Active Worm and Its Defense1 CSE651: Network Security

Active Worm and Its Defense 1

Active Worm and Its Defense

CSE651: Network Security


Worm vs. Virus

Worm A program that propagates itself over a

network, reproducing itself as it goes Virus

A program that searches out other programs and infects them by embedding a copy of itself in them


Active Worm VS [D]DoS

DDoS stands for Distributed Denial of Service attacks

Propagation method Goal: congestion, resource

appropriation Rate of distribution Scope of infection


History

http://snowplow.org/tom/worm/history.html Morris Worm, first worm ”virus”, released on

November 2, 1988 by Robert Tappan Morris who was then a 23 year old doctoral student at Cornell University

Code-Red worm in July 2001 infected more than 350,000 Microsoft IIS servers. The attack finished in 14 hours

Slammer worm in January 2003 that infected nearly 75,000 Microsoft SQL servers. Attack finished in less than one hour

MyDoom worm in February 2004 infected lots of hosts which automatically and successfully DDoS attacked a few popular websites


The Morris Worm of 1988

First “worm” program Released by Robert T Morris of Cornell University Affected DEC’s VAX and Sun Microsystems’s Sun 3 systems

Spread ~6000 victims i.e., 5-10% of hosts at that time more machines disconnected from the net to avoid

infection

Cost Some estimate: $98 million Other reports: <$1 million

Triggered the creation of CERT (Computer Emergency Response Team)


Recent Worms

July 13, 2001, Code Red V1

July 19, 2001, Code Red V2

Aug. 04, 2001, Code Red II

Sep. 18, 2001, Nimbda

…

Jan. 25, 2003, SQL Slammer

More recent SoBigF, MSBlast …


How an Active Worm Spreads

Autonomous No need of human interaction

infected machine machine

scanprobe

transfer copy


Basic Propagation Method

Network Worm: Using port scan to find vulnerabilities of the targets

Application Worm: Propagate through email, Instance Messaging, file sharing on operation systems, P2P file sharing systems, or other applications

Hybrid Worm


Delivery Method

How is worm code is delivered to vulnerable hosts

Self-contained Self-propagation: Each newly infected host becomes the new source and sends worm code to other hosts infected by it

Embedded: Embedded with infected files, such as emails, shared files

Second Channel: The newly infected host uses second channel such as TFTP (Trivial File Transfer Protocol) to download the worm code from a center source


Scanning Strategy (1)

Random scanning Probes random addresses in the IP address space (CRv2)

Selective random scanning A set of addresses that more likely belong to existing

machines can be selected as the target address space.

Hitlist scanning Probes addresses from an externally supplied list

Topological scanning Uses information on the compromised host (Email worms)

Local subnet scanning Preferentially scans targets that reside on the same

subnet. (Code Red II & Nimbda Worm)


Scanning Strategy (2)

Routable scanning Choose routable IP addresses as the target of scan

DNS scanning Choose hosts with DNS name as the target of scan

Permutation scanning Each new infected host gets a different IP addresses block


Synchronization between Infected Hosts (or Worm Instances)

Asynchronized Each infected host behavior individually

without synchronization with other infected hosts

Synchronized Infected hosts synchronized with each

other by central server etc.


Propagation Activity Control

Non-stopping Keep port scanning and never stop

Time Control Preset stopping timer and restart timer and use

those timers to control the port scan activities

Self-Adjustment Self-control according to the environment (Atak

worm) or the estimation of the infected host amount (Self-Stop worm)

Centralized Control Controlled by the attacker


Scan Rate

Constant Scan Rate Each infected host keeps a constant scan rate

which is limited by the computation ability and outgoing bandwidth of the host.

Random Varying Scan Rate Randomly change the scan rate.

Smart Varying Scan Rate Change the scan rate smartly according to certain

rule according to the attack policy and the environment.

Controlled Varying Scan Rate Change the scan rate according to the attacker’s

control command.


Modularity

Non-Modular Modular

Use modular design in the worm code, so that new attack modules can be sent to the infected hosts and plugged in after the infection.


Organization

Decentralized There is no organization or cooperation

among infected hosts, and there is no communication between the infected hosts and the attacker.

Centralized Organization Organized by Internet Relay Chat (IRC) or

other methods like botnets do, so that the attacker can control the infected hosts.


Payload with the worm code

Spamming Code competent to carry out spamming.

DDoS Attack Code competent to carry out DDoS attacks.

Sniffing Code competent to watch for interesting clear-text

data passing by the infected hosts. Spyware

Spyware code. Keylogging

Code competent to remember and retrieve the passwords on the infected hosts.

Data Theft Code competent to steal privacy data.


