330 likes | 811 Views
“How to 0wn the Internet in Your Spare Time” Nathanael Paul Malware Seminar September 7, 2004 The Internet has… ~250,000,000 hosts on Internet (January 2004) (Source: Internet Systems Consortium, Inc. (http://www.isc.org/) ~300,000,000 Internet Users
E N D
“How to 0wn the Internet in Your Spare Time” Nathanael Paul Malware Seminar September 7, 2004
The Internet has… • ~250,000,000 hosts on Internet (January 2004) (Source: Internet Systems Consortium, Inc. (http://www.isc.org/) • ~300,000,000 Internet Users • ~140,000,000 USA Internet Users http://www.clickz.com/stats/big_picture/geographics/article.php/3397231 • 1 million is: • ~0.7% of the USA Internet Users • ~0.3% of all Internet Users
Analyzing Past Attempted Takeovers • 1988: Morris Worm • July 13, 2001: Code Red I v2 • Aug. 4, 2001: Code Red II • Sept. 18, 2001: Nimda • Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”
Morris Worm • Multi-vectored like Nimda • rsh • fingerd via buffer overflow that worked on VAX and caused core dump on Suns • sendmail • Morris worm infected 6,000 of 60,000 hosts (5-10%) • Very large percentage compared to today’s worms
Code Red I v2 (CRv1) • Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”) • “Randomly” scanned for vulnerable IPs • Linear spread, since random number generator seed was fixed • In early stages, infection rate was about 1.8 other servers infected per hour • Hosts with inaccurate clocks kept it alive past July 19
Proportion of vulnerable servers compromised • Random Constant Model • N: total number of vulnerable hosts • T: t is relative to this constant • K: compromise rate • a(t) = at time t, the proportion of compromised vulnerable machines • a(t) = eK(t-T)/1+eK(t-T) • Does not depend on N
Code Red II • Used same IIS vulnerability as CRv1 but installed root backdoor instead • Fixed random IP generator • Scan: • Class B address space 3/8 probability • Class A address space 1/2 probability • Whole Internet address space 1/8 probability • Utilize Topology • Emphasize localized spread
Nimda • Multi-vectored worm [relate back to morris worm] • IIS vulnerability • Email (Firewall evasion!) • Network shares • Infect webpages • Scan for Code Red and Sadmind backdoors • Almost no probing to 100 probes/sec in ½ hour
How to Spread Faster • The Warhol worm • capable of infecting machines in a matter of minutes… • Hit-list scanning • Faster startup • Permutation Scanning • Limit redundant scans • Topologically Aware worms
Hit-lists • Brute-force • Use your favorite search engine • DNS search • Distributed scanning using zombies • Stealth scan (takes longer but pretty much undetectable)
Permutation Scanning • Eliminate redundant scanning by partitioning searches • Start scanning from your point in permutation • If machine in sequence is infected, randomly choose new point to scan and increment counter • Else infect computer and then scan • Stop scanning when counter == SCAN_LIMIT
Topological Scanning • Use email addresses • MyDoom used Google, Yahoo, Altavista, and Lycos • Internet cache for URLs • P2P peers • Ping results
Conventional • 10 scans/sec • Fast Scanning • 100 scans/sec • Warhol • 100 scans/sec • 10,000 entry hit-list • Permutation scanning • Gives up when count = 2 From How To 0wn the Internet In Your Spare Time pdf slides
More on Warhol worm From How To 0wn the Internet In Your Spare Time pdf slides
Sapphire WormJanuary 25, 2003 http://www.caida.org/analysis/security/sapphire/
Sapphire WormJanuary 25, 2003 From 0 infected hosts to 74855 in 30 minutes http://www.caida.org/analysis/security/sapphire/
Sapphire Worm • Fastest spreading worm in history • Doubled in size every 8.5 seconds • Code Red’s population doubled every 37 minutes • Over 90% of vulnerable machines compromised in ~10 minutes • Targeted Microsoft’s SQLServer through buffer overflow (patch had been released) • Sent UDP packets (376 bytes) to port 1434, so easy to filter • Reached over 55 million scans/sec in under 3 minutes http://www.cs.berkeley.edu/~nweaver/sapphire/
Witty WormMarch 19, 2004 • Used hit-list or timed release of worm • Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE) • Infected 12,000 computers and wrote to random points on disk • Spread one day after vulnerability was announced http://www.caida.org/analysis/security/witty/
Witty v. Sapphire • Witty • At peak, flooded Internet with over 90 Gbits/sec • Infected host, then sent 20,000 packets between 796 and 1307 bytes • Sapphire • With 100 Mb/s link, 30,000+/sec scans with Sapphire • From one copy of worm, using 404-byte UDP packets, 30000 * 404 = 12120000 bytes http://www.caida.org/analysis/security/witty/
Flash worms • Capable of infecting most vulnerable servers in < 30 seconds… • Need a high bandwidth link • 9 million servers were 13 Mb compressed • Initial copies of the worm have hit-lists • Hit-lists could be divided up into chunks and distributed on known high bandwidth servers
Contagion or Stealth worms • Stealthily propogate a worm • Web server to clients • P2P clients • Identical software, anonymity, large files, many clients, less monitoring, less diversity • My estimate: Sometimes 1 in 20 hits on software searches result in detected virus on Kazaa • Very difficult to detect since traffic pattern change is so small • Use those md5 sums!
KaZaa • Fizzer, Lolol, K0wbot, Win32.Mydoom.A • Use IRC channels for remote control • Download office_crack or rootkitXP for Win32.Mydoom.A • Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university host) • Brilliant Digital • Trojan bundled in Kazaa • http://www.cs.berkeley.edu/~nweaver/0wn2.html
Updating Worms • Distributed Control • Each worm could have a subset of infected hosts • Each command can be signed and then sent to other copies of worm • Received commands can be verified and then forwarded • Programmable Updates • Possible with crypto modules correctly implemented? • Most viruses/worms not well-written
What have we learned since 1988? • New legal awareness • 1995, Pile sentenced to 18 months for SMEG virus (British) • Smith sentenced to 20 months and $5000 fine for releasing Melissa virus (USA) • Simon Vallor sentenced to 2 years (Wales) • Teenager who wrote MSBlast.B most likely will be sentenced to 18 to 37 months (USA) • Has it worked?
Lots of things to work on • Buffer Overflows still prevalent • Passwords still poorly chosen • People with a lot less skill than Robert Morris have done much more damage • Misconfigured policies • Complexity is anathema to security • Morris used a sendmail vulnerability • People don’t keep up with patches (even on servers) • Security Holes … Who Cares? [USENIX security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]
Government Role • “Cyber-Center for Disease Control" (CDC) • Homeland security? • Cyber CDC responsible for: • Identifying outbreaks • Rapidly analyzing pathogens • How open should results be? • Fighting infections • Anticipating new vectors. • Proactively devising detectors for new vectors • Resisting future threats
Observations • Infection from a new exploit (0-day) can happen fast! (or even an old exploit) • A well-written virus/worm without any “large” errors could do really bad damage • Some potential “solutions”… • Distributed Firewalls • Honeypots • Can diversity help? • IIS exploits in Code Red, IRC channels used for remote control