Presentation is loading. Please wait.

Presentation is loading. Please wait.

Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself.

Published byMaryann Black Modified over 9 years ago

Similar presentations

Presentation on theme: "Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself."— Presentation transcript:

1 Active Worms CSE 4471: Information Security 1

2 Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself as it goes Virus –A program that searches out other programs and infects them by embedding a copy of itself in them 2

3 Active Worm vs. DDoS Propagation –Active worm: from few to many –DDoS: from many to few Relationship –Active worm can be used for network reconnaissance, preparation for DDoS 3

4 Instances of Active Worms (1) Morris Worm (1988) [1] –First active worm; took down several thousand UNIX machines on Internet Code Red v2 (2001) [2] –Targeted, spread via MS Windows IIS servers –Launched DDoS attacks on White House, other IP addresses Nimda (2001, netbios, UDP) [3] –Targeted IIS servers; slowed down Internet traffic SQL Slammer (2003, UDP) [4] –Targeted MS SQL Server, Desktop Engine –Substantially slowed down Internet traffic MyDoom (2004–2009, TCP) [5] Fastest spreading email worm (by some estimates) Launched DDoS attacks on SCO Group 4

5 Instances of Active Worms (2) Jan. 2007: Storm [6] –Email attachment downloaded malware –Infected machine joined a botnet Nov. 2008–Apr. 2009: Conficker [7] –Spread via vulnerability in MS Windows servers –Also had botnet component Jun.–Jul. 2009, Mar.–May 2010: Stuxnet [8–9] –Aim: destroy centrifuges at Natanz, Iran nuclear facility –“Escaped” into the wild in 2010 Aug. 2011: Morto [10] –Spread via Remote Desktop Protocol –OSU Security shut down RDP to all OSU computers 5

6 How an Active Worm Spreads Autonomous: human interaction unnecessary 6 infected machine (1) Scan (2) Probe (3) Transfer copy

7 Conficker Worm Spread 7 Data normalized for each country. Source: [7]

8 Scanning Strategy Random scanning –Probes random addresses in the IP address space (CRv2) Hitlist scanning –Probes addresses from an externally supplied list Topological scanning –Uses information on compromised host (Email worms, Stuxnet) Local subnet scanning –Preferentially scans targets that reside on the same subnet. (Code Red II & Nimda) 8

9 Techniques for Exploiting Vulnerabilities Morris Worm –fingerd (buffer overflow) –sendmail (bug in “debug mode”) –rsh/rexec (guess weak passwords) Code Red, Nimda, etc. (buffer overflows) Tricking users into opening malicious email attachments 9

10 Worm Exploit Techniques Case study: Conficker worm –Issues malformed RPC (TCP, port 445) to Server service on MS Windows systems –Exploits buffer overflow in unpatched systems –Worm installs backdoor, bot software invisibly –Downloads executable file from server, updates itself Workflow: see backup slides (1), (2) 10

11 Worm Behavior Modeling (1) Propagation model mirrors epidemic: 11 V :total # of vulnerable nodes N :size of address space i(t):percentage of infected nodes among V r :an infected node’s scanning speed

12 Worm Behavior Modeling (2) Multiply (*) by V ⋅ dt and collect terms: 12

13 Modeling the Conficker Worm This model’s predicted worm propagation similar to Conficker’s actual propagation 13 Sources: [7], Fig. 2; [8], Fig. 4 Conficker’s propagation

14 Practical Considerations This model assumes machine state: vulnerable → infected –In reality, countermeasures slow worm infection Infected machines can be “cleaned” (removed from epidemic) State: vulnerable → infected → removed –Attackers may limit, vary worm scan rate –Complicates mathematical models Need time-varying parameters for number of removed hosts R(t), worm scan rate r(t) Resulting differential equations are complex, cannot be solved using calculus alone 14

15 Summary Worms can spread quickly: –359,000 hosts in under 14 hours Home / small business hosts play significant role in global internet health –No system administrator ⇒ slow response –Can’t estimate infected machines by # of unique IP addresses: DHCP effect apparently real, significant Active Worm Modeling 15

