Worms Taxonomy and Detection.ppt

Worms: Taxonomy and Detection Mark Shaneck 2/6/2004 Outline Introduction Worm Classification Spreading Media Target Acquisition Polymorphic Worms Detection / Prevention Conclusion Introduction Common and costly So far, mostly benign… Need to react within seconds - too quickly for a human Spreading Media Traditional Email Windows File Sharing Hybrid Traditional Self-propagate through network Exploit some vulnerability to automatically execute worm payload Most common - buffer overflow Least common in existence Largest potential danger Spreads fastest Main subject of detection and containment research Email Spreads through email Relies on humans or poor application design Most are executable attachments Nimda executed automatically when previewed Most common form of worm Very hard to detect, but they spread slowly Windows File Sharing Spreads through windows file shares Worms don’t generally spread this way solely Very hard to penetrate a network perimeter this way Usually use other methods to penetrate network and then this method to spread within the network Hybrid Worms Combination of methods Example: Nimda Spread through email Copied itself to open network shares (was executed if someone viewed it in Windows Explorer) Traditional methods Used subnet scanning to look for open Code Red II and Sadmind backdoors Exploited multiple IIS Directory Traversal vulnerabilities Modified web pages to cause clients to download and execute the worm payload Hybrid Worms Detection difficulties Propagation pattern is difficult to predict since humans are involved If one method is blocked it might find another way in… Target Acquisition Random Scanning Subnet Scanning Routing Worm Pre-generated Hit List Topological Stealth / Passive Random Scanning 32 bit number is randomly generated and used as the IP address Slammer and Code Red I Hits black IP space frequently Only 28.6% of IP space is allocated Subnet Scanning Generate last 1, 2, or 3 bytes of IP address randomly Code Red II and