Transcript How to Own the Internet In Your Spare Time!

How to Own the
Internet In Your
Spare Time!
Group III
Bill Barnes, Jeanann Boyce, Joe
Braccia, Tonya Stephens,
Resources
http://www.cs.berkeley.edu/~nweaver/cdc.web/cdc.
pdf
http://www.cfz.org.uk/
web.mit.edu
www.whitehouse.gov
www.cert.com
www.governmentsecurity.org
www.infosec.net
Introduction
• Denial of service DDOS attacks- control
hosts on the Web to do enormous damage
• Bring down:
–
–
–
–
–
–
E-commerce sites
News outlets
Command and coordination infrastructure
Routers
Root name servers
Collect sensitive information –passwords, credit
card numbers, address books, archived email,
• Sow confusion and chaos by distributing
false information
•
•
•
•
Problem
“The Internet is an insecure
place. Many of the protocols
used in the Internet do not
provide any security. Tools to
"sniff" passwords off of the
network are in common use by
malicious hackers.
Worms, viruses challenge the
security of the Internet
Interruptions of Networks and
Denial of Service
Corruption of sensitive
information
Excerpt from web.mit.edu
Code Red – version I
• Used Microsoft’s web server .ida
vulnerability
• Launched 99 threads of random IP
addresses. Random number generator
initialized on a fixed seed, so all IP
addresses had the same fixed seed.
• Linear spread, could be stopped with
relative ease.
Progression of the Infection
• Binomial distribution – each server is
either infected or not, until all servers are
infected
Inf
Inf
Inf
Inf
Inf
Inf
Inf
Inf
Inf
Inf
Code Red II
Was not really code red
Code Red II
• Code Red left back doors in infected
systems
• Code Red II was really the residue of
Code Red
• It lead to the spread of another worm the
Nimda Worm
Code Red I version II
• Spread through mailing lists discussion
• Now used random number generation for
IP address
• DDOS payload targeting
www.whitehouse.gov
• Worm turned itself off as a result of an
internal constraint, then turned itself back
on August 1 (still continues to reappear)
The arbitrary reappearance is called the
Random Constant Spread Model (RCS)
Spreading of Nimda Worm
• from client to client via email
• from client to client via open network shares
• from web server to client via browsing of compromised
web sites
• from client to web server via active scanning for and
exploitation of various Microsoft IIS 4.0 / 5.0 directory
traversal vulnerabilities (VU#111677and CA-2001-12)
• from client to web server via scanning for the back doors
left behind by the "Code Red II" (IN-2001-09), and
"sadmind/IIS" (CA-2001-11) worms
E-mail
• Arrives as an email
• Has a readme.exe attachment
• The text in the subject line of the mail
message is variable.
• There are many slight variations
• The worm will attempt to resends the
infected email messages every 10 days.
Where does it mail itself?
• The email addresses targeted are taken
from two sources
• The html files in the user's web cache
folder
• The contents of the user's email messages
On a Server
• The infected client transfers a copy of the
Nimda code via tftp (69/UDP) to any IIS
server that it scans and finds vulnerable. T
• On the server machine, the worm
traverses each directory in the system and
writes a MIME- copy of itself to disk with
.eml or .nws extensions.
• Any web content files found, are appended
with JavaScript
More Damage
• In order to further expose the machine, the
worm
• enables the sharing of the c: drive as C$
• creates a "Guest" account on Windows NT
and 2000 systems
• adds this account to the "Administrator"
group.
On it Goes
• Furthermore, the Nimda worm creates
Trojan horse copies of legitimate
applications.
• These will first execute the Nimda code
further infecting the system.
Impact
• Intruders can execute commands within the
LocalSystem security context on machines.
• On a client the worm will be run with the same
privileges as the user who triggered it.
• Hosts infected will be party to attacks on other
Internet sites. The high scanning rate of the
Nimda worm may also cause bandwidth denialof-service conditions on networks with infected
machines.
Problem
• The worm spreads with a binomial
progression
• The problem is getting the start
• A large number of machines are protected
• This slows down the worm in the initial
stages
Solution: Better Worms
•
•
•
•
Hit list scanning
Permutation scanning
Topologically aware worms
Internet scale hit list
Hit list scanning
• The code writer develops a list of
potentially vulnerable machines and starts
there
– Port Scans
– Distributed Scans
– DNS Scans
– Spiders
– Surveys
– Listening in on newsgroups and chats
Permutation scanning
• Scan is random but starts at the point of
the present infection on the current
machine.
• This provides a coordinated scan.
• This keeps the infection rate high.
Topologically aware worms
• The virus infects a host.
• Information on the host is used to develop
new targets.
• Non random spread to targeted systems
occurs.
Stealth Worm
• Elegant
– A host server is infected
– The host checks each machine coming to the
site for vulnerability
– When a client is found vulnerable the worm
goes to the client.
