DOCSLIB.ORG

Inside the Slammer Worm

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Slammer Worm Dissection Inside the Slammer Worm DAVID MOORE The Slammer worm spread so quickly that human Cooperative Association for response was ineffective. In January 2003, it packed Internet Data Analysis and a benign payload, but its disruptive capacity was University of California, San surprising. Why was it so effective and what new Diego challenges do this new breed of worm pose? VERN PAXSON International Computer lammer (sometimes called Sapphire) was the first real-world Science fastest computer worm in history. As it began demonstration of a Institute and spreading throughout the Internet, the worm high-speed worm’s capabilities. By comparison, Slam- Lawrence S infected more than 90 percent of vulnerable mer was two orders of magnitude faster than the Code Berkeley hosts within 10 minutes, causing significant disruption to Red worm, which infected more than 359,000 hosts on National financial, transportation, and government institutions 19 July 2001,2 and had a leisurely 37 minutes of popula- Laboratory and precluding any human-based response. In this article, tion doubling time. we describe how it achieved its rapid growth, dissect por- While Slammer had no malicious payload, it caused STEFAN SAVAGE tions of the worm to study some of its flaws, and look at considerable harm by overloading networks and disabling University of our defensive effectiveness against it and its successors. database servers. Many sites lost connectivity as local California, Slammer began to infect hosts slightly before 05:30 copies of the worm saturated their access bandwidths. Al- San Diego UTC on Saturday, 25 January 2003, by exploiting a though most backbone providers appeared to remain sta- buffer-overflow vulnerability in computers on the Inter- ble throughout the epidemic, there were several reports COLLEEN net running Microsoft’s SQL Server or Microsoft SQL of Internet backbone disruption. For a single snapshot of SHANNON Server Desktop Engine (MSDE) 2000. David Litchfield the activity, see www.digitaloffense.net/worms/mssql Cooperative of Next Generation Security Software discovered this un- _udp_worm/internet_health.jpg. Additionally, Tim Association derlying indexing service weakness in July 2002; Mi- Griffin of AT&T Research, has plotted Internet routing for Internet crosoft released a patch for the vulnerability before the data (an overall view of Internet routing behavior) that Data Analysis vulnerability was publicly disclosed (www.microsoft. shows a substantial perturbation in network connectivity com/security/slammer.asp). Exploiting this vulnerability, resulting from Slammer’s spread, (www.research.att. STUART the worm infected at least 75,000 hosts, perhaps consider- com/~griffin/bgp_monitor/sql_worm.html). STANIFORD ably more, and caused network outages and unforeseen If the worm had carried a malicious payload, attacked a Silicon consequences such as canceled airline flights, interference more widespread vulnerability, or targeted a more popular Defense with elections, and ATM failures (see Figure 1). service, its effects would likely have been far more severe. Slammer’s most novel feature is its propagation speed. For more on how we tracked Slammer, see the “Net- NICHOLAS In approximately three minutes, the worm achieved its full work telescope operations” sidebar. WEAVER scanning rate (more than 55 million scans per second), Silicon after which the growth rate slowed because significant How Slammer Defense and portions of the network had insufficient bandwidth to ac- chooses its victims University of commodate more growth. The worm’s spreading strategy uses random scanning—it California, Although Stuart Staniford, Vern Paxson, and randomly selects IP addresses, eventually finding and in- Berkeley Nicholas Weaver had predicted rapid-propagation fecting all susceptible hosts. Random-scanning worms worms on theoretical grounds,1 Slammer provided the initially spread exponentially, but their rapid new-host PUBLISHED BY THE IEEE COMPUTER SOCIETY I 1540-7993/03/$17.00 © 2003 IEEE I IEEE SECURITY & PRIVACY 33 Slammer Worm Dissection Sat Jan 25 06:00:00 2003 (UTC) www.caida.org Number of hosts infected with Slammer: 74, 855 Copyright © 2003 UC Regents Figure 1. The geographical spread of Slammer in the 30 minutes after its release. The diameter of each circle is a function of the logarithm of the number of infected machines, so large circles visually underrepresent the number of infected cases in order to minimize overlap with adjacent locations. For some machines, we can determine only the country of origin rather than a specific city. 250,000 with its scans, and bandwidth consumption and network outages caused site-specific variations in its observed spread. Figure 3 shows a data set from the Distributed In- 200,000 trusion Detection System project (Dshield; www.dshield. org) compared to an RCS model. The model fits ex- 150,000 tremely well up to a point where the probe rate abruptly levels