15-446 networked systems practicum lecture 14 – worms/viruses/botnets 1
TRANSCRIPT
![Page 1: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/1.jpg)
15-446 Networked Systems Practicum
Lecture 14 – Worms/Viruses/Botnets
1
![Page 2: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/2.jpg)
Outline
• Worms
• Worm Defense
• Botnet/Viruses
2
![Page 3: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/3.jpg)
What is a Computer Worm?
• Self replicating network program• Exploit vulnerabilities to infect remote machines• Victim machines continue to propagate infection
• Three main stages• Detect new targets• Attempt to infect new targets• Activate code on victim machine
• Difference w/ computer virus?• No human intervention required
3
NetworkNetwork
![Page 4: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/4.jpg)
Why Worry About Worms?
• Speed• Much faster than viruses
• CRv2: 14 hours for 359.000 victims• Slammer: 10 minutes for 75.000 victims
• Faster than human reaction• Highly malicious payloads
• DDoS or data corruption
4
![Page 5: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/5.jpg)
Some Major Worms
Worm Year Strategy Victims Other Notes
Morris 1988 Topological
scanning
6K First major autonomous worm
Code Red 2001 Random
scanning
~300K First recent "fast" worm
Nimda 2001 Local scanning
~200K Local subnet scanning Effective mix of techniques
Slammer 2003 Random
scanning
>75K Spread worldwide in 10 minutes
MyDoom 2004 Topological
scanning
<15K First “Zero Day” Worm
Conficker 2008 Random
scanning
>15M? Largest infection, capability of updates
5
![Page 6: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/6.jpg)
Threat Model
Traditional• High-value targets• Insider threats
Worms & Botnets• Automated attack of
millions of targets• Value in aggregate,
not individual systems• Threats: Software
vulnerabilities; naïve users
6
![Page 7: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/7.jpg)
... and it's profitable
• Botnets used for• Spam (and more spam)?• Credit card theft• DDoS extortion
• Flourishing Exchange market• Spam proxying: 3-10 cents/host/week• 25k botnets: $40k - $130k/year• Also for stolen account compromised
machines, credit cards, identities, etc. (be worried)?
7
![Page 8: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/8.jpg)
Why is this problem hard?
• Monoculture: little “genetic diversity” in hosts
• Instantaneous transmission: Almost entire network within 500ms
• Slow immune response: human scales (10x-1Mx slower!)?
• Poor hygiene: Out of date / misconfigured systems; naïve users
• Intelligent designer ... of pathogens
• Near-Anonymitity
8
![Page 9: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/9.jpg)
Code Red I v1
• July 12th, 2001• Exploited a known vulnerability in Microsoft’s Internet
Information Server (IIS)• Buffer overflow in a rarely used URL decoding routine –
published June 18th
• 1st – 19th of each month: attempts to spread• Random scanning of IP address space• 99 propagation threads, 100th defaced pages on server• Static random number generator seed
• Every worm copy scans the same set of addresses Linear growth
9
![Page 10: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/10.jpg)
Code Red I v1
• 20th – 28th of each month: attacks• DDOS attack against 198.137.240.91 (
www.whitehouse.gov)
• Memory resident – rebooting the system removes the worm• However, could quickly be reinfected
10
![Page 11: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/11.jpg)
Code Red I v2
• July 19th, 2001• Largely same codebase – same author?• Ends website defacements• Fixes random number generator seeding bug
• Scanned address space grew exponentially• 359,000 hosts infected in 14 hours• Compromised almost all vulnerable IIS servers on internet
11
![Page 12: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/12.jpg)
Analysis of Code Red I v2
• Random Constant Spread model• Constants
• N = total number of vulnerable machines• K = initial compromise rate, per hour• T = Time at which incident happens
• Variables• a = proportion of vulnerable machines
compromised• t = time in hours
12
![Page 13: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/13.jpg)
Analysis of Code Red I v2
N = total number of vulnerable machinesK = initial compromise rate, per hourT = Time at which incident happens
Variablesa = proportion of vulnerable machines compromisedt = time in hours
“Logistic equation”Rate of growth of epidemic in finite systems when all entities have an equal likelihood of infecting any other entity
13
![Page 14: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/14.jpg)
Code Red I v2 – Plot
• K = 1.8• T = 11.9
Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service during the initial outbreak of Code Red I on July 19th, 2001.
