Presentation transcript: "Worm Defense"

1 Worm Defense

2 Outline
- Worm
- "How to Own the Internet in Your Spare Time"
- Worm defense
- Discussions

3 What is a worm?
- An independent program that seeks out new hosts from an existing host in order to spread itself further.
- Another definition: programs which are able to replicate themselves (usually across computer networks) as stand-alone programs (or sets of programs), and which do not depend on the existence of a host program, are called computer worms.
- Self-propagation and self-replication
- What is the difference between a worm and a virus? Different ways of infecting systems?

4 History of Worms: The Origins
- Science fiction references (e.g. Brunner's "tapeworm" program in "Shockwave Rider", 1976)
- Xerox work in 1982: Shoch and Hupp coined the use of the term "worm" and carried out experiments with worm-like programs [6]
- CHRISTMA EXEC from 1987, which spread via email and required the user to execute it
- Internet worm in 1988: the Morris worm infected close to 10% of the then Internet (6000 machines)
- IRC worms: from 1987 to the present day, worms have targeted IRC clients (mIRC and PIRC)

5 History of Worms: Email worms
- Melissa (March 1999): a worm/virus hybrid that sent mail containing the worm/virus to the first 50 users in the Outlook address book. Could also spread as a conventional macro virus.
- KAK (February 2000): a VBS worm similar to BubbleBoy that exploited a hole in Outlook to auto-execute on receipt.
- Love Letter (May 2000): another VBS worm that worked like Melissa, but was also able to spread via IRC.

6 History of Worms: Resurgence
- In the last two years we have seen a resurgence of worms that are not distributed by email
- Code Red and variants (from July 13th, 2001)
  - Code Red (CRv1)
  - Code Red I (CRv2)
  - Code Red II
- Nimda (Sep 18th, 2001)
- Slammer / Sapphire worm (January 2003)

7 What could worms do? Some of them could…
- Launch Distributed Denial of Service (DDoS) attacks
  - Bring down electronic commerce sites
  - Cut off news outlets
  - Disable root name servers
- Access sensitive material on any host
  - Passwords, credit card numbers and address books
- Sow confusion and disruption
  - Send out false information
  - Make messages appear authentic

8 Replication methods of worms
Two main methods exist for worms to spread:
- Use legitimate services
  - Email: Sircam + previous examples
  - File shares: Sircam + Deloder
- Exploit system vulnerabilities
  - Web servers: Nimda and Code Red
  - MS SQL Server: Slammer

9 Why can worms spread?
- Homogeneous software base
  - Exploit software design flaws of commonly used Internet tools
  - Microsoft controls more than 90% of PCs
- High-bandwidth interconnections
  - Machines are "close" to each other
  - Makes it easy for a virus to spread

10 Outline
- Worm
- "How to Own the Internet in Your Spare Time"
- Worm defense
- Discussions

11 Main Ideas
- Analyze current worms, Code Red and Nimda
- Develop some new, highly virulent techniques, including hit-list scanning, permutation scanning and the use of Internet-sized hit-lists
- Envision a "Cyber-Center for Disease Control"

12 Code Red I (CRv1)
- Released July 13, 2001
- Exploited a vulnerability in the Microsoft IIS web server
- Generated 100 threads
  - 99 threads scanned random IP addresses
  - 1 thread defaced the web server
- Contained a bug
  - Random number generator initialized with a fixed seed
  - Always compromised the same sequence of machines

13 Random Constant Spread Model
A quantitative theory for the spread of the Code Red I worm
- N: total number of vulnerable servers (assumed fixed)
- K: initial compromise rate, the number of vulnerable hosts an infected host can compromise per unit time, measured in infections/hour
- a: fraction of vulnerable machines compromised
- t: time (in hours)

14 RCS (con't)
N da = (N a) K (1 - a) dt
So the differential equation is
da/dt = K a (1 - a)
With a solution of

15 Comments
- For early t, a grows exponentially
- For large t, a goes to 1
- The rate only depends on K and has nothing to do with N at all!
- From the graph, K = 1.8, T = 11.9
- Maximum 510,000 scans an hour!
- Why is the scan rate fitted, instead of the number of distinct IPs?
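A worked version of the RCS model from slides 13 to 15, added here as an example; it is neither the slides' nor the paper's own code. The slides state the differential equation da/dt = K a (1 - a); the closed form used below, a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), is the standard logistic solution of that equation with T the hour at which a = 1/2, and K = 1.8, T = 11.9 are the fitted values quoted on slide 15. The Euler integration uses only the differential equation, so it independently checks the closed form, and `hours_between` shows concretely why the spread time depends on K alone and not on N.

```python
"""Random Constant Spread (RCS) model, added worked example."""
import math


def rcs_closed_form(t, K=1.8, T=11.9):
    """Fraction of vulnerable hosts compromised at hour t (logistic curve).

    Assumed closed form of da/dt = K a (1 - a); T is the hour at which a = 1/2."""
    x = math.exp(K * (t - T))
    return x / (1.0 + x)


def rcs_euler(K, a0, hours, dt=0.001):
    """Integrate da/dt = K a (1 - a) forward from a(0) = a0 with Euler steps.

    Returns (hour, a) samples at each whole hour. This uses nothing but the
    differential equation from slide 14, so it cross-checks the closed form."""
    steps_per_hour = int(round(1.0 / dt))
    a = a0
    samples = [(0, a)]
    for step in range(1, hours * steps_per_hour + 1):
        a += dt * K * a * (1.0 - a)
        if step % steps_per_hour == 0:
            samples.append((step // steps_per_hour, a))
    return samples


def max_euler_error(K=1.8, T=11.9, hours=24):
    """Largest gap between the numerical integration and the closed form."""
    a0 = rcs_closed_form(0.0, K, T)
    return max(abs(a - rcs_closed_form(h, K, T)) for h, a in rcs_euler(K, a0, hours))


def _logit(a):
    return math.log(a / (1.0 - a))


def hours_between(frac_lo, frac_hi, K=1.8):
    """Hours for a to climb from frac_lo to frac_hi.

    Solving the closed form for t gives t = T + ln(a / (1 - a)) / K, so the
    duration depends only on K: the population size N never enters, which is
    the point made on slide 15."""
    return (_logit(frac_hi) - _logit(frac_lo)) / K


def hosts_infected(N, t, K=1.8, T=11.9):
    """Absolute count of infected hosts: N only scales the curve vertically."""
    return N * rcs_closed_form(t, K, T)


if __name__ == "__main__":
    for h in (0, 6, 10, 12, 14, 18, 24):
        print(f"hour {h:2d}: a = {rcs_closed_form(h):.4f}")
    print("1% -> 99% takes", round(hours_between(0.01, 0.99), 2), "hours for any N")
    print("max Euler error over 24 h:", max_euler_error())
```

With K = 1.8 the climb from 1% to 99% of the vulnerable population takes about 5.1 hours whether N is six thousand or six million; only the starting point T moves when the initial number of infected hosts changes, which is exactly what hit-list scanning on slide 19 exploits.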

16 Code Red II
- Released August 4th, 2001
- Unrelated code base to Code Red
- Exploited a buffer overflow vulnerability in the Microsoft IIS web server
- Installed a root backdoor allowing unrestricted remote access
- Localized scanning strategy
  - 3/8 of the time, an IP address within the same class B network
  - 1/2 within the same class A network
  - 1/8 the whole Internet

17 Nimda
- Released on Sep 18th, 2001
- At least five methods to spread
  - From infected client to server, probing for a Microsoft IIS vulnerability (again MS!)
  - Emailing itself as an attachment
  - Copying itself across open network shares
  - From infected server to client
  - Scanning for the backdoors left by Code Red II

18 Better worms
The virulence of a worm could be further increased by
- Faster scanning
- More targets

19 Hit-list Scanning
- To "get off the ground"
- Hit-list scanning
  - Collect a list of 10,000 to 50,000 vulnerable machines before releasing the worm
  - Split the list, handing half to each newly infected host
  - How to collect them? Stealthy scans (same as portscans), distributed scanning, DNS searches, spiders, public surveys, or just listening and waiting for others to knock on the door

20 Permutation Scanning
- Assumption: a worm could detect that a particular target is already infected
- Share a pseudo-random permutation of the IP address space
  - Use a 32-bit block cipher and a key
- Any host starts just after its own point
- On meeting an already infected one, restart at a random point
- Self-coordinated, comprehensive, also random
- A partitioned permutation scan, for attacking multiple security holes (how?)

21 A Simulation: Warhol Worm
- Combination of hit-list and permutation scanning
- A simulation of the Warhol worm's spread
  - 2^32-entry address space
  - A 32-bit, 6-round variant of RC5
- Sharply reduces the infection time to 15 minutes
  - So called "Warhol", from the quotation "In the future, everyone will have 15 minutes of fame"

22 [Graph: number of instances vs. time; red = Warhol, green = fast scanning, black = conventional]
Hit-list scanning improves the initial spread, while permutation scanning keeps the infection rate high

23 Topological Scanning
Use information contained on the victim machine to find new targets
- Neighbors
- Peers
- URLs

24 A compact worm: Flash worm
- Mass coverage inside 30 seconds? Flash worms "in theory" can achieve this.
- Each copy of the worm carries with it a set of targets; it uses some to target new hosts, and sends along a portion of the remaining addresses to each of its "children".
- The result: as the worm makes more copies of itself, each copy gets smaller, keeping the worm's network load predictable.
- Requires high bandwidth for the first few infections (10 million addresses = 40 megs!)

25 Flash worm (con't)
[Diagram: tree of infections, with successive levels carrying 200k, 100k and 50k addresses. Legend distinguishes infected computers, computers that could be infected but haven't been, and computers that weren't successfully infected.]

26 Stealth worms
- What is the difference?
- Avoiding detection by having a slow replication rate.
- Hiding the infection mechanism by appearing to be "normal" traffic.
- Slowly building up a large infection base, with the hope of the payload triggering at a set date. Or storing a record of infection to allow the worms to be "activated" in future by an authorized signed message sent instantly along the infection path.
- Popular with diseases that show no symptoms; harder to achieve in the world of IDS.

27 Stealth Worms on P2P systems
P2P systems are suited to contagion worms
- All running the same software
- A client = a server
- Interconnectivity
- Transferring large files
- Receive less attention from intrusion detection systems
- …
- And potentially immense size

28 Updates and Control
How to control and modify a worm after its release
- Worm-to-worm communication
  - A list of other known, running worms
  - Encrypted communication channels
  - Degree of connectivity
- Programmable updates
  - Dynamic code loading supported by the OS

29 Cyber-Center for Disease Control
Mission:
- Identifying outbreaks
- Rapidly analyzing pathogens
- Fighting infections
- Anticipating new vectors
- Proactively devising detectors for new vectors
- Resisting future threats

30 Outline
- Worm
- "How to Own the Internet in Your Spare Time"
- Worm defenses
- Discussions

31 Approaches to worm defense
- Prevention
- Containment
- Cleanup

32 Worm defense - prevention
- Prevention by
  - Reducing the number of vulnerable hosts
  - Limiting the speed at which a worm spreads
- Limitations
  - Depends on current software vulnerabilities
- Related research
  - Matthew M. Williamson, "Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code"
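An added example of the second prevention idea on slide 32, limiting the speed at which a worm can spread, modelled on Williamson's throttling scheme; this is illustrative code written for this transcript, not Williamson's implementation. Connections to hosts the machine has talked to recently (a small working set) go through at once, while connections to new hosts are queued and released one per tick. The working-set size, release rate and alert threshold are assumed values, and the two traffic traces are constructed, not captured.

```python
"""Outbound-connection throttle in the spirit of Williamson's "Throttling Viruses"."""
from collections import OrderedDict, deque


class ConnectionThrottle:
    def __init__(self, working_set_size=4, release_rate=1, alert_threshold=20):
        self.working_set = OrderedDict()   # recently contacted hosts, LRU order
        self.working_set_size = working_set_size
        self.release_rate = release_rate   # new hosts allowed through per tick
        self.alert_threshold = alert_threshold
        self.queue = deque()               # new destinations awaiting release
        self.passed = 0                    # requests sent immediately
        self.delayed = 0                   # requests that had to wait
        self.alerted = False               # queue grew past the threshold

    def _remember(self, dest):
        """Record dest as recently contacted, evicting the least recent host."""
        self.working_set[dest] = True
        self.working_set.move_to_end(dest)
        if len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)

    def request(self, dest):
        """Handle one outbound connection request; returns 'pass' or 'delayed'."""
        if dest in self.working_set:
            self._remember(dest)
            self.passed += 1
            return "pass"
        self.delayed += 1
        if dest not in self.queue:         # coalesce repeat requests to one host
            self.queue.append(dest)
        if len(self.queue) >= self.alert_threshold:
            self.alerted = True            # a long queue is the infection signal
        return "delayed"

    def tick(self):
        """One timer interval: release up to release_rate queued destinations."""
        released = []
        while self.queue and len(released) < self.release_rate:
            dest = self.queue.popleft()
            self._remember(dest)
            released.append(dest)
        return released


def run_trace(trace, **throttle_args):
    """Feed a per-tick list of destination lists through a fresh throttle."""
    throttle = ConnectionThrottle(**throttle_args)
    for requests in trace:
        for dest in requests:
            throttle.request(dest)
        throttle.tick()
    return throttle


# Constructed traces (not captured traffic): a workstation talking to a few
# servers, versus a scanning host trying 50 fresh addresses every tick.
NORMAL_TRACE = [["mail"], ["mail", "web"], ["web", "dns"], ["dns", "proxy"],
                ["mail", "web", "dns", "proxy"], ["mail", "web", "dns", "proxy"]]
SCAN_TRACE = [[f"10.0.{n // 256}.{n % 256}" for n in range(t * 50, (t + 1) * 50)]
              for t in range(10)]


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("scan", SCAN_TRACE)):
        th = run_trace(trace)
        print(f"{name}: passed={th.passed} delayed={th.delayed} "
              f"still queued={len(th.queue)} alert={th.alerted}")
```

The normal trace pays a one-tick delay the first time each server is contacted and nothing afterwards, while the scanning trace ends with almost every request still queued and the alert raised on the first tick; the worm is slowed to one new host per tick instead of fifty, and the queue length itself is the detection signal.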

33 Worm defense - containment
- Block the infectious communication between infected and uninfected hosts, by
  - Firewalls
  - Content filters
  - Blacklists
- Related work
  - David Moore, "Internet Quarantine: Requirements for Containing Self-Propagating Code"
  - Stuart Staniford, "Containment of Scanning Worms in Enterprise Networks"
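An added example of the containment step on slide 33: deciding which hosts to blacklist from connection logs. It is written for this transcript and is not code from Staniford's or Moore's papers; it uses a simple count threshold (enough failed connections to enough distinct hosts inside a short window) rather than Staniford's sequential hypothesis test. The log format, the thresholds and the sample lines are all constructed for the example.

```python
"""Failed-connection scan detector feeding a containment blacklist."""
import re
from collections import defaultdict, deque

# Constructed record format: "<seconds> <src> -> <dst>:<port> <ok|fail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<result>ok|fail)$")

# Constructed sample: 10.1.1.20 is a normal host with a few failures to one
# server; 10.1.1.77 behaves like a scanning worm probing random hosts on 80.
SAMPLE_LOG = """\
0.0 10.1.1.20 -> 10.1.2.5:80 ok
0.5 10.1.1.20 -> 10.1.2.9:443 fail
1.0 10.1.1.77 -> 10.33.4.1:80 fail
1.1 10.1.1.77 -> 10.200.7.2:80 fail
1.2 10.1.1.77 -> 10.5.5.5:80 ok
1.3 10.1.1.77 -> 10.90.1.17:80 fail
1.4 10.1.1.77 -> 10.12.0.3:80 fail
1.5 10.1.1.77 -> 10.77.8.8:80 fail
2.0 10.1.1.20 -> 10.1.2.5:80 ok
3.0 10.1.1.20 -> 10.1.2.9:443 fail
this line is not a connection record
30.0 10.1.1.20 -> 10.1.2.9:443 fail
"""


def parse_log(text):
    """Yield parsed records; malformed lines are skipped rather than trusted."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
                   "port": int(m["port"]), "result": m["result"]}


def find_scanners(records, window=10.0, fail_threshold=5, distinct_threshold=5):
    """Return {source: time first flagged}.

    A source is flagged when, within `window` seconds, it has at least
    fail_threshold failed connections to at least distinct_threshold
    different destination hosts. Repeated failures to a single host (a
    server that is simply down) never satisfy the distinct-host condition."""
    recent = defaultdict(deque)   # src -> (ts, dst) failures inside the window
    flagged = {}
    for rec in records:
        if rec["result"] != "fail" or rec["src"] in flagged:
            continue
        fails = recent[rec["src"]]
        fails.append((rec["ts"], rec["dst"]))
        while fails and rec["ts"] - fails[0][0] > window:
            fails.popleft()              # expire failures older than the window
        distinct = {dst for _, dst in fails}
        if len(fails) >= fail_threshold and len(distinct) >= distinct_threshold:
            flagged[rec["src"]] = rec["ts"]
    return flagged


def blacklist(flagged):
    """Sorted blacklist entries a firewall or filter could load."""
    return [f"{src} quarantined at t={ts}" for src, ts in sorted(flagged.items())]


if __name__ == "__main__":
    for entry in blacklist(find_scanners(parse_log(SAMPLE_LOG))):
        print(entry)
```

On the sample, the scanning host is flagged at t=1.5 after its fifth failure to a fifth distinct address, while the normal host's three failures to the same server never qualify. Moore's requirements paper is about how quickly such a decision has to be made and propagated; with thresholds this low the detection itself is cheap, and the remaining question is how fast the blacklist reaches the enforcement points.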

34 Worm defense - cleanup
- Cleanup by
  - Disinfection tools
  - System updates, patches
- Limitations
  - Limited to human time scales
  - Cannot handle an acute outbreak
- Related work
  - ?

35 Discussions

36 Thank you.
