“How to 0wn the Internet in Your Spare Time”

Nathanael Paul

Malware Seminar

September 7, 2004

The Internet has…
  • ~250,000,000 hosts on the Internet (January 2004) (Source: Internet Systems Consortium, Inc., http://www.isc.org/)
  • ~300,000,000 Internet users
  • ~140,000,000 USA Internet users (Source: http://www.clickz.com/stats/big_picture/geographics/article.php/3397231)
  • 1 million is:
    • ~0.7% of the USA Internet Users
    • ~0.3% of all Internet Users
Analyzing Past Attempted Takeovers
  • 1988: Morris Worm
  • July 13, 2001: Code Red I v2
  • Aug. 4, 2001: Code Red II
  • Sept. 18, 2001: Nimda
  • Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”
Morris Worm
  • Multi-vectored like Nimda
    • rsh
    • fingerd via buffer overflow that worked on VAX and caused core dump on Suns
    • sendmail
  • Morris worm infected 6,000 of 60,000 hosts (5-10%)
    • Very large percentage compared to today’s worms
Code Red I v2 (CRv1)
  • Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”)
  • “Randomly” scanned for vulnerable IPs
    • Linear spread, since random number generator seed was fixed
  • In early stages, infection rate was about 1.8 other servers infected per hour
  • Hosts with inaccurate clocks kept it alive past July 19
Proportion of vulnerable servers compromised
  • Random Constant Spread model
    • N: total number of vulnerable hosts
    • T: constant of integration that fixes the time origin (t is measured relative to it)
    • K: compromise rate (new victims found per infected host per unit time)
    • a(t): proportion of vulnerable machines compromised at time t
  • $a(t) = \dfrac{e^{K(t-T)}}{1 + e^{K(t-T)}}$
    • Does not depend on N
Code Red II
  • Used same IIS vulnerability as CRv1 but installed root backdoor instead
  • Fixed random IP generator
  • Scan:
    • Class B address space 3/8 probability
    • Class A address space 1/2 probability
    • Whole Internet address space 1/8 probability
  • Utilize Topology
    • Emphasize localized spread
Nimda
  • Multi-vectored worm (compare the Morris worm)
    • IIS vulnerability
    • Email (Firewall evasion!)
    • Network shares
    • Infect webpages
    • Scan for Code Red and Sadmind backdoors
  • Went from almost no probing to 100 probes/sec within half an hour
How to Spread Faster
  • The Warhol worm
    • capable of infecting machines in a matter of minutes…
  • Hit-list scanning
    • Faster startup
  • Permutation Scanning
    • Limit redundant scans
  • Topologically Aware worms
Hit-lists
  • Brute-force
  • Use your favorite search engine
  • DNS search
  • Distributed scanning using zombies
  • Stealth scan (takes longer but pretty much undetectable)
Permutation Scanning
  • Eliminate redundant scanning by partitioning searches
  • Start scanning from your point in permutation
    • If machine in sequence is infected, randomly choose new point to scan and increment counter
    • Else infect computer and then scan
  • Stop scanning when counter == SCAN_LIMIT
Topological Scanning
  • Use email addresses
    • MyDoom used Google, Yahoo, Altavista, and Lycos
  • Internet cache for URLs
  • P2P peers
  • Ping results
  • Conventional
    • 10 scans/sec
  • Fast Scanning
    • 100 scans/sec
  • Warhol
    • 100 scans/sec
    • 10,000 entry hit-list
    • Permutation scanning
    • Gives up when count = 2

From How To 0wn the Internet In Your Spare Time pdf slides

More on Warhol worm

From How To 0wn the Internet In Your Spare Time pdf slides

Sapphire Worm, January 25, 2003

http://www.caida.org/analysis/security/sapphire/

Sapphire Worm, January 25, 2003

From 0 infected hosts to 74855 in 30 minutes

http://www.caida.org/analysis/security/sapphire/

Sapphire Worm
  • Fastest spreading worm in history
    • Doubled in size every 8.5 seconds
    • Code Red’s population doubled every 37 minutes
    • Over 90% of vulnerable machines compromised in ~10 minutes
  • Targeted Microsoft’s SQL Server through a buffer overflow (a patch had already been released)
  • Sent UDP packets (376 bytes) to port 1434, so easy to filter
  • Reached over 55 million scans/sec in under 3 minutes

http://www.cs.berkeley.edu/~nweaver/sapphire/

Witty Worm, March 19, 2004
  • Used hit-list or timed release of worm
  • Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE)
  • Infected 12,000 computers and wrote to random points on disk
  • Spread one day after vulnerability was announced

http://www.caida.org/analysis/security/witty/

Witty v. Sapphire
  • Witty
    • At peak, flooded Internet with over 90 Gbits/sec
    • Infected host, then sent 20,000 packets between 796 and 1307 bytes
  • Sapphire
    • With a 100 Mb/s link, one Sapphire copy could send 30,000+ scans/sec
    • From one copy of worm, using 404-byte UDP packets, 30000 * 404 = 12120000 bytes

http://www.caida.org/analysis/security/witty/
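The growth model from the “Proportion of vulnerable servers compromised” slide, the scan-rate comparison slide (Conventional / Fast Scanning / Warhol) and the link-bandwidth arithmetic from the Witty v. Sapphire slide, worked through together as an added Python example (not code from the slides or the paper). It assumes uniformly random scanning over the whole IPv4 space and a constructed vulnerable population of 300,000 hosts; permutation scanning and the “gives up when count = 2” rule are not modelled.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4; a random probe hits a vulnerable host with probability N / 2^32

def scans_per_sec_from_link(link_mbit_per_sec: float, packet_bytes: int) -> float:
    """Upper bound on scan rate for a single-packet UDP worm on one link (slide: 100 Mb/s, 404 B)."""
    return link_mbit_per_sec * 1e6 / (packet_bytes * 8)

def compromise_rate(scans_per_sec: float, n_vulnerable: int) -> float:
    """K in the RCS model: new victims found per infected host per second.
    Assumption: uniformly random scanning of the whole IPv4 space (no hit-list, no permutation)."""
    return scans_per_sec * n_vulnerable / ADDRESS_SPACE

def time_offset(initial_fraction: float, k: float) -> float:
    """T: the integration constant that fixes the time origin so that a(0) = initial_fraction."""
    return -math.log(initial_fraction / (1 - initial_fraction)) / k

def fraction_compromised(t: float, k: float, T: float) -> float:
    """Closed form a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}); N never appears, as the slide notes."""
    x = math.exp(k * (t - T))
    return x / (1 + x)

def time_to_fraction(target: float, k: float, T: float) -> float:
    """Invert a(t): the time at which the compromised proportion reaches `target`."""
    return T + math.log(target / (1 - target)) / k

def doubling_time(k: float) -> float:
    """Early on a(t) ~ e^{K(t-T)}, so the infected population doubles every ln2/K seconds."""
    return math.log(2) / k

def seconds_to_saturation(scans_per_sec: float, n_vulnerable: int, hit_list: int = 1, target: float = 0.9) -> float:
    """Time for a worm seeded with `hit_list` already-infected hosts to reach `target` of N."""
    k = compromise_rate(scans_per_sec, n_vulnerable)
    return time_to_fraction(target, k, time_offset(hit_list / n_vulnerable, k))

# Constructed vulnerable population (not a figure from the slides); scenarios from the comparison slide.
N = 300_000
SCENARIOS = {"conventional": (10, 1), "fast": (100, 1), "warhol": (100, 10_000)}

if __name__ == "__main__":
    for name, (rate, hit_list) in SCENARIOS.items():
        k = compromise_rate(rate, N)
        print(f"{name:12s} doubles every {doubling_time(k):6.0f} s, "
              f"90% of {N} hosts after {seconds_to_saturation(rate, N, hit_list) / 60:6.1f} min")
    print(f"100 Mb/s link, 404-byte packets: at most {scans_per_sec_from_link(100, 404):.0f} scans/s")
```

The output shows what the hit-list buys: the 10,000-entry seed removes most of the slow early exponential phase, which is exactly the window in which a defender can still notice and react to the outbreak.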

Flash worms
  • Capable of infecting most vulnerable servers in < 30 seconds…
  • Need a high bandwidth link
    • 9 million servers were 13 Mb compressed
    • Initial copies of the worm have hit-lists
    • Hit-lists could be divided up into chunks and distributed on known high bandwidth servers
Contagion or Stealth worms
  • Stealthily propagate a worm
    • Web server to clients
    • P2P clients
      • Identical software, anonymity, large files, many clients, less monitoring, less diversity
      • My estimate: Sometimes 1 in 20 hits on software searches result in detected virus on Kazaa
    • Very difficult to detect since traffic pattern change is so small
      • Use those md5 sums!
KaZaa
  • Fizzer, Lolol, K0wbot, Win32.Mydoom.A
    • Use IRC channels for remote control
    • Download office_crack or rootkitXP for Win32.Mydoom.A
  • Authors recorded 9 million distinct IP addresses connecting to monitored university hosts (5,800 distinct university hosts)
  • Brilliant Digital
    • Trojan bundled in Kazaa
    • http://www.cs.berkeley.edu/~nweaver/0wn2.html
Updating Worms
  • Distributed Control
    • Each worm could have a subset of infected hosts
    • Each command can be signed and then sent to other copies of worm
    • Received commands can be verified and then forwarded
  • Programmable Updates
    • Possible with crypto modules correctly implemented?
    • Most viruses/worms not well-written
What have we learned since 1988?
  • New legal awareness
    • 1995, Pile sentenced to 18 months for SMEG virus (British)
    • Smith sentenced to 20 months and $5000 fine for releasing Melissa virus (USA)
    • Simon Vallor sentenced to 2 years (Wales)
    • The teenager who wrote MSBlast.B will most likely be sentenced to 18 to 37 months (USA)
  • Has it worked?
Lots of things to work on
  • Buffer Overflows still prevalent
  • Passwords still poorly chosen
  • People with a lot less skill than Robert Morris have done much more damage
  • Misconfigured policies
  • Complexity is anathema to security
    • Morris used a sendmail vulnerability
  • People don’t keep up with patches (even on servers)
    • Security Holes … Who Cares?

[USENIX security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]

Government Role
  • “Cyber-Center for Disease Control” (CDC)
    • Homeland security?
  • Cyber CDC responsible for:
    • Identifying outbreaks
    • Rapidly analyzing pathogens
      • How open should results be?
    • Fighting infections
    • Anticipating new vectors.
    • Proactively devising detectors for new vectors
    • Resisting future threats
Observations
  • Infection from a new exploit (0-day) can happen fast! (or even an old exploit)
  • A well-written virus/worm without any “large” errors could do really bad damage
  • Some potential “solutions”…
    • Distributed Firewalls
    • Honeypots
    • Can diversity help?
      • IIS exploits in Code Red, IRC channels used for remote control