The Threats of Internet Worms. Based on Addressing the Threat of Internet Worms Vern Paxson UCB/ICSI

Transcription

1 The Threats of Internet Worms Based on Addressing the Threat of Internet Worms Vern Paxson UCB/ICSI 1

2 Internet abuse 2

3 What is a worm? A worm is self-replicating software designed to spread through the network Typically exploits security flaws in widely used services Spreads across a network by exploiting flaws in open services. Can cause enormous damage Launch DDOS attacks, install Botnets Access sensitive information Cause confusion by corrupting the sensitive information Worm vs. Virus vs. Trojan horse A virus is code embedded in a file or program Viruses and Trojan horses rely on human intervention Worms are self-contained 3

4 What is a worm? (2.) Not new --- Morris Worm, Nov % of all Internet hosts infected Infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities Many more since, but for 13 years none on that scale, until. 4

5 Impact of worms on scanning 5

6 Impact of worms on scanning 6

7 Code Red Initial version released July 13, Exploited known bug in Microsoft IIS Web servers. GET/default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 Payload: Web site defacement HELLO! Welcome to Hacked By Chinese! Only done if language setting = English 7

8 Code Red of July 13, con t 1st through 20th of each month: spread. 20th through end of each month: attack. Flooding attack against i.e., Spread: via random scanning of 32-bit IP address space. But: failure to seed random number generator linear growth. 8

9 Code Red, con t Revision released July 19, White House responds to threat of flooding attack by changing the address of Causes Code Red to die for date 20th of the month. But: This time random number generator correctly seeded. Bingo! 9

10 Network Telescopes and HoneyFarms 10

11 The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department of Computer Science and Engineering & Cooperative Association for Internet Data Analysis (at SDSC) University of California, San Diego 11

12 Context The Internet has an open communications model Benefits: Flexible communication, application innovation Drawbacks: Many opportunities for abuse The Dark Side to the Internet Denial-of-Service Attacks Network Worms and Viruses Automated Scanning/Break-in Tools Etc Question: How big a problem is it really? 12

13 Media The sky is falling every day 13

14 Why is this so hard? Quantitative attack data isn t available Inherently hard to acquire Few content or service providers collect such data If they do, its usually considered sensitive Infeasible to collect at Internet scale How to monitor enough to the Internet to obtain a representative sample? How to manage thousands of bilateral legal negotiations? Data would be out of date as soon as collected 14

15 Network Telescopes A way to observe global network phenomena with only local monitoring Key observation: Large class of attacks use random addresses Worms frequently select new host to infect at random Many DoS attacks hide their source by randomizing source addresses Network Telescope A monitor that records packets sent to a large range of unused Internet addresses Since attacks are random, a telescope samples attacks 15

16 Example: Monitoring Worm Attacks Infected host scans for other vulnerable hosts by randomly generating IP addresses 16

17 What can we infer? How quickly the worm is spreading? Which hosts are infected and when? Where are they located? How quickly are vulnerabilities being fixed? 17

18 Example: Monitoring Denial-of-Service Attacks Attacker floods the victim with requests using random spoofed source IP addresses Victim believes requests are legitimate and responds to each spoofed address Network telescope can infer that a site sending unsolicited reply packets is being attacked 18

19 What can we infer? Number of attacks? How big are they? How long? Who is being attacked? 35 Percent of Attacks Week 1 Week 2 Week unknown net com ro br org edu ca de uk Top-Level Domain 19

20 What s special about the UCSD Network Telescope? Our Telescope is very large and size does matter The more addresses monitored, the more accurate, quick and precise the results We have access to more than 1/256 of all Internet addresses (> 16M IP addresses) Unprecedented insight into global attack activity Can detect new attacks and worms in seconds with low error (Special thanks to Jim Madden & Brian Kantor from UCSD Network Operations whose support makes this research possible) 20

21 UCSD Network Telescope Summary High quality global estimates on Internet security events (Worms, DDoS) ~4000 DoS attacks per week; attacks on network infrastructure Have observed worms spreading faster than 50M hosts per second Collecting ongoing longitudinal data set (20GB/day) Impact of data & methodology Research: Widely used in modeling network attacks and designing defenses Operational Practice: Identifies infected hosts and sites being attacked; variant of backscatter analysis now used by top ISPs Policy: Helps justify and prioritize resources appropriately 21

