A Taxonomy of Computer Worms
Ashish Gupta, Network Security
April 2004
Worm vs. virus
1. Self-propagates across the network, without needing a user to carry or run it
2. Exploits security or policy flaws in widely used services
3. Defences against worms are less mature today
OVERVIEW
The taxonomy classifies a worm along five axes:
• Target discovery: how the worm finds new hosts to infect
• Carrier: how the worm's code travels to a new host
• Activation: how the worm's code starts running on the new host
• Payload: what the worm does beyond spreading
• Attacker: who writes it and why
Target Discovery
• Scanning: sequential or random addresses
• Target lists: pre-generated (hit-list), external (e.g. game servers), internal
• Passive: wait for potential victims to contact the infected host
Target Discovery: internal target lists
• An infected host discovers the local communication topology (the hosts it already talks to)
• Spread resembles distance-vector route propagation: each newly infected host passes on what it knows about its neighbours
• Potentially very fast: propagation time is a function of shortest paths in the communication graph (e.g. the Morris worm's use of /etc/hosts.equiv and .rhosts)
• Difficult to detect: the traffic follows existing communication patterns rather than probing unknown addresses
• Suggests highly distributed sensors are needed
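To make the scanning strategies concrete, here is an added worked example (my code, not part of the original slides) that integrates the simple epidemic model for a random-scanning worm: every infected host sends scan_rate probes per second to uniformly random 32-bit addresses, and a probe succeeds only when it lands on a not-yet-infected vulnerable host. A pre-generated target list (hit-list) is modelled as a larger initial infected population. The function names, the vulnerable-population size and the scan rate are assumed illustrative values, not measurements of any real worm.

```python
import math


def simulate_random_scan(vulnerable, scan_rate, initial_infected=1,
                         address_space=2 ** 32, dt=1.0,
                         target_fraction=0.99, max_time=10 ** 7):
    """Euler integration of the simple epidemic model for a random-scanning worm.

    Each infected host sends `scan_rate` probes per second to uniformly random
    addresses.  A probe infects a new host only if it lands on a vulnerable host
    that is not yet infected, which happens with probability
    (vulnerable - infected) / address_space.  Returns the simulated seconds
    until `target_fraction` of the vulnerable population is infected, or None
    if that never happens within `max_time`.
    """
    infected = float(initial_infected)
    t = 0.0
    while infected < target_fraction * vulnerable:
        hit_prob = (vulnerable - infected) / address_space
        infected += infected * scan_rate * hit_prob * dt
        t += dt
        if t > max_time:
            return None
    return t


def logistic_time_to_fraction(vulnerable, scan_rate, initial_infected=1,
                              address_space=2 ** 32, target_fraction=0.99):
    """Closed form of the same model: I(t) = V / (1 + (V/I0 - 1) e^{-Kt}) with
    K = scan_rate * V / address_space.  Solving I(t) = f * V for t gives the
    expression below; it serves as a cross-check on the simulation."""
    k = scan_rate * vulnerable / address_space
    f = target_fraction
    return math.log((f / (1 - f)) * (vulnerable / initial_infected - 1)) / k


def compare_strategies(vulnerable=360_000, scan_rate=10, hitlist=10_000):
    """Time to 99% infection starting from a single host versus from a
    pre-generated hit-list of `hitlist` already-compromised hosts.
    The parameter values are assumed for illustration only."""
    return {
        "single_host": simulate_random_scan(vulnerable, scan_rate, 1),
        "hitlist": simulate_random_scan(vulnerable, scan_rate, hitlist),
    }


if __name__ == "__main__":
    for name, seconds in compare_strategies().items():
        print(f"{name:12s} {seconds / 3600:6.2f} hours to 99% infection")
```

Running it shows why a hit-list matters: the slow start-up phase, in which a handful of infected hosts waste almost all of their probes on the unused address space, disappears when the worm begins with thousands of hosts. The model covers only uniform random scanning; sequential scanning and the internal-target-list (topological) spread of the previous slide follow the address space or the communication graph rather than a uniform draw and are not captured by it.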
Toolkit potential
• http://smf.chat.ru/e_dvl_news.htm
• http://viruszone.by.ru/create.html
• http://lcamtuf.coredump.cx/worm.txt (worm tutorial)
Carrier
• Self-carried: the worm body is sent as part of the infection itself (active transmission)
• Second channel: the exploit gains a foothold and the body is fetched over another channel, e.g. an RPC exploit followed by a TFTP download (Blaster worm)
• Embedded: the worm body rides inside otherwise normal traffic, e.g. web requests
Activation
• Human activation: social engineering, e.g. MyDoom (the "SCO killer")
• Human activity-based activation: e.g. logging in, rebooting
• Scheduled process activation: e.g. updates, backups
• Self-activation: e.g. Code Red
MyDoom : Fastest Ever
http://www.cnn.com/2004/TECH/internet/01/28/mydoom.spreadwed/
Payload
• Internet remote control (a backdoor on every infected host)
• Internet DoS: the scenario the paper described, since realised in practice (MyDoom's DDoS against SCO)
• Data damage: Chernobyl, Klez
• Physical-world damage
• Human control: blackmail
Attacker
• Curiosity
• Pride and power
• Commercial advantage
• Extortion and criminal gain
• Terrorism (example on the next slide)
• Cyber warfare
Theodore Kaczynski
• Born in Chicago; extremely gifted as a child
• American terrorist who attempted to fight against what he perceived as the evils of technological progress
• Eighteen-year campaign of sending mail bombs to various people, killing three and wounding 23
• The first mail bomb was sent in late 1978 to Prof. Buckley Crist at Northwestern University
CONCLUSION
Open questions
• Given the target discovery and propagation methods of worms, how do we detect them?
– With only network traffic header data?
– At the ISP? At edge routers? At end hosts?
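As an added example of one answer to these questions (my code, not from the presentation), the block below runs a fan-out scan detector over constructed flow-header records. It needs only timestamp, source address and destination address, which is what a flow export at an ISP or edge router provides, so it works without payload. It flags sources that contact many distinct destinations inside a fixed window and then labels the pattern as sequential or random by looking at the sorted destination addresses. The flow records, addresses, thresholds and function names are all made up for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow headers: (time in seconds, src, dst, dst port).
# Not real traffic.  One host talking to three servers, one sequential
# scanner sweeping 10.0.1.1-40 on port 135, one random-address scanner.
NORMAL = [(t, "10.0.0.5", dst, port)
          for t in range(0, 300, 30)
          for dst, port in (("10.0.0.10", 443), ("10.0.0.11", 25), ("10.0.0.12", 53))]
SEQ_SCAN = [(100 + 0.2 * i, "10.0.0.9", f"10.0.1.{i}", 135) for i in range(1, 41)]
RANDOM_SCAN = [(200 + 0.5 * i, "10.0.0.13",
                f"172.16.{(i * 37) % 256}.{(i * 91) % 256}", 80) for i in range(24)]
FLOWS = sorted(NORMAL + SEQ_SCAN + RANDOM_SCAN)


def fanout_per_window(flows, window=60):
    """Distinct destination hosts contacted by each source in each fixed-size
    window.  Only header fields are used: timestamp, source, destination."""
    seen = defaultdict(set)          # (src, window index) -> set of dst
    for t, src, dst, _port in flows:
        seen[(src, int(t // window))].add(dst)
    return seen


def classify_pattern(dsts, seq_fraction=0.8):
    """'sequential' if at least seq_fraction of the sorted destination
    addresses differ from their predecessor by exactly 1, else 'random'."""
    addrs = sorted(int(ipaddress.IPv4Address(d)) for d in dsts)
    if len(addrs) < 2:
        return "random"
    adjacent = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return "sequential" if adjacent / (len(addrs) - 1) >= seq_fraction else "random"


def find_scanners(flows, window=60, fanout_threshold=20):
    """Flag every source whose fan-out in some window reaches the threshold.
    Returns {src: {"fanout": max distinct dsts, "pattern": ...}}."""
    flagged = {}
    for (src, _w), dsts in fanout_per_window(flows, window).items():
        if len(dsts) >= fanout_threshold and \
                len(dsts) > flagged.get(src, {}).get("fanout", 0):
            flagged[src] = {"fanout": len(dsts), "pattern": classify_pattern(dsts)}
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(FLOWS).items():
        print(f"{src}: {info['fanout']} distinct destinations, {info['pattern']} scan")
```

A detector like this catches scanning worms from headers alone, at whichever vantage point sees the probes. The internal-target-list (topological) worm from the earlier slides stays below the fan-out threshold, because it only contacts hosts its victim already talked to; that is the case for correlating observations across highly distributed sensors rather than relying on one. A scanner that spreads its probes over several windows also evades a fixed-window count, which is why production detectors use sliding windows or sequential-hypothesis tests on failed connection attempts instead of a single threshold.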