CS 268: Lecture 19 (Malware) Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences University of California,

Slides:



Advertisements
Similar presentations
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Advertisements

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.
CS 4700 / CS 5700 Network Fundamentals Lecture 20: Malware, Botnets, Spam (Wanna buy some v14gr4?) Slides stolen from Vern Paxson (ICSI) and Stefan Savage.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Presenter:
Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
Introduction to Security Computer Networks Computer Networks Term B10.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Worms: Taxonomy and Detection Mark Shaneck 2/6/2004.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Algorithms for Network Security
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
EE 122: Network Security Kevin Lai December 2, 2002.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lecture 11 Intrusion Detection (cont)
Tracking Port Scanners on the IP Backbone Tao Ye Sprint Burlingame, CA Avinash Sridharan University of Southern California.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Automated Worm Fingerprinting
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
Content Sifting Stefan Savage Sumeet Singh, Cristian Estan, George Varghese, Justin Ma, Kirill Levchenko.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Honeypot and Intrusion Detection System
Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.
Intrusion Detection and Prevention. Objectives ● Purpose of IDS's ● Function of IDS's in a secure network design ● Install and use an IDS ● Customize.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,
15-744: Computer Networking L-23 Worms. 2 Overview Worm propagation Worm signatures.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558.
Click to add Text Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Department of Computer Science and Engineering.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage.
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
4061 Session 26 (4/19). Today Network security Sockets: building a server.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Viruses a piece of self-replicating code attached to some other code – cf biological virus both propagates itself & carries a payload – carries code to.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
Role Of Network IDS in Network Perimeter Defense.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
CS162 Operating Systems and Systems Programming Lecture 18 Security (II) October 31, 2011 Anthony D. Joseph and Ion Stoica
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Vigilante: End-to-End Containment of Internet Worms Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang and Paul Barham.
Internet Quarantine: Requirements for Containing Self-Propagating Code
Automated Worm Fingerprinting
Chap 10 Malicious Software.
CS 268: Lecture 19 (Malware) Ion Stoica Computer Science Division
Lecture 3: Secure Network Architecture
Chap 10 Malicious Software.
November 3, 2003 (last updated: 11/3/2003, 5:45pm)
Automated Worm Fingerprinting
Introduction to Internet Worm
Presentation transcript:

CS 268: Lecture 19 (Malware) Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA (Based on slides from Vern Paxson and Stefan Savage)

2 Motivation  Internet currently used for important services -Financial transactions, medical records  Could be used in the future for critical services -911, surgical operations, energy system control, transportation system control  Networks more open than ever before -Global, ubiquitous Internet, wireless  Malicious Users -Selfish users: want more network resources than you -Malicious users: would hurt you even if it doesn’t get them more network resources

3 Network Security Problems  Host Compromise -Attacker gains control of a host  Denial-of-Service -Attacker prevents legitimate users from gaining service  Attack can be both -E.g., host compromise that provides resources for denial-of-service

4 Host Compromise  One of earliest major Internet security incidents -Internet Worm (1988): compromised almost every BSD- derived machine on Internet  Today: estimated that a single worm could compromise 10M hosts in < 5 min  Attacker gains control of a host -Read data -Erase data -Compromise another host -Launch denial-of-service attacks on another host

5 Definitions  Worm -Replicates itself -Usually relies on stack overflow attack  Virus -Program that attaches itself to another (usually trusted) program  Trojan horse -Program that allows a hacker a back way -Usually relies on user exploitation  Botnet -A collection of programs running autonomously and controlled remotely -Can be used to spread out worms, mounting DDoS attacks

6 Host Compromise: Stack Overflow  Typical code has many bugs because those bugs are not triggered by common input  Network code is vulnerable because it accepts input from the network  Network code that runs with high privileges (i.e., as root) is especially dangerous -E.g., web server

7 Example  What is wrong here? // Copy a variable length user name from a packet #define MAXNAMELEN 64 int offset = OFFSET_USERNAME; char username[MAXNAMELEN]; int name_len; name_len = packet[offset]; memcpy(&username, packet[offset + 1], name_len); name_len name 043 packet

8 Example void foo(packet) { #define MAXNAMELEN 64 int offset = OFFSET_USERNAME; char username[MAXNAMELEN]; int name_len; name_len = packet[offset]; memcpy(&username, packet[offset + 1],name_len); … } “foo” return address username offset name_len Stack X X-4 X-8 X-72 X-76

9 Example void foo(packet) { #define MAXNAMELEN 64 int offset = OFFSET_USERNAME; char username[MAXNAMELEN]; int name_len; name_len = packet[offset]; memcpy(&username, packet[offset + 1],name_len); … } “foo” return address username offset name_len Stack X X-4 X-8 X-72 X-76

10 Effect of Stack Overflow  Write into part of the stack or heap -Write arbitrary code to part of memory -Cause program execution to jump to arbitrary code  Worm -Probes host for vulnerable software -Sends bogus input -Attacker can do anything that the privileges of the buggy program allows Launches copy of itself on compromised host -Spread at exponential rate -10M hosts in < 5 minutes

11 Outline  Worm propagation  Threat detection – content sifting

12 Worm Spreading f = ( e K(t-T) – 1) / (1+ e K(t-T) )  f – fraction of hosts infected  K – rate at which one host can compromise others  T – start time of the attack T f t 1

13 Worm Examples  Morris worm (1988)  Code Red (2001)  MS Slammer (January 2003)  MS Blaster (August 2003)

14 Morris Worm (1988)  Infect multiple types of machines (Sun 3 and VAX) -Spread using a Sendmail bug  Attack multiple security holes including -Buffer overflow in fingerd -Debugging routines in Sendmail -Password cracking  Intend to be benign but it had a bug -Fixed chance the worm wouldn’t quit when reinfecting a machine  number of worm on a host built up rendering the machine unusable

15 Code Red Worm (2001)  Attempts to connect to TCP port 80 on a randomly chosen host  If successful, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow  Worm “bug”: all copies of the worm use the same random generator to scan new hosts -DoS attack on those hosts -Slow to infect new hosts  2 nd generation of Code Red fixed the bug! -It spread much faster

16 MS SQL Slammer (January 2003)  Uses UDP port 1434 to exploit a buffer overflow in MS SQL server  Effect -Generate massive amounts of network packets -Brought down as many as 5 of the 13 internet root name servers  Others -The worm only spreads as an in-memory process: it never writes itself to the hard drive Solution: close UDP port on fairewall and reboot

17 MS SQL Slammer (January 2003)  xx (From

18 MS SQL Slammer (January 2003)  xx (From

19 MS Blaster (August 2003)  Exploit a buffer overflow vulnerability of the RPC (Remote Procedure Call) service  Scan a random IP range to look for vulnerable systems on TCP port 135  Open TCP port 4444, which could allow an attacker to execute commands on the system  DoS windowsupdate.com on certain versions of Windows

20 Hall of Shame  Software that have had many stack overflow bugs: -BIND (most popular DNS server) -RPC (Remote Procedure Call, used for NFS) NFS (Network File System), widely used at UCB -Sendmail (most popular UNIX mail delivery software) -IIS (Windows web server) -SNMP (Simple Network Management Protocol, used to manage routers and other network devices)

21 Spreading faster—distributed coordination (Warhol worms)  Idea 1: reduce redundant scanning. -Construct permutation of address space. -Each new worm instance starts at random point -Worm instance that “encounters” another instance re- randomizes  Idea 2: reduce slow startup phase. -Construct a “hit-list” of vulnerable servers in advance -Then: for 1M vulnerable hosts, 10K hit-list, 100 scans/worm/sec, 1 sec to infect  99% infection in 5 minutes.

22 Spreading still faster — Flash worms  Idea: use an Internet-sized hit list. -Initial copy of the worm has the entire hit list -Each generation, infects n from the list, gives each 1/n of list -Need to engineer for locality, failure & redundancy. -But: n = 10 requires, 7 generations to infect 10 7 hosts  tens of seconds.

23 How can we defend against Internet- scale worms?  Time scales rule out human intervention  Need automated detectors, response (And perhaps honeypots to confuse scanning?)  Very hard research question!  And it’s only half of the problem...

24 Contagion worms  Suppose you have two exploits: Es (Web server) and Ec (Web client)  You infect a server (or client) with Es (Ec)  Then you... wait (Perhaps you bait, e.g., host porn)  When vulnerable client arrives, infect it  You send over both Es and Ec  As client happens to visit other vulnerable servers ) infects

25 Contagion worms (cont’d)  No change in communication patterns, other than slightly larger-than-usual transfers  How do you detect this?  How bad can it be?