out. Bandwidth saturation and network failure (some networks shut down under the extreme load) produced 100,000 this change in the probe’s growth rate. Number seen in an hour 50,000 Why Slammer was so fast While Slammer spread nearly two orders of magnitude 0 faster than Code Red, it probably infected fewer ma- 0 2 4 6 8 10 12 14 16 18 20 chines. Both worms use the same basic scanning strategy Hour of the day to find vulnerable machines and transfer their exploitive actual number of scans predicted number of scans payloads; however, they differ in their scanning con- straints. While Code Red is latency-limited, Slammer is Figure 2. The Code Red worm was a typical random-scanning worm. bandwidth-limited, enabling Slammer to scan as fast as a This graph shows Code Red’s probe rate during its re-emergence on 1 compromised computer can transmit packets or a net- August, 2001, as seen on one Internet subnetwork, matched against work can deliver them. Slammer’s 376 bytes comprise a the random constant spread worm behavior model. simple, fast scanner. With its requisite headers, the pay- load becomes a single 404-byte user diagram protocol (UDP) packet. Contrast Slammer’s 404 bytes with Code infection slows as the worms continually retry infected or Red’s 4 Kbytes or Nimda’s 60 Kbytes. immune addresses. Thus, as with the Code Red worm Previous scanning worms, such as Code Red, spread shown in Figure 2, Slammer’s infected-host proportion via many threads, each invoking connect() to open a follows a classic logistic form of initial exponential TCP session to random addresses. Consequently, each growth in a finite system.1,2 We label this growth behav- thread’s scanning rate was limited by network latency. ior a random constant spread (RCS) model. After sending a TCP SYN packet to initiate the connection, Slammer’s spread initially conformed to the RCS each thread must wait to receive a corresponding model, but in the later stages it began to saturate networks SYN/ACK packet from the target host or time-out if no re- 34 IEEE SECURITY & PRIVACY I JULY/AUGUST 2003 Slammer Worm Dissection sponse is received. During this time, the thread is blocked 1,100 and cannot infect other hosts. In principle, worms can 1,000 compensate for this latency by invoking a sufficiently large 900 number of threads. In practice, however, operating system 800 limitations, such as context-switch overhead and kernel 700 stack memory consumption, limit the number of active 600 threads a worm can use effectively. So, a worm like Code 500 Red quickly stalls and becomes latency limited, as every 400 thread spends most of its time waiting for responses. 300 In contrast, Slammer’s scanner is limited by each com- 200 promised machine’s Internet bandwidth. Because a single Probes in a two-second sample 100 packet to UDP port 1434 could exploit the SQL server’s 0 vulnerability, the worm was able to broadcast scans without 1,760 1,770 1,780 1,790 1,800 1,810 1,820 requiring responses from potential victims. Slammer’s Seconds after 5:00 a.m. UTC inner loop is very small, and with modern servers’ I/O ca- DShield data K = 6.7m, T = 1808.7s, Peak = 2050, Const. 28 pacity to transmit network data at more than 100 Mbits per second, Slammer frequently was limited by Internet access bandwidth rather than its ability to replicate copies of itself. Figure 3. The early moments of the Distributed Intrusion Detection In principle, an infected machine with a 100-Mbps System (Dshield) data set, matched against the behavior of a Internet connection could produce more than 30,000 random-scanning worm. scans per second. In practice, bandwidth limitations and per-packet overhead limit the largest probe rate we di- rectly observed to 26,000 scans per second, with an Inter- represents the range of the result, and a and b are carefully net-wide average of approximately 4,000 scans per sec- chosen constants. Linear congruent generators are very ond per worm during its early growth phase. efficient and, with appropriate values of a and b have rea- Slammer’s scanning technique is so aggressive that it sonably good distributional properties (although they are quickly interferes with its own growth. Subsequent in- not random from a sequential standpoint). Typically, you fections’ contribution to its growth rate diminishes be- “seed” a generator’s initial value with a source of high- cause those instances must compete with existing infec- quality random numbers to ensure that the precise se- tions for scarce bandwidth. Thus, Slammer achieved its quence is not identical between runs. maximum Internet-wide scanning rate in minutes. Slammer’s author intended to use a linear congruent Any simple-loop approach creates a bandwidth- parameterization that Microsoft popularized, x' = (x × limited UDP scanner, so any future single-packet UDP 214013 + 2531011) mod 232. However, we found two worm probably would have the same property unless its implementation mistakes.
Recommended publications
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
  • Undergraduate Report

