What it did:
– Determine where it could spread
– Spread its infection
– Remain undiscovered and undiscoverable
Effect
Resource exhaustion – repeated infection due to a programming bug
Servers are disconnected from the Internet by system admins to stop the infection
Exploit security flaws
– Guess passwords (encrypted passwd file readable)
– Fingerd: buffer overflow
– Sendmail: trapdoor (accepts shell commands)
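The first flaw above only works because the password hashes sit in a world-readable file, so they can be guessed offline. A defender's audit for that condition, written as an added example (not part of the original slides), is shown below: it parses passwd-format lines, flags entries that still carry a hash (or an empty password) in the passwd file instead of a shadow marker, and checks whether the file is world-readable. The sample lines and the hash value in them are constructed.

```python
import os
import stat

# Constructed passwd lines (not from a real system): root and daemon are
# shadowed, alice still has her hash in the world-readable file, and bob has
# an empty password field.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:$6$constructedsalt$constructedhashvalue:1000:1000:Alice:/home/alice:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob::1001:1001:Bob:/home/bob:/bin/sh
"""


def classify_passwd_entries(passwd_text):
    """Return {'exposed': [...], 'empty': [...]} for a passwd-format text.

    'exposed' lists users whose password field holds a hash (guessable offline
    by anyone who can read the file); 'empty' lists users with no password at
    all. Fields that start with 'x', '*' or '!' are shadow markers or locked
    accounts and are fine.
    """
    exposed, empty = [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; a full audit would report it
        user, pw = fields[0], fields[1]
        if pw == "":
            empty.append(user)
        elif pw not in ("x",) and not pw.startswith(("*", "!")):
            exposed.append(user)
    return {"exposed": exposed, "empty": empty}


def is_world_readable(path):
    """True when the 'other' read bit is set on path."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_passwd_file(path="/etc/passwd"):
    """Combine both checks for a real file on the host."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        findings = classify_passwd_entries(f.read())
    findings["world_readable"] = is_world_readable(path)
    return findings


if __name__ == "__main__":
    print(classify_passwd_entries(SAMPLE_PASSWD))
```

On a modern system every entry should report as shadowed; any user in the `exposed` list means the hash is available to every local account, which is exactly the precondition for the offline guessing the slide describes.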
Spread
– Bootstrap loader to target machine, then fetch
– Rest of code (password authenticated)
Remain undiscoverable
– Load code in memory, encrypt it, remove the file
– Periodically change name and process ID
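Both hiding tricks leave traces a host-based check can look for. As an added example (not part of the original slides), the Python below walks the Linux proc filesystem and reports processes whose executable has been unlinked from disk (the kernel appends " (deleted)" to the `/proc/<pid>/exe` link target) and processes whose kernel-visible name no longer matches the executable they were started from. The proc layout is real Linux behaviour; the sample link targets in the test are constructed. The name-mismatch heuristic is noisy for interpreters and daemons that rename themselves, so treat it as a lead rather than a verdict.

```python
import os

PROC = "/proc"  # Linux proc filesystem root


def exe_was_unlinked(link_target):
    """True when a /proc/<pid>/exe target shows the binary was removed while
    the process kept running (code lives only in memory now)."""
    return link_target.endswith(" (deleted)")


def name_mismatch(comm, exe_target):
    """True when the process name (comm, truncated by the kernel to 15 chars)
    does not match the basename of the executable it was started from.
    Heuristic only: interpreters and self-renaming daemons trigger it too."""
    exe_name = os.path.basename(exe_target.replace(" (deleted)", ""))
    return comm.strip()[:15] != exe_name[:15]


def suspicious_processes(proc_root=PROC):
    """Return a list of (pid, reason, detail) tuples for the running host."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings  # not a Linux host, nothing to scan
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm"), "r") as f:
                comm = f.read()
        except OSError:
            continue  # kernel thread, process exited, or no privilege to look
        if exe_was_unlinked(target):
            findings.append((int(entry), "exe-deleted", target))
        elif name_mismatch(comm, target):
            findings.append((int(entry), "name-mismatch", f"{comm.strip()} != {target}"))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in suspicious_processes():
        print(f"pid {pid}: {reason}: {detail}")
```

Run it as root to see every process; unprivileged runs silently skip processes they cannot inspect, which is itself worth remembering when interpreting an empty result.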
What we learned:
– Security scanning and patching
– Computer Emergency Response Team
Prevention: Limit contact to outside world
Detection and Identification
Removal
4 generations of antivirus software:
– simple scanners: Use “signatures” of known virus
– Heuristic scanners: integrity checking: checksum, encrypted hash
– Activity traps
– Full-featured analysis: host-based, network-based, sandbox-based
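The first two generations are small enough to show side by side. The following is an added example (not from the original slides): a signature scanner that looks for known byte patterns, and an integrity checker that records a baseline digest per file and later reports each file as unchanged, modified or missing. The checker takes an optional key; with it the digest is an HMAC, the "encrypted hash" of the slide, so an attacker who alters a file cannot recompute a matching value without the key. The signatures, file contents and key are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Generation 1: signatures. Constructed byte patterns, not real malware markers.
SIGNATURES = {
    "demo-sample-a": b"WORM-DEMO-PAYLOAD-A",
    "demo-sample-b": b"WORM-DEMO-PAYLOAD-B",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


# Generation 2: integrity checking.
def file_digest(path, key=None):
    """SHA-256 of the file, or HMAC-SHA256 when a key is given.

    The plain hash detects accidental change; the keyed hash also resists an
    attacker who can rewrite both the file and the stored checksum.
    """
    h = hmac.new(key, digestmod=hashlib.sha256) if key else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, key=None):
    """Record the trusted digest of each file."""
    return {p: file_digest(p, key) for p in paths}


def verify_baseline(baseline, key=None):
    """Return {path: 'ok' | 'modified' | 'missing'} against the baseline."""
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
            continue
        actual = file_digest(path, key)
        result[path] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    return result


def demo():
    """Create two constructed files, baseline them, tamper with one, re-check.

    Returns (integrity statuses, signature hits on the tampered file).
    """
    workdir = tempfile.mkdtemp()
    clean = os.path.join(workdir, "clean.bin")
    tampered = os.path.join(workdir, "tampered.bin")
    for path in (clean, tampered):
        with open(path, "wb") as f:
            f.write(b"original contents")
    key = b"constructed-baseline-key"  # would be kept off the monitored host
    baseline = build_baseline([clean, tampered], key)
    with open(tampered, "ab") as f:
        f.write(SIGNATURES["demo-sample-a"])  # simulate an infection appending code
    statuses = verify_baseline(baseline, key)
    with open(tampered, "rb") as f:
        hits = scan_bytes(f.read())
    return statuses, hits


if __name__ == "__main__":
    print(demo())
```

The contrast between the two functions is the point of the slide: `scan_bytes` only finds what it already has a pattern for, while `verify_baseline` flags any change at all but cannot say what the change is.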