How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558.

Slides:



Advertisements
Similar presentations
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Advertisements

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.
Copyright Silicon Defense Worm Overview Stuart Staniford Silicon Defense
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Modeling the Spread of Worms Wade Trappe. Overview Quick discussion of how the Internet is organized. Random Constant Spread (RCS) Model and Code-Red.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Security Robert Grimm New York University. Introduction  Traditionally, security focuses on  Protection (authentication, authorization)  Privacy (encryption)
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Introduction to Honeypot, Botnet, and Security Measurement
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Internet Worms Brad Karp UCL Computer Science CS GZ03 / th December, 2007.
“How to 0wn the Internet in Your Spare Time” Nathanael Paul Malware Seminar September 7, 2004.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
A Taxonomy of Computer Worms Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham ACM WORM 2003 Speaker: Chang Huan Wu 2008/8/8.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
JEnterprise Suite For Network Monitoring and Security Dr. Sureswaran Ramadass, Dr. Rahmat Budiarto, Mr. Ahmad Manasrah, Mr. M. F. Pasha.
CIS 442- Chapter 3 Worms. Biological and computer worms Definition, main characteristics Differences from Viruses Bandwidth consumption and speed of propagation.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
CODE RED WORM PROPAGATION MODELING AND ANALYSIS Cliff Changchun Zou, Weibo Gong, Don Towsley.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Presented by: Maha, Marina and Aleks Viruses,Wormsand Trojans.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
©Ian Sommerville 2004Software Engineering Case Studies Slide 1 The Internet Worm Compromising the availability and reliability of systems through security.
2.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 2: Examining.
1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,
1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Viruses a piece of self-replicating code attached to some other code – cf biological virus both propagates itself & carries a payload – carries code to.
Malicious Software.
Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.
A Case Study on Computer Worms Balaji Badam. Computer worms A self-propagating program on a network Types of Worms  Target Discovery  Carrier  Activation.
MyDoom ☉ Ian Axelrod ☉ Chris Mungol ☉ Antonio Silva ☉ Joshua Sole ☉ Somnath Banerjee Group 5 CS4235/8803.
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
W elcome to our Presentation. Presentation Topic Virus.
How to 0wn the Internet In Your Spare Time Authors Stuart Staniford, Vern Paxson, Nicholas Weaver Published Proceedings of the 11th USENIX Security Symposium.
Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Virus Infections By: Lindsay Bowser. Introduction b What is a “virus”? b Brief history of viruses b Different types of infections b How they spread b.
By Thomas Pantone Cosc 380.  A virus is a type of malware that self replicates after being executed and inserts itself into other programs, data files,
Internet security for the home Paul Norton MEng(Hons) MIEE Electronic engineer working for Pascall Electronics Ltd. on the Isle of Wight A talk on Internet.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
Automated Response Using System Call Delays Anil Somayaji and Stephanie Forrest USENIX symposium How to Own the Internet In your Spare Time Stuart.
Internet Quarantine: Requirements for Containing Self-Propagating Code
Threats to computers Andrew Cormack UKERNA.
Viruses and Other Malicious Content
Internet Worm propagation
Chap 10 Malicious Software.
A Distributed DoS in Action
Brad Karp UCL Computer Science
Chap 10 Malicious Software.
CSE551: Introduction to Information Security
Introduction to Internet Worm
Presentation transcript:

How to Own the Internet in Your Spare Time (Stuart Staniford Vern Paxson Nicholas Weaver ) Giannis Kapantaidakis University of Crete CS558

What could you do if you 0wn’d a million hosts? ► Distributed DOS attacks ► Access sensitive information ► Confuse-Corrupt the information Makes it valuable tool in Cyber warfare

How to 0wn a million hosts? Worms ► Programs that self-propagate across the Internet exploiting security flaws in widely- used services (As opposed to viruses, which require user action to spread.) (As opposed to viruses, which require user action to spread.)

Code Red I ► Initial version released July 13, ► Exploited known bug in Microsoft IIS Web servers. ► But: failure to seed random number generator.All worms attempted to compromise the same sequence of hosts. ► Linear spread, didn’t get very far

Code Red I v2 ► Released July 19, ► Same codebase but:  random number generator correctly seeded.  DDoS payload targeting IP address of ► That night, Code Red dies (except for hosts with inaccurate clocks!) ► It just takes one of these to restart the worm come the first of the next month!

Random Constant Spread Model ► N: Total number of Vulnerable servers in Internet ► K: Initial Compromise Rate: Rate at which a infected host is able to infect new hosts at the start of the incident ► a: Proportion of machines already compromised ► T: Time at which the incident happens ► Equation: Nda = (Na)K(1-a)dt ► Solution: a = e (K(t-T)) / 1 + e (K(t-T)) ► Good enough model (Works for Code Red I)

► K=1.8 T=11.9 ► Max probe rate: scans per hour ► Came close to saturation before turning off

► Reawake on Aug 1 st, K=0.7 ► Number of vulnerable systems was less than 40% as many as the first time ► Code Red more or less followed the model.

