
“How to 0wn the Internet in Your Spare Time”

Nathanael Paul

Malware Seminar

September 7, 2004

The Internet has…

• ~250,000,000 hosts on the Internet (January 2004) (Source: Internet Systems Consortium, Inc., http://www.isc.org/)

• ~300,000,000 Internet Users

• ~140,000,000 USA Internet Users

http://www.clickz.com/stats/big_picture/geographics/article.php/3397231

• 1 million is:

– ~0.7% of the USA Internet Users

– ~0.3% of all Internet Users

Analyzing Past Attempted Takeovers

• 1988: Morris Worm

• July 13, 2001: Code Red I v2

• Aug. 4, 2001: Code Red II

• Sept. 18, 2001: Nimda

• Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”

Morris Worm

• Multi-vectored like Nimda

– rsh

– fingerd via a buffer overflow that worked on VAX and caused a core dump on Suns

– sendmail

• Morris worm infected 6,000 of 60,000 hosts (5-10%)

– Very large percentage compared to today’s worms

Code Red I v2 (CRv1)

• Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”)

• “Randomly” scanned for vulnerable IPs

– Linear spread, since the random number generator seed was fixed

• In early stages, infection rate was about 1.8 other servers infected per hour

• Hosts with inaccurate clocks kept it alive past July 19

Proportion of vulnerable servers compromised

• Random Constant Model

– N: total number of vulnerable hosts

– T: constant that fixes the time origin (t is measured relative to it)

– K: compromise rate

– a(t): proportion of vulnerable machines compromised at time t

• $a(t) = \dfrac{e^{K(t-T)}}{1 + e^{K(t-T)}}$

– Does not depend on N

From How To 0wn the Internet In Your Spare Time pdf slides

Code Red II

• Used same IIS vulnerability as CRv1 but installed root backdoor instead

• Fixed random IP generator

• Scan:

– Class B address space with 3/8 probability

– Class A address space with 1/2 probability

– Whole Internet address space with 1/8 probability

• Utilize Topology

– Emphasize localized spread

Nimda

• Multi-vectored worm [relate back to Morris worm]

– IIS vulnerability

– Email (Firewall evasion!)

– Network shares

– Infect webpages

– Scan for Code Red and Sadmind backdoors

• Almost no probing to 100 probes/sec in ½ hour

From How To 0wn the Internet In Your Spare Time pdf slides


How to Spread Faster

• The Warhol worm

– capable of infecting machines in a matter of minutes…

• Hit-list scanning

– Faster startup

• Permutation Scanning

– Limit redundant scans

• Topologically Aware worms

Hit-lists

• Brute-force

• Use your favorite search engine

• DNS search

• Distributed scanning using zombies

• Stealth scan (takes longer but pretty much undetectable)

Permutation Scanning

• Eliminate redundant scanning by partitioning searches

• Start scanning from your point in the permutation

– If the machine in sequence is already infected, randomly choose a new point to scan and increment the counter

– Else infect the computer and then scan

• Stop scanning when counter == SCAN_LIMIT

Topological Scanning

• Use email addresses

– MyDoom used Google, Yahoo, Altavista, and Lycos

• Internet cache for URLs

• P2P peers

• Ping results

• Conventional

– 10 scans/sec

• Fast Scanning

– 100 scans/sec

• Warhol

– 100 scans/sec

– 10,000-entry hit-list

– Permutation scanning

– Gives up when count = 2

From How To 0wn the Internet In Your Spare Time pdf slides

More on Warhol worm

From How To 0wn the Internet In Your Spare Time pdf slides

Sapphire Worm, January 25, 2003

http://www.caida.org/analysis/security/sapphire/


From 0 infected hosts to 74855 in 30 minutes

Sapphire Worm

http://www.cs.berkeley.edu/~nweaver/sapphire/

• Fastest spreading worm in history

– Doubled in size every 8.5 seconds

– Code Red’s population doubled every 37 minutes

– Over 90% of vulnerable machines compromised in ~10 minutes

• Targeted Microsoft’s SQL Server through a buffer overflow (a patch had been released)

• Sent UDP packets (376 bytes) to port 1434, so easy to filter

• Reached over 55 million scans/sec in under 3 minutes
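Because Sapphire was a single fixed-size UDP datagram to one port, both a signature rule and a rate rule catch it. The following is an added example, not code from the slides or from CAIDA: a small flow-record analyser that flags UDP/1434 flows of the worm's size, flags any source that touches several distinct hosts within one second (the "almost no probing to 100 probes/sec" ramp seen with Nimda, independent of payload), and lists the flows a border filter on UDP/1434 would have dropped. The record format, field names, thresholds and all flow lines are constructed for this example. The two sizes come from the slides: 376 bytes is the UDP payload, and 404 bytes is the same datagram counted with its 20-byte IP and 8-byte UDP headers.

```python
"""Flow-based detection of Sapphire/Slammer-style UDP scanning (added example).

Flow records are a constructed, space-separated format:
    <epoch_sec> <proto> <src_ip> <dst_ip> <dst_port> <bytes>
"""
from collections import defaultdict

SLAMMER_PORT = 1434
SLAMMER_SIZES = {376, 404}  # UDP payload size, or on-the-wire size incl. IP/UDP headers

# Constructed sample flows: one fast scanner (10.1.2.3), one single 404-byte probe
# (10.7.7.7), and ordinary web and DNS traffic that must not be flagged.
SAMPLE_FLOWS = """\
1043478000 udp 10.1.2.3 192.0.2.10 1434 376
1043478000 udp 10.1.2.3 192.0.2.11 1434 376
1043478000 udp 10.1.2.3 198.51.100.5 1434 376
1043478001 udp 10.1.2.3 203.0.113.77 1434 376
1043478001 udp 10.1.2.3 192.0.2.200 1434 376
1043478001 tcp 10.9.9.9 192.0.2.10 80 1500
1043478002 udp 10.5.5.5 192.0.2.53 53 72
1043478002 udp 10.1.2.3 192.0.2.12 1434 376
1043478003 udp 10.7.7.7 192.0.2.20 1434 404
"""


def parse_flows(text):
    """Parse flow records into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "proto": proto.lower(), "src": src,
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_slammer_like(flow):
    """Signature rule: UDP to 1434 with the worm's fixed datagram size."""
    return (flow["proto"] == "udp" and flow["dport"] == SLAMMER_PORT
            and flow["bytes"] in SLAMMER_SIZES)


def signature_hits(flows):
    """Map each source that matched the signature to the destinations it probed."""
    hits = defaultdict(list)
    for f in flows:
        if is_slammer_like(f):
            hits[f["src"]].append(f["dst"])
    return dict(hits)


def fast_scanners(flows, window_s=1, min_distinct_dst=3):
    """Rate rule: sources reaching >= min_distinct_dst distinct hosts in one window.

    Independent of payload size, so it also sees a worm whose datagram changes.
    Window and threshold are assumptions tuned to the sample data.
    """
    buckets = defaultdict(set)  # (src, window index) -> distinct destinations
    for f in flows:
        buckets[(f["src"], f["ts"] // window_s)].add(f["dst"])
    flagged = {}
    for (src, _win), dsts in buckets.items():
        if len(dsts) >= min_distinct_dst:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def would_be_blocked(flows, port=SLAMMER_PORT):
    """Flows a border rule 'drop udp to dport 1434' would discard."""
    return [f for f in flows if f["proto"] == "udp" and f["dport"] == port]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("signature hits:", signature_hits(flows))
    print("fast scanners:", fast_scanners(flows))
    print("flows dropped by udp/1434 filter:", len(would_be_blocked(flows)))
```

The rate rule is the one worth keeping: the signature is trivial to evade by changing a byte count, whereas a worm that doubles every 8.5 seconds cannot avoid touching many new hosts per second from each infected source.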

Witty Worm, March 19, 2004

• Used a hit-list or timed release of the worm

• Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE)

• Infected 12,000 computers and wrote to random points on disk

• Spread one day after vulnerability was announced

http://www.caida.org/analysis/security/witty/

Witty v. Sapphire

• Witty

– At peak, flooded the Internet with over 90 Gbits/sec

– Infected a host, then sent 20,000 packets between 796 and 1307 bytes

• Sapphire

– With a 100 Mb/s link, 30,000+ scans/sec with Sapphire

– From one copy of the worm, using 404-byte UDP packets: 30000 * 404 = 12120000 bytes

http://www.caida.org/analysis/security/witty/

Flash worms

• Capable of infecting most vulnerable servers in < 30 seconds…

• Need a high bandwidth link

– 9 million servers were 13 Mb compressed

– Initial copies of the worm have hit-lists

– Hit-lists could be divided up into chunks and distributed on known high-bandwidth servers

Contagion or Stealth worms

• Stealthily propagate a worm

– Web server to clients

– P2P clients

• Identical software, anonymity, large files, many clients, less monitoring, less diversity

• My estimate: Sometimes 1 in 20 hits on software searches result in detected virus on Kazaa

– Very difficult to detect since traffic pattern change is so small

• Use those md5 sums!
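Checking a downloaded file against the digest its publisher posts is the one cheap defence against a trojaned copy on a file-sharing network, provided the digest arrives over a channel the download server cannot tamper with. The following is an added example, not code from the slides: it parses a checksum line in the `md5sum`/`sha256sum` output format, infers the algorithm from the digest length, hashes the file in chunks, compares in constant time, and flags MD5 and SHA-1 as no longer collision-resistant so SHA-256 is preferred where the publisher offers it. The file content used is the constructed byte string `abc`, whose MD5 and SHA-256 values are the standard published test vectors.

```python
"""Verify a downloaded file against a publisher's checksum line (added example)."""
import hashlib
import hmac

# Digest length (hex chars) -> algorithm name accepted by hashlib.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Algorithms with public collision attacks: still detect accidental corruption,
# but a publisher's digest in these cannot rule out a crafted substitute.
WEAK_ALGOS = {"md5", "sha1"}


def file_digest(source, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a bytes object or of a file path, read in chunks."""
    h = hashlib.new(algorithm)
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse '<digest>  <name>' or '<digest> *<name>' into (algorithm, digest, name)."""
    parts = line.strip().split(None, 1)
    digest = parts[0].lower()
    name = parts[1].lstrip("*") if len(parts) > 1 else ""
    algo = _ALGO_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(digest)}")
    return algo, digest, name


def verify(source, checksum_line):
    """Compare the file's digest with the published one.

    Returns a dict: ok (match), algorithm, file (name from the line) and
    weak (True when the algorithm is not collision-resistant).
    """
    algo, expected, name = parse_checksum_line(checksum_line)
    actual = file_digest(source, algo)
    # Constant-time compare so a mismatch does not leak the matching prefix length.
    return {"ok": hmac.compare_digest(actual, expected),
            "algorithm": algo, "file": name, "weak": algo in WEAK_ALGOS}


# Constructed "download": the bytes b"abc" with their standard test-vector digests.
DOWNLOADED = b"abc"
MD5_LINE = "900150983cd24fb0d6963f7d28e17f72  abc.bin"
SHA256_LINE = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *abc.bin"

if __name__ == "__main__":
    for line in (MD5_LINE, SHA256_LINE):
        r = verify(DOWNLOADED, line)
        note = " (weak algorithm, prefer SHA-256)" if r["weak"] else ""
        print(f"{r['file']}: {r['algorithm']} match={r['ok']}{note}")
    print("tampered copy:", verify(DOWNLOADED + b"\x00", SHA256_LINE)["ok"])
```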

KaZaa

• Fizzer, Lolol, K0wbot, Win32.Mydoom.A

– Use IRC channels for remote control

– Download office_crack or rootkitXP for Win32.Mydoom.A

• Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university hosts)

• Brilliant Digital

– Trojan bundled in Kazaa

– http://www.cs.berkeley.edu/~nweaver/0wn2.html

Updating Worms

• Distributed Control

– Each worm could have a subset of infected hosts

– Each command can be signed and then sent to other copies of the worm

– Received commands can be verified and then forwarded

• Programmable Updates

– Possible with crypto modules correctly implemented?

– Most viruses/worms not well-written

What have we learned since 1988?

• New legal awareness

– 1995: Pile sentenced to 18 months for the SMEG virus (Britain)

– Smith sentenced to 20 months and a $5000 fine for releasing the Melissa virus (USA)

– Simon Vallor sentenced to 2 years (Wales)

– Teenager who wrote MSBlast.B most likely will be sentenced to 18 to 37 months (USA)

• Has it worked?

Lots of things to work on

• Buffer overflows still prevalent

• Passwords still poorly chosen

• People with a lot less skill than Robert Morris have done much more damage

• Misconfigured policies

• Complexity is anathema to security

– Morris used a sendmail vulnerability

• People don’t keep up with patches (even on servers)

– “Security Holes … Who Cares?” [USENIX Security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]

Government Role

• “Cyber-Center for Disease Control” (CDC)

– Homeland Security?

• Cyber CDC responsible for:

– Identifying outbreaks

– Rapidly analyzing pathogens

• How open should results be?

– Fighting infections

– Anticipating new vectors

– Proactively devising detectors for new vectors

– Resisting future threats

Observations

• Infection from a new exploit (0-day) can happen fast! (or even an old exploit)

• A well-written virus/worm without any “large” errors could do really bad damage

• Some potential “solutions”…

– Distributed Firewalls

– Honeypots

– Can diversity help?

• IIS exploits in Code Red, IRC channels used for remote control