Overview Overview What is a worm? What is a worm? Origin? Origin? How does it propagate? How does it propagate? How does it take up resources of an How does it take up resources of an infected node? infected node? “ “Deworming” an infected machine Deworming” an infected machine
Definition and Origin Definition and Origin A worm is a program A worm is a program that can run by itself and that can run by itself and can propagate a fully working version of itself to other can propagate a fully working version of itself to other machines. machines. First worm that ever surfaced is RTM(1998) First worm that ever surfaced is RTM(1998) RTM=Robert T. Moris, author of the program. RTM=Robert T. Moris, author of the program. Propagated by exploiting vunerabilities in Unix systems. Propagated by exploiting vunerabilities in Unix systems. Compiled and run new instances of itself on these systems. Compiled and run new instances of itself on these systems. Other worms Other worms Raman worm (2000) Raman worm (2000) Code Red (September 2001 - Windows) Code Red (September 2001 - Windows) Nimda (2001) Nimda (2001) Apache Scalper (June 2002) Apache Scalper (June 2002)
Apache Scalper worm Apache Scalper worm Appeared in June 2002 Appeared in June 2002 Turns system to a node of a P2P network Turns system to a node of a P2P network Features Features Launch denial of service attack. Launch denial of service attack. Send multiple email messages (spam). Send multiple email messages (spam). Run arbitrary commands on the compromised system. Run arbitrary commands on the compromised system. Upgrade the node worm program. Upgrade the node worm program. Communication by simple P2P networking Communication by simple P2P networking protocol protocol Internodes communication Internodes communication Communication between nodes and controlling program Communication between nodes and controlling program – Carried over UDP Carried over UDP
The slapper worm The slapper worm Surfaced in Romania in 2002. Surfaced in Romania in 2002. Variant of the Apache Scalper worm. Variant of the Apache Scalper worm. Comparing source code. Comparing source code. Slapper worm more robust and efficient in it’s Slapper worm more robust and efficient in it’s peer to peer network capabilities than Apache peer to peer network capabilities than Apache Scalper worm. Scalper worm. Some fatures of apache removed Some fatures of apache removed – Self updating Self updating – Sending spam Sending spam Distributed Denial of Service Agent Distributed Denial of Service Agent Backdoor Backdoor Propagation using UDP Propagation using UDP
Reliability layer Reliability layer Adds header to packet Adds header to packet Singned character (1=message,0=ack). Singned character (1=message,0=ack). Copy of sent messages in message queue for Copy of sent messages in message queue for reliable communication. reliable communication. Message in queue contains(last 128 messages) Message in queue contains(last 128 messages) Message ID Message ID Time of first sent and time of last sent. Time of first sent and time of last sent. Destination IP address Destination IP address UDP port number UDP port number – Protection against sending or receiving and acting on same Protection against sending or receiving and acting on same message twice. message twice. – Deletion of message. Deletion of message.
Initialization Initialization New node sends join network command to New node sends join network command to parent. parent. Parent responds with a your IP address command. Parent responds with a your IP address command. Broadcasting to other nodes. Broadcasting to other nodes. Empty list of known nodes in new node? Empty list of known nodes in new node? » Failure communication with parent Failure communication with parent Node sends join network request every 60 seconds Node sends join network request every 60 seconds Node split after complete failure to join Node split after complete failure to join network. network.
Routing Routing Node wants to send a command or message to Node wants to send a command or message to another node. another node. Command encapsulated in “route” command. Command encapsulated in “route” command. Contains Contains – Destination’s IP address Destination’s IP address – Minimum number of hops(H) Minimum number of hops(H) Bouncing Bouncing – 0 <# hops >16 0 <# hops >16 destination IP else destination IP else two random nodes. two random nodes. – Anonymity. Anonymity. Segmentation Segmentation Route command sent to at least two nodes at every hop. Route command sent to at least two nodes at every hop. Destination node receives 2^H commands. Destination node receives 2^H commands. Duplicates command likely to be processed. Duplicates command likely to be processed.
Synchronisation and Synchronisation and Broadcasting Broadcasting Broadcasting: Broadcasting: To announce the presece of a new node. To announce the presece of a new node. Destination IP set to zero. Destination IP set to zero. Broadcast segmentation Broadcast segmentation 2 random nodes 2 random nodes Synchronisation: Synchronisation: To keep nodes up to date with present number of nodes in To keep nodes up to date with present number of nodes in network. network. Broadcasting of null route command approximately every 10 Broadcasting of null route command approximately every 10 mins. mins. Null route command contains present number of nodes in Null route command contains present number of nodes in network. network. Next Next
Exploit and propagate Exploit and propagate mod_ssl exploit OpenSSL (30/07/2002) mod_ssl exploit OpenSSL (30/07/2002) – Long SSL2 key argument -> buffer overflow Long SSL2 key argument -> buffer overflow In 3 months different versions In 3 months different versions – Slapper, Cinik, Unlock, Linux.DevNull Slapper, Cinik, Unlock, Linux.DevNull – Discussion open source Discussion open source » Good for both use and abuse Good for both use and abuse Brett Glass: Brett Glass: – “ “Upgrading may prevent your system from being Upgrading may prevent your system from being taken over, but --> berserk network load, DoS” taken over, but --> berserk network load, DoS”
Exploit Exploit 3 steps 3 steps – A] identify target A] identify target » Sends invalid GET request (HTTP:80) Sends invalid GET request (HTTP:80) » => Apache version + OS => Apache version + OS – B] locate heap in Apache process address space B] locate heap in Apache process address space – C] “injected with a poison” (spawn /bin/sh) C] “injected with a poison” (spawn /bin/sh) [B&C]: attack buffer must contain absolute absolute address of the shell code address of the shell code [B&C]: attack buffer must contain (hardly predictable across all servers) (hardly predictable across all servers)
B] Buffer overflow B] Buffer overflow Heap-located ( <-> stack-based ) Heap-located ( <-> stack-based ) – Global Offset Table Global Offset Table » holds addresses of the library functions to call holds addresses of the library functions to call – Key argument > 8 bytes Key argument > 8 bytes – Victim parses packet data Victim parses packet data » get_client_master_key() - libssl, no boundary check get_client_master_key() - libssl, no boundary check » Overwriting info following key_arg Overwriting info following key_arg » In SSL_SESSION structure AND heap management data In SSL_SESSION structure AND heap management data
B] Buffer Overflow to locate heap
B] Buffer overflow B] Buffer overflow Heap-located ( <-> stack-based ) Heap-located ( <-> stack-based ) – Global Offset Table Global Offset Table » holds addresses of the library functions to call holds addresses of the library functions to call – Key argument > 8 bytes Key argument > 8 bytes – Victim parses packet data Victim parses packet data » get_client_master_key() - libssl, no boundary check get_client_master_key() - libssl, no boundary check » Overwriting info following key_arg Overwriting info following key_arg » In SSL_SESSION structure AND heap management data In SSL_SESSION structure AND heap management data
SSL_SESSION Structure on Heap SSL_SESSION Structure on Heap
B] Buffer overflow B] Buffer overflow => Location of heap revealed => Location of heap revealed key_arg[] buffer overflowed by 56 bytes (8+48), key_arg[] buffer overflowed by 56 bytes (8+48), up to the session_id_length field up to the session_id_length field Edit session_id_length -> 112 Edit session_id_length -> 112 – *cipher = encryption method *cipher = encryption method – *ciphers = structure after SSL_SESSION *ciphers = structure after SSL_SESSION
Recommend
More recommend
