CS 261 Computer Security
David Wagner
Attacks
Scribe: Erika Chin
October 30, 2007

1 Notable Worms

Worm          Date      # Infected                      Time to Infect
Code Red      7/2001    360,000                         6 days
Code Red II   8/2001    ?                               ?
Nimda         9/2001    ? (on the order of millions)    22 minutes
Slammer       1/2003    75,000                          10 minutes
Blaster       8/2003    8,000,000                       2 days

* The first three worms were crude attacks. The Slammer worm distinguished itself by its rapid spread, made possible by its single-packet infection: one UDP packet was enough to compromise a host.

These worms resulted in billions of dollars in financial loss. Networks went down, people lost email access, and companies lost productivity. Eventually, CEOs and CFOs went to Microsoft to tell them that this was unacceptable and that they had to improve the quality of their software.

With each successive worm propagating faster than the last, the potential for damage, disruption, and financial loss increased. Furthermore, these worms showed the potential to spread faster than system administrators could respond. This sparked an academic interest in worms and other attacks.

2 How Bad Can it Get?

In terms of payload and economic and financial loss, we examine how harmful these attacks can be. Malicious attacks can impact the economy through:

• Loss of data
  o Example: One could gain access to critical data, encrypt it, and demand ransom.
  o Cost: Unknown. Most companies have backups.
• Attack on critical infrastructure
  o Example: One could take down power grids and water systems.
  o Cost: It is difficult to evaluate the feasibility of such an attack or estimate its cost, as there is not much public data on this subject.
• Loss of hardware
  o Example: One could overwrite the BIOS.
  o Cost: $1,000-2,000 per machine.
• Unauthorized transactions
  o Example: One could create a worm to sell U.S. bonds.
• Loss (and cost) of a system administrator's time
  o Cost: $50-100 per hour per system administrator, and it could take up to an hour per machine to restore data from backups.
• Loss of productivity
  o Example: Without working machines, employees may have nothing to do but sit and wait for their computers to come back online. On a larger scale, many e-commerce companies lose revenue when their sites go down or when users cannot gain access to the network.
  o Cost: This can vary greatly depending on the company. Some businesses are based on e-commerce. Amazon makes about $100,000-200,000 per hour. Airlines, likewise, make about $100,000 in online ticket sales. Other companies lose employee productivity waiting on the system administrator: an average of $50 is lost per hour per employee.

In total, costs per machine could be $500-$1,000. With over 200,000,000 machines in the U.S. alone, an attack could cost the nation $5-50 billion.

3 Building a High-speed Worm

If one wanted to build a high-speed worm without worrying about noise (detection), one could seed the worm with a hit list (a list of known vulnerable hosts). This would ensure rapid, exponential infection. One could also use multiple propagation mechanisms. For example, Nimda used 5-6 techniques: it used email with malicious attachments (to pass through firewalls), random scanning in octets (to spread quickly), and infected web servers so that anyone who viewed the HTML would also get infected (to spread widely).

4 Building a Stealthy Worm

There are many ways to create a stealthy worm. One could:

• Rate limit the propagation. Make sure that the worm spreads slowly.
• Wait some time after infection/download. This way, if the user notices the infection, they will not be able to figure out immediately where it came from.
• Avoid creating noticeable changes in the network. Network monitors log information and create statistics on traffic. A stealthy worm must not trigger any alarms or increase network traffic.
• Create a worm that piggybacks on existing network connections. For example, one could exploit a vulnerability in a P2P program, e.g. a BitTorrent client. Then, when the infected user opens a connection to another client, the worm can piggyback across that connection. Another example is the client-server-based worm. If one could find vulnerabilities in a web server and a browser, then the worm could propagate across servers and browsers stealthily. This method is rare, however, as it would require exploiting two vulnerabilities, one in the server and one in the client.

5 In Recent Years

In recent years, a market for vulnerabilities has developed. These vulnerabilities can sell for $1,000 to $50,000. Purchasers include large companies, like Cisco, that want to patch their vulnerabilities before the public is aware of them. It is also suspected that the U.S. Government purchases these vulnerabilities (although it is not known whether it does this to attack or to defend systems).

Most worms no longer make headlines. The Blaster worm was the last of the major, publicized worms. This is because the motivation for spreading worms has shifted. In the early 2000s, young hackers exploited systems to gain fame and bragging rights. These hackers sought to create noisy, disruptive worms: the more damage they caused, the more attention they got. Now, malware writers are motivated by the financial prospects of worm creation. These writers would rather receive money than gain fame. Flashy worms do not make money; they are often fixed very quickly, and thus the attacker "wastes" the vulnerability. Instead, attackers look for ways to create stealthy worms, so that they can stay under the radar and make money. This is discussed further in Section 7.

From 2001 to 2003, we saw the damage due to worms escalate. The number of infected machines increased while the time to infect decreased. These attacks have shown us that quickly propagating attacks are a dangerous threat. The good news is that we have not yet seen any worst-case scenarios. Still, these automated attacks propagate faster than humans can respond, and for that reason, we need a defense.

6 Network Telescopes

In order to do a longitudinal study of worms in the wild, we use network telescopes. To create a network telescope, one must go to the ISP and request a large address space of unassigned IP addresses. Traffic to these addresses is then directed to a small set of machines (a darknet). Because these IP addresses are unassigned and no legitimate computer is attached to any of the darknet's IP addresses, we know that any incoming
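The following is an added example of how telescope traffic is actually analyzed; it is not part of the scribe notes. It assumes the telescope owns 203.0.113.0/24 (an RFC 5737 documentation range, used here as a constructed stand-in for an unassigned block) and that captured packets have already been reduced to simple records. It shows the three things a darknet is good for: watching the infected population grow window by window, spotting a newly popular destination port, and separating sweeping scanners from one-off backscatter. It also extrapolates a random scanner's total probe rate from the tiny fraction of probes that land in the telescope.

```python
"""Looking at traffic that arrives at a network telescope (darknet).

Added example; not part of the CS 261 scribe notes. Assumes the telescope
owns 203.0.113.0/24 (a constructed, unassigned block) and that packets have
already been captured into simple records.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed telescope range. Nothing legitimate lives here, so every packet
# addressed into it is a scan, a misconfiguration, or backscatter.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str


def telescope_packets(packets):
    """Keep only packets whose destination falls inside the darknet."""
    return [p for p in packets if ipaddress.ip_address(p.dst) in TELESCOPE]


def distinct_sources_by_window(packets, window_s):
    """Distinct source IPs per time window, plus the running total.

    The per-window count shows how fast new sources appear; the cumulative
    count is a lower bound on the infected population seen so far.
    Returns a list of (window_start, sources_in_window, cumulative_sources).
    """
    per_window = defaultdict(set)
    for p in telescope_packets(packets):
        per_window[int(p.ts // window_s)].add(p.src)
    seen, result = set(), []
    for idx in sorted(per_window):
        seen |= per_window[idx]
        result.append((idx * window_s, len(per_window[idx]), len(seen)))
    return result


def top_ports(packets, n=3):
    """Most-probed (port, proto) pairs; a new worm shows up as a spike here."""
    counts = Counter((p.dport, p.proto) for p in telescope_packets(packets))
    return counts.most_common(n)


def scanners(packets, min_targets=3):
    """Sources that touched at least min_targets distinct darknet addresses.

    A single packet to one dark address may be backscatter from a spoofed
    DoS or a typo; a source sweeping many dark addresses is scanning.
    """
    targets = defaultdict(set)
    for p in telescope_packets(packets):
        targets[p.src].add(p.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def estimated_scan_rate(probes_seen, duration_s, telescope=TELESCOPE):
    """Extrapolate a uniformly random scanner's total rate in probes/s.

    A uniformly random probe lands in the telescope with probability
    size/2^32, so what we observe is that fraction of what the source sends.
    """
    fraction = telescope.num_addresses / 2 ** 32
    return probes_seen / (duration_s * fraction)


# Constructed sample capture: two sources sweeping 1434/udp (the port Slammer
# used), one stray 80/tcp packet, a 445/tcp pair, and one packet that is not
# addressed to the telescope at all and must be ignored.
SAMPLE = [
    Packet(0.0, "198.51.100.7", "203.0.113.1", 1434, "udp"),
    Packet(1.0, "198.51.100.7", "203.0.113.2", 1434, "udp"),
    Packet(2.0, "198.51.100.7", "203.0.113.3", 1434, "udp"),
    Packet(3.0, "198.51.100.7", "198.51.100.200", 1434, "udp"),  # not darknet
    Packet(3.5, "198.51.100.7", "203.0.113.4", 1434, "udp"),
    Packet(4.0, "198.51.100.7", "203.0.113.5", 1434, "udp"),
    Packet(12.0, "192.0.2.44", "203.0.113.10", 1434, "udp"),
    Packet(13.0, "192.0.2.44", "203.0.113.11", 1434, "udp"),
    Packet(14.0, "192.0.2.44", "203.0.113.12", 1434, "udp"),
    Packet(15.0, "192.0.2.9", "203.0.113.200", 80, "tcp"),
    Packet(21.0, "198.51.100.7", "203.0.113.6", 1434, "udp"),
    Packet(22.0, "192.0.2.77", "203.0.113.50", 445, "tcp"),
    Packet(23.0, "192.0.2.77", "203.0.113.51", 445, "tcp"),
]

if __name__ == "__main__":
    for start, in_win, cum in distinct_sources_by_window(SAMPLE, 10):
        print(f"t={start:>3}s  active sources={in_win}  cumulative={cum}")
    print("top ports:", top_ports(SAMPLE))
    print("scanners:", scanners(SAMPLE))
    print("1 probe into a /24 per second ~ %.0f probes/s overall"
          % estimated_scan_rate(1, 1.0))
```

The rate extrapolation is why even a small telescope is useful: a /24 sees only 2^-24 of uniformly random scanning, so a single observed probe per second corresponds to roughly 16.8 million probes per second across the whole address space, and a sustained stream of sources hitting one port is visible long before any single operator's network notices it. The 445/tcp and 80/tcp records illustrate the caveat from Section 4: a worm that rate limits or piggybacks on existing connections produces little or no random scan traffic, so a telescope alone will not see it.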
Berkeley COMPSCI 261N - Attacks