Saturday, 17 March 2012
Misconceptions About Computer Worms
Misconceptions About Computer Worms And An Insight Into There Creation
Intro
There are a few misconceptions that some members have about Internet worms and their behaviour. All too often I hear people saying "Oh, it looks like you have been infected by some kind of worm", and almost 99% of the time they are completely wrong. So here goes my attempt to clear up a few things about worms.
Definition
A computer worm is a self-replicating malware program. It uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention. This is possible because of security shortcomings on the target computer.
REF: en.wikipedia.org/wiki/Computer_worm
Ok So How?
Common and notorious worms have been pieces of code that use a (mostly 0-day) exploit in a widely used service like IIS or Apache. The advantage of using a 0-day exploit is that no one is patched against it, and the longer the patch is delayed, the more devastating the worm is.
Internet worms flourish by using the full bandwidth of the victim to scan for more victims to copy themselves to, so the more hosts that get infected, the more scanning packets hit the Internet, creating a pyramid effect.
The common worm model is a piece of code that, when it infects a victim, spawns numerous threads (Code Red II used 100). In the case of Code Red II, the worm used 99 threads to scan for more victims and one thread as a payload that defaced the web server it was running on and/or attempted to cause denial-of-service conditions on the White House website.
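The pyramid effect above can be written down as the standard random-scanning spread model, which also shows which levers a defender has against it. The following Python is an added example, not from the original post; its host counts and scan rates are constructed values, not measurements of any real worm.

```python
# Added example (not from the original post): the "pyramid effect" written as the
# random-constant-spread model. Every infected host sends `scans_per_sec` probes
# to random addresses in a 2^32 space holding `n_vulnerable` susceptible hosts,
# so new infections per second are scans * infected * (vulnerable - infected) / 2^32.
# All parameters below are constructed for illustration.
ADDRESS_SPACE = 2 ** 32

def time_to_fraction(n_vulnerable, scans_per_sec, fraction=0.9, dt=0.1, max_t=86400.0):
    """Seconds (Euler steps of dt) until `fraction` of the vulnerable population
    is infected, starting from one infected host; None if not reached by max_t."""
    infected = 1.0
    target = fraction * n_vulnerable
    t = 0.0
    while infected < target:
        if t >= max_t:
            return None
        hit_rate = scans_per_sec * infected / ADDRESS_SPACE   # probes/sec landing on any one address
        infected += hit_rate * (n_vulnerable - infected) * dt
        t += dt
    return t

def slowdown_factor(n_vulnerable, scans_per_sec, n_after_patching, throttled_scans_per_sec):
    """Compare the two levers a defender has: shrinking the vulnerable population
    (patching) and capping each host's outbound probe rate (throttling). Returns
    (factor_from_patching, factor_from_throttling), each 'times slower than baseline'."""
    base = time_to_fraction(n_vulnerable, scans_per_sec)
    patched = time_to_fraction(n_after_patching, scans_per_sec)
    throttled = time_to_fraction(n_vulnerable, throttled_scans_per_sec)
    if base is None or patched is None or throttled is None:
        return None
    return patched / base, throttled / base

if __name__ == "__main__":
    # constructed scenario: 75,000 vulnerable hosts, 4,000 probes/sec per infected host
    print("baseline seconds to 90%:", round(time_to_fraction(75_000, 4_000)))
    print("patch half / throttle to 100 probes/sec:", slowdown_factor(75_000, 4_000, 37_500, 100))
```

Because time to saturation scales with 1/(scan rate x vulnerable hosts), throttling every host's outbound probe rate slows the whole pyramid, not just the throttled host.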
Study - Slammer Worm
The Slammer worm is a perfect example of how successful worms spread INCREDIBLY FAST: Slammer infected 90% of vulnerable targets (targets vulnerable to the MS SQL buffer overflow) within TEN MINUTES of its launch at 05:30 UTC on January 25, 2003. The sheer speed of the attack caused the entire Internet to slow down; in some cases parts of the Internet buckled under the bandwidth usage so badly that businesses' and home users' Internet connections were completely cut off.
A contributing factor to the speed at which Slammer spread is its use of a single UDP packet to exploit victims. The worm itself was a mere 376 bytes, which fit inside a single UDP packet, allowing Slammer to simply fire thousands of requests per second using the full bandwidth of the node it had infected.
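From the defender's side, the properties just described (one UDP datagram to port 1434, a 376-byte payload, thousands of random destinations per second) are exactly what makes Slammer-style scanning stand out in flow logs: the tell-tale is fan-out, not any single packet. The following Python is an added example, not from the original post; the flow-record format and the sample records are constructed.

```python
# Added example (not from the original post): flagging Slammer-style fan-out in
# flow records. A source that sends 376-byte UDP/1434 datagrams to many distinct
# hosts within seconds is scanning; a real client talks to one server repeatedly.
from collections import defaultdict

SLAMMER_PORT = 1434
SLAMMER_PAYLOAD = 376            # bytes, as stated in the post

def parse_flow(line):
    """Parse one constructed record: 'ts src dst proto dport bytes'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return float(ts), src, dst, proto.upper(), int(dport), int(nbytes)

def find_scanners(lines, window_sec=10.0, min_fanout=50):
    """Return {src: peak_fanout} for sources that reached at least `min_fanout`
    distinct destinations on UDP/1434 with a 376-byte payload inside `window_sec`."""
    hits = defaultdict(list)                      # src -> [(ts, dst)]
    for line in lines:
        ts, src, dst, proto, dport, nbytes = parse_flow(line)
        if proto == "UDP" and dport == SLAMMER_PORT and nbytes == SLAMMER_PAYLOAD:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):             # sliding time window [lo, hi]
            while events[hi][0] - events[lo][0] > window_sec:
                lo += 1
            fanout = len({dst for _, dst in events[lo:hi + 1]})
            if fanout >= min_fanout:
                flagged[src] = max(fanout, flagged.get(src, 0))
    return flagged

# Constructed sample: 10.0.0.5 sprays 60 hosts in 1.2 s (scanner); 10.0.0.9 sends
# the same-sized datagram 80 times to a single SQL server (legitimate, fan-out 1).
SAMPLE_FLOWS = (
    [f"{100 + i * 0.02:.2f} 10.0.0.5 198.51.100.{i} udp 1434 376" for i in range(1, 61)]
    + [f"{100 + i:.2f} 10.0.0.9 10.0.0.20 udp 1434 376" for i in range(80)]
    + ["101.00 10.0.0.9 10.0.0.20 tcp 1433 1500", "102.00 10.0.0.7 10.0.0.21 udp 53 64"]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))           # only the spraying source is flagged
```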
Propagation - And a look at the rabbit hole
But one thing I have found when researching is that NOT ONE book on the market describes how the worm copies itself from an already infected node to a newly exploited node. So I'm going to use the fact that I have your attention to put together a few ideas I have collected on how worms copy themselves:
1) A 'Sudo Worm' - This is my name for a worm whose exploit payload downloads the worm from a fixed remote server, thus not propagating entirely by itself (hence the 'sudo'). However, there is one major disadvantage to this technique: if the worm becomes a problem, the CERT organization has the ability to shut down the one server where the worm copy is located (found by reversing the worm code), thus immobilizing the propagation of every infected node. I know the smart hackers on here are thinking of a way round this through polymorphic code, but eventually the worm still needs to be centralized.
2) Socket sharing - This is the most obfuscated topic in worm creation (so please appreciate that I'm about to be very vague, because this was one hole in my research). The payload of the exploit spawns a socket which then listens for the other infected node to send a binary copy of itself straight from memory to the remote node. This is a fast idea but would only work if the two OSs are identical, so the code has to get a lot larger to accommodate multiple OS/architecture versions of itself (so forget about that one UDP packet).
3) Quines - Quines, in my opinion, are the most interesting pieces of code there are. A quine by definition is a program whose ultimate output is a copy of its own code. (I'll pause to let you think about that.) So a worm's exploit payload would be a working copy of the worm itself, which would then scan for more victims and run the same exploit, causing the same payload copy of itself to launch on the victim (and on and on and on). (If you're interested in learning about quines and how to code them, and are willing to follow an adf.ly link to help me out, then here you go - QUINES)
Worm Creation - THE TRUTH
In all honesty, it is very easy to code an Internet worm if you have a grasp of the theory and some coding skill. It requires the following elements of code:
An IP generator - To create a random IP address to search for new victims.
Here is a vague C IP generator function I made to give you an idea of where to start.
Code:
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
/* Print a random dotted quad; retry if the first octet is 127 (loopback). */
void octgen(void) {
    int oct[4];                       /* four octets, not three */
    int i;
    for (i = 0; i < 4; i++) { oct[i] = rand() % 220 + 1; }
    if (oct[0] != 127) {
        printf("%i.%i.%i.%i\n", oct[0], oct[1], oct[2], oct[3]);
    } else {
        octgen();
    }
}
int main(void) {
    srand(time(NULL));                /* seed once, not on every call */
    octgen();
    return 0;
}
An Exploit
To rival the success of Slammer and Code Red would require a new 0-day exploit and some fast expert programming to get the worm out before the patch, but for a small worm you could easily rip an exploit off http://inj3ct0r.com/ and still infect a few thousand computers.
An Exploit Payload + Propagation Technique
A propagation technique is the hardest thing in creating worms, because the whole subject is obfuscated in books and on the Internet to stop everyone making worms, so you'll need to either make do with a download-and-execute payload for your worm and be happy with a sudo worm, or code your own payload for your exploit and find a slightly cleverer way to propagate. For help with payload programming and finding 0-day exploits I suggest you read (yes kids, it's a book) The Shellcoder's Handbook.
A Worm Payload
Now this is where it gets interesting, and to be honest it is up to the coder. Personally, you could be happy knowing your worm is on thousands of computers silently doing no damage; however, you could potentially have a date-triggered payload so that every infected node stops propagating and denial-of-services a high-profile site, or strings all nodes into a huge botnet. Some of the more devastating (and clever) worms have stolen international secrets, stolen funds and destroyed thousands of pounds' worth of data. But I'll leave this up to you.
Conclusion
For those of you that have read this far, I hope you have enjoyed my little insight into the world of computer worms and a small glimpse into how worms are created in the real world. And now I won't be the only person on HF with my fingers crossed when a new high-profile 0-day hits the headlines, sat there just waiting for the next worm to ravage the Internet.
Happy Hacking. :)
Thanks to sol@ris for this!!!
I'm just a distributor, not the author of this post.