26 Outline  Worm propagation  Threat detection – content sifting

27 Threat Detection  Both defense and deterrence are predicated on getting good intelligence -Need to detect, characterize and analyze new malware threats -Need to be do it quickly across a very large number of events  Classes of monitors -Network-based -Endpoint-based  Monitoring environments -In-situ: real activity as it happens Network/host IDS -Ex-situ: “canary in the coal mine” HoneyNets/Honeypots (Stefan Savage, UCSD *)

28 Worm Signature Inference  Challenge: need to automatically learn a content “signature” for each new worm – in less than a second!  Approach: Monitor network and look for strings common to traffic with worm-like behavior  Signatures can then be used for content filtering SRC: DST: PROT: TCP 00F D 3F E M?.w FF cd EB 10 5A 4A 33 C9 66 B ZJ3.f A 99 E2 FA EB 05 E8 EB FF FF FF 70 f p... PACKET HEADER PACKET PAYLOAD (CONTENT) Kibvu.B signature captured by Earlybird on May 14 th, 2004 (Stefan Savage, UCSD *)

29 Content sifting  Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm  Two consequences -Content Prevalence: W will be more common in traffic than other bitstrings of the same length -Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations  Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic (Stefan Savage, UCSD *)

30 Address Dispersion Table Sources Destinations Prevalence Table The basic algorithm Detector in network AB cnn.com C D E (Stefan Savage, UCSD *)

31 1 (B)1 (A) Address Dispersion Table Sources Destinations 1 Prevalence Table The basic algorithm Detector in network AB cnn.com C D E (Stefan Savage, UCSD *)

32 1 (A)1 (C) 1 (B)1 (A) Address Dispersion Table Sources Destinations 1 1 Prevalence Table The basic algorithm Detector in network AB cnn.com C D E (Stefan Savage, UCSD *)

33 1 (A)1 (C) 2 (B,D)2 (A,B) Address Dispersion Table Sources Destinations 1 2 Prevalence Table The basic algorithm Detector in network AB cnn.com C D E (Stefan Savage, UCSD *)

34 1 (A)1 (C) 3 (B,D,E)3 (A,B,D) Address Dispersion Table Sources Destinations 1 3 Prevalence Table The basic algorithm Detector in network AB cnn.com C D E (Stefan Savage, UCSD *)

35 Challenges  Computation -To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps… Dominated by memory references; state expensive -Content sifting requires looking at every byte in a packet  State -On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table -Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM (Stefan Savage, UCSD *)

36 Which substrings to index?  Approach 1: Index all substrings -Way too many substrings  too much computation  too much state  Approach 2: Index whole packet -Very fast but trivially evadable (e.g., Witty, Viruses)  Approach 3: Index all contiguous substrings of a fixed length ‘S’ -Can capture all signatures of length ‘S’ and larger A B C D E F G H I J K (Stefan Savage, UCSD *)

37 How to represent substrings?  Store hash instead of literal to reduce state  Incremental hash to reduce computation  Rabin fingerprint is one such efficient incremental hash function [Rabin81,Manber94] -One multiplication, addition and mask per byte R A N D A B C D O M R A B C D A N D O M P1 P2 Fingerprint = (Stefan Savage, UCSD *)

38 How to subsample?  Approach 1: sample packets -If we chose 1 in N, detection will be slowed by N  Approach 2: sample at particular byte offsets -Susceptible to simple evasion attacks -No guarantee that we will sample same sub-string in every packet  Approach 3: sample based on the hash of the substring (Stefan Savage, UCSD *)

39 Value sampling [Manber ’94]  Sample hash if last ‘N’ bits of the hash are equal to the value ‘V’ -The number of bits ‘N’ can be dynamically set -The value ‘V’ can be randomized for resiliency  P track  Probability of selecting at least one substring of length S in a L byte invariant -For 1/64 sampling (last 6 bits equal to 0), and 40 byte substrings P track = 99.64% for a 400 byte invariant A B C D E F G H I J K Fingerprint = SAMPLE Fingerprint = SAMPLE Fingerprint = IGNORE Fingerprint = IGNORE (Stefan Savage, UCSD *)

40 Only 0.6% of the 40 byte substrings repeat more than 3 times in a minute Number of repeats Cumulative fraction of signatures Observation: High-prevalence strings are rare (Stefan Savage, UCSD *)

41 Efficient high-pass filters for content  Only want to keep state for prevalent substrings  Chicken vs egg: how to count strings without maintaining state for them?  Multi Stage Filters: randomized technique for counting “heavy hitter” network flows with low state and few false positives [Estan02] -Instead of using flow id, use content hash Rabin Fingerprints with Mandber’s Value sampling -Three orders of magnitude memory savings (Stefan Savage, UCSD *)

