11.1 - Internet Worms

Question 1

An infection of an existing program that results in the modification of original programs behavior. Typically require user action to spread (pen attachment on email, or runninng an exe that a friend gave on a USB key) - user intervention

Answer 1

Viruses

Question 2

Code that propagates and replicates itself across the network. Usually spread by exploiting flaws in existing programs or open services. Propagate automatically - scanning to spread automatically

Answer 2

Worm

Question 3

Infects an existing executable file

Answer 3

parasitic virus

Question 4

infects running programs

Answer 4

memory-resident virus

Question 5

spreads when system is booted

Answer 5

Boot-sector

Question 6

encrypt part of virus program using randomly generated key

Answer 6

Polymorphic

Question 7

First internet worm

Answer 7

Morris worm, 1988
Had no malicious payload but exhausted resources
effected 10% of all internet hosts
standard buffer overflow exploit

Question 8

Quiz:

Main difference between a worm and a virus?

Answer 8

Worms can spread automatically

Both worms and viruses can have destructive payloads

Question 9

worm life-cycle

Answer 9

1) Discover/”scan” for vulnerable hosts

2) Infect vulnerable machines via remote exploit

Question 10

Worms exploit through multiple vectors in order to spread faster

Answer 10

Vectors

1) remote shell execution/weak passwords
2) buffer overflow /remote exploit
3) debug in sendmail (smtp)

Question 11

General approach of a worm

Answer 11

1) Scan to find a vulnerable host
2) Spread to other vulnerable hosts
3) Remain undetected - undiscoverable to continue to spread

Question 12

Quiz:

What are the three steps in a worm’s “life cycle”?

Answer 12

1) Scans for vulnerable hosts
2) Infects them
3) remains undetected

Question 13

3 major worm outbreaks in 2001

Answer 13

1) Code red I v2
2) Code red II
3) Nimda

Question 14

Zero Day attacks

Answer 14

An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack. In the jargon of computer security, “Day Zero” is the day on which the interested party (presumably the vendor of the targeted system) learns of the vulnerability.

A zero-day vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.

Question 15

Random constant spread

Answer 15

K: initial compromise rate
N: # of vulnerable hosts
a: Fraction of hosts already compromised

Nda = (Na)*K(1-a) dt

a = e^K(t-T)/1+e^K(t-T)

If you want to design a fast spreading worm you need a high compromise rate (K)

Question 16

How to increase the compromising rate

Answer 16

1) Create a Hit List: List of vulnerable hosts (gets rid of that flat part of the curve that is most dormant)
2) Permutation scanning: Shared permutation of IP address lists. Starts from own IP and work down.

*The Slammer worm (Jan 2003) used thiese techniques
-> entire code fit into one UDP packet! (connectionless!)
Caused 1.2 billion dollars in damage
No payload - just bandwidth exhaustion
All this damage inflicted in just 30 minutes

Question 17

Quiz:

What allowed the Slammer work to spread so quickly?

Answer 17

1) UDP - connectionless transport

2) Could fit in a single packet