Published by Joshua Salazar. Modified over 11 years ago.
1
Defense and Detection Strategies Against Internet Worms
Usman Sarwar
usman@nrg.cs.usm.my
Network Research Group, University Science Malaysia.
2
Agenda
The presentation has two parts:
- Understanding the worm
- Planning the strategies
3
Worms
- A computer worm is a program that self-propagates across a network exploiting security or policy flaws in widely-used services.
- A computer worm is a program that travels from one computer to another but does not attach itself to the operating system of the computer it infects.
4
Destruction by worms
In recent years, worms have caused massive destruction that paralyzed organizations, for example:
- Code Red [$2 billion]
- Love Bug [$9 billion]
5
Types of worms
There are two types of worms:
- Host worms
- Network worms
6
Construction of worm
- Target platform?
- How it will attack the remote system
- Selecting computer language
- Scanning techniques
- Payload delivery mechanism
- Installation on target host
- Establishing the worm network
7
Introduction mechanisms
- Single point
- Multiple point
- Delayed trigger
8
Components of worms
There are five components of worms:
- Reconnaissance
- Attack components
- Communication components
- Command components
- Intelligence components
9
Infection patterns
- Random scanning
- Random scanning using lists
- Island hopping
- Directed attacking
- Hit-list scanning
10
Worm network topologies
- Hierarchical tree
- Centrally connected network
- Shockwave Rider-type and guerilla networks
- Hierarchical networks
- Mesh networks
11
Target vulnerabilities
- Prevalence of target
- Homogeneous versus heterogeneous targets
12
Traffic analysis
- Growth in traffic volume
- Rise in the number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine
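The rise in scans and sweeps and the change in a host's traffic pattern can both be measured from flow records. The following is an added example, not part of the original presentation: it flags sources whose per-port fan-out and share of unanswered connections exceed thresholds within a time window. The flow tuple layout, the thresholds and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

def make_sample_flows():
    """Constructed flows: (epoch_seconds, src_ip, dst_ip, dst_port, answered)."""
    flows = []
    # 10.0.0.5: ordinary client talking to three web servers, all answered.
    for t in range(0, 120, 10):
        flows.append((t, "10.0.0.5", f"192.0.2.{1 + t % 3}", 80, True))
    # 10.0.0.9: one normal request, then a sweep of port 1434 (the SQL Server
    # port Slammer targeted) across 40 addresses, most of them unanswered.
    flows.append((5, "10.0.0.9", "192.0.2.1", 80, True))
    for i in range(40):
        flows.append((60 + i, "10.0.0.9", f"198.51.100.{i + 1}", 1434, i % 10 == 0))
    return flows

def window_stats(flows, window=60):
    """Per (window, src, dst_port): distinct destination count and failure ratio."""
    dsts = defaultdict(set)
    total = defaultdict(int)
    failed = defaultdict(int)
    for ts, src, dst, port, answered in flows:
        key = (ts // window, src, port)
        dsts[key].add(dst)
        total[key] += 1
        if not answered:
            failed[key] += 1
    return {k: (len(dsts[k]), failed[k] / total[k]) for k in dsts}

def find_sweepers(flows, window=60, min_fanout=20, min_fail_ratio=0.5):
    """Flag sources that contact many distinct hosts on one port with mostly
    unanswered attempts, the signature of a sweep rather than normal use."""
    alerts = []
    stats = window_stats(flows, window)
    for (win, src, port), (fanout, fail_ratio) in sorted(stats.items()):
        if fanout >= min_fanout and fail_ratio >= min_fail_ratio:
            alerts.append({"window": win, "src": src, "port": port,
                           "fanout": fanout, "fail_ratio": round(fail_ratio, 2)})
    return alerts

if __name__ == "__main__":
    for alert in find_sweepers(make_sample_flows()):
        print(alert)
```

Requiring both conditions keeps busy but legitimate hosts (proxies, mail relays) from alerting on fan-out alone; thresholds need tuning against a baseline of the monitored network.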
13
Pattern Matching
- Port matching
- IP address matching
14
Host based detection
- Host firewalls
- Virus detection software
- Partitioned privileges
- Sandboxing of applications
- Disabling unneeded services and features
- Patching known holes
15
Firewall & Network Defenses
- Perimeter firewalls
- Subnet firewalls
- Reactive IDS deployments
16
Proxy Defenses
- Configuration
- Authentication via proxy server
- Mail server proxies
- Web based proxies
17
Software vulnerabilities
Most security vendors focus on adding features rather than fixing existing products:
- SQL Server (Slammer worm)
- Windows (Blaster worm)
18
Attacking the worm network
- Shutdown messages
- Bluffing with worm
- Slowing down the spread
19
Expected attributes of future worms
- Intelligence
- Polymorphism techniques
- Modularity and upgradability
- Better hiding techniques
- Web crawlers as worms
- Super worms
- Political messages