Defense and Detection Strategies Against Internet Worms. Usman Sarwar, usman@nrg.cs.usm.my, Network Research Group, University Science Malaysia.


Page 1

Defense and Detection Strategies Against Internet Worms

Usman Sarwar, usman@nrg.cs.usm.my

Network Research Group, University Science Malaysia.

Page 2

Agenda

The presentation has two parts:

- Understanding the worm
- Planning the strategies

Page 3

Worms

A computer worm is a program that self-propagates across a network exploiting security or policy flaws in widely-used services.

A computer worm is a program that travels from one computer to another but does not attach itself to the operating system of the computer it “infects.”

Page 4

Destruction by worms

In recent years worms have caused massive damage that paralyzed organizations, for example:

- Code Red [$2 billion]
- Love Bug [$9 billion]

Page 5

Types of worms

There are two types of worms:

- Host worms
- Network worms

Page 6

Construction of worm

- Target platform
- How it will attack the remote system
- Selecting the computer language
- Scanning techniques
- Payload delivery mechanism
- Installation on the target host
- Establishing the worm network

Page 7

Introduction mechanisms

- Single point
- Multiple point
- Delayed trigger

Page 8

Components of worms

There are five components of worms:

- Reconnaissance components
- Attack components
- Communication components
- Command components
- Intelligence components

Page 9

Infection patterns

- Random scanning
- Random scanning using lists
- Island hopping
- Directed attacking
- Hit-list scanning

Page 10

Worm network topologies

- Hierarchical tree
- Centrally connected network
- Shockwave Rider-type and guerilla networks
- Hierarchical networks
- Mesh networks

Page 11

Target vulnerabilities

- Prevalence of the target
- Homogeneous versus heterogeneous targets

Page 12

Traffic analysis

- Growth in traffic volume
- Rise in the number of scans and sweeps
- Change in traffic patterns for some hosts
- Predicting scans by analyzing the scan engine

Page 13

Pattern Matching

- Port matching
- IP address matching
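Worked example of the traffic-analysis signals (growth in volume, rise in scans and sweeps) and of port matching from the two slides above, added here and not part of the original deck. It runs over a constructed set of flow records; the flow format, the window and threshold values, and the watch list of ports are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    ts: int      # seconds since the start of the capture
    src: str
    dst: str
    proto: str
    dport: int

# Constructed sample: 10.0.0.5 sweeps 1434/udp across twelve hosts in twelve
# seconds (Slammer-style); 10.0.0.7 makes a few ordinary web connections.
SAMPLE_FLOWS = [
    Flow(3, "10.0.0.7", "192.168.1.20", "tcp", 80),
    Flow(4, "10.0.0.7", "192.168.1.21", "tcp", 443),
    Flow(9, "10.0.0.7", "192.168.1.20", "tcp", 80),
] + [Flow(6 + i, "10.0.0.5", f"192.168.1.{i + 1}", "udp", 1434) for i in range(12)]

# Ports used by the worms the slides name: Slammer (1434/udp), Blaster (135/tcp).
WATCHED_PORTS = {("udp", 1434), ("tcp", 135)}

def sweep_sources(flows, window=10, threshold=8):
    """Sources that reached more than `threshold` distinct destinations on one
    port within any `window` seconds: the 'rise in scans and sweeps' signal."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.proto, f.dport)].append((f.ts, f.dst))
    hits = {}
    for (src, proto, dport), events in by_key.items():
        events.sort()
        i = 0
        for j in range(len(events)):          # sliding window over events[i..j]
            while events[j][0] - events[i][0] >= window:
                i += 1
            if len({dst for _, dst in events[i:j + 1]}) > threshold:
                hits[src] = (proto, dport)
                break
    return hits

def port_matches(flows, watched=WATCHED_PORTS):
    """Port matching: flows whose (proto, dport) pair is on the watch list."""
    return [f for f in flows if (f.proto, f.dport) in watched]

def traffic_growth(flows, window=5):
    """Flow count per window; a jump between windows is the 'growth in traffic volume' signal."""
    counts = defaultdict(int)
    for f in flows:
        counts[f.ts // window] += 1
    return [counts[k] for k in sorted(counts)]
```

On the sample the sweep detector flags only 10.0.0.5, every watched-port match comes from that host, and the per-window counts rise from 2 to 5 once the sweep starts.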

Page 14

Host based detection

- Host firewalls
- Virus detection software
- Partitioned privileges
- Sandboxing of applications
- Disabling unneeded services and features
- Patching known holes

Page 15

Firewall & Network Defenses

- Perimeter firewalls
- Subnet firewalls
- Reactive IDS deployments

Page 16

Proxy Defenses

- Configuration
- Authentication via proxy server
- Mail server proxies
- Web-based proxies

Page 17

Software vulnerabilities

Most security vendors focus on adding features rather than fixing existing products, for example:

- SQL Server (Slammer worm)
- Windows (Blaster worm)

Page 18

Attacking the worm network

- Shutdown messages
- Bluffing the worm
- Slowing down the spread

Page 19

Expected attributes of future worms

- Intelligence
- Polymorphism techniques
- Modularity and upgradability
- Better hiding techniques
- Web crawlers as worms
- Super worms
- Political messages

Page 20

References

1. Ranum, M. J., and F. M. Avolio, “A Toolkit and Methods for Internet Firewalls,” Proc. USENIX Summer, 1994, pp. 37–44.
2. Safford, D. R., D. L. Schales, and D. K. Hess, “The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment,” Proc. Fourth USENIX Security Symposium, Santa Clara, CA, 1993, pp. 91–118.
3. Wack, J., K. Cutler, and J. Pole, “Guidelines on Firewalls and Firewall Policy: Recommendations of the National Institute of Standards and Technology,” 2001. Available at http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf.
4. Chapman, D. B., “Network (In)Security Through IP Packet Filtering,” Proc. UNIX Security Symposium III, Baltimore, MD, 1992, pp. 63–76.
5. Mullen, T., “The Right to Defend,” 2002. Available at http://www.securityfocus.com/columnists/98.
6. Liston, T., “LaBrea,” 2001. Available at http://www.hackbusters.net/.
7. Nazario, J., Defense and Detection Strategies against Internet Worms.