CSE 127CSE 127Computer SecurityComputer Security

Spring 2009Spring 2009

Network worms and worm defenseNetwork worms and worm defense

Stefan SavageStefan Savage

2

Network WormsNetwork Worms

Programs that actively spread between machines

Infection strategy more active Exploit buffer overflows, format bugs, etc Exploit bad password choice Entice user into executing program

3

Network Worms in actionNetwork Worms in action Self-propagating self-replicating network program

Exploits some vulnerability to infect remote machines Infected machines continue propagating infection

4

A brief history of worms…A brief history of worms…

As always Sci-Fi authors get it right first Gerold’s “When H.A.R.L.I.E. was One” (1972) – “Virus” Brunner’s “Shockwave Rider” (1975) – “tapeworm

program” Shoch&Hupp co-opt idea; coin term “worm” (1982)

Key idea: programs that self-propagate through network to accomplish some task; benign

Fred Cohen demonstrates power and threat of self-replicating viruses (1984)

First significant worm in the wild: Morris worm (1988)

5

History: Morris Internet WormHistory: Morris Internet Worm November 2, 1988 Infected around 6,000 major Unix machines Cost of the damage estimated at $10m - $100m Robert T. Morris Jr. unleashed Internet worm

Graduate student at Cornell University Convicted in 1990 of violating Computer Fraud and Abuse Act $10,000 fine, 3 yr. Suspended jail sentence, 400 hours of

community service

Son of the chief scientist at the National Computer Security Center -- part of the National Security Agency

Today he’s a professor at MIT (and a great guy I might add)

6

Morris Worm TransmissionMorris Worm Transmission

Find user accounts on the target machine Dictionary attack on /etc/passwd If it found a match, it would log in and try the same

username/password on other local machines

Exploit bug in fingerd Classic buffer overflow attack

Exploit trapdoor in sendmail Programmer left DEBUG mode in sendmail, which allowed

sendmail to execute an arbitrary shell command string.

7

Morris Worm InfectionMorris Worm Infection

Sent a small loader to target machine 99 lines of C code It was compiled on the remote platform (cross

platform compatibility) The loader program transferred the rest of the

worm from the infected host to the new target. Used authentication! To prevent sys admins from

tampering with loaded code. If there was a transmission error, the loader would

erase its tracks and exit.

8

Morris Worm Stealth/DoSMorris Worm Stealth/DoS When loader obtained full code

It was put into main memory and encrypted Original copies were deleted from disk (Even memory dump wouldn’t expose worm)

Worm periodically changed its name and process ID Resource exhaustion

Denial of service (accidental) There was a bug in the loader program that caused many

copies of the worm to be spawned per host System administrators cut their network connections

Couldn’t use internet to exchange fixes!

Odd observationOdd observation

Between the late 80s and late 90s there are basically no new worm outbreaks…

April 21, 2023 9CSE 127 -- Lecture 5: User Authentication

10

The Modern Worm eraThe Modern Worm era

Email based worms in late 90’s (Melissa & ILoveYou) Infect >1M hosts, but requires user participation

CodeRed worm released in Summer 2001 Exploited buffer overflow in IIS; no user interaction Uniform random target selection (after fixed bug in CRv1) Infects 360,000 hosts in 10 hours (CRv2) Like the energizer bunny… still going years later

Energizes renaissance in worm construction (1000’s) Exploit-based: CRII, Nimda, Slammer, Blaster, Witty, etc… Human-assisted: SoBig, NetSky, MyDoom, etc… 6200 malware variants in 2004; 6x increase from 2003 [Symantec] >200,000 malware variants in first 6mos of 2006 [Symantec] Convergence w/SPAM, DDoS, Spyware, IdTheft, BotNets

11

The worm threat by metaphorThe worm threat by metaphor

Imagine the following species: Poor genetic diversity; heavily inbred Lives in “hot zone”; thriving ecosystem of infectious

pathogens Instantaneous transmission of disease Immune response 10-1M times slower Poor hygiene practices

What would its long-term prognosis be? What if diseases were designed…

Trivial to create a new disease Highly profitable to do so

12

Technical enablers for wormsTechnical enablers for worms Unrestricted connectivity

