Chao-Hsien Chu College of Information Sciences and Technology The Pennsylvania State University

1. Worm Forensics Chao-Hsien Chu College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Theory  Practice Learning by Doing

2. Virus Structure

3. Compression Virus

4. Virus Classification • boot sector – The virus infects a master boot record. • file infector – infect executable files. • macro virus – Macro code. • encrypted virus – the virus was encrypted. • stealth virus – The virus hide itself. • polymorphic virus – The virus mutates with every infection. • metamorphic virus – The virus mutates with every infection. The virus rewrites itself completely at each iteration.

5. Virus Countermeasures • prevention - ideal solution but difficult • realistically need: • detection • identification • removal • if detect but can’t identify or remove, must discard and replace infected program

6. Anti-Virus Software • First –generation. Simple scanners which require a virus signature. • Second generation. Heuristic scanners. Looking for fragments of code, the beginning of an encryption look, integrity checking. • Third generation. Use activity traps to identify virus. • Fourth generation. Include scanning, activity traps and access control activities. • Generic Decryption (GD) • Digital Immune System. IBM, Symantec. • Behavior-Blocking Software. Integrated with OS and monitor program behavior in real time.

7. Digital Immune Systems

8. Behavior-Blocking Software

9. Worm Defense - Containment(1) • 1. Quarantine (Signature-based) • Blocking traffic from suspected hosts • 2. Rate Limiting / Halting • Temporal throttling (Williamson 2002) • Implemented in XP SP2 “The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system’s event log.” http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

10. Proactive Worm Containment (PWC) Host-based

11. Worm Defense - Containment(2) • 3. Content Filtering • Automatic worm signature generation – “Earlybird” (Singh et al. 2004) • For novel worms, assumes that even polymorphic worms must exhibit some amount of byte-level similarity and content prevalence increases during a worm attack • 4. Address Randomization • Anti-hitlist technique (Antonatos et al. 2005) – hitlist can be made effectively stale using an address change cycle 3-5X longer than the time required to prepare the hitlist

12. Network Based Worm Defense

13. Worm Forensics An aspect of worm forensics is “attribution”: • “By attack attribution we mean the ability to determine the true source of attack including logical/physical origins, paths taken by the attacker, the computers used and the persons or organizations involved. • There are four levels of useful attack attribution: • to the specific hosts involved in the attack • to the primary controlling host • to the actual human actor • to a higher organization with a specific purpose to the attack” • From BAA 03-03-FH • Sponsor: NSA, Advanced Research and Development Agency

14. Attribution Example • Kuraq pays a mercenary named John Smith to run a DDoS Attack against a target. • From his home computer in Namibia, John Smith then uses hacker scripts to compromise 15 hosts to act as attack controllers. Each of those attack controllers then breaks into 100 hosts to act as zombies in the attack. • Trace to zombies  L1 • Trace to controllers  L2 • Trace to Smith  L3 • Trace to Smith’s relationship with Kuraq  L4 • From BAA 03-03-FH • Sponsor: NSA, Advanced Research and Development Agency

15. Attribution Levels 1 and 2 • Level 1 Attribution – IP Traceback • Methods to determine true IP address in the presence of spoofing • Various approaches: • Messaging – e.g. iTrace – “ICMP traceback”, a new message format identifying a router originating the message • Packet Marking – place route information in header extensions or the IP header ID field • Level 2 Attribution – Stepping Stones • Methods to follow an attack through a series of compromised hosts • Content • Earliest approach – character frequencies (Staniford-Chen & Huberlein, 1995) • Timing • Watermarking

16. Worm Forensic Problem The Internet address space consists of 24 addresses. A network telescope monitors the address set {12,13,14,15}. This telescope makes the observations shown for a worm attack. The worm implements random scanning using the following PRNG: Xn+1=a * Xn + b mod m where a=3, b=7 and m=16. Task: Reconstruct the infection sequence and its timing. Assume the following: • the telescope was functional prior to t=0 • a victim scans once per time tick and starts scanning on the tick following infection using a random initial address. • The infection begins with one host Note: the notation XY means that address X was observed sending attack traffic to address Y. • Telescope Observations: • T Observations • 0 915 • 1 413 • 2 414 • 3 (no observations) • 4 012 • 5 912; 015 • 6 1113 • (no further monitor information is available beyond t=6)

17. Forensic Case Study: Witty Worm Worm Attribution – Kumar et al. ‘05 Exploiting underlying structure for detailed reconstruction of an internet-scale event Kumar, A., Paxson, V., & Weaver, N. (2005)., Internet Measurement Conference (IMC'05). • Data Sources: Caida /8 and U Wisconsin /8 • Used disassembled Witty worm code to analyze PRNG structure. • PRNG state inferred from observed packets • One source consistently failed to follow PRNG orbit – Patient Zero (European ISP)

18. Witty Worm Timeline • March 8, 2004: eEye Security discovers a stack overflow vulnerability in the ISS BlackIce/RealSecure IDS products. • March 9: ISS releases patch • March 18: eEye announces vulnerability • March 19: Witty worm is released – 12,000 hosts infected in 75 minutes

19. Witty Worm PRNG Analysis • Witty used a 32 bit PRNG • If the entire 32 bit output were used to generate one address, reconstruction of PRNG state would be trivial • Instead Witty used multiple PRNG cycles to generate 1 address

20. Case Study: Witty Worm Witty Worm pseudocode, from Kumar et al. ‘05

21. Cracking the Witty PRNG State • Forensic evidence: • The Witty PRNG implementation is flawed: the orbit misses about 10% of the IPv4 address space • A single observed packet packet gives 3 partial observations of three consecutive PRNG cycles. • PRNG state reconstruction: • The top 16 bits of each PRNG cycle are known • 216 possible lower 16 bits of the first cycle • Only some of these will be consistent with the observed upper 16 bits of the second cycle • Only one of these will be consistent with the observed upper 16 bits of the third cycle •  The full 32 bit state of the first cycle can be determined

22. Cracking the Witty PRNG State • Cracking the PRNG state allowed the determination of the uptime of hosts, the number of disk drives of the hosts and host access bandwidth • Host uptime data and traceroute data were used to speculate that a hitlist of machines at a U.S. military base were targeted, possibly by an ISS insider with knowledge of the vulnerable code installation • Knowledge of the PRNG orbit allowed for the identification of: • 404 victims whose addresses were outside the PRNG orbit • Implication: possibly hitlist members, or promiscuous scanners • 1 victim that did not scan the orbit • Implication: possible “patient zero”