Active Worms
CSE 4471: Information Security

Active Worm vs. Virus
Active Worm – A program that propagates itself over a network, reproducing itself as it goes
Virus – A program that searches out other programs and infects them by embedding a copy of itself in them

Active Worm vs. DDoS
Propagation
– Active worm: from few to many
– DDoS: from many to few
Relationship
– Active worm can be used for network reconnaissance, preparation for DDoS

Instances of Active Worms (1)
Morris Worm (1988) [1]
– First active worm; took down several thousand UNIX machines on the Internet
Code Red v2 (2001) [2]
– Targeted, spread via MS Windows IIS servers
– Launched DDoS attacks on the White House, other IP addresses
Nimda (2001, NetBIOS, UDP) [3]
– Targeted IIS servers; slowed down Internet traffic
SQL Slammer (2003, UDP) [4]
– Targeted MS SQL Server, Desktop Engine
– Substantially slowed down Internet traffic
MyDoom (2004–2009, TCP) [5]
– Fastest spreading worm (by some estimates)
– Launched DDoS attacks on SCO Group

Instances of Active Worms (2)
Jan. 2007: Storm [6]
– attachment downloaded malware
– Infected machine joined a botnet
Nov. 2008–Apr. 2009: Conficker [7]
– Spread via vulnerability in MS Windows servers
– Also had botnet component
Jun.–Jul. 2009, Mar.–May 2010: Stuxnet [8–9]
– Aim: destroy centrifuges at Natanz, Iran nuclear facility
– “Escaped” into the wild in 2010
Aug. 2011: Morto [10]
– Spread via Remote Desktop Protocol
– OSU Security shut down RDP to all OSU computers

How an Active Worm Spreads
Autonomous: human interaction unnecessary
[Figure: from an infected machine, (1) Scan, (2) Probe, (3) Transfer copy]

Conficker Worm Spread
[Figure: Conficker spread by country; data normalized for each country. Source: [7]]

Scanning Strategy
Random scanning
– Probes random addresses in the IP address space (CRv2)
Hitlist scanning
– Probes addresses from an externally supplied list
Topological scanning
– Uses information on the compromised host ( worms, Stuxnet)
Local subnet scanning
– Preferentially scans targets that reside on the same subnet (Code Red II & Nimda)

Techniques for Exploiting Vulnerabilities
Morris Worm
– fingerd (buffer overflow)
– sendmail (bug in “debug mode”)
– rsh/rexec (guess weak passwords)
Code Red, Nimda, etc. (buffer overflows)
Tricking users into opening malicious attachments

Worm Exploit Techniques
Case study: Conficker worm
– Issues malformed RPC (TCP, port 445) to Server service on MS Windows systems
– Exploits buffer overflow in unpatched systems
– Worm installs backdoor, bot software invisibly
– Downloads executable file from server, updates itself
Workflow: see backup slides Conficker Workflow (1), (2)
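A defender-side view of the scan step in the Conficker case study above: added example code, not from the slides, that flags sources reaching many distinct hosts on TCP/445 (the port Conficker's exploit used) within a short window and estimates their scan rate. The flow records are constructed, and the window and threshold values are assumptions.

```python
"""Flag hosts whose TCP/445 traffic looks like worm scanning (added example).
Flow records are constructed; thresholds are assumptions, not values from the slides."""
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, proto)
FLOWS = (
    # a worm-like host: 30 distinct hosts probed on 445 within 2.9 s
    [(k * 0.1, "10.0.0.5", f"10.0.1.{k + 1}", 445, "tcp") for k in range(30)]
    # a normal SMB client: 40 connections, all to the same file server
    + [(k * 0.5, "10.0.0.9", "10.0.0.2", 445, "tcp") for k in range(40)]
    # an admin host: 5 distinct servers on 445 (below the threshold)
    + [(k * 1.0, "10.0.0.3", f"10.0.2.{k + 1}", 445, "tcp") for k in range(5)]
    # a web browser: many distinct hosts, but not on the port of interest
    + [(k * 0.2, "10.0.0.8", f"93.184.216.{k + 1}", 80, "tcp") for k in range(50)]
)

def find_scanners(flows, port=445, window=60.0, min_distinct=20):
    """Return {src: (max_distinct_dst_in_window, flows_per_second)} for every source
    that reached at least `min_distinct` distinct hosts on `port` within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == port and proto == "tcp":
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window, lo, best = Counter(), 0, 0   # sliding window over this source's flows
        for ts, dst in events:
            in_window[dst] += 1
            while events[lo][0] < ts - window:    # expire flows older than the window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_distinct:
            span = events[-1][0] - events[0][0]
            rate = len(events) / span if span > 0 else float(len(events))
            hits[src] = (best, rate)
    return hits

if __name__ == "__main__":
    for src, (distinct, rate) in find_scanners(FLOWS).items():
        print(f"{src}: {distinct} distinct hosts on 445, ~{rate:.1f} flows/s")
```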

Worm Behavior Modeling (1)
Propagation model mirrors an epidemic:
V: total # of vulnerable nodes
N: size of address space
i(t): percentage of infected nodes among V
r: an infected node’s scanning speed

Worm Behavior Modeling (2)
Multiply (*) by V ⋅ dt and collect terms:

Modeling the Conficker Worm
This model’s predicted worm propagation is similar to Conficker’s actual propagation
[Figure: Conficker’s propagation. Sources: [7], Fig. 2; [8], Fig. 4]

Practical Considerations
This model assumes machine state: vulnerable → infected
– In reality, countermeasures slow worm infection
Infected machines can be “cleaned” (removed from epidemic)
– State: vulnerable → infected → removed
Attackers may limit, vary worm scan rate
– Complicates mathematical models
Need time-varying parameters for number of removed hosts R(t), worm scan rate r(t)
– Resulting differential equations are complex, cannot be solved using calculus alone
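The propagation model of Worm Behavior Modeling (1)/(2) and the extensions of Practical Considerations, integrated numerically as an added example (not from the slides): the standard simple epidemic form di/dt = (rV/N) i (1 − i) in the slides' symbols, plus an assumed SIR-style cleaning rate γ for removed hosts R(t) and a caller-supplied r(t). Population, scan-rate and initial-infection values are constructed, chosen to be in the range of the Code Red v2 figures in the Summary.

```python
"""Simple epidemic model of worm propagation, integrated with Euler steps (added example).
Parameter values are constructed; the cleaning term gamma is an assumed SIR-style extension."""

N_IPV4 = 2 ** 32  # size of the IPv4 address space, the slides' N

def step(I, R, V, N, rt, gamma, dt):
    """One Euler step. Each infected host scans rt addresses per second; a scan hits a
    still-vulnerable host with probability (V - I - R) / N. Cleaned hosts move to R."""
    new_inf = rt * I * (V - I - R) / N * dt
    cleaned = gamma * I * dt          # assumed: infected hosts are cleaned at rate gamma
    return I + new_inf - cleaned, R + cleaned

def simulate(V, N, r, I0, T, dt=1.0, gamma=0.0, scan_rate=None):
    """Integrate from t=0 to T seconds; returns (I, R) at time T.
    scan_rate(t), if given, overrides the constant r (the time-varying r(t) of the slides)."""
    I, R, t = float(I0), 0.0, 0.0
    while t < T:
        rt = scan_rate(t) if scan_rate else r
        I, R = step(I, R, V, N, rt, gamma, dt)
        t += dt
    return I, R

def time_to_fraction(V, N, r, I0, frac, dt=1.0, gamma=0.0, scan_rate=None, max_t=10 * 86400):
    """Seconds until I(t)/V >= frac, or None if that is not reached within max_t seconds."""
    I, R, t = float(I0), 0.0, 0.0
    while t < max_t:
        if I / V >= frac:
            return t
        rt = scan_rate(t) if scan_rate else r
        I, R = step(I, R, V, N, rt, gamma, dt)
        t += dt
    return None

if __name__ == "__main__":
    V, r, I0 = 360_000, 6.0, 10   # constructed: ~360k vulnerable hosts, 6 scans/s, 10 seeds
    t90 = time_to_fraction(V, N_IPV4, r, I0, 0.9)
    print(f"90% of {V} vulnerable hosts infected after {t90 / 3600:.1f} h (no countermeasures)")
    I14, R14 = simulate(V, N_IPV4, r, I0, 14 * 3600, gamma=1e-4)
    print(f"with cleaning at 1e-4/s: {I14:.0f} infected, {R14:.0f} removed after 14 h")
    throttled = lambda t: r if t < 2 * 3600 else r / 4   # attacker lowers the scan rate after 2 h
    t90_slow = time_to_fraction(V, N_IPV4, r, I0, 0.9, scan_rate=throttled)
    print(f"with throttled scanning: 90% reached after {t90_slow / 3600:.1f} h")
```

Swapping the constant r for a function of t, or setting gamma > 0, is all that is needed to reproduce the complications the slide lists; nothing here is solved in closed form.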

Summary
Worms can spread quickly:
– 359,000 hosts in under 14 hours
Home / small business hosts play a significant role in global Internet health
– No system administrator ⇒ slow response
– Can’t estimate infected machines by # of unique IP addresses: DHCP effect apparently real, significant

References (1)
1. Wikipedia, “Morris worm.”
2. Wikipedia, “Code Red (computer worm),” https://en.wikipedia.org/wiki/Code_Red_worm
3. Wikipedia, “Nimda.”
4. Wikipedia, “SQL Slammer.”
5. Wikipedia, “MyDoom.”
6. Wikipedia, “Storm worm.”
7. Wikipedia, “Conficker.”
8. D. E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, 1 Jun. 2012, middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
9. N. Falliere, L. O. Murchu, and E. Chien, Symantec, “W32.Stuxnet,” Feb. 2011.
10. T. Bitton, “Morto Post Mortem: Dissecting a Worm,” 7 Sep. 2011.
11. Cooperative Association for Internet Data Analysis (UCSD), “The Spread of the Code-Red Worm (CRv2),” 2001, coderedv2_analysis.xml

References (2)
12. Cooperative Association for Internet Data Analysis (UCSD), “Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope,” 2009.
13. C. C. Zou, W. Gong, and D. Towsley, “Code Red Worm Propagation Modeling and Analysis,” Proc. ACM CCS.
14. P. Porras, H. Saidi, and V. Yegneswaran, 19 Mar. 2009.

Backup Slides

Conficker Workflow (1)
[Figure: Conficker’s exploitation workflow. Source: [14], Fig. 1]

Conficker Workflow (2)
[Figure: Conficker’s self-update workflow. Source: [14], Fig. 3]