These slides summarize the paper's analysis of Code Red and the Nimda worm and the faster worm-spreading techniques it describes. Topics covered include hit-list scanning, permutation scanning, topological scanning, flash worms, stealth worms, exploiting P2P systems, and remote control.
How to Own the Internet in Your Spare Time
Ashish Gupta
Network Security, April 2004
Overview
• What is the paper about?
• Code Red analysis
• Three new techniques for fast spreading
• Surreptitious worms
• Summary
The threat
• Millions of hosts, hence enormous damage
  • Distributed DoS
  • Access to sensitive information
  • Sowing confusion and disruption
• This paper is about the fast spreading of worms
Analysis of Code Red I
• Compromises MS IIS web servers
• Spreads by random IP generation (99 threads)
• Earlier bug in Code Red I
• DDoS attack on whitehouse.gov
• Modeling: Random Constant Spread (RCS)
  • Gives an exponential equation
  • Depends only on K, not N
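As an added example (not from the slides and not code from the original paper), the following Python model works through the RCS equation the slide refers to. Under RCS the infected fraction a(t) of the vulnerable population obeys da/dt = K a (1 - a), whose solution is the logistic curve a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}); the function names, the time step and the sample value of K are assumptions chosen for illustration. The code shows the two points the slide makes: the shape of the curve is fixed by K alone, and the population size N enters only through the logarithm of the starting fraction 1/N, so a hundredfold larger population adds just ln(100)/K to the time needed to reach any given fraction. For a defender this is the quantity that sets the reaction-time budget.

```python
import math


def rcs_fraction(t, K, T):
    """Closed-form RCS solution: fraction of vulnerable hosts infected at time t.

    a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), where T is the time at which half of
    the vulnerable population is infected. Evaluated in a numerically stable way.
    """
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def time_to_fraction(K, start_fraction, target_fraction):
    """Analytic time for the logistic curve to climb from one fraction to another.

    Inverting a(t) gives t = logit(a)/K + T, so the elapsed time between two
    fractions is (logit(target) - logit(start)) / K. N does not appear at all.
    """
    def logit(a):
        return math.log(a / (1.0 - a))
    return (logit(target_fraction) - logit(start_fraction)) / K


def seed_time_to_fraction(N, K, target_fraction=0.5):
    """Time from a single infected host among N vulnerable hosts to the target.

    The only place N appears is the starting fraction 1/N, so multiplying N by
    100 adds only about ln(100)/K: growth is governed by K, not by N.
    """
    return time_to_fraction(K, 1.0 / N, target_fraction)


def simulate_rcs(K, a0, dt=0.001, stop_fraction=0.99):
    """Forward-Euler integration of da/dt = K a (1 - a) from initial fraction a0.

    Returns (elapsed_time, series) where series is a list of (t, a) samples.
    This cross-checks the closed form above; it is an epidemic model, nothing more.
    """
    a, t = a0, 0.0
    series = [(t, a)]
    while a < stop_fraction:
        a += K * a * (1.0 - a) * dt
        t += dt
        series.append((t, a))
    return t, series


if __name__ == "__main__":
    K = 1.8  # assumed compromise rate per hour, chosen for illustration only
    for N in (10_000, 100_000, 1_000_000):
        print(f"N={N:>9}: single seed to 50% in {seed_time_to_fraction(N, K):.2f} h, "
              f"to 99% in {seed_time_to_fraction(N, K, 0.99):.2f} h")
    t_sim, _ = simulate_rcs(K, a0=1e-4)
    print(f"simulation from a0=1e-4 reaches 99% at t={t_sim:.2f} h; "
          f"closed form gives {time_to_fraction(K, 1e-4, 0.99):.2f} h")
```

Running the script prints three rows whose times differ by the same ln(10)/K step from one N to the next, which is the slide's "depends only on K, not N" in numbers; the simulated and closed-form times for the 99% mark agree to within the Euler step error.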
Better Worms
• Code Red II
• Used a localized scanning technique
  • 3/8 of scans within the same class B, 1/2 within the same class A, 1/8 across the rest of the address space
• Very successful strategy
  • Affects many vulnerable hosts
  • Spreads faster
Nimda Worm
• Nimda worm, August 2001
• Maintained itself for months; a multi-mode worm
  • Infected web servers
  • Bulk emailing
  • Infecting web clients
  • Using Code Red II backdoors
Onset
• Very rapid onset
• Mail-based spread very effective
• Full functionality?
Creating Better Worms
• Hit-list scanning
  • "Getting off the ground" very fast, say for the first 10,000 hosts
  • Pre-select 10,000 to 50,000 vulnerable machines
  • First worm carries the entire hit list
  • Hit list split in half on each infection
  • Can establish itself in a few seconds
Permutation Scanning
• Random scanning is inefficient: lots of overlap
• All worms share a common pseudo-random permutation
  (Diagram: a 32-bit block cipher under a shared key maps a scan index to an IP address)
How it works:
• After its first infection, each worm starts scanning after its own point in the permutation
• If the machine is already infected, pick a random starting index
• Minimizes duplication of effort
  • If W sees W', then W' is already working on W's part of the permutation list, so W restarts at a random point
• Keeps the infection rate very high and the scan comprehensive
• The permutation key can be changed periodically for an effective rescan
A Warhol Worm
• Combination of hit-list and permutation scanning
• Can spread widely in less than 15 minutes
• Simulation results
Topological scanning
• Use information found on the victim to identify new targets
  • Email lists
  • P2P applications
  • List of web servers from IE favorites, etc.
Faster Worms: Recap
• Fast startup: hit-list scanning
• Extremely efficient: permutation scanning
• Combine the above: Warhol worms
• Exploit local information: topological scanning
Flash Worms
• Fastest method: the entire Internet in tens of seconds
• Obtain a hit list of vulnerable servers in advance
  • 2 hours for the entire IP space on an OC-12 link (622 Mbps)
  • List would be big (~48 MB)
• Divide the list into n blocks
  • Infect the first host of each block and hand the block over to the new worm
  • Repeat for each block
• Alternative: store pre-assigned chunks on a high-bandwidth server
• Two limitations
  • Large list size
  • Latency
• Analysis: a sub-thirty-second limit on total infection time, even on a 256 kbps DSL link
Stealth Worms
• No peculiar communication patterns
• Very difficult to detect
• Working:
  • Pair of exploits: Es for the server, Ec for the client?
  • Server → Client → Server → …
• Limitations
  • A pair of threats is required
  • Depends on web surfing
Exploiting P2P systems
• Large set of hosts, all running the same software
• Only a single exploit is now needed
• More favorable for infection:
  • Interconnect with a large number of peers
  • Transfer large files
  • Not mainstream protocols
  • Execute on desktops, not servers
  • Potentially immense size
Analysis of KaZaA traffic
• Immense traffic: 5 to 10 million connections per day
• Huge diversity: 9 million distinct hosts contacted in November (from 5,800 university hosts)
• If KaZaA is exploited (variable-size headers?), then a large number of hosts can be infected stealthily in a month
• Starting point: brute-force infection of all university hosts?
• Actual spread much faster?
• Much work remaining: total KaZaA size?
Remote Control
• Distributed control
  • Each worm knows about the other worms *it* has infected
  • Analysis: high connectivity, average degree = 4
  • Without a single point of communication, updates can still be passed along
• Programmatic updates
  • Worms as "computing capsules"
  • Can send arbitrary code!
Conclusion
• Worms present an extremely serious threat to the safety of the Internet