
    Example: Detecting a Worm

    Worms and Trojans often bypass firewalls and other traditional security measures to enter a network. In this example, you create a custom attack object to detect the Blaster worm on your network.

    The CERT advisory (http://www.cert.org/advisories/CA-2003-20.html) for the Blaster worm gives the following information:

    “The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface...”

    From this information, you know that the attack uses a DCOM exploit, a previously identified security hole. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. Unfortunately, none of the referenced Web pages contain exploit code. After searching the Web using the information you learned from the CERT advisory, you locate exploit code on PacketStorm (http://packetstormsecurity.com/0307-exploits/dcom.c).

    To develop this attack object:

    1. Reproduce the attack to determine the attack context, direction, and pattern. Ideally, run scio ccap and Wireshark concurrently so that you have to run the attack only once. Figure 1 shows the packet capture in Wireshark.

      Figure 1: Blaster Worm Packet Capture

    2. Discover the elements of the attack signature:

      • Service. The traffic captured in this example is ICMP, for which the IDP OS does not support service contexts. Review the packet capture to confirm that the protocol is ICMP.
      • Context. Use scio ccap to determine whether a particular service context can be matched. In this example, the IDP system does not support ICMP service contexts, so the output of scio ccap is blank. You must therefore use the first packet context for the attack.
      • Pattern. Select the first frame listed in Wireshark and review the decoded fields in the second pane. A normal ICMP echo request carries only a small, innocuous payload (typically a timestamp followed by an incrementing byte pattern), so the 64-byte data payload deserves a closer look. It is plainly irregular: 64 repeated “AA” bytes, which is characteristic of code attempting to overflow a buffer. Because this pattern is unusual in an ICMP packet, select it as your signature.
      • Direction. Locate the source IP address that initiated the session. ICMP echo traffic has no client or server side for the IDP to track, so in this example you cannot determine the attack direction, and the attack object must match regardless of direction.
    3. Create an attack object to match the attack signature. In this example, use the following regular expression to match the signature (64 consecutive 0xAA bytes, followed by anything):
      \X AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA \X.*

      Figure 2 shows the Custom Attack – Attack Pattern page for this example.

      Figure 2: Blaster Worm Attack Pattern


      In this expression:

      • The \X delimiters bracket a sequence of hexadecimal byte values; every byte between the opening and closing \X must match literally.
      • The dot star combination (.*) is a wildcard match. When used at the end of an expression, it indicates that anything can follow the specified bytes.
    4. Test the attack object. Replay the capture from step 1 through a policy that uses the new attack object and confirm that it fires, and also send ordinary ICMP echo traffic (for example, a standard ping) to confirm that the object does not match legitimate packets.
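    The matching logic of steps 1 to 4, as an added Python example; this is not code from the original Juniper documentation and does not use the IDP's own matching engine. It translates the \X ... \X.* pattern above into a byte regex, parses raw IPv4/ICMP packets with the standard library only, and applies the pattern in a first-packet style (one packet's ICMP data at a time). The two packets are constructed inline (RFC 5737 documentation addresses, a fixed timestamp) rather than taken from the capture in Figure 1, and the helper names are the example's own.

```python
import re
import struct

# The attack pattern from the example above, in IDP notation: \X ... \X brackets
# a run of hexadecimal byte values, and the trailing .* lets anything follow.
BLASTER_PATTERN = r"\X " + " ".join(["AA"] * 64) + r" \X.*"


def signature_to_regex(pattern: str) -> re.Pattern:
    """Translate an IDP-style pattern into a compiled Python bytes regex.

    Odd-numbered segments between \\X delimiters are hex byte values and are
    matched literally; the text outside them is kept as ordinary regex syntax.
    """
    parts = pattern.split(r"\X")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced \\X delimiters in pattern")
    regex = b""
    for i, part in enumerate(parts):
        if i % 2 == 1:
            regex += re.escape(bytes.fromhex(part.replace(" ", "")))
        else:
            regex += part.strip().encode()
    return re.compile(regex, re.DOTALL)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Assemble a raw IPv4/ICMP echo request (constructed test input, not a real capture)."""
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp_hdr + payload), ident, seq) + payload
    src_b, dst_b = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 1 (ICMP), checksum, src, dst
    fields = [0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload), or None if not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or len(pkt) < ihl + 8:  # protocol 1 = ICMP; 8-byte echo header
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    icmp = pkt[ihl:total_len]
    return src, dst, icmp[0], icmp[1], icmp[8:]  # data follows type/code/checksum/id/seq


SIGNATURE = signature_to_regex(BLASTER_PATTERN)


def matches_signature(pkt: bytes, signature: re.Pattern = SIGNATURE) -> bool:
    """First-packet context: apply the pattern to the ICMP data of a single packet."""
    parsed = parse_ipv4_icmp(pkt)
    return parsed is not None and signature.search(parsed[4]) is not None


def scan(packets):
    """Report (src, dst) for every matching packet. ICMP has no client/server
    direction to track, so the "initiator" is simply whichever host sent it."""
    return [(p[0], p[1]) for p in map(parse_ipv4_icmp, packets)
            if p is not None and SIGNATURE.search(p[4])]


# Constructed samples (RFC 5737 documentation addresses, not real hosts).
WORM_PROBE = build_echo_request("192.0.2.10", "198.51.100.25", b"\xaa" * 64)
# A normal ping: 8-byte timestamp followed by the incrementing pattern 0x08..0x37.
BENIGN_PING = build_echo_request("192.0.2.10", "198.51.100.25",
                                 struct.pack("!Q", 0x5EC0FFEE) + bytes(range(0x08, 0x38)))

if __name__ == "__main__":
    for name, pkt in (("worm probe", WORM_PROBE), ("benign ping", BENIGN_PING)):
        print(f"{name}: {'MATCH' if matches_signature(pkt) else 'no match'}")
    print(scan([WORM_PROBE, BENIGN_PING]))
```

    The benign ping is the false-positive check from step 4: its 56-byte payload never contains a 64-byte run of 0xAA, so only the probe matches. Because the pattern is searched within the payload, the trailing .* adds nothing to the match itself; it only documents that the signature does not care what follows the 64 bytes.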

    Published: 2011-02-08