This preview shows page 1-2-3-4-5-6-7-50-51-52-53-54-55-56-100-101-102-103-104-105-106 out of 106 pages.
Worms and BotsCS155Elie BurszteinOutline• Worm Generation 1• Botnet• Fast Flux• Worm Generation 2• Underground EconomyWorms generation 14WormA worm is self-replicating software designed to spread through the networkTypically, exploit security flaws in widely used servicesCan cause enormous damage Launch DDOS attacks, install bot networks Access sensitive informationCause confusion by corrupting the sensitive information5Cost of worm attacksMorris worm, 1988Infected approximately 6,000 machines10% of computers connected to the Internet cost ~ $10 million in downtime and cleanupCode Red worm, July 16 2001Direct descendant of Morris’ wormInfected more than 500,000 serversProgrammed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages,Love Bug worm: $8.75 billionStatistics: Computer Economics Inc., Carlsbad, California6Internet Worm (First major attack)Released November 1988Program spread through Digital, Sun workstations Exploited Unix security vulnerabilitiesVAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX codeConsequencesNo immediate damage from program itself Replication and threat of damage Load on network, systems used in attackMany systems shut down to prevent further attack7Some historical worms of noteWormDateDistinctionMorris11/88Used multiple vulnerabilities, propagate to “nearby” sysADM5/98Random scanning of IP address spaceRamen1/01Exploited three vulnerabilitiesLion3/01Stealthy, rootkit wormCheese6/01Vigilante worm that secured vulnerable systemsCode Red7/01First sig Windows worm; Completely memory residentWalk8/01Recompiled source code locallyNimda9/01Windows worm: client-to-server, c-to-c, s-to-s, …Scalper6/0211 days after announcement of vulnerability; peer-to-peer network of compromised systemsSlammer1/03Used a single UDP packet for explosive growthKienzle and Elder8Increasing propagation speedCode Red, July 2001Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0.Windows 2000 that run IIS 4.0 and 5.0 Web serversExploits known buffer overflow in Idq.dllVulnerable population (360,000 servers) infected in 14 hoursSQL Slammer, January 2003Affects in Microsoft SQL 2000Exploits known buffer overflow vulnerabilityServer Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39Vulnerable population infected in less than 10 minutes9Code RedInitial version released July 13, 2001Sends its code as an HTTP requestHTTP request exploits buffer overflow Malicious code is not stored in a filePlaced in memory and then runWhen executed,Worm checks for the file C:\NotwormIf file exists, the worm thread goes into infinite sleep stateCreates new threadsIf the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses10Code Red of July 13 and July 19Initial release of July 131st through 20th month: Spread via random scan of 32-bit IP addr space20th through end of each month: attack.Flooding attack against 198.137.240.91 (www.whitehouse.gov)Failure to seed random number generator ⇒ linear growthRevision released July 19, 2001.White House responds to threat of flooding attack by changing the address of www.whitehouse.govCauses Code Red to die for date ≥ 20th of the month.But: this time random number generator correctly seededSlides: Vern Paxson11Infection rate12Measuring activity: network telescopeMonitor cross-section of Internet address space, measure traffic “Backscatter” from DOS floodsAttackers probing blindlyRandom scanning from wormsLBNL’s cross-section: 1/32,768 of InternetUCSD, UWisc’s cross-section: 1/256.13Spread of Code RedNetwork telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT)Course of infection fits classic logistic.Note: larger the vulnerable population, faster the worm spreads.That night (⇒ 20th), worm dies … … except for hosts with inaccurate clocks!It just takes one of these to restart the worm on August 1st …Slides: Vern Paxson14Slides: Vern Paxson15Code Red 2Released August 4, 2001.Comment in code: “Code Red 2.”But in fact completely different code base.Payload: a root backdoor, resilient to reboots.Bug: crashes NT, only works on Windows 2000.Localized scanning: prefers nearby addresses.Kills Code Red 1.Safety valve: programmed to die Oct 1, 2001.Slides: Vern Paxson16Striving for Greater Virulence: NimdaReleased September 18, 2001.Multi-mode spreading:attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem!Leaped across firewalls.Slides: Vern Paxson17Code Red 2 kills off Code Red 1Code Red 2 settles into weekly patternNimda enters the ecosystemCode Red 2 dies off as programmedCR 1 returns thanksto bad clocksSlides: Vern Paxson18How do worms propagate?Scanning worms : Worm chooses “random” addressCoordinated scanning : Different worm instances scan different addressesFlash wormsAssemble tree of vulnerable hosts in advance, propagate along treeNot observed in the wild, yetPotential for 106 hosts in < 2 sec ! [Staniford]Meta-server worm :Ask server for hosts to infect (e.g., Google for “powered by phpbb”)Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)Contagion worm : Propagate parasitically along with normally initiated communicationslammer• 01/25/2003• Vulnerability disclosed : 25 june 2002• Better scanning algorithm• UDP Single packet : 380bytesSlammer propagationNumber of scan/secPacket lossA server viewConsequences• ATM systems not available• Phone network overloaded (no 911!)• 5 DNS root down• Planes delayed25Worm Detection and DefenseDetect via honeyfarms: collections of “honeypots” fed by a network telescope.Any outbound connection from honeyfarm = worm.(at least, that’s the theory)Distill signature from inbound/outbound traffic.If telescope covers N addresses, expect detection when worm has infected 1/N of population.Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many
View Full Document