1. Internet Security & Worms Prasad S. Athawale Department of Computer Science, University at Buffalo State University of New York, Buffalo

2. Outline Security Overview Intent History Worms Vs Viruses Worm Modelling Simulation techniques Results/Deductions Future of Worms Possible Research Work

3. Internet Security Covers a broad range of issues – from Data Integrity to Availability Attack types Denial of Service Viruses/Worms Snooping/Sniffing etc

4. Intent The primary intent of this presentation is to explore the world of Internet Worms, in particular look at current research areas, their propagation mechanisms etc and defense measure if any

5. History Morris Worm 2 November 1988 Exploited flaws in fingerd and sendmail Password guessing /etc/passwd file Trusted Hosts The Internet Worm Incident Technical Report CSD-TR-933* Eugene H. Spafford Department of Computer Sciences Purdue University

6. Definition Worms: Programs that self- propagate across the internet by exploiting security flaws in widely used services 1 John Bruner in his novel The Shockwave Rider coined the term worm How to Own the Internet in your Spare Time Stuart Staniford, Vern Paxson, Nicholas Weaver

7. Worms Vs Viruses A Virus is a malicious program that spreads using a propagation technique that generally requires user intervention, and always possess a malicious intent A worm on the other hand, has ability to self-propagate, and may or may not have malicious intent

8. Requirements!!! Autonomy Replicability Reconnaissance Capabilities Attack Capabilities Worms as Attack Vectors: Theory, Threats, and Defenses Matthew Todd, Ph.D. January 31, 2003

9. Intended Uses/Applications ? Launch a D-DoS Access to Sensitive Information Spread Disinformation Unknown reasons

10. Mechanism? Target Selection Exploit Propagation Mechanism Deployment Tactics Defensive Measures ?

11. Mechanism of Operation Worm Propagation and Countermeasures – GSEC Practical – Glenn Gebhart – SANS Institute

12. Spread of a Worm Red Dots indicate the infected machines Bottom left corner number of infected hosts

13. …… Display Propagation Speed

14. Why Study Worms ? Capable of severely hampering the working of the internet To unable us to build better defense systems To unable possible good application The worst is yet to come! Applications of a self propagating piece of code – capable of reaching everywhere really fast ?

15. Current research Focus Modelling Scanning Techniques Propagation Mechanisms Prevention Techniques ?

16. Modelling Simple Epidemic Model Uses the time tested model of Infectious diseases to model Worm propagation Three possible states – Susceptible, Infected, Quarantined/Removed

17. Simple Epidemic Model infectious hosts: continuously infect others. removed hosts in epidemic area: Recover and immune to the virus. Dead because of the disease. removed hosts in computer area: Patched computers that are clean and immune to the worm. Computers that are shut down or cut off from worms circulation. susceptible infectious removed Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou

18. Epidemic modeling introduction Homogeneous assumption: Any host has the equal probability to contact any other hosts in the system. Number of contacts I S Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou

19. Modelling an Internet Worm Simple Epidemic Model I(t)= Number of Infectious Hosts at time t S(t)= Number of Susceptible Hosts at time t N= number of hosts in the system β = pair wise infection rate α = worms infection rate (average number of probes sent out by an infected host per unit time) Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff Changchun Zou, Weibo Gong, Don Towsley

20. Deterministic epidemic models Simple epidemic model State transition: N: population; S(t): susceptible hosts; I(t): infectious hosts dI(t)/dt = S(t) I(t) S(t) + I(t) = N I(t) S(t) symmetric Problems: Constant infection rate No removed state. susceptible infectious t I(t) Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou

21. Modelling an Internet Worm General Epidemic Model Kermack-McKendrick Epidemic Model U(t) = number of previously removed ones at time t gamma = removal rate of infected hosts ρ = epidemic threshold Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff Changchun Zou, Weibo Gong, Don Towsley Epidemic threshold theorem – major outbreak occurs if S(0) > ρ

22. Deterministic epidemic models Kermack- McKendrick epidemic model State transition: R(t): removed from infectious; removal rate dI(t)/dt = S(t) I(t) – dR(t)/dt dR(t)/dt = I(t); S(t) + I(t) + R(t) = N Epidemic threshold: No outbreak if S(0) < / Major Out Break if S(0)> / Problems: Constant infection rate susceptible infectious removed I(t) t susceptible removed Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou No

23. Consider human countermeasures Human countermeasures: Clean and patch: download cleaning program, patches. Filter: put filters on firewalls, gateways. Disconnect computers. Reasons for: Suppress most new viruses/worms from outbreak. Eliminate virulent viruses/worms eventually. Removal of both susceptible and infectious hosts. susceptible infectious removed Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou ?

