A WORST-CASE WORM BY NICHOLAS WEAVER AND VERN PAXSON

Presenter: K M Sabidur Rahman, ECS 236: Computer Security: Intrusion Detection Based Approach, UC Davis
[email protected]
http://www.linkedin.com/in/kmsabidurrahman/
5/13/2016

Computer Security: Worms



Agenda
• How to model the damage done by worms
• Attack details (target, ways)
• How to estimate the number of infected systems
• Damage done by a worm (data, hardware, downtime)
• How to estimate damage and loss
• Defense against worms

What is a Worm?
• malicious
• self-propagating network programs
• capable of spreading substantially faster than humans can respond
• contain highly malicious payloads
• represent a substantial threat to computing infrastructure
• Slammer worm disrupting a nuclear power plant’s systems, ATMs and 911 operations
• Welchia’s disruption of the Navy Marine Corps Intranet and ATMs

Modeling of a Worm’s damage


Assumptions related to the attack
• Infect as many US systems as possible
• Maximize damage in each infected system
• Keep the worm active as long as possible to reinfect any repaired but still vulnerable system

Assumptions on attacker resources
• Several experienced programmers
• Access to a significant amount of computing hardware
• Several months of time for development and testing
• Nation-state adversary (more resources than a terrorist group)

Candidates to target
• Windows SMB/CIFS file sharing
• This server is distributed with Windows 98
• SMB/CIFS are widely deployed
• Default anonymous login capabilities
• SMB service runs as part of the OS kernel
• On-by-default nature means most Windows PCs are vulnerable
• File sharing is essential for business operations

SMB/CIFS vulnerabilities
• Allows arbitrary remote execution as long as the attacker has domain access
• Worm can query the local Windows domain controller and ask for a list of local machines and their names
• RPC vulnerability (Blaster worm)
• To cross the firewall and spread across different domains, a mail-worm mode or an infected-web-browser mode can be used
• Use US-related IP addresses to target the worm

Speed of propagation
Spread across the Internet: the Slammer worm took less than 10 minutes to infect tens of thousands of servers.
Spread through gateways: needs human action (mail/web). Nimda spread within a few hours. A pure mail worm such as SoBig.E required a little more than a day to reach its peak volume.
Intranet spread: with 100 Mbps and 1 Gbps LANs, infecting a few victims takes less than a second, and the whole intranet much less than a minute.
Total spread time during US business hours can be a matter of hours.

Testing
Has to be tested in a wide range of environments
Make it polymorphic or include anti-anti-virus routines

Estimating the number of infected systems
• Penetration of 60% of the vulnerable business PCs is plausible in the worst case
• A survey from 2001 suggests 85 million PCs in business and government in the US
• Not including 45 million households with PCs

Attack’s damage
Data damage payload: once the infected machine is no longer needed as a part of the spreading process, the worm may damage the remote or local disks by overwriting random sectors on the disk.
Hardware damage: reflash the BIOS, corrupting the bootstrap program that initializes the computer. Software can flash the BIOS in 7 popular systems and 2 motherboards.

Attack’s damage
Attempting reinfections and increasing downtime: a zero-day exploit significantly increases the downtime.
The time between when a system is restored and when a patch is installed allows the system to be reinfected if there are still copies active on the local network.

Estimating damage
Drec: represents the system administration time to restore the system: reload the operating system, install patches, reinstall applications, restore data from backups, and reconnect the system to the network. Assumed to be ½ hour for this analysis, which roughly translates to $20 per system.
Dtime: productivity loss due to downtime, depends on both the value of the labor and the time lost. Approximated to be $35/hr.

Estimating damage
Ttime: 16 hr, two working days per user. First day: Microsoft develops patches and workarounds. Second day: the local sysadmin restores full network operation.
Ddata: lost data, approximated to $2000 per single loss incident.
Plost_data: 0.1. Assuming data is not lost most of the time, because of backups.
Pbios: 0.1. The attacker will be able to permanently destroy a limited number of configurations.
Dbios: $1400 (cost of replacement) + $1000 (40 hr productivity) = $2400

Estimating loss
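The slides give the parameters but not the arithmetic that turns them into a national loss figure. The following is an added worked example (not code from the slides or the paper): it takes the slides' values and assumes, as this example's own modeling choice, that the per-system loss is the expected-value sum of recovery, downtime, data-loss and BIOS terms, scaled by the 60% penetration of the 85 million business PCs from the earlier slide, and then shows how sensitive the total is to Ttime.

```python
from dataclasses import dataclass, replace

# Added worked example of the damage model the slides parameterize. The numbers
# are the slides' values; combining them as an expected-value sum per infected
# system, scaled by the infected population, is an assumption of this example.

@dataclass
class DamageParams:
    d_rec: float = 20.0             # admin time to rebuild one system, $ (1/2 hr)
    d_time: float = 35.0            # productivity loss per hour of downtime, $/hr
    t_time: float = 16.0            # hours of downtime per user (two working days)
    d_data: float = 2000.0          # cost of a single data-loss incident, $
    p_lost_data: float = 0.1        # probability backups do not cover the loss
    d_bios: float = 2400.0          # replacement ($1400) + 40 hr productivity ($1000)
    p_bios: float = 0.1             # probability the BIOS reflash bricks the machine
    business_pcs: int = 85_000_000  # 2001 survey: US business + government PCs
    penetration: float = 0.6        # worst-case fraction of business PCs infected

def loss_breakdown(p: DamageParams) -> dict:
    """Expected direct loss per infected system, split by cause."""
    return {
        "recovery": p.d_rec,
        "downtime": p.d_time * p.t_time,
        "data_loss": p.p_lost_data * p.d_data,
        "bios": p.p_bios * p.d_bios,
    }

def per_system_loss(p: DamageParams) -> float:
    return sum(loss_breakdown(p).values())

def infected_systems(p: DamageParams) -> int:
    return round(p.business_pcs * p.penetration)

def total_loss(p: DamageParams) -> float:
    return infected_systems(p) * per_system_loss(p)

def sensitivity(p: DamageParams, field: str, values) -> dict:
    """Total loss for each alternative value of one parameter, others unchanged."""
    return {v: total_loss(replace(p, **{field: v})) for v in values}

if __name__ == "__main__":
    base = DamageParams()
    print(loss_breakdown(base), f"-> ${per_system_loss(base):,.0f} per system")
    print(f"{infected_systems(base):,} systems -> ${total_loss(base) / 1e9:,.2f} billion")
    for hrs, loss in sensitivity(base, "t_time", [8, 16, 40]).items():
        print(f"Ttime = {hrs:>2} hr -> ${loss / 1e9:,.2f} billion")
```

With the slide defaults the downtime term ($560) dominates the $1,020 per-system figure, so the total is roughly $52 billion and moves almost linearly with Ttime.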


Model limitations
Doesn’t consider nonlinear effects on companies: follow-on effects (sometimes these values are inflated)
A downtime of one hour may not have as much consequence as one day
Some companies may suffer slowly over longer terms
Possible damage to critical infrastructure (power grid, hospitals, telecommunications, nuclear infrastructure)

Current defenses and recommendations
Most email worms are stopped by signature-based scanning, which can be easily avoided
Most IDSs are deployed to protect against external attacks (but this attack comes from internal connections)
Restrictive policies for mail worm scanning should be enforced
Additional filters for unusual characteristics (long strings in headers)
Network file sharing can be restricted
Servers can be on a different platform (Linux)
Disabling BIOS reflashing
Data backups and off-site storage protection
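The "unusual characteristics" filter above is a heuristic rather than a signature, so it does not depend on having seen the worm before. The following is an added example (not from the slides or the paper) of such a filter over constructed sample messages: it flags any header whose value is abnormally long or contains a very long unbroken token; the two thresholds are assumptions chosen for illustration.

```python
from email import policy
from email.parser import BytesParser

# Added example of a header-anomaly filter of the kind the defenses slide
# recommends. Thresholds are assumptions, not values from the slides.
MAX_HEADER_LEN = 256   # assumed: ordinary Subject/From lines are far shorter
MAX_TOKEN_LEN = 120    # assumed: longest whitespace-free run allowed in a value

def header_anomalies(raw: bytes) -> list:
    """Return (header name, reason) pairs for every header that trips a rule."""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw, headersonly=True)
    findings = []
    for name, value in msg.items():
        value = str(value)
        if len(value) > MAX_HEADER_LEN:
            findings.append((name, f"value length {len(value)} > {MAX_HEADER_LEN}"))
        longest = max((len(tok) for tok in value.split()), default=0)
        if longest > MAX_TOKEN_LEN:
            findings.append((name, f"token length {longest} > {MAX_TOKEN_LEN}"))
    return findings

# Constructed sample messages for a stand-alone run.
BENIGN = (b"From: alice@example.test\r\n"
          b"To: bob@example.test\r\n"
          b"Subject: Q2 budget review\r\n\r\nSee attached.\r\n")
SUSPECT = (b"From: alice@example.test\r\n"
           b"To: bob@example.test\r\n"
           b"Subject: " + b"A" * 600 + b"\r\n\r\nSee attached.\r\n")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, header_anomalies(raw) or "no anomalies")
```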

