“How to 0wn the Internet in Your Spare Time”
Nathanael Paul, Malware Seminar, September 7, 2004
Post on 29-Dec-2015
The Internet has…
• ~250,000,000 hosts on the Internet (January 2004) (Source: Internet Systems Consortium, Inc., http://www.isc.org/)
• ~300,000,000 Internet users
• ~140,000,000 USA Internet users (http://www.clickz.com/stats/big_picture/geographics/article.php/3397231)
• 1 million is:
– ~0.7% of the USA Internet users
– ~0.3% of all Internet users
Analyzing Past Attempted Takeovers
• 1988: Morris Worm
• July 13, 2001: Code Red I v2
• Aug. 4, 2001: Code Red II
• Sept. 18, 2001: Nimda
• Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”
Morris Worm
• Multi-vectored like Nimda
– rsh
– fingerd via a buffer overflow that worked on VAX and caused a core dump on Suns
– sendmail
• Morris worm infected 6,000 of 60,000 hosts (5-10%)
– Very large percentage compared to today’s worms
Code Red I v2 (CRv1)
• Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”)
• “Randomly” scanned for vulnerable IPs
– Linear spread, since the random number generator seed was fixed
• In early stages, infection rate was about 1.8 other servers infected per hour
• Hosts with inaccurate clocks kept it alive past July 19
Proportion of vulnerable servers compromised
• Random Constant Model
– N: total number of vulnerable hosts
– T: a constant that fixes the time origin (t is measured relative to it)
– K: compromise rate
– a(t): proportion of vulnerable machines compromised at time t
• a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})
– Does not depend on N
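The Random Constant model above can be turned around to answer the defender's question: given an observed doubling time, how long is the window between a worm becoming noticeable and the vulnerable population being saturated? This is an added example written for this page, not code from the slides or the paper; the only assumption beyond the slides is the standard early-phase relation K = ln 2 / doubling time.

```python
import math

def rcs_fraction(t, K, T=0.0):
    """Random Constant model from the slides: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    Fraction of vulnerable hosts compromised at time t; independent of N."""
    x = K * (t - T)
    # Numerically stable form of the logistic: avoid exp() overflow for large |x|.
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    ex = math.exp(x)
    return ex / (1.0 + ex)

def rate_from_doubling_time(doubling_seconds):
    """Early in the outbreak a(t) grows like e^{Kt}, so the population doubles
    every ln(2)/K seconds (assumption: this is how K is recovered from the
    doubling times quoted on the slides)."""
    return math.log(2) / doubling_seconds

def time_to_fraction(frac, K, T=0.0):
    """Invert a(t) = frac:  t = T + ln(frac / (1 - frac)) / K."""
    return T + math.log(frac / (1.0 - frac)) / K

def response_window(doubling_seconds, noticed_frac=0.01, saturated_frac=0.9):
    """Seconds between the worm compromising `noticed_frac` of the vulnerable
    population (when monitoring might first see it) and `saturated_frac`.
    The difference cancels T, so no assumption about the outbreak start is needed."""
    K = rate_from_doubling_time(doubling_seconds)
    return time_to_fraction(saturated_frac, K) - time_to_fraction(noticed_frac, K)

if __name__ == "__main__":
    # Doubling times quoted on the slides: Code Red ~37 min, Sapphire ~8.5 s.
    for name, doubling in (("Code Red", 37 * 60), ("Sapphire", 8.5)):
        K = rate_from_doubling_time(doubling)
        window = response_window(doubling)
        print(f"{name:9s} K = {K:.3e}/s   1% -> 90% window = {window / 60:.1f} min")
```

The model assumes scanning is never bandwidth-limited, so it gives the shortest possible window (about six hours for Code Red, under a minute and a half for Sapphire); Sapphire's observed ~10 minutes to 90% is longer because its scans saturated the links it used.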
Code Red II
• Used same IIS vulnerability as CRv1 but installed root backdoor instead
• Fixed random IP generator
• Scan:
– Class B address space with 3/8 probability
– Class A address space with 1/2 probability
– Whole Internet address space with 1/8 probability
• Utilize topology
– Emphasize localized spread
Nimda
• Multi-vectored worm [relate back to Morris worm]
– IIS vulnerability
– Email (firewall evasion!)
– Network shares
– Infect web pages
– Scan for Code Red and Sadmind backdoors
• Almost no probing to 100 probes/sec in ½ hour
How to Spread Faster
• The Warhol worm
– capable of infecting machines in a matter of minutes…
• Hit-list scanning
– Faster startup
• Permutation scanning
– Limit redundant scans
• Topologically aware worms
Hit-lists
• Brute-force
• Use your favorite search engine
• DNS search
• Distributed scanning using zombies
• Stealth scan (takes longer but pretty much undetectable)
Permutation Scanning
• Eliminate redundant scanning by partitioning searches
• Start scanning from your point in the permutation
– If the machine in sequence is already infected, randomly choose a new point to scan and increment the counter
– Else infect the computer and then scan
• Stop scanning when counter == SCAN_LIMIT
Topological Scanning
• Use email addresses
– MyDoom used Google, Yahoo, Altavista, and Lycos
• Internet cache for URLs
• P2P peers
• Ping results
• Conventional
– 10 scans/sec
• Fast scanning
– 100 scans/sec
• Warhol
– 100 scans/sec
– 10,000-entry hit-list
– Permutation scanning
– Gives up when count = 2
From How To 0wn the Internet In Your Spare Time pdf slides
Sapphire Worm (January 25, 2003)
http://www.caida.org/analysis/security/sapphire/
From 0 infected hosts to 74,855 in 30 minutes
Sapphire Worm
http://www.cs.berkeley.edu/~nweaver/sapphire/
• Fastest spreading worm in history
– Doubled in size every 8.5 seconds
– Code Red’s population doubled every 37 minutes
– Over 90% of vulnerable machines compromised in ~10 minutes
• Targeted Microsoft’s SQLServer through buffer overflow (patch had been released)
• Sent UDP packets (376 bytes) to port 1434, so easy to filter
• Reached over 55 million scans/sec in under 3 minutes
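The slides note that Sapphire was easy to filter because every scan was a fixed-size UDP datagram to port 1434 (376 bytes of payload, 404 bytes on the wire with IP and UDP headers). The following detector is an added example, not from the slides or CAIDA; it runs over constructed flow-style records and flags any source that sprays that exact payload size at many distinct destinations within a single second, which legitimate SQL Server Resolution clients never do.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed flow-style records (not a real capture):
    '<epoch-second> <src-ip> <dst-ip> <proto> <dst-port> <udp-payload-bytes>'."""
    lines = []
    # An infected host spraying the 376-byte payload at 40 distinct addresses in one second.
    for i in range(40):
        lines.append(f"1043477100 10.0.0.5 203.0.113.{i + 1} UDP 1434 376")
    # Legitimate SQL Server Resolution queries: tiny, to one known server, a couple per second.
    lines.append("1043477100 10.0.0.9 10.0.0.20 UDP 1434 1")
    lines.append("1043477101 10.0.0.9 10.0.0.20 UDP 1434 1")
    # Unrelated DNS traffic that must not match.
    lines.append("1043477100 10.0.0.9 10.0.0.53 UDP 53 45")
    return lines

def sapphire_suspects(lines, min_pkts=20, min_dsts=10, payload_len=376):
    """Flag sources that, within any single second, sent >= min_pkts UDP datagrams
    carrying exactly the Sapphire payload length to port 1434 across >= min_dsts
    distinct destinations. Returns {src_ip: peak packets in one second}."""
    per_sec = defaultdict(lambda: [0, set()])  # (src, second) -> [count, destinations]
    for line in lines:
        ts, src, dst, proto, dport, size = line.split()
        if proto != "UDP" or dport != "1434" or int(size) != payload_len:
            continue
        entry = per_sec[(src, ts)]
        entry[0] += 1
        entry[1].add(dst)
    suspects = {}
    for (src, _ts), (count, dsts) in per_sec.items():
        if count >= min_pkts and len(dsts) >= min_dsts:
            suspects[src] = max(suspects.get(src, 0), count)
    return suspects

if __name__ == "__main__":
    for src, rate in sapphire_suspects(build_sample_log()).items():
        print(f"{src}: {rate} x 376-byte UDP/1434 datagrams in one second")
```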
Witty Worm (March 19, 2004)
• Used a hit-list or timed release of the worm
• Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE)
• Infected 12,000 computers and wrote to random points on disk
• Spread one day after vulnerability was announced
http://www.caida.org/analysis/security/witty/
Witty v. Sapphire
• Witty
– At peak, flooded the Internet with over 90 Gbits/sec
– Infected a host, then sent 20,000 packets between 796 and 1307 bytes
• Sapphire
– With a 100 Mb/s link, 30,000+ scans/sec
– From one copy of the worm, using 404-byte UDP packets, 30000 * 404 = 12,120,000 bytes per second (about 97 Mb/s, so a single copy saturates the link)
http://www.caida.org/analysis/security/witty/
Flash worms
• Capable of infecting most vulnerable servers in < 30 seconds…
• Need a high bandwidth link
– 9 million servers were 13 Mb compressed
– Initial copies of the worm have hit-lists
– Hit-lists could be divided up into chunks and distributed on known high-bandwidth servers
Contagion or Stealth worms
• Stealthily propagate a worm
– Web server to clients
– P2P clients
• Identical software, anonymity, large files, many clients, less monitoring, less diversity
• My estimate: sometimes 1 in 20 hits on software searches results in a detected virus on Kazaa
– Very difficult to detect since the change in traffic pattern is so small
• Use those md5 sums!
KaZaa
• Fizzer, Lolol, K0wbot, Win32.Mydoom.A
– Use IRC channels for remote control
– Download office_crack or rootkitXP for Win32.Mydoom.A
• Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university hosts)
• Brilliant Digital
– Trojan bundled in Kazaa
– http://www.cs.berkeley.edu/~nweaver/0wn2.html
Updating Worms
• Distributed control
– Each worm could have a subset of infected hosts
– Each command can be signed and then sent to other copies of the worm
– Received commands can be verified and then forwarded
• Programmable updates
– Possible with crypto modules correctly implemented?
– Most viruses/worms are not well written
What have we learned since 1988?
• New legal awareness
– 1995: Pile sentenced to 18 months for the SMEG virus (British)
– Smith sentenced to 20 months and a $5000 fine for releasing the Melissa virus (USA)
– Simon Vallor sentenced to 2 years (Wales)
– Teenager who wrote MSBlast.B most likely will be sentenced to 18 to 37 months (USA)
• Has it worked?
Lots of things to work on
• Buffer overflows still prevalent
• Passwords still poorly chosen
• People with a lot less skill than Robert Morris have done much more damage
• Misconfigured policies
• Complexity is anathema to security
– Morris used a sendmail vulnerability
• People don’t keep up with patches (even on servers)
– “Security Holes … Who Cares?” [USENIX Security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]
Government Role
• “Cyber-Center for Disease Control” (CDC)
– Homeland Security?
• Cyber CDC responsible for:
– Identifying outbreaks
– Rapidly analyzing pathogens
  • How open should results be?
– Fighting infections
– Anticipating new vectors
– Proactively devising detectors for new vectors
– Resisting future threats
Observations
• Infection from a new exploit (0-day) can happen fast! (or even an old exploit)
• A well-written virus/worm without any “large” errors could do really bad damage
• Some potential “solutions”…– Distributed Firewalls– Honeypots– Can diversity help?
• IIS exploits in Code Red, IRC channels used for remote control