Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to 0wn the Internet In Your Spare Time Authors Stuart Staniford, Vern Paxson, Nicholas Weaver Published Proceedings of the 11th USENIX Security Symposium.

Published bySimon Wilson Modified over 8 years ago

Similar presentations

Presentation on theme: "How to 0wn the Internet In Your Spare Time Authors Stuart Staniford, Vern Paxson, Nicholas Weaver Published Proceedings of the 11th USENIX Security Symposium."— Presentation transcript:

1 How to 0wn the Internet In Your Spare Time Authors Stuart Staniford, Vern Paxson, Nicholas Weaver Published Proceedings of the 11th USENIX Security Symposium 2002 Presenter Shawn Embleton

2 Outline Introduction Code Red Worm Better Worms in Practice Better Worms in Theory Simulations & Results

3 Introduction Internet Worms differ from viruses in that they do not require user participation –excepting poor code and security practices 1988 Morris Worm –Repeat infections possible – crashed systems 1999 Melissa Macro –Half worm/virus –Incapacitated many email servers

4 Code Red v.1 First seen July 12, 2001 Spread by exploiting a Microsoft IIS.ida vulnerability discovered by eEye on June 18 th 99 propagation threads, 100 th defaced pages Problem, RNG used static ‘seed’ which also incorporated the TID == 99 spread lists –Resulted in linear spreading

5 Code Red v.1 Continued Defaced root level pages 1 st to 19 th  attempted to spread 20 th to 28 th  attempted to DDOS –target was www1.whitehouse.gov Memory resident –Reboot the system to disinfect

6 Code Red I v.2 Started spreading July 19 th, 2001 Similar code base Fixed the RNG seeding problem Over 359,000 systems infected in 14 hours Systems that were power cycled were re-infected before patch could be applied …

7 Code Red I v.2 Plot K=1.8 T=11.9 Chemical Abstracts

8 Analysis Random Constant Spread Model [RCS] N - total number of vulnerable hosts K – initial compromise rate T – time fixing when incident occurs a – proportion of compromised vulnerable t – time [in hours] Applied using “logistic equation” –Rate of growth in finite system –Equal likelihood of any attacking any other

9 Analysis

10 Better Worms in Practice Localized Scanning  Code Red II v.3 August 4, 2001 but different code base –No defacement, no DDOS code, same exploit used [contained a string “Code Red II”] If no prior infection, initiates, installs backdoor, waits one day and reboots machine If Chinese language on system, 600/48 threads else 300/24 threads are used to propagate

11 Better Worms in Practice Localized Scanning  Code Red II v.3 1/8 probability of probing random IP address 4/8 probability of probing same /8 network 3/8 probability of probing same /16 network No analytical model given No empirical data provided

12 Better Worms in Practice Localized Scanning  Code Red II v.3 LBNL

13 Better Worms in Practice Localized Scanning  Code Red II v.3 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%uc bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090 %u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

14 Better Worms in Practice Multi-Vector Worms  Nimda September 18 th, 2001 5 different attack vectors –Client to client via email –Client to client via open network shares –Web server to client through browsing –Client to server through Directory Traversal exploits –Client to server through previous worm backdoors

15 Better Worms in Practice Multi-Vector Worms  Nimda Email propagation –MIME message containing ‘readme.exe’ payload Slight binary variations to change hashes of the attachment –Variable Subject Line –Scans local hypertext files along with received MAPI for additional email addresses to contact  every 10 days File System propagation –Creates MIME copies of itself on local and network drives Can exploit Explorer preview vulnerabilities –Trojans legitimate applications on the system

16 Better Worms in Practice Multi-Vector Worms  Nimda Web-Server Propagation –Scans servers that the user browses for vulnerabilities –Looks for Sadmind, Code Red backdoors + new exploits –Spreads to browsing users by appending the following to all files in web-aware directories –Also added ‘guest’ account to Administrators Group

17 Better Worms in Theory Hit List Scanning Permutation Scanning Topologically Aware Worms Internet Scale Hit Lists

18 Better Worms in Theory Hit List Scanning Worm needs a substantial base before the exponential spreading really takes off Before release, gather a list of potentially vulnerable systems After launch, these systems are infected much more rapidly and provide the needed base List can retrieved or systematically halved

19 Better Worms in Theory Permutation Scanning Random scanning has inherent problems –Many addresses are rescanned –No way to know when infection is nearing completion Share a common permutation of the address space –Easy to compute at each host –Newly infected machines start scanning from some index –After N infected machines encountered, stop scanning

20 Better Worms in Theory Topologically Aware Worms Look for Web servers in infected machines caches –High probability of being actual servers Look for mail in users address book –If spreading through mail servers for instance Email worms incorporate this tactic now

21 Better Worms in Theory Flash Worms  Main Idea of Paper Obtain hit-list of systems with relevant service open –OC-12 scan the entire Internet in 2 hours Include pre-knowledge of high-capacity servers Use a N-partitioned overlapping list infection technique Argument is made for 30 seconds to total domination

22 Better Worms in Theory Contagion Worms Slower spreading to avoid countermeasures based on heuristics such as capacity fluctuations Talk about using P2P apps to attain high degree of host inter-connectivity for spreading in a m-way tree type style More stealthy idea than a fast spreading worm

23 Simulations Simulated a ‘Warhol” style worm –Combination of hit-list and permutation scanning Assumptions –Complete connectivity in 32-bit address space –Scan until 99.99% infection Parameters –Conventional - Code Red style with 10 scans/second –Fast - Code Red style with 100 scans/second –Warhol - 100 scans/s + hit-list + permutation scanning

24 Results Simulation

25 Strengths Published relatively quickly with a reasonable mathematical model which rather accurately captures the data Performed simulations that correlate with the proposed mathematical model well Results support hypothesis of total Internet domination …

26 Weaknesses Some of the data could possibly be interpreted in additional manners than offered Paper seems to have a heavy “what-if” factor Main call for action is made without laying out any specific plans or specifications Small incongruities with other recognized associations [such as C.E.R.T.]

27 Improvements Authors might have proposed a specific defense system alongside the call for action Could have gathered data from more locations than just LBNL and Chemical Abstracts Service Corp. More helpful to compare the different worms using the same analysis methods –Connections/Second vs. Distinct Remote Hosts Attacking

28 References www.caida.org www.cert.org http://www.thesitewizard.com/news/coder ediiworm.shtml How to 0wn the Internet in Your Spare Time –Staniford, Paxson, Weaver

29 Questions ?

Download ppt "How to 0wn the Internet In Your Spare Time Authors Stuart Staniford, Vern Paxson, Nicholas Weaver Published Proceedings of the 11th USENIX Security Symposium."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.

Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.
Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.

Modeling the spread of active worms Zesheng Chen, Lixin Gao, and Kevin Kwiat bearhsu - INFOCOM 2003.
Copyright Silicon Defense 2003. Worm Overview Stuart Staniford Silicon Defense www.silicondefense.com.

Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Modeling the Spread of Worms Wade Trappe. Overview Quick discussion of how the Internet is organized. Random Constant Spread (RCS) Model and Code-Red.

Modeling the Spread of Worms Wade Trappe. Overview Quick discussion of how the Internet is organized. Random Constant Spread (RCS) Model and Code-Red.
Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)

Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)
Internet Worms - A Quick Overview Presented By : Sumitha Bhandarkar Presented On : 04.08.03.

Internet Worms - A Quick Overview Presented By : Sumitha Bhandarkar Presented On :
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.
Unit 2 - Hardware Computer Security.

Unit 2 - Hardware Computer Security.

Similar presentations

Ads by Google