A Study of Mass-mailing Worms
By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004
Presented by Allen Stone

Upload: marianna-webb

Post on 23-Dec-2015


TRANSCRIPT

Page 1: A Study of Mass-mailing Worms. By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004. Presented by Allen Stone

A Study of Mass-mailing Worms
By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004

Presented by Allen Stone

Page 2

Mass-Mailing Worms

Background (Morris, Code Red, and Slammer)
Analysis of SoBig and MyDoom worms
Anomalies
  TCP
  IP addresses
  DNS
  Traffic In General
Discussion and Conclusions
Protection

Page 3

Worms – What are they?

“A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.” - Wikipedia (wikipedia.org)

Page 4

The Morris Worm

The first internet worm, written by Robert T. Morris, Jr., a first-year Computer Science student at Cornell University.

Infected roughly six thousand machines nationwide in November of 1988.

Performance of victim machines drastically reduced because of propagation attempts.

Page 5

Scanning Worms

Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit they carry.

Code Red, 2001
  359,000 computers infected within 14 hours.
  IIS exploit – spread through web scanning.

Slammer Worm, 2002
  75,000 hosts – number doubled every 8.5 seconds.
  UDP packet crafted against SQL Server.

Zero Day Exploits

Page 6

Mass-mailing Worms

Sends itself via email.
Usually infects with email attachments.
Harvests email addresses from address book, web cache, and hard disk (unlike viruses).
No need to acquire new targets.
Tricks users into running malicious code on their own machines.
Some worms use their own SMTP engine.

Page 7

Analysis

The SoBig and MyDoom mass-mailing worms

Real network trace data, collected from the edge router of CMU’s Electrical and Computer Engineering Department

Two-week periods (Aug. – Sept. 2003 and Jan. – Feb. 2004)

Page 8

Infected or chatty? Heuristics of suspicion

Outgoing SMTP connections on a controlled network not going to an authorized mail server.

Message payload – similar to the payload sizes of known worm traffic from Symantec.

Admittedly not 100 percent accurate.

Page 9

Worm Effect – TCP Traffic

Scanning worms have spikes in all kinds of traffic, caused by scanning for other boxes to compromise.

Mass-mailing worms use email to spread to potential victim boxes through mail service over TCP.

Page 10

Worm Effect – TCP Traffic

Page 11

Worm Effect – TCP Traffic

• Since the worms use their own SMTP engines, there should be no outbound SMTP traffic spikes from the existing mail servers.

• There is a spike in traffic with SoBig, but not MyDoom.

• Spoofed emails from the harvest of addresses create false guesses, which create backscatter.

• SoBig is more aggressive than MyDoom during propagation.

Page 12

Worm Effect – Distinct IPs

Normal boxes that are not infected touch an average number of distinct IPs in a given day.

Infected boxes use email addresses from all over, from the harvest.

The number of distinct IPs an infected system touches should be noticeably larger.

The number of IPs a mail server touches should not change, intuitively, since they already send to new IPs on a regular basis.
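The two host-level heuristics from pages 8 and 12 (outbound SMTP that bypasses the authorized relay, and a distinct-destination count well above a host's own daily baseline) can be applied to an ordinary connection log. The following is an added example written for this transcript; it is not code from the paper or from the presenter. The site prefix, the relay addresses, the per-host baselines, the 3x threshold and every log record are constructed for the example, and the payload-size heuristic from page 8 is not modelled because the slides give no Symantec size values.

```python
"""Added example (not from the paper or the slides): the two host-level
heuristics from the deck applied to a constructed one-day connection log.

Heuristic 1 (page 8): an internal host opening outbound TCP/25 to anything
other than an authorised mail relay is suspicious.
Heuristic 2 (page 12): an infected host touches far more distinct
destination IPs per day than its own baseline; a mail relay already talks
to many new IPs every day, so it is exempt from this rule.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

INTERNAL_NET = ip_network("10.1.0.0/16")              # constructed site prefix
AUTHORIZED_MAIL_RELAYS = {"10.1.0.25", "10.1.0.26"}   # constructed relay addresses
# Constructed per-host baseline: distinct destination IPs on a normal day.
BASELINE_DISTINCT_IPS = {"10.1.5.7": 40, "10.1.5.8": 35, "10.1.0.25": 900}
DISTINCT_IP_FACTOR = 3.0   # flag when today's count exceeds baseline * factor


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: <ts> <src> <dst> <dport> <proto>."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def build_sample_flows() -> List[str]:
    """Constructed log for three internal hosts on one day."""
    lines = []
    # 10.1.5.7 behaves like an infected box running its own SMTP engine:
    # many distinct destinations plus direct delivery attempts to remote MTAs.
    for i in range(1, 131):
        lines.append(f"2003-08-19T10:{i % 60:02d}:00 10.1.5.7 198.51.100.{i} 80 tcp")
    for dst in ("203.0.113.9", "203.0.113.10", "203.0.113.11"):
        lines.append(f"2003-08-19T10:30:00 10.1.5.7 {dst} 25 tcp")
    # 10.1.5.8 is a clean workstation that sends mail through the authorised relay.
    for i in range(1, 21):
        lines.append(f"2003-08-19T11:{i:02d}:00 10.1.5.8 192.0.2.{i} 443 tcp")
    lines.append("2003-08-19T11:30:00 10.1.5.8 10.1.0.25 25 tcp")
    # 10.1.0.25 is the relay itself and legitimately talks to many remote MTAs.
    for i in range(1, 201):
        lines.append(f"2003-08-19T12:00:{i % 60:02d} 10.1.0.25 198.51.100.{i} 25 tcp")
    return lines


def rogue_smtp(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Heuristic 1: internal, non-relay hosts opening TCP/25 to non-relay destinations."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto != "tcp" or f.dport != 25:
            continue
        if ip_address(f.src) not in INTERNAL_NET or f.src in AUTHORIZED_MAIL_RELAYS:
            continue
        if f.dst not in AUTHORIZED_MAIL_RELAYS:
            hits[f.src].add(f.dst)
    return dict(hits)


def distinct_ip_spike(flows: List[Flow], baseline: Dict[str, int],
                      factor: float = DISTINCT_IP_FACTOR) -> Dict[str, Tuple[int, int]]:
    """Heuristic 2: (today's distinct count, baseline) for hosts above factor * baseline."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if ip_address(f.src) in INTERNAL_NET and f.src not in AUTHORIZED_MAIL_RELAYS:
            seen[f.src].add(f.dst)
    spikes: Dict[str, Tuple[int, int]] = {}
    for host, dsts in seen.items():
        base = baseline.get(host)
        if base is not None and len(dsts) > base * factor:
            spikes[host] = (len(dsts), base)
    return spikes


def assess(lines: List[str]) -> Dict[str, List[str]]:
    """Return, for each host that tripped a heuristic, the reasons it did."""
    flows = [parse_flow(line) for line in lines]
    verdict: Dict[str, List[str]] = defaultdict(list)
    for host, dsts in rogue_smtp(flows).items():
        verdict[host].append(f"outbound SMTP to {len(dsts)} unauthorised host(s)")
    for host, (count, base) in distinct_ip_spike(flows, BASELINE_DISTINCT_IPS).items():
        verdict[host].append(f"{count} distinct destination IPs vs baseline {base}")
    return dict(verdict)


if __name__ == "__main__":
    for host, reasons in assess(build_sample_flows()).items():
        print(host, "->", "; ".join(reasons))
```

Run as a script, it reports only 10.1.5.7, on both heuristics: the clean workstation's single SMTP connection goes to the relay, and the relay's own fan-out is exempt by design. That exemption is also where the page-13 result bites: the deck reports that mail servers rose as well because of backscatter from spoofed sender addresses, so a production rule would keep a separate baseline for relays rather than ignoring them outright. The slides' own caveat applies: these rules are admittedly not 100 percent accurate, and a hit is a reason to investigate, not a verdict.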

Page 13

Worm Effect – Distinct IPs

Infected boxes experienced a rise.
Mail servers did as well, despite the expectation.
Attributed also to the spoofing effort.

Page 14

Worm Effect - DNS

DNS related events expected to rise, since SMTP needs to resolve the IP associated with email addresses.
New cache entry, refreshed cache entry, cache entry expiration

Page 15

Worm Effect - DNS

Page 16

Worm Effect – Overall Traffic

HTTP traffic dominates the network, with over 90% of all inbound and outbound traffic.

Do the infected systems make a large impact on that fact?

Page 17

Worm Effect – Overall Traffic

Page 18

Discussion and Conclusions

Mass-mailing worms show significant and noticeable impact on a network.

Prevention measures at the DNS server, rather than at the SMTP server.

Detection focused on outgoing TCP, DNS, and distinct IPs, rather than on whole-network anomaly, due to the impact of HTTP.

Page 19

Discussion and Conclusions

Both worms overran the network, SoBig more so than MyDoom.

SMTP servers still affected, even with mail clients on the worms, due to backscatter.

Antivirus software on mail servers actually counter-productive as a defense measure.

Page 20

Protection

Detect worms either at the border router or individual systems.

Utilize DNS servers to limit the spread of the worm, possibly quarantining malicious email traffic.

Pay strict attention to outgoing SMTP traffic and investigate spikes in such traffic.

Page 21

Sources

“A Study of Mass-mailing Worms”, Wong, Bielski, McCune, Wang, CMU 2004. Proceedings of the 2004 ACM Workshop on Rapid Malcode.

“The Spread of the Sapphire/Slammer Worm”, Moore, Paxson, Savage, Shannon, Staniford, Weaver. http://www.cs.berkeley.edu/~nweaver/sapphire/

“Code-Red: a case study on the spread and victims of an Internet worm”, Moore, Shannon, Claffy. Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement.

“The Cornell Commission: On Morris and the Worm”, Eisenberg, Gries, Hartmanis, Holcomb, Lynn, Santoro. Communications of the ACM, Vol. 32, Issue 6.