Worm Propagation Simulation Analysis

Name: Allen Galvan
Due: 22 November 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #4: Worms
Last printed 11/20/2005 10:43:00 PM

Directions (p. 3)
Worm Propagation Simulation (Local/Global Networks) Introduction (p. 4)
Summarize each Worm (p. 4)
Analyze each Worm Simulation (p. 6)
Compare the Similarities and Dissimilarities of the Worms (p. 14)
Bibliography (p. 15)
Appendix (p. 16)


Directions

Hand in a report with the answers to these questions.

o You must include an appendix with each of the plots and annotated screen shots for each worm.
o The raw data must be included in the Excel spreadsheet when the assignment is sent electronically.


Worm Propagation Simulation (Local/Global Networks) Introduction

The worm simulation gives an idea of how each worm behaves over a period of time across local and global networks with varying degrees of protection, from unprotected to fully protected.

Summarize each Worm

For each worm, write a short summary that includes the following kinds of information:

o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003
o Propagation:
  o It searches for e-mail addresses so that it can attack other computers and propagate.
o Payload:
  o Sobig has no damaging payload.
o Noteworthy points:
  o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and .wab files on a target computer.
  o It can be identified by the sending address of [email protected].
  o Download a removal tool at the Security Response Sobig A page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Slammer (Sapphire), 1/25/03
o Propagation:
  o The worm sequentially or randomly scans for IP addresses.
  o The worm infects computers from a list of IP addresses. These IP addresses were accumulated by the attacker(s), or obtained from information on the infected host computer.
  o The worm waits for the target computer to contact it, and then it propagates to other computers.
o Payload:
  o The payload routines are separate from the propagation routines.
  o Payload examples are:
    o Internet Remote Control, to control a user's computer remotely.
    o Spam Relays, to let spammers hide their IP addresses.
    o HTML Proxies, which make it hard to shut down illegal websites.
    o DoS attacks.
    o Data Collection, for valuable financial information on the infected computer's hard drive.
    o Selling the computer as part of a "zombie army" for profit.
  o Ref: http://www.cs.unc.edu/~jeffay/courses/nidsS05/slides/4-Early-DoS-Worms.pdf


o Noteworthy points:
  o The Slammer worm is also known as the Sapphire worm.
  o The Sapphire worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds.
  o It infected more than 90 percent of vulnerable hosts within 10 minutes.
  o Sapphire exploited a buffer overflow vulnerability on host computers connected to the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine).
  o The vulnerability is in an underlying indexing service and was discovered in July 2002. Microsoft released a patch to fix the vulnerability before it was announced [1].
  o The worm infected at least 75,000 host computers. It caused network outages, canceled airline flights, interference with elections, and ATM failures.
  o Several disassembled versions of the source code of the worm are available [2].

o Name: Blaster (W32.Blaster.Worm), 8/12/03
o Propagation:
  o The infected host computer runs a copy of msblast.exe, which it found on the target computer, and begins scanning for other vulnerable computers to compromise in the same way. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
  o Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
  o Ref: http://www.cert.org/advisories/CA-2003-20.html
  o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech
  o Ref: http://isc.sans.org/show_comment.php?id=350

o Payload:
  o Msblast.exe
o Noteworthy points:
  o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP host computers.
  o It exploits a Buffer Overrun in RPC Interface vulnerability in Microsoft's DCOM RPC interface, as described in VU#568148 and CA-2003-16. Upon successful execution, it attempts to retrieve a copy of the file msblast.exe from the infected host.

  o The infected host computer may suddenly and repeatedly crash or reboot.
  o It may also perform a DoS on http://www.windowsupdate.com. This would stop the host from downloading the patch that addresses the vulnerability.
  o Download the patch at Microsoft Security Bulletin MS03-026.
  o Ref: Symantec W32.Blaster.Worm page
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Netsky (W32.Netsky@mm), 4/20/04
o Propagation:
  o It sends itself to the email addresses found on hard drives and mapped drives.
o Payload:
  o No payload.
o Noteworthy points:
  o The W32.Netsky@mm worm has its own mass-mailing method.
  o It uses an SMTP mailing engine.
  o The body, subject line, and attachment of the emails vary.
  o Download a removal tool at the Security Response Netsky page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: Sasser (W32.Sasser.Worm), 5/10/04
o Propagation:
  o Infected Sasser host systems are used to infect other host computers.
o Payload:
  o No payload.
o Noteworthy points:
  o The W32.Sasser worm and its variants run on Windows 95/98/Me host computers. These operating systems were not infected by the Sasser worm.
  o An infected Windows XP or 2000 computer may crash or suddenly and repeatedly reboot.
  o Download the patch at Microsoft Security Bulletin MS04-011.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

o Name: MyDoom (W32.Mydoom.M), 7/26/04
o Propagation:
  o It propagates by sending itself to the email addresses it finds on the systems that it infects.
o Payload:
o Noteworthy points:
  o The W32.Mydoom.M@mm worm is a mass-mailer worm.
  o It has its own SMTP emailing method.
  o Find a removal tool at the Security Response W32.Mydoom.M page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

Analyze each Worm Simulation

Analyze the results of each simulation:

o Blaster
o MyDoom
o Netsky
o Sasser
o Slammer
o SoBig


Analyze the results of the Blaster simulation:

1. When was the peak infection for the local network?
   The peak infection on the local network occurred at 8 days 10 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading at 9 days 10 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve is increasing dramatically, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
   Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   Patching helped slow the infection on the local network until about 5 and a half days, after which it no longer slowed the infection. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   Local Network: the Patched infection rate reached an asymptote of 40%, whereas the Infected infection rate reached a maximum of 20%, nine days after the attack started.
   Global Network: the Patched systems had a very low infection rate. The Infected infection rate was constant and reached a maximum of 100% 3 days after the attack started.
9. Which of the worms spread the fastest?
   The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   The Patched curves for both networks were relatively protected and had a mild infection rate at 9 days after the attack started. The Infected curve in the local network was mild, whereas the Infected curve in the global network covered almost the whole network at 9 days after the attack started.
12. What conclusions can you draw from your analysis of the data?
   Patched systems were infected more slowly than vulnerable systems. The local network infection was mild, whereas the global network was almost entirely infected.

Analyze the results of the MyDoom simulation:

1. When was the peak infection of the local network?
   The peak infection on the local network occurred at 13 days 2 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading at 13 days 2 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve is increasing mildly, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
   Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   Patching did little to slow the infection on the local network. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   Local Network: The Patched curve rose at a constant rate and reached a maximum of 40%. The Infected curve rose at a constant rate and reached a maximum of 32%, about 13 days after the attack started.
   Global Network: The Patched curve rose at a constant rate and reached a maximum of 5%, 14 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 50%, about 10 days after the attack started.
9. Which of the worms spread the fastest?
   The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   The Patched infection on the local network was somewhat more dramatic at 40%, whereas on the global network it was minor at 5%, at 15 days after the attack started.
   The Infected infection on the global network was about the same, i.e., constant at about 45% at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   Patched systems were infected more slowly than vulnerable systems. The local and global networks were both mildly infected.

Analyze the results of the Netsky simulation:

1. When was the peak infection?
   The peak infection on the local network occurred at 16 days 9 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading at 23 days 14 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves are increasing slightly. The Infected slope reached a point of inflection at 15 days and began decreasing.
   The slope of the global network Infected curve increased sharply, leveled off at 13 days, and decreased at 21 days. The slope of the global network Patched curve increased slightly.
4. What do sudden changes (infections) indicate?
   Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   Patching did not help slow the infection on the local network. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   Local Network: The Patched curve rose at a constant rate and reached a point of increasing inflection at 70%, about 23 days after the attack started. The Infected curve rose at a constant parabolic rate and reached a maximum of 32%; the slope then turned downward at 15.5 days, to a point of 18% at 23 days after the attack started.
   Global Network: The Patched curve rose at a constant rate and reached a maximum of 30%, about 23 days after the attack started. The Infected curve rose at an exponential rate to 63% at 13 days, then leveled off and decreased to about 53% at about 20 days after the attack started.
9. Which of the worms spread the fastest?
   The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   The Patched infections on the local and global networks were both relatively constant at about 55% and 40%, respectively, from about 22 days after the attack started.
   The Infected infection on the global network was about the same, i.e., increasing until about 13 days and then decreasing.
   The Netsky worm caused local harm by emailing itself to email addresses found on the local PC. The email was unauthorized.
   The Netsky worm caused global harm by clogging email systems and making unauthorized changes to computer systems.
12. What conclusions can you draw from your analysis of the data?
   Patched systems and vulnerable systems on both the local and global networks were equally infected, at a rate of about 45%.

Analyze the results of the Sasser simulation:

1. When was the peak infection?
   The peak infection on the local network occurred at 7 days 5 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading at 11 days 5 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve increased sharply, leveled off at 3 days, and decreased at 11 days. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
   b. The Slammer worm spread the fastest.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. Patching helped slow the infection on the local network.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched curve rose at a constant rate and reached a point of increasing inflection at 35%, about 11 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 40%, and the slope turned downward at 7 days after the attack started.
   b. Global Network: The Patched curve rose at a constant rate and reached a maximum of 10%, about 11 days after the attack started. The Infected curve rose at a constant rate to 80% at 3 days, then leveled off and decreased to about 60% at about 11 days after the attack started.
9. Which of the worms spread the fastest?
   a. The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   a. The Patched infection on the local network was mild, whereas the global network was almost zero infected at 11 days after the attack started.
   b. The Infected infection on the global network was more dramatic at about 70%, compared to the local network, which was mild at about a 40% infection rate at 7 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   Patched systems on the local and global networks were infected at a slower rate than the vulnerable systems on the local and global networks.

Analyze the results of the Slammer simulation:

1. When was the peak infection?
   The peak infection on the local network occurred at 10 minutes.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading in 10 seconds.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves were both almost zero. The slope of the global network Infected curve was increasing, and at 15 days started to increase sharply to 100% infection. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
   b. The infection spread from vulnerable computers.
5. How rapidly did the infection spread?
   The Slammer worm spread the fastest.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. Patching did help slow the infection on the local network.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched curve was not infected, at a 0% rate after 26 days. The Infected curve was almost not infected, at a 5% rate.
   b. Global Network: The Patched curve was not infected, at a 0% rate after 26 days. The Infected curve rose at a constant rate to 15% at 15 days, then increased dramatically to 100% at about 21 days after the attack started.
9. Which of the worms spread the fastest?
   The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. This worm propagates through accumulated lists of IP addresses, and thereby attacks vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   a. The Patched curves for both the local and global networks were at zero, i.e., not infected at 26 days after the attack started.
   b. The Infected infection on the global network was more dramatic at about 100%, compared to the local network, which was mild at about a 15% infection rate at 26 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   Patched systems on the local and global networks were not infected. The Infected systems on the global network were almost totally infected, whereas the local network was mildly infected.

Analyze the results of the SoBig simulation:

1. When was the peak infection?
   The peak infection on the local network occurred at 12 days 19 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
   The infection on the local network stopped spreading at 15 days 8 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
   The slopes of the local network Patched and Infected curves both increased slightly. The slope of the global network Infected curve increased sharply, but at 5 days started to decrease sharply from 95% infection. The slope of the global network Patched curve was almost zero, and later the curve was slightly infected at 11% at 16 days after the start of the attack.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
   The network with no security got infected first.
   Prevented the spread most effectively?
   The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. Patching slightly helped slow the infection on the local network for the first four days, and then did little to slow it.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched curve rose at a constant rate and reached a maximum of 42% at 15 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 30% at 12 days after the attack started.
   b. Global Network: The Patched curve was slightly infected, at a 12% rate, 16 days after the attack started. The Infected curve rose at a constant rate to 95% at 5 days, and decreased to 68% at about 15 days after the attack started.
9. Which of the worms spread the fastest?
   The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. It propagates through email, so this implies that users are opening emails of unknown origin.
11. Are there differences between the local and global infections?
   a. The Patched infection on the local network was mild at 52%, whereas the global network was lower at 12% at 15 days after the attack started.
   b. The Infected infection on the global network was more dramatic at about 96%, compared to the local network, which was mild at about a 42% infection rate at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
   Patched systems on the local network were mildly infected, whereas on the global network about half were infected. The Infected systems on the global network were almost totally infected, whereas the local network was mildly infected, at about half the rate of the Infected global network.
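Added example, not code from the lab or from its worm simulator: a small discrete-time model of a random-scanning worm run against the four local-network configurations the lab compares, with functions that answer the lab's first three questions (peak infection, when spreading effectively stops, slope) on the resulting curves. All rates (scan rate, exposure, vulnerable share, patch and cleanup rates) are constructed assumptions, chosen only to make the behaviour visible.

```python
"""Random-scanning worm spread under the lab's four local-network profiles.
Constructed model, not the lab's simulator: a scan succeeds only if it passes
the network perimeter (exposure) and lands on a still-vulnerable host; host
security lowers the vulnerable share and adds hourly patching and cleanup."""
from dataclasses import dataclass

HOURS = 24 * 20  # twenty days at one-hour steps


@dataclass(frozen=True)
class Profile:
    name: str
    exposure: float    # share of worm scans that pass the network perimeter
    vuln_share: float  # share of hosts running the exploitable service at t=0
    patch_rate: float  # share of still-vulnerable hosts patched per hour
    clean_rate: float  # share of infected hosts cleaned and patched per hour


# Constructed profiles mirroring the lab's four local-network configurations.
NO_SECURITY = Profile("No security", 1.0, 0.90, 0.00, 0.00)
HOST_ONLY = Profile("Only host security", 1.0, 0.40, 0.02, 0.02)
FIREWALL_ONLY = Profile("Only firewall security", 0.15, 0.90, 0.00, 0.00)
STRONG = Profile("Strong host and network security", 0.15, 0.40, 0.02, 0.02)


def simulate(p, hosts=1000, scans_per_hour=0.5, seed=1.0):
    """Return (infected_fraction, new_infections) per hour for one profile."""
    vulnerable = p.vuln_share * hosts - seed
    infected = seed
    frac, new = [], []
    for _ in range(HOURS):
        # Scans land on random addresses, so the expected number of hits is
        # proportional to the vulnerable share of the address space.
        hit = min(scans_per_hour * p.exposure * infected * vulnerable / hosts,
                  vulnerable)
        newly_patched = p.patch_rate * (vulnerable - hit)
        cleaned = p.clean_rate * infected
        vulnerable -= hit + newly_patched
        infected += hit - cleaned
        frac.append(infected / hosts)
        new.append(hit)
    return frac, new


def peak_hour(frac):
    """Lab question 1: hour of the highest infected fraction. A peak at the
    last hour means the curve was still rising when the run ended."""
    return max(range(len(frac)), key=frac.__getitem__)


def stop_hour(new, threshold=1.0):
    """Lab question 2: first hour after new infections peak at which fewer
    than `threshold` hosts per hour are being infected (None if never)."""
    busiest = max(range(len(new)), key=new.__getitem__)
    for t in range(busiest, len(new)):
        if new[t] < threshold:
            return t
    return None


def slope(frac, start, end):
    """Lab question 3: average change in infected fraction per hour."""
    return (frac[end] - frac[start]) / (end - start)


def days_hours(hour):
    """Express an hour index the way the lab reports it, e.g. 34 -> (1, 10)."""
    return divmod(hour, 24)


def report(profile):
    """Answer the lab's first three questions for one profile."""
    frac, new = simulate(profile)
    peak, stop = peak_hour(frac), stop_hour(new)
    return {
        "profile": profile.name,
        "peak": days_hours(peak),
        "peak_fraction": frac[peak],
        "stop": None if stop is None else days_hours(stop),
        "early_slope": slope(frac, 0, 24),
    }


if __name__ == "__main__":
    for p in (NO_SECURITY, HOST_ONLY, FIREWALL_ONLY, STRONG):
        r = report(p)
        print(f"{r['profile']:<34} peak {r['peak'][0]}d {r['peak'][1]}h at "
              f"{r['peak_fraction']:.1%}; stops {r['stop']}; slope {r['early_slope']:+.4f}/h")
```

The unpatched profiles saturate and never show a true peak inside the run, while the patched profiles peak and then decline as cleanup outpaces new hits, which is the same distinction the Patched and Infected curves draw in the analysis above.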


Compare the Similarities and Dissimilarities of the Worms

Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what the worms actually do) . . .

o How do the worms differ from one another? (A table may be a good way to highlight the differences.)
  o One of the worms propagated through compiled lists of IP addresses.
  o The Slammer worm had the fastest infection rate.
  o There was no correlation between the local and global network infection rates.
o How are the worms similar?
  o The worms all infected vulnerable systems.
  o The systems that were generally patched were less infected.
  o Most of the worms propagated through email addresses harvested from the infected machines.


Bibliography

http://www.f-secure.com/v-descs/
http://www.f-secure.com/v-descs/bagle.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM&VSect=S
http://www.cert.org/tech_tips/Melissa_FAQ.html
http://www.pcworld.com/news/article/0,aid,108988,00.asp
http://www.rbs2.com/cvirus.htm
http://www.wholesecurity.com/threat/cost_of_worms.html
http://www.naisolutions.com/Products/LANDesk/AddOns/patchManager.htm
http://redmondmag.com/news/article.asp?EditorialsID=6142
http://www.next-gendatacenterforum.com/document.asp?doc_id=67044


Appendix


Worm Simulator Results

[Figure: Blaster Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]

[Figure: MyDoom Global Network Peak and MyDoom Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]

[Figure: Netsky Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]

[Figure: Sasser Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]

[Figure: Slammer Global Network Peak and Slammer Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]

[Figure: SoBig Local Results Peak; panels: No Security, Only host security, Only firewall security, Strong host security and network security]