– As the client surfs he spreads the worm to
other servers
The Dreaded Mongolian Death
Worm
• Attacks
– spits yellow saliva that works like powerful
acid
– generates electrical discharges powerful
enough to kill a camel
• Is probably not a worm
– Scientists think it is a limbless, burrowing
reptile, probably a giant member of a group of
reptiles known as worm lizards
Last Known Site of M.D.W
For the latest breaking news about the Mongolian Death Worm:
http://www.cfz.org.uk/
Updates and Controls
• Goner mail worm [CE02] contained
primitive remote control code
• Code Red II contain a form of unlimited
remote control
• Darwin and Bigfoot
– Next evolution
– We haven’t seen it yet, but believe it’s out
there
Distributed Control
• The worms have:
– a list of other known, running copies of the
worm
– an ability to create encrypted communication
channels to spread information
• The worms can:
– Verify the command
– Share the command
– Execute the command
Distributed Control
• The really rotten part:
– any command can be initially sent to an any
worm instance
– it spreads to all running copies
Degree of Connectivity
• the average degree of nodes in the worm
network is 4 when 95% infection is achieved
• The average degree of nodes in the worm
network is 5.5 when 99% infection is achieved.
• each permutation based rescan will add 2 to the
degree of every worm,
– Representing the copy discovered by each instance
– The copy which discovers each instance.
– Multiple rescans increase the connectivity between
worms without additional communication between the
worm instances.
Programmatic Updates
• Dynamic code loading is supported by
many Operating Systems
– The worm author can exploit this
“convenience”
• The combo of flexible language and a
small interpreter leads to greater worm
control
New Attack Models and Seeds
•
•
•
•
New security hole found
Attack created
Released on the worm network
Quick Worm Propagation
Cryptographic Modules
• If home grown, then it maybe so-so
• If it exploits say, OpenSSL, then
widespread panic and mass chaos may
ensue
Solution:
Create a Cyber CDC
“Center for Disease Control”
Cyber CDC Mission
• Monitor the national and worldwide
progression of various forms of disease
• Identify incipient threats and new outbreaks
• Actively foster research for combating
various diseases and other health threats.
Roles of Cyber CDC
• Identify outbreaks
• Rapidly analyze pathogens
• Fight infections
• Anticipate new vectors
• Proactively devise detectors for new vectors
• Resist future threats
Role 1 – Identify Outbreaks
Identify and analyze malicious code events before a fast active worm
reaches saturation.
•
Task 1
develop robust communication mechanisms for gathering and coordinating “field
information”
• Mechanisms would likely be (i) decentralized, and (ii) span multiple
communication mechanisms (e.g., Internet, cellular, pager, private line).
•
Task 2
Sponsor research in automated mechanisms for detecting worms based on traffic
patterns;
• Foster the deployment of a widespread set of sensors. The set of sensors
must be sufficiently diverse or secret such that an attacker cannot design
their worm to avoid them – but there are policy issues concerning privacy
and access control
Role 2 – Rapidly analyzing pathogens
Once a worm pathogen is identified, the next step is to understand (i) how it
spreads and (ii) what it does in addition to spreading.
CDC Task
• Procure and develop state-of-the-art program
analysis tools, to assist an on-call group of experts.
• Tools would need to go beyond simple disassembly
– i.e. recognize variants from a library of different
algorithms and components using a variety of
development toolkits, and also components from
previous worms, which would be archived in detail by
a CDC staff librarian.
Role 3 -- Fighting infections
Retard the progress or subsequent application of the worm
CDC Task
.
• Establish mechanisms to propagate
signatures describing how worms and their
traffic can be detected and terminated or
isolated, and deploy an accompanying
body of agents that can then apply the
mechanisms
Role 4 -- Anticipating new vectors
Proactive -- identify incipient threats using techniques which would also apply
to the numerous strains of zombies present on the Internet, as they too are a
significant resource for an attacker.
CDC Task
• Track the use of different applications in the Internet, to detect
when previously unknown ones begin to appear in widespread
use via conventional traffic monitoring variables such as
TCP/UDP port numbers.
CDC Task
• Analyze the threat potential of new applications. How widely
spread might their use become? How homogeneous are the
clients and servers? What are likely exploit strategies for
subverting the implementations? What are the application’s
native communication patterns?
Role 5 -- Proactively devising detectors
Deploy analyzers that understand how the protocol functions, to have some
hope of detecting contagion worms as they propagate.
CDC Task
•
Foster
the development of application analysis modules
suitable for integration with the intrusion detection
systems in use by the CDC’s outbreak identification
elements.
Role 6 -- Resisting future threats
Shift the makeup of Internet applications such that they become much less
amenable to abuse – e.g. this may entail broader notions of sandboxing, type
safety, and inherent limitations on the rate of creating connections and the
volume of traffic transmitted over them.
CDC Task
• Foster research into resilient application design
paradigms and infrastructure modifications that
(somehow) remain viable for adaptation by the
commercial software industry, perhaps assisted
by legislation or government policy.
CDC Task
• Vet applications as conforming to a certain
standard of resilience to exploitation, particularly
self propagating forms of exploitation.
Issues for the CDC
Implementation is challenging -• Open, shared DB???
• Competes with private sector interests – McAffee et. al.
• Authenticating inputs from field sources – a lengthy manual assessment
which slows the collection of vital information
• Presents a target for side-attacks which would cripple the analysis effort
• Provides experiential information to attacker which would help them hone
their attacks
• Boundary -- National vs International
A Pikachu Production
This presentation
brought to you by
Pikachus every
where!