Active Worms, Buffer Overflows, and BGP Attacks

Active Worms, Buffer Overflow Attacks, and BGP Attacks
CSE 4471: Information Security
Instructor: Adam C. Champion, Ph.D.
Course Coordinator: Prof. Dong Xuan
This lecture uses materials from U. of Washington [15], U. Central Florida [16], Clarkson U. [17], Princeton U. [19], and U. of Pennsylvania [20]. We gratefully acknowledge their contributions.

Outline
• Active Worms
• Buffer Overflow Attacks
• BGP Attacks

Active Worm vs. Virus
• Active Worm
  – A program that propagates itself over a network, reproducing itself as it goes
• Virus
  – A program that searches out other programs and infects them by embedding a copy of itself in them

Active Worm vs. DDoS
• Propagation
  – Active worm: from few hosts to many targets
  – DDoS: from many hosts to few targets
• Relationship
  – Active worm can be used for network reconnaissance, preparation for DDoS

Instances of Active Worms (1)
• Morris Worm (1988) [1]
  – First active worm; took down several thousand UNIX machines on Internet
• Code Red v2 (2001) [2]
  – Targeted, spread via MS Windows IIS servers
  – Launched DDoS attacks on White House, other IP addresses
• Nimda (2001, NetBIOS, UDP) [3]
  – Targeted IIS servers; slowed down Internet traffic
• SQL Slammer (2003, UDP) [4]
  – Targeted MS SQL Server, Desktop Engine
  – Substantially slowed down Internet traffic
• MyDoom (2004–2009, TCP) [5]
  – Fastest spreading email worm (by some estimates)
  – Launched DDoS attacks on SCO Group

Instances of Active Worms (2)
• Jan. 2007: Storm [6]
  – Email attachment downloaded malware
  – Infected machine joined a botnet
• Nov. 2008–Apr. 2009: Conficker [7]
  – Spread via vulnerability in MS Windows servers
  – Also had botnet component
• Jun.–Jul. 2009, Mar.–May 2010: Stuxnet [8–9]
  – Aim: destroy centrifuges at Natanz, Iran nuclear facility
  – “Escaped” into the wild in 2010
• Aug. 2011: Morto [10]
  – Spread via Remote Desktop Protocol
  – OSU Security shut down RDP to all OSU computers

How an Active Worm Spreads
• Autonomous: human interaction unnecessary
[Diagram: infected machine → target machine, in three steps: (1) Scan, (2) Probe, (3) Transfer copy]

Conficker Worm Spread
[Figure: Conficker worm spread, data normalized for each country. Source: [7]]

Scanning Strategies
• Random scanning
  – Probes random addresses in the IP address space (Code Red v2)
• Hitlist scanning
  – Probes addresses from an externally supplied list
• Topological scanning
  – Uses information on compromised host (Email worms, Stuxnet)
• Local subnet scanning
  – Preferentially scans targets that reside on the same subnet (Code Red v2, Nimda)

Techniques for Exploiting Vulnerabilities
• Morris Worm
  – fingerd (buffer overflow)
  – sendmail (bug in “debug mode”)
  – rsh/rexec (guess weak passwords)
• Code Red, Nimda, etc. (buffer overflows)
• Tricking users into opening malicious email attachments

Worm Exploit Techniques
• Case study: Conficker worm
  – Issues malformed RPC (TCP, port 445) to Server service on MS Windows systems
  – Exploits buffer overflow in unpatched systems
  – Worm installs backdoor, bot software invisibly
  – Downloads executable file from server, updates itself
• Workflow: see backup slides (1), (2)

Worm Behavior Modeling (1)
• Propagation model mirrors epidemic:
  – V: total # of vulnerable nodes
  – N: size of address space
  – i(t): percentage of infected nodes among V
  – r: an infected node’s scanning speed

Worm Behavior Modeling (2)
Multiply (*) by V ⋅ dt and collect terms: [equation (*) and its expansion are not reproduced in this text; the slide labels the resulting terms as follows]
• The total number of newly infected nodes
• The total number of scans launched by infected nodes
• The percentage of vulnerable uninfected nodes

Modeling the Conficker Worm
• This model’s predicted worm propagation similar to Conficker’s actual propagation
[Figure: Conficker’s propagation beside the classical simple epidemic model, a(t) against time t]
Sources: [7], Fig. 2; [8], Fig. 4

Text of [8] as reproduced on the slide (the reference numbers inside it are the paper’s own):

Figure 3: Observed Code Red propagation — number of deactivated hosts (from Caida.org)
Figure 4: Classical simple epidemic model (k = 1.8)

In epidemiology area, both stochastic models and deterministic models exist for modeling the spreading of infectious diseases [1, 2, 3, 15]. Stochastic models are suitable for small-scale system with simple virus dynamics; deterministic models are suitable for large-scale system under the assumption of mass action, relying on the law of large number [2]. When we model Internet worms propagation, we consider a large-scale network with thousands to millions of computers. Thus we will only consider and use deterministic models in this paper. In this section, we introduce two classical deterministic epidemic models, which are the bases of our two-factor Internet worm model. We also point out their problems when we try to use them to model Internet worm propagation.

In epidemiology modeling, hosts that are vulnerable to be infected by virus are called susceptible hosts; hosts that have been infected and can infect others are called infectious hosts; hosts that are immune or dead such that they can’t be infected by virus are called removed hosts, no matter whether they have been infected before or not. A host is called an infected host at time t if it has been infected by virus before t, no matter whether it is still infectious or is removed [2] at time t. In this paper, we will use the same terminology for computer worms modeling.

3.1 Classical simple epidemic model

In classical simple epidemic model, each host stays in one of two states: susceptible or infectious. The model assumes that once a host is infected by a virus, it will stay in infectious state forever. Thus state transition of any host can only be: susceptible → infectious [15]. The classical simple epidemic model for a finite population is

$\frac{dJ(t)}{dt} = \beta J(t)\,[N - J(t)],$ (1)

where J(t) is the number of infected hosts at time t; N is the size of population; and β is the infection rate. At beginning, t = 0, J(0) hosts are infectious and the other N − J(0) hosts are all susceptible.

Let a(t) = J(t)/N be the fraction of the population that is infectious at time t. Dividing both sides of (1) by $N^2$ yields the equation used in [31]:

$\frac{da(t)}{dt} = k\,a(t)\,[1 - a(t)],$ (2)

where k = βN. Using the same value k = 1.8 as what used in [31], the dynamic curve of a(t) is plotted in Fig. 4.

Let S(t) = N − J(t) denote the number of susceptible hosts at time t. Replace J(t) in (1) by N − S(t) and we get

$\frac{dS(t)}{dt} = -\beta S(t)\,[N - S(t)].$ (3)

Equation (1) is identical with (3) except for a minus sign. Thus the curve in Fig. 4 will remain the same when we rotate it 180 degrees around the $(t_{half}, 0.5)$ point where $J(t_{half}) = S(t_{half}) = N/2$. Fig. 4 and Eq. (2) show that at the beginning when 1 − a(t) is roughly equal to 1, the number of infectious hosts is nearly exponentially increased. The propagation rate begins to decrease when about 80% of all susceptible hosts have been infected.

Staniford et al. [31] presented a Code Red propagation model based on the data provided by Eichman [18] up to 21:00 UTC July 19th. The model captures the key behavior of the first half part of the Code Red dynamics. It is essentially the classical simple epidemic model (1). We provide, in this paper, a more detailed analysis that accounts for two important factors involved in Code Red spreading. Part of our effort is to explain the evolution of Code Red spreading after the beginning phase of its propagation. Although the classical epidemic model can match the beginning phase of Code Red spreading, it can’t explain the later part of Code Red propagation: during the last five hours from 20:00 to 00:00 UTC, the worm scans kept decreasing (Fig. 1). From the simple epidemic model (Fig. 4), the authors in [31] concluded that Code Red came to saturating around 19:00 UTC — almost all susceptible IIS servers online on July 19th had been infected around that time. The numerical solution of our model in Section 6, however, shows that only about 60% of all susceptible IIS servers online have been infected around 19:00 UTC on July 19th.

3.2 Classical general epidemic model: Kermack-Mckendrick model

In epidemiology area, Kermack-Mckendrick model considers the removal process of infectious hosts [15]. It assumes that during an epidemic of a contagious disease, some infectious hosts either recover or die; once a host recovers from the disease, it will be immune to the disease forever — the hosts are in “removed” state after they recover or die from the disease. Thus each host stays in one of three states at any time: susceptible, infectious, removed. Any host in the

Practical Considerations
• This model assumes machine state: vulnerable → infected
  – In reality, countermeasures slow worm infection
    • Infected machines can be “cleaned” (removed from epidemic)
    • State: vulnerable → infected → removed
  – Attackers may limit, vary worm scan rate
  – Complicates mathematical models
    • Need time-varying parameters for number of removed hosts R(t), worm scan rate r(t)
    • Resulting differential equations are complex, cannot be solved using calculus alone

Summary: Active Worms
• Worms can spread quickly:
  – 359,000 hosts in under 14 hours
• Home / small business hosts play significant role in global internet health
  – No system administrator ⇒ slow response
  – Can’t estimate infected machines by # of unique IP addresses: DHCP effect apparently real, significant
• Active Worm Modeling

Outline
• Active Worms
• Buffer Overflow Attacks
• BGP Attacks
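Before moving on to buffer overflows, here is the worm modeling material of the preceding slides worked numerically: Eq. (2), da/dt = k·a·(1 − a), integrated with Euler steps, and the three-state variant (vulnerable → infected → removed) that the Practical Considerations slide says has no closed-form solution. This is an added example, not code from the lecture or from [8]; the parameter values (k = 1.8 as in [8], a constant removal rate of 0.5, an initial infected fraction of 1e-4) and all function names are constructed for illustration, and the removal and scan rates are held constant where the slide asks for time-varying R(t) and r(t).

```c
/*
 * Added example: numerical integration of the epidemic models used for
 * worm propagation. Not code from the lecture or from the cited paper;
 * all parameter values and names below are constructed.
 */
#include <stdio.h>
#include <stddef.h>

/*
 * Classical simple epidemic model, Eq. (2):  da/dt = k a (1 - a), k = beta*N.
 * Explicit Euler steps of size dt from a(0) = a0; returns a(t).
 */
double simple_epidemic_fraction(double k, double a0, double t, double dt)
{
    double a = a0;
    for (double tau = 0.0; tau < t; tau += dt)
        a += k * a * (1.0 - a) * dt;   /* fraction newly infected in this step */
    return a;
}

/*
 * First time at which a(t) reaches `frac`. The exact solution of Eq. (2) is
 * logistic, so for frac = 0.5 this approaches ln((1 - a0)/a0)/k as dt -> 0
 * (about 5.12 for k = 1.8, a0 = 1e-4).
 */
double simple_epidemic_time_to(double k, double a0, double frac, double dt)
{
    double a = a0, t = 0.0;
    while (a < frac && t < 1.0e6) {    /* bound guards against an unreachable frac */
        a += k * a * (1.0 - a) * dt;
        t += dt;
    }
    return t;
}

/*
 * Three-state model from the Practical Considerations slide:
 *     vulnerable (s) -> infected (i) -> removed (r)
 * Infections occur at rate k*s*i (the same contact term as Eq. (2)); infected
 * hosts are cleaned at a constant per-host rate `gamma` (assumption: the slide
 * calls for time-varying R(t) and r(t), constants keep the example short).
 * Euler steps of size dt up to t_end. Final fractions are written to the
 * optional out-pointers; the return value is the peak infected fraction.
 */
double removal_model(double k, double gamma, double i0, double t_end, double dt,
                     double *s_out, double *i_out, double *r_out)
{
    double s = 1.0 - i0, i = i0, r = 0.0, peak = i0;
    for (double t = 0.0; t < t_end; t += dt) {
        double newly_infected = k * s * i * dt;
        double newly_removed  = gamma * i * dt;
        s -= newly_infected;
        i += newly_infected - newly_removed;
        r += newly_removed;
        if (i > peak)
            peak = i;
    }
    if (s_out) *s_out = s;
    if (i_out) *i_out = i;
    if (r_out) *r_out = r;
    return peak;
}

/* Scalar views of the removal model, convenient for comparison and checks. */
double removal_model_peak(double k, double gamma, double i0, double t_end, double dt)
{
    return removal_model(k, gamma, i0, t_end, dt, NULL, NULL, NULL);
}

double removal_model_final_removed(double k, double gamma, double i0, double t_end, double dt)
{
    double r;
    removal_model(k, gamma, i0, t_end, dt, NULL, NULL, &r);
    return r;
}

double removal_model_final_infected(double k, double gamma, double i0, double t_end, double dt)
{
    double i;
    removal_model(k, gamma, i0, t_end, dt, NULL, &i, NULL);
    return i;
}

int main(void)
{
    const double k = 1.8, a0 = 1e-4, dt = 0.001;   /* constructed values */
    for (double t = 0.0; t <= 20.0; t += 2.0)
        printf("t=%5.1f  simple model a(t)=%.4f\n", t, simple_epidemic_fraction(k, a0, t, dt));
    printf("half the population infected at t=%.2f\n", simple_epidemic_time_to(k, a0, 0.5, dt));
    printf("with removal rate 0.5: peak infected %.3f, ever infected %.3f\n",
           removal_model_peak(k, 0.5, a0, 40.0, dt),
           removal_model_final_removed(k, 0.5, a0, 40.0, dt));
    return 0;
}
```

In the simple model every vulnerable host is eventually infected, which is why a(t) saturates at 1. Adding removal caps the peak well below that and leaves a residual uninfected fraction; this is the effect the slide attributes to cleaning and patching, and the reason the curve of a real outbreak such as Conficker flattens earlier than Eq. (2) alone predicts.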
What is a Buffer Overflow?
• Intent
  – Arbitrary code execution
    • Spawn a remote shell or infect with worm/virus
  – Denial of service
    • Cause software to crash
      – E.g., ping of death attack
• Steps
  – Inject attack code into buffer
  – Overflow return address
  – Redirect control flow to attack code
  – Execute attack code

Attack Possibilities
• Targets
  – Stack, heap, static area
  – Parameter modification (non-pointer data)
    • Change parameters for existing call to exec()
    • Change privilege control variable
• Injected code vs.
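The defect behind the "overflow return address" step on the slide is an unchecked copy into a fixed-size stack buffer. The following is an added example, not code from the lecture: the vulnerable form beside a bounded copy that rejects input which does not fit. NAME_BUF, bounded_copy, bounded_length, greet_unsafe and greet_safe are constructed names for this illustration.

```c
/*
 * Added example for the buffer overflow slides: an unchecked strcpy() into a
 * fixed-size stack buffer, and a bounded replacement. Not lecture code; the
 * buffer size and all names are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_BUF 16   /* constructed: size of the fixed stack buffer */

/*
 * Vulnerable form. strcpy() keeps copying until the NUL terminator of `name`,
 * so a name of NAME_BUF or more characters writes past `buf` into whatever the
 * compiler placed above it on the stack (saved registers, the return address).
 * That is the overflow the slide's "Steps" list builds on. Only call this with
 * short input; it is kept here to show the defect, not to trigger it.
 */
int greet_unsafe(const char *name)
{
    char buf[NAME_BUF];
    strcpy(buf, name);                    /* no length check at all */
    printf("hello, %s\n", buf);
    return (int)strlen(buf);
}

/* Length of `s` up to `limit` bytes, never reading beyond that (like strnlen). */
static size_t bounded_length(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened copy: refuses input that does not fit (terminator included) instead
 * of truncating silently or overflowing. Returns 0 on success, -1 if rejected;
 * on rejection dst holds an empty string so callers never see stale data.
 */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst_size == 0)
        return -1;
    len = bounded_length(src, dst_size);
    if (len >= dst_size) {                /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);            /* len + 1 copies the terminator too */
    return 0;
}

/* Same behaviour as greet_unsafe() for input that fits; -1 for input that does not. */
int greet_safe(const char *name)
{
    char buf[NAME_BUF];
    if (bounded_copy(buf, sizeof buf, name) != 0)
        return -1;                        /* reject rather than overflow */
    printf("hello, %s\n", buf);
    return (int)strlen(buf);
}

int main(void)
{
    greet_safe("Alice");
    if (greet_safe("a name far longer than sixteen characters") < 0)
        puts("rejected over-long name");
    return 0;
}
```

Rejecting over-long input, rather than truncating it, keeps the caller aware that something unexpected arrived, which is what a detection or logging hook would want to see; compiler and runtime hardening (stack canaries, non-executable stacks) only limit what an overflow can do once the unchecked copy has already happened.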
