Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware

Transcription

1 Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware Evan Cooke, Z. Morley Mao, Farnam Jahanian *University of Michigan DSN 2006

2 Self-Propagating Malware Worms & Botnets (Source: Microsoft Antimalware Team Report, June 2006) Self-propagating malware highly distributed: Many attackers Many vulnerable systems Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

3 Locating Vulnerable Hosts Address n (e.g., 2 32 ) Step 1: A host becomes infected Step 3: Remote host is infected and then begins the scanning process Step 2: Infected host scans through address space Vulnerable hosts looking for vulnerable hosts Address 0 Scanning processing typically modeled as uniform random process Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

4 Internet Detection Systems Due to distributed nature of attacks: detection systems rely on threat invariants: Static byte sequence Certain TCP/UDP ports Rate of successful/failed connection attempts Detection systems leverage these invariants When a parameter becomes abnormal then alert (e.g. prevalence of byte sequence in Autograph/EarlyBird/Polygraph) Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

5 Hotspots Goal today is to challenge assumptions behind many of these prevalence-based detection approaches: Challenge the long held idea that worm propagation is a uniform process Demonstrate how threat propagation exhibits hotspots (non-uniform targeting behavior) Implications: Detection systems may not alert due to hotspots Distributed detection systems may fail due to hotspots Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

6 Impact of Non-Uniformity on Detection A simple illustration: Will Alert Won t Alert Detection Threshold Non-uniformity impacts prevalence-based detection systems: B,C,E,F will not alert! Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

7 Root Causes of Non-Uniformity We define a hotspot as deviation from uniform propagation behavior We define two major classes of hotspots: 1. Algorithmic Factors - Host-centric, programmatic influences that impact threat propagation 2. Environmental Factors - External network influences that impact threat propagation Hotspots are often not intentional Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

8 Empirical Evidence of Hotspots We now empirically demonstrate algorithmic and environmental factors: Use data from: Internet Motion Sensor - collection of 11 distributed darknet sensors ranging in size from a /25 (CIDR notation, 128 addresses) to a /8 (16 million addresses) Live Botnet Monitors - monitored router on large academic network for the specific C&C signatures of Agobot/Phatbot, rbot/sdbot, and Ghost-Bot Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

9 Algorithmic Factors Host-centric, programmatic influences that impact threat propagation. Hit-lists: pre-programmed lists of target addresses stored in the threat payload or obtained from a remote server. Pseudo-Random Number Generators (PRNGs): target address generation functions that are easily biased by a poor source of entropy or a poor implementation. Local Preference: a bias for nearby addresses that is typically deliberately designed into a propagation algorithm Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

10 Hit-lists Botnet operators intentionally bias propagation toward vulnerable host Sample of captured propagation commands: Bot Command Detected ipscan r.r.r.r dcom2 ipscan s.s.s.s dcom2 ipscan 24.s.s.s dcom2 ipscan s.s dcom2 ipscan s.s.s lsass ipscan s.s webdav3 Scan Type Global Random Global Seq. Local 24/8 Seq. Local 69.27/16 Seq. Local /8 Seq. Local /16 Seq Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

11 PRNG: Blaster Worm Hotspots Number of unique Blaster infected source IPs by /24 across 6 IMS darknet sensors Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

12 PRNG: Blaster Worm We analyzed the decompiled source code: Blaster worm uses GetTickCount() to seed random number generator GetTickCount() returns number of ms since boot time, zero each reboot. Blaster worm design to restart on reboot using registry This spike Hotspots in Blaster scanning distribution correlated with boot times 4-5 minutes corresponds to 2.3 min boot time Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

13 PRNG: Slammer Worm Error in PRNG generator causes short cycles for certain seed values Certain random seeds have short cycles => hotspots Observed Slammer scanning patterns for individual hosts Hotspot in aggregate slammer propagation Host A Host B Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

14 Environmental Factors External network influences that impact threat propagation. Network topology: latency, bandwidth, and other network factors that impact the rate at which an infection can progress. Routing and filtering policy: firewalls and other policy devices that restrict reachability to a target address. Network failures and misconfigurations: dropped packets, mangled packets, and failures that impact success of an infection Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

15 Network Topology: CodeRedII Significant hotspot in M block Number of unique CodeRedII infected source IPs by /24 across 6 IMS darknet sensors Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

16 Network Topology: CodeRedII The M block is in /8 Many NATs use /16 address space CodeRedII has a bias for local /8 addresses If many CodeRedII infected hosts behind 192- NATs they would prefer /8 Test with quarantined CodeRedII hosts: Similar Hotspot non-192/8 Address Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

17 Network Filtering: Fortune 500 Filtering Top 3 infected Fortune 100 Companies: Total IPs CRII IPs Slammer IPs Banking Company Media Company Logistics Company Top 3 infected Broadband Providers: Total IPs CRII IPs Slammer IPs ISP A ISP B ISP C Blaster IPs Blaster IPs Supposition: many infected hosts inside enterprises However they are behind NATs firewalls (strict outgoing filtering) as compared to ISPs Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

18 Implications of Hotspots Detectors at different addresses may report widely different observations of a threat How does this impact distributed detection? Detection Threshold Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

19 Evaluating the Impact of Hotspots Simulate outbreak of threat with hotspots Investigate impact of algorithmic factors: Construct hit-list worm based on CodeRedII Use empirically observed CodeRedII source IPs as vulnerable population (134,586 IPs) Evaluate hit-lists of 4 sizes: 10 /16s (covering 10.60% of vul pop) 100 /16s (covering 50.49% of vul pop) 1000 /16s (covering 91.33% of vul pop) 4481 /16s (covering 100% of vul pop) Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

20 Impact of Algorithmic Factors Infection rate over time for out hit-list worm with 4 different hit-list sizes Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

21 Impact of Algorithmic Factors Randomly place a /24 detector in each of the 4481 /16 networks with a vulnerable host Each sensor alerts after 5 payloads [Autograph] Less than 5% of detectors alerted with 100-item hit-list But, the 100-item hit-list infected > 50% of the vulnerable population in a few minutes Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

22 Place Sensors Inside Hotspots Implication: must place sensors inside hotspots But, hotspots are very hard to predict! However, we can predict some environmental factors Go back to empirically observed CodeRedII hotspot Place sensors inside /8, / Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

23 Predicting Environment Factors Place 255 detectors inside /8 Simulate CodeRedII-like worm where 15% of hosts are behind NATs 100% of the detectors have alerted before 20% of the vulnerable population is infected! Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

24 Summary & Conclusion Hotspots are everywhere: Every self-propagating threat we have observed is influenced algorithmic or environmental factors We often can t predict hotspots due to complex host and network interactions Can t assume that just because one address was attacked so will another Open Problem: Where do we place detectors? ubiquitously throughout address space? Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006

25 Questions & Acknowledgements Questions? Thanks to the ISPs, academic institutions, and organizations for hosting the IMS! Thanks to Jose Nazario, Robert Stone, Rob Malan, and Dug Song at Arbor Networks and Larry Blunk, Bert Rossi, and Manish Karir at Merit Network. And of course our sponsors: For more information on the Internet Motion Sensor: Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006