important services
    Attempt to simulate real environment
  • Slide 20/49: Worm Analysis Techniques - Sacrificial Goats / Goatnets: Infection
    Netcat injection
    Poison servers/clients
    Turn off AV, turn on tools
  • Slide 21/49: Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
    Debuggers
      VC6 debugger
      SoftICE
      WinDbg
    Disassemblers
      IDA
  • Slide 22/49: Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
    Filemon
    Regmon
    TCPView Pro
    Procdump
  • Slide 23/49: Worms Under the Hood
  • Slide 24/49: Worms Under the Hood - Code Red I: Infection
    IDA vulnerability
    Sent entire copy in HTTP GET data
    Static worm
  • Slide 25/49: Worms Under the Hood - Code Red I: Propagation
    100 threads of propagation
    HTTP spread
    Use in-memory copy
  • Slide 26/49: Worms Under the Hood - Code Red I: Payload
    Attack whitehouse.gov
    Hook web page delivery
  • Slide 27/49: Worms Under the Hood - Code Red II: Infection
    IDA vulnerability
    Similar to Code Red I
    Leaves a trojan
  • Slide 28/49: Worms Under the Hood - Code Red II: Propagation
    Statistical distribution of random addresses, favoring topologically closer hosts
  • Slide 29/49: Worms Under the Hood - Code Red II: Payload
    Trojan horse
      Trojan embedded in worm
      Simple compression
    Modifies web dirs
    Multiple system weakenings
    Adds cmd.exe in web roots
  • Slide 30/49: Worms Under the Hood - Nimda: Infection
    Outlook/IE vulnerability
    Unicode
    Double decode
    Open shares
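    Detection logic for the web-borne infection vectors named on the Code Red I/II and Nimda infection slides, added here as an example that is not part of the original presentation: it scans constructed web-server log lines for an oversized .ida GET (the worm body carried in the request data), for an overlong-UTF-8 ("Unicode") directory traversal, and for a double-decode traversal. The simplified log format, the query-length threshold and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample web-server log lines ("client method url", simplified), not
# captured traffic. Lines 2-4 mimic the vectors named on the slides: an .ida GET
# carrying a worm-sized query, an overlong-UTF-8 traversal, a double-encoded one.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.htm",
    "192.0.2.10 GET /default.ida?" + "N" * 240 + "%u0a0a%u0b0b",
    "192.0.2.11 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",
    "192.0.2.12 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe",
    "10.0.0.7 GET /products/list.asp?id=42",
]
# Example threshold: a real .ida query is tiny; a worm that ships its own body in
# the GET request needs hundreds of bytes.
IDA_QUERY_LIMIT = 200
# Overlong two-byte UTF-8 sequences (lead byte C0/C1) illegally encode ASCII.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def decode_once(raw: bytes) -> bytes:
    """One round of %XX decoding, then fold overlong sequences such as %c0%af
    to the ASCII byte they stand for, mirroring what the vulnerable server did."""
    fold = lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)])
    return OVERLONG.sub(fold, unquote_to_bytes(raw))

def has_traversal(path: bytes) -> bool:
    return b"../" in path or b"..\\" in path

def classify(url: str):
    """Label a suspicious request, or return None for an unremarkable one."""
    path, _, query = url.partition("?")
    # Code Red I/II: .ida overflow, the worm body travels in the GET query string.
    if path.lower().endswith(".ida") and len(query) > IDA_QUERY_LIMIT:
        return "ida-overflow"
    raw = path.encode("latin-1", "replace")
    if has_traversal(raw):
        return "plain-traversal"
    once = decode_once(raw)
    if has_traversal(once):
        return "unicode-traversal"          # Nimda: overlong UTF-8 slash
    twice = decode_once(once)
    if twice != once and has_traversal(twice):
        return "double-decode-traversal"    # Nimda: %25xx decoded a second time
    return None

def scan_log(lines):
    """Return (client, label, url) for every line matching one of the signatures."""
    hits = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        label = classify(url)
        if label:
            hits.append((client, label, url))
    return hits
```

    Run against real IIS logs the client and URL fields would need to be pulled from the W3C extended format instead of the constructed three-field lines used here.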
  • Slide 31/49: Worms Under the Hood - Nimda: Propagation
    Email
    Open shares
    Web servers
  • Slide 32/49: Worms Under the Hood - Nimda: Payload
    Opens guest share
    Infects system binaries
    Adds registry keys
    Adds itself to system startup
  • Slide 33/49: Worm Defense Techniques
    Global Alerts / Dissemination
  • Slide 34/49: Global Alerts / Dissemination - Standard Reporting Mechanisms
    There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.
  • Slide 35/49: Global Alerts / Dissemination - Data Sharing
    Individual network sensors sharing data with a central network console
    Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
    Sharing data between stores at ARIS, CERT, SANS and others
  • Slide 36/49: Global Alerts / Dissemination - Statistical Analysis
    Having all the data poses new problems
    Reduction of duplicate datasets
    Large-scale statistical analysis
    Storage, processing, and network resources can be large
    Worms have distinct statistical signatures
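    A console-side sketch of the data-sharing and statistical-analysis slides, added here as an example that is not part of the original presentation: reports from several hypothetical sensors are de-duplicated, then each source's fan-out (distinct destinations on one port inside a short window) is measured as the statistical signature of a scanning host, together with how many of its targets share its first octet, the topological locality the Code Red II propagation slide describes. Sensor names, addresses, windows and thresholds are constructed assumptions.

```python
from collections import defaultdict

def constructed_reports():
    """Made-up sensor reports (sensor, time_s, src, dst, dport) from three
    hypothetical sensors feeding one console; not real traffic. Sensors A and B
    watch the same segment, so every connection they see is reported twice."""
    reports = []
    # One host opens 12 connections to distinct targets on port 80 in under a
    # minute, 9 of them inside its own /8 (the locality bias the slides describe).
    for i in range(12):
        dst = f"198.51.{100 + i}.9" if i < 9 else f"203.0.113.{i}"
        reports.append(("A", 5 * i, "198.51.100.7", dst, 80))
        reports.append(("B", 5 * i, "198.51.100.7", dst, 80))
    # An ordinary client touches three hosts on mixed ports.
    reports += [("C", 12, "10.0.0.5", "203.0.113.50", 443),
                ("C", 30, "10.0.0.5", "203.0.113.51", 80),
                ("C", 50, "10.0.0.5", "198.51.100.30", 80)]
    return reports

def deduplicate(reports, window_s=2):
    """Console-side duplicate reduction: the same (src, dst, dport) reported by
    several sensors within window_s becomes one event tagged with all sensors."""
    buckets = {}
    for sensor, t, src, dst, dport in reports:
        key = (src, dst, dport, t // window_s)
        buckets.setdefault(key, (t, src, dst, dport, set()))[4].add(sensor)
    return sorted(buckets.values(), key=lambda e: e[:4])

def fan_out_signature(events, port=80, window_s=60, min_targets=10):
    """Statistical signature of a scanning worm: one source, many distinct
    destinations on one port inside a short window. Also reports how many of
    the targets share the source's first octet (topological locality)."""
    per_src = defaultdict(set)
    for t, src, dst, dport, _sensors in events:
        if dport == port:
            per_src[(src, t // window_s)].add(dst)
    flagged = {}
    for (src, _win), dsts in per_src.items():
        if len(dsts) >= min_targets:
            octet = src.split(".")[0]
            same = sum(1 for d in dsts if d.split(".")[0] == octet)
            flagged[src] = {"targets": len(dsts), "same_slash8": same}
    return flagged

def console_run():
    """Full console pass: dedupe the raw reports, then look for scanners.
    Returns (raw report count, events after dedup, flagged sources)."""
    raw = constructed_reports()
    events = deduplicate(raw)
    return len(raw), len(events), fan_out_signature(events)
```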
  • Slide 37/49: Environment - Modifying Aspects of a Worm's Environment
    Lysine deficiencies
    Monoculture
    Assumptions
      Network addresses
      Memory locations
      Architecture
  • Slide 38/49: Counterworms - Using Aspects of a Worm to Stop the Spread
    Using same propagation
    Contains a fix, or code needed to identify
    Should contain extreme limits
    Generally not well regarded
  • Slide 39/49: The Future of Worms
    Multiple Attack Vectors
  • Slide 40/49: Multiple Attack Vectors - Client- and Server-Side Flaws
    Buffer overflows
    Format string attacks
    Design flaws
    Open shares
    Misconfigurations
  • Slide 41/49: Encryption/Obfuscation/Polymorphism - Covert Channel / Stealth Worms
    Hiding in plain sight
      ICMP
      Encoding in normal data stream
      Nonstandard
  • Slide 42/49: Encryption/Obfuscation/Polymorphism - Keyed Payloads
    Keying a worm before sending, requiring the worm to call back to decode itself
    Clear-text worm never transmits
    Higher chance of missing key transmissions; less likely to get a worm to disassemble
  • Slide 43/49: Encryption/Obfuscation/Polymorphism - Standard Polymorphic/Mutation Techniques
    Worms meet viruses
    Continuously changing itself
    Brute forcing new offsets
    Adapting to the environment to become more fit
  • Slide 44/49: Bigger Scope - Flash Worms
    Faster, more accurate spread
    Complete spread of all possible targets in 5-20 minutes
    Very low false positive rate
    Too fast to analyze/disseminate information
  • Slide 45/49: Bigger Scope - Intelligent Worms
    Worms meet AI
    Worm-infected hosts communicating in a p2p method
    Exchanging information on targeting, propagation, or new infection methods
    Agent-like behavior
  • Slide 46/49: Bigger Scope - Multi-Platform / OS Worms
    Multi-OS shellcode
    Attacking multiple different vulnerabilities on multiple platforms
    Single worm code, large attackable base
  • Slide 47/49: Questions and Answers?
  • Slide 48/49: References
    eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html
    eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html
  • Slide 49/49: Contact Information
    Ryan Permeh - [email protected]
    Dale Coddington - [email protected]