260 likes | 418 Views
How to 0wn the Internet in your spare time & A worst case worm. Stuart Staniford, Vern Paxson, Nicholas Weaver Presented by: Jesus Morales. Overview. How to 0wn the Internet in your spare time Worms Analytical Spread Model Worm improvement Cyber CDC A worst-case worm Linear cost model
E N D
How to 0wn the Internet in your spare time & A worst case worm Stuart Staniford, Vern Paxson, Nicholas Weaver Presented by: Jesus Morales
Overview • How to 0wn the Internet in your spare time • Worms • Analytical Spread Model • Worm improvement • Cyber CDC • A worst-case worm • Linear cost model • The attack • Damage estimations
How to 0wn the Internet in your spare time • The Problem: an attacker controlling high numbers of hosts on the Internet could cause much damage • DDOS attacks: shut down much of the Internet • Access/disperse sensitive information • Corrupt information • The way: worms
Worms [Worms] Worms, formally known as “Automated Intrusion Agents”, are software components that are capable of, using their own means, for infecting a computer system and using it in an automated fashion to infect another system. A virus by contrast can’t spread/infect on its own.
Code Red I (July 2001) [Worms] • Began : July 12, 2001 • Exploit : Microsoft IIS webservers (buffer overflow) • Named “Code Red” because : • the folks at eEye security worked through the night to identify and analyze this worm drinking “code red” (mountain dew) to stay up. • the worm defaced some websites with the phrase “Hacked by Chinese” • Launched 99 threads on infected host, which all generated random IP addresses and tried to compromise them. • Version 1 did not infect too many hosts due to use of static seed in the random number generator. Version 2 came out on July 19th with this “bug” fixed and spread rapidly. • The worm behavior each month: • 1st to 19th --- spread by infection • 20th to 28th --- launch DOS on www.whitehouse.gov • 28th till end-of-month --- take rest. • Infected 359,000 hosts in under 14 hours.
Saturation Infected fraction Initial compromise rate Code Red: Analytical model • Simplifying assumptions: • No patching • No firewalls • No churn • Infection rate is proportional to • # hosts already infected • # hosts not infected, but susceptible • Result: Logistic equation • Well known for epi-demics in finite systems
Improvements: Localized scanning [Network Security II ] • Observation: Density of vulnerable hosts in IP address space is not uniform • Idea: Bias scanning towards local network • Used in CodeRed II • P=0.50: Choose address from local class-A network (/8) • P=0.38: Choose address from local class-B network (/16) • P=0.12: Choose random address • Allows worm to spread more quickly
Code Red II (August 2001) [Worms] • Began : August 4th, 2001 • Exploit : Microsoft IIS webservers (buffer overflow) • Named “Code Red II” because : • It contained a comment stating so. However the codebase was new. • Infected IIS on windows 2000 successfully but caused system crash on windows NT. • Installed a root backdoor on the infected machine.
Onset of Nimda 1/2 hour HTTP connections/second seen at LBNL(only confirmed Nimda attacks) Time (PDT) 18 September, 2001 Improvements: Multi-vector [Network Security II ] • Idea: Use multiple propagation methods simultaneously • Example: Nimda • IIS vulnerability • Bulk e-mails • Open network shares • Defaced web pages • Code Red II backdoor
Improvements: Hit-list scanning [Network Security II ] • Problem: Spread is slow during initial phase • Idea: Collect a list of promising targets before worm is released • Low-profile 'stealthy' scan • Distributed scan • Spider/crawler • Surveys or databases • Attacks from other worms • Low overhead, since list shrinks quickly
H0 H4 H3 H1 H2 H1 (Restart) Improvements: Permutation scanning [Network Security II ] • Problem: Many addresses are scanned multiple times • Idea: Generate random permutation of all IP addresses, scan in order • Hit-list hosts start at their own position in the permutation • When an infected host is found, restart at a random point • Can be combined with divide-and-conquer approach
Number of Instances Time (hours) Warhol worms [Network Security II ] "In the future, everyone will have 15 minutes of fame" • Worm using both hit-list and permutation scanning could infect most vulnerable targets in <1 hour • Simulation: Compare • 10 scans/second (Code Red) • 100 scans/second • 100 scans/second plus 10,000 entry hit list (Warhol worm) • First Warhol worm 'in the wild': SQLSlammer -- Andy Warhol
Flash worms [Network Security II ] • A flash worm would start with a hit list that contains most/all vulnerable hosts • Realistic scenario: • Complete scan takes 2h with an OC-12 • Internet warfare? • Problem: Size of the hit list • 9 million hosts 36 MB • Compression works: 7.5MB • Can be sent over a 256kbps DSL link in 3 seconds • Extremely fast: • Full infection in tens of seconds!
Surreptitious worms [Network Security II ] • Idea: Hide worms in inconspicuous traffic to avoid detection • Leverage P2P systems? • High node degree • Lots of traffic to hide in • Proprietary protocols • Homogeneous software • Immense size (30,000,000 Kazaa downloads!)
Conclusion: A Cyber-CDC? [Network Security II ] • Paper advocates creation of a CDC equivalent for computer worms and -viruses • Responsibilities of the CDC: • Deploy sensors to detect outbreaks quickly • Rapidly analyze new pathogens • Propagate signatures to isolate the worm/virus • Do research in the field • CDC should be collaborative, but not all information should be available to the public "Partially open" approach
Worst-case worm • Question: how much economic damage to the US in a worst-case worm attack? • Estimates based on: • Worst-case worm • Linear damage model • Lost productivity • Repair time • Lost data • Damage to systems • Assumption: Murphy’s Law
Cost model • Dtotal = total cost of damage • Ninf = number of systems infected • Dsystem = damage per system • Ppenetration = fraction of systems infected • Nvulnerable = potential infectees • Drec = cost of system recovery • Ttime = total downtime (hr) • Dtime = cost of downtime per hour • Pdata = probability of unrecoverable data loss • Ddata = cost of data loss • Pbios = probability of system loss due to hardware damage • Dbios = replacement value of the computer
Cost model (cont) • Dtotal = Ninf * Dsystem • Ninf = Ppenetration * Nvulnerable • Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios
The attack: target • Target • Windows SMB/CIFS file sharing server • Part of all distributions since Windows 98 • Desktop file sharing, printer sharing, centralized Windows file servers. • Is on by default • Assumption: the attacker knows a “zero day” exploit for SMB/CIFS
The attack: Propagation • Internet spread • Slammer infected 10’s of thousands of servers in less than 10 minutes. • Flash worms: spread < 1 minute • Spread through gateways • Slow phase: mail and web vectors require some level of human action within an organization • Conservative upper bound: 1 day. Probably much faster. • Intranet spread • Nearly instantaneous • Fast LANs: infection of a new victim < 1 second. • Can use hit-list to spread even faster
Damage • Estimations: • Penetration (Ppenetration): .60 of all vulnerable machines • Number of vulnerable machines (Nvulnerable): 85 mill • Consider only business and gov’t (2001) • Not considering home computers • Recovery (Drec): $20 per system • Down time: • Dtime: 35 $/hr • Ttime: 16 hr (2 days)
Damage (cont.) • Data loss (Ddata): $2,000 • Percentage of unrecoverable data (Plost_data): 0.1 • Percentage of unrecoverable machines (Pbios): 0.1 • Cost for lost machines (Dbios): $2,400
Conclusion • Damage potential is huge • Need preventive measures • Solid data back ups • Protect BIOSes • Mail-worm defenses • Improved recovery procedures • Reduce monocultures • Vulnerable spots (SMB/CIFS) are ubiquitous hence merit special defenses
References • Network Security II: lecture 22 COMP529 - Computer Network Protocols and Systems. Andreas Haeberlen www.cs.rice.edu/~eugeneng/teaching/f04/comp529/lectures/lecture22.ppt • Worms Pandurang Kamat www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt