Background Paper Presentation .ppt

A Study of Mass-mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Mass-Mailing Worms Background Morris, Code Red, and Slammer Analysis of SoBig and MyDoom worms Anomalies TCP IP addresses DNS Traffic In General Discussion and Conclusions Protection Worms – What are they? “A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.” - Wikipedia The Morris Worm The first internet worm, written by Robert T. Morris, Jr., a first-year Computer Science Student at Cornell University. Infected roughly six thousand machines nationwide in November of 1988. Performance of victim machines drastically reduced because of propagation attempts. Scanning Worms Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit it carries. Code Red, 2001 359,000 computers infected within 14 hours. IIS exploit – spread through web scanning. Slammer Worm, 2002 75,000 hosts – number doubled every 8.5 seconds. UDP packet crafted against SQL Server. Zero Day Exploits Mass-mailing Worms Sends itself via email. Usually infects with email attachments. Harvests email addresses from address book, web cache, and hard disk. unlike viruses No need to acquire new targets. Tricks users into running malicious code on their own machines. Some worms use their own SMTP engine. Analysis The SoBig and MyDoom mass-mailing worms Real network trace data, collected from the edge router of CMU’s Electrical and Computer Engineering Department Two Week Periods Aug. – Sept. 2003 and Jan. – Feb. 2004 Infected or chatty? Heuristics of suspicion Outgoing SMTP connections on a controlled network not going to an authorized mail se