1 / 21

A Study of Mass-mailing Worms

A Study of Mass-mailing Worms. By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004. Presented by Allen Stone. Mass-Mailing Worms. Background (Morris, Code Red, and Slammer) Analysis of SoBig and MyDoom worms Anomalies TCP IP addresses DNS

noreen
Download Presentation

A Study of Mass-mailing Worms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Study of Mass-mailing Worms By Cynthia Wong, Stan Bielski, Jonathan M. McCune, and Chenxi Wang, Carnegie Mellon University, 2004 Presented by Allen Stone

  2. Mass-Mailing Worms • Background (Morris, Code Red, and Slammer) • Analysis of SoBig and MyDoom worms • Anomalies • TCP • IP addresses • DNS • Traffic In General • Discussion and Conclusions • Protection

  3. Worms – What are they? “A self-replicating computer program, similar to a computer virus. A virus attaches itself to, and becomes part of, another program; however, a worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers.” - Wikipedia (wikipedia.org)

  4. The Morris Worm • The first internet worm, written by Robert T. Morris, Jr., a first-year Computer Science Student at Cornell University. • Infected roughly six thousand machines nationwide in November of 1988. • Performance of victim machines drastically reduced because of propagation attempts.

  5. Scanning Worms • Typical worms use aggressive IP scanning to find potential victim machines that are vulnerable to the exploit it carries. • Code Red, 2001 • 359,000 computers infected within 14 hours. • IIS exploit – spread through web scanning. • Slammer Worm, 2002 • 75,000 hosts – number doubled every 8.5 seconds. • UDP packet crafted against SQL Server. • Zero Day Exploits

  6. Mass-mailing Worms • Sends itself via email. • Usually infects with email attachments. • Harvests email addresses from address book, web cache, and hard disk. (unlike viruses) • No need to acquire new targets. • Tricks users into running malicious code on their own machines. • Some worms use their own SMTP engine.

  7. Analysis • The SoBig and MyDoom mass-mailing worms • Real network trace data, collected from the edge router of CMU’s Electrical and Computer Engineering Department • Two Week Periods (Aug. – Sept. 2003 and Jan. – Feb. 2004)

  8. Infected or chatty? Heuristics of suspicion • Outgoing SMTP connections on a controlled network not going to an authorized mail server. • Message payload – Similar to the payload sizes of known worm traffic from Symantec. • Admittedly not 100 percent accurate.

  9. Worm Effect – TCP Traffic • Scanning worms have spikes in all kinds of traffic, caused by scanning for other boxes to compromise. • Mass-mailing worms use email to spread to potential victim boxes through mail service over TCP.

  10. Worm Effect – TCP Traffic

  11. Worm Effect – TCP Traffic • Since the worms use their own SMTP engines, there should be no outbound SMTP traffic spikes from the existing mail servers. • There is a spike in traffic with SoBig, but not MyDoom. • Spoofed emails from the harvest of addresses creates false guesses, which create backscatter. • SoBig is more aggressive than MyDoom during propagation.

  12. Worm Effect – Distinct IPs • Normal boxes that are not infected touch an average number of distinct IPs in a given day. • Infected boxes use email addresses from all over, from the harvest. • The number of distinct IPs an infected system touches should be noticably larger. • The number of IPs a mail server touches should not change, intuitively, since they already send to new IPs on a regular basis.

  13. Worm Effect – Distinct IPs • Infected boxes experienced a rise • Mail servers did as well, despite the expectation. • Attributed also to the spoofing effort.

  14. Worm Effect - DNS • DNS related events expected to rise, since SMTP needs to resolve the IP associated with email addresses. • New cache entry, refreshed cache entry, cache entry expiration

  15. Worm Effect - DNS

  16. Worm Effect – Overall Traffic • HTTP traffic dominates the network, with over 90% of all inbound and outbound traffic. • Do the infected systems make a large impact on that fact?

  17. Worm Effect – Overall Traffic

  18. Discussion and Conclusions • Mass-mailing worms show significant and noticeable impact on a network. • Prevention measures at the DNS Server, rather than at the SMTP Server. • Detection focused on Outgoing TCP, DNS, and Distinct IP’s, rather than on whole-network anomaly, due to the impact of HTTP.

  19. Discussion and Conclusions • Both worms overran the network. • SoBig moreso than MyDoom. • SMTP servers still affected, even with mail clients on the worms, due to backscatter. • Antivirus software on Mail Servers actually counter-productive as a defense measure.

  20. Protection • Detect worms either at the border router or individual systems. • Utilize DNS servers to limit the spread of the worm, possibly quarantining malicious email traffic. • Pay strict attention to outgoing SMTP traffic and investigate spikes in such traffic.

  21. Sources • “A Study of Mass-mailing Worms” • Wong, Bielski, McCune, Wang, CMU 2004 • Proceedings of the 2004 AMC workshop on rapid malcode. • “The Spread of the Sapphire/Slammer Worm” • Moore, Paxson, Savage, Shannon, Staniford, Weaver • http://www.cs.berkeley.edu/~nweaver/sapphire/ • “Code-Red: a case study on the spread and victims of an Internet worm” • Moore, Shannon, Claffy • Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement. • “The Cornell Commission: On Morris and the Worm” • Eisenberg, Gries, Hartmanis, Holcomb, Lynn, Santoro • Communications of the ACM, Vol. 32, Issue 6.

More Related