WORMS : attacks, defense and models
Presented by: Abhishek Sharma, Vijay Erramilli
What is a computer “worm” ? Is it not the same as a computer “virus” ?
A computer worm is a program that self-propagates across a network by exploiting security or policy flaws. A computer virus requires some sort of user action to abet its propagation. The line between worms and viruses is not all that sharp: contagion worms.
Outline
A Taxonomy of Computer Worms
The “Slammer” Worm
What does the future have in store?
A Taxonomy of Computer Worms: “know thy enemy”
To understand the worm threat, it is necessary to understand the various types of worms. Taxonomy based on:
target discovery
carrier
activation
payloads
attackers
Target Discovery: the mechanism by which a worm discovers new targets to infect : scanning, hit-list scanning
Scanning : entails probing a set of addresses to identify vulnerable hosts.
sequential : working through an IP address block using an ordered set of addresses
random : trying addresses out of a block in a pseudo-random fashion
Examples: Code-Red, Nimda, Slammer Worm
Optimizations to scanning
Localized scanning strategy : (Code-Red II)
With probability 3/8 choose a random IP address from within the class B address (/16 network) of the infected machine.
With probability 1/2 choose randomly from the class A (/8 network) of the infected machine.
With probability 1/8 choose a random address from the whole Internet.
Hit-list Scanning
“getting off the ground” : Provide the worm with a list of potentially vulnerable machines. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. When it infects a machine, it divides the hit-list in half, communicating half to the recipient worm and keeping the other half.
Permutation Scanning
Random scanning is inefficient :
many addresses are probed multiple times
no means for a randomly scanning worm to effectively determine when all vulnerable machines are infected
Permutation scanning :
a worm can detect that a particular target is already infected
all worms share a common pseudo-random permutation of the IP address space
Spread of Scanning Worms
The speed of scanning worms is limited by:
Density of vulnerable machines
Design of the scanner
The ability of edge routers to handle a potentially significant increase in new, diverse communication.
Scanning is highly anomalous behavior, which makes effective detection possible: defenses can be designed to stop an entire family of worms rather than a single one.
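The two slides above make a defender's point: random scanning stands out (many distinct destinations, few completed connections), and Code-Red II's localized strategy leaves a measurable 3/8 : 1/2 : 1/8 locality profile. The following added example (not from the original presentation) flags scanning sources in a constructed set of flow records and computes that locality profile for each flagged host; the flow tuple layout, thresholds and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, handshake_completed); not real traffic.
# Host 10.20.30.40 plays a Code-Red-II-style scanner: 16 probes to port 80,
# 6 inside its own /16, 8 elsewhere in its /8, 2 anywhere else, none answered.
_SCANNER = "10.20.30.40"
FLOWS = (
    [(_SCANNER, f"10.20.{i}.7", 80, False) for i in range(1, 7)]         # same /16
    + [(_SCANNER, f"10.{100 + i}.9.9", 80, False) for i in range(8)]    # same /8, other /16
    + [(_SCANNER, "172.16.5.5", 80, False), (_SCANNER, "203.0.113.9", 80, False)]
    # Benign host: a few completed connections to a couple of servers.
    + [("192.168.1.5", "192.168.1.10", 80, True), ("192.168.1.5", "203.0.113.9", 443, True)]
)

def scan_candidates(flows, min_targets=10, max_success_ratio=0.2):
    """Return {src: distinct_targets} for sources that contact many distinct
    hosts with few completed handshakes, the signature of random scanning."""
    targets = defaultdict(set)
    completed = defaultdict(int)
    total = defaultdict(int)
    for src, dst, _port, ok in flows:
        targets[src].add(dst)
        total[src] += 1
        completed[src] += int(ok)
    return {
        src: len(t) for src, t in targets.items()
        if len(t) >= min_targets and completed[src] / total[src] <= max_success_ratio
    }

def locality_profile(src, flows):
    """Fraction of a source's distinct probe targets that fall in its own /16,
    elsewhere in its own /8, and anywhere else. A Code-Red II infected host
    trends toward (3/8, 1/2, 1/8) as the sample grows."""
    net16 = ipaddress.ip_network(f"{src}/16", strict=False)
    net8 = ipaddress.ip_network(f"{src}/8", strict=False)
    dsts = {ipaddress.ip_address(d) for s, d, _p, _ok in flows if s == src}
    same16 = sum(d in net16 for d in dsts)
    same8 = sum(d in net8 and d not in net16 for d in dsts)
    n = len(dsts)
    return (same16 / n, same8 / n, (n - same16 - same8) / n)

if __name__ == "__main__":
    for src, count in scan_candidates(FLOWS).items():
        print(src, count, "distinct targets, locality profile:", locality_profile(src, FLOWS))
```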
How fast do the
spread?
Topological Worms : Internal Target Lists
Many applications contain information about other hosts providing vulnerable services. A topological worm searches for such local information to find new victims, trying to discover the local communication topology.
The original “Morris” worm used topological techniques including Network Yellow pages, /etc/hosts, and other sources to find new victims.
Topological Worms
The spread is slower as compared to scanning worms. Can bypass defenses by communicating information known by one instance to other instances. May present a global anomaly while the local traffic appears normal.
Highly distributed sensors may be needed to detect topological worms.
Target Discovery : Passive Worms
A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behavior to discover new targets. Gnuman : Operates by acting as a Gnutella node which replies to all queries with copies of itself. If this copy is run, Gnuman starts on the victim and repeats the process.
Passive Worms continued…
CRclean : the “anti-worm”. This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If this counterattack is successful, it removes Code Red II and installs itself on the machine. Never released.
Stealth worms --- contagion
P2P systems : susceptible to contagion worms
Likely need only a single exploit, not a pair
Often, peers running identical software
Rich interconnection pattern
Often used to transfer large files
Not mainstream – less vulnerability assessment, monitoring
P2P network susceptibility continued…
Often give access to a user’s desktop rather than a server; sensitive data
“grey” content : users less inclined to draw attention to unusual behavior
Come with a built-in control/dissemination plane
…and can be Very Large
Toolkit Potential
Toolkits : large reusable structures where a small amount of additional code can be added to create a worm. Application-independent and application-dependent toolkits have been seen in the wild. An application-independent toolkit can contain:
Code for scanning
Transporting payloads
Toolkits continued …
Scanning worms are not application specific. The Slapper worm: the attacker inserted a new exploit into the Scalper worm source code. Scanning worms can be released as soon as a vulnerability is published.
Distribution Mechanisms
Affects the speed and stealth of a worm. Mechanisms:
Self-carried
Second channel : Blaster worm
Embedded : contagion worm
An embedded strategy only makes sense when the target selection strategy is also stealthy.
Distribution:
One-to-many
Many-to-many
Hybrid
Activation
Self-Activation
Human Activation
Human Activity-Based Activation
Relies on social engineering techniques
Logging in and therefore executing login scripts
Opening a remotely infected file
Scheduled Process Activation
Payloads
None/nonfunctional : Morris, Slammer
Disruption through traffic and machine load; by actively advertising vulnerable machines
Internet Remote Control
Code-Red II opened a trivial-to-use privileged backdoor on victim machines; exploited by “anti-Code-Red” worms
Payloads continued…
Spam-Relays: Sobig worm
HTML-proxies:
Spammers can avoid mechanisms which block known-spamming IP addresses
Redirect web requests (through DNS) to randomly selected proxy machines
Internet DOS
Payloads continued….
Data Collection
Access for sale
Data damage : Chernobyl, Klez
Worm Maintenance: W32/sonic
Code-Red
The Slammer Worm
Spread nearly two orders of magnitude faster than Code-Red
In approx. 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second)
The spread was so aggressive that the worm quickly interfered with its own growth
Why was Slammer so fast?
Code-Red was latency limited:
Spreads via many threads, each invoking connect() to open a TCP session to random addresses
Consequently, each thread’s scanning rate was limited by the network latency
Latency limitation of Code-Red
Thread is blocked while waiting to receive the SYN/ACK
Worms can compensate for this by invoking a large number of threads
Operating system limitations :
Context-switching overhead
Kernel stack memory consumption
Slammer was bandwidth limited
UDP-based
A single packet to UDP port 1434 could exploit the SQL server’s vulnerability
Smaller size
Slammer : 404 bytes
Code-Red : 4 Kbytes
Nimda : 60 Kbytes
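The contrast between a latency-limited and a bandwidth-limited scanner can be put in one line each. This added derivation is not from the original presentation; the link speed $B$, round-trip time $\tau$ and thread count $T$ are assumed illustrative values, and the 404 bytes is taken from the slide as the on-the-wire packet size.

$$
r_{\text{latency}} = \frac{T}{\tau} = \frac{100}{0.1\,\text{s}} = 10^{3}\ \text{scans/s},
\qquad
r_{\text{bandwidth}} = \frac{B}{8 \cdot L} = \frac{10^{8}\ \text{bit/s}}{8 \cdot 404\ \text{bit}} \approx 3.1 \times 10^{4}\ \text{scans/s}
$$

With $T = 100$ blocking TCP threads and $\tau = 100$ ms, a Code-Red style thread pool tops out at a thousand probes per second regardless of link speed, whereas a single-packet UDP scanner on a $B = 100$ Mbit/s link sends about thirty times as many, limited only by $B/L$; doubling $B$ doubles $r_{\text{bandwidth}}$ but leaves $r_{\text{latency}}$ unchanged.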
Slammer opens a
for more worms
Smaller susceptible populations are now more attractive
Need to automate worm defenses
Filtering provides no benefit for actually limiting the number of infected machines. What if Slammer had propagated for only 10 minutes?
75,000 compromised machines Many might never have been identified !!!
Multi-vector worms --- Nimda
By active probing
By bulk e-mailing itself as an attachment
By copying itself across open network shares
By adding exploit code to Web pages on compromised servers
By scanning for backdoors left by Code-Red II
Code Red 2 kills off Code Red 1
CR 1 returns thanks to bad clocks
Nimda enters the ecosystem
Code Red 2 settles into weekly pattern
Code Red 2 dies off as programmed
Nimda hums along, slowly cleaned up
With its predator gone, Code Red 1 comes back, still exhibiting monthly pattern