A Taxonomy of Computer Worms
Ashish Gupta
Network Security, April 2004

Worm vs a virus
1. Self propagates across the network
2. Exploits security or policy flaws in widely used services
3. Less mature defense today

OVERVIEW
• Activation
• Target Discovery
• Attacker
• Payload
• Carrier
Target Discovery
• Scanning: sequential, random
• Target Lists: pre-generated, external (game servers), internal
• Passive

Target Discovery: Internal Target Lists
• Discover the local communication topology
• Similar to DV algorithm
• Very fast?
• Function of shortest paths
• Any example?
• Difficult to detect
• Suggests highly distributed sensors
Toolkit potential
• http://smf.chat.ru/e_dvl_news.htm
• http://viruszone.by.ru/create.html
• http://lcamtuf.coredump.cx/worm.txt (Worm tutorial)
Carrier
• Self-Carried: active transmission
• Second Channel: e.g. RPC, TFTP (Blaster worm)
• Embedded: e.g. web requests

Activation
• Human Activation: Social Engineering, e.g. MyDoom SCO Killer!
• Human activity-based activation: e.g. logging in, rebooting
• Scheduled process activation: e.g. updates, backup etc.
• Self Activation: e.g. Code Red
MyDoom: Fastest Ever
http://www.cnn.com/2004/TECH/internet/01/28/mydoom.spreadwed/
Payload
• Internet Remote Control
• Internet DoS: paper's dream realized
• Data Damage: Chernobyl, Klez
• Physical World Damage
• Human control: Blackmail!

Attacker
• Curiosity
• Pride and Power
• Commercial Advantage
• Extortion and criminal gain
• Terrorism (Example)
• Cyber Warfare
Theodore Kaczynski
• Born in Chicago
• Extremely gifted as a child
• American terrorist who attempted to fight against what he perceived as the evils of technological progress
• Eighteen-year-long campaign of sending mail bombs to various people, killing three and wounding 29
• The first mail bomb was sent in late 1978 to Prof. Buckley Crist at Northwestern University
CONCLUSION
• Activation
• Target Discovery
• Attacker
• Payload
• Carrier

???
• Given the target discovery/propagation methods of worms, how to detect it?
• With only network traffic header data?
• At ISP? At edge routers? At end hosts?
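One header-only answer to the closing question, as an added example that is not part of the slides or the taxonomy paper: a sensor at an edge router sees only flow headers, so it can flag a source that reaches many distinct hosts on one port within a short window (the signature of scanning-based target discovery) and then tell a sequential sweep from a random scan by the order of addresses contacted. The flow records, window and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records as an edge router might export them from packet
# headers alone: (seconds, source, destination, destination port).
# 10.0.0.5 sweeps 192.168.1.1-9 in address order (sequential scan),
# 10.0.0.7 contacts scattered hosts (random scan), and 10.0.0.9 is ordinary
# traffic that keeps returning to the same two servers.
RANDOM_TARGETS = ["172.16.3.9", "10.200.1.44", "192.168.77.2", "172.16.250.1",
                  "10.5.5.5", "192.168.0.254", "172.16.9.30", "10.88.1.7",
                  "192.168.44.4"]
FLOWS = (
    [(t, "10.0.0.5", f"192.168.1.{t + 1}", 135) for t in range(9)]
    + [(t + 0.5, "10.0.0.7", d, 135) for t, d in enumerate(RANDOM_TARGETS)]
    + [(t, "10.0.0.9", "192.168.1.1" if t % 2 else "192.168.1.2", 135)
       for t in range(12)]
)


def detect_scanners(flows, port, window=10.0, threshold=8):
    """Flag sources that reach at least `threshold` distinct destinations on
    `port` within any `window` seconds. Returns {source: destinations in the
    order first contacted}. Window and threshold are assumed tuning values."""
    by_src = defaultdict(dict)          # src -> {dst: first-contact time}
    for ts, src, dst, dport in sorted(flows):
        if dport == port:
            by_src[src].setdefault(dst, ts)   # repeat flows to a host don't count
    flagged = {}
    for src, first_seen in by_src.items():
        ordered = sorted(first_seen, key=first_seen.get)
        times = [first_seen[d] for d in ordered]
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged[src] = ordered
                break
    return flagged


def classify_scan(dsts):
    """'sequential' when each destination is the numeric successor of the
    previous one (a linear sweep), 'random' otherwise."""
    addrs = [int(ipaddress.ip_address(d)) for d in dsts]
    if len(addrs) < 2:
        return "unknown"
    if all(b - a == 1 for a, b in zip(addrs, addrs[1:])):
        return "sequential"
    return "random"
```

Run on the constructed flows, `detect_scanners(FLOWS, 135)` flags 10.0.0.5 (sequential) and 10.0.0.7 (random) and leaves the repeat-visit traffic of 10.0.0.9 alone; on a real export the window and threshold need tuning against the site's normal fan-out.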