WORMS : attacks, defense and models Presented by: Abhishek Sharma Vijay Erramilli
What is a computer worm? Is it not the same as a computer virus? A computer worm is a program that self-propagates across a network, exploiting security or policy flaws. A computer virus requires some sort of user action to abet its propagation. The line between worms and viruses is not all that sharp: contagion worms.
Outline A Taxonomy of Computer Worms The Slammer Worm What does the future have in store?
A Taxonomy of Computer Worms: know thy enemy To understand the worm threat, it is necessary to understand the various types of worms. Taxonomy based on: target discovery, carrier, activation, payloads, attackers.
Target Discovery: the mechanism by which a worm discovers new targets to infect: scanning, hit-list scanning. Scanning: entails probing a set of addresses to identify vulnerable hosts. Sequential: working through an IP address block using an ordered set of addresses. Random: trying addresses out of a block in a pseudo-random fashion. Examples: Code-Red, Nimda, Slammer worm.
Optimizations to scanning Localized scanning strategy (Code-Red II): With probability 3/8 choose a random IP address from within the class B address block (/16 network) of the infected machine. With probability 1/2 choose randomly from the class A block (/8 network) of the infected machine. With probability 1/8 choose a random address from the whole Internet.
Hit-list Scanning: getting off the ground Provide the worm with a list of potentially vulnerable machines. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. When it infects a machine, it divides the hit-list in half, communicating one half to the recipient worm and keeping the other half.
Permutation Scanning Random scanning is inefficient: many addresses are probed multiple times, and a randomly scanning worm has no means to effectively determine when all vulnerable machines are infected. Permutation scanning: a worm can detect that a particular target is already infected, because all worms share a common pseudo-random permutation of the IP address space.
Spread of Scanning Worms The speed of scanning worms is limited by: the density of vulnerable machines; the design of the scanner; the ability of edge routers to handle a potentially significant increase in new, diverse communication. Scanning is highly anomalous behavior, which makes effective detection possible, and defenses can be designed to stop an entire family of worms.
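As an added example (not from the talk), a minimal fan-out detector over constructed flow records: a random-scanning host contacts many distinct destinations within a short window, which an ordinary host does not. The addresses, the 30-second window and the threshold of 20 destinations are assumed sample values.

```python
from collections import defaultdict, deque
import random

def make_flows():
    """Constructed flow records (ts_seconds, src, dst, dport, proto); not a real capture."""
    random.seed(7)
    flows = []
    servers = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
    for t in range(60):
        # Ordinary host: keeps talking to the same few servers.
        flows.append((t, "192.168.1.10", random.choice(servers), 80, "tcp"))
        # Scanning host: one probe per second, each to a fresh pseudo-random address.
        dst = "%d.%d.%d.%d" % tuple(random.randrange(1, 255) for _ in range(4))
        flows.append((t, "192.168.1.77", dst, 1434, "udp"))
    return sorted(flows)

def max_fanout(flows, window=30):
    """For each source, the largest number of distinct destinations it contacted within
    any sliding window of `window` seconds (the 'new, diverse communication' signal)."""
    by_src = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_src[src].append((ts, dst))
    result = {}
    for src, recs in by_src.items():
        recent, counts, best = deque(), defaultdict(int), 0
        for ts, dst in sorted(recs):
            recent.append((ts, dst))
            counts[dst] += 1
            while ts - recent[0][0] > window:  # expire records older than the window
                _, old_dst = recent.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            best = max(best, len(counts))
        result[src] = best
    return result

def detect_scanners(flows, window=30, threshold=20):
    """Sources whose fan-out exceeds `threshold` distinct destinations in one window."""
    return sorted(src for src, n in max_fanout(flows, window).items() if n > threshold)

if __name__ == "__main__":
    flows = make_flows()
    print(max_fanout(flows))
    print("suspected scanners:", detect_scanners(flows))
```

A real sensor would also weigh failed connections and unanswered probes, since most addresses a random scanner hits do not exist.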
How fast do they spread?
Topological Worms : Internal Target Lists Many applications contain information about other hosts providing vulnerable services. Topological worm searches for local information to find new victims by trying to discover the local communication topology The original Morris worm used topological techniques including Network Yellow pages, /etc/hosts, and other sources to find new victims.
Topological Worms The spread is slower compared to scanning worms. Can bypass defenses by communicating information known by one instance to other instances. May present a global anomaly while the local traffic appears normal. Highly distributed sensors may be needed to detect topological worms.
Target Discovery: Passive Worms A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behavior to discover new targets. Gnuman: operates by acting as a Gnutella node which replies to all queries with copies of itself. If this copy is run, Gnuman starts on the victim and repeats the process.
Passive Worms continued CRclean : the anti-worm This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If this counterattack is successful, it removes Code Red II and installs itself on the machine. Never released.
Stealth worms --- contagion
P2P systems: susceptible to contagion worms Likely need only a single exploit, not a pair. Often, peers run identical software. Rich interconnection pattern. Often used to transfer large files. Not mainstream: less vulnerability assessment and monitoring.
P2P network susceptibility continued Often give access to a user's desktop rather than a server: sensitive data. Grey content: users are less inclined to draw attention to unusual behavior. Come with a built-in control/dissemination plane and can be very large.
Toolkit Potential Toolkits: large reusable structures where a small amount of additional code can be added to create a worm. Application-independent and application-dependent toolkits have been seen in the wild. An application-independent toolkit can contain: code for scanning; code for transporting payloads.
Toolkits continued Scanning worms are not application specific. The Slapper worm: attacker inserted a new exploit into the Scalper worm source code. scanning worms can be released as soon as a vulnerability is published
Distribution Mechanisms affect the speed and stealth of a worm. Mechanisms: self-carried; second channel (Blaster worm); embedded (contagion worm). An embedded strategy only makes sense when the target selection strategy is also stealthy. Distribution: one-to-many, many-to-many, hybrid.
Activation Self-activation. Human activation: relies on social engineering techniques. Human activity-based activation: logging in and therefore executing login scripts; opening a remotely infected file. Scheduled process activation.
Payloads None/nonfunctional: Morris, Slammer. Disruption through traffic and machine load, and by actively advertising vulnerable machines. Internet remote control: Code-Red II opened a trivial-to-use privileged backdoor on victim machines, later exploited by anti-Code-Red worms.
Payloads continued Spam relays: Sobig worm. Spammers can avoid mechanisms which block known-spamming IP addresses. HTML proxies: redirect web requests (through DNS) to randomly selected proxy machines. Internet DoS.
Payloads continued Data collection. Access for sale. Data damage: Chernobyl, Klez. Worm maintenance: W32/sonic.
Code-Red
The Slammer Worm Spread nearly two orders of magnitude faster than Code-Red In approx. 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second) The spread was so aggressive that the worm quickly interfered with its own growth
Why was Slammer so fast? Code-Red was latency limited: it spreads via many threads, each invoking connect() to open a TCP session to a random address. Consequently, each thread's scanning rate was limited by the network latency.
Latency limitation of Code-Red A thread is blocked while waiting to receive the SYN/ACK. Worms can compensate for this by invoking a large number of threads, but operating system limitations apply: context-switching overhead and kernel stack memory consumption.
Slammer was bandwidth limited UDP-based: a single packet to UDP port 1434 could exploit the SQL Server vulnerability. Smaller size: Slammer 404 bytes, Code-Red 4 Kbytes, Nimda 60 Kbytes.
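As an added worked example (not from the talk), the latency-limited and bandwidth-limited scan-rate bounds from the last two slides are fed into the random-scanning epidemic model da/dt = K a (1 - a), the logistic growth model commonly used for worm spread, to answer the earlier "how fast do they spread?" question. The thread count, average wait per probe, effective uplink speed and Code-Red population are assumed parameters; the 404-byte packet and 75,000-host Slammer population are from the talk.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from

def latency_limited_rate(threads, wait_s):
    """TCP connect() scanning: each thread is blocked for roughly one RTT, or a
    full connect timeout when the random address does not answer, per probe."""
    return threads / wait_s

def bandwidth_limited_rate(link_bps, packet_bytes):
    """Single-packet UDP scanning: the only limit is how fast the link drains packets."""
    return link_bps / (packet_bytes * 8)

def contact_rate(scan_rate, vulnerable):
    """K of the model: scans per second times the chance that a random address
    belongs to a vulnerable host (vulnerable / ADDRESS_SPACE)."""
    return scan_rate * vulnerable / ADDRESS_SPACE

def infected_fraction(t, k, a0):
    """Closed-form logistic solution: infected fraction at time t, starting from a0."""
    e = math.exp(k * t)
    return a0 * e / (1 - a0 + a0 * e)

def time_to_fraction(k, a0, target):
    """Seconds until the infected fraction reaches target (inverse of infected_fraction)."""
    return math.log(target * (1 - a0) / ((1 - target) * a0)) / k

def compare():
    # Assumed Code-Red-like parameters: 100 threads, ~20 s average wait per probe
    # (most random targets never answer, so the connect timeout dominates).
    cr_rate = latency_limited_rate(threads=100, wait_s=20.0)
    # Slammer-like: 404-byte packets on an assumed 10 Mb/s effective uplink.
    sl_rate = bandwidth_limited_rate(link_bps=10e6, packet_bytes=404)
    cr_n, sl_n = 360_000, 75_000  # assumed Code-Red population; Slammer from the talk
    cr_k, sl_k = contact_rate(cr_rate, cr_n), contact_rate(sl_rate, sl_n)
    return {
        "code_red": {"scans_per_s": cr_rate, "doubling_s": math.log(2) / cr_k,
                     "t90_s": time_to_fraction(cr_k, 1 / cr_n, 0.9)},
        "slammer": {"scans_per_s": sl_rate, "doubling_s": math.log(2) / sl_k,
                    "t90_s": time_to_fraction(sl_k, 1 / sl_n, 0.9)},
    }

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['scans_per_s']:.0f} scans/s per host, "
              f"doubling {r['doubling_s']:.0f} s, 90% infected after {r['t90_s']/60:.1f} min")
```

The model ignores the self-interference the Slammer slide mentions (infected hosts saturating their own links), so it overstates the late-stage rate; the early doubling time is the robust figure.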
Slammer opens a for more worms Smaller susceptible populations are now more attractive. Need to automate worm defenses. Filtering provides no benefit for actually limiting the number of infected machines. What if Slammer had propagated for only 10 minutes? 75,000 compromised machines, many of which might never have been identified!
Multi-vector worms: Nimda Spreads by active probing; by bulk e-mailing itself as an attachment; by copying itself across open network shares; by adding exploit code to web pages on compromised servers; by scanning for backdoors left by Code-Red II.
Code Red 2 kills off Code Red 1; CR 1 returns thanks to bad clocks; Code Red 2 settles into a weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; Nimda hums along, slowly cleaned up; with its predator gone, Code Red 1 comes back, still exhibiting its monthly pattern.