    Undergraduate Report

    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
  • Lexisnexis® Congressional Copyright 2003 Fdchemedia, Inc. All Rights

    Lexisnexis® Congressional Copyright 2003 Fdchemedia, Inc. All Rights

    LexisNexis® Congressional Copyright 2003 FDCHeMedia, Inc. All Rights Reserved. Federal Document Clearing House Congressional Testimony September 10, 2003 Wednesday SECTION: CAPITOL HILL HEARING TESTIMONY LENGTH: 4090 words COMMITTEE: HOUSE GOVERNMENT REFORM SUBCOMMITTEE: TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS, AND CENSUS HEADLINE: COMPUTER VIRUS PROTECTION TESTIMONY-BY: RICHARD PETHIA, DIRECTOR AFFILIATION: CERT COORDINATION CENTER BODY: Statement of Richard Pethia Director, CERT Coordination Center Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census Committee on House Government Reform September 10, 2003 Introduction Mr. Chairman and Members of the Subcommittee: My name is Rich Pethia. I am the director of the CERTO Coordination Center (CERT/CC). Thank you for the opportunity to testify on the important issue of cyber security. Today I will discuss viruses and worms and the steps we must take to protect our systems from them. The CERT/CC was formed in 1988 as a direct result of the first Internet worm. It was the first computer security incident to make headline news, serving as a wake-up call for network security. In response, the CERT/CC was established by the Defense Advanced Research Projects Agency at Carnegie Mellon University's Software Engineering Institute, in Pittsburgh. Our mission is to serve as a focal point to help resolve computer security incidents and vulnerabilities, to help others establish incident response capabilities, and to raise awareness of computer security issues and help people understand the steps they need to take to better protect their systems. We activated the center in just two weeks, and we have worked hard to maintain our ability to react quickly.
  • Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

    Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner ETH Zurich, Switzerland [email protected] DIMVA 2005, Wien, Austria Agenda 1) Introduction 2) Flow-Level Backbone Traffic 3) Network Worm Blaster.A 4) E-Mail Worm Sobig.F 5) Conclusions and Outlook © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -2- 1) Introduction Authors Prof. Dr. Bernhard Plattner Professor, ETH Zurich (since 1988) Head of the Communication Systems Group at the Computer Engineering and Networks Laboratory TIK Prorector of education at ETH Zurich (since 2005) Thomas Dübendorfer Dipl. Informatik-Ing., ETH Zurich, Switzerland (2001) ISC2 CISSP (Certified Information System Security Professional) (2003) PhD student at TIK, ETH Zurich (since 2001) Network security research in the context of the DDoSVax project at ETH Further authors: Arno Wagner, Theus Hossmann © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -3- 1) Introduction Worm Analysis Why analyse Internet worms? • basis for research and development of: • worm detection methods • effective countermeasures • understand network impact of worms Wasn‘t this already done by anti-virus software vendors? • Anti-virus software works with host-centric signatures Research method used 1. Execute worm code in an Internet-like testbed and observe infections 2. Measure packet-level traffic and determine network-centric worm signatures on flow-level 3. Extensive analysis of flow-level traffic of the actual worm outbreaks captured in a Swiss backbone © T. Dübendorfer (2005), TIK/CSG, ETH Zurich -4- 1) Introduction Related Work Internet backbone worm analyses: • Many theoretical worm spreading models and simulations exist (e.g.
  • Computer Security CS 426 Lecture 15

    Computer Security CS 426 Lecture 15

    Computer Security CS 426 Lecture 15 Malwares CS426 Fall 2010/Lecture 15 1 Trapdoor • SttitittSecret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonlyyy used by developers – Could be included in a compiler. CS426 Fall 2010/Lecture 15 2 Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; Particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks CS426 Fall 2010/Lecture 15 3 Examppgle of Logic Bomb • In 1982 , the Trans-Siber ian Pipe line inc iden t occurred. A KGB operative was to steal the plans fhititdtltditfor a sophisticated control system and its software from a Canadian firm, for use on their Siberi an pi peli ne. The CIA was tippe d o ff by documents in the Farewell Dossier and had the company itlibbithinsert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monu mental non-nu clear ex plosion and fire ever seen from space“. CS426 Fall 2010/Lecture 15 4 Trojan Horse • Program with an overt Example: Attacker: (expected) and covert effect Place the following file cp /bin/sh /tmp/.xxsh – Appears normal/expected chmod u+s,o+x /tmp/.xxsh – Covert effect violates security policy rm ./ls • User tricked into executing ls $* Trojan horse as /homes/victim/ls – Expects (and sees) overt behavior – Covert effect performed with • Victim user’s authorization ls CS426 Fall 2010/Lecture 15 5 Virus • Self-replicating
  • MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections

    MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections

    942 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 2, SECOND QUARTER 2014 Modeling the Propagation of Worms in Networks: ASurvey Yini Wang, Sheng Wen, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE, Abstract—There are the two common means for propagating attacks account for 1/4 of the total threats in 2009 and nearly worms: scanning vulnerable computers in the network and 1/5 of the total threats in 2010. In order to prevent worms from spreading through topological neighbors. Modeling the propa- spreading into a large scale, researchers focus on modeling gation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous their propagation and then, on the basis of it, investigate the researches either focus on their proposed work or pay attention optimized countermeasures. Similar to the research of some to exploring detection and defense system. Few of them gives a nature disasters, like earthquake and tsunami, the modeling comprehensive analysis in modeling the propagation of worms can help us understand and characterize the key properties of which is helpful for developing defense mechanism against their spreading. In this field, it is mandatory to guarantee the worms’ spreading. This paper presents a survey and comparison of worms’ propagation models according to two different spread- accuracy of the modeling before the derived countermeasures ing methods of worms. We first identify worms characteristics can be considered credible. In recent years, although a variety through their spreading behavior, and then classify various of models and algorithms have been proposed for modeling target discover techniques employed by them.
  • The Blaster Worm: Then and Now

    The Blaster Worm: Then and Now

    Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c).
  • Code Red Worm Propagation Modeling and Analysis ∗

    Code Red Worm Propagation Modeling and Analysis ∗

    Code Red Worm Propagation Modeling and Analysis ∗ Cliff Changchun Zou Weibo Gong Don Towsley Dept. Electrical & Dept. Electrical & Dept. Computer Science Computer Engineering Computer Engineering Univ. Massachusetts Univ. Massachusetts Univ. Massachusetts Amherst, MA Amherst, MA Amherst, MA [email protected] [email protected] [email protected] ABSTRACT the Internet has become a powerful mechanism for propa- The Code Red worm incident of July 2001 has stimulated gating malicious software programs. Worms, defined as au- activities to model and analyze Internet worm propagation. tonomous programs that spread through computer networks In this paper we provide a careful analysis of Code Red prop- by searching, attacking, and infecting remote computers au- agation by accounting for two factors: one is the dynamic tomatically, have been developed for more than 10 years countermeasures taken by ISPs and users; the other is the since the first Morris worm [30]. Today, our computing in- slowed down worm infection rate because Code Red rampant frastructure is more vulnerable than ever before [28]. The propagation caused congestion and troubles to some routers. Code Red worm and Nimda worm incidents of 2001 have Based on the classical epidemic Kermack-Mckendrick model, shown us how vulnerable our networks are and how fast we derive a general Internet worm model called the two- a virulent worm can spread; furthermore, Weaver presented factor worm model. Simulations and numerical solutions some design principles for worms such that they could spread of the two-factor worm model match the observed data of even faster [34]. In order to defend against future worms, we Code Red worm better than previous models do.
  • Virus Protection: the Triad of Armor — Part I: the Workstation

    Virus Protection: the Triad of Armor — Part I: the Workstation

    BY SCOTT JONES Virus Protection: The Triad of Armor — Part I: The Workstation irus protection and prevention are important tasks for system administrators. This article, the V first in a three-part series, examines how to protect one cornerstone of the IT environment — the workstation — and prevent malicious attacks. Code Red, Klez, oh my! Given the intense computer viruses have to cause damage in order to be NIMDA, level of virus activity in the past few classified as a virus. years, I thought it would be helpful to share some insight There are several different types of viruses, although into virus protection and prevention. This three-part series experts debate some of the classifications. The list includes aptly named “The Triad of Armor,” will examine the three stealth, polymorphic, cavity, and tunneling. Nevertheless, cornerstones of virus protection: the workstation, server and these viruses fit the basic description, even though they may email gateway. perform additional operations. A computer worm, much like a virus, can also replicate HISTORY functional copies of itself, but unlike a virus, worms are usually self-contained programs or sets of programs, and do There is some debate as to what the first computer virus not need to attach themselves to a host program. Worms are was. Some say it was the “Brain” virus written in 1986. usually designed to replicate across computer networks. However, in 1981, there were accounts of viruses infecting You can compare the Trojan Horse to the one used in Apple II operating systems. It is not my intent to argue what the battle of Troy — something that looks harmless but the first true computer virus was, but to merely note that has other intentions.
  • Me Code Write Good – the L33t Skillz of the Virus Writer

    Me Code Write Good – the L33t Skillz of the Virus Writer

    Me code write good – The l33t skillz of the virus writer. John Canavan Symantec Security Response Abstract •We will take a look at the legacy of less than expert level virus writers, and examine the threat they continue to pose. 2 – Background •July 1962 , Mariner 1 space probe •1985-1987, Therac-25 radiation therapy machine. •August 2003, power blackout affected the North Eastern Coast of the United States. 3 – Bugs in viruses •Until recently, typically written by amateur fanatics, hacked together by script kiddies or as a form of experimentation by overly-curious fledgling coders with minimal testing. •Case studies of bugs in well known viruses… • Overview • Bugs • Impact 4 – The Morris Worm •2 November 1988, Exploited flaws in fingerd/gets and sendmail in BSD-derived versions of UNIX •Many machines gave in to the crippling load and failed completely as their swap space or process tables were exhausted •Most problems due to flawed logic in propagation control routine. 5 – The Morris Worm - Analysis •Designed simply to spread to as many systems as possible •The worm first attempted to spawn a remote shell, invoking /usr/ucb/rsh, /usr/bin/rsh, and /bin/rsh. •If this failed the worm connected to the remote finger server daemon sending a 536 byte buffer overflow exploit string to execute an execve(“/bin/sh”,0, 0). This attack only worked on vulnerable VAX machines, and caused a core dump on Suns. •Finally the worm would attempt to exploit an SMTP vulnerability, setting debug on and sending: mail from: </dev/null> rcpt to: <"|sed -e ’1,/^$/’d | /bin/sh ; exit 0"> 6 – The Morris Worm - Bugs •Calls are made to functions with incorrect numbers of arguments •Local variables are declared but never used •Includes routines that are never referenced •Others that will not be executed because of conditions that are never met.
  • How to 0Wn the Internet in Your Spare Time

    How to 0Wn the Internet in Your Spare Time

    USENIX Association Proceedings of the 11th USENIX Security Symposium San Francisco, California, USA August 5-9, 2002 THE ADVANCED COMPUTING SYSTEMS ASSOCIATION © 2002 by The USENIX Association All Rights Reserved For more information about the USENIX Association: Phone: 1 510 528 8649 FAX: 1 510 548 5738 Email: [email protected] WWW: http://www.usenix.org Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. How to 0wn the Internet in Your Spare Time Stuart Staniford∗ Vern Paxsony Nicholas Weaver z Silicon Defense ICSI Center for Internet Research UC Berkeley [email protected] [email protected] [email protected] Abstract 1 Introduction If you can control a million hosts on the Internet, you can do enormous damage. First, you can launch dis- The ability of attackers to rapidly gain control of vast tributed denial of service (DDOS) attacks so immensely numbers of Internet hosts poses an immense risk to the diffuse that mitigating them is well beyond the state-of- overall security of the Internet. Once subverted, these the-art for DDOS traceback and protection technologies. hosts can not only be used to launch massive denial of Such attacks could readily bring down e-commerce sites, service floods, but also to steal or corrupt great quantities news outlets, command and coordination infrastructure, of sensitive information, and confuse and disrupt use of specific routers, or the root name servers.
  • Viruses, Infections and Protection

    Viruses, Infections and Protection

    Viruses, infections and protection www.pandPanasdao Sftowftawraer.ec. omSoluciones Antivirus para Empresas. December 2003 © Panda Software Viruses, infections and protection Virus epidemics in 2003 and antivirus protection At present, a large number of computers around the world lack adequate antivirus protection, as shown by the virus epidemics throughout the year 2003 caused, in most cases, by ‘old’ malicious codes. In contrast with the situation in the past (when some malicious codes were able to spread very quickly but then disappeared shortly after), this year, infections have been mostly caused by viruses whose proliferation has not diminished so rapidly. Actually, they have managed to persist long after antivirus vendors had an antidote against them. This is one of the conclusions that can be extracted from the ranking of the Top Ten viruses most frequently detected by Panda ActiveScan -Panda Software's free online scanner- in 2003. Top Ten viruses most frequently detected by Panda ActiveScan in 2003 Virus % of infections First appeared W32/Bugbear.B 11.21% June 2003 W32/Klez.I 8.59% April 2002 Trj/PSW.Bugbear.B 6.45% June 2003 W32/Blaster 5.32% August 2003 W32/Parite.B 5.1% November 2001 W32/Mapson@MM 4.73% June 2003 W32/EnerKaz 4.42% December 2002 Trj/JS.NoCLose 3.59% January 2003 W32/Bugbear 3.43% September 2002 W32/Bugbear.B.Dam 2.52% June 2003 Bugbear.B (11.21%) tops this ranking largely due to its ability to spread massively by e-mail, and the way that it exploits a vulnerability in Internet Explorer to run automatically.