Presentation is loading. Please wait.

Presentation is loading. Please wait.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: " Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts."— Presentation transcript:

1  Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts  estimation

2  Viruses vs Worms vs Trojans  Types of viruses  Virus detection  Virus defense  Good viruses = bad idea 2

3  Due tomorrow  Make sure you mention the venue in the title: o Conference or journal name, year of publication o If from workshop, mention also the main conference that this workshop is associated with  Make sure you include citations if you o Use figures or equations from paper o Use some text verbatim o Talk about ideas from another related paper o Like this “In [2] authors say that …” and then have reference [2] in the reference section 3

4  Spread on July 12 and 19, 2001  Exploited a vulnerability in Microsoft Internet Information Server that allows attacker to get full access to the machine (turned on by default)  Two variants – both probed random machines, one with static seed for RNG, another with random seed for RNG (CRv2)  CRv2 infected more than 359,000 computers in less than 14 hours o It doubled in size every 37 minutes o At the peak of infection more than 2,000 hosts were infected each minute 4

5 5

6  43% of infected machines were in US  47% of infected machines were home computers  Worm was programmed to stop spreading at midnight, then attack www1.whitehouse.gov o It had hardcoded IP address so White House was able to thwart the attack by simply changing the IP address-to-name mapping  Estimated damage ~2.6 billion 6

7  Spread on January 25, 2003  The fastest computer worm in history o It doubled in size every 8.5 seconds. o It infected more than 90% of vulnerable hosts within 10 minutes o It infected 75,000 hosts overall  Exploited buffer overflow vulnerability in Microsoft SQL server, discovered 6 months earlier 7

8  No malicious payload  The aggressive spread had severe consequences o Created DoS effect o It disrupted backbone operation o Airline flights were canceled o Some ATM machines failed 8

9 9

10  Both Slammer and Code Red 2 use random scanning o Code Red uses multiple threads that invoke TCP connection establishment through 3-way handshake – must wait for the other party to reply or for TCP timeout to expire o Slammer packs its code in single UDP packet – speed is limited by how many UDP packets can a machine send o Could we do the same trick with Code Red?  Slammer authors tried to use linear congruential generators to generate random addresses for scanning, but programmed it wrong 10

11  43% of infected machines were in US  59% of infected machines were home computers  Response was fast – after an hour sites started filtering packets for SQL server port 11

12 12

13 13  Discovered in June/July 2010  Targets industrial equipment  Uses Windows vulnerabilities (known and new) to break in  Installs PLC (Programmable Logic Controller) rootkit and reprograms PLC o Without physical schematic it is impossible to tell what’s the ultimate effect  Spread via USB drives  Updates itself either by reporting to server or by exchanging code with new copy of the worm

14  Many worms use random scanning  This works well only if machines have very good RNGs with different seeds  Getting large initial population represents a problem o Then the infection rate skyrockets o The infection eventually reaches saturation since all machines are probing same addresses 14 “Warhol Worms: The Potential for Very Fast Internet Plagues”, Nicholas C Weaver

15 15

16  Worm can get large initial population with hitlist scanning  Assemble a list of potentially vulnerable machines prior to releasing the worm – a hitlist o E.g., through a slow scan  When the scan finds a vulnerable machine, hitlist is divided in half and one half is communicated to this machine upon infection o This guarantees very fast spread – under one minute! 16

17 17

18  Worm can get prevent die-out in the end with permutation scanning  All machines share a common pseudorandom permutation of IP address space  Machines that are infected continue scanning just after their point in the permutation o If they encounter already infected machine they will continue from a random point  Partitioned permutation is the combination of permutation and hitlist scanning o In the beginning permutation space is halved, later scanning is simple permutation scan 18

19 19

20  Worm can get behind the firewall, or notice the die-out and then switch to subnet scanning  Goes sequentially through subnet address space, trying every address 20

21  Several ways to download malicious code o From a central server o From the machine that performed infection o Send it along with the exploit in a single packet 21

22  Three factors define worm spread: o Size of vulnerable population  Prevention – patch vulnerabilities, increase heterogeneity o Rate of infection (scanning and propagation strategy)  Deploy firewalls  Distribute worm signatures o Length of infectious period  Patch vulnerabilities after the outbreak

Download ppt " Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Sigurnost računala i podataka

Sigurnost računala i podataka
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Packets and Protocols Chapter Seven Real World Packet Captures.

Packets and Protocols Chapter Seven Real World Packet Captures.
1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.

1 Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Univ. Massachusetts, Amherst.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.

Worm Defense. Outline Worm “How to Own the Internet in Your Spare Time” Worm defense Discussions.
Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.

Worm Defenses Zach Lovelady and Nick Oliver cs239 – Network Security – Spr2003.
Modeling the Spread of Worms Wade Trappe. Overview Quick discussion of how the Internet is organized. Random Constant Spread (RCS) Model and Code-Red.

Modeling the Spread of Worms Wade Trappe. Overview Quick discussion of how the Internet is organized. Random Constant Spread (RCS) Model and Code-Red.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.

 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Computer security virus, hacking and backups. Computer viruses are small software programs that are designed to spread from one computer to another.

Similar presentations

Ads by Google