Post on 13-Feb-2017
transcript
A WORST-CASE WORM BY
NICHOLAS WEAVER AND VERN PAXSON
Presenter:
K M Sabidur Rahman,
ECS 236: Computer Security: Intrusion Detection Based Approach,
UC Davis
krahman@ucdavis.edu
http://www.linkedin.com/in/kmsabidurrahman/
5/13/2016
Agenda
•How to model damage done by worms
•Attack details (target, ways)
•How to estimate the number of infected systems
•Damages done by worm (data, hardware, downtime)
•How to estimate damages and loss
•Defense against worms
What is a Worm?
•malicious
•self-propagating network programs
•capable of spreading substantially faster than humans can respond
•contain highly malicious payloads
•represent a substantial threat to computing infrastructure
•Slammer worm disrupting a nuclear power plant’s systems, ATMs and 911 operations
•Welchia’s disruption of the Navy Marine Corps Intranet and ATMs
Assumptions related to Attack
•Infect as many US systems as possible
•Maximize damage in each infected system
•Keep the worm active as long as possible to reinfect any repaired but vulnerable system
Assumptions on Attacker resources
•Several experienced programmers
•Access to a significant amount of computing hardware
•Several months of time for development and testing
•Nation-state adversary (more resources than a terrorist group)
Candidates to target
•Windows SMB/CIFS file sharing
•This server is distributed with Windows 98
•SMB/CIFS are widely deployed
•Default anonymous login capabilities
•SMB service runs as part of OS kernel
•On-by-default nature means most Windows PCs are vulnerable
•File sharing is essential for business operations
SMB/CIFS vulnerabilities
•Allows arbitrary remote execution as long as the attacker has domain access
•Worm can query the local Windows domain controller and ask for a list of local machines and their names
•RPC vulnerability (Blaster worm)
•To cross the firewall and spread across different domains, mail-worm mode or infected web browser mode can be used.
•Use US-related IP addresses to target the worm
Speed of propagation
Spread across the Internet: the Slammer worm took less than 10 minutes to infect tens of thousands of servers
Spread through gateways: Needs human action (mail/web). Nimda spread within a few hours. A pure mail worm such as SoBig.E required a little more than a day to reach peak volume
Intranet spread: With 100 Mbps and 1 Gbps LANs, infecting a few victims takes less than a second, and the whole intranet much less than a minute.
Total spread time during US business hours can be a matter of hours
Testing
Has to be tested in a wide range of environments
Make it polymorphic or include anti-anti-virus routines
Estimating number of infected systems
•Penetration of 60% of the vulnerable business PCs is plausible in the worst case
•Survey from 2001 suggests 85 million PCs in business and government in the US
•Not including 45 million households with PCs
Attack’s Damage
Data damage payload: Once the infected machine is no longer needed as part of the spreading process, the worm may damage the remote or local disks, overwriting random sectors on the disk.
Hardware damage: Reflash the BIOS, corrupting the bootstrap program that initializes the computer. Software can flash the BIOS in 7 popular systems and 2 motherboards
Attack’s damage
Attempting reinfections and increasing downtime: A zero-day exploit significantly increases the downtime.
The time between when a system is restored and when a patch is installed allows a system to be reinfected if there are still copies active on the local network
Estimating damage
Drec: represents the system administration time to restore the system: reload the operating system, install patches, reinstall applications, restore data from backups, and reconnect the system to the network
Assumed to be ½ hour for this analysis, which roughly translates to $20 per system
Dtime: productivity loss due to downtime, depends on both the value of the labor and the time lost. Approximated to be $35/hr
Estimating damage
Ttime: 16 hr, two working days per user. First day: Microsoft develops patches and workarounds. Second day: the local sysadmin restores full network operation.
Ddata: Lost data, approximated to $2000 per single loss incident.
Plost_data: 0.1. Assuming data is not lost most of the time, because of backups
Pbios: 0.1. The attacker will be able to permanently destroy only a limited number of configurations
Dbios: $1400 (cost of replacement) + $1000 (40 hr productivity) = $2400
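The cost terms above and the population figures from the "Estimating number of infected systems" slide can be combined into a worked estimate. The following is an added example, not code from the Weaver/Paxson paper or from the presenter; the slides define the terms Drec, Dtime, Ttime, Ddata, Plost_data, Pbios and Dbios and the 85 million / 60% figures but do not write out the combination rule, so the expected-value sum used here is this example's assumption.

```python
"""Expected-damage estimate built from the cost terms defined on the slides.

Added worked example, not code from the Weaver/Paxson paper or from the
presenter. The per-system terms and population figures are the slides';
the expected-value sum that combines them is this example's assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DamageParams:
    d_rec: float        # Drec: sysadmin restore cost per system, dollars
    d_time: float       # Dtime: productivity loss per hour of downtime, dollars
    t_time: float       # Ttime: hours of downtime per user
    d_data: float       # Ddata: cost of one data-loss incident, dollars
    p_lost_data: float  # Plost_data: probability that data is actually lost
    d_bios: float       # Dbios: cost of a machine whose BIOS is destroyed, dollars
    p_bios: float       # Pbios: probability the BIOS attack permanently succeeds


# Values as stated on the slides.
SLIDE_PARAMS = DamageParams(
    d_rec=20.0, d_time=35.0, t_time=16.0,
    d_data=2000.0, p_lost_data=0.1,
    d_bios=2400.0, p_bios=0.1,
)


def loss_breakdown(p: DamageParams) -> dict:
    """Expected dollar loss per infected system, split by cost term."""
    return {
        "recovery": p.d_rec,
        "downtime": p.d_time * p.t_time,
        "data_loss": p.p_lost_data * p.d_data,
        "bios_damage": p.p_bios * p.d_bios,
    }


def expected_loss_per_system(p: DamageParams) -> float:
    """Sum of the expected per-system terms (assumed combination rule)."""
    return sum(loss_breakdown(p).values())


def infected_population(vulnerable_pcs: int, penetration: float) -> int:
    """Number of systems the worm is assumed to reach (e.g. 60% of 85 million)."""
    return round(vulnerable_pcs * penetration)


def total_expected_loss(p: DamageParams, vulnerable_pcs: int, penetration: float) -> float:
    """Direct loss across the infected population, in dollars."""
    return infected_population(vulnerable_pcs, penetration) * expected_loss_per_system(p)


def penetration_sensitivity(p: DamageParams, vulnerable_pcs: int, rates) -> dict:
    """Total loss for several penetration rates. The estimate is linear in the
    infected count, which is exactly the linearity the model-limitation slide
    warns about: follow-on and long-term effects are not captured."""
    return {r: total_expected_loss(p, vulnerable_pcs, r) for r in rates}


if __name__ == "__main__":
    for term, dollars in loss_breakdown(SLIDE_PARAMS).items():
        print(f"{term:>12}: ${dollars:,.2f}")
    print(f"per system  : ${expected_loss_per_system(SLIDE_PARAMS):,.2f}")
    print(f"infected    : {infected_population(85_000_000, 0.6):,}")
    print(f"total       : ${total_expected_loss(SLIDE_PARAMS, 85_000_000, 0.6):,.0f}")
    for r, d in penetration_sensitivity(SLIDE_PARAMS, 85_000_000, (0.2, 0.4, 0.6)).items():
        print(f"  penetration {r:.0%}: ${d:,.0f}")
```

With the slide values the downtime term (Dtime × Ttime) dominates the per-system figure, which is why the choice of Ttime matters more to the total than the BIOS or data-loss probabilities.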
Model limitations
Doesn’t consider nonlinear effects on companies: follow-on effects (sometimes these values are inflated)
A downtime of one hour may not have as much consequence as one day
Some companies may suffer slowly over longer terms
Possible damage to critical infrastructure (power grid, hospital, telecommunication, nuclear infrastructure)
Current defenses and recommendations
Most email worms are stopped by signature-based scanning, which a worm can easily evade
Most IDSs are deployed to protect against external attacks (but this attack comes from internal connections)
Restrictive policies for mail worm scanning should be enforced
Additional filters for unusual characteristics (long strings in header)
Network file sharing can be restricted
Servers can be of a different platform (Linux)
Disabling BIOS reflashing
Data backups and off-site storage protection
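The "long strings in header" filter recommended above can be implemented as a small check over a message's header section. The following is an added example, not code from the paper or the presenter: it unfolds RFC 5322-style header lines and flags any field whose value exceeds a length threshold. The 998-character threshold (the RFC 5322 line limit) and the two sample messages are this example's own assumptions.

```python
"""Long-header mail filter, as recommended on the defenses slide.

Added example, not code from the paper or the presenter. It unfolds
RFC 5322-style header lines and flags any field whose value exceeds a
length threshold; the threshold and the sample messages are assumptions.
"""
from typing import List, Tuple

# Threshold assumed for this example: RFC 5322 caps a line at 998 characters,
# so an unfolded header value longer than that is outside normal mail.
MAX_HEADER_LEN = 998


def parse_headers(raw_message: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header section, with folded
    continuation lines (leading space or tab) joined onto their field."""
    header_section = raw_message.split("\n\n", 1)[0]
    fields: List[Tuple[str, str]] = []
    for line in header_section.split("\n"):
        if not line:
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
        else:
            # A header line with no colon is itself unusual; keep it visible.
            fields.append(("<malformed>", line))
    return fields


def suspicious_headers(raw_message: str, max_len: int = MAX_HEADER_LEN) -> List[Tuple[str, int]]:
    """Names and lengths of header fields whose unfolded value is too long."""
    return [(name, len(value))
            for name, value in parse_headers(raw_message)
            if len(value) > max_len]


# Constructed sample messages (not real mail traffic).
NORMAL_MESSAGE = (
    "From: alice@example.com\n"
    + "To: bob@example.com\n"
    + "Received: from mail.example.com\n"
    + "\tby mx.example.net; Mon, 1 Jan 2001 00:00:00 +0000\n"
    + "Subject: weekly report\n"
    + "\n"
    + "Body text.\n"
)

LONG_SUBJECT_MESSAGE = (
    "From: alice@example.com\n"
    + "To: bob@example.com\n"
    + "Subject: " + "A" * 1500 + "\n"
    + "\n"
    + "Body text.\n"
)


if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_MESSAGE), ("long-subject", LONG_SUBJECT_MESSAGE)):
        print(label, suspicious_headers(msg))
```

Unfolding before measuring matters: a worm can split an oversized field across continuation lines so that no single physical line looks long, and a filter that checks only raw lines would miss it.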