
Linux Worm Forensics


Presentation Transcript


  1. Linux Worm Forensics
     William Stearns, wstearns@pobox.com

  2. What are we studying?
     • Worms – viruses on autopilot
     • Specific techniques for Linux worms

  3. Typical Worm effects (-)
     • Break in via an already published exploit
     • Open backdoor, lower defenses
     • Fix original vulnerability
     • Run attack against random IP blocks
     • Replace system binaries with hacked versions
     • Cover tracks, kill logging
     • Add itself to startup scripts

  4. Detection
     • Personal attacks
     • Mailing lists
     • SANS' sensors
     • Log files

  5. Capture
     • Affected people often willing to mail source tar file
     • Download from web site
     • New strains

  6. Program and script analysis (-)
     • Read
       • Read text files and scripts
       • "strings binary_file"
       • Disassemble

  7. Program and script analysis, 2
     • Run
       • Isolated physical system, UML or VMware
       • strace
       • Debugger
     • Effects
       • Ethereal, tcpdump
       • UML diff
     • Firewall the test system
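The "UML diff" step on this slide is a before/after comparison of the isolated test system's filesystem. The shell script below is an added example, not the speaker's code: snapshot() records one "hash path" line per regular file under a root, and diff_snapshots() reports which files were added, removed or modified between two snapshots. The directory tree and the changes applied to it in demo() are constructed stand-ins for a sample run inside a UML or VMware guest; the hypothetical paths (bin/ps, etc/rc.d/rc.local, tmp/.w/run.sh, var/log/messages) are chosen to mirror the effects listed on slide 3.

```shell
#!/bin/sh
# Added example (not from the talk): "UML diff" as a filesystem snapshot diff.
# snapshot() records one "hash path" line per regular file under a root;
# diff_snapshots() reports files added, removed or modified between two
# snapshots. The tree built in demo() and the changes applied to it are
# constructed stand-ins for a sample run inside an isolated test system.

set -u
export LC_ALL=C        # byte-order sorting so sort, comm and join agree

hash_file() {
    # Prefer SHA-256; fall back to POSIX cksum so the script runs anywhere.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# snapshot ROOT OUTFILE: "hash relative/path" per regular file, sorted by path.
snapshot() {
    root=$1; out=$2
    : > "$out"
    find "$root" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#$root/}" >> "$out"
    done
}

# diff_snapshots BEFORE AFTER: one ADDED/REMOVED/MODIFIED line per change.
diff_snapshots() {
    before=$1; after=$2
    cut -d' ' -f2- "$before" > "$before.paths"
    cut -d' ' -f2- "$after"  > "$after.paths"
    comm -13 "$before.paths" "$after.paths" | sed 's/^/ADDED /'     # only in AFTER
    comm -23 "$before.paths" "$after.paths" | sed 's/^/REMOVED /'   # only in BEFORE
    # Same path in both snapshots but a different hash: contents changed.
    join -1 2 -2 2 "$before" "$after" | awk '$2 != $3 { print "MODIFIED " $1 }'
    rm -f "$before.paths" "$after.paths"
}

# demo: constructed tree, "before" snapshot, simulated effects from the talk's
# list (boot script edited, binary replaced, files dropped, log removed),
# "after" snapshot, then the diff. Expected output is four lines.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/etc/rc.d" "$work/root/var/log"
    printf 'original ps\n' > "$work/root/bin/ps"
    printf '#!/bin/sh\nexit 0\n' > "$work/root/etc/rc.d/rc.local"
    printf 'Jan  1 00:00:00 host syslogd: restart\n' > "$work/root/var/log/messages"
    snapshot "$work/root" "$work/before.txt"

    # Constructed post-run state (hypothetical paths, not a real worm).
    printf 'trojaned ps\n' > "$work/root/bin/ps"
    printf 'sh /tmp/.w/run.sh\n' >> "$work/root/etc/rc.d/rc.local"
    mkdir -p "$work/root/tmp/.w"
    printf 'payload placeholder\n' > "$work/root/tmp/.w/run.sh"
    rm -f "$work/root/var/log/messages"
    snapshot "$work/root" "$work/after.txt"

    diff_snapshots "$work/before.txt" "$work/after.txt"
    rm -rf "$work"
}

demo
```

On a real analysis the snapshot would be taken of the guest's root filesystem (mounted read-only from the host, so the worm's own replaced binaries cannot lie about what is on disk) before and after the sample is executed; the MODIFIED list is what feeds the "Files replaced" and "Boot scripts modified" sections of the write-up.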

  8. Write-up
     • Worm actions
     • Vulnerability used to enter system
     • Files replaced
     • Directories used
     • Programs run
     • Boot scripts modified
     • Backdoor(s) installed
     • Continuous process

  9. Writing a removal tool
     • Detectlib
       • Bash-based library for detection and removal
       • Back end is a function library that detects and removes files
       • Front end is essentially a reformatted write-up

  10. Detectlib functions (-)
      • InitDetectlib
      • AttackName WormName
      • AttackMarker [files]
      • ReplacedFile BadFile PathToOriginal
      • PathToRunningApps /full/path
      • PackagesMangled Program Package

  11. Detectlib functions, 2
      • AttackFiles FilesAndDirsToBeRemoved
      • NukedFiles RemovedOrTruncatedFile
      • AddedLine File RegexForLine
      • ReplacedLine File BadRegex GoodString
      • ServicesStopped SysVServiceToRestart
      • Echo…
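Slides 9 to 11 describe the shape of Detectlib: a back end of shell functions that each detect and optionally remove one kind of trace, and a front end that is the write-up restated as calls into that back end. The script below is an added example in that spirit; it is not Detectlib's own code, and its function names (attack_marker, replaced_file, added_line, writeup_example_worm), marker paths, regex and sample tree are all constructed for the demo. It runs detect-only by default and only touches files when REMOVE=1, which is the check a practitioner wants before pointing a removal tool at a production host.

```shell
#!/bin/sh
# Added example (not Detectlib's real code or API): a tiny detection-and-removal
# library following the design on these slides. Back end: functions that each
# detect one kind of trace and, only when REMOVE=1, undo it. Front end: the
# write-up for a hypothetical worm restated as calls into the back end.
# Function names, marker paths, the regex and the sample tree are constructed.

set -u
FINDINGS=0            # indicators found by the current pass
REMOVE=${REMOVE:-0}   # 0 = report only (default), 1 = also clean up

finding() {           # finding MSG: record and print one indicator
    FINDINGS=$((FINDINGS + 1))
    printf 'FOUND: %s\n' "$1"
}

# attack_marker FILE...: files or directories the worm leaves behind.
attack_marker() {
    for f in "$@"; do
        if [ -e "$f" ]; then
            finding "marker $f"
            if [ "$REMOVE" = 1 ]; then rm -rf "$f"; fi
        fi
    done
    return 0
}

# replaced_file SUSPECT KNOWN_GOOD: a system binary swapped for a trojaned one,
# detected by byte comparison with a trusted copy (e.g. from install media).
replaced_file() {
    [ -f "$1" ] || return 0
    cmp -s "$1" "$2" && return 0
    finding "replaced binary $1"
    if [ "$REMOVE" = 1 ]; then cp -p "$2" "$1"; fi
    return 0
}

# added_line FILE REGEX: a line appended to a boot script or config file.
# Removal rewrites in place with cat > so the file keeps its inode and mode.
added_line() {
    [ -f "$1" ] || return 0
    grep -Eq "$2" "$1" || return 0
    finding "added line matching /$2/ in $1"
    if [ "$REMOVE" = 1 ]; then
        grep -Ev "$2" "$1" > "$1.clean" || :   # grep exits 1 if nothing is left
        cat "$1.clean" > "$1"
        rm -f "$1.clean"
    fi
    return 0
}

# Front end: write-up of a hypothetical worm as library calls. ROOT ("" on a
# live system) lets the same checks run against a copied or constructed tree.
writeup_example_worm() {
    root=${1:-}
    attack_marker "$root/tmp/.w" "$root/dev/.hidden.tgz"
    replaced_file "$root/bin/ps" "$root/media/known-good/ps"
    added_line "$root/etc/rc.d/rc.local" '^sh /tmp/\.w/run\.sh$'
}

# demo: constructed infected tree; detect-only pass, cleanup pass, re-check.
# Leaves "first second" finding counts in DEMO_RESULT (expected "3 0").
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tmp/.w" "$work/bin" "$work/media/known-good" "$work/etc/rc.d"
    printf 'payload placeholder\n' > "$work/tmp/.w/run.sh"
    printf 'trojaned ps\n' > "$work/bin/ps"
    printf 'original ps\n' > "$work/media/known-good/ps"
    printf '#!/bin/sh\nsh /tmp/.w/run.sh\nexit 0\n' > "$work/etc/rc.d/rc.local"

    FINDINGS=0; REMOVE=0; writeup_example_worm "$work"; first=$FINDINGS
    FINDINGS=0; REMOVE=1; writeup_example_worm "$work"
    FINDINGS=0; REMOVE=0; writeup_example_worm "$work"; second=$FINDINGS
    rm -rf "$work"
    DEMO_RESULT="$first $second"
    echo "findings before cleanup: $first, after: $second"
}

demo
```

Two design points carry over from the slides. The known-good copy for replaced_file has to come from trusted media rather than from the infected host, since the worm replaces exactly the binaries (ps, netstat, ls) an investigator would use to check it. And because the front end is just the write-up, each new strain becomes a few extra lines of calls rather than a new tool.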

  12. Dissemination
      • Bugtraq
      • SANS mailing list
      • Packetstorm.securify.com

  13. Credits
      • Chris Brenton at Altenet
      • Matt Fearnow at SANS
      • Dave Dittrich at U. Washington

  14. Wrap-up and questions
      • William Stearns, wstearns@pobox.com
      • http://www.ists.dartmouth.edu
      • http://www.washington.edu/People/dad
      • ftp://ftp.stearns.org/pub/wstearns/
      • http://www.stearns.org
