Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

What is a worm?
- Self-replicating/self-propagating programs
- Spread from system to system without user interaction
- Find vulnerabilities in systems and use them to spread
- Spread via the network
- Different from a virus, which requires user interaction

Danger?
- Take over systems
- Access sensitive information
  - Passwords, credit card numbers, patient records, ...
- Disrupt system functions
  - Government, nuclear power plants, hospitals
- DDoS attacks
- Bandwidth saturation

Code Red (CRv1), July 13th, 2001
- Exploited Microsoft IIS vulnerabilities
- Each infected system scanned random 32-bit IP addresses to attack
- A bug in the random number generator resulted in linear spread

Code Red I (CRv2), July 19th, 2001
- Same as CRv1 but with the random number generator bug fixed
- DDoS payload targeting the IP address of ...
- A bug in the code made it die for dates >= the 20th of the month

Code Red II, August 4th, 2001
- Not related to Code Red (only a comment in the code says "Code Red")
- Exploited a buffer overflow in the MS IIS web server
- Installed a remote root backdoor that could be used for anything

Nimda, September 18th, 2001
- Multiple methods of spreading
  - MS IIS vulnerability
  - Copying over network shares
  - Web page infection
  - Scanning for the backdoor left by Code Red II
- From no probing to 100 probes/sec in just 30 minutes

Sapphire/Slammer/SQLSlammer, January 25th, 2003
- Exploited an MS SQL Server buffer overflow
- Fastest spreading worm
- Peak rate of 55 million scans/sec after just 3 minutes
- Rate slowed down because of bandwidth saturation
- No malicious payload; the saturated bandwidth alone knocked many servers off the network

Slammer effect: before and after 30 minutes (figure slide; the images are not in the transcript)
- What if Slammer had had a malicious payload?

Used techniques
- Random scanning
  - Code Red, Code Red I
- Localized scanning
  - Code Red II
  - Machines in the same network are more likely to run the same software
- Multi-vector
  - Nimda
  - Several methods of spreading

Possible techniques 1: hit-list scanning
- The first 10k infections are the hardest
- Use a list of 10k-50k vulnerable machines
- Several methods to generate the list
  - Stealthy scan: a random scan taking several months
  - Distributed scan: using already compromised hosts
  - DNS search: already known servers such as mail/web servers
  - Just listening: P2P networks advertise their servers; previous worms advertised many servers

Possible techniques 2: permutation scanning
- A random scan probes the same host multiple times
- Use a permutation of the IP address space instead
- When an already infected host is found, restart from a random point in the permutation
- Self-coordinated, comprehensive scanning
- Very high infection rate

Possible techniques 3: Warhol worm
- Hit-list and permutation scanning combined
- Starts off quickly with a high infection rate
- Simulation shows 99.99% of 300k hosts infected in less than 15 min.
- Many other techniques
  - Topological scanning: use info from the infected machine to spread to machines in the same subnet
  - Flash worm: using high bandwidth with a compressed hit-list
  - Stealth worms: web servers to clients, P2P

Dealing with the worm threat
- Prevention
  - Prevent vulnerabilities by secure coding practices
  - Patching software
  - Heterogeneity of the network
- Treatment
  - Patching after the outbreak
  - Virus scanning
- Containment

- Incoming
  - Black list
  - Signature-based detection
  - Identify the scanning characteristics of worms
- Outgoing
  - TCP connection threshold
  - Use worm signatures for outbound traffic
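The outbound "TCP connection threshold" bullet is the part of containment a host or edge device can act on locally. The following is an added example, not code from the slides or from any of the papers they cite: a per-host throttle that counts first contacts (connections to destinations the host has never talked to before) inside a sliding window and contains the host once that count passes a threshold. The threshold and window values, the host addresses and the connection records are all constructed for the example.

```python
from collections import defaultdict, deque

THRESHOLD = 5   # first contacts allowed per window (assumed value, tune per site)
WINDOW = 1.0    # sliding window length in seconds (assumed value)


class FirstContactThrottle:
    """Flags a host whose rate of connections to new destinations looks like scanning.

    Repeat connections to an already-contacted destination are ignored, so a busy
    but well-behaved server talking to a few peers is not throttled; a scanner
    touching many fresh addresses per second is."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(set)        # src -> destinations already contacted
        self.recent = defaultdict(deque)    # src -> timestamps of recent first contacts
        self.contained = set()              # hosts whose outbound traffic is now dropped

    def observe(self, ts, src, dst):
        """Return True if this connection should be dropped."""
        if src in self.contained:
            return True
        if dst in self.seen[src]:
            return False                    # repeat contact: not a scan indicator
        self.seen[src].add(dst)
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                # expire first contacts older than the window
        if len(window) > self.threshold:
            self.contained.add(src)
            return True
        return False


# Constructed sample: (timestamp in seconds, source host, destination host).
# 10.0.0.5 behaves normally; 10.0.0.9 hits eight new addresses in under half a second.
SAMPLE_CONNECTIONS = [
    (0.0, "10.0.0.5", "10.0.1.10"),
    (0.2, "10.0.0.5", "10.0.1.11"),
    (0.4, "10.0.0.5", "10.0.1.10"),
    (1.5, "10.0.0.5", "10.0.1.12"),
    (2.0, "10.0.0.5", "10.0.1.11"),
] + [(3.0 + 0.05 * i, "10.0.0.9", f"203.0.113.{i + 1}") for i in range(8)]


def run(connections, threshold=THRESHOLD, window=WINDOW):
    """Feed connection records through the throttle; return contained hosts and verdicts."""
    throttle = FirstContactThrottle(threshold, window)
    verdicts = [(src, dst, throttle.observe(ts, src, dst)) for ts, src, dst in connections]
    return sorted(throttle.contained), verdicts


if __name__ == "__main__":
    contained, verdicts = run(SAMPLE_CONNECTIONS)
    print("contained hosts:", contained)
    for src, dst, dropped in verdicts:
        print(f"{src} -> {dst}: {'DROP' if dropped else 'allow'}")
```

With the sample data the scanner is contained on its sixth first contact, so its last three connections are dropped while none of the normal host's traffic is touched. Choosing the threshold is the real work: too low and a patch-management server or a mail relay gets quarantined, too high and a slow scanner stays under it, which is exactly the trade-off the later "false positive" slide raises.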

Detection: signature based
- Attack signature
  - A description which represents a particular attack or action
  - E.g., a classic antivirus signature
- Vulnerability signature
  - A description of the class of vulnerable systems
  - E.g., "Windows XP, SP2, not patched since 10/1/2004"
  - A description of how to exploit a particular vulnerability
- Behavioral signatures
  - A behavior necessary for a class of worms (e.g., scanning)
  - A behavior common to many implementations (half-open connections)
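The three signature kinds on this slide match against different data: an attack signature looks at packet content, a vulnerability signature looks at a host inventory, and a behavioral signature looks at connection state. The following is an added example, not code from the slides, that applies one of each to constructed records. The byte pattern, the inventory entries and the flow records are made up for the example; the vulnerability signature is the slide's own "Windows XP, SP2, not patched since 10/1/2004", and the half-open thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import date

# 1. Attack signature: a byte pattern identifying one exploit's traffic.
#    Constructed for this example; it is not a real worm's signature.
ATTACK_SIGNATURES = {
    "demo-cgi-overflow": re.compile(rb"GET /vuln\.cgi\?A{64,}"),
}


def match_attack(payload: bytes):
    """Return the names of the attack signatures found in a payload."""
    return [name for name, pat in ATTACK_SIGNATURES.items() if pat.search(payload)]


# 2. Vulnerability signature: describes the class of exposed hosts rather than
#    the exploit, so it stays valid however the worm's bytes change.
VULN_SIGNATURE = {"os": "Windows XP", "service_pack": 2, "patched_before": date(2004, 10, 1)}


def is_vulnerable(host: dict, sig=VULN_SIGNATURE) -> bool:
    """True when an inventory record falls inside the vulnerable class."""
    return (host["os"] == sig["os"]
            and host["service_pack"] == sig["service_pack"]
            and host["last_patch"] < sig["patched_before"])


# 3. Behavioral signature: a scanner leaves many half-open connections
#    (SYN sent, handshake never completed) because most probed addresses
#    do not answer. Thresholds are assumed values.
HALF_OPEN_MIN_ATTEMPTS = 10
HALF_OPEN_RATIO = 0.8


def scanning_hosts(flows):
    """flows: (src, dst, state) with state 'SYN_SENT' or 'ESTABLISHED'."""
    attempts = defaultdict(int)
    half_open = defaultdict(int)
    for src, _dst, state in flows:
        attempts[src] += 1
        if state == "SYN_SENT":
            half_open[src] += 1
    return sorted(src for src, n in attempts.items()
                  if n >= HALF_OPEN_MIN_ATTEMPTS and half_open[src] / n >= HALF_OPEN_RATIO)


# Constructed sample data.
SAMPLE_PAYLOADS = {
    "benign": b"GET /index.html HTTP/1.0\r\n",
    "exploit": b"GET /vuln.cgi?" + b"A" * 300 + b" HTTP/1.0\r\n",
}
SAMPLE_HOSTS = [
    {"name": "ws1", "os": "Windows XP", "service_pack": 2, "last_patch": date(2004, 9, 15)},
    {"name": "ws2", "os": "Windows XP", "service_pack": 2, "last_patch": date(2004, 11, 2)},
    {"name": "ws3", "os": "Windows 2000", "service_pack": 4, "last_patch": date(2004, 9, 15)},
]
SAMPLE_FLOWS = (
    [("10.0.0.9", f"203.0.113.{i}", "SYN_SENT") for i in range(1, 19)]
    + [("10.0.0.9", "203.0.113.19", "ESTABLISHED"), ("10.0.0.9", "203.0.113.20", "ESTABLISHED")]
    + [("10.0.0.5", "10.0.1.10", "ESTABLISHED")] * 12
)


def report():
    """Run all three signature kinds over the sample data."""
    return {
        "attack": {k: match_attack(v) for k, v in SAMPLE_PAYLOADS.items()},
        "vulnerable": [h["name"] for h in SAMPLE_HOSTS if is_vulnerable(h)],
        "scanners": scanning_hosts(SAMPLE_FLOWS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Each signature kind fails differently: the attack signature misses a polymorphic variant, the vulnerability signature depends on an accurate inventory, and the behavioral signature needs enough attempts before its ratio means anything, which is why the slide lists all three rather than one.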

Detection: runtime analysis
- Mark all data from unsafe sources, and data derived from it, as dirty
- Any attempt to execute it is signaled as a possible threat
- Generate Self-Certifying Alerts and distribute them to peers using an overlay; peers only run overlay code, so they are less susceptible to attacks
- Each host verifies the alert in a VM and, if the vulnerability is found, generates a filter
- Multiple filters to prevent false positives
  - Generic filter: disjunction of multiple specific conditions
  - Specific filter: more stringent conditions
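The slide compresses a whole pipeline into five bullets: taint the input, catch it at the execution sink, package the trigger as an alert a peer can re-run, and turn the confirmed alert into filters. The following is an added example, not code from the slides or from the Vigilante system they describe: a toy taint-tracking model of a constructed vulnerable request handler (a 4-byte header followed by a body copied into an 8-byte buffer that sits in front of a saved control-flow target), a detector that emits an alert carrying the triggering bytes, a peer-side verifier that replays them, and the two filter kinds derived from the confirmed alert. The service layout, the request formats and the filter construction are all assumptions made for the example.

```python
class Tainted:
    """Bytes tagged with whether they derive from an untrusted source and, if so,
    the offset in the original input they came from. Slicing propagates the tag."""

    def __init__(self, data, tainted=False, origin=0):
        self.data, self.tainted, self.origin = data, tainted, origin

    def slice(self, start, stop):
        return Tainted(self.data[start:stop], self.tainted, self.origin + start)


class TaintViolation(Exception):
    """Raised when tainted data is about to be used as a control-flow target."""

    def __init__(self, origin):
        super().__init__(f"control-flow target derived from input offset {origin}")
        self.origin = origin


HEADER_LEN, BUF_LEN = 4, 8   # layout of the constructed toy service


def toy_service(request):
    """Constructed vulnerable handler: a body longer than the 8-byte buffer
    overwrites the saved target with bytes taken straight from the request."""
    body = request.slice(HEADER_LEN, len(request.data))
    target = Tainted(b"\x00\x40\x00\x00")            # trusted saved address
    if len(body.data) > BUF_LEN:                       # overflow clobbers the target
        target = body.slice(BUF_LEN, BUF_LEN + 4)
    if target.tainted:                                 # the taint check at the sink
        raise TaintViolation(target.origin)
    return request.slice(0, HEADER_LEN).data           # normal reply echoes the header


def generate_alert(request_bytes):
    """Host-side detector: run the request with its bytes marked dirty. On a
    violation, emit an alert carrying the exact trigger so peers can re-check it."""
    try:
        toy_service(Tainted(request_bytes, tainted=True))
    except TaintViolation as v:
        return {"service": "toy_service", "trigger": request_bytes, "offset": v.origin}
    return None


def verify_alert(alert):
    """Peer-side check: replay the trigger in the local sandbox. The alert is
    accepted only if it reproduces the violation, so the sender need not be trusted."""
    return generate_alert(alert["trigger"]) is not None


def make_filters(alert):
    """Specific filter: the exact trigger bytes. Generic filter: the condition the
    sandbox observed (input long enough to reach the clobbered offset), which also
    catches variants of the same exploit but can match long benign requests."""
    offset = alert["offset"]
    specific = lambda req: req == alert["trigger"]
    generic = lambda req: len(req) > offset
    return specific, generic


# Constructed traffic: a normal request, the exploit, and a variant with different bytes.
NORMAL_REQUEST = b"PING" + b"hello"
EXPLOIT_REQUEST = b"PING" + b"A" * 8 + b"\xef\xbe\xad\xde" + b"padding"
VARIANT_REQUEST = b"PONG" + b"B" * 8 + b"\x01\x02\x03\x04"


def demo():
    """Detect, verify, derive filters, and show what each filter blocks."""
    alert = generate_alert(EXPLOIT_REQUEST)
    assert alert is not None and verify_alert(alert)
    specific, generic = make_filters(alert)
    return {
        "offset": alert["offset"],
        "normal_blocked": generic(NORMAL_REQUEST),
        "exploit_blocked": specific(EXPLOIT_REQUEST) and generic(EXPLOIT_REQUEST),
        "variant_blocked_specific": specific(VARIANT_REQUEST),
        "variant_blocked_generic": generic(VARIANT_REQUEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verification step is what makes the alert self-certifying: a peer accepts it because the replay reproduces the violation in its own sandbox, not because of who sent it. The two filters then show the trade-off the slide's last bullet refers to: the specific filter cannot match the variant, while the generic one does but would also block any benign request long enough to reach the same offset, so a deployment combines them rather than relying on either alone.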

Thoughts: detection
- Polymorphic worms
  - Obfuscation, encryption
- False positives
  - An attacker generates suspicious traffic with byte strings that are common in normal traffic
- Signature generation time
- Dynamic taint analysis: expensive, or low coverage and resource-hungry

Thoughts: distribution/deployment
- Pervasive P2P collaboration
  - E2E detection and distribution
- Secure communication
  - Overlay?
- Intrusion detection systems?
- Honeypots, honeyfarms?

Remarks
- Future worms will be more aggressive
- Need automatic detection mechanisms
  - No global answer; need to apply all the techniques
- Network-level detection has limitations because of limited/no knowledge of software vulnerabilities
- E2E detection, secure P2P distribution of worm information