Sigurnost računala i podataka (Computer and Data Security)

Mario Čagalj, Sveučilište u Splitu, 2013/2014.

Posted 13-Jan-2016

TRANSCRIPT

Page 1: Sigurnost računala i podataka

Sigurnost računala i podataka (Computer and Data Security)

Mario Čagalj, Sveučilište u Splitu, 2013/2014.

Page 2: Sigurnost računala i podataka

Malicious Software

Sources:
- Internet Security & Worms, by Prasad S. Athawale (University at Buffalo)
- Computer Security: Principles and Practice, by William Stallings and Lawrie Brown
- Code Red Worm Propagation Modeling and Analysis, by Zou et al.

Produced by Mario Čagalj

Page 3: Sigurnost računala i podataka

Malicious Software

- Programs exploiting computing system vulnerabilities are known as malicious software or malware
- Malware can be divided into two categories:
  - Program fragments that need a host program (parasitic malware), e.g. viruses, logic bombs, and backdoors: they cannot exist independently of some actual application program, utility, or system program
  - Independent, self-contained programs, e.g. worms, bots: they can be run directly by the operating system
- We also differentiate between software threats that
  - do not replicate: activated by a trigger (e.g., logic bombs, bots)
  - do replicate/propagate themselves (e.g., viruses and worms)

Page 4: Sigurnost računala i podataka

Malicious Software

Taxonomy of malicious programs:

Malicious programs
  Need host program: trapdoors, logic bombs, Trojan horses, viruses
  Independent: worms, zombies (bots)
  Replicate: viruses, worms

Page 5: Sigurnost računala i podataka

Malware Terminology (1/3)

- Virus: A piece of code that inserts itself into a host program (infects it). It cannot run independently; it requires that its host program be run to activate it.
- Worm: A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
- Logic bomb: A program inserted into software by an intruder. It executes on a specific condition (trigger). Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date.

Logic bomb sketch (pseudocode from the slide):

    legitimate code
    if date is Friday the 13th:
        crash_computer();
    legitimate code

Page 6: Sigurnost računala i podataka

Malware Terminology (2/3)

- Trojan horse: Programs that appear to have one (useful) function but actually perform another (malicious) function, without the user's knowledge.
- Backdoor (trapdoor): Any mechanism that bypasses a normal security check. It is code that recognizes, for example, some special input sequence; programmers can use backdoors legitimately to debug and test programs.

Backdoor sketch (pseudocode from the slide; the hard-coded username bypasses the password check entirely):

    username = read_username();
    password = read_password();
    if username is "112_h4ck0r":
        return ALLOW_LOGIN;
    if username and password are valid:
        return ALLOW_LOGIN;
    else:
        return DENY_LOGIN;

Page 7: Sigurnost računala i podataka

Malware Terminology (3/3)

- Exploit: Malicious code specific to a single vulnerability.
- Keylogger: Captures keystrokes on a compromised system.
- Rootkit: A set of hacker tools installed on a computer system after the attacker has broken into the system and gained administrator (root-level) access.
- Zombie, bot: Program on an infected machine, activated to launch attacks on other machines.
- Spyware: Collects info from a computer and transmits it to another system.

Page 8: Sigurnost računala i podataka

Internet Worms

Page 9: Sigurnost računala i podataka

Internet Worms

Self-replicating program that propagates over the Internet:
- Using email: a worm mails a copy of itself to other systems
- Remote execution capability: a worm executes a copy of itself on a remote system, either using an explicit remote execution facility or by exploiting a flaw (e.g., a buffer overflow) in some network service
- Remote login: a worm logs onto a remote system as a user and then uses commands to copy itself from one system to the remote system

Page 10: Sigurnost računala i podataka

Internet Worms: Uses/Applications

- Launch a DDoS
- Access to sensitive information
- Spread disinformation
- Unknown reasons: most generally the need to be recognized and famous (it has never turned out to be an accident)

Page 11: Sigurnost računala i podataka

Worm Operation

Has phases like a virus:
- Dormant phase: the worm is idle, waiting for a trigger event (e.g., date, time, program)
- Propagation phase: the worm searches for other systems, connects to one, copies itself to it and runs (the copy may not be identical; it morphs to avoid detection)
- Triggering phase: the worm is activated by some trigger event to perform its intended function
- Execution phase: the intended function is performed, e.g., a DDoS attack on a specified target

Page 12: Sigurnost računala i podataka

Worm Operation: Propagation Phase

To propagate, a worm generally performs the following functions:
- Search for other systems to infect by examining different repositories of remote system addresses
  - IP address-space probing to detect vulnerable targets
  - Note that this active acquisition/search phase is not present in viruses
- Establish a connection with a remote system
- Copy itself to the remote system and cause the copy to be run

Page 13: Sigurnost računala i podataka

Generalized Worm Propagation Model

- In the first stage the infected host searches for vulnerable targets
- When a target is found, the infected host tries to deliver malcode to the selected target
- By executing the malcode, the target host is compromised
- Once the system is compromised, some malware can perform additional tasks; payload refers to those additional tasks performed by a worm (DoS, installing backdoors, self-replication)

Page 14: Sigurnost računala i podataka

Actions in Each of the Stages

- The target selecting stage
  - Random IP address probing
  - Harvesting email addresses (e.g., from the address book)
  - Through file sharing systems
- The malcode delivery stage (only a part of the malcode may be sent in this stage)
  - A payload associated with buffer overflows
  - Using mail or messaging services
  - Specially crafted HTML pages hosted on a web server
- Compromising the system
  - Execute the malcode: email vulnerabilities, user intervention, automatic execution
  - E.g., buffer overflow, backdoors, etc.

Page 15: Sigurnost računala i podataka

Worm Propagation in Real Life

Page 16: Sigurnost računala i podataka

Morris Worm (Robert Morris, 1988)

- To propagate, the worm's first task was to discover other hosts known to the first infected host that would allow entry from this host
  - It examined system tables that declare which other machines were trusted by this host, users' mail forwarding files, remote access control tables, and reports from services that reported the status of network connections
- For each discovered host, various attacks on UNIX systems:
  - Cracking the password file to use a login/password to log on to other systems
  - Exploiting a bug in the finger protocol
  - Exploiting a bug in sendmail
- If any of the three above succeeded, the worm had remote shell access
  - It sent a bootstrap program to the compromised machine's operating system
  - The bootstrap program called back the parent program and downloaded the remainder of the worm to copy it over
- About 4000 of the Internet's approximately 60,000 (at that time) hosts were infected within 16 hours of the worm's deployment

Page 17: Sigurnost računala i podataka

Code Red (July 2001)

- The Code Red worm spreads via a buffer overflow in the Microsoft Internet Information Server's (IIS) Indexing Services
  - Infection begins by issuing an HTTP GET command to a vulnerable IIS system
- The worm probes random IP addresses to spread to other hosts
  - During a certain period of time, it only spreads
  - It then initiates a denial-of-service attack against a government Web site by flooding the site with packets from numerous hosts
- Code Red I v2 infected nearly 360,000 servers in 14 hours
  - Caused problems to infected servers
  - But more importantly, consumed a significant amount of Internet capacity
- Code Red II is a variant that also targets Microsoft IIS
  - It also installs a backdoor, allowing a hacker to remotely execute commands on victim computers

Page 18: Sigurnost računala i podataka

The Spread of Code-Red v2

[Figure: the spread of Code-Red v2; source: http://www.caida.org/research/security/code-red/coderedv2_analysis.xml]

Page 19: Sigurnost računala i podataka

SQL Slammer (January 2003)

- Exploited a buffer overflow in Microsoft SQL Server
  - A single short (400 bytes) packet to UDP port 1434 was sufficient
- The worm infected more than 90 percent of vulnerable hosts within 10 minutes
  - Causing significant disruption to financial, transportation, and government institutions and precluding any human-based response
  - No malicious content, but it simply overloaded networks
- The worm's spreading strategy uses random scanning
  - It randomly selects IP addresses, eventually finding and infecting all susceptible hosts
- Slammer spread nearly two orders of magnitude faster than Code Red, yet it infected fewer machines
- The fastest computer worm in history (full scanning rate of 55 million scans per second after only 3 minutes)

Page 20: Sigurnost računala i podataka

The Spread of SQL Slammer

Faster than Code Red (CR):
- Slammer is bandwidth-limited (its scanner is only 400 bytes long; a single UDP packet could exploit the SQL Server vulnerability)
- CR is latency-limited (its scanner does a TCP handshake and therefore has to wait to receive the SYN/ACK packet from the target)
- However, Slammer's author made several mistakes in the random number generator (many active IP addresses were simply skipped, hence fewer infections)

[Figure: probe rates of Code Red v2 and Slammer over time; Slammer saturated the network with its scans]

Page 21: Sigurnost računala i podataka

Modelling Propagation of Worms

Page 22: Sigurnost računala i podataka

Why Modelling?

- Worms spread at an exponential rate
  - E.g., 10M hosts in < 5 minutes
  - Hard to deal with by manual intervention
  - How to protect our systems? What are the possible effects?
- To be able to defend against future worms, we need to understand
  - Worm propagation patterns
  - The impact of human countermeasures (like patching the computer systems, firewalls, disconnecting devices from the network, etc.) on worm propagation
  - The impact of network traffic (recall the Slammer worm)

Page 23: Sigurnost računala i podataka

Worm Propagation Modelling: Simple Epidemic Model

- Uses the time model of infectious diseases to model worm propagation
- Three possible states: Susceptible, Infected, Quarantined/Removed
- "Infectious" hosts: continuously infect others
- "Removed" hosts in the epidemic area:
  - Recovered and immune to the virus
  - Dead because of the disease
- "Removed" hosts in the computer area:
  - Patched computers that are clean and immune to the worm
  - Computers that are shut down or cut off from the worm's circulation

Page 24: Sigurnost računala i podataka

Simple Epidemic Model

Assumptions:
- The population size (#hosts) is large
- Any host has an equal probability of contacting any other host in the system
- The number of contacts is proportional to #infectious × #susceptible

[State diagram: susceptible → infectious → removed; an infectious (I) host contacts a susceptible (S) host]

Page 25: Sigurnost računala i podataka

Classical Simple Epidemic Model

State transition (diagram: susceptible → infectious)
- N: population of hosts
- S(t): susceptible hosts at time t
- I(t): infectious hosts at time t

Page 26: Sigurnost računala i podataka

Classical General Epidemic Model (SIR)

State transition (diagram: susceptible → infectious → removed)
- N: population of hosts
- S(t): susceptible hosts
- I(t): infectious hosts
- R(t): removed from infectious at rate γ

[Plot: number of infectious hosts (×10^5) versus time, for four parameter settings: 0, N/16, N/4, N/2]

Page 27: Sigurnost računala i podataka

Are the Two SIR Models Adequate?

- The classical and general SIR models are not perfectly suitable, as human countermeasures will remove both susceptible and infectious hosts from circulation
- Human countermeasures include
  - Clean and patch: download a cleaning program, patches
  - Filter: put filters on firewalls, gateways
  - Disconnect computers (as in the case of the Code Red worm)
- Also, the infection rate is decreased because of the large amount of scan traffic (e.g., the SQL Slammer worm)

State transition (diagram: states susceptible, infectious, removed)

Page 28: Sigurnost računala i podataka

Two Factor Worm Model

Human countermeasures and decreased infection rate:
- N: population of hosts
- S(t): susceptible hosts
- I(t): infectious hosts
- J(t) = I(t) + R(t): infected hosts
- R(t): removed from infectious hosts at rate γ
- Q(t): removed from susceptible hosts at rate μ

Page 29: Sigurnost računala i podataka

Two Factor Worm Model

Human countermeasures and decreased infection rate:
- When β(t)S(t) < γ, the number of removed infectious hosts in a unit time is greater than the number of newly generated infectious hosts at the same time
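The simple epidemic, SIR and two-factor models of pages 23-29 as one numerical simulation, added here as an example (it is not code from the lecture or from Zou et al.). It assumes a fixed-step Euler integration and a congestion term β(t) = β0(1 - I/N)^η; the population size, rates and exponent used in the main block are constructed values, not measurements of any real worm.

```python
"""SI, SIR and two-factor worm propagation models (pages 23-29), integrated
with a fixed-step Euler scheme.  Added example for this lecture, not the
authors' or Zou et al.'s code; all parameter values here are constructed."""
import math


def simulate(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, t_end=200.0, dt=0.01):
    """Return a list of (t, S, I, R, Q) samples.

    beta0  initial pairwise infection rate (probe rate / address-space size)
    gamma  removal rate of infectious hosts (patching, disconnecting, filtering)
    mu     removal rate of still-susceptible hosts (patched before infection)
    eta    exponent of the congestion term beta(t) = beta0 * (1 - I/N)**eta;
           eta = 0 keeps beta constant (no Slammer-style self-throttling)
    gamma = mu = eta = 0 gives the classical simple epidemic (SI) model,
    mu = eta = 0 the general (SIR) model, otherwise the two-factor model.
    """
    S, I, R, Q, t = float(N - I0), float(I0), 0.0, 0.0, 0.0
    traj = [(t, S, I, R, Q)]
    for _ in range(int(round(t_end / dt))):
        beta = beta0 * (1.0 - I / N) ** eta   # infection rate drops with load
        J = I + R                              # hosts infected at some point
        new_inf = beta * S * I * dt            # S -> I: contacts ~ S * I
        to_R = gamma * I * dt                  # I -> R: infectious removed
        to_Q = mu * S * J * dt                 # S -> Q: susceptible removed
        S -= new_inf + to_Q
        I += new_inf - to_R
        R += to_R
        Q += to_Q
        t += dt
        traj.append((t, S, I, R, Q))
    return traj


def logistic_I(N, I0, beta, t):
    """Closed-form SI solution of dI/dt = beta*I*(N-I), to check the Euler run."""
    return N / (1.0 + (N / I0 - 1.0) * math.exp(-beta * N * t))


def peak_infectious(traj):
    """(largest number of simultaneously infectious hosts, time of that peak)."""
    t, _, I, _, _ = max(traj, key=lambda s: s[2])
    return I, t


def declining(beta_t, S_t, gamma):
    """Page 29 condition: the infectious population shrinks once beta(t)*S(t) < gamma."""
    return beta_t * S_t < gamma


if __name__ == "__main__":
    N, BETA = 360_000, 0.1 / 360_000   # constructed: 0.1 per time unit growth
    print("SI final infected:", round(simulate(N, 1, BETA)[-1][2]))
    sir = simulate(N, 1, BETA, gamma=0.05, t_end=1000)
    print("SIR peak infectious, time:", peak_infectious(sir))
```

Running it shows the slow start, fast spread and slow decay of page 30, and how the removal terms lower the peak compared with the plain SI curve.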

Page 30: Sigurnost računala i podataka

Characteristics of Worm Spreading

- Worm growth: slow start, fast spread phase, slow decay
- Speed-ups with more advanced probing techniques

Page 31: Sigurnost računala i podataka

Probing Techniques (Examples)

- Random scanning
- Local subnet scanning
- Routing worm
- Pre-generated hit list
- Topological

Page 32: Sigurnost računala i podataka

Probing Techniques: Random Scanning

- A 32-bit number is randomly generated and used as the IP address
  - Aside: IPv6 worms will be different …
- E.g., Slammer and Code Red I
- Hits black-holed IP space frequently
  - Only 28.6% of the IP space is allocated
  - Aside: worms can be tracked by monitoring unused addresses (honeypots)

Page 33: Sigurnost računala i podataka

Probing Techniques: Subnet Scanning

- Generate the last 1, 2, or 3 bytes of the IP address randomly
- Code Red II and Blaster
- Some scans must be completely random to infect the whole Internet

Page 34: Sigurnost računala i podataka

Probing Techniques: Routing Worm

- BGP information can tell which IP address blocks are allocated
- This information is publicly available
  - http://www.routeviews.org/
  - http://www.ripe.net/ris/

Page 35: Sigurnost računala i podataka

Probing Techniques: Topological

- Uses info on the infected host to find the next target
  - Morris Worm used /etc/hosts, .rhosts
  - Email address books
  - P2P software usually stores info about the peers that each host connects to

Page 36: Sigurnost računala i podataka

Probing Techniques: Hit List

- A hit list of vulnerable machines is sent with the payload
  - Determined before the worm launch by scanning
- Gives the worm a boost in the slow start phase
  - Skips the phase that follows the exponential model
  - Infection rate looks linear in the rapid propagation phase
- Can avoid detection by early detection systems

Page 37: Sigurnost računala i podataka

Warhol: Hit List + Permutation Scanning

- Infection time estimated at about 15 minutes
  - Andy Warhol: "In the future, everybody will have 15 minutes of fame."

1. Conventional (Code Red-like) worm capable of 10 scans/second
2. Fast scanning worm capable of 100 scans/second
3. Warhol worm capable of 100 scans/second using a 10,000 entry hit-list

No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms, which infect the Internet in tens of seconds!)

Page 38: Sigurnost računala i podataka

Worm Countermeasures

Page 39: Sigurnost računala i podataka

How to Mitigate the Worm Threat?

The epidemic model the three countermeasures act on:

$\frac{dS(t)}{dt} = -\beta I(t) S(t)$

$\frac{dI(t)}{dt} = \beta I(t) S(t) - \gamma I(t)$

$\frac{dR(t)}{dt} = \gamma I(t)$

with $S(0) = N$, $\beta = (\text{probe rate of worm}) / M$, where $M$ is the total population (e.g. $2^{32}$ for IPv4) and $\gamma$ is the "removal" rate.

1. Reduce # of susceptible hosts (prevention)
2. Reduce rate of infection (suppression)
3. Reduce # of infected hosts (containment)

Page 40: Sigurnost računala i podataka

Mitigating the Worm Threat

- Prevention
  - This aims to reduce the size of the vulnerable population
  - Secure programming, applying software updates, AV protection
- Patching
  - Generally, patches take days to release; only now are relatively reliable distribution networks for patches springing up
- Containment and suppression (the easiest)
  - Firewalls, content filtering, automated routing blacklists, disconnecting infected machines

Page 41: Sigurnost računala i podataka

Worm Countermeasures

- Overlaps with anti-virus techniques
  - Once a worm is on a system, A/V can detect it
- Worms also cause significant network activity
  - Scanning for other targets (scan rates 10-10000 scans/second)
- Worm defense approaches include:
  - Signature-based worm scan filtering: generates a worm scan signature to prevent worm scans from entering a network/host
  - Filter-based worm containment: focuses on worm content rather than a scan signature
  - Payload-classification-based worm containment: packet-based checks
  - Threshold random walk scan detection: exploits the randomness in picking destinations to connect to (to detect scanning)
  - Rate limiting and rate halting: limit or block outgoing traffic when a given threshold is exceeded (for fast worms)
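Threshold random walk scan detection from the list above, worked as an added example (not code from the lecture): a small implementation of the sequential hypothesis test of Jung et al. The success probabilities THETA0/THETA1, the error targets ALPHA/BETA and the connection records are constructed assumptions.

```python
"""Threshold Random Walk (TRW) scan detection, one of the worm defence
approaches on page 41.  Added example, not from the lecture; the rate
parameters and the connection records below are constructed."""
import math
from collections import defaultdict

# Probability that a connection to a *new* destination succeeds for a benign
# host (THETA0) and for a scanner (THETA1).  Assumed values.
THETA0, THETA1 = 0.8, 0.2
# Target false-positive (ALPHA) and missed-detection (BETA) rates.
ALPHA, BETA = 0.01, 0.01
UPPER = math.log((1 - BETA) / ALPHA)                # crossed -> scanner
LOWER = math.log(BETA / (1 - ALPHA))                # crossed -> benign
STEP_FAIL = math.log((1 - THETA1) / (1 - THETA0))   # > 0: failure pushes up
STEP_OK = math.log(THETA1 / THETA0)                 # < 0: success pushes down


def trw_classify(records):
    """records: iterable of (src_ip, dst_ip, succeeded) in arrival order.
    Returns {src_ip: 'scanner' | 'benign' | 'pending'}.

    Only the first contact between a source and each distinct destination
    moves that source's log-likelihood-ratio walk; a failed first contact
    (what random probing into unused address space mostly produces) pushes
    it up, a successful one pushes it down, and the first threshold crossed
    decides the source."""
    walk = defaultdict(float)
    seen = defaultdict(set)
    verdict = {}
    for src, dst, ok in records:
        if src in verdict or dst in seen[src]:
            continue                  # already decided, or repeat destination
        seen[src].add(dst)
        walk[src] += STEP_OK if ok else STEP_FAIL
        if walk[src] >= UPPER:
            verdict[src] = "scanner"
        elif walk[src] <= LOWER:
            verdict[src] = "benign"
    return {src: verdict.get(src, "pending") for src in seen}


# Constructed records: one host probing six unused addresses, one host
# talking to six live servers, one host with a short, mixed history.
SAMPLE = (
    [("10.0.0.5", f"10.1.{i}.{i}", False) for i in range(6)]
    + [("10.0.0.9", f"10.2.0.{i}", True) for i in range(6)]
    + [("10.0.0.7", "10.3.0.1", True), ("10.0.0.7", "10.3.0.2", False)]
)

if __name__ == "__main__":
    print(trw_classify(SAMPLE))
```

With these parameters four consecutive failed first contacts are enough to flag a source, which is why the method catches random scanners after only a handful of probes.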

Page 42: Sigurnost računala i podataka

Reaction Time Matters

Worm containment mechanisms should be automated:
1. Conventional (Code Red-like) worm capable of 10 scans/second
2. Fast scanning worm capable of 100 scans/second
3. Warhol worm capable of 100 scans/second using a 10,000 entry hit-list
4. SQL Slammer: 30,000 scans/second per machine (on a 100 Mbps link)

No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms, which infect the Internet in tens of seconds!)

Page 43: Sigurnost računala i podataka

Closing Words

- Worms pose an ongoing threat of use in attacks on a variety of sites and infrastructures
  - SQL Slammer affected ATMs, 911 services, caused cancelled flights, etc.
- Worms represent an extremely serious threat to the safety of the Internet
  - Warhol and flash-like worms can infect/affect the whole Internet in a matter of minutes/seconds
  - Hence the need for automated response/containment mechanisms
- Threat awareness is important (reduces the susceptible population)
  - Especially for software designers and programmers