


CIS3360: Security in Computing

  Chapter 4.3 : Worms
            Cliff Zou
           Spring 2012
q   This lecture uses some content from the lecture notes of
    q   Dr. Vitaly Shmatikov, CS 378 - Network Security and

              Viruses vs. Worms

    VIRUS
q   Propagates by infecting other programs
q   Usually inserted into host code (not a standalone program)

    WORM
q   Propagates automatically by copying itself to target hosts
q   Is a standalone program

    Sometimes it is hard to distinguish a virus from a worm

                       Morris Worm

q   1988: No malicious payload, but it bogged down infected
    machines by uncontrolled spawning of copies
    q   Infected about 10% of all Internet hosts at the time
q   Multiple propagation vectors
    q   Remote execution using rsh and cracked passwords (dictionary attack)
         q   Tried to crack passwords using a small dictionary and the publicly
             readable password file; targeted hosts listed in /etc/hosts.equiv
    q   Buffer overflow in fingerd on VAX
         q   Standard stack smashing exploit
    q   DEBUG command in Sendmail
         q   In early Sendmail versions it was possible to execute a command on a
             remote machine by sending an SMTP (mail transfer) message

         Worm propagation process

q   Find new targets
    q   IP random scanning
q   Compromise targets
    q   Exploit a vulnerability
    q   Trick users into running malicious code
q   Newly infected hosts join the infection army and start
    scanning for targets in turn
      Worm research motivation
q   Code Red (Jul. 2001): 360,000 infected in 14 hours
q   Slammer (Jan. 2003): 75,000 infected in 10 minutes
        Congested parts of the Internet (ATMs down…)
q   Blaster (Aug. 2003): 150,000 ~ 8 million infected
        DDoS attack on the Windows Update domain
q   Witty (Mar. 2004): 12,000 infected in under an hour
        Attacked a vulnerability in ISS security products
q   Sasser (May 2004): 500,000 infected within two days
q   Storm (Jan. 2007): infected 1 to 5 million computers

        How do worms propagate?
q   Scanning worms
    q   Worm chooses “random” addresses
q   Coordinated scanning
    q   Different worm instances scan different parts of the address space
q   Flash worms
    q   Assemble a tree of vulnerable hosts in advance, propagate along the tree
q   Meta-server worms
    q   Ask a server for hosts to infect (e.g., Google for “powered by phpbb”)
q   Topological worms
    q   Use information found on infected hosts (web server logs, email address
        books, config files, SSH “known hosts”)
q   Contagion worms
    q   Propagate parasitically along with normally initiated communication

             Summer of 2001
                   [from “How to 0wn the Internet in Your Spare Time”]

[Figure: the three major worms of summer 2001, Code Red I, Code Red II and
Nimda, covered in turn on the following slides]
                             Code Red I

q   July 13, 2001: First worm of the modern era
q   Exploited a buffer overflow in Microsoft’s Internet
    Information Server (IIS)
q   1st through 20th of each month: spread
    q   Find new targets by random scan of the IP address space
         q   Spawn 99 threads to generate addresses and look for IIS
    q   Creator forgot to seed the random number generator, so every
        copy scanned the same set of addresses
q   21st through the end of each month: attack
    q   Deface websites with “HELLO! Welcome to! Hacked by Chinese!”

        Exception Handling In IIS
                                           [See Chien and Szor, “Blended Attacks…”]

q   Overflow in a rarely used URL decoding routine
    q   A malformed URL is supplied to the vulnerable routine…
    q   … another routine notices that the stack has been smashed and raises
        an exception; the exception handler is invoked…
    q   … the pointer to the exception handler is located on the stack. It has
        been overwritten to point to a certain instruction inside the routine
        that noticed the overflow…
    q   … that instruction is CALL EBX. At that moment EBX points into the
        overwritten buffer…
    q   … and the buffer contains code that finds the worm’s main body on
        the heap and executes it!

                       Code Red I v2
q   July 19, 2001: Same codebase as Code Red I, but with the
    bug in random IP address generation fixed
    q   Compromised nearly all vulnerable IIS servers on the Internet
    q   Large vulnerable population meant fast worm spread
         q   Scanned address space grew exponentially
         q   350,000 hosts infected in 14 hours!!
q   Payload: distributed packet flooding (denial of service)
    attack on a fixed target
    q   Attack was on a fixed IP address, so it was avoided
q   Still alive in the wild (as of this lecture)!

                 Code Red Code
q   Detailed analysis at:

    Simple worm propagation model

q   Address space of size W
q   N : total number of vulnerable hosts
q   I_t : number of hosts infected by time t
    q   N - I_t hosts are still vulnerable at time t
q   h : scan rate per infected host (scans per unit time)

    Number of newly infected hosts in one unit of time:

        I_{t+1} - I_t = I_t * h * (N - I_t) / W

    where I_t * h is the total number of scans sent in that unit of
    time and (N - I_t) / W is the probability that a single scan
    hits a still-vulnerable host

[Figure: number of infected hosts vs. time under this model]
          Propagation: Theory
q   Classic epidemic model
    q   N: total number of vulnerable hosts
    q   I(t): number of infected hosts at time t
    q   S(t): number of susceptible hosts at time t
    q   I(t) + S(t) = N
    q   b: infection rate
q   Differential equation for I(t):
        dI/dt = b I(t) S(t) = b I(t) (N - I(t))
    q   This is the continuous form of the simple model above: matching
        I_t * h * (N - I_t) / W term by term gives b = h / W
q   More accurate models adjust the propagation rate over time
    [Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao, “The Monitoring and
    Early Detection of Internet Worms”, IEEE/ACM Transactions on Networking, 2005]
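Worked example, added here and not code from the lecture or from the Zou et al. paper: the discrete model of the previous slide and the continuous epidemic model of this one in Python, linked by b = h/W. The vulnerable populations and early doubling times (about 360,000 hosts and 37 minutes for Code Red, 75,000 hosts and 8.5 seconds for Slammer) are the figures quoted on these slides; the per-host scan rates and the times to 50% and 90% infection are what the model derives from them. Treating all of IPv4 as the scanned space, and ignoring bandwidth saturation, are assumptions.

```python
import math

W_IPV4 = 2 ** 32   # scanned address space: all of IPv4 (assumption: uniform random scanning)


def simulate_discrete(N, W, h, I0=1, max_steps=100_000):
    """Discrete model from the slide, one loop iteration per unit of time.

    Every infected host sends h scans per unit time, and a scan hits a still-
    vulnerable host with probability (N - I_t) / W, so the expected number of
    new infections is  I_{t+1} - I_t = I_t * h * (N - I_t) / W.
    Returns [I_0, I_1, ...], stopping once (the expected) I_t reaches N.
    """
    I = float(I0)
    history = [I]
    for _ in range(max_steps):
        I = min(float(N), I + I * h * (N - I) / W)
        history.append(I)
        if I >= N - 0.5:
            break
    return history


def infection_rate(h, W):
    """Pairwise infection rate b of the classic epidemic model.  Matching the
    two slides term by term, I*h*(N-I)/W = b*I*(N-I) gives b = h / W."""
    return h / W


def logistic_I(t, N, b, I0=1):
    """Closed-form solution of dI/dt = b I (N - I) with I(0) = I0."""
    return N / (1.0 + (N / I0 - 1.0) * math.exp(-b * N * t))


def doubling_time(N, b):
    """While I << N, dI/dt ~ b N I, so I grows like I0 * exp(bN t) and
    doubles every ln2 / (bN) time units."""
    return math.log(2) / (b * N)


def time_to_fraction(N, b, frac, I0=1):
    """Time at which the logistic curve reaches frac * N (logistic_I solved
    for t)."""
    return math.log((N / I0 - 1.0) / (1.0 / frac - 1.0)) / (b * N)


def scan_rate_from_doubling(N, W, doubling):
    """Invert doubling_time: from an observed early doubling time infer the
    per-host scan rate, h = W ln2 / (N * doubling)."""
    return W * math.log(2) / (N * doubling)


def estimate(name, N, doubling_s):
    """Worked numbers.  N and the early doubling time are the figures quoted
    on the slides; the scan rate and the times to 50% and 90% infection are
    derived from them by the model (assumption: the doubling time was
    measured in the exponential phase and bandwidth never saturates)."""
    h = scan_rate_from_doubling(N, W_IPV4, doubling_s)
    b = infection_rate(h, W_IPV4)
    return {
        "worm": name,
        "scans_per_host_per_s": h,
        "t50_s": time_to_fraction(N, b, 0.5),
        "t90_s": time_to_fraction(N, b, 0.9),
    }


if __name__ == "__main__":
    for row in (estimate("Code Red I v2", 360_000, 37 * 60),
                estimate("Slammer", 75_000, 8.5)):
        print(row)
```

With the slide's 37-minute doubling time the model infers roughly 3.7 scans per second per Code Red host and puts 90% infection at about 13 hours, in line with the "350,000 hosts in 14 hours" figure; for Slammer it infers several thousand scans per second per host and 90% infection in under three minutes, faster than the roughly ten minutes observed, because the model knows nothing about the link saturation that the "more accurate models" on the slide account for.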
                      Code Red II
q   August 4, 2001: Same IIS vulnerability, completely
    different code; kills Code Red I
    q   Known as “Code Red II” because of a comment in the code
    q   Worked only on Windows 2000; crashed NT
q   Scanning algorithm preferred nearby addresses
    q   Chose addresses from the same class A (/8) with probability 1/2, the
        same class B (/16) with probability 3/8, and randomly from the entire
        Internet with probability 1/8
q   Payload: installed a root backdoor on IIS servers for
    unrestricted remote access
q   Died by design on October 1, 2001
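An added example, not code from the lecture or from the worms themselves, putting the target-selection ideas of the "How do worms propagate?" slide and the two Code Red slides next to each other: the unseeded-generator bug of Code Red I, the localized 1/2, 3/8, 1/8 rule of Code Red II, and why locality pays off when vulnerable hosts cluster. The LCG constants model the classic C-runtime rand() (the slide does not say which generator Code Red called); the clustered vulnerable population, the seeds and the scan counts are constructed assumptions.

```python
import random


class CrtRand:
    """Minimal model of the classic C-runtime rand(): a 32-bit linear
    congruential generator whose state starts at 1 unless srand() is called.
    Used here to show the Code Red I bug; whether Code Red used exactly these
    constants is an assumption, not something the slide states."""

    def __init__(self, seed=1):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF

    def random_ip(self):
        """Classic random scanner: one address octet per rand() call."""
        return sum((self.rand() & 0xFF) << shift for shift in (24, 16, 8, 0))


def unseeded_copies_collide(n=8):
    """Returns (unseeded_same, seeded_same): two copies that never seed the
    generator produce identical target lists; two copies seeded differently
    do not."""
    a, b = CrtRand(), CrtRand()
    unseeded_same = [a.random_ip() for _ in range(n)] == [b.random_ip() for _ in range(n)]
    c, d = CrtRand(seed=1001), CrtRand(seed=2002)
    seeded_same = [c.random_ip() for _ in range(n)] == [d.random_ip() for _ in range(n)]
    return unseeded_same, seeded_same


def localized_target(src_ip, rng):
    """Code Red II's rule: with probability 1/2 an address in the same class A
    (/8) as the infected host, with probability 3/8 one in the same class B
    (/16), with probability 1/8 anywhere on the Internet.  rng is a seeded
    random.Random."""
    r = rng.random()
    if r < 1 / 2:
        return (src_ip & 0xFF000000) | rng.getrandbits(24)
    if r < 1 / 2 + 3 / 8:
        return (src_ip & 0xFFFF0000) | rng.getrandbits(16)
    return rng.getrandbits(32)


def scan_locality(src_ip, seed=1, n=100_000):
    """Fraction of generated targets that fall in the source's /8 and /16."""
    rng = random.Random(seed)
    targets = [localized_target(src_ip, rng) for _ in range(n)]
    same8 = sum(t >> 24 == src_ip >> 24 for t in targets) / n
    same16 = sum(t >> 16 == src_ip >> 16 for t in targets) / n
    return same8, same16


def clustered_population(rng, total, nets16, per_net):
    """Constructed vulnerable population (not measurement data): per_net hosts
    in each of nets16 randomly chosen /16s, the remainder spread uniformly.
    Real exposure clusters like this (one hosting provider, one campus, one
    vendor's customers)."""
    nets = [rng.getrandbits(16) << 16 for _ in range(nets16)]
    vulnerable = set()
    for net in nets:
        for _ in range(per_net):
            vulnerable.add(net | rng.getrandbits(16))
    while len(vulnerable) < total:
        vulnerable.add(rng.getrandbits(32))
    return vulnerable, nets


def compare_strategies(seed=7, scans=200_000):
    """Hit rate (scans that reach a vulnerable host) of uniform random scanning
    versus Code Red II's localized scanning, for a worm copy sitting inside
    one of the dense /16s."""
    rng = random.Random(seed)
    vulnerable, nets = clustered_population(rng, 100_000, nets16=20, per_net=4_000)
    src = nets[0] | rng.getrandbits(16)
    uniform_hits = sum(rng.getrandbits(32) in vulnerable for _ in range(scans))
    local_hits = sum(localized_target(src, rng) in vulnerable for _ in range(scans))
    return uniform_hits / scans, local_hits / scans


if __name__ == "__main__":
    print("unseeded copies identical, seeded copies identical:", unseeded_copies_collide())
    print("fraction of targets in own /8, /16:", scan_locality(0x0A140000))
    print("hit rate uniform vs localized:", compare_strategies())
```

In the constructed population the localized scanner lands on a vulnerable host about a thousand times more often than uniform scanning, which is the whole reason locality-biased scanning spreads fast inside an enterprise or a hosting provider; the flip side, not modelled here, is that a copy sitting in an empty /8 wastes most of its scans.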

                           Nimda
q   September 18, 2001: Multi-modal worm using several
    propagation vectors
    q   Exploit the same IIS buffer overflow as Code Red I and II
    q   Bulk-email itself as an attachment to email addresses harvested
        from infected machines
    q   Copy itself across open network shares
    q   Add exploit code to Web pages on compromised sites to infect
        visiting browsers
    q   Scan for backdoors left by Code Red II
q   Payload: code to delete all data on the hard drives of
    infected machines, but it was turned off (never activated)

        Signature-Based Defenses
               Don’t Help
q   Nimda leaped firewalls!
q   Many firewalls pass mail untouched, relying on mail
    servers to filter out infections
    q   Most filters simply scan attachments for signatures (code snippets)
        of known viruses and worms
q   Nimda was a brand-new infection with an unknown signature,
    so scanners could not detect it
q   Big challenge: detection of zero-day attacks
    q   When a worm first appears in the wild, its signature is not extracted
        until minutes or hours later

[Figure: scanning activity of Code Red I and II over time (due to Vern Paxson).
Code Red II dies off as programmed; with its predator gone, Code Red I
comes back]

    Slammer (Sapphire) Worm

q   January 24/25, 2003: UDP worm exploiting a buffer
    overflow in Microsoft’s SQL Server
    q   The overflow was already known and patched by Microsoft… but not
        everybody had installed the patch
q   Entire worm fits into a single 404-byte UDP packet
    q   Worm binary followed by the overflow return pointer back into itself
q   Classic buffer overflow combined with random scanning:
    once control is passed to the worm code, it randomly
    generates IP addresses and sends a copy of itself to
    UDP port 1434 on each
    q   MS-SQL listens on port 1434

          Slammer Propagation
q   Aggregate scan rate of 55,000,000 addresses per second
    q   Scan rate = rate at which the worm generates IP addresses of
        potential targets
    q   Up to 30,000 single-packet worm copies per second from one host
q   Initial infection was doubling every 8.5 seconds (!!)
    q   Doubling time of Code Red was 37 minutes
q   Worm-generated packets saturated the carrying capacity of
    the Internet within 10 minutes
    q   75,000 SQL servers compromised
    q   And that’s in spite of the broken pseudo-random number generator
        used for IP address generation

[Figure: geographic spread of Slammer at 05:29:00 UTC, January 25, 2003, and
30 minutes later; from Moore et al., “The Spread of the Sapphire/Slammer Worm”.
Size of circles is logarithmic in the number of infected machines]
                 Slammer Impact
q   Estimated $1.25 billion in damage
q   Temporarily knocked out many elements of critical infrastructure:
    q   Bank of America ATM network
    q   Entire cell phone network in South Korea
    q   Five root DNS servers
    q   Continental Airlines’ ticket processing software
q   The worm did not even have a malicious payload… the damage was
    simply bandwidth exhaustion on the network and resource
    exhaustion on infected machines

    Secret of Slammer’s Speed
q   Old-style worms (Code Red) spawn a new thread which
    tries to establish a TCP connection and, if successful,
    sends a copy of the worm over TCP
    q   Limited by the latency of the network
    q   The majority of TCP connection requests fail (nothing listening)
         q   Each failed scan takes 21 seconds to finish (Windows: 3 tries)
q   Slammer was a connectionless UDP worm
    q   No connection establishment: simply send a 404-byte UDP packet to
        each randomly generated IP address
    q   Limited only by the bandwidth of the host’s link
q   A TCP worm can scan even faster
    q   Send huge numbers of 40-byte TCP SYN packets into the link layer and
        send a worm copy only where a SYN-ACK comes back
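An added example, not from the lecture, putting the three scanning designs on this slide side by side as a back-of-the-envelope model: a thread-per-connect TCP worm, a connectionless UDP worm, and a raw SYN-scanning TCP worm. Each per-host rate h is then fed into the propagation slide's b = h/W to get an early doubling time. The link speed (100 Mbit/s), the thread count (99, as Code Red used), the fraction of addresses with a listener, the RTT and plain-Ethernet framing are assumptions.

```python
import math

W_IPV4 = 2 ** 32


def connect_timeout(initial_rto_s=3.0, tries=3):
    """How long a blocking connect() to a silent address takes on the slide's
    Windows stack: the SYN is sent, then retransmitted with the timeout
    doubling each time, 3 s + 6 s + 12 s = 21 s for three tries."""
    return sum(initial_rto_s * 2 ** i for i in range(tries))


def tcp_connect_scan_rate(threads, p_listening, rtt_s=0.1, fail_timeout_s=None):
    """Code Red style: each thread blocks in connect().  Most addresses do
    not answer, so a thread mostly sits out the full timeout; the few that
    listen answer within about one RTT.  Returns scans/s for the whole host.
    p_listening and rtt_s are assumptions."""
    if fail_timeout_s is None:
        fail_timeout_s = connect_timeout()
    mean_probe_s = p_listening * rtt_s + (1 - p_listening) * fail_timeout_s
    return threads / mean_probe_s


ETH_IP_UDP_HEADERS = 14 + 20 + 8     # Ethernet + IPv4 + UDP, bytes (assumption: plain Ethernet)
MIN_ETH_FRAME = 64                   # a 40-byte IP+TCP SYN is padded up to the minimum frame


def udp_scan_rate(link_bps, payload_bytes=404):
    """Slammer style: one datagram per target and no handshake, so a host is
    limited only by its link: packets/s = bits/s / bits per packet."""
    return link_bps / (8 * (payload_bytes + ETH_IP_UDP_HEADERS))


def syn_scan_rate(link_bps):
    """The faster TCP design from the slide: blast minimal SYNs and only
    complete the handshake (and send the body) where a SYN-ACK comes back."""
    return link_bps / (8 * MIN_ETH_FRAME)


def early_doubling_time(h, N, W=W_IPV4):
    """Exponential-phase doubling time from the propagation slide's model
    with b = h/W: ln2 / (bN)."""
    return math.log(2) * W / (h * N)


def compare(link_bps=100e6, threads=99, p_listening=1e-4):
    """Per-host scan rates and the doubling times they imply for the
    vulnerable populations quoted on the slides (360,000 IIS servers for
    Code Red, 75,000 SQL servers for Slammer).  Link speed, thread count
    and the fraction of addresses with a listener are assumptions."""
    tcp = tcp_connect_scan_rate(threads, p_listening)
    udp = udp_scan_rate(link_bps)
    syn = syn_scan_rate(link_bps)
    return {
        "tcp_connect_scans_per_s": tcp,
        "udp_scans_per_s": udp,
        "syn_scans_per_s": syn,
        "code_red_doubling_s": early_doubling_time(tcp, 360_000),
        "slammer_doubling_s": early_doubling_time(udp, 75_000),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26s} {value:12.1f}")
```

Under these assumptions a 99-thread connect() worm manages under five scans per second, while one UDP packet per target on a 100 Mbit/s link gives about 28,000 scans per second, matching the slide's "up to 30,000 copies per second"; the idealized 1.4-second doubling time it yields for Slammer is shorter than the observed 8.5 seconds because not every infected host had that much uplink and the model ignores congestion.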

    Blaster and Welchia/Nachi

q   August 11, 2003: Scanning worm exploiting the RPC service
    in Microsoft Windows XP and 2000
    q   First address chosen at random, then a sequential upward scan
         q   Easy to detect, yet it propagated widely and leaped firewalls
q   Payload: denial of service against MS Windows Update +
    installing a remotely accessible backdoor
q   Welchia/Nachi was intended as a counter-worm
    q   Random-start sequential scan; uses ICMP to determine whether an address
        is live, then copies itself over, patches the RPC vulnerability and
        removes Blaster if found
    q   Did more damage by flooding networks with its ICMP scan traffic
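Added example, not from the lecture: the kind of detector a network operator could run over flow records to catch the sequential sweeps this slide calls "easy to detect". The log lines are constructed (addresses, service labels and the run-length threshold are assumptions; Blaster's RPC service is labelled tcp/135 here), with a Blaster-style TCP sweep, a Welchia-style ICMP echo sweep, a random-address scanner and some ordinary traffic mixed in.

```python
import ipaddress
import random
from collections import defaultdict


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def int_ip(n):
    return str(ipaddress.IPv4Address(n))


def constructed_log(seed=3):
    """Constructed flow records (not captured traffic), one per line:
    'seq src dst service flag'.  One host sweeps tcp/135 upward from a
    random start (Blaster's pattern), one sweeps ICMP echo the same way
    (Welchia's pattern), one probes tcp/135 at random addresses, and one
    generates ordinary repeated traffic to a couple of web servers."""
    rng = random.Random(seed)
    lines = []

    def emit(src, dst, service, flag):
        lines.append(f"{len(lines):05d} {src} {dst} {service} {flag}")

    start = ip_int("10.20.3.250")               # sweep crosses a /24 boundary
    for i in range(40):
        emit("10.8.0.17", int_ip(start + i), "tcp/135", "S")
        if i % 4 == 0:                          # interleave benign traffic
            emit("10.8.0.5", "10.20.3.10", "tcp/80", "S")
            emit("10.8.0.5", "10.20.3.11", "tcp/80", "S")
            emit("10.8.0.5", "10.20.3.10", "tcp/80", "S")
    start = ip_int("172.16.9.1")
    for i in range(25):
        emit("10.8.0.99", int_ip(start + i), "icmp/echo", "req")
    for _ in range(40):                          # random-address scanner
        emit("10.8.0.7", int_ip(rng.getrandbits(32)), "tcp/135", "S")
    return lines


def longest_sequential_run(dsts):
    """Longest run of consecutive addresses in order of appearance; an
    immediate repeat of the same address neither extends nor breaks a run."""
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        if cur == prev + 1:
            run += 1
            best = max(best, run)
        elif cur != prev:
            run = 1
    return best


def detect_sequential_scanners(lines, min_run=16):
    """Group records by (source, service) and flag sources whose destination
    addresses form a long run of consecutive values.  min_run is a tuning
    assumption: short runs (a few adjacent servers) are normal."""
    by_source = defaultdict(list)
    for line in lines:
        _seq, src, dst, service, _flag = line.split()
        by_source[(src, service)].append(ip_int(dst))
    alerts = []
    for (src, service), dsts in by_source.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            alerts.append({"src": src, "service": service, "run": run,
                           "first": int_ip(min(dsts)), "distinct": len(set(dsts))})
    return sorted(alerts, key=lambda a: -a["run"])


if __name__ == "__main__":
    for alert in detect_sequential_scanners(constructed_log()):
        print(alert)
```

Both sweepers are flagged with their full run length and starting address, while the benign host's short back-and-forth to two adjacent servers stays under the threshold. The random-address scanner is not caught, which is the point of the slide: a sequential sweep is trivially recognisable, whereas a random scanner needs a different signal (fan-out to many distinct destinations with few replies).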

                     Search Worms
                                                            [Provos et al.]
q   Generate search query
    q   Search for version numbers of vulnerable software to find
        exploitable targets
    q   Search for popular domains to harvest email addresses
q   Analyze search results
    q   Remove duplicates and URLs belonging to the search engine itself
q   Infect identified targets
    q   Reformat URLs to include the exploit
         q   For example, append exploit code in place of a username parameter
    q   The exploit code downloads the actual infection, joins the infected
        machine to a botnet, etc.

                           MyDoom
                                                        [Provos et al.]
q   Spreads by email
q   MyDoom: searches the local hard drive for email addresses
q   MyDoom.O: uses Web search engines to harvest addresses
    q   Queries split between Google (45%), Lycos (22.5%), Yahoo (20%)
        and Altavista (12.5%)

[Figure: Google’s view of MyDoom.O. Number of IP addresses generating worm
queries over time (60,000 hosts infected in 8 hours); peak scan rate of
30,000 queries per second; the number of served queries drops as Google’s
anomaly detection kicks in]
                           Santy Worm
                                                        [Provos et al.]
q   Written in Perl, exploits a bug in the phpBB bulletin board
    system (prior to version 2.0.11)
    q   Allows injection of arbitrary code into the Web server running phpBB
q   Uses Google to find sites running phpBB
q   Once injected, downloads the actual worm code from a central
    site, asks Google for more targets and connects the infected
    machine to an IRC botnet
q   Multiple variants of the same worm
    q   Polymorphism: the actual Perl code changes from infection to
        infection, so filtering worm traffic is difficult!

    Evading Anomaly Detection
                                                 [Provos et al.]
q   Google refuses queries it recognizes as worm-generated
q   Different Santy variants generate different search terms or
    take them from an IRC botmaster

q   Google’s solution: if an IP address generates a lot of
    “rare” queries, ask it to solve a CAPTCHA

            Index-Based Filtering
                                                      [Provos et al.]
q   Idea: if a worm relies on search results to spread, don’t
    provide vulnerable targets in the search results
q   During the crawl phase, tag all pages that seem to contain
    vulnerable software or sensitive information such as email addresses
    q   Can’t drop them from the index because they may contain
        information useful to legitimate searchers
q   Do not return the results of a query if they contain (a) pages
    from many hosts, and (b) a high percentage of those hosts are
    tagged as vulnerable
    q   What are the limitations of this approach?
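Added example (neither Google's code nor code from Provos et al.) implementing the two server-side defenses described on the "Evading Anomaly Detection" and "Index-Based Filtering" slides: a per-IP sliding-window counter of rare queries that hands out a CAPTCHA, and index-based filtering that withholds a result set spanning many hosts when most of those hosts are tagged vulnerable. The corpus query frequencies, thresholds, hostnames and tag assignments are constructed.

```python
from collections import defaultdict, deque


class RareQueryLimiter:
    """Per-IP sliding-window counter of 'rare' queries.  A query is rare when
    the corpus has seen it fewer than rare_below times; once one address has
    sent more than max_rare rare queries within window_s seconds the caller
    should answer with a CAPTCHA instead of results.  All thresholds are
    assumptions for illustration."""

    def __init__(self, query_freq, rare_below=100, window_s=60.0, max_rare=20):
        self.query_freq = query_freq
        self.rare_below = rare_below
        self.window_s = window_s
        self.max_rare = max_rare
        self.recent = defaultdict(deque)      # ip -> times of its rare queries

    def check(self, ip, query, now):
        """Returns 'ok' or 'captcha' for this request."""
        if self.query_freq.get(query.lower(), 0) >= self.rare_below:
            return "ok"                        # popular query: never counted
        times = self.recent[ip]
        times.append(now)
        while times and now - times[0] > self.window_s:
            times.popleft()
        return "captcha" if len(times) > self.max_rare else "ok"


def first_challenge(limiter, ip, queries, interval_s=1.0):
    """Index of the first query that gets a CAPTCHA, or None."""
    for i, query in enumerate(queries):
        if limiter.check(ip, query, now=i * interval_s) == "captcha":
            return i
    return None


def index_filter(results, min_hosts=5, max_tagged_fraction=0.5):
    """Index-based filtering from the slide.  results: (url, host, tagged)
    triples, where tagged was set at crawl time for pages that look like
    vulnerable software or expose addresses.  The result set is withheld
    when (a) it spans at least min_hosts distinct hosts and (b) at least
    max_tagged_fraction of those hosts are tagged; otherwise it is served
    unchanged (tagged pages stay in the index for ordinary searches)."""
    hosts = {host for _, host, _ in results}
    tagged_hosts = {host for _, host, tagged in results if tagged}
    if len(hosts) >= min_hosts and len(tagged_hosts) / len(hosts) >= max_tagged_fraction:
        return []
    return results


# Constructed corpus frequencies and index entries (illustrative, not real).
CORPUS_FREQ = {"weather": 52_000, "news": 48_000, "phpbb": 900}
WORM_QUERIES = [f'"powered by phpbb" inurl:viewtopic.php {n}' for n in range(30)]
HUMAN_QUERIES = ["weather", "phpbb", "news", "phpbb download", "weather"] * 6

PHPBB_RESULTS = [(f"http://forum{i}.example/viewtopic.php", f"forum{i}.example", i < 6)
                 for i in range(8)]                       # 6 of 8 hosts tagged
MIXED_RESULTS = [(f"http://site{i}.example/about", f"site{i}.example", i == 0)
                 for i in range(8)]                       # 1 of 8 hosts tagged


def demo():
    limiter = RareQueryLimiter(CORPUS_FREQ)
    return {
        "worm_challenged_at": first_challenge(limiter, "198.51.100.7", WORM_QUERIES),
        "human_challenged_at": first_challenge(limiter, "203.0.113.9", HUMAN_QUERIES),
        "phpbb_served": len(index_filter(PHPBB_RESULTS)),
        "mixed_served": len(index_filter(MIXED_RESULTS)),
    }


if __name__ == "__main__":
    print(demo())
```

The worm address is challenged on its 21st rare query while the human, whose rare queries are few and spread out, never is; the phpBB result set (6 of 8 hosts tagged) is withheld and the mixed set is served. The same run shows the limitations the slide asks about: a worm that spreads its queries across many bots or rotates its terms (as the Santy variants did) stays under a per-IP threshold, and index filtering only bites when tagged hosts dominate a result set.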

                             Witty Worm
q   March 19, 2004: exploited a buffer overflow in
    ISS (Internet Security Systems) firewall products
q   Infected 12,000 machines in 45 minutes

Figures from “The Spread of the Witty Worm”, CAIDA

                        Witty Worm
q   First widely propagated worm with a destructive payload
    q   Corrupted the hard disk
q   Seeded with more ground-zero hosts
    q   110 infected machines in the first 10 seconds
q   Shortest interval between vulnerability disclosure and worm
    q   1 day
q   Demonstrated that worms are effective against a niche population too
q   Security devices can open doors to attacks
    q   Other examples: anti-virus software, IDS
    q   Installing security software does not by itself make a system more secure

    Storm Worm / Peacomm (2007)
q   Spreads by cleverly designed spam campaign
    q   Arrives as an email with catchy subject
         q   First instance: “230 dead as storm batters Europe”
         q   Other examples: “Condoleeza Rice has kicked German Chancellor”,
             “Radical Muslim drinking enemies’s blood”, “Saddam Hussein alive!”,
             “Fidel Castro dead”, etc.
q   Attachment or URL with a malicious payload
    q   FullVideo.exe, MoreHere.exe, ReadMore.exe, etc.
    q   Also masquerades as Flash postcards
q   Once opened, installs a Trojan (wincom32) and a rootkit

    Storm Worm Characteristics
                                                       [Porras et al.]
q   Infected machine joins a botnet
    q   Between 1 and 5 million machines infected (Sep. 2007)
q   Obfuscated peer-to-peer control structure
    q   Unlike Agobot, which uses a simple IRC control channel
    q   Interacts with peers via the eDonkey protocol
q   Obfuscated code, anti-debugging defenses
    q   Goes into an infinite loop if it detects VMware or Virtual PC
    q   A large number of spurious probes (evidence of external analysis)
        triggers a distributed DoS attack

         Storm Worm Outbreaks
q   The spambot binary is used to spread new infections in
    subsequent campaigns
    q   Looks for email addresses and mailing lists in the files on the
        infected machines