24. Consider human countermeasures Model (extended from KM model): Q(t): removal from susceptible hosts. R(t): removal from infectious hosts. I(t): infectious hosts. J(t) I(t)+R(t): Number of infected hosts hosts that have ever been infected dS(t)/dt = S(t) I(t) - dQ(t)/dt dR(t)/dt = I(t) dQ(t)/dt = S(t)J(t) S(t) + I(t) + R(t) + Q(t) = N Code Red Worm Propagation Modeling and AnalysisCode Red Worm Propagation Modeling and Analysis – Cliff Zou Beta is still considered Constant

25. Two-factor worm model Worm may cause congestion: Huge number of scan packets with unused IP addresses. Routing table cache misses. ( about 30% of IP space is used) Generation of ICMP (router error) in case of invalid IP. Effect: slowing down of worm propagation rate: (t) Two-factor worm model: dS(t)/dt = -(t)S(t)I(t) - dQ(t)/dt dR(t)/dt = I(t) dQ(t)/dt = S(t)J(t) (t) = 0 [ 1 - I(t)/N ] S(t) + I(t) + R(t) + Q(t) = N is used to adjust the level of congestion in the network

26. Modelling an Internet Worm Random Scanning Worm Model K=initial compromise rate α = proportion of vulnerable machines compromised t=time N=total number of vulnerable hosts T=constant of integration – which fixes time of incident How to Own the Internet in your Spare Time Stuart Staniford, Vern Paxson, Nicholas Weaver Logistic Equation- governs the rate of growth of epidemics in finite systems

27. Inferences For early t, alpha grows exponentially For large t, alpha approaches 1(all vulnerable hosts compromised) Rate of this happening is dependent on the rate of infection, and not on number of machines on the internet Thus for a Random Scanning Worm, what matters is the rate of scanning and not the IP address space!!

28. Perfect Worm ? A perfect worm would have: All vulnerable hosts known No dual scanning Immediate infection Using Code Red parameters, N=360000,initially infected = 10 and scan rate of 358/min Time Taken = 1.758 seconds!! On the Performance of Internet Worm Scanning Strategies Cliff Changchun Zou., Don Towsley, Weibo Gong..Department of Electrical & Computer Engineering Department of Computer Science Univ. Massachusetts, Amherst

29. Perfect Worm – with delay

30. Law of Large Numbers The Law of Large Numbers says that in repeated, independent trials with the same probability p of success in each trial, the chance that the percentage of successes differs from the probability p by more than a fixed positive amount, e > 0, converges to zero as the number of trials n goes to infinity, for every positive e.Law of Large Numbers Note two things: The difference between the number of successes and the number of trials times the chance of success in each trial (the expected number of successes) tends to grow as the number of trials increases. (In fact, this difference tends to grow like the square-root of the number of trials.) Although the chance of a large difference between the percentage of successes and the chance of success gets smaller and smaller as n grows, nothing prevents the difference from being large in some sequences of trials. The assumption that this difference always tends to zero, as opposed to this difference having a large probability of being arbitrarily close to zero, is the difference between the Law of Large Numbers, which is a mathematical theorem, and the Empirical Law of Averages, which is an assumption about how the world works that lies at the base of the Frequency Theory of probability.Law of Large NumbersEmpirical Law of Averages Frequency Theory http://stat-www.berkeley.edu/~stark/Java/lln.htm

31. Scanning Techniques Hit-List Based Scanning Stealthy Scans – using nmap ? Distributed Scanning – multiple attackers ? DNS Searches Spiders Just Listen!

