Page 1 of 22



Name:                       Allen Galvan
Due:                        22 November 2005
CSFI 214:                   Information Security Systems Analysis – Fall 2005
Lab #4:                     Worms




Last printed 11/20/2005 22:43:00 a11/p11                                        Page 1 of 22

Directions ............................................................................ 3
Worm Propagation Simulation (Local/Global Networks) Introduction ...................... 4
Summarize each Worm ................................................................... 4
Analyze each Worm Simulation .......................................................... 6
Compare the Similarities and Dissimilarities of the Worms ............................ 13
Bibliography ......................................................................... 15
Appendix ............................................................................. 16

Directions

Hand in a report with the answers to these questions.

You must include an appendix with each of the plots and annotated screen shots for each
worm.
   o The raw data must be included in the Excel spreadsheet when the assignment is sent
      electronically.

Worm Propagation Simulation (Local/Global Networks) Introduction

The worm simulation gives an idea of each worm's behavior over a period of time
across various degrees of protected and unprotected local and global networks.

Summarize each Worm

For each worm, write a short summary that includes the following kinds of information:

    o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003
    o Propagation:
         o It searches for e-mail addresses, so that it can attack other computers and
            propagate.
    o Payload:
         o Sobig has no damaging payload.
    o Noteworthy points:
         o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and
            .wab files on a target computer.
         o It can be identified by the sending address of big@boss.com.
         o Download a removal tool at Security Response Sobig A page.
         o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

    o Name: Slammer (Sapphire), 1/25/03
    o Propagation
         o The worm sequentially or randomly scans for IP addresses.
         o The worm infects computers from a list of IP addresses. These IP addresses
            were accumulated by the attacker(s), or obtained from information on the
            infected host computer.
         o The worm waits for the target computer to contact it, and then it propagates
            to other computers.

    o Payload
         o The payload routines are separate from the propagation routines.
         o Payload examples are:
               Internet Remote Control to control a user’s computer remotely.
               Spam Relays to let Spammers hide their IP addresses.
               HTML Proxies, which make it hard to shut down illegal websites.
               DoS attacks.
               Data Collection, for valuable financial information on the infected
                  computer’s hard drive.
               Sell the computer as a “zombie army” for profit.
               http://www.cs.unc.edu/~jeffay/courses/nidsS05/slides/4-Early-DoS-Worms.pdf

    o Noteworthy points
         o The Slammer worm is also known as the Sapphire worm.
         o The Sapphire Worm was the fastest computer worm in history. As it began
            spreading throughout the Internet, it doubled in size every 8.5 seconds.
         o It infected more than 90 percent of vulnerable hosts within 10 minutes.
         o Sapphire exploited a buffer overflow vulnerability on host computers
            connected to the Internet running Microsoft's SQL Server or MSDE 2000
            (Microsoft SQL Server Desktop Engine).
         o The vulnerability, in an underlying indexing service, was discovered in
            July 2002. Microsoft released a patch to fix the vulnerability before it was
            announced [1].
         o The worm infected at least 75,000 host computers. It caused network
            outages, canceled airline flights, interference with elections, and
            ATM failures.
         o Several disassembled versions of the worm's source code are available [2].
    o Name: Blaster (W32.Blaster.Worm), 8/12/03
    o Propagation:
         o The infected host computer runs a copy of msblast.exe that it found on the
            target computer, and begins scanning for other vulnerable computers to
            compromise in the same way. In the course of propagation, a TCP session
            to port 135 is used to execute the attack. However, access to TCP ports 139
            and 445 may also provide attack vectors and should be considered when
            applying mitigation strategies.
         o Microsoft has published information about this vulnerability in Microsoft
            Security Bulletin MS03-026.
         o Ref: http://www.cert.org/advisories/CA-2003-20.html
         o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech
         o Ref: http://isc.sans.org/show_comment.php?id=350

    o Payload
         o Msblast.exe
    o Noteworthy points
         o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP
            host computers.
         o It exploits a Buffer Overrun In RPC Interface vulnerability in Microsoft's
            DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon
            successful execution, it attempts to retrieve a copy of the file msblast.exe
            from the infected host.
         o The infected host computer may suddenly and repeatedly crash or reboot.
         o It may also perform a DoS on http://www.windowsupdate.com. This would
            stop the host from downloading the patch that addresses the vulnerability.
         o Download the patch at Microsoft Security Bulletin MS03-026.
         o Ref: Symantec W32.Blaster.Worm page
         o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

    o Name: Netsky (W32.Netsky@mm), 4/20/04
    o Propagation
         o It sends itself to the email addresses on hard drives and mapped drives.
    o Payload
         o No payload.
    o Noteworthy points
         o The W32.Netsky@mm worm has its own mass-mailing method.
         o It uses an SMTP mailing engine.
         o The body, subject line, and attachment of the emails vary.
         o Download a removal tool at Security Response Netsky page.
         o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

    o Name: Sasser (W32.Sasser.Worm), 5/10/04
    o Propagation
         o Infected Sasser host systems are used to infect other host computers.
    o Payload
         o No payload.
    o Noteworthy points
         o The W32.Sasser worm and its variants can run on Windows 95/98/Me host
            computers, but these operating systems were not infected by the
            Sasser worm.
         o An infected Windows XP and 2000 computer may crash or suddenly and
            repeatedly reboot.
         o Download the patch at Microsoft Security Bulletin MS04-011.
         o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

    o Name: MyDoom (W32.Mydoom.M), 7/26/04
    o Propagation
         o It propagates by sending itself to the email addresses it finds on the systems
            that it infects.
    o Payload
    o Noteworthy points
         o The W32.Mydoom.M@mm worm is a mass emailer worm.
         o It has its own SMTP emailing method.
         o Find a removal tool at Security Response W32.Mydoom.M page.
         o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1

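The simulator that produced the results analyzed below is not reproduced in this report. As an added example, not part of the original lab or of the simulator it used, the Python model below combines the ingredients the summaries and the appendix plots describe: a scanning worm whose infected population doubles on a fixed interval (Slammer's 8.5 seconds, quoted above), a split of each network into a vulnerable pool and a patched pool (the "Infected" and "Patched" series of the plots), and the four local-network security profiles named in the appendix panels. The 75,000-host population reuses the Slammer figure quoted above; the profile values, the reduced susceptibility of patched hosts and the one-second step are assumptions.

```python
"""Discrete-time worm propagation model (added example; not the lab's simulator).

Hosts form two pools, matching the two series in the lab's plots: a vulnerable
pool (the "Infected" line) and a patched pool (the "Patched" line).  Each step,
scans from every infected host land on random hosts.  A scan that lands on an
uninfected vulnerable host infects it; one that lands on a patched host infects
it only with a reduced probability.  The growth constant is derived from an
observed doubling time (Slammer: 8.5 seconds, quoted in the summary above).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Constructed local-network security profile (assumption: the four appendix
    panels map onto these two knobs)."""
    name: str
    patched_share: float  # host security: share of hosts already patched
    reachable: float      # network security: share of scans the firewall lets in


# Constructed values, named after the four appendix panels.
PROFILES = (
    Profile("No Security", patched_share=0.0, reachable=1.0),
    Profile("Only firewall security", patched_share=0.0, reachable=0.25),
    Profile("Only host security", patched_share=0.6, reachable=1.0),
    Profile("Strong host security and network security", patched_share=0.6, reachable=0.25),
)


def growth_per_step(doubling_steps):
    """Per-step growth rate r such that an unconstrained infected population
    doubles exactly every `doubling_steps` steps: (1 + r) ** doubling_steps == 2."""
    return 2.0 ** (1.0 / doubling_steps) - 1.0


def simulate(hosts, doubling_steps, steps, profile=PROFILES[0],
             patched_susceptibility=0.1, seed=1.0):
    """Return one (vulnerable_rate, patched_rate, overall_rate) tuple per step.

    vulnerable_rate  infected share of the vulnerable pool (the lab's "Infected" line)
    patched_rate     infected share of the patched pool (the lab's "Patched" line)
    overall_rate     infected share of all hosts
    The seed infection starts in the vulnerable pool; populations are continuous
    (fractional hosts), so the curves are smooth rather than noisy.
    """
    r = growth_per_step(doubling_steps)
    patched_pool = hosts * profile.patched_share
    vuln_pool = hosts - patched_pool
    inf_v, inf_p = min(seed, vuln_pool), 0.0
    history = []
    for _ in range(steps + 1):
        history.append((inf_v / vuln_pool if vuln_pool else 0.0,
                        inf_p / patched_pool if patched_pool else 0.0,
                        (inf_v + inf_p) / hosts))
        # Scans that get past the firewall this step, from every infected host.
        scans = r * (inf_v + inf_p) * profile.reachable
        # A scan lands on a uniformly random host; only uninfected ones can turn.
        new_v = min(vuln_pool - inf_v, scans * (vuln_pool - inf_v) / hosts)
        new_p = min(patched_pool - inf_p,
                    scans * patched_susceptibility * (patched_pool - inf_p) / hosts)
        inf_v += new_v
        inf_p += new_p
    return history


def time_to_fraction(history, fraction):
    """First step at which the overall infected share reaches `fraction`, else None."""
    for step, (_, _, overall) in enumerate(history):
        if overall >= fraction:
            return step
    return None


def peak_infected(history):
    """Highest overall infected share seen during the run."""
    return max(overall for _, _, overall in history)


if __name__ == "__main__":
    # Slammer-like run: 75,000 hosts (the figure quoted above), doubling every
    # 8.5 s, one-second steps, ten minutes of simulated time, no patching.
    baseline = simulate(75_000, 8.5, 600)
    print("unpatched network reaches 90% infection after",
          time_to_fraction(baseline, 0.9), "seconds")
    for profile in PROFILES:
        hist = simulate(75_000, 8.5, 600, profile=profile)
        v, p, overall = hist[-1]
        print(f"{profile.name:45s} vulnerable {v:6.1%}  patched {p:6.1%}  overall {overall:6.1%}")
```

Running it prints how long the unprotected network takes to reach 90% infection and the end-of-run infection share of each pool per profile, which can be set beside the peak and stop-spreading times recorded for each worm below.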
Analyze each Worm Simulation

Analyze the results of each simulation:
    Blaster
    MyDoom
    Netsky
    Sasser
    Slammer
    SoBig

Analyze the results of the Blaster simulation:
   1. When was the peak infection for the local network?
        The infection on the local network peaked at 8 days 10 hours.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
        The infection on the local network stopped spreading at 9 days 10 hours.
   3. What can you infer from the steepness and direction of the slope in the
       graphs?
        The slopes of the local network Patched and Infected are increasing slightly.
        The slope of the global network Infected is increasing dramatically, while the
           slope of the global network Patched is almost zero.
   4. What do sudden changes (infections) indicate?
        Sudden changes (infections) indicate that either the infection was suddenly
           stopped, or it suddenly became more infectious.
   5. How rapidly did the infection spread?
        The infection spread from vulnerable computers.
   6. Which local networks get infected?
            Get infected first?
                The network with no security got infected first.
            Prevented the spread most effectively?
                The network with strong host and network security prevented the worm
                   spread most effectively.
   7. Did patching help to slow the infection in each of the local networks and
       globally?
        For the local network, patching helped slow the infection until about 5 and
           one half days, after which patching no longer helped slow the infection.
        Patching helped slow the infection for the global network.
   8. What interesting patterns did you find?
        Local Network: the Patched infection rate reached an asymptote of 40%;
           whereas the Infected infection rate reached a maximum of 20%, nine days after
           the attack started.
        Global Network: the Patched systems had a very low infection rate. The
           Infected infection rate was constant and reached a maximum of 100% 3 days
           after the attack started.
   9. Which of the worms spread the fastest?
        The Slammer worm spread the fastest.
   10. Based on what you learned about each worm, which kinds of weaknesses and
       infection vectors help to spread the worms the fastest?
        This worm propagates by attacking vulnerable and unpatched computers.
   11. Are there differences between the local and global infections?
        The Patched for both networks were relatively protected and had a mild
           infection rate at 9 days after the attack started.
        The Infected in the local network was mild, whereas the Infected in the global
           network covered almost the whole network at 9 days after the attack started.
   12. What conclusions can you draw from your analysis of the data?
        Patched systems were infected more slowly than vulnerable systems.
        The local network infection was mild, whereas the global network was almost
           entirely infected.


Analyze the results of the MyDoom simulation:
   1. When was the peak infection of the local network?
        The infection on the local network peaked at 13 days 2 hours.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
        The infection on the local network stopped spreading at 13 days 2 hours.
   3. What can you infer from the steepness and direction of the slope in the
       graphs?
        The slopes of the local network Patched and Infected are increasing slightly.
        The slope of the global network Infected is increasing mildly, while the slope of
           the global network Patched is almost zero.
   4. What do sudden changes (infections) indicate?
        Sudden changes (infections) indicate that either the infection was suddenly
           stopped, or it suddenly became more infectious.
   5. How rapidly did the infection spread?
           a. The infection spread from vulnerable computers.
   6. Which local networks get infected?
            Get infected first?
                The network with no security got infected first.
            Prevented the spread most effectively?
                The network with strong host and network security prevented the worm
                    spread most effectively.
   7. Did patching help to slow the infection in each of the local networks and
       globally?
        For the local network, patching did little to slow the infection.
        Patching helped slow the infection for the global network.
   8. What interesting patterns did you find?
        Local Network: The Patched was infected at a constant rate and reached a
           maximum of 40%. The Infected was infected at a constant rate and reached a
           maximum of 32%, about 13 days after the attack started.
        Global Network: The Patched was infected at a constant rate and reached a
           maximum of 5%, 14 days after the attack started. The Infected was infected at
           a constant rate and reached a maximum of 50%, about 10 days after the attack
           started.
   9. Which of the worms spread the fastest?
        The Slammer worm spread the fastest.
   10. Based on what you learned about each worm, which kinds of weaknesses and
       infection vectors help to spread the worms the fastest?
        This worm propagates by attacking vulnerable and unpatched computers
   11. Are there differences between the local and global infections?
        The Patched infection for the local network was slightly more dramatic at 40%,
           whereas the global network infection was minor at 5%, at 15 days after the
           attack started.
        The Infected for the global network infection was about the same, i.e., constant
           at about 45% at 15 days after the infection started.
    12. What conclusions can you draw from your analysis of the data?
        Patched systems were infected more slowly than vulnerable systems.
           Both the local and the global network were only mildly infected.


Analyze the results of the Netsky simulation:
   1. When was the peak infection?
       The infection on the local network peaked at 16 days 9 hours.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
       The infection on the local network stopped spreading at 23 days 14 hours.
   3. What can you infer from the steepness and direction of the slope in the
      graphs?
       The slopes of the local network Patched and Infected are increasing slightly.
          The Infected slope reached a point of inflection at 15 days and began
          decreasing.
       The slope of the global network Infected increased sharply, leveled off
          at 13 days, and decreased at 21 days. The slope of the global network Patched
          increased slightly.
   4. What do sudden changes (infections) indicate?
       Sudden changes (infections) indicate that either the infection was suddenly
          stopped, or it suddenly became more infectious.
   5. How rapidly did the infection spread?
       The infection spread from vulnerable computers.
   6. Which local networks get infected?
       Get infected first?
           The network with no security got infected first.
       Prevented the spread most effectively?
           The network with strong host and network security prevented the worm
               spread most effectively.
   7. Did patching help to slow the infection in each of the local networks and
      globally?
       Patching did not help slow the infection for the local network.
       Patching helped slow the infection for the global network.
   8. What interesting patterns did you find?
       Local Network: The Patched was infected at a constant rate and reached a point
          of increasing inflection at 70%, about 23 days after the attack started. The
          Infected was infected at a constant parabolic rate and reached a maximum of
          32%; the slope then turned downward at 15.5 days, to 18% at 23 days after the
          attack started.
       Global Network: The Patched was infected at a constant rate and reached a
          maximum of 30%, about 23 days after the attack started. The Infected was
          infected at an exponential rate, reaching 63% at 13 days, then leveled off and
          decreased to about 53% at about 20 days after the attack started.
    9. Which of the worms spread the fastest?
         The Slammer worm spread the fastest.
    10. Based on what you learned about each worm, which kinds of weaknesses and
        infection vectors help to spread the worms the fastest?
         This worm propagates by attacking vulnerable and unpatched computers
    11. Are there differences between the local and global infections?
         The Patched for the local and global network infections were both relatively
            constant at about 55% and 40%, respectively, from about 22 days after the
            attack started.
         The Infected for the global network infection was about the same, i.e.,
            increasing at about 13 days and then decreasing.
         The Netsky worm caused local harm by emailing itself to email addresses found
            on the local PC. The email was unauthorized.
         The Netsky worm caused global harm by clogging email systems and making
            unauthorized changes to computer systems.
    12. What conclusions can you draw from your analysis of the data?
         Patched systems and vulnerable systems of both local and global networks were
            equally infected at a rate of about 45%.


Analyze the results of the Sasser simulation:
   1. When was the peak infection?
       The infection on the local network peaked at 7 days 5 hours.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
       The infection on the local network stopped spreading at 11 days 5 hours.
   3. What can you infer from the steepness and direction of the slope in the
      graphs?
       The slopes of the local network Patched and Infected are increasing slightly.
       The slope of the global network Infected increased sharply, leveled off
          at 3 days, and decreased at 11 days. The slope of the global network Patched
          was almost zero.
   4. What do sudden changes (infections) indicate?
          a. Sudden changes (infections) indicate that either the infection was suddenly
               stopped, or it suddenly became more infectious.
   5. How rapidly did the infection spread?
          a. The infection spread from vulnerable computers.
          b. The Slammer worm spread the fastest.
   6. Which local networks get infected?
           Get infected first?
                The network with no security got infected first.
           Prevented the spread most effectively?
                The network with strong host and network security prevented the worm
                   spread most effectively.
   7. Did patching help to slow the infection in each of the local networks and
      globally?
          a. Patching helped slow the infection for the local network.
          b. Patching helped slow the infection for the global network.
    8. What interesting patterns did you find?
            a. Local Network: The Patched was infected at a constant rate and reached a
                point of increasing inflection at 35%, about 11 days after the attack started.
                The Infected was infected at a constant rate and reached a maximum of
                40%, and the slope turned downward, at 7 days, after the attack started.
            b. Global Network: The Patched was infected at a constant rate and reached a
                maximum of 10%, about 11 days after the attack started. The Infected was
                infected at a constant rate, at 3 days and 80%, and leveled off and decreased
                to about 60% at about 11 days after the attack started.
    9. Which of the worms spread the fastest?
            a. The Slammer worm spread the fastest.
    10. Based on what you learned about each worm, which kinds of weaknesses and
        infection vectors help to spread the worms the fastest?
            a. This worm propagates by attacking vulnerable and unpatched computers.
    11. Are there differences between the local and global infections?
            a. The Patched for the local network infection was mild, whereas the global
                network was almost zero infected at 11 days after the attack started.
            b. The Infected for the global network infection was more dramatic at
                about 70%, compared to the local network, which was mild at about a
                40% infection rate at 7 days after the infection started.
    12. What conclusions can you draw from your analysis of the data?
         Patched systems of the local and global networks were infected at a slower
            infection rate than the vulnerable systems of the local and global networks.


Analyze the results of the Slammer simulation:
   1. When was the peak infection?
       The infection on the local network peaked at 10 minutes.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
       The infection on the local network stopped spreading in 10 seconds.
   3. What can you infer from the steepness and direction of the slope in the
      graphs?
       The slopes of the local network Patched and Infected were both almost zero.
       The slope of the global network Infected was increasing but at 15 days started
          to sharply increase to 100% infection. The slope of the global network Patched
          was almost zero.
   4. What do sudden changes (infections) indicate?
          a. Sudden changes (infections) indicate that either the infection was suddenly
               stopped, or it suddenly became more infectious.
          b. The infection spread from vulnerable computers.
   5. How rapidly did the infection spread?
       The Slammer worm spread the fastest.
   6. Which local networks get infected?
           Get infected first?
                The network with no security got infected first.
           Prevented the spread most effectively?
                The network with strong host and network security prevented the worm
                   spread most effectively.
    7. Did patching help to slow the infection in each of the local networks and
        globally?
            a. Patching did help slow the infection for the local network.
            b. Patching helped slow the infection for the global network.
    8. What interesting patterns did you find?
            a. Local Network: The Patched was not infected (a 0% rate) after 26 days.
                The Infected was almost not infected, at a 5% rate.
            b. Global Network: The Patched was not infected at a 0% rate after 26 days.
                The Infected was infected at a constant rate, at 15 days and 15%, and
                dramatically increased to 100% at about 21 days after the attack started.
    9. Which of the worms spread the fastest?
         The Slammer worm spread the fastest.
    10. Based on what you learned about each worm, which kinds of weaknesses and
        infection vectors help to spread the worms the fastest?
            a. This worm propagates by accumulated lists of IP addresses, and thereby
                attacks vulnerable and unpatched computers.
    11. Are there differences between the local and global infections?
            a. The Patched for both the local and global network infections were at
                zero, i.e., not infected at 26 days after the attack started.
            b. The Infected for the global network infection was more dramatic at
                about 100%, compared to the local network, which was mild at about a
                15% infection rate at 26 days after the infection started.
    12. What conclusions can you draw from your analysis of the data?
         Patched systems of the local and global networks were not infected. The
            Infected systems of the global network were almost totally infected,
            whereas the local network was only mildly infected.


Analyze the results of the SoBig simulation:
   1. When was the peak infection?
       The infection on the local network peaked at 12 days 19 hours.
   2. When did the infections effectively stop spreading (i.e. almost no infection)?
       The infection on the local network stopped spreading at 15 days 8 hours.
   3. What can you infer from the steepness and direction of the slope in the
      graphs?
       The slopes of the local network Patched and Infected both slightly increased.
       The slope of the global network Infected was increasing sharply but at 5 days
          started to sharply decrease from 95% infection. The slope of the global
          network Patched was almost zero and later was slightly infected at 11%, 16 days
          after the start of the attack.
   4. What do sudden changes (infections) indicate?
          a. Sudden changes (infections) indicate that either the infection was suddenly
               stopped, or it suddenly became more infectious.
   5. How rapidly did the infection spread?
          a. The infection spread from vulnerable computers.
  6. Which local networks get infected?
           Get infected first?
               The network with no security got infected first.
           Prevented the spread most effectively?
               The network with strong host and network security prevented the worm
                  spread most effectively.
  7. Did patching help to slow the infection in each of the local networks and
      globally?
          a. For the local network, patching slightly helped slow the infection for the
              first four days; after that it did little to slow the infection.
          b. Patching helped slow the infection for the global network.
  8. What interesting patterns did you find?
          a. Local Network: The Patched was infected at a constant rate and reached a
              maximum of 42% at 15 days after the attack started. The Infected was
              infected at a constant rate and reached a maximum of 30% at 12 days after
              the attack started.
          b. Global Network: The Patched was slightly infected, at a 12% rate, 16 days
              after the attack started. The Infected was infected at a constant rate, at
              5 days and 95%, and decreased to 68% at about 15 days after the attack
              started.
  9. Which of the worms spread the fastest?
       The Slammer worm spread the fastest.
  10. Based on what you learned about each worm, which kinds of weaknesses and
      infection vectors help to spread the worms the fastest?
          a. It propagates through email, so this implies that users are opening emails of
              unknown origin.
  11. Are there differences between the local and global infections?
          a. The Patched for the local network was mild at 52%, whereas the global
              network was lower at 12% at 15 days after the attack started.
          b. The Infected for the global network infection was more dramatic at
              about 96%, compared to the local network, which was mild at about a
              42% infection rate at 15 days after the infection started.
  12. What conclusions can you draw from your analysis of the data?
       Patched systems on the local network were mildly infected, whereas those on the
          global network were about half infected. The Infected systems of the global
          network were almost totally infected, whereas the local network was mildly
          infected, at about half the rate of the global network's Infected systems.

Compare the Similarities and Dissimilarities of the Worms

Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what
the worms actually do) . . .
    o How do the worms differ from one another? (A table may be a good way to
       highlight the differences.)
          o One of the worms propagated through compiled lists of IP addresses.
          o The Slammer worm had the fastest infection rate.

        o There was no correlation between the local and global network infection
            rates.
    o How are the worms similar?
        o The worms all infected vulnerable systems.
        o The systems that were generally patched were less infected.
        o Most of the worms propagated through email addresses harvested from the
            infected machines.

Bibliography

http://www.f-secure.com/v-descs/
http://www.f-secure.com/v-descs/bagle.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EM&VSect=S
http://www.cert.org/tech_tips/Melissa_FAQ.html
http://www.pcworld.com/news/article/0,aid,108988,00.asp
http://www.rbs2.com/cvirus.htm
http://www.wholesecurity.com/threat/cost_of_worms.html
http://www.naisolutions.com/Products/LANDesk/AddOns/patchManager.htm
http://redmondmag.com/news/article.asp?Editoria  lsID=6142
http://www.next-gendatacenterforum.com/document.asp?doc_id=67044
Appendix

Worm Simulator Results (the simulator plots and annotated screen shots are not reproduced
in this text version; only the panel titles survive)

Blaster Local Results Peak: Strong host security and network security; No Security;
Only firewall security; Only host security
MyDoom Global Network Peak and MyDoom Local Results Peak: Strong host security and network
security; No Security; Only firewall security; Only host security
Netsky Local Results Peak: Strong host security and network security; No Security;
Only firewall security; Only host security
Sasser Local Results Peak: Strong host security and network security; No Security;
Only firewall security; Only host security
Slammer Global Network Peak and Slammer Local Results Peak: Strong host security and
network security; No Security; Only firewall security; Only host security
SoBig Local Results Peak: Strong host security and network security; No Security;
Only firewall security; Only host security

Contenu connexe

Tendances

42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
File inflection techniques
File inflection techniquesFile inflection techniques
File inflection techniquesSandun Perera
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Stuxnet - Case Study
Stuxnet  - Case StudyStuxnet  - Case Study
Stuxnet - Case StudyAmr Thabet
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
V!R0L0gy - Malwares vs Glitch Art
V!R0L0gy - Malwares vs Glitch ArtV!R0L0gy - Malwares vs Glitch Art
V!R0L0gy - Malwares vs Glitch ArtDomenico Barra
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...UltraUploader
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesCyphort
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion TechniquesThomas Roccia
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit frameworkLe Quyen
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverGregory Hanis
 
5 worms and other malware
5   worms and other malware5   worms and other malware
5 worms and other malwaredrewz lin
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 

Tendances (16)

42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
File inflection techniques
File inflection techniquesFile inflection techniques
File inflection techniques
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
Computer virus 2
Computer virus 2Computer virus 2
Computer virus 2
 
Stuxnet - Case Study
Stuxnet  - Case StudyStuxnet  - Case Study
Stuxnet - Case Study
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
V!R0L0gy - Malwares vs Glitch Art
V!R0L0gy - Malwares vs Glitch ArtV!R0L0gy - Malwares vs Glitch Art
V!R0L0gy - Malwares vs Glitch Art
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
MMW Anti-Sandbox Techniques
MMW Anti-Sandbox TechniquesMMW Anti-Sandbox Techniques
MMW Anti-Sandbox Techniques
 
Malware Evasion Techniques
Malware Evasion TechniquesMalware Evasion Techniques
Malware Evasion Techniques
 
metaploit framework
metaploit frameworkmetaploit framework
metaploit framework
 
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live ForeverTelehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
 
5 worms and other malware
5   worms and other malware5   worms and other malware
5 worms and other malware
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
 

En vedette

Fluid Studio Effective Networking Principles (BYU Student Alumni Association)
Fluid Studio Effective Networking Principles (BYU Student Alumni Association)Fluid Studio Effective Networking Principles (BYU Student Alumni Association)
Fluid Studio Effective Networking Principles (BYU Student Alumni Association)John Dye ( dyejo, inc. )
 
Fluid Studio Twitter Presentation March 2009
Fluid Studio Twitter Presentation March 2009Fluid Studio Twitter Presentation March 2009
Fluid Studio Twitter Presentation March 2009John Dye ( dyejo, inc. )
 
Social Media—Guiding Principles and Application Uses
Social Media—Guiding Principles and Application UsesSocial Media—Guiding Principles and Application Uses
Social Media—Guiding Principles and Application UsesJohn Dye ( dyejo, inc. )
 

En vedette (6)

Fluid Studio Effective Networking Principles (BYU Student Alumni Association)
Fluid Studio Effective Networking Principles (BYU Student Alumni Association)Fluid Studio Effective Networking Principles (BYU Student Alumni Association)
Fluid Studio Effective Networking Principles (BYU Student Alumni Association)
 
Fluid Studio Twitter Presentation March 2009
Fluid Studio Twitter Presentation March 2009Fluid Studio Twitter Presentation March 2009
Fluid Studio Twitter Presentation March 2009
 
Social Media—Guiding Principles and Application Uses
Social Media—Guiding Principles and Application UsesSocial Media—Guiding Principles and Application Uses
Social Media—Guiding Principles and Application Uses
 
09 You Tube University
09 You Tube University09 You Tube University
09 You Tube University
 
Alphagraphics Utah Social Media Seminar
Alphagraphics Utah Social Media SeminarAlphagraphics Utah Social Media Seminar
Alphagraphics Utah Social Media Seminar
 
MARKETING STRATEGY IN THE AGE OF DIGITAL
MARKETING STRATEGY IN THE AGE OF DIGITALMARKETING STRATEGY IN THE AGE OF DIGITAL
MARKETING STRATEGY IN THE AGE OF DIGITAL
 

Similaire à Worm Propagation Simulation Analysis

Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Zotob Worm
Zotob WormZotob Worm
Zotob Wormyotengo4
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec
 
Ransomware History and Monitoring Tips
Ransomware History and Monitoring TipsRansomware History and Monitoring Tips
Ransomware History and Monitoring TipsNetFort
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksCyphort
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....Shah Sheikh
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Florin D. Tanasache
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web WorkshopDennis Maldonado
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 

Similaire à Worm Propagation Simulation Analysis (20)

Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Zotob Worm
Zotob WormZotob Worm
Zotob Worm
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
Ransomware History and Monitoring Tips
Ransomware History and Monitoring TipsRansomware History and Monitoring Tips
Ransomware History and Monitoring Tips
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value Attacks
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1Penetration Testing Project Game of Thrones CTF: 1
Penetration Testing Project Game of Thrones CTF: 1
 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
 
Malware
MalwareMalware
Malware
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart Stuxnet
 
Information security
Information securityInformation security
Information security
 

Dernier

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Dernier (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Worm Propagation Simulation Analysis

  • 1. Page 1 of 22 Name: Allen Galvan Due: 22 November 2005 CSFI 214: Information Security Systems Analysis – Fall 2005 Lab #4: Worms Last printed 11/20/2005 22:43:00 a11/p11 Page 1 of 22
  • 2. Page 2 of 22 Directions................................................................................................................................. .3 Worm Propagation Simulation (Local/Global Networks) Introduction.................................4 . Summarize each Worm......................................................................................... ...................4 Analyze each Worm Simulation....................................................................... .......................6 Compare the Similarities and Dissimilarities of the Worms ..................................................................................................................... ...........................13 Bibliography............................................................................................................ ...............15 Appendix..................................................................................................... ...........................16 Last printed 11/20/2005 22:43:00 a11/p11 Page 2 of 22
  • 3. Page 3 of 22 Directions Hand in a report with the answers to these questions. You must include an appendix with each of the plots and annotated screen shots for each worm. o The raw data must be included in the Excel spreadsheet when the assignment is sent electronically. Last printed 11/20/2005 22:43:00 a11/p11 Page 3 of 22
  • 4. Page 4 of 22 Worm Propagation Simulation (Local/Global Networks) Introduction The worm simulation is giving us an idea of the behavior of the worm over a period of time and regarding various shades of protected and unprotected local and global networks. Summarize each Worm For each worm, write a short summary that includes the following kinds of information: o Name: SoBig.A (W32.Sobig.A@mm), 1/16/2003 o Propagation: o It searches for e-mail addresses, so that it can attack other computers and propagate. o Payload: o Sobig has no damaging payload. o Noteworthy points: o The W32.Sobig.A@mm worm scans all .txt, .eml, .html, .htm, .dbx and .wab files on a target computer. o It can by identified by the sending address of big@boss.com. o Download a removal tool at Security Response Sobig A page. o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1 o Name: Slammer (Saphire), 1/25/03 o Propagation o The worm sequentially or randomly scans for IP addresses. o The worm infects computers from a list of IP addresses. These IP addresses were accumulated by the attacker(s), or gotten from information from the infected computer host. o The worm waits for the target computer to contact it, and then it propagates to other computers. o Payload o The payload routines are separate from the propagation routines. o Payload examples are:  Internet Remote Control to control a user’s computer remotely.  Spam Relays to let Spammers hide their IP addresses.  HTML Proxies, which make it hard to shut down illegal websites.  DoS attacks.  Data Collection, for valuable financial information on the infected computer’s hard drive.  Sell the computer as a “zombie army” for profit.  http://www.cs.unc.edu/~jeffay/courses /nidsS05/slides/4-Early-DoS- Worms.pdf o Noteworthy points o The Slammer worm is also known as the Sapphire worm. Last printed 11/20/2005 22:43:00 a11/p11 Page 4 of 22
  • 5. Page 5 of 22 o The Sapphire Worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. o It infected more than 90 percent of vulnerable hosts within 10 minutes. o Sapphire exploited a buffer overflow vulnerability on host computers connected to the Internet runnin Microsoft's SQL Server or MSDE 2000 g (Microsoft SQL Server Desktop Engine). o This vulnerability is an underlying indexing service that was discovered in July 2002. Microsoft released a patch to fix the vulnerability before it was announced[1]. o The worm infected at least 75,000 host computers. It caused network outages. It caused canceled airline flights, interference with elections, and ATM failures. o Several disassembled versions of the source code of the worm are available. [2]. o Name: Blaster (W32.Blaster.Worm), 8/12/03 o Propagation: o The infected host computer runs a copy of msblast.exe, that it found on the target computer and it begins scanning for other vulnerable computers to compromise in the same way. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. o Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026. o Ref: http://www.cert.org/advisories/CA-2003-20.html o Ref: http://microsoft.com/technet/treeview/default.asp?url=/tech o Ref: http://isc.sans.org/show_comment.php?id=350 o Payload o Msblast.exe o Noteworthy points o The Blaster worm spreads to unpatched and unprotected Windows 2000/XP host computers. o It exploits a Buffer Overrun In RPC Interface vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, it attempts to retrieve a copy of the file msblast.exe from the infected host. 
o The infected host computer may suddenly and repeatedly crash or reboot. o It may also perform a DoS on http://www.windowsupdate.com. This would stop the host from downloading the patch to address the vulnerabiity. l o Download the patch at Microsoft Security Bulletin MS03-026. o Ref: Symantec W32.Blaster.Worm page o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1 o Name: Netsky (W32.Netsky@mm), 4/20/04 o Propagation Last printed 11/20/2005 22:43:00 a11/p11 Page 5 of 22
  • 6. Page 6 of 22 o It sends itself to the email addresses on hard drives and mapped drives. o Payload o No payload. o Noteworthy points o The W32.Netsky@mm worm that has its own mass mailing method. o It uses an SMTP mailing engine. o The body, subject line, and attachment of the emails vary. o Download a removal tool at Security Response Netsky page. o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1 o Name: Sasser (W32.Sasser.Worm), 5/10/04 o Propagation o The infected Sasser host systems are used to infect other host computers. o Payload o No payload. o Noteworthy points o The W.32.Sasser worm and its variants run on Window 95/98/Me host s computer machines. These operating systems were not infected by the Sasser worm. o An infected Windows XP and 2000 computer may crash or suddenly and repeatedly reboot. o Download the patch fix at Microsoft Security Bulletin MS04-011. o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1 o Name: MyDoom (W32.Mydoom.M), 7/26/04 o Propagation o It propagates by sending itself to the email addresses it finds on the systems that it infects. o Payload o Noteworthy points o The W32.Mydoom.M@mm worm is a mass emailer worm. o It has its own SMTP emailing method. o Find a removal tool at Security Response W32.Mydoom.M page. o Ref: http://www.chariot.net.au/viruslist.php?page=101031&v=1 Analyze each Worm Simulation Analyze the results of each simulation:  Blaster  MyDoom  Netsky  Sasser  Slammer  SoBig Last printed 11/20/2005 22:43:00 a11/p11 Page 6 of 22
Analyze the results of the Blaster simulation:

1. When was the peak infection for the local network?
    The peak infection on the local network occurred at 8 days 10 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading at 9 days 10 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves are increasing slightly.
    The slope of the global network Infected curve is increasing dramatically, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
    Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
    The infection spread from vulnerable computers.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
    On the local network, patching helped slow the infection until about five and a half days, after which it no longer helped.
    Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
    Local Network: the Patched infection rate reached an asymptote of 40%, whereas the Infected infection rate reached a maximum of 20%, nine days after the attack started.
    Global Network: the Patched systems had a very low infection rate. The Infected infection rate was constant and reached a maximum of 100% 3 days after the attack started.
9. Which of the worms spread the fastest?
    The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
    This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
    The Patched systems on both networks were relatively protected and had a mild infection rate at 9 days after the attack started.
    The Infected rate on the local network was mild, whereas the infection on the global network covered almost the whole network at 9 days after the attack started.
12. What conclusions can you draw from your analysis of the data?
    Patched systems were more slowly infected compared to vulnerable systems. The local network infection was mild, whereas the global network was almost entirely infected.

Analyze the results of the MyDoom simulation:

1. When was the peak infection of the local network?
    The peak infection on the local network occurred at 13 days 2 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading at 13 days 2 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves are increasing slightly.
    The slope of the global network Infected curve is increasing mildly, while the slope of the global network Patched curve is almost zero.
4. What do sudden changes (infections) indicate?
    Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
    Patching did little to slow the infection on the local network.
    Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
    Local Network: The Patched systems were infected at a constant rate and reached a maximum of 40%. The Infected systems were infected at a constant rate and reached a maximum of 32%, about 13 days after the attack started.
    Global Network: The Patched systems were infected at a constant rate and reached a maximum of 5%, 14 days after the attack started. The Infected systems were infected at a constant rate and reached a maximum of 50%, about 10 days after the attack started.
9. Which of the worms spread the fastest?
    The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
    This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
    The Patched infection on the local network was slightly more dramatic at 40%, whereas on the global network it was minor at 5%, at 15 days after the attack started.
    The Infected rate on the global network was about the same, i.e., constant at about 45% at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
    Patched systems were more slowly infected compared to vulnerable systems. The local and global networks were both mildly infected.

Analyze the results of the Netsky simulation:

1. When was the peak infection?
    The peak infection on the local network occurred at 16 days 9 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading at 23 days 14 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves are increasing slightly. The Infected slope reached a point of inflection at 15 days and began decreasing.
    The slope of the global network Infected curve increased sharply, leveled off at 13 days, and decreased at 21 days. The slope of the global network Patched curve increased slightly.
4. What do sudden changes (infections) indicate?
    Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
    The infection spread from vulnerable computers.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
    Patching did not help slow the infection on the local network.
    Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
    Local Network: The Patched systems were infected at a constant rate and reached a point of increasing inflection at 70%, about 23 days after the attack started. The Infected systems were infected at a constant parabolic rate and reached a maximum of 32%; the slope then turned downward at 15.5 days, to a point of 18% at 23 days after the attack started.
    Global Network: The Patched systems were infected at a constant rate and reached a maximum of 30%, about 23 days after the attack started. The Infected systems were infected at an exponential rate, reaching 63% at 13 days, then leveled off and decreased to about 53% at about 20 days after the attack started.
9. Which of the worms spread the fastest?
    The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
    This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
    The Patched curves for the local and global networks were both relatively constant at about 55% and 40%, respectively, from about 22 days after the attack started.
    The Infected curve for the global network was about the same, i.e., increasing until about 13 days and then decreasing.
    The Netsky worm caused local computer harm by spreading itself, emailing itself to email addresses found on the local PC. The email was unauthorized.
    The Netsky worm caused global harm by clogging email systems and making unauthorized changes to computer systems.
12. What conclusions can you draw from your analysis of the data?
    Patched systems and vulnerable systems of both the local and global networks were equally infected, at a rate of about 45%.

Analyze the results of the Sasser simulation:

1. When was the peak infection?
    The peak infection on the local network occurred at 7 days 5 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading at 11 days 5 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves are increasing slightly.
    The slope of the global network Infected curve increased sharply, leveled off at 3 days, and decreased at 11 days. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
   b. The Slammer worm spread the fastest.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. Patching helped slow the infection on the local network.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched systems were infected at a constant rate and reached a point of increasing inflection at 35%, about 11 days after the attack started. The Infected systems were infected at a constant rate and reached a maximum of 40%, and the slope turned downward at 7 days after the attack started.
   b. Global Network: The Patched systems were infected at a constant rate and reached a maximum of 10%, about 11 days after the attack started. The Infected systems were infected at a constant rate, reaching 80% at 3 days, then leveled off and decreased to about 60% at about 11 days after the attack started.
9. Which of the worms spread the fastest?
   a. The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. This worm propagates by attacking vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   a. The Patched infection on the local network was mild, whereas the global network was almost zero infected at 11 days after the attack started.
   b. The Infected rate on the global network was more dramatic at about 70%, compared to the local network, which was mild at about a 40% infection rate at 7 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
    Patched systems of the local and global networks were infected at a slower infection rate than the vulnerable systems of the local and global networks.

Analyze the results of the Slammer simulation:

1. When was the peak infection?
    The peak infection on the local network occurred at 10 minutes.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading in 10 seconds.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves were both almost zero.
    The slope of the global network Infected curve was increasing, but at 15 days started to sharply increase to 100% infection. The slope of the global network Patched curve was almost zero.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
   b. The infection spread from vulnerable computers.
5. How rapidly did the infection spread?
    The Slammer worm spread the fastest.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. Patching did help slow the infection on the local network.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched systems were not infected, at a 0% rate after 26 days. The Infected systems were almost not infected, at a 5% rate.
   b. Global Network: The Patched systems were not infected, at a 0% rate after 26 days. The Infected systems were infected at a constant rate, reaching 15% at 15 days, and dramatically increased to 100% at about 21 days after the attack started.
9. Which of the worms spread the fastest?
    The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. This worm propagates by accumulated lists of IP addresses, and thereby attacks vulnerable and unpatched computers.
11. Are there differences between the local and global infections?
   a. The Patched curves for both the local and global networks were at zero, i.e., not infected at 26 days after the attack started.
   b. The Infected rate on the global network was more dramatic at about 100%, compared to the local network, which was mild at about a 15% infection rate at 26 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
    Patched systems of the local and global networks were not infected. The Infected systems on the global network were almost totally infected, whereas the local network was mildly infected.

Analyze the results of the SoBig simulation:

1. When was the peak infection?
    The peak infection on the local network occurred at 12 days 19 hours.
2. When did the infections effectively stop spreading (i.e. almost no infection)?
    The infection on the local network stopped spreading at 15 days 8 hours.
3. What can you infer from the steepness and direction of the slope in the graphs?
    The slopes of the local network Patched and Infected curves both slightly increased.
    The slope of the global network Infected curve was increasing sharply, but at 5 days started to sharply decrease from 95% infection. The slope of the global network Patched curve was almost zero and later rose slightly, to 11% infected at 16 days after the start of the attack.
4. What do sudden changes (infections) indicate?
   a. Sudden changes (infections) indicate that either the infection was suddenly stopped, or it suddenly became more infectious.
5. How rapidly did the infection spread?
   a. The infection spread from vulnerable computers.
6. Which local networks get infected?
    Get infected first?
       The network with no security got infected first.
    Prevented the spread most effectively?
       The network with strong host and network security prevented the worm spread most effectively.
7. Did patching help to slow the infection in each of the local networks and globally?
   a. On the local network, patching slightly helped slow the infection for the first four days, and after that did little to slow it.
   b. Patching helped slow the infection on the global network.
8. What interesting patterns did you find?
   a. Local Network: The Patched systems were infected at a constant rate and reached a maximum of 42% at 15 days after the attack started. The Infected systems were infected at a constant rate and reached a maximum of 30% at 12 days after the attack started.
   b. Global Network: The Patched systems were slightly infected, at a 12% rate, 16 days after the attack started. The Infected systems were infected at a constant rate, reaching 95% at 5 days, and decreased to 68% at about 15 days after the attack started.
9. Which of the worms spread the fastest?
    The Slammer worm spread the fastest.
10. Based on what you learned about each worm, which kinds of weaknesses and infection vectors help to spread the worms the fastest?
   a. It propagates through email, so this implies that users are opening emails of unknown origin.
11. Are there differences between the local and global infections?
   a. The Patched rate on the local network was mild at 52%, whereas the global network was lower at 12% at 15 days after the attack started.
   b. The Infected rate on the global network was more dramatic at about 96%, compared to the local network, which was mild at about a 42% infection rate at 15 days after the infection started.
12. What conclusions can you draw from your analysis of the data?
    Patched systems on the local network were mildly infected, whereas on the global network about half were infected. The Infected systems on the global network were almost totally infected, whereas the local network was mildly infected, at about half the rate of the Infected global network.

Compare the Similarities and Dissimilarities of the Worms

Based on your readings from the Anti-Virus vendors, from a behavioral perspective (what the worms actually do) . . .

o How do the worms differ from one another? (A table may be a good way to highlight the differences.)
   o One of the worms propagated through compiled lists of IP addresses.
   o The Slammer worm had the fastest infection rate.
   o There was no correlation between the local and global network infection rates.
o How are the worms similar?
   o The worms all infected vulnerable systems.
   o The systems that were generally patched were less infected.
   o Most of the worms propagated through email addresses harvested from the infected machines.
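The patched-versus-vulnerable behaviour analysed above, as an added example that is not part of the original report or of the simulator it used: a deterministic vulnerable/infected/patched model of one local network under the four security postures plotted in the appendix, reporting the peak infection time and when spreading effectively stops. All contact, firewall, patch and clean-up rates are assumed values chosen for illustration, not measured worm data.

```python
"""Mean-field worm propagation model with patching (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    name: str
    firewall_block: float  # fraction of inbound scan contacts the firewall blocks
    patch_rate: float      # hourly fraction of vulnerable hosts patched
    clean_rate: float      # hourly fraction of infected hosts cleaned and patched

# The four postures the simulator plots, with assumed (not measured) rates.
POSTURES = [
    Posture("No security", 0.0, 0.0, 0.0),
    Posture("Only firewall security", 0.9, 0.0, 0.0),
    Posture("Only host security", 0.0, 0.02, 0.01),
    Posture("Strong host security and network security", 0.9, 0.02, 0.01),
]

def simulate(posture, contact=0.5, hours=24 * 30, seed=0.001):
    """Step hourly; return infected, patched and new-infection fractions."""
    v, i, p = 1.0 - seed, seed, 0.0  # vulnerable, infected, patched fractions
    beta = contact * (1.0 - posture.firewall_block)  # effective contact rate
    infected, patched, new_inf = [], [], []
    for _ in range(hours):
        ni = beta * i * v            # vulnerable hosts hit by infected scanners
        pv = posture.patch_rate * v  # vulnerable hosts patched before infection
        ci = posture.clean_rate * i  # infected hosts cleaned and patched
        v += -ni - pv
        i += ni - ci
        p += pv + ci
        infected.append(i)
        patched.append(p)
        new_inf.append(ni)
    return infected, patched, new_inf

def peak_hour(series):
    """First hour at which the series reaches its maximum."""
    return max(range(len(series)), key=series.__getitem__)

def stop_hour(new_inf, threshold=1e-4):
    """First hour at or after the peak of new infections at which fewer than
    `threshold` of all hosts are newly infected per hour; None if never."""
    for h in range(peak_hour(new_inf), len(new_inf)):
        if new_inf[h] < threshold:
            return h
    return None

def fmt_hours(hours):
    """Render an hour count the way the report does, e.g. '8 days 10 hours'."""
    return f"{hours // 24} days {hours % 24} hours"

def run_all():
    """Peak and stop statistics for every posture, keyed by posture name."""
    results = {}
    for posture in POSTURES:
        infected, patched, new_inf = simulate(posture)
        results[posture.name] = {
            "peak_infected": max(infected),
            "peak_hour": peak_hour(infected),
            "stop_hour": stop_hour(new_inf),
            "final_patched": patched[-1],
        }
    return results

if __name__ == "__main__":
    for name, r in run_all().items():
        stop = "never" if r["stop_hour"] is None else fmt_hours(r["stop_hour"])
        print(f"{name}: peak {r['peak_infected']:.1%} at {fmt_hours(r['peak_hour'])}, "
              f"spread stops at {stop}, {r['final_patched']:.1%} patched")
```

Host patching bounds the peak and drives the patched fraction toward 100%, while a firewall alone only delays the same peak; that is the pattern the Patched and Infected curves in the analysis above are read for.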
Appendix

Worm Simulator Results

[Figure: Blaster Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]
[Figure: MyDoom Global Network (peak annotated) and MyDoom Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]
[Figure: Netsky Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]
[Figure: Sasser Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]
[Figure: Slammer Global Network (peak annotated) and Slammer Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]
[Figure: SoBig Local Results (peak annotated); panels: No Security, Only firewall security, Only host security, Strong host security and network security]