How to 0wn the Internet in your spare time - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
How to 0wn the Internet in your spare time: A worst-case worm
  • Stuart Staniford, Vern Paxson, Nicholas Weaver
  • Presented by Jesus Morales

2
Overview
  • How to 0wn the Internet in your spare time
  • Worms
  • Analytical Spread Model
  • Worm improvement
  • Cyber CDC
  • A worst-case worm
  • Linear cost model
  • The attack
  • Damage estimations

3
How to 0wn the Internet in your spare time
  • The problem: an attacker controlling high numbers
    of hosts on the Internet could cause much damage
  • DDoS attacks: shut down much of the Internet
  • Access/disperse sensitive information
  • Corrupt information
  • The way: worms

4
Worms
  • Worms, formally known as Automated Intrusion
    Agents, are software components that are capable,
    using their own means, of infecting a computer
    system and using it in an automated fashion to
    infect another system.

A virus, by contrast, can't spread/infect on its
own.
5
Code Red I (July 2001)
  • Began July 12, 2001
  • Exploited Microsoft IIS web servers (buffer
    overflow)
  • Named Code Red because:
  • the folks at eEye Security worked through the
    night to identify and analyze this worm, drinking
    Code Red (Mountain Dew) to stay up
  • the worm defaced some websites with the phrase
    "Hacked by Chinese"
  • Launched 99 threads on each infected host, which all
    generated random IP addresses and tried to
    compromise them.
  • Version 1 did not infect too many hosts due to
    the use of a static seed in the random number
    generator (every copy scanned the same sequence of
    addresses). Version 2 came out on July 19th with
    this bug fixed and spread rapidly.
  • The worm's behavior each month:
  • 1st to 19th --- spread by infection
  • 20th to 28th --- launch DoS on
    www.whitehouse.gov
  • 28th till end-of-month --- rest
  • Infected 359,000 hosts in under 14 hours.

6
Code Red: Analytical model
  • Simplifying assumptions:
  • No patching
  • No firewalls
  • No churn
  • Infection rate is proportional to the product of:
  • hosts already infected
  • hosts not infected, but susceptible
  • Result: logistic equation
  • Well known for epidemics in finite systems
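The logistic model this slide names, worked through as an added example (not code from the presentation or the paper it summarizes): with a(t) the infected fraction of vulnerable hosts and K the per-hour contact rate, the no-patching, no-firewall, no-churn assumptions give da/dt = K·a·(1−a). The K, N and hit-list values used in the test are constructed, and the hit-list comparison reaches ahead to the Warhol-worm slide.

```python
"""Logistic worm-spread model: da/dt = K * a * (1 - a).

a(t): fraction of vulnerable hosts infected after t hours
K:    contact rate, new hosts one infected host compromises per hour
      while nearly everything is still uninfected (constructed value)
"""
import math


def logistic_fraction(t_hours: float, k: float, a0: float) -> float:
    """Closed-form solution of the ODE with a(0) = a0."""
    growth = math.exp(k * t_hours)
    return a0 * growth / (1.0 - a0 + a0 * growth)


def hours_to_fraction(target: float, k: float, a0: float) -> float:
    """Inverse: hours until the infected fraction first reaches target."""
    # Solve a0*e^{Kt} / (1 - a0 + a0*e^{Kt}) = target for t.
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / k


def simulate(k: float, a0: float, hours: float, dt: float = 0.001) -> float:
    """Euler integration of the same ODE; cross-checks the closed form."""
    a = a0
    for _ in range(int(round(hours / dt))):
        a += dt * k * a * (1.0 - a)
    return a


def response_time_lost(k: float, n_vulnerable: int, hit_list: int,
                       target: float = 0.9) -> float:
    """Hours of reaction time a defender (e.g. the Cyber-CDC the talk
    proposes) loses when the outbreak starts from `hit_list` seeded hosts
    instead of a single host, before `target` of the population is hit."""
    from_one_host = hours_to_fraction(target, k, 1.0 / n_vulnerable)
    from_hit_list = hours_to_fraction(target, k, hit_list / n_vulnerable)
    return from_one_host - from_hit_list


if __name__ == "__main__":
    k, n = 1.8, 360_000          # constructed: ~Code-Red-sized population
    t90 = hours_to_fraction(0.9, k, 1.0 / n)
    print(f"90% infected after {t90:.1f} h from one seed host")
    print(f"10,000-entry hit list cuts that by "
          f"{response_time_lost(k, n, 10_000):.1f} h")
```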

7
Code Red I: initial and reemergence outbreaks
8
Improvements: Localized scanning (Network Security II)
  • Observation: density of vulnerable hosts in IP
    address space is not uniform
  • Idea: bias scanning towards the local network
  • Used in Code Red II
  • P = 0.50: choose address from local class-A network
    (/8)
  • P = 0.38: choose address from local class-B network
    (/16)
  • P = 0.12: choose random address
  • Allows worm to spread more quickly

9
Code Red II (August 2001)
  • Began August 4th, 2001
  • Exploited Microsoft IIS web servers (buffer
    overflow)
  • Named Code Red II because:
  • It contained a comment stating so. However, the
    codebase was new.
  • Infected IIS on Windows 2000 successfully,
    but caused a system crash on Windows NT.
  • Installed a root backdoor on the infected
    machine.

10
Improvements: Multi-vector
  • Idea: use multiple propagation methods
    simultaneously
  • Example: Nimda
  • IIS vulnerability
  • Bulk e-mails
  • Open network shares
  • Defaced web pages
  • Code Red II backdoor

11
Improvements: Hit-list scanning
  • Problem: spread is slow during the initial phase
  • Idea: collect a list of promising targets before
    the worm is released
  • Low-profile 'stealthy' scan
  • Distributed scan
  • Spider/crawler
  • Surveys or databases
  • Attacks from other worms
  • Low overhead, since list shrinks quickly

12
Improvements: Permutation scanning
  • Problem: many addresses are scanned multiple
    times
  • Idea: generate a random permutation of all IP
    addresses, scan in order
  • Hit-list hosts start at their own position in the
    permutation
  • When an infected host is found, restart at a
    random point
  • Can be combined with divide-and-conquer approach

13
Warhol worms
  • A worm using both hit-list and permutation scanning
    could infect most vulnerable targets in <1 hour
  • Simulation: compare
  • 10 scans/second (Code Red)
  • 100 scans/second
  • 100 scans/second plus 10,000-entry hit list
    (Warhol worm)
  • First Warhol worm 'in the wild': SQL Slammer

"In the future, everyone will have 15 minutes of
fame"
-- Andy Warhol
14
Flash worms
  • A flash worm would start with a hit list that
    contains most/all vulnerable hosts
  • Realistic scenario:
  • Complete scan takes 2 h with an OC-12
  • Internet warfare?
  • Problem: size of the hit list
  • 9 million hosts → 36 MB
  • Compression works: 7.5 MB
  • Can be sent over a 256 kbps DSL link in 3 seconds
  • Extremely fast
  • Full infection in tens of seconds!

15
Surreptitious worms
  • Idea: hide worms in inconspicuous traffic to
    avoid detection
  • Leverage P2P systems?
  • High node degree
  • Lots of traffic to hide in
  • Proprietary protocols
  • Homogeneous software
  • Immense size (30,000,000 Kazaa downloads!)

16
Conclusion: A Cyber-CDC?
  • Paper advocates creation of a CDC equivalent for
    computer worms and viruses
  • Responsibilities of the CDC:
  • Deploy sensors to detect outbreaks quickly
  • Rapidly analyze new pathogens
  • Propagate signatures to isolate the worm/virus
  • Do research in the field
  • CDC should be collaborative, but not all
    information should be available to the public
    → "Partially open" approach

17
Worst-case worm
  • Question: how much economic damage to the US in a
    worst-case worm attack?
  • Estimates based on:
  • Worst-case worm
  • Linear damage model
  • Lost productivity
  • Repair time
  • Lost data
  • Damage to systems
  • Assumption: Murphy's Law

18
Cost model
  • Dtotal: total cost of damage
  • Ninf: number of systems infected
  • Dsystem: damage per system
  • Ppenetration: fraction of systems infected
  • Nvulnerable: potential infectees
  • Drec: cost of system recovery
  • Ttime: total downtime (hr)
  • Dtime: cost of downtime per hour
  • Pdata: probability of unrecoverable data loss
  • Ddata: cost of data loss
  • Pbios: probability of system loss due to
    hardware damage
  • Dbios: replacement value of the computer

19
Cost model (cont.)
  • Dtotal = Ninf × Dsystem
  • Ninf = Ppenetration × Nvulnerable
  • Dsystem = Drec + Ttime × Dtime
    + Pdata × Ddata + Pbios × Dbios

20
The attack: target
  • Target:
  • Windows SMB/CIFS file sharing server
  • Part of all distributions since Windows 98
  • Desktop file sharing, printer sharing,
    centralized Windows file servers.
  • Is on by default
  • Assumption: the attacker knows a zero-day
    exploit for SMB/CIFS

21
The attack: propagation
  • Internet spread:
  • Slammer infected tens of thousands of servers in
    less than 10 minutes.
  • Flash worms spread in <1 minute
  • Spread through gateways:
  • Slow phase: mail and web vectors require some
    level of human action within an organization
  • Conservative upper bound: 1 day. Probably much
    faster.
  • Intranet spread:
  • Nearly instantaneous
  • Fast LANs: infection of a new victim in <1 second.
  • Can use hit-list to spread even faster

22
Damage
  • Estimations:
  • Penetration (Ppenetration): 0.60 of all vulnerable
    machines
  • Number of vulnerable machines (Nvulnerable): 85
    million
  • Consider only business and government (2001)
  • Not considering home computers
  • Recovery (Drec): $20 per system
  • Downtime:
  • Dtime: $35/hr
  • Ttime: 16 hr (2 days)

23
Damage (cont.)
  • Data loss (Ddata): $2,000
  • Fraction of unrecoverable data (Plost_data, the
    Pdata of the cost model): 0.1
  • Fraction of unrecoverable machines (Pbios): 0.1
  • Cost for lost machines (Dbios): $2,400
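The cost model of slides 18 and 19 evaluated with the estimates on these two Damage slides, as an added example (not code from the presentation or the paper). Symbols follow the slides and amounts are 2001 US dollars; `what_if` is a helper of mine for pricing the preventive measures the conclusion slide lists.

```python
"""Worst-case worm cost model: Dtotal = Ninf * Dsystem."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CostInputs:
    p_penetration: float  # Ppenetration: fraction of vulnerable systems infected
    n_vulnerable: int     # Nvulnerable: potential infectees
    d_rec: float          # Drec: cost of system recovery ($)
    t_time: float         # Ttime: total downtime (hours)
    d_time: float         # Dtime: cost of downtime per hour ($/hr)
    p_data: float         # Pdata: probability of unrecoverable data loss
    d_data: float         # Ddata: cost of data loss ($)
    p_bios: float         # Pbios: probability of hardware loss
    d_bios: float         # Dbios: replacement value of the computer ($)


def damage_per_system(c: CostInputs) -> float:
    """Dsystem = Drec + Ttime*Dtime + Pdata*Ddata + Pbios*Dbios"""
    return (c.d_rec + c.t_time * c.d_time
            + c.p_data * c.d_data + c.p_bios * c.d_bios)


def infected_systems(c: CostInputs) -> float:
    """Ninf = Ppenetration * Nvulnerable"""
    return c.p_penetration * c.n_vulnerable


def total_damage(c: CostInputs) -> float:
    """Dtotal = Ninf * Dsystem"""
    return infected_systems(c) * damage_per_system(c)


# Slide estimates: 60% of 85 million business/government machines, $20
# recovery, 16 h downtime at $35/h, 10% data loss at $2,000, 10% hardware
# loss at $2,400.
SLIDE_ESTIMATES = CostInputs(0.60, 85_000_000, 20, 16, 35, 0.1, 2_000, 0.1, 2_400)


def what_if(**changes) -> float:
    """Dollars saved versus SLIDE_ESTIMATES when some inputs improve, e.g.
    what_if(p_data=0.01) for solid backups, what_if(t_time=8) for better
    recovery procedures, what_if(p_bios=0.0) for protected BIOSes."""
    return total_damage(SLIDE_ESTIMATES) - total_damage(replace(SLIDE_ESTIMATES, **changes))


if __name__ == "__main__":
    print(f"Dsystem = ${damage_per_system(SLIDE_ESTIMATES):,.0f} per machine")
    print(f"Dtotal  = ${total_damage(SLIDE_ESTIMATES):,.0f}")
    print(f"Backups cutting Pdata to 1% save ${what_if(p_data=0.01):,.0f}")
```

With the slide's numbers Dsystem comes to $1,020 and Dtotal to about $52 billion, of which downtime is by far the largest term.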

24
Damage (cont.)
25
Conclusion
  • Damage potential is huge
  • Need preventive measures
  • Solid data backups
  • Protect BIOSes
  • Mail-worm defenses
  • Improved recovery procedures
  • Reduce monocultures
  • Vulnerable spots (SMB/CIFS) are ubiquitous hence
    merit special defenses

26
References
  • Network Security II, lecture 22, COMP529 -
    Computer Network Protocols and Systems, Andreas
    Haeberlen. www.cs.rice.edu/eugeneng/teaching/f04/comp529/lectures/lecture22.ppt
  • Worms, Pandurang Kamat.
    www.scd.ucar.edu/nets/presentations/Security-for-I2techs/Security-for-I2techs.ppt