Presentation is loading. Please wait.

Presentation is loading. Please wait.

Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.

Published byLuke Worm Modified over 10 years ago

Similar presentations

Presentation on theme: "Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material."— Presentation transcript:

1 Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

2 Who gets Internet worms? Big question: who gets code red? Big companies? Home users? Web servers? People who know they aren’t running IIS? Host infection plots show some slight diurnal behavior ==> people turning off their “web servers” Looking deeper shows extreme diurnal behavior, masked in simple plots (1/3 to 1/2 machines turned on/off daily)

3 What is the Code-Red worm? Malicious program that connects to other machines and replicates itself Exploits a vulnerability in Microsoft IIS Days 1-19 of each month displays ‘hacked by Chinese’ message on English language servers tries to open connections to infect 100 other randomly chosen machines Day 20-27 launches a denial-of-service attack on the IP address of www1.whitehouse.gov

4 Code-Red Detection Data collected from a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratories (LBL) 1/256th of total address space monitored Machines sending TCP SYN packets to port 80 of nonexistent hosts considered infected Data spans 24-hour period from midnight UTC July 19th - midnight UTC July 20th

5 Host Infection Rate 359,104 hosts infected in 24 hour period Between 11:00 and 16:00 UTC, the growth is exponential 2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC)

6 Host Infection Rate

7 Exponential Infection Rate

8 Infection Rate over Time

9 Host Deactivation Machines isolated, patched, and rebooted throughout the day Host considered inactive after we observe no further unsolicited traffic Because the Code-Red worm is programmed to stop infecting new hosts at midnight on the 20th of every month, the majority of hosts stopped probing in the last hour before midnight UTC on July 20th

10 Host Deactivation

11 Host Deactivation Rates over Time

12 Host Characterization: Country The following graph shows the top ten countries of origin for all infected hosts Surprisingly, Korea is the second most prevalent country, behind countries with more advanced network infrastructure

13 Host Characterization: Country of Origin

14 Host Characterization: Top-Level Domain (TLD) 47% of all infected hosts had no reverse DNS records, so we could not determine their TLDs.COM,.NET, and.EDU are all represented in proportions equivalent to their overall share of existing hosts 136.MIL hosts and 213.GOV hosts also infected 390 hosts on private networks (addresses in 10.0.0.0/8) infected, suggesting that private networks were vulnerable and many more private network hosts may be infected

15 Host Characterization: Top-Level Domain (TLD)

16

17 Host Characterization: Domain 47% of hosts lacked reverse DNS records, so we were unable to determine their hostnames ISPs providing connectivity to home and small- business users had the most infected hosts Machines maintained by home/small-business users (i.e. less likely to be maintained by a professional sysadmin) are an important aspect of global Internet health

18 Host Characterization: Domain

19

20 Vulnerability at least 29% of all hosts infected on July 19th are still vulnerable only 8.15% of all infected hosts are known to be patched Code-Red worm will emerge from dormant stage at midnight UTC on August 1, 2001 Between than 105,000 and 330,000 hosts may be infected Will a more malignant variant emerge?

21 Vulnerability: Country

22

23 Vulnerability: Top-Level Domain (TLD)

24

25 Vulnerability: Domain

26

27 Conclusions 359,104 hosts infected in less than 14 hours up to 2,000 hosts per minute infected Collateral damage: routers, switches, printers, and DSL modems crashed, rebooted, or otherwise damaged Unpatched, insecure machines put everyone at risk Will we be prepared for the next major exploit?

28 Patching Survey Idea: randomly test subset of previously infected IP addresses to see if they have been patched or are still vulnerable 360,000 IP addresses in pool from initial July 19th infection 10,000 chosen randomly each day and surveyed between 9am and 5pm PDT

29 Patching Rate

30 Host Infections

31 Hosts by Timezone (UTC)

32 Hosts by Timezone (Local)

33 Dynamic IP Addresses Idea: How can we tell how many infected computers as opposed to IP addresses? Motivation: Max of ~180,000 unique IPs seen in any 2 hour period, but more than 4 million across ~a week For /24s, count: total number of unique IP addresses seen ever maximum number in 2 hour periods High total, low max ==> lots of address reuse

34 Dynamic IP Addresses For each /24, count: total number of unique IP addresses seen ever maximum number seen in 2 hour periods On plot: x-axis is total number of unique addresses seen ever y-axis is maximum number for a 2 hour period the x = y (total = max) line shows /24s that had all their vulnerable hosts actively spreading in same 2 hour period, and those hosts didn’t change IP addresses the space far below and to the right of the x = y line (total >> max) shows /24s that appear to have a lot of dynamic addresses color of points represents density (3d histogram)

35 DHCP Effect seen in /24s

36 Conclusions 1/3 - 1/2 of hosts are coming and going on a daily cycle DHCP effect can skew statistics, since the same host can have multiple IP addresses Even with the “best” possible warning, the majority of IIS patching occurred after the start of the next round of CodeRed

Download ppt "Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
1 Linux IP Masquerading Brian Vargyas XNet Information Systems.

1 Linux IP Masquerading Brian Vargyas XNet Information Systems.
Internet – Part I. What is Internet? Internet is a global computer network of inter-connected networks.

Internet – Part I. What is Internet? Internet is a global computer network of inter-connected networks.
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Everything.

Everything.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.

Computer Science CSC 405Dr. Peng Ning1 CSC 405 Introduction to Computer Security Topic 3. Program Security -- Part I.
Introduction to TCP/IP, the Internet, IP Addressing, and Domain Name.

Introduction to TCP/IP, the Internet, IP Addressing, and Domain Name.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5.

© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5.
The Internet and Java Sockets ICW Lecture 5 Tom Chothia.

The Internet and Java Sockets ICW Lecture 5 Tom Chothia.
How topology decisions affect speed/availability/security/cost/etc. Network Topology.

How topology decisions affect speed/availability/security/cost/etc. Network Topology.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

Similar presentations

Ads by Google