Mobile Code and Worms By Mitun Sinha Pandurang Kamat 04/16/2003.

WORMS

What are network worms?
- Worms, formally known as "Automated Intrusion Agents", are software components that are capable, by their own means, of infecting a computer system and using it in an automated fashion to infect another system.
- A virus, by contrast, can't spread/infect on its own.

What can these "cute creatures" do?
- Infect and take over a large number of Internet hosts... turn them into zombies.
- These hosts can then be used to:
  - launch a massive Distributed Denial of Service (DDoS) attack.
  - access sensitive information on the hosts.
  - inject false or malicious information into networks.
- The worm-based attack model provides:
  - "ease" of automation.
  - penetration fuelled by speed and aggressiveness.

Components of a worm
- Reconnaissance capability
- Attack capability
- Command interface
- Communication capability
- Intelligence capability

Reconnaissance
- Target identification
  - Active methods: scanning
  - Passive methods: OS fingerprinting, traffic analysis

Attacks
- Exploits: buffer overflow, cgi-bin etc.
- Generally involves privilege escalation
- Two components: local and remote

Command Interface
- Interface to the compromised system: root/administrative shell, network client
- Accepts commands from: a person, other worm siblings

Communications
- Information transfer: network vulnerability information, commands and data, etc.
- Network clients to various services
- Stealth issues handled much the same way as "rootkits"

Intelligence
- Knowledge of other siblings: the worm system may maintain a list of infected nodes (centralized or distributed)
- The infected machines can then be put to use by instructing them through the command interface

Morris Worm (November 1988)
- First malicious worm. (In 1982 some worms were written at Xerox PARC for doing legitimate networking tasks.)
- Exploits: sendmail (malformed input) and finger daemon (buffer overflow) on VAX and Sun machines.
- Used trust relationships amongst the hosts to spread
- No command interface
- Infected 6000 hosts (10% of the Internet)

Code Red I (July 2001)
- Began: July 12, 2001
- Exploit: Microsoft IIS web servers (buffer overflow)
- Named "Code Red" because:
  - the folks at eEye Security worked through the night to identify and analyze this worm, drinking "Code Red" (Mountain Dew) to stay up.
  - the worm defaced some websites with the phrase "Hacked by Chinese"
- Version 1 did not infect too many hosts due to the use of a static seed in the random number generator.
- Version 2 came out on July 19th with this "bug" fixed and spread rapidly.
- The worm's behavior each month:
  - 1st to 19th: spread by infection
  - 20th to 28th: launch DoS
  - on the 28th till end of month: take rest.
- Infected 359,000 hosts in under 14 hours.

Cumulative total of unique IP addresses infected by the first outbreak of Code-Red-I v2. (Source: "Code-Red: a case study on the spread and victims of an internet worm", Moore et al.)

Worms-2... The Next Generation
- Warhol worms: infecting most of the targets in under 15 min.
  - "In the future, everybody will be world-famous for 15 minutes." -- Andy Warhol
- "How to 0wn the Internet in Your Spare Time". Weaver et al., Usenix '02 [Weav02].
- Combination of "hit-list" scanning and "permutation" scanning.
- Source: [Weav02]

SQL Slammer (Jan 2003): The future is NOW!
- Began: January 25th. (Also known as "Sapphire".)
- Exploit: Microsoft SQL Server (buffer overflow)
- Contains a simple, fast scanner in a 376-byte worm inside a UDP packet.
  - All it did was send this packet to UDP port
- The first "Warhol" worm:
  - doubled in size every 8.5 seconds (Code Red doubled every 37 min).
  - infected more than 90% of vulnerable hosts within 10 minutes.
- No malicious payload, but jammed networks worldwide with traffic: affected businesses, ATM machines, grounded flights etc.
- Flaws:
  - too aggressive in scanning; countered its own growth quickly by eating up bandwidth.
  - an error in the random number generator caused elimination of quite a lot of the search space.
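The growth figures on the Code Red and Slammer slides (doubling every 37 min versus every 8.5 s, 359,000 hosts in under 14 hours, 90% of victims in 10 minutes) all follow from the logistic random-scanning model used in [Weav02]. The Python below is an added example, not code from the presentation or from any of the cited papers: it carries that model through for both worms and also reproduces, in miniature, the static-seed defect that crippled Code Red v1. The vulnerable-population sizes (359,000 for Code Red, 75,000 for Slammer) and the PRNG seeds are assumptions made for the example; the page gives infection counts, not population sizes.

```python
"""Logistic (random-scanning) worm growth model and the static-seed effect.

Added example, not from the slides or the cited papers.
"""
import math
import random


def growth_rate(doubling_time_s: float) -> float:
    """Per-second growth constant K from the early-phase doubling time."""
    return math.log(2) / doubling_time_s


def infected_fraction(t_s: float, doubling_time_s: float, a0: float) -> float:
    """Fraction of the vulnerable population infected at time t.

    Closed-form solution of da/dt = K * a * (1 - a): every infected host finds
    new victims at a rate proportional to the fraction still uninfected, so
    growth is exponential early on and slows as targets run out.
    """
    k = growth_rate(doubling_time_s)
    e = math.exp(k * t_s)
    return a0 * e / (1 - a0 + a0 * e)


def time_to_fraction(doubling_time_s: float, a0: float, target: float) -> float:
    """Seconds until the infected fraction reaches `target` (0 < target < 1)."""
    k = growth_rate(doubling_time_s)
    return math.log(target * (1 - a0) / ((1 - target) * a0)) / k


def distinct_targets(instances: int, scans_each: int, static_seed: bool,
                     address_space: int = 2 ** 32) -> int:
    """Distinct addresses probed in total by `instances` copies of a scanner.

    With a static seed every copy walks the same pseudo-random sequence, so
    extra copies add no new targets (the Code Red v1 defect); with per-copy
    seeds the sequences are independent and coverage grows with copies.
    """
    seen = set()
    for i in range(instances):
        # Constructed seeds: one shared value, or one value per copy.
        rng = random.Random(12345 if static_seed else 12345 + i)
        for _ in range(scans_each):
            seen.add(rng.randrange(address_space))
    return len(seen)


if __name__ == "__main__":
    # Assumed population sizes (see lead-in); doubling times are from the slides.
    for name, doubling_s, population in (("Code Red I v2", 37 * 60, 359_000),
                                         ("SQL Slammer", 8.5, 75_000)):
        t = time_to_fraction(doubling_s, 1 / population, 0.9)
        print(f"{name}: 90% of {population} hosts after {t / 60:.1f} min (pure model)")
    print("static seed, 50 copies:", distinct_targets(50, 1000, True))
    print("fresh seeds, 50 copies:", distinct_targets(50, 1000, False))
```

The pure model gives Code Red about 13 hours to reach 90%, matching the slide's "under 14 hours", but gives Slammer under three minutes rather than the observed ten: the difference is the flaw the slide names, since Slammer saturated its own links and the logistic model assumes unlimited scan bandwidth. The `distinct_targets` comparison shows why a fixed seed is fatal to a scanning worm and, conversely, why defenders saw Code Red v1 re-probe the same addresses.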

SQL Slammer (Jan 2003) -- "The worm that ate the Internet!" Source:

Conclusion
- Worms have been around for a while and are evolving constantly:
  - increase in hiding tools
  - morphing worms
  - Warhol worms
  - stealth worms
- Defenses should evolve too:
  - enforce fundamentals strictly: security patches, NIDS etc.
  - increase depth of defense, not just the perimeter
  - rapid analysis and response (counter-attack)
  - changing strategies to detect dynamic worms
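The conclusion's call for NIDS and for new ways to detect dynamic worms is easiest to see on flow data. A random-scanning worm like the one on the Slammer slide (a single fixed-size UDP packet sent to one target after another) shows up as one source reaching many distinct destinations in seconds with every flow the same shape. The Python below is an added example, not code from the presentation: the flow records, addresses, port number, window and threshold are all constructed for it.

```python
"""Scanning-worm detector over flow records (added example, not from the slides)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float     # seconds
    src: str
    dst: str
    proto: str    # "udp" or "tcp"
    dport: int
    size: int     # payload bytes


SCANNED_PORT = 9999  # constructed port for the example


def build_sample_flows() -> List[Flow]:
    """Constructed sample: one scanning host, one DNS client, one web client."""
    flows: List[Flow] = []
    # Scanner: 376-byte UDP payloads to 300 distinct hosts in about two seconds.
    for i in range(300):
        flows.append(Flow(10.0 + i * 0.0066, "192.0.2.7",
                          f"10.{i >> 8}.{i & 255}.1", "udp", SCANNED_PORT, 376))
    # DNS client: 40 queries of varying size to two resolvers.
    for i in range(40):
        flows.append(Flow(9.0 + i * 0.3, "192.0.2.20",
                          "10.9.0.53" if i % 2 else "10.9.1.53", "udp", 53, 30 + (i * 7) % 30))
    # Web client: 15 HTTPS connections to five servers.
    for i in range(15):
        flows.append(Flow(8.0 + i * 0.8, "192.0.2.31",
                          f"10.7.0.{i % 5}", "tcp", 443, 200 + i * 13))
    return flows


def max_fanout(flows: List[Flow], window_s: float) -> int:
    """Largest number of distinct destinations seen inside any window_s-wide window."""
    fl = sorted(flows, key=lambda f: f.ts)
    best, start = 0, 0
    for end in range(len(fl)):
        while fl[end].ts - fl[start].ts > window_s:
            start += 1
        best = max(best, len({f.dst for f in fl[start:end + 1]}))
    return best


def detect_scanners(flows: List[Flow], window_s: float = 10.0,
                    fanout_threshold: int = 50) -> Dict[str, List[str]]:
    """Return {src: [reasons]} for sources whose traffic looks like a scanning worm.

    Fan-out (more than fanout_threshold distinct destinations within window_s)
    is what flags a source; a single fixed (proto, dport, size) shape across
    all its flows is reported as corroborating evidence.
    """
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    verdicts: Dict[str, List[str]] = {}
    for src, fl in by_src.items():
        fanout = max_fanout(fl, window_s)
        if fanout <= fanout_threshold:
            continue
        reasons = [f"{fanout} distinct destinations within {window_s:g}s"]
        shapes = {(f.proto, f.dport, f.size) for f in fl}
        if len(shapes) == 1:
            proto, dport, size = shapes.pop()
            reasons.append(f"all {len(fl)} flows identical: {proto}/{dport}, {size} bytes")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in detect_scanners(build_sample_flows()).items():
        print(src, "->", "; ".join(reasons))
```

The threshold is the tuning knob: a mail relay or a DNS resolver legitimately fans out, so in practice the window and threshold are set per host role, and the uniform packet shape is what separates a worm's scanner from a busy but legitimate server.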