CAP6135: Malware and Software Vulnerability Analysis

Worms
Cliff Zou
Spring 2012
Acknowledgement

- This lecture uses some contents from the lecture notes from:
  - Dr. Vitaly Shmatikov, CS 378 - Network Security and Privacy
Viruses vs. Worms

VIRUS
- Propagates by infecting other programs
- Usually inserted into host code (not a standalone program)

WORM
- Propagates automatically by copying itself to target systems
- Is a standalone program

Sometimes it is hard to distinguish a virus from a worm.
Morris Worm

- 1988: No malicious payload, but bogged down infected machines by uncontrolled spawning
  - Infected 10% of all Internet hosts at the time
- Multiple propagation vectors
  - Remote execution using rsh and cracked passwords
    - Tried to crack passwords using a small dictionary and the publicly readable password file; targeted hosts from /etc/hosts.equiv
  - Buffer overflow in fingerd on VAX
    - Standard stack smashing exploit
  - DEBUG command in Sendmail
    - In early Sendmail versions, possible to execute a command on a remote machine by sending an SMTP (mail transfer) message

[Figure labels: “Dictionary attack”, “Buffer overflow attack”]
Worm propagation process

- Find new targets
  - IP random scanning
- Compromise targets
  - Exploit vulnerability
  - Trick users into running malicious code (spam)
- Newly infected hosts join the infection army
Worm research motivation

- Code Red (Jul. 2001): 360,000 infected in 14 hours
- Slammer (Jan. 2003): 75,000 infected in 10 minutes
  - Congested parts of the Internet (ATMs down…)
- Blaster (Aug. 2003): 150,000 ~ 8 million infected
  - DDoS attack (shut down domain windowsupdate.com)
- Witty (Mar. 2004): 12,000 infected in half an hour
  - Attacked a vulnerability in ISS security products
- Sasser (May 2004): 500,000 infected within two days
- Storm (Jan 2007): infected 1 to 5 million computers
How do worms propagate?

- Scanning worms
  - Worm chooses “random” address
- Coordinated scanning
  - Different worm instances scan different addresses
- Flash worms
  - Assemble tree of vulnerable hosts in advance, propagate along tree
- Meta-server worm
  - Ask server for hosts to infect (e.g., Google for “powered by phpbb”)
- Topological worm
  - Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)
- Contagion worm
  - Propagate parasitically along with normally initiated communication
Summer of 2001
[from “How to 0wn the Internet in Your Spare Time”]

[Figure: three major worm outbreaks]
Code Red I

- July 13, 2001: First worm of the modern era
- Exploited buffer overflow in Microsoft’s Internet Information Server (IIS)
- 1st through 20th of each month: spread
  - Find new targets by random scan of IP address space
    - Spawn 99 threads to generate addresses and look for IIS
  - Creator forgot to seed the random number generator, and every copy scanned the same set of addresses :-)
- 21st through the end of each month: attack
  - Deface websites with “HELLO! Welcome to http://www.worm.com! Hacked by Chinese!”
Exception Handling In IIS
[See Chien and Szor, “Blended Attacks…”]

- Overflow in a rarely used URL decoding routine
  - A malformed URL is supplied to the vulnerable routine…
  - … another routine notices that the stack has been smashed and raises an exception. The exception handler is invoked…
  - … the pointer to the exception handler is located on the stack. It has been overwritten to point to a certain instruction inside the routine that noticed the overflow…
  - … that instruction is CALL EBX. At that moment, EBX is pointing into the overwritten buffer…
  - … the buffer contains the code that finds the worm’s main body on the heap and executes it!
Code Red I v2

- July 19, 2001: Same codebase as Code Red I, but fixed the bug in random IP address generation
  - Compromised all vulnerable IIS servers on the Internet
  - Large vulnerable population meant fast worm spread
    - Scanned address space grew exponentially
    - 350,000 hosts infected in 14 hours!!
- Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov
  - Attack was on a fixed IP, so it was avoided.
- Still alive in the wild!
Code Red Code

- HTTP request sent by the worm:

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNN
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
    HTTP/1.0

- Detailed analysis at:
  http://research.eeye.com/html/advisories/published/AL20010717.html
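The request above has a recognisable shape in a web server's access log: a hit on the `.ida` ISAPI handler with a long run of one filler byte followed by `%u`-encoded machine code. The following detector is an added example, not code from the slides or from eEye; the log lines are constructed, the filler length of 224 and the threshold of 100 filler bytes are our own choices, and the log format assumed is the common log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample web-server log lines (not from the original slides).
# The second line reproduces the shape of the Code Red I request shown
# above: /default.ida? followed by a long run of 'N' filler bytes and a
# sequence of %uXXXX escapes; the N count (224) is our own choice.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.9 - - [19/Jul/2001:10:00:02 +0000] "GET /default.ida?' + 'N' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3 HTTP/1.0" 200 0',
    '10.0.0.7 - - [19/Jul/2001:10:00:03 +0000] "GET /default.ida HTTP/1.0" 404 512',
]

# Common-log-format request field: "METHOD PATH HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"')

# Shape of the overflow request: .ida extension, a long run of one filler
# byte, then %u-encoded code. The thresholds (at least 100 filler bytes, at
# least one escape) are heuristics chosen here, not values from the slide.
CODE_RED_RE = re.compile(
    r'^/default\.ida\?(?P<fill>N{100,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)')


def parse_request(line: str) -> Optional[Dict[str, str]]:
    """Extract method, path and protocol from one log line, or None if unparseable."""
    m = REQUEST_RE.search(line)
    return m.groupdict() if m else None


def classify(line: str) -> Dict[str, object]:
    """Label a log line: full overflow shape, bare .ida probe, or benign."""
    req = parse_request(line)
    if req is None:
        return {"suspicious": False, "reason": "unparseable"}
    m = CODE_RED_RE.match(req["path"])
    if m:
        return {
            "suspicious": True,
            "reason": "code-red-shape",
            "filler_len": len(m.group("fill")),
            "unicode_escapes": m.group("payload").count("%u"),
        }
    # Any hit on the .ida handler is unusual on a server that does not use it.
    if req["path"].split("?", 1)[0].endswith(".ida"):
        return {"suspicious": True, "reason": "ida-probe"}
    return {"suspicious": False, "reason": "benign"}


def suspicious_lines(lines: List[str]) -> List[int]:
    """Indexes of log lines worth an analyst's attention."""
    return [i for i, line in enumerate(lines) if classify(line)["suspicious"]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG):
        print(i, classify(line))
```

The two-level labelling is deliberate: the full request shape is a high-confidence match, while a bare `.ida` probe is only a hint that a scanner is looking for the handler, so the two deserve different alerting priorities.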
Simple worm propagation model

- address space, size W
- N: total vulnerable
- I_t: infected by time t
  - N - I_t vulnerable at time t
- scan rate (per host), h

[Figure labels: “Prob. of a scan hitting vulnerable”, “# of increased infected in a unit time”]

Simple worm propagation: Theory

Classic epidemic model
- N: total number of vulnerable hosts
- I(t): number of infected hosts at time t
- S(t): number of susceptible hosts at time t
- I(t) + S(t) = N
- b: infection rate

Differential equation for I(t):

    dI/dt = b I(t) S(t)

More accurate models adjust propagation rate over time.

Source: Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. “The Monitoring and Early Detection of Internet Worms”, IEEE/ACM Transactions on Networking, 2005.
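The following is an added worked example of the two slides above, not code from the lecture or from the cited paper. It carries the figure's two labels through to the epidemic equation: a uniformly random scan hits a still-vulnerable host with probability (N - I_t)/W, so h scans per infected host per unit time yield h I_t (N - I_t)/W new infections, which is the epidemic form dI/dt = b I S with b = h/W. It then integrates that equation numerically, compares with the closed-form logistic solution, and derives the early doubling time. The address-space size 2^32, the scan rate of 10 per second and the single initial infection are our assumptions; 360,000 is the Code Red host count quoted earlier in the deck.

```python
import math
from typing import List, Tuple

# Constructed parameters (our assumptions, not values from the slides, except
# that 360,000 matches the Code Red figure quoted earlier): a 32-bit address
# space, 10 scans per second per infected host, one initial infection.
W = 2 ** 32
N = 360_000
H = 10.0
I0 = 1.0


def hit_probability(n_vulnerable: int, infected: float, space: int = W) -> float:
    """Chance that one uniformly random scan lands on a still-vulnerable host: (N - I_t) / W."""
    return (n_vulnerable - infected) / space


def new_infections_per_unit_time(h: float, infected: float, n_vulnerable: int,
                                 space: int = W) -> float:
    """Expected growth in one time unit: h scans per infected host, each hitting
    with the probability above."""
    return h * infected * hit_probability(n_vulnerable, infected, space)


def infection_rate(h: float, space: int = W) -> float:
    """Matching the epidemic form dI/dt = b I (N - I) gives b = h / W."""
    return h / space


def simulate(n_vulnerable: int, h: float, i0: float, t_end: float,
             space: int = W, dt: float = 1.0) -> List[Tuple[float, float]]:
    """Forward-Euler integration of dI/dt = h I (N - I) / W; returns (t, I) samples."""
    infected, t = float(i0), 0.0
    samples = [(t, infected)]
    while t < t_end:
        growth = new_infections_per_unit_time(h, infected, n_vulnerable, space) * dt
        infected = min(float(n_vulnerable), infected + growth)
        t += dt
        samples.append((t, infected))
    return samples


def closed_form(n_vulnerable: int, b: float, i0: float, t: float) -> float:
    """Logistic solution of dI/dt = b I (N - I): I(t) = N / (1 + (N/I0 - 1) exp(-bNt))."""
    return n_vulnerable / (1.0 + (n_vulnerable / i0 - 1.0) * math.exp(-b * n_vulnerable * t))


def doubling_time(n_vulnerable: int, b: float) -> float:
    """While I << N the growth is exponential with rate bN, so I doubles every ln2 / (bN)."""
    return math.log(2.0) / (b * n_vulnerable)


def time_to_fraction(n_vulnerable: int, b: float, i0: float, frac: float) -> float:
    """Invert the logistic curve: time until I(t) = frac * N."""
    a = n_vulnerable / i0 - 1.0
    return math.log(a / (1.0 / frac - 1.0)) / (b * n_vulnerable)


if __name__ == "__main__":
    b = infection_rate(H)
    print("b = h/W =", b)
    print("early doubling time (s):", doubling_time(N, b))
    print("time to infect half of N (s):", time_to_fraction(N, b, I0, 0.5))
    for t, i in simulate(N, H, I0, 20000.0)[::5000]:
        print(f"t={t:8.0f}s  Euler I={i:10.1f}  logistic I={closed_form(N, b, I0, t):10.1f}")
```

The early doubling time ln2/(bN) = ln2 · W/(hN) is the quantity that makes the scan rate matter so much: with the constructed parameters it is about 14 minutes, and every doubling of h halves it, which is the arithmetic behind the Code Red versus Slammer comparison later in the deck.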
Code Red II

- August 4, 2001: Same IIS vulnerability, completely different code, kills Code Red I
  - Known as “Code Red II” because of a comment in the code
  - Worked only on Windows 2000, crashed NT
- Scanning algorithm preferred nearby addresses
  - Chose addresses from the same class A with probability 1/2, the same class B with probability 3/8, and randomly from the entire Internet with probability 1/8
- Payload: installed root backdoor in IIS servers for unrestricted remote access
- Died by design on October 1, 2001
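Local-preference scanning leaves a measurable fingerprint: a uniformly random scanner shares its own /8 with only about 1/256 of its targets, whereas the mixture on the slide shares a /8 with roughly 7/8 of them. The code below is an added example, not the worm's code or anything from the slides: it simulates the stated mixture purely to produce sample data, then profiles a scanner's destinations the way a telescope or flow-log analysis would, and recovers the mixture weights from the observed fractions. The source address and sample size are constructed.

```python
import random
from typing import Dict, Iterable

# Mixture weights taken from the slide: same /8 ("class A") with probability
# 1/2, same /16 ("class B") with probability 3/8, whole Internet with 1/8.
P_SAME_A = 0.5
P_SAME_B = 0.375


def sample_target(src: int, rng: random.Random) -> int:
    """Draw one destination under the local-preference mixture (simulation only,
    used here to generate sample data for the profiler below)."""
    r = rng.random()
    if r < P_SAME_A:
        return (src & 0xFF000000) | rng.getrandbits(24)
    if r < P_SAME_A + P_SAME_B:
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    return rng.getrandbits(32)


def sample_uniform(rng: random.Random) -> int:
    """Destination of a uniformly random scanner, for comparison."""
    return rng.getrandbits(32)


def locality_profile(src: int, targets: Iterable[int]) -> Dict[str, float]:
    """Fraction of a scanner's destinations sharing its /8 and its /16 prefix."""
    same_a = same_b = total = 0
    for t in targets:
        total += 1
        if (t >> 24) == (src >> 24):
            same_a += 1
            if (t >> 16) == (src >> 16):
                same_b += 1
    return {"same_slash8": same_a / total, "same_slash16": same_b / total}


def estimate_mixture(profile: Dict[str, float]) -> Dict[str, float]:
    """Recover approximate weights from the observed fractions f8 and f16:
    p_B ~ f16, p_A ~ f8 - f16, p_global ~ 1 - f8 (ignoring the ~1/256 of
    global or class-A picks that land in the local prefix by chance)."""
    f8, f16 = profile["same_slash8"], profile["same_slash16"]
    return {"same_a": f8 - f16, "same_b": f16, "global": 1.0 - f8}


def is_local_preference(profile: Dict[str, float], threshold: float = 0.1) -> bool:
    """A uniform scanner shares its /8 with ~0.4% of targets; far above that
    indicates local preference. The 10% threshold is our own choice."""
    return profile["same_slash8"] > threshold


if __name__ == "__main__":
    rng = random.Random(7)
    src = 0x0A141E28  # constructed source address 10.20.30.40
    local = locality_profile(src, (sample_target(src, rng) for _ in range(20000)))
    uniform = locality_profile(src, (sample_uniform(rng) for _ in range(20000)))
    print("local-preference scanner:", local, estimate_mixture(local))
    print("uniform scanner:         ", uniform, is_local_preference(uniform))
```

The practical consequence for monitoring is that a local-preference worm is seen unevenly: a network telescope far from infected /8s observes only the 1/8 global share of scans, so per-source counts understate the worm's true scan rate unless the mixture is estimated and corrected for.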
Nimda

- September 18, 2001: Multi-modal worm using several propagation vectors
  - Exploit same IIS buffer overflow as Code Red I and II
  - Bulk-email itself as an attachment to email addresses harvested from infected machines
  - Copy itself across open network shares
  - Add exploit code to Web pages on compromised sites to infect visiting browsers
  - Scan for backdoors left by Code Red II
- Payload: turned-off code deleting all data on hard drives of infected machines
Signature-Based Defenses Don’t Help

- Nimda leaped firewalls!
- Many firewalls pass mail untouched, relying on mail servers to filter out infections
  - Most filters simply scan attachments for signatures (code snippets) of known viruses and worms
- Nimda was a brand-new infection with unknown signature, and scanners could not detect it
- Big challenge: detection of zero-day attacks
  - When a worm first appears in the wild, signature is not extracted until minutes or hours later
Code Red I and II (due to Vern Paxson)

[Figure: infection activity over time. Annotations: “Code Red II dies off as programmed”; “With its predator gone, Code Red I comes back, still exhibiting monthly pattern”]
Slammer (Sapphire) Worm

- January 24/25, 2003: UDP worm exploiting buffer overflow in Microsoft’s SQL Server
  - Overflow was already known and patched by Microsoft… but not everybody installed the patch
- Entire code fits into a single 404-byte UDP packet
  - Worm binary followed by overflow pointer back to itself
- Classic buffer overflow combined with random scanning: once control is passed to worm code, it randomly generates IP addresses and attempts to send a copy of itself to port 1434
  - MS-SQL listens at port 1434
Slammer Propagation

- Scan rate of 55,000,000 addresses per second
  - Scan rate = rate at which worm generates IP addresses of potential targets
  - Up to 30,000 single-packet worm copies per second
- Initial infection was doubling in 8.5 seconds (!!)
  - Doubling time of Code Red was 37 minutes
- Worm-generated packets saturated carrying capacity of the Internet in 10 minutes
  - 75,000 SQL servers compromised
  - And that’s in spite of the broken pseudo-random number generator used for IP address generation
05:29:00 UTC, January 25, 2003
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

[Figure: geographic spread of infected machines]

30 Minutes Later
[from Moore et al. “The Spread of the Sapphire/Slammer Worm”]

[Figure: geographic spread of infected machines. Size of circles is logarithmic in the number of infected machines]
Slammer Impact

- $1.25 Billion of damage
- Temporarily knocked out many elements of critical infrastructure
  - Bank of America ATM network
  - Entire cell phone network in South Korea
  - Five root DNS servers
  - Continental Airlines’ ticket processing software
- The worm did not even have a malicious payload… simply bandwidth exhaustion on the network and resource exhaustion on infected machines
Secret of Slammer’s Speed

- Old-style worms (Code Red) spawn a new thread which tries to establish a TCP connection and, if successful, sends a copy of itself over TCP
  - Limited by latency of the network
  - Majority of TCP connection requests will fail
    - Each failed IP scan will take 21 seconds to finish (Windows, 3 tries)
- Slammer was a connectionless UDP worm
  - No connection establishment, simply send a 404-byte UDP packet to randomly generated IP addresses
  - Limited only by bandwidth of the network
- A TCP worm can scan even faster
  - Dump zillions of 40-byte TCP-SYN packets into the link layer, send worm copy only if a SYN-ACK comes back
Blaster and Welchia/Nachia

- August 11, 2003: Scanning worm exploiting RPC service in Microsoft Windows XP and 2000
  - First address at random, then sequential upward scan
    - Easy to detect, yet propagated widely and leaped firewalls
- Payload: denial of service against MS Windows Update + installing remotely accessible backdoor
- Welchia/Nachia was intended as a counter-worm
  - Random-start sequential scan, use ICMP to determine if address is live, then copy itself over, patch RPC vulnerability, remove Blaster if found
  - Did more damage by flooding networks with traffic
Search Worms
[Provos et al.]

- Generate search query
  - Search for version numbers of vulnerable software to find exploitable targets
  - Search for popular domains to harvest email addresses
- Analyze search results
  - Remove duplicates, URLs belonging to search engine
- Infect identified targets
  - Reformat URLs to include the exploit
    - For example, append exploit code instead of username
  - Exploit code downloads the actual infection, joins the infected machine to a botnet, etc.
MyDoom
[Provos et al.]

- Spreads by email
- MyDoom: searches local hard drive for addresses
- MyDoom.O: uses Web search engines
  - Queries split between Google (45%), Lycos (22.5%), Yahoo (20%) and Altavista (12.5%)

[Figure: Google’s view of MyDoom. Number of IP addresses generating queries (60,000 hosts infected in 8 hours); peak scan rate: 30,000 queries per second; number of served queries drops as Google’s anomaly detection kicks in]
Santy
[Provos et al.]

- Written in Perl, exploits a bug in phpBB bulletin board system (prior to version 2.0.11)
  - Allows injection of arbitrary code into Web server running phpBB
- Uses Google to find sites running phpBB
- Once injected, downloads actual worm code from a central site, asks Google for more targets and connects infected machine to an IRC botnet
- Multiple variants of the same worm
  - Polymorphism: actual Perl code changes from infection to infection, so filtering worm traffic is difficult!
Evading Anomaly Detection
[Provos et al.]

- Google will refuse worm-generated queries
- Different Santy variants generate different search terms or take them from an IRC botmaster
- Google’s solution: if an IP address generates a lot of “rare” queries, ask it to solve a CAPTCHA
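The CAPTCHA rule on this slide needs two decisions that the slide leaves open: what makes a query “rare”, and how many rare queries in how long a window trigger the challenge. The following is an added example of one way to make both concrete; it is not Google's implementation or anything from Provos et al. Rarity is taken to mean that few distinct clients have ever issued the query (a worm's generated or botmaster-supplied terms are unique to it, while humans repeat popular searches), and the per-client count runs over a sliding time window. The query log, addresses, window of 60 seconds and threshold of 10 are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed search-engine query log as (timestamp_seconds, client_ip, query).
# Three ordinary clients repeat a few popular queries (one of them also makes a
# single unusual query); one client (203.0.113.7) issues a stream of distinct
# "powered by phpbb" queries at 5-second intervals. Everything here is made up.
POPULAR = ["weather", "news", "sports"]
SAMPLE_LOG: List[Tuple[int, str, str]] = []
for n, client in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
    for k, q in enumerate(POPULAR):
        SAMPLE_LOG.append((n * 20 + k, client, q))
SAMPLE_LOG.append((7, "198.51.100.2", "my one unusual query"))
for k in range(12):
    SAMPLE_LOG.append((5 * k, "203.0.113.7", f'"powered by phpbb" site{k:02d}'))


def rare_queries(log: List[Tuple[int, str, str]], max_distinct_ips: int = 2) -> Dict[str, bool]:
    """A query is 'rare' when at most max_distinct_ips distinct clients have issued it."""
    ips_per_query = defaultdict(set)
    for _, ip, q in log:
        ips_per_query[q].add(ip)
    return {q: len(ips) <= max_distinct_ips for q, ips in ips_per_query.items()}


def clients_to_challenge(log: List[Tuple[int, str, str]], window: int = 60,
                         threshold: int = 10, max_distinct_ips: int = 2) -> Dict[str, int]:
    """Return {ip: timestamp} for clients that issued at least `threshold` rare
    queries inside some `window`-second span; the timestamp is the moment the
    CAPTCHA challenge would be presented."""
    rare = rare_queries(log, max_distinct_ips)
    stamps_by_ip = defaultdict(list)
    for ts, ip, q in sorted(log):
        if rare[q]:
            stamps_by_ip[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, stamps in stamps_by_ip.items():
        start = 0  # left edge of the sliding window over this client's rare queries
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts
                break
    return flagged


if __name__ == "__main__":
    print(clients_to_challenge(SAMPLE_LOG))
```

Computing rarity over the whole log is the simplification here; a production system would maintain query popularity incrementally, and the botmaster-supplied terms mentioned on the slide are exactly the case where a variant can borrow popular terms to stay below the rarity threshold, which is what motivates the index-based filtering on the next slide.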
Index-Based Filtering
[Provos et al.]

- Idea: if worm relies on search results to spread, don’t provide vulnerable targets in search results
- During crawl phase, tag all pages that seem to contain vulnerable software or sensitive information such as email addresses
  - Can’t drop them from the index because they may contain information useful to legitimate searchers
- Do not return the result of a query if it contains (a) pages from many hosts, and (b) high percentage of them are tagged as vulnerable
  - What are the limitations of this approach?
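An added example of the two halves of this slide, not code from Provos et al. or from any search engine: a crawl-time tagger that marks pages advertising a pre-2.0.11 phpBB banner (the version from the Santy slide) or exposing e-mail addresses, and a query-time rule that withholds a result set only when it spans many hosts and most hits are tagged. The banner format “Powered by phpBB x.y.z”, the e-mail pattern, the thresholds (5 hosts, 50% tagged) and the index entries are all assumptions constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Crawl-time tagging. The phpBB version threshold (2.0.11) is from the Santy
# slide; the banner format and the e-mail regex are our assumptions.
PHPBB_BANNER = re.compile(r"Powered by phpBB\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FIXED_PHPBB = (2, 0, 11)


def tag_page(html: str) -> bool:
    """True when the page advertises a phpBB version older than the fix or exposes e-mail addresses."""
    m = PHPBB_BANNER.search(html)
    if m and tuple(int(x) for x in m.groups()) < FIXED_PHPBB:
        return True
    return EMAIL.search(html) is not None


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def should_suppress(results: List[Dict[str, object]], min_hosts: int = 5,
                    max_tagged_fraction: float = 0.5) -> bool:
    """Withhold a result set only when BOTH conditions on the slide hold:
    (a) the hits come from at least min_hosts distinct hosts, and
    (b) more than max_tagged_fraction of them were tagged at crawl time."""
    if not results:
        return False
    hosts = {host_of(str(r["url"])) for r in results}
    if len(hosts) < min_hosts:
        return False
    tagged = sum(1 for r in results if r["tagged"])
    return tagged / len(results) > max_tagged_fraction


def serve(results: List[Dict[str, object]], **thresholds) -> List[Dict[str, object]]:
    """What the engine returns: nothing for a worm-shaped query, the hits otherwise."""
    return [] if should_suppress(results, **thresholds) else results


# Constructed index entries (url, crawl-time tag). WORMLIKE is what a
# "powered by phpbb"-style query might return: many hosts, mostly tagged.
WORMLIKE = [{"url": f"http://forum{i}.example/index.php", "tagged": i % 4 != 0} for i in range(8)]
ORDINARY = [{"url": f"http://site{i}.example/", "tagged": i == 0} for i in range(8)]
FEW_HOSTS = [{"url": f"http://one.example/page{i}", "tagged": True} for i in range(6)]

if __name__ == "__main__":
    for name, rs in [("wormlike", WORMLIKE), ("ordinary", ORDINARY), ("few hosts", FEW_HOSTS)]:
        print(name, "suppressed" if should_suppress(rs) else "served")
```

Requiring both conditions is what keeps a single site's own pages searchable: a query whose matches all sit on one host never trips the many-hosts test, even if every page is tagged. The same property shows where the rule is weakest: a query narrow enough to match only a handful of hosts at a time passes through, so the thresholds trade worm coverage against collateral suppression of legitimate multi-host results.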
Witty Worm

- March 19, 2004, exploiting buffer overflow in firewall (ISS) products
- Infected 12,000 machines in 45 mins

[Figures from “The Spread of the Witty Worm”, CAIDA]
Witty Worm

- First widely propagated worm with destructive payload
  - Corrupted hard disk
- Seeded with more ground-zero hosts
  - 110 infected machines in first 10 seconds
- Shortest interval between vulnerability disclosure & worm release
  - 1 day
- Demonstrates that worms are effective for niche targets too
- Security devices can open doors to attacks
  - Other examples: Anti-virus software, IDS
  - Installing security software does not mean more secure
Storm Worm / Peacomm (2007)

- Spreads by cleverly designed spam campaign
  - Arrives as an email with catchy subject
    - First instance: “230 dead as storm batters Europe”
    - Other examples: “Condoleeza Rice has kicked German Chancellor”, “Radical Muslim drinking enemies’s blood”, “Saddam Hussein alive!”, “Fidel Castro dead”, etc.
- Attachment or URL with malicious payload
  - FullVideo.exe, MoreHere.exe, ReadMore.exe, etc.
  - Also masquerades as flash postcards
- Once opened, installs Trojan (wincom32) & rootkit
Storm Worm Characteristics
[Porras et al.]

- Infected machine joins botnet
  - Between 1 and 5 million machines infected (Sep 2007)
- Obfuscated peer-to-peer control structure
  - Not like Agobot, which uses simple IRC control channel
  - Interacts with peers via eDonkey protocol
- Obfuscated code, anti-debugging defenses
  - Goes into infinite loop if it detects VMware or Virtual PC
  - Large number of spurious probes (evidence of external analysis) triggers distributed DoS attack
Storm Worm Outbreaks

- Spambot binary used to spread new infections in subsequent campaigns
  - Looks for email addresses and mailing lists in the files on the infected machines