490 likes | 614 Views
Decoding and Understanding Internet Worms. Presented by Ryan Permeh & Dale Coddington. Course Overview. Basic overview / history of worms Worm analysis techniques Worms – under the hood Worm defense techniques The future of worms Questions and answers. Basic Overview / History of Worms.
E N D
Decoding and Understanding Internet Worms Presented by Ryan Permeh & Dale Coddington
Course Overview • Basic overview / history of worms • Worm analysis techniques • Worms – under the hood • Worm defense techniques • The future of worms • Questions and answers
Internet Worms-Defined A worm is a self propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts
Internet Worms-Who Writes Them • Hacker/Crackers • Researchers • Virus Writers
Internet Worms-Worms vs. Viruses • Viruses require interaction • Worms act on their own • Viruses use social attacks • Worms use technical attacks
Internet Worms-History • Morris Internet Worm • Released in 1998 • Overloaded VAX and Sun machines with invisible processes • 99 line program written by 23 year old Robert Tappan Morris • Exploit xyz
Internet Worms-History • First worms were actually designed and released in the 1980’s • Worms were non-destructive and generally were released to perform helpful network tasks • Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power
Internet Worms-History • Eventually negative aspects of worms came to light • An internal Xerox worm had crashed all the computers in a particular research center • When machines were restarted the worm re-propagted and crashed the machines again
Worm Analysis Techniques-Capture: Capturing from the Network • Sniffers • IDS • Netcat Listeners • Specialized Servers (earlybird, etc)
Worm Analysis Techniques-Capture: Capturing from Memory • Memory Dumps • Memory Searches • Crashing to preserve memory
Worm Analysis Techniques-Capture: Capturing from Disk • File searches • File monitoring • Open handles • Email • Replicated/Infected files
Worm Analysis Techniques-Dissection / Disassembly: Loading • Loading files in ida • Initial Settings • Trojans vs. Exploit Style worms • Trojans load as programs • Exploits load as baseless code
Worm Analysis Techniques-Dissection / Disassembly: Defining • Setting variables • Examining functions • Examining imports • Examining Strings • Define flow of code
Worm Analysis Techniques-Dissection / Disassembly: Drilling • Finding important code • Via imports • Via calls • Via strings
Worm Analysis Techniques-Debugging as a Disassembly Aid • Examining in memory constructs • Runtime factors • decryption/decoding • Variable sets, variable data • External factors, not in a void
Worm Analysis Techniques-Attaching to Worm Infected Processes • Attach to process • Debugging running processes • Finding worm code in process • Forcing breaks in worm code
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Isolation • Disconnected • Replicate important services • Attempt to simulate real environment
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Infection • Netcat injection • Poison servers/clients • Turn off AV, turn on tools
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis • Debuggers • VC6 debugger • Softice • Windbg • Dissassemblers • IDA
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis • Filemon • Regmon • TCPView Pro • Procdump
Worms Under the Hood-Code Red I: Infection • IDA vulnerability • Sent entire copy in HTTP GET data • Static worm
Worms Under the Hood-Code Red I: Propagation • 100 threads of propagation • HTTP spread • Use in-memory copy
Worms Under the Hood-Code Red I: Payload • Attack whitehouse.gov • Hook web page delivery
Worms Under the Hood-Code Red II: Infection • Ida vulnerability • Similar to code red I • Leaves a trojan
Worms Under the Hood-Code Red II: Propagation • Statistical distribution of random address, favoring topologically closer hosts
Worms Under the Hood-Code Red II: Payload • Trojan Horse • Trojan embedded in worm • Simple compression • Modifies web dirs • Multiple system weakenings • Adds cmd.exe in web roots
Worms Under the Hood-Nimda: Infection • Outlook/IE vulnerability • Unicode • Double Decode • Open shares
Worms Under the Hood-Nimda: Propagation • Email • Open shares • Web servers
Worms Under the Hood-Nimda: Payload • Opens guest share • Infects system binaries • Adds Registry keys • Adds itself to system startup
Global Alerts / Dissemination-Standard Reporting Mechanisms There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency
Global Alerts / Dissemination-Data Sharing • Individual Network sensors sharing data with a central network console • Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS • Sharing data between stores at ARIS,CERT,SANS and others
Global Alerts / Dissemination-Statistical Analysis • Having All the data poses new problems • Reduction of duplicate datasets • Large scale statistical analysis • Storage, processing, and network resources can be large • Worms have distinct statistical signatures
Environment-Modifying Aspects of a Worms Environment • Lysine Deficiencies • Monoculture • Assumptions • Network addresses • Memory locations • Architecture
Counter Worms-Using Aspects of a Worm to stop the Spread • Using same propagation • Contains a fix, or code needed to identify • Should contain extreme limits • Generally not well regarded
Multiple Attack Vectors-Client and Server-Side Flaws • Buffer overflows • Format string attacks • Design flaws • Open shares • Misconfigurations
Encryption/Obfuscation/Polymorphism-Covert Channel / Stealth Worms • Hiding in plain sight • ICMP • Encoding in normal data stream • Nonstandard
Encryption/Obfuscation/Polymorphism-Keyed Payloads • Keying a worm before sending, requiring the worm to “call back” to decode itself. • Clear text worm never transmits • Higher chance of missing key transmissions, less likely to get a worm to disassemble
Encryption/Obfuscation/Polymorphism-Standard Polymorphic/Mutation Techniques • Worms meet viruses • Continuously changing itself • Brute forcing new offsets • Adapting to the environment to become “more fit”
Bigger Scope-Flash Worms • Faster, more accurate spread • Complete spread of all possible targets in 5-20 minutes • Very low false positive rate • Too fast to analyze/disseminate information
Bigger Scope-Intelligent Worms • Worms meet AI • Worm infected hosts communicating in a p2p method • Exchanging information on targeting, propagation, or new infection methods • Agent-like behavior
Bigger Scope-Multi-Platform / OS Worms • Multi-OS shell code • Attacking multiple different vulnerabilities on multiple platforms • Single worm code, large attackable base
References • eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html • eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html
Contact Information • Ryan Permeh- ryan@eEye.com • Dale Coddington dalec@eEye.com