
Jonghyun Kim

Code-Red: a case study on the spread and victims of an Internet worm. David Moore, Colleen Shannon, Jeffery Brown. Presented by Jonghyun Kim.





Presentation Transcript


  1. Code-Red: a case study on the spread and victims of an Internet worm
  David Moore, Colleen Shannon, Jeffery Brown
  Presented by Jonghyun Kim

  2. Contents
  • Introduction
  • Objectives
  • Background
  • Worm trace collection methodology
  • Analyzed results
  • Animation of Code-Red I v2
  • Summary and conclusion

  3. Introduction
  • Virus vs. Worm
   - Virus:
     1. does not try to break into machines
     2. spreads by the user's action
     3. attaches itself to another program
   - Worm:
     1. tries to break into machines using some vulnerability
     2. spreads on its own without user action
     3. exists as separate code in memory
  • Some worms
   - Morris, Nov 3, 1988
   - WANK, Oct 1989
   - Ramen, Jan 2001
   - Lion, Mar 2001
   - Code-Red, Jul 2001

  4. Objectives
  • Collect packet information generated by Code-Red (how is this information collected, and how is Code-Red identified in it?)
  • Analyze the spread of Code-Red
  • Trace the geographic locations and top-level domains in which Code-Red resides

  5. Background
  • The chronology of the Code-Red outbreak
   1. On Jun 18, 2001, eEye released information about a buffer-overflow vulnerability in Microsoft's IIS web servers.
   2. On Jun 26, 2001, Microsoft released a patch for the vulnerability.
   3. On Jul 12, 2001, Code-Red I v1 spread by exploiting the above vulnerability.
   4. On Jul 19, 2001, Code-Red I v2 spread.
   5. On Aug 4, 2001, Code-Red II spread.
  * Cost of recovering from Code-Red: 2.6 billion dollars

  6. Characteristics of Code-Red
  1. Code-Red I v1:
   - Uses a static seed, so it generates the same list of IP addresses on every infected host
   - Between the 1st and 19th of every month, it attempts to infect machines (infection phase)
   - Between the 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase)
   - Between the 29th and the last day of the month, it does nothing (dormant phase)
  * Scanning mechanism (figure, three animated slides in the original: every infected host probes the same fixed sequence of addresses, so newly infected hosts re-probe addresses already probed by earlier ones)
  Therefore, the spread is slow.

  9. 2. Code-Red I v2:
   - Identical to Code-Red I v1 except that it uses a random seed, so each infected host generates a different list of IP addresses
  * Scanning mechanism (figure: each infected host probes its own random sequence of addresses)
  Therefore, the spread is much faster than Code-Red I v1. Intuitively, the rate of infection will be exponential.

  10. 3. Code-Red II:
   - Sets up a backdoor (more dangerous than Code-Red I)
   - Becomes dormant for a day to avoid being discovered by the system administrator (slow infection mechanism)
   - After the machine is rebooted, it begins to spread
  * Scanning mechanism. Let's assume that the infected host's IP address is 10.9.8.7:

    Probe target                      Relative amount of probes
    X.X.X.X   (any address)           1/8
    10.X.X.X  (same /8, 10.0.0.0)     3/8
    10.9.X.X  (same /16, 10.9.0.0)    1/2

  Idea: hosts within the network of an infected host may run the same vulnerable software.

  11. Worm trace collection methodology
  • Three sources used to collect the worm packets
   - Passive network monitors within a /8 network and a /16 network
   - Backup data set from a filtering router
  • Worm identification
   If a host sends at least two TCP SYN packets on port 80 to two different hosts within the research network, the host is considered to be infected.
  (Figure: the research network, with a monitor on the /8 network, a filtering router, a monitor on the /16 network, and an infected host trying to probe hosts.)
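The identification rule above, applied to logged IP/TCP header data, as an added example (not code from the paper or the presentation). It assumes a placeholder research network of 10.0.0.0/8 and a constructed log format of "epoch_seconds src dst dport" per line; the minute bucketing mirrors the one-minute infection-rate plots in the later slides.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of logged TCP SYN headers: "epoch_seconds src dst dport".
# The research network is assumed to be 10.0.0.0/8 (a placeholder, not CAIDA's).
SAMPLE_SYNS = """\
995612000 192.0.2.10 10.1.2.3 80
995612001 192.0.2.10 10.1.2.3 80
995612005 198.51.100.7 10.4.5.6 80
995612007 198.51.100.7 10.9.8.7 80
995612070 203.0.113.9 10.4.5.6 80
995612071 203.0.113.9 10.9.8.7 80
995612072 203.0.113.9 10.2.2.2 443
995612080 192.0.2.50 10.8.8.8 25
""".splitlines()

def parse(lines):
    """Yield (time, src, dst, dport) tuples from the space-separated log lines."""
    for line in lines:
        t, src, dst, dport = line.split()
        yield int(t), src, dst, int(dport)

def infected_hosts(records, research_net="10.0.0.0/8"):
    """Apply the paper's rule: a source counts as infected once it has sent
    TCP SYNs on port 80 to at least two distinct hosts inside the research
    network. Returns {src: time at which the second distinct target was seen}.
    Repeated SYNs to the same target (retransmissions) do not qualify."""
    net = ipaddress.ip_network(research_net)
    targets = defaultdict(dict)  # src -> {dst: first time seen}
    detected = {}
    for t, src, dst, dport in sorted(records):
        if dport != 80 or ipaddress.ip_address(dst) not in net:
            continue  # only port-80 probes into the monitored space count
        targets[src].setdefault(dst, t)
        if src not in detected and len(targets[src]) >= 2:
            detected[src] = t
    return detected

def infection_rate_per_minute(detected):
    """Bucket detection times into one-minute bins (the infection-rate plot).
    Caveat from the paper: DHCP churn inflates and NAT deflates per-IP counts."""
    rate = defaultdict(int)
    for t in detected.values():
        rate[t // 60 * 60] += 1
    return dict(sorted(rate.items()))
```

In the sample, 192.0.2.10 is not flagged because both of its SYNs go to the same target, and 203.0.113.9's port-443 SYN is ignored, so only two sources are counted as infected.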

  12. Analyzed results
  • Outbreak of Code-Red I v1
  (Figure: normal activity of TCP SYN packets on port 80 versus hosts infected by Code-Red I v1.)
   - Each infected host probed the same set of 23 IP addresses in the research network, because Code-Red I v1 used a static seed

  13. Outbreak of Code-Red I v2 (infection rate)
  (Figure: cumulative total of unique IP addresses, and one-minute infection rates.)
   - Detected unique IP addresses ≈ 359,000
   - Peak infection rate ≈ 2000 hosts/minute

  14. Outbreak of Code-Red I v2 (deactivation rate)
  (Figure: cumulative total of deactivated hosts, and one-minute deactivation rate, with the infection phase and attack phase marked.)
   - Some infected hosts were patched
   - The authors' methodology for identifying worms was not able to distinguish hosts infected with Code-Red II from those infected with Code-Red I v2, because the scanning mechanisms used by Code-Red I v2 and Code-Red II are similar (both use a random seed)

  15. Geographic location of Code-Red I v2
  They made this table using the IxMapping service, which finds the location of a host based on its IP address.

  16. Top-level domains in which Code-Red I v2 resides
  They made this table using the NetSizer service.

  17. Top 10 domains (ISPs) in which Code-Red I v2 resides
  It shows that machines operated by home users and small businesses make up the majority of infected hosts.

  18. Animation of Code-Red I v2 (animation not reproduced in this transcript)

  19. Summary and Conclusion
  • This paper shows how to extract useful information from logged IP header data alone (traffic analysis)
  • DHCP inflates the number of infected hosts as measured by IP addresses, whereas NAT deflates the number of compromised IP addresses. Both factors should be considered when estimating the spread of Internet worms
  • From the worm's viewpoint, the scanning mechanism is the key to spreading fast; from the defense viewpoint, an ISP-level solution is needed to mitigate Internet worms

  20. (Figure: an autonomous system containing a monitor, a router, a worm scanner, an infected host and a network segment; labels read "Messages are protected", "Worm packets" and "Hardware compiler".)
