Presentation is loading. Please wait.

Presentation is loading. Please wait.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Published byFelicia Beaston Modified over 9 years ago

Similar presentations

Presentation on theme: "Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim."— Presentation transcript:

1 Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim

2 Contents Introduction Objectives Background
Worm trace collection methodology Analyzed results Animation of Code-RedⅠ v2 Summary and conclusion

3 Introduction Virus vs. Worm Some Worms -Virus : -Worm :
1. do not try to break into machines 2. spread by user’s action 3. attach themselves onto other program -Worm : 1. try to break into machines using some vulnerability 2. spread on their own without user action 3. exist as a separate code in memory Some Worms - Morris in Nov 3, Lion in Mar, 2001 - WANK in Oct, Code-Red in Jul, 2001 - Ramen in Jan, 2001

4 Objectives Collect packet information generated by Code-Red
(How to collect this information and identify Code-Red?) Analyze the spread of Code-Red Trace geographic location and top-level domains in which Code-Red resides.

5 Background The Chronology of Code-Red outbreak 1. On Jun 18, 2001, eEye released information about a buffer- overflow vulnerability in Microsoft’s IIS web servers. 2. On Jun 26, 2001, Microsoft released a patch for the vulnerability 3. On Jul 12, 2001, Code-RedⅠv1 spread by exploiting the above vulnerability 4. On Jul 19, 2001, Code-RedⅠv2 spread 5. On Aug 4, 2001, Code-RedⅡ spread * Cost of recovering from Code-Red : 2.6 billion dollars

6 … 1. Code-RedⅠv1 : Characteristics of Code-Red
- Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism 3 2 1

7 … 1. Code-RedⅠv1 : Characteristics of Code-Red
- Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism 3 1 2

8 … 1. Code-RedⅠv1 : Characteristics of Code-Red
- Use a static seed, so it generated the same list of IP addresses - Between 1st and 19th of every month, it attempts to infect machines. (Infection phase) - Between 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase) - Between 29th and the last day, it does nothing. (dormant phase) * scanning mechanism 2 3 1 Therefore, the spread is slow

9 - Identical to Code-RedⅠv1 except that it uses a random seed, so
it generates a different list of IP addresses * scanning mechanism 1 5 2 1 4 2 3 3 1 3 2 Therefore, the spread is much faster than Code-RedⅠv1 Intuitively, the rate of infection will be exponential

10 - set up backdoor ( more dangerous than Code-RedⅠ)
- become dormant for a day to avoid being discovered by system administrator (slow infection mechanism) - after rebooting the machine, it begins to spread * scanning mechanism Let’s assume that the infected host IP address is Relative amount of probes 1/8 3/8 X.X.X.X 10.X.X.X 1/2 10.9.X.X Idea : Hosts within the network of an infected host may run the same vulnerable software

11 Worm trace collection Methodology
Three sources used to collect the worm packets - Passive network monitors within /8 network and /16 network - Backup data set from filtering router Worm identification If a host sends at least two TCP SYN packets on port 80 to two different hosts within research network, the host is considered to be infected. Research network /8 network Monitor Filtering router /16 network An infected host trying to probe hosts Monitor

12 Analyzed result Outbreak of Code-RedⅠ v1 Normal activity of TCP SYN
Packets on port 80 Infected hosts by Code-RedⅠv1 - Each Infected host probed the same set of 23 IP addresses into the research network because Code-RedⅠv1 used a static seed

13 Outbreak of the Code-RedⅠ v2 (infection rate)
Cumulative total of unique IP addresses One minute infection rates Detected unique IP addresses ≈ 359,000 Peak infection rate ≈ 2000 hosts /minute

14 Outbreak of the Code-RedⅠ v2 (deactivation rate)
Some infected hosts were patched Infection phase attack phase Cumulative total of deactivated hosts One minute deactivation rate The author’s methodology of identifying worms were not able to distinguish hosts infected with Code-RedⅡ from those Infected with Code-RedⅠv2 because two scanning mechanisms used by Code-RedⅠ v2 and Code-RedⅡ are a little similar (i.e. they use random seed)

15 Geographic location of Code-Red Ⅰ v2
They made this table by using IxMapping service which is useful to find location of certain host based on its IP address

16 Top-Level domains in which Code-Red Ⅰ v2 resides
They made this table by using NetSizer service

17 Top 10 domains (ISPs) in which Code-Red Ⅰ v2 resides
It shows that machines operated by home users and small businesses are the majority of infected hosts.

18 Animation Code-RedⅠ v2 Animation of Code-RedⅠv2

19 Summary and Conclusion
This paper shows how to extract various useful information from only logged IP header data (traffic analysis) DHCP inflates the number of infected hosts as measured by IP addresses, whereas NAT deflates the number of compromised IP address. We should consider those two factors in estimating the spread of Internet worms From the worm viewpoint, scanning mechanism is the key to spread fast, while from the defense viewpoint, ISP level solution should be achieved to mitigate Internet worms

20 … Autonomous System Monitor Infected host Messages are protected
Router Worm scanner Worm packets Hardware compiler Network segment

Download ppt "Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.

Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.

Internet Quarantine: Requirements for Containing Self- Propagating Code David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage.
CS-495 Advanced Networking J. Scott Miller, Spring 2005 Against Internet Intrusions (paper)

CS-495 Advanced Networking J. Scott Miller, Spring 2005 Against Internet Intrusions (paper)
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.

Network and Internet Security SYSTEM SECURITY. Virus Countermeasures Antivirus approach ◦Ideal solution: Prevention ◦Not allowing the virus to infect.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Internet Worms Brad Karp UCL Computer Science CS GZ03 / 4030 10 th December, 2007.

Internet Worms Brad Karp UCL Computer Science CS GZ03 / th December, 2007.
Internet Drivers License CSS411/BIS421 Computing Technology & Public Policy Mark Kochanski Spring 2010.

Internet Drivers License CSS411/BIS421 Computing Technology & Public Policy Mark Kochanski Spring 2010.

Similar presentations

Ads by Google