Defense and detection strategies against Internet worms

Title:

Personal Author:

Nazario, Jose

Series:

Artech House computer security series

Publication Information:

Boston, MA : Artech House, 2004

ISBN:

9781580535373

Subject Term:

Computer security

Computer networks -- Security measures

Computer viruses

Available:*

Library	Item Barcode	Call Number	Material Type	Item Category 1	Status
Searching... PSZ JB	30000010077560	QA76.9.A25 N394 2004	Open Access Book	Book	Searching... Unknown

Focusing exclusively on Internet worms, this book offers you solid worm detection and mitigation strategies for your work in the field. This ground-breaking volume enables you to put rising worm trends into perspective with practical information in detection and defence techniques utilizing data from live networks, real IP addresses and commercial tools. It helps you understand the classifications and groupings of worms, and offers a deeper understanding of how they threaten network and system security. are implemented, the book scrutinizes targets that worms have attacked over the years and the likely targets of the immediate future. Moreover, this reference explains how to detect worms using a variety of mechanisms and evaluates the strengths and weaknesses of three approaches - traffic analysis, honeypots and dark network monitors, and signature analysis. The book concludes with a discussion of four effective defences against network worms, including host-based defences, network firewalls and filters, application layer proxies, and a direct attack on the worm network itself.

Foreword	p. xvii
Preface	p. xxi
Acknowledgments	p. xxvii
1 Introduction	p. 1
1.1 Why worm-based intrusions?	p. 2
1.2 The new threat model	p. 3
1.3 A new kind of analysis requirement	p. 4
1.4 The persistent costs of worms	p. 5
1.5 Intentions of worm creators	p. 6
1.6 Cycles of worm releases	p. 7
References	p. 8
Part I Background and Taxonomy	p. 9
2 Worms Defined	p. 11
2.1 A formal definition	p. 12
2.2 The five components of a worm	p. 12
2.3 Finding new victims: reconnaissance	p. 14
2.4 Taking control: attack	p. 15
2.5 Passing messages: communication	p. 15
2.6 Taking orders: command interface	p. 16
2.7 Knowing the network: intelligence	p. 17
2.8 Assembly of the pieces	p. 18
2.9 Ramen worm analysis	p. 19
2.10 Conclusions	p. 21
References	p. 21
3 Worm Traffic Patterns	p. 23
3.1 Predicted traffic patterns	p. 23
3.1.1 Growth patterns	p. 23
3.1.2 Traffic scan and attack patterns	p. 25
3.2 Disruption in Internet backbone activities	p. 26
3.2.1 Routing data	p. 26
3.2.2 Multicast backbone	p. 27
3.2.3 Infrastructure servers	p. 28
3.3 Observed traffic patterns	p. 28
3.3.1 From a large network	p. 28
3.3.2 From a black hole monitor	p. 30
3.3.3 From an individual host	p. 31
3.4 Conclusions	p. 34
References	p. 34
4 Worm History and Taxonomy	p. 37
4.1 The beginning	p. 38
4.1.1 Morris worm, 1988	p. 39
4.1.2 HI.COM VMS worm, 1988	p. 41
4.1.3 DECNet WANK worm, 1989	p. 42
4.1.4 Hacking kits	p. 43
4.2 UNIX targets	p. 44
4.2.1 ADMw0rm-v1, 1998	p. 44
4.2.2 ADM Millennium worm, 1999	p. 45
4.2.3 Ramen, 2000	p. 46
4.2.4 1i0n worm, 2001	p. 47
4.2.5 Cheese worm, 2001	p. 48
4.2.6 sadmind/IIS worm, 2001	p. 48
4.2.7 X.c: Telnetd worm, 2001	p. 49
4.2.8 Adore, 2001	p. 49
4.2.9 Apache worms, 2002	p. 50
4.2.10 Variations on Apache worms	p. 51
4.3 Microsoft Windows and IIS targets	p. 53
4.3.1 mIRC Script.ini worm, 1997	p. 53
4.3.2 Melissa, 1999	p. 54
4.3.3 Love Letter worm, 2001	p. 54
4.3.4 911 worm, 2001	p. 55
4.3.5 Leaves worm, 2001	p. 56
4.3.6 Code Red, 2001	p. 56
4.3.7 Code Red II, 2001	p. 58
4.3.8 Nimda, 2001	p. 59
4.3.9 Additional e-mail worms	p. 60
4.3.10 MSN Messenger worm, 2002	p. 60
4.3.11 SQL Snake, 2002	p. 61
4.3.12 Deloder, 2002-2003	p. 62
4.3.13 Sapphire, 2003	p. 62
4.4 Related research	p. 63
