![Page 1: A Taxonomy of Computer Worms Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham ACM WORM 2003 Speaker: Chang Huan Wu 2008/8/8](https://reader033.vdocument.in/reader033/viewer/2022051401/56649e9d5503460f94b9ebaa/html5/thumbnails/1.jpg)
A Taxonomy of Computer Worms
Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham
ACM WORM 2003
Speaker: Chang Huan Wu
2008/8/8
Outline
Introduction
Classification of Worms
– Target Discovery
– Carrier
– Activation
– Payloads
– Attackers
Conclusions
Introduction
What is a computer worm?
– A program that propagates using vulnerabilities in software/applications
– Self-propagating (distinct from a virus)
– Self-replicating
In order to understand the worm threat, it is necessary to understand the various types of worms, payloads, and attackers
Target Discovery (1/3)
Scanning
– Sequential & Random
– Optimization
  Preference for local addresses: same OS and applications in a sub-network
  Permutation scanning: utilize distributed coordination to scan more effectively
  Bandwidth-limited scanning: do not wait for responses
– Anomalous compared to normal Internet traffic
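The last bullet is the defender's handle on scanning worms: a scanning host touches many distinct destinations in a short time and most of its connection attempts fail, while a sequential scanner also walks consecutive addresses and a locally-biased one stays inside its own network. The following profiler, added here as an illustration and not code from the paper or the talk, reads constructed flow records (timestamp, source, destination, port, handshake result) and computes per source the maximum fan-out inside a sliding window, the handshake success rate, whether the destination addresses look sequential or random, and the fraction of targets in the source's own /16. The flow format, the thresholds, and the "same /16 means local" heuristic are assumptions made for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed flow records (not real traffic): "ts src dst dport status",
# where status is "ok" for a completed handshake and "fail" for no reply / RST.
SAMPLE_LINES = [
    "# benign host: a few repeated connections, all answered",
    "90.0 10.0.1.5 10.0.0.10 443 ok",
    "91.0 10.0.1.5 10.0.0.25 80 ok",
    "92.0 10.0.1.5 10.0.0.10 443 ok",
    "93.0 10.0.1.5 10.0.0.40 22 ok",
]
# Sequential scanner with local preference: walks 10.0.2.1 .. 10.0.2.12 on tcp/135,
# only one address answers (constructed).
SAMPLE_LINES += [
    f"{100.0 + i * 0.5} 10.0.1.77 10.0.2.{i + 1} 135 {'ok' if i == 5 else 'fail'}"
    for i in range(12)
]
# Random scanner spraying documentation-range addresses, nothing answers (constructed).
RANDOM_DSTS = ["203.0.113.7", "198.51.100.23", "192.0.2.99", "203.0.113.140",
               "198.51.100.5", "192.0.2.17", "203.0.113.201", "198.51.100.77", "192.0.2.250"]
SAMPLE_LINES += [f"{200.0 + i * 0.1} 10.0.1.90 {d} 135 fail" for i, d in enumerate(RANDOM_DSTS)]


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    ok: bool


def parse_flows(lines):
    """Parse the constructed text format above into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, status = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), status == "ok"))
    return flows


def max_fanout(flows, window):
    """Largest number of distinct destinations one source touched within any `window` seconds."""
    flows = sorted(flows, key=lambda f: f.ts)
    live = Counter()
    best = lo = 0
    for f in flows:
        live[f.dst] += 1
        while f.ts - flows[lo].ts > window:      # drop flows that fell out of the window
            old = flows[lo].dst
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            lo += 1
        best = max(best, len(live))
    return best


def address_pattern(dsts):
    """'sequential' if the distinct destinations are mostly consecutive addresses, else 'random'."""
    ints = sorted({int(ip_address(d)) for d in dsts})
    if len(ints) < 2:
        return "n/a"
    unit_gaps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return "sequential" if unit_gaps / (len(ints) - 1) >= 0.8 else "random"


def analyze(lines, window=60.0, min_targets=8, max_success=0.3):
    """Per-source profile: fan-out, handshake success rate, address pattern, local preference."""
    by_src = defaultdict(list)
    for f in parse_flows(lines):
        by_src[f.src].append(f)
    report = {}
    for src, fl in by_src.items():
        dsts = {f.dst for f in fl}
        local = ip_network(f"{src}/16", strict=False)  # assumption: "local" = same /16 as the source
        fanout = max_fanout(fl, window)
        success = sum(f.ok for f in fl) / len(fl)
        report[src] = {
            "fanout": fanout,
            "success_rate": round(success, 3),
            "pattern": address_pattern(dsts),
            "local_fraction": round(sum(ip_address(d) in local for d in dsts) / len(dsts), 3),
            # many distinct targets plus mostly failed handshakes is the scanning signature
            "flagged": fanout >= min_targets and success <= max_success,
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LINES).items():
        print(src, info)
```

On the constructed data the benign host stays below the fan-out threshold, the 10.0.1.77 scanner is flagged as sequential with all of its targets local, and the 10.0.1.90 scanner is flagged as random with none local; the same profile is what makes passive and contagion worms (next slides) hard to catch, since their target discovery produces no such fan-out or failure pattern.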
Target Discovery (2/3)
Pre-generated Target Lists
– Attacker made a target list in advance
Externally Generated Target Lists
– Metaservers keep a list of all the servers which are currently active (Ex. Online game)
Internal Target Lists
– Victim’s applications contain information about other hosts
Target Discovery (3/3)
Passive
– Wait for potential victims to contact the worm (Ex. Un-patched browser)
– Rely on user behavior to discover new targets
Contagion worms rely on normal communication to discover new victims
– No anomalous traffic patterns during target discovery
Carrier (1/2)
Self-Carried
– Transmits itself as part of the infection process
Second Channel
– Requires a secondary communication channel to complete the infection (Ex. Blaster: exploit uses RPC, download the worm body by TFTP)
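A second-channel carrier leaves a two-step footprint that a self-carried worm does not: the victim is first contacted on the exploited service and shortly afterwards opens a second connection of its own to fetch the worm body. The correlator below, an added example rather than code from the paper, looks for exactly that sequence over constructed flow records: an inbound contact on tcp/135 (the Windows RPC endpoint mapper port) followed within a window by an outbound TFTP transfer (udp/69) from the contacted host. The ports are the standard assignments; the record format, the 120-second window, and the "strong/weak" scoring are assumptions made for the example.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed flow records (not real traffic): "ts src dst proto dport".
# tcp/135 is the Windows RPC endpoint mapper port, udp/69 is TFTP.
SAMPLE_LINES = [
    "10.0  10.0.1.77 10.0.2.6  tcp 135",   # inbound RPC contact to 10.0.2.6
    "12.5  10.0.2.6  10.0.1.77 udp 69",    # 10.0.2.6 fetches a file back from the same peer
    "30.0  10.0.3.4  10.0.2.9  tcp 135",   # RPC contact with no follow-up transfer
    "40.0  10.0.2.9  10.0.0.20 tcp 445",
    "100.0 10.0.5.5  10.0.2.30 tcp 135",
    "400.0 10.0.2.30 10.0.0.40 udp 69",    # TFTP far outside the correlation window
    "500.0 10.0.6.6  10.0.2.50 tcp 135",
    "505.0 10.0.2.50 10.0.9.9  udp 69",    # TFTP to a third host shortly after RPC contact
]

RPC_PORT, TFTP_PORT = 135, 69


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(lines):
    """Parse the constructed text format above, oldest flow first."""
    flows = []
    for line in lines:
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(float(ts), src, dst, proto, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def correlate_second_channel(lines, window=120.0):
    """Flag hosts that were contacted on the RPC port and then started a TFTP
    transfer within `window` seconds: the two-stage carrier pattern."""
    rpc_contacts = defaultdict(list)   # host -> [(ts, peer that contacted it on tcp/135)]
    findings = []
    for f in parse_flows(lines):
        if f.proto == "tcp" and f.dport == RPC_PORT:
            rpc_contacts[f.dst].append((f.ts, f.src))
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            # most recent RPC contact to the host that is now fetching a file
            recent = [(ts, peer) for ts, peer in rpc_contacts[f.src] if 0 <= f.ts - ts <= window]
            if recent:
                ts, peer = max(recent)
                findings.append({
                    "victim": f.src,
                    "exploit_peer": peer,
                    "tftp_peer": f.dst,
                    "delay": f.ts - ts,
                    # fetching from the very host that just contacted you is the strongest signal
                    "confidence": "strong" if peer == f.dst else "weak",
                })
    return findings


if __name__ == "__main__":
    for hit in correlate_second_channel(SAMPLE_LINES):
        print(hit)
```

On the constructed records the host 10.0.2.6 is reported with strong confidence (it fetched from the peer that had just contacted it), 10.0.2.50 with weak confidence, and 10.0.2.30 not at all because its transfer falls outside the window. Blocking or alerting on unexpected outbound TFTP from workstations is the matching mitigation: a second-channel worm cannot finish its infection without that download.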
Carrier (2/2)
Embedded
– Sends itself as part of a normal communication channel, either appending to or replacing normal messages
– Usually used by passive worms
– Relatively stealthy
Activation (1/3)
Human Activation
– Convince a local user to execute the worm
– The slowest activation approach
Human Activity-Based Activation
– Activated when the user performs some activity not normally related to a worm (Ex. resetting the machine, logging in)
Activation (2/3)
Scheduled Process Activation
– Unauthorized auto-updater programs
– Ex. Use a DNS redirection attack to serve a file to the desktop system to infect the target
Activation (3/3)
Self Activation
– Initiate their own execution by exploiting vulnerabilities in services that are always on and available
– The fastest activation approach
Payloads (1/2)
None/nonfunctional
Internet Remote Control
Spam-Relays
Internet DoS
Access for Sale
Payloads (2/2)
Data Collection
Data Damage
Physical-world DoS
– Use attached modems to dial emergency services
Physical-world Damage
– Reflashing BIOS
…
Attackers (1/2)
Experimental Curiosity
– Continual tendency for various individuals to experiment with viruses and worms
Pride and Power
– A desire to acquire power, to show off their knowledge and ability to inflict harm on others
Commercial Advantage
– Profit by manipulating financial markets via a synthetic economic disaster
Attackers (2/2)
Extortion and Criminal Gain
– Credit-card information
Random Protest
– Disrupt networks and infrastructure
Political Protest
Terrorism
Cyber Warfare
Conclusion
Developed a taxonomy of worms
– Target discovery, Carrier, Activation, Payloads, Attackers
– The carrier, activation, and payload are independent of each other, and describe the worm itself
– Sometimes the easiest way to defend against a worm is to remove the motivation for writing a worm in the first place
Comments
Classifies worms along many dimensions
Different mechanisms of Target Discovery / Carrier / Activation generate different traffic behaviors