How do worms work

1
How do worms work?
Nagraj An Indian comic book hero, who commands
all the snakes of the world.

• Vivek Ramachandran

2
Disclaimer

• This tutorial is to understand how worms work! I
  wrote my own nice worm at IIT Guwahati to
  understand more about worms and their spreading
  pattern and behavior
• If you use this knowledge to do unethical stuff
  like releasing a worm the liability is yours!
• Stop watching this video NOW ! if you have any
  malicious intent in mind

3
Talk Outline

• What are worms?
• The life cycle of a simple worm
• scanning for a victim
• exploiting the victim
• cloning itself onto the victim
• running the clone to further spread infection
• stealth techniques used to hide itself
• What will we code in this section?

4
What are worms?

• A worm is a self replicating program
• Self-replicating gt it makes copies of itself and
  sends them over to hosts across a network
• All copies have the same functionality and
  generally lack any sort of synchronization among
  themselves
• Worms are hated because
• Bandwidth consumption
• Might crash computers they infect
• Infected computers may be used for other attacks
  such as DDoS, Phishing attacks etc

5
Types of worms

• Network worms generally exploits a service such
  as RPC and spreads
• Email worms use mass emails to spread and
  either target the email client (Outlook) or rely
  on user intervention (a click) to spread
• IRC worms
• IM worms
• File sharing worms
• XSS worms MySpace ??

6
The life cycle of a simple worm

• Scanning for a victim
• Exploiting the victim
• Cloning itself onto the victim
• Running the clone to further spread infection
• Stealth techniques used to hide itself

7
The life of a worm
Victim
(2)
Victim
(1)
(2)
Victim
(2)
Victim
8
The life of a worm
Scans for Victim
Rooted !!
Scan
Send Exploit
Get a copy
Worm created
Victim found
9
Scanning for a victim

• Random scan random IP
• Selective random scan IP from global and local
  routing addresses
• Full scan scan all IP addresses
• Divide and conquer scan divide IP addresses
  among child worms
• Subnet scan detect and scan local subnet
• Etc etc

10
Exploiting the victim

• What is an exploit? simply put a piece of code
  which provides access to a victim computer by
  utilizing some flaw in the logic of a program
  running on the victim computer
• By access I mean the ability to run
  commands/programs on the remote computer
• Network worms use what is called a remote
  exploit an exploit which can be launched
  remotely and which gives some code running
  privileges on the victim
• Find a suitable exploit to use in the worm
• Understand the exploit
• Black box approach (wrapper around the exploit)
• White box approach (modifying the exploit)

11
Cloning itself onto the victim

• Once the victim has been exploited the worm needs
  to get a copy of itself on the victim
• Tftp?? Blaster worm
• Http server ??
• Ftp server ??
• Compile source??
• Include worm in the shellcode??

12
Running the clone to further spread infection

• Once the clone has been downloaded run it
• Make it a service??
• Add a registry entry for startup??
• Clone starts scanning again
• Clone finds a victim
• Cycle continues

13
Stealth techniques used to hide itself

• Hide process
• Hide files
• Hide activity
• Delete logs
• rootkit??

14
The life of a worm
Scans for Victim
Rooted !!
Scan
Send Exploit
Get a copy
Worm created
Victim found
15
What will we code in this section?

• IP scanner code (random, sequential, subnet
  scans)
• Understanding an exploit enough so you can to use
  it
• Transporting a copy of the worm
• A simple framework for making worms whenever an
  exploit is released

16
Let the games begin!