22 Measuring activity: Network telescope Monitor cross-section of Internet address space, measure traffic Backscatter from DOS floods Attackers probing blindly Random scanning from worms LBNL s cross-section: 1/32,768 of Internet UCSD, UWisc s cross-section: 1/

23 23

24 Measuring Internet-scale activity: Network telescopes Idea: monitor a cross-section of Internet address space to measure network traffic involving wide range of addresses Backscatter from DOS floods Attackers probing blindly Random scanning from worms 24

25 Spread of Code Red Network telescopes estimate of # infected hosts: 360K. Note: larger the vulnerable population, faster the worm spreads. That night ( 20th), worm dies except for hosts with inaccurate clocks! It just takes one of these to restart the worm on August 1st 25

26 26

27 Striving for greater virulence: Released August 4, Comment in code: Code Red 2. But in fact completely different code base. Code Red 2 Payload: a root backdoor, resilient to reboots. Bug: crashes NT, only works on Windows Kills Code Red 1. Safety valve: Programmed to die Oct 1,

28 Striving for greater virulence: Nimda Released September 18, Multi-mode spreading: Attack IIS servers via infected clients itself to address book as a virus Copy itself across open network shares Modifying Web pages on infected servers w/ client exploit Scanning for Code Red II backdoors (!) Worms form an ecosystem! Leaped across firewalls. 28

29 Code Red 2 kills off Code Red 1 CR 1 returns thanks to bad clocks Code Red 2 settles into weekly pattern Nimda enters the ecosystem Code Red 2 dies off as programmed 29

30 Code Red 2 dies off With its predator as programmed gone, Code Red 1 comes back!, still Nimda hums along, exhibiting monthly slowly cleaned up pattern 30

31 Life just before Slammer 31

32 Life just after Slammer 32

33 A lesson in economy Slammer exploited a connectionless UDP service, rather than connection-oriented TCP. Entire worm fit in a single packet! When scanning, worm could fire and forget. Worm infected 75,000+ hosts in 10 minutes (despite broken random number generator). At its peak, doubled every 8.5 seconds Progress limited by the Internet s bandwidth capacity! 33

34 Slammer s bandwidth-limited growth 34

35 Blaster Released August 11, Exploits flaw in RPC service ubiquitous across Windows. Payload: Attack Microsoft Windows Update. Despite flawed scanning and secondary infection strategy, rapidly propagates to (at least) 100K s of hosts. Actually, bulk of infections are really Nachia, a Blaster counter-worm. Key paradigm shift: firewalls don t help. 35

36 Cost of worms Morris worm, 1988 Infected approximately 6,000 machines 10% of computers connected to the Internet Cost ~ $10 million in downtime and cleanup Code Red worm, July Direct descendant of Morris worm Infected more than 500,000 servers Programmed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages, Love Bug worm: $8.75 billion Statistics: Computer Economics Inc., Carlsbad, California 36

37 Cost of worms (2.) 37

38 What if spreading were well-designed? Observation: Much of a worm s scanning is redundant. Ideas: Accelerate later phase: Coordinated scanning Accelerate initial phase: Use precomputed hit-list Greatly accelerates worm. 38

39 How do worms propagate? Scanning worms Worm chooses random address Coordinated scanning Different worm instances scan different addresses Flash worms Preassemble tree of vulnerable hosts, propagate along tree Not observed in the wild, yet Potential for 106 hosts in < 2 sec! [Staniford] Meta-server worm Contact server for hosts list(e.g., Google for powered by phpbb ) Topological worm Use information from infected hosts (web server logs, address books, config files, SSH known hosts ) Contagion worm Propagate parasitically along with normal communication 39

40 Defenses Detect via honeyfarms: Collections of honeypots fed by a network telescope. Any outbound connection from honeyfarm = worm. Distill signature from inbound/outbound traffic. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts. 5 minutes to several weeks to write a signature Several hours or more for testing 40

41 Honeypots and Honeynets 41

42 What Is a Honeypot? Abstract definition: A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. (Lance Spitzner) Concrete definition: A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised. 42

