1. @Yuan Xue (yuan.xue@vanderbilt.edu) Worm and Botnet Yuan Xue Fall 2013

2. @Yuan Xue (yuan.xue@vanderbilt.edu) Background What is worm? Self-propagating malicious code History Morris worm was one of the first worms distributed over Internet Timeline of notable worms  http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and _worms http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and _worms Examples Code Red – 2001, MS IIS Slammer – 2003, MS SQL Samy (MySpace Worm) – 2005, XSS Two topics System vulnerability Propagation model

3. @Yuan Xue (yuan.xue@vanderbilt.edu) Slammer (Sapphire) Worm When Jan 25 2003 How Exploit Buffer-overflow with MS SQL/MS SQL Server Desktop Engine (known vulnerability, July 2002) Scale At least 74,000 hosts Feature Fast propagation speed (>55million scans per second, two orders of magnitude faster than Code Red worm) No harmful payload Countermeasure Patch Firewall (port blocking)

4. @Yuan Xue (yuan.xue@vanderbilt.edu) Scale The diameter of each circle is a function of the logarithm of the number of infected machines, so large circles visually underrepresent the number of infected cases in order to minimize overlap with adjacent locations

5. @Yuan Xue (yuan.xue@vanderbilt.edu) Details of Slammer Worm SQL server vulnerability The SSRS (SQL Server Resolution Service (SSRS) ) contains a stack buffer overflow that allows an attacker to execute arbitrary code by sending a crafted request to port 1434/udp The code within such a request will be executed by the server host with the privileges of the SQL Server service account. Slammer worm Crafts packets of 376-bytes and send them to a chosen IP addresses on port 1434/udp Random scanning  Randomly select IP addresses If the packet is sent to a vulnerable machine, this victim machine will become infected and will also begin to propagate.

6. @Yuan Xue (yuan.xue@vanderbilt.edu) Buffer Overflow The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region Heap-based buffer overflow stack-based buffer overflow Linux system memory layout Buffer overflow is an anomalous condition where a program writes data beyond the allocated end of a buffer in memory. 1.The program's code and data consisting of the program's instructions and the initialized and uninitialized static and global data 2.Run-time heap (created using malloc/calloc) 3.Users stack. This stack is used whenever a function call is made.

7. @Yuan Xue (yuan.xue@vanderbilt.edu) Buffer Overflow Stack-based buffer overflow An example void function (int a, int b, int c){ char buffer1[5]; char buffer2[10]; } int main(){ function(1,2,3); }

8. @Yuan Xue (yuan.xue@vanderbilt.edu) Buffer Overflow Stack-based buffer overflow Overwrite a function's return address, which in turn can alter the program's execution path void function (char *str) { char buffer[16]; strcpy (buffer, str); } int main () { char *str = "I am greater than 16 bytes"; // length of str = 27 bytes function (str); } Function's return address is the address of the next instruction in memory, which is executed immediately after the function returns.

9. @Yuan Xue (yuan.xue@vanderbilt.edu) Buffer Overflow Stack-based buffer overflow Overwrite a function's return address, which in turn can alter the program's execution path Hacker can spawn a shell (with root permissions) by jumping the execution path to such code. If there is no such code in the program to be exploited  Place the code we are trying to execute in the buffer's overflowing area.  Overwrite the return address so it points back to the buffer and executes the intended code.  Such code can be inserted into the program using environment variables or program input parameters.

10. @Yuan Xue (yuan.xue@vanderbilt.edu) Propagation Model Random Scanning Initially spread exponentially, slows as the worms retry infected or immune addresses Probe rate of Code red worm (a typical random-scanning worm) Probes of Slammer worm from Dshield data set Initially matched random scanning worm Soon slowed down due to bw saturation and network failures

11. @Yuan Xue (yuan.xue@vanderbilt.edu) Why Slammer Was So Fast? Bandwidth constraint vs. delay constraint Slammer 404 bytes (376 payload) UDP based-- bandwidth constraint Code Red 4K bytes TCP based – delay constraint UDP vs. TCP

