Stanford Foundations of Information Security XACS101 1.4,1.5 - Worms and Other Malware/Buffer Overflows

Notes from section 1.4 and 1.5 of Stanford Foundations of Information Security XACS101 Course.

Intro

• Virus copies itself into other programs
• Worm is a virus that uses Network to copy itself
  • Spread faster than virus b/c no need for human interaction

Morriss Worm (1988)

• just copied itself - 6000 computers in a few hours
• exploited and used:
  • buffer overflow in fingered (unix util)
  • sendmail in debug mode used to execute arbitrary command
  • list of 432 frequently used passwords

What was learned

• Diversity is good– e.g. one dominant flavor of OS like Windows will be a greater attack vector
• Large programs more bug-prone
• Limiting features limits holes
  • If debug mode was turned off, Morriss bug would not have been able to spread

The Code Red Worm

- Exploited IIS web server buffer overflow - 2,000 hosts/min

• Only in memory so not detected by scanners
• Defaced home page of infected server

The Nimda Worm  - Used many propagation vectors:

1. Server to Server (like Code Red)
2. Server to Client (download infected file)
3. Inflected client sent emails w/ worm code as payload

SQL Slammer Worm

• Started to affect commercial (13K BoA ATMs)

Types of Malware

1. Rootkits - imposter OS tools used by attacker to hide tracks
2. Botnets - network of compromised machines
3. Spyware - monitors activity
4. Keyloggers
5. Trojan Horsed - claims to do one thing, but does something else
6. Adware - shows ad to users w/o consent
7. Clickbots

Click.A Botbot - 2006 - Used HTTP, most previously used IRC

• Used IE browser helper object (BHO)
• Written in PHP w/ MySQL backup, tracked IP addresses of compromised

Distributing Malware

• Worms distribution are very visible
• Drive-by-downloads - just by loading the page client gets affected

Zeus Botnet focused on stealing financial data - spread by drive-by-downloads and phishing

Buffer Overflow

Stack overflow overwrite return address

• Not just “executable stacks”. Can jump to existing function or Return-into-libc !STUDY!

StackGuard - detect return address is being overridden at runtime

• insert a canary (random value, unpredictable to attacker), check canary value prior to return and if changed halt program

Static Analysis

• Heap-based overflows - can happen in Javascript interpreters !LEARNED!

Others:

• Format String

• Integer Overflows