What does exploit mean? And the Sasser worm - PowerPoint PPT Presentation

Slides: 17
Provided by: christia4

Transcript and Presenter's Notes

1
What does exploit mean? And the Sasser worm
  • Seminar on Software Engineering,
  • Short Presentation
  • 07.02.2008
  • Christian Gruber

2
Definition
  • In computing, an exploit is an attack on a
    computer system that takes advantage of a
    particular vulnerability the system exposes to
    intruders.
  • An exploit can take different forms:
  • a piece of software
  • a sequence of commands
  • crafted input to a program, whether syntactically
    valid or malformed

3
Definition continued
  • Normally a single exploit takes advantage of one
    specific software vulnerability.
  • Exploits are normally designed to provide one of:
  • - superuser-level access
  • - privilege escalation
  • - denial of service
  • It is also possible to chain several exploits to
    gain access to resources: first gain low-level
    access, then escalate privileges repeatedly
    until superuser level is reached.

4
Classification
  • There are several ways of classifying exploits.
    The most common is by how the exploit reaches the
    vulnerable software:
  • Local exploit (the attacker already has access to
    the machine, typically as a low-privileged user)
  • Remote exploit (delivered over the network against
    a listening service, with no prior access)
  • Exploits against client applications (delivered in
    a file or server response that the client opens)

5
  • A zero-day exploit targets a vulnerability for
    which no patch is yet available: it is used on
    "day zero", before or immediately after the
    vulnerability is announced, so defenders have had
    no time to react.
  • It is usually used by hackers/crackers to cause
    unintended or unanticipated behaviour in software.
  • Once a vulnerability becomes known it is fixed
    through a patch. On a system that has applied the
    patch the exploit no longer works; it stays fully
    effective against every system that has not.

6
Different exploit types
  • Exploits can also be categorised by the type of
    vulnerability they exploit or by the method of
    exploitation:
  • - Buffer overflow
  • - Heap overflow
  • - Stack buffer overflow
  • - Integer overflow
  • - Return-to-libc attack
  • - Format string attack
  • - Race condition
  • - Code injection
  • - SQL injection
  • - Cross-site scripting
  • - Cross-site request forgery
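The stack buffer overflow listed above is the class of flaw the Sasser worm used against LSASS. The following is an added example, not code from the slides and not Sasser's or LSASS's real code: it models a handler's stack frame as a byte array with an assumed layout (16-byte local buffer, then saved frame pointer, then return address), copies a length-prefixed message into it first without and then with a bounds check, and shows the return-address slot being overwritten by the unchecked copy. The frame layout, offsets, addresses and the FRAME_SIZE fence in the vulnerable handler are assumptions of the model so that it runs deterministically without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout for this model (not LSASS's real one):
 *   [0, 16)  buf       fixed-size local buffer the handler copies a message into
 *   [16, 24) saved fp  caller's frame pointer
 *   [24, 32) ret addr  address the handler returns to                         */
#define BUF_SIZE   16
#define FP_OFFSET  16
#define RET_OFFSET 24
#define FRAME_SIZE 32

/* Lay out a frame with a known, benign return address. */
void frame_init(uint8_t frame[FRAME_SIZE], uint64_t ret_addr)
{
    uint64_t saved_fp = 0x7ffd1000ULL;          /* arbitrary plausible value */
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + FP_OFFSET, &saved_fp, sizeof saved_fp);
    memcpy(frame + RET_OFFSET, &ret_addr, sizeof ret_addr);
}

/* Read back the return-address slot: where the handler would jump on return. */
uint64_t frame_ret(const uint8_t frame[FRAME_SIZE])
{
    uint64_t r;
    memcpy(&r, frame + RET_OFFSET, sizeof r);
    return r;
}

/* Vulnerable handler: trusts the length carried in the message itself.
 * Bytes beyond BUF_SIZE run over the saved frame pointer and then the
 * return address. The FRAME_SIZE fence only keeps this model in-bounds;
 * a real stack has no such fence. */
int vulnerable_handler(uint8_t frame[FRAME_SIZE], const uint8_t *msg, size_t len)
{
    if (len > FRAME_SIZE)
        return -1;
    memcpy(frame, msg, len);                    /* no check against BUF_SIZE */
    return 0;
}

/* Hardened handler: the bound is the destination buffer, not the sender's claim. */
int safe_handler(uint8_t frame[FRAME_SIZE], const uint8_t *msg, size_t len)
{
    if (len > BUF_SIZE)
        return -1;                              /* overlong message rejected */
    memcpy(frame, msg, len);
    return 0;
}

/* Build the kind of overlong message an exploit sends: filler up to the
 * return-address slot, then the address the attacker wants executed. */
size_t craft_message(uint8_t *out, size_t cap, uint64_t target)
{
    const size_t need = RET_OFFSET + sizeof target;
    if (cap < need)
        return 0;
    memset(out, 'A', RET_OFFSET);
    memcpy(out + RET_OFFSET, &target, sizeof target);
    return need;
}

int main(void)
{
    uint8_t frame[FRAME_SIZE], msg[64];
    const uint64_t good = 0x0000000000401000ULL;   /* legitimate return address */
    const uint64_t evil = 0x00000000deadbeefULL;   /* attacker-chosen address   */
    size_t len = craft_message(msg, sizeof msg, evil);

    frame_init(frame, good);
    vulnerable_handler(frame, msg, len);
    printf("vulnerable: return address is now 0x%llx\n",
           (unsigned long long)frame_ret(frame));

    frame_init(frame, good);
    int rc = safe_handler(frame, msg, len);
    printf("hardened:   rc=%d, return address still 0x%llx\n",
           rc, (unsigned long long)frame_ret(frame));
    return 0;
}
```

The point to take from it is where the bound comes from: the vulnerable handler bounds the copy by a value the remote sender controls, the hardened one by the size of the buffer it owns. A worm needs nothing more than the first version listening on a network port.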
7
Sasser worm
  • Sasser is a computer worm that affects computers
    running vulnerable versions of Microsoft's
    operating systems Windows XP and Windows 2000.
  • Like other network worms, Sasser spreads by
    exploiting the operating system through a
    vulnerable service listening on a network port.
  • It spreads without any action by the user.

8
  • Sasser was first noticed, and started spreading, on
    April 30, 2004. The worm is named after LSASS
    (Local Security Authority Subsystem Service), the
    component whose buffer overflow it exploits on the
    affected operating systems.
  • Sasser carries no destructive payload: it does not
    destroy or alter data on the computer. Its damage
    comes from the scanning traffic it generates and
    from crashing LSASS on the machines it attacks,
    which is what made infected hosts unusable in the
    incidents described below.

9
How it works 1/3
  • Sasser takes advantage of a buffer overflow flaw in
    the Local Security Authority Subsystem Service
    (LSASS) that lets a remote attacker run code on,
    and so take control of, the vulnerable system.
  • Sasser writes a copy of itself to the Windows
    directory under the name AVSERVE.EXE.
  • It adds the following value to the system Registry
    under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    avserve.exe = C:\Windows\avserve.exe

10
How it works 2/3
  • This Registry change makes the worm run again
    every time the machine reboots.
  • Sasser starts an FTP server on TCP port 5554.
    Meanwhile, it uses TCP port 445 to search random
    chunks of the Internet for additional Windows
    2000 and Windows XP machines that have not patched
    the LSASS flaw. Sasser launches 128 threads to
    scan random IP addresses and listens on successive
    ports starting with TCP port 1068. Port 445 is
    used by the Windows file-sharing protocol (SMB
    over TCP), which is why it is so widely reachable.

11
How it works 3/3
  • If Sasser finds a vulnerable machine on the local
    network or the Internet, it sends a specially
    crafted packet that causes a buffer overflow in
    lsass.exe. The overflow delivers code that opens a
    command shell on TCP port 9996 of the newly
    infected machine; through that shell a script
    file, cmd.ftp, is written with instructions to
    download a copy of the worm from TCP port 5554 on
    the previously infected machine.
  • The file cmd.ftp is then erased. Sasser creates a
    win.log in the root of the system drive of each
    infected machine, recording how many remote
    systems that machine has infected and the IP
    address of the last one.
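The spreading behaviour on slides 10 and 11 has a network signature a defender can look for: one host fanning out to many distinct addresses on TCP 445 in a short time, followed by connections to the worm's own ports 9996 and 5554. The following is an added example, not from the slides and not any real product's detection logic: it runs that check over a constructed set of flow records in the assumed format "<epoch> <src> <dst> <dport>". The window length, the threshold and the sample addresses are assumptions chosen for the demonstration; a real sensor would tune them to its network.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS  256
#define MAX_DSTS   256
#define ADDR_LEN   16
#define SCAN_PORT  445   /* SMB over TCP, the port Sasser probes              */
#define WINDOW_SEC 10    /* look-back window per source (assumption)           */
#define THRESHOLD  8     /* distinct 445 targets per window; low for the sample */

struct flow {
    int  ts;
    char src[ADDR_LEN];
    char dst[ADDR_LEN];
    int  dport;
};

/* Parse one constructed record: "<epoch> <src> <dst> <dport>". */
int parse_flow(const char *line, struct flow *f)
{
    return sscanf(line, "%d %15s %15s %d", &f->ts, f->src, f->dst, &f->dport) == 4;
}

/* Distinct port-445 destinations contacted by src in [t0, t0 + WINDOW_SEC). */
static int distinct_targets(const struct flow *fl, int n, const char *src, int t0)
{
    const char *seen[MAX_DSTS];
    int k = 0;
    for (int i = 0; i < n; i++) {
        if (fl[i].dport != SCAN_PORT || strcmp(fl[i].src, src) != 0)
            continue;
        if (fl[i].ts < t0 || fl[i].ts >= t0 + WINDOW_SEC)
            continue;
        int dup = 0;
        for (int j = 0; j < k && !dup; j++)
            dup = strcmp(seen[j], fl[i].dst) == 0;
        if (!dup && k < MAX_DSTS)
            seen[k++] = fl[i].dst;
    }
    return k;
}

/* Flag sources that reach >= THRESHOLD distinct hosts on 445 inside one window.
 * A client talking repeatedly to the same file server never trips this. */
int detect_scanners(const char *const *lines, int nlines, char out[][ADDR_LEN], int max_out)
{
    struct flow fl[MAX_FLOWS];
    int n = 0, found = 0;
    for (int i = 0; i < nlines && n < MAX_FLOWS; i++)
        if (parse_flow(lines[i], &fl[n]))
            n++;
    for (int i = 0; i < n && found < max_out; i++) {
        if (fl[i].dport != SCAN_PORT)
            continue;
        int already = 0;
        for (int j = 0; j < found && !already; j++)
            already = strcmp(out[j], fl[i].src) == 0;
        if (!already && distinct_targets(fl, n, fl[i].src, fl[i].ts) >= THRESHOLD)
            strcpy(out[found++], fl[i].src);
    }
    return found;
}

/* Secondary indicator from slide 11: traffic to the worm's own ports,
 * 9996 (remote shell) and 5554 (FTP server handing out the worm copy). */
int count_worm_port_flows(const char *const *lines, int nlines)
{
    struct flow f;
    int c = 0;
    for (int i = 0; i < nlines; i++)
        if (parse_flow(lines[i], &f) && (f.dport == 9996 || f.dport == 5554))
            c++;
    return c;
}

/* Constructed sample: 10.0.0.7 is a normal SMB client of file server 10.0.0.1;
 * 10.0.0.5 behaves like an infected host scanning random addresses on 445,
 * then opening the 9996 shell on a victim, which fetches the worm from 5554. */
const char *const SAMPLE[] = {
    "1083340800 10.0.0.7 10.0.0.1 445",
    "1083340800 10.0.0.5 203.0.113.4 445",
    "1083340800 10.0.0.5 198.51.100.77 445",
    "1083340801 10.0.0.5 192.0.2.19 445",
    "1083340801 10.0.0.5 203.0.113.90 445",
    "1083340801 10.0.0.5 198.51.100.8 445",
    "1083340802 10.0.0.5 192.0.2.200 445",
    "1083340802 10.0.0.5 203.0.113.150 445",
    "1083340802 10.0.0.5 198.51.100.31 445",
    "1083340803 10.0.0.5 192.0.2.77 445",
    "1083340804 10.0.0.5 192.0.2.77 9996",
    "1083340805 192.0.2.77 10.0.0.5 5554",
    "1083340805 10.0.0.7 10.0.0.1 445",
    "1083340810 10.0.0.7 10.0.0.1 445",
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void)
{
    char hits[8][ADDR_LEN];
    int n = detect_scanners(SAMPLE, SAMPLE_N, hits, 8);
    for (int i = 0; i < n; i++)
        printf("possible LSASS/445 scanner: %s\n", hits[i]);
    printf("flows to worm ports 5554/9996: %d\n", count_worm_port_flows(SAMPLE, SAMPLE_N));
    return 0;
}
```

On the sample only 10.0.0.5 is reported, because the legitimate client keeps contacting one destination while the worm's 128 scanning threads produce many distinct ones. The fan-out check is the one that generalises beyond Sasser to any 445-scanning worm; the fixed ports 5554 and 9996 are specific to this worm and only confirm what the fan-out already suggests.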

12
The extent of spread 1/3
  • Taiwan's national post office said 1,600 of its
    machines were hit by the worm, which forced more
    than 400 of its 1,200 branch offices to revert to
    pen and paper.
  • The news agency Agence France-Presse (AFP) had all
    its satellite communications blocked for hours.
  • The U.S. airline Delta Air Lines had to cancel
    several transatlantic flights because its
    computer systems had been infected by the worm.

13
The extent of spread 2/3
  • The X-ray department at Lund University Hospital
    had all of its four layer X-ray machines disabled
    for several hours and had to redirect emergency
    X-ray patients to a nearby hospital.
  • Staff at Australia's Westpac Bank were forced to
    record transactions by hand as the worm made
    their computers unusable.

14
The extent of spread 3/3
  • The security supplier mi2g has claimed that the
    Sasser worm caused enough damage to be considered
    one of the most damaging pieces of malware of all
    time.
  • All of the Sasser variants together have reportedly
    caused between USD 14.8bn and USD 18.1bn of
    estimated damage worldwide.

15
Could this have been avoided?
  • A patch for the vulnerability Sasser exploits
    (Microsoft Security Bulletin MS04-011) was first
    released on 13 April 2004 and then updated on 28
    April. Sasser was first found on 30 April, so a
    machine patched in that window was never at risk.
  • Specialists have speculated that the worm's creator
    reverse-engineered the patch to discover the
    vulnerability, which is why the time between a
    patch's release and its deployment matters.

16
References
  • Search Security:
    http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci553536,00.html
  • CNET:
    http://reviews.cnet.com/4520-6600_7-5133023-1.html
  • BBC News:
    http://news.bbc.co.uk/2/hi/technology/3682537.stm
  • Wikipedia.org:
    http://www.wikipedia.org