www.icir.org/vern/papers/cdc-usenix-sec02/index.html
Hosts are detected by the distinct URLs they attempt to retrieve, corresponding to the IIS exploits and attack strings. Since Nimda spreads by multiple vectors, the counts shown for it may be an underestimate.

We begin with a mathematical model derived from empirical data of the spread of Code Red I v2 in July and August, 2001 (Section 2). We then discuss techniques employed for achieving greater effectiveness and virulence by the subsequent Code Red II and Nimda worms (Section 3). Hit-list scanning is a technique for accelerating the initial spread of a worm. Permutation scanning is a mechanism for distributed coordination of a worm. Combining these two techniques creates the possibility of a Warhol worm, seemingly capable of infecting most or all vulnerable targets in a few minutes to perhaps an hour. An extension of the hit-list technique creates a flash worm, which appears capable of infecting the vulnerable population in tens of seconds: so fast that no human-mediated counter-response is possible. We then turn in Section 5 to the threat of a new class of surreptitious worms. These spread more slowly, but in a much harder to detect "contagion" fashion, masquerading as normal traffic. We demonstrate that such a worm today could arguably subvert upwards of 10,000,000 Internet hosts. Then in Section 6, we discuss some possibilities by which an attacker could control the worm using cryptographically-secured updates, enabling it to remain a threat for a considerable period of time. Even when most traces of the worm have been removed from the network, such an "updatable" worm still remains a significant threat. Having demonstrated the very serious nature of the threat, we then in Section 7 discuss an ambitious but, we believe, highly necessary strategy for addressing it: the establishment at a national or international level of a "Center for Disease Control" analog for virus- and worm-based threats to cybersecurity.
We discuss the roles we envision such a Center serving, and offer thoughts on the sort of resources and structure the Center would require in order to do so. Our aim is not to comprehensively examine each role, but to spur further discussion of the issues within the community.

Since July, 139,000 different remote Code Red I hosts have been confirmed attacking LBNL; of these, 20,000 were observed to be infected with two different worms, and 1,000 with all three worms.

Once it infected a host, Code Red spread by launching 99 threads which generated random IP addresses, and then tried to compromise those IP addresses using the same vulnerability. A hundredth thread defaced the web server in some cases. However, the first version of the worm analyzed by eEye, which came to be known as CRv1, had an apparent bug: the random number generator was initialized with a fixed seed, so that all copies of the worm in a particular thread, on all hosts, generated and attempted to compromise exactly the same sequence of IP addresses.

On July 19th, 2001, a second version of the worm began to spread. This was suspected informally via mailing list discussion, then confirmed by the mathematical analysis we present below, and finally definitively confirmed by disassembly of the new worm. We developed a tentative quantitative theory of what happened with the spread of the Code Red I worm. The new version spread very rapidly until almost all vulnerable IIS servers on the Internet were compromised. It stopped trying to spread at midnight UTC due to an internal constraint in the worm that caused it to turn itself off. It then reactivated on August 1st, though for a while its spread was suppressed by competition with Code Red II (see below). However, Code Red II died by design [SA01] on October 1, while Code Red I has continued to make a monthly resurgence, as seen in Figure 2. Why it continues to gain strength with each monthly appearance remains unknown.
The model assumes that the worm had a good random number generator that is properly seeded. We define $N$ as the total number of vulnerable servers which can be potentially compromised from the Internet. We also ignore any spread of the worm behind firewalls on private Intranets. The rate $K$ is the number of vulnerable hosts which an infected host can find and compromise per hour at the start of the incident, when few other hosts are compromised. We assume that $K$ is a global constant, and does not depend on the processor speed, network connection, or location of the infected machine. We assume that once a machine is compromised, it stays that way. We then have the following variables:

* $a$ is the proportion of vulnerable machines which have been compromised.

Now, we analyze the problem by assuming that at some particular time $t$, a proportion $a$ of the machines have been compromised, and then asking how many more machines, $N\,da$, will get compromised in the next amount of time $dt$. The answer is:

\begin{displaymath}
N\,da = (N a)\, K\, (1-a)\, dt.
\end{displaymath}

This equation has been well known for many years as the logistic equation, and governs the rate of growth of epidemics in finite systems when all entities are equally likely to infect any other entity (which is true for randomized spreading among Internet-connected servers, in the absence of firewall filtering rules that differentially affect infectability from or to different addresses). For early $t$ (significantly before $T$), $a$ grows exponentially. For large $t$ (significantly after $T$), $a$ goes to $1$ (all vulnerable machines are compromised). The rate at which this happens depends only on $K$ (the rate at which one machine can compromise others), and not at all on the number of machines. This is interesting because it tells us that a worm like this can compromise all vulnerable machines on the Internet fairly fast.
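To make the model concrete, here is an added example (not code from the paper): it integrates the page's equation numerically, checks it against the standard closed-form solution of the logistic equation, and computes how long the infected fraction takes to reach a target, with $T$ denoting the hour at which $a = 1/2$. The values of $K$ and the starting fraction are constructed for illustration, not taken from the paper.

```python
"""Added example (not the paper's code): the logistic model from the text.

The page's equation N da = (N a) K (1-a) dt becomes da/dt = K a (1-a) once N
is divided out.  Its standard closed-form solution, used below, is
a(t) = 1 / (1 + exp(-K (t - T))), where T is the hour at which a = 1/2.
K and the initial fraction a0 are constructed values, not figures from the paper.
"""
import math


def _logit(x: float) -> float:
    return math.log(x / (1.0 - x))


def logistic_closed_form(t: float, K: float, T: float) -> float:
    """Fraction of vulnerable hosts compromised at hour t."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def hours_to_fraction(a0: float, K: float, target: float) -> float:
    """Hours for the infected fraction to grow from a0 to target.

    From the closed form: t = (logit(target) - logit(a0)) / K.
    target = 0.5 gives the midpoint T, since logit(0.5) = 0.
    """
    return (_logit(target) - _logit(a0)) / K


def simulate(a0: float, K: float, hours: float, dt: float = 0.001) -> list:
    """Forward-Euler integration of da/dt = K a (1 - a) from a0 for `hours`.

    Returns (t, a) samples, one per step.  N never appears: the shape of
    the curve is the same for any population size, which is the paper's point.
    """
    samples, a, t = [], a0, 0.0
    for _ in range(int(round(hours / dt)) + 1):
        samples.append((t, a))
        a += K * a * (1.0 - a) * dt
        t += dt
    return samples


if __name__ == "__main__":
    K = 1.8                 # constructed: compromises per hour per infected host
    a0 = 1.0 / 360_000      # constructed: one seed host among 360,000 vulnerable
    t90 = hours_to_fraction(a0, K, 0.9)
    print(f"early doubling time {math.log(2) / K:.2f} h; 90% infected at {t90:.1f} h")
    # Ten times more vulnerable hosts only adds ln(10)/K hours to the same curve.
    print(f"with 10x the population: {hours_to_fraction(a0 / 10, K, 0.9):.1f} h")
```

The last two lines show the caveat a responder needs: the growth rate (and so the doubling time) depends only on $K$, while the time from a single seed to a given fraction grows only logarithmically with the population size.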
The $x$-axis is the hour of the day (CDT time zone), while the $y$-axis is probe rate, the number of different IP addresses seen, and a fit to the data discussed in the text.

Figure 3 shows hourly probe rate data from Ken Eichmann of the Chemical Abstracts Service for the hourly probe rate inbound on port 80 at that site. Note that we fit the scan rate, rather than the number of distinct IPs seen at this site. The incoming scan rate seen at a site is directly proportional to the total number of infected IPs on the Internet, since there is a fixed probability for any worm copy to scan this particular site in the current time interval. However, the number of distinct IPs seen at a site is distorted relative to the overall infection curve. This is because a given worm copy, once its host is infected, will take some amount of time before it gets around to scanning any particular site. For a small address space, this delay can be sizeable and causes the distinct IP graph at the given site to lag behind the overall Internet infection rate graph.

One observation is that the worm came close to saturating before it turned itself off at midnight UTC (1900 CDT), as the number of copies ceased increasing a few hours before the worm's automatic turnoff. Thus it had found the bulk of the servers it was going to find at this time.

Although Code Red I turned itself off at midnight UTC on July 19th, hosts with inaccurate clocks kept it alive and allowed it to spread again when the worm code allowed it to re-awaken on August 1st. Figure 4 shows similar data and fit for that incident. Since the worm code-base was the same, this lower spread rate indicates that the number of vulnerable systems was a little less than 40% as many as the first time around. That is, the data appears consistent with slightly more than half the systems having been fixed in the $11$ days intervening.

The $x$-axis shows the time of day on August 1st (Central US Time). The $y$-axis shows the monitored probe rate and a fit for the data discussed in the text.

The worm code contained a comment stating that it was "Code Red II," but it was an unrelated code base. It did use the same vulnerability, however: a buffer overflow in Microsoft's IIS Web server with CVE number CVE-2001-0500. When successful, the payload installed a root backdoor allowing unrestricted remote access to the infected host....