How to Own the Internet in your spare time Ashish Gupta Network Security April 2004

Post on 22-Dec-2015


Page 1

How to Own the Internet in your spare time

Ashish Gupta

Network Security

April 2004

Page 2

Overview

• What is the paper about?

• Code Red Analysis

• Three new techniques for fast spreading

• Surreptitious worms

• Summary

Page 3

The threat

• Millions of hosts → enormous damage
  – Distributed DoS
  – Access sensitive information
  – Sow confusion and disruption

• This paper is about
  – Fast spreading of worms

Page 4

Analysis of Code Red I

• Compromises MS IIS web servers
• Spreads by random IP generation – 99 threads

• Earlier bug in Code Red I
  – DDoS attack on whitehouse.gov

• Modeling: Random Constant Spread (RCS)
• Gives an exponential equation:

• Depends only on K, not N
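The RCS model this slide refers to, worked through as an added Python example (not code from the slides or from the underlying paper): the logistic solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}) of da/dt = K·a·(1-a), plus its inverse, which gives a defender the number of hours between noticing an outbreak at one infected fraction and the worm reaching another. The parameter values K = 1.8 per hour and T = 11.9 hours are constructed sample values chosen to resemble the Code Red I fit, not figures taken from these slides.

```python
import math

# Random Constant Spread (RCS) model: a(t) is the fraction of the N vulnerable
# hosts compromised by time t, governed by da/dt = K * a * (1 - a).
# K is the initial compromise rate (new victims per infected host per hour);
# T is the time at which half the vulnerable population is infected.
# N never appears: the shape of the curve depends only on K (the slide's point).

def rcs_fraction(t, K, T):
    """Infected fraction a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})."""
    x = K * (t - T)
    if x > 700:          # curve has saturated; avoid float overflow in exp()
        return 1.0
    if x < -700:         # outbreak has not started in any measurable way
        return 0.0
    e = math.exp(x)
    return e / (1.0 + e)

def rcs_time_to_fraction(a, K, T):
    """Inverse of rcs_fraction: the time at which the infected fraction reaches a."""
    if not 0.0 < a < 1.0:
        raise ValueError("a must lie strictly between 0 and 1")
    return T + math.log(a / (1.0 - a)) / K

def rcs_response_window(a_detect, a_limit, K, T):
    """Hours between detection at fraction a_detect and saturation at a_limit.
    T cancels out, so the window depends on K alone."""
    return rcs_time_to_fraction(a_limit, K, T) - rcs_time_to_fraction(a_detect, K, T)

def rcs_doubling_time(K):
    """Early in the outbreak (a << 1) a(t) grows like e^{Kt}; this is its doubling time."""
    return math.log(2.0) / K

if __name__ == "__main__":
    # Constructed sample parameters (assumed here, resembling the Code Red I fit).
    K, T = 1.8, 11.9
    for hour in range(0, 25, 4):
        print(f"t={hour:2d} h  infected fraction = {rcs_fraction(hour, K, T):.4f}")
    print(f"doubling time early on: {rcs_doubling_time(K):.2f} h")
    print(f"window from 10% to 90% infected: {rcs_response_window(0.1, 0.9, K, T):.2f} h")
```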

Page 5

Page 6

Better Worms

• Code Red II
  – Used a localized scanning technique
  – 3/8 within the same class B, 1/2 within the same class A, 1/8 the rest
  – Very successful strategy
  – Affects many vulnerable hosts
  – Proceeds quicker


Page 7

Nimda Worm

• Nimda worm, August 2001
  – Maintained itself for months, multi-mode worm
  – Infected web servers
  – Bulk emailing
  – Infecting web clients
  – Using Code Red II backdoors

Page 8

Onset

• Very rapid onset

• Mail based spread very effective

• Full functionality?

Page 9

Faster Worms

Page 10

Creating Better Worms

• Hit-list scanning
  – “getting off the ground” very fast
  – Say the first 10,000 hosts
  – Pre-select 10,000–50,000 vulnerable machines
  – First worm carries the entire hit list
  – Hit list split in half on each infection
  – Can establish itself in a few seconds

Page 11

Permutation Scanning

• Random scanning inefficient → lot of overlap
• All worms share a common pseudo-random permutation
  – 32-bit block cipher key

(Figure: permutation scanning – index mapped to IP address)

Page 12

• How it works:
  – After first infection, start scanning after their point in the permutation
  – If machine already infected, random starting index

• Minimizes duplication of effort
  – W sees W′ → W′ already working on the permutation list of W → W re-starts at a random point

• Keeps infection rate very high, comprehensive scan
• Permutation key can be changed periodically for effective rescan

Page 13

A Warhol Worm

• Combination of hit-list and permutation scanning
  – Can spread widely in less than 15 mins

• Simulation results

Page 14

Page 15

Topological scanning

• Use info on the victim to identify new targets
  – Email lists
  – P2P applications
  – List of web servers from IE favorites, etc.

Page 16

Faster Worms: Recap

• Fast startup → hit-list scanning
• Extremely efficient → permutation scanning
• Combine the above → Warhol worms
• Exploit local information → topological scanning

Page 17

Flash Worms

• Fastest method: entire Internet in 10s of seconds
• Obtain hit-list of vulnerable servers in advance
• 2 hours for the entire IP space on an OC-12 link (622 Mbps)
• List would be big (~48 MB)
• Divide into n blocks
  – Infect the first of each block and hand over the block to the new worm
  – Repeat for each block

• Alternative: store pre-assigned chunks on a high-bandwidth server
• Two limitations
  – Large list size
  – Latency

• Analysis: sub-thirty-second limit on total infection time on a 256 kbps DSL link

Page 18

For 3 million hosts, just 7 layers deep ( n = 10)

Page 19

Stealth Worms

• No peculiar communication patterns
• Very difficult to detect
• Working:
  – Pair of exploits: Es for server, Ec for client ???
  – Server → Client → Server, …

• Limitations
  – Pair of threats required
  – Depends on web surfing

Page 20

Page 21

Exploiting P2P systems

• Large set, all running the same software
• Only a single exploit now needed
• More favorable for infection:
  – Interconnect with a large number of peers
  – Transfer large files
  – Not mainstream protocols
  – Execute on desktops, not servers

• Potentially immense size

Page 22

Analysis of KaZaA traffic

• Immense traffic: 5–10 million connections per day
• Huge diversity! 9 million distinct hosts contacted in November (from 5,800 university hosts)
• If KaZaA exploited (variable-size headers?), then a large number can be infected stealthily in a month
• Starting point: brute-force infect all university hosts ???
• Actual spread much faster?
• Much work remaining: total KaZaA size?

Page 23

Remote Control

• Distributed control
  – Each worm knows about other worms *it* has infected
  – Analysis: high connectivity, average degree = 4
  – Without a single point of communication, updates can be passed

• Programmatic updates
  – Worms as “computing capsules”
  – Can send arbitrary code!

Page 24

Conclusion

• Worms present an extremely serious threat to the safety of the Internet