PPT slides - SEAS


Automated Worm Fingerprinting [Singh, Estan et al.]

Internet Quarantine: Requirements for Containing Self-Propagating Code [Moore, Shannon et al.]

David W. Hill

CSCI 297

6.28.2005


What is a worm?

Self-replicating/self-propagating code.

Spreads across a network by exploiting flaws in open (network-reachable) services.

As opposed to viruses, which require user action to activate and spread.

Not new:

Morris Worm, Nov. 1988: 6-10% of all Internet hosts infected.

Many more since, but none on that scale ... until Code Red.

Internet Worm History

Xerox PARC, Shoch and Hupp, 1982

Morris Worm <DEC VAX, sendmail, fingerd>, 1988

Code Red (V1, V2, II) <IIS>, 2001

Nimda <various exploits>, 2001

Slammer Worm <MS SQL Server>, 2003

Blaster Worm <DCOM RPC>, 2003

Sasser Worm <LSASS>, 2004

Code Red V1

Initial version released July 13, 2001.

Exploited a known buffer-overflow bug in Microsoft IIS web servers (the .ida ISAPI extension).

1st through 20th of each month: spread.

20th through end of each month: attack.

Payload: web site defacement.

Spread: via random scanning of the 32-bit IP address space.

But: failure to seed the random number generator, so every instance scanned the same address sequence and the worm population grew only linearly.
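Why an unseeded generator matters for spreading is easy to see in code. The following is an added example written for this page, not the worm's code: each "copy" draws target addresses from a PRNG, and the experiment compares copies that all start from the same constant seed (the v1 mistake) with copies that start from different seeds. The seed constant 0xC0DE and the per-copy seeds are arbitrary choices for the illustration.

```python
import random

ADDRESS_SPACE = 2 ** 32


def distinct_targets(instances, scans_each, fixed_seed):
    """Return how many distinct addresses `instances` worm copies scan in total.

    fixed_seed=True models Code Red v1: every copy seeds its PRNG with the same
    constant, so every copy walks the identical address sequence and the union
    of scanned addresses is no larger than a single copy's.  fixed_seed=False
    gives each copy its own seed (as the v2 revision effectively did), so the
    scans of different copies rarely overlap.
    """
    seen = set()
    for i in range(instances):
        # 0xC0DE is an arbitrary constant for this example, not the worm's seed.
        seed = 0xC0DE if fixed_seed else 0xC0DE + i
        rng = random.Random(seed)
        seen.update(rng.randrange(ADDRESS_SPACE) for _ in range(scans_each))
    return len(seen)


def coverage_curve(copies, scans_each, fixed_seed):
    """Distinct addresses probed when 1, 2, ..., `copies` copies are active.

    With a fixed seed the curve is flat: adding infected hosts adds no new
    addresses, so newly reached victims per unit time stay constant and the
    population grows linearly.  With distinct seeds the curve rises with the
    number of copies, which is what gives a random-scanning worm its
    exponential growth.
    """
    return [distinct_targets(n, scans_each, fixed_seed) for n in range(1, copies + 1)]


if __name__ == "__main__":
    print("fixed seed  :", coverage_curve(5, 1000, fixed_seed=True))
    print("distinct seed:", coverage_curve(5, 1000, fixed_seed=False))
```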

Code Red V2

Revision released July 19, 2001.

Payload: flooding attack on www.whitehouse.gov.

But: this time the random number generator was correctly seeded. Bingo!

Resident in memory only; a reboot clears the infection.

Web defacement.

[Figure: Code Red V2 - Spread]

Code Red II

New worm released August 4, 2001.

Intelligent replication engine (scanned preferentially within the local /8 and /16 rather than uniformly at random).

Installed backdoors.

Used more threads.

[Figure: Life Just Before Slammer]

[Figure: Life Just After Slammer]

Worm Detection - Current Methods

Network telescopes - passive monitors that watch unused address space (downfalls: non-random coverage; they yield only the scanning source IPs, not a signature)

Honeypots - slow, manual analysis

Host-based behavioral detection - dynamically analyzes anomalous activity on one host; no inference of a large-scale attack

IDS, IPS (e.g. Snort) - signatures are labor-intensive and human-mediated



Worm Containment

Host quarantine - IP ACL, router, firewall (blacklist)

String-matching containment (content filtering)

Connection throttling - slow the spread






Earlybird - Content Sifting

Content in existing worms is invariant.

The traffic dynamics of a spreading worm are atypical: the same content travels from many sources to many destinations.

The Earlybird system can extract signatures from traffic to detect worms and automatically react.


Example Code Red request (tcpdump hex dump on the slide):

05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)
0x0000  4500 05dc 84af 4000 6f06 5315 5ac4 16c4  E.....@.o.S.Z...
0x0010  d14e eb80 06b4 0050 5e86 fe57 440b 7c3b  .N.....P^..WD.|;
0x0020  5010 2238 6c8f 0000 4745 5420 2f64 6566  P."8l...GET./def
0x0030  6175 6c74 2e69 6461 3f58 5858 5858 5858  ault.ida?XXXXXXX
0x0040  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
. . . . .
0x00e0  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x00f0  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0100  5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0110  5858 5858 5858 5858 5825 7539 3039 3025  XXXXXXXXX%u9090%
. . . . .
0x01a0  303d 6120 4854 5450 2f31 2e30 0d0a 436f  0=a.HTTP/1.0..Co

Signatures

Worm Signature

Content-based blocking [Moore et al., 2003]

Signature for Code Red II

Signature: a payload content string specific to a worm


Worm Behavior - Earlybird

Content invariance

Content prevalence

Address dispersion






Earlybird Implementation

Each network packet is scanned for invariant content: fixed-length substrings of the payload are fingerprinted.

Maintain, per substring, a count of occurrences and the sets of unique source and destination IPs it has been seen between.

Rank substrings by occurrence count and by the size of their address sets; substrings that are both prevalent and widely dispersed are classified as worm traffic.

Use those substrings to automatically create signatures that filter the worm.






Earlybird Cont.

System consists of sensors and an aggregator.

Aggregator - pulls data from sensors, activates network- or host-level blocking, and provides reporting and control.






Earlybird - Memory & CPU

Memory and CPU cycle constraints.

Index the content table by a fixed-size hash (Rabin fingerprint) of each payload substring rather than by the substring itself.

Scaled bitmaps are used to reduce memory consumption on address dispersion counts: a small bitmap per substring replaces a list of addresses.
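The address-dispersion point above is worth seeing concretely. The following is an added example for this page, not Earlybird's code: it estimates the number of distinct addresses behind a piece of content with a bank of small bitmaps at sampling rates 1, 1/2, 1/4, ... (the multiresolution form of the scaled-bitmap idea) instead of storing every address. Level k records an address only when the top k bits of its hash are zero; the finest level that is not too full is read out with the direct-bitmap estimate b*ln(b/z), scaled back up by 2**k. Earlybird's exact bookkeeping for its scaled bitmaps is not reproduced here; the bitmap sizes, hash function and fill threshold are this example's own choices.

```python
import hashlib
import math


class ScaledBitmapBank:
    """Approximate distinct-address counter using a bank of sampled bitmaps.

    memory: levels * bits / 8 bytes regardless of how many addresses are seen.
    Level k samples an address with probability 2**-k (top k hash bits zero).
    """

    def __init__(self, bits=256, levels=12, max_fill=0.75):
        self.bits = bits
        self.levels = levels
        self.max_fill = max_fill          # read a level only if at most this fraction is set
        self.maps = [0] * levels          # each bitmap is an int used as a bit vector

    @staticmethod
    def _hash(addr: str) -> int:
        """64-bit hash of the address (SHA-256 prefix; any good hash works)."""
        return int.from_bytes(hashlib.sha256(addr.encode()).digest()[:8], "big")

    def add(self, addr: str) -> None:
        h = self._hash(addr)
        pos = 1 << (h % self.bits)        # bit position from the low hash bits
        for k in range(self.levels):
            if h >> (64 - k):             # top k bits non-zero: not sampled at this level
                break                     # (and therefore not at any finer level either)
            self.maps[k] |= pos

    def estimate(self) -> float:
        """Distinct-address estimate from the finest level that is not saturated."""
        for k, bitmap in enumerate(self.maps):
            ones = bin(bitmap).count("1")
            if ones <= self.max_fill * self.bits:
                zeros = self.bits - ones
                return (2 ** k) * self.bits * math.log(self.bits / zeros)
        raise OverflowError("all levels saturated; increase bits or levels")

    def memory_bytes(self) -> int:
        return self.levels * self.bits // 8


def constructed_addresses(n, prefix="10"):
    """n distinct constructed IPv4 addresses (sample input, not captured data)."""
    return [f"{prefix}.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(n)]


def run_demo(n=5000):
    """Compare the bitmap estimate against an exact set for n distinct sources."""
    bank = ScaledBitmapBank()
    exact = set()
    for addr in constructed_addresses(n):
        bank.add(addr)
        exact.add(addr)
    return {"exact": len(exact), "estimate": bank.estimate(), "bytes": bank.memory_bytes()}


if __name__ == "__main__":
    print(run_demo())
```

Because only the bitmap bits are kept, re-adding an address already seen changes nothing, which is exactly what a dispersion counter needs: a single chatty source cannot push the count past one.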






Earlybird Cont. - Sensor

1.6 GHz AMD Opteron 242, Linux 2.6 kernel

Captures using libpcap

Can sift 1 TB of traffic per day and is able to sift 200 Mbps of continuous traffic

Cisco router configured for port mirroring






Thresholds

Content prevalence = 3 (97 percent of substrings repeat two or fewer times, so this threshold discards most benign content before any address tracking is done)

Address dispersion = 30 distinct sources and 30 distinct destinations (a lower dispersion threshold will produce more false positives)

Garbage collection of stale table entries: several hours
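The Content Sifting, Implementation and Thresholds slides describe one pipeline; the following is an added example that puts them together, not Earlybird's code. It fingerprints every 40-byte window of each payload with a rolling polynomial hash (standing in for Earlybird's Rabin fingerprints), counts prevalence, starts tracking source and destination addresses only once a substring is prevalent, and reports the substring as a signature when both dispersion counts reach the slide's thresholds. Exact sets replace scaled bitmaps, the packets are constructed tuples rather than libpcap captures, and the worm request only mimics the shape of the .ida request on the slide.

```python
from dataclasses import dataclass, field

WINDOW = 40                 # bytes per fingerprinted substring (Earlybird's beta = 40)
PREVALENCE_THRESHOLD = 3    # slide: content prevalence = 3
DISPERSION_THRESHOLD = 30   # slide: 30 distinct sources and 30 distinct destinations

_MOD = (1 << 61) - 1        # Mersenne prime modulus for the rolling polynomial hash
_BASE = 257


def rolling_fingerprints(payload):
    """Yield (offset, fingerprint) for every WINDOW-byte substring of payload.

    Rabin-Karp style rolling hash: each window's fingerprint is derived from the
    previous one in O(1), which is what makes sifting every substring affordable.
    """
    if len(payload) < WINDOW:
        return
    high = pow(_BASE, WINDOW - 1, _MOD)
    h = 0
    for b in payload[:WINDOW]:
        h = (h * _BASE + b) % _MOD
    yield 0, h
    for i in range(WINDOW, len(payload)):
        h = ((h - payload[i - WINDOW] * high) * _BASE + payload[i]) % _MOD
        yield i - WINDOW + 1, h


@dataclass
class ContentEntry:
    sample: bytes                  # first substring seen with this fingerprint
    count: int = 0                 # prevalence: how often the content has been seen
    srcs: set = field(default_factory=set)
    dsts: set = field(default_factory=set)
    reported: bool = False


class ContentSifter:
    """Flags substrings that are both prevalent and widely dispersed."""

    def __init__(self, prevalence=PREVALENCE_THRESHOLD, dispersion=DISPERSION_THRESHOLD):
        self.prevalence = prevalence
        self.dispersion = dispersion
        self.table = {}            # fingerprint -> ContentEntry (exact sets; Earlybird uses scaled bitmaps)
        self.signatures = []

    def process(self, src, dst, payload):
        """Sift one packet; return the signatures this packet newly triggered."""
        new = []
        for offset, fp in rolling_fingerprints(payload):
            entry = self.table.get(fp)
            if entry is None:
                entry = self.table[fp] = ContentEntry(sample=payload[offset:offset + WINDOW])
            entry.count += 1
            if entry.count < self.prevalence:
                continue           # rare content: spend no memory on its addresses yet
            entry.srcs.add(src)
            entry.dsts.add(dst)
            if (not entry.reported
                    and len(entry.srcs) >= self.dispersion
                    and len(entry.dsts) >= self.dispersion):
                entry.reported = True
                new.append(entry.sample)
        self.signatures.extend(new)
        return new


# Constructed sample traffic (not captured data).
WORM_REQUEST = b"GET /default.ida?" + b"X" * 200 + b"%u9090%u9090 HTTP/1.0\r\n\r\n"
NEWS_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: news.example\r\nAccept: text/html\r\n\r\n"
NEWS_PAGE = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Breaking news</body></html>"


def worm_traffic(n):
    """n infected hosts, each probing a different victim with the same request."""
    return [(f"10.0.{i}.7", f"192.0.2.{i}", WORM_REQUEST) for i in range(n)]


def flash_crowd(n):
    """n clients fetch one page from one server: prevalent, but never many-to-many."""
    pkts = [(f"198.51.100.{i}", "203.0.113.5", NEWS_REQUEST) for i in range(n)]
    pkts += [("203.0.113.5", f"198.51.100.{i}", NEWS_PAGE) for i in range(n)]
    return pkts


def count_signatures(packets):
    """Run a fresh sifter over packets and return how many signatures it raised."""
    sifter = ContentSifter()
    return sum(len(sifter.process(*p)) for p in packets)


def run_demo():
    return {"worm": count_signatures(worm_traffic(40)),
            "flash_crowd": count_signatures(flash_crowd(100))}


if __name__ == "__main__":
    print(run_demo())
```

The flash crowd is as prevalent as the worm but fails the dispersion test in one direction each way (many sources to one destination, or one source to many), which is the whole reason Earlybird requires both counts to cross the threshold. Every window of the worm request is reported separately here; a production sensor would merge adjacent windows into one signature.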




Earlybird False Positives

99% of false positives come from SMTP header strings and HTTP User-Agent strings - whitelist them.

Spam e-mails - distributed mailers and relays send identical content many-to-many.

BitTorrent file striping creates a many-to-many download profile.





Earlybird - Issues of Concern

SSH, SSL, IPsec, VPNs (encrypted payloads cannot be sifted)

Polymorphism (no invariant content to fingerprint)

IP source address spoofing (distorts the source dispersion count)

Packet injection (an attacker can feed crafted content to provoke false signatures)




Earlybird - Current State

UCSD research, then the NetSift startup, then acquired by Cisco.




Internet Quarantine - Requirements for Containing Self-Propagating Code

Prevention - managing vulnerabilities

Treatment - disinfection tools, patches

Containment - firewalls, content filters, blacklists. How to completely automate?




Modeling Containment

Reaction time - time necessary for detection and for the response to be in place

Containment strategy - blacklisting (block known-infected addresses) vs. content filtering (block the worm's signature)

Deployment scenario - how many nodes are participating
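The three parameters above can be explored with a toy epidemic model. The following is an added example written for this page, not the simulator of Moore et al.: a random-scanning worm with 360,000 vulnerable hosts scanning 10 addresses per second (Code Red-like assumptions), updated as a deterministic expected-value step per second. Content filtering stops all worm traffic at participating networks once the reaction time has elapsed; blacklisting blocks each infected address only after its own infection plus the reaction time, so every new victim gets a free scanning window. A scan is assumed to leak past the defenses only if neither endpoint's network participates.

```python
ADDRESS_SPACE = 2 ** 32


def simulate(strategy, reaction, deployment=1.0, vulnerable=360_000,
             scan_rate=10.0, horizon=24 * 3600, initial=1.0):
    """Fraction of vulnerable hosts infected after `horizon` seconds.

    strategy   : "content_filtering" or "blacklisting"
    reaction   : integer seconds from an infection event until the response is active
    deployment : fraction of hosts behind a participating network; a filtered scan
                 leaks only if neither endpoint participates: (1 - deployment) ** 2
    Assumed defaults: 360,000 vulnerable hosts, 10 scans/s, one initial infection.
    """
    if strategy not in ("content_filtering", "blacklisting"):
        raise ValueError(f"unknown strategy {strategy!r}")
    leak = (1.0 - deployment) ** 2
    infected = [float(initial)]             # infected[t] = infected hosts at second t
    for t in range(horizon):
        now = infected[t]
        if strategy == "content_filtering":
            # one signature, pushed everywhere `reaction` seconds after the outbreak begins
            unfiltered, filtered = (now, 0.0) if t < reaction else (0.0, now)
        else:
            # each infected address is blocked `reaction` seconds after it was infected
            old = infected[t - reaction] if t >= reaction else 0.0
            unfiltered, filtered = now - old, old
        effective_scanners = unfiltered + filtered * leak
        # successful scans per scanner-second: chance a random address is a vulnerable, uninfected host
        hit_rate = scan_rate * (vulnerable - now) / ADDRESS_SPACE
        infected.append(min(float(vulnerable), now + effective_scanners * hit_rate))
    return infected[-1] / vulnerable


def run_demo():
    """Compare strategies at the same reaction time and deployment level."""
    return {
        "no_containment": simulate("content_filtering", reaction=10 ** 9),
        "content_filtering_1h": simulate("content_filtering", reaction=3600),
        "blacklisting_1h": simulate("blacklisting", reaction=3600),
        "blacklisting_1min": simulate("blacklisting", reaction=60),
        "content_filtering_1h_half_deployed": simulate("content_filtering", reaction=3600, deployment=0.5),
    }


if __name__ == "__main__":
    for name, fraction in run_demo().items():
        print(f"{name:36s} {fraction:.4f}")
```

With a one-hour reaction time, content filtering freezes the outbreak at a few dozen hosts, while blacklisting still lets the worm reach most of the population because each newly infected host scans unhindered for an hour before its address is blocked; blacklisting only wins when the reaction time is short enough that a host infects fewer than one other host before it is blocked. Halving deployment lets the worm saturate through the unprotected networks even with filtering in place.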




[Figure: Blacklisting vs. Content Filtering]

[Figure: Blacklisting vs. Content Filtering - Aggressiveness]

[Figure: Deployment Scenarios]

References

- The Threat of Internet Worms, Vern Paxson. http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf

- Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org

- Autograph: Toward Automated, Distributed Worm Signature Detection. USENIX Security 2004

- Wikipedia: computer worms, hashing.

- Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute




Thank You!

Discussion…..