4.4.1 Agent systems	p. 64
4.4.2 Web spiders	p. 64
4.5 Conclusions	p. 65
References	p. 65
5 Construction of a Worm	p. 69
5.1 Target selection	p. 69
5.1.1 Target platform	p. 70
5.1.2 Vulnerability selection	p. 71
5.2 Choice of languages	p. 72
5.2.1 Interpreted versus compiled languages	p. 72
5.3 Scanning techniques	p. 74
5.4 Payload delivery mechanism	p. 75
5.5 Installation on the target host	p. 76
5.6 Establishing the worm network	p. 77
5.7 Additional considerations	p. 78
5.8 Alternative designs	p. 78
5.9 Conclusions	p. 80
References	p. 80
Part II Worm Trends	p. 81
6 Infection Patterns	p. 83
6.1 Scanning and attack patterns	p. 83
6.1.1 Random scanning	p. 83
6.1.2 Random scanning using lists	p. 85
6.1.3 Island hopping	p. 86
6.1.4 Directed attacking	p. 87
6.1.5 Hit-list scanning	p. 88
6.2 Introduction mechanisms	p. 89
6.2.1 Single point	p. 89
6.2.2 Multiple point	p. 90
6.2.3 Widespread introduction with a delayed trigger	p. 90
6.3 Worm network topologies	p. 91
6.3.1 Hierarchical tree	p. 91
6.3.2 Centrally connected network	p. 93
6.3.3 Shockwave Rider-type and guerilla networks	p. 94
6.3.4 Hierarchical networks	p. 95
6.3.5 Mesh networks	p. 96
6.4 Target vulnerabilities	p. 97
6.4.1 Prevalence of target	p. 97
6.4.2 Homogeneous versus heterogeneous targets	p. 98
6.5 Payload propagation	p. 99
6.5.1 Direct injection	p. 99
6.5.2 Child to parent request	p. 100
6.5.3 Central source or sources	p. 101
6.6 Conclusions	p. 102
References	p. 102
7 Targets of Attack	p. 103
7.1 Servers	p. 103
7.1.1 UNIX servers	p. 104
7.1.2 Windows servers	p. 104
7.2 Desktops and workstations	p. 105
7.2.1 Broadband users	p. 105
7.2.2 Intranet systems	p. 107
7.2.3 New client applications	p. 107
7.3 Embedded devices	p. 108
7.3.1 Routers and infrastructure equipment	p. 109
7.3.2 Embedded devices	p. 109
7.4 Conclusions	p. 110
References	p. 110
8 Possible Futures for Worms	p. 113
8.1 Intelligent worms	p. 113
8.1.1 Attacks against the intelligent worm	p. 117
8.2 Modular and upgradable worms	p. 118
8.2.1 Attacks against modular worms	p. 121
8.3 Warhol and Flash worms	p. 122
8.3.1 Attacks against the Flash worm model	p. 125
8.4 Polymorphic traffic	p. 126
8.5 Using Web crawlers as worms	p. 127
8.6 Superworms and Curious Yellow	p. 129
8.6.1 Analysis of Curious Yellow	p. 130
8.7 Jumping executable worm	p. 130
8.8 Conclusions	p. 131
8.8.1 Signs of the future	p. 132
8.8.2 A call to action	p. 132
References	p. 132
Part III Detection	p. 135
9 Traffic Analysis	p. 137
9.1 Part overview	p. 137
9.2 Introduction to traffic analysis	p. 138
9.3 Traffic analysis setup	p. 139
9.3.1 The use of simulations	p. 141
9.4 Growth in traffic volume	p. 142
9.4.1 Exponential growth of server hits	p. 143
9.5 Rise in the number of scans and sweeps	p. 143
9.5.1 Exponential rise of unique sources	p. 145
9.5.2 Correlation analysis	p. 147
9.5.3 Detecting scans	p. 148
9.6 Change in traffic patterns for some hosts	p. 148
9.7 Predicting scans by analyzing the scan engine	p. 150
9.8 Discussion	p. 156
9.8.1 Strengths of traffic analysis	p. 156
9.8.2 Weaknesses of traffic analysis	p. 156
9.9 Conclusions	p. 158
9.10 Resources	p. 158
9.10.1 Packet capture tools	p. 158
9.10.2 Flow analysis tools	p. 158
References	p. 159
10 Honeypots and Dark (Black Hole) Network Monitors	p. 161
10.1 Honeypots	p. 162
10.1.1 Risks of using honeypots	p. 163
10.1.2 The use of honeypots in worm analysis	p. 163
10.1.3 An example honeypot deployment	p. 164
10.2 Black hole monitoring	p. 164
10.2.1 Setting up a network black hole	p. 166
10.2.2 An example black hole monitor	p. 167
10.2.3 Analyzing black hole data	p. 167
10.3 Discussion	p. 170
10.3.1 Strengths of honeypot monitoring	p. 170
10.3.2 Weaknesses of honeypot monitoring	p. 171
10.3.3 Strengths of black hole monitoring	p. 171
10.3.4 Weaknesses of black hole monitoring	p. 172
