eEye Digital Security
Decoding and Understanding Internet Worms
Presented by Ryan Permeh & Dale Coddington
Course Overview
I. Basic overview / history of worms
II. Worm analysis techniques
III. Worms – under the hood
IV. Worm defense techniques
V. The future of worms
VI. Questions and answers
Basic Overview / History of Worms
Internet Worms - Defined
A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.
Internet Worms - Who Writes Them
• Hackers/Crackers
• Researchers
• Virus Writers
Internet Worms - Worms vs. Viruses
• Viruses require interaction
• Worms act on their own
• Viruses use social attacks
• Worms use technical attacks
Internet Worms - History
• Morris Internet Worm
  – Released in 1998
  – Overloaded VAX and Sun machines with invisible processes
  – 99-line program written by 23-year-old Robert Tappan Morris
  – Exploit xyz
Internet Worms - History
• First worms were actually designed and released in the 1980s
• Worms were non-destructive and generally were released to perform helpful network tasks
  – Vampire worm: idle during the day; at night it would use spare CPU cycles to perform complex tasks that required the extra computing power
Internet Worms - History
• Eventually negative aspects of worms came to light
  – An internal Xerox worm had crashed all the computers in a particular research center
  – When machines were restarted the worm re-propagated and crashed the machines again
Worm Analysis Techniques
Worm Analysis Techniques - Capture: Capturing from the Network
• Sniffers
• IDS
• Netcat Listeners
• Specialized servers (earlybird, etc.)
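As an added example (not from the slides, and not eEye code), here is the "netcat listener" capture idea as a small Python server: it listens on a port the worm under study is known to probe, never answers, records whatever the peer sends to disk under its SHA-256 hash, and appends the peer address to a side file so that the same payload arriving from many sources is stored once. The port, directory layout and size caps are my own choices.

```python
"""Capture listener in the spirit of a netcat listener (added example, not from the slides)."""
import hashlib
import os
import socket
import socketserver
import tempfile
import threading


def record_capture(data: bytes, outdir: str, peer: str) -> str:
    """Store `data` once per distinct payload (named by SHA-256) and log which peer sent it.

    Returns the path of the payload file. A second identical payload from another
    peer only adds a line to the `.sources` side file, which is the cheapest
    possible duplicate reduction when many sensors see the same worm.
    """
    os.makedirs(outdir, exist_ok=True)
    digest = hashlib.sha256(data).hexdigest()
    path = os.path.join(outdir, digest + ".bin")
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(data)
    with open(path + ".sources", "a", encoding="ascii") as fh:
        fh.write(peer + "\n")
    return path


class CaptureHandler(socketserver.BaseRequestHandler):
    """Read what the peer sends (up to a cap), never answer, and save it."""

    MAX_BYTES = 1 << 20  # cap per connection so a noisy scanner cannot fill the disk
    IDLE_TIMEOUT = 2.0   # seconds of silence before we give up on the peer

    def handle(self):
        self.request.settimeout(self.IDLE_TIMEOUT)
        chunks, total = [], 0
        while total < self.MAX_BYTES:
            try:
                chunk = self.request.recv(4096)
            except socket.timeout:
                break
            if not chunk:        # peer closed the connection
                break
            chunks.append(chunk)
            total += len(chunk)
        path = record_capture(b"".join(chunks), self.server.outdir, self.client_address[0])
        self.server.captures.append(path)


class CaptureServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, outdir):
        super().__init__(address, CaptureHandler)
        self.outdir = outdir
        self.captures = []   # paths of payload files, in arrival order


def serve_in_background(host="127.0.0.1", port=0, outdir=None):
    """Start the listener on a background thread; port 0 lets the OS pick a free port."""
    outdir = outdir or tempfile.mkdtemp(prefix="captures-")
    server = CaptureServer((host, port), outdir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Listen on the port the worm under study probes (8080 is an arbitrary choice here).
    srv = serve_in_background(host="0.0.0.0", port=8080)
    print("listening on", srv.server_address, "writing captures to", srv.outdir)
    threading.Event().wait()
```

Run it on an isolated host that you expect infected machines to scan; the `.sources` files then give you the list of scanning peers per distinct payload without keeping thousands of identical copies. For a worm that sends its entire body in one request (the Code Red I case later in the deck), the saved `.bin` file is directly the input for disassembly.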
Worm Analysis Techniques - Capture: Capturing from Memory
• Memory Dumps
• Memory Searches
• Crashing to preserve memory
Worm Analysis Techniques - Capture: Capturing from Disk
• File searches
• File monitoring
• Open handles
• Replicated/Infected files
Worm Analysis Techniques - Dissection / Disassembly: Loading
• Loading files in IDA
• Initial settings
• Trojans vs. exploit-style worms
  – Trojans load as programs
  – Exploits load as baseless code
Worm Analysis Techniques - Dissection / Disassembly: Defining
• Setting variables
• Examining functions
• Examining imports
• Examining Strings
• Define flow of code
Worm Analysis Techniques - Dissection / Disassembly: Drilling
• Finding important code
  – Via imports
  – Via calls
  – Via strings
Worm Analysis Techniques - Debugging as a Disassembly Aid
• Examining in-memory constructs
• Runtime factors
  – Decryption/decoding
  – Variable sets, variable data
  – External factors; the code does not run in a void
Worm Analysis Techniques - Attaching to Worm-Infected Processes
• Attach to process
• Debugging running processes
• Finding worm code in process
• Forcing breaks in worm code
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Isolation
• Disconnected
• Replicate important services
• Attempt to simulate real environment
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Infection
• Netcat injection
• Poison servers/clients
• Turn off AV, turn on tools
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
• Debuggers
  – VC6 debugger
  – SoftICE
  – WinDbg
• Disassemblers
  – IDA
Worm Analysis Techniques - Sacrificial Goats / Goatnets: Analysis
• Filemon
• Regmon
• TCPView Pro
• Procdump
Worms – Under the Hood
Worms Under the Hood - Code Red I: Infection
• .ida vulnerability
• Sent entire copy in HTTP GET data
• Static worm
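Because Code Red I carried its whole body in one HTTP GET and never changed ("static worm"), a captured request can be triaged with very plain heuristics. The following Python is an added example, not eEye code and not a Code Red signature: it parses a raw request, flags an oversized request target, a high share of non-printable bytes, and body data on a GET, and hashes the whole request so that identical copies from different sources are recognised as one payload. The sample requests and thresholds are constructed for illustration.

```python
"""Triage of a captured HTTP request (added example, not from the slides)."""
import hashlib
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers, body); raise on a bad request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0][:40])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def triage(raw: bytes, max_target_len: int = 1024, max_binary_ratio: float = 0.05) -> dict:
    """Score one captured request; the thresholds are illustrative and should be tuned per site."""
    method, target, version, headers, body = parse_request(raw)
    payload = target + body
    nonprintable = sum(1 for b in payload if b not in PRINTABLE)
    ratio = nonprintable / len(payload) if payload else 0.0
    findings = []
    if len(target) > max_target_len:
        findings.append("request target is %d bytes long" % len(target))
    if ratio > max_binary_ratio:
        findings.append("%.0f%% of target+body is non-printable" % (100 * ratio))
    if method == b"GET" and body:
        findings.append("GET request carries %d bytes of body data" % len(body))
    return {
        "method": method.decode("ascii", "replace"),
        "target_len": len(target),
        "body_len": len(body),
        "binary_ratio": round(ratio, 3),
        "sha256": hashlib.sha256(raw).hexdigest(),   # identical for every copy of a static worm
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample inputs (not real traffic).
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Shape of an exploit-carrying request: an oversized query string of filler bytes and
# raw binary in the body of a GET. No real worm bytes are included.
ODD_REQUEST = (
    b"GET /search?q=" + b"X" * 3000 + b" HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
    + bytes(range(256)) * 4
)


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("odd", ODD_REQUEST)):
        result = triage(req)
        print(name, result["suspicious"], result["findings"])
```

The hash is the useful part for a static worm: once one copy has been dissected, every later capture with the same SHA-256 needs no further analysis, and the hash itself is a sufficient IDS signature until a variant appears.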
Worms Under the Hood - Code Red I: Propagation
• 100 threads of propagation
• HTTP spread
• Use in-memory copy
Worms Under the Hood - Code Red I: Payload
• Attack whitehouse.gov
• Hook web page delivery
Worms Under the Hood - Code Red II: Infection
• .ida vulnerability
• Similar to Code Red I
• Leaves a trojan
Worms Under the Hood - Code Red II: Propagation
• Statistical distribution of random address, favoring topologically closer hosts
Worms Under the Hood - Code Red II: Payload
• Trojan horse
  – Trojan embedded in worm
  – Simple compression
  – Modifies web dirs
  – Multiple system weakenings
• Adds cmd.exe in web roots
Worms Under the Hood - Nimda: Infection
• Outlook/IE vulnerability
• Unicode
• Double Decode
• Open shares
Worms Under the Hood - Nimda: Propagation
• Open shares
• Web servers
Worms Under the Hood - Nimda: Payload
• Opens guest share
• Infects system binaries
• Adds Registry keys
• Adds itself to system startup
Worm Defense Techniques
Global Alerts / Dissemination - Standard Reporting Mechanisms
There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.
Global Alerts / Dissemination - Data Sharing
• Individual Network sensors sharing data with a central network console
• Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
• Sharing data between stores at ARIS, CERT, SANS and others
Global Alerts / Dissemination - Statistical Analysis
• Having all the data poses new problems
  – Reduction of duplicate datasets
  – Large-scale statistical analysis
  – Storage, processing, and network resources can be large
• Worms have distinct statistical signatures
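What "distinct statistical signatures" and "reduction of duplicate datasets" look like in practice, as an added example (not from the slides, not eEye code): the Python below takes records from two overlapping network sensors, drops the copies of flows both sensors reported, and then builds the per-source profile that a scanning worm cannot hide: many distinct destinations on one port in a short time. It also reports what share of a source's targets fall in the source's own /16, which is the statistic that exposes the local-preference targeting described on the Code Red II propagation slide. The log format, addresses and thresholds are constructed for illustration.

```python
"""Correlating multi-sensor data into a worm-like scanning profile (added example, not from the slides)."""
from collections import defaultdict
import ipaddress

# Constructed sensor records in the form sensor,unix_time,src,dst,dport.
# Sensors ids-a and ids-b overlap, so some flows are reported twice.
# 198.51.100.7 probes many hosts on port 80, half of them inside its own /16.
SAMPLE_LOG = """\
ids-a,1000,198.51.100.7,192.0.2.10,80
ids-b,1000,198.51.100.7,192.0.2.10,80
ids-a,1001,198.51.100.7,192.0.2.11,80
ids-a,1002,198.51.100.7,192.0.2.12,80
ids-a,1003,198.51.100.7,198.51.100.200,80
ids-b,1004,198.51.100.7,198.51.100.201,80
ids-b,1004,198.51.100.7,198.51.100.202,80
ids-b,1005,198.51.100.7,203.0.113.9,80
ids-a,1006,198.51.100.7,198.51.100.203,80
ids-a,1007,203.0.113.50,192.0.2.10,80
ids-b,1007,203.0.113.50,192.0.2.10,80
ids-a,1009,203.0.113.50,192.0.2.10,443
"""


def parse_records(text):
    """Parse the constructed CSV format into dicts; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, src, dst, dport = line.split(",")
        records.append({"sensor": sensor, "ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return records


def deduplicate(records, slop=1):
    """Keep one copy of a (src, dst, dport) flow that several sensors reported within `slop` seconds."""
    last_seen = {}
    kept = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["dst"], rec["dport"])
        if key in last_seen and rec["ts"] - last_seen[key] <= slop:
            continue
        last_seen[key] = rec["ts"]
        kept.append(rec)
    return kept


def same_prefix(a, b, bits):
    """True if address b lies in the /bits network that contains address a."""
    net = ipaddress.ip_network("%s/%d" % (a, bits), strict=False)
    return ipaddress.ip_address(b) in net


def fanout_profile(records):
    """Per (src, dport): distinct hosts contacted, and the share of them inside the source's /16."""
    targets = defaultdict(set)
    for rec in records:
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    profile = {}
    for (src, dport), dsts in targets.items():
        local = sum(1 for d in dsts if same_prefix(src, d, 16))
        profile[(src, dport)] = {"distinct_dsts": len(dsts), "local16_share": local / len(dsts)}
    return profile


def flag_scanners(profile, min_fanout=5):
    """(src, dport) pairs whose fan-out reaches the threshold; the threshold is illustrative."""
    return sorted(key for key, p in profile.items() if p["distinct_dsts"] >= min_fanout)


if __name__ == "__main__":
    records = deduplicate(parse_records(SAMPLE_LOG))
    profile = fanout_profile(records)
    for key in flag_scanners(profile):
        print("scanner", key, profile[key])
```

On real sensor feeds the same three steps apply at scale: deduplicate across sensors first, because without that one infected host seen by ten sensors looks like ten, then aggregate per source and port. A benign client contacts a few hosts on many ports; a worm contacts many hosts on one port, and a locally biased worm shows a `local16_share` far above what random addressing would give.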
Environment - Modifying Aspects of a Worm's Environment
• Lysine deficiencies
• Monoculture
• Assumptions
  – Network addresses
  – Memory locations
  – Architecture
Counter Worms - Using Aspects of a Worm to Stop the Spread
• Using same propagation
• Contains a fix, or code needed to identify
• Should contain extreme limits
• Generally not well regarded
The Future of Worms
Multiple Attack Vectors - Client- and Server-Side Flaws
• Buffer overflows
• Format string attacks
• Design flaws
• Open shares
• Misconfigurations
Encryption/Obfuscation/Polymorphism - Covert Channel / Stealth Worms
• Hiding in plain sight
• ICMP
• Encoding in normal data stream
• Nonstandard
Encryption/Obfuscation/Polymorphism - Keyed Payloads
• Keying a worm before sending, requiring the worm to “call back” to decode itself.
• Clear text worm never transmits
• Higher chance of missing key transmissions, less likely to get a worm to disassemble
Encryption/Obfuscation/Polymorphism - Standard Polymorphic/Mutation Techniques
• Worms meet viruses
• Continuously changing itself
• Brute forcing new offsets
• Adapting to the environment to become “more fit”
Bigger Scope - Flash Worms
• Faster, more accurate spread
• Complete spread of all possible targets in 5-20 minutes
• Very low false positive rate
• Too fast to analyze/disseminate information
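Why the spread time collapses from hours to minutes is worth seeing in numbers. The following is an added illustration, not from the slides: the simple random-scanning epidemic model of Staniford, Paxson and Weaver ("How to Own the Internet in Your Spare Time", 2002), which also introduced the flash worm idea. The symbols are mine: $N$ vulnerable hosts, $a(t)$ the fraction already infected, $r$ scans per second per infected host, and $2^{32}$ the IPv4 address space.

Each infected host hits a not-yet-infected vulnerable host at rate $r N (1-a) / 2^{32}$, so

$$\frac{da}{dt} = K\,a\,(1-a), \qquad K = \frac{rN}{2^{32}},$$

whose solution is the logistic curve

$$a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}},$$

with $T$ the time at which half of the hosts are infected. The time to go from 1% to 99% infected is

$$\Delta t = \frac{1}{K}\left[\ln\frac{0.99}{0.01} - \ln\frac{0.01}{0.99}\right] = \frac{2\ln 99}{K} \approx \frac{9.2}{K}.$$

Worked numbers (constructed): $N = 300\,000$ vulnerable hosts and $r = 10$ scans/s give $K \approx 7.0 \times 10^{-4}\,\mathrm{s}^{-1}$ and $\Delta t \approx 13\,000$ s, about 3.7 hours, most of it spent in the slow start while $a$ is small and almost every scan hits a non-vulnerable address.

A flash worm removes that waste: with a precomputed list of the $N$ vulnerable hosts, split in half at every hop, each infection produces new infections without any missed scans, so the infected population doubles per generation and saturates after about $\log_2 N \approx 18$ generations. At a few seconds per generation for connect, transfer and start-up, the whole population is reached in minutes, which is the 5-20 minute window on the slide. The defensive consequence is the one the slide draws: any response that needs a human in the loop (capture, dissect, publish a signature) is slower than $\Delta t$, so the only controls that act in time are those already deployed, such as per-host rate limits on new outbound connections and filters that reject the exploit class rather than a specific sample.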
Bigger Scope - Intelligent Worms
• Worms meet AI
• Worm infected hosts communicating in a p2p method
• Exchanging information on targeting, propagation, or new infection methods
• Agent-like behavior
Bigger Scope - Multi-Platform / OS Worms
• Multi-OS shell code
• Attacking multiple different vulnerabilities on multiple platforms
• Single worm code, large attackable base
Questions and Answers?
References
• eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html
• eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html
Contact Information
• Ryan Permeh-
• Dale Coddington