1
Blackhat 2001 Las Vegas, Nazario, “The Future of Internet Worms”
The Future of Internet Worms
Jose Nazario
Crimelabs Research
2
Disclaimer
Will not build
Intrusion detection
3
Overview
Introduction
Six Components
Problems in Current Worm Paradigms
Evolution of Worm Networks
Detection Strategies
Conclusions
4
Worms Defined
Automated intrusion agents
Infect one host, launch, infect again
Self propelled
– viruses require carrier programs
5
Worms in History
Morris worm
Persistent Windows worms
Rise of Linux worms (2000 …)
Examples: Win32.Bremer, Ramen, sadmind/IIS
6
Why Worms?
Ease
– write and launch once
– many acquisitions
– continually working
Pervasiveness
– weeds out weakest targets
– penetrates difficult networks
7
Two Futures
Small increases
– better rootkits
– encryption
– increased attack capabilities
Paradigm shift
8
Six Components of Worms
Reconnaissance
Specific Attacks
Command Interface
Communication Mechanisms
Intelligence Capabilities
Unused and Non-attack Capabilities
9
Reconnaissance
Target identification
Active methods
– scanning
Passive methods
– OS fingerprinting
– traffic analysis
10
Specific Attacks
Exploits
– buffer overflows, cgi-bin, etc.
– Trojan horse injections
Limited in targets
Two components
– local, remote
11
Command Interface
Interface to compromised system
– administrative shell
– network client
Accepts instructions
– person
– other worm node
12
Communications
Information transfer
Protocols
Stealth concerns
13
Intelligence Database
Knowledge of other nodes
Concrete vs. abstract
Complete vs. incomplete
14
Unused and Non-attack Capabilities
Remainder of exploits
Non-exploit capabilities
Various possibilities
15
Assembled Pieces
16
Questions?
17
Current Limitations
Limited capabilities
Growth and traffic patterns
Network structure
Intelligence Database
18
Limited Capabilities: Recon
19
Limited Capabilities: Attack
20
Traffic Growth Rates
$T_{worm} = kN\,(T_{scans}\,n_{scans})(T_{comm}\,n_{comms})\,t$
$f_{T_{worm}} = \dfrac{T_{worm}}{T_{tot}}$
Traffic, hence profile, increases with time.
21
Traffic Growth Patterns
22
Network Structure
23
Network Topology
24
Limitations of Directionality
25
Intelligence Database
26
Limitations Conclusions
Highly visible
Easily Blocked
– need a signature
Unable to achieve a specific target
Readily caught
27
Questions?
28
Future Considerations
Dynamic behavior
Dynamic updates
Communications mechanisms
Infection mechanisms
Network topologies
Communications topology
New targets
29
Dynamic Behavior
Communications channels
30
Dynamic Behavior
Dynamic invocation of capabilities
31
Dynamic Network Roles
Not every node contains all components
32
Updates to the Nodes
33
Embedding Messages
Images
Text
MP3 files
Usenet, web, mailing lists
Freenet, Gnutella, Napster
34
Stealth Broadcasts
35
Signed Updates
Source verification
36
Communications Topology
Broadcast from central site
37
Communications Topology
Store and forward
38
Passive Methods
Target acquisition
39
Payload Injection
40
Network Topology
Guerilla network
41
Network Topology
Directed tree
42
New Targets
Embedded devices
– bugs
– prevalence on broadband
Large audience targets
– Akamai clients
– Political, financial motivations
43
Questions?
44
Worm Detection
Challenges
– Fast moving
– Always adding new nodes
Traditional Worm Paradigm
– Analyze one node, know all
– Same signature for all nodes
Hard to distinguish between worms and aggressive or scripted attackers
45
Worm Signatures
Correlation Analysis
– Scans, attacks
– Quick succession of scans across hosts
– Quick follow up of attacks with scans
Growth of Traffic
– exponential
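The correlation signatures on this slide, and the caveat on the previous one that a worm is hard to tell from an aggressive scripted attacker, can be turned into concrete checks. The following is an added example written for this page, not code from the talk or from Crimelabs. It assumes a constructed five-field log format (seconds, source, destination, port, scan/attack), a 5-second window with 3 distinct hosts for the "quick succession of scans" signature, and a 15-second follow-up delay for the "attack then scan" signature; the sample log is constructed and contains one worm chain (10.0.0.5 infecting 2, then 4 hosts) plus one scripted attacker (192.0.2.10) whose victims never start scanning.

```python
"""Correlation analysis for worm signatures over constructed log lines.

Added illustration for the slide; log format, thresholds and addresses are
assumptions made for this example:
    <seconds> <src> <dst> <dst_port> <scan|attack>
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: float
    src: str
    dst: str
    port: int
    kind: str  # "scan" = probe, "attack" = exploit delivery


# Constructed sample (not real traffic): a worm chain rooted at 10.0.0.5 and
# a scripted attacker 192.0.2.10 whose victims stay silent afterwards.
SAMPLE_LOG = """\
0.0  10.0.0.5    10.0.1.1   111 scan
1.0  10.0.0.5    10.0.1.7   111 attack
2.0  10.0.0.5    10.0.1.8   111 attack
11.0 10.0.1.7    10.0.2.1   111 scan
12.0 10.0.1.7    10.0.2.3   111 attack
12.5 10.0.1.8    10.0.2.2   111 scan
13.0 10.0.1.7    10.0.2.4   111 attack
13.5 10.0.1.8    10.0.2.5   111 attack
14.5 10.0.1.8    10.0.2.6   111 attack
21.0 10.0.2.3    10.0.3.1   111 scan
21.5 10.0.2.4    10.0.3.4   111 scan
22.0 10.0.2.3    10.0.3.2   111 scan
22.2 10.0.2.5    10.0.3.7   111 scan
22.5 10.0.2.4    10.0.3.5   111 scan
23.0 10.0.2.3    10.0.3.3   111 attack
23.2 10.0.2.5    10.0.3.8   111 scan
23.4 10.0.2.6    10.0.3.10  111 scan
23.5 10.0.2.4    10.0.3.6   111 attack
24.2 10.0.2.5    10.0.3.9   111 attack
24.4 10.0.2.6    10.0.3.11  111 scan
25.4 10.0.2.6    10.0.3.12  111 attack
30.0 192.0.2.10  10.0.4.1   111 attack
30.5 192.0.2.10  10.0.4.2   111 attack
31.0 192.0.2.10  10.0.4.3   111 attack
"""


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, kind = line.split()
        events.append(Event(float(ts), src, dst, int(port), kind))
    return sorted(events, key=lambda e: e.ts)


def sweep_sources(events: List[Event], window: float = 5.0, min_hosts: int = 3) -> Set[str]:
    """Signature: a source touching >= min_hosts distinct hosts within `window`
    seconds (quick succession of scans across hosts). Sliding window per source."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if len({e.dst for e in evs[start:end + 1]}) >= min_hosts:
                flagged.add(src)
                break
    return flagged


def followup_infections(events: List[Event], max_delay: float = 15.0) -> Dict[str, str]:
    """Signature: a host is attacked and within max_delay seconds starts scanning
    or attacking itself (quick follow-up of attacks with scans). Returns
    victim -> attacker. The victim turning into a source is what separates a
    worm from a single aggressive or scripted attacker."""
    first_attack: Dict[str, tuple] = {}  # victim -> (ts, attacker)
    for e in events:
        if e.kind == "attack" and e.dst not in first_attack:
            first_attack[e.dst] = (e.ts, e.src)
    infected: Dict[str, str] = {}
    for e in events:
        if e.src in first_attack and e.src not in infected:
            t_attack, attacker = first_attack[e.src]
            if 0 < e.ts - t_attack <= max_delay:
                infected[e.src] = attacker
    return infected


def generations(events: List[Event], root: str, max_delay: float = 15.0) -> List[int]:
    """Size of each infection generation reachable from `root` through the
    attack-then-scan relation: a worm gives a growing series, a scripted
    attacker gives [1] because none of its victims become sources."""
    children: Dict[str, List[str]] = defaultdict(list)
    for victim, attacker in followup_infections(events, max_delay).items():
        children[attacker].append(victim)
    sizes, frontier, seen = [], [root], {root}
    while frontier:
        sizes.append(len(frontier))
        nxt = [v for a in frontier for v in children[a] if v not in seen]
        seen.update(nxt)
        frontier = nxt
    return sizes
```

Running `generations(parse_log(SAMPLE_LOG), "10.0.0.5")` gives the doubling series [1, 2, 4], while the scripted attacker 192.0.2.10 is flagged by `sweep_sources` just like the worm nodes but yields [1]: the sweep signature alone cannot separate the two, the follow-up signature can.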
46
New Challenges
Identifying communications channels
Identifying all scans, attacks
– Constantly changing
Larger Picture
47
Defenses
Traditional paradigms
Detection
– anomaly detection
– agent based IDS
– focus on common parts
48
Defenses
NIDS
– Home in on common parts
Poison Injections
– Null, shutdown payloads
Traffic analysis
– Identifying communications partners
All are labor intensive
49
Conclusions
Worms will evolve
– increased use of hiding tools
Impending paradigm shift
– not all nodes look alike
– update capable
– No one signature
50
Acknowledgements
Crimelabs
– Rick
– Chris
– Jeremy
– Brandon
– Ben
Michal Zalewski
Simple Nomad
Dug Song
Blackhat
51
Questions?