Automated Worm Fingerprinting
David W. Hill, CSCI 297, 6.28.2005


Automated Worm Fingerprinting [Singh, Estan et al]
Internet Quarantine: Requirements for Self-Propagating Code [Moore, Shannon et al]

David W. Hill, CSCI 297, 6.28.2005


What is a worm?

  • Self-replicating/self-propagating code.

  • Spreads across a network by exploiting flaws in open services.

    • As opposed to viruses, which require user action to activate and spread.

  • Not new: Morris Worm, Nov. 1988

    • 6-10% of all Internet hosts infected

  • Many more since, but none on that scale... until Code Red


Internet Worm History

  • Xerox PARC, Schoch and Hupp, 1982

  • Morris Worm <DEC VAX, sendmail, fingerd> 1988

  • Code Red (V1, V2, II) <IIS>, 2001

  • NIMDA, <various exploits>, 2001

  • Slammer Worm <SQL>, 2003

  • Blaster Worm, <DCOM>, 2003

  • Sasser Worm, <LSASS>, 2004


Code Red V1

  • Initial version released July 13, 2001.

  • Exploited known bug in Microsoft IIS Web servers.

  • 1st through 20th of each month: spread. 20th through end of each month: attack.

  • Payload: web site defacement.

  • Spread: via random scanning of 32-bit IP address space.

  • But: failure to seed random number generator → linear growth.


Code Red V2

  • Revision released July 19, 2001.

  • Payload: flooding attack on www.whitehouse.gov.

  • But: this time random number generator correctly seeded. Bingo!

  • Resident in memory, reboot clears the infection

  • Web defacement



Code Red II

  • New worm released August 4, 2001.

  • Intelligent Replication Engine

  • Installed backdoors

  • Used more threads




Worm Detection – Current Methods

  • Network telescopes – passive monitors of unused address space (downfalls: non-random, only provide IP, not signature)

  • Honeypots – slow manual analysis

  • Host-based behavioral detection – dynamically analyze anomalous activity, no inference of large scale attack

  • IDS, IPS – Snort

    • Labor-intensive, human-mediated


Worm Containment

  • Host Quarantine – IP ACL, router, firewall (blacklist)

  • String-matching containment

  • Connection throttling – Slow the spread


Earlybird – Content Sifting

  • Content in existing worms is invariant

  • Dynamics for worm to spread are atypical

  • The Earlybird system can extract signatures from traffic to detect worms and automatically react


Signatures

  • Worm Signature

Content-based blocking [Moore et al., 2003]

Signature for CodeRed II

05:45:31.912454 90.196.22.196.1716 > 209.78.235.128.80: . 0:1460(1460) ack 1 win 8760 (DF)
0x0000 4500 05dc 84af 4000 6f06 5315 5ac4 16c4 E.....@.o.S.Z...
0x0010 d14e eb80 06b4 0050 5e86 fe57 440b 7c3b .N.....P^..WD.|;
0x0020 5010 2238 6c8f 0000 4745 5420 2f64 6566 P."8l...GET./def
0x0030 6175 6c74 2e69 6461 3f58 5858 5858 5858 ault.ida?XXXXXXX
0x0040 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
. . . . .
0x00e0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x00f0 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0100 5858 5858 5858 5858 5858 5858 5858 5858 XXXXXXXXXXXXXXXX
0x0110 5858 5858 5858 5858 5825 7539 3039 3025 XXXXXXXXX%u9090%
0x01a0 303d 6120 4854 5450 2f31 2e30 0d0a 436f 0=a.HTTP/1.0..Co

Signature: A Payload Content String Specific To A Worm


Worm Behavior - Earlybird

  • Content Invariance

  • Content Prevalence

  • Address Dispersion


Earlybird Implementation

  • Each network packet is scanned for invariant content

  • Maintain a count of unique source and destination IPs

  • Sort by substring count and by the size of the address list; the top entries identify worm traffic

  • Use substrings to automatically create signatures to filter the worm



Earlybird Cont.

  • System consists of sensors and an aggregator

  • Aggregator – pulls data from sensors, activates network or host level blocking, reporting and control


Earlybird – Memory & CPU

  • Memory and CPU cycle constraints

  • Index content table by using a fixed size hash of the packet payload

  • Scaled bitmaps are used to reduce memory consumption on address dispersion counts


Earlybird Cont.

  • Sensor – 1.6 GHz AMD Opteron 242, Linux 2.6 kernel

  • Captures using libpcap

  • Can sift 1TB of traffic per day and is able to sift 200Mbps of continuous traffic

  • Cisco router configured for mirroring


Thresholds

  • Content Prevalence = 3

  • 97 percent of signatures repeat two or fewer times


Thresholds

  • Address Dispersion = 30 src and 30 dst

  • Lower dispersion threshold will produce more false positives

  • Garbage collection – several hours


Earlybird False Positives

  • 99% of FPs are from SMTP header strings and HTTP user agents – whitelist

  • SPAM e-mails – distributed mailers and relays

  • BitTorrent file striping creates many-to-many download profile
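The content-sifting loop described on the Earlybird Implementation and Thresholds slides, with the whitelist the False Positives slide calls for, as an added example in Python. This is not code from the Earlybird paper or from these slides. Assumptions: a polynomial rolling hash stands in for Earlybird's Rabin fingerprints, exact address sets stand in for its scaled bitmaps, value sampling is left at 1 (every window is tracked), and all traffic is constructed: TEST-NET addresses, a defanged request modeled on the Code Red II trace shown earlier, a popular web page fetched by many clients, and bulk mail with an invariant header line.

```python
from collections import defaultdict

WINDOW = 40           # bytes per fingerprinted substring (Earlybird fingerprints ~40-byte windows)
BASE = 257
MOD = (1 << 61) - 1   # Mersenne prime; keeps the rolling hash well distributed


def window_fingerprints(payload, window=WINDOW):
    """Yield (offset, fingerprint) for every window-byte substring of payload.
    A polynomial rolling hash stands in for Earlybird's Rabin fingerprints:
    each step drops the outgoing byte and appends the incoming one in O(1)."""
    if len(payload) < window:
        return
    high = pow(BASE, window - 1, MOD)
    h = 0
    for b in payload[:window]:
        h = (h * BASE + b) % MOD
    yield 0, h
    for i in range(window, len(payload)):
        h = ((h - payload[i - window] * high) * BASE + payload[i]) % MOD
        yield i - window + 1, h


def whitelisted_spans(payload, whitelist):
    """Byte ranges covered by a known-benign string (SMTP headers, HTTP user
    agents); windows overlapping such a range are not sifted."""
    spans = []
    for needle in whitelist:
        start = payload.find(needle)
        while start != -1:
            spans.append((start, start + len(needle)))
            start = payload.find(needle, start + 1)
    return spans


class ContentSifter:
    def __init__(self, prevalence_t=3, dispersion_t=30, sample_mod=1, whitelist=()):
        self.prevalence_t = prevalence_t      # slide: content prevalence = 3
        self.dispersion_t = dispersion_t      # slide: 30 distinct sources and 30 distinct destinations
        self.sample_mod = sample_mod          # value sampling: track only fingerprints with fp % sample_mod == 0
        self.whitelist = tuple(whitelist)
        self.prevalence = defaultdict(int)    # (fp, dport) -> times seen
        self.srcs = defaultdict(set)          # exact sets here; Earlybird uses scaled bitmaps to save memory
        self.dsts = defaultdict(set)
        self.signatures = {}                  # (fp, dport) -> substring that crossed both thresholds

    def observe(self, src, dst, dport, payload):
        spans = whitelisted_spans(payload, self.whitelist)
        for off, fp in window_fingerprints(payload):
            if fp % self.sample_mod:
                continue
            if any(off < end and off + WINDOW > start for start, end in spans):
                continue
            key = (fp, dport)
            self.prevalence[key] += 1
            if self.prevalence[key] < self.prevalence_t:
                continue                      # not prevalent yet: no dispersion state is allocated
            self.srcs[key].add(src)
            self.dsts[key].add(dst)
            if (key not in self.signatures
                    and len(self.srcs[key]) >= self.dispersion_t
                    and len(self.dsts[key]) >= self.dispersion_t):
                self.signatures[key] = payload[off:off + WINDOW]

    def detected(self):
        return list(self.signatures.values())


# Constructed traffic (not a capture): a defanged request modeled on the
# Code Red II trace on the slide, a popular web page, and bulk mail.
WORM = b"GET /default.ida?" + b"X" * 120 + b" HTTP/1.0\r\n"
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: ConstructedBrowser/1.0\r\n\r\n")
MAIL_HEADER = b"X-Mailer: ConstructedMailer/1.0 (bulk)\r\n"   # exactly 40 bytes: one full window
WHITELIST = (MAIL_HEADER, b"User-Agent: ConstructedBrowser/1.0")


def constructed_traffic():
    pkts = []
    for i in range(40):    # worm: many infected sources, each hitting a distinct target
        pkts.append((f"198.51.100.{i}", f"203.0.113.{i}", 80, WORM))
    for i in range(50):    # flash crowd: prevalent content, but a single destination
        pkts.append((f"192.0.2.{i}", "203.0.113.250", 80, BENIGN))
    for i in range(35):    # bulk mail relay: many-to-many with an invariant header line
        body = b"MAIL FROM:<user%d@example.org>\r\n" % i + MAIL_HEADER + b"Subject: Offer %d\r\n" % i
        pkts.append((f"192.0.2.{100 + i}", f"198.51.100.{100 + i}", 25, body))
    return pkts


def sift(packets, whitelist=()):
    sifter = ContentSifter(whitelist=whitelist)
    for src, dst, dport, payload in packets:
        sifter.observe(src, dst, dport, payload)
    return sifter.detected()


if __name__ == "__main__":
    sigs = sift(constructed_traffic(), WHITELIST)
    print(len(sigs), "signature windows, e.g.", sigs[0])
```

The flash crowd shows why both dispersion counts matter: its content is as prevalent as the worm's, but all 50 requests go to one server, so it never crosses the destination threshold. Running `sift` without the whitelist reproduces the slide's SMTP false positive: the invariant `X-Mailer` line is sent from many relays to many recipients and is reported just like the worm content.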


Earlybird – Issues of Concern

  • SSH, SSL, IPSEC, VPNs

  • Polymorphism

  • IP spoofing source address

  • Packet injection


Earlybird – Current State

  • UCSD NetSift → Cisco


Internet Quarantine – Requirements for Containing Self-Propagating Code

  • Prevention – Managing vulnerabilities

  • Treatment – Disinfection tools, patches

  • Containment – Firewalls, content filters, blacklists. How to completely automate?


Modeling Containment

  • Reaction time – time necessary for detection

  • Containment strategy – blacklisting, content filtering

  • Deployment scenario – how many nodes are participating
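An added example, not from the Moore et al. paper or these slides, that turns the three modeling knobs on this slide into a runnable simulation. It assumes a logistic (SI) spread model with Code Red-like parameters (360,000 vulnerable hosts, 10 scans per second per infected host, a 32-bit address space; all assumed values) and models only the content-filtering strategy: from the reaction time onward a fraction `coverage` of infection attempts is blocked, standing in for the share of paths the deployed filters cover. Blacklisting is not modeled.

```python
def simulate_containment(reaction_s, coverage, vulnerable=360_000, scan_rate=10.0,
                         addr_space=2 ** 32, horizon_s=86_400, dt=10.0):
    """Fraction of the vulnerable population infected after horizon_s seconds.

    Logistic (SI) model, assumed parameters: each infected host scans scan_rate
    random addresses per second, and a scan infects a host with probability
    (vulnerable - infected) / addr_space.  Content filtering switches on at
    reaction_s and blocks a fraction `coverage` of infection attempts, which
    stands in for the deployment scenario (share of paths that are filtered).
    """
    infected = 1.0
    t = 0.0
    while t < horizon_s:
        blocked = coverage if t >= reaction_s else 0.0
        new = (1.0 - blocked) * scan_rate * infected * (vulnerable - infected) / addr_space * dt
        infected = min(vulnerable, infected + new)
        t += dt
    return infected / vulnerable


def sweep(reactions=(60, 600, 3600, 36_000), coverages=(0.5, 0.9, 0.99, 1.0)):
    """Infected fraction at the horizon for each reaction time x coverage pair."""
    return {(r, c): simulate_containment(r, c) for r in reactions for c in coverages}


if __name__ == "__main__":
    reactions, coverages = (60, 600, 3600, 36_000), (0.5, 0.9, 0.99, 1.0)
    table = sweep(reactions, coverages)
    print("reaction   " + "  ".join(f"cov={c:<5}" for c in coverages))
    for r in reactions:
        print(f"{r:>6}s    " + "  ".join(f"{table[(r, c)]:9.5f}" for c in coverages))
```

With these parameters the unchecked worm saturates the vulnerable population well inside 24 hours, a one-hour reaction with complete filter coverage holds the infection to a handful of hosts, and the same reaction time with 50% coverage only slows the curve; the outcome is driven by reaction time and coverage together, which is the point of the three knobs.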




Deployment Scenarios


References

- The Threat of Internet Worms, Vern Paxson, http://www.icir.org/vern/talks/vp-worms-ucla-Feb05.pdf
- Cooperative Association for Internet Data Analysis (CAIDA), http://www.caida.org
- Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Security 2004
- Wikipedia: computer worms, hashing
- Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute


Thank You!

Discussion

