    Addressing The Threat of Internet Worms.ppt

Resource ID: 378047 · Size: 335.50 KB · Pages: 41 · Format: PPT

Addressing The Threat of Internet Worms
Vern Paxson, ICSI Center for Internet Research and Lawrence Berkeley National Laboratory, vern@icir.org
April 14, 2005

Outline
- Worms as seen in the wild
- "Better" worms: likely evolution
- Detection & defense
- CCEID: Collaborative Center for Internet Epidemiology and Defenses - UCSD (Prof. Stefan Savage) & ICSI

What is a Worm?
- Self-replicating/self-propagating code.
- Spreads across a network by exploiting flaws in open services.
  - As opposed to viruses, which require user action to quicken/spread
- Enabled by Internet's open communication model plus lack of implementation diversity

The Morris Worm: Nov. 1988
- First large-scale worm
- Targeted VAX, Sun Unix systems
- Spread by:
  - Scanning the local subnet
  - Mining /etc/passwd, /etc/hosts.equiv, .rhosts for targets
  - Exploiting a fingerd buffer overflow
  - Exploiting sendmail's DEBUG mode (not a bug!)
- Included code to:
  - Crack passwords (including 400-word obfuscated dictionary)
  - Detect co-resident worm processes
  - Die off if magic global is set
  - Phone home to ernie.berkeley.edu (buggy)
- 6-10% of all Internet hosts infected

Code Red: July/Aug. 2001
- Initial version released July 13, 2001.
- Exploited known bug in Microsoft IIS Web servers.
- Payload: web site defacement
  - "HELLO! Welcome to http:/! Hacked By Chinese!"
  - Only done if language setting = English

Code Red of July 13, cont.
- 1st through 20th of each month: spread.
- 20th through end of each month: attack.
  - Flooding attack against 198.137.240.91, i.e., www.whitehouse.gov
- Spread: via random scanning of 32-bit IP address space.
- But: failure to seed random number generator → linear growth.

Code Red, cont.
- Revision released July 19, 2001.
- White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
  - Causes Code Red to die on and after the 20th of the month due to failure of TCP connection to establish.
- But: this time random number generator correctly seeded. Bingo!

Measuring Internet-Scale Activity: Network Telescopes
- Idea: monitor a cross-section of Internet address space to measure network traffic involving a wide range of addresses
  - "Backscatter" from DOS floods
  - Attackers probing blindly
  - Random scanning from worms
- LBNL's cross-section: 1/32,768 of Internet
  - Small enough for appreciable telescope lag
- UCSD, UWisc's cross-section: 1/256.

Spread of Code Red
- Network telescopes give lower bound on # infected hosts: 360K. (Beware DHCP & NAT)
- Course of infection fits classic logistic.
  - Note: the larger the vulnerable population, the faster the worm spreads.
- That night (the 20th), worm dies except for hosts with inaccurate clocks!
  - It just takes one of these to restart the worm on August 1st.

Striving for Greater Virulence: Code Red 2
- Released August 4, 2001.
- Comment in code: "Code Red 2." But in fact completely different code base.
- Payload: a root backdoor, resilient to reboots.
- Bug: crashes NT, only works on Windows 2000.
- Localized scanning: prefers nearby addresses.
- Kills Code Red I.
- Safety valve: programmed to die Oct 1, 2001.

Striving for Greater Virulence: Nimda
- Released September 18, 2001.
- Multi-mode spreading:
  - attack IIS servers via infected clients
  - email itself to address book as a virus
  - copy itself across open network shares
  - modifying Web pages on infected servers w/ client exploit
  - scanning for Code Red II backdoors (!)
- Worms form an ecosystem!
- Leaped across firewalls.

(Figure slides, telescope plots: Code Red 2 kills off Code Red 1 / Code Red 2 settles into weekly pattern / Nimda enters the ecosystem / Code Red 2 dies off as programmed / CR 1 returns thanks to bad clocks / Life Just Before Slammer / Life Just After Slammer)

A Lesson in Economy
- Slammer exploited connectionless UDP service, rather than connection-oriented TCP.
  - Entire worm fit in a single packet!
  - When scanning, worm could "fire and forget". Stateless!
- Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator).
  - At its peak, doubled every 8.5 seconds
- Progress limited by the Internet's carrying capacity (= 55 million scans/sec)

Modeling Worm Spread
- Often well described as infectious epidemics
  - Simplest model: Homogeneous random contacts
- Classic SI model
  - N: population size
  - S(t): susceptible hosts at time t
  - I(t): infected hosts at time t
  - contact rate
  - i(t): I(t)/N, s(t): S(t)/N

The Usual Logistic Growth
(figure slide)

Slammer's Bandwidth-Limited Growth
(figure slide)

Blaster
- Released August 11, 2003.
- Exploits flaw in RPC service ubiquitous across Windows.
- Payload: attack Microsoft Windows Update.
- Despite flawed scanning and secondary infection strategy, rapidly propagates to 8 million (?!) hosts.
  - Actually, bulk of infections are really Nachia, a Blaster counter-worm.
- Key paradigm shift: the "perimeter" is gone.

Attacks on Passive Monitoring
- Exploits for bugs in read-only analyzers!
- Suppose protocol analyzer has an error parsing unusual type of packet
  - E.g., tcpdump and malformed options
- Adversary crafts such a packet, overruns buffer, causes analyzer to execute arbitrary code

Witty
- Released March 19, 2004.
- Single UDP packet exploits flaw in the passive analysis of Internet Security Systems products.
- "Bandwidth-limited" UDP worm à la Slammer.
- Vulnerable pop. (12K) attained in 75 minutes.
- Payload: slowly corrupt random disk blocks.
- Flaw had been announced the previous day. Written by a Pro.
- Detailed telescope analysis reveals worm targeted a US military base and was launched from a European retail ISP account.

What if Spreading Were Well-Designed?
- Observation (Weaver): Much of a worm's scanning is redundant.
- Idea: coordinated scanning
  - Construct permutation of address space
  - Each new worm starts at a random point
  - Worm instance that "encounters" another instance re-randomizes.
- Greatly accelerates worm in later stages.
- Also note: worm can spread & then stop.

What if Spreading Were Well-Designed?, cont.
- Observation (Weaver): Accelerate initial phase using a precomputed hit-list of say 1% vulnerable hosts.
  - At 100 scans/worm/sec, can infect huge population in a few minutes.
- Observation (Staniford): Compute hit-list of entire vulnerable population, propagate via divide & conquer.
  - With careful design, 10^6 hosts in 2 sec!

What if Spreading Were Well-Designed?, cont.
- Observation (Morris): worms don't need to randomly scan
- Meta-server worm: ask server for hosts to infect (e.g., Google for "powered by phpbb")
- Topological worm: fuel the spread with local information from infected hosts (web server logs, email address books, config files, SSH "known hosts")
- No scanning signature; with rich interconnection topology, potentially very fast.

What if Spreading Were Well-Designed?, cont.
- Contagion worm: propagate parasitically along with normally initiated communication.
  - E.g., using 2 exploits - Web browser & Web server - infect any vulnerable servers visited by browser, then any vulnerable browsers that come to those servers.
  - E.g., using 1 P2P exploit, glide along immense file sharing networks in days/hours.
- No unusual connection activity at all! :-(

What can be done?*
- Recall SI model:
  - N: population size
  - S(t), I(t): susceptible/infectible hosts at time t
  - contact rate
- Reduce the number of susceptible hosts
  - Prevention: reduce S(t) while I(t) is still small (ideally reduce S(0))
- Reduce the contact rate
  - Containment: reduce the contact rate while I(t) is still small
* Much of this framing of the material is courtesy Stefan Savage.
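The SI model on the "Modeling Worm Spread" slide and the two defensive levers on the "What can be done?" slide (reduce S(0), reduce the contact rate) can be worked through numerically. The following is an added example, not material from the talk: it uses the slides' N, S(t), I(t), s(t), i(t) notation, names the contact rate beta (an assumed symbol, since the slide's own symbol did not survive extraction), takes the 360K Code Red lower bound from the "Spread of Code Red" slide as N, and uses constructed scan rates.

```python
"""SI ('susceptible-infected') worm spread model worked through in Python.
Added example, not code from the talk.  Notation from the slides: N, S(t),
I(t), s(t) = S(t)/N, i(t) = I(t)/N.  The contact rate is called beta here
(assumed symbol); scan rates below are constructed, not measured."""
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 space a random-scanning worm probes


def contact_rate(scans_per_sec_per_worm, n_vulnerable):
    """beta for uniform random scanning: a scan lands on a vulnerable host with
    probability N / 2^32, so each infected host contacts r * N / 2^32 vulnerable
    hosts per second.  Larger N => larger beta => faster spread, which is the
    point made on the 'Spread of Code Red' slide."""
    return scans_per_sec_per_worm * n_vulnerable / ADDRESS_SPACE


def infected_fraction(t, beta, i0):
    """Logistic solution of di/dt = beta * i * (1 - i) with i(0) = i0
    (s = 1 - i, since every host is either susceptible or infected)."""
    return i0 / (i0 + (1.0 - i0) * math.exp(-beta * t))


def time_to_fraction(beta, i0, target=0.5):
    """Invert the logistic: seconds until i(t) reaches `target`."""
    return math.log(target * (1.0 - i0) / (i0 * (1.0 - target))) / beta


def simulated_half_time(beta, n, i0_hosts, dt=1.0, t_max=10 ** 6):
    """Forward-Euler simulation of the same model (the curve shape shown on the
    'Usual Logistic Growth' slide); returns the first t with I(t) >= N/2."""
    i, t = i0_hosts / n, 0.0
    while i < 0.5 and t < t_max:
        i += beta * i * (1.0 - i) * dt
        t += dt
    return t


def compare_defenses(n=360_000, scans_per_sec=10.0):
    """Seconds to 50% infection for a baseline worm and for the two levers on
    the 'What can be done?' slide.  n=360K is the Code Red lower bound from the
    'Spread of Code Red' slide; scans_per_sec is a constructed figure."""
    i0 = 1.0 / n
    base = time_to_fraction(contact_rate(scans_per_sec, n), i0)
    # Prevention: patch half the population before the worm arrives, so S(0)
    # halves and so does beta (fewer vulnerable hosts per scan).
    patched = time_to_fraction(contact_rate(scans_per_sec, n // 2), 1.0 / (n // 2))
    # Containment: a virus throttle cutting each host's scan rate 10x -> beta/10.
    throttled = time_to_fraction(contact_rate(scans_per_sec / 10, n), i0)
    return {"baseline": base, "patch_half": patched, "throttle_10x": throttled}


if __name__ == "__main__":
    for name, secs in compare_defenses().items():
        print(f"{name:13s} 50% infected after {secs / 3600:6.1f} h")
```

With these constructed inputs the baseline reaches half the population in roughly four hours, halving S(0) roughly doubles that, and a tenfold throttle on the contact rate stretches it tenfold: the closed form shows that the half-time scales as ln(N)/beta, so cutting beta buys far more time than cutting N, which is why the slides separate containment from prevention.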

Prevention
- Host-based:
  - Make the monoculture hardier
  - Diversify the monoculture
- Network-based:
  - Keep vulnerabilities inaccessible
  - Cisco's Network Admission Control: Frisk hosts that try to connect, block if vulnerable
  - Microsoft's Shield: Shim-layer blocks network traffic that fits known vulnerability (rather than known exploit)

Containment
- Reduce contact rate
- Slow down
  - Throttle connection rate to slow spread
  - Twycross & Williamson, Implementing and Testing a Virus Throttle, USENIX Sec 03
  - Important capability, but worm still spreads
- Quarantine
  - Detect and block worm

Outbreak Detection/Monitoring
- Classes of detection
  - Scan detection: detect infected hosts by their propagation attempts
  - Host detection: detect that network activity resulted in violation of programming model
  - Signature inference: automatically identify content signature for exploit (sharable)
- Classes of monitors
  - Observing actual victims
  - Creating your own victims (Honeynets)

Scan Detection
- Indirect scan detection
  - Berk et al., Designing a Framework for Active Worm Detection on Global Networks (ICMP)
  - Wong et al., A Study of Mass-mailing Worms, WORM 04
  - Whyte et al., DNS-based Detection of Scanning Worms in an Enterprise Network, NDSS 05
- Direct scan detection
  - Weaver et al., Very Fast Containment of Scanning Worms, USENIX Sec 04
    - Threshold Random Walk: bias source based on connection success rate (Jung et al.); use approximate state for fast HW implementation
    - Multi-Gbps design, detect scan in 5-10 attempts
    - Few false positives: Gnutella (peer access), Windows File Sharing (benign scanning)
  - Venkataraman et al., New Streaming Algorithms for Fast Detection of Superspreaders, NDSS 05

Telescopes + Active Responders
- Problem: Telescopes are passive, can't respond to TCP handshake
  - Can't determine payload
- Solution: proxy responder
  - Stateless: TCP SYN/ACK (Internet Motion Sensor), per-protocol responders (iSink)
  - Stateful: Honeyd
  - Can differentiate and fingerprint payload
  - False positives generally low since no regular traffic

HoneyNets
- Problem: what will payload do? No code executes.
- Solution: redirect scans to real "infectible" hosts (honeypots)
  - Individual hosts or VM-based: Collapsar, HoneyStat, Symantec
  - Can reduce false positives/negatives with host-analysis (e.g. TaintCheck, Vigilante, Minos) and behavioral/procedural signatures
- Challenges: Scalability, liability, detection by malware

Honeynets: Not a Panacea
- Depends on worms scanning it
  - What if don't scan that range (smart bias)?
  - What if propagate via e-mail, IM, topologically?
- Background radiation is a big pain
  - How do you weed out the boring same-old / same-old? It comes in zillions of variants.
- Just how realistic can your environment be?
  - What if code you're executing wants to make outbound connections of various sorts? E.g., TFTP, HTTP, DNS, ...

Signature inference
- Idea: look for unusual repeated content
  - Can work on non-scanning worms
  - Key off many-to-many communication to avoid confusion w/ non-worm sources
- "Content Sifting" systems can distill signatures:
  - Singh et al., Automated Worm Fingerprinting, OSDI 04
  - Kim et al., Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec 04
- But: what about polymorphic worms?

Once You Have A Live Worm, Then What?
- Containment
  - Use distilled signature to prevent further spread
  - Different granularities possible:
    - Infectees (doesn't scale well)
    - Content (or more abstract activity) description
    - Vulnerable population
- Would like to leverage detections by others
  - But how can you trust these?
  - What if it's an attacker lying to you to provoke a self-damaging response? (Or to hide a later actual attack)

Once You Have A Live Worm, Then What?, cont.
- Proof of infection
  - Idea: alerts come with a verifiable audit trail that demonstrates the exploit, à la proof-carrying code
- Auto-patching
  - Techniques to derive (and test!) patches to fix vulnerabilities in real-time (Excerpt from my review: "Not as crazy as it sounds")
- Auto-antiworm
  - Techniques to automatically derive a new worm from a propagating one, but with disinfectant payload (This one, on the other hand, is as crazy as it sounds)

Final Thoughts
- The big worry these days isn't worms but phishing and spyware
  - These are dicey because there's money involved
- Arms race
  - There's nothing to stop attackers from using worms to help with their phishing & spyware
  - Plus viruses, botnets / spam, DDOS-for-hire
  - "Blended threats"
- Key question: how will the arms race evolve?
  - A series of gradual steps, with time to adapt/respond
  - Or?
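The "Scan Detection" slide credits Threshold Random Walk (Jung et al.) with flagging a scanning host within 5-10 connection attempts by biasing on connection success rate. The following is an added example, not code from the talk or from the cited papers: a small TRW detector run over constructed connection-log lines. The theta0/theta1/alpha/beta values are the ones Jung et al. use in their paper; the log format, addresses and outcomes are made up for the example.

```python
"""Threshold Random Walk (TRW) scan detection, after Jung et al. 2004, which the
'Scan Detection' slide cites.  Added example, not the paper's code.  Only the
first contact from a source to each distinct destination counts, and the
detector stops updating a source once it has reached a verdict."""
import math
from collections import defaultdict

# H0: source is benign, a first-contact connection succeeds with prob. theta0.
# H1: source is a scanner, a first-contact succeeds with prob. theta1.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99                      # target false-positive / detection rates
ETA1 = math.log(BETA / ALPHA)                 # upper threshold: declare scanner
ETA0 = math.log((1 - BETA) / (1 - ALPHA))     # lower threshold: declare benign
LLR_SUCCESS = math.log(THETA1 / THETA0)               # ln 0.25: a success argues for H0
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))   # ln 4:    a failure argues for H1


class TRWDetector:
    def __init__(self):
        self.llr = defaultdict(float)     # running log-likelihood ratio per source
        self.seen = defaultdict(set)      # destinations already counted per source
        self.attempts = defaultdict(int)  # first-contact attempts consumed per source
        self.verdict = {}                 # src -> "scanner" | "benign"

    def observe(self, src, dst, success):
        """Fold one connection attempt into the walk; returns the verdict if the
        source has just crossed a threshold, else None."""
        if src in self.verdict or dst in self.seen[src]:
            return None                   # already decided, or not a first contact
        self.seen[src].add(dst)
        self.attempts[src] += 1
        self.llr[src] += LLR_SUCCESS if success else LLR_FAILURE
        if self.llr[src] >= ETA1:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= ETA0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


def parse_line(line):
    """Constructed format: '<ts> <src> <dst> <dport> <S|F>'
    (S = handshake completed, F = RST or timeout)."""
    _ts, src, dst, _dport, outcome = line.split()
    return src, dst, outcome == "S"


def run(lines):
    """Returns {src: (verdict, attempts_needed)} for every decided source."""
    det = TRWDetector()
    for line in lines:
        src, dst, ok = parse_line(line)
        det.observe(src, dst, ok)
    return {s: (v, det.attempts[s]) for s, v in det.verdict.items()}


# Constructed log: one host probing a port across many neighbours (mostly failing),
# one host browsing (mostly succeeding), one host with too little history.
SAMPLE_LOG = [
    "1 10.1.2.3 10.1.2.50 1434 F",
    "2 10.1.2.3 10.1.2.51 1434 F",
    "3 10.1.2.3 10.1.2.52 1434 S",
    "4 10.1.2.3 10.1.2.53 1434 F",
    "5 10.1.2.3 10.1.2.54 1434 F",
    "6 10.1.2.3 10.1.2.55 1434 F",
    "7 10.1.2.3 10.1.2.56 1434 F",      # ignored: verdict already reached
    "8 10.1.2.9 10.1.2.80 80 S",
    "9 10.1.2.9 10.1.2.81 80 S",
    "10 10.1.2.9 10.1.2.80 443 S",      # same destination again: not a first contact
    "11 10.1.2.9 10.1.2.82 80 F",
    "12 10.1.2.9 10.1.2.83 80 S",
    "13 10.1.2.9 10.1.2.84 80 S",
    "14 10.1.2.9 10.1.2.85 80 S",
    "15 10.1.2.20 10.1.2.90 22 F",
    "16 10.1.2.20 10.1.2.91 22 S",
]

if __name__ == "__main__":
    for src, (verdict, n) in run(SAMPLE_LOG).items():
        print(f"{src:10s} {verdict:8s} after {n} first-contact attempts")
```

Each failure moves the walk up by ln 4 and each success down by the same amount, so with these thresholds (ln 99 either way) four net failures settle the question; the scanning host above is flagged on its sixth first-contact attempt, inside the slide's 5-10 range, while the browsing host with one failed connection is declared benign after the same number of observations and the third host stays undecided.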
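The "Signature inference" slide describes content sifting: look for unusual repeated content, but key off many-to-many communication so that popular benign content is not mistaken for a worm. The following is an added example in the spirit of Singh et al.'s Automated Worm Fingerprinting, not that system's code: content windows are plain byte slices rather than Rabin fingerprints, the prevalence and address-dispersion thresholds are constructed, and the packets (a made-up invariant payload sent many-to-many, plus a cached object sent one-to-many) are constructed as well.

```python
"""Content sifting: prevalence plus address dispersion of content windows, after
the idea on the 'Signature inference' slide.  Added example, not the EarlyBird
code; thresholds, packets and addresses are constructed."""
from collections import defaultdict

WINDOW = 12       # bytes per content window (a stand-in for Rabin fingerprints)
PREVALENCE = 4    # copies of a window before it is interesting at all
MIN_SRCS = 3      # address dispersion: distinct sources ...
MIN_DSTS = 3      # ... and distinct destinations, i.e. many-to-many traffic


class ContentSifter:
    def __init__(self, window=WINDOW):
        self.window = window
        self.count = defaultdict(int)
        self.srcs = defaultdict(set)
        self.dsts = defaultdict(set)

    def observe(self, src, dst, payload: bytes):
        """Count every distinct window of the payload once per packet."""
        seen_here = set()
        for i in range(len(payload) - self.window + 1):
            w = payload[i:i + self.window]
            if w in seen_here:
                continue
            seen_here.add(w)
            self.count[w] += 1
            self.srcs[w].add(src)
            self.dsts[w].add(dst)

    def suspicious_windows(self):
        """Windows that are both prevalent and spread across many sources AND
        many destinations; one popular server talking to many clients fails
        the source-dispersion test and is left alone."""
        return {w for w, c in self.count.items()
                if c >= PREVALENCE
                and len(self.srcs[w]) >= MIN_SRCS
                and len(self.dsts[w]) >= MIN_DSTS}

    def signatures(self):
        """Merge overlapping suspicious windows into maximal byte strings.
        Successor lookup is by (window-1)-byte prefix, which assumes the chains
        do not branch; real traffic would need a proper graph here."""
        sus = self.suspicious_windows()
        by_prefix = {w[:-1]: w for w in sus}
        suffixes = {w[1:] for w in sus}
        sigs = []
        for w in sorted(sus):
            if w[:-1] in suffixes:
                continue                      # not the head of a chain
            sig, cur, visited = bytearray(w), w, {w}
            while cur[1:] in by_prefix and by_prefix[cur[1:]] not in visited:
                cur = by_prefix[cur[1:]]
                visited.add(cur)
                sig += cur[-1:]
            sigs.append(bytes(sig))
        return sorted(sigs)


# Constructed traffic.  INVARIANT stands in for the exploit bytes a worm must
# repeat in every copy; the bytes are made up and do nothing.
INVARIANT = b"CONSTRUCTED-EXPLOIT-PAYLOAD:\x90\x90\x90\xeb\x1fNOT-REAL-CODE"
BENIGN_OBJECT = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n<cached-logo-bytes>"
WORM_PAIRS = [("10.0.0.1", "10.0.1.5"), ("10.0.0.2", "10.0.1.6"),
              ("10.0.0.3", "10.0.1.7"), ("10.0.0.4", "10.0.1.8"),
              ("10.0.0.5", "10.0.1.9")]        # many-to-many, as worm traffic looks


def build_sample_sifter():
    sifter = ContentSifter()
    for i, (src, dst) in enumerate(WORM_PAIRS, start=1):
        # per-packet varying header and trailer around the invariant bytes
        sifter.observe(src, dst, f"{i:04d}".encode() + INVARIANT + b"ABCDE"[i - 1:i])
    for k in range(1, 7):
        # one popular server -> six clients: highly prevalent, but one-to-many
        sifter.observe("10.0.9.9", f"10.0.2.{k}", BENIGN_OBJECT)
    return sifter


def run_sample():
    return build_sample_sifter().signatures()


if __name__ == "__main__":
    for sig in run_sample():
        print("candidate signature:", sig)
```

The distilled signature is exactly the invariant portion of the worm payload, with the per-packet header and trailer trimmed off because windows that straddle them never reach the prevalence threshold, while the cached object is seen six times yet never becomes a candidate. The slide's closing caveat applies unchanged: a polymorphic worm that leaves no invariant window defeats this kind of sifting.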

