how to 0wn the internet in your spare time authors stuart staniford, vern paxson, nicholas weaver...
Post on 18-Jan-2018
238 Views
Preview:
DESCRIPTION
TRANSCRIPT
How to 0wn the Internet In Your
Spare TimeAuthors
Stuart Staniford, Vern Paxson, Nicholas Weaver
PublishedProceedings of the 11th USENIX Security
Symposium 2002
PresenterShawn Embleton
Outline• Introduction
• Code Red Worm
• Better Worms in Practice
• Better Worms in Theory
• Simulations & Results
Introduction• Internet Worms differ from viruses in that they
do not require user participation– excepting poor code and security practices
• 1988 Morris Worm– Repeat infections possible – crashed systems
• 1999 Melissa Macro– Half worm/virus– Incapacitated many email servers
Code Red v.1• First seen July 12, 2001
• Spread by exploiting a Microsoft IIS .ida vulnerability discovered by eEye on June 18th
• 99 propagation threads, 100th defaced pages
• Problem, RNG used static ‘seed’ which also incorporated the TID == 99 spread lists– Resulted in linear spreading
Code Red v.1 Continued• Defaced root level pages
• 1st to 19th attempted to spread
• 20th to 28th attempted to DDOS– target was www1.whitehouse.gov
• Memory resident– Reboot the system to disinfect
Code Red I v.2• Started spreading July 19th, 2001
• Similar code base
• Fixed the RNG seeding problem
• Over 359,000 systems infected in 14 hours
• Systems that were power cycled were re-infected before patch could be applied …
Code Red I v.2 Plot
K=1.8T=11.9
Chemical
Abstracts
Analysis• Random Constant Spread Model [RCS]
• N - total number of vulnerable hosts• K – initial compromise rate• T – time fixing when incident occurs
• a – proportion of compromised vulnerable• t – time [in hours]
• Applied using “logistic equation”– Rate of growth in finite system– Equal likelihood of any attacking any other
Analysis
Better Worms in Practice
• Localized Scanning Code Red II v.3
• August 4, 2001 but different code base– No defacement, no DDOS code, same exploit
used [contained a string “Code Red II”]
• If no prior infection, initiates, installs backdoor, waits one day and reboots machine
• If Chinese language on system, 600/48 threads else 300/24 threads are used to propagate
Better Worms in Practice
• Localized Scanning Code Red II v.3
• 1/8 probability of probing random IP address
• 4/8 probability of probing same /8 network
• 3/8 probability of probing same /16 network
• No analytical model given• No empirical data provided
Better Worms in Practice
• Localized Scanning Code Red II v.3
LBNL
Better Worms in Practice
• Localized Scanning Code Red II v.3
• "GET • /default.ida?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX• XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXX• XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXX• XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%u9090%u6858%uc• bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
%u9090• %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff
%u0078%u0000%u00=a
Better Worms in Practice
• Multi-Vector Worms Nimda
• September 18th, 2001
• 5 different attack vectors– Client to client via email– Client to client via open network shares– Web server to client through browsing– Client to server through Directory Traversal exploits– Client to server through previous worm backdoors
Better Worms in Practice
• Multi-Vector Worms Nimda
• Email propagation– MIME message containing ‘readme.exe’ payload
• Slight binary variations to change hashes of the attachment– Variable Subject Line– Scans local hypertext files along with received MAPI for
additional email addresses to contact every 10 days
• File System propagation– Creates MIME copies of itself on local and network drives
• Can exploit Explorer preview vulnerabilities– Trojans legitimate applications on the system
Better Worms in Practice
• Multi-Vector Worms Nimda
• Web-Server Propagation– Scans servers that the user browses for vulnerabilities– Looks for Sadmind, Code Red backdoors + new exploits
– Spreads to browsing users by appending the following to all files in web-aware directories
– Also added ‘guest’ account to Administrators Group
Better Worms in Theory• Hit List Scanning
• Permutation Scanning
• Topologically Aware Worms
• Internet Scale Hit Lists
Better Worms in Theory• Hit List Scanning
• Worm needs a substantial base before the exponential spreading really takes off
• Before release, gather a list of potentially vulnerable systems
• After launch, these systems are infected much more rapidly and provide the needed base
• List can retrieved or systematically halved
Better Worms in Theory• Permutation Scanning
• Random scanning has inherent problems– Many addresses are rescanned– No way to know when infection is nearing completion
• Share a common permutation of the address space– Easy to compute at each host– Newly infected machines start scanning from some index– After N infected machines encountered, stop scanning
Better Worms in Theory• Topologically Aware Worms
• Look for Web servers in infected machines caches– High probability of being actual servers
• Look for mail in users address book– If spreading through mail servers for instance
• Email worms incorporate this tactic now
Better Worms in Theory• Flash Worms Main Idea of Paper
• Obtain hit-list of systems with relevant service open– OC-12 scan the entire Internet in 2 hours
• Include pre-knowledge of high-capacity servers
• Use a N-partitioned overlapping list infection technique
• Argument is made for 30 seconds to total domination
Better Worms in Theory• Contagion Worms
• Slower spreading to avoid countermeasures based on heuristics such as capacity fluctuations
• Talk about using P2P apps to attain high degree of host inter-connectivity for spreading in a m-way tree type style
• More stealthy idea than a fast spreading worm
Simulations• Simulated a ‘Warhol” style worm
– Combination of hit-list and permutation scanning
• Assumptions– Complete connectivity in 32-bit address space– Scan until 99.99% infection
• Parameters– Conventional - Code Red style with 10 scans/second– Fast - Code Red style with 100 scans/second– Warhol - 100 scans/s + hit-list + permutation scanning
ResultsSim
ulation
Strengths• Published relatively quickly with a reasonable
mathematical model which rather accurately captures the data
• Performed simulations that correlate with the proposed mathematical model well
• Results support hypothesis of total Internet domination …
Weaknesses• Some of the data could possibly be interpreted
in additional manners than offered
• Paper seems to have a heavy “what-if” factor
• Main call for action is made without laying out any specific plans or specifications
• Small incongruities with other recognized associations [such as C.E.R.T.]
Improvements• Authors might have proposed a specific defense
system alongside the call for action
• Could have gathered data from more locations than just LBNL and Chemical Abstracts Service Corp.
• More helpful to compare the different worms using the same analysis methods– Connections/Second vs. Distinct Remote Hosts Attacking
References• www.caida.org
• www.cert.org
• http://www.thesitewizard.com/news/coderediiworm.shtml
• How to 0wn the Internet in Your Spare Time– Staniford, Paxson, Weaver
Questions
?
top related