Introduction to Internet Worm - PowerPoint PPT Presentation

About This Presentation
Title:

Introduction to Internet Worm

Description:

'Monitoring and Early Warning for Internet Worms' ... 'Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic' 'Polygraph: Automatic ... – PowerPoint PPT presentation

Slides: 14
Provided by: csU73
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes



1
Introduction to Internet Worm
  • Cliff C. Zou
  • CAP6133, Spring08

2
Common forms of malware
  • Malware --- malicious software
  • Viruses
  • Worms
  • Trojan horses
      • Appear to be good but perform malicious actions
  • Spyware, adware
  • Email spam, phishing

3
What is an Internet worm?
  • Code that replicates itself over a computer
    network on its own and usually performs malicious
    actions
  • Exploits a vulnerability in some remote computers
      • The OS or installed software has the vulnerability
  • Runs on compromised computers without permission
    from their users
  • Jumps from one computer to another through the
    Internet
  • Automatic spreading without any human
    intervention
      • Basic difference from viruses

4
Worm propagation process
  • Find new targets
      • IP random scanning
      • Send TCP/SYN or UDP packet
  • Compromise targets
      • Exploit vulnerability
  • Newly infected hosts join the infection army

5
Worm research motivation
  • Code Red (Jul. 2001): 360,000 infected in 14
    hours
  • Slammer (Jan. 2003): 75,000 infected in 10
    minutes; congested parts of the Internet (ATMs down)
  • Blaster (Aug. 2003): 150,000 to 8 million
    infected; DDoS attack (shut down domain
    windowsupdate.com)
  • Witty (Mar. 2004): 12,000 infected in half an
    hour; attacked a vulnerability in ISS security
    products
  • Sasser (May 2004): 500,000 infected within two
    days

Infection faster than human response!
6
How to defend against Internet worm attack?
  • Automatic response required
  • First, understanding worm behavior
      • Basis for worm detection/defense
      • Similar to epidemic spreading
  • Next, worm detection
      • Automatic (catch worm speed)
      • Unknown worm (no known signature)
  • Last, must have autonomous defense
      • False alarm?
      • More advanced worm? (e.g., polymorphic worm)

7
Internet Worm Modeling
  • Internet worm propagation is similar to epidemic
    spreading
  • Borrow models from the epidemiology area
  • Modify models based on worm behaviors
  • Simple epidemic model

I(t): number of infected hosts; N: total population
8
Simple worm propagation model
  • Address space, size Ω
  • N: total vulnerable hosts
  • I(t): infected by time t
  • N - I(t): vulnerable at time t
  • Scan rate (per host), η
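The slides give the symbols of the simple epidemic model but not the equation or a run of it. The following is an added example (not from the slides) that writes the model in those symbols and steps it in discrete time, as the "Modeling the Spread of Active Worms" paper on the next slide does. The equation dI/dt = (η/Ω)·I(t)·(N − I(t)) is the standard simple epidemic model for a random-scanning worm; the Code Red-like parameter values are assumed for illustration only.

```python
"""Discrete-time simulation of the simple epidemic (SI) worm model.

Added example; the equation itself is not on the slides. Symbols follow slides 7-8:
  omega : size of the scanned address space (Omega on the slide)
  N     : number of vulnerable hosts
  I(t)  : infected hosts at time t, so N - I(t) are still vulnerable
  eta   : scans per unit time issued by each infected host
Each scan hits a still-vulnerable host with probability (N - I)/omega, giving
  dI/dt = (eta / omega) * I * (N - I)
"""
import math


def simulate_si(N, omega, eta, i0=1.0, dt=1.0, t_max=10_000.0):
    """Euler-step the SI model; return a list of (t, I(t)) samples."""
    infected = float(i0)
    series = [(0.0, infected)]
    t = 0.0
    while t < t_max and infected < N - 0.5:
        new_infections = (eta / omega) * infected * (N - infected) * dt
        infected = min(float(N), infected + new_infections)
        t += dt
        series.append((t, infected))
    return series


def time_to_fraction(series, N, frac):
    """First time at which at least frac*N hosts are infected (None if never)."""
    for t, infected in series:
        if infected >= frac * N:
            return t
    return None


def logistic_half_time(N, omega, eta, i0=1.0):
    """Closed-form time to N/2 infected from the logistic solution of the model."""
    rate = eta * N / omega            # initial exponential growth rate
    return math.log(N / i0 - 1.0) / rate


if __name__ == "__main__":
    # Assumed Code Red-like parameters (constructed for illustration):
    # 360,000 vulnerable hosts, IPv4 address space, 358 scans/minute per host.
    N, OMEGA, ETA = 360_000, 2 ** 32, 358.0
    series = simulate_si(N, OMEGA, ETA, dt=0.1)
    for frac in (0.01, 0.10, 0.50, 0.90, 0.99):
        t = time_to_fraction(series, N, frac)
        print(f"{frac:4.0%} infected after {t / 60:5.1f} hours")
    print(f"analytic half time: {logistic_half_time(N, OMEGA, ETA) / 60:.1f} hours")
```

The printed curve shows the point of slide 5: the early phase is slow and nearly invisible, then the bulk of the population is infected in a window of a few hours, which is why the slides call for automatic rather than human response.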

9
Worm modeling papers references
  • How to Own the Internet in Your Spare Time
      • First modeling paper after Code Red (most
        important paper)
  • On the Performance of Internet Worm Scanning
    Strategies
      • Modeling a worm when it uses different scanning
        methods
  • Models of Active Worm Defenses
      • Modeling good-worm defense against a bad worm
  • Modeling the Spread of Active Worms
      • Modeling based on discrete-time equations

10
Internet worm detection
  • Detection of unknown worms
      • No signature is known before a worm breaks out
  • Different forms of worm detection
      • Detect a worm's breakout in the Internet
          • Minimum; does not provide further information
      • Detect infected hosts in the global Internet
          • Helps filtering; protects local networks
      • Detect local infected hosts
          • Helps maintenance; stops major damage before it
            is too late
      • Automatic signature generation
          • Most valuable; directly helps worm filtering

11
Worm detection papers references
  • Monitoring and Early Warning for Internet Worms
  • Fast Portscan Detection Using Sequential
    Hypothesis Testing
  • Cooperative Response Strategies for Large Scale
    Attack Mitigation
  • Automated Worm Fingerprinting
  • Host-based, network traffic-based worm detection
    systems
      • Will be introduced in later topics
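To make the "detect local infected hosts" form of detection on slide 10 concrete, here is an added example (not from the slides or from any of the listed papers) in the style of the sequential hypothesis testing approach named above: each first-contact connection attempt from a local host is an observation, failures push a running likelihood ratio toward the "scanner" hypothesis, successes push it toward "benign", and the host is decided as soon as the ratio crosses either threshold. The log lines, the success probabilities θ0/θ1 and the error targets α/β are all constructed for the example.

```python
"""Threshold Random Walk (TRW) detection of a locally infected, scanning host.

Added example of the 'detect local infected hosts' form of detection on
slide 10, in the style of the sequential hypothesis testing paper on slide 11.
The log lines and all parameter values are constructed for this example.
Each first-contact connection from a local host is an observation: success
favours the benign hypothesis H0, failure favours the scanner hypothesis H1.
"""
import math

THETA0 = 0.8   # P(first contact succeeds | H0: benign host)   (assumed)
THETA1 = 0.2   # P(first contact succeeds | H1: scanner)       (assumed)
ALPHA = 0.01   # tolerated false positive probability
BETA = 0.99    # desired detection probability
UPPER = math.log(BETA / ALPHA)                   # cross it -> decide H1 (scanner)
LOWER = math.log((1.0 - BETA) / (1.0 - ALPHA))   # cross it -> decide H0 (benign)

# Constructed log: "<ts> <src> <dst> <dport> <outcome>", outcome is ok or fail.
# Line 4 repeats a destination already tried and is therefore not a first contact.
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10 445 fail
2 10.0.0.5 192.168.1.11 445 fail
3 10.0.0.5 192.168.1.12 445 fail
4 10.0.0.5 192.168.1.10 445 fail
5 10.0.0.5 192.168.1.13 445 fail
6 10.0.0.7 192.168.1.20 80 ok
7 10.0.0.7 192.168.1.21 80 ok
8 10.0.0.7 192.168.1.22 80 fail
9 10.0.0.7 192.168.1.23 80 ok
10 10.0.0.7 192.168.1.24 80 ok
11 10.0.0.7 192.168.1.25 80 ok
12 10.0.0.9 192.168.1.30 22 ok
"""


def parse_log(text):
    """Yield (src, dst, succeeded) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _port, outcome = line.split()
        yield src, dst, outcome == "ok"


def classify_hosts(log_text):
    """Run TRW per source host. Returns {src: (decision, observations_used)}.

    Only the first contact with each destination counts, and a host is no
    longer updated once a decision has been reached."""
    llr = {}        # src -> running log-likelihood ratio
    seen = set()    # (src, dst) pairs already observed
    result = {}     # src -> (decision, number of observations used)
    for src, dst, ok in parse_log(log_text):
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        decision, n = result.get(src, ("pending", 0))
        if decision != "pending":
            continue
        if ok:
            step = math.log(THETA1 / THETA0)                  # success: negative
        else:
            step = math.log((1 - THETA1) / (1 - THETA0))      # failure: positive
        llr[src] = llr.get(src, 0.0) + step
        n += 1
        if llr[src] >= UPPER:
            decision = "scanner"
        elif llr[src] <= LOWER:
            decision = "benign"
        result[src] = (decision, n)
    return result


if __name__ == "__main__":
    for host, (decision, n) in sorted(classify_hosts(SAMPLE_LOG).items()):
        print(f"{host:10s} {decision:8s} after {n} first-contact attempts")
```

With these parameters each failure multiplies the likelihood ratio by 4 and each success by 1/4, so a host is flagged after four net failed first contacts and cleared after four net successes; the thresholds, not a fixed count, control how many observations that takes, which is what lets the detector be both quick and bounded in its false alarm rate.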

12
Internet worm defense
  • Can it catch a worm's rapid speed?
      • Automatic, quick enough
      • Internet Quarantine: Requirements for Containing
        Self-Propagating Code
  • Acceptable false alarm cost?
      • Major reason for slow deployment of automatic
        worm defense systems
      • People tend to forget worms until hit hard
      • Throttling Viruses: Restricting Propagation to
        Defeat Mobile Malicious Code
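The throttling paper listed above illustrates the trade-off on this slide: an automatic defense that is quick enough to matter, with a false-alarm cost low enough to deploy. The following is an added simulation (not code from the slides or from that paper) of the throttle idea: a host may freely reconnect to the few destinations it talked to recently, every connection to a new destination waits in a delay queue released at one per second, and a queue that grows past a limit is the signal to contain the host. Working-set size, release rate, queue limit and both traces are constructed values.

```python
"""Virus throttle simulated on a per-host connection trace.

Added example in the spirit of 'Throttling Viruses'; not the paper's code.
A normal host mostly reconnects to a small working set of destinations, so it
is rarely delayed; a scanning worm contacts many new addresses, so its delay
queue grows quickly and crosses the limit. All parameters are constructed.
"""
from collections import OrderedDict, deque


class VirusThrottle:
    def __init__(self, working_set_size=5, queue_limit=100):
        self.ws_size = working_set_size
        self.queue_limit = queue_limit
        self.working_set = OrderedDict()   # dst -> None, kept in LRU order
        self.delay_queue = deque()         # (request_time, dst), FIFO
        self.max_queue = 0
        self.flagged_at = None             # second at which the host was contained
        self.sent = []                     # (request_time, send_time, dst)

    def _touch(self, dst):
        """Mark dst as recently used, evicting the least recently used entry."""
        self.working_set[dst] = None
        self.working_set.move_to_end(dst)
        while len(self.working_set) > self.ws_size:
            self.working_set.popitem(last=False)

    def request(self, now, dst):
        """Outgoing connection request at time `now` (whole seconds)."""
        if self.flagged_at is not None:
            return "blocked"
        if dst in self.working_set:
            self._touch(dst)
            self.sent.append((now, now, dst))
            return "sent"
        self.delay_queue.append((now, dst))
        self.max_queue = max(self.max_queue, len(self.delay_queue))
        if len(self.delay_queue) > self.queue_limit:
            self.flagged_at = now          # too many new destinations: contain the host
            return "blocked"
        return "queued"

    def tick(self, now):
        """Once-per-second timer: release one queued request."""
        if self.flagged_at is not None or not self.delay_queue:
            return None
        req_time, dst = self.delay_queue.popleft()
        self._touch(dst)
        self.sent.append((req_time, now, dst))
        return dst


def run_trace(trace, seconds, **throttle_args):
    """Replay a list of (second, dst) requests through a fresh throttle."""
    th = VirusThrottle(**throttle_args)
    by_second = {}
    for t, dst in trace:
        by_second.setdefault(t, []).append(dst)
    for now in range(seconds):
        th.tick(now)                       # timer fires before that second's requests
        for dst in by_second.get(now, []):
            th.request(now, dst)
    delays = [sent - req for req, sent, _ in th.sent]
    return {
        "sent": len(th.sent),
        "max_queue": th.max_queue,
        "flagged_at": th.flagged_at,
        "mean_delay": sum(delays) / len(delays) if delays else 0.0,
    }


# Constructed traces: a user host cycling through three services, and a
# worm-like host opening 100 connections per second to fresh addresses.
BENIGN_TRACE = [(s, dst) for s in range(30) for dst in ("mail", "web", "db")]
WORM_TRACE = [(s, f"10.{s}.{i // 256}.{i % 256}") for s in range(5) for i in range(100)]

if __name__ == "__main__":
    print("benign:", run_trace(BENIGN_TRACE, 30))
    print("worm:  ", run_trace(WORM_TRACE, 5))
```

The benign host pays a few seconds of delay only while its working set warms up and is never flagged; the scanning host is contained within two seconds. The queue limit is the false-alarm knob the slide asks about: a server that legitimately fans out to many new hosts needs a larger working set or limit, otherwise the throttle itself becomes the outage.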

13
Advanced worms: polymorphic worms
  • A hot topic in the current research community
  • Worm changes its code as it spreads out
      • Uses encryption to hide the code signature
      • Uses code transformation techniques for change
  • Makes it harder to automatically generate a
    signature
  • Two papers (attack/defense)
      • Advanced Polymorphic Worms: Evading IDS by
        Blending in with Normal Traffic
      • Polygraph: Automatic Signature Generation for
        Polymorphic Worms
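The defensive paper on this slide rests on one observation: a worm can transform its payload, but the parts of a request that actually trigger the vulnerability (protocol framing, field names, fixed headers) have to survive every variant. The following is an added example (not Polygraph's code) of the conjunction-signature idea: take the substrings common to every sample in a suspicious pool, discard those that also occur in innocuous traffic, and match a flow only when all remaining tokens are present. Both pools are constructed; the "exploit" is just a long filler value in a request parameter.

```python
"""Conjunction-signature generation over a pool of polymorphic worm samples.

Added example in the spirit of Polygraph's conjunction signatures; it is not
the paper's code. Substrings common to every suspicious sample that never
occur in innocuous traffic form the signature. All samples are constructed.
"""

# Constructed suspicious pool: same trigger, different filler and session values.
SUSPICIOUS = [
    "GET /cgi-bin/login?user=" + "A" * 20 + "qzx1&sess=7 HTTP/1.1\r\nHost: a.example\r\n\r\n",
    "GET /cgi-bin/login?user=" + "B" * 24 + "lmn2&sess=42 HTTP/1.1\r\nHost: b.example\r\n\r\n",
    "GET /cgi-bin/login?user=" + "C" * 18 + "ppq3&sess=9 HTTP/1.1\r\nHost: c.example\r\n\r\n",
]
# Constructed innocuous pool: normal traffic used to discard non-specific tokens.
INNOCUOUS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "POST /cgi-bin/login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=bob&sess=abc",
]


def common_tokens(samples, min_len=4):
    """Maximal substrings of length >= min_len that occur in every sample."""
    base, others = samples[0], samples[1:]
    found = set()
    n = len(base)
    for i in range(n - min_len + 1):
        j = i + min_len
        if not all(base[i:j] in s for s in others):
            continue
        # extend to the right while the substring stays common to all samples
        while j < n and all(base[i:j + 1] in s for s in others):
            j += 1
        found.add(base[i:j])
    # keep only tokens that are not contained in a longer common token
    return {t for t in found if not any(t != u and t in u for u in found)}


def build_signature(suspicious, innocuous, min_len=4):
    """Conjunction signature: common tokens that never appear in innocuous flows."""
    return {t for t in common_tokens(suspicious, min_len)
            if not any(t in flow for flow in innocuous)}


def matches(flow, signature):
    """A flow matches a conjunction signature only if every token is present."""
    return bool(signature) and all(t in flow for t in signature)


if __name__ == "__main__":
    sig = build_signature(SUSPICIOUS, INNOCUOUS)
    print("signature tokens:", sorted(sig))
    unseen = "GET /cgi-bin/login?user=" + "D" * 31 + "&sess=5 HTTP/1.1\r\nHost: d.example\r\n\r\n"
    print("new variant matches:", matches(unseen, sig))
    print("benign request matches:", matches(INNOCUOUS[0], sig))
```

On these pools the common tokens are the request line prefix, the `&sess=` field, the `HTTP/1.1` header framing and the `.example` host suffix; the last three also occur in normal traffic and are dropped, leaving a single specific token that still matches a variant with entirely different filler. The attack paper on the same slide targets exactly this step by padding samples with bytes drawn from normal traffic so that the invariant part shrinks, which is why an innocuous pool and a minimum token length matter as much as the common-substring search.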