Automated Worm Fingerprinting [Singh, Estan et al.]
Internet Quarantine: Requirements for Self-Propagating Code [Moore, Shannon et al.]
David W. Hill
CSCI 297
6.28.2005
What is a worm?
Self-replicating/self-propagating code.
Spreads across a network by exploiting flaws in open services.
– As opposed to viruses, which require user action to activate and spread.
Not new --- Morris Worm, Nov. 1988
– 6-10% of all Internet hosts infected
Many more since, but none on that scale ... until Code Red.
Internet Worm History
Xerox PARC, Schoch and Hupp, 1982
Morris Worm <DEC VAX, sendmail, fingerd>, 1988
Code Red (V1, V2, II) <IIS>, 2001
NIMDA <various exploits>, 2001
Slammer Worm <SQL>, 2003
Blaster Worm <DCOM>, 2003
Sasser Worm <LSASS>, 2004
Code Red V1
Initial version released July 13, 2001.
Exploited a known bug in Microsoft IIS Web servers.
1st through 20th of each month: spread.
20th through end of each month: attack.
Payload: web site defacement.
Spread: via random scanning of the 32-bit IP address space.
But: failure to seed the random number generator -> linear growth (every infected host walked the same sequence of addresses).
Code Red V2
Revision released July 19, 2001.
Payload: flooding attack on www.whitehouse.gov.
But: this time the random number generator was correctly seeded. Bingo!
Resident in memory only; a reboot clears the infection.
Web defacement.
Code Red V2 - Spread
Code Red II
New worm released August 4, 2001.
Intelligent Replication Engine
Installed backdoors
Used more threads
Life Just Before Slammer
Life Just After Slammer
Worm Detection – Current Methods
Network telescopes – passive monitors that watch unused address space
– Downfalls: non-random scanning is missed, and they provide only source IPs, not a signature
Honeypots – slow manual analysis
Host-based behavioral detection – dynamically analyze anomalous activity; no inference of a large-scale attack
IDS, IPS – Snort
– Labor-intensive, human-mediated
Worm Containment
Host quarantine – IP ACL, router, firewall (blacklist)
String-matching containment
Connection throttling – slow the spread
Earlybird – Content Sifting
Content in existing worms is invariant
Dynamics for a worm to spread are atypical
The Earlybird system can extract signatures from traffic to detect worms and automatically react
Signatures
Worm Signature
Content-based blocking [Moore et al., 2003]
Signature for CodeRed II
05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)
0x0000  4500 05dc 84af 4000 6f06 5315 5ac4 16c4  E.....@.o.S.Z...
0x0010  d14e eb80 06b4 0050 5e86 fe57 440b 7c3b  .N.....P^..WD.|;
0x0020  5010 2238 6c8f 0000 4745 5420 2f64 6566  P."8l...GET./def
0x0030  6175 6c74 2e69 6461 3f58 5858 5858 5858  ault.ida?XXXXXXX
0x0040  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
...
0x00e0  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x00f0  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0100  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0110  5858 5858 5858 5858 5825 7539 3039 3025  XXXXXXXXX%u9090%
...
0x01a0  303d 6120 4854 5450 2f31 2e30 0d0a 436f  0=a.HTTP/1.0..Co
...
Signature – content specific to a worm: a payload string (the "GET /default.ida?XXX...%u9090%" request above)
Worm Behavior - Earlybird
Content Invariance
Content Prevalence
Address Dispersion
Earlybird Implementation
Each network packet is scanned for invariant content
Maintain a count of unique source and destination IPs per content substring
Sorting by substring count and by the size of the address list determines which content is worm traffic
Use those substrings to automatically create signatures that filter the worm
Earlybird Cont.
System consists of sensors and an aggregator
Aggregator – pulls data from sensors, activates network- or host-level blocking, reporting and control
Earlybird – Memory & CPU
Memory and CPU cycle constraints
Index the content table using a fixed-size hash of the packet payload
Scaled bitmaps are used to reduce the memory consumed by the address dispersion counts
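The scaled-bitmap idea from this slide, written out as an added Python example (this is not Earlybird's code, and it uses the basic bitmap estimator n = b * ln(b / zero_bits) scaled by the sampling factor, not the paper's multi-resolution variant; the bitmap sizes, scale factors and addresses are constructed):

```python
"""Approximate distinct-address counting with a scaled bitmap.

Exact address dispersion needs a set per content entry, which grows with the
number of distinct addresses. A bitmap costs a fixed number of bits: each
address is hashed to a slot in a virtual space of bits * scale slots, only the
first `bits` virtual slots are physically stored, and the estimate is scaled
back up. Example written for this page; parameters are constructed.
"""
import hashlib
import math


class ScaledBitmap:
    def __init__(self, bits: int = 1024, scale: int = 1):
        if bits % 8:
            raise ValueError("bits must be a multiple of 8")
        self.bits = bits
        self.scale = scale
        self.bitmap = bytearray(bits // 8)   # fixed memory, whatever the address count

    def _slot(self, address: str) -> int:
        # Deterministic 64-bit hash so the example is reproducible across runs.
        digest = hashlib.blake2b(address.encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % (self.bits * self.scale)

    def add(self, address: str) -> None:
        slot = self._slot(address)
        if slot < self.bits:                 # sampled 1/scale of the virtual space
            self.bitmap[slot // 8] |= 1 << (slot % 8)

    def zero_bits(self) -> int:
        return self.bits - sum(bin(b).count("1") for b in self.bitmap)

    def estimate(self) -> float:
        """Estimated number of distinct addresses added so far."""
        z = self.zero_bits()
        if z == 0:
            return float("inf")              # bitmap saturated: too small for this load
        return self.scale * self.bits * math.log(self.bits / z)

    def memory_bytes(self) -> int:
        return len(self.bitmap)


def dispersion_demo(distinct: int, bits: int, scale: int):
    """Feed `distinct` constructed addresses in; return (exact, estimate, bytes)."""
    bm = ScaledBitmap(bits, scale)
    for i in range(distinct):
        address = f"10.{(i >> 8) & 0xff}.{i & 0xff}.1"   # constructed, not real traffic
        bm.add(address)
        bm.add(address)   # duplicates must not change the count
    return distinct, bm.estimate(), bm.memory_bytes()


if __name__ == "__main__":
    for args in ((500, 4096, 1), (1000, 1024, 4)):
        exact, est, size = dispersion_demo(*args)
        print(f"exact={exact} estimate={est:.0f} memory={size} bytes")
```

With scale 4 the 128-byte bitmap stands in for a 4096-slot space, which is why a sensor can afford a dispersion counter per content hash; the price is a noisier estimate, which is acceptable here because the decision is "more than 30 addresses or not", not an exact count.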
Earlybird Cont.
Sensor – 1.6 GHz AMD Opteron 242, Linux 2.6 kernel
Captures using libpcap
Can sift 1 TB of traffic per day and is able to sift 200 Mbps of continuous traffic
Cisco router configured for mirroring
Thresholds
Content prevalence = 3
– 97 percent of signatures repeat two or fewer times
Address dispersion = 30 src and 30 dst
– A lower dispersion threshold will produce more false positives
Garbage collection – several hours
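The sifting loop from the Earlybird Implementation slides, run with the prevalence and dispersion thresholds from this slide, as an added Python example (it is not Earlybird's code; the 16-byte substring window, the three payloads and the RFC 5737 test addresses are constructed for the example, and exact sets are used for dispersion instead of bitmaps):

```python
"""Content sifting: flag payload substrings that are both prevalent and spread
across many sources and destinations. Example written for this page; the
traffic below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 16                 # substring length sifted from each payload (assumption)
PREVALENCE_THRESHOLD = 3    # slide value: content must repeat at least 3 times
DISPERSION_THRESHOLD = 30   # slide value: >= 30 distinct sources and 30 destinations


@dataclass
class ContentStats:
    prevalence: int = 0
    sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


class ContentSifter:
    def __init__(self, window=WINDOW, prevalence=PREVALENCE_THRESHOLD,
                 dispersion=DISPERSION_THRESHOLD):
        self.window, self.prevalence, self.dispersion = window, prevalence, dispersion
        self.table = defaultdict(ContentStats)

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        seen = set()
        for i in range(len(payload) - self.window + 1):
            sub = payload[i:i + self.window]
            if sub in seen:
                continue                      # count a substring once per packet
            seen.add(sub)
            st = self.table[sub]
            st.prevalence += 1
            st.sources.add(src)
            st.destinations.add(dst)

    def lookup(self, sub: bytes):
        st = self.table.get(sub)
        return (0, 0, 0) if st is None else (st.prevalence, len(st.sources), len(st.destinations))

    def signatures(self):
        # Prevalent AND dispersed in both directions; most widely spread first.
        hits = [(sub, st) for sub, st in self.table.items()
                if st.prevalence >= self.prevalence
                and len(st.sources) >= self.dispersion
                and len(st.destinations) >= self.dispersion]
        hits.sort(key=lambda kv: (len(kv[1].sources) + len(kv[1].destinations),
                                  kv[1].prevalence), reverse=True)
        return [sub for sub, _ in hits]


# Constructed payloads (the first echoes the CodeRed II request shown on the slide).
WORM_PAYLOAD = b"GET /default.ida?" + b"X" * 24 + b"%u9090% HTTP/1.0\r\n"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
SCANNER_PAYLOAD = b"GET /robots.txt HTTP/1.0\r\nUser-Agent: crawler-bot/1.0\r\n"


def build_sample_traffic():
    """Constructed (src, dst, payload) packets using RFC 5737 test networks."""
    pkts = []
    # Worm-like: 40 infected sources, identical content, 40 distinct victims.
    for i in range(40):
        for k in range(5):
            pkts.append((f"192.0.2.{i}", f"198.51.100.{(i * 7 + k) % 40}", WORM_PAYLOAD))
    # Popular browser request: prevalent, many servers, but only 5 clients.
    for c in range(5):
        for j in range(100):
            pkts.append((f"203.0.113.{c}", f"198.51.100.{j}", BENIGN_PAYLOAD))
    # One crawler hitting 100 servers: prevalent, one source.
    for j in range(100):
        pkts.append(("203.0.113.250", f"198.51.100.{j}", SCANNER_PAYLOAD))
    return pkts


def run_demo():
    sifter = ContentSifter()
    for src, dst, payload in build_sample_traffic():
        sifter.observe(src, dst, payload)
    return sifter, sifter.signatures()


if __name__ == "__main__":
    sifter, sigs = run_demo()
    print(f"{len(sigs)} candidate signatures, e.g. {sigs[0]!r}")
    print("benign User-Agent window:", sifter.lookup(b"User-Agent: Mozi"))
```

The browser and crawler payloads are more prevalent than the worm content, so prevalence alone would flag them; they drop out only because one side of the dispersion count stays small, which is the point of the two-threshold design and why the slide warns that lowering the dispersion threshold raises false positives.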
Earlybird False Positives
99 percent of FPs are from SMTP header strings and HTTP user agents (whitelist)
SPAM e-mails – distributed mailers and relays
BitTorrent file striping creates a many-to-many download profile
Earlybird – Issues of Concern
SSH, SSL, IPSEC, VPNs – encrypted traffic hides the invariant content from the sifter
Polymorphism
IP source address spoofing
Packet injection
Earlybird – Current State
UCSD -> NetSift -> Cisco
Internet Quarantine – Requirements for Containing Self-Propagating Code
Prevention – managing vulnerabilities
Treatment – disinfection tools, patches
Containment – firewalls, content filters, blacklists. How to completely automate?
Modeling Containment
Reaction time – time necessary for detection
Containment strategy – blacklisting, content filtering
Deployment scenario – how many nodes are participating
Blacklisting vs. Content Filtering
Blacklisting vs. Content Filtering - Aggressiveness
Deployment Scenarios
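The three modeling knobs from the Modeling Containment slide (reaction time, containment strategy, deployment) in a small expected-value simulation, added here as an illustration. It is not the Moore et al. model or code: the logistic spread rule, the vulnerable population, the initial infections, the per-step infection rate and the step counts are all constructed, and "blacklist" and "filter" are simplified readings of the two strategies named on the slides.

```python
"""Expected-value worm spread with containment. Example written for this page.

Model (constructed): each unblocked infected host causes `rate` new infections
per step into a fully susceptible population, scaled by the susceptible fraction.
  none      - nothing is ever blocked.
  blacklist - a host's address is blocked `reaction_time` steps after it was
              infected, but only by the participating `deployment` fraction.
  filter    - a content filter blocks every worm scan at participating nodes
              from `reaction_time` steps after the outbreak begins.
`rate` is kept below 1 so the discrete update is monotone: more unblocked hosts
or more infected hosts never yields fewer infections next step.
"""

STRATEGIES = ("none", "blacklist", "filter")


def simulate(strategy, reaction_time, deployment, vulnerable=100_000,
             initial=10, rate=0.2, steps=200):
    """Return the expected number of infected hosts after `steps` time units."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    infected_at = [float(initial)]   # infected_at[s] = hosts first infected at step s
    total = float(initial)
    for t in range(steps):
        if strategy == "blacklist":
            # Cohorts infected at step s <= t - reaction_time are on the blacklist.
            cutoff = t - reaction_time + 1
            old = sum(infected_at[:cutoff]) if cutoff > 0 else 0.0
            unblocked = (total - old) + (1.0 - deployment) * old
        elif strategy == "filter":
            unblocked = (1.0 - deployment) * total if t >= reaction_time else total
        else:
            unblocked = total
        new = rate * unblocked * (1.0 - total / vulnerable)
        infected_at.append(new)
        total += new
    return total


def compare_strategies(reaction_time, deployment):
    """Final infection count per strategy for one (reaction time, deployment) point."""
    return {s: simulate(s, reaction_time, deployment) for s in STRATEGIES}


if __name__ == "__main__":
    for reaction_time in (20, 30, 40):
        for deployment in (0.5, 1.0):
            r = compare_strategies(reaction_time, deployment)
            print(f"reaction={reaction_time:>3} deployment={deployment:.1f} "
                  + " ".join(f"{s}={v:>9.0f}" for s, v in r.items()))
```

Two things the printout makes concrete: blacklisting lags the worm because every newly infected host gets a free window of `reaction_time` steps before its address is blocked, whereas a content filter stops all new scans at once; and partial deployment only slows growth, so with enough steps the unblocked fraction of the network still carries the worm to saturation.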
References
- The Threat of Internet Worms, Vern Paxson, http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf
- Cooperative Association for Internet Data Analysis (CAIDA), http://www.caida.org
- Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Security 2004
- Wikipedia: computer worms, hashing
- Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute
Thank You!
Discussion...