Title: WORM PROPAGATION
1 WORM PROPAGATION
- Terry Griffin
- Sandeep Pinnamaneni
- Vandana Gunupudi
2 Agenda
- Introduction
- Background
- Infamous Worms
- Benchmarks and Metrics
- Requirements
- Summary of Methods
- Conclusion
3 Introduction
- What is a worm?
  - A piece of software that propagates using vulnerabilities in software/applications
  - Self-propagating (distinct from a virus)
  - Self-replicating
  - Spreads through the Internet easily because of its open communication model
4 Classification of Worms
- Target Discovery
  - How does a worm find new hosts to infect?
- Carrier
  - How does it transmit itself to the target?
- Activation
  - Mechanism by which the worm operates on the target
- Payloads
  - What the worm carries to reach its goal
N. Weaver, V. Paxson, et al., "A taxonomy of computer worms," Proc. of the ACM Workshop on Rapid Malcode, pp. 11-18, 2003.
5 Target Discovery
- Scanning
  - Sequential or random
  - Permutation scanning
  - Bandwidth-limited scanning
- Pre-generated target lists
  - Hit-list of probable victims
- Externally/internally generated target lists
- Topological worm (Morris Worm)
6 Carrier (Propagation Mechanisms)
- Self-carried
  - Actively transmits itself as part of the infection process
- Second channel
  - Requires a secondary communication channel
  - Example: Blaster's primary channel is RPC; its secondary channel is TFTP
- Embedded
  - Appends itself to normal messages
7 Activation Mechanism
- Human activation
  - Slowest activation method
  - Melissa
- Human-activity based
  - Windows share worms like Nimda
- Scheduled process activation
  - Like unauthenticated automatic updates
- Self activation
  - Fastest method
8 Payloads
- Code carried by the worm apart from its propagation routines
- Empty payload
  - Most common
- Internet remote control
  - Privileged back door
- Spam relays
  - Sobig's Trojan opened an open mail relay
- HTTP proxies
  - Sobig distributed web proxies
- Internet DoS (Code Red)
9 History of Worms
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
10 Morris Worm
- Topological worm (6-10% of all Internet hosts infected)
- First large-scale worm; targeted VAX and Sun Unix systems
- Target discovery
  - Scanning the local subnet
- Activation
  - Self activation
- Propagation mechanism (self-carried)
  - Exploiting a fingerd buffer overflow
- Payload
  - None
11 Code Red I
- On July 19, 2001 more than 359,000 computers connected to the Internet were infected by the Code Red I v2 worm in less than 14 hours
12 Code Red I
- Target discovery
  - Scanning
- Activation
  - Self activation
- Propagation mechanism (self-carried)
  - Exploiting a Microsoft IIS web server buffer overflow
- Payload
  - Defacement of websites
13 Code Red I
- Exploited a buffer overflow in the Indexing Service of Microsoft IIS Server
- Days 1-19 of each month
  - Displays a "hacked by Chinese" message on English-language servers
  - Tries to open connections to infect randomly chosen machines using 100 threads
- Days 20-27
  - Stops trying to spread
  - Launches a denial-of-service attack on the IP address of www1.whitehouse.gov
- Code Red I v1
  - July 12, 2001
  - Used a static seed for the random number generator
  - Each infected computer always tries to infect the same IP addresses
  - Not very damaging; spread slowly
  - Memory resident
- Code Red I v2
  - July 19, 2001
  - Used a random seed for the random number generator
14 Code Red Damage
- 359,000 hosts infected in a 24-hour period
- Between 1100 and 1600 UTC the growth was exponential
- 2,000 hosts infected per minute at the peak of the infection rate (1600 UTC)
15 Nimda (September 18, 2001)
- Target discovery
  - Scanning, email
- Activation
  - Self activation, user action
- Propagation mechanism (self-carried)
  - Exploiting a Microsoft IIS web server buffer overflow
- Payload
  - Defacement of websites
- Multi-mode spreading
  - Attacks IIS servers via infected clients
  - Emails itself to the address book as a virus
  - Copies itself across open network shares
  - Modifies web pages on infected servers with a client exploit
  - Scans for the Code Red II backdoor
- Spread across firewalls
16 Sasser Worm (2004)
- April 29, 2004
- Target discovery
  - Random scanning of IP addresses on TCP port 445
  - Can scan up to 1,024 addresses simultaneously
- Mode of transmission
  - Buffer overflow in the Windows Local Security Authority Subsystem Service (LSASS)
- Payload
  - Rootkit potential
  - Escalation of privileges
17 Witty (2004)
- March 19, 2004
- Buffer overflow vulnerability in the ISS PAM module
  - A single UDP packet exploits a flaw in the passive analysis of Internet Security Systems (ISS) products
- Bandwidth-limited UDP worm like Slammer
- Vulnerable population (12K) attained in 75 minutes
- Payload: slowly corrupts random disk blocks
- Detailed telescope analysis reveals the worm targeted a US military base and was launched from a European retail ISP account
18 Other Worms
- Network.vbs, February 2000
  - This worm had no payload and spread via unprotected Windows shares
- Ramen, January 2001
  - This worm targeted Red Hat Linux systems via exploits that were 4-7 months old and, aside from defacing web pages, did not appear to be particularly malicious
  - However, as noted by the Linux Weekly News, multicast traffic was affected as a byproduct of the worm's scanning mechanism, resulting in degraded service over the MBONE for both unicast and multicast traffic
19 Network.vbs Worm
- The Network.vbs worm propagates via unprotected Windows shares. The process as described in CERT Incident Note IN-2002-02 is as follows:
  1. Perform a pseudo-random IP scan, looking for hosts with Windows file sharing enabled.
  2. Attempt to mount the share named C as local drive J.
  3. If the mount is successful, copy the network.vbs script into the Startup program group.
- Provided that the above is successful, the worm will be executed the next time someone logs into the system. It should be noted that the QAZ worm uses a similar mechanism, enumerating hosts within the Network Neighborhood and replacing notepad.exe with the worm binary.
20 ADM Worm
- The ADM worm propagates via a buffer overflow in Unix systems running DNS server daemons derived from v4.9.6 of the ISC BIND code.
- The worm performs an incremental IP scan, starting from a random IP address, looking for DNS servers which support the IQUERY command. When such a server is encountered the worm attempts to exploit a buffer overflow in IQUERY response processing which, if successful, allows the worm to create an account for itself on the exploited host along with a setuid root shell.
- This account and shell are used to transfer the worm's tarball to the targeted host via ftp, at which point the tarball is untarred and the worm is executed on the target host, beginning the propagation process all over again.
21 ADM Worm
- ADM and other early worms (Millennium, Ramen, li0n, and Sadmind specifically) are composed of the following components:
  - IP scanner: a mechanism for selecting IPs to target.
  - One or more exploits: pre-existing, programmatic-attack type exploits used by the worm to escalate its privilege level on the targeted system.
  - Propagation mechanism: provides the logic necessary to move the worm archive from system to system, usually via the use of ftp or tftp.
  - Glue/misc scripts: these scripts tie the other components together and provide worm-specific functionality.
22 Slammer Worm - Before
- Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
23 Slammer Worm - After
24 SQL Slammer
- The Slammer worm (also called the Sapphire worm) consists of an IP scanner combined with an exploit for MS SQL Server, written in 376 bytes of code.
- Slammer exploited a connectionless UDP service, rather than connection-oriented TCP.
- The entire worm fit in a single packet!
- The worm infected 75,000 hosts in 10 minutes (despite a broken random number generator).
- At its peak, it doubled every 8.5 seconds
25 Slammer Worm
- Propagation speed was Sapphire's novel feature: in the first minute, the infected population doubled in size every 8.5 (±1) seconds.
- The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable machines were infected within 10 minutes of the worm's release. Although worms with this rapid propagation had been predicted on theoretical grounds, the spread of Sapphire provides the first real incident demonstrating the capabilities of a high-speed worm.
- By comparison, it was two orders of magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19th, 2001. The Code Red worm population had a leisurely doubling time of about 37 minutes.
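As an added illustration (not part of the original slides or the CAIDA analysis they quote), the two doubling times above can be plugged into the random-scanning epidemic model da/dt = K * a * (1 - a) from the Staniford/Paxson/Weaver paper listed in the references. The choice of that model, the symbols a and K, and the 90% target are assumptions of this example; the population sizes and doubling times are the slides' own figures.

```python
"""Logistic (random-scanning) worm propagation model.

Added example, not from the original slides. It assumes the standard
random-scanning epidemic model da/dt = K * a * (1 - a), where a is the
infected fraction of the vulnerable population and K is the rate at which
one infected host compromises new ones while almost nothing is infected.
"""
import math


def rate_from_doubling(doubling_time):
    """Rate K implied by an early-phase doubling time (same time unit).

    While a << 1 the growth is exponential, a(t) ~ a0 * e^(K t), so the
    population doubles every ln(2) / K time units.
    """
    return math.log(2.0) / doubling_time


def logistic_fraction(t, k, a0):
    """Infected fraction at time t for the logistic model started at a0."""
    e = math.exp(k * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(target, k, a0):
    """Time until the infected fraction reaches target (0 < target < 1)."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def compare_worms():
    """Hours to 90% infection of the vulnerable population from one host.

    Population sizes and doubling times are the figures on the slides:
    Code Red I v2 (359,000 hosts, 37 min) and Slammer (75,000 hosts, 8.5 s).
    The model ignores bandwidth saturation, so for Slammer it predicts a
    faster finish than the roughly 10 minutes actually observed; the slides
    note that its growth slowed once links filled up.
    """
    worms = {
        "Code Red I v2": (359_000, 37 * 60.0),  # doubling time in seconds
        "Slammer": (75_000, 8.5),
    }
    hours = {}
    for name, (population, doubling) in worms.items():
        k = rate_from_doubling(doubling)
        hours[name] = time_to_fraction(0.9, k, 1.0 / population) / 3600.0
    return hours


if __name__ == "__main__":
    for name, h in compare_worms().items():
        print(f"{name}: ~{h:.2f} h to 90% infected")
```

For Code Red the model lands at roughly 13.3 hours, consistent with the "less than 14 hours" on slide 11; for Slammer it gives under three minutes, showing how much the observed 10 minutes owed to saturated links rather than to the worm's own rate.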
26 General Model of Worm Propagation
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
27 Summary of Worm Propagation
- Worm propagation can be broadly described by a 3 (or 4) step process, illustrated in the figure on the previous slide:
  - 0.) Initial infection: the model begins with the presumption that there exists a system that is already infected by the worm and that the worm is active on this system.
  - 1.) Target acquisition: in order for the worm to propagate itself it must find additional systems to infect. Worms may actively target systems using:
    a. IP addresses
    b. Email addresses
    c. File system traversal
  It should also be noted that worms may passively target client systems, i.e. the trojaned web content delivered by web servers infected with the Nimda worm.
28 Worm Propagation
- 2.) Delivery of hostile code: once a system has been targeted, it is necessary to transfer the worm to the targeted system in preparation for infection. Code delivery has been observed to take place via the following:
  a. Network file systems
  b. Email
  c. Web clients
  d. Remote command shell (or equivalent)
  e. As part of a packet payload associated with buffer overflows and similar programmatic exploits
- 3.) Execution of hostile code: the presence of hostile code on a system is not sufficient for worm propagation; execution of the code must be triggered in some fashion. Code may be executed via:
  a. Direct invocation from the command line (or equivalent)
  b. Buffer overflow or other programmatic attack
  c. Email clients
  d. Web clients
  e. User intervention
  f. Automatic execution by the target system
- 4.) Some worms may only transfer a portion of their code in step 3. In that case it is necessary for them to transfer the remaining code once the target system has been compromised. This can be achieved via:
  a. FTP/TFTP
  b. Network file systems
29 Benchmarks and Metrics
- Infection size
  - Percentage of nodes infected
- Reaction time
  - Time between detection of a worm and deployment of worm control measures
  - Obviously, the lower the better
- Penetration ratio
  - Number of nodes infected compared to the size of the possible domain
  - Related to infection ratio
- False positives/negatives
30 Propagation Countermeasures
- The analysis below examines each step in the propagation model in detail to determine what countermeasures, if any, prove effective.
- Target acquisition
  - The specific targeting mechanism varies based on the means by which the hostile code will be delivered to the target system.
  - 1.) IP scanning
    - The most popular method for targeting systems to date seems to be IP scanning.
31 Target Acquisition
- The most basic scanning algorithm is as follows:
  1. Generate an IP address.
  2. Perform local setup for network communication.
  3. Attempt to connect to the targeted system by sending a TCP SYN packet to <Targeted IP Address>:<Port of Targeted Service>.
    a.) If a TCP SYN-ACK packet is received then the remote system at <Target IP> is listening on <Port of Targeted Service>. Send an ACK packet and proceed with transfer of hostile code.
    b.) Receipt of any other type of packet from <Target IP>, or failure to receive any packet after a certain number of tries, indicates that the targeted service is not available for some reason. Return to step 1.
32 Target Acquisition
- The simplest countermeasure to deploy is also the most effective: unneeded services should be turned off. In this situation, the infected host sends a SYN packet that is received by the target host as usual. However, since the service is turned off, there is no process listening on the destination port on the target host.
- The proper response in this situation is for the target host to send back an RST packet, the receipt of which tells the infected host that the targeted service is unavailable, causing the infected host to move on to the next target (loop).
33 Target Acquisition
- In a typical network configuration a firewall is deployed somewhere on the network path between the infected host and the target host, as shown in the figure below. When the infected host sends a SYN packet to the target host the packet is first intercepted by the firewall. The firewall is configured to prevent most systems from accessing services on the target host, which is achieved by silently discarding the SYN packet. The infected system will generally send several more SYN packets that will be treated in the same manner, after which the infected system will assume that the targeted service is unavailable and move on to the next target.
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
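The SYN / SYN-ACK / RST / silent-drop outcomes on the last three slides are also what a defender can watch for: a scanning host collects far more failed first contacts than a legitimate client. As an added example (not from the original slides or the SANS paper they cite), the detector below applies a simplified Threshold Random Walk to constructed connection-attempt records; the success probabilities, error rates and sample addresses are assumptions of the example.

```python
"""First-contact failure detector for random-scanning worms (added example,
not from the original slides). It applies a simplified Threshold Random Walk
(Jung et al., 2004) to the connection outcomes the slides describe: a SYN
answered with SYN-ACK is a success; an RST (service turned off) or no reply
(firewall silently dropping the SYN) is a failure. A host scanning random
addresses fails far more often than a legitimate client does.
"""
import math
from collections import defaultdict

THETA_BENIGN = 0.8    # assumed first-contact success probability, benign host
THETA_SCANNER = 0.2   # assumed first-contact success probability, scanner
ALPHA, BETA = 0.01, 0.99  # target false-positive and detection rates
UPPER = math.log(BETA / ALPHA)              # log-likelihood above -> scanner
LOWER = math.log((1 - BETA) / (1 - ALPHA))  # log-likelihood below -> benign


def classify_sources(events):
    """events: iterable of (src_ip, dst_ip, outcome), outcome one of
    "synack", "rst", "timeout". Returns {src_ip: "scanner" | "benign" |
    "undecided"}. Only the first contact with each distinct destination
    counts, so retries to one host (normal for a real client) do not push
    a source over the threshold.
    """
    seen, score, verdict = defaultdict(set), defaultdict(float), {}
    for src, dst, outcome in events:
        if src in verdict or dst in seen[src]:
            continue  # already decided, or not a first contact
        seen[src].add(dst)
        if outcome == "synack":
            score[src] += math.log(THETA_SCANNER / THETA_BENIGN)
        else:  # "rst" or "timeout": targeted service unavailable
            score[src] += math.log((1 - THETA_SCANNER) / (1 - THETA_BENIGN))
        if score[src] >= UPPER:
            verdict[src] = "scanner"
        elif score[src] <= LOWER:
            verdict[src] = "benign"
    return {src: verdict.get(src, "undecided") for src in score}


# Constructed sample: 10.0.0.5 sweeps consecutive addresses and mostly gets
# nothing back; 10.0.0.7 talks to a handful of real servers, one of them down.
SAMPLE_EVENTS = (
    [("10.0.0.5", f"10.0.3.{i}", "timeout") for i in range(6)]
    + [("10.0.0.5", "10.0.9.9", "rst"), ("10.0.0.5", "10.0.9.10", "synack")]
    + [("10.0.0.7", "10.0.1.20", "synack"), ("10.0.0.7", "10.0.1.20", "synack"),
       ("10.0.0.7", "10.0.1.21", "synack"), ("10.0.0.7", "10.0.1.22", "rst"),
       ("10.0.0.7", "10.0.1.23", "synack"), ("10.0.0.7", "10.0.1.24", "synack"),
       ("10.0.0.7", "10.0.1.25", "synack")]
)

if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {v}")
```

With these parameters four net failed first contacts are enough to flag a source, which is why the detector reacts to a scanner after a handful of probes while a client that only retries one unreachable server is never flagged.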
34 Hostile Code Delivery
- E-mail: code delivery via email is a favorite mechanism of worms and worm-like viruses. The process begins with the worm composing a message containing hostile code and attempting to send that message to the targeted email address.
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
35 Hostile Code Delivery
- The configuration below forces the infected system to deliver the email via the designated relay and, furthermore, forces that email to be received by the designated mail exchange, significantly reducing the number of potential delivery paths that the system administrator must monitor.
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
36 Hostile Code Delivery
- Web clients
  - Forcing clients to use a designated proxy for web communication causes web content delivery to take the form shown in the figure below. Clients send requests for web content to the proxy, which then forwards the request on to the appropriate web server. The web server, in turn, provides the proxy with the requested content, which the proxy sends back to the requesting client.
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
37 Execution of Hostile Code
- E-mail clients
  - There are a number of mechanisms by which email clients can be induced to execute hostile code.
  - An email client may be induced to execute code in one of three ways:
    1.) Programmatic attack
    2.) Rendering by-product
    3.) User intervention
38 Additional Code Transfer
- Some worms transfer additional code from the infected system to the target system once the initial exploit of the targeted system is completed.
- Unfortunately, if the worm gets this far there is likely little that can be done to prevent its spread. At this point both the infected host and the targeted host are completely compromised, so any preventative measures must be deployed between these two systems.
- Once again, an appropriately configured firewall may prevent the complete propagation of the worm. This underlines the importance of having a well-configured policy regarding outgoing connections in addition to incoming connections.
39 Summary
As we can see from the previous slides the spread is phenomenal....
is the number of hosts infected in real time.
is the pairwise rate of infection.
is the infection rate.
40 Summary
- Breakdown of a typical current-day worm
  - Reconnaissance capabilities
  - Specific attack capabilities
  - A command interface
  - Communications capabilities
  - Intelligence capabilities
  - Unused attack capabilities
41 Summary
- Reconnaissance capabilities
  - Automated sweeps and scans to identify possible victims
  - Determine the best method to infect a new victim (if possible)
42 Summary
- Specific attack capabilities
  - Method by which the worm gains entry
    - Buffer overflows
    - cgi-bin errors
  - Attack portion of the code has two parts
    - Component which runs on the infected host
    - Component which looks for new hosts
43 Summary
- A command interface
  - A node is only worthwhile if it can be used
  - Interactive interface (direct login)
  - Automatic interface (parent-child)
44 Summary
- Communications capabilities
  - Components typically reside on different systems, therefore a method of communication is necessary
  - Transfer of information
  - Typically hidden
45 Summary
- Intelligence capabilities
  - Possible distributed effort
    - All machines working together
  - You must
    - Know who is infected
      - Can be achieved with an update message/email to a central point
      - What the network address is / system type
    - Know how to contact them
      - IRC chat lines
      - Direct login
46 Summary
- Unused attack capabilities
  - Multiple attack methods allow for more flexibility
  - Send only the necessary payload (specific attack)
47 Future
- Future worms will change
  - Infection mechanisms will become smarter
  - Use network topology to their advantage
  - Stealthier communications methods
  - Smarter target selection
  - More dynamic behavior
48 Future
- Typical defense (obvious stuff)
  - Patch, patch, patch
  - Defense in depth
  - IDS and response mechanisms
49 Future
- New detection strategies
  - Monitor shifts in traffic
  - Anomaly detection
  - Exploit worm network flaws
50 Conclusions
- Future defense against worms is labor intensive with the current Internet design.
- The infrastructure itself needs to assist with detecting Internet worms.
- A proper design could mimic a multi-level security system.
51 References
- http://www.sans.org/rr/whitepapers/malicious/1410.php
- http://www.cs.berkeley.edu/~nweaver/sapphire/
- http://www.securityfocus.com/infocus/1752
- http://www.icir.org/vern/papers/cdc-usenix-sec02/
- Kienzle, D. M., Elder, M. C., "Recent worms: a survey and trends," Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 1-10.
- N. Weaver, V. Paxson, et al., "A taxonomy of computer worms," Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 11-18.