How to Own the Internet in your spare time
Ashish Gupta
Network Security
April 2004
Overview
• What is the paper about?
• Code Red Analysis
• Three new techniques for fast spreading
• Surreptitious worms
• Summary
The threat
• Millions of hosts → enormous damage
– Distributed DoS
– Access to sensitive information
– Sow confusion and disruption
• This paper is about
– Fast spreading of worms
Analysis of Code Red I
• Compromises MS IIS web servers
• Spreads by random IP generation
– 99 threads
• Earlier bug: Code Red I
– DDoS attack on whitehouse.gov
• Modeling: Random Constant Spread (RCS)
• Gives an exponential equation
• Depends only on K, not N
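The RCS model named above, worked through as an added example (my code, not the deck's or the paper's). It implements the logistic model from the Staniford, Paxson and Weaver paper the deck summarizes, da/dt = K·a·(1 - a), where a(t) is the fraction of vulnerable hosts already infected and K the initial compromise rate; the parameter values K = 1.8 per hour and T = 11.9 hours are approximately the paper's Code Red I fit and are used here only for illustration. It shows the deck's point that the curve depends on K and not on N, and computes the window between 10% and 90% infection, which is the time a defender has to react once the worm is unmistakably visible.

```python
import math

# Added example: the RCS (random constant spread) model.  a(t) is the fraction
# of vulnerable hosts already infected and K the initial compromise rate, i.e.
# new infections per infected host per unit time:
#     da/dt = K * a * (1 - a)
# whose solution is the logistic curve a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}),
# with T the time at which half of the vulnerable population is infected.
# Parameter values used below are constructed for illustration and are roughly
# those the paper fitted to Code Red I (K = 1.8/hour, T = 11.9 hours).

def rcs_fraction(t, K, T):
    """Closed-form infected fraction a(t), evaluated without overflow for large |t - T|."""
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)

def time_to_fraction(target, K, T):
    """Invert the curve: the time at which fraction `target` (0 < target < 1) is infected."""
    return T + math.log(target / (1.0 - target)) / K

def response_window(K, T, low=0.1, high=0.9):
    """Hours between `low` and `high` infected: the window a defender has once
    the worm is clearly visible.  Depends only on K, not on T or N."""
    return time_to_fraction(high, K, T) - time_to_fraction(low, K, T)

def simulate_rcs(N, K, a0=0.01, dt=0.01, t_max=50.0):
    """Forward-Euler simulation of da/dt = K a (1 - a) for a population of N
    hosts.  Returns (t, infected_hosts) samples.  N scales the count but not
    the dynamics: the curve's shape is set by K alone, which is the deck's point."""
    a, t = a0, 0.0
    samples = [(t, a * N)]
    while t < t_max and a < 0.999:
        a += K * a * (1.0 - a) * dt
        t += dt
        samples.append((round(t, 6), a * N))
    return samples

if __name__ == "__main__":
    K, T = 1.8, 11.9
    print("Infected fraction at T:", rcs_fraction(T, K, T))
    print("10%% -> 90%% takes %.2f hours" % response_window(K, T))
    for N in (100, 10**6):
        t_end, n_end = simulate_rcs(N, K)[-1]
        print("N=%d: 99.9%% (%.0f hosts) reached at t=%.2f" % (N, n_end, t_end))
```

The simulation is run twice with the same K and a population four orders of magnitude apart; both runs hit 99.9% at exactly the same time step, which is the "depends only on K, not N" claim made concrete.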
Better Worms
• Code Red II
– Used a localized scanning technique
– 3/8 of probes within the same class B, 1/2 within the same class A, 1/8 the rest of the Internet
– Very successful strategy
– Affects many vulnerable hosts
– Proceeds quicker
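A detector built around the locality profile described above, as an added example (my code, not the deck's). It profiles each source in a set of flow records by how many distinct destinations it contacts and what share of those fall in the source's own /16 (class B) and /8 (class A); a source with many destinations and the 3/8 + 1/2 local share is labelled a localized scanner, while a source whose destinations are spread uniformly over the address space, the way random scanning looks from outside, is labelled a uniform scanner. The flow records, addresses, thresholds and function names are all constructed for the example.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed flow records (src, dst) for the example; none come from the deck.
def make_flows(seed=3):
    rng = random.Random(seed)
    flows = []

    def rand_ip():
        return str(ipaddress.IPv4Address(rng.getrandbits(32)))

    # Host A: localized scanning with the Code Red II mix of
    # 3/8 same /16, 1/2 same /8, 1/8 anywhere.
    a = int(ipaddress.IPv4Address("10.20.30.40"))
    for _ in range(240):
        r = rng.random()
        if r < 3 / 8:
            dst = (a & 0xFFFF0000) | rng.getrandbits(16)
        elif r < 7 / 8:
            dst = (a & 0xFF000000) | rng.getrandbits(24)
        else:
            dst = rng.getrandbits(32)
        flows.append(("10.20.30.40", str(ipaddress.IPv4Address(dst))))
    # Host B: destinations spread uniformly over the whole space.
    for _ in range(240):
        flows.append(("10.20.31.7", rand_ip()))
    # Host C: an ordinary client talking to a handful of servers repeatedly.
    servers = [rand_ip() for _ in range(6)]
    for _ in range(240):
        flows.append(("10.20.30.9", rng.choice(servers)))
    return flows

def locality(src, dst):
    """Which of the source's own prefixes the destination falls in."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    if s >> 16 == d >> 16:
        return "same16"
    if s >> 24 == d >> 24:
        return "same8"
    return "other"

def profile_sources(flows):
    """Per source: number of distinct destinations and the share of them in
    the source's own /16, own /8 and elsewhere."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    out = {}
    for src, ds in dests.items():
        counts = {"same16": 0, "same8": 0, "other": 0}
        for d in ds:
            counts[locality(src, d)] += 1
        n = len(ds)
        out[src] = {"distinct": n, **{k: v / n for k, v in counts.items()}}
    return out

def classify(flows, min_distinct=50, local_share=0.7):
    """Label each source.  Many distinct destinations marks a scanner; if most
    of them lie in the source's own /8 it is the localized (Code Red II)
    profile, otherwise the destinations carry no structure (uniform scan)."""
    labels = {}
    for src, p in profile_sources(flows).items():
        if p["distinct"] < min_distinct:
            labels[src] = "normal"
        elif p["same16"] + p["same8"] >= local_share:
            labels[src] = "localized-scan"
        else:
            labels[src] = "uniform-scan"
    return labels

if __name__ == "__main__":
    flows = make_flows()
    for src, p in profile_sources(flows).items():
        print(src, {k: round(v, 3) if isinstance(v, float) else v for k, v in p.items()})
    print(classify(flows))
```

The share thresholds are deliberately loose: the point of the profile is that a localized scanner's destination set is heavily skewed toward its own prefixes, which ordinary clients (few destinations) and uniform scanners (no skew) both lack.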
Nimda Worm
• Nimda worm, August 2001
– Maintained itself for months, multi-mode worm
– Infected web servers
– Bulk emailing
– Infecting web clients
– Using Code Red II backdoors
Onset
• Very rapid onset
• Mail based spread very effective
• Full functionality?
Faster Worms
Creating Better Worms
• Hit-list scanning
– “Getting off the ground” very fast
– Say the first 10,000 hosts
– Pre-select 10,000–50,000 vulnerable machines
– The first worm carries the entire hit list
– Hit list split in half on each infection
– Can establish itself in a few seconds
Permutation Scanning
• Random scanning is inefficient: lots of overlap
• All worms share a common pseudo-random permutation
– Generated from a 32-bit block cipher key
– Maps an index to an IP address
Permutation scanning
• How it works:
– After the first infection, start scanning just after their own point in the permutation
– If the machine probed is already infected, pick a random starting index
• Minimizes duplication of effort
– W sees W’ → W’ is already working on the permutation list of W → W restarts at a random point
• Keeps the infection rate very high: a comprehensive scan
• The permutation key can be changed periodically for an effective rescan
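The overlap cost behind the "lots of overlap" remark, worked out as an added example (my code, not the deck's or the paper's). With M addresses and P uniform random probes, the expected number of distinct addresses hit is M·(1 - (1 - 1/M)^P), so M probes cover only about 63% of the space and reaching 99% coverage takes about 4.6·M probes, whereas one walk through a permutation covers min(P, M) addresses with no repeats. The last closed-form function shows the other half of the picture: k uncoordinated walkers each sweeping a random stretch of length l overlap just like random probes do, M·(1 - (1 - l/M)^k), which is why the restart-on-already-infected rule is what keeps the scan comprehensive. A seeded shuffle stands in for the block-cipher permutation and the address-space size is constructed.

```python
import math
import random

# Added example, not the deck's or the paper's code.  M is the size of the
# address space (4096 in the sample calls, constructed for illustration) and
# P the number of probes sent.

def expected_random_coverage(M, P):
    """Expected distinct addresses hit by P independent uniform probes.
    A given address is missed by one probe with probability 1 - 1/M."""
    return M * (1.0 - (1.0 - 1.0 / M) ** P)

def probes_for_coverage(M, fraction):
    """Probes needed for uniform random scanning to reach an expected coverage
    `fraction` (0 < fraction < 1); grows like M * ln(1 / (1 - fraction))."""
    return math.log(1.0 - fraction) / math.log(1.0 - 1.0 / M)

def permutation_sweep_coverage(M, P):
    """A single walker following a fixed permutation never repeats an address
    within one cycle, so P probes cover min(P, M) addresses."""
    return min(P, M)

def uncoordinated_sweeps_coverage(M, k, length):
    """Expected coverage of k walkers that each sweep `length` consecutive
    permutation positions from independent random starts: an address is
    missed by one walker with probability 1 - length/M.  With k = M and
    length = 1 this is exactly random scanning, so the starts must be
    coordinated for the permutation to help."""
    return M * (1.0 - (1.0 - length / M) ** k)

def simulate(M, P, seed=0):
    """Monte Carlo check: distinct addresses hit by P random probes versus P
    steps along one seeded permutation (the shuffle stands in for the cipher).
    Returns (random_distinct, sweep_distinct)."""
    rng = random.Random(seed)
    random_hits = {rng.randrange(M) for _ in range(P)}
    perm = list(range(M))
    rng.shuffle(perm)
    start = rng.randrange(M)
    sweep_hits = {perm[(start + i) % M] for i in range(P)}
    return len(random_hits), len(sweep_hits)

if __name__ == "__main__":
    M = 4096
    p99 = probes_for_coverage(M, 0.99)
    print("random, P = M: expected %.0f distinct" % expected_random_coverage(M, M))
    print("random, 99%% coverage: %.0f probes (%.1f M)" % (p99, p99 / M))
    print("one permutation sweep, P = M:", permutation_sweep_coverage(M, M))
    print("16 uncoordinated sweeps of M/16: %.0f" % uncoordinated_sweeps_coverage(M, 16, M // 16))
    print("simulated (random, sweep):", simulate(M, M))
```

The closed forms are exact for discrete address spaces, and the simulation should land within a few tens of addresses of the random-scan expectation while the sweep covers everything.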
A Warhol Worm
• Combination of hit-list and permutation scanning
– Can spread widely in less than 15 minutes
• Simulation results
Topological scanning
• Use information on the victim to identify new targets
– Email lists
– P2P applications
– List of web servers from IE favorites, etc.
Faster Worms : Recap
• Fast startup → hit-list scanning
• Extremely efficient → permutation scanning
• Combine the above → Warhol worms
• Exploit local information → topological scanning
Flash Worms
• Fastest method: the entire Internet in tens of seconds
• Obtain a hit list of vulnerable servers in advance
• 2 hours for the entire IP space on an OC-12 link (622 Mbps)
• The list would be big (~48 MB)
• Divide it into n blocks
– Infect the first host of each block and hand the block over to the new worm
– Repeat for each block
• Alternative: store pre-assigned chunks on a high-bandwidth server
• Two limitations
– Large list size
– Latency
• Analysis: sub-thirty-second limit on total infection time on a 256 kbps DSL link
– For 3 million hosts, just 7 layers deep (n = 10)
Stealth Worms
• No peculiar communication patterns
• Very difficult to detect
• Working:
– Pair of exploits: Es for the server, Ec for the client ???
– Server → Client → Server, …
• Limitations
– Pair of exploits required
– Depends on web surfing
Exploiting P2P systems
• Large set, all running the same software
• Only a single exploit is now needed
• More favorable for infection:
– Interconnect with a large number of peers
– Transfer large files
– Not mainstream protocols
– Execute on desktops, not servers
• Potentially immense size
Analysis of KaZaA traffic
• Immense traffic: 5–10 million connections per day
• Huge diversity! 9 million distinct hosts contacted in November (from 5,800 university hosts)
• If KaZaA were exploited (variable-size headers?), then a large number could be infected stealthily in a month
• Starting point: brute-force infect all university hosts ???
• Actual spread much faster?
• Much work remaining: total KaZaA size?
Remote Control
• Distributed control
– Each worm knows about the other worms *it* has infected
– Analysis: high connectivity, average degree = 4
– Without a single point of communication, updates can be passed
• Programmatic updates
– Worms as “computing capsules”
– Can send arbitrary code!
Conclusion
• Worms present an extremely serious threat to the safety of the Internet