A Taxonomy of Computer Worms
Ashish Gupta, Network Security
April 2004
Worm vs. virus
1. Self propagates across the network
2. Exploits security or policy flaws in widely used services
3. Less mature defense today
OVERVIEW
• Attacker
• Target Discovery
• Carrier
• Activation
• Payload
Target Discovery
• Scanning: sequential, random
• Target lists: pre-generated, external (game servers), internal
• Passive
Target Discovery
• Internal target lists: discover the local communication topology; similar to the DV (distance-vector) algorithm; very fast??
• Function of shortest paths: any example? Difficult to detect
• Suggests highly distributed sensors
Toolkit potential
• http://smf.chat.ru/e_dvl_news.htm
• http://viruszone.by.ru/create.html
• http://lcamtuf.coredump.cx/worm.txt (worm tutorial)
Carrier
• Self-carried: active transmission
• Second channel: e.g. RPC, TFTP (Blaster worm)
• Embedded: e.g. web requests
Activation
• Human activation: social engineering, e.g. MyDoom ("SCO Killer")!
• Human activity-based activation: e.g. logging in, rebooting
• Scheduled process activation: e.g. updates, backups, etc.
• Self activation: e.g. Code Red
MyDoom: fastest ever
http://www.cnn.com/2004/TECH/internet/01/28/mydoom.spreadwed/
Payload
• Internet remote control
• Internet DoS: paper's dream realized
• Data damage: Chernobyl, Klez
• Physical world damage
• Human control: blackmail!
Attacker
• Curiosity
• Pride and Power
• Commercial Advantage
• Extortion and criminal gain
• Terrorism (example follows)
• Cyber Warfare
Theodore Kaczynski
• Born in Chicago
• Extremely gifted as a child
• American terrorist who attempted to fight against what he perceived as the evils of technological progress
• Eighteen-year-long campaign of sending mail bombs to various people, killing three and wounding 29
• The first mail bomb was sent in late 1978 to Prof. Buckley Crist at Northwestern University
CONCLUSION
• Attacker
• Target Discovery
• Carrier
• Activation
• Payload
???
• Given the target discovery/propagation methods of worms:
– how to detect it?
– with only network traffic header data?
– at the ISP? at edge routers? at end hosts?
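One concrete answer to the closing question, for the scanning class of target discovery listed earlier (sequential vs. random): a scanning worm has to touch many distinct destinations on one service port, and that fan-out is visible in flow headers alone. The detector below is an added example written for this page; it is not code from the slides or from the taxonomy paper. It assumes a constructed header-only flow record format ("timestamp src dst dport proto"), a fan-out threshold and window size that are tuning assumptions, and uses TCP/135 (the RPC port the Blaster slide alludes to) and documentation-range addresses purely as constructed sample data.

```python
"""Header-only worm scan detector (added example, not from the slides).

Input: flow records with only header fields, no payload:
    "<timestamp> <src> <dst> <dport> <proto>"
Output: (src, dport) pairs whose distinct-destination fan-out inside a
sliding time window crosses a threshold, labelled as a sequential or
random scan from the order in which destinations were contacted.
"""
from collections import defaultdict
from ipaddress import ip_address

FANOUT_THRESHOLD = 8   # distinct dsts per (src, dport) within a window (assumption)
WINDOW_SECONDS = 60    # sliding window length (assumption)
SEQUENTIAL_FRACTION = 0.8  # share of +1 address steps needed to call it sequential


def parse_flow(line):
    """Parse one constructed flow record into a dict of header fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto}


def classify_sequence(dsts):
    """Label the destination order as 'sequential' (mostly +1 steps) or 'random'."""
    ints = [int(ip_address(d)) for d in dsts]
    if len(ints) < 3:
        return "unknown"
    steps = [b - a for a, b in zip(ints, ints[1:])]
    seq_frac = sum(1 for s in steps if s == 1) / len(steps)
    return "sequential" if seq_frac >= SEQUENTIAL_FRACTION else "random"


def detect_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dport): {"distinct_dsts": n, "pattern": label}} for scanners."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f["ts"])
    by_key = defaultdict(list)          # (src, dport) -> [(ts, dst), ...] in time order
    for f in flows:
        by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))

    alerts = {}
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            window_dsts = [d for _, d in events[start:end + 1]]
            distinct = set(window_dsts)
            if len(distinct) >= threshold:
                ordered = list(dict.fromkeys(window_dsts))   # first-seen order
                alerts[key] = {"distinct_dsts": len(distinct),
                               "pattern": classify_sequence(ordered)}
                break   # one alert per (src, dport) is enough
    return alerts


def constructed_flows():
    """Constructed sample: one sequential scanner, one random scanner, one benign host."""
    lines = []
    # sequential scanner walking 192.168.1.1..10 on tcp/135, one flow per second
    for i in range(1, 11):
        lines.append(f"{i} 10.0.0.5 192.168.1.{i} 135 tcp")
    # random scanner spraying documentation-range addresses on tcp/80
    random_dsts = ["203.0.113.7", "198.51.100.42", "192.0.2.99", "203.0.113.200",
                   "198.51.100.3", "192.0.2.17", "203.0.113.55", "198.51.100.120",
                   "192.0.2.250"]
    for i, d in enumerate(random_dsts):
        lines.append(f"{i + 0.5} 10.0.0.7 {d} 80 tcp")
    # benign client: a few connections to two web servers, fan-out stays tiny
    lines += ["2 10.0.0.9 192.0.2.10 443 tcp",
              "3 10.0.0.9 192.0.2.11 443 tcp",
              "4 10.0.0.9 192.0.2.10 443 tcp"]
    return lines


if __name__ == "__main__":
    for (src, dport), info in sorted(detect_scanners(constructed_flows()).items()):
        print(f"{src} -> *:{dport}  {info['distinct_dsts']} distinct dsts  {info['pattern']} scan")
```

The same logic answers the "where" part of the question differently at each vantage point: at an end host the threshold can be very low (a workstation rarely opens a service port on eight fresh addresses a minute), at an edge router it must be raised to stay above legitimate fan-out such as mail relays and crawlers, and at the ISP it mostly catches only the random-scanning class, since sequential scans of a local prefix and internal-target-list worms stay inside the edge. The sequence classifier is also why the slides call target-list worms hard to detect: their destination order carries no address pattern, so only the fan-out count remains.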