Worm Defense
Alexander Chang
CS239 – Network Security
05/01/2006

What is a worm?
Self-replicating, self-propagating programs
Spread from system to system over the network without user interaction
Find vulnerabilities in remote systems and exploit them to spread
Different from a virus, which needs user interaction (e.g., running an infected file) to spread

Danger?
Take over systems
Access sensitive information: passwords, credit card numbers, patient records, emails
Disrupt system functions: government, nuclear power plants, hospitals
DDoS attacks
Bandwidth saturation from the scanning traffic alone

Code Red (CRv1)
July 13th, 2001
Exploited a buffer overflow in the Microsoft IIS web server
Each infected system scans random 32-bit IP addresses to attack
Bug in the random number generator (a fixed seed, so every infected host probed the same sequence of addresses) resulted in linear rather than exponential spread

Code Red I (CRv2)
July 19th, 2001
Same as CRv1 but with the random number generator bug fixed, so infected hosts probed different addresses and the worm spread exponentially
DDoS payload targeting the IP address of www.whitehouse.gov
A bug in the date-handling code made it die on the 20th of the month (the date on which it was meant to stop spreading and switch to the DDoS phase)

Code Red II
August 4th, 2001
Not related to Code Red (only a comment string in the code says "CodeRed II")
Exploited the same buffer overflow in the MS IIS web server
Installed a remote root backdoor which could be used for anything

Nimda
September 18th, 2001
Multiple methods of spreading:
MS IIS vulnerability
Email (infected attachment)
Copying itself over open network shares
Web page infection (clients browsing an infected web server)
Scanning for the backdoor left by Code Red II
Went from no probing to 100 probes/sec in just 30 minutes

Sapphire/Slammer/SQLSlammer
January 25th, 2003
Exploited a buffer overflow in MS SQL Server (a single UDP packet, so no connection setup was needed)
Fastest spreading worm seen so far
Peak rate of 55 million scans/sec after just 3 minutes
The rate then slowed because the scanning itself saturated the available bandwidth
No malicious payload; bandwidth saturation alone cut many servers off from the network

Slammer effect: (figure) infection map before the outbreak and 30 minutes after
What if Slammer had carried a malicious payload?

Used Techniques
Random scanning: Code Red (CRv1), Code Red I (CRv2)
Localized scanning: Code Red II (prefers addresses in the same /8 and /16 as the infected host)
Machines in the same network are more likely to run the same software
Multi-vector: Nimda (several methods of spreading)

Possible Techniques 1
Hit-list scanning
The first 10k infections are the hardest: the slow start of a random-scanning worm
Start instead with a prepared list of 10k to 50k vulnerable machines
Several methods to generate the list:
Stealthy scan: a random scan spread over several months, too slow to be noticed
Distributed scan: using already compromised hosts
DNS search: already known servers such as mail/web servers
Just listening: P2P networks advertise their servers, and previous worms advertised many hosts

Possible Techniques 2
Permutation scanning
Random scanning probes the same host multiple times
Instead, all instances share one pseudo-random permutation of the IP address space and each scans sequentially through it from a random starting point
When a scan hits an already infected host, that part of the permutation is assumed covered, and the scanner restarts from a new random point
Self-coordinated, comprehensive scanning with little duplicated effort
Very high infection rate

Possible Techniques 3
Warhol Worm
Hit-list and permutation scanning combined
Starts off quickly and sustains a high infection rate
Simulation shows 99.99% of 300k vulnerable hosts infected in less than 15 minutes
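The three scanning strategies from the last slides, as a small simulation added here (not code from the original presentation or from any paper it cites). It models a 2^16 address space instead of 2^32, a fixed vulnerable population, a constant number of probes per infected host per time step, and a permutation built from an affine map mod 2^16 (a real worm would use a block cipher); the CRv1 fixed seed value and all parameters are illustrative assumptions. It shows the linear spread caused by the CRv1 seed bug, the exponential spread once every instance seeds its own generator, and the faster start a hit-list gives.

```python
"""Worm scanning-strategy simulation (added example, constructed toy model)."""
import random

SPACE_BITS = 16
SPACE = 1 << SPACE_BITS      # toy 2^16 address space (a real worm scans 2^32)
PROBES_PER_ROUND = 20        # probes each infected host sends per time step
CRV1_SEED = 0xC0DE           # the one seed every CRv1 copy reused (value is illustrative)


def make_vulnerable(n_vuln, seed=1):
    """Choose the vulnerable hosts: a constructed sample, not real addresses."""
    return set(random.Random(seed).sample(range(SPACE), n_vuln))


def permute(i):
    """Shared permutation of the address space: an odd multiplier makes
    x -> a*x + c (mod 2^k) a bijection, so every address appears exactly once."""
    return (40503 * i + 12345) % SPACE


def new_scanner(strategy, rng):
    if strategy == "fixed_seed":      # CRv1 bug: every copy seeds its generator identically
        return random.Random(CRV1_SEED)
    if strategy == "random":          # CRv2 fix: each copy gets its own seed
        return random.Random(rng.getrandbits(64))
    if strategy == "permutation":     # position in the shared permutation, random start
        return [rng.randrange(SPACE)]
    raise ValueError(strategy)


def next_target(strategy, scanner, rng, infected):
    if strategy in ("fixed_seed", "random"):
        return scanner.randrange(SPACE)
    target = permute(scanner[0])
    scanner[0] = (scanner[0] + 1) % SPACE
    if target in infected:
        # Someone already covered this stretch: jump to a fresh random point.
        scanner[0] = rng.randrange(SPACE)
    return target


def simulate(strategy, vulnerable, hit_list_size=1, max_rounds=400, seed=7):
    """Return (infected count after each round, number of distinct addresses probed)."""
    rng = random.Random(seed)
    # The hit-list is a set of hosts compromised before the worm is released.
    infected = set(rng.sample(sorted(vulnerable), hit_list_size))
    scanners = {h: new_scanner(strategy, rng) for h in infected}
    probed = set()
    history = [len(infected)]
    for _ in range(max_rounds):
        newly = set()
        for h in list(infected):
            for _ in range(PROBES_PER_ROUND):
                t = next_target(strategy, scanners[h], rng, infected)
                probed.add(t)
                if t in vulnerable and t not in infected:
                    newly.add(t)
        for h in newly:
            infected.add(h)
            scanners[h] = new_scanner(strategy, rng)
        history.append(len(infected))
        if len(infected) == len(vulnerable):
            break
    return history, len(probed)


def rounds_to_fraction(history, fraction, total):
    """First round at which at least fraction*total hosts are infected, or None."""
    for rnd, n in enumerate(history):
        if n >= fraction * total:
            return rnd
    return None


if __name__ == "__main__":
    vuln = make_vulnerable(2000)
    for strategy, hit in (("fixed_seed", 1), ("random", 1), ("random", 200), ("permutation", 200)):
        hist, probed = simulate(strategy, vuln, hit)
        print(f"{strategy:12s} hit-list={hit:4d} rounds={len(hist) - 1:4d} "
              f"infected={hist[-1]:5d}/{len(vuln)} distinct addresses probed={probed}")
```

With the fixed seed, every copy walks the same address sequence, so after R rounds at most 20*R distinct addresses have been probed and the infection count grows linearly; the seeded-per-copy and permutation variants reach the whole vulnerable population, and the 200-host hit-list removes most of the slow initial phase.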

Many other techniques
Topological scanning: use information found on the infected machine (address books, peer lists, server logs) to locate new targets instead of scanning
Flash worm: a complete, compressed hit-list of vulnerable hosts, sent from a high-bandwidth start node and split among the children
Stealth (contagion) worms: spread without scanning, e.g., from web servers to their clients, or between P2P peers

Dealing with the worm threat
Prevention
Avoid the vulnerability in the first place: secure coding practices
Patch software before the worm appears
Heterogeneity of the network, so that one exploit cannot reach every host
Treatment
Patching after the outbreak
Virus scanning and removal
Containment (next slide)

Containment
Incoming
Blacklist of known infected sources
Signature-based detection
Identify the scanning characteristics of worms
Outgoing
TCP connection threshold (limit the rate of new outbound connections per host)
Apply the worm signature to outbound traffic as well

Detection – signature based
Attack signature: a description which represents a particular attack or action
E.g., a classic antivirus signature (a byte pattern of the worm itself)
Vulnerability signature: a description of the class of vulnerable systems, or of how to exploit a particular vulnerability
E.g., "Windows XP, SP2, not patched since 10/1/2004"
Behavioral signatures: a behavior necessary for a class of worms (e.g., scanning), or a behavior common to many implementations (e.g., many half-open connections, since most probed addresses never answer)
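The outbound containment and the behavioral signature from the last two slides, as an added example (not code from the original presentation): a Williamson-style connection throttle that allows one new destination per second per host and raises an alarm when the delay queue grows, and a half-open connection detector that flags hosts whose SYNs mostly get no SYN-ACK. The trace it runs on is constructed (one workstation talking to five servers, one worm-infected host probing random addresses); the working-set size, rate, queue length and fail ratio are illustrative assumptions.

```python
"""Outbound throttle plus half-open-connection signature over a constructed trace (added example)."""
import random
from collections import deque


class VirusThrottle:
    """A host normally contacts only a handful of new destinations per second;
    a scanning worm contacts hundreds, so its new destinations pile up in the queue."""

    def __init__(self, working_set_size=5, new_per_second=1.0, alarm_queue_len=10):
        self.working = deque(maxlen=working_set_size)  # recently contacted destinations
        self.queue = deque()                          # new destinations waiting for a slot
        self.rate = new_per_second
        self.alarm_len = alarm_queue_len
        self.credit, self.last = 1.0, 0.0

    def _release(self, now):
        # Earn one credit per 1/rate seconds (capped at one) and let queued destinations through.
        self.credit = min(1.0, self.credit + (now - self.last) * self.rate)
        self.last = now
        while self.queue and self.credit >= 1.0:
            self.credit -= 1.0
            self.working.append(self.queue.popleft())

    def offer(self, now, dst):
        """Return 'allowed', 'delayed' (queued) or 'alarm' (queue too long: likely a worm)."""
        self._release(now)
        if dst in self.working:
            return "allowed"
        if not self.queue and self.credit >= 1.0:
            self.credit -= 1.0
            self.working.append(dst)
            return "allowed"
        if dst not in self.queue:
            self.queue.append(dst)
        return "alarm" if len(self.queue) > self.alarm_len else "delayed"


def throttle_report(events):
    """Run each source host's outbound SYNs through its own throttle; count the verdicts."""
    throttles, report = {}, {}
    for t, src, dst, kind in events:
        if kind != "SYN":
            continue
        verdict = throttles.setdefault(src, VirusThrottle()).offer(t, dst)
        counts = report.setdefault(src, {"allowed": 0, "delayed": 0, "alarm": 0})
        counts[verdict] += 1
    return report


def half_open_scanners(events, window=2.0, min_attempts=10, max_fail_ratio=0.5):
    """Behavioral signature: a SYN with no SYN-ACK within `window` seconds is a half-open
    connection; a host whose attempts mostly stay half-open is probing addresses with no listener."""
    pending, attempts, completed = {}, {}, {}
    for t, src, dst, kind in events:
        if kind == "SYN":
            pending[(src, dst)] = t
            attempts[src] = attempts.get(src, 0) + 1
        elif kind == "SYN-ACK":          # sent by dst of the SYN back to the initiator
            key = (dst, src)
            if key in pending and t - pending.pop(key) <= window:
                completed[dst] = completed.get(dst, 0) + 1
    flagged = []
    for host, n in attempts.items():
        fails = n - completed.get(host, 0)
        if n >= min_attempts and fails / n > max_fail_ratio:
            flagged.append(host)
    return sorted(flagged)


def constructed_trace(seed=3):
    """Constructed events (time, src, dst, kind); not a real capture."""
    rng = random.Random(seed)
    ev = []
    servers = ["10.0.1.7:80", "10.0.1.8:443", "10.0.1.9:25", "10.0.1.10:445", "10.0.1.11:139"]
    t = 0.0
    for _ in range(40):                  # workstation: few destinations, all answer
        t += rng.uniform(0.1, 0.3)
        dst = rng.choice(servers)
        ev.append((t, "10.0.0.5", dst, "SYN"))
        ev.append((t + 0.01, dst, "10.0.0.5", "SYN-ACK"))
    t = 0.0
    for _ in range(60):                  # worm: 60 random targets in 2 seconds, ~5% answer
        t += 2.0 / 60
        dst = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}:80"
        ev.append((t, "10.0.0.9", dst, "SYN"))
        if rng.random() < 0.05:
            ev.append((t + 0.02, dst, "10.0.0.9", "SYN-ACK"))
    ev.sort()
    return ev


if __name__ == "__main__":
    trace = constructed_trace()
    for host, counts in throttle_report(trace).items():
        print(host, counts)
    print("half-open scanners:", half_open_scanners(trace))
```

The workstation is delayed a few times while its working set warms up but never alarms, because it only ever has five distinct destinations; the worm host alarms within its first second and is also the only host flagged by the half-open signature. Neither check needs a byte-level signature for the exploit, which is the point of a behavioral rule.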

Detection – runtime analysis
Mark all data from an unsafe source (the network) and everything derived from it as dirty (dynamic taint analysis)
Any attempt to execute dirty data, or to load it into the program counter, is signaled as a possible exploit
Generate Self-Certifying Alerts (as in Vigilante) and distribute them to peers using an overlay; peers only run the overlay code, so they are less susceptible to the attack
Each host verifies the alert in a VM and, if the vulnerability is confirmed, generates a filter
Multiple filters to prevent false positives:
Generic filter: disjunction of multiple specific conditions
Specific filter: more stringent conditions
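The detection, alert verification and filter generation steps on this slide, as an added toy example (not code from the original presentation or from Vigilante itself). It runs a constructed message handler with a buffer copy that trusts the message's length field, tracks for every memory cell the set of message offsets it derives from, raises an alert when a dirty value is about to be used as a return target, lets a "peer" verify the alert by replaying the message in a fresh machine, and builds a specific filter from the bytes that reached the return slot. The memory layout, the message format and the filter's conditions are assumptions of this example.

```python
"""Taint tracking, self-certifying alert replay and specific-filter generation (added example)."""


class Cell:
    """One memory cell: a byte value plus the set of message offsets it derives from
    (empty set = clean)."""
    __slots__ = ("value", "taint")

    def __init__(self, value, taint=frozenset()):
        self.value, self.taint = value & 0xFF, frozenset(taint)


def add(a, b):
    """Derived data inherits the taint of every operand."""
    return Cell(a.value + b.value, a.taint | b.taint)


class HijackDetected(Exception):
    def __init__(self, offsets, value):
        super().__init__(f"jump target {value:#x} derived from message offsets {sorted(offsets)}")
        self.offsets, self.value = frozenset(offsets), value


class TaintedMachine:
    BUF, BUF_LEN, RET = 16, 16, 32   # 16-byte buffer at cells 16..31, return slot at cell 32

    def __init__(self):
        self.mem = [Cell(0) for _ in range(64)]
        self.mem[self.RET] = Cell(0x40)              # clean return target

    def handle(self, msg):
        """Constructed vulnerable handler: msg = [length][payload...]. The copy trusts
        the length field, so a payload longer than 16 bytes overwrites the return slot."""
        length = Cell(msg[0], {0})
        checksum = Cell(0)
        for i in range(length.value):
            cell = Cell(msg[1 + i], {1 + i})         # each byte is dirty with its own offset
            self.mem[self.BUF + i] = cell
            checksum = add(checksum, cell)
        self.mem[40] = checksum                      # derived data stays dirty
        return self.ret()

    def ret(self):
        target = self.mem[self.RET]
        if target.taint:                             # dirty data about to become the PC
            raise HijackDetected(target.taint, target.value)
        return target.value


def verify_alert(msg):
    """Peer-side check of a self-certifying alert: replay the message in a fresh machine
    (the sandbox) and accept the alert only if the hijack reproduces."""
    try:
        TaintedMachine().handle(msg)
    except HijackDetected as alert:
        return alert
    return None


def specific_filter(alert, msg):
    """Specific filter: match only messages carrying the same bytes at the offsets that
    reached the return slot, plus the same length field (offset 0, an assumption of this
    toy format). No false positives, but variants slip past, hence the paired generic filter."""
    conds = {off: msg[off] for off in sorted(alert.offsets | {0})}
    return lambda m: all(len(m) > off and m[off] == v for off, v in conds.items())


if __name__ == "__main__":
    benign = bytes([8]) + b"ABCDEFGH"                # constructed messages
    exploit = bytes([20]) + bytes(range(20))
    variant = bytes([21]) + bytes(range(21))
    print("benign:", verify_alert(benign))
    alert = verify_alert(exploit)
    print("exploit:", alert)
    flt = specific_filter(alert, exploit)
    print("filter matches exploit/benign/variant:", flt(exploit), flt(benign), flt(variant))
```

The benign message returns normally through the clean return slot; the exploit's 17th byte lands in that slot, so the alert names offset 17 and the peer's replay reproduces it. The specific filter then blocks that exact message but not the variant with a different length, which still hijacks control, showing why the specific filter alone is not enough.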

Thoughts
Detection
Polymorphic worms: obfuscation and encryption change the byte stream, so a fixed attack signature will not match
False positives: an attacker can generate suspicious traffic containing byte strings that are common in normal traffic, so an automatically generated signature would also block legitimate traffic
Signature generation time
Dynamic taint analysis: either expensive, or low coverage and resource-hungry

Thoughts
Distribution/deployment
Pervasive end-to-end (E2E) detection and distribution
Secure P2P collaboration and communication
Overlay?
Intrusion detection systems?
Honeypots, honeyfarms?

Remarks
Future worms will be more aggressive
Need automatic detection mechanisms
No global answer; all of the techniques need to be applied together
Network-level detection has limitations because of limited or no knowledge of software vulnerabilities
E2E detection, with secure P2P distribution of worm information