CSE651: Network Security

1
Active Worm and Its Defense

• CSE651 Network Security

2
Worm vs. Virus

• Worm
• A program that propagates itself over a network,
  reproducing itself as it goes
• Virus
• A program that searches out other programs and
  infects them by embedding a copy of itself in them

3
Active Worm VS DDoS

• DDoS stands for Distributed Denial of Service
  attacks
• Propagation method
• Goal congestion, resource appropriation
• Rate of distribution
• Scope of infection

4
History

• http//snowplow.org/tom/worm/history.html
• Morris Worm, first worm virus, released on
  November 2, 1988 by Robert Tappan Morris who was
  then a 23 year old doctoral student at Cornell
  University
• Code-Red worm in July 2001 infected more than
  350,000 Microsoft IIS servers. The attack
  finished in 14 hours
• Slammer worm in January 2003 that infected nearly
  75,000 Microsoft SQL servers. Attack finished in
  less than one hour
• MyDoom worm in February 2004 infected lots of
  hosts which automatically and successfully DDoS
  attacked a few popular websites

5
The Morris Worm of 1988

• First worm program
• Released by Robert T Morris of Cornell University
• Affected DECs VAX and Sun Microsystemss Sun 3
  systems
• Spread
• 6000 victims i.e., 5-10 of hosts at that time
• more machines disconnected from the net to avoid
  infection
• Cost
• Some estimate 98 million
• Other reports lt1 million
• Triggered the creation of CERT (Computer
  Emergency Response Team)

6
Recent Worms

• July 13, 2001, Code Red V1
• July 19, 2001, Code Red V2
• Aug. 04, 2001, Code Red II
• Sep. 18, 2001, Nimbda
• Jan. 25, 2003, SQL Slammer
• More recent
• SoBigF, MSBlast

7
How an Active Worm Spreads

• Autonomous
• No need of human interaction

Infected
8
Basic Propagation Method

• Network Worm Using port scan to find
  vulnerabilities of the targets
• Application Worm Propagate through email,
  Instance Messaging, file sharing on operation
  systems, P2P file sharing systems, or other
  applications
• Hybrid Worm

9
Delivery Method

• How is worm code is delivered to vulnerable
  hosts
• Self-contained Self-propagation Each newly
  infected host becomes the new source and sends
  worm code to other hosts infected by it
• Embedded Embedded with infected files, such as
  emails, shared files
• Second Channel The newly infected host uses
  second channel such as TFTP (Trivial File
  Transfer Protocol) to download the worm code from
  a center source

10
Scanning Strategy (1)

• Random scanning
• Probes random addresses in the IP address space
  (CRv2)
• Selective random scanning
• A set of addresses that more likely belong to
  existing machines can be selected as the target
  address space.
• Hitlist scanning
• Probes addresses from an externally supplied list
• Topological scanning
• Uses information on the compromised host (Email
  worms)
• Local subnet scanning
• Preferentially scans targets that reside on the
  same subnet. (Code Red II Nimbda Worm)

11
Scanning Strategy (2)

• Routable scanning
• Choose routable IP addresses as the target of
  scan
• DNS scanning
• Choose hosts with DNS name as the target of scan
• Permutation scanning
• Each new infected host gets a different IP
  addresses block

12
Synchronization between Infected Hosts (or Worm
Instances)

• Asynchronized
• Each infected host behavior individually without
  synchronization with other infected hosts
• Synchronized
• Infected hosts synchronized with each other by
  central server etc.

13
Propagation Activity Control

• Non-stopping
• Keep port scanning and never stop
• Time Control
• Preset stopping timer and restart timer and use
  those timers to control the port scan activities
• Self-Adjustment
• Self-control according to the environment (Atak
  worm) or the estimation of the infected host
  amount (Self-Stop worm)
• Centralized Control
• Controlled by the attacker

14
Scan Rate

• Constant Scan Rate
• Each infected host keeps a constant scan rate
  which is limited by the computation ability and
  outgoing bandwidth of the host.
• Random Varying Scan Rate
• Randomly change the scan rate.
• Smart Varying Scan Rate
• Change the scan rate smartly according to certain
  rule according to the attack policy and the
  environment.
• Controlled Varying Scan Rate
• Change the scan rate according to the attackers
  control command.

15
Modularity

• Non-Modular
• Modular
• Use modular design in the worm code, so that new
  attack modules can be sent to the infected hosts
  and plugged in after the infection.

16
Organization

• Decentralized
• There is no organization or cooperation among
  infected hosts, and there is no communication
  between the infected hosts and the attacker.
• Centralized Organization
• Organized by Internet Relay Chat (IRC) or other
  methods like botnets do, so that the attacker can
  control the infected hosts.

