Defense and Detection Strategies against Internet Worms

/Home/Internet Security: E-books

Jose Nazario
Artech House
ISBN 1-58053-537-2
2004

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL:
http://www.esecurity.ch/serieseditor.html

Also, if you'd like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Contents

* Foreword
* Preface
o Intended audience
o Layout of this book
o Assumed background
o Legal issues
o UNIX examples
o References
o Acknowledgments
* Chapter 1. Introduction
o 1.1 Why worm-based intrusions?
o 1.2 The new threat model
o 1.3 A new kind of analysis requirement
o 1.4 The persistent costs of worms
o 1.5 Intentions of worm creators
o 1.6 Cycles of worm releases
* Part I. Background and Taxonomy
* Chapter 2. Worms Defined
o 2.1 A formal definition
o 2.2 The five components of a worm
o 2.3 Finding new victims: reconnaissance
o 2.4 Taking control: attack
o 2.5 Passing messages: communication
o 2.6 Taking orders: command interface
o 2.7 Knowing the network: intelligence
o 2.8 Assembly of the pieces
o 2.9 Ramen worm analysis
o 2.10 Conclusions
* Chapter 3. Worm Traffic Patterns
o 3.1 Predicted traffic patterns
+ 3.1.1 Growth patterns
+ 3.1.2 Traffic scan and attack patterns
o 3.2 Disruption in Internet backbone activities
+ 3.2.1 Routing data
+ 3.2.2 Multicast backbone
+ 3.2.3 Infrastructure servers
o 3.3 Observed traffic patterns
+ 3.3.1 From a large network
+ 3.3.2 From a black hole monitor
+ 3.3.3 From an individual host
o 3.4 Conclusions
* Chapter 4. Worm History and Taxonomy
o 4.1 The beginning
+ 4.1.1 Morris worm, 1988
+ 4.1.2 HI.COM VMS worm, 1988
+ 4.1.3 DECNet WANK worm, 1989
+ 4.1.4 Hacking kits
o 4.2 UNIX targets
+ 4.2.1 ADMw0rm-v1, 1998
+ 4.2.2 ADM Millennium worm, 1999
+ 4.2.3 Ramen, 2000
+ 4.2.4 1i0n worm, 2001
+ 4.2.5 Cheese worm, 2001
+ 4.2.6 sadmind/IIS worm, 2001
+ 4.2.7 X.c: Telnetd worm, 2001
+ 4.2.8 Adore, 2001
+ 4.2.9 Apache worms, 2002
+ 4.2.10 Variations on Apache worms
o 4.3 Microsoft Windows and IIS targets
+ 4.3.1 mIRC Script.ini worm, 1997
+ 4.3.2 Melissa, 1999
+ 4.3.3 Love Letter worm, 2001
+ 4.3.4 911 worm, 2001
+ 4.3.5 Leaves worm, 2001
+ 4.3.6 Code Red, 2001
+ 4.3.7 Code Red II, 2001
+ 4.3.8 Nimda, 2001
+ 4.3.9 Additional e-mail worms
+ 4.3.10 MSN Messenger worm, 2002
+ 4.3.11 SQL Snake, 2002
+ 4.3.12 Deloder, 2002-2003
+ 4.3.13 Sapphire, 2003
o 4.4 Related research
+ 4.4.1 Agent systems
+ 4.4.2 Web spiders
o 4.5 Conclusions
* Chapter 5. Construction of a Worm
o 5.1 Target selection
+ 5.1.1 Target platform
+ 5.1.2 Vulnerability selection
o 5.2 Choice of languages
+ 5.2.1 Interpreted versus compiled languages
o 5.3 Scanning techniques
o 5.4 Payload delivery mechanism
o 5.5 Installation on the target host
o 5.6 Establishing the worm network
o 5.7 Additional considerations
o 5.8 Alternative designs
o 5.9 Conclusions
* Part II. Worm Trends
* Chapter 6. Infection Patterns
o 6.1 Scanning and attack patterns
