Dec 4, 2013

Code-Red: a case study on the spread and victims of an Internet worm



David Moore, Colleen Shannon, Jeffery Brown

Jonghyun Kim

Contents

- Introduction
- Objectives
- Background
- Worm trace collection methodology
- Analyzed results
- Animation of Code-Red I v2
- Summary and conclusion

Introduction

Virus vs. Worm

- Viruses:
  1. do not try to break into machines
  2. spread by the user's action
  3. attach themselves onto other programs

- Worms:
  1. try to break into machines using some vulnerability
  2. spread on their own without user action
  3. exist as separate code in memory

Some Worms

- Morris in Nov 3, 1988
- WANK in Oct, 1989
- Ramen in Jan, 2001
- Lion in Mar, 2001
- Code-Red in Jul, 2001

Objectives

- Collect packet information generated by Code-Red (How to collect this information and identify Code-Red?)
- Analyze the spread of Code-Red
- Trace the geographic location and top-level domains in which Code-Red resides.

Background

The chronology of the Code-Red outbreak

1. On Jun 18, 2001, eEye released information about a buffer overflow vulnerability in Microsoft's IIS web servers.
2. On Jun 26, 2001, Microsoft released a patch for the vulnerability.
3. On Jul 12, 2001, Code-Red I v1 spread by exploiting the above vulnerability.
4. On Jul 19, 2001, Code-Red I v2 spread.
5. On Aug 4, 2001, Code-Red II spread.

* Cost of recovering from Code-Red: 2.6 billion dollars


Characteristics of Code-Red

1. Code-Red I v1:

- Uses a static seed, so it generated the same list of IP addresses
- Between the 1st and 19th of every month, it attempts to infect machines. (Infection phase)
- Between the 20th and 28th, it stops infecting machines and does a DoS attack against www1.whitehouse.gov (attack phase)
- Between the 29th and the last day, it does nothing. (dormant phase)

* scanning mechanism (diagram)


Therefore, the spread is slow


2. Code-Red I v2:

- Identical to Code-Red I v1 except that it uses a random seed, so it generates a different list of IP addresses

* scanning mechanism (diagram)

Therefore, the spread is much faster than Code-Red I v1.
Intuitively, the rate of infection will be exponential.


3. Code-Red II:

- sets up a backdoor (more dangerous than Code-Red I)
- becomes dormant for a day to avoid being discovered by the system administrator (slow infection mechanism)
- after rebooting the machine, it begins to spread

* scanning mechanism

Let's assume that the infected host IP address is 10.9.8.7. Relative amount of probes (diagram):

- 10.9.X.X (same /16 as the infected host): 3/8
- 10.X.X.X (same /8 as the infected host): 1/2
- X.X.X.X (random): 1/8

Idea: Hosts within the network of an infected host may run the same vulnerable software.

Worm trace collection methodology

Three sources used to collect the worm packets:

- Passive network monitors within a /8 network and a /16 network
- Backup data set from a filtering router

Worm identification

If a host sends at least two TCP SYN packets on port 80 to two different hosts within the research network, the host is considered to be infected.

(diagram: the research network behind a filtering router, with monitors on the /8 network and the /16 network, and an infected host trying to probe hosts)
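The identification rule above, written out as an added example that is not code from the paper or the slides: it is applied to constructed SYN records, with 10.0.0.0/8 assumed as a stand-in for the research network, and then turned into the one-minute infection counts and cumulative totals that the outbreak plots show.

```python
# Added example, not code from the paper or the slides: the worm-identification rule
# from the slide applied to constructed SYN records. A source counts as infected once
# it has sent TCP SYNs on port 80 to at least two distinct hosts in the research net.
from collections import defaultdict
from ipaddress import ip_address, ip_network

RESEARCH_NET = ip_network("10.0.0.0/8")  # assumption: stands in for the monitored /8

# Constructed records: (unix_time, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_SYNS = [
    (1000, "192.0.2.10", "10.1.2.3", 80, "S"),     # first probe
    (1010, "192.0.2.10", "10.1.2.3", 80, "S"),     # retransmit to same dst: not enough
    (1020, "192.0.2.10", "10.7.7.7", 80, "S"),     # second distinct dst -> flagged at 1020
    (1030, "198.51.100.5", "10.2.2.2", 80, "S"),
    (1035, "198.51.100.5", "10.2.2.2", 443, "S"),  # not port 80, ignored
    (1090, "198.51.100.5", "10.9.9.9", 80, "S"),   # flagged at 1090 (minute 1)
    (1100, "203.0.113.9", "10.3.3.3", 80, "S"),    # one destination only: normal traffic
    (1100, "203.0.113.9", "10.3.3.3", 80, "A"),    # not a SYN
    (1150, "203.0.113.9", "172.16.0.1", 80, "S"),  # outside the research net, ignored
]

def infection_times(records, research_net=RESEARCH_NET):
    """Map each flagged source to the time its second distinct in-network
    port-80 destination was seen (used here as the detection time)."""
    seen = defaultdict(set)
    flagged = {}
    for ts, src, dst, dport, flags in sorted(records):
        if dport != 80 or flags != "S" or ip_address(dst) not in research_net:
            continue
        seen[src].add(dst)
        if len(seen[src]) >= 2 and src not in flagged:
            flagged[src] = ts
    return flagged

def per_minute_rates(flagged, t0):
    """One-minute infection counts and cumulative totals, the two curves
    plotted for the Code-Red I v2 outbreak."""
    counts = defaultdict(int)
    for ts in flagged.values():
        counts[(ts - t0) // 60] += 1
    cumulative, total = {}, 0
    for minute in range(max(counts, default=-1) + 1):
        total += counts[minute]
        cumulative[minute] = total
    return dict(counts), cumulative

if __name__ == "__main__":
    hosts = infection_times(SAMPLE_SYNS)
    print(hosts, *per_minute_rates(hosts, t0=1000))
```

Counting by source address inherits the DHCP and NAT biases noted in the conclusion: one machine behind changing leases is counted more than once, and many machines behind one NAT are counted once.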

Analyzed results

Outbreak of Code-Red I v1

- Each infected host probed the same set of 23 IP addresses in the research network because Code-Red I v1 used a static seed

(figure: normal activity of TCP SYN packets on port 80 versus hosts infected by Code-Red I v1)


Outbreak of Code-Red I v2 (infection rate)

(figure: cumulative total of unique IP addresses; one-minute infection rates)

Detected unique IP addresses ≈ 359,000

Peak infection rate ≈ 2000 hosts/minute


Outbreak of Code-Red I v2 (deactivation rate)

(figure: infection phase and attack phase; cumulative total of deactivated hosts; one-minute deactivation rate; some infected hosts were patched)

The authors' methodology for identifying worms was not able to distinguish hosts infected with Code-Red II from those infected with Code-Red I v2, because the two scanning mechanisms used by Code-Red I v2 and Code-Red II are somewhat similar (i.e., both use a random seed).


Geographic location of Code-Red I v2

They made this table by using the IxMapping service, which is useful to find the location of a certain host based on its IP address.

Top-level domains in which Code-Red I v2 resides

They made this table by using the NetSizer service.

Top 10 domains (ISPs) in which Code-Red I v2 resides

It shows that machines operated by home users and small businesses are the majority of infected hosts.

Animation of Code-Red I v2

Summary and Conclusion

- This paper shows how to extract various useful information from only logged IP header data (traffic analysis).
- DHCP inflates the number of infected hosts as measured by IP addresses, whereas NAT deflates the number of compromised IP addresses. We should consider those two factors in estimating the spread of Internet worms.
- From the worm viewpoint, the scanning mechanism is the key to spreading fast, while from the defense viewpoint, an ISP-level solution should be achieved to mitigate Internet worms.



(diagram legend: monitor, router, infected host, autonomous system, network segment, worm scanner, worm packets)