32. Scanning Techniques Sequential Scanning Hit List Based Scanning Permutation Scanning Preferential Subnet Scanning

33. Co-ordinated Permutation Scanning Assumption – A copy of the worm can detect whether a given host is infected Common permutation of IP address space known to all worms Any machine starts scanning just after its point of infection. If an infected host is found, there onwards random point scanning Self –Coordinating', as minimizing duplication of effort Number of such infected hosts – stops scanning assuming infection complete Partitioned Scanning – Initially responsible for some set – divides and hands over to child worm

34. Subnet Scanning Cross Network Scanning is too noisy Can create congestion killing own spread Use different probabilities to target IPs in own subnets e.g. Code Red own class B 3/8, class A ½, others 1/8 – Code Red, Nimda

35. Defense Mechanisms La Brea Tarpit – We can actually do something about it! Hold Connection Attempts from a Infected Computer A byte stream flow of only 1215 bytes/hour is sufficient to keep the connection alive

36. Defense Mechanisms LaBrea can be defeated using asynchronous mode Dependent on per host throttling – each host restricts the rate at which a host can connect to new hosts – universal deployment may reduce scanning speed by an order of magnitude

37. Defense Mechanism Automatically detecting infected hosts and using firewall filters to contain spread Practical Application Ciscos NBAR – Network Based Application Recognition Ability to block particular TCP streams active on a router based on signature recognition

38. Defense: Internet Quarantine Prevention This aims to reduce the size of the vulnerable population Treatment Generally patches take days to release – only now that relatively reliable distribution networks for patches are springing up Containment Firewalls, Content Filtering, Automated Routing Blacklists Intervention ?

39. Code Red Propagation Address Blacklisting

40. Code Red Propagation Content Filtering

41. Address Blacklisting Generalized Worm Containment

42. Content Filtering

43. Containment Results Not possible to limit infection to less than 18% of the vulnerable hosts for sufficiently aggressive worms (100 scans/second) Used scenarios: Top 100 ISPs and 50% home users – for address blacklisting Reason: 99.7% paths blocked but there still exist alternate paths for propagation – works even when reaction time reduced to 0!

44. Dynamic Quarantine Based on Methods used in Epidemic Control – Assume guilty till proven innocent Non-Intrusive : Block certain ports for a short time, automatic release Able to reduce/control the propagation speed Assumption : System is assumed homogeneous and contact rate is constant

45. Defense Mechanisms A lot of researchers have researched this area – Staniford, Kephart and White, Wang Epidemiological analysis of Computer Viruses – suggested that it can be contained but only till the infection rate doesnt exceed a critical threshold

46. Stochastic Process In the mathematics of probability, a stochastic process is a random function. In practical applications, the domain over which the function is defined is a time interval (a stochastic process of this kind is called a time series in applications) or a region of space (a stochastic process being called a random field). Familiar examples of time series include stock market and exchange rate fluctuations, signals such as speech, audio and video; medical data such as a patient's EKG, EEG, blood pressure or temperature; and random movement such as Brownian motion or random walks. Examples of random fields include static images, random topographies (landscapes), or composition variations of an inhomogeneous material.mathematicsprobabilitystochastic processrandomfunction time seriesrandom fieldstock marketexchange rateBrownian motionrandom walks http://en.wikipedia.org/wiki/Stochastic_process

47. Containment Automated mechanisms required Content Filtering works the best Blocking Point – At Core ISPs

48. Defense: Active Worm Detection Uses ICMP Destination Unreachable Messages Collection Point for all ICMP-T3 packets Correlator – identify threshold crossing occurrences ICMP T3 copy generated for collector by router

49. Multiple Cases One IP to Many IPs on port p Many IPs to 1 IP on port p One IP to other IP on number of ports p Many IPs to 1 IP on a number of ports If instances of such activity exceed threshold N, an alert is generated 4-6 alerts have shown good response Defense: Active Worm Detection

50. Active Vs Passive Passive – Prevent spreading of Worms by blocking Worm Traffic Active – Proactive approach by patching vulnerable systems or quickly removing infected systems

51. Comparison of Active and Passive Mechanisms Content Filtering defense mechanism limits infections Address filtering defense requires near perfect deployment Content Filtering mechanism deployed in the top 30 most connected ASes can outperform active defense Active defense worms might have to be pre-deployed in the network to be activated as required

