A Case Study on Computer Worms
Balaji Badam
Computer Worms
- A self-propagating program on a network
Types of worms (the dimensions used to classify them below):
- Target discovery
- Carrier
- Activation
- Payloads
- Attackers
Target Discovery
- The mechanism by which a worm discovers new targets to infect
Techniques:
- Scanning
- Pre-generated target lists
- Externally generated target lists
- Internal target lists
- Passive
Scanning
- Probing a set of addresses to identify vulnerable hosts
- Sequential or random
- Simple, so it is the most common propagation strategy
Efficiency factors:
- Density of vulnerable machines
- Design of the scanner
- Ability of edge routers to forward the worm traffic
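To make the first two efficiency factors concrete, here is an added example (not part of the original deck) that models random-scanning spread as a deterministic discrete-time epidemic: each round every infected host sends a fixed number of uniformly random probes, and a probe that lands on a vulnerable, not-yet-infected host infects it. The model ignores network loss, so the third factor (edge routers dropping or forwarding the traffic) is not represented. All population sizes and probe rates below are constructed; the function names are this example's own.

```python
# Added example: deterministic model of random-scanning worm spread.
# Assumptions (not from the deck): synchronous rounds, uniform random probing
# over a flat address space, no packet loss, every hit infects immediately.


def rounds_to_saturate(address_space, vulnerable, probes_per_round,
                       initial_infected=1, fraction=0.99, max_rounds=100000):
    """Return how many rounds it takes until `fraction` of the vulnerable hosts
    are infected, or None if that never happens within `max_rounds`.

    address_space    -- number of addresses the worm can probe (e.g. 2**16)
    vulnerable       -- number of vulnerable hosts in that space (the density
                        is vulnerable / address_space)
    probes_per_round -- probes each infected host sends per round
    """
    if vulnerable <= 0 or address_space <= 0 or probes_per_round <= 0:
        raise ValueError("population sizes and probe rate must be positive")
    infected = float(min(initial_infected, vulnerable))
    if infected >= fraction * vulnerable:
        return 0
    for r in range(1, max_rounds + 1):
        # Probability that one random probe hits a vulnerable, uninfected host.
        p_hit = (vulnerable - infected) / address_space
        new_infections = infected * probes_per_round * p_hit
        infected = min(float(vulnerable), infected + new_infections)
        if infected >= fraction * vulnerable:
            return r
    return None


def saturation_table(address_space, vulnerable_counts, probe_rates):
    """Map (vulnerable, probes_per_round) -> rounds to saturation, so the two
    efficiency factors can be compared side by side."""
    return {(v, p): rounds_to_saturate(address_space, v, p)
            for v in vulnerable_counts for p in probe_rates}


if __name__ == "__main__":
    space = 2 ** 16  # constructed: a /16 worth of addresses
    for (v, p), rounds in sorted(saturation_table(space, [600, 6000], [10, 20]).items()):
        print(f"vulnerable={v:5d} density={v / space:.3f} probes/round={p:2d} "
              f"-> {rounds} rounds to 99% infection")
```

The useful reading for a defender is the density row: patching (lowering `vulnerable` at a fixed address space) lengthens the time to saturation far more than it looks like it should, because the growth rate of the infected population is proportional to the density of remaining vulnerable hosts.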
Pre-Generated Target Lists
- A pre-assembled list of probable victims
- Not easy to generate
- Small-scale lists can be generated from public sources
- Comprehensive lists require either a distributed scan or a compromise of a complete database
Externally Generated Target Lists
- Maintained by a separate server, such as a metaserver (a dynamic list of active servers)
- A metaserver worm queries the metaserver to determine new targets
- Examples: Half-Life, Google
Internal Target Lists
- Generated from local information (e.g. /etc/hosts)
- Topological worms spread based on local information (example: Morris worm)
Advantages:
- Can spread quickly among machines that are highly connected
- The machines being contacted are already known machines, so the traffic seems normal
Passive Worms
- Do not seek out victim machines
- Wait for potential victims to establish contact
- Rely on user behavior to discover new targets
- Example: contagion worms
- Advantage: no anomalous traffic patterns
- Disadvantage: potentially slow
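The contrast the last three slides draw, that scanning produces anomalous traffic while topological and passive spread do not, is what a simple fan-out detector on connection logs captures. The following added example (not from the original deck) parses constructed connection records, counts distinct destinations per source, labels high-fan-out sources as sequential or random scanners by whether their destinations form a consecutive address run, and leaves a host that only talks to a couple of already-known peers unflagged, which is exactly the topological case the deck says "seems normal". The log format, threshold and IP addresses are all constructed for the example.

```python
# Added example: fan-out based scan detection over connection records.
# Record format (constructed, not from the deck): "<src-ip> <dst-ip>:<port>"
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. 10.0.0.5 walks 10.0.1.1..10.0.1.6 in order (sequential
# scan), 10.0.0.9 hits scattered addresses (random scan), 10.0.0.20 contacts only
# two known peers, the way a topological worm's traffic would look.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1:445
10.0.0.5 10.0.1.2:445
10.0.0.5 10.0.1.3:445
10.0.0.5 10.0.1.4:445
10.0.0.5 10.0.1.5:445
10.0.0.5 10.0.1.6:445
10.0.0.9 172.16.4.77:445
10.0.0.9 192.168.200.3:445
10.0.0.9 10.3.9.14:445
10.0.0.9 172.31.0.200:445
10.0.0.9 10.250.1.1:445
10.0.0.9 192.168.77.12:445
10.0.0.20 10.0.0.21:445
10.0.0.20 10.0.0.22:445
10.0.0.20 10.0.0.21:445
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)$")


def parse_connections(text):
    """Parse records into (src, dst, port) tuples, skipping malformed lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not take the detector down
        src, dst, port = m.groups()
        try:
            conns.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
        except ValueError:
            continue  # not an IP address; skip it as well
    return conns


def fanout_by_source(conns):
    """Distinct destinations contacted by each source."""
    fan = defaultdict(set)
    for src, dst, _port in conns:
        fan[src].add(dst)
    return fan


def classify_scan(destinations):
    """'sequential' if the destinations form one consecutive address run,
    otherwise 'random'."""
    addrs = sorted(int(d) for d in destinations)
    gaps = [b - a for a, b in zip(addrs, addrs[1:])]
    return "sequential" if gaps and all(g == 1 for g in gaps) else "random"


def detect_scanners(text, threshold=5):
    """Return {source: scan-type} for sources whose distinct-destination count
    reaches `threshold`. Low fan-out sources (topological or passive spread)
    are deliberately not reported; they need other signals."""
    fan = fanout_by_source(parse_connections(text))
    return {str(src): classify_scan(dsts)
            for src, dsts in fan.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, kind in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {kind} scanner")
```

The threshold is the knob that embodies the deck's point: a scanning worm exceeds it within seconds of activation, while a topological worm contacting its own peer list or a passive worm waiting for inbound contact never does, so those need content- or host-based detection instead.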
Carriers
- The means by which propagation occurs
Types:
- Self-carried: actively transmits itself as part of the infection process
- Second channel: a passive version of the self-carried carrier
- Embedded: hides inside a normal communication channel; stealthy when combined with the contagion strategy; speed depends on the communication type
Activation
- The means by which the worm is activated on a host
Types:
- Human activation: activated by local user interaction
- Human activity-based activation: activated by a user-initiated computer task
- Scheduled process activation: activated through scheduled system processes; faster than the other two activation methods
Self Activation
- Initiates its own execution by exploiting known vulnerabilities
- Execution happens as soon as the worm can locate a copy of the vulnerable service and transmit the code
- Advantage: the fastest of the activation methods
Payloads
- Code in the worm other than the propagation code
- Reflects the goal of the attacker
Classification of payloads:
- None/nonfunctional: the most common
- Internet remote control (ex: Code Red II)
- Spam relays: relay spam, block anti-spam
- Access for sale
- Data damage
- Data collection: targets sensitive data
Classification of payloads (continued):
- HTML proxies: redirect web requests to randomly selected proxies
- Internet DoS: attacks specific sites; the most common
- Time-delayed data erasers
- Physical-world remote control: air traffic control
- Physical-world DoS: dialing 911 via modem
- Physical-world reconnaissance: scanning telephone numbers for answering modems
Attackers
- The people who write the worm code
- Many different reasons for developing worms:
- Experimental curiosity: ILOVEYOU (thesis project), Morris worm (accident)
- Pride and power
- Extortion and criminal gain: Sobig (linked to illegal activities)
Attackers (continued):
- Commercial advantage
- Random protest: a "Unabomber for computers"
- Political protest: Yaha worm
- Terrorism
- Economic disruption
- Cyber warfare
The Ecology of Worms
- Application design: buffer overflows (smashing the stack); privileges
- Application deployment: Microsoft XP
- Economic factors: cheaper to release buggy code
- Patch deployment: cheaper to bundle patches
- Monocultures: monopolies have a common design