Worm Defense
Outline
• Worms
• “How to Own the Internet in Your Spare Time”
• Worm defense
• Discussions
What is a worm?
An independent program that seeks out new hosts, from an existing host in order to further spread itself.
Other definition:
• Programs which are able to replicate themselves (usually across computer networks) as stand-alone programs (or sets of programs) and which do not depend on the existence of a host program are called computer worms.
Self-propagation and self-replication
What is the difference between a worm and a virus?
By different ways of infecting systems?
History of Worms: The Origins
• Science fiction references (e.g. Brunner’s “tapeworm” program in “The Shockwave Rider”, 1976)
• Xerox work in 1982: Shoch and Hupp coined the use of the term “worm” and carried out experiments with worm-like programs [6]
• CHRISTMA EXEC from 1987, which spread via email and required the user to execute it
• Internet worm in 1988: the Morris worm infected close to 10% of the then Internet (6000 machines)
• IRC worms: from 1987 to the present day, worms have targeted IRC clients (mIRC and PIRCH)
History of Worms : Email worms
Melissa (March 1999)
• A worm/virus hybrid that sent mail containing the worm/virus to the first 50 users in the Outlook address book. Could also spread as a conventional macro virus.
KAK (February 2000)
• A VBS worm similar to BubbleBoy that exploited a hole in Outlook to auto-execute on receipt.
Love Letter (May 2000)
• Another VBS worm that worked like Melissa, but was also able to spread via IRC.
History of Worms: resurgence
In the last two years we have seen a resurgence of worms that are not distributed by email:
• Code Red and variants (from July 13th, 2001): Code Red (CRv1), Code Red I (CRv2), Code Red II
• Nimda (Sep 18th, 2001)
• Slammer / Sapphire worm (January 2003)
What could worms do?
Some of them could:
• Launch Distributed Denial of Service (DDoS) attacks: bring down electronic commerce sites, cut off news outlets, disable root name servers
• Access sensitive material on any host: passwords, credit card numbers and address books
• Sow confusion and disruption: send out false information, make messages appear authentic
Replication methods of worms
Two main methods exist for worms to spread:
Use legitimate services
• Email: Sircam + previous examples
• File shares: Sircam + Deloder
Exploit system vulnerabilities
• Web servers: Nimda and Code Red
• MS SQL Server: Slammer
Why can worms spread?
• Homogeneous software base: exploit software design flaws of commonly used Internet tools; Microsoft controls more than 90% of PCs
• High-bandwidth interconnections: machines are “close” to each other, which makes it easy for a virus to spread
Outline
• Worms
• “How to Own the Internet in Your Spare Time”
• Worm defense
• Discussions
Main Ideas
Analyzing current worms, Code Red and Nimda
Develop some new, highly virulent techniques, including hit-list scanning, permutation scanning and use of Internet-sized hit-lists
Envision a “Cyber-Center for Disease Control”
Code Red I (CRv1)
Released July 13, 2001
Exploited a vulnerability in Microsoft IIS Web Server
Generated 100 threads:
• 99 threads scanned random IP addresses
• 1 thread defaced the web server
Contained a bug: the random number generator was initialized with a fixed seed, so every copy compromised the same sequence of machines
Random Constant Spread Model
A quantitative theory for the spread of the Code Red I worm
N: total number of vulnerable servers (assumed fixed)
K: initial compromise rate, the number of vulnerable hosts an infected host can compromise, measured in infections/hour
a: fraction of vulnerable machines compromised
t: time (in hours)
RCS (con’t)
$$N\,da = (N a)\,K\,(1 - a)\,dt$$
So the differential equation is
$$\frac{da}{dt} = K a (1 - a)$$
With a solution of
$$a = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$
Comments
For an early t, a grows exponentially; for a large t, a goes to 1
The rate only depends on K and has nothing to do with N at all!
From the graph, K = 1.8, T = 11.9
Maximum 510,000 scans an hour!
Why was the scan rate fit rather than the number of distinct IPs?
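The RCS model above, worked through in code as an added example (not from the slides or the paper): the closed-form a(t) with the page's fitted K = 1.8 and T = 11.9, a numerical integration of da/dt = K a (1 - a) that confirms it, and a check that the fraction curve is the same for any N. The step size and the comparison points are my choices.

```python
import math

# Parameters from the page's fit of the Code Red I data: K in infections/hour,
# T the hour at which half of the vulnerable population is compromised.
K = 1.8
T = 11.9

def rcs_closed_form(t, k=K, big_t=T):
    """Fraction a(t) of vulnerable hosts compromised:
    a = e^{K(t-T)} / (1 + e^{K(t-T)})."""
    x = math.exp(k * (t - big_t))
    return x / (1.0 + x)

def rcs_euler(t_end, a0, k=K, dt=0.001):
    """Integrate da/dt = K a (1 - a) forward in time from a(0) = a0 with
    fixed-step Euler, to check the closed form numerically."""
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += dt * k * a * (1.0 - a)
    return a

def infected_count_euler(n, i0, t_end, k=K, dt=0.001):
    """The same model in absolute counts, dI/dt = K I (1 - I/N): the fraction
    I/N follows the same curve for any N, as long as I0/N is the same."""
    i = float(i0)
    for _ in range(int(round(t_end / dt))):
        i += dt * k * i * (1.0 - i / n)
    return i

def hours_to_reach(fraction, k=K, big_t=T):
    """Invert the closed form: the hour at which a(t) reaches `fraction`."""
    return big_t + math.log(fraction / (1.0 - fraction)) / k

def early_doubling_time(k=K):
    """While a is small, da/dt ~ K a, so the infected population doubles every ln(2)/K hours."""
    return math.log(2.0) / k

if __name__ == "__main__":
    for hour in (6, 9, 11.9, 13, 15):
        print(f"t={hour:5.1f}h  a={rcs_closed_form(hour):.4f}")
    print("10% -> 90% takes", hours_to_reach(0.9) - hours_to_reach(0.1), "hours")
```

For a defender the useful number is the 10% to 90% window, about 2.4 hours at K = 1.8: that is the whole time budget for human-scale response once an outbreak is visible.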
Code Red II
Released August 4th, 2001
Unrelated code base from Code Red I
Exploited a buffer overflow vulnerability in Microsoft IIS Web Server
Installed a root backdoor allowing unrestricted remote access
Localized scanning strategy:
• 3/8 of probes to IP addresses within the same class B network
• ½ within the same class A network
• 1/8 across the whole Internet
Nimda
Released on Sep 18th, 2001
At least five methods to spread:
• From infected client to server, probing for a Microsoft IIS vulnerability (again MS!)
• Emailing itself as an attachment
• Copying itself across open network shares
• From infected server to client
• Scanning for the backdoors left by Code Red II
Better worms
The virulence of a worm could be further increased by faster scanning and more targets.
Hit-list Scanning
To get the worm “off the ground”: hit-list scanning
Collect a list of 10,000 to 50,000 vulnerable machines before releasing the worm
Each infected host hands half of its list to the host it has just infected
How to collect them?
• Stealthy scans (same as portscan)
• Distributed scanning
• DNS searches
• Spiders
• Public surveys
• Just listen, waiting for others to knock on the door
Permutation Scanning
Assumption: a worm could detect that a particular target is already infected
All copies share a pseudo-random permutation of the IP address space (use a 32-bit block cipher and a key)
Any host starts scanning just after its own point in the permutation
If it meets an already infected host, it restarts at a random point
Self-coordinated, comprehensive, and still random
A partitioned permutation scan, for attacking multiple security holes (how?)
A Simulation: Warhol Worm
Combination of hit-list and permutation scanning
A simulation of the Warhol worm’s spread: 2^32 entry address space, a 32-bit, 6-round variant of RC5
Sharply reduces the infection time to 15 minutes
So called “Warhol”, from the quotation “In the future, everyone will have 15 minutes of fame”
[Figure: number of instances vs. time; red: Warhol, green: fast scanning, black: conventional]
Hit-list scanning improves the initial spread, while permutation scanning keeps the infection rate high
Topological Scanning
Use information contained on the victim machine to find new targets: neighbors, peers, URLs
A compact worm: Flash worm
Mass coverage inside 30 seconds? Flash worms ‘in theory’ can achieve this.
Each copy of the worm carries with it a set of targets; it uses some to attack new hosts, and sends along a portion of the remaining addresses to each of its ‘children’.
The result: as the worm makes more copies of itself, each copy gets smaller, keeping the worm’s network load predictable.
Requires high bandwidth for the first few infections (10 million addresses = 40 megs!)
Flash worm (con’t)
[Diagram: the address list is split down the infection tree, 200k addresses per copy at the top, 100k per child, 50k per grandchild. Legend: infected computer; computer that could be infected, but hasn’t been; computer that wasn’t successfully infected]
Stealth worms
What is the difference?
• Avoiding detection by having a slow replication rate
• Hiding the infection mechanism by appearing to be ‘normal’ traffic
• Slowly building up a large infection base, with the hope of the payload triggering at a set date
• Or storing a record of infections to allow worms to be ‘activated’ in future, by an authorized signed message sent instantly along the infection path
Popular with diseases that show no symptoms; harder to achieve in the world of IDS.
Stealth Worm on P2P systems
P2P systems are suited to contagion worms:
• All running the same software
• A client = a server
• Interconnectivity
• Transferring large files
• Receive less attention from intrusion detection systems …
• And potentially immense size
Updates and Control
How to control and modify a worm after its release
Worm-to-worm communication: a list of other known, running worms; encrypted communication channels; degree of connectivity
Programmable updates: dynamic code loading supported by the OS
Cyber-Center for Disease Control
Mission:
• Identifying outbreaks
• Rapidly analyzing pathogens
• Fighting infections
• Anticipating new vectors
• Proactively devising detectors for new vectors
• Resisting future threats
Outline
• Worms
• “How to Own the Internet in Your Spare Time”
• Worm defenses
• Discussions
Approach for worm defense
Prevention, Containment, Cleanup
Worm defense - prevention
Prevention by:
• Reducing the number of vulnerable hosts
• Limiting the speed at which a worm spreads
Limitations: depends on current software vulnerabilities
Related research: Matthew M. Williamson, “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”
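An added example of the “limit the speed” idea (my simplified rendition, not Williamson’s code): a host may talk freely to a small working set of recent destinations, every new destination waits in a delay queue that drains one entry per tick, and a long queue is the alarm. Working-set size, one release per tick and the alarm length are assumed parameters; the traffic is constructed.

```python
from collections import deque

class NewDestinationThrottle:
    """Throttle on connections to new destinations, in the spirit of Williamson's
    "Throttling Viruses". Normal users revisit a few hosts and are barely slowed;
    a scanning worm piles up in the delay queue, which both slows it and flags it.
    The parameter values below are assumptions, not the paper's."""

    def __init__(self, working_set_size=5, alarm_queue_len=10):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted destinations
        self.delay_queue = deque()                          # new destinations awaiting release
        self.alarm_queue_len = alarm_queue_len
        self.alarmed = False

    def request(self, dst):
        """Handle one outbound connection attempt; returns 'allowed' or 'delayed'."""
        if dst in self.working_set:
            return "allowed"
        if dst not in self.delay_queue:
            self.delay_queue.append(dst)
        if len(self.delay_queue) >= self.alarm_queue_len:
            self.alarmed = True
        return "delayed"

    def tick(self):
        """Once per time unit, release the oldest queued destination into the working set."""
        if self.delay_queue:
            self.working_set.append(self.delay_queue.popleft())

def run_throttle(events, working_set_size=5, alarm_queue_len=10):
    """events: (tick, destination) pairs in time order. Returns (allowed, delayed, alarmed)."""
    th = NewDestinationThrottle(working_set_size, alarm_queue_len)
    allowed = delayed = 0
    now = 0
    for tick, dst in events:
        while now < tick:        # advance the clock, releasing one queued destination per tick
            th.tick()
            now += 1
        if th.request(dst) == "allowed":
            allowed += 1
        else:
            delayed += 1
    return allowed, delayed, th.alarmed

# Constructed traffic (not from the page): a user revisiting three web servers over 12 ticks,
# and a scanning host that tries 30 fresh addresses within a single tick.
NORMAL_TRAFFIC = [(t, f"web{t % 3}") for t in range(12)]
SCANNING_TRAFFIC = [(0, f"10.0.0.{i}") for i in range(30)]

if __name__ == "__main__":
    print(run_throttle(NORMAL_TRAFFIC), run_throttle(SCANNING_TRAFFIC))  # (9, 3, False) (0, 30, True)
```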
Worm defense - containment
Block the infectious communication between infected and uninfected hosts, by firewalls, content filters, blacklists
Related work:
• David Moore, “Internet Quarantine: Requirements for Containing Self-Propagating Code”
• Stuart Staniford, “Containment of Scanning Worms in Enterprise Networks”
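An added example of the containment decision itself (my simplified version, not the code of either paper): score each internal source by its first contacts with new destinations, failures counting against it, and hand sources that cross a threshold to the firewall blacklist. The log format, the +1/−1 weights and the threshold are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) result=(ok|fail)")

# Constructed sample connection log (not from the page): one host browsing normally,
# one host sweeping addresses on the MS SQL port (Slammer-style), almost all failing.
SAMPLE_LOG = "\n".join(
    [f"src=10.1.0.7 dst=10.1.0.{d} dport=80 result=ok" for d in (20, 21, 20, 22)]
    + ["src=10.1.0.7 dst=10.1.0.23 dport=80 result=fail"]
    + [f"src=10.1.0.9 dst=10.2.{d}.1 dport=1434 result=fail" for d in range(12)]
    + ["src=10.1.0.9 dst=10.1.0.20 dport=1434 result=ok"]
)

def scan_scores(log_text):
    """Per-source scan score in the spirit of Staniford et al.'s enterprise containment:
    a failed connection to a never-before-contacted destination scores +1, a successful
    first contact scores -1 (assumed weights); repeat contacts to a known destination
    are ignored, so a chatty but legitimate host does not accumulate a score."""
    seen = defaultdict(set)
    score = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, _dport, result = m.groups()
        if dst in seen[src]:
            continue
        seen[src].add(dst)
        score[src] += 1 if result == "fail" else -1
    return dict(score)

def sources_to_contain(log_text, threshold=10):
    """Sources whose score reaches the threshold: candidates for the firewall block list."""
    return sorted(s for s, n in scan_scores(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(scan_scores(SAMPLE_LOG))         # {'10.1.0.7': -2, '10.1.0.9': 11}
    print(sources_to_contain(SAMPLE_LOG))  # ['10.1.0.9']
```

The threshold sets the trade-off the containment papers study: low enough to cut a scanning host off after a handful of probes, high enough that a user hitting a few dead links is never blacklisted.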
Worm defense - cleanup
Cleanup by disinfection tools, system updates, patches
Limitations: limited to human time scales; cannot handle an acute outbreak
Related work: ?
Discussions
Thank you.