► Released August 4, ► Comment in code: “Code Red II.”But in fact completely different code base. ► Payload: a root backdoor allowing unrestricted remote access ► Bug: crashes NT, only works right on Windows ► Used localized scanning strategy Code Red II

► Attempt to infect addresses close to it  With probability 3/8 it chooses a random IP from with the class B address space of the infected machine  With probability ½ from class A  And with probability 1/8 from the whole internet ► Localized spreading works - hosts around it are often similar,topologically faster,spreads fast in internal network once it gets through the firewall Localized Scanning

Nimda ► Released September 18, ► Multi- mode spreading:  attack IIS servers via infected clients.  itself to address book as a virus  copy itself across open network shares  modifying Web pages on infected servers in order to infect clients  scanning for Code Red II and sadmind backdoors (!)

► Average connections per second ► About 3X number of Code Red probes ► Full functionality still not known!

► Since Nimda spreads by multiple vectors,the counts shown for it may be an underestimate

► Why Red Code I continues to gain strength each month remains unknown

Ways of reducing time ► Hit List scanning ► Permutation scanning ► Topological Scanning ► Internet scale hit-lists

Hit List scanning Idea: reduce slow startup phase. Idea: reduce slow startup phase. ► The author of the worm collects the list of around 10, ,000 potentially vulnerable machines ideally the ones with very good network connection, before releasing the worm ► The worm when released initially attacks these machines.So the initial infection is higher.When it infects a machine it divides the hit-list in half

Ways to get Hit list  Distributed Scanning - use zombies  Stealthy Scan- spread it over several months  DNS searches - e. g., www. domain. com  Spiders - ask the search engines  Just Listening-P2P, or exploit existing worms

Permutation Scanning Idea: reduce redundant scanning. ► Permutation allows a worm to detect when a host is already infected. ► Worms share a common permutation of the IP address space. ► An infected machine starts scanning just after their position in the permutation. When the worm sees an infected machine is chooses a new random start point.

Warhol Worm ► Based on:  Hit List &  Permutation Scanning ► Simulation Environment ► Results of Simulation

► So now we already have methods to in <15 minutes. ► So now we already have methods to attack most vulnerable targets in <15 minutes.

Topological Scanning ► Alternative to hit-list scanning ► Use addresses available on victim’s machines. ► Use this as a start point before using Permutation Scanning. ► Peer to peer systems are highly vulnerable to this kind of scanning

► Idea: use an Internet- sized hit list. ( entire address space scan roughly 2hr) ( entire address space scan roughly 2hr) ► Initial copy of the worm has the entire hit list. ► Each generation, infects n from the list, gives each 1/n. (Or, point them to a well- connected servers that serves up portions of the list.) ► If n=10 requires 7 generations to infect 10^7 hosts (less than 30 seconds! ) Flash Worms:The Real Danger

► All those worms use singular communication patterns ► This forms the basis for automatic detection ► How can we remove that weakness from worms? Still need better worms

Contagion Worms ► Suppose you have two exploits:  Es : exploit in web server  Ec: exploit in client ► You infect a server (or client) with Es (Ec) ► Then you…wait. (Perhaps you bait, e. g., host porn.) ► When vulnerable client arrives, infect it. ► You send over both Es and Ec ► As client happens to visit other vulnerable servers infects ► Clearly there are no unusual communication patterns to be observed (other than slightly larger- than- usual transfers)

► They become Dangerous with P2P systems because:  Likely only need a single exploit, not a pair.  Often, peers running identical software.  Often used to transfer large files.  Often give access to user’s desktop rather than server.  and can be Very Large Contagion Worms

► KazaA: 9 million distinct IP connections with university hosts (5800) in a single month ► If you 0wn’d a single university, then in November, 2001 you could have 0wn’d 9 million additional hosts. ► How fast? Faster than 1 month. Contagion Worms

Updating and control ► Distributed control  Each worm has a list of other copies  Ability to create encrypted communication channels to spread info  Commands cryptographically signed by author.  Each worm copy, confirms signature,spreads to other copies and then executes the command ► Programmatic Updates  Operating systems allow dynamic code loading  New encrypted attack modules from Worm author

Centre for Disease Control ► Roles it is expected to perform  Identifying outbreaks  Rapidly Analyzing pathogens  Fighting Infections  Anticipating new vectors  Resisting future threats

How open? ► Have a open website (accessible to all)? ► Drawbacks:  Attacker targets the site  How correct an information placed on site is  Attacker also gains understanding  Some sources may not be willing to make their information public ► How International.