1. Sigurnost računala i podataka
Mario Čagalj
Sveučilište u Splitu
2013/2014.

2. Malicious Software Internet Security & Worms
by Prasad S. Athawale (University at Buffalo)
Computer Security: Principles and Practice
by William Stallings and Lawrie Brown
Code Red Worm Propagation Modeling and Analysis by Zou et al.
Produced by Mario Čagalj

3. Malicious Software
Programs exploiting computing system vulnerabilities
Known as malicious software or malware
Malware can be divided into two categories
Program fragments that need host program - parasitic malware
E.g. viruses, logic bombs, and backdoors – cannot exist independently of some actual application program, utility or system program
Independent self-contained programs
E.g. worms, bots – can be run directly by the operating system
We differentiate between software threats that
Do not replicate – activated by a trigger (e.g., logic bombs, bot)
Do replicate/propagate itself (e.g., viruses and worms) .

4. Malicious Software Malicious programs Need host program Independent.
Trapdoors
Logic bombs
Trojan horse
Viruses
Worms
Zombie (Bot)
Replicate

5. Malware Terminology (1/3)
Virus: A piece of code that inserts itself into a host program (infects it). It cannot run independently. It requires that its host program be run to activate it.
Worm: A program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
Logic bomb: A program inserted into software by an intruder. It executes on specific condition (trigger). Triggers for logic bombs can include change in a file, by a particular series of keystrokes, or at a specific time or date.
legitimate code
if date is Friday the 13th;
crash_computer();

6. Malware Terminology (2/3)
Trojan horse: Programs that appear to have one (useful) function but actually perform another (malicious) function, without the user’s knowledge.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check. It is a code that recognizes for example some special input sequence of input; programmers can use backdoors legitimately to debug and test programms.
username = read_username();
password = read_password();
if username is “112_h4ck0r”
return ALLOW_LOGIN;
if username and password are valid
return ALLOW_LOGIN
else return DENY_LOGIN

7. Malware Terminology (3/3)
Exploit: Malicious code specific to a single vulnerability.
Keylogger: Captures key strokes on a compromised system.
Rootkit: A set of hacker tools installed on a computer system after the attcker has broken into the system and gained administrator (root-level) access.
Zombie, bot: Program on infected machine activated to launch attacks on other machines.
Spyware: Collects info from a computer and transmits it to another system.

8. Internet Worms

9. Internet Worms Self-replicating program that propagates over Internet
Using – a worm mails a copy of itself to other system
Remote execution capability – a worm executes a copy of itself on a remote system, either using explicit remote execution facility or by exploiting flaw (e.g., buffer overflow) in some net service
Remote login – a worm logs onto a remote system as a user then uses commands to copy itself from one to the remote system

10. Internet Worms Uses/Applications
Launch a DDoS
Access to Sensitive Information
Spread Disinformation
Unknown reasons
Most generally is the need for being recognized and famous (never has it been that it was an accident)

11. Worm Operation Has phases like a virus Dormant phase Propagation phase
Worm is idle, waiting for trigger event (e.g., date, time, program)
Propagation phase
Worm searches for other systems, connects to it, copies self to it and runs (the copy may not be identical – it morphs to avoid detection)
Triggering phase
Worm activated by some trigger event to perform intended function
Execution phase
The intended function is performed
E.g., DDoS attack on a specified target

12. Worm Operation: Propagation Phase
To propagate a worm generally performes the following functions
Search for other systems to infect by examining different repositories of remote system addresses
IP address-space probing to detect vulnerable targets
Note that this active aquisition/seach phase is not present in viruses
Establish a connection with a remote system
Copy itself to the remote system and cause the copy to be run

13. Generalized Worm Propagation Model
In the first stage the infected host searches for vulnerable targets
When the target is found, the infected host tries to deliver malcode to the selected target
Executing the malcode, the target host would be comprimised
Once the system is compromised, some malware can perform additional tasks
Payload refers to those additional tasks by a worm (DoS, install backdoors, self-replicate)
Infected Host
Select Target
Deliver Malcode
Compromise System
Infection Completed
Execute Payload
Payload
Yes No
In the target selecting phase, the malware is trying to
somehow choose a way to propagate malcode. There are three
specific common ways among malwares to choose the target.
1-Generating random IP addresses if the vulnerability for
exploiting, is in an active service on machines. 2-Harvesting
addresses via online profiles or on the local machine. 3-
Through file sharing systems.
When the target is selected, the delivery phase begins. The
aim of this phase is to deliver the malicious code to the target.
This could be done via the following methods: 1-As a payload
associated with buffer overflows, e.g. Blaster, Sasser, Slammer
[12]. 2-Using mail or IM services to send special crafted
message to anonymous users, e.g. MyDoom, NetSky, Sohanad
[12]. 3-Specially crafted HTML page hosted on a web server,
e.g. Nimda [12]. 4-Copying the malicious code into network
share or in share folder of Peer to Peer softwares, and
removable devices, e.g. Krepper, Kley and Sircom [12]. In this
phase some malwares just send some portion of the total worm
and let the worm download the rest of it later, e.g. Sobig.F [12].
Compromising the system requires the malcode to be
executed. The execution of malcode can be occurred using one
of the followings: 1- clients vulnerabilities. 2-user
interventions. 3-Automatic execution. The latter method
happens when the malcode delivery is the result of buffer
overrun vulnerability, e.g. blaster exploits DCOM RPC.
As the system compromised the malware may execute
some payloads. Payloads effects are viable if the malware itself
is removed. For instance, if the malware left a backdoor on the
system, this backdoor may live forever even if the malware is
removed. Installing kernel level rootkits in some cases requires
the operating system to be reinstalled again [17].

