
How to Own the Internet in your spare time

This paper explores the analysis of Code Red, Nimda Worm, and faster techniques for spreading worms. Topics covered include hit-list scanning, permutation scanning, topological scanning, flash worms, stealth worms, exploiting P2P systems, and remote control.





Presentation Transcript


  1. How to Own the Internet in your spare time Ashish Gupta Network Security April 2004

  2. Overview • What is the paper about? • Code Red Analysis • Three new techniques for fast spreading • Surreptitious worms • Summary

  3. The threat • Millions of hosts → enormous damage • Distributed DoS • Access sensitive information • Sow confusion and disruption • This paper is about: • Fast spreading of worms

  4. Analysis of Code Red I • Compromises MS IIS web servers • Spreads by random IP generation – 99 threads • Earlier bug → Code Red I • DDoS attack on whitehouse.gov • Modeling → Random Constant Spread (RCS) • Gives an exponential equation: • Depends only on K, not N

  5. Better Worms • Code Red II • Used a localized scanning technique • 3/8 → same class B, 1/2 → same class A, 1/8 → rest • Very successful strategy • Affects many vulnerable hosts • Proceeds quicker

  6. Nimda Worm • Nimda Worm → August 2001 • Maintained itself for months, multi-mode worm • Infected web servers • Bulk emailing • Infecting web clients • Using Code Red II backdoors

  7. Onset • Very rapid onset • Mail-based spread → very effective • Full functionality → ?

  8. Faster Worms

  9. Creating Better Worms • Hit-list scanning • “Getting off the ground” very fast • Say first 10,000 hosts • Pre-select 10,000–50,000 vulnerable machines • First worm carries the entire hit list • Hit list split in half on each infection • Can establish itself in a few seconds
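The RCS model from slide 4 and the hit-list start-up argument from slide 9 can be worked through numerically: the logistic curve depends only on K, and the initial fraction sets how long the worm spends "getting off the ground". The Python below is an added example, not code from the slides or the paper; the rate K = 1.8 per hour and the initial fractions are assumed values (the slides give none), and the time to 90% infection is read here as the response window a defender has.

```python
import math

def logit(a):
    """ln(a / (1 - a)); inverse of the logistic curve."""
    return math.log(a / (1.0 - a))

def rcs_fraction(t, K, T):
    """Closed-form RCS solution: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    a is the fraction of vulnerable hosts compromised, K the initial
    compromise rate, T the time at which half the population is infected."""
    x = K * (t - T)
    if x > 700:           # math.exp would overflow; the curve has saturated
        return 1.0
    e = math.exp(x)
    return e / (1.0 + e)

def time_to_fraction(K, a0, target):
    """Analytic time for the infected fraction to grow from a0 to target.
    N does not appear: only K and the two fractions matter."""
    return (logit(target) - logit(a0)) / K

def simulate_rcs(N, K, a0, target=0.9, dt=0.001, t_max=200.0):
    """Euler integration of the RCS equation in absolute host counts,
    dI/dt = K * I * (N - I) / N, starting from a0 * N infected hosts.
    Returns the time at which I/N first reaches target."""
    I = a0 * N
    t = 0.0
    while I / N < target:
        if t >= t_max:
            raise RuntimeError("target not reached within t_max")
        I += dt * K * I * (N - I) / N
        t += dt
    return t

if __name__ == "__main__":
    K = 1.8   # assumed compromise rate per hour
    t_small = simulate_rcs(100_000, K, a0=1e-4)
    t_large = simulate_rcs(3_600_000, K, a0=1e-4)
    print(f"time to 90%: N=1e5 -> {t_small:.2f} h, N=3.6e6 -> {t_large:.2f} h")
    print(f"analytic from a0=1e-4: {time_to_fraction(K, 1e-4, 0.9):.2f} h")
    print(f"analytic with a 10% hit list: {time_to_fraction(K, 0.1, 0.9):.2f} h")
```

Running it shows the same time to 90% for both population sizes, and a hit list that seeds 10% of the population cuts that time by more than half.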

  10. Permutation Scanning • Random scanning inefficient → lot of overlap • All worms share a common pseudo-random permutation (diagram: index → 32-bit block cipher with shared key → IP address)

  11. How it works: • After first infection, start scanning after their point in the permutation • If machine already infected, pick a random starting index • Minimizes duplication of effort • W sees W’ → W’ already working on the permutation list of W → W re-starts at a random point • Keeps infection rate very high, comprehensive scan • Permutation key can be changed periodically for effective rescan

  12. A Warhol Worm • Combination of hit-list and permutation scanning • Can spread widely in less than 15 mins • Simulation results

  13. Topological scanning • Use info on victim to identify new targets • Email lists • P2P applications • List of web servers from IE favorites etc.

  14. Faster Worms: Recap • Fast startup → Hit-list scanning • Extremely efficient → Permutation scanning • Combine the above → Warhol worms • Exploit local information → Topological scanning

  15. Flash Worms • Fastest method → Entire Internet in tens of seconds • Obtain hit list of vulnerable servers in advance • 2 hours for entire IP space on an OC-12 link (622 Mbps) • List would be big (~48 MB) • Divide into n blocks • Infect first of each block and hand over the block to the new worm • Repeat for each block • Alternative: Store pre-assigned chunks on a high-bandwidth server • Two limitations • Large list size • Latency • Analysis: Sub-thirty-second limit on total infection time on a 256 kbps DSL link

  16. For 3 million hosts, just 7 layers deep (n = 10)

  17. Stealth Worms • No peculiar communication patterns • Very difficult to detect • Working: • Pair of exploits: Es for server, Ec for client ??? • Server → Client → Server, … • Limitations • Pair of threats required • Depends on web surfing

  18. Exploiting P2P systems • Large set, all running same software • Only single exploit now needed • More favorable for infection: • Interconnect with large number of peers • Transfer large files • Not mainstream protocols • Execute on desktops, not servers • Potentially immense size

  19. Analysis of KaZaA traffic • Immense traffic: 5–10 million connections per day • Huge diversity! → 9 million distinct hosts contacted in November (from 5,800 university hosts) • If KaZaA were exploited (variable-size headers?), then a large number could be infected stealthily in a month • Starting point: brute-force infect all university hosts ??? • Actual spread much faster? • Much work remaining → total KaZaA size?

  20. Remote Control • Distributed control • Each worm knows about other worms *it* has infected • Analysis: High connectivity, average degree = 4 • Without a single point of communication, updates can be passed • Programmatic updates • Worms as “computing capsules” • Can send arbitrary code!

  21. Conclusion • Worms present an extremely serious threat to the safety of the Internet
