1 / 32

“How to 0wn the Internet in Your Spare Time”

“How to 0wn the Internet in Your Spare Time” Nathanael Paul Malware Seminar September 7, 2004 The Internet has… ~250,000,000 hosts on Internet (January 2004) (Source: Internet Systems Consortium, Inc. (http://www.isc.org/) ~300,000,000 Internet Users

Download Presentation

“How to 0wn the Internet in Your Spare Time”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. “How to 0wn the Internet in Your Spare Time” Nathanael Paul Malware Seminar September 7, 2004

  2. The Internet has… • ~250,000,000 hosts on Internet (January 2004) (Source: Internet Systems Consortium, Inc. (http://www.isc.org/) • ~300,000,000 Internet Users • ~140,000,000 USA Internet Users http://www.clickz.com/stats/big_picture/geographics/article.php/3397231 • 1 million is: • ~0.7% of the USA Internet Users • ~0.3% of all Internet Users

  3. Analyzing Past Attempted Takeovers • 1988: Morris Worm • July 13, 2001: Code Red I v2 • Aug. 4, 2001: Code Red II • Sept. 18, 2001: Nimda • Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”

  4. Morris Worm • Multi-vectored like Nimda • rsh • fingerd via buffer overflow that worked on VAX and caused core dump on Suns • sendmail • Morris worm infected 6,000 of 60,000 hosts (5-10%) • Very large percentage compared to today’s worms

  5. Code Red I v2 (CRv1) • Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”) • “Randomly” scanned for vulnerable IPs • Linear spread, since random number generator seed was fixed • In early stages, infection rate was about 1.8 other servers infected per hour • Hosts with inaccurate clocks kept it alive past July 19

  6. Proportion of vulnerable servers compromised • Random Constant Model • N: total number of vulnerable hosts • T: t is relative to this constant • K: compromise rate • a(t) = at time t, the proportion of compromised vulnerable machines • a(t) = eK(t-T)/1+eK(t-T) • Does not depend on N

  7. From How To 0wn the Internet In Your Spare Time pdf slides

  8. Code Red II • Used same IIS vulnerability as CRv1 but installed root backdoor instead • Fixed random IP generator • Scan: • Class B address space 3/8 probability • Class A address space 1/2 probability • Whole Internet address space 1/8 probability • Utilize Topology • Emphasize localized spread

  9. Nimda • Multi-vectored worm [relate back to morris worm] • IIS vulnerability • Email (Firewall evasion!) • Network shares • Infect webpages • Scan for Code Red and Sadmind backdoors • Almost no probing to 100 probes/sec in ½ hour

  10. From How To 0wn the Internet In Your Spare Time pdf slides

  11. From How To 0wn the Internet In Your Spare Time pdf slides

  12. How to Spread Faster • The Warhol worm • capable of infecting machines in a matter of minutes… • Hit-list scanning • Faster startup • Permutation Scanning • Limit redundant scans • Topologically Aware worms

  13. Hit-lists • Brute-force • Use your favorite search engine • DNS search • Distributed scanning using zombies • Stealth scan (takes longer but pretty much undetectable)

  14. Permutation Scanning • Eliminate redundant scanning by partitioning searches • Start scanning from your point in permutation • If machine in sequence is infected, randomly choose new point to scan and increment counter • Else infect computer and then scan • Stop scanning when counter == SCAN_LIMIT

  15. Topological Scanning • Use email addresses • MyDoom used Google, Yahoo, Altavista, and Lycos • Internet cache for URLs • P2P peers • Ping results

  16. Conventional • 10 scans/sec • Fast Scanning • 100 scans/sec • Warhol • 100 scans/sec • 10,000 entry hit-list • Permutation scanning • Gives up when count = 2 From How To 0wn the Internet In Your Spare Time pdf slides

