How to 0wn the Internet in your spare time & A worst case worm


Page 1: How to 0wn the Internet in your spare time & A worst case worm

How to 0wn the Internet in your spare time & A worst case worm

Stuart Staniford, Vern Paxson, Nicholas Weaver

Presented by: Jesus Morales

Page 2

Overview

How to 0wn the Internet in your spare time
- Worms
- Analytical spread model
- Worm improvements
- Cyber CDC

A worst-case worm
- Linear cost model
- The attack
- Damage estimations

Page 3

How to 0wn the Internet in your spare time

The problem: an attacker controlling a high number of hosts on the Internet could cause much damage:
- DDoS attacks: shut down much of the Internet
- Access/disperse sensitive information
- Corrupt information

The way: worms

Page 4

Worms [Worms]

Worms, formally known as “Automated Intrusion Agents”, are software components that are capable, using their own means, of infecting a computer system and using it in an automated fashion to infect another system.

A virus, by contrast, can’t spread/infect on its own.

Page 5

Code Red I (July 2001) [Worms]

Began: July 12, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named “Code Red” because:
- the folks at eEye security worked through the night to identify and analyze this worm, drinking “Code Red” (Mountain Dew) to stay up
- the worm defaced some websites with the phrase “Hacked by Chinese”

Launched 99 threads on the infected host, which all generated random IP addresses and tried to compromise them.

Version 1 did not infect too many hosts due to the use of a static seed in the random number generator. Version 2 came out on July 19th with this “bug” fixed and spread rapidly.

The worm’s behavior each month:
- 1st to 19th: spread by infection
- 20th to 28th: launch a DoS on www.whitehouse.gov
- 28th till end of month: take a rest

Infected 359,000 hosts in under 14 hours.

Page 6

Code Red: Analytical model

Simplifying assumptions:
- No patching
- No firewalls
- No churn

Infection rate is proportional to
- the number of hosts already infected
- the number of hosts not infected, but susceptible

Result: the logistic equation, well known for epidemics in finite systems:

$\frac{da}{dt} = K a (1 - a)$

$a = \frac{e^{K(t - T)}}{1 + e^{K(t - T)}}$

Here $a$ is the infected fraction, $K$ is the initial compromise rate, the factor $(1 - a)$ gives the saturation, and $T$ is the time at which $a = 1/2$.
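The logistic model on this slide, worked as an added example (this is not code from the slides or from the paper): it integrates da/dt = K a (1 - a) numerically and checks the result against the closed form, and it estimates K and T from a series of infected-host counts of the kind an outbreak sensor would report, using the fact that ln(a/(1-a)) = K t - K T is linear in t, so a least-squares line through the logit of the observations recovers both parameters. The values K = 1.8 per hour, T = 12 h and a vulnerable population of 360,000 hosts are assumptions chosen for the illustration, and the observation series is constructed from them, not measured.

```python
import math
import random


def infected_fraction(t, K, T):
    """Closed-form solution from the slide: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    K is the initial compromise rate (per hour); T is the time at which a = 1/2.
    Written as 1 / (1 + e^{-K(t-T)}), which is algebraically identical."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def integrate_logistic(K, a0, t_end, dt=1e-4):
    """Euler integration of da/dt = K a (1 - a) from a(0) = a0 up to t_end hours."""
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += dt * K * a * (1.0 - a)
    return a


def time_to_fraction(K, T, frac):
    """Invert the closed form: the hour at which the infected fraction reaches frac."""
    return T + math.log(frac / (1.0 - frac)) / K


def make_observations(K, T, n_vulnerable, hours, noise_sd=0.0, seed=0):
    """Constructed sensor data (not real measurements): hourly infected-host
    counts generated from the model, with optional multiplicative Gaussian noise."""
    rng = random.Random(seed)
    obs = []
    for t in hours:
        count = n_vulnerable * infected_fraction(t, K, T) * (1.0 + rng.gauss(0.0, noise_sd))
        obs.append((t, int(round(count))))
    return obs


def fit_logistic(observations, n_vulnerable):
    """Estimate (K, T) from (hour, infected_count) pairs.
    With a = count / n_vulnerable the slide's solution gives
    ln(a / (1 - a)) = K*t - K*T, so an ordinary least-squares line through
    (t, logit(a)) has slope K and intercept -K*T. Points with a = 0 or a = 1
    have no finite logit and are skipped."""
    xs, ys = [], []
    for t, count in observations:
        a = count / n_vulnerable
        if 0.0 < a < 1.0:
            xs.append(float(t))
            ys.append(math.log(a / (1.0 - a)))
    if len(xs) < 2:
        raise ValueError("need at least two observations strictly between 0 and 1")
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    K = sxy / sxx
    T = -(my - K * mx) / K
    return K, T


if __name__ == "__main__":
    K_TRUE, T_TRUE, N_VULN = 1.8, 12.0, 360_000   # assumed values, not from the slides
    obs = make_observations(K_TRUE, T_TRUE, N_VULN, range(8, 15), noise_sd=0.02, seed=1)
    K_est, T_est = fit_logistic(obs, N_VULN)
    print(f"fitted K = {K_est:.2f}/h, T = {T_est:.2f} h (generated with K = 1.80, T = 12.00)")
    print(f"time to 90% infected: {time_to_fraction(K_est, T_est, 0.9):.2f} h")
    a_num = integrate_logistic(K_TRUE, infected_fraction(0.0, K_TRUE, T_TRUE), T_TRUE)
    print(f"numerical a(T) = {a_num:.4f}; closed form gives 0.5")
```

The fit only uses the rising part of the curve, where counts are strictly between 0 and the population size; a sensor that sees the outbreak early therefore gives a usable estimate of K, and with it a forecast of when saturation will be reached, hours before the curve flattens.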

Page 7

Code Red I: initial and reemergence outbreaks (figure)

Page 8

Improvements: Localized scanning [Network Security II]

Observation: the density of vulnerable hosts in the IP address space is not uniform

Idea: bias scanning towards the local network

Used in Code Red II:
- P = 0.50: choose an address from the local class-A network (/8)
- P = 0.38: choose an address from the local class-B network (/16)
- P = 0.12: choose a random address

Allows the worm to spread more quickly
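From the defender's side, the bias described on this slide is also a signature: a host that is already known to be scanning, and whose destinations cluster in its own /8 and /16 far beyond the 1/256 and 1/65536 shares that uniform random scanning would produce, is using localized scanning. The check below is an added example (not code from the slides or the cited lecture); the scanner address and both destination lists are constructed samples, not real traffic.

```python
import ipaddress

# Expected share of destinations inside the scanner's own /8 and /16 when
# addresses are drawn uniformly at random from the IPv4 space.
UNIFORM_SHARE_8 = 1 / 256
UNIFORM_SHARE_16 = 1 / 65536


def local_prefix_shares(source_ip, destinations):
    """Fraction of destination addresses inside the source's /8 and /16."""
    src = int(ipaddress.IPv4Address(source_ip))
    same8 = same16 = 0
    for dst in destinations:
        d = int(ipaddress.IPv4Address(dst))
        if d >> 24 == src >> 24:
            same8 += 1
            if d >> 16 == src >> 16:   # a /16 match implies the /8 match
                same16 += 1
    return same8 / len(destinations), same16 / len(destinations)


def looks_localized(source_ip, destinations, factor=10.0):
    """True when the destinations concentrate in the source's own /8 or /16
    at least `factor` times more than uniform random scanning would give."""
    s8, s16 = local_prefix_shares(source_ip, destinations)
    return s8 >= factor * UNIFORM_SHARE_8 or s16 >= factor * UNIFORM_SHARE_16


# Constructed sample (hypothetical addresses, not captured traffic): one
# scanner in 10.0.0.0/8 whose probes are spread over the whole space, and
# one that keeps most probes inside 10.0.0.0/8 and 10.5.0.0/16.
SCANNER = "10.5.7.20"
UNIFORM_LIKE = ["198.51.100.4", "203.0.113.9", "192.0.2.77", "172.16.40.3",
                "100.64.1.1", "8.8.4.4", "1.2.3.4", "44.55.66.77",
                "91.198.174.192", "157.240.1.35"]
LOCALIZED = ["10.5.1.1", "10.5.9.200", "10.5.33.4", "10.5.200.12", "10.5.0.9",
             "10.77.1.1", "10.200.4.4", "10.3.3.3", "10.9.9.9",
             "203.0.113.9", "198.51.100.4"]

if __name__ == "__main__":
    for name, dests in (("uniform-like", UNIFORM_LIKE), ("localized", LOCALIZED)):
        s8, s16 = local_prefix_shares(SCANNER, dests)
        print(f"{name:13s} share in own /8 = {s8:.2f}, in own /16 = {s16:.2f}, "
              f"localized = {looks_localized(SCANNER, dests)}")
```

The check is only meaningful for hosts that have already been singled out as scanners (many distinct destinations, a high rate of failed connections): an ordinary host naturally concentrates its traffic on its local network, so the prefix shares alone do not indicate a worm.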

Page 9

Code Red II (August 2001) [Worms]

Began: August 4th, 2001
Exploit: Microsoft IIS web servers (buffer overflow)
Named “Code Red II” because it contained a comment stating so. However, the codebase was new.

Infected IIS on Windows 2000 successfully but caused a system crash on Windows NT.

Installed a root backdoor on the infected machine.

Page 10

Improvements: Multi-vector [Network Security II]

Idea: use multiple propagation methods simultaneously

Example: Nimda
- IIS vulnerability
- Bulk e-mails
- Open network shares
- Defaced web pages
- Code Red II backdoor

[Figure: Onset of Nimda. HTTP connections/second seen at LBNL (only confirmed Nimda attacks) vs. time (PDT), 18 September 2001; the marked interval is 1/2 hour.]

Page 11

Improvements: Hit-list scanning [Network Security II]

Problem: spread is slow during the initial phase

Idea: collect a list of promising targets before the worm is released
- Low-profile 'stealthy' scan
- Distributed scan
- Spider/crawler
- Surveys or databases
- Attacks from other worms

Low overhead, since the list shrinks quickly

Page 12

Improvements: Permutation scanning [Network Security II]

Problem: many addresses are scanned multiple times

Idea: generate a random permutation of all IP addresses and scan in that order
- Hit-list hosts start at their own position in the permutation
- When an already-infected host is found, restart at a random point
- Can be combined with a divide-and-conquer approach

[Figure: hosts H0, H4, H1, H3, H2 placed along the permutation; H1 (restart)]

Page 13

Warhol worms [Network Security II]

A worm using both hit-list and permutation scanning could infect most vulnerable targets in < 1 hour

Simulation: compare
- 10 scans/second (Code Red)
- 100 scans/second
- 100 scans/second plus a 10,000-entry hit list (Warhol worm)

First Warhol worm 'in the wild': SQL Slammer

"In the future, everyone will have 15 minutes of fame"
-- Andy Warhol

[Figure: number of instances vs. time (hours) for the three simulated worms]
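An added example (not code from the slides or the cited lecture) that reproduces the three-way comparison on this slide inside the logistic model from the analytical-model slide: each infected host scans s addresses per second, a uniformly chosen address is vulnerable with probability Nvuln / 2^32, so the compromise rate is K = s * 3600 * Nvuln / 2^32 per hour, and a hit list of h hosts starts the outbreak at an infected fraction of h / Nvuln instead of 1 / Nvuln. The vulnerable population of 360,000 hosts is an assumption for the illustration, and the model ignores bandwidth limits, scan failures and the duplicate scanning that permutation scanning removes, so it is an idealization of the simulation plotted on the slide.

```python
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses a random scan can pick from


def compromise_rate(scans_per_second, n_vulnerable):
    """K of the logistic model, per hour: scans per hour per infected host
    times the probability that a uniformly random address is vulnerable."""
    return scans_per_second * 3600.0 * n_vulnerable / ADDRESS_SPACE


def logit(a):
    return math.log(a / (1.0 - a))


def time_to_fraction_from(K, a0, frac):
    """Closed-form time (hours) for the infected fraction to grow from a0 to
    frac. From a(t) = 1 / (1 + e^{-K(t-T)}) we have logit(a(t)) = logit(a0) + K t."""
    return (logit(frac) - logit(a0)) / K


def simulate_hours(scans_per_second, n_vulnerable, hit_list=1, frac=0.9, step_seconds=1.0):
    """Discrete-time (expected-value) simulation of da/dt = K a (1 - a), seeded
    with hit_list already-infected hosts. Returns the simulated time in hours at
    which the infected fraction first reaches frac."""
    K = compromise_rate(scans_per_second, n_vulnerable)
    dt = step_seconds / 3600.0
    a, t = hit_list / n_vulnerable, 0.0
    while a < frac:
        a += dt * K * a * (1.0 - a)
        t += dt
    return t


def compare(n_vulnerable=360_000):
    """The three scenarios from the slide; returns hours to 90% infection."""
    scenarios = {
        "10 scans/s (Code Red)": (10, 1),
        "100 scans/s": (100, 1),
        "100 scans/s + 10,000 hit list (Warhol)": (100, 10_000),
    }
    return {name: simulate_hours(s, n_vulnerable, h) for name, (s, h) in scenarios.items()}


if __name__ == "__main__":
    for name, hours in compare().items():
        print(f"{name:42s} {hours * 60:6.1f} minutes to 90% infected")
```

Two effects are visible in the output: raising the scan rate scales K and so divides the whole timeline, while the hit list removes the slow initial phase by starting the curve already in its steep part, which is why the Warhol scenario comes in under fifteen minutes even though its K is the same as the plain 100 scans/second case.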

Page 14

Flash worms [Network Security II]

A flash worm would start with a hit list that contains most/all vulnerable hosts

Realistic scenario: a complete scan takes 2 h with an OC-12. Internet warfare?

Problem: size of the hit list
- 9 million hosts: 36 MB
- Compression works: 7.5 MB
- Can be sent over a 256 kbps DSL link in 3 seconds

Extremely fast: full infection in tens of seconds!

Page 15

Surreptitious worms [Network Security II]

Idea: hide worms in inconspicuous traffic to avoid detection

Leverage P2P systems?
- High node degree
- Lots of traffic to hide in
- Proprietary protocols
- Homogeneous software
- Immense size (30,000,000 Kazaa downloads!)

Page 16

Conclusion: A Cyber-CDC? [Network Security II]

The paper advocates the creation of a CDC equivalent for computer worms and viruses

Responsibilities of the CDC:
- Deploy sensors to detect outbreaks quickly
- Rapidly analyze new pathogens
- Propagate signatures to isolate the worm/virus
- Do research in the field

The CDC should be collaborative, but not all information should be available to the public: a "partially open" approach

Page 17

Worst-case worm

Question: how much economic damage to the US in a worst-case worm attack?

Estimates based on:
- Worst-case worm
- Linear damage model: lost productivity, repair time, lost data, damage to systems

Assumption: Murphy’s Law

Page 18

Cost model

- Dtotal = total cost of damage
- Ninf = number of systems infected
- Dsystem = damage per system
- Ppenetration = fraction of systems infected
- Nvulnerable = potential infectees
- Drec = cost of system recovery
- Ttime = total downtime (hr)
- Dtime = cost of downtime per hour
- Pdata = probability of unrecoverable data loss
- Ddata = cost of data loss
- Pbios = probability of system loss due to hardware damage
- Dbios = replacement value of the computer

Page 19

Cost model (cont)

Dtotal = Ninf * Dsystem

Ninf = Ppenetration * Nvulnerable

Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios

Page 20

The attack: target

Target: Windows SMB/CIFS file sharing server
- Part of all distributions since Windows 98
- Desktop file sharing, printer sharing, centralized Windows file servers
- Is on by default

Assumption: the attacker knows a “zero day” exploit for SMB/CIFS

Page 21

The attack: propagation

Internet spread
- Slammer infected tens of thousands of servers in less than 10 minutes.
- Flash worms: spread in < 1 minute

Spread through gateways
- Slow phase: mail and web vectors require some level of human action within an organization
- Conservative upper bound: 1 day. Probably much faster.

Intranet spread
- Nearly instantaneous
- Fast LANs: infection of a new victim in < 1 second
- Can use a hit list to spread even faster

Page 22

Damage estimations

- Penetration (Ppenetration): 0.60 of all vulnerable machines
- Number of vulnerable machines (Nvulnerable): 85 million
  - Considering only business and government (2001); not considering home computers
- Recovery (Drec): $20 per system
- Downtime:
  - Dtime: $35/hr
  - Ttime: 16 hr (2 days)

Page 23

Damage (cont.)

- Data loss (Ddata): $2,000
- Percentage of unrecoverable data (Plost_data): 0.1
- Percentage of unrecoverable machines (Pbios): 0.1
- Cost for lost machines (Dbios): $2,400
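The cost model of pages 18 and 19, evaluated with the parameter values of pages 22 and 23, as an added Python example (not the paper's or the presenter's code). Besides the total it breaks Dsystem into its four terms and re-runs the model after a parameter change, which is how the effect of a countermeasure such as better backups (a lower Pdata) or faster recovery (a lower Ttime) can be read off. The slide lists the data-loss probability as Plost_data; it is the Pdata of the model on page 18.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class WormCost:
    """Inputs of the linear cost model; field comments give the slide's names."""
    n_vulnerable: float    # Nvulnerable: potential infectees
    p_penetration: float   # Ppenetration: fraction of vulnerable systems infected
    d_rec: float           # Drec: cost of system recovery ($)
    t_time: float          # Ttime: total downtime (hours)
    d_time: float          # Dtime: cost of downtime per hour ($/hr)
    p_data: float          # Pdata (Plost_data on page 23): probability of unrecoverable data loss
    d_data: float          # Ddata: cost of data loss ($)
    p_bios: float          # Pbios: probability of system loss due to hardware damage
    d_bios: float          # Dbios: replacement value of the computer ($)


def systems_infected(c):
    """Ninf = Ppenetration * Nvulnerable"""
    return c.p_penetration * c.n_vulnerable


def damage_breakdown(c):
    """The four terms of Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios."""
    return {
        "recovery": c.d_rec,
        "downtime": c.t_time * c.d_time,
        "data loss": c.p_data * c.d_data,
        "hardware loss": c.p_bios * c.d_bios,
    }


def damage_per_system(c):
    """Dsystem"""
    return sum(damage_breakdown(c).values())


def total_damage(c):
    """Dtotal = Ninf * Dsystem"""
    return systems_infected(c) * damage_per_system(c)


# Parameter values from pages 22 and 23 of the slides.
SLIDE_ESTIMATE = WormCost(
    n_vulnerable=85e6, p_penetration=0.60,
    d_rec=20.0, t_time=16.0, d_time=35.0,
    p_data=0.1, d_data=2000.0,
    p_bios=0.1, d_bios=2400.0,
)


def with_countermeasure(c, **changes):
    """Re-evaluate the model after a parameter change (e.g. p_data=0.01 for solid
    backups, t_time=8.0 for a faster recovery procedure). Returns (inputs, Dtotal)."""
    c2 = replace(c, **changes)
    return c2, total_damage(c2)


if __name__ == "__main__":
    print(f"systems infected: {systems_infected(SLIDE_ESTIMATE):,.0f}")
    for term, dollars in damage_breakdown(SLIDE_ESTIMATE).items():
        print(f"  {term:14s} ${dollars:8,.2f} per system")
    print(f"Dsystem = ${damage_per_system(SLIDE_ESTIMATE):,.2f}")
    print(f"Dtotal  = ${total_damage(SLIDE_ESTIMATE):,.0f}")
    _, d_backup = with_countermeasure(SLIDE_ESTIMATE, p_data=0.01)
    print(f"with Pdata = 0.01 (solid backups): Dtotal = ${d_backup:,.0f}")
```

With the slide's values the downtime term is the largest share of Dsystem, so measures that shorten Ttime move the total more than measures aimed at any single one of the other terms; the same function makes that comparison for any alternative set of assumptions.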

Page 24

Damage (cont.)

Page 25

Conclusion

- Damage potential is huge
- Need preventive measures:
  - Solid data backups
  - Protect BIOSes
  - Mail-worm defenses
  - Improved recovery procedures
  - Reduce monocultures
- Vulnerable spots (SMB/CIFS) are ubiquitous and hence merit special defenses

Page 26

References

[Network Security II] Network Security II: lecture 22, COMP529 - Computer Network Protocols and Systems, Andreas Haeberlen. www.cs.rice.edu/~eugeneng/teaching/f04/comp529/lectures/lecture22.ppt

[Worms] Worms, Pandurang Kamat. www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt