WORM PROPAGATION Terry Griffin Sandeep Pinnamaneni Vandana Gunupudi Agenda Introduction Background Infamous Worms Benchmarks and Metrics Requirements Summary of Methods Conclusion Introduction What is a worm? – – – – Piece of software that propagates using vulnerabilities in software/application Self-propagating (distinct from a virus) Self-replicating Spread through the Internet easily due to its open communication model Classification of Worms Target Discovery – Carrier – How does it transmit itself to the target? Activation – How does a worm find new hosts to infect? Mechanism by which the worm operates on the target Payloads – What the worm carries to reach its goal N.Weaver, V.Paxson, et al, “A taxonomy of computer worms”, Proc. Of the ACM workshop on Rapid Malcode, pp.11-18, 2003. Target Discovery Scanning – – – Pre-Generated Target lists – Sequential or Random Permutation scanning Bandwidth-limited scanning “hit-list” of probably victims Externally/internally generated target lists – Topological Worm (Morris Worm) Carrier (Propagation Mechanisms) Self-carried – Second Channel – – – Actively transmits itself as part of the infection process Require a secondary communication channel Example Blaster: primary channel is RPC; secondary channel is TFTP Embedded – Appends itself to normal messages Activation Mechanism Human Activation – – Human Activity based – Windows Share worms like Nimda Scheduled Process Activation – Slowest activation method Melissa Like unauthenticated automatic updates Self Activation – Fastest method Payloads Code carried by the worm apart from its propagation routines Empty Payload – Internet Remote Control – Sobig’s Trojan opened an open-mail relay HTML-Proxies – Privileged back door Spam-Relays – most common Sobig distributed web proxies Internet DoS (Code Red) History of Worms Source:http://www.sans.org/rr/whitepapers/malicious/1410.php Morris Worm • Topological Worm (6-10% of all Internet hosts infected) • First large-scale worm that targeted VAX, Sun Unix systems • Target Discovery – Scanning the local subnet • Activation – Self Activation • Propagation Mechanism (Self Carried) – Exploiting a fingered buffer overflow • Payload – None Code Red I July 19, 2001: more than 359,000 computers connected to the Internet were infected by Code-Red I v2 worm in less than 14 hours Source: http://www.caida.org Code Red I • Target Discovery – Scanning • Activation – Self Activation • Propagation Mechanism (Self Carried) – Exploiting a Microsoft IIS Web Server buffer overflow • Payload – Defacement of websites Code Red I Exploited buffer overflow in Indexing Service in Microsoft IIS Server Days 1-19 of each month – – Day 20-27 – – stops trying to spread launches a denial-of-service attack on the IP address of www1.whitehouse.gon Code Red I v1 – – – – – displays ‘hacked by Chinese’ message on English language servers tries to open connections to infect randomly chosen machines using 100 threads July 12, 2001 Used static seed for random number generator Each infected computer tries to infect always the same IP addresses Not very damaging, spread slowly Memory resident Code Red I v2 – – July 19, 2001 Used random seed for random number generator Code Red Damage 359,000 hosts infected in 24 hour period Between 11:00 and 16:00 UTC, the growth is exponential 2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC) Nimda (September 18, 2001) • • • • • Target Discovery – Scanning, Email Activation – Self Activation, User action Propagation Mechanism (Self Carried) – Exploiting a Microsoft IIS Web Server buffer overflow Payload – Defacement of websites Multi-mode spreading: – – – – – attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoor Spread across firewalls. SASSER Worm (2004) April 29, 2004 Target Discovery – – Mode of Transmission – Random Scanning of IP addresses on TCP port 445, can scan up to 1,024 addresses simultaneously Buffer Overflow in Windows Local Security Authority Service Server (LSASS) Payload – – Rootkit potential Escalation of privileges Witty (2004) March 19, 2004 Buffer overflow vulnerability in ISS PAM module • Single UDP packet exploits flaw in the passive analysis of Internet Security Systems (ISS) products. • “Bandwidth-limited” UDP worm like Slammer. • Vulnerable pop. (12K) attained in 75 minutes. • Payload: slowly corrupt random disk blocks. • Detailed telescope analysis reveals worm targeted a US military base and was launched from a European retail ISP account. Other Worms Network.vbs, February 2000: This worm had no payload and spread via unprotected Windows shares. Ramen, January 2001: • This worm targeted RedHat Linux systems via exploits that were 4 – 7 months old and, aside from defacing web pages did not appear to be particularly malicious. • However, as noted by the Linux Weekly News, multicast traffic was affected as a byproduct of the worm’s scanning mechanism, resulting in degraded service over the MBONE for both unicast and multicast traffic. Network.vbs Worm The Network.vbs worm propagates via unprotected Windows shares. The process as described in CERT Incident Note IN-2002-02 is as follows: 1. Perform a pseudo-random IP scan, looking for hosts with Windows filesharing enabled. 