Transcript WORM PROPAGATION

WORM PROPAGATION
Terry Griffin
Sandeep Pinnamaneni
Vandana Gunupudi
Agenda







Introduction
Background
Infamous Worms
Benchmarks and Metrics
Requirements
Summary of Methods
Conclusion
Introduction

What is a worm?
–
–
–
–
Piece of software that propagates using
vulnerabilities in software/application
Self-propagating (distinct from a virus)
Self-replicating
Spread through the Internet easily due to its open
communication model
Classification of Worms

Target Discovery
–

Carrier
–

How does it transmit itself to the target?
Activation
–

How does a worm find new hosts to infect?
Mechanism by which the worm operates on the target
Payloads
–
What the worm carries to reach its goal
N.Weaver, V.Paxson, et al, “A taxonomy of computer worms”, Proc. Of the ACM workshop on Rapid Malcode, pp.11-18, 2003.
Target Discovery

Scanning
–
–
–

Pre-Generated Target lists
–

Sequential or Random
Permutation scanning
Bandwidth-limited scanning
“hit-list” of probably victims
Externally/internally generated target lists
–
Topological Worm (Morris Worm)
Carrier (Propagation Mechanisms)

Self-carried
–

Second Channel
–
–
–

Actively transmits itself as part of the infection process
Require a secondary communication channel
Example Blaster: primary channel is RPC;
secondary channel is TFTP
Embedded
–
Appends itself to normal messages
Activation Mechanism

Human Activation
–
–

Human Activity based
–

Windows Share worms like Nimda
Scheduled Process Activation
–

Slowest activation method
Melissa
Like unauthenticated automatic updates
Self Activation
–
Fastest method
Payloads


Code carried by the worm apart from its propagation
routines
Empty Payload
–

Internet Remote Control
–

Sobig’s Trojan opened an open-mail relay
HTML-Proxies
–

Privileged back door
Spam-Relays
–

most common
Sobig distributed web proxies
Internet DoS (Code Red)
History of Worms
Source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Morris Worm
• Topological Worm (6-10% of all Internet hosts infected)
• First large-scale worm that targeted VAX, Sun Unix systems
• Target Discovery
– Scanning the local subnet
• Activation
– Self Activation
• Propagation Mechanism (Self Carried)
– Exploiting a fingered buffer overflow
• Payload
– None
Code Red I

July 19, 2001: more than 359,000 computers connected to the Internet were infected
by Code-Red I v2 worm in less than 14 hours
Source: http://www.caida.org
Code Red I
• Target Discovery
– Scanning
• Activation
– Self Activation
• Propagation Mechanism (Self Carried)
– Exploiting a Microsoft IIS Web Server buffer overflow
• Payload
– Defacement of websites
Code Red I

Exploited buffer overflow in Indexing Service in Microsoft IIS Server

Days 1-19 of each month
–
–

Day 20-27
–
–

stops trying to spread
launches a denial-of-service attack on the IP address of www1.whitehouse.gon
Code Red I v1
–
–
–
–
–

displays ‘hacked by Chinese’ message on English language servers
tries to open connections to infect randomly chosen machines using 100 threads
July 12, 2001
Used static seed for random number generator
Each infected computer tries to infect always the same IP addresses
Not very damaging, spread slowly
Memory resident
Code Red I v2
–
–
July 19, 2001
Used random seed for random number generator
Code Red Damage



359,000 hosts infected in 24 hour period
Between 11:00 and 16:00 UTC, the growth is
exponential
2,000 hosts infected per minute at the peak of the
infection rate (16:00 UTC)
Nimda (September 18, 2001)
•
•
•
•
•
Target Discovery
– Scanning, Email
Activation
– Self Activation, User action
Propagation Mechanism (Self Carried)
– Exploiting a Microsoft IIS Web Server buffer overflow
Payload
– Defacement of websites
Multi-mode spreading:
–
–
–
–
–

attack IIS servers via infected clients
email itself to address book as a virus
copy itself across open network shares
modifying Web pages on infected servers w/ client exploit
scanning for Code Red II backdoor
Spread across firewalls.
SASSER Worm (2004)


