UD ELEG 867 - Code-Red: a case study on the spread and victims of an Internet worm

Code-Red: a case study on the spread and victims of an Internet worm
David Moore, Colleen Shannon, k claffy

Abstract. On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours. The cost of this epidemic, including subsequent strains of Code-Red, is estimated to be in excess of $2.6 billion. Despite the global damage caused by this attack, there have been few serious attempts to characterize the spread of the worm, partly due to the challenge of collecting global information about worms. Using a technique that enables global detection of worm spread, we collected and analyzed data over a period of 45 days beginning July 2nd, 2001 to determine the characteristics of the spread of Code-Red throughout the Internet. In this paper, we describe the methodology we use to trace the spread of Code-Red, and then describe the results of our trace analyses. We first detail the spread of the Code-Red and CodeRedII worms in terms of infection and deactivation rates. Even without being optimized for spread of infection, Code-Red infection rates peaked at over 2,000 hosts per minute. We then examine the properties of the infected host population, including geographic location, weekly and diurnal time effects, top-level domains, and ISPs. We demonstrate that the worm was an international event and that infection activity exhibited time-of-day effects, and we find that, although most attention focused on large corporations, the Code-Red worm primarily preyed upon home and small business users. We also qualified the effects of DHCP on measurements of infected hosts and determined that IP addresses are not an accurate measure of the spread of a worm on timescales longer than 24 hours. Finally, the experience of the Code-Red worm demonstrates that wide-spread vulnerabilities in Internet hosts can be exploited quickly and dramatically, and that techniques other than host patching are required to mitigate Internet worms.

Keywords: Code-Red, Code-RedI, CodeRedI, CodeRedII, worm, security, backscatter, virus, epidemiology

CAIDA, San Diego Supercomputer Center, University of California, San Diego. E-mail: {cshannon, dmoore, kc}@caida.org. Support for this work is provided by DARPA NMS Grant N66001-01-1-8909, NSF grant NCR-9711092, Cisco Systems URB Grant, and CAIDA members.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. IMW'02, Nov. 6-8, 2002, Marseille, France. Copyright 2002 ACM ISBN 1-58113-603-X/02/0011 ...$5.00

I. INTRODUCTION

At 18:00 on November 2, 1988, Robert T. Morris released a 99 line program onto the Internet. At 00:34 on November 3, 1988, Andy Sudduth of Harvard University posted the following message: "There may be a virus loose on the Internet." Indeed, Sun and VAX machines across the country were screeching to a halt as invisible tasks utilized all available resources [1] [2]. No virus brought large computers across the country to a standstill - the culprit was actually the first malicious worm. Unlike viruses and trojans, which rely on human intervention to spread, worms are self-replicating software designed to spread throughout a network on their own. Although the Morris worm was the first malicious worm to wreak widespread havoc, earlier worms were actually designed to maximize utilization of networked computation resources. In 1982 at Xerox's Palo Alto Research Center, John Shoch and Jon Hupp wrote five worm programs that performed such benign tasks as posting announcements [3]. However, research into using worm programs as tools was abandoned after it was determined that the consequences of a worm malfunction could be dire.

In the years between the Morris worm in November 1988 and June 2001, several other worms achieved limited spread through host populations. The WANK (Worms Against Nuclear Killers) worm of October 1989 attacked SPAN VAX/VMS systems via DECnet protocols [4]. The Ramen worm, first spread in January of 2001, targeted the wu-ftp daemon on RedHat Linux 6.2 and 7.0 systems [5]. Finally, the Lion worm targeted the TSIG vulnerability in BIND in March of 2001 [6]. While all of these worms caused some damage, none approached the $2.6 billion cost of recovering from the Code-Red and CodeRedII worms [7]. We can no longer afford to remain ignorant of the spread and effects of worms as information technology plays a critical role in our global economy.

II. BACKGROUND

On June 18, 2001, eEye released information about a buffer-overflow vulnerability in Microsoft's IIS web servers [8]. Microsoft released a patch for the vulnerability eight days later, on June 26, 2001 [9]. Then on July 12, 2001, the Code-RedI worm began to exploit the aforementioned buffer-overflow vulnerability in Microsoft's IIS web servers. Upon infecting a machine, the worm checks to see if the date (as kept by the system clock) is between the first and the nineteenth of the month. If so, the worm generates a random list of IP addresses and probes each machine on the list in an attempt to infect as many computers as possible. However, this first version of the worm uses a static seed in its random number generator and thus generates identical lists of IP addresses on each infected machine. The first version of the worm spread slowly, because each infected machine began to spread the worm by probing machines that were either already infected or impregnable. On the 20th of every month, the worm is programmed to stop infecting other machines and proceed to its next attack phase, in which it launches a Denial-of-Service attack against www1.whitehouse.gov from the 20th to the 28th of each month. The worm is dormant on days of the month following the 28th.

On July 13th, Ryan Permeh and Marc Maiffret at eEye Digital Security received logs of attacks by the worm and worked through the night to disassemble and analyze the worm. They christened the worm "Code-Red" both because
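The background section's explanation of why the static-seed first version spread slowly can be checked with a toy epidemic model. The following Python is an added illustration, not code from the paper or from CAIDA: it runs over an abstract address space of integers, with a constructed seed constant and constructed vulnerability fraction, and compares instances that all replay one shared target sequence against instances that each draw their own.

```python
import random

STATIC_SEED = 0xC0DE  # constructed stand-in for the worm's fixed RNG seed


def vulnerable_hosts(n_hosts, vuln_fraction, seed):
    """Deterministically pick which addresses in [0, n_hosts) run a vulnerable server."""
    rng = random.Random(seed)
    return set(rng.sample(range(n_hosts), int(n_hosts * vuln_fraction)))


def _target_rng(host, shared_seed, seed):
    # Static-seed behaviour: every instance seeds identically, so a freshly
    # infected host replays exactly the target sequence earlier instances used.
    # Per-host seeding is modelled only for contrast with that behaviour.
    return random.Random(STATIC_SEED if shared_seed else seed * 1000003 + host)


def simulate(n_hosts=20000, vuln_fraction=0.1, probes_per_round=20,
             rounds=30, shared_seed=True, seed=1):
    """Toy epidemic over an abstract address space; returns infected count per round."""
    vulnerable = vulnerable_hosts(n_hosts, vuln_fraction, seed)
    first = min(vulnerable)                      # patient zero
    generators = {first: _target_rng(first, shared_seed, seed)}
    history = []
    for _ in range(rounds):
        newly = set()
        for g in generators.values():            # only already-infected hosts probe
            for _ in range(probes_per_round):
                t = g.randrange(n_hosts)
                if t in vulnerable and t not in generators:
                    newly.add(t)
        for h in newly:
            generators[h] = _target_rng(h, shared_seed, seed)
        history.append(len(generators))
    return history


def static_reach(n_hosts, probes_per_round, rounds):
    """Every address a static-seed instance can possibly probe within `rounds`:
    the first rounds*probes_per_round outputs of the one shared sequence."""
    g = random.Random(STATIC_SEED)
    return {g.randrange(n_hosts) for _ in range(rounds * probes_per_round)}


if __name__ == "__main__":
    print("static seed  :", simulate(shared_seed=True)[-1])
    print("per-host seed:", simulate(shared_seed=False)[-1])
```

The static-seed run can never infect more hosts than the vulnerable addresses contained in the shared sequence's prefix (plus patient zero), which is the "already infected or impregnable" effect the paper describes.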