1、The Coming Age of Defensive Worms David Meltzer CTO, Intrusec,Why?,“I dont know whether a good worm can be safe and effective, but this merits serious technical study.”- Martha Stansell-Gamm (May 26, 2003)1 Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice,What Wil
2、l You Learn?,The history of good wormsThe problems with defensive wormsHow defensive worm problems are solvedPossible evolutionary steps,The Question,Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?,Worm Reality,A new exploit just came out.You
3、 have 5,000 vulnerable systems.The worm is coming.What do you do?,The Worm Antidote,It fixes all the systems on your network.It does it faster than the worm can spread.It only infects your own systems.Do you run it?,Which Worm Do You Want?,What Will You Learn?,The history of good wormsThe problems w
4、ith defensive wormsHow defensive worm problems are solvedPossible evolutionary steps,“Good Worms”,A Worm, BUT A “beneficial” payload BUT Still Disruptive to networks Runs without permission Requires clean-up ILLEGAL,What Do “Good Worms” Do?,ScanListenExploitPatchDisinfect,Timeline of “Good Worms”,19
5、99,2000,2001,2002,2003,Case Study: Millenium2,3,Discovered 8/15/99 Written by Mixter4 Multiple Linux Vulns: Scans, Patches, BackdoorsScans for systems vulnerable to 5 remote linux holes Exploits remote system Patches 5 linux vulns Installs a backdoor Sends notification to hotmail address of infectio
6、n Installs itself on system,Case Study: Cheese5,Discovered 5/01 Unknown Author Lion Worm Response: Scans, DisinfectsScans for systems infected by Lion Installs itself using backdoor left by Lion Removes Lion backdoor from system,Case Study: Code Green6,Code Released 9/1/2001 Written by Der HexXer Co
7、de Red Response: Scans, Disinfects, Patches Scans for systems infected with CodeRed Exploits ISAPI vuln on infected systems Removes CodeRed from system Installs Q300972 Hotfix on system Installs itself on system,Case Study: CRClean7,Code Released 9/1/2001 Written by Markus Kem Code Red Response: Lis
8、tens, Disinfects, Patches Listens for CodeRed to attack it Exploits ISAPI vuln on CodeRed attackers Removes CodeRed from system Patches ISAPI vuln on system Installs itself on system,Industry Thinking on “Good Worms”,“Generally Not Well Regarded” eEye8,Industry Thinking on “Good Worms” - Continued,“
9、The idea of a patch worm is a nice thought, but it is not a solution” - CERT9,Industry Thinking on “Good Worms” - Continued,“You cannot predict whats going to happen. You dont know what the impact is going to be if its altered. Its never an alternative.” Trend Micro10,Industry Thinking on “Good Worm
10、s” - Continued,“You cannot predict whats going to happen. You dont know what the impact is going to be if its altered. Its never an alternative.” Trend Micro10,Industry Thinking on “Good Worms” - Continued,“-What about the traffic it takes up? -What about the boxes that dont patch properly, dont mak
11、e it back after reboot, or took down etrade in the middle of a trading day? -How does your worm know when its done?-Maybe I dont want my box patched, the patch broke my app -How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really
12、 a bad worm?-How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If theres still *A* worm around on the 1st, which one is it?-Do we really want an Internet-sized game of corewars?”,Industry Thinking on “Good Worms” -
13、 Continued,“Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephensons “The Diamond Age,“ not on production Internet servers.” Timothy Dyck11,Industry Thinking on “Good Worms” - Continued,“ Worms are inherently uncontrollable, meaning
14、that good worms will cause traffic problems and spread out of control. This is true of most worms today, but thats only because no one has designed a legitimate, well-coded and peer-reviewed good worm” eWeek12,/. Wisdom,“The only question raised here is, am I really going to trust this “helpful“ wor
15、m or others like it to fully patch up my box properly?”“Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong” “Worms like this wouldnt exist or be news if more sysadmins would do their job instead of playing Quake, looking at
16、pr0n, or IRCing all day.”“Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”,What Will You Learn?,The history of good wormsThe problems with defensive wormsHow defensive worm problems are solvedPossible evolutionary steps,Problems with Good Worms,No good worm to date has be
17、en remotely useable in a legal and effective manner.,Problem #1 - Legality,To run a worm legally, it must NEVER attempt to access unauthorized systems.Extreme safeguards must be taken. A software bug will land you in jail.,Problem #2 Network Usage,Worms are extremely noisy, causing network slowdowns
18、 and denial of services as a side-effect of running.Need to be network friendly.,Problem #3 Cleaning Up,Worms spreads leaving a new mess to clean-up replacing the old mess.Need to know when the work is done and perform its own clean-up.,Problem #4 Management,Worms are uncontrollable once “released”N
19、eed to be able to centrally manage operation and results of worm while it is running.,“Defensive Worms”,A Good Worm, BUT NOT Disruptive to networks ONLY Runs with permission NO clean-up LEGALUsable defensive worms do not exist, yet.,What Will You Learn?,The history of good wormsThe problems with def
20、ensive wormsHow defensive worm problems are solvedPossible evolutionary steps,Solution #1 Legality,Redundant Safeguards,Solution #1 Legality,Restriction Models Opt-Out Passive IP Ranges Border Routers DNS,Solution #1 Legality,Lysine Deficiency13,Solution #1 Legality,Lysine DeficiencyA built-in mecha
21、nism that causes a worm to die if it spreads beyond its intended set of targets.“Reverse Lysine” = Opt-Out (CodeRed),Solution #1 Legality,HeartbeatsA central server is checked before each time a worm launches an attack. If the server doesnt return a heartbeat, the worm pauses its operation.After a t
22、imeout period, if heartbeat hasnt returned, worm self-destructs.,Solution #1 Legality,IP RangesThe worm is configured with the IP addresses you are authorized to attack.,Solution #1 Legality,Border RoutersThe worm is configured with the border routers of a network. All systems within the network you
23、 are authorized to attack.If border router comes between a prospective target and worm, worm does not propagate to it.|If a border router isnt on the route to a known Internet server, worm is already outside its authorized network.,Solution #1 Legality,DNSThe worm is configured with domain names. Al
24、l systems with hosts that resolve within that domain you are authorized to attack.Worm performs a DNS lookup on all prospective targets. If DNS doesnt resolve to an authorized domain name, target is not authorized.,References,1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http
25、:/ 2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, Sept, 1999. URL: http:/ 3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http:/ 4. Mixter. “mw06.tgz”, September 23, 1999. URL: http:/packetstormsecurity.nl/groups/mixter/mw06.tgz 5. Barber, Bryan. “Cheese Worm: Pros
26、 and Cons of a Friendly Worm”, July 21, 2001. URL: http:/www.sans.org/rr/papers/36/31.pdf 6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http:/ 7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http:/ 8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Wo
27、rms”, November 21, 2001. URL: http:/ 9. Houle, Kevin. Quoted in “Cheese worm: A Linux fixer-upper? By Robert Lemos”, May 16, 2001. URL: http:/ 10. Hartmann, Joe. Quoted in “Cheesy Fix-It Worm Patches Security Flaws By Jay Lyman”, May 18, 2001. URL: http:/ 11. Dyck, Timothy. “Thanks, but we dont want your Cheese (worm)!”, June 30, 2001. URL: http:/ 12. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http:/