April 29, 2004
Target Discovery
–
–

Mode of Transmission
–

Random Scanning of IP addresses on TCP port 445,
can scan up to 1,024 addresses simultaneously
Buffer Overflow in Windows Local Security Authority Service
Server (LSASS)
Payload
–
–
Rootkit potential
Escalation of privileges
Witty (2004)
March 19, 2004
 Buffer overflow vulnerability in ISS PAM
module

• Single UDP packet exploits flaw in the passive analysis of
Internet Security Systems (ISS) products.
• “Bandwidth-limited” UDP worm like Slammer.
• Vulnerable pop. (12K) attained in 75 minutes.
• Payload: slowly corrupt random disk blocks.
• Detailed telescope analysis reveals worm targeted a US military
base and was launched from a European retail ISP account.
Other Worms
Network.vbs, February 2000:
This worm had no payload and spread via unprotected Windows
shares.
Ramen, January 2001:
• This worm targeted RedHat Linux systems via exploits that
were 4 – 7 months old and, aside from defacing web pages did
not appear to be particularly malicious.
• However, as noted by the Linux Weekly News, multicast traffic
was affected as a byproduct of the worm’s scanning mechanism,
resulting in degraded service over the MBONE for both unicast
and multicast traffic.
Network.vbs Worm
The Network.vbs worm propagates via unprotected Windows shares. The
process as described in CERT Incident Note IN-2002-02 is as follows:
1. Perform a pseudo-random IP scan, looking for hosts with Windows
filesharing enabled.
2. Attempt to mount the share named “C” as local drive J.
3. If mount is successful copy network.vbs script into the “Startup” program
group.
Provided that the above is successful, the worm will be executed the next time
someone logs into the system. It should be noted that the QAZ worm uses a
similar mechanism, enumerating hosts within the “Network Neighborhood”
and replacing notepad.exe with the worm binary.
ADM Worm
• The ADM worm propagates via a buffer overflow in Unix systems running
DNS server daemons derived from v 4.9.6 of the ISC BIND code.
• The worm performs an incremental IP scan, starting from a random IP
address, looking for DNS servers which support the IQUERY command.
When such a server is encountered the worm attempts to exploit a buffer
overflow in IQUERY response processing which, if successful, allows the
worm to create an account for itself on the exploited host along with a
setuid root shell.
• This account and shell are used to transfer the worm’s tarball to the targeted
host via ftp, at which point the tarball is untar’d and the worm is executed
on the target host, beginning the propagation process all over again.
ADM Worm
ADM and other early worms (Millenium, Ramen, li0n, and Sadmind
specifically) are composed of the following components:
• IP Scanner: A mechanism for selecting IP’s to target.
• One or more exploits: Pre-existing, programmatic-attack type exploit used
•
•
by the worm to escalate its privilege level on the targeted system.
Propagation mechanism: Provides the logic necessary to move the worm
archive from system to system, usually via the use of ftp or tftp.
Glue/misc scripts: These scripts tie the other components together and
provide worm-specific functionality.
Slammer Worm – Before
Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
Slammer Worm - After
Figure taken from
http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
SQL Slammer
• The Slammer worm (also called Sapphire worm)
consists of an IP scanner combined with an exploit
for MS SQL Server, written in 376 bytes of code.
• Slammer exploited connectionless UDP service,
rather than connection-oriented TCP.
• Entire worm fit in a single packet!
• Worm infected 75,000+ hosts in 10 minutes
(despite broken random number generator).
– At its peak, doubled every 8.5 seconds
Slammer Worm
• Propagation speed was Sapphire's novel feature: in the first minute, the
•
•
infected population doubled in size every 8.5 (±1) seconds.
The worm achieved its full scanning rate (over 55 million scans per second)
after approximately three minutes, after which the rate of growth slowed
down somewhat because significant portions of the network did not have
enough bandwidth to allow it to operate unhindered. Most vulnerable
machines were infected within 10-minutes of the worm's release. Although
worms with this rapid propagation had been predicted on theoretical
grounds, the spread of Sapphire provides the first real incident
demonstrating the capabilities of a high-speed worm.
By comparison, it was two orders magnitude faster than the Code Red
worm, which infected over 359,000 hosts on July 19th, 2001. In
comparison, the Code Red worm population had a leisurely doubling time
of about 37 minutes.
General Model of Worm Propagation
Source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Summary of Worm Propagation
Worm propagation can be broadly described by a 3 (or 4) step process
illustrated in the figure before:
0.) Initial Infection: The model begins with the presumption that there exists a
system that is already infected by the worm and that the worm is active on
this system.
1.) Target Acquisition: In order for the worm to propagate itself it must find
additional systems to infect. Worms may actively target systems using:
a. IP addresses
b. Email addresses
c. File system traversal
It should also be noted that worms may passively target client system i.e.
the trojaned web content delivered by web servers infected with the Nimda
worm.
Worm Propagation
2.)Delivery of Hostile Code: Once a system has been targeted, it is necessary to transfer the
worm to the targeted system in preparation for infection. Code delivery has been observed to
take place via the following:
a. Network file systems
b. Email
c. Web clients
d. Remote command shell (or equivalent)
e. As part of packet payload associated with buffer overflows and similar programmatic exploits.
3.) Execution of Hostile Code: The presence of hostile code on a system is
not sufficient for worm propagation; execution of the code must be
triggered in some fashion. Code may be executed via:
a. Direct invocation from the command line (or equivalent)
b. Buffer overflow or other programmatic attack
c. Email clients
d. Web clients
e. User intervention
f. Automatic execution by target system.
4.) Some worms may only transfer a portion of their code in step 3. In that
case it is necessary for them to transfer the remaining code once the
target system has been compromised. This can be achieved via
a. FTP/TFTP
b. Network file systems
Benchmarks and Metrics

