Worm

Mario Čagalj
University of Split (Sveučilište u Splitu)
9.1.2013.
Computer and Data Security (Sigurnost računala i podataka)

Uploaded Dec 4, 2013

Malicious Software

Based on:

- Internet Security & Worms, by Prasad S. Athawale (University at Buffalo)
- Computer Security: Principles and Practice, by William Stallings and Lawrie Brown
- Code Red Worm Propagation Modeling and Analysis, by Zou et al.

Produced by Mario Čagalj

Malicious Software

- Programs that exploit vulnerabilities in computing systems are known as malicious software, or malware
- Malware can be divided into two categories
  - Program fragments that need a host program: parasitic malware
    - E.g., viruses, logic bombs, and backdoors
    - Cannot exist independently of some actual application program, utility or system program
  - Independent, self-contained programs
    - E.g., worms, bots
    - Can be run directly by the operating system
- We also differentiate between software threats that
  - Do not replicate: activated by a trigger (e.g., logic bombs, bots)
  - Do replicate/propagate themselves (e.g., viruses and worms)

Malicious Software

Taxonomy of malicious programs (tree from the slide, flattened):

- Need a host program: trapdoors, logic bombs, Trojan horses, viruses
- Independent: worms, zombies (bots)
- Replicate: viruses, worms


Malware Terminology (1/3)

- Virus: a piece of code that inserts itself into a host program (infects it). It cannot run independently; it requires that its host program be run to activate it.
- Worm: a program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
- Logic bomb: a program inserted into software by an intruder. It executes when a specific condition (trigger) is met. Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.

Logic bomb sketch (pseudocode from the slide):

    legitimate code
    if date is Friday the 13th:
        crash_computer();
    legitimate code

Malware Terminology (2/3)

- Trojan horse: a program that appears to have one (useful) function but actually performs another (malicious) function, without the user's knowledge.
- Backdoor (trapdoor): any mechanism that bypasses a normal security check. It is code that recognizes, for example, some special input sequence; programmers can use backdoors legitimately to debug and test programs, but one left in shipped code is a ready-made bypass for an attacker.

Backdoor sketch (pseudocode from the slide): a hard-coded username grants login regardless of the password.

    username = read_username();
    password = read_password();
    if username is "112_h4ck0r":
        return ALLOW_LOGIN;
    if username and password are valid:
        return ALLOW_LOGIN;
    else:
        return DENY_LOGIN;


Malware Terminology (3/3)

- Exploit: malicious code specific to a single vulnerability.
- Keylogger: captures keystrokes on a compromised system.
- Rootkit: a set of hacker tools installed on a computer system after the attacker has broken into the system and gained administrator (root-level) access.
- Zombie, bot: a program on an infected machine that is activated to launch attacks on other machines.
- Spyware: collects information from a computer and transmits it to another system.

Internet Worms

- Self-replicating program that propagates over the Internet
- Using email: a worm mails a copy of itself to other systems
- Remote execution capability: a worm executes a copy of itself on a remote system, either using an explicit remote execution facility or by exploiting a flaw (e.g., a buffer overflow) in some network service (recall our pentest demo)
- Remote login: a worm logs onto a remote system as a user and then uses commands to copy itself from one system to the remote one

Internet Worms: Uses/Applications

- Launch a DDoS
- Access to sensitive information
- Spread disinformation
- Unknown reasons
  - Most commonly the author's wish to be recognized and famous (it has never turned out to be an accident)

Worm Operation

Has phases like a virus:

- Dormant phase: the worm is idle, waiting for a trigger event (e.g., date, time, program)
- Propagation phase: the worm searches for other systems, connects to them, copies itself to them and runs (the copy may not be identical: it morphs to avoid detection)
- Triggering phase: the worm is activated by some trigger event to perform its intended function
- Execution phase: the intended function is performed, e.g., a DDoS attack on a specified target

Worm Operation: Propagation Phase

To propagate, a worm generally performs the following functions:

- Search for other systems to infect by examining different repositories of remote system addresses
  - IP address-space probing to detect vulnerable targets
  - Note that this active acquisition/search phase is not present in viruses
- Establish a connection with a remote system
- Copy itself to the remote system and cause the copy to be run

Generalized Worm Propagation Model

- In the first stage the infected host searches for vulnerable targets
- When a target is found, the infected host tries to deliver malcode to the selected target
- Executing the malcode, the target host is compromised
- Once the system is compromised, some malware can perform additional tasks
  - Payload refers to those additional tasks performed by a worm (DoS, installing backdoors, self-replication)

Stages (flowchart from the slide): Infected Host -> Select Target -> Deliver Malcode -> Compromise System -> Infection Completed -> Payload? (Yes: Execute Payload; No: done)

Actions in Each of the Stages

- The target selecting stage
  - Random IP address probing
  - Harvesting email addresses (e.g., from the address book)
  - Through file sharing systems
- The malcode delivery stage (only a part of the malcode may be sent in this stage)
  - A payload associated with a buffer overflow
  - Using mail or messaging services
  - Specially crafted HTML pages hosted on a web server
- Compromising the system
  - Execute the malcode: email vulnerabilities, user intervention, automatic execution
  - E.g., buffer overflow, backdoors, etc.

Worm Propagation in Real Life

Morris Worm (Robert Morris, 1988)

- To propagate, the worm's first task was to discover other hosts known to the infected host that would allow entry from this host
  - It examined system tables that declare which other machines were trusted by this host, users' mail forwarding files, remote access control tables, and reports from services that reported the status of network connections
- For each discovered host, it tried various attacks on UNIX systems
  - Cracking the password file to use login/password pairs to log on to other systems
  - Exploiting a bug in the finger daemon (fingerd)
  - Exploiting a bug in sendmail
- If any of the three above succeeded, it had remote shell access
  - It sent a small bootstrap program to the compromised machine
  - The bootstrap program called back the parent program and downloaded the remainder of the worm, copying it over
- About 4000 of the Internet's approximately 60,000 (at that time) hosts were infected within 16 hours of the worm's deployment

Code Red (July 2001)

- The Code Red worm spreads via a buffer overflow in Microsoft Internet Information Server's (IIS) Indexing Service
- Infection begins by issuing an HTTP GET request to a vulnerable IIS system
- The worm probes random IP addresses to spread to other hosts
  - During the first part of each month it only spreads
  - It then initiates a denial-of-service attack against a government web site by flooding the site with packets from numerous hosts
- Code Red I v2 infected nearly 360,000 servers in 14 hours
  - Caused problems for infected servers
  - But more importantly, consumed a significant amount of Internet capacity
- Code Red II is a variant that also targets Microsoft IIS
  - It also installs a backdoor, allowing a hacker to remotely execute commands on victim computers

The Spread of Code-Red v2

[Figure: CAIDA plot of Code-Red v2 spread; see http://www.caida.org/research/security/code-red/coderedv2_analysis.xml]
SQL Slammer (January 2003)

- Exploited a buffer overflow in Microsoft SQL Server
- A single short (about 400 bytes) packet to UDP port 1434 was sufficient
- The worm infected more than 90 percent of vulnerable hosts within 10 minutes
  - Causing significant disruption to financial, transportation, and government institutions
  - And precluding any human-based response
- No malicious payload; it simply overloaded networks with its scan traffic
- The worm's spreading strategy uses random scanning
  - It randomly selects IP addresses, eventually finding and infecting all susceptible hosts
- Slammer spread nearly two orders of magnitude faster than Code Red, yet it infected fewer machines
- The fastest computer worm in history (full scanning rate of 55 million scans per second after only 3 minutes)

The Spread of SQL Slammer

- Faster than Code Red (CR)
  - Slammer is bandwidth-limited (its scanner is only about 400 bytes long; a single UDP packet could exploit the SQL Server vulnerability, so no connection set-up is needed)
  - CR is latency-limited (its scanner does a TCP handshake and therefore has to wait to receive the SYN/ACK packet from the target)
- However, Slammer's author made several mistakes in the random number generator (many active IP addresses were simply skipped, hence fewer infections)

[Figure: infected hosts over time, Code Red v2 vs. Slammer; Slammer saturated the network with its scans]
Modelling Propagation of Worms

Why Modelling?

- Worms spread at an exponential rate
  - E.g., 10M hosts in < 5 minutes
  - Hard to deal with by manual intervention
- How to protect our systems? What are the possible effects?
- To be able to defend against future worms, we need to understand
  - Worm propagation patterns
  - The impact of human countermeasures (like patching the computer systems, firewalls, disconnecting devices from the network, etc.) on worm propagation
  - The impact of network traffic (recall the Slammer worm)

Worm Propagation Modelling

Simple Epidemic Model

- Borrows the time model of infectious diseases to model worm propagation
- Three possible states: Susceptible, Infectious, Removed (quarantined)
  - Infectious hosts: continuously infect others
  - "Removed" hosts in the epidemic setting
    - Recovered and immune to the virus
    - Dead because of the disease
  - "Removed" hosts in the computer setting
    - Patched computers that are clean and immune to the worm
    - Computers that are shut down or cut off from the worm's circulation

Simple Epidemic Model

Assumptions:

- The population size (#hosts) is large
- Any host has an equal probability of contacting any other host in the system
- The number of contacts is proportional to #infectious x #susceptible

[Figure: state diagram susceptible -> infectious -> removed; a contact between an Infectious (I) host and a Susceptible (S) host makes the latter infectious]
Classical Simple Epidemic Model

State transition: susceptible -> infectious

- N: population of hosts
- S(t): susceptible hosts at time t
- I(t): infectious hosts at time t

Classical General Epidemic Model (SIR)

State transition: susceptible -> infectious -> removed

- N: population of hosts
- S(t): susceptible hosts
- I(t): infectious hosts
- R(t): hosts removed from the infectious state, at rate γ

[Figure: number of infectious hosts versus time (x axis 0-40, y axis 1-10 x 10^5 hosts) for four parameter values: 0, N/16, N/4 and N/2]
Are the Two SIR Models Adequate?

- The classical simple and general (SIR) models are not perfectly suitable, as human countermeasures remove both susceptible and infectious hosts from circulation
- Human countermeasures include
  - Clean and patch: download cleaning programs, patches
  - Filter: put filters on firewalls, gateways
  - Disconnect computers (as in the case of the Code Red worm)
- Also, the infection rate β(t) decreases because of the large amount of scan traffic (e.g., the SQL Slammer worm)

State transition (figure): susceptible -> infectious -> removed, and susceptible -> removed
Two Factor Worm Model

Human countermeasures and decreased infection rate

- N: population of hosts
- S(t): susceptible hosts
- I(t): infectious hosts
- R(t): hosts removed from the infectious state, at rate γ
- Q(t): hosts removed from the susceptible state, at rate μ
- β(t): time-varying infection rate

When β(t)S(t) < γ, the number of infectious hosts removed per unit time is greater than the number of newly generated infectious hosts at the same time, so the worm dies out
Characteristics of Worm Spreading

- Worm growth: slow start, fast spread phase, slow decay

[Figure: number of infected hosts over time showing the three phases]

- Speed-ups with more advanced probing techniques
Probing Techniques (Examples)

- Random scanning
- Local subnet scanning
- Routing worm
- Pre-generated hit list
- Topological

Probing Techniques: Random Scanning

- A random 32-bit number is generated and used as the target IP address
  - Aside: IPv6 worms will be different (the address space is far too large to scan this way)
- E.g., Slammer and Code Red I
- Hits black-holed IP space frequently
  - Only 28.6% of the IPv4 space was allocated (at the time)
  - Aside: worms can be tracked by monitoring unused addresses (honeypots)

Probing Techniques: Subnet Scanning

- Generate the last 1, 2, or 3 bytes of the IP address randomly, keeping the leading bytes of the infected host's own address
- E.g., Code Red II and Blaster
- Some scans must still be completely random to infect the whole Internet
Probing Techniques: Routing Worm

- BGP routing information tells which IP address blocks are allocated (routed), so the worm scans only those
- This information is publicly available
  - http://www.routeviews.org/
  - http://www.ripe.net/ris/

Probing Techniques: Topological

- Uses information on the infected host to find the next target
  - The Morris Worm used /etc/hosts and .rhosts
  - Email address books
  - P2P software usually stores information about the peers each host connects to
Probing Techniques: Hit List

- A hit list of vulnerable machines is sent along with the payload
  - Determined before the worm launch by scanning
- Gives the worm a boost in the slow-start phase
  - Skips the phase that follows the exponential model
  - The infection rate looks linear in the rapid propagation phase
- Can avoid detection by early detection systems
Warhol: Hit List + Permutation Scanning

- Infection time of the whole vulnerable population estimated at about 15 minutes
  - Andy Warhol: "In the future, everybody will have 15 minutes of fame."

[Figure: simulated infected hosts over time for three worms]
1. Conventional (Code Red-like) worm capable of 10 scans/second
2. Fast scanning worm capable of 100 scans/second
3. Warhol worm capable of 100 scans/second using a 10,000-entry hit list

- No human-driven intervention is possible when it comes to Warhol worms (or the even more severe flash worms, which infect the Internet in tens of seconds!)
Worm Countermeasures

How to Mitigate the Worm Threat?

The general epidemic (SIR) model, with the quantity each class of countermeasure acts on:

$\frac{dS}{dt} = -\beta S(t) I(t)$

$\frac{dI}{dt} = \beta S(t) I(t) - \gamma I(t)$

$\frac{dR}{dt} = \gamma I(t)$

with $S(0) = N$ and $\beta = \eta / M$, where

- η: probe rate of the worm
- M: total population (e.g. $2^{32}$ for IPv4)
- γ: "removal" rate

1. Reduce the number of susceptible hosts S (prevention)
2. Reduce the rate of infection β (suppression)
3. Reduce the number of infected hosts I (containment)

Mitigating the Worm Threat

- Prevention
  - Aims to reduce the size of the vulnerable population
  - Secure programming, applying software updates, AV protection
- Patching
  - Generally, patches take days to release
  - Only now are relatively reliable distribution networks for patches springing up
- Containment and suppression (the easiest)
  - Firewalls, content filtering, automated routing blacklists, disconnecting infected machines

[Figure: the S and I terms of the model annotated "Reduce # of Susceptible Hosts (Patching)" and "Reduce # of Infected Hosts (e.g., AV)"]

Worm Countermeasures

- Overlaps with anti-virus techniques
  - Once the worm is on a system, A/V can detect it
- Worms also cause significant network activity
  - Scanning for other targets (scan rates 10-10,000 scans/second)
- Worm defense approaches include:
  - Signature-based worm scan filtering: generates a worm scan signature to prevent worm scans from entering a network/host
  - Filter-based worm containment: focuses on the worm content rather than a scan signature
  - Payload-classification-based worm containment: packet-based checks
  - Threshold random walk scan detection: exploits the randomness in picking destinations to connect to (to detect scanning)
  - Rate limiting and rate halting: limit or block outgoing traffic when a given threshold is exceeded (for fast worms)
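Threshold random walk (TRW) scan detection, listed above, is short enough to show in full. The following is an added example, not code from the lecture: it implements the TRW sequential hypothesis test (Jung et al.) over a constructed connection log. Each first contact a source makes with a new destination is a Bernoulli trial; benign hosts mostly succeed, scanners (which pick random addresses, most of them dark) mostly fail. The running log-likelihood ratio is the random walk; crossing the upper threshold declares a scanner, crossing the lower one clears the host, and repeat connections to already-contacted destinations are ignored. The success probabilities, error targets, addresses and log lines are all constructed for the demo.

```python
"""Threshold Random Walk (TRW) scan detection over a constructed connection log (added example)."""
import math

THETA_BENIGN = 0.8     # P(first contact succeeds | benign source)   (constructed)
THETA_SCANNER = 0.2    # P(first contact succeeds | scanner)         (constructed)
ALPHA = 0.01           # acceptable false-positive probability
BETA = 0.99            # target detection probability
UPPER = math.log(BETA / ALPHA)                    # ln 99 ~ +4.6: declare scanner
LOWER = math.log((1 - BETA) / (1 - ALPHA))        # ln 0.0101 ~ -4.6: declare benign
STEP_FAIL = math.log((1 - THETA_SCANNER) / (1 - THETA_BENIGN))   # +ln 4 per failed first contact
STEP_OK = math.log(THETA_SCANNER / THETA_BENIGN)                 # -ln 4 per successful one

# Constructed log: "<src> <dst> <dport> <ok|fail>", one connection attempt per line.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 1434 fail
10.0.0.5 10.0.1.2 1434 fail
10.0.0.5 10.0.1.3 1434 ok
10.0.0.5 10.0.1.4 1434 fail
10.0.0.5 10.0.1.5 1434 fail
10.0.0.5 10.0.1.6 1434 fail
10.0.0.5 10.0.1.7 1434 fail
10.0.0.7 10.0.2.10 443 ok
10.0.0.7 10.0.2.10 443 ok
10.0.0.7 10.0.2.11 443 ok
10.0.0.7 10.0.2.12 25 ok
10.0.0.7 10.0.2.13 443 ok
10.0.0.9 10.0.3.1 445 fail
10.0.0.9 10.0.3.2 445 ok
10.0.0.9 10.0.3.3 445 fail
"""


def parse_log(text):
    """Yield (src, dst, dport, succeeded) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, outcome = line.split()
        yield src, dst, int(dport), outcome == "ok"


def trw(events):
    """Run TRW over connection events; return (verdicts, final log-likelihood ratios)."""
    contacted = {}   # src -> destinations already seen (only first contacts count)
    llr = {}         # src -> cumulative log-likelihood ratio (the random walk)
    verdicts = {}    # src -> "scanner" | "benign" once a threshold is crossed
    for src, dst, _dport, ok in events:
        if src in verdicts:
            continue                                  # decision already made
        seen = contacted.setdefault(src, set())
        if dst in seen:
            continue                                  # repeat connection: not a trial
        seen.add(dst)
        llr[src] = llr.get(src, 0.0) + (STEP_OK if ok else STEP_FAIL)
        if llr[src] >= UPPER:
            verdicts[src] = "scanner"                 # e.g. rate-halt its outbound traffic
        elif llr[src] <= LOWER:
            verdicts[src] = "benign"
    return verdicts, llr


def detect_scanners(log_text=SAMPLE_LOG):
    """Sources flagged as scanners in the given log."""
    verdicts, _ = trw(parse_log(log_text))
    return sorted(s for s, v in verdicts.items() if v == "scanner")


if __name__ == "__main__":
    verdicts, llr = trw(parse_log(SAMPLE_LOG))
    for src in sorted(llr):
        print(f"{src:10s} llr={llr[src]:+.2f} verdict={verdicts.get(src, 'undecided')}")
```

With these parameters every step is ±ln 4, so a net four failed first contacts (10.0.0.5, whose scan of port 1434 mostly hits hosts that do not answer) crosses the upper threshold and a net four successes (10.0.0.7) clears the host; 10.0.0.9 stays undecided until more evidence arrives. Because the decision needs only a handful of probes per source, TRW reacts within the first seconds of a scan, which is what rate limiting or rate halting of the flagged host then relies on.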

Reaction Time Matters

- Worm containment mechanisms should be automated

[Figure: simulated infected hosts over time for four worms]
1. Conventional (Code Red-like) worm capable of 10 scans/second
2. Fast scanning worm capable of 100 scans/second
3. Warhol worm capable of 100 scans/second using a 10,000-entry hit list
4. SQL Slammer: 30,000 scans/second per machine (on a 100 Mbps link)

Reaction Time Matters

[Figure: reactive address blacklisting strategy against Slammer; α is the proportion of susceptible hosts]
Closing Words

- Worms pose an ongoing threat of use in attacks on a variety of sites and infrastructures
  - SQL Slammer affected ATMs and 911 services, caused cancelled flights, etc.
- Worms represent an extremely serious threat to the safety of the Internet
  - Warhol and flash-like worms can infect/affect the whole Internet in a matter of minutes/seconds
  - Hence the need for automated response/containment mechanisms
- Threat awareness is important (it reduces the susceptible population)
  - Especially for software designers and programmers