43 Example of a simple Honeypot Install vulnerable OS and software on a machine Install monitor or IDS software Connect to the Internet (with global IP) Wait & monitor being scanned, attacked, compromised Finish analysis, clean the machine 43

44 Benefit of deploying Honeypots Risk mitigation: Lure an attacker away from the real production systems ( easy target ). Intrusion Detection System like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions. 44

45 Benefit of deploying Honeypots Attack analysis: Find out reasons, and strategies why and how you are attacked. Binary and behavior analysis of capture malicious code Evidence: Once the attacker is identified, all data captured may be used in a legal procedure. Increased knowledge 45

46 Honeypot classification High-interaction honeypots A full and working OS is provided for being attacked VMware virtual environment Several VMware virtual hosts in one physical machine Low-interaction honeypots Only emulate specific network services No real interaction or OS Honeyd Honeynet/honeyfarm A network of honeypots 46

47 Low-interaction Honeypots Pros: Easy to install (simple program) No risk (no vulnerable software to be attacked) One machine supports hundreds of honeypots, covers hundreds of IP addresses Cons: No real interaction to be captured Limited logging/monitor function Hard to detect unknown attacks; hard to generate filters Easily detectable by attackers 47

48 High-interaction Honeypots Pros: Real OS, capture all attack traffic/actions Can discover unknown attacks/vulnerabilites Can capture and analyze code behavior Cons: Time-consuming to build/maintain Time-consuming to analysis attack Risk of being used as stepping stone High computer resource requirement 48

49 Honeynet A network of honeypots High-interaction honeynet A distributed network composing many honeypots Low-interaction honeynet Emulate a virtual network in one physical machine Example: honeyd Mixed honeynet Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm 49

50 Defenses Detect via honeyfarms: Collections of honeypots fed by a network telescope. Any outbound connection from honeyfarm = worm. Distill signature from inbound/outbound traffic. Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts. 5 minutes to several weeks to write a signature Several hours or more for testing 50

51 Early warning: Blaster Worm 7/16 - DeepSight Alerts & TMS initial alerts on the RPC DCOM attack 7/23 - DeepSight TMS warns of suspected exploit code in the wild. Advises to expedite patching. 8/5 - DeepSight TMS Weekly Summary, warns of impending worm. 8/11 - Blaster worm breaks out. ThreatCon is raised to level 3 7/25 - DeepSight TMS & Alerts update with a confirmation of exploit code in the wild. Clear text IDS signatures released. 8/7 TMS alerts stating activity is being seen in the wild. DeepSight Notification IP Addresses Infected With The Blaster Worm Slide: Carey Nachenberg, Symantec 51

52 Need for automation Current threats can spread faster than defenses can reaction Manual capture/analyze/signature/rollout model too slow Contagion Period months days hrs mins secs Program Viruses Preautomation Macro Viruses Contagion Period Signature Response Period Worms Network Worms Postautomation Flash Worms Signature Response Period 1990 Time 2005 Slide: Carey Nachenberg, Symantec 52

53 Signature inference Challenge Need to automatically learn a content signature for each new worm potentially in less than a second! Some proposed solutions Singh et al, Automated Worm Fingerprinting, OSDI 04 Kim et al, Autograph: Toward Automated, Distributed Worm Signature Detection, USENIX Sec 04 53

54 Signature inference Monitor network and look for strings common to traffic with worm-like behavior Signatures can then be used for content filtering Slide: S Savage 54

55 Defenses? Observation: Worms don t need to randomly scan Meta-server worm: ask server for hosts to infect (e.g., Google for powered by phpbb ) Topological worm: fuel the spread with local information from infected hosts (web server logs, address books, config files, SSH known hosts ) No scanning signature; with rich interconnection topology, potentially very fast. 55

56 Defenses?? Contagion worm: Propagate parasitically along with normally initiated communication. E.g., using 2 exploits - Web browser & Web server - infect any vulnerable servers visited by browser, then any vulnerable browsers that come to those servers. E.g., using 1 BitTorrent exploit, glide along immense peer-to-peer network in days/hours. No unusual connection activity at all! :-( 56

