Automated Worm Fingerprinting [Singh, Estan et al]
Internet Quarantine: Requirements for Self-Propagating Code [Moore, Shannon et al]
David W. Hill
CSCI 297
6.28.2005
Spreads across a network by exploiting flaws in open services.
– As opposed to viruses, which require user action to quicken/spread.
Not new --- Morris Worm, Nov. 1988
– 6-10% of all Internet hosts infected
Many more since, but none on that scale … until Code Red
Initial version released July 13, 2001.
Exploited known bug in Microsoft IIS Web servers.
1st through 20th of each month: spread. 20th through end of each month: attack.
Payload: web site defacement.
Spread: via random scanning of 32-bit IP address space.
But: failure to seed random number generator → linear growth.
Code Red V2
Revision released July 19, 2001.
Payload: flooding attack on www.whitehouse.gov.
But: this time random number generator correctly seeded. Bingo!
Resident in memory, reboot clears the infection
Web defacement
Code Red V2 - Spread
Code Red II
New worm released August 4, 2001.
Worm Detection – Current Methods
Network telescoping – passive monitors that watch unused address space (Downfalls – non-random, only provide IP not signature)
Honeypots – slow manual analysis
Host-based behavioral detection – dynamically analyze anomalous activity, no inference of large scale attack
IDS, IPS – Snort
Content in existing worms is invariant
Dynamics for worm to spread are atypical
The Earlybird system can extract signatures from traffic to detect worms and automatically react
Each network packet is scanned for invariant content
Maintain a count of unique source and destination IPs
Sorting by substring count and by the size of the address list determines which content is worm traffic
Use substrings to automatically create signatures to filter the worm
Earlybird Cont.
System consists of sensors and aggregator
Aggregator – pulls data from sensors, activates network or host level blocking, reporting and control
Earlybird – Memory & CPU
Memory and CPU cycle constraints
Index content table by using a fixed size hash of the packet payload
Scaled bitmaps are used to reduce memory consumption on address dispersion counts
Earlybird Cont.
Sensor – 1.6 GHz AMD Opteron 242, Linux 2.6 kernel
Captures using libpcap
Can sift 1TB of traffic per day and is able to sift 200Mbps of continuous traffic
Cisco router configured for mirroring
Thresholds
Content Prevalence = 3
97 percent of signatures repeat two or fewer times
Thresholds
Address Dispersion = 30 src and 30 dst
Lower dispersion threshold will produce more false positives
Garbage collection – several hours
99 percent of FPs are from SMTP header strings and HTTP user agents - whitelist
SPAM e-mails – distributed mailers and relays
BitTorrent file striping creates many-to-many download profile
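The sifting steps from the Earlybird slides (invariant content, prevalence count, source/destination dispersion) together with the thresholds and whitelist on the last slides, as an added Python illustration that is not the paper's or the talk's code. Fixed 8-byte windows and plain sets are assumed stand-ins for the paper's Rabin fingerprints and scaled bitmaps, and all traffic is constructed inline.

```python
from collections import defaultdict

WINDOW = 8  # bytes per content window; assumed, the paper samples Rabin fingerprints


def windows(payload):
    """Every WINDOW-byte substring of a payload (exhaustive, no sampling)."""
    return {payload[i:i + WINDOW] for i in range(len(payload) - WINDOW + 1)}


def sift(packets, prevalence=3, dispersion=30, whitelist=()):
    """Earlybird-style sifting. packets: iterable of (src, dst, payload bytes).
    Returns {window: (count, distinct_srcs, distinct_dsts)} for windows whose
    content prevalence reaches `prevalence` and whose address dispersion
    reaches `dispersion` distinct sources AND destinations. Plain sets stand
    in for scaled bitmaps; `whitelist` holds protocol strings (SMTP headers,
    HTTP User-Agent lines) whose windows are never counted."""
    ignore = set().union(*(windows(w) for w in whitelist))
    count, srcs, dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, dst, payload in packets:
        for w in windows(payload) - ignore:
            count[w] += 1
            if count[w] >= prevalence:  # dispersion is tracked only for prevalent content
                srcs[w].add(src)
                dsts[w].add(dst)
    return {w: (count[w], len(srcs[w]), len(dsts[w])) for w in srcs
            if len(srcs[w]) >= dispersion and len(dsts[w]) >= dispersion}


# Constructed sample traffic (not a capture): a worm spraying one payload
# many-to-many, benign browsing that shares only HTTP boilerplate, and a
# popular download that is prevalent but many-to-one.
WORM = b"EXPLOIT-PAYLOAD-" + b"N" * 24
HTTP_TAIL = b" HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n"


def constructed_traffic():
    pkts = [(f"10.0.{i}.1", f"172.16.{i}.9", WORM) for i in range(35)]
    pkts += [(f"192.168.{i}.2", f"198.51.{i}.4",
              b"GET /" + bytes([97 + i % 26, 97 + i // 26]) * 4 + HTTP_TAIL)
             for i in range(35)]
    pkts += [(f"203.0.113.{i}", "198.51.100.1", b"POPULAR-FILE-CHUNK-" + b"D" * 16)
             for i in range(40)]
    return pkts


if __name__ == "__main__":
    for w, stats in sorted(sift(constructed_traffic(), whitelist=(HTTP_TAIL,)).items()):
        print(w, stats)  # only the worm's windows survive the whitelist
```

Without the whitelist the shared `User-Agent` line is flagged too, which is the false-positive class the slide above describes; the popular download never trips the destination-dispersion threshold.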
Earlybird – Issues of Concern