Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet Worms Brad Karp UCL Computer Science CS GZ03 / 4030 10 th December, 2007.

Published byPenelope McKinney Modified over 8 years ago

Similar presentations

Presentation on theme: "Internet Worms Brad Karp UCL Computer Science CS GZ03 / 4030 10 th December, 2007."— Presentation transcript:

1 Internet Worms Brad Karp UCL Computer Science CS GZ03 / 4030 10 th December, 2007

2 2 What’s a Worm? Vast numbers of Internet-attached hosts run vulnerable server software Worm: self-replicating code, containing –Exploit for widely used, vulnerable server software –Payload: code that executes after exploit succeeds Payload connects to other Internet hosts, sends copy of {exploit, payload} to each… Unlike virus, spread not human-mediated

3 3 What’s in the Payload? Could be anything…arbitrary code execution allowed by many exploits Install login facility for attacker, to allow use at will in botnet –Botnets used widely today to launch DDoS attacks, send spam –Market in botnets exists today (3-10 US cents/host/week for spam proxy in 2005 [Paxson]) Send sensitive files to attacker Destroy or corrupt data Enormous possibility for harm, in financial, privacy, and inconvenience terms

4 4 Code-RedI Worm June 18 th, 2001: eEye releases description of buffer overflow vulnerability in Microsoft IIS (web server) June 26 th, 2001: Microsoft releases patch July 12 th, 2001: Code-RedI worm released (i.e., first sent to vulnerable host) Estimated number hosts infected: 360,000 Estimated damages: $2.6 billion from loss of service availability, downtime, cleanup…

5 5 Code-RedI Behavior Payload: defaces web site –If language == English HELLO! Welcome to http://www.worm.com! Hacked By Chinese! 1 st – 19 th of every month: spread –Connect to random 32-bit IP address, send copy of self (exploit+payload) 20 th through end of every month: –Flood traffic to 198.137.240.91 (www.whitehouse.gov) Bug: fixed seed for random number generator –All hosts generate same sequence of IPs! –Result: only linear growth in infected population Only memory-resident; vanishes on reboot

6 6 Code-RedI v2: “Bugfix” Release July 19 th, 2001: new variant (“v2”) released –Uses random seed –Now all infected hosts try different targets White House changes IP address of its server to avoid DDoS attack –Result: July 20 th, Code-RedI v2 dies out 360K hosts infected in 14 hours

7 7 Growth of Code-RedI v2 Source: Vern Paxson, ICSI/UC Berkeley

8 8 Network Telescopes Monitor traffic arriving at sizeable regions of Internet address space. Reveals, e.g.,: –“Backscatter” (responses to randomly source-spoofed DDoS attacks) –Worms’ random scanning of IP addresses –Attackers’ random scanning for servers running particular service LBNL: 2 /16 networks, or 1/32768 th of Internet address space UCSD/Univ. Wisconsin: 1 /8 network, or 1/256 th of Internet address space

9 9 Spread of Code-RedI v2 Network telescope estimate of infected host count: –Count unique source IPs that attempt to connect to port 80 on non-used addresses Infected population over time fits logistic function –S-shaped curve: exponential growth at start, then slowing growth after most vulnerable nodes infected Worm dies just as 20 th starts –But even one host with wrong clock can keep trying to infect others –On August 1 st, worm begins to spread again!

10 10 Return of Code Red Worm Source: Vern Paxson, ICSI/UC Berkeley

11 11 A Competitor: Code-Red II Targets same IIS vulnerability; unrelated code Released August 4 th, 2001 Installs superuser backdoor; persists after reboot Spreads preferentially to local addresses: –½ probability generates address on same /8 –3/8 probability generates address on same /16 –1/8 probabliity generates random non-class-D, non- loopback address Result: squeezes out Code-Red I v2!

12 12 Slammer: A Fast UDP Worm Exploit: buffer overflow vulnerability in Microsoft SQL Server 2000 –Vulnerability reported in June 2002 –Patch released July 2002 SQL service uses connectionless UDP (rather than connection-oriented TCP) Entire worm fit in one packet! –No need to wait for RTT; send single packet, try next target address Slammer infected over 75K hosts in 10 minutes Growth rate limited by Internet’s capacity

13 13 Slammer’s Behavior Peak address scanning rate: 55 million scans / second –Reached in 3 minutes –Beyond that point, congestion-limited Payload non-malicious, apart from aggressive scanning Outages in 911 (emergency telephone) service, Bank of America ATM network –Purely from traffic load; crashed some network equipment, saturated some bottleneck links

14 14 Slammer’s Growth Limited by Internet Bandwidth (!) Source: Vern Paxson, ICSI/UC Berkeley

15 15 Worm Propagation Methods Random scanning (e.g., Code-Red, Slammer) Meta-server worm: query a service for hosts to infect (e.g., ask Google, “powered by phpbb”) Topological worm: find candidates from files on infected host’s disk (e.g., web server logs, bookmark files, email address books, ssh known hosts files, …) –Very fast; stealthy—no random scanning behavior to attract attention Contagion worm: piggyback worm on application’s usual connections –Connection patterns appear normal!

Download ppt "Internet Worms Brad Karp UCL Computer Science CS GZ03 / 4030 10 th December, 2007."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.

Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
The Threat of Internet Worms Vern Paxson ICSI Center for Internet Research and Lawrence Berkeley National Laboratory December 2, 2004.

The Threat of Internet Worms Vern Paxson ICSI Center for Internet Research and Lawrence Berkeley National Laboratory December 2, 2004.
Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.

Automated Worm Fingerprinting [Singh, Estan et al] Internet Quarantine: Requirements for Self- Propagating Code [Moore, Shannon et al] David W. Hill CSCI.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
Active Worm and Its Defense1 CSE651: Network Security.

Active Worm and Its Defense1 CSE651: Network Security.
Malware, con’t original slides provided by Prof. Vern Paxson University of California, Berkeley.

Malware, con’t original slides provided by Prof. Vern Paxson University of California, Berkeley.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
W HAT DOES EXPLOIT MEAN ? A ND THE S ASSER WORM Seminar on Software Engineering, Short Presentation 07.02.2008 Christian Gruber.

W HAT DOES EXPLOIT MEAN ? A ND THE S ASSER WORM Seminar on Software Engineering, Short Presentation Christian Gruber.
Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.

Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.
Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014.

Lecture 26 Page 1 Advanced Network Security Malware for Networks Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google