Lesson 4 Networked Computer Security Attacks on Internet Computers - PowerPoint PPT Presentation

Provided by: Kauf

1
Lesson 4: Networked Computer Security Attacks on
Internet Computers
2
Overview
  • Malicious Software
  • Recent Worms/Viruses

3
Malicious Software
  • Viruses
  • Trojan Horse
  • Worms

4
Viruses: 3 Primary categories
  • File infectors: now extinct in the wild
  • Boot sector viruses: died out after hard drives
    became prevalent
  • Macro (interpreted): most common, cross
    platform, written in scripting languages

5
Worms: self-propagating program
  • Morris
  • Pretty Park
  • ILOVEYOU (Melissa)
  • CODE RED
  • NIMDA
  • Slapper
  • SQL

6
Trojan Horse
  • Trojan Horse: a program that secretly installs
    itself and does something malicious
  • Password sniffers
  • Back Orifice: allows remote users to take over
    the computer
  • Plethora of hacker tools

7
Trends in DoS Attacks: The Evolution of Worms
and Other Pesky Varmints
8
10 Propositions on Network Defense
  • Networks are critical business support
    systems...if not the sole reason for the business
  • Networks exist to operate
  • Security should ensure you operate
  • All good systems have fail safes
  • Vulnerability Alerts are not only a Sys Admin
    Issue
  • The threat to our network is real
  • There is no distant end on a network
  • There is no distant end in network defense
  • You are only as good as your weakest link
  • You do not want to be the weakest link

9
What is a DoS Attack?
  • DoS Attacks prevent or impair the legitimate use
    of computer or network resources
  • Consistent and Real Threat due to
  • Limited and Consumable Resources
  • Internet Security is Highly Interdependent
  • Defending Against DoS is not an Exact Science

Source: Trends in DoS Attack Technology, Houle et
al., CERT/CC
10
Early Virus/Worms
  • Melissa (Mar/Apr 99)
  • Macro Virus affecting Microsoft Word 97/2000 and
    Microsoft Outlook 97/98
  • Propagates through an infected attachment in
    e-mail
  • Infected Word file attachment, when opened,
    replicates the mail message to the first 50
    addresses in the recipient's address book
  • This Transport Mechanism Still Alive and Well
  • Countermeasure: Filter Email, Operator Education

11
Early Virus/Worms
  • Loveletter (May 00)
  • Propagates via email attachment
  • When first run, drops copies of itself in several
    places on the system and adds registry keys in
    order to run at system startup
  • Overwrites (and renames) several system files
    with copies of itself
  • Uses Microsoft Outlook to send copies of itself
    to address book entries
  • Tries to download and install a password-stealing
    program from the Internet; when installed, the
    program will email passwords to
    MAILME_at_SUPER.NET.PH

12
Early Virus/Worms
  • Kournikova (12-13 Feb 01)
  • Propagates via email attachment
  • Fools users into thinking it is a JPEG picture of
    Russian tennis player Anna Kournikova; does this
    by sending itself as an attached file called
    AnnaKournikova.jpg.vbs.
  • Alters registry files on infected computer
  • Sends copies of itself via email address book
  • Sends itself out again on the 26th of each month
  • Built using a free tool off the Internet that
    generates e-mail worms
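The mail-gateway filtering the Melissa slide recommends, applied to the disguise Kournikova used (a script named to look like a picture). This is an added example, not code from the original slides; the extension sets and the sample messages are assumptions constructed for it.

```python
"""Mail-gateway attachment-name check for disguised scripts.

Added example (not from the original slides): it applies the email
filtering the deck recommends to the Kournikova trick, a VBScript
file named to look like a picture (AnnaKournikova.jpg.vbs).
The extension sets are assumptions, not a complete policy.
"""

# Script/executable types a gateway should not pass unexamined (assumed list).
EXEC_EXT = {"vbs", "vbe", "js", "jse", "exe", "scr", "pif", "bat", "cmd", "com"}
# "Decoy" types a user expects to be harmless content (assumed list).
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "htm", "html"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    parts = [p.strip() for p in filename.strip().lower().split(".") if p.strip()]
    if len(parts) < 2:
        return ("allow", "no extension")
    final = parts[-1]
    if final not in EXEC_EXT:
        return ("allow", f"content type '{final}'")
    # Executable final extension: check whether a decoy extension precedes
    # it, which is the Kournikova-style double-extension disguise.
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return ("block", f"script '{final}' disguised as '{parts[-2]}'")
    return ("block", f"executable attachment type '{final}'")


def filter_messages(messages):
    """Split message records into (delivered, blocked) lists of (msg, reason).

    Each record is a dict with 'from', 'subject' and 'attachment' keys.
    """
    delivered, blocked = [], []
    for msg in messages:
        verdict, reason = classify_attachment(msg.get("attachment") or "")
        (blocked if verdict == "block" else delivered).append((msg, reason))
    return delivered, blocked


# Constructed sample traffic, not captured data.
SAMPLE = [
    {"from": "alice@example.test", "subject": "photo for you",
     "attachment": "AnnaKournikova.jpg.vbs"},
    {"from": "bob@example.test", "subject": "Q3 figures",
     "attachment": "figures.xls"},
    {"from": "carol@example.test", "subject": "patch",
     "attachment": "update.exe"},
]
```

`filter_messages(SAMPLE)` blocks the disguised script and the bare executable and delivers only the spreadsheet.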

13
Early MOs
  • Making false claims that a file attachment
    contains a software patch or update
  • Implying or using entertaining content to entice
    a user into executing a malicious file

14
Early MOs Continued
  • Using email delivery techniques that cause the
    message to appear to have come from a familiar or
    trusted source
  • Packaging malicious files in deceptively familiar
    ways (e.g., use of familiar but deceptive program
    icons or file names)

15
Present Day Virus/Worms
  • Code Red Worm (12 July to 24 Oct)
  • Activates 100 connections at a time looking for
    new hosts to infect
  • Initially displayed a false web page ("Hacked by
    Chinese"); removed in 2nd version to avoid
    detection
  • New host search pseudo-random: each new
    instance would start probing at the same first host
    and continue; corrected in second version
  • Resulted in hosts at beginning of attack list
    inundated with connection requests from each
    infected server
  • Designed with stealth periods and vicious active periods
  • Propagation Causes DoS Conditions

!!!! When present, resides in volatile memory
!!!! No disk files to search for with Anti-Virus
software
16
How CODE RED Works
First infected system
17
How CODE RED Works
First infected system
Scans to find new victims
100 system probes
18
How CODE RED Works
First infected system
Scans to find new victims
19
  • Each new victim starts the scanning process over
    again
  • From the 20th to end of month (EOM), primary target is
    www.whitehouse.gov
20
Present Day Virus/Worms
  • Sir Cam Worm (17 July to 16 Oct)
  • Arrives as an email attachment
  • Message text: "Hi! How are you?"; last line: "See you later. Thanks"
  • Most significant attribute of the virus is its
    ability to forward on documents located on an
    infected host
  • Sir Cam was programmed with a 1 in 20 chance of
    deleting all files on an infected host on 16
    October
  • A second payload is also set to fill infected
    hard drives with junk data
  • Overshadowed by Nimda

21
Present Day Virus/Worms
  • Nimda Worm (18 Sept to 24 Oct)
  • Multi Axis Attack
  • Email Attachment
  • SMB Networking
  • Exploited backdoors from Previous Attacks
  • IE Exploitation
  • Exploit IIS for Wide Propagation
  • Propagation Causes DDoS Conditions

22
How NIMDA Works
First infected system
23
How NIMDA Works
tftp Admin.dll from attacking system (contains
NIMDA payload)
24
How NIMDA Works
Sends infected email attachment
NIMDA propagates via open file shares
Infected system scans network for vulnerable IIS
web servers
NIMDA attaches to web pages on infected server
25
How NIMDA Works
  • NIMDA prefers to target its neighbors
  • Very rapid propagation
26
Sapphire SQL Worm (ref: http://www.techie.hopto.org/sqlworm.html)
  • Outbound traffic to external addresses on UDP
    Port 1434
  • Scanning causes a significant amount of data to
    be transmitted, all of it aimed at UDP port 1434.
  • Large amount of ICMP Port/Host Unreachable
    messages aimed at server systems
  • The worm uses a large number of UDP packets to
    achieve widespread infection. If the worm aims
    packets at a non-existent address (or an address
    that has not opened port 1434), an ICMP
    Unreachable message may be returned by the router
    that detected the error.

27
Sapphire SQL Worm (2)
  • SQL resolution service failure
  • Infection causes resolution service to fail
  • Disables access to SQL services
  • Effect occurs until the SQL server is restarted.
  • Performance Degradation
  • Due to scanning for other systems, and the
    resultant bandwidth consumption due to outbound
    UDP packets (or inbound ICMP error messages as
    outlined above), connection speeds to other
    services may drop drastically.
  • Because the worm does not have the facilities to
    prevent re-infection, systems may have several
    copies of the worm running simultaneously.
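The two network indicators the Sapphire slides list (one host spraying UDP datagrams at port 1434 across many addresses, and ICMP unreachable messages flowing back to it) turned into a detection over firewall logs. This is an added example, not code from the original slides; the log line format and the sample lines are assumptions constructed for it.

```python
"""Log-based detector for the Sapphire/SQL worm traffic pattern.

Added example (not from the original slides): scans constructed firewall
log lines for one internal host sending UDP/1434 to many distinct
addresses plus ICMP unreachable replies coming back to it.
The log format is an assumption made for this example.
"""
from collections import defaultdict

# Constructed sample: "<epoch> <proto> <src> <dst> <dport or icmp-type>"
SAMPLE_LOG = """\
1043000001 udp 10.0.0.5 203.0.113.10 1434
1043000001 udp 10.0.0.5 198.51.100.77 1434
1043000001 udp 10.0.0.5 192.0.2.200 1434
1043000002 udp 10.0.0.5 203.0.113.11 1434
1043000002 icmp 203.0.113.1 10.0.0.5 unreachable
1043000002 udp 10.0.0.5 192.0.2.201 1434
1043000003 icmp 198.51.100.1 10.0.0.5 unreachable
1043000003 udp 10.0.0.9 10.0.0.20 1434
"""

def parse_line(line):
    ts, proto, src, dst, last = line.split()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst, "last": last}

def find_slammer_suspects(log_text, window=60, min_targets=5):
    """Return {src: {"targets": n, "unreachables": m}} for suspect hosts.

    A host is reported when, within `window` seconds, it sends UDP/1434 to
    at least `min_targets` distinct destinations (a real SQL client talks
    to a handful of servers, not to scattered addresses)."""
    udp1434 = defaultdict(list)  # src -> [(ts, dst)]
    unreach = defaultdict(int)   # host receiving ICMP unreachable -> count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["proto"] == "udp" and e["last"] == "1434":
            udp1434[e["src"]].append((e["ts"], e["dst"]))
        elif e["proto"] == "icmp" and e["last"] == "unreachable":
            unreach[e["dst"]] += 1
    suspects = {}
    for src, flows in udp1434.items():
        flows.sort()
        for i, (t0, _) in enumerate(flows):  # sliding time window
            targets = {d for t, d in flows[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                suspects[src] = {"targets": len(targets),
                                 "unreachables": unreach[src]}
                break
    return suspects
```

On the sample, 10.0.0.5 is reported (5 distinct UDP/1434 targets, 2 unreachables) while 10.0.0.9, which contacts a single SQL server, is not.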

28
Impact
  • Melissa: 1.2B
  • Love Letter: 8.7B, Most of Fortune 500 Companies
  • Kournikova
  • Sircam: 1B
  • Code Red: 2.6B estimated Jul/Aug 01 alone
  • Nimda

29
Early Lessons Learned
  • Filtering at firewalls must be implemented
  • Recommended configurations must be at mail
    servers and workstations
  • Vendor supplied upgrades, updates, patches must
    be fully employed
  • Work Force Needs to be Trained

30
Nimda and Code Red Lessons Learned
  • Highlights fact that network defense is not the
    only defense against interactive hackers
  • Many attackers were unwitting/unpatched zombies
    in the internet world, out of our control
  • This was an attack against the network
    infrastructure
  • Work Force Still Needs to Practice Safe Computing
  • Industry Solutions were Varied and Costly

31
The Future of DDoS Attacks?
  • Intruder use of Internet Relay Chat (IRC)
  • Will use established comm routes
  • Not easy to discern from legitimate traffic
  • Bogus Domain Names used--STEALTH
  • Routers used for DoS Attacks
  • Direct attacks on routing protocols
  • Less chance of being discovered
  • Time to exploit is shrinking
  • Non-disclosure within intruder communities
  • Increased Blast Zones--collateral damage

Source: Trends in DoS Attack Technology, Houle et
al., CERT/CC