10.4 Conclusions	p. 172
10.5 Resources	p. 173
10.5.1 Honeypot resources	p. 173
10.5.2 Black hole monitoring resources	p. 173
References	p. 173
11 Signature-Based Detection	p. 175
11.1 Traditional paradigms in signature analysis	p. 176
11.1.1 Worm signatures	p. 177
11.2 Network signatures	p. 177
11.2.1 Distributed intrusion detection	p. 179
11.3 Log signatures	p. 180
11.3.1 Logfile processing	p. 181
11.3.2 A more versatile script	p. 184
11.3.3 A central log server	p. 188
11.4 File system signatures	p. 190
11.4.1 Chkrootkit	p. 190
11.4.2 Antivirus products	p. 192
11.4.3 Malicious payload content	p. 194
11.5 Analyzing the Slapper worm	p. 195
11.6 Creating signatures for detection engines	p. 198
11.6.1 For NIDS use	p. 198
11.6.2 For logfile analysis	p. 200
11.6.3 For antivirus products and file monitors	p. 201
11.7 Analysis of signature-based detection	p. 204
11.7.1 Strengths of signature-based detection methods	p. 204
11.7.2 Weaknesses in signature-based detection methods	p. 205
11.8 Conclusions	p. 206
11.9 Resources	p. 206
11.9.1 Logfile analysis tools	p. 206
11.9.2 Antivirus tools	p. 207
11.9.3 Network intrusion detection tools	p. 207
References	p. 208
Part IV Defenses	p. 209
12 Host-Based Defenses	p. 211
12.1 Part overview	p. 211
12.2 Host defense in depth	p. 213
12.3 Host firewalls	p. 213
12.4 Virus detection software	p. 214
12.5 Partitioned privileges	p. 216
12.6 Sandboxing of applications	p. 219
12.7 Disabling unneeded services and features	p. 221
12.7.1 Identifying services	p. 221
12.7.2 Features within a service	p. 223
12.8 Aggressively patching known holes	p. 223
12.9 Behavior limits on hosts	p. 225
12.10 Biologically inspired host defenses	p. 227
12.11 Discussion	p. 229
12.11.1 Strengths of host-based defense strategies	p. 229
12.11.2 Weaknesses of host-based defense strategies	p. 229
12.12 Conclusions	p. 230
References	p. 230
13 Firewall and Network Defenses	p. 233
13.1 Example rules	p. 234
13.2 Perimeter firewalls	p. 236
13.2.1 Stopping existing worms	p. 237
13.2.2 Preventing future worms	p. 238
13.2.3 Inbound and outbound rules	p. 238
13.3 Subnet firewalls	p. 239
13.3.1 Defending against active worms	p. 239
13.4 Reactive IDS deployments	p. 239
13.4.1 Dynamically created rulesets	p. 240
13.5 Discussion	p. 242
13.5.1 Strengths of firewall defenses	p. 242
13.5.2 Weaknesses of firewall systems	p. 242
13.6 Conclusions	p. 242
References	p. 243
14 Proxy-Based Defenses	p. 245
14.1 Example configuration	p. 246
14.1.1 Client configuration	p. 248
14.2 Authentication via the proxy server	p. 249
14.3 Mail server proxies	p. 249
14.4 Web-based proxies	p. 251
14.5 Discussion	p. 253
14.5.1 Strengths of proxy-based defenses	p. 253
14.5.2 Weaknesses of proxy-based defenses	p. 253
14.6 Conclusions	p. 254
14.7 Resources	p. 254
References	p. 254
15 Attacking the Worm Network	p. 257
15.1 Shutdown messages	p. 259
15.2 "I am already infected"	p. 260
15.3 Poison updates	p. 261
15.4 Slowing down the spread	p. 262
15.5 Legal implications of attacking worm nodes	p. 263
15.6 A more professional and effective way to stop worms	p. 264
15.7 Discussion	p. 266
15.7.1 Strengths of attacking the worm network	p. 266
15.7.2 Weaknesses of attacking the worm network	p. 266
15.8 Conclusions	p. 267
References	p. 267
16 Conclusions	p. 269
16.1 A current example	p. 269
16.2 Reacting to worms	p. 270
16.2.1 Detection	p. 271
16.2.2 Defenses	p. 272
16.3 Blind spots	p. 273
16.4 The continuing threat	p. 273
16.4.1 Existing worms	p. 274
16.4.2 Future worms	p. 274
16.5 Summary	p. 275
16.6 On-line resources	p. 275
16.6.1 RFC availability	p. 275
16.6.2 Educational material	p. 275
16.6.3 Common vendor resources	p. 275
16.6.4 Vendor-neutral sites	p. 276
References	p. 277
About the Author	p. 279
Index	p. 281

Available:*

On Order

Summary

Summary

Table of Contents