42 Field Extraction Comparator Counters Hash 1 Hash 2 Hash 3 Stage 1 Stage 2 Stage 3 ALERT ! If all counters above threshold Finding “heavy hitters” via Multistage Filters Increment (Stefan Savage, UCSD *)

43 Multistage filters in action Grey = other hahes Yellow = rare hash Green = common hash Stage 1 Stage 3 Stage 2 Counters Threshold... (Stefan Savage, UCSD *)

44  Naïve implementation might maintain a list of sources (or destinations) for each string hash  But dispersion only matters if its over threshold -Approximate counting may suffice -Trades accuracy for state in data structure  Scalable Bitmap Counters -Similar to multi-resolution bitmaps [Estan03] -Reduce memory by 5x for modest accuracy error Observation: High address dispersion is rare too (Stefan Savage, UCSD *)

45 Scalable Bitmap Counters  Hash : based on Source (or Destination)  Sample : keep only a sample of the bitmap  Estimate : scale up sampled count  Adapt : periodically increase scaling factor  With 3, 32-bit bitmaps, error factor = 28.5% 11 Hash(Source) Error Factor = 2/(2 numBitmaps -1) (Stefan Savage, UCSD *)

46 Content sifting summary  Index fixed-length substrings using incremental hashes  Subsample hashes as function of hash value  Multi-stage filters to filter out uncommon strings  Scalable bitmaps to tell if number of distinct addresses per hash crosses threshold  Now its fast enough to implement (Stefan Savage, UCSD *)

47 Software prototype: Earlybird AMD Opteron 242 (1.6Ghz) Linux 2.6 Libpcap EB Sensor code (using C) EarlyBird Sensor TAP Summary data Reporting & Control EarlyBird Aggregator EB Aggregator (using C) Mysql + rrdtools Apache + PHP Linux 2.6 Setup 1: Large fraction of the UCSD campus traffic, Traffic mix: approximately 5000 end-hosts, dedicated servers for campus wide services (DNS, , NFS etc.) Line-rate of traffic varies between 100 & 500Mbps. Setup 2: Fraction of local ISP Traffic, Traffic mix: dialup customers, leased-line customers Line-rate of traffic is roughly 100Mbps. To other sensors and blocking devices (Stefan Savage, UCSD *)

48 Content Sifting in Earlybird KEYRepeatsSourcesDestinations Found ADTEntry? Key = RabinHash(“IAMA”) (0.349, 0.037) IAMAWORM ADTEntry=Find(Key) (0.021) Address Dispersion Table Prevalence Table YES is prevalence > thold YES value sample key NO Update Multistage Filter ( 0.146) Update Entry (0.027) Create & Insert Entry (0.37) 2MB Multi-stage Filter Scalable bitmaps with three, 32-bit stages Each entry is 28bytes. (Stefan Savage, UCSD *)

49 Content sifting overhead  Mean per-byte processing cost microseconds, without value sampling microseconds, with 1/64 value sampling (~60 microseconds for a 1500 byte packet, can keep up with 200Mbps)  Additional overhead in per-byte processing cost for flow-state maintenance (if enabled): microseconds (Stefan Savage, UCSD *)

50 Experience  Quite good. -Detected and automatically generated signatures for every known worm outbreak over eight months -Can produce a precise signature for a new worm in a fraction of a second -Software implementation keeps up with 200Mbps  Known worms detected: -Code Red, Nimda, WebDav, Slammer, Opaserv, …  Unknown worms (with no public signatures) detected: -MsBlaster, Bagle, Sasser, Kibvu, … (Stefan Savage, UCSD *)

51 Sasser (Stefan Savage, UCSD *)

52 False Negatives  Easy to prove presence, impossible to prove absence  Live evaluation: over 8 months detected every worm outbreak reported on popular security mailing lists  Offline evaluation: several traffic traces run against both Earlybird and Snort IDS (w/all worm-related signatures) -Worms not detected by Snort, but detected by Earlybird -The converse never true (Stefan Savage, UCSD *)

53 False Positives  Common protocol headers -Mainly HTTP and SMTP headers -Distributed (P2P) system protocol headers -Procedural whitelist Small number of popular protocols  Non-worm epidemic Activity -SPAM -BitTorrent GNUTELLA.CONNECT /0.6..X-Max-TTL:.3..X-Dynamic-Qu erying:.0.1..X-V ersion: X -Query-Routing: User-Agent:.LimeWire/ Vendor-Message:.0.1..X-Ultrapee r-Query-Routing: (Stefan Savage, UCSD *)