2. Attempt to mount the share named “C” as local drive J. 3. If mount is successful copy network.vbs script into the “Startup” program group. Provided that the above is successful, the worm will be executed the next time someone logs into the system. It should be noted that the QAZ worm uses a similar mechanism, enumerating hosts within the “Network Neighborhood” and replacing notepad.exe with the worm binary. ADM Worm • The ADM worm propagates via a buffer overflow in Unix systems running DNS server daemons derived from v 4.9.6 of the ISC BIND code. • The worm performs an incremental IP scan, starting from a random IP address, looking for DNS servers which support the IQUERY command. When such a server is encountered the worm attempts to exploit a buffer overflow in IQUERY response processing which, if successful, allows the worm to create an account for itself on the exploited host along with a setuid root shell. • This account and shell are used to transfer the worm’s tarball to the targeted host via ftp, at which point the tarball is untar’d and the worm is executed on the target host, beginning the propagation process all over again. ADM Worm ADM and other early worms (Millenium, Ramen, li0n, and Sadmind specifically) are composed of the following components: • IP Scanner: A mechanism for selecting IP’s to target. • One or more exploits: Pre-existing, programmatic-attack type exploit used • • by the worm to escalate its privilege level on the targeted system. Propagation mechanism: Provides the logic necessary to move the worm archive from system to system, usually via the use of ftp or tftp. Glue/misc scripts: These scripts tie the other components together and provide worm-specific functionality. Slammer Worm – Before Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html Slammer Worm - After Figure taken from http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html SQL Slammer • The Slammer worm (also called Sapphire worm) consists of an IP scanner combined with an exploit for MS SQL Server, written in 376 bytes of code. • Slammer exploited connectionless UDP service, rather than connection-oriented TCP. • Entire worm fit in a single packet! • Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator). – At its peak, doubled every 8.5 seconds Slammer Worm • Propagation speed was Sapphire's novel feature: in the first minute, the • • infected population doubled in size every 8.5 (±1) seconds. The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable machines were infected within 10-minutes of the worm's release. Although worms with this rapid propagation had been predicted on theoretical grounds, the spread of Sapphire provides the first real incident demonstrating the capabilities of a high-speed worm. By comparison, it was two orders magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19th, 2001. In comparison, the Code Red worm population had a leisurely doubling time of about 37 minutes. General Model of Worm Propagation Source:http://www.sans.org/rr/whitepapers/malicious/1410.php Summary of Worm Propagation Worm propagation can be broadly described by a 3 (or 4) step process illustrated in the figure before: 0.) Initial Infection: The model begins with the presumption that there exists a system that is already infected by the worm and that the worm is active on this system. 1.) Target Acquisition: In order for the worm to propagate itself it must find additional systems to infect. Worms may actively target systems using: a. IP addresses b. Email addresses c. File system traversal It should also be noted that worms may passively target client system i.e. the trojaned web content delivered by web servers infected with the Nimda worm. Worm Propagation 2.)Delivery of Hostile Code: Once a system has been targeted, it is necessary to transfer the worm to the targeted system in preparation for infection. Code delivery has been observed to take place via the following: a. Network file systems b. Email c. Web clients d. Remote command shell (or equivalent) e. As part of packet payload associated with buffer overflows and similar programmatic exploits. 3.) Execution of Hostile Code: The presence of hostile code on a system is not sufficient for worm propagation; execution of the code must be triggered in some fashion. Code may be executed via: a. Direct invocation from the command line (or equivalent) b. Buffer overflow or other programmatic attack c. Email clients d. Web clients e. User intervention f. Automatic execution by target system. 4.) Some worms may only transfer a portion of their code in step 3. In that case it is necessary for them to transfer the remaining code once the target system has been compromised. This can be achieved via a. FTP/TFTP b. Network file systems Benchmarks and Metrics Infection Size – Reaction Time – – Time between detection of a worm and deployment of worm control measures Obviously the lower the better Penetration Ratio – – Percentage of nodes infected Number of nodes infected compared to the size of the possible domain Related to infection ratio False Positives/Negatives Propagation Countermeasures The analysis below examines each step in the propagation model in detail to determine what countermeasures, if any, prove effective. Target Acquisition: The specific targeting mechanism varies based on the means by which the hostile code will be delivered to the target system. 1.) IP Scanning: The most popular method for targeting systems to date seems to be IP scanning. Target Acquisition The most basic scanning algorithm is as follows: 1. Generate an IP address. 2. Perform local setup for network communication. 3. Attempt to connect to the targeted system by sending a TCP SYN packet to <Targeted IP Address>:<Port of Targeted Service>. a.) If a TCP SYN-ACK packet is received then the remote system at <Target IP> is listening on <Port of targeted service>. Send an ACK packet and proceed with transfer of hostile code. b.) Receipt of any other type of packet from <Target IP>, or failure to receive any packet after a certain number of tries, indicates that the targeted service is not available for some reason. Return to step 1. Target Acquisition • The simplest countermeasure to deploy is also the most • effective; unneeded services should be turned off. In this situation, the infected host sends a SYN packet that is received by the target host as usual. However, since the service is turned off, there is no process listening on the destination port on the target host. The proper response in this situation is for the target host to