Worm Propagation Simulation Analysis
Page 1 of 23
Name: Allen Galvan
Due: 22 November 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #4: Worms
Last printed 11/20/2005 10:43:00 PM Page 1 of 23
Directions .... 3
Worm Propagation Simulation (Local/Global Networks) Introduction .... 4
Summarize each Worm .... 4
Analyze each Worm Simulation .... 6
Compare the Similarities and Dissimilarities of the Worms .... 14
Bibliography .... 15
Appendix .... 16
Directions
Hand in a report with the answers to these questions.
You must include an appendix with each of the plots and annotated screen shots for each worm.
o The raw data must be included in the Excel spreadsheet when the assignment is sent electronically.
Worm Propagation Simulation (Local/Global Networks) Introduction
The worm simulation gives an idea of how each worm behaves over a period of time across local and global networks with varying degrees of protection, from unprotected to strongly protected.
Summarize each Worm
For each worm, write a short summary that includes the following kinds of information:
o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003
o Propagation:
  o It searches for e-mail addresses, so that it can attack other computers and propagate.
o Payload:
  o Sobig has no damaging payload.
o Noteworthy points:
  o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and .wab files on a target computer.
  o It can be identified by the sending address of [email protected].
  o Download a removal tool at the Security Response Sobig A page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Slammer (Sapphire), 1/25/03
o Propagation:
  o The worm sequentially or randomly scans for IP addresses.
  o The worm infects computers from a list of IP addresses. These IP addresses were accumulated by the attacker(s), or obtained from information on the infected host computer.
  o The worm waits for the target computer to contact it, and then it propagates to other computers.
o Payload:
  o The payload routines are separate from the propagation routines.
  o Payload examples are: Internet remote control, to control a user's computer remotely; spam relays, to let spammers hide their IP addresses; HTML proxies, which make it hard to shut down illegal websites; DoS attacks; data collection, for valuable financial information on the infected computer's hard drive; selling the computer as part of a "zombie army" for profit.
  o Ref: http://www.cs.unc.edu/~jeffay/courses/nidsS05/slides/4-Early-DoS-Worms.pdf
o Noteworthy points:
  o The Slammer worm is also known as the Sapphire worm.
  o The Sapphire worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds.
  o It infected more than 90 percent of vulnerable hosts within 10 minutes.
  o Sapphire exploited a buffer overflow vulnerability on host computers connected to the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine).
  o This vulnerability is in an underlying indexing service and was discovered in July 2002. Microsoft released a patch to fix the vulnerability before it was announced [1].
  o The worm infected at least 75,000 host computers. It caused network outages, canceled airline flights, interference with elections, and ATM failures.
  o Several disassembled versions of the source code of the worm are available [2].
o Name: Blaster (W32.Blaster.Worm), 8/12/03
o Propagation:
  o The infected host computer runs a copy of msblast.exe that it found on the target computer, and it begins scanning for other vulnerable computers to compromise in the same way. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
  o Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
  o Ref: http://www.cert.org/advisories/CA-2003-20.html
  o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech
  o Ref: http://isc.sans.org/show_comment.php?id=350
o Payload:
  o Msblast.exe
o Noteworthy points:
  o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP host computers.
  o It exploits a Buffer Overrun in RPC Interface vulnerability in Microsoft's DCOM RPC interface, as described in VU#568148 and CA-2003-16. Upon successful execution, it attempts to retrieve a copy of the file msblast.exe from the infected host.
  o The infected host computer may suddenly and repeatedly crash or reboot.
  o It may also perform a DoS on http://www.windowsupdate.com. This would stop the host from downloading the patch to address the vulnerability.
  o Download the patch at Microsoft Security Bulletin MS03-026.
  o Ref: Symantec W32.Blaster.Worm page
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Netsky (W32.Netsky@mm), 4/20/04
o Propagation:
  o It sends itself to the email addresses found on hard drives and mapped drives.
o Payload:
  o No payload.
o Noteworthy points:
  o The W32.Netsky@mm worm has its own mass mailing method.
  o It uses an SMTP mailing engine.
  o The body, subject line, and attachment of the emails vary.
  o Download a removal tool at the Security Response Netsky page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Sasser (W32.Sasser.Worm), 5/10/04
o Propagation:
  o The infected Sasser host systems are used to infect other host computers.
o Payload:
  o No payload.
o Noteworthy points:
  o The W32.Sasser worm and its variants run on Windows 95/98/Me host computer machines. These operating systems were not infected by the Sasser worm.
  o An infected Windows XP or 2000 computer may crash or suddenly and repeatedly reboot.
  o Download the patch fix at Microsoft Security Bulletin MS04-011.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: MyDoom (W32.Mydoom.M), 7/26/04
o Propagation:
  o It propagates by sending itself to the email addresses it finds on the systems that it infects.
o Payload:
o Noteworthy points:
  o The W32.Mydoom.M@mm worm is a mass emailer worm.
  o It has its own SMTP emailing method.
  o Find a removal tool at the Security Response W32.Mydoom.M page.
  o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
Analyze each Worm Simulation
Analyze the results of each simulation: Blaster, MyDoom, Netsky, Sasser, Slammer, SoBig.
Analyze the results of the Blaster simulation:
1. When was the peak infection for the local network?
Peak infection on the local network occurred at 8 days 10 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 9 days 10 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve is increasing dramatically, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
Patching helped slow the infection on the local network until 5 and one half days, when patching no longer helped slow the infection. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: the Patched infection rate reached an asymptote of 40%, whereas the Infected infection rate reached a maximum of 20%, nine days after the attack started.
Global Network: the Patched systems had a very low infection rate. The Infected infection rate was constant and reached a maximum of 100% 3 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched systems of both networks were relatively protected and had a mild infection rate at 9 days after the attack started. The Infected rate in the local network was mild, whereas the Infected rate in the global network covered almost the whole of the network at 9 days after the attack started.
12. What conclusions can you draw from your analysis of the data?
Patched systems were more slowly infected compared to vulnerable systems. The local network infection was mild, whereas the global network was almost entirely infected.
Analyze the results of the MyDoom simulation:
1. When was the peak infection of the local network?
Peak infection on the local network occurred at 13 days 2 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 13 days 2 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve is increasing mildly, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
Patching did not help much to slow the infection for the local network. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: the Patched curve rose at a constant rate and reached a maximum of 40%. The Infected curve rose at a constant rate and reached a maximum of 32%, about 13 days after the attack started.
Global Network: the Patched curve rose at a constant rate and reached a maximum of 5%, 14 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 50%, about 10 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched infection for the local network was slightly more dramatic at 40%, whereas the global network infection was minor at 5%, at 15 days after the attack started.
The Infected rate for the global network was about the same, i.e., constant at about 45% at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems were more slowly infected compared to vulnerable systems. The local and global networks were both mildly infected.
Analyze the results of the Netsky simulation:
1. When was the peak infection?
Peak infection on the local network occurred at 16 days 9 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 23 days 14 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves are increasing slightly. The Infected slope reached a point of inflection at 15 days and began decreasing.
The slope of the global network Infected curve is increasing sharply; it leveled off at 13 days and decreased at 21 days. The slope of the global network Patched curve increased slightly.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
Patching did not help slow the infection for the local network. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: the Patched curve rose at a constant rate and reached a point of increasing inflection at 70%, about 23 days after the attack started. The Infected curve rose at a constant parabolic rate and reached a maximum of 32%; the slope turned downward at 15.5 days, to a point of 18% at 23 days after the attack started.
Global Network: the Patched curve rose at a constant rate and reached a maximum of 30%, about 23 days after the attack started. The Infected curve rose at an exponential rate to 63% at 13 days, then leveled off and decreased to about 53% at about 20 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched curves for the local and global networks were both relatively constant at about 55% and 40%, respectively, from about 22 days after the attack started.
The Infected rate for the global network was about the same, i.e., increasing until about 13 days and then decreasing.
The Netsky worm caused local computer harm by spreading itself, emailing itself to email addresses found on the local PC. The email was unauthorized.
The Netsky worm caused global harm by clogging email systems and making unauthorized changes to computer systems.
12. What conclusions can you draw from your analysis of the data?
Patched systems and vulnerable systems of both local and global networks were equally infected at a rate of about 45%.
Analyze the results of the Sasser simulation:
1. When was the peak infection?
Peak infection on the local network occurred at 7 days 5 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 11 days 5 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves are increasing slightly. The slope of the global network Infected curve is increasing sharply; it leveled off at 3 days and decreased at 11 days. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
a. The infection spread from vulnerable computers.
b. The Slammer worm spread the fastest.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. Patching helped slow the infection for the local network.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: the Patched curve rose at a constant rate and reached a point of increasing inflection at 35%, about 11 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 40%, and the slope turned downward at 7 days after the attack started.
b. Global Network: the Patched curve rose at a constant rate and reached a maximum of 10%, about 11 days after the attack started. The Infected curve rose at a constant rate to 80% at 3 days, then leveled off and decreased to about 60% at about 11 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
a. The Patched infection for the local network was mild, whereas the global network was almost zero infected at 11 days after the attack started.
b. The Infected rate for the global network was more dramatic at about 70%, compared to the local network, which was mild at about a 40% infection rate at 7 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems of the local and global networks were infected at a slower infection rate than the vulnerable systems of the local and global networks.
Analyze the results of the Slammer simulation:
1. When was the peak infection?
Peak infection on the local network occurred at 10 minutes.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading in 10 seconds.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves were both almost zero. The slope of the global network Infected curve was increasing, but at 15 days started to sharply increase to 100% infection. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
b. The infection spread from vulnerable computers.
5. How rapidly did the infection spread?
The Slammer worm spread the fastest.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. Patching did help slow the infection for the local network.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: the Patched systems were not infected, at a 0% rate after 26 days. The Infected systems were almost not infected, at a 5% rate.
b. Global Network: the Patched systems were not infected, at a 0% rate after 26 days. The Infected curve rose at a constant rate to 15% at 15 days, then dramatically increased to 100% at about 21 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by accumulated lists of IP addresses, and thereby attacks vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
a. The Patched systems for both the local and global networks were at zero, i.e., not infected at 26 days after the attack started.
b. The Infected rate for the global network was more dramatic at about 100%, compared to the local network, which was mild at about a 15% infection rate at 26 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems of the local and global networks were not infected. The Infected systems of the global network were almost totally infected, whereas the local network was mildly infected.
Analyze the results of the SoBig simulation:
1. When was the peak infection?
Peak infection on the local network occurred at 12 days 19 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 15 days 8 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected curves both slightly increased. The slope of the global network Infected curve was increasing sharply, but at 5 days started to sharply decrease from 95% infection. The slope of the global network Patched curve was almost zero, and later the Patched systems were slightly infected at 11% at 16 days after the start of the attack.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected? Get infected first?
The network with no security got infected first.
Prevented the spread most effectively?
The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. Patching slightly helped slow the infection for the first four days, and then patching did not help much to slow the infection, for the local network.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: the Patched curve rose at a constant rate and reached a maximum of 42% at 15 days after the attack started. The Infected curve rose at a constant rate and reached a maximum of 30% at 12 days after the attack started.
b. Global Network: the Patched systems were slightly infected, at a 12% rate 16 days after the attack started. The Infected curve rose at a constant rate to 95% at 5 days, then decreased to 68% at about 15 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
It propagates through email, so this implies that users are opening emails of unknown origin.
11. Are there differences between the local and global infections?
a. The Patched infection for the local network was mild at 52%, whereas the global network was lower at 12% at 15 days after the attack started.
b. The Infected rate for the global network was more dramatic at about 96%, compared to the local network, which was mild at about a 42% infection rate at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems of the local network were mildly infected, whereas the global network was about half infected. The Infected systems of the global network were almost totally infected, whereas the local network was mildly infected, at about half the rate of the Infected global network.
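The questions above (time of peak infection, when spreading effectively stops, slope steepness, and whether patching helps) and the Slammer doubling time quoted in the summary can all be read off a simple epidemic model. The following is an added, constructed example, not the lab's simulator or any course code: a discrete-time SIR-style model in which each infected host scans random hosts, vulnerable hosts get patched, and infected hosts get cleaned. The four profiles mirror the local networks in the appendix plots, but every rate, host count and threshold is an assumed value chosen to show the behaviour, not a measurement.

```python
"""Discrete-time worm propagation model with patching and cleanup.

Constructed illustration for the lab's analysis questions.  Not the lab's
simulator; the profiles and all rates below are assumed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    exposed: float     # share of scans that reach a host (network security lowers it)
    patch_rate: float  # share of vulnerable hosts patched per step (host security)


# Assumed profiles mirroring the four local networks in the lab's plots.
PROFILES = {
    "no_security": Profile("No Security", exposed=1.0, patch_rate=0.0),
    "firewall_only": Profile("Only firewall security", exposed=0.2, patch_rate=0.0),
    "host_only": Profile("Only host security", exposed=1.0, patch_rate=0.05),
    "strong": Profile("Strong host and network security", exposed=0.2, patch_rate=0.05),
}


def simulate(profile, hosts=1000, scan_rate=0.5, clean_rate=0.05, steps=200, seed=1):
    """Run the model and return per-step (vulnerable, infected, new_infections).

    Each infected host makes scan_rate scans per step at uniformly random hosts; a
    scan infects only a vulnerable host it can reach.  Vulnerable hosts are patched
    at patch_rate per step and infected hosts are cleaned at clean_rate per step.
    """
    vulnerable, infected = float(hosts - seed), float(seed)
    history = []
    for _ in range(steps):
        # expected new infections: scans * P(target reachable) * P(target vulnerable)
        new_inf = min(vulnerable, infected * scan_rate * profile.exposed * vulnerable / hosts)
        patched = (vulnerable - new_inf) * profile.patch_rate
        cleaned = infected * clean_rate
        vulnerable -= new_inf + patched
        infected += new_inf - cleaned
        history.append((vulnerable, infected, new_inf))
    return history


def analyze(history, hosts=1000, seed=1, stop_threshold=0.001):
    """Answer the lab's questions from one run.

    peak_step / peak_fraction: when the infected curve is highest and how high;
    stop_step: first step at or after the peak with fewer new infections than
    stop_threshold of all hosts (the "effectively stopped" point);
    doubling_steps: steps the early outbreak needed to double (None if never).
    """
    infected = [h[1] for h in history]
    peak_step = max(range(len(infected)), key=infected.__getitem__)
    stop_step = next((i for i in range(peak_step, len(history))
                      if history[i][2] < stop_threshold * hosts), None)
    doubling = next((i + 1 for i, x in enumerate(infected) if x >= 2 * seed), None)
    return {
        "peak_step": peak_step,
        "peak_fraction": infected[peak_step] / hosts,
        "stop_step": stop_step,
        "doubling_steps": doubling,
    }


def compare_profiles():
    """Run every profile with the same worm parameters and analyze each run."""
    return {key: analyze(simulate(p)) for key, p in PROFILES.items()}


if __name__ == "__main__":
    for key, r in compare_profiles().items():
        print(f"{PROFILES[key].name:36s} peak {r['peak_fraction']:.0%} at step "
              f"{r['peak_step']}, stops at step {r['stop_step']}, "
              f"doubles in {r['doubling_steps']} steps")
```

With these assumed rates the unprotected network doubles its infected count within two steps and peaks with most hosts infected, while the network with both patching and a firewall never doubles at all, which is the ordering the lab's plots show between "No Security" and "Strong host security and network security".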
Compare the Similarities and Dissimilarities of the Worms
Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what the worms actually do) . . .
o How do the worms differ from one another? (A table may be a good way to highlight the differences.)
  o One of the worms propagated through compiled lists of IP addresses.
  o The Slammer worm had the fastest infection rate.
  o There was no correlation between the local and global network infection rates.
o How are the worms similar?
  o The worms all infected vulnerable systems.
  o The systems that were generally patched were less infected.
  o Most of the worms propagated through email addresses harvested from the infected machines.
Bibliography
http://www.f-secure.com/v-descs/
http://www.f-secure.com/v-descs/bagle.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM&VSect=S
http://www.cert.org/tech_tips/Melissa_FAQ.html
http://www.pcworld.com/news/article/0,aid,108988,00.asp
http://www.rbs2.com/cvirus.htm
http://www.wholesecurity.com/threat/cost_of_worms.html
http://www.naisolutions.com/Products/LANDesk/AddOns/patchManager.htm
http://redmondmag.com/news/article.asp?EditorialsID=6142
http://www.next-gendatacenterforum.com/document.asp?doc_id=67044
Appendix
Worm Simulator Results
Blaster Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)
MyDoom Global Network Peak; MyDoom Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)
Netsky Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)
Sasser Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)
Slammer Global Network Peak; Slammer Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)
SoBig Local Results Peak (plots: Strong host security and network security; No Security; Only firewall security; Only host security)