What does exploit mean? And the Sasser worm - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

What does exploit mean? And the Sasser worm

Description:

An exploit in computing is an attack on a computer system, that takes advantage ... CNET: http://reviews.cnet.com/4520-6600_7-5133023-1.html. BBC News: ... – PowerPoint PPT presentation

Number of Views:56
Avg rating:3.0/5.0
Slides: 17
Provided by: christia4
Category:
Tags: cnet | exe | exploit | lsass | mean | reviews | sasser | worm

less

Transcript and Presenter's Notes

Title: What does exploit mean? And the Sasser worm


1
What does exploit mean?And theSasser worm
  • Seminar on Software Engineering,
  • Short Presentation
  • 07.02.2008
  • Christian Gruber

2
Definition
  • An exploit in computing is an attack on a
    computer system, that takes advantage of a
    particular vulnerability which the system offers
    to intruders.
  • Exploit can be in different forms
  • a piece of software
  • sequence of commands
  • valid / bad input

3
Definition continued
  • Normally a single exploit takes advantage of a
    specific software vulnerability.
  • Exploits are normally designed to provide
  • -superuser-level access
  • -privilege escalation
  • -denial of service attack
  • It is also possible to use several exploits to
    gain access to resources. First to gain low-level
    access, then escalating privileges repeatedly
    until one reaches superuser-level.

4
Classification
  • There are several ways of classifying exploits.
    The most common method is by how the exploit
    contacts the vulnerable software.
  • Local exploit
  • Remote exploit
  • Exploits against client applications

5
  • Zero-day exploit is an attack that takes place
    immediately after a security vulnerability is
    announced.
  • Usually used by hackers/crackers in order to
    cause unintended or unanticipated behavior to
    occur on computer software.
  • When an exploit is found, the vulnerability is
    fixed through a patch. After applying the patch
    exploit becomes obsolete.

6
Different exploit types
  • Exploits can be categorized by the type
    vulnerability they exploit or the method of
    exploitation.
  • - Buffer overflow
  • - Heap overflow
  • - Stack buffer overflow
  • - Integer overflow
  • Return-to-libc attack
  • Format string attack

- Race condition - Code injection - SQL
injection - Cross-site scripting - Cross-site
request forgery
7
Sasser worm
  • Sasser is a computer worm that affects computers
    which are running vulnerable versions of
    Microsofts operating systems Windows XP and
    Windows 2000.
  • Like other worms, Sasser spreads by exploiting
    the operating system through a vulnerable network
    port.
  • It can spread without the help of the user.

8
  • Sasser was first noticed and started spreading on
    April 30, 2004. This worm was named Sasser
    because it spreads by exploiting a buffer
    overflow in the component known as LSASS (Local
    Security Authority Subsystem Service) on the
    affected operating systems.
  • Sasser does not have a malicious payload, meaning
    it does not destroy or alter information within a
    computer.

9
How it works 1/3
  • Sasser takes advantage of a buffer overflow flaw
    in the Local Security Authority Subsystem
    (LSASS), which allows an attacker to gain control
    of infected systems.
  • Sasser adds a copy of itself to the Windows
    directory under the name AVSERVE.EXE
  • It adds the following to the system Registry
    file HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window
    s\CurrentVersion\Run avserve.exe
    c\Windows\avserve.exe

10
How it works 2/3
  • This change to the Registry allows the worm to
    run once the machine reboots.
  • Sasser starts an FTP server on TCP port 5554.
    Meanwhile, it uses TCP port 445 to search random
    chunks of the Internet for additional Windows
    2000 and Windows XP that have not patched the
    LSASS flaw. Sasser launches 128 threads to scan
    the random IP addresses and listens on successive
    ports starting with TCP port 1068. Port 445 is
    used by the Windows file-sharing protocol.

11
How it works 3/3
  • If the Sasser worm finds a vulnerable machine on
    a local network or the Internet, the worm sends a
    specially crafted packet to cause a
    buffer-overflow in lsass.exe. The overflow
    contains instructions in a script file, cmd.ftp,
    on the newly infected machine to open TCP port
    9996 and instructions to download a copy of
    itself from TCP port 5554 on the previously
    infected machine.
  • The file cmd.ftp is then erased. Sasser creates a
    win.log in the root directory of the newly
    infected machine that contains the number of
    remote systems currently infected and the IP
    address of the last infected system.

12
The extent of spread 1/3
  • Taiwan's national post office said 1,600 of its
    machines were hit by the virus which forced more
    than 400 of its 1200 branch offices to revert to
    pen and paper.
  • News agency Agence France-Presse (AFP) had all
    its satellite communications blocked for hours.
  • U.S. flight company Delta Air Lines had to cancel
    several trans-atlantic flights because its
    computer systems had been infected by the worm.

13
The extent of spread 2/3
  • The X-ray department at Lund University Hospital
    had all their four layer X-ray machines disabled
    for several hours and had to redirect emergency
    X-ray patients to a nearby hospital.
  • Australia Westpac Bank staff were forced to use
    manual methods to record transactions as the
    virus made computers unusable.

14
The extent of spread 3/3
  • Security solutions supplier mi2g has claimed that
    the Sasser worm has caused enough damage to be
    considered one of the worst malware of all time.
  • All of the Sasser variants have reportedly caused
    between USD14.8bn and USD18.1bn worth of
    estimated damage worldwide.

15
Could this have been avoided?
  • A patch for the vulnerability Sasser exploits was
    first released on 13 April and then updated on 28
    April. (Sasser was first found on the 30 April).
  • Specialists have speculated that the worm creator
    reverse-engineered the patch to discover the
    vulnerability.

16
References
  • Search Security
  • http//searchsecurity.techtarget.com/sDefinition/0
    ,,sid14_gci553536,00.html
  • CNET
  • http//reviews.cnet.com/4520-6600_7-5133023-1.html
  • BBC News
  • http//news.bbc.co.uk/2/hi/technology/3682537.stm
  • Wikipedia.org
  • http//www.wikipedia.org
Write a Comment
User Comments (0)
About PowerShow.com