14
![Page 15: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/15.jpg)
Improvements: Localized scanning
• Observation: Density of vulnerable hosts in IP address space is not uniform
• Idea: Bias scanning towards local network• Used in CodeRed II
• P=0.50: Choose address from local class-A network (/8)
• P=0.38: Choose address from local class-B network (/16)
• P=0.12: Choose random address
• Allows worm to spread more quickly15
![Page 16: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/16.jpg)
Code Red II (August 2001)
• Began : August 4th, 2001
• Exploit : Microsoft IIS webservers (buffer overflow)
• Named “Code Red II” because :• It contained a comment stating so. However the
codebase was new.
• Infected IIS on windows 2000 successfully but caused system crash on windows NT.
• Installed a root backdoor on the infected machine.
16
![Page 17: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/17.jpg)
Improvements: Multi-vector
• Idea: Use multiple propagation methods simultaneously
• Example: Nimda• IIS vulnerability• Bulk e-mails• Open network shares• Defaced web pages• Code Red II backdoor
Onset of Nimda
Time (PDT) 18 September, 2001
HT
TP
con
nect
ions
/sec
ond
seen
at L
BN
L(o
nly
conf
irm
ed N
imda
att
acks
)
1/2 hour
17
![Page 18: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/18.jpg)
Better Worms: Hit-list Scanning
• Worm takes a long time to “get off the ground”
• Worm author collects a list of, say, 10000 vulnerable machines
• Worm initially attempts to infect these hosts
18
![Page 19: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/19.jpg)
How to build Hit-List
• Stealthy randomized scan over number of months
• Distributed scanning via botnet• DNS searches – e.g. assemble domain list,
search for IP address of mail server in MX records
• Web crawling spider similar to search engines• Public surveys – e.g. Netcraft• Listening for announcements – e.g. vulnerable
IIS servers during Code Red I
19
![Page 20: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/20.jpg)
Better Worms: Permutation scanning
• Problem: Many addresses are scanned multiple times
• Idea: Generate random permutation of all IP addresses, scan in order• Hit-list hosts start at their own position in the
permutation• When an infected host is found, restart at a random
point• Can be combined with divide-and-conquer approach
20
H0 H4 H1 H3 H2H1 (Restart)
![Page 21: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/21.jpg)
Warhol Worm
• Simulation shows that employing the two previous techniques, can attack 300,000 hosts in less than 15 minutes
• Conventional = 10 scans/sec
• Fast Scanning = 100 scans/sec
• Warhol = 100 scans/sec,• Permutation scanning
and 10,000 entry hit list
21
![Page 22: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/22.jpg)
Flash worms
• A flash worm would start with a hit list that contains most/all vulnerable hosts
• Realistic scenario:• Complete scan takes 2h with an OC-12• Internet warfare?
• Problem: Size of the hit list• 9 million hosts 36 MB• Compression works: 7.5MB• Can be sent over a 256kbps DSL link in 3 seconds
• Extremely fast:• Full infection in tens of seconds!
23
![Page 23: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/23.jpg)
Surreptitious worms
• Idea: Hide worms in inconspicuous traffic to avoid detection
• Leverage P2P systems?• High node degree• Lots of traffic to hide in• Proprietary protocols• Homogeneous software• Immense size
(30,000,000 Kazaa downloads!)
24
![Page 24: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/24.jpg)
Example Outbreak: SQL Slammer (2003)
• Single, small UDP packet exploit (376 b)• First ~1min: classic random scanning
• Doubles # of infected hosts every ~8.5sec• (In comparison: Code Red doubled in 40min)
• After 1min, starts to saturate access b/w• Interferes with itself, so it slows down• By this point, was sending 20M pps• Peak of 55 million IP scans/sec @ 3min
• 90% of Internet scanned in < 10mins• Infected ~100k or more hosts
25
![Page 25: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/25.jpg)
Stuxnet Worm
• The first worm for control systems• Discovered in June 2010• Attack SCADA systems using Siemens
WinCC/PCS 7 software • Not only spying but also reprogram
programmable logic controllers (PLCs)• Four zero-day attacks used• Infection includes Iran (62K) and China (6M?)• Nation-wide support cyberwarefare?
26
![Page 26: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/26.jpg)
Prevention
• Get rid of the or permute vulnerabilities• (e.g., address space randomization) • makes it harder to compromise
• Block traffic (firewalls)• only takes one vulnerable computer wandering between in &
out or multi-homed, etc.• Keep vulnerable hosts off network
• incomplete vuln. databases & 0-day worms• Slow down scan rate
• Allow hosts limited # of new contacts/sec.• Can slow worms down, but they do still spread
• Quarantine• Detect worm, block it
27
![Page 27: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/27.jpg)
Outline
• Worms
• Worm Defense
• Botnet/Viruses
28
![Page 28: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/28.jpg)
Context
• Worm Detection• Scan detection• Honeypots• Host based behavioral detection
• Payload-based
29
![Page 29: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/29.jpg)
Worm: Countermeasures
• Signature-based worm scan filtering• Vulnerable to polymorphic worms
• Scan detection• High scanning activity to identify victims• Scanning with high failure rate compared to legitimate users
(DNS)• TCP RST, ICMP Unreachable
• Two dimensions: time, space• Rate limiting, rate halting• False positive (Index crawler, NAT, etc.)• Disruption to legitimate services• Not applicable to UDP based propagation
30
![Page 30: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/30.jpg)
Worm behavior
• Content Invariance• Limited polymorphism e.g. encryption
• key portions are invariant e.g. decryption routine
• Content Prevalence• invariant portion appear frequently
• Address Dispersion• # of infected distinct hosts grow overtime
• reflecting different source and dest. addresses
31
![Page 31: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/31.jpg)
Signature Inference
• Content prevalence: Autograph, EarlyBird, etc.• Assumes some content invariance• Pretty reasonable for starters.
• Goal: Identify “attack” substrings• Maximize detection rate• Minimize false positive rate
32
![Page 32: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/32.jpg)
Content Sifting
• For each string w, maintain • prevalence(w): Number of times it is found in
the network traffic• sources(w): Number of unique sources
corresponding to it• destinations(w): Number of unique destinations
corresponding to it
• If thresholds exceeded, then block(w)
33
![Page 33: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/33.jpg)
Issues
• How to compute prevalence(w), sources(w) and destinations(w) efficiently?
• Scalable
• Low memory and CPU requirements
• Real time deployment over a Gigabit link
34
![Page 34: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/34.jpg)
Estimating Content Prevalence
• Table[payload] • 1 GB table filled in 10 seconds
• Table[hash[payload]]• 1 GB table filled in 4 minutes• Tracking millions of ants to track a few
elephants• Collisions...false positives
35
![Page 35: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/35.jpg)
stream memoryArray of counters
Hash(Pink)
Multistage Filters
36
![Page 36: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/36.jpg)
packet memoryArray of counters
Hash(Green)
Multistage Filters
37
![Page 37: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/37.jpg)
packet memoryArray of counters
Hash(Green)
Multistage Filters
38
![Page 38: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/38.jpg)
packet memory
Multistage Filters
39
![Page 39: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/39.jpg)
packet memoryCollisions are OK
Multistage Filters
40
![Page 40: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/40.jpg)
packet memory
packet1 1
Insert
Reached threshold
Multistage Filters
41
![Page 41: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/41.jpg)
packet memory
packet1 1
Multistage Filters
42
![Page 42: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/42.jpg)
packet memory
packet1 1
packet2 1
Multistage Filters
43
![Page 43: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/43.jpg)
Stage 2
packet memory
packet1 1
Stage 1
Multistage Filters
No false negatives!(guaranteed detection)
44
![Page 44: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/44.jpg)
Gray = all prior packets
Conservative Updates
45
![Page 45: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/45.jpg)
Redundant
Redundant
Conservative Updates
46
![Page 46: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/46.jpg)
Conservative Updates
47
![Page 47: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/47.jpg)
Value Sampling
• The problem: s-b+1 substrings
• Solution: Sample
• But: Random sampling is not good enough
• Trick: Sample only those substrings for which the fingerprint matches a certain pattern
48
![Page 48: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/48.jpg)
sources(w) & destinations(w)
• Address Dispersion
• Counting distinct elements vs. repeating elements
• Simple list or hash table is too expensive
• Key Idea: Bitmaps
• Trick : Scaled Bitmaps
49
![Page 49: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/49.jpg)
Bitmap counting – direct bitmap
