Page 1: Worm Forensics

Chao-Hsien Chu
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]

Learning by Doing: Theory and Practice

Page 2: Virus Structure

Page 3: Compression Virus

Page 4: Virus Classification

• boot sector – the virus infects a master boot record.
• file infector – infects executable files.
• macro virus – macro code.
• encrypted virus – the virus body is encrypted.
• stealth virus – the virus hides itself.
• polymorphic virus – the virus mutates with every infection.
• metamorphic virus – the virus mutates with every infection; it rewrites itself completely at each iteration.

Page 5: Virus Countermeasures

• prevention – ideal solution but difficult
• realistically need:
  – detection
  – identification
  – removal
• if detected but can’t be identified or removed, must discard and replace the infected program

Page 6: Anti-Virus Software

• First generation. Simple scanners which require a virus signature.
• Second generation. Heuristic scanners. Look for fragments of code, the beginning of an encryption loop, integrity checking.
• Third generation. Use activity traps to identify viruses.
• Fourth generation. Include scanning, activity traps and access control activities.
• Generic Decryption (GD)
• Digital Immune System. IBM, Symantec.
• Behavior-Blocking Software. Integrated with the OS and monitors program behavior in real time.

Page 7: Digital Immune Systems

Page 8: Behavior-Blocking Software

Page 9: Worm Defense - Containment (1)

1. Quarantine (Signature-based)
• Blocking traffic from suspected hosts

2. Rate Limiting / Halting
• Temporal throttling (Williamson 2002)
• Implemented in XP SP2

“The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.”

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

Page 10: Proactive Worm Containment (PWC)

Host-based

Page 11: Worm Defense - Containment (2)

3. Content Filtering
• Automatic worm signature generation – “Earlybird” (Singh et al. 2004)
• For novel worms, assumes that even polymorphic worms must exhibit some amount of byte-level similarity and that content prevalence increases during a worm attack

4. Address Randomization
• Anti-hitlist technique (Antonatos et al. 2005) – a hitlist can be made effectively stale using an address change cycle 3-5X longer than the time required to prepare the hitlist

Page 12: Network Based Worm Defense

Page 13: Worm Forensics

An aspect of worm forensics is “attribution”:

“By attack attribution we mean the ability to determine the true source of attack including logical/physical origins, paths taken by the attacker, the computers used and the persons or organizations involved.

There are four levels of useful attack attribution:
1. to the specific hosts involved in the attack
2. to the primary controlling host
3. to the actual human actor
4. to a higher organization with a specific purpose to the attack”

From BAA 03-03-FH
Sponsor: NSA, Advanced Research and Development Agency

Page 14: Attribution Example

Kuraq pays a mercenary named John Smith to run a DDoS attack against a target.

From his home computer in Namibia, John Smith then uses hacker scripts to compromise 15 hosts to act as attack controllers. Each of those attack controllers then breaks into 100 hosts to act as zombies in the attack.

Trace to zombies – L1
Trace to controllers – L2
Trace to Smith – L3
Trace to Smith’s relationship with Kuraq – L4

From BAA 03-03-FH
Sponsor: NSA, Advanced Research and Development Agency

Page 15: Attribution Levels 1 and 2

Level 1 Attribution – IP Traceback
Methods to determine the true IP address in the presence of spoofing
• Various approaches:
  – Messaging – e.g. iTrace – “ICMP traceback”, a new message format identifying the router originating the message
  – Packet Marking – place route information in header extensions or the IP header ID field

Level 2 Attribution – Stepping Stones
Methods to follow an attack through a series of compromised hosts
• Content
  – Earliest approach – character frequencies (Staniford-Chen & Heberlein, 1995)
• Timing
• Watermarking

Page 16: Worm Forensic Problem

The Internet address space consists of 2^4 = 16 addresses. A network telescope monitors the address set {12, 13, 14, 15}. This telescope makes the observations shown below for a worm attack. The worm implements random scanning using the following PRNG:

X_{n+1} = (a * X_n + b) mod m, where a = 3, b = 7 and m = 16.

Task: Reconstruct the infection sequence and its timing.

Assume the following:
• the telescope was functional prior to t=0
• a victim scans once per time tick and starts scanning on the tick following infection using a random initial address
• the infection begins with one host

Note: the notation X→Y means that address X was observed sending attack traffic to address Y.

Telescope Observations:

t   Observations
0   9→15
1   4→13
2   4→14
3   (no observations)
4   0→12
5   9→12; 0→15
6   11→13

(no further monitor information is available beyond t=6)
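
A first step toward this exercise, as an added example that is not part of the slides: the script builds the two orbits of the given LCG and, for each observed source, checks whether all of its hits can lie on a single PRNG trajectory and on which ticks it could have started scanning; a source whose hits cannot be consecutive PRNG outputs is flagged, which is the same orbit test the Witty case study later applies. The reading of the slide's assumptions (one scan per tick, a host's first scan at an unknown random point on an orbit, and any scan of a telescope address before t=0 and through t=6 would have been recorded) is mine.

```python
# Added example, not from the slides: orbit-consistency check for the
# "Worm Forensic Problem" (LCG X_{n+1} = (a*X_n + b) mod m, a=3, b=7, m=16).
A, B, M = 3, 7, 16
TELESCOPE = {12, 13, 14, 15}
LAST_TICK = 6  # no monitor information beyond t=6

# Observations transcribed from the slide: tick -> [(source, target), ...]
OBS = {0: [(9, 15)], 1: [(4, 13)], 2: [(4, 14)], 3: [],
       4: [(0, 12)], 5: [(9, 12), (0, 15)], 6: [(11, 13)]}

def lcg_next(x):
    return (A * x + B) % M

def orbit_of(x):
    """The LCG cycle containing x (for a=3, m=16 there are two cycles of 8)."""
    seq, y = [x], lcg_next(x)
    while y != x:
        seq.append(y)
        y = lcg_next(y)
    return seq

def hits_by_source():
    """source -> sorted [(tick, target), ...] built from OBS."""
    out = {}
    for t, pairs in OBS.items():
        for src, dst in pairs:
            out.setdefault(src, []).append((t, dst))
    return {s: sorted(v) for s, v in out.items()}

def analyse(hits):
    """('orbit', earliest_start, latest_start) if all hits of one source lie on
    a single PRNG trajectory, else ('anomalous', None, None).
    One hit fixes the whole trajectory: target(t) = orbit[(t - t0) % 8].
    Forward: every predicted telescope hit up to LAST_TICK must be observed.
    Backward: the host cannot have been scanning at the last tick before its
    first hit on which it would have hit the (always-on) telescope unseen."""
    t0, d0 = hits[0]
    orb = orbit_of(d0)                      # orb[0] == d0
    predict = lambda t: orb[(t - t0) % len(orb)]
    seen = dict(hits)
    if any(predict(t) != d for t, d in hits):
        return ('anomalous', None, None)
    for t in range(t0, LAST_TICK + 1):
        if predict(t) in TELESCOPE and seen.get(t) != predict(t):
            return ('anomalous', None, None)
    t = t0 - 1
    while predict(t) not in TELESCOPE:
        t -= 1
    return ('orbit', t + 1, t0)

def reconstruct():
    return {src: analyse(hits) for src, hits in hits_by_source().items()}

if __name__ == "__main__":
    for src, (kind, lo, hi) in sorted(reconstruct().items()):
        print(f"host {src:2d}: {kind}" + (f", first scan in ticks [{lo}, {hi}]" if lo is not None else ""))
```

Host 0's two hits (12 at t=4, then 15 at t=5) are not consecutive outputs of either orbit, so it is the candidate for a source that does not scan the orbit; the start windows of the other sources, combined with which hosts could have scanned them on the tick before, are what the infection sequence has to be built from.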

Page 17: Forensic Case Study: Witty Worm

• Data Sources: CAIDA /8 and U Wisconsin /8
• Used disassembled Witty worm code to analyze PRNG structure.
• PRNG state inferred from observed packets
• One source consistently failed to follow the PRNG orbit – Patient Zero (European ISP)

Worm Attribution – Kumar et al. ’05

Kumar, A., Paxson, V., & Weaver, N. (2005). Exploiting underlying structure for detailed reconstruction of an Internet-scale event. Internet Measurement Conference (IMC’05).

Page 18: Witty Worm Timeline

• March 8, 2004: eEye Security discovers a stack overflow vulnerability in the ISS BlackIce/RealSecure IDS products.
• March 9: ISS releases patch
• March 18: eEye announces vulnerability
• March 19: Witty worm is released – 12,000 hosts infected in 75 minutes

Page 19: Witty Worm PRNG Analysis

Witty used a 32-bit PRNG.
• If the entire 32-bit output were used to generate one address, reconstruction of the PRNG state would be trivial.
• Instead Witty used multiple PRNG cycles to generate one address.

Page 20: Case Study: Witty Worm

Witty Worm pseudocode, from Kumar et al. ’05

Page 21: Cracking the Witty PRNG State

Forensic evidence:
• The Witty PRNG implementation is flawed: the orbit misses about 10% of the IPv4 address space.
• A single observed packet gives 3 partial observations of three consecutive PRNG cycles.

PRNG state reconstruction:
• The top 16 bits of each PRNG cycle are known.
• 2^16 possible lower 16 bits of the first cycle.
• Only some of these will be consistent with the observed upper 16 bits of the second cycle.
• Only one of these will be consistent with the observed upper 16 bits of the third cycle.

The full 32-bit state of the first cycle can be determined.
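
The three-step filter described above, as an added example (not code from the slides or from Kumar et al.): it recovers the full 32-bit state from the top 16 bits of three consecutive outputs by enumerating the 2^16 possible low halves and keeping only those consistent with the second and third observation. The LCG constants are an assumption (the MSVC rand() constants that Witty is reported to have used; the slide does not give them), and the observed values are constructed from a known seed so the result can be checked.

```python
# Added example, not from the slides or from Kumar et al.: recover a full
# 32-bit LCG state from the top 16 bits of three consecutive outputs.
# ASSUMPTION: Witty's generator is modelled as the MSVC rand() LCG
# X_{n+1} = (214013 * X_n + 2531011) mod 2^32; the slide gives no constants.
MASK32 = 0xFFFFFFFF
LCG_A, LCG_B = 214013, 2531011

def lcg_step(x):
    return (LCG_A * x + LCG_B) & MASK32

def top16(x):
    return x >> 16

def recover_state(hi0, hi1, hi2):
    """All 32-bit states whose top 16 bits are hi0 and whose next two outputs
    have top 16 bits hi1 and hi2.  Step 1: 2^16 candidates for the unknown low
    half; step 2: keep those consistent with hi1; step 3: keep those also
    consistent with hi2 (for this LCG exactly one survives)."""
    cands = [(hi0 << 16) | lo for lo in range(1 << 16)]
    cands = [x for x in cands if top16(lcg_step(x)) == hi1]
    return [x for x in cands if top16(lcg_step(lcg_step(x))) == hi2]

def partial_observations(seed):
    """Constructed stand-in for one observed packet: the three partial
    (upper-16-bit) observations of consecutive PRNG cycles starting at seed."""
    x1 = lcg_step(seed)
    x2 = lcg_step(x1)
    return top16(seed), top16(x1), top16(x2)

if __name__ == "__main__":
    seed = 0x1234ABCD  # constructed secret state to be recovered
    print([hex(s) for s in recover_state(*partial_observations(seed))])
```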

Page 22: Cracking the Witty PRNG State

Cracking the PRNG state allowed the determination of the uptime of hosts, the number of disk drives of the hosts and host access bandwidth.

Host uptime data and traceroute data were used to speculate that a hitlist of machines at a U.S. military base was targeted, possibly by an ISS insider with knowledge of the vulnerable code installation.

Knowledge of the PRNG orbit allowed for the identification of:
• 404 victims whose addresses were outside the PRNG orbit
  – Implication: possibly hitlist members, or promiscuous scanners
• 1 victim that did not scan the orbit
  – Implication: possible “patient zero”