CSE 6392 Intrusion Detection Systems
Lecture #9: Computer Virus and Worm
By Dr. Donggang Liu

Outline

• Computer malware: Worm, Virus
• Brief History of Computer Worm & Virus
• Taxonomy of Computer Worm & Virus
• Analysis of Morris Worm
• Defense Against Computer Worm & Virus
  – Address black list
  – Honeypots
  – Content/signature based detection & blocking
  – Containment based on worm spreading anomaly
• Automated Worm Fingerprinting
• Fast Containment of Scanning Worm
• Attachment Chain Tracing

Malicious Software

(figure: taxonomy of malicious programs)

Malicious Program
  – Needs host file: Virus, Trojan horse, Spyware
  – Independent: Worm, Zombie
Self replicate: Virus, Worm

Computer Virus

• What is a computer virus?
  – A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
    • It must execute itself. It will often place its own code in the path of execution of another program.
    • It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.
• A virus is usually embedded in other programs or files
  – Like a virus in biology

Computer Virus (Cont’d)

• Five recognized types of viruses (according to Symantec)
  – File infector viruses
    • These viruses normally infect executable code, such as .com and .exe files
  – Boot sector viruses
    • Boot sector viruses infect the system area of a disk, that is, the boot record on floppy disks and hard disks.
  – Master boot record viruses
    • Master boot record viruses are memory resident viruses that infect disks in the same manner as boot sector viruses.
  – Multi-partite viruses
    • Multi-partite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair.
  – Macro viruses
    • These types of viruses infect data files.

Computer Worm

• What is a computer worm?
  – A computer program that replicates itself from system to system without the use of a host file.
  – This is in contrast to viruses, which require the spreading of an infected host file.
    • Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file.
  – A worm propagates extremely fast
    • It is possible for a worm to infect 90% of the susceptible hosts in minutes
    • A worm has a growth pattern similar to a real-world biological virus.
    • The propagation of a worm fits well with simple epidemiological mathematical models

Computer Worm (Cont’d)

• Notorious worms
  – CodeRed (2001)
    • MS-Windows NT/2000
  – Nimda (2001)
    • MS-Windows 95/98/ME/NT/2000
  – Slammer (2003)
    • MS SQL Server 2000
    • MS Desktop Engine (MSDE) 2000
  – Blaster (2003)
    • MS-Windows NT/2000/XP/Server 2003
  – Mydoom (2004)

Trojan Horse

• What is a Trojan horse?
  – Trojan horses are programs that claim to be something desirable but, in fact, are malicious.
    – Install a back door for hackers
    – Steal sensitive information such as passwords
• Propagation of Trojan horses
  – A Trojan horse does not replicate itself.
  – For a Trojan horse to spread, you must invite these programs onto your computer
    • for example, by opening an email attachment or downloading and running a file from the Internet.
• Trojan horse example
  – PWSteal.Trojan

Spyware

• Spyware
  – Spyware is malicious software that aids in gathering information about a person or organization without their knowledge. It can overload your system and shut down other services.
• Difference between Spyware & Trojan horse?
  – A Trojan horse claims to be something desirable
  – Spyware is usually stealthy in that users do not even know of the existence of the spyware

The Problem of Computer Virus, Worm

• Computer viruses are the "common cold" of modern technology
  – Virus-scanning company MessageLabs said it stopped 9.3 million viruses in 2 billion emails last year, which equated to one virus in every 215 emails.

How Do We Get Infected?!

• Email
• Sharing Floppies & CDs
• Downloading Warez
• Peer To Peer File Sharing (Napster, Kazaa)
• Back Alley Websites
• Instant Messaging
• Just connecting to the Internet

Brief History of Computer Virus and Worm

• First Computer Virus
  – Probably early or mid 80’s
  – DOS virus
• First Computer Worm
  – Morris worm in 1988
  – Targeted BSD Unix
• Now most viruses & worms are on Windows OS
  – Windows OS runs on more than 90% of desktops these days
  – Windows quality

First Computer Worm

• Morris Worm, Nov 2nd, 1988
  – The first worm
  – Robert T. Morris, Jr.
    • 23 years old
    • Cornell grad student
  – Wrote a self-propagating program as a “test concept”
    • Exploited Unix vulnerabilities in sendmail and fingerd
    • Released at MIT
    • Bug in the worm caused it to go wild
  – Probably wouldn’t have caused much damage otherwise!

Morris Worm

• Targeted Sun 3 and VAX workstations running BSD based Unix operating systems
• Infected about 6,000 Unix hosts
  – About 10% of the 60,000 hosts on the Internet
• Reactions
  – People didn’t know what to do, so they panicked
    • Disconnected from the net
    • Unable to receive patches!
  – Morris fined $10k, 3 yrs probation, 400 hrs community service
  – CERT was created

CERT – Computer Emergency Response Team

• Provide technical advice and coordinate responses to security compromises
• Identify trends in intruder activity
• Work with other security experts to identify solutions to security problems
• Disseminate information to the broad community
• Analyze product vulnerabilities
• Publish technical documents
• Present training courses

AIDS Trojan (1989)

• Often called a “virus”
  – A trojan is a program with a “surprise” payload
  – The AIDS trojan was distributed as a way to enable graphics on TTL monitors
  – Payload: erase the hard disk

Tequila (1990)

• First polymorphic virus
  – Polymorphic means “changing form”
  – This was done to defeat virus checkers
• Current status (2004) of polymorphic viruses
  – Well, the current virus toolkits (MPC, VCS, VCL) create code which is still caught by scanners
    • VCL – Virus Creation Laboratory (1992); pull-down menus, selectable payload
  – But it’s possible to make a toolkit which will defeat the scanners – hasn’t been done yet

Michelangelo (1992)

• First virus to get lots of headlines
  – Lives in the MBR (master boot record)
  – Targets MS-DOS machines
  – Transfers to floppies/hard-disks when intermixed
• Note this predates widespread use of the Internet
  – Payload: destroy boot and FAT on March 6th
    • Michelangelo’s birthday

DMV (1995)

• Word Macro virus
  – Macros are sets of executable instructions specific to an application
  – Back in 1995, MS Word was configured out-of-the-box to immediately execute any macros in a Word document
  – This meant that simply opening a document from an email or from the Web was dangerous
• DMV
  – Distributed with the paper “Document Macro Viruses”
  – Harmless (even had dialog boxes)
  – Trying to prove a point
• Other macro viruses possible with Excel, Access, Adobe Acrobat, and more

Back Orifice Trojan (1998)

• Pun on MS Back Office
  – Allows remote access via the Internet of Win 95/98 boxes (BO-2000 runs on Win 2k and NT)
  – Waits for commands starting with “*!*QWTY?”
    • US version used encryption; international could not!
  – Doesn’t show up in the task list
  – Written by cDc (Cult of the Dead Cow) and advertised as a legitimate tool
    • Used by network managers, in fact
  – But has been abused of course
    • Has plug-ins to 0wn your box (view remote screen, download registry, etc)

Melissa (1999)

• Combination Word Macro virus and email virus
  – Sent as an attached doc file
  – Scanned the Outlook address book and sent itself to the first 50 addresses
  – Subject: “Important message from <you>”
  – Body: Here is the document you asked for; don’t show anyone
    • Then attached the most recent doc you had been working on, infected with Melissa
  – Spread VERY rapidly all over the world
• Tons of variants

ILoveYou (2000)

• Clever technology, great social engineering
  – Subject: I love you
  – Body: Kindly check attached love letter from me
    • And the message was from a sender you know!
  – Attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
    • Note the double extension – VBS script
    • If you didn’t have your OS set to show extensions, you’d just see LOVE-LETTER-FOR-YOU.TXT

ILoveYou (cont)

• Was wildly successful
  – Mostly due to human nature: someone loves me
• Has countless variants
  – Joke attached
  – Mother’s Day Gift confirmation
• Now that’s just wrong
  – How to stop the ILoveYou virus

It Gets Worse

• SirCam, Nimda, CodeRed, BadTrans
  – Nimda: Mostly spread via unpatched IIS servers, but also
    – Via email (attached EXE)
    – Browsing dubious web sites with an unsecured browser
    – Using backdoors from other viruses (CodeRed II, eg)
    – Payload: back door access
  – Code Red: still around today!

Code Red I v2 (CRv1), July 13, 2001

• Used an IIS vulnerability to perform website defacement
• “Randomly” scanned for vulnerable IPs
  – Linear spread, since the random number generator seed was fixed
• In early stages, the infection rate was about 1.8 other servers infected per hour
• Hosts with inaccurate clocks kept it alive past July 19

Code Red II, Aug. 4, 2001

• Used the same IIS vulnerability as CRv1 but installed a root backdoor instead
• Fixed random IP generator
• Scan:
  – Class B address space 3/8 probability
  – Class A address space 1/2 probability
  – Whole Internet address space 1/8 probability
• Utilize Topology
  – Emphasize localized spread

Nimda, Sept. 18, 2001

• Multi-vectored worm [relate back to the Morris worm]
  – IIS vulnerability
  – Email (Firewall evasion!)
  – Network shares
  – Infect webpages
  – Scan for Code Red and Sadmind backdoors
• Almost no probing to 100 probes/sec in ½ hour

MS SQL Slammer/Sapphire (January 2003)

• Uses UDP port 1434 to exploit a buffer overflow in MS SQL server
• Effect
  – Generates massive amounts of network packets
  – Brought down as many as 5 of the 13 internet root name servers
• Others
  – The worm only spreads as an in-memory process: it never writes itself to the hard drive
• Solution: close the UDP port on the firewall and reboot

Slammer/Sapphire Worm, January 25, 2003

http://www.caida.org/analysis/security/sapphire/

(figure) From 0 infected hosts to 74855 in 30 minutes

Slammer/Sapphire Worm

http://www.cs.berkeley.edu/~nweaver/sapphire/

• Fastest spreading worm in history
  – Doubled in size every 8.5 seconds
  – Code Red’s population doubled every 37 minutes
  – Over 90% of vulnerable machines compromised in ~10 minutes
• Targeted Microsoft’s SQL Server through a buffer overflow (a patch had been released)
  – Sent UDP packets (376 bytes) to port 1434, so easy to filter
  – Reached over 55 million scans/sec in under 3 minutes

Witty Worm; March 19, 2004

http://www.cs.berkeley.edu/~nweaver/sapphire/

• Used hit-list or timed release of the worm
• Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE)
• Infected 12,000 computers and wrote to random points on disk
• Spread one day after the vulnerability was announced

Flash Worms

• Follow a pre-computed spread tree based on prior knowledge of system vulnerabilities
• Capable of infecting most vulnerable servers in < 30 seconds…
• Need a high bandwidth link
  – 9 million servers were 13 Mb compressed
  – Initial copies of the worm have hit-lists
  – Hit-lists could be divided up into chunks and distributed on known high bandwidth servers

Contagion or Stealth Worms

• Stealthily propagate a worm
  – Web server to clients
  – P2P clients
    • Identical software, anonymity, large files, many clients, less monitoring, less diversity
    • My estimate: Sometimes 1 in 20 hits on software searches result in a detected virus on Kazaa
  – Very difficult to detect since the traffic pattern change is so small

KaZaa

• Fizzer, Lolol, K0wbot, Win32.Mydoom.A
  – Use IRC channels for remote control
  – Download office_crack or rootkitXP for Win32.Mydoom.A
    • Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university hosts)
• Brilliant Digital
  – Trojan bundled in Kazaa
  – http://www.cs.berkeley.edu/~nweaver/0wn2.html

Blaster (August 2003)

• Blaster
  – Exploits a vulnerability in Microsoft's DCOM RPC interface
  – Has been timed to attack a Microsoft security website distributing the patch needed to stop the worm in its tracks before it hits millions of users.

Taxonomy of Computer Worms

• Based on Target Discovery
  – Scanning
  – Pre-generated target list
  – Externally generated target list
    • Use google
  – Internally generated target list
    • Use /etc/hosts to generate a topological worm
  – Passive
    • Gnuman, CRClean
• Based on Propagation Carriers
  – Self-carried
    • Actively spreads itself, fastest!
  – Second channel
    • Blaster
  – Embedded
    • Append to or replace a normal message, stealthy!

Logical Structure of Morris Worm

• Two Parts
  – The main part of the worm
    • 2 linkable, binary modules: sun3.o, vax.o
    • Contain the main body of the worm
      – Finding the next infection target
      – Cracking passwords
      – Exploiting vulnerabilities of the target to gain access
      – etc.
  – Bootstrap (l1.c)
    • C program used to download the binary modules and itself to the newly infected host

Logical Steps of Morris Worm

• Try to obtain a remote Bourne Shell (sh)
  – Rsh/rexec
  – Sendmail debug option
  – Fingerd buffer overflow
• Transfer l1.c over
  – Save it in a file in /usr/tmp
  – Compile & link to generate the bootstrap executable
  – Run the bootstrap executable
• The bootstrap will
  – Connect back to the worm server (the host from which the current host got infected)
  – Download sun3.o, vax.o and l1.c to the current host
  – Become a shell (via execl(“/bin/sh”, sh, 0)) whose input and output are connected to the worm server
    • Now the worm server has direct control of the infected host

Logical Steps of Morris Worm

• The worm server instructs the infected host, via the remote shell, to
  – Link the binary modules to generate the worm executable on the infected host
  – Execute the newly generated worm executable on the infected host
• The worm executable will
  – Find new infection targets
  – Open a random TCP port and listen on it
    • Now the current host becomes a new worm server!
  – Exploit the vulnerabilities of the new targets

Covering Tricks of Morris Worm

• The Morris Worm used a number of techniques to evade detection
  – Erase the argument list after using it
  – Delete the executable file
  – Prevent a core dump from happening
    • Leaves no trace in case of abnormal termination
  – Compiled under the name sh
    • So the process table only shows sh running
  – Periodic refreshing process
    • Every 3 minutes, the worm forks
    • Terminate the parent process
    • Run the child process
  – All constant strings were obscured by XOR’ing with some constant

Facts about Morris Worm

• It attacked SUN and VAX only
  – Fingerd of VAX (fingerd exploits on SUN caused a core dump)
  – Sendmail of SUN
• However, it did NOT try to
  – Gain privileged access (root)
  – Destroy any data
  – Plant any logic or time bombs

Worm Spreading

$$f = \frac{e^{K(t-T)} - 1}{1 + e^{K(t-T)}}$$

• f – fraction of hosts infected
• K – rate at which one host can compromise others
• T – start time of the attack

(figure: plot of f against t, rising from 0 at t = T towards 1)
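The spreading model on this slide carried through in code, as an added example that is not part of the original lecture: it evaluates the slide's f(t), inverts it to give the time at which a chosen fraction of hosts is infected, and fits K and T from two observed infection fractions. The K = 1.8 compromises per host per hour in the demo is the Code Red figure from the CRv1 slide; the observations are constructed from the model itself.

```python
import math


def infected_fraction(t, K, T):
    """Fraction of susceptible hosts infected at time t, as on the slide:
    f = (e^{K(t-T)} - 1) / (1 + e^{K(t-T)}), taken as 0 before the attack starts."""
    if t <= T:
        return 0.0
    x = K * (t - T)
    if x > 700.0:       # exp() would overflow; f is already 1.0 to double precision
        return 1.0
    e = math.exp(x)
    return (e - 1.0) / (1.0 + e)


def _x_of(f):
    """Invert the curve: f = (e^x - 1)/(e^x + 1)  <=>  e^x = (1 + f)/(1 - f)."""
    if not 0.0 <= f < 1.0:
        raise ValueError("f must lie in [0, 1)")
    return math.log((1.0 + f) / (1.0 - f))


def time_to_fraction(p, K, T):
    """Time at which the infected fraction reaches p (e.g. p = 0.9 for the
    '90% of susceptible hosts' figure on the Computer Worm slide)."""
    return T + _x_of(p) / K


def fit_K_T(t1, f1, t2, f2):
    """Estimate K and T from two measurements (t1, f1), (t2, f2) of the
    infected fraction, e.g. distinct scanning sources seen by a network
    telescope divided by the estimated vulnerable population.  Because
    K(t - T) = x(f), two points give K from the slope and T from the intercept."""
    if t2 <= t1 or not 0.0 < f1 < f2 < 1.0:
        raise ValueError("need t1 < t2 and 0 < f1 < f2 < 1")
    x1, x2 = _x_of(f1), _x_of(f2)
    K = (x2 - x1) / (t2 - t1)
    return K, t1 - x1 / K


def infection_table(K, T, t_end, steps):
    """Sample the curve at `steps` equal intervals over [T, t_end]."""
    dt = (t_end - T) / steps
    return [(T + i * dt, infected_fraction(T + i * dt, K, T)) for i in range(steps + 1)]


if __name__ == "__main__":
    # Constructed scenario: K = 1.8 per hour (the CRv1 slide), attack starts at T = 0.
    K, T = 1.8, 0.0
    for t, f in infection_table(K, T, 4.0, 8):
        print(f"t = {t:4.1f} h   infected fraction = {f:.3f}")
    print(f"90% infected after {time_to_fraction(0.9, K, T):.2f} h")
    # Two constructed measurements recover (K, T).
    print(fit_K_T(1.0, infected_fraction(1.0, K, T), 2.0, infected_fraction(2.0, K, T)))
```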

Scanning Techniques

• Localized Scanning
• Hit List Scanning
• Permutation Scanning
• Topological Scanning
• Stealth Worms

How to Spread Faster

• The Warhol worm
  – capable of infecting machines in a matter of minutes…
• Hit-list scanning
  – Faster startup
• Permutation Scanning
  – Limit redundant scans
• Topologically Aware worms

Hit-lists

• Brute-force
• Use your favorite search engine
• DNS search
• Distributed scanning using zombies
• Stealth scan (takes longer but pretty much undetectable)

Permutation Scanning

• Eliminate redundant scanning by partitioning searches
• Start scanning from your point in the permutation
  – If the machine in sequence is infected, randomly choose a new point to scan and increment the counter
  – Else infect the computer and then scan
• Stop scanning when counter == SCAN_LIMIT

Topological Scanning

• Use email addresses
  – MyDoom used Google, Yahoo, Altavista, and Lycos
• Internet cache for URLs
• P2P peers
• Ping results

Current Defences against Virus and Worm

• Detection of Virus and Worm
  – Detect the existence of a virus or worm
    • Before the breakout
    • After the breakout
• Containment/Quarantine
  – Mitigate the negative impact of a virus or worm
    • Compatibility issue
    • Regression test effort
• Automatic Patching
  – How about letting Microsoft automatically update your Windows OS?
• Active Immunization (just like a vaccine in the real world)
  – Anti-worm
  – What else?

Detection of Computer Virus and Worms

• Based on Predefined Attack Signatures
  – Effective against known worms only
  – Attack signatures won’t be available before the attack happens and causes damage
  – Signature updates can be overwhelming
• Challenges
  – What if the worm or virus is polymorphic?
    • Well…
  – Some worms only need minutes to infect all the possible hosts
  – How to generate signatures fast enough to be used for those zero-day worms?
    • Automatic signature generation
  – How to distribute generated signatures quickly?

Containment Strategies

• Address Blacklisting
• Rate limiting
• Honeypots

Email Worms Problem

(source: http://www.sophos.com)

Email worms cause billions of dollars of damage yearly. Nearly all of the most virulent worms of 2004 spread by email:

Detecting Novel Worm Without Signature

• Most antivirus schemes rely on virus signature information for virus detection and control.
• A new virus often causes huge damage before its signature is available.
• Signature based schemes are necessary yet usually too late.

What can we do before the damage is done?

Unknown Viruses Don’t Kill Us All: What Can We Learn?

(figure: real-world epidemiology beside its cyber-world counterpart)

The Real World
  • The modern way: DNA fingerprinting
  • The traditional way: contact tracing
  • Quarantine / isolation
  • Vaccination / cure

The Cyber World
  • The traditional way: virus signature detection
  • ???
  • Signature based policy

Applications of Contact Tracing

• New diseases.
  – no DNA fingerprints available.
• STD disease (such as AIDS).
  – easy to identify contacts.
• Early stages of an epidemic.
  – limited number of virus transmission chains.

Attachment Chain Tracing (ACT)

ACT is a contact tracing based framework for email virus detection and control.

• Detection: ACT traces the contact records of email hosts to look for transmission chains (TC) of viruses.
• Quarantine: A differentiated quarantine policy is used to quarantine hosts of different categories.
• Vaccination: Case category information helps to identify high degree, infective hosts that should be immunized first.

Case Classification: The Principles

• Hosts are classified into different categories according to their infective symptom AND relations (links) with other hosts.
• Infective symptom of fast spreading viruses: sending emails with attachments at rates higher than the threshold.
• Relations:
  – Receivers: who has contacted them makes a difference!
  – Senders: how their contacts affect others matters!

Case classification: The Concepts

• Normal: A host which has no symptom and has no link from other non-normal hosts.
• Suspicious: A host which has the symptom but has no link from any probable host.
• Linked: A host which has no symptom but has links from suspicious hosts.
• Potential: A host which has no symptom but has links from probable hosts.
• Probable: A suspicious host which also belongs to an established transmission chain or has links from other probable hosts.

Case classification: State Transition

(figure: state transition diagram; epidemiological reading: Normal = susceptible, Linked and Potential = exposed, Suspicious and Probable = infective)

• Normal → Linked: suspicious link
• Normal → Potential: probable link
• Normal → Suspicious: infectious symptom
• Linked → Potential: probable link
• Linked → Suspicious: infectious symptom
• Potential → Probable: infectious symptom
• Suspicious → Probable: probable link or established transmission chain

Transmission Chain: The Concepts

• Layers of contact of host i:
  – Primary (layer 1) contacts: Hosts that have links with host i.
  – Secondary (layer 2) contacts: Hosts that have links with the primary contacts of host i.
  – Layer k contacts: Hosts that have links with layer k-1 contacts of host i.
• Transmission chain: A transmission chain with length K is a series of links that connect an index case to the layer K contacts of it. For an index case, a contact trace stack (CTS) is used to keep its layers of contacts.

Differentiated Quarantine Policy

• Soft quarantine:
  – Emails from probable hosts:
  – Emails from potential hosts:
• Blocking/marking quarantine:
  – emails from probable hosts: block.
  – emails from potential hosts: mark.
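The ACT rules of the preceding slides (case concepts, state transitions, transmission chains kept in a contact trace stack, and the blocking/marking quarantine policy) carried through over a small set of email contact records. This is an added example, not the ACT authors' implementation; it assumes that a link from X to Y means X sent Y an email with an attachment, that a transmission chain counts as established once an index case's contact trace stack reaches layer chain_len, and a symptom threshold of more than 3 attachment emails in 60 seconds; the contact records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:          # one email contact record: t is seconds since observation start
    t: float
    sender: str
    receiver: str
    attachment: bool


def symptomatic_hosts(contacts, window, threshold):
    """Infective symptom: more than `threshold` attachment emails sent within
    any `window` seconds (sliding window over each host's sorted send times)."""
    times = defaultdict(list)
    for c in contacts:
        if c.attachment:
            times[c.sender].append(c.t)
    sick = set()
    for host, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                sick.add(host)
                break
    return sick


def attachment_links(contacts):
    """Assumed link definition: X -> Y whenever X sent Y an attachment."""
    out = defaultdict(set)
    for c in contacts:
        if c.attachment:
            out[c.sender].add(c.receiver)
    return out


def contact_trace_stack(index, out, sick, depth):
    """CTS of an index case: layer k = symptomatic receivers of layer k-1 hosts
    not already in an earlier layer (links followed in the sending direction)."""
    layers, seen = [{index}], {index}
    for _ in range(depth):
        nxt = {r for h in layers[-1] for r in out[h] if r in sick and r not in seen}
        if not nxt:
            break
        seen |= nxt
        layers.append(nxt)
    return layers


def classify(contacts, window=60.0, threshold=3, chain_len=2):
    """ACT case classification.  Assumption: a transmission chain is established
    when an index case's CTS reaches layer `chain_len`; every host on it belongs to it."""
    sick = symptomatic_hosts(contacts, window, threshold)
    out = attachment_links(contacts)
    probable = set()
    for i in sick:
        layers = contact_trace_stack(i, out, sick, chain_len)
        if len(layers) > chain_len:
            probable.update(*layers)
    changed = True
    while changed:          # probable link turns a suspicious host probable; iterate to a fixpoint
        changed = False
        for h in sick - probable:
            if any(h in out[p] for p in probable):
                probable.add(h)
                changed = True
    suspicious = sick - probable
    hosts = {c.sender for c in contacts} | {c.receiver for c in contacts}
    state = {}
    for h in hosts:
        if h in probable:
            state[h] = "probable"
        elif h in sick:
            state[h] = "suspicious"
        elif any(h in out[p] for p in probable):
            state[h] = "potential"
        elif any(h in out[s] for s in suspicious):
            state[h] = "linked"
        else:
            state[h] = "normal"
    return state


def quarantine_action(sender_state):
    """Blocking/marking quarantine: block mail from probable hosts, mark mail from potential ones."""
    return {"probable": "block", "potential": "mark"}.get(sender_state, "deliver")


# Constructed contact records (not real traffic): A -> B -> E is a chain of bursting
# senders; X bursts attachments (holiday photos) but is not part of any chain.
SAMPLE = [
    Contact(0, "A", "B", True), Contact(2, "A", "C", True), Contact(4, "A", "D", True),
    Contact(6, "A", "K", True), Contact(8, "A", "M", False),
    Contact(60, "B", "E", True), Contact(62, "B", "F", True), Contact(64, "B", "A", True),
    Contact(66, "B", "C", True), Contact(120, "E", "G", True), Contact(122, "E", "H", True),
    Contact(124, "E", "B", True), Contact(126, "E", "F", True),
    Contact(200, "X", "Y", True), Contact(201, "X", "Z", True), Contact(202, "X", "Y", True),
    Contact(203, "X", "Z", True), Contact(300, "M", "N", False),
]
```

Running `classify(SAMPLE)` puts A, B and E in the probable class, X in suspicious, the receivers of A, B and E in potential, Y and Z in linked, and M and N in normal; `quarantine_action` then maps each sender's class to block, mark or deliver.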

Pros and Cons

• Pros
  – no virus signature needed.
  – light weight.
  – lower false alarm.
  – fully automated detection and quarantine.
  – soft quarantine: flexible, damage free, easy to implement.
• Cons
  – must observe all email traffic.
  – not effective against hit-list attacks.
  – not effective for dense networks.

Decidability Issue on Virus and Worm Detection

• Two important theoretical results
  – Fred Cohen has demonstrated that there is no algorithm that could detect all computer viruses
    • F. Cohen. Computer Viruses: Theory and Experiments. Computers & Security, Vol. 6(1), Pages 22−35, 1987
  – David Chess and Steve White have added the bad news and pointed out that there exist computer viruses that no algorithm can detect
    • D. M. Chess and S. R. White. An Undetectable Computer Virus. In Virus Bulletin Conference 2000. http://www.research.ibm.com/antivirus/SciPapers/VB2000DC.pdf