How to 0wn the Internet In Your Spare Time

About This Presentation
Title:

How to 0wn the Internet In Your Spare Time

Description:

How to 0wn the Internet In Your Spare Time. Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver. Published: Proceedings of the 11th USENIX Security Symposium, 2002.

Provided by: csUcfEduc3
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes



1
How to 0wn the Internet In Your Spare Time
  • Authors
  • Stuart Staniford, Vern Paxson, Nicholas Weaver
  • Published
  • Proceedings of the 11th USENIX Security Symposium
    2002
  • Presenter
  • Shawn Embleton

2
Outline
  • Introduction
  • Code Red Worm
  • Better Worms in Practice
  • Better Worms in Theory
  • Simulations Results

3
Introduction
  • Internet Worms differ from viruses in that they
    do not require user participation
  • excepting poor code and security practices
  • 1988 Morris Worm
  • Repeat infections were possible and crashed systems
  • 1999 Melissa Macro
  • Half worm/virus
  • Incapacitated many email servers

4
Code Red v.1
  • First seen July 12, 2001
  • Spread by exploiting a Microsoft IIS .ida
    vulnerability discovered by eEye on June 18th
  • 99 propagation threads, 100th defaced pages
  • Problem: the RNG used a static seed (combined with the
    thread ID), so every infected host worked through the
    same 99 spread lists
  • Resulted in linear spreading

5
Code Red v.1 Continued
  • Defaced root level pages
  • Days 1 to 19 of the month → attempted to spread
  • Days 20 to 28 → attempted a DDOS
  • Target was www1.whitehouse.gov
  • Memory resident
  • Reboot the system to disinfect

6
Code Red I v.2
  • Started spreading July 19th, 2001
  • Similar code base
  • Fixed the RNG seeding problem
  • Over 359,000 systems infected in 14 hours
  • Systems that were power cycled were re-infected
    before patch could be applied

7
Code Red I v.2 Plot
  Plot: Code Red I v.2 infection data (Chemical Abstracts);
  RCS model fit with K = 1.8, T = 11.9
8
Analysis
  • Random Constant Spread (RCS) model
  • N: total number of vulnerable hosts
  • K: initial compromise rate
  • T: time constant fixing when the incident occurs
  • a: proportion of vulnerable hosts compromised
  • t: time in hours
  • Applied using the logistic equation
  • Models the rate of growth in a finite system
  • Assumes equal likelihood of any host attacking any other
9
Analysis
10
Better Worms in Practice
  • Localized Scanning → Code Red II v.3
  • Appeared August 4, 2001 with a different code base
  • No defacement, no DDOS code, same exploit used;
    contained the string "Code Red II"
  • If no prior infection: starts propagating, installs a
    backdoor, waits one day and reboots the machine
  • 600 threads for 48 hours if the system language is
    Chinese, otherwise 300 threads for 24 hours

11
Better Worms in Practice
  • Localized Scanning → Code Red II v.3
  • 1/8 probability of probing random IP address
  • 4/8 probability of probing same /8 network
  • 3/8 probability of probing same /16 network
  • No analytical model given
  • No empirical data provided

12
Better Worms in Practice
  • Localized Scanning → Code Red II v.3
  Plot: Code Red II localized-scanning data (LBNL)
13
Better Worms in Practice
  • Localized Scanning → Code Red II v.3
  • Probe request as seen in IIS logs: GET /default.ida?
    followed by a long run of X characters and the encoded
    payload

14
Better Worms in Practice
  • Multi-Vector Worms → Nimda
  • September 18th, 2001
  • 5 different attack vectors
  • Client to client via email
  • Client to client via open network shares
  • Web server to client through browsing
  • Client to server through Directory Traversal
    exploits
  • Client to server through previous worm backdoors

