Professional Documents
Culture Documents
CS 155
Network Worms:
Attacks and Defenses
John Mitchell
with slides borrowed from various (noted)
sources
Outline
Worm propagation
Worm examples
Propagation models
Detection methods
Disable
Worm
A worm is self-replicating software designed to
spread through the network
Aggregate statistics
Consequences
Security vulnerabilities
Fingerd
Rsh
sendmail
Worm used debug feature
fingerd
Written in C and runs continuously
Array bounds attack
Attack string
10
Remote shell
Unix trust information
Password cracking
Worm was running as daemon (not root) so needed to break
11
12
System load
Perpetrator
Lessons?
14
15
16
Worm
Date Distinction
Morris
11/8
8
ADM
5/98
Ramen
1/01
Lion
3/01
Cheese
6/01
Code Red
7/01
Walk
8/01
Nimda
9/01
Scalper
6/02
Slammer
1/03
17
Code Red
Initial version released July 13, 2001
When executed,
(www.whitehouse.gov)
19
20
21
22
23
Code Red 2
Released August 4, 2001.
Comment in code: Code Red 2.
24
25
CR 1
returns
thanks
to bad
clocks
26
WORM '04
WORM '03
27
Coordinated scanning
Flash worms
Meta-server worm
Topological worm:
Contagion worm
28
N: population size
S(t): susceptible hosts at time t
I(t): infected hosts at time t
: contact rate
i(t): I(t)/N, s(t): S(t)/N
dI
IS
dt
N
dS
IS
dt
N
29
di
i (1 i )
dt
courtesy Paxson,
Staniford, Weaver
e ( t T )
i (t )
1 e ( t T )
Shortcomings of simplified
model
Prediction is faster than observed
propagation
Possible reasons
30
31
Effect of parameters on
propagation
1.
HitList Size
2. Patching Rate
32
Other models:
Wang et al, Modeling Timing Parameters , WORM 04 (includes delay)
Ganesh et al, The Effect of Network Topology , Infocom 2005 (topology
33
8/5
-DeepSight
TMS
Weekly
Summary,
warns of
impending
worm.
8/11 - Blaster
worm breaks out.
ThreatCon is
raised to level 3
8/7 TMS
alerts
stating
activity is
being seen
in the wild.
DeepSight Notification
IP Addresses Infected With The Blaster Worm
34
reaction
Manual capture/analyze/signature/rollout model too
slow Program
Macro
months
Viruses
days
hrs
Preautomation
mins
Network
Worms
Postautomation
Flash
Worms
Contagion Period
Signature Response Period
secs
1990
35
E-mail
Worms
Viruses
Time
Signature
Response Period
Contagion Period
Need
for can
automation
Current threats
spread faster than defenses can
2005
Signature inference
Challenge
36
Signature inference
Monitor network and look for strings
common to traffic with worm-like
behavior
37
Slide: S Savage
Content sifting
Assume there exists some (relatively) unique
invariant bitstring W across all instances of a
particular worm (true today, not tomorrow...)
Two consequences
Slide: S Savage
Observation:
High-prevalence strings are rare
1
0.998
0.996
0.994
0.992
0.99
0.988
0.986
0.984
10
100
1000
10000
Number of repeats
39
(Stefan
Savage, UCSD *)
100000
B
C
cnn.com
Prevalence Table
40
(Stefan
Savage, UCSD *)
D
Address Dispersion Table
Sources
Destinations
B
C
cnn.com
Prevalence Table
1
41
(Stefan
Savage, UCSD *)
1 (A)
1 (B)
B
C
cnn.com
Prevalence Table
42
(Stefan
Savage, UCSD *)
1 (A)
1 (B)
1 (C)
1 (A)
B
C
cnn.com
Prevalence Table
43
(Stefan
Savage, UCSD *)
2 (A,B)
2 (B,D)
1 (C)
1 (A)
B
C
cnn.com
Prevalence Table
3 (A,B,D) 3 (B,D,E)
1
44
(Stefan
Savage, UCSD *)
1 (C)
1 (A)
Challenges
Computation
State
45
(Stefan
Savage, UCSD *)
A B C D E F G H I J K
46
(Stefan
Savage, UCSD *)
P1
R A N D A B C D O M
Fingerprint = 11000000
P2
R A B C D A N D O M
Fingerprint = 11000000
47
(Stefan
Savage, UCSD *)
How to subsample?
