Worm Propagation Simulation Analysis

Page 1 of 22

Name: Allen Galvan
Due: 22 November 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #4: Worms

Last printed 11/20/2005 22:43:00
Contents

Directions ................................................................ 3
Worm Propagation Simulation (Local/Global Networks) Introduction .......... 4
Summarize each Worm ....................................................... 4
Analyze each Worm Simulation .............................................. 6
Compare the Similarities and Dissimilarities of the Worms ................ 13
Bibliography ............................................................. 15
Appendix ................................................................. 16
Directions

Hand in a report with the answers to these questions. You must include an appendix with each of the plots and annotated screen shots for each worm.

o The raw data must be included in the Excel spreadsheet when the assignment is sent electronically.
Worm Propagation Simulation (Local/Global Networks) Introduction

The worm simulation gives an idea of how each worm behaves over a period of time across various degrees of protected and unprotected local and global networks.

Summarize each Worm

For each worm, write a short summary that includes the following kinds of information:

o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003
  o Propagation:
    o It searches for e-mail addresses, so that it can attack other computers and propagate.
  o Payload:
    o Sobig has no damaging payload.
  o Noteworthy points:
    o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and .wab files on a target computer.
    o It can be identified by the sending address of big@boss.com.
    o Download a removal tool at the Security Response Sobig A page.
    o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Slammer (Sapphire), 1/25/03
  o Propagation
    o The worm sequentially or randomly scans for IP addresses.
    o The worm infects computers from a list of IP addresses. These IP addresses were accumulated by the attacker(s), or obtained from information on the infected host computer.
    o The worm waits for the target computer to contact it, and then it propagates to other computers.
  o Payload
    o The payload routines are separate from the propagation routines.
    o Payload examples are:
      - Internet Remote Control, to control a user's computer remotely.
      - Spam Relays, to let spammers hide their IP addresses.
      - HTML Proxies, which make it hard to shut down illegal websites.
      - DoS attacks.
      - Data Collection, for valuable financial information on the infected computer's hard drive.
      - Selling the computer as part of a "zombie army" for profit.
      - http://www.cs.unc.edu/~jeffay/courses/nidsS05/slides/4-Early-DoS-Worms.pdf
  o Noteworthy points
    o The Slammer worm is also known as the Sapphire worm.
    o The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds.
    o It infected more than 90 percent of vulnerable hosts within 10 minutes.
    o Sapphire exploited a buffer overflow vulnerability on host computers connected to the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine).
    o This vulnerability is in an underlying indexing service and was discovered in July 2002. Microsoft released a patch to fix the vulnerability before it was announced [1].
    o The worm infected at least 75,000 host computers. It caused network outages, canceled airline flights, interference with elections, and ATM failures.
    o Several disassembled versions of the source code of the worm are available [2].

o Name: Blaster (W32.Blaster.Worm), 8/12/03
  o Propagation:
    o The infected host computer runs a copy of msblast.exe that it found on the target computer, and it begins scanning for other vulnerable computers to compromise in the same way. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
    o Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
    o Ref: http://www.cert.org/advisories/CA-2003-20.html
    o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech
    o Ref: http://isc.sans.org/show_comment.php?id=350
  o Payload
    o Msblast.exe
  o Noteworthy points
    o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP host computers.
    o It exploits a Buffer Overrun in RPC Interface vulnerability in Microsoft's DCOM RPC interface, as described in VU#568148 and CA-2003-16. Upon successful execution, it attempts to retrieve a copy of the file msblast.exe from the infected host.
    o The infected host computer may suddenly and repeatedly crash or reboot.
    o It may also perform a DoS on http://www.windowsupdate.com. This would stop the host from downloading the patch that addresses the vulnerability.
    o Download the patch at Microsoft Security Bulletin MS03-026.
    o Ref: Symantec W32.Blaster.Worm page
    o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Netsky (W32.Netsky@mm), 4/20/04
  o Propagation
    o It sends itself to the email addresses found on hard drives and mapped drives.
  o Payload
    o No payload.
  o Noteworthy points
    o The W32.Netsky@mm worm has its own mass mailing method.
    o It uses an SMTP mailing engine.
    o The body, subject line, and attachment of the emails vary.
    o Download a removal tool at the Security Response Netsky page.
    o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Sasser (W32.Sasser.Worm), 5/10/04
  o Propagation
    o The infected Sasser host systems are used to infect other host computers.
  o Payload
    o No payload.
  o Noteworthy points
    o The W32.Sasser worm and its variants run on Windows 95/98/Me host computers. These operating systems were not infected by the Sasser worm.
    o An infected Windows XP or 2000 computer may crash or suddenly and repeatedly reboot.
    o Download the patch at Microsoft Security Bulletin MS04-011.
    o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: MyDoom (W32.Mydoom.M), 7/26/04
  o Propagation
    o It propagates by sending itself to the email addresses it finds on the systems that it infects.
  o Payload
  o Noteworthy points
    o The W32.Mydoom.M@mm worm is a mass emailer worm.
    o It has its own SMTP emailing method.
    o Find a removal tool at the Security Response W32.Mydoom.M page.
    o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

Analyze each Worm Simulation

Analyze the results of each simulation:
  - Blaster
  - MyDoom
  - Netsky
  - Sasser
  - Slammer
  - SoBig
Analyze the results of the Blaster simulation:

1. When was the peak infection for the local network?
   - The infection on the local network peaked at 8 days 10 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading at 9 days 10 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves are increasing slightly.
   - The slope of the global network Infected curve is increasing dramatically, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   - The infection spread from vulnerable computers.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - For the local network, patching helped slow the infection until about 5 and one half days, after which patching no longer helped slow it.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: the Patched infection rate reached an asymptote of 40%, whereas the Infected infection rate reached a maximum of 20%, nine days after the attack started.
   - Global Network: the Patched systems had a very low infection rate. The Infected infection rate was constant and reached a maximum of 100% 3 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   - The Patched curves for both networks were relatively protected and had a mild infection rate at 9 days after the attack started.
   - The Infected rate in the local network was mild, whereas the infection in the global network covered almost the whole network at 9 days after the attack started.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems were infected more slowly than vulnerable systems. The local network infection was mild, whereas the global network was almost entirely infected.

Analyze the results of the MyDoom simulation:

1. When was the peak infection of the local network?
   - The infection on the local network peaked at 13 days 2 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading at 13 days 2 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves are increasing slightly.
   - The slope of the global network Infected curve is increasing mildly, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   - The infection spread from vulnerable computers.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - Patching barely helped slow the infection for the local network.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: The Patched curve rose at a constant rate and reached a maximum of 40%. The Infected curve rose at a constant rate and reached a maximum of 32%, about 13 days after the attack started.
   - Global Network: The Patched curve rose at a constant rate and reached a maximum of 5%, 14 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 50%, about 10 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   - The Patched rate for the local network was somewhat more dramatic at 40%, whereas for the global network it was minor at 5%, at 15 days after the attack started.
   - The Infected rate for the global network was about the same, i.e., constant at about 45% at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems were infected more slowly than vulnerable systems. The local and global networks were both mildly infected.

Analyze the results of the Netsky simulation:

1. When was the peak infection?
   - The infection on the local network peaked at 16 days 9 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading at 23 days 14 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves are increasing slightly. The Infected slope reached a point of inflection at 15 days and began decreasing.
   - The slope of the global network Infected curve increased sharply, leveled off at 13 days, and decreased at 21 days. The slope of the global network Patched curve increased slightly.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   - The infection spread from vulnerable computers.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - Patching did not help slow the infection for the local network.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: The Patched curve rose at a constant rate and reached a point of increasing inflection at 70%, about 23 days after the attack started. The Infected curve rose at a constant parabolic rate and reached a maximum of 32%; the slope then turned downward at 15.5 days, to a point of 18% at 23 days after the attack started.
   - Global Network: The Patched curve rose at a constant rate and reached a maximum of 30%, about 23 days after the attack started. The Infected curve rose at an exponential rate to 63% at 13 days, then leveled off and decreased to about 53% at about 20 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   - The Patched rates for the local and global network infections were both relatively constant at about 55% and 40%, respectively, from about 22 days after the attack started.
   - The Infected rate for the global network was about the same, i.e., increasing at about 13 days and then decreasing.
   - The Netsky worm caused local computer harm by spreading itself, emailing itself to email addresses found on the local PC. The email was unauthorized.
   - The Netsky worm caused global harm by clogging email systems and making unauthorized changes to computer systems.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems and vulnerable systems of both local and global networks were equally infected at a rate of about 45%.

Analyze the results of the Sasser simulation:

1. When was the peak infection?
   - The infection on the local network peaked at 7 days 5 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading at 11 days 5 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves are increasing slightly.
   - The slope of the global network Infected curve increased sharply, leveled off at 3 days, and decreased at 11 days. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   - The infection spread from vulnerable computers.
   - The Slammer worm spread the fastest.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - Patching helped slow the infection for the local network.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: The Patched curve rose at a constant rate and reached a point of increasing inflection at 35%, about 11 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 40%, and the slope turned downward at 7 days after the attack started.
   - Global Network: The Patched curve rose at a constant rate and reached a maximum of 10%, about 11 days after the attack started. The Infected curve rose at a constant rate to 80% at 3 days, then leveled off and decreased to about 60% at about 11 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   - The Patched rate for the local network was mild, whereas the global network was almost zero percent infected at 11 days after the attack started.
   - The Infected rate for the global network was more dramatic at about 70%, compared to the local network, which was mild at about a 40% infection rate at 7 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems of the local and global networks were infected at a slower rate than the vulnerable systems of the local and global networks.

Analyze the results of the Slammer simulation:

1. When was the peak infection?
   - The infection on the local network peaked at 10 minutes.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading in 10 seconds.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves were both almost zero.
   - The slope of the global network Infected curve was increasing, but at 15 days it started to increase sharply to 100% infection. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
   - The infection spread from vulnerable computers.
5. How rapidly did the infection spread?
   - The Slammer worm spread the fastest.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - Patching did help slow the infection for the local network.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: The Patched curve was not infected, at a 0% rate after 26 days. The Infected curve was almost not infected, at a 5% rate.
   - Global Network: The Patched curve was not infected, at a 0% rate after 26 days. The Infected curve rose at a constant rate to 15% at 15 days, then increased dramatically to 100% at about 21 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - This worm propagates by accumulated lists of IP addresses, and thereby attacks vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   - The Patched rates for both the local and global network infections were at zero, i.e., not infected at 26 days after the attack started.
   - The Infected rate for the global network was more dramatic at about 100%, compared to the local network, which was mild at about a 15% infection rate at 26 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems of the local and global networks were not infected. The Infected systems of the global network were almost totally infected, whereas the local network was mildly infected.

Analyze the results of the SoBig simulation:

1. When was the peak infection?
   - The infection on the local network peaked at 12 days 19 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   - The infection on the local network stopped spreading at 15 days 8 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   - The slopes of the local network Patched and Infected curves both increased slightly.
   - The slope of the global network Infected curve was increasing sharply, but at 5 days it started to decrease sharply from 95% infection. The slope of the global network Patched curve was almost zero, and later the Patched systems were slightly infected, at 11%, at 16 days after the start of the attack.
4. What do sudden changes (infections) indicate?
   - Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   - The infection spread from vulnerable computers.
6. Which local networks get infected?
   - Get infected first?
     - The network with no security got infected first.
   - Prevented the spread most effectively?
     - The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   - For the local network, patching slightly helped slow the infection for the first four days, and then patching no longer helped slow it.
   - Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
   - Local Network: The Patched curve rose at a constant rate and reached a maximum of 42% at 15 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 30% at 12 days after the attack started.
   - Global Network: The Patched systems were slightly infected, at a 12% rate, 16 days after the attack started. The Infected curve rose at a constant rate to 95% at 5 days, then decreased to 68% at about 15 days after the attack started.
9. Which of the worms spread the fastest?
   - The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   - It propagates through email, so this implies that users are opening emails of unknown origin.
11. Are there differences between the local and global infections?
   - The Patched rate for the local network was mild at 52%, whereas the global network was lower at 12% at 15 days after the attack started.
   - The Infected rate for the global network was more dramatic at about 96%, compared to the local network, which was mild at about a 42% infection rate at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   - Patched systems of the local network were mildly infected, whereas the global network was about half infected. The Infected systems of the global network were almost totally infected, whereas the local network was mildly infected, at about half of the Infected global network.

Compare the Similarities and Dissimilarities of the Worms

Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what the worms actually do) . . .

o How do the worms differ from one another? (A table may be a good way to highlight the differences.)
  o One of the worms propagated through compiled lists of IP addresses.
  o The Slammer worm had the fastest infection rate.
  o There was no correlation between the local and global network infection rates.
o How are the worms similar?
  o The worms all infected vulnerable systems.
  o The systems that were generally patched were less infected.
  o Most of the worms propagated through email addresses harvested from the infected machines.
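The Patched and Infected curves analysed above, and the four security profiles named in the appendix legends, can be reproduced with a small mean-field model. The following is an added example and is not the simulator used in the lab: the profile names are taken from the legends, while every rate (contacts per hour, firewall and host-hardening effect, patch and cleaning rates) is a constructed assumption.

```python
"""Mean-field worm propagation model used to illustrate the Infected and
Patched curves the lab analyses.  Added as an example; it is NOT the
simulator used for the lab, and every parameter value below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One of the four local-network security profiles in the lab's legends."""
    name: str
    firewall_block: float  # share of inbound attack traffic the perimeter drops
    host_hardening: float  # share of delivered attacks a hardened host defeats


PROFILES = (  # constructed values, named after the lab's legend entries
    Profile("No security", 0.0, 0.0),
    Profile("Only firewall security", 0.7, 0.0),
    Profile("Only host security", 0.0, 0.6),
    Profile("Strong host security and network security", 0.7, 0.6),
)


def simulate(profile, hosts=1000, vulnerable=0.8, contacts_per_hour=0.5,
             patch_per_hour=0.01, clean_per_hour=0.02, hours=24 * 30):
    """Advance the model one hour at a time and return a list of samples
    (hour, infected_fraction, patched_fraction, new_infections_fraction).

    Hosts move vulnerable -> infected -> cleaned (and patched), or are
    patched directly by administrators before the worm reaches them."""
    s = hosts * vulnerable - 1.0         # vulnerable and still unpatched
    i = 1.0                              # infected, actively attacking
    p = hosts * (1.0 - vulnerable)       # patched or never vulnerable
    eff = (1.0 - profile.firewall_block) * (1.0 - profile.host_hardening)
    series = []
    for hour in range(hours + 1):
        # Each infected host makes `contacts_per_hour` attempts at random
        # targets; a target is vulnerable with probability s/hosts and the
        # profile's defences scale the success probability by `eff`.
        new_inf = min(s, contacts_per_hour * eff * i * s / hosts)
        series.append((hour, i / hosts, p / hosts, new_inf / hosts))
        patched = patch_per_hour * (s - new_inf)   # patched before infection
        cleaned = clean_per_hour * i               # disinfected and patched
        s = max(s - new_inf - patched, 0.0)        # guard against rounding
        i += new_inf - cleaned
        p += patched + cleaned
    return series


def summarize(series, stop_threshold=1e-4):
    """Answer the lab's first two questions for one run: when did infection
    peak, and when did new infections effectively stop (fall below
    `stop_threshold` of the population per hour after the busiest hour)."""
    peak = max(series, key=lambda s: s[1])
    busiest = max(series, key=lambda s: s[3])
    stop_hour = next((h for h, _, _, new in series
                      if h > busiest[0] and new < stop_threshold), None)
    return {"peak_hour": peak[0], "peak_infected": round(peak[1], 4),
            "final_patched": round(series[-1][2], 4), "stop_hour": stop_hour}


def compare_profiles(**kwargs):
    """Run every profile with the same worm parameters; keyed by profile name."""
    return {pr.name: summarize(simulate(pr, **kwargs)) for pr in PROFILES}


if __name__ == "__main__":
    # A fast scanning worm (many contacts per hour) peaks within hours on the
    # unprotected network; a slower mail-borne one takes days.
    for label, rate in (("scanning worm", 5.0), ("mail worm", 0.3)):
        print(label)
        for name, r in compare_profiles(contacts_per_hour=rate).items():
            print(f"  {name:45s} peak {r['peak_infected']:6.1%} at hour "
                  f"{r['peak_hour']:4d}, stops at {r['stop_hour']}, "
                  f"patched {r['final_patched']:.1%}")
```

Raising `patch_per_hour` or lowering `contacts_per_hour` moves the peak later and lower, which is the effect the lab attributes to patching on the global network curves.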
Bibliography

http://www.f-secure.com/v-descs/
http://www.f-secure.com/v-descs/bagle.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM&VSect=S
http://www.cert.org/tech_tips/Melissa_FAQ.html
http://www.pcworld.com/news/article/0,aid,108988,00.asp
http://www.rbs2.com/cvirus.htm
http://www.wholesecurity.com/threat/cost_of_worms.html
http://www.naisolutions.com/Products/LANDesk/AddOns/patchManager.htm
http://redmondmag.com/news/article.asp?EditorialsID=6142
http://www.next-gendatacenterforum.com/document.asp?doc_id=67044
Appendix

Worm Simulator Results

Legend for each plot: Strong host security and network security; No security; Only firewall security; Only host security. The peak is marked on each plot.

[Plot: Blaster Local Results (peak marked)]
[Plots: MyDoom Global Network (peak marked); MyDoom Local Results (peak marked)]
[Plot: Netsky Local Results (peak marked)]
[Plot: Sasser Local Results (peak marked)]
[Plots: Slammer Global Network (peak marked); Slammer Local Results (peak marked)]
[Plot: SoBig Local Results (peak marked)]
