
The Coming Age of Defensive Worms
David Meltzer, djm@intrusec.com, CTO, Intrusec

Presentation Transcript


  1. The Coming Age of Defensive Worms. David Meltzer, djm@intrusec.com, CTO, Intrusec

  2. Why? “I don't know whether a good worm can be safe and effective, but this merits serious technical study.” - Martha Stansell-Gamm (May 26, 2003) [1], Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice

  3. What Will You Learn?
     • The history of good worms
     • The problems with defensive worms
     • How defensive worm problems are solved
     • Possible evolutionary steps

  4. The Question Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?

  5. Worm Reality A new exploit just came out. You have 5,000 vulnerable systems. The worm is coming. What do you do?

  6. The Worm Antidote It fixes all the systems on your network. It does it faster than the worm can spread. It only ‘infects’ your own systems. Do you run it?

  7. Which Worm Do You Want?

  8. What Will You Learn?
     • The history of good worms
     • The problems with defensive worms
     • How defensive worm problems are solved
     • Possible evolutionary steps

  9. “Good Worms” A Worm, BUT…
     • A “beneficial” payload
     BUT Still…
     • Disruptive to networks
     • Runs without permission
     • Requires clean-up
     • ILLEGAL

  10. What Do “Good Worms” Do?
     • Scan
     • Listen
     • Exploit
     • Patch
     • Disinfect

  11. Timeline of “Good Worms” (1999 to 2003): Millennium (8/99), Cheese (5/01), Code Green (9/01), CRClean (9/01)

  12. Case Study: Millennium [2,3]. Discovered 8/15/99. Written by Mixter [4]. Multiple Linux Vulns: Scans, Patches, Backdoors
     • Scans for systems vulnerable to 5 remote Linux holes
     • Exploits remote system
     • Patches 5 Linux vulns
     • Installs a backdoor
     • Sends notification of infection to a Hotmail address
     • Installs itself on system

  13. Case Study: Cheese [5]. Discovered 5/01. Unknown Author. Lion Worm Response: Scans, Disinfects
     • Scans for systems infected by Lion
     • Installs itself using backdoor left by Lion
     • Removes Lion backdoor from system

  14. Case Study: Code Green [6]. Code Released 9/1/2001. Written by Der HexXer. Code Red Response: Scans, Disinfects, Patches
     • Scans for systems infected with CodeRed
     • Exploits ISAPI vuln on infected systems
     • Removes CodeRed from system
     • Installs Q300972 Hotfix on system
     • Installs itself on system

  15. Case Study: CRClean [7]. Code Released 9/1/2001. Written by Markus Kem. Code Red Response: Listens, Disinfects, Patches
     • Listens for CodeRed to attack it
     • Exploits ISAPI vuln on CodeRed attackers
     • Removes CodeRed from system
     • Patches ISAPI vuln on system
     • Installs itself on system

  16. Industry Thinking on “Good Worms”: “Generally Not Well Regarded” – eEye [8]

  17. Industry Thinking on “Good Worms” - Continued: “The idea of a patch worm is a nice thought, but it is not a solution…” - CERT [9]

  18. Industry Thinking on “Good Worms” - Continued: “You cannot predict what’s going to happen. You don’t know what the impact is going to be if it’s altered. It’s never an alternative.” – Trend Micro [10]

  20. Industry Thinking on “Good Worms” - Continued:
     “-What about the traffic it takes up?
     -What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day?
     -How does your worm know when it's done?
     -Maybe I don't want my box patched, the patch broke my app
     -How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm?
     -How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still *A* worm around on the 1st, which one is it?
     -Do we really want an Internet-sized game of corewars?”

  21. Industry Thinking on “Good Worms” - Continued: “Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's "The Diamond Age," not on production Internet servers.” – Timothy Dyck [11]

  22. Industry Thinking on “Good Worms” - Continued: “… Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control. This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm…” – eWeek [12]

  23. /. Wisdom
     “The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?”
     “Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong”
     “Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...”
     “Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.”

  24. What Will You Learn?
     • The history of good worms
     • The problems with defensive worms
     • How defensive worm problems are solved
     • Possible evolutionary steps

  25. Problems with Good Worms: No good worm to date has been even remotely usable in a legal and effective manner.

  26. Problem #1 - Legality To run a worm legally, it must NEVER attempt to access unauthorized systems. Extreme safeguards must be taken. A software bug will land you in jail.

  27. Problem #2 – Network Usage Worms are extremely noisy, causing network slowdowns and denial of services as a side-effect of running. Need to be network friendly.

  28. Problem #3 – Cleaning Up. Worms spread, leaving a new mess to clean up in place of the old one. A worm needs to know when its work is done and perform its own clean-up.

  29. Problem #4 – Management. Worms are uncontrollable once “released”. Need to be able to centrally manage the operation and results of the worm while it is running.

  30. “Defensive Worms” A Good Worm, BUT…
     • NOT Disruptive to networks
     • ONLY Runs with permission
     • NO clean-up
     • LEGAL
     Usable defensive worms do not exist, yet.

  31. What Will You Learn?
     • The history of good worms
     • The problems with defensive worms
     • How defensive worm problems are solved
     • Possible evolutionary steps

  32. Solution #1 – Legality Redundant Safeguards

  33. Solution #1 – Legality: Restriction Models
     • Opt-Out
     • Passive
     • IP Ranges
     • Border Routers
     • DNS

  34. Solution #1 – Legality: Lysine Deficiency [13]

  35. Solution #1 – Legality Lysine Deficiency A built-in mechanism that causes a worm to die if it spreads beyond its intended set of targets. “Reverse Lysine” = Opt-Out (CodeRed)

  36. Solution #1 – Legality: Heartbeats. A central server is checked each time before the worm launches an attack. If the server doesn’t return a heartbeat, the worm pauses its operation. If the heartbeat hasn’t returned after a timeout period, the worm self-destructs.

  37. Solution #1 – Legality IP Ranges The worm is configured with the IP addresses you are authorized to attack.

  38. Solution #1 – Legality: Border Routers. The worm is configured with the border routers of a network; all systems within that network you are authorized to attack. If a border router comes between a prospective target and the worm, the worm does not propagate to it. If a border router isn’t on the route to a known Internet server, the worm is already outside its authorized network.

  39. Solution #1 – Legality: DNS. The worm is configured with domain names; all hosts that resolve within those domains you are authorized to attack. The worm performs a DNS lookup on every prospective target. If DNS doesn’t resolve to an authorized domain name, the target is not authorized.
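The heartbeat, IP range and DNS restriction models of slides 36, 37 and 39 combined into one authorization gate, as an added example that is not part of the original presentation; the same gate applies to any automated remediation agent, not only a worm. ScopeGate, fake_resolve and the 10.20.0.0/16 / corp.example scope are constructed, the border-router check of slide 38 is omitted, and the resolver is injectable so the code runs offline.

```python
import ipaddress
import socket

class ScopeGate:
    def __init__(self, ip_ranges, domains, heartbeat_timeout, started, resolve=socket.gethostbyaddr):
        self.nets = [ipaddress.ip_network(r, strict=False) for r in ip_ranges]  # slide 37
        self.domains = [d.lower().strip(".") for d in domains]                  # slide 39
        self.heartbeat_timeout = heartbeat_timeout  # seconds of silence tolerated (slide 36)
        self.last_heartbeat = started
        self.resolve = resolve  # injectable so the example runs offline

    def ip_authorized(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.nets)

    def dns_authorized(self, ip):
        # Reverse-resolve the target; no PTR record or a foreign domain means "not authorized".
        try:
            name = self.resolve(ip)[0].lower().strip(".")
        except OSError:
            return False
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def heartbeat(self, now, server_alive):
        # Server answered: refresh and run. Silent: pause; silent past the timeout: self-destruct.
        if server_alive:
            self.last_heartbeat = now
            return "run"
        return "terminate" if now - self.last_heartbeat > self.heartbeat_timeout else "pause"

    def decide(self, ip, now, server_alive):
        # run / pause / terminate / deny. All checks must pass (redundant safeguards, slide 32).
        state = self.heartbeat(now, server_alive)
        if state != "run":
            return state
        return "run" if self.ip_authorized(ip) and self.dns_authorized(ip) else "deny"

FAKE_PTR = {"10.20.3.7": "web01.corp.example.", "10.20.9.9": "host.partner.example"}  # constructed
def fake_resolve(ip):  # offline stand-in for socket.gethostbyaddr; unknown IP -> no PTR
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTR[ip], [], [ip])

def demo():
    gate = ScopeGate(["10.20.0.0/16"], ["corp.example"], 300, started=1000.0, resolve=fake_resolve)
    cases = [("10.20.3.7", 1000.0, True),     # run: in range, PTR in corp.example
             ("10.20.9.9", 1001.0, True),     # deny: in range but foreign domain
             ("192.168.1.1", 1002.0, True),   # deny: outside authorized ranges
             ("10.20.3.7", 1100.0, False),    # pause: heartbeat last seen 98 s ago
             ("10.20.3.7", 1400.0, False)]    # terminate: silent for 398 s > 300
    return [gate.decide(*c) for c in cases]
```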

  40. References
     1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http://www.eweek.com/article2/0,3959,1109605,00.asp
     2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, Sept, 1999. URL: http://www.whitehats.com/library/worms/mworm/index.html
     3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http://www.securityfocus.com/news/203
     4. Mixter. “mw06.tgz”, September 23, 1999. URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz
     5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001. URL: http://www.sans.org/rr/papers/36/31.pdf
     6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html
     7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html
     8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001. URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1
     9. Houle, Kevin. Quoted in “Cheese worm: A Linux fixer-upper?” by Robert Lemos, May 16, 2001. URL: http://news.com.com/2100-1001-257748.html?legacy=cnet
     10. Hartmann, Joe. Quoted in “’Cheesy’ Fix-It Worm Patches Security Flaws” by Jay Lyman, May 18, 2001. URL: http://www.newsfactor.com/perl/story/9869.html
     11. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001. URL: http://www.freeos.com/printer.php?entryID=4233
     12. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http://www.eweek.com/article2/0,3959,1037004,00.asp
