"A Worst-Case Worm" by Nicholas Weaver and Vern Paxson is an interesting paper: it shows how the damage done by such an attack can be modeled in terms of real money.
Computer Security: Worms
1. A WORST-CASE WORM
BY
NICHOLAS WEAVER AND VERN PAXSON
Presenter:
K M Sabidur Rahman,
ECS 236: Computer Security: Intrusion Detection Based Approach,
UC Davis
krahman@ucdavis.edu
http://www.linkedin.com/in/kmsabidurrahman/
5/13/2016
2. Agenda
•How to model damage done by worms
•Attack details (target, ways)
•How to estimate number of infected system
•Damages done by worm (data, hardware, downtime)
•How to estimate damages and loss
•Defense against worms
3. What is a Worm?
•Malicious, self-propagating network programs
•Capable of spreading substantially faster than humans can respond
•May carry highly malicious payloads
•Represent a substantial threat to computing infrastructure
•Examples: the Slammer worm disrupting a nuclear power plant's systems, ATMs and 911 operations
•Welchia's disruption of the Navy Marine Corps Intranet and ATMs
5. Assumptions about the Attack
•Infect as many US systems as possible
•Maximize the damage on each infected system
•Keep the worm active as long as possible, so that it reinfects any system that is repaired but still vulnerable
6. Assumptions on Attacker resources
•Several experienced programmers
•Access to a significant amount of computing hardware
•Several months of time for development and testing
•Nation-state adversary (more resources than a terrorist group)
7. Candidates to target
•Windows SMB/CIFS file sharing
•The SMB/CIFS server has shipped with Windows since Windows 98
•SMB/CIFS is widely deployed
•Default anonymous login capabilities
•The SMB service runs as part of the OS kernel
•Because it is on by default, most Windows PCs are exposed
•File sharing is essential for business operations
8. SMB/CIFS vulnerabilities
•Allows arbitrary remote execution as long as the attacker has domain access
•The worm can query the local Windows domain controller for a list of local machines and their names
•RPC vulnerability (exploited by the Blaster worm)
•To cross firewalls and spread between domains, a mail-worm mode or an infected-web-browser mode can be used
•Restrict targeting to US-related IP address ranges
9. Speed of propagation
Spread across the Internet: the Slammer worm took less than 10 minutes to infect tens of thousands of servers.
Spread through gateways: needs human action (mail/web). Nimda spread within a few hours; a pure mail worm such as SoBig.E needed a little more than a day to reach its peak volume.
Intranet spread: on 100 Mbps and 1 Gbps LANs, infecting the first few victims takes less than a second, and the whole intranet much less than a minute.
Total spread time across US businesses, if launched during US business hours, can be a matter of hours.
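The spread rates above follow from the standard logistic model of a random-scanning worm: growth is exponential while targets are plentiful and then saturates, and the rate constant is the product of the per-host scan rate and the density of vulnerable hosts in the address space. The following is an added example, not code from the paper or the slides; the two scenarios (address-space sizes, vulnerable populations, scan rates) are illustrative assumptions chosen in the ranges the slides quote, and the domain-controller host list the slides describe only makes the real worm faster than this model.

```python
import math

# Added example, not from the paper or the slides: the logistic model of a
# random-scanning worm. Assumptions: every infected host probes `scan_rate`
# uniformly random addresses per second out of `addr_space` addresses, of
# which `vulnerable` are susceptible; a probe that hits a still-vulnerable
# host infects it instantly. The worm on the slides walks the domain
# controller's host list instead of scanning, which can only be faster.


def contact_rate(vulnerable, addr_space, scan_rate):
    """Per-infected-host rate (1/s) at which probes land on vulnerable addresses."""
    return scan_rate * vulnerable / addr_space


def infected_at(t, vulnerable, addr_space, scan_rate, initial=1):
    """Expected number of infected hosts t seconds after `initial` hosts are seeded.

    Closed-form solution of dI/dt = K * I * (1 - I/V) with K = contact_rate(...):
    slow start, exponential growth, then saturation as targets run out.
    """
    k = contact_rate(vulnerable, addr_space, scan_rate)
    return vulnerable / (1.0 + (vulnerable / initial - 1.0) * math.exp(-k * t))


def time_to_fraction(frac, vulnerable, addr_space, scan_rate, initial=1):
    """Seconds until a fraction `frac` (0 < frac < 1) of the vulnerable hosts is infected."""
    if not 0.0 < frac < 1.0:
        raise ValueError("frac must be strictly between 0 and 1")
    k = contact_rate(vulnerable, addr_space, scan_rate)
    return math.log((vulnerable / initial - 1.0) * frac / (1.0 - frac)) / k


# Two illustrative scenarios. The numbers are assumptions in the range the
# slides quote, not measurements.
SCENARIOS = {
    # Internet-scale, Slammer-like: 75k vulnerable hosts somewhere in the
    # whole IPv4 space, a few thousand scans per second per infected host.
    "internet": dict(vulnerable=75_000, addr_space=2**32, scan_rate=4_000),
    # Intranet: a /16 holding 10k vulnerable PCs, a modest 100 scans/s on a LAN.
    "intranet": dict(vulnerable=10_000, addr_space=2**16, scan_rate=100),
}


def time_to_90_percent(name):
    """Seconds for the named scenario to reach 90% of its vulnerable hosts."""
    return time_to_fraction(0.9, **SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name}: 90% infected after {time_to_90_percent(name):.1f} s")
```

With these inputs the Internet-scale run reaches 90% in a few minutes and the intranet run in under a second, matching the orders of magnitude on the slide; doubling the scan rate or the vulnerable density halves the time, which is why the on-by-default SMB service matters so much for the intranet case.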
10. Testing
Has to be tested in a wide range of environments
Make it polymorphic or include anti-anti-virus routines
11. Estimating the Number of Infected Systems
•Penetration of 60% of the vulnerable business PCs is plausible in the worst case
•A survey from 2001 counts 85 million PCs in US business and government
•Not including the 45 million households with PCs
12. Attack’s Damage
Data damage payload: once an infected machine is no longer needed for spreading, the worm may damage local or remote disks, e.g. by overwriting random sectors.
Hardware damage: reflash the BIOS, corrupting the bootstrap program that initializes the computer. Software can flash the BIOS on 7 popular systems and 2 motherboards.
13. Attack’s damage
Attempting reinfection to increase downtime: a zero-day exploit significantly increases the downtime.
The window between when a system is restored and when the patch is installed allows the system to be reinfected if copies of the worm are still active on the local network.
14. Estimating damage
D_rec: the system administration time to restore a system: reload the operating system, install patches, reinstall applications, restore data from backups, and reconnect the system to the network. Assumed to be half an hour for this analysis, which translates to roughly $20 per system.
D_time: productivity loss per hour of downtime, which depends on both the value of the labor and the time lost. Approximated as $35/hr.
15. Estimating damage
T_time: 16 hr, i.e. two working days per user. The first day for Microsoft to develop patches and workarounds, the second day for the local sysadmins to restore full network operation.
D_data: lost data, approximated at $2000 per loss incident.
P_lost_data: 0.1. Most of the time data is not lost, because of backups.
P_bios: 0.1. The attacker will only be able to permanently destroy a limited number of configurations.
D_bios: $1400 (cost of replacement) + $1000 (40 hr of lost productivity) = $2400
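The cost model of slides 11, 14 and 15, carried through as an added Python example (not code from the paper or the slides): per infected system the expected loss is D_rec + D_time × T_time + P_lost_data × D_data + P_bios × D_bios, and the total is that figure times the infected population (60% of 85 million). The breakdown and sensitivity helpers are additions that show which assumptions carry the result; the field names mirror the slide notation.

```python
from dataclasses import dataclass, replace

# Added example, not code from the paper or the slides: the per-system
# expected-loss model the slides describe, with the slide values as the
# default parameters.


@dataclass(frozen=True)
class WormCostModel:
    d_rec: float         # sysadmin time to rebuild one system, in dollars
    d_time: float        # productivity loss per hour of downtime, $/hr
    t_time: float        # hours of downtime per user
    d_data: float        # cost of one data-loss incident, dollars
    p_lost_data: float   # probability the data is not recoverable from backup
    d_bios: float        # cost of a machine whose BIOS is destroyed, dollars
    p_bios: float        # probability the BIOS reflash succeeds on a machine

    def breakdown(self):
        """Expected cost per infected system, split by source of loss."""
        return {
            "recovery": self.d_rec,
            "downtime": self.d_time * self.t_time,
            "data_loss": self.p_lost_data * self.d_data,
            "bios": self.p_bios * self.d_bios,
        }

    def cost_per_system(self):
        return sum(self.breakdown().values())

    def total_cost(self, installed_base, penetration):
        """Total expected loss: infected population times per-system loss."""
        return installed_base * penetration * self.cost_per_system()


# Slide values: half an hour of admin time ($20), $35/hr for 16 hr, a $2000
# data-loss incident 10% of the time, a $2400 bricked machine 10% of the time.
PAPER = WormCostModel(d_rec=20, d_time=35, t_time=16,
                      d_data=2000, p_lost_data=0.1,
                      d_bios=2400, p_bios=0.1)
BUSINESS_PCS = 85_000_000   # 2001 survey: US business and government PCs
PENETRATION = 0.6           # worst-case fraction of those infected


def worst_case_total(model=PAPER):
    return model.total_cost(BUSINESS_PCS, PENETRATION)


def sensitivity(field, values, model=PAPER):
    """Total loss as one parameter varies, the others held at the slide values."""
    return {v: worst_case_total(replace(model, **{field: v})) for v in values}


if __name__ == "__main__":
    for source, dollars in PAPER.breakdown().items():
        print(f"{source:>10}: ${dollars:,.0f} per system")
    print(f"total: ${worst_case_total() / 1e9:,.2f} billion")
    for hours, total in sensitivity("t_time", [8, 16, 40]).items():
        print(f"t_time={hours:>2} hr -> ${total / 1e9:,.2f} billion")
```

The per-system figure comes to $1,020, of which $560 is the downtime term, so the headline total (about $52 billion) is driven mostly by the two-day outage assumption rather than by the destructive payloads; the sensitivity helper makes that visible by re-running the model with other T_time values.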
17. Model limitations
Doesn't consider nonlinear effects on companies: follow-on effects (sometimes these values are inflated).
A downtime of one hour does not have the same consequences as one day.
Some companies may suffer slowly over the longer term.
Possible damage to critical infrastructure (power grid, hospitals, telecommunications, nuclear infrastructure) is not captured.
18. Current defenses and recommendations
Most email worms are stopped by signature-based scanning, but signatures are easily evaded (e.g. by a polymorphic worm).
Most IDS are deployed to protect against external attacks, but this attack spreads over internal connections.
Restrictive policies for mail worm scanning should be enforced.
Add filters for unusual characteristics (e.g. long strings in headers).
Network file sharing can be restricted.
Servers can run on a different platform (Linux).
Disable BIOS reflashing.
Data backups and off-site storage protection.
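The point that perimeter IDS misses this worm deserves a concrete counterpart. Inside the network the worm's signature is behavioural: one internal host opening SMB sessions to many distinct internal peers in a short window, which is what walking the domain controller's host list looks like and what an ordinary client never does. The following detector is an added example, not code from the paper or the slides; the internal range, ports, threshold and window are assumptions, and the flow records it runs over are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Added example, not from the paper or the slides: flag internal hosts that
# fan out to many distinct internal SMB peers inside a sliding window.
# INTERNAL, SMB_PORTS, FANOUT_THRESHOLD and WINDOW are assumptions to tune
# per site.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 20          # distinct internal SMB peers
WINDOW = timedelta(seconds=60)


def parse_flow(line):
    """'<iso timestamp> <src ip> <dst ip> <dst port>' -> (ts, src, dst, port)."""
    ts, src, dst, dport = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport))


def detect_internal_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {source ip: time of first alert} for hosts whose number of
    distinct internal SMB destinations within any sliding window reaches
    `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)    # src -> deque of (timestamp, dst)
    alerts = {}
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        # Only internal-to-internal SMB matters here; the perimeter IDS
        # already sees everything that crosses the gateway.
        if dport not in SMB_PORTS or src not in INTERNAL or dst not in INTERNAL:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop records outside the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


def alert_summary(lines, **kw):
    """Plain-string view of the alerts, for logging or assertions."""
    return [(str(src), ts.isoformat())
            for src, ts in detect_internal_smb_fanout(lines, **kw).items()]


def _constructed_log():
    """Constructed sample flow records, not captured traffic."""
    t0 = datetime(2016, 5, 13, 10, 0, 0)
    fmt = "{} {} {} {}"
    lines = []
    # A workstation talking to its one file server: normal, never alerts.
    for i in range(30):
        lines.append(fmt.format((t0 + timedelta(seconds=i)).isoformat(),
                                "10.1.2.50", "10.1.2.5", 445))
    # An infected host walking the host list, one new peer per second.
    for i in range(31):
        lines.append(fmt.format((t0 + timedelta(seconds=i)).isoformat(),
                                "10.1.2.3", f"10.1.2.{10 + i}", 445))
    # Outbound SMB to the Internet: not this detector's job.
    lines.append(fmt.format((t0 + timedelta(seconds=5)).isoformat(),
                            "10.1.2.3", "198.51.100.7", 445))
    return sorted(lines)   # ISO timestamps sort into time order


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, when in alert_summary(SAMPLE_LOG):
        print(f"ALERT {when}: {src} reached {FANOUT_THRESHOLD} internal SMB peers")
```

On the constructed records the infected host trips the threshold with its 20th distinct peer, nineteen seconds in, while the workstation that keeps reconnecting to a single file server never does; the threshold is what separates the two, so it should be set from a baseline of real per-host fan-out on the network rather than copied from here.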