
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.


1 Worm Defense Alexander Chang CS239 – Network Security 05/01/2006

2 What is a worm?
- Self-replicating, self-propagating programs
- Spread from system to system without user interaction
- Find vulnerabilities in systems and use them to spread
- Spread via the network
- Different from a virus, which requires user interaction

3 Danger?
- Take over systems
- Access sensitive information
  - Passwords, credit card numbers, patient records, emails
- Disrupt system functions
  - Government, nuclear power plants, hospitals
- DDoS attack
- Bandwidth saturation

4 Code Red (CRv1)
- July 13th, 2001
- Exploited Microsoft IIS vulnerabilities
- Each infected system scans random 32-bit IP addresses to attack
- A bug in the random number generator resulted in linear spread

5 Code Red I (CRv2)
- July 19th, 2001
- Same as CRv1 but with the random generator bug fixed
- DDoS payload targeting the IP address of www.whitehouse.gov
- A bug in the code made it die on dates >= the 20th of the month

6 Code Red II
- August 4th, 2001
- Not related to Code Red (only a comment in its code says "Code Red")
- Exploited a buffer overflow in the MS IIS web server
- Installed a remote root backdoor which can be used for anything

7 Nimda
- September 18th, 2001
- Multiple methods of spreading
  - MS IIS vulnerability
  - Email
  - Copying over network shares
  - Webpage infection
  - Scanning for the backdoor left by Code Red II
- From no probing to 100 probes/sec in just 30 minutes

8 Sapphire/Slammer/SQLSlammer
- January 25th, 2003
- Exploited an MS SQL Server buffer overflow
- Fastest-spreading worm
- Peak rate of 55 million scans/sec after just 3 min
- Rate slowed down because of bandwidth saturation
- No malicious payload; the saturated bandwidth alone cut many servers off the network

9 Slammer effect: before and after 30 minutes
- What if Slammer had had a malicious payload?

10 Used Techniques
- Random scanning
  - Code Red, Code Red I
- Localized scanning
  - Code Red II
  - Machines in the same network are more likely to run the same software
- Multi-vector
  - Nimda
  - Several methods of spreading

11 Possible Techniques 1
- Hit-list scanning
  - The first 10k infections are the hardest
  - Use a list of 10~50k vulnerable machines
  - Several methods to generate the list
    - Stealthy scan: a random scan taking several months
    - Distributed scan: using already compromised hosts
    - DNS search: already known servers such as mail/web servers
    - Just listening: P2P networks advertise their servers; previous worms advertised many servers

12 Possible Techniques 2
- Permutation scanning
  - A random scan probes the same host multiple times
  - Use a permutation of the IP address space instead
  - When an already infected host is found, restart from a random point in the permutation
  - Self-coordinated, comprehensive scanning
  - Very high infection rate

13 Possible Techniques 3
- Warhol worm
  - Hit-list and permutation scanning combined
  - Starts off quickly with a high infection rate
  - Simulation shows 99.99% of 300k hosts infected in less than 15 min
- Many other techniques
  - Topological scanning: use information from the infected machine to spread to machines in the same subnet
  - Flash worm: using high bandwidth with a compressed hit-list
  - Stealth worms: web servers to clients, P2P

14 Dealing with the worm threat
- Prevention
  - Prevent vulnerabilities through secure coding practices
  - Patching software
  - Heterogeneity of the network
- Treatment
  - Patching after the outbreak
  - Virus scanning
- Containment

15
- Incoming
  - Blacklist
  - Signature-based detection
  - Identify the scanning characteristics of worms
- Outgoing
  - TCP connection threshold
  - Use worm signatures on outbound traffic

16 Detection – signature based
- Attack signature: a description which represents a particular attack or action
  - E.g., a classic antivirus signature
- Vulnerability signature: a description of the class of vulnerable systems
  - E.g., "Windows XP, SP2, not patched since 10/1/2004"
  - A description of how to exploit a particular vulnerability
- Behavioral signatures: a behavior necessary for a class of worms (e.g., scanning)
  - A behavior common to many implementations (half-open connections)
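The behavioral signatures on this slide (scanning, half-open connections) and the outbound TCP connection threshold on the previous one can be checked by a small per-host detector. The following Python is an added example, not code from the presentation or from any real containment product; the flow-record layout, the thresholds and the three sample hosts are constructed for it.

```python
"""Behavioral worm detection over constructed outbound flow records.

Two behaviors named in the slides are checked per source host:
  * new-destination rate: distinct hosts contacted for the first time inside a
    sliding window (the outbound "TCP connection threshold")
  * half-open connections: handshakes that never completed, the behavior common
    to most scanning worms
Thresholds and record layout are assumptions made for this example.
"""
from collections import defaultdict, deque


def parse_flow(line):
    """Constructed record layout: 'epoch_seconds src_ip dst_ip dst_port status'."""
    ts, src, dst, dport, status = line.split()
    return int(ts), src, dst, int(dport), status


def detect_scanners(lines, window=60, max_new_dests=5, max_half_open=5):
    """Return {src: (ts, reason)} for the first record at which a source host
    exceeds either threshold. Records must be sorted by timestamp."""
    first_contacts = defaultdict(deque)   # src -> (ts, dst) first contacts in window
    in_window = defaultdict(set)          # src -> destinations currently counted
    half_open = defaultdict(deque)        # src -> timestamps of failed handshakes
    flagged = {}
    for line in lines:
        ts, src, dst, _, status = parse_flow(line)
        contacts, dests, fails = first_contacts[src], in_window[src], half_open[src]
        # slide the window: forget contacts and failures older than `window` seconds
        while contacts and ts - contacts[0][0] > window:
            dests.discard(contacts.popleft()[1])
        while fails and ts - fails[0] > window:
            fails.popleft()
        if status == "fail":
            fails.append(ts)
        if dst not in dests:                # first contact with this destination
            contacts.append((ts, dst))
            dests.add(dst)
        if src in flagged:
            continue
        if len(contacts) > max_new_dests:
            flagged[src] = (ts, "new-destination rate")
        elif len(fails) > max_half_open:
            flagged[src] = (ts, "half-open connections")
    return flagged


def sample_flows():
    """Constructed traffic: a normal SMB client, a Slammer-style scanner hitting
    one new host per second on 1434, and a client retrying one dead server."""
    lines = []
    for t, dst in zip(range(1000, 1010), ["10.0.0.9", "10.0.0.12", "10.0.0.9"] * 4):
        lines.append(f"{t} 10.0.0.5 {dst} 445 ok")
    for i in range(8):
        lines.append(f"{1000 + i} 10.0.0.7 203.0.113.{i + 1} 1434 fail")
    for i in range(7):
        lines.append(f"{1000 + i} 10.0.0.8 10.0.0.50 80 fail")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for src, (ts, reason) in detect_scanners(sample_flows()).items():
        print(f"{src} flagged at t={ts}: {reason}")
```

The scanner 10.0.0.7 is caught by the new-destination rule after its sixth fresh target. The retrying client 10.0.0.8 trips the half-open rule without being a worm, which is exactly the false-positive concern the Thoughts slide raises; a deployed detector would weight failures spread across many destinations differently from repeated failures to a single host.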

17 Detection – runtime analysis
- Mark all data from unsafe sources, and all data derived from it, as dirty
- Any attempt to execute dirty data is signaled as a possible threat
- Generate Self-Certifying Alerts and distribute them to peers using an overlay; peers only run overlay code, so they are less susceptible to attacks
- Each host verifies the alert in a VM and, if the vulnerability is confirmed, generates a filter
- Multiple filters to prevent false positives
  - Generic filter: a disjunction of multiple specific conditions
  - Specific filter: more stringent conditions
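The dirty-data tracking and alert generation on this slide, as an added Python example that is not part of the presentation or of any real taint-tracking system: a toy register machine marks every byte of a constructed network message dirty, propagates the taint through ADD, STORE and LOAD, and raises an alert when dirty data is used as a jump target or executed. The alert names the responsible input offsets, from which a specific filter is derived. The machine, its instruction set, the handler programs SAFE and VULN and the filter helpers are all constructed for this example.

```python
"""Toy dynamic taint tracking for a tiny register machine (constructed example).

Bytes of an untrusted message are marked dirty, taint follows them through
arithmetic and memory, and a dirty jump target or a dirty cell being executed
raises an alert that records which input offsets were responsible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    n: int                            # concrete value
    taint: frozenset = frozenset()    # input byte offsets this value depends on


class TaintAlert(Exception):
    """Raised when dirty data reaches control flow; carries the offending offsets."""
    def __init__(self, kind, offsets, pc):
        super().__init__(f"{kind} at pc={pc}, derived from input offsets {sorted(offsets)}")
        self.kind, self.offsets, self.pc = kind, frozenset(offsets), pc


def run(program, message, mem_size=16):
    """Execute `program` (a list of instruction tuples) against `message`."""
    regs, mem, pc = {}, [Val(0)] * mem_size, 0
    while True:
        op, *args = program[pc]
        if op == "INPUT":       # r = message[i], tainted with its own offset
            r, i = args
            regs[r] = Val(message[i], frozenset({i}))
        elif op == "CONST":
            r, n = args
            regs[r] = Val(n)
        elif op == "ADD":       # taint is the union of both operands' taint
            d, a, b = args
            regs[d] = Val(regs[a].n + regs[b].n, regs[a].taint | regs[b].taint)
        elif op == "STORE":     # mem[regs[addr]] = regs[src]; taint travels with the value
            addr, src = args
            mem[regs[addr].n % mem_size] = regs[src]
        elif op == "LOAD":
            d, addr = args
            regs[d] = mem[regs[addr].n % mem_size]
        elif op == "JMP":       # indirect jump: a dirty target means hijacked control flow
            (r,) = args
            if regs[r].taint:
                raise TaintAlert("tainted jump target", regs[r].taint, pc)
            pc = regs[r].n
            continue
        elif op == "EXEC":      # treat a memory cell as code: a dirty cell is injected code
            (r,) = args
            cell = mem[regs[r].n % mem_size]
            if cell.taint:
                raise TaintAlert("execution of tainted data", cell.taint, pc)
        elif op == "HALT":
            return regs, mem
        else:
            raise ValueError(f"unknown instruction {op}")
        pc += 1


def analyze(program, message):
    """Return the TaintAlert a run produces, or None when the program stays clean."""
    try:
        run(program, message)
    except TaintAlert as alert:
        return alert
    return None


def filter_from_alert(alert, message):
    """Specific filter: the exact bytes, at the offsets the alert names,
    that drove the dirty control transfer."""
    return {i: message[i] for i in sorted(alert.offsets)}


def filter_matches(flt, message):
    return all(len(message) > i and message[i] == b for i, b in flt.items())


# Constructed handler that uses the message only as data: no alert.
SAFE = [
    ("INPUT", "r0", 0),
    ("CONST", "r1", 4),
    ("ADD", "r2", "r0", "r1"),      # r2 = message[0] + 4: dirty, but only stored
    ("CONST", "r3", 8),
    ("STORE", "r3", "r2"),          # mem[8] = r2
    ("CONST", "r4", 7),
    ("JMP", "r4"),                  # jump to a constant address (the HALT below)
    ("HALT",),
]

# Constructed handler whose jump target is computed from message bytes 2 and 3,
# standing in for a return address overwritten by the message.
VULN = [
    ("INPUT", "r0", 2),
    ("INPUT", "r1", 3),
    ("ADD", "r2", "r0", "r1"),
    ("JMP", "r2"),
    ("HALT",),
]
```

Only the specific filter is modelled; the generic filter (a disjunction of several such conditions) and the VM-based verification of a received alert are not. Because the specific filter matches exact bytes, a message that reaches the same dirty jump through different byte values slips past it, which is the polymorphism concern raised on the next slide.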

18 Thoughts
- Detection
  - Polymorphic worms: obfuscation, encryption
  - False positives: an attacker generates suspicious traffic with byte strings that are common in normal traffic
  - Signature generation time
  - Dynamic taint analysis: expensive, or low coverage and resource-hungry

19 Thoughts
- Distribution/deployment
  - Pervasive P2P collaboration: E2E detection and distribution
  - Secure communication
  - Overlay?
  - Intrusion detection systems?
  - Honeypots, honeyfarms?

20 Remarks
- Future worms will be more aggressive
- Need automatic detection mechanisms
  - No global answer; all the techniques need to be applied together
- Network-level detection has limitations because of limited or no knowledge of software vulnerabilities
- E2E detection, secure P2P distribution of worm information

