Title: Lesson 4 Networked Computer Security Attacks on Internet Computers
1. Lesson 4: Networked Computer Security Attacks on Internet Computers
2. Overview
- Malicious Software
- Recent Worms/Viruses
3. Malicious Software
- Viruses
- Trojan Horse
- Worms
4. Viruses: 3 primary categories
- File infectors: now rare in the wild
- Boot sector viruses: died out after hard drives became prevalent
- Macro (interpreted) viruses: most common; cross-platform; written in scripting languages
5. Worms: self-propagating programs
- Morris
- Pretty Park
- Melissa
- ILOVEYOU (Loveletter)
- Code Red
- Nimda
- Slapper
- SQL Slammer (Sapphire)
6. Trojan Horse
- Trojan Horse: a program that secretly installs itself and does something malicious
- Password sniffers
- Back Orifice: allows remote users to take over the computer
- Plethora of hacker tools
7. Trends in DoS Attacks: The Evolution of Worms and Other Pesky Varmints
8. 10 Propositions on Network Defense
- Networks are critical business support systems, if not the sole reason for the business
- Networks exist to operate
- Security should ensure you operate
- All good systems have fail-safes
- Vulnerability alerts are not only a sysadmin issue
- The threat to our network is real
- There is no distant end on a network
- There is no distant end in network defense
- You are only as good as your weakest link
- You do not want to be the weakest link
9. What is a DoS Attack?
- DoS attacks prevent or impair the legitimate use of computer or network resources
- A consistent and real threat because:
  - Resources are limited and consumable
  - Internet security is highly interdependent
  - Defending against DoS is not an exact science
Source: Trends in DoS Attack Technology, Houle et al., CERT/CC
10. Early Viruses/Worms
- Melissa (Mar/Apr 99)
- Macro virus affecting Microsoft Word 97/2000 and Microsoft Outlook 97/98
- Propagates through an infected attachment in e-mail
- When the infected Word attachment is opened, it replicates the mail message to the first 50 addresses in the recipient's address book
- This transport mechanism is still alive and well
- Countermeasures: filter e-mail, operator education
11. Early Viruses/Worms
- Loveletter (May 00)
- Propagates via e-mail attachment
- When first run, drops copies of itself in several places on the system and adds registry keys in order to run at system startup
- Overwrites (and renames) several files on the system with copies of itself
- Uses Microsoft Outlook to send copies of itself to address book entries
- Tries to download and install a password-stealing program from the Internet; once installed, the program e-mails captured passwords to MAILME@SUPER.NET.PH
12. Early Viruses/Worms
- Kournikova (12-13 Feb 01)
- Propagates via e-mail attachment
- Fools users into thinking it is a JPEG picture of the Russian tennis player Anna Kournikova by sending itself as an attached file called AnnaKournikova.jpg.vbs (Windows hides known extensions by default, so the name displays as an image file)
- Alters the registry on the infected computer
- Sends copies of itself to everyone in the e-mail address book
- Sends itself out again on the 26th of each month
- Built using a free tool off the Internet that generates e-mail worms (the VBS Worm Generator kit)
13. Early MOs
- Making false claims that a file attachment contains a software patch or update
- Implying or using entertaining content to entice a user into executing a malicious file
14. Early MOs (continued)
- Using e-mail delivery techniques that cause the message to appear to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
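The "filter e-mail" countermeasure from the Melissa slide, applied to the packaging tricks on the MO slides, as an added example that is not part of the original lesson: a mail-gateway attachment check that flags executable attachments, double extensions such as AnnaKournikova.jpg.vbs, and a declared content type that contradicts the file name. The extension lists, thresholds and function names are this example's own assumptions, and the sample message is constructed (its "payload" is an inert placeholder).

```python
"""Attachment filter for the e-mail worm lures described on the MO slides.
Added example; not code from the lesson.  Lists and names are assumptions."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes (or hands to the script host) on double-click.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "hta", "lnk"}
# Extensions a user reads as harmless data; used to spot a disguise.
DATA_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "xls", "pdf", "zip"}
# Content type a name with one of these extensions should carry (assumed policy).
TYPE_FOR_EXT = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif",
                "png": "image/png", "txt": "text/plain"}


def attachment_findings(filename, content_type):
    """Return the reasons an attachment should be blocked ([] means allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{ext}")
    # Double extension: a data-looking name followed by an executable one.
    if len(parts) > 2 and parts[-2] in DATA_EXT and ext in EXECUTABLE_EXT:
        reasons.append(f"double extension .{parts[-2]}.{ext} disguises a script")
    # Declared MIME type must agree with what the name claims to be.
    expected = TYPE_FOR_EXT.get(ext)
    if expected and content_type != expected:
        reasons.append(f"content type {content_type} does not match .{ext}")
    if ext in EXECUTABLE_EXT and content_type.startswith(("image/", "text/")):
        reasons.append(f"{content_type} label on an executable attachment")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message; map each bad attachment name to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = attachment_findings(name, part.get_content_type())
        if reasons:
            verdicts[name] = reasons
    return verdicts


def build_sample():
    """Constructed message mimicking the Kournikova lure; payload is inert."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Here you have, ;o)"
    m.set_content("Hi: Check This!")
    m.add_attachment(b"' inert placeholder, not the worm\r\n",
                     maintype="image", subtype="jpeg",
                     filename="AnnaKournikova.jpg.vbs")
    m.add_attachment(b"plain text", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(f"BLOCK {name}: {'; '.join(why)}")
```

The check deliberately keys on the file name and the declared type only, which is what a gateway sees before any content inspection; a Word macro virus like Melissa passes this filter and needs macro scanning or a policy that blocks .doc attachments outright.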
15. Present Day Viruses/Worms
- Code Red Worm (12 July to 24 Oct)
- Activates 100 connections (threads) at a time looking for new hosts to infect
- Initially displayed a false web page, "Hacked by Chinese"; removed in the 2nd version to evade detection
- New-host search was pseudo-random, but every new instance seeded its generator identically and so started probing at the same first host; corrected in the second version
- Resulted in hosts at the beginning of the attack list being inundated with connection requests from every infected server
- Designed stealth periods, vicious active periods
- Propagation causes DoS conditions
- !!!! When present, resides only in volatile memory: no disk files for anti-virus software to search for
16-19. How CODE RED Works (diagram)
- First infected system scans to find new victims, 100 system probes at a time
- Each new victim starts the scanning process over again
- From the 20th of the month to end of month, the primary target is www.whitehouse.gov (by its hard-coded IP address)
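The seeding flaw described on slide 15, as an added simulation that is not part of the original lesson: when every instance seeds its pseudo-random generator with the same constant, all instances walk the same target list and the first hosts on it absorb every copy's probes, whereas a per-instance seed spreads the load. The generator, the seeds, the toy address space and the function names are this example's own assumptions; it is not the worm's code.

```python
"""Simulation of fixed-seed versus per-instance-seed worm scanning.
Added example; not the worm's code.  Seeds and address space are assumptions."""
import random
from collections import Counter

ADDRESS_SPACE = 1 << 16       # toy space of 65,536 addresses (assumption)
PROBES_PER_INSTANCE = 100     # the 100 parallel scanning connections per slide 15


def probe_targets(seed, n=PROBES_PER_INSTANCE, space=ADDRESS_SPACE):
    """Target list an instance seeded with `seed` would scan (deterministic)."""
    rng = random.Random(seed)
    return [rng.randrange(space) for _ in range(n)]


def v1_seed(instance_id):
    """Version 1 behaviour: the same constant in every copy (value assumed)."""
    return 0x0DEADBEEF


def v2_seed(instance_id):
    """Version 2 behaviour: a seed that differs per infected host (assumed form)."""
    return instance_id * 0x9E3779B1 + 12345


def simulate(num_instances, seed_for):
    """Run num_instances copies; return a Counter of probes per target address."""
    hits = Counter()
    for instance_id in range(num_instances):
        hits.update(probe_targets(seed_for(instance_id)))
    return hits


def concentration(hits):
    """Fraction of all probes that land on the single most-hit address."""
    total = sum(hits.values())
    return max(hits.values()) / total if total else 0.0


if __name__ == "__main__":
    n = 1000
    for label, seed_fn in (("v1 fixed seed", v1_seed),
                           ("v2 per-instance seed", v2_seed)):
        h = simulate(n, seed_fn)
        print(f"{label}: {len(h)} distinct targets, top target receives "
              f"{concentration(h):.2%} of {sum(h.values())} probes")
```

With 1000 fixed-seed instances the whole population never touches more than 100 addresses, and each of those receives 1000 connection attempts; with per-instance seeds the same number of probes is spread over tens of thousands of addresses and no single host sees more than a handful, which is the difference between an accidental DoS on the first hosts in the list and the intended wide propagation.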
20. Present Day Viruses/Worms
- SirCam Worm (17 July to 16 Oct)
- Arrives as an e-mail attachment
- First line: "Hi! How are you?"; last line: "See you later. Thanks"
- Its most significant attribute is the ability to forward documents located on an infected host
- SirCam was programmed with a 1 in 20 chance of deleting all files on an infected host on 16 October
- A second payload is also set to fill infected hard drives with junk data
- Overshadowed by Nimda
21. Present Day Viruses/Worms
- Nimda Worm (18 Sept to 24 Oct)
- Multi-axis attack:
  - E-mail attachment
  - SMB networking (open file shares)
  - Exploited backdoors left by previous attacks (e.g., the root.exe left behind by Code Red II)
  - IE exploitation (automatic execution of the attachment through a MIME-handling flaw when the mail or infected page is rendered)
  - Exploits IIS for wide propagation
- Propagation causes DDoS conditions
22-24. How NIMDA Works (diagram)
- First infected system
- Victim tftp's Admin.dll from the attacking system (contains the NIMDA payload)
- Sends infected e-mail attachments
- NIMDA propagates via open file shares
- Infected system scans the network for vulnerable IIS web servers
- NIMDA attaches itself to web pages on the infected server
25. How NIMDA Works
- NIMDA prefers to target its neighbours (most probes go to addresses in the same /16 and /8 as the infected host): very rapid propagation
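The IIS-facing traffic from the Code Red and Nimda slides, as an added detection example that is not part of the original lesson: a web-log classifier that recognises the Code Red default.ida overflow request and the Nimda probes for root.exe and for cmd.exe reached by encoded directory traversal. The request paths are the widely published probe strings; the log lines, addresses, the lenient-decoding table and the function names are constructed for this example. The security point it demonstrates is that the traversal must be detected after repeated percent-decoding and after folding IIS's lenient UTF-8 forms, because a single-pass decoder sees `..%255c..` and `..%c1%1c..` as harmless strings.

```python
"""Classify web-server log lines by Code Red / Nimda IIS probes.
Added example; log lines are constructed, overlong-UTF-8 table is assumed."""
import re
from urllib.parse import unquote

# Malformed/overlong UTF-8 sequences IIS decoded as path separators (assumed
# mapping); folded before each percent-decoding pass.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP')


def normalize(path):
    """Decode until stable (defeats %25 double-encoding), fold lenient UTF-8
    separators, and turn backslashes into '/' so traversal is visible."""
    cur = path.lower()
    for _ in range(4):
        for seq, ch in OVERLONG.items():
            cur = cur.replace(seq, ch)
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def classify(path):
    """Return a label for a known probe, or None for ordinary requests."""
    raw = path.lower()
    p = normalize(path)
    if raw.startswith("/default.ida?") and "%u" in raw:
        return "code-red ida overflow"          # %uXXXX-encoded shellcode in query
    if re.search(r"/(scripts|msadc)/root\.exe", p):
        return "nimda root.exe backdoor probe"  # backdoor left by Code Red II
    if "/winnt/system32/cmd.exe" in p:
        if "/../" in p:
            return "nimda traversal to cmd.exe"
        return "nimda cmd.exe via mapped drive"  # /c/ or /d/ virtual directory
    return None


def scan_log(lines):
    """Yield (source, path, label) for every request matching a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path = m.groups()
        label = classify(path)
        if label:
            hits.append((src, path, label))
    return hits


# Constructed log lines (RFC 5737 addresses); the ida query is shortened.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2001:10:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 200 0',
    '198.51.100.7 - - [18/Sep/2001:13:22:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [18/Sep/2001:13:22:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [18/Sep/2001:13:22:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '198.51.100.7 - - [18/Sep/2001:13:22:04 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '192.0.2.9 - - [18/Sep/2001:13:25:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for src, path, label in scan_log(SAMPLE_LOG):
        print(f"{src:14} {label:32} {path}")
```

A 404 on these probes does not mean the host is clean: Nimda sent the whole battery to every candidate and only needed one variant to succeed, so the useful alert is a source issuing several of these labels in quick succession, and any 200 against root.exe or cmd.exe means a backdoor already exists on the server.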
26. Sapphire SQL Worm (ref: http://www.techie.hopto.org/sqlworm.html)
- Outbound traffic to external addresses on UDP port 1434
- Scanning causes a significant amount of data to be transmitted, all of it aimed at UDP port 1434
- Large numbers of ICMP Port/Host Unreachable messages aimed at server systems
- The worm uses a large number of UDP packets to achieve widespread infection. If the worm aims packets at a non-existent address (or an address that has not opened port 1434), an ICMP Unreachable message may be returned by the router or host that detected the error.
27. Sapphire SQL Worm (2)
- SQL resolution service failure
  - Infection causes the SQL Server Resolution Service to fail
  - Disables access to SQL services
  - Effect persists until the SQL server is restarted
- Performance degradation
  - Due to scanning for other systems, and the resultant bandwidth consumption from outbound UDP packets (or inbound ICMP error messages as outlined above), connection speeds to other services may drop drastically
- Because the worm has no facility to prevent re-infection, systems may have several copies of the worm running simultaneously
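The two network symptoms listed on the Sapphire slides, outbound UDP/1434 fan-out and the ICMP Unreachable replies it provokes, turned into a detector as an added example that is not part of the original lesson. It runs over constructed flow records; the record layout, the fan-out threshold, the addresses and the function names are this example's assumptions. A legitimate SQL client also talks to UDP/1434 (that is the instance-resolution port), so the discriminator is the number of distinct destinations, not the port alone.

```python
"""Fan-out detector for Sapphire/Slammer-style UDP/1434 scanning.
Added example; flow records are constructed and the threshold is assumed."""
from collections import defaultdict

SCAN_FANOUT = 20   # distinct udp/1434 destinations per source before alerting (assumption)


def parse_flow(line):
    """Record layout (assumed): time src dst proto dport bytes.
    For proto 'icmp' the dport field carries 'type/code', e.g. 3/3."""
    t, src, dst, proto, dport, nbytes = line.split()
    return float(t), src, dst, proto, dport, int(nbytes)


def detect_slammer(lines):
    """Return {scanner: summary} for sources whose udp/1434 fan-out crosses
    SCAN_FANOUT, annotated with the ICMP unreachables aimed back at them."""
    udp_targets = defaultdict(set)   # src -> distinct dsts probed on udp/1434
    udp_sizes = defaultdict(set)     # src -> datagram sizes seen (worm uses one)
    icmp_back = defaultdict(int)     # host -> ICMP type 3 messages sent to it
    for line in lines:
        _, src, dst, proto, dport, nbytes = parse_flow(line)
        if proto == "udp" and dport == "1434":
            udp_targets[src].add(dst)
            udp_sizes[src].add(nbytes)
        elif proto == "icmp" and dport.startswith("3/"):
            icmp_back[dst] += 1
    alerts = {}
    for src, dsts in udp_targets.items():
        if len(dsts) >= SCAN_FANOUT:
            alerts[src] = {
                "fanout": len(dsts),
                "icmp_unreachable_received": icmp_back.get(src, 0),
                "constant_size": len(udp_sizes[src]) == 1,
            }
    return alerts


def sample_flows():
    """Constructed records: one scanner, one honest client, some ICMP errors."""
    flows = []
    # 10.0.0.5 is infected: 40 identical 404-byte datagrams (376-byte payload
    # plus headers) to 40 distinct external addresses.
    for i in range(40):
        flows.append(f"{i * 0.01:.2f} 10.0.0.5 203.0.113.{i + 1} udp 1434 404")
    # 15 of those addresses do not exist; a router answers with ICMP 3/3 (port
    # unreachable) back to the scanner, the 'aimed at server systems' symptom.
    for i in range(15):
        flows.append(f"{i * 0.01 + 0.005:.3f} 198.51.100.1 10.0.0.5 icmp 3/3 56")
    # 10.0.0.8 is a legitimate client resolving one SQL instance, then using it.
    for i in range(5):
        flows.append(f"{1 + i} 10.0.0.8 10.0.0.20 udp 1434 30")
        flows.append(f"{1 + i} 10.0.0.8 10.0.0.20 tcp 1433 512")
    return flows


if __name__ == "__main__":
    for src, info in detect_slammer(sample_flows()).items():
        print(f"ALERT {src}: {info}")
```

On a real sensor the same counters would be kept per sliding window; the point of tracking both directions is that the ICMP Unreachable flood arrives at the infected server even when its own outbound packets leave through a path the sensor does not see.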
28. Impact (estimated damage, USD)
- Melissa: $1.2B
- Love Letter: $8.7B; most of the Fortune 500 companies affected
- Kournikova
- SirCam: $1B
- Code Red: $2.6B estimated for Jul/Aug 01 alone
- Nimda
29. Early Lessons Learned
- Filtering at firewalls must be implemented
- Recommended configurations must be in place at mail servers and workstations
- Vendor-supplied upgrades, updates and patches must be fully employed
- The workforce needs to be trained
30. Nimda and CR Lessons Learned
- Highlights the fact that network defense is not the only defense against interactive hackers
- Many attackers were unwitting, unpatched zombies on the Internet, out of our control
- This was an attack against the network infrastructure
- The workforce still needs to practice safe computing
- Industry solutions were varied and costly
31. The Future of DDoS Attacks?
- Intruder use of Internet Relay Chat (IRC)
  - Will use established communication routes
  - Not easy to discern from legitimate traffic
- Bogus domain names used: stealth
- Routers used for DoS attacks
  - Direct attacks on routing protocols
  - Less chance of being discovered
- Time to exploit is shrinking
- Non-disclosure within intruder communities
- Increased blast zones: collateral damage
Source: Trends in DoS Attack Technology, Houle et al., CERT/CC