Malware 2: Worms

Friday, December 5, 2008
Sources: see final slide

CS342 Computer Security

Department of Computer Science Wellesley College

Worms vs. Viruses

o Both are self-replicating programs
o Worms are (usually) self-contained; viruses attach to a host program
o Worms are (usually) self-activating; viruses require human intervention to spread.
o Worms spread via networks; viruses can, too, but can also spread via other means.
o Worms offer a scale of propagation (in terms of speed, number of hosts infected, potential for damage) not easily achieved by other mechanisms. They are the tool of choice for recruiting “” computers.
o One copy of a worm is called a segment or node.

Malware 2: Worms 25-2

Trends and pertinence

o Virus/Worms: In 12 years, propagation speed and estimated damages have increased by five and two orders of magnitude, respectively
o Damages will get worse and outages more severe as more and more facets of our lives/society are digitally enmeshed


Worm Components (picture from Skoudis, p. 79)

o Exploit to get ‘in’ to the target – e.g., buffer overflow, password guessing/cracking, misconfiguration exploits, etc.
o Pull rest of worm code into target via FTP, HTTP, etc. (sometimes already contained in warhead)
o Selection of new target addresses using different selection techniques
o Scan targets and infect vulnerable targets
o Impact of worm, implements some specific action on behalf of attacker on the target: install DDOS agent, steal info, use computrons and storage, etc.

Other components in some worms:
• Intelligence to locate other worm segments.
• Communication with other worm segments
• Control of other worm segments

Worms: Scanning

o Goal: Find new targets to attack
o Common techniques:
  o Statistical: Scan ‘random’ IP addresses
  o Topological: Use information on infected hosts, e.g. address book, .rhosts file, network neighborhood, ...
o Avoid double infections!


Worm History

Name | Date | Notes
Creeper | 1971 | Program designed to move across a network of air traffic control systems
Xerox PARC worms | 1982 | Shoch & Hupp distributed computation experiments
Morris Worm | Nov. 1988 | Disabled early by infecting Unix hosts
Melissa | Mar. 1999 | MS Word; spread via Outlook email
Love Bug | May 2000 | VBScript worm spread via Outlook email
Ramen | Jan 2001 | Linux worm exploiting 3 buffer overflows
Code Red | Jul 2001 | Infected 250K Windows IIS servers in 9 hours with goal of packet flood against whitehouse.gov
Nimda | Sep 2001 | Multi-exploit worm with 12 spreading mechanisms
Klez | Jan 2002 | Mildly polymorphic; tried to disable antivirus
Slapper | Sep 2002 | Spread via SSL flaw in Apache; built massive DDOS peer-to-peer network
SQL Slammer | Jan 2003 | Small worm spreading in a matter of minutes via flaw in MS SQL Server database


Morris (or Cornell or Unix) Worm (1988)

o Robert Tappan Morris, Jr.
  o 23 years old, Cornell grad student, father worked at the NSA
o He asked himself: “I wonder how large the Internet is?”
o Wrote a self-propagating program as a “test concept”
o Exploited Unix vulnerabilities in sendmail and fingerd
o Released at MIT
o Bug in the worm caused it to go haywire – it was not planned to wreak havoc
o The first worm that propagated using the Internet
  o Internet was designed with functionality in mind!
o Following details from the Eichin/Rochlis “With Microscope and Tweezers” paper

How it entered (multiple means)

o sendmail in debug mode (as released in SunOS) allowed connections to spawn a shell.
o fingerd (VAX systems) buffer overflow to spawn shell
o In shell, compiled & executed C program to download rest of worm program
o r-services (no-password access to other machines)
  o rexec
  o rsh


Who it attacked

o accounts with obvious passwords:
  o none at all
  o the user name (once and appended to itself)
  o the “nickname”
  o last name (both spelled forwards and backwards)
o passwords from a 432 word included dictionary
o used the words from /usr/dict/words as passwords
o trusted accounts through .rhosts


Systems affected

o SUN and VAX
o Gained hostnames and account names through:
  o /etc/hosts.equiv
  o /.rhosts
  o .forward
  o .rhosts
  o routing tables
  o serial P2P links
  o randomly guessed first-hop addresses


Covering Tracks

o Erased argument list so could not tell how it was invoked
o Deleted binary after use
o Used resource limit functions to prevent a core dump
o Named itself “sh” to avoid suspicion
o Refreshed itself by forking about every 3 minutes
o Constant strings obscured by XORing


Example modern worm: Code Red (2001)

o Worm probed random IP addresses and infected Microsoft Internet Information Services (IIS) web servers with a buffer overflow vulnerability.
o Defaced English websites hosted on the server with the message: Welcome to http://www.worm.com! Hacked by Chinese!
o On July 19 over 359,000 hosts infected in a 13-hour period
  o over 2,000 hosts infected per minute at peak
  o at 5:00 pm, worm attempted DoS attack against 198.137.240.91 (www.whitehouse.gov)
  o For details, see Moore & Shannon http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
o Estimated 975,000 servers infected by end of August with losses of $2.4 billion – Computer Economics
o Shut down Japan Airline computer affecting ticketing & check-in, delaying 55 flights and 15,000 passengers 1-2 hours

Spread of Code Red Worm

[Map of infected hosts: July 19 01:05:00 2001]

19 Hours Later

[Map of infected hosts: July 19 20:15:00 2001]

Vulnerabilities spawn Exploits

o Vulnerability: A weakness in hardware, an operating system or a software application, usually a feature that can be misused to compromise a system
o Exploit: A method used to take advantage of a vulnerability
o Example: Code Red
  o June 18, 2001 Eeye Digital Security discloses vulnerability in Microsoft IIS web server
  o June 18, 2001 Microsoft issues alert, patch
  o June 19, 2001 CERT® Advisory CA-2001-13 Buffer Overflow In IIS
  o July 12, 2001 Code Red v. 1 is released
  o July 19, 2001 Code Red v.2 is released
  o August 4, 2001 Code Red II is released
  o Sept. 18, 2001 Nimda is released


Vulnerability and exploit portals

o Mitre’s CVE (Common Vulnerabilities and Exposures) http://cve.mitre.org
o News http://www.security-update.com – updated every hour, variety of sources
o Vendors’ sites sometimes have very good vulnerability info


Code Red: Scanning technique

[Chart: Distinct remote hosts attacking LBNL (0 to 2,500) vs. days since Sept. 20, 2001 (0 to 150)]

o Code Red I: 99 threads scan for vulnerable IIS installations, using random number generator
o Worm deactivated itself after a few days, but was designed to reactivate every month
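A detector in the spirit of the LBNL chart above: from the network, 99 threads scanning random addresses look like one source contacting an unusual number of distinct hosts on port 80 in a short time. This is an added Python example, not code from the slides; the log line format and the source, destination and timestamp values are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): host 10.0.0.5 fans out to 30 distinct web
# servers within 30 seconds, host 10.0.0.9 talks to two servers the ordinary way.
SAMPLE_LOG = "\n".join(
    [f"2001-07-19T13:05:{s:02d} src=10.0.0.5 dst=198.51.100.{s} dport=80" for s in range(30)]
    + [
        "2001-07-19T13:05:10 src=10.0.0.9 dst=203.0.113.4 dport=80",
        "2001-07-19T13:05:11 src=10.0.0.9 dst=203.0.113.4 dport=80",
        "2001-07-19T13:05:12 src=10.0.0.9 dst=203.0.113.8 dport=443",
        "2001-07-19T13:06:40 src=10.0.0.5 dst=198.51.100.200 dport=80",
    ]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for every line that matches the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(log_text, port=80, window_s=60, threshold=20):
    """Return {src: peak number of distinct destinations on `port` seen within any
    `window_s`-second sliding window}, keeping only sources at or above `threshold`."""
    events = sorted(e for e in parse(log_text) if e[3] == port)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop connections older than the window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct port-80 destinations within 60 s")
```

Run on a real connection log, the same fan-out count also flags an internal host that is scanning outward, which is the traffic the egress-filtering advice later in the deck would block.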


Code Red: Analytical model

o Simplifying assumptions:
  o No patching
  o No firewalls
  o No churn
o Infection rate is proportional to
  o # hosts already infected
  o # hosts not infected, but susceptible
o Result: Logistic equation

$$\frac{da}{dt} = K\,a\,(1 - a), \qquad a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$

  where a is the infected fraction, K the initial compromise rate, and the (1 − a) factor gives saturation
o Well known for epidemics in finite systems

Improvements: Localized scanning

o Observation: Density of vulnerable hosts in IP address space is not uniform
o Idea: Bias scanning towards local network
o Used in CodeRed II
  o P=0.50: Choose address from local class-A network (/8)
  o P=0.38: Choose address from local class-B network (/16)
  o P=0.12: Choose random address
o Allows worm to spread more quickly


Improvements: Multi-vector

o Idea: Use multiple propagation methods simultaneously
o Example: Morris worm
  o fingerd attack
  o sendmail DEBUG cmd
  o rhosts files
  o Password cracking
o Example: Nimda
  o IIS vulnerability (both server and client!)
  o Autoexec code in Outlook email
  o Windows file sharing
  o Code Red II backdoor

[Chart: Onset of Nimda – HTTP connections/second seen at LBNL (only confirmed Nimda attacks) vs. time (PDT), 18 September 2001; the onset takes about 1/2 hour]


Improvements: Hit-list scanning

o Problem: Spread is slow during initial phase
o Idea: Collect a list of promising targets before worm is released
  o Low-profile ‘stealthy’ scan
  o Distributed scan
  o Spider/crawler
  o Surveys or databases
  o Attacks from other worms
o Low overhead, since list shrinks quickly


Improvements: Permutation scanning

[Diagram: hit-list hosts H0, H1, H2, H3, H4 at their positions in the permutation, with H1 (Restart) continuing from a new random point]

o Problem: Many addresses are scanned multiple times
o Idea: Generate random permutation of all IP addresses, scan in order
o Hit-list hosts start at their own position in the permutation
o When an infected host is found, restart at a random point
o Can be combined with divide-and-conquer approach


Flash worms

o A flash worm would start with a hit list that contains most/all vulnerable hosts
o Realistic scenario:
  o Complete scan takes 2h with an OC-12
  o Internet warfare?
o Problem: Size of the hit list
  o 9 million hosts → 36 MB
  o Compression works: 7.5MB
  o Can be sent over a 256kbps DSL link in 3 seconds
o Extremely fast:
  o Full infection in tens of seconds!


Warhol worms

“In the future, everyone will have 15 minutes of fame” -- Andy Warhol

o Worm using both hit-list and permutation scanning could infect most vulnerable targets in <1 hour
o Simulation: Compare
  o 10 scans/second (Code Red)
  o 100 scans/second
  o 100 scans/second plus 10,000 entry hit list (Warhol worm)

[Chart: Number of Instances vs. Time (hours) for the three simulated settings]
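Worked example of the logistic model from the Code Red analytical model slide, applied to the three settings of the Warhol simulation above (10 scans/s, 100 scans/s, 100 scans/s with a 10,000-entry hit list). This is added Python, not code from the slides or from Staniford et al.; it assumes 360,000 susceptible hosts and that K equals the scan rate times the fraction of the IPv4 space that is vulnerable, neither of which the slides state.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniformly random scanner draws from


def compromise_rate(scans_per_sec, vulnerable_hosts):
    """Initial compromise rate K in 1/hour (an assumption, not from the slides):
    a random scan hits a vulnerable host with probability N / 2^32, so one
    infected node compromises r * N / 2^32 new hosts per second."""
    return scans_per_sec * vulnerable_hosts / ADDRESS_SPACE * 3600.0


def logit(a):
    return math.log(a / (1.0 - a))


def midpoint_time(k, a0):
    """T in a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), chosen so that a(0) = a0.
    Since a(T) = 1/2, T is the hour at which half the susceptible hosts are infected."""
    return -logit(a0) / k


def infected_fraction(t, k, t_mid):
    """Closed-form solution of da/dt = K a (1 - a), written as a sigmoid to avoid overflow."""
    return 1.0 / (1.0 + math.exp(-k * (t - t_mid)))


def time_to_fraction(k, a0, target):
    """Hours from an initial infected fraction a0 until the fraction reaches target."""
    return (logit(target) - logit(a0)) / k


def simulate(k, a0, hours, dt=0.001):
    """Forward-Euler integration of da/dt = K a (1 - a); returns the final infected
    fraction, which agrees with the closed form up to discretisation error."""
    a = a0
    for _ in range(int(hours / dt)):
        a += dt * k * a * (1.0 - a)
    return a


if __name__ == "__main__":
    n = 360_000  # susceptible hosts; constructed, roughly Code Red's 359,000
    for label, rate, seeds in (("Code Red, 10 scans/s", 10, 1),
                               ("100 scans/s", 100, 1),
                               ("100 scans/s + 10,000-entry hit list", 100, 10_000)):
        k = compromise_rate(rate, n)
        hours = time_to_fraction(k, seeds / n, 0.9)
        print(f"{label:36s} K = {k:5.2f}/h, 90% infected after {hours:.2f} h")
```

Under these assumptions the 100 scans/s worm reaches 90% infection ten times faster than Code Red, and the hit list cuts the remaining time by more than half, because it skips the slow initial phase of the curve.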


Surreptitious worms

o Idea: Hide worms in inconspicuous traffic to avoid detection
  o Example: HTTP
o Leverage P2P systems?
  o High node degree
  o Lots of traffic to hide in
  o Proprietary protocols
  o Homogeneous software
  o Immense size (30,000,000 Kazaa downloads!)


Ethical Worms?

What about “ethical” (“white”, good) worms to combat the bad worms?

Pros:
o Install patches more quickly than human or update tool
o Avoid human frailties in patch installation
o Could require opt-in to use

Cons:
o May inflict unintentional damage, especially if buggy
o Some applications require security hole to work
o Often need careful testing after patch installation
o Possible legal action for breaking systems
o Using machine resources without permission is problematic


Worm Defenses

o Anti-virus effective against some worms, but not fast-spreading ones
o Harden systems
  o Install systems with secure configuration
  o Apply patches religiously
  o Track vulnerabilities via Bugtraq and other lists.
o Develop security policies/processes
  o Block arbitrary outbound connections from public machines to limit worm spreading (many orgs. filter incoming connections but neglect outgoing ones).
  o Egress antispoof filters
  o Establish incident response team
o Don’t play with worms!


Skoudis Prediction (2004)

“I strongly believe that a determined hacker will temporarily disable major portions of the Internet in the next five years. Using the worm techniques described throughout this chapter, an attacker could write a worm that disables the Internet for a couple of days. ... I admit, this opinion is controversial, and I’d be happy to be wrong. ... Based on where worms are heading, I frankly think we’re heading for a giant Internet snow day. The only down side of this whole snow storm analogy is that you and I are the folks who drive the snowplows of the computer world.”


Resources

o Daniel Bilar, Worms, CS342 slides, Oct. 17, 2006
o Mark W. Eichin and Jon A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November, 1988. Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy. http://www.mit.edu/people/eichin/virus/main.html
o David Moore and Colleen Shannon, The Spread of the Code Red Worm (CRv2), http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
o Jerome Saltzer, Slammer: An Urgent Wake-up Call, Feb. 1, 2003, http://web.mit.edu/Saltzer/www/publications/Slammer.html
o John Shoch and Jon Hupp, The “Worm” Programs – Early Experience with a Distributed Computation. Communications of the ACM, Mar. 1982. http://www.cs.berkeley.edu/~prabal/resources/osprelim/SH82.pdf
o Ed Skoudis, Malware: Fighting Malicious Code, Prentice Hall, 2004
o Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, 2002. http://www.icir.org/vern/papers/cdc-usenix-sec02/
