Post on 20-Jan-2016
Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms”
The Future of Internet Worms
Jose Nazario, Crimelabs Research
Disclaimer
• Will not build
• Intrusion detection
Overview
• Introduction
• Six Components
• Problems in Current Worm Paradigms
• Evolution of Worm Networks
• Detection Strategies
• Conclusions
Worms Defined
• Automated intrusion agents
• Infect one host, launch, infect again
• Self propelled
  – viruses require carrier programs
Worms in History
• Morris worm
• Persistent Windows worms
• Rise of Linux worms (2000 …)
• Examples: Win32.Bremer, Ramen, sadmind/IIS
Why Worms?
• Ease
  – write and launch once
  – many acquisitions
  – continually working
• Pervasiveness
  – weeds out weakest targets
  – penetrates difficult networks
Two Futures
• Small increases
  – better rootkits
  – encryption
  – increased attack capabilities
• Paradigm shift
Six Components of Worms
• Reconnaissance
• Specific Attacks
• Command Interface
• Communication Mechanisms
• Intelligence Capabilities
• Unused and Non-attack Capabilities
Reconnaissance
• Target identification
• Active methods
  – scanning
• Passive methods
  – OS fingerprinting
  – traffic analysis
Specific Attacks
• Exploits
  – buffer overflows, cgi-bin, etc.
  – Trojan horse injections
• Limited in targets
• Two components
  – local, remote
Command Interface
• Interface to compromised system
  – administrative shell
  – network client
• Accepts instructions
  – person
  – other worm node
Communications
• Information transfer
• Protocols
• Stealth concerns
Intelligence Database
• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete
Unused and Non-attack Capabilities
• Remainder of exploits
• Non-exploit capabilities
• Various possibilities
Assembled Pieces
(Figure: two worm nodes, each assembled from the components R, A, Cmd, Com, I and U, linked through their command interfaces Cmd)
Questions?
Current Limitations
• Limited capabilities
• Growth and traffic patterns
• Network structure
• Intelligence Database
Limited Capabilities: Recon
(Figure: each target is probed only for a fixed set of services: RPC, LPD, FTP, SNMP, IIS)
Limited Capabilities: Attack
(Figure: a target is checked against exploits 1, 2 and 3; pseudocode: if {1|2|3} attack else abort end; a target matching none is left unresolved, marked ?)
Traffic Growth Rates
$$T_{worm} = k\,N\,(T_{scans}\, n_{scans})\,(T_{comm}\, n_{comms})\, t$$

$$f_{T_{worm}} = \frac{T_{worm}}{T_{tot}}$$
Traffic, hence profile, increases with time.
Traffic Growth Patterns
(Figure: Traffic Growth Patterns chart; x axis Infection Round, 2 to 10; y axis Observations, 0 to 16000; series: Infected hosts and Actual Traffic)
Network Structure
(Figure: Network Structure, Early vs. Later)
Network Topology
(Figure: Network Topology, Early vs. Later)
Limitations of Directionality
(Figure: Limitations of Directionality; nodes scattered across the network, with the Target Network marked)
Intelligence Database
(Figure: Intelligence Database; worm nodes N and intelligence nodes I)
Limitations Conclusions
• Highly visible
• Easily Blocked
  – need a signature
• Unable to achieve a specific target
• Readily caught
Questions?
Future Considerations
• Dynamic behavior
• Dynamic updates
• Communications mechanisms
• Infection mechanisms
• Network topologies
• Communications topology
• New targets
Dynamic Behavior
(Figure: Communications channels: TCP, GRE, ICMP 8.0, 53/UDP, 80/TCP, SMTP, NNTP)
Dynamic Behavior
(Figure: Dynamic invocation of capabilities: Communications, Attacks, Platform)
Dynamic Network Roles
(Figure: a Target approached by nodes carrying R, I and A separately)
Not every node contains all components
Updates to the Nodes
(Figure: Publish / Retrieve)
Embedding Messages
• Images
• Text
• MP3 files
• Usenet, web, mailing lists
• Freenet, Gnutella, Napster
Stealth Broadcasts
(Figure: Stealth Broadcasts; source S sends M' to nodes N, where M' = M + m: the message m is carried inside an ordinary message M)
Signed Updates
(Figure: Signed Updates; update U is signed with the private key, KR(U), and each node verifies it with the public key, KU(KR(U)))
Source verification
Communications Topology
Broadcast from central site
Communications Topology
Store and forward
Passive Methods
(Figure: Passive Methods; node N)
Target acquisition
Payload Injection
(Figure: Payload Injection; node N)
Network Topology
(Figure: Guerilla network)
Network Topology
(Figure: Directed tree leading to a Target)
New Targets
• Embedded devices
  – bugs
  – prevalence on broadband
• Large audience targets
  – Akamai clients
  – Political, financial motivations
Questions?
Worm Detection
• Challenges
  – Fast moving
  – Always adding new nodes
• Traditional Worm Paradigm
  – Analyze one node, know all
  – Same signature for all nodes
Hard to distinguish between worms and aggressive or scripted attackers
Worm Signatures
• Correlation Analysis
  – Scans, attacks
  – Quick succession of scans across hosts
  – Quick follow up of attacks with scans
• Growth of Traffic
  – exponential
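As an added example (not code from Nazario's slides), the following Python implements the two signatures named on this slide over a few constructed log lines, and uses the model from the Traffic Growth Rates slide to show why per-round worm traffic grows exponentially as N doubles. The log format, addresses, thresholds, model parameter values and the split T_tot = T_worm + T_background are assumptions made for this example.

```python
"""Worm-signature heuristics over constructed event logs (added example, not
code from the Blackhat 2001 slides).

Signals from the "Worm Signatures" slide: a source scanning many hosts in
quick succession and following a scan with an attack on the same host; and
per-round traffic growing exponentially, using the "Traffic Growth Rates"
model T_worm = k * N * (T_scans * n_scans) * (T_comm * n_comms) * t.
T_tot = T_worm + T_background is an assumption made here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines "<ISO time> <src> -> <dst> <event>"; the addresses,
# times and event names are invented for this example.
SAMPLE_LOG = """\
2001-07-11T10:00:00 10.0.0.5 -> 10.0.1.1 scan
2001-07-11T10:00:01 10.0.0.5 -> 10.0.1.2 scan
2001-07-11T10:00:02 10.0.0.5 -> 10.0.1.3 scan
2001-07-11T10:00:03 10.0.0.5 -> 10.0.1.1 attack
2001-07-11T10:00:05 10.0.0.5 -> 10.0.1.3 attack
2001-07-11T10:00:00 10.0.0.9 -> 10.0.2.1 scan
2001-07-11T11:30:00 10.0.0.9 -> 10.0.2.2 scan
2001-07-11T13:00:00 10.0.0.9 -> 10.0.2.3 scan
"""


def parse_log(text):
    """Parse lines into (time, src, dst, kind) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, kind = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, kind))
    events.sort(key=lambda e: e[0])
    return events


def correlate_scans_and_attacks(events, scan_window=timedelta(seconds=10),
                                min_hosts=3, followup=timedelta(seconds=30)):
    """Flag sources that scanned >= min_hosts distinct hosts within some
    scan_window and then attacked a host they had scanned no more than
    `followup` earlier. Returns {src: {"hosts_scanned", "attacks_after_scan"}}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        scans = [(t, dst) for t, _s, dst, kind in evs if kind == "scan"]
        attacks = [(t, dst) for t, _s, dst, kind in evs if kind == "attack"]
        # Largest number of distinct hosts scanned inside any scan_window.
        burst = 0
        for i, (t0, _d) in enumerate(scans):
            hosts = {dst for t, dst in scans[i:] if t - t0 <= scan_window}
            burst = max(burst, len(hosts))
        if burst < min_hosts:
            continue
        # Attacks that follow a scan of the same host within `followup`.
        followups = sum(
            1 for ta, da in attacks
            if any(ds == da and timedelta(0) <= ta - ts <= followup
                   for ts, ds in scans))
        if followups:
            flagged[src] = {"hosts_scanned": burst,
                            "attacks_after_scan": followups}
    return flagged


def worm_traffic(n_infected, t, k=1.0, t_scans=1.0, n_scans=100,
                 t_comm=1.0, n_comms=10):
    """T_worm for N infected hosts over time t; the parameter values are
    constructed, not taken from the talk."""
    return k * n_infected * (t_scans * n_scans) * (t_comm * n_comms) * t


def traffic_fraction(t_worm, t_background):
    """f_Tworm = T_worm / T_tot, assuming T_tot = T_worm + T_background."""
    return t_worm / (t_worm + t_background)


def is_exponential_growth(series, min_ratio=1.5, min_rounds=3):
    """True when consecutive per-round values grow by at least min_ratio
    for min_rounds rounds in a row; a linear ramp does not qualify."""
    streak = 0
    for prev, cur in zip(series, series[1:]):
        if prev > 0 and cur / prev >= min_ratio:
            streak += 1
            if streak >= min_rounds:
                return True
        else:
            streak = 0
    return False


if __name__ == "__main__":
    print(correlate_scans_and_attacks(parse_log(SAMPLE_LOG)))
    per_round = [worm_traffic(2 ** r, 1.0) for r in range(6)]  # N doubles
    print(per_round, is_exponential_growth(per_round))
```

With the constructed log, 10.0.0.5 is flagged (three hosts scanned within seconds, two of them attacked right after), while 10.0.0.9, whose scans are hours apart, is not; the same scan-then-attack pattern from a hand-driven scripted attacker would also trigger it, which is the ambiguity the next slide points out. Doubling N each round doubles T_worm each round, so the growth check fires after three rounds.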
New Challenges
• Identifying communications channels
• Identifying all scans, attacks
  – Constantly changing
• Larger Picture
Defenses
• Traditional paradigms
• Detection
  – anomaly detection
  – agent based IDS
  – focus on common parts
Defenses
• NIDS
  – Hone in on common parts
• Poison Injections
  – Null, shutdown payloads
• Traffic analysis
  – Identifying communications partners
All are labor intensive
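An added example (not from the slides) of the traffic-analysis defense listed above: given flow records and the set of hosts already confirmed infected, it identifies destinations shared by several infected hosts (the central site of a broadcast-from-central-site topology) and infected-to-infected links (a store-and-forward overlay), and weights each shared destination by how much of its client base is infected so that a popular legitimate site does not score as a rendezvous point. The flow records, addresses, infected set and thresholds are constructed for this example.

```python
"""Traffic analysis to identify a worm's communications partners (added
example, not code from the Blackhat 2001 slides)."""
from collections import defaultdict

# Constructed flow records (src, dst, dst_port); all addresses are invented.
FLOWS = [
    ("10.0.1.1", "198.51.100.7", 80),
    ("10.0.1.2", "198.51.100.7", 80),
    ("10.0.1.3", "198.51.100.7", 80),
    ("10.0.1.1", "10.0.1.2", 53),        # infected host relaying to another
    ("10.0.1.2", "10.0.1.3", 53),
    ("10.0.1.1", "203.0.113.20", 443),   # ordinary traffic
    ("10.0.5.5", "198.51.100.7", 80),    # an uninfected host uses the same site
    ("10.0.5.5", "203.0.113.20", 443),
]
INFECTED = {"10.0.1.1", "10.0.1.2", "10.0.1.3"}  # constructed ground truth


def partners_of_infected(flows, infected):
    """Map (dst, port) to the set of infected sources that contacted it."""
    partners = defaultdict(set)
    for src, dst, port in flows:
        if src in infected:
            partners[(dst, port)].add(src)
    return partners


def infected_share(flows, infected):
    """For each (dst, port): fraction of its distinct clients that are infected.
    A site whose clients are mostly infected hosts stands out; a popular
    legitimate site that infected hosts also visit does not."""
    clients = defaultdict(set)
    for src, dst, port in flows:
        clients[(dst, port)].add(src)
    return {key: len(srcs & infected) / len(srcs)
            for key, srcs in clients.items()}


def rendezvous_candidates(flows, infected, min_infected=2, min_share=0.6):
    """Destinations outside the infected set contacted by at least
    min_infected infected hosts and whose client base is at least min_share
    infected: candidates for a central publish/broadcast site."""
    share = infected_share(flows, infected)
    return sorted(
        (dst, port, len(srcs))
        for (dst, port), srcs in partners_of_infected(flows, infected).items()
        if dst not in infected and len(srcs) >= min_infected
        and share[(dst, port)] >= min_share)


def peer_links(flows, infected):
    """Infected-to-infected edges, i.e. a store-and-forward overlay."""
    return sorted({(src, dst) for src, dst, _port in flows
                   if src in infected and dst in infected})


if __name__ == "__main__":
    print(rendezvous_candidates(FLOWS, INFECTED))
    print(peer_links(FLOWS, INFECTED))
```

On the constructed flows, 198.51.100.7:80 is reported as a candidate (three of its four clients are infected), 203.0.113.20:443 is not (only one infected client, half its client base), and the two infected-to-infected flows are returned as overlay edges. Raising min_share is the knob to use on a network where a shared site is simply popular.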
Conclusions
• Worms will evolve
  – increased use of hiding tools
• Impending paradigm shift
  – not all nodes look alike
  – update capable
  – No one signature
Acknowledgements
• Crimelabs
  – Rick
  – Chris
  – Jeremy
  – Brandon
  – Ben
• Michal Zalewski
• Simple Nomad
• Dug Song
• Blackhat
Questions?