12. @Yuan Xue (yuan.xue@vanderbilt.edu) Morris Worm (Redux) 1988: No malicious payload, but bogged down infected machines by uncontrolled spawning Infected 10% of all Internet hosts at the time Multiple propagation vectors Remote execution using rsh and cracked passwords  Tried to crack passwords using small dictionary and publicly readable password file; targeted hosts from /etc/hosts.equiv Buffer overflow in fingerd on VAX  Standard stack smashing exploit DEBUG command in Sendmail  In early Sendmail versions, possible to execute a command on a remote machine by sending an SMTP (mail transfer) message Dictionary attack Buffer overflow attack

13. @Yuan Xue (yuan.xue@vanderbilt.edu) Summer of 2001 [from “How to 0wn the Internet in Your Spare Time”] Three major worm outbreaks

14. @Yuan Xue (yuan.xue@vanderbilt.edu) Code Red I July 13, 2001: First worm of the modern era Exploited buffer overflow in Microsoft’s Internet Information Server (IIS) 1 st through 20 th of each month: spread Find new targets by random scan of IP address space  Spawn 99 threads to generate addresses and look for IIS Creator forgot to seed the random number generator, and every copy scanned the same set of addresses 21 st through the end of each month: attack Deface websites

15. @Yuan Xue (yuan.xue@vanderbilt.edu) Usurped Exception Handling In IIS Overflow in a rarely used URL decoding routine A malformed URL is supplied to vulnerable routine… … another routine notices that stack has been smashed and raises an exception. Exception handler is invoked. … the pointer to exception handler is located on stack. It has been overwritten to point to a certain instruction inside the routine that noticed the overflow. … that instruction is CALL EBX. At that moment, EBX is pointing into the overwritten buffer. … the buffer contains the code that finds the worm’s main body on the heap and executes it! [Chien and Szor, “Blended Attacks…”]

16. @Yuan Xue (yuan.xue@vanderbilt.edu) Code Red I v2 July 19, 2001: Same codebase as Code Red I, but fixed the bug in random IP address generation Compromised all vulnerable IIS servers on the Internet Large vulnerable population meant fast worm spread  Scanned address space grew exponentially  350,000 hosts infected in 14 hours!! Payload: distributed packet flooding (denial of service) attack on www.whitehouse.gov Coding bug causes it to die on the 20 th of each month… but if victim’s clock is wrong, resurrects on the 1 st ! Still alive in the wild

17. @Yuan Xue (yuan.xue@vanderbilt.edu) August 4, 2001: Same IIS vulnerability, completely different code, kills Code Red I Known as “Code Red II” because of comment in code Worked only on Windows 2000, crashed NT Scanning algorithm preferred nearby addresses Chose addresses from same class A with probability ½, same class B with probability 3/8, and randomly from the entire Internet with probability 1/8 Payload: installed root backdoor in IIS servers for unrestricted remote access Died by design on October 1, 2001 Code Red II

18. @Yuan Xue (yuan.xue@vanderbilt.edu) September 18, 2001: Multi-modal worm using several propagation vectors Exploit same IIS buffer overflow as Code Red I and II Bulk-email itself as an attachment to email addresses harvested from infected machines Copy itself across open network shares Add exploit code to Web pages on compromised sites to infect visiting browsers Scan for backdoors left by Code Red II Payload: turned-off code deleting all data on hard drives of infected machines Nimda

19. @Yuan Xue (yuan.xue@vanderbilt.edu) Code Red I and II Code Red II dies off as programmed With its predator gone, Code Red I comes back, still exhibiting monthly pattern [Paxson]

20. @Yuan Xue (yuan.xue@vanderbilt.edu) MySpace.com (Samy worm) Users can post HTML on their pages MySpace.com ensures HTML contains no,, onclick, … but can do Javascript within CSS tags: And can hide “javascript” as “java\nscript” With careful javascript hacking: Samy worm infects anyone who visits an infected MySpace page … and adds Samy as a friend. Samy had millions of friends within 24 hours. http://namb.la/popular/tech.html

