Code-Red: a case study on the spread and victims of an Internet worm
David Moore, Colleen Shannon, Jeffery Brown
Jonghyun Kim
Contents
• Introduction
• Objectives
• Background
• Worm trace collection methodology
• Analyzed results
• Animation of Code-Red I v2
• Summary and conclusion
Introduction
• Virus vs. Worm
- Virus:
1. does not try to break into machines on its own
2. spreads through a user's action (running or opening an infected file)
3. attaches itself to another program
- Worm:
1. breaks into machines by exploiting a vulnerability
2. spreads on its own, without any user action
3. exists as separate code in memory rather than inside a host program
• Some worms
- Morris, Nov 2, 1988
- WANK, Oct 1989
- Ramen, Jan 2001
- Lion, Mar 2001
- Code-Red, Jul 2001
Objectives
• Collect packet information generated by Code-Red
(How is this information collected, and how is Code-Red traffic identified?)
• Analyze the spread of Code-Red
• Trace the geographic locations and top-level domains in which Code-Red resides
Background
• The chronology of the Code-Red outbreak
1. On Jun 18, 2001, eEye released information about a buffer-overflow vulnerability in the Indexing Service ISAPI extension (.ida) of Microsoft's IIS web servers.
2. On Jun 26, 2001, Microsoft released a patch for the vulnerability.
3. On Jul 12, 2001, Code-Red I v1 began spreading by exploiting the above vulnerability.
4. On Jul 19, 2001, Code-Red I v2 began spreading.
5. On Aug 4, 2001, Code-Red II began spreading.
* Estimated cost of recovering from Code-Red: 2.6 billion US dollars
• Characteristics of Code-Red
1. Code-Red I v1:
- Uses a static seed for its random number generator, so every infected host generates the same list of target IP addresses
- Between the 1st and 19th of every month it attempts to infect machines (infection phase)
- Between the 20th and 28th it stops infecting machines and runs a DoS attack against www1.whitehouse.gov (attack phase)
- From the 29th to the last day of the month it does nothing (dormant phase)
* Scanning mechanism: every newly infected host starts the same target sequence from the beginning (1, 2, 3, ...), so new victims keep probing addresses that earlier victims have already probed. Therefore the spread is slow.
2. Code-Red I v2:
- Identical to Code-Red I v1 except that it uses a random seed, so each infected host generates a different list of IP addresses
* Scanning mechanism: each infected host walks its own target sequence (1, 5, 2, 1, 4, 2, 3, ...), so the set of addresses probed grows with the number of infected hosts. Therefore the spread is much faster than Code-Red I v1.
Intuitively, the number of infected hosts grows exponentially while most of the vulnerable population is still uninfected, since every new victim adds an independent scanner.
3. Code-Red II:
- Installs a backdoor (more dangerous than Code-Red I)
- Lies dormant for a day to avoid being noticed by the system administrator (slow start to infection)
- After the machine reboots, it begins to spread
* Scanning mechanism (assume the infected host's IP address is 10.9.8.7):
Target range          Relative amount of probes
X.X.X.X (anywhere)    1/8
10.X.X.X (same /8)    1/2
10.9.X.X (same /16)   3/8
Idea: hosts within the network of an infected host are likely to run the same vulnerable software.
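The three target-selection strategies above, modelled side by side as an added example (this is not the worm's code and not code from the paper). It shows the property each slide relies on: with a static seed every host produces the identical list, so a monitored prefix sees the same addresses no matter how many hosts are infected; with a per-host seed the probed set grows with the number of infected hosts; and Code-Red II's probes split roughly 1/8, 1/2 and 3/8 between anywhere, the host's own /8 and its own /16. The seed values, the per-host nonce and the monitored prefix 10.0.0.0/8 are assumptions.

```python
"""Added example: the three Code-Red target-selection strategies from the
slides, modelled side by side. This is not the worm's code and not code from
the paper; the seeds, the per-host nonce and the monitored /8 are assumptions."""
import ipaddress
import random
from collections import Counter


def ip(dotted):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def static_seed_targets(n, seed=0x12345678):
    """Code-Red I v1: every host seeds its PRNG with the same constant (value
    assumed here), so every infected host walks the identical target list."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def random_seed_targets(n, host_ip, nonce=0):
    """Code-Red I v2: per-host seed. Mixing the host address with a nonce is an
    assumption standing in for whatever entropy the real worm used."""
    rng = random.Random((host_ip << 32) ^ nonce)
    return [rng.getrandbits(32) for _ in range(n)]


def code_red_ii_targets(n, host_ip, seed=1):
    """Code-Red II: 1/8 of probes fully random, 1/2 inside the host's own /8,
    3/8 inside its own /16 (the relative amounts shown on the slide)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        r = rng.random()
        if r < 1 / 8:
            t = rng.getrandbits(32)                             # X.X.X.X
        elif r < 1 / 8 + 1 / 2:
            t = (host_ip & 0xFF000000) | rng.getrandbits(24)    # 10.X.X.X
        else:
            t = (host_ip & 0xFFFF0000) | rng.getrandbits(16)    # 10.9.X.X
        out.append(t)
    return out


def locality(target, host_ip):
    """Bucket a probe relative to the probing host: same /16, same /8, or other."""
    if target >> 16 == host_ip >> 16:
        return "same/16"
    if target >> 24 == host_ip >> 24:
        return "same/8"
    return "other"


def probe_mix(host, n=40000):
    """Fraction of Code-Red II probes in each locality bucket for one host."""
    h = ip(host)
    counts = Counter(locality(t, h) for t in code_red_ii_targets(n, h))
    return {k: v / n for k, v in counts.items()}


def monitored_coverage(gen, hosts, prefix, n=100000):
    """Distinct addresses inside a monitored prefix that a set of infected hosts
    would probe; gen(n, host_int) is one of the generators above."""
    net = ipaddress.ip_network(prefix)
    lo, hi = int(net[0]), int(net[-1])
    seen = set()
    for h in hosts:
        seen.update(t for t in gen(n, ip(h)) if lo <= t <= hi)
    return seen


if __name__ == "__main__":
    hosts = ["192.0.2.1", "198.51.100.9", "203.0.113.5", "192.0.2.77", "198.51.100.200"]
    v1 = lambda n, h: static_seed_targets(n)    # ignores the host: same list everywhere
    print("v1 lists identical:", static_seed_targets(5) == static_seed_targets(5))
    print("v2 lists differ:", random_seed_targets(5, ip(hosts[0])) != random_seed_targets(5, ip(hosts[1])))
    print("Code-Red II probe mix from 10.9.8.7:", probe_mix("10.9.8.7"))
    for name, gen in (("v1 static", v1), ("v2 random", random_seed_targets)):
        one = len(monitored_coverage(gen, hosts[:1], "10.0.0.0/8"))
        five = len(monitored_coverage(gen, hosts, "10.0.0.0/8"))
        print(f"{name}: research /8 addresses seen from 1 host = {one}, from 5 hosts = {five}")
```

The `monitored_coverage` numbers are the observatory's view: for the static-seed generator the set is the same whether one or five hosts are infected, which is exactly why every v1 victim later shows up probing the same handful of research-network addresses; for the random-seed generator the set grows with the victim count. The "same /8" bucket of Code-Red II occasionally lands inside the host's own /16 as well, so the measured 3/8 share is very slightly above 0.375.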
Worm trace collection methodology
• Three sources were used to collect the worm packets:
- A passive network monitor within a /8 network
- A passive network monitor within a /16 network
- A backup data set from a filtering router
• Worm identification
If a host sends at least two TCP SYN packets on port 80 to two different hosts within the research network, the host is considered infected.
Figure: an infected host probing the research network, observed by the /8 monitor, the /16 monitor and the filtering router.
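The identification rule above, run over a constructed SYN log as an added example (this is not the authors' code). It flags a source only once it has sent SYNs on port 80 to two distinct hosts inside the monitored prefix, and then builds the one-minute infection and deactivation histograms that the results section plots. The log lines, the monitored prefix 10.0.0.0/8, and the rule "last SYN seen = deactivation time" are assumptions.

```python
"""Added example: the slide's infection heuristic run over a constructed SYN
log, with the one-minute infection and deactivation histograms the results
section plots. Not the authors' code: the log lines, the monitored prefix
10.0.0.0/8 and the "last SYN seen = deactivation" rule are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

RESEARCH_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed monitored prefix

# Constructed records, one per TCP SYN seen by a passive monitor (key=value fields).
SAMPLE_LOG = """\
2001-07-19T10:00:05 src=203.0.113.7 dst=10.3.9.1 dport=80 flags=S
2001-07-19T10:00:07 src=203.0.113.7 dst=10.77.2.4 dport=80 flags=S
2001-07-19T10:00:09 src=198.51.100.5 dst=10.3.9.1 dport=80 flags=S
2001-07-19T10:00:10 src=198.51.100.5 dst=10.3.9.1 dport=80 flags=S
2001-07-19T10:00:12 src=198.51.100.5 dst=10.3.9.1 dport=80 flags=S
2001-07-19T10:01:30 src=192.0.2.44 dst=10.5.5.5 dport=80 flags=S
2001-07-19T10:01:31 src=192.0.2.44 dst=10.5.5.6 dport=80 flags=S
2001-07-19T10:01:40 src=192.0.2.44 dst=10.5.5.7 dport=80 flags=S
2001-07-19T10:02:00 src=203.0.113.9 dst=10.1.1.1 dport=22 flags=S
2001-07-19T10:02:01 src=203.0.113.9 dst=10.1.1.2 dport=22 flags=S
2001-07-19T10:02:15 src=203.0.113.7 dst=10.9.9.9 dport=80 flags=S
2001-07-19T10:03:00 src=192.0.2.44 dst=172.16.0.1 dport=80 flags=S
"""


@dataclass
class HostStats:
    targets: set = field(default_factory=set)   # distinct research-net hosts probed
    first: Optional[datetime] = None            # first SYN = infection time
    last: Optional[datetime] = None             # last SYN = deactivation time (assumption)


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with parsed ts and dport."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def classify_hosts(lines, research_net=RESEARCH_NET, min_targets=2):
    """Return {src: HostStats} for every source that sent TCP SYNs on port 80
    to at least `min_targets` distinct hosts inside the research network."""
    stats = defaultdict(HostStats)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 80 or rec["flags"] != "S":
            continue                                   # not a web probe
        if ipaddress.ip_address(rec["dst"]) not in research_net:
            continue                                   # outside the monitored prefix
        s = stats[rec["src"]]
        s.targets.add(rec["dst"])
        s.first = rec["ts"] if s.first is None else min(s.first, rec["ts"])
        s.last = rec["ts"] if s.last is None else max(s.last, rec["ts"])
    return {h: s for h, s in stats.items() if len(s.targets) >= min_targets}


def per_minute(stats, attr):
    """One-minute histogram of infections (attr='first') or deactivations (attr='last')."""
    counts = defaultdict(int)
    for s in stats.values():
        counts[getattr(s, attr).strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(sorted(counts.items()))


def cumulative(counts):
    """Running total over a per-minute histogram, as plotted on the slides."""
    total, out = 0, []
    for minute, n in counts.items():
        total += n
        out.append((minute, total))
    return out


if __name__ == "__main__":
    infected = classify_hosts(SAMPLE_LOG.splitlines())
    for host, s in infected.items():
        print(f"{host}: {len(s.targets)} targets, first {s.first:%H:%M:%S}, last {s.last:%H:%M:%S}")
    print("infections/min:", per_minute(infected, "first"))
    print("cumulative:", cumulative(per_minute(infected, "first")))
    print("deactivations/min:", per_minute(infected, "last"))
```

Two sources in the sample are deliberately not flagged: 198.51.100.5 retries the same web server three times (a normal client behaviour, one distinct target), and 203.0.113.9 scans port 22. The rule only works because the monitored prefix sees little legitimate web traffic; a real client browsing two servers inside it would be counted too. The counts are also per IP address, so DHCP churn inflates and NAT deflates the host numbers, as the summary notes.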
Analyzed results
• Outbreak of Code-Red I v1
Figure: normal TCP SYN activity on port 80 versus hosts infected by Code-Red I v1.
- Each infected host probed the same set of 23 IP addresses in the research network because Code-Red I v1 used a static seed
• Outbreak of Code-Red I v2 (infection rate)
Figure: cumulative total of unique IP addresses and one-minute infection rates.
Detected unique IP addresses ≈ 359,000
Peak infection rate ≈ 2,000 hosts/minute
• Outbreak of Code-Red I v2 (deactivation rate)
Figure: cumulative total of deactivated hosts and one-minute deactivation rate. Some infected hosts were patched during the infection phase; the deactivation rate jumps when the worm switches from the infection phase to the attack phase.
The authors' method of identifying infected hosts could not distinguish hosts infected with Code-Red II from those infected with Code-Red I v2, because both worms use a random seed and the monitors only see the SYN packets that reach the research network, so the two probe streams look alike.
• Geographic location of Code-Red I v2
The table of locations was built with the IxMapping service, which maps an IP address to an approximate geographic location.
• Top-level domains in which Code-Red I v2 resides
The table was built with the NetSizer service.
• Top 10 domains (ISPs) in which Code-Red I v2 resides
It shows that machines operated by home users and small businesses make up the majority of infected hosts.
Animation of Code-Red I v2
Summary and conclusion
• This paper shows how much useful information can be extracted from logged IP header data alone (traffic analysis)
• DHCP inflates the number of infected hosts as measured by IP addresses (one host may appear under several addresses over time), whereas NAT deflates it (many hosts hide behind one address). Both factors must be considered when estimating the spread of Internet worms.
• From the worm's viewpoint, the scanning mechanism is the key to spreading fast; from the defender's viewpoint, mitigation of Internet worms has to happen at the ISP level.
Figure (ISP-level mitigation sketch), labels only: Autonomous System; Monitor; Infected host; Messages are protected; Worm scanner; Router; Worm packets; Hardware compiler; Network segment.