eEye Digital Security Decoding and Understanding Internet Worms Presented by Ryan Permeh & Dale Coddington
Course Overview
I. Basic overview / history of worms
II. Worm analysis techniques
III. Worms – under the hood
IV. Worm defense techniques
V. The future of worms
VI. Questions and answers
Basic Overview / History of Worms
Internet Worms-Defined
A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.
Internet Worms-Who Writes Them
• Hacker/Crackers
• Researchers
• Virus Writers
Internet Worms-Worms vs. Viruses
• Viruses require interaction
• Worms act on their own
• Viruses use social attacks
• Worms use technical attacks
Internet Worms-History
• Morris Internet Worm
– Released in 1998
– Overloaded VAX and Sun machines with invisible processes
– 99 line program written by 23 year old Robert Tappan Morris
– Exploit xyz
Internet Worms-History
• First worms were actually designed and released in the 1980’s
• Worms were non-destructive and generally were released to perform helpful network tasks
– Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power
Internet Worms-History
• Eventually negative aspects of worms came to light
– An internal Xerox worm had crashed all the computers in a particular research center
– When machines were restarted the worm re-propagated and crashed the machines again
Worm Analysis Techniques
Worm Analysis Techniques-Capture: Capturing from the Network
• Sniffers
• IDS
• Netcat Listeners
• Specialized Servers (earlybird, etc)
Worm Analysis Techniques-Capture: Capturing from Memory
• Memory Dumps
• Memory Searches
• Crashing to preserve memory
Worm Analysis Techniques-Capture: Capturing from Disk
• File searches
• File monitoring
• Open handles
• Replicated/Infected files
Worm Analysis Techniques-Dissection / Disassembly: Loading
• Loading files in IDA
• Initial Settings
• Trojans vs. Exploit Style worms
– Trojans load as programs
– Exploits load as baseless code
Worm Analysis Techniques-Dissection / Disassembly: Defining
• Setting variables
• Examining functions
• Examining imports
• Examining Strings
• Define flow of code
Worm Analysis Techniques-Dissection / Disassembly: Drilling
• Finding important code
– Via imports
– Via calls
– Via strings
Worm Analysis Techniques-Debugging as a Disassembly Aid
• Examining in memory constructs
• Runtime factors
– Decryption/decoding
– Variable sets, variable data
– External factors, not in a void
Worm Analysis Techniques-Attaching to Worm Infected Processes
• Attach to process
• Debugging running processes
• Finding worm code in process
• Forcing breaks in worm code
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Isolation
• Disconnected
• Replicate important services
• Attempt to simulate real environment
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Infection
• Netcat injection
• Poison servers/clients
• Turn off AV, turn on tools
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis
• Debuggers
– VC6 debugger
– Softice
– Windbg
• Disassemblers
– IDA
Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis
• Filemon
• Regmon
• TCPView Pro
• Procdump
Worms – Under the Hood
Worms Under the Hood-Code Red I: Infection
• IDA vulnerability
• Sent entire copy in HTTP GET data
• Static worm
Worms Under the Hood-Code Red I: Propagation
• 100 threads of propagation
• HTTP spread
• Use in-memory copy
Worms Under the Hood-Code Red I: Payload
• Attack whitehouse.gov
• Hook web page delivery
Worms Under the Hood-Code Red II: Infection
• IDA vulnerability
• Similar to code red I
• Leaves a trojan
Worms Under the Hood-Code Red II: Propagation
• Statistical distribution of random address, favoring topologically closer hosts
Worms Under the Hood-Code Red II: Payload
• Trojan Horse
– Trojan embedded in worm
– Simple compression
– Modifies web dirs
– Multiple system weakenings
• Adds cmd.exe in web roots
Worms Under the Hood-Nimda: Infection
• Outlook/IE vulnerability
• Unicode
• Double Decode
• Open shares
Worms Under the Hood-Nimda: Propagation
• Open shares
• Web servers
Worms Under the Hood-Nimda: Payload
• Opens guest share
• Infects system binaries
• Adds Registry keys
• Adds itself to system startup
Worm Defense Techniques
Global Alerts / Dissemination-Standard Reporting Mechanisms
There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.
Global Alerts / Dissemination-Data Sharing
• Individual Network sensors sharing data with a central network console
• Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
• Sharing data between stores at ARIS,CERT,SANS and others
Global Alerts / Dissemination-Statistical Analysis
• Having all the data poses new problems
– Reduction of duplicate datasets
– Large scale statistical analysis
– Storage, processing, and network resources can be large
• Worms have distinct statistical signatures
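The two steps above, reducing duplicate sensor data and then looking for a worm's statistical signature, worked through on constructed sensor reports as an added example that is not from the slides. Sensor names, addresses, the 2-second duplicate window and the fan-out threshold of 5 are all assumptions; the signature used is the one a scanning worm leaves, many distinct destinations on one port from a single source.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sensor reports (time in seconds, sensor, src, dst, dport); not
# real data. Two sensors overlap, so some connections are reported twice, and
# 10.0.0.7 shows the fan-out to many distinct hosts on one port that marks
# a scanning worm, while 10.0.0.9 is an ordinary client revisiting two servers.
Report = Tuple[int, str, str, str, int]
REPORTS: List[Report] = [
    (0, "sensorA", "10.0.0.7", "10.0.1.1", 80),
    (0, "sensorB", "10.0.0.7", "10.0.1.1", 80),  # same connection, 2nd sensor
    (1, "sensorA", "10.0.0.7", "10.0.1.2", 80),
    (1, "sensorB", "10.0.0.7", "10.0.1.2", 80),  # duplicate
    (2, "sensorA", "10.0.0.7", "10.0.1.3", 80),
    (3, "sensorA", "10.0.0.7", "10.0.1.4", 80),
    (4, "sensorA", "10.0.0.7", "10.0.1.5", 80),
    (0, "sensorA", "10.0.0.9", "10.0.2.1", 80),
    (5, "sensorA", "10.0.0.9", "10.0.2.1", 80),
    (6, "sensorA", "10.0.0.9", "10.0.2.2", 80),
    (9, "sensorB", "10.0.0.9", "10.0.2.1", 80),
]

def deduplicate(reports: List[Report], window_s: int = 2) -> List[Report]:
    """Keep one copy of each (src, dst, dport) seen by any sensor within
    window_s seconds; later repeats of the same flow are kept as new events."""
    last_kept: Dict[Tuple[str, str, int], int] = {}
    kept = []
    for report in sorted(reports):
        t, _sensor, src, dst, dport = report
        key = (src, dst, dport)
        if key in last_kept and t - last_kept[key] <= window_s:
            continue
        last_kept[key] = t
        kept.append(report)
    return kept

def fanout(reports: List[Report]) -> Dict[Tuple[str, int], int]:
    """Distinct destinations contacted per (src, dport): the worm signature."""
    dsts = defaultdict(set)
    for _t, _sensor, src, dst, dport in reports:
        dsts[(src, dport)].add(dst)
    return {key: len(v) for key, v in dsts.items()}

def suspected_scanners(reports: List[Report], min_fanout: int = 5,
                       window_s: int = 2) -> List[Tuple[str, int]]:
    """(src, dport) pairs whose deduplicated fan-out reaches min_fanout."""
    stats = fanout(deduplicate(reports, window_s))
    return sorted(key for key, n in stats.items() if n >= min_fanout)
```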
Environment-Modifying Aspects of a Worm's Environment
• Lysine Deficiencies
• Monoculture
• Assumptions
– Network addresses
– Memory locations
– Architecture
Counter Worms-Using Aspects of a Worm to stop the Spread
• Using same propagation
• Contains a fix, or code needed to identify
• Should contain extreme limits
• Generally not well regarded
The Future of Worms
Multiple Attack Vectors-Client and Server-Side Flaws
• Buffer overflows
• Format string attacks
• Design flaws
• Open shares
• Misconfigurations
Encryption/Obfuscation/Polymorphism-Covert Channel / Stealth Worms
• Hiding in plain sight
• ICMP
• Encoding in normal data stream
• Nonstandard
Encryption/Obfuscation/Polymorphism-Keyed Payloads
• Keying a worm before sending, requiring the worm to “call back” to decode itself.
• Clear text worm never transmits
• Higher chance of missing key transmissions, less likely to get a worm to disassemble
Encryption/Obfuscation/Polymorphism-Standard Polymorphic/Mutation Techniques
• Worms meet viruses
• Continuously changing itself
• Brute forcing new offsets
• Adapting to the environment to become “more fit”
Bigger Scope-Flash Worms
• Faster, more accurate spread
• Complete spread of all possible targets in 5-20 minutes
• Very low false positive rate
• Too fast to analyze/disseminate information
Bigger Scope-Intelligent Worms
• Worms meet AI
• Worm infected hosts communicating in a p2p method
• Exchanging information on targeting, propagation, or new infection methods
• Agent-like behavior
Bigger Scope-Multi-Platform / OS Worms
• Multi-OS shell code
• Attacking multiple different vulnerabilities on multiple platforms
• Single worm code, large attackable base
Questions and Answers?
References
• eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html
• eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html
Contact Information
• Ryan Permeh-
• Dale Coddington