
84     Chapter 2 • General Security Concepts: Attacks

             Worms

A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks. Worms run automatically within OSes and software and are invisible to the user. Often, worms aren't even noticed on systems until the network resources are completely consumed, or the victim PC's performance is degraded to unusable levels. Some worms are not only self-replicating but also contain a malicious payload.

There are many ways in which worms can be transmitted, including e-mail, Internet chat rooms, P2P programs, and of course the Internet. It's worthwhile to look at some of the most famous worms of the past years.

■ The Nimda and Code Red worms in 2001 attacked known vulnerabilities in Microsoft's Internet Information Server (IIS) Web Server. These two worms and their variants replicate themselves on the victim machines and begin scanning the network for additional vulnerable machines. Nimda and Code Red certainly set another precedent for the danger of worms, and are not harmless. Nimda creates open network shares on infected computers, and also creates a Guest account with Administrator privileges, thus allowing access to the system and opening it up to whatever a knowledgeable hacker wants to do to it. Code Red (and its variant, Code Red II, which also opened a backdoor for the attacker) defaces Web sites, degrades system performance and causes instability by spawning multiple threads and using bandwidth.

■ The SQL Slammer worm in 2003 exploited a known buffer overflow in Microsoft's SQL Server and Microsoft SQL Server Desktop Engine (MSDE). It caused infected machines to generate enormous amounts of traffic in attempts to reproduce itself. Local networks and the Internet itself slowed down considerably, and the worm infected thousands of machines and servers.

■ The Blaster worm in 2003 exploited a known buffer overflow in Microsoft's Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) service, and caused instability and spontaneous reboots in infected machines. It also tried to perform a DDoS attack against windowsupdate.com, which was easily thwarted.

■ The Sasser worm in 2004 exploited a known buffer overflow in Microsoft's LSASS service through port 139, and caused infected machines
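The propagation behaviour every worm above shares, one infected host scanning for many more vulnerable machines and flooding the network while doing so, is what a defender can look for in flow records. The following is an added example, not code from the book, of a simple fan-out detector run over constructed NetFlow-style records; the window length, threshold, IP addresses and the use of tcp/139 in the sample data are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # sliding window length (assumed tuning value)
FANOUT_THRESHOLD = 20   # distinct destinations on one port that trigger an alert


def detect_scanners(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Flag sources that contact many distinct hosts on the same port quickly.

    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port) records.
    Returns {(src_ip, proto, dst_port): peak distinct destinations in a window}
    for every source that reached the threshold. Worm propagation shows up as
    one source fanning out to many targets; ordinary clients do not.
    """
    recent = defaultdict(deque)   # (src, proto, port) -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, proto, port in sorted(flows):
        key = (src, proto, port)
        window_flows = recent[key]
        window_flows.append((ts, dst))
        # Drop records older than the window so slow, legitimate traffic is ignored.
        while window_flows and window_flows[0][0] < ts - window:
            window_flows.popleft()
        distinct = len({d for _, d in window_flows})
        if distinct >= threshold and distinct > alerts.get(key, 0):
            alerts[key] = distinct
    return alerts


def sample_flows():
    """Constructed sample data (hypothetical hosts), not a real capture."""
    # Ordinary client: a handful of file-share connections spread over a minute.
    normal = [(12 * i, "10.0.0.5", f"10.0.0.{10 + i}", "tcp", 445) for i in range(5)]
    # Worm-like host: 40 distinct targets on tcp/139 in under 8 seconds.
    worm = [(100 + 0.2 * i, "10.0.0.7", f"10.0.1.{i + 1}", "tcp", 139) for i in range(40)]
    # Slow host: 25 distinct targets, but one every 5 seconds, never 20 in a window.
    slow = [(200 + 5 * i, "10.0.0.9", f"10.0.2.{i + 1}", "tcp", 139) for i in range(25)]
    return normal + worm + slow


if __name__ == "__main__":
    for (src, proto, port), peak in detect_scanners(sample_flows()).items():
        print(f"ALERT {src} reached {peak} distinct hosts on {proto}/{port} within {WINDOW_SECONDS}s")
```

Only the fast-scanning host is reported; the sliding window keeps the slow host below threshold, which is the trade-off to tune against the scan rate you expect to catch.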




          www.syngress.com