17
Payload with the worm code

• Spamming
• Code competent to carry out spamming.
• DDoS Attack
• Code competent to carry out DDoS attacks.
• Sniffing
• Code competent to watch for interesting
  clear-text data passing by the infected hosts.
• Spyware
• Spyware code.
• Keylogging
• Code competent to remember and retrieve the
  passwords on the infected hosts.
• Data Theft
• Code competent to steal privacy data.

18
Techniques for Exploiting Vulnerability

• fingerd (buffer overflow)
• sendmail (bug in the debug mode)
• rsh/rexec (guess weak passwords)

19
Active Worm Defense

• Modeling
• Infection Mitigation

20
Worm Behavior Modeling (1)

• Propagation model

• V is the total number of vulnerable nodes
• N is the size of address space
• i(t) is the percentage of infected nodes among V
• r is the scan rate of the worm

21
Worm Behavior Modeling (2)

• Propagation model

• M(i) the number of overall infected hosts at
  time i
• N(i) the number of un-infected vulnerable
  hosts at time i
• E(i) the number of newly infected hosts from
  time tick i to time i1 .
• T the total number of IP addresses, i.e., 232
  for IPv4.
• N(0) the number of vulnerable hosts on the
  Internet before the
• worm attack starts.
• E(0) 0, M(0) M0.

22
Modeling P2P-based Active Worm Attacks

• Basic worm attack strategies
• Pure Random-based Scan (PRS)
• Randomly select the attack victim
• Adopted by Code-Red-I and Slammer
• P2P based attack strategies
• Offline P2P-based Hit-list Scan (OPHLS)
• Online P2P-based Scan (OPS)
• Both strategies exploit P2P system features

23
Background P2P Systems

• Host-based overlay system
• Structured and unstructured
• Rich connectivity
• Very popular
• 3,467,860 users in the FastTrack P2P system
• 1,420,399 users in the eDonkey P2P system
• 1,155,953 users in the iMesh P2P system
• 103,466 users in the Gnutella P2P system.
  

24
Two P2P-based Worm Attack Strategies

• Offline P2P-based Hit-list Scan (OPHLS)
• Offline collect P2P host addresses as a hit-list
• Attack the hit-list first
• Attack Internet via PRS
• Online P2P-based Scan (OPS)
• Use runtime P2P neighbor information
• Attack P2P neighbors
• Extra attack resource applied to attack Internet
  via PRS

25
Online-based P2P Worm Attack Strategy
26
Performance Comparison of Attack Strategies

• The P2P-based attack strategies overall
  outperforms the PRS attack strategy
• OPHLS attack strategy achieves the best
  performance compared to all other online-based
  attack strategies

27
Sensitivity of Attack to P2P System Size

• With the P2P size increases, the attack
  performance becomes consistently better for all
  attack strategies

28
Detection

• Host-based detection
• Network-based detection
• Detecting large scale worm propagation
• Global distributed traffic monitoring framework
• Distributed monitors and data center
• Worm port scanning and background port scanning

29
Distributed Worm Monitoring Systems
30
Detection Schemes

• Worm behavior
• Pure random scan
• Each worm instance takes part in attack all the
  time
• Constant scan rate
• Overall port scanning traffic volume implies the
  number of worm instances (infected hosts).
• Total number of worm instances and overall port
  scanning traffic volume increase exponentially
  during worm propagation.
• Count-based and trend-based detection schemes

31
Infection Mitigation

• Patching
• Filtering/intrusion detection (signature based)
• DAW (Distributed Anti-Worm Architecture)
• TCP/IP stack reimplementation, bound connection
  requests

32
Goals of DAW

• Impede worm progress, allow human intervention
• Detect worm-infected clients
• Ensure congestion issues minimized little
  routing performance impact
• Shigang Chen and Yong Tang. Slowing down internet
  worms. In Proceedings of 24th International
  Conference on Distributed Computing Systems,
  March 2004.

33
DAW

• Requirements
• Distributed, sensors act independently
• NIDS (rather than HIDS)
• Limited responsibility, ensures availability of
  nodes

34
DAW
35
Active Worm Detection in DAW

• User behavior
• Few failed connections (DNS)
• Predictable traffic generation throughout day
• Relatively uniform intranet traffic distribution

• Worm behavior
• Sampling shows 99.96 failure in scan rate
• Spikes in failurerequest ratio
• Traffic pattern disproportionately favors
  infected clients

36
Active Worm -Failures

• TCP only, random scanning
• ICMP Unreachable/TCP-RST response
• 99.96 failure ? 80/tcp

37
Summary

• Worms can spread quickly
• 359,000 hosts in lt 14 hours
• Home / small business hosts play significant role
  in global internet health
• No system administrator ? slow response
• Cant estimate infected machines by of unique
  IP addresses
• DHCP effect appears to be real and significant
• Active Worm Defense
• Modeling
• Infection Mitigation