Jaypee Institute of Information Technology University, Noida
Current Network Security Threats
2007
These Documents Are For Educational Purpose
Presented here by
Gautam Sarswat
Contact at : gautam.sarswat.jbs@gmail.com
Outline
• Network Telescope
• Denial-of-Service Attacks
• Viruses and Worms
• Botnets
Network Telescope
• Chunk of (globally) routed IP address space – 16 million IP addresses
• Little or no legitimate traffic (or easily filtered)
• Unexpected traffic arriving at the network telescope can imply remote network/security events
• Generally good for seeing explosions, not small Events
• Depends on random component in spread
Network Telescope: Denial-of-Service Attacks
• Attacker floods the victim with requests using random spoofed source IP addresses
• Victim believes requests are legitimate and responds to each spoofed address
• According to observation 1/256th of all victim responses to spoofed addresses
Denial-of-Service Attacks
Analysis DoS Attacks over time
Network Telescope Observation Station
• http://www.caida.org/data/realtime/telescope/
• Prevalence and trends in spoofed-source denial-of-service attacks
– http://www.caida.org/data/realtime/telescope/?monitor
=telescope_backscatter
• (live demo)
What is a Network Worm?
• Self-propagating self-replicating network program
– Exploits some vulnerability to infect remote machines
• No human intervention necessary
– Infected machines continue propagating infection
Network Telescope: Worm Attacks
• Infected host scans for other vulnerable hosts by randomly generating IP addresses
• It monitor 1/256th of all IPv4 addresses
• It see 1/256th of all worm traffic of worms with no bias and no bugs
Witty Worm Background
March 19, 2004
• ISS Vulnerability
– A buffer overflow in a PAM (Protocol Analysis Module) in a Internet Security Systems firewall products
• Version 3.6.16 of iss-pam1.dll
– Analyzes ICQ traffic (inbound port 4000)
– Discovered by eEye on March 8, 2004
– Jointly announced March 18,2004 when “patch” available
• Upgrade to the next version at customer cost…
• By far the closest to a zero-day exploit
– Instead of 2-4 weeks after bug release, Witty appeared after 36 hours
Witty Worm Structure
March 19, 2004
• Infects a host running an ISS firewall product
• Sends 20,000 UDP packets as quickly as possible:
– to random source IP addresses
– to random destination port
– with random size between 796 and 1307 bytes
• Damage Victim:
– select random physical device
– seek to random point on that device
– attempt to write over 65k of data with a copy of the beginning of the vulnerable dll
• Repeat until machine is rebooted or machine crashes irreparably
Typical (Code-Red) Host Infection Rate
Early Growth of Witty (5 minutes)
Witty Worm Spread
March 19, 2004
• Sharp rise via initial coordinated activity
• Peaked after approximately 45 minutes
– Approximately 30 minutes later than the fastest worm we’ve seen so far (SQL Slammer)
– Still far faster than any human response
– At peak, Witty generated:
• 90 GB/sec of network traffic
• 11 million packets per second
Early Growth of Witty (2 hours)
Early Growth of Witty (3 days)
Witty Worm Victims
• Consistent with past worms:
– Globally distributed
– Majority high-bandwidth home/small business users
• Unique victim characteristics
– 100% taking proactive security measures
– Infected via software they ran purposefully
Geographic Spread of Witty
Witty Summary
• ~12,000 hosts infected in 30 minutes
• Averaged more than 11 million probes per second world-wide
• Unstoppable
• Irreparably destroyed a significant number of infected computers
Conclusions
• Witty incorporates a number of novel and disturbing features:
– Next day exploit for publicized bug
– Wide-scale deployment
– Successful exploit of small population (no more security through obscurity)
– Future worms will continue to emulate botnets
– increasing levels of stealth and flexibility
– Infected a security product
• Witty demonstrates conclusively that the patch model of networked device security has
failed
– You can’t encourage people to sign on to the ‘net with one click and then also expect them to be security experts
– Running commercial firewall software at their own expense is the gold standard for end user behavior
• Recognition that security is important
• Recognition that they can’t do it themselves
• End-user behavior cannot solve current software security problems
• End-user behavior cannot effectively mitigate current software security problems
• We must:
– Actively address prevention of software vulnerabilities
– Turn our attention to developing large-scale, robust, reliable infrastructure that can mitigate current security problems without end-user intervention
About Blackworm
• Began to spread January 15, 2006
• 95k Visual Basic executable email attachment run by users
• Also spread to attached network shares
• Malicious: on the 3rd day of every month:
– searches for files with 12 common file extensions (.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd,and .dmp)
– replaces those files with the text string “DATA Error [47 0F 94 93 F4 K5]“
So who cares?
• Blackworm is not particularly different from many, many other email viruses, except…
• Every infected computer automatically generates an http request for a web page that displayed a hit count graph (self-documenting code?)
• Logs for the website were available before the first date of payload destruction
• Some victims could be notified before they lost data
Log Analysis
• Simple! Just take the logs and look at who connected and you’ll have the infected IP
addresses!
• Except that the url was publicized…
• Many folks looked at the page to observe the spread of the virus
• Denial-of-service attacks added a large volume of spurious traffic
Log Filtering
• Why not just count IP addresses that were logged once?
• Web traffic aggregators (NAT, proxy servers) obscure victim IP addresses; multiple probes can represent multiple infections
• DHCP use allows two different computers to have the same IP at the time that they
become infected
Log Filtering Process
• Remove referer/browser strings set by common DDoS tools (91.1% of all hits)
• Remove requests for pages different from the one accessed by the virus (0.2%)
• Remove any request with a referer string (virus did not use one in its probes) (0.8%)
• Remove requests from invulnerable Operating Systems: MacOS, Unix, cell phone, and PDA devices (0.03%)
Sources of Error and Uncertainty
• Infected computers that failed to send the probe
• Network firewalls or outages that prevented victims from reaching the web page
• Denial-of-Service attacks preventing infected computers from reaching the web page
• People who viewed the counter only once using a vulnerable browser, but were not infected
Estimating a Victim Count
• Lower bound: for each IP address, the number of unique, vulnerable browser types received from that IP address
• Upper bound: for each IP address, the total number of probes received from that IP address
• Blackworm victim estimate: between 469,507 and 946,835 (3.2%-6.4% of original log entries)
Blackworm Overall
Blackworm by Continent
Blackworm by Country (>2%)
Concurrent Infections
• 45,401 Blackworm victims (10%) had concurrent spyware and/or botnet infections advertised in their browser string
– Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Sgrunt|V109|29|S493689067|dial; FunWebProducts; XBE|29|S04069679521143#398|isdn; snprtz|S04138822910124)
Conclusions
• Log analysis allows insight into email virus spread given sufficient data mining
• Email viruses spread in a slower and steadier pattern than Internet worms, which infect the vast majority of their victims in the first day
• Diurnal patterns are strongly apparent in spread data (people read their email when
they are awake)
• Country distribution of victims does not correlate with web infrastructure development
• Spread strongly influenced by geographic location (based on social and linguistic similarity)
• TLD distribution reflects geographic distribution rather than # of vulnerable hosts/TLD
• 10% of victims had concurrent botnet or spyware infection
Botnets
• Significant transition in motivation for widespread, non-specific malicious activity
– From notoriety -> want to be noticed
– To money -> want stealth to protect revenue stream
• So how do you make money?
– Sending spam
– DoS extortion
– Active (phishing) and passive identity theft
Current Events
• Malicious software development is a business aimed at scalable, manageable
distributed systems
• Coordinated activity makes current antivirus activities increasingly irrelevant
• Demise of signature-based security?
• High system complexity + naïve/uneducated = bad combination Cooperative Association for Internet Data Analysis Current Security Research
• Longitudinal study of Blackworm
• Spamscatter
• Botnet Economics
• Worm Risk Analysis
• Anomaly Detection
Reference