Large-scale adoption of IP model for networks & apps

Software homogeneity & user naiveté Single bug = mass vulnerability in millions of hosts Trusting users (“ok”) = mass vulnerability in millions

of hosts

Few meaningful defenses Effective anonymity (minimal risk)

13

How to think about outbreaksHow to think about outbreaks Worms well described as infectious epidemics

Simplest model: Homogeneous random contacts Classic SI model

» N: population size

» S(t): susceptible hosts at time t

» I(t): infected hosts at time t

» ß: contact rate

» i(t): I(t)/N, s(t): S(t)/N

N

IS

dt

dSN

IS

dt

dI

)1( ii

dt

di

)(

)(

1)(

Tt

Tt

e

eti

courtesy Paxson, Staniford, Weaver

14

What’s important?What’s important?

There are lots of improvements to this model… Chen et al, Modeling the Spread of Active Worms, Infocom 2003 (discrete time) Wang et al, Modeling Timing Parameters for Virus Propagation on the Internet ,

ACM WORM ’04 (delay) Ganesh et al, The Effect of Network Topology on the Spread of Epidemics,

Infocom 2005 (topology) … but the conclusion is the same. We care about two

things:

How likely is it that a given infection attempt is successful?

Target selection (random, biased, hitlist, topological,…) Vulnerability distribution (e.g. density – S(0)/N)

How frequently are infections attempted? ß: Contact rate

15

What can be done?What can be done?

Reduce the number of susceptible hosts Prevention, reduce S(t) while I(t) is still small

(ideally reduce S(0))

Reduce the number of infected hosts Treatment, reduce I(t) after the fact

Reduce the contact rate Containment, reduce ß while I(t) is still small

16

Prevention: Software QualityPrevention: Software Quality

Goal: eliminate vulnerability

Static/dynamic testing (e.g. Cowan, Wagner, Engler, etc) Software process, code review, etc.

Active research community Taken seriously in industry

Security code review alone for Windows Server 2003 ~ $200M

Traditional problems: soundness, completeness, usability Practical problems: scale and cost

17

Prevention: WrappersPrevention: Wrappers

Goal: stop vulnerability from being exploited

Hardware/software buffer overflow prevention NX, /GS, StackGuard, etc

Sandboxing (BSD Jail, Virtual Machines) Limit capabilities of potentially exploited program Don’t allow certain system calls, network packets,

privileges, etc.

18

Prevention: Software HeterogeneityPrevention: Software Heterogeneity Goal: reduce impact of vulnerability

Use software diversity to tolerate attack Exploit existing heterogeneity

» Store you data on a Mac and on Windows Create artificial heterogeneity (hot research topic)

» Large contemporary literature (address randomization, execution polymorphism… use the tricks of the virus writer as a good guy)

Open questions: class of vulnerabilities that can be masked, strength of protection, cost of support

19

Prevention: Software UpdatingPrevention: Software Updating Goal: reduce window of vulnerability

Most worms exploited known vulnerability (1 day -> 3 months)

Window shrinking: automated patch->exploit (some now have negative windows; zeroday attacks)

Patch deployment challenges, downtime, Q/A, etc Rescorla, Is finding security holes a good idea?, WEIS ’04

Network-based filtering: decouple “patch” from code E.g. TCP packet to port 1434 and > 60 bytes Symantec: Generic Exploit Blocking

20

Prevention: Known Exploit BlockingPrevention: Known Exploit Blocking Get early samples of new exploit

Network sensors/honeypots “Zoo” samples

Security company distills “signature” Labor intensive process

Signature pushed out to all customers Host recognizer checks files/memory before execution

Example: Symantec Gets early intelligence via managed service side of business and

DeepSight sensor system >60TB of signature updates per day

Key assumptions: can get samples and signature generation can be amortized

Assumes long reaction window

21

Prevention: Hygiene Prevention: Hygiene EnforcementEnforcement

Goal: keep susceptible hosts off network

Only let hosts connect to network if they are “well cared for”

Recently patched, up-to-date anti-virus, etc… Manual version in place at some organizations

(e.g. NSF)

Cisco Network Admission Control (NAC) Can be expensive to administer

22

TreatmentTreatment Reduce I(t) after the outbreak is done

Practically speaking this is where much happens because our defenses are so bad

Two issues How to detect infected hosts?

