blackhat 2001 las vegas, nazario, “the future of internet worms” the future of internet worms...

Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms”

The Future of Internet Worms

Jose NazarioCrimelabs Research


Disclaimer

• Will not build

• Intrusion detection


Overview

• Introduction

• Six Components

• Problems in Current Worm Paradigms

• Evolution of Worm Networks

• Detection Strategies

• Conclusions


Worms Defined

• Automated intrusion agents

• Infect one host, launch, infect again

• Self propelled– viruses require carrier programs


Worms in History

• Morris worm

• Persistent Windows worms

• Rise of Linux worms (2000 …)

• Examples: Win32.Bremer, Ramen, sadmind/IIS


Why Worms?

• Ease– write and launch once– many acquisitions– continually working

• Pervasiveness– weeds out weakest targets– penetrates difficult networks


Two Futures

• Small increases– better rootkits– encryption– increased attack capabilities

• Paradigm shift


Six Components of Worms

• Reconnaissance

• Specific Attacks

• Command Interface

• Communication Mechanisms

• Intelligence Capabilities

• Unused and Non-attack Capabilities


Reconnaissance

• Target identification

• Active methods– scanning

• Passive methods– OS fingerprinting– traffic analysis


Specific Attacks

• Exploits– buffer overflows, cgi-bin, etc.– Trojan horse injections

• Limited in targets

• Two components– local, remote


Command Interface

• Interface to compromised system– administrative shell– network client

• Accepts instructions– person– other worm node


Communications

• Information transfer

• Protocols

• Stealth concerns


Intelligence Database

• Knowledge of other nodes

• Concrete vs. abstract

• Complete vs. incomplete


Unused and Non-attack Capabilities

• Remainder of exploits

• Non-exploit capabilities

• Various possibilities


Assembled Pieces

A

U

Com

I

R

Cmd Cmd

R

I

Com

U

A


Questions?


Current Limitations

• Limited capabilities

• Growth and traffic patterns

• Network structure

• Intelligence Database


Limited Capabilities: Recon

target

target

target

target

target

RPC

LPD

FTP

SNMP

IIS


Limited Capabilities: Attack

target

1

2

3

if {1|2|3} attackelse abortend

?


Traffic Growth Rates

Tworm=kN(Tscansnscans)(Tcommncomms)t

fTworm=Tworm_______

Ttot

Traffic, hence profile, increases with time.


Traffic Growth Patterns

108642

16000

14000

12000

10000

8000

6000

4000

2000

0

Infection Round

Ob

serv

atio

ns

Infected hosts

Actual Traffic


Network Structure

. .

Early Later


Network Topology

Early Later


Limitations of Directionality

.

. .

.. .

..

..

.

. .

.

.

.

.

..

.

. .

..

..

.

.. .

.

..

.

. .

. .

...

... .

.. .

..

..

.

. .

.

.. .

..

.

..

..

.

. .

.

.

.

.

.

.

.

Target Network


Intelligence Database

N

N

N

N

I

N

N

N

I


Limitations Conclusions

• Highly visible

• Easily Blocked– need a signature

• Unable to achieve a specific target

• Readily caught


Questions?


Future Considerations

• Dynamic behavior

• Dynamic updates

• Communications mechanisms

• Infection mechanisms

• Network topologies

• Communications topology

• New targets


Dynamic Behavior

TCP

GREICMP 8.053/UDP

80/TCP

SMTP

NNTP

Communications channels


Dynamic Behavior

Communications

Attacks

Platform

Dynamic invocation of capabilities


Dynamic Network Roles

Target

R

I

A

Not every node contains all components


Updates to the Nodes

Publish

Retrieve


Embedding Messages

• Images

• Text

• MP3 files

• Usenet, web, mailing lists

• Freenet, Gnutella, Napster


Stealth Broadcasts

M'

S

N N N N

M'=M+m


Signed Updates

KR( )

KU(KR( ))

U

U

Source verification


Communications Topology

Broadcast from central site


Communications Topology

Store and forward


Passive Methods

N

Target acquisition


Payload Injection

N


Network Topology

. ....

..

Guerilla network


Network Topology

Target

Directed tree


New Targets

• Embedded devices– bugs– prevalence on broadband

• Large audience targets– Akamai clients– Political, financial motivations


Questions?


Worm Detection

• Challenges– Fast moving– Always adding new nodes

• Traditional Worm Paradigm– Analyze one node, know all– Same signature for all nodes

Hard to distinguish between worms and aggressive or scripted attackers


Worm Signatures

• Correlation Analysis– Scans, attacks– Quick succession of scans across hosts– Quick follow up of attacks with scans

• Growth of Traffic– exponential


New Challenges

• Identifying communications channels

• Identifying all scans, attacks– Constantly changing

• Larger Picture


Defenses

• Traditional paradigms

• Detection– anomaly detection– agent based IDS– focus on common parts


Defenses

• NIDS– Hone in on common parts

• Poison Injections– Null, shutdown payloads

• Traffic analysis– Identifying communications partners

All are labor intensive


Conclusions

• Worms will evolve– increased use of hiding tools

• Impending paradigm shift– not all nodes look alike– update capable– No one signature


Acknowledgements

• Crimelabs– Rick– Chris– Jeremy– Brandon– Ben

• Michal Zalewski• Simple Nomad• Dug Song

• Blackhat


Questions?

blackhat 2001 las vegas, nazario, “the future of internet worms” the future of internet worms...

Documents

sadmindiiswhy worms

reconlimited capabilities

financial motivationsquestions

carrier programsworms

targetstwo componentslocal

againself propelledviruses

trojan horse injectionslimited

allsame signature