52. Force Multipliers!! Multiple Attack Capabilities Defense Command Interface Polymorphism Worms as Attack Vectors: Theory, Threats, and Defenses Matthew Todd, Ph.D. January 31, 2003

53. Upgrade Modular Design Multiple vulnerabilities pre-identified Subsequent 0 day exploits could be released Signature Alteration (Polymorphism)

54. Communication Channels Drop-Box Concept E-Mail IRC Specific channels on IRC KaZaa File shares Covert Channels ?

55. Communication Channels Encrypted channels Public Key, Simple XOR ? Encrypted data might draw attention – simple XOR might help protect entropy Distributed Hash Tables Principle used by software like Kazaa to determine location of files etc

56. Curious Yellow Vs Curious Blue Curious Yellow – a high co- ordination worm – uses techniques for fast propagation, and distributed control Curious Blue to counter it – with distribution of patches carried out in a similar manner Since both accept updates – can be easily

57. Proposed Conceptual Worms Flash Warhol BGP Curious Yellow

58. Flash Worms Closest thing to a perfect worm IP addresses of all vulnerable hosts known beforehand Scanning space reduced 99% hosts infected in 2.53 seconds assuming no delay Tremendous speed of infection – no time for human intervention

59. Warhol Worm Uses combination of Hit-List & Permutation Scanning This combination improves initial speed – quickly achieving a set base & permutation scanning keeps the worms infection rate high for longer period Provides a very practical design of a worm – and achieves 99% infection in around 15mins

60. BGP Routing Worm Based on BGP Routing Tables Freely Available on the Internet Geographical Information – ISP,AS, company, country etc. Reduce the scanning space to 28.6% of all IP space Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou., Don Towsley, Weibo Gong., Songlin Cai.,.Department of Electrical & Computer Engineering Department of Computer Science, Univ. Massachusetts, Amherst

61. Contagion Slowly spreading worm to avoid detection P2P based High Bandwidth traffic usual – not detected One client/server program may dominate e.g. KaZaa Not strictly a worm – but can be used to support a worm! Potential ? - A University 9 million distinct IPs in one month!

62. Takeaway Stealth would play a major role in the next generation of Worms Bandwidth, Network Capacity, Widespread use of Computers & a predominantly Ignorant User Community are a given, and these would be exploited to the maximum Proactive defense mechanisms rather than observing mechanisms – Observe periphery of ones network ? For Content Based Systems – Ability to identify signatures at an early stage Espionage, Rivalry & Enemity + Non-cooperative Govts/Corporations Design to Security has to be the additional component along with Reliability, Scalability and Availability

63. References Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense Cliff Changchun Zou, Weibo Gong, Don Towsley, Univ. Massachusetts Amherst, MA On the Performance of Internet Worm Scanning Strategies Cliff Changchun Zou., Don Towsley, Weibo Gong. Univ. Massachusetts, Amherst Modelling the Spread of Active Worm Zesheng Chen (Georgia Tect), Lixin Gai(U Mass), Kevin Kwiat (AFRL) Slowing down Internet Worms Shigang Chen, Yong Tang (UFL, Gainsville) Comparing Active and Passive Worm Defenses Michael Liljenstam David M. Nicol (UIUC, Urbana Champaigne) Internet Qurantine:Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage, UCSD Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou., Don Towsley, Weibo Gong., Songlin Cai Univ. Massachusetts, Amherst Worms as Attack Vectors: Theory, Threats, and Defenses A Practical Assignment, submitted in partial requirement for GSEC certification (GIAC Security Essentials Certification Matthew Todd, Ph.D. "I don't think I really love you or writing internet worms for fun and profit (C) 1998-2000 Michal Zalewski The Internet Worm Incident Technical Report CSD-TR-933* Eugene H. Spafford Purdue University How to Own the Internet in your Spare Time Stuart Staniford (Silicon Defense), Vern Paxson (ICSI Center for Internet Research), Nicholas Weaver (UC Berkeley) The Future of Internet Worms Jose Nazario, with Jeremy Anderson, Rick Wash and Chris Connelly Crimelabs research Curious Yellow: The first coordinated Worm Design By Brandon Wiley