Slammer Simulation
Infected hosts estimation
- Population: N = 100,000
- Scan rate = 4000/sec
- Initially infected: I0 = 10
- Monitored IP space: 2^20 addresses
- Monitoring interval = 1 second
Summary From the Last Lecture
- Viruses vs Worms vs Trojans
- Types of viruses
- Virus detection
- Virus defense
- Good viruses = bad idea
Report 2
- Due tomorrow
- Make sure you mention the venue in the title:
  o Conference or journal name, year of publication
  o If from a workshop, also mention the main conference that this workshop is associated with
- Make sure you include citations if you
  o Use figures or equations from the paper
  o Use some text verbatim
  o Talk about ideas from another related paper
  o Like this: "In [2] authors say that …", and then have reference [2] in the reference section
Code Red
- Spread on July 12 and 19, 2001
- Exploited a vulnerability in Microsoft Internet Information Server (turned on by default) that allows an attacker to get full access to the machine
- Two variants – both probed random machines, one with a static seed for its RNG, the other with a random seed for its RNG (CRv2)
- CRv2 infected more than 359,000 computers in less than 14 hours
  o It doubled in size every 37 minutes
  o At the peak of infection more than 2,000 hosts were infected each minute
Code Red v2 (figure)
Code Red v2
- 43% of infected machines were in the US
- 47% of infected machines were home computers
- The worm was programmed to stop spreading at midnight, then attack www1.whitehouse.gov
  o It had a hardcoded IP address, so the White House was able to thwart the attack by simply changing the IP address-to-name mapping
- Estimated damage ~2.6 billion
Sapphire/Slammer Worm
- Spread on January 25, 2003
- The fastest computer worm in history
  o It doubled in size every 8.5 seconds
  o It infected more than 90% of vulnerable hosts within 10 minutes
  o It infected 75,000 hosts overall
- Exploited a buffer overflow vulnerability in Microsoft SQL Server, discovered 6 months earlier
Sapphire/Slammer Worm
- No malicious payload
- The aggressive spread had severe consequences
  o Created a DoS effect
  o It disrupted backbone operation
  o Airline flights were canceled
  o Some ATM machines failed
Sapphire/Slammer Worm (figure)
Why Was Slammer So Fast?
- Both Slammer and Code Red 2 use random scanning
  o Code Red uses multiple threads that invoke TCP connection establishment through the 3-way handshake – each thread must wait for the other party to reply or for the TCP timeout to expire
  o Slammer packs its code in a single UDP packet – its speed is limited only by how many UDP packets a machine can send
  o Could we do the same trick with Code Red?
- Slammer authors tried to use linear congruential generators to generate random addresses for scanning, but programmed it wrong
Sapphire/Slammer Worm
- 43% of infected machines were in the US
- 59% of infected machines were home computers
- Response was fast – after an hour sites started filtering packets for the SQL Server port
BGP Impact of Slammer Worm (figure)
Stuxnet Worm
- Discovered in June/July 2010
- Targets industrial equipment
- Uses Windows vulnerabilities (known and new) to break in
- Installs a PLC (Programmable Logic Controller) rootkit and reprograms the PLC
  o Without the physical schematic it is impossible to tell what the ultimate effect is
- Spread via USB drives
- Updates itself either by reporting to a server or by exchanging code with a new copy of the worm
Scanning Strategies
- Many worms use random scanning
- This works well only if machines have very good RNGs with different seeds
- Getting a large initial population is the hard part
  o Once it is reached, the infection rate skyrockets
  o The infection eventually reaches saturation, since all machines are probing the same addresses
Random Scanning (figure)
"Warhol Worms: The Potential for Very Fast Internet Plagues", Nicholas C. Weaver
Scanning Strategies
- A worm can get a large initial population with hitlist scanning
- Assemble a list of potentially vulnerable machines prior to releasing the worm – a hitlist
  o E.g., through a slow scan
- When the scan finds a vulnerable machine, the hitlist is divided in half and one half is communicated to this machine upon infection
  o This guarantees very fast spread – under one minute!
Hitlist Scanning (figure)
Scanning Strategies
- A worm can prevent die-out in the end with permutation scanning
- All machines share a common pseudorandom permutation of the IP address space
- Machines that are infected continue scanning just after their point in the permutation
  o If they encounter an already infected machine, they continue from a random point
- Partitioned permutation is the combination of permutation and hitlist scanning
  o In the beginning the permutation space is halved; later the scanning is a simple permutation scan
Permutation Scanning (figure)
Scanning Strategies
- A worm can get behind the firewall, or notice the die-out, and then switch to subnet scanning
- Goes sequentially through the subnet address space, trying every address
Infection Strategies
- Several ways to download malicious code
  o From a central server
  o From the machine that performed the infection
  o Send it along with the exploit in a single packet
Worm Defense
- Three factors define worm spread:
  o Size of vulnerable population
    Prevention – patch vulnerabilities, increase heterogeneity
  o Rate of infection (scanning and propagation strategy)
    Deploy firewalls, distribute worm signatures
  o Length of infectious period
    Patch vulnerabilities after the outbreak
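The "Slammer Simulation" slide at the top lists the model parameters (N = 100,000, 4000 scans/sec, I0 = 10, 2^20 monitored addresses, 1-second interval) and the "Worm Defense" slide names the three factors that govern spread. The Python below is an added example, not part of the lecture material, that ties the two together: a mean-field (expected-value) model of a random-scanning worm with those parameters, the infected-host estimate a monitor of 2^20 addresses can derive from the probe rate it sees, and one constructed scenario per defensive factor. It assumes every probe targets a uniformly random IPv4 address; the scenario values (half the population patched beforehand, 75% of probes filtered, infected hosts patched at 1% per second) are illustrative choices, not figures from the slides.

```python
"""Mean-field model of a random-scanning worm, plus the defensive levers.

Added example, not from the lecture slides.  Parameters follow the
"Slammer Simulation" slide: N = 100,000 vulnerable hosts, 4000 scans/s per
infected host, I0 = 10, a monitored block of 2^20 addresses, 1-second steps.
Assumption: each probe targets a uniformly random IPv4 address, and the
model tracks expected values rather than one random run.
"""
import math
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner draws from


@dataclass
class WormParams:
    vulnerable: int = 100_000      # N: hosts that could be infected
    scan_rate: float = 4000.0      # probes per second per infected host
    initial_infected: int = 10     # I0
    removal_rate: float = 0.0      # fraction of infected hosts patched/cut off per second
    monitored: int = 2 ** 20       # addresses watched by the monitor (network telescope)


def simulate(p: WormParams, seconds: int):
    """Run the model for `seconds` one-second steps.

    Returns three per-second lists: infected hosts, removed (patched) hosts,
    and the probes the monitored block is expected to receive that second.
    A susceptible host is hit by one probe with probability 1/2^32, so with
    I infected hosts it escapes all scan_rate*I probes of a second with
    probability exp(-scan_rate*I/2^32) (Poisson approximation).
    """
    susceptible = float(p.vulnerable - p.initial_infected)
    infected = float(p.initial_infected)
    removed = 0.0
    infected_series, removed_series, probes_series = [], [], []
    for _ in range(seconds):
        infected_series.append(infected)
        removed_series.append(removed)
        probes = p.scan_rate * infected
        # Share of all probes that land inside the monitored block.
        probes_series.append(probes * p.monitored / ADDRESS_SPACE)
        hit_prob = 1.0 - math.exp(-probes / ADDRESS_SPACE)
        new_infections = susceptible * hit_prob
        newly_removed = infected * p.removal_rate
        susceptible -= new_infections
        infected += new_infections - newly_removed
        removed += newly_removed
    return infected_series, removed_series, probes_series


def estimate_infected(probes_per_second: float, p: WormParams) -> float:
    """Infected-host estimate from the monitor's observed probe rate: scale it
    up by the address-space fraction the monitor covers and the per-host scan rate."""
    return probes_per_second * ADDRESS_SPACE / (p.scan_rate * p.monitored)


def doubling_time(p: WormParams) -> float:
    """Early-phase doubling time: growth rate is scan_rate*N/2^32 per second
    while almost every vulnerable host is still susceptible."""
    return math.log(2) * ADDRESS_SPACE / (p.scan_rate * p.vulnerable)


def time_to_fraction(infected_series, total: int, fraction: float):
    """First second at which infected hosts reach `fraction` of the population, or None."""
    target = fraction * total
    for t, infected in enumerate(infected_series):
        if infected >= target:
            return t
    return None


def summarize(p: WormParams, seconds: int = 1800) -> dict:
    infected, _, _ = simulate(p, seconds)
    peak = max(infected)
    return {
        "peak_infected": peak,
        "seconds_to_peak": infected.index(peak),
        "seconds_to_90pct": time_to_fraction(infected, p.vulnerable, 0.9),
    }


def compare_defenses() -> dict:
    """One constructed scenario per factor on the 'Worm Defense' slide: shrink the
    vulnerable population, cut the rate at which probes reach targets, or shorten
    the infectious period by patching infected hosts."""
    return {
        "baseline": summarize(WormParams()),
        "half of population patched before outbreak": summarize(WormParams(vulnerable=50_000)),
        "firewalls drop 75% of probes to the SQL port": summarize(WormParams(scan_rate=1000.0)),
        "infected hosts patched after ~100 s on average": summarize(WormParams(removal_rate=0.01)),
    }


if __name__ == "__main__":
    print(f"early doubling time: {doubling_time(WormParams()):.1f} s")
    for name, r in compare_defenses().items():
        print(f"{name}: peak {r['peak_infected']:,.0f} hosts at t={r['seconds_to_peak']} s, "
              f"90% of population infected at t={r['seconds_to_90pct']}")
```

With the slide's parameters the early doubling time comes out at about 7.4 seconds, in the same range as the 8.5 seconds measured for Slammer. Shrinking the vulnerable population or filtering probes only stretches the timeline, since every infected host keeps scanning; shortening the infectious period is the one lever that caps the epidemic below full saturation, because hosts leave the infected pool before they have scanned the whole space.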