The Future of Internet Worms
Jose Nazario
Crimelabs Research
Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms”
Disclaimer
• Will not build
• Intrusion detection

Overview
• Introduction
• Six Components
• Problems in Current Worm Paradigms
• Evolution of Worm Networks
• Detection Strategies
• Conclusions

Worms Defined
• Automated intrusion agents
• Infect one host, launch, infect again
• Self propelled
  • viruses require carrier programs

Worms in History
• Morris worm
• Persistent Windows worms
• Rise of Linux worms (2000 …)
• Examples: Win32.Bremer, Ramen, sadmind/IIS

Why Worms?
• Ease
  • write and launch once
  • many acquisitions
  • continually working
• Pervasiveness
  • weeds out weakest targets
  • penetrates difficult networks

Two Futures
• Small increases
  • better rootkits
  • encryption
  • increased attack capabilities
• Paradigm shift

Six Components of Worms
• Reconnaissance
• Specific Attacks
• Command Interface
• Communication Mechanisms
• Intelligence Capabilities
• Unused and Non-attack Capabilities

Reconnaissance
• Target identification
• Active methods
  • scanning
• Passive methods
  • OS fingerprinting
  • traffic analysis

Specific Attacks
• Exploits
  • buffer overflows, cgi-bin, etc.
• Trojan horse injections
• Limited in targets
• Two components
  • local, remote

Command Interface
• Interface to compromised system
  • administrative shell
  • network client
• Accepts instructions
  • person
  • other worm node

Communications
• Information transfer
• Protocols
• Stealth concerns

Intelligence Database
• Knowledge of other nodes
• Concrete vs. abstract
• Complete vs. incomplete

Unused and Non-attack Capabilities
• Remainder of exploits
• Non-exploit capabilities
• Various possibilities

Assembled Pieces

Questions?
Current Limitations
• Limited capabilities
• Growth and traffic patterns
• Network structure
• Intelligence Database

Limited Capabilities: Recon

Limited Capabilities: Attack

Traffic Growth Rates
$T_{worm} = k N (T_{scans} n_{scans})(T_{comm} n_{comms})\, t$
$f_{T_{worm}} = \frac{T_{worm}}{T_{tot}}$
Traffic, hence profile, increases with time.

Traffic Growth Patterns

Network Structure

Network Topology

Limitations of Directionality

Intelligence Database

Limitations Conclusions
• Highly visible
• Easily Blocked
  • need a signature
• Unable to achieve a specific target
• Readily caught

Questions?
Future Considerations
• Dynamic behavior
• Dynamic updates
• Communications mechanisms
• Infection mechanisms
• Network topologies
• Communications topology
• New targets

Dynamic Behavior
Communications channels

Dynamic Behavior
Dynamic invocation of capabilities

Dynamic Network Roles
Not every node contains all components

Updates to the Nodes

Embedding Messages
• Images
• Text
• MP3 files
• Usenet, web, mailing lists
• Freenet, Gnutella, Napster

Stealth Broadcasts

Signed Updates
Source verification

Communications Topology
Broadcast from central site

Communications Topology
Store and forward

Passive Methods
Target acquisition

Payload Injection

Network Topology
Guerilla network

Network Topology
Directed tree

New Targets
• Embedded devices
  • bugs
  • prevalence on broadband
• Large audience targets
  • Akamai clients
• Political, financial motivations

Questions?
Worm Detection
• Challenges
  • Fast moving
  • Always adding new nodes
• Traditional Worm Paradigm
  • Analyze one node, know all
  • Same signature for all nodes
Hard to distinguish between worms and aggressive or scripted attackers

Worm Signatures
• Correlation Analysis
  • Scans, attacks
  • Quick succession of scans across hosts
  • Quick follow up of attacks with scans
• Growth of Traffic
  • exponential
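
The correlation checks this slide lists, together with the exponential profile from the Traffic Growth Rates slide, worked through as an added example; this is not code from the talk or from Crimelabs. It flags a source that scans many distinct hosts in quick succession, an attack that quickly follows that source's scan of the same host, and event volume per time window that keeps growing by a constant factor. The log format, the field names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Correlation checks for worm signatures over constructed IDS events.

Added example, not code from Nazario's talk. It tests three indicators the
slides list: quick succession of scans across hosts from one source, attacks
that follow a scan of the same host within a short gap, and event volume per
time window growing by a constant factor (the exponential traffic profile).
Log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real traffic): 10.0.0.5 sweeps hosts, attacks
# two it just scanned, and one victim (10.0.1.15) starts sweeping in turn, so
# the count per 60 s window doubles each time.
SAMPLE_LOG = """\
t=5 src=10.0.0.9 dst=10.0.1.1 kind=scan
t=40 src=10.0.0.9 dst=10.0.1.2 kind=scan
t=70 src=10.0.0.5 dst=10.0.1.10 kind=scan
t=72 src=10.0.0.5 dst=10.0.1.11 kind=scan
t=74 src=10.0.0.5 dst=10.0.1.12 kind=scan
t=76 src=10.0.0.5 dst=10.0.1.13 kind=scan
t=121 src=10.0.0.5 dst=10.0.1.14 kind=scan
t=122 src=10.0.0.5 dst=10.0.1.15 kind=scan
t=135 src=10.0.0.5 dst=10.0.1.15 kind=attack
t=140 src=10.0.0.5 dst=10.0.1.14 kind=attack
t=150 src=10.0.1.15 dst=10.0.2.1 kind=scan
t=151 src=10.0.1.15 dst=10.0.2.2 kind=scan
t=152 src=10.0.1.15 dst=10.0.2.3 kind=scan
t=153 src=10.0.1.15 dst=10.0.2.4 kind=scan
"""

@dataclass
class Event:
    t: float    # seconds since start of capture
    src: str
    dst: str
    kind: str   # "scan" or "attack"

def parse_log(text):
    """Parse 'key=value' lines into time-sorted events; bad lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            f = dict(tok.split("=", 1) for tok in line.split())
            events.append(Event(float(f["t"]), f["src"], f["dst"], f["kind"]))
        except (KeyError, ValueError):
            continue
    return sorted(events, key=lambda e: e.t)

def rapid_scanners(events, window=10.0, min_hosts=4):
    """Sources scanning >= min_hosts distinct hosts within any window-second
    span, mapped to the largest distinct-host count observed."""
    scans = defaultdict(list)
    for e in events:
        if e.kind == "scan":
            scans[e.src].append(e)
    flagged = {}
    for src, evs in scans.items():       # evs keep the global time order
        start = 0
        for end in range(len(evs)):      # sliding window over this source
            while evs[end].t - evs[start].t > window:
                start += 1
            hosts = {e.dst for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged

def scan_then_attack(events, max_gap=30.0):
    """(src, dst) pairs where an attack followed that source's own scan of the
    same host within max_gap seconds."""
    last_scan, pairs = {}, set()
    for e in events:
        if e.kind == "scan":
            last_scan[(e.src, e.dst)] = e.t
        elif e.kind == "attack":
            t0 = last_scan.get((e.src, e.dst))
            if t0 is not None and e.t - t0 <= max_gap:
                pairs.add((e.src, e.dst))
    return sorted(pairs)

def exponential_growth(events, bucket=60.0, min_ratio=1.5):
    """True when the event count grows by at least min_ratio from every bucket
    to the next; needs three or more buckets with no empty bucket in between."""
    counts = defaultdict(int)
    for e in events:
        counts[int(e.t // bucket)] += 1
    if not counts:
        return False
    series = [counts.get(i, 0) for i in range(max(counts) + 1)]
    if len(series) < 3 or 0 in series[:-1]:
        return False
    return all(b / a >= min_ratio for a, b in zip(series, series[1:]))

def analyze(text):
    """Run all three checks over a log text and return the findings."""
    events = parse_log(text)
    return {"rapid_scanners": rapid_scanners(events),
            "scan_then_attack": scan_then_attack(events),
            "exponential_growth": exponential_growth(events)}
```

On the constructed log, `analyze(SAMPLE_LOG)` flags 10.0.0.5 and the newly active 10.0.1.15 as rapid scanners, pairs both attacks with the scans that preceded them, and reports growth because the per-minute count goes 2, 4, 8; the slow scanner 10.0.0.9 is not flagged. Each check on its own also fires on an aggressive scripted attacker, which is the difficulty the previous slide notes; the growth check is the one that depends on new nodes joining in.
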

New Challenges
• Identifying communications channels
• Identifying all scans, attacks
• Constantly changing
• Larger Picture

Defenses
• Traditional paradigms
• Detection
  • anomaly detection
  • agent based IDS
  • focus on common parts

Defenses
• NIDS
  • Hone in on common parts
• Poison Injections
  • Null, shutdown payloads
• Traffic analysis
  • Identifying communications partners
All are labor intensive

Conclusions
• Worms will evolve
  • increased use of hiding tools
• Impending paradigm shift
  • not all nodes look alike
  • update capable
• No one signature
Acknowledgements
• Crimelabs: Rick, Chris, Jeremy, Brandon, Ben
• Michal Zalewski
• Simple Nomad
• Dug Song
• Blackhat