14. Actions in Each of the Stages
The target selecting stage
Random IP address probing
Harvesting addresses (e.g., from the address book)
Through file sharing systems
The malcode delivery stage (can send only a part in this stage)
A payload associated with buffer overflows
Using mail of messaging services
Specially crafted HTML pages hosted on a web server
Compromising the system
Execute malcode: vulnerabilites, user intervention, automatic execution
E.g., buffer overflow, backdoors, etc.
Infected Host
Select Target
Deliver Malcode
Compromise System
Infection Completed
Execute Payload
Payload
Yes No

15. Worm Propagation in Real Life

16. Morris Worm (Robert Morris in 1988)
To propagate, worm’s first task was to discover other hosts known to first infected host that would allow entry from this host
Exemained system tables that declare which other machines were trusted by this host, users’ mail forwarding files, remote access control tables, reports from services that reported the status of net connections
For each discovered host, various attacks on UNIX systems
Cracking password file to use login/password to logon to other systems
Exploiting a bug in the finger protocol
Exploiting a bug in sendmail
If any of the three above succeeded have remote shell access
Sent bootstrap program to the compromised machine’s operating system
The bootstrap program called back the parent program and downloaded the reminder of the worm to to copy it over
About 4000 of the Internet’s approximately 60,000 (at that time) hosts were infected within 16 hours of the worm’s deployment

17. Code Red (July 2001)
The Code Red worm spreads via a buffer overflow in the Microsoft Internet Information Server’s (IIS) Indexing Services
Infection begins by issuing HTTP GET command to a vulnerable IIS system
The worm probes random IP addresses to spread to other hosts
During a certain period of time, it only spreads
It then initiates a denial-of-service attack against a government Web site by flooding the site with packets from numerous hosts
Code Red I v2 infected nearly 360,000 servers in 14 hours
Caused problems to infected servers
But more importantly, consumed a significant amount of Internet capacity
Code Red II is a variant that also targets Microsoft IIS
It also installs a backdoor, allowin a hacker to remotely execute commands on victim computers

18. The Spread of Code-Red v2
The Spread of Code-Red v2

19. SQL Slammer (January 2003)
Exploited buffer overflow in Microsoft SQL server
A single short (400 bytes) packet to UDP port 1434 was sufficient
The worm infected more than 90 percent of vulnerable hosts within 10 minutes
Causing significant disruption to financial, transportation, and government institutions and precluding any human-based response
No malicious content, but simply overloaded networks
The worm’s spreading strategy uses random scanning
It randomly selects IP addresses, eventually finding and infecting all susceptible hosts
Slammer spread nearly two orders of magnitude faster than Code Red, yet it infected fewer machines
The fastest computer worm in history (full scanning rate of 55 million scans per second after only 3 minutes)

20. The Spread of SQL Slammer
Faster than Code Red (CR)
Slammer is bandwith-limited (its scanner is only only 400 bytes long, a single UDP packet could exploit the SQL server’s vulnerability)
CR is latency-limited (its scanner does TCP handshake and therefore has to wait to receive SYN/ACK packet from target)
However Slammer’s author made several mistakes in the random number generator (many active IP addresses simply skipped – fewer infections)
Saturate d network with its scans
Code Red v2
Slammer

21. Modelling Propagation of Worms

22. Why Modelling? Worms spread at an exponential rate
E.g., 10M hosts in < 5 minutes
Hard to deal with manual intervention
How to protect our systems? What are possible effects?
To be able to defend against future worms, we need to understand
Worms propagation patterns
The impact of human countermeasures (like patching the computer systems, firewalls, disconnecting devices from the network, etc.) on worm propagation
The impact of network traffic (recall the Slammer worm)

23. Worm Propagation Modelling
Simple Epidemic Model
Uses the time model of Infectious diseases to model Worm propagation
Three possible states – Susceptible, Infected, Quarantined/Removed
“Infectious” hosts: continuously infect others
“Removed” hosts in epidemic area
Recover and immune to the virus
Dead because of the disease
“Removed” hosts in computer area:
Patched computers that are clean and immune to the worm
Computers that are shut down or cut off from worm’s circulation

24. Simple Epidemic Model Assumptions
The population size (#hosts) is large
Any host has equal probability to contact any other hosts in system
Number of contacts is proportional to #infectious X #susceptible
susceptible
infectious
removed
Infectious (I)
Susceptible (S)
contact

25. Classical Simple Epidemic Model
State transition
N - population of hosts
S(t) - susceptible hosts; I(t) - infectious hosts at time t
susceptible
infectious

