A Case Study on Computer Worms Balaji Badam

Computer worms A self-propagating program on a network Types of Worms  Target Discovery  Carrier  Activation  Payloads  Attackers

Target Discovery Mechanism by which a worm discovers new targets to infect Techniques  Scanning  Pre-generated Target Lists  Externally Generated Target Lists  Internal Target Lists  Passive

Scanning Probing a set of addresses to identify vulnerable hosts  Sequential  Random Simple so most common propagation strategy. Efficiency Factors  Density of vulnerable machines  Design of the scanner  Ability of edge routers to forward the worm traffic

Pre-Generated Target Lists Pre-assembled list of probable victims Not easy to generate  Small scale lists can be generated from public sources  Comprehensive lists require either a distributed scan or a compromise of a complete database

Externally Generated Target Lists Maintained by a separate server, such as a metaserver  Dynamic list of active servers A metaserver worm queries the metaserver to determine new targets  Half-Life  Google

Internal Target Lists Generated from local information  /etc/hosts Topological worms spread based on local information  Morris worm Advantages  Can spread quickly for machines that are highly connected  Machines being contacted are already known machines, thus traffic seems normal

Passive Worms Do not seek out victim machines  Wait for potential victims to establish contact  Rely on user behavior to discover new targets Example: Contagion Worms Advantage  no anomalous traffic patterns Disadvantage  potentially slow

Carriers Means by which propagation occurs Types  Self-Carried Actively transmits itself as part of the infection process  Second Channel Passive version of self-carried carrier  Embedded Hides inside a normal communication channel Stealthy with contagion strategy Speed dependent on the communication type

Activation Means by which worm is activated on host Types  Human Activation Activated by local user interaction  Human Activity-Based Activation Activated on user-initiated computer task  Scheduled Process Activation Activated through Scheduled System processes Faster than the other two activation methods

Self Activation Initiate own execution by exploiting known vulnerabilities Execution happens as soon as the worm can locate a copy of the vulnerable service and transmit the code Advantage: Fastest of the activation methods

Payloads Code on worm other than propagation code Reflects the goal of the attacker Classification of Payloads None/nonfunctional - Most common Internet Remote Control Ex: Code Red II Spam Relays - relay spammers, block anti-spam Access for Sale Data Damage Data Collection - targets sensitive data

Classification of Payloads… HTML-Proxies - redirects web requests to randomly selected proxies Internet DOS - Attacks specific sites, most common Time delayed data erasers Physical-world remote control - Air Traffic Control Physical-world DOS - Dialing 911 via modem Physical-world Reconnaissance - Scanning telephone numbers for answering modems

Attackers People who write the worm code Many different reasons for developing worms Experimental Curiosity  IloveYou – thesis project  Morris Worm – accident Pride and Power Extortion and Criminal Gain  Sobig – linking to illegal activities

Attackers… Commercial Advantage Random Protest  Unabomber for computers Political Protest  Yaha worm Terrorism  Economic disruption Cyber Warfare

The Ecology of worms Application Design Buffer Overflows – smashing the stack Privileges Application Deployment – Microsoft XP Economic Factors - cheaper to release buggy code Patch Deployment - cheaper to bundle patches Monocultures – monopolies have common design