Slammer Simulation

Date post: 24-Feb-2016
Transcript
Page 1: Slammer Simulation

Slammer Simulation: Infected hosts estimation

- Population: N=100,000
- Scan rate = 4000/sec
- Initially infected: I0=10
- Monitored IP space: 2^20
- Monitoring interval: 1 second
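The slide-1 parameters plugged into the standard random-scanning epidemic model, together with the monitor-based estimate of the infected population, as an added example (not code from the lecture). It assumes uniform scanning of the 2^32 IPv4 space and a monitor that sees each scan with probability 2^20/2^32; the function names are my own.

```python
"""Slammer-like spread model and infected-host estimation from a monitor.

Added example, not from the lecture. Parameters follow slide 1 (N=100,000,
4000 scans/sec per infected host, I0=10, monitor covering 2**20 of the 2**32
IPv4 addresses, 1-second interval). Assumes uniform random scanning, i.e. the
simple epidemic model, with each scan landing in the monitor with p = 2**-12.
"""
import random

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses, scanned uniformly at random
MONITOR_SIZE = 2 ** 20    # addresses the monitor observes
N = 100_000               # vulnerable population
SCAN_RATE = 4000          # scans per second per infected host
I0 = 10                   # initially infected hosts
INTERVAL = 1              # monitoring interval in seconds
P_MONITOR = MONITOR_SIZE / ADDRESS_SPACE   # probability a scan hits the monitor

def epidemic_step(infected):
    """Expected infected count one interval later; each scan hits a susceptible host w.p. (N-infected)/ADDRESS_SPACE."""
    scans = infected * SCAN_RATE * INTERVAL
    return min(N, infected + scans * (N - infected) / ADDRESS_SPACE)

def expected_monitor_scans(infected):
    """Mean number of scans the monitor sees in one interval."""
    return infected * SCAN_RATE * INTERVAL * P_MONITOR

def estimate_infected(observed_scans):
    """Invert expected_monitor_scans: I_est = Z / (scan rate * interval * p)."""
    return observed_scans / (SCAN_RATE * INTERVAL * P_MONITOR)

def time_to_fraction(fraction):
    """Seconds until the model reaches fraction*N infected (fraction < 1)."""
    infected, t = I0, 0
    while infected < fraction * N:
        infected, t = epidemic_step(infected), t + 1
    return t

def simulate(seconds, seed=1):
    """Rows of (t, true infected, monitor count with sampling noise, estimate)."""
    rng = random.Random(seed)
    infected, rows = I0, []
    for t in range(seconds + 1):
        mean = expected_monitor_scans(infected)
        observed = max(0.0, rng.gauss(mean, mean ** 0.5))  # ~Poisson noise
        rows.append((t, infected, observed, estimate_infected(observed)))
        infected = epidemic_step(infected)
    return rows

if __name__ == "__main__":
    print(simulate(150)[::30], "90% after", time_to_fraction(0.9), "s")
```

With these numbers the model doubles roughly every 7 to 8 seconds, close to the 8.5 seconds reported for Slammer, and the monitor sees only about one scan per infected host per second, so the estimate is noisy while the infected count is small.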

Page 2: Slammer Simulation

Summary From the Last Lecture

- Viruses vs Worms vs Trojans
- Types of viruses
- Virus detection
- Virus defense
- Good viruses = bad idea

Page 3: Slammer Simulation

Report 2

- Due tomorrow
- Make sure you mention the venue in the title:
  o Conference or journal name, year of publication
  o If from a workshop, mention also the main conference that this workshop is associated with
- Make sure you include citations if you
  o Use figures or equations from the paper
  o Use some text verbatim
  o Talk about ideas from another related paper
  o Like this: “In [2] authors say that …” and then have reference [2] in the reference section

Page 4: Slammer Simulation

Code Red

- Spread on July 12 and 19, 2001
- Exploited a vulnerability in Microsoft Internet Information Server that allows the attacker to get full access to the machine (turned on by default)
- Two variants – both probed random machines, one with a static seed for the RNG, the other with a random seed for the RNG (CRv2)
- CRv2 infected more than 359,000 computers in less than 14 hours
  o It doubled in size every 37 minutes
  o At the peak of infection more than 2,000 hosts were infected each minute

Page 5: Slammer Simulation

Code Red v2

Page 6: Slammer Simulation

Code Red v2

- 43% of infected machines were in the US
- 47% of infected machines were home computers
- Worm was programmed to stop spreading at midnight, then attack www1.whitehouse.gov
  o It had a hardcoded IP address, so the White House was able to thwart the attack by simply changing the IP address-to-name mapping
- Estimated damage ~2.6 billion

Page 7: Slammer Simulation

Sapphire/Slammer Worm

- Spread on January 25, 2003
- The fastest computer worm in history
  o It doubled in size every 8.5 seconds
  o It infected more than 90% of vulnerable hosts within 10 minutes
  o It infected 75,000 hosts overall
- Exploited a buffer overflow vulnerability in Microsoft SQL Server, discovered 6 months earlier

Page 8: Slammer Simulation

Sapphire/Slammer Worm

- No malicious payload
- The aggressive spread had severe consequences
  o Created a DoS effect
  o It disrupted backbone operation
  o Airline flights were canceled
  o Some ATM machines failed

Page 9: Slammer Simulation

Sapphire/Slammer Worm

Page 10: Slammer Simulation

Why Was Slammer So Fast?

- Both Slammer and Code Red 2 use random scanning
  o Code Red uses multiple threads that invoke TCP connection establishment through the 3-way handshake – it must wait for the other party to reply or for the TCP timeout to expire
  o Slammer packs its code in a single UDP packet – its speed is limited only by how many UDP packets a machine can send
  o Could we do the same trick with Code Red?
- Slammer's authors tried to use a linear congruential generator to generate random addresses for scanning, but programmed it wrong

Page 11: Slammer Simulation

Sapphire/Slammer Worm

- 43% of infected machines were in the US
- 59% of infected machines were home computers
- Response was fast – after an hour sites started filtering packets for the SQL Server port

Page 12: Slammer Simulation

BGP Impact of Slammer Worm

Page 13: Slammer Simulation

Stuxnet Worm

- Discovered in June/July 2010
- Targets industrial equipment
- Uses Windows vulnerabilities (known and new) to break in
- Installs a PLC (Programmable Logic Controller) rootkit and reprograms the PLC
  o Without the physical schematic it is impossible to tell what the ultimate effect is
- Spread via USB drives
- Updates itself either by reporting to a server or by exchanging code with a new copy of the worm

Page 14: Slammer Simulation

Scanning Strategies

- Many worms use random scanning
- This works well only if machines have very good RNGs with different seeds
- Getting a large initial population represents a problem
  o Then the infection rate skyrockets
  o The infection eventually reaches saturation since all machines are probing the same addresses

“Warhol Worms: The Potential for Very Fast Internet Plagues”, Nicholas C. Weaver
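An added example (not from the lecture) that measures the coverage problem behind slides 10, 14 and 18: how many distinct addresses K hosts probe when they all share one RNG seed, when they use independent seeds, and when they walk disjoint segments of one shared permutation, plus a cycle-length check that exposes an LCG whose parameters do not cover the space. The toy address space, host and probe counts and the LCG constants are constructed; nothing here touches a network.

```python
"""Address-space coverage under different scanning schemes (slides 10, 14, 18).

Added example, not from the lecture. Toy space of SPACE integers (constructed,
no real addresses), K scanning hosts, M probes each. Distinct addresses probed
bounds how fast new victims can be found, which is what a spread model needs.
"""
import random

SPACE = 2 ** 16   # toy address space, a power of two so Hull-Dobell applies
K, M = 50, 200    # scanning hosts, probes per host

def lcg_cycle_length(a, c, m, start=0):
    """Cycle length of x -> (a*x + c) mod m from start; equals m only for a full-period LCG."""
    seen, x, step = {}, start, 0
    while x not in seen:
        seen[x] = step
        x, step = (a * x + c) % m, step + 1
    return step - seen[x]

def coverage_shared_seed(seed=1):
    """All hosts run the same RNG from the same seed (Code Red v1 style)."""
    probed = set()
    for _ in range(K):
        rng = random.Random(seed)          # identical stream on every host
        probed.update(rng.randrange(SPACE) for _ in range(M))
    return len(probed)

def coverage_independent_seeds(seed=1):
    """Each host has its own seed (CRv2 style); overlap happens only by chance."""
    probed = set()
    for host in range(K):
        rng = random.Random(seed * 1000 + host)
        probed.update(rng.randrange(SPACE) for _ in range(M))
    return len(probed)

def coverage_shared_permutation(a=1664525, c=1013904223):
    """Hosts walk disjoint segments of one shared full-period LCG permutation
    (the ideal that permutation scanning approximates): no overlap at all."""
    assert lcg_cycle_length(a, c, SPACE) == SPACE   # constants give a permutation
    starts, x = [], 0
    for pos in range(SPACE):           # walk the cycle once to pick start points
        if pos % (SPACE // K) == 0 and len(starts) < K:
            starts.append(x)
        x = (a * x + c) % SPACE
    probed = set()
    for x in starts:
        for _ in range(M):
            probed.add(x)
            x = (a * x + c) % SPACE
    return len(probed)
```

A mis-chosen LCG such as a=5, c=2 over this space cycles through only the even addresses, so half the space is never probed, which is the kind of failure slide 10 refers to.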

Page 15: Slammer Simulation

Random Scanning

Page 16: Slammer Simulation

Scanning Strategies

- Worm can get a large initial population with hitlist scanning
- Assemble a list of potentially vulnerable machines prior to releasing the worm – a hitlist
  o E.g., through a slow scan
- When the scan finds a vulnerable machine, the hitlist is divided in half and one half is communicated to this machine upon infection
  o This guarantees very fast spread – under one minute!

Page 17: Slammer Simulation

Hitlist Scanning

Page 18: Slammer Simulation

Scanning Strategies

- Worm can prevent die-out in the end with permutation scanning
- All machines share a common pseudorandom permutation of the IP address space
- Machines that are infected continue scanning just after their point in the permutation
  o If they encounter an already infected machine they will continue from a random point
- Partitioned permutation is the combination of permutation and hitlist scanning
  o In the beginning the permutation space is halved, later scanning is a simple permutation scan

Page 19: Slammer Simulation

Permutation Scanning

Page 20: Slammer Simulation

Scanning Strategies

- Worm can get behind the firewall, or notice the die-out, and then switch to subnet scanning
- Goes sequentially through the subnet address space, trying every address

Page 21: Slammer Simulation

Infection Strategies

- Several ways to download malicious code
  o From a central server
  o From the machine that performed the infection
  o Send it along with the exploit in a single packet

Page 22: Slammer Simulation

Worm Defense

- Three factors define worm spread:
  o Size of vulnerable population
    Prevention – patch vulnerabilities, increase heterogeneity
  o Rate of infection (scanning and propagation strategy)
    Deploy firewalls; distribute worm signatures
  o Length of infectious period
    Patch vulnerabilities after the outbreak

