
1 Chapter 7 Worms

2 Worms
- We’ve previously discussed worms
- Here, consider 2 in slightly more depth
  o Xerox PARC (1982)
  o Morris Worm (1988)
- Recall also discussion of Slammer…

3 History
- “Worm” mentioned in fiction in 1975
  o The Shockwave Rider by John Brunner
  o Next slide…

4 History I guess you all know about tapeworms... ? Good. Well, what I turned loose in the net yesterday was the.., father and mother of all tapeworms....My newest----my masterpiece---breeds by itself.... By now I don't know exactly what there is in the worm. More bits are being added automatically as it works its way to places I never dared guess existed....And---no, it can't be killed. It's indefinitely self-perpetuating so long as the net exists. Even if one segment of it is inactivated, a counterpart of the missing portion will remain in store at some other station and the worm will automatically subdivide and send a duplicate head to collect the spare groups and restore them to their proper place.

5 History
- Xerox Palo Alto Research Center
  o Xerox PARC
- Established 1970
  o To create “the office of the future”
- Helped create laser printers, Ethernet, modern PC, GUI, VLSI
- Original Apple Macintosh heavily influenced by the “Alto”

6 Xerox PARC
- Developed a program so unused CPU cycles could be put to use
  o Use your machine for parallel processing when not busy with your work
- “Worm” to manage the machines
  o Composed of “segments,” which is why they called it a worm
  o One segment per machine
  o Segments communicated with each other

7 Xerox PARC
- “Worm” had many safety features
  o For example, no disk access
  o Also, could be shut down
- Key insights
  o Managing growth is difficult
  o Stability is difficult to maintain

8 Morris Worm
- “Internet Worm” of 1988
- Major wake-up call…
- Three stages
- Stage 1: Get access
  o Sendmail --- debug command
  o Finger --- read input using “gets” (no bounds checking…)
  o rexec and password guessing (or rsh)
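The finger vector comes down to one unbounded read: gets() copies a line into a fixed buffer with no idea how big the buffer is. The following is an added example, not code from the slides or from any real finger daemon: a reader that mirrors gets() (shown for contrast, never fed an over-long line here) beside a bounded replacement that truncates and drains the rest of the line so the leftover bytes cannot be taken as a fresh request. The 512-byte buffer size and the 600-byte input are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this example. */
#define REQ_BUF 512

/* Mirrors what gets() does: copy bytes up to the newline with no bound at all.
 * A line longer than dst overruns the buffer. Shown for contrast only; the demo
 * below never gives it a line that does not fit. */
static char *read_line_unbounded(char *dst, FILE *in)
{
    char *p = dst;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;
    *p = '\0';
    return dst;
}

/* Hardened replacement: bounded read (fgets semantics) that also discards the
 * rest of an over-long line, so a later read cannot pick up the overflow bytes
 * as a new request. Returns bytes stored, or -1 at end of input. */
static int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';
        return (int)n;
    }
    int c;                          /* line did not fit: drain to the newline */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return (int)n;
}

/* Constructed request: a 600-byte "username" plus newline, larger than REQ_BUF.
 * Returns the stored length (REQ_BUF - 1) when the line was truncated and the
 * remainder drained; a negative code otherwise. */
int demo_bounded_read(void)
{
    static char req[602];
    memset(req, 'A', 600);
    req[600] = '\n';
    req[601] = '\0';

    FILE *in = fmemopen(req, 601, "r");
    if (in == NULL)
        return -2;

    char buf[REQ_BUF];
    int n = read_line_bounded(buf, sizeof buf, in);
    char next[8];
    int m = read_line_bounded(next, sizeof next, in);   /* must see EOF, not 'A's */
    fclose(in);
    return (m == -1) ? n : -3;
}

/* A short, well-formed line is read identically by both readers: the bounded
 * version costs nothing on normal input. Returns 1 if the results match. */
int demo_short_line_same(void)
{
    char line[] = "alice\n";
    char a[REQ_BUF], b[REQ_BUF];
    FILE *in = fmemopen(line, sizeof line - 1, "r");
    if (in == NULL) return 0;
    read_line_unbounded(a, in);
    fclose(in);
    in = fmemopen(line, sizeof line - 1, "r");
    if (in == NULL) return 0;
    read_line_bounded(b, sizeof b, in);
    fclose(in);
    return strcmp(a, b) == 0;
}
```

The point of draining the rest of the line is easy to miss: a plain fgets() would leave the extra bytes in the stream, and a service that loops on reads would process them as the next request.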

9 Morris Worm
- Stage 2: Grappling hook
  o Once a remote shell was obtained, send, compile, and run a small C program
  o Code sent as source, so immune to damage by the communication channel
    - Only passed seven bits out of eight
    - Would have destroyed an exe file
  o Retrieve several exes until it found one that worked
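Why sending source survived a 7-bit channel while a compiled file would not: ASCII never sets the high bit, machine code does. This is an added illustration, not code from the slides or from the worm; the channel model (strip bit 7 of every byte), the C source string, and the executable-like byte sequence are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Model of a 7-bit channel: the high bit of every byte is dropped in transit. */
static void pass_through_7bit(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] &= 0x7f;
}

/* Send a copy of data through the channel and count the bytes that changed. */
size_t bytes_damaged(const unsigned char *data, size_t n)
{
    unsigned char copy[256];
    if (n > sizeof copy)
        n = sizeof copy;
    memcpy(copy, data, n);
    pass_through_7bit(copy, n);
    size_t damaged = 0;
    for (size_t i = 0; i < n; i++)
        if (copy[i] != data[i])
            damaged++;
    return damaged;
}

/* Constructed C source: every byte is below 0x80, so nothing changes. */
size_t damage_to_source(void)
{
    const char *src = "#include <stdio.h>\nint main(void){puts(\"hi\");return 0;}\n";
    return bytes_damaged((const unsigned char *)src, strlen(src));
}

/* Constructed executable-style bytes (an ELF-like magic followed by a few
 * arbitrary bytes with the high bit set). Four of them are altered, which is
 * enough to make a real binary unloadable or misbehave. */
size_t damage_to_binary(void)
{
    static const unsigned char bin[] = {
        0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01, 0x00,
        0x80, 0x90, 0xff, 0xe8, 0x00, 0x00, 0x00, 0x00
    };
    return bytes_damaged(bin, sizeof bin);
}
```

The same property explains why the worm could not simply ship a pre-built binary and why it had to carry a compile step on each victim.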

10 Morris Worm
- Stage 3: Propagate
  o Used some stealth --- named itself “sh”
  o Cleaned up (removed source code, etc.)
  o Prevented “core dump”
  o Propagated by looking at network routing tables and other local resources
  o Had no destructive payload

11 Propagation
- Humans slow compared to networks
  o “Fast burners”
  o Warhol worms
  o Flash worms
  o Surreptitious (or slow) worms --- later
- How can a worm propagate faster?
  o Can’t use too much bandwidth…

12 Propagation
- How to propagate faster
  o Shorten initial startup time
  o Minimize contention between instances of the worm
  o Increase the rate at which targets are probed
  o Use low-overhead protocols (UDP vs TCP)
- Recall that Slammer used UDP
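To see why human response is too slow and why probe rate is the lever slides 11 and 12 point at, it helps to run the standard simple epidemic model of a random-scanning worm: the infected fraction a(t) of vulnerable hosts grows as da/dt = K·a·(1 − a), where K is the per-second rate at which one infected host finds a fresh vulnerable host. The (1 − a) factor is exactly the contention the slide mentions: probes that land on already-infected hosts are wasted. This is an added example, not from the slides; the population (100,000 vulnerable hosts in the IPv4 space, one seed) and the probe rates are constructed, not Slammer's real figures, and the integration is forward Euler rather than the closed form so that no math library is needed.

```c
#include <stddef.h>

/* K = scans_per_second * (vulnerable / address_space): how often one infected
 * host's random probes hit a vulnerable host, per second. */
double contact_rate(double scans_per_second, double vulnerable_hosts, double address_space)
{
    return scans_per_second * vulnerable_hosts / address_space;
}

/* Integrate da/dt = K a (1 - a) from a0 until the infected fraction reaches
 * target. Returns the simulated time in seconds (capped for safety). */
double seconds_until_fraction(double K, double a0, double target, double dt)
{
    double a = a0, t = 0.0;
    while (a < target && t < 1e7) {
        a += dt * K * a * (1.0 - a);
        t += dt;
    }
    return t;
}

/* Constructed scenario: 100,000 vulnerable hosts out of 2^32 addresses, one
 * seed host, given probe rate. Returns seconds until 90% are infected. */
double demo_time_to_90pct(double scans_per_second)
{
    const double vulnerable = 100000.0;
    const double space = 4294967296.0;   /* 2^32 IPv4 addresses */
    double K = contact_rate(scans_per_second, vulnerable, space);
    return seconds_until_fraction(K, 1.0 / vulnerable, 0.9, 0.01);
}

/* Ratio of time-to-90% at double the probe rate versus the base rate.
 * In this model the growth time scales as 1/K, so the ratio is about 0.5. */
double demo_speedup_ratio(double scans_per_second)
{
    return demo_time_to_90pct(2.0 * scans_per_second) / demo_time_to_90pct(scans_per_second);
}
```

With 1,000 probes per second per host the constructed population is 90% infected in roughly ten minutes, far inside any human response window; doubling the probe rate halves that, which is why a low-overhead transport such as UDP matters to a fast worm and why rate-limiting outbound connection attempts matters to a defender.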

13 Propagation
- Surreptitious worm
  o That is, slow worm
- Slow infection rate
  o Hide in normal traffic
  o Hard to detect
- Create a zombie army
  o What good is that?
- A lot like modern botnets

14 Initial Seeding
- How to start the worm
- A single instance?
  o Slow initial growth
  o Easier to trace
- Multiple instances?
  o Faster initial growth
  o Use wireless networks, spam, botnets
  o Other?

15 Finding Targets
- IP numbers
  o IPv4, that is
- Worms “scan” for targets
  o Search for vulnerable IP addresses
- How to scan?

16 Finding Targets
- How to scan?
- Random
  o Used in Code Red and Slammer
- Localized
  o Favor machines on the same network
  o Why?
- Hit list
  o Avoids contention, speeds initial spread

17 Finding Targets
- Permutation scanning
  o Treat the IP address space as a sequence
  o Each worm selects a random starting point
  o Each time a previously-infected machine is found, select a new starting point
  o Can be used to detect (near) saturation

18 Finding Targets
- Topological scanning
  o Actual network topology
  o Topology of a social network
  o “Topology” of users’ email
  o IM worm
- Morris Worm used topological scan
  o Was this a good idea for the Morris Worm?

19 Finding Targets
- Passive scanning
  o Wait for useful info to come to you
  o Sniff network traffic for…
    - Valid IP addresses
    - Operating system and services
    - Network traffic pattern
- Other scanning strategies?
  o Santy worm used Google
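Every active strategy on slides 15 through 19 (random, localized, hit-list, permutation) shares a signature a defender can use: an infected host makes many connection attempts, most of which fail, because most probed addresses are unused or not vulnerable. The following added example, which is not from the slides and not any real IDS's code, scores each source host on a sensor's connection records, +1 per failed attempt and −1 per success, and flags a source whose score reaches a threshold. It is a simplified form of the sequential-hypothesis scan detectors used in practice; the record format, the threshold of 5, and the log entries (documentation address ranges) are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* One connection attempt as a sensor would record it (constructed format). */
struct conn_event {
    uint32_t src;       /* source IPv4 address, host byte order */
    uint32_t dst;       /* destination IPv4 address */
    int succeeded;      /* 1 if the connection completed, 0 if refused/unanswered */
};

struct source_score {
    uint32_t src;
    int score;          /* +1 per failure, -1 per success, floored at 0 */
    int flagged;
};

#define MAX_SOURCES 64

static struct source_score *find_or_add(struct source_score *tab, size_t *n,
                                        size_t cap, uint32_t src)
{
    for (size_t i = 0; i < *n; i++)
        if (tab[i].src == src)
            return &tab[i];
    if (*n >= cap)
        return NULL;
    tab[*n].src = src;
    tab[*n].score = 0;
    tab[*n].flagged = 0;
    return &tab[(*n)++];
}

/* Score every source in the event stream; returns how many crossed threshold. */
size_t flag_scanners(const struct conn_event *ev, size_t n, int threshold,
                     struct source_score *tab, size_t cap, size_t *n_sources)
{
    size_t flagged = 0;
    *n_sources = 0;
    for (size_t i = 0; i < n; i++) {
        struct source_score *s = find_or_add(tab, n_sources, cap, ev[i].src);
        if (s == NULL)
            continue;                       /* table full: new sources ignored */
        if (ev[i].succeeded) {
            if (s->score > 0) s->score--;
        } else {
            s->score++;
        }
        if (!s->flagged && s->score >= threshold) {
            s->flagged = 1;
            flagged++;
        }
    }
    return flagged;
}

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed sensor log: 10.0.0.5 walks a run of addresses and is mostly
 * refused (scanner-like); 10.0.0.7 talks to a known server and succeeds. */
static const struct conn_event sample_log[] = {
    {IP(10,0,0,5), IP(203,0,113,1), 0},
    {IP(10,0,0,7), IP(198,51,100,10), 1},
    {IP(10,0,0,5), IP(203,0,113,2), 0},
    {IP(10,0,0,5), IP(203,0,113,3), 0},
    {IP(10,0,0,7), IP(198,51,100,10), 1},
    {IP(10,0,0,5), IP(203,0,113,4), 0},
    {IP(10,0,0,7), IP(198,51,100,11), 0},
    {IP(10,0,0,5), IP(203,0,113,5), 0},
    {IP(10,0,0,5), IP(203,0,113,6), 0},
    {IP(10,0,0,7), IP(198,51,100,10), 1},
    {IP(10,0,0,5), IP(203,0,113,7), 0},
    {IP(10,0,0,5), IP(203,0,113,8), 1},
    {IP(10,0,0,7), IP(198,51,100,10), 1},
};

#define SAMPLE_LEN (sizeof sample_log / sizeof sample_log[0])
#define THRESHOLD 5   /* constructed: failures-minus-successes needed to flag */

size_t demo_flagged_count(void)
{
    struct source_score tab[MAX_SOURCES];
    size_t ns;
    return flag_scanners(sample_log, SAMPLE_LEN, THRESHOLD, tab, MAX_SOURCES, &ns);
}

int demo_is_flagged(uint32_t src)
{
    struct source_score tab[MAX_SOURCES];
    size_t ns;
    flag_scanners(sample_log, SAMPLE_LEN, THRESHOLD, tab, MAX_SOURCES, &ns);
    for (size_t i = 0; i < ns; i++)
        if (tab[i].src == src)
            return tab[i].flagged;
    return 0;
}
```

The same scoring is blind to the passive strategy on slide 19 and to slow worms, which make few attempts and hide in normal traffic; those need different signals (unexpected listening services, outbound connections from hosts that never made them before) rather than failure counts.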

20 Worms: The Bottom Line
- A well-designed worm…
  o Virus-like concealment
  o Exploits technical/human weaknesses
  o Hijacks legitimate transactions
  o Rapid (or slow) spreading
- Worms are a potent type of malware
- Equally potent defenses needed
  o Next chapter

