decoding and understanding internet worms
TRANSCRIPT
8/14/2019 Decoding and Understanding Internet Worms
1/49
eEye Digital Security
Decoding and Understanding Internet Worms
Presented by Ryan Permeh & Dale Coddington
http://www.eeye.com/html/index.html
Course Overview
I. Basic overview / history of worms
II. Worm analysis techniques
III. Worms under the hood
IV. Worm defense techniques
V. The future of worms
VI. Questions and answers
Basic Overview / History of Worms
Internet Worms - Defined
A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.
Internet Worms - Who Writes Them
Hackers/Crackers
Researchers
Virus Writers
Internet Worms - Worms vs. Viruses
Viruses require interaction
Worms act on their own
Viruses use social attacks
Worms use technical attacks
Internet Worms - History
Morris Internet Worm
Released in 1998
Overloaded VAX and Sun machines with invisible processes
99-line program written by 23-year-old Robert Tappan Morris
Exploit xyz
Internet Worms - History
First worms were actually designed and released in the 1980s
Worms were non-destructive and generally were released to perform helpful network tasks
Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power
Internet Worms - History
Eventually negative aspects of worms came to light
An internal Xerox worm had crashed all the computers in a particular research center
When machines were restarted, the worm re-propagated and crashed the machines again
Worm Analysis Techniques
Worm Analysis Techniques - Capture: Capturing from the Network
Sniffers
IDS
Netcat listeners
Specialized servers (earlybird, etc.)
Worm Analysis Techniques - Capture: Capturing from Memory
Memory Dumps
Memory Searches
Crashing to preserve memory
Worm Analysis Techniques - Capture: Capturing from Disk
File searches
File monitoring
Open handles
Email
Replicated/infected files
Worm Analysis Techniques - Dissection / Disassembly: Loading
Loading files in IDA
Initial settings
Trojans vs. exploit-style worms
Trojans load as programs
Exploits load as baseless code
Worm Analysis Techniques - Dissection / Disassembly: Defining
Setting variables
Examining functions
Examining imports
Examining strings
Define flow of code
Worm Analysis Techniques - Dissection / Disassembly: Drilling
Finding important code
Via imports
Via calls
Via strings
Worm Analysis Techniques - Debugging as a Disassembly Aid
Examining in-memory constructs
Runtime factors
Decryption/decoding
Variable sets, variable data
External factors, not in a void
Worm Analysis Techniques - Attaching to Worm-Infected Processes
Attach to process
Debugging running processes
Finding worm code in process
Forcing breaks in worm code
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Isolation
Disconnected
Replicate important services
Attempt to simulate real environment
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Infection
Netcat injection
Poison servers/clients
Turn off AV, turn on tools
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
Debuggers
VC6 debugger
SoftICE
WinDbg
Disassemblers
IDA
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
Filemon
Regmon
TCPView Pro
Procdump
Worms Under the Hood
Worms Under the Hood - Code Red I: Infection
.ida vulnerability
Sent entire copy in HTTP GET data
Static worm
Worms Under the Hood - Code Red I: Propagation
100 threads of propagation
HTTP spread
Use in-memory copy
Worms Under the Hood - Code Red I: Payload
Attack whitehouse.gov
Hook web page delivery
Worms Under the Hood - Code Red II: Infection
.ida vulnerability
Similar to Code Red I
Leaves a trojan
Worms Under the Hood - Code Red II: Propagation
Statistical distribution of random addresses, favoring topologically closer hosts
Worms Under the Hood - Code Red II: Payload
Trojan horse
Trojan embedded in worm
Simple compression
Modifies web dirs
Multiple system weakenings
Adds cmd.exe in web roots
Worms Under the Hood - Nimda: Infection
Outlook/IE vulnerability
Unicode
Double Decode
Open shares
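The Unicode and Double Decode flaws named above are canonicalization failures: the server checked a request path before it was fully decoded, so the check and the filesystem saw different paths. As an added example, not code from the eEye deck, the following Python puts the flawed single-decode check beside a hardened canonicalizer that decodes to a fixed point and confines the result to a web root; the `/inetpub/wwwroot` root and the sample request paths are constructed for the demo.

```python
"""Added example (not eEye's code): canonicalise a request path so the access
check sees what the filesystem will see. Shows the two Nimda-era decoding flaws
on the slide: overlong 'Unicode' UTF-8 for '/' and double decoding (%255c)."""
import posixpath
from urllib.parse import unquote_to_bytes

WEB_ROOT = "/inetpub/wwwroot"  # hypothetical document root for the demo

class BadPath(ValueError):
    """Raised when a request path must not be served."""

def decode_once(path: str) -> str:
    try:
        # Strict UTF-8 rejects overlong sequences such as %c0%af for '/'.
        return unquote_to_bytes(path).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadPath("invalid UTF-8 in path") from exc

def canonicalize(path: str, web_root: str = WEB_ROOT) -> str:
    """Percent-decode to a fixed point, fold separators, resolve '..', confine."""
    current = path
    for _ in range(4):  # a legitimate path is at its fixed point after one pass
        decoded = decode_once(current)
        if decoded == current:
            break
        current = decoded
    else:
        raise BadPath("path still decoding after 4 passes")
    current = current.replace("\\", "/")  # Windows treats both as separators
    full = posixpath.normpath(posixpath.join(web_root, current.lstrip("/")))
    if full != web_root and not full.startswith(web_root + "/"):
        raise BadPath("path escapes the web root")
    return full

def naive_allows(path: str) -> bool:
    """The flawed check: decode once, look for a traversal sequence, then serve."""
    once = unquote_to_bytes(path).decode("latin-1")  # lenient, like the old server
    return "../" not in once and "..\\" not in once

def rejects(path: str) -> bool:
    try:
        canonicalize(path)
    except BadPath:
        return True
    return False
# Constructed request paths: one legitimate, two traversal attempts at win.ini.
LEGIT = "/images/logo%20v2.png"
DOUBLE_DECODE = "/scripts/..%255c..%255cwinnt/win.ini"
OVERLONG_UTF8 = "/scripts/..%c0%af..%c0%afwinnt/win.ini"
```

Both attack paths pass `naive_allows` because the traversal only appears after the second decode (or after a lenient UTF-8 decoder accepts the overlong form), while `canonicalize` rejects them and still serves the legitimate path.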
Worms Under the Hood - Nimda: Propagation
Email
Open shares
Web servers
Worms Under the Hood - Nimda: Payload
Opens guest share
Infects system binaries
Adds registry keys
Adds itself to system startup
Worm Defense Techniques
Global Alerts / Dissemination
Global Alerts / Dissemination - Standard Reporting Mechanisms
There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.
Global Alerts / Dissemination - Data Sharing
Individual network sensors sharing data with a central network console
Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
Sharing data between stores at ARIS, CERT, SANS and others
Global Alerts / Dissemination - Statistical Analysis
Having all the data poses new problems
Reduction of duplicate datasets
Large-scale statistical analysis
Storage, processing, and network resources can be large
Worms have distinct statistical signatures
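As an added example (not part of the eEye deck) covering the data-sharing and statistical-analysis slides above: Python that takes a constructed feed of connection events from two overlapping sensors, removes the duplicate reports at the central console, and then flags the fan-out that a scanning worm leaves behind, one source reaching many distinct destinations on one port in a short window. The sensor record format, the addresses and the thresholds are all assumed.

```python
"""Added example (not from the eEye deck): a scanning worm's 'distinct
statistical signature' is one source touching many distinct destinations on
one port in a short window. Sensor reports are de-duplicated, then checked."""
from collections import defaultdict

# Constructed sensor feed: "sensor,epoch_seconds,src,dst,dport".
# Sensor b overlaps sensor a, so some connections are reported twice.
SAMPLE_EVENTS = """\
a,1000,10.0.0.5,10.0.1.1,80
a,1001,10.0.0.5,10.0.1.2,80
b,1001,10.0.0.5,10.0.1.2,80
a,1002,10.0.0.5,172.16.4.9,80
a,1003,10.0.0.5,192.168.7.7,80
b,1003,10.0.0.5,192.168.7.7,80
a,1004,10.0.0.5,10.0.1.3,80
a,1005,10.0.0.5,10.9.9.9,80
a,1000,10.0.0.8,10.0.1.1,80
a,1040,10.0.0.8,10.0.1.1,80
b,1040,10.0.0.8,10.0.1.1,80
a,1090,10.0.0.8,10.0.2.2,443
"""

def parse_events(text):
    """Return (ts, src, dst, dport) tuples, dropping exact duplicates from other sensors."""
    seen = set()
    events = []
    for line in text.splitlines():
        _sensor, ts, src, dst, dport = line.split(",")
        key = (int(ts), src, dst, int(dport))  # sensor name is not part of the identity
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events

def fan_out_alerts(events, window=60, min_targets=5):
    """Per (src, dport): peak number of distinct dsts in any sliding window of `window` s."""
    per_source = defaultdict(list)
    for ts, src, dst, dport in events:
        per_source[(src, dport)].append((ts, dst))
    alerts = {}
    for key, hits in per_source.items():
        hits.sort()
        lo, peak = 0, 0
        for hi, (ts, _) in enumerate(hits):
            while ts - hits[lo][0] > window:  # slide the window's left edge forward
                lo += 1
            peak = max(peak, len({d for _, d in hits[lo:hi + 1]}))
        if peak >= min_targets:
            alerts[key] = peak
    return alerts
```

On the sample feed the three duplicate reports from sensor b are dropped, and only 10.0.0.5 on port 80 (six distinct destinations in six seconds) is flagged; the repeated connections from 10.0.0.8 to a single host do not count as fan-out.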
Environment - Modifying Aspects of a Worm's Environment
Lysine deficiencies
Monoculture
Assumptions
Network addresses
Memory locations
Architecture
Counter Worms - Using Aspects of a Worm to Stop the Spread
Using same propagation
Contains a fix, or code needed to identify
Should contain extreme limits
Generally not well regarded
The Future of Worms
Multiple Attack Vectors
Multiple Attack Vectors - Client and Server-Side Flaws
Buffer overflows
Format string attacks
Design flaws
Open shares
Misconfigurations
Encryption/Obfuscation/Polymorphism - Covert Channel / Stealth Worms
Hiding in plain sight
ICMP
Encoding in normal data stream
Nonstandard
Encryption/Obfuscation/Polymorphism - Keyed Payloads
Keying a worm before sending, requiring the worm to call back to decode itself.
Clear-text worm never transmits
Higher chance of missing key transmissions, less likely to get a worm to disassemble
Encryption/Obfuscation/Polymorphism - Standard Polymorphic/Mutation Techniques
Worms meet viruses
Continuously changing itself
Brute forcing new offsets
Adapting to the environment to become more fit
Bigger Scope - Flash Worms
Faster, more accurate spread
Complete spread of all possible targets in 5-20 minutes
Very low false positive rate
Too fast to analyze/disseminate information
Bigger Scope - Intelligent Worms
Worms meet AI
Worm-infected hosts communicating in a p2p method
Exchanging information on targeting, propagation, or new infection methods
Agent-like behavior
Bigger Scope - Multi-Platform / OS Worms
Multi-OS shell code
Attacking multiple different vulnerabilities on multiple platforms
Single worm code, large attackable base
Questions and Answers?
References
eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html
eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html
Contact Information
Ryan Permeh-
Dale Coddington
http://www.eeye.com/html/index.html