How to 0wn the Internet In Your Spare Time
Authors
Stuart Staniford, Vern Paxson, and Nicholas Weaver
Appears in
Proceedings of the 11th USENIX Security Symposium
(Security '02)
Presented by
Peter Matthews
Overview
Introduction
The Code Red Worm
Creating a Better Worm in Practice
Creating a Better Worm in Theory
Code Red II
Nimda
Hit-list
Topological
Permutation
Warhol
Flash
Stealth worms
Updates and control
Cyber Center for Disease Control
Paper analysis
Introduction
Worm vs. Virus
If one controlled a million hosts…
Human-mediated response time is far too slow for a fast worm
Code Red I v1
July 12th, 2001
Exploited a known vulnerability in Microsoft's Internet Information Server (IIS)
Buffer overflow in a rarely used ISAPI extension (the .ida Indexing Service filter, idq.dll); disclosed by eEye on June 18th, 2001
1st – 19th of each month: attempts to spread
Random scanning of IP address space
100 threads: 99 propagate, the 100th defaces the server's pages (on systems whose default language is English)
Static random number generator seed
Every worm copy scans the same set of addresses
Linear growth
Code Red I v1
20th – 28th of each month: attacks
DDOS attack against 198.137.240.91
(www.whitehouse.gov)
Memory resident: rebooting removes the worm, but an unpatched host is quickly reinfected
Code Red I v2
July 19th, 2001
Largely same codebase – same author?
Ends website defacements
Fixes the random number generator seeding bug, so each copy scans a different random sequence
Infected population grew exponentially
359,000 hosts infected in 14 hours
Compromised almost all vulnerable IIS servers on internet
Analysis of Code Red I v2
Random Constant Spread (RCS) model
Constants
N = total number of vulnerable machines
K = initial compromise rate: hosts each infected copy compromises per hour while almost nothing is yet infected
T = time constant fixing when the incident takes place (a = 1/2 at t = T)
Variables
a = proportion of vulnerable machines compromised
t = time in hours
"Logistic equation"
Growth law of an epidemic in a finite population when every entity is equally likely to infect any other entity
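The equations behind these definitions, written out here (added to the slide; they are the paper's RCS model in the slide's own symbols N, K, T, a, t):

$$ N\,\frac{da}{dt} \;=\; (N a)\,K\,(1-a) $$

Each of the $Na$ infected hosts compromises $K$ new hosts per hour when almost nothing is infected; once a fraction $a$ is infected, only $(1-a)$ of the vulnerable hosts it reaches are still uninfected. Dividing by $N$ and solving,

$$ \frac{da}{dt} = K\,a\,(1-a), \qquad a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}, $$

with $T$ the integration constant ($a(T) = 1/2$). For $a \ll 1$ this is $a \approx e^{K(t-T)}$: exponential growth at rate $K$, so starting from one host the time to reach half the population is about $\ln N / K$, which is the "slow start" the hit-list technique below removes.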
Code Red I v2 – Plot
Fit: K = 1.8 (per hour), T = 11.9 (hours)
Hourly probe rate data for inbound port 80 at the Chemical Abstracts Service during the initial outbreak of Code Red I v2 on July 19th, 2001; the probe rate is proportional to the number of infected hosts, which is what makes the fit possible
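How such a fit is obtained in practice, as an added example (not the paper's code): the logistic curve linearizes as ln(a/(1-a)) = K t - K T, so K and T fall out of an ordinary least-squares line through the logit of the observed fractions. The probe series below is constructed from the model itself with the slide's K and T, standing in for the CAS data; a sensor only sees probe counts, so the code normalizes by the post-saturation plateau to recover the fraction a.

```python
"""Random Constant Spread (logistic) model: evaluate, fit, and read off growth times."""
import math

K_PAPER, T_PAPER = 1.8, 11.9      # the slide's fit for Code Red I v2; t in hours

def rcs_fraction(t, K=K_PAPER, T=T_PAPER):
    """a(t): fraction of vulnerable hosts compromised at hour t."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))

def logit(a):
    return math.log(a / (1 - a))

def fit_rcs(observations):
    """Least-squares fit of K and T to (t, a) points using logit(a) = K*t - K*T.
    Points with a outside (0.02, 0.98) are dropped: the logit amplifies measurement
    noise near 0 and 1, so the tails of a real outbreak are nearly useless for the fit."""
    pts = [(t, logit(a)) for t, a in observations if 0.02 < a < 0.98]
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((t - mt) ** 2 for t, _ in pts)
    sxy = sum((t - mt) * (y - my) for t, y in pts)
    K = sxy / sxx
    T = mt - my / K
    return K, T

def hours_between(a_lo, a_hi, K=K_PAPER):
    """Time for the epidemic to grow from fraction a_lo to a_hi (logit difference over K)."""
    return (logit(a_hi) - logit(a_lo)) / K

def constructed_probe_series(scale=50_000, hours=range(6, 20)):
    """Sensor-style data: hourly probe counts proportional to the infected population.
    Constructed from the model; not the paper's measurements."""
    return [(h, scale * rcs_fraction(h)) for h in hours]

def fit_from_probe_counts(series):
    """A sensor sees counts, not fractions: normalize by the saturation plateau, then fit."""
    plateau = max(count for _, count in series)
    return fit_rcs([(h, count / plateau) for h, count in series])

if __name__ == "__main__":
    K, T = fit_from_probe_counts(constructed_probe_series())
    print(f"recovered K={K:.3f}/h, T={T:.2f} h")
    print(f"10% -> 90% of vulnerable hosts takes {hours_between(0.1, 0.9, K):.2f} h")
```

With the slide's constants the outbreak goes from 10% to 90% of the vulnerable population in ln(81)/1.8, about 2.4 hours, which is the window a human-mediated response would have had.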
“Better” Worms – In Practice
Code Red II
August 4th, 2001
Exploits same vulnerability, unrelated codebase
No defacement or DDOS, installs backdoor for
unrestricted access
Designed to stop propagating on October 1st,
2001.
Localized Scanning
Chooses each target address from the infected host's own class A (/8) range with probability 1/2
from its own class B (/16) range with probability 3/8
from the entire IPv4 range with probability 1/8
Quickly infects parts of internet with many
vulnerable hosts
Spreads very rapidly inside internal network if
manages to pass through external firewall
No analytical model or empirical data given
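The target-selection mixture above as runnable code, together with the detection side of it, as an added example (not Code Red II's code): a host that concentrates its probes inside its own /16 and /8 stands out sharply from a uniform scanner in any per-source flow summary. The probe log is constructed; the source addresses 10.20.30.40 and 172.16.5.6 are placeholders.

```python
"""Code Red II style localized target selection, and a per-source locality check."""
import ipaddress
import random
from collections import defaultdict

def code_red_ii_target(own_ip, rng):
    """One scan target with the slide's mixture: 1/2 same /8, 3/8 same /16, 1/8 anywhere."""
    own = int(ipaddress.IPv4Address(own_ip))
    r = rng.random()
    if r < 1 / 2:                                   # keep the first octet
        target = (own & 0xFF000000) | rng.getrandbits(24)
    elif r < 1 / 2 + 3 / 8:                         # keep the first two octets
        target = (own & 0xFFFF0000) | rng.getrandbits(16)
    else:                                           # anywhere in IPv4 space
        target = rng.getrandbits(32)
    return str(ipaddress.IPv4Address(target))

def uniform_target(own_ip, rng):
    """Code Red I style: every address equally likely."""
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))

def locality_scores(flows):
    """For each source, the fraction of its probes that stayed in its own /16 and /8.
    flows: iterable of (src_ip, dst_ip). A uniform scanner scores about 1/65536 and
    1/256; a Code Red II host scores about 0.38 and 0.88."""
    per_src = defaultdict(lambda: [0, 0, 0])        # [total, same /16, same /8]
    for src, dst in flows:
        s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
        counts = per_src[src]
        counts[0] += 1
        if s >> 24 == d >> 24:
            counts[2] += 1
            if s >> 16 == d >> 16:
                counts[1] += 1
    return {src: (c[1] / c[0], c[2] / c[0]) for src, c in per_src.items()}

def synthetic_flows(n, seed=1):
    """Constructed probe log: one Code Red II host and one uniform scanner, n probes each."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        flows.append(("10.20.30.40", code_red_ii_target("10.20.30.40", rng)))
        flows.append(("172.16.5.6", uniform_target("172.16.5.6", rng)))
    return flows

if __name__ == "__main__":
    for src, (same16, same8) in locality_scores(synthetic_flows(20_000)).items():
        print(f"{src:>14}: {same16:.3f} of probes in own /16, {same8:.3f} in own /8")
```

The same locality is why the worm races through an internal network once one host behind the firewall is infected: three probes in eight land in the victim's own /16, where the density of sibling IIS servers is far higher than on the Internet at large.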
“Better” Worms – In Practice
Nimda
September 18th, 2001
Multi-vector worm using 5 propagation vectors
Exploits same IIS vulnerability
Bulk-emails itself as an attachment to addresses found on infected
machine
Copies itself via open network shares
Adds browser exploit code to web pages on infected servers
Scans for backdoors left behind by other worms
Shares C:\ drive
Creates “Guest” account in administrator group of NT, 2000
systems
Crossed Firewalls via E-mail
HTTP connections per second seen at the Lawrence Berkeley National
Laboratory, rising due to the onset of Nimda, September 18.
Better Worms – in Theory
Hit-list Scanning
A random-scanning worm spends most of its time getting off the ground: the first handful of infections is the slow part
Worm author collects a list of, say, 10,000 vulnerable machines in advance
Worm initially attempts to infect these hosts, so it starts from thousands of copies instead of one
Hit-list Scanning
How to build Hit-List
Stealthy randomized scan over number of months
Distributed scanning via botnet
DNS searches – e.g. assemble domain list,
search for IP address of mail server in MX records
Web crawling spider similar to search engines
Public surveys – e.g. Netcraft
Listening for announcements – e.g. vulnerable IIS
servers during Code Red I
Permutation Scanning
All copies share a pseudo-random permutation of the IP address space (e.g. encrypt the index with a 32-bit block cipher under a fixed key)
A host infected from the hit-list starts scanning just after its own point in the permutation; a host found by permutation scanning starts at a random point
When a copy hits an already-infected machine, it knows another copy is already working that stretch and picks a new random start point
Self-coordination reduces duplicate scanning
Once copies keep meeting already-infected machines they can conclude the population is saturated and go dormant
Warhol Worm
Simulation shows that combining the two previous techniques, a worm scanning at 100 scans/sec can infect 300,000 hosts in under 15 minutes
Conventional = 10 scans/sec
Fast Scanning = 100 scans/sec
Warhol = 100 scans/sec,
Permutation scanning and
10,000 entry hit list
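A scaled-down version of that comparison, as an added example (not the paper's simulator): a 2^17-address space with 3,000 vulnerable hosts, each copy probing 10 addresses per tick, run once with Code Red style random scanning from a single host, once with random scanning from a 100-entry hit-list, and once with the hit-list plus permutation scanning as described on the previous slide. The affine map standing in for the paper's block-cipher permutation, the population sizes and the seed are assumptions of the example.

```python
"""Toy outbreak simulation: random scanning vs. hit-list plus permutation scanning."""
import random

SPACE_BITS = 17                 # scaled-down "Internet": 2**17 addresses
SPACE = 1 << SPACE_BITS
N_VULNERABLE = 3000             # vulnerable hosts hidden in that space
SCANS_PER_TICK = 10             # probes each infected copy sends per tick

# Shared permutation of the address space. The paper suggests encrypting the index with
# a 32-bit block cipher under a fixed key; an affine map with an odd multiplier is a
# bijection on a power-of-two space and stands in for the cipher here (assumption).
PERM_A = (0x2545F491 | 1) % SPACE
PERM_C = 0x9E3779B9 % SPACE
PERM_A_INV = pow(PERM_A, -1, SPACE)

def perm(index):
    """Permutation index -> address ("encrypt")."""
    return (PERM_A * index + PERM_C) % SPACE

def perm_inverse(address):
    """Address -> permutation index ("decrypt")."""
    return ((address - PERM_C) * PERM_A_INV) % SPACE

def simulate(strategy, hitlist_size, seed, max_ticks=2000):
    """Run one outbreak. Returns (ticks to 50% infected, ticks to 90%, probes sent).

    strategy: "random" (Code Red style uniform scanning) or "permutation".
    hitlist_size: vulnerable hosts the author knew in advance (1 = no hit-list).
    """
    rng = random.Random(seed)
    vulnerable = rng.sample(range(SPACE), N_VULNERABLE)
    vulnerable_set = set(vulnerable)
    infected = set(vulnerable[:hitlist_size])
    # Hit-list hosts start scanning just after their own point in the permutation.
    cursor = {h: (perm_inverse(h) + 1) % SPACE for h in infected}
    half, goal = N_VULNERABLE // 2, int(0.9 * N_VULNERABLE)
    ticks_half, probes = None, 0
    for tick in range(1, max_ticks + 1):
        for host in list(infected):             # copies infected this tick start next tick
            for _ in range(SCANS_PER_TICK):
                probes += 1
                if strategy == "random":
                    target = rng.randrange(SPACE)
                    if target in vulnerable_set and target not in infected:
                        infected.add(target)
                elif strategy == "permutation":
                    idx = cursor[host]
                    cursor[host] = (idx + 1) % SPACE
                    target = perm(idx)
                    if target in infected:
                        # Another copy already owns this stretch: jump somewhere new.
                        cursor[host] = rng.randrange(SPACE)
                    elif target in vulnerable_set:
                        infected.add(target)
                        # Hosts found by permutation scanning start at a random point.
                        cursor[target] = rng.randrange(SPACE)
                else:
                    raise ValueError(f"unknown strategy {strategy!r}")
        if ticks_half is None and len(infected) >= half:
            ticks_half = tick
        if len(infected) >= goal:
            return ticks_half, tick, probes
    return ticks_half, max_ticks, probes

if __name__ == "__main__":
    for label, strategy, hitlist in (("random, 1 host", "random", 1),
                                     ("random, 100-entry hit-list", "random", 100),
                                     ("permutation, 100-entry hit-list", "permutation", 100)):
        t50, t90, probes = simulate(strategy, hitlist, seed=7)
        print(f"{label:>32}: 50% at tick {t50}, 90% at tick {t90}, {probes} probes")
```

Two things the toy makes visible. The hit-list removes the slow start: from 100 copies the population reaches 50% in roughly ln(15)/K ticks instead of ln(1500)/K from one copy (K = 10 x 3000 / 2^17 per tick here). The permutation scanner's gain, by contrast, is modest: a copy that jumps into a stretch someone else has already covered has to probe about SPACE/N_VULNERABLE addresses before it meets an infected host and realizes it, so in the late phase it wastes as much effort as a random scanner does on re-probing. Its real value is coordination: copies learn that the population is saturating and can stop, and a partitioned variant, in which an infector hands half of its remaining range to each host it infects, removes most of the wasted re-walking.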
Topological Scanning
Alternative to hit-list scanning
Uses information in infected host to select new
targets
Web servers in host’s caches
P2P peers
Mail servers in user’s address book
Flash Worms
Worm contains list of all vulnerable hosts on the
internet
Could scan entire internet with an OC-12 in 2 hours
9 million servers = 36 MB address list
Differenced & Compressed = 7.5 MB
List divided into n segments
Worm attacks top server in each segment, if infects then
distributes this list segment to child worm
Infection tree for 3 million servers with n = 10 is only 7
layers deep
With fast enough servers near root of tree, could infect
most vulnerable servers in < 30 seconds
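The hand-off scheme in the last four bullets, as an added example (not the paper's code): each worm instance splits the list it was handed into n segments, attacks the first host of each segment, and passes that segment's remainder to the new child, so the tree's depth is the number of times the list can be divided by n. The host lists are constructed integers standing in for addresses.

```python
"""Flash-worm infection tree: segment hand-off and depth."""

def segment(hosts, n):
    """Split a list into at most n nearly equal contiguous segments (empty ones dropped)."""
    q, r = divmod(len(hosts), n)
    out, start = [], 0
    for i in range(n):
        size = q + (1 if i < r else 0)
        if size:
            out.append(hosts[start:start + size])
            start += size
    return out

def flash_layers(hosts, n):
    """Return the infection layers: layer k lists the hosts attacked by layer k-1.
    Every instance attacks the first host of each of its n segments and hands that
    segment's remainder to the child it just created."""
    layers = []
    frontier = [hosts]                       # lists still to be worked, one per instance
    while any(frontier):
        this_layer, next_frontier = [], []
        for todo in frontier:
            for seg in segment(todo, n):
                this_layer.append(seg[0])    # attack the top of the segment
                if len(seg) > 1:
                    next_frontier.append(seg[1:])   # child inherits the rest
        layers.append(this_layer)
        frontier = next_frontier
    return layers

def depth(k, n):
    """Layers needed for k hosts, without materializing the list (segment sizes only)."""
    if k <= 0:
        return 0
    if k <= n:                               # one segment per host: attacked directly
        return 1
    q, r = divmod(k, n)
    child_sizes = {q + 1, q} if r else {q}   # segments differ in size by at most one
    return 1 + max(depth(s - 1, n) for s in child_sizes)

def bytes_per_instance(k, n):
    """Address-list bytes an instance holding k hosts must send on to its children
    (4 bytes per IPv4 address, uncompressed): about 4k regardless of depth."""
    return sum(4 * (len(seg) - 1) for seg in segment(list(range(k)), n))

if __name__ == "__main__":
    print("3,000,000 hosts, n=10 ->", depth(3_000_000, 10), "layers")
    layers = flash_layers(list(range(1000)), 10)
    print("1000 hosts, n=10 -> layer sizes", [len(l) for l in layers])
```

Two properties worth checking on any such schedule: every host appears in exactly one layer (no duplicate attacks, nothing missed), and the list an instance has to forward is about the size of the list it received, so the 36 MB address list is only ever sent whole by the root, once.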
Stealth Worms
Slow spread rate, so the worm never triggers the countermeasures a fast outbreak would
Web-server to client to web-server…
P2P Clients
High degree of host connectivity, large amount of
traffic, poor traffic monitoring.
Minimize change in traffic pattern
Updates and Control
Why?
Exploit new vulnerabilities, fix bugs, add new
functionality on demand
Historically implemented via IRC channels
and web servers.
Updates and Control
Distributed control
Each copy keeps a list of a subset of the other infected hosts
The author cryptographically signs a command and sends it to a few hosts
Each copy verifies the signature, executes, and forwards the command to the hosts it knows
Control is decentralized: no single server to take down
However, the peer graph must be connected, or an isolated subset never receives the command
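The exchange described above, as an added example (not from the paper): a command carries a sequence number and a signature, each copy verifies before executing, executes a given command only once, and floods it to the peers it knows. Python's standard library has no public-key signatures, so an HMAC under a key that only the controller would hold stands in for the asymmetric signature (an assumption for illustration; in the real design each copy holds only the controller's public key, so a copy captured by defenders cannot forge commands, whereas with HMAC every copy could). The ten-host topology is constructed to show the connectivity requirement.

```python
"""Signed-command flooding over a partial peer graph."""
import hashlib
import hmac
import json

CONTROLLER_KEY = b"constructed-controller-key"   # stand-in for the controller's signing key

def _payload(seq, body):
    return json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()

def sign_command(seq, body, key=CONTROLLER_KEY):
    """Controller side. seq is a monotonically increasing counter for replay protection."""
    sig = hmac.new(key, _payload(seq, body), hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "sig": sig}

def verify_command(cmd, key=CONTROLLER_KEY):
    expected = hmac.new(key, _payload(cmd["seq"], cmd["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cmd["sig"])

class Copy:
    """One infected host: knows a subset of peers, verifies, executes once, forwards."""
    def __init__(self, name):
        self.name, self.peers, self.last_seq, self.executed = name, [], -1, []

    def receive(self, cmd):
        if not verify_command(cmd):       # forged or tampered: drop, do not forward
            return False
        if cmd["seq"] <= self.last_seq:   # replay, or already seen via another peer
            return False
        self.last_seq = cmd["seq"]
        self.executed.append(cmd["body"])
        for peer in self.peers:           # flood to the peers this copy knows about
            peer.receive(cmd)
        return True

def build_population(bridge=True):
    """Two groups of five copies, each fully meshed; one directed link h4 -> h5 joins them.
    Constructed topology: with bridge=False the graph is disconnected."""
    copies = [Copy(f"h{i}") for i in range(10)]
    for group in (copies[:5], copies[5:]):
        for c in group:
            c.peers = [p for p in group if p is not c]
    if bridge:
        copies[4].peers.append(copies[5])
    return copies

def issue(copies, cmd, entry=0):
    """Inject cmd at one copy; return how many copies ended up executing it."""
    copies[entry].receive(cmd)
    return sum(1 for c in copies if cmd["body"] in c.executed)

if __name__ == "__main__":
    print("connected:   ", issue(build_population(True), sign_command(1, "update:v2")), "of 10")
    print("disconnected:", issue(build_population(False), sign_command(1, "update:v2")), "of 10")
    print("forged:      ", issue(build_population(True), sign_command(1, "x", key=b"other")), "of 10")
```

The sequence number does double duty: it stops replay of a captured command and terminates the flood, since a copy forwards only the first valid copy it sees. The cost is ordering: a command that arrives after a newer one has already been accepted is dropped, so the controller must number commands in the order it wants them applied.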
Cyber "Center for Disease Control"
Paper calls for creation of a digital analog of the Centers for Disease Control and Prevention
Identifying outbreaks
Rapidly analyzing pathogens
Analyze threat potential of new applications
Proactively devising detectors for new vectors
Establish network for worm signature propagation
Development of agents to terminate/isolate worms
Anticipating new vectors
Develop program analysis tools
Fighting infections
Widespread deployment and use of sensors along Internet
Detection of worms based on their traffic patterns
Develop application analysis tools
Resisting future threats
Foster research into infrastructure modifications and application development
paradigms that are more resilient
Strengths of Paper
Published quickly with quite good model and
analysis
Novel ideas
Warhol forecast vindicated by the Sapphire/Slammer worm (January 2003)
Number of infected hosts doubled every 8.5 seconds at peak
90% of vulnerable machines infected within 10 minutes
Weaknesses of Paper
No consideration of CERT
  Funded by federal government
  2003: US-CERT attempts to help prevent cyber attacks, protect systems, and respond to the effects of cyber attacks across the Internet
Simulations over-simplify matters
  For example, no consideration of network congestion
  TCP-centric
Data from a very limited number (2) of sites used in assessing worm strength / growth
References
eEye Digital Security, "ANALYSIS: .ida 'Code Red' Worm", research.eeye.com/html/advisories/published/AL20010717.html
CAIDA, "Analysis of Code-Red", www.caida.org/analysis/security/code-red/
eEye Digital Security, "ANALYSIS: CodeRed II Worm", research.eeye.com/html/advisories/published/AL20010804.html
CERT Advisory CA-2003-04, "MS-SQL Server Worm", http://www.cert.org/advisories/CA-2003-04.html
CERT Advisory CA-2001-26, "Nimda Worm", http://www.cert.org/advisories/CA-2001-26.html
CERT, www.cert.org
Staniford, Paxson, and Weaver, "How to 0wn the Internet in Your Spare Time", Proceedings of the 11th USENIX Security Symposium (Security '02)
Questions?