Transcript Worm - ANTS

IEEE Communications Surveys & Tutorials, 1st Quarter 2008
Outline
- Terminology
- Internet Worms
- Defending Against Internet Worms
- Containment
Terminology
- Activation
  - Activation is when a worm starts performing its malicious activities. Activation
    might be triggered on a specific date or under certain conditions.
- False alarm
  - A false alarm is an incorrect alert generated by a worm detection system.
- False positive
  - A false positive is a false alarm where an alert is generated when there is no
    actual attack or threat.
- False negative
  - A false negative means the detection system missed an attack. It is a false negative
    if no alert is generated while the system is under attack.
- Infection
  - Infection is the result of the worm performing its malicious activities on the host.
- Target finding
  - Target finding is the first step in a worm's life: discovering victims (vulnerable hosts).
Terminology (cont'd)
- Threshold
  - A threshold is a predefined condition that, if met, indicates the existence of
    suspicious traffic or a worm attack.
- Transfer
  - Transfer refers to sending a copy of the worm to the target after the victim
    (target) is discovered.
- Virus
  - A virus is a malicious piece of code that attaches to other programs to propagate.
    It cannot propagate by itself, and normally depends on some user intervention, such as
    opening an email attachment or running an executable file, to be activated.
- Worm
  - A worm is a malicious piece of code that self-propagates, often via network
    connections, exploiting security flaws in computers on the network.
Internet Worms
- Definition: a piece of malicious code that duplicates and propagates by itself.
  Usually, it does not require any human interaction and spreads via network connections.
- Life of a worm
  - Phase 1: target finding
  - Phase 2: worm transferring
  - Phase 3: worm activation
  - Phase 4: infection
  (Slide callout: can be caught by NIDS)
Figure: Categorization of worm characteristics
Worm target finding scheme
- Blind target finding
  1. Sequential
  2. Random
  3. Permutation
  - High failed-connection rate
  - Many anomaly-based detection systems are designed to capture this type of worm.
- Hit list
  - Targets are prescanned stealthily
  - More accurate and may cause more damage
Worm target finding scheme (cont'd)
- Topological
  - Many hosts on the Internet store information about other hosts on the network.
  - Worms use this information to learn the topology of the network and use that as
    the path of infection.
  - Spreads very fast.
- Passive
  - Requires certain host behavior or human intervention to propagate
  - Uses search engines
Worm Propagation Scheme
- Self-carried worms
- Through a second channel
- Embedded propagation
- Botnet
  - A group of compromised hosts under the control of a botmaster.
Worm Payload Format
- Monomorphic worm
  - Worms send the payload in a straightforward, unchanged fashion
- Polymorphic worm
  - Worms change their payload dynamically by scrambling the program
- Metamorphic worm
  - Worms change not only their appearance but also their behavior
Internet Worm Defense
Worm Detection
- Signature Based
  - Traditional technique used for intrusion detection systems (IDSs)
  - Inspects the payload and identifies whether or not it contains a worm
  - Requires an entry in the signature database
- Anomaly Based
  - Detects abnormal behaviors and generates alarms
  - Requires the definition of normal network behavior
Traffic Rate/Connection Count: TCP SYN
- If the number of SYN packets sent from a certain host exceeds a threshold value within
  a period of time, the host is considered to be scanning.
- Pros
  - Able to catch most active scanning worms
- Cons
  - Easy to cause false alarms
  - Not efficient
  - Useless against UDP worms
Failed Connection Counts: TCP RST and ICMP
- Failed connection
  - An attempt to connect to a nonexistent IP address, or to an existing IP address
    with the target port closed
- Detects active scanning worms based on their failed connections
- Pros
  - More efficient and accurate
  - Useful for both TCP and UDP worms
- Cons
  - Not effective against hit list, topological or passive scanning worms
  - ICMP error messages may be blocked or dropped by some border routers or gateway systems
  - Not suitable for large networks
Ratio of Success and Failure Connections
- Instead of counting the failed or successful connection attempts, some believe it is
  the ratio or correlation of successful and failed connections that matters.
- Counting the number of connections, whether successful or not, depends on the Internet
  usage and network size to be effective.
- If the network being monitored is large, this can be very resource consuming.
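The three count-based detectors on this and the two preceding slides (SYN count, failed-connection count, success/failure ratio), as an added example that is not from the slides or the survey, run over constructed connection records; the addresses, window and thresholds are assumptions chosen to show the SYN-count false alarm on a busy legitimate host that the failure-based checks avoid.

```python
from collections import defaultdict

# Constructed connection records: (time_s, src, dst, dport, outcome).
# outcome "syn_ack": target answered; "rst": host up, port closed;
# "icmp_unreach": no such host. Every record is one SYN sent by src.
FLOWS = [
    # A busy but legitimate host: 40 connections, all answered.
    *[(t, "10.0.0.5", f"93.184.216.{t % 20}", 443, "syn_ack") for t in range(40)],
    # A random-scanning worm: 40 probes to port 445, almost all of them fail.
    *[(t, "10.0.0.9", f"10.{t}.{(t * 7) % 256}.1", 445,
       "syn_ack" if t % 20 == 0 else ("rst" if t % 2 else "icmp_unreach"))
      for t in range(40)],
    # A quiet workstation with a single closed-port failure.
    (3, "10.0.0.7", "93.184.216.34", 80, "syn_ack"),
    (9, "10.0.0.7", "93.184.216.35", 80, "rst"),
]

def per_source_counts(flows, window_s=60):
    """Tally SYNs sent, successes and failures per source within one window."""
    stats = defaultdict(lambda: {"syn": 0, "ok": 0, "fail": 0})
    for t, src, _dst, _dport, outcome in flows:
        if t >= window_s:
            continue
        s = stats[src]
        s["syn"] += 1
        if outcome == "syn_ack":
            s["ok"] += 1
        elif outcome in ("rst", "icmp_unreach"):
            s["fail"] += 1
    return stats

def syn_rate_alerts(stats, threshold=30):
    """TCP SYN count: more than `threshold` SYNs in the window means scanning."""
    return sorted(src for src, s in stats.items() if s["syn"] > threshold)

def failed_conn_alerts(stats, threshold=10):
    """Failed connection count: RSTs plus ICMP unreachables over the threshold."""
    return sorted(src for src, s in stats.items() if s["fail"] > threshold)

def failure_ratio_alerts(stats, min_attempts=5, max_success_ratio=0.2):
    """Success/failure ratio: mostly-failing sources, regardless of volume."""
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= min_attempts
                  and s["ok"] / s["syn"] <= max_success_ratio)
```

The SYN-count rule flags both 10.0.0.5 and the scanner 10.0.0.9, while the failed-connection and ratio rules flag only the scanner.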
Destination-Source Correlation
- Based on the correlation between incoming and outgoing traffic
- Pros
  - Able to detect almost all types of scans on the same port
  - Works for both TCP and UDP worms
- Cons
  - Only captures scans from worms targeting the same port
Figure: Illustration of a destination-source correlation scheme
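An added example of the correlation (not code from the slides or the survey): a monitored host that receives a connection on port P and then starts opening outbound connections to port P is flagged as a victim turned scanner. The flow records, the monitored prefix 10.0.0.0/24, the window and the outbound threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (time_s, src, dst, dport). The monitored
# prefix is 10.0.0.0/24; anything else is treated as external.
LOCAL_PREFIX = "10.0.0."
FLOWS = [
    (10, "198.51.100.7", "10.0.0.12", 445),   # inbound connection on 445
    (11, "10.0.0.12", "203.0.113.9", 445),    # same host now connects out on 445
    (12, "10.0.0.12", "203.0.113.10", 445),
    (13, "10.0.0.12", "203.0.113.11", 445),
    (20, "198.51.100.8", "10.0.0.30", 80),    # ordinary inbound web request
    (25, "10.0.0.30", "203.0.113.50", 443),   # outbound on a different port: not correlated
    (30, "10.0.0.40", "203.0.113.60", 22),    # outbound with no prior inbound
]

def is_local(ip):
    return ip.startswith(LOCAL_PREFIX)

def dsc_alerts(flows, window_s=30, min_outbound=3):
    """Flag a local host that, within window_s of receiving a connection on
    port P, opens at least min_outbound connections to port P elsewhere."""
    first_inbound = {}              # (host, port) -> time of first inbound hit
    outbound_count = defaultdict(int)
    alerts = []
    for t, src, dst, dport in sorted(flows):
        if not is_local(src) and is_local(dst):
            first_inbound.setdefault((dst, dport), t)
        elif is_local(src) and not is_local(dst):
            key = (src, dport)
            seen = first_inbound.get(key)
            if seen is not None and t - seen <= window_s:
                outbound_count[key] += 1
                if outbound_count[key] == min_outbound:
                    alerts.append(key)
    return alerts
```

Only the (host, port) pair whose inbound and outbound traffic share the same port is reported, which is exactly the limitation the slide lists under Cons.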
DarkNet/Unused Address Space
- Monitor unused address space instead of used addresses
  - Scanning or connection attempts toward nonexistent addresses are abnormal
    behaviors for a regular network
- Pros
  - Requires significantly fewer resources
  - Works for both TCP and UDP worms
- Cons
  - Not very useful against hit list, topological, or passive scans
Honeypots
- A honeypot is a vulnerable system on the network that does not provide any real services
  - A security resource whose value lies in being probed, attacked, or compromised
- In a normal situation, no traffic is supposed to come toward the honeypot.
- Pros
  - Able to detect both TCP and UDP worms
  - Gathers less but higher quality data
  - Able to detect hit list and topological worms
- Cons
  - Not useful against passive worms
Figure: Honeypot used in worm detection and containment
Unknown Signature Detection Systems
- Signature-based detection systems are vulnerable to unknown attacks.
- To remedy this issue, some algorithms have been proposed to detect unknown attacks by
  generating signatures in real time.
  - Considered anomaly-based
- E.g. 1: Honeycomb
  - Honeypot-based IDS
  - Capable of generating signatures for unknown worms
- E.g. 2: Autograph
  - Relies on unsuccessful scans
  - Automatically generates signatures for TCP worms by analyzing the contents of the
    payload, based on the most frequently occurring byte sequence in the suspicious flows.
Detecting Polymorphic Worms
- Most payload detection algorithms target monomorphic worm payloads only and have no
  defense against polymorphic worms.
- Karp and Song proposed Polygraph
  - Certain payload contents are not changed:
    - Protocol framing bytes
    - Value used for the return address
    - Pointer to overwrite a jump target
  - Divides signatures into tokens
  - Generates tokens automatically and detects worms based on these tokens
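An added example, not code from Honeycomb, Autograph or Polygraph, that contrasts the single most-frequent byte sequence of the previous slide with this slide's invariant tokens, over five constructed instances of a hypothetical polymorphic payload. The framing string, the placeholder return-address and pointer bytes, the filler lengths and the token lengths are all assumptions.

```python
import random

def random_filler(n, rng):
    """Stand-in for the scrambled, per-instance body of a polymorphic worm."""
    return bytes(rng.randrange(256) for _ in range(n))

# Constructed suspicious flows: five instances of one hypothetical worm.
# Invariants follow the slide: protocol framing bytes, a return address
# and a jump-target pointer; everything else is re-encoded per instance.
rng = random.Random(7)
FRAMING = b"GET /index.html HTTP/1.1\r\nHost: "
RET_ADDR = b"\x41\x42\x43\x44"        # placeholder value, not a real address
JMP_PTR = b"\xde\xad\xbe\xef"         # placeholder value, not a real address

def make_instance():
    return (FRAMING + random_filler(24, rng) + RET_ADDR
            + random_filler(16, rng) + JMP_PTR + random_filler(8, rng))

SAMPLES = [make_instance() for _ in range(5)]
NEW_INSTANCE = make_instance()        # not part of the training pool
BENIGN = FRAMING + b"example.test\r\n\r\n"   # an ordinary request

def kgrams(data, k):
    return {data[i:i + k] for i in range(len(data) - k + 1)}

def autograph_signature(samples, k=8):
    """Autograph-style: the single k-byte sequence most frequent across samples."""
    counts = {}
    for s in samples:
        for g in kgrams(s, k):
            counts[g] = counts.get(g, 0) + 1
    return max(counts, key=counts.get)

def polygraph_tokens(samples, min_len=4):
    """Polygraph-style: maximal byte strings present in every sample."""
    common = set()
    for k in range(min_len, min(len(s) for s in samples) + 1):
        shared = set.intersection(*(kgrams(s, k) for s in samples))
        if not shared:
            break
        common |= shared
    # Drop tokens that are contained in a longer common token.
    return sorted(t for t in common if not any(t != u and t in u for u in common))

def matches(tokens, flow):
    """Conjunction signature: every token must occur in the flow."""
    return all(t in flow for t in tokens)
```

The most frequent sequence turns out to be a fragment of the protocol framing that the benign request also contains, while the conjunction of all three tokens matches the fresh instance but not the benign flow.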
Combination usage of detection schemes
- Unknown-signature detection system
  - Takes time to generate signatures, even for worms whose signatures are already defined
- Known-signature detection system
  - Can't detect unknown worms
- Merge them!
Table: Anomaly detection methods vs. worm characteristics
Containment
- Slowing Down Infection
  - Rate limiting techniques
- Blocking
  - Address Blocking
    - When a host is identified as a scanner or victim, any traffic from that host
      address is dropped.
  - Content Blocking
    - If packet content matches a worm signature, the packet is dropped automatically
- Honeypot
  - Trap worms into infecting a simulated machine (the honeypot)
Comments
- No perfect solution to deal with all existing and future worms.
- Efficiency issues