+ 6.1.1 Random scanning
+ 6.1.2 Random scanning using lists
+ 6.1.3 Island hopping
+ 6.1.4 Directed attacking
+ 6.1.5 Hit-list scanning
o 6.2 Introduction mechanisms
+ 6.2.1 Single point
+ 6.2.2 Multiple point
+ 6.2.3 Widespread introduction with a delayed trigger
o 6.3 Worm network topologies
+ 6.3.1 Hierarchical tree
+ 6.3.2 Centrally connected network
+ 6.3.3 Shockwave Rider-type and guerilla networks
+ 6.3.4 Hierarchical networks
+ 6.3.5 Mesh networks
o 6.4 Target vulnerabilities
+ 6.4.1 Prevalence of target
+ 6.4.2 Homogeneous versus heterogeneous targets
o 6.5 Payload propagation
+ 6.5.1 Direct injection
+ 6.5.2 Child to parent request
+ 6.5.3 Central source or sources
o 6.6 Conclusions
* Chapter 7. Targets of Attack
o 7.1 Servers
+ 7.1.1 UNIX servers
+ 7.1.2 Windows servers
o 7.2 Desktops and workstations
+ 7.2.1 Broadband users
+ 7.2.2 Intranet systems
+ 7.2.3 New client applications
o 7.3 Embedded devices
+ 7.3.1 Routers and infrastructure equipment
+ 7.3.2 Embedded devices
o 7.4 Conclusions
* Chapter 8. Possible Futures for Worms
o 8.1 Intelligent worms
+ 8.1.1 Attacks against the intelligent worm
o 8.2 Modular and upgradable worms
+ 8.2.1 Attacks against modular worms
o 8.3 Warhol and Flash worms
+ 8.3.1 Attacks against the Flash worm model
o 8.4 Polymorphic traffic
o 8.5 Using Web crawlers as worms
o 8.6 Superworms and Curious Yellow
+ 8.6.1 Analysis of Curious Yellow
o 8.7 Jumping executable worm
o 8.8 Conclusions
+ 8.8.1 Signs of the future
+ 8.8.2 A call to action
* Part III. Detection
* Chapter 9. Traffic Analysis
o 9.1 Part overview
o 9.2 Introduction to traffic analysis
o 9.3 Traffic analysis setup
+ 9.3.1 The use of simulations
o 9.4 Growth in traffic volume
+ 9.4.1 Exponential growth of server hits
o 9.5 Rise in the number of scans and sweeps
+ 9.5.1 Exponential rise of unique sources
+ 9.5.2 Correlation analysis
+ 9.5.3 Detecting scans
o 9.6 Change in traffic patterns for some hosts
o 9.7 Predicting scans by analyzing the scan engine
o 9.8 Discussion
+ 9.8.1 Strengths of traffic analysis
+ 9.8.2 Weaknesses of traffic analysis
o 9.9 Conclusions
o 9.10 Resources
+ 9.10.1 Packet capture tools
+ 9.10.2 Flow analysis tools
* Chapter 10. Honeypots and Dark (Black Hole) Network Monitors
o 10.1 Honeypots
+ 10.1.1 Risks of using honeypots
+ 10.1.2 The use of honeypots in worm analysis
+ 10.1.3 An example honeypot deployment
o 10.2 Black hole monitoring
+ 10.2.1 Setting up a network black hole
+ 10.2.2 An example black hole monitor
+ 10.2.3 Analyzing black hole data
o 10.3 Discussion
+ 10.3.1 Strengths of honeypot monitoring
+ 10.3.2 Weaknesses of honeypot monitoring
+ 10.3.3 Strengths of black hole monitoring
+ 10.3.4 Weaknesses of black hole monitoring
o 10.4 Conclusions
o 10.5 Resources
+ 10.5.1 Honeypot resources
+ 10.5.2 Black hole monitoring resources
* Chapter 11. Signature-Based Detection
o 11.1 Traditional paradigms in signature analysis
+ 11.1.1 Worm signatures
