CS G254/U645 Network Security                                                                Ravi Sundaram

9/25/07

 

How to 0wn the internet in Your Spare Time

Constantine Nikolopoulos

CS U645 Network Security

Sept 21

 

Morris worm – created in the late 80’s by Robert Morris Jr., a grad student at Cornell.

·        Father was a National Security Advisor

·        Created a first-generation malware worm

 

McAfee – posted his anti-virus software on a bulletin board, charging only $5 through an honor system. Eventually this became McAfee AV, a multimillion dollar company protecting against viruses/malware such as Morris’.

 

Code Red I → first seen in mid 2001, spread using Microsoft’s IIS web servers. It would infect one server and try to connect to other servers through port 80, jumping from one to the next. It had a buggy random number generator.

Code Red II → same as CR I, except the bug was fixed and, on top of that, it would attack http://www.whitehouse.gov, so it essentially mounted a DDoS (Distributed Denial of Service) on the White House. It had a built-in switch that caused it to die after the first of October 2001.

 

(Andy) Warhol or flash worm – they have 15 min. of fame and die out, but they spread rapidly and have Internet-crashing ability.

Staniford, Paxson, Weaver, “How to 0wn the Internet in Your Spare Time”, USENIX Security Symposium, 2002. Predicted the “Big One” in 2002.

 

Analysis of Spread

RCS → Random Constant Spread

·        A differential equation is set up

K → rate → number of computers/hr that an infected computer reaches out and touches

N → total number of vulnerable computers on the Internet

t → time

a(t) → the fraction (proportion) of vulnerable computers infected at time t

N da → newly infected computers

·        Number of newly infected computers at time t in the interval dt

N da (newly infected) = N a (already infected) × K dt (how many each touches) × (1 − a)

·        Only the fraction 1 − a(t) of the touches count, because those are the ones that reach still-uninfected computers.

 

 

Cancel N and separate the variables so that only a appears on the left:

$$\frac{da}{a(1-a)} = K\,dt$$

Split the left side by partial fractions, using $\frac{1}{a(1-a)} = \frac{1}{a} + \frac{1}{1-a}$:

$$\frac{da}{a} + \frac{da}{1-a} = K\,dt$$

Integrate the LHS from ½ to a and the RHS from T to t, where T is the time at which half of the vulnerable computers are infected, a(T) = ½ (this choice makes the constant of integration vanish):

$$\log_e \frac{a}{1-a} = K(t-T)$$

$$\frac{a}{1-a} = e^{K(t-T)}$$

$$a(t) = \frac{e^{K(t-T)}}{1+e^{K(t-T)}}$$

S-shaped graph → at the birth of the infection very few computers have it, but shortly after there is a burst where it multiplies: those few infect a few others and it keeps growing exponentially. When it reaches its plateau it is done, because only a few more computers are left to infect.
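The RCS derivation, carried through in Python as an added example (this is not code from the notes or from the Staniford/Paxson/Weaver paper): the closed-form a(t), a forward-Euler simulation of N da = N a · K dt · (1 − a) to check it, the time to reach a target fraction, and a fit of K from two observed infected fractions, which is the kind of fit the notes refer to when the Code Red data is matched against theory. K = 1.8/hour is the value in the notes; N = 360,000 and T = 5 h are constructed sample values.

```python
import math


def rcs_fraction(t, K, T):
    """Closed-form RCS solution a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}).
    Evaluated as a logistic so that a large |K(t-T)| never overflows exp()."""
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def simulate_rcs(N, K, dt, a0, t_end):
    """Forward-Euler integration of the notes' equation
        N da = (N a) * (K dt) * (1 - a)
    starting from fraction a0 at t = 0.  Returns a list of
    (t, a, infected_hosts) so the curve can be compared with the closed form."""
    a, t = a0, 0.0
    steps = int(round(t_end / dt))
    out = [(t, a, int(N * a))]
    for i in range(1, steps + 1):
        a += K * a * (1.0 - a) * dt      # N cancels: da = K a (1 - a) dt
        t = i * dt
        out.append((t, a, int(N * a)))
    return out


def time_to_fraction(target, K, T):
    """Invert a(t): t = T + ln(target / (1 - target)) / K."""
    return T + math.log(target / (1.0 - target)) / K


def estimate_K(t1, a1, t2, a2):
    """Fit K from two observed infected fractions (for instance fractions
    derived from telescope counts).  Since ln(a/(1-a)) = K (t - T), the
    log-odds are linear in t with slope K, so two points determine it;
    a real fit would regress over many observations."""
    def logit(a):
        return math.log(a / (1.0 - a))
    return (logit(a2) - logit(a1)) / (t2 - t1)


if __name__ == "__main__":
    # constructed scenario: N and T are sample values, K = 1.8/hour as in the notes
    N, K, T = 360_000, 1.8, 5.0
    sim = simulate_rcs(N, K, dt=0.001, a0=rcs_fraction(0.0, K, T), t_end=8.0)
    for t, a, hosts in sim[::1000]:
        print(f"t={t:4.1f}h  sim={a:.4f}  closed={rcs_fraction(t, K, T):.4f}  hosts={hosts}")
    print("hours until 90% infected:", round(time_to_fraction(0.9, K, T), 2))
    print("K fitted from two points:", round(estimate_K(2.0, sim[2000][1], 6.0, sim[6000][1]), 2))
```

The printed table shows the S-shape directly: the simulated and closed-form fractions agree to within the Euler step error, the host count crawls for the first hours, then doubles roughly every ln(2)/K ≈ 0.39 h around t = T, and flattens as 1 − a shrinks.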

 

 

2 strategies to become a good worm writer

·        Collect list of potential infectees and infect rapidly

·        Spread stealthily

 

Analyzed Code Red II

- Data matched theory almost perfectly

K = 1.8/hour

Nimda → multimode worm/virus

·        Found an exploit through IIS

·        Spreads through E-mail attachments

·        Copies itself across network shares

·        Added exploit code to web pages

·        Used backdoors

 

-Better Worm-

Hit list scanning

            -stealthy scan to learn what ports are open

            -distributed scans using zombies

            -buy lists off eBay/Netcraft

            -spiders

            -Telescope – a large block of IP addresses on which you can listen

●These blocks aren’t used by any computer; rather, they accept packets so that you can see which machines are infected and how fast a virus is spreading.

An example of telescoping: if there is a block of 10,000 IPs and 1000 of them detect a packet from a certain worm within an hour, it is assumed that the worm is propagating at a rate of 10% of the vulnerable machines in the world per hour.

This is an example of how a telescoped block sits in the address space: the whole IPv4 space, 0.0.0.0/0, split into its two /1 halves:

0.0.0.0/0
    |
    +-- 0.0.0.0/1
    +-- 128.0.0.0/1
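The telescope inference described above, as an added Python example that is not part of the notes or the paper. It only draws random numbers (no packets are sent): a constructed set of random-scanning hosts each emit probes to uniformly random IPv4 addresses, the probes that fall into a dark /8-sized block are counted, and the expected-hit formula is inverted to estimate how many hosts are infected. The scenario (1000 infected hosts, 360 probes per host per hour, a /8 telescope) is constructed.

```python
import random

IPV4_SPACE = 2 ** 32


def expected_hits(infected, scans_per_host, window, telescope_size):
    """Expected number of random-scan packets that land in a telescope of
    telescope_size addresses during `window` time units, when `infected`
    hosts each emit scans_per_host uniformly random probes per time unit."""
    return infected * scans_per_host * window * telescope_size / IPV4_SPACE


def estimate_infected_from_packets(hits, scans_per_host, window, telescope_size):
    """Invert expected_hits(): infer the number of scanning hosts from the
    packet count, given the worm's (known, e.g. from analysis) per-host scan rate."""
    return hits * IPV4_SPACE / (telescope_size * scans_per_host * window)


def estimate_infected_from_sources(distinct_sources, scans_per_host, window, telescope_size):
    """Alternative estimator using distinct source addresses: a host emitting
    n = scans_per_host * window probes is seen at least once with probability
    1 - (1 - telescope_size / 2^32)^n.  Useful when per-source packet counts
    are distorted by rate limiting or packet loss."""
    n = scans_per_host * window
    p_seen = 1.0 - (1.0 - telescope_size / IPV4_SPACE) ** n
    return distinct_sources / p_seen


def simulate_telescope(infected, scans_per_host, window, prefix_len, seed=1):
    """Constructed simulation: `infected` hosts each send scans_per_host * window
    probes to uniformly random IPv4 addresses; the telescope is the block
    0.0.0.0/prefix_len (which block it is does not matter, only its size).
    Returns (packets_seen, distinct_sources_seen)."""
    rng = random.Random(seed)
    telescope_size = 2 ** (32 - prefix_len)
    probes = int(scans_per_host * window)
    packets, sources = 0, set()
    for host in range(infected):
        for _ in range(probes):
            if rng.randrange(IPV4_SPACE) < telescope_size:   # probe lands in the dark block
                packets += 1
                sources.add(host)
    return packets, len(sources)


if __name__ == "__main__":
    # constructed scenario: 1000 infected hosts, 360 probes/host/hour, one hour, /8 telescope
    infected, rate, window, prefix = 1000, 360, 1.0, 8
    size = 2 ** (32 - prefix)
    pkts, srcs = simulate_telescope(infected, rate, window, prefix)
    print("expected packets:", expected_hits(infected, rate, window, size))
    print("observed packets:", pkts, "distinct sources:", srcs)
    print("infected estimate (packets):", round(estimate_infected_from_packets(pkts, rate, window, size)))
    print("infected estimate (sources):", round(estimate_infected_from_sources(srcs, rate, window, size)))
```

Repeating the count in successive windows gives a(t) up to the unknown N, and the ratio of counts between windows is what the RCS fit of K actually consumes; the two estimators disagree noticeably only when the per-host probe count is so high that nearly every host is seen, at which point the packet-based one carries more information.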

 

Permutation Scanning (keep the growth going)

            -take the hit list and permute it randomly – the reason for the random permutation is to prevent people from being able to predict the next IP targeted by the worm/virus

            -when you fork off a child, you keep half the list and give the child the other half

 

How fast can a worm infect the Internet

Average worm – 5 kB (40 kbit)
DSL – 250 kbps

            125 kbps – used to send out worms

            In one second you can send out 3 worms, and each computer that becomes infected in turn sends out however many it can.

            -You could take down 4 billion comps (the world) in 25 seconds.

 

Slammer worm →

·        brought down the Internet in 15 minutes

·        it hit 1/25/03, Saturday midnight EST

·        they never caught who created the worm, but they suspect it was someone from Singapore

·        it was 376 bytes

·        a single UDP packet to port 1434 (Microsoft SQL Server)

 

How it worked

A malformed packet would come in causing a buffer overflow that rewrote the stack’s return address and so retained control; the worm would then pick a random IP address, send a copy of itself to it, and keep repeating.