Abhishek 0713 Worms
Transcript of Abhishek 0713 Worms
-
7/29/2019 Abhishek 0713 Worms
1/34
WORMS: attacks, defense and models
Presented by:
Abhishek Sharma
Vijay Erramilli
-
What is a computer worm? Is it not the same as a computer virus?
A computer worm is a program that self-propagates across a network by exploiting security or policy flaws in widely used services.
A computer virus requires some sort of user action to abet its propagation.
The line between worms and viruses is not all that sharp: contagion worms, for example, spread by riding on normal user-driven traffic and so have features of both.
-
A Taxonomy of Computer Worms: know thy enemy
To understand the worm threat, it is necessary to understand the various types of worms.
Taxonomy based on:
target discovery
carrier
activation
payloads
attackers
-
Target Discovery: the mechanism by which a worm discovers new targets to infect.
Strategies: scanning, hit-list scanning
Scanning: probing a set of addresses to identify vulnerable hosts.
sequential: working through an IP address block using an ordered set of addresses
random: trying addresses out of a block in a pseudo-random fashion
Examples: Code Red, Nimda, Slammer
-
Optimizations to scanning
Localized scanning strategy (Code Red II): bias the random choice towards the infected host's own neighbourhood, where the same software (and the same holes) is more likely to be found.
With probability 3/8, choose a random IP address from within the class B address (/16 network) of the infected machine.
With probability 1/2, choose randomly from the class A (/8 network) of the infected machine.
With probability 1/8, choose a random address from the whole Internet.
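As an added illustration (this is example code written for this transcript, not Code Red II's own code), the three-way address-selection mix above, written so that its empirical distribution can be checked. The local address 10.20.30.40 is an assumed value; real Code Red II also excluded some address ranges, which this example does not model.

```python
import ipaddress
import random
from collections import Counter


def code_red_ii_next_target(local_ip: str, rng: random.Random) -> str:
    """Pick one scan target with the 3/8, 1/2, 1/8 localized mix from the slide."""
    local = int(ipaddress.IPv4Address(local_ip))
    r = rng.random()
    if r < 3 / 8:                       # same class B (/16) as the infected host
        prefix, bits = local & 0xFFFF0000, 16
    elif r < 3 / 8 + 1 / 2:             # same class A (/8) as the infected host
        prefix, bits = local & 0xFF000000, 24
    else:                               # anywhere on the Internet
        prefix, bits = 0, 32
    return str(ipaddress.IPv4Address(prefix | rng.getrandbits(bits)))


def classify(local_ip: str, target_ip: str) -> str:
    """Scope of a target relative to the infected host: same /16, same /8, or Internet."""
    local = int(ipaddress.IPv4Address(local_ip))
    target = int(ipaddress.IPv4Address(target_ip))
    if target >> 16 == local >> 16:
        return "same /16"
    if target >> 24 == local >> 24:
        return "same /8"
    return "Internet"


def scope_distribution(local_ip: str, samples: int, seed: int = 1) -> dict:
    """Empirical fraction of targets per scope after `samples` picks (seeded, so repeatable)."""
    rng = random.Random(seed)
    counts = Counter(classify(local_ip, code_red_ii_next_target(local_ip, rng))
                     for _ in range(samples))
    return {scope: counts[scope] / samples for scope in ("same /16", "same /8", "Internet")}


if __name__ == "__main__":
    # assumed local address of the infected host
    for scope, frac in scope_distribution("10.20.30.40", 20000).items():
        print(f"{scope:9s} {frac:.3f}")
```

Note that the "same /8" and "Internet" draws occasionally land inside the host's own /16 as well, so the measured shares sit slightly above 3/8 and below 1/8; the skew towards the local network is the point, since one infected host inside an organisation finds its siblings far faster than a uniform scanner would.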
-
Hit-list Scanning: getting off the ground
Provide the worm with a list of potentially vulnerable machines, collected before release.
The worm, when released onto an initial machine on this hit-list, begins scanning down the list.
When it infects a machine, it divides the hit-list in half, communicating half to the recipient worm and keeping the other half.
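The halving scheme as a round-based simulation, added here as example code (not the slide's or any real worm's code). Each running instance probes one host from its list per round; a successful infection hands the first half of what is left to the new instance. It assumes every listed host is vulnerable unless named in `not_vulnerable`, in which case the probe simply costs that instance a round.

```python
import math


def simulate_hitlist(hitlist, not_vulnerable=()):
    """Return (rounds, infected_set, infected_count_after_each_round)."""
    not_vulnerable = set(not_vulnerable)
    infected = set()
    instances = [list(hitlist)]      # one remaining-target list per running instance
    history = []
    rounds = 0
    while instances:
        rounds += 1
        spawned = []
        for targets in instances:
            victim = targets.pop(0)
            if victim in not_vulnerable or victim in infected:
                continue             # wasted probe; this instance keeps the rest of its list
            infected.add(victim)
            half = len(targets) // 2
            spawned.append(targets[:half])   # the new instance takes the first half
            del targets[:half]               # the parent keeps the other half
        instances = [t for t in instances + spawned if t]
        history.append(len(infected))
    return rounds, infected, history


def ideal_rounds(n):
    """Rounds needed when every listed host is vulnerable: infections double each round."""
    return math.ceil(math.log2(n + 1))


if __name__ == "__main__":
    rounds, infected, history = simulate_hitlist(range(1024))
    print(f"{len(infected)} hosts in {rounds} rounds (ideal {ideal_rounds(1024)}): {history}")
```

Because the infected count follows 1, 3, 7, 15, ..., a list of a few thousand hosts is exhausted in roughly a dozen probe rounds, which is why hit-list scanning is the way a worm "gets off the ground" before a slower scanning phase takes over.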
-
Permutation Scanning
Random scanning is inefficient:
many addresses are probed multiple times
there is no means for a randomly scanning worm to effectively determine when all vulnerable machines are infected
Permutation scanning:
all worms share a common pseudo-random permutation of the IP address space
a worm can detect that a particular target is already infected, and use that as a signal that its part of the space has been covered
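A toy simulation of both strategies, added as example code (not from the slide or any real worm). A 4096-address space stands in for the Internet; the shared permutation is an affine map, which is a bijection mod N whenever N is a power of two and the multiplier is odd (a real worm would use a keyed block cipher). Every instance walks the same permutation starting just after its own position, treats "this host is already infected" as the cue to jump to a fresh random start, and retires after MAX_INFECTED_HITS such hits in a row; those rules are assumptions of this simulation.

```python
import random

N = 4096
A_MULT, C_ADD = 997, 123            # 997 is odd, so the map is invertible mod 4096
A_INV = pow(A_MULT, -1, N)
MAX_INFECTED_HITS = 4
VULNERABLE = frozenset(random.Random(7).sample(range(N), 64))   # constructed toy population


def perm(t):
    """Scan index t -> address (the permutation shared by every instance)."""
    return (A_MULT * t + C_ADD) % N


def position(addr):
    """Inverse of perm: where a given address sits in the permutation."""
    return (A_INV * (addr - C_ADD)) % N


def simulate_permutation_scan(vulnerable=VULNERABLE, seed=1, max_hits=MAX_INFECTED_HITS):
    """Return (infected_set, total_probes); every active instance sends one probe per round."""
    rng = random.Random(seed)
    first = min(vulnerable)
    infected = {first}
    instances = [{"t": position(first) + 1, "hits": 0}]
    probes = 0
    while instances:
        alive, spawned = [], []
        for inst in instances:
            addr = perm(inst["t"] % N)
            inst["t"] += 1
            probes += 1
            if addr in infected:
                inst["hits"] += 1                  # victim answers "already infected"
                if inst["hits"] < max_hits:
                    inst["t"] = rng.randrange(N)   # re-randomise the start point
                    alive.append(inst)
                # otherwise this instance concludes its region is saturated and stops
            else:
                alive.append(inst)
                if addr in vulnerable:
                    infected.add(addr)
                    inst["hits"] = 0
                    spawned.append({"t": position(addr) + 1, "hits": 0})
        instances = alive + spawned
    return infected, probes


def simulate_random_scan(vulnerable=VULNERABLE, seed=1):
    """Same population, uniform random targets. The stop condition is a god's-eye view
    (everything infected); the worm itself has no way of knowing it is done."""
    rng = random.Random(seed)
    infected = {min(vulnerable)}
    probes = 0
    while len(infected) < len(vulnerable):
        for _ in range(len(infected)):
            addr = rng.randrange(N)
            probes += 1
            if addr in vulnerable:
                infected.add(addr)
    return infected, probes


def distinct_after_random_probes(count, seed=1):
    """How many different addresses `count` uniform random probes actually cover."""
    rng = random.Random(seed)
    return len({rng.randrange(N) for _ in range(count)})


if __name__ == "__main__":
    inf_p, probes_p = simulate_permutation_scan()
    inf_r, probes_r = simulate_random_scan()
    print(f"permutation scan: {len(inf_p)}/{len(VULNERABLE)} infected, {probes_p} probes, stopped on its own")
    print(f"random scan:      {len(inf_r)}/{len(VULNERABLE)} infected, {probes_r} probes, stopped by the referee")
    print(f"{N} random probes reach only {distinct_after_random_probes(N)} distinct addresses")
```

The permutation scan finishes on its own: a newly infected host continues just past its own position, so the next vulnerable host in permutation order is always reached, and instances that keep running into infected hosts conclude that their region is done. The random scanner has no such signal and keeps re-probing addresses it has already seen.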
-
Spread of Scanning Worms
The speed of scanning worms is limited by:
density of vulnerable machines
design of the scanner
the ability of edge routers to handle a potentially significant increase in new, diverse communication
Scanning is highly anomalous behavior, which makes effective detection possible; defenses can be designed to stop an entire family of worms rather than a single instance.
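The anomaly the slide points at is fan-out: a scanner contacts far more distinct destinations per minute than any normal host. The detector below is example code added for this transcript (not from the slides), run over constructed flow records; the record layout `"<epoch-seconds> <src-ip> <dst-ip> <proto> <dst-port>"` and the window and threshold values are assumptions.

```python
from collections import Counter, defaultdict, deque

WINDOW = 60.0      # seconds of history kept per source
THRESHOLD = 40     # distinct destinations inside the window before a source is flagged


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto, int(dport)


def detect_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (alert_time, distinct_destinations, most_probed_port)} for every
    source whose distinct-destination count inside the sliding window exceeds threshold."""
    recent = defaultdict(deque)      # src -> (ts, dst, dport) records still inside the window
    alerts = {}
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, src, dst, proto, dport = parse_flow(line)
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > window:  # expire records that fell out of the window
            q.popleft()
        distinct = {d for _, d, _ in q}
        if len(distinct) > threshold and src not in alerts:
            top_port = Counter(p for _, _, p in q).most_common(1)[0][0]
            alerts[src] = (ts, len(distinct), top_port)
    return alerts


def make_sample_flows():
    """Constructed flow records (not real traffic) for four hosts."""
    lines = []
    servers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for i in range(200):              # benign client: a few servers, contacted many times
        lines.append(f"{1000 + i * 0.5:.3f} 10.0.0.5 {servers[i % 3]} tcp 443")
    for i in range(120):              # Code Red-like TCP/80 scanner, 5 new hosts per second
        lines.append(f"{1000 + i * 0.2:.3f} 10.0.0.77 203.0.113.{i} tcp 80")
    for i in range(300):              # Slammer-like UDP/1434 spray, hundreds of hosts per second
        lines.append(f"{2000 + i * 0.002:.3f} 10.0.0.99 198.51.100.{i % 256} udp 1434")
    for i in range(100):              # slow scanner: one new host every 2 s, stays under threshold
        lines.append(f"{3000 + i * 2.0:.3f} 10.0.0.88 203.0.113.{i} tcp 80")
    return lines


if __name__ == "__main__":
    for src, (ts, n, port) in detect_scanners(make_sample_flows()).items():
        print(f"{src}: {n} distinct destinations by t={ts:.3f}, mostly port {port}")
```

The slow scanner (31 distinct hosts in any 60-second window) is the caveat: a fixed window and threshold catch Code Red and Slammer style scanning easily, but a scanner that paces itself below the threshold passes, so the threshold is a trade-off between false positives on busy clients and missed slow scans.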
-
How fast do they spread?
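The usual answer to this question for a random-scanning worm is the random-constant-spread (logistic) model of Staniford, Paxson and Weaver ("How to 0wn the Internet in Your Spare Time", 2002). It is not on the slide; the code below is an added example. a(t) is the fraction of the vulnerable population infected at time t and K the initial compromise rate, which is exactly where the two limits named on the previous slide enter: scans per second (scanner design) times the chance that a random probe hits a vulnerable host (density). The parameter values in main() are illustrative assumptions, not measurements.

```python
import math

ADDRESS_SPACE = 2 ** 32


def compromise_rate(scans_per_second, vulnerable_hosts):
    """K: new infections per second caused by one infected host at the start."""
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(t, K, a0):
    """Closed-form solution of da/dt = K a (1 - a) with a(0) = a0."""
    e = math.exp(K * t)
    return a0 * e / (1 - a0 + a0 * e)


def time_to_fraction(f, K, a0):
    """Time at which the infected fraction reaches f (requires 0 < a0 < f < 1)."""
    return math.log(f * (1 - a0) / (a0 * (1 - f))) / K


def integrate(K, a0, t_end, dt=1e-3):
    """Forward-Euler integration of the same ODE, as a cross-check on the closed form."""
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += dt * K * a * (1 - a)
    return a


if __name__ == "__main__":
    hosts = 360_000                       # assumed vulnerable population
    a0 = 1 / hosts                        # one infected host at t = 0
    for scans in (10, 100, 1000):         # assumed per-host scan rates
        K = compromise_rate(scans, hosts)
        t90 = time_to_fraction(0.9, K, a0)
        print(f"{scans:5d} scans/s -> K = {K:.2e}/s, 90% infected after {t90 / 3600:.2f} h")
```

Time to saturation scales as 1/K, so a tenfold faster scanner or a tenfold denser vulnerable population each cut the spread time by ten; the curve is flat for a long time and then saturates within a few multiples of 1/K, which is why a human-speed response arrives after the fact.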
-
Topological Worms: Internal Target Lists
Many applications contain information about other hosts providing vulnerable services.
A topological worm searches for such local information to find new victims, i.e. it tries to discover the local communication topology.
The original Morris worm used topological techniques, including the Network Yellow Pages, /etc/hosts and other sources, to find new victims.
-
Target Discovery: Passive Worms
A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behavior to discover new targets.
Gnuman: operates as a Gnutella node that replies to all queries with copies of itself. If such a copy is run, Gnuman starts on the victim and repeats the process.
-
Passive Worms continued
CRclean: the anti-worm
This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If the counterattack is successful, it removes Code Red II and installs itself on the machine.
Never released.
-
Stealth worms: contagion
-
P2P systems: susceptible to contagion worms
Likely need only a single exploit, not a pair
Often, peers run identical software
Rich interconnection pattern
Often used to transfer large files
Not mainstream: less vulnerability assessment, monitoring
-
P2P network susceptibility continued
Often give access to users' desktops rather than servers: sensitive data
Grey content: users less inclined to draw attention to unusual behavior
Come with a built-in control/dissemination plane
and can be very large
-
Toolkit Potential
Toolkits: large reusable structures to which a small amount of additional code can be added to create a worm.
Application-independent and application-dependent toolkits have been seen in the wild.
An application-independent toolkit can contain:
code for scanning
code for transporting payloads
-
Toolkits continued
Scanning worms are not application specific: the scanner and carrier can be reused with a new exploit.
The Slapper worm: the attacker inserted a new exploit into the Scalper worm source code.
Consequently, scanning worms can be released as soon as a vulnerability is published.
-
Distribution Mechanisms
affect the speed and stealth of a worm
Mechanisms:
Self-carried
Second channel: Blaster worm
Embedded: contagion worm. An embedded strategy only makes sense when the target selection strategy is also stealthy.
Distribution:
One-to-many
Many-to-many
Hybrid
-
Activation
Self-activation
Human activation: relies on social engineering techniques
Human activity-based activation: logging in and therefore executing login scripts; opening a remotely infected file
Scheduled process activation
-
Payloads continued
Spam relays: Sobig worm. Spammers can avoid mechanisms which block known-spamming IP addresses.
HTML proxies: redirect web requests (through DNS) to randomly selected proxy machines
Internet DoS
-
Payloads continued
Data collection
Access for sale
Data damage: Chernobyl, Klez
Worm maintenance: W32/Sonic
-
Code-Red
-
The Slammer Worm
Spread nearly two orders of magnitude faster than Code Red
In approx. 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second)
The spread was so aggressive that the worm quickly interfered with its own growth
-
Why was Slammer so fast?
Code Red was latency limited:
It spreads via many threads, each invoking connect() to open a TCP session to a random address.
Consequently, each thread's scanning rate was limited by the network latency.
-
Latency limitation of Code Red
A thread is blocked while waiting to receive the SYN/ACK.
Worms can compensate for this by invoking a large number of threads, but operating system limitations apply:
context-switching overhead
kernel stack memory consumption
-
Slammer was bandwidth limited
UDP-based
A single packet to UDP port 1434 could exploit the SQL Server vulnerability
Smaller size: Slammer 404 bytes, Code Red 4 Kbytes, Nimda 60 Kbytes
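Back-of-the-envelope scan-rate limits for the two scanner designs contrasted on the last three slides, added here as example code (not from the slides). The per-probe sizes (404 bytes, 4 KB, 60 KB) are the slide's figures; the thread count, RTT, connect() timeout and the fraction of random addresses that answer at all are illustrative assumptions.

```python
def latency_limited_rate(threads, rtt_s, timeout_s, p_responsive):
    """Scans/s for a connect()-based scanner. Each thread is blocked for one RTT if the
    target answers, and for the whole SYN timeout if it does not, which is the common
    case when probing random addresses; more threads help only linearly."""
    mean_block = p_responsive * rtt_s + (1 - p_responsive) * timeout_s
    return threads / mean_block


def bandwidth_limited_rate(link_bps, bytes_per_probe):
    """Scans/s for a single-packet scanner that never waits for a reply."""
    return link_bps / (8 * bytes_per_probe)


def probe_budget(link_bps):
    """Scans/s each worm could push through one link if only bandwidth mattered."""
    sizes = {"Slammer": 404, "Code Red": 4 * 1024, "Nimda": 60 * 1024}
    return {name: bandwidth_limited_rate(link_bps, size) for name, size in sizes.items()}


if __name__ == "__main__":
    # assumptions: 100 threads, 100 ms RTT, 21 s connect() timeout, 5% of random targets answer
    print(f"latency limited:   {latency_limited_rate(100, 0.1, 21.0, 0.05):8.1f} scans/s")
    for name, rate in probe_budget(100e6).items():   # assumed 100 Mbit/s uplink
        print(f"bandwidth limited: {rate:8.0f} scans/s for {name}-sized probes")
```

The instructive part is the timeout term: most random addresses never answer, so a connect()-based thread spends almost all of its life waiting for a timeout rather than an RTT, and the thread count has to grow by orders of magnitude to keep up with a scanner that fires one small UDP packet and moves on.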
-
Slammer opens the door for more worms
Smaller susceptible populations are now more attractive
Need to automate worm defenses
Filtering provides no benefit for actually limiting the number of infected machines: by the time humans reacted, the susceptible population was already saturated
What if Slammer had propagated for only 10 minutes? 75,000 compromised machines.
Many might never have been identified!!!
-
Multi-vector worms: Nimda
By active probing
By bulk e-mailing itself as an attachment
By copying itself across open network shares
By adding exploit code to Web pages on compromised servers
By scanning for backdoors left by Code Red II
-
[Figure: infection timeline of Code Red 1, Code Red 2 and Nimda. Annotations: Code Red 2 kills off Code Red 1; Code Red 2 settles into weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; CR 1 returns thanks to bad clocks.]
-
[Figure, continued: Code Red 2 dies off as programmed; Nimda hums along, slowly cleaned up; with its predator gone, Code Red 1 comes back, still exhibiting its monthly pattern.]