A Study of Massmailing Worms
By Cynthia Wong, Stan Bielski, Jonathan
M. McCune, and Chenxi Wang, Carnegie
Mellon University, 2004
Presented by Allen Stone
Mass-Mailing Worms
 Background (Morris, Code Red, and Slammer)
 Analysis of SoBig and MyDoom worms
 Anomalies
   TCP
   IP addresses
   DNS
   Traffic in general
 Discussion and Conclusions
 Protection
Worms – What are they?
“A self-replicating computer program, similar to a
computer virus. A virus attaches itself to, and becomes
part of, another program; however, a worm is self-contained and does not need to be part of another
program to propagate itself. They are often designed
to exploit the file transmission capabilities found on
many computers.” - Wikipedia (wikipedia.org)
The Morris Worm
 The first internet worm, written by Robert
T. Morris, Jr., a first-year Computer
Science Student at Cornell University.
 Infected roughly six thousand machines
nationwide in November of 1988.
 Performance of victim machines
drastically reduced because of
propagation attempts.
Scanning Worms
 Typical worms use aggressive IP scanning to
find potential victim machines that are
vulnerable to the exploit they carry.
 Code Red, 2001
 359,000 computers infected within 14 hours.
 IIS exploit – spread through web scanning.
 Slammer Worm, 2002
 75,000 hosts – number doubled every 8.5 seconds.
 UDP packet crafted against SQL Server.
 Zero Day Exploits
Mass-mailing Worms
 Sends itself via email.
 Usually infects with email attachments.
 Harvests email addresses from the address book,
web cache, and hard disk (unlike viruses).
 No need to acquire new targets.
 Tricks users into running malicious code on
their own machines.
 Some worms use their own SMTP engine.
Analysis
 The SoBig and MyDoom mass-mailing
worms
 Real network trace data, collected from
the edge router of CMU’s Electrical and
Computer Engineering Department
 Two Week Periods (Aug. – Sept. 2003
and Jan. – Feb. 2004)
Infected or chatty?
Heuristics of suspicion
 Outgoing SMTP connections on a
controlled network not going to an
authorized mail server.
 Message payload size similar to the payload
sizes of known worm messages as reported by
Symantec.
 Admittedly not 100 percent accurate.
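An added example, not code from the paper or this presentation: the two heuristics above applied to a handful of constructed outbound connection records (source, destination, port, bytes). The authorized mail server address and the "known worm" payload sizes are constructed placeholders, not values from the paper; both signals are reported per host so an analyst can weigh them, since neither is exact.

```python
from collections import defaultdict

# Constructed placeholders, not values from the paper.
AUTHORIZED_MAIL_SERVERS = {"10.1.0.25"}
# Stand-ins for vendor-reported payload sizes (bytes) of known worm mail.
KNOWN_WORM_PAYLOAD_SIZES = {74_000, 33_000}
SIZE_TOLERANCE = 0.05  # accept +/- 5% around a known size

# Constructed outbound flow records: src_ip dst_ip dst_port bytes
FLOWS = """\
10.1.5.7 10.1.0.25 25 4200
10.1.5.7 198.51.100.9 80 1800
10.1.5.9 203.0.113.40 25 74500
10.1.5.9 203.0.113.41 25 73900
10.1.5.9 203.0.113.42 25 74200
10.1.5.11 203.0.113.50 25 2100
"""


def parse_flows(text):
    """Parse 'src dst port bytes' lines into (src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        src, dst, port, nbytes = line.split()
        rows.append((src, dst, int(port), int(nbytes)))
    return rows


def matches_known_size(nbytes):
    """True when the payload is within tolerance of a known worm size."""
    return any(abs(nbytes - s) <= s * SIZE_TOLERANCE
               for s in KNOWN_WORM_PAYLOAD_SIZES)


def suspect_hosts(flows):
    """Return {src: (direct_smtp_flows, size_matches)} for every host that
    opened SMTP (TCP/25) connections bypassing the authorized mail servers.
    Hosts that only relay through the authorized server are not listed."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, port, nbytes in flows:
        if port != 25 or dst in AUTHORIZED_MAIL_SERVERS:
            continue
        stats[src][0] += 1
        if matches_known_size(nbytes):
            stats[src][1] += 1
    return {src: tuple(v) for src, v in stats.items()}


if __name__ == "__main__":
    for host, (direct, sized) in suspect_hosts(parse_flows(FLOWS)).items():
        print(f"{host}: {direct} direct SMTP flows, {sized} match worm sizes")
```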
Worm Effect – TCP Traffic
 Scanning worms have spikes in all kinds
of traffic, caused by scanning for other
boxes to compromise.
 Mass-mailing worms use email to spread
to potential victim boxes through mail
service over TCP.
Worm Effect – TCP Traffic
 Since the worms use their own SMTP
engines, there should be no outbound
SMTP traffic spikes from the existing
mail servers.
 There is a spike in traffic with SoBig,
but not MyDoom.
 Spoofed sender addresses taken from the
harvested list produce wrong guesses,
and the resulting bounces create
backscatter.
 SoBig is more aggressive than MyDoom
during propagation.
Worm Effect – Distinct IPs
 Normal boxes that are not infected touch an
average number of distinct IPs in a given day.
 Infected boxes use email addresses from all
over, from the harvest.
 The number of distinct IPs an infected system
touches should be noticeably larger.
 The number of IPs a mail server touches
should not change, intuitively, since they
already send to new IPs on a regular basis.
Worm Effect – Distinct IPs
 Infected boxes experienced a rise
 Mail servers did as well, despite the
expectation.
 Attributed also to the spoofing effort.
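An added example, not code from the paper or this presentation: the distinct-IP heuristic from the two slides above, run over constructed daily contact records. Each host is compared against its own baseline days, so a mail server that normally fans out to many addresses is judged by its own ratio rather than by a workstation's count; all addresses and counts are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed records (day, src_ip, dst_ip); addresses are placeholders.
CONTACTS = (
    [   # a normal workstation: two distinct destinations every day
        ("d1", "10.1.5.7", "198.51.100.1"), ("d1", "10.1.5.7", "198.51.100.2"),
        ("d2", "10.1.5.7", "198.51.100.1"), ("d2", "10.1.5.7", "198.51.100.3"),
        ("d3", "10.1.5.7", "198.51.100.2"), ("d3", "10.1.5.7", "198.51.100.4"),
        # a host that looks normal on d1-d2 and fans out on d3
        ("d1", "10.1.5.9", "198.51.100.1"), ("d1", "10.1.5.9", "198.51.100.5"),
        ("d2", "10.1.5.9", "198.51.100.1"), ("d2", "10.1.5.9", "198.51.100.6"),
    ]
    + [("d3", "10.1.5.9", f"203.0.113.{i}") for i in range(1, 21)]
    # a mail server: 30 destinations per baseline day, 45 on d3
    + [(d, "10.1.0.25", f"192.0.2.{i}") for d in ("d1", "d2") for i in range(1, 31)]
    + [("d3", "10.1.0.25", f"192.0.2.{i}") for i in range(1, 46)]
)


def distinct_ips_per_day(records):
    """Return {src: {day: number of distinct destination IPs}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, src, dst in records:
        seen[src][day].add(dst)
    return {src: {day: len(ips) for day, ips in days.items()}
            for src, days in seen.items()}


def flag_rises(counts, baseline_days, factor=3.0):
    """Flag (src, day, count, baseline) where a non-baseline day's distinct
    destination count exceeds factor times the host's own baseline mean."""
    flagged = []
    for src, per_day in counts.items():
        baseline = mean(per_day.get(d, 0) for d in baseline_days)
        for day, n in sorted(per_day.items()):
            if day not in baseline_days and n > factor * baseline:
                flagged.append((src, day, n, baseline))
    return flagged


if __name__ == "__main__":
    for src, day, n, base in flag_rises(distinct_ips_per_day(CONTACTS), ("d1", "d2")):
        print(f"{src} on {day}: {n} distinct IPs vs baseline {base:.1f}")
```

The paper's own observation that the mail servers rose as well (from backscatter) shows why the factor must be tuned per network; the example's mail server stays below the 3x threshold only by construction.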
Worm Effect - DNS
 DNS-related events are expected to rise,
since SMTP must resolve the IP address
associated with each recipient's email domain.
 New cache entry, refreshed cache entry,
cache entry expiration
Worm Effect – Overall Traffic
 HTTP traffic dominates the network, with
over 90% of all inbound and outbound
traffic.
 Do the infected systems make a large
impact on that fact?
Discussion and Conclusions
 Mass-mailing worms show significant and
noticeable impact on a network.
 Prevention measures belong at the DNS
server rather than at the SMTP server.
 Detection should focus on outgoing TCP,
DNS, and distinct IPs, rather than on
whole-network anomalies, because HTTP
dominates the overall traffic.
Discussion and Conclusions
 Both worms overran the network.
 SoBig more so than MyDoom.
 SMTP servers were still affected, even
though the worms carry their own mail
clients, due to backscatter.
 Antivirus software on Mail Servers
actually counter-productive as a defense
measure.
Protection
 Detect worms either at the border router
or individual systems.
 Utilize DNS servers to limit the spread of
the worm, possibly quarantining
malicious email traffic.
 Pay strict attention to outgoing SMTP
traffic and investigate spikes in such
traffic.
Sources
 “A Study of Mass-mailing Worms”
 Wong, Bielski, McCune, Wang, CMU, 2004
 Proceedings of the 2004 ACM Workshop on Rapid Malcode.
 “The Spread of the Sapphire/Slammer Worm”
 Moore, Paxson, Savage, Shannon, Staniford, Weaver
 http://www.cs.berkeley.edu/~nweaver/sapphire/
 “Code-Red: a case study on the spread and victims of an Internet
worm”
 Moore, Shannon, Claffy
 Proceedings of the 2nd ACM SIGCOMM Workshop on Internet
Measurement.
 “The Cornell Commission: On Morris and the Worm”
 Eisenberg, Gries, Hartmanis, Holcomb, Lynn, Santoro
 Communications of the ACM, Vol. 32, Issue 6.