Techniques for Exploiting Vulnerability fingerd (buffer overflow) sendmail (bug in the “debug mode”) rsh/rexec (guess weak passwords)


Active Worm Defense

Modeling Infection Mitigation


Worm Behavior Modeling (1)

Propagation model

titiNVrtd

tdi 1**)/*(

• V is the total number of vulnerable nodes• N is the size of address space• i(t) is the percentage of infected nodes among V• r is the scan rate of the worm

)/*1(*))(***()(* NVtitdVtirtdiV


Worm Behavior Modeling (2)

Propagation model

•M(i): the number of overall infected hosts at time i• N(i): the number of un-infected vulnerable hosts at time i• E(i): the number of newly infected hosts from time tick i to time i+1 .• T: the total number of IP addresses, i.e., 232 for IPv4. • N(0): the number of vulnerable hosts on the Internet before the

worm attack starts. • E(0) = 0, M(0) = M0.


Modeling P2P-based Active Worm Attacks

Basic worm attack strategiesPure Random-based Scan (PRS)

• Randomly select the attack victim• Adopted by Code-Red-I and Slammer

P2P based attack strategies Offline P2P-based Hit-list Scan (OPHLS)Online P2P-based Scan (OPS)Both strategies exploit P2P system

features


Background: P2P SystemsHost-based overlay systemStructured and unstructuredRich connectivityVery popular

– 3,467,860 users in the FastTrack P2P system; – 1,420,399 users in the eDonkey P2P system; – 1,155,953 users in the iMesh P2P system;

– 103,466 users in the Gnutella P2P system.


Two P2P-based Worm Attack Strategies

Offline P2P-based Hit-list Scan (OPHLS) Offline collect P2P host addresses as a hit-list Attack the hit-list first Attack Internet via PRS

Online P2P-based Scan (OPS) Use runtime P2P neighbor information Attack P2P neighbors Extra attack resource applied to attack Internet

via PRS


Online-based P2P Worm Attack Strategy


Performance Comparison of Attack Strategies

Attack Performance vs. Scan Approaches

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

45 50 55 60 65 70 75

Time

Infe

ctio

n R

atio

PRS

OPHLS

OPSS

• The P2P-based attack strategies overall outperforms the PRS attack strategy

• OPHLS attack strategy achieves the best performance compared to all other online-based attack strategies


Sensitivity of Attack to P2P System Size

The Sensitivity of P2P System Size

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

45 50 55 60 65 70

Time

Infe

ctio

n R

atio

PRS

OPSS(1000)

OPSS(5000)

OPSS(10000)

OPUS(1000)

OPUS(5000)

OPUS(10000)

• With the P2P size increases, the attack performance becomes consistently better for all attack strategies


Detection

Host-based detection Network-based detection

Detecting large scale worm propagation Global distributed traffic monitoring

framework Distributed monitors and data center Worm port scanning and background port

scanning


Distributed Worm Monitoring Systems


Detection Schemes

Worm behavior Pure random scan Each worm instance takes part in attack all the time Constant scan rate Overall port scanning traffic volume implies the

number of worm instances (infected hosts). Total number of worm instances and overall port

scanning traffic volume increase exponentially during worm propagation.

Count-based and trend-based detection schemes


Infection Mitigation

Patching Filtering/intrusion detection (signature based)

DAW (Distributed Anti-Worm Architecture)

TCP/IP stack reimplementation, bound connection requests


Goals of DAW

Impede worm progress, allow human intervention

Detect worm-infected clients Ensure congestion issues minimized –

little routing performance impact

Shigang Chen and Yong Tang. Slowing down internet worms. In Proceedings of 24th International Conference on Distributed Computing Systems, March 2004.


DAW

Requirements Distributed, sensors act independently NIDS (rather than HIDS) Limited responsibility, ensures availability of

nodes


DAW


Active Worm Detection in DAW

User behavior Few failed

connections (DNS) Predictable traffic

generation throughout “day”

Relatively uniform intranet traffic distribution

Worm behavior Sampling shows

99.96% failure in scan rate

Spikes in failure:request ratio

Traffic pattern disproportionately favors infected clients


Active Worm -Failures

TCP only, random scanning ICMP Unreachable/TCP-RST response 99.96% failure 80/tcp

sf rN

Vr

'1


Summary Worms can spread quickly:

359,000 hosts in < 14 hours Home / small business hosts play significant

role in global internet health No system administrator slow response Can’t estimate infected machines by # of unique IP

addresses• DHCP effect appears to be real and significant

Active Worm Defense Modeling Infection Mitigation

Documents

Active Worm and Its Defense1 CSE651: Network Security