Page 1: WORM PROPAGATION Terry Griffin Sandeep Pinnamaneni Vandana Gunupudi

WORM PROPAGATION

Terry Griffin, Sandeep Pinnamaneni, Vandana Gunupudi

Page 2

Agenda

• Introduction
• Background
• Infamous Worms
• Benchmarks and Metrics
• Requirements
• Summary of Methods
• Conclusion

Page 3

Introduction

What is a worm?
– A piece of software that propagates by exploiting vulnerabilities in software or applications
– Self-propagating: unlike a virus, it needs no host program or user action to move from one host to the next
– Self-replicating
– Spreads easily across the Internet, whose open communication model lets any host talk to any other

Page 4

Classification of Worms

Target Discovery – How does a worm find new hosts to infect?

Carrier – How does it transmit itself to the target?

Activation – How does the worm's code start running on the target?

Payloads – What the worm carries, beyond its propagation code, to achieve its goal

N.Weaver, V.Paxson, et al, “A taxonomy of computer worms”, Proc. Of the ACM workshop on Rapid Malcode, pp.11-18, 2003.

Page 5

Target Discovery

Scanning
– Sequential or random
– Permutation scanning (infected hosts walk a shared pseudo-random permutation of the address space, so they avoid re-probing each other's targets)
– Bandwidth-limited scanning (the worm sends as fast as the link allows; single-packet UDP worms)

Pre-generated target lists
– A "hit-list" of probable victims collected before release

Externally/internally generated target lists
– Topological worm: harvests addresses found on the infected host (the Morris worm read /etc/hosts.equiv and .rhosts)

Page 6

Carrier (Propagation Mechanisms)

Self-carried
– The worm actively transmits its own code as part of the infection process

Second channel
– Requires a secondary communication channel to fetch the worm body
– Example, Blaster: the primary channel is RPC (the exploit); the secondary channel is TFTP (the victim downloads the worm binary)

Embedded
– Appends itself to normal messages or traffic rather than opening connections of its own

Page 7

Activation Mechanism

Human activation
– Slowest activation method: a person must open the attachment or run the file
– Melissa

Human-activity-based
– Triggered as a side effect of normal user activity (logging in, opening a share)
– Windows share worms like Nimda

Scheduled process activation
– The worm is run by a pre-existing scheduled job, e.g. an unauthenticated automatic-update mechanism

Self activation
– Fastest method: the worm runs as soon as the exploit against a network service succeeds

Page 8

Payloads

Code carried by the worm apart from its propagation routines

Empty payload
– Most common: the worm does nothing but spread, and the spread itself is the damage

Internet remote control
– A privileged back door (Code Red II installed one)

Spam relays
– Sobig's Trojan opened an open mail relay

HTTP proxies
– Sobig also distributed web proxies

Internet DoS (Code Red)

Page 9

History of Worms

Source:http://www.sans.org/rr/whitepapers/malicious/1410.php

Page 10

Morris Worm

• Topological worm (November 1988); infected an estimated 6–10% of all Internet hosts
• First large-scale worm; targeted VAX and Sun systems running BSD Unix
• Target discovery
– Topological: hosts harvested from /etc/hosts.equiv, .rhosts and .forward on the infected machine, plus scanning of the local subnet
• Activation
– Self activation
• Propagation mechanism (self carried)
– Exploiting the fingerd buffer overflow (a gets() call into a fixed-size stack buffer), the sendmail DEBUG command, and rsh/rexec with guessed passwords
• Payload
– None; the damage came from hosts being repeatedly reinfected and overloaded

Page 11

Code Red I

July 19, 2001: more than 359,000 computers connected to the Internet were infected by the Code-Red I v2 worm in less than 14 hours

Source: http://www.caida.org

Page 12

Code Red I

• Target discovery
– Random scanning of TCP port 80
• Activation
– Self activation
• Propagation mechanism (self carried)
– Exploiting a buffer overflow in the Indexing Service ISAPI extension of the Microsoft IIS web server
• Payload
– Defacement of websites, then a denial-of-service flood against www1.whitehouse.gov

Page 13

Code Red I

Exploited a buffer overflow in the Indexing Service ISAPI extension of Microsoft IIS Server

Days 1–19 of each month
– Displays a "Hacked by Chinese!" message on English-language servers
– Tries to open connections to infect randomly chosen machines, using 100 threads

Days 20–27
– Stops trying to spread
– Launches a denial-of-service attack on the IP address of www1.whitehouse.gov

Code Red I v1
– July 12, 2001
– Used a static seed for its random number generator
– Every infected computer therefore generated the same list of target IP addresses and kept probing the same hosts
– Not very damaging, spread slowly
– Memory resident (a reboot removed it)

Code Red I v2
– July 19, 2001
– Used a random seed for the random number generator, so each infected host scanned a different set of addresses
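As an added illustration (not part of the original slides) of why the v1 seeding bug mattered, the script below models the two seeding strategies with a generic PRNG and counts how many distinct addresses a population of infected hosts probes in total. Python's PRNG, the population size and the 32-bit address format are assumptions for the demo; nothing is sent on the network.

```python
"""Added example (not from the slides): why a static PRNG seed cripples a
scanning worm.  Code Red I v1 seeded its random number generator with a
constant, so every infected host generated the same target sequence; v2 used
a per-host seed.  Nothing here touches the network: the 'address space' is
the set of 32-bit integers and Python's PRNG stands in for the worm's
generator (an assumption for the demo, not the worm's own code)."""
import random
import socket
import struct


def targets(seed, n):
    """The first n 32-bit target addresses a host seeded with `seed` would probe."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def unique_targets(seeds, probes_per_host):
    """Distinct addresses probed by a whole population, one seed per infected host."""
    seen = set()
    for seed in seeds:
        seen.update(targets(seed, probes_per_host))
    return len(seen)


def static_seed_population(hosts, probes_per_host, seed=0x1234):
    """v1 behaviour: every host uses the same constant seed."""
    return unique_targets([seed] * hosts, probes_per_host)


def random_seed_population(hosts, probes_per_host, master_seed=7):
    """v2 behaviour: every host gets its own seed (drawn reproducibly here)."""
    master = random.Random(master_seed)
    return unique_targets([master.getrandbits(32) for _ in range(hosts)], probes_per_host)


def coverage_ratio(hosts, probes_per_host):
    """Distinct targets reached by the per-host-seed population per distinct
    target reached by the static-seed population of the same size."""
    return random_seed_population(hosts, probes_per_host) / static_seed_population(hosts, probes_per_host)


def dotted(addr):
    """Render a 32-bit integer as a dotted quad for display."""
    return socket.inet_ntoa(struct.pack("!I", addr))


if __name__ == "__main__":
    hosts, probes = 1000, 100
    print("static seed:", static_seed_population(hosts, probes), "distinct targets")
    print("random seed:", random_seed_population(hosts, probes), "distinct targets")
    print("first v1 targets (identical on every host):", [dotted(a) for a in targets(0x1234, 3)])
```

With a shared seed, adding infected hosts adds no new targets: 1,000 hosts probing 100 addresses each still cover only 100 addresses, so the population's effective scanning rate stays flat no matter how large it grows. With per-host seeds the same population covers close to 100,000 addresses, which is the difference between v1 and v2 spread.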

Page 14

Code Red Damage

• 359,000 hosts infected within a 24-hour observation window (most of them in under 14 hours)
• Between 11:00 and 16:00 UTC the growth was exponential
• About 2,000 hosts were being infected per minute at the peak of the infection rate (16:00 UTC)

Page 15

Nimda (September 18, 2001)

• Target discovery
– Scanning (IIS servers), email address books, open network shares, and web clients visiting infected servers
• Activation
– Self activation on servers; user action (opening mail, browsing) on clients
• Propagation mechanism (self carried)
– Exploiting directory-traversal ("Unicode") vulnerabilities in Microsoft IIS and the backdoors left behind by Code Red II; no buffer overflow was involved
• Payload
– Modifies web pages on infected servers so that visiting browsers are served the worm; no separate destructive payload
• Multi-mode spreading:
– Attacks IIS servers from infected clients
– Emails itself to the address book, like a virus
– Copies itself across open network shares
– Modifies web pages on infected servers with a client exploit
– Scans for the Code Red II backdoor
• Spread across firewalls: the email and web-client vectors reached hosts that firewalls shielded from inbound scanning

Page 16

SASSER Worm (2004)

April 29, 2004

Target discovery
– Random scanning of IP addresses on TCP port 445
– Can scan up to 1,024 addresses simultaneously

Mode of transmission
– Buffer overflow in the Windows Local Security Authority Subsystem Service (LSASS), MS04-011
– The exploit opens a command shell on the victim (TCP 9996), which then downloads the worm binary over FTP from the attacking host (TCP 5554): a second-channel carrier

Payload
– Rootkit potential
– Escalation of privileges: the exploited LSASS process runs as SYSTEM, and its crash forces the victim to reboot

Page 17

Witty (2004)

March 19, 2004
• Buffer overflow vulnerability in the Protocol Analysis Module (PAM) of Internet Security Systems (ISS) products
• A single UDP packet exploits the flaw in the passive analysis of ICQ traffic performed by ISS products (BlackICE, RealSecure)
• "Bandwidth-limited" UDP worm like Slammer
• Vulnerable population (about 12,000 hosts) infected in 75 minutes
• Payload: slowly corrupts random disk blocks, so infected hosts eventually fail
• Released one day after the vulnerability was announced
• Detailed telescope analysis revealed that the worm targeted a US military base and was launched from a European retail ISP account

Page 18

Other Worms

Network.vbs, February 2000
• This worm had no payload and spread via unprotected Windows shares.

Ramen, January 2001
• This worm targeted Red Hat Linux systems via exploits that were 4–7 months old and, aside from defacing web pages, did not appear to be particularly malicious.
• However, as noted by the Linux Weekly News, multicast traffic was affected as a byproduct of the worm's scanning mechanism, resulting in degraded service over the MBONE for both unicast and multicast traffic.

Page 19

Network.vbs Worm

The Network.vbs worm propagates via unprotected Windows shares. The process, as described in CERT Incident Note IN-2000-02, is as follows:

1. Perform a pseudo-random IP scan, looking for hosts with Windows file sharing enabled.
2. Attempt to mount the share named "C" as local drive J.
3. If the mount succeeds, copy the network.vbs script into the "Startup" program group.

Provided that the above succeeds, the worm is executed the next time someone logs into the system (human-activity-based activation). The QAZ worm uses a similar mechanism, enumerating hosts within the "Network Neighborhood" and replacing notepad.exe with the worm binary.

Page 20

ADM Worm

• The ADM worm propagates via a buffer overflow in Unix systems running DNS server daemons derived from version 4.9.6 of the ISC BIND code.
• The worm performs an incremental IP scan, starting from a random IP address, looking for DNS servers that support the IQUERY (inverse query) command. When such a server is found, the worm attempts to exploit a buffer overflow in IQUERY response processing which, if successful, lets the worm create an account for itself on the exploited host along with a setuid-root shell.
• This account and shell are used to transfer the worm's tarball to the targeted host via FTP, at which point the tarball is untarred and the worm is executed on the target host, beginning the propagation process all over again.

Page 21

ADM Worm

ADM and other early worms (Millennium, Ramen, li0n and Sadmind specifically) are composed of the following components:

• IP scanner: a mechanism for selecting IPs to target.
• One or more exploits: pre-existing, programmatic-attack-type exploits used by the worm to gain access to, and escalate its privilege level on, the targeted system.
• Propagation mechanism: the logic needed to move the worm archive from system to system, usually via FTP or TFTP.
• Glue/misc scripts: tie the other components together and provide worm-specific functionality.

Page 22

Slammer Worm – Before

Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

Page 23

Slammer Worm - After

Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

Page 24

SQL Slammer

• The Slammer worm (also called the Sapphire worm) consists of an IP scanner combined with an exploit for MS SQL Server, written in 376 bytes of code.
• Slammer exploited a connectionless UDP service (the SQL Server Resolution Service on UDP port 1434) rather than a connection-oriented TCP service, so no handshake was needed before the exploit fired.
• The entire worm fit in a single packet!
• The worm infected 75,000+ hosts in 10 minutes (despite a broken random number generator).
– At its peak, the infected population doubled every 8.5 seconds

Page 25

Slammer Worm

• Propagation speed was Sapphire's novel feature: in the first minute, the infected population doubled in size every 8.5 (±1) seconds.

• The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed somewhat because significant portions of the network did not have enough bandwidth to let it operate unhindered. Most vulnerable machines were infected within 10 minutes of the worm's release. Although worms with this rapid propagation had been predicted on theoretical grounds, the spread of Sapphire was the first real incident demonstrating the capabilities of a high-speed worm.

• By comparison, it was two orders of magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19, 2001: the Code Red worm population had a leisurely doubling time of about 37 minutes.

Page 26

General Model of Worm Propagation

Source:http://www.sans.org/rr/whitepapers/malicious/1410.php

Page 27

Summary of Worm Propagation

Worm propagation can be broadly described by the 3 (or 4) step process illustrated in the figure before:

0.) Initial infection: the model begins with the presumption that there exists a system that is already infected by the worm and that the worm is active on this system.

1.) Target acquisition: in order to propagate, the worm must find additional systems to infect. Worms may actively target systems using:
a. IP addresses
b. Email addresses
c. File system traversal
It should also be noted that worms may passively target client systems, e.g. the trojaned web content delivered by web servers infected with the Nimda worm.

Page 28

Worm Propagation

2.) Delivery of hostile code: once a system has been targeted, the worm must be transferred to the targeted system in preparation for infection. Code delivery has been observed to take place via:
a. Network file systems
b. Email
c. Web clients
d. Remote command shell (or equivalent)
e. As part of the packet payload associated with buffer overflows and similar programmatic exploits

3.) Execution of hostile code: the presence of hostile code on a system is not sufficient for worm propagation; execution of the code must be triggered in some fashion. Code may be executed via:
a. Direct invocation from the command line (or equivalent)
b. Buffer overflow or other programmatic attack
c. Email clients
d. Web clients
e. User intervention
f. Automatic execution by the target system

4.) Some worms transfer only a portion of their code in step 2. In that case they must transfer the remaining code once the target system has been compromised. This can be achieved via:
a. FTP/TFTP
b. Network file systems

Page 29

Benchmarks and Metrics

Infection size
– Percentage of nodes infected

Reaction time
– Time between detection of a worm and deployment of worm control measures
– Obviously, the lower the better

Penetration ratio
– Number of nodes infected compared to the size of the possible domain (the vulnerable population)
– Related to infection size

False positives/negatives
– Of the detection mechanism: legitimate traffic blocked versus worm traffic missed

Page 30

Propagation Countermeasures

The analysis below examines each step in the propagation model in detail to determine what countermeasures, if any, prove effective.

Target acquisition: the specific targeting mechanism varies based on the means by which the hostile code will be delivered to the target system.

1.) IP scanning:

The most popular method for targeting systems to date seems to be IP scanning.

Page 31

Target Acquisition

The most basic scanning algorithm is as follows:
1. Generate an IP address.
2. Perform local setup for network communication.
3. Attempt to connect to the targeted system by sending a TCP SYN packet to <Targeted IP Address>:<Port of Targeted Service>.
a.) If a TCP SYN-ACK packet is received, then the remote system at <Target IP> is listening on <Port of targeted service>. Send an ACK packet to complete the handshake and proceed with the transfer of hostile code.
b.) Receipt of any other type of packet from <Target IP> (typically an RST), or failure to receive any packet after a certain number of tries, indicates that the targeted service is not available for some reason. Return to step 1.

Page 32

Target Acquisition

• The simplest countermeasure to deploy is also the most effective: unneeded services should be turned off. In this situation the infected host sends a SYN packet that is received by the target host as usual. However, since the service is turned off, there is no process listening on the destination port of the target host.

• The proper response in this situation is for the target host to send back an RST packet, the receipt of which tells the infected host that the targeted service is unavailable, causing the infected host to move on to the next target (loop).

Page 33

Target Acquisition

In a typical network configuration a firewall is deployed somewhere on the network path between the infected host and the target host, as shown in the figure below. When the infected host sends a SYN packet to the target host, the packet is first intercepted by the firewall. The firewall is configured to prevent most systems from accessing services on the target host, which it achieves by silently discarding the SYN packet. The infected system will generally send several more SYN packets that are treated in the same manner, after which the infected system will assume that the targeted service is unavailable and move on to the next target. A silent drop also costs the scanner more time than an RST does, because it must wait out its retransmission timeouts before giving up on each address; a firewall that drops rather than rejects therefore slows a TCP scanning worm as well as blocking it.

Source:http://www.sans.org/rr/whitepapers/malicious/1410.php
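The scanning loop on the previous slides and the two defender responses (an RST from a host with no listener, silence from a dropping firewall) leave a signature in connection logs: a scanning source accumulates far more failed attempts to distinct destinations than a legitimate client. The detector below, an added example that is not part of the original slides, summarises per-source outcomes from a flow log and flags sources whose failed-connection ratio and destination spread exceed thresholds. The log format (src dst dport outcome), the thresholds and the sample records are all constructed for this example.

```python
"""Added example (not from the slides): flagging scanning hosts from connection
outcomes.  A worm's probe loop produces, per source, a stream of SYNs to many
distinct destinations, most answered by an RST (no listener) or by nothing at
all (firewall drop).  A legitimate client mostly gets SYN-ACKs from a handful
of servers.  The log format (src dst dport outcome), the thresholds and the
sample records below are constructed for this example."""
from collections import defaultdict


def _build_sample_log():
    """Constructed flow records: one scanner, one normal client, one small noisy source."""
    lines = []
    # Scanner 10.0.0.9 sweeps 10.0.2.1-10.0.2.30 on TCP 445: two live hosts,
    # RSTs from closed ports, silence from addresses behind a dropping firewall.
    for i in range(1, 31):
        if i % 15 == 0:
            outcome = "synack"
        elif i % 2:
            outcome = "rst"
        else:
            outcome = "timeout"
        lines.append(f"10.0.0.9 10.0.2.{i} 445 {outcome}")
    # Normal client 10.0.0.5: repeated successful connections to three web servers, one RST.
    for i in range(12):
        lines.append(f"10.0.0.5 10.0.1.{1 + i % 3} 80 synack")
    lines.append("10.0.0.5 10.0.1.4 443 rst")
    # 10.0.0.7: nine failed attempts, too few to judge at the default min_attempts.
    for i in range(1, 10):
        lines.append(f"10.0.0.7 10.0.3.{i} 22 timeout")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_flow(line):
    """One record: source, destination, destination port, handshake outcome."""
    src, dst, dport, outcome = line.split()
    return src, dst, int(dport), outcome


def summarize(log_text):
    """Per-source attempt counts, failures, and destination/port spread."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, outcome = parse_flow(line)
        s = stats[src]
        s["attempts"] += 1
        s["dsts"].add(dst)
        s["ports"].add(dport)
        if outcome != "synack":          # RST and timeout both count as failed probes
            s["failed"] += 1
    return stats


def flag_scanners(log_text, min_attempts=10, max_fail_ratio=0.5, min_distinct_dsts=8):
    """Sources with enough attempts, a high failure ratio and many distinct targets."""
    flagged = {}
    for src, s in summarize(log_text).items():
        if s["attempts"] < min_attempts:
            continue                     # not enough evidence yet
        ratio = s["failed"] / s["attempts"]
        if ratio >= max_fail_ratio and len(s["dsts"]) >= min_distinct_dsts:
            flagged[src] = {
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
                "distinct_dsts": len(s["dsts"]),
                "ports": sorted(s["ports"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(SAMPLE_LOG).items():
        print(f"scanner {src}: {info}")
```

Timeouts and RSTs are counted alike, so the detector sees a firewall's silent drops as clearly as a host's RSTs. The minimum-attempts floor is what keeps the nine-probe source unflagged: lowering it trades reaction time for false positives, which is exactly the benchmark trade-off from the Benchmarks and Metrics slide.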

Page 34

Hostile Code Delivery

E-mail: Code delivery via email is a favorite mechanism of worms and worm-like viruses. The process begins with the worm composing a message containing hostile code and attempting to send that message to the targeted email address.

Source:http://www.sans.org/rr/whitepapers/malicious/1410.php

Page 35

Hostile Code Delivery

The configuration in the figure below forces the infected system to deliver email via the designated relay and, furthermore, forces that email to be received by the designated mail exchange, significantly reducing the number of potential delivery paths that the system administrator must monitor and giving a single point at which attachments can be filtered.

source:http://www.sans.org/rr/whitepapers/malicious/1410.php

Page 36

Hostile Code Delivery

Web clients: forcing clients to use a designated proxy for web communication causes web content delivery to take the form shown in the figure below. Clients send requests for web content to the proxy, which forwards the request to the appropriate web server. The web server, in turn, provides the proxy with the requested content, which the proxy sends back to the requesting client. As with the mail relay, the proxy becomes the single point at which hostile content can be inspected or blocked.

source:http://www.sans.org/rr/whitepapers/malicious/1410.php

Page 37

Execution of Hostile Code

Email clients: there are a number of mechanisms by which an email client can be induced to execute hostile code. They fall into three classes:

1.) Programmatic attack: an exploit against a bug in the client itself, e.g. a buffer overflow in header or MIME parsing

2.) Rendering by-product: code that runs as a side effect of the client displaying the message, e.g. an attachment auto-executed because of a mis-declared MIME type (the vector Nimda used)

3.) User intervention: the user opens the attachment (Melissa)

Page 38

Additional Code Transfer

• Some worms transfer additional code from the infected system to the target system once the initial exploit of the target is complete.

• Unfortunately, if the worm gets this far there is likely little that can be done to prevent its spread. At this point both the infected host and the targeted host are completely compromised, so any preventive measures must be deployed between these two systems.

• Once again, an appropriately configured firewall may prevent the complete propagation of the worm: if the victim cannot reach the attacker's FTP/TFTP server, the second-stage download fails. This underscores the importance of having a well-configured policy regarding outgoing connections in addition to incoming connections.

Page 39

Summary

 is the number of hosts infected at a given time.

 is the pairwise rate of infection.

 is the infection rate.

As we can see from the previous slides, the spread is phenomenal.
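The equation itself did not survive on this slide, only its term definitions. As an added worked example (not from the slides), the code below uses the random-constant-spread model from reference 7 (Staniford, Paxson and Weaver), in which the infected fraction a(t) of the vulnerable population obeys da/dt = K a (1 − a) with K the per-host infection rate; taking that as the model the slide was showing is an assumption. It turns the doubling times quoted earlier (37 minutes for Code Red, 8.5 seconds for Slammer) into K and into the time needed to reach most of the vulnerable population.

```python
"""Added example (not from the slides): the random-constant-spread (RCS)
model of worm growth from Staniford, Paxson and Weaver (reference 7), used
here as a stand-in for the slide's equation (an assumption).

    da/dt = K * a * (1 - a)

a(t) is the fraction of the vulnerable population infected at time t, and K
is the rate at which one infected host compromises new hosts early on, when
almost every probe hits an uninfected machine.  The closed-form solution is
the logistic curve; a forward-Euler simulation is kept to show they agree."""
import math


def rate_from_doubling(doubling_time):
    """Early on a(t) ~ a0 * exp(K t), so doubling every D seconds means K = ln2 / D."""
    return math.log(2) / doubling_time


def infected_fraction(t, k, a0):
    """Logistic solution of the RCS equation with a(0) = a0."""
    growth = a0 * math.exp(k * t)
    return growth / (1.0 - a0 + growth)


def time_to_fraction(target, k, a0):
    """Seconds until the infected fraction first reaches `target` (0 < a0 < target < 1)."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def simulate(k, a0, t_end, dt):
    """Forward-Euler integration of da/dt = K a (1 - a); returns a(t_end)."""
    a = a0
    for _ in range(int(t_end / dt)):
        a += dt * k * a * (1.0 - a)
    return a


def outbreak_summary(name, doubling_time, vulnerable_hosts, target=0.9):
    """K and the time to infect `target` of the population, starting from one host."""
    k = rate_from_doubling(doubling_time)
    a0 = 1.0 / vulnerable_hosts
    return {"worm": name, "K_per_second": k, "seconds_to_target": time_to_fraction(target, k, a0)}


if __name__ == "__main__":
    # Figures from the slides: Code Red doubled every ~37 min and reached ~359,000 hosts;
    # Slammer doubled every ~8.5 s and reached ~75,000 hosts.
    for name, d, n in (("Code Red I v2", 37 * 60, 359_000), ("Slammer", 8.5, 75_000)):
        s = outbreak_summary(name, d, n)
        print(f"{s['worm']}: K={s['K_per_second']:.2e}/s, 90% infected after {s['seconds_to_target'] / 60:.1f} min")
    k, a0 = rate_from_doubling(37 * 60), 1 / 359_000
    print("Euler vs closed form at 6 h:", simulate(k, a0, 6 * 3600, 1.0), infected_fraction(6 * 3600, k, a0))
```

With the slide's own numbers the model puts Code Red at 90% of its vulnerable population about 13.3 hours after a single initial infection, consistent with the "less than 14 hours" reported earlier. For Slammer it predicts under three minutes; the observed ten minutes is longer because the model assumes unlimited bandwidth, and the Slammer slides note that the network saturated after about three minutes.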

Page 40

Summary

Breakdown of a typical current-day worm:
• Reconnaissance capabilities
• Specific attack capabilities
• A command interface
• Communications capabilities
• Intelligence capabilities
• Unused attack capabilities

Page 41

Summary

Reconnaissance capabilities
• Automated sweeps and scans to identify possible victims
• Determine the best method to infect each new victim (if possible)

Page 42

Summary

Specific attack capabilities
• The method by which the worm gains entry
– buffer overflows
– cgi-bin errors
• The attack portion of the code has two parts
– a component which runs on the infected host
– a component which looks for new hosts

Page 43

Summary

A command interface
• A node is only worthwhile if it can be used
– Interactive interface (direct login)
– Automatic interface (parent/child)

Page 44

Summary

Communications capabilities
• Worm nodes typically reside on different systems, so a method of communication between them is necessary
• Transfer of information
• Typically hidden

Page 45

Summary

Intelligence capabilities
• A possible distributed effort, with all infected machines working together
• The worm must
– Know who is infected: can be achieved with an update message or email to a central point, reporting the network address and system type
– Know how to contact them: IRC chat lines, direct login

Page 46

Summary

Unused attack capabilities
• Multiple attack methods allow for more flexibility
• Send only the necessary payload (specific attack)

Page 47

Future

Future: worms will change
• Infection mechanisms will become smarter
• Use of network topology to their advantage
• Stealthier communication methods
• Smarter target selection
• More dynamic behavior

Page 48

Future

Typical defense (the obvious stuff)
• Patch, patch, patch
• Defense in depth
• IDS and response mechanisms

Page 49

Future

New detection strategies
• Monitor shifts in traffic
• Anomaly detection
• Exploit flaws in the worm's own network behavior

Page 50

Conclusions

1. With the current Internet design, defense against future worms will be labor-intensive.

2. The infrastructure itself needs to assist with detecting Internet worms.

3. A proper design could mimic a multi-level security system.

Page 51

References

1. http://www.sans.org/rr/whitepapers/malicious/1410.php
2. http://www.cs.berkeley.edu/~nweaver/sapphire/
3. http://www.securityfocus.com/infocus/1752
4. http://www.icir.org/vern/papers/cdc-usenix-sec02/
5. D. M. Kienzle and M. C. Elder, "Recent worms: a survey and trends", Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 1-10.
6. N. Weaver, V. Paxson, et al., "A taxonomy of computer worms", Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 11-18.
7. S. Staniford, V. Paxson and N. Weaver, "How to Own the Internet in Your Spare Time", Proceedings of the USENIX Security Symposium, pp. 149-167, 2002.
8. C. C. Zou, L. Gao, W. Gong and D. Towsley, "Monitoring and Early Warning for Internet Worms", Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003.
9. J. Nazario, "The Future of Internet Worms", Crimelabs Research: www.crimelabs.net