Upload
lulu
View
13
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Worm Forensics. Chao-Hsien Chu College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu @ist.psu.edu. Theory Practice. Learning by Doing. Virus Structure. Compression Virus. Virus Classification. - PowerPoint PPT Presentation
Citation preview
Chao-Hsien ChuCollege of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
Worm ForensicsWorm Forensics
LearningbyDoing
Theo
ry
Practi
ce
Virus StructureVirus Structure
Compression VirusCompression Virus
Virus ClassificationVirus Classification
• boot sector – The virus infects a master boot record.
• file infector – infect executable files.• macro virus – Macro code.• encrypted virus – the virus was encrypted.• stealth virus – The virus hide itself.• polymorphic virus – The virus mutates with
every infection.• metamorphic virus – The virus mutates with
every infection. The virus rewrites itself completely at each iteration.
Virus CountermeasuresVirus Countermeasures
• prevention - ideal solution but difficult
• realistically need:– detection– identification– removal
• if detect but can’t identify or remove, must discard and replace infected program
Anti-Virus SoftwareAnti-Virus Software
• First –generation. Simple scanners which require a virus signature.
• Second generation. Heuristic scanners. Looking for fragments of code, the beginning of an encryption look, integrity checking.
• Third generation. Use activity traps to identify virus.
• Fourth generation. Include scanning, activity traps and access control activities.
• Generic Decryption (GD)
• Digital Immune System. IBM, Symantec.
• Behavior-Blocking Software. Integrated with OS and monitor program behavior in real time.
Digital Immune SystemsDigital Immune Systems
Behavior-Blocking SoftwareBehavior-Blocking Software
Worm Defense Worm Defense - - ContainmentContainment (1)(1)
1. Quarantine (Signature-based)• Blocking traffic from suspected hosts
2. Rate Limiting / Halting• Temporal throttling (Williamson 2002)• Implemented in XP SP2
“The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.”
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx
Proactive Worm ContainmentProactive Worm Containment (PWC) (PWC)
Host-based
Worm Defense Worm Defense - - ContainmentContainment (2)(2)
3. Content Filtering• Automatic worm signature generation – “Earlybird”
(Singh et al. 2004)• For novel worms, assumes that even polymorphic
worms must exhibit some amount of byte-level similarity and content prevalence increases during a worm attack
4. Address Randomization• Anti-hitlist technique (Antonatos et al. 2005) – hitlist
can be made effectively stale using an address change cycle 3-5X longer than the time required to prepare the hitlist
Network Based Worm DefenseNetwork Based Worm Defense
Worm ForensicsWorm Forensics
An aspect of worm forensics is “attribution”:
“By attack attribution we mean the ability to determine the true source of attack including logical/physical origins, paths taken by the attacker, the computers used and the persons or organizations involved.
There are four levels of useful attack attribution:1. to the specific hosts involved in the attack2. to the primary controlling host3. to the actual human actor4. to a higher organization with a specific purpose to the attack”
From BAA 03-03-FHSponsor: NSA, Advanced Research and Development Agency
Attribution ExampleAttribution Example
Kuraq pays a mercenary named John Smith to run a DDoS Attack against a target.
From his home computer in Namibia, John Smith then uses hacker scripts to compromise 15 hosts to act as attack controllers. Each of those attack controllers then breaks into 100 hosts to act as zombies in the attack.
Trace to zombies L1Trace to controllers L2Trace to Smith L3Trace to Smith’s relationship with Kuraq L4
From BAA 03-03-FHSponsor: NSA, Advanced Research and Development Agency
Attribution Levels 1 and 2Attribution Levels 1 and 2
Level 1 Attribution – IP TracebackMethods to determine true IP address in the presence of spoofing• Various approaches:
•Messaging – e.g. iTrace – “ICMP traceback”, a new message format identifying a router originating the message•Packet Marking – place route information in header extensions or the IP header ID field
Level 2 Attribution – Stepping StonesMethods to follow an attack through a series of compromised hosts• Content
•Earliest approach – character frequencies (Staniford-Chen & Huberlein, 1995)
• Timing• Watermarking
Worm Forensic ProblemWorm Forensic Problem
The Internet address space consists of 24 addresses. A network telescope monitors the address set {12,13,14,15}. This telescope makes the observations shown for a worm attack. The worm implements random scanning using the following PRNG:
Xn+1=a * Xn + b mod m where a=3, b=7 and m=16.
Task: Reconstruct the infection sequence and its timing.
Assume the following:• the telescope was functional prior to t=0• a victim scans once per time tick and starts scanning
on the tick following infection using a random initial address.
• The infection begins with one host
Note: the notation XY means that address X was observed sending attack traffic to address Y.
Telescope Observations:
T Observations0 9151 4132 4143 (no observations)4 0125 912; 0156 1113
(no further monitor information is available beyond t=6)
Forensic Case Study: Witty WormForensic Case Study: Witty Worm
• Data Sources: Caida /8 and U Wisconsin /8• Used disassembled Witty worm code to analyze PRNG structure.• PRNG state inferred from observed packets• One source consistently failed to follow PRNG orbit – Patient Zero
(European ISP)
Worm Attribution – Kumar et al. ‘05
Exploiting underlying structure for detailed reconstruction of an internet-scale event
Kumar, A., Paxson, V., & Weaver, N. (2005)., Internet Measurement Conference (IMC'05).
Witty Worm TimelineWitty Worm Timeline
•March 8, 2004: eEye Security discovers a stack overflow vulnerability in the ISS BlackIce/RealSecure IDS products.
•March 9: ISS releases patch
•March 18: eEye announces vulnerability
•March 19: Witty worm is released – 12,000 hosts infected in 75 minutes
Witty Worm PRNG AnalysisWitty Worm PRNG Analysis
Witty used a 32 bit PRNG
• If the entire 32 bit output were used to generate one address, reconstruction of PRNG state would be trivial
• Instead Witty used multiple PRNG cycles to generate 1 address
Case Study: Witty WormCase Study: Witty Worm
Witty Worm pseudocode, from Kumar et al. ‘05
Cracking the Witty PRNG StateCracking the Witty PRNG State
Forensic evidence:• The Witty PRNG implementation is flawed: the orbit misses about 10% of
the IPv4 address space• A single observed packet packet gives 3 partial observations of three
consecutive PRNG cycles.
PRNG state reconstruction:• The top 16 bits of each PRNG cycle are known
• 216 possible lower 16 bits of the first cycle• Only some of these will be consistent with the observed upper 16 bits
of the second cycle• Only one of these will be consistent with the observed upper 16 bits of
the third cycle
The full 32 bit state of the first cycle can be determined
Cracking the Witty PRNG StateCracking the Witty PRNG StateCracking the PRNG state allowed the determination of the uptime of
hosts, the number of disk drives of the hosts and host access bandwidth
Host uptime data and traceroute data were used to speculate that a hitlist of machines at a U.S. military base were targeted, possibly by an ISS insider with knowledge of the vulnerable code installation
Knowledge of the PRNG orbit allowed for the identification of:• 404 victims whose addresses were outside the PRNG orbit
• Implication: possibly hitlist members, or promiscuous scanners
• 1 victim that did not scan the orbit• Implication: possible “patient zero”