1 / 26

How to 0wn the Internet in your spare time & A worst case worm

How to 0wn the Internet in your spare time & A worst case worm. Stuart Staniford, Vern Paxson, Nicholas Weaver Presented by: Jesus Morales. Overview. How to 0wn the Internet in your spare time Worms Analytical Spread Model Worm improvement Cyber CDC A worst-case worm Linear cost model

hume
Download Presentation

How to 0wn the Internet in your spare time & A worst case worm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to 0wn the Internet in your spare time & A worst case worm Stuart Staniford, Vern Paxson, Nicholas Weaver Presented by: Jesus Morales

  2. Overview • How to 0wn the Internet in your spare time • Worms • Analytical Spread Model • Worm improvement • Cyber CDC • A worst-case worm • Linear cost model • The attack • Damage estimations

  3. How to 0wn the Internet in your spare time • The Problem: an attacker controlling high numbers of hosts on the Internet could cause much damage • DDOS attacks: shut down much of the Internet • Access/disperse sensitive information • Corrupt information • The way: worms

  4. Worms [Worms] Worms, formally known as “Automated Intrusion Agents”, are software components that are capable of, using their own means, for infecting a computer system and using it in an automated fashion to infect another system. A virus by contrast can’t spread/infect on its own.

  5. Code Red I (July 2001) [Worms] • Began : July 12, 2001 • Exploit : Microsoft IIS webservers (buffer overflow) • Named “Code Red” because : • the folks at eEye security worked through the night to identify and analyze this worm drinking “code red” (mountain dew) to stay up. • the worm defaced some websites with the phrase “Hacked by Chinese” • Launched 99 threads on infected host, which all generated random IP addresses and tried to compromise them. • Version 1 did not infect too many hosts due to use of static seed in the random number generator. Version 2 came out on July 19th with this “bug” fixed and spread rapidly. • The worm behavior each month: • 1st to 19th --- spread by infection • 20th to 28th --- launch DOS on www.whitehouse.gov • 28th till end-of-month --- take rest. • Infected 359,000 hosts in under 14 hours.

  6. Saturation Infected fraction Initial compromise rate Code Red: Analytical model • Simplifying assumptions: • No patching • No firewalls • No churn • Infection rate is proportional to • # hosts already infected • # hosts not infected, but susceptible • Result: Logistic equation • Well known for epi-demics in finite systems

  7. Code Red I: Initial and reemergence outbreaks

  8. Improvements: Localized scanning [Network Security II ] • Observation: Density of vulnerable hosts in IP address space is not uniform • Idea: Bias scanning towards local network • Used in CodeRed II • P=0.50: Choose address from local class-A network (/8) • P=0.38: Choose address from local class-B network (/16) • P=0.12: Choose random address • Allows worm to spread more quickly

  9. Code Red II (August 2001) [Worms] • Began : August 4th, 2001 • Exploit : Microsoft IIS webservers (buffer overflow) • Named “Code Red II” because : • It contained a comment stating so. However the codebase was new. • Infected IIS on windows 2000 successfully but caused system crash on windows NT. • Installed a root backdoor on the infected machine.

  10. Onset of Nimda 1/2 hour HTTP connections/second seen at LBNL(only confirmed Nimda attacks) Time (PDT) 18 September, 2001 Improvements: Multi-vector [Network Security II ] • Idea: Use multiple propagation methods simultaneously • Example: Nimda • IIS vulnerability • Bulk e-mails • Open network shares • Defaced web pages • Code Red II backdoor

  11. Improvements: Hit-list scanning [Network Security II ] • Problem: Spread is slow during initial phase • Idea: Collect a list of promising targets before worm is released • Low-profile 'stealthy' scan • Distributed scan • Spider/crawler • Surveys or databases • Attacks from other worms • Low overhead, since list shrinks quickly

  12. H0 H4 H3 H1 H2 H1 (Restart) Improvements: Permutation scanning [Network Security II ] • Problem: Many addresses are scanned multiple times • Idea: Generate random permutation of all IP addresses, scan in order • Hit-list hosts start at their own position in the permutation • When an infected host is found, restart at a random point • Can be combined with divide-and-conquer approach

