Worm resistance

19 Replies - 1270 Views - Last Post: 13 January 2012 - 02:05 AM

#1 Sinned

Posted 10 January 2012 - 08:35 AM

Hello everyone,

I'm working on a server, running on a Linux OS.
I'm developing it in C/C++.

Now I read something about worms, so I got worried.
I've read they send code to the server and the server executes this.

But why should a server program execute this code?
When a server only reads the client input into a "char*" and handles the bytes, this doesn't get executed, does it?

But because worms have been (and still are) a problem, I wonder why this could be a problem.

I hope someone could explain something about this topic to me, so I can make my server resistant.

Thanks in advance,

Sinned


Replies To: Worm resistance

#2 Martyr2

Posted 10 January 2012 - 11:50 AM

Computer worms move through networks using replication, not remote code execution. It isn't that a computer sends a server a char * and it executes that statement; it is that a computer program is sent to the server and stored. From there it then transmits the program to other computers.

The danger here is that once the program is sitting on a computer it can open up a channel to the attacker and accept commands to do something within the system.

It would be like I give you a program called abc.exe and you (the server) gladly save it to your hard drive. Without you knowing, abc.exe then sends itself to your friend to save. At some later time abc.exe executes and does something like launch a virus or open a TCP connection back to me, and I tell it to do things for me like monitor for passwords being thrown around on the network, phishing, etc.

Worms are typically a bit easier to detect and destroy since they aren't really attached to other executable files, whereas a virus attaches itself to other files that may be legit. Worms can also be detected in transit and stopped by packet filtering or at a hardware level in routers etc.

I hope that clears things up for you. :)

This post has been edited by Martyr2: 10 January 2012 - 11:51 AM


#3 Sinned

Posted 10 January 2012 - 01:43 PM

It clears things up a bit.

But I still have some questions.

In 2001 a worm was detected that was called "Code Red".
Code Red sends requests to web servers.
And to my knowledge web servers don't store anything coming from the client.

Also, even if the executable worm file was stored on the server, it does not have to get executed?
A file is just an amount of bytes; if the server handles it like this, it still has nothing to worry about, does it?

I hope you could explain a bit more about this?

#4 modi123_1

Posted 10 January 2012 - 02:10 PM

Quote

And to my knowledge web servers don't store anything coming from the client.

Sure.. but remember it's a computer system.. *somehow* files are installed on it, right? FTP, drag and drop, email, or even executable code can reside in memory.. or hell, just have the computer/server reach out to an infected file, as the file could reside somewhere else!

Quote

Also, even if the executable worm file was stored on the server, it does not have to get executed?

No.. it needs to be executed or at least a process running in memory.

Quote

A file is just an amount of bytes; if the server handles it like this, it still has nothing to worry about, does it?

No.. there's plenty of work to do.

Essentially it means you keep your crap updated... security patches, firewall patches, etc. Limit user access and harden accounts.

#5 GunnerInc

Posted 10 January 2012 - 05:44 PM

Quote

But why should a server program execute this code?

Simple answer - Buffer overflows. (Which boils down to sloppy programming)

That is why you should always make sure your software is up to date. Exploits are found and fixed.
You could use shellcode to root a server or run commands. NOP sleds are interesting.

#6 Sinned

Posted 10 January 2012 - 11:36 PM

modi123_1, on 10 January 2012 - 02:10 PM, said:

Quote

Also, even if the executable worm file was stored on the server, it does not have to get executed?

No.. it needs to be executed or at least a process running in memory.

I'm sorry, I formulated this question wrongly.
I meant: only a file gets stored, and this never gets executed, so what is the problem?

But so you are all saying the only dangerous things are tools like SSH and FTP?

Or buffer overflows, which I definitely have to prevent in my code.

Then I almost understand it, and how I can protect my server.

But I still don't understand:
how could the overflow in a buffer get executed?

#7 modi123_1

Posted 11 January 2012 - 07:46 AM

Wait.. so cross-site scripting, forcing a process to access an external file... the users... exploits that access a file... these don't exist on your system? Amazing!

Quote

I meant: only a file gets stored, and this never gets executed, so what is the problem?

You don't have files on your system that get executed? Never? Is an OS never running? Is a file never served? A process that spins up? Nothing at all?


Quote

How could the overflow in a buffer get executed?

The traditional way is a buffer is flooded and execution is jumped to a malicious application.

#8 Sinned

Posted 11 January 2012 - 08:06 AM

modi123_1, on 11 January 2012 - 07:46 AM, said:

Wait.. so cross-site scripting, forcing a process to access an external file... the users... exploits that access a file... these don't exist on your system? Amazing!


:P Yes, it is amazing!

My server isn't built as an HTTP server, but a server is a server, just like an HTTP server.

And no, my server isn't accessing any files, only its own and some shared libraries.
So the only file loading happens natively, by the OS (loading libraries).
For storing all information I use MySQL databases (which are located elsewhere).
And my server really does not call another executable file on the disk.

modi123_1, on 11 January 2012 - 07:46 AM, said:

Quote

I meant: only a file gets stored, and this never gets executed, so what is the problem?

You don't have files on your system that get executed? Never? Is an OS never running? Is a file never served? A process that spins up? Nothing at all?

As I said, only the OS and my own files get executed.
To my knowledge nobody can add a file to my system which could possibly get invoked on start-up.

And the processes which are spinning up are just the OS and my server, which doesn't execute anything else after it.

modi123_1, on 11 January 2012 - 07:46 AM, said:

Quote

How could the overflow in a buffer get executed?

The traditional way is a buffer is flooded and execution is jumped to a malicious application.

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflows.

But so, my server should be completely safe, and not susceptible to a worm? :D

This post has been edited by Sinned: 11 January 2012 - 08:07 AM


#9 modi123_1

Posted 11 January 2012 - 08:29 AM

Quote

My server isn't built as an HTTP server, but a server is a server, just like an HTTP server.

Okay dude, I don't get what you are saying. Explain the setup of this box.


Quote

And no, my server isn't accessing any files, only its own and some shared libraries.

... and that's enough.

Quote

So the only file loading happens natively, by the OS (loading libraries).

That's enough to exploit.

Quote

For storing all information I use MySQL databases (which are located elsewhere).

That's enough to exploit.

Quote

And my server really does not call another executable file on the disk.

That's enough to exploit.


Quote

As I said, only the OS and my own files get executed.

That's enough to exploit.

Quote

To my knowledge nobody can add a file to my system which could possibly get invoked on start-up.

Famous last words.

Quote

And the processes which are spinning up are just the OS and my server, which doesn't execute anything else after it.

That's enough to exploit.


Quote

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflows.

The gist is you push enough of a specific command into a buffer, and at the end a file location and an execute command. The buffer jumps through those specific commands, then hits the execute and does it.


Quote

But so, my server should be completely safe, and not susceptible to a worm? :D

Sure.. yeah.. what ever. Go read up on worms and virus vectors.

#10 Sinned

Posted 11 January 2012 - 08:50 AM

:P Yeah, I don't really know anything about viruses and worms.

So I posted this topic, to get someone to explain something about it to me. :D

But you say:
when a computer is running an operating system and is connected to the internet, a worm can get in.

And then my server is the second point of worry.

But this is just the thing I don't understand.
To my knowledge a file only gets executed when someone orders it to.
And also a file could get written when someone gives orders to do that.

modi123_1, on 11 January 2012 - 08:29 AM, said:

Quote

But so, my server should be completely safe, and not susceptible to a worm? :D

Sure.. yeah.. what ever. Go read up on worms and virus vectors.

Do you have a suggestion where to find information about worms and viruses? :D

#11 modi123_1

Posted 11 January 2012 - 08:59 AM

Quote

:P Yeah, I don't really know anything about viruses and worms.
So I posted this topic, to get someone to explain something about it to me.

*sigh* I thought I smelled uninformed... So you are just making assumptions and flailing your hands around saying you have taken measures. Ah.. good to know.

You still haven't explained your server box at any level.

Quote

But you say:
when a computer is running an operating system and is connected to the internet, a worm can get in.


yes.. a machine can be cracked or exploited.

Quote

But this is just the thing I don't understand.
To my knowledge a file only gets executed when someone orders it to.
And also a file could get written when someone gives orders to do that.


Yes.. and the person giving those orders is the person attacking your machine... or an idiot user... or a sibling.. or an unpatched process.

Quote

Do you have a suggestion where to find information about worms and viruses?

Google is always good. Just search "how does a worm work" and drop the ones talking about the worms in the dirt. I mean seriously - this is a giant and open topic. It's not some niche subset... the research burden's on you.

#12 Sinned

Posted 11 January 2012 - 10:02 AM

Alright, I'll look for information about worms.

modi123_1, on 11 January 2012 - 08:59 AM, said:

You still haven't explained your server box at any level.

Here it is:
Spoiler


And again, many thanks for the feedback and help on my (maybe a bit stupid) questions. :D

#13 GunnerInc

Posted 11 January 2012 - 05:08 PM

Quote

And then my server is the second point of worry.


No, your server is the FIRST point of worry; not the OS, not the mouse munching on cheese over in the corner. Your server is what interacts with the internet before your OS.

Quote

I don't really understand why this should get executed, but if so many say it does, I believe it (without knowing why).
But I will do my best to prevent buffer overflow.


It would behoove you to learn about buffer exploits and the many exploits if you are writing a server. Most buffer exploits happen with the stack, since that is the easiest place to overwrite ESP.
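Replies #5, #9 and #13 all describe the same mechanism in words: a client message longer than the handler's local buffer keeps writing past it into the saved return address, so when the function returns the CPU jumps wherever the attacker chose, typically into a NOP sled followed by shellcode. The C program below is an added example written for this page; it is not code from any of the posters and not Sinned's server. It models the handler's stack frame as a single byte array (a 16-byte request buffer directly below an 8-byte return address), so the overwrite stays inside defined behaviour and can be run anywhere; the frame layout and the two addresses LEGIT_RET and ATTACKER_RET are assumptions chosen for the demonstration. The vulnerable copy is shown next to the hardened version that checks the length before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the request handler's stack frame: a 16-byte local buffer followed
 * directly by the 8-byte saved return address, the layout a compiler produces
 * when the buffer is the only local. Everything lives in one array so the
 * demo stays within defined behaviour; on a real stack the overflowing bytes
 * land on the real saved return address and 'ret' jumps there. */
#define BUF_LEN   16
#define RET_OFF   BUF_LEN
#define FRAME_LEN (BUF_LEN + 8)

/* Hypothetical addresses, assumed for the demonstration only. */
#define LEGIT_RET    0x0000000000401234ULL  /* where the handler should return to  */
#define ATTACKER_RET 0x00007ffc1c0de000ULL  /* where the attacker's shellcode sits */

static uint64_t load_u64_le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void store_u64_le(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Vulnerable handler: copies the whole client message into the local buffer
 * without comparing its length to BUF_LEN. Returns the address the function
 * would jump to at 'ret'. */
uint64_t vulnerable_handle(const unsigned char *msg, size_t len)
{
    unsigned char frame[FRAME_LEN];
    store_u64_le(frame + RET_OFF, LEGIT_RET);
    if (len > FRAME_LEN)
        len = FRAME_LEN;        /* edge of the model only; a real stack has no such stop */
    memcpy(frame, msg, len);    /* BUG: len may exceed BUF_LEN and run into the return address */
    return load_u64_le(frame + RET_OFF);
}

/* Hardened handler: the length is checked against the buffer before any byte
 * is copied; an oversized message is rejected with -1 and nothing is written.
 * *ret_out receives the return address still stored in the frame. */
int hardened_handle(const unsigned char *msg, size_t len, uint64_t *ret_out)
{
    unsigned char frame[FRAME_LEN];
    store_u64_le(frame + RET_OFF, LEGIT_RET);
    if (len > BUF_LEN) {
        *ret_out = load_u64_le(frame + RET_OFF);
        return -1;
    }
    memcpy(frame, msg, len);
    *ret_out = load_u64_le(frame + RET_OFF);
    return 0;
}

/* The classic payload: a NOP sled (0x90 is the x86 NOP) filling the buffer,
 * then the attacker's address in the slot the saved return address occupies. */
size_t craft_exploit(unsigned char *out, size_t out_len)
{
    if (out_len < FRAME_LEN)
        return 0;
    memset(out, 0x90, BUF_LEN);
    store_u64_le(out + RET_OFF, ATTACKER_RET);
    return FRAME_LEN;
}

/* End-to-end scenarios returning their outcome, so they can be checked. */
uint64_t demo_vulnerable_ret(void)
{
    unsigned char payload[FRAME_LEN];
    size_t n = craft_exploit(payload, sizeof payload);
    return vulnerable_handle(payload, n);
}

int demo_hardened_rc(void)
{
    unsigned char payload[FRAME_LEN];
    uint64_t r;
    size_t n = craft_exploit(payload, sizeof payload);
    return hardened_handle(payload, n, &r);
}

uint64_t demo_hardened_ret(void)
{
    unsigned char payload[FRAME_LEN];
    uint64_t r;
    size_t n = craft_exploit(payload, sizeof payload);
    hardened_handle(payload, n, &r);
    return r;
}

uint64_t demo_benign_ret(void)
{
    static const unsigned char hello[] = "PING";   /* constructed well-behaved 5-byte message */
    return vulnerable_handle(hello, sizeof hello);
}

int main(void)
{
    printf("vulnerable handler would return to 0x%llx\n",
           (unsigned long long)demo_vulnerable_ret());
    printf("hardened handler: rc=%d, return address still 0x%llx\n",
           demo_hardened_rc(), (unsigned long long)demo_hardened_ret());
    return 0;
}
```

Compile with `cc -std=c99 demo.c` and run it: the first line prints the attacker's address, the second prints rc=-1 with the legitimate address untouched. The only difference between the two handlers is the `len > BUF_LEN` comparison before `memcpy`; that check, applied to every copy from network input, is what "preventing buffer overflows" in Sinned's server amounts to. Stack canaries, a non-executable stack and ASLR make the overwritten return address harder to exploit on a real system, but they are mitigations, not a substitute for the length check.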

#14 Sinned

Posted 12 January 2012 - 08:03 AM

GunnerInc, on 11 January 2012 - 05:08 PM, said:

Quote

And then my server is the second point of worry.


No, your server is the FIRST point of worry; not the OS, not the mouse munching on cheese over in the corner. Your server is what interacts with the internet before your OS.


I didn't know that.
I thought a machine should only do something, like connecting to the internet, if someone (like the OS) orders it to.
So if a computer doesn't boot from LAN, why should it connect to the internet?
And mostly I see, when Linux boots, that it configures "DHCP" as one of the last things.

I think I understand too little about this part of computer security.
Here is my view on computers (in steps, what is happening when doing something):
Spoiler


#15 modi123_1

Posted 12 January 2012 - 08:09 AM

Quote

I believe this is all that is happening with a server socket.
So I don't understand why a worm or hacker can get into the PC.

As I said - the malicious program tells it to! A server has to be administered.. those administration doors create holes that are exploitable.

Quote

The only way to connect to a PC is via running services on ports.
If the server program is written well, without leaks, there is no harm.

In an ideal world sure, but code is often not written to perfection... not to mention the intentional holes given by administrators. Then there's updates... people like having new stuff. More efficient.. faster serving.. etc. Those updates then might not work fine with the existing code base... or they might introduce holes. You expect computers to be some sort of closed system - well stop thinking that.

Quote

So this is how I think about computers.
I don't understand how it can get harmed if everything should work fairly.

Then you should take off the rose colored glasses and get out of the idealized world. The only certain way to not get attacked via your connection is to unplug the system from the net or any network attached to the net.
