WORMS : attacks, defense and models - Boston University

Post on 12-Sep-2021


Presented by: Abhishek Sharma, Vijay Erramilli

What is a computer “worm” ? Is it not the same as a computer “virus” ?

A computer worm is a program that self-propagates across a network, exploiting security or policy flaws.
A computer virus requires some sort of user action to abet its propagation.
The line between worms and viruses is not all that sharp (e.g., contagion worms, which ride along on normal user-driven traffic).

Outline

A Taxonomy of Computer Worms

The “Slammer” Worm

What does the future have in store?

A Taxonomy of Computer Worms: "know thy enemy"
To understand the worm threat, it is necessary to understand the various types of worms.
Taxonomy based on:

target discovery
carrier
activation
payloads
attackers

Target Discovery: the mechanism by which a worm discovers new targets to infect, e.g., scanning, hit-list scanning

Scanning : entails probing a set of addresses to identify vulnerable hosts.

sequential: working through an IP address block using an ordered set of addresses
random: trying addresses out of a block in a pseudo-random fashion

Examples: Code-Red, Nimda, Slammer

Optimizations to scanning

Localized scanning strategy (Code-Red II):
With probability 3/8, choose a random IP address from within the class B address (/16 network) of the infected machine.
With probability 1/2, choose randomly from the class A (/8 network) of the infected machine.
With probability 1/8, choose a random address from the whole Internet.
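Target selection under the Code-Red II localized strategy, as an added Python model (not code from the slides and not the worm's own code): it draws targets with the 3/8, 1/2, 1/8 split above and then measures, for a constructed source address, where the probes land. Only the target-choice rule is modelled.

```python
import ipaddress
import random


def code_red_ii_next_target(infected_ip, rng):
    """Pick one scan target with the Code-Red II localized strategy.

    Probabilities are the ones on the slide: 3/8 same /16, 1/2 same /8,
    1/8 anywhere in the 32-bit space.  Host bits under the chosen prefix
    are drawn uniformly.  Only the target-choice rule is modelled.
    """
    base = int(ipaddress.IPv4Address(infected_ip))
    r = rng.random()
    if r < 3 / 8:
        prefix_bits = 16      # same /16 ("class B")
    elif r < 3 / 8 + 1 / 2:
        prefix_bits = 8       # same /8 ("class A")
    else:
        prefix_bits = 0       # whole Internet
    host_bits = 32 - prefix_bits
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    target = (base & mask) | rng.getrandbits(host_bits)
    return str(ipaddress.IPv4Address(target))


def locality(infected_ip, target_ip):
    """Where a probe landed relative to the host that sent it."""
    a = int(ipaddress.IPv4Address(infected_ip))
    b = int(ipaddress.IPv4Address(target_ip))
    if a >> 16 == b >> 16:
        return "same /16"
    if a >> 24 == b >> 24:
        return "same /8"
    return "elsewhere"


def probe_distribution(infected_ip, n, seed=1):
    """Fraction of n probes that stay in the sender's /16, its /8, or leave it.

    The nearer buckets absorb the small share of /8 and Internet-wide picks
    that happen to land in a closer prefix, so the fractions sit slightly
    above 3/8 and below 1/8.
    """
    rng = random.Random(seed)
    counts = {"same /16": 0, "same /8": 0, "elsewhere": 0}
    for _ in range(n):
        counts[locality(infected_ip, code_red_ii_next_target(infected_ip, rng))] += 1
    return {k: v / n for k, v in counts.items()}


if __name__ == "__main__":
    # Constructed source host (documentation range); the fractions come out
    # near 0.375 / 0.5 / 0.125.
    print(probe_distribution("192.0.2.77", 20_000, seed=7))
```

Roughly 7/8 of the probes never leave the infected host's /8. That is why Code-Red II saturates a network quickly once it has a foothold inside it, and also why a monitor at the border of that /8 sees only about one probe in eight.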

Hit-list Scanning

"getting off the ground"
Provide the worm with a list of potentially vulnerable machines.
The worm, when released onto an initial machine on this hit-list, begins scanning down the list.
When it infects a machine, it divides the hit-list in half, communicating half to the recipient worm and keeping the other half.
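The halving handoff, as an added simulation (not code from the slides): each infected instance works down its own slice of the list in lock-step rounds, handing half of what remains to every new victim. The hit-list used in the usage block is a constructed list of 1024 addresses in 10.0.0.0/22.

```python
import math


def hitlist_spread(hitlist, start):
    """Simulate hit-list scanning in lock-step rounds.

    Every infected instance carries its own slice of the list.  In each round
    it infects the first address on its slice and hands the new instance half
    of what remains, keeping the other half.  Instances infected in a round
    start acting in the next round.  Returns (rounds, infection_order).
    """
    if len(set(hitlist)) != len(hitlist):
        raise ValueError("hit-list must not contain duplicates")
    slices = {start: [h for h in hitlist if h != start]}
    infected = [start]
    rounds = 0
    while any(slices.values()):
        rounds += 1
        for host, remaining in list(slices.items()):   # snapshot: newcomers wait a round
            if not remaining:
                continue
            victim, rest = remaining[0], remaining[1:]
            half = len(rest) // 2
            slices[host] = rest[:half]       # parent keeps one half
            slices[victim] = rest[half:]     # child gets the other half
            infected.append(victim)
    return rounds, infected


def rounds_with_halving(list_size):
    """Closed form for the simulation above: the number of instances roughly
    doubles each round, so a list of N hosts is exhausted in ceil(log2 N) rounds."""
    return math.ceil(math.log2(list_size))


def rounds_without_halving(list_size):
    """For comparison: the initial instance working through the whole list alone
    needs N-1 rounds."""
    return list_size - 1


if __name__ == "__main__":
    hosts = [f"10.0.{i >> 8}.{i & 255}" for i in range(1024)]   # constructed hit-list
    rounds, order = hitlist_spread(hosts, hosts[0])
    print(rounds, rounds_with_halving(len(hosts)), rounds_without_halving(len(hosts)))
```

The handoff turns a 1023-round sequential walk into 10 rounds, which is the whole point of the hit-list: the worm is already on every machine it knew about before ordinary scanning even starts.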

Permutation Scanning

Random scanning is inefficient: many addresses are probed multiple times.
There is no means for a randomly scanning worm to effectively determine when all vulnerable machines are infected.

Permutation scanning:
all worms share a common pseudo-random permutation of the IP address space; each instance scans sequentially through it, starting just past its own position
a worm can detect that a particular target is already infected; when it hits one, it knows that host's instance has already covered the addresses that follow, so it jumps to a new random start point
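The shared permutation and the restart rule, as an added simulation (not code from the slides or from the Staniford/Paxson/Weaver paper they draw on). Assumptions: a toy 2^14-address space, an affine map as a stand-in for the shared permutation, a constructed vulnerable population, and no dormancy rule (instances never stop, so every run finishes). A random-scanning run under the same lock-step model is included so the two can be compared on the same input.

```python
import random

SPACE_BITS = 14                      # constructed toy address space: 2**14 addresses
SPACE = 1 << SPACE_BITS

# Stand-in for the shared permutation.  x -> (A*x + B) mod 2**n is a bijection
# whenever A is odd; a real worm would use a block cipher keyed with a constant
# compiled into every instance, which is exactly as "shared" as these two numbers.
SHARED_A = 0x2E35 | 1
SHARED_B = 0x0B47
A_INV = pow(SHARED_A, -1, SPACE)     # modular inverse, Python 3.8+


def perm(index):
    """Scanning index -> address."""
    return (SHARED_A * index + SHARED_B) % SPACE


def perm_inverse(addr):
    """Address -> its index; a freshly infected host uses this to find its own position."""
    return ((addr - SHARED_B) * A_INV) % SPACE


def make_vulnerable(n, seed):
    """Constructed population of n vulnerable addresses."""
    return set(random.Random(seed).sample(range(SPACE), n))


def permutation_scan(vulnerable, seed, max_rounds=100_000):
    """Lock-step simulation: one probe per infected instance per round.

    A new instance starts just past its own position in the permutation.  An
    instance that probes an already-infected host concludes that the addresses
    after it were covered by that host's instance and jumps to a random new
    start point.  The restart counter is what tells an instance that the
    population is nearly saturated.
    """
    rng = random.Random(seed)
    vulnerable = set(vulnerable)
    first = min(vulnerable)
    infected = {first}
    cursors = {first: perm_inverse(first) + 1}     # instance -> next index to probe
    probed = set()
    probes = restarts = rounds = 0
    while infected != vulnerable and rounds < max_rounds:
        rounds += 1
        for host in list(cursors):                  # snapshot: newcomers act next round
            addr = perm(cursors[host] % SPACE)
            cursors[host] += 1
            probes += 1
            probed.add(addr)
            if addr in infected:
                cursors[host] = rng.randrange(SPACE)
                restarts += 1
            elif addr in vulnerable:
                infected.add(addr)
                cursors[addr] = perm_inverse(addr) + 1
    return {"rounds": rounds, "probes": probes, "restarts": restarts,
            "distinct_addresses": len(probed), "infected": len(infected)}


def random_scan(vulnerable, seed, max_rounds=1_000_000):
    """Same lock-step model with uniform random targets, for comparison.  No
    instance ever learns that a target is already infected, so there is no
    restart counter and nothing that signals completion."""
    rng = random.Random(seed)
    vulnerable = set(vulnerable)
    infected = {min(vulnerable)}
    probed = set()
    probes = rounds = 0
    while infected != vulnerable and rounds < max_rounds:
        rounds += 1
        for _ in range(len(infected)):
            addr = rng.randrange(SPACE)
            probes += 1
            probed.add(addr)
            if addr in vulnerable:
                infected.add(addr)
    return {"rounds": rounds, "probes": probes,
            "distinct_addresses": len(probed), "infected": len(infected)}


if __name__ == "__main__":
    population = make_vulnerable(32, seed=3)
    print(permutation_scan(population, seed=5))
    print(random_scan(population, seed=5))
```

The counters are simulation output for the constructed population, not measurements of any real worm. The thing to look at is the restart count: it only grows once instances start running into each other's territory, which is the completion signal random scanning lacks. The paper's design adds a dormancy rule (stop after several consecutive restarts); it is left out here so that the run always ends with full coverage.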

Spread of Scanning Worms

The speed of scanning worms is limited by:
Density of vulnerable machines
Design of the scanner
The ability of edge routers to handle a potentially significant increase in new, diverse communication.

Scanning is highly anomalous behavior, so it can be detected effectively, and defenses can be designed to stop an entire family of worms rather than one instance.

How fast do they spread?

Topological Worms : Internal Target Lists

Many applications contain information about other hosts providing vulnerable services.
A topological worm searches such local information to find new victims, i.e., it discovers the local communication topology.

The original “Morris” worm used topological techniques including Network Yellow pages, /etc/hosts, and other sources to find new victims.

Topological Worms

The spread is slower compared to scanning worms.
Can bypass defenses by communicating information known by one instance to other instances.
May present a global anomaly while the local traffic appears normal.

Highly distributed sensors may be needed to detect topological worms

Target Discovery : Passive Worms

A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behavior to discover new targets.
Gnuman: operates by acting as a Gnutella node which replies to all queries with copies of itself. If this copy is run, Gnuman starts on the victim and repeats the process.

Passive Worms continued…

CRclean: the "anti-worm"
This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If this counterattack is successful, it removes Code Red II and installs itself on the machine.
Never released….

Stealth worms --- contagion

P2P systems : susceptible to contagion worms

Likely need only a single exploit, not a pair
Often, peers running identical software
Rich interconnection pattern
Often used to transfer large files
Not mainstream: less vulnerability assessment, monitoring

P2P network susceptibility continued…

Often give access to a user's desktop rather than a server; sensitive data
"grey" content: users less inclined to draw attention to unusual behavior
Come with a built-in control/dissemination plane… and can be Very Large

Toolkit Potential

Toolkits: large reusable structures where a small amount of additional code can be added to create a worm.
Application-independent and application-dependent toolkits seen in the wild.
An application-independent toolkit can contain:

Code for scanning
Transporting payloads

Toolkits continued …

Scanning worms are not application specific. The Slapper worm: the attacker inserted a new exploit into the Scalper worm source code.

Scanning worms can be released as soon as a vulnerability is published.

Distribution Mechanisms

Affects the speed and stealth of a worm
Mechanisms:

Self-carried
Second channel: Blaster worm
Embedded: contagion worm

An embedded strategy only makes sense when the target selection strategy is also stealthy.

Distribution:
One-to-many
Many-to-many
Hybrid

Activation

Self-Activation
Human Activation: relies on social engineering techniques
Human Activity-Based Activation:
Logging in and therefore executing login scripts
Opening a remotely infected file
Scheduled Process Activation

Payloads

None/nonfunctional: Morris, Slammer
Disruption through traffic and machine load, and by actively advertising vulnerable machines (every scanning host reveals itself as one)

Internet Remote Control
Code-Red II opened a trivial-to-use privileged backdoor on victim machines; exploited by "anti-Code-Red" worms

Payloads continued…

Spam-Relays: Sobig worm
Spammers can avoid mechanisms which block known-spamming IP addresses

HTML-proxies:Redirect web requests (through DNS) to randomly selected proxy machines

Internet DOS

Payloads continued….

Data Collection

Access for sale

Data damage: Chernobyl, Klez

Worm Maintenance: W32/sonic

Code-Red

The Slammer Worm

Spread nearly two orders of magnitude faster than Code-Red

In approx. 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second)

The spread was so aggressive that the worm quickly interfered with its own growth

Why was Slammer so fast?

Code-Red was latency limited:
Spreads via many threads, each invoking connect() to open a TCP session to random addresses

Consequently, each thread’s scanning rate was limited by the network latency

Latency limitation of Code-Red

A thread is blocked while waiting to receive the SYN/ACK (or, for the typical random address that does not answer, until the connection attempt times out).
Worms can compensate for this by invoking a large number of threads, but operating system limitations apply:
Context-switching overhead
Kernel stack memory consumption

Slammer was bandwidth limited

UDP-based: a single packet to UDP port 1434 could exploit the SQL Server vulnerability
Smaller size:
Slammer: 404 bytes
Code-Red: 4 Kbytes
Nimda: 60 Kbytes
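The two rate limits and the simple epidemic model behind "how fast do they spread", as an added Python model (not from the slides). The inputs in the usage block are assumptions used to exercise the model, not measured values: a 100 Mbps link, 4,000 scans/s per Slammer instance, 75,000 vulnerable hosts, 100 Code-Red threads each blocked 21 s per probe by a TCP connect timeout, and 360,000 vulnerable IIS hosts.

```python
import math

IPV4_SPACE = 2 ** 32


def latency_limited_rate(threads, seconds_blocked_per_probe):
    """Scans/s of a connect()-based scanner such as Code-Red: each thread is
    stuck until its handshake completes or times out, so rate = threads / block time."""
    return threads / seconds_blocked_per_probe


def bandwidth_limited_rate(link_bits_per_second, packet_bytes):
    """Scans/s of a single-packet UDP scanner such as Slammer: link capacity / packet size."""
    return link_bits_per_second / (packet_bytes * 8)


def contact_rate(scan_rate, vulnerable, space=IPV4_SPACE):
    """Per-instance rate of hitting vulnerable hosts while the population is mostly
    uninfected: scans/s times the probability that a random address is vulnerable."""
    return scan_rate * vulnerable / space


def doubling_time(scan_rate, vulnerable, space=IPV4_SPACE):
    """Early-phase doubling time under the simple epidemic (logistic) model
    da/dt = K*a*(1-a), where a is the infected fraction and K the contact rate."""
    return math.log(2) / contact_rate(scan_rate, vulnerable, space)


def infected_after(seconds, scan_rate, vulnerable, initial=1, space=IPV4_SPACE):
    """Infected hosts at time t from the closed-form logistic solution
    a(t) = 1 / (1 + ((1-a0)/a0) * exp(-K t)), arranged so large t cannot overflow."""
    k = contact_rate(scan_rate, vulnerable, space)
    a0 = initial / vulnerable
    return vulnerable / (1 + ((1 - a0) / a0) * math.exp(-k * seconds))


def time_to_fraction(fraction, scan_rate, vulnerable, initial=1, space=IPV4_SPACE):
    """Seconds until the given fraction of the vulnerable population is infected
    (inverse of infected_after)."""
    k = contact_rate(scan_rate, vulnerable, space)
    a0 = initial / vulnerable
    return math.log((fraction / (1 - fraction)) * ((1 - a0) / a0)) / k


if __name__ == "__main__":
    # Assumed inputs (not from the slides): see the lead-in above.
    print("Slammer, 100 Mbps ceiling:", round(bandwidth_limited_rate(100e6, 404)), "scans/s")
    print("Slammer doubling time:", round(doubling_time(4000, 75_000), 1), "s")
    print("Slammer, time to 90%:", round(time_to_fraction(0.9, 4000, 75_000)), "s")
    cr = latency_limited_rate(100, 21)
    print("Code-Red:", round(cr, 1), "scans/s, doubling",
          round(doubling_time(cr, 360_000) / 60), "min")
```

With those inputs a single 100 Mbps host could emit about 31,000 Slammer packets per second, and the doubling time comes out near 10 s for Slammer against roughly half an hour for Code-Red, which is the two-orders-of-magnitude gap stated above. The same model predicts 90% saturation in about three minutes; the real worm took longer because, as noted above, it saturated links and throttled its own growth, which a constant per-instance scan rate cannot capture.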

Slammer opens the door for more worms

Smaller susceptible populations are now more attractive

Need to automate worm defenses
Filtering provides no benefit for actually limiting the number of infected machines
What if Slammer had propagated for only 10 minutes?

75,000 compromised machines; many might never have been identified!

Multi-vector worms---Nimda

By active probing
By bulk e-mailing itself as an attachment
By copying itself across open network shares
By adding exploit code to Web pages on compromised servers
By scanning for backdoors left by Code-Red II

[Figure: timeline of Code Red 1, Code Red 2 and Nimda activity, with the slide's annotations:]
Code Red 2 kills off Code Red 1
Code Red 2 settles into weekly pattern
Nimda enters the ecosystem
Code Red 2 dies off as programmed
CR 1 returns thanks to bad clocks
Nimda hums along, slowly cleaned up
With its predator gone, Code Red 1 comes back, still exhibiting monthly pattern
