TRANSCRIPT
A Taxonomy of Computer Worms
Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham
ACM WORM 2003
Speaker: Chang Huan Wu
2008/8/8
Outline
Introduction
Classification of Worms
– Target Discovery
– Carrier
– Activation
– Payloads
– Attackers
Conclusions
Introduction
What is a computer worm?
– A program that propagates using vulnerabilities in software/applications
– Self-propagating (distinct from a virus)
– Self-replicating
In order to understand the worm threat, it is necessary to understand the various types of worms, payloads, and attackers
Target Discovery (1/3)
Scanning
– Sequential & Random
– Optimization
Preference for local addresses: same OS and applications in a sub-network
Permutation scanning: utilize distributed coordination to scan more effectively
Bandwidth-limited scanning: do not wait for a response
– Anomalous from normal Internet traffic
Target Discovery (2/3)
Pre-generated Target Lists
– Attacker made a target list in advance
Externally Generated Target Lists
– Metaservers keep a list of all the servers which are currently active (Ex. online games)
Internal Target Lists
– Victim’s applications contain information about other hosts
Target Discovery (3/3)
Passive
– Wait for potential victims to contact the worm (Ex. un-patched browser)
– Rely on user behavior to discover new targets
Contagion worms rely on normal communication to discover new victims
– No anomalous traffic patterns during target discovery
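The scanning slide notes that scanning (especially bandwidth-limited scanning, which does not wait for replies) is anomalous compared with normal traffic, while contagion worms leave no such pattern during target discovery. The following is an added example, not from the paper or these slides, of the defender-side logic that exploits that difference: it reads constructed connection records (timestamp, source, destination, port, state; the layout and thresholds are assumptions) and flags sources whose fan-out and unanswered-connection ratio look like scanning.

```python
"""Flag scan-like target discovery in connection logs (added example)."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps many hosts on port 135 without
# waiting for replies (mostly unanswered), while 10.0.0.9 behaves like
# a normal client talking repeatedly to a couple of servers.
SAMPLE_LOG = """\
1 10.0.0.9 10.0.1.10 80 established
2 10.0.0.9 10.0.1.11 443 established
3 10.0.0.5 10.0.2.1 135 unanswered
4 10.0.0.5 10.0.2.2 135 unanswered
5 10.0.0.5 10.0.2.3 135 established
6 10.0.0.5 10.0.2.4 135 unanswered
7 10.0.0.5 10.0.2.5 135 unanswered
8 10.0.0.5 10.0.2.6 135 unanswered
9 10.0.0.9 10.0.1.10 80 established
"""


def parse(log_text):
    """Yield (src, dst, dport, state) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, state = line.split()
        yield src, dst, int(dport), state


def scan_candidates(log_text, min_fanout=5, min_fail_ratio=0.6):
    """Return {src: (distinct_targets, fail_ratio)} for sources whose fan-out
    and unanswered-connection ratio look like scanning rather than normal use.
    Contagion/passive worms never trip this check: their traffic has no such
    fan-out, which is exactly why the slides call them non-anomalous."""
    targets = defaultdict(set)   # src -> {(dst, dport)}
    attempts = defaultdict(int)  # src -> total connection attempts
    failures = defaultdict(int)  # src -> attempts that got no reply
    for src, dst, dport, state in parse(log_text):
        targets[src].add((dst, dport))
        attempts[src] += 1
        if state != "established":
            failures[src] += 1
    flagged = {}
    for src, seen in targets.items():
        fail_ratio = failures[src] / attempts[src]
        if len(seen) >= min_fanout and fail_ratio >= min_fail_ratio:
            flagged[src] = (len(seen), round(fail_ratio, 2))
    return flagged


if __name__ == "__main__":
    print(scan_candidates(SAMPLE_LOG))  # {'10.0.0.5': (6, 0.83)}
```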
Carrier (1/2)
Self-Carried
– Transmits itself as part of the infection process
Second Channel
– Requires a secondary communication channel to complete the infection (Ex. Blaster: the exploit uses RPC, then the worm body is downloaded by TFTP)
Carrier (2/2)
Embedded
– Sends itself as part of a normal communication channel, either appending to or replacing normal messages
– Usually used by passive worms
– Relatively stealthy
Activation (1/3)
Human Activation
– Convince a local user to execute the worm
– The slowest activation approach
Human Activity-Based Activation
– Activated when the user performs some activity not normally related to a worm (Ex. resetting the machine, logging in)
Activation (2/3)
Scheduled Process Activation
– Unauthorized auto-updater programs
– Ex. use a DNS redirection attack to serve a file to the desktop system to infect the target
Activation (3/3)
Self Activation
– Initiate their own execution by exploiting vulnerabilities in services that are always on and available
– The fastest activation approach
Payloads (1/2)
None/nonfunctional
Internet Remote Control
Spam-Relays
Internet DoS
Access for Sale
Payloads (2/2)
Data Collection
Data Damage
Physical-world DoS
– Use attached modems to dial emergency services
Physical-world Damage
– Reflashing BIOS
…
Attackers (1/2)
Experimental Curiosity
– Continual tendency for various individuals to experiment with viruses and worms
Pride and Power
– A desire to acquire power, to show off their knowledge and ability to inflict harm on others
Commercial Advantage
– Profit by manipulating financial markets via a synthetic economic disaster
Attackers (2/2)
Extortion and Criminal Gain
– Credit-card information
Random Protest
– Disrupt networks and infrastructure
Political Protest
Terrorism
Cyber Warfare
Conclusion
Developed a taxonomy of worms
– Target discovery, Carrier, Activation, Payloads, Attackers
– The carrier, activation, and payload are independent of each other, and describe the worm itself
– Sometimes the easiest way to defend against a worm is to remove the motivation for writing a worm in the first place
Comments
Classifies worms along many dimensions
Different mechanisms of Target Discovery / Carrier / Activation generate different traffic behaviors