How to 0wn the Internet In Your Spare Time
Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver
Published: Proceedings of the 11th USENIX Security Symposium, 2002
Presenter: Shawn Embleton


Page 1: Title slide

Page 2: Outline

• Introduction

• Code Red Worm

• Better Worms in Practice

• Better Worms in Theory

• Simulations & Results

Page 3: Introduction

• Internet worms differ from viruses in that they do not require user participation
– excepting poor code and security practices

• 1988 Morris Worm
– Repeat infections possible – crashed systems

• 1999 Melissa Macro
– Half worm/virus
– Incapacitated many email servers

Page 4: Code Red v.1

• First seen July 12, 2001

• Spread by exploiting a Microsoft IIS .ida vulnerability discovered by eEye on June 18th

• 99 propagation threads; the 100th thread defaced web pages

• Problem: the RNG used a static seed that also incorporated the thread ID, so every infected host probed the same 99 scan lists
– Resulted in linear spreading

Page 5: Code Red v.1 Continued

• Defaced root-level pages

• Days 1st to 19th of the month: attempted to spread

• Days 20th to 28th: attempted a DDoS
– Target was www1.whitehouse.gov

• Memory resident
– Reboot the system to disinfect

Page 6: Code Red I v.2

• Started spreading July 19th, 2001

• Similar code base

• Fixed the RNG seeding problem

• Over 359,000 systems infected in 14 hours

• Systems that were power cycled were re-infected before patch could be applied …

Page 7: Code Red I v.2 Plot

[Plot of the RCS model fitted to Code Red I v.2 probe data from Chemical Abstracts; fitted parameters K = 1.8, T = 11.9]

Page 8: Analysis

• Random Constant Spread model [RCS]

• N – total number of vulnerable hosts
• K – initial compromise rate
• T – constant of integration that fixes the time at which the incident occurs

• a – proportion of vulnerable hosts that have been compromised
• t – time [in hours]

• Applied using the "logistic equation"
– Rate of growth in a finite system
– Equal likelihood of any host attacking any other
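The logistic model named on this slide, worked through here as an added example in the slide's own symbols; it restates the paper's RCS derivation rather than reproducing a slide from the deck, and the last line applies it to the fitted values K = 1.8, T = 11.9 shown on slide 7.

```latex
% Each of the N a(t) infected hosts compromises fresh victims at rate K(1-a),
% since a fraction a of the targets it finds is already compromised:
N\,\mathrm{d}a = (N a)\,K\,(1-a)\,\mathrm{d}t
\quad\Longrightarrow\quad
\frac{\mathrm{d}a}{\mathrm{d}t} = K\,a\,(1-a)

% Separate variables and integrate; T is the constant of integration:
\int \frac{\mathrm{d}a}{a(1-a)} = \int K\,\mathrm{d}t
\quad\Longrightarrow\quad
\ln\frac{a}{1-a} = K(t-T)
\quad\Longrightarrow\quad
a(t) = \frac{e^{K(t-T)}}{1+e^{K(t-T)}}

% Consequences: a(T) = 1/2, the curve is steepest there with slope K/4,
% and while a is small it grows by a factor of e^{K} per hour.
% With the fitted Code Red I v.2 values K = 1.8, T = 11.9 (slide 7):
a(t) = \frac{e^{1.8\,(t-11.9)}}{1+e^{1.8\,(t-11.9)}},\qquad e^{1.8}\approx 6.0
```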

Page 9: Analysis (continued)

Page 10: Better Worms in Practice

• Localized Scanning: Code Red II v.3

• August 4, 2001, but a different code base
– No defacement, no DDoS code, same exploit used [contained the string "Code Red II"]

• If no prior infection, it activates, installs a backdoor, waits one day and reboots the machine

• If the system language is Chinese, 600 threads run for 48 hours; otherwise 300 threads run for 24 hours

Page 11: Better Worms in Practice

• Localized Scanning: Code Red II v.3

• 1/8 probability of probing a random IP address

• 4/8 probability of probing the same /8 network

• 3/8 probability of probing the same /16 network

• No analytical model given
• No empirical data provided

Page 12: Better Worms in Practice

• Localized Scanning: Code Red II v.3

[Plot of Code Red II activity observed at LBNL]

Page 13: Better Worms in Practice

• Localized Scanning: Code Red II v.3

• The probe request as seen on the wire: GET /default.ida? followed by a long run of X filler characters and a %u-encoded payload


Page 14: Better Worms in Practice

• Multi-Vector Worms: Nimda

• September 18th, 2001

• 5 different attack vectors
– Client to client via email
– Client to client via open network shares
– Web server to client through browsing
– Client to server through directory traversal exploits
– Client to server through previous worms' backdoors

Page 15: Better Worms in Practice

• Multi-Vector Worms: Nimda

• Email propagation
– MIME message containing a 'readme.exe' payload
– Slight binary variations to change the hashes of the attachment
– Variable subject line
– Scans local hypertext files, along with mail received via MAPI, for additional email addresses to contact every 10 days

• File system propagation
– Creates MIME copies of itself on local and network drives
– Can exploit Explorer preview vulnerabilities
– Trojanizes legitimate applications on the system

Page 16: Better Worms in Practice

• Multi-Vector Worms: Nimda

• Web-server propagation
– Scans servers that the user browses for vulnerabilities
– Looks for Sadmind and Code Red backdoors, plus new exploits
– Spreads to browsing users by appending the following to all files in web-aware directories
– Also adds the 'guest' account to the Administrators group

Page 17: Better Worms in Theory

• Hit List Scanning

• Permutation Scanning

• Topologically Aware Worms

• Internet Scale Hit Lists

Page 18: Better Worms in Theory

• Hit List Scanning

• Worm needs a substantial base before the exponential spreading really takes off

• Before release, gather a list of potentially vulnerable systems

• After launch, these systems are infected much more rapidly and provide the needed base

• List can be retrieved or systematically halved at each new infection

Page 19: Better Worms in Theory

• Permutation Scanning

• Random scanning has inherent problems
– Many addresses are rescanned
– No way to know when the infection is nearing completion

• Share a common permutation of the address space
– Easy to compute at each host
– Newly infected machines start scanning from some index
– After encountering N already-infected machines, stop scanning

Page 20: Better Worms in Theory

• Topologically Aware Worms

• Look for Web servers in infected machines' caches
– High probability of being actual servers

• Look for addresses in users' address books
– If spreading through mail servers, for instance

• Email worms incorporate this tactic now

Page 21: Better Worms in Theory

• Flash Worms (main idea of the paper)

• Obtain a hit-list of systems with the relevant service open
– An OC-12 link could scan the entire Internet in 2 hours

• Include pre-knowledge of high-capacity servers

• Use an N-partitioned overlapping-list infection technique

• Argument is made for 30 seconds to total domination

Page 22: Better Worms in Theory

• Contagion Worms

• Slower spreading to avoid countermeasures based on heuristics such as capacity fluctuations

• Discusses using P2P applications to attain a high degree of host interconnectivity, spreading in an m-way tree style

• A stealthier idea than a fast-spreading worm

Page 23: Simulations

• Simulated a 'Warhol' style worm
– Combination of hit-list and permutation scanning

• Assumptions
– Complete connectivity in the 32-bit address space
– Scan until 99.99% infection

• Parameters
– Conventional: Code Red style with 10 scans/second
– Fast: Code Red style with 100 scans/second
– Warhol: 100 scans/s + hit-list + permutation scanning
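The random-scanning part of that simulation, reproduced as an added Python example (my own code, not the authors' simulator): a discrete-time Monte Carlo of the "conventional" (10 scans/s) and "fast" (100 scans/s) parameters over a 32-bit address space, checked against the closed-form RCS curve so a defender can see how much response time each scan rate leaves. The population N = 360,000, the 60-second step and the RNG seed are assumptions; hit-list and permutation scanning (the Warhol case) are not modelled.

```python
import math
import random

ADDRESS_SPACE = 2 ** 32  # slide assumption: complete connectivity in a 32-bit address space

def rcs_rate(n_vulnerable, scans_per_sec):
    """K of the RCS model: compromises per hour by one infected host early in the incident."""
    return scans_per_sec * 3600 * n_vulnerable / ADDRESS_SPACE

def rcs_fraction(t_hours, k, t_shift):
    """Closed-form RCS (logistic) solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})."""
    x = math.exp(k * (t_hours - t_shift))
    return x / (1.0 + x)

def poisson(rng, mean):
    """Poisson draw: Knuth's method for small means, normal approximation for large ones."""
    if mean > 30:
        return max(0, int(round(rng.gauss(mean, math.sqrt(mean)))))
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_random_scanning(n_vulnerable, scans_per_sec, stop_fraction=0.9999, step_sec=60, seed=7):
    """Monte Carlo of a uniformly random-scanning worm from one infected host: every infected
    host sends scans_per_sec probes/s to random addresses, and a probe infects only when it
    lands on a vulnerable, not-yet-infected host (no patching). Returns (hours, infected)."""
    rng = random.Random(seed)
    infected, t, samples = 1, 0, [(0.0, 1)]
    while infected < stop_fraction * n_vulnerable:
        p_hit = (n_vulnerable - infected) / ADDRESS_SPACE  # one probe finds a fresh victim
        new = poisson(rng, infected * scans_per_sec * step_sec * p_hit)
        infected = min(n_vulnerable, infected + new)
        t += step_sec
        samples.append((t / 3600.0, infected))
    return samples

def hours_to_fraction(samples, n_vulnerable, fraction):
    """First sampled time (hours) at which the infected count reaches fraction * N."""
    return next(h for h, i in samples if i >= fraction * n_vulnerable)

if __name__ == "__main__":
    N = 360_000  # assumed population, roughly the Code Red I v.2 count from slide 6
    for label, rate in (("conventional", 10), ("fast", 100)):
        k, sim = rcs_rate(N, rate), simulate_random_scanning(N, rate)
        t_shift = math.log(N - 1) / k  # a(0) = 1/N pins T for the closed-form curve
        print(f"{label}: K={k:.2f}/h, model 50% at {t_shift:.2f} h, simulated 50% at "
              f"{hours_to_fraction(sim, N, 0.5):.2f} h, 99.99% at {sim[-1][0]:.2f} h")
```

Because the early phase starts from a single host, the simulated half-way time scatters by a few tenths of an hour around the model's T; the tenfold scan rate shortens every milestone roughly tenfold.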

Page 24: Results

[Simulation results plot]

Page 25: Strengths

• Published relatively quickly, with a reasonable mathematical model that captures the data rather accurately

• Performed simulations that correlate well with the proposed mathematical model

• Results support the hypothesis of total Internet domination …

Page 26: Weaknesses

• Some of the data could be interpreted in ways other than those offered

• Paper seems to have a heavy "what-if" factor

• Main call for action is made without laying out any specific plans or specifications

• Small incongruities with other recognized organizations [such as CERT]

Page 27: Improvements

• Authors might have proposed a specific defense system alongside the call for action

• Could have gathered data from more locations than just LBNL and Chemical Abstracts Service Corp.

• More helpful to compare the different worms using the same analysis methods
– Connections/second vs. distinct remote hosts attacking

Page 28: References

• www.caida.org

• www.cert.org

• http://www.thesitewizard.com/news/coderediiworm.shtml

• How to 0wn the Internet in Your Spare Time – Staniford, Paxson, Weaver

Page 29: Questions?