HASH(green)=10001001
Set bits in the bitmap using hash of the flow ID of incoming packets
50
![Page 50: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/50.jpg)
Bitmap counting – direct bitmap
HASH(blue)=00100100
Different flows have different hash values
51
![Page 51: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/51.jpg)
Bitmap counting – direct bitmap
HASH(green)=10001001
Packets from the same flow always hash to the same bit
52
![Page 52: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/52.jpg)
Bitmap counting – direct bitmap
HASH(violet)=10010101
Collisions OK, estimates compensate for them
53
![Page 53: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/53.jpg)
Bitmap counting – direct bitmap
HASH(orange)=11110011
54
![Page 54: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/54.jpg)
Bitmap counting – direct bitmap
HASH(pink)=11100000
55
![Page 55: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/55.jpg)
Bitmap counting – direct bitmap
HASH(yellow)=01100011
As the bitmap fills up, estimates get inaccurate
56
![Page 56: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/56.jpg)
Bitmap counting – direct bitmap
Solution: use more bits
HASH(green)=10001001
57
![Page 57: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/57.jpg)
Bitmap counting – direct bitmap
Solution: use more bits
Problem: memory scales with the number of flows
HASH(blue)=00100100
58
![Page 58: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/58.jpg)
Bitmap counting – virtual bitmap
Solution: a) store only a portion of the bitmap
b) multiply estimate by scaling factor
59
![Page 59: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/59.jpg)
Bitmap counting – virtual bitmap
HASH(pink)=11100000
60
![Page 60: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/60.jpg)
Bitmap counting – virtual bitmap
HASH(yellow)=01100011
Problem: estimate inaccurate when few flows active
61
![Page 61: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/61.jpg)
Bitmap counting – multiple bmps
Solution: use many bitmaps, each accurate for a different range
62
![Page 62: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/62.jpg)
Bitmap counting – multiple bmps
HASH(pink)=11100000
63
![Page 63: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/63.jpg)
Bitmap counting – multiple bmps
HASH(yellow)=01100011
64
![Page 64: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/64.jpg)
Bitmap counting – multiple bmps
Use this bitmap to estimate number of flows
65
![Page 65: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/65.jpg)
Bitmap counting – multiple bmps
Use this bitmap to estimate number of flows
66
![Page 66: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/66.jpg)
Bitmap counting – multires. bmp
Problem: must update up to three bitmaps per packet
Solution: combine bitmaps into one
OR
OR
67
![Page 67: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/67.jpg)
HASH(pink)=11100000
Bitmap counting – multires. bmp
68
![Page 68: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/68.jpg)
Bitmap counting – multires. bmp
HASH(yellow)=01100011
69
![Page 69: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/69.jpg)
Multiresolution Bitmaps
• Still too expensive to scale
• Scaled bitmap• Recycles the hash space with too many bits set• Adjusts the scaling factor according
70
![Page 70: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/70.jpg)
Scaled Bitmap
• Idea: Subsample the range of hash space• How it works?
• multiple bitmaps each mapped to progressively smaller and smaller portions of the hash space.
• bitmap recycled if necessary.
Result
Roughly 5 time less memory + actual estimation of address dispersion
71
![Page 71: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/71.jpg)
Putting It Together
header payload
substring fingerprintssubstring fingerprints
key src cnt dest cnt
AD entry exist?update counters
key cntelseupdate counter
cnt > prevalence threshold?create AD entry
Content Prevalence Table
Address Dispersion Table
counters > dispersion threshold?report key as suspicious worm
72
![Page 72: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/72.jpg)
Putting It Together
• Sample frequency: 1/64
• String length: 40
• Use 4 hash functions to update prevalence table• Multistage filter reset every 60 seconds
73
![Page 73: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/73.jpg)
Parameter Tuning
• Prevalence threshold: 3• Very few signatures repeat
• Address dispersion threshold• 30 sources and 30 destinations• Reset every few hours• Reduces the number of reported signatures
down to ~25,000
74
![Page 74: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/74.jpg)
Parameter Tuning
• Tradeoff between and speed and accuracy• Can detect Slammer in 1 second as opposed to
5 seconds • With 100x more reported signatures
75
![Page 75: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/75.jpg)
False Negatives in EB
• False Negatives• Very hard to prove...
• Earlybird detected all worm outbreaks reported on security lists over 8 months
• EB detected all worms detected by Snort (signature-based IDS)?
