Lecture Worm Detection


Transcript of Lecture Worm Detection

  • 8/2/2019 Lecture Worm Detection

    1/37

    Active Worm and Its Defense 1

    Active Worm and Its Defense

    CSE651: Network Security

  • Worm vs. Virus

    Worm: a program that propagates itself over a network, reproducing itself as it goes.

    Virus: a program that searches out other programs and infects them by embedding a copy of itself in them.

  • Active Worm vs. [D]DoS

    DDoS stands for Distributed Denial of Service attacks. Points of comparison:

    Propagation method

    Goal: congestion, resource appropriation

    Rate of distribution

    Scope of infection

  • History

    http://snowplow.org/tom/worm/history.html

    Morris Worm, the first worm virus, released on November 2, 1988 by Robert Tappan Morris, who was then a 23 year old doctoral student at Cornell University.

    Code-Red worm in July 2001 infected more than 350,000 Microsoft IIS servers. The attack finished in 14 hours.

    Slammer worm in January 2003 infected nearly 75,000 Microsoft SQL servers. The attack finished in less than one hour.

    MyDoom worm in February 2004 infected lots of hosts, which automatically and successfully DDoS-attacked a few popular websites.

  • The Morris Worm of 1988

    First worm program

    Released by Robert T. Morris of Cornell University

    Affected DEC's VAX and Sun Microsystems' Sun 3 systems

    Spread to ~6000 victims, i.e., 5-10% of hosts at that time; more machines were disconnected from the net to avoid infection

    Cost: some estimate $98 million. Other reports:

  • Recent Worms

    July 13, 2001: Code Red V1

    July 19, 2001: Code Red V2

    Aug. 04, 2001: Code Red II

    Sep. 18, 2001: Nimda

    Jan. 25, 2003: SQL Slammer

    More recent: SoBig.F, MSBlast

  • How an Active Worm Spreads

    Autonomous: no need of human interaction

    [Figure: an infected machine scans and probes another machine, then transfers a copy of the worm to it]

  • Basic Propagation Method

    Network Worm: uses port scans to find vulnerabilities of the targets

    Application Worm: propagates through email, Instant Messaging, file sharing on operating systems, P2P file sharing systems, or other applications

    Hybrid Worm

  • Delivery Method

    How is worm code delivered to vulnerable hosts?

    Self-contained self-propagation: each newly infected host becomes the new source and sends worm code to the other hosts it infects

    Embedded: embedded in infected files, such as emails or shared files

    Second channel: the newly infected host uses a second channel such as TFTP (Trivial File Transfer Protocol) to download the worm code from a central source

  • Scanning Strategy (1)

    Random scanning: probes random addresses in the IP address space (CRv2)

    Selective random scanning: a set of addresses that more likely belong to existing machines is selected as the target address space

    Hitlist scanning: probes addresses from an externally supplied list

    Topological scanning: uses information found on the compromised host (email worms)

    Local subnet scanning: preferentially scans targets that reside on the same subnet (Code Red II and Nimda worm)

  • Scanning Strategy (2)

    Routable scanning: chooses routable IP addresses as the target of the scan

    DNS scanning: chooses hosts with a DNS name as the target of the scan

    Permutation scanning: each newly infected host gets a different IP address block

  • Synchronization between Infected Hosts (or Worm Instances)

    Asynchronized: each infected host behaves individually, without synchronization with other infected hosts

    Synchronized: infected hosts are synchronized with each other, e.g., by a central server

  • Propagation Activity Control

    Non-stopping: keeps port scanning and never stops

    Time control: a preset stopping timer and restart timer control the port scan activities

    Self-adjustment: self-control according to the environment (Atak worm) or to the estimated number of infected hosts (Self-Stop worm)

    Centralized control: controlled by the attacker

  • Scan Rate

    Constant scan rate: each infected host keeps a constant scan rate, limited by the computation ability and outgoing bandwidth of the host

    Random varying scan rate: randomly changes the scan rate

    Smart varying scan rate: changes the scan rate according to certain rules, following the attack policy and the environment

    Controlled varying scan rate: changes the scan rate according to the attacker's control command

  • Modularity

    Non-modular

    Modular: uses a modular design in the worm code, so that new attack modules can be sent to the infected hosts and plugged in after the infection

  • Organization

    Decentralized: there is no organization or cooperation among infected hosts, and no communication between the infected hosts and the attacker

    Centralized organization: organized via Internet Relay Chat (IRC) or other methods, as botnets do, so that the attacker can control the infected hosts

  • Payload with the worm code

    Spamming: code capable of carrying out spamming

    DDoS attack: code capable of carrying out DDoS attacks

    Sniffing: code that watches for interesting clear-text data passing by the infected hosts

    Spyware: spyware code

    Keylogging: code that records and retrieves the passwords typed on the infected hosts

    Data theft: code that steals private data

  • Techniques for Exploiting Vulnerability

    fingerd (buffer overflow)

    sendmail (bug in the debug mode)

    rsh/rexec (guess weak passwords)

  • Active Worm Defense

    Modeling

    Infection Mitigation

  • Worm Behavior Modeling (1)

    Propagation model:

    $$\frac{di(t)}{dt} = \frac{rV}{N}\, i(t)\,\bigl(1 - i(t)\bigr)$$

    V is the total number of vulnerable nodes

    N is the size of the address space

    i(t) is the percentage (as a fraction between 0 and 1) of infected nodes among V

    r is the scan rate of the worm

    Derivation: during an interval dt the infected nodes send r·i(t)·V·dt scans, and each scan hits an uninfected vulnerable node with probability (1 - i(t))·V/N, so

    $$V\,di(t) = \bigl(r\, i(t)\, V\, dt\bigr)\,\bigl(1 - i(t)\bigr)\,\frac{V}{N}$$

  • Worm Behavior Modeling (2)

    Propagation model (discrete time):

    M(i): the number of overall infected hosts at time tick i

    N(i): the number of uninfected vulnerable hosts at time tick i

    E(i): the number of newly infected hosts from time tick i to time tick i+1

    T: the total number of IP addresses, i.e., 2^32 for IPv4

    N(0): the number of vulnerable hosts on the Internet before the worm attack starts

    E(0) = 0, M(0) = M0
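The two modeling slides above define the quantities but show no numbers. The following script is an added example (not from the lecture) that runs both models: it integrates the continuous model di/dt = (rV/N)·i·(1 - i) with a simple Euler step and checks it against the closed-form logistic solution, and it steps the discrete M(i)/N(i)/E(i) model tick by tick. The lecture does not state how E(i) is computed, so the expression used here is an assumption: with r·M(i) independent random scans per tick over T addresses, the expected number of freshly hit uninfected vulnerable hosts is N(i)·(1 - (1 - 1/T)^(r·M(i))). The parameters in the `__main__` block are constructed for illustration.

```python
"""Worm propagation models: continuous (fraction i(t)) and discrete (M, N, E).

Added example, not lecture code. The recurrence for E(i) is an ASSUMPTION
(the slide defines E(i) but gives no formula for it).
"""
import math


def continuous_model(V, N, r, i0, dt, steps):
    """Euler integration of di/dt = (r*V/N) * i * (1 - i).
    Returns the list of i(t) samples, i.e. the infected fraction over time."""
    a = r * V / N            # effective contact rate per unit time
    i = i0
    samples = [i]
    for _ in range(steps):
        i = min(i + dt * a * i * (1.0 - i), 1.0)
        samples.append(i)
    return samples


def logistic_closed_form(t, i0, a):
    """Closed-form solution of the same ODE, used to check the integration."""
    e = math.exp(a * t)
    return i0 * e / (1.0 - i0 + i0 * e)


def discrete_model(M0, N0, T, r, ticks):
    """Tick-by-tick model. Returns lists M (len ticks+1), N (len ticks+1),
    E (len ticks), with M(i+1) = M(i) + E(i), N(i+1) = N(i) - E(i), E(0) = 0."""
    M, N, E = [float(M0)], [float(N0)], [0.0]   # E(0) = 0 as on the slide
    for i in range(ticks):
        if i > 0:
            # ASSUMPTION: r*M(i) independent random scans over T addresses;
            # each uninfected vulnerable host is missed by all of them with
            # probability (1 - 1/T)^(r*M(i)).
            p_miss = (1.0 - 1.0 / T) ** (r * M[i])
            E.append(N[i] * (1.0 - p_miss))
        M.append(M[i] + E[i])
        N.append(N[i] - E[i])
    return M, N, E


def ticks_to_fraction(M, N, fraction):
    """First tick at which M(i) reaches `fraction` of all vulnerable hosts."""
    total = M[0] + N[0]
    for i, m in enumerate(M):
        if m >= fraction * total:
            return i
    return None


if __name__ == "__main__":
    # Constructed parameters: 2^32 addresses, 360k vulnerable hosts,
    # 10 scans/s per infected host, one infected host at t = 0.
    V, N_addr, r = 360_000, 2 ** 32, 10.0
    a = r * V / N_addr
    series = continuous_model(V, N_addr, r, 1.0 / V, 1.0, 20_000)
    print(f"continuous: {series[-1]:.4f} infected after 20000 s (a = {a:.2e}/s)")
    M, N_, E = discrete_model(1, V, N_addr, r, 20_000)
    print(f"discrete: 50% at tick {ticks_to_fraction(M, N_, 0.5)}, "
          f"99% at tick {ticks_to_fraction(M, N_, 0.99)}")
```

Both models show the S-curve the later detection slides rely on: growth is exponential while i(t) is small (the (1 - i) factor is close to 1), then flattens as uninfected vulnerable hosts run out. The discrete model's ticks_to_fraction gives the defender's budget: how many ticks pass before half of the vulnerable population is infected under a given scan rate.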

  • Modeling P2P-based Active Worm Attacks

    Basic worm attack strategy: Pure Random-based Scan (PRS)

    Randomly selects the attack victim

    Adopted by Code-Red-I and Slammer

    P2P-based attack strategies: Offline P2P-based Hit-list Scan (OPHLS) and Online P2P-based Scan (OPS)

    Both strategies exploit P2P system features

  • Background: P2P Systems

    Host-based overlay system

    Structured and unstructured

    Rich connectivity

    Very popular: 3,467,860 users in the FastTrack P2P system; 1,420,399 users in the eDonkey P2P system; 1,155,953 users in the iMesh P2P system; 103,466 users in the Gnutella P2P system

  • Two P2P-based Worm Attack Strategies

    Offline P2P-based Hit-list Scan (OPHLS): collects P2P host addresses offline as a hit-list, attacks the hit-list first, then attacks the Internet via PRS

    Online P2P-based Scan (OPS): uses runtime P2P neighbor information, attacks P2P neighbors, and applies the extra attack resource to attack the Internet via PRS

  • Online-based P2P Worm Attack Strategy

  • Performance Comparison of Attack Strategies

    [Figure: Attack Performance vs. Scan Approaches; x-axis: Time (45 to 75); y-axis: Infection Ratio (0 to 1); series: PRS, OPHLS, OPSS]

    The P2P-based attack strategies overall outperform the PRS attack strategy

    The OPHLS attack strategy achieves the best performance compared to all other online-based attack strategies

  • Sensitivity of Attack to P2P System Size

    [Figure: The Sensitivity of P2P System Size; x-axis: Time (45 to 70); y-axis: Infection Ratio (0 to 1); series: PRS, OPSS(1000), OPSS(5000), OPSS(10000), OPUS(1000), OPUS(5000), OPUS(10000)]

    As the P2P size increases, the attack performance becomes consistently better for all attack strategies

  • Detection

    Host-based detection

    Network-based detection: detecting large scale worm propagation

    Global distributed traffic monitoring framework: distributed monitors and a data center

    Worm port scanning vs. background port scanning

  • Distributed Worm Monitoring Systems

  • Detection Schemes

    Assumed worm behavior: pure random scan; each worm instance takes part in the attack all the time; constant scan rate

    Overall port scanning traffic volume implies the number of worm instances (infected hosts)

    Total number of worm instances and overall port scanning traffic volume increase exponentially during worm propagation

    Count-based and trend-based detection schemes
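The slide names count-based and trend-based schemes without showing either. The script below is an added example (not from the lecture or from any monitoring framework it mentions) that applies both to a per-interval series of port-scan counts, the kind of aggregate a data center would receive from distributed monitors. Count-based detection learns a threshold from the background-scanning baseline; trend-based detection fits a straight line to log(count) over a sliding window and alerts only when the slope is steep and the fit is tight, i.e. when growth is exponential and sustained rather than a one-interval spike. SAMPLE_COUNTS is constructed: ten background intervals of about 100 scans, then a worm adding 5, 10, 20, ... scans per interval (doubling each tick); the threshold values are choices for this example, not parameters from the lecture.

```python
"""Count-based vs. trend-based detection over aggregated port-scan counts.

Added example, not lecture code. SAMPLE_COUNTS is constructed data.
"""
import math

SAMPLE_COUNTS = [100, 103, 98, 101, 99, 102, 100, 97, 101, 100,   # background only
                 105, 110, 120, 140, 180, 260, 420, 740, 1380]   # worm starts at index 10


def count_based_alert(counts, baseline_len, k=3.0):
    """First index whose count exceeds mean + k*stddev of the baseline
    (the first baseline_len intervals), or None if nothing exceeds it."""
    base = counts[:baseline_len]
    mean = sum(base) / len(base)
    std = math.sqrt(sum((c - mean) ** 2 for c in base) / len(base))
    threshold = mean + k * std
    for idx in range(baseline_len, len(counts)):
        if counts[idx] > threshold:
            return idx
    return None


def log_linear_fit(values):
    """Least-squares fit of log(value) against the interval index.
    Returns (slope, r_squared); slope is ln(growth factor per interval),
    so slope = ln 2 means the count doubles every interval."""
    ys = [math.log(max(v, 1)) for v in values]   # guard log(0)
    n = len(ys)
    mx = (n - 1) / 2.0
    my = sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in enumerate(ys))
    sxx = sum((x - mx) ** 2 for x in range(n))
    syy = sum((y - my) ** 2 for y in ys)
    slope = sxy / sxx
    r2 = (sxy * sxy) / (sxx * syy) if syy > 0 else 0.0
    return slope, r2


def trend_based_alert(counts, window=5, min_slope=0.4, min_r2=0.95):
    """First index at which the last `window` counts show a consistent
    exponential trend (slope >= min_slope and r2 >= min_r2), or None.
    min_slope=0.4 requires growth of roughly 1.5x per interval across the
    whole window; min_r2 rejects a single spike with flat neighbours."""
    for end in range(window - 1, len(counts)):
        slope, r2 = log_linear_fit(counts[end - window + 1:end + 1])
        if slope >= min_slope and r2 >= min_r2:
            return end
    return None


if __name__ == "__main__":
    print("count-based alert at index", count_based_alert(SAMPLE_COUNTS, 10))
    print("trend-based alert at index", trend_based_alert(SAMPLE_COUNTS))
```

On this series the count-based scheme fires first (as soon as the total clears the baseline threshold), while the trend-based scheme fires later but is insensitive to how noisy or how large the background scanning level is: it keys on the exponential shape the previous slide attributes to worm propagation, not on an absolute volume.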

  • Infection Mitigation

    Patching

    Filtering/intrusion detection (signature based)

    DAW (Distributed Anti-Worm Architecture)

    TCP/IP stack reimplementation, bounding connection requests

  • Goals of DAW

    Impede worm progress, allow human intervention

    Detect worm-infected clients

    Ensure congestion issues are minimized, with little routing performance impact

    Shigang Chen and Yong Tang. Slowing down Internet worms. In Proceedings of the 24th International Conference on Distributed Computing Systems, March 2004.

  • DAW Requirements

    Distributed; sensors act independently

    NIDS (rather than HIDS)

    Limited responsibility, ensures availability of nodes

  • DAW

  • Active Worm Detection in DAW

    User behavior: few failed connections (DNS); predictable traffic generation throughout the day; relatively uniform intranet traffic distribution

    Worm behavior: sampling shows a 99.96% failure rate for scans; spikes in the failure:request ratio; traffic pattern disproportionately favors infected clients

  • Active Worm Failures

    TCP only, random scanning

    ICMP Unreachable / TCP-RST response

    99.96% failure on 80/tcp

    sf rN Vr '1
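The two DAW slides above contrast users (few failed connections) with random-scanning worms (a 99.96% failure rate, visible as ICMP unreachable or TCP RST responses or no response at all). The script below is an added example, not DAW's own code, that turns that contrast into a per-host failure:request ratio check over a connection-attempt log. The log line format, the outcome labels and the sample log are constructed for this example; build_sample_log() produces one normal client and one client behaving like a random scanner, both on TEST-NET addresses, and the min_requests and max_ratio thresholds are choices for the example rather than values from the lecture.

```python
"""Per-host failure:request ratio detection, in the spirit of DAW.

Added example, not DAW code. Log format and sample data are constructed.
"""
import re
from collections import defaultdict

# Constructed line format: "<ts> <src> -> <dst>:<dport> <outcome>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<outcome>\S+)$")
# Failure signals from the 'Active Worm Failures' slide: RST, ICMP unreachable,
# and (assumed label) TIMEOUT for a probe that got no answer at all.
FAILURE_OUTCOMES = {"RST", "ICMP-UNREACH", "TIMEOUT"}


def build_sample_log():
    """Constructed log: 10.0.0.5 is a normal user (20 attempts, 1 failure);
    10.0.0.9 behaves like a random-scanning worm (25 attempts, 24 failures)."""
    lines = []
    for k in range(20):
        outcome = "RST" if k == 7 else "SYN-ACK"
        lines.append(f"{1000 + k} 10.0.0.5 -> 198.51.100.{k + 1}:80 {outcome}")
    for k in range(25):
        outcome = "SYN-ACK" if k == 3 else ("ICMP-UNREACH" if k % 2 else "TIMEOUT")
        lines.append(f"{2000 + k} 10.0.0.9 -> 203.0.113.{k + 1}:80 {outcome}")
    return lines


def failure_ratios(lines):
    """Map source host -> (requests, failures, failure ratio).
    Malformed lines are skipped so a bad record cannot stall the detector."""
    requests = defaultdict(int)
    failures = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        requests[src] += 1
        if m.group("outcome") in FAILURE_OUTCOMES:
            failures[src] += 1
    return {src: (requests[src], failures[src], failures[src] / requests[src])
            for src in requests}


def flag_scanning_hosts(lines, min_requests=10, max_ratio=0.5):
    """Hosts with at least min_requests attempts whose failure ratio exceeds
    max_ratio. min_requests keeps one DNS hiccup from flagging a real user;
    max_ratio sits far above a user's few failures and far below a random
    scanner's ~99.96%."""
    stats = failure_ratios(lines)
    return sorted(src for src, (req, _fail, ratio) in stats.items()
                  if req >= min_requests and ratio > max_ratio)


if __name__ == "__main__":
    log = build_sample_log()
    for src, (req, fail, ratio) in sorted(failure_ratios(log).items()):
        print(f"{src}: {fail}/{req} failed ({ratio:.0%})")
    print("flagged:", flag_scanning_hosts(log))
```

A sensor evaluating this per time window, as DAW's independently acting sensors would, sees the user stay near a few percent while a scanning host jumps to a ratio near one, which is the "spike in the failure:request ratio" the slide describes; the minimum-request guard is what keeps the scheme from reacting to a handful of normal DNS or connection failures.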

  • Summary

    Worms can spread quickly: 359,000 hosts in < 14 hours

    Home / small business hosts play a significant role in global Internet health: no system administrator, slow response

    Can't estimate infected machines by the number of unique IP addresses; the DHCP effect appears to be real and significant

    Active Worm Defense: Modeling; Infection Mitigation