糖豆 (04/14/2008)
Benjamin (May 18th, 2002)
Benjamin is a typical P2P worm that offers itself for download under many different file names, file types, and file lengths through the KaZaA network. In particular, the worm had more than 2000 different file names to use and padded its files with garbage bytes. In a departure from many other viruses and worms, 'Benjamin' may have had a commercial motivation: the worm opens a Web page named "benjamin.xww.de" which contained advertisements.
Slapper (September 13th, 2002)
Slapper spread on Linux machines by exploiting a flaw in the OpenSSL libraries that had been discovered in August 2002. The worm was found in Eastern Europe late on Friday, September 13th, 2002. The worm scanned for potentially vulnerable systems on 80/tcp using an invalid HTTP GET request. When a potentially vulnerable Apache system was detected, the worm attempted to connect to the SSL service in order to deliver the exploit code. Once infected, the victim server started scanning for additional hosts to continue the worm's propagation. The worm constructed a distributed P2P network: newly infected hosts were instructed to maintain connections via a set of UDP ports. The network could act as a platform for Distributed Denial of Service (DDoS) attacks against other sites. Infected hosts shared information on other infected systems as well as attack instructions. Thus, an attacker could control the distributed network of subverted hosts by connecting to any of the participating nodes.
SQLslammer/Sapphire (January 25th, 2003)
The SQL slammer (a.k.a. Sapphire) worm was the fastest computer worm ever. The number of infected hosts doubled every 8.5 seconds, and the worm infected more than 90 percent of vulnerable hosts within 10 minutes. It exploited a buffer overflow vulnerability in computers running Microsoft's SQL Server or MSDE 2000. The weakness, in an underlying indexing service, was discovered almost a year before the outbreak, and Microsoft had released a patch for it. The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages worldwide. Sapphire's spread was nearly two orders of magnitude faster than that of Code Red. Both worms used the same basic strategy of random scanning to find vulnerable machines and then transferring the exploitive payload; they differed in their scanning constraints. Code Red was latency-limited; SQLslammer was bandwidth-limited and sent infection probes at the maximum speed possible with the available network connectivity.
SQLslammer's size was 376 bytes, so small that even with all the packet headers the whole payload was a single 404-byte UDP packet. This can be contrasted with the 4 KB size of Code Red or the 60 KB size of Nimda. Previous scanning worms spread via many threads, each invoking connect() to probe random addresses, so each thread's scanning rate was limited by network latency, in particular the time required to transmit a TCP SYN packet and wait for a response or a timeout. A worm can compensate for this latency by starting many threads, but context switch overhead is significant and there are insufficient resources to create enough threads to counteract the network delays; as a result the worm becomes latency-dependent again. In contrast, SQLslammer's scanner was limited only by each compromised machine's bandwidth to the Internet: since the SQL Server vulnerability was exploitable with a single packet sent to UDP port 1434, the worm could send its probes without waiting for any response from the potential victim. Fortunately, the SQLslammer worm had a bug in its random number generator that left a considerable portion of Internet hosts unscanned.
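As an added illustration (not part of the original paper), the following Python carries the random-scanning epidemic model through with the numbers the text gives: a doubling time of 8.5 s and, as an assumption, a vulnerable population equal to the paper's 75,000-host lower bound. It derives the per-host probe rate and bandwidth that such a doubling time implies for a single-packet UDP scanner, the time to reach 90 percent infection, and, for contrast, how many connect()-style threads a latency-limited scanner would need at an assumed 1 s SYN timeout. The model assumes uniform random scanning and ignores the random number generator bug and link saturation, so the results are illustrative, not measurements.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a uniform random scanner draws from
VULNERABLE = 75_000       # assumption: the paper's "at least 75,000 hosts" taken as the vulnerable population
DOUBLING_S = 8.5          # doubling time stated in the paper
PACKET_BYTES = 404        # one UDP datagram carried the whole worm (stated in the paper)


def contact_rate_from_doubling(doubling_s):
    """Early growth is exponential, I(t) ~ e^(K t), so K = ln 2 / doubling time."""
    return math.log(2) / doubling_s


def scan_rate_per_host(k, vulnerable, address_space=ADDRESS_SPACE):
    """Random-scan model: K = s * V / 2^32, hence s = K * 2^32 / V probes per second per host."""
    return k * address_space / vulnerable


def infected_fraction(t, k, vulnerable):
    """Logistic (random constant spread) solution starting from a single infected host."""
    i0 = 1.0 / vulnerable
    growth = math.exp(k * t)
    return i0 * growth / (1 - i0 + i0 * growth)


def time_to_fraction(frac, k, vulnerable):
    """Invert the logistic solution: seconds until the infected fraction reaches frac."""
    i0 = 1.0 / vulnerable
    return math.log((frac / (1 - frac)) * ((1 - i0) / i0)) / k


def latency_limited_rate(threads, probe_timeout_s):
    """A connect()-based scanner issues at most one probe per thread per timeout (timeout is an assumption)."""
    return threads / probe_timeout_s


def summary(vulnerable=VULNERABLE, doubling_s=DOUBLING_S):
    k = contact_rate_from_doubling(doubling_s)
    probes = scan_rate_per_host(k, vulnerable)
    return {
        "K_per_s": k,
        "probes_per_s_per_host": probes,
        "mbit_per_s_per_host": probes * PACKET_BYTES * 8 / 1e6,
        "seconds_to_90pct": time_to_fraction(0.9, k, vulnerable),
        # threads a latency-limited scanner would need to match that rate at an assumed 1 s SYN timeout
        "threads_needed_at_1s_timeout": probes / latency_limited_rate(1, 1.0),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:,.2f}")
```

With these inputs the model implies roughly 4,700 probes per second per host (about 15 Mbit/s of 404-byte datagrams) and 90 percent infection in under three minutes, in line with the paper's "within 10 minutes".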
Blaster (a.k.a. Lovesan) worm (August 11th, 2003)
The worm exploits a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that allows arbitrary code to be executed on most Windows NT, Windows 2000, and Windows XP platforms. Fortunately, the worm is designed very poorly. Firstly, its scanning rate is very low and the worm itself is latency-limited; as a result, every machine was probed only about once every half hour on average during the peak of the epidemic. Secondly, the worm has a bug that forced many of the infected machines to reboot endlessly, which reduced the number of scanning hosts. The worm carries a payload that launches a SYN DDoS attack against the Windows Update sites. The Blaster worm also showed that the automatic update functionality provided by Microsoft is quite successful: although almost all PCs were vulnerable at the time the bug was discovered, only half a million machines were subverted when the worm started to spread just three weeks later.
Another important lesson from the Blaster epidemic is that even the machines that are still unpatched at the time of the outbreak are patched soon afterwards, so only one or at most two worms that share the same vulnerability have a chance of spreading widely.
Welchia worm (August 19th, 2003)
The Welchia worm raised the question of whether an Internet worm can be good. The worm exploits the same Microsoft DCOM RPC vulnerability as the Blaster worm, in addition to the MS03-007 vulnerability in Microsoft IIS, by randomly scanning the IP address space. Surprisingly, the payload of the worm cleans the system of the Blaster worm, downloads the patch for the DCOM RPC bug and patches the system. The worm contains code to remove itself from the host PC in January 2004. Although the worm itself is believed not to contain any malicious code and on the contrary cures the infected systems, security experts worldwide still treat it as a malicious worm, because it installs itself without permission from the user, resides in memory until 2004, and overloads networks with its probing and patch-downloading traffic. Nevertheless, it seems likely that Welchia will cure all the systems infected with the Blaster worm within several days.
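Slapper, SQLslammer, Blaster and Welchia all found victims by random scanning, which leaves a characteristic footprint in flow data: one source contacting many distinct destinations on one port in a short time, with a fan-out rate that separates a bandwidth-limited single-datagram scanner from a latency-limited TCP one. The following Python is an added example, not code from the paper, that flags such sources in NetFlow-style records; the records are constructed for the example, with a UDP/1434 burst of 404-byte datagrams modelled on SQLslammer and a slow 80/tcp sweep modelled on Slapper's probes, and the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict


def probe_burst(src, proto, dport, size, count, start, spacing):
    """Constructed records: one source touching `count` distinct hosts, one flow every `spacing` seconds."""
    return [(start + i * spacing, src, f"192.0.2.{i}", proto, dport, size) for i in range(count)]


# Constructed flow records for this example (not from the paper): (time_s, src, dst, proto, dst_port, bytes)
FLOWS = (
    probe_burst("10.0.0.5", "udp", 1434, 404, 40, 0.0, 0.01)   # Slammer-style: 40 hosts in 0.4 s, no replies needed
    + probe_burst("10.0.0.9", "tcp", 80, 120, 30, 0.0, 2.0)    # Slapper-style: 80/tcp probes, one every 2 s
    + [(t, "10.0.0.20", "198.51.100.7", "tcp", 443, 1500) for t in range(0, 60, 5)]  # ordinary client
)


def detect_scanners(flows, window_s=60.0, min_distinct=20):
    """Bucket flows per (source, time window) and flag sources reaching many distinct destinations.

    Returns {src: {"distinct_dsts", "proto", "dport", "avg_bytes", "dsts_per_s"}} for flagged sources.
    """
    dsts = defaultdict(set)                              # (src, window) -> distinct destinations
    ports = defaultdict(lambda: defaultdict(int))        # (src, window) -> {(proto, dport): flow count}
    sizes = defaultdict(list)                            # (src, window) -> flow sizes
    first, last = {}, {}
    for t, src, dst, proto, dport, nbytes in flows:
        key = (src, int(t // window_s))
        dsts[key].add(dst)
        ports[key][(proto, dport)] += 1
        sizes[key].append(nbytes)
        first[key] = min(first.get(key, t), t)
        last[key] = max(last.get(key, t), t)

    alerts = {}
    for key, seen in dsts.items():
        if len(seen) < min_distinct:
            continue
        (proto, dport), _ = max(ports[key].items(), key=lambda kv: kv[1])   # dominant service probed
        span = max(last[key] - first[key], 1e-3)                            # avoid division by zero
        alerts[key[0]] = {
            "distinct_dsts": len(seen),
            "proto": proto,
            "dport": dport,
            "avg_bytes": sum(sizes[key]) / len(sizes[key]),
            "dsts_per_s": len(seen) / span,   # fan-out rate: orders of magnitude higher for a UDP one-packet scanner
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_scanners(FLOWS).items():
        print(src, info)
```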
Top 2004 Worms
MyDoom
spreads by e-mail to Windows PCs, searches for e-mail addresses in various files, and opens a backdoor for remote access.
Netsky
spreads by e-mail, exploits Internet Explorer to automatically execute e-mail attachments, and removes MyDoom and Bagle from PCs.
Bagle
spreads by e-mail, tries to remove Netsky from PCs, opens a backdoor for remote access, downloads code updates from the Web, and disables antivirus and firewall software.
Spywares
A definition of Spyware provided by Steve Gibson states: "Spyware is ANY SOFTWARE which employs a user's Internet connection in the background (the so-called "back channel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed back channel usage, followed by the receipt of explicit, informed, consent for such use. Any Software communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: 'Spyware'." The term Spyware is, in most cases, synonymous with Adware, and such a program is potentially a Trojan horse. Spyware can collect sensitive data (such as the version of the operating system you are running, your browser type, whether scripting is enabled, which version of Java you are running, your screen size, the available plug-ins, DNS information for your current domain, and even a traceroute back to you to find out where you sit on the net) in two ways:
- By cookies
- By installing itself and then executing
By Cookies
Cookies are small files placed on your system by web servers when you visit, and they can be used to track and record your internet usage. Each time you visit a site, the site checks whether you have a cookie for that site; if you do, it retrieves your personal settings for the site, and if not, it delivers a cookie to your machine. Cookies come in two flavors: persistent cookies, which are configured to stay on your system for many years by means of an expiration date, and "session cookies", which are removed when the session is closed.
By installing itself and then executing
Spyware is typically an independent program that runs in the background. Programmers working for spyware-distributing companies can write a routine that runs with system privileges and retrieves information from your computer. If they want to retrieve Word documents from their targets, they write code that looks for Word documents and sends them back to the proper place on the internet.
Conclusion
Malicious Code "Study in Depth" provides a layered approach to securing information and resources, as well as maintaining the confidentiality, integrity, and availability of these resources. Viruses and worms are consistently among the most common attacks. In this paper I explain malicious code, including trap doors, Trojan horses, logic bombs, zombies, viruses, worms and spyware.
Acknowledgement
I am grateful to my brother “Vahid” for his efforts in editing this paper.