Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010077560 | QA76.9.A25 N394 2004 | Open Access Book | Book |
Summary
Focusing exclusively on Internet worms, this book offers solid worm detection and mitigation strategies for work in the field. This ground-breaking volume puts rising worm trends into perspective with practical information on detection and defence techniques, using data from live networks, real IP addresses and commercial tools. It explains the classifications and groupings of worms and offers a deeper understanding of how they threaten network and system security. are implemented, the book scrutinizes targets that worms have attacked over the years and the likely targets of the immediate future. Moreover, this reference explains how to detect worms using a variety of mechanisms and evaluates the strengths and weaknesses of three approaches: traffic analysis, honeypots and dark network monitors, and signature analysis. The book concludes with a discussion of four effective defences against network worms: host-based defences, network firewalls and filters, application-layer proxies, and a direct attack on the worm network itself.
Table of Contents

Section | Page |
---|---|
Foreword | xvii |
Preface | xxi |
Acknowledgments | xxvii |
1 Introduction | 1 |
1.1 Why worm-based intrusions? | 2 |
1.2 The new threat model | 3 |
1.3 A new kind of analysis requirement | 4 |
1.4 The persistent costs of worms | 5 |
1.5 Intentions of worm creators | 6 |
1.6 Cycles of worm releases | 7 |
References | 8 |
Part I Background and Taxonomy | 9 |
2 Worms Defined | 11 |
2.1 A formal definition | 12 |
2.2 The five components of a worm | 12 |
2.3 Finding new victims: reconnaissance | 14 |
2.4 Taking control: attack | 15 |
2.5 Passing messages: communication | 15 |
2.6 Taking orders: command interface | 16 |
2.7 Knowing the network: intelligence | 17 |
2.8 Assembly of the pieces | 18 |
2.9 Ramen worm analysis | 19 |
2.10 Conclusions | 21 |
References | 21 |
3 Worm Traffic Patterns | 23 |
3.1 Predicted traffic patterns | 23 |
3.1.1 Growth patterns | 23 |
3.1.2 Traffic scan and attack patterns | 25 |
3.2 Disruption in Internet backbone activities | 26 |
3.2.1 Routing data | 26 |
3.2.2 Multicast backbone | 27 |
3.2.3 Infrastructure servers | 28 |
3.3 Observed traffic patterns | 28 |
3.3.1 From a large network | 28 |
3.3.2 From a black hole monitor | 30 |
3.3.3 From an individual host | 31 |
3.4 Conclusions | 34 |
References | 34 |
4 Worm History and Taxonomy | 37 |
4.1 The beginning | 38 |
4.1.1 Morris worm, 1988 | 39 |
4.1.2 HI.COM VMS worm, 1988 | 41 |
4.1.3 DECNet WANK worm, 1989 | 42 |
4.1.4 Hacking kits | 43 |
4.2 UNIX targets | 44 |
4.2.1 ADMw0rm-v1, 1998 | 44 |
4.2.2 ADM Millennium worm, 1999 | 45 |
4.2.3 Ramen, 2000 | 46 |
4.2.4 1i0n worm, 2001 | 47 |
4.2.5 Cheese worm, 2001 | 48 |
4.2.6 sadmind/IIS worm, 2001 | 48 |
4.2.7 X.c: Telnetd worm, 2001 | 49 |
4.2.8 Adore, 2001 | 49 |
4.2.9 Apache worms, 2002 | 50 |
4.2.10 Variations on Apache worms | 51 |
4.3 Microsoft Windows and IIS targets | 53 |
4.3.1 mIRC Script.ini worm, 1997 | 53 |
4.3.2 Melissa, 1999 | 54 |
4.3.3 Love Letter worm, 2001 | 54 |
4.3.4 911 worm, 2001 | 55 |
4.3.5 Leaves worm, 2001 | 56 |
4.3.6 Code Red, 2001 | 56 |
4.3.7 Code Red II, 2001 | 58 |
4.3.8 Nimda, 2001 | 59 |
4.3.9 Additional e-mail worms | 60 |
4.3.10 MSN Messenger worm, 2002 | 60 |
4.3.11 SQL Snake, 2002 | 61 |
4.3.12 Deloder, 2002-2003 | 62 |
4.3.13 Sapphire, 2003 | 62 |
4.4 Related research | 63 |
4.4.1 Agent systems | 64 |
4.4.2 Web spiders | 64 |
4.5 Conclusions | 65 |
References | 65 |
5 Construction of a Worm | 69 |
5.1 Target selection | 69 |
5.1.1 Target platform | 70 |
5.1.2 Vulnerability selection | 71 |
5.2 Choice of languages | 72 |
