8/2/2019 Lecture Worm Detection
1/37
Active Worm and Its Defense 1
Active Worm and Its Defense
CSE651: Network Security
Worm vs. Virus
- Worm: a program that propagates itself over a network, reproducing itself as it goes
- Virus: a program that searches out other programs and infects them by embedding a copy of itself in them
Active Worm vs. [D]DoS
DDoS stands for Distributed Denial of Service attacks. The two differ in:
- Propagation method
- Goal: congestion, resource appropriation
- Rate of distribution
- Scope of infection
History
http://snowplow.org/tom/worm/history.html
- Morris Worm, the first worm virus, released on November 2, 1988 by Robert Tappan Morris, who was then a 23-year-old doctoral student at Cornell University
- Code-Red worm in July 2001 infected more than 350,000 Microsoft IIS servers. The attack finished in 14 hours
- Slammer worm in January 2003 infected nearly 75,000 Microsoft SQL servers. The attack finished in less than one hour
- MyDoom worm in February 2004 infected lots of hosts, which automatically and successfully DDoS attacked a few popular websites
The Morris Worm of 1988
- First worm program
- Released by Robert T. Morris of Cornell University
- Affected DEC's VAX and Sun Microsystems' Sun 3 systems
- Spread to ~6000 victims, i.e., 5-10% of hosts at that time; more machines were disconnected from the net to avoid infection
- Cost: some estimate $98 million; other reports:
Recent Worms
- July 13, 2001: Code Red V1
- July 19, 2001: Code Red V2
- Aug. 04, 2001: Code Red II
- Sep. 18, 2001: Nimda
- Jan. 25, 2003: SQL Slammer
- More recent: SoBig.F, MSBlast
How an Active Worm Spreads
- Autonomous
- No need of human interaction
[Figure: an infected machine scans and probes a target machine, then transfers a copy of itself to it]
Basic Propagation Method
- Network worm: uses port scans to find vulnerabilities of the targets
- Application worm: propagates through email, instant messaging, file sharing on operating systems, P2P file sharing systems, or other applications
- Hybrid worm
Delivery Method
How is worm code delivered to vulnerable hosts?
- Self-contained self-propagation: each newly infected host becomes a new source and sends the worm code to the hosts it infects
- Embedded: embedded in infected files, such as emails or shared files
- Second channel: the newly infected host uses a second channel such as TFTP (Trivial File Transfer Protocol) to download the worm code from a central source
Scanning Strategy (1)
- Random scanning: probes random addresses in the IP address space (CRv2)
- Selective random scanning: a set of addresses that more likely belong to existing machines can be selected as the target address space
- Hitlist scanning: probes addresses from an externally supplied list
- Topological scanning: uses information on the compromised host (email worms)
- Local subnet scanning: preferentially scans targets that reside on the same subnet (Code Red II & Nimda worm)
Scanning Strategy (2)
- Routable scanning: chooses routable IP addresses as the targets of the scan
- DNS scanning: chooses hosts with DNS names as the targets of the scan
- Permutation scanning: each newly infected host gets a different IP address block
Synchronization between Infected Hosts (or Worm Instances)
- Asynchronized: each infected host behaves individually, without synchronization with other infected hosts
- Synchronized: infected hosts are synchronized with each other, e.g., by a central server
Propagation Activity Control
- Non-stopping: keeps port scanning and never stops
- Time control: presets a stopping timer and a restart timer and uses those timers to control the port scan activities
- Self-adjustment: self-control according to the environment (Atak worm) or the estimation of the number of infected hosts (Self-Stop worm)
- Centralized control: controlled by the attacker
Scan Rate
- Constant scan rate: each infected host keeps a constant scan rate, which is limited by the computation ability and outgoing bandwidth of the host
- Random varying scan rate: randomly changes the scan rate
- Smart varying scan rate: changes the scan rate according to certain rules, the attack policy and the environment
- Controlled varying scan rate: changes the scan rate according to the attacker's control commands
Modularity
- Non-modular
- Modular: uses a modular design in the worm code, so that new attack modules can be sent to the infected hosts and plugged in after the infection
Organization
- Decentralized: there is no organization or cooperation among infected hosts, and there is no communication between the infected hosts and the attacker
- Centralized organization: organized by Internet Relay Chat (IRC) or other methods, like botnets do, so that the attacker can control the infected hosts
Payload with the worm code
- Spamming: code capable of carrying out spamming
- DDoS attack: code capable of carrying out DDoS attacks
- Sniffing: code capable of watching for interesting clear-text data passing by the infected hosts
- Spyware: spyware code
- Keylogging: code capable of recording and retrieving the passwords on the infected hosts
- Data theft: code capable of stealing private data
Techniques for Exploiting Vulnerability
- fingerd (buffer overflow)
- sendmail (bug in the debug mode)
- rsh/rexec (guess weak passwords)
Active Worm Defense
- Modeling
- Infection Mitigation
Worm Behavior Modeling (1)
Propagation model:
$$\frac{di(t)}{dt} = r \cdot \frac{V}{N} \cdot i(t)\,\bigl(1 - i(t)\bigr)$$
- V is the total number of vulnerable nodes
- N is the size of the address space
- i(t) is the percentage of infected nodes among V
- r is the scan rate of the worm
The equation follows from counting new infections in an interval dt: the infected hosts send $r\,i(t)\,V\,dt$ scans, and each scan hits an uninfected vulnerable host with probability $(1 - i(t))\,V/N$, so
$$V\,di(t) = \bigl(r \cdot i(t) \cdot V \cdot dt\bigr) \cdot \bigl(1 - i(t)\bigr) \cdot \frac{V}{N}$$
Worm Behavior Modeling (2)
Propagation model (discrete time):
- M(i): the number of overall infected hosts at time i
- N(i): the number of un-infected vulnerable hosts at time i
- E(i): the number of newly infected hosts from time tick i to time i+1
- T: the total number of IP addresses, i.e., 2^32 for IPv4
- N(0): the number of vulnerable hosts on the Internet before the worm attack starts
- E(0) = 0, M(0) = M0
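A simulation of the discrete-time model above, added here as an example (it is not code from the lecture). It uses the slide's symbols M(i), N(i), E(i), T and r, and assumes the expected-value form of uniform random scanning for the per-tick update, with a Code-Red-sized population (360,000 vulnerable hosts) as constructed input.

```python
"""Discrete-time propagation model with the slide's symbols: M(i) infected,
N(i) uninfected vulnerable, E(i) newly infected in tick i, T address-space
size, r scans per host per tick. Added example, not from the lecture; the
update rule is the expected-value form of uniform random scanning, assumed
here: each of the r*M(i) scans lands on a given address with probability
1/T, so a vulnerable host stays uninfected through the tick with
probability (1 - 1/T)**(r*M(i))."""
import math
from dataclasses import dataclass

@dataclass
class Tick:
    i: int
    M: float   # infected hosts at the start of tick i
    N: float   # uninfected vulnerable hosts at the start of tick i
    E: float   # hosts newly infected during tick i

def simulate(N0, M0, r, T=2 ** 32, max_ticks=20_000):
    """Run until every vulnerable host is infected (N < 0.5) or max_ticks."""
    M, N, history = float(M0), float(N0), []
    for i in range(max_ticks):
        # P(one uninfected host is hit at least once); expm1/log1p keep precision for 1/T ~ 2e-10
        p_hit = -math.expm1(r * M * math.log1p(-1.0 / T))
        E = N * p_hit
        history.append(Tick(i, M, N, E))
        M, N = M + E, N - E
        if N < 0.5:
            break
    return history

def ticks_to_fraction(history, frac):
    """First tick at which M(i) reaches frac of all vulnerable hosts (M + N is constant)."""
    total = history[0].M + history[0].N
    return next((t.i for t in history if t.M >= frac * total), None)

def early_growth_factor(N0, r, T=2 ** 32):
    """E(i+1)/E(i) while almost everything is still uninfected: 1 + r*N0/T."""
    return 1 + r * N0 / T

if __name__ == "__main__":
    hist = simulate(N0=360_000, M0=1, r=600)   # constructed: 600 scans/host/tick
    print("ticks to 50%:", ticks_to_fraction(hist, 0.5), "to 90%:", ticks_to_fraction(hist, 0.9))
```

The run shows the slide's point: E(i) grows geometrically by the factor 1 + r*N0/T while N(i) is nearly untouched, peaks when M(i) and N(i) are comparable, and then decays as uninfected hosts run out.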
Modeling P2P-based Active Worm Attacks
Basic worm attack strategy:
- Pure Random-based Scan (PRS): randomly selects the attack victim; adopted by Code-Red-I and Slammer
P2P-based attack strategies:
- Offline P2P-based Hit-list Scan (OPHLS)
- Online P2P-based Scan (OPS)
Both strategies exploit P2P system features
Background: P2P Systems
- Host-based overlay system
- Structured and unstructured
- Rich connectivity
- Very popular: 3,467,860 users in the FastTrack P2P system; 1,420,399 users in the eDonkey P2P system; 1,155,953 users in the iMesh P2P system; 103,466 users in the Gnutella P2P system
Two P2P-based Worm Attack Strategies
Offline P2P-based Hit-list Scan (OPHLS):
- Offline, collect P2P host addresses as a hit-list
- Attack the hit-list first
- Attack the Internet via PRS
Online P2P-based Scan (OPS):
- Use runtime P2P neighbor information
- Attack P2P neighbors
- Extra attack resource is applied to attack the Internet via PRS
Online-based P2P Worm Attack Strategy
[Figure]
Performance Comparison of Attack Strategies
[Figure: Attack Performance vs. Scan Approaches; x-axis: Time (45-75), y-axis: Infection Ratio (0-1); curves: PRS, OPHLS, OPSS]
- The P2P-based attack strategies overall outperform the PRS attack strategy
- The OPHLS attack strategy achieves the best performance compared to all other online-based attack strategies
Sensitivity of Attack to P2P System Size
[Figure: The Sensitivity of P2P System Size; x-axis: Time (45-70), y-axis: Infection Ratio (0-1); curves: PRS, OPSS(1000), OPSS(5000), OPSS(10000), OPUS(1000), OPUS(5000), OPUS(10000)]
- As the P2P size increases, the attack performance becomes consistently better for all attack strategies
Detection
- Host-based detection
- Network-based detection: detecting large-scale worm propagation
  - Global distributed traffic monitoring framework
  - Distributed monitors and data center
  - Worm port scanning and background port scanning
Distributed Worm Monitoring Systems
[Figure]
Detection Schemes
Worm behavior:
- Pure random scan
- Each worm instance takes part in the attack all the time
- Constant scan rate
Consequently:
- Overall port scanning traffic volume implies the number of worm instances (infected hosts)
- Total number of worm instances and overall port scanning traffic volume increase exponentially during worm propagation
Count-based and trend-based detection schemes
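The two detection schemes named above, applied to a constructed per-interval series of port-scan volume as seen by a monitor. This is an added example, not code from the lecture or from any monitoring system: the count-based scheme alarms when volume exceeds a baseline threshold, the trend-based scheme alarms only when a window of intervals fits exponential growth, so a one-off burst of background scanning trips the first but not the second.

```python
"""Count-based vs. trend-based detection on port-scan volume per interval.
Added example, not from the lecture. The series is constructed: flat
background scanning with one benign burst, then a worm whose scan volume
grows geometrically (the slide's exponential growth in worm instances)."""
import math

BACKGROUND = [100, 104, 97, 101, 99, 103, 98, 102]   # constructed jitter pattern

def constructed_series(with_worm=True, n_bg=20, spike_at=10, n_worm=16, m0=5, growth=1.4):
    series = [BACKGROUND[i % len(BACKGROUND)] for i in range(n_bg)]
    series[spike_at] += 300                          # one-off benign burst
    for i in range(n_worm if with_worm else 0):
        series.append(BACKGROUND[(n_bg + i) % len(BACKGROUND)] + int(m0 * growth ** i))
    return series

def count_alarm(series, baseline_len=8, k=3.0):
    """Count-based: first interval whose volume exceeds mean + k*std of the baseline."""
    base = series[:baseline_len]
    mean = sum(base) / len(base)
    std = math.sqrt(sum((x - mean) ** 2 for x in base) / len(base))
    return next((i for i in range(baseline_len, len(series)) if series[i] > mean + k * std), None)

def log_linear_fit(window):
    """Slope and R^2 of log(volume) against time; exponential growth is a straight line."""
    n = len(window)
    ys = [math.log(max(v, 1)) for v in window]
    xbar, ybar = (n - 1) / 2, sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in range(n))
    slope = sum((x - xbar) * (y - ybar) for x, y in enumerate(ys)) / sxx
    ss_tot = sum((y - ybar) ** 2 for y in ys)
    ss_res = sum((y - ybar - slope * (x - xbar)) ** 2 for x, y in enumerate(ys))
    return slope, (1 - ss_res / ss_tot) if ss_tot > 0 else 0.0

def trend_alarm(series, window=8, min_slope=0.05, min_r2=0.9):
    """Trend-based: first interval closing a window whose log-linear fit shows sustained growth."""
    for end in range(window, len(series) + 1):
        slope, r2 = log_linear_fit(series[end - window:end])
        if slope > min_slope and r2 > min_r2:
            return end - 1
    return None

if __name__ == "__main__":
    s = constructed_series()
    print("count-based alarm at interval", count_alarm(s), "(the benign burst)")
    print("trend-based alarm at interval", trend_alarm(s), "(the worm phase)")
```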
Infection Mitigation
- Patching
- Filtering/intrusion detection (signature based)
- DAW (Distributed Anti-Worm Architecture)
- TCP/IP stack reimplementation, bound connection requests
Goals of DAW
- Impede worm progress, allow human intervention
- Detect worm-infected clients
- Ensure congestion issues are minimized: little routing performance impact
Shigang Chen and Yong Tang. Slowing down Internet worms. In Proceedings of the 24th International Conference on Distributed Computing Systems, March 2004.
DAW
Requirements:
- Distributed, sensors act independently
- NIDS (rather than HIDS)
- Limited responsibility, ensures availability of nodes
DAW
Active Worm Detection in DAW
User behavior:
- Few failed connections (DNS)
- Predictable traffic generation throughout the day
- Relatively uniform intranet traffic distribution
Worm behavior:
- Sampling shows 99.96% failure in scan rate
- Spikes in failure:request ratio
- Traffic pattern disproportionately favors infected clients
Active Worm - Failures
- TCP only, random scanning
- ICMP Unreachable / TCP-RST response
- 99.96% failure on 80/tcp
Failed-scan rate: $s_f = r\,(1 - V'/N)$
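The failure:request ratio signal from the two DAW slides above, computed by a sensor over per-source connection outcomes. This is an added example and not the DAW paper's code; the log format and both hosts in it are constructed: an ordinary client whose connections mostly succeed, and a random-scanning host whose probes mostly draw TCP-RST or ICMP unreachable responses, as the 99.96% failure figure describes.

```python
"""Per-source failure:request ratio, the DAW-style signal for random-scanning worms.
Added example, not the DAW paper's code. Log lines are constructed here:
  <tick> <src> <dst>:<port> <outcome>, outcome one of SYN-ACK, RST, ICMP-UNREACH, TIMEOUT.
A normal client mostly gets SYN-ACK; a random scanner mostly gets RST or ICMP
unreachable because most probed addresses have no listener (the slide's 99.96%
failure figure). Sources with enough requests and a high failure ratio are flagged."""
from collections import defaultdict

SUCCESS = {"SYN-ACK"}

def constructed_log():
    """Constructed sample: one ordinary client (10.0.0.5) and one scanning host (10.0.0.77)."""
    lines, t = [], 0
    for k in range(30):                     # client: 2 of 30 attempts time out
        t += 1
        lines.append(f"{t} 10.0.0.5 192.0.2.{k}:80 {'TIMEOUT' if k % 15 == 0 else 'SYN-ACK'}")
    for k in range(50):                     # scanner: 1 of 50 probes is answered
        t += 1
        outcome = "SYN-ACK" if k == 7 else ("RST" if k % 2 else "ICMP-UNREACH")
        lines.append(f"{t} 10.0.0.77 203.0.113.{k}:80 {outcome}")
    return "\n".join(lines)

def parse(log):
    """Yield (tick, src, dst_host, dst_port, outcome) per log line."""
    for line in log.splitlines():
        t, src, dst, outcome = line.split()
        host, port = dst.rsplit(":", 1)
        yield int(t), src, host, int(port), outcome

def failure_ratios(log, min_requests=20):
    """Map src -> failures/requests for sources with at least min_requests attempts."""
    stats = defaultdict(lambda: [0, 0])      # src -> [requests, failures]
    for _, src, _, _, outcome in parse(log):
        stats[src][0] += 1
        stats[src][1] += outcome not in SUCCESS
    return {src: f / n for src, (n, f) in stats.items() if n >= min_requests}

def suspects(log, ratio=0.9, min_requests=20):
    """Sources whose failure ratio reaches the threshold: candidates for impeding and human review."""
    return sorted(s for s, r in failure_ratios(log, min_requests).items() if r >= ratio)

if __name__ == "__main__":
    for src, r in sorted(failure_ratios(constructed_log()).items()):
        print(f"{src}: failure ratio {r:.2%}")
    print("suspects:", suspects(constructed_log()))
```

The min_requests floor is what keeps a user's handful of DNS or typo failures (the "few failed connections" of normal behavior) from tripping the ratio threshold.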
Summary
- Worms can spread quickly: 359,000 hosts in < 14 hours
- Home / small business hosts play a significant role in global Internet health: no system administrator, slow response
- Can't estimate infected machines by # of unique IP addresses: the DHCP effect appears to be real and significant
- Active Worm Defense: Modeling, Infection Mitigation