  13. Number of Instances Time (hours) Warhol worms [Network Security II ] "In the future, everyone will have 15 minutes of fame" • Worm using both hit-list and permutation scanning could infect most vulnerable targets in <1 hour • Simulation: Compare • 10 scans/second (Code Red) • 100 scans/second • 100 scans/second plus 10,000 entry hit list (Warhol worm) • First Warhol worm 'in the wild': SQLSlammer -- Andy Warhol

  14. Flash worms [Network Security II ] • A flash worm would start with a hit list that contains most/all vulnerable hosts • Realistic scenario: • Complete scan takes 2h with an OC-12 • Internet warfare? • Problem: Size of the hit list • 9 million hosts  36 MB • Compression works: 7.5MB • Can be sent over a 256kbps DSL link in 3 seconds • Extremely fast: • Full infection in tens of seconds!

  15. Surreptitious worms [Network Security II ] • Idea: Hide worms in inconspicuous traffic to avoid detection • Leverage P2P systems? • High node degree • Lots of traffic to hide in • Proprietary protocols • Homogeneous software • Immense size (30,000,000 Kazaa downloads!)

  16. Conclusion: A Cyber-CDC? [Network Security II ] • Paper advocates creation of a CDC equivalent for computer worms and -viruses • Responsibilities of the CDC: • Deploy sensors to detect outbreaks quickly • Rapidly analyze new pathogens • Propagate signatures to isolate the worm/virus • Do research in the field • CDC should be collaborative, but not all information should be available to the public "Partially open" approach

  17. Worst-case worm • Question: how much economic damage to the US in a worst-case worm attack? • Estimates based on: • Worst-case worm • Linear damage model • Lost productivity • Repair time • Lost data • Damage to systems • Assumption: Murphy’s Law

  18. Cost model • Dtotal = total cost of damage • Ninf = number of systems infected • Dsystem = damage per system • Ppenetration = fraction of systems infected • Nvulnerable = potential infectees • Drec = cost of system recovery • Ttime = total downtime (hr) • Dtime = cost of downtime per hour • Pdata = probability of unrecoverable data loss • Ddata = cost of data loss • Pbios = probability of system loss due to hardware damage • Dbios = replacement value of the computer

  19. Cost model (cont) • Dtotal = Ninf * Dsystem • Ninf = Ppenetration * Nvulnerable • Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios

  20. The attack: target • Target • Windows SMB/CIFS file sharing server • Part of all distributions since Windows 98 • Desktop file sharing, printer sharing, centralized Windows file servers. • Is on by default • Assumption: the attacker knows a “zero day” exploit for SMB/CIFS

  21. The attack: Propagation • Internet spread • Slammer infected 10’s of thousands of servers in less than 10 minutes. • Flash worms: spread < 1 minute • Spread through gateways • Slow phase: mail and web vectors require some level of human action within an organization • Conservative upper bound: 1 day. Probably much faster. • Intranet spread • Nearly instantaneous • Fast LANs: infection of a new victim < 1 second. • Can use hit-list to spread even faster

  22. Damage • Estimations: • Penetration (Ppenetration): .60 of all vulnerable machines • Number of vulnerable machines (Nvulnerable): 85 mill • Consider only business and gov’t (2001) • Not considering home computers • Recovery (Drec): $20 per system • Down time: • Dtime: 35 $/hr • Ttime: 16 hr (2 days)

  23. Damage (cont.) • Data loss (Ddata): $2,000 • Percentage of unrecoverable data (Plost_data): 0.1 • Percentage of unrecoverable machines (Pbios): 0.1 • Cost for lost machines (Dbios): $2,400

  24. Damage (cont.)

  25. Conclusion • Damage potential is huge • Need preventive measures • Solid data back ups • Protect BIOSes • Mail-worm defenses • Improved recovery procedures • Reduce monocultures • Vulnerable spots (SMB/CIFS) are ubiquitous hence merit special defenses

  26. References • Network Security II: lecture 22 COMP529 - Computer Network Protocols and Systems. Andreas Haeberlen www.cs.rice.edu/~eugeneng/teaching/f04/comp529/lectures/lecture22.ppt • Worms Pandurang Kamat www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt

More Related