Analysis of the propagation modes of worms

Source: Internet
Author: User

Basic structure and propagation process of worms
Intrusion Process Analysis
Analysis of General Worm Propagation Modes
Other possible modes of Worm Propagation
Viewing the worm propagation mode from the perspective of security defense

I. Basic structure and propagation process of worms

The basic program structure of a worm is:

1. Propagation module: responsible for spreading the worm. This is the part discussed in this article.

2. Concealment module: after the worm has entered a host, this module hides the worm program so that users do not discover it.

3. Target function module: implements the control, monitoring, or damage functions on the compromised computer.

The propagation module itself consists of three sub-modules: a scanning module, an attack module, and a replication module.

The general propagation process of a worm program is:

1. Scanning: the worm's scanning module probes for vulnerable hosts. When the program sends a vulnerability probe to a host and receives a positive response, it has found a propagation target.

2. Attack: the attack module automatically attacks the target found in step 1, following the exploitation steps for that vulnerability, in order to obtain privileges on the host (generally administrator privileges) and a shell.

3. Replication: the replication module copies the worm program to the new host and starts it there, through interaction between the original host and the new host.

We can see that the propagation module actually implements automatic intrusion. Worm propagation technology is therefore the core technology of worms: without propagation technology there is no worm.

II. Analysis of the intrusion process

Presumably everyone is familiar with the general steps of an intrusion; let's briefly recall them.

Step 1: collect information about the target host in various ways to find usable vulnerabilities or defects.

Step 2: attack the host based on the vulnerabilities or defects found, until administrator privileges on the host are obtained.

Step 3: use the obtained privileges to install backdoors, pivots ("springboards"), control terminals, monitors, and so on, on the host, and clear the logs.

Let us analyze it step by step.

First, there are many ways to collect information, both technical and non-technical. Technical methods include scanning hosts with scanners to detect the operating system type and version, host names, user names, open ports, running services, and the versions of the server software. Non-technical methods include building a relationship with the host administrator, obtaining trust by deception, and coercion. Of course, the more information collected, the better. After the information is collected, go to step 2.

Step 2: analyze the collected information to find what can be used effectively. If there is a known vulnerability, look up the attack method on the Internet; if attack code is available, copy it directly and use it to obtain privileges. If no existing vulnerability can be exploited, the collected information can be used to test and guess user passwords; alternatively, the system in use can be tested and analyzed to find a usable vulnerability. If a way to obtain system privileges is finally found, go to step 3; otherwise, give up.

Step 3: with privileges on the host, do what you want. If you don't know what to do, quit and go play whatever game you like.

During scanning, the IP address ranges should be planned so that different worm instances do not repeatedly scan the same ranges; in addition, scanning should not be too concentrated in time. Vulnerability exploitation should be made modular, so that new vulnerabilities can be added easily.
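The scanning phase described above, together with the note that worm instances partition address ranges and spread their scans over time, is exactly what a network defender can look for: one source contacting many distinct hosts on the same port in a short time, with most attempts failing. The following added example (not from the original article) runs a simple sliding-window scan detector over constructed connection records; the addresses, timestamps and thresholds are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-attempt records (not real traffic):
# timestamp, source IP, destination IP, destination port, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.1.1 445 refused
2024-05-01T10:00:01 10.0.0.5 10.0.1.2 445 refused
2024-05-01T10:00:01 10.0.0.5 10.0.1.3 445 timeout
2024-05-01T10:00:02 10.0.0.5 10.0.1.4 445 refused
2024-05-01T10:00:02 10.0.0.5 10.0.1.5 445 accepted
2024-05-01T10:00:03 10.0.0.5 10.0.1.6 445 refused
2024-05-01T10:00:03 10.0.0.5 10.0.1.7 445 refused
2024-05-01T10:00:04 10.0.0.5 10.0.1.8 445 timeout
2024-05-01T10:00:05 10.0.0.7 10.0.2.9 443 accepted
2024-05-01T10:00:06 10.0.0.7 10.0.2.9 443 accepted
2024-05-01T10:00:07 10.0.0.7 10.0.3.2 443 accepted
2024-05-01T10:03:00 10.0.0.5 10.0.1.9 445 refused
"""

def parse_log(text):
    """Parse the whitespace-separated records into typed tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port, outcome = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), outcome))
    return records

def find_scanners(records, window=timedelta(seconds=60), min_targets=5, min_fail_ratio=0.6):
    """Return {(src, port): targets} for every source that, inside one sliding window,
    contacts at least min_targets distinct destinations on one port and where at
    least min_fail_ratio of those attempts did not complete (refused/timeout)."""
    by_key = defaultdict(list)
    for ts, src, dst, port, outcome in records:
        by_key[(src, port)].append((ts, dst, outcome))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            span = events[start:end + 1]
            targets = {dst for _, dst, _ in span}
            failed = sum(1 for _, _, outcome in span if outcome != "accepted")
            if len(targets) >= min_targets and failed / len(span) >= min_fail_ratio:
                if key not in alerts or len(targets) > len(alerts[key]):
                    alerts[key] = targets  # keep the widest window seen for this source/port
    return alerts
```

Slowing the scan rate, as the article's note recommends, pushes attempts outside a short window, so the window length and thresholds must be tuned against the site's normal traffic baseline rather than fixed once.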
