Introduction to Internet Worm Cliff C. Zou

Common forms of malware “Malware” --- malicious software Viruses Worms Trojan horses Appear to be good but perform malicious actions Spyware, adware Email spam, phishing

What is an Internet worm? A code that replicates itself over a computer network on its own and usually performs malicious actions Exploit a vulnerability in some remote computers OS, installed software has the vulnerability Runs on compromised computers without permission from their users Jump from one computer to another through the Internet Automatic spreading without any human intervention Basic difference from “viruses”

Worm propagation process Find new targets IP random scanning Send TCP/SYN or UDP packet Compromise targets Exploit vulnerability Newly infected join infection army

Worm research motivation Code Red (Jul. 2001) : 360,000 infected in 14 hours Slammer (Jan. 2003) : 75,000 infected in 10 minutes Congested parts of Internet (ATMs down…) Blaster (Aug. 2003) : 150,000 ~ 8 million infected DDOS attack (shut down domain windowsupdate.com) Witty (Mar. 2004) : 12,000 infected in half an hour Attack vulnerability in ISS security products Sasser (May 2004) : 500,000 infected within two days Infection faster than human response !

How to defend against Internet worm attack? Automatic response required First, understanding worm behavior Basis for worm detection/defense Similar to epidemic spreading Next, worm detection Automatic (catch worm speed) Unknown worm (no known signature) Last, must have autonomous defense False alarm? More advanced worm? (e.g., polymorphic worm)

Internet Worm Modeling Internet worm propagation is similar to epidemic spreading Borrow models from epidemiology area Modify models based on worm’s behaviors Simple epidemic model: It: # of infected N: # of total population

Simple worm propagation model address space, size W N : total vulnerable It : infected by time t N-It vulnerable at time t scan rate (per host), h W Prob. of a scan hitting vulnerable # of increased infected in a unit time

Worm modeling papers references “How to own the Internet in your spear time” First modeling paper after Code Red (most important paper) “On the Performance of Internet Worm Scanning Strategies” “Epidemic spreading in complex networks with degree correlations”

Internet worm detection Detection of unknown worm No signature is known before a worm’s break out Different forms of worm detection Detect a worm’s breakout in the Internet Minimum, does not provide further information Detect infected hosts in the global Internet Help filtering, protect local networks Detect local infected hosts Help maintenance; stop major damage before too late Automatic signature generation Most valuable; directly help worm filtering

Worm detection papers references “Monitoring and Early Warning for Internet Worms” “Fast Portscan Detection Using Sequential Hypothesis Testing” “Cooperative Response Strategies for Large Scale Attack Mitigation” “Automated Worm Fingerprinting”

Internet worm defense Can catch a worm’s rapid speed? Automatic, quick enough “Internet Quarantine: Requirements for Containing Self-Propagating Code” Acceptable false alarm cost? Major reason for slow deployment of automatic worm defense systems People tend to forget worms until hit hard “Throttling Viruses: Restricting Propagation to Defeat Mobile Malicious Code”

Advanced worms  Polymorphic worms Worm changes its code as it spreads out Use encryption to hide code signature Use code transformation technique for change Make it harder to automatically generate signature Two papers (attack/defense): “Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic” “Polygraph: Automatic Signature Generation for Polymorphic Worms”