
Worms – Code Red


Presentation Transcript


  1. Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

  2. Who gets Internet worms?
  • Big question: who gets Code Red? Big companies? Home users? Web servers? People who know they aren’t running IIS?
  • Host infection plots show some slight diurnal behavior ==> people turning off their “web servers”
  • Looking deeper shows extreme diurnal behavior, masked in simple plots (1/3 to 1/2 of machines turned on/off daily)

  3. What is the Code-Red worm?
  • Malicious program that connects to other machines and replicates itself
  • Exploits a vulnerability in Microsoft IIS
  • Days 1-19 of each month
    • displays ‘hacked by Chinese’ message on English language servers
    • tries to open connections to infect 100 other randomly chosen machines
  • Days 20-27
    • launches a denial-of-service attack on the IP address of www1.whitehouse.gov

  4. Code-Red Detection
  • Data collected from a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratories (LBL)
  • 1/256th of total address space monitored
  • Machines sending TCP SYN packets to port 80 of nonexistent hosts considered infected
  • Data spans 24-hour period from midnight UTC July 19th - midnight UTC July 20th

  5. Host Infection Rate
  • 359,104 hosts infected in 24 hour period
  • Between 11:00 and 16:00 UTC, the growth is exponential
  • 2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC)

  6. Host Infection Rate

  7. Exponential Infection Rate

  8. Infection Rate over Time

  9. Host Deactivation
  • Machines isolated, patched, and rebooted throughout the day
  • Host considered inactive after we observe no further unsolicited traffic
  • Because the Code-Red worm is programmed to stop infecting new hosts at midnight on the 20th of every month, the majority of hosts stopped probing in the last hour before midnight UTC on July 20th
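The detection rule of slide 4 (a source is counted as infected once it sends a TCP SYN to port 80 of an address in the unused, monitored range), the per-minute infection rate of slide 5, and the "no further unsolicited traffic" deactivation criterion of slide 9, carried out over constructed flow records. This is an added example, not code from the presentation or from the UCSD/LBL study; the 10.0.0.0/8 telescope range, the sample records and the one-hour quiet window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample. 10.0.0.0/8 stands in for the monitored dark /8 of slide 4.
# Each record is (UTC timestamp, source IP, destination IP, dst port, TCP flags).
TELESCOPE = ip_network("10.0.0.0/8")
SAMPLE = [
    ("2001-07-19T11:00:00", "192.0.2.10", "10.4.5.6", 80, "S"),
    ("2001-07-19T11:00:30", "192.0.2.10", "10.77.1.2", 80, "S"),
    ("2001-07-19T11:01:00", "192.0.2.44", "10.9.9.9", 80, "S"),
    ("2001-07-19T11:01:15", "198.51.100.7", "10.1.1.1", 22, "S"),  # not port 80: ignored
    ("2001-07-19T11:01:20", "198.51.100.8", "10.1.1.1", 80, "A"),  # not a SYN: ignored
    ("2001-07-19T11:02:00", "192.0.2.44", "10.200.0.1", 80, "S"),
    ("2001-07-19T12:30:00", "192.0.2.10", "10.3.3.3", 80, "S"),
]


def classify_infected(records, telescope=TELESCOPE):
    """Slide 4 rule: a source that sends a TCP SYN to port 80 of a nonexistent
    (telescope) host is considered infected. Returns {src: (first_seen, last_seen)}."""
    seen = {}
    for ts, src, dst, dport, flags in records:
        if dport != 80 or flags != "S" or ip_address(dst) not in telescope:
            continue
        t = datetime.fromisoformat(ts)
        first, last = seen.get(src, (t, t))
        seen[src] = (min(first, t), max(last, t))
    return seen


def infections_per_minute(seen):
    """Newly infected hosts per minute, keyed by the minute (ISO string) in which
    each host was first observed; this is the quantity plotted on slide 5."""
    counts = defaultdict(int)
    for first, _ in seen.values():
        counts[first.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def deactivated_by(seen, cutoff_iso, quiet=timedelta(hours=1)):
    """Slide 9 criterion: a host is inactive once no further unsolicited traffic
    is observed. The one-hour quiet window is an assumption of this example."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return sorted(src for src, (_, last) in seen.items() if cutoff - last >= quiet)
```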

  10. Host Deactivation

  11. Host Deactivation Rates over Time

  12. Host Characterization: Country
  • The following graph shows the top ten countries of origin for all infected hosts
  • Surprisingly, Korea is the second most prevalent country, behind countries with more advanced network infrastructure

  13. Host Characterization: Country of Origin

  14. Conclusions
  • 359,104 hosts infected in less than 14 hours
  • up to 2,000 hosts per minute infected
  • Collateral damage: routers, switches, printers, and DSL modems crashed, rebooted, or otherwise damaged
  • Unpatched, insecure machines put everyone at risk
  • Will we be prepared for the next major exploit?

  15. Patching Survey
  • Idea: randomly test a subset of previously infected IP addresses to see if they have been patched or are still vulnerable
  • 360,000 IP addresses in pool from initial July 19th infection
  • 10,000 chosen randomly each day and surveyed between 9am and 5pm PDT

  16. Patching Rate

  17. Host Infections

  18. Conclusions
  • 1/3 to 1/2 of hosts are coming and going on a daily cycle
  • DHCP effect can skew statistics, since the same host can have multiple IP addresses
  • Even with the “best” possible warning, the majority of IIS patching occurred after the start of the next round of Code Red
