Presentation is loading. Please wait.

Presentation is loading. Please wait.

Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” The Future of Internet Worms Jose Nazario Crimelabs Research.

Published byJennifer Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” The Future of Internet Worms Jose Nazario Crimelabs Research."— Presentation transcript:

1 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” The Future of Internet Worms Jose Nazario Crimelabs Research

2 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Disclaimer Will not build Intrusion detection

3 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Overview Introduction Six Components Problems in Current Worm Paradigms Evolution of Worm Networks Detection Strategies Conclusions

4 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Worms Defined Automated intrusion agents Infect one host, launch, infect again Self propelled –viruses require carrier programs

5 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Worms in History Morris worm Persistent Windows worms Rise of Linux worms (2000 …) Examples: Win32.Bremer, Ramen, sadmind/IIS

6 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Why Worms? Ease –write and launch once –many acquisitions –continually working Pervasiveness –weeds out weakest targets –penetrates difficult networks

7 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Two Futures Small increases –better rootkits –encryption –increased attack capabilities Paradigm shift

8 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Six Components of Worms Reconnaissance Specific Attacks Command Interface Communication Mechanisms Intelligence Capabilities Unused and Non-attack Capabilities

9 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Reconnaissance Target identification Active methods –scanning Passive methods –OS fingerprinting –traffic analysis

10 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Specific Attacks Exploits –buffer overflows, cgi-bin, etc. –Trojan horse injections Limited in targets Two components –local, remote

11 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Command Interface Interface to compromised system –administrative shell –network client Accepts instructions –person –other worm node

12 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Communications Information transfer Protocols Stealth concerns

13 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Intelligence Database Knowledge of other nodes Concrete vs. abstract Complete vs. incomplete

14 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Unused and Non-attack Capabilities Remainder of exploits Non-exploit capabilities Various possibilities

15 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Assembled Pieces

16 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Questions?

17 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Current Limitations Limited capabilities Growth and traffic patterns Network structure Intelligence Database

18 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Limited Capabilities: Recon

19 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Limited Capabilities: Attack

20 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Traffic Growth Rates T worm =kN  (T scans n scans )(T comm n comms )  t fT worm = T worm _______ T tot Traffic, hence profile, increases with time.

21 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Traffic Growth Patterns

22 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Network Structure

23 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Network Topology

24 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Limitations of Directionality

25 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Intelligence Database

26 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Limitations Conclusions Highly visible Easily Blocked –need a signature Unable to achieve a specific target Readily caught

27 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Questions?

28 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Future Considerations Dynamic behavior Dynamic updates Communications mechanisms Infection mechanisms Network topologies Communications topology New targets

29 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Dynamic Behavior Communications channels

30 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Dynamic Behavior Dynamic invocation of capabilities

31 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Dynamic Network Roles Not every node contains all components

32 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Updates to the Nodes

33 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Embedding Messages Images Text MP3 files Usenet, web, mailing lists Freenet, Gnutella, Napster

34 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Stealth Broadcasts

35 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Signed Updates Source verification

36 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Communications Topology Broadcast from central site

37 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Communications Topology Store and forward

38 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Passive Methods Target acquisition

39 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Payload Injection

40 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Network Topology Guerilla network

41 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Network Topology Directed tree

42 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” New Targets Embedded devices –bugs –prevalence on broadband Large audience targets –Akamai clients –Political, financial motivations

43 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Questions?

44 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Worm Detection Challenges –Fast moving –Always adding new nodes Traditional Worm Paradigm –Analyze one node, know all –Same signature for all nodes Hard to distinguish between worms and aggressive or scripted attackers

45 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Worm Signatures Correlation Analysis –Scans, attacks –Quick succession of scans across hosts –Quick follow up of attacks with scans Growth of Traffic –exponential

46 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” New Challenges Identifying communications channels Identifying all scans, attacks –Constantly changing Larger Picture

47 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Defenses Traditional paradigms Detection –anomaly detection –agent based IDS –focus on common parts

48 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Defenses NIDS –Hone in on common parts Poison Injections –Null, shutdown payloads Traffic analysis –Identifying communications partners All are labor intensive

49 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Conclusions Worms will evolve –increased use of hiding tools Impending paradigm shift –not all nodes look alike –update capable –No one signature

50 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Acknowledgements Crimelabs –Rick –Chris –Jeremy –Brandon –Ben Michal Zalewski Simple Nomad Dug Song Blackhat

51 Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” Questions?

Download ppt "Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms” The Future of Internet Worms Jose Nazario Crimelabs Research."

Similar presentations

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.

Defense and Detection Strategies Against Internet Worms Usman Sarwar Network Research Group, University Science Malaysia.
Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.

Security Administration Tools and Practices Amit Bhan Usable Privacy and Security.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.

The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
A Taxonomy of Computer Worms Ashish Gupta Network Security April 2004.

A Taxonomy of Computer Worms Ashish Gupta Network Security April 2004.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.

Honeywall CD-ROM. 2 Developers and Speakers  Dave Dittrich University of Washington  Rob McMillen USMC  Jeff Nathan Sygate  William Salusky AOL.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Similar presentations

Ads by Google