15
Better Worms in Practice
  • Multi-Vector Worms → Nimda
  • Email propagation
  • MIME message containing readme.exe payload
  • Slight binary variations to change hashes of the
    attachment
  • Variable Subject Line
  • Scans local hypertext files and mail received via
    MAPI for additional email addresses to contact →
    repeated every 10 days
  • File System propagation
  • Creates MIME copies of itself on local and
    network drives
  • Can exploit Explorer preview vulnerabilities
  • Trojanizes legitimate applications on the system

16
Better Worms in Practice
  • Multi-Vector Worms → Nimda
  • Web-Server Propagation
  • Scans servers that the user browses for
    vulnerabilities
  • Looks for Sadmind and Code Red backdoors as well as
    new exploits
  • Spreads to browsing users by appending the
    following to all files in web-aware directories
  • Also added guest account to Administrators Group

17
Better Worms in Theory
  • Hit List Scanning
  • Permutation Scanning
  • Topologically Aware Worms
  • Internet Scale Hit Lists

18
Better Worms in Theory
  • Hit List Scanning
  • Worm needs a substantial base before the
    exponential spreading really takes off
  • Before release, gather a list of potentially
    vulnerable systems
  • After launch, these systems are infected much
    more rapidly and provide the needed base
  • List can be retrieved, or systematically halved at each
    new infection

19
Better Worms in Theory
  • Permutation Scanning
  • Random scanning has inherent problems
  • Many addresses are rescanned
  • No way to know when infection is nearing
    completion
  • Share a common permutation of the address space
  • Easy to compute at each host
  • Newly infected machines start scanning from some
    index
  • After N infected machines encountered, stop
    scanning

20
Better Worms in Theory
  • Topologically Aware Worms
  • Look for Web servers in infected machines' caches
  • High probability of being actual servers
  • Look for mail addresses in the user's address book
  • If spreading through mail servers for instance
  • Email worms incorporate this tactic now

21
Better Worms in Theory
  • Flash Worms → Main Idea of Paper
  • Obtain hit-list of systems with relevant service
    open
  • An OC-12 link could scan the entire Internet in 2 hours
  • Include pre-knowledge of high-capacity servers
  • Use an N-partitioned overlapping-list infection
    technique
  • Argument is made for 30 seconds to total
    domination

22
Better Worms in Theory
  • Contagion Worms
  • Slower spreading to avoid countermeasures based
    on heuristics such as capacity fluctuations
  • Discusses using P2P apps to attain a high degree of
    host interconnectivity for spreading in an m-way-tree
    style
  • More stealthy idea than a fast spreading worm

23
Simulations
  • Simulated a Warhol style worm
  • Combination of hit-list and permutation scanning
  • Assumptions
  • Complete connectivity in 32-bit address space
  • Scan until 99.99% infection
  • Parameters
  • Conventional - Code Red style with 10
    scans/second
  • Fast - Code Red style with 100 scans/second
  • Warhol - 100 scans/second with hit-list plus permutation
    scanning

24
Results
  Plot: simulation results (Conventional, Fast and Warhol worms)
25
Strengths
  • Published relatively quickly with a reasonable
    mathematical model which rather accurately
    captures the data
  • Performed simulations that correlate with the
    proposed mathematical model well
  • Results support hypothesis of total Internet
    domination

26
Weaknesses
  • Some of the data could possibly be interpreted in ways
    other than those offered
  • Paper seems to have a heavy what-if factor
  • Main call for action is made without laying out
    any specific plans or specifications
  • Small incongruities with other recognized
    organizations such as CERT

27
Improvements
  • Authors might have proposed a specific defense
    system alongside the call for action
  • Could have gathered data from more locations than
    just LBNL and Chemical Abstracts Service Corp.
  • More helpful to compare the different worms using
    the same analysis methods
  • Connections/Second vs. Distinct Remote Hosts
    Attacking

28
References
  • www.caida.org
  • www.cert.org
  • http://www.thesitewizard.com/news/coderediiworm.shtml
  • How to 0wn the Internet in Your Spare Time
  • Staniford, Paxson, Weaver

29
Questions
?