(ATTT) NguyenThaiThanhDat 14111191
INDIVIDUAL ASSIGNMENT
INFORMATION SECURITY COURSE
RESEARCH ON COMPUTER WORMS
c. Behaviour
The worm tries to connect to port 80 on randomly chosen machines that are running a web service. Once a connection succeeds, Code Red sends HTTP GET requests to that site. These requests carry exploit code that triggers a buffer overflow, which lets the worm execute the code that follows. The worm writes no file to the hard disk; it runs directly in the memory of the victim host. The attack packet it sends has the form:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN
%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
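The request above has three features a web-server log or IDS can key on: the .ida target (handled by the Index Server ISAPI extension the worm abused), a long run of one padding character filling the buffer, and IIS-specific %uXXXX escapes carrying the payload. The following Python is an added example written for this page, not code from the original assignment; it reconstructs the request from the fragments shown (the 224 N characters as a repeat count), classifies request lines on those three features, and runs over a small constructed log. Thresholds (100 repeated characters) and the sample log lines are assumptions.

```python
import re

# The request shown above, joined onto one line (constructed from the page's fragments;
# the 224 'N' padding bytes are written as a repeat count).
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    + "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

# IIS-specific %uXXXX escapes: a legitimate query string almost never uses them.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
# A long run of one repeated character: the padding that fills the buffer up to the overflow point.
PAD_RUN = re.compile(r"([A-Za-z])\1{99,}")
# Extensions handled by the Index Server ISAPI extension the worm targeted.
INDEX_SERVER_EXTENSIONS = (".ida", ".idq")


def parse_request_line(line):
    """Split an HTTP/1.x request line into (method, target, version); None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def classify_request(line):
    """Score one request line and return a verdict dict."""
    parsed = parse_request_line(line)
    if parsed is None:
        return {"verdict": "malformed", "reasons": ["bad_request_line"], "query_len": 0}
    _method, target, _version = parsed
    path, _, query = target.partition("?")
    reasons = []
    if path.lower().endswith(INDEX_SERVER_EXTENSIONS):
        reasons.append("index_server_extension")
    run = PAD_RUN.search(query)
    if run:
        reasons.append(f"pad_run:{len(run.group(0))}")
    escapes = UNICODE_ESCAPE.findall(query)
    if escapes:
        reasons.append(f"unicode_escapes:{len(escapes)}")
    if "index_server_extension" in reasons and run and escapes:
        verdict = "code_red_like"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "reasons": reasons, "query_len": len(query)}


def scan_access_log(lines):
    """Classify each request line; return the non-benign ones as (line_no, verdict, reasons)."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_request(line)
        if result["verdict"] != "benign":
            hits.append((n, result["verdict"], result["reasons"]))
    return hits


# Constructed sample log: two ordinary requests and the worm request.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /search.asp?q=quarterly+report HTTP/1.1",
    CODE_RED_REQUEST,
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Any one feature alone is only "suspicious" (a long repeated run can be a legitimate but odd query); all three together match the worm's request shape. Because the page says the worm never touches disk, the request line in the web server's log is often the only durable trace of an infection attempt, which is why detection belongs at the request-logging layer rather than on the file system.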
After a successful exploit, the worm checks whether the file C:\notworm exists. If it does, the process temporarily goes to sleep; otherwise it starts spawning processes. Each process can spawn further child processes, and this continues until the count reaches 100.
If the date is before the 20th of the month, 99 of these processes keep exploiting other systems at randomly generated IP addresses.
The 100th process defaces the website's default home page.
If the date falls between the 20th and the 28th of the month, the running processes launch a denial-of-service attack against the home page of the White House of the US Government (address http://www.whitehouse.gov) by sending it a large volume of junk data.
The Code Red variant Code Red II, discovered on 4 August 2001, uses the same buffer-overflow bug but with exploit code different from the original. On infection it behaves as follows:
It creates a backdoor on the exploited machine by copying cmd.exe to a directory that can be reached.
It creates a trojan explorer.exe in the website's root directory.
It spreads far more aggressively. If the IIS server is located in China it spawns up to 600 processes that keep exploiting other servers for 48 hours; if the server is outside China it spawns 300 processes and spreads for 24 hours. After that infection period the system is forced to reboot, which wipes every trace of the worm from the infected machine's memory, leaving only the trojan explorer.exe.
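The two artefacts Code Red II leaves behind are exactly what a host check can look for once the in-memory worm has been rebooted away: a byte-identical copy of cmd.exe somewhere under the web root, and a file called explorer.exe that is not the real one. The following Python is an added example for this page, not the assignment's code; it walks a web root, reports every cmd.exe or explorer.exe beneath it, and uses a hash comparison against the genuine system binaries to say which of the two cases it found. The directory names (system32, wwwroot, scripts) and file contents are constructed assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# File names the page says Code Red II plants: a copy of cmd.exe in a reachable directory
# and a trojan explorer.exe in the website's root directory.
WATCHED_NAMES = {"cmd.exe", "explorer.exe"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_finding(name, digest, genuine_hashes):
    """A watched name under a web root is always a finding; the hash says which kind."""
    if digest == genuine_hashes.get(name):
        return "relocated_system_binary"      # exact copy of the real tool (the cmd.exe backdoor)
    return "unknown_binary_with_system_name"  # something else wearing a system name (the trojan)


def find_planted_binaries(web_roots, genuine_hashes):
    """Walk each web root and report every cmd.exe / explorer.exe found beneath it."""
    findings = []
    for root in web_roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                name = fname.lower()
                if name in WATCHED_NAMES:
                    path = os.path.join(dirpath, fname)
                    findings.append((path, name, classify_finding(name, sha256_of(path), genuine_hashes)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a stand-in system32 holding the 'genuine' binaries and a web root
    (directory names are assumptions) seeded the way the page describes an infected host."""
    base = tempfile.mkdtemp(prefix="codered2_demo_")
    sys32 = os.path.join(base, "system32")
    webroot = os.path.join(base, "wwwroot")
    os.makedirs(sys32)
    os.makedirs(os.path.join(webroot, "scripts"))
    genuine = {}
    for name, content in (("cmd.exe", b"GENUINE-CMD"), ("explorer.exe", b"GENUINE-EXPLORER")):
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(content)
        genuine[name] = hashlib.sha256(content).hexdigest()
    with open(os.path.join(webroot, "scripts", "cmd.exe"), "wb") as f:   # backdoor: exact copy
        f.write(b"GENUINE-CMD")
    with open(os.path.join(webroot, "explorer.exe"), "wb") as f:         # trojan: different bytes
        f.write(b"TROJAN-EXPLORER")
    with open(os.path.join(webroot, "index.html"), "wb") as f:
        f.write(b"<html>ok</html>")
    return webroot, genuine


if __name__ == "__main__":
    webroot, genuine = build_sample_tree()
    for finding in find_planted_binaries([webroot], genuine):
        print(finding)
```

On a real host the genuine hashes would be taken from the binaries in the Windows system directory. Note that a hash check alone would miss the backdoor, since it is a faithful copy of cmd.exe; the finding comes from where the file sits, not from what it contains, which is why the check reports location first and uses the hash only to label the case.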
d. Impact
Figure: Code Red infection map
In under 14 hours, 359,104 hosts were compromised. The global Internet community seemed to absorb the shock of the Code-Red worm: the worm did not do significant damage to the infected machines, it merely scheduled a denial-of-service attack for a preset time. Although it tried to launch a denial-of-service (DoS) attack against http://www.whitehouse.gov, it aimed the attack at the server's IP address rather than at the domain name, and it checked that port 80 was reachable at whitehouse.gov's IP address before launching the DoS. These features made the denial of service trivially easy to neutralise.
5/ Slammer (2001)
A worm capable of attacking Microsoft's database software spread widely across the Internet on 25 January 2003, taking some types of cash machine out of service, congesting most of South Korea's Internet and slowing network traffic in the US and on the global Internet in general.
The worm, named SQL Slammer, spread by exploiting a bug that had been discovered in Microsoft's SQL Server database software in July 2002. Although a patch was made available after the flaw was found, many network administrators had still not been able to install it, leaving their servers exposed.
Bank of America in the US reported that 13,000 ATMs refused to dispense cash. In South Korea, the largest Internet provider, KT, said almost all of its customers lost Internet connectivity while the attack was under way. Computer users in China reported that websites hung and download speeds dropped sharply; that was when the country's DNS name servers (the servers that translate web addresses into numeric Internet Protocol (IP) addresses) were hit by SQL Slammer. With only 376 bytes of code, SQL Slammer had enormous power and caused an epidemic on a global scale.
The anti-virus vendor F-Secure said the consequences of the epidemic were severe because the worm generated a very large volume of packets on the network, overloading servers and routers and slowing network traffic. F-Secure reported that 5 of the 13 core name servers of the global Internet went down during the outbreak.
According to F-Secure, SQL Slammer's code instructs Microsoft SQL Server to run an infinite loop that continuously sends data to other machines, thereby carrying out a denial-of-service (DoS) attack. The worm's destructive power was comparable to the damage the Code Red virus did in the summer of 2001, when it brought Internet traffic worldwide to a halt.
Although SQL Slammer was not designed to destroy data on infected machines, anti-virus vendors and Microsoft rated it critical because of the losses it caused. According to experts, the worm does not spread by e-mail and does not directly affect home computers; however, PCs running Microsoft SQL Server 2000 Desktop Engine, for example with Visual Studio .NET or Office XP Developer Edition, are also at high risk.
Like the earlier Code Red worm, Slammer lives only in the memory of the infected server and neither creates nor modifies any file on the system. It can therefore be removed simply by killing the sqlserver.exe process or rebooting the machine. However, if the server has not had the update installed, it will quickly be re-infected by Slammer after the reboot. If the patch cannot be installed yet, block all UDP packets to port 1434 on the server or at the network. To eliminate the risk of Slammer infection completely, install Microsoft's fix immediately or install MSSQL 2000 Service Pack 3.
According to the anti-virus vendor MessageLabs, the first SQL Slammer attacks were detected at around 05:30 GMT on Saturday (12:30 Hanoi time) and were then reported continuously from many countries around the world.
Also according to MessageLabs, unlike mass-mailing worms, SQL Slammer writes no files to the computer's disk but sits in RAM. Because of this, SQL Slammer is very easy to kill (a reboot is enough), but it is also very hard for anti-virus software to detect. As soon as the machine restarts and reconnects to the Internet it is infected by SQL Slammer again, unless the bug the worm uses has been fixed.
System administrators also acted quickly to stop the worm from spreading further. By the end of Saturday the worm appeared to have passed its peak and its infection rate was falling. It was nevertheless recorded as the most damaging worm of the preceding 18 months, with losses possibly running to many millions of USD. South Korea was the country hit hardest.
7/ Sasser (2004)
a. General information
The Sasser worm was first reported on 30 April 2004 and spread rapidly across the Internet.
On its very first day, according to security experts, the Sasser worm infected more than a million computers and brought down many other computer systems.
Unlike other worms of the same period, Sasser did not spread by sending e-mail; instead it made its own way across the Internet. Microsoft confirmed that the Sasser worm (W32.Sasser.A and its variants) was propagating on the Internet. The worm exploits a vulnerability in the Local Security Authority Subsystem Service (LSASS) described in Microsoft Security Bulletin MS04-011, released on 13 April 2004.
b. Mechanism, propagation method and damage
It exploits the vulnerability identified as MS04-011 in Windows XP and Windows 2000 systems to gain remote access. Sasser starts 128 scanning processes that try to find vulnerable systems at random IP addresses. Machines are probed on port 445, the default port for the Windows SMB service.
The scanning probes can crash the probed machine. On Windows 2000 systems the user may see the following error message:
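Slammer (above, section 5) and Sasser (this section) propagate the same way: one infected host fires probes at randomly generated IP addresses, on UDP/1434 with a fixed 376-byte datagram in Slammer's case and on TCP/445 from 128 scanning processes in Sasser's. On the wire that looks like a burst of distinct destinations from a single source, which no ordinary client produces. The following Python is an added example for both passages, not code from the assignment; it applies a sliding-window fan-out detector to constructed flow records (not real traffic) and also shows what the detector misses. The window, threshold and sample addresses are assumptions; the port and size values are the page's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    nbytes: int    # payload bytes of the first packet in the flow (0 for a bare SYN)


# Traffic profiles taken from the two descriptions on this page:
#   Slammer: one UDP datagram to port 1434 carrying 376 bytes of code, aimed at random IPs
#   Sasser : TCP probes to port 445 (SMB) against random IPs from 128 scanning processes
WORM_PROFILES = {
    "slammer": {"proto": "udp", "dport": 1434, "nbytes": 376},
    "sasser":  {"proto": "tcp", "dport": 445,  "nbytes": None},   # any size
}


def matches_profile(flow, profile):
    if flow.proto != profile["proto"] or flow.dport != profile["dport"]:
        return False
    return profile["nbytes"] is None or flow.nbytes == profile["nbytes"]


def detect_worm_scanners(flows, window=60.0, fanout_threshold=20):
    """Return {src: {worm_name: peak_distinct_destinations}} for every source that
    reached at least `fanout_threshold` distinct destinations matching a worm
    profile inside some `window`-second span."""
    buckets = defaultdict(list)
    for f in flows:
        for name, profile in WORM_PROFILES.items():
            if matches_profile(f, profile):
                buckets[(f.src, name)].append((f.ts, f.dst))

    alerts = {}
    for (src, name), events in buckets.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until every remaining event is within `window` of ts
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= fanout_threshold:
            alerts.setdefault(src, {})[name] = peak
    return alerts


def build_sample_flows():
    """Constructed flow records (not real traffic) covering the cases that matter."""
    flows = []
    # Slammer-like: 50 distinct targets in two seconds, each a 376-byte UDP/1434 datagram
    for i in range(50):
        flows.append(Flow(1000.0 + i * 0.04, "10.0.0.5", f"10.1.0.{i}", "udp", 1434, 376))
    # Sasser-like: 128 scanner processes each probing a different host on TCP/445 within 4 s
    for i in range(128):
        flows.append(Flow(2000.0 + i * 0.03, "10.0.0.9", f"10.2.0.{i}", "tcp", 445, 0))
    # Benign: a workstation talking to one file server on 445 over a minute
    for i in range(40):
        flows.append(Flow(3000.0 + i * 1.5, "10.0.0.7", "10.0.0.100", "tcp", 445, 0))
    # Benign: a SQL Browser discovery query is a one-byte UDP/1434 datagram, not 376 bytes
    flows.append(Flow(3050.0, "10.0.0.7", "10.0.0.200", "udp", 1434, 1))
    # Slow scanner: Slammer-sized datagrams to 30 distinct hosts, one every six minutes
    for i in range(30):
        flows.append(Flow(4000.0 + i * 360.0, "10.0.0.11", f"10.3.0.{i}", "udp", 1434, 376))
    return flows


if __name__ == "__main__":
    print(detect_worm_scanners(build_sample_flows()))
```

With the defaults the two fast scanners are reported and the workstation is not, since all of its SMB traffic goes to one server. The slow scanner at 10.0.0.11 is missed because it never reaches 20 distinct hosts inside any 60-second window; widening the window and lowering the threshold catches it at the cost of more false positives, which is the usual trade-off for fan-out detectors. Detection complements the page's interim mitigation of blocking UDP/1434 at the host or network edge until the patch is installed: the block stops the infection, the detector tells you which hosts are already trying to spread.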
8/ Conficker
a. General information
One of the most notorious computer worms, first detected in early November 2008, Conficker, also known as Downup, Downadup and Kido, is a worm targeting the Microsoft Windows operating system, first detected in October 2008. Its first variant spread over the Internet by exploiting a vulnerability, discovered the previous month, in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta and Windows Server 2008 R2 Beta. The worm proved surprisingly difficult for network operators and law enforcement to deal with because it combined several advanced malware techniques.
Turning the clock back a few months: on 23 October 2008 Microsoft published the critical security bulletin MS08-067, "Vulnerability in Server Service Could Allow Remote Code Execution". Microsoft explained that the vulnerability in the Server service could allow remote code execution if an affected system received a remote procedure call (RPC). This could let an attacker exploit the vulnerability without authentication to run binary code on Windows 2000 Service Pack (SP) 4, Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista Gold and SP1, Windows Server 2008 and Windows 7. Microsoft also warned that the vulnerability could be used by a worm. It rated the vulnerability 10.0, its most severe rating, indicating a high-impact flaw with a high likelihood of successful exploitation.
Conclusion
The history of computer worms continues to evolve alongside the steady stream of vulnerability disclosures for software and devices. Today connectivity is an indispensable feature of every system, and with the arrival of IoT (Internet of Things) devices it matters more than ever. Networks and connectivity are the breeding ground of computer worms. Ensuring security and reducing the risk of worm-related incidents must therefore be addressed when designing and developing every information system. Solutions are needed to scan for and detect weaknesses, vulnerabilities and zero-day bugs so that countermeasures can be taken in time and the risk posed by computer worms reduced.