blackhat 2001 las vegas, nazario, “the future of internet worms” the future of internet worms...

Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms”

The Future of Internet Worms

Jose NazarioCrimelabs Research

Disclaimer

• Will not build

• Intrusion detection

Overview

• Introduction

• Six Components

• Problems in Current Worm Paradigms

• Evolution of Worm Networks

• Detection Strategies

• Conclusions

Worms Defined

• Automated intrusion agents

• Infect one host, launch, infect again

• Self propelled– viruses require carrier programs

Worms in History

• Morris worm

• Persistent Windows worms

• Rise of Linux worms (2000 …)

• Examples: Win32.Bremer, Ramen, sadmind/IIS

Why Worms?

• Ease– write and launch once– many acquisitions– continually working

• Pervasiveness– weeds out weakest targets– penetrates difficult networks

Two Futures

• Small increases– better rootkits– encryption– increased attack capabilities

• Paradigm shift

Six Components of Worms

• Reconnaissance

• Specific Attacks

• Command Interface

• Communication Mechanisms

• Intelligence Capabilities

• Unused and Non-attack Capabilities

Reconnaissance

• Target identification

• Active methods– scanning

• Passive methods– OS fingerprinting– traffic analysis

Specific Attacks

• Exploits– buffer overflows, cgi-bin, etc.– Trojan horse injections

• Limited in targets

• Two components– local, remote

Command Interface

• Interface to compromised system– administrative shell– network client

• Accepts instructions– person– other worm node

Communications

• Information transfer

• Protocols

• Stealth concerns

Intelligence Database

• Knowledge of other nodes

• Concrete vs. abstract

• Complete vs. incomplete

Unused and Non-attack Capabilities

• Remainder of exploits

• Non-exploit capabilities

• Various possibilities

Assembled Pieces

Cmd Cmd

Questions?

Current Limitations

• Limited capabilities

• Growth and traffic patterns

• Network structure

• Intelligence Database

Limited Capabilities: Recon

target

Limited Capabilities: Attack

target

if {1|2|3} attackelse abortend

Traffic Growth Rates

Tworm=kN(Tscansnscans)(Tcommncomms)t

fTworm=Tworm_______

Traffic, hence profile, increases with time.

Traffic Growth Patterns

108642

Infection Round

Infected hosts

Actual Traffic

Network Structure

Early Later

Network Topology

Early Later

Limitations of Directionality

Target Network

Intelligence Database

Limitations Conclusions

• Highly visible

• Easily Blocked– need a signature

• Unable to achieve a specific target

• Readily caught

Questions?

Future Considerations

• Dynamic behavior

• Dynamic updates

• Communications mechanisms

• Infection mechanisms

• Network topologies

• Communications topology

• New targets

Dynamic Behavior

GREICMP 8.053/UDP

80/TCP

Communications channels

Dynamic Behavior

Communications

Attacks

Platform

Dynamic invocation of capabilities

Dynamic Network Roles

Target

Not every node contains all components

Updates to the Nodes

Publish

Retrieve

Embedding Messages

• Images

• Text

• MP3 files

• Usenet, web, mailing lists

• Freenet, Gnutella, Napster

Stealth Broadcasts

N N N N

M'=M+m

Signed Updates

KU(KR( ))

Source verification

Communications Topology

Broadcast from central site

Communications Topology

Store and forward

Passive Methods

Target acquisition

Payload Injection

Network Topology

. ....

Guerilla network

Network Topology

Target

Directed tree

New Targets

• Embedded devices– bugs– prevalence on broadband

• Large audience targets– Akamai clients– Political, financial motivations

Questions?

Worm Detection

• Challenges– Fast moving– Always adding new nodes

• Traditional Worm Paradigm– Analyze one node, know all– Same signature for all nodes

Hard to distinguish between worms and aggressive or scripted attackers

Worm Signatures

• Correlation Analysis– Scans, attacks– Quick succession of scans across hosts– Quick follow up of attacks with scans

• Growth of Traffic– exponential

New Challenges

• Identifying communications channels

• Identifying all scans, attacks– Constantly changing

• Larger Picture

Defenses

• Traditional paradigms

• Detection– anomaly detection– agent based IDS– focus on common parts

Defenses

• NIDS– Hone in on common parts

• Poison Injections– Null, shutdown payloads

• Traffic analysis– Identifying communications partners

All are labor intensive

Conclusions

• Worms will evolve– increased use of hiding tools

• Impending paradigm shift– not all nodes look alike– update capable– No one signature

Acknowledgements

• Crimelabs– Rick– Chris– Jeremy– Brandon– Ben

• Michal Zalewski• Simple Nomad• Dug Song

• Blackhat

Questions?

blackhat 2001 las vegas, nazario, “the future of internet worms” the future of internet worms...

sadmindiiswhy worms

reconlimited capabilities

financial motivationsquestions

carrier programsworms

targetstwo componentslocal

againself propelledviruses

trojan horse injectionslimited

allsame signature

Documents

recent internet viruses & worms

the evolving threat of internet worms jose nazario, arbor...

santos rivera-torres daisy nazario-santana conjugal...

defending against internet worms

network security: internet worms and firewalls

internet worms: methods, countermeasures and famous...

worms notes 3 major phylum of worms platyhelminthes...

ednita nazario portada

vigilante: end-to-end containment of internet worms

fighting internet diseases: ddos, worms and miscreantsfirst...

recent internet viruses & worms by doppalapudi raghu

gestione dei laboratori come rendere sicura la navigazione...

artigo de luiz nazario

nazario luque

lecture #11 worms, worms & worms phylum platyhelminthes...

internet worms - a quick overview presented by : sumitha...

the future of internet worms - cs.umd.edu

nazario - anarcoma.pdf

worms and parasites. parasites worms how does a person get...

rodrigo nazario gonzalez hernandez