
Active Worm and Its Defense 1

Active Worm and Its Defense




CSE651: Network Security
Active Worm and Its Defense 2
Worm vs. Virus
Worm
A program that propagates itself over a
network, reproducing itself as it goes
Virus
A program that searches out other programs
and infects them by embedding a copy of itself
in them
Active Worm and Its Defense 3
Active Worm VS [D]DoS
DDoS stands for Distributed Denial of
Service attacks
Propagation method
Goal: congestion, resource appropriation
Rate of distribution
Scope of infection
Active Worm and Its Defense 4
History
http://snowplow.org/tom/worm/history.html
Morris Worm, first worm virus, released on
November 2, 1988 by Robert Tappan Morris who
was then a 23 year old doctoral student at Cornell
University
Code-Red worm in July 2001 infected more than
350,000 Microsoft IIS servers. The attack
finished in 14 hours
Slammer worm in January 2003 that infected
nearly 75,000 Microsoft SQL servers. Attack
finished in less than one hour
MyDoom worm in February 2004 infected a large number of
hosts, which automatically and successfully DDoS-attacked
a few popular websites
Active Worm and Its Defense 5
The Morris Worm of 1988
First worm program
Released by Robert T Morris of Cornell University
Affected DEC's VAX and Sun Microsystems' Sun 3 systems
Spread
~6000 victims, i.e., 5-10% of hosts at that time
more machines disconnected from the net to avoid infection
Cost
Some estimate: $98 million
Other reports: <$1 million
Triggered the creation of CERT (Computer Emergency
Response Team)
Active Worm and Its Defense 6
Recent Worms
July 13, 2001, Code Red V1
July 19, 2001, Code Red V2
Aug. 04, 2001, Code Red II
Sep. 18, 2001, Nimda

Jan. 25, 2003, SQL Slammer
More recent
SoBigF, MSBlast
Active Worm and Its Defense 7
How an Active Worm Spreads
Autonomous
No need of human interaction
Diagram: infected machine -> scan, probe, transfer copy -> target machine
Active Worm and Its Defense 8
Basic Propagation Method
Network Worm: Uses port scanning to find
vulnerabilities of the targets

Application Worm: Propagates through
email, Instant Messaging, file sharing on
operating systems, P2P file sharing
systems, or other applications

Hybrid Worm
Active Worm and Its Defense 9
Delivery Method
How worm code is delivered to vulnerable hosts

Self-contained Self-propagation: Each newly
infected host becomes the new source and
sends worm code to other hosts infected by it

Embedded: Embedded with infected files, such
as emails, shared files

Second Channel: The newly infected host uses a
second channel such as TFTP (Trivial File
Transfer Protocol) to download the worm code
from a central source
Active Worm and Its Defense 10
Scanning Strategy (1)
Random scanning
Probes random addresses in the IP address space (CRv2)
Selective random scanning
A set of addresses that more likely belong to existing
machines can be selected as the target address space.
Hitlist scanning
Probes addresses from an externally supplied list
Topological scanning
Uses information on the compromised host (Email worms)
Local subnet scanning
Preferentially scans targets that reside on the same
subnet. (Code Red II & Nimda Worm)
Active Worm and Its Defense 11
Scanning Strategy (2)
Routable scanning
Choose routable IP addresses as the target of scan
DNS scanning
Choose hosts with DNS name as the target of scan
Permutation scanning
Each newly infected host gets a different IP address block
Active Worm and Its Defense 12
Synchronization between Infected
Hosts (or Worm Instances)

Asynchronous
Each infected host behaves individually,
without synchronization with other infected
hosts
Synchronized
Infected hosts are synchronized with each other
by a central server, etc.
Active Worm and Its Defense 13
Propagation Activity Control

Non-stopping
Keep port scanning and never stop
Time Control
Preset a stopping timer and a restart timer, and use those
timers to control the port scan activities
Self-Adjustment
Self-control according to the environment (Atak worm)
or to an estimate of the number of infected hosts (Self-Stop worm)
Centralized Control
Controlled by the attacker
Active Worm and Its Defense 14
Scan Rate

Constant Scan Rate
Each infected host keeps a constant scan rate which is
limited by the computation ability and outgoing
bandwidth of the host.
Random Varying Scan Rate
Randomly change the scan rate.
Smart Varying Scan Rate
Change the scan rate according to a rule derived
from the attack policy and the environment.
Controlled Varying Scan Rate
Change the scan rate according to the attacker's
control command.
Active Worm and Its Defense 15
Modularity

Non-Modular
Modular
Use modular design in the worm code, so that
new attack modules can be sent to the
infected hosts and plugged in after the
infection.
Active Worm and Its Defense 16
Organization
Decentralized
There is no organization or cooperation among
infected hosts, and there is no communication
between the infected hosts and the attacker.
Centralized Organization
Organized by Internet Relay Chat (IRC) or
other methods like botnets do, so that the
attacker can control the infected hosts.
Active Worm and Its Defense 17
Payload carried with the worm code
Spamming
Code capable of carrying out spamming.
DDoS Attack
Code capable of carrying out DDoS attacks.
Sniffing
Code capable of watching for interesting clear-text
data passing by the infected hosts.
Spyware
Spyware code.
Keylogging
Code capable of recording and retrieving the
passwords typed on the infected hosts.
Data Theft
Code capable of stealing private data.
Active Worm and Its Defense 18
Techniques for Exploiting
Vulnerability
fingerd (buffer overflow)
sendmail (bug in the debug mode)
rsh/rexec (guess weak passwords)

Active Worm and Its Defense 19
Active Worm Defense

Modeling
Infection Mitigation
Active Worm and Its Defense 20
Worm Behavior Modeling (1)
Propagation model

$\frac{di(t)}{dt} = r \frac{V}{N}\, i(t)\,(1 - i(t))$

V is the total number of vulnerable nodes
N is the size of the address space
i(t) is the percentage of infected nodes among V
r is the scan rate of the worm

$V\, di(t) = \big(r\, i(t)\, V\, dt\big) \cdot \big((1 - i(t))\, V / N\big)$
Active Worm and Its Defense 21
Worm Behavior Modeling (2)
Propagation model


M(i): the number of overall infected hosts at time i
N(i): the number of un-infected vulnerable hosts at time i
E(i): the number of newly infected hosts from time tick i to time i+1.
T: the total number of IP addresses, i.e., 2^32 for IPv4.
N(0): the number of vulnerable hosts on the Internet before the
worm attack starts.
E(0) = 0, M(0) = M_0.
Active Worm and Its Defense 22
Modeling P2P-based
Active Worm Attacks
Basic worm attack strategies
Pure Random-based Scan (PRS)
Randomly select the attack victim
Adopted by Code-Red-I and Slammer
P2P based attack strategies
Offline P2P-based Hit-list Scan (OPHLS)
Online P2P-based Scan (OPS)
Both strategies exploit P2P system
features
Active Worm and Its Defense 23
Background: P2P Systems
Host-based overlay system
Structured and unstructured
Rich connectivity
Very popular
3,467,860 users in the FastTrack P2P system;
1,420,399 users in the eDonkey P2P system;
1,155,953 users in the iMesh P2P system;
103,466 users in the Gnutella P2P system.


Active Worm and Its Defense 24
Two P2P-based Worm
Attack Strategies
Offline P2P-based Hit-list Scan
(OPHLS)
Collect P2P host addresses offline as a hit-list
Attack the hit-list first
Attack the Internet via PRS

Online P2P-based Scan (OPS)
Use runtime P2P neighbor information
Attack P2P neighbors
Extra attack resources are applied to attack the Internet
via PRS

Active Worm and Its Defense 25
Online-based P2P Worm
Attack Strategy
Active Worm and Its Defense 26
Performance Comparison of
Attack Strategies
Chart: Attack Performance vs. Scan Approaches (x-axis: Time, 45-75; y-axis: Infection Ratio, 0-1; series: PRS, OPHLS, OPSS)
The P2P-based attack strategies overall outperform the PRS attack strategy
The OPHLS attack strategy achieves the best performance compared to all other
online-based attack strategies
Active Worm and Its Defense 27
Sensitivity of Attack to P2P
System Size
Chart: The Sensitivity of P2P System Size (x-axis: Time, 45-70; y-axis: Infection Ratio, 0-1; series: PRS, OPSS(1000), OPSS(5000), OPSS(10000), OPUS(1000), OPUS(5000), OPUS(10000))
As the P2P system size increases, the attack performance becomes
consistently better for all attack strategies
Active Worm and Its Defense 28
Detection
Host-based detection
Network-based detection
Detecting large scale worm propagation
Global distributed traffic monitoring
framework
Distributed monitors and data center
Worm port scanning and background port
scanning


Active Worm and Its Defense 29
Distributed Worm Monitoring
Systems
Active Worm and Its Defense 30
Detection Schemes
Worm behavior
Pure random scan
Each worm instance takes part in the attack all the time
Constant scan rate
Overall port scanning traffic volume implies the number
of worm instances (infected hosts).
Total number of worm instances and overall port scanning
traffic volume increase exponentially during worm
propagation.

Count-based and trend-based detection schemes
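The propagation model from slide 20 and the count-based and trend-based detection schemes from slide 30, worked through in Python as an added example (not part of the course slides): the logistic solution of di/dt = (rV/N) i (1 - i), an Euler check of the host-count form, and a monitor whose per-tick scan counts grow exponentially with the number of worm instances. The Code-Red-like parameters, the /16 monitor and the 20 scans/min background are assumptions made here.

```python
import math

def new_infections(infected, r, V, N, dt):
    """Slide 20's second equation in host counts: in dt the infected hosts send
    r*infected*dt scans; a scan hits a still-vulnerable host with prob. (V-infected)/N."""
    return r * infected * dt * (V - infected) / N

def infected_fraction(t, r, V, N, i0):
    """Closed form of di/dt = (r*V/N)*i*(1-i), i(0)=i0: the logistic curve
    i(t) = i0*e^(kt) / (1 - i0 + i0*e^(kt)) with k = r*V/N."""
    e = math.exp(r * V / N * t)
    return i0 * e / (1.0 - i0 + i0 * e)

def simulate_fraction(t_end, r, V, N, i0, dt):
    """Forward-Euler integration of new_infections(); returns i(t_end)."""
    infected = i0 * V
    for _ in range(round(t_end / dt)):
        infected += new_infections(infected, r, V, N, dt)
    return infected / V

def monitored_scans(r, V, N, i0, monitor_frac, background, ticks):
    """Scans per tick at a monitor owning monitor_frac of the address space: the
    r*V*i(t) worm scans land there with prob. monitor_frac, plus constant background."""
    return [background + r * V * infected_fraction(t, r, V, N, i0) * monitor_frac
            for t in range(ticks)]

def count_based_alert(series, threshold):
    """Count-based scheme: first tick whose count exceeds threshold, else None."""
    return next((t for t, c in enumerate(series) if c > threshold), None)

def trend_based_alert(series, min_growth, consecutive):
    """Trend-based scheme: first tick at which the growth rate log(c_t / c_(t-1))
    has stayed >= min_growth for `consecutive` ticks (exponential growth)."""
    streak = 0
    for t in range(1, len(series)):
        growth = math.log(series[t] / series[t - 1]) if series[t - 1] > 0 else 0.0
        streak = streak + 1 if growth >= min_growth else 0
        if streak >= consecutive:
            return t
    return None

# Constructed Code-Red-like scenario (assumed parameters, not from the slides):
# 360,000 vulnerable IPv4 hosts, 358 scans/min per infected host, one initial
# infection; the monitor owns a /16 and sees 20 unrelated scans/min as background.
PARAMS = dict(r=358.0, V=360_000.0, N=2.0 ** 32, i0=1.0 / 360_000)

if __name__ == "__main__":
    s = monitored_scans(monitor_frac=65536 / 2 ** 32, background=20.0, ticks=600, **PARAMS)
    print("count-based alert at minute", count_based_alert(s, 100.0))
    print("trend-based alert at minute", trend_based_alert(s, 0.01, 5))
```

With these parameters the trend detector fires about an hour before a count threshold of five times the background does, because the worm's share of monitored traffic is still small when its growth rate becomes visible.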
Active Worm and Its Defense 31
Infection Mitigation

Patching
Filtering/intrusion detection (signature based)
DAW (Distributed Anti-Worm Architecture)
TCP/IP stack reimplementation, bound connection
requests
Active Worm and Its Defense 32
Goals of DAW
Impede worm progress, allow human
intervention
Detect worm-infected clients
Ensure congestion issues are minimized, with little
routing performance impact

Shigang Chen and Yong Tang. Slowing down
internet worms. In Proceedings of 24th
International Conference on Distributed
Computing Systems, March 2004.
Active Worm and Its Defense 33
DAW
Requirements
Distributed, sensors act independently
NIDS (rather than HIDS)
Limited responsibility, ensures availability of
nodes
Active Worm and Its Defense 34
DAW
Active Worm and Its Defense 35
Active Worm Detection in DAW
User behavior
Few failed connections (DNS)
Predictable traffic generation throughout the day
Relatively uniform intranet traffic distribution
Worm behavior
Sampling shows 99.96% failure in scan rate
Spikes in failure:request ratio
Traffic pattern disproportionately favors infected clients
Active Worm and Its Defense 36
Active Worm - Failures
TCP only, random scanning
ICMP Unreachable/TCP-RST response
99.96% failure 80/tcp
(failure-rate formula not recoverable from the extracted text; symbols present: s, f, r, V, N)
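The DAW failure-ratio signal (spikes in failure:request ratio for a source whose scans mostly draw TCP-RST or ICMP Unreachable replies) and the "bound connection requests" response, as an added example in Python; this is not DAW's own code from the Chen and Tang paper cited above. The connection records, the 0.9 threshold, the 50-request minimum and the function names are constructed here for illustration.

```python
from collections import defaultdict

FAILURES = {"rst", "unreach"}   # TCP-RST or ICMP Unreachable reply: the request failed

def lcg_addresses(seed, count):
    """Deterministic stand-in for a random-scanning host's target choice
    (constructed for the sample only)."""
    x, out = seed, []
    for _ in range(count):
        x = (1103515245 * x + 12345) % 2 ** 32
        out.append(".".join(str((x >> s) & 255) for s in (24, 16, 8, 0)))
    return out

# Constructed records (source, destination, reply) as one DAW sensor would log
# outbound 80/tcp connection requests. 10.0.0.5 is an ordinary client reaching
# real servers with a single miss; 10.0.0.9 scans randomly, so almost every
# request fails (the slides report 99.96% failure on 80/tcp for random scanning).
SAMPLE = (
    [("10.0.0.5", f"203.0.113.{n}", "syn_ack") for n in range(1, 41)]
    + [("10.0.0.5", "203.0.113.250", "unreach")]
    + [("10.0.0.9", dst, "syn_ack" if n == 137 else ("rst" if n % 3 else "unreach"))
       for n, dst in enumerate(lcg_addresses(7, 500))]
)

def failure_ratios(records):
    """Per-source (failure:request ratio, request count) over the records."""
    requests, failures = defaultdict(int), defaultdict(int)
    for src, _dst, reply in records:
        requests[src] += 1
        failures[src] += int(reply in FAILURES)
    return {s: (failures[s] / requests[s], requests[s]) for s in requests}

def flag_infected(records, threshold=0.9, min_requests=50):
    """Sources whose failure ratio has spiked past threshold; min_requests keeps
    a user's few DNS-style misses from tripping the sensor on a small sample."""
    return sorted(s for s, (ratio, n) in failure_ratios(records).items()
                  if n >= min_requests and ratio >= threshold)

def bound_requests(records, max_per_source):
    """DAW's 'bound connection requests' response: forward at most
    max_per_source requests per source in this window and drop the rest, so a
    scanning host is throttled while a normal client's traffic passes."""
    seen, forwarded, dropped = defaultdict(int), [], []
    for rec in records:
        seen[rec[0]] += 1
        (forwarded if seen[rec[0]] <= max_per_source else dropped).append(rec)
    return forwarded, dropped
```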
Active Worm and Its Defense 37
Summary
Worms can spread quickly:
359,000 hosts in < 14 hours
Home / small business hosts play significant role in
global internet health
No system administrator, so slow response
Can't estimate infected machines by # of unique IP
addresses
DHCP effect appears to be real and significant
Active Worm Defense
Modeling
Infection Mitigation
