Automated Worm Fingerprinting [Singh, Estan et al.]
Internet Quarantine: Requirements for Containing Self-Propagating Code [Moore, Shannon et al.]
David W. Hill, CSCI 297, 6.28.2005
What is a worm?
Self-replicating/self-propagating code.
Spreads across a network by exploiting flaws in open (network-exposed) services.
– As opposed to viruses, which require user action to activate and spread.
Not new: Morris Worm, Nov. 1988
– 6-10% of all Internet hosts infected
Many more since, but none on that scale ... until Code Red.
Internet Worm History
Xerox PARC, Schoch and Hupp, 1982
Morris Worm <DEC VAX, sendmail, fingerd>, 1988
Code Red (V1, V2, II) <IIS>, 2001
NIMDA <various exploits>, 2001
Slammer Worm <MS SQL>, 2003
Blaster Worm <DCOM>, 2003
Sasser Worm <LSASS>, 2004
Code Red V1
Initial version released July 13, 2001.
Exploited a known bug in Microsoft IIS web servers.
1st through 20th of each month: spread.
20th through end of each month: attack.
Payload: web site defacement.
Spread: via random scanning of the 32-bit IP address space.
But: failure to seed the random number generator, so every copy scanned the same sequence of addresses: linear growth.
Code Red V2
Revision released July 19, 2001.
Payload: flooding attack on www.whitehouse.gov.
But: this time the random number generator was correctly seeded, so each copy scanned a different sequence. Bingo!
Resident in memory; a reboot clears the infection.
Web defacement.
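The seeding difference between Code Red V1 and V2 above, as an added toy simulation (not code from the deck or either paper). It assumes a constructed address space of 20,000 addresses with 500 vulnerable hosts, 80 probes per infected host per round, and models the V1 bug as every copy starting its PRNG from the same fixed state.

```python
# Added example for this deck (not from the papers): a toy simulation of
# why an unseeded scanner grows linearly while a seeded one grows
# exponentially.  All numbers below are constructed.
import random

ADDR_SPACE = 20_000   # size of the toy address space (assumption)
VULN = 500            # vulnerable hosts hidden in it (assumption)
PROBES = 80           # scans each infected host performs per round
ROUNDS = 12


def simulate(seeded, rng_seed=1):
    """Return infected-host counts per round, starting with one host.

    seeded=False models Code Red v1: every copy starts its PRNG from the
    same fixed state, so it probes the same addresses in the same order
    as every other copy and only the copy furthest along finds new hosts.
    seeded=True models v2: each copy gets a fresh seed, so copies probe
    different addresses and work in parallel.
    """
    master = random.Random(rng_seed)          # drives the scenario, not the worm
    vulnerable = set(master.sample(range(ADDR_SPACE), VULN))
    patient_zero = min(vulnerable)

    def worm_rng():
        return random.Random(master.getrandbits(64)) if seeded else random.Random(0)

    infected = {patient_zero}
    scanners = {patient_zero: worm_rng()}
    history = [len(infected)]
    for _ in range(ROUNDS):
        newly = set()
        for rng in scanners.values():
            for _ in range(PROBES):
                target = rng.randrange(ADDR_SPACE)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        for host in newly:                      # victims start scanning next round
            infected.add(host)
            scanners[host] = worm_rng()
        history.append(len(infected))
    return history


if __name__ == "__main__":
    print("unseeded (v1):", simulate(seeded=False))
    print("seeded   (v2):", simulate(seeded=True))
```

In the unseeded run a copy infected in round r replays exactly the probes the first copy made in rounds 1..r, all of which already hit infected hosts, so the infected count rises by roughly one scanner's worth per round; in the seeded run every copy contributes and the curve saturates within a dozen rounds.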
Code Red V2 - Spread
Code Red II
New worm released August 4, 2001.
Intelligent replication engine (prefers addresses in the infected host's own /8 and /16)
Installed backdoors
Used more threads
Life Just Before Slammer
Life Just After Slammer
Worm Detection – Current Methods
Network telescopes – passive monitors of unused address space (downfalls: non-random, provide only the scanning IP, not a signature)
Honeypots – slow, manual analysis
Host-based behavioral detection – dynamically analyzes anomalous activity, but cannot infer a large-scale attack
IDS, IPS – e.g., Snort
– Labor-intensive, human-mediated
Worm Containment
Host quarantine – IP ACL, router, firewall (blacklist)
String-matching containment
Connection throttling – slow the spread
Earlybird – Content Sifting
Content in existing worms is invariant
Dynamics for worm spread are atypical
The Earlybird system can extract signatures from traffic to detect worms and automatically react
05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)
0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4  E.....@.o.S.Z...
0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b  .N.....P^..WD.|;
0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566  P."8l...GET./def
0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858  ault.ida?XXXXXXX
0x0040 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
. . . . .
0x00e0 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x00f0 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0100 5858 5858 5858 5858 5858 5858 5858 5858  XXXXXXXXXXXXXXXX
0x0110 5858 5858 5858 5858 5825 7539 3039 3025  XXXXXXXXX%u9090%
0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f  0=a.HTTP/1.0..Co
. . . . .
Signatures
Worm signature: content-based blocking [Moore et al., 2003]
Signature for Code Red II
Signature: a payload content string specific to a worm
Worm Behavior - Earlybird
Content invariance
Content prevalence
Address dispersion
Earlybird Implementation
Each network packet is scanned for invariant content
Maintain a count of unique source and destination IPs
Sorting by substring count and by the size of the address list determines which traffic is worm traffic
Use the substrings to automatically create signatures to filter the worm
Earlybird Cont.
System consists of sensors and an aggregator
Aggregator – pulls data from the sensors; activates network- or host-level blocking, reporting and control
Earlybird – Memory & CPU
Memory and CPU cycle constraints
Index the content table by a fixed-size hash of the packet payload
Scaled bitmaps are used to reduce memory consumption of the address dispersion counts
Earlybird Cont.
Sensor – 1.6 GHz AMD Opteron 242, Linux 2.6 kernel
Captures using libpcap
Can sift 1 TB of traffic per day and sustain 200 Mbps of continuous traffic
Cisco router configured for port mirroring
Thresholds
Content prevalence = 3
– 97 percent of signatures repeat two or fewer times
Address dispersion = 30 sources and 30 destinations
– A lower dispersion threshold produces more false positives
Garbage collection of stale table entries – every several hours
Earlybird False Positives
99 percent of FPs come from SMTP header strings and HTTP User-Agent strings – whitelist them
Spam e-mail – distributed mailers and relays
BitTorrent file striping creates a many-to-many download profile
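The sifting loop from the Earlybird implementation slide, combined with the prevalence and dispersion thresholds and the header whitelist from the slides just above, as an added example (not the Earlybird or NetSift code). It assumes 16-byte sliding windows hashed with SHA-1 in place of Rabin fingerprints, Python sets in place of scaled bitmaps, whitelisting by dropping header lines before windowing, constructed traffic on documentation-range addresses with the Code Red request abbreviated from the dump earlier in the deck, and thresholds scaled down to 3/4/4 so a five-host sample can trigger.

```python
# Added example for this deck, not the Earlybird/NetSift code.  It
# implements the sifting loop from the implementation slide: hash every
# content window, count prevalence, track unique sources/destinations,
# and emit a window as a signature once both thresholds are crossed.
# Simplifications (assumptions): SHA-1 over fixed 16-byte sliding windows
# stands in for Rabin fingerprints with value sampling, Python sets stand
# in for scaled bitmaps, and whitelisting drops header lines before
# windowing instead of filtering emitted signatures.
from collections import defaultdict
import hashlib
import re

WINDOW = 16  # bytes per content window (assumption)

# The deck attributes 99% of false positives to SMTP header strings and
# HTTP User-Agent lines; these constructed patterns whitelist such lines.
WHITELIST = [
    re.compile(rb"^User-Agent:", re.I),
    re.compile(rb"^(Received|Message-ID|X-Mailer):", re.I),
]


def strip_whitelisted(payload):
    """Remove whitelisted header lines so they never become signatures."""
    lines = payload.split(b"\r\n")
    return b"\r\n".join(ln for ln in lines if not any(p.match(ln) for p in WHITELIST))


class Sifter:
    """Content prevalence + address dispersion tables for one sensor."""

    def __init__(self, prevalence=3, src_disp=30, dst_disp=30, whitelist=True):
        # defaults are the thresholds the deck reports for Earlybird
        self.prevalence, self.src_disp, self.dst_disp = prevalence, src_disp, dst_disp
        self.whitelist = whitelist
        self.count = defaultdict(int)   # fingerprint -> times seen
        self.srcs = defaultdict(set)    # fingerprint -> unique source IPs
        self.dsts = defaultdict(set)    # fingerprint -> unique destination IPs
        self.signatures = set()         # windows that crossed both thresholds

    def feed(self, src, dst, payload):
        """Sift one packet; return the windows that became signatures now."""
        if self.whitelist:
            payload = strip_whitelisted(payload)
        emitted = set()
        for i in range(len(payload) - WINDOW + 1):
            win = payload[i:i + WINDOW]
            fp = hashlib.sha1(win).digest()[:8]   # fixed-size table index
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)
            if (win not in self.signatures
                    and self.count[fp] >= self.prevalence
                    and len(self.srcs[fp]) >= self.src_disp
                    and len(self.dsts[fp]) >= self.dst_disp):
                self.signatures.add(win)
                emitted.add(win)
        return emitted


def sift(packets, **thresholds):
    """Run one Sifter over (src, dst, payload) tuples; return all signatures."""
    sensor = Sifter(**thresholds)
    for src, dst, payload in packets:
        sensor.feed(src, dst, payload)
    return sensor.signatures


# Constructed traffic.  The worm payload is abbreviated from the Code Red
# dump earlier in the deck; the benign requests share only a User-Agent.
CODE_RED = b"GET /default.ida?" + b"X" * 40 + b"%u9090% HTTP/1.0\r\n"
UA = b"User-Agent: Mozilla/5.0 (constructed)\r\n"
WORM = [("10.0.0.%d" % i, "203.0.113.%d" % i, CODE_RED) for i in range(1, 6)]
BENIGN = [("192.0.2.%d" % i, "198.51.100.%d" % i,
           b"GET /" + name + b" HTTP/1.0\r\n" + UA + b"\r\n")
          for i, name in enumerate([b"a.html", b"b.css", b"c.png", b"d.js", b"e.txt"], 1)]

if __name__ == "__main__":
    # scaled-down thresholds so a five-host sample can trigger
    for sig in sorted(sift(WORM + BENIGN, prevalence=3, src_disp=4, dst_disp=4)):
        print(sig)
```

With the scaled thresholds the worm request crosses prevalence and dispersion on the fourth infected host while the benign requests do not; switching the whitelist off turns the shared User-Agent line into a signature, which is the false positive the slide describes. At the deck's real thresholds (30 sources, 30 destinations) five hosts are not enough to trigger anything, and protocol boilerplate such as a shared request-line suffix would also need those higher thresholds to stay quiet on real traffic. A deployment would additionally merge the many overlapping windows of one worm into a single signature, which this example leaves out.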
Earlybird – Issues of Concern
SSH, SSL, IPsec, VPNs (encrypted payloads carry no siftable content)
Polymorphism (no invariant content to fingerprint)
Spoofed source IP addresses (inflate address dispersion)
Packet injection (attacker-crafted traffic aimed at provoking a false signature)
Earlybird – Current State
UCSD → NetSift → Cisco
Internet Quarantine – Requirements for Containing Self-Propagating Code
Modeling Containment
Blacklisting vs. Content Filtering
Blacklisting vs. Content Filtering - Aggressiveness
Deployment Scenarios
References
- Vern Paxson, The Threat of Internet Worms. http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf
- Cooperative Association for Internet Data Analysis (CAIDA). http://www.caida.org
- Kim and Karp, Autograph: Toward Automated, Distributed Worm Signature Detection. USENIX Security 2004.
- Wikipedia: computer worms, hashing.
- Aytekin Vargun, Code Carrying Proofs. Rensselaer Polytechnic Institute.
Thank You!
Discussion...