  17. More on Warhol worm From How To 0wn the Internet In Your Spare Time pdf slides

  18. Sapphire WormJanuary 25, 2003 http://www.caida.org/analysis/security/sapphire/

  19. Sapphire WormJanuary 25, 2003 From 0 infected hosts to 74855 in 30 minutes http://www.caida.org/analysis/security/sapphire/

  20. Sapphire Worm • Fastest spreading worm in history • Doubled in size every 8.5 seconds • Code Red’s population doubled every 37 minutes • Over 90% of vulnerable machines compromised in ~10 minutes • Targeted Microsoft’s SQLServer through buffer overflow (patch had been released) • Sent UDP packets (376 bytes) to port 1434, so easy to filter • Reached over 55 million scans/sec in under 3 minutes http://www.cs.berkeley.edu/~nweaver/sapphire/

  21. Witty WormMarch 19, 2004 • Used hit-list or timed release of worm • Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE) • Infected 12,000 computers and wrote to random points on disk • Spread one day after vulnerability was announced http://www.caida.org/analysis/security/witty/

  22. Witty v. Sapphire • Witty • At peak, flooded Internet with over 90 Gbits/sec • Infected host, then sent 20,000 packets between 796 and 1307 bytes • Sapphire • With 100 Mb/s link, 30,000+/sec scans with Sapphire • From one copy of worm, using 404-byte UDP packets, 30000 * 404 = 12120000 bytes http://www.caida.org/analysis/security/witty/

  23. Flash worms • Capable of infecting most vulnerable servers in < 30 seconds… • Need a high bandwidth link • 9 million servers were 13 Mb compressed • Initial copies of the worm have hit-lists • Hit-lists could be divided up into chunks and distributed on known high bandwidth servers

  24. Contagion or Stealth worms • Stealthily propogate a worm • Web server to clients • P2P clients • Identical software, anonymity, large files, many clients, less monitoring, less diversity • My estimate: Sometimes 1 in 20 hits on software searches result in detected virus on Kazaa • Very difficult to detect since traffic pattern change is so small • Use those md5 sums!

  25. KaZaa • Fizzer, Lolol, K0wbot, Win32.Mydoom.A • Use IRC channels for remote control • Download office_crack or rootkitXP for Win32.Mydoom.A • Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university host) • Brilliant Digital • Trojan bundled in Kazaa • http://www.cs.berkeley.edu/~nweaver/0wn2.html

  26. Updating Worms • Distributed Control • Each worm could have a subset of infected hosts • Each command can be signed and then sent to other copies of worm • Received commands can be verified and then forwarded • Programmable Updates • Possible with crypto modules correctly implemented? • Most viruses/worms not well-written

  27. What have we learned since 1988? • New legal awareness • 1995, Pile sentenced to 18 months for SMEG virus (British) • Smith sentenced to 20 months and $5000 fine for releasing Melissa virus (USA) • Simon Vallor sentenced to 2 years (Wales) • Teenager who wrote MSBlast.B most likely will be sentenced to 18 to 37 months (USA) • Has it worked?

  28. Lots of things to work on • Buffer Overflows still prevalent • Passwords still poorly chosen • People with a lot less skill than Robert Morris have done much more damage • Misconfigured policies • Complexity is anathema to security • Morris used a sendmail vulnerability • People don’t keep up with patches (even on servers) • Security Holes … Who Cares? [USENIX security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]

  29. Government Role • “Cyber-Center for Disease Control" (CDC) • Homeland security? • Cyber CDC responsible for: • Identifying outbreaks • Rapidly analyzing pathogens • How open should results be? • Fighting infections • Anticipating new vectors. • Proactively devising detectors for new vectors • Resisting future threats

  30. Observations • Infection from a new exploit (0-day) can happen fast! (or even an old exploit) • A well-written virus/worm without any “large” errors could do really bad damage • Some potential “solutions”… • Distributed Firewalls • Honeypots • Can diversity help? • IIS exploits in Code Red, IRC channels used for remote control

More Related