5.2.1 Interpreted versus compiled languages | 72 |
5.3 Scanning techniques | 74 |
5.4 Payload delivery mechanism | 75 |
5.5 Installation on the target host | 76 |
5.6 Establishing the worm network | 77 |
5.7 Additional considerations | 78 |
5.8 Alternative designs | 78 |
5.9 Conclusions | 80 |
References | 80 |
Part II Worm Trends | 81 |
6 Infection Patterns | 83 |
6.1 Scanning and attack patterns | 83 |
6.1.1 Random scanning | 83 |
6.1.2 Random scanning using lists | 85 |
6.1.3 Island hopping | 86 |
6.1.4 Directed attacking | 87 |
6.1.5 Hit-list scanning | 88 |
6.2 Introduction mechanisms | 89 |
6.2.1 Single point | 89 |
6.2.2 Multiple point | 90 |
6.2.3 Widespread introduction with a delayed trigger | 90 |
6.3 Worm network topologies | 91 |
6.3.1 Hierarchical tree | 91 |
6.3.2 Centrally connected network | 93 |
6.3.3 Shockwave Rider-type and guerilla networks | 94 |
6.3.4 Hierarchical networks | 95 |
6.3.5 Mesh networks | 96 |
6.4 Target vulnerabilities | 97 |
6.4.1 Prevalence of target | 97 |
6.4.2 Homogeneous versus heterogeneous targets | 98 |
6.5 Payload propagation | 99 |
6.5.1 Direct injection | 99 |
6.5.2 Child to parent request | 100 |
6.5.3 Central source or sources | 101 |
6.6 Conclusions | 102 |
References | 102 |
7 Targets of Attack | 103 |
7.1 Servers | 103 |
7.1.1 UNIX servers | 104 |
7.1.2 Windows servers | 104 |
7.2 Desktops and workstations | 105 |
7.2.1 Broadband users | 105 |
7.2.2 Intranet systems | 107 |
7.2.3 New client applications | 107 |
7.3 Embedded devices | 108 |
7.3.1 Routers and infrastructure equipment | 109 |
7.3.2 Embedded devices | 109 |
7.4 Conclusions | 110 |
References | 110 |
8 Possible Futures for Worms | 113 |
8.1 Intelligent worms | 113 |
8.1.1 Attacks against the intelligent worm | 117 |
8.2 Modular and upgradable worms | 118 |
8.2.1 Attacks against modular worms | 121 |
8.3 Warhol and Flash worms | 122 |
8.3.1 Attacks against the Flash worm model | 125 |
8.4 Polymorphic traffic | 126 |
8.5 Using Web crawlers as worms | 127 |
8.6 Superworms and Curious Yellow | 129 |
8.6.1 Analysis of Curious Yellow | 130 |
8.7 Jumping executable worm | 130 |
8.8 Conclusions | 131 |
8.8.1 Signs of the future | 132 |
8.8.2 A call to action | 132 |
References | 132 |
Part III Detection | 135 |
9 Traffic Analysis | 137 |
9.1 Part overview | 137 |
9.2 Introduction to traffic analysis | 138 |
9.3 Traffic analysis setup | 139 |
9.3.1 The use of simulations | 141 |
9.4 Growth in traffic volume | 142 |
9.4.1 Exponential growth of server hits | 143 |
9.5 Rise in the number of scans and sweeps | 143 |
9.5.1 Exponential rise of unique sources | 145 |
9.5.2 Correlation analysis | 147 |
9.5.3 Detecting scans | 148 |
9.6 Change in traffic patterns for some hosts | 148 |
9.7 Predicting scans by analyzing the scan engine | 150 |
9.8 Discussion | 156 |
9.8.1 Strengths of traffic analysis | 156 |
9.8.2 Weaknesses of traffic analysis | 156 |
9.9 Conclusions | 158 |
9.10 Resources | 158 |
9.10.1 Packet capture tools | 158 |
9.10.2 Flow analysis tools | 158 |
References | 159 |
10 Honeypots and Dark (Black Hole) Network Monitors | 161 |
10.1 Honeypots | 162 |
10.1.1 Risks of using honeypots | 163 |
10.1.2 The use of honeypots in worm analysis | 163 |
10.1.3 An example honeypot deployment | 164 |
10.2 Black hole monitoring | 164 |
10.2.1 Setting up a network black hole | 166 |
10.2.2 An example black hole monitor | 167 |
10.2.3 Analyzing black hole data | 167 |
10.3 Discussion | 170 |
10.3.1 Strengths of honeypot monitoring | 170 |
10.3.2 Weaknesses of honeypot monitoring | 171 |
10.3.3 Strengths of black hole monitoring | 171 |
10.3.4 Weaknesses of black hole monitoring | 172 |
10.4 Conclusions | 172 |
10.5 Resources | 173 |
10.5.1 Honeypot resources | 173 |
