Chapter 7 Worms


Nov 26, 2013


Chapter 7
Worms

Worms
- We’ve previously discussed worms
- Here, consider 2 in slightly more depth
  o Xerox PARC (1982)
  o Morris Worm (1988)
- Recall also discussion of Slammer…

History
- “Worm” mentioned in fiction in 1975
  o The Shockwave Rider by John Brunner
  o Next slide…


History
- “I guess you all know about tapeworms...? Good. Well, what I turned loose in the net yesterday was the... father and mother of all tapeworms.... My newest -- my masterpiece -- breeds by itself.... By now I don't know exactly what there is in the worm. More bits are being added automatically as it works its way to places I never dared guess existed.... And -- no, it can't be killed. It's indefinitely self-perpetuating so long as the net exists. Even if one segment of it is inactivated, a counterpart of the missing portion will remain in store at some other station and the worm will automatically subdivide and send a duplicate head to collect the spare groups and restore them to their proper place.”

History
- Xerox Palo Alto Research Center
  o Xerox PARC
- Established 1970
  o To create “the office of the future”
- Helped create laser printers, Ethernet, modern PC, GUI, VLSI
- Original Apple Macintosh heavily influenced by the “Alto”

Xerox PARC
- Developed a program so unused CPU cycles could be put to use
  o Use your machine for parallel processing when not busy with your work
- “Worm” to manage the machines
  o Composed of “segments”, which is why they called it a worm
  o One segment per machine
  o Segments communicated with each other

Xerox PARC
- “Worm” had many safety features
  o For example, no disk access
  o Also, could be shut down
- Key insights
  o Managing growth is difficult
  o Stability is difficult to maintain

Morris Worm
- “Internet Worm” of 1988
- Major wake up call…
- Three stages
- Stage 1: Get access
  o Sendmail -- debug command
  o Finger -- read input using “gets” (no bounds checking…)
  o rexec and pwd guessing (or rsh)
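The Finger weakness above is an unbounded read: gets() copies a request into a fixed buffer with no length check. Below is an added example, not code from the slides or from fingerd, of a bounded reader in C; the buffer size (REQ_MAX), the function names and the sample input are assumptions. It shows the caveat that swapping in fgets() is not enough by itself, because fgets() silently truncates an overlong line and leaves the remainder to be read as the next request.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64  /* assumed request buffer size for this example */
enum read_status { REQ_OK = 0, REQ_EOF = -1, REQ_TOO_LONG = -2 };

/* Read one request line into buf (capacity n). gets() copied until the
 * newline with no limit; fgets() stops at n-1 bytes but silently truncates,
 * so an overlong line must be detected and drained, not parsed in pieces. */
int read_request(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL)
        return REQ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return REQ_OK;
    }
    int c = fgetc(in);           /* no newline: EOF, or buffer filled up */
    if (c == EOF || c == '\n')
        return REQ_OK;           /* fit exactly, or last line lacks newline */
    while (c != EOF && c != '\n')
        c = fgetc(in);           /* discard the rest of the overlong line */
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Run the reader over an in-memory stream. Returns the number of accepted
 * requests; *rejected receives the number rejected as overlong. */
int count_requests(const char *text, int *rejected)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    char buf[REQ_MAX];
    int ok = 0, bad = 0, st;
    while ((st = read_request(buf, sizeof buf, in)) != REQ_EOF)
        if (st == REQ_OK) ok++; else bad++;
    fclose(in);
    *rejected = bad;
    return ok;
}

/* Constructed sample: two short names, one 80-byte name (over REQ_MAX),
 * and a final name with no trailing newline. Expect 3 accepted, 1 rejected. */
int demo(int *rejected)
{
    char longname[81], input[160];
    memset(longname, 'A', 80); longname[80] = '\0';
    snprintf(input, sizeof input, "bob\n%s\ncarol\ndave", longname);
    return count_requests(input, rejected);
}
```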

Morris Worm
- Stage 2: Grappling hook
  o Once a remote shell was obtained, send, compile, and run small C program
  o Code sent as source, so immune to damage by communication channel
- Only passed seven bits out of eight
- Would have destroyed exe file
  o Retrieve several exes until it found one that worked

Morris Worm
- Stage 3: Propagate
  o Used some stealth -- named itself “sh”
  o Cleaned up (removed source code, etc.)
  o Prevented “core dump”
  o Propagate by looking at network routing tables and other local resources
  o Had no destructive payload

Propagation
- Humans slow compared to networks
  o “Fast burners”
  o Warhol worms
  o Flash worms
  o Surreptitious (or slow) worms -- later
- How can worm propagate faster?
  o Can’t use too much bandwidth…

Propagation
- How to propagate faster
  o Shorten initial startup time
  o Minimize contention between instances of the worm
  o Increase rate that targets are probed
  o Use low-overhead protocols (UDP vs TCP)
- Recall that Slammer used UDP

Propagation
- Surreptitious worm
  o That is, slow worm
- Slow infection rate
  o Hide in normal traffic
  o Hard to detect
- Create a zombie army
  o What good is that?
- A lot like modern Botnets

Initial Seeding
- How to start the worm
- A single instance?
  o Slow initial growth
  o Easier to trace
- Multiple instances?
  o Faster initial growth
  o Use wireless networks, spam, Botnets
  o Other?

Finding Targets
- IP numbers
  o IPv4, that is
- Worms “scan” for targets
  o Search for vulnerable IP addresses
- How to scan?

Finding Targets
- How to scan?
- Random
  o Used in Code Red and Slammer
- Localized
  o Favor machines on same network
  o Why?
- Hit list
  o Avoids contention, speeds initial spread

Finding Targets
- Permutation scanning
  o Treat IP address space as a sequence
  o Each worm selects a random starting point
  o Each time a previously-infected machine is found, select a new starting point
  o Can be used to detect (near) saturation

Finding Targets
- Topological scanning
  o Actual network topology
  o Topology of a social network
  o “Topology” of users’ email
  o IM worm
- Morris Worm used topological scan
  o Was this a good idea for Morris Worm?


Finding Targets
- Passive scanning
  o Wait for useful info to come to you
  o Sniff network traffic for…
  o Valid IP addresses
  o Operating system and services
  o Network traffic pattern
- Other scanning strategies?
  o Santy worm used Google


Worms: The Bottom Line
- A well-designed worm…
  o Virus-like concealment
  o Exploit technical/human weaknesses
  o Hijacking legitimate transactions
  o Rapid (or slow) spreading
- Worms are a potent type of malware
- Equally potent defenses needed
  o Next chapter