57 Some cheery thoughts (Stefan Savage, UCSD/CCIED) Imagine the following species: Poor genetic diversity; heavily inbred Lives in hot zone ; thriving ecosystem of infectious pathogens Instantaneous transmission of disease Immune response 10-1M times slower Poor hygiene practices What would its long-term prognosis be? What if diseases were designed Trivial to create a new disease Highly profitable to do so 57

58 Broader view of defenses Prevention Make the monoculture hardier Get the darn code right in the first place or figure out what s wrong with it and fix it Lots of active research (static & dynamic methods) Security reviews now taken seriously by industry E.g., ~$200M just to review Windows Server 2003 But very expensive And very large Installed Base problem Prevention Diversify the monoculture Via exploiting existing heterogeneity Via creating artificial heterogeneity 58

59 Broader view of defenses, con t Prevention Keep vulnerabilities inaccessible Cisco s Network Admission Control Frisk hosts that try to connect, block if vulnerable Microsoft s Shield ( Band-Aid ) Shim-layer blocks network traffic that fits known vulnerability (rather than known exploit) Detection Look for unusual repeated content Can work on non-scanning worms Key off many-to-many communication to avoid confusion w/ non-worm sources EarlyBird, Autograph -- distill signature But: what about polymorphic worms? 59

60 Once you have a live worm, then what? Containment Use distilled signature to prevent further spread Would like to leverage detections by others But how can you trust these? What if it s an attacker lying to you to provoke a selfdamaging response? (Or to hide a later actual attack) 60

61 Once you have a live worm, then what?, con t Proof of infection Idea: alerts come with a verifiable audit trail that demonstrates the exploit, ala proof-carrying code Auto-patching Techniques to derive (and test!) patches to fix vulnerabilities in real-time (Excerpt from a review: Not as crazy as it sounds ) Auto-antiworm Techniques to automatically derive a new worm from a propagating one, but with disinfectant payload (This one, on the other hand, is as crazy as it sounds) 61

62 Incidental damage Today Today s worms have significant real-world impact: Code Red disrupted routing Slammer disrupted elections, ATMs, airline schedules, operations at an off-line nuclear power plant Blaster possibly contributed to Great Blackout of Aug. 2003? Plus major clean-up costs But today s worms are amateurish Unimaginative payloads 62

63 Where are the nastier worms?? Botched propagation the norm Doesn t anyone read the literature? e.g., permutation scanning, flash worms, metaserver worms, topological, contagion Botched payloads the norm e.g., Flooding-attack fizzles Current worm authors are in it for kicks ( or testing) No arms race yet. 63

64 Next-generation worm authors Military Crooks: Denial-of-service, spamming for hire Access worms Very worrisome onset of blended threats Worms + viruses + spamming + phishing + DOS-for-hire + botnets + spyware Money on the table Arms race (market price for spam proxies: 3-10 /host/week) 64

65 Better payloads Wiping a disk costs $550/$2550* A well-designed version of Blaster could have infected 10M machines. (8M+ for sure!) The same service exploited by Blaster has other vulnerabilities Potentially a lot more $$$: flashing BIOS, corrupting databases, spreadsheets Lower-bound estimate: $50B if well-designed 65

66 Attacks on passive monitoring Exploits for bugs in read-only analyzers! Suppose protocol analyzer has an error parsing unusual type of packet E.g., tcpdump and malformed options Adversary crafts such a packet, overruns buffer, causes analyzer to execute arbitrary code 66

67 Witty Released March 19, Single UDP packet exploits flaw in the passive analysis of Internet Security Systems products. Bandwidth-limited UDP worm ala Slammer. Distribution: Used a pre-populated list of ground-zero hosts. Vulnerable pop. (12K) attained in 75 minutes. Payload: First Internet worm to carry a destructive payload Slowly corrupt random disk blocks. 67

68 Witty, con t Flaw had been announced the previous day. Telescope analysis reveals: Initial spread seeded via a hit-list. In fact, targeted a U.S. military base. Analysis also reveals Patient Zero, a European retail ISP. Written by a Pro. 68

69 What kind of services are targeted 69

70 More information Timeline of virus and worms Early worms: Eugene H. Spafford, The Internet Worm: Crisis and Aftermath, CACM 32(6) , June 1989 Page, Bob, "A Report on the Internet Worm", Summaries: 70