How to 0wn the Internet in Your Spare Time. Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver. Published in: Proceedings of the 11th USENIX Security Symposium.


Presenter: Shawn Embleton (Proceedings of the 11th USENIX Security Symposium, 2002)

Outline
- Introduction
- Code Red worm
- Better worms in practice
- Better worms in theory
- Simulations and results

Introduction
- Internet worms differ from viruses in that they do not require user participation
  – excepting poor code and security practices
- 1988 Morris worm
  – Repeat infections were possible; crashed systems
- 1999 Melissa macro
  – Half worm, half virus
  – Incapacitated many servers

Code Red v.1
- First seen July 12, 2001
- Spread by exploiting the Microsoft IIS .ida vulnerability discovered by eEye on June 18th
- 99 propagation threads; the 100th defaced pages
- Problem: the RNG used a static seed (which also incorporated the thread ID), so every infected host generated the same 99 spread lists
  – Resulted in linear spreading

Code Red v.1 (continued)
- Defaced root-level pages
- 1st to 19th of the month: attempted to spread
- 20th to 28th: attempted a DDoS
  – target was www1.whitehouse.gov
- Memory resident
  – Reboot the system to disinfect

Code Red I v.2
- Started spreading July 19th, 2001
- Similar code base
- Fixed the RNG seeding problem
- Over 359,000 systems infected in 14 hours
- Systems that were power cycled were re-infected before the patch could be applied …

Code Red I v.2 plot (RCS fit: K = 1.8, T = 11.9; Chemical Abstracts Service data)

Analysis: Random Constant Spread (RCS) model
- N – total number of vulnerable hosts
- K – initial compromise rate
- T – constant fixing the time at which the incident occurs
- a – proportion of vulnerable machines compromised
- t – time (in hours)
- Applied using the "logistic equation"
  – Rate of growth in a finite system
  – Equal likelihood of any infected machine attacking any other

Analysis
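The RCS model from the analysis slides, worked through in code. This is an added example, not code from the paper or the presentation. It assumes the usual logistic form of the model, da/dt = K·a·(1 - a) with solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), and uses the K = 1.8, T = 11.9 fit quoted for Code Red I v.2 (t in hours). The two observation points used to re-derive K and T are constructed from the curve itself; `rcs_integrate` is only a numerical cross-check that the closed form really solves the differential equation.

```python
"""Random Constant Spread (RCS) model: closed form, numerical check and a
two-point fit.  Added example; assumes the logistic form
    da/dt = K * a * (1 - a)   =>   a(t) = exp(K (t - T)) / (1 + exp(K (t - T)))
with a = fraction of vulnerable hosts compromised, K = initial compromise
rate (per hour here) and T = constant fixing when the incident occurs."""
import math

# Fit quoted on the slides for Code Red I v.2 (time unit: hours).
CODE_RED_K = 1.8
CODE_RED_T = 11.9


def rcs_fraction(t, K=CODE_RED_K, T=CODE_RED_T):
    """Closed-form RCS solution: fraction of vulnerable hosts compromised at t."""
    x = K * (t - T)
    # Evaluate in whichever form avoids exp() overflow for the sign of x.
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    return math.exp(x) / (1.0 + math.exp(x))


def rcs_integrate(K, a0, t_end, dt=0.01):
    """Integrate da/dt = K a (1 - a) from a(0) = a0 with classical RK4.
    Cross-checks that the closed form above solves the ODE."""
    f = lambda a: K * a * (1.0 - a)
    a = a0
    for _ in range(int(round(t_end / dt))):
        k1 = f(a)
        k2 = f(a + 0.5 * dt * k1)
        k3 = f(a + 0.5 * dt * k2)
        k4 = f(a + dt * k3)
        a += dt * (k1 + 2.0 * k2 + 2.0 * k3 + k4) / 6.0
    return a


def fit_k_t(t1, a1, t2, a2):
    """Recover K and T from two observed (time, fraction) points.
    logit(a(t)) = K (t - T) is linear in t, so two points suffice."""
    logit = lambda a: math.log(a / (1.0 - a))
    K = (logit(a2) - logit(a1)) / (t2 - t1)
    T = t1 - logit(a1) / K
    return K, T


def infected_hosts(t, N, K=CODE_RED_K, T=CODE_RED_T):
    """Number of compromised hosts at time t given N vulnerable hosts."""
    return N * rcs_fraction(t, K, T)


if __name__ == "__main__":
    for hour in (8, 10, 12, 14, 16):
        print(f"t={hour:2d}h  a={rcs_fraction(hour):.4f}")
    # Constructed observations taken from the curve itself: the fit must return 1.8, 11.9.
    print("fit from two points:", fit_k_t(10, rcs_fraction(10), 14, rcs_fraction(14)))
```

With real incident data the two points would be the observed infected fractions at two times; any two points on the rising edge give the same K and T because the logit of a(t) is a straight line, which is also the quickest way to check whether a set of observations is consistent with the RCS model at all.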

Better Worms in Practice: Localized Scanning – Code Red II v.3
- August 4, 2001; different code base
  – No defacement, no DDoS code, same exploit used (contained the string "Code Red II")
- If no prior infection: initiates, installs a backdoor, waits one day and reboots the machine
- If the system language is Chinese, 600 threads for 48 hours, else 300 threads for 24 hours are used to propagate

Better Worms in Practice: Localized Scanning – Code Red II v.3
- 1/8 probability of probing a random IP address
- 4/8 probability of probing the same /8 network
- 3/8 probability of probing the same /16 network
- No analytical model given
- No empirical data provided

Better Worms in Practice: Localized Scanning – Code Red II v.3 (LBNL data plot)

Better Worms in Practice: Localized Scanning – Code Red II v.3 (the exploit request as seen on the wire)
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
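The request above is what an exploit attempt looks like in an IIS or proxy log, which makes it a straightforward signature for a defender. The block below is an added example, not from the paper or the slides, that scans constructed web-server log lines for it. It relies on the public analyses' observation that Code Red I padded the request with 'N' and Code Red II with 'X', a detail the slide does not state; the log lines and addresses are made up.

```python
"""Signature match for Code Red I / II exploit requests in web-server logs.
Added example; the log lines below are constructed.  The padding character
('N' for Code Red I, 'X' for Code Red II) comes from the public worm
analyses, not from the slide."""
import re

# The request hits /default.ida with a long run of one padding byte followed
# by %u-encoded shellcode that starts with a NOP sled (%u9090).
CODE_RED_RE = re.compile(r"GET\s+/default\.ida\?([NX])\1{50,}.*%u9090")

# Common-log-format lines (constructed sample data).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [19/Jul/2001:10:00:02 +0000] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 0',
    '192.0.2.12 - - [04/Aug/2001:10:00:03 +0000] "GET /default.ida?' + "X" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 0',
    # Short probe without the %u payload: not the worm, must not match.
    '192.0.2.13 - - [04/Aug/2001:10:00:04 +0000] "GET /default.ida?NNNNNNNNNN HTTP/1.0" 404 0',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def classify(line):
    """Return (family, source_ip) for a Code Red request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _timestamp, request = m.groups()
    sig = CODE_RED_RE.search(request)
    if not sig:
        return None
    family = "Code Red II" if sig.group(1) == "X" else "Code Red I"
    return family, src


def scan_log(lines):
    """All exploit attempts in a log, as (family, source_ip) tuples in order."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for family, src in scan_log(SAMPLE_LOG):
        print(f"{src:15s} {family}")
```

Because the request is served by IIS with status 200 whether or not the overflow succeeds, the status code is no help; the long padding run plus the %u-encoded payload is the reliable part of the signature, and the source addresses it yields are the list of infected hosts to notify or block.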

Better Worms in Practice: Multi-Vector Worms – Nimda
- September 18th; five different attack vectors
  – Client to client via e-mail
  – Client to client via open network shares
  – Web server to client through browsing
  – Client to server through directory-traversal exploits
  – Client to server through previous worms' backdoors

Better Worms in Practice: Multi-Vector Worms – Nimda
- E-mail propagation
  – MIME message containing a 'readme.exe' payload; slight binary variations change the hashes of the attachment
  – Variable subject line
  – Scans local hypertext files, along with received MAPI mail, for additional addresses to contact; repeated every 10 days
- File-system propagation
  – Creates MIME copies of itself on local and network drives; can exploit Explorer preview vulnerabilities
  – Trojans legitimate applications on the system

Better Worms in Practice: Multi-Vector Worms – Nimda
- Web-server propagation
  – Scans servers that the user browses for vulnerabilities
  – Looks for Sadmind and Code Red backdoors, plus new exploits
  – Spreads to browsing users by appending the following to all files in web-aware directories
  – Also added the 'guest' account to the Administrators group

Better Worms in Theory
- Hit-list scanning
- Permutation scanning
- Topologically aware worms
- Internet-scale hit lists

Better Worms in Theory: Hit-List Scanning
- A worm needs a substantial base before the exponential spreading really takes off
- Before release, gather a list of potentially vulnerable systems
- After launch, these systems are infected much more rapidly and provide the needed base
- The list can be retrieved or systematically halved at each new infection

Better Worms in Theory: Permutation Scanning
- Random scanning has inherent problems
  – Many addresses are rescanned
  – No way to know when the infection is nearing completion
- Share a common permutation of the address space
  – Easy to compute at each host
  – Newly infected machines start scanning from some index
  – After N already-infected machines have been encountered, stop scanning

Better Worms in Theory: Topologically Aware Worms
- Look for web servers in infected machines' caches
  – High probability of being actual servers
- Look for mail addresses in users' address books
  – If spreading through mail servers, for instance; worms incorporate this tactic now

Better Worms in Theory: Flash Worms (main idea of the paper)
- Obtain a hit-list of systems with the relevant service open
  – An OC-12 could scan the entire Internet in 2 hours
- Include pre-knowledge of high-capacity servers
- Use an N-partitioned overlapping-list infection technique
- The argument is made for 30 seconds to total domination

Better Worms in Theory: Contagion Worms
- Slower spreading, to avoid countermeasures based on heuristics such as capacity fluctuations
- Talks about using P2P applications to attain a high degree of host inter-connectivity, spreading in an m-way-tree style
- A more stealthy idea than a fast-spreading worm

Simulations
- Simulated a 'Warhol'-style worm
  – Combination of hit-list and permutation scanning
- Assumptions
  – Complete connectivity in the 32-bit address space
  – Scan until 99.99% infection
- Parameters
  – Conventional: Code Red style with 10 scans/second
  – Fast: Code Red style with 100 scans/second
  – Warhol: scans/s + hit-list + permutation scanning
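To turn the scan-rate parameters above into the reaction time a defender actually has, here is an added example (not the paper's simulator and not from the slides) that estimates with the RCS model how long each scenario family needs to reach the 99.99% stopping point. Assumptions, also labelled in the code: N = 360,000 vulnerable hosts (roughly the Code Red I v.2 scale), uniformly random scanning of the 2^32 address space, K = scan rate × N / 2^32 per second, a single seed host for the conventional and fast cases, and a constructed 10,000-entry hit-list for the hit-list case. Permutation scanning's avoidance of repeat probes is not modelled, so the hit-list figure is a longer estimate than a full Warhol configuration would need.

```python
"""Time-to-saturation estimates for the simulation scenarios, using the RCS
model.  Added example; assumes K = scans_per_second * N / 2**32 (each scan
finds a vulnerable host with probability N / 2**32) and the logistic solution
logit(a(t)) = logit(a0) + K t.  Population and hit-list sizes are constructed
sample values."""
import math

ADDRESS_SPACE = 2 ** 32
VULNERABLE_HOSTS = 360_000      # about the Code Red I v.2 scale (constructed round figure)
STOP_FRACTION = 0.9999          # the simulations' "scan until 99.99%" rule


def logit(a):
    return math.log(a / (1.0 - a))


def compromise_rate(scans_per_second, vulnerable=VULNERABLE_HOSTS):
    """K in compromises per second per infected host, for uniform random scanning."""
    return scans_per_second * vulnerable / ADDRESS_SPACE


def seconds_to_fraction(K, a0, target=STOP_FRACTION):
    """Seconds from initial infected fraction a0 until fraction `target` is reached."""
    return (logit(target) - logit(a0)) / K


def scenario_hours(scans_per_second, initially_infected, vulnerable=VULNERABLE_HOSTS):
    """Hours to the stopping fraction for one scan rate and initial seed count."""
    K = compromise_rate(scans_per_second, vulnerable)
    a0 = initially_infected / vulnerable
    return seconds_to_fraction(K, a0) / 3600.0


def all_scenarios(hit_list_size=10_000):
    """Hours to 99.99% for the slide's parameter families."""
    return {
        "conventional (10 scans/s, 1 seed)": scenario_hours(10, 1),
        "fast (100 scans/s, 1 seed)": scenario_hours(100, 1),
        "hit-list (100 scans/s, %d seeds)" % hit_list_size: scenario_hours(100, hit_list_size),
    }


if __name__ == "__main__":
    for name, hours in all_scenarios().items():
        print(f"{name:40s} {hours * 60:8.1f} min")
```

Under these assumptions the conventional worm needs about 7.3 hours, the fast worm about 44 minutes, and the hit-list start about 25 minutes: the logistic solution makes the time scale inversely with the scan rate, and the hit-list removes the slow early phase in which a lone host is still hunting for its first victims. Any containment that depends on humans reading alerts has to be judged against the shortest of these windows.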

Results (simulation plot)

Strengths
- Published relatively quickly, with a reasonable mathematical model that captures the data rather accurately
- Performed simulations that correlate well with the proposed mathematical model
- Results support the hypothesis of total Internet domination …

Weaknesses
- Some of the data could possibly be interpreted in more ways than those offered
- The paper seems to have a heavy "what-if" factor
- The main call for action is made without laying out any specific plans or specifications
- Small incongruities with other recognized organizations (such as CERT)

Improvements
- The authors might have proposed a specific defense system alongside the call for action
- Could have gathered data from more locations than just LBNL and Chemical Abstracts Service Corp.
- More helpful to compare the different worms using the same analysis methods
  – Connections/second vs. distinct remote hosts attacking

References
- ediiworm.shtml
- How to 0wn the Internet in Your Spare Time – Staniford, Paxson, Weaver

Questions?