21. @Yuan Xue (yuan.xue@vanderbilt.edu) How to defend? – Signature-Based Defenses Don’t Help Nimda leaped firewalls Many firewalls pass mail untouched, relying on mail servers to filter out infections Most filters simply scan attachments for signatures (code snippets) of known viruses and worms Nimda was a brand-new infection with unknown signature, and scanners could not detect it Big challenge: detection of zero-day attacks When a worm first appears in the wild, signature is not extracted until minutes or hours later

22. @Yuan Xue (yuan.xue@vanderbilt.edu) How to Defend? Buffer Overflow Write secure code  Use of safe libraries Compiler tools  Choice of programming language Dynamic run-time checks  Executable space protection  Stack-smashing protection Worm Patch  MS has released the patch before the worm attack happens Firewall IDS  Deep packet inspection Architecture  Address space layout randomization

23. @Yuan Xue (yuan.xue@vanderbilt.edu) Santy Written in Perl, exploits a bug in phpBB bulletin board system (prior to version 2.0.11) Allows injection of arbitrary code into Web server running phpBB Uses Google to find sites running phpBB Once injected, downloads actual worm code from a central site, asks Google for more targets and connects infected machine to an IRC botnet Multiple variants of the same worm Polymorphism: actual Perl code changes from infection to infection, so filtering worm traffic is difficult! [Provos et al.]

24. @Yuan Xue (yuan.xue@vanderbilt.edu) Evading Anomaly Detection Google will refuse worm-generated queries Different Santy variants generate different search terms or take them from an IRC botmaster Google’s solution: if an IP address generates a lot of “rare” queries, ask it to solve a CAPTCHA Exploit the fact that different infections of the same worm must use different queries (why?) [Provos et al.]

25. @Yuan Xue (yuan.xue@vanderbilt.edu) Index-Based Filtering Idea: if worm relies on search results to spread, don’t provide vulnerable targets in search results During crawl phase, tag all pages that seem to contain vulnerable software or sensitive information such as email addresses Can’t drop them from the index because they may contain information useful to legitimate searchers Do not return the result of a query if it contains (a) pages from many hosts, and (b) high percentage of them are tagged as vulnerable What are the limitations of this approach? [Provos et al.]

26. @Yuan Xue (yuan.xue@vanderbilt.edu) Botnets Botnet is a network of autonomous programs capable of acting on instructions Typically a large (up to several hundred thousand) group of remotely controlled “zombie” systems  Machine owners are not aware they have been compromised Controlled and upgraded via IRC or P2P Used as a platform for various attacks Distributed denial of service Spam and click fraud Launching pad for new exploits/worms

27. @Yuan Xue (yuan.xue@vanderbilt.edu) Bot History Eggdrop (1993): early IRC bot DDoS bots (late 90s): Trin00, TFN, Stacheldracht RATs (late 90s): “Remote Administration Trojans” Variants of Back Orifice and NetBus, SubSeven, Bionet Related to rootkits Modern bots: Agobot (PhatBot, SDBot), GTBot Active spreading, multiple propagation vectors  Combines characteristics of a worm and a trojan  Many mutations and morphs of the same codebase Remotely controlled (typically via IRC) Stormbot and Conficker (2007-2009)

28. @Yuan Xue (yuan.xue@vanderbilt.edu) Typical Infection Path Exploit a vulnerability to execute a short program (shellcode) on victim’s machine Buffer overflows, email viruses, etc. Shellcode downloads and installs actual bot Bot disables firewall and antivirus software Bot locates IRC server, connects, joins channel Typically need DNS to find out server’s IP address  Especially if server’s original IP address has been blacklisted Authentication password often stored in bot binary Botmaster issues authenticated commands

29. @Yuan Xue (yuan.xue@vanderbilt.edu)... /connect jade.va.us.dal.net /join #hacker... Win XP... /connect jade.va.us.dal.net /join #hacker... Win XP... /connect jade.va.us.dal.net /join #hacker... Win XP jade.va.dal.net Joining the IRC Channel

30. @Yuan Xue (yuan.xue@vanderbilt.edu) (12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646 (12:59:27pm) (@Attacker).ddos.synflood 216.209.82.62 (12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95- 81.introweb.nl) has joined (#owned) Users : 1647 (12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer) (12:59:28pm) (@Attacker).scan.enable DCOM (12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650 Command and Control

31. @Yuan Xue (yuan.xue@vanderbilt.edu) Botnet Propagation Each bot can scan IP space for new victims Automatically  Each bot contains hard-coded list of IRC servers’ DNS names  As infection is spreading, IRC servers and channels that the new bots are looking for are often no longer reachable On-command: target specific /8 or /16 prefixes  Botmasters share information about prefixes to avoid Evidence of botnet-on-botnet warfare DoS server by multiple IRC connections (“cloning”) Active botnet management Detect non-responding bots, identify “superbots” [Abu Rajab et al.]

