
The Coming Age of Defensive Worms

David Meltzer [email protected]

CTO, Intrusec

Why?

“I don't know whether a good worm can be safe and effective, but this merits serious technical study.”

– Martha Stansell-Gamm (May 26, 2003) [1]

Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice

What Will You Learn?

The history of good worms

The problems with defensive worms

How defensive worm problems are solved

Possible evolutionary steps

The Question

Will anyone in charge of a large network ever willingly launch a worm

on their own network to protect it?

Worm Reality

A new exploit just came out.

You have 5,000 vulnerable systems.

The worm is coming.

What do you do?

The Worm Antidote

It fixes all the systems on your network.

It does it faster than the worm can spread.

It only ‘infects’ your own systems.

Do you run it?

Which Worm Do You Want?

What Will You Learn?

The history of good worms

The problems with defensive worms

How defensive worm problems are solved

Possible evolutionary steps

“Good Worms”

A Worm, BUT…

• A “beneficial” payload

BUT Still…

• Disruptive to networks

• Runs without permission

• Requires clean-up

• ILLEGAL

What Do “Good Worms” Do?

• Scan

• Listen

• Exploit

• Patch

• Disinfect

Timeline of “Good Worms”

1999 – 2003

• Millennium (8/99)

• Cheese (5/01)

• Code Green (9/01)

• CRClean (9/01)

Case Study: Millennium [2,3]

Discovered 8/15/99. Written by Mixter [4].

Multiple Linux Vulns: Scans, Patches, Backdoors

• Scans for systems vulnerable to 5 remote Linux holes

• Exploits remote system

• Patches 5 Linux vulns

• Installs a backdoor

• Sends notification of infection to a Hotmail address

• Installs itself on system

Case Study: Cheese [5]

Discovered 5/01. Unknown author.

Lion Worm Response: Scans, Disinfects

• Scans for systems infected by Lion

• Installs itself using backdoor left by Lion

• Removes Lion backdoor from system

Case Study: Code Green [6]

Code released 9/1/2001. Written by Der HexXer.

Code Red Response: Scans, Disinfects, Patches

• Scans for systems infected with CodeRed

• Exploits ISAPI vuln on infected systems

• Removes CodeRed from system

• Installs Q300972 Hotfix on system

• Installs itself on system

Case Study: CRClean [7]

Code released 9/1/2001. Written by Markus Kem.

Code Red Response: Listens, Disinfects, Patches

• Listens for CodeRed to attack it

• Exploits ISAPI vuln on CodeRed attackers

• Removes CodeRed from system

• Patches ISAPI vuln on system

• Installs itself on system

Industry Thinking on “Good Worms”

“Generally Not Well Regarded”

– eEye [8]

Industry Thinking on “Good Worms” - Continued

“The idea of a patch worm is a nice thought, but it is not a solution…”

– CERT [9]

Industry Thinking on “Good Worms” - Continued

“You cannot predict what’s going to happen. You don’t know what the impact is going to be if it’s altered. It’s never an alternative.”

– Trend Micro [10]

Industry Thinking on “Good Worms” - Continued

“-What about the traffic it takes up?

-What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day?

-How does your worm know when it's done?

-Maybe I don't want my box patched, the patch broke my app

-How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm?

-How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still *A* worm around on the 1st, which one is it?

-Do we really want an Internet-sized game of corewars?”

Industry Thinking on “Good Worms” - Continued

“Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's "The Diamond Age," not on production Internet servers.”

– Timothy Dyck [11]

Industry Thinking on “Good Worms” - Continued

“… Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control.

This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm…”

– eWeek [12]

/. Wisdom

“The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?”

“Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong”

“Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...”

“Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”

What Will You Learn?

The history of good worms

The problems with defensive worms

How defensive worm problems are solved

Possible evolutionary steps

Problems with Good Worms

No good worm to date has been remotely usable in a legal and effective manner.

Problem #1 - Legality

To run a worm legally, it must NEVER attempt to access unauthorized systems.

Extreme safeguards must be taken.

A software bug will land you in jail.

Problem #2 – Network Usage

Worms are extremely noisy, causing network slowdowns and denial of service as a side-effect of running.

Need to be network friendly.

Problem #3 – Cleaning Up

Worms spread, leaving a new mess to clean up in place of the old one.

A worm needs to know when its work is done and perform its own clean-up.

Problem #4 – Management

Worms are uncontrollable once “released”.

Need to be able to centrally manage the operation and results of the worm while it is running.

“Defensive Worms”

A Good Worm, BUT…

• NOT disruptive to networks

• ONLY runs with permission

• NO clean-up

• LEGAL

Usable defensive worms do not exist, yet.

What Will You Learn?

The history of good worms

The problems with defensive worms

How defensive worm problems are solved

Possible evolutionary steps

Solution #1 – Legality

Redundant Safeguards

Solution #1 – Legality

Restriction Models

Opt-Out

Passive

IP Ranges

Border Routers

DNS

Solution #1 – Legality

Lysine Deficiency [13]

Solution #1 – Legality

Lysine Deficiency

A built-in mechanism that causes a worm to die if it spreads beyond its intended set of targets.

“Reverse Lysine” = Opt-Out (CodeRed)

Solution #1 – Legality

Heartbeats

A central server is checked before each time a worm launches an attack.

If the server doesn’t return a heartbeat, the worm pauses its operation.

After a timeout period, if heartbeat hasn’t returned, worm self-destructs.

Solution #1 – Legality

IP Ranges

The worm is configured with the IP addresses you are authorized to attack.

Solution #1 – Legality

Border Routers

The worm is configured with the border routers of a network. You are authorized to attack all systems within that network.

If a border router comes between a prospective target and the worm, the worm does not propagate to it.

If a border router isn’t on the route to a known Internet server, the worm is already outside its authorized network.

Solution #1 – Legality

DNS

The worm is configured with domain names. You are authorized to attack all systems whose hosts resolve within those domains.

The worm performs a DNS lookup on every prospective target. If the target doesn’t resolve to an authorized domain name, it is not authorized.
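The four safeguards in this section (heartbeats, IP ranges, border routers, DNS) are stated in prose only. The block below is an added illustration, not code from the talk or from Intrusec, of how a scope-enforcement layer would combine them as redundant checks that must all pass before any action is taken against a target, plus the heartbeat kill switch that pauses and then terminates on server silence. Every address, domain and router in it is a constructed placeholder; the `resolve` and `clock` callables are injected so the example runs offline.

```python
"""Constructed example: target-authorization safeguards for a defensive worm.

Every check fails closed. A target is acted on only if ALL applicable checks
pass (redundant safeguards), and only while the heartbeat says "run".
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Sequence

# Constructed sample policy (placeholders, not values from the slides).
AUTHORIZED_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.0.2.0/24")]
AUTHORIZED_DOMAINS = ["corp.example", "lab.example"]
BORDER_ROUTERS = {"10.20.255.1", "192.0.2.1"}


def ip_range_authorized(target: str, ranges: Iterable = AUTHORIZED_RANGES) -> bool:
    """IP Ranges model: the target must fall inside an explicitly authorized range."""
    ip = ipaddress.ip_address(target)
    return any(ip in net for net in ranges)


def dns_authorized(target: str, resolve: Callable[[str], Optional[str]],
                   domains: Sequence[str] = AUTHORIZED_DOMAINS) -> bool:
    """DNS model: the target's reverse lookup must land inside an authorized domain.

    `resolve` maps an IP to a hostname (or None). No answer means not authorized.
    """
    name = resolve(target)
    if not name:
        return False
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def border_router_authorized(route_to_target: Sequence[str],
                             border_routers: Iterable[str] = BORDER_ROUTERS) -> bool:
    """Border Routers model: a border router on the path means the target is outside."""
    return not any(hop in border_routers for hop in route_to_target)


def inside_authorized_network(route_to_reference: Sequence[str],
                              border_routers: Iterable[str] = BORDER_ROUTERS) -> bool:
    """Sanity check from the slides: the route to a known Internet server must cross
    a border router; if it doesn't, the worm is already outside its network and
    must not act at all."""
    return any(hop in border_routers for hop in route_to_reference)


def authorize_target(target: str, route_to_target: Sequence[str],
                     resolve: Callable[[str], Optional[str]],
                     ranges: Iterable = AUTHORIZED_RANGES,
                     domains: Sequence[str] = AUTHORIZED_DOMAINS,
                     border_routers: Iterable[str] = BORDER_ROUTERS) -> List[str]:
    """Run every restriction model; return the names of the checks that failed.

    An empty list means the target is authorized under all models at once.
    """
    failed = []
    if not ip_range_authorized(target, ranges):
        failed.append("ip_range")
    if not dns_authorized(target, resolve, domains):
        failed.append("dns")
    if not border_router_authorized(route_to_target, border_routers):
        failed.append("border_router")
    return failed


class Heartbeat:
    """Kill switch: the central server is checked before each action.

    Silence pauses the worm; silence longer than `timeout_s` terminates it
    permanently (a destroyed worm never resumes, even if the server returns).
    """
    RUN, PAUSE, SELF_DESTRUCT = "run", "pause", "self-destruct"

    def __init__(self, timeout_s: float, clock: Callable[[], float]):
        self.timeout_s = timeout_s
        self.clock = clock            # injected so the example is deterministic
        self.last_ok = clock()
        self.dead = False

    def check(self, server_answered: bool) -> str:
        if self.dead:
            return self.SELF_DESTRUCT
        now = self.clock()
        if server_answered:
            self.last_ok = now
            return self.RUN
        if now - self.last_ok >= self.timeout_s:
            self.dead = True
            return self.SELF_DESTRUCT
        return self.PAUSE


if __name__ == "__main__":
    # Constructed reverse-DNS table standing in for real lookups.
    table = {"10.20.1.5": "web1.corp.example.", "192.0.2.9": "host.other.example"}
    print(authorize_target("10.20.1.5", ["10.20.1.1", "10.20.1.5"], table.get))   # []
    print(authorize_target("192.0.2.9", ["10.20.255.1", "203.0.113.1", "192.0.2.9"],
                           table.get))                                          # ['dns', 'border_router']
```

The point of returning the list of failed checks rather than a bare boolean is auditability: the Management problem on the earlier slide is only tractable if a central console can see why a target was skipped. Note that the DNS check treats a missing reverse record as "not authorized"; an allowlist that defaults open is no allowlist.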

References

1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http://www.eweek.com/article2/0,3959,1109605,00.asp

2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, September 1999. URL: http://www.whitehats.com/library/worms/mworm/index.html

3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http://www.securityfocus.com/news/203

4. Mixter. “mw06.tgz”, September 23, 1999. URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz

5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001. URL: http://www.sans.org/rr/papers/36/31.pdf

6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html

7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html

8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001. URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1

9. Houle, Kevin. Quoted in Lemos, Robert, “Cheese worm: A Linux fixer-upper?”, May 16, 2001. URL: http://news.com.com/2100-1001-257748.html?legacy=cnet

10. Hartmann, Joe. Quoted in Lyman, Jay, “’Cheesy’ Fix-It Worm Patches Security Flaws”, May 18, 2001. URL: http://www.newsfactor.com/perl/story/9869.html

11. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001. URL: http://www.freeos.com/printer.php?entryID=4233

12. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http://www.eweek.com/article2/0,3959,1037004,00.asp