THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE [Electronic resources] - نسخه متنی

Peter Szor

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
ارسال به دوستان
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات
توضیحات
افزودن یادداشت جدید











  • 9.5. Common Worm Code Transfer and Execution Techniques


    Computer worms also differ how they propagate the worm's code from one system to another. Most computer worms simply propagate their main body as an attachment in an e-mail. However, other types of worms utilize different methods, such as injected code and shellcode techniques in conjunction with exploit code, to attack another system.

    9.5.1. Executable CodeBased Attacks


    E-mail can be encoded in various ways, such as UU, BASE64 (MIME), and so on. However, the UU-encoded attachments are not very reliable over the Internet because UU uses some special characters whose interpretation depends on the context. Nowadays, most e-mail clients use MIME-encoded attachments by defaultand that is how most e-mail worms' SMTP client engines transfer themselves to new targets. Script e-mail worms usually send attachments encoded according to the settings of the e-mail client on the compromised system.

    9.5.2. Links to Web Sites or Web Proxies


    Computer worms also can send links to executables hosted elsewhere, such as a single Web site, a set of Web sites, or an FTP location. The actual message on IRC or in e-mail might not have any malicious content in it directlybut infects indirectly. One problem with this kind of attack is the possibility of an accidental DoS attack against the system that hosts the worm's code. Another potential pitfall is that the defender can easily contact Internet service providers to request they disconnect such sites, preventing further propagation of the computer worm.

    Tricky worms send links with the IP address of an already compromised system. First, the worm compromises a machine and opens a crude Web server on the system. Then it sends messages to other users, using the IP address of the machine with the port on which the worm itself is listening for a GET request. In this way, the worm attack becomes peer-to-peer, as Figure 9.8 illustrates. Such computer worms might be able to bypass content filtering easily if the content-filtering rule is based on attachment filtering.

    Figure 9.8. Tricky worms send links in e-mails instead of their own copy.

    MS03-032 bulletin) to download and execute the hosted worm executable on the target automatically.30 worm arrives on a new system, it acts as a crude local Web server on port 8180, hosting a Web page that instructs the user to download and run a program, which is the worm body itself. The worm tricks Instant Messenger users by sending them a link that looks like the following:


    FREE PORN: http://free:porn@192.168.0.1:8180

    where the IP address is the address of an infected system.

    9.5.3. HTML-Based Mail


    The e-mail can even b169 mail-based. Disablin171 support in your e-mail client reduces your chance of exposure to at least some of these threats, such as VBS/Bubbleboy. This worm is described in Chapter 10.

    9.5.4. Remote Login-Based Attacks


    On UNIX-like systems, commands such as rsh, rlogin, rcp, and rexec can be used directly by computer worms. Using such commands, worms can execute themselves on remote systems if the attacked system is not secured or if the password is guessed with a dictionary attack or similar method. Usually, such worms make a copy of their code directly to the remote system and execute themselves via the remote execution facilities.

    On Windows systems, worms like JS/Spida can take advantage of vulnerable Microsoft SQL servers. Spida scans for remote Microsoft SQL server systems on port 1433 and tries to execute itself remotely with the following assumptions:

    • The Microsoft SQL server runs in Administrative mode.

    • The "sa" Microsoft SQL server account has no password set.


    The worm takes advantage of the xp_cmdshell function to execute system commands to run the worm on the remote machine.

    9.5.5. Code Injection Attacks


    A more advanced attack requires exploitation of a target with direct code injection over the network. As traditional buffer overflows are getting more difficult to exploit, attackers are increasingly interested in exploiting server-side vulnerabilities related to a lack of input validation. For example, the Perl/Santy worm utilizes Google to find vulnerable Web sites and runs its own Perl script via a vulnerability in the phpBB bulletin board software. This worm successfully defaced tens of thousands of Web sites on December 21 of 2004. Depending on the thread model of the vulnerable target server, one of the following actions will happen:

    • A new thread is created at the start of the server.

    • A new thread is created upon each incoming request.


    Furthermore, depending on the context of the hijacked thread, the worm

    • Runs in SYSTEM context with high privileges.

    • Runs in the context of a user with either high or low privileges that the worm might be able to escalate.


    These preconditions are often reflected in the worm's operation. When, for example, W32/Slammer exploits a vulnerable Microsoft SQL server, the worm hijacks a thread that was executed at the start of the server. Thus the operations associated with the hijacked thread will be paralyzed because new incoming requests will not be resolved. In addition, the server process and the entire system is heavily overloaded because the worm never stops sending itself to new targets.Chapter 10 from the point of view of exploitation. Figure 9.9 illustrates this.

    Figure 9.9. A typical one-way code injection attack.

    [View full size image]

    In some cases, the injected code creates a new user account on the target that can be used by the attacker to log in to the system remotely.

    Another interesting example of a code injection attack is the W32/Lespaul@mm worm. This worm takes advantage of a vulnerability in Eudora 5 that can be exploited by sending a malformed boundary tag.

    Lespaul is a mass-mailer worm, but just like CodeRed or Slammer, it injects its code directly into the vulnerable Eudora 5 process. The worm does not send an attachment to the recipient; instead, it propagates itself as the mail body. It can appear in the Eudora mailbox as part of an e-mail message featuring an overly long header field; however, its code is never saved into a standalone executable at any point in order to be executed.

    9.5.6. Shell CodeBased Attacks


    Another class of computer worms utilize shell code on the target machine. The basic idea is to run a command prompt on the remote system, such as cmd.exe (on Windows) or /bin/sh (on UNIX) via the exploit code. Consider Figure 9.10 for an illustration.

    Figure 9.10. A typical shell codebased attack.

    [View full size image]

    The worm follows these steps:


    1.

    It injects code into a remote process and binds a specific port to the process. The exploited process starts to listen on the port.

    2.

    The worm attempts to connect to the listening port.

    3.

    If the connection to the port is successful, the previously injected shellcode executes a command prompt and binds that process to the same port that the attacker is using.

    4.

    Finally, the worm can start to send commands to the shell.


    An example of such a worm is W32/Blaster.

    Shellcode-based attacks are typically more common on UNIX systems than on Windows systems. A few variations exist, such as back-connecting shellcode and shellcode that reuses an existing connection.

    Back-connecting shellcode immediately attempts to connect the target with the attacker by establishing a TCP connection from the target to the attacker's machine. The advantage of this method is that it allows machines behind a firewall to "connect-out" to the attacker system.

    This attack requires the attacker system to listen on a particular port and wait for the shellcode to connect, as shown in Figure 9.11.

    Figure 9.11. A back-connecting shellcode.

    Chapter 15 you can find a traced shellcode of Slapper that illustrates the reused connection better.

    Figure 9.12. A connection-reusing shellcode.

    [View full size image]


    • / 191