Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen.

Published byMarianna Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen."— Presentation transcript:

1 A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen Stone

2 Mass-Mailing Worms  Background (Morris, Code Red, and Slammer)  Analysis of SoBig and MyDoom worms  Anomalies  TCP  IP addresses  DNS  Traffic In General  Discussion and Conclusions  Protection

3 Worms – What are they? “A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self- contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.” - Wikipedia (wikipedia.org)

4 The Morris Worm  The first internet worm, written by Robert T. Morris, Jr., a first-year Computer Science Student at Cornell University.  Infected roughly six thousand machines nationwide in November of 1988.  Performance of victim machines drastically reduced because of propagation attempts.

5 Scanning Worms  Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit it carries.  Code Red, 2001  359,000 computers infected within 14 hours.  IIS exploit – spread through web scanning.  Slammer Worm, 2002  75,000 hosts – number doubled every 8.5 seconds.  UDP packet crafted against SQL Server.  Zero Day Exploits

6 Mass-mailing Worms  Sends itself via email.  Usually infects with email attachments.  Harvests email addresses from address book, web cache, and hard disk. (unlike viruses)  No need to acquire new targets.  Tricks users into running malicious code on their own machines.  Some worms use their own SMTP engine.

7 Analysis  The SoBig and MyDoom mass-mailing worms  Real network trace data, collected from the edge router of CMU’s Electrical and Computer Engineering Department  Two Week Periods (Aug. – Sept. 2003 and Jan. – Feb. 2004)

8 Infected or chatty? Heuristics of suspicion  Outgoing SMTP connections on a controlled network not going to an authorized mail server.  Message payload – Similar to the payload sizes of known worm traffic from Symantec.  Admittedly not 100 percent accurate.

9 Worm Effect – TCP Traffic  Scanning worms have spikes in all kinds of traffic, caused by scanning for other boxes to compromise.  Mass-mailing worms use email to spread to potential victim boxes through mail service over TCP.

10 Worm Effect – TCP Traffic

11 Since the worms use their own SMTP engines, there should be no outbound SMTP traffic spikes from the existing mail servers. There is a spike in traffic with SoBig, but not MyDoom. Spoofed emails from the harvest of addresses creates false guesses, which create backscatter. SoBig is more aggressive than MyDoom during propagation.

12 Worm Effect – Distinct IPs  Normal boxes that are not infected touch an average number of distinct IPs in a given day.  Infected boxes use email addresses from all over, from the harvest.  The number of distinct IPs an infected system touches should be noticably larger.  The number of IPs a mail server touches should not change, intuitively, since they already send to new IPs on a regular basis.

13 Worm Effect – Distinct IPs  Infected boxes experienced a rise  Mail servers did as well, despite the expectation.  Attributed also to the spoofing effort.

14 Worm Effect - DNS  DNS related events expected to rise, since SMTP needs to resolve the IP associated with email addresses.  New cache entry, refreshed cache entry, cache entry expiration

15 Worm Effect - DNS

16 Worm Effect – Overall Traffic  HTTP traffic dominates the network, with over 90% of all inbound and outbound traffic.  Do the infected systems make a large impact on that fact?

17 Worm Effect – Overall Traffic

18 Discussion and Conclusions  Mass-mailing worms show significant and noticeable impact on a network.  Prevention measures at the DNS Server, rather than at the SMTP Server.  Detection focused on Outgoing TCP, DNS, and Distinct IP’s, rather than on whole-network anomaly, due to the impact of HTTP.

19 Discussion and Conclusions  Both worms overran the network.  SoBig moreso than MyDoom.  SMTP servers still affected, even with mail clients on the worms, due to backscatter.  Antivirus software on Mail Servers actually counter-productive as a defense measure.

20 Protection  Detect worms either at the border router or individual systems.  Utilize DNS servers to limit the spread of the worm, possibly quarantining malicious email traffic.  Pay strict attention to outgoing SMTP traffic and investigate spikes in such traffic.

21 Sources  “A Study of Mass-mailing Worms”  Wong, Bielski, McCune, Wang, CMU 2004  Proceedings of the 2004 AMC workshop on rapid malcode.  “The Spread of the Sapphire/Slammer Worm”  Moore, Paxson, Savage, Shannon, Staniford, Weaver  http://www.cs.berkeley.edu/~nweaver/sapphire/  “Code-Red: a case study on the spread and victims of an Internet worm”  Moore, Shannon, Claffy  Proceedings of the 2 nd ACM SIGCOMM Workshop on Internet measurement.  “The Cornell Commission: On Morris and the Worm”  Eisenberg, Gries, Hartmanis, Holcomb, Lynn, Santoro  Communications of the ACM, Vol. 32, Issue 6.

Download ppt "A Study of Mass- mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen."

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
IS 376 NOVEMBER 5, 2013 2013 DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.

IS 376 NOVEMBER 5, DATA BREACH INVESTIGATIONS REPORT By The Verizon RISK Team Research Investigations Solutions Knowledge.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.

Lecture: Malicious Code CIS 3360 Ratan K. Guha. Malicious Code2 Overview and Reading Assignments Defining malicious logic Types Action by Viruses Reading.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.

Computer Viruses and Worms* *Referred to slides by Dragan Lojpur, Zhu Fang at Florida State University.
Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.

Data Communications and Computer Networks Chapter 1 CS 3830 Lecture 5 Omar Meqdadi Department of Computer Science and Software Engineering University of.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Introduction to Security Computer Networks Computer Networks Term B10.

Introduction to Security Computer Networks Computer Networks Term B10.
 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.

Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.

Similar presentations

Ads by Google