Defense and Detection Strategies against Internet Worms


Nutshell review - This is an excellent book on worm history, development, detection and defense. If you want a book covering computer worms then this is for you.

Author(s): Jose Nazario
Series: Artech House computer security series
Publisher: Artech House
Year: 2004

Language: English
Pages: 319
City: Boston, MA

Contents......Page 8
Foreword......Page 18
Preface......Page 22
Acknowledgments......Page 28
1 Introduction......Page 30
1.1 Why worm-based intrusions?......Page 31
1.2 The new threat model......Page 32
1.3 A new kind of analysis requirement......Page 33
1.4 The persistent costs of worms......Page 34
1.5 Intentions of worm creators......Page 35
1.6 Cycles of worm releases......Page 36
1.6 References......Page 37
Part I Background and Taxonomy......Page 38
2 Worms Defined......Page 40
2.2 The five components of a worm......Page 41
2.3 Finding new victims: reconnaissance......Page 43
2.5 Passing messages: communication......Page 44
2.6 Taking orders: command interface......Page 45
2.7 Knowing the network: intelligence......Page 46
2.8 Assembly of the pieces......Page 47
2.9 Ramen worm analysis......Page 48
2.10 References......Page 50
3.1.1 Growth patterns......Page 52
3.1.2 Traffic scan and attack patterns......Page 54
3.2.1 Routing data......Page 55
3.2.2 Multicast backbone......Page 56
3.3.1 From a large network......Page 57
3.3.2 From a black hole monitor......Page 59
3.3.3 From an individual host......Page 60
3.4 References......Page 63
4 Worm History and Taxonomy......Page 66
4.1 The beginning......Page 67
4.1.1 Morris worm, 1988......Page 68
4.1.2 HI.COM VMS worm, 1988......Page 70
4.1.3 DECNet WANK worm, 1989......Page 71
4.1.4 Hacking kits......Page 72
4.2.1 ADMw0rm-v1, 1998......Page 73
4.2.2 ADM Millennium worm, 1999......Page 74
4.2.3 Ramen, 2000......Page 75
4.2.4 1i0n worm, 2001......Page 76
4.2.6 sadmind/IIS worm, 2001......Page 77
4.2.8 Adore, 2001......Page 78
4.2.9 Apache worms, 2002......Page 79
4.2.10 Variations on Apache worms......Page 80
4.3.1 mIRC Script.ini worm, 1997......Page 82
4.3.3 Love Letter worm, 2001......Page 83
4.3.4 911 worm, 2001......Page 84
4.3.6 Code Red, 2001......Page 85
4.3.7 Code Red II, 2001......Page 87
4.3.8 Nimda, 2001......Page 88
4.3.10 MSN Messenger worm, 2002......Page 89
4.3.11 SQL Snake, 2002......Page 90
4.3.13 Sapphire, 2003......Page 91
4.4 Related research......Page 92
4.4.2 Web spiders......Page 93
4.5 References......Page 94
5.1 Target selection......Page 98
5.1.1 Target platform......Page 99
5.1.2 Vulnerability selection......Page 100
5.2.1 Interpreted versus compiled languages......Page 101
5.3 Scanning techniques......Page 103
5.4 Payload delivery mechanism......Page 104
5.5 Installation on the target host......Page 105
5.6 Establishing the worm network......Page 106
5.8 Alternative designs......Page 107
5.9 References......Page 109
Part II Worm Trends......Page 110
6.1.1 Random scanning......Page 112
6.1.2 Random scanning using lists......Page 114
6.1.3 Island hopping......Page 115
6.1.4 Directed attacking......Page 116
6.1.5 Hit-list scanning......Page 117
6.2.1 Single point......Page 118
6.2.3 Widespread introduction with a delayed trigger......Page 119
6.3.1 Hierarchical tree......Page 120
6.3.2 Centrally connected network......Page 122
6.3.3 Shockwave Rider-type and guerilla networks......Page 123
6.3.4 Hierarchical networks......Page 124
6.3.5 Mesh networks......Page 125
6.4.1 Prevalence of target......Page 126
6.4.2 Homogeneous versus heterogeneous targets......Page 127
6.5.1 Direct injection......Page 128
6.5.2 Child to parent request......Page 129
6.5.3 Central source or sources......Page 130
6.6 References......Page 131
7.1 Servers......Page 132
7.1.2 Windows servers......Page 133
7.2.1 Broadband users......Page 134
7.2.3 New client applications......Page 136
7.3 Embedded devices......Page 137
7.3.2 Embedded devices......Page 138
7.4 References......Page 139
8.1 Intelligent worms......Page 142
8.1.1 Attacks against the intelligent worm......Page 146
8.2 Modular and upgradable worms......Page 147
8.2.1 Attacks against modular worms......Page 150
8.3 Warhol and Flash worms......Page 151
8.3.1 Attacks against the Flash worm model......Page 154