16 References (1) 1. Wikipedia, “Morris worm,” https://en.wikipedia.org/wiki/Morris_wormhttps://en.wikipedia.org/wiki/Morris_worm 2. Wikipedia, “Code Red (computer worm),” https://en.wikipedia.org/wiki/ Code_Red_wormhttps://en.wikipedia.org/wiki/ Code_Red_worm 3. Wikipedia, “Nimda,” https://en.wikipedia.org/wiki/Nimdahttps://en.wikipedia.org/wiki/Nimda 4. Wikipedia, “SQL Slammer”, https://en.wikipedia.org/wiki/SQL_Slammerhttps://en.wikipedia.org/wiki/SQL_Slammer 5. Wikipedia, “MyDoom”, https://en.wikipedia.org/wiki/Mydoomhttps://en.wikipedia.org/wiki/Mydoom 6. Wikipedia, “Storm worm,” https://en.wikipedia.org/wiki/Storm_Wormhttps://en.wikipedia.org/wiki/Storm_Worm 7. Wikipedia, “Conficker,” https://en.wikipedia.org/wiki/Confickerhttps://en.wikipedia.org/wiki/Conficker 8. D. E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, 1 Jun. 2012, https://www.nytimes.com/2012/06/01/world/ middleeast/obama-ordered-wave-of-cyberattacks-against-iran.htmlhttps://www.nytimes.com/2012/06/01/world/ middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html 9. N. Falliere, L. O. Murchu, and E. Chien, Symantec, “W32.Stuxnet,” Feb. 2011, http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400- 3123-99 http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400- 3123-99 10. T. Bitton, “Morto Post Mortem: Dissecting a Worm,” 7 Sep. 2011, http://blog.imperva.com/2011/09/morto-post-mortem-a-worm-deep-dive.html http://blog.imperva.com/2011/09/morto-post-mortem-a-worm-deep-dive.html 11. Cooperative Association for Internet Data Analysis (UCSD), “The Spread of the Code-Red Worm (CRv2),” 2001, http://www.caida.org/research/security/code-red/ coderedv2_analysis.xmlhttp://www.caida.org/research/security/code-red/ coderedv2_analysis.xml 16

17 References (2) 12. Cooperative Association for Internet Data Analysis (UCSD), “Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope”, 2009, http://www.caida.org/research/security/ms08-067/conficker.xmlhttp://www.caida.org/research/security/ms08-067/conficker.xml 13. C. C. Zou, W. Gong, and D. Towsley, “Code Red Worm Propagation Modeling and Analysis,” Proc. ACM CCS, 2002. 14. P. Porras, H. Saidi, and V. Yegneswaran, 19 Mar. 2009, http://mtc.sri.com/Conficker/ http://mtc.sri.com/Conficker/ 17

18 Backup Slides 18

19 Conficker Workflow (1) 19 Conficker’s exploitation workflow. Source: [14], Fig. 1

20 Conficker Workflow (2) 20 Conficker’s self-update workflow. Source: [14], Fig. 3

Download ppt "Active Worms CSE 4471: Information Security 1. Active Worm vs. Virus Active Worm –A program that propagates itself over a network, reproducing itself."

Similar presentations

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Sigurnost računala i podataka

Sigurnost računala i podataka
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
Lecture 13 Malicious Software modified from slides of Lawrie Brown.

Lecture 13 Malicious Software modified from slides of Lawrie Brown.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of.

CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA The CERT Coordination Center is part of.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
The MS Blaster worm Presented by: Zhi-Wen Ouyang.

The MS Blaster worm Presented by: Zhi-Wen Ouyang.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Cryptography and Network Security Chapter 21

Cryptography and Network Security Chapter 21
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.

 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
Active Worm and Its Defense1 CSE651: Network Security.

Active Worm and Its Defense1 CSE651: Network Security.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 7 – Malicious Software.

Similar presentations

Ads by Google