Worms, Botnets, and The Underground Economy
CS 161: Computer Security
Profs. Vern Paxson and David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/cs161
April 16, 2010

Further Worm Developments
- Malicious payloads: disk-trashing
- Global outbreaks within 24 hours of vulnerability disclosure
- Server exploited for infection is a NIDS
- Single outbreak of 15 million infectees
- Counterworm released to clean up the original worm (oh, and install a root backdoor)
- DoS'ing Windows Update as a worm spreads
- Worms that use Google to search for victims

Thinking About Worm Defenses
We can methodically explore possible worm defenses by considering
  $\frac{dI(t)}{dt} = \beta \, \frac{S(t)\, I(t)}{N}$
Strategy 1: reduce the contact rate $\beta$ to slow a worm's propagation. How can we reduce it?
- Decrease N so that random scanning is less effective
  - Turn off unneeded services; aggressive patch management
- Increase the size of the address space (IPv6)
  - Worm countermeasures: heuristics to guess likely address-use patterns; locate likely victims via DNS, Google
- Suppress scans: limit connection fanout
- Isolate susceptibles: install firewall blocks upon outbreak

Thinking About Defenses (con't)
Reduce I(t) in $\frac{dI(t)}{dt} = \beta \, \frac{S(t)\, I(t)}{N}$:
- Identify and isolate (quarantine) infected hosts
Reduce S(t):
- Dynamically push out patches
What did Slammer teach us about employing dynamic defenses?
- They have to be fully automated: no human in the loop
- Thus: highly accurate

Worm Take-Aways
- Potentially enormous reach/damage: a weapon
- Hard to get right: emergent behavior, surprising dynamics
- Institutional antibodies
- Propagation faster than human response
What about fighting a worm using a worm?
- "White worm" spreads to disinfect/patch
- Experience shows it is likely not to behave predictably
- Additional issues: legality; collateral damage; target worm having already patched, so the white worm can't access the victim

Botnets
- Collection of compromised machines ("bots") under unified control of an attacker ("botmaster")
- Method of compromise decoupled from method of control
  - Launch a worm, virus, drive-by infection, etc.
- Upon infection, the new bot "phones home" to rendezvous w/ botnet command-and-control (C&C)
- Lots of ways to architect C&C: star topology, hierarchical, peer-to-peer; encrypted/stealthy communication
- Botmaster uses C&C to push out commands and updates

Botnets (con't)
- Constitute the Great Modern Threat of Internet security
- Why botnets rather than worms? Greater control: less emergent, quieter, optimal flexibility
- Why the shift towards valuing these instead of seismic worm infection events? Profit
- How can attackers leverage scale to monetize botnets?

Monetizing Botnets
- General malware monetization
  - Keylogging: steal financial, email, social network accounts
  - Transaction generators
- Monetization that leverages scale
  - DDoS extortion
  - Spam (discussed next week)
  - Click fraud
  - Scam infrastructure: hosting web pages (e.g., phishing); redirection to evade blacklisting/takedown (DNS)
- Which of these cause serious pain for the infected user? None. Users have little incentive to prevent them (externality)

Marketplace: Ads for Services

Marketplace: Ads for Goods

Marketplace: Ads for Goods (con't)

The Underground Economy
Why is its emergence significant?
- Markets enable efficiencies
  - Specialization: individuals rewarded for doing a single thing particularly well
  - Lowers barrier to entry: only need a single skill
  - Some underground market activities are legal
- Competition spurs innovation: accelerates the arms race
  - Defenders must assume a more pessimistic threat model
- Facilitates non-Internet attacks (political, nation-state)
  - Provides actors with cheap attack components
  - Provides stealthy actors with plausible cover

The Underground Economy (con't)
What problems do underground markets face?
- Markets only provide major efficiencies if they facilitate deals between strangers
  - Susceptible to infiltration
- Depending on marketplace architecture, can present a target (single point of failure)
- By definition, deals are between crooks: major issue of betrayal by "rippers"
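The propagation model from the worm-defenses slides above, dI(t)/dt = β S(t) I(t) / N, can be explored numerically. The following is an added example, not lecture material: it Euler-integrates the model and compares the three levers the slides name (reduce β, reduce I(t) by quarantine, reduce S(t) by patching), with and without a delayed response. The population size, rates and the 10-hour delay are constructed values.

```python
"""Added example (not from the lecture): numerically explore the slide's worm
model dI(t)/dt = beta * S(t) * I(t) / N and its three defense levers
(reduce contact rate beta, reduce I by quarantine, reduce S by patching),
including the effect of a delayed human response. All parameter values
are constructed for illustration."""


def simulate(n=360_000, i0=1, beta=1.0, hours=72.0, dt=0.01,
             quarantine_rate=0.0, patch_rate=0.0, response_delay=0.0):
    """Euler-integrate the model; all rates are per hour.

    quarantine_rate: fraction of infected hosts isolated per hour
    patch_rate:      fraction of susceptible hosts patched per hour
    response_delay:  hours before quarantine/patching begin
    Returns (hour at which I(t) first reaches N/2, or None; peak I(t)/N).
    """
    s, i = float(n - i0), float(i0)        # susceptible, infected
    t, t_half, peak = 0.0, None, i / n
    for _ in range(int(hours / dt)):
        active = t >= response_delay
        new_inf = min(beta * s * i / n * dt, s)   # the beta*S*I/N term
        removed = quarantine_rate * i * dt if active else 0.0
        patched = patch_rate * s * dt if active else 0.0
        s = max(s - new_inf - patched, 0.0)
        i = max(i + new_inf - removed, 0.0)
        t += dt
        peak = max(peak, i / n)
        if t_half is None and i >= n / 2:
            t_half = round(t, 2)
    return t_half, round(peak, 3)


def compare():
    """Run the defense scenarios and return (t_half, peak) keyed by name."""
    return {
        "baseline": simulate(),
        "half_contact_rate": simulate(beta=0.5),
        "quarantine_now": simulate(quarantine_rate=1.0),
        "quarantine_after_10h": simulate(quarantine_rate=1.0, response_delay=10.0),
        "patch_now": simulate(patch_rate=0.1),
        "patch_after_10h": simulate(patch_rate=0.1, response_delay=10.0),
    }


if __name__ == "__main__":
    for name, (t_half, peak) in compare().items():
        print(f"{name:22s} I=N/2 at: {t_half} h   peak I/N: {peak}")
```

Halving β roughly doubles the time to infect half the population, while quarantine or patching started immediately keeps the peak tiny; the same patching started 10 hours in still loses most of the population, which is the "no human in the loop" point the Slammer slide makes.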