• And some that weren't
76
![Page 76: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/76.jpg)
False Positives in EB
• Common protocol headers• HTTP, SMTP headers• p2p protocol headers
• Non-worm epidemic activity• Spam• BitTorrent (!)
• Solution:• Small whitelist...
77
![Page 77: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/77.jpg)
Outline
• Worms
• Worm Defense
• Botnet/Viruses
78
![Page 78: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/78.jpg)
... and it's profitable
• Botnets used for• Spam (and more spam)?• Credit card theft• DDoS extortion
• Flourishing Exchange market• Spam proxying: 3-10 cents/host/week• 25k botnets: $40k - $130k/year• Also for stolen account compromised
machines, credit cards, identities, etc. (be worried)?
79
![Page 79: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/79.jpg)
Botnet
• A group of zombie computers under the remote control of an attacker via a command and control (C&C) server
C&C Server
Attacker
ZombiesTarget Sites
CommandAttack
C&C Server
C&C Server
80
![Page 80: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/80.jpg)
Botnet Countermeasure
• Detecting new botnets by using honeypots, analyzing spam pools, capturing group activities in DNS
• Sinkholing or nullrouting C&C server connections and cleaning zombies
81
![Page 81: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/81.jpg)
Outline
• Worms
• Worm Defense
• Botnet/Viruses
82
![Page 82: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/82.jpg)
Malicious Code
• Many types of malicious code• Virus, worm, botnet, spyware, spam, etc.
• Who writes this and why?• Challenge (for fun)• Fame (for pride)• Business (for money)
• Black markets for attacks (DDoS and spams) and info(credit cards, vulnerabilities)
• Ideology (for activism)• Hactivism, cyberterrorism, cyberwarefare
83
![Page 83: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/83.jpg)
What is a Computer Virus?
• Program that spreads itself by infecting (modifying) an executable file and making copies of itself
84
![Page 84: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/84.jpg)
Components
1. Propagation mechanism• Sharing infected file with other computers
• USB drive, email attachment, and shared folders
• Executing infected file Infect other computers and spread infection
2. Trigger• Time/condition when payload is activated
3. Payload• Damage existing files• Extort sensitive information• Consume computer’s resources
85
![Page 85: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/85.jpg)
Infected File
1 Insert document in fax machine. (Program entry-point)
2 Dial the phone number.
3 Hit the SEND button on the fax.
4 Wait for completion. If a problem occurs, go back to step 1.
5 End task.
86
1 Skip to step 6.
2 Dial the phone number.
3 Hit the SEND button on the fax.
4 Wait for completion. If a problem occurs, go back to step 1.
5 End task.
6 VIRUS instructions
7 Insert document in fax machine and go to step 2.
Before
After
Nachenberg, Computer Virus-Antivirus Coevolution, CACM 1997
![Page 86: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/86.jpg)
Propagation
• Virus replicates when infected file is executed• Task is not entirely automated
• User makes the first step• Virus copies malicious code to other files• Jump instruction to malicious code is added
• Why are Windows-based viruses most prolific?• Largest population• Why write a virus if only a few people are infected?
87
![Page 87: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/87.jpg)
Detection
• Infected file has a larger size than initial version of file
• Scanners record files lengths and searches for changes
• Virus can easily bypass detection through compression
(packing)
89
P P
V
PP P
V
![Page 88: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/88.jpg)
Detection (cont’d)
• Virus signature• Same structure and bit pattern for
uniquely identifying a virus
90New malicious code signatures, Symantec 2010
![Page 89: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/89.jpg)
More Advanced Viruses
• Encrypted viruses• Prevent “signature” to detect virus via encryption
Polymorphic viruses Change virus code to prevent signature
91
![Page 90: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/90.jpg)
Detection of Encrypted Virus
• A different encryption key is generated for each new infection• Therefore, encrypted virus body appears
different in each infected file• Antivirus can no longer parse virus body for the
virus signatures
• Still pattern matching possible• Still identical copy of decryption routine
92
![Page 91: 15-446 Networked Systems Practicum Lecture 14 – Worms/Viruses/Botnets 1](https://reader035.vdocument.in/reader035/viewer/2022070404/56649f355503460f94c53f74/html5/thumbnails/91.jpg)
Detection of Polymorphic Viruses
• Advanced encrypted virus• Formerly, constant decryption routine• Now, mutable decryption routine
• unique crypto code generated for each copy
• No more signatures in code
93