
consequences. The other principal source of false positives is SPAM e-mails, which can exceed address dispersion thresholds due to the use of distributed mailers and mail relays. While these are far more difficult to whitelist, since many e-mail viruses also propagate via TCP port 25, the effect of their interdiction is far more benign as well. Moreover, false positives arising from SPAM are bursty in practice since they coincide with a mass mail-

flect a small number of pathologies. Consequently, in live use we excluded such signatures in a small white list which is used to post-filter signature reports.

False negatives: Since our experiments have been run in an uncontrolled environment it is not possible to quantitatively demonstrate the absence of false negatives. However, a strong qualitative indication is that Earlybird running live detected every worm outbreak reported on public security mailing lists (including BugTraq, Full-Disclosure, and snort-signatures) during our period of operation. We also checked for false negatives by comparing the trace we used against a Snort rulebase including over 340 worm and worm-related signatures aggregated from the official Snort distribution as well as the snort-signatures mailing list. We found no false negatives via this method, although the Snort system alerted on a number of instances that were not worms.

Label                  Service     Repetitions
                                   Sources    Dests
SLAMMER                UDP/1434       3328    23607
SCAN-TCP-PORT22        TCP/22           70       53
MAIL-HEADER-FROM       TCP/25           12       11
SMB-139                TCP/139         603      378
SMB-445                TCP/445        2039      223
HEADER-TCP-CLOSE       TCP/80           33      136
MAIL-HEADER-FROM2      TCP/25           13       14
PROTOCOL-HEADER-EXT    TCP/80           15       24
BLASTER                TCP/135        1690       17
OPASERV-WORM           UDP/137         180    21033
SMB-445-SIG2           TCP/445          11      145

Table 2: Summary signatures reported using an address dispersion threshold of 10.

6.6 Inter-packet signatures

As described, the content-sifting algorithm used in EarlyBird does not keep any per-flow state and can therefore only generate content signatures that are fully contained within a single packet. Thus an attacker might evade detection by splitting an invariant string into pieces one byte smaller than β, one per packet.

We have extended the content sifting algorithm to detect such simple evasions at the cost of per-flow state management. While there are many approaches to flow

evasions in Section 7. We briefly evaluated the performance impact of this extension and found that, using a flow cache of 131072 elements (7MB in total), the average cost for processing the first packet of a flow is increased by 0.227 microseconds and the average per-byte cost is increased by 0.042 (absolute numbers and associated standard deviations are reported in Table 1).

6.7 Live experience with EarlyBird

In addition to the worms described above, Earlybird has also detected precise signatures for variants of CodeRed, the MyDoom mail worm and most recently for the Sasser and Kibvu.B worms. In the case of new worms such as Kibvu.B and MyDoom, Earlybird reported signatures long before there were public reports of the worm's spread, let alone signatures available, and we were able to use these signatures to assist our network operations staff in tracking down infected hosts.

While we have experience with all recent worms, we limit ourselves to describing our experience with two recent outbreaks, Sasser and Kibvu.B.

Sasser: We detected Sasser on the morning of Saturday May 1st, 2004. Though we cannot claim to be the first ones to detect Sasser, we certainly did detect it before signatures were made available by the various anti-virus vendors. Part of the reason we did not detect Sasser earlier is that all inbound traffic destined to port 445 is dropped at the upstream router, and thus we could only use strictly internal traffic to make an identification. Figure 12 shows a screenshot of the live EarlyBird system tracking the rate of growth of infected Sasser hosts and their attempts to infect others in the UCSD network.

Kibvu.B: Kibvu.B is a recent worm that Earlybird detected on Friday May 14th, 2003 at 3:08AM PDT. In con-
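The following is an added example, not EarlyBird's own code, illustrating the inter-packet evasion of Section 6.6 and the per-flow-state extension that closes it: a stateless sifter counts β-byte windows per packet, a stateful one carries the last β-1 bytes of each flow forward so windows straddling packet boundaries are counted as well. Assumed for the demonstration: β = 8 (the paper's value is not on this page), a content-prevalence threshold only (address dispersion is omitted), and a constructed stand-in invariant string.

```python
from collections import defaultdict

BETA = 8  # substring length (the paper's beta); assumed small here for readability

def windows(data: bytes, beta: int = BETA):
    """Yield every beta-byte substring of data; these are what content sifting counts."""
    return (data[i:i + beta] for i in range(len(data) - beta + 1))

def sift_per_packet(packets, beta=BETA):
    """Stateless sifting: each payload is sifted on its own, so a substring that
    straddles a packet boundary is never seen as a window."""
    counts = defaultdict(int)
    for _flow, payload in packets:
        for w in windows(payload, beta):
            counts[w] += 1
    return counts

def sift_per_flow(packets, beta=BETA):
    """Stateful sifting: keep the last beta-1 bytes of each flow and prepend them
    to that flow's next payload. The kept tail is shorter than beta, so every
    window counted contains at least one new byte and nothing is counted twice."""
    counts = defaultdict(int)
    tail = {}  # flow id -> last beta-1 bytes seen on that flow (the per-flow state)
    for flow, payload in packets:
        data = tail.get(flow, b"") + payload
        for w in windows(data, beta):
            counts[w] += 1
        tail[flow] = data[-(beta - 1):] if beta > 1 else b""
    return counts

def prevalent(counts, threshold):
    """Substrings whose repetition count reached the prevalence threshold."""
    return {w for w, c in counts.items() if c >= threshold}

def split_into_pieces(data: bytes, beta: int):
    """Constructed test traffic: data cut into pieces of beta-1 bytes, one per
    packet, i.e. the evasion the text describes, used here to validate the detector."""
    step = beta - 1
    return [data[i:i + step] for i in range(0, len(data), step)]

def demo(beta=BETA, threshold=3):
    """Three flows carry the same constructed invariant in sub-beta pieces.
    Returns (prevalent substrings seen stateless, prevalent substrings seen stateful)."""
    invariant = b"INVARIANT-WORM-PAYLOAD-XYZ"  # constructed stand-in, not a real worm string
    pieces = split_into_pieces(invariant, beta)
    packets = [(flow, p) for flow in ("flow-1", "flow-2", "flow-3") for p in pieces]
    stateless = prevalent(sift_per_packet(packets, beta), threshold)
    stateful = prevalent(sift_per_flow(packets, beta), threshold)
    return len(stateless), len(stateful)

if __name__ == "__main__":
    print(demo())  # (0, 19): stateless sees no window at all, stateful sees all 19
```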