o 11.2 Network signatures
+ 11.2.1 Distributed intrusion detection
o 11.3 Log signatures
+ 11.3.1 Logfile processing
+ 11.3.2 A more versatile script
+ 11.3.3 A central log server
o 11.4 File system signatures
+ 11.4.1 Chkrootkit
+ 11.4.2 Antivirus products
+ 11.4.3 Malicious payload content
o 11.5 Analyzing the Slapper worm
o 11.6 Creating signatures for detection engines
+ 11.6.1 For NIDS use
+ 11.6.2 For logfile analysis
+ 11.6.3 For antivirus products and file monitors
o 11.7 Analysis of signature-based detection
+ 11.7.1 Strengths of signature-based detection methods
+ 11.7.2 Weaknesses in signature-based detection methods
o 11.8 Conclusions
o 11.9 Resources
+ 11.9.1 Logfile analysis tools
+ 11.9.2 Antivirus tools
+ 11.9.3 Network intrusion detection tools
* Part IV. Defenses
* Chapter 12. Host-Based Defenses
o 12.1 Part overview
o 12.2 Host defense in depth
o 12.3 Host firewalls
o 12.4 Virus detection software
o 12.5 Partitioned privileges
o 12.6 Sandboxing of applications
o 12.7 Disabling unneeded services and features
+ 12.7.1 Identifying services
+ 12.7.2 Features within a service
o 12.8 Aggressively patching known holes
o 12.9 Behavior limits on hosts
o 12.10 Biologically inspired host defenses
o 12.11 Discussion
+ 12.11.1 Strengths of host-based defense strategies
+ 12.11.2 Weaknesses of host-based defense strategies
o 12.12 Conclusions
* Chapter 13. Firewall and Network Defenses
o 13.1 Example rules
o 13.2 Perimeter firewalls
+ 13.2.1 Stopping existing worms
+ 13.2.2 Preventing future worms
+ 13.2.3 Inbound and outbound rules
o 13.3 Subnet firewalls
+ 13.3.1 Defending against active worms
o 13.4 Reactive IDS deployments
+ 13.4.1 Dynamically created rulesets
o 13.5 Discussion
+ 13.5.1 Strengths of firewall defenses
+ 13.5.2 Weaknesses of firewall systems
o 13.6 Conclusions
* Chapter 14. Proxy-Based Defenses
o 14.1 Example configuration
+ 14.1.1 Client configuration
o 14.2 Authentication via the proxy server
o 14.3 Mail server proxies
o 14.4 Web-based proxies
o 14.5 Discussion
+ 14.5.1 Strengths of proxy-based defenses
+ 14.5.2 Weaknesses of proxy-based defenses
o 14.6 Conclusions
o 14.7 Resources
* Chapter 15. Attacking the Worm Network
o 15.1 Shutdown messages
o 15.2 "I am already infected"
o 15.3 Poison updates
o 15.4 Slowing down the spread
o 15.5 Legal implications of attacking worm nodes
o 15.6 A more professional and effective way to stop worms
o 15.7 Discussion
+ 15.7.1 Strengths of attacking the worm network
+ 15.7.2 Weaknesses of attacking the worm network
o 15.8 Conclusions
* Chapter 16. Conclusions
o 16.1 A current example
o 16.2 Reacting to worms
+ 16.2.1 Detection
+ 16.2.2 Defenses
o 16.3 Blind spots
o 16.4 The continuing threat
+ 16.4.1 Existing worms
+ 16.4.2 Future worms
o 16.5 Summary
o 16.6 On-line resources
+ 16.6.1 RFC availability
+ 16.6.2 Educational material
+ 16.6.3 Common vendor resources
+ 16.6.4 Vendor-neutral sites