
CS162
Operating Systems and Systems Programming
Lecture 27

Cybersecurity Attacks

May 8, 2006
Prof. Anthony D. Joseph
http://inst.eecs.berkeley.edu/~cs162

Review: Internet Viruses

• Self-replicating code and data
• Typically requires human interaction before exploiting an application vulnerability
– Running an e-mail attachment
– Clicking on a link in an e-mail
– Inserting/connecting “infected” media to a PC
• Then searches for files to infect or sends out e-mail with an infected file
• FBI survey of 269 companies in 2004 found that viruses caused ~$55 million in damages
• DIY toolkits proliferate on Internet
5/8/06 Joseph CS162 ©UCB Spring 2006 Lec 27.2
Review: Internet Worms

• Self-replicating, self-propagating code and data
• Use network to find potential victims
• Typically exploit vulnerabilities in an application running on a machine or the machine’s operating system to gain a foothold
• Then search the network for new victims
• 80% of worms/viruses in 2004 used e-mail as one of their propagation mechanisms



Goals for Today

• Hidden Software Attacks
• Malicious Hackers
• Critical Cyber Infrastructure Protection
• Worms and Viruses
• Want to learn more about security?
– Take CS 161 this fall

Note: Some slides and/or pictures in the following are adapted from slides ©2005 Silberschatz, Galvin, and Gagne.
Many slides generated from my lecture notes by Kubiatowicz.
Shrink Wrap Software Woes

• Can I trust software installed by the computer manufacturer?
– Not really, most major computer manufacturers have shipped computers with viruses
– How?
» Forget to update virus scanner on “gold” master machine
• Software companies, PR firms, and others routinely release software that contains viruses
• Linux hackers say “Start with the source”
– Does that work?



Ken Thompson’s self-replicating program
• Bury Trojan horse in binaries, so no evidence in source
– Replicates itself to every UNIX system in the world and even to new UNIX’s on new platforms. No visible sign.
– Gave Ken Thompson ability to log into any UNIX system
• Two steps: Make it possible (easy); Hide it (tricky)
• Step 1: Modify login.c
    A: if (name == “ken”)
           don’t check password
           log in as root
– Easy to do but pretty blatant! Anyone looking will see.
• Step 2: Modify C compiler
– Instead of putting code in login.c, put in compiler:
    B: if see trigger1
           insert A into input stream
– Whenever compiler sees trigger1 (say /*gobbledygook*/), puts A into input stream of compiler
– Now, don’t need A in login.c, just need trigger1
Self Replicating Program Continued
• Step 3: Modify compiler source code:
    C: if see trigger2
           insert B+C into input stream
– Now compile this new C compiler to produce binary
• Step 4: Self-replicating code!
– Simply remove statement C in compiler source code and place “trigger2” into source instead
» As long as existing C compiler is used to recompile the C compiler, the code will stay in the C compiler and will compile back door into login.c
» But no one can see this from source code!
• When porting to new machine/architecture, use existing C compiler to generate cross-compiler
– Code will migrate to new architecture!
• Lesson: never underestimate the cleverness of computer hackers for hiding things!
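The four steps above, and the check that catches them, modelled in code. This is an added example, not code from the lecture or from Thompson's paper: a toy “compiler” whose binaries are small records, with the trigger keyed on the file name rather than on a pattern in the source text (an assumption made for brevity), and Diverse Double-Compiling (David A. Wheeler's technique) as the countermeasure. Every name here (`Binary`, `run_compiler`, `diverse_double_compile`, the sample sources, the trusted compiler) is constructed for the example.

```python
"""Model of the self-reproducing compiler trojan and of Diverse Double-Compiling (DDC).
Programs are strings and a 'binary' is a small record, so everything runs offline; it is
a simulation of the mechanism, not a real compiler."""
import hashlib
from dataclasses import dataclass

# Constructed sources. Neither contains the back door: that is the whole point of the attack.
LOGIN_SRC = "if check_password(name, pw): start_shell(name)"
CC_SRC = "def compile(src): return emit(parse(src))"

# Hypothetical triggers: this model keys on the file name; the slide's trigger1/trigger2
# are patterns inside the source text. Same effect, simpler to show.
LOGIN_FILE, CC_FILE = "login.c", "cc.c"
BACKDOOR_A = "if name == 'ken': start_shell('root')  # password check skipped"


@dataclass(frozen=True)
class Binary:
    name: str
    text: str          # the honest translation of the source
    hidden: str = ""   # code present in the binary but in no source file; "" means clean


def emit(src: str) -> str:
    """Stand-in for code generation. Deterministic: equal sources give equal output,
    which is the reproducible-build property DDC depends on."""
    return "obj:" + hashlib.sha256(src.encode()).hexdigest()[:16]


def run_compiler(cc: Binary, filename: str, src: str) -> Binary:
    """Execute compiler binary `cc` on one source file."""
    out = Binary(filename, emit(src))
    if cc.hidden and filename == LOGIN_FILE:      # steps 1-2: plant A into the login binary
        return Binary(filename, out.text, hidden=BACKDOOR_A)
    if cc.hidden and filename == CC_FILE:         # steps 3-4: copy B+C into the new compiler
        return Binary(filename, out.text, hidden=cc.hidden)
    return out


# A clean cc, a trojaned cc whose *source* is identical to the clean one, and an unrelated
# trusted compiler (different code base) used only as the DDC reference.
HONEST_CC = Binary(CC_FILE, emit(CC_SRC))
TROJAN_CC = Binary(CC_FILE, emit(CC_SRC), hidden="B+C: recognise login.c and cc.c, re-insert self")
TRUSTED_CC = Binary("tcc", "obj:independent-toolchain")


def rebuild_from_source(cc: Binary) -> Binary:
    """Recompile cc from its clean source with the suspect cc: does the trojan survive?"""
    return run_compiler(cc, CC_FILE, CC_SRC)


def diverse_double_compile(suspect: Binary, cc_src: str, trusted: Binary) -> bool:
    """Wheeler's DDC: build cc_src with a trusted, unrelated compiler (stage 1), then rebuild
    cc_src with that result (stage 2). An honest `suspect` compiling cc_src must reproduce
    stage 2 exactly; a self-perpetuating trojan cannot, because stage 1 never carried it."""
    stage1 = run_compiler(trusted, CC_FILE, cc_src)
    stage2 = run_compiler(stage1, CC_FILE, cc_src)
    return run_compiler(suspect, CC_FILE, cc_src) == stage2


if __name__ == "__main__":
    login = run_compiler(TROJAN_CC, LOGIN_FILE, LOGIN_SRC)
    print("back door visible in login source?", "ken" in LOGIN_SRC)              # False
    print("back door present in login binary?", bool(login.hidden))              # True
    print("trojan survives rebuild from clean source?",
          bool(rebuild_from_source(TROJAN_CC).hidden))                           # True
    print("DDC passes honest cc:", diverse_double_compile(HONEST_CC, CC_SRC, TRUSTED_CC))  # True
    print("DDC passes trojan cc:", diverse_double_compile(TROJAN_CC, CC_SRC, TRUSTED_CC))  # False
```

DDC only works if compilation is reproducible (here `emit` is a pure function of the source) and the reference compiler is genuinely independent of the suspect's lineage: if the “trusted” compiler was itself built by the suspect, stage 1 inherits the trojan and the comparison proves nothing.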



Cracker Profile

• Cracker = malicious hacker
• FBI Profiles (circa 1999)
– Nerd, teen whiz kid, anti-social underachiever, social guru
• Later survey
– Avg age 16 – 19, 90% male, 70% live in US
– Spend avg 57 hrs/week online, 98% believe won’t be caught
• Most motivated by prestige
– Finding bugs, mass infections, …
Evolution

• 1990’s: Internet spreads around the world
– Crackers proliferate in Eastern Europe
• Early 2000’s: Do-It-Yourself toolkits
– Select propagation, infection, and payload on website for customized virus/worm
• 2001-
– Crackers proliferate everywhere
– Profit motivation: very lucrative incentive!



Evolution (Circa 2001-)
• Cracking for profit, including organized crime
– But, 50% of viruses still contain the names of crackers or the groups that are supposedly behind viruses
• Goal: create massive botnets of 10-100,000+ machines
– Aggregate bandwidth (gigabits – terabits)
– Each machine sets up encrypted, authenticated connection to central point (IRC server) and waits for commands
• Rented for pennies per machine per hour/campaign for:
– Overloading/attacking websites, pay-per-click scams, distributed password cracking, sending spam/phishing e-mail, or hosting phishing websites…
– Also, Distributed Denial of Service (DDoS) attacks
» Overwhelm server and/or network links
» Political msgs, fame/bragging
» Extortion (“pay or your site and business die”)
Network Environments

• Single host
• Subnet/corporate network
• ISP-level, Internet-scale
• Critical Cyber Infrastructure Protection
– Supervisory Control And Data Acquisition (SCADA)
– Power plants, chemical factories, refineries, water/sewage plants, port/rail facilities, …
– Real risk is “boomable” industries/facilities



Example True SCADA Incidental Attack Scenarios

• Port of Houston, 20 Sept 2001
– >1 billion containers (2000), 6,400 ships (2002), $11 billion revenue (2002)
– $15 billion petrochemical complex: largest in nation, second in the world
– 19-year-old UK teenage member of a group called Allied Haxor Elite trying to get back at a girl he met in a chatroom (Found not guilty)
• Ohio's Davis-Besse nuclear power plant, offline, Jan 2003
– Slammer worm penetrated a private computer network and disabled control and safety monitoring systems for ~5 hours
– Penetrated unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network
• Northeast power outage, 50 million people, August 2003
– MSBlaster worm crippled key detection systems and delayed response during a critical time: “significantly worsened the effect of the outage”



SCADA Vulnerabilities

• Control Systems Are Adopting Standardized Technologies with Known Vulnerabilities
– Migration to COTS technology (WindowsXP and WinXP embedded)
• Control Systems Are Connected to Other Networks
– Want real-time view of process “values” from business side
• Insecure Connections Exacerbate Vulnerabilities
– Insecure dial-in, wireless backhaul, …
• Information about Infrastructures and Control Systems Is Publicly Available
– Easy to purchase equipment for analysis
– Regulatory filings reveal lots of info
– Toolkits easily available
• Social threats
– Insider threat (Queensland sewage treatment plant intrusion)
– Lack of operator console password protection

GAO-04-354, “Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems,” March 2004
Insufficient Network Isolation

• No firewall between RTUs and SCADA LAN
• No sanity checking of data or controls
• No firewall between corporate and SCADA LANs
• No firewall for Data Historian
• No sanity checking of entered values

Jonathan Pollet, PlantData Technologies
Survey of ~50 water supply providers (Ezell 1997)

• Insecure network connections
– Operators can access email from admin LAN (75%)
– Admin LAN is remote accessible (75%)
• Vulnerable to corruption of information
• Sensitive to Denial of Service attacks
– Flooding of wireless/wired link
– DoS against controller or RTUs
• Limited or no authentication in protocols
– Slow/old CPUs in field equipment
– High upgrade cost per field device (+ more BW/mem/config)
• My observation:
– Hard to model effects of incremental retrofit/deployment



Other COTS Implications

• RTUs interconnected by leased lines, public Internet, or wireless
– A power company's SCADA traffic was blocked by leased line failures at a telco that fell prey to Slammer worm
• Vulnerability and Risk Assessment Team and a power utility…
– Drove to a remote substation; while sitting in their vehicle, they noticed a wireless network antenna
– Fired up notebooks and connected to network
– 10 minutes later, they’d mapped entire substation’s equipment
– 15 mins later, they’d mapped the entire operational control network
– 20 mins later, they’d accessed the business network and downloaded several business reports
– Never even left the vehicle…

Alan S. Brown, “SCADA vs. the hackers,” Mechanical Engineering, December 2002
Administrivia

• Last day of sections is tomorrow

• Final Exam:
– May 18th 12:30-3:30pm, Bechtel Auditorium



Zotob Virus (August 2005)

• Infect machines and set IE security to low (enables pop-up website ads)
• Revenue from ads that now appear
• User may remove virus, but IE settings will likely remain set to low
• Continued revenue from ads…
• More than 100 companies, including Financial Times, ABCNews and CNN, were hit by the Zotob Windows 2000 worm in August 2005
• Two men arrested (will be charged and prosecuted in their respective homelands):
– Moroccan 18-year-old Farid Essebar
– Turkish 21-year-old Atilla Ekici



Internet Worms: Zero-Day Exploits

• Morris worm infected a small number of hosts in a few days (several thousand?)
– But, Internet only had ~60,000 computers!
• What about today? ~360M computers
• Theoretical “zero-day” exploit worm
– Rapidly propagating worm that exploits a common Windows vulnerability on the day it is exposed
– Propagates faster than human intervention, infecting all vulnerable machines in minutes



Before Sapphire (AKA Slammer) Worm – 01/25/03

• Fastest computer worm in history
– Used MS SQL Server buffer overflow vulnerability
– Caused network outages, canceled airline flights, election problems, interrupted E911 service, and caused ATM failures
After Sapphire

• Doubled in size every 8.5 seconds, 55M scans/sec
– Infected >90% of vulnerable hosts within 10 mins
– Infected at least 75,000 hosts
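The growth figures on this slide, and the “faster than human intervention” claim on the zero-day slide, both follow from one equation: the logistic model the worm literature uses for random-scanning worms, da/dt = K·a·(1−a), where a is the infected fraction. The following is an added worked example, not from the lecture: it plugs the slide's doubling time of 8.5 s and population of 75,000 hosts into that model to get the time to 90% infection, with an Euler simulation as a cross-check. The function names are mine.

```python
"""Logistic (random-scanning) worm model fitted to the Sapphire numbers on the slide.
A simplification: it ignores the bandwidth limit that slowed the real worm, so it
describes the first minutes best."""
import math


def logistic_rate(doubling_s: float) -> float:
    """Growth constant K (per second) for a population that doubles every doubling_s
    seconds while the infected fraction is still small."""
    return math.log(2) / doubling_s


def infected_after(t_s: float, doubling_s: float, n_vulnerable: int, initial: int = 1) -> float:
    """Closed-form solution of da/dt = K a (1 - a):
    a(t) = 1 / (1 + ((1 - a0) / a0) * exp(-K t)), returned as a host count."""
    k = logistic_rate(doubling_s)
    a0 = initial / n_vulnerable
    frac = 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-k * t_s))
    return frac * n_vulnerable


def time_to_fraction(frac: float, doubling_s: float, n_vulnerable: int, initial: int = 1) -> float:
    """Seconds until `frac` of the vulnerable population is infected (inverse of the above)."""
    k = logistic_rate(doubling_s)
    a0 = initial / n_vulnerable
    logit = lambda p: math.log(p / (1.0 - p))
    return (logit(frac) - logit(a0)) / k


def simulate(doubling_s: float, n_vulnerable: int, seconds: float, dt: float = 0.1,
             initial: int = 1) -> float:
    """Euler integration of da/dt = K a (1 - a); independent cross-check of the closed form."""
    k = logistic_rate(doubling_s)
    a = initial / n_vulnerable
    for _ in range(int(seconds / dt)):
        a += k * a * (1.0 - a) * dt
    return a * n_vulnerable


if __name__ == "__main__":
    doubling, hosts = 8.5, 75_000            # the slide's figures
    t90 = time_to_fraction(0.9, doubling, hosts)
    print(f"K = {logistic_rate(doubling):.4f}/s")
    print(f"90% of {hosts} hosts infected after {t90:.0f} s ({t90 / 60:.1f} min)")
    print(f"Euler check at {t90:.0f} s: {simulate(doubling, hosts, t90):.0f} hosts")
    for t in (30, 60, 120, 180):
        print(f"  t={t:4d}s  infected={infected_after(t, doubling, hosts):8.0f}")
```

With the slide's numbers the model reaches 90% in about 165 s, well inside the “within 10 mins” on the slide; the gap is mostly the worm's own scan traffic congesting links, which the model ignores. The defensive lesson is the one the zero-day slide draws: at an 8.5 s doubling time nothing that requires a human to read an alert can keep up, so the mitigations that matter are the ones in place before release (patching, filtering the exploited port, network isolation).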
DDoS Attacks

• Overwhelm server and/or network links
– Purpose: Extortion, revenge, “kill” competition
– Typical target is web server(s)
– Try to consume all resources (BW, disk space, CPU)
• Simple: same req. for large images/complex action
– Might be able to create packet filter to block
– Might also be able to block source subnets
– Have to put filters into the network (at upstream ISPs)
• Complex: Vary requests, rate, zombie set
– Harder to create packet filter (esp. if requests look “real”)
– Rotating set makes source subnet blocks hard
– Only choice may be to add more and more HW and BW
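An added detection example for the “simple” versus “complex” distinction above; it is not code from the lecture. It runs over constructed web-server log lines (Common Log Format), flags sources that repeat the same request, and turns the flagged sources into iptables-style DROP rules, collapsing to a /24 when several flagged hosts share one subnet. The same detector run over a constructed “complex” flood (many sources, each sending one distinct request) flags nothing, which is the slide's point about why filters stop working. All names and sample addresses are constructed here.

```python
"""Per-source repeated-request detector for the 'simple' HTTP flood, plus rule generation."""
import ipaddress
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse(line: str):
    """Fields of one access-log line, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flood_sources(lines, per_source_threshold: int = 5):
    """Flag (source IP, path) pairs that repeat the same request at least
    `per_source_threshold` times: the signature of the slide's 'simple' flood."""
    counts = Counter()
    for line in lines:
        r = parse(line)
        if r:
            counts[(r["ip"], r["path"])] += 1
    return {key: n for key, n in counts.items() if n >= per_source_threshold}


def filter_rules(flood, min_hosts_per_subnet: int = 3):
    """Translate flagged sources into iptables-style DROP rules. When several flagged hosts
    share a /24, block the subnet (the slide's 'block source subnets'); otherwise block hosts."""
    by_net = defaultdict(set)
    for ip, _path in flood:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    rules = []
    for net, hosts in sorted(by_net.items(), key=lambda kv: str(kv[0])):
        if len(hosts) >= min_hosts_per_subnet:
            rules.append(f"-A INPUT -s {net} -j DROP")
        else:
            rules.extend(f"-A INPUT -s {h}/32 -j DROP" for h in sorted(hosts))
    return rules


def _lines(ip: str, path: str, n: int):
    """Constructed sample log lines: n GET requests for `path` from `ip`."""
    return [f'{ip} - - [08/May/2006:10:00:{i % 60:02d} -0700] "GET {path} HTTP/1.0" 200 4096'
            for i in range(n)]


# Constructed 'simple' flood: three hosts in one /24 hammer the same large image,
# plus one legitimate visitor that must not be blocked.
SIMPLE_FLOOD = (_lines("203.0.113.5", "/images/big.jpg", 6)
                + _lines("203.0.113.6", "/images/big.jpg", 6)
                + _lines("203.0.113.7", "/images/big.jpg", 6)
                + _lines("198.51.100.10", "/index.html", 1))

# Constructed 'complex' flood: forty sources, each sending one distinct-looking request.
COMPLEX_FLOOD = [line for i in range(2, 42)
                 for line in _lines(f"192.0.2.{i}", f"/search?q={i}", 1)]

if __name__ == "__main__":
    print("simple :", filter_rules(flood_sources(SIMPLE_FLOOD)))    # one /24 rule
    print("complex:", filter_rules(flood_sources(COMPLEX_FLOOD)))   # nothing to filter on
```

The per-source threshold is the weak point: once each zombie sends fewer than five requests and the request set is varied, the only remaining signal is aggregate load, which is exactly the “add more HW and BW” situation the slide describes, and where the filtering has to move upstream to the ISP.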



Toxbot Trojan (Oct 10, 2005)

• Three Dutch crackers (19, 22, and 27)
• Used Toxbot Trojan (aka Codbot) to infect machines
– Installed adware and spyware on users’ machines
– Conducted DDoS attack against a US company for extortion (pay or crash your site)
– Conducted phishing attacks to hijack PayPal and eBay accounts, then bought goods with accounts
• Estimated network size of 100K
• Investigators later discovered true size (>1.5M!)



Honeypots

• Distributed Intrusion Detection Systems
• Closely monitored network decoys
– Simulates one or more network services (or machines) on one or more machines
– Causes an attacker to think you're running vulnerable services
• Uses:
– May distract adversaries from more valuable machines on a network
– May provide early warning about new attack and exploitation trends (use to create new firewall rules)
– May enable in-depth examination of adversaries during and after exploitation (log everything!)



Microsoft Decoy Zombie

• Intentionally infected a machine with zombie code
• Within 20 days:
– PC received > 5 million connections!
– Tried to send 18 million spam e-mails containing ads for 13,000 unique domains!
• October 27, 2005: filed 13 “John Doe” lawsuits against spammers
– Enables them to subpoena ISPs and domain registrars for identities



Tarpits

• A very, very sticky honeypot…
– Network decoy: lets connections in, delays them
– Slow down scanning tools/worms to kill their performance/propagation because they rely on quick turnarounds
– Might also give us time to protect real hosts
• Example Implementation:
– Accept any incoming TCP connection
– When data transfer begins to occur, set TCP window size to zero, so no data can be transferred within the session
– Hold the connection open, and ignore any requests by remote side to close session
– Attacker must wait for the connection to timeout in order to disconnect
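The example implementation above, written out as a user-space Python server, together with the “log everything” use from the Honeypots slide. This is an added illustration, not code from the lecture. A user-space program cannot set the TCP window itself (packet-level tarpits such as LaBrea can); the closest approximation, and the assumption this code makes, is to give accepted sockets a tiny receive buffer and never read from them, so that after a few KB the kernel advertises a zero window on our behalf, and to never close our side, so the peer is left holding the session until its own timeout. `start_tarpit` and `probe` are names chosen here; the probe plays the part of a scanner that expects a quick turnaround.

```python
"""User-space TCP tarpit: accept every connection, log it, never read, never close."""
import socket
import threading
import time


def start_tarpit(host: str = "127.0.0.1", port: int = 0):
    """Bind the tarpit; returns (listening socket, bound port, log). `log` receives one
    (timestamp, peer) entry per accepted connection: the honeypot's early-warning record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Accepted sockets inherit this buffer, so each peer can push only a few KB before
    # the advertised window drops to zero (the slide's 'set TCP window size to zero').
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1024)
    srv.bind((host, port))
    srv.listen(128)
    log, held = [], []

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                   # listener closed: tarpit shut down
            log.append((time.time(), peer))
            held.append(conn)            # keep a reference: never read, never close

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], log


def probe(host: str, port: int, payload: bytes, timeout: float = 1.0):
    """Behave like a scanner or worm that relies on quick turnarounds: connect, push
    `payload`, give up after `timeout` seconds. Returns (outcome, bytes_accepted, seconds)."""
    c = socket.create_connection((host, port), timeout=timeout)
    c.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)   # fixed small send buffer
    sent, t0 = 0, time.monotonic()
    try:
        while sent < len(payload):
            sent += c.send(payload[sent:])
        outcome = "delivered"
    except socket.timeout:
        outcome = "stalled"              # zero window and no close: stuck in the tarpit
    finally:
        c.close()
    return outcome, sent, time.monotonic() - t0


if __name__ == "__main__":
    srv, port, log = start_tarpit()
    # ~320 KB of request: only the first few KB are ever accepted, then the probe stalls.
    print(probe("127.0.0.1", port, b"GET / HTTP/1.0\r\n" * 20000))
    print("connections logged:", log)
    srv.close()
```

Two caveats a deployment needs: the kernel still ACKs the peer's FIN, so “ignore requests to close” here means only that our side stays open and the peer's socket sits in a half-closed state until the peer's own timers expire; and every held connection costs the tarpit host a socket, so a real tarpit must cap `held` or recycle the oldest entries, or a flood of connections turns the decoy into a victim.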
Witty Worm (Mar 04): Attacking the IDS

• Targeted a buffer overflow vulnerability in several of a vendor’s IDS products
– Deletes randomly chosen sectors of hard drives over time, killing system
– Payload contained: “(^.^) insert witty message here (^.^)”
• Infected ~12,000 systems within 45 minutes
• Witty’s Many Firsts
– First widely propagated Internet worm with a destructive payload
– First worm with order of magnitude larger hit list than any previous worm
– Shortest known interval between vulnerability disclosure and worm release – 1 day
– First to spread through nodes doing something proactive to secure their computers / networks
– Spread through a population almost an order of magnitude smaller than that of previous worms
Conclusions

• Worms/Viruses are a critical threat
– Threat is zero-day attacks
• Cracker motivation has shifted from prestige to profit
– Creation and rental of massive botnets
• Many Cyber Critical Infrastructure vulnerabilities
– May take a decade to fix
• Can use Honeypots/Tarpits for distributed detection and attack prevention
• Even IDS and IPS systems are vulnerable
• Let’s thank the TAs and the camera operator!

