Survey							
                            
		                
		                * Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006 What is a worm? Self-replicating/self-propagating programs  Spread from system to system without user interaction  Finds vulnerabilities in systems and uses them to spread  Spread via network  Different from virus which requires user interaction  Danger? Take over systems  Access sensitive information   Passwords, credit card numbers, patient records, emails  Disrupts system functions  Government, nuclear power plants, hospitals DDoS attack  Bandwidth saturation  Code Red (CRv1) July 13th, 2001  Exploit Microsoft IIS vulnerabilities  Each infected system scans random 32bit IP addresses to attack  Bug in the random generator resulting linear spread  Code Red I (CRv2) July 19th, 2001  Same as CRv1 but with random generator bug fix  DDoS payload targeting IP address of www.whitehouse.gov  Bug in the code made it die for date >= 20th of the month  Code Red II August 4th, 2001  Not related to Code Red (just comment says Code Red)  Exploit buffer overflow in MS IIS web server  Installed remote root backdoor which can be used for anything  Nimda September 18th, 2001  Multiple method of spreading   MS IIS vulnerability  Email  Copying over network shares  Webpage infection  Scan backdoor left by Code Red II  From no probing to 100 probes/sec in just 30 minutes Sapphire/Slammer/SQLSlammer       January 25th, 2003 Exploit MS SQL Server buffer overflow Fastest spreading worm Peak rate of 55million scans/sec after just 3 min Rate slowed down because bandwidth saturation No malicious payload, just saturated bandwidth causing many servers out of connection Slammer effect : Before and after 30 minutes What if Slammer had malicious payload? Used Techniques  Random scanning  Code  Red, Code Red I Localized scanning  Code Red II  Machines in the same network are more likely to run the same software  Multi-vector  Nimda  Several methods of spreading Possible Techniques 1  Hit-list scanning  First 10k infection is the hardest  Use a list of 10~50k vulnerable machines  Several methods to generate the list     Stealthy scan: random scan taking several months Distributed scan: using already compromised hosts DNS search: already known servers such as mail/web servers Just listening: P2P networks advertise their servers, previous worms advertised many servers Possible Techniques 2  Permutation Scanning  Random scan probes same host multiple times  Permutation of IP addresses  When an infected host is found, start from random point in the permutation  Self-coordinated, comprehensive scanning  Very high infection rate Possible Techniques 3      Warhol Worm Hit-list and permutation scanning combined Start off quickly and high infection rate Simulation shows 99.99% of 300k hosts infected in less t han 15 min. Many other techniques    Topological scanning – use info from the infected machine to spread machines in the same subnet Flash worm – using high band width with compressed hit-list Stealth worms – web servers to clients, P2P Dealing with worm threat  Prevention  Prevent vulnerability by Secure coding practices  Patching software  Heterogeneity of network  Treatment  Patching after breakout  Virus scanning  Containment Containment  Incoming  Black list  Signature based detection  Identify scanning characteristics of worms  Outgoing  TCP connection threshold  Use worm signature for outbound traffic Detection – signature based  Attack Signature:  A description which represents a particular attack or action   Vulnerability Signature:  A description of the class of vulnerable systems    Eg, a classic antivirus signature Eg, “Windows XP, SP2, not patched since 10/1/2004” A description of how to exploit a particular vulnerability Behavioral Signatures:   A behavior necessary for a class of worms (E.G. Scanning) A behavior common to many implementations (half-open connec tions) Detection – runtime analysis      Mark all the data from unsafe source and derived data to be dirty Any execution attempts are signaled as possible threat Generate Self-Certifying Allerts and distribute to peers u sing overlay – peers only run overlay code so less susce ptible to attacks Each host verifies alert in a VM and if the vulnerability is found, generates filter Multiple filters to prevent false positive   Generic filter – disjunction of multiple specific conditions Specific filter – more stringent conditions Thoughts  Detection  Polymorphic  Obfuscation, encryption  False  worms positive Attacker generates suspicious traffic with byte strings that are common in normal traffic  Signature generation time  Dynamic taint analysis – expensive or low coverage a nd resource-hungry Thoughts  Distribution/deployment  Pervasive  E2E detection and distribution  Secure  P2P collaboration communication Overlay? Intrusion detection systems?  Honeypots, honeyfarms?  Remarks   Future worms will be more aggressive Need automatic detection mechanisms  No   global answer, need to apply all the techniques Network level detections have limitations becaus e of limited/no knowledge of software vulnerabilit ies E2E detection, secure P2P distribution of worm i nformation