8.4 Polymorphic traffic......Page 155
8.5 Using Web crawlers as worms......Page 156
8.6 Superworms and Curious Yellow......Page 158
8.7 Jumping executable worm......Page 159
8.8 Conclusions......Page 160
8.8 References......Page 161
Part III Detection......Page 164
9.1 Part overview......Page 166
9.2 Introduction to traffic analysis......Page 167
9.3 Traffic analysis setup......Page 168
9.3.1 The use of simulations......Page 170
9.4 Growth in traffic volume......Page 171
9.5 Rise in the number of scans and sweeps......Page 172
9.5.1 Exponential rise of unique sources......Page 174
9.5.2 Correlation analysis......Page 176
9.6 Change in traffic patterns for some hosts......Page 177
9.7 Predicting scans by analyzing the scan engine......Page 179
9.8.2 Weaknesses of traffic analysis......Page 185
9.10.2 Flow analysis tools......Page 187
9.10 References......Page 188
10 Honeypots and Dark (Black Hole) Network Monitors......Page 190
10.1 Honeypots......Page 191
10.1.2 The use of honeypots in worm analysis......Page 192
10.2 Black hole monitoring......Page 193
10.2.1 Setting up a network black hole......Page 195
10.2.3 Analyzing black hole data......Page 196
10.3.1 Strengths of honeypot monitoring......Page 199
10.3.3 Strengths of black hole monitoring......Page 200
10.4 Conclusions......Page 201
10.5.2 Black hole monitoring resources......Page 202
10.5 References......Page 237
11 Signature-Based Detection......Page 204
11.1 Traditional paradigms in signature analysis......Page 205
11.2 Network signatures......Page 206
11.2.1 Distributed intrusion detection......Page 208
11.3 Log signatures......Page 209
11.3.1 Logfile processing......Page 210
11.3.2 A more versatile script......Page 213
11.3.3 A central log server......Page 217
11.4.1 Chkrootkit......Page 219
11.4.2 Antivirus products......Page 221
11.4.3 Malicious payload content......Page 223
11.5 Analyzing the Slapper worm......Page 224
11.6.1 For NIDS use......Page 227
11.6.2 For logfile analysis......Page 229
11.6.3 For antivirus products and file monitors......Page 230
11.7.1 Strengths of signature-based detection methods......Page 233
11.7.2 Weaknesses in signature-based detection methods......Page 234
11.9.1 Logfile analysis tools......Page 235
11.9.3 Network intrusion detection tools......Page 236
Part IV Defenses......Page 238
12.1 Part overview......Page 240
12.3 Host firewalls......Page 242
12.4 Virus detection software......Page 243
12.5 Partitioned privileges......Page 245
12.6 Sandboxing of applications......Page 248
12.7.1 Identifying services......Page 250
12.8 Aggressively patching known holes......Page 252
12.9 Behavior limits on hosts......Page 254
12.10 Biologically inspired host defenses......Page 256
12.11.2 Weaknesses of host-based defense strategies......Page 258
12.11 References......Page 259
13 Firewall and Network Defenses......Page 262
13.1 Example rules......Page 263
13.2 Perimeter firewalls......Page 265
13.2.1 Stopping existing worms......Page 266
13.2.3 Inbound and outbound rules......Page 267
13.4 Reactive IDS deployments......Page 268
13.4.1 Dynamically created rulesets......Page 269
13.6 Conclusions......Page 271
13.6 References......Page 272
14 Proxy-Based Defenses......Page 274
14.1 Example configuration......Page 275
14.1.1 Client configuration......Page 277
14.3 Mail server proxies......Page 278
14.4 Web-based proxies......Page 280
14.5.2 Weaknesses of proxy-based defenses......Page 282
14.7 References......Page 283
15 Attacking the Worm Network......Page 286
15.1 Shutdown messages......Page 288
15.2 "I am already infected"......Page 289
15.3 Poison updates......Page 290
15.4 Slowing down the spread......Page 291
15.5 Legal implications of attacking worm nodes......Page 292
15.6 A more professional and effective way to stop worms......Page 293
15.7.2 Weaknesses of attacking the worm network......Page 295
15.8 References......Page 296
16.1 A current example......Page 298
16.2 Reacting to worms......Page 299
16.2.1 Detection......Page 300
16.2.2 Defenses......Page 301
16.4 The continuing threat......Page 302
16.4.2 Future worms......Page 303
16.6.3 Common vendor resources......Page 304
16.6.4 Vendor-neutral sites......Page 305
16.6 References......Page 306
About the Author......Page 308
Index......Page 310