» They still spew traffic (commonly true, but poor assumption)» Look for known signature (malware detector)

What to do with infected hosts?» Wipe whole machine» Custom disinfector (need to be sure you get it all…backdoors)» Interesting opportunities for virtualization (checkpoint/rollback)» Aside: interaction with SB1386…

Aside: white wormsAside: white worms

April 21, 2023 23CSE 127 -- Lecture 5: User Authentication

24

ContainmentContainment

Reduce contact rate

Slow down Throttle connection rate to slow spread

» Used in some HP switches Important capability, but worm still spreads…

Quarantine Detect and block worm Lock Down, Scan Detection, Signature inference

25

Quarantine requirementsQuarantine requirements

We can define reactive defenses in terms of: Reaction time – how long to detect, propagate

information, and activate response Containment strategy – how malicious behavior is

identified and stopped Deployment scenario - who participates in the

system

Given these, what are the engineering requirements for any effective defense?

26

Its difficult…Its difficult…

Even with universal defense deployment, containing a CodeRed-style worm (<10% in 24 hours) is tough

Address filtering (blacklists), must respond < 25mins

Content filtering (signatures), must respond < 3hrs For faster worms, seconds For non-universal deployment, life is worse…

See: Moore et al, Internet Quarantine: Requirements for Containing Self-Propagating Code, Infocom 2003 for more details

27

A pretty fast outbreak:A pretty fast outbreak:Slammer (2003)Slammer (2003)

First ~1min behaves like classic random scanning worm

Doubling time of ~8.5 seconds CodeRed doubled every 40mins

>1min worm starts to saturateaccess bandwidth

Some hosts issue >20,000 scans per second

Self-interfering(no congestion control)

Peaks at ~3min >55million IP scans/sec

90% of Internet scanned in <10mins Infected ~100k hosts

(conservative) See: Moore et al, IEEE Security & Privacy, 1(4), 2003 for more details

28

Was Slammer really fast?Was Slammer really fast?

Yes, it was orders of magnitude faster than CodeRed

No, it was poorly written and unsophisticated Who cares? It is literally an academic point

The current debate is whether one can get < 500ms Bottom line: way faster than people!

See: Staniford et al, ACM WORM, 2004 for more details

29

Outbreak Detection/MonitoringOutbreak Detection/Monitoring

Two classes of monitors Ex-situ: “canary in the coal mine”

» Network Telescopes» HoneyNets/Honeypots

In-situ: real activity as it happens

30

Network TelescopesNetwork Telescopes

Infected host scans for other vulnerable hosts by randomly generating IP addresses

Network Telescope: monitor large range of unused IP addresses – will receive scans from infected host

Very scalable. UCSD monitors > 1% of all routable addresses

31

Why do telescopes work?Why do telescopes work?

Assume worm spreads randomly Picks 32bit IP address at random and probes it

Monitor block of n IP addresses

If worm sends m probes/sec, we expect to see one within:

We monitor receives R’ probes per second, can estimate infected host is sending at:

sec232

nm

nRR

322'

32

What can you learn?What can you learn?

How many hosts are infected? How quickly? Where are they from? How quickly are they fixed? What happens in the long term?

33

Code Red: GrowthCode Red: Growth

34

Code Red: Country of OriginCode Red: Country of Origin

0

20000

40000

60000

80000

100000

120000

140000

160000

Infected Hosts

USKoreaChinaTaiwanCanadaUKGermanyAustraliaJapanNetherlands

525 hosts in NZ

35

Code Red: patching rateCode Red: patching rate

36

Code Red: decayCode Red: decay

37

Global animationGlobal animation

38

ProblemProblem

Telescopes are passive, can’t respond to external packets

How to tell the difference between two worms? Initial packet may be identical?

How to tell the difference between a worm something else?

