Title: Potential Strategies for High Speed Active Worms: A Worst Case Analysis
Slide 1: Potential Strategies for High Speed Active Worms: A Worst Case Analysis
- Nicholas Weaver
- U.C. Berkeley BRASS Group
- nweaver_at_cs.berkeley.edu
- Presented by Zesheng Chen
- April 3, 2002
Slide 2: Outline
- How fast a worm can spread
- How long a given worm can remain a significant threat on the Internet
Slide 3: What is a Worm?
- A program that copies itself over computer networks, infecting programs and machines in remote locations
- Does not depend on another program, executable, or file in order to spread
- Exponential growth
- Examples: Morris Internet Worm, Code Red, Nimda, Ramen and Cheese, Melissa, the Love Bug, etc.
Slide 4: Active Worm vs. Passive Worm
- Whether human interaction is needed
- A mail worm is a passive worm
- How an active worm works
- This paper focuses on active worms
Slide 5: Code Red's Propagation Behavior (from David Moore's analysis)
Slide 6: Simulating Worm Spread
- C program
- 2^32-entry address space
- A 32-bit, 6-round variant of RC5 is used to generate all permutations
- http://www.cs.berkeley.edu/nweaver/warhol.c
- http://www.cs.berkeley.edu/nweaver/division.c
- http://www.cs.berkeley.edu/nweaver/random.c
Slide 7: Simulated Code Red v2
- A simulated Code Red v2-like worm: 500,000 vulnerable machines, 10 scans per second, random scanning, starting on a single machine. Graph stops at 95% infection.
Slide 8: Parameters of the Simulator
- number of vulnerable machines
- number of scans per second
- time it takes to infect a machine
- number infected during the hitlist phase
- type of secondary scan (permutation, partitioned permutation, and random)
Slide 9: Hitlist Scanning
- What is a hitlist
- Why introduce a hitlist
- How to get the hitlist
- slow scan (Honeynet Project)
- http://project.honeynet.org
- public surveys (Netcraft survey)
- http://www.netcraft.com
Slide 10: Example of a Netcraft Survey
- Web site: http://uptime.netcraft.com/up/graph/
- Query: http://www-net.cs.umass.edu/security/
- Result: The site www-net.cs.umass.edu is running Apache/1.3.11 (Unix) PHP/3.0.14 on Compaq Tru64
Slide 11: Performance Analysis of Hitlist Scanning
- Permutation scanning, halting at 8, was used in all cases: 1,000,000 vulnerable hosts, 100 scans/second, 1 second to complete infection. Graphs stop at 95% infection and do not include the time to process the hitlist.
Slide 12: Topological Scanning
- What is topological scanning
- E-mail worms
- Peer-to-peer applications
- Using topological scanning to get the hitlist
- Papers:
- Directed-Graph Epidemiological Models of Computer Viruses, by J. O. Kephart and S. R. White
- On Viral Propagation and the Effect of Immunization, by C. Wang, J. C. Knight, and M. Elder
- Email Virus and Worm Propagation Simulation, by Changchun Zou
Slide 13: Local Subnet Scanning
- For example, Code Red II and Nimda
- Why local subnet scanning:
- firewalls (an infected host inside the perimeter can reach neighbours that an outside scanner cannot)
- similar machines in the local subnet
- Local subnet scanning can also be used to get a hitlist
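Added illustration, not code from the paper: a target generator with the local-subnet bias reported for Code Red II (1/8 of probes fully random, 1/2 inside the infected host's /8, the remaining 3/8 inside its /16; those fractions come from the published Code Red II analyses, the implementation is the editor's), together with the measurement a defender would run over a captured scanner's probe log to recognise that bias. The source address, seeds and probe counts are constructed.

```python
import ipaddress
import random


def local_biased_target(source, rng, p_random=1 / 8, p_same_8=1 / 2):
    """Draw one probe target biased toward the infected host's own networks.
    Assumed mix (as reported for Code Red II): p_random fully random, p_same_8
    inside the source's /8, the rest (3/8 by default) inside its /16. Loopback
    and multicast/reserved space (first octet 127, or 224 and above) is redrawn."""
    src = int(ipaddress.IPv4Address(source))
    if (src >> 24) == 127 or (src >> 24) >= 224:
        raise ValueError("source must be a routable unicast address")
    while True:
        roll = rng.random()
        if roll < p_random:
            addr = rng.getrandbits(32)
        elif roll < p_random + p_same_8:
            addr = (src & 0xFF000000) | rng.getrandbits(24)
        else:
            addr = (src & 0xFFFF0000) | rng.getrandbits(16)
        first = addr >> 24
        if first != 127 and first < 224:
            return str(ipaddress.IPv4Address(addr))


def characterize(source="192.0.2.10", n=20000, seed=3):
    """Measure the bias the way a defender would on a captured scanner's probe log:
    returns (share of probes in the source's /8, share in its /16, count of
    loopback/multicast targets). Inputs here are constructed, not worm data."""
    rng = random.Random(seed)
    net8 = ipaddress.ip_network(f"{source}/8", strict=False)
    net16 = ipaddress.ip_network(f"{source}/16", strict=False)
    in8 = in16 = bad = 0
    for _ in range(n):
        ip = ipaddress.IPv4Address(local_biased_target(source, rng))
        in8 += ip in net8
        in16 += ip in net16
        bad += ip.is_loopback or ip.is_multicast
    return in8 / n, in16 / n, bad


if __name__ == "__main__":
    share8, share16, bad = characterize()
    print(f"/8: {share8:.3f}  /16: {share16:.3f}  loopback/multicast: {bad}")
```

Roughly 38% of probes land in the scanner's own /16 and close to 89% in its /8, so one infected host behind a firewall turns most of its scanning onto exactly the machines the perimeter was protecting, and, from the defender's side, a source whose targets cluster in its own prefixes this strongly is a usable fingerprint for this class of worm.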
Slide 14: Permutation Scanning
- What is permutation scanning
- The process of permutation scanning
Slide 15: The Effect of Permutation Scanning
- Semi-coordinated, comprehensive scan
- Minimizes duplication of effort
- Rescan (increases staying power)
- Partitioned permutation (a further optimization)
Slide 16: Performance Analysis of Permutation Scanning
- All cases were for 1,000,000 vulnerable hosts, 10,000-entry hitlist, 100 scans/worm/second, 1 second to complete infection. Graphs stop at 99% infection and do not include the time to process the hitlist.
Slide 17: Effects of Halt at 2, 4 and 8 on Permutation Scanning
- All cases were for 1,000,000 vulnerable hosts, 10,000-entry hitlist, 100 scans/worm/second, 1 second to complete infection. Graphs stop at 99% infection and do not include the time to process the hitlist.
Slide 18: Dormant Worms
- Permutation scan which halts at 2, 1,000,000 vulnerable hosts, 10,000-entry hitlist, 100 scans/worm/second. Graph stops at 99% infection and does not include the time to process the hitlist.
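Worked example added by the editor (it is not the paper's warhol.c, division.c or random.c, none of which is reproduced here): the permutation generator of slide 6, a keyed RC5 used as a bijection of the address space, driving a small tick-based spread simulator with the slide 8 parameters (vulnerable hosts, scans per tick, one tick to infect, hitlist size, random versus permutation scanning, halt at N). Assumptions of this example: the address space has 2^16 entries (RC5 with 8-bit words; w=16 gives the 32-bit block the slides mention), the RC5_PQ[8] pair is computed from the RC5 definition of P_w and Q_w, the key and the 1024/16/10 population, hitlist and rate values are arbitrary, a worm that reaches an already infected host jumps to a random new start point and halts after halt_after consecutive such hits (the count resets on each fresh infection), and partitioned permutation is not modelled.

```python
import random

# RC5 constants P_w, Q_w = Odd((e-2)*2^w), Odd((phi-1)*2^w) per word size w;
# the w=8 pair is computed from that definition for the toy 16-bit space below.
RC5_PQ = {8: (0xB7, 0x9F), 16: (0xB7E1, 0x9E37), 32: (0xB7E15163, 0x9E3779B9)}


class RC5Permutation:
    """RC5 with w-bit words and r rounds, used as a keyed bijection of the 2w-bit
    address space: encrypt(counter) -> address. w=16 is the 32-bit block the
    slides mention; w=8 gives a 16-bit space that a simulation can exhaust."""

    def __init__(self, key, w=16, rounds=6):
        self.w, self.r, self.mask = w, rounds, (1 << w) - 1
        p, q = RC5_PQ[w]
        u = w // 8                                   # bytes per word
        c = max(1, -(-len(key) // u))                # key words
        L = [0] * c
        for i in reversed(range(len(key))):          # little-endian key bytes -> words
            L[i // u] = ((L[i // u] << 8) | key[i]) & self.mask
        t = 2 * rounds + 2
        S = [(p + i * q) & self.mask for i in range(t)]
        A = B = i = j = 0
        for _ in range(3 * max(t, c)):               # standard RC5 key mixing
            A = S[i] = self._rotl(S[i] + A + B, 3)
            B = L[j] = self._rotl(L[j] + A + B, A + B)
            i, j = (i + 1) % t, (j + 1) % c
        self.S = S

    def _rotl(self, x, n):
        x, n = x & self.mask, n % self.w
        return ((x << n) | (x >> (self.w - n))) & self.mask

    def encrypt(self, block):
        A = ((block & self.mask) + self.S[0]) & self.mask
        B = ((block >> self.w) + self.S[1]) & self.mask
        for i in range(1, self.r + 1):
            A = (self._rotl(A ^ B, B) + self.S[2 * i]) & self.mask
            B = (self._rotl(B ^ A, A) + self.S[2 * i + 1]) & self.mask
        return (B << self.w) | A


def simulate(n_addr, vulnerable, hitlist_size, scans_per_tick, rng,
             perm_table=None, halt_after=None, target=0.99, max_ticks=5000):
    """Worst-case tick model: no patching or death rate, infection completes in
    one tick, hitlist hosts are infected at tick 0. perm_table=None is random
    scanning; otherwise each worm walks the permutation from a random counter,
    jumps to a new random counter on reaching an already infected host, and
    halts after halt_after consecutive such hits (None = never halt)."""
    targets = set(vulnerable)
    infected = set(rng.sample(sorted(targets), hitlist_size))
    active = [[rng.randrange(n_addr), 0] for _ in infected]     # [counter, hits]
    scans = ticks = 0
    goal = target * len(targets)
    while len(infected) < goal and active and ticks < max_ticks:
        ticks += 1
        newborn, survivors = [], []
        for worm in active:
            for _ in range(scans_per_tick):
                scans += 1
                if perm_table is None:
                    addr = rng.randrange(n_addr)
                else:
                    addr = perm_table[worm[0]]
                    worm[0] = (worm[0] + 1) % n_addr
                if addr not in targets:
                    continue
                if addr not in infected:
                    infected.add(addr)
                    newborn.append([rng.randrange(n_addr), 0])
                    worm[1] = 0                                  # fresh ground: reset
                elif perm_table is not None:
                    worm[0], worm[1] = rng.randrange(n_addr), worm[1] + 1
                    if halt_after is not None and worm[1] >= halt_after:
                        break                                    # worm goes dormant
            else:                                                # no break: still active
                survivors.append(worm)
        active = survivors + newborn
    return {"ticks": ticks, "scans": scans, "active": len(active),
            "fraction": len(infected) / len(targets)}


def compare(seed=1, w=8, n_targets=1024, hitlist=16, rate=10):
    """Random, permutation, and permutation-with-halt-at-2 worms on one
    population (same targets and hitlist); returns {name: simulate() result}."""
    n_addr = 1 << (2 * w)
    perm = RC5Permutation(b"worm key", w)
    table = [perm.encrypt(i) for i in range(n_addr)]
    vulnerable = random.Random(seed).sample(range(n_addr), n_targets)
    runs = {}
    for name, tbl, halt in (("random", None, None), ("permutation", table, None),
                            ("permutation_halt2", table, 2)):
        runs[name] = simulate(n_addr, vulnerable, hitlist, rate, random.Random(seed),
                              perm_table=tbl, halt_after=halt)
    return runs


if __name__ == "__main__":
    for name, res in compare().items():
        print(name, res)
```

Compare the three rows: the no-halt permutation run reaches the target fraction with every infected host still scanning, whereas the halt-at-2 run ends with far fewer active worms (the dormant worms of slide 18) and, in this simplified model, may go dormant before 99% is reached, which is what the rescan of slide 15 is for. As slide 26 says, there is no death rate or patch rate here, so every number is a worst case for the defender; the bijection of the RC5 table is what makes the scan comprehensive, which is why a block cipher rather than a hash is used to generate it.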
Slide 19: Multimode and Dual Mode Worms
- What are multimode worms
- Such as the Morris worm and Nimda
- How multimode worms interact with permutation scanning
- classic multimode worm
- dual mode worm
Slide 20: Performance of Multimode and Dual Mode Worms
- For all cases there is a 10,000-entry hitlist (for the common exploit) and permutation scanning (halt at 2). The dual mode worms run 100 scans/worm/second, with the multimode worm running 50 scans/second (but scanning for both holes).
Slide 21: Other Policies to Increase Staying Power
- Countering counterattacks
- antiworms
- countering antiworms
- Distributed control and update mechanisms
- Goner mail worm
- (Initial) degree of connectivity
Slide 22: Example of Initial Degree of Connectivity
- 1M vulnerable hosts
- Using permutation scanning (with no halting)
- Result:

  Case                              Degree of connectivity
  When 95% infection is achieved    4
  When 99% infection is achieved    5.5
  Permutation-based rescan          add 2 to each
Slide 23: Defense
- Software
- prevent the common hole from developing (such as buffer overflows)
- fine-grained access controls
- host-based intrusion detection
- Protocol
- isolating infected and compromised machines from the net
- tracking and punishing those responsible for the outbreak
Slide 24: Contribution
- Presents the hitlist concept
- Permutation scanning
Slide 25: Discussion
- Philosophy: keep secret or disclose
- Extreme example of a hitlist: Flash Worms: Thirty Seconds to Infect the Internet, by Stuart Staniford, Gary Grim, and Roelof Jonkman
- Other strategies: The Future of Internet Worms, by Jose Nazario
- Other factors: Code Red Worm Propagation Modeling and Analysis, by Changchun Zou
Slide 26: Function of Worm Spread
- No. of infected machines = f(no. of vulnerable machines, hitlist size, scan rate, time to infect a machine)
- No death rate or patch rate
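Added by the editor to make the dependence on these parameters concrete: the standard logistic (simple epidemic) model for random scanning, not a formula from the slides. N (vulnerable hosts), H (hitlist size), r (scans per worm per second), I(t) (infected hosts) and K are this editor's symbols.

```latex
\text{Random scanning over } 2^{32} \text{ addresses, } N \text{ vulnerable hosts, } H \text{ on the hitlist, } r \text{ scans/worm/second:}
\frac{dI}{dt} = r\, I(t)\, \frac{N - I(t)}{2^{32}}, \qquad I(0) = H
\Rightarrow\quad I(t) = \frac{N}{1 + \left(\frac{N}{H} - 1\right) e^{-Kt}}, \qquad K = \frac{rN}{2^{32}}
\text{Time to reach a fraction } p \text{ of the vulnerable hosts:}\quad t_p = \frac{1}{K}\,\ln\frac{p\,(N - H)}{(1 - p)\,H}
\text{Slide 16 parameters } (N = 10^6,\ H = 10^4,\ r = 100):\quad K \approx 0.0233\ \mathrm{s^{-1}},\quad t_{0.99} \approx \frac{\ln 9801}{0.0233} \approx 395\ \mathrm{s}
```

This omits the time to infect each host (the slides' 1 second) and the time to process the hitlist, and, as the slide says, has no death rate or patch rate; it also says nothing about permutation scanning or halting, whose effect the paper measures by simulation rather than in closed form.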
Slide 27: Effects of the Fraction of Vulnerable Machines
- All entries are for a hitlist of 10,000 machines, 100 scans/worm/second, permutation scanning (no halting). Graphs stop at 99% infection and do not include the time to process the hitlist.
Slide 28: Effects of the Scanning Speed
- All entries are for a hitlist of 10,000 machines, 1M vulnerable hosts, and permutation scanning (no halting). Graphs stop at 99% infection and do not include the time to process the hitlist.
Slide 29: More Information
- Refer to:
- http://www.research.ibm.com/antivirus/index.htm
- http://www.cs.berkeley.edu/nweaver/warhol.html
- http://www.cs.virginia.edu/survive/research/virus.html
- http://tennis.ecs.umass.edu/czou/research.htm