worms – code red bd 480 this presentation is an amalgam of presentations by david moore, randy...
TRANSCRIPT
![Page 1: Worms – Code Red BD 480 This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material](https://reader036.vdocuments.site/reader036/viewer/2022082806/551be6aa550346b9588b60af/html5/thumbnails/1.jpg)
Worms – Code Red
BD 480
This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
Who gets Internet worms?
Big question: who gets code red? Big companies? Home users? Web servers? People who know they aren’t running IIS?
Host infection plots show some slight diurnal behavior ==> people turning off their “web servers”
Looking deeper shows extreme diurnal behavior, masked in simple plots (1/3 to 1/2 machines turned on/off daily)
What is the Code-Red worm?
Malicious program that connects to other machines and replicates itself
Exploits a buffer-overflow vulnerability in Microsoft IIS (the Index Server ISAPI extension, Microsoft bulletin MS01-033)
Days 1-19 of each month:
displays a "Hacked by Chinese!" message on English-language servers
tries to open connections to infect 100 other randomly chosen machines
Days 20-27 of each month:
launches a denial-of-service attack on the IP address of www1.whitehouse.gov
Code-Red Detection
Data collected from a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratories (LBL)
About 1/256th of the total IPv4 address space monitored
Machines sending TCP SYN packets to port 80 of nonexistent hosts are considered infected
Data spans the 24-hour period from midnight UTC July 19th to midnight UTC July 20th, 2001
Host Infection Rate
359,104 hosts infected in the 24-hour period
Between 11:00 and 16:00 UTC the growth is exponential
2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC)
Host Infection Rate
Exponential Infection Rate
Infection Rate over Time
Host Deactivation
Machines were isolated, patched, and rebooted throughout the day
A host is considered inactive after we observe no further unsolicited traffic from it
Because the Code-Red worm is programmed to stop infecting new hosts at midnight on the 20th of every month, the majority of hosts stopped probing in the last hour before midnight UTC on July 20th
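The detection rule, the per-minute infection counts and the deactivation criterion on the preceding slides can be turned into a small network-telescope analysis. The following is an added example written for this page, not code from the slides or from CAIDA: it treats any source sending a bare TCP SYN to port 80 of an address inside monitored dark space as infected, records when each source was first and last seen, and counts new sources per minute. The telescope prefixes, the packet log format and the sample records are all constructed for the example, and the function names are mine.

```python
"""Network-telescope detection of Code Red probing (added example).

Implements the rule stated on the slides: a source that sends a TCP SYN to
port 80 of an address in monitored, unused ("dark") space is counted as
infected. From those probes it derives first-seen (infection), last-seen
(deactivation) and per-minute infection counts. Prefixes and log are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, NamedTuple, Tuple

# Constructed stand-ins for a /8 plus two /16s of unused address space.
TELESCOPE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.0.0/16"),
    ipaddress.ip_network("203.0.0.0/16"),
]


class Packet(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters as a capture tool prints them: "S", "SA", ...


def utc(ts: str) -> datetime:
    """Parse '2001-07-19T16:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_packet(line: str) -> Packet:
    """One constructed log record: '<time>Z <src> <dst> <dport> <flags>'."""
    ts, src, dst, dport, flags = line.split()
    return Packet(utc(ts), src, dst, int(dport), flags)


def in_telescope(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TELESCOPE)


def is_worm_probe(pkt: Packet) -> bool:
    """A bare SYN to port 80 of a nonexistent host.

    SYN/ACKs are deliberately excluded: those are backscatter from victims of
    spoofed-source SYN floods, not evidence that the sender is infected.
    """
    return pkt.dport == 80 and pkt.flags == "S" and in_telescope(pkt.dst)


def detect_infected(lines: Iterable[str]) -> Dict[str, Tuple[datetime, datetime]]:
    """Map each probing source address to (first probe seen, last probe seen).

    This counts addresses, not machines: a DHCP host that changes address
    during the day shows up twice, the skew the slides' conclusions warn about.
    """
    seen: Dict[str, Tuple[datetime, datetime]] = {}
    for line in lines:
        pkt = parse_packet(line)
        if not is_worm_probe(pkt):
            continue
        first, last = seen.get(pkt.src, (pkt.ts, pkt.ts))
        seen[pkt.src] = (min(first, pkt.ts), max(last, pkt.ts))
    return seen


def new_infections_per_minute(seen: Dict[str, Tuple[datetime, datetime]]) -> Counter:
    """Count sources by the minute in which they were first observed probing."""
    return Counter(first.replace(second=0, microsecond=0) for first, _ in seen.values())


def peak_minute(per_minute: Counter) -> Tuple[datetime, int]:
    """The minute with the most newly observed infected sources."""
    return max(per_minute.items(), key=lambda kv: kv[1])


def active_at(seen: Dict[str, Tuple[datetime, datetime]], when: datetime) -> int:
    """Sources still probing at `when`: first seen no later, last seen no earlier."""
    return sum(first <= when <= last for first, last in seen.values())


# Constructed sample log (not real capture data).
SAMPLE_LOG = """\
2001-07-19T15:58:01Z 172.16.1.5 10.37.200.9 80 S
2001-07-19T15:58:04Z 172.16.9.9 198.51.3.77 80 S
2001-07-19T15:58:30Z 172.16.4.4 10.2.2.2 25 S
2001-07-19T16:03:11Z 172.16.1.5 203.0.88.1 80 S
2001-07-19T16:03:15Z 172.16.2.2 10.9.9.9 80 S
2001-07-19T16:03:40Z 172.16.3.3 10.5.5.5 80 SA
2001-07-19T16:03:55Z 172.16.7.7 192.0.2.10 80 S
""".splitlines()

if __name__ == "__main__":
    infected = detect_infected(SAMPLE_LOG)
    for src, (first, last) in sorted(infected.items()):
        print(f"{src:12} first {first:%H:%M:%S}  last {last:%H:%M:%S}")
    minute, count = peak_minute(new_infections_per_minute(infected))
    print(f"peak: {count} new sources at {minute:%H:%M} UTC")
    print("active at 16:00 UTC:", active_at(infected, utc("2001-07-19T16:00:00Z")))
```

Two details matter when applying this to real telescope data. Only bare SYNs count: SYN/ACKs arriving at dark space are backscatter from hosts under spoofed-source flooding (which is how the day 20-27 attack phase would look from a telescope), so treating them as probes would inflate the infected count. And the unit of measurement is an address, not a host, which is why the later slide about DHCP churn matters for the totals.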
Host Deactivation
Host Deactivation Rates over Time
Host Characterization: Country
The following graph shows the top ten countries of origin for all infected hosts
Surprisingly, Korea is the second most prevalent country, ranking ahead of countries with more advanced network infrastructure
Host Characterization: Country of Origin
[Bar chart: infected hosts (0 to 160,000) by country, in descending order: US, Korea, China, Taiwan, Canada, UK, Germany, Australia, Japan, Netherlands]
Conclusions
359,104 hosts infected in less than 14 hours
Up to 2,000 hosts per minute infected
Collateral damage: routers, switches, printers, and DSL modems crashed, rebooted, or otherwise damaged
Unpatched, insecure machines put everyone at risk
Will we be prepared for the next major exploit?
Patching Survey
Idea: randomly test subset of previously infected IP addresses to see if they have been patched or are still vulnerable
360,000 IP addresses in pool from initial July 19th infection
10,000 chosen randomly each day and surveyed between 9am and 5pm PDT
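The survey design above (a fixed pool of addresses, a fresh random sample of 10,000 each day, a per-day estimate of how many are still vulnerable) is worth seeing with its error bars. The following is an added example written for this page, not the slides' or CAIDA's survey code: the pool, the per-host patch times and the `probe` function are a constructed, seeded simulation, because the slides do not say how a host was actually tested; the Wilson interval and the handling of unreachable hosts are my choices.

```python
"""Daily patching survey with a confidence interval (added example).

Mirrors the method on the slide: a pool of addresses seen infected on
July 19th, 10,000 drawn at random each day and probed, and the share still
vulnerable estimated from the answers. Everything below is synthetic:
`build_pool` invents patch times and `make_probe` simulates the check.
"""
import math
import random
from collections import Counter
from typing import Callable, Dict, List, Tuple

POOL_SIZE = 360_000
SAMPLE_PER_DAY = 10_000


def build_pool(n: int = POOL_SIZE, daily_patch_rate: float = 0.03, seed: int = 1) -> Dict[int, float]:
    """Constructed: host id -> (fractional) day on which it gets patched."""
    rng = random.Random(seed)
    return {host: rng.expovariate(daily_patch_rate) for host in range(n)}


def make_probe(patch_time: Dict[int, float], uptime: float = 0.7, seed: int = 2) -> Callable[[int, int], str]:
    """Simulated probe returning 'patched', 'vulnerable' or 'unreachable'.

    `uptime` models the diurnal effect on the slides (a third to a half of
    hosts switched off at any moment), independent of patch status.
    """
    rng = random.Random(seed)

    def probe(host: int, day: int) -> str:
        if rng.random() > uptime:
            return "unreachable"
        return "patched" if patch_time[host] <= day else "vulnerable"

    return probe


def wilson(k: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """Wilson score interval for a proportion k/n (95% at z=1.96)."""
    if n == 0:
        return (0.0, 1.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (centre - half, centre + half)


def survey_day(pool: List[int], probe: Callable[[int, int], str], day: int,
               k: int = SAMPLE_PER_DAY, seed: int = 0) -> Dict[str, object]:
    """Draw k addresses from the pool for this day and probe them.

    Unreachable hosts are dropped from the denominator rather than counted as
    patched: a host that is switched off says nothing about its patch state,
    so the estimate describes hosts that were up during the survey window.
    """
    rng = random.Random(seed + day)  # independent draw each day, as on the slide
    tally = Counter(probe(host, day) for host in rng.sample(pool, k))
    responded = tally["patched"] + tally["vulnerable"]
    frac = tally["vulnerable"] / responded if responded else float("nan")
    return {"day": day, "sampled": k, "responded": responded,
            "vulnerable_frac": frac, "ci95": wilson(tally["vulnerable"], responded)}


def true_vulnerable_fraction(patch_time: Dict[int, float], day: int) -> float:
    """Ground truth, available only because the pool is synthetic."""
    return sum(t > day for t in patch_time.values()) / len(patch_time)


if __name__ == "__main__":
    patch_time = build_pool()
    probe = make_probe(patch_time)
    pool = list(patch_time)
    for day in range(0, 31, 5):
        r = survey_day(pool, probe, day)
        lo, hi = r["ci95"]
        print(f"day {day:2}: {r['vulnerable_frac']:.3f} vulnerable "
              f"(95% CI {lo:.3f}-{hi:.3f}, {r['responded']} responded), "
              f"truth {true_vulnerable_fraction(patch_time, day):.3f}")
```

With roughly 7,000 responders per day the 95% interval is about two percentage points wide, which is why 10,000 probes out of 360,000 addresses suffice to track the patching curve. The estimate is only for hosts that were reachable during the 9am-5pm PDT window; if machines that are switched off are also less likely to be patched, the survey will overstate the patching rate, and the DHCP churn noted in the conclusions means some sampled addresses no longer belong to the machine that was infected.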
Patching Rate
Host Infections
Conclusions
1/3 - 1/2 of hosts are coming and going on a daily cycle
DHCP effect can skew statistics, since the same host can appear under multiple IP addresses over time
Even with the “best” possible warning, the majority of IIS patching occurred after the start of the next round of CodeRed