Worm Defense

Outline
- Worms
- "How to 0wn the Internet in Your Spare Time"
- Worm defense
- Discussion

What is a worm?
- An independent program that seeks out new hosts from an existing host in order to spread itself further.
- Another definition: programs that are able to replicate themselves (usually across computer networks) as stand-alone programs (or sets of programs), and that do not depend on the existence of a host program, are called computer worms.
- Key properties: self-propagation and self-replication.
- What is the difference between a worm and a virus? The way they infect systems: a virus attaches itself to a host program or file and normally needs a user action to spread, whereas a worm is a complete program that spreads on its own.

History of worms: the origins
- Science-fiction roots: Brunner's "tapeworm" program in The Shockwave Rider (1975).
- Xerox PARC, 1982: Shoch and Hupp coined the term "worm" and ran experiments with worm-like programs [6].
- CHRISTMA EXEC (1987): spread via e-mail and required the user to execute it.
- The Internet worm (1988): the Morris worm infected close to 10% of the Internet of the time (about 6,000 machines).
- IRC worms: since the late 1990s, worms have regularly targeted IRC clients (mIRC and PIRCH).

History of worms: e-mail worms
- Melissa (March 1999): a worm/virus hybrid that mailed itself to the first 50 entries in the Outlook address book; it could also spread as a conventional Word macro virus.
- KAK (February 2000): a script worm similar to BubbleBoy that exploited a hole in Outlook Express to run automatically when the message was opened or previewed, with no attachment to click.
- Love Letter (May 2000): a VBS worm that worked like Melissa but could also spread via IRC.

History of worms: the resurgence of scanning worms
- In the two years before this talk we saw a resurgence of worms that spread by scanning for vulnerable servers rather than by e-mail:
  - Code Red and its variants (from July 13, 2001): Code Red v1 (CRv1), Code Red v2 (CRv2), Code Red II
  - Nimda (September 18, 2001)
  - Slammer/Sapphire (January 2003)

What could worms do? Some possibilities:
- Launch Distributed Denial of Service (DDoS) attacks
  - Bring down electronic-commerce sites
  - Cut off news outlets
  - Disable the root name servers
- Access sensitive material on any infected host
  - Passwords, credit-card numbers, address books
- Sow confusion and disruption
  - Send out false information
  - Make forged messages appear authentic

Replication methods of worms: two main ways for worms to spread
- Use legitimate services
  - E-mail: Sircam and the earlier examples above
  - File shares: Sircam and Deloder
- Exploit system vulnerabilities
  - Web servers (Microsoft IIS): Nimda and Code Red
  - Microsoft SQL Server: Slammer

Why can worms spread?
- Homogeneous software base
  - Worms exploit design flaws in commonly used Internet software
  - Microsoft controls more than 90% of PCs (figure as given in the talk)
- High-bandwidth interconnections
  - Machines are "close" to each other
  - This makes it easy for a worm to spread

Outline (next section)
- Worms
- "How to 0wn the Internet in Your Spare Time"
- Worm defense
- Discussion

Main ideas of the paper (Staniford, Paxson and Weaver, USENIX Security 2002)
- Analyze current worms, Code Red and Nimda.
- Develop new, highly virulent techniques, including hit-list scanning, permutation scanning and the use of Internet-sized hit-lists.
- Envision a "Cyber-Center for Disease Control".

Code Red I (CRv1)
- Released July 13, 2001.
- Exploited a buffer overflow in the Microsoft IIS web server.
- Spawned 100 threads
  - 99 threads probed random IP addresses
  - 1 thread defaced the web server's pages
- Contained a bug
  - The random number generator was initialized with a fixed seed
  - Every copy therefore probed the same sequence of machines (CRv2, released July 19, fixed this and spread far faster)

Random Constant Spread (RCS) model: a quantitative theory for the spread of the Code Red I worm
- $N$: total number of vulnerable servers, assumed fixed
- $K$: initial compromise rate, the number of vulnerable hosts an infected host can compromise per unit time at the start of the outbreak, measured in infections/hour
- $a$: fraction of vulnerable machines already compromised
- $t$: time, in hours

RCS (continued)
In a short interval $dt$, each of the $Na$ infected hosts compromises $K(1-a)$ new hosts, since only the fraction $(1-a)$ of its probes that reach still-uninfected vulnerable machines count:
$$N\,da = (Na)\,K\,(1-a)\,dt$$
So the differential equation is
$$\frac{da}{dt} = K\,a\,(1-a)$$
which has a closed-form logistic solution.
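The solution, derived here as an added worked step in the slide's own symbols (this derivation is not part of the original transcript). Separating variables:
$$\frac{da}{dt} = K\,a\,(1-a)
\;\Longrightarrow\; \int \frac{da}{a\,(1-a)} = \int K\,dt
\;\Longrightarrow\; \ln\frac{a}{1-a} = K\,(t - T),$$
where the integration constant $T$ is the time at which $a = 1/2$. Solving for $a$:
$$a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}.$$
Sanity checks against the comments that follow: for $t \ll T$, $a \approx e^{K(t-T)}$, so the infected fraction grows exponentially; for $t \gg T$, $a \to 1$; and $N$ has cancelled out, so the shape of the curve depends only on $K$. With the fitted $K = 1.8$ per hour, the infected fraction grows by a factor of $e^{1.8} \approx 6$ per hour in the early phase. The observed scan rate is proportional to $N\,a(t)$ times the per-host scan rate, which is why the measured scan-rate curve has the same logistic shape.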

Comments
- For small $t$, $a$ grows exponentially.
- For large $t$, $a$ goes to 1.
- The growth rate depends only on $K$ and not on $N$ at all.
- Fitting the measured Code Red I scan rate gives $K = 1.8$ per hour and $T = 11.9$ hours ($T$ being the time at which half the vulnerable population is infected).
- The peak was about 510,000 scans an hour.
- Discussion: why was the scan rate fitted, rather than the number of distinct source IP addresses?

Code Red II
- Released August 4, 2001.
- Despite the name, a completely unrelated code base from Code Red I.
- Exploited the same buffer overflow in the Microsoft IIS web server.
- Installed a root backdoor allowing unrestricted remote access.
- Localized scanning strategy
  - 3/8 of probes go to addresses within the same /16 (class B) network
  - 1/2 go to addresses within the same /8 (class A) network
  - 1/8 go to the whole Internet

Nimda
- Released September 18, 2001.
- At least five methods of spreading
  - From an infected client to a web server, probing for a Microsoft IIS vulnerability (again Microsoft!)
  - E-mailing itself as an attachment
  - Copying itself across open network shares
  - From an infected web server to the clients that browse it
  - Scanning for the backdoors left behind by Code Red II

Better worms
- The virulence of a worm could be increased further by
  - Scanning faster
  - Finding more targets per scan

Hit-list scanning: solving the problem of "getting off the ground"
- The slow initial phase of the logistic curve dominates the total infection time; a hit-list removes it.
- Collect a list of 10,000 to 50,000 potentially vulnerable machines before releasing the worm.
- Each copy hands half of its remaining list to every host it newly infects.
- How to collect the list?
  - Stealthy scans (the same as an ordinary portscan, but spread out over time)
  - Distributed scanning
  - DNS searches
  - Spiders (web crawlers)
  - Public surveys
  - Just listen: wait for others to knock on the door

Permutation scanning
- Assumption: a worm copy can detect that a particular target is already infected.
- All copies share a pseudo-random permutation of the IP address space.
  - Generated with a 32-bit block cipher and a shared key: encrypting an index gives the address at that position
- Any newly infected host starts scanning just after its own point in the permutation.
- When a copy meets an already-infected machine, it knows the region ahead has been covered and restarts from a random point.
- The result is self-coordinated and comprehensive, yet still looks random.
- A partitioned permutation scan divides the permutation among copies, for example when attacking multiple security holes (how?)

A simulation: the Warhol worm
- A combination of hit-list and permutation scanning.
- Simulation of the Warhol worm's spread
  - A 2^32-entry address space
  - A 32-bit, 6-round variant of RC5 as the permutation cipher
- Sharply reduces the infection time to about 15 minutes.
  - Hence "Warhol", from the quotation "In the future, everyone will have 15 minutes of fame"

[Figure: number of infected instances versus time for three simulated worms. Red: Warhol worm; green: fast scanning; black: conventional.] Hit-list scanning improves the initial spread, while permutation scanning keeps the infection rate high in the later phase.
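To make the two mechanisms concrete, here is an added toy simulation (my own code, not the paper's simulator) of uniform random scanning versus permutation scanning seeded by a hit-list. Assumptions: a 16-bit address space of 65,536 toy addresses stands in for the 2^32 Internet, a 16-bit 6-round Feistel cipher keyed with a constructed shared key stands in for the paper's 32-bit RC5 variant, the vulnerable population of 2,000 hosts is constructed at random, and "infection" is just set membership. Nothing touches a network.

```python
"""Toy simulation of the scanning strategies in "How to 0wn the Internet":
uniform random scanning versus permutation scanning seeded by a hit-list.
Addresses are 16-bit integers in a constructed population; nothing here
touches a network or exploits anything."""
import hashlib
import random

ADDR_BITS = 16
SPACE = 1 << ADDR_BITS          # 65,536 toy addresses instead of 2^32
KEY = b"shared-worm-key"        # constructed key; every copy shares it


def feistel(x: int, key: bytes = KEY, rounds: int = 6) -> int:
    """16-bit, 6-round Feistel cipher (two 8-bit halves) standing in for the
    paper's 32-bit RC5 variant. A Feistel network is always a bijection, so
    encrypting the indices 0..SPACE-1 yields a keyed permutation of the
    address space that every copy can reproduce from the shared key."""
    left, right = x >> 8, x & 0xFF
    for rnd in range(rounds):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right


PERM = [feistel(i) for i in range(SPACE)]   # permutation index -> address
INDEX = [0] * SPACE                          # address -> index (the inverse)
for i, addr in enumerate(PERM):
    INDEX[addr] = i


def vulnerable_population(n: int, seed: int = 7) -> set:
    """Constructed set of n vulnerable addresses scattered over the space."""
    return set(random.Random(seed).sample(range(SPACE), n))


def probes_to_find_all(vulnerable: set, strategy: str, seed: int = 1) -> int:
    """Probes a single scanner needs before it has touched every vulnerable
    address. Walking the permutation covers the space in exactly SPACE
    probes; uniform random scanning repeats itself (coupon collector)."""
    rng = random.Random(seed)
    remaining = set(vulnerable)
    pos = rng.randrange(SPACE)
    probes = 0
    while remaining:
        if strategy == "uniform":
            target = rng.randrange(SPACE)
        else:
            target = PERM[pos % SPACE]
            pos += 1
        probes += 1
        remaining.discard(target)
    return probes


def simulate(vulnerable: set, hitlist, strategy: str, scans_per_step: int = 4,
             seed: int = 1, max_steps: int = 100_000) -> dict:
    """Discrete-time epidemic: every infected host sends scans_per_step probes
    per step. `hitlist` is the set of hosts already infected at time zero."""
    rng = random.Random(seed)
    infected = set(hitlist)
    # permutation scanners start just after their own point in the permutation
    cursor = {h: INDEX[h] + 1 for h in infected}
    probes = step = 0
    while len(infected) < len(vulnerable) and step < max_steps:
        step += 1
        for host in list(infected):        # snapshot: the set grows mid-step
            for _ in range(scans_per_step):
                if strategy == "uniform":
                    target = rng.randrange(SPACE)
                else:
                    target = PERM[cursor[host] % SPACE]
                    cursor[host] += 1
                probes += 1
                if target in infected:
                    if strategy == "permutation":
                        # self-coordination: that host already swept the
                        # addresses ahead of it, so jump to a fresh point
                        cursor[host] = rng.randrange(SPACE)
                elif target in vulnerable:
                    infected.add(target)
                    cursor[target] = INDEX[target] + 1
    return {"steps": step, "probes": probes, "infected": len(infected)}


if __name__ == "__main__":
    vuln = vulnerable_population(2000)
    print("single scanner, probes needed to touch every vulnerable host:")
    for s in ("uniform", "permutation"):
        print(f"  {s:12s} {probes_to_find_all(vuln, s):>8d}  (space = {SPACE})")
    small = sorted(vuln)[:10]      # a conventional worm's few initial victims
    big = sorted(vuln)[:200]       # a Warhol-style hit-list of 10%
    for name, seeds in (("10-host start", small), ("200-host hit-list", big)):
        for s in ("uniform", "permutation"):
            print(name, s, simulate(vuln, seeds, s))
```

Running it shows the two effects the figure describes separately: the single-scanner comparison isolates the coverage advantage of the permutation (no address is probed twice in a sweep, so all 2,000 targets are found within 65,536 probes, whereas uniform scanning needs several times that), and the epidemic runs with a 10-host start versus a 200-host hit-list isolate the "getting off the ground" advantage of the hit-list. The restart-on-infected rule is what makes the permutation scan self-coordinating; without the inverse table (`INDEX`) a new copy could not find its own starting point.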

Topological scanning
- Use information found on the victim machine to find new targets
  - Neighbours
  - Peers
  - URLs

A compact worm: the flash worm
- Mass coverage inside 30 seconds? Flash worms can, in theory, achieve this.
- Each copy of the worm carries a list of target addresses; it uses some of them to attack new hosts and sends a portion of the remaining addresses along to each of its "children".
- As the worm makes more copies of itself, each copy gets smaller, which keeps the worm's network load predictable.
- Requires high bandwidth for the first few infections: a list of 10 million addresses is 40 MB (4 bytes per address).

Flash worm (con’t) 200k 100k 50k = Infected computer. = computer that could be infected, but hasn’t = computer that wasn’t sucessfully infected

Stealth worms
- What is different?
- Avoiding detection by replicating slowly.
- Hiding the infection mechanism by making it look like normal traffic.
- Slowly building up a large infection base, with the payload set to trigger at a fixed date.
- Or keeping a record of infected hosts so that the worm can be activated later by an authorized, signed message sent instantly along the infection path.
- The analogue of a disease that shows no symptoms; harder to achieve in a world of intrusion detection systems.

Stealth worms on P2P systems
- P2P systems are well suited to contagion worms
  - All peers run the same software
  - Every client is also a server
  - High interconnectivity
  - Large file transfers are normal, so a worm riding along draws less attention from intrusion detection systems
  - ...
  - And potentially immense size

Updates and control: how to control and modify a worm after its release
- Worm-to-worm communication
  - Each copy keeps a list of other known, running copies
  - Encrypted communication channels
  - Degree of connectivity (how many other copies each one knows)
- Programmable updates
  - Dynamic loading of new code, using the OS's own loader

Cyber-Center for Disease Control
- Mission
  - Identifying outbreaks
  - Rapidly analyzing pathogens
  - Fighting infections
  - Anticipating new vectors
  - Proactively devising detectors for new vectors
  - Resisting future threats

Outline (next section)
- Worms
- "How to 0wn the Internet in Your Spare Time"
- Worm defenses
- Discussion

Approaches to worm defense
- Prevention
- Containment
- Cleanup

Worm defense: prevention
- Prevention by
  - Reducing the number of vulnerable hosts
  - Limiting the speed at which a worm can spread
- Limitations
  - Depends on knowing the current software vulnerabilities
- Related research
  - Matthew M. Williamson, "Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code"
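Williamson's throttle is the concrete form of "limiting the speed at which a worm can spread", so here is an added implementation of its core rule (my own code, written from the paper's description, not Williamson's implementation). A host keeps a small working set of recently contacted destinations; connections to those pass immediately, connections to new destinations wait in a queue that is drained at a fixed rate, and a queue that keeps growing is the signal that the host is scanning. The working-set size of 5 and the rate of one new destination per second are the paper's values; the alert threshold of 100 queued destinations and the two traffic traces are constructed assumptions.

```python
"""Per-host virus throttle after Williamson (2002): outbound connections to
recently contacted destinations pass at once; connections to new
destinations are queued and released at a fixed rate; a queue that keeps
growing marks the host as scanning. The traces below are constructed."""
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set: int = 5, rate_per_sec: int = 1,
                 alert_queue: int = 100):
        self.working = OrderedDict()   # recently contacted destinations (LRU)
        self.queue = deque()           # destinations waiting for a slot
        self.working_set = working_set
        self.rate = rate_per_sec
        self.alert_queue = alert_queue # assumed threshold, not from the paper
        self.clock = 0
        self.max_queue = 0
        self.alert_at = None           # second at which the queue overflowed

    def _admit(self, dst: str) -> None:
        self.working[dst] = True
        self.working.move_to_end(dst)
        if len(self.working) > self.working_set:
            self.working.popitem(last=False)      # evict least recently used

    def _advance_to(self, t: int) -> None:
        # every elapsed second releases `rate` queued destinations
        while self.clock < t:
            self.clock += 1
            for _ in range(min(self.rate, len(self.queue))):
                self._admit(self.queue.popleft())

    def connect(self, t: int, dst: str) -> str:
        """Decide one outbound connection attempt made at second t."""
        self._advance_to(t)
        if dst in self.working:
            self.working.move_to_end(dst)
            return "pass"
        if dst in self.queue:
            return "queued"            # already waiting; held with the first
        self.queue.append(dst)
        self.max_queue = max(self.max_queue, len(self.queue))
        if len(self.queue) > self.alert_queue and self.alert_at is None:
            self.alert_at = t          # far more new peers than the host can use
        return "delay"


def evaluate(trace, **params) -> dict:
    """Run a (second, destination) trace through a fresh throttle."""
    throttle = VirusThrottle(**params)
    counts = {"pass": 0, "delay": 0, "queued": 0}
    for t, dst in trace:
        counts[throttle.connect(t, dst)] += 1
    return {**counts, "max_queue": throttle.max_queue,
            "alert_at": throttle.alert_at}


def build_traces():
    """Constructed traces. Normal: a desktop talking to its DNS and mail
    servers every second plus one new web site every 10 s. Worm: the same
    desktop probing 50 never-seen addresses per second (uniform scanning)."""
    normal = []
    for t in range(60):
        normal += [(t, "dns"), (t, "mail")]
        if t % 10 == 0:
            normal.append((t, f"site{t // 10}"))
    worm = [(t, f"10.0.{t}.{i}") for t in range(10) for i in range(50)]
    return normal, worm


if __name__ == "__main__":
    for name, trace in zip(("normal", "worm"), build_traces()):
        print(name, evaluate(trace))
```

The normal trace is barely affected: each genuinely new destination waits at most a couple of seconds, the queue never holds more than three entries, and the repeated DNS and mail connections pass untouched. The scanning trace never repeats a destination, so nothing ever passes, the queue grows by about 49 entries per second, and the alert fires in the third second; the worm's own rate is what gives it away, which is why the throttle needs no signature. The limitation the slide notes still applies: the throttle slows a fast scanner but does nothing against a slow, stealthy one.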

Worm defense: containment
- Block the infectious communication between infected and uninfected hosts, by
  - Firewalls
  - Content filters
  - Address blacklists
- Related work
  - David Moore et al., "Internet Quarantine: Requirements for Containing Self-Propagating Code"
  - Stuart Staniford, "Containment of Scanning Worms in Enterprise Networks"

Worm defense: cleanup
- Cleanup by
  - Disinfection tools
  - System updates and patches
- Limitations
  - Limited to human time scales
  - Cannot handle an acute outbreak
- Related work
  - ?

Discussions

Thank you.