Code Red Worm Propagation Modeling and Analysis Zou, Gong, PowerPoint PPT Presentation

1
Code Red Worm Propagation Modeling and Analysis
Zou, Gong, Towsley
  • Michael E. Locasto
  • March 21, 2003

2
Overview
  • Code Red incident: data & impact
  • epidemiology models
  • traditional (biological) infection models
  • two-factor worm model
  • related work & questions
  • (Weaver, Sapphire)

3
Motivation
  • Internet: a great medium for spreading malicious
    code
  • Code Red & Co. renew interest in worm studies
  • Issues
  • How to explain worm propagation curves?
  • What factors affect spreading behavior?
  • Can we generate a more accurate model?

4
Background Code Red
  • Three versions
  • CRv1.1 (bad RNG) July 13, 2001
  • CRv1.2 July 19, 2001
  • CRv2 August, 2001
  • 100 threads, 300k victims
  • maliciously crafted URL (default.ida
    vulnerability)

5
Background The Stack Smash
  • Buffer overflows in C functions
  • gets(), etc.
  • home-grown functions
  • code injection + modify return pointer
  • both parts are critical: an overflow alone does not
    allow you to execute code

6
The Stack Smashing Mechanism
  • Insert junk (NOPs), attack code, and return
    value
  • this is how many worms propagate
  • SQL Slammer fits in one UDP packet. (376 bytes
    of assembly code)

7
Epidemic Models
  • Deterministic vs. Stochastic
  • Simple epidemic model (previous paper)
  • general epidemic model (Kermack-McKendrick: adds the
    notion of removed hosts)
  • good baseline, need to be adjusted to explain
    Internet worm data
  • any model must be deterministic (b/c of scale)

8
Two-Factor Worm Model
  • Two major factors affect worm spread
  • dynamic human countermeasures
  • anti-virus software cleaning
  • patching
  • firewall updates
  • disconnect/shutdown
  • interference due to aggressive scanning
  • Rate of infection (β) is not constant

9
Two-Factor Worm Model (cont.)
  • Two important restrictions
  • consider only continuously activated worms
  • consider worms that propagate w/o topology constraints

10
Infection Statistics

11
Classic Simple Epidemic Model
  • Model presented in previous paper (classic simple
    epidemic model, K = 1.8, K = βN)
  • a(t) = J(t) / N (fraction of population infected)
  • Wrong! (compare to last slide)

12
Simple Epidemic Model Math
  • Variables
  • infected hosts (had virus at some point): J(t)
  • population size: N
  • infection rate: β(t)
  • dJ(t)/dt = βJ(t)[N - J(t)]

13
Two-Factor Model Math
  • dI(t)/dt = β(t)[N - R(t) - I(t) - Q(t)]I(t) -
    dR(t)/dt
  • S(t): susceptible hosts
  • I(t): infectious hosts
  • R(t): removed hosts from I population
  • Q(t): removed hosts from S population
  • J(t) = I(t) + R(t)
  • C(t) = R(t) + Q(t)
  • N = population (I + R + Q + S)
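
As an added example that is not part of the slides or of Zou, Gong and Towsley's own code, the following Python integrates both models (the simple epidemic model of slide 12 and the two-factor model of slide 13) with forward Euler, so the saturating curve of the first can be compared against the peak-and-drop-off of the second. The slides give only the differential equation for I(t); the closures used here for β(t), dR(t)/dt and dQ(t)/dt, and every parameter value (N = 360,000 hosts, K = 1.8 per hour, η, γ, μ), are assumptions constructed for illustration.

```python
# Added example: forward-Euler integration of the classic simple epidemic
# model (slide 12) and the two-factor worm model (slide 13).  This is not
# code from the slides or from Zou, Gong and Towsley; the closures chosen
# below for beta(t), dR/dt and dQ/dt and every parameter value are
# constructed here for illustration.

def simulate_simple(N=360_000, K=1.8, J0=1.0, dt=0.05, hours=40.0):
    """Classic simple epidemic model: dJ/dt = beta * J * (N - J), beta = K / N.

    J(t) counts hosts that have ever been infected; with no removal term the
    curve is a pure logistic that saturates at N.  Time is in hours and the
    series is sampled every dt hours.
    """
    beta = K / N
    J = float(J0)
    series = [J]
    for _ in range(int(round(hours / dt))):
        J = min(float(N), J + beta * J * (N - J) * dt)  # Euler step, clamped at N
        series.append(J)
    return series


def simulate_two_factor(N=360_000, K=1.8, eta=3.0, gamma=0.05, mu=0.06,
                        I0=1.0, dt=0.05, hours=40.0):
    """Two-factor model of slide 13 with N = S + I + R + Q:

        dI/dt = beta(t) [N - R(t) - I(t) - Q(t)] I(t) - dR/dt

    Assumed closures (not stated on the slides, constructed here):
        beta(t) = (K / N) * (1 - I/N) ** eta   aggressive scanning interferes
                                               with itself as I grows
        dR/dt   = gamma * I                    infectious hosts cleaned/patched
        dQ/dt   = mu * S * (J / N)             susceptible hosts patched faster
                                               as more of the net has seen it
    Returns per-step series for S, I, R, Q, J = I + R, C = R + Q and
    a = J / N.  dt is small enough here that no compartment goes negative.
    """
    beta0 = K / N
    S, I, R, Q = float(N - I0), float(I0), 0.0, 0.0
    out = {k: [] for k in ("S", "I", "R", "Q", "J", "C", "a")}
    for _ in range(int(round(hours / dt)) + 1):
        J, C = I + R, R + Q
        for key, val in (("S", S), ("I", I), ("R", R), ("Q", Q),
                         ("J", J), ("C", C), ("a", J / N)):
            out[key].append(val)
        beta = beta0 * max(0.0, 1.0 - I / N) ** eta
        new_inf = beta * S * I   # beta(t)[N - R - I - Q] I, since S = N - R - I - Q
        dR = gamma * I
        dQ = mu * S * (J / N)
        S += (-new_inf - dQ) * dt
        I += (new_inf - dR) * dt
        R += dR * dt
        Q += dQ * dt
    return out


def peak_and_final(series):
    """Peak value, the step index at which it occurs, and the final value."""
    peak = max(series)
    return peak, series.index(peak), series[-1]


if __name__ == "__main__":
    N = 360_000
    simple = simulate_simple(N=N)
    two = simulate_two_factor(N=N)
    print("simple model, final J/N: %.3f" % (simple[-1] / N))
    peak, step, final = peak_and_final(two["I"])
    print("two-factor: peak I/N %.3f at hour %.1f, final I/N %.3f, final J/N %.3f"
          % (peak / N, step * 0.05, final / N, two["J"][-1] / N))
```

Running the module prints the simple model saturating at essentially the whole population, while the two-factor run shows I(t) peaking and then falling and J(t) stopping short of N, which is the qualitative shape the next slides attribute to removal from both the S and I populations and to a decreasing infection rate.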

14
Two-Factor Fit
  • Take removed hosts from both S and I populations
    into account
  • non-constant infection rate (decreases)
  • fits well with observed data

15
Results
  • Two-factor worm model
  • accurate model without topology constraints
  • explains exponential start and end drop-off
  • identifies 2 critical factors in worm propagation
  • Only 60% of CR targets infected

16
The SQL Slammer (Sapphire)
  • Infection stats
  • 90% in 10 minutes
  • population doubled every 8.5s
  • >75,000 infected
  • 1 UDP packet!

17
Questions
  • Sapphire paper
  • http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html
  • Previous Code Red paper
  • http://www.icir.org/vern/papers/cdc-usenix-sec02/