32. @Yuan Xue (yuan.xue@vanderbilt.edu) Rise of Botnets 2003: 800-900,000 infected hosts, up to 100K nodes per botnet 2006: 5 million distinct bots, but smaller botnets Thousands rather than 100s of thousands per botnet Reasons: evasion, economics, ease of management More bandwidth (1 Mbps and more per host) For-profit criminal activity (not just mischief) Spread spam Extort money by threatening/unleashing DoS attacks Move to P2P control structures (rather than IRC)

33. @Yuan Xue (yuan.xue@vanderbilt.edu) Denial of Service (DoS) Redux Goal: overwhelm victim machine and deny service to its legitimate clients DoS often exploits networking protocols Smurf: ICMP echo request to broadcast address with spoofed victim’s address as source Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows SYN flood: “open TCP connection” request from a spoofed address UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

34. @Yuan Xue (yuan.xue@vanderbilt.edu) Distributed Denial of Service (DDoS) Build a botnet of zombies Multi-layer architecture: use some of the zombies as “masters” to control other zombies Command zombies to stage a coordinated attack on the victim Does not require spoofing (why?) Even in the case of SYN flood, SYN cookies don’t help (why?) Overwhelm victim with traffic arriving from thousands of different sources

35. @Yuan Xue (yuan.xue@vanderbilt.edu) DDoS Architecture Victim Attacker Master machines Zombie machines

36. @Yuan Xue (yuan.xue@vanderbilt.edu) Scan for known buffer overflows in Linux & Solaris Unpatched versions of wu-ftpd, statd, amd, … Root shell on compromised host returns confirmation Install attack daemon using remote shell access Send commands (victim IP, attack parameters), using plaintext passwords for authentication Attacker to master: TCP, master to zombie: UDP To avoid detection, daemon issues warning if someone connects when master is already authenticated August 1999: a network of 227 Trin00 zombies took U. of Minnesota offline for 3 days Trin00

37. @Yuan Xue (yuan.xue@vanderbilt.edu) Supports multiple DoS attack types Smurf; ICMP, SYN, UDP floods Attacker runs masters directly via root backdoor; masters talk to zombies using ICMP echo reply No authentication of master’s commands, but commands are encoded as 16-bit binary numbers inside ICMP packets to prevent accidental triggering Vulnerable to connection hijacking and RST sniping List of zombie daemons’ IP addresses is encrypted in later versions of TFN master scripts Protects identities of zombies if master is discovered Tribal Flood Network

38. @Yuan Xue (yuan.xue@vanderbilt.edu) Combines “best” features of Trin00 and TFN Multiple attack types (like TFN) Symmetric encryption for attacker-master connections Master daemons can be upgraded on demand February 2000: crippled Yahoo, eBay, Amazon, Schwab, E*Trade, CNN, Buy.com, ZDNet Smurf-like reflection attack on Yahoo consumed more than a Gigabit/sec of bandwidth Sources of attack still unknown Stacheldraht

39. @Yuan Xue (yuan.xue@vanderbilt.edu) Reference Worm A Taxonomy of Computer Worms A Taxonomy of Computer Worms en.wikipedia.org/wiki/Computer_worm Slammer Worm http://www.microsoft.com/sql/prodinfo/previousversions/ letter.mspx http://www.microsoft.com/sql/prodinfo/previousversions/ letter.mspx http://www.cert.org/advisories/CA-2003-04.html Inside the Slammer Worm, IEEE S&P 2003 Network Telescope http://en.wikipedia.org/wiki/Network_telescope http://www.caida.org/research/security/telescope/