Digging For Worms, Fishing For Answers

1
Digging For Worms, Fishing For Answers

• Speaker Lim Ka Tiong
• Based on the original paper by CER

2
Objective

• Malicious programs like worms also need to do
  some probing (like port scans) in order to select
  potential victims to attack.
• So can we make use of this behaviour to help us
  detect a worms presence?

3
Outline

• Background Information
• Modelling Worms Behaviour
• Detection Techniques
• Current Techniques
• Proposed Technique
• Final Remarks

4
Background Information

• Definition of worm SAN
• A computer program that can run independently,
  can propagate a complete working version of
  itself onto other hosts on a network, and may
  consume computer resources destructively.

5
Background Information

• Characteristics of worms MIG
• Propagation nature
• Exploited vulnerability
• Impact on infected host
• Attack rate dynamics
• IP address scanning

6
Background Information

• A few recent worms
• w32.beagle.o_at_mm
• w32.bizex.worm
• Refer to Symantec

7
Modelling Worms Behaviour

• The Four stage Life-cycle

8
Modelling Worms Behaviour

• Phase 1 Target Selection
• Performs reconnaissance.
• Simply probes a potential victim to see if its
  running a service on a particular port.
• If service is running,
• go to phase 2

9
Modelling Worms Behaviour

• Phase 2 Exploitation
• Compromises the target by exploiting a particular
  vulnerability.
• Often use well-known vulnerabilities and
  published exploits.
• If succeed,
• go to phase 3

10
Modelling Worms Behaviour

• Phase 3 Infection
• Set up shop on the newly infected machine.
• Activities can be anything.
• e.g. do nothing, open back doors, change system
  files, etc
• Okies, lets spread!

11
Modelling Worms Behaviour

• Phase 4 Propagation
• Attempts to spread by choosing new targets.
• Difference from Target Selection! - in the point
  of view from which the actions take place.
• Infected local host is choosing new target using
  probes going out in outbound network traffic.

12
Modelling Worms Behaviour
13
Detection Techniques

• Current Techniques
• Focus on detecting Target Selection,
  Exploitation, Infection.
• Proposed Technique
• Focus on detecting Propagation by watching
  outbound network traffic from an infected host.

14
Current Techniques

• Detecting Target Selection
• Involves inbound network probe Firewall.
• Involves probe on public services Testing for
  X events of interest across a Y sized time
  window. SDJ
• Limitation
• What if infected host sends only one probe into a
  network? (e.g. receive only one inbound request)

15
Current Techniques

• Detecting Exploitation
• Keep servers up-to-date with the latest patches!
• Use signatures based filter NIDS.
• Limitation
• What if it is a new vulnerability and the exploit
  has never been seen in the wild?

16
Current Techniques

• Detecting Infection
• Modifies system files file integrity program.
• Opens a backdoor netstat / network scanner.
• Limitation
• How do we know the exact actions of a worm?
• What if there is little noticeable footprints?

17
Proposed Technique

• Idea To detect Propagation by watching outbound
  network traffic from an infected host.
• Prior Work in detecting scans
• GrIDS (Graph Based IDS)
• Bro IDS
• Using the X Events in Y Period of Time Technique.

18
Proposed Technique

• Prior Work Graph Based IDS SSR
• Building activity graphs of network traffic.
• e.g. look for tree-like connection graph.

19
Proposed Technique

• Prior Work Bro IDS VPA
• Have outbound scan detection built in using rule
  description language.
• e.g. to look for the number of connections to
  cross a particular threshold, but no timing
  mechanism is used.

20
Proposed Technique

• X Events in Y Period of Time Technique in
  Outbound Scan Detection
• Can see all of the scans leaving a scanning
  (infected) host.
• Attempt to distinguish a horizontal scan.

21
Huh? Explanation

• Horizontal Scan?
• Horizontal scan occurs when a worm is only
  probing a particular port on a set of different
  hosts.
• e.g. probing of port 53 on randomly selected IP
  addresses.
• Vertical scan occurs when a scanning host probes
  several ports on the same target.

22
Proposed Technique

• X Events in Y Period of Time Technique in
  Outbound Scan Detection
• Can see all of the scans leaving a scanning
  (infected) host.
• Attempt to distinguish a horizontal scan.
• Detection will be performed at a network sensor
  that can see all traffic, not on the infected
  host.

23
Huh? Explanation

• Why at the network sensor?
• So that detection will not be altered or switch
  off (by the worm or user).
• Detection will be performed at a network sensor
  that can see all traffic,
• Then determine a fixed count for outbound packets
  (Threshold) over a fixed period of time (Quantum).

24
Proposed Technique

• X Events in Y Period of Time Technique in
  Outbound Scan Detection
• Can see all of the scans leaving a scanning
  (infected) host.
• Attempt to distinguish a horizontal scan.
• Detection will be performed at a network sensor
  that can see all traffic, not on the infected
  host.
• Sound alert when Threshold is exceeded.

25
Proposed Technique

• X Events in Y Period of Time Technique

26
Proposed Technique

• Limitations
• What if the worm is content to spread slowly?
• What if the worm evolve to employ other
  techniques to spread?

27
Final Remarks

• Current Implementation and Future Work
• Preliminary tests on isolated network can detect
  rapid horizontal scans.
• Next is to deploy it on a production network to
  determine value of Threshold and Quantum.
• Investigation on techniques to detect other type
  of outbound scans.

28
Other Related Works

• Twycross Williamson TW
• Focus on the network behaviour of virus.
• The attempt to create a large number of outgoing
  connections per second.
• Restrict the rate of connections to new hosts
  such that most normal traffic is unaffected.
• Toth Kruegel TK

29
Discussion

• Contact limkatio_at_comp.nus.edu.sg

30
References

• CER The CERIAS Intrusion Detection Research
  Group. Digging for Worms, Fishing for Answers. In
  Proceedings of the Annual Computer Security
  Application Conference (ACSAC'02), 2002.
  http//www.acsac.org/2002/abstracts/68.html
• SAN SANS Glossary of Terms Used in Security
  and Intrusion Detection, updated May 2003.
  http//www.sans.org/resources/glossary.php
• MIG Miguel Vargas Martin. Overview of Worms
  and Defence Strategies, 2003. http//www.scs.carle
  ton.ca/mvargas/lecture95.4108-v1.0.pdf
• SDJ S. Northcutt, D. McLachlan, and J. Novak.
  Network Intrusion Detection An Analyst's
  HandBook. New Riders, Sep 2000.
• SSR S. Staniford-Chen, S. Cheung, R. Crawford,
  M. Dilger, J. Frank, J. Hoagland, K. Levitt, C.
  Wee, R. Yip, D. Zerkle. GrIDS - A Graph Based
  Intrusion Detection System for Large Networks.
  http//seclab.cs.ucdavis.edu/arpa/grids/welcome.ht
  ml
• VPA V. Paxson. Bro A System for Detecting
  Network Intruders in Real-Time.
  http//www.icir.org/vern/bro-info.html
• TW Twycross Williamson. Implementing and
  testing a virus throttle. In 12th Usenix Security
  Symposium, 2003. http//www.hpl.hp.com/techreport
  s/2003/HPL-2003-103.pdf
• TK Toth Kruegel. Evaluating the impact of
  automated intrusion response mechanisms. In
  Proceedings of the Annual Computer Security
  Application Conference (ACSAC'02), 2002.
  http//www.acsac.org/2002/papers/78.pdf