Chapter 7 Worms

Worms
• We’ve previously discussed worms
• Here, consider 2 in slightly more depth
  o Xerox PARC (1982)
  o Morris Worm (1988)
• Recall also discussion of Slammer…

History
• “Worm” mentioned in fiction in 1975
  o The Shockwave Rider by John Brunner
  o Next slide…

History
“I guess you all know about tapeworms...? Good. Well, what I turned loose in the net yesterday was the... father and mother of all tapeworms.... My newest---my masterpiece---breeds by itself.... By now I don't know exactly what there is in the worm. More bits are being added automatically as it works its way to places I never dared guess existed.... And---no, it can't be killed. It's indefinitely self-perpetuating so long as the net exists. Even if one segment of it is inactivated, a counterpart of the missing portion will remain in store at some other station and the worm will automatically subdivide and send a duplicate head to collect the spare groups and restore them to their proper place.”
(The Shockwave Rider, John Brunner, 1975)

History
• Xerox Palo Alto Research Center
  o Xerox PARC
• Established 1970
  o To create “the office of the future”
• Helped create laser printers, Ethernet, the modern PC, the GUI, VLSI
• The original Apple Macintosh was heavily influenced by the “Alto”

Xerox PARC
• Developed a program so unused CPU cycles could be put to use
  o Use your machine for parallel processing when not busy with your work
• “Worm” to manage the machines
  o Composed of “segments”, which is why they called it a worm
  o One segment per machine
  o Segments communicated with each other

Xerox PARC
• “Worm” had many safety features
  o For example, no disk access
  o Also, could be shut down
• Key insights
  o Managing growth is difficult
  o Stability is difficult to maintain

Morris Worm
• “Internet Worm” of 1988
• Major wake-up call…
• Three stages
• Stage 1: Get access
  o Sendmail: debug command
  o Finger: read input using “gets” (no bounds checking…)
  o rexec and password guessing (or rsh)

Morris Worm
• Stage 2: Grappling hook
  o Once a remote shell was obtained, send, compile, and run a small C program
  o Code sent as source, so immune to damage by the communication channel
    - Only passed seven bits out of eight
    - Would have destroyed an executable file
  o Retrieve several executables until it found one that worked

Morris Worm
• Stage 3: Propagate
  o Used some stealth: named itself “sh”
  o Cleaned up (removed source code, etc.)
  o Prevented “core dump”
  o Propagated by looking at network routing tables and other local resources
  o Had no destructive payload

Propagation
• Humans are slow compared to networks
  o “Fast burners”
  o Warhol worms
  o Flash worms
  o Surreptitious (or slow) worms: later
• How can a worm propagate faster?
  o Can’t use too much bandwidth…

Propagation
• How to propagate faster
  o Shorten initial startup time
  o Minimize contention between instances of the worm
  o Increase the rate at which targets are probed
  o Use low-overhead protocols (UDP vs TCP)
• Recall that Slammer used UDP

Propagation
• Surreptitious worm
  o That is, a slow worm
• Slow infection rate
  o Hide in normal traffic
  o Hard to detect
• Create a zombie army
  o What good is that?
• A lot like modern botnets

Initial Seeding
• How to start the worm
• A single instance?
  o Slow initial growth
  o Easier to trace
• Multiple instances?
  o Faster initial growth
  o Use wireless networks, spam, botnets
  o Other?

Finding Targets
• IP numbers
  o IPv4, that is
• Worms “scan” for targets
  o Search for vulnerable IP addresses
• How to scan?

Finding Targets
• How to scan?
• Random
  o Used in Code Red and Slammer
• Localized
  o Favor machines on the same network
  o Why?
• Hit list
  o Avoids contention, speeds initial spread

Finding Targets
• Permutation scanning
  o Treat the IP address space as a sequence
  o Each worm instance selects a random starting point
  o Each time a previously-infected machine is found, select a new starting point
  o Can be used to detect (near) saturation
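A worked model, added here and not part of the lecture, of two points from the slides above: the Initial Seeding / hit-list choice (one instance versus many at tick 0) and permutation scanning with random restarts and its ability to notice (near) saturation. It runs over an abstract address space of integers and sends nothing; the names simulate and SATURATION_HITS and the 16-hit stopping rule are assumptions of this example, not values from the slides or the papers they summarize.

```python
"""Toy outbreak model for two topics above: initial seeding (one instance vs. a
hit list) and permutation scanning's self-detection of saturation.  Constructed
teaching code: addresses are the integers 0..size-1, nothing is sent anywhere."""
import random

SATURATION_HITS = 16  # consecutive already-infected hits before an instance stops

def simulate(strategy, size=2048, initial=1, seed=1, max_ticks=10_000):
    """strategy "random": every probe targets a uniformly random address.
    strategy "permutation": all instances walk one shared permutation from a
    random start and restart elsewhere whenever they hit an infected address.
    initial: addresses infected at tick 0 (1 = single seed, more = hit list).
    Every active instance sends one probe per tick.  Returns summary stats."""
    rng = random.Random(seed)
    infected = [False] * size
    perm = list(range(size))                 # scan order shared by all instances
    rng.shuffle(perm)
    instances = []                           # [perm position, hit streak, active]
    for host in rng.sample(range(size), initial):
        infected[host] = True
        instances.append([rng.randrange(size), 0, True])
    count, probes, ticks_to_half = initial, 0, None
    for tick in range(1, max_ticks + 1):
        spawned = []
        for inst in instances:
            if not inst[2]:
                continue
            probes += 1
            if strategy == "random":
                target = rng.randrange(size)
            else:
                target, inst[0] = perm[inst[0] % size], inst[0] + 1
            if not infected[target]:
                infected[target] = True
                count += 1
                inst[1] = 0
                spawned.append([rng.randrange(size), 0, True])
            elif strategy == "permutation":
                inst[1] += 1
                inst[0] = rng.randrange(size)    # restart from a fresh point
                if inst[1] >= SATURATION_HITS:
                    inst[2] = False              # space looks saturated: go quiet
        instances.extend(spawned)
        if ticks_to_half is None and 2 * count >= size:
            ticks_to_half = tick
        active = sum(1 for i in instances if i[2])
        # random scanners never learn they are done; permutation instances do
        if count == size if strategy == "random" else active == 0:
            break
    return {"infected": count, "active": active, "probes": probes, "ticks": tick, "ticks_to_half": ticks_to_half}
```

For a defender the interesting outputs are ticks_to_half (how little time a hit-list seeded outbreak leaves for detection) and the fact that only the permutation run ends with every instance quiet, which is the saturation signal the slide refers to.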

Finding Targets
• Topological scanning
  o Actual network topology
  o Topology of a social network
  o “Topology” of users’
  o IM worm
• Morris Worm used topological scanning
  o Was this a good idea for the Morris Worm?

Finding Targets
• Passive scanning
  o Wait for useful info to come to you
  o Sniff network traffic for…
    - Valid IP addresses
    - Operating systems and services
    - Network traffic patterns
• Other scanning strategies?
  o Santy worm used Google

Worms: The Bottom Line
• A well-designed worm…
  o Virus-like concealment
  o Exploits technical/human weaknesses
  o Hijacks legitimate transactions
  o Rapid (or slow) spreading
• Worms are a potent type of malware
• Equally potent defenses are needed
  o Next chapter