1 / 42

How to Own the Internet In Your Spare Time!

How to Own the Internet In Your Spare Time!. Group III Bill Barnes, Jeanann Boyce, Joe Braccia, Tonya Stephens,. Resources. http://www.cs.berkeley.edu/~nweaver/cdc.web/cdc.pdf http://www.cfz.org.uk/ web.mit.edu www.whitehouse.gov www.cert.com www.governmentsecurity.org www.infosec.net.

camdyn
Download Presentation

How to Own the Internet In Your Spare Time!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Own the Internet In Your Spare Time! Group III Bill Barnes, Jeanann Boyce, Joe Braccia, Tonya Stephens,

  2. Resources http://www.cs.berkeley.edu/~nweaver/cdc.web/cdc.pdf http://www.cfz.org.uk/ web.mit.edu www.whitehouse.gov www.cert.com www.governmentsecurity.org www.infosec.net

  3. Introduction • Denial of service DDOS attacks- control hosts on the Web to do enormous damage • Bring down: • E-commerce sites • News outlets • Command and coordination infrastructure • Routers • Root name servers • Collect sensitive information –passwords, credit card numbers, address books, archived email, • Sow confusion and chaos by distributing false information

  4. Problem • “The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords off of the network are in common use by malicious hackers. • Worms, viruses challenge the security of the Internet • Interruptions of Networks and Denial of Service • Corruption of sensitive information Excerpt from web.mit.edu

  5. Code Red – version I • Used Microsoft’s web server .ida vulnerability • Launched 99 threads of random IP addresses. Random number generator initialized on a fixed seed, so all IP addresses had the same fixed seed. • Linear spread, could be stopped with relative ease.

  6. Progression of the Infection • Binomial distribution – each server is either infected or not, until all servers are infected Inf Inf Inf Inf Inf Inf Inf Inf Inf Inf

  7. Code Red II Was not really code red

  8. Code Red II • Code Red left back doors in infected systems • Code Red II was really the residue of Code Red • It lead to the spread of another worm the Nimda Worm

  9. Code Red I version II • Spread through mailing lists discussion • Now used random number generation for IP address • DDOS payload targeting www.whitehouse.gov • Worm turned itself off as a result of an internal constraint, then turned itself back on August 1 (still continues to reappear) The arbitrary reappearance is called the Random ConstantSpread Model (RCS)

  10. Spreading of Nimda Worm • from client to client via email • from client to client via open network shares • from web server to client via browsing of compromised web sites • from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677and CA-2001-12) • from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09), and "sadmind/IIS" (CA-2001-11) worms

  11. E-mail • Arrives as an email • Has a readme.exe attachment • The text in the subject line of the mail message is variable. • There are many slight variations • The worm will attempt to resends the infected email messages every 10 days.

  12. Where does it mail itself? • The email addresses targeted are taken from two sources • The html files in the user's web cache folder • The contents of the user's email messages

  13. On a Server • The infected client transfers a copy of the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds vulnerable. T • On the server machine, the worm traverses each directory in the system and writes a MIME- copy of itself to disk with .eml or .nws extensions. • Any web content files found, are appended with JavaScript

  14. More Damage • In order to further expose the machine, the worm • enables the sharing of the c: drive as C$ • creates a "Guest" account on Windows NT and 2000 systems • adds this account to the "Administrator" group.

  15. On it Goes • Furthermore, the Nimda worm creates Trojan horse copies of legitimate applications. • These will first execute the Nimda code further infecting the system.

  16. Impact • Intruders can execute commands within the LocalSystem security context on machines. • On a client the worm will be run with the same privileges as the user who triggered it. • Hosts infected will be party to attacks on other Internet sites. The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected machines.

  17. Problem • The worm spreads with a binomial progression • The problem is getting the start • A large number of machines are protected • This slows down the worm in the initial stages

  18. Solution: BetterWorms • Hit list scanning • Permutation scanning • Topologically aware worms • Internet scale hit list

  19. Hit list scanning • The code writer develops a list of potentially vulnerable machines and starts there • Port Scans • Distributed Scans • DNS Scans • Spiders • Surveys • Listening in on newsgroups and chats

  20. Permutation scanning • Scan is random but starts at the point of the present infection on the current machine. • This provides a coordinated scan. • This keeps the infection rate high.

  21. Topologically aware worms • The virus infects a host. • Information on the host is used to develop new targets. • Non random spread to targeted systems occurs.

  22. Stealth Worm • Elegant • A host server is infected • The host checks each machine coming to the site for vulnerability • When a client is found vulnerable the worm goes to the client. • As the client surfs he spreads the worm to other servers

  23. The Dreaded Mongolian Death Worm • Attacks • spits yellow saliva that works like powerful acid • generates electrical discharges powerful enough to kill a camel • Is probably not a worm • Scientists think it is a limbless, burrowing reptile, probably a giant member of a group of reptiles known as worm lizards

  24. Last Known Site of M.D.W For the latest breaking news about the Mongolian Death Worm: http://www.cfz.org.uk/

  25. Updates and Controls • Goner mail worm [CE02] contained primitive remote control code • Code Red II contain a form of unlimited remote control • Darwin and Bigfoot • Next evolution • We haven’t seen it yet, but believe it’s out there

  26. Distributed Control • The worms have: • a list of other known, running copies of the worm • an ability to create encrypted communication channels to spread information • The worms can: • Verify the command • Share the command • Execute the command

  27. Distributed Control • The really rotten part: • any command can be initially sent to an any worm instance • it spreads to all running copies

  28. Degree of Connectivity • the average degree of nodes in the worm network is 4 when 95% infection is achieved • The average degree of nodes in the worm network is 5.5 when 99% infection is achieved. • each permutation based rescan will add 2 to the degree of every worm, • Representing the copy discovered by each instance • The copy which discovers each instance. • Multiple rescans increase the connectivity between worms without additional communication between the worm instances.

  29. Programmatic Updates • Dynamic code loading is supported by many Operating Systems • The worm author can exploit this “convenience” • The combo of flexible language and a small interpreter leads to greater worm control

  30. New Attack Models and Seeds • New security hole found • Attack created • Released on the worm network • Quick Worm Propagation

  31. Cryptographic Modules • If home grown, then it maybe so-so • If it exploits say, OpenSSL, then widespread panic and mass chaos may ensue

  32. Solution: Create a Cyber CDC “Center for Disease Control”

  33. Cyber CDC Mission • Monitor the national and worldwide progression of various forms of disease • Identify incipient threats and new outbreaks • Actively foster research for combating various diseases and other health threats.

  34. Roles of Cyber CDC • Identify outbreaks • Rapidly analyze pathogens • Fight infections • Anticipate new vectors • Proactively devise detectors for new vectors • Resist future threats

  35. Role 1 – Identify Outbreaks Identify and analyze malicious code events before a fast active worm reaches saturation. Task 1 • develop robust communication mechanisms for gathering and coordinating “field information” • Mechanisms would likely be (i) decentralized, and (ii) span multiple communication mechanisms (e.g., Internet, cellular, pager, private line). Task 2 • Sponsor research in automated mechanisms for detecting worms based on traffic patterns; • Foster the deployment of a widespread set of sensors. The set of sensors must be sufficiently diverse or secret such that an attacker cannot design their worm to avoid them – but there are policy issues concerning privacy and access control

  36. Role 2 – Rapidly analyzing pathogensOnce a worm pathogen is identified, the next step is to understand (i) how it spreads and (ii) what it does in addition to spreading. CDC Task • Procure and develop state-of-the-art program analysis tools, to assist an on-call group of experts. • Tools would need to go beyond simple disassembly – i.e. recognize variants from a library of different algorithms and components using a variety of development toolkits, and also components from previous worms, which would be archived in detail by a CDC staff librarian.

  37. Role 3 -- Fighting infectionsRetard the progress or subsequent application of the worm CDC Task • Establish mechanisms to propagate signatures describing how worms and their traffic can be detected and terminated or isolated, and deploy an accompanying body of agents that can then apply the mechanisms .

  38. Role 4 -- Anticipating new vectorsProactive -- identify incipient threats using techniques which would also apply to the numerous strains of zombies present on the Internet, as they too are a significant resource for an attacker. CDC Task • Track the use of different applications in the Internet, to detect when previously unknown ones begin to appear in widespread use via conventional traffic monitoring variables such as TCP/UDP port numbers. CDC Task • Analyze the threat potential of new applications. How widely spread might their use become? How homogeneous are the clients and servers? What are likely exploit strategies for subverting the implementations? What are the application’s native communication patterns?

  39. Role 5 -- Proactively devising detectorsDeploy analyzers that understand how the protocol functions, to have some hope of detecting contagion worms as they propagate. CDC Task • Foster the development of application analysis modules suitable for integration with the intrusion detection systems in use by the CDC’s outbreak identification elements.

  40. Role 6 -- Resisting future threats Shift the makeup of Internet applications such that they become much less amenable to abuse – e.g. this may entail broader notions of sandboxing, type safety, and inherent limitations on the rate of creating connections and the volume of traffic transmitted over them. CDC Task • Foster research into resilient application design paradigms and infrastructure modifications that (somehow) remain viable for adaptation by the commercial software industry, perhaps assisted by legislation or government policy. CDC Task • Vet applications as conforming to a certain standard of resilience to exploitation, particularly self propagating forms of exploitation.

  41. Issues for the CDC Implementation is challenging -- • Open, shared DB??? • Competes with private sector interests – McAffee et. al. • Authenticating inputs from field sources – a lengthy manual assessment which slows the collection of vital information • Presents a target for side-attacks which would cripple the analysis effort • Provides experiential information to attacker which would help them hone their attacks • Boundary -- National vs International

  42. A Pikachu Production This presentation brought to you by Pikachus every where!

More Related