
1 eEye Digital Security
  Decoding and Understanding Internet Worms
  Presented by Ryan Permeh & Dale Coddington

2 Course Overview
  I.   Basic overview / history of worms
  II.  Worm analysis techniques
  III. Worms – under the hood
  IV.  Worm defense techniques
  V.   The future of worms
  VI.  Questions and answers

3 Basic Overview / History of Worms

4 Internet Worms – Defined
  A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.

5 Internet Worms – Who Writes Them
  Hackers/Crackers
  Researchers
  Virus writers

6 Internet Worms – Worms vs. Viruses
  Viruses require interaction; worms act on their own
  Viruses use social attacks; worms use technical attacks

7 Internet Worms – History
  Morris Internet Worm
    – Released in 1998
    – Overloaded VAX and Sun machines with invisible processes
    – 99-line program written by 23-year-old Robert Tappan Morris
    – Exploit xyz

8 Internet Worms – History
  First worms were actually designed and released in the 1980s
  Worms were non-destructive and generally were released to perform helpful network tasks
    – Vampire worm: idle during the day; at night it would use spare CPU cycles to perform complex tasks that required the extra computing power

9 Internet Worms – History
  Eventually negative aspects of worms came to light
    – An internal Xerox worm had crashed all the computers in a particular research center
    – When machines were restarted the worm re-propagated and crashed the machines again

10 Worm Analysis Techniques

11 Worm Analysis Techniques – Capture: Capturing from the Network
  Sniffers
  IDS
  Netcat listeners
  Specialized servers (earlybird, etc.)

12 Worm Analysis Techniques – Capture: Capturing from Memory
  Memory dumps
  Memory searches
  Crashing to preserve memory

13 Worm Analysis Techniques – Capture: Capturing from Disk
  File searches
  File monitoring
  Open handles
  Replicated/infected files

14 Worm Analysis Techniques – Dissection / Disassembly: Loading
  Loading files in IDA
  Initial settings
  Trojans vs. exploit-style worms
    – Trojans load as programs
    – Exploits load as baseless code

15 Worm Analysis Techniques – Dissection / Disassembly: Defining
  Setting variables
  Examining functions
  Examining imports
  Examining strings
  Define flow of code

16 Worm Analysis Techniques – Dissection / Disassembly: Drilling
  Finding important code
    – Via imports
    – Via calls
    – Via strings

17 Worm Analysis Techniques – Debugging as a Disassembly Aid
  Examining in-memory constructs
  Runtime factors
    – Decryption/decoding
    – Variable sets, variable data
    – External factors; the code does not run in a void

18 Worm Analysis Techniques – Attaching to Worm-Infected Processes
  Attach to process
  Debugging running processes
  Finding worm code in process
  Forcing breaks in worm code

19 Worm Analysis Techniques – Sacrificial Goats / Goatnets: Isolation
  Disconnected
  Replicate important services
  Attempt to simulate real environment

20 Worm Analysis Techniques – Sacrificial Goats / Goatnets: Infection
  Netcat injection
  Poison servers/clients
  Turn off AV, turn on tools

21 Worm Analysis Techniques – Sacrificial Goats / Goatnets: Analysis
  Debuggers
    – VC6 debugger
    – SoftICE
    – WinDbg
  Disassemblers
    – IDA

22 Worm Analysis Techniques – Sacrificial Goats / Goatnets: Analysis
  Filemon
  Regmon
  TCPView Pro
  Procdump
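Slides 11 and 20 put a netcat listener on the goat to record whatever the worm sends, and slides 15 and 16 then drill into the capture by its strings. The following is an added example of that capture-and-triage step, written for this transcript and not taken from eEye or the talk: a one-shot listener that answers nothing and saves the raw bytes, plus the hexdump and strings(1)-style extraction used for a first look. The function names, the port argument and the `SAMPLE` bytes are constructed for illustration.

```python
"""Goatnet capture helpers: record what hits a listening port, then triage it."""
import re
import socket
import sys


def capture_once(port, timeout=30.0, max_bytes=1 << 20):
    """Accept one connection on `port`, answer nothing, and return (peer, bytes received).

    This is the netcat-listener role on the goat: the first message the worm
    sends is recorded verbatim so it can be loaded into a disassembler later.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(('0.0.0.0', port))          # the goat is on an isolated network
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        chunks, total = [], 0
        with conn:
            conn.settimeout(timeout)
            while total < max_bytes:
                try:
                    chunk = conn.recv(65536)
                except socket.timeout:
                    break                    # peer went quiet: keep what we have
                if not chunk:
                    break                    # peer closed the connection
                chunks.append(chunk)
                total += len(chunk)
    return peer, b''.join(chunks)


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least `min_len` bytes, as strings(1) would list them."""
    return [m.group().decode('ascii')
            for m in re.finditer(rb'[ -~]{%d,}' % min_len, data)]


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk).ljust(width * 3 - 1)
        asc = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{off:08x}  {hexpart}  {asc}')
    return lines


def save_capture(peer, data, path):
    """Write the raw bytes (for the disassembler) and a readable summary beside them."""
    with open(path, 'wb') as f:
        f.write(data)
    with open(path + '.txt', 'w') as f:
        f.write(f'peer: {peer[0]}:{peer[1]}  bytes: {len(data)}\n\n')
        f.write('\n'.join(hexdump(data)) + '\n\nstrings:\n')
        f.write('\n'.join(extract_strings(data)) + '\n')


# Constructed sample capture: filler bytes around two readable fragments.
SAMPLE = b'\x90\x90\x90GET /default.ida?\x00\x01cmd.exe\x00'

if __name__ == '__main__':
    if len(sys.argv) > 1:                    # e.g. `python capture.py 80` on the goat
        peer, data = capture_once(int(sys.argv[1]))
        save_capture(peer, data, f'capture-{peer[0]}.bin')
    else:
        data = SAMPLE
    print('\n'.join(hexdump(data)))
    print('strings:', extract_strings(data))
```

The listener deliberately sends nothing back: a worm that expects a banner will usually time out and move on, but the bytes it already sent are the part worth keeping, and the `.txt` summary is what you read before deciding whether the raw file deserves a full disassembly.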

23 Worms – Under the Hood

24 Worms Under the Hood – Code Red I: Infection
  .ida vulnerability
  Sent entire copy in HTTP GET data
  Static worm

25 Worms Under the Hood – Code Red I: Propagation
  100 threads of propagation
  HTTP spread
  Uses in-memory copy

26 Worms Under the Hood – Code Red I: Payload
  Attack whitehouse.gov
  Hook web page delivery
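Slides 24 and 25 give the two observable traits of Code Red I's infection traffic: it reaches the .ida handler and it ships its entire body inside the HTTP GET data. The block below is an added detection example for this transcript, not eEye's code or the worm's request: it classifies web-server request records by those traits (an oversized query to an .ida/.idq path, a long run of one padding byte, and a GET that carries a body). The thresholds, the `Finding` type and the `SAMPLE_RECORDS` are constructed assumptions.

```python
"""Flag Code Red-style HTTP requests in web-server request records."""
import re
from dataclasses import dataclass

# Assumed thresholds (not eEye's figures): a legitimate Index Server query to
# an .ida/.idq handler is short, and a GET request carries no body.
MAX_IDA_QUERY_LEN = 200
LONG_RUN_LEN = 64              # one byte repeated this often is padding, not a query

REQUEST_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')
LONG_RUN_RE = re.compile(r'(.)\1{%d,}' % (LONG_RUN_LEN - 1))


@dataclass
class Finding:
    src: str
    reasons: list


def classify_request(request_line, body_len=0):
    """Reasons this request looks like a Code Red-style probe; empty list if it looks clean."""
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return ['malformed request line']
    method, target = m.group('method'), m.group('target')
    path, _, query = target.partition('?')
    reasons = []
    if path.lower().endswith(('.ida', '.idq')):
        if len(query) > MAX_IDA_QUERY_LEN:
            reasons.append(f'{len(query)}-byte query to an .ida/.idq handler')
        if LONG_RUN_RE.search(query):
            reasons.append('long run of a single repeated byte in the query')
    if method == 'GET' and body_len > 0:
        # The worm body rides in the GET data; ordinary GETs have none.
        reasons.append(f'GET request carrying {body_len} bytes of data')
    return reasons


def scan_records(records):
    """Run the classifier over (src, request_line, body_len) records; one Finding per hit."""
    return [Finding(src, r) for src, line, body in records
            if (r := classify_request(line, body))]


# Constructed sample records: two ordinary requests and two worm-like probes.
SAMPLE_RECORDS = [
    ('10.0.0.5', 'GET /index.html HTTP/1.1', 0),
    ('10.0.0.6', 'GET /query.ida?CiRestriction=quarterly&CiMaxRecordsPerPage=10 HTTP/1.1', 0),
    ('10.0.0.7', 'GET /default.ida?' + 'A' * 240 + '=X HTTP/1.0', 3500),
    ('10.0.0.8', 'GET /default.ida?' + 'A' * 240 + '=X HTTP/1.0', 3500),
]

if __name__ == '__main__':
    for f in scan_records(SAMPLE_RECORDS):
        print(f.src, '->', '; '.join(f.reasons))
```

The three rules are independent on purpose: a patched server still sees the probes, so the first two rules fire even when the body never arrives, and the third catches a variant that changes the padding byte but still has to deliver its copy in the request data.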

27 Worms Under the Hood – Code Red II: Infection
  .ida vulnerability
  Similar to Code Red I
  Leaves a trojan

28 Worms Under the Hood – Code Red II: Propagation
  Statistical distribution of random addresses, favoring topologically closer hosts

29 Worms Under the Hood – Code Red II: Payload
  Trojan horse
    – Trojan embedded in worm
    – Simple compression
    – Modifies web dirs
    – Multiple system weakenings
  Adds cmd.exe in web roots

30 Worms Under the Hood – Nimda: Infection
  Outlook/IE vulnerability
  Unicode double decode
  Open shares

31 Worms Under the Hood – Nimda: Propagation
  Open shares
  Web servers

32 Worms Under the Hood – Nimda: Payload
  Opens guest share
  Infects system binaries
  Adds registry keys
  Adds itself to system startup

33 Worm Defense Techniques

34 Global Alerts / Dissemination – Standard Reporting Mechanisms
  There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.

35 Global Alerts / Dissemination – Data Sharing
  Individual network sensors sharing data with a central network console
  Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS
  Sharing data between stores at ARIS, CERT, SANS and others

36 Global Alerts / Dissemination – Statistical Analysis
  Having all the data poses new problems
    – Reduction of duplicate datasets
    – Large-scale statistical analysis
    – Storage, processing, and network resources can be large
  Worms have distinct statistical signatures
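Two slides are served by the next example: slide 28, where Code Red II picks random addresses but favors topologically closer hosts, and slide 36, where pooled sensor data must first be de-duplicated and then mined for the distinct statistical signature a worm leaves. The block is an added illustration written for this transcript, not eEye's or a reporting agency's code: it merges overlapping sensor feeds, profiles each source by fan-out and by how many of its destinations share its own /8 and /16, and flags sources whose /8 bias is far above what uniform random targeting would produce (under uniform 32-bit targeting the chance of sharing a /8 is 1/256). The record layout, thresholds and `_constructed_feeds` data are assumptions.

```python
"""Locality-biased scanner detection over de-duplicated sensor feeds."""
import ipaddress
from collections import defaultdict

# Under uniform random targeting, P(share /8) = 1/256 and P(share /16) = 1/65536.
UNIFORM_SAME8 = 1 / 256
UNIFORM_SAME16 = 1 / 65536


def dedupe(feeds):
    """Merge sensor feeds, dropping records that more than one sensor reported."""
    seen, merged = set(), []
    for feed in feeds:
        for rec in feed:
            key = (rec['ts'], rec['src'], rec['dst'], rec['dport'])
            if key not in seen:
                seen.add(key)
                merged.append(rec)
    return merged


def same_prefix(a, b, bits):
    """True when address b lies in the /bits network that contains address a."""
    net = ipaddress.ip_network(f'{a}/{bits}', strict=False)
    return ipaddress.ip_address(b) in net


def locality_profile(records):
    """Per source: attempts, distinct destinations, share of destinations in its own /8 and /16."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r['src']].append(r['dst'])
    profile = {}
    for src, dsts in by_src.items():
        n = len(dsts)
        profile[src] = {
            'attempts': n,
            'distinct': len(set(dsts)),
            'same8': sum(same_prefix(src, d, 8) for d in dsts) / n,
            'same16': sum(same_prefix(src, d, 16) for d in dsts) / n,
        }
    return profile


def flag_scanners(profile, min_attempts=50, min_fanout=0.9, bias_factor=20):
    """Sources with scanner-like fan-out; 'locality_biased' marks a /8 share far above uniform."""
    flagged = {}
    for src, p in profile.items():
        if p['attempts'] < min_attempts or p['distinct'] / p['attempts'] < min_fanout:
            continue
        flagged[src] = dict(p, locality_biased=p['same8'] > bias_factor * UNIFORM_SAME8)
    return flagged


def _constructed_feeds():
    """Two overlapping sensor feeds (constructed sample data, deterministic)."""
    recs = []
    # 1) a normal host: 60 connections to the same three servers
    servers = ['10.1.2.10', '10.1.2.11', '10.1.2.12']
    for i in range(60):
        recs.append({'ts': i, 'src': '10.1.2.3', 'dst': servers[i % 3], 'dport': 80})
    # 2) a uniform scanner: 200 distinct destinations, never in its own /8
    for i in range(200):
        dst = f'{(11 + i) % 223 + 1}.{i % 250 + 1}.{(i * 7) % 250 + 1}.{(i * 13) % 250 + 1}'
        recs.append({'ts': i, 'src': '10.9.9.9', 'dst': dst, 'dport': 80})
    # 3) a locality-biased scanner: half of its 200 targets share its /8
    for i in range(200):
        first = 172 if i % 2 == 0 else (11 + i) % 223 + 1
        dst = f'{first}.{i % 250 + 1}.{(i * 7) % 250 + 1}.{(i * 13) % 250 + 1}'
        recs.append({'ts': i, 'src': '172.16.5.9', 'dst': dst, 'dport': 80})
    # sensor B saw the second half of the same traffic again
    return [recs, recs[len(recs) // 2:]]


if __name__ == '__main__':
    merged = dedupe(_constructed_feeds())
    for src, p in flag_scanners(locality_profile(merged)).items():
        print(src, p)
```

Fan-out alone separates scanners from busy but ordinary hosts; the /8 and /16 shares then separate a uniformly scanning worm from one that prefers nearby targets, which is exactly the kind of signature that only becomes visible once several sensors' records are pooled and de-duplicated.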

37 Environment – Modifying Aspects of a Worm's Environment
  Lysine deficiencies
  Monoculture assumptions
    – Network addresses
    – Memory locations
    – Architecture

38 Counter Worms – Using Aspects of a Worm to Stop the Spread
  Uses the same propagation
  Contains a fix, or code needed to identify
  Should contain extreme limits
  Generally not well regarded

39 The Future of Worms

40 Multiple Attack Vectors – Client- and Server-Side Flaws
  Buffer overflows
  Format string attacks
  Design flaws
  Open shares
  Misconfigurations

41 Encryption/Obfuscation/Polymorphism – Covert Channel / Stealth Worms
  Hiding in plain sight
  ICMP
  Encoding in normal data stream
  Nonstandard

42 Encryption/Obfuscation/Polymorphism – Keyed Payloads
  Keying a worm before sending, requiring the worm to “call back” to decode itself.
  Clear-text worm never transmits
  Higher chance of missing key transmissions; less likely to get a worm to disassemble

43 Encryption/Obfuscation/Polymorphism – Standard Polymorphic/Mutation Techniques
  Worms meet viruses
  Continuously changing itself
  Brute-forcing new offsets
  Adapting to the environment to become “more fit”

44 Bigger Scope – Flash Worms
  Faster, more accurate spread
  Complete spread of all possible targets in 5–20 minutes
  Very low false positive rate
  Too fast to analyze/disseminate information
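Slide 44's point that a flash worm is "too fast to analyze/disseminate information" can be put in numbers with the textbook susceptible-infected epidemic model, in which each infected host produces new infections at a constant rate k and the infected fraction i(t) follows di/dt = k·i·(1 − i). The block below is an added example for this transcript, not eEye's analysis: it solves that model in closed form and reports how long a defender has between the point where infections are numerous enough to notice and the point where half the vulnerable population is gone. The model itself, the 300,000-host population, the 10 probes/s uniform scanner and the 0.05 infections/s flash-worm rate are all assumptions chosen for illustration.

```python
"""Response-window estimates for a fast-spreading worm (SI epidemic model)."""
import math


def infected_fraction(t, k, i0):
    """Infected fraction at time t (seconds) for di/dt = k*i*(1-i), i(0) = i0 (logistic curve)."""
    return 1.0 / (1.0 + (1.0 / i0 - 1.0) * math.exp(-k * t))


def time_to_fraction(target, k, i0):
    """Seconds until the infected fraction first reaches `target` (inverse of the logistic)."""
    if not 0.0 < i0 < target < 1.0:
        raise ValueError('need 0 < i0 < target < 1')
    return math.log((target / (1.0 - target)) * ((1.0 - i0) / i0)) / k


def response_window(k, i0, notice_at=0.01, lost_at=0.5):
    """Seconds between 'enough infections to be noticed' and 'half the population infected'.

    For the logistic model this is ln((lost/(1-lost)) * ((1-notice)/notice)) / k, so it
    depends on the infection rate k but not on how many hosts seeded the outbreak.
    """
    return time_to_fraction(lost_at, k, i0) - time_to_fraction(notice_at, k, i0)


def k_uniform_scanning(probes_per_sec, vulnerable_hosts, address_space=2 ** 32):
    """Per-host infection rate when targets are drawn uniformly: most probes hit nothing."""
    return probes_per_sec * vulnerable_hosts / address_space


def scenario(name, k, vulnerable_hosts):
    """Summarise one outbreak started from a single host (times in minutes)."""
    i0 = 1.0 / vulnerable_hosts
    return {
        'name': name,
        'minutes_to_half': time_to_fraction(0.5, k, i0) / 60,
        'window_minutes': response_window(k, i0) / 60,
    }


if __name__ == '__main__':
    VULNERABLE = 300_000                                   # assumed population size
    uniform = scenario('uniform scanner, 10 probes/s', k_uniform_scanning(10, VULNERABLE), VULNERABLE)
    flash = scenario('flash worm, 0.05 infections/s per host', 0.05, VULNERABLE)
    for s in (uniform, flash):
        print(f"{s['name']}: half infected after {s['minutes_to_half']:.1f} min, "
              f"window between 1% and 50% is {s['window_minutes']:.1f} min")
```

With these assumed rates the uniformly scanning worm takes hours to reach half of the population and leaves a window of over an hour between 1% and 50% infected, while the flash worm reaches half in a few minutes and leaves a window of about a minute and a half. That gap is the whole argument of the slide: when the window is shorter than the time it takes to capture, analyze and disseminate a signature, the defense has to be in place before the outbreak starts.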

45 Bigger Scope – Intelligent Worms
  Worms meet AI
  Worm-infected hosts communicating in a P2P method
  Exchanging information on targeting, propagation, or new infection methods
  Agent-like behavior

46 Bigger Scope – Multi-Platform / OS Worms
  Multi-OS shellcode
  Attacking multiple different vulnerabilities on multiple platforms
  Single worm code, large attackable base

47 Questions and Answers?

48 References
  eEye Code Red I Analysis / Advisory:
  eEye Code Red II Analysis / Advisory:

49 Contact Information
  Ryan Permeh –
  Dale Coddington –

