
How to 0wn the Internet in Your Spare Time
by Stuart Staniford, Vern Paxson, Nicholas Weaver
Public comments
#1 posted on Apr 20 2008, 13:30 in collection CMU 15-744: Computer Networks -- Spring 08
When this paper was published, fast-spreading Internet worms and their DoS-like effects were hot issues. But, we haven't seen any worm outbreaks for a while (storm worm is not an Internet worm. :) Recently, malware writing is motivated by financial gain, and most malware spreads through various infection vectors such as email attachments, browser vulnerabilities, P2P downloads, video codecs, free software, and even specially targeted messages. I think what we really need now is a counter cyber crime organization that monitors and deals with all the computer malware-related incidents.
#2 posted on Apr 20 2008, 15:34 in collection CMU 15-744: Computer Networks -- Spring 08
This was an interesting paper, which especially emphasized how worms could take over many vulnerable hosts in a matter of seconds or minutes. This paper got me thinking about how one could build countermeasures using the same vulnerabilities that the worms exploit. Googling around uncovered this: http://en.wikipedia.org/wiki/Nachi_worm. Apparently, folks at Xerox PARC designed a "worm with good intent" that spreads through Windows vulnerabilities and attempts to download patches and fixes from Windows update.

I'm less optimistic that a "CDC" can be efficiently coordinated among so many distributed entities. I think software will better evolve to handle these kinds of epidemics. For example, with the popularity of virtual machines these days, I wonder if it's just a matter of time that downloaded untrusted applications (e.g., the paper mentions email attachments) are automatically sandboxed and executed in a separate lightweight VM and discarded as needed.
#3 posted on Apr 20 2008, 16:23 in collection CMU 15-744: Computer Networks -- Spring 08
This paper provided a good discussion of several large-scale worms, such as Code Red, and examined how future worms could spread even quicker by using more sophisticated scanning algorithms. I'm not sure the proposal for a cyber version of the CDC would be a good idea, though. It seems that any pro-active automated countermeasures could be easily circumvented.
#4 posted on Apr 20 2008, 16:26 in collection CMU 15-744: Computer Networks -- Spring 08
There are three main components in the article: in the first part, they analyze three worms that were recent at the time of writing; in the second they give some general techniques that they believe could yield even more effective worms; and in the third section they discuss the proposed idea of implementing a cyber center for disease control.

The section I found most interesting was the application of standard contagion dynamics to analyze the spread of worms. The study of contagious diseases has a rich history; I wonder if some of the more advanced dynamics models could also be used to analyze worm spreading behavior -- and perhaps also offer other ideas on how to control them.
#5 posted on Apr 20 2008, 16:39 in collection CMU 15-744: Computer Networks -- Spring 08
This paper provides a good overview of Internet worms, especially Code Red I, Code Red II, and Nimda. Also, section 4, "Better" worms - theory, and section 5, Stealth worms - contagion, are interesting and informative sections describing how worms can spread themselves over the Internet.
#6 posted on Apr 20 2008, 16:40 in collection CMU 15-744: Computer Networks -- Spring 08
An interesting paper teaching people how to write 'more powerful' worms. The author uses the simplest epidemic model to model the spread of a worm, whose correctness I don't quite believe. The reason is I really doubt the possibility of a worm reaching all vulnerable hosts (or a large part of them) in the Internet. The exponential growth may be explained simply as a "branching process" before the patches come out.

Also I am not sure that "Permutation Scanning" can really help the worm spread faster, since I think Internet connectivity is another issue.
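The simple epidemic model that comments #4 and #6 discuss, run with and without patching, as an added example that is not part of any comment or of the paper. The rate values and the patching term are constructed assumptions chosen for illustration, not figures from the paper.

```python
def simulate(K, g, a0=1e-5, hours=48.0, dt=0.01):
    """Euler-integrate a simple epidemic model over the vulnerable population.

    s = fraction still vulnerable, i = fraction currently infected.
    K = contact rate per hour (assumed value, illustrative only).
    g = patch/cleanup rate per hour applied to vulnerable and infected
        hosts alike (assumed extension; g = 0 gives the plain model
        di/dt = K * i * (1 - i)).
    Returns (ever_infected_fraction, peak_infected_fraction).
    """
    s, i = 1.0 - a0, a0
    ever, peak = a0, a0
    for _ in range(int(hours / dt)):
        new = K * s * i * dt          # hosts newly infected in this step
        # Right-hand side uses the old s and i before either is updated.
        s, i = s - new - g * s * dt, i + new - g * i * dt
        ever += new                   # cumulative count, ignores later cleanup
        peak = max(peak, i)
    return ever, peak


def compare(K=1.8):
    """Run three constructed scenarios that differ only in patch rate."""
    return {
        "no_patching": simulate(K, 0.0),
        "slow_patching": simulate(K, 0.05),
        "fast_patching": simulate(K, 0.3),
    }


if __name__ == "__main__":
    for name, (ever, peak) in compare().items():
        print(f"{name:14s} ever infected {ever:7.2%}   peak {peak:7.2%}")
```

With no patching the model saturates the whole vulnerable population; once patching removes vulnerable hosts at a rate comparable to the early growth rate, the outbreak stalls while still a small fraction.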
#7 posted on Apr 20 2008, 16:47 in collection CMU 15-744: Computer Networks -- Spring 08
The paper does a good job of analysis and listing ways in which botnets could spread faster than they do now.

However, and this is probably a dumb question, why must a botnet designer want to make it spread fast? It would seem that a more important criterion to think about is to make it less likely to be detected, thereby ensuring its longevity. A botnet that infects hosts much faster is much more likely to generate more bursts in traffic that network administrators and the like are bound to notice and thereby fix (is that wishful thinking?).
#8 posted on Apr 20 2008, 16:47 in collection CMU 15-744: Computer Networks -- Spring 08
This was a very interesting read, that gave an overview of the techniques that internet worms use to spread and proposed the establishment of Centers for Disease Control for virus- and worm-based threats. In sections 3 & 4 the authors describe how to build better worms that could potentially spread in a matter of minutes. It is interesting to see that very soon after this paper was published the worm Slammer had scanned the entire internet address space (2^32!) in under 10 minutes. I wonder if the author of Slammer got any ideas from this paper…

I found the idea of disabling a worm through the same security hole that it used to infect the host quite interesting. Maybe writing a new worm that patches another one could be very effective. In section 4.5 the authors describe a new kind of worm that might fetch lists of target hosts from a high-bandwidth server. But, what happens if the deployment of a worm is very successful? Would the infected hosts do a distributed DOS on the server hosting the target lists?

By the way here is an interesting paper on using a P2P network for performing DoS attacks.
#9 posted on Apr 20 2008, 16:58 in collection CMU 15-744: Computer Networks -- Spring 08
This paper gives a very interesting description of the development of worms. I am wondering, are there any very recent developments in worms?