Overview: What is a worm? Origin? - PowerPoint PPT Presentation



SLIDE 1

Overview

• What is a worm?
• Origin?
• How does it propagate?
• How does it take up resources of an infected node?
• “Deworming” an infected machine

SLIDE 2

Definition and Origin

• A worm is a program
  – that can run by itself and
  – can propagate a fully working version of itself to other machines.
• First worm that ever surfaced is RTM (1998)
  – RTM = Robert T. Morris, author of the program.
  – Propagated by exploiting vulnerabilities in Unix systems.
  – Compiled and ran new instances of itself on these systems.
• Other worms
  – Ramen worm (2000)
  – Code Red (September 2001 - Windows)
  – Nimda (2001)
  – Apache Scalper (June 2002)

SLIDE 3

Apache Scalper worm

• Appeared in June 2002
• Turns the system into a node of a P2P network
• Features
  – Launch denial of service attacks.
  – Send multiple email messages (spam).
  – Run arbitrary commands on the compromised system.
  – Upgrade the node's worm program.
• Communication by a simple P2P networking protocol
  – Inter-node communication
  – Communication between nodes and the controlling program
    » Carried over UDP

SLIDE 4

The Slapper worm

• Surfaced in Romania in 2002.
• Variant of the Apache Scalper worm.
• Comparing source code:
  – Slapper worm more robust and efficient in its peer-to-peer network capabilities than the Apache Scalper worm.
  – Some features of Apache Scalper removed
    » Self updating
    » Sending spam
• Distributed Denial of Service agent
• Backdoor
• Propagation using UDP

SLIDE 5

Reliability layer

• Adds a header to each packet
  – Signed character (1 = message, 0 = ack).
• Copy of sent messages kept in a message queue for reliable communication.
• Message queue contains (last 128 messages)
  – Message ID
  – Time of first send and time of last send.
  – Destination IP address
  – UDP port number
  – Protection against sending, or receiving and acting on, the same message twice.
  – Deletion of message.

SLIDE 6

Initialization

• New node sends a join network command to its parent.
• Parent responds with a your IP address command.
• Broadcasting to other nodes.
• Empty list of known nodes in the new node?
  » Failure of communication with parent
• Node sends a join network request every 60 seconds
• Node split after complete failure to join the network.

SLIDE 7

Routing

• Node wants to send a command or message to another node.
• Command encapsulated in a “route” command.
• Contains
  – Destination’s IP address
  – Minimum number of hops (H)
• Bouncing
  – #hops not in (0, 16] → destination IP, else → two random nodes.
  – Anonymity.
• Segmentation
  – Route command sent to at least two nodes at every hop.
  – Destination node receives 2^H commands.
  – Duplicate commands likely to be processed.

SLIDE 8

Synchronisation and Broadcasting

• Broadcasting:
  – To announce the presence of a new node.
  – Destination IP set to zero.
  – Broadcast segmentation → 2 random nodes
• Synchronisation:
  – To keep nodes up to date with the present number of nodes in the network.
  – Broadcasting of a null route command approximately every 10 mins.
  – Null route command contains the present number of nodes in the network.
• Next

SLIDE 9

Exploit and propagate

• mod_ssl exploit, OpenSSL (30/07/2002)
  – Long SSL2 key argument -> buffer overflow
• In 3 months, different versions
  – Slapper, Cinik, Unlock, Linux.DevNull
  – Discussion: open source
    » Good for both use and abuse
• Brett Glass:
  – “Upgrading may prevent your system from being taken over, but --> berserk network load, DoS”

SLIDE 10

Exploit

• 3 steps
  – A] identify target
    » Sends invalid GET request (HTTP:80)
    » => Apache version + OS
  – B] locate heap in Apache process address space
  – C] “injected with a poison” (spawn /bin/sh)
• [B&C]: attack buffer must contain the absolute address of the shell code (hardly predictable across all servers)

SLIDE 11

B] Buffer overflow

• Heap-located ( <-> stack-based )
  – Global Offset Table
    » holds addresses of the library functions to call
  – Key argument > 8 bytes
  – Victim parses packet data
    » get_client_master_key() - libssl, no boundary check
    » Overwriting info following key_arg
    » In SSL_SESSION structure AND heap management data

SLIDE 12

B] Buffer Overflow to locate heap

SLIDE 13

B] Buffer overflow


SLIDE 14

SSL_SESSION Structure on Heap

SLIDE 15

B] Buffer overflow

• => Location of heap revealed
• key_arg[] buffer overflowed by 56 bytes (8+48), up to the session_id_length field
• Edit session_id_length -> 112
  – *cipher = encryption method
  – *ciphers = structure after SSL_SESSION
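As an added example (not code from the slides or from the worm), a defender-side Python check that parses a captured SSLv2 CLIENT-MASTER-KEY record and flags a KEY-ARG-LENGTH larger than the 8-byte key_arg[] buffer that get_client_master_key() copied into without a boundary check. The record and message layout follow the SSLv2 specification; the sample records are constructed here.

```python
import struct

MSG_CLIENT_MASTER_KEY = 0x02
SSL_MAX_KEY_ARG_LENGTH = 8  # size of key_arg[] inside libssl's SSL_SESSION

def parse_ssl2_record(data):
    """Return (body, bytes consumed). First byte with the high bit set means a
    2-byte record header; otherwise a 3-byte header whose third byte is padding."""
    if len(data) < 2:
        raise ValueError("truncated SSLv2 record header")
    if data[0] & 0x80:
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:
        if len(data) < 3:
            raise ValueError("truncated SSLv2 record header")
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) != length:
        raise ValueError("record length exceeds captured bytes")
    return body, hdr + length

def parse_client_master_key(body):
    """Decode the fixed fields: type, CIPHER-KIND (3 bytes), three 16-bit lengths."""
    if not body or body[0] != MSG_CLIENT_MASTER_KEY:
        raise ValueError("not a CLIENT-MASTER-KEY message")
    if len(body) < 10:
        raise ValueError("truncated CLIENT-MASTER-KEY header")
    clear_len, enc_len, key_arg_len = struct.unpack(">HHH", body[4:10])
    return {"cipher_kind": int.from_bytes(body[1:4], "big"),
            "clear_key_len": clear_len, "enc_key_len": enc_len,
            "key_arg_len": key_arg_len}

def oversized_key_arg(record):
    """True when the client advertises more KEY-ARG bytes than key_arg[] can hold,
    the condition get_client_master_key() failed to check."""
    body, _ = parse_ssl2_record(record)
    return parse_client_master_key(body)["key_arg_len"] > SSL_MAX_KEY_ARG_LENGTH

def build_client_master_key(clear, enc, key_arg):
    """Constructed sample record (CIPHER-KIND 0x010080 = SSL2 RC4-128 with MD5)."""
    body = bytes([MSG_CLIENT_MASTER_KEY]) + b"\x01\x00\x80"
    body += struct.pack(">HHH", len(clear), len(enc), len(key_arg)) + clear + enc + key_arg
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# Constructed samples: a benign 8-byte key argument, and a 64-byte one
# (8 legitimate + the slides' 56-byte overrun) made of plain filler, no payload.
BENIGN = build_client_master_key(b"", b"\x00" * 128, b"\x11" * 8)
OVERLONG = build_client_master_key(b"", b"\x00" * 128, b"A" * 64)
```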

SLIDE 16

SLIDE 17

C] Second overflow (-> /bin/sh)

• 1. Corrupt heap management data after key_arg[]
  – 24 bytes data (AAAAA... , p -> NULL, *cipher)
  – 124 bytes shell code
• 2. Abuse free() to redirect control to shell code
  – ~glibc

SLIDE 18

SLIDE 19

SSL_SESSION Structure after C]

SLIDE 20

Propagate

• Try to get root after [C] (setuid)
• Download source code from parent
• Compile => party on
• Slapper == DDoS and Backdoor agent