Zmap’s Fast Internet Scan Tool Could Spread Zero Days In Minutes

Researchers have released a tool which can scan virtually the entire Internet in less than one hour. In the wrong hands, the tool could confer the ability to uncover  and exploit millions of vulnerable servers in minutes – but security researchers welcome the powers it will give them for good.

Zmap, created at the University of Michigan, uses a stripped-down network stack to quickly send test packets to all the IP version 4 (IPv4) addresses on the Internet, and can be used to gather data about the hosts, including their vulnerability to attack. A powerful research tool, it enabled the researchers to show continuing risk from an UPnP vulnerability.

It could also be also be used by criminals to exploit new (“zero day”) vulnerabilities, infecting millions of hosts within minutes before they can be patched – but researchers are not overly concerned, since the crooks can already do this using stolen resources.

A unique moment in time

The Zmap tool “creates the possibility for an attacker with control of only a small number of machines to scan for and infect all public hosts suffering from a new vulnerability within minutes,” the researchers – led by Professor J Alex Halderman – told the Usenix security conference in Washington, also detailing ways in which it can be used for good.

“Criminals already have the capability to spread zero-days quickly by using botnets or fast-spreading worms, so this isn’t a new kind of threat,” Professor Halderman told TechWeekeurope.  “What ZMap does is level the playing field for legitimate researchers, since it makes fast Internet-wide scanning possible without these kinds of stolen resources.

“Relatively few script kiddies have access to the gigabit-speed networks needed to scan at ZMap’s full speed, but these are available at a growing number of research institutions.”

Zmap could also allow for tracking of individual users even if their ISP changes their IP address, or they physically travel to a different machine. It could also make secure communication possible without knowing the recipient’s address, simply by sending an encrypted package to every address on the Internet.

The tool has been released as open source and can be downloaded for free. It can run on a moderately powerful machine with a fast connection to the Internet and scan 98 percent of the addresses on the Internet within 45 minutes.

It works quickly because the researchers skipped the TCP/IP network stack, creating Ethernet frames directly to make use of 97 percent of the bandwidth of a Gigabit Ethernet network card. It also omitted handshakes and retransmits, so the software simply sends one or more packets to all the addresses – working in a random order so as not to overload any target network. 

The tool is only possible because the Internet is currently all squeezed into the (comparatively) small IP version 4 (IPv4) address space, leaving empty the much larger IP version 6 (IPv6) address space, where a brute force scan would be impossible using current hardware.  “We are living in a unique period”, the researchers said in their talk. “IPv4 can be quickly, exhaustively scanned – IPv6 has not yet been widely deployed.”

UPnP vulnerability tracked

On January 29, HD Moore disclosed vulnerabilities in the UPnP (universal plug and play) protocol by which devices find and use networked resources. The problem affected nearly 7000 products, but many of them had patches available before Moore published his findings. The Mjichigan team scanned the Internet on 11 February, and found 15.7 million publicly addressable UPnP devices, of which 3.4 million were still vulnerable.

“Given that these vulnerable devices can be infected with a single UDP packet, we note that these 3.4 million devices could have been infected in approximately the same length of time – much faster than network operators can reasonably respond or for patches to be applied to vulnerable hosts,” the team said in the paper. “Leveraging methodology similar to ZMap, it would only have taken a matter of hours from the time of disclosure to infect every publicly available vulnerable host.”

The tool was also used to uncover hidden services such as the Tor private network, identifying 86 percent of live Tor “bridges” with a single scan.

Despite the possibility of misuse, the team has released the tool to the public, pointing out that its existence will make people aware that things on the Internet are not hidden by simply not advertising them. Criminals can already perform very similar acts using less efficient tools, because they have access to stolen resources.

The Internet security community welcomed its arrival: “Zmap is just an additional resource to a growing need for Internet measurement,” said Claudio Guarnieri of scanning specialist Rapid7. “There have been other related projects and initiatives like Shodan, Internet Census 2012, Critical.IO and a plethora of academic papers on the topic.”

The benefits of such projects outweigh the possibility of their being used for malicious purposes, said Guarnieri: “Internet worms existed long before any whitehat research on Internet scanning was done. HD Moore, along with my team – Rapid7 Labs – spent the last year performing research on Internet measurement data and the outcomes of that research allowed us to expose several security issues as well as raise awareness on the terrifying state of the Internet as a global network.”

The Michigan team called for legitimate users to be good Internet citizens, co-ordinating their scans with network admins, not overloading target networks, and allowing them to opt out of scans.