Presentation is loading. Please wait.

Presentation is loading. Please wait.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Similar presentations


Presentation on theme: "Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim."— Presentation transcript:

1 Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim

2 Contents Introduction Objectives Background Worm trace collection methodology Analyzed results Animation of Code-Red Ⅰ v2 Summary and conclusion

3 Introduction Virus vs. Worm -Virus : 1. do not try to break into machines 2. spread by user’s action 3. attach themselves onto other program -Worm : 1. try to break into machines using some vulnerability 2. spread on their own without user action 3. exist as a separate code in memory Some Worms - Morris in Nov 3, Lion in Mar, WANK in Oct, Code-Red in Jul, Ramen in Jan, 2001

4 Objectives Collect packet information generated by Code-Red (How to collect this information and identify Code-Red?) Analyze the spread of Code-Red Trace geographic location and top-level domains in which Code-Red resides.

5 Background The Chronology of Code-Red outbreak 1. On Jun 18, 2001, eEye released information about a buffer- overflow vulnerability in Microsoft’s IIS web servers. 2. On Jun 26, 2001, Microsoft released a patch for the vulnerability 3. On Jul 12, 2001, Code-Red Ⅰ v1 spread by exploiting the above vulnerability 4. On Jul 19, 2001, Code-Red Ⅰ v2 spread 5. On Aug 4, 2001, Code-Red Ⅱ spread * Cost of recovering from Code-Red : 2.6 billion dollars

6 Characteristics of Code-Red 1. Code-Red Ⅰ v1 : - Use a static seed, so it generated the same list of IP addresses - Between 1 st and 19 th of every month, it attempts to infect machines. (Infection phase) - Between 20 th and 28 th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29 th and the last day, it does nothing. (dormant phase) * scanning mechanism … 1 2 3

7 Characteristics of Code-Red 1. Code-Red Ⅰ v1 : - Use a static seed, so it generated the same list of IP addresses - Between 1 st and 19 th of every month, it attempts to infect machines. (Infection phase) - Between 20 th and 28 th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29 th and the last day, it does nothing. (dormant phase) * scanning mechanism … 12 3

8 Characteristics of Code-Red 1. Code-Red Ⅰ v1 : - Use a static seed, so it generated the same list of IP addresses - Between 1 st and 19 th of every month, it attempts to infect machines. (Infection phase) - Between 20 th and 28 th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29 th and the last day, it does nothing. (dormant phase) * scanning mechanism … Therefore, the spread is slow

9 2. Code-Red Ⅰ v2 : - Identical to Code-Red Ⅰ v1 except that it uses a random seed, so it generates a different list of IP addresses * scanning mechanism Therefore, the spread is much faster than Code-Red Ⅰ v1 Intuitively, the rate of infection will be exponential

10 3. Code-Red Ⅱ : - set up backdoor ( more dangerous than Code-Red Ⅰ ) - become dormant for a day to avoid being discovered by system administrator (slow infection mechanism) - after rebooting the machine, it begins to spread * scanning mechanism Let’s assume that the infected host IP address is X.X 3/8 1/8 1/2 X.X.X.X 10.X.X.X Relative amount of probes Idea : Hosts within the network of an infected host may run the same vulnerable software

11 Worm trace collection Methodology Three sources used to collect the worm packets - Passive network monitors within /8 network and /16 network - Backup data set from filtering router Worm identification If a host sends at least two TCP SYN packets on port 80 to two different hosts within research network, the host is considered to be infected. Research network Filtering router An infected host trying to probe hosts Monitor /8 network /16 network

12 Analyzed result Outbreak of Code-Red Ⅰ v1 - Each Infected host probed the same set of 23 IP addresses into the research network because Code-Red Ⅰ v1 used a static seed Normal activity of TCP SYN Packets on port 80 Infected hosts by Code-Red Ⅰ v1

13 Outbreak of the Code-Red Ⅰ v2 (infection rate) Cumulative total of unique IP addressesOne minute infection rates Detected unique IP addresses ≈ 359,000 Peak infection rate ≈ 2000 hosts /minute

14 Outbreak of the Code-Red Ⅰ v2 (deactivation rate) Infection phase attack phase The author’s methodology of identifying worms were not able to distinguish hosts infected with Code-Red Ⅱ from those Infected with Code-Red Ⅰ v2 because two scanning mechanisms used by Code-Red Ⅰ v2 and Code-Red Ⅱ are a little similar (i.e. they use random seed) Some infected hosts were patched Cumulative total of deactivated hostsOne minute deactivation rate

15 Geographic location of Code-Red Ⅰ v2 They made this table by using IxMapping service which is useful to find location of certain host based on its IP address

16 Top-Level domains in which Code-Red Ⅰ v2 resides They made this table by using NetSizer service

17 Top 10 domains (ISPs) in which Code-Red Ⅰ v2 resides It shows that machines operated by home users and small businesses are the majority of infected hosts.

18 Animation Code-Red Ⅰ v2 Animation of Code-Red Ⅰ v2

19 Summary and Conclusion This paper shows how to extract various useful information from only logged IP header data (traffic analysis) DHCP inflates the number of infected hosts as measured by IP addresses, whereas NAT deflates the number of compromised IP address. We should consider those two factors in estimating the spread of Internet worms From the worm viewpoint, scanning mechanism is the key to spread fast, while from the defense viewpoint, ISP level solution should be achieved to mitigate Internet worms

20 … Monitor Router Infected host Autonomous System Network segment Messages are protected Hardware compiler Worm scanner Worm packets


Download ppt "Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim."

Similar presentations


Ads by Google