Approach 1: sample packets
Increment
Counters
Stage 1
Field
Extraction
Hash 2
Comparator
Stage 2
Comparator
Hash 3
Stage 3
Comparator
49
(Stefan
Savage, UCSD *)
ALERT !
If
all counters
above
threshold
Threshold
Stage 1
Stage 2
Stage 3
50
(Stefan
Savage, UCSD *)
Observation:
High address dispersion is rare
too
Nave implementation might maintain a list of
sources
(or destinations) for each string hash
Hash(Source)
Hash : based on Source (or Destination)
Sample : keep only a sample of the bitmap
Estimate : scale up sampled count
Adapt : periodically increase scaling factor
numBitmaps
-1)
TAP
Apache + PHP
Summary
data
Mysql + rrdtools
0.042 microseconds
56
(Stefan
Savage, UCSD *)
Experience
Quite good.
57
(Stefan
Savage, UCSD *)
Sasser
58
(Stefan
Savage, UCSD *)
False Negatives
Easy to prove presence, impossible to prove
absence
Live evaluation: over 8 months detected every
worm outbreak reported on popular security
mailing lists
Offline evaluation: several traffic traces run
against both Earlybird and Snort IDS (w/all wormrelated signatures)
59
(Stefan
Savage, UCSD *)
False Positives
Common protocol
headers
protocols
Non-worm
epidemic Activity
SPAM
BitTorrent
60
(Stefan
Savage, UCSD *)
GNUTELLA.CONNECT
/0.6..X-Max-TTL:
.3..X-Dynamic-Qu
erying:.0.1..X-V
ersion:.4.0.4..X
-Query-Routing:.
0.1..User-Agent:
.LimeWire/4.0.6.
.Vendor-Message:
.0.1..X-Ultrapee
r-Query-Routing:
Song et al.
Port-scanning [Autograph],
contacting honey pots [Honeycomb],
traffic patterns [Earlybird]
False negatives: Non-scanning worms
False positives: Easy for attackers to raise false alarms
61
Anomalous requests
Flow
Selector
TaintCheck
TaintCheck Approach
Observation:
Advantages
63
Fast
Accurate
Effective against polymorphic worms
Semantic-based Signature
Generation (I)
Worm Request
!!!
!!!
Overwritten
Return Address
64
!!!
Sting Architecture
Innocuous
Flows
Incoming traffic
65
Sting Evaluation
Slammer worm attack:
Sting evaluation I:
66
Data Localization
Limited to a single packet
68
BEGIN
Pseudo-signature:
DESCRIPTION:
MS02-039
NAME: MS SQL Vuln
if (packet.port()UDP
== 1434 &&
TRANSIT-TYPE:
TRIGGER:
ANY:ANY->ANY:1434
packet[0]
== 4 &&
OFFSET:
0, PACKET
packet.size()
> 60)
SIG-BEGIN
{
"\x04<getpacketsize(r0)>
report_exploit(MS02-039);
<inrange(r0,61,1000000)>
}
<reportid()>"
SIG-END
END
Data Localization
Limited to 256 bytes from
start of RPC bind command
69
BEGIN
DESCRIPTION:
MS03-026
Sample signature:
NAME: RPC Vulnerability
TRANSIT-TYPE: TCP, UDP
if (port ==ANY:ANY->ANY:135
135 &&
TRIGGER:
type == request &&
SIG-BEGIN
func == CoGetInstanceFromFile &&
"\x05\x00\x0B\x03\x10\x00\x00
parameters.length()
> 62)
(about
50 more bytes...)
{ \x00\x00.*\x05\x00
<forward(5)><getbeword(r0)>
report_exploit(MS03-026);
} <inrange(r0,63,20000)>
<reportid()>"
SIG-END
END
Conclusions
Worm attacks
Detect
Disable
70