eEye Digital Security

Decoding and Understanding Internet Worms

Presented by Ryan Permeh & Dale Coddington


Course Overview

I. Basic overview / history of worms

II. Worm analysis techniques

III. Worms – under the hood

IV. Worm defense techniques

V. The future of worms

VI. Questions and answers


Basic Overview / History of Worms


Internet Worms-Defined

A worm is a self-propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts.


Internet Worms-Who Writes Them

• Hackers/Crackers

• Researchers

• Virus Writers


Internet Worms-Worms vs. Viruses

• Viruses require interaction

• Worms act on their own

• Viruses use social attacks

• Worms use technical attacks


Internet Worms-History

• Morris Internet Worm

– Released in 1998

– Overloaded VAX and Sun machines with invisible processes

– 99-line program written by 23-year-old Robert Tappan Morris

– Exploit xyz


Internet Worms-History

• First worms were actually designed and released in the 1980s

• Worms were non-destructive and generally were released to perform helpful network tasks

– Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power


Internet Worms-History

• Eventually negative aspects of worms came to light

– An internal Xerox worm had crashed all the computers in a particular research center

– When machines were restarted the worm re-propagated and crashed the machines again


Worm Analysis Techniques


Worm Analysis Techniques-Capture: Capturing from the Network

• Sniffers

• IDS

• Netcat Listeners

• Specialized Servers (earlybird, etc.)


Worm Analysis Techniques-Capture: Capturing from Memory

• Memory Dumps

• Memory Searches

• Crashing to preserve memory


Worm Analysis Techniques-Capture: Capturing from Disk

• File searches

• File monitoring

• Open handles

• Email

• Replicated/Infected files


Worm Analysis Techniques-Dissection / Disassembly: Loading

• Loading files in IDA

• Initial Settings

• Trojans vs. Exploit Style worms

– Trojans load as programs

– Exploits load as baseless code


Worm Analysis Techniques-Dissection / Disassembly: Defining

• Setting variables

• Examining functions

• Examining imports

• Examining Strings

• Define flow of code


Worm Analysis Techniques-Dissection / Disassembly: Drilling

• Finding important code

– Via imports

– Via calls

– Via strings
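As an added example (not from the slides, and not eEye's tooling), a small Python triage pass over a captured binary blob: it extracts printable strings and buckets them into the categories an analyst drills into first, namely HTTP requests, hostnames, file paths and CamelCase Win32 export names that point at the imports worth examining. The blob is constructed, and the category patterns and minimum length are assumptions.

```python
import re
from collections import defaultdict

# Constructed byte blob standing in for a captured worm body (not real malware):
# a few opcode-like bytes, then strings of the kinds an analyst looks for.
SAMPLE_BLOB = (
    b"\x90\x90\x55\x8b\xec"
    + b"GET /default.ida?NNNN HTTP/1.0\r\n\x00"
    + b"\x01\x02LoadLibraryA\x00GetProcAddress\x00CreateThread\x00"
    + b"\xff\xfec:\\inetpub\\wwwroot\\cmd.exe\x00"
    + b"\x03www.target.example\x00ab\x00"  # "ab" is too short to report
)
MIN_LEN = 4  # assumed minimum length, the usual strings(1) default

# Assumed category patterns; the first match wins. "api" catches CamelCase
# Win32 export names, which hint at what the code imports and calls.
CATEGORIES = [
    ("http", re.compile(r"^(GET|POST|HEAD) /|HTTP/\d\.\d")),
    ("hostname", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("path", re.compile(r"^[a-z]:\\|[\\/][^\\/ ]+\.exe$", re.I)),
    ("api", re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]*)+A?$")),
]

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of printable ASCII at least min_len bytes long, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]

def triage(strings) -> dict:
    """Bucket strings by category; anything unmatched goes under 'other'."""
    hits = defaultdict(list)
    for s in strings:
        for name, rx in CATEGORIES:
            if rx.search(s):
                hits[name].append(s)
                break
        else:
            hits["other"].append(s)
    return dict(hits)

if __name__ == "__main__":
    for category, items in triage(extract_strings(SAMPLE_BLOB)).items():
        print(category, items)
```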


Worm Analysis Techniques-Debugging as a Disassembly Aid

• Examining in-memory constructs

• Runtime factors

– Decryption/decoding

– Variable sets, variable data

– External factors, not in a void


Worm Analysis Techniques-Attaching to Worm Infected Processes

• Attach to process

• Debugging running processes

• Finding worm code in process

• Forcing breaks in worm code


Worm Analysis Techniques-Sacrificial Goats / Goatnets: Isolation

• Disconnected

• Replicate important services

• Attempt to simulate real environment


Worm Analysis Techniques-Sacrificial Goats / Goatnets: Infection

• Netcat injection

• Poison servers/clients

• Turn off AV, turn on tools


Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis

• Debuggers

– VC6 debugger

– SoftICE

– WinDbg

• Disassemblers

– IDA


Worm Analysis Techniques-Sacrificial Goats / Goatnets: Analysis

• Filemon

• Regmon

• TCPView Pro

• Procdump


Worms – Under the Hood


Worms Under the Hood-Code Red I: Infection

• IDA vulnerability

• Sent entire copy in HTTP GET data

• Static worm


Worms Under the Hood-Code Red I: Propagation

• 100 threads of propagation

• HTTP spread

• Use in-memory copy


Worms Under the Hood-Code Red I: Payload

• Attack whitehouse.gov

• Hook web page delivery


Worms Under the Hood-Code Red II: Infection

• IDA vulnerability

• Similar to Code Red I

• Leaves a trojan


Worms Under the Hood-Code Red II: Propagation

• Statistical distribution of random address, favoring topologically closer hosts


Worms Under the Hood-Code Red II: Payload

• Trojan Horse

– Trojan embedded in worm

– Simple compression

– Modifies web dirs

– Multiple system weakenings

• Adds cmd.exe in web roots


Worms Under the Hood-Nimda: Infection

• Outlook/IE vulnerability

• Unicode

• Double Decode

• Open shares
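As an added example (not from the slides or the eEye advisories), a Python request-line checker for the three server-side vectors named on the Code Red I, Code Red II and Nimda slides: an oversized query to an .ida handler, cmd.exe reachable under a web root, and the Unicode and double-decode traversal that hides ".." from a single decoding pass. The sample request lines are constructed; the query-length threshold and the tag names are assumptions.

```python
from urllib.parse import unquote_to_bytes
# Constructed request lines "METHOD path HTTP/ver" (not real captures).
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + " HTTP/1.0",  # .ida with an oversized query
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # overlong '/'
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",  # %25->%, %5c->backslash
]
IDA_QUERY_LIMIT = 200  # assumed cut-off; a benign .ida query is far shorter

def _fold_overlong(data: bytes) -> bytes:
    """Fold overlong two-byte UTF-8 (lead byte C0/C1) into the ASCII it encodes, e.g. C0 AF -> '/'."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize_path(path: str, max_passes: int = 3) -> tuple:
    """Decode until stable; returns (lower-case, slash-folded path, passes that changed it)."""
    data, passes = path.encode("latin-1"), 0
    for _ in range(max_passes):
        decoded = _fold_overlong(unquote_to_bytes(data))
        if decoded == data:
            break
        data, passes = decoded, passes + 1
    return data.decode("latin-1").replace("\\", "/").lower(), passes

def classify_request(line: str) -> list:
    """Tag one request line with the worm-style patterns it matches."""
    parts = line.split()
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition("?")
    norm, passes = normalize_path(path)
    tags = []
    if path.lower().endswith(".ida") and len(query) > IDA_QUERY_LIMIT:
        tags.append("ida-overflow")   # worm body carried in the GET query
    if passes > 1:
        tags.append("double-decode")  # only a second decode reveals the path
    if "/../" in norm:
        tags.append("traversal")      # escapes the web root after decoding
    if "cmd.exe" in norm:
        tags.append("cmd.exe")        # shell reachable through the web server
    return tags
```

Run `classify_request` over each line of a web log; a line that returns any tag is worth a look.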


Worms Under the Hood-Nimda: Propagation

• Email

• Open shares

• Web servers


Worms Under the Hood-Nimda: Payload

• Opens guest share

• Infects system binaries

• Adds Registry keys

• Adds itself to system startup


Worm Defense Techniques


Global Alerts / Dissemination-Standard Reporting Mechanisms

There is a need for a common reporting mechanism. This would serve to qualitatively correlate incidents regardless of reporter or reporting agency.


Global Alerts / Dissemination-Data Sharing

• Individual Network sensors sharing data with a central network console

• Network consoles sharing data with a reporting agency, like ARIS, CERT or SANS

• Sharing data between stores at ARIS, CERT, SANS and others


Global Alerts / Dissemination-Statistical Analysis

• Having all the data poses new problems

– Reduction of duplicate datasets

– Large scale statistical analysis

– Storage, processing, and network resources can be large

• Worms have distinct statistical signatures
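As an added example (not from the slides), the kind of statistical signature this slide refers to, in Python: a host that opens connections to an unusually large number of distinct destinations on one port inside a short window, which is what a worm with many propagation threads looks like in flow data. Identical records reported by several sensors are folded before counting, covering the duplicate-dataset point above. The flow records, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed connection records "epoch_seconds src dst dport" (not real logs):
# one host browsing three sites, one host fanning out to forty hosts on port 80.
SAMPLE_FLOWS = (
    [f"{1000 + i} 10.0.0.5 192.0.2.{1 + i % 3} 80" for i in range(12)]
    + [f"{1000 + i // 4} 10.0.0.7 198.51.100.{1 + i} 80" for i in range(40)]
)
WINDOW_SECONDS = 10  # assumed sliding window
FANOUT_LIMIT = 20    # assumed: distinct destinations per window we tolerate

def parse_flow(line: str) -> tuple:
    """Split one record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def detect_fanout(lines, window=WINDOW_SECONDS, limit=FANOUT_LIMIT) -> dict:
    """Return {(src, dport): peak distinct destinations} for every source that
    contacted more than `limit` distinct hosts on one port inside `window` s.
    Duplicate records (the same flow seen by several sensors) are folded first
    so that duplicated datasets do not inflate the counts."""
    flows = sorted({parse_flow(l) for l in lines})
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst) in window
    peaks = {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        window_q = recent[key]
        while window_q and ts - window_q[0][0] >= window:
            window_q.popleft()   # drop records that fell out of the window
        window_q.append((ts, dst))
        distinct = len({d for _, d in window_q})
        if distinct > limit:
            peaks[key] = max(peaks.get(key, 0), distinct)
    return peaks

if __name__ == "__main__":
    for (src, dport), peak in detect_fanout(SAMPLE_FLOWS).items():
        print(f"{src} reached {peak} distinct hosts on port {dport} "
              f"within {WINDOW_SECONDS}s")
```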


Environment-Modifying Aspects of a Worm's Environment

• Lysine Deficiencies

• Monoculture

• Assumptions

– Network addresses

– Memory locations

– Architecture


Counter Worms-Using Aspects of a Worm to stop the Spread

• Using same propagation

• Contains a fix, or code needed to identify

• Should contain extreme limits

• Generally not well regarded


The Future of Worms


Multiple Attack Vectors-Client and Server-Side Flaws

• Buffer overflows

• Format string attacks

• Design flaws

• Open shares

• Misconfigurations


Encryption/Obfuscation/Polymorphism-Covert Channel / Stealth Worms

• Hiding in plain sight

• ICMP

• Encoding in normal data stream

• Nonstandard


Encryption/Obfuscation/Polymorphism-Keyed Payloads

• Keying a worm before sending, requiring the worm to “call back” to decode itself.

• Clear text worm never transmits

• Higher chance of missing key transmissions, less likely to get a worm to disassemble


Encryption/Obfuscation/Polymorphism-Standard Polymorphic/Mutation Techniques

• Worms meet viruses

• Continuously changing itself

• Brute forcing new offsets

• Adapting to the environment to become “more fit”


Bigger Scope-Flash Worms

• Faster, more accurate spread

• Complete spread of all possible targets in 5-20 minutes

• Very low false positive rate

• Too fast to analyze/disseminate information


Bigger Scope-Intelligent Worms

• Worms meet AI

• Worm infected hosts communicating in a p2p method

• Exchanging information on targeting, propagation, or new infection methods

• Agent-like behavior


Bigger Scope-Multi-Platform / OS Worms

• Multi-OS shell code

• Attacking multiple different vulnerabilities on multiple platforms

• Single worm code, large attackable base


Questions and Answers?


References

• eEye Code Red I Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010717.html

• eEye Code Red II Analysis / Advisory: http://www.eeye.com/html/Research/Advisories/AL20010804.html


Contact Information

• Ryan Permeh – [email protected]

• Dale Coddington – [email protected]