Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim

Contents Introduction Objectives Background Worm trace collection methodology Analyzed results Animation of Code-RedⅠ v2 Summary and conclusion

Introduction Virus vs. Worm Some Worms -Virus : -Worm : 1. do not try to break into machines 2. spread by user’s action 3. attach themselves onto other program -Worm : 1. try to break into machines using some vulnerability 2. spread on their own without user action 3. exist as a separate code in memory Some Worms - Morris in Nov 3, 1988 - Lion in Mar, 2001 - WANK in Oct, 1989 - Code-Red in Jul, 2001 - Ramen in Jan, 2001

Objectives Collect packet information generated by Code-Red (How to collect this information and identify Code-Red?) Analyze the spread of Code-Red Trace geographic location and top-level domains in which Code-Red resides.

Background The Chronology of Code-Red outbreak 1. On Jun 18, 2001, eEye released information about a buffer- overflow vulnerability in Microsoft’s IIS web servers. 2. On Jun 26, 2001, Microsoft released a patch for the vulnerability 3. On Jul 12, 2001, Code-RedⅠv1 spread by exploiting the above vulnerability 4. On Jul 19, 2001, Code-RedⅠv2 spread 5. On Aug 4, 2001, Code-RedⅡ spread * Cost of recovering from Code-Red : 2.6 billion dollars

… 1. Code-RedⅠv1 : Characteristics of Code-Red - Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism … 3 2 1

… 1. Code-RedⅠv1 : Characteristics of Code-Red - Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism … 3 1 2

… 1. Code-RedⅠv1 : Characteristics of Code-Red - Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism … 2 3 1 Therefore, the spread is slow

- Identical to Code-RedⅠv1 except that it uses a random seed, so it generates a different list of IP addresses * scanning mechanism 1 5 2 1 4 2 3 3 1 3 2 Therefore, the spread is much faster than Code-RedⅠv1 Intuitively, the rate of infection will be exponential

- set up backdoor ( more dangerous than Code-RedⅠ) - become dormant for a day to avoid being discovered by system administrator (slow infection mechanism) - after rebooting the machine, it begins to spread * scanning mechanism Let’s assume that the infected host IP address is 10.9.8.7 10.0.0.0 Relative amount of probes 10.9.0.0 1/8 10.9.8.7 3/8 X.X.X.X 10.X.X.X 1/2 10.9.X.X Idea : Hosts within the network of an infected host may run the same vulnerable software

Worm trace collection Methodology Three sources used to collect the worm packets - Passive network monitors within /8 network and /16 network - Backup data set from filtering router Worm identification If a host sends at least two TCP SYN packets on port 80 to two different hosts within research network, the host is considered to be infected. Research network /8 network Monitor Filtering router /16 network An infected host trying to probe hosts Monitor

Analyzed result Outbreak of Code-RedⅠ v1 Normal activity of TCP SYN Packets on port 80 Infected hosts by Code-RedⅠv1 - Each Infected host probed the same set of 23 IP addresses into the research network because Code-RedⅠv1 used a static seed

Outbreak of the Code-RedⅠ v2 (infection rate) Cumulative total of unique IP addresses One minute infection rates Detected unique IP addresses ≈ 359,000 Peak infection rate ≈ 2000 hosts /minute

Outbreak of the Code-RedⅠ v2 (deactivation rate) Some infected hosts were patched Infection phase attack phase Cumulative total of deactivated hosts One minute deactivation rate The author’s methodology of identifying worms were not able to distinguish hosts infected with Code-RedⅡ from those Infected with Code-RedⅠv2 because two scanning mechanisms used by Code-RedⅠ v2 and Code-RedⅡ are a little similar (i.e. they use random seed)

Geographic location of Code-Red Ⅰ v2 They made this table by using IxMapping service which is useful to find location of certain host based on its IP address

Top-Level domains in which Code-Red Ⅰ v2 resides They made this table by using NetSizer service

Top 10 domains (ISPs) in which Code-Red Ⅰ v2 resides It shows that machines operated by home users and small businesses are the majority of infected hosts.

Animation Code-RedⅠ v2 Animation of Code-RedⅠv2

Summary and Conclusion This paper shows how to extract various useful information from only logged IP header data (traffic analysis) DHCP inflates the number of infected hosts as measured by IP addresses, whereas NAT deflates the number of compromised IP address. We should consider those two factors in estimating the spread of Internet worms From the worm viewpoint, scanning mechanism is the key to spread fast, while from the defense viewpoint, ISP level solution should be achieved to mitigate Internet worms

… Autonomous System Monitor Infected host Messages are protected Router Worm scanner Worm packets … Hardware compiler Network segment