CIS 551 Scribe Notes - Lecture 10

• Reflected DoS (via ping)
  • Approach - broadcast a ping request with the target's address as the return address
  • Effect - all hosts reply to the ping, flooding the target
  • Assumptions being violated
    • sender's address will be legitimate
    • ping should not be a broadcast service
  • Remedy...? (hard to trace and prevent)
    • turning off ping works, but could have negative effects for legitimate users
    • limit scope of broadcast messages in network configuration
  
  
• Distributed DoS (via SYN flooding)
  • Approach - coordinate multiple machines to flood ( >600,000 packets per second) a server with TCP SYN packets
    • target machine will maintain a queue of all open TCP connections (consuming resources)
    • SYN requests are never acknowledged
    • sending address is spoofed/randomized to hide the source of the attack, and to avoid the possibility of detection/filtration
  • Effect - target machine can no longer accept legitimate TCP connections
  • Assumption being violated - users of TCP will always send an ACK after receiving a SYN+ACK
  • Remedy...? (still an open research problem)
    • filtering? (might work, but source address can be spoofed)
    • decentralized file storage?
  • For some more details see this article

• Keep in mind the goals of many malicious code writers:
  • difficult to detect
    
  • hard to destroy or deactivate
    
  • spread infection widely/quickly (or slowly to avoid detection)
    
  • can reinfect a host
    
  • east to create
    
  • affect the widest range of hosts (machine/OS independent)
    

• Trapdoors
  • secret entry point into a program
  • inserted during code development (by accident, intentionally, or maliciously)
  • example: sendmail had a debugging mode active in it, led to Morris Worm
  
  
• Trojan Horses
  • programs that pretends to be one thing, but are actually another
  • have a legendary namesake
  • example: game that doubles as an sshd process, phishing attacks, fake websites that request personal info
  
  
• Worms
  • self-contained running programs (academic distinction rrom viruses: no human necessary for replication)
  • infection strategy relies on underlying vulnerability, such as buffer overflows or weak passwords
  • defenses include firewall filtering, resource monitoring, and proper access control
  • have a less than legendary namesake
    
    
  • Morris Worm (October 1988)
    • Infection
      • sent a small "loader" payload to target machine (99 lines of C)
      • "loader" payload was compiled on target machine
      • compiled "loader" then transferred (with authentication to avoid sys admin tampering) the rest of the worm to the target
      • if an error occurred, loader would erase tracks and exit
      • encrypted attack code in memory (so core dumps wouldn't expose worm)
      • periodically changed its name and process id
    • Effect
      • acted as a denial of service attack due to a bug in the loader (caused many copies of worm per host)
      • system adminstrators cut their network connections
      • brief note: machines reached max number of processes per host, which was 100 in 1988
    
    
  • Code Red Worm (July 2001)
    • Infection
      • exploited a buffer overflow in IIS Indexing Service DLL
      • exploit string sent on TCP port 80
      • throttled infection rate by ceasing execution on already infected hosts
      • spawned threads to scan random IP addresses for hosts listening on port 80, and exploiting those vulnerable
    • Effect
      • all web pages served by the target machine were defaced (given certain conditions)
      • "Hacked by Chinese!" appeared on all pages hosted by infected hosts
      • in less than 14 hours, there were 359,104 hosts infected
      • see this Code Red Analysis for more information
    
    
  • Slammer Worm (January 2003)
    • Infection
      • exploited a buffer overflow in Microsoft's SQL Server or MS SQL Desktop Engine
      • exploit string sent on port 1434, in a single UDP packet
      • bug in the code slowed its growth (bad random number generator)
    • Effect
      • no malicious payload
      • infected over 75,000 hosts in less than 10 minutes (90% of vulnerable hosts)
      • peak port scanning rate (55 million scans/sec) in 3 minutes
      • ... see Flash Worm link (below) for dangers related to modern worms
    
    
  • Worm Research Sources
    • Inside the Slammer Worm, Moore et al. (2003).
    • How to 0wn the Internet in Your Spare Time , Staniford, Paxson, and Weaver (2002).
    • Top Speed of Internet Flash Worms, Staniford, Moore, Paxson, and Weaver (2004).
    • Internet Quarantine: Requirements for Containing Self-propagating Code, Moore et al. (2003)
    • Automated Worm Fingerprinting, Singh et al. (2004)
  
  
• Viruses
  • a potentially malicious program (academic distinction from worms: typically require some user action to activate)
  • creates copies of itself, with the potential for mutation
  • attaches to a host program or data, and needs that host to propagate
  • see this article on "Elk Cloner", one of the first known computer viruses for interesting background
    
    
  • Melissa Macro Virus (March 1999)
    • Infection
      • implemented in Visual Basic for Applications (VBA)
      • sends email message with infected Word document attachment to top 50 entries in address book
      • additionally infected "Normal.dot" template file (causing later outbreaks)
      • email message containing an infected Word document was the vehicle for delivery
      • lowered the security settings for macros, permitting all to run without warning
      • checked the registry for "... by Kwyjibo" to throttle infection rate
    • Effect
      • code was not "malicious" per say, but clogged mail servers
      • if the minute matched the day of the month, the macro would insert a joke
      • for an interesting look at the influence of The Simpsons on our culture, click here

The End!