The history of good worms


The Coming Age of Defensive Worms
David Meltzer
[email protected]
CTO, Intrusec
Why?
“I don't know whether a good worm can be safe and
effective, but this merits serious technical study.”
- Martha Stansell-Gamm (May 26, 2003) [1]
Chief, Computer Crime and Intellectual Property Section,
U.S. Department of Justice
What Will You Learn?
The history of good worms
The problems with defensive worms
How defensive worm problems are solved
Possible evolutionary steps
The Question
Will anyone in charge of a large
network ever willingly launch a worm
on their own network to protect it?
Worm Reality
A new exploit just came out.
You have 5,000 vulnerable systems.
The worm is coming.
What do you do?
The Worm Antidote
It fixes all the systems on your network.
It does it faster than the worm can spread.
It only ‘infects’ your own systems.
Do you run it?
Which Worm Do You Want?
“Good Worms”
A Worm, BUT…
– A “beneficial” payload
BUT Still…
– Disruptive to networks
– Runs without permission
– Requires clean-up
– ILLEGAL
What Do “Good Worms” Do?
• Scan
• Listen
• Exploit
• Patch
• Disinfect
Timeline of “Good Worms”
Millennium (8/99)
Cheese (5/01)
Code Green (9/01)
CRClean (9/01)
Case Study: Millennium [2,3]
Discovered 8/15/99
Written by Mixter [4]
Multiple Linux Vulns: Scans, Patches, Backdoors
• Scans for systems vulnerable to five remote Linux holes
• Exploits the remote system
• Patches the five Linux vulns
• Installs a backdoor
• Sends notification of the infection to a Hotmail address
• Installs itself on the system
Case Study: Cheese [5]
Discovered 5/01
Unknown Author
Lion Worm Response: Scans, Disinfects
• Scans for systems infected by Lion
• Installs itself using the backdoor left by Lion
• Removes the Lion backdoor from the system
Case Study: Code Green [6]
Code Released 9/1/2001, Written by Der HexXer
Code Red Response: Scans, Disinfects, Patches
• Scans for systems infected with Code Red
• Exploits the ISAPI vuln on infected systems
• Removes Code Red from the system
• Installs the Q300972 Hotfix on the system
• Installs itself on the system
Case Study: CRClean [7]
Code Released 9/1/2001, Written by Markus Kem
Code Red Response: Listens, Disinfects, Patches
• Listens for Code Red to attack it
• Exploits the ISAPI vuln on the Code Red attackers
• Removes Code Red from the system
• Patches the ISAPI vuln on the system
• Installs itself on the system
Industry Thinking on “Good Worms”
“Generally Not Well Regarded”
– eEye [8]
Industry Thinking on “Good Worms” - Continued
“The idea of a patch worm is a nice thought,
but it is not a solution…”
- CERT [9]
Industry Thinking on “Good Worms” - Continued
“You cannot predict what’s going to happen. You
don’t know what the impact is going to be if it’s
altered. It’s never an alternative.”
– Trend Micro [10]
Industry Thinking on “Good Worms” - Continued
“-What about the traffic it takes up?
-What about the boxes that don't patch properly, don't make it back
after reboot, or took down etrade in the middle of a trading day?
-How does your worm know when it's done?
-Maybe I don't want my box patched, the patch broke my app
-How do I tell your good worm apart from the original bad worm, or the
other worm which looks like the good worm, but is really a bad worm?
-How about people like us who track attack data, and you just skewed
the heck out of it? When does www1.whitehouse.gov get to come
back? If there's still *A* worm around on the 1st, which one is it?
-Do we really want an Internet-sized game of corewars?”
Industry Thinking on “Good Worms” - Continued
“Visions of bots floating around in the ether waging
mighty, but invisible, battles belong in books such as
Neal Stephenson's "The Diamond Age," not on
production Internet servers.”
– Timothy Dyck [11]
Industry Thinking on “Good Worms” - Continued
“… Worms are inherently uncontrollable, meaning
that good worms will cause traffic problems
and spread out of control.
This is true of most worms today, but that's only
because no one has designed a legitimate, well-coded and peer-reviewed good worm…”
– eWeek [12]
/. Wisdom
“The only question raised here is, am I really going to trust this "helpful"
worm or others like it to fully patch up my box properly?”
“Two wrongs may not make a right, but I would think in this case they
would at least be somewhat better than just the one wrong”
“Worms like this wouldn't exist or be news if more sysadmins would do
their job instead of playing Quake, looking at pr0n, or IRC'ing all day...”
“Automatic (or even semi-automatic) patching is
the *dumbest* idea on Earth.”
Problems with Good Worms
No good worm to date has been usable
in a legal and effective manner.
Problem #1 - Legality
To run a worm legally, it must NEVER
attempt to access unauthorized
systems.
Extreme safeguards must be taken.
A software bug will land you in jail.
Problem #2 – Network Usage
Worms are extremely noisy, causing
network slowdowns and denial of
service as a side-effect of running.
A defensive worm needs to be network friendly.
Problem #3 – Cleaning Up
Worms spread, leaving a new mess to
clean up in place of the old one.
A defensive worm needs to know when its work
is done and perform its own clean-up.
Problem #4 – Management
Worms are uncontrollable once “released”.
A defensive worm needs to be centrally
manageable: its operation and results must be
controllable while it is running.
“Defensive Worms”
A Good Worm, BUT…
– NOT Disruptive to networks
– ONLY Runs with permission
– NO clean-up
– LEGAL
Usable defensive worms do not exist, yet.
Solution #1 – Legality
Redundant Safeguards
Solution #1 – Legality
Restriction Models
• Opt-Out
• Passive
• IP Ranges
• Border Routers
• DNS
Solution #1 – Legality
Lysine Deficiency [13]
Solution #1 – Legality
Lysine Deficiency
A built-in mechanism that causes a worm to
die if it spreads beyond its intended
set of targets.
“Reverse Lysine” = Opt-Out (CodeRed)
Solution #1 – Legality
Heartbeats
The worm checks a central server before
each attack it launches.
If the server doesn’t return a heartbeat, the
worm pauses its operation.
If the heartbeat has not returned after a
timeout period, the worm self-destructs.
Solution #1 – Legality
IP Ranges
The worm is configured with the IP
addresses you are authorized to attack.
Solution #1 – Legality
Border Routers
The worm is configured with the border routers of a
network. You are authorized to attack all systems
within that network.
If a border router lies between the worm and a
prospective target, the worm does not propagate to it.
If no border router is on the route to a known
Internet server, the worm is already outside its
authorized network.
Solution #1 – Legality
DNS
The worm is configured with domain names.
You are authorized to attack all systems whose
hosts resolve within those domains.
The worm performs a DNS lookup on every
prospective target. If the name doesn’t
resolve within an authorized domain, the
target is not authorized.
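The Heartbeats, IP Ranges, Border Routers and DNS slides above, together with the lysine-deficiency kill switch, describe one procedure: before every propagation attempt the worm must show that the target is authorized under every configured model and that the worm itself is still inside the network it was released on. The Python below is an added example written for this transcript; it is not code from the talk or from Intrusec. The Policy and PropagationGate names, the RFC 1918 / RFC 5737 addresses, host names and hop lists are constructed for illustration, and the reverse-DNS, traceroute and heartbeat lookups are injected callables so the example runs offline (a deployment would back them with real lookups). Every check fails closed: an unresolvable name, an unknown route or a missing heartbeat all mean "do not attack".

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Policy:
    authorized_nets: tuple        # IP Ranges: CIDR blocks you are authorized to attack
    authorized_domains: tuple     # DNS: zones a target's PTR record must fall within
    border_routers: frozenset     # Border Routers: hop addresses marking your network edge
    known_internet_server: str    # a host that is certainly outside your own network
    heartbeat_timeout: float      # Heartbeats: seconds of silence before self-destruct


class PropagationGate:
    """Redundant safeguards: a target is attacked only if EVERY model approves it."""

    def __init__(self, policy: Policy,
                 resolve_ptr: Callable[[str], Optional[str]],   # reverse DNS lookup
                 trace_route: Callable[[str], List[str]],       # hop list from us to target
                 heartbeat: Callable[[], bool],                 # central server says "go on"?
                 clock: Callable[[], float] = time.monotonic):
        self.policy, self.resolve_ptr = policy, resolve_ptr
        self.trace_route, self.heartbeat, self.clock = trace_route, heartbeat, clock
        self.last_heartbeat = clock()
        self.alive = True                   # False once the worm has self-destructed

    def heartbeat_ok(self) -> bool:
        """No heartbeat: pause this attack. Silence past the timeout: self-destruct."""
        now = self.clock()
        if self.heartbeat():
            self.last_heartbeat = now
            return True
        if now - self.last_heartbeat > self.policy.heartbeat_timeout:
            self.alive = False
        return False

    def in_authorized_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.policy.authorized_nets)

    def dns_authorized(self, ip: str) -> bool:
        """Fail closed: a target that does not reverse-resolve is NOT authorized."""
        name = self.resolve_ptr(ip)
        if not name:
            return False
        name = name.rstrip(".").lower()
        return any(name == d or name.endswith("." + d)
                   for d in self.policy.authorized_domains)

    def no_border_router_between(self, ip: str) -> bool:
        return not any(hop in self.policy.border_routers for hop in self.trace_route(ip))

    def still_inside_own_network(self) -> bool:
        """No border router on the path to a known Internet host means we have escaped."""
        return any(hop in self.policy.border_routers
                   for hop in self.trace_route(self.policy.known_internet_server))

    def may_propagate_to(self, ip: str) -> bool:
        if not self.alive or not self.heartbeat_ok():
            return False
        if not self.still_inside_own_network():
            self.alive = False              # lysine deficiency: outside the target set, so die
            return False
        return (self.in_authorized_range(ip)
                and self.no_border_router_between(ip)
                and self.dns_authorized(ip))


# Constructed sample network (RFC 1918 / RFC 5737 addresses, not real hosts).
CORP_NETS = (ipaddress.ip_network("10.1.0.0/16"),)
BORDER_ROUTERS = frozenset({"10.1.254.1"})
FAKE_PTR = {
    "10.1.2.3": "web1.corp.example.",
    "10.1.2.4": "db.partner.example.",     # in our IP range, but not our DNS zone
    "203.0.113.9": "host.isp.example.",
}
FAKE_ROUTES = {
    "10.1.2.3": ["10.1.0.1"],
    "10.1.2.4": ["10.1.0.1"],
    "10.1.9.9": ["10.1.0.1", "10.1.254.1"],                 # path crosses the border
    "203.0.113.9": ["10.1.0.1", "10.1.254.1", "198.51.100.1"],
    "198.51.100.53": ["10.1.0.1", "10.1.254.1", "198.51.100.1"],
}
DEMO_POLICY = Policy(CORP_NETS, ("corp.example",), BORDER_ROUTERS, "198.51.100.53", 300.0)


def build_demo_gate(heartbeat: Callable[[], bool] = lambda: True,
                    clock: Callable[[], float] = time.monotonic) -> PropagationGate:
    return PropagationGate(DEMO_POLICY, FAKE_PTR.get,
                           lambda ip: FAKE_ROUTES.get(ip, []), heartbeat, clock)


def demo() -> dict:
    """Decision per candidate target; only 10.1.2.3 passes all four models."""
    gate = build_demo_gate()
    return {ip: gate.may_propagate_to(ip)
            for ip in ("10.1.2.3", "10.1.2.4", "10.1.9.9", "203.0.113.9")}


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print(f"{ip:>14}: {'attack' if allowed else 'skip'}")
```

Run as a script, the demo attacks only 10.1.2.3: 10.1.2.4 is inside the authorized range but its name resolves outside the authorized domain, 10.1.9.9 sits behind a border router, and 203.0.113.9 is outside the range altogether. The heartbeat check is made on every attempt, so a worm whose server goes silent stops immediately and kills itself once the timeout passes, and a worm that finds no border router between itself and the Internet treats that as proof it has left its authorized network and kills itself as well.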
References
1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003.
URL: http://www.eweek.com/article2/0,3959,1109605,00.asp
2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, Sept, 1999.
URL: http://www.whitehats.com/library/worms/mworm/index.html
3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001.
URL: http://www.securityfocus.com/news/203
4. Mixter. “mw06.tgz”, September 23, 1999.
URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz
5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001.
URL: http://www.sans.org/rr/papers/36/31.pdf
6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001.
URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html
7. Kem, Marcus. “CRClean.zip”, September 1, 2001.
URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html
8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001.
URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1
9. Houle, Kevin. Quoted in “Cheese worm: A Linux fixer-upper? By Robert Lemos”, May 16, 2001.
URL: http://news.com.com/2100-1001-257748.html?legacy=cnet
10. Hartmann, Joe. Quoted in “’Cheesy’ Fix-It Worm Patches Security Flaws By Jay Lyman”, May 18, 2001.
URL: http://www.newsfactor.com/perl/story/9869.html
11. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001.
URL: http://www.freeos.com/printer.php?entryID=4233
12. Rapoza, Jim. “Up With Good Worms”, April 21, 2003.
URL: http://www.eweek.com/article2/0,3959,1037004,00.asp