39

Example: Blaster WormExample: Blaster Worm

Courtesy Farnam Jahanian

40

Example: BlasterExample: BlasterHow telescopes failHow telescopes fail

Courtesy Farnam Jahanian

41

One solution: active respondersOne solution: active responders

Active responder blindly responds to all traffic External SYN packet (TCP connection request) Send SYN/ACK packet in response

This is the moral equivalent to saying “uh huh” on the phone…

It elicits a bit more response – hopefully you see what’s going on

42

Using Active ResponderUsing Active Responder

Courtesy Farnam Jahanian

43

Limited fidelityLimited fidelity

Difficult to mimic complex protocol interactions (some malware requires up to 70 message exchanges)

Can’t tell if the machine would be infected, what it would do etc…

44

HoneypotsHoneypots

Solution: redirect scans to real “infectable” hosts (honeypots)

Analyze/monitor hosts for attacks

Challenges Scalability

» Buy one honeypot per IP address? Liability

» What if a honeypot infects someone else? Detection

» What techniques to tell if a honeypot has been compromised

45

Aside: UCSD Potemkin honeyfarmAside: UCSD Potemkin honeyfarm

Largest honeypot system on the planet Currently supports 65k live honeypots Scalable to several million at reasonable cost

Uses lots of implementation tricks to make this feasible

Only uses a handful of physical machines Only binds honeypots to addresses when an

external request arrives Supports multiple honeypots per physical machine

using “virtual machines”

46

Overall limitations of telescope, Overall limitations of telescope, honeynet, etc monitoringhoneynet, etc monitoring

Depends on worms scanning it What if they don’t scan that range (smart bias) What if they propagate via e-mail, IM?

Inherent tradeoff between liability exposure and detectability

Honeypot detection software exists It doesn’t necessary reflect what’s happening on your

network (can’t count on it for local protection)

Hence, we’re always interested in in situ detection as well

47

Detecting worms on Detecting worms on youryour network network

Two classes of approaches Scan detection: detect that host is infected by

infection attempts

Signature inference: automatically identify content signature for exploit (sharable)

48

Scan DetectionScan Detection

Basic idea: detect scanning behavior indicative of worms and quarantine individual hosts

Lots of variants of this idea, here’s one: Threshold Random Walk algorithm

» Observation: connection attempts to random hosts usually won’t succeed (no machine there, no service on machine)

» Track ratio of failed connection attempts to connection attempts per IP address; should be small

» Can be implemented at very high speed

See: Jung et al, Fast Portscan Detection Using Sequential Hypothesis Testing, Oakland 2004, Weaver et al, Very Fast Containment of Scanning Worms, USENIX Security 2004

49

Signature inferenceSignature inference

Challenge: automatically learn a content “signature” for each new worm – potentially in less than a second!

Singh et al, Automated Worm Fingerprinting, OSDI ’04

50

Approach Approach

Monitor network and look for strings common to traffic with worm-like behavior

Signatures can then be used for content filtering

SRC: 11.12.13.14.3920 DST: 132.239.13.24.5000 PROT: TCP

00F0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................0100 90 90 90 90 90 90 90 90 90 90 90 90 4D 3F E3 77 ............M?.w0110 90 90 90 90 FF 63 64 90 90 90 90 90 90 90 90 90 .....cd.........0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................0130 90 90 90 90 90 90 90 90 EB 10 5A 4A 33 C9 66 B9 ..........ZJ3.f.0140 66 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 f..4...........p. . .

PACKET HEADER

PACKET PAYLOAD (CONTENT)

Kibvu.B signature captured by Earlybird on May 14th, 2004

51

Content siftingContent sifting

Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)

Two consequences Content Prevalence: W will be more common in traffic

than other bitstrings of the same length Address Dispersion: the set of packets containing W

will address a disproportionate number of distinct sources and destinations

Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic

52

Address Dispersion Table Sources Destinations Prevalence Table

The basic algorithmThe basic algorithmDetector in

networkA B

cnn.com

C

DE

53

1 (B)1 (A)

Address Dispersion Table Sources Destinations

1

Prevalence Table

The basic algorithmThe basic algorithmDetector in

networkA B

cnn.com

C

DE

541 (A)1 (C)

1 (B)1 (A)

Address Dispersion Table Sources Destinations

1

1

Prevalence Table

The basic algorithmThe basic algorithmDetector in

networkA B

cnn.com

C

DE

551 (A)1 (C)

