DecodingandUnderstandingInternetWorms.ppt

Decoding and Understanding Internet Worms  Course Overview Basic overview / history of worms Worm analysis techniques Worms – under the hood Worm defense techniques The future of worms Questions and answers Internet Worms-Defined A worm is a self propagating piece of malicious software. It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts Internet Worms-Who Writes Them Hacker/Crackers Researchers Virus Writers Internet Worms-Worms vs. Viruses Viruses require interaction Worms act on their own Viruses use social attacks Worms use technical attacks Internet Worms-History Morris Internet Worm Released in 1998 Overloaded VAX and Sun machines with invisible processes 99 line program written by 23 year old Robert Tappan Morris Exploit xyz Internet Worms-History First worms were actually designed and released in the 1980’s Worms were non-destructive and generally were released to perform helpful network tasks Vampire worm: idle during the day, at night would use spare CPU cycles to perform complex tasks that required the extra computing power Internet Worms-History Eventually negative aspects of worms came to light An internal Xerox worm had crashed all the computers in a particular research center When machines were restarted the worm re-propagted and crashed the machines again Worm Analysis Techniques-Capture: Capturing from the Network Sniffers IDS Netcat Listeners Specialized Servers (earlybird, etc) Worm Analysis Techniques-Capture: Capturing from Memory Memory Dumps Memory Searches Crashing to preserve memory Worm Analysis Techniques-Capture: Capturing from Disk File searches File monitoring Open handles Email Replicated/Infected files Worm Analysis Techniques-Dissection / Disassembly: Loading Loading files in ida Initial Settings Trojans vs. Exploit Style worms Trojans load as programs Exploits load as baseless code Worm Analysis Techniques-Dissection / Disassembly: Defining Setting variables Examining functi