5 - Worms and Other Malware 安全测试 教学课件.pptVIP

Agenda Worms spreading across Internet through vulnerabilities in software History of Worms Morris Worm Code Red Nimda Blaster SQL Slammer Rootkits, Botnets, Spyware, and more Malware 5.1. What Is a Worm? Virus: program that copies itself into other programs Could be transferred through infected disks Rate dependent on human use Worm: a virus that uses the network to copy itself onto other computers Worms propagate faster than viruses Large # of computers to infect Connecting is fast (milliseconds) 5.2. An Abridged History of Worms Examples of how worms affect operation of entire Internet First Worm: Morris Worm (1988) Code Red (2001) Nimda (2001) Blaster (2003) SQL Slammer (2003) 5.2.1. Morris Worm: What It Did Damage: 6000 computers in just few hours Extensive network traffic by worm propagating What: just copied itself; didn’t touch data Exploited and used: buffer overflow in fingerd (UNIX) sendmail debug mode (execute arbitrary commands such as copying worm to another machine) dictionary of 432 frequently used passwords to login and remotely execute commands via rexec, rsh 5.2.2. The Morris Worm: What We Learned Diversity is good: Homogenity of OSes on network - attacker can exploit vulnerabilities common to most machines Large programs more vulnerable to attack sendmail was large, more bug-prone fingerd was small, but still buggy Limiting features limits holes: sendmail debug feature should have been turned off Users should choose good passwords: dictionary attack would have been harder 5.2.3. The Creation of CERT Computer Emergency Response Team (CERT) created due to damage and disruption caused by Morris worm Has become a leading center on worm activity and software vulnerability announcements Raises awareness bout cyber-security 5.2.4. The Code Red Worm (1) Exploited Microsoft IIS web server buffer overflow “indexing server” feature: randomly scanned IP addresses to connect to other IIS servers Spread rapidly: 2,000 hosts/min Evaded automat