Worm Defense

Alexander Chang
CS239 – Network Security
05/01/2006
What is a worm?
 Self-replicating/self-propagating programs
 Spread from system to system without user interaction
 Finds vulnerabilities in systems and uses them to spread
 Spread via network
 Different from a virus, which requires user interaction

Danger?
 Take over systems
 Access sensitive information
   Passwords, credit card numbers, patient records, emails
 Disrupts system functions
   Government, nuclear power plants, hospitals
 DDoS attack
   Bandwidth saturation

Code Red (CRv1)
July 13th, 2001
 Exploits Microsoft IIS vulnerabilities
 Each infected system scans random 32-bit IP addresses to attack
 Bug in the random number generator resulted in linear spread

Code Red I (CRv2)
July 19th, 2001
 Same as CRv1 but with the random generator bug fixed
 DDoS payload targeting the IP address of www.whitehouse.gov
 Bug in the code made it die on dates >= the 20th of the month

Code Red II
August 4th, 2001
 Not related to Code Red (only a comment in the code says "Code Red")
 Exploits a buffer overflow in the MS IIS web server
 Installed a remote root backdoor, which can be used for anything

Nimda
September 18th, 2001
 Multiple methods of spreading
   MS IIS vulnerability
   Email
   Copying over network shares
   Webpage infection
   Scan for the backdoor left by Code Red II
 From no probing to 100 probes/sec in just 30 minutes
Sapphire/Slammer/SQLSlammer
January 25th, 2003
 Exploits MS SQL Server buffer overflow
 Fastest spreading worm
 Peak rate of 55 million scans/sec after just 3 min
 Rate slowed down because of bandwidth saturation
 No malicious payload, just saturated bandwidth, causing many servers to lose connectivity
[Figure: Slammer effect, before and after 30 minutes]
 What if Slammer had a malicious payload?
Used Techniques
 Random scanning
   Code Red, Code Red I
 Localized scanning
   Code Red II
   Machines in the same network are more likely to run the same software
 Multi-vector
   Nimda
   Several methods of spreading
Possible Techniques 1
 Hit-list scanning
   First 10k infections are the hardest
   Use a list of 10~50k vulnerable machines
   Several methods to generate the list
     Stealthy scan: random scan taking several months
     Distributed scan: using already compromised hosts
     DNS search: already known servers such as mail/web servers
     Just listening: P2P networks advertise their servers, previous worms advertised many servers
Possible Techniques 2
 Permutation Scanning
   Random scan probes the same host multiple times
   Permutation of IP addresses
   When an infected host is found, start from a random point in the permutation
   Self-coordinated, comprehensive scanning
   Very high infection rate
Possible Techniques 3
 Warhol Worm
   Hit-list and permutation scanning combined
   Starts off quickly with a high infection rate
   Simulation shows 99.99% of 300k hosts infected in less than 15 min.
 Many other techniques
   Topological scanning – use info from the infected machine to spread to machines in the same subnet
   Flash worm – using high bandwidth with a compressed hit-list
   Stealth worms – web servers to clients, P2P
Dealing with worm threat
 Prevention
   Prevent vulnerabilities by secure coding practices
   Patching software
   Heterogeneity of network
 Treatment
   Patching after breakout
   Virus scanning
 Containment
Containment
 Incoming
   Black list
   Signature based detection
   Identify scanning characteristics of worms
 Outgoing
   TCP connection threshold
   Use worm signature for outbound traffic
Detection – signature based
 Attack Signature:
   A description which represents a particular attack or action
   Eg, a classic antivirus signature
 Vulnerability Signature:
   A description of the class of vulnerable systems
   Eg, “Windows XP, SP2, not patched since 10/1/2004”
   A description of how to exploit a particular vulnerability
 Behavioral Signatures:
   A behavior necessary for a class of worms (e.g. scanning)
   A behavior common to many implementations (half-open connections)
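An added example, not from the slides, of the outbound containment check that the "TCP connection threshold" bullet and the half-open-connection behavioral signature together describe: per source and per one-second window it counts distinct destinations and the fraction of attempts that never completed a handshake. The connection records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of per-connection records from an egress monitor:
# (second, source, destination, handshake_completed).
# 10.0.0.5 behaves like a normal client; 10.0.0.9 behaves like a scanning
# worm: many distinct destinations in one second, almost none answering.
SAMPLE = (
    [(t, "10.0.0.5", f"10.1.0.{t + 1}", True) for t in range(5)]
    + [(0, "10.0.0.9", f"203.0.113.{i}", False) for i in range(60)]
    + [(0, "10.0.0.9", "10.1.0.1", True)]
)

def scan_scores(records, window=1):
    """Per (source, time window): number of distinct destinations contacted
    and the fraction of connection attempts that were left half-open."""
    dests = defaultdict(set)
    attempts = defaultdict(int)
    half_open = defaultdict(int)
    for t, src, dst, completed in records:
        key = (src, t // window)
        dests[key].add(dst)
        attempts[key] += 1
        if not completed:
            half_open[key] += 1
    return {k: (len(dests[k]), half_open[k] / attempts[k]) for k in dests}

def sources_to_contain(records, max_new_dests=10, max_half_open_ratio=0.5):
    """Sources whose outbound behaviour matches the scanning signature: more
    new destinations per window than the threshold allows, and most of those
    attempts left half-open. Returns {source: [windows flagged]}."""
    flagged = {}
    for (src, w), (ndest, ratio) in sorted(scan_scores(records).items()):
        if ndest > max_new_dests and ratio > max_half_open_ratio:
            flagged.setdefault(src, []).append(w)
    return flagged

if __name__ == "__main__":
    for src, windows in sources_to_contain(SAMPLE).items():
        print(f"quarantine {src}: scanning in windows {windows}")
```

A normal client that opens a burst of completed connections (a browser loading a page) passes the half-open test, which is why the two conditions are combined rather than used alone.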
Detection – runtime analysis
 Mark all the data from unsafe sources, and data derived from it, as dirty
 Any execution attempt is signaled as a possible threat
 Generate Self-Certifying Alerts and distribute them to peers using an overlay – peers only run overlay code, so they are less susceptible to attacks
 Each host verifies the alert in a VM and, if the vulnerability is found, generates a filter
 Multiple filters to prevent false positives
   Generic filter – disjunction of multiple specific conditions
   Specific filter – more stringent conditions
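An added example, not from the slides, that models the taint-tracking and filter steps above in Python: bytes from an unsafe source carry a dirty tag, copies propagate it, using a tagged value as the return target raises an alert, and the alert yields a specific filter, several of which combine into a generic one. The fake memory layout, the handler and the addresses are constructed assumptions.

```python
class TaintAlert(Exception):
    """Raised when bytes tagged as coming from unsafe input reach the PC."""
    def __init__(self, target, origins):
        super().__init__(f"dirty input offsets {origins} reached the PC")
        self.target, self.origins = target, origins

class TaintedMemory:
    """dirty[i] = untrusted-message offset byte i came from, or None if clean."""
    def __init__(self, size):
        self.mem, self.dirty = bytearray(size), [None] * size

    def recv(self, addr, data):
        """Unsafe source: tag each byte with its offset in the message."""
        for i, b in enumerate(data):
            self.mem[addr + i], self.dirty[addr + i] = b, i

    def copy(self, dst, src, n):
        """memcpy-like move; tags travel with the data."""
        for i in range(n):
            self.mem[dst + i] = self.mem[src + i]
            self.dirty[dst + i] = self.dirty[src + i]

    def ret(self, slot):
        """Function return: load the PC from the saved-return-address slot."""
        target = int.from_bytes(self.mem[slot:slot + 4], "little")
        origins = [o for o in self.dirty[slot:slot + 4] if o is not None]
        if origins:
            raise TaintAlert(target, origins)
        return target

BUF, RET_SLOT, INBOX = 0, 16, 64  # constructed layout; messages up to 64 bytes

def handle_request(msg):
    """Model of a handler that copies a message into a 16-byte buffer with no
    length check (the bug class behind Code Red II and Slammer)."""
    m = TaintedMemory(128)
    m.mem[RET_SLOT:RET_SLOT + 4] = (0x08048000).to_bytes(4, "little")  # clean
    m.recv(INBOX, msg)
    m.copy(BUF, INBOX, len(msg))
    return m.ret(RET_SLOT)

def specific_filter(alert, msg):
    """From one alert: a message must reach past the highest offset that hit
    the PC and carry the same bytes at those offsets."""
    need = {o: msg[o] for o in alert.origins}
    return lambda m: len(m) > max(need) and all(m[o] == v for o, v in need.items())

def generic_filter(filters):
    """Disjunction of several specific filters, as on the slide."""
    return lambda m: any(f(m) for f in filters)
```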
Thoughts
 Detection
   Polymorphic worms
     Obfuscation, encryption
   False positives
     Attacker generates suspicious traffic with byte strings that are common in normal traffic
   Signature generation time
   Dynamic taint analysis – expensive or low coverage and resource-hungry
Thoughts
 Distribution/deployment
   Pervasive E2E detection and distribution
   Secure P2P collaboration communication
   Overlay?
   Intrusion detection systems?
   Honeypots, honeyfarms?

Remarks
 Future worms will be more aggressive
 Need automatic detection mechanisms
   No global answer, need to apply all the techniques
 Network level detection has limitations because of limited/no knowledge of software vulnerabilities
 E2E detection, secure P2P distribution of worm information