send back an RST packet, the receipt of which tells the infected host that the targeted service is unavailable, causing the infected host to move on to the next target (Loop). Target Acquisition In a typical network configuration a firewall is deployed somewhere on the network path between the infected host and the target host as show in Figure below . When the infected host sends a SYN packet to the target host the packet is first intercepted by the firewall. The firewall is configured to prevent most systems from accessing services on the target host, which is achieved by silently discarding the SYN packet. The infected system will generally send several more SYN packets that will be treated in the same manner, after which the infected system will assume that the targeted service is unavailable and move on to the next target. Source:http://www.sans.org/rr/whitepapers/malicious/1410.php Hostile Code Delivery E-mail: Code delivery via email is a favorite mechanism of worms and worm-like viruses. The process begins with the worm composing a message containing hostile code and attempting to send that message to the targeted email address. Source:http://www.sans.org/rr/whitepapers/malicious/1410.php Hostile Code Delivery The below configuration forces the infected system to deliver the email via the designated relay and, furthermore, forces that email to be received by the designated mail exchange, significantly reducing the number of potential delivery paths that the system administrator must monitor. source:http://www.sans.org/rr/whitepapers/malicious/1410.php Hostile Code Delivery Web Clients: Forcing clients to use a designated proxy for web communication causes web content delivery to take on the form shown in below figure. Clients send requests for web content to the proxy, which then forwards the request on to the appropriate web server. The web server, in turn, provides the proxy with the requested content, which the proxy sends back to the requesting client. source:http://www.sans.org/rr/whitepapers/malicious/1410.php Execution of Hostile Code E-mail Clients: There are a number of mechanisms by which email clients can be induced to execute hostile code. An email client may be induced to execute code in one of three ways: 1.) Programmatic Attack 2.) Rendering By-Product 3.) User Intervention Additional Code Transfer • Some worms transfer additional code from the infected system to the target • • system once the initial exploit of the targeted system is completed. Unfortunately, if the worm gets this far there is likely little that can be done to prevent its spread. At this point both the infected host and the targeted host are completely compromised, so any preventative measures must be deployed between these two systems. Once again, an appropriately configured firewall may prevent the complete propagation of the worm. This underlies the importance of having a wellconfigured policy regarding outgoing connections in addition to incoming connections. Summary As we can see from previous slides the spread is phenomenal.... is the number of host infected in real time. is the pair wise rate of infection. is the infection rate. Summary Breakdown of a typical current day worm: Reconnaissance capabilities Specific attack capabilities A command interface Communications capabilities Intelligence capabilities Unused attack capabilities Summary Reconnaissance capabilities Automated sweeps and scans to Identify possible victims Determine best method to infect new victim (if possible) Summary Specific attack cabilities Method in which the worm gains entry – – buffer overflows cgi-bin errors Attack portion of code has two parts – – component which runs on infected host component which looks for new host Summary A command interface Node is only worthwhile if it can be used – – Interactive interface (direct login) Automatic interface (parent child) Summary Communications capabilities Typically reside on different systems, therefore method of communication is necessary Transfer of information Typically hidden Summary Intelligence capabilities Possible distributed effort All machines working together You must – Know who is infected – can be achieved with update message/email to central point what network address is / system type How to contact them irc chat lines direct login Summary Unused attack capabilities Multiple attack methods allow for more flexibility Send only necessary payload (specific attack) Future Future: Worms will change Infection mechanisms will become smarter. Use network topology to their advantage. Stealthier communications methods Smarter Target Selection More dynamic behavior Future Typical Defense (obvious stuff) Patch, Patch, Patch Defense in Depth IDS and Response Mechanisms Future New Detection Strategies Monitor shifts in traffic Anomaly Detection Exploit worm network flaws Conclusions 1. 2. 3. Future defense of worms is labor intensive with current Internet design. The infrastructure itself needs to assist with detecting Internet Worms. A proper design could mimic a multi-level security system. References 1. http://www.sans.org/rr/whitepapers/malicious/1410.php 2. http://www.cs.berkeley.edu/~nweaver/sapphire/ 3. http://www.securityfocus.com/infocus/1752 4. http://www.icir.org/vern/papers/cdc-usenix-sec02/ Kienzle, D.M., Elder, M.C., Recent worms: a survey and trends, Proceedings of the 2003 ACM workshop on Rapid Malcode, pp.1-10. N.Weaver, V.Paxson, et al, A taxonomy of computer worms• , Proc. Of the ACM workshop on Rapid Malcode, pp.11-18, 2003. S. Staniford, V. Paxson, and N. Weaver, How to own internet in your spare time•in Proceedings of the USENIX Security Symposium, pp. 149-167,2002. Cliff Changchun Zou, Lixin Gao, Weibo Gong, Don Towsley. Monitoring and Early Warning for Internet Worms 5. 6. 7. 8. 9. Jose Nazario, The Future of Internet Worms , Crimelabs research: www.crimelabs.net