Stanford Foundations of Information Security XACS101 1.4,1.5 - Worms and Other Malware/Buffer Overflows

Notes from sections 1.4 and 1.5 of the Stanford Foundations of Information Security XACS101 course.


Morris Worm (1988)

What was learned

The Code Red Worm

- Exploited IIS web server buffer overflow - 2,000 hosts/min

The Nimda Worm - Used many propagation vectors:

  1. Server to Server (like Code Red)
  2. Server to Client (client downloads an infected file)
  3. Infected client sent emails w/ worm code as payload

SQL Slammer Worm

Types of Malware

  1. Rootkits - imposter OS tools used by attacker to hide tracks
  2. Botnets - network of compromised machines
  3. Spyware - monitors activity
  4. Keyloggers
  5. Trojan Horses - claims to do one thing, but does something else
  6. Adware - shows ads to users w/o consent
  7. Clickbots

Clickbot.A - 2006 - Used HTTP for command and control; most earlier botnets used IRC

Distributing Malware

Zeus Botnet focused on stealing financial data - spread by drive-by downloads and phishing

Buffer Overflow

Stack overflow: overflowing a fixed-size stack buffer overwrites the saved return address

StackGuard - detects at runtime that the return address has been overwritten, before the function returns
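Added example, not from the course notes: a C simulation of the two points above, an unbounded copy into a fixed-size buffer that runs through to the saved return address, beside the bounded copy that fixes it, with a StackGuard-style canary check that catches the overrun before "return". The frame layout, canary value and return address are constructed assumptions, and the overrun is clamped to the simulated frame so the program stays well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (assumed layout: buffer, then StackGuard-style
 * canary, then the saved return address at the higher address). */
typedef struct {
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_ret;
} frame_t;
#define CANARY_VALUE 0xA5C3E1F7u  /* constructed, not a real canary */
#define SAVED_RET    0x401000u    /* constructed return address */

static void frame_init(frame_t *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->saved_ret = SAVED_RET;
}

/* The bug: copy length comes from the input, as with strcpy into a
 * fixed buffer. Clamped to the frame so the demo stays in one object. */
static void copy_unbounded(frame_t *f, const char *in, size_t len) {
    size_t n = len < sizeof *f ? len : sizeof *f;
    memcpy((unsigned char *)f + offsetof(frame_t, buf), in, n);
}

/* The fix: never write more than the buffer holds, keep the NUL. */
static void copy_bounded(frame_t *f, const char *in, size_t len) {
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* StackGuard's check before return: a linear overflow cannot reach the
 * saved return address without first changing the canary. */
static int canary_intact(const frame_t *f) {
    return f->canary == CANARY_VALUE;
}

int main(void) {
    char attack[40];               /* constructed oversized input */
    memset(attack, 'A', sizeof attack);
    frame_t f;
    frame_init(&f); copy_unbounded(&f, attack, sizeof attack);
    printf("unbounded: canary %s\n", canary_intact(&f) ? "intact" : "CLOBBERED");
    frame_init(&f); copy_bounded(&f, attack, sizeof attack);
    printf("bounded:   canary %s\n", canary_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```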

Static Analysis