Malware 2: Worms


Friday, December 5, 2008
Sources: see final slide
CS342 Computer Security, Department of Computer Science, Wellesley College

Worms vs. Viruses
o Both are self-replicating programs
o Worms are (usually) self-contained; viruses attach to a host program
o Worms are (usually) self-activating; viruses require human intervention to spread
o Worms spread via networks; viruses can, too, but can also spread via other means
o Worms offer a scale of propagation (in terms of speed, number of hosts infected, potential for damage) not easily achieved by other mechanisms. They are the tool of choice for recruiting "zombie" computers.
o One copy of a worm is called a segment or node

Trends and pertinence
o Viruses/worms: in 12 years, propagation speed and estimated damages have increased by five and two orders of magnitude, respectively
o Damages will get worse and outages more severe as more and more facets of our lives/society are digitally enmeshed

Worm Components (figure after Skoudis, p. 79)
o Warhead: the exploit used to get "in" to the target, e.g. buffer overflow, password guessing/cracking, misconfiguration exploits, etc.
o Propagation engine: pulls the rest of the worm code into the target via FTP, HTTP, etc. (sometimes the whole worm is already contained in the warhead)
o Target selection: picks new target addresses using different selection techniques
o Scanning engine: scans the selected targets and infects the vulnerable ones
o Payload: the impact of the worm; implements some specific action on behalf of the attacker on the target: install a backdoor or DDoS agent, steal info, use computrons and storage, etc.
o Other components in some worms:
  o Intelligence to locate other worm segments
  o Communication with other worm segments
  o Control of other worm segments

Worms: Scanning
o Goal: find new targets to attack
o Common techniques:
  o Statistical: scan 'random' IP addresses
  o Topological: use information found on infected hosts, e.g. address book, .rhosts file, network neighborhood, ...
  o Avoid double infections!

Worm History
Name              Date       Notes
Creeper           1971       Program designed to move across a network of air traffic control systems
Xerox PARC worms  1982       Shoch & Hupp distributed computation experiments
Morris Worm       Nov. 1988  Disabled the early Internet by infecting Unix hosts
Melissa           Mar. 1999  MS Word macro virus spread via Outlook email
Love Bug          May 2000   VBScript worm spread via Outlook email
Ramen             Jan. 2001  Linux worm exploiting 3 buffer overflows
Code Red          Jul. 2001  Infected 250K Windows IIS servers in 9 hours with the goal of a packet flood against whitehouse.gov
Nimda             Sep. 2001  Multi-exploit worm with 12 spreading mechanisms
Klez              Jan. 2002  Mildly polymorphic; tried to disable antivirus
Slapper           Sep. 2002  Spread via an OpenSSL flaw in Apache; built a massive DDoS peer-to-peer network
SQL Slammer       Jan. 2003  Small worm spreading in a matter of minutes via a flaw in MS SQL Server

Morris (or Cornell or Unix) Worm (1988)
o Robert Tappan Morris, Jr.
o 23 years old, Cornell grad student, father worked at the NSA
o He asked himself: "I wonder how large the Internet is?"
o Wrote a self-propagating program as a "test concept"
o Exploited Unix vulnerabilities in sendmail and fingerd
o Released at MIT
o A bug in the worm caused it to go haywire; it was not planned to wreak havoc
o The first worm that propagated using the Internet
o The Internet was designed with functionality in mind!
o Following details from the Eichin/Rochlis paper "With Microscope and Tweezers"

How it entered (multiple means)
o sendmail in debug mode (as released in SunOS) allowed connections to spawn a shell
o fingerd (VAX systems) buffer overflow to spawn a shell
o In the shell, compiled & executed a C program that downloaded the rest of the worm
o r-services (no-password access to other machines):
  o rexec
  o rsh

Who it attacked
o Accounts with obvious passwords:
  o none at all
  o the user name (once, and appended to itself)
  o the "nickname"
  o last name (both spelled forwards and backwards)
  o passwords from a 432-word dictionary carried in the worm
  o the words from /usr/dict/words used as passwords
o Trusted accounts through .rhosts

Systems affected
o SUN and VAX
o Gained hostnames and account names through:
  o /etc/hosts.equiv
  o /.rhosts
  o .forward
  o .rhosts
  o routing tables
  o serial point-to-point links
  o randomly guessed first-hop addresses

Covering Tracks
o Erased its argument list so nobody could tell how it was invoked
o Deleted its binary after use
o Used resource limit functions to prevent a core dump
o Named itself "sh" to avoid suspicion
o Refreshed itself by forking about every 3 minutes
o Constant strings obscured by XORing

Example modern worm: Code Red (2001)
o Worm probed random IP addresses and infected Microsoft Internet Information Services (IIS) web servers through a buffer overflow vulnerability
o Defaced English-language websites hosted on the server with the message "Welcome to http://www.worm.com! Hacked by Chinese!"
o On July 19 over 359,000 hosts were infected in a 13-hour period
  o over 2,000 hosts infected per minute at peak
  o at 5:00 pm PDT the worm attempted a DoS attack against 198.137.240.91 (www.whitehouse.gov)
  o For details, see Moore & Shannon, http://www.caida.org/research/security/code-red/coderedv2_analysis.xml
o Estimated 975,000 servers infected by end of August with losses of $2.4 billion (Computer Economics)
o Shut down Japan Airlines computers, affecting ticketing & check-in and delaying 55 flights and 15,000 passengers 1-2 hours

Spread of Code Red Worm
[Map: July 19 01:05:00 2001]
[Map: 19 hours later, July 19 20:15:00 2001]

Vulnerabilities spawn Exploits
o Vulnerability: a weakness in hardware, an operating system or a software application, usually a feature that can be misused to compromise a system
o Exploit: a method used to take advantage of a vulnerability
o Example: Code Red
  o June 18, 2001: eEye Digital Security discloses a vulnerability in the Microsoft IIS web server
  o June 18, 2001: Microsoft issues alert and patch
  o June 19, 2001: CERT Advisory CA-2001-13, Buffer Overflow In IIS
  o July 12, 2001: Code Red v.1 is released
  o July 19, 2001: Code Red v.2 is released
  o August 4, 2001: Code Red II is released
  o Sept. 18, 2001: Nimda is released

Vulnerability and exploit portals
o MITRE's CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org
o Network Security News: http://www.security-update.com, updated every hour from a variety of sources
o Vendors' sites sometimes have very good vulnerability info

Code Red: Scanning technique
[Figure: distinct remote hosts attacking LBNL vs. days since Sept. 20, 2001]
o Code Red I: 99 threads scan for vulnerable IIS installations, using a random number generator
o The worm deactivated itself after a few days, but was designed to reactivate every month

Code Red: Analytical model
o Simplifying assumptions:
  o No patching
  o No firewalls
  o No churn
o Infection rate is proportional to
  o # hosts already infected
  o # hosts not infected, but susceptible
o Result: the logistic equation, well known for epidemics in finite systems
  da/dt = K a (1 - a)
  a(t) = e^{K(t-T)} / (1 + e^{K(t-T)})
  where a is the infected fraction, K the initial compromise rate and T the time that fixes when the incident happens (a(T) = 1/2); the curve grows exponentially at first and then saturates as a -> 1

Improvements: Localized scanning
o Observation: the density of vulnerable hosts in IP address space is not uniform
o Idea: bias scanning towards the local network
o Used in Code Red II
  o P=0.50: choose an address from the local class-A network (/8)
  o P=0.38 (3/8): choose an address from the local class-B network (/16)
  o P=0.12 (1/8): choose a random address
o Allows the worm to spread more quickly

Improvements: Multi-vector
o Idea: use multiple propagation methods simultaneously
o Example: Morris worm
  o fingerd attack
  o sendmail DEBUG command
  o rhosts files
  o Password cracking
o Example: Nimda
  o IIS vulnerability (both server and client!)
  o Auto-executing code in Outlook email
  o Windows file sharing
  o Code Red II backdoor
[Figure: onset of Nimda; HTTP connections/second seen at LBNL (only confirmed Nimda attacks) vs. time (PDT), 18 September 2001; full onset within about 1/2 hour]

Improvements: Hit-list scanning
o Problem: spread is slow during the initial phase
o Idea: collect a list of promising targets before the worm is released
  o Low-profile 'stealthy' scan
  o Distributed scan
  o Spider/crawler
  o Surveys or databases
  o Attacks from other worms
o Low overhead, since the list shrinks quickly (each infected host hands part of its remaining list to the new victim)

Improvements: Permutation scanning
[Figure: hosts H0..H4 scanning along a shared permutation, with H1 restarting at a random point]
o Problem: many addresses are scanned multiple times
o Idea: generate a random permutation of all IP addresses and scan in that order
o Hit-list hosts start at their own position in the permutation
o When an already-infected host is found, restart at a random point
o Can be combined with a divide-and-conquer approach

Flash worms
o A flash worm would start with a hit list that contains most/all vulnerable hosts
o Realistic scenario:
  o A complete scan takes 2h with an OC-12
  o Internet warfare?
o Problem: size of the hit list
  o 9 million hosts: 36 MB
  o Compression works: 7.5 MB
  o Sending 7.5 MB over a 256 kbps DSL link takes about 4 minutes (7.5 MB x 8 / 256 kbps), not 3 seconds; in practice the list is partitioned so each child receives only its share
o Extremely fast: full infection in tens of seconds!

Warhol worms
"In the future, everyone will have 15 minutes of fame" -- Andy Warhol
o A worm using both hit-list and permutation scanning could infect most vulnerable targets in <1 hour
o Simulation: compare
  o 10 scans/second (Code Red)
  o 100 scans/second
  o 100
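Derivation of the closed form on the "Analytical model" slide, carried through with the slide's own symbols ($a$ the infected fraction, $K$ the initial compromise rate, $T$ the time that fixes when the incident happens). This is an added worked step, not part of the original deck.

$$\frac{da}{dt} = K\,a\,(1-a)$$

Separate variables and split the left side by partial fractions:

$$\frac{da}{a(1-a)} = \left(\frac{1}{a} + \frac{1}{1-a}\right)da = K\,dt$$

Integrate both sides, writing the constant of integration as $-KT$:

$$\ln\frac{a}{1-a} = K(t-T) \quad\Longrightarrow\quad a(t) = \frac{e^{K(t-T)}}{1+e^{K(t-T)}}$$

Checks against the slide: $a(T) = 1/2$, so $T$ is the half-infection time; for $t \ll T$, $a \approx e^{K(t-T)}$, the exponential early phase at rate $K$; for $t \gg T$, $a \to 1$, the saturation marked on the slide. For a worm that sends $r$ uniformly random probes per unit time against a population of $N$ vulnerable hosts, each probe lands on an uninfected vulnerable host with probability $(1-a)\,N/2^{32}$, so the per-host compromise rate is $K = rN/2^{32}$; this is what ties the slide's "initial compromise rate" to the scan rate on the "Scanning technique" slide.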
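A toy simulator of the four target-selection strategies on the slides (random, localized, hit-list and permutation scanning), with a check of the random-scan run against the logistic model. This is an added example, not code from the deck or from any real worm: the 14-bit address space, the vulnerable population, the scan rate and the "tick" are all constructed so it runs offline and deterministically for a given seed, and the "class A"/"class B" blocks are the slide's /8 and /16 scaled down to that space. It serves the "Analytical model", "Localized scanning", "Hit-list scanning" and "Permutation scanning" slides.

```python
"""Toy worm-propagation simulator for the target-selection strategies on the
CS342 slides.  Added example, not code from the deck.  Everything is
constructed: a 2^14-address space stands in for IPv4, vulnerable hosts are
placed by a seeded RNG, and one "tick" is the interval in which each infected
host sends SCANS_PER_TICK probes.  Nothing touches a real network."""
import math
import random

SPACE_BITS = 14
SPACE = 1 << SPACE_BITS        # 16,384 toy addresses
N_VULN = 512                   # vulnerable population
SCANS_PER_TICK = 2             # probes per infected host per tick
# IPv4 /8 and /16 fix 8 and 16 of 32 bits; scaled to 14 bits: 4 and 8 bits.
A_SHIFT = SPACE_BITS - 4       # "class A" analogue: shared top 4 bits
B_SHIFT = SPACE_BITS - 8       # "class B" analogue: shared top 8 bits
# Shared pseudorandom permutation x -> (a*x + b) mod 2^14 (permutation slide);
# an odd multiplier makes it a bijection, so each address is visited once.
PERM_A, PERM_B = 12345, 6789
PERM_A_INV = pow(PERM_A, -1, SPACE)

def perm(i):
    return (PERM_A * i + PERM_B) % SPACE

def perm_index(addr):
    """Position of addr in the permutation, so a host can start at itself."""
    return ((addr - PERM_B) * PERM_A_INV) % SPACE

def logistic(t, K, T):
    """Closed form of da/dt = K a (1 - a) from the 'Analytical model' slide."""
    return math.exp(K * (t - T)) / (1.0 + math.exp(K * (t - T)))

def make_population(rng):
    """Non-uniform vulnerable set (localized-scanning slide): 3/4 of the hosts
    crowd into four 'class A' blocks, the remaining quarter is uniform."""
    dense = [rng.randrange(1 << 4) << A_SHIFT for _ in range(4)]
    vuln = set()
    while len(vuln) < N_VULN * 3 // 4:
        vuln.add(rng.choice(dense) | rng.randrange(1 << A_SHIFT))
    while len(vuln) < N_VULN:
        vuln.add(rng.randrange(SPACE))
    return vuln

def random_target(src, rng, cursor):          # Code Red I
    return rng.randrange(SPACE)

def localized_target(src, rng, cursor):       # Code Red II: 1/2, 3/8, 1/8
    r = rng.random()
    if r < 0.5:
        return ((src >> A_SHIFT) << A_SHIFT) | rng.randrange(1 << A_SHIFT)
    if r < 0.875:
        return ((src >> B_SHIFT) << B_SHIFT) | rng.randrange(1 << B_SHIFT)
    return rng.randrange(SPACE)

def permutation_target(src, rng, cursor):     # walk the shared permutation
    i = cursor[src]
    cursor[src] = (i + 1) % SPACE
    return perm(i)

def simulate(strategy, vuln, seeds, rng, max_ticks=1000):
    """Returns the infected count after each tick.  `seeds` is the hit list (a
    single host for a plain release).  Infected hosts are never re-infected
    ('avoid double infections'); a permutation scanner that lands on one
    restarts at a random point, as on the slide."""
    infected = set(seeds)
    cursor = {h: (perm_index(h) + 1) % SPACE for h in infected}
    history = [len(infected)]
    for _ in range(max_ticks):
        newly = set()
        for src in list(infected):
            for _ in range(SCANS_PER_TICK):
                dst = strategy(src, rng, cursor)
                if dst in infected or dst in newly:
                    if strategy is permutation_target:
                        cursor[src] = rng.randrange(SPACE)
                elif dst in vuln:
                    newly.add(dst)
                    cursor[dst] = (perm_index(dst) + 1) % SPACE
        infected |= newly
        history.append(len(infected))
        if len(infected) == len(vuln):
            break
    return history

def ticks_to_fraction(history, frac):
    """First tick at which at least `frac` of the population is infected."""
    for t, n in enumerate(history):
        if n >= frac * N_VULN:
            return t
    return None

def rcs_check(history):
    """Compares a random-scan run with the slide's logistic curve.  K is the
    compromise rate of one infected host (scans/tick * N / space), T the tick
    at which half the population is infected; the curve predicts a = 0.9
    ln(9)/K ticks later.  Returns (simulated fraction, predicted fraction)."""
    K = SCANS_PER_TICK * N_VULN / SPACE
    T = ticks_to_fraction(history, 0.5)
    t = T + round(math.log(9) / K)
    return history[min(t, len(history) - 1)] / N_VULN, logistic(t, K, T)

def compare_strategies(seed=1):
    """Runs every strategy against the same population and RNG seed; returns
    ({strategy: ticks to 90% infected}, {strategy: history})."""
    rng = random.Random(seed)
    vuln = make_population(rng)
    single = [min(vuln)]
    hit_list = rng.sample(sorted(vuln), 32)
    runs = {
        "random": simulate(random_target, vuln, single, random.Random(seed)),
        "localized": simulate(localized_target, vuln, single, random.Random(seed)),
        "permutation": simulate(permutation_target, vuln, single, random.Random(seed)),
        "hit-list": simulate(random_target, vuln, hit_list, random.Random(seed)),
    }
    return {k: ticks_to_fraction(h, 0.9) for k, h in runs.items()}, runs

if __name__ == "__main__":
    to_90, runs = compare_strategies()
    for name, t in to_90.items():
        print(f"{name:12s} 90% infected after {t} ticks")
    print("random scan vs logistic at T+ln(9)/K: sim=%.3f pred=%.3f" % rcs_check(runs["random"]))
```

Running it prints the tick at which each strategy has infected 90% of the population, plus the simulated and predicted infected fraction ln(9)/K ticks after the half-infection point. The 32-host hit list reaches 90% far earlier than the single-seed random run, which is the "slow initial phase" of the hit-list slide made visible; the random-scan curve should track the logistic closely because the model's assumptions (no patching, no churn, uniform random probes) hold exactly in the toy, and any strategy's advantage shows up as a shorter time to 90%, not as a different final count.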