Worms – Code Red

BD 480

This presentation is an amalgam of presentations by David Moore, Randy Marchany and Ed Skoudis. I have edited and added material.

Dr. Stephen C. Hayne
Who gets Internet worms?
- Big question: who gets Code Red? Big companies? Home users? Web servers? People who know they aren't running IIS?
- Host infection plots show some slight diurnal behavior ==> people turning off their “web
- Looking deeper shows extreme diurnal behavior, masked in simple plots (1/3 to 1/2 of machines turned on/off daily)
What is the Code-Red worm?
- Malicious program that connects to other machines and replicates itself
- Exploits a vulnerability in Microsoft IIS
- Days 1-19 of each month:
  - displays a ‘hacked by Chinese’ message on English-language servers
  - tries to open connections to infect 100 other randomly chosen machines
- Days 20-27:
  - launches a denial-of-service attack on the IP address
Code-Red Detection
- Data collected from a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratories (LBL)
- 1/256th of total address space monitored
- Machines sending TCP SYN packets to port 80 of nonexistent hosts considered
- Data spans a 24-hour period from midnight UTC July 19th to midnight UTC July 20th
Host Infection Rate
- 359,104 hosts infected in a 24 hour period
- Between 11:00 and 16:00 UTC, the growth is
- 2,000 hosts infected per minute at the peak of the infection rate (16:00 UTC)
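As an added example (not from the slides or the CAIDA data they summarise), the detection rule from the previous slide applied to a constructed set of flow records: a source that sends a bare TCP SYN to port 80 of an address in unused space is counted as infected, its first sighting gives the infection time, its last sighting the deactivation estimate used in the next slide, and new infections are binned per minute to find the peak. The address ranges, record format and sample flows are all constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Unused ("dark") address space watched by the telescope: nothing legitimate
# lives here, so a TCP SYN to port 80 is unsolicited. Constructed ranges.
DARK_SPACE = [ipaddress.ip_network("198.18.0.0/16"),
              ipaddress.ip_network("198.19.0.0/16")]

# Constructed flow records: (UTC time, src, dst, dst port, TCP flags).
SAMPLE_FLOWS = [
    ("2001-07-19T10:58:00Z", "203.0.113.5", "198.18.4.7",  80,  "S"),
    ("2001-07-19T10:58:30Z", "203.0.113.5", "198.18.9.1",  80,  "S"),
    ("2001-07-19T10:59:10Z", "203.0.113.9", "198.19.0.2",  80,  "S"),
    ("2001-07-19T10:59:20Z", "192.0.2.44",  "198.18.0.1",  80,  "S"),
    ("2001-07-19T10:59:50Z", "192.0.2.44",  "198.18.0.5",  443, "S"),   # not port 80
    ("2001-07-19T11:00:05Z", "192.0.2.77",  "198.18.7.7",  80,  "SA"),  # reply, not a probe
    ("2001-07-19T11:00:10Z", "192.0.2.77",  "203.0.113.1", 80,  "S"),   # dst is not dark space
    ("2001-07-19T11:05:00Z", "203.0.113.5", "198.18.3.3",  80,  "S"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_probe(dst, dport, flags):
    """The slides' criterion: a bare SYN to port 80 of a nonexistent host."""
    addr = ipaddress.ip_address(dst)
    return (dport == 80 and "S" in flags and "A" not in flags
            and any(addr in net for net in DARK_SPACE))

def infected_hosts(flows):
    """Map each probing source to (first_seen, last_seen). first_seen is the
    infection estimate; last_seen is the deactivation estimate, since a host
    is considered inactive once no further unsolicited traffic is observed."""
    seen = {}
    for ts, src, dst, dport, flags in flows:
        if is_probe(dst, dport, flags):
            t = parse_time(ts)
            first, last = seen.get(src, (t, t))
            seen[src] = (min(first, t), max(last, t))
    return seen

def new_infections_per_minute(hosts):
    """Count hosts by the minute in which they were first observed probing."""
    return Counter(first.replace(second=0) for first, _ in hosts.values())

def peak_minute(per_minute):
    """(minute, count) for the busiest minute of new infections."""
    return max(per_minute.items(), key=lambda kv: kv[1])
```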
[Graphs: Host Infection Rate; Exponential Infection Rate; Infection Rate over Time]
Host Deactivation
- Machines isolated, patched, and rebooted throughout the day
- Host considered inactive after we observe no further unsolicited traffic
- Because the Code-Red worm is programmed to stop infecting new hosts at midnight on the 20th of every month, the majority of hosts stopped probing in the last hour before midnight UTC on July 20th
[Graphs: Host Deactivation; Host Deactivation Rates over Time]
Host Characterization: Country
- The following graph shows the top ten countries of origin for all infected hosts
- Surprisingly, Korea is the second most prevalent country, behind countries with more advanced network infrastructure

[Graph: Host Characterization: Country of Origin]
Host Characterization: Top-Level Domain (TLD)
- 47% of all infected hosts had no reverse DNS records, so we could not determine their TLDs
- .COM, .NET, and .EDU are all represented in proportions equivalent to their overall share of existing hosts
- 136 .MIL hosts and 213 .GOV hosts also
- 390 hosts on private networks (addresses in infected, suggesting that private networks were vulnerable and many more private network hosts may be infected

[Graphs: Host Characterization: Top-Level Domain (TLD)]
Host Characterization: Domain
- 47% of hosts lacked reverse DNS records, so we were unable to determine their hostnames
- ISPs providing connectivity to home and small-business users had the most infected hosts
- Machines maintained by home/small-business users (i.e. less likely to be maintained by a professional sysadmin) are an important aspect of global Internet health

[Graphs: Host Characterization: Domain]
Vulnerability
- At least 29% of all hosts infected on July 19th are still vulnerable
- Only 8.15% of all infected hosts are known to be patched
- The Code-Red worm will emerge from its dormant stage at midnight UTC on August 1, 2001
- Between 105,000 and 330,000 hosts may be infected
- Will a more malignant variant emerge?

[Graphs: Top-Level Domain (TLD); Vulnerability: Domain]
- 359,104 hosts infected in less than 14 hours
- Up to 2,000 hosts per minute infected
- Collateral damage: routers, switches, printers, and DSL modems crashed, rebooted, or otherwise damaged
- Unpatched, insecure machines put everyone at
- Will we be prepared for the next major
Patching Survey
- Idea: randomly test a subset of previously infected IP addresses to see if they have been patched or are still vulnerable
- 360,000 IP addresses in the pool from the initial July 19th infection
- 10,000 chosen randomly each day and surveyed between 9am and 5pm PDT

[Graphs: Patching Rate; Host Infections; Hosts by Timezone (UTC); Hosts by Timezone (Local)]
Dynamic IP Addresses
- Idea: How can we tell how many infected computers there are, as opposed to IP addresses?
- Motivation: Max of ~180,000 unique IPs seen in any 2 hour period, but more than 4 million across ~a week
- For /24s, count:
  - total number of unique IP addresses seen ever
  - maximum number in 2 hour periods
- High total, low max ==> lots of address
Dynamic IP Addresses
- For each /24, count:
  - total number of unique IP addresses seen ever
  - maximum number seen in 2 hour periods
- On plot:
  - x-axis is total number of unique addresses seen ever
  - y-axis is maximum number for a 2 hour period
  - the x = y (total = max) line shows /24s that had all their vulnerable hosts actively spreading in the same 2 hour period, and those hosts didn't change IP addresses
  - the space far below and to the right of the x = y line (total >> max) shows /24s that appear to have a lot of dynamic
  - color of points represents density (3d histogram)
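An added example, not from the original slides, that implements the per-/24 counts described on the two slides above over constructed sightings: the total number of distinct addresses ever seen in each /24 against the maximum seen in any 2 hour period, plus an assumed ratio threshold (my addition) for flagging a /24 as likely dynamically addressed. The sample sightings and prefixes are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=2)   # period length used on the slides' plot

# Constructed (UTC time, probing source IP) sightings. 203.0.113.0/24 holds
# three static hosts seen at night and again at noon; 192.0.2.0/24 shows six
# distinct addresses but never more than two inside any 2 hour period, the
# pattern the slides attribute to dynamic (DHCP) addressing.
SIGHTINGS = [
    ("2001-07-19T00:30Z", "203.0.113.1"), ("2001-07-19T01:00Z", "203.0.113.2"),
    ("2001-07-19T01:30Z", "203.0.113.3"), ("2001-07-19T12:00Z", "203.0.113.1"),
    ("2001-07-19T12:10Z", "203.0.113.2"), ("2001-07-19T12:20Z", "203.0.113.3"),
    ("2001-07-19T00:10Z", "192.0.2.10"),  ("2001-07-19T00:50Z", "192.0.2.11"),
    ("2001-07-19T03:00Z", "192.0.2.12"),  ("2001-07-19T03:30Z", "192.0.2.13"),
    ("2001-07-19T06:00Z", "192.0.2.14"),  ("2001-07-19T06:40Z", "192.0.2.15"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)

def prefix24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def max_in_window(events, window=WINDOW):
    """Largest number of distinct addresses seen in any window-long period.
    Each candidate period starts at a sighting, so no denser period is missed."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        active = {ip for t, ip in events[i:] if t < start + window}
        best = max(best, len(active))
    return best

def per_prefix_stats(sightings):
    """For each /24: (total distinct addresses ever, max distinct in any 2 h)."""
    by_prefix = defaultdict(list)
    for ts, ip in sightings:
        by_prefix[prefix24(ip)].append((parse_time(ts), ip))
    return {p: (len({ip for _, ip in ev}), max_in_window(ev))
            for p, ev in by_prefix.items()}

def looks_dynamic(total, max_2h, ratio=2.0):
    """Heuristic with an assumed threshold (not from the slides): total >> max
    suggests the same machines reappearing under new addresses."""
    return total / max_2h >= ratio
```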
DHCP Effect seen in /24s
- 1/3 - 1/2 of hosts are coming and going on a daily cycle
- The DHCP effect can skew statistics, since the same host can have multiple IP addresses
- Even with the “best” possible warning, the majority of IIS patching occurred after the start of the next round of CodeRed
