WORM PROPAGATION - PowerPoint PPT Presentation

Slides: 52
Provided by: cse54
Learn more at: http://www.cse.unt.edu
Transcript and Presenter's Notes


1
WORM PROPAGATION
  • Terry Griffin
  • Sandeep Pinnamaneni
  • Vandana Gunupudi

2
Agenda
  • Introduction
  • Background
  • Infamous Worms
  • Benchmarks and Metrics
  • Requirements
  • Summary of Methods
  • Conclusion

3
Introduction
  • What is a worm?
  • Piece of software that propagates using
    vulnerabilities in software/application
  • Self-propagating (distinct from a virus)
  • Self-replicating
  • Spread through the Internet easily due to its
    open communication model

4
Classification of Worms
  • Target Discovery
  • How does a worm find new hosts to infect?
  • Carrier
  • How does it transmit itself to the target?
  • Activation
  • Mechanism by which the worm operates on the
    target
  • Payloads
  • What the worm carries to reach its goal

N. Weaver, V. Paxson, et al., A taxonomy of
computer worms, Proc. of the ACM Workshop on
Rapid Malcode, pp. 11-18, 2003.
5
Target Discovery
  • Scanning
  • Sequential or Random
  • Permutation scanning
  • Bandwidth-limited scanning
  • Pre-Generated Target lists
  • hit-list of probable victims
  • Externally/internally generated target lists
  • Topological Worm (Morris Worm)

6
Carrier (Propagation Mechanisms)
  • Self-carried
  • Actively transmits itself as part of the
    infection process
  • Second Channel
  • Require a secondary communication channel
  • Example: Blaster's primary channel is RPC; its
    secondary channel is TFTP
  • Embedded
  • Appends itself to normal messages

7
Activation Mechanism
  • Human Activation
  • Slowest activation method
  • Melissa
  • Human Activity based
  • Windows Share worms like Nimda
  • Scheduled Process Activation
  • Like unauthenticated automatic updates
  • Self Activation
  • Fastest method

8
Payloads
  • Code carried by the worm apart from its
    propagation routines
  • Empty Payload
  • most common
  • Internet Remote Control
  • Privileged back door
  • Spam-Relays
  • Sobig's Trojan opened an open mail relay
  • HTML-Proxies
  • Sobig distributed web proxies
  • Internet DoS (Code Red)

9
History of Worms
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
10
Morris Worm
  • Topological Worm (6-10% of all Internet hosts
    infected)
  • First large-scale worm that targeted VAX, Sun
    Unix systems
  • Target Discovery
  • Scanning the local subnet
  • Activation
  • Self Activation
  • Propagation Mechanism (Self Carried)
  • Exploiting a fingerd buffer overflow
  • Payload
  • None

11
Code Red I
  • July 19, 2001: more than 359,000 computers
    connected to the Internet were infected by the
    Code-Red I v2 worm in less than 14 hours

12
Code Red I
  • Target Discovery
  • Scanning
  • Activation
  • Self Activation
  • Propagation Mechanism (Self Carried)
  • Exploiting a Microsoft IIS Web Server buffer
    overflow
  • Payload
  • Defacement of websites

13
Code Red I
  • Exploited buffer overflow in Indexing Service in
    Microsoft IIS Server
  • Days 1-19 of each month:
  • displays a "Hacked by Chinese!" message on
    English-language servers
  • tries to open connections to infect randomly
    chosen machines using 100 threads
  • Days 20-27:
  • stops trying to spread
  • launches a denial-of-service attack on the IP
    address of www1.whitehouse.gov
  • Code Red I v1
  • July 12, 2001
  • Used static seed for random number generator
  • Each infected computer always tries to infect the
    same IP addresses
  • Not very damaging, spread slowly
  • Memory resident
  • Code Red I v2
  • July 19, 2001
  • Used random seed for random number generator

14
Code Red Damage
  • 359,000 hosts infected in 24 hour period
  • Between 11:00 and 16:00 UTC, the growth is
    exponential
  • 2,000 hosts infected per minute at the peak of
    the infection rate (16:00 UTC)

15
Nimda (September 18, 2001)
  • Target Discovery
  • Scanning, Email
  • Activation
  • Self Activation, User action
  • Propagation Mechanism (Self Carried)
  • Exploiting a Microsoft IIS Web Server buffer
    overflow
  • Payload
  • Defacement of websites
  • Multi-mode spreading
  • attack IIS servers via infected clients
  • email itself to address book as a virus
  • copy itself across open network shares
  • modifying Web pages on infected servers with a
    client exploit
  • scanning for Code Red II backdoor
  • Spread across firewalls.

16
SASSER Worm (2004)
  • April 29, 2004
  • Target Discovery
  • Random scanning of IP addresses on TCP port 445;
    can scan up to 1,024 addresses simultaneously
  • Mode of Transmission
  • Buffer Overflow in Windows Local Security
    Authority Service Server (LSASS)
  • Payload
  • Rootkit potential
  • Escalation of privileges

17
Witty (2004)
  • March 19, 2004
  • Buffer overflow vulnerability in ISS PAM module
  • Single UDP packet exploits flaw in the passive
    analysis of Internet Security Systems (ISS)
    products.
  • Bandwidth-limited UDP worm like Slammer.
  • Vulnerable pop. (12K) attained in 75 minutes.
  • Payload slowly corrupts random disk blocks.
  • Detailed telescope analysis reveals worm targeted
    a US military base and was launched from a
    European retail ISP account.

18
Other Worms
  • Network.vbs, February 2000
  • This worm had no payload and spread via
    unprotected Windows shares.
  • Ramen, January 2001
  • This worm targeted RedHat Linux systems via
    exploits that were 4-7 months old and, aside
    from defacing web pages, did not appear to be
    particularly malicious.
  • However, as noted by the Linux Weekly News,
    multicast traffic was affected as a byproduct of
    the worm's scanning mechanism, resulting in
    degraded service over the MBONE for both unicast
    and multicast traffic.

19
Network.vbs Worm
  • The Network.vbs worm propagates via unprotected
    Windows shares. The process as described in CERT
    Incident Note IN-2002-02 is as follows
  • 1. Perform a pseudo-random IP scan, looking for
    hosts with Windows filesharing enabled.
  • 2. Attempt to mount the share named C as local
    drive J.
  • 3. If mount is successful copy network.vbs script
    into the Startup program group.
  • Provided that the above is successful, the worm
    will be executed the next time someone logs into
    the system. It should be noted that the QAZ worm
    uses a similar mechanism, enumerating hosts
    within the Network Neighborhood and replacing
    notepad.exe with the worm binary.

20
ADM Worm
  • The ADM worm propagates via a buffer overflow in
    Unix systems running DNS server daemons derived
    from v 4.9.6 of the ISC BIND code.
  • The worm performs an incremental IP scan,
    starting from a random IP address, looking for
    DNS servers which support the IQUERY command.
    When such a server is encountered the worm
    attempts to exploit a buffer overflow in IQUERY
    response processing which, if successful, allows
    the worm to create an account for itself on the
    exploited host along with a setuid root shell.
  • This account and shell are used to transfer the
    worm's tarball to the targeted host via ftp, at
    which point the tarball is untarred and the worm
    is executed on the target host, beginning the
    propagation process all over again.

21
ADM Worm
  • ADM and other early worms (Millenium, Ramen,
    li0n, and Sadmind specifically) are composed of
    the following components
  • IP Scanner: A mechanism for selecting IPs to
    target.
  • One or more exploits: Pre-existing,
    programmatic-attack type exploits used by the worm
    to escalate its privilege level on the targeted
    system.
  • Propagation mechanism: Provides the logic
    necessary to move the worm archive from system to
    system, usually via the use of ftp or tftp.
  • Glue/misc scripts: These scripts tie the other
    components together and provide worm-specific
    functionality.

22
Slammer Worm Before
  • Figure taken from
    http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

23
Slammer Worm - After
24
SQL Slammer
  • The Slammer worm (also called Sapphire worm)
    consists of an IP scanner combined with an
    exploit for MS SQL Server, written in 376 bytes
    of code.
  • Slammer exploited a connectionless UDP service,
    rather than connection-oriented TCP.
  • Entire worm fit in a single packet!
  • Worm infected 75,000 hosts in 10 minutes
    (despite broken random number generator).
  • At its peak, doubled every 8.5 seconds

25
Slammer Worm
  • Propagation speed was Sapphire's novel feature:
    in the first minute, the infected population
    doubled in size every 8.5 (±1) seconds.
  • The worm achieved its full scanning rate (over 55
    million scans per second) after approximately
    three minutes, after which the rate of growth
    slowed down somewhat because significant portions
    of the network did not have enough bandwidth to
    allow it to operate unhindered. Most vulnerable
    machines were infected within 10-minutes of the
    worm's release. Although worms with this rapid
    propagation had been predicted on theoretical
    grounds, the spread of Sapphire provides the
    first real incident demonstrating the
    capabilities of a high-speed worm.
  • By comparison, it was two orders of magnitude
    faster than the Code Red worm, which infected over
    359,000 hosts on July 19th, 2001. In comparison,
    the Code Red worm population had a leisurely
    doubling time of about 37 minutes.

26
General Model of Worm Propagation
Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
27
Summary of Worm Propagation
  • Worm propagation can be broadly described by a 3
    (or 4) step process illustrated in the figure
    before:
  • 0.) Initial Infection: The model begins with the
    presumption that there exists a system that is
    already infected by the worm and that the worm is
    active on this system.
  • 1.) Target Acquisition: In order for the worm to
    propagate itself it must find additional systems
    to infect. Worms may actively target systems
    using:
    a. IP addresses
    b. Email addresses
    c. File system traversal
    It should also be noted that worms may passively
    target client systems, i.e. the trojaned web
    content delivered by web servers infected with
    the Nimda worm.

28
Worm Propagation
  • 2.) Delivery of Hostile Code: Once a system has
    been targeted, it is necessary to transfer the
    worm to the targeted system in preparation for
    infection. Code delivery has been observed to
    take place via the following:
    a. Network file systems
    b. Email
    c. Web clients
    d. Remote command shell (or equivalent)
    e. As part of packet payload associated with
       buffer overflows and similar programmatic
       exploits.
  • 3.) Execution of Hostile Code: The presence of
    hostile code on a system is not sufficient for
    worm propagation; execution of the code must be
    triggered in some fashion. Code may be executed
    via:
    a. Direct invocation from the command line (or
       equivalent)
    b. Buffer overflow or other programmatic attack
    c. Email clients
    d. Web clients
    e. User intervention
    f. Automatic execution by target system.
  • 4.) Some worms may only transfer a portion of
    their code in step 3. In that case it is
    necessary for them to transfer the remaining
    code once the target system has been
    compromised. This can be achieved via:
    a. FTP/TFTP
    b. Network file systems

29
Benchmarks and Metrics
  • Infection Size
  • Percentage of nodes infected
  • Reaction Time
  • Time between detection of a worm and deployment
    of worm control measures
  • Obviously the lower the better
  • Penetration Ratio
  • Number of nodes infected compared to the size of
    the possible domain
  • Related to infection ratio
  • False Positives/Negatives

30
Propagation Countermeasures
  • The analysis below examines each step in the
    propagation model in detail to determine what
    countermeasures, if any, prove effective.
  • Target Acquisition
  • The specific targeting mechanism varies based on
    the means by which the hostile code will be
    delivered to the target system.
  • 1.) IP Scanning
  • The most popular method for targeting systems to
    date seems to be IP scanning.

31
Target Acquisition
  • The most basic scanning algorithm is as follows
  • 1. Generate an IP address.
  • 2. Perform local setup for network communication.
  • 3. Attempt to connect to the targeted system by
    sending a TCP SYN packet to <Targeted IP
    Address>:<Port of Targeted Service>.
  • a.) If a TCP SYN-ACK packet is received then the
    remote system at <Target IP> is listening on
    <Port of targeted service>. Send an ACK packet
    and proceed with transfer of hostile code.
  • b.) Receipt of any other type of packet from
    <Target IP>, or failure to receive any packet
    after a certain number of tries, indicates that
    the targeted service is not available for some
    reason. Return to step 1.

32
Target Acquisition
  • The simplest countermeasure to deploy is also the
    most effective: unneeded services should be
    turned off. In this situation, the infected host
    sends a SYN packet that is received by the target
    host as usual. However, since the service is
    turned off, there is no process listening on the
    destination port on the target host.
  • The proper response in this situation is for the
    target host to send back an RST packet, the
    receipt of which tells the infected host that the
    targeted service is unavailable, causing the
    infected host to move on to the next target
    (Loop).

33
Target Acquisition
  • In a typical network configuration a firewall is
    deployed somewhere on the network path between
    the infected host and the target host, as shown in
    the figure below. When the infected host sends a
    SYN packet to the target host the packet is first
    intercepted by the firewall. The firewall is
    configured to prevent most systems from accessing
    services on the target host, which is achieved by
    silently discarding the SYN packet. The infected
    system will generally send several more SYN
    packets that will be treated in the same manner,
    after which the infected system will assume that
    the targeted service is unavailable and move on
    to the next target.

Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
34
Hostile Code Delivery
  • E-mail: Code delivery via email is a favorite
    mechanism of worms and worm-like viruses. The
    process begins with the worm composing a message
    containing hostile code and attempting to send
    that message to the targeted email address.

Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
35
Hostile Code Delivery
  • The configuration below forces the infected
    system to deliver the email via the designated
    relay and, furthermore, forces that email to be
    received by the designated mail exchange,
    significantly reducing the number of potential
    delivery paths that the system administrator must
    monitor.

Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
36
Hostile Code Delivery
  • Web Clients
  • Forcing clients to use a designated proxy for web
    communication causes web content delivery to take
    the form shown in the figure below. Clients send
    requests for web content to the proxy, which then
    forwards the request on to the appropriate web
    server. The web server, in turn, provides the
    proxy with the requested content, which the proxy
    sends back to the requesting client.

Source: http://www.sans.org/rr/whitepapers/malicious/1410.php
37
Execution of Hostile Code
  • E-mail Clients
  • There are a number of mechanisms by which email
    clients can be induced to execute hostile code.
  • An email client may be induced to execute code in
    one of three ways:
  • 1.) Programmatic Attack
  • 2.) Rendering By-Product
  • 3.) User Intervention

38
Additional Code Transfer
  • Some worms transfer additional code from the
    infected system to the target system once the
    initial exploit of the targeted system is
    completed.
  • Unfortunately, if the worm gets this far there is
    likely little that can be done to prevent its
    spread. At this point both the infected host and
    the targeted host are completely compromised, so
    any preventative measures must be deployed
    between these two systems.
  • Once again, an appropriately configured firewall
    may prevent the complete propagation of the worm.
    This underlies the importance of having a
    well-configured policy regarding outgoing
    connections in addition to incoming connections.

39
Summary
As we can see from the previous slides the spread is
phenomenal....
  is the number of hosts infected in real time.
  is the pairwise rate of infection.
  is the infection rate.
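The quantities named on this slide are those of the simple epidemic model of worm spread. As an added example that is not from the original slides, the Python below assumes the standard logistic form dI/dt = β·I·(N − I) (the slide does not write the equation out), derives β from the doubling times quoted earlier (about 37 minutes for Code Red, 8.5 seconds for Slammer), and uses it to compute the infection size reached for a given reaction time, the two metrics from slide 29.

```python
"""Simple epidemic model of worm growth, as an added example (not from
the original slides).  Assumed model: N vulnerable hosts, I(t) infected,
pairwise infection rate beta, dI/dt = beta * I * (N - I).  The slide only
names these quantities; the closed-form solution and the mapping from a
quoted doubling time to beta are assumptions made here."""
import math

def beta_from_doubling_time(n_hosts, doubling_seconds):
    """Early on I << N so dI/dt ~ (beta*N)*I, i.e. exponential growth with
    rate beta*N; a doubling time T therefore gives beta*N = ln2 / T."""
    return math.log(2) / (doubling_seconds * n_hosts)

def infected_at(t, n_hosts, beta, i0=1):
    """Closed-form logistic solution I(t) of the model, starting from i0."""
    k = beta * n_hosts
    return n_hosts / (1 + (n_hosts - i0) / i0 * math.exp(-k * t))

def time_to_fraction(frac, n_hosts, beta, i0=1):
    """Seconds until the infected fraction of n_hosts reaches frac (0<frac<1)."""
    k = beta * n_hosts
    return math.log(frac / (1 - frac) * (n_hosts - i0) / i0) / k

def infection_size_at_reaction(reaction_seconds, n_hosts, doubling_seconds):
    """Infection size (slide 29: fraction of vulnerable hosts infected) at
    the moment control measures are deployed, reaction_seconds after the
    first infection (slide 29: reaction time)."""
    beta = beta_from_doubling_time(n_hosts, doubling_seconds)
    return infected_at(reaction_seconds, n_hosts, beta) / n_hosts

if __name__ == "__main__":
    # Doubling times quoted on the slides: Code Red ~37 min, Slammer ~8.5 s;
    # host counts are the infected populations the slides report.
    for name, n, dbl in (("Code Red", 359_000, 37 * 60), ("Slammer", 75_000, 8.5)):
        beta = beta_from_doubling_time(n, dbl)
        t90 = time_to_fraction(0.9, n, beta) / 60
        size = infection_size_at_reaction(10 * 60, n, dbl)
        print(f"{name}: 90% infected after {t90:.1f} min; "
              f"infection size with a 10 min reaction time: {size:.1%}")
```

Under these assumptions Code Red needs roughly 13 hours to reach 90% of its population while Slammer needs under three minutes, so a ten-minute reaction time bounds Code Red's infection size to a handful of hosts but does nothing against Slammer; the real Slammer was slower than the model because, as slide 25 notes, it became bandwidth-limited.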
40
Summary
  • Breakdown of a typical current day worm
  • Reconnaissance capabilities
  • Specific attack capabilities
  • A command interface
  • Communications capabilities
  • Intelligence capabilities
  • Unused attack capabilities

41
Summary
  • Reconnaissance capabilities
  • Automated sweeps and scans to identify possible
    victims
  • Determine best method to infect new victim (if
    possible)

42
Summary
  • Specific attack capabilities
  • Method in which the worm gains entry
  • buffer overflows
  • cgi-bin errors
  • Attack portion of code has two parts
  • component which runs on infected host
  • component which looks for new host

43
Summary
  • A command interface
  • Node is only worthwhile if it can be used
  • Interactive interface (direct login)
  • Automatic interface (parent/child)

44
Summary
  • Communications capabilities
  • Typically reside on different systems, therefore
    method of communication is necessary
  • Transfer of information
  • Typically hidden

45
Summary
  • Intelligence capabilities
  • Possible distributed effort
  • All machines working together
  • You must
  • Know who is infected
  • can be achieved with an update message/email to a
    central point
  • what the network address / system type is
  • How to contact them
  • irc chat lines
  • direct login

46
Summary
  • Unused attack capabilities
  • Multiple attack methods allow for more
    flexibility
  • Send only necessary payload (specific attack)

47
Future
  • Future Worms will change
  • Infection mechanisms will become smarter.
  • Use network topology to their advantage.
  • Stealthier communications methods
  • Smarter Target Selection
  • More dynamic behavior

48
Future
  • Typical Defense (obvious stuff)
  • Patch, Patch, Patch
  • Defense in Depth
  • IDS and Response Mechanisms

49
Future
  • New Detection Strategies
  • Monitor shifts in traffic
  • Anomaly Detection
  • Exploit worm network flaws

50
Conclusions
  • Future defense of worms is labor intensive with
    current Internet design.
  • The infrastructure itself needs to assist with
    detecting Internet Worms.
  • A proper design could mimic a multi-level
    security system.

51
References
  • http://www.sans.org/rr/whitepapers/malicious/1410.php
  • http://www.cs.berkeley.edu/nweaver/sapphire/
  • http://www.securityfocus.com/infocus/1752
  • http://www.icir.org/vern/papers/cdc-usenix-sec02/
  • Kienzle, D. M., Elder, M. C., Recent worms: a
    survey and trends, Proceedings of the 2003 ACM
    Workshop on Rapid Malcode, pp. 1-10.
  • N. Weaver, V. Paxson, et al., A taxonomy of computer
    worms, Proc. of the ACM Workshop on Rapid Malcode,
    pp. 11-18, 2003.