2. Chao-Hsien Chu College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Worm Forensics Learning by Doing Theory  Practice

3. Virus Structure

4. Compression Virus

5. Virus Classification boot sector – The virus infects a master boot record. file infector – infect executable files. macro virus – Macro code. encrypted virus – the virus was encrypted. stealth virus – The virus hide itself. polymorphic virus – The virus mutates with every infection. metamorphic virus – The virus mutates with every infection. The virus rewrites itself completely at each iteration.

6. Virus Countermeasures prevention - ideal solution but difficult realistically need: –detection –identification –removal if detect but can’t identify or remove, must discard and replace infected program

7. Anti-Virus Software First –generation. Simple scanners which require a virus signature. Second generation. Heuristic scanners. Looking for fragments of code, the beginning of an encryption look, integrity checking. Third generation. Use activity traps to identify virus. Fourth generation. Include scanning, activity traps and access control activities. Generic Decryption (GD) Digital Immune System. IBM, Symantec. Behavior-Blocking Software. Integrated with OS and monitor program behavior in real time.

8. Digital Immune Systems

9. Behavior-Blocking Software

10. Worm Defense - Containment(1) Worm Defense - Containment (1) 1.Quarantine (Signature-based) Blocking traffic from suspected hosts 2.Rate Limiting / Halting Temporal throttling (Williamson 2002) Implemented in XP SP2 “The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.” http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

11. Proactive Worm Containment (PWC) Host-based

12. Worm Defense - Containment(2) Worm Defense - Containment (2) 3.Content Filtering Automatic worm signature generation – “Earlybird” (Singh et al. 2004) For novel worms, assumes that even polymorphic worms must exhibit some amount of byte-level similarity and content prevalence increases during a worm attack 4.Address Randomization Anti-hitlist technique (Antonatos et al. 2005) – hitlist can be made effectively stale using an address change cycle 3-5X longer than the time required to prepare the hitlist

13. Network Based Worm Defense

14. Worm Forensics An aspect of worm forensics is “attribution”: “By attack attribution we mean the ability to determine the true source of attack including logical/physical origins, paths taken by the attacker, the computers used and the persons or organizations involved. There are four levels of useful attack attribution: 1.to the specific hosts involved in the attack 2.to the primary controlling host 3.to the actual human actor 4.to a higher organization with a specific purpose to the attack” From BAA 03-03-FH Sponsor: NSA, Advanced Research and Development Agency

15. Attribution Example Kuraq pays a mercenary named John Smith to run a DDoS Attack against a target. From his home computer in Namibia, John Smith then uses hacker scripts to compromise 15 hosts to act as attack controllers. Each of those attack controllers then breaks into 100 hosts to act as zombies in the attack. Trace to zombies  L1 Trace to controllers  L2 Trace to Smith  L3 Trace to Smith’s relationship with Kuraq  L4 From BAA 03-03-FH Sponsor: NSA, Advanced Research and Development Agency

16. Attribution Levels 1 and 2 Level 1 Attribution – IP Traceback Methods to determine true IP address in the presence of spoofing Various approaches: Messaging – e.g. iTrace – “ICMP traceback”, a new message format identifying a router originating the message Packet Marking – place route information in header extensions or the IP header ID field Level 2 Attribution – Stepping Stones Methods to follow an attack through a series of compromised hosts Content Earliest approach – character frequencies (Staniford-Chen & Huberlein, 1995) Timing Watermarking

17. Worm Forensic Problem The Internet address space consists of 24 addresses. A network telescope monitors the address set {12,13,14,15}. This telescope makes the observations shown for a worm attack. The worm implements random scanning using the following PRNG: Xn+1=a * Xn + b mod m where a=3, b=7 and m=16. Task: Reconstruct the infection sequence and its timing. Assume the following: the telescope was functional prior to t=0 a victim scans once per time tick and starts scanning on the tick following infection using a random initial address. The infection begins with one host Note: the notation X  Y means that address X was observed sending attack traffic to address Y. Telescope Observations: TObservations 09  15 14  13 24  14 3(no observations) 40  12 59  12; 0  15 611  13 (no further monitor information is available beyond t=6)

18. Forensic Case Study: Witty Worm Data Sources: Caida /8 and U Wisconsin /8 Used disassembled Witty worm code to analyze PRNG structure. PRNG state inferred from observed packets One source consistently failed to follow PRNG orbit – Patient Zero (European ISP) Worm Attribution – Kumar et al. ‘05 Exploiting underlying structure for detailed reconstruction of an internet-scale event Kumar, A., Paxson, V., & Weaver, N. (2005)., Internet Measurement Conference (IMC'05).

19. Witty Worm Timeline March 8, 2004: eEye Security discovers a stack overflow vulnerability in the ISS BlackIce/RealSecure IDS products. March 9: ISS releases patch March 18: eEye announces vulnerability March 19: Witty worm is released – 12,000 hosts infected in 75 minutes

20. Witty Worm PRNG Analysis Witty used a 32 bit PRNG If the entire 32 bit output were used to generate one address, reconstruction of PRNG state would be trivial Instead Witty used multiple PRNG cycles to generate 1 address

21. Case Study: Witty Worm Witty Worm pseudocode, from Kumar et al. ‘05

22. Cracking the Witty PRNG State Forensic evidence: The Witty PRNG implementation is flawed: the orbit misses about 10% of the IPv4 address space A single observed packet packet gives 3 partial observations of three consecutive PRNG cycles. PRNG state reconstruction: The top 16 bits of each PRNG cycle are known 2 16 possible lower 16 bits of the first cycle Only some of these will be consistent with the observed upper 16 bits of the second cycle Only one of these will be consistent with the observed upper 16 bits of the third cycle  The full 32 bit state of the first cycle can be determined

23. Cracking the Witty PRNG State Cracking the PRNG state allowed the determination of the uptime of hosts, the number of disk drives of the hosts and host access bandwidth Host uptime data and traceroute data were used to speculate that a hitlist of machines at a U.S. military base were targeted, possibly by an ISS insider with knowledge of the vulnerable code installation Knowledge of the PRNG orbit allowed for the identification of: 404 victims whose addresses were outside the PRNG orbit Implication: possibly hitlist members, or promiscuous scanners 1 victim that did not scan the orbit Implication: possible “patient zero”