Internet Security & Worms

Prasad S. Athawale
Department of Computer Science, University at Buffalo
State University of New York, Buffalo

(Transcript of a 57-slide deck.)

Page 2

Outline

- Security overview
- Intent
- History
- Worms vs. viruses
- Worm modelling
- Simulation techniques
- Results/deductions
- Future of worms
- Possible research work

Page 3

Internet Security

Covers a broad range of issues, from data integrity to availability.

Attack types:
- Denial of service
- Viruses/worms
- Snooping/sniffing, etc.

Page 4

Intent

The primary intent of this presentation is to explore the world of Internet worms: in particular, to look at current research areas, their propagation mechanisms, and defense measures, if any.

Page 5

History

Morris Worm, 2 November 1988:
- Exploited flaws in fingerd and sendmail
- Password guessing against the /etc/passwd file
- Trusted hosts

Source: The Internet Worm Incident, Technical Report CSD-TR-933, Eugene H. Spafford, Department of Computer Sciences, Purdue University

Page 6

Definition

Worms: programs that self-propagate across the Internet by exploiting security flaws in widely used services.

John Brunner coined the term "worm" in his novel "The Shockwave Rider".

Source: How to Own the Internet in Your Spare Time, Stuart Staniford, Vern Paxson, Nicholas Weaver

Page 7

Worms vs. Viruses

A virus is a malicious program that spreads using a propagation technique that generally requires user intervention, and it always has malicious intent.

A worm, on the other hand, has the ability to self-propagate, and may or may not have malicious intent.

Page 8

Requirements!!!

- Autonomy
- Replicability
- Reconnaissance capabilities
- Attack capabilities

Source: Worms as Attack Vectors: Theory, Threats, and Defenses, Matthew Todd, Ph.D., January 31, 2003

Page 9

Intended Uses/Applications?

- Launch a DDoS
- Access to sensitive information
- Spread disinformation
- Unknown reasons

Page 10

Mechanism?

- Target selection
- Exploit
- Propagation mechanism
- Deployment tactics
- Defensive measures?

Page 11

Mechanism of Operation

Source: Worm Propagation and Countermeasures, GSEC Practical, Glenn Gebhart, SANS Institute

Page 12

Spread of a Worm

Red dots indicate the infected machines; the number in the bottom left corner is the number of infected hosts.

Page 13

Spread of a Worm (continued): display propagation speed

Page 14

Why Study Worms?

- Capable of severely hampering the working of the Internet
- To enable us to build better defense systems
- To enable possible good applications
- The worst is yet to come!

Applications of a self-propagating piece of code, capable of reaching everywhere really fast?

Page 15

Current Research Focus

- Modelling
- Scanning techniques
- Propagation mechanisms
- Prevention techniques?

Page 16

Modelling

Simple epidemic model: uses the time-tested model of infectious diseases to model worm propagation.

Three possible states: susceptible, infected, quarantined/removed.

Page 17

Simple Epidemic Model

"Infectious" hosts: continuously infect others.

"Removed" hosts in the epidemic area: recovered and immune to the virus, or dead because of the disease.

"Removed" hosts in the computer area: patched computers that are clean and immune to the worm, or computers that are shut down or cut off from the worm's circulation.

(State diagram: susceptible -> infectious -> removed.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

Page 18

Epidemic Modeling Introduction

Homogeneous assumption: any host has an equal probability of contacting any other host in the system.

Number of contacts between infectious and susceptible hosts $\propto I \cdot S$.

(Figure: infectious hosts $I$, susceptible hosts $S$, contact.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

Page 19

Deterministic Epidemic Models: Simple Epidemic Model

State transition: susceptible -> infectious

N: population; S(t): susceptible hosts; I(t): infectious hosts

$\frac{dI(t)}{dt} = \beta S(t) I(t), \qquad S(t) + I(t) = N$

(The transcript dropped the Greek letters; following the cited source, $\beta$ is the pairwise infection rate.)

I(t) and S(t) are symmetric.

Problems:
- Constant infection rate
- No "removed" state

(Plot: I(t) against t, t from 0 to 40, I(t) from 0 to 10 × 10^5.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

Page 20

Deterministic Epidemic Models: Kermack-McKendrick Epidemic Model

State transition: susceptible -> infectious -> removed

R(t): hosts removed from the infectious state; $\gamma$: removal rate

$\frac{dI(t)}{dt} = \beta S(t) I(t) - \frac{dR(t)}{dt}, \qquad \frac{dR(t)}{dt} = \gamma I(t), \qquad S(t) + I(t) + R(t) = N$

Epidemic threshold: no outbreak if $S(0) < \gamma/\beta$; major outbreak if $S(0) > \gamma/\beta$.

(The transcript dropped the Greek letters; $\beta$ and $\gamma$ are restored following the cited source.)

Problems: constant infection rate.

(Plot: I(t) against t, t from 0 to 40, I(t) from 0 to 10 × 10^5, with four curves labelled 0, N/16, N/4 and N/2; the symbol preceding each legend value was lost in extraction.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

Page 21

Consider Human Countermeasures

Human countermeasures:
- Clean and patch: download cleaning programs, patches
- Filter: put filters on firewalls, gateways
- Disconnect computers

Reasons for considering them:
- Suppress most new viruses/worms from breaking out
- Eliminate virulent viruses/worms eventually

Removal of both susceptible and infectious hosts.

(State diagram: susceptible -> infectious -> removed, with removal also possible directly from the susceptible state.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

Page 22

Consider Human Countermeasures

Model (extended from the KM model):
- Q(t): hosts removed from the susceptible state
- R(t): hosts removed from the infectious state
- I(t): infectious hosts
- J(t) = I(t) + R(t): number of infected hosts, i.e. hosts that have ever been infected

$\frac{dS(t)}{dt} = -\beta S(t) I(t) - \frac{dQ(t)}{dt}, \qquad \frac{dR(t)}{dt} = \gamma I(t), \qquad \frac{dQ(t)}{dt} = \mu S(t) J(t), \qquad S(t) + I(t) + R(t) + Q(t) = N$

(The transcript dropped the Greek letters; $\beta$, $\gamma$ and $\mu$ are restored following the cited source: infection rate, removal rate of infectious hosts, removal rate of susceptible hosts.)

Source: Code Red Worm Propagation Modeling and Analysis, Cliff Zou

$\beta$ is still considered constant.

Page 23

Two-Factor Worm Model

Worms may cause congestion:
- Huge number of scan packets to unused IP addresses
- Routing table cache misses (about 30% of the IP space is used)
- Generation of ICMP (router error) messages for invalid IPs

Effect: slowing down of the worm propagation rate, $\beta(t)$.

Two-factor worm model:

$\frac{dS(t)}{dt} = -\beta(t) S(t) I(t) - \frac{dQ(t)}{dt}, \qquad \frac{dR(t)}{dt} = \gamma I(t), \qquad \frac{dQ(t)}{dt} = \mu S(t) J(t)$

$\beta(t) = \beta_0 \left[1 - \frac{I(t)}{N}\right]^{\eta}, \qquad S(t) + I(t) + R(t) + Q(t) = N$

The exponent $\eta$ is used to adjust the level of congestion in the network. (The transcript dropped the Greek letters and the exponent; they are restored following Zou's two-factor model, cited on the surrounding slides.)
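The models on pages 19 to 23 can all be integrated numerically from one set of equations, since each earlier model is the two-factor model with some parameters set to zero. The Python below is an added example, not code from the slides or from Zou's paper; the parameter names beta0, gamma, mu and eta follow the cited source, and the population size, rates and step size are constructed values chosen only to make the behaviour visible.

```python
# Added example: numerical integration of the epidemic models on pages 19-23.
# Parameter names follow Zou's notation (assumption: the transcript dropped
# the Greek letters): beta0 = pairwise infection rate, gamma = removal rate of
# infectious hosts, mu = removal rate of susceptible hosts, eta = congestion
# exponent. All numeric values below are constructed, not measured.
from dataclasses import dataclass, field


@dataclass
class Trace:
    """Time series of the four host populations."""
    t: list = field(default_factory=list)
    S: list = field(default_factory=list)
    I: list = field(default_factory=list)
    R: list = field(default_factory=list)
    Q: list = field(default_factory=list)

    def J(self):
        # J(t) = I(t) + R(t): hosts that have ever been infected (page 22)
        return [i + r for i, r in zip(self.I, self.R)]


def simulate(N, I0, beta0, gamma=0.0, mu=0.0, eta=0.0, dt=0.01, T=50.0):
    """Forward-Euler integration of the two-factor worm model.

    gamma = mu = eta = 0 is the simple epidemic (SI) model of page 19,
    mu = eta = 0 the Kermack-McKendrick model of page 20, and
    eta = 0 the human-countermeasure model of page 22.
    """
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    tr = Trace()
    steps = int(round(T / dt))
    for k in range(steps + 1):
        tr.t.append(k * dt)
        tr.S.append(S); tr.I.append(I); tr.R.append(R); tr.Q.append(Q)
        if k == steps:
            break
        # beta(t) = beta0 * (1 - I/N)^eta: congestion slows infection as I grows
        beta = beta0 * (1.0 - I / N) ** eta
        J = I + R
        new_inf = beta * S * I * dt       # susceptible -> infectious
        dR = gamma * I * dt               # infectious -> removed (patched, shut down)
        dQ = mu * S * J * dt              # susceptible -> removed (patched in advance)
        S, I, R, Q = S - new_inf - dQ, I + new_inf - dR, R + dR, Q + dQ
    return tr


def conserved(tr, N, tol=1e-6):
    """Check the invariant S(t) + I(t) + R(t) + Q(t) = N at every step."""
    return all(abs(s + i + r + q - N) < tol
               for s, i, r, q in zip(tr.S, tr.I, tr.R, tr.Q))


def km_outbreak(S0, beta, gamma):
    """Kermack-McKendrick threshold (page 20): outbreak iff S(0) > gamma/beta."""
    return S0 > gamma / beta


def time_to_fraction(tr, N, frac):
    """First time at which J(t) reaches frac * N, or None if it never does."""
    for t, j in zip(tr.t, tr.J()):
        if j >= frac * N:
            return t
    return None


if __name__ == "__main__":
    N, I0, beta0 = 1000, 10, 0.001
    for label, kw in [("SI", {}), ("KM", {"gamma": 0.3}),
                      ("two-factor", {"gamma": 0.05, "mu": 1e-5, "eta": 3.0})]:
        tr = simulate(N, I0, beta0, **kw)
        print(f"{label:10s} peak I = {max(tr.I):7.1f}  final I = {tr.I[-1]:7.3f}"
              f"  half infected at t = {time_to_fraction(tr, N, 0.5)}")
```

Setting gamma and mu to zero reproduces the logistic curve of page 19, where every host ends up infected; gamma alone gives the KM model, and km_outbreak() is its threshold test; eta > 0 lowers the effective infection rate as the infected fraction grows, which is the congestion effect the two-factor model adds, so the time to infect half the population moves later. conserved() checks the S + I + R + Q = N invariant that the slides state.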

Page 24

Perfect Worm?

A "perfect worm" would have:
- All vulnerable hosts known
- No dual scanning
- Immediate infection

Using Code Red parameters (N = 360000, initially infected = 10, scan rate of 358/min), time taken = 1.758 seconds!!

Source: On the Performance of Internet Worm Scanning Strategies, Cliff Changchun Zou, Don Towsley, Weibo Gong, Department of Electrical & Computer Engineering and Department of Computer Science, Univ. Massachusetts, Amherst
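Worked check, added here and not on the slide, of the 1.758-second figure. Assuming, as in the cited paper by Zou et al., that every scan of a perfect worm reaches a not-yet-infected vulnerable host, the infected population grows as $dI/dt = s\,I$, where $s$ is the per-host scan rate (the symbol $s$ is mine; the slide gives only the value):

$$I(t) = I(0)\,e^{s t}, \qquad t_{\text{all}} = \frac{1}{s}\ln\frac{N}{I(0)}$$

With $N = 360000$, $I(0) = 10$ and $s = 358/\text{min} = 5.967/\text{s}$:

$$t_{\text{all}} = \frac{\ln 36000}{5.967\ \text{s}^{-1}} \approx \frac{10.49}{5.967}\ \text{s} \approx 1.758\ \text{s}$$

which matches the slide. The point for a defender is that no human-in-the-loop response fits inside this window.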

Page 25

Perfect Worm, with delay

Page 26

Scanning Techniques

- Hit-list based scanning
- Stealthy scans, using nmap?
- Distributed scanning, multiple attackers?
- DNS searches
- Spiders
- Just listen!

Page 27

Scanning Techniques

- Sequential scanning
- Hit-list based scanning
- Permutation scanning
- Preferential subnet scanning

Page 28

Co-ordinated Permutation Scanning

Assumption: a copy of the worm can detect whether a given host is already infected.

- A common permutation of the IP address space is known to all worm copies.
- Any machine starts scanning just after its point of infection; if an already-infected host is found, it continues from a random point in the permutation.
- "Self-coordinating", as this minimizes duplication of effort.
- After finding a number of such already-infected hosts, a copy stops scanning, assuming infection is complete.
- Partitioned scanning: a copy is initially responsible for some set, which it divides and hands over to a child worm.

Page 29

Subnet Scanning

- Cross-network scanning is too noisy and can create congestion that kills the worm's own spread.
- Use different probabilities to target IPs in the worm's own subnets; e.g. Code Red: own class B 3/8, own class A 1/2, others 1/8. Used by Code Red, Nimda.

Page 30

Defense Mechanisms

LaBrea tarpit: we can actually do something about it!

- Holds connection attempts from an infected computer.
- A byte-stream flow of only 1215 bytes/hour is sufficient to keep the connection alive.

Page 31

Defense Mechanisms

- LaBrea can be defeated using asynchronous mode.
- Per-host throttling: each host restricts the rate at which it can connect to new hosts; universal deployment may reduce scanning speed by an order of magnitude.
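The per-host throttling sentence above can be made concrete with a small model of a throttle that lets connections to recently contacted destinations through and queues connections to new destinations for release at a fixed rate. The block below is an added example, not code from the slides or from any shipped throttle; the class name, working-set size, release rate and alarm length are my assumptions, and the destination names are constructed.

```python
# Added example: a per-host "new destination" throttle in the spirit of the
# slide's one-sentence description. Class name, working-set size, release
# rate and alarm length are my assumptions, not from the deck; destinations
# used below are constructed.
from collections import deque


class NewDestinationThrottle:
    """Lets a host talk freely to destinations it contacted recently, but
    releases connections to *new* destinations at most `rate` per second
    through a delay queue. A worm scanning many fresh addresses fills the
    queue, which both slows it down and gives a detection signal."""

    def __init__(self, working_set=5, rate=1, alarm_len=20):
        self.working_set = working_set   # how many recent destinations pass freely
        self.rate = rate                 # new destinations released per second
        self.alarm_len = alarm_len       # queue length that signals infection
        self.recent = deque()            # recently contacted destinations, oldest first
        self.queue = deque()             # new destinations awaiting release
        self.last_tick = 0

    def request(self, dst, now):
        """Outcome of a connection request at integer second `now`:
        'pass' (known destination), 'queued' (delayed), or 'alarm'
        (delayed and the queue is suspiciously long)."""
        self._advance(now)
        if dst in self.recent:
            self._touch(dst)
            return "pass"
        if dst not in self.queue:        # a retry does not enlarge the queue
            self.queue.append(dst)
        return "alarm" if len(self.queue) > self.alarm_len else "queued"

    def pending(self):
        """Number of connections still held back."""
        return len(self.queue)

    def _advance(self, now):
        # Release `rate` queued destinations for every elapsed second.
        while self.last_tick < now:
            self.last_tick += 1
            for _ in range(self.rate):
                if not self.queue:
                    break
                self._touch(self.queue.popleft())

    def _touch(self, dst):
        # Move dst to the most-recent end of the working set, evicting the oldest.
        if dst in self.recent:
            self.recent.remove(dst)
        self.recent.append(dst)
        while len(self.recent) > self.working_set:
            self.recent.popleft()


def scan_burst(throttle, n, now):
    """Constructed burst of n connections to distinct new addresses in one
    second, as a scanning worm would produce. Returns the outcomes in order."""
    return [throttle.request(f"10.0.9.{i}", now) for i in range(n)]


if __name__ == "__main__":
    th = NewDestinationThrottle()
    print(th.request("mail", 0), th.request("mail", 1))          # queued pass
    outcomes = scan_burst(th, 30, 10)
    print(outcomes.count("queued"), outcomes.count("alarm"), th.pending())
```

Normal use (a handful of repeated destinations) costs one second of delay the first time each destination is seen and nothing afterwards, while a burst of 30 new destinations is let out at one per second and pushes the queue past the alarm length, which is the signal a host-based detector would act on.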

Page 32

Defense Mechanism

Automatically detecting infected hosts and using firewall filters to contain the spread.

Practical application: Cisco's NBAR (Network Based Application Recognition), the ability to block particular TCP streams active on a router based on signature recognition.

Page 33

Defense: Internet Quarantine

- Prevention: aims to reduce the size of the vulnerable population.
- Treatment: patches generally take days to release; only now are relatively reliable distribution networks for patches springing up.
- Containment: firewalls, content filtering, automated routing blacklists.
- Intervention?

Page 34

Code Red Propagation

Address Blacklisting

Page 35

Code Red Propagation

Content Filtering

Page 36

Address Blacklisting

Generalized Worm Containment

Page 37

Generalized Worm Containment

Content Filtering

Page 38

Containment Results

- Not possible to limit infection to less than 18% of the vulnerable hosts for sufficiently aggressive worms (100 scans/second).
- Scenarios used for address blacklisting: "Top 100 ISPs" and 50% of home users.
- Reason: 99.7% of paths are blocked, but alternate paths for propagation still exist; this holds even when the reaction time is reduced to 0!

Page 39

Dynamic Quarantine

- Based on methods used in epidemic control: "assume guilty till proven innocent".
- Non-intrusive: block certain ports for a short time, with automatic release.
- Able to reduce/control the propagation speed.
- Assumption: the system is homogeneous and the contact rate is constant.

Page 40

Defense Mechanisms

Many researchers have worked in this area: Staniford, Kephart and White, Wang.

Epidemiological analysis of computer viruses suggested that they can be contained, but only as long as the infection rate does not exceed a critical threshold.

Page 41

Containment

- Automated mechanisms required
- Content filtering works best
- Blocking point: at core ISPs

Page 42

Defense: Active Worm Detection

- Uses ICMP Destination Unreachable messages.
- Collection point for all ICMP-T3 packets.
- Correlator: identifies threshold-crossing occurrences.
- A copy of each ICMP T3 message is generated for the collector by the router.

Page 43

Defense: Active Worm Detection

Multiple cases:
- One IP to many IPs on port p
- Many IPs to one IP on port p
- One IP to another IP on a number of ports
- Many IPs to one IP on a number of ports

If instances of such activity exceed threshold N, an alert is generated; 4-6 alerts have shown good response.
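Pages 42 and 43 describe the ICMP-T3 correlator, and page 39 the dynamic quarantine with automatic release. The Python below is an added example, not code from the slides or from the cited papers: it parses constructed one-line summaries of the router's ICMP type 3 copies (the field names t, src, dst and dport are mine), counts the four patterns listed on page 43 per time window, raises an alert when a count exceeds the threshold, marks a source as suspect after a configurable number of alerts, and holds a timed port block that releases itself.

```python
# Added example: an ICMP-T3 correlator in the style of pages 42-43, plus the
# timed port block of page 39. Field names (t, src, dst, dport), thresholds and
# all sample records are constructed by me; nothing here is from the slides'
# sources.
import re
from collections import defaultdict

# Constructed sample: one line per ICMP type 3 (destination unreachable) copy
# forwarded by the router, reduced to the fields embedded in the quoted
# original datagram. Host 10.0.0.5 probes 15 unused addresses on tcp/80 in
# each 10-second window; 10.0.0.9 hits one stale address per window.
SAMPLE_LINES = (
    [f"t={w * 10 + i % 10} src=10.0.0.5 dst=10.1.{w}.{i} dport=80"
     for w in range(5) for i in range(15)]
    + [f"t={w * 10 + 3} src=10.0.0.9 dst=10.2.0.{w} dport=443" for w in range(5)]
)

LINE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse(lines):
    """Parse summary lines into (time, src, dst, dport) tuples; skip malformed ones."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if m:
            t, src, dst, port = m.groups()
            records.append((int(t), src, dst, int(port)))
    return records


# The four cases of page 43, each as (grouping key, distinct item to count).
PATTERNS = {
    "one_src_many_dst_port": lambda s, d, p: ((s, p), d),
    "many_src_one_dst_port": lambda s, d, p: ((d, p), s),
    "one_src_one_dst_many_ports": lambda s, d, p: ((s, d), p),
    "many_src_one_dst_many_ports": lambda s, d, p: (d, (s, p)),
}


def correlate(records, threshold, window):
    """Count distinct items per key and per time window for every pattern;
    emit an alert when a count exceeds `threshold`."""
    buckets = defaultdict(set)          # (window, pattern, key) -> items seen
    for t, s, d, p in records:
        for name, keyfn in PATTERNS.items():
            key, item = keyfn(s, d, p)
            buckets[(t // window, name, key)].add(item)
    return [{"window": w, "pattern": name, "key": key, "count": len(items)}
            for (w, name, key), items in sorted(buckets.items())
            if len(items) > threshold]


def suspects(alerts, min_alerts):
    """Sources whose one-to-many alerts reached min_alerts (the deck reports
    4-6 alerts giving a good response)."""
    per_src = defaultdict(int)
    for a in alerts:
        if a["pattern"] == "one_src_many_dst_port":
            per_src[a["key"][0]] += 1
    return {src for src, n in per_src.items() if n >= min_alerts}


class DynamicQuarantine:
    """Block (host, port) for `hold` seconds; the block expires by itself."""

    def __init__(self, hold):
        self.hold = hold
        self.blocks = {}                 # (host, port) -> release time

    def block(self, host, port, now):
        self.blocks[(host, port)] = now + self.hold

    def is_blocked(self, host, port, now):
        until = self.blocks.get((host, port))
        if until is None:
            return False
        if now >= until:                 # automatic release
            del self.blocks[(host, port)]
            return False
        return True


if __name__ == "__main__":
    alerts = correlate(parse(SAMPLE_LINES), threshold=10, window=10)
    q = DynamicQuarantine(hold=60)
    for src in suspects(alerts, min_alerts=4):
        q.block(src, 80, now=50)
    print(len(alerts), "alerts; 10.0.0.5 blocked at t=100:",
          q.is_blocked("10.0.0.5", 80, now=100))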

Page 44

Active vs. Passive

- Passive: prevent spreading of worms by blocking worm traffic.
- Active: proactive approach, patching vulnerable systems or quickly removing infected systems.

Page 45

Comparison of Active and Passive Mechanisms

- A content-filtering defense mechanism limits infections.
- An address-filtering defense requires near-perfect deployment.
- A content-filtering mechanism deployed in the top 30 most connected ASes can outperform active defense.
- Active-defense worms might have to be pre-deployed in the network, to be activated as required.

Page 46

Force Multipliers!!

- Multiple attack capabilities
- Defense
- Command interface
- Polymorphism

Source: Worms as Attack Vectors: Theory, Threats, and Defenses, Matthew Todd, Ph.D., January 31, 2003

Page 47

Upgrade

- Modular design
- Multiple vulnerabilities pre-identified
- Subsequent "0-day" exploits could be released
- Signature alteration (polymorphism)

Page 48

Communication Channels

- "Drop-box" concept
- E-mail
- IRC, specific channels on IRC
- KaZaa file shares
- Covert channels?

Page 49

Communication Channels

- Encrypted channels: public key, simple XOR?
- Encrypted data might draw attention; simple XOR might help protect entropy.
- Distributed hash tables: the principle used by software like KaZaa to determine the location of files, etc.

Page 50

Curious Yellow vs. Curious Blue

- Curious Yellow: a highly co-ordinated worm; uses techniques for fast propagation and distributed control.
- Curious Blue, to counter it, with distribution of patches carried out in a similar manner.
- Since both accept updates, can be easily

Page 51

Proposed "Conceptual" Worms

- Flash
- Warhol
- BGP
- Curious Yellow

Page 52

Flash Worms

- Closest thing to a perfect worm.
- IP addresses of all vulnerable hosts known beforehand; scanning space reduced.
- 99% of hosts infected in 2.53 seconds, assuming no delay.
- Tremendous speed of infection: no time for human intervention.

Page 53

Warhol Worm

- Uses a combination of hit-list and permutation scanning.
- This combination improves initial speed, quickly achieving a set base, and permutation scanning keeps the worm's infection rate high for a longer period.
- Provides a very practical design of a worm, and achieves 99% infection in around 15 minutes.

Page 54

BGP Routing Worm

- Based on BGP routing tables, freely available on the Internet.
- Geographical information: ISP, AS, company, country, etc.
- Reduces the scanning space to 28.6% of all IP space.

Source: Routing Worm: A Fast, Selective Attack Worm based on IP Address Information, Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai, Department of Electrical & Computer Engineering and Department of Computer Science, Univ. Massachusetts, Amherst

Page 55

Contagion

- Slowly spreading worm, to avoid detection.
- P2P based: high-bandwidth traffic is usual, so it is not detected; one client/server program may dominate, e.g. KaZaa.
- Not strictly a worm, but can be used to support a worm!
- Potential? A university saw 9 million distinct IPs in one month!

Page 56

Takeaway

- Stealth would play a major role in the next generation of worms.
- Bandwidth, network capacity, widespread use of computers and a predominantly ignorant user community are a given, and these would be exploited to the maximum.
- Proactive defense mechanisms rather than "observing" mechanisms; observe the "periphery" of one's network?
- For content-based systems: the ability to identify signatures at an early stage.
- Espionage, rivalry and enmity, plus non-cooperative governments/corporations.
- Design for security has to be the additional component, along with reliability, scalability and availability.

Page 57

References

- Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. Cliff Changchun Zou, Weibo Gong, Don Towsley, Univ. Massachusetts, Amherst, MA.
- On the Performance of Internet Worm Scanning Strategies. Cliff Changchun Zou, Don Towsley, Weibo Gong, Univ. Massachusetts, Amherst.
- Modelling the Spread of Active Worms. Zesheng Chen (Georgia Tech), Lixin Gao (UMass), Kevin Kwiat (AFRL).
- Slowing Down Internet Worms. Shigang Chen, Yong Tang (UFL, Gainesville).
- Comparing Active and Passive Worm Defenses. Michael Liljenstam, David M. Nicol (UIUC, Urbana-Champaign).
- Internet Quarantine: Requirements for Containing Self-Propagating Code. David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, UCSD.
- Routing Worm: A Fast, Selective Attack Worm based on IP Address Information. Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai, Univ. Massachusetts, Amherst.
- Worms as Attack Vectors: Theory, Threats, and Defenses. A practical assignment, submitted in partial requirement for GSEC certification (GIAC Security Essentials Certification). Matthew Todd, Ph.D.
- "I don't think I really love you", or writing internet worms for fun and profit. (C) 1998-2000, Michal Zalewski.
- The Internet Worm Incident. Technical Report CSD-TR-933, Eugene H. Spafford, Purdue University.
- How to Own the Internet in Your Spare Time. Stuart Staniford (Silicon Defense), Vern Paxson (ICSI Center for Internet Research), Nicholas Weaver (UC Berkeley).
- The Future of Internet Worms. Jose Nazario, with Jeremy Anderson, Rick Wash and Chris Connelly, Crimelabs Research.
- Curious Yellow: The First Coordinated Worm Design. Brandon Wiley.