Dec 4, 2013
How to 0wn the Internet in your
spare time & A worst case worm

Stuart Staniford,
Vern Paxson,
Nicholas Weaver

Presented by:

Jesus Morales

Overview

- How to 0wn the Internet in your spare time
  - Worms
  - Analytical spread model
  - Worm improvements
  - Cyber CDC
- A worst-case worm
  - Linear cost model
  - The attack
  - Damage estimations

How to 0wn the Internet in your spare time

- The problem: an attacker controlling a high number of hosts on the Internet could cause much damage
  - DDoS attacks: shut down much of the Internet
  - Access / disperse sensitive information
  - Corrupt information
- The way: worms

Worms [Worms]

- Worms, formally known as "automated intrusion agents", are software components that are capable, using their own means, of infecting a computer system and then using it in an automated fashion to infect other systems.
- A virus, by contrast, cannot spread/infect on its own.

Code Red I (July 2001) [Worms]

- Began: July 12, 2001
- Exploit: Microsoft IIS web servers (buffer overflow)
- Named "Code Red" because:
  - the folks at eEye Digital Security worked through the night to identify and analyze the worm, drinking "Code Red" Mountain Dew to stay awake
  - the worm defaced some websites with the phrase "Hacked by Chinese!"
- Launched 99 threads on each infected host; each thread generated random IP addresses and tried to compromise them
- Version 1 (CRv1) infected few hosts because it used a static seed in its random number generator, so every copy scanned the same sequence of addresses. Version 2 (CRv2) came out on July 19th with this "bug" fixed and spread rapidly.
- The worm's behaviour each month:
  - 1st to 19th: spread by infection
  - 20th to 27th: launch a DoS attack on www.whitehouse.gov
  - 28th to end of month: dormant
- CRv2 infected more than 359,000 hosts in under 14 hours.

Code Red: Analytical model

- Simplifying assumptions:
  - No patching
  - No firewalls
  - No churn
  - Infection rate is proportional to
    - the number of hosts already infected, and
    - the number of hosts not yet infected but susceptible
- Result: the logistic equation, well known for epidemics in finite systems:

$$\frac{da}{dt} = K\,a\,(1 - a), \qquad a(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$

where $a$ is the infected fraction, $K$ the initial compromise rate, the factor $(1-a)$ produces the saturation as susceptible hosts run out, and $T$ is a constant of integration that fixes the time position of the incident.

Code Red I: initial and re-emergence outbreaks (figure: the 19 July outbreak with its logistic fit, and the worm's return on 1 August when its clock rolled into a new month)

Improvements: Localized scanning [Network Security II]

- Observation: the density of vulnerable hosts in the IP address space is not uniform
- Idea: bias scanning towards the local network
- Used in Code Red II:
  - P = 0.50: choose an address from the local class-A network (/8)
  - P = 0.38: choose an address from the local class-B network (/16)
  - P = 0.12: choose a random address
- Allows the worm to spread more quickly

Code Red II (August 2001) [Worms]

- Began: August 4th, 2001
- Exploit: Microsoft IIS web servers (the same buffer overflow as Code Red I)
- Named "Code Red II" because it contained a comment stating so; the code base, however, was new
- Infected IIS on Windows 2000 successfully, but caused a system crash on Windows NT
- Installed a root backdoor on the infected machine

Improvements: Multi-vector [Network Security II]

- Idea: use multiple propagation methods simultaneously
- Example: Nimda
  - IIS vulnerability
  - Bulk e-mails
  - Open network shares
  - Defaced web pages
  - Code Red II backdoor

Onset of Nimda (figure): HTTP connections/second seen at LBNL on 18 September 2001 (PDT), counting only confirmed Nimda attacks; the ramp-up annotated on the plot spans 1/2 hour.

Improvements: Hit-list scanning [Network Security II]

- Problem: spread is slow during the initial phase
- Idea: collect a list of promising targets before the worm is released, e.g. by
  - Low-profile "stealthy" scan
  - Distributed scan
  - Spider/crawler
  - Surveys or databases
  - Attacks from other worms
- Low overhead, since the list shrinks quickly (each new victim is handed half of the remaining list)

Improvements: Permutation scanning [Network Security II]

- Problem: with random scanning, many addresses are scanned multiple times
- Idea: generate a pseudo-random permutation of all IP addresses, shared by every copy of the worm, and scan in that order
- Hit-list hosts start at their own position in the permutation
- When an already-infected host is found, restart at a random point
- Can be combined with a divide-and-conquer approach

(Diagram: hosts H0 through H4 each start at their own position in the permutation; H1, on reaching an already-infected host, restarts at a random point.)
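A toy implementation of the permutation-scanning scheme described above, with divide-and-conquer start positions and the restart rule, set against plain random scanning so the wasted-probe problem is visible. This is an added example, not code from the deck, the lecture notes or the paper: it assumes a 16-bit address space instead of the full IPv4 space and uses an affine map x -> a*x + b mod 2^16 as the keyed permutation (the paper suggests a 32-bit block cipher; any keyed bijection works).

```python
import random

BITS = 16                    # toy address space (the paper uses the 32-bit IPv4 space)
SPACE = 1 << BITS
MASK = SPACE - 1

def make_permutation(seed):
    """Keyed bijection on [0, SPACE). An affine map x -> a*x + b (mod 2^BITS) with an
    odd multiplier is invertible, so walking i = 0, 1, 2, ... visits every address
    exactly once. Every copy of the worm shares the key (a, b) and hence the ordering."""
    rng = random.Random(seed)
    a = rng.randrange(1, SPACE, 2)      # odd => coprime with 2^BITS => invertible
    b = rng.randrange(SPACE)
    return lambda i: (a * i + b) & MASK

def random_scan(n_hosts, probes_per_host, seed=0):
    """Baseline: every host draws targets independently and uniformly (Code Red style)."""
    rng = random.Random(seed)
    return [rng.randrange(SPACE) for _ in range(n_hosts * probes_per_host)]

def permutation_scan(n_hosts, probes_per_host, seed=0):
    """Permutation scanning with divide-and-conquer: host h starts at index
    h*SPACE//n_hosts of the shared permutation and walks forward, so the hosts
    cover disjoint stretches of the ordering instead of re-probing each other's targets."""
    perm = make_permutation(seed)
    stride = SPACE // n_hosts
    probes = []
    for h in range(n_hosts):
        start = h * stride
        probes.extend(perm((start + k) & MASK) for k in range(probes_per_host))
    return probes

def walk_with_restart(perm, start, already_infected, steps, rng):
    """The slide's restart rule: walk the permutation from index `start`; on reaching
    an address that is already infected (another copy got there first, so the stretch
    ahead has most likely been covered) jump to a random index and continue."""
    i = start
    visited = []
    for _ in range(steps):
        addr = perm(i)
        if addr in already_infected:
            i = rng.randrange(SPACE)
            continue
        visited.append(addr)
        i = (i + 1) & MASK
    return visited

def restart_demo(seed=1, steps=50):
    """Walk from index 90 while indices 100-199 were already taken by another host."""
    perm = make_permutation(seed)
    covered = {perm(i) for i in range(100, 200)}
    visited = walk_with_restart(perm, 90, covered, steps, random.Random(seed))
    return visited, covered

def duplicate_fraction(probes):
    """Share of probes wasted on an address some host had already probed."""
    return 1.0 - len(set(probes)) / len(probes)

if __name__ == "__main__":
    # 64 hosts, 512 probes each: half the toy space worth of probes.
    print("random scan, wasted probes:     %.3f" % duplicate_fraction(random_scan(64, 512)))
    print("permutation scan, wasted probes: %.3f" % duplicate_fraction(permutation_scan(64, 512)))
```

With 32,768 probes into a 65,536-address space, random scanning wastes roughly a fifth of its probes on repeats, while the permutation walk wastes none until the disjoint stretches are exhausted; the restart rule is what keeps late starters from re-walking ground another copy has already covered.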

Warhol worms [Network Security II]

- A worm using both hit-list and permutation scanning could infect most vulnerable targets in < 1 hour
- Simulation: compare
  - 10 scans/second (Code Red)
  - 100 scans/second
  - 100 scans/second plus a 10,000-entry hit list (Warhol worm)
- First Warhol worm "in the wild": SQL Slammer

"In the future, everyone will have 15 minutes of fame" -- Andy Warhol

(Simulation plot: number of instances vs. time in hours.)
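The logistic spread model from the "Code Red: Analytical model" slide and the three-way comparison on this slide, carried through in code: the closed-form time for the logistic curve to reach a given infected fraction, next to a discrete-time simulation of uniform random scanning that should land on the same numbers. This is an added example, not code from the deck, the lecture notes or the paper. It assumes 360,000 vulnerable hosts (the Code Red I population), probes drawn uniformly from the 2^32 IPv4 space, no patching, no firewalls and no churn, and it measures time to 95% infection; the hit list is modelled as the number of hosts already compromised at release.

```python
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random-scanning worm draws from

def compromise_rate(scans_per_sec, n_vulnerable, address_space=ADDRESS_SPACE):
    """K of the logistic model, per second: expected new victims found per second
    by one infected host while almost nobody else is infected yet."""
    return scans_per_sec * n_vulnerable / address_space

def time_to_fraction(K, a0, target):
    """Seconds for the logistic curve a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}) to climb
    from infected fraction a0 to the target fraction (closed form via the logit)."""
    logit = lambda a: math.log(a / (1.0 - a))
    return (logit(target) - logit(a0)) / K

def simulate(scans_per_sec, n_vulnerable, hit_list=1, target=0.95,
             dt=1.0, address_space=ADDRESS_SPACE):
    """Discrete-time mean-field simulation of uniform random scanning.
    Every infected host fires scans_per_sec probes per second at random
    addresses; a probe landing on a not-yet-infected vulnerable host infects it.
    hit_list = hosts compromised before release. Returns simulated seconds
    until the target fraction is infected."""
    infected = float(hit_list)
    t = 0.0
    while infected < target * n_vulnerable:
        probes = infected * scans_per_sec * dt
        p_new_victim = (n_vulnerable - infected) / address_space
        infected += probes * p_new_victim
        t += dt
    return t

def compare_strategies(n_vulnerable=360_000):
    """The slide's three cases; returns minutes to 95% infection for each."""
    cases = {
        "10 scans/s, 1 seed (Code Red)": (10, 1),
        "100 scans/s, 1 seed": (100, 1),
        "100 scans/s + 10,000 hit list (Warhol)": (100, 10_000),
    }
    return {name: simulate(rate, n_vulnerable, hit_list=seeds) / 60
            for name, (rate, seeds) in cases.items()}

if __name__ == "__main__":
    K = compromise_rate(10, 360_000)
    print("Code Red K = %.2f per hour" % (K * 3600))
    for name, minutes in compare_strategies().items():
        print("%-42s %7.1f min" % (name, minutes))
```

At 10 scans/second from a single seed the model needs about five hours to saturate; raising the scan rate to 100/second cuts that to about half an hour, and starting from a 10,000-host hit list cuts it to about 13 minutes, which is where the "15 minutes of fame" name comes from. The hit list helps because the logistic curve spends most of its time in the slow initial phase, which the hit list skips entirely.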

Flash worms [Network Security II]

- A flash worm would start with a hit list that contains most/all vulnerable hosts
- Realistic scenario:
  - A complete scan of the IPv4 space takes 2 h with an OC-12
  - Internet warfare?
- Problem: size of the hit list
  - 9 million hosts
  - 36 MB uncompressed
  - Compression works: 7.5 MB
  - Stated transfer time over a 256 kbps DSL link: 3 seconds. Check the arithmetic: 7.5 MB at 256 kbps takes about 4 minutes, so seconds per hop only holds because each child receives just the slice of the list it is responsible for, and the slice is divided again at every generation.
- Extremely fast: full infection in tens of seconds!

Surreptitious worms [Network Security II]

- Idea: hide worm traffic in inconspicuous traffic to avoid detection
- Leverage P2P systems?
  - High node degree
  - Lots of traffic to hide in
  - Proprietary protocols
  - Homogeneous software
  - Immense size (30,000,000 Kazaa downloads!)

Conclusion: A Cyber-CDC? [Network Security II]

- The paper advocates the creation of a CDC equivalent for computer worms and viruses
- Responsibilities of the Cyber-CDC:
  - Deploy sensors to detect outbreaks quickly
  - Rapidly analyze new pathogens
  - Propagate signatures to isolate the worm/virus
  - Do research in the field
- The Cyber-CDC should be collaborative, but not all information should be available to the public: a "partially open" approach
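One concrete "sensor" for the outbreak-detection responsibility listed above: flag a source whose distinct-destination fan-out on a single port within a short window is far beyond anything a legitimate client does and whose connections mostly fail, which is the footprint a random-scanning worm like Code Red (99 threads probing random addresses) leaves in flow data. This is an added example, not from the deck or the paper; the flow records are constructed for the demonstration and the window and thresholds are illustrative values, not tuned ones.

```python
from collections import defaultdict

def constructed_flows():
    """Made-up flow records (time_s, src, dst, dport, handshake_completed)."""
    flows = []
    # Normal workstation: talks to three internal web servers, handshakes succeed.
    for t in range(0, 60, 2):
        flows.append((t, "10.0.0.2", "10.0.1.%d" % (t % 3 + 1), 80, True))
    # Infected host, Code Red style: 99 threads, each probing a fresh pseudo-random
    # address every second for ten seconds; nothing answers, so handshakes fail.
    for t in range(30, 40):
        for i in range(99):
            dst = "%d.%d.%d.%d" % ((t * 97 + i * 13) % 223 + 1, (i * 31) % 256,
                                   (t * 7) % 256, (i * 17 + t) % 256)
            flows.append((t, "10.0.0.7", dst, 80, False))
    return flows

def detect_scanners(flows, window_s=10, dport=80,
                    fanout_threshold=50, max_success_ratio=0.2):
    """Fan-out detector: per (src, window) count distinct destinations on dport and
    the share of completed handshakes. A random-scanning worm contacts far more
    distinct hosts than any legitimate client and mostly hits nothing listening.
    Returns {src: [(window_start_s, distinct_destinations), ...]} for offenders."""
    dsts = defaultdict(set)
    total = defaultdict(int)
    completed = defaultdict(int)
    for t, src, dst, port, ok in flows:
        if port != dport:
            continue
        key = (src, int(t // window_s))
        dsts[key].add(dst)
        total[key] += 1
        completed[key] += int(ok)
    alerts = {}
    for (src, w), d in dsts.items():
        fanout = len(d)
        success = completed[(src, w)] / total[(src, w)]
        if fanout >= fanout_threshold and success <= max_success_ratio:
            alerts.setdefault(src, []).append((w * window_s, fanout))
    return alerts

if __name__ == "__main__":
    for src, hits in detect_scanners(constructed_flows()).items():
        print(src, hits)
```

The success-ratio condition is what keeps a busy but legitimate client (a crawler, a monitoring box) out of the alert list: it also has high fan-out, but its handshakes complete. A permutation-scanning or localized-scanning worm changes the set of addresses probed, not the fan-out, so the same sensor still fires on it.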

Worst-case worm

- Question: how much economic damage would a worst-case worm attack do to the US?
- Estimates based on:
  - A worst-case worm
  - A linear damage model covering
    - Lost productivity
    - Repair time
    - Lost data
    - Damage to systems
- Assumption: Murphy's Law (everything that can go wrong, does)

Cost model

- $D_{total}$ = total cost of damage
- $N_{inf}$ = number of systems infected
- $D_{system}$ = damage per system
- $P_{penetration}$ = fraction of vulnerable systems infected
- $N_{vulnerable}$ = potential infectees
- $D_{rec}$ = cost of system recovery
- $T_{time}$ = total downtime (hr)
- $D_{time}$ = cost of downtime per hour
- $P_{data}$ = probability of unrecoverable data loss
- $D_{data}$ = cost of data loss
- $P_{bios}$ = probability of system loss due to hardware damage
- $D_{bios}$ = replacement value of the computer

Cost model (cont.)

$$D_{total} = N_{inf} \cdot D_{system}$$

$$N_{inf} = P_{penetration} \cdot N_{vulnerable}$$

$$D_{system} = D_{rec} + T_{time} \cdot D_{time} + P_{data} \cdot D_{data} + P_{bios} \cdot D_{bios}$$

The attack: target

- Target: the Windows SMB/CIFS file-sharing server
  - Part of all Windows distributions since Windows 98
  - Desktop file sharing, printer sharing, centralized Windows file servers
  - Is on by default
- Assumption: the attacker knows a "zero-day" exploit for SMB/CIFS

The attack: propagation

- Internet spread
  - Slammer infected tens of thousands of servers in less than 10 minutes
  - Flash worms: spread in < 1 minute
- Spread through gateways
  - Slow phase: mail and web vectors require some level of human action within an organization
  - Conservative upper bound: 1 day; probably much faster
- Intranet spread
  - Nearly instantaneous
  - Fast LANs: infection of a new victim in < 1 second
  - Can use a hit list to spread even faster

Damage

- Estimations:
  - Penetration ($P_{penetration}$): 0.60 of all vulnerable machines
  - Number of vulnerable machines ($N_{vulnerable}$): 85 million
    - Considers only business and government machines (2001)
    - Home computers not considered
  - Recovery ($D_{rec}$): $20 per system
  - Downtime:
    - $D_{time}$: 35 $/hr
    - $T_{time}$: 16 hr (2 business days)

Damage (cont.)

- Data loss ($D_{data}$): $2,000
- Probability of unrecoverable data loss ($P_{data}$): 0.1
- Probability of an unrecoverable machine ($P_{bios}$): 0.1
- Cost of a lost machine ($D_{bios}$): $2,400

Damage (cont.)
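Carrying the cost model through with the figures on the preceding slides (an added worked computation, not part of the original deck; it uses only the deck's own symbols and values):

$$D_{system} = D_{rec} + T_{time} D_{time} + P_{data} D_{data} + P_{bios} D_{bios} = 20 + 16 \cdot 35 + 0.1 \cdot 2000 + 0.1 \cdot 2400 = 20 + 560 + 200 + 240 = 1020 \text{ \$/system}$$

$$N_{inf} = P_{penetration} N_{vulnerable} = 0.6 \cdot 85 \times 10^{6} = 5.1 \times 10^{7} \text{ systems}$$

$$D_{total} = N_{inf} D_{system} = 5.1 \times 10^{7} \cdot 1020 \approx 5.2 \times 10^{10} \text{ \$}$$

That is roughly $52 billion. Downtime ($T_{time} D_{time}$ = $560 per system) is the largest term, so the estimate is most sensitive to how long recovery takes; the hardware-loss term ($P_{bios} D_{bios}$ = $240) is the one the "protect BIOSes" recommendation on the next slide targets.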

Conclusion

- Damage potential is huge
- Preventive measures are needed:
  - Solid data backups
  - Protect BIOSes against being overwritten
  - Mail-worm defenses
  - Improved recovery procedures
  - Reduce monocultures
- Vulnerable spots such as SMB/CIFS are ubiquitous and hence merit special defenses

References

- Network Security II: lecture 22, COMP529 - Computer Network Protocols and Systems. Andreas Haeberlen. www.cs.rice.edu/~eugeneng/teaching/f04/comp529/lectures/lecture22.ppt
- Worms. Pandurang Kamat. www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt