Abhishek 0713 Worms.jjjjjjjjjjjjjjjjjjjjjjjjj


Transcript of Abhishek 0713 Worms.jjjjjjjjjjjjjjjjjjjjjjjjj

  • 7/29/2019 Abhishek 0713 Worms.jjjjjjjjjjjjjjjjjjjjjjjjj

    1/34

    WORMS: attacks, defense and models

    Presented by:

    Abhishek Sharma

    Vijay Erramilli

    2/34

    What is a computer worm? Is it not the same as a computer virus?

    A computer worm is a program that self-propagates across a network, exploiting security or policy flaws.

    A computer virus requires some sort of user action to abet its propagation.

    The line between worms and viruses is not all that sharp: contagion worms


    3/34

    4/34

    A Taxonomy of Computer Worms: know thy enemy

    To understand the worm threat, it is necessary to understand the various types of worms.

    Taxonomy based on:

    target discovery

    carrier

    activation

    payloads

    attackers

    5/34

    Target Discovery: the mechanism by which a worm discovers new targets to infect: scanning, hit-list scanning

    Scanning: entails probing a set of addresses to identify vulnerable hosts.

    sequential: working through an IP address block using an ordered set of addresses

    random: trying addresses out of a block in a pseudo-random fashion

    Examples: Code-Red, Nimda, Slammer worm

    6/34

    Optimizations to scanning

    Localized scanning strategy (Code-Red II):

    With probability 3/8, choose a random IP address from within the class B address (/16 network) of the infected machine.

    With probability 1/2, choose randomly from the class A (/8 network) of the infected machine.

    With probability 1/8, choose a random address from the whole Internet.
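Modelling the localized scanning rule above, as an added example that is not part of the original slides or of any worm's code: the sampler below draws target addresses with the 3/8, 1/2, 1/8 preference and reports what share of one infected host's probes lands in its own /16 and /8, plus a closed form for how much of that host's probing a monitoring prefix (a darknet or IDS-covered block) would see. The source address, the sample count, the monitoring prefixes and the decision to skip 127/8 and 224/8 are assumptions of the example, not statements about the worm. Nothing is probed; the code only generates the distribution.

```python
"""Model of the Code Red II localized scanning rule (added example, not worm code)."""
import ipaddress
import random
from collections import Counter

P_SAME_16 = 3 / 8   # same class B (/16) as the infected host
P_SAME_8 = 1 / 2    # same class A (/8) as the infected host
P_ANY = 1 / 8       # anywhere on the Internet


def pick_target(src: int, rng: random.Random) -> int:
    """Draw one target (32-bit int) for an infected host whose own address is `src`."""
    if (src >> 24) in (127, 224):
        raise ValueError("source in a prefix this model never targets")
    while True:
        u = rng.random()                      # one uniform draw selects the bucket
        if u < P_SAME_16:
            cand = (src & 0xFFFF0000) | rng.getrandbits(16)   # keep /16, random low 16 bits
        elif u < P_SAME_16 + P_SAME_8:
            cand = (src & 0xFF000000) | rng.getrandbits(24)   # keep /8, random low 24 bits
        else:
            cand = rng.getrandbits(32)                         # whole Internet
        # Modelling choice for this example: loopback and multicast are useless targets.
        if (cand >> 24) not in (127, 224):
            return cand


def locality_profile(src_ip: str, n: int, seed: int = 1) -> dict:
    """Simulate n draws and return the fraction landing in the host's own /16,
    in its own /8 but outside the /16, and elsewhere.  The random-Internet
    bucket can also land inside the local prefixes, so same_16 comes out a
    little above 3/8 and same_8 a little below 1/2."""
    rng = random.Random(seed)
    src = int(ipaddress.IPv4Address(src_ip))
    buckets = Counter()
    for _ in range(n):
        t = pick_target(src, rng)
        if t >> 16 == src >> 16:
            buckets["same_16"] += 1
        elif t >> 24 == src >> 24:
            buckets["same_8"] += 1
        else:
            buckets["other"] += 1
    return {k: buckets[k] / n for k in ("same_16", "same_8", "other")}


def _overlap(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> int:
    """Addresses two prefixes share; prefixes are either nested or disjoint."""
    if a.subnet_of(b):
        return a.num_addresses
    if b.subnet_of(a):
        return b.num_addresses
    return 0


def probe_fraction_into(monitor: str, src_ip: str) -> float:
    """Closed-form probability that one probe from src_ip lands inside `monitor`
    (ignores the 127/224 exclusion, which only matters if the monitor is there).
    Sensor-sizing check: a /16 in the same /8 as the infected host sees about
    0.2% of its probes, a /24 elsewhere on the Internet about 1e-8 of them."""
    mon = ipaddress.IPv4Network(monitor)
    src = int(ipaddress.IPv4Address(src_ip))
    own16 = ipaddress.IPv4Network((src & 0xFFFF0000, 16))
    own8 = ipaddress.IPv4Network((src & 0xFF000000, 8))
    return (P_SAME_16 * _overlap(own16, mon) / own16.num_addresses
            + P_SAME_8 * _overlap(own8, mon) / own8.num_addresses
            + P_ANY * mon.num_addresses / 2 ** 32)


if __name__ == "__main__":
    print(locality_profile("10.20.30.40", 40000))            # constructed source address
    for prefix in ("10.20.0.0/16", "10.99.0.0/16", "192.0.2.0/24"):
        print(prefix, probe_fraction_into(prefix, "10.20.30.40"))
```

The closed form is the piece a defender actually uses: it says how much of a single infected host's scan traffic a given sensor prefix captures, which is why a localized scanner is noticed first by the victim's own network and only much later by a distant telescope.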

    7/34

    Hit-list Scanning: getting off the ground

    Provide the worm with a list of potentially vulnerable machines.

    The worm, when released onto an initial machine on this hit-list, begins scanning down the list.

    When it infects a machine, it divides the hit-list in half, communicating half to the recipient worm and keeping the other half.

    8/34

    Permutation Scanning

    Random scanning is inefficient:

    many addresses are probed multiple times

    there is no means for a randomly scanning worm to effectively determine when all vulnerable machines are infected

    Permutation scanning:

    all worms share a common pseudo-random permutation of the IP address space

    a worm can detect that a particular target is already infected
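A toy model of the two strategies, as an added example that is not from the slides or from the paper they summarize: addresses are plain integers in a 2^16 space, probes are set lookups, and the shared permutation is an affine map with an odd multiplier (an assumption of this model; the original proposal is a 32-bit block cipher under a pre-shared key). It shows the two points of the slide: a lone random scanner has re-probed about a third of the space by the time it has issued one probe per address and can never be sure it is finished, while a permutation walk covers every address exactly once and knows it is done after N steps. The outbreak function then runs many instances together and records the per-round infected count, which is the spread curve the following slide asks about. The population size, seed and restart rule are assumptions of the example.

```python
"""Random vs permutation scanning in a 2**16 address space (added example, no network I/O)."""
import random

BITS = 16
N = 1 << BITS          # toy address space; the real Internet would be 2**32
MASK = N - 1


def make_permutation(key: int):
    """Return (perm, inv): a bijection on range(N) and its inverse, derived from key.

    i -> (a*i + c) mod 2**BITS is a permutation whenever a is odd, so every
    instance that knows `key` walks the same ordering of the address space.
    """
    a = (key & MASK) | 1                      # force odd => invertible mod 2**BITS
    c = (key >> BITS) & MASK
    a_inv = pow(a, -1, N)                     # modular inverse (Python 3.8+)
    perm = lambda i: (a * i + c) & MASK
    inv = lambda y: (a_inv * ((y - c) & MASK)) & MASK
    return perm, inv


def coverage_after(strategy: str, probes: int, seed: int = 7) -> dict:
    """One scanner issuing `probes` probes: what fraction of the space did it cover?

    Random scanning repeats itself (after N probes roughly 1 - 1/e ~ 63% of the
    space is covered); a permutation walk covers each address exactly once.
    """
    rng = random.Random(seed)
    perm, _ = make_permutation(seed)
    start = rng.randrange(N)
    seen, repeats = set(), 0
    for k in range(probes):
        t = rng.randrange(N) if strategy == "random" else perm((start + k) & MASK)
        if t in seen:
            repeats += 1
        seen.add(t)
    return {"coverage": len(seen) / N, "repeats": repeats}


def outbreak(strategy: str, n_vuln: int, seed: int = 7, max_rounds: int = 20000) -> dict:
    """Multi-instance spread: every infected host issues one probe per round.

    Permutation instances walk the shared ordering from a random start and, on
    probing a host that is already infected (the slide's "can detect that a
    target is already infected"), jump to a fresh random start because that
    stretch of the permutation has evidently been swept.  Returns the per-round
    infected count (the spread curve) and total/redundant probe counts.
    """
    rng = random.Random(seed)
    perm, _ = make_permutation(seed)
    vulnerable = set(rng.sample(range(N), n_vuln))      # assumed vulnerable population
    infected = {min(vulnerable)}                          # patient zero
    cursor = {h: rng.randrange(N) for h in infected}      # per-instance walk position
    probed, curve, probes, redundant = set(), [], 0, 0
    while len(infected) < n_vuln and len(curve) < max_rounds:
        newly = set()
        for host in list(infected):
            if strategy == "random":
                t = rng.randrange(N)
            else:
                t = perm(cursor[host])
                cursor[host] = (cursor[host] + 1) & MASK
            probes += 1
            redundant += t in probed
            probed.add(t)
            if t in infected or t in newly:
                if strategy == "permutation":
                    cursor[host] = rng.randrange(N)       # already swept here: jump
            elif t in vulnerable:
                newly.add(t)
                cursor[t] = rng.randrange(N)              # new instance starts at a random point
        infected |= newly
        curve.append(len(infected))
    return {"curve": curve, "probes": probes, "redundant": redundant,
            "infected": len(infected)}


if __name__ == "__main__":
    print("random     :", coverage_after("random", N))
    print("permutation:", coverage_after("permutation", N))
    for s in ("random", "permutation"):
        r = outbreak(s, 300)
        print(s, "rounds", len(r["curve"]), "probes", r["probes"], "redundant", r["redundant"])
```

The spread curve from `outbreak` is the familiar S shape: a long slow start while one or a few instances hunt through mostly empty space, then explosive growth, then a tail while the last few vulnerable hosts are found. Rescaling the per-round probe budget is how the later latency-limited (Code-Red) versus bandwidth-limited (Slammer) comparison enters such a model.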

    9/34

    Spread of Scanning Worms

    The speed of scanning worms is limited by:

    the density of vulnerable machines

    the design of the scanner

    the ability of edge routers to handle a potentially significant increase in new, diverse communication

    Scanning is highly anomalous behavior: this allows effective detection, and defenses designed to stop an entire family of worms rather than one specimen.
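The detection point on the slide, worked as an added example that is not from the original deck: a scanner run over flow records flags a source that contacts many distinct destinations inside a short window while almost none of them answer, which is the signature shared by every random-scanning worm regardless of the exploit it carries. The flow records are constructed for this example (the field names, the thresholds and the four sample hosts are all assumptions); real sensors such as NetFlow or a Zeek conn.log carry the same information under other names.

```python
"""Flow-based scan detector over constructed sample traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    answered: bool   # destination replied (SYN/ACK, or any datagram back for UDP)


def detect_scanners(flows, window_s=10.0, min_distinct=20, max_answer_ratio=0.2):
    """Return {src: evidence} for sources whose traffic looks like worm scanning.

    A source is flagged when, within some window of `window_s` seconds, it has
    contacted at least `min_distinct` distinct destinations and at most
    `max_answer_ratio` of those contacts were answered.  The second test is
    what separates a scanner from a busy legitimate client: random probes mostly
    hit unused addresses or hosts without the service, so they go unanswered.
    Thresholds are assumptions of this example and need tuning per network.
    """
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        lo = 0
        for hi in range(len(fl)):
            while fl[hi].ts - fl[lo].ts > window_s:   # slide the window start forward
                lo += 1
            win = fl[lo:hi + 1]
            dsts = {f.dst for f in win}
            if len(dsts) < min_distinct:
                continue
            ratio = sum(f.answered for f in win) / len(win)
            if ratio <= max_answer_ratio:
                alerts[src] = {
                    "distinct_dsts": len(dsts),
                    "answer_ratio": round(ratio, 3),
                    "ports": sorted({(f.proto, f.dport) for f in win}),
                    "window": (fl[lo].ts, fl[hi].ts),
                }
                break                                 # first qualifying window is enough
    return alerts


def sample_flows():
    """Constructed traffic for this example (not real captures): two scanners and
    two legitimate but chatty hosts that must not be flagged."""
    rng = random.Random(3)

    def rand_ip():
        return "%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                                rng.randrange(256), rng.randrange(1, 255))

    flows = []
    # Slammer-style: one UDP datagram per target to port 1434, ~30 per second, almost nothing answers
    for i in range(60):
        flows.append(Flow(100.0 + i * 0.03, "10.0.5.23", rand_ip(), "udp", 1434, i % 30 == 0))
    # Code-Red-style: TCP connects to port 80 a few times per second, most never complete
    for i in range(40):
        flows.append(Flow(100.0 + i * 0.2, "10.0.5.77", rand_ip(), "tcp", 80, i % 13 == 0))
    # Legitimate page load pulling from 25 CDN/ad hosts in 5 s: many destinations, all answer
    for i in range(25):
        flows.append(Flow(100.0 + i * 0.2, "10.0.5.40", rand_ip(), "tcp", 443, True))
    # Mail relay: 30 destinations spread over 5 minutes, all answer
    for i in range(30):
        flows.append(Flow(100.0 + i * 10.0, "10.0.5.8", rand_ip(), "tcp", 25, True))
    return flows


if __name__ == "__main__":
    for src, ev in detect_scanners(sample_flows()).items():
        print(src, ev)
```

The page-load host is the important negative case: it exceeds the distinct-destination threshold, so a detector that only counts destinations would raise a false alarm, and it is the answer ratio that clears it. The same logic catches both sample scanners although one speaks UDP and the other TCP, which is what the slide means by defenses that stop an entire family of worms.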

    10/34

    How fast do they spread?

    11/34

    Topological Worms: Internal Target Lists

    Many applications contain information about other hosts providing vulnerable services. A topological worm searches local information to find new victims, trying to discover the local communication topology.

    The original Morris worm used topological techniques, including Network Yellow Pages, /etc/hosts, and other sources, to find new victims.


    12/34

    13/34

    Target Discovery: Passive Worms

    A passive worm does not seek out victim machines. Instead, it either waits for potential victims to contact the worm or relies on user behavior to discover new targets.

    Gnuman: operates by acting as a Gnutella node which replies to all queries with copies of itself. If this copy is run, Gnuman starts on the victim and repeats the process.

    14/34

    Passive Worms continued

    CRclean: the anti-worm

    This worm waits for a Code Red II related probe. When it detects an infection attempt, it responds by launching a counterattack. If this counterattack is successful, it removes Code Red II and installs itself on the machine.

    Never released.


    15/34

    Stealth worms --- contagion

    16/34

    P2P systems: susceptible to contagion worms

    Likely need only a single exploit, not a pair

    Often, peers run identical software

    Rich interconnection pattern

    Often used to transfer large files

    Not mainstream: less vulnerability assessment and monitoring

    17/34

    P2P network susceptibility continued

    Often give access to users' desktops rather than servers; sensitive data

    Grey content: users less inclined to draw attention to unusual behavior

    Come with a built-in control/dissemination plane

    and can be very large

    18/34

    Toolkit Potential

    Toolkits: large reusable structures where a small amount of additional code can be added to create a worm.

    Application-independent and application-dependent toolkits have been seen in the wild.

    An application-independent toolkit can contain:

    code for scanning

    code for transporting payloads

    19/34

    Toolkits continued

    Scanning worms are not application specific: the scanning and transport code is reusable.

    The Slapper worm: the attacker inserted a new exploit into the Scalper worm source code.

    Scanning worms can therefore be released as soon as a vulnerability is published.

    20/34

    Distribution Mechanisms

    The carrier mechanism affects the speed and stealth of a worm.

    Mechanisms:

    Self-carried

    Second channel: Blaster worm

    Embedded: contagion worm. An embedded strategy only makes sense when the target selection strategy is also stealthy.

    Distribution:

    One-to-many

    Many-to-many

    Hybrid

    21/34

    Activation

    Self-activation

    Human activation: relies on social engineering techniques

    Human activity-based activation: logging in (and therefore executing login scripts), opening a remotely infected file

    Scheduled process activation


    22/34

    23/34

    Payloads continued

    Spam relays: Sobig worm. Spammers can avoid mechanisms which block known-spamming IP addresses.

    HTML proxies: redirect web requests (through DNS) to randomly selected proxy machines

    Internet DoS

    24/34

    Payloads continued

    Data collection

    Access for sale

    Data damage: Chernobyl, Klez

    Worm maintenance: W32/Sonic


    25/34

    Code-Red

    26/34

    The Slammer Worm

    Spread nearly two orders of magnitude faster than Code-Red

    In approximately 3 minutes, the worm achieved its full scanning rate (more than 55 million scans per second)

    The spread was so aggressive that the worm quickly interfered with its own growth


    27/34

    28/34

    Why was Slammer so fast?

    Code-Red was latency limited:

    It spreads via many threads, each invoking connect() to open a TCP session to a random address.

    Consequently, each thread's scanning rate was limited by the network latency.

    29/34

    Latency limitation of Code-Red

    A thread is blocked while waiting to receive the SYN/ACK.

    Worms can compensate for this by invoking a large number of threads, subject to operating system limitations:

    context-switching overhead

    kernel stack memory consumption

    30/34

    Slammer was bandwidth limited

    UDP-based: a single packet to UDP port 1434 could exploit the SQL Server vulnerability.

    Smaller size: Slammer 404 bytes; Code-Red 4 Kbytes; Nimda 60 Kbytes

    31/34

    Slammer opens the door for more worms

    Smaller susceptible populations are now more attractive.

    Need to automate worm defenses.

    Filtering provided no benefit for actually limiting the number of infected machines.

    What if Slammer had propagated for only 10 minutes? 75,000 compromised machines, many of which might never have been identified!

    32/34

    Multi-vector worms: Nimda

    By active probing

    By bulk e-mailing itself as an attachment

    By copying itself across open network shares

    By adding exploit code to Web pages on compromised servers

    By scanning for backdoors left by Code-Red II

    33/34

    [Figure: timeline of Code Red 1, Code Red 2 and Nimda activity. Annotations: Code Red 2 kills off Code Red 1; Code Red 2 settles into weekly pattern; Nimda enters the ecosystem; Code Red 2 dies off as programmed; CR 1 returns thanks to bad clocks]

    34/34

    [Figure, continued. Annotations: Code Red 2 dies off as programmed; Nimda hums along, slowly cleaned up; with its predator gone, Code Red 1 comes back, still exhibiting monthly pattern]