CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of.
CERT ® Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2004 by Carnegie Mellon University. Some images copyright.

Slide 1: Worm Trends

Slide 2: Overview
Major Internet worms:
- SQL/Slammer
- MS-Blaster
- Welchia/Nachi
- Witty
- Sasser
- Dabber
- Plexus

Slide 3: SQL/Slammer - Jan 25th, 2003
Memory-resident worm that spread via a flaw in the MS SQL Name Resolution service
- 1434/UDP
- Pseudo-random target selection
Points of Interest
- A single packet contained the entire payload (the exploit and the complete worm)
- The attacked service used UDP
- These factors combined allowed the worm to shift its performance bottleneck away from system constraints and network latency to a system constrained only by bandwidth. This allowed a VERY rapid attack pattern.
Slammer's performance came less from design than from circumstances lining up for the attacker, but the lesson on what works was clear. The worm resulted in extensive network congestion and outages and infected most vulnerable hosts in the first minutes after it was released.
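To make the bandwidth-versus-latency point above concrete, here is a small susceptible-infected (SI) propagation model, added as an example and not code from the CERT/CC presentation. It compares a single-packet UDP worm, whose probe rate is set by the uplink, with a TCP worm whose threads each wait a round trip per probe; the link speed, packet size, thread count, RTT and vulnerable-population size are all assumed values.

```python
"""Added example (not from the CERT/CC slides): SI worm model comparing a
single-datagram UDP worm, limited by uplink bandwidth, with a TCP worm
limited by per-probe round-trip latency. All parameter values are assumed."""

ADDRESS_SPACE = 2 ** 32  # targets are chosen uniformly from IPv4 space

def udp_scan_rate(link_bps: float, packet_bytes: int) -> float:
    """Probes/sec for a single-packet UDP worm: one datagram per target,
    sent as fast as the uplink carries them, with no reply to wait for."""
    return link_bps / (packet_bytes * 8)

def tcp_scan_rate(threads: int, rtt_seconds: float) -> float:
    """Probes/sec for a TCP worm: each scanning thread is stalled for
    roughly one round trip (or a timeout) before it can move on."""
    return threads / rtt_seconds

def time_to_infect(fraction: float, vulnerable: int, scans_per_sec: float,
                   initial: int = 1, step: float = 1.0) -> float:
    """Seconds until `fraction` of `vulnerable` hosts are infected, using
    Euler steps of dI/dt = s * I * (N - I) / 2^32: each infected host
    sends s probes/sec and each probe hits a still-vulnerable host with
    probability (N - I) / 2^32."""
    if scans_per_sec <= 0 or vulnerable <= initial or not 0 < fraction < 1:
        raise ValueError("need s > 0, N > I0 and 0 < fraction < 1")
    infected, t, target = float(initial), 0.0, fraction * vulnerable
    while infected < target:
        new = step * scans_per_sec * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)
        t += step
    return t

def compare(vulnerable: int = 75_000) -> dict:
    """Assumed scenario: 10 Mbit/s uplink and a 400-byte datagram for the
    UDP worm; 50 threads and a 250 ms round trip for the TCP worm."""
    udp = udp_scan_rate(10e6, 400)  # 3125 probes/s
    tcp = tcp_scan_rate(50, 0.25)   # 200 probes/s
    return {
        "udp_probes_per_sec": udp,
        "tcp_probes_per_sec": tcp,
        "udp_seconds_to_90pct": time_to_infect(0.9, vulnerable, udp),
        "tcp_seconds_to_90pct": time_to_infect(0.9, vulnerable, tcp),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>22}: {value:,.0f}")
```

With these assumptions the UDP worm reaches 90% of the vulnerable population in roughly four minutes while the TCP worm needs over an hour, which is why a bandwidth-limited worm leaves almost no window for a reactive response.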

Slide 4: Blaster - Aug 11th, 2003
Attacked via a flaw in the MS RPC service
- 135/TCP
- Semi-sequential scanning algorithm that started locally
- DDoS code programmed to attack windowsupdate.com
- Used TFTP and bind shellcode to propagate
Points of Interest
- Attacked a core OS service rather than an application
- Directly based on public exploit code
- SYN flood DDoS attack feature, which became common in subsequent Malware
- Crashed the RPC service after the remote shell was terminated (after infection) because of a poor function call choice
Blaster attacked a core OS service. This meant there was a large vulnerable population to exploit. After Blaster, an increase in embedded DDoS code was seen. Additionally, there was active discussion of the code that caused the RPC service to crash. This issue was fixed in a manual exploit shortly before the worm was released. The community had learned from the mistake.

Slide 5: Welchia/Nachi - Aug 18th, 2003
Basic purpose was to kill MSBlast, patch the vulnerability used by Blaster (and by itself), and then delete itself after Jan 1, 2004
Points of Interest
- Attempt at a “white” worm
- Pre-attack ping testing, which improved scanning speed
- Patched the vulnerability
- Programmed to delete itself after Jan 1, 2004
The lesson learned from this worm was the unpredictable nature of worms once released into the wild. Traffic from the scanning routine caused network congestion and outages.
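The two scanning behaviours described on the Blaster and Welchia/Nachi slides, a sequential walk of 135/TCP and an ICMP echo sweep ahead of the 135/TCP probes, are both visible in flow logs. The detector below is an added example, not code from the CERT/CC presentation; its flow records, addresses and thresholds are constructed for illustration.

```python
"""Added example (not from the CERT/CC slides): flag sources whose flows
look like a Blaster-style sequential 135/TCP scan or a Nachi-style ICMP
sweep of the hosts later probed on 135/TCP. Records and thresholds are
constructed; tune the thresholds to your own network before use."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (src, dst, proto, dport); dport is None for ICMP.
# 10.0.0.5 pings 10.0.1.1-12, then probes 135/TCP on the hosts that answered.
FLOWS = [("10.0.0.5", f"10.0.1.{i}", "icmp", None) for i in range(1, 13)]
FLOWS += [("10.0.0.5", f"10.0.1.{i}", "tcp", 135) for i in (2, 5, 7, 9)]
# 10.0.0.9 walks 135/TCP through consecutive addresses.
FLOWS += [("10.0.0.9", f"10.0.2.{i}", "tcp", 135) for i in range(20, 36)]
# 10.0.0.3 is a normal host with two unrelated 135/TCP flows.
FLOWS += [("10.0.0.3", "10.0.3.10", "tcp", 135), ("10.0.0.3", "10.0.4.44", "tcp", 135)]

def sequential_fraction(addresses):
    """Fraction of consecutive distinct destinations (in first-contact
    order) that are adjacent IPs; 1.0 means a strict linear walk."""
    seen, ordered = set(), []
    for a in addresses:
        if a not in seen:
            seen.add(a)
            ordered.append(int(ip_address(a)))
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for x, y in zip(ordered, ordered[1:]) if y - x == 1)
    return steps / (len(ordered) - 1)

def classify(flows, min_targets=8, min_sequential=0.8):
    """Return {src: [findings]} for sources whose 135/TCP and ICMP traffic
    matches either worm pattern. Thresholds are assumed values."""
    rpc, pinged = defaultdict(list), defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc[src].append(dst)
        elif proto == "icmp":
            pinged[src].add(dst)
    findings = defaultdict(list)
    for src, dsts in rpc.items():
        if len(set(dsts)) >= min_targets and sequential_fraction(dsts) >= min_sequential:
            findings[src].append("sequential 135/tcp scan")
        if len(pinged[src]) >= min_targets and set(dsts) <= pinged[src]:
            findings[src].append("icmp sweep covering all 135/tcp targets")
    return dict(findings)

if __name__ == "__main__":
    for src, tags in classify(FLOWS).items():
        print(src, "->", ", ".join(tags))
```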

Slide 6: Witty - March 19th, 2004
Attacked a flaw in the ISS product's Protocol Analysis Module (PAM)
- Targeted random UDP ports (the port was not relevant because of the PAM processing method)
- Random IP selection
- DESTRUCTIVE worm: attempted to delete data at random disk locations
Points of Interest
- Destructive payload; this is rare in Malware for at least the following reasons:
  » Hard to generate money with this kind of attack
  » Eventually destroys the infected host and kills itself through disk rot
- Released less than 2 days after the public announcement
- Launched via a BOT network, with ~100 starting points for the worm
This worm was efficient, destructive and highly targeted. The use of BOT nets to launch the worm worked well and proved the value of bots in spreading worms.

Slide 7: Sasser - April 30th, 2004
Attacked a flaw in the MS LSASS service (MS bulletin MS04-011)
- 445/TCP
- Multiple target selection methods
Points of Interest
- Insecure code: implemented an FTP daemon that itself contained a buffer overflow vulnerability
- A later variant used the pre-attack ping seen in Nachi
- Attempts to kill certain variants of the Bagle virus
- Netsky virus authors claimed authorship
The two main points of interest in this code are the insecure code it introduced to the system and the possibility that it was used as a combat weapon against a rival intruder group.

Slide 8: Dabber - May 13th, 2004
Attacked systems already infected with the Sasser worm via the vulnerability introduced by the Sasser FTP daemon code. Installed a backdoor shell for future control of the host.
Points of Interest
- Exploited a vulnerability in existing Malware
Showed the ability of the Malware community to discover and leverage weaknesses in their “competitors'” products to gain “market share”. The expected result will be an improvement in the secure coding skills of Malware authors.

Slide 9: Plexus - June 3rd, 2004
~322 days from vendor vulnerability announcement to worm
Worm that also included other attack techniques, such as P2P and network attack; it attempted to exploit the MSRPC vulnerability from almost a year before. Its ultimate goal was the spread of a Trojan that captures personal information. It also installed backdoor and proxy code on the host.
Points of Interest
- Served as transport for other Malware. The use of the worm to install personal-information-stealing code represents the main motivation of the Malware development community: money.
Spreading malware via worm propagation has potential against individual user systems because, even though the worm is very noisy and easily detected by organizations, home users are less likely to notice the infection. Exploiting older vulnerabilities also fits this target audience, because home users are also less likely to be up to date on patches.

Slide 10: Lessons
- Attacking UDP services can be far more efficient
- Enhancements in scanning algorithms
- Optimize code size to improve performance
- Bot nets as launching points for worms
- Worms for combat with rivals
- Worms can be efficient transport for other Malware

Slide 11: Trends
- Propagation vs. payload: greater emphasis on purpose after spreading (e.g., DoS, patching, backdoors, harvesting information)
- Target platform: Windows worms much more common than worms for other platforms (e.g., Linux, Solaris, etc.)
- Financial incentives are increasing: follow the money
- Targeting end-users rather than infrastructure

Slide 12: CERT® Contact Information
CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA, USA
Hotline: CERT personnel answer 8:00 a.m. to 5:00 p.m. EST (GMT-5) / EDT (GMT-4), and are on call for emergencies during other hours.
Fax:
Web: