Viruses, Worms, & DDoS Attacks
Eric Bulgrin
February 8, 2005
Overview
• Why are attacks prevalent?
• Viruses
• Worms
• Distributed Denial of Service Attacks (DDoS)
Why are attacks prevalent?
• Clueless user base
• Malicious users
• Homogeneous computing environments
• Connectivity
Viruses
• Definition: a self-replicating piece of code that attaches itself to other programs and usually requires human interaction to propagate
How do viruses work?
• Infect executables
  • Companion infection
  • Overwriting infection
  • Prepending infection
  • Appending infection
• Infect boot sectors
• Infect document files
Companion Infection
• Called companion or spawning viruses
• Do not modify the host's code
• Give the virus the same name as the executable but with a .COM extension instead of .EXE
• Not common since GUIs became prevalent
• Example: Trilisa virus/worm, 2002
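Because a companion virus never touches the host file, hash-based integrity checks of the .EXE will not notice it; the observable artifact is the extra .COM file sitting beside an .EXE of the same base name (DOS resolves a bare command name to .COM before .EXE, which is why the trick worked). The following scanner, added here as an example and not part of the original slides, walks a directory and reports every .EXE/.COM pair sharing a base name. The sample directory it builds is constructed for the demonstration.

```python
"""Flag .COM files that shadow a .EXE of the same base name (companion-virus indicator)."""
import tempfile
from pathlib import Path


def find_companions(directory):
    """Return sorted (exe_path, com_path) pairs where a .COM file shares the base
    name of a .EXE file in the same directory. Comparison is case-insensitive,
    matching how DOS/Windows resolve file names."""
    exes, coms = {}, {}
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        stem, ext = entry.stem.lower(), entry.suffix.lower()
        if ext == ".exe":
            exes[stem] = entry
        elif ext == ".com":
            coms[stem] = entry
    shared = sorted(exes.keys() & coms.keys())
    return [(str(exes[s]), str(coms[s])) for s in shared]


def build_sample_dir():
    """Constructed sample: WORD.EXE with a suspicious WORD.COM beside it, plus
    files that should not be reported (a lone .EXE, a lone .COM, a .TXT)."""
    d = tempfile.mkdtemp()
    for name in ("WORD.EXE", "WORD.COM", "NOTEPAD.EXE", "EDIT.COM", "README.TXT"):
        Path(d, name).write_bytes(b"constructed sample content")
    return d


if __name__ == "__main__":
    for exe, com in find_companions(build_sample_dir()):
        print(f"possible companion: {com} shadows {exe}")
```

A lone .COM (EDIT.COM above) is legitimate and is not reported; only the .EXE/.COM pairing is the indicator. In practice you would run this over PATH directories and compare results against a known-good inventory.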
Overwriting Infection
• Called overwriting virus
• Replaces portions of the host's executable code
• Opens the file and copies itself into the file
• Commonly makes the executable inoperable
Prepending Infection
• Called prepending virus
• Inserts malicious code at the beginning of the host file
• Generally does not corrupt the host file
• Example: Nimda worm
Appending Infection
• Called appending virus
• Inserts code at the end of the host file and modifies the beginning of its host to jump to the virus code
• Example: Appix worm, 2002
Infecting Boot Sectors
• What is the boot sector?
• Called boot sector viruses
• Virus code is attached to the MBR
• Example: Michelangelo virus, 1991
Infecting Document Files
• Called macro viruses
• Virus code is attached to common subroutines such as Document_Open() or Document_Close()
• Example: Melissa virus, 1999
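The defining trait of a macro virus is that its code is hung off an event handler the application runs by itself, so a first triage step is simply to ask whether a document's macro source defines such a handler and, if so, whether it also reaches for APIs a report-formatting macro has no business touching. The heuristic below is an added example, not code from the slides or from any named tool: it takes macro source text (extraction from the document is assumed to have been done already) and scores it. Document_Open and Document_Close are the handler names from the slide; AutoOpen and AutoClose are Word's legacy auto-macro names. The list of suspicious API references is my own assumption about what merits a second look, and both macro samples are constructed.

```python
"""Heuristic triage of VBA macro source for auto-executing handlers (constructed example)."""
import re

# Procedure names Word runs automatically on document events.
AUTO_EXEC_PROCS = ("Document_Open", "Document_Close", "AutoOpen", "AutoClose")

# Assumed indicator list: APIs that let a macro reach the global template, the
# VBA project itself, or the operating system. Tune for your environment.
SUSPICIOUS_CALLS = ("CreateObject", "Shell", "NormalTemplate", "VBProject", "CodeModule")

# Matches "Sub Name", "Private Sub Name", "Public Function Name" at line start.
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)


def analyze_macro(vba_source):
    """Return the auto-exec handlers defined, suspicious API references seen,
    a simple score, and a flag set when both kinds of indicator are present."""
    auto_lower = {name.lower() for name in AUTO_EXEC_PROCS}
    procs = PROC_RE.findall(vba_source)
    auto_exec = sorted({p for p in procs if p.lower() in auto_lower})
    calls = sorted(
        c for c in SUSPICIOUS_CALLS
        if re.search(r"\b" + re.escape(c) + r"\b", vba_source, re.IGNORECASE)
    )
    score = 2 * len(auto_exec) + len(calls)
    return {
        "auto_exec": auto_exec,
        "suspicious_calls": calls,
        "score": score,
        "flag": bool(auto_exec and calls),
    }


# Constructed benign macro: a formatting helper with no event handler.
BENIGN_MACRO = """
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

# Constructed suspicious macro: runs on open and touches the global template,
# the VBA project and the shell. Not functional malware, just the indicators.
SUSPICIOUS_MACRO = """
Private Sub Document_Open()
    Dim proj
    Set proj = NormalTemplate.VBProject
    Shell "notepad.exe"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        print(label, analyze_macro(src))
```

Auto-exec handlers alone are common in legitimate templates, which is why the flag requires both indicator classes; the score lets an analyst sort a large sample set rather than make a binary call.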
Propagation Methods
• Removable storage
• E-mail and downloads
• Shared directories
Defending against viruses
• Antivirus software
  • Virus signatures
  • Heuristics
• Integrity verification
• Configuration hardening
• User education
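Integrity verification is the defense that catches the three file-modifying infection styles above regardless of whether a signature exists: a prepending or appending infection grows the file, and an overwriting infection changes its contents while possibly keeping its size. The script below is an added example, not code from the slides: it records size and SHA-256 for every executable under a directory, then compares a later scan against that baseline and classifies each change. Its demo simulates the three outcomes on constructed files in a temporary directory.

```python
"""Baseline-and-verify integrity check for executables (constructed example)."""
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = (".exe", ".com", ".dll")


def file_fingerprint(path):
    """Size plus SHA-256 of a file, hashed in chunks so large binaries are fine."""
    p = Path(path)
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": p.stat().st_size, "sha256": h.hexdigest()}


def build_baseline(directory, suffixes=EXEC_SUFFIXES):
    """Map relative path -> fingerprint for every executable under directory."""
    root = Path(directory)
    return {
        str(entry.relative_to(root)): file_fingerprint(entry)
        for entry in sorted(root.rglob("*"))
        if entry.is_file() and entry.suffix.lower() in suffixes
    }


def verify(directory, baseline, suffixes=EXEC_SUFFIXES):
    """Compare a fresh scan with the baseline. Modified files are tagged
    'grown' (consistent with prepended/appended code), 'same-size' (consistent
    with overwriting) or 'shrunk'. New executables are reported separately
    because a companion .COM appears as a new file, not a modified one."""
    current = build_baseline(directory, suffixes)
    report = {"modified": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur = current[rel]
        if cur == old:
            continue
        if cur["size"] > old["size"]:
            kind = "grown"
        elif cur["size"] < old["size"]:
            kind = "shrunk"
        else:
            kind = "same-size"
        report["modified"].append((rel, kind))
    report["new"] = [rel for rel in current if rel not in baseline]
    return report


def demo():
    """Constructed scenario: baseline three executables, then simulate a prepend,
    an overwrite and a companion file, and return the verification report."""
    d = Path(tempfile.mkdtemp())
    (d / "APP.EXE").write_bytes(b"MZ" + b"\x00" * 100)
    (d / "TOOL.EXE").write_bytes(b"MZ" + b"\x01" * 100)
    (d / "KEEP.EXE").write_bytes(b"MZ" + b"\x02" * 100)
    baseline = build_baseline(d)
    # Simulated prepending infection: extra bytes in front, file grows.
    (d / "APP.EXE").write_bytes(b"XX" * 16 + (d / "APP.EXE").read_bytes())
    # Simulated overwriting infection: bytes replaced in place, size unchanged.
    data = bytearray((d / "TOOL.EXE").read_bytes())
    data[10:20] = b"\xff" * 10
    (d / "TOOL.EXE").write_bytes(bytes(data))
    # Simulated companion: a new .COM beside an untouched .EXE.
    (d / "KEEP.COM").write_bytes(b"constructed companion")
    return verify(d, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must live somewhere the malware cannot reach (read-only media or a separate host), otherwise an infector that also rewrites the manifest defeats the check.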
Worms
• Definition: a self-replicating piece of code that spreads via networks and usually does not require human interaction to propagate
Worm Components
• Warhead
• Propagation engine
• Target selection algorithm
• Scanning engine
• Payload
Warhead
• Gains access to the victim machine
• Popular techniques:
  • Buffer overflow
  • File sharing
  • E-mail
  • Common misconfigurations
Propagation Engine
• Transfers the rest of the worm to the target
• Sometimes the warhead carries the entire worm
• Otherwise it uses file transfer mechanisms such as FTP or HTTP
Target Selection Algorithm
• Looks for new victims to attack
• Techniques:
  • E-mail addresses
  • Network neighborhood
  • DNS queries
  • Random target
Scanning Engine
• Uses the addresses generated by the target selection algorithm to scan for suitable victims
Payload
• Open a backdoor for the attacker
• Plant a DDoS flood agent
• Perform complex math operations
Impediments to Worm Spread
• Diversity of the target environment
• Crashing victims
• Overexuberant spread
  • Stepping on itself
  • Stepped on by another worm
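Two of these impediments, target diversity and the worm stepping on itself, can be seen directly in a simple discrete-time model of a random-target worm: each infected host picks addresses uniformly at random, a fixed fraction of the address space is vulnerable (the homogeneity of the environment), and every scan that lands on an already-infected host is wasted. The model below is an added illustration, not from the slides or any real worm; its parameters (a 10,000-address space, 10 scans per host per tick, 50% vs 5% vulnerable) are constructed so the two runs finish quickly, and it contains no network code.

```python
"""Random-scan worm spread model: how target diversity slows propagation (constructed)."""
import random


def simulate_random_scan_worm(address_space, vulnerable_fraction, scans_per_tick, ticks, seed=1):
    """Discrete-time model. Addresses 0..n_vuln-1 are the vulnerable hosts (their
    position is irrelevant under uniform random scanning). Host 0 starts infected.
    Returns the infected count after each tick and how many scans hit hosts that
    were already infected ('stepping on itself')."""
    rng = random.Random(seed)
    n_vuln = max(1, int(address_space * vulnerable_fraction))
    infected = {0}
    history = [len(infected)]
    self_hits = 0
    for _ in range(ticks):
        if len(infected) == n_vuln:
            break  # every vulnerable host is infected; nothing left to spread to
        newly = set()
        for _ in range(len(infected) * scans_per_tick):
            target = rng.randrange(address_space)
            if target in infected or target in newly:
                self_hits += 1          # wasted scan against an infected host
            elif target < n_vuln:
                newly.add(target)       # vulnerable and not yet infected
            # otherwise: a non-vulnerable host, scan wasted (diversity at work)
        infected |= newly
        history.append(len(infected))
    return {"infected_per_tick": history, "vulnerable_hosts": n_vuln, "self_hits": self_hits}


def ticks_to_reach(history, n_vuln, fraction):
    """First tick at which at least `fraction` of the vulnerable hosts are infected."""
    goal = n_vuln * fraction
    for t, count in enumerate(history):
        if count >= goal:
            return t
    return None


def compare_diversity(address_space=10_000, scans_per_tick=10, ticks=200):
    """Same worm against a monoculture (50% vulnerable) and a diverse
    environment (5% vulnerable); report time to half-infection and wasted scans."""
    mono = simulate_random_scan_worm(address_space, 0.50, scans_per_tick, ticks)
    diverse = simulate_random_scan_worm(address_space, 0.05, scans_per_tick, ticks)
    return {
        "monoculture_ticks_to_half": ticks_to_reach(mono["infected_per_tick"], mono["vulnerable_hosts"], 0.5),
        "diverse_ticks_to_half": ticks_to_reach(diverse["infected_per_tick"], diverse["vulnerable_hosts"], 0.5),
        "monoculture_self_hits": mono["self_hits"],
        "diverse_self_hits": diverse["self_hits"],
    }


if __name__ == "__main__":
    print(compare_diversity())
```

Reducing the vulnerable fraction (by patching, or by not running the same software everywhere) lengthens the early exponential phase, which is exactly the window in which detection and response have to happen; the self-hit counter shows why a worm's own scanning becomes mostly noise once it has saturated.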
New worms
• Multiplatform worms
• Zero-day exploit worms
• Fast-spreading worms
• Polymorphic worms
• Metamorphic worms
Worm Defenses
• Ethical worms
• Antivirus
• Deploy patches and harden accessible systems
• Block arbitrary outbound connections
DDoS Attacks
• Definition: an attack that cripples an application, server, or whole network by disrupting legitimate users' communication
• Different from other attacks
• Goal: to prevent victim machines or networks from offering service to legitimate users
How DDoS Attacks Work
• Recruit agent network
• Control agent network
• Launch attack
Recruit the Agent Network
• Can be done manually, semi-manually, or automatically
• Worms are commonly used to recruit agents
• Agent machines have good connectivity and ample resources, and are poorly maintained
How to Recruit Agents
• Break into vulnerable machines
• Malware propagation methods
  • Central repository
  • Back-chaining or pull
  • Push or forward
Controlling the Agents
• Direct commands
• Indirect commands
Direct Commands
• Handler/agent network
• Handler must store the IP addresses of all agents
• Agents listen for attacker messages on a specified port
Indirect Commands
• Attacker uses an IRC server to send commands
• Agents listen on a specific IRC channel
Launch Attack
• Types of attacks
  • Exploit vulnerabilities
  • Attack a protocol
  • Attack an application
How to Defend Against DDoS
• Protect
• Detect
• React
Protect
• Separate services where possible
• Have excess capacity
• Minimize the target
• Monitor ongoing operations
• Prepare personnel and have a plan
Detect
• Increase in firewall log entries
• Know what normal and peak traffic levels are
• Increase in dropped packets
• Keep an eye on outbound network traffic
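The first three detection bullets combine into one concrete check: measure the normal rate of dropped packets in the firewall log, then alert when a minute exceeds a multiple of that baseline, and use the number of distinct source addresses to tell a distributed flood from a single noisy host. The detector below is an added example, not from the slides or any firewall product. Its log line format (timestamp, host, ACCEPT/DROP, src, dst, proto, dpt) is constructed, as is the sample log it generates: ten quiet minutes followed by three minutes of a UDP flood from a /24 in the 192.0.2.0 documentation range. The baseline window, the ×5 threshold and the 20-source cut-off are assumptions to tune per site.

```python
"""Baseline-vs-spike detection of dropped-packet floods in firewall logs (constructed)."""
import re
import statistics
from collections import defaultdict

# Constructed line format, e.g.:
# 2005-02-08T10:00:12 fw DROP src=198.51.100.1 dst=203.0.113.10 proto=TCP dpt=23
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} \S+ (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=\S+ proto=\S+ dpt=(?P<dpt>\d+)"
)


def parse_drops(lines):
    """Bucket DROP entries per minute -> (count, set of distinct source addresses)."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != "DROP":
            continue
        buckets[m["minute"]][0] += 1
        buckets[m["minute"]][1].add(m["src"])
    return {minute: (count, srcs) for minute, (count, srcs) in sorted(buckets.items())}


def detect_flood(buckets, warmup=10, factor=5.0, min_sources=20):
    """Baseline = median drops/minute over the first `warmup` minutes (assumed quiet).
    Any later minute above factor*baseline is an alert; it is marked 'distributed'
    when at least min_sources distinct sources contributed."""
    minutes = list(buckets)
    baseline = statistics.median(buckets[m][0] for m in minutes[:warmup])
    alerts = []
    for minute in minutes[warmup:]:
        count, srcs = buckets[minute]
        if count > factor * baseline:
            alerts.append({
                "minute": minute,
                "drops": count,
                "baseline": baseline,
                "distinct_sources": len(srcs),
                "distributed": len(srcs) >= min_sources,
            })
    return alerts


def constructed_log():
    """Constructed sample: minutes 00-09 see 5 drops each from a handful of
    sources; minutes 10-12 see 400 drops each from 250 different sources."""
    lines = []
    for minute in range(13):
        prefix = f"2005-02-08T10:{minute:02d}"
        if minute < 10:
            for i in range(5):
                lines.append(f"{prefix}:{i * 10:02d} fw DROP src=198.51.100.{i + 1} "
                             f"dst=203.0.113.10 proto=TCP dpt=23")
            for i in range(50):  # normal accepted web traffic, ignored by the detector
                lines.append(f"{prefix}:{i:02d} fw ACCEPT src=198.51.100.{i % 7 + 1} "
                             f"dst=203.0.113.10 proto=TCP dpt=80")
        else:
            for i in range(400):
                lines.append(f"{prefix}:{i % 60:02d} fw DROP src=192.0.2.{i % 250 + 1} "
                             f"dst=203.0.113.10 proto=UDP dpt=53")
    return lines


if __name__ == "__main__":
    for alert in detect_flood(parse_drops(constructed_log())):
        print(alert)
```

A high drop count from a single source is an abuse case for a simple block rule; the same count spread over hundreds of sources is the situation the React slide is about, where per-source filtering stops working and capacity, upstream filtering and the response plan take over.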
React
• Depends on the situation and company
• What can you filter with your hardware?
• Skills of your people
• Impact on customers
References
• Dietrich, Sven; Dittrich, David; Mirkovic, Jelena; Reiher, Peter. 2005. Internet Denial of Service: Attack and Defense Mechanisms. Upper Saddle River, New Jersey: Prentice Hall.
• Householder, Allen; Manion, Art; Pesante, Linda; Weaver, George M. 2001. Managing the Threat of Denial-of-Service Attacks. Retrieved January 31, 2005 from CERT Web Site: http://www.cert.org/archive/.
• Pethia, Richard. 2003, September 10. Viruses and Worms: What Can We Do About Them? Retrieved February 1, 2005 from CERT Web Site: http://www.cert.org/congressional_testimony/.
• Skoudis, Ed. 2004. Malware: Fighting Malicious Code. Upper Saddle River, New Jersey: Prentice Hall.