Page 1: “How to 0wn the Internet in Your Spare Time”

“How to 0wn the Internet in Your Spare Time”

Nathanael Paul

Malware Seminar

September 7, 2004

Page 2

Page 3

Page 4

The Internet has…

• ~250,000,000 hosts on the Internet (January 2004) (Source: Internet Systems Consortium, Inc., http://www.isc.org/)

• ~300,000,000 Internet users

• ~140,000,000 USA Internet users

http://www.clickz.com/stats/big_picture/geographics/article.php/3397231

• 1 million is:
– ~0.7% of the USA Internet users
– ~0.3% of all Internet users

Page 5

Analyzing Past Attempted Takeovers

• 1988: Morris Worm

• July 13, 2001: Code Red I v2

• Aug. 4, 2001: Code Red II

• Sept. 18, 2001: Nimda

• The paper then presents worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”

Page 6

Morris Worm

• Multi-vectored, like Nimda
– rsh (trusted-host relationships)
– fingerd, via a buffer overflow that worked on VAX and only caused a core dump on Suns
– sendmail (the DEBUG command)

• Infected ~6,000 of ~60,000 hosts (5-10%)
– A very large percentage compared to today’s worms

Page 7

Code Red I v2 (CRv1)

• Exploited an IIS buffer-overflow vulnerability; the payload defaced the website (“Hacked by Chinese”)

• “Randomly” scanned for vulnerable IPs
– In v1 the random number generator had a fixed seed, so every copy probed the same list of addresses and spread was only linear; v2 fixed the seed

• In the early stages the infection rate was about 1.8 other servers infected per infected host per hour

• Programmed to stop spreading on July 20; hosts with inaccurate clocks kept it alive past July 19

Page 8

Proportion of vulnerable servers compromised

• Random Constant Spread model
– N: total number of vulnerable hosts
– K: compromise rate (hosts compromised per infected host per unit time while few hosts are infected)
– T: constant of integration that fixes the time position of the incident (a(T) = 1/2)
– a(t): proportion of vulnerable machines compromised at time t

• da/dt = K a(t) (1 − a(t)), which gives
  a(t) = e^{K(t−T)} / (1 + e^{K(t−T)})

– Does not depend on N
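A worked version of the model, added here as an example (it is not from the seminar slides or from the Staniford, Paxson and Weaver paper): the closed form a(t), its inverse for answering “when does the outbreak reach x%?”, the relation between K and the early doubling time, and a direct numerical integration of da/dt = K a (1 − a) as an independent check that the closed form solves that equation. The values plugged in are the deck’s own (K = 1.8 per hour from the Code Red slide, the 8.5-second doubling time from the Sapphire slide); the hour as time unit and T = 10 are illustrative choices.

```python
import math


def rcs_proportion(t, K, T):
    """Random Constant Spread model: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).

    a(t) is the proportion of vulnerable hosts compromised at time t,
    K the compromise rate, T the constant fixing where the curve sits in time.
    N (the number of vulnerable hosts) never appears: a(t) is a proportion.
    """
    x = K * (t - T)
    if x >= 0:                       # same logistic, written two ways to avoid exp() overflow
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def time_to_reach(a, K, T):
    """Inverse of rcs_proportion: from a = e^x/(1+e^x) with x = K(t-T), t = T + ln(a/(1-a))/K."""
    if not 0.0 < a < 1.0:
        raise ValueError("a must be strictly between 0 and 1")
    return T + math.log(a / (1.0 - a)) / K


def rate_from_doubling_time(doubling):
    """While a << 1 the model is a(t) ~ e^{K(t-T)}, so a population doubling every d time units has K = ln 2 / d."""
    return math.log(2.0) / doubling


def spread_duration(K, low=0.01, high=0.99):
    """Time for the outbreak to go from proportion `low` to `high`; T cancels out."""
    return time_to_reach(high, K, 0.0) - time_to_reach(low, K, 0.0)


def integrate_rcs(a0, K, t_end, dt=1e-3):
    """Forward-Euler integration of da/dt = K a (1 - a) from a(0) = a0 up to t_end.

    An independent check on the closed form: starting from a0 = a(0) it should
    land close to a(t_end).
    """
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += dt * K * a * (1.0 - a)
    return a


if __name__ == "__main__":
    K_code_red = 1.8          # compromises per infected host per hour (Code Red I slide)
    T = 10.0                  # hours; illustrative choice
    print("a(T) =", rcs_proportion(T, K_code_red, T))
    print("1%% -> 99%% takes %.2f hours at K=1.8/h" % spread_duration(K_code_red))
    a0 = rcs_proportion(0.0, K_code_red, T)
    print("Euler integration from a(0) to t=T gives %.4f" % integrate_rcs(a0, K_code_red, T))
    K_sapphire = rate_from_doubling_time(8.5)                     # per second (Sapphire slide)
    print("doubling every 8.5 s means K = %.4f/s and 1%% -> 99%% in %.0f s"
          % (K_sapphire, spread_duration(K_sapphire)))
```

The last line is the reason the model alone overstates a bandwidth-limited worm: with the 8.5-second doubling time Sapphire would saturate in about two minutes, while the real outbreak slowed once the scanning traffic itself congested links.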

Page 9

From How To 0wn the Internet In Your Spare Time pdf slides

Page 10

Code Red II

• Used the same IIS vulnerability as CRv1 but installed a root backdoor instead of defacing

• Fixed (properly seeded) random IP generator

• Scan, relative to the infected host’s own address:
– Same class B (/16) address space: 3/8 probability
– Same class A (/8) address space: 1/2 probability
– Whole Internet address space: 1/8 probability

• Utilize topology
– Emphasize localized spread
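The locality bias as code, added here as an example (not the worm’s own code and not from the slides): a target generator that applies the three probabilities on the slide, a seeded run that measures where the probes actually land, and the exact per-probe hit probability, which shows why a machine in a /16 full of vulnerable hosts finds its neighbours tens of thousands of times faster than a uniform scanner would. The address 10.20.30.40 is constructed for the example; any address-range exclusions the real worm applied are not modelled.

```python
import random


def crii_pick_target(own_ip, rng):
    """One scan target chosen with Code Red II's locality bias.

    own_ip is the infected host's address as a tuple (a, b, c, d). The
    probabilities are the ones on the slide: 1/2 same /8 ("class A"),
    3/8 same /16 ("class B"), 1/8 anywhere. Any address-range exclusions
    the real worm applied are left out of this model.
    """
    a, b, _, _ = own_ip
    r = rng.random()
    if r < 1 / 2:                       # keep the first octet
        return (a, rng.randrange(256), rng.randrange(256), rng.randrange(256))
    if r < 1 / 2 + 3 / 8:               # keep the first two octets
        return (a, b, rng.randrange(256), rng.randrange(256))
    return tuple(rng.randrange(256) for _ in range(4))   # uniformly random


def scan_profile(own_ip, probes, seed=0):
    """Fraction of `probes` targets that land in own /16, in own /8 but outside
    own /16, and elsewhere (seeded so the result is reproducible)."""
    rng = random.Random(seed)
    same16 = same8 = other = 0
    for _ in range(probes):
        t = crii_pick_target(own_ip, rng)
        if t[:2] == own_ip[:2]:
            same16 += 1
        elif t[0] == own_ip[0]:
            same8 += 1
        else:
            other += 1
    return same16 / probes, same8 / probes, other / probes


def hit_probability(own_ip, target_ip):
    """Probability that a single probe from own_ip lands exactly on target_ip:
    the sum over the branches of crii_pick_target that can produce it."""
    p = (1 / 8) / 2**32
    if target_ip[0] == own_ip[0]:
        p += (1 / 2) / 2**24
        if target_ip[1] == own_ip[1]:
            p += (3 / 8) / 2**16
    return p


if __name__ == "__main__":
    me = (10, 20, 30, 40)              # constructed address for the infected host
    print("share of probes in own /16, own /8, elsewhere:", scan_profile(me, 20000))
    uniform = 1 / 2**32
    print("a neighbour in own /16 is hit %.0fx more often than under uniform scanning"
          % (hit_probability(me, (10, 20, 1, 1)) / uniform))
```

The measured shares come out close to 0.377, 0.498 and 0.125 rather than exactly 3/8, 1/2 and 1/8, because the /8 and whole-Internet branches occasionally land inside the narrower prefixes too; the same effect is what hit_probability adds up.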

Page 11

Nimda

• Multi-vectored worm (compare the Morris worm)
– IIS vulnerability
– Email (firewall evasion!)
– Network shares
– Infected web pages (spread to browsing clients)
– Scanned for the backdoors left by Code Red II and the sadmind/IIS worm

• Went from almost no probing to ~100 probes/sec within half an hour

Page 12

From How To 0wn the Internet In Your Spare Time pdf slides

Page 13

From How To 0wn the Internet In Your Spare Time pdf slides

Page 14

How to Spread Faster

• The Warhol worm
– capable of infecting most vulnerable machines in a matter of minutes…

• Hit-list scanning
– Faster startup

• Permutation scanning
– Limit redundant scans

• Topologically aware worms

Page 15

Hit-lists

• Brute-force

• Use your favorite search engine

• DNS search

• Distributed scanning using zombies

• Stealth scan (takes longer but pretty much undetectable)

Page 16

Permutation Scanning

• Eliminate redundant scanning by partitioning the search: every copy walks the same pseudo-random permutation of the address space

• Start scanning from your own point in the permutation
– If the machine next in sequence is already infected, increment a counter and randomly choose a new point to scan from
– Else, if it is vulnerable, infect it (the new copy then continues from its own point) and keep scanning

• Stop scanning when counter == SCAN_LIMIT
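The mechanics behind the slide, added here as an example (this is not the worm code the paper describes nor anything from the slides). Two things the bullets leave implicit are made concrete: how every copy can agree on one permutation without talking to each other (a shared key and a bijection on 32-bit values; the keyed four-round Feistel with BLAKE2b as round function is this example’s own choice), and why a copy needs the inverse mapping, to find “its own point” and resume the sequence just after it. run_copy is the per-copy loop exactly as the slide states it; the slide 18 Warhol setting corresponds to scan_limit=2. The key, the address 192.0.2.10 and the sets of vulnerable and infected hosts are constructed stand-ins for real probes.

```python
import hashlib
import ipaddress
import random

SPACE = 2**32   # positions in the shared sequence, one per IPv4 address
ROUNDS = 4
MASK16 = 0xFFFF


def addr(s):
    """Dotted-quad string -> 32-bit int."""
    return int(ipaddress.IPv4Address(s))


def _round_fn(half, key, rnd):
    """Keyed 16-bit round function: BLAKE2b with the round number as personalisation."""
    digest = hashlib.blake2b(half.to_bytes(2, "big"), key=key,
                             digest_size=2, person=bytes([rnd])).digest()
    return int.from_bytes(digest, "big")


def permute(index, key):
    """Position in the sequence -> address. A Feistel network is a bijection on
    32-bit values whatever the round function, so every address appears exactly once."""
    left, right = index >> 16, index & MASK16
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(right, key, rnd)
    return (left << 16) | right


def unpermute(address, key):
    """Address -> its position. A copy needs this to locate 'its own point' in the sequence."""
    left, right = address >> 16, address & MASK16
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(left, key, rnd), left
    return (left << 16) | right


def next_targets(own, key, count):
    """The first `count` addresses a copy running on `own` probes: the sequence just after its own position."""
    start = unpermute(own, key) + 1
    return [permute((start + k) % SPACE, key) for k in range(count)]


def run_copy(own, key, vulnerable, infected, scan_limit, rng=None, max_probes=5000):
    """One copy's loop as stated on the slide.

    Walk the sequence from just after own position. Hitting an already-infected
    host means another copy has covered what lies ahead: bump the counter, stop
    if it reached scan_limit, otherwise jump to a random position. Hitting a
    vulnerable host infects it (a real copy would then start its own walk).
    `vulnerable` and `infected` are sets of 32-bit ints standing in for real
    probes (constructed for this example); `infected` is shared state updated
    in place. Returns the addresses this copy infected, in order.
    """
    rng = rng or random.Random(0)      # fixed seed so runs are reproducible
    pos = (unpermute(own, key) + 1) % SPACE
    counter, newly = 0, []
    for _ in range(max_probes):
        target = permute(pos, key)
        pos = (pos + 1) % SPACE
        if target in infected:
            counter += 1
            if counter >= scan_limit:
                break
            pos = rng.randrange(SPACE)
        elif target in vulnerable:
            infected.add(target)
            newly.append(target)
    return newly


if __name__ == "__main__":
    key = b"shared-by-every-copy"          # hypothetical key baked into every copy
    own = addr("192.0.2.10")
    print("first probes:", [str(ipaddress.IPv4Address(a)) for a in next_targets(own, key, 3)])
    # Constructed toy world: two vulnerable hosts 5 and 17 positions ahead of
    # this copy, and an already-infected one 30 positions ahead.
    start = unpermute(own, key) + 1
    v1, v2, i1 = (permute((start + k) % SPACE, key) for k in (5, 17, 30))
    infected = {own, i1}
    got = run_copy(own, key, {own, v1, v2, i1}, infected, scan_limit=1)
    print("infected by this copy:", [str(ipaddress.IPv4Address(a)) for a in got])
```

Two copies that start at different positions probe disjoint stretches of the sequence until one catches up with the other, which is the whole point: the redundancy of random scanning disappears without any coordination traffic, and the first already-infected host a copy meets doubles as the signal that its stretch is done.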

Page 17

Topological Scanning

• Use email addresses
– MyDoom used Google, Yahoo, AltaVista and Lycos to search for addresses

• Browser (Internet) cache for URLs

• P2P peers

• Ping results

Page 18

• Conventional
– 10 scans/sec

• Fast scanning
– 100 scans/sec

• Warhol
– 100 scans/sec
– 10,000-entry hit-list
– Permutation scanning
– Gives up when count = 2

From How To 0wn the Internet In Your Spare Time pdf slides

Page 19

More on Warhol worm

From How To 0wn the Internet In Your Spare Time pdf slides

Page 20

Sapphire Worm, January 25, 2003

http://www.caida.org/analysis/security/sapphire/

Page 21

From 0 infected hosts to 74,855 in 30 minutes

Page 22

Sapphire Worm

http://www.cs.berkeley.edu/~nweaver/sapphire/

• Fastest spreading worm in history
– Doubled in size every 8.5 seconds
– Code Red’s population doubled every 37 minutes
– Over 90% of vulnerable machines compromised in ~10 minutes

• Targeted Microsoft SQL Server through a buffer overflow (a patch had been released six months earlier)

• A single 376-byte UDP payload to port 1434 (404 bytes on the wire with headers), so easy to filter; with no handshake, each copy’s scan rate was limited only by its bandwidth

• Reached over 55 million scans/sec in under 3 minutes

Page 23

Witty Worm, March 19, 2004

• Initial spread suggests a hit-list or a timed release of the worm

• Compromised ISS products through a buffer overflow (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop and BlackICE)

• Infected ~12,000 computers and, between scan bursts, wrote to random points on disk

• Spread one day after the vulnerability was announced

http://www.caida.org/analysis/security/witty/

Page 24

Witty v. Sapphire

• Witty
– At peak, flooded the Internet with over 90 Gbit/s
– After infecting a host, sent 20,000 packets of random size between 796 and 1307 bytes, then wrote to disk and repeated

• Sapphire
– On a 100 Mb/s link one copy can send 30,000+ scans/sec
– With 404-byte (on the wire) UDP packets: 30,000 × 404 = 12,120,000 bytes/sec ≈ 97 Mbit/s, i.e. a single copy saturates the link

http://www.caida.org/analysis/security/witty/

Page 25

Flash worms

• Capable of infecting most vulnerable servers in < 30 seconds…

• Need a high-bandwidth link
– A hit-list of 9 million servers is about 13 MB compressed
– Initial copies of the worm carry the hit-list
– The hit-list can be divided into chunks and distributed from known high-bandwidth servers, each newly infected host taking a slice

Page 26

Contagion or Stealth worms

• Stealthily propagate a worm
– Web server to clients
– P2P clients

• Identical software, anonymity, large files, many clients, less monitoring, less diversity

• My estimate: sometimes 1 in 20 hits on software searches results in a detected virus on Kazaa

– Very difficult to detect since the change in traffic pattern is so small

• Use those md5 sums!

Page 27

KaZaa

• Fizzer, Lolol, K0wbot, Win32.Mydoom.A
– Use IRC channels for remote control
– Win32.Mydoom.A placed copies of itself in the Kazaa shared folder under names like office_crack and rootkitXP

• The authors recorded 9 million distinct external IP addresses connecting to monitored university hosts (5,800 distinct university hosts)

• Brilliant Digital
– Trojan bundled with Kazaa
– http://www.cs.berkeley.edu/~nweaver/0wn2.html

Page 28

Updating Worms

• Distributed control
– Each copy knows a subset of the other infected hosts
– Each command is signed by the author and then sent to the other copies
– Received commands are verified and then forwarded

• Programmable updates
– Possible, with crypto modules correctly implemented?
– Most viruses/worms are not well written

Page 29

What have we learned since 1988?

• New legal awareness
– 1995: Pile sentenced to 18 months for the SMEG viruses (UK)
– Smith sentenced to 20 months and a $5,000 fine for releasing the Melissa virus (USA)
– Simon Vallor sentenced to 2 years (Wales)
– The teenager who wrote MSBlast.B will most likely be sentenced to 18 to 37 months (USA)

• Has it worked?

Page 30

Lots of things to work on

• Buffer overflows still prevalent
• Passwords still poorly chosen
• People with a lot less skill than Robert Morris have done much more damage
• Misconfigured policies
• Complexity is anathema to security
– Morris used a sendmail vulnerability (the DEBUG command)
• People don’t keep up with patches (even on servers)
– “Security Holes… Who Cares?” [Rescorla, USENIX Security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]

Page 31

Government Role

• “Cyber-Center for Disease Control” (CDC)
– Homeland security?

• A Cyber CDC would be responsible for:
– Identifying outbreaks
– Rapidly analyzing pathogens (how open should results be?)
– Fighting infections
– Anticipating new vectors
– Proactively devising detectors for new vectors
– Resisting future threats

Page 32

Observations

• Infection from a new exploit (0-day) can happen fast! (or even from an old exploit)

• A well-written virus/worm without any “large” errors could do really bad damage

• Some potential “solutions”…
– Distributed firewalls
– Honeypots
– Can diversity help?

• Recurring themes: IIS exploits in Code Red, IRC channels used for remote control