26. Classical General Epidemic Model (SIR)
susceptible
infectious
removed
State transition
N - population of hosts
S(t) - susceptible hosts
I(t) - infectious hosts
R(t) - removed from infectious at rate γ

27. Are the Two SIR Models Adequate?
The classical and general SIR models are not perfectly suitable as human countermeasures will remove both suceptible and infectious hosts from circulation
Human countermeasures include
Clean and patch: download cleaning program, patches
Filter: put filters on firewalls, gateways
Disconnect computers (as in the case of Code Red worm)
Also, the infection rate  is decreased because of the large amount of scan-traffic (e.g., the SQL Slammer worm)
State transition
susceptible
infectious
removed

28. Two Factor Worm Model
Human countermeasures and decreased infection rate 
N - population of hosts
S(t) - susceptible hosts
I(t) - infectious hosts, J(t)=I(t)+R(t) - infected hosts
R(t) - removed from infectious hosts at rate γ
Q(t) - removal from susceptible at rate μ

29. Two Factor Worm Model
Human countermeasures and decreased infection rate 
β(t)S(t) < γ: the number of removed infectious hosts in
a unit time is greater than the number of newly generated
infectious hosts at the same time

30. Characteristics of Worm Spreading
Worm growth: slow start, fast spread phase, slow decay
Speed-ups with more advanced probing techniques

31. Probing Techniques (Examples)
Random Scanning
Local Subnet Scanning
Routing Worm
Pre-generated Hit List
Topological

32. Probing Techniques: Random Scanning
32 bit number is randomly generated and used as the IP address
Aside: IPv6 worms will be different …
E.g., Slammer and Code Red I
Hits black-holed IP space frequently
Only 28.6% of IP space is allocated
Aside: can track worms by monitoring unused addresses
Honeypots

33. Probing Techniques: Subnet Scanning
Generate last 1, 2, or 3 bytes of IP address randomly
Code Red II and Blaster
Some scans must be completely random to infect the whole Internet

34. Probing Techniques: Routing Worm
BGP information can tell which IP address blocks are allocated
This information is publicly available

35. Probing Techniques: Topological
Uses info on the infected host to find the next target
Morris Worm used /etc/hosts , .rhosts
address books
P2P software usually store info about peers that each host connects to

36. Probing Techniques: Hit List
Hit list of vulnerable machines is sent with payload
Determined before worm launch by scanning
Gives the worm a boost in the slow start phase
Skips the phase that follows the exponential model
Infection rate looks linear in the rapid propagation phase
Can avoid detection by the early detection systems

37. Warhol: Hit List + Permutation Scanning
Infection time estimated to about 15 minutes
Andy Warhol: “In the future, everybody will have 15 minutes of fame.”
Conventional (Code Red-like ) worm capable of 10 scans/second
Fast scanning worm capable of 100 scans/second
Warhol worm capable of 100 scans/second using a 10,000 entry hit-list
No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms – infects Internet in tens of seconds!)

38. Worm Countermeasures

39. How to Mitigate the Worm Threat?
1. Reduce # of susceptible hosts
(prevention)
S(0) = N
 =  / M
probe rate of worm
M total population (e.g. 232 for IPv4)
 “removal” rate
2. Reduce rate of infection
(suppression)
3. Reduce # of infected hosts
(containment)

40. Mitigating the Worm Threat
Prevention
This aims to reduce the size of the vulnerable population
Secure programming, applying software updates, AV protection
Patching
Generally, patches take days to release – only now that relatively reliable distribution networks for patches are springing up
Containment and suppression (the easiest)
Firewalls, Content Filtering, Automated Routing Blacklists, disconnecting infected machines

41. Worm Countermeasures Overlaps with anti-virus techniques
Once worm on system A/V can detect it
Worms also cause significant net activity
Scanning for other targets (scan rates scans/second)
Worm defense approaches include:
Signature-based worm scan filtering
Generates a worm scan signature to prevent worm scans from entering a network/host
Filter-based worm containment
Focuses on a worm content rather than a scan signature
Payload-classification-based worm containment
Packet based checks
Threshold random walk scan detection
Exploits randomness in picking destinations to connect to (to detect scanning)
Rate limiting and rate halting
Limit or block outgoing traffic when a given threshold exceeded (for fast worms)

42. Reaction Time Matters Worm containment mechanisms should be automated
Conventional (Code Red-like ) worm capable of 10 scans/second
Fast scanning worm capable of 100 scans/second
Warhol worm capable of 100 scans/second using a 10,000 entry hit-list
SQL Slammer 30,000 scans/second per machine (on 100 Mbps link)
No human-driven intervention is possible when it comes to Warhol worms (or even more severe flash worms – infects Internet in tens of seconds!)

43. Closing Words
Worms pose an ongoing threat of use in attack on a variety of sites and infrastructures
The SQL Slammer affected ATMs, 911 services, caused cancelled flights, etc.
Worms represent and extremely serious threat to the safety of the Internet
Warhol and flash-like worms can infect/affect the whole Internet in the matter of minutes/seconds
The need for automated response/containment mechanisms
Threat awareness important (reduces sussceptible)
Esspecially for software designers and programmers