CodeRed: A Case Study on the Spread - PowerPoint PPT Presentation

1
Introduction
  • Code-Red: A Case Study on the Spread and Victims
    of an Internet Worm
    (D. Moore, C. Shannon, K. Claffy)
  • Observation and Analysis of BGP Behavior under
    Stress
    (L. Wang, X. Zhao, D. Pei, R. Bush, D. Massey,
    A. Mankin, S. Wu, L. Zhang)

2
Outline
  • About Code-Red
  • Flavors of Code-Red
  • Spread of Code-Red
  • Observations on Code-Red
  • Paving the way for Nimda
  • Resulting Impact
  • Code-Red and Beyond

3
About Code-Red
  • Exploits a buffer-overflow vulnerability in the
    MS IIS web server
  • If the day of the month is 1 through 19, the worm
    attempts to spread
  • If the day of the month is 20 through 28, the worm
    launches a DoS attack against www1.whitehouse.gov
  • On the remaining days of the month, the worm is
    dormant

4
Flavors of Code-Red
  • Initial variant became known as Code-RedI v1
    (07-12-01)
  • Used a static seed for random number generator,
    thus limiting its spread
  • Not very damaging
  • Second variant, named Code-RedI v2 (07-19-01)
  • Fixed the static-seed bug of the first variant and
    thus had a much greater impact

5
Flavors of Code-Red
  • Third variant was named Code-RedII (08-04-01)
  • Most harmful of the three
  • Lies dormant for a day and then reboots the
    machine
  • Uses a much more complex random IP selection
    scheme
  • Installs backdoor software, thus effectively
    turning compromised machines into zombies

6
Spread of Code-Red
  • Code-RedI v1 had little impact on global
    resources
  • Code-RedI v2 spread to more than 359,000 machines
    in 14 hours
  • Code-RedII spread to the same host population as
    Code-RedI v2
  • Code-RedI v2 traffic is difficult to distinguish
    from Code-RedII

7
Total of Infected IP Addresses
8
Infection Rates
9
Observations on Code-Red
  • Host characterization by domain shows ISP domains
    were the most infected
  • Noticeable diurnal cycle in the number of active
    infected hosts (between 1/3 and 1/2)

10
Observations on Code-Red
  • Patch rate was described as sluggish
  • July 24 through July 31: 1.5 patched per day
  • After the worm began spreading again on August 1,
    patched systems doubled from 32 to 64
  • .EDU patched well; .COM and .NET did not respond
    as well

11
Patch Rate
12
Paving the way for Nimda
  • Nimda is a mass-mailing virus that was released
    on 09-18-01
  • Spreads via email, but also installs itself on
    IIS servers previously compromised by Code-Red
  • Can also propagate itself via compromised IIS
    servers

13
Resulting Impact
  • This combined threat of Code-Red and Nimda ended
    up having an effect on BGP itself
  • At the peak of the attack, a massive increase in
    BGP updates was recorded
  • It was believed at the time that this behavior
    indicated a global routing instability

14
BGP Announcements
15
Resulting Impact
  • Further study showed that the majority of these
    BGP updates did not lead to AS path changes
  • The path changes that did occur were limited to a
    small subset of unstable networks
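The distinction drawn on this slide, between updates a monitor records and updates that actually change the AS path it holds for a prefix, can be checked mechanically. The following is an added example, not code from the slides or from either paper; it assumes a simplified record format of (peer, prefix, AS path), a constructed sample of updates, and no withdrawals.

```python
# Added example: classify a stream of BGP UPDATE records by whether each one
# changes the AS path a monitor currently holds for (peer, prefix).
from collections import defaultdict

# Constructed sample records (peer, prefix, AS path); hypothetical values.
SAMPLE_UPDATES = [
    ("peerA", "192.0.2.0/24", (64500, 64510, 64520)),
    ("peerA", "192.0.2.0/24", (64500, 64510, 64520)),    # duplicate, no change
    ("peerA", "192.0.2.0/24", (64500, 64510, 64520)),    # duplicate, no change
    ("peerA", "198.51.100.0/24", (64500, 64530)),
    ("peerA", "198.51.100.0/24", (64500, 64540, 64530)), # real path change
    ("peerB", "192.0.2.0/24", (64501, 64520)),
    ("peerB", "192.0.2.0/24", (64501, 64520)),           # duplicate, no change
    ("peerB", "203.0.113.0/24", (64501, 64550)),
    ("peerB", "203.0.113.0/24", (64501, 64550)),         # duplicate, no change
    ("peerB", "203.0.113.0/24", (64501, 64560, 64550)),  # real path change
]

def classify_updates(updates):
    """Return {prefix: (updates seen, updates that changed the AS path)}.

    The first update for a (peer, prefix) installs a path; a later update
    counts as a change only if its AS path differs from the installed one.
    """
    installed = {}                 # (peer, prefix) -> current AS path
    totals = defaultdict(int)
    changes = defaultdict(int)
    for peer, prefix, as_path in updates:
        key = (peer, prefix)
        totals[prefix] += 1
        if key in installed and installed[key] != as_path:
            changes[prefix] += 1
        installed[key] = as_path
    return {p: (totals[p], changes[p]) for p in totals}

def summarize(updates):
    """Overall (updates seen, path-changing updates, prefixes with a change)."""
    per_prefix = classify_updates(updates)
    total = sum(t for t, _ in per_prefix.values())
    changed = sum(c for _, c in per_prefix.values())
    unstable = sorted(p for p, (_, c) in per_prefix.items() if c)
    return total, changed, unstable

if __name__ == "__main__":
    total, changed, unstable = summarize(SAMPLE_UPDATES)
    print(f"{total} updates, {changed} changed an AS path; "
          f"prefixes with changes: {unstable}")
```

On the sample, 10 updates are recorded but only 2 change an AS path, and both are confined to two prefixes, which is the shape of the result the slide describes.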

16
Resulting Impact
  • After analyzing the data, it was discovered that
    BGP did not exhibit routing instability
  • The apparent instability was a series of
    monitoring artifacts
  • However, local changes proved to have a global
    scope
  • BGP should be improved to better prepare for the
    future

17
Code-Red And Beyond
  • Major virus attacks since Code-Red
  • Sobig (multiple variants)
  • SQL Slammer
  • Blaster/Welchia
  • Are we prepared for the next big virus?