How to 0wn the Internet in Your Spare Time
Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver
Published: Proceedings of the 11th USENIX Security Symposium, 2002
Presenter: Shawn Embleton

Outline
• Introduction
• Code Red Worm
• Better Worms in Practice
• Better Worms in Theory
• Simulations & Results
Introduction
• Internet worms differ from viruses in that they do not require user participation
  • excepting poor code and security practices
• 1988 Morris Worm
  • Repeat infections possible – crashed systems
• 1999 Melissa macro
  • Half worm/virus
  • Incapacitated many email servers
Code Red v.1
• First seen July 12, 2001
• Spread by exploiting a Microsoft IIS .ida vulnerability discovered by eEye on June 18th
• 99 propagation threads; the 100th defaced pages
• Problem: the RNG used a static seed (combined with the thread ID), so every infected host generated the same 99 spread lists
• Resulted in linear spreading

Code Red v.1 Continued
• Defaced root-level pages
• 1st to 19th of the month: attempted to spread
• 20th to 28th: attempted to DDoS
  • target was www1.whitehouse.gov
• Memory resident
  • Reboot the system to disinfect

Code Red I v.2
• Started spreading July 19th, 2001
• Similar code base
• Fixed the RNG seeding problem
• Over 359,000 systems infected in 14 hours
• Systems that were power cycled were re-infected before the patch could be applied …
Code Red I v.2 Plot
[Figure: Chemical Abstracts Service data fitted with K=1.8, T=11.9]
Analysis
• Random Constant Spread model [RCS]
  • N – total number of vulnerable hosts
  • K – initial compromise rate
  • T – constant fixing the time at which the incident occurs
  • a – proportion of vulnerable machines that are compromised
  • t – time [in hours]
• Applied using the "logistic equation"
  • Rate of growth in a finite system
  • Equal likelihood of any host attacking any other
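The RCS model on this slide is a logistic curve: da/dt = K·a·(1−a), which solves to a(t) = e^{K(t−T)} / (1 + e^{K(t−T)}). The following Python is an added worked example (not code from the paper or the presenter) that evaluates the closed form with the slide's fitted values K=1.8 and T=11.9, inverts it to answer the defender's question "how many hours between first visible infections and half the population being compromised", and cross-checks the closed form against a direct numerical integration. The helper compromise_rate derives K from a scan rate and the number of vulnerable hosts using the paper's uniform-random-scanning argument (each scan hits a vulnerable host with probability N/2^32); the numeric inputs passed to it here are constructed.

```python
import math


def fraction_compromised(t_hours, K, T):
    """Closed-form RCS solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).

    Written in two branches so neither exp() overflows for large |K(t-T)|.
    """
    x = K * (t_hours - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def time_to_fraction(a, K, T):
    """Invert a(t): the hour at which proportion a of vulnerable hosts is compromised."""
    if not 0.0 < a < 1.0:
        raise ValueError("fraction must lie strictly between 0 and 1")
    return T + math.log(a / (1.0 - a)) / K


def patch_window(detect_fraction, target_fraction, K):
    """Hours between the infection level at which an outbreak is first noticed
    (detect_fraction) and the level a responder wants to stay below (target_fraction).
    T cancels out, so this depends only on K."""
    return time_to_fraction(target_fraction, K, 0.0) - time_to_fraction(detect_fraction, K, 0.0)


def compromise_rate(scans_per_second, vulnerable_hosts, address_space=2 ** 32):
    """K (compromises per hour per infected host) for uniform random scanning:
    scans/hour times the probability N / 2^32 that a random address is vulnerable."""
    return scans_per_second * 3600.0 * vulnerable_hosts / address_space


def simulate_rcs(K, T, dt_hours=0.01, end_fraction=0.9999):
    """Euler integration of da/dt = K a (1 - a), starting from the closed form at t=0,
    run until end_fraction is reached. Returns (hours elapsed, final fraction)."""
    t = 0.0
    a = fraction_compromised(0.0, K, T)
    while a < end_fraction:
        a += K * a * (1.0 - a) * dt_hours
        t += dt_hours
    return t, a


if __name__ == "__main__":
    K, T = 1.8, 11.9  # values fitted to the Chemical Abstracts data on the slide
    for frac in (0.01, 0.10, 0.50, 0.90, 0.99):
        print(f"{frac:5.0%} compromised at t = {time_to_fraction(frac, K, T):6.2f} h")
    print(f"1% -> 50%: {patch_window(0.01, 0.50, K):.2f} h of response time")
    # Constructed inputs: 10 scans/s against 360,000 vulnerable hosts
    print(f"K for 10 scans/s, N=360000: {compromise_rate(10, 360_000):.2f} /h")
    t_sim, a_sim = simulate_rcs(K, T)
    print(f"numeric: 99.99% at {t_sim:.2f} h; closed form: {time_to_fraction(0.9999, K, T):.2f} h")
```

With the slide's parameters the curve goes from 1% to 50% compromised in about two and a half hours, which is the practical content of the model for an incident responder: once an outbreak is visible in the logs, the time left to push a patch or filter is measured in hours, and it shrinks in proportion to K.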
Better Worms in Practice – Localized Scanning: Code Red II v.3
• August 4, 2001, but a different code base
• No defacement, no DDoS code, same exploit used [contained the string "Code Red II"]
• If no prior infection: initiates, installs a backdoor, waits one day and reboots the machine
• If the system language is Chinese, 600 threads propagate for 48 hours; otherwise 300 threads for 24 hours

Better Worms in Practice – Localized Scanning: Code Red II v.3
• 1/8 probability of probing a random IP address
• 4/8 probability of probing the same /8 network
• 3/8 probability of probing the same /16 network
• No analytical model given
• No empirical data provided

Better Worms in Practice – Localized Scanning: Code Red II v.3
[Figure: LBNL data]
Better Worms in Practice – Localized Scanning: Code Red II v.3
• Probe request as it appears in a web server log (one line, wrapped on the slide):
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
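The request above is what every web server, vulnerable or not, sees when a Code Red host probes it, so it is the natural hook for detection. The Python below is an added example (not code from the paper or the presenter) that runs a matcher for that probe shape over a few constructed Apache-style access-log lines and reports per-source counts and the number of distinct attacking sources, the quantity the "Improvements" slide later suggests tracking. The pattern accepts a long run of X filler followed by %u-encoded bytes; it also accepts N as the filler because, as general knowledge not stated on the slide, the earlier Code Red I variants used N instead of X. All log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Probe shape from the slide: the .ida handler, a long run of filler bytes,
# then %uXXXX-encoded payload. Filler may be X (Code Red II) or N (Code Red I).
PROBE_RE = re.compile(r'GET /default\.ida\?([XN])\1{19,}(?:%u[0-9a-fA-F]{4})+')

# Apache "common" log format: host ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample log; the probe lines reproduce the slide's request shape.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:14:02:11 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.17 - - [19/Jul/2001:14:02:13 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 287
198.51.100.8 - - [19/Jul/2001:14:02:14 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 0
192.0.2.17 - - [19/Jul/2001:14:02:20 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 287
203.0.113.3 - - [19/Jul/2001:14:03:01 -0700] "GET /default.ida HTTP/1.0" 404 287
10.0.0.5 - - [19/Jul/2001:14:03:09 -0700] "GET /about.html HTTP/1.0" 200 512
"""


def parse_line(line):
    """Split one common-log line into (ip, timestamp, request, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _ = m.groups()
    return ip, ts, request, int(status)


def find_probes(lines):
    """Return one record per line whose request matches the Code Red probe shape.

    The HTTP status is kept but not used to filter: a patched or non-IIS server
    answers 404 and still reveals that the source is infected.
    """
    probes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, request, status = parsed
        m = PROBE_RE.search(request)
        if m:
            probes.append({"ip": ip, "ts": ts, "filler": m.group(1), "status": status})
    return probes


def summarize(lines):
    """Aggregate probes into per-source counts and the distinct-source total."""
    probes = find_probes(lines)
    per_source = Counter(p["ip"] for p in probes)
    return {
        "probe_count": len(probes),
        "distinct_sources": len(per_source),
        "per_source": dict(per_source),
        "variants": dict(Counter(p["filler"] for p in probes)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['probe_count']} probes from {report['distinct_sources']} sources")
    for ip, n in sorted(report["per_source"].items()):
        print(f"  {ip}: {n}")
    print("filler variants:", report["variants"])
```

Counting distinct probing sources per hour on a single server gives a local sample of the infection curve from the Analysis slide: the sources are infected hosts that happened to pick this address, so their arrival rate tracks K·a(t) for the population as a whole. The bare "GET /default.ida" line without a payload is included as a negative case; it does not match, which keeps ordinary requests to that handler out of the alert.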
Better Worms in Practice – Multi-Vector Worms: Nimda
• September 18th, 2001
• 5 different attack vectors
  • Client to client via email
  • Client to client via open network shares
  • Web server to client through browsing
  • Client to server through directory traversal exploits
  • Client to server through previous worms' backdoors

Better Worms in Practice – Multi-Vector Worms: Nimda
• Email propagation
  • MIME message containing a 'readme.exe' payload
  • Slight binary variations to change the hashes of the attachment
  • Variable subject line
  • Every 10 days, scans local hypertext files and received MAPI mail for additional email addresses to contact
• File system propagation
  • Creates MIME copies of itself on local and network drives
  • Can exploit Explorer preview vulnerabilities
  • Trojanizes legitimate applications on the system

Better Worms in Practice – Multi-Vector Worms: Nimda
• Web-server propagation
  • Scans servers that the user browses for vulnerabilities
  • Looks for Sadmind and Code Red backdoors, plus new exploits
  • Spreads to browsing users by appending the following to all files in web-aware directories
  • Also added the 'guest' account to the Administrators group
Better Worms in Theory
• Hit-List Scanning
• Permutation Scanning
• Topologically Aware Worms
• Internet-Scale Hit Lists

Better Worms in Theory – Hit-List Scanning
• A worm needs a substantial base before the exponential spreading really takes off
• Before release, gather a list of potentially vulnerable systems
• After launch, these systems are infected much more rapidly and provide the needed base
• The list can be handed to each new infection intact or systematically halved

Better Worms in Theory – Permutation Scanning
• Random scanning has inherent problems
  • Many addresses are rescanned
  • No way to know when the infection is nearing completion
• Share a common permutation of the address space
  • Easy to compute at each host
  • Newly infected machines start scanning from some index
  • After N already-infected machines are encountered, stop scanning

Better Worms in Theory – Topologically Aware Worms
• Look for web servers in infected machines' caches
  • High probability of being actual servers
• Look for mail in users' address books
  • If spreading through mail servers, for instance
• Email worms incorporate this tactic now

Better Worms in Theory – Flash Worms (main idea of the paper)
• Obtain a hit list of systems with the relevant service open
  • An OC-12 link can scan the entire Internet in 2 hours
  • Include pre-knowledge of high-capacity servers
• Use an N-way partitioned, overlapping hit-list infection technique
• The argument is made for 30 seconds to total domination

Better Worms in Theory – Contagion Worms
• Slower spreading, to avoid countermeasures based on heuristics such as capacity fluctuations
• Discusses using P2P applications to obtain a high degree of host interconnectivity, spreading in an m-way tree style
• A stealthier idea than a fast-spreading worm
Simulations
• Simulated a "Warhol"-style worm
  • Combination of hit-list and permutation scanning
• Assumptions
  • Complete connectivity in the 32-bit address space
  • Scan until 99.99% infection
• Parameters
  • Conventional – Code Red style with 10 scans/second
  • Fast – Code Red style with 100 scans/second
  • Warhol – 100 scans/s + hit list + permutation scanning

Results
[Figure: simulation plot]
Strengths
• Published relatively quickly, with a reasonable mathematical model that captures the data rather accurately
• Performed simulations that correlate well with the proposed mathematical model
• Results support the hypothesis of total Internet domination …

Weaknesses
• Some of the data could be interpreted in ways other than those offered
• The paper seems to have a heavy "what-if" factor
• The main call for action is made without laying out any specific plans or specifications
• Small incongruities with other recognized organizations [such as CERT]

Improvements
• The authors might have proposed a specific defense system alongside the call for action
• Could have gathered data from more locations than just LBNL and Chemical Abstracts Service Corp.
• It would be more helpful to compare the different worms using the same analysis methods
  • Connections/second vs. distinct remote hosts attacking

References
• www.caida.org
• www.cert.org
• http://www.thesitewizard.com/news/coderediiworm.shtml
• Staniford, Paxson, Weaver. How to 0wn the Internet in Your Spare Time.