How to Own the Internet in your spare time
Ashish Gupta
Network Security
April 2004
Dec 22, 2015
Overview
• What is the paper about?
• Code Red Analysis
• Three new techniques for fast spreading
• Surreptitious worms
• Summary
The threat
• Millions of compromised hosts under one attacker's control: enormous damage
  – Distributed DoS
  – Access to sensitive information
  – Sow confusion and disruption
• This paper is about fast-spreading worms
Analysis of Code Red I
• Compromises Microsoft IIS web servers
• Spreads by random IP generation, using 99 scanning threads
• The earlier Code Red I version had a bug: a fixed random seed, so every copy scanned the same address sequence (the July 19 version fixed it)
• Payload: DDoS attack against whitehouse.gov
• Modeling: Random Constant Spread (RCS), which gives an equation for the infected fraction over time (exponential at first, then saturating)
• The growth rate depends only on K (the initial compromise rate of one infected host), not on N (the number of vulnerable hosts)
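Added example (not part of the slides or of the paper's own code): the RCS solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}) that the paper derives from da/dt = K·a·(1-a), next to a constructed Monte Carlo of a random-scanning worm. Running the simulation twice with different vulnerable populations but the same K shows the slide's point: the time to go from 10% to 90% infected is ln(81)/K whatever N is. The address-space sizes, host counts and seeds are assumptions chosen so the run finishes in a couple of seconds.

```python
import math
import random


def rcs_fraction(t, K, T):
    """Infected fraction a(t) under the paper's Random Constant Spread model:
    da/dt = K*a*(1-a), solved by a = e^{K(t-T)} / (1 + e^{K(t-T)}).
    K is the initial compromise rate per infected host, T the curve's midpoint."""
    x = math.exp(K * (t - T))
    return x / (1.0 + x)


def time_between(K, a_low, a_high):
    """Time for the infected fraction to grow from a_low to a_high.
    Only K appears: the number of vulnerable hosts N has cancelled out."""
    logit = lambda a: math.log(a / (1.0 - a))
    return (logit(a_high) - logit(a_low)) / K


def simulate_random_scan(n_vuln, space_bits, probes_per_step=1, seed=1,
                         max_steps=200_000):
    """Constructed discrete-time Monte Carlo of a random-scanning worm.
    Every infected host sends probes_per_step probes per step at uniformly
    random addresses in a 2**space_bits space containing n_vuln vulnerable
    hosts. Returns K (vulnerable mass hit per host per step) and the steps at
    which 10% and 90% of the vulnerable population were infected."""
    rng = random.Random(seed)
    space = 1 << space_bits
    vulnerable = set(rng.sample(range(space), n_vuln))
    infected = {min(vulnerable)}          # patient zero
    t10 = t90 = None
    step = 0
    while len(infected) < n_vuln and step < max_steps:
        step += 1
        newly = set()
        for _ in range(len(infected) * probes_per_step):
            addr = rng.getrandbits(space_bits)
            if addr in vulnerable and addr not in infected:
                newly.add(addr)
        infected |= newly
        if t10 is None and len(infected) >= 0.1 * n_vuln:
            t10 = step
        if t90 is None and len(infected) >= 0.9 * n_vuln:
            t90 = step
    return {"K": probes_per_step * n_vuln / space, "t10": t10, "t90": t90,
            "steps": step, "infected": len(infected)}


if __name__ == "__main__":
    # Same K (200/2**16 == 400/2**17), different N: the 10%-90% time matches.
    for n, bits in ((200, 16), (400, 17)):
        r = simulate_random_scan(n, bits)
        print(n, "hosts: measured", r["t90"] - r["t10"], "steps,",
              "RCS predicts", round(time_between(r["K"], 0.1, 0.9)))
```

The same fit is what the paper does against the Code Red I data: K is read off the curve, and the address space only enters through K = (probe rate) × N / 2^32.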
Better Worms
• Code Red II used a localized scanning technique
  – 1/8 of probes: a random address anywhere
  – 1/2: an address in the same /8 (class A) as the infected host
  – 3/8: an address in the same /16 (class B)
  – Very successful strategy
  – Reaches many vulnerable hosts (nearby addresses are often similarly configured)
  – Proceeds quicker
(pie chart of the 1/2, 3/8 and 1/8 split not reproduced)
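Added example (not from the slides or the worm): the Code Red II target choice written out as a function, a frequency check that the three branches come out at the stated 1/8, 1/2 and 3/8, and the per-probe hit probability that explains why the bias pays off when vulnerable hosts cluster. The victim address and the density figures are assumptions for illustration.

```python
import ipaddress
import random


def localized_target(victim_ip, rng):
    """Pick the next probe target the way Code Red II did: with probability
    1/8 a uniformly random address, 1/2 an address inside the victim's own /8
    (class A), and 3/8 an address inside its own /16 (class B).
    Returns (target_as_int, branch_label)."""
    r = rng.random()
    if r < 1 / 8:
        return rng.getrandbits(32), "random"
    if r < 1 / 8 + 1 / 2:
        return (victim_ip & 0xFF000000) | rng.getrandbits(24), "same /8"
    return (victim_ip & 0xFFFF0000) | rng.getrandbits(16), "same /16"


def branch_frequencies(victim, n, seed=0):
    """Empirical share of each branch over n probes from one victim
    (deterministic for a given seed); also checks the prefix is preserved."""
    rng = random.Random(seed)
    victim_ip = int(ipaddress.IPv4Address(victim))
    counts = {"random": 0, "same /8": 0, "same /16": 0}
    for _ in range(n):
        target, branch = localized_target(victim_ip, rng)
        if branch == "same /16":
            assert target >> 16 == victim_ip >> 16
        elif branch == "same /8":
            assert target >> 24 == victim_ip >> 24
        counts[branch] += 1
    return {b: c / n for b, c in counts.items()}


def expected_hit_probability(density_random, density_slash8, density_slash16):
    """Per-probe probability of hitting a vulnerable host given the fraction
    of vulnerable addresses globally, inside the victim's /8 and inside its /16.
    With uniform density this equals plain random scanning; localized scanning
    wins exactly when the local densities are higher."""
    return density_random / 8 + density_slash8 / 2 + 3 * density_slash16 / 8


if __name__ == "__main__":
    print(branch_frequencies("192.0.2.10", 20_000))      # victim address assumed
    # assumed densities: 1 in 10,000 globally, 1 in 1,000 in the /8, 1 in 100 in the /16
    print(expected_hit_probability(1e-4, 1e-3, 1e-2), "vs", 1e-4, "for random scanning")
```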
Nimda Worm
• Nimda worm, September 2001
  – Maintained itself for months; a multi-mode worm
  – Infected web servers
  – Bulk emailing
  – Infecting web clients
  – Using Code Red II backdoors
Onset
• Very rapid onset
• Mail-based spread very effective
• Full functionality?
Faster Worms
Creating Better Worms
• Hit List Scanning
  – Gets "off the ground" very fast (the slow phase of a random-scanning worm is infecting, say, the first 10,000 hosts)
  – Attacker pre-selects 10,000-50,000 vulnerable machines before release
  – The first worm carries the entire hit list
  – The hit list is split in half on each infection: half stays, half goes to the new victim
  – The worm can establish itself in a few seconds
Permutation Scanning
• Random scanning is inefficient: lots of overlap between worm instances
• All worm copies share a common pseudo-random permutation of the address space
  – Generated with a 32-bit block cipher under a shared key: index → IP address
• How it works:
  – After infection, a new worm starts scanning just after its own point in the permutation
  – If it hits a machine that is already infected, it picks a new random starting index
• Minimizes duplication of effort
  – If worm W sees W' already infected, W' is already working on W's part of the permutation, so W restarts at a random point
• Keeps the infection rate very high and gives a comprehensive scan
• The permutation key can be changed periodically for an effective rescan
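Added example (not code from the slides or the paper): the shared permutation built as a keyed Feistel network over the address space, with its inverse, which is what lets a freshly infected host find "its own point" and start just after it. Below it is a constructed simulation of permutation scanning in a 2^16 address space so the whole permutation fits in a table; SHA-256 as the round function, the key, the population size and the seeds are assumptions, and a real worm would embed a small dedicated 32-bit cipher instead.

```python
import hashlib
import random


def _round_function(value, key, round_no, half_bits):
    """Keyed pseudo-random function for one Feistel round. SHA-256 here is an
    assumption standing in for a real small cipher; the Feistel structure
    turns any keyed function into a bijection."""
    digest = hashlib.sha256(key + bytes([round_no]) + value.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << half_bits) - 1)


def permute(index, key, bits=32, rounds=4):
    """Map a scan index to an address: a balanced Feistel network over `bits`
    bits, i.e. a keyed permutation of the 2**bits space. With bits=32 this is
    the shared 32-bit block cipher of the slide."""
    half = bits // 2
    mask = (1 << half) - 1
    left, right = index >> half, index & mask
    for r in range(rounds):
        left, right = right, left ^ _round_function(right, key, r, half)
    return (left << half) | right


def unpermute(address, key, bits=32, rounds=4):
    """Inverse of permute(): the index at which an address sits, which a newly
    infected host needs so it can start scanning just after itself."""
    half = bits // 2
    mask = (1 << half) - 1
    left, right = address >> half, address & mask
    for r in reversed(range(rounds)):
        left, right = right ^ _round_function(left, key, r, half), left
    return (left << half) | right


def permutation_table(key, bits, rounds=4):
    """The whole permutation as a list (only feasible for the small demo space)."""
    return [permute(i, key, bits, rounds) for i in range(1 << bits)]


def sample_vulnerable(n, bits, seed):
    """Constructed population: n vulnerable addresses in a 2**bits space."""
    return set(random.Random(seed).sample(range(1 << bits), n))


def simulate_permutation_scan(vulnerable, key, bits=16, rounds=4, seed=0, max_steps=100_000):
    """Every worm probes one index per step, walking forward through the shared
    permutation. A new victim starts just after its own index; a worm that lands
    on an already infected host restarts at a random index (the slide's rule)."""
    rng = random.Random(seed)
    space = 1 << bits
    table = permutation_table(key, bits, rounds)
    index_of = {addr: unpermute(addr, key, bits, rounds) for addr in vulnerable}
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    cursors = [(index_of[patient_zero] + 1) % space]
    probes = duplicates = steps = 0
    while len(infected) < len(vulnerable) and steps < max_steps:
        steps += 1
        children = []
        for i, cur in enumerate(cursors):
            probes += 1
            addr = table[cur]
            if addr in infected:              # someone else covers this region
                duplicates += 1
                cursors[i] = rng.randrange(space)
                continue
            if addr in vulnerable:
                infected.add(addr)
                children.append((index_of[addr] + 1) % space)
            cursors[i] = (cur + 1) % space
        cursors.extend(children)
    return {"infected": len(infected), "steps": steps, "probes": probes,
            "duplicate_hits": duplicates, "worms": len(cursors)}


if __name__ == "__main__":
    key = b"shared-worm-key"                  # assumed shared key
    print(simulate_permutation_scan(sample_vulnerable(300, 16, 42), key))
```

The table is only a convenience for the demo: a real instance computes permute() on the fly, so every copy needs just the key and its own index. Changing the key gives a fresh permutation, which is the periodic rescan the slide mentions.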
A Warhol Worm
• Combination of hit-list and permutation scanning
  – Can spread widely in less than 15 minutes
• Simulation results
Topological scanning
• Use information on the victim to identify new targets
  – Email lists
  – P2P applications
  – List of web servers from IE favorites, etc.
Faster Worms : Recap
• Fast startup: hit-list scanning
• Extremely efficient: permutation scanning
• Combine the above: Warhol worms
• Exploit local information: topological scanning
Flash Worms
• Fastest method: the entire Internet in tens of seconds
• Obtain the hit list of vulnerable servers in advance
  – Scanning the entire IP space takes about 2 hours on an OC-12 link (622 Mbps)
  – The list would be big (~48 MB)
• Divide the list into n blocks
  – Infect the first host of each block and hand the rest of the block to the new worm
  – Repeat for each block
• Alternative: store pre-assigned chunks on a high-bandwidth server
• Two limitations
  – Large list size
  – Latency
• Analysis: total infection time stays under thirty seconds even for hosts on a 256 kbps DSL link
  – For 3 million hosts the tree is just 7 layers deep (n = 10)
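Added example (not from the slides or the paper) serving both the hit-list slide and this one: the hand-off run literally on a list, the closed-form depth of the resulting tree (7 generations for 3 million hosts with n = 10, matching the slide), and the size of the sub-list each generation has to push to its children, which is where the "large list size" and "latency" limitations come from. The timing model at the end is a simplification assumed for illustration, not the paper's analysis; the worm-body size and link figures are assumptions.

```python
import math


def generations_needed(hosts, fanout):
    """Depth of the infection tree: smallest g with fanout + fanout**2 + ... +
    fanout**g >= hosts, when patient zero holds the whole list and every worm
    infects the first host of each of its fanout blocks per generation.
    fanout=2 is the hit-list slide's split-in-half; fanout=n is the flash worm."""
    g, covered, layer = 0, 0, 1
    while covered < hosts:
        layer *= fanout
        covered += layer
        g += 1
    return g


def simulate_handoff(hitlist, fanout):
    """Run the hand-off on an actual list: split it into fanout blocks, infect
    the first entry of each block in the next generation, give that host the
    remainder of its block, repeat. Returns {address: generation infected}."""
    generation_of = {}
    pending = [(list(hitlist), 0)]
    while pending:
        chunk, g = pending.pop()
        if not chunk:
            continue
        block_size = math.ceil(len(chunk) / fanout)
        for start in range(0, len(chunk), block_size):
            block = chunk[start:start + block_size]
            generation_of[block[0]] = g + 1
            pending.append((block[1:], g + 1))
    return generation_of


def handoff_bytes_per_generation(hosts, fanout, bytes_per_address=4):
    """Bytes of sub-list a worm in each generation sends to one child
    (4 bytes per IPv4 address, the assumption behind the ~48 MB figure).
    The list shrinks by a factor of fanout every layer."""
    sizes = []
    remaining = hosts
    while remaining > 1:
        per_child = remaining // fanout
        sizes.append(per_child * bytes_per_address)
        remaining = per_child
    return sizes


def estimated_total_time(hosts, fanout, latency_s, link_bps_per_generation,
                         worm_body_bytes=10_000):
    """Assumed timing model: each generation costs one latency plus sending the
    worm body and the child's sub-list to all fanout children over that
    generation's link (last link speed reused if the list is shorter)."""
    total = 0.0
    for g, child_bytes in enumerate(handoff_bytes_per_generation(hosts, fanout)):
        bps = link_bps_per_generation[min(g, len(link_bps_per_generation) - 1)]
        total += latency_s + fanout * 8 * (worm_body_bytes + child_bytes) / bps
    return total


if __name__ == "__main__":
    print("3M hosts, n=10:", generations_needed(3_000_000, 10), "generations")
    print("bytes per child per generation:", handoff_bytes_per_generation(3_000_000, 10))
    # assumed links: top two layers on 622 Mbps, everything below on 256 kbps DSL
    print("est. seconds:", round(estimated_total_time(
        3_000_000, 10, 0.1, [622e6, 622e6, 256e3]), 1))
```

The byte sizes show why the root of the tree cannot sit on a slow link: the first generation ships roughly 1.2 MB to each of ten children, while by the fourth generation a child gets about a kilobyte and the cost is all latency.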
Stealth Worms
• No peculiar communication patterns, so very difficult to detect
• Working:
  – Pair of exploits: Es for the server, Ec for the client
  – Infection alternates: server → client → server → ...
• Limitations
  – A pair of exploits is required
  – Depends on web surfing behaviour
Exploiting P2P systems
• Large set of hosts, all running the same software
• Only a single exploit is now needed
• More favorable for infection:
  – Interconnect with a large number of peers
  – Transfer large files
  – Not mainstream protocols
  – Execute on desktops, not servers
• Potentially immense size
Analysis of KaZaA traffic
• Immense traffic: 5-10 million connections per day
• Huge diversity: 9 million distinct hosts contacted in November (from 5,800 university hosts)
• If KaZaA were exploitable (variable-size headers?), a large number of hosts could be infected stealthily in a month
• Starting point: brute-force infect all university hosts?
• Actual spread much faster?
• Much work remaining: total KaZaA population size?
Remote Control
• Distributed control
  – Each worm knows about the other worms *it* has infected
  – Analysis: high connectivity, average degree = 4
  – Without a single point of communication, updates can still be passed along
• Programmatic updates
  – Worms as "computing capsules"
  – Can send arbitrary code!
Conclusion
• Worms present an extremely serious threat to the safety of the Internet