
A Taxonomy of Computer Worms

Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham

ACM WORM 2003

Speaker: Chang Huan Wu

2008/8/8


Outline

Introduction
Classification of Worms
– Target Discovery
– Carrier
– Activation
– Payloads
– Attackers
Conclusions


Introduction

What is a computer worm?
– A program that propagates using vulnerabilities in software/application
– Self-propagating (distinct from a virus)
– Self-replicating

In order to understand the worm threat, it is necessary to understand the various types of worms, payloads, and attackers


Target Discovery (1/3)

Scanning
– Sequential & Random
– Optimization
  Preference for local addresses: Same OS and applications in a sub-network
  Permutation scanning: Utilize distributed coordination to more effectively scan
  Bandwidth-limited scanning: Do not wait for response
– Anomalous from normal Internet traffic
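The point that scanning stands out from normal traffic can be turned into a detection check. The sketch below is an added example, not part of the slides or the paper: it labels each source in a set of constructed flow records as normal or as a sequential, local-preference, or random scanner. The record format, the thresholds, and the use of failed connections as the signal are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (source, destination, connection_succeeded).
FLOWS = (
    [("10.1.1.5", f"198.51.100.{i}", False) for i in range(1, 21)]
    + [("10.2.2.6", f"10.2.{i}.{i * 13 % 250 + 1}", False) for i in range(16)]
    + [("10.2.2.6", f"203.0.113.{i}", False) for i in (10, 50, 90, 130)]
    + [("10.3.3.7", f"{i * 53 % 200 + 11}.{i * 97 % 256}.{i * 31 % 256}.{i * 7 % 254 + 1}", False)
       for i in range(1, 21)]
    + [("10.4.4.8", f"192.0.2.{i}", True) for i in range(1, 6)]          # ordinary client
    + [("10.5.5.9", f"192.0.2.{i * 3 + 1}", True) for i in range(15)]    # busy proxy
)


def classify_sources(flows, min_fanout=10, min_fail_ratio=0.8):
    """Label each source by the scanning pattern its failed connections show."""
    contacted, failed = defaultdict(set), defaultdict(set)
    for src, dst, ok in flows:
        contacted[src].add(dst)
        if not ok:
            failed[src].add(dst)

    verdicts = {}
    for src, seen in contacted.items():
        misses = failed[src]
        # Scanners touch many distinct hosts and most attempts go unanswered.
        if len(seen) < min_fanout or len(misses) / len(seen) < min_fail_ratio:
            verdicts[src] = "normal"
            continue
        addrs = sorted(int(ip_address(d)) for d in misses)
        steps = [b - a for a, b in zip(addrs, addrs[1:])]
        local = sum(1 for a in addrs if a >> 16 == int(ip_address(src)) >> 16)
        if steps.count(1) >= 0.8 * len(steps):
            verdicts[src] = "sequential scan"        # consecutive address run
        elif local >= 0.5 * len(addrs):
            verdicts[src] = "local-preference scan"  # mostly the source's own /16
        else:
            verdicts[src] = "random scan"
    return verdicts


if __name__ == "__main__":
    for source, verdict in classify_sources(FLOWS).items():
        print(source, verdict)
```

The busy proxy contacts more hosts than the fan-out threshold but is still labelled normal, because fan-out alone is not treated as evidence of scanning without a high failure ratio.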


Target Discovery (2/3)

Pre-generated Target Lists
– Attacker made a target list in advance
Externally Generated Target Lists
– Metaservers keep a list of all the servers which are currently active (Ex. Online game)
Internal Target Lists
– Victim’s applications contain information about other hosts


Target Discovery (3/3)

Passive
– Wait for potential victims to contact the worm (Ex. Un-patched browser)
– Rely on user behavior to discover new targets
  Contagion worms rely on normal communication to discover new victims
– No anomalous traffic patterns during target discovery


Carrier (1/2)

Self-Carried
– Transmits itself as part of the infection process
Second Channel
– Require a secondary communication channel to complete the infection (Ex. Blaster: exploit uses RPC, download the worm body by TFTP)


Carrier (2/2)

Embedded
– Sends itself as part of a normal communication channel, either appending to or replacing normal messages
– Usually used by passive worms
– Relatively stealthy


Activation (1/3)

Human Activation
– Convince a local user to execute the worm
– The slowest activation approach
Human Activity-Based Activation
– Activated when the user performs some activity not normally related to a worm (Ex. resetting the machine, logging in)


Activation (2/3)

Scheduled Process Activation
– Unauthorized auto-updater programs
– Ex. Use DNS redirection attack to serve a file to the desktop system to infect the target


Activation (3/3)

Self Activation
– Initiate their own execution by exploiting vulnerabilities in services that are always on and available
– The fastest activation approach


Payloads (1/2)

None/nonfunctional

Internet Remote Control

Spam-Relays

Internet DoS

Access for Sale


Payloads (2/2)

Data Collection
Data Damage
Physical-world DoS
– Use attached modems to dial emergency services
Physical-world Damage
– Reflashing BIOS


Attackers (1/2)

Experimental Curiosity
– Continual tendency for various individuals to experiment with viruses and worms
Pride and Power
– A desire to acquire power, to show off their knowledge and ability to inflict harm on others
Commercial Advantage
– Profit by manipulating financial markets via a synthetic economic disaster


Attackers (2/2)

Extortion and Criminal Gain
– Credit-card information
Random Protest
– Disrupt networks and infrastructure
Political Protest
Terrorism
Cyber Warfare


Conclusion

Developed a taxonomy of worms
– Target discovery, Carrier, Activation, Payloads, Attackers
– The carrier, activation, and payload are independent of each other, and describe the worm itself
– Sometimes the easiest way to defend against a worm is to remove the motivation for writing a worm in the first place


Comments

Classify worms in many dimensions

Different mechanisms of Target Discovery / Carrier / Activation generate different traffic behaviors