10.5.2 Black hole monitoring resources | 173 |
References | 173 |
11 Signature-Based Detection | 175 |
11.1 Traditional paradigms in signature analysis | 176 |
11.1.1 Worm signatures | 177 |
11.2 Network signatures | 177 |
11.2.1 Distributed intrusion detection | 179 |
11.3 Log signatures | 180 |
11.3.1 Logfile processing | 181 |
11.3.2 A more versatile script | 184 |
11.3.3 A central log server | 188 |
11.4 File system signatures | 190 |
11.4.1 Chkrootkit | 190 |
11.4.2 Antivirus products | 192 |
11.4.3 Malicious payload content | 194 |
11.5 Analyzing the Slapper worm | 195 |
11.6 Creating signatures for detection engines | 198 |
11.6.1 For NIDS use | 198 |
11.6.2 For logfile analysis | 200 |
11.6.3 For antivirus products and file monitors | 201 |
11.7 Analysis of signature-based detection | 204 |
11.7.1 Strengths of signature-based detection methods | 204 |
11.7.2 Weaknesses in signature-based detection methods | 205 |
11.8 Conclusions | 206 |
11.9 Resources | 206 |
11.9.1 Logfile analysis tools | 206 |
11.9.2 Antivirus tools | 207 |
11.9.3 Network intrusion detection tools | 207 |
References | 208 |
Part IV Defenses | 209 |
12 Host-Based Defenses | 211 |
12.1 Part overview | 211 |
12.2 Host defense in depth | 213 |
12.3 Host firewalls | 213 |
12.4 Virus detection software | 214 |
12.5 Partitioned privileges | 216 |
12.6 Sandboxing of applications | 219 |
12.7 Disabling unneeded services and features | 221 |
12.7.1 Identifying services | 221 |
12.7.2 Features within a service | 223 |
12.8 Aggressively patching known holes | 223 |
12.9 Behavior limits on hosts | 225 |
12.10 Biologically inspired host defenses | 227 |
12.11 Discussion | 229 |
12.11.1 Strengths of host-based defense strategies | 229 |
12.11.2 Weaknesses of host-based defense strategies | 229 |
12.12 Conclusions | 230 |
References | 230 |
13 Firewall and Network Defenses | 233 |
13.1 Example rules | 234 |
13.2 Perimeter firewalls | 236 |
13.2.1 Stopping existing worms | 237 |
13.2.2 Preventing future worms | 238 |
13.2.3 Inbound and outbound rules | 238 |
13.3 Subnet firewalls | 239 |
13.3.1 Defending against active worms | 239 |
13.4 Reactive IDS deployments | 239 |
13.4.1 Dynamically created rulesets | 240 |
13.5 Discussion | 242 |
13.5.1 Strengths of firewall defenses | 242 |
13.5.2 Weaknesses of firewall systems | 242 |
13.6 Conclusions | 242 |
References | 243 |
14 Proxy-Based Defenses | 245 |
14.1 Example configuration | 246 |
14.1.1 Client configuration | 248 |
14.2 Authentication via the proxy server | 249 |
14.3 Mail server proxies | 249 |
14.4 Web-based proxies | 251 |
14.5 Discussion | 253 |
14.5.1 Strengths of proxy-based defenses | 253 |
14.5.2 Weaknesses of proxy-based defenses | 253 |
14.6 Conclusions | 254 |
14.7 Resources | 254 |
References | 254 |
15 Attacking the Worm Network | 257 |
15.1 Shutdown messages | 259 |
15.2 "I am already infected" | 260 |
15.3 Poison updates | 261 |
15.4 Slowing down the spread | 262 |
15.5 Legal implications of attacking worm nodes | 263 |
15.6 A more professional and effective way to stop worms | 264 |
15.7 Discussion | 266 |
15.7.1 Strengths of attacking the worm network | 266 |
15.7.2 Weaknesses of attacking the worm network | 266 |
15.8 Conclusions | 267 |
References | 267 |
16 Conclusions | 269 |
16.1 A current example | 269 |
16.2 Reacting to worms | 270 |
16.2.1 Detection | 271 |
16.2.2 Defenses | 272 |
16.3 Blind spots | 273 |
16.4 The continuing threat | 273 |
16.4.1 Existing worms | 274 |
16.4.2 Future worms | 274 |
16.5 Summary | 275 |
16.6 On-line resources | 275 |
16.6.1 RFC availability | 275 |
16.6.2 Educational material | 275 |
16.6.3 Common vendor resources | 275 |
16.6.4 Vendor-neutral sites | 276 |
References | 277 |
About the Author | 279 |
Index | 281 |