The wonderful world of worm traps
Gabor Szappanos
gszappanos@virusbuster.hu


Why do we need worm traps?

Shorten reaction time (eliminate user factor)

Get a sample for disinfection (if known)

Know what is spreading

Get new variants (repacked, recompiled)

Shorten reaction time

Without a trap:
  Malware starts spreading/seeding
    (hours/days)
  Users notice something unusual
    (hours)
  Submit the sample to a virus lab
    (hours/days)
  Sample proves to be malicious
  Database update released

With a trap:
  Malware starts spreading/seeding
    (instantly)
  Sample is captured in a trap
  Virus lab alerted

Know what is spreading

Port listeners

• No (or low) interaction traps
• Capture TCP/UDP port traffic

+ Very easy to implement
- Truncated samples on broken connections
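
A minimal no-interaction port listener of the kind described above, as an added example (not code from the talk or from VirusBuster): it never answers, stores whatever the peer sends, hashes it, and flags captures that ended by timeout, reset or size cap rather than an orderly close, so the "truncated sample" weakness is visible per record. The port-to-vulnerability labels in PORT_LABELS are assumed for the summary report and are not taken from the slides.

```python
import hashlib
import socket
import threading
import time
from collections import Counter

# Constructed mapping from bait port to the vulnerability it stands in for;
# used only to label the summary report (assumption, not from the slides).
PORT_LABELS = {
    1433: "MS SQL Server (TCP/1433)",
    135: "MS RPC (TCP/135)",
    5554: "Sasser FTPD (TCP/5554)",
}


def capture_connection(conn, port, peer, max_bytes=1_000_000, timeout=5.0):
    """No-interaction capture: never answer, just read until the peer closes.

    Returns a dict describing the capture. 'truncated' is True when the read
    ended by timeout, reset or size cap instead of an orderly close, i.e. the
    sample is probably incomplete (the weakness noted on the slide)."""
    conn.settimeout(timeout)
    chunks, total, truncated = [], 0, False
    try:
        while total < max_bytes:
            chunk = conn.recv(65536)
            if not chunk:            # orderly close: the peer sent everything
                break
            chunks.append(chunk)
            total += len(chunk)
        else:
            truncated = True         # hit the size cap before the close
    except OSError:                  # timeout, reset, or the peer vanished
        truncated = True
    finally:
        conn.close()
    data = b"".join(chunks)
    return {
        "peer": peer,
        "port": port,
        "bytes": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "truncated": truncated,
        "data": data,
    }


def attack_report(captures):
    """Aggregate captures per bait port, sorted like the 'Vuln Name /
    Attack Count' table on the slide. Returns a list of (label, count)."""
    counts = Counter(PORT_LABELS.get(c["port"], f"TCP/{c['port']}") for c in captures)
    return counts.most_common()


def serve(port, captures, stop, host="127.0.0.1"):
    """Accept loop for one bait port; appends one capture dict per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.5)              # wake up regularly to check the stop flag
    while not stop.is_set():
        try:
            conn, (ip, _) = srv.accept()
        except socket.timeout:
            continue
        captures.append(capture_connection(conn, port, ip))
    srv.close()


if __name__ == "__main__":
    # Stand-alone demo on loopback: one listener, one fake client that sends
    # a constructed blob and hangs up cleanly.
    captures, stop = [], threading.Event()
    t = threading.Thread(target=serve, args=(1433, captures, stop), daemon=True)
    t.start()
    time.sleep(0.2)
    with socket.create_connection(("127.0.0.1", 1433)) as c:
        c.sendall(b"\x90" * 64 + b"constructed payload")
    time.sleep(1)
    stop.set()
    t.join()
    for r in captures:
        state = "truncated" if r["truncated"] else "complete"
        print(r["peer"], r["port"], r["bytes"], r["sha1"], state)
    for label, n in attack_report(captures):
        print(f"{label:40} {n}")
```

In production the listener should run on a host that cannot reach anything else (the worm that connects is looking for a victim, not a sensor), and records with truncated set should be kept but marked, since a partial capture still identifies the exploit even when the dropped binary is unusable.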

Generated at: Wed, 12 Oct 2005 22:01:03 +0300

Vuln Name                                                      Attack Count
MS02-061 Elevation of Privilege in SQL Server                  213
Microsoft Knowledge Base Q313418 null password vulnerability   40
Microsoft SQL Server SA password brute-force guessing          33
Sasser worm FTPD server buffer overflow                        24
MS03-026 RPC Vulnerability                                     16
Mydoom.A Backdoor execute exploit                              3
Dameware remote buffer overflow                                2

Mydoom port listener

• Using the backdoor and keeping it (same group) (Mydoom.E, .F, Doomjuice.A, .B)
• Using the backdoor and removing it (Nachi.H, Doomhunter)
• Using the backdoor (Vesser, Agobot variants)
• Not using the backdoor, but seeded via the backdoor (downloader Agent, Apher, Rscrt; Spybots)
• Not using the backdoor, but removing it (Netsky variants)

VirusBuster Mydoom trap - 2004

Worm.Doomjuice.A    25%
Worm.Doomjuice.B    16%
Worm.Agobot.NI       8%
Worm.Vesser.B        5%
Worm.Agobot.LU       4%
Worm.Agobot.WA       3%
Worm.Agobot.WY       3%
Worm.Rbot.DP         3%
Other (64)          33%

VirusBuster Mydoom trap - 2005

Worm.Doomjuice.A    42%
Worm.Doomjuice.B    26%
Worm.Vesser.B        7%
Worm.Agobot.ZT       5%
Worm.Gobot.H1        4%
Worm.Agobot.Gen.7    2%
Worm.Gobot.C         2%
Worm.Gobot.E         1%
Other (11)          11%

E-mail traps

• Seeded addresses
• Attachment filtering
• Attachment filtering + spam filter
• Attachment filtering + RPD that support file sharing

SMB traps

• Captures worms spreading via open network shares
• Create open shares and/or shares with weak username/password combinations
• Implementation on every OS that supports file sharing

+ Easy to implement on non-vulnerable platforms
+ Easy maintenance

- Damaged samples
- Reinfection loops
- Depends on ISP settings

2004                           2005
Worm.Opaserv.AI      19.24%    Worm.Agobot.ALF      23.36%
Worm.Opaserv.AF       8.53%    Worm.Agobot.ALB       4.33%
Win95.Dupator.1503    7.76%    Worm.IRCBot.CM        2.89%
Worm.Opaserv.AA       6.29%    Worm.DR.SdBot.AWM     2.36%
Worm.Opaserv.O        5.81%    Worm.Agobot.Gen.7     2.23%
Worm.Opaserv.D        5.47%    DDoS.Boxed.AQ.Gen     2.23%
Worm.Opaserv.AK       5.17%    Worm.DR.SdBot.AZD     2.10%
Worm.Opaserv.I        4.96%    Worm.SdBot.AYP        1.84%
Worm.Opaserv.AH       4.32%    Worm.DR.SdBot.BCI     1.57%
Worm.Opaserv.F        4.10%    Worm.DR.SdBot.BAS     1.44%
Other                26.88%    Other                55.64%
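
The collection side of an SMB trap, as an added example (not code from the talk): a sweep that takes files out of the bait share into a quarantine directory, addressing the two drawbacks listed above. Files modified within the last few seconds are left alone so a binary still being written over the share is not collected as a damaged sample, and files are moved rather than copied so the share stays empty and the dropped sample is not served back out to the next worm that connects (the reinfection loop). Paths, the settle time and the sample contents are assumptions.

```python
import hashlib
import shutil
import time
from pathlib import Path


def sweep_share(share, quarantine, seen, settle=2.0, now=None):
    """Collect settled files from a bait share and move them out of it.

    share      -- directory exported as the open / weak-password share
    quarantine -- collection directory; must NOT itself be reachable via the share
    seen       -- dict sha1 -> {"name", "first_seen", "hits"}, updated in place
    settle     -- seconds a file must be unmodified before it is taken, so a
                  file still being written over SMB is not collected half-done
    now        -- clock override for testing (assumption: defaults to time.time())
    Returns (new_digests, repeat_digests)."""
    share, quarantine = Path(share), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    now = time.time() if now is None else now
    new, repeats = [], []
    # Materialise the listing first: we move files while iterating.
    for path in sorted(p for p in share.rglob("*") if p.is_file()):
        if now - path.stat().st_mtime < settle:
            continue                              # still being written: skip for now
        digest = hashlib.sha1(path.read_bytes()).hexdigest()
        if digest in seen:
            # A worm that re-finds the share re-drops the same file; count and drop it.
            seen[digest]["hits"] += 1
            repeats.append(digest)
            path.unlink()
        else:
            # Moving (not copying) empties the share, so the sample is never
            # offered back to the next connecting worm.
            shutil.move(str(path), str(quarantine / f"{digest}.bin"))
            seen[digest] = {"name": path.name, "first_seen": now, "hits": 1}
            new.append(digest)
    return new, repeats


def run(share, quarantine, interval=5.0):
    """Poll loop for a live trap; Ctrl-C to stop."""
    seen = {}
    while True:
        new, repeats = sweep_share(share, quarantine, seen)
        for d in new:
            print(f"new sample {d} ({seen[d]['name']})")
        if repeats:
            print(f"{len(repeats)} repeat drop(s)")
        time.sleep(interval)


if __name__ == "__main__":
    import os
    import tempfile
    # Offline demo with constructed files: one settled, one still "being written".
    root = Path(tempfile.mkdtemp())
    (root / "share").mkdir()
    (root / "share" / "setup.exe").write_bytes(b"MZ constructed sample")
    old = time.time() - 60
    os.utime(root / "share" / "setup.exe", (old, old))
    (root / "share" / "part.exe").write_bytes(b"still writing")
    seen = {}
    print(sweep_share(root / "share", root / "quarantine", seen))
    print(seen)
```

The share itself should carry nothing but bait; anything that appears in it is by definition something a remote host wrote, and the hit counter on repeated digests is what turns the reinfection-loop nuisance into a usable signal of how actively a given worm is scanning the trap's network.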

Location matters

• Identical traps on different ISPs show very different results
• Different filtering rules
• Local spreading preference for most worms

Trap 1 Trap 2

Worm.Opaserv.AI 278 Worm.SdBot.FV 62

Worm.Opaserv.D 127 Win32.Xorala 22

Worm.Opaserv.AH 110 Worm.SdBot.Gen.1 7

Win95.Dupator.1503 109 Worm.SdBot.Gen.2 7

Worm.Opaserv.AA 101 Worm.SdBot.FS 4

Worm.Opaserv.AF 100 TrojanProxy.Small.B 2

Worm.Opaserv.AG 98 BAT.Killav.V 2

Worm.Opaserv.O 69 Worm.SdBot.EL 2

Worm.Opaserv.I 67 Worm.SdBot.FP 2

Worm.Opaserv.F 53 Worm.SdBot.GR 2

Worm.Opaserv.Z 28 Worm.P2P.Spybot.Gen.2 1

Worm.Protoride.A 24 W32.Elkern.C 1

Worm.Win32.Randex.Gen 24 Worm.Win32.Randex.Gen 1

Worm.SdBot.EE 23 Worm.SdBot.FC 1

Win95.Spaces.1445.B 22 Worm.IRCBot.M 1

Win32.Funlove.4070 21 Worm.IRCBot.N 1

Worm.Opaserv.T 15 Worm.SdBot.FR 1

Worm.Opaserv.B 11 Worm.SdBot.GQ 1

Worm.Opaserv.E 10 Worm.Spybot.EO 1

Worm.SdBot.Gen.1 9 Worm.SdBot.EY 1

Native traps

• Default install without patches
• Carefully designed (DMZ)
• Security measures to stop spreading

+ Shows exactly what is affecting the user population
+ Get downloaded and dropped components properly

- Need to be careful in design not to get infective
- Collects malware specific to the installed OS / patch state

2005.08                                    2005.09
Trojan.Poebot.B                   8.73%    Trojan.Poebot.B                   16.09%
Trojan.Downloader.Dyfuca.Ei       3.87%    Trojan.Poebot.D                    8.91%
Trojan.Lowzones.Hp.S02            3.85%    Trojan.Small.Hp                    7.12%
Trojan.Downloader.Agent.Tv        3.74%    Adware.Elitetoolbar.A16            5.28%
Adware.180search.A31              3.26%    Adware.Elitetoolbar.A04.Etb.B2     5.15%
Trojan.Downloader.Istbar.Gen      3.18%    Trojan.Rbot.Gen                    4.75%
Trojan.Dubar                      3.05%    Trojan.Small.Hp.A16                4.16%
Trojan.Downloader.Agent.Fx        2.89%    Adware.Mediaticket.A16             4.16%
Adware.Mediagtw.A5                2.65%    Trojan.Small.Hp.A01                2.18%
Trojan.Roundstid.Hp               2.55%    Trojan.Hwclk                       1.65%
Trojan.Downloader.Small.Asf       2.55%    Adware.Betterinternet.A1           1.65%
Trojan.Nail.B5                    2.28%    Trojan.Nanspy.E                    1.58%
Adware.Mediagtw.A1                2.20%    Trojan.Rbot.J18                    1.45%
Adware.Mediaticket.S05            2.07%    Worm.Gaobot.Gen                    1.32%
Trojan.Downloader.Small.Gr        2.04%    Trojan.Rbot                        1.19%
Trojan.Poebot.D                   1.96%    Adware.Elitetoolbar.A01.A2         1.12%
Trojan.Downloader.Vb.Jl           1.96%    Adware.Elitetoolbar.A01.A1         1.12%
Adware.Elitetoolbar.S02           1.96%    Adware.Clientax.A16                1.12%
Trojan.Rbot.Hp                    1.94%    Trojan.Rbot.Hp.A02                 1.06%
Adware.Bargainbuddy               1.80%    Adware.Toolbar.Elitebar.Am         1.06%
Other                            41.44%    Other                             27.90%

Protocol emulators

• Emulate common vulnerabilities
• Parse shell codes
• Implemented on different platforms
  • Windows: WormRadar, HBPot, Multipot
  • Linux: MWCollect, Nepenthes

+ Safe to use - no danger of getting infective
+ Emulates many OS versions at once

- Needs to be updated for new vulnerabilities/shell codes
- Captures may be truncated

Worm.RBot.BTW          8.33%
Worm.RBot.BYE          8.05%
Trojan.DR.Juntador.N   7.26%
Worm.Codbot.Y          5.72%
Worm.RBot.BWY          4.84%
Worm.RBot.BZQ          4.56%
Worm.RBot.BXS          4.51%
Worm.RBot.BWL          3.96%
Worm.RBot.BYD          3.58%
Worm.RBot.BZV          2.93%
Trojan.DR.Juntador.M   2.79%
Worm.RBot.BXR          2.70%
Worm.RBot.CCC          2.23%
Worm.RBot.BZM          2.23%
Trojan.DR.Juntador.D   2.14%
Other                 34.16%

In a selected 37-hour period: 6699 attempts, 3057 of them successful, 73 different malware samples.

It takes about 1.3 minutes for an average user to get infected.
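
The "parse shell codes" step of an emulator, as an added example (not code from the talk or from any of the tools named above): the analysis part that matters to a trap is recovering the download location from the captured payload so the binary can be fetched and the URL tracked. This extractor finds clear-text URLs and URLs hidden behind a single-byte XOR, the simplest encoding seen in download shellcode, by trying all 256 keys. The payload bytes below are constructed for the demo and are not a real capture.

```python
import re

# A download URL as it appears in a captured payload: scheme, then printable
# characters up to the NUL (or other non-printable byte) that terminates it.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]{4,}")


def xor_bytes(data, key):
    """Apply a single-byte XOR to the whole buffer."""
    return bytes(b ^ key for b in data)


def extract_urls(payload):
    """Return a list of (xor_key, url) found in the payload.

    key 0 means the URL was in clear; any other key means the URL only appears
    after undoing a single-byte XOR with that key. Trying every key is cheap for
    the few KB a port listener or emulator captures per connection, and the
    NUL terminator (which decodes to 0x00 only under the right key) keeps the
    match from running past the end of the string."""
    found = []
    for key in range(256):
        view = xor_bytes(payload, key) if key else payload
        for m in URL_RE.finditer(view):
            hit = (key, m.group().decode("ascii"))
            if hit not in found:
                found.append(hit)
    return found


# Constructed sample (not a real capture): filler bytes, a clear-text URL,
# then a second URL stored XOR 0x99 together with its terminating NUL.
SAMPLE = (
    b"\x90" * 16
    + b"http://example.invalid/update.exe\x00"
    + xor_bytes(b"ftp://198.51.100.7/a.exe\x00", 0x99)
    + b"\xcc" * 8
)

if __name__ == "__main__":
    for key, url in extract_urls(SAMPLE):
        print(f"key=0x{key:02x} {url}")
```

Anything this returns is an indicator to feed to the URL trap and to block outbound, not something to fetch from the sensor itself; a single-byte XOR is only the first rung, and payloads that use multi-byte keys or a real decoder loop still need the emulator to be updated, which is exactly the maintenance cost the slide lists.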

URL traps

• Monitor known download sites
• Keep track of the new variants
• Source:
  • URLs obtained from malware analysis
  • URLs extracted from mass-distributed e-mails
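
A URL trap in the sense of the slide, as an added example (not code from the talk): it re-fetches each known download location and keeps every distinct file hash seen there, so a repacked or recompiled variant shows up as a new hash at an old URL the moment it is published. The fetcher is injected so the tracking logic can be exercised offline; the URL and file contents in the demo are constructed, and the timeout and size cap in http_fetch are assumed defaults.

```python
import hashlib
import time
import urllib.request


class UrlTrap:
    """Polls known malware download URLs and records every distinct file
    seen at each one. A new hash at an old URL is a new variant."""

    def __init__(self, fetch):
        self.fetch = fetch      # callable(url) -> bytes, or None when unreachable
        self.history = {}       # url -> list of {"sha256", "size", "first_seen"}

    def watch(self, url):
        """Add a URL obtained from analysis or from a mass-mailed lure."""
        self.history.setdefault(url, [])

    def poll(self, now=None):
        """Fetch every watched URL once; return [(url, sha256)] for files
        not seen at that URL before. 'now' is a clock override for testing."""
        now = time.time() if now is None else now
        new = []
        for url, seen in self.history.items():
            body = self.fetch(url)
            if body is None:                       # host down or file removed:
                continue                           # keep history, nothing new
            digest = hashlib.sha256(body).hexdigest()
            if all(entry["sha256"] != digest for entry in seen):
                seen.append({"sha256": digest, "size": len(body), "first_seen": now})
                new.append((url, digest))
        return new

    def variants(self, url):
        """All hashes ever served at this URL, oldest first."""
        return [e["sha256"] for e in self.history.get(url, [])]


def http_fetch(url, timeout=20, max_bytes=20 * 1024 * 1024):
    """Real fetcher with assumed defaults: caps the download and turns any
    error into 'unreachable' so one dead host does not abort the sweep."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(max_bytes)
    except Exception:
        return None


if __name__ == "__main__":
    # Offline demo: a constructed fetcher whose content changes on the third poll
    # and then disappears.
    versions = {"http://example.invalid/x.exe": [b"MZ v1", b"MZ v1", b"MZ v2"]}
    fake = lambda url: versions[url].pop(0) if versions.get(url) else None
    trap = UrlTrap(fake)
    trap.watch("http://example.invalid/x.exe")
    for round_ in range(4):
        print(round_, trap.poll(now=round_))
    print(trap.variants("http://example.invalid/x.exe"))
```

Polling should come from a host that is expected to look like a victim (the download site may serve different content, or nothing, to addresses it does not like), and a disappearing file is worth logging too: history is kept on purpose, so a URL that comes back later with the same hash is not reported as new.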

Other places to monitor

• IRC channels
• P2P networks
• Usenet
• Self-spreading malware
• Seeding
• Botnet commands

Questions?