Overview
– What is a worm? Origin?
– How does it propagate?
– How does it take up resources of an infected node?
– “Deworming” an infected machine
Definition and Origin
– A worm is a program that can run by itself and can propagate a fully working version of itself to other machines.
– First worm that ever surfaced is RTM (1998)
» RTM = Robert T. Morris, author of the program.
» Propagated by exploiting vulnerabilities in Unix systems.
» Compiled and ran new instances of itself on these systems.
– Other worms
» Ramen worm (2000)
» Code Red (September 2001 - Windows)
» Nimda (2001)
» Apache Scalper (June 2002)
Apache Scalper worm
– Appeared in June 2002
– Turns the system into a node of a P2P network
– Features
» Launch denial of service attacks.
» Send multiple email messages (spam).
» Run arbitrary commands on the compromised system.
» Upgrade the node's worm program.
– Communication by a simple P2P networking protocol
» Internode communication
» Communication between nodes and the controlling program
» Carried over UDP
The Slapper worm
– Surfaced in Romania in 2002.
– Variant of the Apache Scalper worm.
– Comparing source code:
» Slapper worm more robust and efficient in its peer-to-peer network capabilities than the Apache Scalper worm.
» Some features of Apache Scalper removed: self updating, sending spam
– Distributed Denial of Service agent
– Backdoor
– Propagation using UDP
Reliability layer
– Adds a header to each packet
» Signed character (1 = message, 0 = ack).
– Copy of sent messages kept in a message queue for reliable communication.
– Message queue holds the last 128 messages; each entry contains:
» Message ID
» Time of first send and time of last send.
» Destination IP address
» UDP port number
– Protection against sending, or receiving and acting on, the same message twice.
– Deletion of message.
Initialization
– New node sends a “join network” command to its parent.
– Parent responds with a “your IP address” command.
– Broadcasting to other nodes.
– Empty list of known nodes in the new node?
» Failure of communication with the parent
» Node sends the join network request every 60 seconds
» Node split after complete failure to join the network.
Routing
– Node wants to send a command or message to another node.
– Command encapsulated in a “route” command, which contains:
» Destination's IP address
» Minimum number of hops (H)
– Bouncing
» If # hops is 0 or > 16: send to destination IP; else: send to two random nodes.
» Anonymity.
– Segmentation
» Route command sent to at least two nodes at every hop.
» Destination node receives 2^H commands.
» Duplicate commands likely to be processed.
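The reliability layer and the segmentation rule above interact: every hop doubles the number of copies, so the destination sees 2^H copies of one command, and the only thing standing between that and 2^H executions is the 128-entry table of seen message IDs. The following C program is an added example written for these notes; it is not the worm's source and not taken from the slides. It models the header check (a 1/0 type byte), the seen-message table with the fields the slide lists, and the bouncing rule, and then measures how many copies a node actually acts on. The wire layout (type byte followed by a 4-byte big-endian message ID), the constant names, the 10.0.0.1 destination and the port number are all assumptions made for the example; the slides only state that the header carries the flag.

```c
/* Added example; not from the slides and not the worm's own source. It models
 * the reliability layer (a 1/0 type byte and a table of the last 128 messages
 * seen, keyed by message ID) and the "segmentation" routing rule, to show why
 * one route command reaches its destination 2^H times and how far a 128-entry
 * duplicate table protects against processing it 2^H times. The wire layout
 * (type byte followed by a 4-byte big-endian message ID) is an assumption made
 * for the example; the slides only state that the header carries the flag. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SEEN_SIZE 128        /* the slides: queue keeps the last 128 messages */
#define MAX_BOUNCE_HOPS 16   /* the slides: bounce only while 0 < hops <= 16 */

enum { REL_ACK = 0, REL_MESSAGE = 1 };

/* Return the message ID if buf starts with a valid reliability header, else -1.
 * A packet sensor would apply the same check to flag malformed headers. */
long long header_msg_id(const unsigned char *buf, size_t len)
{
    if (len < 5) return -1;
    if (buf[0] != REL_ACK && buf[0] != REL_MESSAGE) return -1;
    return ((long long)buf[1] << 24) | ((long long)buf[2] << 16)
         | ((long long)buf[3] << 8)  |  (long long)buf[4];
}

/* One entry of the table of recently seen messages (fields as on the slide). */
struct seen_entry {
    uint32_t msg_id;
    long     first_seen, last_seen;
    uint32_t dst_ip;
    uint16_t udp_port;
    int      used;
};

struct seen_table {
    struct seen_entry e[SEEN_SIZE];
    size_t next;             /* ring index: the oldest entry is overwritten */
};

/* Record a message. Returns 1 if it is new (act on it), 0 if already seen. */
int accept_message(struct seen_table *t, uint32_t msg_id, uint32_t dst_ip,
                   uint16_t port, long now)
{
    for (size_t i = 0; i < SEEN_SIZE; i++) {
        if (t->e[i].used && t->e[i].msg_id == msg_id) {
            t->e[i].last_seen = now;   /* duplicate: refresh timestamp, do not act */
            return 0;
        }
    }
    struct seen_entry *s = &t->e[t->next];
    t->next = (t->next + 1) % SEEN_SIZE;
    s->msg_id = msg_id; s->first_seen = s->last_seen = now;
    s->dst_ip = dst_ip;  s->udp_port = port; s->used = 1;
    return 1;
}

/* Segmentation rule: with hop count h, a route command goes to two random
 * nodes (each with h-1) unless h is 0 or above 16, when it goes straight to the
 * destination. Returns the number of copies the destination receives: 2^H. */
unsigned long route_copies(int hops)
{
    if (hops <= 0 || hops > MAX_BOUNCE_HOPS) return 1;
    return 2 * route_copies(hops - 1);
}

/* Deliver all copies of one route command (same message ID) to a node, with
 * `unrelated` distinct other messages arriving between consecutive copies, and
 * return how many copies the node actually processes after duplicate checks. */
unsigned long processed_after_dedup(int hops, uint32_t msg_id, unsigned long unrelated)
{
    struct seen_table t;
    memset(&t, 0, sizeof t);
    const uint32_t dst = 0x0a000001u;   /* constructed: 10.0.0.1 */
    const uint16_t port = 40000;        /* constructed port number */
    unsigned long copies = route_copies(hops), processed = 0;
    uint32_t other = msg_id + 1;        /* IDs that never collide with msg_id */
    long now = 0;
    for (unsigned long i = 0; i < copies; i++) {
        processed += accept_message(&t, msg_id, dst, port, now++);
        for (unsigned long k = 0; k < unrelated; k++)
            accept_message(&t, other++, dst, port, now++);
    }
    return processed;
}

int main(void)
{
    const unsigned char pkt[] = { 0x01, 0x00, 0x00, 0x10, 0x2a };  /* constructed */
    long long id = header_msg_id(pkt, sizeof pkt);
    printf("header ok, message id %lld\n", id);
    for (int H = 1; H <= 4; H++)
        printf("H=%d: %lu copies; processed with 0/42/128 unrelated in between: %lu/%lu/%lu\n",
               H, route_copies(H),
               processed_after_dedup(H, (uint32_t)id, 0),
               processed_after_dedup(H, (uint32_t)id, 42),
               processed_after_dedup(H, (uint32_t)id, 128));
    return 0;
}
```

The run shows the two halves of the slide's claim: with no other traffic, the table collapses 2^H copies to one execution, but an entry is evicted once 128 other messages have been inserted after it, and in this model a duplicate does not refresh the entry's age. With 128 unrelated messages between copies every copy is treated as new, and with 42 the entry is already gone by the fifth copy, which is one way duplicate commands end up being processed.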
Synchronisation and Broadcasting
– Broadcasting: to announce the presence of a new node.
» Destination IP set to zero.
» Broadcast segmentation: 2 random nodes
– Synchronisation: to keep nodes up to date with the present number of nodes in the network.
» Broadcasting of a null route command approximately every 10 mins.
» Null route command contains the present number of nodes in the network.
Exploit and propagate
– mod_ssl exploit, OpenSSL (30/07/2002)
» Long SSL2 key argument -> buffer overflow
– In 3 months, different versions
» Slapper, Cinik, Unlock, Linux.DevNull
» Discussion open source
» Good for both use and abuse
– Brett Glass:
» “Upgrading may prevent your system from being taken over, but --> berserk network load, DoS”
Exploit
– 3 steps
» A] identify target: sends an invalid GET request (HTTP:80) => Apache version + OS
» B] locate heap in the Apache process address space
» C] “injected with a poison” (spawn /bin/sh)
– [B&C]: attack buffer must contain the absolute address of the shell code (hardly predictable across all servers)
B] Buffer overflow
– Heap-located ( <-> stack-based )
» Global Offset Table: holds addresses of the library functions to call
– Key argument > 8 bytes
– Victim parses packet data
» get_client_master_key() - libssl, no boundary check
» Overwrites info following key_arg
» In SSL_SESSION structure AND heap management data
B] Buffer Overflow to locate heap
SSL_SESSION Structure on Heap
B] Buffer overflow
– => Location of heap revealed
– key_arg[] buffer overflowed by 56 bytes (8+48), up to the session_id_length field
– Edit session_id_length -> 112
» *cipher = encryption method
» *ciphers = structure after SSL_SESSION
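The defect the slides describe is a parser that copies a client-chosen KEY-ARG length into an 8-byte key_arg[] with no boundary check, so the bytes after it in SSL_SESSION get overwritten. The C program below is an added example written for these notes, not OpenSSL's code and not from the slides: struct toy_session is a constructed stand-in for SSL_SESSION with an 8-byte key_arg[] followed by 48 bytes of other members and then session_id_length, matching the “8+48 bytes up to session_id_length” distance the slides give (the real structure has many more members), and the one-byte-length message layout, the constant names and the helper functions are assumptions for the example. It puts the vulnerable parse beside the fixed one and checks which of them lets a 56-byte KEY-ARG reach the neighbouring members.

```c
/* Added example, not the slides' own material or OpenSSL code: a simplified
 * model of the CLIENT-MASTER-KEY parse the slides describe. struct toy_session
 * is a constructed stand-in for SSL_SESSION: an 8-byte key_arg[] followed by
 * 48 bytes of other members and then session_id_length, matching the "8+48
 * bytes up to session_id_length" distance on the slide; the real structure
 * has many more members. The vulnerable parser trusts the client-supplied
 * KEY-ARG length; the fixed one rejects anything longer than the field. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_ARG_MAX 8           /* key_arg[] size (OpenSSL names it SSL_MAX_KEY_ARG_LENGTH) */
#define GAP_TO_SESSION_ID 48    /* from the slides: 8 + 48 bytes reach session_id_length */

struct toy_session {
    unsigned char key_arg[KEY_ARG_MAX];
    unsigned char other_fields[GAP_TO_SESSION_ID];  /* constructed stand-in for the members in between */
    unsigned int  session_id_length;
    unsigned int  key_arg_length;
};

typedef int (*master_key_parser)(const unsigned char *, size_t, struct toy_session *);

/* Constructed message layout for the example: [key_arg_length:1][key_arg:n]. */

/* Vulnerable variant (the defect the slides describe): copies n bytes into an
 * 8-byte field without checking n. Kept only to contrast with the fix. */
int parse_master_key_vulnerable(const unsigned char *body, size_t len,
                                struct toy_session *s)
{
    if (len < 1) return -1;
    size_t n = body[0];
    if (len < 1 + n) return -1;
    memcpy(s->key_arg, body + 1, n);   /* n > 8 spills into the following members */
    s->key_arg_length = (unsigned int)n;
    return 0;
}

/* Fixed variant: a KEY-ARG longer than the field is a protocol error. */
int parse_master_key_fixed(const unsigned char *body, size_t len,
                           struct toy_session *s)
{
    if (len < 1) return -1;
    size_t n = body[0];
    if (n > KEY_ARG_MAX) return -1;     /* the boundary check that was missing */
    if (len < 1 + n) return -1;
    memcpy(s->key_arg, body + 1, n);
    s->key_arg_length = (unsigned int)n;
    return 0;
}

/* Feed a constructed message whose KEY-ARG claims 56 bytes (8 + 48) to a parser
 * and report whether the members after key_arg[] were overwritten.
 * Returns 1 if other_fields changed, 0 if the session was left intact. */
int neighbour_clobbered_by_long_key_arg(master_key_parser parse)
{
    unsigned char body[1 + KEY_ARG_MAX + GAP_TO_SESSION_ID];
    body[0] = KEY_ARG_MAX + GAP_TO_SESSION_ID;   /* 56: the length the client claims */
    memset(body + 1, 'A', sizeof body - 1);      /* filler, not real key material */

    struct toy_session s;
    memset(&s, 0, sizeof s);
    s.session_id_length = 32;                    /* constructed original value */

    int rc = parse(body, sizeof body, &s);
    (void)rc;  /* vulnerable returns 0 (accepted), fixed returns -1 (rejected) */

    unsigned char zeros[GAP_TO_SESSION_ID] = {0};
    return memcmp(s.other_fields, zeros, sizeof zeros) != 0;
}

/* A well-formed 8-byte KEY-ARG must still be accepted by the fixed parser. */
int fixed_accepts_valid_key_arg(void)
{
    unsigned char body[1 + KEY_ARG_MAX] = { KEY_ARG_MAX, 1, 2, 3, 4, 5, 6, 7, 8 };
    struct toy_session s;
    memset(&s, 0, sizeof s);
    return parse_master_key_fixed(body, sizeof body, &s) == 0 && s.key_arg_length == 8;
}

int main(void)
{
    printf("vulnerable parser clobbers neighbouring members: %d\n",
           neighbour_clobbered_by_long_key_arg(parse_master_key_vulnerable));
    printf("fixed parser clobbers neighbouring members:      %d\n",
           neighbour_clobbered_by_long_key_arg(parse_master_key_fixed));
    printf("fixed parser accepts an 8-byte KEY-ARG:          %d\n",
           fixed_accepts_valid_key_arg());
    return 0;
}
```

The check is a single comparison against the field size, placed before the copy; the length-against-packet check alone does not help, because the packet really does carry 56 bytes. Patching to a libssl with that check (or disabling SSLv2 entirely) removes step B, and with it the heap-layout leak that step C depends on.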
C] Second overflow (-> /bin/sh)
– 1. Corrupt heap management data after key_arg[]
» 24 bytes data (AAAAA..., p -> NULL, *cipher)
» 124 bytes shell code
– 2. Abuse free() to redirect control to shell code
» glibc
SSL_SESSION Structure after C]
Propagate
– Try to get root after [C] (setuid)
– Download source code from parent
– Compile => party on

----------------------
Slapper == DDoS and Backdoor agent