WORMS : attacks, defense and models. Presented by: Abhishek Sharma Vijay Erramilli

Transcription

1 WORMS : attacks, defense and models Presented by: Abhishek Sharma Vijay Erramilli

2 What is a computer worm? Is it not the same as a computer virus? A computer worm is a program that selfpropagates across a network exploiting security or policy flaws. A computer virus requires some sort of user action to abet their propagation The line between worms and viruses is not all that sharp : contagion worms

3 Outline A Taxonomy of Computer Worms The Slammer Worm What does the future have in store?

4 A Taxonomy of Computer Worms: know thy enemy To understand the worm threat, it is necessary to under the various types of worms. Taxonomy based on: target discovery carrier activation payloads attackers

5 Target Discovery: the mechanism by which a worm discovers new targets to infect : scanning, hit-list scanning Scanning : entails probing a set of addresses to identify vulnerable hosts. sequential : working through a IP address block using an ordered set of addresses random : trying address out of a block in a pseudo-random fashion Code-Red, Nimda, Slammer Worm

6 Optimizations to scanning Localized scanning strategy : (Code- Red II) With probability 3/8 choose a random IP address from within the class B address (/16 network) of the infected machine. With probability 1/2 choose randomly from the class A (/8 network) of the infected machine. With probability 1/8 choose a random address from the whole Internet.

7 Hit-list Scanning getting off the ground Provide the worm with a list of potentially vulnerable machines. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. When it infects a machine, it divides the hitlist in half, communicating half to the recipient worm, keeping the other half.

8 Permutation Scanning Random scanning is inefficient : many addresses are probed multiple times no means for a randomly scanning worm to effectively determine when all vulnerable machines are infected Permutation scanning a worm can detect that a particular target is already infected all worms share a common pseudo random permutation of the IP address space

9 Spread of Scanning Worms The speed of scanning worms is limited by: Density of vulnerable machines Design of the scanner The ability of edge routers to handle a potentially significant increase in new, diverse communication. Scanning is highly anomalous behavior. Effective detection; defenses designed to stop an entire family of worms

10 How fast do the spread?

11 Topological Worms : Internal Target Lists Many applications contain information about other hosts providing vulnerable services. Topological worm searches for local information to find new victims by trying to discover the local communication topology The original Morris worm used topological techniques including Network Yellow pages, /etc/hosts, and other sources to find new victims.

12 Topological Worms The spread is slower as compared to scanning worms. Can bypass defenses by communicating information known by one instance to other instances. May present a global anomaly, the local traffic may appear normal. Highly distributed sensors may be needed to detect topological worms

13 Target Discovery : Passive Worms A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or rely on user behavior to discover new targets Gnuman : Operates by acting as a Gnutella node which replies to all queries with copies of itself. If this copy is copy is run, the Gnuman starts on the victim and repeats itself.

14 Passive Worms continued CRclean : the anti-worm This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If this counterattack is successful, it removes Code Red II and installs itself on the machine. Never released.

15 Stealth worms --- contagion

16 P2P systems : susceptible to contagion worms Likely need only a single exploit, not a pair Often, peers running identical software Rich interconnection pattern Often used to transfer large files Not mainstream less vulnerability assessment, monitoring

17 P2P network susceptibility continued Often give access to user s desktop rather than server; sensitive data grey content : users less inclined to draw attention to unusual behavior Come with built-in control/ dissemination plain and can be Very Large

18 Toolkit Potential toolkits : large reusable structures where a small amount of additional code can be added to create a worm. Application-independent and applicationdependent toolkits seen in the wild. Application independent toolkit can contain: Code for scanning Transporting payloads

19 Toolkits continued Scanning worms are not application specific. The Slapper worm: attacker inserted a new exploit into the Scalper worm source code. scanning worms can be released as soon as a vulnerability is published

20 Distribution Mechanisms affects the speed and stealth of a worm Mechanisms: Self-carried Second channel : Blaster worm Embedded : contagion worm An embedded strategy only makes sense when the target selection strategy is also stealthy. Distribution: One-to-many Many-to-many Hybrid

21 Activation Self-Activation Human Activation rely on social engineering techniques Human Activity-Based Activation Logging in and therefore executing login scripts Opening a remotely infected file Scheduled Process Activation

22 Payloads None/nonfunctional : Morris, Slammer Disruption through traffic and machine load; by actively advertising vulnerable machines Internet Remote Control Code-Red II opened a trivial-to-use privileged backdoor on victim machines; exploited by anti- Code-Red worms

23 Payloads continued Spam-Relays: Sobig worm Spammers can avoid mechanisms which block known-spamming IP addresses HTML-proxies: Redirect web requests (through DNS) to randomly selected proxy machines Internet DOS

24 Payloads continued. Data Collection Access for sale Data damage : Chenobyl, Klez Worm Maintenance: W32/sonic

25 Code-Red

26 The Slammer Worm Spread nearly two orders of magnitude faster than Code-Red In approx. 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second) The spread was so aggressive that the worm quickly interfered with its own growth

27

28 Why Slammer was so fast? Code-Red was latency limited: Spreads via many threads, each invoking connect() to open a TCP session to random addresses Consequently, each thread s scanning rate was limited by the network latency

29 Latency limitation of Code-Red Thread is blocked while waiting to receive SYN/ACK Worms can compensate this by invoking large number of threads Operating system limitations : Context-switching overhead Kernel stack memory consumption

30 Slammer was bandwidth limited UDP-based A single packet to UDP port 1434 could exploit the SQL server s vulnerability Smaller size Slammer : 404 bytes Code-Red : 4 Kbytes Nimda : 60 Kbytes

31 Slammer opens a for more worms Smaller susceptible populations are now more attractive Need to automate worm defenses Filtering provides no benefit for actually limiting the number of infected machines What is Slammer propagated only for 10 minutes? 75,000 compromised machines Many might never have been identified!!!

32 Multi-vector worms---nimda By active probing By bulk ing itself as an attachment By copying itself across open network shares By adding exploit code to Web pages on compromised servers By scanning for backdoors left by Code-Red II

33 Code Red 2 kills off Code Red 1 CR 1 returns thanks to bad clocks Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed

34 Code Red 2 dies off as programmed Nimda hums along, slowly cleaned up With its predator gone, Code Red 1 comes back!, still exhibiting monthly pattern