Internet Worms: Reality or Hype

1
Internet Worms Reality or Hype
Literature Review and Comments

• Shai Rubin
• UW Madison

2
Overview

• Background
• What a worm is
• How a worm works
• 3 behavioral models
• Threat from future worms
• Defending against worms (Wild and Crazy)
• Summary

3
An Internet Worm
Spreading phase
DDoS attack

• Self propagating program
• Speeding Mechanism
• Exploits a bug over the network (e.g., buffer
  overflow in IIS)
• Probe the net to find new machines to exploit

Amazon.com

• Threats
• Distributed denial of service attack
• Access to classified information on each
  compromised host

Router
Host
4
Code Red II
Code Red II Behavior DM02

• Vulnerability buffer overflow Microsoft IIS.
• Vulnerability published 19 June, 2001
• Started Spreading 19 July, 2001
• 360,000 hosts infected in 24 hours (demo)
• Damage 1.2 billion USA01

5
Overview

• Background
• What a worm is
• How a worm works
• Worm behavioral models
• Why analytical models?
• Simple
• Advance
• Sophisticated
• Threat from future worms
• Defending against worms
• Summary

6
Modeling Worm Behavior

• Why analytical model?
• In general, analytical model cheaper than
  simulation
• Help us understand better
• Parameters that influence behavior
• Use the model to explore future worm behavior
• Use model define the properties of defense
  techniques
• Starting point human epidemic
• Many similarities infection, immunization,
  viruses, etc.

7
The Simple Epidemic Model

• Model assumptions SPW02, Bai75
• Homogenous population (each node has k
  neighbors)
• no immunization
• Two parameters
• n Total population size of susceptible
  hosts
• ? - Infection rate
• Number of infected individuals
• Known as Logistic Equation

8
Does Code Red Fit the Simple Model?

• Staniford at el. SPW02
• ? 1.8
• We are done

• Are we really done?
• A match does not entails that the model is
  correct
• Check other viruses/worms
• Weak model assumptions (homogenous population, no
  immunization)
• Unnatural Code Red behavior

9
Advance Epidemic Model

• Model assumptions Bai75
• Homogenous population
• Immunization infected individuals are removed
  from population
• Three basic parameters
• n - Total population size of susceptible
  hosts
• ? - Infection rate
• ? - Removal rate
• No analytical solution1 (unlike the logistic
  equation for the simple model)
• Epidemic Threshold exist
• When the total number of susceptible individuals
  drops blow a certain threshold the epidemic
  dies

??/?effective infection rate
1As far as I know, based on Bai75
10
Do Worms Fit the Advance Model?

• Satorras at el. SV01 No
• Investigate three viruses types.
• Why not? because computer viruses do not die.
• Computer viruses have long lifetime (months)
• This implies, for all computer viruses effective
  spreading rate is just above the epidemic
  threshold
• 2 is very unlikely to occur
• How, we can better explain this observation?

11
Advance Topology Model SV01

• Epidemic models do not account for the scale free
  topology of the Internet
• Model assumptions
• Scale free topology
• Pn has K neighborsK-? (2???3)
• As in the advance model three parameters n,
  ?, ?
• Intuition individuals with higher connectivity
  has higher spreading rate

Scale Free Topology
12
Do Worms Fit the Advance Topology Model?

• Model property epidemic never dies
• Seems to fit data (both of old viruses SV01,
  and current worms SPW02)
• Code Red II does not die

Oct 01
Nov 01
Dec 01
Jan 02
Feb 02
13
The But of Advance Topology

• Does the assumption (scale free topology) valid?
• Viruses/worms attack end machines
  (servers/hosts)
• Routers are the highly connected individuals,
  but they are not susceptible (usually)
• Hence, we should consider a fully connected graph
  of susceptible individuals

14
Current Models Summary
Simple Advanced Topology
Topology K-connected Scale Free
Infection/ Removal rate Constant infection rate (no removal rate) Constant Rates
Analytical solution Yes Approximation
Evidence that fits data Yes Yes
15
Sophisticated Epidemic Model

• Zou at el. ZGT02 objects Staniford at el.
  SPW02
• No removal process
• Model was artificially fitted. Code Red II
  artificially stopped spreading after 24 hours

