2. Agenda
Facts – Age of Malware
Quick look at worm history
Worst worms ever
Petty Worm
PLZ The Name is: BetWorm
BetWorm: on the Future
Questions
3. The Famous - Who Am I Today ?!!!
* Penetration Tester Specialist and Security Researcher at DTS-Solution
* Certified a lot of things (would there be a difference?)
* Author of the WeBzY and XSSYA tools
* Experienced in Penetration Testing, SE Assessment and Physical Security for over 8 years
* Bug Hunter in my spare time – coding malicious stuff just for me
5. Worms History
1- Jerusalem (also known as BlackBox): Discovered in 1987; it deletes
files that are executed on any Friday the 13th.
2- Storm Worm: Discovered in 2007; an estimated 1 million to 10 million
computers were part of its botnet.
3- MSBlast: Discovered in 2003. When MSBlast hit, it installed a TFTP
(Trivial File Transfer Protocol) server and downloaded code onto the
infected host. Over 25 million hosts were known to be infected.
4- Melissa: Discovered in 1999. Melissa spread through Microsoft Word
97 and Word 2000; the Melissa worm caused $1 billion in damages.
5- Code Red: Discovered in 2001. The worm took advantage of a buffer
overflow vulnerability in Microsoft IIS servers; damages were estimated at
$2 billion.
6. Worst Worms Ever
* We will have a quick look at the worst worms ever.
Note: This is not a worm analysis talk.
7. MyDoom
When executed -> opens Notepad with garbage data in it.
When spreading -> the infection e-mails used to distribute copies of the
worm use variable subjects, bodies and attachment names.
Further actions -> opens a backdoor on infected computers, launching a
DLL file as a child process of Explorer.EXE.
Collection -> the worm collects addresses to send itself to from the Windows
Address Book and from files with the extensions (dbx - htm - txt - php).
8. Conficker
What does it do?
* Disables important system services and security products, such as
Windows Defender, Microsoft Security Essentials, or Windows Update.
* Downloads arbitrary files.
* Prevents you from visiting websites, including those that allow you to
download security updates.
How does the Conficker worm spread?
The Conficker worm spreads by copying itself to the Windows system
folder.
It also spreads through file sharing and through removable drives, such as USB
drives, especially those with weak passwords.
9. Sasser
What does it do?
* It creates a copy of itself in the Windows directory as 'avserve.exe'.
This copy is added to the Registry.
* Exploits the MS04-011 (LSASS) vulnerability to gain access.
* The worm starts 128 scanning threads that try to find vulnerable
systems at random IP addresses. Computers are probed on port 445,
which is the default port for Windows SMB communication on NT-based
systems.
Summary of TCP ports used by the worm:
445/TCP: The worm attacks through this port
9996/TCP: Remote shell opened by the exploit on the vulnerable hosts
10. So What Do They Have in Common?
The common functions that all harmful worms share are obvious:
Spread: by exploiting operating system vulnerabilities.
Harm: networks, by consuming bandwidth and overloading web servers.
Hold: "payloads" that damage host computers, or hold backdoors.
Replicate: computer worms have the ability to self-replicate.
11. Petty Worm
* We have created a lot of defenses to protect ourselves against harmful
worms: we implement AVs, firewalls, IPS, IDS, etc., and we run
offensive tasks to measure our security effectiveness.
* But we never think of using worms as a defense!
12. Petty Worm
* Worms are good but people are bad.
So what next? I reverse worm intentions! Creating Petty Worm.
13. PLZ The Name: BetWorm
BetWorm
* Use the offensive mechanism for a defensive solution.
* Use the common functions of a harmful worm, but in reverse.
Spread: by authenticating to host computers in the same LAN.
Safe: does not consume bandwidth or overload web servers.
Cure: by collecting all possible weaknesses that might be used by attackers.
Controllable: it can't spread outside your network.
14. PLZ The Name: BetWorm
BetWorm
* BetWorm is written in Python
* Defensive & offensive worm: endpoint security from the attacker's perspective
* The worm only runs as a limited-privilege user
* Compatible with Linux environments (first stage of the project)
* It's about online scripts + modifications + my own script
16. PLZ The Name: BetWorm
So what does BetWorm actually do?
!Spreading!
* It scans an entire range you specify for hosts that are up and running SSH
* Connects using credentials you specify (limited user)
* Drops BetWorm in /tmp/, or any path of your choice
18. PLZ The Name: BetWorm
So what does BetWorm actually do?
Who is the target?!
* Gives you all system information (kernel, hostname, OS, logged-in
users, environment)
* Running applications and all current users
* First stage of any attack (know your target)
20. PLZ The Name: BetWorm
So what does BetWorm actually do?
How vulnerable is the target?!
* Analyzes all attack points: client-side attack
* Outdated applications and processes (privilege escalation)
* You get a shell (case)
22. PLZ The Name: BetWorm
So what does BetWorm actually do?
Does the target have malicious connections?!
* Detects live connections on the target machine
* Checks whether the user has active connections to malicious domains
* Based on comparison
* Self-deleting
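The "based on comparison" step above, as an added example that is not BetWorm's own code: parse connection listings in the style of `ss -tnp` and flag peers that fall inside a blocklist. The sample output and the blocklist entries are constructed placeholders, and the row regex assumes IPv4 peers only.

```python
import ipaddress
import re

# Constructed sample in the style of `ss -tnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB     0      0      10.0.0.5:52344      203.0.113.10:443    users:(("firefox",pid=2210,fd=88))
ESTAB     0      0      10.0.0.5:52390      198.51.100.7:6667   users:(("python3",pid=3411,fd=3))
ESTAB     0      0      10.0.0.5:22         10.0.0.20:58812     users:(("sshd",pid=901,fd=4))
TIME-WAIT 0      0      10.0.0.5:41022      192.0.2.55:80
"""

# Constructed blocklist standing in for indicators loaded from threat intel (placeholders).
BLOCKLIST = ["198.51.100.0/24", "192.0.2.55"]

# One ss row: state, two queue counters, local addr:port, peer addr:port, optional process.
# Assumption: IPv4 only; IPv6 rows use [addr]:port and are skipped by this regex.
ROW_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(.*))?$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(output):
    """Turn ss-style text into a list of connection dicts (header line dropped)."""
    conns = []
    for line in output.splitlines()[1:]:
        m = ROW_RE.match(line)
        if not m:
            continue
        state, laddr, lport, raddr, rport, proc = m.groups()
        pm = PROC_RE.search(proc or "")
        conns.append({
            "state": state, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport),
            "process": pm.group(1) if pm else None,
            "pid": int(pm.group(2)) if pm else None,
        })
    return conns

def load_blocklist(entries):
    """Accept single IPs or CIDR ranges; each entry becomes an ip_network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def find_suspicious(conns, networks):
    """Comparison step: flag every connection whose peer lies in a blocklisted network."""
    hits = []
    for c in conns:
        peer = ipaddress.ip_address(c["raddr"])
        if any(peer in net for net in networks):
            hits.append(c)
    return hits

if __name__ == "__main__":
    for h in find_suspicious(parse_ss(SAMPLE_SS_OUTPUT), load_blocklist(BLOCKLIST)):
        print(f"{h['state']} {h['raddr']}:{h['rport']} <- pid={h['pid']} ({h['process']})")
```

On a real host the same functions can be fed the output of `ss -tnp` (or `netstat -tnp`) instead of the constructed sample; a hit on a TIME-WAIT row still matters, since it shows a connection that recently completed.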
25. BetWorm on the Future !
What will BetWorm do?
* BetWorm is a very new open-source project
* BetWorm will have the ability to spread faster
* It will have the ability to collect all weaknesses, save them as HTML and
send them back to the Petty command and control server
26. BetWorm on the Future !
What will BetWorm do?
* It will have its own local web server
* BetWorm will be compatible with Linux and Windows
* GUI, so you only fill in the empty fields, hit and run
27. BetWorm on the Future !
What will BetWorm do?
* BetWorm -> will be uploaded to GitHub by the end of the conference
* Please feel free to contribute, report issues, or share any new
ideas
28. BetWorm Is Available!
https://github.com/yehia-mamdouh/BetWorm
* For any contribution, issue fix, or comment, get it from
GitHub