Published by Basil Mathews. Modified over 8 years ago.
1
Optimization of Blaster worms by Stochastic Modeling
Performance Evaluation Laboratory
s1080060 Tatehiro Kaiwa
Supervised by Prof. Hiroshi Toyoizumi
2
Purpose
By modeling a Blaster worm, we investigate its influence on a local network. By optimizing a Blaster worm, we observe and investigate the threat. We compare the difference between the existing Blaster worms and the optimized ones in a local network.
3
Target
Virus Name: W32.Blaster.Worm (Symantec), WORM_MSBLAST.A (Trend Micro), W32/Lovsan.worm.a (McAfee)
Type: Worm
Systems Affected: Windows 2000, XP
The Blaster worm exploits a vulnerability of the DCOM RPC Service to penetrate. It causes system instability.
4
Spread Algorithm (1)
[Flowchart: Select an IP address (branches "Complete Random" and "Local", labelled 0.4 and 0.6) -> Create malicious packets (branches "For XP" and "For 2000", labelled 0.8 and 0.2) -> Start to send many malicious packets]
These methods are selected only once, when the Blaster worm is executed.
5
Spread Algorithm (2)
When the worm uses its own IP address, A.B.C.D, the worm changes D to 0. Then the worm increases the target address monotonically. The probability that a first worm and other worms attack the same IP address is very high. The infection rate of all worms except the first worm in the local network becomes smaller.
6
The Experimental Network
This figure shows a local experimental network used to collect Blaster worm packet data, and to confirm and obtain some information about the Blaster worm.
7
Worm Data Collection
[Figure labels: Blaster, HUB, Sniffer, Target]
Systems attacked and infected by the Blaster worm may become unstable and sometimes shut down. We cannot capture some packets when the sniffer is installed on the infected PC and all target PCs. We therefore prepare a PC that is not infected, connect it as shown in the figure, and capture all packets.
8
The Infection Model
This figure is the worm infection model. [Figure: arrows labelled ν and λ]
ν: Infection rate of a Blaster worm outside of the local network.
λ: Infection rate of Blaster worms inside of the local network.
9
The Model Solution (1)
We obtain the new model by mixing a Poisson process and a Yule process.
[Diagram labels: states 0, 1, 2, 3, ..., n; transition rates ν, ν, ν, ...; λ, 2λ, ..., (n-1)λ, nλ; ν, ν+λ, ν+2λ, ..., ν+(n-1)λ, ν+nλ]
The process with infection rate ν is a Poisson process, and the process with infection rate λ is a Yule process. Each infection activity is independent.
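The mixed Poisson/Yule model on this slide, written as an added simulation example (not part of the original slides): a pure birth process that leaves state k at rate ν + kλ, checked against the mean (ν/λ)(e^{λt} − 1) that follows from dm/dt = ν + λm with m(0) = 0. The parameter values, the unbounded host population and all function names are assumptions made for illustration.

```python
import math
import random

def simulate_infected(nu, lam, t_end, rng):
    """One sample path of the mixed process; returns infected hosts at t_end."""
    if nu <= 0 or lam <= 0:
        raise ValueError("nu and lam must be positive")
    t, k = 0.0, 0
    while True:
        rate = nu + k * lam         # outside arrivals + k inside spreaders
        t += rng.expovariate(rate)  # exponential holding time in state k
        if t > t_end:
            return k
        k += 1

def expected_infected(nu, lam, t_end):
    """Analytic mean: solution of dm/dt = nu + lam*m, m(0) = 0."""
    return (nu / lam) * (math.exp(lam * t_end) - 1.0)

def mean_simulated(nu, lam, t_end, runs=4000, seed=1):
    """Average of `runs` independent sample paths (fixed seed for repeatability)."""
    rng = random.Random(seed)
    total = sum(simulate_infected(nu, lam, t_end, rng) for _ in range(runs))
    return total / runs

if __name__ == "__main__":
    NU, LAM, T = 0.5, 0.2, 5.0  # constructed values, not measured rates
    print("outside infections only (nu*t):", NU * T)
    print("mixed model, analytic mean    :", round(expected_infected(NU, LAM, T), 3))
    print("mixed model, simulated mean   :", round(mean_simulated(NU, LAM, T), 3))
```

The gap between the ν·t line and the mixed-model mean is the share of infections contributed by spread inside the local network.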
10
The Model Solution (2)
The ratio of each system having the vulnerability in a local network. [Labels: Windows XP, Windows 2000]
11
The Model Solution (3)
Rate of successful infection
Average of the number of packets
Each infection rate
12
Graphs of changing the ratio of each system in the network
The performance of the Blaster worms can be improved if the ratio of the Windows XP machines is high in the local network.
[Graph series: All WinXP; All Win2000; XP:2000=1:8]
13
The difference between optimized and existing
The optimized Blaster worms prove to be a great threat. Thus, the existing Blaster worm also has the same potential threat.
[Graph series: Existing Blaster; Optimized Blaster; XP:2000=1:8]
14
Conclusion
The performance of the Blaster worm is greatly influenced by the ratio of each OS in the target network. Optimized Blaster worms are a great threat. Thus, we need to be careful individually.
15
Future Works
As the stochastic model may be different from existing Blaster worms, we need to bring it closer to an accurate model of the existing Blaster worms in the future.