2 (B,D)2 (A,B)

Address Dispersion Table Sources Destinations

1

2

Prevalence Table

The basic algorithmThe basic algorithmDetector in

networkA B

cnn.com

C

DE

561 (A)1 (C)

3 (B,D,E)3 (A,B,D)

Address Dispersion Table Sources Destinations

1

3

Prevalence Table

The basic algorithmThe basic algorithmDetector in

networkA B

cnn.com

C

DE

57

ChallengesChallenges Computation

To support a 1Gbps line rate we have 12us to process each packet… at 10Gbps 1.2us

» Dominated by memory references; state expensive Content sifting requires looking at every byte in a packet

State On a fully-loaded 1Gbps link a naïve implementation

can easily consume 100MB/sec for tables

If you’re interested you can read the paper for the gory details on how we actually do it :-)

70

Software prototype: EarlybirdSoftware prototype: Earlybird

AMD Opteron 242 (1.6Ghz)

Linux 2.6

Libpcap

EB Sensor code (using C)

EarlyBird Sensor

TAPSummary

data

Reporting & Control

EarlyBird Aggregator

EB Aggregator (using C)

Mysql + rrdtools

Apache + PHP

Linux 2.6

Setup 1: Large fraction of the UCSD campus traffic, Traffic mix: approximately 5000 end-hosts, dedicated servers for campus wide services (DNS, Email, NFS etc.)Line-rate of traffic varies between 100 & 500Mbps.

Setup 2: Fraction of local ISP Traffic, Traffic mix: dialup customers, leased-line customers Line-rate of traffic is roughly 100Mbps.

To other sensors and blocking devices

73

Experience w/EarlybirdExperience w/Earlybird Extremely good

Detected and automatically generated signatures for every known worm outbreak over eight months

Can produce a precise signature for a new worm in a fraction of a second

Known worms detected: Code Red, Nimda, WebDav, Slammer, Opaserv, …

Unknown worms (with no public signatures) detected:

MsBlaster, Bagle, Sasser, Kibvu, …

74

Sasser Sasser

77

False NegativesFalse Negatives Easy to prove presence, impossible to prove absence

Live evaluation: over 8 months detected every worm outbreak reported on popular security mailing lists

Offline evaluation: several traffic traces run against both Earlybird and Snort IDS (w/all worm-related signatures)

Worms not detected by Snort, but detected by Earlybird The converse never true

78

False PositivesFalse Positives Common protocol

headers Mainly HTTP and SMTP

headers Distributed (P2P) system

protocol headers Procedural whitelist

» Small number of popular protocols

Non-worm epidemic Activity

SPAM BitTorrent

GNUTELLA.CONNECT /0.6..X-Max-TTL:  .3..X-Dynamic-Qu  erying:.0.1..X-V  ersion:.4.0.4..X  -Query-Routing:.  0.1..User-Agent:  .LimeWire/4.0.6.  .Vendor-Message:  .0.1..X-Ultrapee  r-Query-Routing:

79

Major UCSD success storyMajor UCSD success story Major UCSD success story

Content sifting technologies patented by UC and licensed to startup, Netsift Inc.

Improved and accelerated (esp for hardware implementation) 12mos later Netsift was acquired by Cisco

When you buy a Cisco enterprise switch in 24mos it will have this capability

80

LimitationsLimitations Variant content

Polymorphism, metamorphism… no invariant signature Network evasion

More about this when we cover IDS End-to-end encryption vs content-based security

Privacy vs security policy Slow/stealthy worms

Under threshold DoS via manipulation

Make a worm with the string “Republican” in it Trust between monitors

You say “ABC” is a worm signature, why should I trust you?

81

Distributed detection issuesDistributed detection issues

Suppose I detect a worm… I want to tell you about it. Why should I trust you?

If you lie you might tell me that “From: “ was a worm signature

Self-Certifying Alerts (Microsoft Research) Have worm alert encode the vulnerability itself Recipient runs alert in safe “sandboxed”

environment and proves to self that vulnerability exists (and thus signature is valid)

82

Next timeNext time

Bots, rootkits and spyware