240 likes | 509 Views
Crisis And Aftermath. Reviewed by Yunkyu Sung merius@kdb.snu.ac.kr. Contents. Introduction Worm vs. Virus Worm History example How the worm operated Crisis Aftermath. Worm vs. Virus. Worm History. 1975 John Brunner’s Science fiction 1981 Xerox PARC experimented 1988 Worm Started *
E N D
Crisis And Aftermath Reviewed by Yunkyu Sung merius@kdb.snu.ac.kr
Contents • Introduction • Worm vs. Virus • Worm History • example • How the worm operated • Crisis • Aftermath
Worm History • 1975 John Brunner’s Science fiction • 1981 Xerox PARC experimented • 1988 Worm Started* … • 2003 SQL Slammer worm (1.25 인터넷대란)
03’ 1.25 인터넷 대란 • 2003년 1월 25일 Microsoft SQL server를 대상으로 하는 slammer worm 활동 • 404bytes를 1434/udp (SQL Server Resolution Service Port)로 전송
finger • finger : allows user to obtain information about other user over TPC/IP • Common Unix systems run a demon of finger (fingerd) • The worm broke fingerd program by “buffer overrun” • The worm exploited gets() call
finger Example) in gets(), we set a buffer as 10. (ex. char buff[10]; ) Type over 11 characters buffer overflow • When buffer overflow error occurred, • Normal cases : core dumped and exit • But, the worm : overwriting stack info and causes returning to worm program code. So worm can run alone.
sendmail • sendmail is mailer program to route mail in a heterogeneous network. • By debug option, tester can run programs to display the state of the mail system without sending mail or establishing a separate login connection. • Worm use debug option to invoke set of commands instead of user address
password • Password mechanism in UNIX system • Insert password • “Encryption standard algorithm” encrypted • Compare with Previously encrypted password • If it is same, we get a accessibility • Trusted logins to avoid having to repeatedly type Passwords • rlogin runs without password checking
How worm operated • Main Program : collect information on other machines in the network • Vector Program : try to infect other machines with information obtained
How worm operated (cont’d) • How it works • Connect to target • Transfer source code of each part • Compile it • Run it • Collect information • Try to connect to other machines
Step 1, 2 : Connection & Send • A socket established between vector and infecting machine • Vector tries one of two methods • Using TCP connection to /bin/sh • Using SMTP
Step 3 : file transfer • Vector connected to the ‘server’ • Transfer 3 files • Sun3, VAX binary version of worm • Source code of Vector • Vector became a shell with its input, output still connected to the server • Using execl
Step 4 : Infect Host • Server sent the command streamto the connected shellPATH=/bin:/usr/bin:/usr/ucbrm –f shif [ -f sh ]then p=x1448190else p=shfi • Then for each binarycc –o $P x14481910,sun3.o./$P –p $$ x14481910,sun3.o x14481910,vax.o x14481910,11.crm –f $P
Step 5 : Hide Worm • New worm hides itself • Obscuring its argument vector • Unlinking the binary version of itself • Killing its parent • Read worm binary into memory and encrypt • And delete file from disk
Step 6 : Information gathering • The worm gathers information about • Network interface • Hosts to which the local machines was connected • Using ioctl, netstat • It built lists of these in memory
Step 7 : reachability • Connected status • Directly connected? • Host type? (gateway or local host) • Try to connect using telnet, rexec
Step 8 : Infection Attempts • Attack via rsh • /usr/bin/rsh, /bin/rsh • Can be used without password checking • If successful, go to step 1 and step 2.1 • Finger • Stack overflow attacking • Return stack frame for main routing changed to execve(“/bin/sh”, 0 , 0)If successful, go to step 1 and step 2.1 • Connection to SMTP • Step 2.2
Step 9 : infected machine information • Collect info • /etc/hosts.equiv and /.rhosts • /etc/passwd • .forward • Cracking passwd using simple choices • Cracking passwd with an internal dictionary of words • Cracking passwd with /usr/dict/words • Loop forever trying to infect hosts in its internal tables
Step 10 • Break into remote machines • Read .forward , .rhosts for user accounts • Create the remote shell • Remote rexec service • rexec to the current host • rsh to the remote host • .rhosts or host.equiv file on remote server
Characteristics • Check for other worms running • One of 7 worms become immortal • Fork itself and kill parent • Re-infect the same machine every 12 hours • There are no stop code
Aftermath • First worm • Around 6000 major UNIX machines were infected ( 10% of the network at that time) • Important nation-wide gateways were shutdown • Topic debated • punishment
Then … • Robert T. Morris arrested • He just want to make a tool to gauge the size of the internet • 3 years probation, fine, community service • Computer Emergency Response Team was established