Defense and detection strategies against internet worms


Defense and Detection Strategies Against Internet Worms
Usman Sarwar
[email protected]
Network Research Group, University Science Malaysia.
Agenda
Basically we have two parts in the presentation:
- Understanding the worm
- Planning the strategies
Worms

A computer worm is a program that self-propagates across a network exploiting security or policy flaws in widely-used services.

A computer worm is a program that travels from one computer to another but does not attach itself to the operating system of the computer it “infects.”
Destruction by worms
In recent years there have been many massively destructive worm outbreaks that effectively paralyzed organizations, for example:
- Code Red [$2 billion]
- Love Bug [$9 billion]
Types of worms
There are two types of worms:
- Host worms
- Network worms
Construction of a worm
- Target platform?
- How it will attack the remote system
- Selecting computer language
- Scanning techniques
- Payload delivery mechanism
- Installation on target host
- Establishing the worm network
Introduction mechanisms
- Single point
- Multiple point
- Delayed trigger
Components of worms
There are five components of worms:
- Reconnaissance
- Attack components
- Communication components
- Command components
- Intelligence components
Infection patterns
- Random scanning
- Random scanning using lists
- Island hopping
- Directed attacking
- Hit-list scanning
Worm network topologies
- Hierarchical tree
- Centrally connected network
- Shockwave Rider-type and guerilla networks
- Hierarchical networks
- Mesh networks
Target vulnerabilities
- Prevalence of target
- Homogeneous versus heterogeneous targets
Traffic analysis
- Growth in traffic volume
- Rise in the number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine
Pattern matching
- Port matching
- IP address matching
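A small detection sketch that ties the traffic-analysis signals (volume growth, rise in sweeps) to port matching; it is an added example, not part of the original slides, and the flow records, thresholds and watched-port table are constructed assumptions (UDP/1434 and TCP/135 are the well-known Slammer and Blaster ports).

```python
from collections import defaultdict

# Constructed flow summaries (not real captures): "src dst proto dport".
# 10.0.0.7 sweeps UDP/1434 across a whole /24; the other hosts show
# ordinary client traffic (DNS, web).
SAMPLE_FLOWS = [
    "10.0.0.5 10.0.0.1 tcp 53",
    "10.0.0.5 198.51.100.10 tcp 80",
    "10.0.0.6 198.51.100.10 tcp 443",
    "10.0.0.6 10.0.0.1 udp 53",
] + [f"10.0.0.7 192.168.1.{i} udp 1434" for i in range(1, 41)]

# Port-matching table: (proto, dport) -> label. Assumed for the example.
WATCHED_PORTS = {
    ("udp", 1434): "MS-SQL Resolution (Slammer)",
    ("tcp", 135): "RPC DCOM (Blaster)",
}

def parse_flow(line):
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def find_sweeps(lines, min_targets=10):
    """Sweep detection: one source touching many distinct destinations
    on the same port, the signature of random or list-based scanning."""
    targets = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        targets[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def match_ports(lines):
    """Port matching: count flows per source to ports known to carry worm traffic."""
    hits = defaultdict(int)
    for line in lines:
        src, _, proto, dport = parse_flow(line)
        label = WATCHED_PORTS.get((proto, dport))
        if label:
            hits[(src, label)] += 1
    return dict(hits)

def volume_growth(counts_per_interval, factor=3.0):
    """Volume growth: intervals whose flow count exceeds `factor` times the
    mean of all earlier intervals (a crude baseline for a sudden outbreak)."""
    alerts = []
    for i in range(1, len(counts_per_interval)):
        baseline = sum(counts_per_interval[:i]) / i
        if counts_per_interval[i] > factor * baseline:
            alerts.append(i)
    return alerts
```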
Host-based detection
- Host firewalls
- Virus detection software
- Partitioned privileges
- Sandboxing of applications
- Disabling unneeded services and features
- Patching known holes
Firewall & network defenses
- Perimeter firewalls
- Subnet firewalls
- Reactive IDS deployments
Proxy defenses
- Configuration
- Authentication via proxy server
- Mail server proxies
- Web-based proxies
Software vulnerabilities

Most security vendors focus on adding features rather than fixing existing products.

- SQL Server (Slammer worm)
- Windows (Blaster worm)
Attacking the worm network
- Shutdown messages
- Bluffing with the worm
- Slowing down the spread
Expected attributes of future worms
- Intelligence
- Polymorphism techniques
- Modularity and upgradability
- Better hiding techniques
- Web crawlers as worms
- Super worms
- Political messages
References
1. Ranum, M. J., and F. M. Avolio, “A Toolkit and Methods for Internet Firewalls,” Proc. USENIX Summer, 1994, pp. 37–44.
2. Safford, D. R., D. L. Schales, and D. K. Hess, “The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment,” Proc. Fourth USENIX Security Symposium, Santa Clara, CA, 1993, pp. 91–118.
3. Wack, J., K. Cutler, and J. Pole, “Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology,” 2001. Available at http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf.
4. Chapman, D. B., “Network (In)Security Through IP Packet Filtering,” Proc. UNIX Security Symposium III, Baltimore, MD, 1992, pp. 63–76.
5. Mullen, T., “The Right to Defend,” 2002. Available at http://www.securityfocus.com/columnists/98.
6. Liston, T., “LaBrea,” 2001. Available at http://www.hackbusters.net/.
7. Nazario, J., Defense and Detection Strategies Against Internet Worms.