A WORST-CASE WORM BY NICHOLAS WEAVER AND VERN PAXSON Presenter: K M Sabidur Rahman, ECS 236: Computer Security: Intrusion Detection Based Approach, UC Davis [email protected] http://www.linkedin.com/in/kmsabidurrahman/ 5/13/2016 1
Transcript
A WORST-CASE WORM BY
NICHOLAS WEAVER AND VERN PAXSON
Presenter:
K M Sabidur Rahman,
ECS 236: Computer Security: Intrusion Detection Based Approach,
•To cross firewalls and spread across different domains, the worm can use a mail-worm mode or an infected-web-browser mode.
•Target the worm at US-related IP address ranges.
Speed of propagation
Spread across the Internet: the Slammer worm took less than 10 minutes to infect tens of thousands of servers.
Spread through gateways: needs human action (mail/web). Nimda took only a few hours. A pure mail worm such as SoBig.E required a little more than a day to reach peak volume.
Intranet spread: with 100 Mbps and 1 Gbps LANs, infecting a few victims takes less than a second, and the whole intranet much less than a minute.
Total spread time during US business hours can be a matter of hours.
Testing
The worm has to be tested in a wide range of environments.
Make it polymorphic or include anti-anti-virus routines
Estimating the number of infected systems
•Penetration of 60% of the vulnerable business PCs is plausible in the worst case
•A survey from 2001 suggests 85 million PCs in US business and government
•Not including 45 million households with PCs
Attack's damage
Data damage payload: once the infected machine is no longer needed as part of the spreading process, the worm may damage remote or local disks, e.g. by overwriting random sectors on the disk.
Hardware damage: reflash the BIOS, corrupting the bootstrap program that initializes the computer. Software can flash the BIOS on 7 popular systems and 2 motherboards.
Attack's damage
Attempting reinfections and increasing downtime: a zero-day exploit significantly increases the downtime.
The time between when a system is restored and when a patch is installed allows the system to be reinfected if there are still active copies on the local network.
Estimating damage
Drec: the system administration time to restore the system: reload the operating system, install patches, reinstall applications, restore data from backups, and reconnect the system to the network.
Assumed to be ½ hour for this analysis, which roughly translates to $20 per system.
Dtime: productivity loss due to downtime; depends on both the value of the labor and the time lost. Approximated at $35/hr.
Estimating damage
Ttime: 16 hr, two working days per user. First day: Microsoft develops patches and workarounds. Second day: local sysadmins restore full network operation.
Ddata: lost data, approximated at $2000 per single loss incident.
Plost_data: 0.1. Assumes data is not lost most of the time, because of backups.
Pbios: 0.1. The attacker will be able to permanently destroy a limited number of configurations.
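As an added worked example (not from the slides or the paper), the per-system damage model assembled from the parameters above and scaled by the 60% penetration of 85 million PCs from the earlier slide. It assumes the components combine additively as expected values, and it treats the hardware-replacement cost for a machine whose BIOS was destroyed (not given on this page) as an input parameter that the caller must supply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DamageParams:
    """Per-system parameters from the slides (dollars and hours)."""
    d_bios: float             # hardware replacement cost per destroyed machine; NOT given on this page
    d_rec: float = 20.0       # Drec: sysadmin time to rebuild one system (1/2 hour, about $20)
    d_time: float = 35.0      # Dtime: productivity loss per hour of downtime ($/hr)
    t_time: float = 16.0      # Ttime: hours of downtime per user (two working days)
    d_data: float = 2000.0    # Ddata: cost of a single data-loss incident
    p_lost_data: float = 0.1  # Plost_data: probability backups do not save the data
    p_bios: float = 0.1       # Pbios: probability the BIOS attack permanently destroys the machine


def expected_damage_per_system(p: DamageParams) -> float:
    """Expected damage for one infected system.

    Assumption (not stated on this page): the components add as expected values,
    recovery labor + downtime loss + P(data lost) * data cost + P(BIOS destroyed) * hardware cost.
    """
    return (p.d_rec
            + p.d_time * p.t_time
            + p.p_lost_data * p.d_data
            + p.p_bios * p.d_bios)


def infected_systems(vulnerable_pcs: int = 85_000_000, penetration: float = 0.6) -> int:
    """Infected count: 60% penetration of the 85 million US business/government PCs."""
    return round(vulnerable_pcs * penetration)


def total_damage(p: DamageParams, vulnerable_pcs: int = 85_000_000, penetration: float = 0.6) -> float:
    """Aggregate expected damage across all infected systems."""
    return expected_damage_per_system(p) * infected_systems(vulnerable_pcs, penetration)


def sensitivity(p: DamageParams, penetrations=(0.2, 0.4, 0.6)) -> dict:
    """Total damage at several penetration rates; shows how much the estimate hinges on that one input."""
    return {pen: total_damage(p, penetration=pen) for pen in penetrations}


if __name__ == "__main__":
    # $1000 is a constructed placeholder for the hardware cost, not a figure from the slides.
    base = DamageParams(d_bios=1000.0)
    print(f"per system: ${expected_damage_per_system(base):,.0f}")
    print(f"infected:   {infected_systems():,}")
    for pen, cost in sensitivity(base).items():
        print(f"  penetration {pen:.0%}: ${cost / 1e9:,.2f} billion")
```

With the hardware term set to zero, the page's own figures alone give $780 per system and about $39.8 billion across 51 million infected machines, before any BIOS replacement cost is counted.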