Internet Worms: History, Propagation Modeling, and Analysis
Michael E. Locasto CPSC 526
University of Calgary
Agenda
Announcements: no class on Thursday (Oct 15); HW1 graded
Worm history; types of worms; worm propagation modeling
See links on the wiki for today - read the SQL Slammer paper
1/14/15 2 locasto uofc cpsc526
Learning Objectives
An understanding of the elements of a network worm and the history of the topic
Some insight into how the spread of worms can be monitored (e.g., CAIDA, UCSD network telescope)
An overview of how worm propagation behaves and worm impact on the Internet
Reminder: “Network” Security
Networks aren’t wires; they are groups of hosts that have managed to convince each other that the same approximate shared state is true
Network security isn’t just about confidentiality and integrity of conversations, but also the availability and control of the infrastructure itself
Internet end-to-end semantics requires that computers are connected and run a multitude of buggy software
Top-Down Approach to the Topic
Internet Worms
  History: Morris Worm, Code Red, …, SQL Slammer
  Technical Details
    Propagation
    Malware Aspects: Botnets, Malware Analysis Techniques
What is a Worm?
The working definition we’ll use:
A piece of malicious code (malware) that spreads from host to host on the network, typically through the exploitation of a vulnerability (i.e., a weakness, coding error, or mistake) in a network service on those hosts
Other subtle or secondary characteristics have more to do with the exploit or with the payload
The key characteristic is the unsupervised, semi-supervised, or automatic scanning and spreading
What Kinds of Problems do Worms Cause?
Software has vulnerabilities
Control of hosts
- use of CPU, bandwidth, storage
Worm traffic can overload/overwhelm network infrastructure
- at the edge
- at the core (interesting emergent property)
Threat (“10K ft. view”)
Worms most directly threaten availability of network services and bandwidth
Indirectly threaten control of integrity and confidentiality (varies with payload)
HISTORY
Morris Worm
Nov 2, 1988
Classic stack-based buffer overflow exploit in fingerd and a DEBUG ‘backdoor’ in sendmail
Impact of Morris Worm: Big
rethink r-tools & “trusted” hosts
password cracking countermeasures
Significant impact from uncontrolled propagation (servers computationally overwhelmed)
Formation of US CERT
Discussion of keeping worm code secret
Some discussion about terminology (worm vs. virus)
Code Red, Code Red 2
Code
Code Samples (incomplete)
Properties
Targets Microsoft IIS (web server)
~359,000 infected hosts
After a while, it is noise (a good way to disguise a scan attempt)
Some Worms (in Context)
Morris (1988): first
Code Red 1 and 2 (2000): large spread, MS IIS
Lion (2001): Linux
NIMDA (2001): email
Sasser (2004): lsass.exe
Witty (2004): security product; BlackICE fw
SQL Slammer / Sapphire (2003): fast, MS SQL Server
Windows XP SP2 puts a major crimp in worm propagation; packet filter on by default
WORM PROPAGATION ANALYSIS
How do worms spread? (How do they perform target selection?)
Motivation
Internet great medium for spreading malicious code
– Code Red & Co. renew interest in worm studies; can we detect & block “typical” worm traffic based on spreading characteristics (if not content)?
Issues:
– How to explain worm propagation curves?
– What factors affect spreading behavior?
– Can we generate a more accurate model?
Worm scanning preferences, RNG, hitlists
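Added example (not from the slides): one way to act on the "spreading characteristics, not content" idea above, flagging any source that reaches many distinct destinations on a single service port within a short window. The flow records are constructed (documentation address ranges), and the window length and threshold are assumed values a defender would tune per network.

```python
"""Rate-based worm scan detection over flow records (constructed sample data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, str, int]   # (seconds, src, dst, proto, dport)


def build_sample_flows() -> List[Flow]:
    """Constructed flows: one scanning host plus two benign hosts."""
    flows: List[Flow] = []
    # Worm-like: 12 probes to 12 different addresses on udp/1434 within 0.6 s
    for i in range(12):
        flows.append((0.05 * i, "10.0.0.5", f"198.51.100.{7 * i}", "udp", 1434))
    # Benign: a client talking to its two database servers over 7.5 s
    for i in range(6):
        flows.append((1.5 * i, "10.0.0.7", ["10.0.2.10", "10.0.2.11"][i % 2], "udp", 1434))
    # Benign: a browser with many flows, but to only three web servers
    for i in range(30):
        flows.append((0.1 * i, "10.0.0.9", f"203.0.113.{i % 3}", "tcp", 443))
    return flows


def scan_suspects(flows: List[Flow], window: float = 1.0,
                  threshold: int = 8) -> Dict[Tuple[str, str, int], int]:
    """Return {(src, proto, dport): peak distinct destinations in any window}
    for sources whose peak reaches the threshold. Looks only at who talks to
    whom, so it works for a worm whose payload is unknown or encrypted."""
    # (src, proto, dport, window index) -> set of destinations seen there
    seen: Dict[Tuple[str, str, int, int], set] = defaultdict(set)
    for t, src, dst, proto, dport in flows:
        seen[(src, proto, dport, int(t // window))].add(dst)
    peak: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for (src, proto, dport, _), dsts in seen.items():
        key = (src, proto, dport)
        peak[key] = max(peak[key], len(dsts))
    return {k: v for k, v in peak.items() if v >= threshold}


if __name__ == "__main__":
    for (src, proto, dport), n in scan_suspects(build_sample_flows()).items():
        print(f"{src} reached {n} distinct hosts on {proto}/{dport} in one window")
```

Only the host fanning out on udp/1434 is reported; the browser produces more flows in total but to only three destinations, which is the distinction a content-blind filter at the edge can use.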
ACM CCS 2002, Zou et al.
Two-factor propagation analysis
Two-Factor Worm Model
Two major factors affect worm spread:
– dynamic human countermeasures
  • anti-virus software cleaning
  • patching
  • firewall updates
  • disconnect/shutdown
– interference due to aggressive scanning
Thus, the rate of infection (β) is not constant
Two-Factor Worm Model (cont)
Restrictions:
consider only “continuously activated” worms
consider worms that propagate without respect to topology
Infection Statistics
Classic Simple Epidemic Model
Classic simple epidemic model, k = 1.8, k = βN
a(t) = J(t) / N (fraction of population infected)
Wrong! (compare to previous slide)
Simple Epidemic Model Math
Variables
– Infected hosts (had virus at some point) = J(t)
– population size = N
– infection rate = β(t)
dJ(t)/dt = βJ(t)[N - J(t)]
Two-factor Model Math
dI(t)/dt = β(t)[N - R(t) - I(t) - Q(t)]I(t) - dR(t)/dt
– S(t) = susceptible hosts
– I(t) = infectious hosts
– R(t) = removed hosts from I population
– Q(t) = removed hosts from S population
– J(t) = I(t) + R(t)
– C(t) = R(t) + Q(t)
– N = population (I+R+Q+S)
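Added example (not from the slides, and not the code of Zou et al.): a forward-Euler integration of both models above, showing why the simple model drives J(t) to N while removals and a decreasing β(t) leave part of the population uninfected and bring I(t) back down. The removal terms dR/dt and dQ/dt, the form of β(t), and all parameter values are assumptions, labelled in the code.

```python
"""Forward-Euler integration of the simple epidemic and two-factor worm models."""
from typing import Dict, List


def simple_epidemic(N: int, k: float, hours: float, dt: float = 0.01) -> List[float]:
    """Classic model dJ/dt = beta*J*(N - J) with k = beta*N (per hour).
    Returns a(t) = J(t)/N sampled every dt hours, starting from one infected host."""
    beta = k / N
    J, frac = 1.0, []
    for _ in range(int(hours / dt)):
        J += dt * beta * J * (N - J)
        frac.append(J / N)
    return frac


def two_factor(N: int, beta0: float, gamma: float, mu: float, eta: float,
               hours: float, dt: float = 0.01) -> Dict[str, List[float]]:
    """Two-factor model dI/dt = beta(t)*[N - R - I - Q]*I - dR/dt.
    The slides do not spell out the removal terms or beta(t); the forms used
    here are assumptions that follow Zou et al. (CCS 2002):
      dR/dt = gamma*I                 human countermeasures removing infected hosts
      dQ/dt = mu*S*J, J = I + R       patching/filtering of still-susceptible hosts
      beta(t) = beta0*(1 - I/N)**eta  slowdown from self-interfering scans"""
    I, R, Q = 1.0, 0.0, 0.0
    hist: Dict[str, List[float]] = {"I": [], "J": [], "Q": []}
    for _ in range(int(hours / dt)):
        S = N - I - R - Q
        J = I + R
        beta = beta0 * (1.0 - I / N) ** eta
        dR, dQ = gamma * I, mu * S * J
        dI = beta * S * I - dR
        I, R, Q = I + dt * dI, R + dt * dR, Q + dt * dQ
        hist["I"].append(I / N)
        hist["J"].append((I + R) / N)
        hist["Q"].append(Q / N)
    return hist


def compare(N: int = 360_000, hours: float = 24.0) -> Dict[str, float]:
    """Summary of both models over `hours`; parameter values are illustrative."""
    simple = simple_epidemic(N, k=1.8, hours=hours)
    tf = two_factor(N, beta0=1.8 / N, gamma=0.1, mu=0.06 / N, eta=3.0, hours=hours)
    return {
        "simple_final_a": simple[-1],   # -> essentially 1.0: every host infected
        "tf_final_J": tf["J"][-1],      # < 1.0: some hosts patched before infection
        "tf_peak_I": max(tf["I"]),
        "tf_final_I": tf["I"][-1],      # < peak: infected hosts get cleaned up
    }
```

With γ = 0 and μ = 0 and η = 0 the two-factor loop reduces to the simple model, which is a quick way to check that the extra terms, not a coding difference, produce the drop-off.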
Two-Factor Fit
Take removed hosts from both S and I populations into account
Non-constant infection rate (decreases)
Fits well with observed data
Results
Two-factor worm model
– accurate model without topology constraints
– explains exponential start & end drop-off
– identifies 2 critical factors in worm propagation
Only 60% of Code Red targets infected
Thought Experiment: Can We Make “Better” Worms?
Focus of the paper “How to 0wn the Internet in Your Spare Time”
Introduces the concept of a “Warhol Worm” that infects the entire Internet in 15 minutes
A short time later (late January 2003), in reality, SQL Slammer does better than that (10 minutes)
SQL Slammer / Sapphire
Aimed at MS SQL Server machines (port 1434)
A single 404 byte UDP packet was sufficient for infection; 10 minutes to infect the susceptible population
Slammer Propagation Compared to Two-Factor Code Red Analysis
Spreading aggressively enough to interfere with its own propagation (>30 mins)
No malicious payload
Ideal to filter (block port)
Infected about 75,000 hosts
Slammer Emergent Behavior
There are/were relatively few MS SQL Server instances on the Internet
So why did the Internet exhibit instability?
The worm scanning was aggressive enough to probe a lot of the IPv4 space in a very short amount of time; this probing caused additional near-simultaneous route lookups; core routing tables overflowed and some routers restarted as a failsafe
Related Topics
• White worms
• Botnets
– botnet investigations & takeovers
– c&c
– botnet analysis
– fast-flux/DNS
• Dark Application Communities [NSPW 2006]