Infection Size
–

Reaction Time
–
–

Time between detection of a worm and deployment of
worm control measures
Obviously the lower the better
Penetration Ratio
–
–

Percentage of nodes infected
Number of nodes infected compared to the size of the
possible domain
Related to infection ratio
False Positives/Negatives
Propagation Countermeasures
The analysis below examines each step in the propagation model in detail to
determine what countermeasures, if any, prove effective.
Target Acquisition:
The specific targeting mechanism varies based on the means by which the
hostile code will be delivered to the target system.
1.) IP Scanning:
The most popular method for targeting systems to date seems to be IP
scanning.
Target Acquisition
The most basic scanning algorithm is as follows:
1. Generate an IP address.
2. Perform local setup for network communication.
3. Attempt to connect to the targeted system by sending a TCP SYN
packet to <Targeted IP Address>:<Port of Targeted Service>.
a.) If a TCP SYN-ACK packet is received then the remote system at
<Target IP> is listening on <Port of targeted service>. Send an ACK
packet and proceed with transfer of hostile code.
b.) Receipt of any other type of packet from <Target IP>, or failure to
receive any packet after a certain number of tries, indicates that the
targeted service is not available for some reason. Return to step 1.
Target Acquisition
• The simplest countermeasure to deploy is also the most
•
effective; unneeded services should be turned off. In this
situation, the infected host sends a SYN packet that is received
by the target host as usual. However, since the service is turned
off, there is no process listening on the destination port on the
target host.
The proper response in this situation is for the target host to
send back an RST packet, the receipt of which tells the infected
host that the targeted service is unavailable, causing the
infected host to move on to the next target (Loop).
Target Acquisition
In a typical network configuration a firewall is deployed somewhere on the
network path between the infected host and the target host as show in Figure
below . When the infected host sends a SYN packet to the target host the
packet is first intercepted by the firewall. The firewall is configured to prevent
most systems from accessing services on the target host, which is achieved by
silently discarding the SYN packet. The infected system will generally send
several more SYN packets that will be treated in the same manner, after which
the infected system will assume that the targeted service is unavailable and
move on to the next target.
Source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Hostile Code Delivery
E-mail: Code delivery via email is a favorite mechanism of worms and
worm-like viruses. The process begins with the worm composing a
message containing hostile code and attempting to send that message
to the targeted email address.
Source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Hostile Code Delivery
The below configuration forces the infected system to deliver the email
via the designated relay and, furthermore, forces that email to be
received by the designated mail exchange, significantly reducing the
number of potential delivery paths that the system administrator must
monitor.
source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Hostile Code Delivery
Web Clients:
Forcing clients to use a designated proxy for web communication causes web content
delivery to take on the form shown in below figure. Clients send requests for web
content to the proxy, which then forwards the request on to the appropriate web
server. The web server, in turn, provides the proxy with the requested content,
which the proxy sends back to the requesting client.
source:http://www.sans.org/rr/whitepapers/malicious/1410.php
Execution of Hostile Code
E-mail Clients:
There are a number of mechanisms by which email clients can be induced to
execute hostile code.
An email client may be induced to execute code in one of three ways:
1.) Programmatic Attack
2.) Rendering By-Product
3.) User Intervention
Additional Code Transfer
• Some worms transfer additional code from the infected system to the target
•
•
system once the initial exploit of the targeted system is completed.
Unfortunately, if the worm gets this far there is likely little that can be done
to prevent its spread. At this point both the infected host and the targeted
host are completely compromised, so any preventative measures must be
deployed between these two systems.
Once again, an appropriately configured firewall may prevent the complete
propagation of the worm. This underlies the importance of having a wellconfigured policy regarding outgoing connections in addition to incoming
connections.
Summary
As we can see from previous slides the spread is phenomenal....
is the number of host infected in real time.
is the pair wise rate of infection.
is the infection rate.
Summary
Breakdown of a typical current day worm:






Reconnaissance capabilities
Specific attack capabilities
A command interface
Communications capabilities
Intelligence capabilities
Unused attack capabilities
Summary
Reconnaissance capabilities


Automated sweeps and scans to Identify possible victims
Determine best method to infect new victim (if possible)
Summary
Specific attack cabilities
Method in which the worm gains entry

–
–
buffer overflows
cgi-bin errors
Attack portion of code has two parts

–
–
component which runs on infected host
component which looks for new host
Summary
A command interface
Node is only worthwhile if it can be used

–
–
Interactive interface (direct login)
Automatic interface (parent child)
Summary
Communications capabilities



Typically reside on different systems, therefore
method of communication is necessary
Transfer of information
Typically hidden
Summary
Intelligence capabilities
Possible distributed effort
All machines working together
You must



–
Know who is infected


–
can be achieved with update message/email to central point
what network address is / system type
How to contact them


irc chat lines
direct login
Summary
Unused attack capabilities


Multiple attack methods allow for more flexibility
Send only necessary payload (specific attack)
Future
Future: Worms will change





Infection mechanisms will become smarter.
Use network topology to their advantage.
Stealthier communications methods
Smarter Target Selection
More dynamic behavior
Future
Typical Defense (obvious stuff)



Patch, Patch, Patch
Defense in Depth
IDS and Response Mechanisms
Future
New Detection Strategies



Monitor shifts in traffic
Anomaly Detection
Exploit worm network flaws
Conclusions
1.
2.
3.
Future defense of worms is labor intensive with
current Internet design.
The infrastructure itself needs to assist with
detecting Internet Worms.
A proper design could mimic a multi-level security
system.
References
1.
http://www.sans.org/rr/whitepapers/malicious/1410.php
2.
http://www.cs.berkeley.edu/~nweaver/sapphire/
3.
http://www.securityfocus.com/infocus/1752
4.
http://www.icir.org/vern/papers/cdc-usenix-sec02/
Kienzle, D.M., Elder, M.C., Recent worms: a survey and trends, Proceedings of the 2003 ACM
workshop on Rapid Malcode, pp.1-10.
N.Weaver, V.Paxson, et al, A taxonomy of computer worms•
, Proc. Of the ACM workshop on Rapid
Malcode, pp.11-18, 2003.
S. Staniford, V. Paxson, and N. Weaver, How to own internet in your spare time•in Proceedings of
the USENIX Security Symposium, pp. 149-167,2002.
Cliff Changchun Zou, Lixin Gao, Weibo Gong, Don Towsley. Monitoring and Early Warning for
Internet Worms
5.
6.
7.
8.
9.
Jose Nazario, The Future of Internet Worms , Crimelabs research: www.crimelabs.net