“How to 0wn the Internet in Your Spare Time”
Nathanael Paul
Malware Seminar
September 7, 2004
The Internet has…
• ~250,000,000 hosts on the Internet (January 2004) (Source: Internet Systems Consortium, Inc., http://www.isc.org/)
• ~300,000,000 Internet users
• ~140,000,000 USA Internet users
http://www.clickz.com/stats/big_picture/geographics/article.php/3397231
• 1 million is:
– ~0.7% of the USA Internet users
– ~0.3% of all Internet users
Analyzing Past Attempted Takeovers
• 1988: Morris Worm
• July 13, 2001: Code Red I v2
• Aug. 4, 2001: Code Red II
• Sept. 18, 2001: Nimda
Presenting worms that are “…capable of infecting most or all vulnerable targets in a few minutes…” or “…in 10s of seconds…”
Morris Worm
• Multi-vectored like Nimda
– rsh
– fingerd via a buffer overflow that worked on VAX and caused a core dump on Suns
– sendmail
• Morris worm infected 6,000 of 60,000 hosts (5-10%)
– Very large percentage compared to today’s worms
Code Red I v2 (CRv1)
• Used an IIS vulnerability to perform website defacement (“Hacked by Chinese”)
• “Randomly” scanned for vulnerable IPs
– Linear spread, since the random number generator seed was fixed
• In early stages, infection rate was about 1.8 other servers infected per hour
• Hosts with inaccurate clocks kept it alive past July 19
Proportion of vulnerable servers compromised
• Random Constant Spread model
– N: total number of vulnerable hosts
– T: a constant fixing the time position of the incident (t is measured relative to it)
– K: (initial) compromise rate
– a(t): the proportion of vulnerable machines compromised at time t
• a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})
– Does not depend on N
From How To 0wn the Internet In Your Spare Time pdf slides
Code Red II
• Used the same IIS vulnerability as CRv1 but installed a root backdoor instead
• Fixed random IP generator
• Scan:
– Class B address space: 3/8 probability
– Class A address space: 1/2 probability
– Whole Internet address space: 1/8 probability
• Utilize topology
– Emphasize localized spread
Nimda
• Multi-vectored worm [relate back to Morris worm]
– IIS vulnerability
– Email (firewall evasion!)
– Network shares
– Infect webpages
– Scan for Code Red and Sadmind backdoors
• Almost no probing to 100 probes/sec in ½ hour
From How To 0wn the Internet In Your Spare Time pdf slides
How to Spread Faster
• The Warhol worm
– capable of infecting machines in a matter of minutes…
• Hit-list scanning
– Faster startup
• Permutation scanning
– Limit redundant scans
• Topologically aware worms
Hit-lists
• Brute-force
• Use your favorite search engine
• DNS search
• Distributed scanning using zombies
• Stealth scan (takes longer but pretty much undetectable)
Permutation Scanning
• Eliminate redundant scanning by partitioning searches
• Start scanning from your point in the permutation
– If the machine in sequence is already infected, randomly choose a new point to scan and increment the counter
– Else infect the computer and then scan
• Stop scanning when counter == SCAN_LIMIT
Topological Scanning
• Use email addresses
– MyDoom used Google, Yahoo, Altavista, and Lycos
• Internet cache for URLs
• P2P peers
• Ping results
• Conventional
– 10 scans/sec
• Fast scanning
– 100 scans/sec
• Warhol
– 100 scans/sec
– 10,000-entry hit-list
– Permutation scanning
– Gives up when count = 2
From How To 0wn the Internet In Your Spare Time pdf slides
More on Warhol worm
From How To 0wn the Internet In Your Spare Time pdf slides
Sapphire Worm
January 25, 2003
From 0 infected hosts to 74855 in 30 minutes
http://www.caida.org/analysis/security/sapphire/
Sapphire Worm
• Fastest spreading worm in history
– Doubled in size every 8.5 seconds
– Code Red’s population doubled every 37 minutes
– Over 90% of vulnerable machines compromised in ~10 minutes
• Targeted Microsoft’s SQL Server through a buffer overflow (a patch had been released)
• Sent UDP packets (376 bytes) to port 1434, so easy to filter
• Reached over 55 million scans/sec in under 3 minutes
http://www.cs.berkeley.edu/~nweaver/sapphire/
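The Random Constant Spread model from the earlier slide can be turned into a small calculator that takes the doubling times quoted here for Sapphire and Code Red, fits K, and asks how long the model allows between a worm crossing 1% and 90% of the vulnerable population. This is an added illustration, not code from the paper or the slides; the two doubling times are the ones on this page, and the comparison rows are constructed from them rather than fitted to CAIDA's data.

```python
import math


def rcs_fraction(t, K, T):
    """Random Constant Spread model: a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}),
    the proportion of vulnerable hosts compromised at time t. K is the
    compromise rate (per unit of t) and T fixes the moment at which a = 1/2.
    Written in the numerically stable logistic form so a large |K(t-T)|
    cannot overflow exp()."""
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    ex = math.exp(x)
    return ex / (1.0 + ex)


def rate_from_doubling_time(doubling_time):
    """While a(t) is small the model is plain exponential growth,
    a(t) ~ e^{K(t-T)}, so the infected population doubles every ln(2)/K.
    Inverting gives K from an observed early doubling time."""
    return math.log(2) / doubling_time


def time_between_fractions(a0, a1, K):
    """Time for the compromised proportion to grow from a0 to a1 (0 < a0 < a1 < 1).
    Solving a = e^x/(1+e^x) for x gives the logit x = ln(a/(1-a)), so the
    elapsed time is the difference of the two logits divided by K. T cancels,
    and as the slide notes the answer never involves N."""
    def logit(a):
        return math.log(a / (1.0 - a))
    return (logit(a1) - logit(a0)) / K


def spread_summary(name, doubling_time, unit):
    """Fit K from the early doubling time and report how long the model says the
    worm needs to go from 1% to 90% of the vulnerable population."""
    K = rate_from_doubling_time(doubling_time)
    return {"name": name, "K": K, "unit": unit,
            "t_1pct_to_90pct": time_between_fractions(0.01, 0.90, K)}


if __name__ == "__main__":
    # Constructed comparison from the doubling times quoted on this slide.
    for row in (spread_summary("Sapphire", 8.5, "s"),
                spread_summary("Code Red I", 37.0, "min")):
        print(f"{row['name']:<11} K = {row['K']:.4f}/{row['unit']}  "
              f"1% -> 90% in {row['t_1pct_to_90pct']:.0f} {row['unit']}")
```

The model gives roughly 83 seconds for Sapphire against the ~10 minutes observed, because once the infected hosts saturated their links the growth stopped being exponential; the paper treats the RCS curve as a fit to the early phase, so a detector sized from it has even less time than the real incident suggests.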
Witty Worm
March 19, 2004
• Used a hit-list or timed release of the worm
• Compromised ISS products through buffer overflows (ISS RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE)
• Infected 12,000 computers and wrote to random points on disk
• Spread one day after the vulnerability was announced
http://www.caida.org/analysis/security/witty/
Witty v. Sapphire
• Witty
– At peak, flooded the Internet with over 90 Gbits/sec
– Infected a host, then sent 20,000 packets between 796 and 1307 bytes
• Sapphire
– With a 100 Mb/s link, 30,000+ scans/sec with Sapphire
– From one copy of the worm, using 404-byte UDP packets: 30000 × 404 = 12,120,000 bytes per second
http://www.caida.org/analysis/security/witty/
Flash worms
• Capable of infecting most vulnerable servers in < 30 seconds…
• Need a high bandwidth link
– 9 million servers were 13 Mb compressed
– Initial copies of the worm have hit-lists
– Hit-lists could be divided up into chunks and distributed on known high bandwidth servers
Contagion or Stealth worms
• Stealthily propagate a worm
– Web server to clients
– P2P clients
• Identical software, anonymity, large files, many clients, less monitoring, less diversity
• My estimate: sometimes 1 in 20 hits on software searches result in a detected virus on Kazaa
– Very difficult to detect since the change in traffic pattern is so small
• Use those md5 sums!
KaZaa
• Fizzer, Lolol, K0wbot, Win32.Mydoom.A
– Use IRC channels for remote control
– Download office_crack or rootkitXP for Win32.Mydoom.A
• Authors recorded 9 million distinct IP addresses connecting to a monitored university host (5800 distinct university hosts)
• Brilliant Digital
– Trojan bundled in Kazaa
– http://www.cs.berkeley.edu/~nweaver/0wn2.html
Updating Worms
• Distributed control
– Each worm could have a subset of infected hosts
– Each command can be signed and then sent to other copies of the worm
– Received commands can be verified and then forwarded
• Programmable updates
– Possible with crypto modules correctly implemented?
– Most viruses/worms not well-written
What have we learned since 1988?
• New legal awareness
– 1995, Pile sentenced to 18 months for the SMEG virus (British)
– Smith sentenced to 20 months and a $5000 fine for releasing the Melissa virus (USA)
– Simon Vallor sentenced to 2 years (Wales)
– Teenager who wrote MSBlast.B most likely will be sentenced to 18 to 37 months (USA)
• Has it worked?
Lots of things to work on
• Buffer overflows still prevalent
• Passwords still poorly chosen
• People with a lot less skill than Robert Morris have done much more damage
• Misconfigured policies
• Complexity is anathema to security
– Morris used a sendmail vulnerability
• People don’t keep up with patches (even on servers)
– Security Holes … Who Cares? [USENIX Security 2003, http://www.usenix.org/events/sec03/tech/rescorla.html]
Government Role
• “Cyber-Center for Disease Control” (CDC)
– Homeland security?
• Cyber CDC responsible for:
– Identifying outbreaks
– Rapidly analyzing pathogens
• How open should results be?
– Fighting infections
– Anticipating new vectors
– Proactively devising detectors for new vectors
– Resisting future threats
Observations
• Infection from a new exploit (0-day) can happen fast! (or even an old exploit)
• A well-written virus/worm without any “large” errors could do really bad damage
• Some potential “solutions”…
– Distributed firewalls
– Honeypots
– Can diversity help?
• IIS exploits in Code Red, IRC channels used for remote control