Automated Worm Fingerprinting Singh Estan et al Internet
- Slides: 32
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self. Propagating Code [Moore, Shannon et al] David W. Hill CSCI 297 6. 28. 2005
What is a worm? Self-replicating/self-propagating code. Spreads across a network by exploiting flaws in open services. – As opposed to viruses, which require user action to quicken/spread. Not new --- Morris Worm, Nov. 1988 – 6 -10% of all Internet hosts infected Many more since, but none on that scale …. until Code Red
Internet Worm History Xerox PARC, Schoch and Hupp, 1982 Morris Worm <DEC VAX, sendmail, fingerd> 1988 Code Red (V 1, V 2, II) <IIS>, 2001 NIMDA, <various exploits>, 2001 Slammer Worm <SQL>, 2003 Blaster Worm, <DCOM>, 2003 Sasser Worm, <LSASS>, 2004
Code Red V 1 Initial version released July 13, 2001. Exploited known bug in Microsoft IIS Web servers. 1 st through 20 th of each month: spread. 20 th through end of each month: attack. Payload: web site defacement. Spread: via random scanning of 32 -bit IP address space. But: failure to seed random number generator linear growth.
Code Red V 2 Revision released July 19, 2001. Payload: flooding attack on www. whitehouse. gov. But: this time random number generator correctly seeded. Bingo! Resident in memory, reboot clears the infection Web defacement
Code Red V 2 - Spread
Code Red II New worm released August 4, 2001. Intelligent Replication Engine Installed backdoors Used more threads
Life Just Before Slammer
Life Just After Slammer
Worm Detection – Current Methods Network telescoping- passive monitors that monitor unused address space (Downfalls – non-random, only provide IP not signature Honeypots – slow manual analysis Host-based behavioral detection – dynamically analyze anomalous activity, no inference of large scale attack IDS, IPS – Snort – Labor-intensive, Human-mediated
Worm Containment Host Quarantine – IP ACL, router, firewall (blacklist) String-matching containment Connection throttling – Slow the spread
Earlybird – Content Sifting Content in existing worms is invariant Dynamics for worm to spread are atypical The Earlybird system can extract signatures from traffic to detect worms and automatically react
Signatures Worm Signature Content-based blocking [Moore et al. , 2003] Signature for Code. Red II 05: 45: 31. 912454 90. 196. 22. 196. 1716 > 209. 78. 235. 128. 80: . 0: 1460(1460) ack 1 win 8760 (DF) 0 x 0000 4500 05 dc 84 af 4000 6 f 06 5315 5 ac 4 16 c 4 E. . . @. o. S. Z. . . 0 x 0010 d 14 e eb 80 06 b 4 0050 5 e 86 fe 57 440 b 7 c 3 b. N. . . P^. . WD. |; 0 x 0020 5010 2238 6 c 8 f 0000 4745 5420 2 f 64 6566 P. "8 l. . . GET. /def 0 x 0030 6175 6 c 74 2 e 69 6461 3 f 58 5858 ault. ida? XXXXXXX 0 x 0040 5858 5858 XXXXXXXX. . . 0 x 00 e 0 5858 5858 XXXXXXXX 0 x 00 f 0 5858 5858 XXXXXXXX 0 x 0100 5858 Content 5858 Specific XXXXXXXX : A 5858 Payload String To A Worm 0 x 0110 5858 5825 7539 3025 XXXXX%u 9090% 0 x 01 a 0 303 d 6120 4854 5450 2 f 31 2 e 30 0 d 0 a 436 f 0=a. HTTP/1. 0. . Co. Signature
Worm Behavior - Earlybird Content Invariance Content Prevalence Address Dispersion
Earlybird Implementation Each network packet is scanned for invariant content Maintain a count of unique source and destination IPs Sort based on substring count and size of address list will determine worm traffic Use substrings to automatically create signatures to filter the worm
Earlybird Cont.
Earlybird Cont. System consists of sensors and aggregrator Aggregator – pulls data from sensors, activates network or host level blocking, reporting and control
Earlybird – Memory & CPU Memory and CPU cycle constraints Index content table by using a fixed size hash of the packet payload Scaled bitmaps are used to reduce memory consumption on address dispersion counts
Earlybird Cont. Sensor – 1. 6 Ghz AMD Opteron 242, Linux 2. 6 kernel Captures using libpcap Can sift 1 TB of traffic per day and is able to sift 200 Mbps of continuous traffic Cisco router configured for mirroring
Thresholds Content Prevalence = 3 97 percent of signatures repeat two or fewer times
Thresholds Address Dispersion = 30 src and 30 dst Lower dispersion threshold will produce more false positives Garbage collection – several hours
Earlybird False Positives 99% percent of FPs are from SMTP header strings and HTTP user agents whitelist SPAM e-mails – distributed mailers and relays Bit. Torrent file striping creates many-tomany download profile
Earlybird – Issues of Concern SSH, SSL, IPSEC, VPNs Polymorphism IP spoofing source address Packet injection
Earlybird – Current State UCSD Net. Sift Cisco
Internet Quarantine – Requirements for containing self propagated code Prevention – Managing vulnerabilities Treatment – Disinfection tools, patches Containment – Firewalls, content filters, blacklists. How to completely automate?
Modeling Containment Reaction time – time necessary for detection Containment strategy – blacklisting, content filtering Deployment scenario – how many nodes are participating
Blacklisting vs. Content Filtering
Blacklisting vs. Content Filtering - Aggresiveness
Deployment Scenarios
References - The Threat of Internet Worms, Vern Paxson http: //www. icir. org/vern/talks/vp-worms-ucla-Feb 05. pdf -Cooperative Association for Internet Data Analysis (CAIDA) http: //www. caida. org -Autograph, Toward Automated, Distributed Worm Signature Detection. Usenix Security 2004 -Wikipedia, computer worms, hashing. -Code Carrying Proofs, Aytekin Vargun, Rensselaer Polytechnic Institute
Thank You! Discussion…. .
- Raj birk
- Clam dissection clam scienstructable template
- Who ate the cheese?
- "university of leicester"
- Basic and composite ridge characteristics
- Dna fingerprinting minilab answers
- Image fingerprinting
- Dna fingerprinting
- Restriction fragment length polymorphism
- Passive os fingerprinting daemon
- Lausd fingerprinting
- Dhcp fingerprinting
- Bio rad dna fingerprinting
- Conclusion of dna fingerprinting
- Fingerprinting miami dade county public schools
- Astute fingerprinting
- Second principles of fingerprint
- Dna fingerprinting lesson plan
- Golden rice zanichelli
- Vntr vs str in dna fingerprinting
- Os fingerprinting
- First filipino expert on fingerprinting
- Dna fingerprinting minilab answers
- Gcat dna
- Fingerprinting
- What is internet
- Estoy estas estamos están
- Sistema oseo
- Proteinas como estan formadas
- Topicos generativos ejemplos
- Y como estan los ojos del esclavo fijos en las manos
- Futuro perfecto de indicativo
- Les amistats estan fetes de trossets