Worm Propagation Simulation Analysis
Name: Allen Galvan
Due: 22 November 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #4: Worms
Last printed 11/20/2005 22:43:00, Page 1 of 22
Directions ... 3
Worm Propagation Simulation (Local/Global Networks) Introduction ... 4
Summarize each Worm ... 4
Analyze each Worm Simulation ... 6
Compare the Similarities and Dissimilarities of the Worms ... 13
Bibliography ... 15
Appendix ... 16
Directions
Hand in a report with the answers to these questions.
o You must include an appendix with each of the plots and annotated screen shots for each worm.
o The raw data must be included in the Excel spreadsheet when the assignment is sent electronically.
Worm Propagation Simulation (Local/Global Networks) Introduction
The worm simulation gives an idea of the behavior of each worm over a period of time across various degrees of protected and unprotected local and global networks.
Summarize each Worm
For each worm, write a short summary that includes the following kinds of information:
o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003
o Propagation:
o It searches for e-mail addresses so that it can attack other computers and propagate.
o Payload:
o Sobig has no damaging payload.
o Noteworthy points:
o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and .wab files on a target computer.
o It can be identified by the sending address of big@boss.com.
o Download a removal tool at the Security Response Sobig.A page.
o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Slammer (Sapphire), 1/25/03
o Propagation
o The worm sequentially or randomly scans for IP addresses.
o The worm infects computers from a list of IP addresses. These IP addresses were accumulated by the attacker(s), or obtained from information on the infected host computer.
o The worm waits for the target computer to contact it, and then it propagates to other computers.
o Payload
o The payload routines are separate from the propagation routines.
o Payload examples are:
o Internet Remote Control, to control a user's computer remotely.
o Spam Relays, to let spammers hide their IP addresses.
o HTML Proxies, which make it hard to shut down illegal websites.
o DoS attacks.
o Data Collection, for valuable financial information on the infected computer's hard drive.
o Selling the computer as part of a "zombie army" for profit.
o Ref: http://www.cs.unc.edu/~jeffay/courses/nidsS05/slides/4-Early-DoS-Worms.pdf
o Noteworthy points
o The Slammer worm is also known as the Sapphire worm.
o The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds.
o It infected more than 90 percent of vulnerable hosts within 10 minutes.
o Sapphire exploited a buffer overflow vulnerability on host computers connected to the Internet running Microsoft's SQL Server or MSDE 2000 (Microsoft SQL Server Desktop Engine).
o The vulnerability, in an underlying indexing service, was discovered in July 2002. Microsoft released a patch to fix it before it was announced [1].
o The worm infected at least 75,000 host computers. It caused network outages, canceled airline flights, interference with elections, and ATM failures.
o Several disassembled versions of the worm's code are available [2].
o Name: Blaster (W32.Blaster.Worm), 8/12/03
o Propagation:
o The infected host computer runs a copy of msblast.exe that it found on the target computer, and it begins scanning for other vulnerable computers to compromise in the same way. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
o Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
o Ref: http://www.cert.org/advisories/CA-2003-20.html
o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech
o Ref: http://isc.sans.org/show_comment.php?id=350
o Payload
o Msblast.exe
o Noteworthy points
o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP host computers.
o It exploits a Buffer Overrun in RPC Interface vulnerability in Microsoft's DCOM RPC interface, as described in VU#568148 and CA-2003-16. Upon successful execution, it attempts to retrieve a copy of the file msblast.exe from the infected host.
o The infected host computer may suddenly and repeatedly crash or reboot.
o It may also perform a DoS on http://www.windowsupdate.com. This would stop the host from downloading the patch to address the vulnerability.
o Download the patch at Microsoft Security Bulletin MS03-026.
o Ref: Symantec W32.Blaster.Worm page
o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Netsky (W32.Netsky@mm), 4/20/04
o Propagation
o It sends itself to the email addresses found on hard drives and mapped drives.
o Payload
o No payload.
o Noteworthy points
o The W32.Netsky@mm worm has its own mass-mailing method.
o It uses an SMTP mailing engine.
o The body, subject line, and attachment of the emails vary.
o Download a removal tool at the Security Response Netsky page.
o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: Sasser (W32.Sasser.Worm), 5/10/04
o Propagation
o Infected Sasser host systems are used to infect other host computers.
o Payload
o No payload.
o Noteworthy points
o The W32.Sasser worm and its variants can run on Windows 95/98/Me host computers, but those operating systems were not infected by the Sasser worm.
o An infected Windows XP or 2000 computer may crash or suddenly and repeatedly reboot.
o Download the patch at Microsoft Security Bulletin MS04-011.
o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
o Name: MyDoom (W32.Mydoom.M), 7/26/04
o Propagation
o It propagates by sending itself to the email addresses it finds on the systems that it infects.
o Payload
o Noteworthy points
o The W32.Mydoom.M@mm worm is a mass-mailer worm.
o It has its own SMTP emailing method.
o Find a removal tool at the Security Response W32.Mydoom.M page.
o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1
Analyze each Worm Simulation
Analyze the results of each simulation:
Blaster
MyDoom
Netsky
Sasser
Slammer
SoBig
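The quantities the questions below ask for (peak infection, when spreading effectively stops, how patching and a firewall change the Infected and Patched curves) can be reproduced with a small compartmental model. The Python below is an added example, not the lab's worm simulator or the report's own code: the four network profiles are the ones named in the appendix, while their contact_scale and patch_rate values, the 12-hour default doubling time and the 0.1% seed are constructed assumptions.

```python
"""Toy Vulnerable / Infected / Patched (V-I-P) worm-propagation model.

Added example, not the lab's worm simulator: it reproduces the kind of Infected
and Patched curves the report analyses (peak infection, when spreading stops,
final patched share) for the four network profiles in the appendix, and the
logistic estimate behind Slammer's speed. Rates are constructed assumptions.
"""
import math

# Appendix network profiles. Both knobs are assumed, illustrative values:
#   contact_scale: share of worm scan traffic that reaches hosts (firewall)
#   patch_rate:    fraction of hosts patched per day (host security)
PROFILES = {
    "No Security": dict(contact_scale=1.0, patch_rate=0.02),
    "Only firewall security": dict(contact_scale=0.3, patch_rate=0.02),
    "Only host security": dict(contact_scale=1.0, patch_rate=0.30),
    "Strong host security and network security": dict(contact_scale=0.3, patch_rate=0.30),
}


def time_to_fraction_s(doubling_time_s, vulnerable_hosts, fraction, initial=1):
    """Logistic (SI) estimate of the seconds an unchecked random-scanning worm
    needs to reach `fraction` of `vulnerable_hosts` from `initial` infected
    hosts, given its early doubling time. Bandwidth saturation slows real worms."""
    k = math.log(2) / doubling_time_s                 # per-second growth rate
    odds_final = fraction / (1.0 - fraction)
    odds_start = initial / (vulnerable_hosts - initial)
    return math.log(odds_final / odds_start) / k


def simulate(profile, doubling_time_s=43200.0, days=30, dt_hours=1.0, seed=0.001):
    """Euler-step the V-I-P model for one network profile (fractions of hosts):
      dV/dt = -beta*I*V - rho*V   (infection, pre-emptive patching)
      dI/dt =  beta*I*V - rho*I   (infection, clean-up patching)
      dP/dt =  rho*(V + I)
    beta is the firewall-limited growth rate and rho the patch rate, per day.
    Returns rows of (day, vulnerable, infected, patched, new_infections)."""
    p = PROFILES[profile]
    beta = math.log(2) / doubling_time_s * 86400 * p["contact_scale"]
    rho = p["patch_rate"]
    dt = dt_hours / 24.0
    v, i, pa = 1.0 - seed, seed, 0.0
    series = [(0.0, v, i, pa, 0.0)]
    for n in range(1, int(days * 24 / dt_hours) + 1):
        new_inf = min(beta * i * v * dt, v)           # cannot exceed remaining V
        v_patched = min(rho * v * dt, v - new_inf)
        i_patched = min(rho * i * dt, i)
        v -= new_inf + v_patched
        i += new_inf - i_patched
        pa += v_patched + i_patched
        series.append((n * dt, v, i, pa, new_inf))
    return series


def peak_infection(series):
    """(day, infected fraction) at the top of the Infected curve (question 1)."""
    day, _, inf, _, _ = max(series, key=lambda row: row[2])
    return day, inf


def spread_stop_day(series, threshold=1e-4):
    """First day, from the busiest step on, at which new infections per step fall
    below `threshold`: the spread has 'effectively stopped' (question 2)."""
    busiest = max(range(len(series)), key=lambda n: series[n][4])
    for day, _, _, _, new_inf in series[busiest:]:
        if new_inf < threshold:
            return day
    return series[-1][0]


if __name__ == "__main__":
    mins = time_to_fraction_s(8.5, 75_000, 0.9) / 60
    print(f"Doubling every 8.5 s: 90% of 75,000 hosts in {mins:.1f} min (logistic estimate)")
    for name in PROFILES:
        s = simulate(name)
        day, inf = peak_infection(s)
        print(f"{name:44s} peak {inf:6.1%} at day {day:5.2f}, spread stops day "
              f"{spread_stop_day(s):5.2f}, patched at day 30 {s[-1][3]:6.1%}")
```

With these constructed rates the firewall mainly delays the peak, host patching mainly lowers it, and the combined profile never gets beyond a trace infection, which is the ordering the report observes across its four local networks.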
Analyze the results of the Blaster simulation:
1. When was the peak infection for the local network?
The peak infection on the local network occurred at 8 days 10 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 9 days 10 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected are increasing slightly. The slope of the global network Infected is increasing dramatically, while the slope of the global network Patched is almost zero.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
For the local network, patching helped slow the infection until about five and a half days, after which it no longer helped.
Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: the Patched infection rate reached an asymptote of 40%, whereas the Infected infection rate reached a maximum of 20%, nine days after the attack started.
Global Network: the Patched systems had a very low infection rate. The Infected infection rate was constant and reached a maximum of 100% 3 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched for both networks were relatively protected and had a mild infection rate at 9 days after the attack started.
The Infected in the local network was mild, whereas the Infected in the global network covered almost the whole network at 9 days after the attack started.
12. What conclusions can you draw from your analysis of the data?
Patched systems were infected more slowly than vulnerable systems. The local network infection was mild, whereas the global network was almost entirely infected.
Analyze the results of the MyDoom simulation:
1. When was the peak infection of the local network?
The peak infection on the local network occurred at 13 days 2 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 13 days 2 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected are increasing slightly. The slope of the global network Infected is increasing mildly, while the slope of the global network Patched is almost zero.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
a. The infection spread from vulnerable computers.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
For the local network, patching did little to help slow the infection.
Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: The Patched was infected at a constant rate and reached a maximum of 40%. The Infected was infected at a constant rate and reached a maximum of 32%, about 13 days after the attack started.
Global Network: The Patched was infected at a constant rate and reached a maximum of 5%, 14 days after the attack started. The Infected was infected at a constant rate and reached a maximum of 50%, about 10 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched for the local network infection was slightly more dramatic at 40%, whereas the global network infection was minor at 5%, at 15 days after the attack started.
The Infected for the global network infection was about the same, i.e., constant at about 45% at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems were infected more slowly than vulnerable systems. The local and global networks were both mildly infected.
Analyze the results of the Netsky simulation:
1. When was the peak infection?
The peak infection on the local network occurred at 16 days 9 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 23 days 14 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected are increasing slightly. The Infected slope reached a point of inflection at 15 days and began decreasing.
The slope of the global network Infected increased sharply, leveled off at 13 days, and decreased at 21 days. The slope of the global network Patched increased slightly.
4. What do sudden changes (infections) indicate?
Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
The infection spread from vulnerable computers.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
Patching did not help slow the infection for the local network.
Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
Local Network: The Patched was infected at a constant rate and was still increasing at 70%, about 23 days after the attack started. The Infected was infected at a constant parabolic rate and reached a maximum of 32%; the slope turned downward at 15.5 days, to 18% at 23 days after the attack started.
Global Network: The Patched was infected at a constant rate and reached a maximum of 30%, about 23 days after the attack started. The Infected was infected at an exponential rate, reaching 63% at 13 days, then leveled off and decreased to about 53% at about 20 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
The Patched for the local and global network infections were both relatively constant at about 55% and 40%, respectively, about 22 days after the attack started.
The Infected for the global network infection was about the same, i.e., increasing at about 13 days and then decreasing.
The Netsky worm caused local harm by emailing itself to email addresses found on the local PC; the email was unauthorized. The Netsky worm caused global harm by clogging email systems and making unauthorized changes to computer systems.
12. What conclusions can you draw from your analysis of the data?
Patched systems and vulnerable systems of both local and global networks were equally infected, at a rate of about 45%.
Analyze the results of the Sasser simulation:
1. When was the peak infection?
The peak infection on the local network occurred at 7 days 5 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 11 days 5 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected are increasing slightly. The slope of the global network Infected increased sharply, leveled off at 3 days, and decreased at 11 days. The slope of the global network Patched was almost zero.
4. What do sudden changes (infections) indicate?
a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
a. The infection spread from vulnerable computers.
b. The Slammer worm spread the fastest.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. Patching helped slow the infection for the local network.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: The Patched was infected at a constant rate and was still increasing at 35%, about 11 days after the attack started. The Infected was infected at a constant rate and reached a maximum of 40%; the slope turned downward at 7 days after the attack started.
b. Global Network: The Patched was infected at a constant rate and reached a maximum of 10%, about 11 days after the attack started. The Infected was infected at a constant rate, reaching 80% at 3 days, then leveled off and decreased to about 60% at about 11 days after the attack started.
9. Which of the worms spread the fastest?
a. The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
a. This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
a. The Patched for the local network infection was mild, whereas the global network was almost zero infected at 11 days after the attack started.
b. The Infected for the global network infection was more dramatic at about 70%, compared to the local network, which was mild at about a 40% infection rate at 7 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems of the local and global networks were infected at a slower rate than the vulnerable systems of the local and global networks.
Analyze the results of the Slammer simulation:
1. When was the peak infection?
The peak infection on the local network occurred at 10 minutes.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading in 10 seconds.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected were both almost zero. The slope of the global network Infected was increasing, but at 15 days it started to increase sharply to 100% infection. The slope of the global network Patched was almost zero.
4. What do sudden changes (infections) indicate?
a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
b. The infection spread from vulnerable computers.
5. How rapidly did the infection spread?
The Slammer worm spread the fastest.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. Patching did help slow the infection for the local network.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: The Patched was not infected (a 0% rate) after 26 days. The Infected was almost not infected, at a 5% rate.
b. Global Network: The Patched was not infected (a 0% rate) after 26 days. The Infected was infected at a constant rate, reaching 15% at 15 days, and dramatically increased to 100% at about 21 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
a. This worm propagates by means of accumulated lists of IP addresses, and thereby attacks vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
a. The Patched for both the local and global network infections were at zero, i.e., not infected, at 26 days after the attack started.
b. The Infected for the global network infection was more dramatic at about 100%, compared to the local network, which was mild at about a 15% infection rate at 26 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
Patched systems of the local and global networks were not infected. The Infected systems for the global network were almost totally infected, whereas the local network was mildly infected.
Analyze the results of the SoBig simulation:
1. When was the peak infection?
The peak infection on the local network occurred at 12 days 19 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
The infection on the local network stopped spreading at 15 days 8 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
The slopes of the local network Patched and Infected both increased slightly. The slope of the global network Infected was increasing sharply, but at 5 days it started to decrease sharply from 95% infection. The slope of the global network Patched was almost zero; later it was slightly infected, at 11% at 16 days after the start of the attack.
4. What do sudden changes (infections) indicate?
a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
a. The infection spread from vulnerable computers.
6. Which local networks get infected?
Get infected first? The network with no security got infected first.
Prevented the spread most effectively? The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
a. For the local network, patching slightly helped slow the infection for the first four days, and then did little to slow it.
b. Patching helped slow the infection for the global network.
8. What interesting patterns did you find?
a. Local Network: The Patched was infected at a constant rate and reached a maximum of 42% at 15 days after the attack started. The Infected was infected at a constant rate and reached a maximum of 30% at 12 days after the attack started.
b. Global Network: The Patched was slightly infected, at a 12% rate, 16 days after the attack started. The Infected was infected at a constant rate, reaching 95% at 5 days, and decreased to 68% at about 15 days after the attack started.
9. Which of the worms spread the fastest?
The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
a. It propagates through email, so this implies that users are opening emails of unknown origin.
11. Are there differences between the local and global infections?
a. The Patched for the local network was mild at 52%, whereas the global network was lower at 12%, at 15 days after the attack started.
b. The Infected for the global network infection was more dramatic at about 96%, compared to the local network, which was mild at about a 42% infection rate at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
The Patched systems of the local network were mildly infected, whereas the global network was about half infected. The Infected systems for the global network were almost totally infected, whereas the local network was mildly infected, at about half the rate of the Infected global network.
Compare the Similarities and Dissimilarities of the Worms
Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what the worms actually do) . . .
o How do the worms differ from one another? (A table may be a good way to highlight the differences.)
o One of the worms propagated through compiled lists of IP addresses.
o The Slammer worm had the fastest infection rate.
o There was no correlation between the local and global network infection rates.
o How are the worms similar?
o The worms all infected vulnerable systems.
o The systems that were generally patched were less infected.
o Most of the worms propagated through email addresses harvested from the infected machines.
Bibliography
http://www.f-secure.com/v-descs/
http://www.f-secure.com/v-descs/bagle.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM&VSect=S
http://www.cert.org/tech_tips/Melissa_FAQ.html
http://www.pcworld.com/news/article/0,aid,108988,00.asp
http://www.rbs2.com/cvirus.htm
http://www.wholesecurity.com/threat/cost_of_worms.html
http://www.naisolutions.com/Products/LANDesk/AddOns/patchManager.htm
http://redmondmag.com/news/article.asp?EditorialsID=6142
http://www.next-gendatacenterforum.com/document.asp?doc_id=67044
Appendix
Worm Simulator Results
[Figure: Blaster Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]
[Figure: MyDoom Global Network Peak]
[Figure: MyDoom Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]
[Figure: Netsky Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]
[Figure: Sasser Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]
[Figure: Slammer Global Network Peak]
[Figure: Slammer Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]
[Figure: SoBig Local Results Peak; panels: Strong host security and network security, No Security, Only firewall security, Only host security]