A Study of Mass-mailing Worms
By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004
Presented by Allen Stone

Mass-Mailing Worms
- Background (Morris, Code Red, and Slammer)
- Analysis of the SoBig and MyDoom worms
- Anomalies
  - TCP
  - IP addresses
  - DNS
  - Traffic in general
- Discussion and Conclusions
- Protection

Worms – What are they?
"A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers." - Wikipedia (wikipedia.org)

The Morris Worm
- The first Internet worm, written by Robert T. Morris, Jr., a first-year computer science student at Cornell University.
- Infected roughly six thousand machines nationwide in November of
- Performance of victim machines was drastically reduced by the propagation attempts.

Scanning Worms
- Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit they carry.
- Code Red, 2001
  - 359,000 computers infected within 14 hours.
  - IIS exploit; spread through web scanning.
- Slammer Worm, 2002
  - 75,000 hosts; the number doubled every 8.5 seconds.
  - UDP packet crafted against SQL Server.
- Zero-day exploits

Mass-mailing Worms
- Sends itself via e-mail.
- Usually infects through attachments.
- Harvests e-mail addresses from the address book, web cache, and hard disk (unlike viruses).
- No need to acquire new targets.
- Tricks users into running malicious code on their own machines.
- Some worms use their own SMTP engine.

Analysis
- The SoBig and MyDoom mass-mailing worms
- Real network trace data, collected from the edge router of CMU's Electrical and Computer Engineering Department
- Two-week periods (Aug. – Sept. and Jan. – Feb. 2004)

Infected or chatty? Heuristics of suspicion
- Outgoing SMTP connections on a controlled network that do not go to an authorized mail server.
- Message payload similar to the payload sizes of known worm traffic reported by Symantec.
- Admittedly not 100 percent accurate.

Worm Effect – TCP Traffic
- Scanning worms cause spikes in all kinds of traffic, produced by scanning for other boxes to compromise.
- Mass-mailing worms use e-mail to spread to potential victim boxes, i.e. through mail service over TCP.

Worm Effect – TCP Traffic

Since the worms use their own SMTP engines, there should be no outbound SMTP traffic spikes from the existing mail servers. There is a spike in traffic with SoBig, but not with MyDoom. Spoofed e-mails built from the harvested addresses create false guesses, which create backscatter. SoBig is more aggressive than MyDoom during propagation.

Worm Effect – Distinct IPs
- Normal boxes that are not infected touch an average number of distinct IPs in a given day.
- Infected boxes use addresses from all over, taken from the harvest.
- The number of distinct IPs an infected system touches should be noticeably larger.
- Intuitively, the number of IPs a mail server touches should not change, since mail servers already send to new IPs on a regular basis.

Worm Effect – Distinct IPs
- Infected boxes experienced a rise.
- Mail servers did as well, despite the expectation.
- Attributed also to the spoofing effort.
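The two "heuristics of suspicion" (outbound SMTP to a non-authorized relay, worm-sized message payloads) and the distinct-destination-IP count are easy to turn into a flow-level detector. The script below is an added example, not code from Wong et al. or from these slides; the authorized relay address, the payload-size band, the per-day baseline and the flow records themselves are all constructed for illustration. A host is only reported when at least two of the three indicators fire, since the slides note that each heuristic on its own is not fully accurate.

```python
"""Flag likely mass-mailing worm victims from per-flow records.

Added example (not code from Wong et al. or these slides). It implements the two
"heuristics of suspicion" plus the distinct-destination-IP count from the slides.
All thresholds and flow records here are constructed/hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25
# Hypothetical: the only relays a host on this network may deliver mail through.
AUTHORIZED_MAIL_SERVERS = {"10.0.0.25"}
# Hypothetical: payload-size band (bytes) observed for a known worm's messages.
WORM_PAYLOAD_RANGE = (30_000, 40_000)
# Hypothetical baseline: distinct destination IPs a normal workstation reaches per day.
BASELINE_DISTINCT_IPS = 20
DISTINCT_IP_MULTIPLIER = 3


@dataclass(frozen=True)
class Flow:
    day: str            # calendar day, e.g. "2004-01-27"
    src: str            # internal host that opened the connection
    dst: str            # destination IP
    dport: int          # destination port
    payload_bytes: int  # bytes sent by src on this flow


def unauthorized_smtp(flows):
    """Heuristic 1: outbound SMTP from a host to anything but the authorized relays.
    Returns {src: set of unauthorized SMTP destinations}."""
    hits = defaultdict(set)
    for f in flows:
        if f.dport == SMTP_PORT and f.dst not in AUTHORIZED_MAIL_SERVERS:
            hits[f.src].add(f.dst)
    return dict(hits)


def worm_sized_payloads(flows, size_range=WORM_PAYLOAD_RANGE):
    """Heuristic 2: SMTP flows per host whose payload size falls in the known-worm band."""
    lo, hi = size_range
    counts = defaultdict(int)
    for f in flows:
        if f.dport == SMTP_PORT and lo <= f.payload_bytes <= hi:
            counts[f.src] += 1
    return dict(counts)


def distinct_ips_per_day(flows):
    """Distinct destination IPs touched by each (host, day)."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.src, f.day)].add(f.dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def suspicious_hosts(flows, baseline=BASELINE_DISTINCT_IPS, multiplier=DISTINCT_IP_MULTIPLIER):
    """A host is reported when at least two of the three indicators fire."""
    unauth = unauthorized_smtp(flows)
    sized = worm_sized_payloads(flows)
    fanout = distinct_ips_per_day(flows)
    report = {}
    for host in {f.src for f in flows}:
        reasons = []
        if host in unauth:
            reasons.append(f"SMTP to {len(unauth[host])} unauthorized server(s)")
        if host in sized:
            reasons.append(f"{sized[host]} worm-sized SMTP payload(s)")
        peak = max(n for (src, _day), n in fanout.items() if src == host)
        if peak > baseline * multiplier:
            reasons.append(f"{peak} distinct destination IPs in one day")
        if len(reasons) >= 2:
            report[host] = reasons
    return report


def sample_flows():
    """Constructed sample: one normal workstation and one infected workstation."""
    flows = []
    # Normal host: a few web sites, mail delivered through the authorized relay.
    for i in range(5):
        flows.append(Flow("2004-01-27", "10.0.1.5", f"198.51.100.{i}", 80, 1_500))
    flows.append(Flow("2004-01-27", "10.0.1.5", "10.0.0.25", SMTP_PORT, 2_000))
    # Infected host: its own SMTP engine delivering worm-sized messages directly
    # to the mail exchangers of 70 harvested domains.
    for i in range(70):
        flows.append(Flow("2004-01-27", "10.0.1.77", f"203.0.113.{i}", SMTP_PORT, 34_000))
    return flows


if __name__ == "__main__":
    for host, why in suspicious_hosts(sample_flows()).items():
        print(host, "->", "; ".join(why))
```

On the constructed sample only the infected workstation is reported, with all three reasons; the normal workstation sends through the authorized relay with an ordinary-sized message and reaches six distinct IPs, well under the baseline. In a real deployment the baseline should be learned per host class (workstation vs. mail server), because the slides show that mail servers' distinct-IP counts rose too, driven by backscatter from spoofed sender addresses.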

Worm Effect – DNS
- DNS-related events are expected to rise, since SMTP needs to resolve the IP associated with each e-mail address's domain.
- New cache entry, refreshed cache entry, cache entry expiration
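The DNS side of the same observation can be monitored directly on the resolver: a worm with its own SMTP engine has to look up the mail exchanger (MX record) of every harvested address's domain, so a workstation that suddenly queries MX records for many distinct domains in a short window stands out. The script below is an added example, not from the paper or these slides; the log format and every log line in it are constructed, not any real resolver's output.

```python
"""Count MX lookups per client in resolver logs to spot hosts resolving many mail domains.

Added example, not from the paper or these slides. The log format and all lines
below are constructed, not any real resolver's format.
"""

# Constructed log: "<epoch_seconds> <client_ip> <qtype> <qname>" per line.
SAMPLE_LOG = """\
1075200000 10.0.0.25 MX example.org
1075200001 10.0.1.5 A www.example.com
1075200002 10.0.1.77 MX example.net
1075200002 10.0.1.77 MX example.org
1075200003 10.0.1.77 MX example.com
1075200003 10.0.1.77 MX example.edu
1075200004 10.0.1.77 MX example.info
1075200004 10.0.1.77 MX example.biz
1075200005 10.0.1.5 A mail.example.com
1075200006 10.0.0.25 MX example.com
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype.upper(), qname.lower()))
    return records


def max_mx_domains_in_window(records, client, window_seconds):
    """Largest number of distinct domains `client` queried MX records for within
    any window of `window_seconds` (sliding window over the client's MX queries)."""
    events = sorted((ts, q) for ts, c, qtype, q in records if c == client and qtype == "MX")
    best, start = 0, 0
    for end in range(len(events)):
        # Drop events that fell out of the window ending at events[end].
        while events[end][0] - events[start][0] >= window_seconds:
            start += 1
        best = max(best, len({q for _, q in events[start:end + 1]}))
    return best


def flag_mx_outliers(records, threshold=3, window_seconds=60):
    """Clients whose peak distinct-MX-domain count in a window exceeds `threshold`."""
    clients = {c for _, c, _, _ in records}
    flagged = {}
    for c in clients:
        peak = max_mx_domains_in_window(records, c, window_seconds)
        if peak > threshold:
            flagged[c] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in flag_mx_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {peak} distinct MX domains within 60 s")
```

In the constructed log the workstation 10.0.1.77 resolves six mail domains within a few seconds and is flagged; the relay 10.0.0.25 resolves two and the browsing workstation none. A legitimate mail server does this all day, so its threshold should come from its own history rather than from the workstation value used here.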

Worm Effect – DNS

Worm Effect – Overall Traffic
- HTTP traffic dominates the network, with over 90% of all inbound and outbound traffic.
- Do the infected systems make a large impact on that fact?

Worm Effect – Overall Traffic

Discussion and Conclusions
- Mass-mailing worms show a significant and noticeable impact on a network.
- Prevention measures belong at the DNS server rather than at the SMTP server.
- Detection should focus on outgoing TCP, DNS, and distinct IPs rather than on whole-network anomalies, because HTTP dominates overall traffic.

Discussion and Conclusions
- Both worms overran the network, SoBig more so than MyDoom.
- SMTP servers were still affected, even though the worms carry their own mail clients, due to backscatter.
- Antivirus software on mail servers is actually counter-productive as a defense measure.

Protection
- Detect worms either at the border router or on individual systems.
- Utilize DNS servers to limit the spread of the worm, possibly quarantining malicious traffic.
- Pay strict attention to outgoing SMTP traffic and investigate spikes in such traffic.

Sources
- "A Study of Mass-mailing Worms", Wong, Bielski, McCune, Wang, CMU 2004. Proceedings of the 2004 ACM Workshop on Rapid Malcode.
- "The Spread of the Sapphire/Slammer Worm", Moore, Paxson, Savage, Shannon, Staniford, Weaver.
- "Code-Red: a case study on the spread and victims of an Internet worm", Moore, Shannon, Claffy. Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement.
- "The Cornell Commission: On Morris and the Worm", Eisenberg, Gries, Hartmanis, Holcomb, Lynn, Santoro. Communications of the ACM, Vol. 32, Issue 6.