• Furthermore, infection/removal rate not constant.
• Infection rate decreased (due to high network
  traffic)
• Removal rate increased

Real population 490,000
16
Sophisticated Epidemic Model
So, which parameters should we take into account?
17
Models Summary
Simple Advanced Topology Sophisticated
Topology K-connected Scale Free K-Connected
Infection/ Removal rate Constant infection rate (no removal rate) Constant Rates Time dependent rates
Limitations Naive Questionable topology Complex
Analytical solution Yes Approximation No?
Evidence that fits data Yes Yes Yes
Common Highly virulence Highly virulence Highly virulence
18
Overview

• Background
• What a worm is
• How a worm works
• Worm behavior models
• Simple
• Advance
• Sophisticated
• Threat from future worms
• Defending against worms
• The defender advantage
• Defense techniques
• Summary

19
Better Worms

• Can someone implement even faster worms?
• The dominant factor start-up time
• Short start-up time ? faster worm

20
Short Start-Up Time SPW01
Technique
Hit List scanning (HL) Creator prepares a list of potential susceptible machines. Worm splits the list into sub-lists as it propagates. Problem infection rate drops after list is exhausted.
Permutation scanning (PS) Each copy of the worm scans different range of addresses. Problem sill long start up time
Warhol (HLPS) Initially use HL. Continue with PS. Problem ???
21
Better Worms - Simulation
Code Red II (Initial Infection rate 1.8)
Permutation scanning (Initial Infection rate 6)
Warwol (Initial Infection rate 20)
So, is the battle lost?
22
Overview

• Background
• What a worm is
• How a worm works
• 3 behavioral models
• Simple
• Advance
• Sophisticated
• Threat from future worms
• Defending against worms
• Good guy advantages
• Defense techniques
• Summary

23
Good Guy Advantages

• Easier to patch system than implementing a new
  worm CIPART
• Good guys have more resources
• Models suggest easier to slow active worm than
  making it faster
• Other?

24
CIPART Eliminating Known Vulnerabilities

• Code Red exploited known vulnerability
• MS announce a patch on June 19, 2001
• Code Red propagate on July 19, 2001
• 1.2 Billion damage could have been avoided if
  patch was deployed

Linux
Automatic Patcher
Win
Solaris
Vulnerability Exist?
Vulnerability Test Generator
Threat Estimator
Vulnerability Database
Formal Vulnerability Description
Test results
Administrator Report
Audit Tool
25
Quick Response Birds Eat Worms

• Deploy hidden censors (birds) in the web
• Birds machines that pretend they run services
  (e.g., IIS)
• When someone ask do you run x, say yes, I
  run x.
• Check if the censor was infected
• Eliminate worm

26
Defending Against Worms

• The defender advantage

Attacker gain
Defender gain
Same effort (X3) attacker gains 9 hours,
defender gains 30 hours
27
Summary Reality of Hype?
Do worms are a potential threat?
No
What is the magnitude of the threat?
1.2 Billion/worm
Is that a big threat?
No (car accidents in the US 150 Billion/year)
Yes
Reality
Hype
28
Bibliography
SPW02 Stuart Staniford, Vern Paxson, and Nicholas Weaver. "How to 0wn the Internet in Your Spare Time". In the Proceedings of the 11th USENIX Security Symposium, 2002.
SV01 Romualdo Pastor-Satorras and Alessandro Vespignani. "Epidemic Spreading in Scale-Free Networks". Physical Review Letters Vol 86(14), 2001.
ZGT02 Changchun Zou, Weibo Gong, and Don Towsley. "Code Red Worm Propagation Modeling and Analysis". 9th ACM Conference on Computer and Communications Security, 2002.
DM02 David Moore. The Spread of the Code-Red Worm. Cooperative Association for Internet Data Analysis (CAIDA), http//www.caida.org/analysis/security/code-red/coderedv2_analysis.xml, 2002.
USA01 USA Today 08/01/01. http//www.usatoday.com/life/cyber/tech/2001-08-01-code-red-costs.htmmore
Bai75 Norman T. J. Bailey . The mathematical theory of infectious diseases and its applications, 1975.